We are moving!

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Well, only this blog….

We have decided to move our security blog onto our newly re-designed website.

There will still be regular comment, support and opinion of course… it will just sit alongside industry news and our latest events and content.

All you need to do is click here and don’t forget to update your bookmarks.

Webinar – Outsource Magazine – March 16th

We want to wish Outsource Magazine good luck as they relaunch their webinar program, Time to Talk Talks.

This is the program in the words of the Editor, Jamie Liddell…

Each month (the third Wednesday of every month, to be specific) I’ll be sitting down with four or five luminaries from different corners of the community, to discuss what’s hot (and what’s not) for them in a series of short one-on-one interviews, before throwing the panel to the mercy of the audience for some general Q&A in the second half of the show.

We are also delighted that one of the luminaries on the launch webinar will be our very own Mike Gillespie. Don’t forget to email questions in ahead of the event and sign up via the link…

http://outsourcemag.com/time-to-talk-talks/

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

In February, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched a whitepaper on CCTV in schools, and we discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection.

In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!). Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014, suddenly shot back up the blog statistics as people explored some of our older posts.

In April, law firms were in the sights of the ICO and we blogged about it, and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website.

In May, ransomware was on everyone’s radar, including ours. A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and common sense reveals the huge commercial benefits.

In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no-nonsense post explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking about Attack Trees. A post that was also very well read came from Julia McCarron, who discussed the risk in continuing to run Windows XP.

In July, Social Engineering was a key topic and one of our blog posts was very well visited: The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote, with clarity, about hacking Planes, Trains and Automobiles, as well as the coverage this kind of hacking was receiving.

In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives, and a guest post from Malcolm Charnock got hoisted back into the charts.

In September, TOR was in the press, sometimes as a hero but usually as a villain… well, perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read, but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach. Marks and Spencer was discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

In November, the Bank of England expressed some firm opinion on cyber security requirements in the financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defence material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbour and EU DP Regulations were also extensively read in November.

And finally, December… Well, the Advent Advent Calendar has been a festive fixture for three years now, so we had to make sure it was included, and it has, as always, been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally, TalkTalk popped up in the news and in conversation again, as it emerged that police had advised the firm not to discuss their breach.

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net
Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsula, coupled with additional attacks from the Orient; this will bring a chill to the spines of organisations. These attacks are likely to be followed by sweeping phishing scams from the African continent. There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever-increasing cold chill developing within organisations as the realisation dawns that the threat from insiders is on the rise. In summary, it’s going to be a mixed bag of events for a number of wide-ranging organisations. However, on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high-profile information security breaches, then expect 2016 to be more of the same. Attackers are getting cleverer at exploiting weaknesses, most notably those presented by people. I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees. I also predict a significant challenge for many organisations which hold personal data. The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens. With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioner’s Office (ICO). Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited. This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media and Marcomms Manager – I predict the growth of ransomware in business. Ransomware is mainly (though not exclusively) spread by phishing, and given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites, and so businesses that do not have, or enforce, a policy or exercise restrictions in this area will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breaches in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons, highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and, looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

“Five Eyes” intelligence document leak – Australian Defence bureaucrat off to jail

This week saw the news that a junior bureaucrat from the Australian Department of Defence has been jailed for one year, following his guilty plea in the ACT Supreme Court to posting a secret Defence Intelligence Organisation report to an online forum. Julia McCarron gives her take on this quite staggering series of events.

Not a ‘Gooday’ for the Canberra APS

Well, this is a strange one for sure. So, Michael Scerba, a former junior Defence bureaucrat, has been jailed in Australia for uploading secret information online. He downloaded a 15-page document from a secret Defence Intelligence report, burnt it to disk, took it home and posted the first two pages on an online forum. The post was viewed and commented on by a dozen people and re-posted, but disappeared an hour after its original post.

