<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[CyberSimplified]]></title><description><![CDATA[Demystifying Digital Defence]]></description><link>https://www.cybrsimplified.com</link><image><url>https://substackcdn.com/image/fetch/$s_!A6H8!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f1320c4-7014-4654-afc0-ab8abf6bc476_256x256.png</url><title>CyberSimplified</title><link>https://www.cybrsimplified.com</link></image><generator>Substack</generator><lastBuildDate>Thu, 30 Apr 2026 10:13:57 GMT</lastBuildDate><atom:link href="https://www.cybrsimplified.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[CyberSimplified]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[cybersimplified@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[cybersimplified@substack.com]]></itunes:email><itunes:name><![CDATA[Ola Ajanaku]]></itunes:name></itunes:owner><itunes:author><![CDATA[Ola Ajanaku]]></itunes:author><googleplay:owner><![CDATA[cybersimplified@substack.com]]></googleplay:owner><googleplay:email><![CDATA[cybersimplified@substack.com]]></googleplay:email><googleplay:author><![CDATA[Ola Ajanaku]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[The Security Digest - 24/05/2024]]></title><description><![CDATA[Your weekly dose of cyber awareness.]]></description><link>https://www.cybrsimplified.com/p/the-security-digest-24052024</link><guid isPermaLink="false">https://www.cybrsimplified.com/p/the-security-digest-24052024</guid><pubDate>Fri, 24 May 2024 12:09:43 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>This week in Cybersecurity&#8230; &#128478;&#65039;</p><div><hr></div><h3><strong>Strengthen Healthcare Defenses: Embrace Offensive Cybersecurity</strong></h3><p>Healthcare organisations must transition from reactive to proactive cybersecurity strategies to counteract escalating cyber threats. Implementing offensive measures like vulnerability assessments and penetration testing can uncover system weaknesses and improve defences.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1576765607924-3f7b8410a787?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMnx8aGVhbHRoY2FyZXxlbnwwfHx8fDE3MTY1NDg2MzJ8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1576765607924-3f7b8410a787?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMnx8aGVhbHRoY2FyZXxlbnwwfHx8fDE3MTY1NDg2MzJ8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1576765607924-3f7b8410a787?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMnx8aGVhbHRoY2FyZXxlbnwwfHx8fDE3MTY1NDg2MzJ8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1576765607924-3f7b8410a787?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMnx8aGVhbHRoY2FyZXxlbnwwfHx8fDE3MTY1NDg2MzJ8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1272w, 
https://images.unsplash.com/photo-1576765607924-3f7b8410a787?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMnx8aGVhbHRoY2FyZXxlbnwwfHx8fDE3MTY1NDg2MzJ8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1576765607924-3f7b8410a787?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMnx8aGVhbHRoY2FyZXxlbnwwfHx8fDE3MTY1NDg2MzJ8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080" width="5988" height="3972" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1576765607924-3f7b8410a787?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMnx8aGVhbHRoY2FyZXxlbnwwfHx8fDE3MTY1NDg2MzJ8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:3972,&quot;width&quot;:5988,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;man wearing white dress shirt&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="man wearing white dress shirt" title="man wearing white dress shirt" srcset="https://images.unsplash.com/photo-1576765607924-3f7b8410a787?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMnx8aGVhbHRoY2FyZXxlbnwwfHx8fDE3MTY1NDg2MzJ8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1576765607924-3f7b8410a787?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMnx8aGVhbHRoY2FyZXxlbnwwfHx8fDE3MTY1NDg2MzJ8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 848w, 
https://images.unsplash.com/photo-1576765607924-3f7b8410a787?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMnx8aGVhbHRoY2FyZXxlbnwwfHx8fDE3MTY1NDg2MzJ8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1576765607924-3f7b8410a787?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMnx8aGVhbHRoY2FyZXxlbnwwfHx8fDE3MTY1NDg2MzJ8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Despite challenges such as budget limitations and insufficient expertise, these approaches offer 
significant benefits, including enhanced security posture, quicker threat response, and improved staff training. Adopting offensive cybersecurity methods is crucial for safeguarding patient data and maintaining healthcare operations.</p><p><strong><a href="https://hitconsultant.net/2024/05/24/why-its-time-to-go-on-the-offensive-with-healthcare-cybersecurity/">READ MORE</a></strong></p><div><hr></div><h3><strong>London Drugs Employee Data Leaked on Dark Web Following Cyberattack</strong></h3><p>London Drugs experienced a significant cybersecurity breach, leading to the leak of employee data on the dark web. The attack forced the retailer to shut down its 80 stores across Western Canada. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!LuLa!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9dedd30-1218-4291-9d7b-340c8d3e0126_600x400.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!LuLa!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9dedd30-1218-4291-9d7b-340c8d3e0126_600x400.jpeg 424w, https://substackcdn.com/image/fetch/$s_!LuLa!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9dedd30-1218-4291-9d7b-340c8d3e0126_600x400.jpeg 848w, https://substackcdn.com/image/fetch/$s_!LuLa!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9dedd30-1218-4291-9d7b-340c8d3e0126_600x400.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!LuLa!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9dedd30-1218-4291-9d7b-340c8d3e0126_600x400.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!LuLa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9dedd30-1218-4291-9d7b-340c8d3e0126_600x400.jpeg" width="600" height="400" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a9dedd30-1218-4291-9d7b-340c8d3e0126_600x400.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:400,&quot;width&quot;:600,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!LuLa!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9dedd30-1218-4291-9d7b-340c8d3e0126_600x400.jpeg 424w, https://substackcdn.com/image/fetch/$s_!LuLa!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9dedd30-1218-4291-9d7b-340c8d3e0126_600x400.jpeg 848w, https://substackcdn.com/image/fetch/$s_!LuLa!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9dedd30-1218-4291-9d7b-340c8d3e0126_600x400.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!LuLa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9dedd30-1218-4291-9d7b-340c8d3e0126_600x400.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Despite efforts to rebuild its data infrastructure and ongoing investigations, no customer data breaches have been confirmed. 
The company is working with third-party experts to restore operations safely and address the breach's impact, emphasising the protection of its customers and community.</p><p><strong><a href="https://www.theglobeandmail.com/business/article-london-drugs-employee-data-leaked-on-dark-web-after-cybersecurity/">READ MORE</a></strong></p><div><hr></div><h3><strong>Cyberattacks on Water Systems Persist, Warns Cybersecurity Expert</strong></h3><p>Cybersecurity expert Lee McKnight warns that recent cyberattacks on water systems will likely continue, highlighting the sector's vulnerability due to outdated practices. The Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) are increasing their efforts to improve cybersecurity in water facilities. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!8ZdO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcee6d144-4ab6-4260-9410-4bb53a9bf301_800x530.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!8ZdO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcee6d144-4ab6-4260-9410-4bb53a9bf301_800x530.jpeg 424w, https://substackcdn.com/image/fetch/$s_!8ZdO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcee6d144-4ab6-4260-9410-4bb53a9bf301_800x530.jpeg 848w, https://substackcdn.com/image/fetch/$s_!8ZdO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcee6d144-4ab6-4260-9410-4bb53a9bf301_800x530.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!8ZdO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcee6d144-4ab6-4260-9410-4bb53a9bf301_800x530.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!8ZdO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcee6d144-4ab6-4260-9410-4bb53a9bf301_800x530.jpeg" width="800" height="530" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cee6d144-4ab6-4260-9410-4bb53a9bf301_800x530.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:530,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;water treatment plant&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="water treatment plant" title="water treatment plant" srcset="https://substackcdn.com/image/fetch/$s_!8ZdO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcee6d144-4ab6-4260-9410-4bb53a9bf301_800x530.jpeg 424w, https://substackcdn.com/image/fetch/$s_!8ZdO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcee6d144-4ab6-4260-9410-4bb53a9bf301_800x530.jpeg 848w, https://substackcdn.com/image/fetch/$s_!8ZdO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcee6d144-4ab6-4260-9410-4bb53a9bf301_800x530.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!8ZdO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcee6d144-4ab6-4260-9410-4bb53a9bf301_800x530.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>With 70% of water systems failing to maintain basic cyber hygiene, there is an urgent need for better training and updated security measures to prevent devastating breaches. 
The expert calls for significant improvements in both the public and private sectors to protect critical infrastructure.</p><p><strong><a href="https://techxplore.com/news/2024-05-cyber-wont-cybersecurity-expert.html">READ MORE</a></strong></p><div><hr></div><h3><strong>Deepfakes Surge as Second Most Common Cybersecurity Threat for U.S. Businesses</strong></h3><p>Deepfakes have emerged as the second most common cybersecurity incident for U.S. businesses, following malware infections. Over a third of companies reported experiencing deepfake-related security issues in the past year. These attacks often involve business email compromise (BEC), where AI-generated voice and video content deceives employees into authorising financial transactions.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1674027444454-97b822a997b6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzMHx8YWl8ZW58MHx8fHwxNzE2NTQ5NTI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1674027444454-97b822a997b6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzMHx8YWl8ZW58MHx8fHwxNzE2NTQ5NTI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1674027444454-97b822a997b6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzMHx8YWl8ZW58MHx8fHwxNzE2NTQ5NTI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1674027444454-97b822a997b6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzMHx8YWl8ZW58MHx8fHwxNzE2NTQ5NTI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1272w, 
https://images.unsplash.com/photo-1674027444454-97b822a997b6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzMHx8YWl8ZW58MHx8fHwxNzE2NTQ5NTI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1674027444454-97b822a997b6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzMHx8YWl8ZW58MHx8fHwxNzE2NTQ5NTI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080" width="3840" height="2160" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1674027444454-97b822a997b6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzMHx8YWl8ZW58MHx8fHwxNzE2NTQ5NTI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:2160,&quot;width&quot;:3840,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;a computer generated image of a network and a laptop&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="a computer generated image of a network and a laptop" title="a computer generated image of a network and a laptop" srcset="https://images.unsplash.com/photo-1674027444454-97b822a997b6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzMHx8YWl8ZW58MHx8fHwxNzE2NTQ5NTI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1674027444454-97b822a997b6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzMHx8YWl8ZW58MHx8fHwxNzE2NTQ5NTI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 848w, 
https://images.unsplash.com/photo-1674027444454-97b822a997b6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzMHx8YWl8ZW58MHx8fHwxNzE2NTQ5NTI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1674027444454-97b822a997b6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzMHx8YWl8ZW58MHx8fHwxNzE2NTQ5NTI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Additionally, deepfakes pose risks for information theft, reputational damage, and bypassing security measures. 
To combat these threats, businesses are investing in AI and machine learning technologies, enhancing employee training, and increasing budgets for securing third-party vendor connections.</p><p><strong><a href="https://www.darkreading.com/cyberattacks-data-breaches/deepfakes-rank-as-the-second-most-common-cybersecurity-incident-for-us-businesses">READ MORE</a></strong></p><div><hr></div><h3><strong>CyberArk Acquires Venafi for $1.54B to Strengthen Cybersecurity Offerings</strong></h3><p>CyberArk has acquired cybersecurity provider Venafi for $1.54 billion, enhancing its capabilities in protecting human and machine identities. The acquisition, funded by $1 billion in cash and $540 million in CyberArk shares, aims to address sophisticated cyberattacks by integrating Venafi&#8217;s public key cryptography solutions.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!cAFW!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12a3acd0-ce3b-40c5-bbea-ca50d771a62a_1100x734.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!cAFW!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12a3acd0-ce3b-40c5-bbea-ca50d771a62a_1100x734.jpeg 424w, https://substackcdn.com/image/fetch/$s_!cAFW!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12a3acd0-ce3b-40c5-bbea-ca50d771a62a_1100x734.jpeg 848w, https://substackcdn.com/image/fetch/$s_!cAFW!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12a3acd0-ce3b-40c5-bbea-ca50d771a62a_1100x734.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!cAFW!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12a3acd0-ce3b-40c5-bbea-ca50d771a62a_1100x734.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!cAFW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12a3acd0-ce3b-40c5-bbea-ca50d771a62a_1100x734.jpeg" width="1100" height="734" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/12a3acd0-ce3b-40c5-bbea-ca50d771a62a_1100x734.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:734,&quot;width&quot;:1100,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!cAFW!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12a3acd0-ce3b-40c5-bbea-ca50d771a62a_1100x734.jpeg 424w, https://substackcdn.com/image/fetch/$s_!cAFW!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12a3acd0-ce3b-40c5-bbea-ca50d771a62a_1100x734.jpeg 848w, https://substackcdn.com/image/fetch/$s_!cAFW!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12a3acd0-ce3b-40c5-bbea-ca50d771a62a_1100x734.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!cAFW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12a3acd0-ce3b-40c5-bbea-ca50d771a62a_1100x734.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Venafi's products secure TLS certificates, SSH connections, and code integrity. 
This acquisition is expected to add $150 million in annual recurring revenue and expand CyberArk's total addressable market by $10 billion.</p><p><strong><a href="https://siliconangle.com/2024/05/20/cyberark-acquires-cybersecurity-provider-venafi-1-54b/">READ MORE</a></strong></p><div><hr></div><h3><strong>PSNI Faces &#163;750,000 Fine for Data Breach Affecting Entire Workforce</strong></h3><p>The Police Service of Northern Ireland (PSNI) is facing a &#163;750,000 fine from the UK's Information Commissioner&#8217;s Office (ICO) due to a data breach that exposed the personal information of its entire workforce last August. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!NVGh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!NVGh!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png 424w, https://substackcdn.com/image/fetch/$s_!NVGh!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png 848w, https://substackcdn.com/image/fetch/$s_!NVGh!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png 1272w, https://substackcdn.com/image/fetch/$s_!NVGh!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!NVGh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png" width="1200" height="800" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:800,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!NVGh!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png 424w, https://substackcdn.com/image/fetch/$s_!NVGh!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png 848w, https://substackcdn.com/image/fetch/$s_!NVGh!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png 1272w, https://substackcdn.com/image/fetch/$s_!NVGh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4901dca8-9276-4376-a6fb-b59d32568d2a_1200x800.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The breach highlighted significant lapses in data protection protocols, prompting the ICO to take strict action to ensure compliance and safeguard sensitive information in the future.</p><p><strong><a href="https://www.computing.co.uk/news/4214120/police-service-gbp750k-fine-breach">READ MORE</a></strong></p><div><hr></div><h3><strong>CentroMed Data Breach Exposes Personal Information of 400,000 Individuals</strong></h3><p>CentroMed, a healthcare provider in San Antonio, experienced a data breach compromising the personal and health information of 400,000 individuals. The breach, discovered on May 1, 2024, involved unauthorised access to names, addresses, birthdates, medical details, Social Security numbers, and financial data. 
</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Jm95!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3841cce8-a6d9-4e22-a51f-1e02a3e1ecdc_601x111.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Jm95!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3841cce8-a6d9-4e22-a51f-1e02a3e1ecdc_601x111.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Jm95!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3841cce8-a6d9-4e22-a51f-1e02a3e1ecdc_601x111.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Jm95!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3841cce8-a6d9-4e22-a51f-1e02a3e1ecdc_601x111.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Jm95!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3841cce8-a6d9-4e22-a51f-1e02a3e1ecdc_601x111.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Jm95!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3841cce8-a6d9-4e22-a51f-1e02a3e1ecdc_601x111.jpeg" width="601" height="111" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3841cce8-a6d9-4e22-a51f-1e02a3e1ecdc_601x111.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:111,&quot;width&quot;:601,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;CentroMed Santa Rosa Pavillion &#8211; 
CentroMed&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="CentroMed Santa Rosa Pavillion &#8211; CentroMed" title="CentroMed Santa Rosa Pavillion &#8211; CentroMed" srcset="https://substackcdn.com/image/fetch/$s_!Jm95!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3841cce8-a6d9-4e22-a51f-1e02a3e1ecdc_601x111.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Jm95!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3841cce8-a6d9-4e22-a51f-1e02a3e1ecdc_601x111.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Jm95!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3841cce8-a6d9-4e22-a51f-1e02a3e1ecdc_601x111.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Jm95!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3841cce8-a6d9-4e22-a51f-1e02a3e1ecdc_601x111.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>CentroMed is notifying affected individuals and advising vigilance in monitoring financial statements. This incident follows a previous breach in 2023 involving 350,000 people.</p><p><strong><a href="https://www.securityweek.com/400000-impacted-by-centromed-data-breach/">READ MORE</a></strong></p><div><hr></div><h3><strong>Optus to Challenge Federal Court Decision Over Deloitte Report in Data Breach Case</strong></h3><p>Optus is set to challenge a Federal Court decision denying its claim of legal professional privilege over a Deloitte report prepared following a major cyberattack in September 2022. 
