Some top security tips that ALL employees can use

When it comes to security, one thing is clear, people occasionally do daft things with computers and devices, and they frequently do these daft things at work. They occasionally do malicious things too but it’s mostly just daft. So we can train our employees (including managers and directors) in our procedures and policies and enforce them. In fact, spending as much time thinking about the best way to train different teams is never time wasted because it gives you the chance to use their language and create something nuanced that will make a genuine difference, which is, after all, the whole point of doing it.

Looking at some of the data that came out of Vormetric’s Insider Threat report, in actual fact, those privileged users are still posing a security headache to many of the respondents. They may be System Admins or senior colleagues who are simply not restricted or monitored in the way other employees are…these are the ones who can access very sensitive or valuable information and so need to be even more hyper-vigilant in their behaviour. But let’s face it, one phishing email clicked and payload of malware downloaded is all it takes and that could be done by an MD or a temp.

I asked the team here at Advent IM to come up with some practical tips that all employees can use, regardless of their role,  to help protect their organisations and enhance their understanding of the vital role they play in securing assets.

• That email telling you there’s a juicy tax rebate waiting for you but it needs to be claimed immediately, hasn’t come from the Government. It’s  a phishing email. Clicking that link will allow malware to be installed and all your personal information to be stolen. Do not click on links in emails you are not expecting and if in any doubt refer to your security manager.
• Never set your smartphone to allow download and installation of apps from sources other than an approved store. Changing this setting can allow malware to be installed without your knowledge and could result in you being a ransom ware victim.
• Always report security breaches immediately to your line manager to facilitate any counter compromise action to be undertaken as deemed necessary. If the organisation isn’t aware of it, the event could worsen or spread. Containment and control is vital as quickly as possible.
• Archive old emails and clear your deleted & sent folders regularly as a clean and tidy mailbox is a healthy mailbox.
• Never discuss work topics on social media as your comments may come back and bite you!! You could also be compromising your employers and colleagues security and increasing the likelihood or the ease of an attack.
• Don’t worry about challenging people you do not know who are not wearing ID or visitor badges. It may seem impolite but Social Engineers use inherent politeness to their advantage and can then move round a site, potentially unchallenged.
• Don’t allow colleagues to use your login credentials, this goes double for temps and contractors. Think of it like lending your fingerprints or DNA to someone, would you do that so easily? Any activity on your login will be attributed to you…
• Do you really need to take your work device to the pub with you? More than a quarter of people admit to having lost (or had stolen) up to 3 work devices and more than half of them were lost in a pub!
• Don’t send sensitive documents to your personal email address. If there is a security measure in place, it is there for a reason..
• Don’t pop any old USB into your PC. Nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and potentially, that of their employer. It could have anything on it! exercise caution.

Some of the findings on Insider Threat from the Vormetric 2015 survey…

Social Engineering – Still the best attacker exploit – guest post from Dale Penn, Advent IM Security Consultant

Another great post from one of our consultants, this time from Dale Penn on the topic of Social Engineering.

Introduction

Social engineering is still the most prolific and successful method of hacking. It is a non-technical attack that relies on a user being tricked or coerced into some form of action which presents the attacker with a window of exploitation and can bypass even the most robust of technical controls. It is much easier to coerce a member of staff into providing information than is to mount a technical attack on a web application or network connection.

It is important to note that the threats from Social engineering tactics are almost always under rated by enterprise organisations even though they form an integral part of most modern day attacks. The reason behind this is that there currently exists a trend within enterprise organisations to fixate on the technical solutions to information security threats and neglect the human element.

Any organisation that wants to protect its information assets must be aware of the current Social Engineering threats.

The top 3 Social Engineering Methodologies

Phishing – This is the practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information. A Phishing email will usually contain a link which will redirect the user to a false webpage where they are asked to provide personal information such as usernames and passwords. Once entered this information is captured and ready for use by the hacker. Gone are the days were Phishing emails will contain poor grammar and spelling and were easy to pick out. Modern day Phishing emails are professionally created and very convincing.

