Category Archives: BYOD

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015

Advertisements

Email Insecurity

At Symbol

This time of year, there is an upsurge in phishing and other malicious emails for us to contend with. From phony delivery notices to hoax PayPal problem emails, our inboxes are awash with attempts to invade, defraud and otherwise cause us chaos or loss. So the news that people are not taking the threat from email seriously after all the years of phish and spam, is worrying to say the least. Advent IM Security Consultant, Dale Penn, takes a look at the facts.

For far too many people, email security isn’t an issue until it suddenly is. Often, people won’t take threats against email seriously, believing that data breaches only happen to large companies as these are the only breaches that are reported in the news.

Alternatively, companies tend assume that email security is just something that’s already being taken care of as they have purchased the most up to date  technical defences such as anti-virus firewalls, Data loss prevention software etc etc, and it’s true that these can help in a layered approach however one large piece missing from the puzzle is education and awareness.

SC magazine reports that 70% of Brits don’t think that email is a potential cyber threat. And almost half admit opening non work related or personal emails at work.

Corporate Email Vulnerabilities

Bring Your Own Device (BYOD)

This refers to the practice of employees to bringing personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to using those devices to access privileged company information and applications.  This corporate ‘bring your own device’ trend is on the rise, according to a new study.

Ovum’s 2013 Multi-Market BYOD Employee Survey found that nearly 70% of employees who own a smartphone or tablet choose to use it to access corporate data.

The study surveyed 4,371 consumers from 19 different countries who were employed full-time in an organisation with over 50 employees.

Computer bugs red greyThe study has discovered that 68.8% of smartphone-owning employees bring their own smartphone to work, and 15.4% of these do so without the IT department’s knowledge. Furthermore, 20.9% do so in-spite of a BYOD policy.

These statistics are quite alarming as uncontrolled devices accessing corporate information represent a significant vulnerability.

Uploading to Personal Email account or Cloud Account

It doesn’t matter how strong your security standards are, or how much money you’ve dumped into the fanciest, most secure cloud storage systems, often employees won’t use them preferring to bypass red tape and send the information to uncontrolled home accounts therefore bypassing any company security.

Risk - Profit and LossWe’d all like to think that those that hold upper management positions in our businesses have higher standards, especially when it comes to security, but the statistics don’t lie. In a Stroz Friedberg survey, almost three-quarters of office workers admitted to uploading their business files to personal accounts and senior managers were even worse, with 87% of them failing to use their company’s servers to store sensitive company documents.

Conclusion

The fact of the matter is that the general security culture of the UK is not as it should be. The public in general (and many organisations) are unaware of, or not interested in applying, the most basic security principles to protect their personal information

Recognising this culture is the first step in treating it. Individuals still treat cyber-attacks with a degree of separation and the view that “it will never happen to them”.  Few people realise that a cyber-attack could potentially be as invasive and disruptive as a physical home invasion. Few people leave their house without taking appropriate security steps. We need to introduce awareness to the masses and embed the culture that has them locking there cyber door as well as the ones at home.

Top email Security tips

  1. Share your e-mail address with only trusted sources.
  2. Be careful when opening attachments and downloading files from friends and family or accepting unknown e-mails.
  3. Be smart when using Instant Messaging (IM) programs. Never accept stranger into your IM groups and never transmit personal information
  4. Watch out for phishing scams. Never click on active links unless you know the source of the email is legitimate.
  5. Do not reply to spam e-mail.
  6. Create a complex e-mail address as they are harder for hackers to auto generate.
  7. Create smart and strong passwords using more than 6 characters, upper and lower case, numbers and special characters i.e. £Ma1l5af3

The Insider that rarely gets questioned…

Insider Threat certainly isn’t going away, is it? Reading the continual survey results and news items I see published, it will still be an issue for a long time to come. We know that a lot of the Risk that Insiders bring can be mitigated with good policy and process combined with tech that is fit for purpose. But what of those insiders we don’t really like to  challenge? I speak of the C-Suite; our boards and senior management… surely they couldn’t possibly indulge in risky behaviour?

