Gone Fishin’

Or did I mean Phishing?

I read that this Friday 25 November is the official start of the shopping ‘silly season’.  Black Friday and then Cyber Monday, more American import to our shores, kick off the spending frenzy to Christmas.

But it appears that shopping is not the only frenzy that this season brings.  According to a recent ITGovernance blog, the Anti-Phishing Working Group (That is for real)report an increase in Phishing during the Christmas period.  Last year there was a 250% increase in Phishing attacks between December 2015 and March 2016.

I would suspect this will increase this year if my personal experience is anything to go by.  Already this week I have seen 100 emails in my spam folder offering me ‘too good to be true’ Black Friday offers and as I write, it is only pale grey Tuesday (PM).  I don’t know what my mail box will look like on Thursday!

Taking a look at the latest Phishing trend analysis one can see why this is probably a popular time of year.  43% of Phishing attacks are targeted at the Retail/Service sectors and 13% at Payment Services, a total of 56% covering the most popular sectors at this tome of year.

The increase indicates that this approach to spreading malware or gaining access to data and/or networks is effective.  This has to raise concerns for business.  How many business owners have trained their staff to spot potential Phishing scams?  I bet is not many.  Most will assume that by employing intelligent adults they are safe.  Not true. Phishing is getting sophisticated and some are not easy to spot.

If I employed staff, I would expect to

  • Brief my staff on relevant health and safety annually;
  • Brief them on the fire procedure annual and have at least one practice;
  • Brief my staff on how to stay safe on-line.

On this latter point there are loads of resources on-line, but for a few hundred quid isn’t it worth getting an expert with up to date knowledge in to your organisation to give proper guidance?  No! Well here are a some people who would probably now pay that:

  • A small soft furnishing company who clicked on an invoice link in an email.  It was a malicious link containing ransom ware.  All their files were encrypted and it cost the over £2000 to recover their data.
  • The not-for-profit organisation the head of finance received an email from the CEO asking for urgent payment to a supplier.  The CEO’s email had been spoofed, he never sent it and £10,000 was transferred to a fraudster.
  •   The world leading heart hospital that narrowly missed a ransom ware attack.  A nurse unwittingly clicked on a link in an infected email. Thanks to the ‘lucky’ timing of a backup they escaped, but it was luck not judgement.
Featured Image by Snuzzy used under creative commons licence
Gone Fishin’

Can you afford to ignore cyber security

A quick scan of the Information Commissioner’s Office (ICO) website shows that since the beginning of August to 13 October, 17 enforcement notices have been made.  These range from a small fine for processing personal data when not registered with the commissioner, to the TalkTalk decision.  In total since August £840,650 has been levied in fines. Nearly a million pounds in just short of three months.  The TalkTalk decision makes up almost half of this amount, but two things are evident:  The ICO is looking at all types of business, small businesses are not immune; the TalkTalk decision sends a clear message to businesses of all sizes to take their IT security seriously.

In summary of the case the ICO states:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”

“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.  TalkTalk should and could have done more to safeguard its customer information.  It did not and we have taken action.”

The ICO found against TalkTalk on the 7th Data Protection Principle: Security.  This states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data”.

As a result, by 2 November TalkTalk will have to hand over a cheque for £400,000 to the ICO. Ouch.  But added to this profits have reduced by 56% and according to The Register in the month after the breach 9,000 customers did the WalkWalk.  It isn’t just the fine that hurts

There is no doubt that the fines are increasing.  Hampshire Council have been fined £100,000 for leaving details of 100 people in a disused building. A GP surgery has been fined £40,000 for revealing details on one patient.  When the new General Data Protection Regulation is implemented the maximum fine that can be levied will increase to 4% of turnover.  That could be the ruin of some organisations.  It is clear from the ICO that they will not simply accept that a business has been hacked and that is a crime.  They will expect businesses to demonstrate they have done all they can to prevent unauthorised access.  This latest finding almost puts Cyber Security on a level with Health and Safety and all organisations should begin to take it seriously.

Reading the ICO statement, how many organisations can honestly say they do ‘all’ they can to avoid data loss?  When I, as a consumer share my details, how can I be sure that the organisation I am sharing with has done all it can?

I suppose the first step for most organisations is Cyber Essentials.  Launched by the UK government in 2014, some experts suggest that implementing the 5 basic controls could reduce the risk of simple commodity attacks, such as the one against TalkTalk by 80%.  One blogger, an early implementer of Cyber Essentials suggested that even though they held the ISO27001 certification (a much more complex assessment), they still learned from implementing Cyber Essentials. When the scheme was launched in 2014 Christopher Graham the Information Commissioner of the time was quoted as saying “Cyber Essentials enables businesses to demonstrate that they are taking action to control the risks”. Now it doesn’t say that they would be exempt from prosecution, but there are demonstrable mitigations to the risks.  A few hundred pounds on Cyber Essentials and time implementing and monitoring it annually has to be a reasonable investment.

