PC PORTAL

Experienced. Trusted. Solutions.

Cyber Crime

By

Games people play: testing cybersecurity plans with table-top exercises

If a picture is worth a thousand words, and video is worth many multiples more, what value is an interactive experience that plants you firmly in the hot seat during a major security incident? Reading about cyberattacks or data breaches is useful, but it can’t replicate the visceral feeling of a table-top exercise. Variously called war-gaming scenarios or simulated attacks, they can be a valuable way of helping boards and senior managers understand the full implications of cyber threats. More importantly, they can shed light on gaps where the business can improve its incident response procedure.

These exercises are designed to be immersive. They might start with a scenario like a board meeting, or a company orientation day. All participants will get a role to play; for the purpose of the session, they might be designated as a head of HR, finance, legal, or IT. As the scenario starts to unfold, a message arrives. The press has been enquiring about a major data breach or a ransomware attack on the company.

Muscles tighten, a wave of nausea passes over the stomach. The fight-or-flight instinct starts to take hold. Your role might say manager, but you don’t feel like you’re in control.

What happens next?

That will depend on how much preparation your business has done for a possible cybersecurity threat. Some companies won’t have anything approaching a plan, so the reaction looks and feels like panic stations. At various points during this exercise, the facilitator might introduce new alerts or information for the group to react to. For example, that could be negative commentary on social media, or a fall in the company stock price.

The exercise should prompt plenty of questions for the participants. What exactly is going on? How do we find out what’s happened? How is this affecting operations? Who’s taking charge? What do we tell staff, or the public, or the media?

A growing sense of helplessness can be a powerful spur to make rapid changes to the current cybersecurity incident response plan (assuming there is one).

Other organisations may already have a series of steps for what to do in the event of an incident or breach. In these cases, the table-top exercise is about testing the viability of those plans. You can be prepared, but do the steps on paper work in practice? Or as Mike Tyson memorably put it, “everybody has a plan until they get punched in the mouth”.

The exercise can show the value of having a playbook that documents all procedures to carry out: “if X happens, then do Y”. This will also shed light on missing steps, such as contact numbers for key company executives, an external security consultant, regulators, law enforcement, or media.

Fail to prepare, prepare to fail

When it comes to developing or refining an incident response plan, the devil is in the detail, says David Prendergast, senior cybersecurity consultant at BH Consulting. Here are some useful questions to ask:

  • If your policy says: ‘contact the regulator’, ask which one(s)
  • Who is the specific point of contact at the regulators office?
  • Does the organisation have the email address or phone numbers for that person?
  • Who in your company or agency is authorised to talk to the regulator?
  • What information are they likely to need to have that conversation?
  • Do you have pre-prepared scripts or statements for when things might go wrong (for customers, stakeholders, staff, and media (including social media channels)?

It might also force the company into making certain decisions about resources. Are there enough internal staff to carry out an investigation? Is that the most appropriate use for those employees, or is it better to focus their efforts on recovering IT systems?

That’s the value in table-top exercises: they afford the time to practice when it’s calm and you can absorb the lessons. There are plenty of examples of companies that handled similar situations spectacularly badly in full public view. (We won’t name names, but the list includes anyone who uttered the words “sophisticated attack” before an investigation even started.)

By the (play)book

It’s more helpful to learn from positive examples of companies that showed leadership in the face of a serious incident. That can be as simple as a statement of business priorities while an organisation copes with the fallout. In 2017, as Maersk reeled from a ransomware infection, CEO Soren Skou gave frontline staff in 130 countries clear instructions. As the Financial Times reported, the message was unequivocal even as the company was forced into shutting down IT systems. “Do what you think is right to serve the customer – don’t wait for the HQ, we’ll accept the cost.”

Some larger companies will run an exercise just for themselves, but some organisations run joint war-gaming scenarios with industry peers. Earlier this month, financial institutions and trade associations from around Europe carried out a simulated ransomware attack.

According to FinExtra, the scenario took the form of an on-site technical and hands-on-keyboard experience. There were 14 participants at CISO and CIO level, along with many more observers from other companies in the financial sector. The aim of the event was to encourage collaboration and information sharing with other teams and organisations to improve collective defences against cyber threats.

Whether it’s a war-gaming exercise or a table-top event, the goal is the same: to be ready for the worst ahead of time, and knowing what steps are available to you when bad things happen for real.

The post Games people play: testing cybersecurity plans with table-top exercises appeared first on BH Consulting.

