Category Archives: social engineering

Some top security tips that ALL employees can use

When it comes to security, one thing is clear, people occasionally do daft things with computers and devices, and they frequently do these daft things at work. They occasionally do malicious things too but it’s mostly just daft. So we can train our employees (including managers and directors) in our procedures and policies and enforce them. In fact, spending as much time thinking about the best way to train different teams is never time wasted because it gives you the chance to use their language and create something nuanced that will make a genuine difference, which is, after all, the whole point of doing it.

Looking at some of the data that came out of Vormetric’s Insider Threat report, in actual fact, those privileged users are still posing a security headache to many of the respondents. They may be System Admins or senior colleagues who are simply not restricted or monitored in the way other employees are…these are the ones who can access very sensitive or valuable information and so need to be even more hyper-vigilant in their behaviour. But let’s face it, one phishing email clicked and payload of malware downloaded is all it takes and that could be done by an MD or a temp.

I asked the team here at Advent IM to come up with some practical tips that all employees can use, regardless of their role,  to help protect their organisations and enhance their understanding of the vital role they play in securing assets.

  • That email telling you there’s a juicy tax rebate waiting for you but it needs to be claimed immediately, hasn’t come from the Government. It’s  a phishing email. Clicking that link will allow malware to be installed and all your personal information to be stolen. Do not click on links in emails you are not expecting and if in any doubt refer to your security manager.
  • Never set your smartphone to allow download and installation of apps from sources other than an approved store. Changing this setting can allow malware to be installed without your knowledge and could result in you being a ransom ware victim.
  • Always report security breaches immediately to your line manager to facilitate any counter compromise action to be undertaken as deemed necessary. If the organisation isn’t aware of it, the event could worsen or spread. Containment and control is vital as quickly as possible.
  • Archive old emails and clear your deleted & sent folders regularly as a clean and tidy mailbox is a healthy mailbox.
  • Never discuss work topics on social media as your comments may come back and bite you!! You could also be compromising your employers and colleagues security and increasing the likelihood or the ease of an attack.
  • Don’t worry about challenging people you do not know who are not wearing ID or visitor badges. It may seem impolite but Social Engineers use inherent politeness to their advantage and can then move round a site, potentially unchallenged.
  • Don’t allow colleagues to use your login credentials, this goes double for temps and contractors. Think of it like lending your fingerprints or DNA to someone, would you do that so easily? Any activity on your login will be attributed to you…
  • Do you really need to take your work device to the pub with you? More than a quarter of people admit to having lost (or had stolen) up to 3 work devices and more than half of them were lost in a pub!
  • Don’t send sensitive documents to your personal email address. If there is a security measure in place, it is there for a reason..
  • Don’t pop any old USB into your PC. Nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and potentially, that of their employer. It could have anything on it! exercise caution.

Some of the findings on Insider Threat from the Vormetric 2015 survey…

2015 Vormetric data Insider Trheat v0.4

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM Staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how  the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net

Vlado at FreeDigitalPhotos.net

 

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsular coupled with additional attacks from the orient- this will bring a chill to the spines of organisations.  These attacks are likely to be followed by sweeping phishing scams from the African continent.  There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation that the threat from insiders is on the rise. In summary it’s going to be a mixed bag of events for a number of wide ranging organisations. However on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same.  Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people.  I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees.  I also predict a significant challenge for many organisation which hold personal data.  The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens.  With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioners Office (ICO).  Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited.  This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media, and Marcomms Manager – I predict the growth of ransomware  in business.  Ransomware, is mainly (though not exclusively) spread by phishing and given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites and so businesses that do not have, or enforce a policy or exercise restrictions in this area, will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

 

 

Mike Gillespie_headshot

 

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breach in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

What is TOR ?

An opinion piece post from Advent IM Consultant, Del Brazil

TOR is a service that is freely downloadable that assists in providing anonymity or improves privacy for users who wish to keep, among other things, their internet location secure.  In essence it provides a defensive mechanism against traffic analysis, network surveillance and assists in protecting confidential business activities, relationships and potentially assists in maintain security.  It can also be used to circumnavigate certain country restrictions such as the ‘Great Firewall of China.’

TOR operates by operating through a series of virtual tunnels or a system of TOR relays (other TOR users) which facilitates the use of the TOR network.  In essence the more TOR relays (users) the faster, the more secure and more robust the TOR network is.  TOR relays (users) can be either Middle Relays, Exit Relays or Bridges each with a distinctive role to play in the TOR Network.  A Middle Relay allows internet traffic to be passed onto the next relay whilst the Exit Relay is the final relay before any internet traffic reaches its destination.  A user operating as a Middle Relay will have their IP Address masked and hence be hidden to the rest of the internet but visible to the TOR Network.  Any user/organisation conducting illegal or objectionable activities whilst operating as an Exit Relay may be answerable to policing agencies, complaints or copyright infringement notices etc.    TOR Bridges are vital TOR relays that enable users to circumnavigate censorship software deployed by various countries to ensure that information is freely available or distributed to all persons.

