Category Archives: phishing

Some top security tips that ALL employees can use

When it comes to security, one thing is clear, people occasionally do daft things with computers and devices, and they frequently do these daft things at work. They occasionally do malicious things too but it’s mostly just daft. So we can train our employees (including managers and directors) in our procedures and policies and enforce them. In fact, spending as much time thinking about the best way to train different teams is never time wasted because it gives you the chance to use their language and create something nuanced that will make a genuine difference, which is, after all, the whole point of doing it.

Looking at some of the data that came out of Vormetric’s Insider Threat report, in actual fact, those privileged users are still posing a security headache to many of the respondents. They may be System Admins or senior colleagues who are simply not restricted or monitored in the way other employees are…these are the ones who can access very sensitive or valuable information and so need to be even more hyper-vigilant in their behaviour. But let’s face it, one phishing email clicked and payload of malware downloaded is all it takes and that could be done by an MD or a temp.

I asked the team here at Advent IM to come up with some practical tips that all employees can use, regardless of their role,  to help protect their organisations and enhance their understanding of the vital role they play in securing assets.

  • That email telling you there’s a juicy tax rebate waiting for you but it needs to be claimed immediately, hasn’t come from the Government. It’s  a phishing email. Clicking that link will allow malware to be installed and all your personal information to be stolen. Do not click on links in emails you are not expecting and if in any doubt refer to your security manager.
  • Never set your smartphone to allow download and installation of apps from sources other than an approved store. Changing this setting can allow malware to be installed without your knowledge and could result in you being a ransom ware victim.
  • Always report security breaches immediately to your line manager to facilitate any counter compromise action to be undertaken as deemed necessary. If the organisation isn’t aware of it, the event could worsen or spread. Containment and control is vital as quickly as possible.
  • Archive old emails and clear your deleted & sent folders regularly as a clean and tidy mailbox is a healthy mailbox.
  • Never discuss work topics on social media as your comments may come back and bite you!! You could also be compromising your employers and colleagues security and increasing the likelihood or the ease of an attack.
  • Don’t worry about challenging people you do not know who are not wearing ID or visitor badges. It may seem impolite but Social Engineers use inherent politeness to their advantage and can then move round a site, potentially unchallenged.
  • Don’t allow colleagues to use your login credentials, this goes double for temps and contractors. Think of it like lending your fingerprints or DNA to someone, would you do that so easily? Any activity on your login will be attributed to you…
  • Do you really need to take your work device to the pub with you? More than a quarter of people admit to having lost (or had stolen) up to 3 work devices and more than half of them were lost in a pub!
  • Don’t send sensitive documents to your personal email address. If there is a security measure in place, it is there for a reason..
  • Don’t pop any old USB into your PC. Nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and potentially, that of their employer. It could have anything on it! exercise caution.

Some of the findings on Insider Threat from the Vormetric 2015 survey…

2015 Vormetric data Insider Trheat v0.4

Advertisements

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015

Banking on Good Cyber Security

Julia McCarron reflects on the news that regulators are almost at the point of requiring major financial services companies to participate in a cyber security testing programme, according to the Bank of England.

It was nice to see the Bank of England talking about cyber security recently, and the importance it sees in testing awareness and resilience amongst the financial sector.

iStock_000015672441MediumIn May 2015, the CBEST scheme for firms and FMIs considered core to the UK financial system, was launched to test the extent to which they are vulnerable to cyber attacks and to improve understanding of how these attacks could undermine UK financial stability.

The scheme is currently voluntary and testing services are delivered by an approved list of providers regulated by CREST, a not for profit organisation that represents the technical information security industry.

The voluntary aspect of this is arguably what could make, what appears on the face of it to be a worthwhile initiative, ultimately unsuccessful. That said vulnerability scanning, assessments and penetration testing should frankly already be part of a financial institutions make up. So, if it’s not, the Bank of England is right be “expressing concern”.

The most interesting element of the Bank of England’s discussions though was that when talking cyber security they acknowledged that it’s not all about technical controls. I quote in respect of them keeping their own house in security order,

“Technical controls put in place had strengthened the Bank’s ability to prevent, detect and respond to attacks. But no technical fix could guarantee security 100%, so at the same time significant effort had been made to improve security awareness among all staff, and incident handling procedures had been strengthened“.

iStock_000013028339MediumThis is something we have evangelised about for years. Technical controls are not the answer. They are only part of the answer. We all know that the majority of security beaches are caused by staff, mostly unintentionally, due to lack of security awareness and training. It’s all very well having a state of the art lock on the front door but if no one knows how to use it what is the point in it being there? You might as well invite the burglar in for a cup of tea and a slice of cake.