 

Vishing – This is the practice of eliciting information or attempting to influence action via the telephone, may include such tools as “phone spoofing.”  A common attack method is to call a user within an organisation and pretend to be the IT Helpdesk. From there the attacker will coerce the user into “confirming” their user name and password

We all want to help – naturally. We also want to make the shouting stop…

Pretexting – This is the practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system. This is where where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity. More advanced attacks will also try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organisation or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting them into the building.

Counter Measures

1. Education, Education, Education – All users should be appropriately trained to recognise these methods of attack. The work force should adopt a culture of healthy scepticism when approached for sensitive information and not take things at face value.
2. Develop policies and procedure to identify and handle sensitive information so staff will know what is sensitive to the organisation and what they can and can’t do with it.
3. Introduce appropriate technical defences which limit the methods of these attacks (i.e. block inbound emails with active links)
4. Review your security controls regularly to ensure they are still appropriate.

2013 over the shoulder

Time for a bit of a look back…sort of

The rise and rise of BYOD, the discovery that Ebay is not the appropriate place to divest yourself of NHS Patient data and the increase in malware and not just any malware – mobile malware. These were a few of my (least) favourite things of 2013.

It may seem churlish to poke a stick at the rise of the enormously populist BYOD but its actually connected to the concern around the rise of mobile malware. 2013 saw Blackberry drop off the business cliff and Android devices rise to start to fill the gap. According to the latest stats from Gartner 4 out of every 5 devices in the last quarter were Android powered (driven by growth in China). This proliferation has a knock on effect because this means more employees with be BYODing with Android devices and also more business are choosing them as their business issued device. At the same time, we are reading that Android devices are the top target for malware and malicious apps. I recently heard BYOD described as ‘anarchic chaos’. Let’s see what epithet we can come up with after another year of Android malware…

Looking at Ebay as the place to send your old drives full of (personal) data…hopefully everyone has learned some massive lessons from this incident in Surrey NHS and will be doing due diligence on whoever they procure/source to carry out the destruction of this kind of data in future. Remember, any organisation that has certified to a standard like ISO27001 will welcome an audit so they can prove to you how seriously they take IS processes. This can offer some kind of reassurance and form part of that due diligence.

‘Cyber’ has been a headline grabber all year for many different reasons. Some of the time has been related to the NSA and GCHQ revelations and so Cyber could also have meant privacy. Some of those headlines have related to Cyber Security and the Government commitment to getting UK PLC fully on board with knowledge, understanding and protection. Of course, “hacker” is another word rarely out of the headlines and previously on this blog I have taken issue with media use of both of these words. Largely because it can be misleading, I won’t bang on about it again and you can read the previous blog post if you choose. However, I do think that this continued laziness will encourage people to think that security is an IT issue and therefore, someone else’s problem as opposed to a business issue that needs to be addressed at C-Level.

Phishing and Spear Phishing continue to bleep away on every Security professional’s radar. Whilst scatter gun phishing may not be growing especially, its clear that targeted or spear phishing is increasing. This also relates to my previous point about ‘hacking’ and ‘cyber’ as frequently these can be pre-emptive strikes for a full on attack or part of a broader Social Engineering attack to facilitate or enable a hack or cyber attack. If you want to read more or hear more about that then you can read our posts here and see our presentation here.

The phishing issue is a serious business and employees need proper and regular training on what these attempts look like and how to deal with them. That is not just your standard phishing attempt from someone telling you your bank account is compromised (I had an amusing one recently from Honestly Barclays Security), but a sophisticated phish from soemone who has obtained your email address and is trying to pass themselves off as someone else in order to gain access of information. This requires bespoke training from an employer. Software or a firewall may not protect you from them…

Lastly how our physical world interacts with our cyberworld. 2013 saw Google Glass arrive and the invention of a whole new insult, Glassholes (not mine, don’t shoot the messenger). Some misgivings and some misunderstandings around Google Glass merely serve to remind us that though we are raising a generation that thinks nothing of handing over their privacy in order to get a free app or free wi-fi, there are still enough people concerned about the march of technology ahead of security to make pursuing secure progress worthwhile.

