Vox Ex Machina




2024 - The Year of Data Integrity

Greetings, Cyber Security enthusiasts! Welcome to the Enersec year-end review for 2023 and our forward-looking predictions for 2024. As numerous countries gear up for elections this year, the presence of AI looms large, poised to exert its influence on electoral outcomes. The impending AI misinformation battles are set to intensify, raising questions about whether AI might end up manipulating itself. This could lead mainstream media to predominantly echo social media narratives, rendering traditional fact-checking efforts obsolete in the rapidly evolving news cycle. The news industry may find itself caught in a loop, with the world having moved on before verified information is reported.

Reflecting on 2023, it was a year marked by a surge in ransomware attacks, thanks to what we dub "Chocolate Fireguard Cyber Security." This surge, in turn, bolstered the relevance of otherwise worthless cryptocurrencies, used primarily to fulfil ransom demands.

Looking ahead to 2024, CEOs are poised to take a more active interest in Cyber Security. While technical aspects remain within the purview of IT departments, boardroom discussions will increasingly focus on analysing and understanding the business risks associated with potential cyber threats. Addressing these risks, especially with products reaching end-of-life in 2024 and 2025, will necessitate strategic plans to prevent business failures. Brace yourselves for significant upgrades in Hardware Security Modules.

The Horizon Post Office scandal continues to plague the justice system, underscoring the foundational importance of integrity in Cyber Security. Policing and measuring integrity, the most elusive component, pose significant challenges. The default assumption of computer infallibility within the justice system has led to life-altering consequences. A proposal to replace the justice system with HAL, an error-free computer, adds an ironic twist to this ongoing saga.

In the realm of compliance, the trend of tick-box mentality prevails into 2024. Managers find solace in green ticks as symbols of accomplishment and proof. However, the cyber security audit landscape may not be as vigilant about non-compliance, particularly in the face of regulatory capture economics, especially during an election year. Those adept at plausible deniability and ambiguity thrive in this environment, where achieving nothing becomes an art form, and the revolving door remains open.

The cyber landscape in 2024 is set to embrace Post Quantum Crypto, Lattice-based cryptography, FIPS 140-3 compliance, and Deep Space Optical Communications. Blockchain, often dubbed the digital lemon, might find a purpose in addressing challenges, possibly linked to self-driving cars. Cyber Security's role in ensuring food security gains prominence, with Agri-Tech emerging as a vital player in global food supply chains.

The trend of impersonal tech support persists in 2024, especially when database errors lead to erroneous electricity bills. People and businesses find themselves at the mercy of automated systems, replete with the biases and flaws of anonymous creators. The era of Data Armageddon is upon us, rendering data integrity meaningless without regulation supported by legislation. The computer assumes infallibility, leaving no qualified individuals to verify the accuracy of data. It's a call for comprehensive regulation to safeguard data integrity in this digital age.

Good Luck for 2024.


2023 - The Year of the Cyber Peter

Enersec delves into the future of 2023 and looks back at the previous year to see what lessons can be identified.

Data breaches, ransomware attacks, and crypto-currency pyramid scheme collapses dominated the headlines in 2022. The crystal ball predicts that this will continue into 2023, coupled with worldwide recession, stock market collapse, wars, impending global climate disaster, semiconductor supply chain issues, famine and plague. Oh, and let's not forget inflation, the cost of living crisis and potholes in the road. More on those pesky potholes later.

Is there any good news? Yes indeed, the opportunities for the global cybersecurity experts (heroes) to come riding to the rescue are many. However, before we delve into those opportunities, we must first look at the Peter Principle. The what!? I hear you cry.

The Peter principle is a satirical theory developed by Laurence J. Peter, which postulates that people in a hierarchy rise to "a level of respective incompetence": they are promoted until they reach a level at which they are no longer competent.

This is standard practice in politics. UK Politicians and Prime Ministers are a case in point.

The principle has been adopted by the software community as the Software Peter principle, which describes a faltering project that has become too complex to be understood even by its own developers.

Now this sounds familiar.

