Gulf Information Security Expo & Conference (GISEC 2019)

The Gulf Information Security Expo & Conference (GISEC) brings together over 6,000 top security professionals to discover cutting-edge solutions, share insights with industry experts and equip themselves with the right tools to protect their businesses from rapidly-evolving cyber attackers.

Supported by Smart Dubai, Dubai Police and the National Cyber Security Center KSA, GISEC is your opportunity to do business and share ideas with the world’s most important tech companies, government officials and private industries.

I was invited to go on stage and present at @GISECDUBAI at the #DarkStage, presenting on “CyberSecurity in Evolutionary Terms”.

#CyberDubai #GISEC #GISEC2019 #SmartDubai #SecurityMindset #ThoughtLeadership


See the GISEC 2019 - Post-show report can be found here

GISEC 2019 Speaker Profile: https://www.gisec.ae/conference-speakers/grigorios-fragkos

International Defence Conference, IDEX2019

The International Defence Exhibition & Conference, or IDEX, is a biennial Arms and Defence technology sales exhibition. The exhibition is the largest defence exhibition and conference in the Middle East and takes place in Abu Dhabi, United Arab Emirates.

As Cyber space is officially the 5th domain of operations, Cyber Defense is in everyone's agenda. 

This week I was at IDEX 2019, presenting & sharing expertise on how to tackle the challenge of ‘Measuring Cyber Security Maturity’ especially when it comes to protection entities that have a key role in the Critical National Infrastructure. 

Driving groundbreaking innovation in CyberSecurity required to be able to protect and defend the emerging new technologies and smart cities from evolving Cyber threats. 
#CNI #SmartCity #SmartDubai #CyberRisk #CyberDefense #CyberResilience #MENA #IDEX2019 @IDEX_UAE, Cyber Risk Exposure, #CyberDefense, #CyberResilience, #IDEX

ISSA UK meet on board the HQS Wellington

This week we had an amazing event with @issauk. The meet took place on-board the @HQSWellington #HQSWellington #InfoSec #CyberSecurity #CyberDefense #CyberDecence 

ISSA-UK, isthe UK Chapter of the ISSA. With active participation from individuals and chapters all over the world, the Information Systems Security Association (ISSA) is the largest international, not-for-profit association specifically for information security professionals. Having welcomed over 1,800 members since our beginnings in 2003, the ISSA-UK Chapter is the world’s most successful chapter. 

Cyber Europe 2018 by ENISA (EU Agency for Network and Information Security)

The EU Agency for Network and Information Security (ENISA) manages the programme of pan-European exercises known as Cyber Europe #CE2018. 

The Cyber Europe exercises are simulations of large-scale cybersecurity incidents that escalate to become Cyber crises. 

I am part of ENISA's approved NIS Experts*, where I have both designed and reviewed different Cyber incidents/exercises for the pan-European Cyber Europe exercise, I wanted to share with you the opportunity to get to know more about this very important bi-annual European initiative. This year is the 5th pan European Cyber crisis exercise.

The scenario

• Cyber Europe 2018 planners developed a scenario revolving around Aviation which can include, Civil Aviation Authorities, Air Navigation Service Providers (ANSPs), Airport Companies, Air Carriers, with potential impacts in other sector.
• The scenario will contain real life inspired technical incidents to analyse, from forensic and malware analysis, open source intelligence, and of course non-technical incidents.
• The incidents will build up into a crisis at all levels: local, organization, national, European. Business continuity plans and Crisis management procedures will be put at test

The exercise is organised for IT security, business continuity and crisis management teams coming from EU and EFTA Member States only.


More: https://www.enisa.europa.eu/topics/cyber-exercises/cyber-europe-programme 

*NOTE: The CEI List of Experts is a tool used solely for the purposes of assessing and identifying suitable external experts for a potential future contractual working relationship with ENISA. It is emphasised that inclusion in the list does NOT mean that you are considered to be an official representative of ENISA or in any way entitled to represent the Agency.

UK Minister for Digital on CyberSecurity..

Britain’s most critical industries are being warned to boost cyber security or face hefty fines, as the government acts to protect essential services from cyber attacks.

"We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services," said the current Minister for Digital, Margot James.

