PC PORTAL

Experienced. Trusted. Solutions.

Cyber Crime

By

UK NCSC chief highlights resilience as key to better security

Here’s a question for security professionals to ponder: why are we only ever a few clicks away from disaster? It’s inspired by a recent presentation in Dublin by Ciaran Martin, CEO of the UK National Cyber Security Centre. On a visit to Dublin earlier this month, the UK’s cybersecurity chief stressed the importance of building resilience into critical systems, and into security planning more generally.

Martin pointed out that the internet is fundamentally not designed to be secure. So, asking someone who isn’t a security expert to follow complicated advice, about using passwords for instance, is an unfair burden. “We rely on millions of citizens to do impossible things to ensure cybersecurity,” he argued.

“You have to assume that people are going to click on things; worry instead about what happens when the compromise happens,” he said. Part of this effort involves fixing things the user has very little control over, Martin said. “Whilst education and training are important, what we want to do – and this is open to debate – is to make sure the interventions are as far up the food chain as possible.”

In other words, those in charge of the Government’s social welfare payments system need to make sure it’s near-impossible for a criminal to defraud it for millions with a simple phishing email. Nor should it be possible for a single rogue individual to steal sensitive information without raising an alarm.

Damage control

Another part of a resilience strategy involves thinking about how much damage an attacker could do if they got into a system. That leads to building systems that don’t have an ‘off’ button. “Make it hard for an attacker to do systemic damage,” Martin said.

It also involves developing safe backup plans for when some part of the system isn’t available. Martin made an analogy with an air traffic control tower whose technical systems go offline. “The emphasis is not on recovering the system but [to prioritise] landing the planes in the old fashioned way,” Martin said.

The UK is already putting this approach into practice. The NCSC is working with the Bank of England while it phases out its legacy interbank payments clearance system. Part of the upgrade programme includes building in resilience, so a basic attack can’t bring down the entire system.

It’s encouraging to hear such a senior cybersecurity figure talk about the issue in these terms. Regular readers of this blog may remember Brian Honan talking about the need for resilience when developing cyber security strategies.

The post UK NCSC chief highlights resilience as key to better security appeared first on BH Consulting.

By

Security newsround: October 2018

We round up interesting research and reporting about security developments from around the web. This month: data breaches are up (again), help with hacks, incident response, attacks on trust providers and a numbers game.

Breach over troubled water

More than 4.5 billion data records were compromised in the first half of 2018. That’s a 133 per cent increase from last year and a staggering 1,751 per cent up on the first half of 2015. And if those stats aren’t scary enough, try this one: the total number of breached records equates to 291 every second, on average.

The findings come from Gemalto’s 2018 Breach Level Index. The company also found that the average records per incident is growing at an alarming rate. In 2015, the average was 276,936 records; by this year, the average stands at 4.8 million records per incident. The arrival of GDPR has cast a fresh spotlight on the risk of data breaches.

Common hacks and how to stop them

A new report throws the spotlight on commonly used hacking tools and ways of stopping them. The report is a joint collaboration between the cybersecurity authorities of Australia, Canada, New Zealand, the UK, and the US. The report gives an overview of tools that attackers are known to have used in recent incidents. They give the ability to plant backdoors or exfiltrate data, gain remote admin control of web servers or move laterally in compromised networks.

“The intel is designed to give enterprises a better awareness of what they’re up against so they are better positioned to prepare defences,” The Register reported. The report is for network and systems administrators, and anyone involved in incident response. It’s available free here.

Best practice incident response

Stuck for ideas to develop an incident response plan? The cybersecurity unit at the US Department of Justice might be able to help. It has updated its guide to best practice for victim response and reporting cyber incidents. The 25-page document includes sections covering pre- and post-event actions, as well as advice on what not to do. Also included: threat education for senior management, plus advice on engaging with law enforcement and with incident response specialist firms. It’s available to download at this link.

Breakdown of trust

ENISA has published its first full-year annual report about significant security incidents at trust service providers in the EU. The document covers all of the incidents during 2017 involving services that make electronic transactions more secure, like digital signatures and certificates, or electronic seals and timestamps. The report found that half of the security incidents rated as ‘severe’ and a similar number had impact across borders. The most affected services were e-signatures and e-seals. System failures and third-party failures were the most common root causes, each with 36 per cent. The report summary is here and the full report is free to download here.

