Category Archives: information security

When is a hack all-white?

From Chris Cope – Advent IM Security Consultant

hacker_d70focus_1What’s the difference between a ‘white hat’ security researcher and a hacker?  As a general rule of thumb, if  someone discovers a vulnerability on your system and informs you (without undertaking any unauthorised or unlawful activity in the process) then a ‘thank you’ is generally considered to be in order.  There are numerous ‘white hat’ researchers who trawl software and internet sites, detecting vulnerabilities and alerting the appropriate owners or developers.  Many companies have benefited from a quiet advisory and it’s reasonable to suggest that without ‘white hats’, the policy of releasing software and patching later, adopted by many vendors, would be severely undermined.

advent IM data protection blog

oops there goes the sensitive data

So why is a white hat researcher, Chris Vickery to be precise, in the news?  Mr Vickery discovered a database on a website.  The website belongs to a company called uKnowKids, this provides a parental monitoring service for your technology savvy children.  The database contained an array of information that the company did not want to be made public, including in the words of the BBC ‘detailed child profiles’.  However, the company claims that the information was not personal data and no customer information was at risk.  Mr Vickery was able to access the data base and take screenshots, which were sent to the company as proof of the vulnerability.  However, rather than thank him, the company accused Mr Vickery of risking their continued viability and claimed that his access was unauthorised.  By Mr Vickery’s account, the database was in a publicly accessible area and had no access controls in place.

Since the notification, uKnowKids has patched the vulnerability.

So what can we take from this?  UKnowKids obviously intended for the database to remain private.  Under UK law, Intellectual Property rights provide protection for confidential information, but there is one pretty fundamental requirement – the information needs to be protected.  Placing a database on a publically accessible internet page, without protection is, however, akin to leaving a sensitive file in paper format on a train.  Organisations shouldn’t be surprised if information left in such a public and insecure state is read by unintended third parties. 

Before protecting information, an organisation needs to understand what information it holds, and what needs protecting.  Once that is established, there are a variety of means that can be used to protect it; physical controls on physical copies, labelling of information, educating staff so they understand the required handling measures and routine audits all form part of the basic protections required for all types of information.  For electronic information, then one needs to consider technical measures such as access controls and encryption.  When a database, containing sensitive information, must be placed in an area where it is accessible from outside the organisation, then access to it must be very carefully controlled.

iStock_000014878772MediumIn this instance, the reputation of a company, which holds intelligence on children, could have been seriously undermined if a hostile breach had occurred, even without the loss of personal information.  If personal information was lost, then the financial implications could have been severe; increasingly so as new EU legislation on data protection comes into effect.  So make sure that you fully understand your assets (including information) and what level of protection they require and, when designing controls, its important to ensure that the full range of counter measures, including physical, personnel, procedural and technical, are considered, properly implemented and integrated.  And if you do come across a publicly spirited individual who warns you of a potential breach in your security, remember to say ‘thank you’.

Advertisements

Security and Policing Event 2016

s and p 2016This Home Office event will soon be upon us (March 8-10) and we just wanted to let you know you will be able to find us on stand Z20 in the Cyber Zone. You can find details of this event here.

Mike Gillespie will also be presenting in the Cyber

Mike Gillespie_headshot

Advent IM,  Managing Director, Mike Gillespie

Briefing Zone on the 9th on the subject of the cyber security of  Industrial Control Systems.

Come along and meet Mike and Gareth and enjoy some great presentations, content, updates and a bit of a chat.

Some top security tips that ALL employees can use

When it comes to security, one thing is clear, people occasionally do daft things with computers and devices, and they frequently do these daft things at work. They occasionally do malicious things too but it’s mostly just daft. So we can train our employees (including managers and directors) in our procedures and policies and enforce them. In fact, spending as much time thinking about the best way to train different teams is never time wasted because it gives you the chance to use their language and create something nuanced that will make a genuine difference, which is, after all, the whole point of doing it.

Looking at some of the data that came out of Vormetric’s Insider Threat report, in actual fact, those privileged users are still posing a security headache to many of the respondents. They may be System Admins or senior colleagues who are simply not restricted or monitored in the way other employees are…these are the ones who can access very sensitive or valuable information and so need to be even more hyper-vigilant in their behaviour. But let’s face it, one phishing email clicked and payload of malware downloaded is all it takes and that could be done by an MD or a temp.

I asked the team here at Advent IM to come up with some practical tips that all employees can use, regardless of their role,  to help protect their organisations and enhance their understanding of the vital role they play in securing assets.

