The Human Element Pt.2 & Email Security Flashcards

1
Q

What are the three elements of usability?

A

Opportunity
It’s widely accepted that everyone makes mistakes, and users are more likely to make errors in complex security situations, especially when dealing with multiple systems, confusing processes, or unclear or conflicting policies. Human errors are inevitable when users lack a proper understanding of security issues or do not know how to apply appropriate security controls.

Environment
Environmental factors can increase the likelihood of mistakes. Users who are distracted, multitasking, or under pressure to meet deadlines or productivity goals may be more prone to errors that lead to security breaches. The physical workspace also plays a role; for example, construction workers often experience more errors during extreme weather conditions, and similar factors can affect office workers. Elements like temperature, privacy, noise levels, and even the layout of furniture can contribute to a more error-prone environment (Vischer and Wifi, 2017). Additionally, changes in the work environment, such as allowing remote work or using personal devices for work purposes, introduce new security risks.

Lack of Awareness
Many users are not sufficiently aware of potential security risks or lack the skills to identify potential threats. This raises the question: should users be expected to understand or even be aware of security risks when using a product? Should the responsibility lie with developers or the end users to recognise and address these risks?

2
Q

Under what circumstances is security software considered truly usable?

A

Security software is usable if the people who are expected to use it:

  1. are reliably made aware of the security tasks they need to perform
  2. are able to figure out how to successfully perform those tasks
  3. don’t make dangerous errors
  4. are sufficiently comfortable with the software to continue using it.

Security procedures must be clear and their purpose easily understood. If security measures are poorly designed or not suited to the users, there is a greater risk that they will not be followed, leading to potential security breaches.

3
Q

What are SMTP AUTH and STARTTLS used for?

A

The two most important service extensions to the Extended Simple Mail Transfer Protocol (ESMTP) are SMTP AUTH and STARTTLS, both of which significantly enhance email security.

  1. SMTP AUTH: This extension enables client authentication when sending emails, requiring users to provide valid credentials (username and password) before the message can be sent. This prevents unauthorised users from sending emails through the server, helping reduce spam and ensuring the sender’s identity is verified.
  2. STARTTLS: This extension upgrades a plain-text SMTP connection to a secure, encrypted one using Transport Layer Security (TLS). It protects the email content from eavesdropping and tampering during transmission. There are two types of STARTTLS:
    • Opportunistic STARTTLS: Attempts to use encryption if the receiving server supports it, but falls back to an unencrypted connection if not. While it provides encryption where possible, it may leave emails vulnerable when encryption isn’t supported.
    • Mandatory STARTTLS: Requires the receiving server to support encryption. If TLS is not available, the email is not sent, ensuring that communication is always encrypted, though it risks delivery failures if the receiving server does not support TLS.

Together, SMTP AUTH and STARTTLS enhance the security of email transmissions by ensuring sender authentication and encryption of communication, with varying levels of protection based on the type of STARTTLS used.

4
Q

What is the Sender Policy Framework (SPF)?

A

Sender Policy Framework (SPF) is an email authentication method designed to prevent email spoofing by specifying which mail servers are authorised to send emails on behalf of a domain.

SPF works by leveraging the existing DNS (Domain Name System) infrastructure:

  1. DNS Record: The domain owner publishes an SPF record in the DNS settings as a TXT entry, listing the authorised mail servers (IP addresses) allowed to send emails on behalf of the domain.
  2. Email Check: When an email is sent, the receiving mail server checks the domain’s SPF record in the DNS and compares the sending server’s IP address against the authorised list.
  3. Validation: If the IP matches an authorised address, the email is considered legitimate. If it doesn’t match, the email may be rejected or flagged as suspicious.

Despite its usefulness, SPF has limitations:

  • Email Forwarding Issues: SPF can sometimes break when emails are forwarded. This is because the forwarding server’s IP address may not be included in the original domain’s SPF record, causing the forwarded email to fail SPF checks.
  • Complex Maintenance: Managing SPF records can be complicated, as they need to be regularly updated when authorised mail servers change. Additionally, SPF lacks built-in reporting or auditing functionality, making it harder for domain owners to track failures or issues.
  • Sender Field Spoofing: SPF checks the sending server’s IP against the envelope sender’s domain, but most email clients display the “From” header to users, and that header is not covered by the check. This means attackers can manipulate the displayed sender field to mislead users even where SPF is deployed.

For a more comprehensive protection against email spoofing, SPF is often combined with DKIM and DMARC to address these gaps.