The court found that the report, commissioned to identify the causes and improve cyber risk management, was not primarily for obtaining legal advice. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ainp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F148b53bf-d0a5-4639-b38c-c083181c3ba1_1200x600.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ainp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F148b53bf-d0a5-4639-b38c-c083181c3ba1_1200x600.jpeg 424w, https://substackcdn.com/image/fetch/$s_!ainp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F148b53bf-d0a5-4639-b38c-c083181c3ba1_1200x600.jpeg 848w, https://substackcdn.com/image/fetch/$s_!ainp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F148b53bf-d0a5-4639-b38c-c083181c3ba1_1200x600.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!ainp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F148b53bf-d0a5-4639-b38c-c083181c3ba1_1200x600.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ainp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F148b53bf-d0a5-4639-b38c-c083181c3ba1_1200x600.jpeg" width="1200" height="600" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/148b53bf-d0a5-4639-b38c-c083181c3ba1_1200x600.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Optus partners with Universal Music Australia for a new music offering -  Mediaweek&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Optus partners with Universal Music Australia for a new music offering -  Mediaweek" title="Optus partners with Universal Music Australia for a new music offering -  Mediaweek" srcset="https://substackcdn.com/image/fetch/$s_!ainp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F148b53bf-d0a5-4639-b38c-c083181c3ba1_1200x600.jpeg 424w, https://substackcdn.com/image/fetch/$s_!ainp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F148b53bf-d0a5-4639-b38c-c083181c3ba1_1200x600.jpeg 848w, https://substackcdn.com/image/fetch/$s_!ainp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F148b53bf-d0a5-4639-b38c-c083181c3ba1_1200x600.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!ainp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F148b53bf-d0a5-4639-b38c-c083181c3ba1_1200x600.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>As a result, Optus must produce the report for the ongoing class action lawsuit. This case highlights the complexities of claiming privilege over documents created for multiple purposes.</p><p><strong><a href="https://www.abc.net.au/news/2024-05-23/optus-to-fight-in-federal-court/103885104">READ MORE</a></strong></p><div><hr></div><h3><strong>Kakao Fined $11.1 Million for 2023 Data Breach Affecting 65,000 Users</strong></h3><p>The Personal Information Protection Commission has fined Kakao 15.1 billion won ($11.1 million) for a 2023 data breach that exposed the personal data of over 65,000 users. The breach involved hackers exploiting vulnerabilities in KakaoTalk's open chat service. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Pbqq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9548d3f-76aa-4c93-854e-ce5431dbbfaf_1200x400.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Pbqq!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9548d3f-76aa-4c93-854e-ce5431dbbfaf_1200x400.png 424w, https://substackcdn.com/image/fetch/$s_!Pbqq!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9548d3f-76aa-4c93-854e-ce5431dbbfaf_1200x400.png 848w, https://substackcdn.com/image/fetch/$s_!Pbqq!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9548d3f-76aa-4c93-854e-ce5431dbbfaf_1200x400.png 1272w, https://substackcdn.com/image/fetch/$s_!Pbqq!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9548d3f-76aa-4c93-854e-ce5431dbbfaf_1200x400.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Pbqq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9548d3f-76aa-4c93-854e-ce5431dbbfaf_1200x400.png" width="1200" height="400" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f9548d3f-76aa-4c93-854e-ce5431dbbfaf_1200x400.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:400,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Kakao - 
Wikidata&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Kakao - Wikidata" title="Kakao - Wikidata" srcset="https://substackcdn.com/image/fetch/$s_!Pbqq!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9548d3f-76aa-4c93-854e-ce5431dbbfaf_1200x400.png 424w, https://substackcdn.com/image/fetch/$s_!Pbqq!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9548d3f-76aa-4c93-854e-ce5431dbbfaf_1200x400.png 848w, https://substackcdn.com/image/fetch/$s_!Pbqq!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9548d3f-76aa-4c93-854e-ce5431dbbfaf_1200x400.png 1272w, https://substackcdn.com/image/fetch/$s_!Pbqq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9548d3f-76aa-4c93-854e-ce5431dbbfaf_1200x400.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Despite Kakao's contention that the leaked data did not constitute personal information, the commission held the company accountable for negligence in protecting user data. Kakao plans to challenge the fine legally.</p><p><strong><a href="https://koreajoongangdaily.joins.com/news/2024-05-23/business/industry/Kakao-fined-111-million-for-2023-data-breach/2053426">READ MORE</a></strong></p><div><hr></div><h3><strong>Chinese Hackers 'Unfading Sea Haze' Infiltrate Military and Government Networks for Six Years</strong></h3><p>The cyber-espionage group "Unfading Sea Haze," linked to Chinese interests, has operated undetected on military and government networks in the South China Sea region since 2018. Using sophisticated methods such as spear-phishing, fileless malware, and commercial remote monitoring and management (RMM) tools, the group collected intelligence and maintained persistence. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HaW6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56ee6b36-dfa9-4a9e-bda4-5b393537612e_1600x900.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!HaW6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56ee6b36-dfa9-4a9e-bda4-5b393537612e_1600x900.jpeg 424w, https://substackcdn.com/image/fetch/$s_!HaW6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56ee6b36-dfa9-4a9e-bda4-5b393537612e_1600x900.jpeg 848w, https://substackcdn.com/image/fetch/$s_!HaW6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56ee6b36-dfa9-4a9e-bda4-5b393537612e_1600x900.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!HaW6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56ee6b36-dfa9-4a9e-bda4-5b393537612e_1600x900.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!HaW6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56ee6b36-dfa9-4a9e-bda4-5b393537612e_1600x900.jpeg" width="1456" height="819" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/56ee6b36-dfa9-4a9e-bda4-5b393537612e_1600x900.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;China-hacker.jpg&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="China-hacker.jpg" title="China-hacker.jpg" srcset="https://substackcdn.com/image/fetch/$s_!HaW6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56ee6b36-dfa9-4a9e-bda4-5b393537612e_1600x900.jpeg 424w, https://substackcdn.com/image/fetch/$s_!HaW6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56ee6b36-dfa9-4a9e-bda4-5b393537612e_1600x900.jpeg 848w, https://substackcdn.com/image/fetch/$s_!HaW6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56ee6b36-dfa9-4a9e-bda4-5b393537612e_1600x900.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!HaW6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56ee6b36-dfa9-4a9e-bda4-5b393537612e_1600x900.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The group's activities align with those of known Chinese state-sponsored actors, notably APT41. To counter such advanced threats, organisations are advised to enhance security measures, including patch management, MFA, and network segmentation.</p><p><strong><a href="https://www.bleepingcomputer.com/news/security/unfading-sea-haze-hackers-hide-on-military-and-govt-networks-for-6-years/">READ MORE</a></strong></p><div><hr></div><p><em>Enjoyed this week&#8217;s digest? Why not share it with a friend? Let these topical events lead your security conversations, and become the expert. 
Oh, and don&#8217;t forget to subscribe :)</em></p>]]></content:encoded></item><item><title><![CDATA[🔥🎬 - Is Public Wi-Fi Safe?]]></title><description><![CDATA[Hot Take #3]]></description><link>https://www.cybrsimplified.com/p/is-public-wi-fi-safe</link><guid isPermaLink="false">https://www.cybrsimplified.com/p/is-public-wi-fi-safe</guid><dc:creator><![CDATA[Ola Ajanaku]]></dc:creator><pubDate>Wed, 22 May 2024 06:01:02 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/1c44313b-80f6-47c1-b108-b64a4218c716_600x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>&#8220;Some believe that simply ensuring the use of HTTPS while searching websites, especially for public Wi-Fi, ensures complete safety from hackers who might steal banking information, passwords, and personal data. Isn&#8217;t public Wi-Fi hacking a concern of the past?&#8221; - Anon</em></p><div><hr></div><p><strong>Thoughts&#8230; &#128173;</strong></p><p>Maybe you&#8217;ve thought about this, maybe you haven&#8217;t.</p><p>To answer the question in short: no, public Wi-Fi is not &#8216;safe&#8217;, regardless of whether it&#8217;s a secured or unsecured network. </p><p>The potential dangers of using public Wi-Fi, such as the risk of having your banking information, passwords, and personal data stolen, should be a cause for concern. 
You may not have suffered any breaches (to your knowledge), but that cannot be any reasonable person&#8217;s yardstick for safety.</p><p>I know people who often drive without a seatbelt and have not yet suffered any accidents&#8230; Do you see where I&#8217;m going here?</p><p>Most public Wi-Fi networks either don't require a password or use weak encryption, making it easy for cybercriminals to intercept your data through man-in-the-middle (MitM) attacks. </p><p>On a Saturday a few years ago, I was sitting in Starbucks waiting for a friend when I glanced over my shoulder to see a 20-something-year-old man performing some bash scripting on Kali Linux &#8212; I have no idea what he was doing, but I do know <em>that</em> Starbucks had public Wi-Fi.</p><p>Even with a password, older encryption protocols like <strong>WEP</strong> (Wired Equivalent Privacy) and <strong>WPA</strong> (Wi-Fi Protected Access) have known vulnerabilities that can be exploited. To be honest, you shouldn&#8217;t even be using these anymore&#8212;I&#8217;d stick to <strong>WPA2</strong> (Wi-Fi Protected Access 2).</p><p>Having said that, in 2017, a vulnerability called KRACK (Key Reinstallation Attack) allowed hackers to exploit the four-way handshake that WPA2 uses to establish an encrypted connection. </p><p>The preferred option, however, is <strong>WPA3</strong>, where it&#8217;s available.</p><p>Session hijacking (or cookie hijacking) is another attack hackers love to carry out where they can, and public Wi-Fi will always be a prime location for carrying out black hat activities. The myth of HTTPS as a silver bullet that protects against all attacks is nothing short of laughable to a skilled hacker.</p><p>Sure, HTTPS is great for encrypting data in transit, among a couple of other things. But it can&#8217;t protect against malware being injected into the website or transmitted through the connection. 
It can&#8217;t protect against server-side vulnerabilities like SQL injection or cross-site scripting (XSS). It can&#8217;t protect against DNS attacks like DNS spoofing. It can&#8217;t even fully protect against MitM attacks! It just makes them more difficult.</p><p>How can we improve our security posture when we&#8217;re out and about?</p><p>The concept of <strong>Defence-in-Depth</strong> springs to mind! Implement as many of the following layers as possible to reduce the attack surface.</p><ol><li><p><strong>Use a VPN</strong>: A VPN makes it even harder for a &#8216;man&#8217; to be in the middle of your communications with the server.</p></li><li><p><strong>Avoid Sensitive Activities</strong>: Think. It may not be a good idea to access sensitive information over a public Wi-Fi connection.</p></li><li><p><strong>Use Secure Connections</strong>: Stick to HTTPS-only connections. I know I&#8217;ve just criticised them, perhaps harshly, but they are still strong for encryption, authentication, and integrity.</p></li><li><p><strong>Software Updates</strong>: Don&#8217;t ignore the notifications; it could cost you. 
Update your operating system, browser, and antivirus software, if you have it.</p></li><li><p><strong>Multi-Factor Authentication (MFA)</strong>: Wherever possible, enable MFA to add another layer of security.</p></li><li><p><strong>Have Wits</strong>: Simply put, if a public Wi-Fi network seems suspicious to you or has weak security, move on.</p></li></ol><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!oMWl!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2b0b04c-4ed6-477d-a00d-6feffcc97351_800x618.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!oMWl!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2b0b04c-4ed6-477d-a00d-6feffcc97351_800x618.webp 424w, https://substackcdn.com/image/fetch/$s_!oMWl!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2b0b04c-4ed6-477d-a00d-6feffcc97351_800x618.webp 848w, https://substackcdn.com/image/fetch/$s_!oMWl!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2b0b04c-4ed6-477d-a00d-6feffcc97351_800x618.webp 1272w, https://substackcdn.com/image/fetch/$s_!oMWl!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2b0b04c-4ed6-477d-a00d-6feffcc97351_800x618.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!oMWl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2b0b04c-4ed6-477d-a00d-6feffcc97351_800x618.webp" width="800" height="618" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e2b0b04c-4ed6-477d-a00d-6feffcc97351_800x618.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:618,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:133312,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/webp&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!oMWl!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2b0b04c-4ed6-477d-a00d-6feffcc97351_800x618.webp 424w, https://substackcdn.com/image/fetch/$s_!oMWl!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2b0b04c-4ed6-477d-a00d-6feffcc97351_800x618.webp 848w, https://substackcdn.com/image/fetch/$s_!oMWl!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2b0b04c-4ed6-477d-a00d-6feffcc97351_800x618.webp 1272w, https://substackcdn.com/image/fetch/$s_!oMWl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2b0b04c-4ed6-477d-a00d-6feffcc97351_800x618.webp 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>In the end, it's not about whether public Wi-Fi is safe or not. It's about understanding the risks and taking proactive measures to protect yourself because the convenience of public Wi-Fi comes with a price&#8212;your security.</p>]]></content:encoded></item><item><title><![CDATA[See Threats Before They Strike!]]></title><description><![CDATA[Strengthening Defences, Anticipating Attacks.]]></description><link>https://www.cybrsimplified.com/p/see-threats-before-they-strike</link><guid isPermaLink="false">https://www.cybrsimplified.com/p/see-threats-before-they-strike</guid><dc:creator><![CDATA[Ola Ajanaku]]></dc:creator><pubDate>Mon, 20 May 2024 06:01:07 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!slsW!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1876baea-0188-4a63-975b-da566e4ff1b4_500x500.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3><strong>Screen Shadows &#128373;&#127996;&#8205;&#9794;&#65039;</strong></h3><blockquote><p><em>&#8220;Heartbleed was the internet's surprise colonoscopy, revealing the embarrassing vulnerabilities we never bothered to look for.&#8221; - CS</em></p></blockquote><p><strong>Picture this:</strong> A critical flaw in OpenSSL, a widely used encryption software, remained undiscovered for two years. Known as Heartbleed, this vulnerability allowed attackers to access sensitive information undetected. OpenSSL is essential for securing online communications, but this flaw, caused by a simple programming error, exposed a significant weakness.</p><p>When Heartbleed was discovered, it highlighted the mistaken belief that this security measure was infallible. 
The breach exposed private conversations, sensitive data, user passwords, and encryption keys, leading to a widespread scramble to update passwords and secure systems.</p><p>Heartbleed's legacy is a stark reminder that vigilance is priceless in our fast-evolving digital world, and even the smallest oversight can lead to monumentally upsetting breaches.</p><div><hr></div><h3>TL;DR &#8987;&#65039;</h3><p>Threat modelling is essential in cybersecurity, a dynamic strategy for outsmarting cyber threats by understanding and preparing for them. Unlike financial modelling&#8217;s one-size-fits-all approach, threat modelling is a tailored, active process. It&#8217;s a blend of proactive design (Secure by Design) and reactive measures (Threat Hunting), ensuring digital assets are safeguarded from the get-go and continuously monitored. </p><p>Effective threat modelling demands a security mindset, understanding system vulnerabilities through methods like FTA and FMEA, and recognising the importance of accident prevention and deliberate attack mitigation. It involves mapping potential attacks, dissecting our digital systems to pinpoint vulnerabilities, prioritising threats, and crafting intelligent defences. </p><p>Frameworks like PASTA and STRIDE offer systematic ways to uncover and mitigate risks. Remember, cybersecurity is a journey of constant learning and adaptation, with threat modelling at its core.</p><div><hr></div><h3><strong>&#128680; Security Briefing &#128680;</strong></h3><p><strong>Threat modelling</strong> is a term often used by professionals (even some security professionals) but is not well understood. When I first heard it, I tried to liken it to financial modelling, as I&#8217;d done so much of this after I became a qualified accountant. 