Cyber Essentials may go some way to satisfying the ICO, but what about the customers of a business?  The Cyber Essentials badge should also go some way to satisfying the customer that the business takes security seriously.  However, the badge isn’t everything.  Before trusting it completely ask the business when they were last certified.  One weakness of the certification is a lack of an expiry date.  Technically a business who certified at the start of the scheme can still say they have Cyber Essentials today, even though they haven’t done anything since. It isn’t a one-off process, to keep current businesses should renew yearly, just like a Cyber MoT.

Featured image by Alexander Baxevanis (used under Flickr Creative Commons Licence)
Can you afford to ignore cyber security

Tech-NO!

The title of this blog is possibly a little misleading.  I’m not advocating no technology. For a start, I couldn’t write this blog without it. I just want to make the point tech isn’t the answer to everything and particularly that solutions to Cyber-Crime are not purely technical.

In a speech at the Billington Cyber Security Summit last week, Ciaran Martin, the incoming CEO of the National Cyber Security Centre set out how this new organisation will work.  I applaud the establishment of this organisation.  Cyber defences in the UK are currently disparate, competitive and confusing.  You can’t fight a war with an army that is competing internally so to bring all functions under ‘one roof’ has to be a good start.  Providing a ‘one stop shop’ for Cyber Security advice and guidance is great.  However will it be a ‘one stop shop’?

After reading Mr Martin’s speech, I was concerned that there appears to be little or no focus on the softer side of Cyber Security.  Nearly all of the speech concentrates on the technology solutions the organisation will put into place.  There is no doubt that the solutions are innovative and as such possibly a little controversial, but even the best technology solutions cannot be the complete solution.

Let’s use an analogy of a secure building.  We may build big walls and high fences, to ensure that these are not scaled we install anti-climb technology.  We put access control on the doors with pin code assess for added security.  The alarm systems cover any eventuality and there are cameras covering every perceivable angle.  Shatterproof windows and break alarms are also a must.  At great cost, we have it all covered.  But we fail to tell staff the importance of keeping their access cards and details safe and the reasons why.  Someone’s access card is stolen and because the pin code is difficult to remember they have written it on the card.  Suddenly all the security mechanisms are redundant a potential villain has the keys to the castle.

This analogy can easily be aligned to Cyber-Crime.  We can put all the security technology in place, but if one of the system users gives away the keys to the ‘IT Castle’ it will be in vain.  Kevin Mitnick, probably the world’s most famous hacker stated in his book The Art of Deception: ‘the human factor is truly security’s weakest link’.  This view is supported by the rise in social engineering attacks taking place in an attempt to circumvent the increases in technical security.

It is for this reason I was very disappointed not to see a ‘human’ element to the National Cyber Security Centre.  UK businesses not only need technical advice, but they need to know how to educate their staff and what to educate their staff in.  Let’s hope that tech is seen as a higher priority at this point and the Human Factors will soon follow.

Featured image by: Charles Stanford Flickr Commons

Tech-NO!

Let’s reduce the use of the ‘C’ Word

JCB Backhoe Loader
An Asset – Picture by Ramesh NG

Prior to acquiring a new asset like the lovely digger in the picture above, a business would assess:

  • Can we afford it?
  • Do we buy outright or lease?
  • What will be the on-going costs be?
    • insurance;
    • maintenance; etc.
  • Do we have the skills in the organisation to us it?
    • Can anyone use it or do we need to train a specific cohort of people to use it?
  • What risk come with owning it?
    • Could it be stolen?
    • What happens if it breaks down?
    • Could it increase the damage we could do,over a man and a spade? (I don’t work in construction)
    • if we become reliant on it what will be happen if it is no longer there?

So why don’t these similar questions get asked about the information assets a company owns. But would the company who buy the digger necessarily think the same way about their information assets?  Do they view information as an asset?  It appears that many business, large and small don’t and don’t view the tools they use to access information as an asset either.  What would they do though if the information they have come to rely on and take for granted was unavailable?

Without access to information, how long would the average company last? There is a massive amount of information about this on the internet,  some ‘facts’ I have found include:

  • 30% of all businesses that have a major fire go out of business within a year. 70% fail within five years. (Home Office Computing Magazine).
  • 60% of companies that lose their data will shut down within 6 months of the disaster.
  • 93% of companies that lost their data centre for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately. (National Archives & Records Administration in Washington).
  • Companies that aren’t able to resume operations within ten days (of a disaster hit) are not likely to survive. (Strategic Research Institute).

