N is for …

Network

This is an often-used phrase, but what exactly is a network? In its simplest form, it is several computers connected to each other. In a single building, these would typically form a Local Area Network (LAN); if several offices are connected together, the result is called a Wide Area Network (WAN). There are several different network components, such as routers, switches and firewalls. These will be explained in the relevant posts on this site.

Non-repudiation

Non-repudiation means that an event or action can be attributed to a person or process and cannot be denied.

This is a cornerstone of information security, but it doesn’t attract the same attention as, for example, the CIA triad. Without it, it would be impossible to prove beyond doubt who was responsible for something.

One of the reasons you typically have a unique username and password at work is so that audit logs can show what actions were carried out using your account. If you share your password with others, then it is difficult to prove that you were the only one using your account. This can have negative as well as positive connotations, but we’ll look at them when we talk about passwords.
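The blog’s example relies on a unique username and an audit log; the cryptographic mechanism that gives non-repudiation is a digital signature made with a key that only the acting user holds. The following is an added Go example, not code from this blog, using Ed25519 from the Go standard library; the account names, action strings and record layout are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ActionRecord is one audit-log entry: which account did what, and when.
// The layout is constructed for this example, not a real log format.
type ActionRecord struct {
	Account, Action, Time string
}

// bytes gives the exact byte string that is signed and later verified.
func (r ActionRecord) bytes() []byte {
	return []byte(r.Account + "|" + r.Action + "|" + r.Time)
}

// SignRecord signs an entry with the acting user's private key. Only the
// holder of that key can produce a valid signature, so the user cannot
// later deny the action: that is what gives non-repudiation.
func SignRecord(priv ed25519.PrivateKey, r ActionRecord) []byte {
	return ed25519.Sign(priv, r.bytes())
}

// VerifyRecord lets an auditor holding the user's public key confirm both
// who acted and that the entry has not been edited since it was signed.
func VerifyRecord(pub ed25519.PublicKey, r ActionRecord, sig []byte) bool {
	return ed25519.Verify(pub, r.bytes(), sig)
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	rec := ActionRecord{"alice", "approve-payment", "2024-01-01T09:00:00Z"}
	sig := SignRecord(alicePriv, rec)
	fmt.Println("genuine entry verifies:", VerifyRecord(alicePub, rec, sig))

	// Editing the entry after the event breaks the signature.
	edited := rec
	edited.Action = "reject-payment"
	fmt.Println("edited entry verifies:", VerifyRecord(alicePub, edited, sig))

	// Bob's key cannot be used to pin Alice's action on him instead.
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attributable to bob:", VerifyRecord(bobPub, rec, sig))
}
```

A shared-secret MAC would not do here: because both the user and the server hold the same key, either could have produced the tag, so the user could plausibly deny the action.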

M is for …

MacOS

This is the Operating System used by Apple Macintosh desktop computers, not to be confused with iOS, which is used by their smartphones and tablets.

Man in the middle (MITM)

As the name suggests, this is a form of hacking where network traffic or messages are intercepted by someone sitting between the sender and intended recipient.

Typically, the attacker will either take a copy of the traffic so they can see what was being sent, or they will actually change the content of the traffic.

For example, they may change an email which says “I do not want to buy this product” to “I want to buy this product”. It’s therefore quite a dangerous means of attack, particularly as the recipient may not know the messages have been intercepted.

Malware

This is the catch-all term for all types of software which are “bad”, including viruses, worms, trojans and ransomware. Antivirus software is now often labelled antimalware because it does much more than simply protect against viruses.

Alexa – can you eavesdrop on us please

After my post last week about the Panorama programme here in the UK, there was a story in the news today about a couple in the US who were surprised by a call from a friend who had been emailed a recording of their conversation. Read all about it here. And no, I couldn’t believe Amazon’s excuse either!

K is for…

Keeping it Simple

OK, so this isn’t strictly a security term, but it is hugely important. Do the simple things well, and you’ll address many of the main issues. In terms of cyber security, this really boils down to:

  • Keep your patching up to date
  • Keep your antivirus signatures up to date
  • Ensure you have good password hygiene
  • Penetration test your internet-facing systems regularly
  • Ensure your staff have good security awareness training
  • Manage your joiners, movers and leavers process well

If you do only those things, you’ll be in a reasonably good place to start implementing good security practice.

Keylogger

This is either a hardware or software device which, as the name suggests, records all the keys that are pressed and either holds them in memory until the device is collected or sends them across the internet to the person who implanted the code. If you think about what you type on a keyboard, this could include passwords, passphrases, salary details, contract information etc.

Connected at home – what’s the problem?

You’ve probably heard by now of the Internet of Things (IoT). It’s essentially anything that is connected to the internet that isn’t a “standard” laptop or computer. But how secure is it? And how secure is your car? Just because your key fob is in your house doesn’t mean your car can’t be stolen.

The TV show Panorama here in the UK aired a really interesting episode this week, looking at just these issues. Have a watch here and see what you think.

I think the show does really well at showing how quickly systems can be compromised and what the effects could be. New iPad anyone? The truly horrifying part came with the exposé of home CCTV footage available to anyone on the web, particularly baby monitors.

This should be a wake-up call to everyone with a home router. Change the password and make it complex, at least 15 characters. Do it today.

Presentations – an update

Last week I shared some tips on how to produce good presentations. Earlier this week I found out that at a different conference I’d been voted one of the top speakers at the event. As you can imagine I was very pleased to hear this.

I’m convinced that this was a direct result of all the effort I put into making sure it wasn’t just another bland PowerPoint. I’d prepared well, taken time to have good graphics, tried to engage the audience and most of all didn’t just stand there and drone on, reading out the slides.

Security is more than just a set of controls. Raising awareness, helping people understand the risks and what they can do to minimise those risks, is a key part of any security professional’s role.

Yes, public speaking takes a lot of hard work, but I’m positive that work is worthwhile. Watch TED talks, read up on what makes them work well and what doesn’t work well, and above all, be prepared. You’ll get a lot out of it too!

J is for…

JML – Joiners, movers and leavers

This is an often overlooked component of security, but it’s very important. As the name suggests, it comes in three parts.

Joiners

This addresses issues such as staff vetting, which typically ensures that they:

  • are who they say they are. Not checking this can cause problems later, e.g. when you check whether someone has a criminal record
  • have no criminal record (or have at least declared it: you probably wouldn’t want someone with a history of financial fraud or bankruptcy in control of your company’s finances)
  • are eligible to work in your country (checking things like visa stipulations, expiry dates etc.)
  • are able to pass security screening, e.g. on government contracts, so they can access classified systems. This sort of screening may involve background checks and interviews with family and friends.

Movers

Once in an organisation, people may change roles or move between departments. It is important that each time they move, their access to systems and data is reviewed; otherwise people can accrue access to systems they no longer need, which is a risk to the organisation. For example, if someone moves from HR into Finance, their access to HR systems should be revoked and they should be granted access to the Finance systems instead.

Leavers

This is all about making sure that when someone leaves your organisation, their access to systems and data is revoked. It means checking and removing (or at least suspending) account access, e.g. email, office details, HR, remote access etc.

It’s also about making sure that you remove their physical access, e.g. keys to the office, swipe cards etc. It also makes sense to change keypad codes where they’re used, e.g. into secure areas, car parks etc.
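The Movers and Leavers checks above can be turned into a routine access review. This is an added Go example, not code from this blog, that compares what an account can reach against what its current role needs; the role-to-system mapping, account names and system names are constructed sample data.

```go
package main

import "fmt"

// Systems each role needs: constructed sample data, not a real access model.
var roleAccess = map[string][]string{
	"hr":      {"email", "hr-system", "remote-access"},
	"finance": {"email", "finance-ledger", "remote-access"},
}

// User is an account, its current role ("" once the person has left) and
// the systems the account can currently reach.
type User struct {
	Name, Role string
	Access     []string
}

// ReviewAccess returns the systems to revoke (held but not needed by the
// current role) and to grant (needed but not held). A leaver's empty role
// matches no entitlements, so everything they hold is revoked.
func ReviewAccess(u User) (revoke, grant []string) {
	want := map[string]bool{}
	for _, s := range roleAccess[u.Role] {
		want[s] = true
	}
	have := map[string]bool{}
	for _, s := range u.Access {
		have[s] = true
		if !want[s] {
			revoke = append(revoke, s)
		}
	}
	for _, s := range roleAccess[u.Role] {
		if !have[s] {
			grant = append(grant, s)
		}
	}
	return revoke, grant
}

func main() {
	// Mover: Bob moved from HR into Finance but his HR access was never removed.
	r, g := ReviewAccess(User{"bob", "finance", []string{"email", "hr-system", "remote-access"}})
	fmt.Println("bob: revoke", r, "grant", g)
	// Leaver: Carol has left, so her role is empty and everything goes.
	r, g = ReviewAccess(User{"carol", "", []string{"email", "finance-ledger", "remote-access"}})
	fmt.Println("carol: revoke", r, "grant", g)
}
```

Physical access (keys, swipe cards, keypad codes) is not in any system inventory, so the leaver half of this review still needs a manual checklist alongside it.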

Presenting…presentations

A big aspect of information security for me is awareness ie helping spread the word about what Security is and how it affects individuals (after all, this Easy Cyber blog site is all about that). I thought I’d share this story about a presentation I gave last year, and how I did my best to avoid it being dull.

Last year I was fortunate enough to present to a room full of fellow professionals at an event in Europe. I’d known for several months that I’d be doing so, and for me it was a big deal. It was the first time I’d had the opportunity, and there was the potential to be presenting to well over 100 people – but I wouldn’t know the real figure till I got started.

The room I was due to present in…

I was determined that I wasn’t going to blow it.

I’m guessing that most of you have, like me, sat through your fair share of presentations. I’m also guessing that many of those have been dire, where the presenter spent most of the time droning on in a monotone, reading verbatim from every slide, and every slide was covered in dense text with occasional bullet points.

I’m guessing that the presentations which have given you a lightbulb moment, an “aha” moment, some kind of inspiration, and which have left you feeling energised and enthusiastic are few and far between.

For my talk, I was determined that I wasn’t going to produce a dire presentation, and that I would do my best to be inspirational and have the attendees enthused by my presentation. I was also aware that the topic – retraining existing staff to work in cyber security – had the potential to be very dull indeed.

I really like TED talks, and I watch or listen to a lot of them, so I thought I’d try to produce my own version.  I therefore did a lot of background reading, with emphasis on how to prepare and deliver TED-worthy presentations (yes, there are a lot of books out there which cover that topic).

I learned that even before starting on my slides, I should work out what messages I wanted to convey, what the key points were. I should work on having a killer opening, one which engaged and intrigued the audience from the outset, one which grabbed their attention.

I also learned that when it comes to slides, words = bad, pictures or images = good. After all, you want people to be focussed on what you’re saying, not on reading what’s on the slide. If you’re reading off the slide, why are you there? The attendees could simply be sent the slide deck and read that for themselves. Slides are an aide-mémoire, nothing more.

And I learned that your body gives a lot away when you’re talking. Moving around, shuffling from one foot to the next, fidgeting with your hands, jingling keys, saying “so” or “um” a lot, all those sorts of things detract from the message you’re hoping to convey, and reduce the perception that you’re an expert in the topic.

I practiced what I was going to say – many times. I wrote out my introduction and honed that, many times. I recorded clips of me presenting so I could see what bad habits I had – and tried not to do them. I ran through the slides over and over, reducing them to no more than 5 or 6 words on each. All of this helped boost my confidence and reduce my nerves. Unfortunately for Dee she also had to hear it several times, and her feedback was invaluable.

Did it work? Yes, I think it did. Of the 60 or so people who came along, fewer than half left feedback, but on the whole the presentation was well received. For my first attempt at a big event like that, I was really pleased with the feedback.

Will I take the same approach in future? Absolutely, if time permits.  I think the attendees benefited and I think I benefited from the process.

The days of wordy slides and boring presenters should be at an end.  Make sure you’re not stuck in the past with them.

I is for…

Integrity

Along with confidentiality and availability, integrity makes up what is known as the CIA triad, the three main pillars that Information Security is built on.

Integrity is all about making sure that data has not been changed or tampered with by unauthorised people. For example, if someone was able to access a hospital’s systems and change a medicine dosage from 30mg of a drug to 3g, it could have potentially fatal consequences: that’s a change to the integrity of the data.
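The altered email in the man-in-the-middle entry earlier and the altered dosage here are both integrity failures, and the recipient can only catch them if the data carries something an interceptor cannot recompute. This is an added Go example, not code from this blog, using an HMAC-SHA256 tag from the Go standard library over a dosage record; the key, record layout and the Deliver function standing in for the network path are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Tag computes an HMAC-SHA256 over the record with a key shared only by
// sender and recipient. Whoever sits in between does not hold the key, so
// they cannot produce a valid tag for an altered record.
func Tag(key []byte, record string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(record))
	return m.Sum(nil)
}

// Verify recomputes the tag over what actually arrived and compares it in
// constant time. Any edit, even a single character, gives a different tag.
func Verify(key []byte, received string, tag []byte) bool {
	return hmac.Equal(Tag(key, received), tag)
}

// Deliver stands in for the network path between sender and recipient.
// alter is nil for an untouched path; otherwise it plays the man in the middle.
func Deliver(record string, alter func(string) string) string {
	if alter != nil {
		return alter(record)
	}
	return record
}

func main() {
	key := []byte("constructed-shared-key") // example only, not a real secret
	sent := "patient:1234 drug:X dose:30mg"
	tag := Tag(key, sent)

	clean := Deliver(sent, nil)
	fmt.Println("untouched delivery verifies:", Verify(key, clean, tag))

	// The interceptor rewrites the dose in transit but cannot fix the tag.
	tampered := Deliver(sent, func(s string) string {
		return "patient:1234 drug:X dose:3g"
	})
	fmt.Println("tampered delivery verifies:", Verify(key, tampered, tag))
}
```

The tag proves the record is unchanged and came from a key holder; it does not hide the contents, so confidentiality needs encryption on top.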

Internet

OK, I know we all use it (at least to visit this website), but what exactly is the internet? It’s a group of computers which are all connected through a variety of technologies. Crucially, the internet specifically refers to computers which are not on the same local network (your business computers within one office building are probably on the same local network) and are not within the same business.

The internet is the way that unrelated computers are connected to each other: it’s what allows you to browse to this website, to use Google or Bing (or other search engines) to find information that interests you not only in the Surface Web, but also in the Dark Web and the Deep Web.

Internet of Everything

The IoE, Internet of Everything, is exactly what it suggests. It’s used to refer to anything that is connected to the internet, irrespective of whether it’s a traditional computer, smartphone or one of the devices that make up the Internet of Things.

Internet of Things

There are many things other than your PC, laptop or server which are connected to the internet. Commonly referred to as the IoT, the Internet of Things is made up of all the other connected devices, such as your smart TV, your smart energy meter, some toys, perhaps your CCTV so you can check who’s in your house when you’re away, but also industrial control systems like the heating controls for office blocks, pumping stations on pipelines etc.

These are all connected so that people don’t physically have to be present to monitor and operate the controls: they connect to the Internet and make whatever changes are necessary remotely.

Intranet

An intranet is a network used to provide information within an organisation. It most likely includes sections with HR documentation, IT support contacts, social events, marketing information, policies and procedures, health and safety, and news about the company, among other things. It’s not intended to be viewed by anyone other than employees, hence it is not available to the wider world.

iOS

This is the Operating System used by Apple mobile devices like iPads and iPhones. It’s the software that allows applications on the devices to “talk” to the device itself. It means that developers don’t have to write code to talk directly to the device, but instead use a common platform with a common set of instructions which talk to the device on their behalf.