Security’s search for meaningful metrics

Better security starts with knowing what you need to defend against; data beats anecdotes every time. The problem is, cybersecurity metrics suffer from inconsistency. An article in Defense One reports that NATO member governments have different ways of counting what constitutes a cyber attack. That’s a problem, says the article’s author Stefan Soesanto. “Without published standards and discernable metrics … warnings are of no real value to the public. We simply do not know whether 6,000 annual attacks against NATO’s infrastructure is a lot or whether any of the 24,000 attacks against the French MoD were serious.”

John Pescatore of SANS Institute compared this to the retail sector, which uses revenue loss from shrinkage as a more reliable figure than the number of attempted thefts. “That is why reports looking at actual damage like the Verizon Data Breach Investigation Report and Microsoft’s Security Intelligence report [well, parts of it], are much more useful than the numerous ‘billions and billions of attacks are being observed’ reports,” he wrote.

Better security through privacy audits?

Here’s one interesting fact to emerge from the news that Google was finally killing off Google+. (Not counting the fact that Google+ still existed, surprising many of us who assumed it disappeared years ago). Up to 500,000 Google+ user accounts were potentially at risk of exposing their data to external developers. Here’s the kicker: Google reportedly discovered the exposure during GDPR and privacy checks as part of its Project Strobe initiative.

Some reports led with Google’s decision not to disclose the flaw because the company feared it would lead to closer regulatory scrutiny. But would this have actually happened? Stripe’s Tommy Collison noted that although the data was exposed, it’s not technically a breach since Google claims no-one has misused the information.

Things we liked

ISACA has introduced a new programme to help people to acquire and prove skills in auditing cybersecurity processes, policies and tools. MORE

Why return on investment calculations might not tell the whole story when it comes to cybersecurity investments. MORE

Brian Krebs interviews Tony Sager, former NSA bug hunter and now VP at the Center for Internet Security about a very timely subject: supply chain security. MORE

Finland’s data protection authority has some great guides for data subjects, including this English-language document about how to make a subject access request. MORE

A new Irish initiative aims to put 5,000 people to work in the field of cybersecurity over the next three years by upskilling them. MORE

IBM launched a free cybersecurity learning resource aimed at girls, called ‘’Securing the Internet of Things’. MORE

 

 

The post Security newsround: October 2018 appeared first on BH Consulting.

By

EU Cyber Security Month roundup – advice on staying secure

During October, BH Consulting has been sharing daily advice about digital security and privacy on its social media channels as part of EU Cyber Security Month. This blog gathers together all of these tips into a single place. As each week goes by, we will keep adding to the content, in descending order. By the end of October, it will be a single resource for security advice you can share with colleagues or friends and family.

EU Cyber Security Month – tips from week four

For week four of our campaign, we looked at ways to improve online security and privacy in our personal lives. With recent social media breaches still fresh in the memory – or at least they ought to be – it’s worth reviewing privacy settings on these sites. We shared a link to Europol’s page with excellent tips for adjusting the settings on some of the most popular social channels like Snapchat, Instagram, Twitter and Facebook.

Staying with social media, our following tip covered the risk of sharing misinformation. Sometimes we do it with good intentions, but it’s always worth checking the truth with a reliable source. As Brian blogged earlier this year, the internet is a breeding ground for urban myths and untruths. “Every time we unthinkingly share false news, we’re helping them to grow and spread.”

Our Wednesday warning covered the phenomenon of scam calls, which are still very prevalent. Apart from the nuisance value, they could be criminals tricking you into divulging bank details, or stealing your money. For this tip, we shared a link to the Office for Internet Safety, which has a range of guides on ensuring a safer online environment.

Our Thursday tip urged people to watch for suspicious web addresses and scam offers. Visiting fake websites could infect your tablet, mobile or laptop with malware – or steal your data. The consumer magazine Which has some excellent advice on how to spot fraudulent websites.

Continuing the theme from our previous message, our Friday post warned of face shopping websites. That’s a year-round risk but it’s especially true in the runup to the holiday season. As our blog from last year shows, if you plan to part with your money online, make sure you only visit safe, verified websites.

