The Art of Brute Force Attacks
Porsche discontinues models, how to increase your salary & AI governance
👋 Good morning, Cyber Pros!
This week’s issue brings you:
The Art of Brute Force Attacks
Why Porsche discontinued 3 models due to cyber security requirements
How you can increase your security salary
Is AI Governance a security issue?
Let’s dive in!
Read time: ~7 mins
LEARNING
THE ART OF BRUTE FORCE ATTACKS
What is a Brute Force Attack?
A brute force attack is a method employed by hackers to gain unauthorised access to systems or accounts by systematically testing various password combinations until the correct one is discovered.
These attacks exploit weak passwords and poorly secured accounts, making them a significant cybersecurity threat.
According to Verizon's 2021 data, 89% of attacks against web applications involve stolen credentials or brute force attacks.
How Brute Force Attacks Work:
Brute force attacks operate by iterating through every possible password combination until the correct one is identified.
Automated tools are utilised to accelerate the testing process, enabling hackers to test thousands of combinations per second.
While commonly associated with login pages, brute force attacks can also target cloud service APIs and database credentials, among other security mechanisms.
Why Attackers Use Brute Force:
Brute force attacks are highly effective against weak passwords, which are prevalent among users worldwide (75% have poor password habits).
Improperly configured cloud services often employ weak passwords, inadvertently exposing systems to brute force attacks.
Successful brute force attacks can result in sensitive data theft, service disruption, or unauthorised access to critical systems.
Types of Brute Force Attacks:
Traditional Brute Force Attacks: These involve testing every possible character combination to find the correct password.
Dictionary Attacks: Attackers use pre-computed lists of commonly used passwords or words from breaches to expedite the process.
Reverse Brute Force Attacks (Password Spraying): Hackers target multiple accounts with a few common passwords, exploiting users' tendencies to use easily guessable passwords.
Credential Stuffing: Attackers use stolen credentials from breaches to target accounts where users have reused passwords.
Brute Force Tools:
Hydra
Aircrack-ng
John the Ripper
Hashcat
Ncrack
Countermeasures Against Brute Force Attacks:
1/ Strong Password Policies:
Implement password policies requiring diverse character types and regular password changes to enhance security.
2/ Account Lockout Mechanism:
Utilise account lockout mechanisms to temporarily disable accounts after a certain number of failed login attempts, deterring automated attacks.
Implement rate limiting and captchas to slow down attackers and protect against brute force attempts.
3/ Two-Factor Authentication (2FA):
Introduce an additional layer of verification beyond passwords, such as SMS, email, app-based codes, or biometric factors, to strengthen authentication processes.
4/ Monitoring and Alerting Solutions:
Deploy monitoring and alerting systems to detect unusual login patterns indicative of brute force attacks and enable swift response by administrators.
5/ Password Managers:
Encourage or enforce the use of password managers to securely store passwords, eliminating weak password practices and reducing the risk of brute force attacks.
6/ User Training:
Conduct regular cybersecurity training sessions to raise awareness among users about potential threats and promote secure password practices and recognition of suspicious activities.
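Two of the countermeasures above (the account lockout and rate limiting in 2/, and the monitoring for unusual login patterns in 4/) are concrete enough to show in code. The following is an added example written for this issue, not code from the newsletter or from any of the tools listed. It assumes a hypothetical login gate with made-up thresholds (5 failures in 10 minutes locks the account for 15 minutes; 20 attempts per source IP per 10 minutes) and a constructed auth-log format of the form "<ISO time> FAIL|OK user=<name> ip=<address>". The detector distinguishes the two failure patterns the article describes: a traditional brute force attack (many failures against one account from one source) and password spraying (a few failures each against many accounts from one source).

```python
"""Added example for the Cyber Pro Club brute force article (not the
newsletter's own code): a lockout / rate-limit gate plus a detector that
flags brute force and password-spraying patterns in constructed log lines.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


# --- Countermeasure 2/: account lockout and per-source rate limiting -------

class LoginGate:
    """Decides whether a login attempt may be evaluated at all.

    Policy values are hypothetical, chosen for the example:
      - lock an account for LOCKOUT after MAX_FAILURES failures within WINDOW
      - allow at most RATE_LIMIT attempts per source IP within WINDOW
    """
    MAX_FAILURES = 5
    WINDOW = timedelta(minutes=10)
    LOCKOUT = timedelta(minutes=15)
    RATE_LIMIT = 20

    def __init__(self):
        self.failures = defaultdict(deque)      # user -> failure timestamps
        self.locked_until = {}                  # user -> lock expiry
        self.source_hits = defaultdict(deque)   # ip -> attempt timestamps

    def _prune(self, queue, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while queue and now - queue[0] > self.WINDOW:
            queue.popleft()

    def check(self, user, ip, now):
        """Return 'ok', 'locked' or 'rate_limited' for an attempt at `now`."""
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"
        hits = self.source_hits[ip]
        self._prune(hits, now)
        if len(hits) >= self.RATE_LIMIT:
            return "rate_limited"
        hits.append(now)
        return "ok"

    def record_failure(self, user, now):
        """Register a failed attempt; return True if the account just locked."""
        queue = self.failures[user]
        self._prune(queue, now)
        queue.append(now)
        if len(queue) >= self.MAX_FAILURES:
            self.locked_until[user] = now + self.LOCKOUT
            queue.clear()
            return True
        return False

    def record_success(self, user):
        """A successful login resets the failure counter for that account."""
        self.failures.pop(user, None)


# --- Countermeasure 4/: detection over auth log lines ---------------------

def parse_line(line):
    """Parse the constructed format '<ISO time> FAIL|OK user=<u> ip=<ip>'."""
    ts, result, user, ip = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])


def detect(lines, brute_threshold=8, spray_threshold=5):
    """Scan one batch of log lines (e.g. the last ten minutes) and return
    ('brute_force', ip, user, failures) when a single source hammers one
    account, and ('password_spray', ip, distinct_users) when a single source
    fails against many different accounts. Thresholds are example values."""
    failures_per_ip_user = defaultdict(int)
    users_per_ip = defaultdict(set)
    for line in lines:
        _ts, result, user, ip = parse_line(line)
        if result != "FAIL":
            continue
        failures_per_ip_user[(ip, user)] += 1
        users_per_ip[ip].add(user)
    alerts = []
    for (ip, user), n in failures_per_ip_user.items():
        if n >= brute_threshold:
            alerts.append(("brute_force", ip, user, n))
    for ip, users in users_per_ip.items():
        if len(users) >= spray_threshold:
            alerts.append(("password_spray", ip, len(users)))
    return alerts


# Constructed sample log: one brute force run, one spray, one legitimate typo.
SAMPLE_LOG = (
    [f"2024-03-04T09:00:{i:02d} FAIL user=alice ip=203.0.113.7" for i in range(8)]
    + [f"2024-03-04T09:01:{i:02d} FAIL user={u} ip=198.51.100.9"
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])]
    + ["2024-03-04T09:02:00 FAIL user=grace ip=192.0.2.5",
       "2024-03-04T09:02:05 OK user=grace ip=192.0.2.5"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The gate is deliberately split into check and record calls so the same policy can sit in front of a web login, an API token endpoint or a database proxy, the targets the article lists; the detector runs over whatever batch of lines your log pipeline hands it, so the thresholds should be tuned to the real window size.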
NEWS
PORSCHE DISCONTINUES 3 MODELS DUE TO CYBER SECURITY REQUIREMENTS
Summary: Recent news reveals that Volkswagen (VW) and Porsche are discontinuing several models, including the VW Up and T6.1, as well as three Porsche models. The reason? Stricter cybersecurity requirements mandated by the European Union (EU).

Unveiling UNECE R 155
The driving force behind these changes is UNECE R 155, a UN regulation focusing on "Cyber security and cyber security management system." Contrary to common misconceptions, this regulation is not the result of EU bureaucracy but is a global initiative.
Effective since January 22, 2021, R 155 mandates the implementation of a cyber security management system (CSMS) during the development of vehicles, ensuring they are protected from cyber threats.
Key Facts About R 155
Vehicles registered from July 2024 must have undergone an externally audited CSMS during their development.
CSMS entails a systematic risk-based approach, emphasizing security risk analysis to mitigate cyber threats.
Transitional regulations exist for vehicles developed before July 1, 2024, provided the manufacturer demonstrates adequate consideration of cybersecurity during the development phase.
Insights and Reflections
Underreported Impact: UNECE R 155 has received minimal attention despite its substantial impact on market entry and product development timelines.
Selective Discontinuation: The discontinuation of models by VW and Porsche underscores the varied responses across the automotive industry. While some brands adapt, others face challenges in meeting cybersecurity standards.
Flexible Transitional Regulations: The transitional regulations offer flexibility, requiring manufacturers to demonstrate cybersecurity considerations during development. However, the discontinuation of certain models suggests challenges in meeting these requirements for older vehicle designs.
The intersection of automotive innovation and cybersecurity regulations highlights the evolving landscape of vehicle development and underscores the imperative for robust cybersecurity measures in the automotive industry.
CAREER
THE BEST WAY TO INCREASE YOUR SALARY
Summary: In the corporate landscape, loyalty is often undervalued by most companies. Staying loyal to a single company might not necessarily result in significant salary increases. Let me explain…

Details:
1/ The Power of Job Switching
One of the most effective ways to boost your salary as a cyber security professional is by changing jobs.
Many individuals have experienced substantial pay increases, sometimes doubling or even tripling their salaries, simply by transitioning to a new employer that values their skills and expertise.
I personally can vouch for this. Many friends and former colleagues have substantially increased their pay by moving to companies that prioritise their contributions.
2/ Data-Driven Insights
Research conducted by the Atlanta Fed corroborates this trend, indicating that employees who opt to leave their current positions often experience more substantial pay increases within just 12 months (see chart above).
3/ Don't Fear Change
If you find yourself undervalued or under-appreciated in your current role, don't hesitate to explore new opportunities.
Remember, most companies prioritise their bottom line over employee loyalty, so it's essential to prioritise your own career advancement and financial well-being.
AI & SECURITY
IS AI GOVERNANCE A SECURITY ISSUE?
Last week, I read an interesting LinkedIn post by Walter Haydock, Founder and CEO of StackAware. He wrote about 5 potential options for determining ownership in AI governance. Here are the benefits and drawbacks of those options:
1/ Security
Benefits:
Data Protection Focus: Prioritises safeguarding data confidentiality, integrity, and availability, aligning with AI risk mitigation.
Existing Infrastructure: Likely equipped with established tools and procedures for managing new technologies.
Drawbacks:
Limited Scope: May overlook non-security risks like environmental and social impacts.
Technical Familiarity Gap: Potential mis-prioritisation due to lack of technical expertise.
Risk-Averse Stance: Tendency towards caution may impede agile deployment.
2/ Legal/Compliance
Benefits:
Regulatory Acumen: Proficient in navigating complex regulatory frameworks.
Clarity Amid Complexity: Skilled at distilling legal jargon to extract key compliance requirements.
Drawbacks:
Technical Shortfall: Likely less technically adept than security teams, potentially hindering understanding of AI impacts.
Risk Aversion: Overwhelming focus on downside risks, potentially overlooking benefits.
3/ Privacy
Benefits:
Regulatory Alignment: Addresses privacy challenges inherent in AI, aligning with regulations like GDPR and CCPA.
Customer Trust Focus: Prioritises clear communication and controls to maintain customer trust.
Drawbacks:
Value Trade-Off: Over-indexing on privacy may sacrifice functionality, impacting customer value.
Intellectual Property Oversight: May compromise design to a level exceeding the organisation's IP risk tolerance.
4/ Data Science / AI
Benefits:
Technical Proficiency: Deep understanding of AI capabilities and limitations.
Business Outcome Focus: Driven by delivering business value through AI initiatives.
Drawbacks:
Limited Scope: Less versed in security, compliance, and privacy domains.
Risk Blindness: Potential oversight of non-technical risks due to business outcome orientation.
5/ Dedicated AI Governance Function
Benefits:
Expertise Specialisation: Deep subject matter knowledge in AI risks, frameworks, and compliance.
Neutral Mediation: Serves as impartial mediator among various stakeholder teams.
Drawbacks:
Administrative Overhead: Additional bureaucracy and expense.
Silo Risk: Potential isolation of AI governance from broader business and technology efforts.
Thoughts on AI Governance Committees:
While AI governance committees have merits, challenges arise when:
Decision-making processes lack clarity.
Timelines for decisions are ambiguous.
Risk appetite remains undefined or overly conservative.
While assigning AI governance to a single department doesn’t solve all these issues, it may streamline bureaucratic hurdles.
How do you think AI Governance should be managed?
FEEDBACK
Did you enjoy this one?
If you’ve got a question or feedback, you can reply to this directly!
I want to create a newsletter that you can’t wait to open every week.
Your feedback will help me do that.
REFERRALS
Share Cyber Pro Club!
If you found this newsletter valuable, share this link with others: https://www.cyberproclub.com/subscribe
Thanks for reading.
Cal J Hudson