Advent IM, a Midlands-based cyber and information security consultancy and member of the Malvern Cyber Security Cluster, announces a forthcoming visit from James Morris, MP for Halesowen and Rowley Regis.
The visit is planned for 11.30am on 20 February at the Advent IM offices and training centre, 5 Coombs Wood Court, Steel Park Road, Halesowen B62 8BF.
The visit will give Mr Morris the opportunity to understand the impact of cyber security threats on businesses and public bodies in his constituency and on their supply chain partners. He will also meet members of the team dedicated to improving organisational cyber security practice, both nationally and internationally, through high quality consultancy and training.
Understanding cyber threats, and the risk they create for business, is vital in the fight against cybercrime and data loss. Many research papers and surveys have been produced on the topic; to pick just one that illustrates the scope of the problem, the Ponemon Institute report on corporate information security, "Corporate Data: A Protected Asset or a Ticking Time Bomb?", identifies major issues that need to be addressed as a matter of urgency, including:
- 71% of surveyed users said they had access to information they should not have, and four in five of the IT professionals who responded confirmed this poor practice, saying their organisation did not enforce a 'need to know' data policy.
- Almost half of all respondents believed that data protection controls and oversight were weak.
- Almost 80% of respondents thought it acceptable to transfer confidential documents to potentially insecure devices.
Segregation of data and appropriate access controls limit what users can find and use, and also limit where an attacker can move if they do manage to gain access to the network. If end users can see gaps in security, as point 2 shows they do, you can be sure attackers will too.
Point 3 shows that poor practice, lack of governance and poor or non-existent training are creating a perfect environment for cyber criminals to exploit in order to attack businesses.
If technical security hygiene is also lacking, for example out of date or unpatched software in use, no effective and updated anti-malware in place, or systems and networks untested by a regular IT Health Check including penetration testing, then an intrusion from outside is far more likely to succeed and organisational information assets to be compromised. This can include the personal information of staff, clients and supply chain partners, as the Target breach showed.
Managing Director Mike Gillespie said, "Businesses are connected by the internet all over the world; local businesses may have supply chain partners thousands of miles away just as frequently as down the road. Organisations have a responsibility to each other to make sure they are taking adequate precautions, both technically and corporately, to ensure their information assets are properly secured."
We will be discussing this and other cyber security issues affecting the local community with Mr Morris during his visit.
Issued: 12.02.15. Ends. Ref: VIP-200215-Advent
NOTES TO EDITORS
About Advent IM
Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats. Mike Gillespie is MD of Advent IM, Director of Cyber Strategy and Research for The Security Institute and a member of the CSCSS Global Cyber Security Select Committee.
From its offices in the Midlands and London, its consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), the Institute of Information Security Professionals (IISP), The Security Institute (SyI), the Business Continuity Institute and the British Computer Society.
Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project
Hacking and cyber attacks have hardly been off the media front pages for a long time. But are businesses and organisations misleading themselves by referring to these incidents as 'hacks' or 'cyber attacks'? Are they limiting their thinking, and thereby creating vulnerabilities, by mislabelling these important events? There is a strong indication that this is sometimes the case.
When we talk about hacking we think of a variety of actors, from the lone, disruptive back-room coder to the determined and well-resourced gurus of cyberspace who can apparently enter our systems at will and remove whatever data they want: possibly government funded, but certainly expert and dangerous. Both of these exist, but if recent surveys give any indication of how much these remote threats actually affect businesses and organisations day to day, an important part of the threat picture is missing.
According to the Verizon 2013 Data Breach Investigations Report, more than three quarters of breaches exploited weak or stolen credentials. So either the attacker made a good guess that the password would be 'password', or stole a pass card to a server room, or did any of a myriad other things that are not hacking but are breach enablers. The myth of the remote hacker is revealed, in the majority of cases at least, to be just that: a myth. With 35% of breaches involving some kind of action in the physical world, such as card skimming or theft, the need to move the security focus away from a purely cyber view is clear.