In August last year, it was mentioned by the former Minister of Digital Matt Hancock, that a new government directive is being considered, that will allow regulators to inspect the Cyber Security status of companies.
More specifically, it was said that companies in the Energy, Transport, Water and Health sectors, are expected to have "the most robust safeguards".

The Global Risks Landscape 2018

Towards the end of each year, we tend to come across several reports and white papers that discuss the cyber-threat predictions/concerns for the following year. However, I do believe that very few of these reports really attempt to dig deep when it comes to emerging Cyber related threats and really discuss future trends. 

I have had several discussions regarding the future of cyber risk exposure and how cyber risk assessments will start experiencing a significant shift in the following months. There is a bigger picture when it comes to cyber threats and cyber crime. It is not only how much a data breach or business disruption will cost, but at what scale it affects people's lives. This is the moment we need to take a step back and look at magnitude and implications. The main reasons why things should be expected to dramatically change in the Cyber front between 2018-2020, are briefly outlined below:

a) The General Data Protection Regulation (GDPR). GDPR has brought Information Security and Cyber Security into the boardroom as a discussion topic, "motivating" stakeholders to act upon the requirements before the regulation is finally in effect (25 May 2018). You should also consider that the disclosure of a breach needs to take place within 72 hours from the moment it was detected, the increased cost of responding to a data breach, and the fines imposed under GDPR.    

b) The number of Cyber attacks expected in 2018 and their impact, according to the Cyber Security Breaches Survey conducted for 2017. (FYI: The official Cyber Security Breaches Survey 2018 detailing business action on cyber security and the costs and impacts of cyber breaches and attacks will be publish in April 2018).

c) Now consider the domino effect when it comes to the scale and magnitude of the cyberattacks anticipated by 2020, in contrast with the current state of readiness of business entities and their dependencies across all industries. 

The recently published Global Risk Report by the World Economic Forum (www.weforum.org) has highlighted some very important facts regarding the risk perception for the year 2018. Cyberattacks are now perceived as a global risk of highest concern, especially to business leaders in advanced economies. Cyber is also viewed by the wider risk community as the risk most likely to intensify in 2018 according to the publish Global Risks Report. 

IRISSCON 2016 - 8th IRISSCERT Cyber Crime Conference

IRISSCON 2016 - The 8th #IRISSCERT Cyber Crime Conference
Ireland's first CERT (Computer Emergency Response Team)

This year, my talk was all about Cyber Resilience. The talk provided the opportunity to participants to familiarise and understand what the term really means, and why it should not be considered as another buzzword used in the industry.  

"Threats constantly evolve based on the way our defences counter-evolve, and this cycle is something that is going to happen no matter what. What matters the most, is in what way we act upon, and how our decisions need to be part of a bigger forward looking strategy that does not treat security in an ad-hoc manner, especially when it is too late"

Towards a Cyber Resilience strategy (Cyber Security Awareness Month – Oct 2016)

As most of you already know, October is Cyber Security awareness month. The aim of the Cyber Security awareness month is to raise awareness across the international community about cyber threats, discuss best practices, and educate the public and private sector, on how to stay safe online.

Cyber Security is promoted extensively during this month and many events are being organized with the sole purpose to engage and educate public and private sector entities, while provide them with the necessary tools and resource to stay safe when connected online. Given the opportunity let’s talk about the UK’s Cyber Security Clusters and how you could get to engage, participate, network and most importantly ask any questions that you currently have regarding your organizations cyber security posture and staying safe online.

Securing Online Gaming 2016

The challenge of continuous security are going to be discussed at this year's annual "Securing Online Gaming" in London, on the 4th October 2016. It is a great to be among such amazing speakers and have the opportunity to speak about the challenges of securing online gaming. 

I will be representing DeepRecce which already has a leading role in the market when it comes to its cyber security solutions and its under 15 minutes deployable managed SOC solution across any number of hosts. 

My talk will discuss Online Gaming towards Cyber Resilience, and more specifically it will focus on:

• Today's challenges & requirements towards security online gaming
• How attacks are evolving, and what should we expect
• Taking steps for an effective Cyber Resilience strategy

The event will take place near the St. Paul's Cathedral and The Barbican. This is directly opposite the Museum of London. Located at 200 Aldersgate etc.venues St Paul's is a state of the art conference centre with the largest room holding up to 400 along with a further 12 rooms for conference breakouts, training and meetings.