We also saw the mainstream expansion of household items that are web enabled and several furores over TVs that apparently spy on their owners. Add to the list fridges and cars for next year and lets see what else is either causing ‘spying’ headlines or is being hacked by cybercrims. In the business world, smart buildings with IP security and building management systems are becoming increasingly aware of the threat from cyberspace. You can watch our presentation on the topic here. You will need sound. Making sure we buy secure security systems sounds mad, but actually it isn’t happening enough. These systems are sat on networks, needing firewalls and patching and anti virus just like our other systems. We cannot assume because a system is a security system then it is inherently secure.

Remember, everyone in an organisation is part of that organisations’ security. An information asset might be an email or electronic document, but it might also be a fax, a cardboard file,a piece of paper or an overheard conversation about intellectual property. They all have to be protected and a firewall isn’t going to cover it all.

No doubt we will have some predictions for 2014 soon….

Phishing, accountability and security awareness

Phishing – do employees recognise it when they see it?

In the last week I have received around twenty phishing emails. These have varied from Linkedin connection requests, to Bank Account reset instructions and Paypal alerts that my security had been compromised…the irony of the last one did not escape me. In this period, I also took a worried phone call from a friend who had been called by someone who said they were working on behalf of Windows and that his PC needed to be remote cleansed and could they have access to it please…. they gave him a fake website address and refused a phone number for call back, then hung up. Its a scam that has been doing the rounds since about 2008  ( I’m sure you’ll correct me if I’m wrong!) He was working from home at the time and connected to his businesses network.

So in the first cases of the emails, it was fairly clear to me that these were phishing attempts. They were not targeted at me or at Advent IM specifically, just chancers doing what chancers do.  The Paypal email was the most disturbing because it was better designed than the others. In all cases though, a brief visit to my Linkedin inbox, online bank account and paypal account respectively (and not through the ‘helpful’ links offered in the phishing emails) proved that each were fake and I reported them. It made me wonder how many businesses actually train their staff in recognising them as security threats and how to subsequently deal with them.  I saw a debate on Linkedin recently about holding individual employees responsible for security breaches and terminating their employment as a result. It included a poll. Many felt that if adequate (no definition included, sorry) training were supplied and a properly enforced and educated policy were in place, the breach was felt to be a result of employee negligence and therefore they should be held accountable. ‘Adequate’ is a relative term I appreciate, I do feel however that it should include ‘regular refresh and update’ within it as well as regular review of the scope – threat changes.

The other part of the example I mentioned at the start was altogether more sinister. This was an individual actually picking up the phone and posing as an IT expert, offering a free service on behalf of a household name. It is easy to see how many people could be duped by this. Working at home in this case, means that the person was connected to their company’s email systems and information network. Luckily, the person concerned smelled a rat and asked awkward questions which resulted in the phishers exiting as quickly as possible. Not everyone might realise this was actually an attack and the result could be not only the loss of their personal information or even financial compromise but also potential compromise of their employers network. In this case, no training had been given in spotting an attack of this kind. If the individual involved had not realised this was nefarious, would it be fair to penalise them? After all this kind of attack was not included in the ‘adequate’ security awareness training they received.

This IT support approach was also employed in the recent attacks on Barclays and Santander, when an individual actually entered branches of those banks and installed or attempted to install desktop cameras to enable a hack. The individual was posing as an IT repair engineer in both cases.  It is far more targeted and part of a concerted campaign. Phishing emails are also sometimes targeted toward individuals, again normally part of a broader campaign and not a scatter-gun phishing expedition to see who bites. This is more aligned to the Social Engineering approach. Specific information or access will be the target and so it differs from the mainstream approach and by definition makes it far more difficult to quantify and therefore provide training for awareness. That doesn’t mean that we shouldn’t do it. Particularly if we  are keen to move down the road toward individual accountability.

 Incidentally if anyone is interested in watching a video in which the ‘Windows/Microsoft” scammer tries it on the wrong person…..click here

Hacking Pacemakers, Traffic Systems and Drones – Cyber and Physical Worlds Collide

The Telegraph today ran a piece on a subject close to our hearts here at Advent IM, namely the cyber threat to our physical world. You can read it here

Regular readers will know we have expressed concern before that language can create barriers or false realities that can leave vulnerabilities and the prevalence of the use of the word ‘cyber’ is a good example of this. Cyber to most people conjures up the ethereal world of the hacker – that strange and dangerous electronic hinterland that few really grasp. Of course, this is dangerously inaccurate as many systems that control our physical world are networked and can therefore be hacked.

