Category Archives: business continuity

Some top security tips that ALL employees can use

When it comes to security, one thing is clear, people occasionally do daft things with computers and devices, and they frequently do these daft things at work. They occasionally do malicious things too but it’s mostly just daft. So we can train our employees (including managers and directors) in our procedures and policies and enforce them. In fact, spending as much time thinking about the best way to train different teams is never time wasted because it gives you the chance to use their language and create something nuanced that will make a genuine difference, which is, after all, the whole point of doing it.

Looking at some of the data that came out of Vormetric’s Insider Threat report, in actual fact, those privileged users are still posing a security headache to many of the respondents. They may be System Admins or senior colleagues who are simply not restricted or monitored in the way other employees are…these are the ones who can access very sensitive or valuable information and so need to be even more hyper-vigilant in their behaviour. But let’s face it, one phishing email clicked and payload of malware downloaded is all it takes and that could be done by an MD or a temp.

I asked the team here at Advent IM to come up with some practical tips that all employees can use, regardless of their role,  to help protect their organisations and enhance their understanding of the vital role they play in securing assets.

  • That email telling you there’s a juicy tax rebate waiting for you but it needs to be claimed immediately, hasn’t come from the Government. It’s  a phishing email. Clicking that link will allow malware to be installed and all your personal information to be stolen. Do not click on links in emails you are not expecting and if in any doubt refer to your security manager.
  • Never set your smartphone to allow download and installation of apps from sources other than an approved store. Changing this setting can allow malware to be installed without your knowledge and could result in you being a ransom ware victim.
  • Always report security breaches immediately to your line manager to facilitate any counter compromise action to be undertaken as deemed necessary. If the organisation isn’t aware of it, the event could worsen or spread. Containment and control is vital as quickly as possible.
  • Archive old emails and clear your deleted & sent folders regularly as a clean and tidy mailbox is a healthy mailbox.
  • Never discuss work topics on social media as your comments may come back and bite you!! You could also be compromising your employers and colleagues security and increasing the likelihood or the ease of an attack.
  • Don’t worry about challenging people you do not know who are not wearing ID or visitor badges. It may seem impolite but Social Engineers use inherent politeness to their advantage and can then move round a site, potentially unchallenged.
  • Don’t allow colleagues to use your login credentials, this goes double for temps and contractors. Think of it like lending your fingerprints or DNA to someone, would you do that so easily? Any activity on your login will be attributed to you…
  • Do you really need to take your work device to the pub with you? More than a quarter of people admit to having lost (or had stolen) up to 3 work devices and more than half of them were lost in a pub!
  • Don’t send sensitive documents to your personal email address. If there is a security measure in place, it is there for a reason..
  • Don’t pop any old USB into your PC. Nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and potentially, that of their employer. It could have anything on it! exercise caution.

Some of the findings on Insider Threat from the Vormetric 2015 survey…

2015 Vormetric data Insider Trheat v0.4

Incident Management – an explanation and example

Advent IM Security Consultant, Del Brazil, offers some guidance on best practice in Incident Management.

Incident Management is defined by the Information Technology Infrastructure Library (ITIL) is ‘To restore normal service operation as quickly as possible and minimise the impact on business operations, thus ensuring that agreed levels of service are maintained.’  Although this definition is very much aligned to the service delivery element of IT, organisations should translate it to all areas of the organisation to form the basis of any incident management strategy.

Any Incident Management process should include:-

Incident detection and recording – Ensuring that sufficient and appropriate means of both detecting and reporting of incidents is critical, as failure to report incidents can have a serious impact upon an organisation.  There maybe a legal requirement for incidents to be reported such as incidents associated with the loss of personal data or security breaches related to protectively marked information, although not applicable to every organisation.  Ensuring that an incident is correctly reported will facilitate the correct actions are taken in line with the incident management plan and thus ensure the correct allocation of resources.

An example maybe that an individual receives an email from an untrusted source and without realising any inherent risk, opens an attachment, which in turn causes their terminal to become unresponsive.  The individual contacts the IT department in the first instance in order to initiate some form of containment measures, whilst also documenting down how the incident occurred.

