Category Archives: risk assessment

Size Really Doesn’t Matter in Cyberspace

Something we have all long suspected has today been confirmed by Allianz, the insurance giant: size does not matter. At least not when it comes to being a target of a malicious cyber attack.

According to Allianz, attackers are targeting large corporations by attacking their supply chains: smaller companies and SMEs that potentially offer more easily accessible ‘routes in’. That will not always be the case, but an SME’s perception that it is not a viable target may be just that, a perception. Understanding the real threat, and therefore the real risk, of an attack is vital. If you do not fully understand the risk posed to you, and the risk you potentially pose to others, you may be open to an incursion even if you are not the prime target. You may not even know that your systems have been used in this way.

So the question is, how robust is your security? Many large corporations are starting to demand evidence of stringent security as a matter of course, because they understand the very real risks posed by their suppliers. According to an article in City AM today:

“Companies employing fewer than 250 employees are now almost twice as likely to be the subject of a targeted computer attack compared to 2011. By contrast, large organisations employing over 2,500 people have seen no increase in attacks over the same period”

A thorough, independent and comprehensive Risk Assessment is strongly advised in these circumstances. Being able to evidence your security posture is a positive enabler for many organisations, as it can open up greater commercial opportunities to work with larger corporations and public bodies. As the risk of these “piggy-back” attacks grows, those corporations are increasingly likely to require evidence of their supply chain partners’ security.


Data Destruction – Passing the Buck – Guest blog from Malcolm Charnock – Icex


Understanding your responsibilities as a data owner includes having proper policy and processes in place for the safe removal and destruction of information that should no longer be stored. This should form part of an organisation’s overall Information Security Policy, with specific reference to the Data Protection Act (1998).

Through the power of social media we were delighted to meet Malcolm Charnock from Icex, and even more delighted that he agreed to write a guest blog on Data Destruction for us.

Data Destruction – Passing The Buck by Malcolm Charnock


One of the things that keeps me enthused about my job is that every client has different requirements when it comes to ensuring all data is eradicated. “Different requirements”? Well, maybe the truth is that every client has a different level of understanding (or apathy) of their obligations and options when it comes to securely eradicating data.

I have spoken to organisations who insist on 2mm granulation of hard drives; after all, this is the standard the MOD requires, so their business should insist on this too? Actually, you have to take your hat off to an organisation that takes data destruction this seriously; until you find out that this same organisation uses a courier to send the hard drives to a data destruction “specialist” of whom they have no real knowledge!

The fact is that every organisation has the same responsibility, and in most cases the process that is most suitable is the same. OK, the local shop losing data will clearly not have the same impact as the MOD losing it, but the thought process behind any Information Security Policy should be similar.

ICO Monetary Penalties, contrary to popular opinion, are not levied purely as a result of a breach occurring. Just as important are the organisation’s processes and policies. Have all reasonable precautions been taken to ensure the breach could not occur? Was due diligence carried out to check the suitability of your service provider, contractor or vendor? If the answer is yes, and an unprecedented occurrence caused the breach, I would personally not expect the ICO to take action other than to ensure you were not vulnerable to this type of event again.

SECURELY MANAGING DECOMMISSIONING AND DISPOSAL OF REDUNDANT IT ASSETS

There are an estimated 700 companies offering IT recycling as part of their capabilities, so you would feel confident that in a competitive, open market you would reap the benefits of price checking and negotiating a free collection. The problem is that this is a largely unregulated industry, so how do you choose a credible partner to trust with eradicating your data? There is a wide range of “accreditations” cited on most ITADs’ websites and literature; many of these I have never heard of, while others require no audit to achieve. In other cases the accreditation is listed although the ITAD has not actually achieved the standard. The buck stops with the data owner, so it is important to do a little investigating before selecting the most suitable partner.


  • Is your Data Destruction contractor approved? By whom? Have you audited them?
  • Do they use third party contractors? Are they approved? By whom? Have you audited them?
  • Are their processes and policies secure and approved? By whom?
  • Is there a contingency in place?
  • How are data holding items transported? By whom? Are they approved? Have you audited them?