Risky behaviour is actually quite prevalent in our board rooms, security-wise I mean. (Check out https://uk.pinterest.com/pin/38632509277427972/) Unfortunately, some of the info assets that this level of colleague has access to is quite privileged and so in actual fact, the security around their behaviour actually needs to be tighter but in reality things are not always this watertight and IT security and other security functions will make huge exceptions, based upon the role and seniority instead of looking at the value of the information asset and how it needs to be protected. (Check out https://uk.pinterest.com/pin/38632509276681553/)

Its worth noting that senior execs are frequently the targets of spear phishing and given the level and sensitivity of assets they have access to, this is a huge risk to be taking with organisational security. Ransomware could also be deployed through this method and as a means of coercion. Whilst considering this level of access, we also need to think about the purpose of attack. If this was part of an industrial espionage type of operation, the plan might not be to steal data, it could be to destroy or invalidate it, in situ, in order to affect stock prices, for instance.  It is also worth noting that ex-execs or managers can still be a target and that means they still constitute a potential organisational threat.

Privileged access users like system administrators (sysadmins) also pose a potential threat in the same way as senior business users as there may little or no restrictions on what they can access or edit. A rogue sysadmin or similar could cause absolute chaos in an organisation, but the organisation might not even realise it, if they have also got the ability to cover their tracks. According to the Vormetric 2015 Insider Threat Report, the biggest risk group was privileged users and Executive Management categories were responsible for 83% of the overall risk from Insiders. Yet according to the same piece of research, only 50% have Privileged User Access Management in place and just over half had Data Access monitoring in place.

One more layer to add on top of this would be BYOD. Many businesses have considered whether BYOD is a good choice for them and many have decided to adopt it. Whilst data suggests it may contribute to data breach in adopting organisations, it can be a problem even for those who do not adopt it, as yet again senior execs are allowed latitude regarding the devices they use and may not be subject to the same scrutiny or oversight that general employees are. We know that almost a third of employees have lost up to 3 work mobile devices, we do not know how many have lost their own device also or whether it contained sensitive or valuable business data. We do know that some of these will be senior executives though and this, combined with other risky behaviours (check this out https://uk.pinterest.com/pin/38632509277975844/) will be a major contributor to the risk profile that they represent.

Ebay User Data Breach

Our MD, Mike Gillespie was speaking on BBC Radio 5 Live and BBC Radio Scotland about this disastrous data breach. There will be audio files soon for those who want to hear his comment and advice. Watch this space.

Phishing

One of the facts that has emerged so far is that this hack was in fact enabled by a spear phishing attack. For those of you who don’t know what this is, you are not alone. One if four UK employees does not know what phishing is and this major breach is a good example of why we have to get on top of security awareness training.

Phishing is when an untargeted,unsolicited email, purporting to be from  a valid source, such as a bank, invites you to click on a link or open a file. This is normally accompanied by some vague ‘issue’ such as suspicious account activity or the suspension of your account. Many of us can spot them on sight now as they are usually unsophisticated and badly spelled though this is starting to change. The payload is normally malware or spyware and might do anything from stealing logins, keystrokes or financial details.

Spear phishing is targeted at specific individuals and is normally more carefully constructed usually using some knowledge of them and with a specific purpose in mind. This may be access to a particular database, as it would appear in this case. The target may have been observed on social media or in person to establish some means of dialogue or establishing trust. this will increase the likelihood of the email being opened and activated and therefore the payload being delivered.

You may also have heard of Vishing or voice phishing and is probably best exemplified by the ‘Microsoft’ support call scam. This is when you receive a random call out of the blue from someone claiming to work in tech support for someone like Microsoft who tell you they have identified malware or issues on your PC and tell you they need access to it to clear it up for you. They will get the target to open up their PC normally by frightening them with stories of awful failures on their PC and may go as far as getting them to open up the PC’s event viewer which will show a few red flags or failures (which is normal) this will then be passed off as justification for the intervention – proof  if you like, of their timely intervention. This harmless activity then is used as the means of attack on an unsuspecting victim and their system is made vulnerable as they open up their PC to get it ‘fixed’.

This last one as well as being particularly cynical is also a cause for concern for employees who work from home or are mobile. Training staff in what they should or shouldn’t do, regardless of their geography has never been more important as cyberspace has no geography.

This is an old visual we produced but it is particularly relevant given recent events, feel free to share it with your business.

phishing

Appy Valentine’s Day? Or the Valentine’s Day Mobile Massacre?