By

Security for startups: why early-stage businesses can’t neglect this risk

In the early days of a startup, it’s easy to get caught up in the buzz of building a new business. Keeping so many plates spinning – from
fundraising and hiring to shipping product – can mean security sometimes falls off the priority list. But in the face of ever-rising volumes of data breaches and security incidents, it’s a subject that early-stage companies can’t afford to ignore.

That was one of the key themes from a wide-ranging discussion at Dogpatch Labs, the tech incubator in Dublin’s docklands. The speaker was Todd Fitzgerald, an information security expert and Dogpatch member. His ‘fireside chat’, as the event organisers dubbed it, looked at why no company is too small to develop a cybersecurity strategy.

Pragmatic approach

Todd shared insights into a pragmatic approach to cybersecurity strategy and the implications of recent security and privacy breaches. “Any company that doesn’t have cybersecurity as one of their top five risks is really not addressing cybersecurity,” he said.

Recent ransomware outbreaks have shown cybercrime’s huge impact, no matter the size of the victim. FedEx and Maersk each suffered $300 million in damages from the NotPetya ransomware. Data breaches are a growing risk. In 2005, there were an estimated 55 million reported breaches in the US. Now, that figure is somewhere close to 1.4 billion. As Todd pointed out, those are only the ones we know about because victims have reported them.

Startups, in tech especially, often rely heavily on data but that brings added responsibility. “If you don’t know where your data is and you don’t know the privacy laws around it, how can you give any kind of assurance [to customers] that you’re protecting that?” asked Todd.

Strategy vs execution

The moderator asked the obvious question: why should startups care about cybersecurity when they’re concerned about getting product out the door? Financial loss due to ransomware is one reason, and there are many other common security issues a startup needs to think about. Protecting valuable intellectual property is critical. If a startup’s bright idea falls into the wrong hands, a competitor could reverse engineer the code and bring out a copycat product in another market. “It’s the same issues, just the scale is different,” Todd said.

Startup teams can change quickly while the business is still evolving, so another risk to watch is staff turnover. Without proper authentication, ex-employees could still have access to confidential files after they leave the company. Simple carelessness is another potential threat: someone might accidentally delete important code from a server. Startups need to put incident response processes in place in case the worst happens. “There is business benefit to having good security,” Todd said.

For founders with no infosecurity experience, Todd also offered advice on protecting an early-stage company on a shoestring budget. He recommended speaking to an independent consultant who can advise on a cybersecurity strategic plan that reflects the business priorities.

Starting on security

Startup founders can start to familiarise themselves with the subject by reading cybersecurity frameworks like ISO 27001. The information security standard costs around €150 to buy, is easy to read and is suitable for companies of any size. “Walk through it and ask yourself: ‘would I be protected against these cybersecurity threats?’ That will probably prompt you to do a vulnerability assessment against your environment,” he said.

Todd Fitzgerald has more than 20 years’ experience in building, leading and advising information security programmes for several Fortune 500 companies. He has contributed to security standards and regularly presents at major industry conferences. A published author, he wrote parts of his fourth and most recent book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, in Dublin.

The post Security for startups: why early-stage businesses can’t neglect this risk appeared first on BH Consulting.

By

It’s oh so quiet: get ready for stealthy malware in 2019

It’s unlikely we’ll ever look back fondly to a time when ransomware would announce itself noisily. But at least victims knew they were under attack. Now, the signs are that malware’s adopting sneaky tactics to avoid detection.

Fileless malware looks set to be a significant security threat in 2019, and that could be bad news for anyone using traditional antivirus tools. In the past, most infections involved installing malicious software on a target’s hard disk. But in doing so, it left a signature that alerted security software to its presence. Fileless malware, on the other hand, exists only in memory. It leaves none of the traces that traditional infections do, making it much harder to identify, stop, and remove.

That’s leading to a potential gap in security defences that attackers seem to be exploiting in growing numbers. SentinelOne tracked a 94 per cent rise in fileless attacks during the first half of last year. Research from the Ponemon Institute and Barkly found fileless attacks accounted for 35 per cent of all attacks during 2018.

Under the radar

Now, most leading security software companies like Symantec, Trend Micro and McAfee Labs recognise this type of undetected malware. It was also the subject of a recent webinar by Malwarebytes. Its senior product marketing manager Helge Husemann namechecked SamSam, Sorebrect, Emotet and TrickBot as some of the biggest fileless malware types from 2018.

Emotet is the biggest example of this type of “under the radar” malware. It’s been around since 2014 and it acts as a downloader for other malware. It uses leaked NSA exploits and it comes with a built-in spam module that allows it to spread to other systems. The attack often starts as an email that pretends to come from a government service, like the tax office.

