Showing posts from June, 2021

The TOCTTOU attack

Intriguing attack name isn’t it? Pronounced as TOCKTOO, this is a time-of-check/time-of-use (TOC/TOU) attack. This deals with the sequence of steps a system uses to complete a task. This type of attack takes advantage of the dependency on the timing of events that take place in a multitasking operating system. Let’s take some routine day-to-day examples to better understand this concept. Note that these examples are mentioned to help you better understand the concept. Do you love Netflix? Well, I do. When you watch a series on Netflix, you need to authenticate yourself. Let’s break this into 2 steps: Process 1: Validates your credentials to check your subscription validity. Process 2: Open up the series for you. In a TOC TOU attack, the attacker ensures that process 2 is executed before process 1. If you may wonder how can this happen, consider that operating systems and applications are, in reality, just lines and lines of instructions. An operating system must carry out instruction 1

Horizon Scanning: A Beginner’s Guide

“Horizon scanning is a technique for detecting early signs of potentially important developments through a systematic examination of potential threats and opportunities, with emphasis on new technology and its effects on the issue at hand.” With the world interconnected than ever before, an event in one place has the power to impact people across the world. Recently when a ship was stuck in the Suez canal, it resulted in shipping delays and the loss of millions of dollars. This event further created sub-events of its own and impacted in ways we are yet to identify. Volatility in Dow Jones affects the Asian markets and climate crisis in a country has the potential to increase the prices for consumers across the world. Despite the efforts of witches and mages throughout the ages, the future can never be accurately foretold. In our modern world, our organizations turn to risk management as the latter-day shaman to divine the potential pitfalls and opportunities lurking in the midst of tom

Data Security Lifecycle 2.0

The Cloud Security Alliance Guidance explains the Data Security Lifecycle which mentions the various phases data undergoes in the cloud. This lifecycle was adopted from a blog article on Securosis. Rich Mogull, Analyst & CEO, stated that he was not happy with his work since it seemed rushed and did not sufficiently address the cloud aspects. They have released the Data Security Lifecycle 2.0 and this blog post is an attempt to present it in simple terms. Before we delve into the nuances of the improved version of the life cycle, a sneak peek into the old one would help us appreciate the changes. The V1.0 is depicted below.  The lifecycle has a total of six phases - Create, Store, Use, Share, Archive, and Destroy. While the depiction in a circular step-by-step manner may seem that one phase follows the other, it is not so. Creating and storing may happen simultaneously and archive may not happen if the information is not required to be stored for long-term purposes. In essence, the

Crypto-Shredding is NOT panacea for The right to be forgotten (RTBF)

A recent survey by Trend Micro revealed alarming results. When asked for feedback on companies’ approaches to cloud data destruction, 25% of the population responded with “What’s that?” as the response. Another 31% said their cloud provider handles cloud data destruction, but they are not aware as to what happens in that case. Given the growth of cloud computing, it's imperative for security professionals to understand the details of data destruction in the cloud. This is required from a contractual point of view and a regulatory point of view. Crypto shredding is the concept of destroying data through the destruction of the cryptographic keys protecting the data. Without the decryption keys, the encrypted data is unusable — like a safe without the combination. From a cloud perspective, there are multiple tenants that a cloud provider serves. From a cloud customer perspective, the data is stored in physical locations where they cannot visit, let alone perform any data destructions