Category Archives: cybersecurity

Affinity Gaming and Trustwave legal action

A post from Chris Cope CISM, CISSP, MInstISP, CESG Certified Professional, PCBCM, ISO27001 Lead Auditor  and Advent IM Security Consultant

It had to happen at some point;  a cyber security company is being sued by a customer for not delivering the goods.  Las Vegas based Affinity gaming has initiated legal proceedings against Chicago firm Trustwave for making representations that were untrue and for carrying out work which was ‘woefully inadequate’.  The point of contention was a hack on the casino’s payment card system in 2013.  Affinity allege that Trustwave concluded that the intrusion had been contained and dealt with, but the casino operators later suspected this was not the case and engaged another security consultant, Mandiant, to confirm.  The breach had not, allegedly, been contained and now Affinity is looking to obtain damages from Trustwave.

This is not the place to suggest what did or didn’t happen; that will be discussed, at considerable length I suspect, in the American courts.  Rather, a better topic for discussion is that of contractor liability.  This lawsuit is a bit of a first for the cyber security industry, although the concept of suing contractors for damages is by no means new.  Countless companies and individuals have been sued for breaches of contract or for tort damages.  I suspect it was only a matter of time before our industry saw similar action.  But this should be taken as a wake up call.

In English Law, a consultancy firm is seen as providing a service to the customer. The 1982 Supply of Goods and Services Act, Section 13  states that ‘In a contract for the supply of a service where the supplier is acting in the course of a business, there is an implied term that the supplier will carry out the service with reasonable care and skill’.  The key term here is reasonable; what would a reasonable person judge to be a service that was carried out in a competent fashion? Note, the law does not require that a contractor provides the perfect service; there is a realisation that contractors are human and to expect perfection is unreasonable.

So how then can a cyber security contractor ‘prove’ its competence and ability to deliver a reasonable service?  Whilst the emphasis remains on the accuser to prove incompetence, it doesn’t hurt to ensure that a good, pro-active defence is in place.  First of all, the competence of employees must be evaluated and baselined.  There are a plethora of cyber security qualifications available, drawing comparisons between qualification awarded by different bodies can be difficult, but it remains perfectly possible to ensure that consultants are qualified for the tasks they are expected to perform, and perhaps most importantly of all, maintain those qualifications.  Secondly, cyber security is a very broad field and being an expert in every area is almost impossible, therefore assigning consultants to tasks which suit their skills sets is hugely important.  The supervision of less well qualified personnel must also be taken into account; junior staff members must be able to develop their skills, but for the customer’s sake, they must be supervised properly in the process. It’s worth companies remembering that they are responsible for the actions of their employees whilst delivering a contract, via vicarious liability.  Their mistakes will come back to haunt the employer unless sufficient care is taken.  We must also ensure that we appropriately manage the expectations of our customers.  No venture is ever risk free and there is no one piece of technology which will solve every problem; our goals should be clearly stated that we intend to reduce the risk to an acceptable level, not eradicate it completely.  If we promise too much then it’s no surprise that customers expect too much.  Finally, whilst the above is correct for English Law, other jurisdictions have different rules; companies that work globally would be wise to ensure they understand the local environment properly before signing a contract.

The cyber security profession is evolving and it is only to be expected that practitioners will face greater scrutiny.  Rather than adopt the position that companies like Affinity are looking for a scapegoat for their own failures, we must ensure that we are able to consistently deliver a good enough service.  This may be the first such action, but I doubt it will be the last.

Advertisements

Cyber Everything & PCI DSS – The Forgotten Standard?

Senior Security Consultant for Advent IM and PCI-DSS expert,  Mark Jones gives us his thoughts on the current awareness of this important payment industry standard.

In the current information security climate where everything has ‘cyber’ prefixing the topic e.g. cybersecurity, cyber risk, cyber threats and the list goes on, is it possible organisations have forgotten about existing and very important ‘cyber-related’ standards such as the Payment Card Industry’s Data Security Standard (PCI DSS)?