Husemann said Emotet’s primary focus has been English-speaking, Western countries. Many of its targets were in the US, while the UK had more Emotet infections than any other European country in 2018. Last October, Emotet was used to spread ransomware to the North Carolina Water Authority.

Malwarebytes categorises the SamSam ransomware as semi-fileless. Husemann said attackers usually install it manually through patch scripts once they have already broken into a victim’s network. The city of Atlanta, which suffered a major outbreak of SamSam in March 2018, has spent around $2.6 million on recovery.

A common attack vector for fileless malware is via PowerShell, which is a legitimate Windows scripting tool but is also popular with cybercriminals. “It provides an opportunity for the attacker to hide the malware and make system modifications if they need to. We will definitely see the usage of PowerShell happening much more,” Husemann said.  

Watching for weak points

Another way to get an infection is by visiting a compromised website. The site’s code then exploits a vulnerability like an unpatched browser or an unsecured Flash plugin on the user’s computer.

Rebooting a system will usually get rid of a fileless infection – but you would need to know you’re infected in the first place. What’s more, rebooting creates challenges for digital forensics investigations because of how fileless malware operates in-memory. Once the infected system is turned off, it leaves no evidence behind.

With thousands of new malware variants coming out every day, it won’t be enough to rely only on signature-based security tools to spot threats. “Malware may be hiding in the one place you’re not checking, which is process memory. After years of loud and obvious ransomware we are entering the stage of quiet information stealers,” Husemann said.  

An effective endpoint solution should consist of three components, Husemann said. First is the ability to prevent a cyberattack through multiple protection layers including web protection, application hardening and behaviour, exploit mitigation, and payload analysis. The second component is the ability to detect threats, using advanced techniques. The third element concerns response: being able to remediate an incident in the fastest possible time, to minimise disruption to business and reduce the impact on end users.

BH Consulting is independent so we don’t have ties to any one product vendor. No matter which security tool you use, it’s clear that the software we used to call “antivirus” still has an important role in protecting organisations’ valuable data.

The post It’s oh so quiet: get ready for stealthy malware in 2019 appeared first on BH Consulting.

By

Security newsround: January 2019

We round up interesting research and reporting about security and privacy from around the web. This month: the security year in review, resilience on rails, incidents in depth, phishing hooks millennials, Internet of Threats, and CISOs climbing the corporate ladder.

A look back at cybercrime in 2018

It wouldn’t be a new year’s email without a retrospective on major security incidents over the previous 12 months. Credit to CSO Online for assembling a useful overview of some of last year’s most common risks and threats. To beef up this resource, it sourced external research and stats, while adding plenty of links for further reading. Some of the highlights include the massive rise in cryptocurrency mining. “Coin miners not only slow down devices but can overheat batteries and sometimes render a device useless,” it warned.

The article also advises against posting mobile numbers on the internet, because criminals are finding ways to harvest them for various scams. CSO also advises organisations about knowing the value of their data in order to protect it accordingly. Threatpost has a handy at-a-glance guide to some of the big security incidents from the past year. Meanwhile, kudos to Vice Motherboard for its excellent ‘jealousy list’ which rounds up great hacking and security stories from 2018 that first appeared in other media outlets.

Luas security derails tram website

The new year got off to a bad start for Dublin’s tram operator Luas, after an unknown attacker defaced its website in a security incident. On January 2nd, the Luas site had this message: “You are hacked… some time ago i wrote that you have serious security holes… you didn’t reply… the next time someone talks to you, press the reply button… you must pay 1 bitcoin in 5 days… otherwise I will publish all data and send emails to your users.”

The incident exposed 3,226 user records, and Luas said they belonged to customers who had subscribed to its newsletter. News of the incident spread widely, possibly due to Luas’ high profile as a victim, or because of the cryptocurrency angle.

The tram service itself was not affected, nor was the company’s online payments system. While the website was down, Luas used its Twitter feed to communicate travel updates to the public, and warned people not to visit the site. Interviewed by the Irish Times, Brian Honan said the incident showed that many organisations tend to forget website security after launch. As we’ve previously blogged, it’s worth carrying out periodic vulnerability assessments to spot gaps that an attacker could exploit. With the Luas site not fully back six days later, Brian noted on Twitter that it’s important to integrate incident response with business continuity management.

One hacked laptop and two hundred solemn faces

When an employee of a global apparel company clicked on a link in a phishing email while connected to a coffee shop wifi, they unwittingly let a cybercrime gang onto their corporate network. Once in, the attackers installed Framework POS malware on the company’s retail server to steal credit card details. It’s one real-life example from CrowdStrike’s Cyber Intrusion Casebook. The report details various incident response cases from 2018. It also gives recommendations for organisations on steps to take to protect their critical data better. In addition to coverage in online news reports, the document is available as a free PDF on CrowdStrike’s site.

