Category Archives: IT

Are you still operating XP or Windows 2003? – A guest post from Julia McCarron, Advent IM Director

Whilst Microsoft’s utopia may be for us all to automatically upgrade every time there is a newAdvent IM Cyber Security Experts version of Windows, for many organisations this isn’t always an option. With some still coping with life after the recession the cost of upgrading to new platforms can be restrictive, especially if XP and Windows 2003 still works perfectly well and provides you with effective tools to operate business as usual. For others with large technical infrastructures, again the cost of upgrading can be a massive drain on time, resources and money and needs careful budgeting a planning over a period of time.

But with the withdrawal of support on Windows platforms and applications comes risk. Security patches no longer get issued, and as cyber security threats continue to be developed exponentially so these platforms become vulnerable to attacks.

Advent IM HMG accreditation concepts training

pics via digitalphotos.net

The obvious choice is upgrade as soon as possible. But if this is not an option you need to assess the risk of operating in a non-supported environment as part of your corporate risk strategy, and where required identify activities that can help you minimise risk. These could be more frequent external penetration tests, stricter acceptable usage policies, updates in security awareness programs or additional monitoring software. There are risk mediated options available but only if you go through the proper process of analysing the threats and impacts of not upgrading to your business.

But upgrade when you can …

Julia.

Advertisements

Ebay User Data Breach

Our MD, Mike Gillespie was speaking on BBC Radio 5 Live and BBC Radio Scotland about this disastrous data breach. There will be audio files soon for those who want to hear his comment and advice. Watch this space.

Phishing

One of the facts that has emerged so far is that this hack was in fact enabled by a spear phishing attack. For those of you who don’t know what this is, you are not alone. One if four UK employees does not know what phishing is and this major breach is a good example of why we have to get on top of security awareness training.

Phishing is when an untargeted,unsolicited email, purporting to be from  a valid source, such as a bank, invites you to click on a link or open a file. This is normally accompanied by some vague ‘issue’ such as suspicious account activity or the suspension of your account. Many of us can spot them on sight now as they are usually unsophisticated and badly spelled though this is starting to change. The payload is normally malware or spyware and might do anything from stealing logins, keystrokes or financial details.

Spear phishing is targeted at specific individuals and is normally more carefully constructed usually using some knowledge of them and with a specific purpose in mind. This may be access to a particular database, as it would appear in this case. The target may have been observed on social media or in person to establish some means of dialogue or establishing trust. this will increase the likelihood of the email being opened and activated and therefore the payload being delivered.

You may also have heard of Vishing or voice phishing and is probably best exemplified by the ‘Microsoft’ support call scam. This is when you receive a random call out of the blue from someone claiming to work in tech support for someone like Microsoft who tell you they have identified malware or issues on your PC and tell you they need access to it to clear it up for you. They will get the target to open up their PC normally by frightening them with stories of awful failures on their PC and may go as far as getting them to open up the PC’s event viewer which will show a few red flags or failures (which is normal) this will then be passed off as justification for the intervention – proof  if you like, of their timely intervention. This harmless activity then is used as the means of attack on an unsuspecting victim and their system is made vulnerable as they open up their PC to get it ‘fixed’.

This last one as well as being particularly cynical is also a cause for concern for employees who work from home or are mobile. Training staff in what they should or shouldn’t do, regardless of their geography has never been more important as cyberspace has no geography.

This is an old visual we produced but it is particularly relevant given recent events, feel free to share it with your business.

phishing

Heartbleed – some info and some advice

If we can help then get in touch but here is some information for you. Advent IM Help and Advice for Hearbleed

 

Big Data …. Friend or Foe?

Delighted to have a post from Advent IM Operations Director, Julia McCarron.

Ellie has been asking me for a while now to do a blog piece on ‘big’ data, and I must confess to dragging my heels because I wasn’t really sure what it was. I guess if I had put my mind to it essentially it must have been the aggregation of information that made it ‘big’ and I’m not far off with that. But last night’s edition of Bang Goes the Theory made me think about what it means … and the fact that ‘big’ is probably too small a word to describe its reach.

 ID-100180473If we want to be specific about it, big data is defined as a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications.[1]  But it seems to me that this 2-D definition doesn’t do it justice. From what I can see, it’s about taking these large data sets and analysing them to find patterns – that’s what makes it ‘useful’. What you do with those patterns can be for good or bad and can range from diagnostic to research to marketing to preventative in nature, and affect people, places, processes, objects … you name it basically.

I know this kind of analysis goes on because I have a ‘loyalty’ card that regularly sends me money off vouchers for the things I buy on a frequent basis/ I know internet banner ads show me handbags for a reason, usually because I’ve just purchased another one online. I understand that it’s the accumulation of data about my buying habits that is profiled to appeal to me; but I hadn’t realised just how far this can go. On the programme in question a big data collection company said that as a result of the release of DfT data on bicycle accidents, someone had within days written an app for people which told them where to avoid riding their bicycle and therefore minimise the risk of having said accident. Who would have thought that was possible? Rolls Royce engines contain computers that analyse their activity, whilst in the air, and report in real time on peaks and troughs outside the ‘norm’, which enable airlines to do maintenance work before a problem occurs.

But if you think about it big data isn’t new. Einstein’s Theory of relativity came about because he carried out hundred of experiments and analysed them painstakingly by hand. Intelligence services cracked Hitler’s codes by looking for recurring patterns, first totally reliant on the human brain before that human brain created freecrumpetsmachines to make the analysis easier and quicker. I only get 100 free ‘bonus’ points with my next purchase of Warburton’s crumpets because a computer looks at my buying habits and has identified that I buy them every week. (Other crumpets are available – actually no they aren’t). All that has changed is the scale, speed, selectiveness and sensitivity of the collection and review of that data.

