Two-factor authentication & how to check for unusual Twitter activity

Recently my Twitter account was hacked. That teaches me to use simple passwords. This account was quite old and unused for a while. When I started to use it again it got a bit more visibility and was taken over. I got it recovered quite quickly, but cleaning up takes a while.

Just a few minor tips:

  • Do not re-use passwords (this was my luck, I never do; a password manager helps me here).
  • Check your past likes for ones you did not make yourself and that look "off-beat", and do this FREQUENTLY.
  • Many services provide "recent activity/login" information (sometimes hard for me to interpret, since I use VPNs of many types exiting in different countries).
  • Verify profile changes and e-mail notifications about your accounts (never click the links in those e-mails; always go to the site directly to take action).
  • Change passwords periodically (yearly when a second factor is in use?).
  • Use multi-factor authentication (with a few trusted devices) where possible.
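The second and third tips are easier to apply with a small script than by eyeballing the activity page. The following is an added example (not from the original post) that reviews a constructed login-activity export: it flags successful logins from devices you do not own, from countries your VPNs never exit in, and successes that follow a burst of failed attempts from the same address. The record format, the trusted-device and known-country lists, and the sample events are all assumptions for the example; the "unknown country" rule is deliberately kept weak because, as noted above, VPN use makes it noisy on its own.

```python
from datetime import datetime, timedelta

# Constructed sample of a service's "recent login activity" export. The field
# names are an assumption; map your provider's export onto them.
SAMPLE_LOGINS = [
    {"time": "2024-03-01T08:05:00", "country": "NL", "ip": "203.0.113.7",
     "device": "Firefox on Linux", "ok": True},
    {"time": "2024-03-01T08:40:00", "country": "DE", "ip": "203.0.113.9",
     "device": "Firefox on Linux", "ok": True},      # owner via a VPN exit
    {"time": "2024-03-02T02:15:00", "country": "BR", "ip": "198.51.100.4",
     "device": "Chrome on Windows", "ok": False},
    {"time": "2024-03-02T02:16:00", "country": "BR", "ip": "198.51.100.4",
     "device": "Chrome on Windows", "ok": False},
    {"time": "2024-03-02T02:17:00", "country": "BR", "ip": "198.51.100.4",
     "device": "Chrome on Windows", "ok": True},     # guessed password
    {"time": "2024-03-02T02:30:00", "country": "NL", "ip": "203.0.113.7",
     "device": "Firefox on Linux", "ok": True},
]

# Devices the owner actually uses (ideally the few enrolled for MFA).
TRUSTED_DEVICES = {"Firefox on Linux", "Twitter for Android"}
# Countries the owner's VPNs exit in; a login from one of these is not
# alarming on its own.
KNOWN_COUNTRIES = {"NL", "DE", "SE"}


def review_logins(logins, trusted_devices, known_countries,
                  fail_window=timedelta(minutes=10), fail_threshold=2):
    """Return (time, severity, reason) for each successful login that does
    not look like the owner. Severity is 'high' when an indicator is strong
    (untrusted device, success right after repeated failures) or several
    weak ones coincide; an unknown country alone is 'low' because VPN use
    makes it noisy."""
    events = sorted(logins, key=lambda e: datetime.fromisoformat(e["time"]))
    findings = []
    for i, ev in enumerate(events):
        if not ev["ok"]:
            continue
        t = datetime.fromisoformat(ev["time"])
        reasons = []
        if ev["device"] not in trusted_devices:
            reasons.append(("high", f"untrusted device {ev['device']!r}"))
        if ev["country"] not in known_countries:
            reasons.append(("low", f"unknown country {ev['country']}"))
        # Failed attempts from the same IP shortly before this success
        # suggest the password was guessed rather than known.
        recent_fails = sum(
            1 for prev in events[:i]
            if not prev["ok"] and prev["ip"] == ev["ip"]
            and t - datetime.fromisoformat(prev["time"]) <= fail_window)
        if recent_fails >= fail_threshold:
            reasons.append(("high", f"{recent_fails} failed attempts from "
                                    f"{ev['ip']} just before success"))
        if reasons:
            high = any(s == "high" for s, _ in reasons) or len(reasons) > 1
            findings.append((ev["time"], "high" if high else "low",
                             "; ".join(r for _, r in reasons)))
    return findings


if __name__ == "__main__":
    for when, severity, why in review_logins(SAMPLE_LOGINS, TRUSTED_DEVICES,
                                             KNOWN_COUNTRIES):
        print(f"{when} [{severity}] {why}")
```

Run against the sample, only the 02:17 login is reported, and it is rated high for three coinciding reasons; the owner's own VPN login from DE is silent because the device is trusted and DE is a known exit. Anything rated high is the place to start the clean-up described at the top of the post.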

Threat summary

A simple chart classifying different InfoSec threats, with the mitigations that address them.

Misdirection:

  • Spoofing
  • Pharming
  • XSS
  • Poisoning (ARP, DNS)

Social trust:

  • Phishing
  • Social engineering
  • Social network attacks

Vulnerability:

  • SQL injection
  • Code injection
  • Path traversal
  • Buffer overflow

Snooping:

  • Replay attacks
  • Sniffing
  • Keylogging
  • Session hijacking
  • TEMPEST

Password attacks:

  • Dictionary
  • Brute force
  • Rainbow (hash) tables
  • Shoulder surfing

Escalation:

  • Authentication bypass
  • Pivoting
  • Heuristic commits

Malware:

  • Rootkits
  • Trojans
  • Worms
  • Spyware

Malicious actions:

  • DoS
  • DDoS
  • Virus
  • Scareware/ransomware

Mitigations:

  • Hardening
  • Secure boot
  • Threat scanning

What control activities to verify?

During the validation of control activities you should attempt to make security easier on users and more difficult for attackers. 

Activities to verify may include (but are not limited to):

  • Prevention (2FA, least privilege, reduce deniability / non-repudiation, …)
  • Delay (strong encryption, layering, …)
  • Detect (monitor, detect change, audit, automate, …)
  • Compliance (implementation of corporate policy and standards, including configuration best practices)
  • Recover (verify the ability to reset to the last known good state)

NOTE: validating control activities is not an audit. The auditors themselves should also be evaluated ("watch the watcher") and must comply with segregation of duties. Example: auditors should NOT define the governing policy or have the ability to implement change.
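"Detect change" and "reset to the last known good state" both rest on having a trustworthy baseline. The following is an added example (not from the original page) of the hashing mechanism behind such a baseline: it records a SHA-256 manifest of a file set, seals the manifest with an HMAC so an intruder who edits files cannot quietly edit the baseline too, and later reports what was modified, added or removed. The file contents, paths and the demo key are constructed; in practice the key lives off the monitored host and the baseline is taken from a known-good build.

```python
import hashlib
import hmac
import json
import os

# Constructed "last known good" file set and a later snapshot of the same host
# after an intruder relaxed sshd and dropped a persistence cron job.
BASELINE_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/cron.d/backup": b"0 2 * * * root /opt/backup.sh\n",
    "usr/local/bin/healthcheck": b"#!/bin/sh\nexit 0\n",
}
CURRENT_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "etc/cron.d/backup": b"0 2 * * * root /opt/backup.sh\n",
    "etc/cron.d/persist": b"* * * * * root /tmp/.x/run.sh\n",
    "usr/local/bin/healthcheck": b"#!/bin/sh\nexit 0\n",
}
DEMO_KEY = b"constructed-demo-key-keep-real-keys-off-the-host"


def build_manifest(files):
    """files: {relative_path: bytes} -> {relative_path: sha256 hex digest}."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}


def _canonical(manifest):
    # Deterministic serialisation so the MAC covers exactly one byte string.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """Seal the baseline: without the key nobody can alter it unnoticed."""
    mac = hmac.new(key, _canonical(manifest), "sha256").hexdigest()
    return {"manifest": manifest, "mac": mac}


def load_signed_manifest(signed, key):
    """Verify the seal before trusting the baseline; a tampered baseline would
    otherwise hide the very changes we are looking for."""
    expected = hmac.new(key, _canonical(signed["manifest"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("baseline manifest failed integrity check")
    return signed["manifest"]


def diff_manifests(baseline, current):
    """Report drift from the last known good state."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def snapshot_dir(root):
    """Read a real directory tree into the {relative_path: bytes} shape used above."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


if __name__ == "__main__":
    sealed = sign_manifest(build_manifest(BASELINE_FILES), DEMO_KEY)
    baseline = load_signed_manifest(sealed, DEMO_KEY)
    for kind, paths in diff_manifests(baseline, build_manifest(CURRENT_FILES)).items():
        for p in paths:
            print(f"{kind:8} {p}")
```

The diff is the "detect" control; the sealed manifest plus a copy of the baseline files is what "recover to the last known good state" restores from. Note that hashing alone gives traceability, not protection: the HMAC (or a digital signature, as listed under Integrity below) is what stops the record itself from being rewritten.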

More assurance slang

Due care:

You should care! Due care is the conduct expected of a reasonable person in a particular situation. When negligence is tested, each juror (auditor/tester) has to determine what was "reasonable" in the given situation. Train people to tell a good choice from a bad one.

Due diligence:

Continually ensure that threats and vulnerabilities are known and acted upon.

  • Assets are identified and protected.
  • Controls are in-place.
  • Regulations are followed and evaluated.

CIA, a convenient reminder

Q. What is CIA?

Confidentiality:

is:

  • who can access
  • how data is classified

enforced via:

  • file permissions,
  • encryption (how data is transferred & stored),
  • secrecy (what you know),
  • isolation (from network or in vault),
  • Bell-LaPadula model

Integrity (of data):

is:

  • who can change data
  • verify data has not changed
  • know data has been changed

enforced via:

  • permissions
  • hashing (traceability)
  • digital signatures
  • wax seals
  • tamper evident packaging,
  • Biba model
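Bell-LaPadula (under Confidentiality) and Biba (here, under Integrity) are mirror images of each other, and seeing both rules in code makes the duality obvious. The following is an added example, not code from the original page: it encodes the two models over constructed label scales and checks a request against both, so a "system"-integrity daemon is denied reading an "untrusted" upload even though confidentiality would allow it. The label names, the daemon and the sample requests are assumptions for the example.

```python
# Confidentiality levels (Bell-LaPadula) and integrity levels (Biba) are two
# independent lattices; the names below are constructed for the example.
CONF = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
INTEG = {"untrusted": 0, "user": 1, "system": 2}


def blp_allows(subj_conf, obj_conf, op):
    """Bell-LaPadula: a subject may not read above its clearance (simple
    security property) and may not write below it (*-property), so secrets
    cannot leak downward into less-cleared objects."""
    s, o = CONF[subj_conf], CONF[obj_conf]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subj_integ, obj_integ, op):
    """Biba is the dual: a subject may not read below its integrity level
    (it would be contaminated) and may not write above it (it would
    contaminate), so untrusted data cannot flow into trusted objects."""
    s, o = INTEG[subj_integ], INTEG[obj_integ]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def check_request(subject, obj, op):
    """subject and obj are (confidentiality, integrity) label pairs; the
    request passes only if both models permit it. Returns (allowed, detail)."""
    ok_c = blp_allows(subject[0], obj[0], op)
    ok_i = biba_allows(subject[1], obj[1], op)
    return ok_c and ok_i, {"bell_lapadula": ok_c, "biba": ok_i}


if __name__ == "__main__":
    # A service daemon cleared for confidential data, running at system integrity.
    daemon = ("confidential", "system")
    cases = [
        (("secret", "system"), "read"),         # read up: BLP denies
        (("public", "untrusted"), "read"),      # web upload: Biba denies
        (("public", "user"), "write"),          # write down: BLP denies
        (("confidential", "system"), "write"),  # same level: both allow
    ]
    for label, op in cases:
        allowed, why = check_request(daemon, label, op)
        print(f"{op:5} {label}: {'ALLOW' if allowed else 'DENY'} {why}")
```

The second case is the practical one: input parsing at high integrity is exactly where injection bugs from the threat chart above live, and Biba's "no read down" says such data must first pass through a lower-integrity sanitiser (or be validated, which is the usual real-world relaxation) before a trusted component consumes it.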

Availability:

is:

  • Keep data and services online
  • restore data after failure
  • restore services quickly after failure (incl. DR)
  • scale to peak capacity (absorb DoS)

enforced via:

  • testing
  • redundancy
  • anti-malware
  • backups
  • Disaster Recovery plan (get data back)
  • Business Continuity (get business back)

Accountability in a more classical structure

Is…

  • Who did it?
  • Do we have Non-repudiation?
  • What are legal consequences?
  • How shall we secure the systems?
  • Who is accountable?

Provides:

  • integrity and assurance,
  • authenticity.

Enforced via:

  • audit trails & logs,
  • design, governance and policy,
  • standards*,
  • RACI matrix.

*standards should include an [internal] Minimal Security Baseline (MSB), influenced by vendor best practices, external standards, directives, etc.

Information System types and CIA

Q. is the Classical CIA triad still valid as a base for our information systems?

A. Sure. Below are some examples of information systems and the property each mainly (but not exclusively) requires:

  • Confidentiality for Personal data systems (ex: PII, HR info),
  • Integrity for Financial critical systems (ex: reporting, projections),
  • Availability for Business critical systems (ex: production, assembly).

It’s alive…

It’s alive! Welcome to the SEcurity Content COmmunity (SECCO), a place to share and comment on IT security related topics.

SECCO is the interactive section of the CIA³ site (pronounced: CIA cubed). CIA³ is a more modern version of the classical security concepts known as the CIA triad: besides Confidentiality, Integrity and Availability it also covers Accountability and Assurance.