If you can answer all of the above questions you really should have little to fear from the ICO, but you would also be in the minority. If in doubt, speak to ADISA (Asset Disposal and Data Security Alliance) or check their website to see if your preferred IT recycling partner meets this DIPCOG-recognised industry standard.

The data, regardless of the terms of any contract, remains the responsibility of the data owner and does not pass to an IT recycler at any stage of the process. Yes, immeasurable damage would be done to the reputation of any ITAD who failed to 100% eradicate data, presumably resulting in the death of that organisation, but the ICO will look to the data owner, levy penalties and broadcast its findings regarding the failure of the company’s data security policy which led to the breach. – Malcolm Charnock

Images courtesy of Microsoft Clipart and istock


Social Engineering – a fascinating look from a real expert….

Helpdesk1 to Helpdesk 2, come in. Over.

Readers of this blog will have encountered our security content on the concept of Social Engineering before. This post is a fascinating glimpse from someone who uses these techniques firsthand: the pitfalls, the uses and the reactions.

Are your colleagues security aware enough to keep their nerve and stick to policy when faced with challenging and anxiety-raising situations like the one detailed below?

Would you or your colleagues recognise any of the characteristics of a Social Engineering attempt? It’s not just about having a policy but about everyone understanding it and feeling confident enough to apply it…to everyone. Do manners and cultural norms play a part in how the social engineer gets access to, or information on, things that they shouldn’t? Reading this account, undoubtedly. Including a module on Social Engineering would be a very wise idea in any organisation’s Security Awareness Training programme.

IT Helpdesk 1 to Helpdesk 2 – “Who was that on the phone?  I could hear him shouting and threatening you from here”.

IT Helpdesk 2 to Helpdesk 1 – “The CFO… who’s trying to work on his laptop from home. He can’t log in… again, he said. He wouldn’t let me talk him through anything, said he’d done everything I tried to suggest; he just wouldn’t listen to any of our standard procedures. He just kept shouting and saying he’d be in here tomorrow to fire me and have me escorted off the premises. All he wanted was for me to reset his password and check his complete authentication process details so he could get some work done. He said he didn’t want a confirmation email or a Helpdesk ticket on the system telling everyone he couldn’t use his laptop, and I wouldn’t want him telling the head of ICT that I couldn’t, or wouldn’t, help him out”.

IT Helpdesk 1 to Helpdesk 2 – “What an ar5e!”……..

“A common enough Social Engineering attack, seen from the perspective of the recipient of the attack, and one I’ve used many times myself. The tools of the Social Engineer are manipulation, domination and coercion, ending with the hope of a carrot after the stick, to make the target feel lucky to have escaped so lightly. Sometimes flattery and feigned stupidity will work, but the Social Engineer needs to be confident in his or her ability and flexible enough to adapt to the responses they get from the subject of the attack. Confidence in eliciting in-depth information, by pre-loading the recipient’s mind with information to make your questions more readily accepted, is another key skill of the Social Engineer. In the example above the CFO was selected because his personal Facebook page showed he was on holiday with the family somewhere hot and sunny that looked like Mexico. Don’t get me started on social media, and the information people just broadcast out there to the unknown, unrestricted and dark corners of the Internet.


We all want to help – naturally. We also want to make the shouting stop…

It’s in the human makeup to want an unpleasant or embarrassing problem to be someone else’s and not yours. The human mind can be likened to software we all understand: it is possible to overload the target’s mind and insert custom instructions, just as a hacker executes code to cause a stack or buffer overflow. A favourite Social Engineering attack to illustrate this is when you need to get buzzed through from reception without being escorted. You rush in, trying to explain you’re there to see someone important at the company, mentioned by name; you’ve been there many times before and know the way. You rush on to say that you’re terribly late; you’re also trying to sign in and keep the initiative before the receptionist can process this overload of information, or think to do what their procedure says they should do. This is known as ‘pretexting’: preloading the human mind with information to support your story and persona, to make it all more credible. You then receive your pre-planned imaginary phone call. “Sorry, I have to take this,” you say; the call quickly escalates and you launch into a blistering verbal assault on the person who isn’t really on the other end. Phone still to your ear, and still giving full vent to your ire, you motion in the direction of the receptionist, who will have been watching and listening most intently, and towards the controlled door as you start walking towards it. You’ve overloaded them; you’ve inserted the belief that you’re someone important, not to be denied or argued with, especially if you’re off to see one of the senior officers of the organisation; the subject of the attack will want you to say how helpful they were.

