Webinar – Outsource Magazine – March 16th

We want to wish Outsource Magazine good luck as they relaunch their webinar program, Time to talk Talks.

This is the program in the words of the Editor,  Jamie Liddell…

Each month (the third Wednesday of every month, to be specific) I’ll be sitting down with four or five luminaries from different corners of the community, to discuss what’s hot (and what’s not) for them in a series of short one-on-one interviews, before throwing the panel to the mercy of the audience for some general Q&A in the second half of the show.

We are also delighted that one of the luminaries on the launch webinar, will be our very own, Mike Gillespie. Don’t forget to email questions in ahead of the event and sign up via the link…

http://outsourcemag.com/time-to-talk-talks/

 

 

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In February, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website…

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

TalkTalk advised not to talktalk about their breach?

According the International Business Times, the Metropolitan Police advised TalkTalk not to discuss their breach. (you can read the article here)

Here, in conversation on the topic , is Advent IM Directors, Julia McCarron and Mike Gillespie and Security Consultant, Chris Cope.

Chris Cope

“This is interesting as it shows the 2 different priorities at work.  For the police, the key aim is to catch the perpetrator.  This often means allowing an attacker to continue so they can be monitored on the network and their activities logged and traced without causing them to suspect that they are being monitored in such a way.  The Cuckoos Egg details how the Lawrence Berkeley Lab famously did just this in response to a hack of their system.  However, TalkTalk have a duty of care to their customers.  If personal information could be used to steal money, then they must weigh up the advice from the police, along with the potential impact of not publicising this attack on ordinary people. Its easy to see how a CEO can be caught in between trying to help the police, but also attempting to limit the damage to their customers.  Ultimately it’s a difficult decision, but one that could be made easier with correct forensic planning, i.e. working out how to preserve evidence of an attack, which can be provided to the police, whilst ensuring that normal services continue and customers are warned.  Making these decisions during an actual incident will only make a stressful time even more so; far better to plan ahead.”

Julia McCarron

“Totally agree … something to add…

This is a classic case of being stuck between a rock and a hard place. As Chris quite rightly says two different objectives were at play here and each had its merits. Ultimately it was a difficult decision to make but you can’t knock TalkTalk for once, as it appears to have been an informed one.

Whilst I also agree with Chris on the forensics front, experience has shown us that staff need to be aware of what to do ‘forensically’ in the event of an incident and this is often where the process falls down. Because such incidents are usually rare, the chain of evidence is often corrupted unintentionally because no-one knows what to do, or it’s no longer available due to the time lag in occurrence and detection.

Intrusion detection systems along with other technological measures will be an asset in reducing that time lag but key to success is scenario training. In the same way as we are seeing Phishing tests becoming the norm, especially in customer facing organisations like TalkTalk, is there a place for forensic readiness testing to ensure staff know what to do when a security attack occurs? Then vital evidence is at hand when hacks like this occur and the force awakens.”

Mike Gillespie

“Totally agree, Chris. It’s a tough balance but the protection of the consumer should always come first in my opinion.

Forensic readiness planning is key and continues to be a weak area for many organisations – linking this with an effective communication plan is vital – and as with any plan it needs to be properly tested and exercised…….as do all aspects of cyber response…..using appropriate scenario based exercises.

All of this should be designed to drive continual improvement and to ensure our cyber response evolves to meet emerging threats.”

If you would like support for Cyber Essentials and completing your questionnaire, you can find details here. 

SAFE HARBOUR RETURNS…

From Dale Penn, Advent IM Security Consultant

Safe Harbour was a process by which US companies could comply with the  EU Directive 95/46/EC on the protection of personal data when transferring data “across the pond”

Intended for organizations within the European Union or United States which store customer data, the Safe Harbour Principles are designed to prevent accidental information disclosure or loss. US companies can opt into the program, as long as they adhere to seven principles and 15 frequently asked questions and answers (FAQs) outlined in the Directive.

These principles must provide:

Notice – Individuals must be informed that their data is being collected and about how it will be used.

Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.

Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.

Security – Reasonable efforts must be made to prevent loss of collected information.

Data Integrity – Data must be relevant and reliable for the purpose it was collected for.

Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.

Enforcement – There must be effective means of enforcing these rules.

Businesses have been using Safe Harbour for the past 15 years to help them get around the cumbersome checks to transfer data between offices on either side of the Atlantic.

However earlier this month the Court of Justice of the European Union (CJEU) stuck down Safe Harbour largely due to the ability of US intelligence service to gain access to transferred personal data. It took the view that the intelligence service had access beyond what it considered strictly necessary and proportionate for the protection of national security. Coupled to this is a lack of any right for non-US persons to seek legal remedies in the US for misuse of their data.

Do not despair! On the 29^th October 2015 Reuters reported the following comments from the U.S. Secretary of Commerce, Penny Pritzker:

               “The so-called “Safe Harbour 2.0” agreement currently being negotiated will meet                               European concerns about the transfer of data to the United States, a solution is within hand”   

               “We had an agreement prior to the court case. I think with modest refinements that are                being negotiated we could have an agreement shortly”.