Classification and initial support – There are various levels of severity associated with different types of incident and ensuring that they are correctly classified will mean that the appropriate resources or emergency services are tasked accordingly.  These levels of severity range from low impact/minor incident requiring a limited number and type of resources, through to a major incident, which has the potential to impact on the whole organisation and requires a substantial amount of resources to manage or recover from.  In the early stages of any incident the support provided by a designated incident response team is vital as their initial actions can have potentially massive implications on the organisations ability to resume normal operations.

Following on from the previous example the incident may be classified as a low priority at this stage as only one terminal/user has been affected.  The IT department may have tasked a limited number of resources in tracking down the suspicious email on the mail server and then taken the appropriate quarantining and/or deleting procedures.

Investigation and diagnosis – Further and ongoing investigations into the incident may identify trends or patterns that could further impact on the organisation, once normal operations have been resumed.

Keeping in mind the example previously discussed, should the initial findings of the IT department reveal that the email has been received by a large number of users, then further impact analysis should be undertaken to establish the impact or effect on services before any additional resources are dedicated to resolving the issue.  This further investigation requires an organisation-wide broadcast, highlighting the incident and what actions should be taken in the event that users received suspicious emails or attachments.

Resolution and recovery – Ensuring that the correct rectification method is deployed is paramount, as no two incidents are the same and as such any incident management plan should have a degree of flexibility to accommodate potential variations.

Using our example scenario, the correct rectification solution in this instance would be to purge the mail server of any copies of the suspicious email and then to execute the scanning of the mail server with an anti-virus and/or anti-spam product.  Consideration should be given as to whether to take the mail server off line to perform the relevant scans, however any potential down time may impact on the output of the organisation.  In the event that the mail server is taken off line, it is imperative that communication is maintained with all staff, contractors, customers and third party suppliers etc.

Incident closure – The closure of an incident should be clearly communicated to all parties involved in managing or effecting rectification processes as should a statement stating ‘Business has resumed to normal’ to clearly indicate to all concerned that normal operations can continue.

In our example , it’s essential that all persons involved or impacted by the incident are informed accordingly which formally closes the incident.  This also reassures any interested parties that normal service has been resumed thus preventing any additional business continuity plan being invoked.

Incident ownership, monitoring, tracking and communication – An Incident Manager/Controller should take clear ownership of any incident so that all relevant information is communicated in an effective way to facilitate informed decisions to be made along with the correct allocation of resources.

As always, good communication is vital not only with staff, emergency services and the press but also with key suppliers and customers, as these may have to invoke their own business continuity plans as a result of the incident.  Business continuity plans ensure critical outputs are maintained but the invoking of a plan comes at a cost, whether it be financial or an impact to operational outputs.  It is therefore imperative that once an incident has been deemed formally closed then key suppliers and customers should be informed accordingly, this will  enable them to also return to normal operations.  Post incident analysis or ‘Lessons learnt’ meetings should be held after any incident to highlight any weaknesses or failings so that rectification measures can be introduced accordingly.  Likewise, should there be any good practices or solutions highlighted during the incident, then these should also be captured as they may be used in other areas of the organisation.

Now our example has been correctly identified, treated and business has returned to normal it is imperative that an incident ‘wash up’ meeting takes place to clearly identify those areas for improvement and those that performed well.  The correct allocation of resources during the initial stages of the incident to address what was deemed to be initially a minor incident, resulted minimal impact to not only business outputs, but also to customers or third party suppliers.  The findings of the ‘wash up ‘ meeting should be correctly recorded and analysed for any trends or patterns that may indicate a weakness in security.  In this instance the mail server’s spam filters may have been incorrectly configured or not updated resulting in a vulnerability being exploited.

Any incident management plan should be suitably tested and its effectiveness evaluated with any updates/amendments implemented accordingly.  It would be prudent to exercise any incident management plan annually or when there is a change in the key functions of the organisation.  It is also additionally recommended that all users are reminded of how to report incidents during any annual security awareness education  or training.