Invitation to the largest European Cyber Security Challenge

ENISA (European Union Agency for Network and Information Security) is organising the European Cyber Security Challenge 2016 - the largest European challenge for cyber security talent. The Challenge will be held in November in Dusseldorf, Germany - and the Greek National Cyber Security team will compete with other national teams in various security-related challenges, such as web security, mobile security, crypto puzzles, reverse engineering, forensics.

The Greek team will be assembled in a qualifying round - in which we'd like to invite you to participate!

The qualifier will be held on Saturday, July 9 at the Department of Digital Systems of the University of Piraeus. The challenges will be similar to the ones outlined above, and the top 10 participants will comprise the Greek team that will travel to Germany. In order to be eligible, contestants need to legally reside in the country, be aged between 14-30, not have a Master's or higher degree or any professional experience in the information security sector - and of course have some InfoSec skills! Both competitions will be held in English, so contestants need to have at least basic understanding of the English language.

The Greek team is organised by TwelveSec and the Department of Digital Systems of the University of Piraeus, and supported by other major Greek universities and organisations, such as Security BSides Athens.

All you need to do to get the chance to compete in the qualifier is to register in the official website of the Greek team http://ecsc.gr/

Registrations are closing this week (Friday, July 1), so hurry up and register!

Security BSides Athens 2016

It has been a while since my last blog-post and the main reason for that, was the numerous things I had to keep track for organising:

Security BSides Athens 2016 (www.bsidesath.gr) 

It has been a very busy year trying to organise this Security BSides event for the first time in Athens, Greece, with plenty of “hiccups” to overcome in the meantime. 

Once we had a team of people who were equally excited and passionate about this, we started working towards the event details.  

---

Given the opportunity, I would like to personally thank the team once again, all the volunteers who helped out on the day, the review committee who provided constructive feedback to all submissions, the speakers who travelled from all over the world to be there and present, and last but not least, all of YOU who attended the event. 

Special thanks goes to our sponsors, who trusted us on our promise to deliver this information security community based conference. We couldn't be able to bring this event to Athens, especially for the first time if it wasn’t for them, and for that we really appreciate their contribution and support.

Of course, such an event would not be able to exist without the community support we had from fellow conferences all over Europe, the Universities that promoted the conference, the Hellenic Army General Staff, and all the people how were involved and made this event a success story. 

We had some great feedback already and we are committed to tweak things according to the recommendations and suggestions we received in order to make the event next year even better. There is always room for improvement and for more people to get involved. 

Building a Security Operations Centre (SOC)

Building a Security Operations Centre (SOC) is undoubtedly the best move you can make towards protecting not only your organisation’s data, systems and services, but also any sensitive information about your clients that you handle or store. This article is a brief overview of the task of building a SOC, introducing not only the key elements but also how the challenges of increased security requirements and rapid response are addressed.

The process for building a SOC can be time consuming and it is directly related to the available budget. The best approach is to create a plan that allows for incremental phases of implementation. Starting with a gap analysis, you will be able to define and prioritise the milestones for incremental improvements by setting the appropriate expectations and timelines. To start with, take a look at the Centre for the Protection of National Infrastructure (CPNI) and more specifically the Top 20 Critical Security Controls guidance.

The incremental improvements need to take under consideration the collaboration and communication between people, technology, and processes. These are the three equally important components that define a SOC.

Decrypting RSA with Obsolete and Weakened eNcryption (DROWN)

An OpenSSL security hole enables Secure Sockets Layer (SSLv2), to be used to attack modern web sites. Even though this is a  an ancient, long deprecated security protocol, it is estimated to be able to "kill" at least one-third of all HTTPS servers (approx. 11.5 million servers). 

The attack is dubbed as DROWN based on the words: 

Decrypting RSA with Obsolete and Weakened eNcryption. 

Obsolete Microsoft Internet Information Services (IIS) versions 7 and earlier are vulnerable as well, and editions of Network Security Services (NSS), a common cryptographic library built into many server products prior to 2012's 3.13 version, are also open to attack. 

OpenSSL 1.0.2 users should upgrade to 1.0.2g. 
OpenSSL 1.0.1 users should upgrade to 1.0.1s. 

