Security: A major new challenge for companies

Security is a term we often hear these days, yet behind this simple word lie many aspects.

This article contains many links to sources or definitions of certain terms; feel free to click on them. (Several links are in French.)

LinkedIn, WhatsApp, iCloud, Renault: what do these companies have in common? They have all, at one time or another, been victims of a compromise of their information system.

Whether it was the hijacking of an application, with WhatsApp, which allowed its users to be spied on; unauthorized file access, with iCloud; account compromises, with LinkedIn; or a ransomware attack, for Renault, all of these companies had to face attacks. Although the impacts are not necessarily the same, the company's image always takes a hit.

What is interesting is to see that no company is spared, including companies with a large IT department that one might think too big to fall. In fact, it is quite the opposite: they hold a mass of information that allows an attacker to walk away having made digital history (and potentially lined his pockets along the way).

In recent days, ZombieLoad has made its mark on the digital landscape with a new attack that can affect both computers and servers.

An aspect set aside in the design?

Application development models today aim for security by design, which simply means taking the security component into account from the very beginning of the application. This implies that the architecture, the development and the chosen frameworks must respect these rules.

Unfortunately, very often the priority is to ship the new fashionable feature as quickly as possible, at the expense of security, which is often seen as a hindrance.

However, good security practices do exist, such as the OWASP Top 10, which is seen as a basic reference in this field and which describes the most common attack patterns along with possible ways to prevent them.

In the same way, a certain number of rules exist at the infrastructure level; keep in mind that today, a machine exposed to the Internet has a lifespan of less than 5 minutes.

The security challenge in an ISD

Why is it so difficult to secure one's information system?

Quite simply because security is everyone's business and requires a sensitivity that must be worked on regularly.

For my part, I consider myself quite sensitive to security aspects; however, it requires investment, i.e. following sites dedicated to this domain, regularly browsing the darknet to see the latest leaks, and testing vulnerabilities in a sandboxed environment, and even so I am very far from being an expert in cybersecurity.

Like IT, the world of security is in constant evolution, continually changing and adapting to new operating modes and new security solutions. For example, e-mail providers scan e-mails to detect potential phishing attempts, so attackers now embed the message in images to make these scans much less effective. MFA tokens make identity theft more complicated? No problem: attackers use man-in-the-middle techniques to intercept them.

The simplest way is to work with professionals in the field within your company. Small problem: with multiple daily attacks on any application, the number of people trained in security is small compared to a demand that is literally exploding. For smaller companies, the daily rate (TJM in French) of a security expert can also be a hindrance.

The wolf in the sheepfold: The staff

If securing one's IS stopped at the IT department, it would be simple.

Unfortunately, we must not believe that attacks only come from outside. Indeed, they can also come from the company's own employees:

How can we limit these exposure vectors?

Raising user awareness

First of all, prevention: raising awareness and warning users when major threats emerge so that they are more attentive, and teaching them the right reflexes, for example contacting the IT department in case of a suspicious e-mail.

However, teaching users who are not in the business how to react is not necessarily easy. In the past, I have known people who didn't know, for example, that a company e-mail was not designed to send attachments of several GB, because they didn't understand what that meant; so asking them to think about "security" is not necessarily easy, even if a well-informed employee will probably be more suspicious.

Be careful though: over-emphasizing security communications will have the opposite effect, and the information will quickly be considered irrelevant and ... ignored.

Equip yourself accordingly

There is no lack of tools to secure one's internal infrastructure: firewalls, proxies, antivirus, antimalware, and other physical security elements.

But equipping yourself doesn't just mean scanning and blocking.

It also involves a step that is too often ignored: the audit of permissions within one's IS. Indeed, in a company there are internal moves, departures and arrivals, so it is healthy to regularly check that users have access to what they need, and only what they need, and to verify that the person who left yesterday has had his access revoked, etc.

A note on antivirus: a signature-based antivirus is insufficient today. Modern viruses and malware easily evade these scans, so it is now necessary to move to heuristic analysis, whose goal is no longer to detect the signature of malicious software but to identify abnormal behavior.
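The permissions audit described above can be made routine by reconciling the HR roster with a dump of access grants. The following is an added example, not code from the original article; the roster, grants and the role-to-entitlement matrix are all constructed, and the matrix is an assumption standing in for whatever a given company defines as "what each role needs".

```python
"""Access-review reconciliation (added example, constructed data).

Cross-checks an HR roster against the access grants actually in place and
reports every grant that should be revoked: departed employees still holding
access, accounts with no HR record, and entitlements a role does not need.
"""
from datetime import date

TODAY = date(2019, 5, 21)  # constructed review date

# Constructed HR roster: employment status, current role, leave date.
HR_ROSTER = {
    "alice": {"status": "active", "role": "developer",  "left": None},
    "bob":   {"status": "left",   "role": "accountant", "left": date(2019, 5, 20)},
    "carol": {"status": "active", "role": "sales",      "left": None},  # moved from HR
}

# Constructed dump of current access grants: (account, system, permission).
ACCESS_GRANTS = [
    ("alice", "git",      "write"),
    ("alice", "prod-db",  "admin"),    # a developer should not hold prod-db admin
    ("bob",   "erp",      "read"),     # bob left yesterday, access never revoked
    ("carol", "crm",      "write"),
    ("carol", "hr-files", "read"),     # leftover from carol's previous HR role
    ("dave",  "vpn",      "connect"),  # no HR record at all: orphan account
]

# Assumed least-privilege matrix: entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "developer":  {("git", "write"), ("staging-db", "admin")},
    "accountant": {("erp", "read"), ("erp", "write")},
    "sales":      {("crm", "write"), ("vpn", "connect")},
}

def review_access(roster, grants, entitlements, today):
    """Return (user, system, permission, reason) for every grant to revoke."""
    findings = []
    for user, system, perm in grants:
        record = roster.get(user)
        if record is None:
            findings.append((user, system, perm, "orphan: no HR record"))
        elif record["status"] != "active":
            days = (today - record["left"]).days
            findings.append((user, system, perm, f"left {days} day(s) ago, not revoked"))
        elif (system, perm) not in entitlements.get(record["role"], set()):
            findings.append((user, system, perm, f"not needed by role '{record['role']}'"))
    return findings

if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCESS_GRANTS, ROLE_ENTITLEMENTS, TODAY):
        print("REVOKE %-6s %-9s %-8s  %s" % finding)
```

Grants that match the role matrix (alice on git, carol on crm) produce no finding; everything else is listed with the reason, which is what the reviewer needs to act on.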
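To make the signature-versus-heuristic point concrete, here is an added illustration (not code from the article): a hash-based scan misses a sample that differs by a single byte, while a behaviour score built from what the process does still flags it. The sample bytes, the process telemetry and the rule weights are all constructed.

```python
"""Signature-only vs. behaviour-based detection (added example, constructed data)."""
import hashlib

# Constructed "known bad" binary and a variant with one byte appended.
KNOWN_SAMPLE = b"\x4d\x5a" + b"constructed malware body"
VARIANT = KNOWN_SAMPLE + b"\x00"          # same behaviour, different hash
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def signature_scan(binary, signature_db=SIGNATURE_DB):
    """Classic approach: flag only exact hashes already in the database."""
    return hashlib.sha256(binary).hexdigest() in signature_db

# Constructed runtime telemetry per process: (event kind, detail).
TELEMETRY = {
    "variant.exe": [
        ("file_rename", "report.docx -> report.docx.locked"),
        ("file_rename", "budget.xlsx -> budget.xlsx.locked"),
        ("file_rename", "photo.jpg -> photo.jpg.locked"),
        ("file_rename", "notes.txt -> notes.txt.locked"),
        ("exec", "delete-volume-backups"),
        ("net", "outbound to unlisted host"),
    ],
    "backup.exe": [("file_read", "report.docx"), ("file_write", "archive.zip"),
                   ("net", "outbound to backup.internal")],
}

# Assumed heuristic rules: (description, predicate over the event list, weight).
RULES = [
    ("mass renames to a new extension",
     lambda ev: sum(k == "file_rename" for k, _ in ev) >= 4, 40),
    ("backup/snapshot deletion",
     lambda ev: any(k == "exec" and "backups" in d for k, d in ev), 50),
    ("connection to an unlisted host",
     lambda ev: any(k == "net" and "unlisted" in d for k, d in ev), 20),
]
ALERT_THRESHOLD = 60

def behaviour_scan(events, rules=RULES, threshold=ALERT_THRESHOLD):
    """Heuristic approach: score what the process does, not what it looks like."""
    hits = [desc for desc, match, _ in rules if match(events)]
    score = sum(w for _, match, w in rules if match(events))
    return score >= threshold, score, hits

if __name__ == "__main__":
    print("signature catches original:", signature_scan(KNOWN_SAMPLE))  # True
    print("signature catches variant: ", signature_scan(VARIANT))       # False
    for proc, ev in TELEMETRY.items():
        print(proc, behaviour_scan(ev))
```

A legitimate backup tool reads files and talks to a known host, so it scores zero; the weights and threshold are where a real product spends its tuning effort to keep that false-positive rate low.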

Preventing social hacking / social engineering

Increasingly in vogue in recent years, social hacking consists of obtaining information in a roundabout way, i.e. by knowing certain personal details about the target, such as the first names of his children, in an attempt to access protected data. A rather edifying example is shown in the video below, where it takes a hacker only a few minutes to obtain personal information from the target's phone provider account with only a few pieces of information: the target's phone number and his wife's name.

Once again, social hacking is preventable, and this also requires strict procedures for sensitive operations, such as password changes. Nevertheless, I find this variant much more complicated to prevent, since the attack vector can be more discreet and unpredictable, in the sense that the person may appear to be acting in good faith (as in this video) when this is absolutely not the case.

In conclusion

I would conclude this post by recalling the following points:
Security is everyone's business; it is naive to think that only IT is responsible for it.

Raising awareness among users, technical or otherwise, is essential.

An attack doesn't have to come from outside the company.

I also add, as an appendix to this article, some useful links: