Monthly Archives: May 2012

Watch out FLAME – Malvern’s new ‘dirty lab’ is open…

Francis Maude with MP Harriet Baldwin and Baroness Pauline Neville-Jones opening the ‘dirty lab’ at Malvern. Picture Worcester News

As members of the Malvern Cyber Security Network, we were lucky enough to be invited to the opening of the country’s first ‘dirty lab’ on Friday (25th May 2012). The lab was opened by Cabinet Office Minister Francis Maude, who was accompanied by Baroness Pauline Neville-Jones, Special Minister to Business on Cyber Security, and has been set up by local companies, including our very own Trusted Partner encription, to help test IT systems and prevent one of the 21st Century’s biggest threats – cyber attacks.

Commenting ahead of the trip, Francis Maude said, “My visit to Malvern is an excellent opportunity to see and hear about the work local business and SME’s are undertaking. Government is working to raise awareness of the potential cyber threat to business reputation, revenues and intellectual property. But cyber security also offers huge benefits for business and is an important growth area for our economy.”

Following the official opening, the Minister and Baroness Neville-Jones joined members of the Networking Group to discuss issues affecting SME’s including how Government would encourage an integrated approach to cyber security with business and academia, how SME’s access the £650m budget being made available to combat cyber security threats, barriers to procurement for SME’s delivering innovative products and services to mitigate against cyber attacks and the best way for SME’s to gain information on cyber security policy and guidance. All too soon the interesting discussions came to a close but it was clear that the Minister and Baroness have a number of areas they both want to develop, and we hope their next visit will be a round table discussion to move things to another level and provide two-way dialogue on what is clearly a key national threat in an increasingly technological world..

The opening of the lab was made all the more apt with news on Monday 28th May of the latest cyber threat to be discovered – Flame. According to researchers, Flame is a complex targeted cyber attack that has collected private data from countries such as Israel and Iran. Having only recently been detected, it is believed to have started its attack in 2010. This new threat appears not to cause physical damage, but once a system is infected it collects huge amounts of sensitive information by beginning a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations and intercepting the keyboard etc….

The United Nations has only today (30/5/12) stated that it is to issue a warning to governments about the Flame worm, which it perceives to be the “most serious warning ever” as the worm could possibly attack critical infrastructure.

The attack is thought to be state sponsored but its exact origins remain unknown. So why are these attacks such a threat and how can the Malvern Cyber Security Group (MSCG) help UK businesses protect itself?

Tony McDowell, Managing Director of encription explains.

“Threats, like the recently discovered Flame malware, have been all too apparent within commercial and Government systems over the past two decades.  The increasing sophistication of malware, such as Flame, is of concern to all individuals and organisations; in fact the size and sophistication of Flame takes malware to a new level.  Although this malware appears to have been targeted at specific organisations it is only a matter of time before it  will be available on the open market., as has historically been the case when exploit writers are continually developing new attacks.  This is one of the key reasons for the formation of the MCSG , to assist all organisations in combating cyber attacks and theft”.

The lab will not only be used for research purposes into understanding cyber attacks such as Flame, their origins, modus operandi and complexities but also to provide training for people learning cyber defence techniques.

It is clear that if we can understand the threats we can stay one-step ahead in protecting UK businesses from cyber attack.  We look forward to bringing you news on success stories at the lab in the future.

School Security – brand new service for Schools, Colleges and further education establishments

School Security from Advent IM – the one day health check

After a highly successful pilot scheme, Advent IM Ltd announces the launch of its UK wide, Information Security and Data Protection audits for schools and educational facilities – a one day health check for policies and procedures.

Unprecedented levels of staff and pupil personal data, even fingerprints are held by schools and other educational establishments.                              

The level of personal information held by schools and educational establishments on pupils and students has never been so high. For instance, as well as standard, individual information on address, medical conditions, results, social services reviews etc… many schools now employ fingerprint technology for the issue of school meals and other services. This is highly personal data and schools need to have more than technology in place to secure it. It’s not just about how data is stored but also about who has access to it and how it is moved about and later sanitised or destroyed. To ensure data is adequately secured requires a full understanding of actual and not perceived risks to the security of its data. This means that focus needs to be on where the data needs to be and ensuring appropriate levels of security are in place to mitigate those risks.

Advent IM Ltd, the UKs leading Holistic Security Consultancy, understands the education sector, having worked with many different establishments, from primary schools to Universities. Our new service offering is designed to provide a health check on school policies and procedures to ensure appropriate processes are in place for safeguarding pupil and staff data. This includes not only electronic management of data but also physical control of access to and storage of hard copy data. It underlines internal awareness of the Data Protection Act and can help schools build sustainable policies and procedures to ensure best practice within the Act and wider information security.