EU Cyber Security Month – tips from week three

Week three of EU Cyber Security Month began with a reminder about the importance of reading. Well researched, highly regarded reports like Europol’s IOCTA (internet organised crime threat assessment) and the Verizon Data Breach Investigations Report are valuable sources of intel.

Improving security culture is often a matter of taking some simple steps to improve readiness. The UK’s National Cyber Security Centre looks at 10 of these areas with a series of free guides. The advice includes making security a board-level responsibility, through to implementing secure configuration and managing user privileges to stop threats.

With threats and risks changing all the time – while your organisation also adapts and grows – it’s essential to stay on top of current best practice. Our Thursday tip reminded that it’s always worth refreshing your knowledge of network and information security. We linked to a quick-fire quiz from the organisers of EU Cyber Security Awareness Month. Taking the quiz might identify areas where you can up your game.

Our fourth tip of the week was aimed at organisations with mature security controls. For those with confidence in their defences but wanting to improve, a red team exercise can identify possible weak points. Here’s our blog about the benefits of red teaming.

Now that we accept that security incidents can lead to business downtime, what can we do about it? We start by making the organisation resilient. This happens through agreed processes and careful preparation so that if the worst happens, the business can keep operating. BH Consulting CEO Brian Honan has spoken about this very topic, and that was our link for the final tip of the week.

EU Cyber Security Month – tips from week two

We kicked off week two of EU Cyber Security Month with a reminder that information security covers more than just data. Having a clean desk policy at work can protect important information in physical documents, as well as computers. Here’s a good sample policy developed by SANS Institute.

Our second tip of week two covers a key starting point for any good security plan. Knowing what data you hold helps in making choices about what level of protection it will need. (This is also an important part of privacy and data protection strategy, too.) We recently blogged about classifying data in this way, referring to IBM’s recent decision to ban USB storage keys.

Day three was a reminder that data breaches and security incidents are crimes. By reporting these cases to police, victims not only help with the investigation of their own incident, they also contribute valuable information to help law enforcement tackle cybercrime.

Next, we explained how digital forensics capability can help in tracing internal security incidents. Companies with the security resources in place can set up their own digital forensics lab without needing a large investment. Having an in-house lab allows security teams to carry out inquiries into everything from a security breach to HR issues.

Rounding out our advice for the week, we focused on the importance of risk assessment. This is where security and business goals meet. The key to developing solid risk assessment is to have a repeatable approach that guides your decisions. For this tip, we linked to David Prendergast’s excellent blog with advice on developing just such a risk assessment framework.

EU Cyber Security Month – tips from week one

Our first tip raised awareness of the need to prevent CEO fraud and fake invoice scams in your business. This is easy to do and doesn’t need technical fix; it’s just a matter of changing your business processes. Anyone with access to payment systems should check with a colleague before paying money to unfamiliar accounts. Here’s a link to a recent blog we posted about this.

Tip number two covers ransomware, which is one of the most widespread security threats today. Regularly backing up your data can help you recover from a ransomware infection. You’ll find more details here.

For our third tip of the week, we looked at phishing: one of the most effective tactics in an attacker’s arsenal. One of the best investments you can make is in security awareness: train company staff to spot fake emails.

We use so many different online services and invariably, they all ask us for a password. It’s vital to use different pass phrases a password manager when logging in to these services as securely as possible. Here are our tips on what to do – and not to do – when choosing a password.

For our last tip of week one, we covered data breaches. Unfortunately, they’re all too common and there seems to be a new incident on an almost weekly basis. Planning and preparation in advance of a possible breach means you’ll be ready to react if the worst happens. In today’s climate, you’ll be judged not on having suffered a breach but how well you respond to it. Here’s our advice for putting that plan in place.

Be sure to check back as we update the page throughout October. You can also catch the daily tips as they land by following BH Consulting on Twitter or on LinkedIn.

 

The post EU Cyber Security Month roundup – advice on staying secure appeared first on BH Consulting.

