Monthly Archives: May 2014

Ebay User Data Breach

Our MD, Mike Gillespie, was speaking on BBC Radio 5 Live and BBC Radio Scotland about this disastrous data breach. Audio files will be available soon for those who want to hear his comments and advice. Watch this space.


One of the facts that has emerged so far is that this hack was enabled by a spear phishing attack. For those of you who don’t know what that is, you are not alone: one in four UK employees does not know what phishing is, and this major breach is a good example of why we have to get on top of security awareness training.

Phishing is when an untargeted, unsolicited email, purporting to be from a valid source such as a bank, invites you to click on a link or open a file. This is normally accompanied by some vague ‘issue’ such as suspicious account activity or the suspension of your account. Many of us can spot them on sight now, as they are usually unsophisticated and badly spelled, though this is starting to change. The payload is normally malware or spyware and might do anything from stealing logins and keystrokes to harvesting financial details.

Spear phishing is targeted at specific individuals and is normally more carefully constructed, usually using some knowledge of the target and with a specific purpose in mind. This may be access to a particular database, as would appear to be the case here. The target may have been observed on social media or in person to establish some means of dialogue or to build trust. This increases the likelihood of the email being opened and activated, and therefore of the payload being delivered.

You may also have heard of vishing, or voice phishing, which is probably best exemplified by the ‘Microsoft’ support call scam. This is when you receive a call out of the blue from someone claiming to work in tech support for a company like Microsoft, who tells you they have identified malware or issues on your PC and that they need access to it to clear things up for you. They will normally get the target to open up their PC by frightening them with stories of awful failures, and may go as far as getting them to open the PC’s event viewer, which will show a few red flags or failures (this is normal). These are then passed off as justification for the intervention – proof, if you like, of their timely call. This harmless activity is then used as the means of attack on an unsuspecting victim, whose system is made vulnerable as they open up their PC to get it ‘fixed’.

This last one, as well as being particularly cynical, is also a cause for concern for employees who work from home or are mobile. Training staff in what they should or shouldn’t do, regardless of their geography, has never been more important, as cyberspace has no geography.

This is an old visual we produced, but it is particularly relevant given recent events; feel free to share it with your business.


Vote in the IFSEC Most Influential in Security 2014

Our very own Mike Gillespie has been nominated, and you can use the vote/nomination form to vote for whomever you choose here.

If you would like to see the reach Mike has had in the last 12 months, have a look here at a sample of some of his knowledge and opinion sharing output.

Mike was very pleased to hear he had been nominated and said, “Security, in all its disciplines – physical, information and cyber – is something I am deeply passionate about. I have long campaigned for greater understanding of the convergence of physical and cyber, and the convergence of home and work, to be better understood by the security community, and continue to seek greater collaboration across both security and business domains. I am extremely fortunate to be a hobbyist practitioner able to do something that I am passionate about, as a career. I seek to introduce subsequent generations to the world of security and am a huge supporter of the drive towards professionalism.”

Advent IM BBC Radio 5 Live

Mike Gillespie – Advent IM Managing Director and Director for Cyber Strategy and Research for The Security Institute

UK at the forefront of the fight against cybercrime

The UK is uniquely placed to spearhead the global response to cybercrime, according to Andy Archibald, Head of the National Crime Agency’s (NCA) National Cyber Crime Unit (NCCU). But does the UK have its cyber-ducks in line? There are many areas to consider as we push forward to promote a global response to cyber threat.

The UK is affiliated with all the right people to help move the global response forward, such as the Five Eyes alliance, the EU, G8 cybercrime working groups, Europol and Interpol. The UK has also introduced initiatives such as Cyber Streetwise, designed to highlight and educate people in the risks to security and privacy online, both at home and at work. This is much needed as our culture has changed so much, with flexible working seeing more of the workforce mobile and using their own devices (BYOD). Consequently, the line between these two areas of life has blurred. Additionally, there has been the introduction of the new cyber information sharing platform, part of the new CERT-UK. But what do we really need to grasp in order for standards of cybercrime detection and prevention to be improved?

However, according to a recent BT report [1], UK plc is not as concerned as the rest of the world about some key cyber topics. The UK under-indexed in perceived threat from malicious and non-malicious insiders, organised crime, nation states and terrorism. Add to that, the same research revealed that the UK lags behind Brazil, the US, Singapore, France, Hong Kong and Germany in the percentage of businesses that see cyber security as a major priority. Raising levels of concern and C-suite engagement must surely form a key part of the battle against cybercrime.

Under-reporting of cyber-dependent and cyber-enabled crime is a significant issue. In business the reporting rate is around 2%, and 1% from private individuals [3]. This is for a variety of reasons, including: not realising it is a crime, thinking it has been dealt with internally, reputational damage (in business) and not knowing where to report such matters. Add to this the fact that cybercrime is not broken out in police statistics, as these crimes are recorded under the individual law that has been broken, such as fraud. So a phisher, for instance, may not have physically taken a credit card and fraudulently used it; it may all have been done electronically. However, they are more likely to be tried for fraud than under the Computer Misuse Act. This makes cybercrime very hard to measure and therefore benchmark, making improvement or deterioration hard to quantify.

Less than a quarter of UK employees do not know what phishing is [2], yet this is one of the most common cybercrimes. In 2009 there were 51,000 “bank” phishing websites; by 2012 this had increased fivefold to 256,641. Add to this the fact that we cannot accurately attribute all fraudulent activity and financial loss experienced due to phishing, as it is often hard to identify. However, given the growth in these specific bank-related phishing sites, we can be fairly certain that this too is spectacularly under-reported. Action Fraud suggests that one third of reported frauds during January to December 2012 were cyber-enabled. That is basically 48,000 frauds in one year. Yet these frauds will not have been reported or recorded as cybercrimes.

Taking all of this into consideration, estimating the cost of cybercrime is very hard. This is recognised by the Cabinet Office in the UK Cyber Security Strategy: “A truly robust estimate will probably never be established but it is clear the costs are high and that they are rising.” The informal consensus is that we are talking billions of pounds.

It will be challenging to gauge our response if we don’t know how cybercrime is evolving, based on an accurate assessment of reporting and UK plc cyber preparedness. Placing the UK at the forefront of the fight means the UK needs to significantly up its cyber-game.

Global index 2014



Sources: [1] BT Cyber Readiness Survey 2014; [2] OnePoll survey for PhishMe; [3] Home Office, “Cyber Crime: A review of the Evidence”

Cyber for Beginners and UK Cyber Security Posture…

It was great to connect with some of you at Infosec Europe and Counter Terror Expo. These events were more challenging than normal with the tube strike but as you would expect, everyone rallied round and made the best of it. In the end I think a good time was had by all.

Of course, time doesn’t stand still and there are some upcoming events you might want to know about/attend.

Mike Gillespie, our MD and Director of Cyber Strategy & Research for the Security Institute, will be delivering a Cyber Master Class for the Institute on June 5th. You do not need any kind of technical cyber background: this is a beginner’s guide, designed for security professionals who would like to expand their knowledge and understand the impact of cyber. It is open to non-members too.

It will be delivered at our training centre in the Midlands (just off the M5); details and booking are available via the Security Institute website.

Moving on, June 17th sees the start of IFSEC at its new location at ExCeL in Docklands. You may be interested in a presentation from Mike Gillespie on the UK posture on cyber security and what research is showing us, which looks like a lag in understanding from UK plc. This is on day 2 (18th). Again, the Security Institute will have full details.