So there you have it Safe harbour will be modified and reborn as Safe Harbour 2.0. And as the CJEU have imposed a 3 month deadline to find an appropriate solution, it should be here by early next year.

Have you got the energy for another breach…?

Julia McCarron, Advent IM Director, looks at the British Gas breach that saw customer details published online and the energy giant claiming they had not been breached and the details must have come from elsewhere…

So let’s get this straight. The email addresses and passwords definitely belonged to British Gas customers? Tick. They definitely accessed British Gas customer accounts? Tick. But the data didn’t come from British Gas? Dot. Dot. Dot.

It appears that where there’s blame there’s a claim. British Gas are blaming everyone else’s recent security incident misfortunes and claiming it’s the result of information from other data breaches being pieced together, testing passwords which were re-used across multiple accounts. Or they’ve been uncovered from the result of a phising campaign. One or the other …. They’re not sure which.

Is this possible? Well yes in today’s sophisticated technological world it probably is to be honest. And that’s quite scary and brings us round to a common theme of ours …. Password management.

Every action we do online these days requires a password. Shopping accounts, banks, building societies, utility suppliers, pensions, social media, YouTube, movie streaming, e-reader accounts ….. And what do we have a tendency to do? Use the same password so that we don’t forget it. What else do we do? Use the cat’s name and granny’s date of birth. For those of us working in security, or an organisation with a good security culture, we are aware of the bad practice this demonstrates but many consumers out there have not grown up in an electronic information security environment. This makes British Gas’ claim a distinct possibility given the sophistication of the unethical hacker community.

Recent guidance issued by CESG and the Centre for the Protection of National Infrastructure (CPNI) explains how passwords are discovered.

Attackers use a variety of techniques to discover passwords, which include:

• social engineering eg phishing; coercion.
• manual password guessing, perhaps using personal information ‘cribs’ such as name, date of birth, or pet names.
• intercepting a password as it is transmitted over a network.
• ‘shoulder surfing’, observing someone typing in their password at their desk.
• installing a keylogger to intercept passwords when they are entered into a device.
• searching an enterprise’s IT infrastructure for electronically stored password information.
• brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found.
• finding passwords which have been stored insecurely, such as handwritten on paper and hidden close to a device.
• compromising databases containing large numbers of user passwords, then using this information to attack other systems where users have re-used these passwords.

In business we can do something about this through implementing policies and procedures, providing security awareness training to our staff and implementing technical controls that prevent, detect and monitor activity to reduce the risk of a data breach.

The general public may not have the knowledge or resources to implement these controls, and arguably the likes of British Gas need to help their users cope with password overload. The same CESG/CPNI guidance suggests how service providers might do this.

“Users are generally told to remember passwords, and to not share them, re-use them, or write them down. But the typical user has dozens of passwords to remember – not just yours. Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

• Only use passwords where they are really needed.
• Use technical solutions to reduce the burden on users.
• Allow users to securely record and store their passwords.
• Only ask users to change their passwords on indication or suspicion of compromise.
• Allow users to reset passwords easily, quickly and cheaply.
• Do not allow password sharing.
• Password management software can help users, but carries risks.”

So rather than simply saying “this isn’t our fault” British Gas could perhaps be ‘looking after our world’ by improving how their customers manage their passwords? They may have got to 9/10 boiler breakdowns the same day last year but 9/10 password breaches won’t be good enough.

https://www.gov.uk/government/publications/password-policy-simplifying-your-approach/password-policy-executive-summary

Attack Trees

Following on from his last popular post, Advent IM Consultant, Del Brazil turns his attention to Attack Trees.

Recently the SPF Mandatory Requirement to use the HMG IS 1&2 Technical Risk Assessment methodology was withdrawn and has resulted in organisations being afforded the luxury of identifying and using a more appropriate and manageable risk assessment applicable to their business.

It was well known that the HMG IS 1&2 methodology was somewhat cumbersome resulting in Risk Management Document Set (RMADS) being over 200 pages long.  The HMG IS 1 & 2 risk assessment generally produced very technical and jargon filled results which were not very presentable or understandable to stakeholders.

Amongst the plethora of risk assessment methods is the Attack Tree concept which was first developed by Bruce Schneier.  This method seeks to highlight any attack by focusing specifically on the root of any attack and what the potential conditions the attacker requires to meet to commission the attack.  It is widely used throughout the United States and is a recognised risk assessment method used in defence and aerospace industries for the analysis of threats against computer systems and tamper resistant electronics systems.

Although it is possible to compile/generate an Attack Tree from scratch using some form of document to capture the tree accompanied by a spread sheet to formulate any calculation.  The benefits of Attack Trees can only be truly realised through the use of bespoke software which enables the risk assessor to input a number of variables and/or countermeasures.

The Attack Tree method allows the risk assessor to compile various reports and presenting them to stakeholders in a more manageable and/or graphical format.  The manipulation of the results/data enables stakeholders and risk assessors to test the potential effectiveness of any proposed countermeasure prior to outlaying any funds or resources in order to defeat or deter any potential attack.

