Category Archives: Defence

Got a Drone for Christmas? Don’t forget Registration and Regulation

Whilst trying to contain my disappointment at not getting Millennium Falcon drone in my stocking, I asked Advent IM Security Consultant, Del Brazil, what the implications are for those of us who do have drones, Star Wars based or not…

Civil Aviation Authority (CAA)

Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net

As Christmas has been and gone, many of us will now be the proud owner of a drone in some form or another.  The excitement and thrill of being in control of your own flying machine, coupled with maybe a camera of some description, is only matched by the recent hype around the new Star Wars movie.  Some people, including the author, may disagree; however, others may view the freedom of flying a drone as quite a fun hobby, and we all have our own vices.

The CAA defines a drone as an unmanned aircraft which, unlike the traditional remote controlled model aircraft that enthusiasts have flown for many years, has the potential to pose a greater risk to the general public and to other aircraft.   Unlike manned or model aircraft there are currently no established operating guidelines, so operators may not be aware of the potential dangers or indeed of the responsibility they have towards avoiding collisions.  Anyone flying a drone, either recreationally or commercially, has to take responsibility for doing so safely.

The CAA’s focus is purely safety. The criminal use of drones, including harassment, anti-social behaviour or damage to property, is a police matter. If people have concerns about a drone being flown in public they should call the police, a CAA spokesman says. “Local police can assess the situation in real time and, if there is any evidence of breaching the air navigation order, they will pass any information on to us.”

It has been reported that the CAA has prosecuted two Unmanned Aerial Vehicle (UAV) operators relating to safety breaches with another four investigations pending. The Association of Chief Police Officers was unable to say how many prosecutions the police have made over drones but there have been a few; although during the ongoing House of Lords select committee inquiry on remotely piloted aircraft systems, Chief Inspector Nick Aldworth of the Metropolitan Police said: “We do not have a criminal privacy law in this country, so it is not the concern of the police to try to develop or enforce it.”

Is there any other legislation that drone operators may fall foul of?  Well, according to Chief Inspector Aldworth, “The most obvious example to date is the Sexual Offences Act 2003 and the specific offence of voyeurism.”

The number and frequency of incidents being reported around the world is on the increase. These include a Euro 2016 qualifier in Belgrade being stopped after a drone trailing an Albanian flag was flown over the stadium, whilst in France a number of nuclear power stations were buzzed by drones in a series of mysterious incidents.

A number of associations affiliated with flying and/or airspace are calling for tighter controls. The British Airline Pilots Association (BALPA) is campaigning for drones to be programmed not to enter certain airspace, a technique known as geo-fencing. The Phantom series of drones, sold by manufacturer DJI, already includes geo-fencing: the drone’s GPS is programmed with the co-ordinates of thousands of airports around the world and it cannot enter these areas. If it tries to, it will be forced to land, and within a 2km radius of a major airport its height will be capped at just 10m.
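To show how a geo-fence of the kind described above actually behaves on a single GPS fix, here is a small added example (written for this post, not DJI’s firmware). The airport table, the 1km forced-landing radius and the Earth radius are assumptions; the 2km radius and 10m cap come from the article.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius used by the haversine formula

# Constructed sample of the kind of airport table a geo-fenced drone might carry.
# Coordinates and the "major" flag are illustrative, not real airport data.
AIRPORTS = [
    {"name": "Example Major Airport", "lat": 51.0, "lon": 0.0, "major": True},
    {"name": "Example Airfield", "lat": 52.5, "lon": -1.5, "major": False},
]

NO_FLY_RADIUS_M = 1_000.0     # assumed forced-landing radius (not stated in the article)
CAP_RADIUS_M = 2_000.0        # article: within 2 km of a major airport ...
CAP_ALTITUDE_M = 10.0         # ... height is capped at 10 m


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def geofence_decision(lat, lon, requested_altitude_m):
    """Apply the geo-fence policy to one position fix and return the enforced action."""
    nearest = min(AIRPORTS, key=lambda ap: haversine_m(lat, lon, ap["lat"], ap["lon"]))
    distance = haversine_m(lat, lon, nearest["lat"], nearest["lon"])
    if distance <= NO_FLY_RADIUS_M:
        # Inside the airport zone itself: the drone is forced down regardless of request.
        action, max_alt = "FORCE_LANDING", 0.0
    elif nearest["major"] and distance <= CAP_RADIUS_M:
        # Within 2 km of a major airport: altitude is clamped to the 10 m cap.
        action, max_alt = "HEIGHT_CAPPED", min(requested_altitude_m, CAP_ALTITUDE_M)
    else:
        action, max_alt = "UNRESTRICTED", requested_altitude_m
    return {"action": action, "max_altitude_m": max_alt,
            "nearest": nearest["name"], "distance_m": round(distance)}


if __name__ == "__main__":
    # Three fixes moving due north from the constructed airport: 0 m, ~1.8 km, ~3.3 km.
    for pos in [(51.0, 0.0), (51.016, 0.0), (51.03, 0.0)]:
        print(pos, geofence_decision(*pos, requested_altitude_m=30.0))
```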

Another step that BALPA is calling for is that, just as with a car or television, people purchasing a drone would have to give their personal information to the retailer and that this information should be logged, or that users be required to register their drones with the relevant authority.  This has a twofold effect: if a drone is apprehended the owner can be traced so that it is returned to its rightful owner, and the record may also assist in any investigation relating to illegal activity undertaken by the operator.

Another possible solution would be to build in strict height limitations, just like the Phantom 2, which is limited to a height of 400 feet; although this is likely to be easily circumvented with software.

Regulations have just come into force in the United States which require hobbyists to register drones as small unmanned aircraft systems on the Federal Aviation Administration website.  The online registration service is active, but it is unclear how large the uptake has been or how many registrations have actually taken place thus far.

In Ireland, as of 21st December 2015, it is now mandatory for all drone operators to register any drone that weighs more than 1kg in accordance with the Small Unmanned Aircraft (Drones) and Rockets Order S.I. 563 of 2015.  There is a clear ‘do’s and don’ts’ guide available on the Irish Aviation Authority (IAA) website.

At present there is no actual regulation in place within the UK that requires operators to register their drones; however, that is likely to change as more incidents occur that threaten not only life but also privacy.  There are plans afoot within the House of Lords EU Committee for a drone register to be created, which initially would capture business and professional operators and eventually ordinary consumers too.  There is an Official UK Drone Register, but this is specifically for drone operators/owners who voluntarily add their details to a public register to aid in returning drones if they go astray.

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles, and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsula, coupled with additional attacks from the Orient; this will bring a chill to the spines of organisations.  These attacks are likely to be followed by sweeping phishing scams from the African continent.  There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation dawns that the threat from insiders is on the rise. In summary, it’s going to be a mixed bag of events for a number of wide ranging organisations. However, on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same.  Attackers are getting cleverer at exploiting weaknesses, most notably those presented by people.  I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees.  I also predict a significant challenge for many organisations which hold personal data.  The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens.  With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioner’s Office (ICO).  Could this be the start of a wider regulatory drive to improve information security? Probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited.  This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media and Marcomms Manager – I predict the growth of ransomware in business.  Ransomware is mainly (though not exclusively) spread by phishing and, given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites, and so businesses that do not have, or enforce, a policy or exercise restrictions in this area will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breaches in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons, highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and, looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners, and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

Trident vulnerable to hacking?

By Julia McCarron with contribution from Chris Cope.

There have been a number of press stories in the last few days that could have us searching for our three-pronged spears to protect these shores because, if the news is to be believed, the missile version of Trident could be rendered useless or obsolete by a cyber-hack.

I don’t know about you, but I viewed these articles with some skepticism, as I can’t believe that the MOD and Government haven’t thought to test the technical vulnerabilities of such a critical system before now, especially one with such far-reaching consequences if it were breached.

As I understand it from those who have knowledge of MOD workings, all military systems, including Trident and its associated communications networks, are assured via the Defence Information Assurance Services (DIAS) Accreditors.  This assurance process takes into account the likely threats and resulting risks that apply to those systems, including hacking and other forms of cyber-attack.  There is a stringent policy of assessment and review for all major systems, and Trident will be one of the most assured systems due to its importance.  Clearly, though, details of this assurance are highly unlikely ever to be released into the public domain; information on risks and the countermeasures taken against them will be very closely guarded. And I would hope so too!

The MOD will employ a number of safeguards to protect its most important systems.  Many of these will be familiar to the wider information security field, and it’s no surprise that ISO27001 features heavily.  The greater the risks to the system, and the more critical it is, the more stringent the controls in place. Many high level MOD systems are effectively air-gapped and have no connection to the internet, even via a controlled gateway. That means they are effectively isolated from other communications networks, and even the authorised users are heavily constrained in what they can and cannot do; the use of mobile media, for example, is highly regulated.  Given Trident’s role as a potential counter-strike weapon, the communications to the deployed vessels receive very careful attention.  Not only will there be a good level of assurance against the normal range of attacks, but there will be significant redundancy in place, just in case one link fails.  Trident is carried by the Vanguard class submarine, which is designed to operate virtually undetected.  Commanders of these vessels have clear direction from the Prime Minister on what to do if there is evidence of a nuclear attack and all communication from the political leadership in the UK fails.

The comments made by a former Defence Secretary about potential vulnerabilities around the Trident system make interesting reading in light of recent concerns over cyber-attack, but the timing of these comments is telling. The House of Commons is due to vote on the future of the UK’s nuclear deterrent … there I go being skeptical again, but as my hero Leroy Jethro Gibbs often says, Rule #39: There’s no such thing as a coincidence…