Phishing – do employees recognise it when they see it?
In the last week I have received around twenty phishing emails. These have varied from LinkedIn connection requests, to bank account reset instructions and PayPal alerts that my security had been compromised… the irony of the last one did not escape me. In this period, I also took a worried phone call from a friend who had been called by someone who said they were working on behalf of Windows and that his PC needed to be remotely cleansed, and could they have access to it please… They gave him a fake website address, refused a phone number for call back, then hung up. It’s a scam that has been doing the rounds since about 2008 (I’m sure you’ll correct me if I’m wrong!). He was working from home at the time and connected to his business’s network.
So, in the first case, that of the emails, it was fairly clear to me that these were phishing attempts. They were not targeted at me or at Advent IM specifically; they were just chancers doing what chancers do. The PayPal email was the most disturbing because it was better designed than the others. In all cases though, a brief visit to my LinkedIn inbox, online bank account and PayPal account respectively (and not through the ‘helpful’ links offered in the phishing emails) proved that each was fake, and I reported them. It made me wonder how many businesses actually train their staff to recognise these as security threats and how to subsequently deal with them. I saw a debate on LinkedIn recently about holding individual employees responsible for security breaches and terminating their employment as a result. It included a poll. Many felt that if adequate (no definition included, sorry) training were supplied and a properly enforced and educated policy were in place, the breach was a result of employee negligence and therefore the employee should be held accountable. ‘Adequate’ is a relative term, I appreciate; I do feel, however, that it should include ‘regular refresh and update’ as well as regular review of the scope, as the threat changes.
The other part of the example I mentioned at the start was altogether more sinister. This was an individual actually picking up the phone and posing as an IT expert, offering a free service on behalf of a household name. It is easy to see how many people could be duped by this. Working at home, in this case, meant that the person was connected to their company’s email systems and information network. Luckily, the person concerned smelled a rat and asked awkward questions, which resulted in the phishers exiting as quickly as possible. Not everyone would realise this was actually an attack, and the result could be not only the loss of their personal information or even financial compromise but also potential compromise of their employer’s network. In this case, no training had been given in spotting an attack of this kind. If the individual involved had not realised this was nefarious, would it be fair to penalise them? After all, this kind of attack was not included in the ‘adequate’ security awareness training they received.
This IT support approach was also employed in the recent attacks on Barclays and Santander, when an individual actually entered branches of those banks and installed, or attempted to install, desktop cameras to enable a hack. The individual was posing as an IT repair engineer in both cases. This is far more targeted and part of a concerted campaign. Phishing emails are also sometimes targeted at individuals, again normally as part of a broader campaign and not a scatter-gun phishing expedition to see who bites. This is more aligned to the social engineering approach: specific information or access will be the target, so it differs from the mainstream approach and by definition is far more difficult to quantify and therefore to provide awareness training for. That doesn’t mean that we shouldn’t do it, particularly if we are keen to move down the road toward individual accountability.
Incidentally, if anyone is interested in watching a video in which the ‘Windows/Microsoft’ scammer tries it on the wrong person, click here.
Originally published in HR Zone (http://www.hrzone.co.uk), April 2013.
Monitoring employees for potential disciplinary reasons is a standard part of the HR role; however, a lack of awareness of how to do this within ICO guidelines and Data Protection best practice could end up in a costly tribunal for employers.
Do you monitor your employees? At a recent Employment Law Seminar (1), I asked that question and hardly anyone raised a hand. So I asked if anyone used CCTV, indoors or outdoors. I asked if their vehicles had trackers on them and, if they did, whether the vehicles were allowed for personal use. I asked if they were allowed for personal use, did they switch the tracking off outside of business hours. I asked if internet use was monitored or restricted. Lastly, I asked if they monitored phone or email use. I pointed out that even something installed for the safety and security of employees, like CCTV, is in fact monitoring them, and the images could potentially form part of a disciplinary process if required. Then I asked again if anyone monitored their employees and virtually everyone raised their hand.