Depending on your objective for the model you&#8217;re trying to build, there are many templates for financial models.</p><p>I was mistaken to try and apply the same concept to cybersecurity, as here we&#8217;re dealing with something quite different. Where financial modelling is often an out-of-the-box exercise where you can simply manipulate inputs for your own use-case, threat modelling is a highly tailored exercise, and one which is as active and dynamic as the four seasons. &#127810;&#127774;&#10052;&#65039;&#127799;</p><p>So, with that said, let&#8217;s see what&#8217;s on the menu today. We&#8217;ll be covering&#8230;</p><ul><li><p>What threat modelling is.</p></li><li><p>How we should think about approaching threat modelling.</p></li><li><p>The key practical considerations.</p></li><li><p>Prioritising and responding to identified threats.</p></li></ul><p>Without further ado&#8230;</p><p></p><h3>Threat Modelling Decoded &#128104;&#127996;&#8205;&#128187;</h3><p><strong>Threat Modelling Defined:</strong></p><p>In the cybersecurity realm, the overarching objective is to keep our assets safe from those with malicious intent (or those accessing information without authorised purpose). At the heart of this endeavour lies the practice of <em>threat modelling</em>, an indispensable strategy that helps us foresee and outsmart potential cyber threats.</p><p><strong>Conceptually simple. Pragmatically involved.</strong></p><p>This isn't merely about putting up firewalls and calling it a day; it's a methodical process of <strong>identifying, classifying, and evaluating</strong> threats to ensure our virtual valuables are well-protected.</p><p>Think of threat modelling as a two-part harmony. </p><p>On one side, we have the <strong>defensive strategy &#128737;&#65039;</strong>, similar to designing a medieval castle with defence in mind right from the drawing board.
This approach, taken during the earliest stages of system development, involves anticipating potential cyber-attacks and weaving in defences as we build. It's all about being one step ahead, ensuring that security is a <em>fundamental</em> aspect of the system's design, effectively reducing the chances and impacts of any digital breach. This preventive measure is not just savvy; it's cost-effective too, saving resources that might otherwise be spent &#8216;sticking&#8217; on security measures after the system has been built.</p><p>Utilising frameworks like STRIDE or PASTA and tools such as Microsoft Threat Modeling Tool or OWASP Threat Dragon allows for a systematic analysis of threats.</p><p>On the flip side, we explore the <strong>adversarial strategy &#128481;&#65039;</strong>, which kicks in post-deployment (this is after a product has been created and deployed, even if only in a test environment).
This is where the cybersecurity militia don their white hats, engaging in ethical hacking and penetration testing to hunt down and fix vulnerabilities. It&#8217;s a bit like checking the locks and alarms after the house is built. Although invaluable in shoring up defences, this reactive measure often involves patching up security holes discovered after the fact, which is a bit like playing catch up.</p><p>This strategy relies heavily on tools and methodologies designed to identify and exploit weaknesses, such as Metasploit, Burp Suite, and Nmap. Penetration testers use these tools to simulate real-world attacks, uncovering vulnerabilities that could be exploited by malicious actors.&nbsp;</p><p>Unsurprisingly, the comprehensive and most robust approach is a combination of the two. </p><div class="pullquote"><p><em><strong>Secure by Design</strong> (defensive) <strong>+</strong> <strong>Threat Hunting</strong> (reactive) <strong>= Security Personified</strong></em></p></div><p>By integrating proactive security considerations into the design process and complementing them with vigilant, ongoing scrutiny, we enhance our shield against cyber threats. This dual approach not only aims to minimise the number of security flaws but also to dampen the impact of any that might slip through the net&#8212;which is bound to have some holes, of course.</p><p></p><p><strong>NB - Security State of Mind:</strong></p><p>Before diving headfirst into the deep end of threat modelling, it's crucial to set the scene. Understanding the security landscape and our objectives lays the groundwork for effective defence strategies.</p><p>Two seasoned methods stand out when it comes to dissecting potential system vulnerabilities: <strong>Fault Tree Analysis</strong> (FTA) and <strong>Failure Mode and Effects Analysis</strong> (FMEA). 
Both demand a thorough understanding of the systems at hand and a recognition that automation has its limits, given the complexity and potential for change within any given system.</p><p>Automation is incredibly brilliant and all, but it <strong>isn&#8217;t</strong> magic&#8212;it still depends on integration with systems, pre-defined rules and machine learning capabilities.</p><p>Our quest for security doesn't stop at just safeguarding against deliberate attacks, either; it, of course, extends to accidents and human error, too. This is where application-specific knowledge gained over time is of prime value in security. Partner with people who hold that knowledge when working on security-related problems; they&#8217;ll accelerate the learning process.</p><p>Take the automotive industry, for example, and Tesla more specifically. The increasing reliance on electronic systems in their cars means that traditional safety checks, such as ensuring headlamps work correctly, now need to incorporate considerations of cybersecurity threats. Imagine a filthy hacker taking control of your Tesla&#8217;s entertainment system and, while you&#8217;re bombing it down the highway at 125 mph &#127950;&#65039;&#128739;&#65039; (on the Autobahn, of course), switching off the headlamps&#8212;a risk that could be mitigated, for example, by introducing firewalls within Tesla&#8217;s network.</p><p>But if you&#8217;re not thinking in this way, how will you effectively defend against threats?</p><p>Navigating the intricate landscape of modern system security calls for both a structured and dynamic approach, aligning our protective measures with clearly defined objectives and a strategic risk management plan. Is there one way to do this? Absolutely not! This is why we must adopt a <strong>security state of mind.</strong></p><p></p><p><strong>Mapping the Attacker's Mind</strong></p><p>The next step in threat modelling is to determine the potential types of attacks that could be waged against us.
</p><p>The <strong>first </strong>step is to create a (sometimes not-so-simple) map or diagram that shows how information moves in a system. For example, the paths data takes during an online transaction or how data is shared between your computer and the Internet. </p><p>This map helps highlight the system's key parts, where it's vulnerable, and where we need to tighten security.</p><p>This isn't about delving into the nitty-gritty of computer code; rather, it's a bird's-eye &#129413;&#128065;&#65039; view of where our system's digital walls and gates lie. For more complicated setups, we might need several of these maps, zooming in on different security zones to catch the important areas.</p><div class="pullquote"><p><strong>Security Zone:</strong><br>A network segment with specific security controls to regulate access and protect sensitive information.<br><br>-OR-<br><br>A protected area in a computer network where special rules keep information safe</p></div><p>Once our map is ready, the <strong>second </strong>step is to pinpoint every piece of technology on it. <strong>Third</strong>, we brainstorm all the ways someone could launch an attack on each part, considering not just hacking attempts but also physical break-ins or other deceptive techniques like phishing scams. 
This mapping and brainstorming lay the groundwork for moving to the next stage&#8212;figuring out how to reduce these threats.</p><p>The <strong>fourth</strong> stage in threat modelling is to perform a <em>reduction analysis</em>, or as I like to call it, the art of cyber dissection &#128298;. Imagine taking a complex system&#8212;be it software, a network, or even an entire business setup&#8212;and breaking it down into bite-sized pieces. It's akin to dismantling a watch to understand how each cog and wheel (component) contributes to telling time (objective), except here, we're unravelling the digital threads that make our systems tick, which can be very time-consuming if the system is complex.</p><p>This meticulous breakdown helps us examine the inner workings of our digital beasts, from the small routines in software to the big protocols governing networks.
By segmenting our focus, we can scrutinise how data dances &#128131;&#127996; from one point to another, how decisions &#128506;&#65039; are made within the system, and how securely &#128274; information is stored and managed.</p><p>Key to this process are a few navigational concepts:</p><ul><li><p><strong>Trust Boundaries</strong>: These are the digital 'Do Not Cross' tapes, marking where we ramp up our security checks as trust levels increase.</p></li><li><p><strong>Dataflow Paths</strong>: The highways and byways along which our data zips, carrying information from A to B.</p></li><li><p><strong>Input Points</strong>: Our system's mailboxes, where we receive external information, and yes, sometimes spam.</p></li><li><p><strong>Privileged Operations</strong>: Think of these as VIP access areas, where only the high-flyers with special passes (higher privileges) can make significant changes.</p></li><li><p><strong>Security Stance and Approach</strong>: Our manifesto, outlining how we plan to defend our digital domain, from the ground rules to the lofty ideals.</p></li></ul><p>By dissecting our systems in this way, we not only understand their anatomy but also prepare better defences against the cyber threats lurking in the shadows.</p><p></p><p><strong>Prioritisation and Response</strong></p><p>Now we've got all our potential cyber threats down on paper; the next crucial step is figuring out which ones we should lose sleep over &#128164;. This is where we start ranking these threats. There are a few ways to do this, and it's not one-size-fits-all, as with anything in cybersecurity. One popular method gives threats scores from 1 to 100, mixing how likely they are to happen with how much havoc they could wreak.</p><p>Another method uses a simpler approach, tagging threats as high, medium, or low risk, similar to categorising them into the red, yellow, or green traffic light system &#128678;. 
This creates a sort of danger map, showing us where the biggest fires could start so we know where to focus our firefighting efforts. Then there's the <strong>DREAD</strong> system, which sounds as ominous as it is for those often malevolent hackers &#129399;&#127996;. It asks five critical questions about each threat, from "How bad would the damage be?" to "How easy is it for bad actors to find and exploit this weakness?"</p><p>Once we've decided which threats are the meanest, it&#8217;ll be time to plan our counter. This could mean tweaking our digital defence, changing how we do things day-to-day, or introducing new so-called shields and watchtowers in our cybersecurity setup. It's all about finding the smartest, most efficient and most cost-effective way to keep our most valuable assets safe.</p><p></p><p><strong>Common Examples:</strong><br><br>Two common frameworks you're likely to encounter in threat modelling are <strong>PASTA</strong> and <strong>STRIDE</strong>. Each offers a distinct pathway for navigating the complex landscape of digital threats by helping to uncover and mitigate potential vulnerabilities in a systematic way. PASTA, which stands for Process for Attack Simulation and Threat Analysis, takes a risk-centered approach, weaving together business objectives with technical analysis across seven detailed steps.</p><p>Meanwhile, STRIDE breaks down threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Developed by the tech giant Microsoft, STRIDE simplifies the process of identifying potential threats by giving teams a clear framework to categorise and tackle each type of risk. When STRIDE and PASTA are employed together, they provide a holistic view of both the forest and the trees: STRIDE focuses on the technical details of potential vulnerabilities, while PASTA aligns threat modelling with business impacts.</p><p>&#8230;and besides, who doesn&#8217;t like pasta?
&#127837;</p><p></p><h3>Conclusion</h3><p>This serves as a pretty sensible introduction to threat modelling if I do say so myself. It&#8217;s also a very practical way to prepare for an interview, enter an organisation, or engage in a conversation and be equipped with the general and somewhat specialist knowledge to add value to the discussion, but it&#8217;s important that your understanding of threat modelling does not end here.</p><p>You see, cybersecurity is a lifelong journey of learning and adapting, and threat modelling encompasses much of that because it&#8217;s so vast and is, by nature, woven into the very tapestry of security.</p>]]></content:encoded></item><item><title><![CDATA[The Security Digest - 10/05/2024]]></title><description><![CDATA[Your weekly dose of cyber awareness.]]></description><link>https://www.cybrsimplified.com/p/the-security-digest-10052024</link><guid isPermaLink="false">https://www.cybrsimplified.com/p/the-security-digest-10052024</guid><dc:creator><![CDATA[Ola Ajanaku]]></dc:creator><pubDate>Fri, 10 May 2024 06:01:21 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!uypq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff2fecac-ee41-46b6-91d7-2d12f1a74d38_352x284.svg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>This week in Cybersecurity&#8230; &#128478;&#65039;</p><div><hr></div><h4>Major Data Breach Compromises Personal Details of UK Military Personnel</h4><p>A significant data breach has compromised the personal details of UK military personnel. The breach involved a payroll system managed by an external contractor. The exposed data includes the names, bank details, and, in some cases, personal addresses of current and former members of the Royal Navy, Army, and Royal Air Force.
</p><p>The Ministry of Defence (MoD) has taken the affected system offline. It is currently investigating, with Defence Secretary Grant Shapps set to discuss the incident and proposed security measures in an upcoming parliamentary update. This breach underscores ongoing cyber-security concerns amidst increasing threats.</p><p><strong><a href="https://www.bbc.co.uk/news/uk-68966497">READ MORE</a></strong></p><div><hr></div><h4>The Strategic Role of Open Source Intelligence in Enhancing Cybersecurity</h4><p>This article from SpecialEurasia discusses the critical role of Open Source Intelligence (OSINT) in modern cybersecurity frameworks. It explains how OSINT contributes to penetration testing, red teaming, digital forensics, and threat intelligence by leveraging publicly available data to identify and mitigate security vulnerabilities.
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!taDm!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7fb0592-3160-456a-8ac5-42469a6c92a5_1400x788.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!taDm!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7fb0592-3160-456a-8ac5-42469a6c92a5_1400x788.jpeg 424w, https://substackcdn.com/image/fetch/$s_!taDm!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7fb0592-3160-456a-8ac5-42469a6c92a5_1400x788.jpeg 848w, https://substackcdn.com/image/fetch/$s_!taDm!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7fb0592-3160-456a-8ac5-42469a6c92a5_1400x788.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!taDm!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7fb0592-3160-456a-8ac5-42469a6c92a5_1400x788.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!taDm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7fb0592-3160-456a-8ac5-42469a6c92a5_1400x788.jpeg" width="606" height="341.0914285714286" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c7fb0592-3160-456a-8ac5-42469a6c92a5_1400x788.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:788,&quot;width&quot;:1400,&quot;resizeWidth&quot;:606,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Discover 
the Top 10 Blogs to Keep You Up to Date on OSINT | by Diego Michel  | Medium&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Discover the Top 10 Blogs to Keep You Up to Date on OSINT | by Diego Michel  | Medium" title="Discover the Top 10 Blogs to Keep You Up to Date on OSINT | by Diego Michel  | Medium" srcset="https://substackcdn.com/image/fetch/$s_!taDm!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7fb0592-3160-456a-8ac5-42469a6c92a5_1400x788.jpeg 424w, https://substackcdn.com/image/fetch/$s_!taDm!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7fb0592-3160-456a-8ac5-42469a6c92a5_1400x788.jpeg 848w, https://substackcdn.com/image/fetch/$s_!taDm!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7fb0592-3160-456a-8ac5-42469a6c92a5_1400x788.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!taDm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7fb0592-3160-456a-8ac5-42469a6c92a5_1400x788.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Real-world examples highlight OSINT's practical applications in safeguarding against cyber threats, emphasising its importance in a comprehensive cybersecurity strategy and the ongoing battle against cybercrime.</p><p><strong><a href="https://www.specialeurasia.com/2024/05/06/cybersecurity-osint/">READ MORE</a></strong></p><div><hr></div><h4>The Rising Cybersecurity Concerns for Children in the Digital Age</h4><p>As discussed in a recent Newstalk article, the cybersecurity of children has become a pressing concern for both parents and policymakers. The digital age has brought unique challenges that require vigilant supervision and proactive educational efforts. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!pnAe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F755612cb-7cec-49c1-a80e-ea987b0a7d72_500x500.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!pnAe!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F755612cb-7cec-49c1-a80e-ea987b0a7d72_500x500.jpeg 424w, https://substackcdn.com/image/fetch/$s_!pnAe!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F755612cb-7cec-49c1-a80e-ea987b0a7d72_500x500.jpeg 848w, https://substackcdn.com/image/fetch/$s_!pnAe!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F755612cb-7cec-49c1-a80e-ea987b0a7d72_500x500.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!pnAe!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F755612cb-7cec-49c1-a80e-ea987b0a7d72_500x500.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!pnAe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F755612cb-7cec-49c1-a80e-ea987b0a7d72_500x500.jpeg" width="414" height="414" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/755612cb-7cec-49c1-a80e-ea987b0a7d72_500x500.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:500,&quot;width&quot;:500,&quot;resizeWidth&quot;:414,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;CyberSafeKids - Cyber 
Ireland&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="CyberSafeKids - Cyber Ireland" title="CyberSafeKids - Cyber Ireland" srcset="https://substackcdn.com/image/fetch/$s_!pnAe!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F755612cb-7cec-49c1-a80e-ea987b0a7d72_500x500.jpeg 424w, https://substackcdn.com/image/fetch/$s_!pnAe!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F755612cb-7cec-49c1-a80e-ea987b0a7d72_500x500.jpeg 848w, https://substackcdn.com/image/fetch/$s_!pnAe!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F755612cb-7cec-49c1-a80e-ea987b0a7d72_500x500.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!pnAe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F755612cb-7cec-49c1-a80e-ea987b0a7d72_500x500.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Alex Cooney, CEO of CyberSafeKids, highlights the urgency of addressing these issues, emphasising the widespread use of smart devices by children from a very young age and calling for an increased focus on digital safety measures to protect the vulnerable in our increasingly connected world.</p><p><strong><a href="https://www.newstalk.com/news/cybersecurity-of-children-a-huge-problem-for-parents-and-policymakers-1722676">READ MORE</a></strong></p><div><hr></div><h4>Microsoft Commits to Comprehensive Cybersecurity Overhaul</h4><p>Microsoft has announced extensive cybersecurity improvements following severe critiques of its security practices highlighted by the Cyber Safety Review Board. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!e2ZG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e957c61-7eb7-44f9-a4e2-5aa7cfd87ae5_4400x1617.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!e2ZG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e957c61-7eb7-44f9-a4e2-5aa7cfd87ae5_4400x1617.jpeg 424w, https://substackcdn.com/image/fetch/$s_!e2ZG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e957c61-7eb7-44f9-a4e2-5aa7cfd87ae5_4400x1617.jpeg 848w, https://substackcdn.com/image/fetch/$s_!e2ZG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e957c61-7eb7-44f9-a4e2-5aa7cfd87ae5_4400x1617.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!e2ZG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e957c61-7eb7-44f9-a4e2-5aa7cfd87ae5_4400x1617.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!e2ZG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e957c61-7eb7-44f9-a4e2-5aa7cfd87ae5_4400x1617.jpeg" width="1456" height="535" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5e957c61-7eb7-44f9-a4e2-5aa7cfd87ae5_4400x1617.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:535,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Microsoft 
Unveils a New Look - The Official Microsoft Blog&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Microsoft Unveils a New Look - The Official Microsoft Blog" title="Microsoft Unveils a New Look - The Official Microsoft Blog" srcset="https://substackcdn.com/image/fetch/$s_!e2ZG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e957c61-7eb7-44f9-a4e2-5aa7cfd87ae5_4400x1617.jpeg 424w, https://substackcdn.com/image/fetch/$s_!e2ZG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e957c61-7eb7-44f9-a4e2-5aa7cfd87ae5_4400x1617.jpeg 848w, https://substackcdn.com/image/fetch/$s_!e2ZG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e957c61-7eb7-44f9-a4e2-5aa7cfd87ae5_4400x1617.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!e2ZG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e957c61-7eb7-44f9-a4e2-5aa7cfd87ae5_4400x1617.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The initiatives, led by Microsoft Security EVP Charlie Bell, include assigning deputy CISOs to every product team, tying a portion of senior leaders' salaries to cybersecurity advancements, and bolstering the Secure Future Initiative. This strategic push aims to enhance cloud vulnerability patching, improve identity management, and organise software assets, reflecting Microsoft&#8217;s prioritisation of security over all other product features.</p><p><strong><a href="https://www.scmagazine.com/brief/sweeping-cybersecurity-improvements-pledged-by-microsoft">READ MORE</a></strong></p><div><hr></div><h4>The High Cost of Cyber Insecurity: Financial Implications for SMBs</h4><p>A recent report from The Hacker News details the daunting financial burdens that cyberattacks impose on small and medium-sized businesses (SMBs). The analysis underscores that the costs of recovering from cyber incidents frequently exceed those of preemptive cybersecurity investments. 