Experience shows us time and again that data loss, breach or compromise is more often than not due to human error. In a recent survey by the Ponemon Institute, it was discovered that almost 80% of data breaches came from within, whether it was accidental or intentional.  In a school environment, the possibility of a curiosity-based breach via a pupil cannot be ruled out.  Indeed, most pupils know technology better than we do and see finding ways to circumnavigate the system as a challenge, but staff can also be a weak link. There are many reasons why the human element is so vulnerable to security lapses. They can be a lack of policy or understanding, or a failure to ensure the policy is understood by all staff. It is rare that a data breach is a malicious act, but making sure all the human aspects are battened down, in addition to the technological security elements, is a “must do” for any school.

One of the schools to go through the pilot scheme was Wren’s Nest in the West Midlands.

“The Consultant gave Wren’s Nest a thorough, detailed information security audit which we found extremely helpful. The report, advice and guidance have provided our organisation with a valuable insight into information security. We will now investigate our current procedures and policies to enable us to move forward and identify further e-safety tools and policies to meet current legislation and reassure all key stakeholders of how seriously we take Information Security. It has clearly highlighted what additions/amendments we need in our action plan for security of IT and data protection for staff and children. The benefit will be; reassuringly robust security for everyone. Thank you.”

Another pilot scheme member was Sutton School and Special College, a repesentative commented:

“It [the audit] highlighted many areas that were not currently being monitored effectively. I will use this report to further enhance policies and procedures within the school. The report is an effective guidance for structured and continuous improvement.”

 

Advent Im Ltd MD, Mike Gillespie

Advent IM Ltd’s Managing Director,Mike Gillespie said, “This service is a really quick and simple way for a school, academy or college to understand what really needs to be done to ensure its compliance with information security good practice and the Data Protection Act. More than that though, it means that the school gets a realistic picture of where its real threats and risks lie as well as guidance on how to enter a cycle of continuous improvement”

Social Engineering – What exactly is it and who might be victims?

Social Engineering – If you don’t work in either the security or IT industry, you may wonder what the term means and if it forms any real threat to you organisation. If you have heard the term, then assuming it is an IT issue in isolation, would be a mistake.

Social engineering can be likened to hacking attacks against information systems where a tool is used to probe those systems to exploit vulnerability.  In the case of social engineering, human attackers use guile, perhaps inside knowledge or just plain bluff to try to penetrate the defences of the individual to obtain the knowledge they are not entitled to know.  In other words, they hack information or access it from an individual.

More often than not attacks to obtain information, including sensitive personal data, are targeted against organisations by using techniques to manipulate unsuspecting staff to willingly provide information, usually because they have been duped into passing information to an individual, even though they do not know them.

The ability of an attacker to develop a rapport with the target is important, which together with some inside knowledge, acquired from research or the use of an insider, will often pay dividends to establish that familiarity that puts front line staff off their guard.  Particularly vulnerable are those at the “coal-face” – customer facing staff such as receptionists, telephone exchange or help-desk support staff.

The approaches are often apparently innocent in nature and the attacker could pose as a new or former employee exchanging gossip or advice and may request help perhaps for lost passwords.  The attacks are insidious and over time may provide nuggets of information about the organisation or individuals within it.

Another example is where access into a particular site is sought, an attacker may try to gain access by reporting to reception that they have something within a box for delivery to a named individual that research has identified is within the site.  Reception may be busy, or the attacker may time his moment by observing reception from a distance to find the right opportunity to prosecute his attack.  When challenged the suggestion that “it’s OK, I know where he is and I need a signature anyway” will often create that familiarity that will grant the intruder access.

As described above, social engineering is often linked to insider attacks, since the majority of physical or electronic attacks can be assisted in some way by an insider.  The little tit-bit of inside knowledge is used to get past the initial security perimeter be it verbal or physical.

Human nature enables social engineering to develop and become increasingly sophisticated as well as technical.  It is essential for all organisations, but particularly those that have sensitive or valuable assets to ensure that front-line staff are provided with regular training to be aware of the threat and be conscious to attack techniques.

Further information on Social Engineering and Insider threat can be found on our Slideshare account here http://www.slideshare.net/Advent_IM_Security/social-engineering-insider-and-cyber-threat you will need sound

Cloud post #2 – The Revenge

Growth in the ‘usage of Cloud services’ is in growth what do we think about that? Assess the real risks and don’t cloud the security issues.

OK so there aren’t any actual sharks and the leader does have a shameless pun, but it is an addendum, or part 2, to our original Cloud blog post which you can read here if you haven’t already. (It will open in a new window so you won’t lose you place)

Reading a survey from CIF last week (here), its clear to see that the number or at least the percentage of organisations using Cloud services, is increasing. This includes the public sector, perhaps an enlightened reader can tell us how much of that is driven in UK by G-Cloud.

However, its clear that the research term ‘Use of Cloud services’ could be a bit misleading. There are variations in service types – Platform services, Software Services and Infrastructure services and they are not all in growth.

Geographical references beyond ‘Europe’ are not available in the report, which makes it difficult to deep dive on the cause. However, according to the PWC Global State of Information Security Survey – in terms of ‘Government’, as we had noted Public Sector increased interest, IaaS is over-indexing in terms of uptake on this particular service type.