  • That email telling you there’s a juicy tax rebate waiting for you but it needs to be claimed immediately, hasn’t come from the Government. It’s  a phishing email. Clicking that link will allow malware to be installed and all your personal information to be stolen. Do not click on links in emails you are not expecting and if in any doubt refer to your security manager.
  • Never set your smartphone to allow download and installation of apps from sources other than an approved store. Changing this setting can allow malware to be installed without your knowledge and could result in you being a ransom ware victim.
  • Always report security breaches immediately to your line manager to facilitate any counter compromise action to be undertaken as deemed necessary. If the organisation isn’t aware of it, the event could worsen or spread. Containment and control is vital as quickly as possible.
  • Archive old emails and clear your deleted & sent folders regularly as a clean and tidy mailbox is a healthy mailbox.
  • Never discuss work topics on social media as your comments may come back and bite you!! You could also be compromising your employers and colleagues security and increasing the likelihood or the ease of an attack.
  • Don’t worry about challenging people you do not know who are not wearing ID or visitor badges. It may seem impolite but Social Engineers use inherent politeness to their advantage and can then move round a site, potentially unchallenged.
  • Don’t allow colleagues to use your login credentials, this goes double for temps and contractors. Think of it like lending your fingerprints or DNA to someone, would you do that so easily? Any activity on your login will be attributed to you…
  • Do you really need to take your work device to the pub with you? More than a quarter of people admit to having lost (or had stolen) up to 3 work devices and more than half of them were lost in a pub!
  • Don’t send sensitive documents to your personal email address. If there is a security measure in place, it is there for a reason..
  • Don’t pop any old USB into your PC. Nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and potentially, that of their employer. It could have anything on it! exercise caution.

Some of the findings on Insider Threat from the Vormetric 2015 survey…

2015 Vormetric data Insider Trheat v0.4

Cyber Everything & PCI DSS – The Forgotten Standard?

Senior Security Consultant for Advent IM and PCI-DSS expert,  Mark Jones gives us his thoughts on the current awareness of this important payment industry standard.

In the current information security climate where everything has ‘cyber’ prefixing the topic e.g. cybersecurity, cyber risk, cyber threats and the list goes on, is it possible organisations have forgotten about existing and very important ‘cyber-related’ standards such as the Payment Card Industry’s Data Security Standard (PCI DSS)?

MC900441317

As more and more business is done online in our ‘new’ cyber world – 2015 Online Retail Sales £52 Billion up 16.7% from £45 Billion in 2014 – payment cardholder (CHD) account data security is more important than ever. This includes the need for assured authentication, confidentiality and integrity of payment cardholder information as traditionally granted by the Secure Sockets Layer (SSL) protocol over HTTPS padlocked browser sessions in the past 20 years. In 2014, the US National Institute of Standards and Technology (NIST) determined that SSL and indeed early versions of SSL’s successor, the Transport Layer Security (TLS v1.0) protocol (also referred to as SSL), were found to have serious vulnerabilities with recent high-profile breaches POODLE, Heartbleed and Freak due to weaknesses found within these protocols.

iStock_000015534900XSmallSo, if you are an entity that that stores, transmits or processes Cardholder Data (CHD), specifically the 16 (can be up to 19) digit Primary Account Number (PAN), then you should seek to comply with the latest version v3.1 of the PCI DSS. This version was released in April 2015 by the PCI Security Standards Council (SSC) that removed SSL as an example of strong cryptography and that can no longer be used as a security control after 30 June 2016. However, the migration from SSL and early TLS to TLS v1.1 and 1.2 has caused issues for some organisations hence the SSC update in December 2015[1] that the deadline had been extended for 2 years, with a new end date of 30 June 2018 for existing compliant merchants. However, SSC is at pains to emphasise that this delay is not an extension to hold off migrating to a more secure encryption protocol (as defined by NIST) and entities that can update should do so as soon as possible.

If the entity is an Acquirer (typically the merchant’s bank), Payment Processor, Gateway or Service Provider, then they MUST provide TLS v1.1 or greater as a service offering by June 2016. Additionally, if it is a new PCI DSS implementation (i.e. when there is no existing dependency on the use of vulnerable protocols) then they must be enabled with TLS v1.1 or greater – TLS v1.2 is recommended.

As you can see, PCI DSS can play a significant part in any cyber security programme providing the entity in question is compliant with the latest version 3.1. If you have yet to start, or are part way through a PCI DSS implementation project, what can and should you do NOW? We recommend the following 3 actions:

  • Migrate to a minimum of TLS v1.1, preferably v1.2;
  • Patch TLS software against implementation vulnerabilities; and
  • Configure TLS securely.