The issue comes though when that big data is also personal data, and this is probably where most of us start to question whether it’s a good thing or bad thing. The BGTT Team demonstrated how easy it is to profile individuals from their online data footprints. It’s not just about what you put on various social media but it could also be an innocent publication of contact details by your local golf club. I’m a security conscious person, for obvious reasons, but I’m sure if someone really wanted to they could find out more about me than I thought was possible, just by running a few scripts and analysing trends. I’m a genealogy enthusiast and within minutes I could potentially find out when you were born within a 3 month window, the names of your siblings, your mother and father …. and those all important security questions; your mother’s maiden name and town of your birth.  So should we attempt to simply lock everything down?

 At the same time as all this personal big data is being analysed its also being put to good use.  Researchers are creating medical devices that can analyse brain activity and detect when a second brain trauma is occurring … and they’ve done this by analysing patterns and trends from hundreds of thousands of scan outputs to create a simply, non intrusive device that monitors pressures, electrical current and stimulus. If I opt out of my having my NHS patient record shared, I could make it that bit harder to find a cure … or be cured.

Ultimately, we wouldn’t be where we are today without big data but there is no doubt that in a digital age big data will just keep growing exponentially. I don’t think we can avoid big data and I don’t think we should, but from a security perspective I think we all just need to think about what we post, what we agree to make available, what we join up to and what we are prepared to say about ourselves in public forums. If a field isn’t mandatory don’t fill it in, don’t agree for your location to be published and maybe tell a little white lie about your age (girls we are good at that!). We can never be 100% secure – it’s not possible. Even our fridge can go rogue on us now and order food we’ve run out of but don’t actually want to replenish. But having a security conscious mind can protect us, whilst still providing a big data contribution. 

[1] Wikepedia

some images courtesy of freedigitalphotos.net

Sunday Times – Mike Gillespie on SME Cyber Security

Excerpt from The Sunday Times dated 16th February 2014

Small firms can be targeted for their clients’ data as well, said Mike Gillespie, director
of cyber research at the Security Institute, the industry body. “Look at the number of
small businesses that are suppliers or subcontractors to government and big business,”
he said.

 

Read the article in full here

Cyber Attack and Hack – Is Our Use of Language Creating Security Vulnerabilities in Our Thinking?

Hacking and Cyber attacks have hardly been off our media front pages for a long time. But are businesses and organisations misleading themselves by referring to these incidents as ‘hacks’ or as ‘cyber attacks’? Are businesses actually limiting their thinking and thereby creating vulnerabilities by mislabelling these important events? There is a strong indication this might sometimes be the case.

When we talk about hacking we think about a variety of activities, from the lone, disruptive back-room coder, to the determined and resource-laden gurus of cyberspace who can 

cube

apparently enter our systems at will and remove whatever data they want – maybe government funded but definitely expert and dangerous. Of course, both of these exist but if recent surveys give us any indication of how much these remote threats actually affect our businesses and organisations on a daily basis, it would appear an important part of the threat puzzle is missing. 

According to the Verizon Data Breach Report 2013, more than three quarters of breaches utilised weak or stolen credentials. So either the malfeasant has taken a solid guess that the password will be ‘password’ or has potentially stolen a passcard to a server room or a myriad of other activities which are not hacking but are breach enablers. So the myth of the remote hacker is revealed, at least in the majority of cases to be just that, a myth. With 35% involving some kind of interaction in the physical world, such as card-skimming or theft it underlines the need to move the security focus away from solely cyber.

The same report showed that in larger organisations, ex employees were the same level of threat as existing managers. If we refer to the previous stat then a proportion of those stolen credentials could actually come from ex employees using their old credentials or credentials they had access to, in order to access company networks as happened in the ‘Hacker Mum’ story

Nearly a third of breaches involved some kind of Social aspect, this could be coercion of an existing employee, a phishing campaign or simply walking into a building and charming a staff member such as a receptionist (mines of information that they are) on a regular basis to get information on staff comings and goings etc. It could also involve surveillance of a business over an extended period, including its staff, visitors and contractors.

So the actual ‘hack’ or ‘cyber attack’ is quite an extensive way down the line in this kind of breach. It could have been in planning for months. On one hand this is worrying because our language has encouraged us to focus our attention on only one part of the process. It enables the already prevalent, ‘IT deals with security’ mindset, we have discussed in previous posts.  But in enabling this narrowed view, we are creating a vulnerability and ignoring the opportunities we will have had along the route of this breach to have halted it before anyone even logged on to anything.

A comprehensive program of Security Awareness training in-built into everyone’s role and that training being regular and refreshed, is one helping hand in preventing the attack reaching the actual hack stage. Simple things like ensuring everyone knows not to click on uninvited or suspicious looking links in emails for instance. Being aware of unfamiliar faces  in a building, regardless of whether they are wearing a high vis jacket or lab coat for instance. Social engineers love to hide in plain sight. 

So use of language has ruled out these elements being considered by all staff members, they hear the words ‘cyber’ and ‘hack’ and think it is IT’s responsibility and then carry on as normal. There are many points at which the hack could have been prevented by basic security hygiene or good practice.

It underlines to us that threat to our businesses and infrastructure are holistic and so should the response to that threat be. Yes, there is a threat from the faceless hacker, the determined and well funded professional as well as the random and opportunistic ‘back-bedroom warrior’. But many businesses and organisations are facing a people based threat first.  An old vulnerability being enabled in a new way – language.

Advent IM Cyber Threat and security consultants

Advent IM Security Cyber Security experts

 Advent IM cyber security experts