If you're using another version move up to 1.0.2g or 1.0.1s

OpenSSL 1.0.2g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

• http://www.openssl.org/source/
• ftp://ftp.openssl.org/source/

The flaw was identified by academics and the code for the attack has not yet been released. The main reason for this, is to allow people to patch their systems before the vulnerability starts being exploited. 

For further information on the issue, please visit the site: https://drownattack.com

Migration/Protection: https://drownattack.com/#mitigation
Instructions for Apache: https://drownattack.com/apache.html
Instructions for Postfix: https://drownattack.com/postfix.html
Instructions for Nginx: https://drownattack.com/nginx.html

There is also an offline scanner available on GitHub: 
https://github.com/nimia/public_drown_scanner

Critical vulnerability found in glibc

A critical vulnerability has been found in Glibc. The critical flaw affects nearly all Linux machines, as well as API web services and major web frameworks. Glibc is the GNU C library which was at the core of last year’s GHOST vulnerability. 

The flaw, CVE-2015-7547, effects all Linux servers and web frameworks such as Rails, PHP and Python, as well as Android apps running Glibc. The vulnerability was discovered by researchers at Google and Red Hat and a patch has been made available. Google has released further information on the issue in its advisory. 

It is strongly suggested to patch all effected systems immediately, as this vulnerability is considered critical and could be exploited for malicious reasons (allows remote code execution). More specifically, the vulnerability effects all versions of Glibc since version 2.9 and there are no temporary mitigations that can be implemented until Linux machines are patched. 

The "prediction" frenzy for 2016 in CyberSecurity and the Black Swan effect

The past few days, a number of articles have hit the web, which have as their main subject the attempt to predict emerging threats for 2016. Moreover, numerous webinars and discussion panels are being organized, mainly to express an opinion on these claimed predictions. I would like to share with the readers of my blog that this “prediction” frenzy is happening for a very specific underlying reason. 

The information security industry and more specifically the vendors, attempt to shift their value proposition once more in 2016, and make it the year of “predicting” attacks, initially from detection to prevention, and now to prediction. This is going to be the InfoSec buzzword for this coming year. 

Detection > Prevention >  Prediction 

It is sometimes annoying to see that some industry professionals (especially tied to specific vendors, as a publicity stand for quick profit) discuss/present such ideas as novel, when in reality researchers, especially in academia, have worked upon the evolution of threat assessment, and detection, many years back. Several PhD theses have been written on how intrusion detection will evolve, and even more on how unification of networkevents will address the problem of managing the vast amounts of information generated (later called “Big Data”). Also, how prevention can be effective across different geographic locations, how will this lead to “Threat Intelligence” needs, by sharing attack patterns across heterogeneous systems in real-time (including IoT), and what are the realistic expectations for predicting cyber threats, based on the abstraction of network events, and the behavioural analysis of cyber-criminals, and trends in cybercrime.

Temporary & Disposable Email / SMS List

Sometimes it is very useful to have a temporary email address which you will be only using briefly. I admit it, I personally use these disposable email providers because I need to download for example a free whitepaper or register to an online form that I know I won't be using again in the future for a very long time and I don't want to get bombarded with advertising material afterwards (or have my email shared with undisclosed third-parties).

Before I move on telling you about the temporary/disposable email addresses, let me point out another interesting online service that sometimes might come in handy. These are temporary mobile numbers to receive actual text messages (aka SMS). There are websites which allow you to receive an SMS online and won't parse or modify the content. (Yes, this means you can do XSS if you manage to fit your JavaScript code within one SMS.) Basically, the only thing you need to do is to look for the country you want the SMS to be sent to, and pick an available number from the list. 

I am surprised to see that major companies in the information security community don't maintain a black-list of these temporary emails and public phone numbers for SMS messages, at least the same way Google does. Google knows these temporary/disposable email addresses and publicly accessible phone numbers for SMS, and won't allow you to use them when registering for a new gmail account. 

So, I have done the hard work for you. Instead of listing the websites where you can go get a temporary/disposable email (for example, see here or use a search engine), I am listing all the domains being used by these websites that offer temporary/disposable email addresses. (its too much work to list all the phone numbers as well and by the way, these are modified/change too often to put them in a static list similar to the temporary/disposable email domains).

