Category Archives: guest blog

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

JAN 2015

In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

FEB 2015

In February, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched a whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection.

MAR 2015

In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!). Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014, suddenly shot back up the blog statistics as people explored some of our older posts.

APR 2015

In April, law firms were in the sights of the ICO and we blogged about it, and people looking for Senior Information Risk Owner training found their way to the blog. Of course, if you do want to book training you need to go via the website.

MAY 2015

In May, Ransomware was on everyone’s radar, including ours. A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and common sense reveals the huge commercial benefits.

JUN 2015

In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no-nonsense post explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking Attack Trees. A post that was also very well read came from Julia McCarron, who discussed the risk in continuing to run Windows XP.

JUL 2015

In July, Social Engineering was a key topic and one of our blog posts was very well visited: The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015

In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. Also in August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives, and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015

In September, TOR was in the press, sometimes as a hero but usually as a villain…well, perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015

In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read, but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach. Marks and Spencer were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015

In November, the Bank of England expressed some firm opinion on cyber security requirements in the financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defence material onto the notorious 4chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbour and EU DP Regulations were also extensively read in November.

DEC 2015

And finally, December…Well, the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always, been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and in conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015


Big Data …. Friend or Foe?

Delighted to have a post from Advent IM Operations Director, Julia McCarron.

Ellie has been asking me for a while now to do a blog piece on ‘big’ data, and I must confess to dragging my heels because I wasn’t really sure what it was. I guess if I had put my mind to it essentially it must have been the aggregation of information that made it ‘big’ and I’m not far off with that. But last night’s edition of Bang Goes the Theory made me think about what it means … and the fact that ‘big’ is probably too small a word to describe its reach.

If we want to be specific about it, big data is defined as a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications.[1] But it seems to me that this 2-D definition doesn’t do it justice. From what I can see, it’s about taking these large data sets and analysing them to find patterns – that’s what makes it ‘useful’. What you do with those patterns can be for good or bad and can range from diagnostic to research to marketing to preventative in nature, and affect people, places, processes, objects … you name it basically.

I know this kind of analysis goes on because I have a ‘loyalty’ card that regularly sends me money-off vouchers for the things I buy on a frequent basis. I know internet banner ads show me handbags for a reason, usually because I’ve just purchased another one online. I understand that it’s the accumulation of data about my buying habits that is profiled to appeal to me; but I hadn’t realised just how far this can go. On the programme in question a big data collection company said that as a result of the release of DfT data on bicycle accidents, someone had within days written an app for people which told them where to avoid riding their bicycle and therefore minimise the risk of having said accident. Who would have thought that was possible? Rolls-Royce engines contain computers that analyse their activity whilst in the air and report in real time on peaks and troughs outside the ‘norm’, which enable airlines to do maintenance work before a problem occurs.

But if you think about it, big data isn’t new. Einstein’s theory of relativity was confirmed because Eddington’s team photographed the 1919 eclipse and measured the star positions on the plates painstakingly by hand. Intelligence services cracked Hitler’s codes by looking for recurring patterns, first totally reliant on the human brain before that human brain created machines to make the analysis easier and quicker. I only get 100 free ‘bonus’ points with my next purchase of Warburtons crumpets because a computer looks at my buying habits and has identified that I buy them every week. (Other crumpets are available – actually no they aren’t). All that has changed is the scale, speed, selectiveness and sensitivity of the collection and review of that data.

The issue comes, though, when that big data is also personal data, and this is probably where most of us start to question whether it’s a good thing or a bad thing. The BGTT Team demonstrated how easy it is to profile individuals from their online data footprints. It’s not just about what you put on various social media; it could also be an innocent publication of contact details by your local golf club. I’m a security conscious person, for obvious reasons, but I’m sure if someone really wanted to they could find out more about me than I thought was possible, just by running a few scripts and analysing trends. I’m a genealogy enthusiast and within minutes I could potentially find out when you were born within a three-month window, the names of your siblings, your mother and father …. and those all-important security questions: your mother’s maiden name and the town of your birth. So should we attempt to simply lock everything down?
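The aggregation described above, as an added example that is not code from the original post or from Advent IM: three constructed data sets, each innocuous on its own (a golf club members page, a social media snippet, and a birth index laid out like the public index of births for England and Wales, which records surname, forenames, mother’s maiden name, registration district, year and quarter), are linked on name and town to recover exactly the security-question answers the paragraph lists. All records, names and e-mail addresses are made up for the demonstration.

```python
"""Linking individually harmless public records into a security-question profile.

Added example; the data sets are constructed, not real. The birth index layout
mirrors the public England and Wales index: a registration *quarter* is what
gives the "born within a three-month window" result.
"""
from collections import namedtuple

BirthEntry = namedtuple(
    "BirthEntry", "surname forenames mothers_maiden district year quarter"
)

# Constructed birth-index sample. Quarter 1 = Jan-Mar, 2 = Apr-Jun, 3 = Jul-Sep, 4 = Oct-Dec.
BIRTH_INDEX = [
    BirthEntry("Smith", "Alice Jane", "Hargreaves", "Walsall", 1978, 2),
    BirthEntry("Smith", "Thomas", "Hargreaves", "Walsall", 1981, 4),
    BirthEntry("Smith", "Alice", "Kowalski", "Leeds", 1978, 2),   # same name, other town: a decoy
    BirthEntry("Jones", "Alice Jane", "Bright", "Walsall", 1978, 2),
]

# Constructed "members" page of a local golf club: name, home town, e-mail.
GOLF_CLUB = [
    {"name": "Alice Smith", "town": "Walsall", "email": "alice.smith@example.org"},
    {"name": "Bob Patel", "town": "Sutton Coldfield", "email": "bob@example.org"},
]

# Constructed social-media profile text.
SOCIAL = [
    {"name": "Alice Smith", "text": "Born and bred in Walsall, still here 40-odd years later"},
]


def quarter_window(year, quarter):
    """Registration quarter -> (first month, last month) of the three-month window."""
    start = (quarter - 1) * 3 + 1
    return (f"{year}-{start:02d}", f"{year}-{start + 2:02d}")


def town_hints(full_name):
    """Towns associated with the name by the 'harmless' sources (club page, social text)."""
    towns = {r["town"] for r in GOLF_CLUB if r["name"] == full_name}
    districts = {e.district for e in BIRTH_INDEX}
    for post in SOCIAL:
        if post["name"] == full_name:
            towns |= {d for d in districts if d in post["text"]}
    return towns


def build_profile(full_name):
    """Join the sources on (first name, surname, town).

    Returns None unless exactly one birth-index entry matches, so that the
    decoy 'Alice Smith' in Leeds does not contaminate the result.
    """
    parts = full_name.split()
    first, surname = parts[0], parts[-1]
    towns = town_hints(full_name)
    candidates = [
        e for e in BIRTH_INDEX
        if e.surname == surname and e.forenames.split()[0] == first and e.district in towns
    ]
    if len(candidates) != 1:
        return None
    hit = candidates[0]
    # Siblings: same surname, same mother's maiden name, same district.
    siblings = [
        f"{e.forenames.split()[0]} {e.surname}"
        for e in BIRTH_INDEX
        if e is not hit
        and e.surname == hit.surname
        and e.mothers_maiden == hit.mothers_maiden
        and e.district == hit.district
    ]
    return {
        "born_between": quarter_window(hit.year, hit.quarter),
        "town_of_birth": hit.district,
        "mothers_maiden_name": hit.mothers_maiden,
        "siblings": siblings,
        "sources_used": ["golf club page", "social media", "birth index"],
    }


if __name__ == "__main__":
    print(build_profile("Alice Smith"))
```

The golf club page gives the town, the social post confirms it, and the birth index then gives the mother’s maiden name, the town of birth and a sibling. No single source contains a security-question answer; the join does. Note that a registration quarter is only approximately a birth window, since a birth may be registered some weeks after it occurs.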

At the same time as all this personal big data is being analysed, it’s also being put to good use. Researchers are creating medical devices that can analyse brain activity and detect when a second brain trauma is occurring … and they’ve done this by analysing patterns and trends from hundreds of thousands of scan outputs to create a simple, non-intrusive device that monitors pressures, electrical current and stimulus. If I opt out of having my NHS patient record shared, I could make it that bit harder to find a cure … or be cured.

Ultimately, we wouldn’t be where we are today without big data but there is no doubt that in a digital age big data will just keep growing exponentially. I don’t think we can avoid big data and I don’t think we should, but from a security perspective I think we all just need to think about what we post, what we agree to make available, what we join up to and what we are prepared to say about ourselves in public forums. If a field isn’t mandatory don’t fill it in, don’t agree for your location to be published and maybe tell a little white lie about your age (girls we are good at that!). We can never be 100% secure – it’s not possible. Even our fridge can go rogue on us now and order food we’ve run out of but don’t actually want to replenish. But having a security conscious mind can protect us, whilst still providing a big data contribution. 

[1] Wikipedia

some images courtesy of freedigitalphotos.net

European Security Blogger Awards – Voting Time! (Get yours in before Sunday 21st April)

We are delighted to have been nominated in the following categories:

  • Best Corporate Security Blog (as has our Security for UK Legals blog)
  • Most Entertaining Blog
  • Most Educational Blog
  • Best New Security Blog (For our School Security Blog)
  • And Grand Prix for Best Overall Security Blog

You can vote for your choice here. https://www.surveymonkey.com/s/EUSecurityBloggerAwards

Winners Announced during Infosec (At the Security bloggers Meet-Up http://securitybloggersmeetup.eventbrite.ie/ ) – watch this space for news

image courtesy of freedigitalphotos.net

Data Destruction – Passing the Buck – Guest blog from Malcolm Charnock – Icex

Data Protection

Understanding your responsibilities as a data owner includes having proper policy and processes in place for safe removal and destruction of information that should no longer be stored. It should form part of an organisation’s overall Information Security Policy, with specific reference to the Data Protection Act (1998).

Through the power of Social Media we were delighted to meet Malcolm Charnock from Icex and even more delighted that he agreed to do a guest blog on Data Destruction for us. 

Data Destruction – Passing The Buck by Malcolm Charnock


One of the things that keeps me enthused about my job is every client has different requirements when it comes to ensuring all data is eradicated. “Different requirements”? Well maybe the truth is every client has different levels of understanding (or apathy) of their obligation and options when it comes to securely eradicating data.

I have spoken to organisations who insist on 2mm granulation of hard drives; after all, this is the standard the MOD requires, so their business should insist on this too? Actually you have to take your hat off to an organisation that takes data destruction this seriously, until you find out this same organisation uses a courier to send the hard drives to a data destruction “specialist” of whom they have no real knowledge!

The fact is every organisation has the same responsibility and in most cases the process that is most suitable is the same. OK, the local shop losing data will clearly not have the same impact as the MOD but the thought process behind any Information Security Policy should be similar.

ICO Monetary Penalties, contrary to popular opinion, are not levied purely as a result of a breach occurring. Just as important are the organisation’s processes and policies. Have all reasonable precautions been taken to ensure the breach could not occur? Was due diligence carried out to check the suitability of your service provider, contractor or vendor? If the answer is yes and an unprecedented occurrence caused the breach I would personally not expect the ICO to take action other than to ensure you were not vulnerable to this type of event again.

SECURELY MANAGING DECOMMISSIONING AND DISPOSAL OF REDUNDANT IT ASSETS

There are an estimated 700 companies offering IT recycling as part of their capabilities so you would feel confident that in a competitive, open market you would reap the benefits of price checking and negotiating a free collection. The problem is that this is a largely unregulated industry so how do you choose a credible partner to trust with eradicating your data? There are a wide range of “accreditations” cited on most ITADs’ websites and literature, many of these I have never heard of while others require no audit to achieve. In other cases the accreditation is listed although the ITAD will not actually have achieved the standard. The buck stops with the data owner so it is important to do a little investigating before selecting the most suitable partner.


  • Is your Data Destruction contractor approved? By whom? Have you audited them?
  • Do they use third party contractors? Are they approved? By whom? Have you audited them?
  • Are their processes and policies secure and approved? By whom?
  • Is there a contingency in place?
  • How are data holding items transported? By whom? Are they approved? Have you audited them?

If you can answer all of the above questions you really should have little to fear from the ICO, but you would also be in the minority. If in doubt, speak to ADISA (Asset Disposal and Data Security Alliance) or check their website to see if your preferred IT Recycling partner meets with this DIPCOG recognised industry standard.

The data, regardless of the terms of any contract, remains the responsibility of the data owner and does not pass to an IT recycler at any stage of the process. Yes, immeasurable damage would be done to the reputation of any ITAD who failed to 100% eradicate data presumably resulting in the death of the organisation, but the ICO will look to the Data Owner and levy penalties and broadcast its findings regarding the failure of the company’s Data Security policy which led to the breach. – Malcolm Charnock

Images courtesy of Microsoft Clipart and istock