</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!CqZN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3915a7b8-469e-45cc-b7d1-83b3eaa8caa2_500x212.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!CqZN!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3915a7b8-469e-45cc-b7d1-83b3eaa8caa2_500x212.webp 424w, https://substackcdn.com/image/fetch/$s_!CqZN!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3915a7b8-469e-45cc-b7d1-83b3eaa8caa2_500x212.webp 848w, https://substackcdn.com/image/fetch/$s_!CqZN!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3915a7b8-469e-45cc-b7d1-83b3eaa8caa2_500x212.webp 1272w, https://substackcdn.com/image/fetch/$s_!CqZN!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3915a7b8-469e-45cc-b7d1-83b3eaa8caa2_500x212.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!CqZN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3915a7b8-469e-45cc-b7d1-83b3eaa8caa2_500x212.webp" width="500" height="212" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3915a7b8-469e-45cc-b7d1-83b3eaa8caa2_500x212.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:212,&quot;width&quot;:500,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Hacker News to Kafka - 
Precog&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Hacker News to Kafka - Precog" title="Hacker News to Kafka - Precog" srcset="https://substackcdn.com/image/fetch/$s_!CqZN!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3915a7b8-469e-45cc-b7d1-83b3eaa8caa2_500x212.webp 424w, https://substackcdn.com/image/fetch/$s_!CqZN!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3915a7b8-469e-45cc-b7d1-83b3eaa8caa2_500x212.webp 848w, https://substackcdn.com/image/fetch/$s_!CqZN!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3915a7b8-469e-45cc-b7d1-83b3eaa8caa2_500x212.webp 1272w, https://substackcdn.com/image/fetch/$s_!CqZN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3915a7b8-469e-45cc-b7d1-83b3eaa8caa2_500x212.webp 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>The article indicates that many SMBs lack sufficient cybersecurity infrastructure, including dedicated personnel and comprehensive incident response strategies. 
It recommends that SMBs adopt managed endpoint detection and response (EDR) solutions as a cost-effective measure to fortify their defences against escalating cyber threats.</p><p><strong><a href="https://thehackernews.com/2024/05/it-costs-how-much-financial-pitfalls-of.html">READ MORE</a></strong></p><div><hr></div><h4>Indonesia Identified as a Hub for International Spyware Trade</h4><p>Amnesty International's latest research reveals Indonesia as a significant hub for distributing invasive surveillance technologies. According to the report, since 2017, Indonesia has imported spyware from countries including Israel and Singapore, involving companies like Q Cyber-Technologies and FinFisher. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!AiPP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F153f2977-bd0f-4f44-9a2d-9b8fde08b824_548x331.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!AiPP!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F153f2977-bd0f-4f44-9a2d-9b8fde08b824_548x331.jpeg 424w, https://substackcdn.com/image/fetch/$s_!AiPP!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F153f2977-bd0f-4f44-9a2d-9b8fde08b824_548x331.jpeg 848w, https://substackcdn.com/image/fetch/$s_!AiPP!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F153f2977-bd0f-4f44-9a2d-9b8fde08b824_548x331.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!AiPP!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F153f2977-bd0f-4f44-9a2d-9b8fde08b824_548x331.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!AiPP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F153f2977-bd0f-4f44-9a2d-9b8fde08b824_548x331.jpeg" width="548" height="331" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/153f2977-bd0f-4f44-9a2d-9b8fde08b824_548x331.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:331,&quot;width&quot;:548,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Indonesia: Murky network of spyware imports exposed - new report&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Indonesia: Murky network of spyware imports exposed - new report" title="Indonesia: Murky network of spyware imports exposed - new report" srcset="https://substackcdn.com/image/fetch/$s_!AiPP!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F153f2977-bd0f-4f44-9a2d-9b8fde08b824_548x331.jpeg 424w, https://substackcdn.com/image/fetch/$s_!AiPP!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F153f2977-bd0f-4f44-9a2d-9b8fde08b824_548x331.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!AiPP!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F153f2977-bd0f-4f44-9a2d-9b8fde08b824_548x331.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!AiPP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F153f2977-bd0f-4f44-9a2d-9b8fde08b824_548x331.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The spyware, used to mimic political and media entities, poses a severe risk to civil liberties, mainly targeting journalists and 
activists. Amnesty emphasises the need for accountability to protect civil society from unlawful surveillance threats in Indonesia.</p><p><strong><a href="https://www.darkreading.com/cybersecurity-operations/amnesty-international-cites-indonesia-as-spyware-hub">READ MORE</a></strong></p><div><hr></div><h4>UnitedHealth Pays $22 Million Ransom in Major Healthcare Cyberattack</h4><p>UnitedHealth Group CEO Andrew Witty confirmed that the company paid a $22 million ransom following a cybersecurity breach at its subsidiary Change Healthcare. The breach, which compromised patient and provider data, led to significant disruptions, including issues with prescription fills and payments. </p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!J2W4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8a709892-0296-43a7-a0ba-f051ef93fec6_300x143.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!J2W4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8a709892-0296-43a7-a0ba-f051ef93fec6_300x143.png 424w, https://substackcdn.com/image/fetch/$s_!J2W4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8a709892-0296-43a7-a0ba-f051ef93fec6_300x143.png 848w, https://substackcdn.com/image/fetch/$s_!J2W4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8a709892-0296-43a7-a0ba-f051ef93fec6_300x143.png 1272w, https://substackcdn.com/image/fetch/$s_!J2W4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8a709892-0296-43a7-a0ba-f051ef93fec6_300x143.png 
1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!J2W4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8a709892-0296-43a7-a0ba-f051ef93fec6_300x143.png" width="370" height="176.36666666666667" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8a709892-0296-43a7-a0ba-f051ef93fec6_300x143.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:143,&quot;width&quot;:300,&quot;resizeWidth&quot;:370,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;UnitedHealth Group Is Worth $70 On Health Insurance Enrollments Growth&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="UnitedHealth Group Is Worth $70 On Health Insurance Enrollments Growth" title="UnitedHealth Group Is Worth $70 On Health Insurance Enrollments Growth" srcset="https://substackcdn.com/image/fetch/$s_!J2W4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8a709892-0296-43a7-a0ba-f051ef93fec6_300x143.png 424w, https://substackcdn.com/image/fetch/$s_!J2W4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8a709892-0296-43a7-a0ba-f051ef93fec6_300x143.png 848w, https://substackcdn.com/image/fetch/$s_!J2W4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8a709892-0296-43a7-a0ba-f051ef93fec6_300x143.png 1272w, 
https://substackcdn.com/image/fetch/$s_!J2W4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8a709892-0296-43a7-a0ba-f051ef93fec6_300x143.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Addressing the U.S. Senate Committee on Finance, Witty disclosed that the breach was due to inadequate security measures, specifically the lack of multi-factor authentication. UnitedHealth has since improved security protocols and is collaborating with regulators to mitigate the fallout and prevent future incidents.</p><p><strong><a href="https://www.cnbc.com/2024/05/01/unitedhealth-ceo-says-company-paid-hackers-22-million-ransom.html#:~:text=UnitedHealth%20Group%20CEO%20Andrew%20Witty%20confirmed%20for%20the%20first%20time,across%20the%20health%2Dcare%20sector.">READ MORE</a></strong></p><div><hr></div><h4>Dell Alerts 49 Million Users to a Monumental Data Breach</h4><p>Dell has issued warnings to 49 million customers about a significant data breach. A hacker claimed to have accessed a vast amount of personal information, including purchase data, through unauthorised access to a Dell portal. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!35TP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9ab09415-21b0-4e55-bd8a-b08c0682319a_1200x364.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!35TP!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9ab09415-21b0-4e55-bd8a-b08c0682319a_1200x364.png 424w, https://substackcdn.com/image/fetch/$s_!35TP!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9ab09415-21b0-4e55-bd8a-b08c0682319a_1200x364.png 848w, https://substackcdn.com/image/fetch/$s_!35TP!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9ab09415-21b0-4e55-bd8a-b08c0682319a_1200x364.png 1272w, https://substackcdn.com/image/fetch/$s_!35TP!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9ab09415-21b0-4e55-bd8a-b08c0682319a_1200x364.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!35TP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9ab09415-21b0-4e55-bd8a-b08c0682319a_1200x364.png" width="1200" height="364" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9ab09415-21b0-4e55-bd8a-b08c0682319a_1200x364.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:364,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;File:Dell Logo.png - 
Wikipedia&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="File:Dell Logo.png - Wikipedia" title="File:Dell Logo.png - Wikipedia" srcset="https://substackcdn.com/image/fetch/$s_!35TP!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9ab09415-21b0-4e55-bd8a-b08c0682319a_1200x364.png 424w, https://substackcdn.com/image/fetch/$s_!35TP!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9ab09415-21b0-4e55-bd8a-b08c0682319a_1200x364.png 848w, https://substackcdn.com/image/fetch/$s_!35TP!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9ab09415-21b0-4e55-bd8a-b08c0682319a_1200x364.png 1272w, https://substackcdn.com/image/fetch/$s_!35TP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9ab09415-21b0-4e55-bd8a-b08c0682319a_1200x364.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The stolen data includes names, addresses, and details of purchased hardware, though no financial data was compromised. Dell has responded by engaging a third-party forensics firm, implementing incident response measures, and notifying law enforcement, assuring that the risk to customers remains minimal.</p><p><strong><a href="https://readwrite.com/dell-warns-49-million-customers-about-massive-data-breach/">READ MORE</a></strong></p><div><hr></div><p><em>Enjoyed this week&#8217;s digest? Why not share it with a friend? Let these topical events lead your security conversations, and become the expert. 
Oh, and don&#8217;t forget to subscribe :)</em></p>]]></content:encoded></item><item><title><![CDATA[🔥🎬 - Stopping SQL Injection Attacks]]></title><description><![CDATA[Hot Take #2]]></description><link>https://www.cybrsimplified.com/p/stopping-sql-injection-attacks</link><guid isPermaLink="false">https://www.cybrsimplified.com/p/stopping-sql-injection-attacks</guid><dc:creator><![CDATA[Ola Ajanaku]]></dc:creator><pubDate>Wed, 08 May 2024 06:01:06 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/585ab613-a075-4cdd-9e40-2a15de5dcfd0_600x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>&#8220;I was reviewing the details of the MOVEit data breach in May 2023, which resulted from an SQL injection attack. Since SQL injection vulnerabilities were first identified in 1998, it is concerning that this type of security flaw still presents issues in 2024, as evidenced by another similar attack a few weeks ago. I am seeking clarification on why this longstanding vulnerability continues to be a problem despite its long-standing recognition and the availability of well-documented prevention techniques.&#8221; - Anon</em></p><div><hr></div><p><strong>Thoughts&#8230; &#128173;</strong></p><p>According to a 2023 report by Statista, SQL Injection is the <strong>primary source of web application critical vulnerabilities globally</strong>, accounting for 23% of such vulnerabilities. 
</p><p>For context, there are <em>thousands</em> of critical vulnerabilities that exist in web applications worldwide, so this is a pretty big deal.</p><p>For the record, an SQL injection is where an attacker manipulates a website into running malicious commands by inserting (or "injecting") these commands into places where the website expects to receive harmless inputs, like a username or password field.</p><p>These injections can allow the attacker to view, change, or delete data from the underlying database that they shouldn't have access to, such as personal information or financial details.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!gyTr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc32ae0f5-882a-42a1-a8fb-8249238b6f2a_666x205.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!gyTr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc32ae0f5-882a-42a1-a8fb-8249238b6f2a_666x205.png 424w, https://substackcdn.com/image/fetch/$s_!gyTr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc32ae0f5-882a-42a1-a8fb-8249238b6f2a_666x205.png 848w, https://substackcdn.com/image/fetch/$s_!gyTr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc32ae0f5-882a-42a1-a8fb-8249238b6f2a_666x205.png 1272w, https://substackcdn.com/image/fetch/$s_!gyTr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc32ae0f5-882a-42a1-a8fb-8249238b6f2a_666x205.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!gyTr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc32ae0f5-882a-42a1-a8fb-8249238b6f2a_666x205.png" width="666" height="205" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c32ae0f5-882a-42a1-a8fb-8249238b6f2a_666x205.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:205,&quot;width&quot;:666,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Exploits of a Mom&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Exploits of a Mom" title="Exploits of a Mom" srcset="https://substackcdn.com/image/fetch/$s_!gyTr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc32ae0f5-882a-42a1-a8fb-8249238b6f2a_666x205.png 424w, https://substackcdn.com/image/fetch/$s_!gyTr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc32ae0f5-882a-42a1-a8fb-8249238b6f2a_666x205.png 848w, https://substackcdn.com/image/fetch/$s_!gyTr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc32ae0f5-882a-42a1-a8fb-8249238b6f2a_666x205.png 1272w, https://substackcdn.com/image/fetch/$s_!gyTr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc32ae0f5-882a-42a1-a8fb-8249238b6f2a_666x205.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a><figcaption class="image-caption"><a 
href="https://xkcd.com/327/">xkcd</a></figcaption></figure></div><p>Database admins and programmers are not necessarily security professionals, and it&#8217;s common to find that they are a long way behind in keeping up with best security practices. We need to adopt more secure coding practices across the board, even if it's a development database, especially regarding SQL Injection attacks.</p><p>So how do we solve it?</p><p>Here are two simple ways:</p><ol><li><p><strong>Parameterized Queries:</strong> These tools ensure attackers can't alter a query's purpose by inserting harmful SQL commands. For instance, if a hacker tries to manipulate a search term, parameterized queries treat the input literally, searching for the exact string rather than executing any part of it as a command. Even if a user inputs something malicious, it will be treated as plaintext rather than executable SQL.</p><p></p></li><li><p><strong>Input Validation</strong>: By implementing input validation techniques like whitelisting (allowing only safe inputs) and blacklisting (blocking dangerous inputs), you can ensure that only appropriate and expected data is processed in your SQL queries.<br><br>For example, suppose you have a website form where users can select a country from a list to perform a search. To ensure only valid data is submitted, you create a list of acceptable country names, such as "USA," "Canada," and "Mexico." When a user submits their form, the system checks if the country they entered is on this approved list. 