ID-100103981It’s that time of year when thoughts turn to love,romance and cupid firing his arrows at unsuspecting victims. (That may have come out wrong) It is also the time of year when the volume of threats to the security of computers and mobile devices rapidly increases, as we are offered new and exciting e-methods of wooing a would-be mate.

Malware and privacy violations are rife in these Valentine or romance styled apps and though many people are familiar with the old phishing emails that purported to show you who was in love with you if you would just click the link or open the file, it still goes on and some people are still caught out.

Nowadays mobile app stores are awash with apps that will frame your photos in a suitably cupid-ey frame, or offer your lover romance-filled quotes. We need to be hyper-vigilant when downloading any apps of course, but with the misty eyed romance comes additional danger. Some apps demand access to your email, texts, location, calendar and even phone calls. So the best outcome might be unwanted advertising the worst outcome could mean it basically taking control of your device. Always check the permissions, even on paid for apps. If you think it seems reasonable for a wallpaper app to need to know your location and have access to your contacts then go ahead, if you don’t, then maybe you should reconsider if this is what you want on our phone or device. Some apps that do these things are also available from Google Play, so you really need to keep your wits about you. Of course this advice applies to any time of of year, not specifically Valentine’s Day.

According to Bitdefender researchers, Valentine related scams are growing and a 10% rise on a single day was recorded in January. Of course, singling out one day from a period can make a trend look more volatile, but even if the overall trend for the period is half this, it is still a worrying uplift. If you BYOD or the device you use to e-woo is ever connected to your employers network (with or without their permission, we know what you are like…) then this has the potential to cause a lot of trouble. 

Online scams are still alive and well as we mentioned earlier. Be wary of sites offering roses, designer jewelry and other wooing weapons at massively discounted prices. If it feels too good to be true, then it probably is. Apart from  your loved one of course…

Happy Valentines Day, Security Lovers

ID-10069384

images courtesy of freedigitalphotos.net

SME Information Risk: 48% suffered reputational damage already from lost data

Originally published in Outsource Magazine August 2012

According to a recent survey by Iron Mountain and PricewaterhouseCoopers LLP (PWC), in Europe, mid-sized businesses are placing themselves at unnecessary Information Security risk.  The average index score for Information Risk maturity in this group was only 40.6 (a score out of 100), which sharply highlights the gap between what business is currently doing and what it is supposed to be doing.

Are businesses listening to the warnings about Insider Threat?

Are we listening yet?

Shockingly, 64% of the mid-sized businesses surveyed had no information risk strategy in place, which was effectively monitored.  Given that almost half of the businesses surveyed said they had already suffered reputational damage as a result of lost or misplaced data, this lack of information security appears cavalier at best. It could be your personal data or your organisations data being handled, managed or stored by these businesses.

According the Norwich Union Business Continuity survey (of which information security and reputational damage would be important elements) only 8% of businesses without a plan, which had suffered a serious incident, survived 5+ years, 40% never re-open after a serious incident. If the failings within mid-sized businesses are as widespread as the PWC data suggests this is very bad news for many businesses and could be the one area we start to see them over index, sadly.

Hiding in plain sight

So what does a small or medium sized business do to protect itself, its own valuable data and potentially that of its customers and supply chain? Well, Information Security issues are not like the monster under the bed, despite what the popular press may have us believe.  They don’t frequently leap out to shock you and grab your ankle. More frequently they hang around, waiting to be noticed by someone until it’s just too late and the worst has happened. No amount of finger crossing can spare you from its teeth by then – or the ICO’s teeth in this case. It is normally a series of failings or an extended period of time when risks have been ignored or misunderstood.

Being an SME can make an organisation more ‘fleet of foot’ than many larger businesses. The advantages of being reactive and able to quickly change course or take advantage of a sudden opportunity is a great flexibility to have. Potentially though, the risk side of things can be pushed to one side or ignored and then a lack of due diligence can mean that the new undertaking or direction is being done effectively ‘on the hoof’ and without the anchor of proper governance.  This can also be reflected in the approach to procurement when the questions about the correct checks and balances for security are simply not being asked.  This is possibly because there may not be a dedicated FTE for each role and employees wear several hats. It may be a naiveté about accountability and responsibility either from a legislative or industry requirement basis.  If your organisation is lucky enough to have employed someone with and Information Security or Data Protection background, then this is less of an issue. That is assuming that the resource to have an FTE with these expert skills is available. Generally this is not the case and whilst many businesses are more than familiar with the old outsource service of security, they do not necessarily make the connection to Information and Data.

