On the flip side

A day in the life of... cybersecurity

Fábio Bagagem (Order Management & Integration team) went behind the scenes to discover cybersecurity.

What is it about?

Our world depends 100% on technology, and that won’t change anytime soon or ever. Due to the nature of the Telco business, technology fully relies on data and it must be available anywhere and at any time.

Customers trust Telecom Operators with their personal, sensitive data and we – Celfocus – leverage Telcos to handle such precious data.

However, software systems and devices have vulnerabilities. We shouldn’t close our eyes on these flaws because they are present, and we won’t be able to eliminate them. When these vulnerabilities are exploited, not only are customers affected but it also significantly impacts our organization’s health and objectives.

Cybersecurity is the branch of Information Security responsible for ensuring the CIA triad: confidentiality, integrity and availability of data. This is a small concept for such a vast area of operation, where the protection of data, devices, programs and networks from unauthorized access or attacks is the prime purpose. And to make it worse, attackers will always be one step ahead!

Zero-day refers to a newly discovered vulnerability that vendors did not fix yet and may be exploited by attackers; zero-day implies that developers have “zero days” to fix the problem that has just been exposed

Prevention is, therefore, the mandatory approach to anticipate, at all costs, predictable flaws and minimize the impacts of unpredictable ones.

Does anyone care about it?

Ask yourself these questions:

• If you are a developer, what does your code say about your cybersecurity knowledge? Would you feel comfortable if an expert checked your code?
• Aside from SQL injection (probably the most known type of vulnerability and YES it still exists in 2019!), what other types of vulnerabilities do you know?
• Look around you… Do you think your teammates are comfortable in this area?

If I had to guess your answers… Not many people care about it.

Fortunately, there are multiple communities, foundations and non-profit organizations worldwide that help us remember common mistakes and known issues, so that we don’t have to reinvent the wheel over and over again. Although they are very active, they are also relatively small and with a presence that most of the times goes unnoticed.

As an example, CVE (Common Vulnerabilities and Exposures, cve.mitre.org) is a knowledge source operated by a non-profit organization with a massive amount of vulnerabilities identified over the years in websites, applications and other types of software systems (try searching CVE List on ‘Google’ , and you’ll find over 2000 results!).

And… Do we need it?

As mentioned before, it is not possible to have a perfectly safe system, either caused by a software malfunction or human error.

Even the biggest and most prepared organizations have difficulties, such as the following examples:

• In 2017, sensitive data of 14 million Verizon’s customers was publicly exposed on the internet because a vendor placed this information in an unprotected AWS storage server (https://www.zdnet.com/article/millions-verizon-customer-records-israeli-data/).
• Occasionally, security concerns in the web browsers are raised, and Google Chrome is no exception. Earlier this year, a zero-day critical vulnerability was found in Google Chrome that allowed attackers to run arbitrary code inside our laptops. The issue was reported to CVE -here – and Chrome’s engineering director advised everyone to update the software immediately to the latest version (https://www.forbes.com/sites/daveywinder/2019/03/07/google-confirms-serious-chrome-security-problem-heres-how-to-fix-it).

Simply put, everyone is affected by cyber issues. Including us.

So… Answering to answer the question: Yes, obviously we need it.

And what are we doing in this field?

At Celfocus, we have people dedicated to Cybersecurity, more specifically to exploring Penetration Testing.

Penetration Testing, curiously also known as Ethical Hacking, consists in finding security weaknesses that hackers may find as well. In other words, it’s the effort to predict what hackers will do and, as long as possible, to stay ahead of them.

José Ramos has a vast background in Cybersecurity and is currently leading the stream that investigates and consolidates knowledge and experience in Penetration Testing.

As you may expect, there’s an extensive scope, so strategic decisions must be done on where to dedicate the brain power… Therefore, three major working streams are in place: training sessions, investigation and internal audits.

