CYBERINTELLIGENCE & INFOSEC



Translation of the original, from May 4th, 2022.

Threats in cyberspace and against sensitive physical infrastructures can be categorized as both hybrid and asymmetric, since they are not only the domain of transnational criminal organizations but may also allegedly form part of offensive actions by hostile states, carried out directly or in a delegated (outsourced) manner. Cyberterrorism has become a phenomenon that crosses borders and sovereignties, and by offering profit to those who take part in it, it has become a threat to sovereign states and companies, and to their assets and wealth.

Organizations, whether public or private, must make decisions based on accurate, available and accessible information, knowledge and data. With the digital transformation, information no longer lives only on physical or paper media or punched cards, but also or mainly on computer systems, whether on the organization's own computers or in hybrid solutions with data and information hosted or stored in the cloud (cloud computing), in databases fed by the resources available in the organization:

- Primary sources: information and intelligence generated or developed by the organization's employees and technical resources, e.g. barcode readers.

- Secondary sources: data and reports prepared and provided by external third parties such as logistics or marketing providers, whether from human sources (consultants) or technical sources (sensors or cameras, #IoT).

This new paradigm forces us to establish security protocols to safeguard the integrity and resilience of data, information and knowledge, and of the infrastructure that hosts, manages and stores all of it.

Drawing a parallel with physical security, some similarities come to mind between security in cyberspace (cybersecurity) and security at an airport and its facilities, where different security perimeters are established. For each perimeter, passengers, their luggage, airport employees and suppliers are subjected to a protocol and/or a specific procedure for each scenario, to safeguard the security, integrity and resilience of the airport infrastructure, as well as to protect citizens and ensure they can use the airport transport service with the maximum guarantees of safety and security. I cite this example as a physical scenario in order to establish a parallel logical scenario in cyberspace.

First of all, to guarantee access to the airport for passengers, suppliers, workers and carriers (taxis, buses, etc.), the protocol is more lax for reaching the parking lot, the passenger area, the metro or train station or the taxi drop-off area. Human security systems before the filter, together with technical means (private security, police, cameras, counter-surveillance, barriers, etc.), aim to offer a first level of security on arrival for everyone. However, non-travellers may not pass the next security filter, with arches and security ensured by private companies and law enforcement staff, without a valid boarding pass. Crews and workers in the internal transit areas of the airport may not access or cross this second perimeter either without the mandatory authorization, issued by the notified body authorized for this purpose and under pre-established regulation; nor may suppliers of products and services transit through the areas past the security controls without proper authorization for drivers, materials and vehicles. Finally, passengers must identify themselves: at passport control when entering from outside the Schengen area and when leaving it, or through a valid boarding pass, which confirms to the airline that the identity data of the person travelling correspond to the person on the boarding pass. And, according to the TV shows about borders and customs, the databases of those travelling are reconciled in parallel with those of the police and/or justice to confirm that nobody is evading justice or tax payments, or has a pending file for illegal immigration due to lack of authorization (visas or passports, etc.); at least that is the conclusion I draw from watching television programs and series dedicated to this subject.

To reinforce this with greater technical and human redundancy where possible, the items carried by all passengers, such as hand luggage or the luggage checked in before boarding, are subject to controls before and at the security checkpoint:

- A security arch filter that rules out that travellers, suppliers, workers or crews carry weapons or substances not allowed in the cabin, which could pose a risk and/or a threat to other travellers and/or to the infrastructure itself.

- Both hand and checked luggage are scanned by equipment intended for this purpose, with random stratified sampling using a spectrum chromatograph device to identify any residue that serves as an alert in both cases, and/or are subjected for example to canine control depending on destination or origin, to locate illicit substances (explosives, weapons, drugs, money, etc.) or items not allowed (food, fauna or flora, or cash beyond what is legally permitted, etc.), and to guarantee that the airspace or the take-off and landing area is not invaded by people, animals or other unforeseen elements.

- Surveillance cameras controlling the behavior of all users of the facilities and the abandonment of luggage or suitcases, both as a deterrent and for subsequent investigations.

- Law enforcement staff patrolling the different perimeters with the same purpose of surveillance or counter-surveillance (identifying subjects who may be probing for vulnerabilities for subsequent exploitation for criminal purposes).

All the redundant protocols and procedures put in place for each case and scenario (preventive or corrective action in the event of contingencies) pursue one purpose: to offer guarantees of safety and protection for citizens and resilience of the infrastructure in case of contingencies, without harming the flow of passengers, suitcases and goods. Private companies manage the cameras and other passive elements, private companies control access at the different perimeter levels, and law enforcement and Customs are enabled for the task of controlling goods and people at the different levels of preventive or corrective action.

From the previous paragraphs I want to extract the simile for the logical and physical infrastructure of cyberspace. By logical I mean all the programs, software, routines or algorithms that intervene in its operation: computer programs, commands, routines/algorithms, relational databases and access protocols. By physical I mean everything from the UPS (the SAI, the energy back-up element) to the last processor, semiconductor or input/output peripheral in the terminals that make up the network of that infrastructure (sensors included), and the network itself (routers, modems, switches, cables, etc.). From the physical security example, the first parallel is the resilience of the infrastructure, firewall and energy systems included. Here it is important to define, program and parameterize all the physical elements and protocols that safeguard the infrastructure from attacks that may be physical: for example temperature or volumetric sensors or photoelectric cells against smoke, flood or fire in data centers, as well as physical control systems for the energy flow with sufficient technical and human redundancies (e.g. security personnel in data centers doing patrols and rounds), with alarms and alerts at different levels. On the other hand, the logical infrastructure must be protected by defining the access protocols and the competences/privileges/credentials of users according to their job description and the tasks they carry out. For example, a sales representative should not be able to create users in the organization's domain, nor access supplier or citizen databases, without the relevant authorization; every access and modification should leave a trace for subsequent forensic or expert analysis in case of contingencies; and any access should take place by virtue of and in compliance with the law and regulations in force and the business protocols implemented.

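
The least-privilege and audit-trail requirements described above (a sales role that cannot create domain users or read supplier databases without authorization, and every access leaving a trace) can be expressed in code. The following is an added example written for this page, not code from the original post: roles are denied by default, an exception needs an approver role that itself holds the permission, and every decision, allowed or denied, goes into a hash-chained log so that a deleted or edited entry is detectable later. The roles, permissions, users and log format are constructed assumptions.

```python
"""Role-based access control with an append-only, hash-chained audit trail.

Added example (not from the original post). Roles, permissions, users and
the log format below are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed permission matrix: each role lists only what its job requires.
ROLE_PERMISSIONS = {
    "sales": {"crm:read", "crm:write"},
    "procurement": {"crm:read", "suppliers_db:read"},
    "domain_admin": {"users:create", "users:delete"},
    "dpo": {"citizens_db:read", "audit:read"},
}

GENESIS = "0" * 64


class AuditLog:
    """Append-only log; each entry carries the hash of the previous one, so
    removing or editing an entry breaks the chain and is detectable."""

    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS

    def record(self, user, role, action, resource, allowed, reason):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "resource": resource, "allowed": allowed, "reason": reason,
            "prev": self._prev_hash,
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self.entries.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    def verify(self):
        """Recompute the whole chain; True only if nothing was altered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def authorize(log, user, role, action, resource, approver_role=None):
    """Deny by default. Allow only if the user's role holds the permission,
    or if an approver whose own role holds it delegates it (a real system
    would verify a signed approval here; this is an assumption). Every
    decision is logged so forensics can reconstruct what happened."""
    perm = f"{resource}:{action}"
    if perm in ROLE_PERMISSIONS.get(role, set()):
        allowed, reason = True, "role permission"
    elif approver_role and perm in ROLE_PERMISSIONS.get(approver_role, set()):
        allowed, reason = True, f"delegated by role {approver_role}"
    else:
        allowed, reason = False, "denied: no permission for role"
    log.record(user, role, action, resource, allowed, reason)
    return allowed


def demo():
    """Constructed scenario: a sales user, a domain admin, one delegation."""
    log = AuditLog()
    results = {
        "sales_reads_crm": authorize(log, "alice", "sales", "read", "crm"),
        "sales_creates_user": authorize(log, "alice", "sales", "create", "users"),
        "sales_reads_suppliers": authorize(log, "alice", "sales", "read", "suppliers_db"),
        "sales_reads_suppliers_approved": authorize(
            log, "alice", "sales", "read", "suppliers_db", approver_role="procurement"),
        "admin_creates_user": authorize(log, "bob", "domain_admin", "create", "users"),
    }
    return results, log


if __name__ == "__main__":
    res, audit = demo()
    for name, ok in res.items():
        print(f"{name:32s} {'ALLOWED' if ok else 'DENIED'}")
    print("audit chain intact:", audit.verify())
```

The log records denials as well as grants: a denied attempt by a sales account to create domain users is exactly the kind of trace a later investigation needs, and the chained hashes let the investigator show the log was not trimmed afterwards.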
Also in the use cases of management systems such as CRM or ERP, or knowledge transfer and management (shared resources, database relationships, etc.), or other analogues in the private sector or public administration, the implementation of tools that ensure the continuity of the business or service must be guaranteed, safeguarding tangible and intangible assets, either by storing information redundantly (back-up in the cloud, hybrid cloud or own hosts/servers) and by allowing access to services and availability of tools for the users the organization enables for that purpose in each scenario, both internal and external. In addition, protocols must be established for contingencies, to safeguard the physical and logical infrastructure and the tangible and intangible assets, and to restart under secure conditions while gathering the maximum of data and information for subsequent IT forensics and expert analysis, with a view to evaluating and improving the protocols and procedures. That evidence also serves the action of justice in identifying and prosecuting the individuals or organizations that have allegedly taken part in an action that has violated or impaired cyberspace. Here it is worth mentioning that the crime will be public or private depending on the legislation and the scope of the attack in terms of damages; in each case justice may act at the request of the injured private party, or ex officio under the proceedings of the police or the judicial bodies authorized for this, or in aid of the Public Prosecutor's Office or the investigating judge, according to what our legal system dictates in each scenario (the LEC and criminal law, I understand, among others). Not being a lawyer, I think this requires a multidisciplinary approach with the intervention of jurists in addition to other profiles, since it is not limited to the purely technical field.

Ethical hackers and cyber agents employed by public administrations or companies may carry out intrusive, passive, prospective and retrospective tactics to study past threats and assess potential future ones, and to anticipate action scenarios through iterations and ad hoc or customized tools, in the same way that, at the physical perimeter controls, security was carried out with surveillance and counter-surveillance by human personnel patrolling, or through tools such as arches, X-ray scanners, spectrum chromatographs or cameras, etc.

To allow humans to interact with information while enabling and ensuring production, protocols must be established based on the profile of each user, so as not to block or undermine business productivity, allowing a safe flow of information for consumption and transformation that provides value to and within the organization.

In summary, in my opinion, the flow of data and information to the users who need it to produce and generate assets, value or intelligence must be guaranteed. This matters within organizations so that the departments involved make decisions based on reliable and accurate elements, whether extracted from an ERP (for example economic and financial planning or inventories) or from a CRM (for example for commercial activity and marketing), thus ensuring the functioning of the organization and all its departments and guaranteeing the continuity of the business or process, or the survival of the organization. As in the case of airport security, security protocols and procedures must be defined and parameterized not only to ensure and protect, but also with a view to guaranteeing the proper functioning of the infrastructure for the purpose for which it was conceived, allowing a correct flow of passengers, goods, personnel, luggage, crew, etc. Watertightness may be detrimental to business productivity and must be assessed on a case-by-case basis.

With digital transformation in all sectors and with Industry 4.0 taking giant steps, cyber intelligence and cybersecurity have become indispensable pillars, because of their implications for the intelligence that may be obtained in the value chain and for the competitive advantage of states and organizations. With the arrival of IoT (Internet of Things) and delegated computing (cloud or hybrid cloud), information can be collected with sensors of a wide range, spectrum and variety (movement, weight, humidity, temperature, pressure, radiation, volume, photoelectric, etc.), providing many redundancies that require storage that grows exponentially into data lakes. This requires data science as a discipline for the automated processing and exploitation of these results, for analysis and to add value to the value chain (the redundancy is intended), allowing decision-making that is as accurate as possible and providing certainty to decision-makers, whether human, or automated when the decision is based on the result of metrics already predefined and preprogrammed in an ecosystem. As all of the above are potential intangible assets, cybersecurity becomes relevant because of the importance of safeguarding, protecting and guaranteeing the resilience of the infrastructure on which cyberspace, or the logical space, depends: the one on which Industry 4.0 is based, for example, or digital transformation in its broad definition in sensitive and strategic sectors such as banking, energy, utilities or the supply chain of perishables for densely populated urban centers, etc.

Last but not least, let us not forget that the weakest link identified to date in the digital value chain is the human factor. For this, it is not only a matter of establishing stricter access requirements (making the work more arduous) or firewalls, but also of pedagogy on the importance of cybersecurity and cyber intelligence for the organization, society and citizens, with all the stakeholders/participants involved. It is a work of evangelization so that the human factor acts with awareness and involvement, so as not to compromise logical resources, and reports any suspicious vulnerability identified to the organizational hierarchy or the institution involved. Reviewing the most recent press archives, it can be intuited that the alleged cybercriminals do not articulate their strategy around computing only; a not inconsiderable resource on which they structure their strategy and tactics is social engineering, to identify subjects who can serve, with or without their knowledge, as Trojan horses so that attacks can be orchestrated successfully. Hence the human factor is important in protection. Everything depends on establishing good-practice guides accepted and adopted by all participants/users. And in the transition from analog to digital, the human remains an essential and inescapable link in the entire value chain of the digital ecosystem, whether in cyberspace or in a management environment in the public or private sphere. Let us bear in mind that cyber defense and cybersecurity are strongly pegged to cyber intelligence and counterintelligence in cyberspace, and therefore, before undertaking strategies that may be sterile, the matter must be addressed holistically in my opinion, articulating it around generating added value rather than just being motivated by fear.

And where cyber defense or security does not reach, corporate liability insurance should be able to reach, for organizations and for the individuals that form them, to protect their assets, employees and shareholders against the claims of injured parties, whether legal or natural persons, private or public organizations.

Incibe (Spain) makes recommendations in this regard, which I believe should be incorporated into the "Corporate Compliance" policy within the holistic strategy of cyber intelligence and cyber defense/security: https://www.incibe.es/protege-tu-empresa/catalogo-de-ciberseguridad/listado-soluciones/consultoria-y-seguros-prevencion

In my humble opinion, open source and encryption tools are the backbone of a holistic cyber intelligence and counter-intelligence strategy. We have numerous applications and business and management tools for all sectors of the economy; however, in strategic sectors the usual solutions pose risks, to list a few: Intel, Huawei, Microsoft, SAP, Oracle, Crypto AG, etc. The risk lies in the vulnerabilities that may arise from the fact that they hold a market share that is generally not insignificant, and the subjects or organizations allegedly dedicated to cyberterrorism, or to crime for profit or at the service of a hostile state, may exploit these vulnerabilities to penetrate the technological infrastructures of companies and institutions. At the end of the day it is a matter of cost-benefit ratio, since it is more profitable to identify and exploit back doors in widely used tools than in those that do not have so many customers and have a residual presence. At this point, I believe that open source applications are an advantage over standard ones, since they allow the owner to audit and know the entire ecosystem and not depend on third parties outside the organization (suppliers and consultants). I also believe that in terms of security they offer managers greater room for maneuver to establish encryption systems, without forgetting that the risk of back doors and/or vulnerabilities allegedly installed intentionally by interested parties outside the service is reduced or disappears. And now, with the war in Ukraine, we see other risks, as some of the GAFAM are forced to leave Russia or to interrupt the service provided, even under paid licenses, to comply with the sanctions imposed on Russia by the West.

If an organization is not able to properly integrate an information system, it will not be able to collect information or know its list of products and services, for example, nor extract sales reports by customer, by range or by sector, nor make decisions based on objective metrics, the famous key performance indicators (#KPI). Integration is the main axis, since without correct integration you will not get the required precision or accuracy. Therefore, without data accuracy, how is it possible to obtain reliable process automation? I understand that process automation is not possible with spurious and biased data.

One example I would like to take is that of the intelligence community, since, like any organization, it generates events to be recorded for management purposes; over time those events generate data to be stored, which results in data lakes that require a lot of computing to be processed and transformed into information, and later into valuable and relevant intelligence for decision making.

On the ground, human assets are key to generating HUMINT; on the other hand, technical assets can generate IMINT, SIGINT, DATINT and others: data and information that become valuable only through processing, analysis and transformation into intelligence, placed in context for decision makers. Cloud computing is a tool that empowers stakeholders, not only for the storage of event data and intelligence information but also for further processing: for example, software tools that run remotely and asynchronously to track patterns across all the generated data lakes, trying to identify correlations between events, IMINT, HUMINT, DATINT, etc. Taxonomy and folksonomy can also be used to structure storage and support processing.

The intelligence community uses primary and secondary sources to generate the data and information that will be processed and potentially exploited in order to produce intelligence, enabling accurate decision making; sometimes from human sources and sometimes from more technical ones (#IMINT #SIGINT #HUMINT #DATINT #IoT #Sensors, etc.), with resources shared with strategic partners from the public or private sector, and sometimes in joint operations with a wide diversity of stakeholders/participants. All this generates events and data, sometimes in a structured way that makes it possible to build databases, but increasingly in an unstructured way; this data is still relevant, and folksonomy and taxonomy must be used to process and exploit what is stored and what is generated in real time for the potential generation of intelligence. In a panorama like the one described, where collaboration is remote and asynchronous and a huge amount of information and data is stored, to which is added what is generated in real time, thus creating an ocean more than a data lake, it becomes more imperative to guarantee operation and to have storage tools that ensure integrity, accessibility and availability. Here I believe that the cloud may be a tool of high added value for the entire intelligence community, and that is why I understand it to be natural that British and American intelligence decided to tender and award succulent contracts in this regard to cloud computing providers (Azure, Google, AWS, etc.) that allow the availability of and access to logical resources, remotely from any geography, through redundant and asynchronous services at the moment the operation requires it.

As previously mentioned, the intelligence community's commitment to cloud solutions was foreseeable and natural, since it makes it easier to search for correlations and patterns across the huge amount of information and data in the seas or lakes of data generated, whether structured or unstructured, and enables the generation of more precise and accurate intelligence, with shared resources that are advantageous for the taxpayer, using the available solutions (IaaS, SaaS, PaaS, etc.). It is true that doubts arise around security and integrity, and for this I refer to Infosec techniques; in fact I believe that cybersecurity and intelligence gain even more prominence in this panorama, the NIST Cybersecurity Framework being an ideal guide for such an ecosystem, which demands the on-demand availability of computing resources. It is therefore about sharing resources to exploit economies of scale by adopting a pay-as-you-go business model, which allows CapEx savings by converting most computing-related costs into OpEx, drastically reducing the cost of entry for most users and, incidentally, the bill for the taxpayer.

The existence of an ecosystem with great diversity of agencies and institutions of domestic and international intelligence, military and civilian, public, private or public-private, forces further investigation into dynamic rather than static forms of collaboration, allowing access to intelligence generated remotely and asynchronously, in order to optimize the decision-making cycle and provide certainty in the allocation of resources, adding value to the value chain, fulfilling the mission of the agencies and institutions, and ensuring the business continuity and cyber security of the country's strategic and critical infrastructures, so necessary for the citizen/taxpayer.

Social engineering in cybersecurity: a constant threat

Social engineering is a technique that cybercriminals use to manipulate people and obtain confidential information. Instead of exploiting technical vulnerabilities, they take advantage of the social nature of humans.

How does it work?

* Phishing: They send fake emails or messages pretending to be trusted entities so that you reveal passwords or personal data.

* Pretexting: They make up convincing stories to obtain information, such as pretending to be an employee of a company.

* Baiting: They offer something attractive (free downloads, prizes) so that you click on malicious links.

* Quid pro quo: They offer a favor in exchange for information.

Why is it dangerous?

* It bypasses technical security measures: Firewalls and antivirus are useless against social attacks.

* It is highly effective: People tend to trust others and can be easily manipulated.

* Serious consequences: It can lead to financial loss, identity theft, and reputational damage.

How to protect yourself:

* Be wary of unsolicited messages: Verify the sender's identity before clicking on links or opening attachments.

* Never reveal personal information over the phone or in email: Legitimate companies will not ask you for passwords through these means.

* Use strong and unique passwords: Avoid obvious passwords and change them regularly.

* Stay informed: Learn about the latest scams and social engineering techniques.

In short, social engineering is a constant threat in the digital world. By being alert and following good security practices, you can protect yourself and your organization.

Want to learn more about a specific topic related to social engineering?

* Types of attacks: Baiting, quid pro quo, etc.

* Real-life examples: Mass phishing, targeted attacks.

* Tools to detect attacks: Link analysis, domain verification.
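
Of the detection tools listed above, link analysis and domain verification are the ones a defender can script. The following is an added example, not part of the original post: it parses a constructed HTML message, extracts every link, and flags the classic phishing signs (visible text that names one domain while the link goes to another, a trusted name buried inside an untrusted host, look-alike or punycode domains, raw IP hosts and credentials hidden before an @ in the URL). The trusted-domain list, the sample message and the two-label "registrable domain" heuristic are assumptions made for the example; production code would use the Public Suffix List.

```python
"""Link analysis and domain verification for a suspected phishing message.

Added example, not part of the original post. The HTML message, the trusted
domain list and the heuristics below are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: domains the organization legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels. Assumption for the
    example; real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to spot typosquatted look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_link(href, text):
    """Return a list of findings for one link; an empty list means clean."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        findings.append(f"unusual scheme {parts.scheme!r}")
    if parts.username:
        findings.append("credentials/@ in URL hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address as host")
    except ValueError:
        pass
    if "xn--" in host:
        findings.append("punycode (IDN) host, possible homograph")
    dom = registrable(host)
    if dom not in TRUSTED_DOMAINS:
        for t in sorted(TRUSTED_DOMAINS):
            if 0 < levenshtein(dom, t) <= 2:
                findings.append(f"look-alike of trusted domain {t}")
            if t in host:
                findings.append(f"trusted name {t} embedded in untrusted host {host}")
    # Visible text that names a domain different from the real destination.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != dom:
        findings.append(f"display text says {m.group(1)} but link goes to {host}")
    return findings


def analyze_message(html):
    """Map each href in the message to its findings."""
    ex = LinkExtractor()
    ex.feed(html)
    return {href: analyze_link(href, text) for href, text in ex.links}


# Constructed sample message with one trusted link and two suspicious ones.
SAMPLE_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://example-bank.com.login-verify.net/session">https://example-bank.com/login</a>
<a href="https://exarnple-bank.com/reset">Reset password</a>
<a href="https://example-bank.com/help">Help center</a>
"""

if __name__ == "__main__":
    for link, found in analyze_message(SAMPLE_HTML).items():
        print(link, "->", found or "clean")
```

Each finding is a reason a human can act on, which matters for awareness training: showing a user that the text said one domain and the link went to another teaches more than a bare "blocked" verdict.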

Pegasus and Social Engineering: A Dangerous Combination

Pegasus is a highly sophisticated spyware capable of infiltrating mobile devices and extracting a vast amount of private data. To achieve this, it masterfully leverages social engineering techniques.

How does it work?

* Personalized Messages: Attackers send text messages or emails that look legitimate and personalized. These messages often include links or attachments that, when opened, infect the device.

* Urgency and Scarcity: They create a sense of urgency or scarcity to pressure the victim into acting quickly. For example, they might claim that there is a problem with their bank account and that they must click on a link to fix it.

* Authority: They impersonate authority figures, such as government officials or representatives of well-known companies, to gain the victim's trust.

* Curiosity: They arouse the victim's curiosity with attractive but misleading content, such as fake news or irresistible offers.

Specific examples:

* Disguise: Messages can appear to come from well-known instant messaging services or news apps.

* Current Topics: Attackers take advantage of current events or relevant news to create more convincing messages.

* Vulnerability Exploitation: They identify specific vulnerabilities in certain devices or operating systems to facilitate infection.

Why is it so effective?

* Personalization: Messages are tailored to each victim, which increases the likelihood that they will be opened.

* Urgency: The sense of urgency pushes people to make impulsive decisions without thinking about the consequences.

* Trust: People tend to trust authority figures or sources they consider trustworthy.

Protection against Pegasus attacks:

* Be wary of unsolicited messages: Verify the identity of the sender before clicking on links or opening attachments.

* Don't give out personal information over the phone or email: Legitimate companies won't ask you for passwords over these means.

* Use strong and unique passwords: Avoid obvious passwords and change them regularly.

* Stay updated: Install the latest software updates on your device.

* Use security apps: A good antivirus can help you detect and block malware.

In short, Pegasus is a powerful tool that exploits human nature to infiltrate our devices. By knowing the social engineering tactics used by attackers, we can protect ourselves more effectively.

The NIS Directive (Network and Information Systems Directive) is a European Union law aimed at enhancing cybersecurity across the EU. It sets out minimum standards for cybersecurity risk management, incident reporting, and cooperation between EU member states.

The NIS Directive has several consequences for the EU corporate ecosystem:

* Increased cybersecurity requirements: Companies in sectors considered critical infrastructure, such as energy, transport, and finance, must comply with stricter cybersecurity standards. This includes conducting risk assessments, implementing security measures, and reporting incidents to authorities.

* Higher costs: Implementing cybersecurity measures can be expensive, particularly for smaller companies. This could lead to increased operational costs and potentially reduce profitability.

* Increased complexity: Complying with the NIS Directive can be complex, requiring companies to understand and implement a range of security measures. This could place a burden on IT departments and other relevant functions.

* Improved cybersecurity: By raising the bar for cybersecurity across the EU, the NIS Directive can help to protect critical infrastructure and reduce the risk of cyberattacks. This can benefit both businesses and consumers.

Overall, the NIS Directive represents a significant step forward in EU cybersecurity. While it imposes additional costs and burdens on businesses, it can also help to create a more secure and resilient digital environment.

Everything mentioned has been elaborated from my professional and academic experience and from reading material in open academic sources or others on the internet, mainly Wikipedia, Google Scholar and the Google search engine with Boolean operator restrictions, #Gemini #AI, without forgetting the intrigue series and movies that I so enjoy watching.