So why would an organisation spend time and effort assessing the business risk around a asset like a digger and not do the same for their information assets.  It is no more difficult is it?

Well it probably is.  For one thing information is not tangible any more. Pre-computers it was , one could hold it, see it know where it was.  Today it is a bit mysterious.  But there is more of it and we are actually more reliant on it. Secondly, for years the technology industry has been selling the message – information is safer stored electronically.

A whole industry has grown up around information security and with it a culture.  One that is cloaked in mystery and techno speak.  Language that is not aligned to business. A language that can generate massive amounts of FUD (Fear Uncertainty and Doubt) and this is probably the major issue.

Nearly 30 years ago when I first ventured into IT we revelled in our own language.  A language that made us feel special, aloof and expensive!  After many spectacular IT failures the profession realised that to achieve success it had to align to business needs and work alongside the business to deliver goals.  I see parallels emerging with the Security Industry.  We need to better align with business and make the risks associated with information relevant to the business.  Understand what the business wants to achieve and help them do that safely, easily and cost.  We need to work alongside the business. The ‘C’ word – Cyber (oh heck I’ve said it), it  scares many businesses leaders into inertia, so let’s reduce the use of it and speak our cutomers’ language and we where that get us.

Feature image by: www.gotcredit.com

Let’s reduce the use of the ‘C’ Word

Password INCORRECT

Art of Deception

I have just finished reading The Art of Intrusion’  by Kevin Mitnick and William M. Simon.  Some may remember the name Mitnick, he is probably one of the most famous hackers of all time.  In this book Mitnick and Simon present real life cases of computer hacking.  Whilst it is now ten years old, many of the stories told in the book are, sadly, still relevant today.  What took my attention was the statement at the very end of the book: pages 258 & 259 to be precise, which I hope Mr Mitnick and Mr Simon don’t mind me reproducing here:

And that seems like a powerful message to end with. If every computer user were to improve his or her passwords tonight — and not leave new passwords in some easy-to-find place — then tomorrow morning, we would suddenly find ourselves living in a much more secure world.

We hope that will be an action message for every reader of this book.”

I’m sure the book has had success, but how many people have taken note of that last paragraph and actioned it?  The message about passwords is forever being talked about.  Every year SplashData produce a list of the top passwords used worldwide. In 2015 the number 1 position was held by the password ‘123456’ closely followed in second position by ‘password’ and then ‘12345678’.  One of the first things hackers want, is to get hold of a password.  Once they have one of these, their task is much easier and it looks like the users of computers are not making this too difficult.

Passwords are a pain though.  I think I have over 70 now and trying to dream up new passwords for every site/system and then changing them regularly is even harder.  It is recommended that passwords are complex, between 8 and 12 characters and also contain special characters such as #^&? etc.. So personally, I am expected to remember:

  • 840 characters;
  • the associations of those characters to sites/systems;
  • the reminders that will help me remember my password!

And change them all regularly.  If I follow security recommendations of changing passwords every 90 days, that means annually I am having to remember 3,360 characters just in connection with my computer activity.  That’s hard and is probably the reason people reuse, write them down or have ridiculously simple ones. But until something more reliable comes along we are stuck with the dreaded things and we have to make the best of them.

When reading Mitnick’s final paragraph, I remembered the work that had recently been published by CESG in cooperation with CPNI – Password Guidance Simplifying your Approach.  In what seems to be a very well written and straightforward document they recommend, amongst other things, lightening the burden on users.  Specifically they state:

  • Users have a whole suite of passwords to manage, not just yours.
  • Only use passwords where they are really needed.
  • Use technical solutions to reduce the burden on users.
  • Allow users to securely record and store their passwords.
  • Only ask users to change their passwords on indication or suspicion of compromise.
  • Allow users to reset passwords easily, quickly and cheaply.
  • Do not allow password sharing.
  • Password management software can help users, but carries risks.

This seems sound practical advice.  So I would recommend that if tomorrow, every business looks at their password policy and revises it in line with the CESG advice then we could find ourselves living in a much more secure world.

Reducing the risk of the risk of this:

Password - Incorrect

Featured image by: Eric Schumuttenmaer

Password INCORRECT

Now have I patched my wet ware?

Divers in Peaches
Picture by: Hans-Peter

No this blog is not about diving or any other type of sports where one might get wet.  Wet Ware is a rather unattractive name some security professionals give to the user of a computer system.  It is claimed that it is impossible to ‘patch’ Wet Ware which results in it being the most vulnerable part of most systems.

In my last blog, I suggested that not all cyber (I am growing to dislike this term) incidents can be prevented by technology.  There had been a recent incident at Lincoln County Council, which had been caused by a user opening a bad email and clicking the link it contained.  Patching our wet ware (last reference I promise) is actually becoming more important than ever.  It is not impossible, but it is not a small task.