The late Barnaby Jack showed the world how he could hack into an insulin delivery system in a patient to effectively overdose that patient, he also managed to hack into an ATM system which then dispensed cash like a waterfall. The two worlds are converging quicker than our security awareness is growing.

Bringing the threat to our critical national infrastructure to the attention of the public at large is in one way unnerving but also very necessary.

Please have a look at our presentation on the topic, you will need sound…

Presentation with voice over from Mike Gillespie

Cyber Attack and Hack – Is Our Use of Language Creating Security Vulnerabilities in Our Thinking?

Hacking and Cyber attacks have hardly been off our media front pages for a long time. But are businesses and organisations misleading themselves by referring to these incidents as ‘hacks’ or as ‘cyber attacks’? Are businesses actually limiting their thinking and thereby creating vulnerabilities by mislabelling these important events? There is a strong indication this might sometimes be the case.

When we talk about hacking we think about a variety of activities, from the lone, disruptive back-room coder, to the determined and resource-laden gurus of cyberspace who can 

apparently enter our systems at will and remove whatever data they want – maybe government funded but definitely expert and dangerous. Of course, both of these exist but if recent surveys give us any indication of how much these remote threats actually affect our businesses and organisations on a daily basis, it would appear an important part of the threat puzzle is missing. 

According to the Verizon Data Breach Report 2013, more than three quarters of breaches utilised weak or stolen credentials. So either the malfeasant has taken a solid guess that the password will be ‘password’ or has potentially stolen a passcard to a server room or a myriad of other activities which are not hacking but are breach enablers. So the myth of the remote hacker is revealed, at least in the majority of cases to be just that, a myth. With 35% involving some kind of interaction in the physical world, such as card-skimming or theft it underlines the need to move the security focus away from solely cyber.

The same report showed that in larger organisations, ex employees were the same level of threat as existing managers. If we refer to the previous stat then a proportion of those stolen credentials could actually come from ex employees using their old credentials or credentials they had access to, in order to access company networks as happened in the ‘Hacker Mum’ story

Nearly a third of breaches involved some kind of Social aspect, this could be coercion of an existing employee, a phishing campaign or simply walking into a building and charming a staff member such as a receptionist (mines of information that they are) on a regular basis to get information on staff comings and goings etc. It could also involve surveillance of a business over an extended period, including its staff, visitors and contractors.

So the actual ‘hack’ or ‘cyber attack’ is quite an extensive way down the line in this kind of breach. It could have been in planning for months. On one hand this is worrying because our language has encouraged us to focus our attention on only one part of the process. It enables the already prevalent, ‘IT deals with security’ mindset, we have discussed in previous posts.  But in enabling this narrowed view, we are creating a vulnerability and ignoring the opportunities we will have had along the route of this breach to have halted it before anyone even logged on to anything.

A comprehensive program of Security Awareness training in-built into everyone’s role and that training being regular and refreshed, is one helping hand in preventing the attack reaching the actual hack stage. Simple things like ensuring everyone knows not to click on uninvited or suspicious looking links in emails for instance. Being aware of unfamiliar faces  in a building, regardless of whether they are wearing a high vis jacket or lab coat for instance. Social engineers love to hide in plain sight. 

So use of language has ruled out these elements being considered by all staff members, they hear the words ‘cyber’ and ‘hack’ and think it is IT’s responsibility and then carry on as normal. There are many points at which the hack could have been prevented by basic security hygiene or good practice.

It underlines to us that threat to our businesses and infrastructure are holistic and so should the response to that threat be. Yes, there is a threat from the faceless hacker, the determined and well funded professional as well as the random and opportunistic ‘back-bedroom warrior’. But many businesses and organisations are facing a people based threat first.  An old vulnerability being enabled in a new way – language.

