Category Archives: Insider Threat

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015

Advertisements

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM Staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how  the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net

Vlado at FreeDigitalPhotos.net

 

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsular coupled with additional attacks from the orient- this will bring a chill to the spines of organisations.  These attacks are likely to be followed by sweeping phishing scams from the African continent.  There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation that the threat from insiders is on the rise. In summary it’s going to be a mixed bag of events for a number of wide ranging organisations. However on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same.  Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people.  I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees.  I also predict a significant challenge for many organisation which hold personal data.  The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens.  With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioners Office (ICO).  Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited.  This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media, and Marcomms Manager – I predict the growth of ransomware  in business.  Ransomware, is mainly (though not exclusively) spread by phishing and given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites and so businesses that do not have, or enforce a policy or exercise restrictions in this area, will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

 

 

Mike Gillespie_headshot

 

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breach in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

“Five Eyes” intelligence document leak – Australian Defence bureaucrat off to jail

This week saw the news that the junior bureaucrat from the Australian Department of Defence, has been jailed for one year, following his guilty plea in the ACT Supreme Court to posting a secret Defence Intelligence Organisation, to an online forum. Julia McCarron gives her take on this quite staggering series of events.

Not a ‘Gooday’ for the Canberra APS

Surprise!

Well this a strange one for sure. So, Michael Scerba, a former junior Defence bureaucrat has been jailed in Australia for uploading secret information online. He downloaded a 15 page document from a secret Defence Intelligence report, burnt it to disk, took it home and posted the first two pages on an on-line forum. The post was viewed and commented on by a dozen people and re-posted but disappeared an hour after its original post.

This is bad on so many levels …

When they say he was a junior bureaucrat, he was actually a 21 year old Department of Defence (DoD) graduate … with only 8 months on the job behind him and a secret (negative vetting level one) clearance … and apparently “his mental health had impaired his judgement”. I accept that the article does not expand on these mental health issues or when these issues occurred, and I am in no way implying that mental health of any kind should be a barrier to employment as I do not believe it should in general. However, we are talking about a position in National security here with access to secret information, so assuming his issues occurred pre-employment. So first question: Why was a 21 year old graduate with mental health issues given a level of clearance high enough to enable access to, and the capability to download, information relating to National security?

You've got to have a system.

Something has to have gone wrong with the vetting process and/or the employment process where access rights and privileges are determined and applied. If he had underlying mental health issues surely these should have been detected prior to his employment or during the induction process. I would presume DoD staff have to go through stringent mental stability checks checks for security clearance purposes to minimise the risk of coercion or subversion? This seeming lack of procedure demonstrates the importance of a robust vetting process, particularly in a role so critical to the security of the nation. It also demonstrates the need to ensure privileges are granted relevant to the job role and on a ‘need to know’ basis. Did he really need to access to information that revealed the identity of intelligence sources, gathering methods and classified aspects of strategic partnerships between Australia and other countries?

Advent IM Cyber SecurityIt also opens up the question of removable media access and control in sensitive areas. Second question: Did he really need to be granted the ability to burn information to disk or USB at the level he was working at? Are there not search facilities at access points a la ‘Spooks’ that detect unauthorised media? I would have thought again that some sort of policy would have existed that meant staff were only allowed use of authorised removable media and that no media was allowed to be removed from the premises?

And finally, the claim by the Judge that, “Scerba had not intended to compromise national security, although he knew the disclosure could cause harm”. I find this claim quite astonishing. So he’s employed in a DoD job, with access to information pertinent to National security and he didn’t know the disclosure could cause harm or compromise National security? Really? Question 3: What kind of induction training was the DoD providing? I can’t believe they do not put employees through extensive security training highlighting how to handle data at various classification levels, the importance of data classification and handling and the consequences of failing to comply with policy. If they don’t then some serious questions need to be asked!

I think I’m with retired Lieutenant General Peter Leahy on this one though; jail time was definitely required for this serious National security data breach. But 12 months with only 3 served does not send out a good message to others employed by the DoD who, like Scerba, believe Julian Assange is their hero. This could just be the beginning unless changes to process are tightened up.

Post comment based on an online article in the Canberra Times dated 5th November 2015.

The Insider that rarely gets questioned…

Insider Threat certainly isn’t going away, is it? Reading the continual survey results and news items I see published, it will still be an issue for a long time to come. We know that a lot of the Risk that Insiders bring can be mitigated with good policy and process combined with tech that is fit for purpose. But what of those insiders we don’t really like to  challenge? I speak of the C-Suite; our boards and senior management… surely they couldn’t possibly indulge in risky behaviour?

