Why traditional information security fails in an agile environment

Matching information security and agile

While agile development is going mainstream, information security is having difficulties to keep up. The result of this struggle is that new systems are insecure, or that they are loaded with point solutions for security.

What is so hard about security in agile environments? In this article we examine what makes infosec fail with agile, in future articles we will propose solutions for that and present a model to integrate information security into an agile development process.

eHealth: een zorgenkind op het gebied van cybersecurity?

Het Internet-of-Things doet razendsnel haar intrede in de maatschappij, zo ook in de zorgsector onder de noemer ’eHealth’. De beveiliging van IoT, en dus ook eHealth, is lang niet altijd op orde, waardoor deze apparaten meermaals misbruikt zijn voor onder andere cyberaanvallen. Het doel van dit onderzoek is tweeledig:

  1. Onderzoeken welke specifieke cybersecurityrisico’s gepaard gaan met het gebruik van eHealthtoepassingen bij Universitaire Medische Centra
  2. Adviseren welke strategische maatregelen genomen kunnen worden om cybersecurity voor eHealth-toepassingen beter te borgen door Universitaire Medische Centra, leveranciers van eHealth-toepassingen en beleidsmakers in de zorgsector.

Een maand na de inwerkingtreding van de AVG is het AVG-chaos in Nederland

Een maand na de inwerkingtreding van de AVG is het AVG-chaos in Nederland. Bedrijven lopen elkaar in de weg, overheidsinstanties vertrouwen elkaars beveiligingsbeleid niet en weigeren gegevens te leveren als er niet eerst een ‘data-overeenkomst’ is getekend (wat dat ook precies moge zijn), kerkblaadjes die met bloed, zweet en tranen door vrijwilligers in elkaar worden gedraaid besluiten ermee te stoppen en sportverenigingen weten niet of zij nog de foto’s van de sportdag op hun website mogen zetten. 

Bypass client-side generated HTTP security headers

Every now and then when doing a security test on a web application I have to deal with client-side generated HTTP headers that are there for security reasons. These headers can cause problems during a security test. Fortunately they can easily be bypassed using Burp Suite.

Lessons to be learned from the Polar incident

Last Sunday, journalists from The Correspondent revealed that it was trivially easy to find the names and addresses of military and intelligence service personnel that use Polar, a popular runners wearable and fitness app. All runs (even private ones) made by owners of a Polar fitness device are stored on a central server, and can be viewed on a map. Even though the user interface restricted access to only public runs, bypassing the user interface and entering URLs manually allowed them to extract all runs made by anyone since 2014. Polar switched off access to the map recently to prevent further abuse of this. What can we learn from this incident?

False cyber security assumptions

With technology changing so fast, security can sometimes seem like a goal post that is continually moving. Below are corrections to some of the more common misperceptions

Jouw bijdrage op het kennisplatform?

Informeer de redactie

Hunting with JA3

Within this blog post I will explain how JA3 can be used in Threat Hunting. I will discuss a relative simple hunt on a possible way to identify malicious PowerShell using JA3 and a more advanced hunt that involves the use of Darktrace and JA3.

EFAIL: detection and prevention

In our previous blog posting we discussed the EFAIL "Generic exfiltration" attack on S/MIME and suggested how such an attack may be detected.

Even though the CipherMail gateway is not directly vulnerable to EFAIL (see EFAIL: which is vulnerable? PGP, S/MIME or your mail client? for more details), if your email client is configured to automatically download external resources, your email client may leak your decrypted email.

The main issue with the EFAIL "Generic exfiltration" attack is that an encrypted message can be modified by an attacker without being detected. This is a general S/MIME problem and can only be solved by fixing the S/MIME standards.

AVG is een zegen voor zorginstellingen

Met de komst van de Europese wetgeving AVG (vertaling van GDPR), worden we als particulier overspoeld met brieven en emails van bedrijven die hun privacyreglement hebben aangepast. Ik krijg als security- en privacyexpert dagelijks de vraag: "Moet een zorginstelling nu ook opeens emails gaan versturen aan patiënten?". Die vraag zal ik u beantwoorden, maar met de komst van de AVG ontstaat een JOEKEL van een kans om de administratieve lasten in de zorg enorm te verlichten.

EFAIL: how to detect you are being attacked?

In an earlier blog, we discussed some implications of the newly found EFAIL attack on PGP and S/MIME. We concluded that CipherMail gateway was not directly vulnerable because the gateway does not load remote content from the email. The email only gets decrypted, validated and then forwarded.

The EFAIL paper describes two types of attack. The "Direct exfiltration" attack and the "Generic exfiltration" attack.

ICANN haalt bakzeil voor Duitse rechter

Zoals eerder beschreven op ISP Today is ICANN niet blij met de AVG/GDPR. De organisatie heeft last minute – onder druk van de Amerikaanse achterban – geprobeerd de EU te overtuigen van een vage aparte status. Dat werkte niet en de ICANN achterban moet zich dus aan de GDPR houden. Daarop stapte ICANN direct per 25 mei naar de Duitse rechter voor een proefproces.

EFAIL: which is vulnerable? PGP, S/MIME or your mail client?

What is EFAIL?

EFAIL is a recent attack on PGP en S/MIME email encryption (EFAIL).

EFAIL exploits remote content resolving built into most email clients (like for example images and CSS rules) to get (parts) of a previously encrypted email.

What EFAIL basically does, is that it takes a previously encrypted email (for which the attacker does not have the private key) and embeds this encrypted email into a new email in a special way. The email is then sent to the recipient for decryption. The attacker however designed the email in a way that the decrypted content of the original email gets embedded into the URL for a remote resource (for example an image). If the email client is configured to automatically resolve external content (for example download images), the content of the email gets sent to the remote server as a URL request. If the remote server is under control of the attacker, or if the URL is sent via HTTP, the attacker can access the URL and therefore has access to the plain text content of the original email.

Will DANE for SMTP solve all of your GDPR problems?

Will DANE for SMTP solve all of your GDPR problems?

The short answer: probably not. The long answer: keep reading.

What is DANE?

According to Wikipedia:

"DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC)"

In less technical terms, DANE is a protocol which allows you to securely associate a domain name with an X.509 certificate.

Continuous GDPR compliance

Organisations are very much aware of the deadline of 25 May 2018 to become GDPR compliant. But let us not forget that 25 May is not just the end of the period to become compliant. Even more, it is the start of an era where organisations are to be GDPR compliant continuously.

So, as organisations are working to update their privacy statements, improve consent (e.g. opt-in vs opt-out), document records of processing, determine retention schedules and remove old personal data, determine person's (data subject) rights to be adhered to, and more, organisations should consider two perspectives:

  1. Manage the complete life cycle of personal data in the organisation
  2. Demonstrate GDPR compliance continuously

Security and audit in a cloud-native world

A co-creation with my colleague Janot van Wegen, Risk Officer.

Before the cloud era, you had your own IT organization as a reliable gatekeeper to make your company a cyber fortress. With a strong gateway, your data and applications were kept in house and in good hands. Nowadays a Fort Knox stance on cyber security is unrealistic. Applications that are designed to make the best use of the functionality of all aspects of the cloud are distributed and therefore cannot be captured in the traditional Fort Knox paradigm. With the rise of cloud-native computing, expertise in security and compliance is a must for everyone in the chain