Examples like these show the need for resilience, which we’ve blogged about before. No security is 100 per cent perfect. But it shouldn’t follow that one gap in the defences brings the entire wall crumbling down.

Digitally savvy, yes. Security savvy, not so much

Speaking of phishing, a new survey has found that digital natives are twice as likely to have fallen victim to a phishing scam than their older – sorry, we mean more experienced –  colleagues. Some 17 per cent in the 23-41 age group clicked on a phishing link, compared to 42-53 years old (6 per cent) or 54+ (7 per cent). The findings suggest a gap between perception and reality.

Out of all the age groups, digital natives were the most confident in their ability to spot a scam compared to their senior peers. Yet the 14 per cent of digital natives who weren’t as sure of their ability to spot a phish was strikingly close to the percentage in the same age bracket who had fallen for a phishing email. The survey by Censuswide for Datapac found that 14 per cent of Irish office workers – around 185,000 people – have been successfully phished at some stage.

OWASP’s IoT hit list

Is your organisation planning an Internet of Things project in 2019? Then you might want to send them in OWASP’s direction first. The group’s IoT project aims to improve understanding of the security issues around embedding sensors in, well, anything. To that end, the group has updated its top 10 list for IoT. The risks include old reliables like weak, guessable passwords, outdated components, insecure data transfer or storage, and lack of physical hardening. The full list is here.

The number’s up for CISO promotions

Why do relatively few security professionals ascend to the highest levels of business? That’s the provocative question from Raj Samani, chief scientist with McAfee. In an op-ed for Infosecurity Magazine, Samani argues that security hasn’t yet communicated its value to the business in an identifiable way. Proof of this is the fatigue or indifference over ever-mounting numbers of data breaches. Unlike a physical incident like a car accident where the impact is instantly visible, security incidents don’t have the same obvious cause and effect.

“The inability to determine quantifiable loss means that identifying measures to reduce risk are merely estimated at best. Moreover, if the loss is rarely felt, then the value of taking active steps to protect an asset can simply be overlooked,” Samani writes. “We can either bemoan the status quo or identify an approach that allows us to articulate our business value in a quantifiable way.”

The post Security newsround: January 2019 appeared first on BH Consulting.

By

Nine for 2019: New Year tips for cybersecurity and privacy professionals

A new year is almost upon us, and that means one thing: resolutions. Easily made, even more easily broken, they’re nevertheless a useful way of setting goals for the next 12 months. We asked Brian Honan, Tracy Elliott, Sarah Clarke, Valerie Lyons and David Prendergast to share their tips for information security practitioners and privacy professionals. Here’s what you can do differently or better to protect your organisation and its critical data in 2019.

1 Attend security conferences

The first resolution is to attend at least two cybersecurity conferences this coming year. Choose the events well, and they can be a great source of knowledge and learning to apply in the daily security role. “It’s important to pick conferences that you feel will help you learn, not a vendor event that’s about how great their products are. Look for conferences that provide independent speakers, or topics on areas of interest to you,” says Brian.

Another reason to go to more conferences is the valuable opportunity to network with peers. “Sometimes we learn more from talking to others thanfrom training courses or reading articles,” adds Brian.

2 Collaborate more with your peers

Resolve to take key business leaders in your organisation out to lunch, to discuss the challenges they face and understand how security can help them to address those challenges. Those lunchtime conversations can uncover important business needs. For example, HR might have difficulty retaining staff. Devising a secure way to let certain employees work remotely, or from home, could help employee retention rates without putting sensitive data at risk. Similarly, the marketing department might need a way of exchanging large documents and files with external design houses or ad agencies. But how is this possible if the company restricts mailbox sizes and blocks file sharing platforms like Dropbox?

These lunches can help to position the security function as a business enabler, not an obstacle to getting things done. It’s about finding workable solutions that maintain security because otherwise, people will find their own workarounds – and that introduces risk. “When you meet with your business peers, you can better understand their challenges. It becomes about how I as a security professional support that business objective while protecting the company’s key assets. Rather than ‘no”, the security practitioner says ‘yes, but’. Or better still, ‘yes and this is how we recommend you do it’,” says Brian.