 

Upcoming Event – The Security Institute Annual Conference

Mike Gillespie – Advent IM MD, and Director for The Security Institute

We are delighted to announce that Mike Gillespie will be one of the guest speakers at this important and prestigious event.

It will be held in London on June 19th and you can download the flyer with details of the event and how to book  here A5 Delegate Flyer.

Mike will be talking about Insider Threat, Social Engineering and Cyber Attack, details of the modules and other speaker topics are on the flyer. It promises to be a highly informative event with some excellent speakers and topical subject matter.

It is open to members and non-members and offers the conference, exhibition and dinner.

We hope to see you there and don’t forget if you would like to meet up you can tweet us on the day @Advent_IM

Social Engineering – a fascinating look from a real expert….

Helpdesk1 to Helpdesk 2, come in. Over.

Readers of this blog will have encountered our security-based content on the concept of Social Engineering before. This post is a fascinating glimpse from a firsthand user – the pitfalls, the uses and the reactions.

Are your colleagues security aware enough to be able to keep their nerve and stick to policy when faced with challenging and anxiety-raising situations like we see detailed below?

Would you or your colleagues recognise any of the characteristics of a Social Engineering attempt? It’s not just about having a policy but about everyone understanding it  and feeling confident enough to apply it…to everyone. Do manners and cultural norms play a part in how the social engineer gets either access to or information on, things that they shouldn’t? Reading this account, undoubtedly. Including a module on Social Engineering would be  a very wise idea in any organisations’ Security Awareness Training program.

IT Helpdesk 1 to Helpdesk 2 – “Who was that on the phone?  I could hear him shouting and threatening you from here”.

IT Helpdesk 2 to Helpdesk 1 – “The CFO… who’s trying to work on his laptop, from home.  He can’t login……again, he said.  He wouldn’t let me talk him through anything, said he’d done everything I tried to suggest, he just wouldn’t listen to any of our standard procedures.  He just kept shouting and saying, he’d be in here tomorrow to fire me, and have me escorted off the premises.  All he wanted was for me to reset his password and check his complete authentication process details, so he could get some work done.   He said he didn’t want a confirmation email or a Helpdesk ticket on the system, telling everyone he couldn’t use his laptop, and I wouldn’t want him telling the head of ICT that I couldn’t or wouldn’t, help him out”.

IT Helpdesk 1 to Helpdesk 2 – “What an ar5e!”……..

“A common enough Social Engineering attack, from the perspective of the recipient of the attack, one I’ve used many times myself. The tools of the Social Engineer are Manipulation, Domination, Coercion and then end with the hope of a Carrot, after the Stick, to make them feel lucky to have escaped so lightly.  Sometimes flattery and feigned stupidity will work, but the Social Engineer needs to be confident in his/her ability and flexible enough to adapt to the emerging responses they get from the subject of the attack.  Confidence in eliciting in-depth information, by pre-loading the recipients mind with information to make your questions more readily accepted by them, is another key skill of the Social Engineer.  In the example above the CFO was selected because their personal Facebook page showed he was on holiday with the family somewhere hot and sunny that looked like Mexico.  Don’t get me started on Social Media, and the information people just broadcast out there, to the unknown, unrestricted and dark corners of the Internet.

We all want to help – naturally. We also want to make the shouting stop…

It’s in the human makeup to want an unpleasant or embarrassing problem to be someone else’s and not yours.  The human mind can be likened to Software we all understand, it is possible to overload the targets mind and insert custom instructions.  Just as a Hacker executes code to cause a stack or buffer overflow.  A favourite Social Engineering attack to illustrate this is when you need to get buzzed through from reception without being escorted.  You rush in trying to explain you’re there to see someone important at the company mentioned by name, you’ve been there many times before and know the way.  You rush on to say that you’re terribly late, you’re also trying to sign in and keep the initiative before the receptionist can process this overload of information, or think to do what their procedure says they should do.  This is known as ‘Pretexting’, preloading the human mind with information to support your story and persona to make it all more credible.  You then receive your pre-planned imaginary phone call, “Sorry, I have to take this” you say, the call quickly escalates and you launch into a blistering verbal assault on the person who isn’t really on the other end.  Phone still to your ear, and still giving full vent to your ire, you motion in the direction of the receptionist and towards the controlled door they will have been watching and listening most intently as you start walking towards the door.  You’ve overloaded them, you’ve inserted the belief you’re someone important, not to be denied or argued with, especially if you’re off to see one of the senior officers of the organisation, the subject of the attack will want you to say how helpful they were.   