MC900441317

As more and more business is done online in our ‘new’ cyber world – 2015 Online Retail Sales £52 Billion up 16.7% from £45 Billion in 2014 – payment cardholder (CHD) account data security is more important than ever. This includes the need for assured authentication, confidentiality and integrity of payment cardholder information as traditionally granted by the Secure Sockets Layer (SSL) protocol over HTTPS padlocked browser sessions in the past 20 years. In 2014, the US National Institute of Standards and Technology (NIST) determined that SSL and indeed early versions of SSL’s successor, the Transport Layer Security (TLS v1.0) protocol (also referred to as SSL), were found to have serious vulnerabilities with recent high-profile breaches POODLE, Heartbleed and Freak due to weaknesses found within these protocols.

iStock_000015534900XSmallSo, if you are an entity that that stores, transmits or processes Cardholder Data (CHD), specifically the 16 (can be up to 19) digit Primary Account Number (PAN), then you should seek to comply with the latest version v3.1 of the PCI DSS. This version was released in April 2015 by the PCI Security Standards Council (SSC) that removed SSL as an example of strong cryptography and that can no longer be used as a security control after 30 June 2016. However, the migration from SSL and early TLS to TLS v1.1 and 1.2 has caused issues for some organisations hence the SSC update in December 2015[1] that the deadline had been extended for 2 years, with a new end date of 30 June 2018 for existing compliant merchants. However, SSC is at pains to emphasise that this delay is not an extension to hold off migrating to a more secure encryption protocol (as defined by NIST) and entities that can update should do so as soon as possible.

If the entity is an Acquirer (typically the merchant’s bank), Payment Processor, Gateway or Service Provider, then they MUST provide TLS v1.1 or greater as a service offering by June 2016. Additionally, if it is a new PCI DSS implementation (i.e. when there is no existing dependency on the use of vulnerable protocols) then they must be enabled with TLS v1.1 or greater – TLS v1.2 is recommended.

As you can see, PCI DSS can play a significant part in any cyber security programme providing the entity in question is compliant with the latest version 3.1. If you have yet to start, or are part way through a PCI DSS implementation project, what can and should you do NOW? We recommend the following 3 actions:

  • Migrate to a minimum of TLS v1.1, preferably v1.2;
  • Patch TLS software against implementation vulnerabilities; and
  • Configure TLS securely.

If you need any further help and guidance with PCI DSS, please contact Advent IM…

[1] http://blog.pcisecuritystandards.org/pci-changes-date-for-migrating-from-ssl-and-early-tls

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM Staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how  the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net

Vlado at FreeDigitalPhotos.net

 

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsular coupled with additional attacks from the orient- this will bring a chill to the spines of organisations.  These attacks are likely to be followed by sweeping phishing scams from the African continent.  There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation that the threat from insiders is on the rise. In summary it’s going to be a mixed bag of events for a number of wide ranging organisations. However on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same.  Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people.  I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees.  I also predict a significant challenge for many organisation which hold personal data.  The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens.  With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioners Office (ICO).  Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited.  This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media, and Marcomms Manager – I predict the growth of ransomware  in business.  Ransomware, is mainly (though not exclusively) spread by phishing and given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites and so businesses that do not have, or enforce a policy or exercise restrictions in this area, will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

 

 

Mike Gillespie_headshot

 

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breach in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

Email Insecurity

At Symbol

This time of year, there is an upsurge in phishing and other malicious emails for us to contend with. From phony delivery notices to hoax PayPal problem emails, our inboxes are awash with attempts to invade, defraud and otherwise cause us chaos or loss. So the news that people are not taking the threat from email seriously after all the years of phish and spam, is worrying to say the least. Advent IM Security Consultant, Dale Penn, takes a look at the facts.

For far too many people, email security isn’t an issue until it suddenly is. Often, people won’t take threats against email seriously, believing that data breaches only happen to large companies as these are the only breaches that are reported in the news.

Alternatively, companies tend assume that email security is just something that’s already being taken care of as they have purchased the most up to date  technical defences such as anti-virus firewalls, Data loss prevention software etc etc, and it’s true that these can help in a layered approach however one large piece missing from the puzzle is education and awareness.

SC magazine reports that 70% of Brits don’t think that email is a potential cyber threat. And almost half admit opening non work related or personal emails at work.