I’ve found that 9 times out of 10, to make this horrid person go elsewhere and be someone else’s problem, you’ll get buzzed through usually with a comment from the receptionist that they’ll call ahead to say you’re coming.  As that isn’t where in the building you are really heading, that’s not a problem.  It’ll take some time for them to realise you haven’t arrived, by which time you will have found your next security obstacle to overcome or target of your next Social Engineering attack and started to penetrate deeper into the building and closer to your final goal. 

The key to becoming less susceptible to Social Engineering is to find out more about how the attackers influence and control people.  As with software Hackers, the process is not a ‘one time attack’, there will be supporting or enabling attacks, probing enquiries, all building the picture of the target organisation before the ‘Big-One’.  Remember credibility during the attack will be enhanced by the use of morsels of the truth, names or organisational details of the target organisation.  Social Engineers are hackers of people.  You need to start to think of them in that more familiar way and then your perceptions will change and you will tune in to the attack indicators that will allow earlier detection of their activities, as you already do with software hackers and malware writers.  Staff awareness of the techniques of Social Engineering can dramatically improve the resistance to Social Engineering attacks, just as the Police try to educate the vulnerable about the local activities of Con Men.”

Senior Advent IM Security Consultant

Photos: Microsoft Office

Further viewing on this topic can be found on our Slideshare stream here: http://www.slideshare.net/Advent_IM_Security/social-engineering-insider-and-cyber-threat (you will need sound).

Why Physical Security in NHS Trusts needs a major health check


Traditionally the NHS has focused its security efforts primarily on the problems associated with violence and aggression toward staff, because this is still perceived as the major concern and so continues to be the main focus of resource expenditure. Whilst the threat of aggression clearly needs to be in scope, there are other areas that need attention, not only for the wellbeing of the people involved but also to guard against spiralling cost, something no NHS Trust can afford.

Looking at the Threat Landscape

In many cases, NHS Trust security is managed by former Police Officers who have a wealth of experience in dealing with aggression. However, it has to be acknowledged that the threat landscape is far more varied than this head-on threat: security threats come from a variety of sources, and not all of them revolve around outright aggression.

The perception of the Security Officer’s duties in NHS Trusts is that they are there to provide reassurance to the public, hospital staff and visitors in the event of violent behaviour. In fact there are a myriad of duties they are called upon to carry out, some of which they are not trained to perform. These include searching for missing patients, attending patients on suicide watch, supervising patients awaiting Mental Health professionals, foot patrols, cashier runs, car park patrols, smoking patrols and issuing parking contravention notices, to name but a few.

Drugs: Expensive and potentially dangerous

The NHS is no different from any other organisation as far as security is concerned: security components are more often than not bolted on as funding becomes available, and usually without any long-term objective in mind. In a recent NHS Trust project it was discovered that the absence of a strategic vision meant that funding had in fact been wasted. For example, additional CCTV cameras had been installed without an understanding of what they were actually needed to do. The CCTV system was not integrated with other security systems, and this lack of integration represented not only a missed opportunity to increase efficiency and improve security, it also wasted scarce financial resources. A CCTV audit revealed that there were actually too many cameras, but few were positioned where they were needed, and many were capturing images that were unusable. (This problem only increases across multiple sites using different systems.) A rationalisation of the CCTV estate and a review of its fitness for purpose is, in many cases, the best way to proceed.

Another very important aspect of using CCTV systems that is often overlooked, or perhaps not fully understood, is the Data Protection Act. The images that are recorded, stored and deleted constitute personal data that has to be handled properly and, when appropriate, properly destroyed. This means everyone who monitors, has access to, stores or manages these images needs to be properly trained, aware of their responsibilities and able to treat the data correctly.