‘Global’ vs. ‘Government’ vs. ‘Europe’ Cloud Service % of organisations taking this service. Source PWC Global State of Information Security 2012

The same source highlights security concerns amongst Cloud users and if we refer these back to some of the points made in our original blog, the security policies of the data end location is clearly a very important and sensitive issue, this comes through with over 30% of respondents flagging this up and making it the top security threat in this survey.

One of the other things we highlighted back in January was the ability to be able to audit the data centre where your organisation’s data is held, this also comes through as a concern from Cloud users, including ‘Government’ users.

What is the greatest risk to your Cloud computing strategy? ‘Government’ vs. ‘Global’

Being able to audit where your data goes or is moved to, as well as fixing the end points for moving your data are very important, as we said back in January. Whether this is achievable if going through a ‘broker’ style relationship for instance, is debatable. In these situations, the cost model the driver and so wherever the broker can source will be where the data sits or is moved to and this may not mean all of the data  is in the same place either. Specifying end points, for instance, in a service level agreement may start to push the price up and so it is crucial you understand just what your risk appetite is in terms of what you will allow to happen to your data. Disturbingly, as a footnote to all the security issues highlighted in the PWC data, the CIF survey  identified that 1 in 5 respondents were expecting to put their IT security services in the Cloud…

The CIF report states “One sign of the immaturity of the cloud market is reflected in terms of contractual process, as barely half (52 per cent) of cloud users negotiated the legal terms of their contract with their cloud service provider (CSP), with larger organisations more likely to do so. This also infers an evolution of the culture that led to the click-thru agreement online more than a business critical supply agreement.”

Its clear then that  organisations need to go into the Cloud with its eyes wide open and armed with a comprehensive Risk Assessment.  Whilst it’s easy to label security consultants as Luddites who want to hold back the tide of progress, it is in fact not true. We are realists who want businesses to protect themselves, their clients, their supply chain and their employees and progress into the future securely.

How to get all over your security training – like a pigeon on a chip.

We recently read Joe Ferrara’s excellent article found on CSOonline.com:  ‘Ten Commandments for effective security training’, and as security consultants who provide training, it got us thinking.

So, diving into our pool of expert resource here are some handy hints and tips which you can use in addition to Mr Ferrara’s observations (which you can read if you click here and it will open in a new window).

Always conduct a Risk Assessment and gear your training toward contributing to the mitigation of the identified top risks.

  1. Security training and awareness is just another security control.  Fact.  So make sure all your security controls, including training, contribute to the mitigation of your security risks.  This means that just turning up and telling people to lock their computers, put stuff away at night and report breaches is not good enough.  Do a risk assessment followed by a training needs analysis so you can be sure the right messages are getting to the right people.  So if spam, unauthorised third party access, burglary or whatever are your top risks make sure your training contributes to mitgating these.
  2. ‘S’ is for security, strategy (and sausages).  Your security training strategy can be (and probably should be) as simple as four columns: who (needs training), what (do they need to know), when (do we do it) and how (classroom, online, during team meetings)?  Sausages are optional and because your strategy will cater for everyone you will need some meat-free ones.
  3. Monty Python – delivering Spanish Inquisiton – style security promotion. OK, not really.

    No one expects the Spanish Inquisition.  But everyone expects the Information Security Manager to promote security awareness.  So why not get IT, estates management, HR, reception and anyone else who is responsible for delivering security controls in your organisation to help out with planning and delivery.  It will keep your training varied, get your colleagues involved and ‘on message’, take the weight off your shoulders and keep your powder dry for another time.

  4. Big bangs are for fireworks night only.  Under sell and over achieve.  As Mr Ferrara points out, information security is an iterative and continuous process so go easy on the dry ice and audio visuals to begin with.  On this point, don’t ignore the value of ‘watercooler moments’ (management speak for those daily discussions we have).  Reinforcing and reminding good practice one a one-to-one basis is just as valid and effective as a presentation to the Board.
  5. Don’t forget your 3rd parties.  Suppliers, contractors and customers may have access to your information assets, so make sure you include them in your security training strategy.
  6. Get feedback.  Make sure you have a clear method for understanding the effectiveness of your security training BEFORE you deliver it, whether that is a survey, ‘happy sheet’, group discussion or whatever. Someone will be monitoring the effectiveness of some of your other security controls (e.g. the Firewall) so do the same for your training – it is just as important.
  7. Get buy-in.  Before you start make sure management are on board.
  8.  Is security training ‘on pain of death’?  Our energies should be focused on making

    “As you didn’t turn up for security training, I now have to smash up your laptop. You were warned.”

    the training a fantastic experience that people want to engage with, rather than expending time and effort brandishing a big stick to non-attendees.

Thank you to Mark Goddard, one of our expert consultants.

Security training needs to be seen as it truly is, an enabler for business.

Advent IM can help with training or out-sourced security management. www.advent-im.co.uk