Changes to Data Protection laws

I’m sure that many of you will have heard of the Data Protection Act (DPA) which is used to help protect an individual’s personal data. You’ll also probably have heard mutterings about GDPR and Brexit, how one is affected by the other, but you may not be too clear what this means in terms of the DPA. I’m going to try to explain it for you here. I apologise in advance because there will be more acronyms than I normally use, but hopefully you’ll see why!

First, let’s start with DPA. This law sets out 8 Principles which dictate how personal data must be treated, and what people can do with that data if they’ve been given permission to use it. A company must tell you how it’s going to handle your data and what it will use it for, and if it wants to change that use it must request your permission: this is all usually held in their Terms and Conditions, which is why you should always read them. The principles are summarised below.


The regulator, i.e. the organisation you go to if there’s been a breach, is the Information Commissioner’s Office, or ICO.

The General Data Protection Regulation (GDPR) is an EU regulation which sets out the minimum requirements for Data Protection in the EU, and is a bit more stringent than the DPA. The UK has been heavily involved in its development, and it will come into force on 28th May 2018. As an EU Regulation it immediately becomes law in every member country the day it comes out, and every member state will have to comply from that date.

How does this affect Brexit? Well, that will take up to 2 years to implement following invocation of Article 50. That means Brexit is highly unlikely to have occurred by 28th May 2018, which means that GDPR will become a legal requirement in the UK on that date, so companies will have to comply with it. Whatever happens once the UK leaves the EU, it stands to reason that UK companies wishing to do business with the EU will have to continue to comply, and I’d suggest therefore that the UK will not implement anything weaker than GDPR as a replacement for the DPA.

For further advice and guidance, go to the ICO website and check out these 12 Steps to GDPR which you should be following right now.

DDoS – what’s that?

I’m sure that if you’ve been watching the news recently, you’ll have heard the phrase DDoS, which stands for Distributed Denial of Service. It sounds fancy and complicated, but it’s actually pretty straightforward.

Let’s start at the beginning. A website is typically nothing more than one (or several, perhaps up into hundreds for some big companies) servers which all publish specific web pages. These may link back into the company that runs them, but that’s not important for our purposes. These servers are, unsurprisingly, called webservers, and again for simplicity we’ll just assume that a website only has one webserver.

If you had one computer that was constantly sending lots and lots of messages to the webserver, for example trying constantly to open multiple pages at a rate of hundreds or even thousands of requests per second, until it couldn’t cope with all that web traffic and stopped working, that would be called a Denial of Service attack, or DoS.

You can imagine that this would be straightforward to do as you would only need access to one machine, an internet connection and the relevant software.

A DDoS attack is very similar, except instead of using one machine to attack the server, multiple machines are used to attack it.

These can be anywhere in the world, and are typically recruited by the bad guys to perform the attack as part of what is called a botnet. This is just a term for a collection of machines which are connected to the internet and which are being controlled from a single source. The way they are recruited is typically through the use of viruses and other malware (“bad” software), which then listen out for messages from their controller machine. This is called a Command and Control structure, and there may be a hierarchy to the structure, a bit like you find tiers of management in large companies. The owners of those machines typically have no idea that this is happening, and the problem is now exacerbated by the involvement of machines other than laptop and desktop computers. These are other devices connected to the internet which may include fridges, cookers, kettles etc – this is the Internet of Things. I’ll write a separate post about IoT in the future, but for now it’s enough to know that these devices can be added to a botnet relatively easily.

In a DDoS attack then, the constituent machines in the botnet are ordered to attack a specific website or webserver on a specific date and time, by trying to access one or more pages at the same time as all the rest. When they all do that, the website may not be able to handle so many requests, and stops working.

Scary stuff, huh? Try not to worry too much about it though, because there are ways to reduce the risk of this happening, from hardware and software which recognises the attack to hosting the website in different locations, to buying services from companies which specialise in preventing such attacks.
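To show what "software which recognises the attack" has to cope with, here is an added example (not part of the original post) that counts requests per second and per source address. The two limits and all the addresses are assumptions made up for the illustration; it shows that blocking one loud address deals with a DoS, but a DDoS from many quiet machines leaves nothing obvious to block.

```python
from collections import Counter, defaultdict

# Assumed limits for this illustration; real values depend on the site.
PER_SOURCE_LIMIT = 100  # requests per second tolerated from one address
SERVER_CAPACITY = 500   # requests per second the single webserver can serve


def classify_traffic(requests):
    """Classify each second of (second, source) request records.

    Returns {second: (verdict, sources_to_block)}.
    """
    per_second = defaultdict(Counter)
    for second, source in requests:
        per_second[second][source] += 1

    result = {}
    for second in sorted(per_second):
        counts = per_second[second]
        total = sum(counts.values())
        noisy = sorted(s for s, n in counts.items() if n > PER_SOURCE_LIMIT)
        remaining = total - sum(counts[s] for s in noisy)
        if total <= SERVER_CAPACITY:
            result[second] = ("normal", [])
        elif remaining <= SERVER_CAPACITY:
            # A few loud sources explain the overload: blocking them is enough.
            result[second] = ("DoS", noisy)
        else:
            # Overloaded even without the loud sources: many quiet machines.
            result[second] = ("DDoS", noisy)
    return result


def sample_traffic():
    """Constructed sample using documentation-only address ranges."""
    visitors = [f"198.51.100.{i}" for i in range(1, 51)]
    bots = [f"2001:db8::{i:x}" for i in range(1, 401)]
    records = []
    for second in (0, 1):
        records += [(second, v) for v in visitors for _ in range(2)]
    records += [(1, "203.0.113.9")] * 2000               # one machine flooding
    records += [(2, b) for b in bots for _ in range(5)]  # 400 bots, 5 each
    return records


if __name__ == "__main__":
    for second, (verdict, block) in classify_traffic(sample_traffic()).items():
        print(second, verdict, block)
```

In the sample, second 2 carries almost as much traffic as second 1, yet no single address sends more than 5 requests, which is why per-address limits alone do not stop a botnet.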

You can also play your part in reducing the scale of botnets by practicing good cyber hygiene: make sure you use a reputable antivirus product and ensure it is updated regularly; apply patches frequently; change your passwords regularly; and don’t click on email attachments or links which you weren’t expecting or from sources you don’t know.

What’s the deal with passwords?

In an earlier post I talked about password hygiene, and about the challenges we have in keeping passwords secret.  I realised that I’d missed the opportunity to talk about why we need passwords – so I thought I’d cover it now.

Computers will – if set up “normally” – ask for a username and password after you switch them on.  This is a process called authentication (though more commonly we call it logging in or logging on), and in the early days (before the Internet existed) was seen as quite a good way of ensuring that the person entering the username is who they say they are.  One reason why this is important is so that there is some accountability on systems: if something bad has happened, it can often be tracked back to a specific username. The person who “owns” that user name can be held accountable – and those who don’t “own” it can be discounted as the culprit.  It’s therefore quite a good protection mechanism for the other users.

Once that single computer was connected to lots of others, and particularly when connected over the Internet, some people found a challenge in trying to access those remote systems by trying to guess usernames and passwords (at a very basic level this is what hackers try to do).  Passwords which are easy to guess mean that the bad guys don’t have to work very hard to access your account.  Once they have access to your computer, they will often try to see what else they can get access to, such as your bank account, financial details, holiday plans etc.

Have a look at the image below:

image

It’s obvious that the most common passwords (and therefore the easiest to guess) haven’t changed much over the previous 5 years.  This is bad!

The bad guys use a range of software tools to try to break (or crack) passwords, and generally speaking the longer the password, the better.  But, length alone isn’t the answer.  If the password is just numbers, the bad guys “only” need to try combinations of 0 to 9 in increasing lengths i.e. 0,00,01,02,03 etc. If it’s just lower or upper case letters i.e. a to z or A to Z, then there are 26 variables which they need to try before moving on to a longer length.

Mixing numbers, upper and lower case letters and special characters (eg !@£$%^) gives a much longer set of variables which need to be tried, and this mix is what is called a complex password.  In all cases, the longer the combination of these the better, but the industry standard is a minimum of 8 characters long.  Personally, I prefer at least 15 characters, because the maths shows that with current computing power complex passwords of that length are very, very difficult to crack.
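The maths behind the last two paragraphs, as an added example that is not part of the original post. It works out how many candidates an attacker must try "in increasing lengths" for a given mix of characters, and how long that takes at an assumed guessing speed; the speed, the 32-symbol special-character set and the sample passwords are all assumptions made for the illustration.

```python
import string

GUESSES_PER_SECOND = 1e10           # assumed attacker speed, not from the post
SECONDS_PER_YEAR = 365 * 24 * 3600
SPECIALS = string.punctuation       # assumed set of 32 special characters


def alphabet_size(password):
    """Number of different characters the attacker has to cover."""
    size = 0
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    # Anything that is not a plain letter or digit counts as "special".
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += len(SPECIALS)
    return size


def search_space(password):
    """Candidates to try when working up through every length in turn."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def worst_case_years(password):
    """Years to try every candidate at the assumed guessing speed."""
    return search_space(password) / GUESSES_PER_SECOND / SECONDS_PER_YEAR


# Constructed sample passwords, one per case the post describes.
SAMPLES = ["12345678", "password", "Blue-K42", "Blue-Kettle-42x"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:20} alphabet={alphabet_size(pw):3} "
              f"years={worst_case_years(pw):.3g}")
```

This only measures blind trial and error: a password on a list of common passwords, like the ones in the image above, falls at once whatever its length.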

Obviously, the longer and more complex the password, the more likely you are to forget it, which is why good password hygiene is required.  Password hygiene can be compared to personal hygiene, and more particularly your underwear.

image

So – keep your passwords to yourself, change them regularly, and don’t show them to anyone else!

Password hygiene

By now, we probably all know that we should have different passwords for every account we have, and use different ones for each website.  You probably also know that they should be a mix of upper and lower case letters, numbers and special symbols. They should be more than 8 characters – and no that doesn’t mean $now White and the 7 Dwarves.  This is what’s known as password hygiene.

That’s all well and good, but how do you remember them all?  Most security professionals would express horror at the suggestion that you have to write them down, but unless the bad guys are actually in your house, they have no access to them if you do. One word of caution before you go and document everything – be sensible.

It might seem like a good idea having a book like the one in the image, but then the bad guys in your house know exactly what they’re taking!  If you are going to write your passwords down, make sure you lock the book away in a secure location where it’s not easily found by intruders.

An alternative is to use one of the many password management apps that are around, but as that’s connected to the Internet then by definition it is vulnerable – especially as it tends to require a master password and if you’ve not chosen a good one of those then your other passwords are easily found.  At the very least, make sure it encrypts your passwords with something like 128 or 256 bit AES.

As with all things, the choice is yours and based on your level of risk appetite.  Personally, I like the flexibility of the electronic app, but I’d combine it with a master password and another token, eg a PIN number sent to my mobile or use of a fingerprint reader.

Phishing and Whaling

I’m guessing that you’ve heard of phishing, and I thought I’d provide some words around related topics.  Let’s start at the beginning though.

Phishing

Most people with email will have received a phishing email at some point.  Essentially, it’s a mass mail sent to a lot of people indiscriminately, in the hope that one or more of the recipients will reply or click on a link in the message. The bad guys have either provided a link to a compromised website, or which will download and install malware, or something like that, or they note the replies they receive and build a list of people to target with the sort of fake IT support calls you’ve probably read about.  These types of attack are relatively simple and unsophisticated.  They don’t target individuals and are effectively a random attempt, a bit like fishermen on a trawler using a net: their catch is indiscriminate.

Spear Phishing

This type of attack is a bit more sophisticated.  It follows the same sort of approach as above, but focuses on specific individuals.  These emails typically include your name and may also include a little bit of information about you, and will likely be more targeted around some of your likes and interests.  Because they are specifically directed at you, and you are the prey, you become the fish that the bad guys try to get without looking at others around you: hence “spear phishing”.

Whaling

This is really just a version of Spear Phishing, but targeted at the biggest fish (OK, so I know that whales are mammals, not fish, but that’s beside the point).  As these are the big fish, you can imagine that these are the biggest prize.  Typically the bad guys try to get their hands on large sums of money, and may involve more skillful techniques like phoning an employee (a technique sometimes called voice phishing, or vishing) in finance and pretending to be one of the big fish, saying that they’ll be emailing shortly to request immediate payment of a bill.  Who queries the boss, right?  This type of attack is definitely on the increase.

So how do you protect yourself from these sorts of attack?  The following tips may help:

  • If it seems too good to be true, it probably is
  • Don’t click on unknown links in email
  • Don’t reply to messages from people you don’t know
  • If at work and you get an email from senior management which eg doesn’t follow normal processes, ask for confirmation / clarification – but not by replying to the mail
  • Be vigilant – phishing and related attacks are on the increase

Virus attacks and what can be done about them

I decided it would be a good thing to share some information other bloggers have written, as well as to present my own material. After all, if one of the key parts to good security is to keep things simple, then including information others have already produced probably helps, right? 

So, please check out this site and I hope you enjoy it. I’ll add some thoughts of my own on virus defence in the next few weeks.

Certified Information Security Manager

Back in 2010 I attended a three day course with Net Security training in Wembley, in preparation for a Certified Information Security Manager (CISM) exam a couple of weeks later. All of the work was theoretical, and it was assumed that you already had experience in most if not all of the domains covered.

The exam itself was paper based, with four hours given to complete 250 multiple choice questions. You then have to wait a few weeks before you get your results, at which point you can then apply for the certification from ISACA. You need to be able to demonstrate at least five years’ worth of experience in two or more of the domains as part of the certification process.

The certification lasts for three years, and in that time you need to complete a minimum of 120 hours of Continuing Professional Education (CPE), with at least 20 hours in each of the three years. I have recertified in this way once, and have already reached my target for this recertification period.

Certified Ethical Hacker

In spring 2013 I attended a Certified Ethical Hacker (CEH) training course with Firebrand in Wyboston, England. It was a week long bootcamp, with classes starting on the Sunday evening, 12 hour days in the classroom and a 3 hour exam on the Friday morning.

The classes were made up of a mixture of theory and practical work. All attendees had a number of virtual environments to work in, and we were able to use a number of the tools we’d talked about in a safe environment. After class we had two to three hours reading every night, to read the courseware, so we spent roughly 15 hours a day on the topic.

As you can imagine, this kind of intense training crams a lot in and leaves you pretty drained at the end, but it was worth it. The course “only” gives the background, and it is then down to the individual to keep their education up by reading more on the topic, by trying the tools out and by carrying out this kind of work.

While I don’t currently do any kind of hacking as part of my job, the course gave a very good understanding of the techniques and methods used, and the risks and potential impact that each kind of attack could bring to an organisation. From that perspective, it meant I was well prepared for writing policies and standards to help counteract the threats from this angle.

Recertification takes place every three years, and in that time you have to be able to demonstrate completion of at least 120 hours of Continuing Professional Education (CPE) in related topics. I have recently completed my first recertification and am therefore entitled to use the CEH designation, approved by the EC-Council, until 2019.

The Cloud – Vapourware made real?

One of the things that’s been a petty annoyance for me professionally over recent years is all the hype about Cloud services. Things like Amazon Web Services, Dropbox, Google Docs and Microsoft OneDrive. There have been pages and pages written about this new wonderful thing called the cloud, how it’ll revolutionise our lives, but at the end of the day, it’s your data on someone else’s machine. That’s it!

The only major difference I can see between services like the ones I named above and other remote services is scale. But the issues are the same. Where is the data held, who has access to it, how is it deleted when you don’t want it any more, how secure is that deletion.

Nearly 20 years ago there was a lot of hype about “e-business”, i.e. trading and doing business online. Nowadays (as I predicted back then) we don’t bother with the e- prefix, it’s all just business. [Though many companies are finding out that without the e- portion to their business, they struggle to stay afloat.]

The Cloud is no different. It’s the latest and greatest, a buzzword used to make business sexy, but at the end of the day you’re just renting out space on some machines that someone else owns. So you better believe it’s down to you to make sure it’s secure. The big providers have all sorts of physical security (fences, guards, access controls etc) and IT security (redundant disks and power supplies, industrial scale UPS etc) but if you want the data encrypted, or backed up securely etc then you need to sort that yourself.

We’re going to see it more and more, and it’ll become a de facto standard, but please just remember it’s nothing special!