“Sometimes I feel like the conversation itself is encrypted”

That is how it feels to have a conversation with a security guru. Within minutes the language becomes dense and acronym laden and the eyes of the non-security person may start to glaze or dart about like a frightened rabbit in car headlights.

The concept of Information Security is understandably daunting. Many businesses are put off by the language and apparent complexity. Everyone is put off by things they don’t’ understand but that is what outsourcing is for. Part of the issue is that organisations and those within them responsible for security of information, do not want to feel daft, the language and complex terminology they are coming up against makes them feel inadequate and sounds potentially expensive.

Although security has a long relationship with outsourcing, this has been largely around physical security and areas such as manned guarding. For some reason, outsourcing an organisation’s Information Security, Data Protection or Business Continuity appears to have passed many organisations by as a possibility.

When you think about it though, it makes perfect sense. Areas that are complex and needs and expert help, that may not require and FTE or be too cost sensitive to resource on an FTE basis or maybe required to move an organisation through an accreditation to assist with perhaps getting onto a Government supply framework, or supplying the NHS for instance. Whilst every organisation needs to be security aware and educate their staff effectively, understanding the accountabilities, policies and processes are far more relevant to an SME than having an inside out knowledge of security terminology and the dazzling amount of acronyms. Outsourcing is the natural choice.

One of the 64%?

So the data security inertia may not solely come from a lack of interest or concern about what happens to client, customer or internal information. True some organisations have a genuinely laissez-faire attitude, but many don’t and some of the lack of appropriate action can have come from fear, confusion and misinformation.

Given the ICO’s power to fine up to £500k for serious incidents, this could potentially see a number of the unprepared 64% close for good. It makes much more sense to find an expert outsource partner to translate and guide. Security is a business enabler. Once the security is in hand and under control, an organisation can go on with the business of growing in a secure environment for both the organisation and its partners. It allows organisation to tender for business that they may not normally have been in a position to. It brings likeminded businesses together, allowing them to partner and support each other knowing that they are on the same page and that their respective information assets are properly managed.

Outsourcing Information Security may be a newer area of outsourcing but as with all good outsourcing it is there to provide the expertise it would appear is lacking in the SME arena. Ensuring the best quality, independent advice from an outsource partner could provide the competitive edge and reassurance an SME needs to realise its true potential.

Data sources: PWC Iron Mountain survey “Beyond cyber threats: Europe’s first information risk maturity index” and Norwich Union Business Continuity Survey

9 out of 10 TMTs think they are not vulnerable to cyber attack…think on..

According to the latest Deloitte Global Technology, Media and Telecomms (TMT) survey, 88% of respondents felt their organisation was not vulnerable to cyber attack, despite almost 60% of them having already experienced at least one security breach. (you can download the full report here)

Employees – Insider Threat

Companies also said that employee mistakes were the top threat when it comes to Information Security. Whilst it isn’t a surprise that this is the top threat, the reluctance to face the insider threat (let’s face it, it doesn’t have to be malice aforethought) has seemed hard to shake. It is something we have discussed on this blog before. It’
s disappointing that having acknowledged that employees are a real issue, only 48% of businesses offer Security Awareness training. This is creating vulnerability needlessly. Security Awareness should be an integrated part of business. Having said that the tendency to push Security onto IT is part of the problem. IT can look after IT security but information has to be safeguarded in all its forms and that means anyone who uses it has to be responsible for its security. That means all employees have a part to play. This also explains why employees are the top threat to security.

Advent IM Security Experts

Can’t happen to us….

BYOD

There is a growing awareness of the potential threat from increased use of mobile devices.

The Human Effect on Data Protection 2

The co-existence of personal and business data and applications make mobile devices highly prized for theft and also marvelous new entry points for a cyber attack. Figures from a previous survey from Ponemon Institute showed that the majority of respondents carried sensitive data on mobile devices ‘frequently or very frequently’ , yet the same survey showed that over a third of data breach had come from lost or stolen devices and that almost 60% of employees spent no time whatsoever on data protection activities.

The Human Effect on Data Protection 3

Given these figures, a firm grip on your organisation’s Risk Appetite and Tolerance is a must  before an informed decision can be made on BYOD…

Deloitte TMT visual 3