In 2023 we will see the rise of the Cyber Peter principle. The entire cybersecurity ecosystem has become so complicated and convoluted that people, organisations and entire governments no longer know which way is up.

Let's face it, those in perceived control at their level of relative incompetence are too busy checking out the latest social media news and gossip, which will influence their next misguided political or business move.

Shadow IT devices in 2023 will reach epidemic proportions; the warnings have been coming for some time. Shadow apps and processes emerge in government and the private sector because of a lack of oversight. IT departments do not provide staff with the tools to do the job, or at least to do the job easily. Security is deemed too difficult to comply with, no matter how many staff training seminars are conducted.

Social media apps will continue to be a prime source of social engineering in 2023. Reliance upon social media, verging on addiction, does not help control the prime resource of social engineering and cyber attacks. Time and time again social media is used to trick, coerce and gain access to bank accounts and, in some cases, entire IT systems. The media industry is itself addicted to social media. This is a self-fulfilling prophecy akin to Stockholm Syndrome: using, promoting and defending the very thing they hate most, misinformation and disinformation platforms.

Cabinet ministers conduct government business via WhatsApp on personal phones, because official alternatives are too difficult, inconvenient and cumbersome. Humans take the easy route every time. If there are no consequences for breaking rules, then rules will be broken.

Cybersecurity marketing brochures and policies for robust cybersecurity do not meet the real people at the coalface.

The tools to do the job quickly, efficiently and securely must be provided to the workforce; otherwise insecure workarounds and alternatives will be found and used. This starts at the top and trickles down.

The foundation stones of cybersecurity are beyond the scope of most IT departments. The operating systems and microprocessors that we all rely on are not perfect, far from it. All IT departments can do is patch quickly and anticipate obsolescence, with a future-proof plan of action. Understand the risks and mitigate them.

This brings us back to those pesky potholes, “4000 holes in Blackburn, Lancashire.” Over the years I have noticed across the UK that the state of the roads has noticeably deteriorated. The potholes appearing, which are not being fixed, have reached epidemic proportions. In my local area after the 2022 pre-Christmas freeze and thaw, many new holes have appeared. I don’t expect that they will be fixed anytime soon. We have the technology to get people to the moon, and yet fixing potholes quickly seems beyond us.

What have potholes got to do with cybersecurity?

If councils cannot fix potholes in the road, they cannot fix cybersecurity holes. The state of a nation's roads is a direct reflection of its governance.

Let's imagine a different approach. Prevention is better than cure. Repair cracks before they get worse. Use AI and available data to proactively monitor for holes. Repair holes asap, with repair drones, to avoid further consequences. Invest in new road surface technology and drainage. Think 10-20 years in advance.

Policies are easy - Free school meals for all children. Making this happen is another matter.

Businesses and governments that will succeed in 2023 are those that understand the cyber risks they carry. Those that can revert to a pen and paper strategy in the case of a cyber meltdown, whilst the systems are being restored from backup, to enable the business to function, will prosper. Technology is not the silver bullet that many organisations have come to treat it as. Flights cancelled due to IT disruption? Give me a break. Have you tested your DR plan? No, of course you haven't, as this is too disruptive. "It's working, don't touch it" is the cry from all those senior executives on final salary pensions with only one year to go. Then it will be someone else's problem.

Do senior executives understand their PKI, or their reliance on unencrypted removable media processes? Do they realise that their IT department has introduced backdoor processes to enable them to do their job, whilst appearing to adhere to cybersecurity policy?

When a company is hacked and data breached, we get an initial news report and then all goes quiet. The root cause analysis is not made public, nor is the fact that millions were paid to the criminal ransomware hackers for decryption keys that never appeared. The vulnerabilities discovered during the Cyber Essentials audit went unfixed and were exploited. No consequences.

Integrity will be a big word in 2023. We only need to look at The Post Office Horizon IT Scandal to see the worst of it. Little old ladies sent to prison and lives ruined. Again no consequences for those in charge at the time.

The cybersecurity industry badly needs clear lines of responsibility and consequences for breaches that impact lives. We require transparency and accountability. This starts with an audit of your cybersecurity and a plan.

