Well, only this blog….
We have decided to move our security blog onto our newly re-designed website.
There will still be regular comment, support and opinion of course…it will just sit alongside industry news and our latest events and content.
All you need to do is click here and don’t forget to update your bookmarks.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
We want to wish Outsource Magazine good luck as they relaunch their webinar program, Time to talk Talks.
This is the program in the words of the Editor, Jamie Liddell…
Each month (the third Wednesday of every month, to be specific) I’ll be sitting down with four or five luminaries from different corners of the community, to discuss what’s hot (and what’s not) for them in a series of short one-on-one interviews, before throwing the panel to the mercy of the audience for some general Q&A in the second half of the show.
We are also delighted that one of the luminaries on the launch webinar, will be our very own, Mike Gillespie. Don’t forget to email questions in ahead of the event and sign up via the link…
http://outsourcemag.com/time-to-talk-talks/
From Chris Cope – Advent IM Security Consultant
What’s the difference between a ‘white hat’ security researcher and a hacker? As a general rule of thumb, if someone discovers a vulnerability on your system and informs you (without undertaking any unauthorised or unlawful activity in the process) then a ‘thank you’ is generally considered to be in order. There are numerous ‘white hat’ researchers who trawl software and internet sites, detecting vulnerabilities and alerting the appropriate owners or developers. Many companies have benefited from a quiet advisory and it’s reasonable to suggest that without ‘white hats’, the policy of releasing software and patching later, adopted by many vendors, would be severely undermined.
oops there goes the sensitive data
So why is a white hat researcher, Chris Vickery to be precise, in the news? Mr Vickery discovered a database on a website. The website belongs to a company called uKnowKids, this provides a parental monitoring service for your technology savvy children. The database contained an array of information that the company did not want to be made public, including in the words of the BBC ‘detailed child profiles’. However, the company claims that the information was not personal data and no customer information was at risk. Mr Vickery was able to access the data base and take screenshots, which were sent to the company as proof of the vulnerability. However, rather than thank him, the company accused Mr Vickery of risking their continued viability and claimed that his access was unauthorised. By Mr Vickery’s account, the database was in a publicly accessible area and had no access controls in place.
Since the notification, uKnowKids has patched the vulnerability.
So what can we take from this? UKnowKids obviously intended for the database to remain private. Under UK law, Intellectual Property rights provide protection for confidential information, but there is one pretty fundamental requirement – the information needs to be protected. Placing a database on a publically accessible internet page, without protection is, however, akin to leaving a sensitive file in paper format on a train. Organisations shouldn’t be surprised if information left in such a public and insecure state is read by unintended third parties.
Before protecting information, an organisation needs to understand what information it holds, and what needs protecting. Once that is established, there are a variety of means that can be used to protect it; physical controls on physical copies, labelling of information, educating staff so they understand the required handling measures and routine audits all form part of the basic protections required for all types of information. For electronic information, then one needs to consider technical measures such as access controls and encryption. When a database, containing sensitive information, must be placed in an area where it is accessible from outside the organisation, then access to it must be very carefully controlled.
In this instance, the reputation of a company, which holds intelligence on children, could have been seriously undermined if a hostile breach had occurred, even without the loss of personal information. If personal information was lost, then the financial implications could have been severe; increasingly so as new EU legislation on data protection comes into effect. So make sure that you fully understand your assets (including information) and what level of protection they require and, when designing controls, its important to ensure that the full range of counter measures, including physical, personnel, procedural and technical, are considered, properly implemented and integrated. And if you do come across a publicly spirited individual who warns you of a potential breach in your security, remember to say ‘thank you’.
This Home Office event will soon be upon us (March 8-10) and we just wanted to let you know you will be able to find us on stand Z20 in the Cyber Zone. You can find details of this event here.
Mike Gillespie will also be presenting in the Cyber
Advent IM, Managing Director, Mike Gillespie
Briefing Zone on the 9th on the subject of the cyber security of Industrial Control Systems.