By

Plan for potential incidents and breach scenarios, cybersecurity conference hears

Businesses should prepare an incident plan for security breaches in advance to know what resources they’ll need to deal with it. Speaking at the Technology Ireland ICT Skillnet Cybercrime Conference earlier today, Brian Honan said that running different scenarios can help businesses identify whether they’ll need assistance from IT, legal, HR or public relations.

Research from the Institute of Directors in Ireland has found that 69 per cent of SMBs claim they’re prepared for a data breach. Brian flipped that statistic to point out that this means almost one third of business owners have no such plan.

Never mind cyber; it’s crime

He also encouraged companies to report incidents like ransomware, CEO fraud or a website infection. “Don’t forget you’re the victim of a crime. In most cases, a cybersecurity incident is treated as an IT problem, not even a business issue or a crime. It’s a mindset change. It’s not separate to your business, it’s integral to it.” To help make that change, he suggested: “we should drop the name ‘cyber’.”

When businesses have to disclose an incident, Brian called on them not to use the phrase ‘we suffered a sophisticated breach’ – because most times, it’s not true. In many cases, incidents are due human error, or to bad practices like poor passwords. “If you’re using cloud email, enable two-factor authentication and educate people in using secure passwords. Encourage them not to click on suspicious links,” he said.

Other attacks exploit platforms like WordPress and Joomla. Businesses using those tools to run their websites need to continuously manage and update them, Brian said. “Many web vulnerabilities and threats like attack types like SQL injection are known about for over 10 years,” he said.

Steps to better security

Companies can take several steps to improve their security, such as establishing policies. “They’re very important – they set the strategy for the business and help everybody to meet it,” said Brian. Having systems to monitor and respond to suspicious activity is also essential. “Look at the physical world: you can’t guarantee your business won’t be burgled. It’s the same in online world, but we need to be able to detect when it happens,” he said.

The best security investment a business can make is in awareness training for employees, Brian added. These programmes educate staff about how to identify potential attacks, and how to handle information in a secure way.

He also encouraged businesses to disclose when they have suffered an incident, to help improve overall security. “Everybody will have a breach, there’s no shame in that, so let’s get over that and share information to help each other,” he said.

Tackling the cybersecurity skills gap

Research shows a high proportion of security breaches take months to recover from, which is partly due to an industry skills shortage. “The biggest problem we have is a lack of skilled staff in cybersecurity,” Brian said. The conference saw the launch of a new programme to train 5,000 people in cybersecurity over the next three years. The Cybersecurity Skills Initiative aims to address the shortage in skilled security personnel.

It’s worth asking whether the industry is open to candidates without formal degrees in cybersecurity or computer science. Brian said some companies may need to relax restrictive HR policies such as requiring formal degrees in security or computer science to attract the right people into security roles. Otherwise, they could be missing out on enthusiastic, experienced and skilled people.

 

 

The post Plan for potential incidents and breach scenarios, cybersecurity conference hears appeared first on BH Consulting.

By

BH Consulting marks EU Cyber Security Month with daily tips on staying secure

October is EU Cyber Security Month and to mark the occasion, BH Consulting will be sharing advice about digital security and privacy. Every working day during October, we’ll post useful information on our Twitter feed and on our LinkedIn page.

These short tips will draw attention to common security risks and threats that many of us face. We’ll be using various hashtags as appropriate, including #CyberSecMonth, #Cybersecuritymonth2018 #cyberaware, #cyberhygiene and #saferinternet4EU. (We also recommend you visit the official website for the EU-wide awareness campaign, at www.cybersecuritymonth.eu.)

Staying secure at work and in the home

The themes we plan to cover include staying secure in the workplace by preventing CEO fraud, ransomware, phishing and spam. As the month goes on, we’ll also give advice you can pass on to family members about protecting personal information and using digital technology securely.

Many of our posts will link to blogs we have written or to other open source security awareness material. At the end of each week, we’ll round up those tips into a post which we’ll publish here on our blog. This will be a ‘living’ post about EU Cyber Security Month that we’ll keep adding to as each week passes during October.

Please like and share widely to help us spread the word and improve security awareness for everyone. And a quick reminder: we also publish a monthly newsletter for information security professionals and people working in related roles. You can sign up for the newsletter

The post BH Consulting marks EU Cyber Security Month with daily tips on staying secure appeared first on BH Consulting.