If it is, the search goes ahead; if not, the input is rejected.</p></li></ol><p>By following these best practices, you can secure your application against SQL Injection attacks.</p>]]></content:encoded></item><item><title><![CDATA[Data Classification - Securing What Matters]]></title><description><![CDATA[The First Line of Data Defence.]]></description><link>https://www.cybrsimplified.com/p/data-classification-securing-what</link><guid isPermaLink="false">https://www.cybrsimplified.com/p/data-classification-securing-what</guid><dc:creator><![CDATA[Ola Ajanaku]]></dc:creator><pubDate>Mon, 06 May 2024 06:00:09 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!DGN0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa45a972d-be13-4a2e-9159-736701b6d42e_600x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3><strong>Screen Shadows &#128373;&#127996;&#8205;&#9794;&#65039;</strong></h3><blockquote><p><em>Four years unseen, the hackers played, <br>A ghostly dance, their plans were laid. <br>Names and numbers, spoils so bright,<br>Passport dreams took sudden flight.<br></em>- CS</p></blockquote><p><strong>Picture this:</strong> In 2018, Marriott International faced a cybersecurity nightmare when a colossal data breach exposed up to 500 million guests' personal details. This digital disaster traced its roots to the 2016 merger with Starwood Hotels, where a crucial misstep occurred: Starwood's IT systems were left vulnerable and not fully woven into Marriott's security fabric. 
</p><p>To add insult to injury, hackers had been lurking in Starwood's reservation systems since 2014, a shadowy presence overlooked during Marriott's acquisition. The oversight proved costly, granting cyber thieves a criminal&#8217;s paradise of data, from passport numbers to payment details. </p><p>Recognised as one of history's most extensive data breaches, the fallout was profound for Marriott&#8212;a staggering $30 million in damage control, a stock plummet of 5%, over $1 billion in revenue losses, a flurry of lawsuits, and a hefty &#163;18.4 million fine from UK regulators. </p><p>Marriott's ordeal with Starwood's legacy systems serves as a stark reminder of the dire consequences of underestimating cybersecurity's pivotal role in mergers and acquisitions.</p><div><hr></div><h3>TL;DR &#8987;&#65039;</h3><p>Security isn't free&#8212;it's a vital investment for safeguarding a company's crown jewels: its data. Identifying what to protect is step one, categorising data from "must-guard-with-our-lives" to "okay-to-share." This isn't just about state-of-the-art tech; it's perhaps more importantly about the goldmine of data accessed through it.</p><p>For businesses, it's about securing the protect surface, whether it&#8217;s confidential strategic plans or intellectual property. In the government realm, think classified levels, from "Top Secret" nuclear codes to everyday recruitment flyers. The guardians? Data owners decide what's sensitive, while data custodians keep it safe.</p><p>Bottom line&#8212;Security is pricey, but knowing what's crucial ensures we're not throwing money into a digital black hole. Let's invest wisely, protecting what truly matters.</p><div><hr></div><h3><strong>&#128680; Security Briefing &#128680;</strong></h3><p>Security is <em><strong>not</strong> </em>FREE. 
</p><p>Yeah, obvious, I know, but I think it&#8217;s important that people understand it can be expensive to implement security, and even big companies don&#8217;t have a bottomless pit of funds they can just reach into and use for whatever they wish.</p><p>We need to know exactly which assets are worth the expense of securing due to the very nature of their sensitivity. How do we do this? Well, we first need to identify all of our assets (which also include information and data). Then, we&#8217;ll need to classify them accordingly from the most critical to the least critical. Here&#8217;s what we&#8217;ll cover:</p><ul><li><p>What the difference is between an asset, information and data.</p></li><li><p>What the deal is about identifying assets.</p></li><li><p>What data classifications are; and</p></li><li><p>How we typically define them in companies.</p></li></ul><p>Without further ado&#8230;</p><p></p><h3>Asset Classification Decoded &#128104;&#127996;&#8205;&#128187;</h3><p><strong>ASSETS, INFORMATION, &amp; DATA</strong> are often used interchangeably in everyday cybersecurity vernacular, but they are technically distinct.</p><p>Let&#8217;s start in reverse order for a more logical explanation:</p><p><strong>What do we mean by &#8216;Data&#8217;?</strong></p><p>In the world of cybersecurity, grasping the distinction between data and information is akin to understanding the difference between a sack of flour and a loaf of bread. Data, in its true essence, is like that sack of flour&#8212;raw, unrefined, and without much use in its current state. These can be <strong>numbers, characters, or snapshots &#128248;</strong> from the world around us, essentially the building blocks that lack inherent meaning on their own. For example, a sequence of numbers might seem like random gibberish until it&#8217;s processed and given context.</p><p>So, why do we sometimes talk about data and information as if they're one and the same? 
It's partly because the distinction can seem a bit academic when we're casually discussing how businesses or technologies use "data" to improve or "inform" decisions. In practice, the line between the two blurs as we process and analyse data to extract value from it, turning it into information seamlessly as part of our analytical protocols.</p><p>In essence, while data and information serve different roles in the cycle of understanding and decision-making, their close relationship in the process of analysis and interpretation often leads to the two terms being used interchangeably.</p><p>Remember, though&#8212;appreciating the journey from data to information is key to recognising the value hidden in the vast cyber seas we navigate daily.</p><p></p><p><strong>What do we mean by &#8216;Information&#8217;?</strong></p><p>So we take this data, sift it, knead it, and finally bake it within the oven of our processing methodologies, and it transforms into information. This information, much like our loaf of bread, is palatable, useful, and ready to be consumed to satisfy our hunger for knowledge. It's the analysis, structuring, and contextualisation of data that gives it the significance we hope for, turning raw figures into insights on trends, behaviours, or operational metrics that inform decisions.</p><p>A commonly referenced example of information is &#8216;Personally identifiable information&#8217; or PII, for short. This is any information that can identify an individual. 
<strong>National Institute of Standards and Technology (NIST)</strong> <strong>Special Publication (SP) 800-122</strong> provides a more formal definition:</p><div class="pullquote"><p><em>Any information about an individual maintained by an agency, including</em></p><p><em>(1) any information that can be used to distinguish or trace an individual&#8217;s identity, such as <strong>name, social security number, date and place of birth, mother&#8217;s maiden name, or biometric records;</strong> and</em></p><p><em>(2) any other information that is linked or linkable to an individual, such as <strong>medical, educational, financial, and employment information.</strong></em></p></div><p><strong>Woah</strong>, so you can see that something as innocuous as <em>your name</em> is considered PII, which companies have a key responsibility to protect! </p><p>&#8220;Hmm, but how effective are they at doing this?&#8221; I hear you cynically mutter&#8230; Well, I&#8217;ll let you be the judge of that.</p><p>Diving a bit deeper, let&#8217;s talk about proprietary information. This is the secret sauce or the unique recipe that organisations guard with their very life&#8217;s blood. It's the magic formula, like Coca-Cola's "Merchandise 7X" &#129347;&#128203; or KFC's blend of 11 herbs and spices &#128020;&#128203;. These aren&#8217;t just random concoctions but carefully curated secrets that provide these companies with their competitive edge. 
Just as these recipes are only ever known by a few employees at any given time and kept away from prying eyes, so too must all organisations protect their proprietary information&#8212;be it software codes, technical blueprints, or business methodologies&#8212;from the purview of their competitors.</p><p><strong>NB:</strong> For the avoidance of doubt, when I refer to <em>data</em> I&#8217;ll be effectively referring to <em>information</em> as well.</p><p></p><p><strong>What do we mean by &#8216;Assets&#8217;?</strong></p><p>When we talk about 'assets', we're really just talking about all the things a company wants to keep safe. This includes everything you can touch, like computers and servers, and even the stuff you can't, like the masses of data they have stored. </p><div class="pullquote"><p><em>Data is to a library's books as Hardware is to the library's shelves.</em></p></div><p></p><p><strong>IDENTIFYING YOUR ASSETS</strong> is the preliminary task we must do before we get anywhere.<br><br>Now, there&#8217;s something called the data lifecycle &#128260;, which describes the journey of data from its initial collection to its eventual destruction. It involves six key phases: acquisition (collecting data), storage (keeping it securely), use (utilising the data), sharing (distributing it appropriately), archival (storing it long-term for future reference), and destruction (safely disposing of data when it's no longer needed). 
This is the journey data takes, and we must protect it from the cradle to the grave.</p><p>One of the first steps in the lifecycle we must consider is to identify and classify our information and assets.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!DGN0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa45a972d-be13-4a2e-9159-736701b6d42e_600x600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!DGN0!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa45a972d-be13-4a2e-9159-736701b6d42e_600x600.png 424w, https://substackcdn.com/image/fetch/$s_!DGN0!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa45a972d-be13-4a2e-9159-736701b6d42e_600x600.png 848w, https://substackcdn.com/image/fetch/$s_!DGN0!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa45a972d-be13-4a2e-9159-736701b6d42e_600x600.png 1272w, https://substackcdn.com/image/fetch/$s_!DGN0!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa45a972d-be13-4a2e-9159-736701b6d42e_600x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!DGN0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa45a972d-be13-4a2e-9159-736701b6d42e_600x600.png" width="600" height="600" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a45a972d-be13-4a2e-9159-736701b6d42e_600x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:600,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:547169,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!DGN0!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa45a972d-be13-4a2e-9159-736701b6d42e_600x600.png 424w, https://substackcdn.com/image/fetch/$s_!DGN0!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa45a972d-be13-4a2e-9159-736701b6d42e_600x600.png 848w, https://substackcdn.com/image/fetch/$s_!DGN0!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa45a972d-be13-4a2e-9159-736701b6d42e_600x600.png 1272w, https://substackcdn.com/image/fetch/$s_!DGN0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa45a972d-be13-4a2e-9159-736701b6d42e_600x600.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Within a company&#8217;s security policy, an organisation will often guide us on how to <strong>classify</strong> different types of data, which we&#8217;ll come to in a moment; hang tight &#128018;. But what <em>is</em> the stance on the data itself? Should we pinpoint and monitor all of it as rigorously as we do our physical assets? </p><p>Well, it's not a straightforward yes or no. Many organisations possess data so vital that its loss, corruption, or exposure could spell disaster. Picture a healthcare provider's patient records going awry. The repercussions of such incidents could be dire, plunging the entity into turmoil. To prevent such scenarios from happening, exhaustive efforts are made to pinpoint and keep tabs on this critical data, often resulting in embedding metadata (virtual sticky notes containing key details) within files or records for easier tracking&#8212;we&#8217;ll worry about that one at a later time. 
Just comprehend the high-level concept for now.</p><p></p><p><strong>DATA CLASSIFICATIONS</strong> are simply ways to organise data based on its criticality or sensitivity. They may also be referred to as ASSET CLASSIFICATIONS, which, in reality, is the more all-encompassing term. We tend to use the former because, for most companies in the 21st century, their most prized possessions are not the computers and hardware they use to facilitate business but the data that is viewed and accessed by them.</p><p>With that in mind, if a confidential document resides on the CEO&#8217;s laptop, then that device (including its hard drive, should it be taken out) merits enhanced protection. Generally, the security level assigned to an asset (such as a laptop or a removable drive) holding or working with data should match the highest value of data contained within it.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!b3g3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff94b7964-e310-42a2-9407-1841be7b9afd_600x600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!b3g3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff94b7964-e310-42a2-9407-1841be7b9afd_600x600.png 424w, https://substackcdn.com/image/fetch/$s_!b3g3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff94b7964-e310-42a2-9407-1841be7b9afd_600x600.png 848w, https://substackcdn.com/image/fetch/$s_!b3g3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff94b7964-e310-42a2-9407-1841be7b9afd_600x600.png 1272w, 
https://substackcdn.com/image/fetch/$s_!b3g3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff94b7964-e310-42a2-9407-1841be7b9afd_600x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!b3g3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff94b7964-e310-42a2-9407-1841be7b9afd_600x600.png" width="600" height="600" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f94b7964-e310-42a2-9407-1841be7b9afd_600x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:600,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:662627,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!b3g3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff94b7964-e310-42a2-9407-1841be7b9afd_600x600.png 424w, https://substackcdn.com/image/fetch/$s_!b3g3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff94b7964-e310-42a2-9407-1841be7b9afd_600x600.png 848w, https://substackcdn.com/image/fetch/$s_!b3g3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff94b7964-e310-42a2-9407-1841be7b9afd_600x600.png 1272w, 
https://substackcdn.com/image/fetch/$s_!b3g3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff94b7964-e310-42a2-9407-1841be7b9afd_600x600.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>For example, in a private company where an asset contains information ranging from public to sensitive and confidential, it should be tagged with the most secure classification and safeguarded appropriately&#8230; Comprendo? Bueno! 
&#129671;</p><p>In the digital world, information is like the lifeblood of any organisation, pumping through its veins and keeping it alive. However, not all information is created equal. It's often sorted into categories depending on how sensitive or critical it is. Think of sensitivity as how much of a storm would brew if certain pieces of information ended up in the wrong hands&#8212;that's the kind of hot water organisations like Equifax, Sina Weibo, and Marriott International found themselves in when their sensitive data was splashed across the headlines.</p><p>On the flip side, we've got criticality. This is about figuring out which pieces of information are the pillars holding up the organisation. If these were to vanish or get tampered with, it's like pulling the rug from under the organisation's feet. If sensitivity is hot water, criticality is boiling water. &#128166;</p><p>A stark example is Code Spaces, which had to shut its doors for good back in 2014. Why? Because critical data it depended on got wiped out in a cyber-attack. Without this data, it was game over. So, as we continue to traverse the connected highways of cybersecurity, understanding the difference between sensitive and critical information not only helps guard against potential threats but also ensures the lights stay on. </p><p></p><p><strong>CLASSIFICATIONS DEFINED</strong> in companies are typically dependent on whether we&#8217;re talking about a Private Entity or a Public Entity (i.e. 
Governmental Agencies).</p><p>For commercial or private companies, the common levels of sensitivity (with examples) from the highest to the lowest are as follows:</p><ul><li><p><strong>Confidential</strong>&#8212;Merger and acquisition plans: This is business-critical, and leaks could jeopardise competitive advantage.</p></li><li><p><strong>Private</strong>&#8212;Employee personal information: This includes information like your phone number, home address, or email that you might not necessarily want publicly listed.</p></li><li><p><strong>Sensitive</strong>&#8212;Proprietary software code: This could be the cornerstone of a company's new (non-flagship) product.</p></li><li><p><strong>Public</strong>&#8212;Annual reports: Often published on a company's website for investor transparency.</p></li></ul><p>For governmental entities such as the UK Ministry of Defence&#127894;&#65039;, sensitivity levels are categorised as:</p><ul><li><p><strong>Top Secret</strong>&#8212;This involves information that, if disclosed, could cause exceptionally grave damage to national security, such as nuclear weapon launch codes. The UK's Developed Vetting (DV) is the highest level of security clearance, and for good reason. 