Come along and meet Mike and Gareth and enjoy some great presentations, content, updates and a bit of a chat.
When it comes to security, one thing is clear, people occasionally do daft things with computers and devices, and they frequently do these daft things at work. They occasionally do malicious things too but it’s mostly just daft. So we can train our employees (including managers and directors) in our procedures and policies and enforce them. In fact, spending as much time thinking about the best way to train different teams is never time wasted because it gives you the chance to use their language and create something nuanced that will make a genuine difference, which is, after all, the whole point of doing it.
Looking at some of the data that came out of Vormetric’s Insider Threat report, in actual fact, those privileged users are still posing a security headache to many of the respondents. They may be System Admins or senior colleagues who are simply not restricted or monitored in the way other employees are…these are the ones who can access very sensitive or valuable information and so need to be even more hyper-vigilant in their behaviour. But let’s face it, one phishing email clicked and payload of malware downloaded is all it takes and that could be done by an MD or a temp.
I asked the team here at Advent IM to come up with some practical tips that all employees can use, regardless of their role, to help protect their organisations and enhance their understanding of the vital role they play in securing assets.
Some of the findings on Insider Threat from the Vormetric 2015 survey…
A post on allegations of NASA being hacked from Del Brazil of Advent IM
There have been allegations of numerous hacks into the systems controlled or operated by NASA. These have ranged from secret UFO files being accessed, through to drones being infiltrated and subsequently controlled by unauthorised persons.
This raises the questions about how secure the NASA websites, servers and systems are. There are a whole host of individuals who claim to have hacked NASA including a 15 year old who is alleged to have caused a 21 day shutdown of NASA computers, through to an individual who claims to have found evidence that NASA has or is in the process of building ‘space warships’ and finding lists of ‘non-terrestrial military officers.’
The latest alleged hack involves the release of various videos, flight logs and personal data related to NASA employees. This hack is believed to originally to have started over 2 years ago with a hacker paying for initial access; although it is not yet confirmed, it is fair to assume that this purchase would be associated with a NASA employee. The hacker then carried out a ‘brute force’ attack against an administers SSH password, resulting in a successful compromise within 0.32 seconds as the password is alleged to have been still set to the default credentials. Having infiltrated the system with an administrator’s 
password the hacker was then pretty much free to navigate his/her way around various NASA systems collecting information as they went. It’s not unusual to find CCTV systems and/or other Base Management Systems Administrator settings being still set on their default setting, what is unusual is to find that NASA has systems are potentially falling foul of this too. There were also claims that one of NASA’s unmanned drones used for high altitude and long duration data collections had been partially taken control of during the hacking with a view to potentially crashing it in the Pacific Ocean.
The information claimed to have been obtained includes 631 videos of weather radar readings and other in-flight footage from manned and unmanned aircraft between 2012 and 2013 along with personal information related to NASA employees. It is widely
image courtesey digitalart on freedigitalphotos.net
reported on the internet that the personal information obtained relating to the NASA employees has been verified by another media client, as they have allegedly attempted to contact those individuals by telephone; although it is further reported that no actual conversations took place and that verification was obtained from answerphone machines pertaining to those NASA employees. There is no reports that the same media client has received any return calls from the alleged NASA employees nor is there any documented communication from NASA’s IT Security Division, the Glenn Research Center, the Goddard Space Flight Center, the Dryden Flight Research Center, the NASA Media Room or the FBI.
This is certainly not the first and won’t be the last alleged hack of NASA. It is well known that there are a whole host of individuals who are continuously attempting to attack large organisations; whether their motive be criminal or just inquisitive you can be assured that any alleged successful hack will make headline news. Hackers are widely regarded as kudos- seekers; reputation and status hungry within their own fields and targets like this are very highly sought after.
Let’s consider the sensitivity of the alleged data? Any sensitive or ‘secret’ information is likely to be securely stored in a manner to prevent or at least deter any potential hacker; however no system is 100% secure and so there is, albeit very small a possibility that a hacker maybe successful.