In the PWC Information Security Breaches Survey 2015 It has been reported that 50% of the worst security breaches in the year were caused by inadvertent human error.  The numbers are rising as well.  There was a 58% increase in large companies and 31% increase in small companies of breaches as a result of human error.

Dealing with this is multifaceted:

  • The top of the organisation has to be seen to ‘do the right thing’.  If top management are ‘gun ho’ handling company information, then you can be sure the rest of the organisation will be.
  • Policies and procedures.  I know these are considered a pain.  But they don’t have to be, they can be short and only cover what is needed.  Policies and procedures are important they give employees a reference point.  I have very different standards in the management of my information to that of some of my customers, but their policies give me a point of reference to how I should behave.  Without that I may do my own thing.  What policies should a business consider?  That depends largely on the risks they feel they are mitigating but as a minimum the following could be considered:
    • Document control.  Where and how is information stored, who can access the stores? How long do you retain the information for your records?
    • Protective marking of information.  Ask yourself a question:  If I rang your company, spoke to a secretary, sounded knowledgeable and asked for some information would they know if I was allowed to see it?  A simple marking systems which indicates the level of sensitivity of the information would provide that guidance.  So if I rang and ask to see a document that was marked Company Eyes Only, they would instantly know that they could not send it outside of the organisation.
    • Joiners, Movers and Leavers actions.  What do you do with system access rights on each of these occasions?
    • Use of removable media like USB sticks, CDs or Cloud transfer services such as OneDrive, DropBox etc.  Once data leaves your system and enters one of these environments, what control do you have?
    • Bring you own device.  What devices of their own are you going to allow you employees to use for work related activity?  What are their responsibilities if they do use their own technology?  What are you going to do to prevent loss of data on that device etc.
  • Training. You have your policies and procedures and now you have to inform people what they are how to use them and why they are relevant.  In addition to training on the policies, I would also include training on responsible business use of the internet and especially social networking.

In the bullet points above, I have skimmed the surface of what organisations should consider to ensure their employees don’t become the weakest link in the Information Security Chain.  Combine this with general development and it will not become too onerous a task.  Certainly a lot less hassle than a breach, which the PWC report says now costs on average £40,000 – £250,000 for small companies and between £800,000 and £2.1m.  Ouch!

www.sandettie.co.uk

 

 

Now have I patched my wet ware?

Do I need a cyber-proof widgimewit?

Cyber Widget
Picture by Dan Zen

Cyber Security is not about technology.  Cyber Security is about managing a corporate risk and that means assessing it as a whole: People, Process and Technology and putting up the correct level of mitigation.  When I read about Cyber Security all I seem to see is technology that I need to buy to prevent bad people gaining access to my network, PC, Tablet or Phone.  Technology is one element and to my mind something the technologist should be left to once the risk is evaluated and understood.  Without understanding the risks it is easy to spend a fortune on the latest cyber-proof widgimewit which is actually unnecessary for your level of risk and isn’t doing much for you.

One area I see constantly neglected is staff training.  When I first started to work in an office, we were fairly good at managing and protecting our information.  We were trained on the filing system, and cabinets and offices were locked at the end of the day.  If a file was loaned, tracers were used and the office I worked in used a marking system so we know how much of various pieces of information we could share, which I understand was common practice in most large companies.  If you dare mess up the filing, not complete a tracer card or not enter a new document into the register you risked the wrath of the office manager.

With the use of electronic filing systems discipline seems to have gone out of the window, along with the training that went with it.  After all the technology will take care of it won’t it? No.  And these bright young people we employ will work it out from themselves won’t they? No.  The technology not only brings with it a potential for poor information management processes, it also brings additional information security headaches and they can’t all be solved with technology.  Take the recent example of Lincolnshire County Council.  Last week they experienced the dread of a Ransomeware attack.  A piece of malicious software that scrambles the data on computers rendering it useless.  For a fee the attackers claimed they would provide the key to unscramble the data.  It was reported that the council did not pay the ransom. That was the right thing to do, but they subsequently spent considerable time fixing the problem during which no IT was available and effectively, business was suspended.  This must have cost the Council, not only cash, but also damage to their reputation.  What caused the problem?  A link in an email was clicked by a member of staff and this triggered the malware.  I have to say,  there but for the grace of god go I.  Only this week I was nearly fooled by one of these emails, but the knowledge I have makes me a little more cautious and makes me always have a second read.  It is time that we re-instilled the discipline and training that we used to have around information. I am not saying that training would have prevented the particular incident in Lincoln, but it could have.

Do I need a cyber-proof widgimewit?