5
Q

What is DKIM (DomainKeys Identified Mail)?

A

DKIM (DomainKeys Identified Mail) is an email authentication method designed to verify the integrity and authenticity of emails.

  • Hashing and Public Key Cryptography: DKIM uses a combination of hashing and public key cryptography. When an email is sent, certain parts (e.g., headers and body) are hashed and signed with the domain’s private key.
  • Digital Signature: The email is signed with a digital signature using the domain’s private key, which is added to the email as a DKIM-Signature header.
  • Public Key in DNS: The corresponding public key is published as a TXT record in the domain’s DNS, allowing receiving servers to verify the signature.
  • Verification: The receiving mail server retrieves the public key from DNS and uses it to verify the email’s signature, ensuring that the email was sent by the domain and hasn’t been tampered with.
  • Prevents Spoofing and Tampering: By verifying the sender and the integrity of the email, DKIM helps prevent email spoofing and ensures the email hasn’t been altered in transit.

Sections of a DKIM Header:

  • v: Defines the DKIM version (usually v=1).
  • a: Specifies the cryptographic algorithm used for signing the email, typically rsa-sha256, which combines RSA signatures with the SHA-256 hash algorithm.
  • d: Identifies the domain that is responsible for the email. This domain’s private key is used to create the digital signature.
  • s: Points to the selector used to locate the public key in the DNS. The selector allows multiple keys to be associated with the same domain and helps in key rotation without affecting existing signatures.
  • h: Lists the email headers that are covered by the DKIM signature. These headers are concatenated and then hashed. This hash ensures that important header fields, like From, Subject, and others, are protected from tampering during transmission.
  • bh: Contains the hash of the email body, which ensures the integrity of the email content. If the body is altered during transit, the hash will no longer match, causing the verification to fail.
  • b: The digital signature created by using the domain’s private key to cryptographically sign both the hash of the headers (h) and the body hash (bh). These two hashes are combined as inputs for the cryptographic signing process. The resulting signature in the b field is sent along with the email. When the recipient’s server receives the email, it retrieves the public key from DNS (using the d and s fields), recalculates the hashes of the headers and the body, and uses the public key to verify that the signature in b was produced over those hashes. If verification succeeds, it confirms that the email has not been altered and that it was indeed signed by the domain specified in the d field.

These sections together allow the recipient to authenticate the email and ensure its content hasn’t been modified.

6
Q

What are the four general steps for classifying an organisation’s information, as per Annex A of ISO 27001?

A

The four general steps to classifying an organisation’s information, as per Annex A of ISO 27001, are:

  1. Identify Information Assets:
    • The first step involves identifying all the information assets within the organisation that need to be protected. This includes documents, databases, intellectual property, customer data, and any other sensitive information.
  2. Classify Information:
    • Once the assets are identified, they are classified according to their sensitivity, confidentiality, or importance. This classification could range from public to highly confidential, depending on the potential impact if the information were to be compromised.
  3. Label Information:
    • After classification, the information should be labelled appropriately according to its classification. This ensures that everyone handling the information is aware of its sensitivity and treats it accordingly. Labels can be physical (e.g., on documents) or digital (e.g., metadata).
  4. Handle Information According to Classification:
    • Finally, based on the classification, the organisation should establish guidelines for how the information is handled, stored, accessed, transmitted, and disposed of. This includes setting access controls, encryption requirements, and secure disposal methods for sensitive information.

These steps help ensure that information within an organisation is protected in line with its value and risk of exposure, aligning with the security management framework provided by ISO 27001.

7
Q

What are the techniques that can be used to securely destroy/delete data?

A

There are several techniques that can be used to securely destroy or delete data to ensure it cannot be recovered. These techniques vary depending on the type of storage media and the level of security required. Here are some of the most common methods:

