Here are some useful data visualisation sites detailing the impact of Covid-19 in different geographies, scenarios and contexts. Some are more useful than others in aiding the understanding of risk:
The Royal Society | David Spiegelhalter Communicating statistics in the time of Covid
In an excellent talk (link at the bottom), David Spiegelhalter points out that to build trust, communications must be transparent, and that:
Data must be accessible – you must be able to get at the data.
Comprehensible – complete and understandable
Usable – it must answer the concerns it was generated for
Assessable – can you check the working out? What claims are made?
Today I was privileged to give a talk at the excellent DST-UKIERI VIRTUAL WORKSHOP ON ADVERSARIAL CYBER SECURITY. Due to Covid-19 the event was virtual. It was a collaboration between UKIERI, the Indian Institute of Technology Mandi, the Department of Science & Technology, London Metropolitan University, C-MRiC, the British Council, Carnegie Mellon University and others.
My talk was entitled “Enhancing Cyber Security Using Audio Techniques” and described my research into a new authentication model using audio steganography.
A super useful resource outlining a new Cyber Recovery Operational Framework was also presented. It puts the focus on cyber recovery activities, as opposed to the majority of guidance frameworks, which are aimed at protection, detection and response: https://cyberframework.c-mric.com
Here’s some of the cool stuff I captured on a CCSP boot camp in December 2019.
First up is a list of books, websites, and videos recommended by our instructor:
The Art of Profiling: Reading People Right the First Time by Dan Korem (hardcover, 1 Jul 2012)
A recommendation for red teaming. The book details a system for rapid-fire profiling of people after just a few minutes of interaction. Used by the USAF for gaining confidence and entry to sites, etc.
CSA Security Trust Assurance and Risk (STAR)
A site to find out about the major cloud service providers' audits and assurance. The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonisation of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.
Useful security configuration guides from the Defense Information Systems Agency (DISA), called the Security Technical Implementation Guides (STIGs): 500+ guides covering all major platforms and systems.
Like the Plan / Do / Check / Act (PDCA) cycle of the Deming model, the OODA Loop (Observe, Orient, Decide, Act) is an iterative decision cycle; it was developed by USAF Colonel John Boyd and is often compared to PDCA. https://en.wikipedia.org/wiki/OODA_loop
It can be applied in a cyber context, for example to the detection and response cycle.
Scientists Extract RSA Key from GnuPG Using Sound of CPU
Keys can now be extracted from a running CPU using nothing more than a microphone:
“In their research paper titled RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, Daniel Genkin, Adi Shamir and Eran Tromer et al. present a method for extracting decryption keys from the GnuPG security suite using an interesting side-channel attack. By analysing the acoustic sound made by the CPU they were able to extract a 4096-bit RSA key in about an hour (PDF). A modern mobile phone placed next to the computer is sufficient to carry out the attack, but up to four meters have been successfully tested using specially designed microphones.”
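The attack works because the CPU's physical behaviour depends on the secret data it is processing. The simplest form of that dependency, as an added illustration that is not the paper's attack and not GnuPG's code, is shown below: a textbook square-and-multiply RSA decryption whose sequence of squarings and multiplications follows the private exponent bit by bit. The "trace" list stands in for whatever physical signal (sound, power, timing) lets an observer distinguish the two operations; the toy key p=61, q=53, n=3233, e=17, d=2753 and the ciphertext 2790 are constructed textbook values. The Montgomery ladder alongside it performs a fixed operation pattern per bit, so the same observer learns nothing from the sequence. Note that Genkin, Shamir and Tromer's acoustic attack exploits subtler, chosen-ciphertext-driven leakage than this, which is why the standard countermeasures combine constant-operation code with randomisation (blinding) of the values being operated on.

```python
# Added example: simulated operation-sequence side channel on RSA decryption.
# Not the acoustic attack from the paper; it models the simplest leak, where an
# observer can tell a squaring ("S") from a multiplication ("M").

# Constructed toy RSA key (textbook values): p=61, q=53, n=3233, e=17, d=2753.
N, E, D = 3233, 17, 2753


def modexp_square_multiply(base: int, exp: int, mod: int, trace: list) -> int:
    """Left-to-right square-and-multiply. Appends one 'S' per squaring and one
    'M' per multiplication; the 'M' only happens for exponent bits that are 1."""
    result = 1
    for bit in bin(exp)[2:]:          # MSB first
        result = result * result % mod
        trace.append("S")
        if bit == "1":                # key-dependent branch: this is the leak
            result = result * base % mod
            trace.append("M")
    return result


def modexp_ladder(base: int, exp: int, mod: int, trace: list) -> int:
    """Montgomery ladder: exactly one squaring and one multiplication per bit
    whatever its value, so the operation sequence carries no key bits.
    (Operand selection could still leak through other channels; this only
    closes the sequence leak.)"""
    r0, r1 = 1, base % mod            # invariant: r1 == r0 * base (mod n)
    for bit in bin(exp)[2:]:
        if bit == "0":
            r0, r1 = r0 * r0 % mod, r0 * r1 % mod
        else:
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        trace.extend(["S", "M"])      # fixed pattern every iteration
    return r0


def recover_exponent(trace: list) -> int:
    """Attacker side: every 'S' starts a new exponent bit; an 'M' directly
    after it means that bit was 1, otherwise it was 0."""
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("unexpected operation in trace")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def demo(ciphertext: int = 2790) -> dict:
    """Decrypt with both implementations and try to recover d from each trace."""
    leaky_trace, ladder_trace = [], []
    m1 = modexp_square_multiply(ciphertext, D, N, leaky_trace)
    m2 = modexp_ladder(ciphertext, D, N, ladder_trace)
    return {
        "plaintext": m1,                                   # 65 for the toy key
        "plaintexts_agree": m1 == m2,
        "recovered_from_square_multiply": recover_exponent(leaky_trace),
        "recovered_from_ladder": recover_exponent(ladder_trace),
    }


if __name__ == "__main__":
    print(demo())
```

Running it, the square-and-multiply trace gives back d = 2753 exactly, while the ladder trace decodes to an all-ones value that says nothing about the key. Real implementations also blind the ciphertext (multiply by r^e for a random r before decryption and divide out r afterwards) so that even data-dependent multiplier behaviour is not correlated with the attacker's chosen input.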
Following a discussion about cloud hosting in the ocean, the discussion turned to what happens to data protection and privacy in space. It turns out it's already been thought about:
The goal of the OWASP Top 10 Proactive Controls project (OPC) is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of.
The list is ordered by importance, with item 1 being the most important:
Funny and, as usual, vitriolic content about de-perimeterisation. Basically the Jericho Forum's anger brought up to date for the cloud and zero trust age:
Some useful content.
Privacy-first – DNS service
1.1.1.1 is a free Domain Name System (DNS) resolver, run by Cloudflare, that is intended to protect privacy: besides plain DNS it supports DNS over HTTPS (DoH) and DNS over TLS (DoT), so queries are not sent in cleartext over the network, and Cloudflare publishes a limited-logging policy. There is also a mobile app. The resolver itself still sees every query, so the privacy gain is against on-path observers, not against the resolver operator.
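To make the "privacy" mechanism concrete, here is an added example, not Cloudflare's code, that builds the wire-format DNS query a DoH client would send to 1.1.1.1 as an RFC 8484 GET request and parses a constructed response of the kind the resolver returns inside the HTTPS body. The endpoint URL https://cloudflare-dns.com/dns-query is Cloudflare's documented DoH endpoint; the sample response (one A record for example.com with TTL 300) is constructed inline so the code runs offline. What an on-path observer sees is a TLS connection to the resolver; the query name lives only inside the encrypted request.

```python
import base64
import struct

# Added example: RFC 8484 DoH GET request construction and response parsing.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # Cloudflare's DoH endpoint


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query (RFC 1035). ID 0 with only RD set, as RFC 8484
    recommends for GET so identical queries are cacheable by intermediaries."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query: bytes) -> str:
    """GET form: the query goes base64url-encoded, without padding, in 'dns='."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={dns}"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, which may end in a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes) -> list:
    """Return [(ipv4, ttl), ...] from the answer section of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            records.append((".".join(str(b) for b in rdata), ttl))
    return records


# Constructed sample response, as returned in the HTTPS body with
# Content-Type: application/dns-message. The address is a made-up sample.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 question, 1 answer
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c"                                    # name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)             # type A, class IN, TTL, RDLENGTH
    + bytes([93, 184, 216, 34])
)


if __name__ == "__main__":
    print(doh_get_url(build_dns_query("example.com")))
    print(parse_a_records(SAMPLE_RESPONSE))
```

To send the request for real, issue an HTTPS GET to the printed URL with an `Accept: application/dns-message` header and pass the response body to `parse_a_records`; the same query bytes can also be POSTed as the body with `Content-Type: application/dns-message`.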
Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro (now Zeek), Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes.
Kibana is an open source data visualization dashboard for Elasticsearch. It provides visualization capabilities on top of the content indexed on an Elasticsearch cluster.
Gray Hat Hacking: The Ethical Hacker’s Handbook, Fifth Edition
The group remembered the contribution of Shon Harris and, apart from her CISSP book, the following book was recommended:
Gray Hat Hacking: The Ethical Hacker’s Handbook, Fifth Edition explains the enemy’s current weapons, skills, and tactics and offers field-tested remedies, case studies, and ready-to-try testing labs.
The Cathedral & the Bazaar
This book on open source software is by Eric S. Raymond. An interesting point made: how can open source, with no central leadership, be better? Many eyes mean fewer faults (what Raymond calls Linus's Law: given enough eyeballs, all bugs are shallow).