Briefly Briefed: Newsletter #4 (28/09/23)
Alwite me ol’ chinas,
Welcome to the fourth edition of Briefly Briefed:, I hope you’re finding it useful. After some useful feedback, I’ve added a new section to each post entitled ‘So What?’. The concept is that I provide a couple of sentences on why an item may be worth reading in more detail, or add insights and opinion that may (or may not) be useful.
My favourite posts this week were:
Google’s post on Security Theatre. This was a great reminder to always question why you do things and provided an actionable list to help.
Signal’s post on quantum-resistant crypto (pun intended). It’s great to see organisations prepping for a post-quantum world and sharing their experiences.
Funny Cyber Quote || Meme of the Week:
The post provides a brief primer on quantum computing and an overview of how Signal followed the guidance from the NIST 'Standardization Process for Post-Quantum Cryptography'. Intriguingly, they highlight that late in NIST's algorithm candidate review process, one of the proposed algorithms was found to be vulnerable to attack and was broken by a research team in Belgium. This shows how nascent and challenging this field still is. It's great to see organisations like the Signal Foundation getting ahead of the threat.
This is an important example for the software industry, especially for products that intend to provide privacy and integrity to their users. Vendors need to be preparing now, as nation states are unquestionably ramping up their capabilities and research in this area.
An extremely large and comprehensive list of domain names by Bohdan Turkynevych
Handy for many a research or operational project.
While this may not be a useful list for everyone, it’s surprising how challenging it is to answer some fundamental questions about the ‘www’.
The report shows a deceleration in the growth of cybersecurity budgets. Drawing on data from 550 CISOs, the average security budget increase was reported to be 6%, marking an 11% reduction from the prior year's 17%. Technology firms saw the most notable decline, dropping from a 30% increase to a mere 5%. A total of 33% of organisations either froze or cut their cybersecurity budgets. Security budgets as a percentage of IT budgets have risen from 8.6% to 11.6% since 2020. Venture Capital-backed firms have an average security budget of nearly 30%, more than twice the overall average. Staff and compensation account for 38% of the security budget, with cloud-based companies allocating more (47%) compared to on-premise ones (35%).
These types of documents are especially useful for CISOs in understanding trends in security spending. Security vendors and investors may also find them useful for seeing which sectors are increasing their spend.
A few key snippets:
Introduction of Passkeys: Windows 11 introduces passkeys as an alternative to traditional passwords. A unique cryptographic credential is generated and stored securely on your device, enabling secure sign-ins via Windows Hello or a phone used as an authenticator.
Phish-Resistant Credentials: Windows Hello for Business and FIDO2 security keys can be utilised for passwordless authentication. IT policies can remove the password option altogether, increasing the use of strong, phish-resistant credentials.
Config Refresh for IT Policy: This feature allows IT teams to revert tampered policies to a secure state. Policies can be reset every 90 minutes by default or every 30 minutes if desired, ensuring consistency and security in IT settings.
Custom App Control: Only trusted and approved apps will be allowed to run on the device, thus reducing the risk of malware infections. App Control settings can be managed via Microsoft Intune.
Enhanced Windows Firewall Configurations: Windows Firewall now supports tagging with App IDs and allows more granular logging. It also allows IT to specify rules based on location awareness and supports settings for ICMP types and codes.
Windows 11 definitely uplifts security from Windows 10, providing more secure defaults and native options to move away from passwords and weak MFA. It’s not bulletproof though, and does require significant hardening. From speaking with a number of serious red teamers this week, low-to-mid-tier actors can still compromise a well-hardened host. So there’s still some way to go.
The Bellingcat folks asked online for suggestions of where to photograph with high-resolution satellite imagery (accurate to 50cm). They captured the following locations:
1. Intrenchment Creek Park in Atlanta, Georgia, is a proposed $90-million training centre for police and firefighters, featuring diverse training facilities, and has been a site of activist resistance.
