Articles by the cybersecurity community

Blog has Moved!

The Demystify Cyber Project blog has moved.

Thank you to all the subscribers to this blog. Please note that Demystify Cyber has moved to its own website! 

For articles by the InfoSec community, please go to the Demystify Cyber Community Blog page: Demystify Cyber Community Blog




What is #cybercrime?

When cybercrime is mentioned, some people may immediately think of malware, others may think of phishing; however, cybercrime is far more than that. Cybercrime is crime against technology or crime enabled by it. This means that, as well as the perhaps more obvious crimes of malware and phishing, it encompasses online fraud, unauthorised modification or destruction of data, romance fraud, tech support or remote access scams, child abuse material, and a range of other crimes.



Remember that anyone can become a victim of cybercrime; nobody is immune. Also be wary of victim blaming: a cybercrime victim needs support, and the only people to blame are the criminals.

All of us who understand tech and cybercrime need to be part of the solution and help each other, our friends, families, colleagues, and total strangers to stay safer from cybercrime. Anyone can become a victim of cybercrime, and the fallout of cybercrime for victims and their families and/or businesses can be huge. Please be part of the fight against cybercrime. Be kind to each other, support each other, and help everyone stay safer in the online world.



#cybersecurity - 5 points about vulnerabilities and patching

Software and technology evolve fast, and at times they may have an inadvertent flaw in them. Vulnerabilities in technology or software code can be exploited by criminals to gain access to a person’s computer or phone, or a company’s system. The reason why software companies release security patches is to fix or mitigate security flaws that have been discovered in their code.

 

Five points about vulnerabilities and patching:

1. Vulnerabilities – A flaw in code, hardware or systems may be exploited by criminals to gain access to restricted systems.

2. Zero day – A vulnerability that is not widely known about, except by the criminals exploiting it, and for which there is as yet no known fix, is called a zero-day exploit.

3. Exploits – Criminals can exploit vulnerabilities in applications and use these to steal passwords, gain access to networks and install malware.

4. Patches – Software companies release security patches to fix or mitigate security flaws.

5. Patching – All users of technology, whether individuals or corporate entities, need to ensure they keep their systems and software current and patched, as this helps to protect the technology from criminal exploitation.



Guest Post - Ella Donald - How do I spot a #phishing scam? #cybersecurity

Thank you to my lovely colleague, Ella Donald, for generously taking time to write this article supporting the demystifying cyber project and helping people to stay safer from cybercrime.

How do I spot a phishing scam?

As society becomes more digitised, our lives are increasingly conducted online. We must give our banking details, identifying information, and more to many sources, and may be prompted to provide them again. Our email inboxes are, more than ever, a receptacle of sensitive information. So, if many organisations – from our bank, to gym, to phone company, postal service, and government – have our details, how can we tell that an email from them is legitimate?

Phishing scams are attempts by an attacker to extract personal information from a victim. This information can include banking and credit card details, passwords, and other personal details, and the attempt can be made through emails, phone calls, and text messages. Phishing scams can also install malicious software (e.g. ransomware) on a computer. These scams are becoming increasingly common and complex in this digital age, with attackers impersonating trusted brands and organisations from Australia Post, to the Australian Taxation Office, to Netflix. How can we keep our information safe in these circumstances? Below, learn how to spot a phishing scam, and how you can stay safe online.

Navigate to the website yourself to check

Phishing scams usually have a sense of urgency – for example, an email telling you that your account or computer has been compromised, or a call informing you of a charge on your credit card. Attackers have recently posed as Amazon and Microsoft to carry out scams like these, designed to elicit a knee-jerk reaction from the victim. When receiving a message such as this, it's important to not panic and respond to the call, message, or email – and never open a link or attachment on an email that has this tone. This could trigger ransomware or another malicious software to be installed on your computer.

Instead, open your web browser and navigate to the website of the organisation or brand that the email claims to be from. Then log into your account, and check your details, transactions, or other information that the message is claiming to be compromised. If you can’t access their website, ring their official number (not that listed on the email, or the number that called you) and ask to speak to a representative, who will be able to verify the legitimacy of the message. This will ensure that you’re accessing a legitimate website and are avoiding any possible viruses.

Check the email address it is coming from

Official emails – whether from PayPal, Google, the government, Netflix, or a bank – will come from an address that includes the official domain name (e.g. ‘(name)@google.com’, ‘(name)@paypal.com’). When receiving an email that asks for banking or other personal information, click on the sender to check the address it is coming from. If the address doesn’t match the official domain name (you can always navigate to the organisation’s website yourself to check what it is), and is perhaps a mess of letters and numbers, this is an indication that the message is a phishing scam. Again, you can always log into your account on their official website or give them a call to check. Better safe than sorry.
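The sender check described above, as an added example that is not part of Ella's article: the official-domain table and the sample From: headers are constructed. The function reads the address part of the header (ignoring the display name, which a scammer can set to anything), takes its domain, and accepts it only when the official domain is the end of the hostname, so that an address at 'paypal.com.something.example' is reported as a lookalike rather than a match.

```python
"""Check whether an e-mail's From: address really belongs to the organisation it claims.

Added example (not part of the original article). The official domains and the
sample headers are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed registry: brand name -> the domain its official mail comes from.
OFFICIAL_DOMAINS = {
    "paypal": "paypal.com",
    "google": "google.com",
}


def sender_domain(from_header: str) -> str:
    """Return the domain part of a From: header, ignoring the display name.

    'PayPal <service@paypal.com>' -> 'paypal.com'. Returns '' if no address is found.
    """
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


def belongs_to(domain: str, official: str) -> bool:
    """True if domain is the official domain or one of its subdomains.

    'mail.paypal.com' belongs to 'paypal.com'; 'paypal.com.example' does not,
    because the official name must be the *end* of the hostname.
    """
    domain, official = domain.lower(), official.lower()
    return domain == official or domain.endswith("." + official)


def check_sender(from_header: str, claimed_brand: str) -> str:
    """Classify a From: header against the brand the e-mail claims to be from."""
    official = OFFICIAL_DOMAINS[claimed_brand.lower()]
    domain = sender_domain(from_header)
    if not domain:
        return "no address"
    if belongs_to(domain, official):
        return "matches official domain"
    if official.split(".")[0] in domain:
        # The brand name appears, but not as the registered domain: a lookalike.
        return "lookalike domain"
    return "unrelated domain"


if __name__ == "__main__":
    # Constructed sample headers, as they would appear in a mail client.
    for header in (
        "PayPal <service@paypal.com>",
        "PayPal Security <alerts@paypal.com.account-verify.example>",
        "Google <no-reply@x7k2q9.example>",
    ):
        print(f"{header!r}: {check_sender(header, header.split()[0])}")
```

The lookalike branch is the one to pay attention to: the brand name being present somewhere in the hostname is exactly what makes these addresses convincing at a glance, which is why the comparison is anchored to the end of the domain rather than searching for the name.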

Look out for misspellings and other imperfections

One hallmark of phishing emails is their subtle imperfections, that may not be immediately noticeable to the panicked eye but are obvious upon closer inspection. These can be everything from slightly pixelated images, to a misspelled domain name, to poor grammar in the email text. Alternatively, it may be that the layout and style of the message doesn’t fit previous communications you’ve received. These are a sign of a phishing scam, caused by the use of translation programs (that can provide a word without the proper context) and templates. If something looks not quite right, delete the email, and get in touch with the company through another method.


Ella Donald works with The University of Queensland’s Data Strategy and Governance team, and has a background in journalism and communications.

Guest Post - Simon Stahn - So, you want a new IOT device in your home ... #cybersecurity #IoT

Thank you to the well-respected data governance and information security expert, Simon Stahn, founder of  consultancy and advisory company, Adrenalan, for writing this article and supporting the demystifying of all things cyber. If you are deciding whether or not to get your home interconnected, or already have IoT in your home, this is the article for you to read.


So, you want a new IOT device in your home… how do you go about evaluating its risks to you and your environment?

Let’s reduce this to the questions you should be asking yourself to discover enough about the device / manufacturer / cloud-app before you let this 'thing' into your home.

When I approach new things, the first question I think about is:

Why do I need this device and what benefit(s) is it bringing me?

I think of the ’why’ as the key to my internal business case. This why determines both the benefit it (might) bring as well as qualifying what we are balancing the risk of having the device join our network and share in our data.


If we’ve established the why, we need to establish the risks of having the device in our lives and on our network. To get a feel for the risks, ask yourself the following questions:

Firstly, what data will the device actually be collecting and/or using to provide you a service? This is pretty crucial to the overall use case - if the device is measuring the temperature of your living room and that data gets out… 🤷‍♂️ well that’s likely not a big issue. But if it’s video and audio of the baby monitor and it’s being handled by a country that is not ‘legally friendly’ with Australia (i.e. any misdeeds with that data cannot be punished in any way) then it might be a bigger issue for you.

What info does the device or corresponding app need about me (or my family/business/staff) in order to function, or even set it up? Is this device ‘personal info’ that, if it fell into the wrong hands, could be used against me in some way?

- As a sub-question, can I give the device false info and still achieve my objectives of having the device? i.e. it’s not a law enforcement, government or financial sector device or app where it might not be legal to provide false details.

Where is my data stored? The answer to this will determine whether or not you could do anything about it if the organisation you, or your devices, gives the data to has a data breach.

Can I delete my data? If your new device has a one-way flow of data out to some cloud service, can you ensure that data is removed/deleted from the service after a given time period?

What is the likelihood of my data being breached? Evaluating this question as a “non techie” is very, very difficult. Even inside the info security industry, it is difficult to determine all the factors needed to make an educated guess at the probability of the data “getting out” to somewhere unintended. However, what I mean here is, for most people reading this, is that if you’ve heard of the big name (think Microsoft, Google, Amazon Web Services) then there is an inherent safety factor in that most of those companies spend a lot of money to protect themselves and their client data within their systems - because they will be held accountable when something goes wrong. On the other hand “Mom & Pop’s Corner Data Mart” that are based in a different country may have little to no repercussions for them.

How does the device connect to the internet/cloud? Is it through your wifi or a built-in mobile data service?

Can I use a unique email address for sign-up in order to provide some traceability if the gathering party misuses my data? e.g. with Gmail you can setup an email with a ‘+’ in it, to provide you some easy tracking if your email address is used for something other than what you gave consent to.

If the software (device or cloud app) isn't updated or 'patched' regularly, what does this do to my risks?

The term 'risk' as used here is a combination of the likelihood of something happening (usually something untoward, or it would be an opportunity, not a risk!) and the impact of that something happening. There are usually also mitigations that help reduce the overall risk.

A brief, simplistic example would be of a baking tray in a hot oven. If you open the oven and take out the tray with your hand, the likelihood of your skin coming into contact with the tray is 'almost certain' and the impact of coming into contact with the hot tray may be 'major' (i.e. being burnt). Combining the likelihood and impact we might end up with a 'high' risk to your health and safety. However, a simple mitigation of wearing a heat-proof oven mitt would lower (i.e. 'mitigate') the likelihood of your skin coming into contact to 'very rare' and may decrease the impact slightly as well, to say 'minor' (by decreasing the possible surface area of skin that may be affected during contact). Thus, the resultant risk with the mitigating mitt would be 'low'.

CHECKLIST

For those of you still reading who like checklists, my thinking is along the lines of understanding the following:

Why do I need this device; what benefit does it bring me?

What data will the device be collecting/using?

What info does the device or corresponding app need about me? How could this info be used against me?

Where is my data stored? And can I delete my data if I want to?

What’s the likelihood of my data being breached, and what is the impact to me?

How does the device connect to the internet/cloud, and how does data get in/out of your environment?

How is the device maintained / patched, and how regularly?

Practical Application

Let’s put this into practice and weigh up a use case I have just gone through - getting an IOT device to check pool chemical levels. For those that don't own a pool, there are various chemical levels that need to be 'in balance' for a domestic swimming pool to stay clean, sanitary and nice to swim in. Typically, pool owners use either test strips bought from the local pool shop or hardware, they take water to a pool shop for testing, or they pay someone to come around regularly to maintain their pool. I've been in the 'test strips' group but with an interest in home automation and a bit of a data geek, I could see the point in something a little higher tech, more accurate, and less wasteful of those little chemical strips; i.e. more sustainable, reliable and consistent.  

Context / aka 'use case': The test strips, and replacements I've been using, have provided unreliable, inconsistent data to me about the condition of the pool - namely pH, chlorine and salt levels. This has meant I've been treating the pool incorrectly (based on incorrect data) and have been spending too much money. The core problems are consistency and accuracy (within the limits of a pool testing device, but not a scientific tool for research) to cut financial losses in chemical costs. The pool is also inconveniently placed for me to do testing on a daily basis (i.e. I'm lazy and don't like going out in the cold and dark of a winter's morning!) to ensure I get my data.

 

Solution: a device that tests for the core levels (pH, free chlorine, salinity) with enough accuracy that I can make decisions and see trends (like pH rising over a week). And being a techno geek of some sort, I would like that delivered to my smartphone or email.


What benefit(s) does it bring me?

The device + cloud app brings me the ability to know what my pool chemical levels are like, updated on an hourly basis. This allows me to make decisions (like adding pool acid) based on not only instantaneous data (like using a pool testing strip) but on historical data over the whole day or week. In turn, this drives down the cost of making pool chemical errors, lessens wastage of both chemicals and testing strips; leading in turn to more swimming time and less swearing at the state of the pool.


What info will the device be collecting?

The device I put on my short list detects and collects pH, free chlorine, salinity, and temperature. There's no location data, other than what I choose to tell the app so it can give me weather predictions. 

For the purposes of a basic "can this data be used against me" analysis… well, you can tell how bad I am at managing our pool but in real terms, there is not much an attacker could do with this info. (Please get in touch if you think that the pH level of my pool could be used against me in something other than a public shaming of my pool maintenance because I'd legitimately love to hear another angle!)

All in all, I'm comfortable with what the device collects and sends away to be stored. (I am hopeful it will show that I will get better at pool maintenance… but that trend will only be visible with hindsight!)

 

Moving on - what info does the device need to operate?

It turns out that the setup of this device is app + bluetooth based (info I obtained from the website prior to purchase). I had made an unvalidated assumption that the device would then default to wifi connection, in order to upload its data to a cloud app.

It turns out I completely missed the fact it can use wifi but only does so when the Sigfox network is not available in the installed area. The what-fox-network!?! Standing there with the installer drilling holes in my pool piping, I realised I had never heard of the Sigfox network… I had a quick decision to make - do I let this install go ahead or stop it now?

I made a quick mental risk calculation - the device will be connected to 'some other network' but not mine and transfer minimal data (basically a few data points, every hour or so) to a cloud service. Thus, it should not be "a way in" to my network, so I let the install continue.

(As a side note - I actually have an IoT zone on my wifi network for such devices as this and had the details ready for the installer.)

Going back to answer the question though - the device only needs enough 'data' of mine to link/sync up with your account in the cloud app… so I'm happy enough with that.

 

Moving on from the shock of discovering a type of network I had not heard of yet that has coverage in my backyard… 

 

What data does the corresponding app need?

When setting up the app, I created an email address unique for this install in the format of myname+devicename@example.gmail.com which is simply delivered to the myname@example.gmail.com mailbox I already use. However, if the cloud app provider ever has a data 'leak' (or sells the data) then I might find spam coming to that particular myname+devicename address, so I at least know where the leak happened. 

Note that this is not 'protection' but it is a form of 'detection' in the language of security. I also used my password manager to generate a unique, long, complex passphrase that I'll never have to remember, because the password manager does that for me (topics for a different post, I'm sure!).
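The '+' tagging described here, and in the earlier question about using a unique sign-up address for traceability, as an added example that is not from the article: the mailbox name, the service tags and the sample spam recipients are all constructed. It builds one tagged address per service and, given addresses that later received unsolicited mail, reports which service each tag points back to, which is the 'detection' the post refers to.

```python
"""Plus-addressing as a leak detector: one tagged address per service.

Added example, not from the original article. The base mailbox, the service
tags and the 'received' messages below are constructed; the '+' convention is
the one the article describes for Gmail.
"""
from collections import Counter
from typing import Optional

BASE = "myname@gmail.example"  # constructed mailbox, not a real address


def tagged_address(base: str, tag: str) -> str:
    """Build base+tag so that mail still lands in base's inbox."""
    local, domain = base.split("@", 1)
    return f"{local}+{tag}@{domain}"


def tag_of(address: str) -> Optional[str]:
    """Recover the tag from a recipient address, or None if it carries none.

    The local part is lower-cased because the tag is compared case-insensitively.
    """
    local = address.split("@", 1)[0].lower()
    if "+" not in local:
        return None
    return local.split("+", 1)[1]


def leaking_services(recipients, registry) -> dict:
    """Count unsolicited messages per service, keyed by the tag they arrived on.

    registry maps tag -> the service you gave that tagged address to. Untagged
    addresses (or tags you never issued) are counted separately, since they
    say nothing about which service leaked.
    """
    hits = Counter()
    for addr in recipients:
        tag = tag_of(addr)
        if tag in registry:
            hits[registry[tag]] += 1
        else:
            hits["untagged or unknown"] += 1
    return dict(hits)


# Constructed sign-ups: each service got its own tag at registration time.
REGISTRY = {"poolsensor": "pool sensor cloud app", "gym": "gym membership portal"}

# Constructed sample of spam recipients: two arrived on the pool-sensor tag,
# one on the bare address (e.g. scraped from somewhere else entirely).
SPAM_TO = [
    "MyName+poolsensor@gmail.example",
    "myname+poolsensor@gmail.example",
    "myname@gmail.example",
]

if __name__ == "__main__":
    print(tagged_address(BASE, "poolsensor"))
    print(leaking_services(SPAM_TO, REGISTRY))
```

A tag tells you where an address was first handed over, not who currently holds it; as the post says, this is detection rather than protection, and a sender can strip the '+' part, which is why the untagged bucket is kept separate rather than being blamed on any service.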


The app also wanted my location (via smartphone location/GPS) as a one-time set of location, to sync up weather patterns that may be helpful when determining pool conditions. I ‘corrected’ the app’s location data and set it for a park near my house - close enough for weather purposes - but not my actual home address.

 

So far, so good - nothing I wouldn't expect, given what the device needs to do to provide me with my benefits. It has asked for no credit card numbers, photos of my driver's license or requests for my mother's maiden name or birthday. 👍

As a side note, this lack of pumping me for information is refreshing but correlates nicely with the manufacturer being European and having to conform with GDPR. Having the manufacturer conforming to this privacy legislation provides me with comfort that they will uphold some basic privacy principles like not storing or using my data for purposes other than what I have consented to.


What’s the likelihood of my data being breached and the impact to me?

Looking at what I know so far about the device and cloud app, I decided that the likelihood was effectively irrelevant as the impact of a data breach to me would be basically non-existent. 

Said another way, there is only pool water data and a unique user+password combo being held by the company providing me with the service – any breach of this data should cause me no harm, so I’m not going to invest time and effort investigating exactly where and how the company is storing my data.


How does the device connect to the internet/cloud, and how does data get in/out of your environment?

As evaluated earlier, the device connects outside of my home network. I can connect directly to it from my phone, using Bluetooth, to request an immediate water check, however this only provides an attack vector to my smartphone. As I’m using an up-to-date iOS device to run the app, using the IoT device (and its very limited compute power) to ‘attack’ me via my smartphone would be a very esoteric and costly way of ‘getting in’ to my environment. 

While valid for some threat models, I’m going to discount them for the typical ‘home user’ and this post. Why? Because they’re theoretical attacks around a completely different threat model to the target audience (please excuse the pun). If the device was, for example, a set-top box that is connected to a home’s core network and uses/stores your credentials to access your home computers for videos and music, there is a far more credible threat to be thought through based around the data and access of that particular IoT device.


Lastly, let’s look at how the device is maintained / patched, and how regularly.

For this IoT device, I’m not even sure it can get software updates as it is a very basic device. If it does, it will likely require a local Bluetooth connection from the smartphone. The Sigfox network seems to exist more for transferring captured data points, not maintaining software/patch-levels.

The supporting cloud app seems to be patched through the smartphone’s app store for bugs and features, and the cloud server side is invisible to me. As covered earlier, if this device gathered info that I was more concerned about, I would investigate the server side more.

Summary

In summary, while I did look at my list of key points to evaluate, the fact that neither the device nor the related cloud app gathers any data of use to anyone but me, along with the benefits the device should realise, made it a quick decision to approve the device for install.

Now if only someone would break into the device, see the trend of my pool’s pH levels rising on a daily basis and tell me exactly how I can solve that problem… now that’s a ‘hack’ I could get behind!


#Cybersecurity - least privilege

The concept of least privilege relates to users having an account on a computer / system that has the absolute minimum permissions needed to do their work.

If a criminal manages to access a computer or system via administrative privileges they can hide their tracks, exfiltrate data, and ensure they remain undetected for a long period of time. If however a criminal gains access to the computer system credentials of a person with limited access, then the criminal is restricted on what they can do.

While it is understandable that some computer users in a business environment may want the flexibility and freedom to download and update software on their work computer themselves, this can cause a significant cyber security risk to the computer, data, and system. For home users, good practice is to create two accounts on their home computers: one with administrative rights, and a secondary account without administrative rights that serves as the everyday computer account.

Restricting administrative rights will allow users to continue their work while reducing the attack surface for criminals.



Guest Post - Craig Ford. - The road less travelled

Thank you to author and infosec professional Craig Ford, for writing this article and supporting the demystifying of all things cyber. If you are looking for your dream career in cybersecurity, infosec, all things cyber, this article will be of interest to you.

If you use Goodreads, please follow Craig's author page on Goodreads.

.........

The road less travelled

What is the right path for you to get into cybersecurity? 

Honestly, I have absolutely no idea and I think it's okay if you don’t either. I get asked this question a lot, by industry peers, by people wanting to get into security and by the people doing the hiring but I really don’t know the answer. My path migrating from an IT support background dating back to the dinosaurs (really just early 2000s but sometimes it feels that way), doing a masters and a transition over via a dual IT/cybersecurity role, it’s a path I would feel is quite common. 

Is it though? 

I was in IT for more than ten years before I did my first degree. I did the degree because I was moving into management-type roles and wanted to expand my skills in that area; that’s why my first degree was the “Master of Management (Information Technology/Digital Forensics focus)”. I honestly chose digital forensics because I thought it sounded cool. I had been asked to do some reports for legal cases before as an expert in IT and I thought why not learn the principles so that I could better provide that service. Makes sense, right?

I found my passion with this decision; I didn’t know it at the time, but I got the security bug and that has been my drive ever since. That transition was not an easy one though, even with two master’s degrees and almost 15 years of experience in IT roles I was still finding it difficult to make the change. It is baffling, I had all of the foundation skills, I knew how systems worked, I had the job of fixing anything and everything, I was perfect for a SOC analyst or incident responder. I could learn that skill quickly. 
I kept failing though, missing out on jobs, rejection after rejection. I didn’t stop; I kept volunteering for any security-related activities in my IT-focused roles and I was building the experience, but that still wasn’t enough. I either didn’t have the right certs (I had two master’s degrees, for heaven’s sake) or I didn’t have the minimum of five years’ experience for an entry-level job.

It’s ridiculous. 

I know change is hard and it doesn’t happen overnight but we as the industry need to figure out what we are doing. With an avalanche of threats facing businesses, we need to pull down that wall, the barrier that is stopping them from chasing their dreams. Look not everyone is suited to every role in cybersecurity, some do require specific skills or talents that just can’t be ignored but many roles can be taught, people can be taught. 
I have gotten a little side-tracked though, I want to talk about your path, yes you. Your path doesn’t need to be like mine or any other person already in the industry. I get it, you have role models, you want to be like them, that’s awesome I get that completely but don’t try and walk their path. You need to do you. What do I mean? You need to walk your own path, find your own way, not a well-trodden path that has come before you, the one that is overgrown and covered in vegetation. The one that scares you and pushes you out of your comfort zone. If you have a goal figure out how you can get there. 
Let’s expand on this a bit, I don’t even know if my path was the right one for me and your idol that you want to mirror may have parts of their own journey that they regret or think was unnecessary. They might think their path is perfect, but does that mean it will be for you? No, I think you will find it is not the case, maybe it is but probably not. We are all individuals and should not try to fit a round peg in a square hole or vice versa. The cybersecurity industry needs new ways of thinking, not old ways. We need you to take a path less travelled, to have a different viewpoint, a different perspective. 

I know it won't be easy, I know at times many of you will want to give up. I did a few times. I want you to keep going, forging new paths, doing things a bit different. 

If you have read my A Hacker I Am book series you will know that is my jam, walking the slightly different path, doing things a bit differently. I think it makes me who I am, not everyone likes how I do things and that’s completely okay because I am doing me and they are doing them. Remember we are all different and we need to do things how we need to. 
So what was the point of the article? It is simple (well, in theory anyway): when figuring out how to break into cybersecurity, think less about what everyone else has done. Think about your goals and your skills, what makes you a good candidate for security, and build on that. Find your path, one that works for who you are. Expand on what you love, what you are good at. The opportunity will come when you least expect it; don’t rush it, just enjoy your journey, and when that opportunity does come knocking don’t hesitate, seize it.

Guest Post - Rajitha U. - Responsible Disclosure

Thank you to the highly respected infosec professional, Raj, for writing this article on responsible disclosure of exploitable vulnerabilities. This article highlights the reasons for being careful about how vulnerabilities are disclosed, and the ethical approach to this disclosure.

.........

A few days ago, I saw one of the cybersecurity enthusiasts publish a post on how he found a brand-new vulnerability affecting a network security device. No doubt it’s cool when someone identifies a bug/security flaw, and many followers congratulated him on his findings. It turned out the person found the flaw and then, within a few hours, posted it straight to social media.

Finding a security flaw/vulnerability is a fantastic thing. However, you must do a responsible disclosure too.


There are three ways of doing a disclosure:


Private disclosure

In the private disclosure model, the vulnerability is reported privately to the organisation. The organisation may choose to publish the details of the vulnerabilities, but this is done at the discretion of the organisation, not the researcher, meaning that many vulnerabilities may never be made public. The majority of bug bounty programs require that the researcher follows this model.

 

Public (or Full) Disclosure

The full details of the vulnerability are made public as soon as they are identified. This means that the full details (sometimes including exploit code) are available to attackers, often before a patch is available. The full disclosure approach is primarily used in response to organisations ignoring reported vulnerabilities, in order to put pressure on them to develop and publish a fix.

 

Responsible or coordinated disclosure

Responsible disclosure attempts to find a reasonable middle ground between these two approaches. With responsible disclosure, the initial report is made privately, but with the full details being published once a patch has been made available (sometimes with a delay to allow more time for the patches to be installed).

In many cases, the researcher also provides a deadline for the organisation to respond to the report or to provide a patch. If this deadline is not met, then the researcher may adopt the full disclosure approach and publish the full details.

 

It’s clear that the responsible disclosure approach is designed to ensure that security researchers/enthusiasts identify security flaws/vulnerabilities and product owners/vendors fix them within a reasonable time. Also, this system enforces time limits on vendors to act; if not, the researcher can go for full disclosure.

 

So why would people go with the full disclosure?


- Lack of understanding of vulnerability disclosure ethics.

- To gain public attention (to the person)

- Unavailability of a Proper vulnerability disclosure policy by the product vendor

 

Why you shouldn’t choose public disclosure as the first option

 

- The intention of finding a vulnerability is to get it fixed, so if we do a full disclosure in the first place, an attacker could easily exploit or weaponise it and cause harm to systems used by the general public.

- Someone else may already have done a responsible disclosure, and the product owner/vendor is already working on a fix (this period is known as a disclosure embargo).

- You may be violating the software use agreement and could face legal challenges.

- You may be breaking the ethics of cybersecurity. This may also severely impact your career.

Suppose you ever find a vulnerability/security flaw. In that case, the best thing you can do is a responsible vulnerability disclosure, so you play your part in the fight against cybercriminals. If you are unsure, get advice from a cybersecurity professional.


Further Reading

 

ASD ISMS guidelines on Vulnerability disclosure program -  https://www.cyber.gov.au/acsc/view-all-content/guidance/application-development

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 29147:2018, Information technology – Security techniques – Vulnerability disclosure, at https://www.iso.org/standard/72311.html

CISA Coordinated Vulnerability Disclosure (CVD) Process - https://www.cisa.gov/coordinated-vulnerability-disclosure-process

#cybersecurityFAQ - Does HTTPS mean the site is safe?

The Cybersecurity FAQ series, in the Demystify Cyber project's blog, looks at some commonly asked questions about cybersecurity and cybercrime. If you have a query you would like covered in a future blog post please contact Demystify Cyber via the contact form.

________________________________________


QUESTION: If the website has HTTPS does that mean it is safe?

ANSWER: HTTPS means the web traffic is encrypted for data transmission security, but it does not mean the website is safe.

The Hypertext Transfer Protocol Secure (HTTPS), first used in 1994, places a layer of encryption over HTTP to help prevent sensitive data, like payment details, from being eavesdropped on or leaked in transit. This means that traffic to a site using HTTPS is encrypted and private. However, just because a website uses HTTPS does not mean the site is safe from being compromised, nor does it prevent the site from dropping malware on its visitors' computers or being used to phish for credentials. In fact, criminals may purchase their own certificates to create malicious websites that use HTTPS.

Do not be lulled into a false sense of security when you see a site is using HTTPS. The connection may be encrypted, but that does not mean the site is not being used by criminals.


10 cybersecurity essentials for individuals

If you use connected or connectable technology in any form, it is essential you do what is in your power to help protect your information, finances and accounts. Although cybersecurity can seem daunting, it is just another avenue of life we need to learn to be secure in. From a young age you may have learned about keys and locking doors, or looking both ways before crossing a street; let's make cybersecurity as easy to understand!

Here is a list of some achievable basic cybersecurity essentials to consider.


  1. Keep software patched
  2. Use reputable and up to date antivirus software
  3. Use strong unique passwords – do not reuse passwords
  4. Use 2FA or MFA wherever possible
  5. Be vigilant about phishing, vishing and smishing scams, and those seeking to groom you or your children
  6. Protect your Personally Identifiable Information (often referred to as PII) and understand how to help others protect theirs
  7. Be cautious what you download or on what links you click
  8. Back up data regularly and store offline
  9. Review online accounts and credit reports
  10. Take care what you post online about your job, accesses, location




[Image: cartoon of a green frog typing, with a speech bubble in which the frog says it uses multi-frog authentication to keep its accounts secure]







Guest post - James Meikle - BBQing #Risks Steakments (Statements)

 Thank you to James Meikle for contributing his expertise to support the Demystify Cyber project. 

........................

BBQing Risks Steakments Statements

 

Risk statements have the power to deliver a strong message to people from all backgrounds about something bad that might happen. To be clearly understood, common language should be used. There are a few different ways to formulate risk statements; this is just one of the common ones.

PS: We all need an acronym swear jar!

 

As I would like to see more powerful messages, and I like Aussie BBQs, it is time for a combo!

 

Diving in at BBQs you usually need a story; to keep the interest going, use the common tongue and use Aussie slang rarely. You tell a story, and you hope people understand it. Your feedback is provided by still having an audience, and as you practice you get better at it. There is a formula for success in storytelling; it is watchable if you do not do this yourself.

 

A formula is also needed for successful risk talking. Let us try a minimal one (in BBQ speak), and yes, I had to change it for the example, but it is still based on a true story from our very own Gold Coast of Australia!

 

“Our family fun day on a whale sighting trip may be ruined by naughty jet skiers that get too close scaring off whales resulting in no fun and children in tears.”

 

This is going to get a bit quirky, but let us try to take this apart. My rough translation of talking risk is people trying to explain the effect of uncertainty on what they want to occur, so they can help the situation.

 

Event

An event is something that happens due to something else that disrupts its objective. In this example the objective is family fun, and the event is a whale sighting tour. Keep it to one event per statement.

 

“Our family fun day while on a whale sighting trip may be ruined”

 

Cause

The jet skis cannot be linked directly to kids crying their little hearts out, as the effect of their being there is scaring off whales. Cause and event can be mixed up if you are not careful: events have objectives, causes do not. There can be more than one cause.

 

“… by naughty jet skiers that get too close scaring off whales”

 

Consequence

The worst examined outcome for the day was whales not being seen on a (first-time) sightseeing tour, with crying kids and a ruined day. I always seem to focus on this one, since it is the meaty part of why we should care about the risk. There can be more than one consequence.

 

“… resulting in no fun and children in tears”

 

Okay since my BBQ stories have happy endings when involving children, I must add this bit…

“The day was saved by instant karma when the pair were intercepted by the cops, waved at by a few really happy children and camera people. Kids got to see a whale. Day saved!”

 

It has been said before that we cyber people must speak many languages, but the common one is the most important.

 

My quick tips advice

 

1. Use common language

2. Use specific industry language sparingly, only if you must (Aussie slang at BBQs!)

3. Use an obvious formula like:
There is a risk that “Event” occurs that can be “caused by” resulting in “the bad thing”.

4. Use your voice and read them out loud (mind the people around you)

5. Use the basic one you come up with as a base to build on and add to the narrative.
Break up the statement using spreadsheets or other tools to make it easier to consume, if appropriate.

6. Use ISACA’s good-quality risk statement questions to sound out your content:
What could happen? Why could it happen? Why do we care?

 

Helpful links

https://www.isaca.org/

 


Guest Post - Laura Jiew and Sean McIntyre from AusCERT - I got 99 problems but a vuln ain’t one


Thank you to AusCERT's Laura Jiew and Sean McIntyre for writing a guest post for the Demystify Cyber project. Cybercrime fighting is truly a team sport, and I am thrilled to have this contribution from AusCERT for the blog. The team at AusCERT have always been extremely supportive of me both professionally and with my personal projects and volunteer work, and they are passionate about supporting the community and nation to stand strong against cybercrime. I recommend their blog for up-to-date cybersecurity information; you can get to it from this link: https://www.auscert.org.au/resources/blogs/

............

 Ninety nine problems but a vuln ain't one

If you’re having cyber problems, I feel bad for your SOC
I got ninety nine problems but a vuln ain't one, hit us!   

Okay, cheesy (revised) lyrics aside, I caught up with my colleague Sean McIntyre, Information Security Analyst at AusCERT, to discuss our shared thoughts on the common misconception that cyber criminals are “hooded / masked baddies”, and we outlined some ways in which AusCERT, as a not-for-profit security group, can help our members and the general public avoid the common pitfalls of falling victim to a cybercrime and/or incident.

 

Sean, it isn’t unusual for our collective cultural community to think of cyber security in terms of tired cliches and common tropes. In your opinion, what can we do to help people understand that a cyber criminal or victim could look like anyone, including you and me?

 

I think it’s really important to talk to folks - family, friends, neighbours even - about how cyber crime isn’t discriminatory, that it can happen to anyone. I feel it’s great that the media draws attention to cyber related incidents, it helps bring the topic to the mainframe. People relate to examples like Nine Network or domain.com.au. However, I do think we can do better at the grassroots-level. We should start talking about it with kids in schools etc., avoid making “cyber” a scary topic. I think organisations like eSafety do some good work in this space [1].

You’ve been working at AusCERT for close to 18 months now, in your opinion and observations, what cyber security challenges are the most common in terms of our membership audience? 


Personally, my top 3 observed challenges are as follows:
 

  1. Staying on top of the countless advisories, vulnerabilities and CVEs that come through daily. Identify all of your infrastructure: systems, operating systems, patch levels, appliances, applications. This may sound elementary, but sometimes the concept of going back to the basics is a great starting point. Actually, Jess Dodson, one of our keynotes and speakers at the AusCERT2021 conference, does a great job of this through her personal website, definitely worth checking out! [2]. Members, once you’ve done this audit, make sure you subscribe to the appropriate AusCERT security bulletins through our member portal function.
  2. Identifying Business Email Compromise (BEC) attempts from what can be extremely confusing email headers, and what to do from there. BECs are such a common scam, so much so that the ACCC recently reported that payment redirection scams, also known as business email compromise (BEC) scams, resulted in $128 million of losses in the year 2020 [3]. Members, the AusCERT team is always happy to assist with the analysis of phishing email attempts and headers, and will contact and assist affected member organisations where a BEC has occurred. Don’t forget that public agencies such as Scamwatch can also assist [4].
  3. Domain impersonation or squatting and brand protection. This one is a particularly challenging one, as AusCERT would love to help members who find themselves in such cases; however, our success in getting websites taken down relies on malicious activity such as phishing or malware delivery being present. In cases where a brand is being impersonated, registrars and website hosts will request that the owner of the trademark contacts them directly. Abuse contacts can generally be found in the ‘whois’ info of a domain. Members can always reach out to our team for assistance and we are happy to walk through the necessary steps with them.

 

We sat down and did one of these sessions at the end of last year, when you and I presented a case study on the AusCERT Incident Management service [5]. Can you reiterate the key take-aways for our readers again?

 

Of course! For those who haven’t had a read of that piece we did together, definitely check it out on the AusCERT website [5].

If you’re an AusCERT member, definitely utilise our 24/7 Incident Hotline or email us at auscert@auscert.org.au for any cyber related incidents.

 

Where possible, implement the “Essential 8” as outlined by the ACSC [6]. This protocol provides a baseline for cyber security incident mitigation. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.

Thanks so much for the chat Sean!
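Sean's second challenge, reading confusing email headers for Business Email Compromise, is the kind of triage a small script can support. The following is an added example, not AusCERT's tooling: it assumes the receiving mail server writes an Authentication-Results header and that the subject keywords are a small starting list, and every address, domain and header line in it is constructed for illustration.

```python
# Added example (not AusCERT's tooling): BEC header triage; all addresses and domains are constructed.
from email import message_from_string
from email.utils import parseaddr

def _domain(addr: str) -> str:
    """Lower-cased domain of an address like 'Name <user@host>' ('' if none)."""
    addr = parseaddr(addr)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def bec_indicators(raw_headers: str) -> list[str]:
    """Return human-readable reasons the headers look like a BEC attempt."""
    msg = message_from_string(raw_headers)
    from_hdr = msg.get("From", "")
    display_name, from_domain = parseaddr(from_hdr)[0], _domain(from_hdr)
    reply_to, return_path = msg.get("Reply-To"), msg.get("Return-Path")
    auth = (msg.get("Authentication-Results") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    reasons = []
    # Replies (and any "updated" bank details) go to a mailbox the sender does not own.
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append(f"Reply-To domain '{_domain(reply_to)}' differs from From '{from_domain}'")
    # Envelope sender (bounce address) is not the apparent sender's domain.
    if return_path and _domain(return_path) != from_domain:
        reasons.append(f"Return-Path domain '{_domain(return_path)}' differs from From '{from_domain}'")
    # Display name smuggles a trusted-looking address in front of a free-mail account.
    if "@" in display_name and _domain(display_name) != from_domain:
        reasons.append(f"display name shows '{_domain(display_name)}' but address is '{from_domain}'")
    # The receiving mail server recorded SPF/DKIM/DMARC failures.
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            reasons.append(f"{mech} failed according to Authentication-Results")
    # Classic payment-redirection lure in the subject line.
    if any(k in subject for k in ("bank details", "urgent payment", "new account")):
        reasons.append("subject uses payment-redirection phrasing")
    return reasons

# Constructed headers of a payment-redirection attempt (placeholder domains).
SAMPLE_BEC = """\
Return-Path: <bounce@relay.example>
Authentication-Results: mx.ourcorp.example; spf=fail smtp.mailfrom=relay.example; dkim=none; dmarc=fail
From: "Chris Finance <cfo@ourcorp.example>" <chris.finance.cfo@webmail.example>
Reply-To: <cfo.ourcorp@freemail.example>
Subject: Urgent payment - updated bank details for supplier
"""
# Constructed headers of an ordinary internal message; should raise nothing.
SAMPLE_LEGIT = """\
Authentication-Results: mx.ourcorp.example; spf=pass; dkim=pass header.d=ourcorp.example; dmarc=pass
From: Jane Doe <jane.doe@ourcorp.example>
Subject: Q3 expense report
"""
```

Running `bec_indicators(SAMPLE_BEC)` returns six reasons (mismatched Reply-To, Return-Path and display name, SPF and DMARC failures, and the subject lure), while the legitimate sample returns an empty list; the output is a prompt for an analyst to look closer, not a verdict.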


.............................


AusCERT is a Cyber Emergency Response Team (CERT) based in Australia. We help members prevent, detect, respond to and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland, Australia, we deliver a 24/7 service to members alongside a range of comprehensive tools to strengthen their cyber security strategy and posture.


..........................

 

Resources:
[1] https://www.esafety.gov.au/kids
[2] https://girl-germs.com/?p=2324
[3] https://www.accc.gov.au/media-release/scammers-capitalise-on-pandemic-as-australians-lose-record-851-million-to-scams
[4] https://www.scamwatch.gov.au/types-of-scams
[5] https://www.auscert.org.au/blog/2020-11-06-case-study-incident-management
[6] https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained