Category Archives: RISK

Some top security tips that ALL employees can use

When it comes to security, one thing is clear, people occasionally do daft things with computers and devices, and they frequently do these daft things at work. They occasionally do malicious things too but it’s mostly just daft. So we can train our employees (including managers and directors) in our procedures and policies and enforce them. In fact, spending as much time thinking about the best way to train different teams is never time wasted because it gives you the chance to use their language and create something nuanced that will make a genuine difference, which is, after all, the whole point of doing it.

Looking at some of the data that came out of Vormetric’s Insider Threat report, in actual fact, those privileged users are still posing a security headache to many of the respondents. They may be System Admins or senior colleagues who are simply not restricted or monitored in the way other employees are…these are the ones who can access very sensitive or valuable information and so need to be even more hyper-vigilant in their behaviour. But let’s face it, one phishing email clicked and payload of malware downloaded is all it takes and that could be done by an MD or a temp.

I asked the team here at Advent IM to come up with some practical tips that all employees can use, regardless of their role,  to help protect their organisations and enhance their understanding of the vital role they play in securing assets.

  • That email telling you there’s a juicy tax rebate waiting for you but it needs to be claimed immediately, hasn’t come from the Government. It’s  a phishing email. Clicking that link will allow malware to be installed and all your personal information to be stolen. Do not click on links in emails you are not expecting and if in any doubt refer to your security manager.
  • Never set your smartphone to allow download and installation of apps from sources other than an approved store. Changing this setting can allow malware to be installed without your knowledge and could result in you being a ransom ware victim.
  • Always report security breaches immediately to your line manager to facilitate any counter compromise action to be undertaken as deemed necessary. If the organisation isn’t aware of it, the event could worsen or spread. Containment and control is vital as quickly as possible.
  • Archive old emails and clear your deleted & sent folders regularly as a clean and tidy mailbox is a healthy mailbox.
  • Never discuss work topics on social media as your comments may come back and bite you!! You could also be compromising your employers and colleagues security and increasing the likelihood or the ease of an attack.
  • Don’t worry about challenging people you do not know who are not wearing ID or visitor badges. It may seem impolite but Social Engineers use inherent politeness to their advantage and can then move round a site, potentially unchallenged.
  • Don’t allow colleagues to use your login credentials, this goes double for temps and contractors. Think of it like lending your fingerprints or DNA to someone, would you do that so easily? Any activity on your login will be attributed to you…
  • Do you really need to take your work device to the pub with you? More than a quarter of people admit to having lost (or had stolen) up to 3 work devices and more than half of them were lost in a pub!
  • Don’t send sensitive documents to your personal email address. If there is a security measure in place, it is there for a reason..
  • Don’t pop any old USB into your PC. Nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and potentially, that of their employer. It could have anything on it! exercise caution.

Some of the findings on Insider Threat from the Vormetric 2015 survey…

2015 Vormetric data Insider Trheat v0.4

Affinity Gaming and Trustwave legal action

A post from Chris Cope CISM, CISSP, MInstISP, CESG Certified Professional, PCBCM, ISO27001 Lead Auditor  and Advent IM Security Consultant

It had to happen at some point;  a cyber security company is being sued by a customer for not delivering the goods.  Las Vegas based Affinity gaming has initiated legal proceedings against Chicago firm Trustwave for making representations that were untrue and for carrying out work which was ‘woefully inadequate’.  The point of contention was a hack on the casino’s payment card system in 2013.  Affinity allege that Trustwave concluded that the intrusion had been contained and dealt with, but the casino operators later suspected this was not the case and engaged another security consultant, Mandiant, to confirm.  The breach had not, allegedly, been contained and now Affinity is looking to obtain damages from Trustwave.

This is not the place to suggest what did or didn’t happen; that will be discussed, at considerable length I suspect, in the American courts.  Rather, a better topic for discussion is that of contractor liability.  This lawsuit is a bit of a first for the cyber security industry, although the concept of suing contractors for damages is by no means new.  Countless companies and individuals have been sued for breaches of contract or for tort damages.  I suspect it was only a matter of time before our industry saw similar action.  But this should be taken as a wake up call.

In English Law, a consultancy firm is seen as providing a service to the customer. The 1982 Supply of Goods and Services Act, Section 13  states that ‘In a contract for the supply of a service where the supplier is acting in the course of a business, there is an implied term that the supplier will carry out the service with reasonable care and skill’.  The key term here is reasonable; what would a reasonable person judge to be a service that was carried out in a competent fashion? Note, the law does not require that a contractor provides the perfect service; there is a realisation that contractors are human and to expect perfection is unreasonable.

So how then can a cyber security contractor ‘prove’ its competence and ability to deliver a reasonable service?  Whilst the emphasis remains on the accuser to prove incompetence, it doesn’t hurt to ensure that a good, pro-active defence is in place.  First of all, the competence of employees must be evaluated and baselined.  There are a plethora of cyber security qualifications available, drawing comparisons between qualification awarded by different bodies can be difficult, but it remains perfectly possible to ensure that consultants are qualified for the tasks they are expected to perform, and perhaps most importantly of all, maintain those qualifications.  Secondly, cyber security is a very broad field and being an expert in every area is almost impossible, therefore assigning consultants to tasks which suit their skills sets is hugely important.  The supervision of less well qualified personnel must also be taken into account; junior staff members must be able to develop their skills, but for the customer’s sake, they must be supervised properly in the process. It’s worth companies remembering that they are responsible for the actions of their employees whilst delivering a contract, via vicarious liability.  Their mistakes will come back to haunt the employer unless sufficient care is taken.  We must also ensure that we appropriately manage the expectations of our customers.  No venture is ever risk free and there is no one piece of technology which will solve every problem; our goals should be clearly stated that we intend to reduce the risk to an acceptable level, not eradicate it completely.  If we promise too much then it’s no surprise that customers expect too much.  Finally, whilst the above is correct for English Law, other jurisdictions have different rules; companies that work globally would be wise to ensure they understand the local environment properly before signing a contract.

The cyber security profession is evolving and it is only to be expected that practitioners will face greater scrutiny.  Rather than adopt the position that companies like Affinity are looking for a scapegoat for their own failures, we must ensure that we are able to consistently deliver a good enough service.  This may be the first such action, but I doubt it will be the last.