Category Archives: cyber crime

NASA hacking?

A post on allegations of NASA being hacked from Del Brazil of Advent IM

There have been allegations of numerous hacks into the systems controlled or operated by NASA. These have ranged from secret UFO files being accessed, through to drones being infiltrated and subsequently controlled by unauthorised persons.

This raises questions about how secure the NASA websites, servers and systems are. There are a whole host of individuals who claim to have hacked NASA, including a 15-year-old who is alleged to have caused a 21-day shutdown of NASA computers, through to an individual who claims to have found evidence that NASA has built, or is in the process of building, ‘space warships’ and to have found lists of ‘non-terrestrial military officers.’

The latest alleged hack involves the release of various videos, flight logs and personal data related to NASA employees. This hack is believed to have originally started over 2 years ago with a hacker paying for initial access; although it is not yet confirmed, it is fair to assume that this purchase would be associated with a NASA employee. The hacker then carried out a ‘brute force’ attack against an administrator’s SSH password, resulting in a successful compromise within 0.32 seconds, as the password is alleged to have still been set to the default credentials. Having infiltrated the system with an administrator’s password, the hacker was then pretty much free to navigate his/her way around various NASA systems, collecting information as they went. It’s not unusual to find CCTV systems and/or other Building Management Systems with administrator settings still left at their defaults; what is unusual is to find that NASA systems are potentially falling foul of this too. There were also claims that one of NASA’s unmanned drones, used for high-altitude and long-duration data collection, had been partially taken control of during the hack with a view to potentially crashing it in the Pacific Ocean.

The information claimed to have been obtained includes 631 videos of weather radar readings and other in-flight footage from manned and unmanned aircraft between 2012 and 2013, along with personal information related to NASA employees. It is widely reported on the internet that the personal information obtained relating to the NASA employees has been verified by another media outlet, as they allegedly attempted to contact those individuals by telephone; although it is further reported that no actual conversations took place and that verification was obtained from the answerphone messages of those NASA employees. There are no reports that the same media outlet has received any return calls from the alleged NASA employees, nor is there any documented communication from NASA’s IT Security Division, the Glenn Research Center, the Goddard Space Flight Center, the Dryden Flight Research Center, the NASA Media Room or the FBI.

This is certainly not the first and won’t be the last alleged hack of NASA. It is well known that there are a whole host of individuals who are continuously attempting to attack large organisations; whether their motive is criminal or just inquisitive, you can be assured that any alleged successful hack will make headline news. Hackers are widely regarded as kudos-seekers, hungry for reputation and status within their own fields, and targets like this are very highly sought after.

Let’s consider the sensitivity of the alleged data. Any sensitive or ‘secret’ information is likely to be securely stored in a manner that prevents, or at least deters, any potential hacker; however, no system is 100% secure and so there is a possibility, albeit a very small one, that a hacker may be successful.

NASA have responded by stating that ‘Control of our Global Hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations.’ So the old ‘he said, she said’ playground argument continues, with neither party being proved or disproved, but what we do know is that hackers will continue to attack high-profile organisations for ‘kudos’ status or bragging rights.

Cyber Everything & PCI DSS – The Forgotten Standard?

Senior Security Consultant for Advent IM and PCI DSS expert Mark Jones gives us his thoughts on the current awareness of this important payment industry standard.

In the current information security climate where everything has ‘cyber’ prefixing the topic e.g. cybersecurity, cyber risk, cyber threats and the list goes on, is it possible organisations have forgotten about existing and very important ‘cyber-related’ standards such as the Payment Card Industry’s Data Security Standard (PCI DSS)?

As more and more business is done online in our ‘new’ cyber world – 2015 Online Retail Sales £52 Billion, up 16.7% from £45 Billion in 2014 – payment cardholder (CHD) account data security is more important than ever. This includes the need for assured authentication, confidentiality and integrity of payment cardholder information, as traditionally provided by the Secure Sockets Layer (SSL) protocol behind the padlocked HTTPS browser sessions of the past 20 years. In 2014, the US National Institute of Standards and Technology (NIST) determined that SSL, and indeed early versions of SSL’s successor, the Transport Layer Security (TLS v1.0) protocol (also referred to as SSL), have serious vulnerabilities, with the recent high-profile POODLE, Heartbleed and FREAK issues due to weaknesses found within these protocols and their implementations.

So, if you are an entity that stores, transmits or processes Cardholder Data (CHD), specifically the 16 (can be up to 19) digit Primary Account Number (PAN), then you should seek to comply with the latest version, v3.1, of the PCI DSS. This version, released in April 2015 by the PCI Security Standards Council (SSC), removed SSL as an example of strong cryptography, and SSL can no longer be used as a security control after 30 June 2016. However, the migration from SSL and early TLS to TLS v1.1 and 1.2 has caused issues for some organisations, hence the SSC update in December 2015[1] that the deadline had been extended by 2 years, with a new end date of 30 June 2018 for existing compliant merchants. However, the SSC is at pains to emphasise that this delay is not a reason to hold off migrating to a more secure encryption protocol (as defined by NIST), and entities that can update should do so as soon as possible.

If the entity is an Acquirer (typically the merchant’s bank), Payment Processor, Gateway or Service Provider, then they MUST provide TLS v1.1 or greater as a service offering by June 2016. Additionally, if it is a new PCI DSS implementation (i.e. when there is no existing dependency on the use of vulnerable protocols) then they must be enabled with TLS v1.1 or greater – TLS v1.2 is recommended.

As you can see, PCI DSS can play a significant part in any cyber security programme providing the entity in question is compliant with the latest version 3.1. If you have yet to start, or are part way through a PCI DSS implementation project, what can and should you do NOW? We recommend the following 3 actions:

  • Migrate to a minimum of TLS v1.1, preferably v1.2;
  • Patch TLS software against implementation vulnerabilities; and
  • Configure TLS securely.
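The three actions above come down to what a web server is allowed to negotiate. As an added illustration (not code from Advent IM or the PCI SSC), the following Python checks an nginx-style `ssl_protocols` directive against the v3.1 position described in this post (SSL and TLS 1.0 disallowed, TLS 1.1 the minimum, TLS 1.2 recommended) and rewrites a weak directive into a compliant one. The two server blocks are constructed samples, and the nginx directive syntax is the only thing assumed.

```python
"""Assess and harden an nginx ``ssl_protocols`` directive for PCI DSS v3.1.

Added example: classifies which protocols a config block enables and can
rewrite the directive so that 'SSL and early TLS' are no longer offered.
"""
import re

# Protocol names as nginx spells them, grouped by the PCI DSS v3.1 verdict.
DISALLOWED = {"SSLv2", "SSLv3", "TLSv1"}   # 'SSL and early TLS' must be disabled
RECOMMENDED = {"TLSv1.2"}                  # the protocol the SSC recommends
# Anything else that is not disallowed (i.e. TLSv1.1) is 'minimum' only.

# Constructed sample configs: a legacy block and its corrected form.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
}
"""

# Matches one directive per line; indent is captured so rewrites keep layout.
_DIRECTIVE = re.compile(
    r"^(?P<indent>[ \t]*)ssl_protocols[ \t]+(?P<protos>[^;]+);", re.MULTILINE
)


def enabled_protocols(config_text):
    """Return the protocols named by the directive, or None if it is absent."""
    m = _DIRECTIVE.search(config_text)
    return None if m is None else m.group("protos").split()


def assess(config_text):
    """Classify a config block. Returns (status, offending_protocols).

    status is one of:
      'unknown'       - no ssl_protocols directive found (server default applies)
      'non_compliant' - SSL or TLS 1.0 still enabled (fails after the deadline)
      'minimum'       - nothing older than TLS 1.1, but TLS 1.2 is not offered
      'recommended'   - TLS 1.2 offered and nothing older than TLS 1.1
    """
    protos = enabled_protocols(config_text)
    if protos is None:
        return "unknown", []
    offending = sorted(p for p in protos if p in DISALLOWED)
    if offending:
        return "non_compliant", offending
    if RECOMMENDED & set(protos):
        return "recommended", []
    return "minimum", []


def harden(config_text):
    """Rewrite the directive: drop SSL/TLS 1.0 and make sure TLS 1.2 is offered."""
    def _fix(m):
        kept = [p for p in m.group("protos").split() if p not in DISALLOWED]
        if not RECOMMENDED & set(kept):
            kept.append("TLSv1.2")
        return f"{m.group('indent')}ssl_protocols {' '.join(kept)};"
    return _DIRECTIVE.sub(_fix, config_text)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        status, bad = assess(cfg)
        print(f"{name}: {status} {bad}")
    print(harden(WEAK_CONFIG))
```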

If you need any further help and guidance with PCI DSS, please contact Advent IM…

[1] http://blog.pcisecuritystandards.org/pci-changes-date-for-migrating-from-ssl-and-early-tls

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

In February, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched a whitepaper on CCTV in schools, and we discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection.

In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!). Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014, suddenly shot back up the blog statistics as people explored some of our older posts.

In April, law firms were in the sights of the ICO and we blogged about it, and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website.

In May, Ransomware was on everyone’s radar, including ours. A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and common sense reveals the huge commercial benefits.

In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no-nonsense post explaining what it meant, and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking Attack Trees. A post that was also very well read came from Julia McCarron, who discussed the risk in continuing to run Windows XP.

In July, Social Engineering was a key topic and one of our blog posts was very well visited: The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote, with clarity, about hacking Planes, Trains and Automobiles, as well as the coverage this kind of hacking was receiving.

In August, we heard about Hacking Team being hacked, and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives, and a guest post from Malcolm Charnock got hoisted back into the charts.

In September, TOR was in the press, sometimes as a hero but usually as a villain… well, perhaps not a villain, but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read, but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach. Marks and Spencer were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

In November, the Bank of England expressed some firm opinions on cyber security requirements in the financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defence material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbour and EU DP Regulations were also extensively read in November.

And finally, December… Well, the Advent Advent Calendar has been a festive fixture for three years now, so we had to make sure it was included, and it has, as always, been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally, TalkTalk popped up in the news and in conversation again, as it emerged that Police had advised the firm not to discuss their breach.

TalkTalk advised not to talktalk about their breach?

According to the International Business Times, the Metropolitan Police advised TalkTalk not to discuss their breach (you can read the article here).

Here, in conversation on the topic, are Advent IM Directors Julia McCarron and Mike Gillespie and Security Consultant Chris Cope.

Chris Cope

“This is interesting as it shows the 2 different priorities at work. For the police, the key aim is to catch the perpetrator. This often means allowing an attacker to continue so they can be monitored on the network and their activities logged and traced without causing them to suspect that they are being monitored in such a way. The Cuckoo’s Egg details how the Lawrence Berkeley Lab famously did just this in response to a hack of their system. However, TalkTalk have a duty of care to their customers. If personal information could be used to steal money, then they must weigh up the advice from the police, along with the potential impact of not publicising this attack on ordinary people. It’s easy to see how a CEO can be caught in between trying to help the police, but also attempting to limit the damage to their customers. Ultimately it’s a difficult decision, but one that could be made easier with correct forensic planning, i.e. working out how to preserve evidence of an attack, which can be provided to the police, whilst ensuring that normal services continue and customers are warned. Making these decisions during an actual incident will only make a stressful time even more so; far better to plan ahead.”

Julia McCarron

“Totally agree … something to add…

This is a classic case of being stuck between a rock and a hard place. As Chris quite rightly says two different objectives were at play here and each had its merits. Ultimately it was a difficult decision to make but you can’t knock TalkTalk for once, as it appears to have been an informed one.

Whilst I also agree with Chris on the forensics front, experience has shown us that staff need to be aware of what to do ‘forensically’ in the event of an incident and this is often where the process falls down. Because such incidents are usually rare, the chain of evidence is often corrupted unintentionally because no-one knows what to do, or it’s no longer available due to the time lag in occurrence and detection.

Intrusion detection systems along with other technological measures will be an asset in reducing that time lag but key to success is scenario training. In the same way as we are seeing Phishing tests becoming the norm, especially in customer facing organisations like TalkTalk, is there a place for forensic readiness testing to ensure staff know what to do when a security attack occurs? Then vital evidence is at hand when hacks like this occur and the force awakens.”

Mike Gillespie

“Totally agree, Chris. It’s a tough balance but the protection of the consumer should always come first in my opinion.

Forensic readiness planning is key and continues to be a weak area for many organisations – linking this with an effective communication plan is vital – and as with any plan it needs to be properly tested and exercised… as do all aspects of cyber response… using appropriate scenario based exercises.

All of this should be designed to drive continual improvement and to ensure our cyber response evolves to meet emerging threats.”

If you would like support for Cyber Essentials and completing your questionnaire, you can find details here

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM Staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how  the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsula coupled with additional attacks from the orient – this will bring a chill to the spines of organisations. These attacks are likely to be followed by sweeping phishing scams from the African continent. There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation that the threat from insiders is on the rise. In summary it’s going to be a mixed bag of events for a number of wide ranging organisations. However on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same. Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people. I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees. I also predict a significant challenge for many organisations which hold personal data. The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens. With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioner’s Office (ICO). Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited. This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media and Marcomms Manager – I predict the growth of ransomware in business. Ransomware is mainly (though not exclusively) spread by phishing and given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites and so businesses that do not have, or enforce a policy or exercise restrictions in this area, will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breaches in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons, highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and, looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

‘Tis the season to be jolly… careful.

Thanks to Chris Cope for this look at Festive scams.

It’s that time of year when we all spend plenty of money buying presents for loved ones and, in a trend that increases year on year, many of these transactions are carried out online. Online transactions are worth millions of pounds to retailers and it’s no surprise that criminals are interested in trying to get a piece of that action. We posted earlier this week on the risks of trusting websites that seem too good to be true, or of not confirming the authenticity of the web page, as spoofing and outright mis-selling remain common tricks. However, some criminals are looking at another vulnerability: deliveries. For those of us who do order a substantial number of items online, the sight of the delivery driver bringing another box or parcel becomes a common one; as does the sight of the “Sorry we missed you” card posted through the letter box. Now it appears that some criminals are trying to exploit this element of online shopping. My wife received an email yesterday from what, at first glance, appeared to be a reputable delivery company. The contents of the email were, in summary, that a parcel was due to be delivered and the company had found no one in. Could we please complete the attached Word document and send it back to them to arrange an alternative delivery time and date? Seems straightforward enough, but on closer examination, the attachment contained malware. Criminals are attempting to cash in on the sheer volume of such deliveries at this time of year, particularly when online retailers use a variety of delivery agents. With so many deliveries, it’s easy to forget how many parcels you have received out of the number you are expecting.

So how to protect yourself? Well, firstly, most retailers will state which company they use to deliver your items, so an unexpected communication should be treated with caution. Many delivery agents will leave a physical card if they miss you, so an unsolicited email that doesn’t match those details should cause concern. Naturally, keeping your anti-virus up to date is important; don’t ignore warnings that appear. Finally, check the email address of the sender. Some legitimate email addresses have been used in the past, but word of such cons quickly gets around. When we googled the email address of the sender, there were a large number of warnings from other victims. There really is nothing wrong with learning from the experience of others.

Sadly, at this time of year, in what should be a time of celebration, there are plenty of criminals who look to take advantage. Don’t become a victim: take a few basic precautions and enjoy a Happy Christmas.

Cyber Monday top tips

Cyber Monday is upon us again… or should I say #cybermonday. Anyway, I asked our Security Consultants to come up with some top tips to help you shop a bit more securely for your Christmas gifts and decorations. Thanks to Chris Cope and Del Brazil for this.

  • HTTPS (other online vendors are available) – Always check for the padlock or green URL to confirm the ID of the website. If your security software is highlighting a problem then don’t ignore it;
  • Use secure passwords on websites you set up accounts with;
  • Pay by credit card if possible to gain from its insurance;
  • Use reputable websites; sites that look too good to be true usually are;
  • Be wary of being transferred to another webpage – don’t follow links emailed to you, visit the website yourself;
  • Make sure no one is looking over your shoulder capturing your card details etc.;
  • If there are any issues then remember to complain promptly. Consumer rights cover the internet, but don’t leave it too long to complain if goods aren’t what you expected.

Wishing you a secure Cyber Monday experience…

Email Insecurity

This time of year, there is an upsurge in phishing and other malicious emails for us to contend with. From phony delivery notices to hoax PayPal problem emails, our inboxes are awash with attempts to invade, defraud and otherwise cause us chaos or loss. So the news that people are not taking the threat from email seriously after all the years of phish and spam, is worrying to say the least. Advent IM Security Consultant, Dale Penn, takes a look at the facts.

For far too many people, email security isn’t an issue until it suddenly is. Often, people won’t take threats against email seriously, believing that data breaches only happen to large companies as these are the only breaches that are reported in the news.

Alternatively, companies tend to assume that email security is just something that’s already being taken care of because they have purchased the most up-to-date technical defences such as anti-virus, firewalls, data loss prevention software, etc. It’s true that these can help in a layered approach; however, one large piece missing from the puzzle is education and awareness.

SC magazine reports that 70% of Brits don’t think that email is a potential cyber threat. And almost half admit opening non work related or personal emails at work.

Corporate Email Vulnerabilities

Bring Your Own Device (BYOD)

This refers to the practice of employees bringing personally owned mobile devices (laptops, tablets and smartphones) to their workplace, and using those devices to access privileged company information and applications. This corporate ‘bring your own device’ trend is on the rise, according to a new study.

Ovum’s 2013 Multi-Market BYOD Employee Survey found that nearly 70% of employees who own a smartphone or tablet choose to use it to access corporate data.

The study surveyed 4,371 consumers from 19 different countries who were employed full-time in an organisation with over 50 employees.

The study discovered that 68.8% of smartphone-owning employees bring their own smartphone to work, and 15.4% of these do so without the IT department’s knowledge. Furthermore, 20.9% do so in spite of a BYOD policy.

These statistics are quite alarming as uncontrolled devices accessing corporate information represent a significant vulnerability.

Uploading to Personal Email account or Cloud Account

It doesn’t matter how strong your security standards are, or how much money you’ve dumped into the fanciest, most secure cloud storage systems: often employees won’t use them, preferring to bypass red tape and send the information to uncontrolled home accounts, therefore bypassing any company security.

We’d all like to think that those who hold upper management positions in our businesses have higher standards, especially when it comes to security, but the statistics don’t lie. In a Stroz Friedberg survey, almost three-quarters of office workers admitted to uploading their business files to personal accounts, and senior managers were even worse, with 87% of them failing to use their company’s servers to store sensitive company documents.

Conclusion

The fact of the matter is that the general security culture of the UK is not as it should be. The public in general (and many organisations) are unaware of, or not interested in applying, the most basic security principles to protect their personal information.

Recognising this culture is the first step in treating it. Individuals still treat cyber-attacks with a degree of separation and the view that “it will never happen to them”. Few people realise that a cyber-attack could potentially be as invasive and disruptive as a physical home invasion. Few people leave their house without taking appropriate security steps. We need to introduce awareness to the masses and embed the culture that has them locking their cyber door as well as the ones at home.

Top email Security tips

  1. Share your e-mail address with only trusted sources.
  2. Be careful when opening attachments and downloading files from friends and family or accepting unknown e-mails.
  3. Be smart when using Instant Messaging (IM) programs. Never accept strangers into your IM groups and never transmit personal information.
  4. Watch out for phishing scams. Never click on active links unless you know the source of the email is legitimate.
  5. Do not reply to spam e-mail.
  6. Create a complex e-mail address as they are harder for hackers to auto generate.
  7. Create smart and strong passwords using more than 6 characters, upper and lower case, numbers and special characters, e.g. £Ma1l5af3

Aviva 2nd Data Breach

Advent IM Security Consultant Del Brazil, gives us his thoughts on the Aviva data breach.

For the second time in less than two years, Aviva have reported a data breach in which customer data has been released to person(s) unknown. It is unclear at this time whether it was a procedural issue, a technical misconfiguration or an actual hacking attack. Although Aviva has been quick to admit to the breach, they have yet to confirm its full extent and the number of affected customers.

The previous breach in February 2014 was the result of two employees selling customer data to external agencies. These two employees have since been arrested and released on bail pending charges related to suspicion of fraud by abuse of position.

Is it possible to prevent this kind of incident occurring or re-occurring? In essence, no: there is no way that you can completely prevent this type of insider threat; however, you can put measures in place in an attempt to deter or detect dishonest/disgruntled staff carrying out illegal activities. Potential measures include, but are not limited to, protective monitoring, staff awareness and staff vetting. Let’s look at each one of these possible measures:

Protective Monitoring – Briefly put, protective monitoring is where a company monitors its staff’s computer use and network activities. It’s not a ‘Big Brother’ approach, but has certain levels of monitoring to identify suspicious activities such as large data transfers or inappropriate user activity, such as logging on at unusual times. If you would like to learn about the employer responsibilities around monitoring of staff and compliance with legislation such as the Data Protection Act, we have a presentation on this link (you will need sound).
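To make the two signals named above concrete, here is an added example (not Advent IM’s or Aviva’s monitoring, and not a product) in Python: a small detector that reads constructed activity log lines and raises alerts for logons outside business hours, for single transfers over a size limit, and for a user’s daily transfer volume crossing a threshold. The log format, the 07:00–19:00 business window and the byte thresholds are all assumptions chosen for the illustration.

```python
"""Protective monitoring example: flag off-hours logons and large data
transfers in a constructed activity log. Added illustration only; the log
format and every threshold below are assumptions, not a vendor's defaults.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: "timestamp,user,event,bytes".
# 'bytes' is 0 for logon events and the payload size for transfer events.
SAMPLE_LOG = """\
2015-12-01T08:55:12,jsmith,logon,0
2015-12-01T09:10:44,jsmith,transfer,52428800
2015-12-01T22:47:03,abrown,logon,0
2015-12-01T22:51:19,abrown,transfer,734003200
2015-12-01T23:02:58,abrown,transfer,629145600
2015-12-02T03:14:07,jsmith,logon,0
2015-12-02T10:00:00,ctaylor,transfer,1048576
"""

# Thresholds (assumptions): tune these to the organisation's normal activity.
BUSINESS_HOURS = (7, 19)                    # logons outside 07:00-18:59 are unusual
SINGLE_TRANSFER_LIMIT = 500 * 1024 * 1024   # 500 MiB in one transfer
DAILY_TOTAL_LIMIT = 1024 * 1024 * 1024      # 1 GiB per user per calendar day


def parse_log(text):
    """Turn the CSV-style log into (datetime, user, event, size) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, size = line.split(",")
        events.append((datetime.fromisoformat(ts), user, event, int(size)))
    return events


def detect(events):
    """Return (user, reason, detail) alerts in the order the events occur.

    reasons: 'off_hours_logon', 'large_transfer', 'daily_volume_exceeded'
    (the daily alert fires once, when the running total first crosses the limit).
    """
    alerts = []
    daily = defaultdict(int)          # (user, date) -> bytes transferred so far
    start, end = BUSINESS_HOURS
    for ts, user, event, size in events:
        if event == "logon":
            if not (start <= ts.hour < end):
                alerts.append((user, "off_hours_logon", ts.isoformat()))
        elif event == "transfer":
            if size > SINGLE_TRANSFER_LIMIT:
                alerts.append((user, "large_transfer", size))
            key = (user, ts.date())
            before = daily[key]
            daily[key] += size
            if before <= DAILY_TOTAL_LIMIT < daily[key]:
                alerts.append((user, "daily_volume_exceeded", daily[key]))
    return alerts


def users_to_review(alerts):
    """Distinct users with at least one alert, for the management chain to review."""
    return sorted({user for user, _, _ in alerts})


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for user, reason, detail in found:
        print(f"{user:8} {reason:24} {detail}")
    print("review:", users_to_review(found))
```

Alerts like these are an input to a human review, not a verdict on the member of staff; the page's point about proportionate monitoring and Data Protection Act obligations applies to how they are handled.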


Staff Awareness – This involves educating staff in a number of things, for instance reporting out-of-character mood swings or habits, or simply inappropriate computer or device related activities. Staff can also be educated on other potential threats to increase their awareness, and on how to report any suspicious activity.  An example of this may be when a normally bubbly person suddenly becomes a recluse, which may indicate that they have some personal problem they are struggling with.  It is appreciated that it may be a personal problem, but highlighting it to the management chain may firstly prompt extra support being made available to that person and secondly, dependent upon the personal problem, may warrant additional safeguards being introduced to highlight or detect inappropriate or suspicious activity.

Staff Vetting – Vetting or security checking staff does provide an element of assurance; however, it is never 100% effective, just as a car’s MOT is really only valid on the day it’s issued. Vetting provides a snapshot of a member of staff’s suitability to hold a position of responsibility and, unless properly maintained, loses its credibility.  Vetting can include a number of checks into an individual’s personal life and/or circumstances, such as their finances, nationality, last employment and/or personal references.  The degree of vetting carried out depends upon the role of the individual within the organisation.  For example, IT staff with enhanced privileges could have a more in-depth vetting check carried out to provide a degree of assurance that they are less likely to be susceptible to bribery, coercion etc.; although this is not mandatory, it can be a risk management decision made by an organisation.

Possible next steps for Aviva

  1. Fully investigate the breach and establish as to how, why, where, who and what was taken.
  2. Inform all affected customers
  3. Look for trends and patterns related to previous incidents
  4. Identify appropriate additional controls that may help prevent a re-occurrence
  5. Ensure all breaches are reported to the ICO accordingly
  6. Remind all staff of their responsibility to report irregularities or suspicious activity
  7. Educate staff on the current threats

Is it actually possible to prevent this from happening again?  Insiders will always make great efforts to circumvent controls and safeguards, and if your insider has privileged access (such as system admins or senior management) then the problem can increase exponentially. The key is to make it so difficult for these kinds of insider to succeed, or to increase their perception of the likelihood that they will be discovered. We know we cannot make 100% of networks 100% secure 100% of the time, but if we make it difficult enough then we can reduce the risk of it happening, even if we can never guarantee it won’t happen again.

CRIME OF OUR GENERATION – A Look at the TalkTalk Breach

A review from Advent IM Security Consultant, Chris Cope.

The TalkTalk hack has left another major UK business reeling from a cyber attack and customers angry as, once again, there is a possibility that sensitive information is now in the public domain.  The telecommunications company decided to take its own website offline on Wednesday following the presence of unusual traffic, with a ‘Russian Islamist’ hacking group claiming responsibility and the Metropolitan Police’s Cyber Crime unit now investigating. Details of precisely how the attack took place are not yet publicly available, but there are some points that are immediately apparent.

Customer security.  The BBC is reporting that personal information and bank account details may have been stored in an unencrypted format and are now available to hacker groups.  Some TalkTalk customers have complained about hoax communications already; it is likely that this is just the start. Customers will need to rely on TalkTalk to identify precisely which customers are affected, but in the interim they must monitor their bank accounts closely.  Any suspicious activity must be reported to their bank immediately as potential fraud.  When the TalkTalk website becomes accessible again, customers should immediately change their passwords, taking care to avoid passwords which are easily guessable.

Undoubtedly this is the crime of our generation, as more and more cyber attacks are reported.  But organisations should not despair: it is perfectly possible to reduce the risk from cyber attack by following the basic security precautions contained within ISO27001.  These can be applied to any organisation, large or small.  From what we know of the attack already, there are some specific controls from that standard which become immediately apparent:

  • Use of encryption. Many networks are designed to be hard on the outside but soft on the inside.  Once an attacker gains access to the network, they can wreak havoc.  The use of encryption is not the solution to all threats, but encrypting sensitive information is an important consideration.  This will not prevent the initial attack, but the impact of a breach is hugely reduced.  It’s also a practical option that the Information Commissioner’s Office would deem reasonable, and its absence may be difficult to justify during any follow-on investigation.  A good standard of encryption will make personal data unreadable to an attacker and, at the very least, will buy time for customers to make any changes to their account information they deem necessary.
  • Supplier security. In February of this year, TalkTalk reported that a third-party contractor based in India, which had legitimate access to its customer accounts, had been involved in a data breach.  The use of suppliers is widespread and many organisations now off-shore certain practices for sound business reasons.  But devolving the process does not devolve the responsibility, and organisations must make sure that their suppliers follow a suitable set of security controls that is consistent with their own.  Included in this suite of controls relating to suppliers is the right to audit supplier activities and a joined-up incident management reporting structure.  As further details on this incident emerge, it will be intriguing to discover how much TalkTalk knew of that incident and what steps they took to prevent follow-on attacks against their own network.  No matter how secure a network may be, authorised connections from trusted third parties remain a very attractive avenue of attack and they must be managed accordingly.
  • Defensive monitoring. The use of defensive monitoring will not prevent an attack, but it can help to radically reduce the impact.  TalkTalk took the decision to take their services offline following the detection of unusual behaviour within their network. This is a brave call, and how much it will cost them in terms of financial or reputational impact is yet to be established.  However, just how much worse could it have been without such monitoring?  What if the first indication of the attack had been personal information being publicly sold and exploited?  There is a cost to effective defensive monitoring, but it is a cost often worth paying in order to lessen the eventual impact of a breach.
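To make the first bullet concrete, here is an added Go example (not TalkTalk's or Advent IM's code) of field-level encryption of a customer record with AES-256-GCM from the Go standard library. The record identifier and account number are constructed sample values. The point it demonstrates is that a copy of the stored blob is unreadable without the key, and that a ciphertext cannot be silently moved between customers or altered without decryption failing.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random 256-bit data-encryption key. In a real system the
// key is held in a KMS or HSM, or at least a separate key store, never in the
// same database as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one sensitive field (say, a bank account number) with
// AES-256-GCM. The stored blob is nonce || ciphertext || tag. The record
// identifier is passed as associated data so a ciphertext cannot be moved
// from one customer's row to another's without failing authentication.
func EncryptField(key, plaintext, recordID []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// DecryptField reverses EncryptField; any change to the blob, the key or the
// record identifier makes gcm.Open return an error instead of garbage.
func DecryptField(key, blob, recordID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], recordID)
}

// Exposed reports whether a stored blob still contains the plaintext, i.e.
// whether a raw database dump would reveal the field.
func Exposed(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real customer data.
	recordID := []byte("customer:10042")
	account := []byte("12-34-56 12345678")
	blob, err := EncryptField(key, account, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob:       %x\n", blob)
	fmt.Println("plaintext visible:", Exposed(blob, account))
	back, _ := DecryptField(key, blob, recordID)
	fmt.Println("decrypted:        ", string(back))
	_, err = DecryptField(key, blob, []byte("customer:10043"))
	fmt.Println("moved to another record:", err)
}
```

Encrypting the field rather than the whole disk is the design choice that matters for the "soft on the inside" problem: an attacker who reaches the database with an application or administrator account still sees only ciphertext, whereas full-disk encryption protects only against loss of the physical media.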

As the list of cyber attacks in 2015 grows again, and shows no sign of tailing off any time soon, organisations must look to their own defences.  The threat is varied and very real.  Cyber crime is here to stay, but why make it easy for criminals to succeed?  There are steps that can be taken to reduce the risks of compromise and the impact following an incident.  Customers are now expecting higher levels of cyber security; if organisations wish to maintain their reputation, they should look to deliver it.