  1. Data Overwriting (Wiping):
    • This involves overwriting existing data on a storage device with random data or specific patterns, typically multiple times, to ensure the original data cannot be recovered.
    • Tools: Software such as DBAN, Blancco, or built-in operating system utilities.
    • Use Case: Suitable for hard drives, SSDs, and other types of digital storage where the device will continue to be used.
  2. Degaussing:
    • Degaussing uses a strong magnetic field to disrupt the magnetic properties of data on a hard disk drive (HDD), rendering the data irretrievable.
    • Limitations: Effective only for magnetic storage devices like HDDs; not suitable for SSDs or optical media.
    • Use Case: Ideal for securely wiping data from magnetic storage before disposal.
  3. Physical Destruction:
    • Physically destroying the storage device ensures data cannot be recovered. Techniques include:
      • Shredding: Devices are shredded into small pieces using specialised shredders.
      • Drilling: Drilling holes through hard drives to damage the platters or storage components.
      • Crushing: Using a hydraulic press or similar device to crush the storage media.
    • Use Case: Often used when disposing of storage media that will no longer be reused, such as old hard drives or optical discs.
  4. Cryptographic Erasure:
    • Encrypting data before storing it and then securely deleting the encryption key renders the data irretrievable, even if the storage media itself cannot be wiped or destroyed.
    • Use Case: Useful for cloud storage or encrypted SSDs, where secure deletion of keys can effectively erase data.
  5. SSD Secure Erase:
    • SSDs require special methods due to their wear-levelling and data storage mechanisms:
      • Secure Erase: A built-in feature in SSDs that securely wipes all data by erasing the entire drive, including any hidden or reserve areas.
      • ATA Secure Erase Command: A command issued to the SSD controller that ensures the secure deletion of data by resetting cells to their original state.
    • Use Case: For securely wiping SSDs before reuse or disposal.
  6. File Shredding:
    • File shredding tools securely delete individual files by overwriting the data multiple times before removing them from the file system.
    • Tools: Programs like Eraser or CCleaner can shred specific files.
    • Use Case: Suitable for securely deleting sensitive individual files without wiping an entire drive.
  7. Incineration:
    • In extreme cases, physical media such as CDs, DVDs, or paper records can be incinerated to destroy data completely.
    • Use Case: Used for physical documents and optical media, ensuring that no trace of the data remains.
  8. Zero-Filling:
    • This method involves overwriting the entire storage medium with zeros. While not as secure as multi-pass wiping, it can be effective for non-sensitive data.
    • Use Case: A basic method for erasing data from hard drives.

Each of these techniques provides varying levels of data destruction security, and the appropriate method depends on the sensitivity of the data and the type of storage device.

8
Q

What are the risks of BYOD (bring your own device) and what are the associated mitigations?

A

Some of the key security issues associated with BYOD (Bring Your Own Device) include:

  1. Insecure Networks:
    Employees may use unprotected or inadequately secured networks, such as home Wi-Fi or public networks in places like railway stations, airports, and coffee shops, exposing sensitive data to potential interception.
    Mitigations:
    - Implement VPNs to ensure secure, encrypted connections when accessing company resources.
    - Encourage the use of secure Wi-Fi at home by enabling WPA3 encryption and setting strong passwords.
    - Provide employee training on the risks of using public networks and recommend the use of mobile hotspots.
  2. Insecure Devices:
    Employees may use outdated hardware or software, lack antivirus protection, or fail to implement adequate authentication methods. Additionally, devices may be shared with household members, increasing the risk of unauthorised access.
    Mitigations:
    - Enforce device policies that require up-to-date operating systems, regular security patches, and antivirus software.
    - Require strong authentication methods, such as multi-factor authentication (MFA), for device access.
    - Implement device encryption to protect data in case of loss or theft.
    - Use Mobile Device Management (MDM) solutions to remotely monitor, update, and secure devices.
  3. Insecure File Sharing:
    Remote working may lead employees to share data through insecure channels, such as personal email accounts or unapproved file-sharing services, putting sensitive information at risk.
    Mitigations:
    - Use enterprise-grade file-sharing platforms with built-in encryption and access controls.
    - Educate employees on the dangers of using unapproved tools for sharing sensitive information.
    - Set clear guidelines for data handling and sharing, with monitoring to ensure compliance.
  4. Lost or Stolen Devices:
    Ensuring device security is more challenging outside the office, where devices may be lost or stolen while being carried between locations or left in less secure environments.
    Mitigations:
    - Use remote wipe and lock capabilities to protect data on lost or stolen devices.
    - Encourage the use of tracking software to locate lost devices.
    - Implement strong encryption on all devices to protect data in case of theft.

By addressing these issues, organisations can mitigate the risks associated with BYOD and ensure better security for remote workers and their devices.

9
Q

What are the Mobile Device Management (MDM), Mobile Application Management (MAM), and Mobile Information Management (MIM) frameworks?

A

1. Mobile Device Management (MDM)

How it works:
MDM is focused on managing the entire mobile device, offering centralised control over everything from hardware settings to applications and data. It allows IT administrators to enforce security policies, configure settings, monitor device usage, and manage applications on both company-owned and employee-owned (BYOD) devices.

