Tag Archives: Julia McCarron

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM Staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how  the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net

Vlado at FreeDigitalPhotos.net

 

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsular coupled with additional attacks from the orient- this will bring a chill to the spines of organisations.  These attacks are likely to be followed by sweeping phishing scams from the African continent.  There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation that the threat from insiders is on the rise. In summary it’s going to be a mixed bag of events for a number of wide ranging organisations. However on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same.  Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people.  I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees.  I also predict a significant challenge for many organisation which hold personal data.  The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens.  With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioners Office (ICO).  Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited.  This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media, and Marcomms Manager – I predict the growth of ransomware  in business.  Ransomware, is mainly (though not exclusively) spread by phishing and given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites and so businesses that do not have, or enforce a policy or exercise restrictions in this area, will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

 

 

Mike Gillespie_headshot

 

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breach in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

Advertisements

“Five Eyes” intelligence document leak – Australian Defence bureaucrat off to jail

This week saw the news that the junior bureaucrat from the Australian Department of Defence, has been jailed for one year, following his guilty plea in the ACT Supreme Court to posting a secret Defence Intelligence Organisation, to an online forum. Julia McCarron gives her take on this quite staggering series of events.

Not a ‘Gooday’ for the Canberra APS

Surprise!

Well this a strange one for sure. So, Michael Scerba, a former junior Defence bureaucrat has been jailed in Australia for uploading secret information online. He downloaded a 15 page document from a secret Defence Intelligence report, burnt it to disk, took it home and posted the first two pages on an on-line forum. The post was viewed and commented on by a dozen people and re-posted but disappeared an hour after its original post.

This is bad on so many levels …

When they say he was a junior bureaucrat, he was actually a 21 year old Department of Defence (DoD) graduate … with only 8 months on the job behind him and a secret (negative vetting level one) clearance … and apparently “his mental health had impaired his judgement”. I accept that the article does not expand on these mental health issues or when these issues occurred, and I am in no way implying that mental health of any kind should be a barrier to employment as I do not believe it should in general. However, we are talking about a position in National security here with access to secret information, so assuming his issues occurred pre-employment. So first question: Why was a 21 year old graduate with mental health issues given a level of clearance high enough to enable access to, and the capability to download, information relating to National security?

You've got to have a system.

Something has to have gone wrong with the vetting process and/or the employment process where access rights and privileges are determined and applied. If he had underlying mental health issues surely these should have been detected prior to his employment or during the induction process. I would presume DoD staff have to go through stringent mental stability checks checks for security clearance purposes to minimise the risk of coercion or subversion? This seeming lack of procedure demonstrates the importance of a robust vetting process, particularly in a role so critical to the security of the nation. It also demonstrates the need to ensure privileges are granted relevant to the job role and on a ‘need to know’ basis. Did he really need to access to information that revealed the identity of intelligence sources, gathering methods and classified aspects of strategic partnerships between Australia and other countries?

Advent IM Cyber SecurityIt also opens up the question of removable media access and control in sensitive areas. Second question: Did he really need to be granted the ability to burn information to disk or USB at the level he was working at? Are there not search facilities at access points a la ‘Spooks’ that detect unauthorised media? I would have thought again that some sort of policy would have existed that meant staff were only allowed use of authorised removable media and that no media was allowed to be removed from the premises?

And finally, the claim by the Judge that, “Scerba had not intended to compromise national security, although he knew the disclosure could cause harm”. I find this claim quite astonishing. So he’s employed in a DoD job, with access to information pertinent to National security and he didn’t know the disclosure could cause harm or compromise National security? Really? Question 3: What kind of induction training was the DoD providing? I can’t believe they do not put employees through extensive security training highlighting how to handle data at various classification levels, the importance of data classification and handling and the consequences of failing to comply with policy. If they don’t then some serious questions need to be asked!

I think I’m with retired Lieutenant General Peter Leahy on this one though; jail time was definitely required for this serious National security data breach. But 12 months with only 3 served does not send out a good message to others employed by the DoD who, like Scerba, believe Julian Assange is their hero. This could just be the beginning unless changes to process are tightened up.

Post comment based on an online article in the Canberra Times dated 5th November 2015.

This isn’t just poor security….a post on the M&S security incident from Julia McCarron


Advent IM Director, Julia McCarron has turned her eye to the M&S security breach…

Well as our Marcomms Manager, Ellie superbly put it, “This isn’t just poor security, this is M&S poor security”.

Image result for M and s logoThe brand synonymous with quality has let the side down following what it claims was an internal system glitch that caused M&S online account users a bit of a surprise. They logged on only to find their account wasn’t theirs.

Following a number of complaints, M&S were quick to take the site off-line and the problem was resolved in 2 ½ hours, but not before 800 people’s personal details including names, dates of birth, contact details and previous order histories were exposed. Thankfully, financial details do not seem to have been breached.

