Tuesday, November 29, 2016

My first visit to the TEDx event "Brave New World" by Saxion University

So let's talk about my first visit to a TEDx event, but if you first want to know what the difference between TED and TEDx is, click here to learn more about the TEDx program.

This event was hosted by Saxion University in the Schouwburg in Deventer, The Netherlands. The theme this year was "Brave New World". This is obviously a reference to the book Brave New World by Aldous Huxley (1932), as the theme is all about our future world and how we could envisage it.

Photo of the stage of TEDx SaxionUniversity
The hostess Dorothée Loorbach did an amazing job introducing the speakers and energizing the audience. Well done! The topics were broader than expected, which I found very nice and refreshing. They ranged from envisioning a future living on Mars, to an Anon-inspired dance, to growing algae to solve the world's food resources, and a skilled musician playing multiple instruments. But also from inspiring speakers on forgiveness and love, even after a terrorist attack, to immigrating to the Netherlands and achieving amazing results in education, to learning to feel happy even while being incarcerated.

Four talks inspired me in different, but for me fundamental, ways. One of which was a video of a TED.com talk.

The first talk was that of Dorothy Oger with "Let's change the world, one poem at a time". Her talk was about a friend being killed in a terrorist attack in Brussels in 2016. The way she could inspire the world to give love, even in the worst time a person can experience in life, was breathtakingly inspiring. After Dorothy recited the poem, it was spoken in several other languages. One of which was Vietnamese. Although I do not speak Vietnamese yet, my fiancé does. Hearing words of love in the mother tongue of my loved one touched me deeply.

The second talk was that of Pamela Nicoletatos with "Future Beyond Earth". I recognize myself in her words about being drawn to the universe, the endless curiosity about what is out there and what it would be like to set foot on a planet much different from Earth. I am nowhere near the pioneer she is, though, so many props for that! The human species becoming a spacefaring species is my dream too, and I often let myself be taken to other worlds through science fiction in books, movies, series and games.

The third talk was that of Wouter Kroese and Willem Herter with "Future of Healthcare". This talk really got my attention due to my profession as an Information Security Officer and my work experience at a health-insurance company. I believe we, as a society, have become a bit too protective of our medical data (although for good reasons), and I agree that merging Big Data capabilities with medical research can greatly benefit overall healthcare while decreasing costs, or at least stabilizing them. The privacy concerns need to be considered, but approaching this question with a "yes, when..." instead of a "no, unless..." can spark innovations while keeping the checks and balances.

The fourth talk was a video from TED.com by James Veitch with "This is what happens when you reply to spam email". You simply must watch the video, because it is hilarious what can happen if you reply to scam email. It will make me think the next time I receive such an email. And for the Information Security Officers watching the video: although it is tempting to teach people, through awareness campaigns, to reply to spam, let's agree we stay away from that!

Overall an amazing experience, which gave me new insights, a fun time and the inspiration to be on that red dot some day too!

Monday, October 3, 2016

Are you Alert-Online, or Alert-Offline? (Dutch)

The government is running its annual campaign called Alert-Online (1) to promote online safety. Although it sometimes seems at odds with the ever-expanding powers of the intelligence services, the debate about privacy (and especially the protection of it) is firmly in the spotlight. But studies show that the average citizen (read: you and me) is not that careful with digital security (3). There is a certain degree of ignorance in this area, but also an unspoken expectation that companies will take care of it for you.

With cars it is all clear. After all, the brakes, seat belts, airbags, crumple zones and the many other options are all supplied and extensively tested by the manufacturer. Often under strict supervision by governments, following an almost inexhaustible list of requirements and guidelines. Because when you hit the brake it just has to work, and you should not have to configure or update something first. Unfortunately, things work a bit differently in the digital world. It does not even work automatically where that same car meets the digital world. Cases are known of cars that are hacked remotely and whose controls are taken over (2). With all the consequences that entails! Do you have a car with Bluetooth? Gosh, my car even has a Wi-Fi antenna so that, when I am close enough to my house, the car can connect to the network (why?)...

But there are also points of attention in the home. If you have a webcam pointed at your children, do you remember to update its software? Did you know that there are many brands that are not that careful with the digital security of your children? Because once again a case is known of cameras being watched by third parties (read: unauthorized persons) (4). And when you consider that you probably change a diaper in front of such a camera now and then, your interest in security may change in the blink of an eye.

No, digital security is not a bed of roses, and it often seems like something far removed from you. And yet it affects you directly. Banking in the digital world is nearly fraud-free, with fraud figures that are negligible for the banks (5), but unfortunately crime does not disappear. It only moves, and this time closer to the citizen. Often with the help of phishing (tricking you into revealing login credentials) you are lured into purchases, or when you are actively dating it is possible that you are lured into situations that are really just a bit too good to be true.

Unfortunately a secure digital world is not yet a given, and part of the responsibility really lies with you. A chain around your keyboard will not get you any further, so below is a small selection of the measures you can take.

  • Never reuse your passwords. Use a different password of at least 12 characters for every online account. A unique password of 12+ characters for each account is more important than an extremely difficult password. A password manager application can help with this (6).
  • Think for a moment about which devices in your home have a Wi-Fi connection. My house already counts at least 12. Think of devices such as the TV, thermostat, tablets, phones, and sometimes even the fridge and the smart washing machine. Then find out (for instance via the vendor's website) whether there are (security) updates. Today I discovered that I can also update my Essent E-Thermostaat, and tonight, after 2 years, I am finally going to do that. So 'even' I do not think of everything.... In short: always install all security updates for every device that is connected to the internet.
  • In case you do get hacked, make sure the webcam of your laptop or desktop can be physically closed. Often a webcam cover costing a couple of euros will do. This prevents private photos and videos being taken of you or your children.

Want to know more about your digital security? Then visit the websites of Alert Online (1) and Fraude Helpdesk (7) and find out how offline you are or are not!

  1. Alert Online: https://www.alertonline.nl/
  2. NOS.nl: http://nos.nl/artikel/2135670-we-waren-echt-de-sigaar-want-alles-stond-op-die-computer.html
  3. NOS.nl: http://nos.nl/artikel/2123374-hackers-kraken-opnieuw-een-jeep-cherokee.html
  4. Metro Nieuws: http://www.metronieuws.nl/xl/digitaal/2016/08/russische-website-hackt-cameras-en-kijkt-met-je-mee
  5. NVB: https://www.nvb.nl/nieuws/2016/4991/daling-fraude-met-internetbankieren-zet-door.html
  6. Gratis Software: http://www.gratissoftware.nu/gratis-wachtwoord-beheer-software.php
  7. Fraude Helpdesk: https://www.fraudehelpdesk.nl/

UPDATE: I have since updated my E-thermostaat to the latest firmware version :).

Monday, September 12, 2016

Cyber, just as old as ancient human history

Recently I visited a seminar at which the question was asked what is new about the phenomenon 'cyber'. Although I somehow still think we should #ditchcyber, I started thinking about that question. After some internal computing time I came to the conclusion that cyber is nothing new and that it is just as old as ancient human history. Well, that is, the paradigm in which cyber resides is ancient.

Fifth paradigm of warfare

In June 2016 NATO officially declared cyberspace the fifth domain of warfare. The other four are land, sea, air and space. With the ongoing attacks and governments ramping up their cyber capabilities, our precious infrastructure is increasingly becoming a potential zone of conflict. But why is this a development that needs real attention?

Every paradigm strengthens the other

Once there was merely conflict on land. People attacked each other with ordinary weapons. First it was all melee combat, which 'soon' was strengthened by ranged combat. But still, everything was done on land, and defenses grew over time to withstand such attacks. When the second paradigm, sea, came into play, battles changed quickly. Not only were battles fought at sea, but the sea was also used to strengthen land combat. Troops could be sent in by ship through (at first) defenseless harbors.

The third paradigm took a while to arise in our arsenal of conflict zones, but it came with devastating capabilities. Through the air, many defenses (like city walls) became almost pointless, and aerial combat strengthened both land and sea warfare. Planes could even take off from carriers to strike on land, at sea and in the air.

Space was the fourth paradigm, and as far as we know all countries uphold the international treaty about not bringing warfare to space. Often people do not know that the treaty only covers ground-to-space and space-to-space combat and does not include space-to-ground combat. So it is 'allowed' to use satellites for ground bombardments, but you will have to violate the treaty to take down the satellite that is attacking.

We should be thankful for countries upholding the treaties so far. When you look at the four paradigms combined with our increasing capabilities, you see that the potential casualties of conflict increase. And I want to emphasize the word potential, because since 1945 the absolute number of casualties due to conflict has been decreasing (Our World in Data).

Screenshot of Kaspersky Lab Cybermap
Cyber, the fifth paradigm, recently emerged from our endlessly increasing capabilities in computing, storage and networking power. The Internet came to life, and our lives and everything else are becoming ever more interconnected. But the existing land, sea, air and space capabilities are also strengthened by the use of cyber technologies. Just think about drones that bomb regions remotely and critical infrastructures like power grids that are taken offline by cyber means. The potential damages (most often economic for now) are increasing all the time. And sooner rather than later, casualties will also be the result of cyber-attacks.

Casualties might seem far-fetched, but think about remotely interrupting pacemakers and taking down critical infrastructure like electricity and fresh water. Taking those down in regions suffering from extreme heat might result in many fatalities due to dehydration and overheating. But also think of driverless cars crashing into each other, or planes that can be hacked from the ground.

Cyber is not new, but it has a key new characteristic

Most often our government takes care of the defense of land, sea, air and space. There is an army for external intruders, and there is often a police force for internal adversaries. Countries also have intelligence agencies that feed the governments they represent with intel on what (potential) enemies are doing and planning. We as citizens can have a good night's sleep without worrying too much about being invaded, knowing that this sadly does not apply to all of us.

The new aspect of the cyber domain is that we cannot depend on the government alone for proper protection of, well, kind of everything and more than that. Companies and individuals alike also have to contribute to the overall safety of our world. It is imperative that those with power use such powers with responsibility. And I do not mean superheroes, but nation leaders, CEOs, CIOs, CTOs, CISOs and everyone else who can influence budgets to ramp up the cyber defense. In essence, they just might be the modern-day cyber-heroes.

So is Cyber new? No, its paradigm is ancient, just like any other. It has opportunities, risks, weapons and defenses. But the fact that it needs to be protected by everyone with the power to influence its security, instead of only the government, is new.

Oh, and again #ditchcyber; it most often clouds (no pun intended) discussions on the things that matter.

Wednesday, August 17, 2016

Make Security and Privacy Awareness ubiquitous

"Yeah, let's create a page and put all information there that our users and/or customers need to stay secure!” Sounds familiar? Do you have a so called awareness page somewhere on your intranet or website? But are you suffering from lack of traffic, or at least, a lack of success of that page?


In my recent post "Need Security Awareness? You're doomed!" I argued that Security Awareness is the last thing you should focus on (I was overstating that on purpose, of course). For the worse part of it, with awareness you depend on the weakest link in the chain, and that is humans. And humans have proven to be relentless in not following guidelines whenever they feel they need to. So how can we inspire people to follow the guidelines? Well, with proper awareness...

I think there are two fundamental principles that need to be taken into account with awareness. First of all, do not only tell how, but focus on why. And when you tell it, tell it when it happens. Tell it when there is a change! I will zoom in on those two principles, but first I want to make another distinction. There are also two types of awareness. One is about Security and the other is about Privacy. A good understanding of the differences between these two types will help you in telling why and how.

Example with thanks to Bob

A customer, let's name him Bob, logs on to your website and decides he wants to change his password. He goes to his account settings and to the tab about his passwords. He just sees two blank fields, fills in the same password as for his e-mail account twice and hits the OK button. Some algorithm approved his password, as it is complex enough. Say something like: [email protected]. It is long and difficult. Right?

Two things failed here. First of all, he re-used his password, and his password is anything but complex. It is probably far from 'unique' (as far as that is literally possible) and likely used often and present in password-guessing tools. But there is a third thing that failed tremendously. The chance to present an effective awareness message to Bob was not taken.

What if there was a message like the one below, before Bob could change his password?

When choosing your password it is important that you choose one that you do not use with other services. It is possible that your password gets stolen through another service than ours but is then misused on our service. Your privacy is then compromised, and that is something we really want to prevent. To remember all your passwords you can use a password manager tool, which will help you better protect your own privacy. Click here to see our central privacy protection page to learn more.

And then present the form to change the password. Chances are that he will not re-use a password. It is not a 100% guarantee, but it has higher potential than saying nothing. Why? Because you tell why (it's about privacy), you tell how (that's about security) and you tell it when it matters (when the change happens)! I strongly believe this type of awareness is more effective than a distant page.

But what about [email protected] ?

And this is where we need technology to help our colleagues and customers (instead of failing awareness). Implement good filters and regular expressions to enforce a good password policy, but also check passwords against lists of often used passwords. Also prevent (whenever possible) the use of compromised passwords in combination with the name of the account. Do not just tell the user what a password should look like, but help him or her with it. It's far more effective!

I am not going into the debate now about what the complexity of a password should be. But I would rather have it unique and long than complex and shorter. From a computing perspective, no combination of characters is more complex than another combination of characters. The password 'A Purple Bunny is swimming in the Ocean' is more likely to be secure than the example of Bob. Why? Because it makes no sense to people building brute-force algorithms and it has more characters. And it is easier to remember, so the chances of it being written down are slimmer.
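The two paragraphs above argue for enforcing the policy in code rather than on an awareness page: a minimum length, a check against a list of often used passwords (with the usual `@`-for-`a` tricks undone), and a check that the account name does not appear in the password. The following is an added example of such a server-side validator, not code from the original post; the deny list and the account names are constructed samples, and a real deployment would load a breach-derived list with thousands of entries.

```python
"""Server-side password policy check (added example, not the post's own
code). Rules follow the post: at least 12 characters, not a commonly used
password, and not containing the account name. The deny list below is a
constructed sample standing in for a breach-derived list."""
import re

MIN_LENGTH = 12
TOO_SHORT = "too_short"
COMMONLY_USED = "commonly_used"
CONTAINS_ACCOUNT_NAME = "contains_account_name"

# Constructed sample of a "most used passwords" list (assumption: a real
# deployment loads a much larger list from a file or breach-data service).
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "iloveyou", "admin", "football", "monkey", "dragon", "sunshine",
})

# Undo the usual letter-for-symbol swaps before the deny-list lookup.
_SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s"})


def base_word(password: str) -> str:
    """Reduce a password to the word it is built on: lowercase, undo
    '@'->'a' style substitutions and drop trailing digits/punctuation, so
    'P@ssword2016!' and 'Password1' both reduce to 'password'."""
    lowered = password.lower().translate(_SUBSTITUTIONS)
    return re.sub(r"[^a-z]+$", "", lowered)


def account_tokens(account_name: str) -> set[str]:
    """Pieces of the account name (or the local part of an e-mail address)
    that must not appear in the password; tokens under 3 characters are
    ignored because they would match almost anything."""
    local_part = account_name.lower().split("@")[0]
    tokens = {local_part, *re.split(r"[^a-z0-9]+", local_part)}
    return {token for token in tokens if len(token) >= 3}


def validate_password(password: str, account_name: str) -> list[str]:
    """Return the policy rules the password violates (empty list = accepted)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(TOO_SHORT)
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or base_word(password) in COMMON_PASSWORDS:
        findings.append(COMMONLY_USED)
    if any(token in lowered for token in account_tokens(account_name)):
        findings.append(CONTAINS_ACCOUNT_NAME)
    return findings


if __name__ == "__main__":
    # Constructed candidates; account names are placeholders.
    for candidate, account in [
        ("P@ssword2016!", "bob@example.com"),
        ("Bob.Jones1984", "bob.jones@example.com"),
        ("A Purple Bunny is swimming in the Ocean", "bob@example.com"),
    ]:
        print(f"{candidate!r}: {validate_password(candidate, account) or 'accepted'}")
```

The checks are deliberately independent so the caller can show the user every rule that failed at once, at the moment of the change, instead of one generic "invalid password" message.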

Next step is deleting the awareness page?

Now I am not stating we should all delete our awareness page and move to a system like the one I described above. It's smart to have a page which contains all the important details combined. Sometimes people do get interested, and it would be a wasted opportunity not to satisfy their hunger for information. Let these two co-exist, but focus your time and energy on making awareness training ubiquitous. Make it present everywhere it matters.

Oh, and try to avoid the word awareness. It says something about a person not having something (you are not aware!) rather than about gaining something (better protection of their privacy).

In other words

Make awareness training ubiquitous by incorporating it within your entire environment, by telling how and why, and by telling it precisely at the moment it has the greatest impact: the place where change is done, the place where it matters.

Sunday, July 17, 2016

Single Sign On, potentially your biggest Security headache

It is not uncommon for companies to pursue the principle of Single Sign On (SSO) for their information systems, often disguised with the claim to 'improve' security. Although I agree that the usability for users is increased in almost every case, I do not agree that the same applies to security. On the contrary: if not implemented well, it decreases your security and increases your headache!

To explain my statement, I will take you through some layered thinking about the subject and address some things to do to approach SSO in a secure manner.

Password ethics

The ethics towards password use are most often not up to the standards that we as Security Officers would like to see. This concerns many aspects, such as password uniqueness, password length and password secrecy. Passwords (or passphrases for that matter) are often not unique, are too short and are kept secret in a rather insecure manner.

Imagine an IT environment with full-blown SSO, with primary accounts that have the same password as somebody's home computer, combined with passwords that are way too short (anything less than 12 positions is short) and are kept in a spreadsheet on a computer without disk encryption. And now imagine that such a password gets compromised and all extremely sensitive data on your corporate network can be accessed through that one account, just because you implemented SSO.

When thinking about SSO, you need to re-think your password ethics.

Password uniqueness

It is hard to address uniqueness, and for the most part it is pure awareness of the people. But there are some things you can address. First of all, make sure passwords cannot be re-used. Whenever a user changes his or her password, it should be at least 20% new. For a password of 12 characters, that means you already have to change at least 3 positions.

Also audit the passwords of your users at regular intervals. On the Internet you can find sources with the most often used passwords. Take a large set (for instance the top 20, 30 or 100) of the most used passwords, make sure users cannot use those passwords and, if they do, forcibly reset their accounts. Apply these tactics also when password databases of other companies get compromised, and compare (if possible) those passwords against your database to prevent misuse of accounts due to hacks at other companies.

Password length

Password length is rather easy to fix. First of all, bump it up from the pretty much default of 8 positions to 12 positions. There is some debate about whether or not it should be a difficult password with special characters and all. I tend to say that when your password is unique within the scope of all your own accounts and is at least 12 positions long, you are good (enough).
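The "at least 20% new" rule from the uniqueness section, combined with the 12-position minimum from this section, can be checked at the moment of the change. The block below is an added example, not code from the original post: it measures how new a password is as the edit distance between the old and the new password (so appending a digit or shifting characters does not count as a change) and rounds the 20% up, which gives 3 positions for a 12-character password as the post states. The comparison is case-insensitive on the assumption that changing only the capitalization should not count either. Note that this check is only possible when the user supplies the current password in the clear during the change; against a stored history of password hashes you can only detect exact reuse.

```python
"""Password-change policy check (added example, not the post's own code):
the new password must be at least 12 characters and must differ from the
old one in at least 20% of its positions, measured as Levenshtein distance."""
import math

MIN_LENGTH = 12
NEW_FRACTION = 0.2
TOO_SHORT = "too_short"
TOO_SIMILAR = "too_similar"


def required_changes(length: int) -> int:
    """Minimum number of edits that make a password of this length 'new':
    20% rounded up, so 3 edits for a 12-character password."""
    return math.ceil(NEW_FRACTION * length)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions each
    cost one. Row-by-row dynamic programming, O(len(a) * len(b))."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, start=1):
        current = [i]
        for j, char_b in enumerate(b, start=1):
            substitution = previous[j - 1] + (0 if char_a == char_b else 1)
            current.append(min(previous[j] + 1, current[j - 1] + 1, substitution))
        previous = current
    return previous[-1]


def check_password_change(old_password: str, new_password: str) -> list[str]:
    """Return the rules a change request violates (empty list = accepted).
    Assumption: case changes alone do not count, so both sides are lowercased."""
    findings = []
    if len(new_password) < MIN_LENGTH:
        findings.append(TOO_SHORT)
    distance = edit_distance(old_password.lower(), new_password.lower())
    if distance < required_changes(len(new_password)):
        findings.append(TOO_SIMILAR)
    return findings


if __name__ == "__main__":
    # Constructed sample changes a user might attempt.
    for old, new in [
        ("Summer2016!!", "Summer2017!!"),   # one position changed
        ("Summer2016!!", "Summer2016!!1"),  # one character appended
        ("Summer2016!!", "Winter2016!!"),   # four positions changed
    ]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'accepted'}")
```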

Password secrecy

And now password secrecy. Who doesn't know that one guy who saves all his passwords in a spreadsheet, so it is convenient to access them? Do you realize that you probably have some of those as your co-workers? And that they likely have access rights to important data sources?

So give your users the tools to safely store every password. Whether this is an on-premise tool or a cloud-based tool, make sure it has enterprise features like central management for your admins and a full audit trail for your auditors. It will make everybody's life easier and users can keep their passwords safe. The fact that you are on the verge of implementing SSO does not mean you can skip the password manager.

Data classification ethics

And then there is the aspect of data classification. The ethics of topics such as these can be made extremely complex or extremely simple (too simple). In many organizations data classification is not really done, and for the better part of it, I can totally understand that. But for an improved SSO you will need to have some form of classification.

If you already have data classification, you can skip this part. Otherwise this might come in handy. When there is a lack of data classification, you can approach this subject with three types of classification. The first is public.

Public data

Public data may be read by anyone in the organization at the very least. It does not have to be readable to everyone outside the organization, but it might just as well be.

Corporate data

The second one is corporate data. Corporate data is data that may not be read by everyone in the organization. This type of data is important for the business to function, but it is not protected by law and it is also not intellectual property.

Secret data

The third one is secret data. All personally identifiable information (PII), intellectual property (IP) and all other information that is subject to law or regulators must be considered secret data. Most of the time you can find the crown-jewel data in this category. Think about information that is vital to stock trading and may not leak because of regulators, and think about personal information of your customers that is subject to the EU Privacy Directive.

And now grab some engineers in a team and divide the information systems into these categories. I bet that 90% of the time these assessments can be done off the top of the engineers' heads.

Stepping up your SSO

When you have put the controls in place to improve password uniqueness, length and secrecy, you can move forward to implementing SSO. When implementing SSO you really need to factor in two-factor authentication (2FA). And this principle is easy.

Whenever a user accesses information in a higher level category, you will need to ask for a new 2FA-code.

There is no need to ask for the password again, just the code from the authenticator app, physical token, YubiKey, SMS or whatever you use for 2FA. This mechanism prevents all data from being accessible without further obstruction when a password gets compromised. 2FA also helps users detect (in the case of SMS) login attempts on their accounts.
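The step-up principle above, with the three data classes from the classification section, can be modelled as a small session state machine: a password login alone entitles the session to public data, reading a higher class requires a fresh 2FA code, a class once verified covers everything at or below it, and the verification lapses after a fixed time so a forgotten session does not keep secret data open. The block below is an added example, not code from the original post. The OTP verifier and the clock are injected so it runs offline; the 15-minute time-to-live and the resource names are assumptions.

```python
"""Step-up 2FA across data classes (added example, not the post's own code).
A session may read its verified class and below; a higher class needs a
fresh 2FA code; a step-up expires after `step_up_ttl` seconds."""
import time
from enum import IntEnum
from typing import Callable, Optional


class Classification(IntEnum):
    """The three classes from the post, ordered so that comparisons work."""
    PUBLIC = 0
    CORPORATE = 1
    SECRET = 2


class StepUpRequired(Exception):
    """Raised when the requested class exceeds what the session has verified."""


class SsoSession:
    def __init__(self, user: str, verify_otp: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic,
                 step_up_ttl: float = 15 * 60):
        self.user = user
        self._verify_otp = verify_otp      # injected: checks a code for this user
        self._clock = clock                # injected: monotonic seconds
        self._ttl = step_up_ttl            # assumption: 15 minutes
        # A password login alone only entitles the session to public data.
        self.verified_level = Classification.PUBLIC
        self._verified_at = clock()
        self.audit_log: list[tuple] = []   # for the auditors the post mentions

    def _effective_level(self) -> Classification:
        """Current verified class, dropping back to PUBLIC once the
        step-up has expired."""
        expired = self._clock() - self._verified_at > self._ttl
        if self.verified_level > Classification.PUBLIC and expired:
            self.audit_log.append(("step_up_expired", self.user, self.verified_level.name))
            self.verified_level = Classification.PUBLIC
        return self.verified_level

    def access(self, resource: str, level: Classification,
               otp: Optional[str] = None) -> bool:
        """Grant access to `resource` classified at `level`, or raise
        StepUpRequired when a (valid) fresh 2FA code is needed first."""
        if level <= self._effective_level():
            self.audit_log.append(("granted", self.user, resource, level.name))
            return True
        if otp is None:
            self.audit_log.append(("step_up_required", self.user, resource, level.name))
            raise StepUpRequired(f"{resource} is {level.name}; a fresh 2FA code is required")
        if not self._verify_otp(self.user, otp):
            self.audit_log.append(("otp_rejected", self.user, resource, level.name))
            raise StepUpRequired(f"2FA code rejected for {resource}")
        # Step up: the new class covers everything at or below it.
        self.verified_level = level
        self._verified_at = self._clock()
        self.audit_log.append(("step_up_ok", self.user, resource, level.name))
        return True


if __name__ == "__main__":
    # Constructed verifier: in production this checks a TOTP/token/SMS code.
    session = SsoSession("bob", lambda user, code: code == "123456")
    session.access("intranet-news", Classification.PUBLIC)
    try:
        session.access("sales-report", Classification.CORPORATE)
    except StepUpRequired as exc:
        print("step-up:", exc)
    session.access("sales-report", Classification.CORPORATE, otp="123456")
    session.access("customer-pii", Classification.SECRET, otp="123456")
    for event in session.audit_log:
        print(event)
```

Because `verified_level` is a single ordered value, stepping up to SECRET also covers later CORPORATE reads without another code, while stepping up to CORPORATE never unlocks SECRET; the expiry check runs on every access, so a stale session quietly falls back to PUBLIC and the next higher read is challenged again.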

There is one caveat though…

There is one caveat in SSO that is often overlooked. The moment you start using a system (such as Active Directory) as the primary source for identity management, it is by definition the most critical system in your network. You really need to be rigorously protective of that system.

Therefore, never allow unencrypted traffic to and from such a central system. Never use insecure APIs to connect, and make obsolete technologies impossible to use. All security controls are completely irrelevant when some old system that is not SSO-compatible transmits the username and password unencrypted over the network just to get it to work.

Summary

To implement secure single sign on (SSO) you will need to improve password uniqueness, length and secrecy. You will also need at least three categories of data classification. With these controls in place you can implement SSO with the use of two-factor authentication (2FA). Whenever a system in a higher category is accessed, the principle of 2FA needs to be applied. And harden the central system with all its identities, and make sure that all data exchanges are well secured.

If you have done the above, you are a big step closer to lessening your headache.

Sunday, June 26, 2016

Book review: Komt een vrouw bij de [email protected], by Maria Genova (Dutch)

A while ago I saw some tweets go by about the book "Komt een vrouw bij de [email protected]" by a certain @genova2. Although I thought the book fell into the fiction category, I decided to follow Maria Genova (the author of the book and the person behind the aforementioned Twitter handle). When I attended the (ISC)² SecureNetherlands 2016 conference a few months later, I saw in the agenda that Maria was coming to speak about her book. After a fascinating talk I got in touch with her via Twitter and bought a personally signed copy from her! Oh, by the way, the book is unfortunately anything but fiction...

Komt een vrouw bij de [email protected] is about identity fraud. She describes true cases of the misuse of data by others to impersonate you. Usually with adverse financial consequences for the original identity (read: you). Situations such as fraud involving registrations at your home address, mobile phone subscriptions, orders at online shops, misuse of bank details and so on are all covered. She also goes into government agencies and how carelessly (sometimes?) sensitive personal data is handled there. Often, incidentally, in the simplest way, without complex hacks by hackers.

All of this is almost unimaginable, so Maria decided to get in touch with a real hacker in order to see first-hand how easy digital break-ins are. And the information on our computers leaves little to the imagination, because practically everything can be found on our computers. Think of full copies of identity documents such as passports and driving licences, but also accounts and passwords that we store in easily readable files, and intimate and sometimes risqué photos. And not to forget the poor discipline when it comes to installing all updates and having a malware (virus) scanner. It is a candy store for the digital burglar.

That identity fraud exists and takes place is something I can still come to terms with. Crime simply exists, and although we certainly must fight it, we should not have the illusion that we can eradicate it. Not in the short term, at any rate. What I find remarkable and simply do not understand is the degree to which a victim is supported in this process (or rather, the degree to which he or she is not supported).

When we see someone die on the street, we are offered victim support (in fact, I was even offered it when I came to report the theft of my bicycle). But victim support for identity fraud simply does not happen. Often you cannot even get a police report processed properly, the police are not (sufficiently) knowledgeable to support you, and the odds are often already against you, because after all it is 'your' signature!

The financial damage alone is often immense. From a few thousand to many tens of thousands of euros that you simply have to cough up because you are not believed in court. Unfortunately, being imprisoned while innocent is no exception here either! But the impact on your personal life is also beyond imagination. Loved ones who no longer believe you and divorce you, friends and family who abandon you because "where there is smoke, there is fire", and likewise losing your job and your house.

Identity fraud is reality, it receives too little attention from the government and the judiciary, the chance of getting caught is small and the number of innocent victims is large! The book summarized in one word: terrifying...

Fortunately, Maria also goes into some simple and practical solutions that can already make a big difference. Think of having a unique password for every online account, no longer handing over copies of your ID unless the law requires it (more info here), being reserved about what information you share, and installing all updates for your computer, tablet and phone. The tips span several pages; they are very useful and all help a bit towards (hopefully) preventing identity fraud.

As far as I am concerned a must-read for everyone, regardless of age, education level, job level and gender. Because anyone can become a victim!

First published: 2014
Pages: 224
ISBN: 978-9-089-75292-5
Link: mariagenova.nl
Lectures: mariagenova.nl/lezingen

Friday, June 17, 2016

My talk at US Consulate about Cyber Security and Agile Development

I gave a talk at the United States (US) Consulate in Amsterdam last Tuesday (June 14, 2016) at a Cyber Security v. Agile eCommerce event. Companies like SBS Broadcasting, KLM, ION-IP, WhiteHat Security, Bureau Brandeis, Isatis Group and many more attended this event. I was asked by ION-IP to speak at this event and, of course, I immediately said yes!

Before I say something about my talk, let me first start with the US Consulate itself. This was a very nice and new experience for me, especially from a Security perspective, because it has airport-tight Security levels. First of all, I needed to get a personal invite from the Commercial Specialist of the US Commercial Service of the consulate itself (besides the invite by ION-IP and WhiteHat Security). No invite from the consulate itself means no access. For obvious reasons I had to show my passport (a driver's license was also possible) and had to hand over all my electronic devices.
US Consulate in Amsterdam - Source: Wikipedia
Thinking I was being efficient, I had already switched off my phone, but I had to turn it on again. The reason for this was so they could see it was actually a phone. Then it was tested for drugs and explosive substances, and then I had to switch it off again and hand it over. I decided not to bring my smartwatch, because that would have been submitted as well. The next step was to walk through a detector and, thankfully, I only had to take off my belt and no other clothing. We were then escorted by an employee to the meeting room (through a couple of locked doors). We also could not leave the building without an employee present.

My talk was about Security Awareness and why we should stop it, or at least have the ambition to make it obsolete. This is obviously a statement to make the audience think about the value of Security Awareness and when to invest in it and when not. When I look at the organization I work for, I see that the most value comes from Security Awareness at the level where change is made. Whether it is IT, HR or the Legal department, wherever a change can be made, a difference can be made. Obviously the Security Awareness needed in each department is for the most part completely different.

I ended my talk with the advice that Security Awareness for IT departments should focus on automation. The more you automate, the more predictable and agile you will become. And when you are agile, you can even become anti-fragile. Every time an IT department considers training users on security, we should first ask ourselves if we can make our technology better. If not, then we need to question whether we can make our policies, procedures and baselines better. And then, and only then, can we start training users. Because leaning on awareness for security is leaning on the weakest link in the chain of security: the humans.

And again, for Security Awareness in general: focus it on the places where changes are made, in order to really make a difference!

If you want to read more about my point-of-view concerning awareness, read these posts of mine.
I really want to share my gratitude towards ION-IP, WhiteHat Security and the United States Consulate in Amsterdam for giving me the opportunity to talk at the event and help create awareness within the field of Cyber Security and Agile Development.

If you have questions or want to debate or challenge my point of view, please do so! Sharing opinions creates knowledge, and knowledge leads to wisdom! So feel free to comment below.

Sunday, June 12, 2016

Awareness and Cyber Security versus Agile Development

Let me start with a message (yet again): "If you want an agile environment, you need Security Awareness". What did I just say? I recently said in another blog post of mine that if you need Security Awareness to be secure, then you are doomed in the first place. I still think that is true, but it is only part of the case I want to make. In this post you will read the rest of my point of view on this topic.

On June 14, 2016, I will talk about this specific topic at “Cyber Security v Agile eCommerce”, hosted by ION-IP, WhiteHat Security and the Embassy of the United States of America in Amsterdam. In this post I will dig a bit deeper into this topic, why I have this opinion and why I want to share it with you and the rest of the world (the world, because if I may believe Google Analytics, my readers are from everywhere; thank you all!).

Security awareness by itself is by no means the holy grail of a secure environment to work, play and live in. Yet many companies and security professionals alike focus heavily on security awareness and, to be more precise, on security awareness aimed at the user level. I believe that when you cannot make security ubiquitous by nature, you will surely fail at creating awareness at that level.

A couple of months ago I was looking for a replacement car (my previous one broke down) and, as I really do not know anything about cars other than how to drive one, I noticed a certain behavior of mine. That behavior is commonly known as “a typical user who does not know anything technical about the topic at hand and therefore lacks any sensible judgement about its mechanics”. And it gave me a valuable insight concerning security awareness at the user level.

This insight was the very fact that I literally did not ask one question about the security of the car. I did not ask anything about the airbags, brakes, seat belts, electronic brake-force distribution, lane detection, or the security features that accompany cruise control. I asked myself why, me being a security officer, and the only answer that pops up is this: “If I do not know anything technical about a car, I surely cannot influence its security; I can only use it as it is built”. I think that the security of a car should be ubiquitous. And this changed my perspective on creating security awareness at the user level.

The point that I am making in this talk is that your focus or drive should be to eliminate security awareness at the user level. This focus helps you to become more creative in building solutions so that non-technical users work securely by design, instead of working insecurely while hoping that, with some awareness, stuff will not hit the fan. But this requires security awareness at another level in the organization.

My statement in the talk is this: “Move security awareness to the level where change is made…”. If the people with the power to change are aware of security, chances are that a securely designed system gets created. So instead of spending all that energy, time and money on security awareness for everyone in the organization, try focusing it all on your IT staff. I firmly believe that when you do that, nice things start happening. Part of this firm belief comes from the experiences I had with this principle in the company where I am fortunate enough to work.

Security and privacy are not the same thing, so I also advocate starting to work on privacy awareness. And, in contrast to security awareness, that topic should be addressed to everyone in the organization. It is far more effective than security awareness, because the topics are more relevant by nature and people can really influence them through their behavior. It is easier to teach a user not to share social security numbers or medical details by phone and e-mail than to teach such a user to recognize a specially targeted and crafted phishing mail and not click on the link.
Source: VISTA infosec
Let me end my post with a piece of advice and a question.

When you focus security awareness on the place where change is made, you get more (and this will grow over time) securely designed systems. Awareness should also focus on automation, because I firmly believe automation is imperative for increased security. And the more you automate, the more agile you will become. And the more agile you are, the more anti-fragile you can become. And anti-fragility helps make your business weatherproof against (sudden) changes in its environment.

So, security awareness at the IT level leads to secure design, which leads to automation, which leads to increased agility, which can lead to anti-fragility. Cyber Security can go hand in hand with Agile Development. And let me turn that around: a strong Agile Development culture can greatly increase your security!

What can you design and automate in order to make security awareness obsolete, while increasing the agility of your business?

Monday, April 25, 2016

Big Brother in the Brave Real World

Roughly a year ago I decided it was time to start reading two classics of science fiction literature. One of them was Brave New World by Aldous Huxley (1932) and, you probably guessed it, the other one is 1984 by George Orwell (1949). As I read through the books I was fascinated by the ability of both writers to envision a future that is, in a creepy way, comparable to our present world.

They are both stories of course, and I personally do not envision such an eerie and desolate dystopian future as laid out in the books. I do see patterns of similarity, but different from what we see in the mainstream (information security) media. At least, that is what I think. In this post I will enlighten you on my point of view concerning these two stories and how they relate to the real world. And since it is almost May 5th, Liberation Day in The Netherlands, it is a nice moment to publish this post.

As this is not really a book review, I will not tell you about the story itself, but rather the context in which the story exists. In both books, the real main character is the world and society itself, rather than people in the story.


Oppression by the government

Both stories talk about a government oppressing people, but in fundamentally different ways. The story by Huxley is about a government called the World State that ‘accepts’ exceptions, but you can hardly participate in society when you are an exception. There are even reservations in which people can live differently, although very poor and lacking proper healthcare. Both government and citizens are rather dismissive towards people who do not follow the normal (predetermined) steps of their society and deviate from the normal course of… well, just being. Everyone is literally grown and raised into specific roles in society and, due to a drug called Soma, everyone is kept chemically happy.

The story by Orwell is about a government that does not tolerate any deviation that threatens the existence of the so-called Party, not even in the slightest way. Everyone is being monitored by the so-called Big Brother, and out of fear people often betray each other. No action, no feeling and no thought is allowed, because when you do, you become a liability. There is even a new language in the works called Newspeak, which is stripped of any emotion and sensitivity. In this world most people are miserable and the general population is poor and underfed.

No parenthood versus no intimacy

In the society of Brave New World parenthood is strange to people, and having a baby by giving birth is considered nasty, gross and downright silly. Instead, babies are grown in baby factories where they are even conditioned towards their predestined roles in society. During the initial phases of growth some embryos are deliberately deprived of oxygen or given alcohol. The reason for this is that not everyone can be smart and the same. People also still need to work so they do not cause trouble out of boredom, so babies are grown into a certain class for certain purposes.

In the world of 1984 parenthood exists, but children are conceived and born in the most mundane way imaginable. Intimacy is not allowed between any two humans. Children and adults alike are confronted with daily propaganda distributed by so-called telescreens that can be found everywhere in society, even within one’s home. It is not uncommon for children to betray their parents for behavior that is disallowed by the Party. So keeping your head down, even towards your children, is a matter of survival.

Thought Police versus Citizens

As I mentioned earlier, in the story by Huxley it is not even the World State itself that monitors people, but the citizens themselves, through rather intensive social control. When you deviate from your path too much and too often, people will eventually report you. Not out of fear, but out of a true belief that the World State knows best. Therefore there is no Thought Police like in 1984. Of course there is a police force, but it plays a different role than in 1984.

The situation in Orwell’s story is different. Citizens also report each other, but more out of fear of getting ‘caught’ themselves than out of true belief in the Party. Whereas an exceptional deviation is allowed in the world of the World State, no exception is allowed in the world of the Party. But because people cannot be trusted, the Party also instituted a Thought Police. This police force has the ‘honorable’ duty to look for dissidents and to remove them from the public as soon as possible.

Sexual liberty versus Banished sexuality

The World State encourages sexual liberty in every way imaginable. If people want to make love with each other, they just do it. Whether it is between two people, four or entire groups, anything is allowed and anything is acceptable. Homosexuals are no outcasts and people are free to do anything they like, for as long as it is consensual.

The Party thinks totally differently on this topic. Intercourse is only meant for procreation and surely not for pleasure (on pain of death). And rest assured, a telescreen is monitoring the activities. Homosexuality is strictly forbidden, as is any other form of sexual activity between people, including love itself.

1984 versus the real world

The story in 1984 is about oppression, surveillance, persecution, sexual oppression, and fear. People are not allowed to enjoy anything in any way and the general population is poor and mostly underfed. When you take this parallel to the real world, can you recognize this in the Western world? Are Western nations generally poor and relatively unhappy? Is sexual oppression of non-heterosexuals still the norm? And is the government actively oppressing its citizens?

When you look at the analogy with the real world, states in Eurasia resemble in some respects more the world as described by George Orwell. Often not as extreme as 1984, but the general picture is rather the same. I personally cannot recognize the Western world in Orwell's view, apart from surveillance by the government. And even that is relative, as it is more surveillance by corporations. It is also more of a Some Brother type of thing than a full-blown Big Brother type of thing. Besides that, I still like to believe that for the most part intelligence agencies are really trying to improve the security of the general public, in contrast to the Thought Police, which does its job mainly to protect the Party.

Brave new world versus the real world

When you look at the story of Huxley though, I find it more similar to Western societies. The focus is on being happy (without drugs for now), sexual freedom that fits the individual, doing and saying whatever anyone wants to do or say, not to mention the desire to predetermine characteristics of a fetus (like prevention of Down syndrome). The belief in this system is so strong that it is often considered imperialistic by other (mostly non-Western) nations. There are also many groups within society that propagate democracy, (almost) unlimited freedom for everyone, freedom of speech and a common striving for general happiness. Anything is, or should be, allowed for you to feel happy, no matter the cost.

In the Western world there are citizens who defend such beliefs in ways that may almost be considered fundamentalist, just as the citizens do under the rule of the World State. You can count on strong backfire whenever you hold an opinion that is not aligned with that of the general mass or consensus. If you think that homosexuals are not okay, or that they should at least be unable to marry, then you are in for a treat. And do not even start by saying that abortion is murder. And when you think freedom of speech should not always be applicable, then you are considered an extremist of the right (or left) wing of politics, or perhaps even an aspiring terrorist.

Of course there are many more variations in opinion allowed in the real world, far more than in Brave New World, and yes, I am purposely overstating the previous paragraph. But somehow and somewhere there is a fine line between taking part in society and being treated as an outcast just for thinking differently. This behavior is what I believe resembles that of the citizens in Brave New World.

And I explicitly state that the paragraphs above are not necessarily my opinions or beliefs; those are not relevant in this post. They are merely the patterns that I see around me, whether on the news or in my daily life.

Recap

Whenever we compare the Western world (where I live) to 1984, I think we somehow miss the point that Orwell was making in his book. He states that a totalitarian government is about keeping power instead of making its citizens prosper. Whenever I look around I see a great many idealists in our midst who devote their lives to bettering the lives of others. I see governments that really try to improve the lives of people here and abroad, although it may sometimes, or often, be ill-executed. And I also see people fighting for the rights of others and people fighting to prevent or correct a (semi-)corrupt government. Do we have issues like mass surveillance we need to address? Yes, we do! And do we have issues concerning non-conventional thinkers and believers? Yes, we do.

I feel that the Western world is more like Brave New World than it is like 1984. Let us prevent the movement to create outcasts of non-conventional thinkers, and let us continue the debate on what real freedom and freedom of speech are. I believe it is imperative to let everyone's voice be heard, in order to prevent people from becoming outcasts, and outcasts from becoming radicals. And remember, diversity is what created our beautiful freedom in the first place.

Freedom of speech is not about me having the right to write this blog. It is the right I give to you to wholeheartedly disagree with what I wrote. Whatever you think or feel, if you want to share it, you can use the comment section below. I will not treat you as an outcast for thinking differently.

Books

1984
  • Author: George Orwell
  • First released: 1949
  • Pages: 336
  • ISBN: 978-0-451-52493-5
  • Link: www.penguin.com

Brave New World
  • Genre: Thriller, Science Fiction
  • Author: Aldous Huxley
  • First released: 1932
  • Pages: 229
  • ISBN: 978-0-099-47746-4
  • Link: www.vintage-books.co.uk

Wednesday, April 20, 2016

Need Security Awareness? You're doomed!

Let me start with a blunt message: "If you need user awareness to be secure, then you are doomed in the first place!". And let me elaborate on that one. Often you see, read and hear how crucial security awareness among people is to being secure. But recently I had a thought that I want to share with you. My thought was that if we need awareness in order to let security work, then the security controls are not organic enough to function properly. And very likely, they are not ubiquitous either.


Image source: F.U.D. - Fear, Uncertainty and Doubt (funny blog!)

And then, a couple of days later, I read this post on the Google Security Blog: Android Security 2015 Annual Report (the full report can be found here). Among many things, one got my attention specifically, and that was the fact about the use of fingerprints.

Starting with version 6.0, Android supports fingerprint scanners. This allows applications to use biometrics for authentication, reducing the number of times a user needs to enter their password or unlock pattern, thus decreasing friction around lockscreen use. Lockscreen use is higher on devices with a fingerprint scanner. For example, 55.8% of Nexus 5 and 6 devices (which have no fingerprint scanner) have a lockscreen, compared to 91.5% on fingerprint-enabled Nexus 5X and 6P devices. We are seeing an increase in lockscreen usage for other Android devices that provide fingerprint scanner support.

Somehow, when there is an improvement in how the security works, its use increases. And this supported my thoughts on this matter. Because a fingerprint is easier to use and, relatively speaking, just as safe as a PIN, devices are more often secured against unauthorized access.

Let's take a look at an analogy from the physical world. There are many threats in the physical world. There is the threat of terrorism, but also of non-friendly states invading your country. If you gave the same advice in the physical world as we do in the cyber world, the following would happen.

You would advise people to install metal detectors at home, anti-aircraft machinery, a couple of drones to strike down enemy combatants and, of course, a radar to check for incoming aircraft. Besides the fact that it is expensive stuff, you do not want to give such responsibilities to civilians. This is because the threat, its impact and its countermeasures are too big to handle on an individual basis.

When the threat is small, though, individual security measures are sensible. Think about a lock for your door and an alarm for burglary, smoke and fire detection. But the reason these systems work is that they are frictionless. There is no friction in the use of such security features and therefore they are used. Everyone is on autopilot locking and unlocking their home. And one does not even have to think about the alarm; it just works and at 'worst' a PIN needs to be remembered to disable it.

Back to the cyber world. When you tell your employees that it is also their responsibility to prevent state actors, or actors with such capabilities, from penetrating the defenses through phishing, malware, hacking and more, you will definitely lose your audience. And rightfully so. The threat, or the impact of such a threat, is too big to be managed on an individual scale. The countermeasures we give them are hardly effective, because most people do not really understand the gravity of these cyber attacks.

Are you still saying "Do not click on that link in that e-mail!"? You thought yes? Seriously? I find it harder and harder to recognize phishing mail myself (if I see one, to be frank). Meanwhile every service provider can become far more spam-resilient with techniques such as SPF, DKIM and DMARC (which let a receiving server check that a message really comes from the domain it claims, and tell it what to do when the check fails), reverse DNS, DNS-based blacklists and Spam URI Realtime Block Lists (SURBL) for reputation filtering, and TLS for the mail transport itself. Yet we ask users not to click on links... These controls cut down spam (and phishing) significantly and improve security (and privacy) too.

And the bright side of it all is that the user of the system has to do absolutely nothing to benefit from it. Why do I not receive spam and phishing on my personal email account, while I read about organizations constantly struggling with them? Is it that people are more aware of phishing on their personal accounts, or is it because a billion-dollar company just configured it better? And phishing is most often the number one step for Evil Jimmy to hack into the corporate network, so it might be smart to better protect your mail servers instead of telling people not to click on links.
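To make the "configure your mail servers better" point concrete, here is an added example (not the author's code) that grades a domain's SPF and DMARC records on how much protection they actually give a receiving server. The domains and records below are constructed for illustration; in practice you would fetch the TXT records for `<domain>` and `_dmarc.<domain>` and pass them to `grade_domain()`. DKIM is left out on purpose, because its selector records cannot be enumerated from the outside.

```python
"""Grade a domain's SPF and DMARC records by how much protection they give.

Added example for this post, not the author's code. The records below are
constructed (the .example domains are not real). In practice, fetch the TXT
records for <domain> and _dmarc.<domain> and feed them to grade_domain().
"""
import re

# Constructed sample records, illustrative only.
SAMPLE_RECORDS = {
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "partial.example": {
        "spf": "v=spf1 a mx ~all",
        "dmarc": "v=DMARC1; p=quarantine; pct=50",
    },
    "none.example": {"spf": None, "dmarc": None},
}


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?' or '+'),
    or None when the record is missing, not SPF, or has no 'all' terminator."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
    return None


def parse_dmarc(record):
    """Return the DMARC tags as a dict with lower-cased keys, or None if the
    text is not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def grade_domain(spf, dmarc):
    """Return a list of findings. An empty list means unknown senders hard-fail
    SPF and DMARC tells receivers to reject mail that fails authentication."""
    findings = []

    qualifier = spf_all_qualifier(spf)
    if spf is None:
        findings.append("no SPF record: any host may claim to send for this domain")
    elif qualifier is None:
        findings.append("SPF has no 'all' mechanism, so unknown senders get a neutral result")
    elif qualifier in ("+", "?"):
        findings.append(f"SPF ends in '{qualifier}all': unknown senders pass or are neutral")
    elif qualifier == "~":
        findings.append("SPF ends in '~all' (softfail): receivers may mark but rarely reject")

    tags = parse_dmarc(dmarc)
    if tags is None:
        findings.append("no DMARC record: SPF/DKIM results are not tied to a policy")
        return findings
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, failing mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' is missing or invalid")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua tag: no aggregate reports to show who spoofs you")
    return findings


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        result = grade_domain(records["spf"], records["dmarc"])
        print(f"{domain}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Only `strong.example` comes out clean; the other three show the usual gaps (`?all`, `p=none`, a partial `pct`, no reporting address). None of these checks require anything from the person reading the mail, which is the point of the paragraph above.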

If we can make our systems smarter and more secure by really implementing security features, and if we can prevent users (or processes within user space) from disabling such features, we dramatically improve the overall security. Just tell users never ever to share their password, and let them easily travel and roam over the network. And whenever they need higher security clearance for more sensitive data, incorporate two-factor authentication instead of yet another account. And that should be the end of the security awareness session. It can be done in 5 minutes.

Do not get me wrong, there is also a thing called privacy. And privacy awareness is a whole different ball game compared to security awareness. Privacy awareness is far more important, and far more easily trained, than security awareness, because the issues and solutions on that front are close to the actual users themselves. They can recognize them, and they can truly make a difference there. It is about not leaving printed documents on your desk; it is about not sharing credentials and sensitive data by any means. People can relate to that, because no one wants their medical files on public display. Users can have a tremendous positive impact on these topics. Just don't bother them with (semi-)technical stuff that a well-functioning IT department should do for them instead.

When all systems are well configured, hardened and compartmentalized, there is far less threat from the user from a security perspective, and we need to train them far less than we do now. Think about that for a brief moment before asking a user to remember Yet-Another-Weak-Security-Control.

Feel free to comment below, I would for sure appreciate it!

Sunday, April 3, 2016

Peeling the onion of data-leakage

I recently tweeted a formula about data leakage. In this post I will explain further what it means. This formula was a thought experiment by my friend and fellow security professional Rick Veenstra and myself.


In this thought experiment we wanted to explain what a data leak is, which components it consists of and how we can use that knowledge to hopefully prevent leaks. We started with the basics and moved down the ladder from there.

Data-leakage = actor + vulnerability

At the highest level, a data leak can only emerge when a certain actor exploits a certain vulnerability. Multiple vulnerabilities are probably needed in order to succeed, but at least one has to be exploited. The actor in this case can range from the black-hat hacker to the cyber-criminal to the disgruntled employee of your organization.

Vulnerability = asset + access platform

But when you look at the vulnerability you will notice that it consists of multiple components: the assets, which are often called the crown jewels of the organization, and the platform from which they can be accessed. This platform can be the Internet (likely the first stage), but also an internal platform that is being exploited.

Asset = unencrypted data | credentials | other access platform

In this case the asset is either the actual data itself, or the credentials needed to access the data, or another platform which enables access and thus brings the actor closer to the target data. The data needs to be unencrypted to have value for the one stealing it, which is why we explicitly mention that it needs to be unencrypted. Credentials are the usernames and passwords from within the organization. And the other access platform can function as a stepping stone to another system.

Access platform = resources + privileges

The resources in this case are anything that can be a landing zone for the intruder: the operating system of a server, an employee's workstation, an application or an active network component. Obviously many more examples are thinkable. Privileges are needed to actually access and use the aforementioned resource.

The formula

The summary of this thought-experiment is as follows.

Data-leakage = actor + vulnerability

Data-leakage = actor + ((unencrypted data | credentials | access platform) + (resources + privileges))

A data leak consists of an actor in combination with access to unencrypted data, or access to the credentials for that data, or access to a platform which has access to it. To actually use the resources to get to the data, privileges are needed in combination with the access platform. From there, when everything is in place, a non-authorized person just might succeed in his or her mission.

And what's next?

When executing a risk analysis on this topic you need to factor all the variables mentioned above into the equation. You need to, as far as possible, give some level of attention to the actor. You might want to consider encrypting important data and keeping credentials secure in password managers. Privileges should follow the least-privilege principle, and resources should be hardened and isolated within zones in your IT infrastructure.

Obviously this is easier said than done, due to complexity and budgets. But it might help bring focus to what is important and help decide which security issue needs to be addressed first.
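The formula above can be walked mechanically: starting from the Internet, an actor holds a platform once it can reach it and has either an exploitable weakness or credentials for it; from every held platform it collects the assets its privilege level allows; credentials open further platforms; only unencrypted data counts as leaked. The example below is added here and is not the author's or Rick Veenstra's code. The inventory, platform names, the two privilege levels and the single `exploit` attribute are all constructed stand-ins for what a real risk analysis would record; the point is to show how each of the countermeasures just mentioned (encryption, least privilege, isolation) removes a path.

```python
"""Walk the data-leak decomposition as a reachability problem.

Added example for this post, not the author's code. The inventory is
constructed: "exploit" is the privilege level an attacker gains on a platform
by exploiting a weakness on it (None = no known weakness), "needs" is the
level required to read an asset, and credentials "grant" a level on another
platform.
"""
import copy

LEVEL = {"user": 1, "admin": 2}

# Constructed inventory, illustrative only.
PLATFORMS = {
    "web":      {"reachable_from": {"internet"}, "exploit": "user"},
    "app":      {"reachable_from": {"web"},      "exploit": None},
    "db":       {"reachable_from": {"app"},      "exploit": None},
    "hr_share": {"reachable_from": {"internet"}, "exploit": "user"},
}
ASSETS = {
    "web_config":  {"on": "web", "needs": "user",  "kind": "credentials", "grants": ("app", "user")},
    "db_password": {"on": "app", "needs": "admin", "kind": "credentials", "grants": ("db", "admin")},
    "customer_db": {"on": "db",  "needs": "admin", "kind": "data", "encrypted": False},
    "backups":     {"on": "db",  "needs": "user",  "kind": "data", "encrypted": True},
    "salaries":    {"on": "hr_share", "needs": "user", "kind": "data", "encrypted": False},
}


def simulate(platforms, assets, start="internet"):
    """Return (leaked, held): the unencrypted data the actor can read and the
    privilege level it ends up holding on each platform."""
    held = {}      # platform -> highest privilege level held there
    leaked = set()
    changed = True
    while changed:  # iterate to a fixpoint: every round may open new platforms
        changed = False
        reach = set(held) | {start}
        # 1. Network reach plus an exploitable weakness gives a foothold.
        for name, p in platforms.items():
            if p["reachable_from"] & reach and p["exploit"]:
                if LEVEL[p["exploit"]] > LEVEL.get(held.get(name), 0):
                    held[name] = p["exploit"]
                    changed = True
        # 2. On held platforms, read every asset the privilege level allows.
        for aname, a in assets.items():
            level = held.get(a["on"])
            if level is None or LEVEL[level] < LEVEL[a["needs"]]:
                continue
            if a["kind"] == "credentials":
                target, granted = a["grants"]
                # Credentials only help if the target platform is reachable.
                if platforms[target]["reachable_from"] & (set(held) | {start}):
                    if LEVEL[granted] > LEVEL.get(held.get(target), 0):
                        held[target] = granted
                        changed = True
            elif not a["encrypted"] and aname not in leaked:
                leaked.add(aname)
                changed = True
    return leaked, held


def scenario(platform_changes=None, asset_changes=None):
    """Run simulate() on a copy of the inventory with some fields overridden,
    so the effect of a single countermeasure can be compared."""
    platforms, assets = copy.deepcopy(PLATFORMS), copy.deepcopy(ASSETS)
    for name, fields in (platform_changes or {}).items():
        platforms[name].update(fields)
    for name, fields in (asset_changes or {}).items():
        assets[name].update(fields)
    return simulate(platforms, assets)[0]


if __name__ == "__main__":
    print("as inventoried:          ", scenario())
    print("hr_share patched:        ", scenario({"hr_share": {"exploit": None}}))
    print("app exploit gives admin: ", scenario({"app": {"exploit": "admin"}}))
    print("...but customer_db encrypted:",
          scenario({"app": {"exploit": "admin"}}, {"customer_db": {"encrypted": True}}))
```

In the inventory as given, only `salaries` leaks: the actor gets a user-level foothold on `web`, picks up credentials for `app`, but `db_password` requires admin on `app`, so `db` is never reached. Turning the `app` weakness into an admin-level one completes the chain to `customer_db`, and encrypting that table breaks it again; the encrypted `backups` never count. That is the formula's "unencrypted data", "privileges" and "access platform" terms, each doing work.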

If you have any comments, feel free to post them. Thank you for reading this post!

Friday, March 25, 2016

Implementing https on Blogger using Cloudflare


Google is busy, as stated at Google I/O 2014, with updating all its web services to support https connections instead of http. Connections based on https are likely more secure than http. I say likely, because using https and using https well can differ like Earth and Mars. But Google will likely implement it thoroughly tested. This movement is called #HTTPSeverywhere.


First steps to bit more https

The reason I write this post is that Google updated its Blogger service a while ago. On September 30, 2015, Google announced in a blog post that it had implemented support for https. There is one caveat though: it only supports default domains, such as teusink.blogspot.com. When you have a full domain (or custom domain) enabled, like www.teusink.eu, https support is not yet implemented.

As a security professional I was, and still am, a bit disappointed to say the least. I would even be willing to pay a small fee for https support. Google has promised to bring https support sometime in the future though.

But that did not keep me from changing something on this blog of mine. I have checked the template, and every post and every page, for any reference to any resource and any URL I link to, and changed it to https wherever possible. I can say that all resources (like images, scripts and such) have been changed to https. Some web links I reference could not be changed, but that has nothing to do with the technicality (and security) of this blog.

So when support finally arrives I can easily flip the switch and the blog would (or should...) work without any security errors. In the meantime, all scripts are loaded from trusted sources over https, so my blog is a bit safer now than it was before.

Using Cloudflare for more https

Luckily you can do more concerning the implementation of https on your blog. And no, Google still does not support full https for blogs on Blogger using a custom domain name. But there is a workaround, and you need Cloudflare (or a similar service) for that.

I started using Cloudflare (the free account, to be precise) a month ago to improve the security of my blog, but also to improve the privacy of my visitors. With Cloudflare in front of my blog I can enforce encryption and enable threat protection. In cases where it is doubtful whether a visitor is malicious, Cloudflare presents a captcha which, upon entering the right value, grants access.

In the steps below I'll highlight what needs to be done to get this working.

Implementing Cloudflare

Step 1: Sign-up, add domain and configure DNS

  • Sign-up for a free account at Cloudflare.
  • Add your domain to Cloudflare.
  • Change the name servers of your domain to those of Cloudflare. You might need to ask your provider or registrar to do that.
  • The rest is done automatically.
You might want to enable DNSSEC, but it requires some more configuration at your registrar.

Step 2: Configure Crypto

  • Set SSL to Flexible
  • Set Authenticated Origin Pulls to On.
  • Set Opportunistic Encryption to On.
  • Set TLS 1.3 to On.
  • Set Automatic HTTPS Rewrites to On.
Automatic HTTPS Rewrites changes http:// references to resources in your pages to https:// for hosts Cloudflare knows serve https, which prevents mixed-content errors; the redirect from http to https itself is configured with the page rule in step 6. Note that with SSL set to Flexible the connection from Cloudflare to Blogger stays plain http, and Authenticated Origin Pulls only has an effect when the origin is configured to demand Cloudflare's client certificate, which Blogger does not offer (a free Origin Certificate is likewise only useful for an origin you administer yourself). Once Blogger serves custom domains over https itself, the SSL mode can move to Full (strict) so that leg is encrypted as well, and HSTS can be enabled. Turn HSTS on only when every page is served over https, because browsers will then refuse plain http for the domain for the configured max-age.

Step 3: Configure Firewall

  • Set Security Level to High.
  • Set Challenge Passage to 1 day.
  • In Web Application Firewall, set Browser Integrity Check to On.
  • In IP Firewall, white-list the IP-addresses of Google Blogger.

Step 4: Configure Speed

  • Set Auto Minify enabled on JavaScript, CSS and HTML.
  • Set Rocket Loader to Off.

Step 5: Configure Caching

  • Set Caching Level to Standard.
  • Set Browser Cache Expiration to 4 hours.
  • Set Always Online to On.
When not developing, leave Development Mode at Off.

Step 6: Configure Page Rules

  • Add a page rule to Always Use HTTPS for http://*.yourdomain.tld/* and set it to On.
This not only redirects http traffic to https, but also enforces it.

Step 7: Configure Network

  • Set IPv6 Compatibility to On.
  • Set WebSockets to On.
  • Set Pseudo IPv4 to Off.
  • Set IP Geolocation to On.
IP Geolocation might be needed for proper analytics (such as Google Analytics) of your blog. If you want to use Google Analytics you need to configure the app within Cloudflare for that.

Step 8: Configure Scrape Shield

  • Set Email Address Obfuscation to On.
  • Set Server-side Excludes to On.
  • Set Hotlink Protection to Off.
You might want to configure some different settings here (especially when you are hosting images that you don't want to be hotlinked).

Some considerations

There are two things you need to consider.
  • Update your template, code and scripts: It is likely that you will need to update the template and all your posts. Content may be loaded through embedded code or scripts over an insecure channel (http) instead of a secure one (https), and browsers block or warn about such http resources on an https page. Therefore, test every page and post of your blog for such errors.
  • There is still no end-to-end encryption: Keep in mind that there is still no end-to-end encryption. All the traffic from the browser to Cloudflare is encrypted. Cloudflare gets the resources from Blogger over plain http and sends them to the browser, so anyone on the path between Cloudflare and Blogger, and Cloudflare itself, can see those requests. What the visitor gains is that, for instance, their Internet Service Provider does not know which pages on the blog they are visiting.
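Checking every page and post by hand, as described in the first consideration and earlier in the template clean-up, does not scale, so here is an added example (not the author's code or a Blogger or Cloudflare feature) that scans HTML for the http:// references that break an https page. It separates "active" content (scripts, stylesheets, frames), which browsers block outright, from "passive" content (images, media), which they warn about or upgrade, and ignores plain `<a href>` links, which are navigation rather than mixed content. The template and hostnames below are constructed for the example.

```python
"""Scan a page or template for http:// resources that break an https page.

Added example for this post, not the author's code. The sample template is
constructed; the hostnames are not real. Feed the function your exported
Blogger template or the HTML of a rendered post.
"""
from html.parser import HTMLParser

# (tag, attribute) pairs whose http:// value a browser refuses to load on https...
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
# ...and pairs it only warns about or upgrades.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

SAMPLE_TEMPLATE = """<html><head>
<link rel="stylesheet" href="http://cdn.example/theme.css">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="http://widgets.example/share.js"></script>
</head><body>
<img src="http://img.example/header.png">
<img src="//img.example/logo.png">
<a href="http://oldsite.example/article">a plain link, not mixed content</a>
<iframe src="http://video.example/embed/123"></iframe>
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collect (line, tag, url) for every insecure resource reference."""

    def __init__(self):
        super().__init__()
        self.active = []
        self.passive = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute names arrive lower-cased
        line = self.getpos()[0]
        # <link> is only active content when it pulls in a stylesheet.
        if tag == "link":
            if "stylesheet" in a.get("rel", "").lower() and a.get("href", "").lower().startswith("http://"):
                self.active.append((line, tag, a["href"]))
            return
        for bucket, pairs in ((self.active, ACTIVE), (self.passive, PASSIVE)):
            for t, attr in pairs:
                if tag == t and a.get(attr, "").lower().startswith("http://"):
                    bucket.append((line, tag, a[attr]))


def scan_mixed_content(html):
    """Return {'active': [...], 'passive': [...]} for the given HTML source.
    Protocol-relative (//host/...) and https:// references are not reported."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return {"active": scanner.active, "passive": scanner.passive}


def suggest_https(findings):
    """Map each reported URL to its https:// form. Whether the host actually
    serves it over https still has to be verified before editing the template."""
    return {url: "https://" + url[len("http://"):] for _, _, url in findings}


if __name__ == "__main__":
    result = scan_mixed_content(SAMPLE_TEMPLATE)
    for kind in ("active", "passive"):
        print(f"{kind} mixed content ({len(result[kind])}):")
        for line, tag, url in result[kind]:
            print(f"  line {line}: <{tag}> {url}")
```

On the sample, the stylesheet, the share widget and the iframe are reported as active (these would be blocked outright), the header image as passive, and the protocol-relative logo and the plain link are left alone. Run it over the exported template and over each post's HTML before flipping the blog to https.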

My results so far on my move to Cloudflare

  • 2,257 unique visitors with 21,855 requests in total.
  • 62% of the traffic was served over SSL.
  • 197 threats stopped:
    • 151 originated from Ukraine.
    • 30 originated from France.
    • 12 originated from United States of America.
    • 4 originated from Israel.

Conclusion

Although full https is the best way to protect your website, the maximum has now been done for hosting a blog on Blogger with a custom domain name. All traffic between the visitor and Cloudflare is encrypted, and only Cloudflare makes plain http requests to my blog. This way privacy is better protected, and due to the firewalling the security of the blog is better protected too.

And last but not least, it also reduced spam comments on my blog, which had become quite a nuisance!