Monthly Archives: October 2015

PS21 Report: The Dark Web

PS21

technology-512210_640

  • The Dark Web is not fundamentally evil, though it can be used in ways that are morally reprehensible
  • Our privacy has been largely compromised in the age of the Internet, but the Dark Web offers confidentiality to both good and bad people
  • In light of the need to protect civil liberties, there are actually many legitimate uses of the dark web
  • At the same time, we have seen no end to the horrendous crimes facilitated by the Dark Web
  • Law enforcement faces immense difficulties in keeping up with the complexity of the crimes committed on the Dark Web, especially in terms of the ambiguity of jurisdiction
  • We might hope to differentiate between good and bad uses of the Dark Web with advances in psychological analyses and the modernization of existing legislation

On Monday 21st September, Project for the Study of the 21st Century hosted a panel discussion on…

View original post 1,828 more words

Advertisements

Banking on Good Cyber Security

Julia McCarron reflects on the news that regulators are almost at the point of requiring major financial services companies to participate in a cyber security testing programme, according to the Bank of England.

It was nice to see the Bank of England talking about cyber security recently, and the importance it sees in testing awareness and resilience amongst the financial sector.

iStock_000015672441MediumIn May 2015, the CBEST scheme for firms and FMIs considered core to the UK financial system, was launched to test the extent to which they are vulnerable to cyber attacks and to improve understanding of how these attacks could undermine UK financial stability.

The scheme is currently voluntary and testing services are delivered by an approved list of providers regulated by CREST, a not for profit organisation that represents the technical information security industry.

The voluntary aspect of this is arguably what could make, what appears on the face of it to be a worthwhile initiative, ultimately unsuccessful. That said vulnerability scanning, assessments and penetration testing should frankly already be part of a financial institutions make up. So, if it’s not, the Bank of England is right be “expressing concern”.

The most interesting element of the Bank of England’s discussions though was that when talking cyber security they acknowledged that it’s not all about technical controls. I quote in respect of them keeping their own house in security order,

“Technical controls put in place had strengthened the Bank’s ability to prevent, detect and respond to attacks. But no technical fix could guarantee security 100%, so at the same time significant effort had been made to improve security awareness among all staff, and incident handling procedures had been strengthened“.

iStock_000013028339MediumThis is something we have evangelised about for years. Technical controls are not the answer. They are only part of the answer. We all know that the majority of security beaches are caused by staff, mostly unintentionally, due to lack of security awareness and training. It’s all very well having a state of the art lock on the front door but if no one knows how to use it what is the point in it being there? You might as well invite the burglar in for a cup of tea and a slice of cake.

The Bank also jumped on the Advent band wagon by mentioning that regulators have been discussing the importance of cyber security being a board room issue for companies particularly in relation to governance. Again, check our archives. We’ve worn down the drum from beating that point so hard and for so long. A security culture will only be successful if it’s supported from the top down. Otherwise it’s a constant uphill walk on the down escalator.

phishOne initiative the Bank took to improve security awareness is one which is growing in popularity, especially amongst large organisations and data centres – ‘Phishing Attack Testing’. This is where a fake phishing email is sent to staff and monitored a) as to how many times its opened, b) as to how many times its reported c) as to how many times the link is clicked and by whom. This helps to raise awareness of the issues of suspicious emails and target staff training. The Bank claims it is personally seeing a decline in staff “taking the bait” and an increase in security incident reporting. A report by Verizon in 2014 stated that as many as 18% of users will visit a link in a phishing email which could compromise their data. This against a backdrop of phishing being not only on the rise but getting more sophisticated in its presentation. So more should follow in the Bank of England’s footsteps when it comes to raising awareness against this type of attack.

iStock_000015534900XSmallSo there are a number of positives we can take away from the Bank of England’s discussions on cyber security:

  1. Technical vulnerability testing is encouraged;
  2. It’s not all about the technical controls; don’t forget to train you staff;
  3. A security culture must start in the boardroom;
  4. Make staff aware of the perils of phishing emails through fake attack testing.

Have you got the energy for another breach…?