So M&S can expect a knock on the door from the ICO. Commenting on the incident, Phil Barnett, VP Global at Good Technology of M&S, said that many companies are flying blind when it comes to security, because they don’t think it affects them. In this day and age, when cyber security incidents seem to happen every 5 minutes, companies are becoming more aware of the risks and need for good, security controls and practices. I would sincerely hope that companies such as M&S would be acutely aware of the perils. As Mr Barnett points out, “Data is a company’s biggest asset, and as mobility becomes more ingrained across every enterprise, security must become a higher priority”.

risk balance

So I guess M&S need to ask themselves why this happened? I cannot comment specifically as to the root cause of this particular incident, but often what can be the reason is that ICT systems change management process are either not in existence, not robust enough and/or do not consider the ramifications to security when updates, upgrades, code changes etc… are made. Security must be a key consideration and testing should be carried out before the change is made live, especially on personal data critical systems such as these. In addition, regular penetration testing both external and internal to the system is a must, especially when a major system change is made. Today’s technical vulnerabilities are evolving hourly but these simple actions can be the difference between being a successful big brand today and share prices falling through the floor tomorrow #talktalk #justsaying.

Advent IM HMG accreditation concepts training

However, I will concede that smaller businesses often don’t see security as a priority. They see it as a business disabler and costly. If there has been no incident to date why worry about? These companies are doing business on luck. The luck of the draw. But luck runs out for us all at some point. Good security is a must for each and every company, be it a self-employed nanny or a multi-national conglomerate. It doesn’t have to be expensive and can in fact give you the edge when dealing with clients or bidding for projects. Who wouldn’t choose the company they know will handle their data securely over the company that does nothing? Often no-cost processes and procedures can mitigate risk simply and quickly, particularly with data handling. We also have the Cyber Essentials certification, which is aimed at small businesses and is a set of technical controls companies can be measured against to ensure they are implementing a baseline level of technical security.

Whatever happens, in a week where security breaches have literally been big business, you need to think carefully about what your company is doing (or not doing) to protect its biggest asset. This isn’t just good security advice, this is Advent security advice.

Are you still operating XP or Windows 2003? – A guest post from Julia McCarron, Advent IM Director

Whilst Microsoft’s utopia may be for us all to automatically upgrade every time there is a newAdvent IM Cyber Security Experts version of Windows, for many organisations this isn’t always an option. With some still coping with life after the recession the cost of upgrading to new platforms can be restrictive, especially if XP and Windows 2003 still works perfectly well and provides you with effective tools to operate business as usual. For others with large technical infrastructures, again the cost of upgrading can be a massive drain on time, resources and money and needs careful budgeting a planning over a period of time.

But with the withdrawal of support on Windows platforms and applications comes risk. Security patches no longer get issued, and as cyber security threats continue to be developed exponentially so these platforms become vulnerable to attacks.

Advent IM HMG accreditation concepts training

pics via digitalphotos.net

The obvious choice is upgrade as soon as possible. But if this is not an option you need to assess the risk of operating in a non-supported environment as part of your corporate risk strategy, and where required identify activities that can help you minimise risk. These could be more frequent external penetration tests, stricter acceptable usage policies, updates in security awareness programs or additional monitoring software. There are risk mediated options available but only if you go through the proper process of analysing the threats and impacts of not upgrading to your business.

But upgrade when you can …

Julia.

Francis Maude visits Midlands Cyber Security Firm

The Rt. Hon. Francis Maude MP called in to meet the team at a West Midlands based Cyber Security Consultancy today.

Today, Advent IM was pleased to host a visit by the Rt. Hon Francis Maude MP as part of his remit as the Minister for Cyber Security. 

AdventIMMDMikeGillespiewithFrancisMaudeMr. Maude met with co-founders of Advent IM, Mike Gillespie and Julia McCarron, to find out more about the cyber security work the company delivers as the UK’s leading independent information security consultancy, its history, ethos and the challenges they face as an SME. 

Topics were wide and varied. Mike Gillespie explained the principles of a holistic and risk based approach to security and Mr Maude was particularly interested in how this translated into solid governance in business. Mr Maude was also keen to find out more about threat convergence and how cyber threats can now impact our physical environments and steps we can take to mitigate those threats. 

Francis Maude and Mike Gillespie Copyright Advent IM ltdThe team expanded on Advent IM’s development of cyber security training courses specifically for the Police in the areas of SIRO and IAO responsibilities and accountability, general cyber security awareness training opportunities currently being developed and Advent IM’s mentoring approach to consultancy delivery, ensuring it is seen by those involved as a business enabler. 

Mr Maude and the team discussed the merits of the G-Cloud procurement process and how there is room to improve perception that it is more for technology purchases than consultancy, and how Government is starting to drive the requirement for best practice information security and ISO27001 through its outsourced service providers.  Changes to the Government Security Classification scheme and the lack of understanding on its application were touched on, as were the issues faced by local authorities in connecting to PSN and how the latest changes would impact on those connecting or acting as a provider. 