3 Rest up

Brian’s third tip for security practitioners is to try and sleep more. By his own admission, it’s slightly tongue-in-cheek but there’sa serious point behind it. There’s a growing conversation around the high levels of fatigue and stress in the profession, leading to burnout. “To be effective, we need to look after our own personal health. It’s important to take steps to ensure we can keep ourselves in the best condition to do our jobs. It’s trying to make sure you’re compliant as well as your security programme,” Brian advises.

4 Get Detailed on Privacy Regulations [GDPR]

Turning to privacy, Tracy Elliott predicts 2019 will see activity around the General Data Protection Regulation [GDPR] move from theory to practice. “A lot of 2018 was about writing data protection policies and putting governance structures in place. The next 12 months will focus on training people in specific jobs in what they need to know about data protection,” she says. 

The responsibility for training and awareness falls to an organisation’s designated data protection officer (DPO). That ranges from simple things like posters in staff canteens to help refresh people’s memory about, and awareness of, GDPR. Then DPOs should identify key roles in an organisation,who need tailored data protection training that reflects their specific job. For example, a nursing home healthcare assistant needs to know about speech privacy as part of protecting sensitive patient information.

5 Batten down for Brexit

Even as confusion surrounds Brexit, it’s time to plan for whatever the outcome might be. (Insert your own joke about seeing the words ‘Brexit’ and ‘plan’ in the same postcode, let alone the same sentence.)

Sarah Clarke points out that a future adequacy agreement is not certain between the UK and the EU. It’s possible that in the event of a no-deal Brexit, the UK will become a third country outside of the EEA. That would mean all transfer of data between Ireland and the UK will be considered as international transfers.

With this in mind, Tracy Elliott says data protection officers should review their organisation’s processing activities. They should identify what data they are transferring to the UK, and whether that includes data about EU citizens. “Consider your options of using a contract or possibly changing that supplier. If your data is hosted on servers in the UK, contact your hosting partner and find out what options are available,” she says.

Larger international companies may already have data sharing frameworks in place, but SMEs that routinely deal with UK, or that havesubsidiaries in the UK, might not have considered this issue yet. All communication between them, even if they’re part of the same group structure, will need to becovered contractually for data sharing. “There are five mechanisms for doing this, but the simplest and quickest way to do this is to roll out model contract clauses [MCCs]. They are a set of guidelines issued by the EU,” Tracy advises.

6 Plan for all outcomes

Here’s where contingency planning is vital. “Use of MCCs has its own risks as they are due an update to bring them into line with GDPR,and Privacy Shield [the EU-US data transfer mechanism] is still on trial,” Sarah warns. However in the short term, MCCs fits the bill both for international transfers between legal entities in one organisation, and for transfers between different organisations. “For intra-group transfers, binding corporate rules are too burdensome to implement ‘just in case’. You can switch if the risk justifies it when there is more certainty,” she adds.

Sarah points out that regulators won’t tolerate inactivity. That said, they may grant some leeway if an organisation decides on a particular approach and documents its reason for doing so – even if that approach needs to change later. In other words, doing nothing is not an option – a bit like the best New Year’s resolutions.

7 Prepare beyond regulations

Valerie Lyons writes: “If we look to the US patents office, we see the top patents of 2017 fell into cloud, AI, machine learningand big data. Privacy regulation alone will not be able to address the challenges associated with many of these technologies. Gartner agrees, highlighting Digital Ethics and Privacy as one of its top trends of 2019. Privacy practitioners should familiarise themselves with digital ethics frameworks and look not just at privacy governance but information strategy and data management.”

8 Complete one thing

Sometimes, working as a security or privacy professional can feel like the circus act who keeps plates spinning. There are so many things to do, and so many places in the organisation to start mitigating risks. All the time, there’s an audience of compliance officers, auditors, regulators and bosses, waiting to see if one of the plates will drop. “Stop prevaricating. Pick one initiative and get it done, rather than starting three things and finishing none. That way, you’ve achieved something tangible you can point to. And it’s one less task on the list,” says David Prendergast.

9 Just do it

When it comes to security awareness strategy, as a certain sportswear company might say, just do it. “Don’t wait for a big budget. You don’t need huge sacks of money to explain to people what the risks are, and why they need to change behaviour,” says David. “Security professionals can often be quite shy of talking to IT people because we think they want us to fail. They don’t. They read different press, and if you just tell them the basics, you might just win some allies.” David also agrees with Brian’s point about collaborating more during 2019. “Talk to your colleagues and talk to your peers; they’re probably struggling with the same issues you are. The only daft question is the one you didn’t ask,” he says.

What resolutions have you made for 2019? Let us know in the comments below.

The post Nine for 2019: New Year tips for cybersecurity and privacy professionals appeared first on BH Consulting.