ENIGMA machine in a display case. Photo by Mauro Sbicego on Unsplash

I was due to be going away this weekend so I had planned to delay publishing this until Monday; however due to a new national lockdown in the UK, I am no longer able to travel. The bright side is I have time to publish this at the weekend, small mercies.

Google’s Project Zero discloses a vulnerability in the Windows Kernel

October felt like a busy month for anyone dealing with Windows on their network, and was certainly a reminder that a Defence in Depth strategy is key. To round off the month, Google disclosed a zero-day vulnerability in the kernel Cryptographic Driver that was being exploited in the wild.

What was unusual about this disclosure was that it was only reported to Microsoft on October 22nd, meaning there was little more than a week before public disclosure. This would normally be a faux pas on the part of Google; however, given it was observed in the wild via a Chrome exploit, it makes sense to disclose it. Nevertheless, Microsoft are planning on patching this next week.

Plugging the CyberSecurity Skills Gap

The information and cyber security industry has a real problem with talent, and it only gets worse when you consider the need for the same skills in non-cyber security roles. The industry simply doesn’t have enough people graduating with relevant skills to sustain the growth in demand.

Fortunately this is recognised, and many organisations are leading the charge to reduce the skills gap and encourage more people, and greater diversity, into the industry as a whole.

Our very own National Cyber Security Centre in the UK has an entire programme to encourage 11–17 year olds to consider cyber security as a profession. NCSC take this a step further with a related programme focused on encouraging girls from Year 8 upwards to develop skills relevant to cyber security.

The work doesn’t stop with the UK, or even when students finish school. Talent management is about systems thinking, so creating world-class onboarding and continuous professional development programmes is key to recruiting and retaining professionals.

Continued Attacks on Healthcare Services

It shouldn’t be surprising to see that criminals gladly take advantage of Coronavirus. I would have hoped people would see the bigger picture here and consider the human cost of targeting healthcare services during a global pandemic — however I suspect there is an expectation that all a global pandemic means is a higher chance that someone will pay out.

It’s not all doom and gloom: NCSC have been supporting the NHS during this time, according to their annual report.

How a SOC Analyst handles a potentially malicious Office document

I’ve been enjoying the SANS InfoSec Handlers Diary of late; solid practical advice on how to respond to threats to your organisation. In this instalment Didier Stevens describes the use of his oledump tool to investigate a malicious document; for bonus points we find out how an anti-virus vendor “cleans” the file.

North Korea’s cyber offensive capability levels up

North Korea’s cyber offensive capability has grown steadily in the last couple of years; the US Department of Homeland Security has identified that they have recently upped their game with new attack and evasion tools, potentially giving them the upper hand against high-value US targets. I do wonder how long it will be before North Korea extends their sights beyond the US and we start running into attacks in the UK.

Another author goes on to say that it’s probably not just North Korea that is upping the ante.

Subsequently it emerged that attacks against defence workers were more clandestine than had originally been understood.

Attacks on Machine Learning on the rise

Microsoft and friends released their Adversarial Machine Learning Threat Matrix, which Dark Reading have broken down further. In a world where the quantity of data exceeds any reasonable human comprehension, we are turning to machine learning to manage this volume; however, with new technologies come new responsibilities, and it’s good to see Microsoft leading the charge.

Seth Adler makes the case for ‘actionable threat intelligence’

One of the hardest alerts to respond to is the confusing and unhelpful “something went wrong”. Actionability is essential in the alerting world, and threat intelligence is no different — actionable threat intelligence is at the core of MITRE’s ATT&CK framework, so this is where the industry is going.

Marketeering in the Information Security world

In 2014 it was pointed out that many new flaws, vulnerabilities and exploits had catchy names; rolling forward six years, this has become a bit of a problem, with every vulnerability having a catchy nickname, logo and brand — as it turns out, making it easy to market vulnerabilities creates a great deal of fear. We absolutely have a responsibility to protect and inform those we are charged with defending, but equally we need to defend them from undue psychological stress.

IoT on home networks poses a security threat to employers

With everyone working from home, there is concern that Internet of Things devices on home networks could represent a threat to the information security of corporate networks.

There is something to be said here for not relying on a “ring of steel” to protect your resources; there is a lot of value in not trusting any client regardless of its origin, and in protecting every asset following the principles of zero trust, as suggested by Google in their BeyondCorp paper.

GitHub’s source was not leaked (this time)

A site claimed this week that a copy of the GitHub source code had been leaked; it turns out that this time it was a fake, although GitHub did admit that the source code had accidentally been released to customers in the past.