It was developed by the US Department of Defense and is still currently used today by the US Navy for open source intelligence gathering whilst some Journalists use it to contact whistle blowers.  A few organisations use TOR to allow their workers to connect to their home website while they’re in a foreign country, without notifying everybody nearby that they’re working with that organisation. For example if you’re travelling abroad and you connect to your employer’s computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted.  Some TOR users, such as research development engineers, journalists and seekers of democracy are clear that their use of TOR is for legitimate purposes; however it is clear that criminals are frequently using TOR to conduct illegal activities.  There are concerns from various organisations that TOR assists the criminal underworld in conducting illegal activities whilst remaining near enough un-discoverable such as drugs, person or arms trafficking, child abuse or identity theft; That said there has been a few high profile convictions of persons conducting illegal activities whilst using TOR, this includes the Silk Road investigation which resulted in the hidden underground illegal-drugs website being shut down in October 2013.

It has been reported that in the USA the NSA have attempted to target TOR users through cyber-attacks aimed at security weaknesses within various internet browsers.  These targeted attacks only go to reinforce the necessity to ensure that security measures are developed with browsers, applications, operating systems, software and hardware and are also updated on a regular basis.

There are a few security experts that have highlighted TOR as being the first step in attempting to remain secure against cyber-attacks; however as attacks methods and frequency increase, the likelihood of TOR remaining secure are rapidly diminishing.  This will not deter some elements of the internet community from utilising TOR as they strive to remain anonymous whilst corporate and government surveillance increases.

Is there a future for TOR in the corporate or even the government sector within the UK?  In the author’s opinion TOR is unlikely to be used in its current form as potentially throws up a multitude of questions as to why persons or organisations feel the need to conduct business behind ‘closed doors’.  In this age of where transparency and honesty go hand in hand the use of TOR may invoke a distrusting attitude which can harm business opportunities despite the legitimate use of TOR.  TOR does have its uses and in certain circumstances can assist with maintaining confidentiality whilst ensuring that the freedom of speech is maintained.  It is, as always, a fine balance between promoting a business whilst also protecting it as even though using of TOR is not illegal it may, if disclosed or later discovered deter businesses or organisations from interacting with each other.

Social Engineering – Still the best attacker exploit – guest post from Dale Penn, Advent IM Security Consultant

Another great post from one of our consultants, this time from Dale Penn on the topic of Social Engineering.

Introduction

Social engineering is still the most prolific and successful method of hacking. It is a non-technical attack that relies on a user being tricked or coerced into some form of action which presents the attacker with a window of exploitation and can bypass even the most robust of technical controls. It is much easier to coerce a member of staff into providing information than is to mount a technical attack on a web application or network connection.

It is important to note that the threats from Social engineering tactics are almost always under rated by enterprise organisations even though they form an integral part of most modern day attacks. The reason behind this is that there currently exists a trend within enterprise organisations to fixate on the technical solutions to information security threats and neglect the human element.

Any organisation that wants to protect its information assets must be aware of the current Social Engineering threats.

The top 3 Social Engineering Methodologies

phishingPhishing – This is the practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information. A Phishing email will usually contain a link which will redirect the user to a false webpage where they are asked to provide personal information such as usernames and passwords. Once entered this information is captured and ready for use by the hacker. Gone are the days were Phishing emails will contain poor grammar and spelling and were easy to pick out. Modern day Phishing emails are professionally created and very convincing.

 

Vishing – This is the practice oAdvent IM Social Engineering securityf eliciting information or attempting to influence action via the telephone, may include such tools as “phone spoofing.”  A common attack method is to call a user within an organisation and pretend to be the IT Helpdesk. From there the attacker will coerce the user into “confirming” their user name and password

Advent IM social engineering expert

We all want to help – naturally. We also want to make the shouting stop…

Pretexting – This is the practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system. This is where where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity. More advanced attacks will also try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organisation or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting them into the building.

Advent IM HMG accreditation concepts training

Counter Measures

  1. Education, Education, Education – All users should be appropriately trained to recognise these methods of attack. The work force should adopt a culture of healthy scepticism when approached for sensitive information and not take things at face value.
  2. Develop policies and procedure to identify and handle sensitive information so staff will know what is sensitive to the organisation and what they can and can’t do with it.
  3. Introduce appropriate technical defences which limit the methods of these attacks (i.e. block inbound emails with active links)
  4. Review your security controls regularly to ensure they are still appropriate.

SMEs and Security or How SMEs can impact UK PLC Security (image)

BIS visual v2.0

Hacking Pacemakers, Traffic Systems and Drones – Cyber and Physical Worlds Collide

The Telegraph today ran a piece on a subject close to our hearts here at Advent IM, namely the cyber threat to our physical world. You can read it here

Regular readers will know we have expressed concern before that language can create barriers or false realities that can leave vulnerabilities and the prevalence of the use of the word ‘cyber’ is a good example of this. Cyber to most people conjures up the ethereal world of the hacker – that strange and dangerous electronic hinterland that few really grasp. Of course, this is dangerously inaccurate as many systems that control our physical world are networked and can therefore be hacked.

The late Barnaby Jack showed the world how he could hack into an insulin delivery system in a patient to effectively overdose that patient, he also managed to hack into an ATM system which then dispensed cash like a waterfall. The two worlds are converging quicker than our security awareness is growing.

Bringing the threat to our critical national infrastructure to the attention of the public at large is in one way unnerving but also very necessary.

Please have a look at our presentation on the topic, you will need sound…

Advent IM, Cyber Threat to Built Estate

Presentation with voice over from Mike Gillespie