Julia McCarron, Advent IM Director, looks at the British Gas breach that saw customer details published online and the energy giant claiming they had not been breached and the details must have come from elsewhere…

So let’s get this straight. The email addresses and passwords definitely belonged to British Gas customers? Tick. They definitely accessed British Gas customer accounts? Tick. But the data didn’t come from British Gas? Dot. Dot. Dot.

phishIt appears that where there’s blame there’s a claim. British Gas are blaming everyone else’s recent security incident misfortunes and claiming it’s the result of information from other data breaches being pieced together, testing passwords which were re-used across multiple accounts. Or they’ve been uncovered from the result of a phising campaign. One or the other …. They’re not sure which.

Is this possible? Well yes in today’s sophisticated technological world it probably is to be honest. And that’s quite scary and brings us round to a common theme of ours …. Password management.

At Symbol

Every action we do online these days requires a password. Shopping accounts, banks, building societies, utility suppliers, pensions, social media, YouTube, movie streaming, e-reader accounts ….. And what do we have a tendency to do? Use the same password so that we don’t forget it. What else do we do? Use the cat’s name and granny’s date of birth. For those of us working in security, or an organisation with a good security culture, we are aware of the bad practice this demonstrates but many consumers out there have not grown up in an electronic information security environment. This makes British Gas’ claim a distinct possibility given the sophistication of the unethical hacker community.

Recent guidance issued by CESG and the Centre for the Protection of National Infrastructure (CPNI) explains how passwords are discovered.

Attackers use a variety of techniques to discover passwords, which include:

  • social engineering eg phishing; coercion.
  • manual password guessing, perhaps using personal information ‘cribs’ such as name, date of birth, or pet names.
  • intercepting a password as it is transmitted over a network.
  • ‘shoulder surfing’, observing someone typing in their password at their desk.
  • installing a keylogger to intercept passwords when they are entered into a device.
  • searching an enterprise’s IT infrastructure for electronically stored password information.
  • brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found.
  • finding passwords which have been stored insecurely, such as handwritten on paper and hidden close to a device.
  • compromising databases containing large numbers of user passwords, then using this information to attack other systems where users have re-used these passwords.

Business Development Consultant - Cyber Security.

In business we can do something about this through implementing policies and procedures, providing security awareness training to our staff and implementing technical controls that prevent, detect and monitor activity to reduce the risk of a data breach.

The general public may not have the knowledge or resources to implement these controls, and arguably the likes of British Gas need to help their users cope with password overload. The same CESG/CPNI guidance suggests how service providers might do this.

“Users are generally told to remember passwords, and to not share them, re-use them, or write them down. But the typical user has dozens of passwords to remember – not just yours. Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

  • Only use passwords where they are really needed.
  • Use technical solutions to reduce the burden on users.
  • Allow users to securely record and store their passwords.
  • Only ask users to change their passwords on indication or suspicion of compromise.
  • Allow users to reset passwords easily, quickly and cheaply.
  • Do not allow password sharing.
  • Password management software can help users, but carries risks.”

Good Better BestSo rather than simply saying “this isn’t our fault” British Gas could perhaps be ‘looking after our world’ by improving how their customers manage their passwords? They may have got to 9/10 boiler breakdowns the same day last year but 9/10 password breaches won’t be good enough.

https://www.gov.uk/government/publications/password-policy-simplifying-your-approach/password-policy-executive-summary

This isn’t just poor security….a post on the M&S security incident from Julia McCarron


Advent IM Director, Julia McCarron has turned her eye to the M&S security breach…

Well as our Marcomms Manager, Ellie superbly put it, “This isn’t just poor security, this is M&S poor security”.

Image result for M and s logoThe brand synonymous with quality has let the side down following what it claims was an internal system glitch that caused M&S online account users a bit of a surprise. They logged on only to find their account wasn’t theirs.

Following a number of complaints, M&S were quick to take the site off-line and the problem was resolved in 2 ½ hours, but not before 800 people’s personal details including names, dates of birth, contact details and previous order histories were exposed. Thankfully, financial details do not seem to have been breached.