Corporate Email Vulnerabilities

Bring Your Own Device (BYOD)

This refers to the practice of employees to bringing personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to using those devices to access privileged company information and applications.  This corporate ‘bring your own device’ trend is on the rise, according to a new study.

Ovum’s 2013 Multi-Market BYOD Employee Survey found that nearly 70% of employees who own a smartphone or tablet choose to use it to access corporate data.

The study surveyed 4,371 consumers from 19 different countries who were employed full-time in an organisation with over 50 employees.

Computer bugs red greyThe study has discovered that 68.8% of smartphone-owning employees bring their own smartphone to work, and 15.4% of these do so without the IT department’s knowledge. Furthermore, 20.9% do so in-spite of a BYOD policy.

These statistics are quite alarming as uncontrolled devices accessing corporate information represent a significant vulnerability.

Uploading to Personal Email account or Cloud Account

It doesn’t matter how strong your security standards are, or how much money you’ve dumped into the fanciest, most secure cloud storage systems, often employees won’t use them preferring to bypass red tape and send the information to uncontrolled home accounts therefore bypassing any company security.

Risk - Profit and LossWe’d all like to think that those that hold upper management positions in our businesses have higher standards, especially when it comes to security, but the statistics don’t lie. In a Stroz Friedberg survey, almost three-quarters of office workers admitted to uploading their business files to personal accounts and senior managers were even worse, with 87% of them failing to use their company’s servers to store sensitive company documents.

Conclusion

The fact of the matter is that the general security culture of the UK is not as it should be. The public in general (and many organisations) are unaware of, or not interested in applying, the most basic security principles to protect their personal information

Recognising this culture is the first step in treating it. Individuals still treat cyber-attacks with a degree of separation and the view that “it will never happen to them”.  Few people realise that a cyber-attack could potentially be as invasive and disruptive as a physical home invasion. Few people leave their house without taking appropriate security steps. We need to introduce awareness to the masses and embed the culture that has them locking there cyber door as well as the ones at home.

Top email Security tips

  1. Share your e-mail address with only trusted sources.
  2. Be careful when opening attachments and downloading files from friends and family or accepting unknown e-mails.
  3. Be smart when using Instant Messaging (IM) programs. Never accept stranger into your IM groups and never transmit personal information
  4. Watch out for phishing scams. Never click on active links unless you know the source of the email is legitimate.
  5. Do not reply to spam e-mail.
  6. Create a complex e-mail address as they are harder for hackers to auto generate.
  7. Create smart and strong passwords using more than 6 characters, upper and lower case, numbers and special characters i.e. £Ma1l5af3

Banking on Good Cyber Security

Julia McCarron reflects on the news that regulators are almost at the point of requiring major financial services companies to participate in a cyber security testing programme, according to the Bank of England.

It was nice to see the Bank of England talking about cyber security recently, and the importance it sees in testing awareness and resilience amongst the financial sector.

iStock_000015672441MediumIn May 2015, the CBEST scheme for firms and FMIs considered core to the UK financial system, was launched to test the extent to which they are vulnerable to cyber attacks and to improve understanding of how these attacks could undermine UK financial stability.

The scheme is currently voluntary and testing services are delivered by an approved list of providers regulated by CREST, a not for profit organisation that represents the technical information security industry.

The voluntary aspect of this is arguably what could make, what appears on the face of it to be a worthwhile initiative, ultimately unsuccessful. That said vulnerability scanning, assessments and penetration testing should frankly already be part of a financial institutions make up. So, if it’s not, the Bank of England is right be “expressing concern”.

The most interesting element of the Bank of England’s discussions though was that when talking cyber security they acknowledged that it’s not all about technical controls. I quote in respect of them keeping their own house in security order,

“Technical controls put in place had strengthened the Bank’s ability to prevent, detect and respond to attacks. But no technical fix could guarantee security 100%, so at the same time significant effort had been made to improve security awareness among all staff, and incident handling procedures had been strengthened“.

iStock_000013028339MediumThis is something we have evangelised about for years. Technical controls are not the answer. They are only part of the answer. We all know that the majority of security beaches are caused by staff, mostly unintentionally, due to lack of security awareness and training. It’s all very well having a state of the art lock on the front door but if no one knows how to use it what is the point in it being there? You might as well invite the burglar in for a cup of tea and a slice of cake.