The same report showed that in larger organisations, ex-employees posed the same level of threat as existing managers. Taken with the previous statistic, a proportion of those stolen credentials could come from ex-employees using their old credentials, or credentials they once had access to, to get into company networks, as happened in the 'Hacker Mum' story.
Nearly a third of breaches involved a social element. This could be coercion of an existing employee, a phishing campaign, or simply walking into a building and charming a staff member such as a receptionist (mines of information that they are) on a regular basis to learn about staff comings and goings. It could also involve surveillance of a business over an extended period, including its staff, visitors and contractors.
So the actual 'hack' or 'cyber attack' comes quite far down the line in this kind of breach; it may have been in planning for months. This is worrying because our language has encouraged us to focus attention on only one part of the process. It reinforces the already prevalent 'IT deals with security' mindset we have discussed in previous posts. By allowing this narrowed view we are creating a vulnerability, and ignoring the opportunities we would have had along the route of the breach to halt it before anyone even logged on to anything.
A comprehensive programme of security awareness training, built into everyone's role and regularly refreshed, is one way of preventing an attack from ever reaching the hack stage: simple things like ensuring everyone knows not to click uninvited or suspicious-looking links in emails, or being alert to unfamiliar faces in the building, regardless of whether they are wearing a high-vis jacket or a lab coat. Social engineers love to hide in plain sight.
Our use of language has stopped these elements being considered by all staff: they hear the words 'cyber' and 'hack', think it is IT's responsibility, and carry on as normal. Yet there are many points at which the hack could have been prevented by basic security hygiene or good practice.
It underlines to us that the threat to our businesses and infrastructure is holistic, and the response to it should be too. Yes, there is a threat from the faceless hacker, the determined and well-funded professional as well as the random and opportunistic 'back-bedroom warrior'. But many businesses and organisations face a people-based threat first: an old vulnerability being enabled in a new way, by language.
Readers of this blog will have encountered our content on social engineering before. This post is a fascinating first-hand glimpse from a practitioner: the pitfalls, the uses and the reactions.
Are your colleagues security aware enough to keep their nerve and stick to policy when faced with challenging and anxiety-raising situations like the one detailed below?
Would you or your colleagues recognise the characteristics of a social engineering attempt? It's not just about having a policy, but about everyone understanding it and feeling confident enough to apply it to everyone. Do manners and cultural norms play a part in how the social engineer gets access to, or information on, things they shouldn't? Reading this account, undoubtedly. A module on social engineering would be a very wise addition to any organisation's security awareness training programme.
IT Helpdesk 1 to Helpdesk 2 – “Who was that on the phone? I could hear him shouting and threatening you from here”.
IT Helpdesk 2 to Helpdesk 1 – "The CFO, who's trying to work on his laptop from home. He can't log in… again, he said. He wouldn't let me talk him through anything, said he'd done everything I tried to suggest; he just wouldn't listen to any of our standard procedures. He just kept shouting and saying he'd be in here tomorrow to fire me and have me escorted off the premises. All he wanted was for me to reset his password and check his complete authentication process details, so he could get some work done. He said he didn't want a confirmation email or a Helpdesk ticket on the system telling everyone he couldn't use his laptop, and I wouldn't want him telling the head of ICT that I couldn't, or wouldn't, help him out."
IT Helpdesk 1 to Helpdesk 2 – “What an ar5e!”……..
"A common enough Social Engineering attack, seen from the perspective of the recipient of the attack, and one I've used many times myself. The tools of the Social Engineer are Manipulation, Domination and Coercion, ending with the hope of a Carrot after the Stick, to make them feel lucky to have escaped so lightly. Sometimes flattery and feigned stupidity will work, but the Social Engineer needs to be confident in his/her ability and flexible enough to adapt to the emerging responses they get from the subject of the attack. Confidence in eliciting in-depth information, by pre-loading the recipient's mind with information to make your questions more readily accepted by them, is another key skill of the Social Engineer. In the example above the CFO was selected because his personal Facebook page showed he was on holiday with the family somewhere hot and sunny that looked like Mexico. Don't get me started on Social Media, and the information people just broadcast out there, to the unknown, unrestricted and dark corners of the Internet.