As organisations become ever increasingly reliant on internet and IT services, it is imperative that an effective, appropriate and fully tested, Incident Management Procedure is embedded within the organisation.  Failure to ensure this may result in an organisation struggling to deal with or recover from any kind of security incident.

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015

TalkTalk advised not to talktalk about their breach?

According the International Business Times, the Metropolitan Police advised TalkTalk not to discuss their breach. (you can read the article here)

Here, in conversation on the topic , is Advent IM Directors, Julia McCarron and Mike Gillespie and Security Consultant, Chris Cope.

Chris Cope small headshot

Chris Cope

“This is interesting as it shows the 2 different priorities at work.  For the police, the key aim is to catch the perpetrator.  This often means allowing an attacker to continue so they can be monitored on the network and their activities logged and traced without causing them to suspect that they are being monitored in such a way.  The Cuckoos Egg details how the Lawrence Berkeley Lab famously did just this in response to a hack of their system.  However, TalkTalk have a duty of care to their customers.  If personal information could be used to steal money, then they must weigh up the advice from the police, along with the potential impact of not publicising this attack on ordinary people. Its easy to see how a CEO can be caught in between trying to help the police, but also attempting to limit the damage to their customers.  Ultimately it’s a difficult decision, but one that could be made easier with correct forensic planning, i.e. working out how to preserve evidence of an attack, which can be provided to the police, whilst ensuring that normal services continue and customers are warned.  Making these decisions during an actual incident will only make a stressful time even more so; far better to plan ahead.”

Julia McCarron

Julia McCarron

“Totally agree … something to add…

This is a classic case of being stuck between a rock and a hard place. As Chris quite rightly says two different objectives were at play here and each had its merits. Ultimately it was a difficult decision to make but you can’t knock TalkTalk for once, as it appears to have been an informed one.

Whilst I also agree with Chris on the forensics front, experience has shown us that staff need to be aware of what to do ‘forensically’ in the event of an incident and this is often where the process falls down. Because such incidents are usually rare, the chain of evidence is often corrupted unintentionally because no-one knows what to do, or it’s no longer available due to the time lag in occurrence and detection.

Intrusion detection systems along with other technological measures will be an asset in reducing that time lag but key to success is scenario training. In the same way as we are seeing Phishing tests becoming the norm, especially in customer facing organisations like TalkTalk, is there a place for forensic readiness testing to ensure staff know what to do when a security attack occurs? Then vital evidence is at hand when hacks like this occur and the force awakens.”

Mike Gillespie_headshot

Mike Gillespie

“Totally agree, Chris. It’s a tough balance but the protection of the consumer should always come first in my opinion.

Forensic readiness planning is key and continues to be a weak area for many organisations – linking this with an effective communication plan is vital – and as with any plan it needs to be properly tested and exercised…….as do all aspects of cyber response…..using appropriate scenario based exercises.

All of this should be designed to drive continual improvement and to ensure our cyber response evolves to meet emerging threats.”

If you would like support for Cyber Essentials and completing your questionnaire, you can find details here

No more Safe Harbour…or Harbor

European Court of Justice has ruled that transatlantic data sharing agreement is invalid. What does this mean for UK businesses that utilise US datacentres or Cloud services?

Advent IM Director Mike Gillespie, “There are issues arising from this ruling that require the urgent attention of UK businesses and they need to be aware of the legislative implications of how they plan to store and manage data”.

For some time now, hosting companies, system support and system management companies, contact centres and most recently cloud providers have been selling their services, some or all of which reside in the US, into the EU. These companies have consistently cited Safe Harbor as the assurance that EU citizen data would be afforded the commensurate level of protection that it would receive from an EU/EEA member state.

The inception of Safe Harbor predates the US Patriot Act, legislation which, many people feel made a nonsense of Safe Harbor. This has been widely documented and discussed by Data Protection practitioners for some time now and, whilst there have been ongoing negotiations, the European Commission appears to have made little progress. Meanwhile any EU Citizen data resident in US servers remained vulnerable to release to US authorities.