Training is always a wise investment, because the knowledge we sow today will grow to reap in tomorrow’s harvest. Theorical Training sessions are being prepared – and many others in pipeline to work on; in the near future sessions will be scheduled for those who want to attend.
Additionally, scattered ideas are on the table, such as promoting internal lectures (celfocus.bites, for instance) on a specific topic or to arrange internal Capture The Flag competitions to instill a culture of cyber safety and to help disseminate hacking – and their counter measures – techniques.

Catch The Flag (CTF) is a type of competition where hacking skills are tested; the attack-defense version of CTF consist on attacking (red) team trying to hack an infrastructure protected by a defense (blue) team

When it comes to investigation, David Daud is working on an interesting use case where IT and biology come together to forecast results that wouldn’t be possible in other way.
David is building a genetic algorithm to explore Cross-site scripting (XSS) vulnerabilities.

Cross-site scripting (XSS) attacks are a type of code injection where scripts are illegitimately included into otherwise trusted web sites. As an example, in a login form if we type the expression “<script>alert('XSS Rocks!')</script>” the web site should ignore it; if there is a reaction to the code added, then there is a high chance to have a vulnerability

Confused? Let’s break it down.
An individual is built up from a set of genes. A sample of n individuals, during a generation, will behave differently, and only those that fit the most will survive over generations. Therefore, the most adequate genes will prevail over time.
When we bring this to our scope, we’ll identify genes as small expressions that are likely to mess with the code, such as (one gene per line):

When we randomly gather a fixed number of genes we get an individual. There is no recommended value for the number of genes, and it may be as small as 3 or as many as 10; the key is to find the balance between precision of the result and how fast to find an acceptable result.
Each individual will be used to test the web page, and depending on the way the page behaves the individual is given a rating. The higher the rating, the greater the impact the individual caused on the web page.
In a generation of, let’s say, 100 individuals, we will have an ordered ranking for individuals. The genes of the individuals with higher rating, will transit to the next generation; the genes with lower rating are discarded.

When we repeat this process iteratively – which means, generation after generation – we tend to have only the genes that cause problems.

Under a reactive approach, occasionally the team is summoned to perform internal auditing sessions to projects and tools.
For instance, the EOL project requested a vulnerability analysis in a narrow scope, to ensure that some changes made to code wouldn’t spoil the solution.

Zero assumption analysis is a technique used regularly in a multitude of scenarios, when the only piece of information provided is the web site address. All assumptions are put aside, and the analysis consists on cracking the infrastructure, layer by layer, exploring all possible elements. As an example, check out the following diagram:

Celfocus’ official password management tool – TeamPass – was also a target of José’s audit, resulting in the discovery of an XSS vulnerability which is in the process of acceptance at CVE!

Obviously, the work pipeline of Cybersecurity team is highly dynamic they showed full availability

Can I do it? Where can I start?

Unlike what Chef Gusteau mentioned in the Ratatouille movie, I would not dare to say that “anyone can cook” it; first, because it is not food… But in reality, this is not an easy matter and requires a lot of curiosity and persistence as this a very dynamic and an always-on-the-move subject.

However, everyone is able to give it a try and should be encouraged to do so!

Take a look at the “Cybersecurity for dummies” book, available at https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/education/cybersecurity-for-dummies.pdf for a nice introduction to this world (the digital version of the book has a Ctrl+F function that is way more effective than the paper version).

If you already have some knowledge in this area but want to explore Penetration Testing, have a look at the book “Ethical Hacking and Penetration Testing Guide”, by Rafay Baloch, available at http://www.lepointdeau.fr/Ethical%20Hacking%20and%20Penetration%20Testing%20Guide%20-%20Baloch,%20Rafay.pdf .

In the case you want to skip the reading material and get your hands dirty in the hacking world, take a look at http://www.itsecgames.com/ where you’ll have an extremely buggy web application and you need to find all vulnerabilities.

Or, if you want to explore XSS in particular, jump to https://xss.shift-js.info/ where you can find many challenges with different difficulty levels.

And last but not least, feel free to have a chat with José Ramos and David Daud! They will be glad to help you with your questions and to discuss ideas!