threat mitigation – Are security controls themselves considered assets (e.g., cryptographic keys)

Looking at a plain system (there are no security controls implemented yet), we need to think about its functions and derive appropriate assets which we’d like to protect in order to ensure the system continues to function as intended (also making sure no intellectual property, private data, etc. are leaked).

My question is, do security measures themselves become assets once they are implemented? For example, we have a shared key to encrypt some data. This data is an asset with the property “confidentiality”. To protect its confidentiality, we implement the security control encryption using said key.

The key in itself is not relevant to us, it's just some random bits. Fundamentally, we still only care about the data being encrypted. However, the key is required to ensure the confidentiality of our data.

Does this in turn make the key itself an asset (we can argue that the key must remain confidential as well, since information disclosure of the key automatically results in information disclosure of our data)?
Or would you argue that storing the key securely is simply part of the security control/measure in the first place, thus it doesn't make sense to make the key a new asset and continue with risk analysis for this new asset?

Another example: messages transmitted are digitally signed to ensure authenticity/integrity. Now I have somewhere a function/code which performs the verification, as well as cryptographic key material. Would the verification functionality and keys/certificates become new assets on their own, or is it considered part of the mitigation in the first place to correctly/securely handle these?

Curious about your opinions on this topic.

Thanks!

risk management – Is Power Failure an Environmental or Structural Threat?

As @ConorMancone says, there’s no reason it can’t fall under both categories.

When a hurricane takes down power lines and imposes a power outage, that’s an environmental threat.

When the power supply company lacks sufficient capacity and inflicts brownouts and blackouts on its customers, that’s a structural threat. (Peabody, I’m looking at you).

These both meet the posed question, “Susan has lost power to her building” so such a question would be wrong without more details to indicate which interpretation is more valid.

threat mitigation – Best material for a Faraday enclosure

I am having an issue with someone directly below me compromising my machines by tracking me with RF signals. I am looking for the most efficient way to set up a Faraday enclosure to prevent this from continuing to happen.

Initially I looked into using Faraday fabric that is composed primarily of nickel and copper. However, the attenuation rating was only 80-100 dB even if multiple layers of the fabric are used. Since the RF transceiver can be placed within a foot of the fabric layer on my floor, I did not think that this attenuation rating was sufficient.

My next thought was to use multiple layers of aluminum foil as the protective layer, but I have no idea what level of protection that would provide without implementing it first. Can someone provide advice regarding whether this is the most effective approach or if I should construct it using different materials?

anti virus – Windows Defender won’t delete or restore quarantined threat

Windows Defender has quarantined two threats on my PC recently: one is an infected executable on a network share (which was put there deliberately and which someone needs), the other is a simple “potentially unwanted app” from a bundle installer I downloaded for FileZilla.

In Defender’s Protection History, when I click on “Restore” or “Remove” for one threat, I get a UAC prompt, then nothing happens when I confirm. After accepting once, I don’t get other UAC prompts, but further commands don’t do anything either.

The Windows Security task bar icon keeps warning me of the bundle installer, even though I can’t remove it.

Why can’t I act on quarantined threats, and how can I fix this?

Generalization of The Term “Insider Threat”

A definition of an Insider Threat in an enterprise/organization context is: “A current or former employee or business associate who has access to sensitive information or privileged accounts within the network of an organization, and who misuses this access.”

I would like to know if such a threat can be generalized in a broader context so I can say that: “An Insider Threat refers to any user or entity that misuses the delegated access by taking the privilege that it is already authenticated and authorized to the system. The misuse of delegated access can be unintentional such as program flaws and failure, or intentional such as user account compromise.”

Is my generalization of the term “Insider Threat” correct?

If it is not, what term is used to designate the type of threat that I defined in my generalization (2nd paragraph)?

macos – Insider Threat Management solutions for small teams using Mac

The question is whether anyone can recommend proper cloud-based tool(s) which can be used for insider threats on Mac computers, similar to ObserveIT or Forcepoint, but for smaller teams, with a more adequate licensing model (<10 users), e.g. Kolide with more security/IR features. Thanks!

email – How to quickly find out the threat nature of a password-protected archive without getting infected?

I am wondering about how to find out the exact nature of the threat in a secure way.

Doing malware analysis yourself is pretty hard – malware is often designed so that it can’t easily be reverse engineered. Your best bet is searching for the VirusTotal results – unfortunately, there may not be any definite information on what your specific malware does exactly. Also, if malware connects back to a server and downloads additional pieces, it might be impossible to tell, as those pieces could change at any time, or depending on the specific target.

Do previewing and extracting the archive impose any security risk or is it only the document inside that can be infected?

Unlikely, but possible. Most run-of-the-mill malware relies on the user actively executing a file that contains code. There are several common ways to do that:

  • The simplest way is to just provide a .exe. There are some ways to hide the file extension so that it seems less suspicious (Windows has a bad habit of just hiding them).
  • Using a less-known file format, like .bat or .vbs, which are executable files too.
  • By embedding macros in a Word document (or similar format). If you were to open such a document, Word would ask you if you wanted to execute the unsafe macro contents. Many users are trained to click “yes” on such a prompt, which would lead to executing the malware.

Likely, the encrypted zip is just a way of hiding the malicious contents from automated scanners that might detect a known malware.

But there is another possibility: the malware might contain an actual exploit for a weakness in the software that you are running. That might be a known vulnerability relying on you using an outdated version (more likely) or even an undiscovered “zero-day” vulnerability (less likely). In that case, just viewing a “harmless” format like a .zip might lead to system compromise (although targeting a much more complex format like .docx or .pdf using a document inside the zip that would have to be opened is probably much more likely).

In any case, using a VM was definitely the safe choice – just make sure to not connect it to the Internet and dispose of it afterwards. By contacting your security department about it you definitely did the right thing – they might have the resources to further analyze the threat, or at least block those specific mails from going through.

docker – What is / are the best threat modeling method(s) for container security?

I am currently researching threat modeling for container security, and I am wondering which methods are the best for container security. So far I have reached the conclusion that STRIDE is most used, and it is used as well for container security because it is easy to understand and each threat is easy to map to the CVE database.

Maybe there are people in the community with experience in the field who can advise or share their experience about what is the best threat modeling method for container security and why.

Thanks.

Threat Mitigation: Does TLS 1.3 Mitigate BREACH Vulnerability?

Section 5.4 of the TLS 1.3 specification describes record padding.

One of the mitigations for BREACH is to add random padding.

Therefore, I ask myself:

  1. Does TLS 1.3 require random record padding? It is also unclear to me whether this padding is optional or mandatory, and whether it is always random.
  2. If the TLS 1.3 random record padding is done, am I correct in thinking it mitigates BREACH?

Assuming both questions are answered in the affirmative, I think that would mean that any site that uses TLS 1.3 (and does not support any previous version of SSL / TLS) would not be vulnerable to BREACH.
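The record padding mechanism the question refers to, as an added example (not code from the question or from any TLS implementation): RFC 8446 section 5.4 appends the content type and then zero bytes to the plaintext before encryption, and the receiver strips the zeros by scanning backwards. The RFC defines only the mechanism; whether to pad, and by how much, is left to the sender, so the bucket and random policies below are illustrative choices of mine, and encryption is left out entirely.

```python
"""TLS 1.3 TLSInnerPlaintext padding (RFC 8446 section 5.4), in isolation.
Added example, not library code. Encryption/AEAD is omitted on purpose:
the only point shown is how padding changes (and hides) the record length,
which is the side channel a compression-ratio attack like BREACH measures."""
import secrets

APPLICATION_DATA = 23            # ContentType value defined by RFC 8446
MAX_INNER_PLAINTEXT = 2**14 + 1  # content + type byte + padding must not exceed this

def pad_inner_plaintext(content: bytes, content_type: int, padding_len: int) -> bytes:
    """Sender side: TLSInnerPlaintext = content || type || zeros[padding_len]."""
    inner = content + bytes([content_type]) + b"\x00" * padding_len
    if len(inner) > MAX_INNER_PLAINTEXT:
        raise ValueError("padded record exceeds 2^14+1 bytes")
    return inner

def pad_to_bucket(content: bytes, content_type: int, bucket: int) -> bytes:
    """Illustrative deterministic policy (not mandated by the RFC): pad so the
    inner plaintext length is a multiple of `bucket`. Two payloads whose
    lengths fall in the same bucket then produce identically sized records."""
    need = (bucket - ((len(content) + 1) % bucket)) % bucket
    return pad_inner_plaintext(content, content_type, need)

def pad_random(content: bytes, content_type: int, max_padding: int) -> bytes:
    """Illustrative random policy: 0..max_padding zero bytes chosen per record."""
    return pad_inner_plaintext(content, content_type, secrets.randbelow(max_padding + 1))

def unpad_inner_plaintext(inner: bytes) -> tuple[bytes, int]:
    """Receiver side: the content type is the last nonzero byte. Because every
    defined ContentType is nonzero, trailing zeros that belong to the content
    itself are safe: the scan stops at the type byte. An all-zero plaintext
    has no type and must be rejected (the RFC calls for an unexpected_message
    alert in that case)."""
    end = len(inner)
    while end > 0 and inner[end - 1] == 0:
        end -= 1
    if end == 0:
        raise ValueError("unexpected_message: no content type found")
    return inner[:end - 1], inner[end - 1]

if __name__ == "__main__":
    # Constructed sample payloads of different lengths land in the same bucket.
    for payload in (b"GET /", b"GET /index.html"):
        rec = pad_to_bucket(payload, APPLICATION_DATA, 16)
        print(len(payload), "->", len(rec), unpad_inner_plaintext(rec))
```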

viability of blue computers that detect infiltration of internal threat data
