As a reminder, this Community is a venue to provide professional discussions related to information security. The Community is intended to be a forum for peer engagement, positive discussion and constructive advice. We expect all users to maintain a tone of professionalism in all Community interactions. We have guidelines in place to ensure everyone maintains a civil and productive discussion. Every day, we are encouraged by so many great posts and helpful comments across the Community. We ask that everyone reserve this space for sharing ideas focused on informed and helpful cybersecurity discussion such as technical and security implications, threats and mitigating them in the industry. We would like to keep this Community a place for appropriate cybersecurity topics and encourage all off-topic discussions to be held elsewhere.
All Community users can help ensure we build a professional and respectful community. As mentioned in the guidelines, community members can help self-regulate and flag any inappropriate content or off-topic content that does not uphold the vision of (ISC)² and our code of ethics. To flag, use the menu at the top right of a post and select “Report Inappropriate Content.” It will be reviewed by a Community team member. This Community is intended to be a tool for cybersecurity professionals to work together to solve problems.
Thank you in advance for your help, your engagement in the Community and for all that you all do to inspire a safe and secure cyber world.
The (ISC)² Community has been updated during the last few months. Take a look at this quick (2 minute) video to learn more about new features and where to find discussions in the Community. You can find it on the Community homepage or click here to view.
Shameless self-promotion time. If you're interested in learning how to identify, assess, and respond to risks in a straightforward and practical manner, consider the newest PDI fully immersive course, Conducting Practical Risk Analysis for Security Professionals, authored by yours truly. As with other PDI courses they are free to members and with mine you can earn 4 CPEs. As a consultant, my phone rings when people need to solve complex multi-dimensional problems; problems that they weren't able or willing to solve themselves. Regardless of where they think these problems stem from, my investigations usually find causes and contributing factors that go well beyond the realm of security. I apply my early background from my military service and my years as a cop, with my last few decades in business and technology as a Lean Six Sigma Black Belt, Public Service Technologist, and Industry Thought Leader. With that said, I'm a bit dense when it comes to understanding my own problems. After ignoring the warning signs for years I spent a week in a local hospital learning I had a heart attack and walking out with 3 new titanium stents in my coronary arteries as souvenirs. It's been a slow and painful rehab and recovery, but one other message got through. It was time to accept that I have more yesterdays than tomorrows; it was time to share what I know. When the PDI approached me about creating course material I saw it as an opportunity to do just that and do so in a format whereby you, as the learner, become part of a fictional company's leadership team. You'll join their meetings, read emails, make choices, and learn with them as a consultant guides and gently teaches them how to better protect their people, their customers, and their business. However, I couldn't do it alone. Maci Devaney and Ty Crawford worked with me every step of the way. (Actually, they held my hand for quite a few steps.)
Their professionalism, attention to detail, and incredible skills made this a polished and high caliber production. The actors enabled a sense of realism that a standard course would never emulate. It was a bit weird during the studio recording sessions as I watched a professional actor, Chris Hurt, portray me as the consultant. I wrote the scripts (a first for me) based on what I've actually said to my clients in countless meetings over the years. However, watching Chris in the studio as he spoke my words and perfectly captured the way I talk with my hands, my facial expressions, and the inflections in my voice, was unlike anything I ever experienced. Now, no one will ever confuse the two of us - I know this because my wife leaned over during the first recording session and whispered to me that she loves me, but Chris is a "younger and better looking version" of me! In all honesty, I have to agree, besides the fact that the consultant's name in the script isn't "Lloyd Diernisse," (it's "Steve Romano"). Kindly check it out and provide feedback, positive or negative. I created the course for you and I just verbally committed to create others (haven't signed the contract yet, but we're going ahead with it as soon as the paperwork is sorted out). Therefore, I need to know what you think - it's the only way I can improve. 🙂
Your phone knows where it is, and thus most of the time, where you are. And your phone tells your phone company all of the time. Mobile phone companies know where your cell phone is all the time it is turned on. They have to, because they monitor which cell towers it uses. And they keep records of your phone's geographic location (geoloc). Who else knows? The history of your phone locations is considered sensitive privacy data, and in many jurisdictions a law enforcement or intelligence activity must have a warrant or court order to obtain those records from the phone company. That sounds nice, but do not for a moment think your location privacy is protected from government surveillance by these legal requirements. Your geoloc history is on the market for purchase, and governments are buying. Every smart phone is delivered with a batch of apps already installed, and almost every new owner adds more games and productivity apps in short order. They also very rarely read and understand the permissions they grant to those apps when they click the ACCEPT button to install each app. And a surprising number of apps ask for permission to know your location. Why in the world would a flashlight app or a picture-mapping app need to know where it is being used? Because those app companies build their own geoloc files for your phone, independent of the phone company's records. Then they sell that data to data brokers. And the data brokers aggregate that data from multiple app vendors to sell to other customers. Who buys from these data brokers? We can assume companies that want to do marketing analysis are primary buyers. However, another buyer category has come to light: government agencies. See the Jan 22, 2021, Verge article US Defense Intelligence Agency admits to buying citizens’ location data.
The title tells the core story: while the US Supreme Court Carpenter ruling said the government must have a warrant to obtain geoloc data from phone companies, both the DIA and law enforcement agencies assert that ruling does not restrict them from buying geoloc data from commercial data brokers, without any judicial approval in advance. You can read for yourself what the DIA said in their memo to Senator Wyden explaining their testimony in a recent Senate committee hearing. Basically, DIA says it is OK for them to have this data, and as long as they are not looking at it, they have not "collected location data on US persons." Hmmm, that sounds a lot like the testimony years ago by a NSA Director that they had not "collected" the cell phone data being stored in their massive Utah data center, because they had not looked at that data.
=-=-=-=
“‘When I use a word,’ Humpty Dumpty said in rather a scornful tone, ‘it means just what I choose it to mean — neither more nor less.’ ‘The question is,’ said Alice, ‘whether you can make words mean so many different things.’ ‘The question is,’ said Humpty Dumpty, ‘which is to be master — that’s all.’” Lewis Carroll, Through the Looking Glass
=-=-=-=
(c) 2021 D. Cragin Shelton. The above article originally appeared in my Randomness Blog.
I'm currently in the process of learning about and implementing a threat modeling program for overall architecture and systems changes within our Org. At this point, I'm leaning towards using STRIDE with the four key questions (I'm going to tailor them a bit to fit our Org better, but the concepts are the same):
What are you building?
What can go wrong?
What should you do about those things that can go wrong?
Did you do a decent job of analysis?
I'm currently reading Threat Modeling by Adam Shostack to learn more about threat modeling in general. It's a tome of a book but I'm enjoying it. I like the STRIDE method because of how simple it is to communicate and how broad the threat categories are. My questions are:
Are you using a formalized threat modeling program or method? If so, which one?
Any gotchas or things you would do differently if you could do it all over again?
Most of the video training courses on threat modeling are centered on building applications and not necessarily around network or overall architecture changes. Is that intentional?
Any other comments on threat modeling are welcome as well.
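As an added example (not code from the original post or from Shostack's book), here is one way to make the four questions checkable for an architecture change rather than an application: a STRIDE-per-element applicability table, a constructed sample model of a VPN gateway change, and a check that flags every element/category pair with no recorded mitigation or explicit risk acceptance. The applicability table, element kinds, and all sample values are assumptions chosen for illustration.

```python
# Added example (not from the post): STRIDE-per-element model with a coverage check.
# STRIDE categories keyed by their letter.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}

# Assumed STRIDE-per-element applicability table: which categories are normally
# considered for each element kind. Tailor it to your org's conventions.
APPLICABLE = {"external": "SR", "process": "STRIDE", "datastore": "TRID", "dataflow": "TID"}

def expected_threats(model):
    """Question 2, 'What can go wrong?': every (element, letter) pair to consider."""
    pairs = set()
    for element in model:
        if element["kind"] not in APPLICABLE:
            raise ValueError(f"unknown element kind: {element['kind']}")
        pairs.update((element["name"], c) for c in APPLICABLE[element["kind"]])
    return pairs

def coverage_gaps(model, decisions):
    """Question 4, 'Did you do a decent job?': expected pairs with no recorded decision.
    decisions maps (element, letter) -> mitigation text or an explicit 'accepted: ...'."""
    return sorted(expected_threats(model) - set(decisions))

def report(model, decisions):
    """Question 3, 'What should you do about it?': readable list of unaddressed threats."""
    return [f"{name}: {STRIDE[c]} not addressed" for name, c in coverage_gaps(model, decisions)]

# Constructed sample: an architecture change (new VPN gateway in front of an internal DB).
SAMPLE_MODEL = [
    {"name": "remote-user", "kind": "external"},
    {"name": "vpn-gateway", "kind": "process"},
    {"name": "vpn->db", "kind": "dataflow"},
    {"name": "inventory-db", "kind": "datastore"},
]
SAMPLE_DECISIONS = {  # deliberately incomplete so the check has something to flag
    ("remote-user", "S"): "MFA on VPN login",
    ("remote-user", "R"): "accepted: auth logs retained for one year",
    ("vpn-gateway", "S"): "gateway certificate pinned in client config",
    ("vpn-gateway", "T"): "signed firmware, config in version control",
    ("vpn-gateway", "R"): "session logs shipped to SIEM",
    ("vpn-gateway", "I"): "TLS 1.2+ only, no split tunnel",
    ("vpn->db", "T"): "mutual TLS on the internal link",
    ("vpn->db", "D"): "connection rate limiting at the gateway",
    ("inventory-db", "T"): "least-privilege DB roles",
    ("inventory-db", "I"): "encryption at rest, column-level ACLs",
    ("inventory-db", "D"): "replica with automatic failover",
}
```

Running `report(SAMPLE_MODEL, SAMPLE_DECISIONS)` lists the four pairs nobody decided on (the database's repudiation, the internal link's disclosure, and the gateway's denial of service and elevation of privilege), which is the review artifact for the fourth question.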
WhatsApp (WA) recently announced new privacy policies on data sharing that emphasized that, as a Facebook (FB) company, they will share data collected on users with the other FB companies. Lots going on here.
1. Apparently this new sharing policy has caused a massive backlash, especially in India. WhatsApp Scrambles As Users In Big Indian Market Fret Over Privacy (1/15/21)
2. FB and WA have reacted to the clamor by delaying the new policy implementation three months. WhatsApp is delaying a new policy change after critics claimed the update would have turned over user data to Facebook (1/15/21) Note they apparently are trying to deal with their PR mess, not improve the policy. FB is claiming that they have not really changed how they handle data within the FB family of companies, just improve how they support businesses who use WA.
3. People abandoning WA have created a good news/bad news situation for competitor encrypted chat service Signal, as new Signal subscribers swamp their servers. Messaging App Signal Facing Technical Difficulties (1/15/21) Presumably many of the messaging migrants were influenced by Tesla CEO Elon Musk's statements. Signal sees surge in new signups after boost from Elon Musk and WhatsApp controversy (1/7/21)
4. Isn't user privacy preserved as long as WA keeps the promise to use true end-to-end encryption, never decrypting chat content? Not really. By merging all data from all FB companies about who you chat with, when, how often, and for how long, what FB pages you visit and which you like, what online ads you click in FB, then cross-linking that with what FB knows about all of your chat contacts, and who they contact, they can build a whopper of a detailed dossier on you. The detail will include all unencrypted messages FB can read through Facebook Messenger, along with comments on your FB page and the FB pages of those contacts.
Consider particularly an open conversation in FB Messenger with a comment as a new topic opens up, "Let's move this to WhatsApp." This process is based on the network analysis processes used for many decades by signals intelligence agencies like NSA and GCHQ. Think of it like super-powered contact tracing. In fact, consider NSA's methods today for social network analysis, as described in Wired's Inside the NSA’s Secret Tool for Mapping Your Social Network (5/24/2020) We can reasonably assume that FB is doing exactly the same thing as the NSA as they build your personal dossier with all of their tools. (c) 2021 D. Cragin Shelton The above was originally published in my Randomness blog. Craig
Here are some important links for information and background on the hack of Solarwinds.
SunBurst: the next level of stealth. SolarWinds compromise exploited through sophistication and patience. https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth
Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers - Microsoft Security. https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromis[…]icated-cyberattack-and-how-microsoft-defender-helps-protect/
SolarWinds releases updated advisory for new SUPERNOVA malware. https://www.bleepingcomputer.com/news/security/solarwinds-releases-updated-advisory-for-new-supernova-malware/
cyber.dhs.gov - Emergency Directive 21-01. Updated guidance from CISA. https://cyber.dhs.gov/ed/21-01/#supplemental-guidance
SUNSPOT Malware: A Technical Analysis | CrowdStrike. This is a great analysis of how the code was injected into the software pipeline. https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
Hacking victim SolarWinds hires ex-Homeland Security official Krebs as consultant. Stamos helped Zoom... now teamed up with Chris Krebs; their first client is SolarWinds. https://www.reuters.com/article/technologyNews/idUSKBN29D0CL
Paul