CL: CUI
"It can’t be reasoned with. It doesn’t feel pity, or remorse, or fear. And it absolutely will not stop, ever..." - KR
Intel of Note
Investigating Vulnerabilities via Socio-Technical Assessments
What Are CVIs?
Cyber Vulnerability Investigations (CVIs) are a form of Socio-Technical Assessment (STA) used to assess the threat landscape and risk profile of a given entity or organization. An STA is a type of investigation that pays close, almost exclusive, attention to the interactions between the people, technology and processes present within the target of the assessment, rather than to any one of those in isolation.
Who can benefit from CVIs and how?
Organizations and entities of all sizes can benefit from assessing their exposure to specific threats, and the process only grows more useful as cyber attacks and state-sponsored hacking become routine. Humans are usually the weakest link in any security situation, so the human element is a crucial aspect that needs to be analyzed and understood. CVIs are an unorthodox assessment tool because they approach the target from the opponent's perspective, using the adversary's own methods and techniques to identify threats and risks.
What actions are involved in conducting a CVI?
CVIs, like most investigations, vary in size and complexity depending on their objective and scope. Using a framework to shape and guide the investigation is advised. As a general rule, any framework should be structured enough to produce consistent, repeatable results but flexible enough to adapt to the ever-changing conditions of your operational environment. A framework keeps a CVI effective and efficient so that the procedure produces quality results in the form of actionable intelligence rather than a pile of loosely related observations.
A Simple CVI Framework
The following is a basic CVI Framework:
Identify the target of your investigation
Define the Scope of the investigation
Understand & assess your target
Identify and quantify the risks & threats present within your target
Develop strategies to mitigate the identified risks
Summarize the findings in a report
Take the appropriate action in response to the findings
Learn and Improve
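To make the middle of that framework concrete, the following is an added example (not part of the original briefing, and not any particular organization's tooling) of a minimal risk register that carries out steps 2, 4, 5 and 6: it drops findings against assets outside the defined scope, tags each finding with the STA dimensions it touches (people, technology, process), quantifies it as likelihood times impact, attaches a mitigation, and renders a prioritized report. The assets, findings, scores, rating thresholds and mitigations are all constructed for illustration; substitute your own scoring scheme if your organization already has one.

```python
"""Minimal CVI risk register: scope filtering, socio-technical tagging,
likelihood x impact scoring, and a prioritised report.

Added example. Every asset, finding, score and threshold below is
constructed for illustration and describes no real organisation.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Dimension(Enum):
    """The three STA dimensions a finding can involve."""
    PEOPLE = "people"
    TECHNOLOGY = "technology"
    PROCESS = "process"


@dataclass(frozen=True)
class Finding:
    asset: str
    description: str
    dimensions: frozenset   # Dimension members the finding touches
    likelihood: int         # 1 (rare) .. 5 (near certain)
    impact: int             # 1 (negligible) .. 5 (severe)
    mitigation: str         # step 5: the strategy proposed for this finding

    def __post_init__(self):
        # Reject malformed entries early so the register cannot be skewed
        # by an out-of-range score or an untagged finding.
        if not 1 <= self.likelihood <= 5 or not 1 <= self.impact <= 5:
            raise ValueError("likelihood and impact must be in 1..5")
        if not self.dimensions:
            raise ValueError("a finding must touch at least one STA dimension")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rate(score: int) -> str:
    """Map a 1..25 score onto a rating band. Thresholds are an assumption."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def build_register(findings: Iterable[Finding], scope: set) -> list:
    """Step 2 then step 4: keep only in-scope assets, order by score desc."""
    return sorted((f for f in findings if f.asset in scope),
                  key=lambda f: (-f.score, f.asset))


def summarize(register: list) -> dict:
    """Counts per rating band plus findings spanning two or more dimensions,
    which are the socio-technical interactions an STA exists to surface."""
    summary = {"critical": 0, "high": 0, "medium": 0, "low": 0,
               "socio_technical": 0}
    for f in register:
        summary[rate(f.score)] += 1
        if len(f.dimensions) >= 2:
            summary["socio_technical"] += 1
    return summary


def render_report(register: list) -> str:
    """Step 6: one line per finding, highest risk first."""
    lines = []
    for f in register:
        dims = "/".join(sorted(d.value for d in f.dimensions))
        lines.append(f"[{rate(f.score):8}] {f.score:2} {f.asset:14} "
                     f"({dims}) {f.description} -> {f.mitigation}")
    return "\n".join(lines)


# Constructed sample findings (hypothetical assets and observations).
FINDINGS = [
    Finding("hr-mailbox", "finance approves wire transfers from email alone",
            frozenset({Dimension.PEOPLE, Dimension.PROCESS}), 4, 5,
            "require out-of-band callback for any payment change"),
    Finding("vpn-gateway", "contractor VPN accounts allow password-only login",
            frozenset({Dimension.TECHNOLOGY, Dimension.PROCESS}), 3, 4,
            "enforce MFA and expire contractor accounts on contract end"),
    Finding("badge-system", "staff do not challenge tailgating at server room",
            frozenset({Dimension.PEOPLE, Dimension.PROCESS}), 3, 3,
            "awareness training plus anti-tailgating door"),
    Finding("marketing-site", "public CMS runs an unsupported release",
            frozenset({Dimension.TECHNOLOGY}), 4, 2,
            "upgrade CMS"),  # excluded below: outside the defined scope
    Finding("dev-laptops", "single CI deploy key shared over chat",
            frozenset({Dimension.PEOPLE, Dimension.TECHNOLOGY,
                       Dimension.PROCESS}), 2, 4,
            "per-user short-lived deploy credentials"),
]
SCOPE = {"hr-mailbox", "vpn-gateway", "badge-system", "dev-laptops"}

if __name__ == "__main__":
    register = build_register(FINDINGS, SCOPE)
    print(render_report(register))
    print(summarize(register))
```

The point of the `dimensions` tag is that the highest-scoring items in a real CVI tend to be the ones touching two or three dimensions at once (a person following a weak process on a permissive system), and the summary count makes that visible at report time instead of leaving it buried in individual findings.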
Considerations
When was the last time you conducted a threat and risk assessment of your operations?
When was the last time your organization conducted a threat and risk assessment of its operations?
Has the "as-a-Service" model gone too far?
The subscription business model takes many forms; the most common is Software-as-a-Service (SaaS). SaaS applications are usually web-based and provide a service to customers in exchange for a recurring fee, commonly charged monthly, though most SaaS apps will let a user prepay for an extended period (6 months, a year, etc.) at a reduced rate. The SaaS business model is valuable for individual entrepreneurs with some programming knowledge as well as for small teams (like those prized by Skunk Works-esque operations) because of its potentially low setup cost and high scalability. SaaSes (SaaSi?) include entertainment services such as Netflix and Hulu, music streaming services like Spotify and Apple Music, and productivity apps like Notion and Drafts. If there's a problem that can be solved with software you can probably turn it into a SaaS, but that is a topic for a future briefing.
Subscription services are not always software-based: a gym is technically a subscription service in which you pay for the "service" of using the gym's equipment and resources instead of buying your own. In recent years the subscription model has expanded into the automotive industry, where automakers have experimented with offering vehicle ownership and other features "as-a-Service."
Many issues arise from letting an automaker keep a hand on a car after it is sold, especially when some possess the capability to assist in repossessing it or to deactivate features remotely. For example, the Mercedes-Benz EQS sold in Germany comes standard with 4.5 degrees of rotation for the vehicle's rear-wheel steering, with a 10-degree option available. The 10-degree option can be remotely activated or deactivated depending on whether the owner has paid the $576 yearly fee Mercedes charges for it. What makes this especially problematic is that the car already has the mechanical capability to reach the full 10 degrees; Mercedes has simply chosen to lock it behind a subscription paywall. Toyota's subscription service is equally bad, as they have turned remote start into a service. As pointed out in the linked article, the reason most services charge a fee is to cover infrastructure and upkeep costs such as servers and domain names (or just because you can, if you're Mercedes). Remote start requires none of that, as it is built into the car, yet Toyota bundles it with their audio packages. From a security standpoint the pattern is the same in both cases: a capability the hardware already has is gated by a vendor-controlled entitlement rather than by anything physical, so its availability now depends on the manufacturer's systems staying up, staying honest and staying uncompromised, and the owner has no offline way to verify or override that decision. The question is where this ends, if it ends at all, or whether brakes will become a service you must subscribe to in the near future.
Considerations
What subscription services do you use?
Can you still access your data if the internet goes down or a subscription lapses?
Less Important Intel

Third Test Of The Air Force's Hypersonic Weapon Has Failed Like The Ones Before It
Ever hear of JANET Airlines? Well, now you have. Godspeed if you choose to jump down that rabbit hole.
What would the effect of a blackout of your country's internet have on your operations?