So M&S can expect a knock on the door from the ICO. Commenting on the incident, Phil Barnett, VP Global at Good Technology of M&S, said that many companies are flying blind when it comes to security, because they don’t think it affects them. In this day and age, when cyber security incidents seem to happen every 5 minutes, companies are becoming more aware of the risks and need for good, security controls and practices. I would sincerely hope that companies such as M&S would be acutely aware of the perils. As Mr Barnett points out, “Data is a company’s biggest asset, and as mobility becomes more ingrained across every enterprise, security must become a higher priority”.

risk balance

So I guess M&S need to ask themselves why this happened? I cannot comment specifically as to the root cause of this particular incident, but often what can be the reason is that ICT systems change management process are either not in existence, not robust enough and/or do not consider the ramifications to security when updates, upgrades, code changes etc… are made. Security must be a key consideration and testing should be carried out before the change is made live, especially on personal data critical systems such as these. In addition, regular penetration testing both external and internal to the system is a must, especially when a major system change is made. Today’s technical vulnerabilities are evolving hourly but these simple actions can be the difference between being a successful big brand today and share prices falling through the floor tomorrow #talktalk #justsaying.

Advent IM HMG accreditation concepts training

However, I will concede that smaller businesses often don’t see security as a priority. They see it as a business disabler and costly. If there has been no incident to date why worry about? These companies are doing business on luck. The luck of the draw. But luck runs out for us all at some point. Good security is a must for each and every company, be it a self-employed nanny or a multi-national conglomerate. It doesn’t have to be expensive and can in fact give you the edge when dealing with clients or bidding for projects. Who wouldn’t choose the company they know will handle their data securely over the company that does nothing? Often no-cost processes and procedures can mitigate risk simply and quickly, particularly with data handling. We also have the Cyber Essentials certification, which is aimed at small businesses and is a set of technical controls companies can be measured against to ensure they are implementing a baseline level of technical security.

Whatever happens, in a week where security breaches have literally been big business, you need to think carefully about what your company is doing (or not doing) to protect its biggest asset. This isn’t just good security advice, this is Advent security advice.

Nuclear Power Plant Worker caught looking at bomb-making websites….

A nuclear power plant worker in Scotland has been escorted from  EDF’s West Kilbride premises and the police called, after allegedly viewing bomb-making websites whilst at work.  The full story is here.

Some comment from Advent IM DIrector, Julia McCarron.

Panic meterTrying to find out how to build a bomb whilst working on-site at a nuclear power plant probably wasn’t the smartest thing for the worker at Hunterston B, West Kilbride to do. And his alleged stupidity is luckily what got him caught. But the situation poses a number of positives, negatives and discussion points.

The positives. There would appear to be a decent security culture within the plant as demonstrated by the fact that a fellow worker spotted nefarious activity and reported it. There would also appear to be stringent security checks following government guidelines carried out by EDF in the employment process.

The negatives. Whilst the individual concerned may or may not have been a British National (this is not clear) the fact that he had only recently moved to England should have been flagged during the vetting process and highlighted a risk. Arguably this would have indicated that he was not suitable for employment and certainly not deployment near the nuclear core.

The Discussions. It could be that EDF did (almost) everything right and nothing flagged indicating the individual was a risk (the recent move to England not withstanding). It’s perfectly possible that no background on the individual would have led them to believe there was an issue with employing him. There could be hundreds of cases like this for many of our CNI organisations – he wasn’t flagged because there was nothing in his past to flag … you can’t cater for this in the vetting process. But what you can do is maybe provide ‘probation’ periods that don’t allow these individuals access to critical or sensitive areas until they have proven themselves reliable and capable. This still isn’t foolproof but could act as a deterrent for individuals wanting to gain access to CNI quickly in order to carry out an act of terrorism. I’m not saying that was the case here, but it could be a prudent move as a general policy.

At Symbol

Also, was the laptop his own or EDF provided. Two issues spring to mind here. If it was EDF supplied the individual would surely have been in breach of an acceptable use policy. So even if this was ‘innocent’, was the individual aware of the policy and had he agreed in writing that he understood it and would comply with it? If it was his own, EDF should review/develop a BYOD policy. I would not expect employees at a CNI site to be able to use their own devices and be able to connect to the internet. Again, was there a policy and was the individual in breach of it? If BYODs aren’t allowed how did he get his laptop in? Is there a role CNC could play in policing the policy (no pun intended)?