OK, so there were some forms of monitoring that employers might not have realised they were doing, as they had not actively instigated them in order to monitor employees with a view to disciplining them. Other forms of monitoring are started for clear improvement or disciplinary reasons. It might be an employee using company email for more than the occasional personal purpose, an employee constantly shopping online or browsing porn in work hours on a work computer, or an accusation of physical intimidation of one employee by another. These are example scenarios that might require a business to start surveillance on its employees. However, before swinging into action, a business needs to be absolutely certain how to proceed or there may be unintended consequences for the business, and those consequences could prove costly, not only financially but reputationally.
Certain things need to be in place before effective surveillance can take place. Robust policy is obviously the first place to start. For instance, if employees are allowed to use laptops for personal use and an employee uses one to view porn outside of work hours, have they contravened the policy? Was the policy absolutely crystal clear as to whether or not this would be a disciplinary offence? Do they understand it? The other part of the equation is the policy on monitoring. Are both employers and employees clear on the policy and procedures around monitoring? If you are going to monitor them, you have to be certain of this. You also cannot simply blanket-monitor all employees, and you cannot covertly monitor them; your intention or objectives must be clear and consistent. You must be able to explain to employees:
• Why you are monitoring
• What the process is
• What you are monitoring – systems, applications, hardware etc.
• When you will be monitoring
• Who will be responsible for monitoring
• Who will have access to the data generated by the monitoring
• How that resulting data will be held, managed and eventually destroyed
It is vital that the last four points are not overlooked. In our IT-driven environment, it frequently falls to IT to roll out the software to carry out monitoring or surveillance. This may be the most practicable solution to initiating the monitoring process, but is it appropriate for IT to have access to the resulting data? Any data resulting from surveillance is sensitive, and so employees have every right to expect it to be treated with the same duty of care as their other sensitive or personal information. The data generated from monitoring will be covered by the Data Protection Act (1998), so a clear understanding of who can access it, when they can access it and when it should be destroyed is vital. Remember, employees have every right to request the data that employers hold on them (through a Subject Access Request, and this would include CCTV images) or to demand that it be destroyed if it is felt that retention is not appropriate and in accordance with the Act and local policy. This is because the Act states that the data and images are their property and not their employer’s. Interestingly, a recent survey (3) on insider fraud indicated that CCTV surveillance is a new monitoring means being enabled by businesses specifically to combat fraud by employees and not, as has traditionally been the case, to ensure their safety and security.
Emails or browser histories are fairly obvious data generators, as is call monitoring. It is worth noting that this kind of information is possibly best routed directly to HR rather than monitored by IT. Serious misconduct such as viewing child pornography could be inadvertently compounded if it is handled by someone unaware of the law around such matters. In the case of something like child pornography, a well-meaning person accessing whatever images had been viewed or downloaded, and saving or downloading them as proof, would perhaps not realise that every time they are viewed or downloaded it is an offence.
So, making sure that employees know, understand (and confirm they understand) the relevant policies relating to their conduct is the start. Ensuring they know, understand (and confirm they understand) the employee monitoring policy is the next stage, and presuming the policy is fit for purpose, monitoring can commence. Employers need to be absolutely certain they are conducting monitoring in accordance with the ICO guidelines and within the Data Protection Act (1998). A simple guide exists on the ICO website (2), which is a good place to start.
Clarity, openness and best practice, the cornerstones of good business, are the bywords for effective employee monitoring and also help keep a business out of Employment Tribunals.
(1) Waldrons Solicitors Breakfast Seminar: Employment Law – available on SlideShare, http://www.slideshare.net/Advent_IM_Security
(2) ICO, Quick Guide to the Employment Practices Code – http://www.ico.gov.uk/for_organisations/sector_guides/~/media/documents/library/Data_Protection/Practical_application/quick_guide_to_the_employment_practices_code.ashx
(3) Ponemon Institute – The Risk of Insider Fraud: Second Annual Study.
Understanding your responsibilities as a data owner includes having proper policy and processes in place for the safe removal and destruction of information that should no longer be stored. This should form part of an organisation’s overall Information Security Policy, with specific reference to the Data Protection Act (1998).