The Bank also jumped on the Advent band wagon by mentioning that regulators have been discussing the importance of cyber security being a board room issue for companies particularly in relation to governance. Again, check our archives. We’ve worn down the drum from beating that point so hard and for so long. A security culture will only be successful if it’s supported from the top down. Otherwise it’s a constant uphill walk on the down escalator.

phishOne initiative the Bank took to improve security awareness is one which is growing in popularity, especially amongst large organisations and data centres – ‘Phishing Attack Testing’. This is where a fake phishing email is sent to staff and monitored a) as to how many times its opened, b) as to how many times its reported c) as to how many times the link is clicked and by whom. This helps to raise awareness of the issues of suspicious emails and target staff training. The Bank claims it is personally seeing a decline in staff “taking the bait” and an increase in security incident reporting. A report by Verizon in 2014 stated that as many as 18% of users will visit a link in a phishing email which could compromise their data. This against a backdrop of phishing being not only on the rise but getting more sophisticated in its presentation. So more should follow in the Bank of England’s footsteps when it comes to raising awareness against this type of attack.

iStock_000015534900XSmallSo there are a number of positives we can take away from the Bank of England’s discussions on cyber security:

  1. Technical vulnerability testing is encouraged;
  2. It’s not all about the technical controls; don’t forget to train you staff;
  3. A security culture must start in the boardroom;
  4. Make staff aware of the perils of phishing emails through fake attack testing.

Nuclear Power Plant Worker caught looking at bomb-making websites….

A nuclear power plant worker in Scotland has been escorted from  EDF’s West Kilbride premises and the police called, after allegedly viewing bomb-making websites whilst at work.  The full story is here.

Some comment from Advent IM DIrector, Julia McCarron.

Panic meterTrying to find out how to build a bomb whilst working on-site at a nuclear power plant probably wasn’t the smartest thing for the worker at Hunterston B, West Kilbride to do. And his alleged stupidity is luckily what got him caught. But the situation poses a number of positives, negatives and discussion points.

The positives. There would appear to be a decent security culture within the plant as demonstrated by the fact that a fellow worker spotted nefarious activity and reported it. There would also appear to be stringent security checks following government guidelines carried out by EDF in the employment process.

The negatives. Whilst the individual concerned may or may not have been a British National (this is not clear) the fact that he had only recently moved to England should have been flagged during the vetting process and highlighted a risk. Arguably this would have indicated that he was not suitable for employment and certainly not deployment near the nuclear core.

The Discussions. It could be that EDF did (almost) everything right and nothing flagged indicating the individual was a risk (the recent move to England not withstanding). It’s perfectly possible that no background on the individual would have led them to believe there was an issue with employing him. There could be hundreds of cases like this for many of our CNI organisations – he wasn’t flagged because there was nothing in his past to flag … you can’t cater for this in the vetting process. But what you can do is maybe provide ‘probation’ periods that don’t allow these individuals access to critical or sensitive areas until they have proven themselves reliable and capable. This still isn’t foolproof but could act as a deterrent for individuals wanting to gain access to CNI quickly in order to carry out an act of terrorism. I’m not saying that was the case here, but it could be a prudent move as a general policy.

At Symbol

Also, was the laptop his own or EDF provided. Two issues spring to mind here. If it was EDF supplied the individual would surely have been in breach of an acceptable use policy. So even if this was ‘innocent’, was the individual aware of the policy and had he agreed in writing that he understood it and would comply with it? If it was his own, EDF should review/develop a BYOD policy. I would not expect employees at a CNI site to be able to use their own devices and be able to connect to the internet. Again, was there a policy and was the individual in breach of it? If BYODs aren’t allowed how did he get his laptop in? Is there a role CNC could play in policing the policy (no pun intended)?

In the end danger, if there was any, was averted.  But something in the process wasn’t right and EDF need to review the incident to discover the root cause and make improvements to the employment process.