Let's look at those opportunities. Go back to basics: ask your IT department for a firmware audit; this will keep them busy for a while, since in almost every organisation this foundational cornerstone is neglected. Test your DR plan. Check that your source code is signed and integrity-checked. Are your private keys really private? Ask your IT department for proof, and to place that evidence in the evidence folder. Is your evidence admissible in court? If you were called into court, could you state that you did everything you could have done to prevent the cyber attack that cost lives or livelihoods?

I expect in the future, possibly in 2023, that a CEO will not be able to answer yes confidently, will be found guilty of negligence and will end up in prison, where they belong.

Keep your hands on the wheel and eyes upon the road, and don't forget to rock n roll.

Good luck for 2023.


2022 - My God it's full of stars


The start of a new year in 2022. What can we learn from 2021 and what do we foresee for the future of cyber and security? 

Without doubt the ransomware attacks on critical national infrastructure reached epidemic proportions. The crystal ball predicts that this will continue as a lucrative business opportunity for bad actors, and we are not talking about the Hollywood variety.

“Is it asking for Bitcoin?”

The omnishambles variant and its ilk will continue to shape the modern world and the new normal practice of “working from home”. The SolarWinds fiasco has not been solved and lessons have not been learned. The supply chain remains as riddled with flaws as ever, and God only knows what evil lurks in the code of open source software.

However, all our problems have been solved by the “Executive Order on Improving the Nation’s Cybersecurity”:

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

“The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.” 

Those pesky actors again!

“The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”

That’s right, folks: it's down to you to make sure cyberspace is safe. The governments of the allied forces will share intelligence, and then share that intel with corporations, to ensure the safety of citizens around the world. Castles in ancient times were built to be “secure by design”, and now we are going back to the future to embrace that philosophy.

The word security is being replaced with the word risk. Security does not exist, only the acceptance of risk. Life is impossible without the acceptance of risk: crossing the street, driving on the M25, swimming in shark-infested waters, flying kites during lightning storms, etc, etc. Insurance companies measure risk and assess how much your insurance will cost based upon past experience, stats, where you live, your age and many other factors.

In theory, cyber risk can be measured and mitigated. In practice, it is difficult to judge the cyber practices of a company and the labyrinth of its supply chain.

“The purpose you undertake is dangerous.
Why, that’s certain. ’Tis dangerous to take a cold,
to sleep, to drink; but I tell you, my Lord Fool, out
of this nettle, danger, we pluck this flower, safety.
The purpose you undertake is dangerous, the friends
you have named uncertain, the time itself unsorted,
and your whole plot too light for the counterpoise
of so great an opposition.”

William Shakespeare - Henry IV Part 1: Act 2, Scene 3

However we have this handy and pretty box that will help protect you.

Good luck all for 2022


2021 - The Future Of Cyber.



What can we learn from 2020? What can we expect to happen in 2021? Can the “Zero Trust Model” be trusted?

2020 will go down in the annals of history as the most important year in the history of womankind since World War II. COVID-19 and all that this entails will continue into 2021 and beyond. The world will never be the same again. 

Where do we go from here? The “new normal” is a phrase that we have become used to hearing. 

In the world of Cyber, the SolarWinds hack is a monumental moment; the world of Cyber will never be the same again. Is this the cyber equivalent of Pearl Harbour? Will this wake the sleeping giant of the USA?

The film Parasite won the Academy Award for best picture in 2020. This is a very apt winner. The story of how a poor family infiltrates a rich family only to discover that another poor family is already living in the basement.

Every day the news seems to get worse. Rather like the condemned man in Monty Python, “you are only making it worse for yourself!”

The official narrative of both 2020 events is a work in progress. The unofficial narrative is also a work in progress. The questions of Who; What; When; Where; Why and How will be debated for many years, and possibly will never be fully answered or a consensus agreed upon. 

We are still waiting for a universally agreed scientific answer with regards to the Egyptian pyramid construction techniques, and alignment to constellations such as Orion. 

Speaking of Orion:

“The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.”