I’ve found that 9 times out of 10, to make this horrid person go elsewhere and be someone else’s problem, you’ll get buzzed through usually with a comment from the receptionist that they’ll call ahead to say you’re coming.  As that isn’t where in the building you are really heading, that’s not a problem.  It’ll take some time for them to realise you haven’t arrived, by which time you will have found your next security obstacle to overcome or target of your next Social Engineering attack and started to penetrate deeper into the building and closer to your final goal. 

The key to becoming less susceptible to Social Engineering is to find out more about how the attackers influence and control people.  As with software Hackers, the process is not a ‘one time attack’, there will be supporting or enabling attacks, probing enquiries, all building the picture of the target organisation before the ‘Big-One’.  Remember credibility during the attack will be enhanced by the use of morsels of the truth, names or organisational details of the target organisation.  Social Engineers are hackers of people.  You need to start to think of them in that more familiar way and then your perceptions will change and you will tune in to the attack indicators that will allow earlier detection of their activities, as you already do with software hackers and malware writers.  Staff awareness of the techniques of Social Engineering can dramatically improve the resistance to Social Engineering attacks, just as the Police try to educate the vulnerable about the local activities of Con Men.”

Senior Advent IM Security Consultant

Photos: Microsoft Office

Further viewing on this topic can be found on our Slideshare stream here http://www.slideshare.net/Advent_IM_Security/social-engineering-insider-and-cyber-threat you will need sound

Social Engineering – What exactly is it and who might be victims?

Social Engineering – If you don’t work in either the security or IT industry, you may wonder what the term means and if it forms any real threat to you organisation. If you have heard the term, then assuming it is an IT issue in isolation, would be a mistake.

Social engineering can be likened to hacking attacks against information systems where a tool is used to probe those systems to exploit vulnerability.  In the case of social engineering, human attackers use guile, perhaps inside knowledge or just plain bluff to try to penetrate the defences of the individual to obtain the knowledge they are not entitled to know.  In other words, they hack information or access it from an individual.

More often than not attacks to obtain information, including sensitive personal data, are targeted against organisations by using techniques to manipulate unsuspecting staff to willingly provide information, usually because they have been duped into passing information to an individual, even though they do not know them.

The ability of an attacker to develop a rapport with the target is important, which together with some inside knowledge, acquired from research or the use of an insider, will often pay dividends to establish that familiarity that puts front line staff off their guard.  Particularly vulnerable are those at the “coal-face” – customer facing staff such as receptionists, telephone exchange or help-desk support staff.

The approaches are often apparently innocent in nature and the attacker could pose as a new or former employee exchanging gossip or advice and may request help perhaps for lost passwords.  The attacks are insidious and over time may provide nuggets of information about the organisation or individuals within it.

Another example is where access into a particular site is sought, an attacker may try to gain access by reporting to reception that they have something within a box for delivery to a named individual that research has identified is within the site.  Reception may be busy, or the attacker may time his moment by observing reception from a distance to find the right opportunity to prosecute his attack.  When challenged the suggestion that “it’s OK, I know where he is and I need a signature anyway” will often create that familiarity that will grant the intruder access.

As described above, social engineering is often linked to insider attacks, since the majority of physical or electronic attacks can be assisted in some way by an insider.  The little tit-bit of inside knowledge is used to get past the initial security perimeter be it verbal or physical.

Human nature enables social engineering to develop and become increasingly sophisticated as well as technical.  It is essential for all organisations, but particularly those that have sensitive or valuable assets to ensure that front-line staff are provided with regular training to be aware of the threat and be conscious to attack techniques.

Further information on Social Engineering and Insider threat can be found on our Slideshare account here http://www.slideshare.net/Advent_IM_Security/social-engineering-insider-and-cyber-threat you will need sound