Risky behaviour is actually quite prevalent in our board rooms, security-wise I mean. (Check out https://uk.pinterest.com/pin/38632509277427972/) Unfortunately, some of the info assets that this level of colleague has access to is quite privileged and so in actual fact, the security around their behaviour actually needs to be tighter but in reality things are not always this watertight and IT security and other security functions will make huge exceptions, based upon the role and seniority instead of looking at the value of the information asset and how it needs to be protected. (Check out https://uk.pinterest.com/pin/38632509276681553/)

Its worth noting that senior execs are frequently the targets of spear phishing and given the level and sensitivity of assets they have access to, this is a huge risk to be taking with organisational security. Ransomware could also be deployed through this method and as a means of coercion. Whilst considering this level of access, we also need to think about the purpose of attack. If this was part of an industrial espionage type of operation, the plan might not be to steal data, it could be to destroy or invalidate it, in situ, in order to affect stock prices, for instance.  It is also worth noting that ex-execs or managers can still be a target and that means they still constitute a potential organisational threat.

Privileged access users like system administrators (sysadmins) also pose a potential threat in the same way as senior business users as there may little or no restrictions on what they can access or edit. A rogue sysadmin or similar could cause absolute chaos in an organisation, but the organisation might not even realise it, if they have also got the ability to cover their tracks. According to the Vormetric 2015 Insider Threat Report, the biggest risk group was privileged users and Executive Management categories were responsible for 83% of the overall risk from Insiders. Yet according to the same piece of research, only 50% have Privileged User Access Management in place and just over half had Data Access monitoring in place.

One more layer to add on top of this would be BYOD. Many businesses have considered whether BYOD is a good choice for them and many have decided to adopt it. Whilst data suggests it may contribute to data breach in adopting organisations, it can be a problem even for those who do not adopt it, as yet again senior execs are allowed latitude regarding the devices they use and may not be subject to the same scrutiny or oversight that general employees are. We know that almost a third of employees have lost up to 3 work mobile devices, we do not know how many have lost their own device also or whether it contained sensitive or valuable business data. We do know that some of these will be senior executives though and this, combined with other risky behaviours (check this out https://uk.pinterest.com/pin/38632509277975844/) will be a major contributor to the risk profile that they represent.

Ebay User Data Breach

Our MD, Mike Gillespie was speaking on BBC Radio 5 Live and BBC Radio Scotland about this disastrous data breach. There will be audio files soon for those who want to hear his comment and advice. Watch this space.

Phishing

One of the facts that has emerged so far is that this hack was in fact enabled by a spear phishing attack. For those of you who don’t know what this is, you are not alone. One if four UK employees does not know what phishing is and this major breach is a good example of why we have to get on top of security awareness training.

Phishing is when an untargeted,unsolicited email, purporting to be from  a valid source, such as a bank, invites you to click on a link or open a file. This is normally accompanied by some vague ‘issue’ such as suspicious account activity or the suspension of your account. Many of us can spot them on sight now as they are usually unsophisticated and badly spelled though this is starting to change. The payload is normally malware or spyware and might do anything from stealing logins, keystrokes or financial details.

Spear phishing is targeted at specific individuals and is normally more carefully constructed usually using some knowledge of them and with a specific purpose in mind. This may be access to a particular database, as it would appear in this case. The target may have been observed on social media or in person to establish some means of dialogue or establishing trust. this will increase the likelihood of the email being opened and activated and therefore the payload being delivered.

You may also have heard of Vishing or voice phishing and is probably best exemplified by the ‘Microsoft’ support call scam. This is when you receive a random call out of the blue from someone claiming to work in tech support for someone like Microsoft who tell you they have identified malware or issues on your PC and tell you they need access to it to clear it up for you. They will get the target to open up their PC normally by frightening them with stories of awful failures on their PC and may go as far as getting them to open up the PC’s event viewer which will show a few red flags or failures (which is normal) this will then be passed off as justification for the intervention – proof  if you like, of their timely intervention. This harmless activity then is used as the means of attack on an unsuspecting victim and their system is made vulnerable as they open up their PC to get it ‘fixed’.

This last one as well as being particularly cynical is also a cause for concern for employees who work from home or are mobile. Training staff in what they should or shouldn’t do, regardless of their geography has never been more important as cyberspace has no geography.

This is an old visual we produced but it is particularly relevant given recent events, feel free to share it with your business.

phishing

Cyber Skill Shortage interview

If you missed the Cyber Skills Shortage piece on Radio 5 Live (and iplayer) recently then you might like this… needs sound, obviously.

NB. Mike appears at about 11.37 but we strongly recommend you listen to the whole piece. It lasts roughly half an hour.

Slide1