Mr Maude also took the time to discuss areas of work with members of Advent staff from our Consultancy, Marketing and Sales teams and the challenges they face with implementing and promoting cyber security within the UK, and spoke to our Business Administration Apprentice on his social media role within the company. 

The visit, which lasted approximately an hour, was a privilege to host for Advent IM. “We appreciate the time Mr. Maude has taken to visit us today,” said Advent IM’s Operations Director Julia McCarron. “As Cyber security specialists a number of us have attended events where Mr Maude was present but we rarely have the opportunity to discuss what is happening in the market with him or air our views fact-to-face. To be singled out and given the chance to discuss our company, the industry and involve all of our staff in that forum was an honour for the team.”  

Mr Maude thanked everyone for a useful exchange of views and thoughts before departing for his next appointment.

 

Issued:  21 Jan 2015                        Ends                                     Ref: VIP- 210115 Advent

 

 

 

NOTES TO EDITORS

 

About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats.

 
From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project management methodology widely used within the public sector, CISSP qualified and Home Office trained physical security assessors.

Big Data …. Friend or Foe?

Delighted to have a post from Advent IM Operations Director, Julia McCarron.

Ellie has been asking me for a while now to do a blog piece on ‘big’ data, and I must confess to dragging my heels because I wasn’t really sure what it was. I guess if I had put my mind to it essentially it must have been the aggregation of information that made it ‘big’ and I’m not far off with that. But last night’s edition of Bang Goes the Theory made me think about what it means … and the fact that ‘big’ is probably too small a word to describe its reach.

 ID-100180473If we want to be specific about it, big data is defined as a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications.[1]  But it seems to me that this 2-D definition doesn’t do it justice. From what I can see, it’s about taking these large data sets and analysing them to find patterns – that’s what makes it ‘useful’. What you do with those patterns can be for good or bad and can range from diagnostic to research to marketing to preventative in nature, and affect people, places, processes, objects … you name it basically.

I know this kind of analysis goes on because I have a ‘loyalty’ card that regularly sends me money off vouchers for the things I buy on a frequent basis/ I know internet banner ads show me handbags for a reason, usually because I’ve just purchased another one online. I understand that it’s the accumulation of data about my buying habits that is profiled to appeal to me; but I hadn’t realised just how far this can go. On the programme in question a big data collection company said that as a result of the release of DfT data on bicycle accidents, someone had within days written an app for people which told them where to avoid riding their bicycle and therefore minimise the risk of having said accident. Who would have thought that was possible? Rolls Royce engines contain computers that analyse their activity, whilst in the air, and report in real time on peaks and troughs outside the ‘norm’, which enable airlines to do maintenance work before a problem occurs.

But if you think about it big data isn’t new. Einstein’s Theory of relativity came about because he carried out hundred of experiments and analysed them painstakingly by hand. Intelligence services cracked Hitler’s codes by looking for recurring patterns, first totally reliant on the human brain before that human brain created freecrumpetsmachines to make the analysis easier and quicker. I only get 100 free ‘bonus’ points with my next purchase of Warburton’s crumpets because a computer looks at my buying habits and has identified that I buy them every week. (Other crumpets are available – actually no they aren’t). All that has changed is the scale, speed, selectiveness and sensitivity of the collection and review of that data.

The issue comes though when that big data is also personal data, and this is probably where most of us start to question whether it’s a good thing or bad thing. The BGTT Team demonstrated how easy it is to profile individuals from their online data footprints. It’s not just about what you put on various social media but it could also be an innocent publication of contact details by your local golf club. I’m a security conscious person, for obvious reasons, but I’m sure if someone really wanted to they could find out more about me than I thought was possible, just by running a few scripts and analysing trends. I’m a genealogy enthusiast and within minutes I could potentially find out when you were born within a 3 month window, the names of your siblings, your mother and father …. and those all important security questions; your mother’s maiden name and town of your birth.  So should we attempt to simply lock everything down?

 At the same time as all this personal big data is being analysed its also being put to good use.  Researchers are creating medical devices that can analyse brain activity and detect when a second brain trauma is occurring … and they’ve done this by analysing patterns and trends from hundreds of thousands of scan outputs to create a simply, non intrusive device that monitors pressures, electrical current and stimulus. If I opt out of my having my NHS patient record shared, I could make it that bit harder to find a cure … or be cured.

Ultimately, we wouldn’t be where we are today without big data but there is no doubt that in a digital age big data will just keep growing exponentially. I don’t think we can avoid big data and I don’t think we should, but from a security perspective I think we all just need to think about what we post, what we agree to make available, what we join up to and what we are prepared to say about ourselves in public forums. If a field isn’t mandatory don’t fill it in, don’t agree for your location to be published and maybe tell a little white lie about your age (girls we are good at that!). We can never be 100% secure – it’s not possible. Even our fridge can go rogue on us now and order food we’ve run out of but don’t actually want to replenish. But having a security conscious mind can protect us, whilst still providing a big data contribution. 

[1] Wikepedia

some images courtesy of freedigitalphotos.net