This is bad on so many levels …

When they say he was a junior bureaucrat, he was actually a 21-year-old Department of Defence (DoD) graduate … with only 8 months on the job behind him and a secret (negative vetting level one) clearance … and apparently “his mental health had impaired his judgement”. I accept that the article does not expand on these mental health issues or when these issues occurred, and I am in no way implying that mental health of any kind should be a barrier to employment, as I do not believe it should in general. However, we are talking about a position in National security here with access to secret information, so I am assuming his issues occurred pre-employment. So, first question: Why was a 21-year-old graduate with mental health issues given a level of clearance high enough to enable access to, and the capability to download, information relating to National security?

Something has to have gone wrong with the vetting process and/or the employment process where access rights and privileges are determined and applied. If he had underlying mental health issues, surely these should have been detected prior to his employment or during the induction process. I would presume DoD staff have to go through stringent mental stability checks for security clearance purposes to minimise the risk of coercion or subversion? This seeming lack of procedure demonstrates the importance of a robust vetting process, particularly in a role so critical to the security of the nation. It also demonstrates the need to ensure privileges are granted relevant to the job role and on a ‘need to know’ basis. Did he really need access to information that revealed the identity of intelligence sources, gathering methods and classified aspects of strategic partnerships between Australia and other countries?

It also opens up the question of removable media access and control in sensitive areas. Second question: Did he really need to be granted the ability to burn information to disk or USB at the level he was working at? Are there not search facilities at access points à la ‘Spooks’ that detect unauthorised media? I would have thought again that some sort of policy would have existed that meant staff were only allowed use of authorised removable media and that no media was allowed to be removed from the premises?

And finally, the claim by the Judge that, “Scerba had not intended to compromise national security, although he knew the disclosure could cause harm”. I find this claim quite astonishing. So he’s employed in a DoD job, with access to information pertinent to National security and he didn’t know the disclosure could cause harm or compromise National security? Really? Question 3: What kind of induction training was the DoD providing? I can’t believe they do not put employees through extensive security training highlighting how to handle data at various classification levels, the importance of data classification and handling and the consequences of failing to comply with policy. If they don’t then some serious questions need to be asked!

I think I’m with retired Lieutenant General Peter Leahy on this one though; jail time was definitely required for this serious National security data breach. But 12 months with only 3 served does not send out a good message to others employed by the DoD who, like Scerba, believe Julian Assange is their hero. This could just be the beginning unless changes to process are tightened up.

Post comment based on an online article in the Canberra Times dated 5th November 2015.

This isn’t just poor security… a post on the M&S security incident from Julia McCarron


Advent IM Director, Julia McCarron has turned her eye to the M&S security breach…

Well as our Marcomms Manager, Ellie superbly put it, “This isn’t just poor security, this is M&S poor security”.

The brand synonymous with quality has let the side down following what it claims was an internal system glitch that caused M&S online account users a bit of a surprise. They logged on only to find their account wasn’t theirs.

Following a number of complaints, M&S were quick to take the site off-line and the problem was resolved in 2 ½ hours, but not before 800 people’s personal details including names, dates of birth, contact details and previous order histories were exposed. Thankfully, financial details do not seem to have been breached.

So M&S can expect a knock on the door from the ICO. Commenting on the M&S incident, Phil Barnett, VP Global at Good Technology, said that many companies are flying blind when it comes to security, because they don’t think it affects them. In this day and age, when cyber security incidents seem to happen every 5 minutes, companies are becoming more aware of the risks and the need for good security controls and practices. I would sincerely hope that companies such as M&S would be acutely aware of the perils. As Mr Barnett points out, “Data is a company’s biggest asset, and as mobility becomes more ingrained across every enterprise, security must become a higher priority”.

So I guess M&S need to ask themselves why this happened. I cannot comment specifically as to the root cause of this particular incident, but often the reason is that ICT systems change management processes are either not in existence, not robust enough and/or do not consider the ramifications to security when updates, upgrades, code changes etc… are made. Security must be a key consideration and testing should be carried out before the change is made live, especially on personal-data-critical systems such as these. In addition, regular penetration testing, both external and internal to the system, is a must, especially when a major system change is made. Today’s technical vulnerabilities are evolving hourly, but these simple actions can be the difference between being a successful big brand today and share prices falling through the floor tomorrow #talktalk #justsaying.