If you need any further help and guidance with PCI DSS, please contact Advent IM…

[1] http://blog.pcisecuritystandards.org/pci-changes-date-for-migrating-from-ssl-and-early-tls

Incident Management – an explanation and example

Advent IM Security Consultant, Del Brazil, offers some guidance on best practice in Incident Management.

Incident Management is defined by the Information Technology Infrastructure Library (ITIL) is ‘To restore normal service operation as quickly as possible and minimise the impact on business operations, thus ensuring that agreed levels of service are maintained.’  Although this definition is very much aligned to the service delivery element of IT, organisations should translate it to all areas of the organisation to form the basis of any incident management strategy.

Any Incident Management process should include:-

Incident detection and recording – Ensuring that sufficient and appropriate means of both detecting and reporting of incidents is critical, as failure to report incidents can have a serious impact upon an organisation.  There maybe a legal requirement for incidents to be reported such as incidents associated with the loss of personal data or security breaches related to protectively marked information, although not applicable to every organisation.  Ensuring that an incident is correctly reported will facilitate the correct actions are taken in line with the incident management plan and thus ensure the correct allocation of resources.

An example maybe that an individual receives an email from an untrusted source and without realising any inherent risk, opens an attachment, which in turn causes their terminal to become unresponsive.  The individual contacts the IT department in the first instance in order to initiate some form of containment measures, whilst also documenting down how the incident occurred.

Classification and initial support – There are various levels of severity associated with different types of incident and ensuring that they are correctly classified will mean that the appropriate resources or emergency services are tasked accordingly.  These levels of severity range from low impact/minor incident requiring a limited number and type of resources, through to a major incident, which has the potential to impact on the whole organisation and requires a substantial amount of resources to manage or recover from.  In the early stages of any incident the support provided by a designated incident response team is vital as their initial actions can have potentially massive implications on the organisations ability to resume normal operations.

Following on from the previous example the incident may be classified as a low priority at this stage as only one terminal/user has been affected.  The IT department may have tasked a limited number of resources in tracking down the suspicious email on the mail server and then taken the appropriate quarantining and/or deleting procedures.

Investigation and diagnosis – Further and ongoing investigations into the incident may identify trends or patterns that could further impact on the organisation, once normal operations have been resumed.

Keeping in mind the example previously discussed, should the initial findings of the IT department reveal that the email has been received by a large number of users, then further impact analysis should be undertaken to establish the impact or effect on services before any additional resources are dedicated to resolving the issue.  This further investigation requires an organisation-wide broadcast, highlighting the incident and what actions should be taken in the event that users received suspicious emails or attachments.

Resolution and recovery – Ensuring that the correct rectification method is deployed is paramount, as no two incidents are the same and as such any incident management plan should have a degree of flexibility to accommodate potential variations.

Using our example scenario, the correct rectification solution in this instance would be to purge the mail server of any copies of the suspicious email and then to execute the scanning of the mail server with an anti-virus and/or anti-spam product.  Consideration should be given as to whether to take the mail server off line to perform the relevant scans, however any potential down time may impact on the output of the organisation.  In the event that the mail server is taken off line, it is imperative that communication is maintained with all staff, contractors, customers and third party suppliers etc.

Incident closure – The closure of an incident should be clearly communicated to all parties involved in managing or effecting rectification processes as should a statement stating ‘Business has resumed to normal’ to clearly indicate to all concerned that normal operations can continue.

In our example , it’s essential that all persons involved or impacted by the incident are informed accordingly which formally closes the incident.  This also reassures any interested parties that normal service has been resumed thus preventing any additional business continuity plan being invoked.

Incident ownership, monitoring, tracking and communication – An Incident Manager/Controller should take clear ownership of any incident so that all relevant information is communicated in an effective way to facilitate informed decisions to be made along with the correct allocation of resources.

As always, good communication is vital not only with staff, emergency services and the press but also with key suppliers and customers, as these may have to invoke their own business continuity plans as a result of the incident.  Business continuity plans ensure critical outputs are maintained but the invoking of a plan comes at a cost, whether it be financial or an impact to operational outputs.  It is therefore imperative that once an incident has been deemed formally closed then key suppliers and customers should be informed accordingly, this will  enable them to also return to normal operations.  Post incident analysis or ‘Lessons learnt’ meetings should be held after any incident to highlight any weaknesses or failings so that rectification measures can be introduced accordingly.  Likewise, should there be any good practices or solutions highlighted during the incident, then these should also be captured as they may be used in other areas of the organisation.