It's in the human makeup to want an unpleasant or embarrassing problem to be someone else's and not yours. The human mind can be likened to software we all understand: it is possible to overload the target's mind and insert custom instructions, just as a hacker executes code to cause a stack or buffer overflow. A favourite Social Engineering attack to illustrate this is when you need to get buzzed through from reception without being escorted. You rush in, trying to explain you're there to see someone important at the company, mentioned by name; you've been there many times before and know the way. You rush on to say that you're terribly late, and you're also trying to sign in and keep the initiative before the receptionist can process this overload of information, or think to do what their procedure says they should do. This is known as 'Pretexting': preloading the human mind with information to support your story and persona and make it all more credible. You then receive your pre-planned imaginary phone call. "Sorry, I have to take this," you say; the call quickly escalates and you launch into a blistering verbal assault on the person who isn't really on the other end. Phone still to your ear, and still giving full vent to your ire, you motion in the direction of the receptionist and towards the controlled door, and start walking towards it. They will have been watching and listening most intently. You've overloaded them; you've inserted the belief that you're someone important, not to be denied or argued with, especially if you're off to see one of the senior officers of the organisation, and the subject of the attack will want you to say how helpful they were.
I've found that nine times out of ten, to make this horrid person go elsewhere and be someone else's problem, you'll get buzzed through, usually with a comment from the receptionist that they'll call ahead to say you're coming. As that isn't where in the building you are really heading, that's not a problem. It'll take some time for them to realise you haven't arrived, by which time you will have found your next security obstacle to overcome, or the target of your next Social Engineering attack, and started to penetrate deeper into the building and closer to your final goal.
The key to becoming less susceptible to Social Engineering is to find out more about how the attackers influence and control people. As with software hackers, the process is not a 'one time attack'; there will be supporting or enabling attacks and probing enquiries, all building the picture of the target organisation before the 'Big One'. Remember that credibility during the attack will be enhanced by the use of morsels of the truth: names or organisational details of the target organisation. Social Engineers are hackers of people. You need to start to think of them in that more familiar way, and then your perceptions will change and you will tune in to the attack indicators that allow earlier detection of their activities, as you already do with software hackers and malware writers. Staff awareness of the techniques of Social Engineering can dramatically improve resistance to Social Engineering attacks, just as the Police try to educate the vulnerable about the local activities of con men."
Senior Advent IM Security Consultant
Further viewing on this topic can be found on our Slideshare stream here: http://www.slideshare.net/Advent_IM_Security/social-engineering-insider-and-cyber-threat (you will need sound).
According to the latest Deloitte Global Technology, Media and Telecommunications (TMT) security survey, 88% of respondents felt their organisation was not vulnerable to cyber attack, despite almost 60% of them having already experienced at least one security breach. (You can download the full report here.)
Employees – Insider Threat
Companies also said that employee mistakes were the top threat to information security. While it is no surprise that this is the top threat, the reluctance to face the insider threat (which, let's face it, need not involve malice aforethought) has proved hard to shake; it is something we have discussed on this blog before. It is disappointing that, having acknowledged employees as a real issue, only 48% of businesses offer security awareness training. This creates vulnerability needlessly. Security awareness should be an integrated part of the business. The tendency to push security onto IT is part of the problem: IT can look after IT security, but information has to be safeguarded in all its forms, and that means anyone who uses it is responsible for its security. All employees have a part to play, which is also why employees are the top threat to security.
There is growing awareness of the potential threat from increased use of mobile devices.
The co-existence of personal and business data and applications makes mobile devices highly prized targets for theft, and marvellous new entry points for a cyber attack. Figures from an earlier Ponemon Institute survey showed that the majority of respondents carried sensitive data on mobile devices 'frequently or very frequently', yet the same survey showed that over a third of data breaches had come from lost or stolen devices, and that almost 60% of employees spent no time whatsoever on data protection activities.
Given these figures, a firm grip on your organisation’s Risk Appetite and Tolerance is a must before an informed decision can be made on BYOD…