Key Features of MDM:
- Device Enrollment: When a device is enrolled into the MDM platform, the software installs a management profile on the device, giving the IT department control over the device.
- Security Enforcement: IT admins can enforce security policies such as password complexity, screen lock, and encryption.
- Remote Wipe: MDM allows for remote wipe capabilities, which is essential if the device is lost or stolen.
- App Management: Administrators can push apps, block or restrict certain apps, and ensure that only approved apps are installed.
- Device Monitoring: MDM can track device usage, location, and compliance with company policies.

Use Case: MDM is ideal for organisations that provide company-owned devices to employees and need full control over how the device is used. It’s also useful for securing BYOD devices but can raise privacy concerns as it manages the entire device, not just work-related apps.

2. Mobile Application Management (MAM)

How it works:
MAM focuses on controlling and securing specific applications on a mobile device rather than the entire device. This framework is especially useful in BYOD environments, where employees use personal devices for work. MAM ensures that only approved apps (typically work-related ones) are secured and managed, leaving personal apps and data untouched.

Key Features of MAM:
- App-Level Security: IT admins can control which apps can be installed or accessed, and can enforce policies on individual apps (e.g., encryption, copy-paste restrictions).
- App Wrapping: A method of adding security controls around apps without modifying the underlying code. For instance, certain features like the ability to save files to the device might be disabled.
- Selective Wipe: In the event an employee leaves the organisation, MAM allows the IT team to wipe only work-related apps and data, leaving personal data intact.
- Data Loss Prevention (DLP): MAM ensures that sensitive work-related data is protected within the application, often preventing data from being shared between apps unless approved.

Use Case: MAM is ideal for organisations that allow employees to use personal devices but need to protect corporate apps and data without controlling the entire device. It provides flexibility and respects user privacy by focusing on work-related apps only.

3. Mobile Information Management (MIM)

How it works:
MIM focuses on controlling access to and protecting the organisation’s data, regardless of the device or application being used. This framework ensures that sensitive data is encrypted, access is restricted based on permissions, and that data remains secure even if it’s being accessed on an unmanaged device or application.

Key Features of MIM:
- Data Encryption: Sensitive corporate data is encrypted whether it is stored locally on a device, in transit, or in the cloud. Only authorised users and apps can decrypt and access the data.
- Access Control: MIM allows for fine-grained access control over corporate data, ensuring that only authorised users and devices can view or manipulate the data.
- Data Storage Policies: MIM can enforce policies regarding where data can be stored (e.g., preventing corporate data from being stored on unsecured cloud services or personal devices).
- Remote Access: MIM often supports secure remote access to corporate data (e.g., through a VPN), ensuring that even when employees work from home or on the go, sensitive information remains secure.
- Data Monitoring: MIM can monitor who accesses sensitive data, how it is used, and if it is shared externally, offering transparency and helping to prevent data breaches.

Use Case: MIM is useful when the organisation wants to protect sensitive data, regardless of where it is stored or accessed. It is ideal for cloud-based environments and BYOD policies where the device may not be fully managed, but the data itself needs to be secure.

Key Differences Between MDM, MAM, and MIM:

  • MDM controls the entire device, including its hardware, apps, and data. It’s comprehensive but may be too invasive for BYOD environments.
  • MAM controls and secures specific applications on a device, offering more flexibility in BYOD environments while still protecting corporate data.
  • MIM focuses on protecting the data itself, independent of the device or app being used, ensuring data security across different devices and environments, including the cloud.
10
Q

What are the human related security issues for IoT devices?

A

  1. Lack of Agreed Security Standards for IoT Devices:
    Until recently there was no unified security standard for IoT devices, leading to fragmented, proprietary standards and making interoperability difficult. Many IoT devices lacked proper security measures. The introduction of Matter, an industry-wide standard backed by major companies like Google, Amazon, and Apple, aims to address these issues by creating an open, secure standard for IoT device interoperability. The first Matter-compatible devices were released in 2022.
  2. Insecure Devices:
    Many simple IoT devices use low-power CPUs and minimal memory to reduce costs and energy consumption. However, this limits their ability to implement robust security measures, such as strong encryption or digital signature verification.
  3. Lack of Compliance with Best Practices:
    Some IoT devices do not follow existing security best practices. Issues include the use of outdated Wi-Fi protocols, hard-coded passwords, failure to patch known vulnerabilities, and insecure data storage and transmission.
  4. Data Ownership During Bankruptcy or Takeover:
    Personal data can become a valuable asset when a company goes bankrupt or is acquired. It can be sold to cover debts, or ownership may shift during a takeover. When this happens, original privacy and security policies may no longer apply, and data may be transferred to jurisdictions with different legal protections for individual rights.
  5. Securing Data with Vendors and Cloud Providers:
    IoT devices often share data with manufacturers and third parties, who must implement strong security measures to protect it from attackers. This includes securing the data during transmission and ensuring it is safeguarded when shared with other entities.
11
Q

What are the key aspects of secure by design?

