Category Archives: eu security

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

JAN 2015

In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

FEB 2015

In February, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched a White Paper on CCTV in schools and we discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection.

 

MAR 2015

In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!). Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014, suddenly shot back up the blog statistics as people explored some of our older posts.

 

APR 2015

In April, law firms were in the sights of the ICO and we blogged about it, and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website.

mAY 2015

In May, Ransomware was on everyone’s radar, including ours. A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and common sense reveals the huge commercial benefits.

JUN 2015

In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no-nonsense post explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil on Attack Trees. A post that was also very well read came from Julia McCarron, who discussed the risk in continuing to run Windows XP.

JUL 2015

In July, Social Engineering was a key topic and one of our blog posts was very well visited: The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote, with clarity, about hacking Planes, Trains and Automobiles, as well as the coverage this kind of hacking was receiving.

AUG 2015

In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and about other security specialists being targeted. Also in August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives, and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015

In September, TOR was in the press, sometimes as a hero but usually as a villain…well, perhaps not a villain, but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015

In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read, but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach. Marks and Spencer were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015

In November, The Bank of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defence material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbour and EU DP Regulations were also extensively read in November.

DEC 2015

And finally, December…Well, the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always, been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally, TalkTalk popped up in the news and in conversation again, as it emerged that Police had advised the firm not to discuss their breach.


SAFE HARBOUR RETURNS…

From Dale Penn, Advent IM Security Consultant

Safe Harbour was the framework under which US companies could comply with the EU Data Protection Directive 95/46/EC when personal data was transferred “across the pond”.

Intended for organisations within the European Union or United States which store customer data, the Safe Harbour Principles were designed to prevent accidental disclosure or loss of personal information. US companies could self-certify to the scheme as long as they adhered to the seven principles and the 15 frequently asked questions and answers (FAQs) that make up the framework, which was issued by the US Department of Commerce and approved by the European Commission in 2000.

The seven principles are:

Notice – Individuals must be informed that their data is being collected and about how it will be used.

Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.

Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.

Security – Reasonable efforts must be made to prevent loss of collected information.

Data Integrity – Data must be relevant and reliable for the purpose it was collected for.

Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.

Enforcement – There must be effective means of enforcing these rules.

Businesses have been using Safe Harbour for the past 15 years to avoid the cumbersome checks otherwise needed to transfer personal data between offices on either side of the Atlantic.

However, earlier this month the Court of Justice of the European Union (CJEU) struck down Safe Harbour (in the Schrems case), largely because of the ability of the US intelligence services to access transferred personal data. The Court took the view that this access went beyond what it considered strictly necessary and proportionate for the protection of national security. Coupled with this was the lack of any right for non-US persons to seek legal remedies in the US for misuse of their data.

Do not despair! On the 29th October 2015 Reuters reported the following comments from the U.S. Secretary of Commerce, Penny Pritzker:

“The so-called “Safe Harbour 2.0” agreement currently being negotiated will meet European concerns about the transfer of data to the United States, a solution is within hand”

“We had an agreement prior to the court case. I think with modest refinements that are being negotiated we could have an agreement shortly”.

So there you have it: Safe Harbour will be modified and reborn as Safe Harbour 2.0. And as the EU data protection authorities (the Article 29 Working Party) have given negotiators until the end of January 2016, roughly three months, to find an appropriate solution, it should be here by early next year.

Infosec 2014 and Counter Terror Expo – come and see us

 

Mike will be chairing a workshop at 10am at Counter Terror Expo on 29th April. Mike will also be on the Security Institute stand (B31) afterwards. At InfoSec 2014 members of the team will be available on the Malvern Cyber Security Cluster stand (C85) and on the IISP stand (D50), so come along and meet us. Alternatively you can tweet us @Advent_IM at the events.


Guest post from Darlingtons Solicitors: Holistic and practical approach to business risks is best

We would like to thank Darlingtons for this guest post on a business imperative. It’s always reassuring to have a legal perspective on Security.

“As a law firm offering specialist advice in areas including employment law and fraud, at Darlingtons Solicitors, we see on a day to day basis the impact of legal and security threats which turn into issues causing at best, significant damage, in financial and other terms to a business, and at worst, which can literally put a business out of business.

In our experience, all clients, big or small, do have a sense of threats to their businesses, internal and external, but many tend to somehow try and put these to the back of their mind, and this ties in with the general problem both legal and security professionals face – we are not selling something which clients see as a clear benefit to their business.

Benefit has a traditional sense of a positive outcome, generally financial, and in that sense, preventing damage does not fit with the traditional sense of the word. However, when thinking of bottom line figures, preventing or mitigating losses does have a real impact on any business.

Failing to advise is failing a client

Accepting as a starting point that pushing an argument, however correct, too hard on the lines of “failing to plan is planning to fail” will be unlikely to result in a client handing over a blank cheque to either lawyers or security consultants, what perhaps differentiates the better companies is an ability to understand proportionate threats, limited budgets and to provide advice to clients tailored for that client and based on experience.

Take data protection as an example. Most businesses know that there are laws about data protection, most also understand that their business data, client lists, product information, suppliers and other data are a critical part of their business, but a smaller business with a limited budget may not know which are the biggest threats and what options there are which they may be able to afford to limit the potential damage that could be caused by doing nothing.

It makes sense for professionals to work together when advising clients on risk prevention, something which lawyers should frankly embrace more than most have in the past.

For example, it is all very well advising a client that they need a data protection policy, a social media policy, a contract of employment with strong restrictive covenants and so on, but ultimately, these are pieces of paper. A determined, desperate or foolhardy employee intent on stealing business or vindictive damage on an employer may not even care whether they get sued later and are quite possibly not worth suing.

However, if lawyers work closely with security professionals, the legal paperwork can more easily dovetail with practical safeguards which may prevent loss, such as IT security controls.

In turn, security professionals need to take on board legal issues, such as, for example, where a business decides to monitor its employees’ online activities. In that situation, serious legal consequences would result if the business does not advise the employees it is monitoring them, which can be criminal as well as civil.

Solution?

In our experience and view, the best approach to legal and security threats, particularly for small businesses, is to consider seriously an annual security and legal audit. Progressive law firms and security companies are now offering these at low cost or in some cases even free. A composite report, identifying threats based on risk level and potential ramifications, both legal and practical, and presenting the commercial and legal argument for taking action based on priority and cost, is a reasoned, proportionate method and good business sense.

For further advice or assistance on legal risks, legal problems you currently have or to discuss a legal audit, we would be happy to assist, please get in touch.” –  Darlingtons Solicitors.

And if you need support, consultation or mentoring with Data Protection or Information Security including ISO27001, contact Advent IM bestpractice@advent-im.co.uk www.advent-im.co.uk

Watching you, watching me – CCTV in school toilets and why we need to consider more than numbers

Every once in a while, some stats will appear that capture everyone’s imagination and prove to be a sub editor’s dream for headlines. The Big Brother Watch FOI report release this week has brought with it a wealth of headline opportunities, many of them toilet related and all quite breathless in their indignation. But the placing of cameras in private places is just the beginning of the story.

Whilst as security professionals we can totally understand the general public’s shock at the level of CCTV use in secondary schools and academies, we were as disquieted as everyone else about the use of CCTV in areas such as toilets, showers and changing areas. Not everyone realises the complexity of securing a school, college or university. There may be several buildings with varying traffic and visitors. Effective security looks at all threats and risks and treats them appropriately. So it’s not very surprising that the hue and cry has erupted over the acceptability of placing CCTV cameras in such intrusive areas. When performing one-day School Security Health Checks we suggest that a Privacy Impact Assessment be carried out before any camera goes in, for what will now be obvious reasons.

For us though it shows the beginning of the problem and isn’t an isolated issue. We deal with schools, colleges and universities frequently. One of the main things they like help with is CCTV and the Data Protection Act. A head teacher is a head teacher not a security expert but the responsibilities that come with managing the images that come from CCTV are quite expansive and are not limited to where the cameras are placed.

We find, for instance, that external cameras may inadvertently be recording images that they should not be. If a camera’s field of view takes in part of a neighbouring garden or a view into someone’s home, the use of that camera contravenes the Data Protection Act and the operator could be fined. It is irrelevant that this was not the operator’s intention; it simply can’t be done, so cameras must be sited, angled or masked so that they capture only the area the school is entitled to monitor.

Also, there may be issues around storing and deleting the images. Schools need to be fully conversant with how to secure the images they have captured. Security isn’t just about the camera: the images have to be handled carefully, as happens with pupil and staff personal data, and protected from either malicious or accidental breach. Deleting images when they should no longer be stored is also covered by the Data Protection Act, and once again an operator could find themselves in hot water if images are not being securely deleted after the allotted retention period has expired.

Who views the images created by CCTV systems? Again this falls into the policy and procedure area when we perform health checks. Only appropriate and necessary staff should have access to CCTV images, as would apply with any sensitive data about pupils or staff. The message that most comes out of the Big Brother Watch report is this: if we are to use the wonderful security opportunity that CCTV affords us, we must do it securely and appropriately. You can access the full report as a PDF here.

We plan to publish a White Paper on this topic and if you follow this blog you will receive a notification of when it has been released and where you can obtain a copy. Alternatively you can email us and ask for one. bestpractice@advent-im.co.uk or keep an eye on the website www.advent-im.co.uk

We have visualised some of the key elements we thought you may find interesting. These relate to both the number and ratio of CCTV cameras as well as those found in private areas in school. Whilst we don’t mind you using them if you wish, can you just drop us a note to let us know and make sure you credit both ourselves and Big Brother Watch.

Cookies and Implied Consent

Much has been made recently of the ‘watering down’ of the UK implementation of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which were amended on 26th May 2011 through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR 2011 for short).

Much has already been written about the lack of compliance of websites, and those offering subscriptions to online services ahead of the 26th May 2012 deadline for enforcement, which has just passed.

The short explanation for the confusion is that the ICO has changed its position on ‘Consent’ between its earlier guidance and its most recent statements of the last few days. The reasons for this are irrelevant if you are the one subject to the ongoing enforcement enquiries of the ICO, which seek evidence as to what action you have ‘already’ taken towards becoming compliant with PECR 2011.

So what do you need to know?

  • Audit what types of cookies you have got, and why and where they are used within your website;
  • Analyse the intrusiveness of your cookies; and
  • Depending on the intrusiveness of your cookies, put in place appropriate notices and consent messages.

How does the change in the ICO’s position affect you today?

The updated guidance provides additional information around the publicised issue of ‘Implied Consent’, and the ICO says:

  • ‘Implied consent’ is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on ‘implied consent’ you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that ‘explicit’ consent is more appropriate.

The ICO themselves have a prominent text box at the top of every page which says “The ICO would like to place cookies on your computer to help us make this website better. To find out more about the cookies, see our privacy notice” (a hypertext link to their full policy description), with a box for the user to tick if they agree with the statement “I accept cookies from this site” and a button to ‘Continue’ either way. The ICO don’t mind anyone copying their solution but point out they will monitor and possibly amend their solution in the future.

This approach by the ICO clearly meets the two requirements of Regulation 6 of PECR: you must provide clear and comprehensive information about any cookies you are using, and you must obtain consent to store a cookie on a user’s or subscriber’s device.

When you are doing your cookie audit you need to collect the following data:

  • Identify which cookies are operating on or through your website;
  • Confirm the purpose(s) of each of these cookies;
  • Confirm whether you link cookies to other information held about users – such as usernames;
  • Identify what data each cookie holds;
  • Confirm the type of cookie – a ‘session’ or ‘persistent’ type;
  • If it is a ‘persistent’ cookie how long is its lifespan;
  • Is it a first or third party cookie? – If it is a third party cookie who is setting it; and
  • Double check that your privacy policy provides accurate and clear information about each cookie.
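The technical half of that audit (type, lifespan, first or third party, and the Secure/HttpOnly flags) can be read straight off the Set-Cookie headers a browser’s developer tools or a crawler records while loading a page; the purpose of each cookie and whether it is linked to other user data cannot, and must be confirmed with whoever built the site. The script below is an added example, not ICO guidance or Advent IM tooling: the site, hosts, cookie names and headers are constructed for illustration, and the short list of UK two-label suffixes stands in for the Public Suffix List that a real audit should use to decide what counts as the same site.

```python
"""Cookie audit helper: turns the raw Set-Cookie headers observed while loading
a page into one record per cookie, covering the technical items in the audit
list.  Added example; hosts, cookie names and headers are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample: the page under audit and the (response URL, Set-Cookie
# header) pairs recorded while loading it.
SITE_URL = "https://www.example.co.uk/"
OBSERVED = [
    ("https://www.example.co.uk/",
     "JSESSIONID=a1b2c3; Path=/; Secure; HttpOnly"),
    ("https://www.example.co.uk/",
     "prefs=lang%3Den; Max-Age=31536000; Path=/"),
    ("https://stats.example-analytics.com/collect",
     "_uid=99ee4f; Expires=Mon, 26 May 2014 10:00:00 GMT; "
     "Domain=.example-analytics.com; Path=/"),
    ("https://www.example.co.uk/",
     "_ga=GA1.2.1; Max-Age=63072000; Expires=Thu, 01 Jan 2015 00:00:00 GMT"),
]
AUDIT_DATE = datetime(2012, 5, 26, tzinfo=timezone.utc)  # enforcement date

# Assumption: a few UK two-label suffixes stand in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def registrable_domain(host):
    """'www.example.co.uk' -> 'example.co.uk'; 'stats.foo.com' -> 'foo.com'."""
    labels = host.lower().strip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify_cookie(site_url, response_url, header, now=AUDIT_DATE):
    """One audit record: session/persistent, lifespan, first/third party, flags."""
    name, value, attrs = parse_set_cookie(header)
    if "max-age" in attrs:            # RFC 6265: Max-Age takes precedence
        lifespan = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifespan = parsedate_to_datetime(attrs["expires"]) - now
    else:
        lifespan = None               # no expiry attribute => session cookie
    setter = urlsplit(response_url).hostname
    site = urlsplit(site_url).hostname
    third = registrable_domain(setter) != registrable_domain(site)
    return {
        "name": name,
        "value_sample": value[:8],    # enough to recognise it, not to replay it
        "type": "session" if lifespan is None else "persistent",
        "lifespan_days": (None if lifespan is None
                          else round(lifespan.total_seconds() / 86400)),
        "party": "third" if third else "first",
        "set_by": setter,
        "domain": attrs.get("domain", setter),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        # Purpose and links to other user data cannot be read off the header;
        # they come from the developers and the privacy policy.
        "purpose": "TO CONFIRM",
    }


def audit(site_url=SITE_URL, observed=OBSERVED, now=AUDIT_DATE):
    """Records for every observed cookie, plus the names needing most attention."""
    records = [classify_cookie(site_url, url, hdr, now) for url, hdr in observed]
    # Persistent and third-party cookies are the ones the notice and consent
    # wording must cover explicitly; session cookies set by the site itself are
    # the most likely candidates for the 'strictly necessary' exemption.
    flagged = [r["name"] for r in records
               if r["type"] == "persistent" or r["party"] == "third"]
    return records, flagged


if __name__ == "__main__":
    for record in audit()[0]:
        print(record)
```

Run it against the headers captured from your own site and the output is the skeleton of the cookie table for your privacy notice; the ‘purpose’ column still has to be filled in by hand, and that is the column the ICO will ask about.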

The fuss in recent days relates to the new position of the ICO that ‘Implied Consent’ for cookies is a reasonable proposition in the context of the Data Protection Act 1998, in particular Principle 3 (‘Personal data must be adequate, relevant and not excessive’). What it is not is a euphemism for ‘doing nothing’: in many cases you will still need to follow the ICO guidance to be able to rely upon it successfully. Whether the consent is ‘implied’ or ‘specific or prior’ it must still be given by the user ‘freely’, therefore some action must be taken by the consenting individual from which their consent can be inferred.

The consenting individual must be ‘informed’ that cookies are being set or information is being accessed on their device, and merely visiting the website is insufficient, even when there is an explanation deep in the small online print of the Policy or Terms and Conditions statement. If a user is browsing from page to page on a website by clicking a button, the individual must have a reasonable understanding that by doing so they are agreeing to cookies being set.

Many commentators have said that implied consent puts the onus on the user. The ICO does not share this view and has made it clear that the “understanding is all on the website operator’s side and the user ‘giving’ consent is unaware that their actions are being interpreted in this way”. Where ‘implied consent’ is being relied upon, the provider must ensure that clear and relevant information explaining to users what is likely to happen while they are accessing the site is made readily available to them. The ICO says that it does not feel it is its place to determine exactly how the provider does this.

So if you want to know more about how to steer a safe path through this complex issue, come and talk to us.

www.advent-im.co.uk

Social Engineering – What exactly is it and who might be victims?

Social Engineering – If you don’t work in either the security or IT industry, you may wonder what the term means and whether it forms any real threat to your organisation. If you have heard the term, then assuming it is an IT issue in isolation would be a mistake.

Social engineering can be likened to hacking attacks against information systems, where a tool is used to probe those systems to exploit a vulnerability. In the case of social engineering, human attackers use guile, perhaps inside knowledge, or just plain bluff to try to penetrate the defences of an individual and obtain information they are not entitled to. In other words, they hack the information out of, or obtain access through, a person rather than a machine.

More often than not attacks to obtain information, including sensitive personal data, are targeted against organisations by using techniques to manipulate unsuspecting staff to willingly provide information, usually because they have been duped into passing information to an individual, even though they do not know them.

The ability of an attacker to develop a rapport with the target is important, which together with some inside knowledge, acquired from research or the use of an insider, will often pay dividends to establish that familiarity that puts front line staff off their guard.  Particularly vulnerable are those at the “coal-face” – customer facing staff such as receptionists, telephone exchange or help-desk support staff.

The approaches are often apparently innocent in nature and the attacker could pose as a new or former employee exchanging gossip or advice and may request help perhaps for lost passwords.  The attacks are insidious and over time may provide nuggets of information about the organisation or individuals within it.

Another example is where access into a particular site is sought, an attacker may try to gain access by reporting to reception that they have something within a box for delivery to a named individual that research has identified is within the site.  Reception may be busy, or the attacker may time his moment by observing reception from a distance to find the right opportunity to prosecute his attack.  When challenged the suggestion that “it’s OK, I know where he is and I need a signature anyway” will often create that familiarity that will grant the intruder access.

As described above, social engineering is often linked to insider attacks, since the majority of physical or electronic attacks can be assisted in some way by an insider.  The little tit-bit of inside knowledge is used to get past the initial security perimeter be it verbal or physical.

Human nature enables social engineering to develop and become increasingly sophisticated as well as technical.  It is essential for all organisations, but particularly those that have sensitive or valuable assets to ensure that front-line staff are provided with regular training to be aware of the threat and be conscious to attack techniques.

Further information on Social Engineering and Insider Threat can be found on our Slideshare account here: http://www.slideshare.net/Advent_IM_Security/social-engineering-insider-and-cyber-threat (you will need sound).