However, I will concede that smaller businesses often don’t see security as a priority. They see it as a business disabler and costly. If there has been no incident to date, why worry about it? These companies are doing business on luck. The luck of the draw. But luck runs out for us all at some point. Good security is a must for each and every company, be it a self-employed nanny or a multi-national conglomerate. It doesn’t have to be expensive and can in fact give you the edge when dealing with clients or bidding for projects. Who wouldn’t choose the company they know will handle their data securely over the company that does nothing? Often no-cost processes and procedures can mitigate risk simply and quickly, particularly with data handling. We also have the Cyber Essentials certification, which is aimed at small businesses and is a set of technical controls companies can be measured against to ensure they are implementing a baseline level of technical security.

Whatever happens, in a week where security breaches have literally been big business, you need to think carefully about what your company is doing (or not doing) to protect its biggest asset. This isn’t just good security advice, this is Advent security advice.

Planes, Trains and Automobiles (and news stories about hacking them)

A guest post from Dale Penn, an Advent IM Security Consultant – taking a look at vehicle hacking and questioning how much we really need to fear.

Image courtesy of njaj at FreeDigitalPhotos.net

Even though the title is a tribute to a classic, well-loved comedy, the subject I am about to discuss is no joke!

All of us have seen recent news such as individuals claiming to be able to hack planes and cars and the more recent grounding of LOT airlines. So is there any substance behind these claims or is it little more than hype?

Planes

A US Government watchdog has recently warned that “Modern aircraft are increasingly connected to the internet. This interconnectedness can potentially provide unauthorised remote access to aircraft avionics systems”.

The report highlights the fact that cockpit electronics are indirectly connected to the passenger cabin through shared IP networks. The connection between passenger-accessible systems and the avionics of the plane is heavily moderated by firewalls, but information security experts have pointed out that firewalls, like all software, can never be assumed to be totally infallible.

While on a flight, a security researcher was reading about these new warnings that planes were hackable via their Wi-Fi network and tried to add to the debate by pointing out flaws on the aircraft he was sitting in.

So he tweeted from the aircraft that he could hack into the plane’s Wi-Fi network and as a result gain access to the flight’s communications systems.

The researcher was subsequently detained and questioned by the FBI.

Bearing in mind everything said above, am I going to cancel my holiday abroad later this year? I don’t think so!

Trains

Professor David Stupples told the BBC that the new European Rail Traffic Management System (ERTMS) is potentially a weak point in railway security.

Stupples is concerned that malware could be introduced into the system, either externally or perhaps more likely internally via rogue staff, which could cause trains across Europe to crash.

ERTMS is replacing the railway signals we are all used to with an in-cab computer display instead. Although tests have been underway since 2008, the full ERTMS system is expected to be rolled out and running sometime in the next decade. This should give plenty of time for weaknesses to be found and closed down, but also plenty of time for the bad guys to find ways around the defences and new malware to exploit the system.

That, of course, is nothing new and is the same fight that every enterprise has when it comes to protecting networks, systems and data. The difference being that when an enterprise system crashes it doesn’t, ordinarily, have the potential to cause loss of life.

Personally, from an information perspective, I believe the biggest threat to enterprises is the threat from theft, loss, shoulder surfing and eavesdropping as your workforce use the commuting time aboard trains as an extension of their office. Personnel should receive appropriate training as to how they should conduct business outside the office environment.

Automobiles

As information technology advances, more and more of it is used in cars to improve performance and driving experience. Cars these days are a rolling network with a suite of processors and wireless communication methods. Is it possible to hack your car and take remote control of its systems? Yes it is! But you have to take a step back from this scary thought and view it from a different angle. Who would want to take control of my car? What would they gain from such an attack? The fact of the matter is that if someone wanted to sabotage or steal your car there are much easier ways of achieving this without hacking your car. Frankly, the effort involved is not worth the reward and the chance of your car being hacked is very, very low.

In my opinion, even though the capability exists, the likelihood of this attack is so low that the recent car hacking claims are little more than hype.