A

Making Developers Aware of Security Threats
Most software developers are not experts in cybersecurity, so it’s crucial for them to collaborate with security specialists. These discussions help raise awareness of common threats specific to similar applications. By understanding these risks early, developers can ensure vulnerabilities are “designed-out” before writing any code, preventing issues from emerging later in the development process.

Using Proven Security Technologies
Developers have access to extensive libraries for handling security functions like encryption, certificate exchange, and secure communication. These libraries have been rigorously tested, and using them is far more reliable than developing new security methods. Security experts discourage creating new solutions (sometimes called “rolling your own crypto”) due to the high risk of flaws in the design or implementation. Even when using established libraries, developers must stay informed about updates and replace deprecated algorithms or fix vulnerabilities as they are discovered. Compliance with regulatory and government standards must also be maintained.

Using Modern Software Design Tools and Processes
To ensure long-term usability, software needs to be easily maintainable and well-documented. Poorly structured code, often referred to as “spaghetti” code, is difficult to maintain and fix. By following best practices, developers can produce clean, maintainable code. Automated and manual testing processes are essential, and external experts may need to be consulted to ensure the software undergoes thorough security and functional testing. In some cases, algorithms may need to be mathematically proven for correctness and security.

12
Q

What are OWASP’s ten principles for the secure by design process?

A

The OWASP (Open Web Application Security Project) provides ten principles for Secure by Design to help guide the development of secure software. These principles are foundational to building applications with security embedded throughout the development process. Here are the ten principles:

  1. Minimise Attack Surface Area
    • Limit the exposed areas of an application to reduce the opportunities for attackers to exploit. This involves only enabling necessary features and functionality.
  2. Establish Secure Defaults
    • Ensure that the default configurations of applications are secure. Users should not need to tweak settings to improve security—security should be the default setting.
  3. Least Privilege
    • Grant users and processes the minimal level of access or permissions necessary to perform their tasks. This limits the potential damage if an account or process is compromised.
  4. Defence in Depth
    • Use multiple layers of security so that if one control fails, others will still provide protection. This could involve using firewalls, encryption, authentication, and intrusion detection systems all working together.
  5. Fail Securely
    • Ensure that if an application encounters an error, it fails in a secure manner. Error handling should not expose sensitive information or provide an attacker with more control.
  6. Don’t Trust Services
    • External systems and services (such as APIs) should be treated as untrusted unless verified. Always validate inputs and outputs from external systems.
  7. Separation of Duties
    • Divide key functions and tasks among multiple users or processes to reduce the risk of a single person or system having too much control. This mitigates insider threats and accidental misuse.
  8. Avoid Security by Obscurity
    • Security should not depend on hiding information or keeping the system’s internal workings secret. Instead, rely on strong, well-tested security controls that are effective even when the system’s design is public.
  9. Keep Security Simple
    • Simpler designs are easier to manage and less prone to security flaws. Avoid complexity, as it can introduce vulnerabilities and make systems harder to secure.
  10. Fix Security Issues Correctly
    • When fixing vulnerabilities, ensure that the fix is comprehensive and does not introduce new issues. Always use proper root-cause analysis to avoid quick, temporary fixes.

These principles are meant to be applied throughout the software development lifecycle, helping to build applications that are resilient to both common and emerging security threats.

13
Q

What are the NCSC’s secure by default principles?

A

The full set of Secure by Default principles is:

  • Security should be integrated into products from the outset, not added afterward.
  • Security measures should address the root cause of a problem, rather than just treating the symptoms.
  • Security is an ongoing process, not a one-time goal, and must be maintained throughout the product’s entire lifecycle.
  • Security must not come at the expense of usability; products should be secure enough while maximising ease of use.
  • Security should work effectively without needing complex configurations and should function reliably where applied.
  • Security must evolve continually to meet and defeat emerging threats; new security features should take longer to defeat than they take to build.
  • Avoid relying on security through obscurity.
  • Users should not need specialised technical knowledge or non-obvious behaviour to benefit from security.