S is for …

Smishing

This is very similar in concept to phishing, but instead of email being used to deliver malicious code or links to malicious websites, SMS text messages are used. The messages often look as though they’ve come from someone you know and / or trust, but they have typically been spoofed to make you think they are legitimate.

As with phishing, if you are in any doubt at all that the message has come from the person you think it has, contact them by another means eg phone them, access their website etc.

Social engineering

This is a broad term, but generally speaking it is the art of persuading someone to provide you with information, or access to something, which they shouldn’t really. It takes many forms, and just as with hacking there are people who do social engineering for good (eg red team members) and those who do it for nefarious purposes (eg con men).

Again in general terms, the good guys will only use techniques that leave you feeling good about the experience, and will not try to manipulate or coerce you into doing something you don’t want to. The bad guys will have no qualms about trying everything to bend you to their will.

Spam

This is the catch-all phrase used for unwanted email, much of which may contain viruses or malicious links. In many ways it’s the electronic version of the junk mail (aka direct marketing) which most of us experience. Currently over 45% of all email sent globally is spam, though in 2014 that figure was over 70%.

When you consider there are over 235 billion emails sent every day, it is clear this is a huge volume of spam, and it is therefore unsurprising that some of it makes it into your mailbox, irrespective of what anti-spam tools you are using.

Spear phishing

Spear phishing is a targeted form of phishing (as is whaling): it differs from ordinary phishing because the emails are directed at specific targets. Information about the target is normally found through Open Source Intelligence gathering, and an email is then crafted to take advantage of that information.

For example, if someone did some research on me and found that I was a fan of London Irish rugby and the band Coldplay, they could create an email designed specifically for me which could perhaps give me the opportunity to get 50% discount on tickets to see Coldplay or 75% off a hospitality package at the rugby. If I was a genuine fan of either I might be tempted by those offers, and might click on any link in the message or open an attachment.

Spoofing

There are software packages available which allow a person to mimic another person’s phone number, and there are also techniques which allow them to send email which looks as though it has come from someone else. This practice is called spoofing.

Imagine you have been receiving text messages from your bank, and one day you get another message (in the same message stream) which asks you to click on a link to update your details. This could be a spoofing attack. One way to check is to contact your bank by phone, in person or on their website.

Next, imagine you get an email from your boss, and it looks genuine. It may be formatted the same as your company email address, and may follow the same naming convention eg mary.brown@acme.corp, but the mail has come from outside your organisation and again it has malicious links or attachments in it. Many organisations protect against this by adding some text to the subject line of an email eg the phrase [EXT] or [external] if it has come from outside the organisation. This is a simple and obvious visual clue.
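As an added example (not from the original post), here is how a mail gateway might apply the [EXT] tag described above and also flag the spoofed-colleague case. It assumes the company domain acme.corp from the text, made-up internal network ranges, and that the gateway knows the IP address of the relay that delivered each message.

```python
"""Added example: tag inbound mail that arrived from outside the organisation
and flag messages whose From: header claims the company's own domain despite
arriving from outside. Domain, networks and messages are constructed."""
import ipaddress
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

INTERNAL_DOMAIN = "acme.corp"                     # company domain (from the post)
INTERNAL_NETWORKS = [ipaddress.ip_network(n)      # assumed internal ranges
                     for n in ("10.0.0.0/8", "192.168.50.0/24")]
TAG = "[EXT]"


def is_internal_relay(relay_ip: str) -> bool:
    """True when the SMTP client that handed us the message is an internal host."""
    addr = ipaddress.ip_address(relay_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify(raw_message: str, relay_ip: str) -> dict:
    """Decide whether a message is external and whether its From: header
    impersonates the company domain. relay_ip is the address of the client
    that delivered it, which the gateway knows from the SMTP connection."""
    msg = message_from_string(raw_message, policy=default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    external = not is_internal_relay(relay_ip)
    return {
        "external": external,
        "from_domain": from_domain,
        # the spoofing case: looks like a colleague but came from outside
        "suspected_spoof": external and from_domain == INTERNAL_DOMAIN,
    }


def tag_subject(raw_message: str, relay_ip: str) -> str:
    """Return the message with '[EXT]' prepended to its Subject when it is
    external; internal mail is returned untouched. Idempotent, so a message
    that already carries the tag is not tagged twice."""
    msg = message_from_string(raw_message, policy=default)
    if classify(raw_message, relay_ip)["external"]:
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(TAG):
            new_subject = (TAG + " " + subject).rstrip()
            if "Subject" in msg:
                msg.replace_header("Subject", new_subject)
            else:
                msg["Subject"] = new_subject
    return msg.as_string()


# constructed message: claims to be from a colleague at the company domain
SPOOFED = """From: Mary Brown <mary.brown@acme.corp>
To: bob@acme.corp
Subject: Urgent: approve this invoice

Please open the attached file.
"""
```

A production gateway would combine the relay check with SPF, DKIM and DMARC results rather than relying on the connecting address alone.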

Stuxnet

Stuxnet was shrouded in secrecy but is now very well known. It was a sophisticated piece of code which targeted a specific make of industrial control system, and was used in an effort to cripple the Iranian nuclear programme. It featured a number of zero day exploits which targeted vulnerabilities in the centrifuges used in a specific power plant, causing them to spin out of control while everything looked normal in the control room. The intent was to prevent the Iranians from developing a nuclear weapons capability.

It is an infamous and ingenious piece of code. For more information, you may want to see the documentary made about it, called Zero Days.

Switch

This is a network device which helps segment a local area network into separate networks. It differs from a router in that it only knows one path from one network to another, whereas a router can search among multiple possible routes and determine the best path for network traffic to take.

 

Are you ready to be hacked?

Over the years there have been various statements to the effect that “there are two types of people in the world: those who have been hacked, and those that don’t know they’ve been hacked”.

There are two types of people in the world: those who know they’ve been hacked, and those who will be.

It’s pretty much guaranteed that any organisation is a target for someone to attack, whether that be for the data they hold, as a route into one of their customers / suppliers, because of their activities, or just for “fun”.

If we accept that we will be attacked, it makes sense for us to be prepared for what we’ll do when we are breached. What do we mean by being prepared though?

There are a number of aspects to this, which include (but aren’t limited to):

  • How will you respond to the press / social media / general public if they ask about it, or if the story gets out?
  • How will you identify what data has been stolen?
  • How will you determine the scope and scale of the breach?
  • How will you know how the breach happened, and how do you stop it happening again in future?

So what does this look like in practice? Let’s have a look…

Press / social media

For many organisations, how they respond and deal with public perception after a breach is paramount. A positive, well thought out and competent approach which demonstrates to the public that the organisation is in control will likely result in limited reputational damage and no significant decline in public confidence.

The opposite is true too. If the public perception is that the organisation doesn’t know what it is doing, or has no clear plan for addressing the breach, then confidence will drop and may have a significant effect on the organisation’s share price.

It’s often the first impressions that count in these circumstances. Your organisation should plan in advance how they are going to deal with an event, who they need to contact, who will talk to the press etc. They should also have contact details for appropriate people within the press and media to hand.

Identifying stolen data and determining the scope and scale of the breach

The average time taken for organisations to realise they have been breached is often quoted as being about 240 days.

Working out what has been taken, and when, can be very challenging for many organisations. Typically, they will need to have been capturing and retaining system and event logs from their servers and network devices (including firewalls and routers), and probably also endpoint devices (including laptops and desktops), and those logs may have to have been retained for quite some time. Logs take up a huge amount of disk space, which in the past has been very expensive, so it’s unlikely that everything has been logged or that logs have been held for the 8 or 9 months needed.

Trawling through those logs to identify “normal” operations and then find “abnormal” actions is not practical for a human, but there are many tools available which can interrogate and map the logs. These are usually advertised as Security Information and Event Management (SIEM) tools, but there may be individual tools for specific requirements or sets of logs.

These tools are used along with forensic techniques to determine exactly what happened and when; typically specialist incident response teams and digital forensics experts are called in to help.
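To make the “normal” versus “abnormal” idea concrete, here is an added example (not from the original post) of the baseline-then-deviate check a SIEM rule performs, run over a handful of constructed login records; the log format, user names and addresses are all made up.

```python
"""Added example: learn "normal" logins per user from a baseline period, then
flag successful logins in the investigation period that deviate from it.
Log format, users and addresses are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd: (?P<result>Accepted|Failed) "
                     r"password for (?P<user>\S+) from (?P<ip>\S+)$")


def parse(lines):
    for line in lines:                   # lines in other formats are skipped
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            yield e


def build_baseline(events):
    """Per user: source addresses and hours of day seen in successful logins."""
    base = defaultdict(lambda: {"ips": set(), "hours": set()})
    for e in events:
        if e["result"] == "Accepted":
            base[e["user"]]["ips"].add(e["ip"])
            base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def find_anomalies(baseline, events, fail_burst=3):
    """Return (timestamp, user, reason) for successful logins that fall
    outside the user's baseline or follow a burst of failed attempts."""
    findings, fails = [], defaultdict(int)   # consecutive failures per (user, ip)
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "Failed":
            fails[key] += 1
            continue
        reasons, prof = [], baseline.get(e["user"])
        if prof is None:
            reasons.append("user not seen in baseline")
        else:
            if e["ip"] not in prof["ips"]:
                reasons.append("new source " + e["ip"])
            if e["ts"].hour not in prof["hours"]:
                reasons.append("unusual hour %02d:00" % e["ts"].hour)
        if fails[key] >= fail_burst:
            reasons.append("success after %d failures" % fails[key])
        fails[key] = 0
        findings.extend((e["ts"].isoformat(), e["user"], r) for r in reasons)
    return findings


BASELINE_LOG = [  # constructed "known good" period
    "2018-06-01T09:02:11 fs01 sshd: Accepted password for mary from 10.0.0.21",
    "2018-06-02T10:12:09 fs01 sshd: Accepted password for bob from 10.0.0.33",
]
INVESTIGATION_LOG = [  # constructed period under investigation
    "2018-06-20T09:10:00 fs01 sshd: Accepted password for mary from 10.0.0.21",
    "2018-06-20T03:14:22 fs01 sshd: Failed password for bob from 198.51.100.9",
    "2018-06-20T03:14:25 fs01 sshd: Failed password for bob from 198.51.100.9",
    "2018-06-20T03:14:29 fs01 sshd: Failed password for bob from 198.51.100.9",
    "2018-06-20T03:14:33 fs01 sshd: Accepted password for bob from 198.51.100.9",
    "2018-06-20T11:00:00 fs01 sshd: Accepted password for svc_backup from 10.0.0.5",
    "2018-06-20T11:00:01 fs01 kernel: unrelated message, ignored by the parser",
]


def triage():
    return find_anomalies(build_baseline(parse(BASELINE_LOG)), parse(INVESTIGATION_LOG))
```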

Preventing it from happening again

Once you know what happened, and how, you need to review existing security practices to protect your organisation from a recurrence. For example, if the initial attack came through an infected email, you may look at better email scanning or phishing awareness training for staff.

It’s clear that this would be an iterative process, and that from each successive attack you look to strengthen defences.

R is for …

Red Team

Just as penetration testers try to get access to an organisation electronically, red teams try to get physical access to the organisation. They use a combination of Open Source Intelligence gathering and social engineering to get access.

These teams are typically engaged by senior management to test processes such as visitor registration, tailgating, signing in, staff challenging non-wearers of passes etc.

Remote access

As the name suggests, this is the process of providing access to systems from a remote location. For example, many people are given access to their work systems when not in the office. This uses remote access tools including VPNs and Two Factor Authentication, or a combination of multiple tools. It means you don’t physically have to be in the office to access your work systems.

RAT

A Remote Access Trojan (RAT) is a piece of malware which enables attackers to gain control of a target machine from a remote location. When attackers use phishing techniques, the first step once the victim has followed the link is often to install a RAT. This enables an attacker to get access to the device and carry on their attack using other tools.

Router

A router is a network device which examines network traffic and forwards it to the most appropriate part of the network.

 

Gatwick Continuity Planning

It was reported on the BBC today that flight departure screens had failed at Gatwick airport for much of the day. The airport authorities implemented their contingency plans – whiteboards – and apparently no flights were delayed or cancelled. Some passengers have complained about a lack of information, but I think that the fact no flights had to be cancelled is a real credit to all involved.

This is a great example of good contingency planning in action. The authorities had obviously thought about what they’d do in advance, so when the screens were unavailable they knew what to do. I can’t imagine they had whiteboards and pens etc just sitting waiting to be used, but it’s a really good effort nonetheless.

What can we learn about this from an Information Security perspective? Business Continuity Planning is vital, but it doesn’t always hinge on having spare technology available. Take it back to basics: what is needed to keep the business running? In this case, electronic boards were replaced with whiteboards and marker pens, but what would be your equivalent?

Try to think about what could happen, and what you could do to react if there was a problem.

Q is for …

Quantum computing

You probably know by now that typical computers function by using 1s and 0s, using binary maths. The transistors in them are either off (0) or on (1), with data being held as binary digits (bits).

In quantum computing, quantum mechanics form the basis of the machine. Rather than bits and bytes, quantum computers use quantum digits (qubits). I have to confess that I don’t understand the maths involved, but the two things to bear in mind are these:

  • There are more than just 1s and 0s: qubits can be in multiple states at the same time
  • Viewing the state of a qubit changes it

What these mean is that quantum computers have the potential to be incredibly fast, but it’s difficult to make use of their multiple states because looking at their state changes them.

Some organisations eg IBM have built small prototype quantum computers, but the technology is in its infancy. It will probably be several years before this sort of processing becomes commercially available.

When they are finally built, processing speeds will be massively increased, which also means that existing cryptography techniques will be at risk because even brute force attacks can be carried out so much faster. A new form of quantum cryptography will have to be developed and implemented.

US names arrested Fin7 cyber-gang suspects

This story appeared recently on the BBC website.

Three members of a notorious hacking group, variously called Fin7, Carbanak and JokerStash, have been arrested and named. The three individuals were arrested in Germany, Poland and Spain: one has already been extradited to the US and extradition proceedings have begun against the other two. The hacking group had attacked targets in the US, UK, France and Australia, and is still active today.

The remarkable thing about these arrests is that law enforcement had to overcome one of the largest obstacles to law enforcement in the digital age: legal jurisdiction. Where computers are connected to each other globally, with actions being carried out from different countries, often in different continents, it’s hard to know which laws have been broken, and which law enforcement agency takes priority / precedence.

In this case, those answers appear to have been solved. There has been a lot of collaboration between the various law enforcement agencies in the US and Europe, resulting in these arrests. It is to be hoped that this level of collaboration becomes the norm, and that countries are able to work together to bring criminals to justice, wherever they are active and irrespective of where their targets are.

Town dusts off typewriters after cyber-attack

This story appeared on the BBC website the other day. Basically the town’s borough council was hit with ransomware and their systems were brought to their knees.

It’s not unusual for one or two devices in an organisation to be infected with ransomware. Typically those devices are isolated from the network and all other machines checked to ensure that patching and antivirus signatures are up to date. In this case, it would appear that the entire network, including servers, has been infected and devices are having to be built from scratch, with alternative technology (typewriters – some younger readers may need to look these up) being used in the meantime.

This incident immediately raises a number of questions:

  • How did the organisation allow all machines to get infected?
  • Did they have an incident response plan and did it include this scenario?
  • Were their patching and antivirus regimes appropriate, and was there any kind of reporting in place to identify gaps?
  • Does the organisation have a standard build, and were the build states of all 500 devices known?
  • If the ransomware has been dormant since May, does that mean that backups are also infected? How does the organisation know that restoring from backup won’t reinfect their network?
  • What scanning of incoming attachments was carried out?
  • What training have staff had in respect of phishing emails and incident response procedures?

From those questions, it is relatively easy to identify what good practice would be e.g. document and test your incident response plans, make sure patching is kept up to date, and train your staff.

P is for …

Password

There has been much written about passwords, but for this entry I thought it worth defining what a password actually is. It’s a code, phrase or sequence of letters and numbers which is used to validate that you are who you say you are. It’s often used in conjunction with a username or when you log in to a device or system.

You’re advised to keep your password secret, known only to you, because this helps with non-repudiation.

Patching

Pretty much all software has vulnerabilities in it. The more complex the software, the more likely it is to have vulnerabilities. Patches are pieces of code written by software developers to fix those vulnerabilities once the manufacturers become aware of them.

Patching is the process of applying these bespoke pieces of code. Typically patches are given a severity based on the risk the vulnerability contains. Urgent patches should be applied as soon as possible, whereas low risk patches don’t need to be applied so quickly.

When applying patches in a work environment, it is advisable to test the patch on several machines first, before applying it to every device, just in case there are any issues or conflicts which the patch causes with existing software.

Payload

Viruses often contain malware, some of which contains special code to try to compromise a device. This is typically called a payload. Different viruses carry different payloads, and some carry multiple different payloads.

An analogy which might explain this: the bombs carried by a bomber aircraft are referred to as its payload.

Penetration test

A common way of testing web sites and web applications is to run a penetration test. This is where ethical hackers i.e. people with prior permission from an organisation, run tests to see if they can find vulnerabilities, and find out what would happen if those vulnerabilities are exploited.

Typically, the testers will provide a report documenting their findings, and the organisation being tested will then fix any issues found by the testers.

This should be run on a regular basis, because new vulnerabilities, including zero day threats, are constantly being discovered.

There are also physical penetration tests, where people are hired to try to access a business. This is called a red team test.

Phishing

Phishing is a form of attack where the bad guys send email to a list of email addresses (which they’ve often bought on the dark web). The email typically either has an infected attachment or a link to an infected website, or it contains a message asking you to help someone release money from their bank account or some equally ridiculous plea for help.

These messages are indiscriminate and are not targeted at specific individuals. Those which are specifically targeted are known as spear phishing or whaling.

Principle of Least Privilege

A key feature of cyber security is making sure that users only have access to the programs or data they need access to for their job. This is known as the principle of least privilege.

For example, there’s generally no reason why someone working in the accounts department needs access to personnel records, and someone working in HR probably doesn’t need access to the files for a specific project. Access would normally be restricted to help protect data.
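The following added example (not from the original post) encodes the accounts / HR scenario as a deny-by-default policy and includes a review function that lists the privileges a user holds beyond what their job needs; roles, resource classes and users are constructed for illustration.

```python
"""Added example: deny-by-default access control for the accounts / HR
scenario above, plus a review of privileges held beyond what a job needs.
Roles, resource classes and users are constructed for illustration."""
from dataclasses import dataclass

# resource class -> role -> actions explicitly granted; anything not listed is denied
POLICY = {
    "ledger": {"accounts": {"read", "write"}, "auditor": {"read"}},
    "personnel_record": {"hr": {"read", "write"}},
    "project_file": {"project_x": {"read", "write"}},
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


def is_allowed(principal, action, resource_class, audit):
    """Allow only when one of the principal's roles is explicitly granted the
    action on that resource class. Every decision is appended to `audit`
    under the principal's name, so actions remain attributable."""
    grants = POLICY.get(resource_class, {})
    allowed = any(action in grants.get(role, ()) for role in principal.roles)
    audit.append((principal.name, action, resource_class, "ALLOW" if allowed else "DENY"))
    return allowed


def effective_permissions(roles):
    """All (action, resource_class) pairs the given roles grant."""
    perms = set()
    for resource_class, grants in POLICY.items():
        for role in roles:
            perms.update((a, resource_class) for a in grants.get(role, ()))
    return perms


def excess_privileges(principal, job_needs):
    """Permissions held but not needed for the job: what a least-privilege
    review would remove."""
    return effective_permissions(principal.roles) - set(job_needs)


# constructed users
ALICE = Principal("alice", frozenset({"accounts"}))          # accounts clerk
CAROL = Principal("carol", frozenset({"hr", "project_x"}))   # HR, still holding an old project role
CAROL_JOB = {("read", "personnel_record"), ("write", "personnel_record")}
```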

O is for …

On-premise

This term is used to describe equipment which is physically located in your offices. The alternative would be a third party hosted service such as those offered by cloud hosting providers.

Open Source Intelligence

The internet is full of many sources of information, many of which are free. This is known as Open Source Intelligence (commonly called OSINT).

The most well known sources of information are social media sites like Facebook, LinkedIn and Twitter. If users do not lock down their accounts, potential attackers can learn a lot about them just by trawling their details. For example, Facebook allows you to list family members, friends, schools, colleges and work places, all of which are invaluable to attackers.

Operating System

All computers need code to tell them how to interact with their components eg keyboards, mice, monitors etc. They also need code which tells them what to do when switched on, how to store files and how the file store is structured. All of these services are provided by the Operating System, or OS for short. The most common operating systems for desktop and laptop computers are Microsoft Windows, Mac OS and Linux. Smartphones and tablet devices also have operating systems, the most common being Apple iOS, Android, Blackberry and Windows Mobile.

N is for …

Network

This is an often used phrase, but what exactly is a network? In its simplest form, it is several computers connected to each other. In a single building, these would typically form a Local Area Network (LAN), or if several offices are connected together these would be called a Wide Area Network (WAN). There are several different network components, such as routers, switches and firewalls. These will be explained in the relevant posts on this site.

Non-repudiation

Non-repudiation means that an event or action can be attributed to a person or process and cannot be denied.

This is a cornerstone of information security, but doesn’t attract the same attention as the CIA triad for example. Without it, it would be impossible to prove without doubt who was responsible for something.

One of the reasons you typically have a unique username and password at work is so that audit logs can show what actions were carried out using your account. If you share your password with others, then it is difficult to prove that you were the only one using your account. This can have negative as well as positive connotations, but we’ll look at them when we talk about passwords.