Martiniano Mallavibarrena

Former Global Head of Incident Response and Threat Hunting at TCCT. Telecommunications degree from EUITT and Master's degrees in IT Management (IDE-CESEM) and in Criminal Analysis and Investigation (UDIMA). More than 30 years of experience in multinationals in the ICT sector.
Cyber Security
Cybersecurity in films: myth vs. reality with 10 examples
The multiple aspects of cybersecurity (attacks, investigations, defence, disloyal employees, negligence, etc.) have been part of the plot of countless films and TV series for years. In today's society, with part of the population born with mobile phones in their hands and universal Wi-Fi, talk of "hackers", "malware" or "cyber-attacks" is commonplace and surprises no one. Both sides, the evil villains (or those who help them) and the victims (not always passive), are often caught in the middle of a cyber-epic struggle of good versus evil, in the form of investigative agencies, elite police forces and other groups of "do-gooders" who save us from all evil (or try with all their might).

As with other technologies (particularly robotics and artificial intelligence), the film and TV production industry is not going to risk a big hit with audiences by being overly purist about the more technical details. As a result, we constantly see the most creative interpretations of the possibilities of technology, and of each other's abilities, on the big screen.

10 examples: Cybersecurity in cinema, television and streaming

In this article we will use 10 films or TV/streaming series to illustrate how reality and fiction, when it comes to cyber security, can be separated by abysmal distances. The end justifies the means, as we all know.

1. Not everyone is a script kiddie: "WarGames" (1983)

Ever since going online was a matter of knowing the right phone number and having a modem set up, the archetype of the solitary, tech-savvy young techie who compulsively consumes knowledge and challenges himself by trying out new techniques of intrusion and compromise, often for the sheer pleasure of it, has been cultivated. Although this profile of malicious actor exists and is common in today's society (who hasn't looked on YouTube for a tutorial on something?), it is not representative when it comes to drawing a map of the really dangerous actors, where the leaders are the professionals of organised crime, intelligence agencies, digital mercenaries, etc.

🔵 These people, whom we witnessed being born as icons in the classic film "WarGames" (1983), are a constant in our immediate surroundings, but beyond pranks (some try to change their class grades, as in the famous film) and hacktivism, they do not usually go beyond attempts at fraud, small scams on the Internet, etc. So they are not really representative of the cybercrime sector.

2. Lone wolves and other profile features: "Sneakers" (1992)

In order to increase the drama of the script, we can all agree that "lone wolves" (regardless of their age and gender) are very suitable characters for our film. Former members of intelligence agencies, elite hackers with a desire for revenge and a long etcetera make up a huge pool of candidates for the perfect script. As with the first point, it is obvious that, while both profiles exist among malicious actors, most of today's organised cybercrime is made up of thousands of mercenaries of all ages and types whose only goal is to make money and prosper in the organisation. Lone wolves (out for revenge or on a mission) do exist, but they certainly do not represent this group.

The film "Sneakers" (1992) is a nice example of how, in "reality", these teams of experts (in this case, a charming team of ethical hackers) are put together. The same applies to police units and other groups: more experienced professionals combined with younger people (and in some cases, redeemed cybercriminals), all united by a common goal: to attack or defend (the famous metaphor of the red and blue teams).

3. Type fast, type better: "Matrix" (1999)

One of the most comical effects, perhaps, in today's cinema when it comes to cybersecurity is that all the experts in the field must type at full speed, stringing together very long commands with complex instructions, etc., without respite or error. Whether you're wearing gloves, injured, at a cash machine keyboard, or the world is collapsing around you.

🔵 Of the thousand and one examples of this circus-like agility, we can recall some scenes from the "Matrix" saga where several of its protagonists type (in some cases using real tools such as "nmap", with leather gloves and under extreme pressure) at breakneck speed, obtaining perfect results.

4. Immediacy of access: "Jason Bourne" (2016)

It is easy to remember scenes in recent productions where the protagonist has to enter a remote system (or a personal computer in front of him) that he does not know and of which he has no prior knowledge (the script has already given us this information to increase the complexity), and he succeeds without hesitation and in a few moments. While it is true that, in many cases, it may be relatively easy for a trained and prepared person (both conditions are necessary) to perform an intrusion, it seems unlikely that in general it will be done in a few seconds, without errors, without downloading any supporting tools (almost never happens), without checking existing vulnerabilities, etc. That sort of magic universal password (no two-factor authentication or address locking) is often the result of some prior work (e.g., sending a malware email that includes a password-capturing tool), or at least of known vulnerability checks or a couple of trivial password tries.

🔵 The latest instalment of the "Jason Bourne" saga is littered with such scenes, where the viewer must assume that the CIA bypasses all sorts of legal delays and ethical dilemmas in the relentless pursuit of its target as, one after another, all systems are accessed with enviable comfort.

5. Prior knowledge of all types of systems and platforms: "Live Free or Die Hard" (2007)

Another recurring theme in film is the attacker's universal knowledge of all types of systems and platforms that the victims use on a regular basis, and the obvious simplicity of their use: industrial control systems, air traffic control, nuclear weapons, electric lighting or autonomous cars. However professional we may believe the attackers to be (almost always elite hackers, three-letter agencies, etc.), it does not seem very convincing that, whatever the system, the actor moves with total agility through the console (it always seems that they are connecting for the first time), ignoring that these systems have multiple access security measures that simply disappear, and that the actor would have had to install the necessary software on their computer; and that, even overcoming the language barrier (Mandarin, Arabic, Russian, etc.), the attacker does not hesitate to choose the perfect option to (without further checking) turn off the power in half of the state of California.

🔵 The fourth instalment of the saga, "Live Free or Die Hard", is full of all kinds of poetic licences in terms of industrial control (the lighting in the tunnel, the power plant, the Federal Reserve, etc.).

6. Information connected between some systems and others: "NCIS" (2003–)

Another great reality of current information systems is that the format in which information is handled is not standardised beyond the obvious, the clearest cases being car number plates, telephone numbers or identification numbers (such as ID numbers). It is therefore surprising that when our elite team (from the "good guys" team) gets the first piece of information (a blurred car number plate at a tollbooth), they get within seconds the position of the car, the mobile phone, the subject's high school grades and his military record (as they were almost always members of the special forces before they became serial killers or mercenaries). Considering the current population of the USA, and that a combination of a first name and a single surname will almost always give thousands of results, it seems curious that the first face that appears on the screen when typing the name "John X. Smith" is exactly that of the villain (the photo will be recent, of course).

🔵 Series in which individuals are constantly located often abuse these resources, as in the case of the "NCIS" series, and it is surprising that we never have problems with the format of the data, telephone prefixes, postcodes, initials in proper names, etc.

7. With their bare hands: "MacGyver" (1985–1992)

Those of us who watched the TV series in the 80s ("MacGyver"; we had a remake a few years ago, for the new generations) smile every time a cybersecurity expert gets to work in our favourite film production without having any initial resources. In the scenes we see on the screen, our protagonist will have only a portable video game console (wireless connection, we assume, of course), an old mobile phone or the old PC of a library in some town in North Dakota. However, within minutes, he will have gained access to the Federal Reserve or the air traffic control centre at Washington airport (Dulles, D.C).

🔵 Some scenes in films such as "The Net" (1995) can be framed in this way, when the bad guys or the protagonist do all kinds of cybernetic balancing acts on computers used randomly anywhere.

8. Ubiquitous collateral information: "Enemy of the State" (1998)

Any "cyber" scene in today's cinema usually involves infiltration of some remote system (bank, military environment, industrial control, etc.) to perform a necessary action (stealing money or cryptocurrencies, perhaps from the bad guys' team) for a specific purpose (launching the missiles without human control). To carry out these actions, our hero or heroine (or diverse team of people with multiple skills, all complementary to each other) will make clear to us their extensive knowledge of technology and use advanced penetration techniques (not always shown, but always intuited) until they achieve their goal and smilingly shout out the timeless classic "We're in!".

On the way to a successful connection and subsequent actions we will be able to see on the screen, surprisingly, countless drawings of parts, architectural diagrams of buildings, sewerage plans, power lines, private security systems, modules of a factory or power plant, etc. No matter how old the building or environment is, and how private and protected the information on the screen is, the plans will show us all these pieces of information in an accelerated way, to make us understand that, beyond the hacker's skills, the collateral information shown covers the most "miraculous" part of the exploit.

🔵 In the interesting "Enemy of the State" (1998), the bad guys' team (the NSA, misdirected by an unscrupulous and unsupervised manager) makes use, time and again, of these miraculous resources to try to destroy the poor protagonist's life.

9. We have our system perfectly prepared: "Blackhat" (2015)

Another of the great poetic licences of productions is that of the perfectly prepared "actor". It doesn't matter if the protagonist is in the middle of the desert armed only with a Swiss Army knife (see myth number 7) or in his "lair" with his super laptop (let's not forget the stickers, the low light and the hood), moving with total agility from one system to another, from one technology to another, while his fingers dance on a geek keyboard full of LED lights or stickers with emoticons. Logically, everything would lose its magic if the actor had to change tools many times, download a new utility, search GitHub for some software of interest, etc.

🔵 In some blockbusters such as "Blackhat" we can see this kind of compulsive action where, whatever the environment we move in, the attacker always has everything ready, the software installed, etc. Everything works perfectly, and we can see our star typing at full speed while things happen suddenly (without intermediate errors, of course).

10. Constant violation of legal requirements: "Criminal Minds" (2005–)

Although we can all understand that some police operations in cyberspace are especially critical and urgent (perhaps trying to prevent a terrorist attack at the last moment), all intelligence agencies, police units, etc. have to strictly follow the regulations that apply in that region and scenario (as well as a basic code of ethics), and therefore court orders, permissions from users, service providers, groups, etc. have to be requested. Of course, it is not usually convenient for the agility of the script to have to "stop the action" every few steps, waiting for the "paperwork" and the presumed slowness of the corresponding judicial system.

🔵 The vast majority of cases in series such as "Criminal Minds" or "FBI", where the analyst jumps from flight reservations to credit card payments after seeing what they had for dinner at the nearby restaurant, seem hardly credible (from a legal perspective) considering the sequence of steps required in most countries that protect the civil rights and privacy of citizens.

Conclusion

So, the next time we watch a streaming series or a big movie premiere and a guy comes out typing fast in the dark, hiding his face with a hood while the world succumbs... you know what you must do: enjoy the show (which should always go on) and forget about the level of realism used. By the way, always using the term hacker for the case we all imagine is as inaccurate as it is unfair, but we'd better look at that in another post. 😊

Featured photo: Felipe Bustillo / Unsplash
February 1, 2023
Cyber Security
Understanding The Dynamics of Ransomware Security Incidents
The ransomware phenomenon

If there is one term that has earned its way to the top of the headlines in the media over the last two years, ransomware is undoubtedly the clear winner. Rare is the week when the media does not tell us about an incident using this type of approach, and rare is the sector that has been exempt from this latest-generation biblical curse. Whether the background is really understood or not, the public always translates this term as synonymous with serious cyber-attacks and a significant level of damage to companies. Usually, the media narrative is somewhat confusing, as it talks about the impact (the website that is down or the factory that cannot open) and not so much about the incident itself, which usually happened a long time ago and often has other stories to tell.

This article is the first in a series of four in which we will try to share our close vision of the phenomenon, narrating how we experience the dynamics of this type of cyber security incident when it becomes a reality in our organisation.

Ransomware incident response at a glance

In an incident of this type, an actor will have gained access to the client's infrastructure and will have begun a sequence of easily foreseeable steps: downloading tools (to analyse the environment, detect machines and IP addresses, enumerate systems and users, etc.) and then attempting various lateral movements towards a progressive escalation of privileges that will optimise the culmination of its activity by eliminating the environment's own resistance. Connections with its C2 (the attacker's centre of operations, known as Command & Control) will be frequent during these movements. The multiple phases used to take several weeks to complete, although recent experiences in 2021 have confirmed shorter timescales (around one week in total in many cases), making detection and response platforms (EDR, XDR, etc.) even more urgently needed, if that is possible.

Once the actor has the desired level of knowledge and access, the attack itself will take place, either because a large amount of data is exfiltrated and then encrypted, or because it is only encrypted (not all actors who follow this pattern exfiltrate data). In any case, within a very short period of time, a significant number of our client's folders and files will have been compromised and encrypted, and the famous "ransom notes" will appear (similar to the traditional ones when it comes to kidnapping people), where we are usually informed about the attack, about the perpetrators (who will be identified by a certain nom de guerre, organisation name, etc.) and about the conditions of the "ransom". Recovering the files encrypted in the attack is usually very complex (the encryption mechanisms are very robust), and therefore the actor will invite us to visit a page on TOR (the dark web) where we can check how much time we have to make the payment (a countdown) and the expected way to do it (usually with cryptocurrencies, to make it difficult to trace).

It is important to highlight the fact that, in recent months, the RaaS approach (Ransomware as a Service, using the nomenclature of cloud services) has been used very intensively. In these cases, a first actor develops software to carry out ransomware attacks and shares it with a different actor that, based on different models (profit sharing, monthly payment, etc.), will finally carry out the attacks. In this model, the first actor will provide technical support to the second, so the actor that actually attacks does not need extensive knowledge of offensive technology.

Once an organisation is the victim of a ransomware attack, a significant number of computers (usually servers and, collaterally, workstations) will be encrypted and their performance will start to degrade (the attackers do not fully encrypt the systems, so that the ransom note can still be displayed) or stop completely. In many cases, the customer's own IT/security services will detect the attack, or at least some aspects of it, and can hopefully contain part of it. In any case, the situation will be obvious within minutes. The impact on services will be immediate and absolute.

When an organisation suffers a ransomware-based security incident, it will initiate an Incident Response (IR) process that typically follows best practices from international bodies such as NIST (US) or ENISA (Europe). During this process it will essentially try to cover three stages:

- Containment (preventing the damage from spreading and the threat from growing)
- Eradication (eliminating the presence of the actor/malware so that it does not reactivate in the future)
- Recovery (of systems and services, securely and safely)

It is rare for a company or organisation to have enough resources of its own (or service companies already engaged) to face this IR process alone, which is why Telefónica Tech's DFIR (Digital Forensics, Incident Response) services are usually required.

How do we carry out an IR-Ransomware process?

Telefónica Tech's incident response team has resources in several countries and offers various IR services globally, having carried out work for clients in Europe, the USA and LATAM. The IR service is delivered in both Spanish and English. The main factor around which all the work revolves is an EDR (Endpoint Detection & Response) platform. If the client does not have such a system already deployed, the team activates one in the cloud and deploys one of the solutions of our technology partners in a matter of minutes.
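As an added illustration of what an EDR-centred detection looks for during the encryption phase described above (example code written for this page, not Telefónica Tech's or any vendor's detection logic; every host, process name, path and timestamp below is constructed), the following toy detector flags a process that rewrites many files to a new extension across several folders in a short window, and one that drops the same note file into many folders, while leaving a single-folder backup job alone:

```python
"""Toy detector for the encryption phase of a ransomware incident, run over
endpoint file-event telemetry of the kind an EDR collects. Added example,
not Telefónica Tech's or any vendor's detection logic. It raises an alert
when one process renames many files to a new extension across several
folders within a short window, or drops the same note file into many
folders. All hosts, process names, paths and timestamps are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import os

BURST_THRESHOLD = 20            # extension changes within one window
WINDOW = timedelta(seconds=60)
MIN_DIRS = 3                    # distinct folders touched before we alert
NOTE_MARKERS = ("readme", "decrypt", "restore")  # constructed note-name hints


def folder(path: str) -> str:
    """Parent folder of a Windows- or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[0]


def ext_changed(old: str, new: str) -> bool:
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect(events: list) -> list:
    """events: (timestamp, host, process, action, path, new_path or None).
    Returns sorted (host, process, reason) alerts."""
    alerts = set()
    renames = defaultdict(list)   # (host, process) -> [(ts, folder)]
    notes = defaultdict(set)      # (host, process, filename) -> {folder}
    for ts, host, proc, action, path, new_path in events:
        if action == "rename" and new_path and ext_changed(path, new_path):
            renames[(host, proc)].append((ts, folder(new_path)))
        elif action == "write":
            name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if any(marker in name for marker in NOTE_MARKERS):
                notes[(host, proc, name)].add(folder(path))
    # Sliding window over each process's extension-changing renames.
    for (host, proc), items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            window = items[start:end + 1]
            if len(window) >= BURST_THRESHOLD and len({f for _, f in window}) >= MIN_DIRS:
                alerts.add((host, proc, "mass extension change"))
                break
    for (host, proc, name), folders in notes.items():
        if len(folders) >= MIN_DIRS:
            alerts.add((host, proc, f"note '{name}' dropped in {len(folders)} folders"))
    return sorted(alerts)


def build_sample_events() -> list:
    """Constructed telemetry: benign user and backup activity plus one encryption burst."""
    t0 = datetime(2023, 1, 5, 3, 12, 0)
    events = []
    for i in range(10):   # a user saving documents over an hour
        events.append((t0 + timedelta(minutes=6 * i), "WS-017", "winword.exe", "write",
                       f"C:\\Users\\ana\\Documents\\report{i}.docx", None))
    for i in range(30):   # backup job: many extension changes, but in one folder only
        events.append((t0 + timedelta(seconds=i), "SRV-FS01", "backup.exe", "rename",
                       f"D:\\Backups\\job{i}.zip.tmp", f"D:\\Backups\\job{i}.zip"))
    for i in range(25):   # 25 files across 5 shares renamed in 25 seconds, plus notes
        share = f"E:\\Shares\\dept{i % 5}"
        ts = t0 + timedelta(minutes=20, seconds=i)
        events.append((ts, "SRV-FS01", "updater.exe", "rename",
                       f"{share}\\file{i}.xlsx", f"{share}\\file{i}.xlsx.locked"))
        if i < 5:         # one note per share, dropped as each share is hit
            events.append((ts, "SRV-FS01", "updater.exe", "write",
                           f"{share}\\README_TO_RESTORE.txt", None))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

The folder-spread condition is what separates the backup job (30 extension changes in one folder) from the encryption burst; tune the thresholds to the telemetry volume of the environment.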
The first meeting with the client is essential in order to provide initial guidelines and support the client's decision-making process: cutting or minimising external communications, deploying or reusing an EDR platform, preventive shutdown of other systems and communications, communication with the media, users, clients, etc., as well as the corresponding communication with the data protection agency that applies in the specific case.

Once the client has taken the first decisions, a mixed work team is formed in which different technical roles from both Telefónica Tech and the client (or related third parties such as manufacturers or service providers) participate, and which will start a routine of work and regular checkpoints in 24x7 mode (reaction time is fundamental). After a period of no less than 15 days, the situation is relatively stable, the threat will have been contained and eradicated, and the level of recovery is usually high or total (perhaps with some loss of data due to the impact of the attack). It is common to hold parallel sessions to support the client on paralegal, regulatory, law enforcement or communication issues.

In the following articles of this series we will look in more detail at the specific operations of the three main groups that Telefónica Tech works with in these IR-ransomware processes:

- The DFIR group (general coordination, diverse forensic work, malware analysis, etc.)
- The group known as Threat Hunting (which will investigate and support the process in different ways, using the EDR console as a focal point)
- The intelligence group, whose reports and specific suggestions will allow the containment work and forensic investigation to be focused in an optimal way

Once the IR process is completed, the Telefónica Tech team will complete the delivery of related documentation, always including a final investigation report and several collateral intelligence reports. In the final meeting, the report will be reviewed, the client team's doubts will be resolved and the most important security recommendations will be reviewed.

🔵 Download our guide, created in partnership with Palo Alto, to help you prepare, plan and respond to ransomware attacks.
January 5, 2023
Cyber Security
Are we really shopping "securely" on the Internet?
Once Black Friday, Singles' Day (if you have Chinese roots or any kind of relationship to it) and Christmas are over, I'm sure the vast majority of us have a long list of anecdotes of exotic e-commerce portals, carriers in trouble, packages that never arrived and so many other stories. However, the real question we should all be asking ourselves is: did I buy securely? Although we may all think we did, I hope this article makes you think for a moment and take a mental review of this list of best practices.

First level - Choosing the right portals

Most people make their online purchases on well-known portals where there should be no major problems doing business (if the following levels are taken into account). However, many others are looking for better prices (the "bargain" concept) or for borderline-legal options (imitations, second-hand goods of questionable reliability, private-to-private exchanges on little-known portals, etc.). In these other cases, the problem is that users will basically run into two scenarios:

- Fraudulent websites: under the guise of legitimate online commerce they will steal your credentials, payment method data, etc., without giving anything in return or delivering useless merchandise.
- Legitimate imitation websites: in these cases the portal functions normally, sometimes imitating the authentic portal of well-known brands (RayBan, Nike, Adidas, etc.), but the delivered product is a low-quality imitation or something similar. These cases border on legality, although they clearly infringe trademarks and so on.

The rest of the "known" portals in common use should not present a major problem when carrying out online transactions, as long as we take into account the following two levels. Be cautious and always check (forums, friends, etc.) how these other portals "are rated".
Second level - Following some best practices (in the purchasing process)

At this level, there will come a time to check out and pay for the purchase. There are, of course, a few points to try to keep in mind:

- The famous "padlock" sign indicates that we are using the HTTPS protocol (HTTP Secure) and is the most basic condition for secure electronic transactions on the web. In addition to encrypting the data we send, it authenticates end-to-end the two environments (the portal and the user). Buying online without this approach is very dangerous: there are no minimum security guarantees.
- If you are using the portal for the first time (watch out for level 3, below), give the basic data needed and nothing more than necessary (much of the data is for marketing and profiling purposes, as we saw in another post). It may be a good practice to have a personal email address exclusively for e-commerce (person.online@gmail.com) and to manage this type of activity more carefully.
- The payment method is important. If we use third-party services such as PayPal, that is perfect as long as we configure the validation options in a reasonable way (authentication, payment approval security, maximum amounts, etc.). If you use credit/debit cards, be cautious about leaving the data saved, and be wary of the facilities provided by the browser or the operating system to save the data of all the cards you have active. The most dangerous piece of information is the card's security code (the CVV), which we should try not to leave stored, always keeping in mind level 3 (below).
- We should be serious about accepting the transaction with our bank. Each time (if possible) we should be asked for specific authentication with a code generated on the spot (there are many variants depending on the bank), so that we can validate each transaction one by one.
- Taxes and currencies. Be aware of what exchange rate will be applied when using foreign currency and whether you will be charged taxes in the case of certain countries (e.g., the UK, now out of the EU due to Brexit). As with the previous point, before accepting the transaction at the bank keep this issue (currency and taxes) in mind. If something does not fit, it is better not to accept and to check everything.
- Avoid compulsive buying 😊
- Always keep the complete information (and, if official, with digital signature) of the "receipt" of the purchase, where the whole route of the purchase is completely identified (for possible claims or possible fraud).

Third level - Choosing the best scenario for buying online

It is obvious that sometimes we must make an emergency online purchase (a trip due to a family emergency), but we should try to avoid some basic high-risk scenarios:

- Use our own "secure" device and avoid computers in hotels, cyber-cafés, friends' houses, etc.
- Use home or office connections, the 4G/5G network or trusted Wi-Fi networks, and avoid networks in cafés, hotels, town halls, etc., especially if they are "open" or if we have never used them before.
- If a friend sends us an SMS, e-mail, WhatsApp message, etc. with the address of a portal with outrageous prices (see level 1), avoid clicking on the link directly; look for it first on the Internet or make sure it is a trustworthy portal.

It has always been said, and I believe it is still true, that the weakest link in the cyber security chain is the human being. When we shop online on a personal basis, we are making micro-decisions at all three levels above. Before you go on to do anything else, please think for a moment to see whether you are shopping (or not) in a "secure" way.
November 23, 2022
Cyber Security
Attention: Data leak! (In search of lost data)
We have been hearing about "data leaks" on a regular basis for years, both in the media and in our professional or even personal environment. The concept actually covers several different scenarios, but, in general terms, we could say that the consequences are similar and that the main lessons learned are common. In this article we are going to explain what kind of situations can provoke these leaks, their multidimensional impact and some best practices that can help us avoid these crises.

Apart from doctrine and theoretical definitions, in this sector we tend to use the expressions "data leak" and "data breach" in the same way, to refer to situations where, for various reasons, a significant amount of data (it can be hundreds of gigabytes or even terabytes) belonging to an organisation ends up outside its control in terms of both privacy and location (the data is accessible either directly on the Internet, or because of an auction, or because it is exposed on Internet sites with restricted access but with no connection to the original organisation). Such situations are often referred to, in simplified form, as "data leaks". As an example, the INCIBE organisation defines this situation as: "the loss of confidentiality, so that privileged information is accessed by unauthorised personnel".

Let us first look at the three main types of scenario in which data leaks occur, and then comment on the consequences that occur in all cases in this type of situation.

The first scenario: Negligence

For years now, the widespread use of cloud-based data storage services by organisations has led to an immense concentration of information, in the form of millions of files classified in thousands and thousands of folders at international service providers of this type (the famous "OneDrive" or folders in "SharePoint" or "Teams" are already part of many people's routine). Such services, combined with the latest generation of office applications, clearly and easily optimise processing and sharing within workgroups, but at the same time generate (unintentionally) a sense of overall security that is generally justified but does not include the classification of information (digitally labelling your document as containing public, internal, classified or secret information). In some environments this classification may occur automatically (e.g., if the system detects bank account details or credit card numbers, the document is classified as confidential without asking for confirmation), but this is not the most common scenario.

A common example in many companies is that of hermetic systems containing highly sensitive financial and human resources information that "no one not entitled" can access and, on the other hand, dozens of files (almost always spreadsheets) with summaries of this information specially prepared for internal meetings and decision making that, unfortunately, are not usually classified or treated in a specific way beyond being stored in shared folders for restricted use. Although this is not the only case, it is certainly the most representative: we mistakenly share a folder with a client, auditor or supplier using online storage services, but the control measures are not adequate and/or the information is not correctly classified. In that case, the files (maybe tens or hundreds, maybe thousands) will be exposed on the Internet, and the probability that they will end up for sale on the dark web or shared in bulk anywhere is high.
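As an added illustration of the automatic classification rule mentioned above (bank account details or card numbers found in a file make it confidential), here is example code written for this page, not any DLP product's logic; the sample files in the "shared folder" and every value in them are constructed. It validates candidates with the real Luhn and IBAN checksums so that a phone number or an invalid digit run does not trigger the label:

```python
"""Pattern-based document classification, in the spirit of the automatic
DLP rule above: a file is labelled confidential when it contains a payment
card number (validated with the Luhn checksum) or an IBAN (validated with
the ISO 7064 mod-97 check). Added example; the sample documents and their
values are constructed, not taken from any real system."""
import re

# Candidate runs of 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Country code, two check digits, then 4-character groups and an optional tail.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,3})?\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 7064 mod-97: move the first four chars to the end, letters -> numbers."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def find_card_numbers(text: str) -> list:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_ibans(text: str) -> list:
    return [m.group().replace(" ", "") for m in IBAN_RE.finditer(text) if iban_ok(m.group())]


def classify(text: str) -> tuple:
    """Return (label, evidence); anything without financial identifiers stays 'internal'."""
    evidence = {"cards": find_card_numbers(text), "ibans": find_ibans(text)}
    label = "confidential" if evidence["cards"] or evidence["ibans"] else "internal"
    return label, evidence


# Constructed sample files, as found in a shared folder before a review meeting.
SAMPLE_DOCS = {
    "salary_review_Q4.csv": "name,increase,iban\nA. Perez,3%,GB82 WEST 1234 5698 7654 32\n",
    "supplier_card_on_file.txt": "Card on file for travel bookings: 4111 1111 1111 1111 exp 12/26\n",
    "meeting_agenda.txt": "Budget review 2023-01-05, call +34 912 345 678, ref 1234 5678 9012 3456\n",
}


def classify_folder(docs: dict) -> dict:
    """Label every document in a (constructed) shared folder."""
    return {name: classify(text)[0] for name, text in docs.items()}


if __name__ == "__main__":
    for name, label in classify_folder(SAMPLE_DOCS).items():
        print(f"{name}: {label}")
```

Note that the agenda's 16-digit reference fails the Luhn check and stays internal, which is exactly the false positive a naive digit-count rule would raise.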
In these cases and beyond the general consequences that we will see at the end of the article, in these specific cases, the organisation usually ends up being aware of the problem, and it is not unusual for disciplinary measures to be taken against specific individuals, most of the actions are usually aimed at deploying or reinforcing the use of specific platforms such as those known as DLP (Data Loss Prevention) or more broadly, SASE (Secure Access Service Edge). The absence of proper classification of information in this type of situation (your manager asks you to review your team's salary increases using a spreadsheet that is shared by email) inhibits other automatic protection measures (such as DLP-type functions) from having to use various techniques (such as searching for patterns in files using machine learning techniques) to try to maintain their level of effectiveness. The second scenario: Insider Another case, less likely statistically, but more lethal in terms of impact, involves employees (or any internal staff) who deliberately act against the interests of the company. This is often referred to as an "insider". Disloyal employees, extorted by third parties or people with labour disputes can follow this behavioural profile and generate very significant damage to organisations when they calculatedly expose or steal (and then share/sell) data to the outside world (always seeking to maximise reputational or intellectual property damage, among others), again causing a data leak. In this case, most of the comments of the previous scenario apply, both because of the possible ineffectiveness of DLP/SASE type platforms and the lack of strict control of information classification. If the action can be attributed to particular individuals, in this case, the consequences are usually of a criminal nature, as some types of offences, such as article 197 of the Spanish penal code, can be applied. 
If they are not direct employees of the organisation, penalties, cancellation of service contracts, etc. may be applied. These types of leaks are not always known to the public or even to the organisation itself, although on occasion there have been cases of extortion in exchange for not publishing or selling the data (in the case of sensitive financial or human resources information or intellectual property, for example).

The third scenario: Security incidents

This is the best known and most common scenario, especially in incidents involving ransomware (where client data is encrypted and a ransom is demanded in exchange for a decryption mechanism): the actor compromises the organisation's infrastructure, accesses certain volumes of data (not always sensitive; most of the time they seek volume in attacks that last a few days) and, before encrypting them, exfiltrates them outside the organisation's perimeter. While this practice is not common to all actors, it is common for many of them, offering a second pressure factor for the payment of the ransom. Once the malicious actor has exfiltrated a certain volume of data (the techniques for doing so are diverse and fall outside the scope of this article) it will usually take a few days (perhaps weeks) before the victim hears about it again. The ways in which this data is made public almost always fall into one of the following cases:

Pre-publication on some kind of "blog" (there are several famous "Happy blogs" run by these actors) of the future file sharing. It seeks to increase the pressure on the victim, again aiming for payment of the ransom. If they announce it beforehand, they usually comply, and after some time they share (on another page, usually on TOR to avoid police or judicial action) the stolen data, either a sample or the whole of it, in subsequent deliveries.
If, in some cases, the actor publishes the data on websites on the "shallow Internet", the victim organisation or the law enforcement agency in charge of the case usually has the possibility to take down the content by contacting the legitimate owners of the relevant web portal.

In other cases, with or without prior notice on a blog, the exfiltrated data appear on a TOR page, either in "auction" mode (restricted access, but the victim can see the auctioned object as a third pressure measure) or in public access mode (mentioned above).

In all these cases, our organisation's data (of any kind) can end up uncontrollably on the Internet.

The overall impact of information leaks

Thinking about the more general cases, a number of direct consequences of data leaks in organisations should be taken into account.

Legal consequences: the most popular (but not necessarily the most punitive) line is the GDPR/LOPD one. It applies to cases where it is certain or highly likely that personal data of EU citizens are held in such files.
— In other regions, regulations similar to the GDPR may apply, but with local or regional scope (as far as their own citizens are concerned) and not in the same way as the GDPR.
— In all these cases there is a sanctioning regime that may be applicable (including financial penalties and, where it applies, disqualification from holding public office).

Automated tools are usually necessary to analyse the hundreds of Gigabytes or even Terabytes of a leak, trying to characterise the type of data inside (which will be the focus of the data protection agency's argument when deciding on the sanction, as discussed in the previous point).

Contractual or NDA issues: In many cases, these data leaks contain confidential information about private companies, audits or sensitive intellectual property.
This type of situation is often associated with confidential contracts covered by an NDA (non-disclosure agreement) which, if not respected, can lead to significant financial penalties, cancellation of contracts, etc.

Reputational damage: In the context of data leaks, it is obvious that many people visit TOR (or monitor it with automated tools) and profit from these situations: by commenting on social networks (positioning themselves as experts), by alerting third parties (almost always on commission), by downloading the data and trading with it, etc. In all these cases, the situation will end up in the media and, depending on the case, perhaps in the press and on TV (with a very significant deterioration of brand image).

Therefore: some organisations have been tempted to pay the ransom for a ransomware incident (or for extortion by an internal insider) just to avoid this situation, even if they have a good recovery plan: severe reputational damage and disclosure of secrets, loss of trust of their main customers, etc., may be motivation enough.

Beyond the sensitive information that a data leak may contain, much other information (including personal files of users themselves at any level of the organisation) may end up being downloaded anywhere and by any individual or group, which should again be taken into account, perhaps, for communication measures, legal action with third parties, disciplinary action against clearly incompetent employees, etc.
— In some anecdotal cases, the content of users' personal files has been more "popular" than the actual leaked data.

A mixed case that sometimes occurs is where the data leak includes data from third-party organisations. Then a leak relating to one company A has a negative impact on others (B, C, D, etc.), which again leads to serious problems of the two previous types.
The summary of the article is clear: no organisation is free from the risks of such situations and therefore any organisation can be faced with a major data leak with press and TV coverage. Often the content of the leak is not fully known until it is shared by the actor and can be downloaded for analysis. Depending on the case, reputational or legal problems will be the most serious concerns. A very complex situation in any case and a major risk that we all need to mitigate. We should not forget that.
November 3, 2022
Cyber Security
'Insiders' in Cybersecurity: “Catch me if you can”
If any of us were asked about the hypothetical appearance and profile of those responsible for a serious cybersecurity incident in a large company, I think we would all automatically think of the archetype that movies constantly show us: teenagers in hoodies, working with laptops full of stickers in a communal house where the music is too loud and the atmosphere is of the most "criminal" kind. The interesting thing is that there is a significant window of opportunity for security and cybersecurity incidents within organisations: employees, temporary staff, service companies, contractors, etc.

Insider typologies

Let's look at the different typologies of "insiders", which is the common name used in this field to refer generically to all profiles that produce the same effect: security incidents whose perpetrator is within the "perimeter" of the organisation (as a concept, the walls of the medieval castle where the population to be protected lived).

Disgruntled or resentful employees

Very often, there are employees in organisations who are underperforming or in difficult situations, which often lead to tensions, sanctions, career stagnation, threat of dismissal, etc. These people assume or know that they will be fired or that their career in the company is over or at a dead end. Faced with this prospect, some decide to damage the company, steal data, carry out acts of vandalism (even physical) or give third parties remote access for malicious purposes.

Addictions and personal problems

Another group that is often present in organisations is that of people who, for different reasons, are in a complicated personal situation: financially, emotionally, suffering from an addiction, etc. This often makes it easier for them to carry out desperate acts to get money or to attract the attention of their superiors. It also facilitates, as we will see below, extortion-type scenarios.
Bribery and extortion

Especially in the military ecosystem and patent-linked industries (pharmaceuticals, aerospace engineering, mobile device manufacturers, etc.), cases of bribery and extortion (especially through the use of deception, prostitution, etc.) are sadly frequent. By these means, external actors manage to influence internal staff to become their collaborators ("insiders").

Political or religious motivation - Activism

In some cases, especially in sectors where ethics and personal beliefs can play an important role, "opinion or belief" type motivations can be critical: sectors such as the arms industry, pharmaceuticals, etc. can provoke extreme reactions among their staff (the case of employees who left Google in 2018 because of the company's relations with the US DoD on the JEDI or Maven projects is very significant).

Negligence and accidents

This group also has its place in the general statistics: internal staff who cause security incidents through negligence, either by a constant effect (example: not having configured a system properly and leaving it exposed to the Internet without proper protection) or by a specific act at a given time (example: forgetting a pendrive or confidential documents in a cafeteria, which causes a scandal in the media).

What can we do as a company?

All these circumstances often lead to an "insider" type of behaviour, and we must not forget that we also have other groups such as temporary staff, interns and trainees, temporary consultants and auditors, or service companies (cleaning, catering, maintenance) who have access to our offices, sometimes at unusual times and with special access to systems or premises. The key question now is: what can we do as a company? It is a really complex problem, as the casuistry is very broad (what company does not often have isolated people in remote locations?).
Early detection

The main point to comment on is the early detection of potential high-risk or high-profile individuals. Normally, corporate security has a regular link with the Human Resources area (people management), and these people are usually identified jointly for supervision, sanctioning, etc. As mentioned above, one possible case would be that of people who are really angry with the company and vandalise it, or people with clear addictions who ask for advances on their salary every month. Complaints or comments usually first reach Human Resources: fights in the cafeteria, vandalism in certain areas, people with symptoms of alcoholism or working under the influence of substances, etc.

In the same block, some organisations use platforms generically called "People Analytics" to detect inconsistent or suspicious patterns of behaviour that may be predictive of future problems: long after-hours connections, failed attempts to access corporate systems, sudden unjustified changes in working hours, radical changes in their social activity in the company (on internal social networks, Intranet-type portals, etc.).

Focus on the risk (not the motivation)

In the field of cybersecurity, we must have our protection, prevention and detection systems well configured to be able to cover the case of the insider actor in the right way. Obviously, the approach is to focus on the risk and not to analyse the motivation. Some commonly used platforms include:

CASB (Cloud Access Security Broker) type platforms, which often detect many anomalous situations that, if properly dealt with, can be related to "insider" incidents (e.g., massive out-of-hours file movements to personal storage services, or recurrent use of unauthorised software to connect to atypical locations on the Internet).
DLP (Data Loss Prevention) type functionalities which, being oriented to legal problems with data loss or data leaks, may detect the first phase of a much bigger problem: if successful, the insider will continue to escalate his attack in search of the greatest possible damage.

IAM (Identity & Access Management) type services that will alert us in case of inconsistent or exceptional situations in terms of connections (logins, failed attempts, etc.). A typical case could be the use of a non-privileged account on the personal computer of a person who handles classified information. This case could correspond to that of an insider spying on the computer of the person in charge or of the finance department (perhaps the owner did not lock the system during his or her lunch break...).

Prepare a forensic report

If we finally have an incident involving "insiders", the way of working is usually the conventional one (DFIR-type services, Threat Hunting-type analysis on SIEM or EDR/XDR-type platforms), but with the important nuance that we may have to produce a forensic report that can be used in a judicial process. In these cases, the extraction and custody of evidence must follow certain guidelines, and the same applies to the legal aspects (especially if a report has been made to the police or the corresponding security body). Most investigations into this type of situation will undoubtedly have to go through two types of systems:

Authentication and access: As mentioned above, IAM-type systems or similar, where we can carry out searches and checks on all types of accesses or access attempts, to connect them with an account that will be completed on other platforms.

Activity on personal computers: Normally, actors of this type will use their own computers or those of colleagues or managers to carry out their malicious activity. Therefore, investigations of this type often use EDR or XDR type platforms to obtain these suspicious patterns based on complex queries.
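As an added example (not the article's code nor that of any People Analytics, CASB, IAM or EDR vendor) of the kind of correlation the signals above and the investigation queries rely on, this Python snippet scores constructed access and upload events per user: after-hours bulk uploads to personal storage, repeated failed logins, and successful logins on a workstation assigned to someone else. The event format, the asset-owner map, the personal-storage list and the thresholds are all assumptions made for the illustration.

```python
"""Insider-risk indicators computed over constructed access/CASB events."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events in a simple "timestamp kind key=value ..." form.
# They are not taken from any real IAM, CASB or EDR product.
EVENTS = """\
2022-04-12T09:05:10 login  user=jdoe host=WS-JDOE   result=ok
2022-04-12T22:40:02 login  user=jdoe host=WS-FINMGR result=ok
2022-04-12T22:41:15 upload user=jdoe host=WS-FINMGR dest=drive.example-personal.net bytes=734003200
2022-04-12T22:55:48 upload user=jdoe host=WS-FINMGR dest=drive.example-personal.net bytes=512000000
2022-04-12T23:10:00 login  user=jdoe host=FIN-DB01  result=fail
2022-04-12T23:10:20 login  user=jdoe host=FIN-DB01  result=fail
2022-04-12T23:10:41 login  user=jdoe host=FIN-DB01  result=fail
2022-04-12T10:12:33 login  user=aroe host=WS-AROE   result=ok
2022-04-12T11:02:05 upload user=aroe host=WS-AROE   dest=sharepoint.corp.example bytes=20480000
2022-04-12T18:30:00 login  user=aroe host=WS-AROE   result=fail
"""

# Constructed asset inventory: the user each workstation is assigned to.
ASSET_OWNER = {"WS-JDOE": "jdoe", "WS-AROE": "aroe", "WS-FINMGR": "finmgr"}
# Constructed list of destinations the CASB classifies as personal storage.
PERSONAL_STORAGE = {"drive.example-personal.net"}

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 counts as working hours (assumed)
AFTER_HOURS_UPLOAD_MB = 500.0   # bulk threshold for personal storage (assumed)
FAILED_LOGIN_LIMIT = 3          # assumed threshold


@dataclass
class Indicators:
    after_hours_upload_mb: float = 0.0
    failed_logins: int = 0
    foreign_hosts: set = field(default_factory=set)


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *kv = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
        ev.update(pair.split("=", 1) for pair in kv)
        events.append(ev)
    return events


def build_indicators(events, asset_owner, personal_storage):
    """Aggregate, per user, the three signals discussed in the article."""
    per_user = {}
    for ev in events:
        ind = per_user.setdefault(ev["user"], Indicators())
        after_hours = ev["ts"].hour not in BUSINESS_HOURS
        if ev["kind"] == "login":
            if ev["result"] == "fail":
                ind.failed_logins += 1
            else:
                # A successful login on a workstation assigned to another
                # person is the "unlocked colleague's PC" case.
                owner = asset_owner.get(ev["host"])
                if owner is not None and owner != ev["user"]:
                    ind.foreign_hosts.add(ev["host"])
        elif ev["kind"] == "upload" and after_hours and ev["dest"] in personal_storage:
            ind.after_hours_upload_mb += int(ev["bytes"]) / 1_000_000
    return per_user


def assess(per_user, min_hits=2):
    """Flag users with at least min_hits indicators; returns user -> reasons."""
    flagged = {}
    for user, ind in per_user.items():
        reasons = []
        if ind.after_hours_upload_mb >= AFTER_HOURS_UPLOAD_MB:
            reasons.append(f"{ind.after_hours_upload_mb:.0f} MB sent to personal storage after hours")
        if ind.failed_logins >= FAILED_LOGIN_LIMIT:
            reasons.append(f"{ind.failed_logins} failed logins")
        if ind.foreign_hosts:
            reasons.append("logged in on someone else's workstation: " + ", ".join(sorted(ind.foreign_hosts)))
        if len(reasons) >= min_hits:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    indicators = build_indicators(parse_events(EVENTS), ASSET_OWNER, PERSONAL_STORAGE)
    for user, reasons in assess(indicators).items():
        print(user, "->", "; ".join(reasons))
```

Requiring two independent indicators before flagging is what keeps a single late-night session or a mistyped password from generating an alert on its own.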
The rest of the systems to be used will almost always be the end systems affected (if applicable): financial or commercial platforms, document management systems, etc., and the aforementioned perimeter protection systems (SASE, CASB, DLP, etc.).

Two final conclusions

Not assuming that we may have the "enemy at home" is a fundamental mistake that precedes many serious security incidents. The motivations vary but the risk is always the same. If we as an organisation do not pay the same attention to the inside as we do to the outside, we are creating a significant risk.

Early detection is the best measure we can take to try to minimise the occurrence of such events. Many of these people are just out for revenge, to send a message or to compulsively solve a personal problem. If we can identify them, there is room for peaceful resolution.

Let us never forget the quote from "The Godfather (Part II)": "Keep your friends close, but your enemies closer". FF Coppola, 1974
April 25, 2022
Cyber Security
Technology and social psychology applied to Internet consumption: The "Black Friday" case
No one will be surprised if we suggest that social networks and other large Internet platforms base their business model on advertising and that all of them, in some way, try to direct us towards the consumption of certain products or services. It is quite another thing to explain, as we will do in this article, how technology (especially big data and artificial intelligence) is combined with the most basic principles of social psychology to turn us all into targets of personalised digital marketing campaigns whose sole and clear objective is to transform us into future buyers of a product.

Let's use the specific case of the worldwide event called "Black Friday" as a mental reference. This "special day" has its origins in the United States and is celebrated every year on the Friday after Thanksgiving Day, having become, since 2005, the busiest shopping day of the year. It is considered, globally, the unofficial start of the Christmas shopping season, breaking records for online transactions year after year. As an international benchmark, it is only comparable, in volume, to China's "Singles' Day".

Today's digital marketing relies on the principles of social psychology to create a huge population profiling platform to support international advertising campaigns. The efficacy of the approach, leaving aside possible ethical nuances, is beyond question.

First element: Technology

The first thing we need when launching a successful advertising campaign is a target audience and sufficient knowledge about that population. For the last 20 years we have had widespread use of social networks on the Internet, universal web access and more active mobile devices than inhabitants, which confirms that it is an environment where we can safely expect a chance of succeeding with our campaign.
The large mass Internet environments offer their "customers" (not paying to use email does not imply that "you are not part of the product") two great benefits (in the case of advertisers on Google Search or Facebook, it is obvious): precise profiling at the level of the individual and an adequate level of engagement. Let's look at both concepts.

Accurate profiling: If we use a platform like Spotify regularly, we are unintentionally giving the platform information such as what device we connect from, what day/time we usually do it, what kind of music we usually listen to, what kind of playlists we follow (e.g. if we search for the word "workout" we might be doing sports at the same time) and whether or not we use external devices which, in turn, can give additional information (we listen to music from "Android Auto" in a car, for example). The same could happen with our favourite video streaming platform and with all so-called social networks, without exception. With all this information (which can be combined in many cases, either because it is publicly visible or because the platforms belong to the same business group) the level of detail on each user is too tempting to resist using machine learning techniques and automatically profiling the millions of users in our environment (for a small fee, as an advertiser on a social network, we automatically benefit from this). Thus, as advertisers, we can target our digital marketing budget at "young teenagers from peripheral areas" or "women with studies and liberal professions", or at homosexual groups or followers of certain political ideologies. The model is not perfect, but we will be fine-tuning our campaign. The data is inside the platforms, updated every second, and with simple automatic models each user is tagged by age range, gender, sexual orientation, political ideology, musical tastes, purchasing power, sports routines, specific brands they use, etc. The list is endless.
Engagement: Every advertiser's dream is to keep their target audience in touch with their product (those shop windows in the high street where people spend minutes looking inside, now on the Internet). To achieve and maximise this effect in today's network of networks, the resource is to constantly feed the user with new stimuli, so that they are reluctant to stop watching videos on YouTube or a new series on Netflix. Recommendation algorithms play a central role here: the profiling we have just discussed allows the platform, in a really simple way, to calculate which new video you might be interested in if you have just watched several in a row on a certain theme. The rest is predictable: you'll find the new video or song interesting and you'll stay connected for a few more minutes. The new "cop" series will seem most appealing once the main menu starts showing you the trailer (without you having asked for it) and once you have logged in with your "personal" user (so that your partner and your children can use their own profiles and the whole family can be properly profiled). Instead of going to bed early, you might decide to try your luck by watching the pilot episode.

It should be remembered that profiling and engagement form a never-ending virtuous circle: the better the profiling of the person, the higher the level of engagement which, if it occurs, will further improve that person's profile.

Second element: Social psychology

Now that we have profiled the population (we are talking about more than 4.5 billion people using the Internet worldwide) and we have kept them nicely "hooked" (a high level of engagement produces frequent and loyal access to the corresponding digital platform), we only have to decide how to approach each and every one of these people to convince them of the benefits of the product, its reasonable price and the needs (often social) that they will cover if they buy it.
The universal recipe in this case is to resort to the basic principles of social psychology and to remember the current doctrine on the mechanisms of persuasion. We have, therefore, to try to persuade millions of people around the world of two things:
— the need (basically social) to buy something on Black Friday;
— that what we buy is what the advertisers are offering and not something else.

In the second half of the 20th century, several famous social psychology experiments (which could not be repeated today due to obvious ethical problems) highlighted how effective good persuasion can be. Stanley Milgram's experiments on the influence of "authority" (this YouTube documentary describes them perfectly) and, years later, the case of the "Stanford Prison" (in this TED talk, Professor Zimbardo himself explained this whole line of experiments) demonstrated, without a doubt, that any of us, under certain conditions and with the right level of persuasion, will perform actions that under normal conditions we would not do. Compulsive buying of products we dubiously need could clearly be another desired outcome, using similar approaches.

When human beings understand that an issue is not important or a priority in our lives (choosing whether or not the pizza we order has cheese on it), we resolve it using what is known in psychology as the "peripheral route" and act in a basically impulsive way to make that micro-decision. If, on the other hand, we are changing jobs to another country, we are more than likely to use the "central route" and reflect for long hours with our immediate environment before making a decision. E-commerce and digital marketing focus exclusively on the first case, trying to persuade us that we really need certain products and that the offer we have one click away on our mobile is the best ever, so it makes no sense to let others buy the product before us. We must buy that product and we have to buy it immediately. This is the goal on Black Friday.
The American psychologist Robert B. Cialdini explored in detail these decisions and this influence in the case of the "peripheral route" (decisions we choose to spend very little time on). His work has been used to develop many of today's sales techniques, as well as personalised digital marketing on the Internet. We can see his six principles clearly used in the case at hand.

Commitment and coherence: If the narrative persuades us that the product fits our profile, we will have half a purchase won. It is logical (coherent) that a person like me (profile) buys this product, because it fits perfectly with my lifestyle (the message adapts to the profile).

Reciprocity: How can I not buy something from this kind portal that gives me vouchers to buy at a discount and congratulates me on my birthday; it even reminds me of my last purchases, suggesting the next ones!

Social approval: Again, persuasion will be in charge of convincing us, no doubt, that if we buy this product all our close environment (your partner, your friends, the people at the office) will approve of it socially and their valuation of you will go up again (as with the last purchase, the profile will detail it).

Authority: The (alleged) doctor in the ad explains to me how germ-free my mouth will be if I use the toothpaste. I cannot doubt (remember Milgram's experiments and the value of authority) that this is true, if an expert says so.

Sympathy: If my favourite actress, singer or media celebrity appears wearing those shoes or using that cologne, I can't be any less. They can't make the wrong choice.

Scarcity: The famous (and not always "accurate") "only 3 units left" banner pushes our mind to the maximum on its peripheral decision route: "Only 3 units left and it's so cheap! It goes with my personality and others will accept me better! What can I do if there are only 2 units left now?"
The formula for success in mass e-commerce on the Internet is obvious and public, but this does not detract from its effectiveness:

Accurate profiling + appropriate level of engagement + appropriate use of persuasion techniques (peripheral route) = Maximum influence on platform users and increased likelihood of purchase...

Let's keep this in mind next Black Friday, especially before we click on the "Buy" button.
November 25, 2021
Cyber Security
Your MacOS System Is Also A Target for Cybercrime - Protect It!
According to statcounter, Apple's operating system, macOS (formerly OS X), has a market share of around 17%, making it the second most widely used desktop operating system. This makes for an attractive market where cybercriminals are constantly on the lookout for vulnerabilities that can be effectively exploited. Likewise, today's use of cross-platform malware written in new programming languages facilitates much wider deployment and a broader range of victims. This type of malicious code is designed to attack multiple operating systems, including macOS, providing potential "tools" for cybercrime to make the most of, obviously in a malicious way.

For this reason it is important to be aware of certain considerations beyond the operating system so that, as an IT user or administrator, you can strengthen these types of systems. While there are recommendations and good practices that should be followed to keep the device and the information it manages as secure as possible, the focus of this article is to share some additional security tools that you can have at hand beyond the operating system.

Security Tools to Be More Protected

The following are some of the most important (open source and free) tools for protecting your operating system:

BlockBlock: monitors the most common locations used by malware to gain persistence and triggers alerts each time they are modified with a new file.
FSMonitor: an application that monitors and visualises, in a user-friendly graphical environment, all changes in the file system.
KnockKnock: identifies illegitimate software installed on your computer and potential malware persistently installed on your system.
LinkLiar: in particular cases, in order to protect your privacy, you may need to change your MAC address, and this programme allows you to do so easily.
Lynis: performs an exhaustive diagnosis of the system and measures its level of hardening.
It is a very complete tool.
OverSight: monitors the system's webcam and microphone, alerting whenever any process tries to access them.
RansomWhere?: continuously monitors for suspicious processes encrypting files, can stop the process running the ransomware and attempts to minimise the consequences of infection within the system.
ReiKey: identifies malware that monitors the user's actions, mainly by looking for keyloggers on the system.
Santa: developed by Google, consists of a macOS kernel extension that implements application white/blacklisting.
Stronghold: a simple program to easily configure macOS security settings from the terminal.
TaskExplorer: allows you to see all the processes running on your computer, including any malware that may be present. In addition, it integrates with VirusTotal.

As I mentioned at the beginning of this article, don't forget that the operating system itself has several security and privacy controls that you should be aware of. In addition, tools change, and the important thing is to stay up to date through the various sources that exist today (repositories, community initiatives, specialised technical articles, videos and much more) so that your devices, or your infrastructure if you are a company, are better protected from threats to macOS systems. Apple devices in general are increasingly being targeted by cybercrime, so you should adopt each of these recommendations to avoid becoming a victim of online attackers.
February 18, 2021