In any organisation, loss creates cost, and this is something each and every Trust is currently facing. A recent Daily Mail article highlighted theft from the NHS as a serious issue. Some equipment and facilities are very expensive, and loss or damage not only drives cost but can endanger lives. The absence of a security-aware culture, or one that is focused almost entirely on an aggression-based threat, allows loss to flourish, because investment is made ineffectually, as in the CCTV example above. Staff may prop open frequently used doors or share door entry cards for convenience; these are commonly found issues in security procedures in Trusts. What if that door gave access to drugs, vital equipment or confidential medical data? If the cameras are also ineffective, a thief could wander around and help themselves to thousands of pounds’ worth of equipment, or steal personal data for which the Trust would be held accountable.

During a recent project, a consultant found that no one challenged his presence in a medical records archive, and said he could easily have made his way into a RESTRICTED information area by tailgating through the door; such was the lack of awareness.

So how do Trusts shift the security mindset?

  • The threat environment has changed and security needs to be approached as a cyclical, ongoing process. It needs to be reviewed and tested regularly.
  • The narrow view of security within the NHS as aggression-based and the responsibility of the manned guarding component needs to be dispelled. Everyone working within any organisation has a personal responsibility for security; an NHS Trust is no different. A cultural change within Trusts is required to instil awareness. Only this way will everyone feel part of the security fabric rather than seeing it as something done by someone else.
  • Security training and education should be standard in all Trusts; this should include an understanding of the real, rather than perceived, threat landscape.
  • Senior management need to understand how to maximise the effectiveness of their security infrastructure for the benefit of the Trust. This encompasses understanding all of the above plus a willingness to forget the mantra of “this is the way we’ve always done it” and move toward excellence. After all, effective security will prevent harm to staff, patients, visitors and contractors, protect costly equipment and dangerous drugs, prevent damage to other assets and prevent the loss of sensitive or personal information.
  • A proper security review can identify areas where cost savings can be made or wasted costs controlled, such as the CCTV estate review: removing cameras that are not fit for purpose will reduce the maintenance bill. The review will also determine whether cameras are fit for their purpose and placed in an appropriate location to mitigate the identified threats, thus ensuring that the Trust meets its Duty of Care for staff, visitor and patient safety.

Advent IM Senior Security Consultant – Paul Smith MSc MSyI

FREE White paper: CCTV in Schools: Is surveillance in schools appropriate?


Schools face a difficult challenge: balancing security and privacy. Whilst pupil and staff safety has to be paramount, our Senior Security Consultant explores this challenging area as an expert in the field.


Top Down Security (or “How To Learn To Love Information Security And Get It Into The Boardroom”)

Originally published on the Darlingtons Solicitors Blog 23.11.12

Say the word ‘security’ to people and you get a variety of responses or perceptions. Some think of manned guarding and a nice guy who works the barrier and checks the CCTV images to keep everyone safe. Others go a bit ‘Mission Impossible’ and imagine consultants dangling from wires, testing floor pressure pads in secure areas whilst hacking into the Pentagon. Still others regale you with tales of every nightclub they have been asked to leave by a man in a black puffy jacket.

This post is not really about any of those perceptions, it is about a business enabler and how it is placed in successful organisations. I can appreciate that compared to Tom Cruise dangling from the ceiling this may appear dull, but as far as business goes, it’s a bit more useful.

“Yeah, IT does Security”

According to the Ernst & Young Global Information Security Survey 2012, there is a real gap between where Information Security sits within organisations and where it needs to sit. As Security Consultants we know this to be true, and we are also aware that other disciplines, facilities management (FM) for instance, have had a similar battle to get a voice in the boardroom. Given the interconnected nature of so many business areas, joining the dots and having top-down policy and behaviour has never been more important.