In the end danger, if there was any, was averted.  But something in the process wasn’t right and EDF need to review the incident to discover the root cause and make improvements to the employment process.

Aviva 2nd Data Breach

Advent IM Security Consultant Del Brazil, gives us his thoughts on the Aviva data breach.

iStock_000015672441MediumFor the second time in less than two years Aviva have reported a data breach in which customer data has been released to person(s) unknown.  It is unclear at this time as to whether it a procedural issue, a technical misconfiguration or an actual hacking attack.  Although Aviva has been quick to admit to the breach, they have yet to confirm its full extent and the number of affected customers. 

The previous breach in February 2014 was the result of two employees selling customer data to external agencies. These two employees have since been arrested and released on bail pending charges related to suspicion of fraud by abuse of position.

Is it possible to prevent this kind of incident occurring or re-occurring? In essence no, they is no way that you can completely prevent this type of insider threat; however you can put measures in place in an attempt to deter or detect dishonest/disgruntled staff from carrying out illegal activities.  Potential measures include but are not limited to protective monitoring, staff awareness and staff vetting.  Let’s look at each one of these possible measures:-

istock_000011991144medium.jpgProtective Monitoring – Briefly put, protective monitoring is where a company monitors its staff computer use and network activities.  It’s not a ‘Big Brother’ approach but has certain levels of monitoring to identify any suspicious activities such as large data transfers or inappropriate user activity, such as logging on at unusual times. If you would like to learn about the employer responsibilities around monitoring of staff and compliance with legislation such as the Data Protection Act, we have a presentation on this link, you will need sound.

Business Development Consultant - Cyber Security.

Staff Awareness – This involves educating staff in a number of things, for instance reporting out-of- character mood swings or habits or just inappropriate computer or device related activities. Staff can also be educated on other potential threats to increase their awareness and how to report any suspicious activity.  An example of this maybe when a normally bubbly person suddenly becomes a recluse which may indicate that they have some personal problem that they are struggling with.  It is appreciated that it maybe a personal problem but highlighting it to the management chain may firstly prompt extra or additional support made available to that person but secondly, dependent upon the personal problem, may warrant additional safeguard measures being introduced to highlight/detect inappropriate or suspicious activity.

 Access DeniedStaff Vetting – Vetting or Security Checking staff does provide an element of assurance; however it is never 100% effective; just like a car’s MOT is really only valid on the day it’s issued. Vetting provides a snapshot of a member of staffs suitability to hold a position of responsibility and unless properly maintained loses its credibility.  Vetting can include a number of checks into an individual’s personal life and/or circumstances such as their finances, nationality, last employment and/or personal references.  The degree of vetting carried out is dependent upon the role of the individual within the organisation.  For example IT staff with enhanced privileges could have a more in-depth vetting check carried out to provide a degree of assurance that they are less likely to be susceptible to bribery, coercion etc.; although this is not mandatory it can be a risk management decision made by an organisation.

Possible next steps for Aviva

  1. Fully investigate the breach and establish as to how, why, where, who and what was taken.
  2. Inform all affected customers
  3. Look for trends and patterns related to previous incidents
  4. Identify appropriate additional controls that may assist in re-occurrence
  5. Ensure all breaches are reported to the ICO accordingly
  6. Remind all staff of their responsibility to report irregularities or suspicious activity
  7. Educate staff on the current threats

Is it actually possible to prevent this from happening again?  Insiders will always make great efforts to circumnavigate controls and safeguards and if your insider has privileged access (such as System Admins or senior management) then the problem can increase exponentially. The key is to try and make it so difficult for these kind of insiders to succeed or increase their perception of likelihood they will be revealed. We know we cannot make 100% of networks 100% secure 100% of the time but if we make it difficult enough then we can reduce the risk of it happening even if we can never guarantee it won’t happen again.