2. The base near Shigatse Peace Airport at the Sino-Indian border has seen significant infrastructure expansion, indicating potential military strengthening near a geopolitically sensitive area.
3. Votkinsk Machine Building Plant in Russia specialises in the production of various missiles and recently experienced an explosion in one of its workshops, warranting further scrutiny.
4. Mischief Reef in the South China Sea is a Chinese-occupied island that has been developed into a military base, involving significant dredging and construction activities, including a completed airfield.
5. The Burevestnik Launch Pad on Novaya Zemlya is a reported launch site for Russia's nuclear-powered cruise missiles and has been the subject of recent reports highlighting increased activity.
Your interest in this really depends on how concerned you are with current affairs and nosing around areas you wouldn’t normally have access to. The images are very high resolution, and acquired from a third-party subscription with a specialist company. Tinfoil hat optional.
A handy list of assorted cloud security blogs, podcasts, standards and miscellaneous by Jacob Michael Silva
This is a pretty comprehensive collection, which serves well as a bookmark for anyone involved in cloud-related security. I had a good snuffle through the list and found that the most extensive collections were in the ‘container’ and ‘labs’ sections.
Microsoft released a training document on how to “Build reliable and secure C++ programs” by Tyler Whitney et al.
There’s currently a big debate in the technical cyber community as to whether, and how, we should focus on migrating to memory-safe programming languages such as Rust (languages designed to prevent common programming errors that can lead to vulnerabilities such as buffer overflows and memory leaks). Some argue that we should just migrate and re-write things like OS kernels (MS have done elements of this in Windows 11¹). Others are trying to fix this at the hardware level (such as CHERI² on Arm architectures), meaning re-writes are not required for existing codebases. However, some feel there’s too much focus on this category of vulnerability³, at the cost of others, and that just switching languages ignores a raft of other problems.
As we’ve seen in the phishing space, humans (users and developers) can make mistakes or fail to learn or be taught security fundamentals⁴. That’s not to say they can’t learn and improve or that they’re the ‘weak-link’, but that technical controls are the most effective mechanism to prevent bad security outcomes. As with all things security, it will require all these things (better education, better OS and hardware controls, better defaults and DX and better support in languages for security goals).
Security in programming languages that provide low-level memory manipulation has been an ongoing challenge. This is highlighted by years of memory corruption bugs in operating systems such as Windows. It’s great to see these being addressed in enhanced guidance and by initiatives such as the Rust programming language and CHERI Arm Morello boards. I’d highly encourage you to explore some of the links below to learn more.
Google Cloud’s OCISO released a post outlining “How leaders can reduce risk by shutting down security theatre.” by Taylor Lehmann and Seth Rosenblatt
The blog post warns against the pitfalls of 'security theatre' in cloud environments (although this can be applied more broadly), particularly the over-reliance on passwords for identity authentication. Security theatre is defined as "security measures that make people feel more secure without doing anything to actually improve their security." It often masquerades as effective control, but lacks logical justification and tangible benefit, and it is harmful because it perpetuates a false sense of security.
In order to uncover security theatre in your organisation, the post suggests you look for five key characteristics (and assess with technical validation, such as red teaming):
1. Inability to prove the control mitigates a relevant threat.
2. Ease in bypassing the control without detection.
3. Reliance on perfect human performance for effectiveness.
4. An unfounded belief that an adversary will overlook a weakness.
5. Justification for the control based solely on compliance requirements.
The blog encourages transitioning to modern, cloud-first security measures, to reduce risk and abandon security theatre practices. Adopting these strategies during digital transformations will set the stage for practical, effective security.
This post creates one of those moments when you think ‘this is pretty obvious’, but then you realise it’s infrequently called out (well), and even less frequently accompanied by a solution. I really valued this post as a reminder and validation of my own thoughts. I’d encourage the use of these ‘characteristics’ next time you review a control or think about how you’re going to tackle a risk.
Thanks for reading ‘Briefly Briefed:’ - To receive the newsletter on a weekly basis, please subscribe below.