This information is fully up-to-date today (19/Jan/2016) and I will try to update it again as often as it is possible. Of course, if you find any domain used for such purpose which is not on my list, feel free to contact me and I will be happy to update the list. I believe this list is good to be shared among the infosec community, so anyone who might have a domain or domains to add, will be able to do so. 

You can find all these hundreds of domain names in this PDF File. Follow me on Twitter (@drgfragkos) and let me know if you found this list useful. 

A Weapon for the Mass Destruction of Computer Infrastructures

Disclaimer: This is NOT a weapon. This is AN EXPERIMENT. 

You MUST NOT try this at home. The tests were performed under the supervision of licensed electricians, in a controlled environment. 

I intentionally do not provide any technical details about the devices. The purpose of this blog post is not to tell you how to do this, but to raise the awareness that this can actually happen. I believe, entities should be aware of this threat and take any necessary actions to protect their infrastructures. 

Having done a number of physical security assessments over the years, I started wondering how vulnerable our computer infrastructures are. I tried to think of a way for a malicious insider or an external third-party, to target a company’s computer network and take it down by damaging it (someone who doesn't have physical access to the server room). I started thinking about this from a different perspective and I tried to approach this "question" with an outside-the-box point of view. 

Due to my experience with physical security assessments I noticed that there are many unattended Ethernet ports (sockets) everywhere around a building. These ports might not be “active” but most of the time they are connected at the far-end on a managed or unmanaged network switch. 

I started wondering what would be the effect if one tried to apply electric current on an Ethernet socket from a power socket directly. The picture on the left illustrates a cable which sends electric current (220V-250V) directly from the power socket to the Ethernet port (This is very dangerous, do not make one, and do not try to use it). In reality, such attempt is actually pointless, as it will only "toast" the device you connect this modified power cable. 

The hypothetical network switch at the other end will end up toasted in a split second and the person doing this will experience a loud bang and a bright flash, along with the smell of burned plastic at the Ethernet socket side. 

This is a very dangerous thing for one to do and not a very convenient or an effective way for taking down the whole computer infrastructure. The whole point is to manage to "fry" all the devices behind the network switch!!! (..even after the network switch is "toasted", and the circuits are burned). Also, without exposing ourselves to any danger, as it would have happen if someone have used the cable mentioned earlier on. 

Logjam attack - Diffie-Hellman key exchange weakness (a quick and brief explanation)

A study was published regarding the security of the Diffie-Hellman key exchange. This popular cryptographic algorithm can be found among many protocols such as HTTPS, SSH, IPsec, SMTPS and it is used for sharing a key and establishing a secure connection. 

The weaknesses uncovered affect websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers. The exploitation of this vulnerability  was given the name Logjam attack [1] and depends on how Diffie-Hellman key exchange has been deployed in each case. 

The Logjam attack against TLS can be performed by downgrading vulnerable TLS connections to 512-bit export-grade cryptography, allowing the man-in-the-middle (MiTM) attacker to read and modify any data passed over the connection. At the moment, this attack affects all modern web browsers. 

Cyber Essentials Scheme explained

Cyber Security is of increasing importance to private companies, SMEs and organisations. Becoming certified against a cyber security standard can be proven a trivial task. Getting familiar with the Cyber Essentials Scheme might proven invaluable when it comes to the cyber security of a business/organisation and to obtaining government contracts. Becoming certified to a cyber security standard significantly lowers the risk of becoming the victim of a data breach. 

According to the Verizon Data Breach Investigations Report (2013-2015) most of the attacks require very little skill or experience to be carried out. Consequently, the UK government in order to roll out a basic level of security for protecting businesses against these widely spread cyber attacks (usually low-tech attacks) introduced the Cyber Essentials Scheme on the 1st of October 2014.

How to prevent a business from being the next exploited target

Over the past few years, Cybersecurity has become a high priority task on the agenda of every organisation that wants to: prevent unpleasant security incidents, avoid being breached by sophisticated attacks and Advance Persistent Threats, detect malicious activity which is specifically designed to evade detection and last but not least respond proactively to the emerging cyber threat landscape. During 2014 in particular, cyberattacks became the norm making headlines on a regular basis with a number of high profile breaches being in the spotlight which as a result affected the number of online transactions. More specifically, it was reported that the levels of fraud increased in 2013-2014 by 12% which accounts for 37% of the total £603m cost of retail crime as reported by the BRC Retail Crime Survey.