Through the power of Social Media we were delighted to meet Malcolm Charnock from Icex and even more delighted that he agreed to do a guest blog on Data Destruction for us.
Data Destruction – Passing The Buck by Malcolm Charnock
One of the things that keeps me enthused about my job is that every client has different requirements when it comes to ensuring all data is eradicated. “Different requirements”? Well, maybe the truth is that every client has a different level of understanding (or apathy) of their obligations and options when it comes to securely eradicating data.
I have spoken to organisations who insist on 2mm granulation of hard drives; after all, this is the standard the MOD requires, so their business should insist on this too??? Actually, you have to take your hat off to an organisation that takes data destruction this seriously; until you find out this same organisation uses a courier to send the hard drives to a data destruction “specialist” of whom they have no real knowledge!
The fact is every organisation has the same responsibility and in most cases the process that is most suitable is the same. OK, the local shop losing data will clearly not have the same impact as the MOD but the thought process behind any Information Security Policy should be similar.
ICO Monetary Penalties, contrary to popular opinion, are not levied purely as a result of a breach occurring. Just as important are the organisation’s processes and policies. Have all reasonable precautions been taken to ensure the breach could not occur? Was due diligence carried out to check the suitability of your service provider, contractor or vendor? If the answer is yes and an unprecedented occurrence caused the breach, I would personally not expect the ICO to take action other than to ensure you were not vulnerable to this type of event again.
SECURELY MANAGING DECOMMISSIONING AND DISPOSAL OF REDUNDANT IT ASSETS
There are an estimated 700 companies offering IT recycling as part of their capabilities, so you would feel confident that in a competitive, open market you would reap the benefits of price checking and negotiating a free collection. The problem is that this is a largely unregulated industry, so how do you choose a credible partner to trust with eradicating your data? There are a wide range of “accreditations” cited on most ITADs’ websites and literature; many of these I have never heard of, while others require no audit to achieve. In other cases the accreditation is listed although the ITAD will not actually have achieved the standard. The buck stops with the data owner, so it is important to do a little investigating before selecting the most suitable partner.
- Is your Data Destruction contractor approved? By whom? Have you audited them?
- Do they use third party contractors? Are they approved? By whom? Have you audited them?
- Are their processes and policies secure and approved? By whom?
- Is there a contingency in place?
- How are data holding items transported? By whom? Are they approved? Have you audited them?
If you can answer all of the above questions you really should have little to fear from the ICO, but you would also be in the minority. If in doubt, speak to ADISA (Asset Disposal and Data Security Alliance) or check their website to see if your preferred IT Recycling partner meets this DIPCOG-recognised industry standard.
The data, regardless of the terms of any contract, remains the responsibility of the data owner and does not pass to an IT recycler at any stage of the process. Yes, immeasurable damage would be done to the reputation of any ITAD who failed to 100% eradicate data, presumably resulting in the death of the organisation, but the ICO will look to the data owner, levy penalties and broadcast its findings regarding the failure of the company’s Data Security policy which led to the breach. – Malcolm Charnock
Traditionally, the NHS has primarily focused its security efforts on the problems associated with violence and aggression toward staff. This is because it is still perceived as the major concern and so continues to be the main focus of resource expenditure. Whilst the threat of aggression is clearly an issue that needs to be in scope, there are other areas that need attention, not only for the wellbeing of the people involved but also to help guard against spiralling cost, anathema to any NHS Trust.
Looking at the Threat Landscape
In many cases, NHS Trust security is managed by former police officers who have a wealth of experience in dealing with aggression. However, it has to be acknowledged that the threat landscape is far more varied than this head-on threat. Security threats come from a variety of sources, and not all revolve around outright aggression.
The perception of Security Officers’ duties in NHS Trusts is that they are there to provide reassurance to the public, hospital staff and visitors in the event of violent behaviour. In fact, there are a myriad of duties that they are called upon to carry out, some of which they are not trained to perform. These duties can include searching for missing patients, attending patients on suicide watch, supervising patients awaiting mental health professionals, foot patrols, cashier runs, car park patrols, smoking patrols and issuing parking contravention notices, to name but a few.