Now our example has been correctly identified, treated and business has returned to normal it is imperative that an incident ‘wash up’ meeting takes place to clearly identify those areas for improvement and those that performed well.  The correct allocation of resources during the initial stages of the incident to address what was deemed to be initially a minor incident, resulted minimal impact to not only business outputs, but also to customers or third party suppliers.  The findings of the ‘wash up ‘ meeting should be correctly recorded and analysed for any trends or patterns that may indicate a weakness in security.  In this instance the mail server’s spam filters may have been incorrectly configured or not updated resulting in a vulnerability being exploited.

Any incident management plan should be suitably tested and its effectiveness evaluated with any updates/amendments implemented accordingly.  It would be prudent to exercise any incident management plan annually or when there is a change in the key functions of the organisation.  It is also additionally recommended that all users are reminded of how to report incidents during any annual security awareness education  or training.

As organisations become ever increasingly reliant on internet and IT services, it is imperative that an effective, appropriate and fully tested, Incident Management Procedure is embedded within the organisation.  Failure to ensure this may result in an organisation struggling to deal with or recover from any kind of security incident.

The cyber-buck stops in the boardroom…

Advent IM Security Consultant, Del Brazil gives us his view of some of the comments and take-outs that ALL boards need to be aware of, following Dido Harding’s appearance before a parliamentary committee on the TalkTalk Breach.

The TalkTalk security breach continues to roll on with the TalkTalk CEO Dido Harding telling a parliamentary committee on 23.12.15 that she was responsible for security when the telecoms firm was hacked in October. Although there was indeed a dedicated security team in place within TalkTalk it is unrealistic to place the blame solely at the feet of the security team as security is a responsibility of the whole organisation.  It is fair to assume that in the event of an security related issue, as in this case, one person must take overall responsibility and be held to account for the potential lack of technical, procedural measure that may have prevented the breach occurring.

It is a fair assumption to make that in the event that the security breach can be attributed to a single individual then that is an internal disciplinary matter for TalkTalk to resolve unless there is a clear criminal intent associated with the individual concerned.

It is worth noting that although every effort maybe taken to implement the latest security techniques or measures that there is always the possibility that a hacker, like minded criminal organisation or even a disgruntled member of staff may find a way through or around them.

As long as an organisation can demonstrate that they have taken a positive approach to security and considered a number of possible attacks and taken steps to mitigate any potential attack, this may satisfy the ICO that the one of the key principles of the DPA has been considered.

Organisations should always consider reviewing their security measures and practices on a regular basis to ensure that they are best suited to the ever changing threat.  It is appreciated that no one organisation will ever be safe or un-hackable but as long as they conduct annual threat assessments and consider these threats in a clear documented risk assessment they can sleep at night knowing that they have taken all necessary steps to defeat, deter and/or detect any potential attack.

advent IM data protection blog

The TalkTalk security breach has highlighted a number of failings, in the opinion of the author and although they are deemed to be of a serious nature praise should go to the TalkTalk team for being open, honest and up front from the onset.  This has resulted in quite a lot of bad press from which TalkTalk are still feeling the effects from; although some people say that ‘all publicity is good publicity.’  It is clear that TalkTalk are taking the security breach very seriously and are fully engaged with the relevant investigation bodies whilst making every effort to bolster their current security posture.

It is very easy for board members to assume to the role of Director of Security without fully understanding the role or having any degree of training or background knowledge.  Any organisation should ensure that it employs or appoints staff with the correct level of knowledge and experience to specific posts thus facilitating the ‘best person for the best role’ approach.  Currently security, but more specifically IT Security, is seen as a secondary role that can be managed by a senior person from any area within an organisation; however it is finally becoming more apparent to organisations that the IT Security role warrants its own position within the organisational structure of the organisation. Pin Image courtesy of Master isolated images at FreeDigitalPhotos.net

In the author’s opinion it is the organisations that have yet to report security breaches that are more of a concern as no one knows what level of security is in place within these organisations.  It’s not that the author is skeptical that there is an insufficient amount of security in place within these organisations but the fact that they do not report or publicise any cyber security related incidents that is of concern.  No one organisation is that secure that a breach of cyber security or at least a cyber related security incident doesn’t occur.  It’s far better for organisations to highlight or publish any attempted or successful attacks to not only assist other organisations in defeating or detecting attacks but it also shows a degree of transparency to their customers.

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015