NASA have responded by stating that ‘Control of our Global Hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations.’ So the old ‘he said, she said’ playground argument continues with neither party being proved or dis-proved but what we do know is that hackers will continue to attack high profile organisations for ‘Kudos’ status or bragging rights.
As it is Data Protection Day, we thought we would take a look at the current state of play when it comes to business impact from data breach and its not pretty reading…
With increasing levels of data being collected every year, now more than ever we need to ensure very high quality processes and practice in our businesses. It is certainly not something to be taken lightly and the changes to EU DP regulations which could result in penalties of 5% of global turnover for serious data breaches, it could actually mean some of the worst offenders face a very uncertain future.
If you are unsure or need some support with Data Protection, don’t leave it to chance; get some proper guidance. Data Protection done well can be a business-enhancing function; raising everyone’s game and awareness of security. It can also mean closer examination of the need to keep all of the data a business currently stores in order to comply with the Data Protection Act.
Here are some of the latest findings on the cost to UK of Data Breach.
With thanks to one of our highly experienced, Senior Security Consultants, Mark Jones…
Traditionally in our experience law firms, such as solicitors, have relied on compliance with Lexcel regulations, and the Data Protection Act, to provide adequate security measures to combat threats from say typically malicious insiders or burglars to their attractive data and information databases. In these days of cyber-based threats these traditional defences are clearly inadequate to deal with far more complex and persistent threats posed by external individuals and groups (such as Serious and Organised Crime) that have far more capability and motivation than ever before out in the Internet. Perhaps this is due to increased (or in many cases new) connectivity of law firm systems to being online 24/7 to the outside world and the additional threats that it poses and typically no single individual within the business having responsibility for information security? It is certainly…
View original post 556 more words
A post from Chris Cope CISM, CISSP, MInstISP, CESG Certified Professional, PCBCM, ISO27001 Lead Auditor and Advent IM Security Consultant
It had to happen at some point; a cyber security company is being sued by a customer for not delivering the goods. Las Vegas based Affinity gaming has initiated legal proceedings against Chicago firm Trustwave for making representations that were untrue and for carrying out work which was ‘woefully inadequate’. The point of contention was a hack on the casino’s payment card system in 2013. Affinity allege that Trustwave concluded that the intrusion had been contained and dealt with, but the casino operators later suspected this was not the case and engaged another security consultant, Mandiant, to confirm. The breach had not, allegedly, been contained and now Affinity is looking to obtain damages from Trustwave.
This is not the place to suggest what did or didn’t happen; that will be discussed, at considerable length I suspect, in the American courts. Rather, a better topic for discussion is that of contractor liability. This lawsuit is a bit of a first for the cyber security industry, although the concept of suing contractors for damages is by no means new. Countless companies and individuals have been sued for breaches of contract or for tort damages. I suspect it was only a matter of time before our industry saw similar action. But this should be taken as a wake up call.
In English Law, a consultancy firm is seen as providing a service to the customer. The 1982 Supply of Goods and Services Act, Section 13 states that ‘In a contract for the supply of a service where the supplier is acting in the course of a business, there is an implied term that the supplier will carry out the service with reasonable care and skill’. The key term here is reasonable; what would a reasonable person judge to be a service that was carried out in a competent fashion? Note, the law does not require that a contractor provides the perfect service; there is a realisation that contractors are human and to expect perfection is unreasonable.