The NHS is no different from any other organisation as far as security is concerned: security components are, more often than not, bolted on as funding becomes available and usually without any long-term objective in mind. In a recent NHS Trust project, it was discovered that the absence of a strategic vision meant that funding had in fact been wasted. For example, additional CCTV cameras were installed without an understanding of what they were actually needed to do. The CCTV system was not integrated with other security systems, and this lack of integration not only represented a wasted opportunity to increase efficiency and improve security, it also wasted scarce financial resources. A CCTV audit revealed that there were actually too many cameras, but few were positioned where they were needed. Furthermore, many cameras were capturing images that were actually unusable. (This problem only increases when you add in multiple sites using different systems.) A rationalisation of the CCTV estate and a review of its fitness for purpose is, in many cases, the best way to proceed.
Another very important aspect of using CCTV systems that is often overlooked, or perhaps not fully understood, is the Data Protection Act. The images that are recorded, stored and deleted constitute personal data that has to be properly handled and, when appropriate, properly destroyed. This means everyone who monitors, has access to, stores or manages these images needs to be properly trained, aware of their responsibility and able to treat the data properly.
In any organisation, loss creates cost, and this is something each and every Trust is currently facing. A recent Daily Mail article highlighted theft from the NHS as a serious issue. Some equipment and facilities are very expensive. Loss or damage not only drives cost but can endanger lives. The absence of a security-aware culture, or one that is almost entirely focused on an aggression-based threat, allows loss to flourish, as investment can be made ineffectually, as in the CCTV example above. Staff may prop open frequently used doors, or share door entry cards for convenience. These are commonly found issues in security procedures in Trusts. What if that door gave access to drugs, vital equipment or confidential medical data? If the cameras are also ineffectual, a thief could wander around and help themselves to thousands of pounds’ worth of equipment, or steal personal data for which the NHS Trust would be held accountable.
During a recent project, a consultant found that no one challenged his presence in a medical record archive and said he could have easily made his way into a RESTRICTED information area by tailgating through the door; such was the lack of awareness.
- The Threat environment has changed and security needs to be approached as a cyclical, on-going process. It needs to be reviewed and tested regularly.
- The narrow view of security within the NHS as being aggression-based and the responsibility of the manned guarding component needs to be dispelled. Everyone working within any organisation has a personal responsibility for security; an NHS Trust is no different. A cultural change within Trusts is required to instil awareness. Only this way will everyone feel part of the security fabric, rather than seeing security as something that is done by someone else.
- Security Training and education should be standard in all Trusts; this should include an understanding of the real rather than perceived threat landscape.
- Senior management need to understand how to maximise the effectiveness of their security infrastructure for the benefit of the Trust. This encompasses understanding all of the above plus a willingness to forget the mantra of “this is the way we’ve always done it” and move toward excellence. After all, effective security will prevent harm to staff, patients, visitors and contractors, protect costly equipment and dangerous drugs, prevent damage to other assets and loss of sensitive or personal information.
- A proper security review can identify areas where cost savings can be made or wasted costs controlled, such as the CCTV estate review – removing cameras that are not fit for purpose will reduce the maintenance bill. The review will also determine if cameras are fit for their purpose and placed in an appropriate location to mitigate the identified threats thus ensuring that the Trust meets its Duty of Care for staff, visitor and patient safety.
Advent IM Senior Security Consultant – Paul Smith MSc MSyI
Originally published on the Darlingtons Solicitors Blog 23.11.12
You say the word ‘security’ to people and get a variety of responses or perceptions. Some people think of manned guarding and a nice guy who works the barrier and checks the CCTV images to keep everyone safe. Others go a bit ‘Mission Impossible’ and imagine consultants dangling from wires, testing floor pressure pads in secure areas whilst hacking into the Pentagon. And still others regale you with tales of every nightclub they have been asked to leave by a man in a black puffy jacket.
This post is not really about any of those perceptions; it is about a business enabler and how it is placed in successful organisations. I can appreciate that, compared to Tom Cruise dangling from the ceiling, this may appear dull, but as far as business goes, it’s a bit more useful.