The Bank also jumped on the Advent band wagon by mentioning that regulators have been discussing the importance of cyber security being a board room issue for companies particularly in relation to governance. Again, check our archives. We’ve worn down the drum from beating that point so hard and for so long. A security culture will only be successful if it’s supported from the top down. Otherwise it’s a constant uphill walk on the down escalator.

phishOne initiative the Bank took to improve security awareness is one which is growing in popularity, especially amongst large organisations and data centres – ‘Phishing Attack Testing’. This is where a fake phishing email is sent to staff and monitored a) as to how many times its opened, b) as to how many times its reported c) as to how many times the link is clicked and by whom. This helps to raise awareness of the issues of suspicious emails and target staff training. The Bank claims it is personally seeing a decline in staff “taking the bait” and an increase in security incident reporting. A report by Verizon in 2014 stated that as many as 18% of users will visit a link in a phishing email which could compromise their data. This against a backdrop of phishing being not only on the rise but getting more sophisticated in its presentation. So more should follow in the Bank of England’s footsteps when it comes to raising awareness against this type of attack.

iStock_000015534900XSmallSo there are a number of positives we can take away from the Bank of England’s discussions on cyber security:

  1. Technical vulnerability testing is encouraged;
  2. It’s not all about the technical controls; don’t forget to train you staff;
  3. A security culture must start in the boardroom;
  4. Make staff aware of the perils of phishing emails through fake attack testing.

Watch out for those iPhone/iPad phishing emails

For reasons far too dull to expand upon, there were no Apple products in my stocking this year. I have however, had a mountain of email telling me to click through various links in order to re-register my iPad, to download a free app or piece of music, and a variety of other things. Also for my iPhone (that I don’t have) a variety of free apps and other vital pieces of software I must have/register or otherwise obtain. I hope that you have not been subjected to any of this opportunistic phishing. For that is what it is.

ID-10067364Given that Apple products dominated Christmas this year in terms of phones and tablets, it looks like a safe bet for a phisher. Add to that some of the recipients might be kids/inexperienced/slightly merry on Christmas day and therefore more likely to click an unexpected link or file and thereby deliver the toxic payload or whatever the email was designed to do..

At this point I would refer you to my previous post about making sure you are allowed to use your device on your employers networks, before you actually do. Especially if you have not been careful about what you have clicked on when you had your party hat on…

Happy 2015 everyone.

The U2 Album and some phishing

GrrOpinions vary on the success and indeed the ethics of Apple’s decision to place a copy of U2’s new music in iTunes libraries. Some people have welcomed it, though I assume these are the ones who did not have their personal preferences overridden. Apparently, it appears many people had not selected the auto download option in their settings but this seems to have made little or no difference. (These may or may not be some of the contributors to the Twitter hashtag #IblameBono currently occupying a space in my recommended trends. I hasten to add Advent IM has not contributed)

It has also become apparent that the album is not too easy to remove either… indeed the news today includes an update from Apple, who have now created a remove U2 with one click tool after the clamour from iTunes users. They do say that there is no such thing as bad publicity but I can’t help but wonder if invading people’s privacy in this way would ever be good news for a brand. Knowing that your wishes can be overridden with impunity is not reassuring. Realistically, I would think that regular reassurance and demonstration of privacy and security being respected would be a far better approach.

ID-10067364One of the unintended consequences of this has been a massive increase in the number of iTunes and Bono-based phishing emails. Some have offered a ‘delete the U2 album link or tool’ (either carrying or linking to malware). Others have capitalised on the fact that Apple have given something away by purporting to carry a link to a free film from Apple. Users who were suitably impressed by being given the free U2 album have been ‘softened’ into thinking it was perfectly believable Apple would now be sending them links to free movies. 

So users who were less than happy with the sneaking of U2 into their library may get caught by the first kind and those who were thrilled and were then happy to have more free Apple stuff may be caught by the second…

Whatever way you look at this, the U2 album has been a bit of a nightmare from a security perspective. #IMightBlameBono…