In one fell and rather final swoop, the Court removed the blanket approval for data transfers to the US. This now allows for individual national Data Protection Authorities (ICO in UK) to scrutinise any proposed transfers to ensure that transfers guarantee the rights to privacy and freedom from surveillance afforded each of us by the Charter.

Of course one way to attempt to get round the issue could be by following the EU Model Clauses route, an option often deployed by organisations in the past wanting to transfer data to/allow data processing in non-EEA or other trustworthy countries ie India. This option required the inclusion of a series of model clauses into contracts which effectively bind the Data Processor to abide by the principles of EU Data Protection. However, which takes precedence, contract law or the Patriot Act? Can a commercial contact ensure the privacy of EU Citizens personal data and guarantee it to be free from disclosure to US Authorities? This seems highly unlikely.

A further option could be implementing Binding Corporate Rules (BCRs) which are “designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA”. So far so good as this sounds just the ticket especially for multinational hosting providers and cloud computing providers?

However for BCRs to work, applicants must demonstrate that their BCRs “put in place adequate safeguards for protecting personal data throughout the organisation”.

How can any company hosting data inside the US offer this? In reality they probably cannot.

The truth is, EU Citizens data protection cannot be guaranteed once it’s transferred to the US, this has been acknowledged so finally that the EU Commission and member states’ Data Protection Authorities have an imperative to do something about it.

The fallout from the decision is yet to be felt but could have far reaching for some organisations. The ICO has been at pains to point out that the ruling does not mean there is an increase in threat to people’s personal data. However, companies will need to review how they ensure that data transferred to the US complies with legislation. Safe Harbor was not the only regulation available for transfers between the US and EU but it was the most widely used.

So what does this mean in the short term? Immediately little will probably happen. The ICO are considering the judgement and will be issuing guidance in due course. A new Safe Harbor agreement is also currently being negotiated between the EU and US, and has been in negotiation for the last two years, following the Snowden revelations. Once various authorities have cogitated over the ruling we will then need to assess the full impact on organisations moving forward as more guidance is released. In the meantime, a review of current practices is recommended by those organisations transferring data to the US.

Issued:  08.10.15                             Ends                                     Ref: safeharbor-01-Advent -MG

NOTES TO EDITORS

About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats.
From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project management methodology widely used within the public sector, CISSP qualified and Home Office trained physical security assessors.

Does Santa Have ISO28000?

During a festive office pondering, the topic of ISO28000 popped up. That might seem random to most people but this is Advent IM and you simply never know when a security standard might become pertinent.

ID-100298301In this instance we were discussing Santa; it being the season to be jolly etc. Here is a logistics expert and manufacturer (via Elves, obviously) with one of the most complex and dynamic supply chains one could imagine. He is a logistics supplier for parents as well as supporting his own goods; this is an assurance nightmare surely?!

So how do you secure your supply chain and offer assurance to key stakeholders that you have an evolved posture on transport security? ISO 28000 seems like a good option for Santa to consider and he can integrate with his ISO9001 and ISO14001 too!

Santa, if you’re reading this; the phone is always on the hook for you 🙂

Those with less complex supply chain, transport or logistic assurance needs may also benefit.

HoHoHo and Merry Christmas to you all.

 

pictures courtesy of Freedigitalphotos.net

santa gifts

Top Down Security (or “How To Learn To Love Information Security And Get It Into The Boardroom”)

Originally published on the Darlingtons Solicitors Blog 23.11.12

You say the word ‘security’ to people and get a variety of responses or perceptions. Some people think of manned guarding and a nice guy who works the barrier and checks the CCTV images to keep everyone safe.  Others go a bit ‘Mission Impossible’ and imagine consultants dangling from wires, testing floor pressure pads in secure areas whilst hacking into the Pentagon. And yet more others regale you with tales of every night club they have been asked to leave by a man in a black puffy jacket.

This post is not really about any of those perceptions, it is about a business enabler and how it is placed in successful organisations. I can appreciate that compared to Tom Cruise dangling from the ceiling this may appear dull, but as far as business goes, it’s a bit more useful.