So how then can a cyber security contractor ‘prove’ its competence and ability to deliver a reasonable service? Whilst the emphasis remains on the accuser to prove incompetence, it doesn’t hurt to ensure that a good, pro-active defence is in place. First of all, the competence of employees must be evaluated and baselined. There are a plethora of cyber security qualifications available, drawing comparisons between qualification awarded by different bodies can be difficult, but it remains perfectly possible to ensure that consultants are qualified for the tasks they are expected to perform, and perhaps most importantly of all, maintain those qualifications. Secondly, cyber security is a very broad field and being an expert in every area is almost impossible, therefore assigning consultants to tasks which suit their skills sets is hugely important. The supervision of less well qualified personnel must also be taken into account; junior staff members must be able to develop their skills, but for the customer’s sake, they must be supervised properly in the process. It’s worth companies remembering that they are responsible for the actions of their employees whilst delivering a contract, via vicarious liability. Their mistakes will come back to haunt the employer unless sufficient care is taken. We must also ensure that we appropriately manage the expectations of our customers. No venture is ever risk free and there is no one piece of technology which will solve every problem; our goals should be clearly stated that we intend to reduce the risk to an acceptable level, not eradicate it completely. If we promise too much then it’s no surprise that customers expect too much. Finally, whilst the above is correct for English Law, other jurisdictions have different rules; companies that work globally would be wise to ensure they understand the local environment properly before signing a contract.
The cyber security profession is evolving and it is only to be expected that practitioners will face greater scrutiny. Rather than adopt the position that companies like Affinity are looking for a scapegoat for their own failures, we must ensure that we are able to consistently deliver a good enough service. This may be the first such action, but I doubt it will be the last.
Senior Security Consultant for Advent IM and PCI-DSS expert, Mark Jones gives us his thoughts on the current awareness of this important payment industry standard.
In the current information security climate where everything has ‘cyber’ prefixing the topic e.g. cybersecurity, cyber risk, cyber threats and the list goes on, is it possible organisations have forgotten about existing and very important ‘cyber-related’ standards such as the Payment Card Industry’s Data Security Standard (PCI DSS)?
As more and more business is done online in our ‘new’ cyber world – 2015 Online Retail Sales £52 Billion up 16.7% from £45 Billion in 2014 – payment cardholder (CHD) account data security is more important than ever. This includes the need for assured authentication, confidentiality and integrity of payment cardholder information as traditionally granted by the Secure Sockets Layer (SSL) protocol over HTTPS padlocked browser sessions in the past 20 years. In 2014, the US National Institute of Standards and Technology (NIST) determined that SSL and indeed early versions of SSL’s successor, the Transport Layer Security (TLS v1.0) protocol (also referred to as SSL), were found to have serious vulnerabilities with recent high-profile breaches POODLE, Heartbleed and Freak due to weaknesses found within these protocols.
So, if you are an entity that that stores, transmits or processes Cardholder Data (CHD), specifically the 16 (can be up to 19) digit Primary Account Number (PAN), then you should seek to comply with the latest version v3.1 of the PCI DSS. This version was released in April 2015 by the PCI Security Standards Council (SSC) that removed SSL as an example of strong cryptography and that can no longer be used as a security control after 30 June 2016. However, the migration from SSL and early TLS to TLS v1.1 and 1.2 has caused issues for some organisations hence the SSC update in December 2015[1] that the deadline had been extended for 2 years, with a new end date of 30 June 2018 for existing compliant merchants. However, SSC is at pains to emphasise that this delay is not an extension to hold off migrating to a more secure encryption protocol (as defined by NIST) and entities that can update should do so as soon as possible.
If the entity is an Acquirer (typically the merchant’s bank), Payment Processor, Gateway or Service Provider, then they MUST provide TLS v1.1 or greater as a service offering by June 2016. Additionally, if it is a new PCI DSS implementation (i.e. when there is no existing dependency on the use of vulnerable protocols) then they must be enabled with TLS v1.1 or greater – TLS v1.2 is recommended.
As you can see, PCI DSS can play a significant part in any cyber security programme providing the entity in question is compliant with the latest version 3.1. If you have yet to start, or are part way through a PCI DSS implementation project, what can and should you do NOW? We recommend the following 3 actions:
If you need any further help and guidance with PCI DSS, please contact Advent IM…
[1] http://blog.pcisecuritystandards.org/pci-changes-date-for-migrating-from-ssl-and-early-tls
Advent IM 