Unsurprisingly, individuals with DV clearance often need to operate with minimal oversight, which explains the need for such stringent checks.</p></li><li><p><strong>Secret</strong>&#8212;Details of military technologies in development could give adversaries an unfair advantage.</p></li><li><p><strong>Confidential</strong>&#8212;Personnel records of soldiers: while less critical than undercover identities, they still need protection.</p></li><li><p><strong>Controlled Unclassified Information</strong>&#8212;Non-sensitive logistical plans, such as supply chain management.</p></li><li><p><strong>Unclassified</strong>&#8212;Recruitment materials designed to attract new enlistees.</p></li></ul><p>The maestros behind these data classifications are the <strong>data owners</strong>, who decide on the appropriate classification level based on the data&#8217;s value and sensitivity. Meanwhile, the <strong>data custodians</strong> play the crucial role of maintaining the data and its assigned security level, ensuring the data's integrity, confidentiality, and availability are preserved as per the owners' directives.</p><p></p><h3>Conclusion</h3><p>I wasn&#8217;t entirely honest earlier. I said the UK&#8217;s DV is the highest level of security clearance in the nation, but that&#8217;s not technically correct. There is a level of clearance above that, which only a very small number of people hold, and that&#8217;s enhanced-Developed Vetting (eDV). I can only imagine what kind of lives they live. Anyway, I digress.</p><p>Security is often a very costly expense, and data identification and its subsequent classification help us direct our efforts to where they matter most. 
So, if time and funds are going to be wasted, it won&#8217;t be on our watch!</p>]]></content:encoded></item><item><title><![CDATA[The Security Digest - 03/05/2024]]></title><description><![CDATA[Your weekly dose of cyber awareness.]]></description><link>https://www.cybrsimplified.com/p/the-security-digest-03052024</link><guid isPermaLink="false">https://www.cybrsimplified.com/p/the-security-digest-03052024</guid><dc:creator><![CDATA[Ola Ajanaku]]></dc:creator><pubDate>Fri, 03 May 2024 06:01:05 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!2LCx!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc300756e-588d-465c-86f2-31179781b82b_1200x706.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>This week in Cybersecurity&#8230; &#128478;&#65039;</p><div><hr></div><h4><strong>Privacy Failures Endanger People Living with HIV: Urgent Action Needed Amid Persistent Data Breaches</strong></h4><p>The UK Information Commissioner John Edwards has highlighted ongoing significant privacy failures within health services that handle HIV-related data, putting patients' confidentiality at risk. 
Repeated data breaches have exposed the HIV statuses of individuals, undermining trust and subjecting them to stigma and discrimination. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!2LCx!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc300756e-588d-465c-86f2-31179781b82b_1200x706.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!2LCx!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc300756e-588d-465c-86f2-31179781b82b_1200x706.png 424w, https://substackcdn.com/image/fetch/$s_!2LCx!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc300756e-588d-465c-86f2-31179781b82b_1200x706.png 848w, https://substackcdn.com/image/fetch/$s_!2LCx!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc300756e-588d-465c-86f2-31179781b82b_1200x706.png 1272w, https://substackcdn.com/image/fetch/$s_!2LCx!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc300756e-588d-465c-86f2-31179781b82b_1200x706.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!2LCx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc300756e-588d-465c-86f2-31179781b82b_1200x706.png" width="438" height="257.69" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c300756e-588d-465c-86f2-31179781b82b_1200x706.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:706,&quot;width&quot;:1200,&quot;resizeWidth&quot;:438,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Information Commissioner's Office - Wikipedia&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Information Commissioner's Office - Wikipedia" title="Information Commissioner's Office - Wikipedia" srcset="https://substackcdn.com/image/fetch/$s_!2LCx!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc300756e-588d-465c-86f2-31179781b82b_1200x706.png 424w, https://substackcdn.com/image/fetch/$s_!2LCx!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc300756e-588d-465c-86f2-31179781b82b_1200x706.png 848w, https://substackcdn.com/image/fetch/$s_!2LCx!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc300756e-588d-465c-86f2-31179781b82b_1200x706.png 1272w, https://substackcdn.com/image/fetch/$s_!2LCx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc300756e-588d-465c-86f2-31179781b82b_1200x706.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Despite advancements in HIV treatment and support, the lack of privacy protection remains a grave concern. The ICO has demanded immediate improvements and better compliance with data protection laws across health services. 
Further, the ICO is working with HIV charities to enhance the guidance on handling sensitive information and ensuring victims of data breaches have access to remedial measures.</p><p><strong><a href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/04/information-commissioner-persistent-sensitive-information-breaches-failing-people-living-with-hiv/">READ MORE</a></strong></p><div><hr></div><h4><strong>Nationwide Shutdown: London Drugs Closes All Stores Following Major Cyberattack</strong></h4><p>After a cyberattack disrupted operations over the weekend, Vancouver-based retailer London Drugs has indefinitely closed all of its 79 stores across Canada. This proactive measure aims to secure customer and employee data and prevent further damage. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!y1g9!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018ca42d-c932-41c6-9f4e-97a1ca360e42_1280x853.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!y1g9!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018ca42d-c932-41c6-9f4e-97a1ca360e42_1280x853.jpeg 424w, https://substackcdn.com/image/fetch/$s_!y1g9!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018ca42d-c932-41c6-9f4e-97a1ca360e42_1280x853.jpeg 848w, https://substackcdn.com/image/fetch/$s_!y1g9!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018ca42d-c932-41c6-9f4e-97a1ca360e42_1280x853.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!y1g9!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018ca42d-c932-41c6-9f4e-97a1ca360e42_1280x853.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!y1g9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018ca42d-c932-41c6-9f4e-97a1ca360e42_1280x853.jpeg" width="1280" height="853" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/018ca42d-c932-41c6-9f4e-97a1ca360e42_1280x853.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:853,&quot;width&quot;:1280,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;London Drugs stores remain closed after 'cybersecurity incident' | CBC News&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="London Drugs stores remain closed after 'cybersecurity incident' | CBC News" title="London Drugs stores remain closed after 'cybersecurity incident' | CBC News" srcset="https://substackcdn.com/image/fetch/$s_!y1g9!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018ca42d-c932-41c6-9f4e-97a1ca360e42_1280x853.jpeg 424w, https://substackcdn.com/image/fetch/$s_!y1g9!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018ca42d-c932-41c6-9f4e-97a1ca360e42_1280x853.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!y1g9!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018ca42d-c932-41c6-9f4e-97a1ca360e42_1280x853.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!y1g9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018ca42d-c932-41c6-9f4e-97a1ca360e42_1280x853.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The attack has halted both physical store operations and e-commerce sales, although pharmacists remain available for urgent needs. 
This incident underscores a broader trend of rising cyberattacks on Canadian businesses, highlighting the vulnerability of retail operations to such threats.</p><p><strong><a href="https://www.theglobeandmail.com/business/article-london-drugs-closes-all-of-its-stores-after-cyberattack/">READ MORE</a></strong></p><div><hr></div><h4><strong>Over a Million Australians at Risk as ClubsNSW Suffers Major Data Breach</strong></h4><p>A significant data breach at ClubsNSW has potentially exposed the personal details of over a million Australians, increasing their risk of identity theft. The breach, involving a third-party IT provider, affected fewer than 20 clubs but compromised sensitive information like driver&#8217;s license details and contact information, which may have been shared internationally. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!EbG1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93e6fcbd-7521-4f2c-86ff-381523849641_650x366.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!EbG1!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93e6fcbd-7521-4f2c-86ff-381523849641_650x366.jpeg 424w, https://substackcdn.com/image/fetch/$s_!EbG1!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93e6fcbd-7521-4f2c-86ff-381523849641_650x366.jpeg 848w, https://substackcdn.com/image/fetch/$s_!EbG1!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93e6fcbd-7521-4f2c-86ff-381523849641_650x366.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!EbG1!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93e6fcbd-7521-4f2c-86ff-381523849641_650x366.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!EbG1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93e6fcbd-7521-4f2c-86ff-381523849641_650x366.jpeg" width="650" height="366" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/93e6fcbd-7521-4f2c-86ff-381523849641_650x366.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:366,&quot;width&quot;:650,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;A data breach has affected ClubsNSW.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="A data breach has affected ClubsNSW." title="A data breach has affected ClubsNSW." 
srcset="https://substackcdn.com/image/fetch/$s_!EbG1!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93e6fcbd-7521-4f2c-86ff-381523849641_650x366.jpeg 424w, https://substackcdn.com/image/fetch/$s_!EbG1!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93e6fcbd-7521-4f2c-86ff-381523849641_650x366.jpeg 848w, https://substackcdn.com/image/fetch/$s_!EbG1!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93e6fcbd-7521-4f2c-86ff-381523849641_650x366.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!EbG1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93e6fcbd-7521-4f2c-86ff-381523849641_650x366.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>ClubsNSW is working with affected venues and authorities to manage the situation, while individuals are advised to remain vigilant against potential phishing attempts stemming from the breach.</p><p><strong><a href="https://7news.com.au/sunrise/a-million-aussies-at-risk-of-identity-theft-as-clubsnsw-data-breach-exposes-personal-details-c-14516263">READ MORE</a></strong></p><div><hr></div><h4><strong>Global Security Compromised: Cybercriminals Threaten Leak from Massive KYC Database</strong></h4><p>Cybercriminals have stolen and threatened to release data from the World-Check database, which contains sensitive information about individuals deemed high-risk for activities like terrorism and money laundering. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!JV8I!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54e6e8e1-a2f1-4b63-94bc-200a0c0e5bb8_1500x678.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!JV8I!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54e6e8e1-a2f1-4b63-94bc-200a0c0e5bb8_1500x678.jpeg 424w, https://substackcdn.com/image/fetch/$s_!JV8I!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54e6e8e1-a2f1-4b63-94bc-200a0c0e5bb8_1500x678.jpeg 848w, https://substackcdn.com/image/fetch/$s_!JV8I!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54e6e8e1-a2f1-4b63-94bc-200a0c0e5bb8_1500x678.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!JV8I!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54e6e8e1-a2f1-4b63-94bc-200a0c0e5bb8_1500x678.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!JV8I!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54e6e8e1-a2f1-4b63-94bc-200a0c0e5bb8_1500x678.jpeg" width="1456" height="658" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/54e6e8e1-a2f1-4b63-94bc-200a0c0e5bb8_1500x678.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:658,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;World-Check 
logo&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="World-Check logo" title="World-Check logo" srcset="https://substackcdn.com/image/fetch/$s_!JV8I!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54e6e8e1-a2f1-4b63-94bc-200a0c0e5bb8_1500x678.jpeg 424w, https://substackcdn.com/image/fetch/$s_!JV8I!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54e6e8e1-a2f1-4b63-94bc-200a0c0e5bb8_1500x678.jpeg 848w, https://substackcdn.com/image/fetch/$s_!JV8I!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54e6e8e1-a2f1-4b63-94bc-200a0c0e5bb8_1500x678.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!JV8I!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54e6e8e1-a2f1-4b63-94bc-200a0c0e5bb8_1500x678.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The breach, confirmed by the London Stock Exchange Group, occurred through a third-party vendor. The database serves as a critical resource for financial institutions performing Know Your Customer checks and contains over five million records. This breach raises significant concerns about privacy, security, and the potential misuse of the exposed data.</p><p><strong><a href="https://www.theregister.com/2024/04/19/cybercriminals_threaten_to_leak_all/">READ MORE</a></strong></p><div><hr></div><h4><strong>Massive Data Breach at FBCS Exposes Personal Information of Nearly 2 Million Consumers</strong></h4><p>Financial Business and Consumer Solutions (FBCS) reported a significant data breach initiated on February 14, 2024, affecting around 1.955 million people. North Korean hackers are suspected of accessing sensitive data, including full names, Social Security numbers, and driver&#8217;s license numbers. 
</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Nv-e!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d25395a-f0aa-42e0-a4e6-5ad504c5675a_266x105.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Nv-e!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d25395a-f0aa-42e0-a4e6-5ad504c5675a_266x105.png 424w, https://substackcdn.com/image/fetch/$s_!Nv-e!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d25395a-f0aa-42e0-a4e6-5ad504c5675a_266x105.png 848w, https://substackcdn.com/image/fetch/$s_!Nv-e!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d25395a-f0aa-42e0-a4e6-5ad504c5675a_266x105.png 1272w, https://substackcdn.com/image/fetch/$s_!Nv-e!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d25395a-f0aa-42e0-a4e6-5ad504c5675a_266x105.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Nv-e!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d25395a-f0aa-42e0-a4e6-5ad504c5675a_266x105.png" width="412" height="162.6315789473684" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8d25395a-f0aa-42e0-a4e6-5ad504c5675a_266x105.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:105,&quot;width&quot;:266,&quot;resizeWidth&quot;:412,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;FBCS, Inc. 
Logo&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="FBCS, Inc. Logo" title="FBCS, Inc. Logo" srcset="https://substackcdn.com/image/fetch/$s_!Nv-e!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d25395a-f0aa-42e0-a4e6-5ad504c5675a_266x105.png 424w, https://substackcdn.com/image/fetch/$s_!Nv-e!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d25395a-f0aa-42e0-a4e6-5ad504c5675a_266x105.png 848w, https://substackcdn.com/image/fetch/$s_!Nv-e!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d25395a-f0aa-42e0-a4e6-5ad504c5675a_266x105.png 1272w, https://substackcdn.com/image/fetch/$s_!Nv-e!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d25395a-f0aa-42e0-a4e6-5ad504c5675a_266x105.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>The breach was contained by February 26 after FBCS detected unauthorised network access. Measures were taken to secure the network and mitigate potential misuse, with ongoing investigations and strengthened security protocols. 
FBCS has also notified federal law enforcement and affected individuals about the breach.</p><p><strong><a href="https://www.techtimes.com/articles/304117/20240430/debt-collection-agency-fbcs-suffers-data-breach-affecting-1-9-million.htm">READ MORE</a></strong></p><div><hr></div><h4><strong>Potter Handy Law Firm to Represent Thousands in 23andMe Genetic Data Breach Case</strong></h4><p>Potter Handy LLP is representing nearly 5,000 clients in a lawsuit against 23andMe following a significant data breach that compromised the sensitive information of about seven million users. The stolen data, which includes genetic and personal details, was reportedly sold on the dark web.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!0vY5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac661dfa-27e5-490c-9438-93be3c863405_1200x708.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!0vY5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac661dfa-27e5-490c-9438-93be3c863405_1200x708.png 424w, https://substackcdn.com/image/fetch/$s_!0vY5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac661dfa-27e5-490c-9438-93be3c863405_1200x708.png 848w, https://substackcdn.com/image/fetch/$s_!0vY5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac661dfa-27e5-490c-9438-93be3c863405_1200x708.png 1272w, 
https://substackcdn.com/image/fetch/$s_!0vY5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac661dfa-27e5-490c-9438-93be3c863405_1200x708.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!0vY5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac661dfa-27e5-490c-9438-93be3c863405_1200x708.png" width="560" height="330.4" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ac661dfa-27e5-490c-9438-93be3c863405_1200x708.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:708,&quot;width&quot;:1200,&quot;resizeWidth&quot;:560,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;23andMe - Wikipedia&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="23andMe - Wikipedia" title="23andMe - Wikipedia" srcset="https://substackcdn.com/image/fetch/$s_!0vY5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac661dfa-27e5-490c-9438-93be3c863405_1200x708.png 424w, https://substackcdn.com/image/fetch/$s_!0vY5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac661dfa-27e5-490c-9438-93be3c863405_1200x708.png 848w, https://substackcdn.com/image/fetch/$s_!0vY5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac661dfa-27e5-490c-9438-93be3c863405_1200x708.png 1272w, 
https://substackcdn.com/image/fetch/$s_!0vY5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac661dfa-27e5-490c-9438-93be3c863405_1200x708.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The law firm accuses 23andMe of negligence in safeguarding user data and failing to meet reasonable cybersecurity standards, thereby violating consumer privacy rights and exposing clients to potential identity theft and discrimination.