“Yeah, IT does Security”
According to the Ernst & Young Global Information Security Survey 2012, there is a real gap between where Information Security sits within organisations and where it needs to sit. As Security Consultants we know this to be true, and are also aware that other disciplines, FM for instance, have also had a bit of a battle to get a voice in the boardroom. Given the interconnected nature of so many business areas, joining the dots and having top-down policy and behaviour has never been more important.
As we are talking about Information Security (IS), let’s put it in perspective. IT security is the vital technical security of IT, such as firewalls, encryption, password policy, patches etc. How an organisation behaves with regard to the security of information is a much larger area. (If the organisation’s use of information were the Milky Way, for instance, IT might be our solar system.) The rest of the organisation uses information in a myriad of ways, not always electronically and not always on a device (at least not one that IT is aware of…). The rest of the organisation may be vast, and so the potential for compromised information is vastly increased, especially if everyone thinks that “IT do security…”.
IT departments traditionally do not have a formal risk assessment mechanism. Risk is something a whole business faces, not simply the systems in IT, important as they may be.
An organisation’s IS needs to be aligned to its risk appetite, but if accountability for it is placed in IT then realising this will be challenging.
Business solutions are not always technical or IT-based. At the end of the day the users are people, and people make mistakes or behave in questionable ways. Around 80% of data breaches are generally accepted to be the result of human error or malice. Technology can’t mitigate all of that risk; you need to consider policy, procedure and education on these concepts throughout your organisation. Hopefully you can see now why we are moving out of the realm of IT and into the realm of business-centric solutions that cut across silos rather than reinforce them.
“Place your bets! Place your bets!”
Risk is a part of business; without risk there is no innovation, and nothing can exist for long in a vacuum. Therefore it is vital to know how far you can push something before it becomes too great a risk, not at an instinctual level but at a tried, tested and accepted level that comes from the boardroom via regular review. So understanding your organisation’s risk appetite and tolerance is vital. Aligning your IS policy and procedure to that appetite seems logical, if not essential, yet 62% of organisations surveyed did not align IS to risk appetite.
How, then, can an organisation securely implement something like Bring Your Own Device (BYOD), which sounds on the surface like an IT project and so will not be aligned to risk appetite? In other words, the risk attached to allowing employees to use their own devices, which may mean access to corporate networks and drives and to sensitive information, has not been assessed in terms of the business’s overall appetite. So rogue apps (which we hear about every week), for instance, could be scalping data from the device on a regular basis and the user would be unaware. Previously, it was the user’s data alone that was compromised; with BYOD the scope of data available increases vastly as an organisation’s information assets open up to that user.
InfoSecurity – share the love
The Ernst & Young survey highlighted the need to bring Information Security into the boardroom. Perhaps asking who owns the risk, or who is accountable for the information risk, is where to start. Well, according to this survey only 5% have Information Security reporting to the Chief Risk Officer, the person most responsible for managing the organisation’s risk profile. Placing responsibility within IT can cause ineffective assessment and alignment, not only with risk but with business priorities.
If 70% of the respondents are stating that their organisation’s IS function only partially meets the organisational needs, it becomes clear that this is a ship that has set sail without a map. IS needs C-level direction and input; it needs to have the support of the board, be implemented and understood top-down, and really start to make a positive impact on business growth by enabling it to happen securely, with threat and risk awareness, accountability and mitigation.
It was initially encouraging to read that almost 40% of organisations planned to spend more on IS over the next 12 months. But on reflection, if this is going to be mainly directed by IT departments, unaligned to risk, unconnected to the board and occupying a space in an organisation’s information usage similar to that of the sun in the Milky Way, it is doubtful that the dissatisfied 70% of organisations who feel IS is not currently meeting their needs will reduce. What is concerning is that this could end up looking like wasted spend on security, when in actual fact it is merely a potentially unwise or undirected spend. The upshot could be that, through a lack of board-level understanding, future spend then has a line run through it instead of under it.
All data sourced from Ernst & Young Global Information Security Survey 2012, all visual representation copyright of Advent IM and not to be reproduced without express permission.