Monthly Archives: June 2015

Social Engineering – Still the best attacker exploit – guest post from Dale Penn, Advent IM Security Consultant

Another great post from one of our consultants, this time from Dale Penn on the topic of Social Engineering.

Introduction

Social engineering is still the most prolific and successful method of hacking. It is a non-technical attack that relies on a user being tricked or coerced into some form of action which presents the attacker with a window of exploitation, and it can bypass even the most robust technical controls. It is much easier to coerce a member of staff into providing information than it is to mount a technical attack on a web application or network connection.

It is important to note that the threats from Social Engineering tactics are almost always underrated by enterprise organisations, even though they form an integral part of most modern-day attacks. The reason is that there is currently a trend within enterprise organisations to fixate on technical solutions to information security threats and neglect the human element.

Any organisation that wants to protect its information assets must be aware of the current Social Engineering threats.

The top 3 Social Engineering Methodologies

Phishing – This is the practice of sending emails appearing to be from reputable sources with the goal of influencing the recipient or gaining personal information. A Phishing email will usually contain a link which redirects the user to a false webpage where they are asked to provide personal information such as usernames and passwords. Once entered, this information is captured and ready for use by the hacker. Gone are the days when Phishing emails contained poor grammar and spelling and were easy to pick out. Modern-day Phishing emails are professionally created and very convincing.


Vishing – This is the practice of eliciting information or attempting to influence action via the telephone, and may include such tools as “phone spoofing.” A common attack method is to call a user within an organisation and pretend to be the IT Helpdesk. From there the attacker will coerce the user into “confirming” their user name and password.


We all want to help – naturally. We also want to make the shouting stop…

Pretexting – This is the practice of presenting oneself as another person with the goal of obtaining information or access to a person, company, or computer system. This is where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity. More advanced attacks will also try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organisation or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting them into the building.


Counter Measures

  1. Education, Education, Education – All users should be appropriately trained to recognise these methods of attack. The workforce should adopt a culture of healthy scepticism when approached for sensitive information and not take things at face value.
  2. Develop policies and procedures to identify and handle sensitive information so staff will know what is sensitive to the organisation and what they can and can’t do with it.
  3. Introduce appropriate technical defences which limit the methods of these attacks (e.g. block inbound emails with active links).
  4. Review your security controls regularly to ensure they are still appropriate.

New Whitepapers added to the Website…

Go to the Advent IM Website for FREE downloads of these and other Whitepapers from Advent IM specialists


Security in Independent Education Sector – this whitepaper discusses some of the challenges and threats that Independent Education facilities need to consider along with some advice and guidance


Security for SMEs – this whitepaper looks at the highly diverse sector of SMEs and looks for cost effective security methodologies to improve the security posture of small organisations.

Thank you to Dale Penn, one of the talented Advent IM Security Consultants, for this informative guest post.

EU Data Protection Changes – What You Need To Know


GDPR (General Data Protection Regulation)

Introduction

This January the European Commission revealed a draft of its GDPR. The European Commission is hoping to introduce the GDPR by the end of 2015 to replace the outdated EU Data Protection Directive 95/46/EC, as the current standard is inadequate to deal with issues such as globalisation, social networks, cloud computing, etc.

The GDPR is a Regulation and not a Directive, which means it will have immediate effect in all 28 EU member states after a 2 year transition period.

The GDPR includes a strict data protection compliance regime with severe penalties of up to 100M euros or up to five percent of worldwide turnover for organisations in breach of its rules.

What should it achieve?

The GDPR should provide a single set of regulations for data protection across the EU which deal with the current global environment and the advances made in communication technology and foster a baseline standard of data protection across the EU.

Key Changes

  1. Non-EU businesses may still have to comply with the Regulation.

Non-EU controllers (and possibly non-EU processors) that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Although enforcement beyond EU borders will be a challenge, given the huge proposed fines, those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

  2. The definition of personal data will become broader, bringing more data into the regulated perimeter.

The Regulation proposes that data privacy should encompass other factors that could be used to identify an individual, such as the genetic, mental, economic, cultural or social identity of an individual. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

  3. Rules for obtaining valid consent will change.

The consent document should be laid out in simple terms, and there is a proposal that the consent have an ‘expiry date’. Silence or inactivity should not constitute consent.

  4. The appointment of a data protection officer (DPO).

At the moment, there is still no agreement on the thresholds for appointing a DPO. There have been proposals to appoint a DPO for each company with over 250 employees, and, in other instances, where companies process the data of more than 5,000 data subjects a year.

  5. The introduction of mandatory privacy risk impact assessments.

A number of proposals have suggested conditions under which a privacy risk impact assessment will be required. What seems to be clear is that a risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers are likely to have to conduct privacy impact assessments to analyse and minimise the risks to their data subjects.

  6. The introduction of data breach notification.

The Data Protection Officer (DPO) will be under a legal obligation to notify the Supervisory Authority without undue delay; the detail of this is still subject to negotiation at present. The reporting of a data breach is not subject to any minimum standard, and it is likely that the GDPR will provide that such breaches must be reported to the Supervisory Authority as soon as the organisation becomes aware of them. Individuals have to be notified if an adverse impact is determined.

  7. The right to erasure.

The right to be forgotten has been replaced by a more limited right to erasure. A data subject has the right to request erasure of personal data related to him on any one of a number of grounds.

  8. Data portability.

A user shall be able to request a copy of personal data being processed in a format usable by this person and be able to transmit it electronically to another processing system.

Are you still operating XP or Windows 2003? – A guest post from Julia McCarron, Advent IM Director

Whilst Microsoft’s utopia may be for us all to automatically upgrade every time there is a new version of Windows, for many organisations this isn’t always an option. With some still coping with life after the recession, the cost of upgrading to new platforms can be restrictive, especially if XP and Windows 2003 still work perfectly well and provide you with effective tools to operate business as usual. For others with large technical infrastructures, again the cost of upgrading can be a massive drain on time, resources and money and needs careful budgeting and planning over a period of time.

But with the withdrawal of support for Windows platforms and applications comes risk. Security patches are no longer issued, and as new cyber security threats continue to appear at an ever-increasing rate, these platforms become vulnerable to attack.


pics via digitalphotos.net

The obvious choice is to upgrade as soon as possible. But if this is not an option, you need to assess the risk of operating in an unsupported environment as part of your corporate risk strategy, and where required identify activities that can help you minimise that risk. These could be more frequent external penetration tests, stricter acceptable usage policies, updates to security awareness programmes or additional monitoring software. There are risk mitigation options available, but only if you go through the proper process of analysing the threats to your business and the impacts of not upgrading.

But upgrade when you can …

Julia.

Attack Trees

Following on from his last popular post, Advent IM Consultant, Del Brazil turns his attention to Attack Trees.

Recently the SPF Mandatory Requirement to use the HMG IS 1&2 Technical Risk Assessment methodology was withdrawn, affording organisations the luxury of identifying and using a more appropriate and manageable risk assessment method applicable to their business.

It was well known that the HMG IS 1&2 methodology was somewhat cumbersome, resulting in Risk Management Document Sets (RMADS) being over 200 pages long. The HMG IS 1&2 risk assessment generally produced very technical and jargon-filled results which were not very presentable or understandable to stakeholders.

Amongst the plethora of risk assessment methods is the Attack Tree concept, first developed by Bruce Schneier. This method models an attack by placing the attacker's goal at the root of the tree and breaking it down into the conditions the attacker must meet in order to carry out the attack. It is widely used throughout the United States and is a recognised risk assessment method in the defence and aerospace industries for the analysis of threats against computer systems and tamper-resistant electronic systems.

Although it is possible to compile an Attack Tree from scratch using some form of document to capture the tree, accompanied by a spreadsheet to perform any calculation, the benefits of Attack Trees can only be truly realised through the use of bespoke software which enables the risk assessor to input a number of variables and/or countermeasures.

The Attack Tree method allows the risk assessor to compile various reports and present them to stakeholders in a more manageable and/or graphical format. The manipulation of the results/data enables stakeholders and risk assessors to test the potential effectiveness of any proposed countermeasure prior to outlaying any funds or resources in order to defeat or deter a potential attack.

One of the drawbacks to using bespoke software is that the user needs to receive a degree of training to ensure that they have the ability to fully utilise the software. As with all software and training requirements there is an associated cost which has to be considered by the organisation. There is also the danger that the organisation becomes reliant upon a limited number of personnel who are trained in and familiar with the software, so that only a select few individuals within the organisation are able to produce Attack Trees.

A major benefit to using the Attack Tree methodology is that the same risk assessment results can be presented in numerous ways to different stakeholders, easily highlighting any potential risk to the organisation. This can be from the perspective of financial loss, likelihood of attack or cost to the attacker, etc.
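As an added illustration (not code from this post or from any attack-tree product), the following Python model shows the AND/OR evaluation the two paragraphs above describe: the same tree can be read by cheapest attacker cost or by likelihood, and a proposed countermeasure can be tried by overriding leaf values before any money is spent. The tree, its figures and the two countermeasures are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """A node of an attack tree. Leaves carry the attacker's cost and estimated
    likelihood of success; interior nodes combine their children with an AND
    gate (every step needed) or an OR gate (any one alternative suffices)."""
    name: str
    gate: Optional[str] = None          # "AND", "OR", or None for a leaf
    cost: float = 0.0                   # attacker's cost, in money units
    likelihood: float = 0.0             # probability the step succeeds (0..1)
    children: List["Node"] = field(default_factory=list)


Overrides = Dict[str, Tuple[float, float]]   # leaf name -> (cost, likelihood)


def evaluate(node: Node, metric: str = "cost", overrides: Optional[Overrides] = None):
    """Return (cost, likelihood, leaves) for the attacker's preferred path.
    metric="cost" picks the cheapest alternative at each OR gate, "likelihood"
    the most likely one; `overrides` replaces leaf values to model a proposed
    countermeasure (assumed effects, not measured ones)."""
    overrides = overrides or {}
    if node.gate is None:
        cost, p = overrides.get(node.name, (node.cost, node.likelihood))
        return cost, p, [node.name]
    results = [evaluate(c, metric, overrides) for c in node.children]
    if node.gate == "OR":
        if metric == "cost":
            return min(results, key=lambda r: r[0])
        return max(results, key=lambda r: r[1])
    # AND gate: every child must succeed, so costs add and likelihoods multiply
    p = 1.0
    for r in results:
        p *= r[1]
    return sum(r[0] for r in results), p, [leaf for r in results for leaf in r[2]]


# Constructed sample tree with illustrative figures (not from any real assessment)
TREE = Node("Read the customer database", "OR", children=[
    Node("Phish an employee's password", cost=500, likelihood=0.6),
    Node("Use an unattended office PC", "AND", children=[
        Node("Tailgate past reception", cost=100, likelihood=0.5),
        Node("Find a logged-in, unattended workstation", cost=0, likelihood=0.4),
    ]),
    Node("Exploit the public web application", cost=5000, likelihood=0.15),
])

# Two candidate countermeasures expressed as leaf overrides (assumed effects)
MFA = {"Phish an employee's password": (500, 0.1)}
SCREEN_LOCK = {"Find a logged-in, unattended workstation": (0, 0.05)}
```

Calling `evaluate(TREE, "likelihood", {**MFA, **SCREEN_LOCK})` shows how the attacker's most likely path shifts as each control is added, which is the kind of "what if" a stakeholder can read without the underlying jargon.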

It is the opinion of the author that, although the Attack Tree methodology has a great deal to offer and has the potential to be more useful to organisations, the cost of the software and the time taken for individuals to be trained and become familiar with the methodology should be considered before organisations jump into the unknown.

At present there are numerous organisations who are continuing to use the HMG IS 1&2 methodology to carry out risk assessments. As there is no longer a mandated methodology to be followed, it is the opinion of the author that organisations should consider seeking a more manageable, repeatable, understandable and business-orientated methodology.

Currently there is no approved or recommended risk assessment methodology being highlighted by CESG – National Technical Authority for Information Assurance, which is the technical arm of GCHQ; although there is still the potential for CESG to recommend a specific methodology, potentially resulting in organisations having to realign themselves to this approved method after investing heavily in Attack Trees. Equally, there is the possibility that the Attack Tree methodology is adopted by CESG and recognised as the standard against which all HMG systems are to be risk assessed. At present no decision has been made by CESG on any methodology and there are no timescales for any decision to be made.