Impacted individuals are primarily from California and Illinois.</p><p><strong><a href="https://www.businesswire.com/news/home/20240430220871/en/Potter-Handy-Law-Firm-Represents-Nearly-5000-Clients-in-23andMe-Data-Breach-Case">READ MORE</a></strong></p><div><hr></div><h4><strong>Change Healthcare Faces Massive Ransomware Attack Due to Security Lapses</strong></h4><p>Change Healthcare was hit by a ransomware attack executed by the BlackCat gang using stolen Citrix account credentials that lacked multi-factor authentication (MFA).</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!gw5j!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9611cee-bf2f-4af4-b2b8-d709f6bf38a8_840x438.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!gw5j!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9611cee-bf2f-4af4-b2b8-d709f6bf38a8_840x438.jpeg 424w, https://substackcdn.com/image/fetch/$s_!gw5j!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9611cee-bf2f-4af4-b2b8-d709f6bf38a8_840x438.jpeg 848w, https://substackcdn.com/image/fetch/$s_!gw5j!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9611cee-bf2f-4af4-b2b8-d709f6bf38a8_840x438.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!gw5j!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9611cee-bf2f-4af4-b2b8-d709f6bf38a8_840x438.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!gw5j!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9611cee-bf2f-4af4-b2b8-d709f6bf38a8_840x438.jpeg" width="840" height="438" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f9611cee-bf2f-4af4-b2b8-d709f6bf38a8_840x438.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:438,&quot;width&quot;:840,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;New Ransomware Actor Threatens Change Healthcare&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="New Ransomware Actor Threatens Change Healthcare" title="New Ransomware Actor Threatens Change Healthcare" srcset="https://substackcdn.com/image/fetch/$s_!gw5j!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9611cee-bf2f-4af4-b2b8-d709f6bf38a8_840x438.jpeg 424w, https://substackcdn.com/image/fetch/$s_!gw5j!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9611cee-bf2f-4af4-b2b8-d709f6bf38a8_840x438.jpeg 848w, https://substackcdn.com/image/fetch/$s_!gw5j!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9611cee-bf2f-4af4-b2b8-d709f6bf38a8_840x438.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!gw5j!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9611cee-bf2f-4af4-b2b8-d709f6bf38a8_840x438.jpeg 1456w" sizes="100vw" 
loading="lazy"></picture></div></a></figure></div><p>Initiated on February 12, 2024, the breach allowed unauthorised access for about ten days, enabling data theft and system encryption that caused significant operational disruptions and a financial impact estimated at $872 million.
The breach highlighted critical security failures and triggered a comprehensive response, including massive system overhauls and increased security measures to prevent future incidents.</p><p><strong><a href="https://www.bleepingcomputer.com/news/security/change-healthcare-hacked-using-stolen-citrix-account-with-no-mfa/">READ MORE</a></strong></p><div><hr></div><h4><strong>Finnish Hacker Sentenced for Blackmailing Therapy Patients in Massive Data Breach</strong></h4><p>Aleksanteri Kivim&#228;ki, a Finnish hacker, has been sentenced to six years and three months in prison for hacking into a psychotherapy centre's records and blackmailing patients. Kivim&#228;ki accessed the records of Vastaamo, a therapy centre, in a breach affecting about 33,000 clients. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1562813733-b31f71025d54?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxoYWNrZXJ8ZW58MHx8fHwxNzE0NjE4NjI3fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1562813733-b31f71025d54?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxoYWNrZXJ8ZW58MHx8fHwxNzE0NjE4NjI3fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1562813733-b31f71025d54?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxoYWNrZXJ8ZW58MHx8fHwxNzE0NjE4NjI3fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1562813733-b31f71025d54?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxoYWNrZXJ8ZW58MHx8fHwxNzE0NjE4NjI3fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1272w, 
https://images.unsplash.com/photo-1562813733-b31f71025d54?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxoYWNrZXJ8ZW58MHx8fHwxNzE0NjE4NjI3fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1562813733-b31f71025d54?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxoYWNrZXJ8ZW58MHx8fHwxNzE0NjE4NjI3fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080" width="6024" height="4024" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1562813733-b31f71025d54?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxoYWNrZXJ8ZW58MHx8fHwxNzE0NjE4NjI3fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:4024,&quot;width&quot;:6024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;man siting facing laptop&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="man siting facing laptop" title="man siting facing laptop" srcset="https://images.unsplash.com/photo-1562813733-b31f71025d54?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxoYWNrZXJ8ZW58MHx8fHwxNzE0NjE4NjI3fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1562813733-b31f71025d54?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxoYWNrZXJ8ZW58MHx8fHwxNzE0NjE4NjI3fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 848w, 
https://images.unsplash.com/photo-1562813733-b31f71025d54?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxoYWNrZXJ8ZW58MHx8fHwxNzE0NjE4NjI3fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1562813733-b31f71025d54?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxoYWNrZXJ8ZW58MHx8fHwxNzE0NjE4NjI3fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>He initially demanded a ransom from Vastaamo and then from the patients directly, leading to widespread outrage in Finland.
This case marks a significant breach of privacy and security, highlighting the severe consequences of cyberattacks on personal data.</p><p><strong><a href="https://www.foxnews.com/world/finnish-hacker-sentenced-blackmailing-therapy-patients-accessing-thousands-records">READ MORE</a></strong></p><div><hr></div><h4><strong>FCC Levies Hefty Fines on U.S. Carriers for Unauthorized Location Data Sales</strong></h4><p>The FCC has fined major U.S. wireless carriers, including AT&amp;T, Sprint, T-Mobile, and Verizon, a total of nearly $200 million for illegally selling access to customer location data. This action concludes an extensive four-year investigation triggered by Senator Ron Wyden's inquiries. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!5zLN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d9ae61c-1873-41db-b920-83401402b51f_940x529.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!5zLN!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d9ae61c-1873-41db-b920-83401402b51f_940x529.jpeg 424w, https://substackcdn.com/image/fetch/$s_!5zLN!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d9ae61c-1873-41db-b920-83401402b51f_940x529.jpeg 848w, https://substackcdn.com/image/fetch/$s_!5zLN!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d9ae61c-1873-41db-b920-83401402b51f_940x529.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!5zLN!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d9ae61c-1873-41db-b920-83401402b51f_940x529.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!5zLN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d9ae61c-1873-41db-b920-83401402b51f_940x529.jpeg" width="940" height="529" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9d9ae61c-1873-41db-b920-83401402b51f_940x529.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:529,&quot;width&quot;:940,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Verizon vs AT&amp;T, T-Mobile and Sprint subscriber and profit margin charts  paint it red - PhoneArena&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Verizon vs AT&amp;T, T-Mobile and Sprint subscriber and profit margin charts  paint it red - PhoneArena" title="Verizon vs AT&amp;T, T-Mobile and Sprint subscriber and profit margin charts  paint it red - PhoneArena" srcset="https://substackcdn.com/image/fetch/$s_!5zLN!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d9ae61c-1873-41db-b920-83401402b51f_940x529.jpeg 424w, https://substackcdn.com/image/fetch/$s_!5zLN!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d9ae61c-1873-41db-b920-83401402b51f_940x529.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!5zLN!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d9ae61c-1873-41db-b920-83401402b51f_940x529.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!5zLN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d9ae61c-1873-41db-b920-83401402b51f_940x529.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The carriers, which had passed the responsibility of obtaining customer consent to third parties, continued their practices even after 
acknowledgements of security flaws, leading to widespread unauthorised data access and potential privacy invasions.</p><p><strong><a href="https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wireless-carriers-for-selling-customer-location-data/">READ MORE</a></strong></p><div><hr></div><h4><strong>Marriott Admits to Misrepresenting Encryption Standards in 2018 Data Breach Case</strong></h4><p>In a recent court hearing, Marriott International confessed that it had misrepresented its use of AES-128 encryption to protect customer data during the 2018 breach; the data was actually protected with the less secure SHA-1 hashing method. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!XRRO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2c05133-7b9b-4b76-aa50-0a465893de1f_2880x1920.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!XRRO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2c05133-7b9b-4b76-aa50-0a465893de1f_2880x1920.jpeg 424w, https://substackcdn.com/image/fetch/$s_!XRRO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2c05133-7b9b-4b76-aa50-0a465893de1f_2880x1920.jpeg 848w, https://substackcdn.com/image/fetch/$s_!XRRO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2c05133-7b9b-4b76-aa50-0a465893de1f_2880x1920.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!XRRO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2c05133-7b9b-4b76-aa50-0a465893de1f_2880x1920.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!XRRO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2c05133-7b9b-4b76-aa50-0a465893de1f_2880x1920.jpeg" width="1456" height="971" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d2c05133-7b9b-4b76-aa50-0a465893de1f_2880x1920.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Wichita Marriott Hotel&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Wichita Marriott Hotel" title="Wichita Marriott Hotel" srcset="https://substackcdn.com/image/fetch/$s_!XRRO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2c05133-7b9b-4b76-aa50-0a465893de1f_2880x1920.jpeg 424w, https://substackcdn.com/image/fetch/$s_!XRRO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2c05133-7b9b-4b76-aa50-0a465893de1f_2880x1920.jpeg 848w, https://substackcdn.com/image/fetch/$s_!XRRO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2c05133-7b9b-4b76-aa50-0a465893de1f_2880x1920.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!XRRO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2c05133-7b9b-4b76-aa50-0a465893de1f_2880x1920.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex 
pc-gap-8 pc-reset"></div></div></div></a></figure></div><p>This revelation came after a forensic investigation contradicted Marriott's long-standing claims. The misuse of SHA-1, which is a hashing algorithm rather than encryption and is prone to quick cracking, may have allowed hackers easier access to sensitive customer data. The disclosure has serious legal and security ramifications, potentially affecting ongoing lawsuits and Marriott's obligations under data protection regulations.</p><p><strong><a href="https://www.csoonline.com/article/2096365/marriott-admits-it-falsely-claimed-for-five-years-it-was-using-encryption-during-2018-breach.html">READ MORE</a></strong></p><div><hr></div><p><em>Enjoyed this week&#8217;s digest? Why not share it with a friend? 
Let these topical events lead your security conversations, and become the expert. Oh, and don&#8217;t forget to subscribe :)</em></p>]]></content:encoded></item><item><title><![CDATA[🔥🎬 - Communicating Security]]></title><description><![CDATA[Hot Take #1]]></description><link>https://www.cybrsimplified.com/p/communicating-security</link><guid isPermaLink="false">https://www.cybrsimplified.com/p/communicating-security</guid><dc:creator><![CDATA[Ola Ajanaku]]></dc:creator><pubDate>Wed, 01 May 2024 06:01:00 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/a2809b5c-5b7b-42a7-bee6-0e87fb684602_600x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>"As a security professional, it's like being a voice in the wilderness; I struggle to paint the picture for upper management that robust security is not a roadblock but the very guardrails that keep our corporate journey safe. Convincing them often feels like selling lifeboats on a ship that hasn&#8217;t seen a storm&#8212;necessary, yet undervalued until the waves hit." - Anon</em></p><div><hr></div><p><strong>Thoughts&#8230; &#128173;*</strong></p><p>Sadly, this isn&#8217;t an uncommon scenario in the industry. 
</p><p>So how do we solve it?</p><p>My approach is always to break this communication flow over two meetings with senior management where possible:</p><ol><li><p><strong>Sensibility</strong> <strong>&#8594;</strong> Before I even start thinking about explaining the security problems within the organisation, I would first make every effort to understand senior management's cognitive and emotional position regarding security.</p><p><br>As you&#8217;ve probably heard before, &#8216;Companies do not hire people; people hire people,&#8217; and management&#8217;s attitude towards security carries the same sentiment. We&#8217;re dealing with individuals, not faceless entities.</p><p><br>Ideally, I&#8217;m trying to build rapport and trust over coffee, an informal chat, a ride to the office, lunchtime, or whatever the medium. 
I do that by asking genuine questions seemingly unrelated to the business, although the answers will doubtless reference it. An ingenious way of doing this is to start high and stay on that path for a series of three or four questions in a friendly, inquisitive manner before organically moving on to another line of questioning when appropriate.</p><p><br>For example, what are some of the ways you typically manage stress? &#8594; how would you grade yourself on doing &#8216;x&#8217; effectively? &#8594; what&#8217;s getting in your way of improving on &#8216;x&#8217;? &#8594; would you say that&#8217;s your biggest stressor, or is there another?<br><br>The above could go on for hours; get to the crux of the issue quickly and move on. Oh, and read the room.</p><p><br><strong>Note:</strong> <strong>You&#8217;re not asking for the sake of it. Focus on what&#8217;s being said; it&#8217;ll be invaluable later.</strong><br></p></li><li><p><strong>Hypothesis</strong> <strong>&#8594;</strong> Once I&#8217;ve built a reasonably strong rapport for the time spent with this executive, I&#8217;ll switch gears towards risk by coaxing them to think about what it means to them.</p><p><br>Here, I&#8217;m trying to find out how a sudden downturn in business would impact their personal lives. Is it something they really care about? Perhaps they are involved in other ventures, which makes the current business less integral to their affairs.<br><br>Usually, the man or woman opposite me will care a great deal about ensuring things go smoothly and will be severely impacted in some way by a business meltdown.</p></li></ol><p>I&#8217;d make a mental note of how the discussion went and ruminate on it as I start planning a slightly more formal setting for the follow-up rendezvous.</p><ol start="3"><li><p><strong>Case Study</strong> <strong>&#8594;</strong> This will take a little work, but it could be well worth it in the end. 
Researching and presenting a case study or two of a security breach in a similar organisation in the industry adds colour to the picture.</p><p><br>Going into the how, the why, and the impact it caused is a visceral way to convey the need for adequate security. The most important thing here is to frame the whole case study presentation with the knowledge acquired in the sensibility and hypothesis phases of our first informal meeting.<br><br>The closer I can get to &#8220;your-fears-were-realised-in-a-company-similar-to-us&#8221;, the better.<br></p></li><li><p><strong>Application &#8594;</strong> Finally, this is where one can shine. Provided you&#8217;ve done the work of going through your company&#8217;s vulnerabilities, this should be a cakewalk.</p><p><br>Naturally, the application stage builds upon all the previous information and shows why we are not in a firm position regarding the security of our company&#8217;s assets. Until this point, everything has been somewhat notional&#8212;things suggestive but not imminently existing in our reality.</p><p><br>That all changes with application, and you&#8217;d hope the executive in question is paying extremely close attention by this point.<br></p></li></ol><p>Is this a foolproof method to change senior management's minds in your good-natured security endeavours? Absolutely not, but it could be a giant leap in the right direction if you can execute it well. </p><p>CEOs, for example, have 101 things they&#8217;ll be dealing with at any given time. It takes sincerity, empathy and exceptional communication skills to influence decisions at this level. The people advising senior management in various capacities are generally people they trust. 
As a competent security professional, you must make that exclusive list and become one of them.</p><p>What do you think?</p><h6><em>*Subject to change at any time</em></h6><p></p>]]></content:encoded></item><item><title><![CDATA[Unchanging Truths of Information Security]]></title><description><![CDATA[Stability amid Change.]]></description><link>https://www.cybrsimplified.com/p/unchanging-truths-of-information</link><guid isPermaLink="false">https://www.cybrsimplified.com/p/unchanging-truths-of-information</guid><dc:creator><![CDATA[Ola Ajanaku]]></dc:creator><pubDate>Mon, 29 Apr 2024 06:00:59 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f003890-2de6-4841-adb0-1da707bd9f74_600x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3><strong>Screen Shadows &#128373;&#127996;&#8205;&#9794;&#65039;</strong></h3><blockquote><p><em>"In the grand scheme of cybersecurity, an intern and a leaked password are like a rogue mosquito at a picnic &#8211; small, annoying, and capable of ruining the whole day." - CS</em></p></blockquote><p><strong>Picture this:</strong> Back in early 2021, the cybersecurity world was set ablaze with the story of the SolarWinds breach&#8212;a real head-scratcher that hit the very heart of digital trust, compromising both confidentiality and integrity. </p><p>Hackers, with their digital toolbox, found an open window through SolarWinds' Orion software, all thanks to a password that might as well have been "open sesame." Yep, you guessed it: "solarwinds123." 
