Architecture

When people are talking about cybersecurity they are often talking about IT-security, but there are also OT-security. But what are the difference? Most people in tech know what IT is, the tech that handles information. The focus is on handling data, collecting, modifying or providing it. OT (Operational Technology) on the other hand is focused on the tech that impacts the real world. An example could be a control-system that manages the indoor climate in an office. An easy example are the smart homes, where IoT devices control the the house. ...

As in all fields there are lots of decisions that has to be taken in Cyber Security. But how can we maximise our chances to take the correct decisions? This question has many answers, but from my experience many of them boil down to information. To make the correct decision one needs to make an informed decision. But what information is it that is needed, and how can we gather it efficiently? This depends on the decision to be taken, but let’s try to boil it down to some general guidelines that can be applied to all decisions. The first step is to split the information into two categories, internal and external. The external information is what usually comes from Cyber Threat Intelligence. This can answer questions that are generalized outside the own organisation, such as “What attack vectors are most commonly used to by attackers to gain a foothold in organisations?” How to find the answers of these questions is an area of it’s own, so I’m not going to dig deep into it, instead we leave the answers to this kind of questions to external reports published by researchers focusing in the area. A common example of this is OWASP top 10 that shows the most common attacks used to attack web applications. There is however a secondary kind of external information needed to make good decisions in, and that is in regards to the legal or regulatory requirements. These impact all areas of the business, including cyber security. ...

Far to often organisations do all their security work on the few systems that are exposed to the internet. This might be acceptable when you begin the structured and ongoing work with security, but you should try to move on to defence in depth as soon as possible. Defence in depth is where you do not leave security to one layer of an application (or solution), but instead validate the security every step of the way. A common example for this is that even if you have a network firewall you do not disable the firewall in the operating system. This can be transferred to software development as well. In a more complex system each component should get the same security controls. It should not only be the frontend API that validates the input, instead each component should validate the data as untrusted when it receives it from another component. By doing so the resilience of the solution as a whole is greatly improved, where a single issue have limited impact, and might not even be exploitable. ...

In my years of working as an application security (appsec) penetration tester I’ve come to the conclusion that there are so much more value to be added than pure technical vulnerabilities. To deliver the most value you have to be willing and able to walk the extra mile. Before getting into what can be done to increase the value, let’s dig into the two most common types of vulnerabilities. Technical Vulnerabilities The technical vulnerabilities are the most common vulnerabilities we see. This is where the application is abused to do something it shouldn’t, for example by injecting code or abusing weak cryptography. Even though the vulnerability is technical, it is important for the reporter to describe how it will impact the business. Otherwise the receiving organisation might not have enough of an understanding to prioritise the issues, and handle them accordingly. Even though a code injection can be used to pivot to other machines, the main impact for the business can often be linked to the confidentiality, integrity and availability of the application. As a tester it can be hard to accept, but a dom based XSS might be an accepted risk if the only impact is defacing the sight by pasting code into the searchbox. ...

We live in a world where technology compete for our attention, especially on our smartphones. Apps do everything they can to get us to open the app, and not leave it. At least that’s how I feel, with endless newsfeeds, notifications and autoplay, it’s so easy to just open the phone and get stuck. The feeling is not new, but the thing that pinned it down for me was the book Zucked by Roger McNamee [1]. It highlighted the reason for the feelings, both why companies do it and what they do. By using data companies have on their users they maximise their consumption. This can be in the form of video content on a streaming platform or browsing the newsfeed on social media. ...