Category Archives: expert security

Webinar – Outsource Magazine – March 16th

We want to wish Outsource Magazine good luck as they relaunch their webinar program, Time to Talk Talks.

This is the program in the words of the Editor, Jamie Liddell…

Each month (the third Wednesday of every month, to be specific) I’ll be sitting down with four or five luminaries from different corners of the community, to discuss what’s hot (and what’s not) for them in a series of short one-on-one interviews, before throwing the panel to the mercy of the audience for some general Q&A in the second half of the show.

We are also delighted that one of the luminaries on the launch webinar will be our very own Mike Gillespie. Don’t forget to email questions in ahead of the event and sign up via the link…

http://outsourcemag.com/time-to-talk-talks/


October 1st – Government Suppliers will be required to have Cyber Essentials

From 1 October 2014, Government will require all suppliers bidding for certain contracts which are assessed as higher risk to be Cyber Essentials certified. The suppliers and contracts affected are likely to be from the following sectors: IT managed or outsourced services, commercial services, financial services, legal services, HR services and business services. This will not be mandatory for suppliers through G-Cloud or the Digital Services Framework. Further guidance for suppliers will be issued later this year. (GOV.UK)

Regular readers of this blog will know that not only have we recently gained Cyber Essentials certification, we have also been mentoring clients through the process to enable a painless and swift certification. Whilst we don’t normally ‘sell’ via the blog, given the tight deadline and the apparent confusion around this Government requirement, we thought it would be a good idea to provide a link to our Cyber Essentials consulting in case readers need it. You may require a little, you may require a lot, or you may want to do most of it yourself and just want some reassurance from a consultant that your submission is right. If you have ISO27001 you will be well prepared; if you haven’t, you may well already have a lot of what you need but don’t yet realise it.

Don’t worry, just ask. http://www.advent-im.co.uk/cyber_essentials.aspx

DDoS attacks cause an average jump of 36% in customer complaints

According to research commissioned by BT through Vanson Bourne, on average customer complaints to businesses increase by 36% in the aftermath of a Distributed Denial of Service (DDoS) attack.

It seems like a staggering uplift, but when you consider that in the UK alone the same research revealed that almost 60% of businesses admitted DDoS attacks had brought down their systems for six hours or more…a whole working day, it becomes less staggering. Around half (49%) of UK organisations do not have a response plan in place, so in actual fact the damage from a DDoS attack could potentially continue for a considerable period after the event. Add to that the reputational damage and you can start to see why it is so vital for businesses to really get to grips with what they are dealing with.

So if a DDoS attack takes out a network or possibly a data centre for six hours, and this is apparently increasing and becoming more sophisticated, surely this should be much higher up the boardroom agenda than it is? I recently read that cyber security ranked third in importance in boardrooms (KPMG). This initially seemed a little ambitious, to be honest. Though when I examine the statement more carefully…third in importance in the boardroom means that, of the businesses that actually have cyber security represented in the boardroom (alongside other business functions such as HR or Finance), it is averaging in third place. However, we know that around half of organisations don’t ever discuss Information Security at the top level of their organisation (Ponemon Institute). So effectively what we are actually saying is that we have a handful of organisations discussing this as a business-critical function, but even they don’t have it as top priority, despite the fact it could effectively be a deal breaker in terms of customers and reputation…


Mike presenting at ST14 Autumn

ST14 program has been unveiled and Mike will be joining the great and the good in security, on the rostrum.

Mike will be presenting on Threat Convergence. Watch this space for more details or visit the official site so you can sign up for this free event.

http://www.professionalsecurity.co.uk/events-conferences/security-twenty-14-home/st14-autumn/

Mike Gillespie – Advent IM MD, Director for Cyber Strategy and Research for The Security Institute, and member of the CSCSS Global Select Committee on Cyber Intelligence

Ebay User Data Breach

Our MD, Mike Gillespie was speaking on BBC Radio 5 Live and BBC Radio Scotland about this disastrous data breach. There will be audio files soon for those who want to hear his comment and advice. Watch this space.

Phishing

One of the facts that has emerged so far is that this hack was in fact enabled by a spear phishing attack. For those of you who don’t know what this is, you are not alone. One in four UK employees does not know what phishing is, and this major breach is a good example of why we have to get on top of security awareness training.

Phishing is when an untargeted, unsolicited email, purporting to be from a valid source such as a bank, invites you to click on a link or open a file. This is normally accompanied by some vague ‘issue’ such as suspicious account activity or the suspension of your account. Many of us can spot them on sight now, as they are usually unsophisticated and badly spelled, though this is starting to change. The payload is normally malware or spyware and might do anything from stealing logins or keystrokes to harvesting financial details.

Spear phishing is targeted at specific individuals and is normally more carefully constructed, usually using some knowledge of them and with a specific purpose in mind. This may be access to a particular database, as it would appear in this case. The target may have been observed on social media or in person to establish some means of dialogue or to build trust. This will increase the likelihood of the email being opened and activated and therefore of the payload being delivered.
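The two paragraphs above describe the tell-tale features of a phishing email: a sender purporting to be a trusted organisation, a vague ‘issue’ used to create urgency, and a link that does not go where it appears to go. The script below is an added example, not something from the original post or from Advent IM, showing how a defender can turn those features into a simple indicator check run over an email. Both messages it inspects are constructed for the example; the bank domains, the lookalike domain and the list of trusted domains are assumptions, and the registered-domain helper is deliberately crude (last two labels only).

```python
"""Heuristic phishing-indicator check over constructed sample e-mails (added example)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phish: lookalike sender domain, urgency language,
# and a link whose visible text differs from its real destination.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.example>
To: customer@example.org
Subject: Suspicious account activity - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected suspicious activity. Your account will be suspended unless you verify now.</p>
<p><a href="http://login.examp1e-bank.example/verify">https://www.example-bank.example/login</a></p>
</body></html>
"""

# Constructed benign message from the genuine (assumed) bank domain.
SAMPLE_BENIGN = """\
From: "Example Bank" <alerts@example-bank.example>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your monthly statement is available online.</p>
<p><a href="https://www.example-bank.example/statements">https://www.example-bank.example/statements</a></p>
</body></html>
"""

# Assumption for the example: domains the organisation legitimately sends from / links to.
TRUSTED_DOMAINS = {"example-bank.example"}
# Words typical of the vague 'issue' used to pressure the recipient.
URGENCY_WORDS = ("suspended", "suspicious", "verify now", "immediately", "urgent")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registered domain: last two labels. Adequate for the samples, not for multi-part TLDs."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(url_or_text):
    """Registered domain of a URL, or of bare text that looks like a host name."""
    parsed = urlparse(url_or_text if "://" in url_or_text else "http://" + url_or_text)
    return registered_domain(parsed.hostname or "")


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []

    # 1. Sender purports to be the bank but the address domain is not one the bank uses.
    sender = msg["From"]
    sender_domain = registered_domain(sender.addresses[0].domain) if sender and sender.addresses else ""
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        indicators.append(f"sender domain {sender_domain} is not a trusted domain")

    # 2. Vague 'issue' / urgency language in the body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(word in text.lower() for word in URGENCY_WORDS):
        indicators.append("urgency/threat language in body")

    # 3. Links whose visible text names one domain while the href points to another,
    #    or which point outside the trusted domains.
    parser = LinkExtractor()
    parser.feed(text)
    for href, visible in parser.links:
        if not href:
            continue
        href_domain = domain_of(href)
        if "." in visible and domain_of(visible) != href_domain:
            indicators.append(f"link text shows {domain_of(visible)} but points to {href_domain}")
        if href_domain not in TRUSTED_DOMAINS:
            indicators.append(f"link to untrusted domain {href_domain}")
    return indicators


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, phishing_indicators(sample))
```

None of these checks is conclusive on its own (a genuine bank will occasionally write about suspicious activity), which is why the function reports indicators rather than a verdict; the point for awareness training is that the sender domain and the link destination, not the display name or the visible link text, are what to look at.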

You may also have heard of vishing, or voice phishing, which is probably best exemplified by the ‘Microsoft’ support call scam. This is when you receive a random call out of the blue from someone claiming to work in tech support for a company like Microsoft, who tells you they have identified malware or issues on your PC and need access to it to clear things up for you. They will get the target to open up their PC, normally by frightening them with stories of awful failures, and may go as far as getting them to open the PC’s event viewer, which will show a few red flags or failures (which is normal). This is then passed off as justification for the intervention – proof, if you like, of their timely help. This harmless activity is then used as the means of attack on an unsuspecting victim, whose system is made vulnerable as they open up their PC to get it ‘fixed’.

This last one, as well as being particularly cynical, is also a cause for concern for employees who work from home or are mobile. Training staff in what they should or shouldn’t do, regardless of their geography, has never been more important, as cyberspace has no geography.

This is an old visual we produced but it is particularly relevant given recent events, feel free to share it with your business.


UK at the forefront of the fight against cybercrime

The UK is uniquely placed to spearhead the global response to cybercrime, according to Andy Archibald, Head of the National Crime Agency’s (NCA) National Cyber Crime Unit (NCCU). But does the UK have its cyber-ducks in line? There are many areas to consider as we push forward to promote a global response to cyberthreat.

The UK is affiliated with all the right people to help move the global response forward such as Five Eyes Alliance, the EU, G8 cybercrime working groups, Europol and Interpol. The UK has also introduced initiatives such as Cyber Streetwise, designed to highlight and educate people in the risks to security and privacy online, both at home and at work. This is much needed as our culture has changed so much, with flexible working seeing more of the workforce mobile and using their own devices (BYOD). Consequently, the line between these two life areas has blurred. Additionally, there has been the introduction of the new cyber information sharing platform, part of the new Cert UK. But what do we really need to grasp in order for standards of cybercrime detection and prevention to be improved?

However, according to a recent BT report[1], UK plc is not as concerned as the rest of the world about some key cyber topics. The UK under-indexed in perceived threat from malicious and non-malicious insiders, organised crime, nation states and terrorism. Add to that the same research revealed that the UK lags behind Brazil, the US, Singapore, France, Hong Kong and Germany in the percentage of businesses that see cyber security as a major priority. Raising levels of concern and C-suite engagement must surely form a key part of the battle against cybercrime.

Under-reporting of cyber-dependent and cyber-enabled crime is a significant issue. In business the report rate is around 2%, and 1% from private individuals[3]. This is for a variety of reasons including: not realising it is a crime, thinking it has been dealt with internally, reputational damage (in business) and not knowing where to report such matters. Add to this the fact that cybercrime is not broken out in police statistics, as these crimes are recorded under the individual law that has been broken, such as fraud. So a phisher, for instance, may not have physically taken a credit card and fraudulently used it; it may all have been done electronically. However, they are more likely to be tried for fraud than under the Computer Misuse Act. This makes it very hard to measure and therefore benchmark, making improvement or deterioration hard to quantify.

Less than a quarter of UK employees do not know what phishing[2] is, yet this is one of the most common cybercrimes. In 2009 there were 51,000 “bank” phishing websites; this increased fivefold to 256,641 in 2012. Add to this the fact that we cannot accurately attribute all fraudulent activity and financial loss experienced due to phishing, as it is often hard to identify. However, given the growth in these specific bank-related phishing sites, we can be fairly certain that this too is spectacularly under-reported. Action Fraud suggests that one third of reported frauds during January to December 2012 were cyber-enabled. That is basically 48,000 frauds in one year. Yet these frauds will not have been reported or recorded as cybercrimes.

Taking all of this into consideration, then, estimating the cost of cybercrime is very hard. This is recognised by the Cabinet Office in the UK Cyber Security Strategy: “A truly robust estimate will probably never be established but it is clear the costs are high and that they are rising.” The informal consensus is that we are talking billions of pounds.

It will be challenging to gauge our response if we don’t know how cybercrime is evolving, based on an accurate assessment of reporting and UK plc cyber preparedness. Placing the UK at the forefront of the fight means the UK needs to significantly up its cyber-game.

Sources: [1] BT Cyber Readiness Survey 2014; [2] OnePoll survey for PhishMe; [3] Home Office, “Cyber Crime: A review of the Evidence”

2013 over the shoulder

Time for a bit of a look back…sort of

The rise and rise of BYOD, the discovery that eBay is not the appropriate place to divest yourself of NHS patient data, and the increase in malware – and not just any malware, mobile malware. These were a few of my (least) favourite things of 2013.

It may seem churlish to poke a stick at the rise of the enormously populist BYOD, but it’s actually connected to the concern around the rise of mobile malware. 2013 saw Blackberry drop off the business cliff and Android devices rise to start to fill the gap. According to the latest stats from Gartner, 4 out of every 5 devices in the last quarter were Android powered (driven by growth in China). This proliferation has a knock-on effect, because it means more employees will be BYODing with Android devices and more businesses are choosing them as their business-issued device. At the same time, we are reading that Android devices are the top target for malware and malicious apps. I recently heard BYOD described as ‘anarchic chaos’. Let’s see what epithet we can come up with after another year of Android malware…

Looking at eBay as the place to send your old drives full of (personal) data…hopefully everyone has learned some massive lessons from this incident in Surrey NHS and will be doing due diligence on whoever they procure/source to carry out the destruction of this kind of data in future. Remember, any organisation that has certified to a standard like ISO27001 will welcome an audit so they can prove to you how seriously they take IS processes. This can offer some kind of reassurance and form part of that due diligence.

‘Cyber’ has been a headline grabber all year for many different reasons. Some of the time it has related to the NSA and GCHQ revelations, so ‘cyber’ could also have meant privacy. Some of those headlines have related to cyber security and the Government commitment to getting UK plc fully on board with knowledge, understanding and protection. Of course, “hacker” is another word rarely out of the headlines, and previously on this blog I have taken issue with media use of both of these words, largely because it can be misleading. I won’t bang on about it again and you can read the previous blog post if you choose. However, I do think that this continued laziness will encourage people to think that security is an IT issue and therefore someone else’s problem, as opposed to a business issue that needs to be addressed at C-level.

Phishing and spear phishing continue to bleep away on every security professional’s radar. Whilst scatter-gun phishing may not be growing especially, it’s clear that targeted or spear phishing is increasing. This also relates to my previous point about ‘hacking’ and ‘cyber’, as frequently these can be pre-emptive strikes for a full-on attack or part of a broader social engineering attack to facilitate or enable a hack or cyber attack. If you want to read more or hear more about that, then you can read our posts here and see our presentation here.

The phishing issue is a serious business and employees need proper and regular training on what these attempts look like and how to deal with them. That is not just your standard phishing attempt from someone telling you your bank account is compromised (I had an amusing one recently from Honestly Barclays Security), but a sophisticated phish from someone who has obtained your email address and is trying to pass themselves off as someone else in order to gain access to information. This requires bespoke training from an employer. Software or a firewall may not protect you from them…

Lastly, how our physical world interacts with our cyberworld. 2013 saw Google Glass arrive and the invention of a whole new insult, Glassholes (not mine, don’t shoot the messenger). Some misgivings and some misunderstandings around Google Glass merely serve to remind us that, though we are raising a generation that thinks nothing of handing over their privacy in order to get a free app or free wi-fi, there are still enough people concerned about the march of technology ahead of security to make pursuing secure progress worthwhile.

We also saw the mainstream expansion of household items that are web enabled and several furores over TVs that apparently spy on their owners. Add to the list fridges and cars for next year and let’s see what else is either causing ‘spying’ headlines or is being hacked by cybercrims. In the business world, smart buildings with IP security and building management systems are becoming increasingly aware of the threat from cyberspace. You can watch our presentation on the topic here. You will need sound. Making sure we buy secure security systems sounds mad, but actually it isn’t happening enough. These systems sit on networks, needing firewalls and patching and anti-virus just like our other systems. We cannot assume that because a system is a security system it is inherently secure.

Remember, everyone in an organisation is part of that organisation’s security. An information asset might be an email or electronic document, but it might also be a fax, a cardboard file, a piece of paper or an overheard conversation about intellectual property. They all have to be protected, and a firewall isn’t going to cover it all.


No doubt we will have some predictions for 2014 soon….