This password, created by a junior intern, can be brute-forced in seconds and somehow found its way onto the internet's vast bulletin board, GitHub, through a little slip-up. </p><p>The fallout? Enormous. This tiny crack in the wall let intruders waltz right into the digital homes of some pretty significant players, including folks over at the U.S. government, rummaging through sensitive data as if it were a yard sale. It's a stark reminder of how something as simple as a password can have ripples far beyond its humble characters.</p><div><hr></div><h3>TL;DR &#8987;&#65039;</h3><p>Cybersecurity isn't just for tech experts; it's also about applying common sense, much like not leaving your house unlocked. 
Here's a quick rundown of its core principles:</p><ul><li><p><strong>Confidentiality</strong>: Keeping data locked away from those who shouldn't see it.</p></li><li><p><strong>Integrity</strong>: Making sure data stays accurate and unaltered.</p></li><li><p><strong>Availability</strong>: Ensuring data is there when you need it, without delays.</p></li><li><p><strong>Authenticity</strong>: Verifying data comes from its true source.</p></li><li><p><strong>Non-repudiation</strong>: Creating a digital trail that prevents denying actions online.</p></li></ul><p>These pillars are the foundation of staying safe in the digital realm, protecting everything from personal info to ensuring transactions are genuine. Understanding these basics is crucial for everyone in today's interconnected world.</p><div><hr></div><h3><strong>&#128680; Security Briefing &#128680;</strong></h3><p>Often, when people talk about how much they want to get into cybersecurity, or even when my contemporaries speak about cybersecurity concepts, the fundamental principles that form the backbone of security deserve more attention than they get. I&#8217;ve yet to meet someone in my part of the world who purposely opts to leave the main door of their home wide open just before they retire to bed for the night.</p><p>Why? Because inherently, they know better. Kids might act carelessly enough to do that, but (I hope) adults generally don't. They understand the basics of personal safety without needing to take a dedicated course on Safety Essentials 101. That&#8217;s because <strong>security, at its core, is a mindset,</strong> and this applies equally to the digital world. 
So, to move from a child&#8217;s approach to a more mature understanding of cybersecurity, these are the pillars we need to master:</p><ul><li><p><strong>Confidentiality</strong> - Keeping sensitive data under lock and key</p></li><li><p><strong>Integrity</strong> - Accurate and reliable data, no unauthorised tampering</p></li><li><p><strong>Availability</strong> - Information access without delays or disruptions</p></li><li><p><strong>Authenticity</strong> - Verifying your information comes from a genuine source</p></li><li><p><strong>Non-repudiation</strong> - Proof of actions that cannot be denied later</p></li></ul><p>Without further ado&#8230;</p><p></p><h3>Pillars Decoded &#128104;&#127996;&#8205;&#128187;</h3><p><strong>CONFIDENTIALITY</strong> means protecting your data from prying eyes. We put systems in place to control who can access what, ensuring sensitive information stays secure. It's about allowing the right people in and keeping unauthorised individuals out. To this aim, you&#8217;re almost certain to come across (if you haven&#8217;t already) the following industry-related terms, which all serve our purpose of achieving information security &#128274;:</p><p><strong>Sensitivity</strong> gauges how distressing it would be if someone else glimpsed your data. Technically, it measures the potential for negative impact or harm due to unauthorised disclosure. Picture your private browser history as dirty laundry; clearly, not everyone needs to see it.</p><p><strong>Discretion</strong> affords you the power to dictate who sees what and when. Technically speaking, it involves implementing access controls based on need-to-know and least-privilege principles. It&#8217;s akin to deciding whom you would entrust with babysitting your children. You wouldn&#8217;t confer this responsibility on just anyone, and the same cautious principle applies to your sensitive information.</p><p>Moving on to <strong>Criticality</strong>, this term probes how essential the information is for maintaining life's smooth progression. It assesses the indispensability of a system, asset, or process and the potential repercussions if it were compromised. Consider the difference between losing your house keys and a pack of gum. Both scenarios suck, particularly when your breath is beefing, but one clearly presents a more significant problem than the other.</p><p><strong>Concealment</strong> is not too dissimilar to playing hide-and-seek with your data, except we&#8217;re not playing here. Through techniques like encryption and obfuscation, it&#8217;s about making data difficult for unauthorised individuals to uncover. Picture stashing your valuables in a secret drawer instead of simply sliding them under your pillow.</p><p>To use a common catchphrase, the concept of <strong>Secrecy</strong> can be illustrated as "What happens in Vegas stays in Vegas," but applied to your data. It&#8217;s about preserving confidentiality through stringent access controls and safeguards. 
Imagine if the plot of the next Marvel movie were leaked before its release; spoilers aren&#8217;t fun for anyone.</p><p><strong>Privacy</strong> emphasises personal boundaries; it&#8217;s about keeping what you wish close to your chest, shielded from view. This entails protecting personally identifiable information (PII) to avoid damaging an individual's reputation or safety. Imagine your private diary, littered with all its secrets, suddenly displayed on posters at every bus stop in town. Far from an ideal situation.</p><p><strong>Seclusion</strong> transports your data to a metaphorical deserted island, storing it in a highly restricted, segregated environment away from social contact insofar as possible. Similar to secrecy but with the added step of separation. It&#8217;s like securing your secret bank account documents in a safe and burying that safe in your garden. Mr Fox might be curious, but he won&#8217;t be getting his paws on your assets.</p><p>Lastly, <strong>Isolation</strong> involves keeping your data in a sort of &#8216;quarantine&#8217;, away from other environments or processes. By segmenting sensitive data from other systems, the goal is to minimise attack surfaces and prevent any cross-contamination. Ever experienced the nauseating feeling when you&#8217;ve discovered that you&#8217;ve forwarded an email to the wrong person? Isolation is the cybersecurity strategy that helps avert such awkward blunders.</p><p></p><p><strong>INTEGRITY</strong> means no random changes to your data and nothing misplaced. Your digital life is a giant jigsaw puzzle &#129513;. Every email, text message, photo, and online purchase is a unique piece. For the whole picture to make sense, you need all those pieces to be exactly as you left them. 
This is the essence of data integrity.</p><p>In the cybersecurity world, integrity is about making sure the digital puzzle remains reliable and accurate. It's about putting safeguards in place to prevent a whole range of mishaps, which we can view from three broad perspectives:</p><ul><li><p><strong>Protection against unauthorised subjects making changes:</strong> Hackers love to tamper with data: changing prices in an online shop, tweaking medical records, or even messing with your smart home settings. Strong integrity measures act like a digital bouncer, keeping these bad actors out.</p></li><li><p><strong>Protection against authorised subjects making unauthorised changes:</strong> We all make the occasional typo or accidentally delete important files. 
Integrity controls are your digital "undo" button, allowing you to roll back to the correct version or, more ideally, preventing them from happening in the first place.</p></li><li><p><strong>Maintaining the big picture:</strong> Integrity isn't just about individual files; it focuses on how everything fits together. If the balance in your online bank account is suddenly incorrect, it doesn't matter whether the transactions themselves are right. Integrity helps ensure all the pieces of your digital world align correctly.</p></li></ul><p>Unfortunately, upholding data integrity isn't easy. It requires a lot of work and robust access controls. It also involves constant checks to ensure data stays pristine as it moves between devices and online services where many cyber-criminals reside &#129399;&#127996;.</p><p>While the technical side might get a bit complex, the core concept is simple: in the digital world, just like in a jigsaw puzzle, you want every single piece to be perfecto!</p><p></p><p><strong>AVAILABILITY</strong> is a straightforward concept. If you&#8217;re reading this, I could bet my bottom dollar that on more than a dozen occasions in your life, you&#8217;ve tried to watch a video on a streaming service &#127871;, only to be greeted by that irritating buffering circle. That's the frustrating taste of an "availability" issue in the digital world. 
In cybersecurity, availability means making sure the stuff you need, when you need it, is actually there and working as you expect it.</p><p>But the cyber world, as we all know, isn't all sunshine and rainbows. Availability has its enemies:</p><ul><li><p><strong>Structural Issues:</strong> Hardware failures, software bugs, and power outages &#8211; these are the classic infrastructural components which love to cause us problems.</p></li><li><p><strong>Bad Actors:</strong> Hackers love launching Denial-of-Service (DoS) attacks, which basically flood your system with so much junk traffic that it grinds to a halt because it can&#8217;t process that junk quickly enough.</p></li><li><p><strong>Good Actors (albeit misinformed):</strong> Mistakes do happen! Accidental deletions, bad configurations, spilling coffee on the server...all classic availability downers due to human error.</p></li></ul><p>So, how do we keep things running as they should?</p><ul><li><p><strong>Redundancy is Key:</strong> You&#8217;ll be familiar with the term &#8216;backup,&#8217; but here, we mean something a little different. 
We&#8217;re talking about having spares so that if one system fails, another takes over immediately. Very nice.</p></li><li><p><strong>Cybersecurity Shields:</strong> Firewalls and access controls are like bodyguards, keeping malicious agents away from your precious resources. We&#8217;d rather not go without them.</p></li><li><p><strong>The Age-Old Backup: </strong>Backups are the ultimate "rewind button" in case something goes wrong. If we&#8217;re in charge of operations, it&#8217;s always a good idea to test them regularly&#8212;we don't want to find out they don't work when disaster strikes.</p></li></ul><p>Remember, availability is a big part of what makes the digital world truly useful. Companies spend a lot of time and money making sure their systems stay online reliably &#8211; because, let's be honest, an unavailable website or service is about as useful as a broken vending machine, and it will cost a company a whole lot more than a few missed Kinder Bueno sales.</p><p></p><p><strong>AUTHENTICITY</strong> is what the spring chickens refer to as &#8220;being real&#8221;. No. Well, not quite.</p><p>Unlike integrity, authenticity is <em>proving</em> that the message you received was actually sent by the person or place it says it's from &#128519;. 
This means that when you get some piece of information, you can be pretty sure it's legitimate and hasn't been messed with along the way.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!_q7_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbcb9892-08d5-4628-adae-1f17f68535f0_600x600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!_q7_!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbcb9892-08d5-4628-adae-1f17f68535f0_600x600.png 424w, https://substackcdn.com/image/fetch/$s_!_q7_!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbcb9892-08d5-4628-adae-1f17f68535f0_600x600.png 848w, https://substackcdn.com/image/fetch/$s_!_q7_!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbcb9892-08d5-4628-adae-1f17f68535f0_600x600.png 1272w, https://substackcdn.com/image/fetch/$s_!_q7_!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbcb9892-08d5-4628-adae-1f17f68535f0_600x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!_q7_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbcb9892-08d5-4628-adae-1f17f68535f0_600x600.png" width="600" height="600" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bbcb9892-08d5-4628-adae-1f17f68535f0_600x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:600,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:404550,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!_q7_!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbcb9892-08d5-4628-adae-1f17f68535f0_600x600.png 424w, https://substackcdn.com/image/fetch/$s_!_q7_!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbcb9892-08d5-4628-adae-1f17f68535f0_600x600.png 848w, https://substackcdn.com/image/fetch/$s_!_q7_!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbcb9892-08d5-4628-adae-1f17f68535f0_600x600.png 1272w, https://substackcdn.com/image/fetch/$s_!_q7_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbcb9892-08d5-4628-adae-1f17f68535f0_600x600.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>How many examples have we personally come across in our daily lives? A spoofed email from your bank saying your account's been compromised?  A counterfeit handbag? Fake IDs? Watches? Emails? Knock-off websites? Take your pick!</p><p>Now, here's where things get interesting:</p><ul><li><p><strong>One-trick ponies aren't secure anymore:</strong> Relying on just a password is risky&#8212;hackers crack those all the time, especially when it&#8217;s as weak as our intern friend's earlier. That's why we use multi-factor authentication (MFA), such as having to input a text code received on your phone in addition to entering your password, or even better, a YubiKey. 
It might be annoying, but it&#8217;s better than having your accounts compromised.</p></li><li><p><strong>Context matters:</strong> Where you are and what device you use are extra clues to confirm that it's actually you logging in, not a criminal halfway across the world trying to access your account after you just logged in from your home location 30 minutes ago&#8212;what we call in security &#8216;impossible travel&#8217;.</p></li></ul><p>Authentication is a complex topic we'll explore further later, but for now, remember that in the digital world, it&#8217;s not advisable to take things at face value. Make sure you&#8217;re dealing with a legitimate source before you hand over your personal information because once you do, you won&#8217;t get it back.</p><p></p><p><strong>NON-REPUDIATION</strong> sounds pretty intellectual, doesn&#8217;t it?</p><p>In the online world, words like "I didn't do it!" don't fly; that&#8217;s why people would rather exclaim, &#8220;I was hacked!&#8221;&#8212;hmm, yeah, convenient &#128173;&#129488;. That's where non-repudiation comes in. 
Think &#8216;digital receipt&#8217;, proving who sent what message, bought that embarrassing item, or triggered a security alert.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!tUbC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c27e675-8044-4d64-b9e3-bc7c47e6ce9e_600x600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!tUbC!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c27e675-8044-4d64-b9e3-bc7c47e6ce9e_600x600.png 424w, https://substackcdn.com/image/fetch/$s_!tUbC!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c27e675-8044-4d64-b9e3-bc7c47e6ce9e_600x600.png 848w, https://substackcdn.com/image/fetch/$s_!tUbC!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c27e675-8044-4d64-b9e3-bc7c47e6ce9e_600x600.png 1272w, https://substackcdn.com/image/fetch/$s_!tUbC!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c27e675-8044-4d64-b9e3-bc7c47e6ce9e_600x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!tUbC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c27e675-8044-4d64-b9e3-bc7c47e6ce9e_600x600.png" width="600" height="600" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1c27e675-8044-4d64-b9e3-bc7c47e6ce9e_600x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:600,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:327026,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!tUbC!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c27e675-8044-4d64-b9e3-bc7c47e6ce9e_600x600.png 424w, https://substackcdn.com/image/fetch/$s_!tUbC!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c27e675-8044-4d64-b9e3-bc7c47e6ce9e_600x600.png 848w, https://substackcdn.com/image/fetch/$s_!tUbC!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c27e675-8044-4d64-b9e3-bc7c47e6ce9e_600x600.png 1272w, https://substackcdn.com/image/fetch/$s_!tUbC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c27e675-8044-4d64-b9e3-bc7c47e6ce9e_600x600.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Here's why non-repudiation matters:</p><ul><li><p><strong>No Take-Backsies:</strong> If someone fakes your email to send nasty messages, you'd have a hard time proving it wasn't you without non-repudiation. You may well be in hot water for something a mischievous impersonator did.</p></li><li><p><strong>Take Accountability:</strong> From online shopping to file sharing at work, non-repudiation ensures everyone is responsible for their actions. No more blaming glitches.</p></li><li><p><strong>Detective Work Made Easy(ier):</strong> When something goes wrong, non-repudiation leaves us a trail of digital breadcrumbs to follow. 
This helps us figure out who accessed what and when, making investigations a lot more straightforward than if this trail wasn&#8217;t available.</p></li></ul><p>So, how do we make this non-repudiation magic happen?</p><ul><li><p><strong>Digital Signatures:</strong> For now, just think of these as fancy, impossible-to-fake electronic scribbles that prove it's really you.</p></li><li><p><strong>Logging the Details:</strong> Tracking who logs in, what they do, and when they&#8217;ve done it (as we kinda just said). It's the boring but essential audit trail that is logged and monitored by specialised software.</p></li><li><p><strong>Strong Access Controls:</strong> These controls ensure that only the right people can do the right things. They also minimise the chances of someone else using your account to cause trouble.</p></li></ul><p>Non-repudiation might seem like a techy, abstract concept, but it's arguably the cornerstone of trust online. Whether you're paying for a service online or accessing sensitive files at work, it's the system that helps make sure you (and only you) are responsible for your digital actions, so let&#8217;s behave, shall we?</p><p></p><h3>Conclusion</h3><p>As you may have noticed, there are many overlapping concepts in cybersecurity, and it&#8217;s good that they overlap because, as we discussed at the top of this post, <strong>security, at its core, is a mindset</strong>. 
Whether you&#8217;re a seasoned professional swashbuckling through the cybersecurity industry or a &#8216;regular degular&#8217; simply trying to ensure you&#8217;re not unnecessarily putting yourself at risk, there&#8217;s a healthy dose of professional scepticism needed to ensure we're keeping ourselves, families and organisations out of harm&#8217;s way.</p>]]></content:encoded></item></channel></rss>