Milky Way and our Solar System – image Ecology.com

As we are talking about Information Security (IS), let’s put it in perspective. IT security is the vital technical security of IT: firewalls, encryption, password policy, patches and so on. How an organisation behaves with regard to the security of its information is a much larger area. (If the organisation’s use of information were the Milky Way, IT might be our solar system; see picture.) The rest of the organisation uses information in a myriad of ways, not always electronically and not always on a device (at least not one that IT is aware of), and the rest of the organisation may be vast, so the potential for compromised information is hugely increased. Especially if everyone thinks that “IT do security….”

IT departments traditionally do not have a formal, business-wide risk assessment mechanism. Risk is something the whole business faces, not simply the systems in IT, important as they may be.

An organisation’s IS needs to be aligned to its Risk Appetite – but if accountability for it is placed in IT then realising this will be challenging.

Business solutions are not always technical or IT based. At the end of the day the users are people, and people make mistakes or behave in questionable ways. Around 80% of data breaches are generally attributed to human error or malice. Technology cannot mitigate all of that risk; you also need policy, procedure and education on these concepts throughout your organisation. Hopefully you can now see why we are moving out of the realm of IT and into the realm of business-centric solutions that cut across silos rather than reinforce them.

“Place your bets! Place your bets!”

Risk is a part of business: without risk there is no innovation, and nothing can exist for long in a vacuum. It is therefore vital to know how far you can push something before it becomes too great a risk, not at an instinctive level but at a tried, tested and accepted level that comes from the boardroom via regular review. So understanding your organisation’s risk appetite and tolerance is vital. Aligning your IS policy and procedure to that appetite seems logical, if not essential, yet 62% of organisations surveyed did not align IS to Risk Appetite.

How then can an organisation securely implement something like Bring Your Own Device (BYOD)? On the surface it sounds like an IT project, which means it will not be aligned to Risk Appetite: the risk attached to allowing employees to use their own devices, which may mean access to corporate networks and drives and to sensitive information, has not been assessed in terms of the business’s overall appetite. A rogue app (and we hear about these every week), for instance, could be harvesting data from the device on a regular basis without the user being aware. Previously it was the user’s own data alone that was compromised; with BYOD the scope of data at risk increases vastly, as the organisation’s information assets open up to that user and their device.

InfoSecurity – share the love

The Ernst & Young survey highlighted the need to bring Information Security into the boardroom. Perhaps asking who owns, or who is accountable for, the information risk is where to start. According to the survey, only 5% have Information Security reporting to the Chief Risk Officer, the person most responsible for managing the organisation’s risk profile. Placing responsibility within IT can cause ineffective assessment and alignment, not only with Risk but with business priorities.

If 70% of respondents state that their organisation’s IS function only partially meets organisational needs, it becomes clear that this is a ship that has set sail without a map. IS needs C-level direction and input; it needs the support of the board, to be implemented and understood top-down, and to start making a positive impact on business growth by enabling it to happen securely, with threat and risk awareness, accountability and mitigation.

It was initially encouraging to read that almost 40% of organisations planned to spend more on IS over the next 12 months. But on reflection, if this spend is going to be directed mainly by IT departments, unaligned to Risk, unconnected to the board and occupying, relative to the organisation’s use of information, the space our solar system occupies in the Milky Way, it is doubtful that the dissatisfied 70% of organisations who feel IS is not currently meeting their needs will shrink. What is concerning is that this could end up looking like wasted spend on security, when in fact it is merely unwise or undirected spend. The upshot could be that, through a lack of board-level understanding, future spend has a line run through it instead of under it.


All data sourced from Ernst & Young Global Information Security Survey 2012, all visual representation copyright of Advent IM and not to be reproduced without express permission.

Our School Security Service has won an award!

We are delighted to announce that our School Security service is now an award winning service. Thank you very much to the judges at Tomorrow’s FM.

For those unfamiliar with this one-day health check, it provides assurance and guidance on Information Security, Data Protection and the physical security of data in schools, academies, colleges and similar institutions.

We are delighted to have our expertise and experience in this field recognised and we look forward to helping many more schools reassure their key stakeholders that they have Information Security very much under control. You can find out more here.