“Yeah, IT does Security”

According to the Ernst & Young Global Information Security Survey 2012, there is a real gap between where Information Security sits within organisations and where it needs to sit. As Security Consultants we know this to be true and are also aware that other disciplines, FM for instance have also had a bit of a battle to get a voice in the boardroom. Given the interconnected nature of so many business areas, joining the dots and having top-down policy and behaviour, has never been more important.

Milky Way and our Solar System – image Ecology.com

As we are talking about Information Security (IS) let’s put it in perspective. IT security is the vital technical security of IT such as firewalls, encryption, password policy, patches etc. How an organisation behaves with regard to security of information is a much larger area. (If the organisation’s use of Information were the Milky Way for instance, IT might be our solar system– see picture). The rest of the organisation uses information in a myriad of ways, not always electronically and not always on a device (at least not one that IT is aware of…) the rest of the organisation may be vast and so the potential for compromised information is exponentially increased. Especially if everyone thinks that “IT do security….”

IT departments traditionally do not have a formal risk assessment mechanism. Risk is something a whole business faces not simply the systems in IT – important as they may be.

An organisation’s IS needs to be aligned to its Risk Appetite – but if accountability for it is placed in IT then realising this will be challenging.

Business solutions are not always technical or IT based. At the end of the day the users are people and people make mistakes or behave in questionable ways. Around 80% of data breach is generally accepted to be human error or malice. Technology can’t mitigate all of that risk; you need to consider policy, procedure and education of these concepts through your organisation.  Hopefully you can see now why we are moving out of the realms of IT and into the realms of business centric solutions that cut across silos, not reinforce them.

“Place your bets! Place your bets!”

Risk is a part of business, without risk there is no innovation and nothing can exist for long in a vacuum. Therefore it is vital to know how far you can push something before it becomes too great a risk. Not from an instinctual level but from a tried, tested and accepted level that comes from the boardroom via regular review. So understanding your organisation’s risk appetite and tolerance is vital. Aligning your IS policy and procedure to that appetite seems logical if not essential, yet 62% of organisations surveyed did not align IS to Risk Appetite.

How then can an organisation securely implement something like Bring Your Own Device (BYOD) which sounds on the surface like an IT project – which won’t be aligned to Risk Appetite? So in other words, the risk attached to allowing employees to use their own devices, which may mean access to corporate networks and drives, access to sensitive information, has not been assessed in terms of the business’s overall appetite. So rogue apps (which we hear about every week) for instance could be scalping data from the device on a regular basis and the user would be unaware. Previously, it was the user’s data alone that was compromised, with BYOD the scope of data available increases vastly as an organisation’s information assets open up to that user.

InfoSecurity – share the love

The Ernst & Young survey highlighted the need to bring Information Security into the boardroom. Perhaps asking who owns the risk or who is accountable for the Information risk is where to start. Well according to this survey only 5% have Information Security reporting to the Chief Risk Officer, the person most responsible for managing the organisations risk profile. Placing responsibility within IT can cause ineffective assessment and alignment with not only Risk but with Business priorities.

If 70% of the respondents are stating that their organisations IS function only partially meets the organisational needs, it becomes clear that this is a ship that has set sail without a map. IS needs C level direction and input, it needs to have the support of the board, be implemented and understood top-down and really start to make a positive impact on business growth by enabling it to happen securely, with threat and risk awareness, accountability and mitigation.

It was initially encouraging to read that almost 40% of organisations planned to spend more on IS over the next 12 months. But on reflection, if this is going to be mainly directed by IT departments – unaligned to Risk, unconnected to the board and occupying a similar space as the sun in the Milky Way or an organisation’s Information usage, it is doubtful that the dissatisfied 70% of organisations who feel IS is not currently meeting their needs, will reduce. What is concerning is that this could end up looking like wasted spend on Security, when in actual fact it is merely a potentially unwise or undirected spend. The upshot could be through a lack of board level understanding, that future spend then has a line run through it instead of under it.


All data sourced from Ernst & Young Global Information Security Survey 2012, all visual representation copyright of Advent IM and not to be reproduced without express permission.