One of the drawbacks to using bespoke software is that the user needs to receive a degree of training to ensure that they have the ability to fully utilise the software.  As with all software and training requirements there is an associated cost which has to be considered by the organisation.  There is also the danger that the organisation becomes reliant upon a limited number of personnel being trained/familiar in the use of the software resulting in the possibility of a select few individuals within the organisation being able to produce Attack Trees.

A major benefit to using the Attack Tree methodology is that the same risk assessment results can be presented numerous ways to different stakeholders easily highlighting any potential risk to the organisation.  This can be either from a perspective of financial loss, likelihood of attack or cost to the attacker etc.

It is the opinion of the author that although the Attack Tree methodology has a great deal to offer and has the potential to be more useful to organisations; however the cost of the software and time taken for individuals to be trained and become familiar with the methodology should be considered before organisations jump into the unknown.

At present there are numerous organisations who are continuing to use the HMG IS 1& 2 methodology to carryout risk assessments.  As there is no longer a mandated methodology to be followed it is of the opinion of the author that organisations should consider seeking a more manageable, repeatable, understandable and business orientated methodology.

Currently there is no approved or recommended risk assessment methodology being highlighted by  CESG – National Technical Authority for Information Assurance, which is the technical arm of GCHQ; although there is still the potential for CESG to recommend a specific methodology potentially resulting in organisations having to realign themselves to this approved method after investing heavily in Attack Trees.  Obviously there is the possibility that the Attack Tree methodology is adopted by CESG and being recognised as the standard for which all HMG systems are to be risk assessed against.  At present no decision has been made by CESG on any methodology and there are no timescales for any decision to be made.

Infosec and IFSEC 2015…how to find us

It’s that time of year again!

If you are hoping to meet up with us at either of these two important events, you can find Gareth Williams on stand S70 near the BIS Innovation Zone on Day 1 (2nd June) of Infosecurity2015. You can email us at bestpractice@advent-im.co.uk or tweet us @Advent_IM to arrange to meet him.

Mike Gillespie is presenting and chairing several events this year at IFSEC  (June 16th, 17th and 18th) and new dates/slots are being added to the IFSEC website shortly.  You can keep updated via our website too or contact us as per above, if you would like to meet up with Mike or Ellie at IFSEC.

Successful Cyber Essentials and IASME Certifications for Advent IM!

Successful Cyber Essentials and IASME Certifications for Advent IM

The independent holistic security specialists gain successful certifications to both schemes

Advent IM Ltd, the UKs leading independent holistic security consultants today announced their successful certification to both Cyber Essentials, the UK Government’s cyber security assurance scheme and IASME  Information Assurance standard for SME’s.

Operations Director, Julia McCarron said, “We are delighted to have gained these two worthwhile certifications. It was a natural step for Advent IM as we already have ISO27001 and were keen to embrace the UK Government’s schemes. It is a great way of continuing to assure our supply chain partners of how seriously we take Information Security and having ISO27001 meant we were already very well placed for success.  We walk the walk as well as talk the talk! We are already helping our clients through Cyber Essentials with great success.”

Some further information on the Cyber Essentials Scheme

The UK government’s Cyber Essentials scheme was developed earlier this year with the IASME Consortium, a local Malvern company, representing small companies on the drafting panel. The development of this scheme resulted from a review of the successful cyber attacks over the last few years. They found that the majority would not have been successful if 5 simple technical controls had been implemented. These controls are quite detailed and so plenty of companies who have the international cyber standard, ISO27001, may not actually have all these technical controls in place.  Cyber Essentials is also available as a self assessment or audited version, called Cyber Essentials PLUS.

The  Government has announcement that, from 1^st October 2014, all new Government contracts associated with personal or sensitive data will only go to companies with Cyber Essentials certification. Large companies will also be encouraged to enforce this down through their supply chains.

 Some further information on the IASME Standard

A recent call for evidence by the UK Government concluded that the best governance standard for small companies was the IASME standard developed and run by a local small Malvern company.  The standard itself was developed using government funding with the aim of finding a small company alternative to the international standard (ISO27001). The IASME standard focuses on both governance and technical security. It includes aspects like a security policy, staff awareness, risk assessments, business continuity plans and back-up processes. These ensure that you understand your risk and are managing your security effectively. Accreditation is available either as a self assessment or a fully audited assessment

 

 

 

Issued:  26.09.14                             Ends                                                    Ref: CE/IASME/1/ Advent

 

 

 

 

NOTES TO EDITORS

 

About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats.

 
From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project management methodology widely used within the public sector, CISSP qualified and Home Office trained physical security assessors.

Public Sector Senior Information Risk Owner Training

There are a couple of places left on the 9th July intake.

Details here http://www.advent-im.co.uk/siro.aspx

Hurry, its first come first served.

You can book the October course from the same link.

NB. This is Public Sector only. If you are from the private sector and are looking for Information Security training, please contact us on 0121 559 6699 or 0207 100 1124 or email us at bestpractice@advent-im.co.uk

Heartbleed – some info and some advice

If we can help then get in touch but here is some information for you.