Yada yada. Good luck with the hotfix.

One woman's conspiracy theory is another woman's truth: 400 years ago it was a conspiracy theory to believe that the earth and planets orbit the sun. The Heliocentric model undermined the authority of the powers that be (The Church), who fundamentally believed in the Geocentric model, which put the earth at the centre of the universe.

Stifling a balanced debate on any subject is never a way to win over the hearts and minds of people and does not make the fundamental belief correct. However this is exactly what will happen. We only have to look at the Boeing 737 Max debacle to see how the investigation will go. 

SolarWinds’ Orion monitoring and management software was hacked; the world can agree on that. In theory, all networks and computers that use, or have used, this software need to be destroyed. In practice this will never happen, as it is prohibitively expensive. A sticking plaster will be applied and most, if not all, organisations will pretend it never happened; senior management final salary pensions and Government reputations are at stake. Honesty and transparency are never the best policy. No one likes to air their dirty linen in public. Let’s blame the enemy, good idea.

What mines have been laid for future use?

Microsoft published a blog on the 17th of December, which is full to the brim with nuggets of wisdom on all things Cyber and Espionage.

https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/

However it turns out that the guardians of the galaxy have also been hacked and released a sheepish update statement:

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”

The deliberate-ambiguity lawyers will be getting paid overtime on this one for some time.

Many large organisations and Governments using the same security software make a very juicy target for a hostile actor. There are numerous ways to infiltrate an organisation, and in many ways this is now much easier in the modern world than it was during the height of the cold war; everything can be done remotely, from China, from Russia, from anywhere.

Lesson number 1 - Diversify your security approach. We can learn from the Tower of Babel in this respect.

Lesson number 2 - Don’t trust anyone. The twisted logic of the ancient proverb “The Enemy of My Enemy is My Friend.” Are they really your friend? Everything I say is a lie, am I telling the truth?

If you don’t know you have been hacked and there are no immediate consequences of being hacked, why worry?

Lesson number 3 - Irrational optimism is the enemy. “All along the watchtower, princes kept the view.” When the enemy is the very software that you use and rely on to monitor your security, you are toast.

It is not until you start looking for problems that you find them. FireEye were the first organisation to notice that they had been hacked and go public. Why no other company or Government organisation noticed that they had been hacked is a mystery.

Lesson number 4 - "Those who cannot remember the past are condemned to repeat it"

SolarWinds were warned that all was not well. However whistleblowers are never well received. Warnings were ignored.

Before Pearl Harbour was bombed by the Japanese, there were warning signs. Those warnings were even published in the Hawaii Tribune-Herald a week before the attack.

Eighty years later, and after countless investigations, the conclusion was that the causes were incompetence, underestimation and misapprehension of Japanese capabilities and intentions; problems resulting from excessive secrecy about cryptography; division of responsibility between Army and Navy (and lack of consultation between them); and lack of adequate manpower for intelligence (analysis, collection, processing).

Indeed. 

Last but not least, Lesson number 5 - “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu - The Art of War


LAN usage and “cloud” enablement for nCipher Edge

The nCipher Edge unit, as you are aware, is a portable, USB-connected, low-volume transaction Hardware Security Module (HSM) which is the cost-effective choice in the nShield product line.

The nCipher Edge unit works well in a single-user environment, either locally or via passthrough to a virtual machine with the relevant COM port mappings. With the logistical difficulties caused by COVID, and a move to a more global workforce that wants to leverage resources in a more cost-efficient way, it would be beneficial to be able to utilise an nCipher Edge unit in a remotely connected capacity.

This is NOT intended to replace the more performant Connect or XC HSMs, nor nCipher's HSM-as-a-service offering. It is a middle ground that allows for the maximum usage of an nCipher Edge over a large number of use cases in the new landscape we find ourselves in.

The details of how to undertake this describe just one approach; as always, there are multiple ways to tackle a given problem.

Psychology of Cyber Security

Human interaction with computers and technology, with regard to cyber security, is a complex topic that deserves more attention. In this paper we discuss the psychology of cyber security from a number of different angles.