It’s just a Like…

What harm can it do? You know, seeing your favourite hairdresser or coffee shop on social media, and clicking on the Like button? And what about all those little quizzes and fun games that appear? Like what are your top 5 places to visit, what was your first pet called etc. Not to mention the “your rock star name is…” and you have to give two pieces of information and then share them with your friends. That’s just opened up a treasure trove for the bad guys.

This short video shows what can happen in the time it takes you to order and receive your coffee.

How can you protect yourself from giving away all this information? Just spend a little time going through the security settings on all your social media platforms. If you’re not sure how to do this, use Google to find the answer. Oh, and do this on a regular basis, as the social media firms can and do change your settings from time to time.

H is for…

Hacking

I’m pretty sure that you’ve all heard the term “hacking”, and you probably know that it has negative connotations. But what exactly is it?

Put simply, it’s trying to get access to a computer or network using vulnerabilities in the security of the target. Note that I don’t necessarily say software: people can be hacked too, which is effectively what social engineering is. I won’t go into social engineering here as it’ll be covered under “S is for…” later this year, so for the moment I’ll concentrate on hacking software.

Almost all software has errors in it which can be used to make the software do things the manufacturer didn’t intend. The bad guys know this, and spend a lot of time looking for those errors, then writing their own software to make use of these vulnerabilities (weaknesses): this process is called writing exploits.

The bad guys have a number of ways of getting their exploits to run on your systems: phishing emails are perhaps the most common and well known method, as are infected websites which download and install software in the background.

The best ways to protect your systems from hackers are:

  • Change your passwords regularly and enforce long, complex passwords for administrator level accounts
  • Keep patching and antivirus updated
  • Ensure your systems are vulnerability scanned, preferably penetration tested, on a regular basis
  • Ensure you / staff are trained to spot phishing emails

Hacktivism

Hackers who attack systems in support of a specific cause are engaging in hacktivism. Organisations like Anonymous rose to attention because they attracted hacktivists supporting different causes to attack companies which were involved in those causes.

Hybrid cloud model

As the name suggests, this kind of model is a mix of cloud and on-premise service provision. Some of the data / servers being used are in data centres run by your organisation, and some are in the cloud.

How did Cambridge Analytica do what they did?

I wasn’t going to post any more on this topic, but found a really good video on the BBC which explains the psychology behind targeted adverts etc. I thought it might be helpful for you to see how it worked, so check out the video here.

One thing I really like about the video is that it’s very clear: it explains things in simple terms which is, after all, what this site is about.

Let me know what you think of it.

G is for…

GDPR

The General Data Protection Regulation (GDPR) is an EU regulation which sets out the minimum requirements for Data Protection in the EU. It is a bit more stringent than the Data Protection Act, which is the current legislation in the UK. The UK has been heavily involved in its development, and it will come into force on 28th May 2018.

As an EU Regulation it immediately becomes law in every member country the day it comes out, and every member state will have to comply from that date.

For further advice and guidance, go to the ICO website and check out these 12 Steps to GDPR which you should be following right now.

Governance

It’s all well and good having lots of security controls in place, lots of shiny hardware and the latest software, but how do you know that what you have is effective and is being used by everyone?

That’s what Governance is for. It’s about the oversight of all security related activities to make sure that they are fit for purpose and delivering benefit. It’s normally done through regular reporting, reviews of metrics (ie data which demonstrates how effective controls are) and key performance indicators.

What does this mean in practice? Let me give you an example. Let’s assume that an organisation’s security policy states that all relevant critical patches from software vendors must be applied within 1 month of their release. A metric that might be used is to identify the number of machines which don’t have critical patches applied within 2 months, and for those machines to be inspected to find out why.
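The patching metric above, worked through as an added example (this is illustration code, not something from the original post). The patch ids, release dates, inventory and reporting date are all constructed; the 1-month policy and 2-month metric thresholds are taken from the example in the text.

```python
from datetime import date, timedelta

POLICY_DAYS = 30   # policy target: critical patches applied within 1 month of release
METRIC_DAYS = 60   # metric threshold: still not applied after 2 months => inspect the machine
AS_OF = date(2018, 4, 16)  # constructed reporting date

# Constructed vendor critical patches: id -> release date (ids are placeholders)
PATCHES = {
    "KB-EXAMPLE-1": date(2018, 1, 9),
    "KB-EXAMPLE-2": date(2018, 2, 13),
    "KB-EXAMPLE-3": date(2018, 3, 13),
}

# Constructed inventory: host -> {patch id: date applied, or None if still missing}
INVENTORY = {
    "host-a": {"KB-EXAMPLE-1": date(2018, 1, 20), "KB-EXAMPLE-2": date(2018, 2, 20),
               "KB-EXAMPLE-3": date(2018, 3, 25)},
    "host-b": {"KB-EXAMPLE-1": None, "KB-EXAMPLE-2": date(2018, 2, 28),
               "KB-EXAMPLE-3": None},
    "host-c": {"KB-EXAMPLE-1": date(2018, 3, 1), "KB-EXAMPLE-2": date(2018, 3, 1),
               "KB-EXAMPLE-3": None},
}

def late_or_missing(host_patches, as_of, threshold_days):
    """Patch ids whose deadline (release + threshold) has passed by `as_of` and which
    were either never applied or were applied after that deadline."""
    overdue = []
    for patch_id, released in PATCHES.items():
        deadline = released + timedelta(days=threshold_days)
        if as_of <= deadline:
            continue  # deadline not reached yet, nothing to report
        applied = host_patches.get(patch_id)
        if applied is None or applied > deadline:
            overdue.append(patch_id)
    return sorted(overdue)

def policy_breaches(inventory, as_of):
    """Per host: patches that broke the 1-month policy (applied late or still missing)."""
    return {host: late_or_missing(hp, as_of, POLICY_DAYS) for host, hp in inventory.items()}

def metric_report(inventory, as_of):
    """The governance metric from the post: hosts with a critical patch not applied
    within 2 months of release, listed so someone can find out why."""
    report = {}
    for host, host_patches in inventory.items():
        flagged = late_or_missing(host_patches, as_of, METRIC_DAYS)
        if flagged:
            report[host] = flagged
    return report

if __name__ == "__main__":
    print("policy breaches:", policy_breaches(INVENTORY, AS_OF))
    print("machines to inspect:", metric_report(INVENTORY, AS_OF))
```

Note that the metric is deliberately looser than the policy: host-c broke the 1-month rule but is not on the inspection list, because it did eventually patch within 2 months.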

Grey Hat hacker

In an earlier post we talked about Black Hat hackers, who are effectively the bad guys, and we’ll talk about White Hats later this year (you’ve guessed it, they’re the good guys). Grey Hats fall somewhere in between. They see themselves as doing good, trying to help organisations, but technically they’re breaking the law.

It works something like this. A white hat hacker has written permission in advance before trying to test a system for vulnerabilities. A grey hat doesn’t have that permission, but tests systems anyway. When they find a vulnerability, they either notify the organisation or the company that makes the software they’ve found the vulnerability in, often in the hope they’ll get some kind of reward. It has been known for them to be arrested because they’ve not had that pre-authorisation to carry out their tests.

Cambridge Analytica – who knew?

Err, we did!

Regular readers will have seen my post last year which talked about the dangers of over sharing. It described pretty much exactly what’s happened with Cambridge Analytica, on a massive scale.

I’m not going to go into detail on what they did – there’s a lot of news coverage you can check out – but basically an individual’s details and those of their friends were harvested and used for targeted advertising with the aim of swaying voting in the US election in 2016. Other elections may also have been influenced in this way.

This is a great example of why you should regularly check your privacy settings on social media, and be careful what information you decide to share.

Do you have privacy fatigue?

It’s a fact of life these days that we constantly seem to have people giving out dire warnings about being careful what information you share online, who can overhear you giving out your credit card numbers etc. It seems like we’re being warned that there are ears everywhere.

Do you know what? There are.

But these constant messages of your impending doom could also have a negative effect, a sort of “it doesn’t matter what I do, the bad guys will get my data anyway” attitude. This sort of apathy and resignation could be a form of privacy fatigue, and is discussed in this excellent article which my better half kindly shared with me.

It describes how you can tell if you’re suffering from privacy fatigue, and explains what the term means and is based on academic research, which I liked.

There are a couple of points to note about the article though: the sample was quite small – less than 400 people, and the demographic was quite narrow – only people in their 40s and early 50s.

Perhaps the biggest shortcoming in the article as far as I could see was that it didn’t talk about the “so what” aspect of what it had to say (but then it’s in a psychology publication, not a security one so that makes sense). What are the risks of sharing, and why is it important not to become fatigued?

I can still remember the days when mobile phones, smartphones, email, social media and computers didn’t exist. Back then, you wouldn’t dream of standing in the middle of the street and handing out your bank details including statements, or shouting out details of when you were going on holiday. You almost certainly wouldn’t go up to everyone you met and tell them where you kept your cheque book and cheque guarantee card (told you I remember a long way back!). Would you have stood on one side of a wall and shouted over it, to whoever might have been listening, who you’re thinking of employing and how much you’re thinking of paying them, or details of a business proposal you’re writing?

I’m guessing that you would agree all of those would be pretty foolish things to do. But effectively, that’s what you’re doing when you drop your guard in respect of privacy.

If you don’t lock down your privacy settings on your social media applications, you’re making every aspect of your life visible to anyone else on the internet.

If you use the same password on multiple websites, you’re making it easier for the bad guys to get access to more of your life.

If you’re talking about confidential things, knowing who else is listening is really important.

Please don’t be complacent. Please be careful. Please don’t get privacy fatigue.

F is for…

Firewall

Computers talk to each other using different protocols (these are just different formats for messages), and different protocols use different ports. Common protocols include HTTP, which is used by most internet traffic, HTTPS, which is an encrypted version of HTTP, and FTP (File Transfer Protocol), which is used for file transfers. HTTP uses port 80, HTTPS uses port 443, and FTP commonly uses port 21. Sounds complicated, doesn’t it?

Maybe this will help. Remember those children’s toys, with different shaped blocks that you have to push through holes in a board, like the one shown in the picture below? Think of the different shaped blocks as network traffic using different protocols, and the holes in the board are ports. The question then becomes – what is the board? That’s the firewall. A firewall sits between the internet and your internal network. In order to improve protection on your network, you close off all the ports and protocols which you don’t use on your network, which reduces the number of different ways for the bad guys to get in to your network – or to receive data from yours. Penetration testers can help you identify vulnerabilities and advise which ports and protocols should be blocked.
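To show what “close off all the ports and protocols you don’t use” means in practice, here is an added example (illustration code, not from the original post): a tiny first-match rule evaluator run against two policies. The connection attempts, the 8080 and 53/udp services and the rule format are all constructed for the example; 80, 443 and 21 are the ports mentioned above.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"           # "tcp", "udp" or "any"
    port: Optional[int] = None   # None matches any port

def decide(rules: List[Rule], default: str, proto: str, port: int) -> str:
    """First matching rule wins; if no rule matches, the chain's default policy applies."""
    for rule in rules:
        if rule.proto in ("any", proto) and rule.port in (None, port):
            return rule.action
    return default

# Weak policy: let everything through and block only the services someone thought of.
BLOCKLIST_RULES = [Rule("deny", "tcp", 21)]   # FTP, port 21 as in the post
BLOCKLIST_DEFAULT = "allow"

# The post's advice: close everything you don't use. Only the web ports are open and
# the default policy drops the rest, so a forgotten service is not exposed by accident.
ALLOWLIST_RULES = [Rule("allow", "tcp", 80), Rule("allow", "tcp", 443)]
ALLOWLIST_DEFAULT = "deny"

# Constructed inbound connection attempts: (protocol, port). 8080 stands for a service
# nobody remembered to block; 53/udp for a protocol this network never serves.
ATTEMPTS = [("tcp", 80), ("tcp", 443), ("tcp", 21), ("tcp", 8080), ("udp", 53)]

def exposed(rules: List[Rule], default: str) -> List[str]:
    """The attempts that the policy would let an outsider through to."""
    return sorted(f"{proto}/{port}" for proto, port in ATTEMPTS
                  if decide(rules, default, proto, port) == "allow")

if __name__ == "__main__":
    print("blocklist exposes:", exposed(BLOCKLIST_RULES, BLOCKLIST_DEFAULT))
    print("allowlist exposes:", exposed(ALLOWLIST_RULES, ALLOWLIST_DEFAULT))
```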

Forensics

You probably know what forensics are when used in crime dramas. They’re very popular, and typically you’ll see people in one piece overalls combing painstakingly through a crime scene looking for clues. Digital forensics aren’t a lot different, but instead of the overalls, the analysts doing the work are most likely in a lab of some sort. They use various tools to examine the hard drives and memory on devices to work out who did what and when. Whether they’re looking at individual fragments of files, or using software packages to trawl through email records and logs, they’re trying to piece together what happened. As more of the world does business online, digital forensics experts are going to be in more and more demand.

Format

Before any kind of electronic storage eg hard drive or USB stick can be used, it needs to be prepared to receive data. Different operating systems (like Microsoft Windows, MacOS or UNIX) prepare the storage in different ways, through a process called formatting.

E is for…

Encryption

The process of scrambling a message or data as part of cryptography is called encryption. This is what makes the message impossible to read unless you know how to unscramble it using decryption. As the years have gone by this process has become more and more complicated, and there is heavy reliance on computing power and very advanced maths to make it work without risk of the message being compromised.

Endpoints

You may often hear the phrase endpoint when talking about computer equipment. The term refers to devices such as laptop and desktop computers, smartphones and tablet devices ie things which the end user uses to access data.

Exploit

Code written to take advantage of vulnerabilities in software is known as an exploit. It may be used to inject code, to run a different program, or to cause other damage to the system.

Extranet

An extranet is a controlled network environment which is used to give non company staff members access to company resources (for example, data files) typically through some sort of remote access solution.

D is for…

Dark Web

Most of us are familiar with the Internet, and using search engines such as Google and Bing to find information we need. Those operate in a part of the World Wide Web that is often called the Surface Web. It seems like we can find a huge amount of data on the surface web, but in actual fact it’s only about 5% of all material that is available online. A large portion of the remaining data is found on the Deep Web – see below – but there’s a very murky area which is hidden away and can only be accessed by using special web browser software, the most well known being The Onion Router, or Tor. Most users will never have cause to visit this area, because it’s where various illegal web sites / services are found, including drugs, stolen goods, child abuse, false identity documents, counterfeit money etc. It’s therefore an area where criminals globally congregate to deal in and share their services.

Data Centre

A data centre is typically a large room – or set of rooms – with multiple servers in it. It can vary in size from one room with a few racks of servers, to a site with many thousands of servers. Typically they will have redundant power supplies, some form of backup solution, and will often provide services to multiple companies at the same time. Some organisations will run their own data centres, some will outsource their services to a Third Party, and some will operate a mix.

Data centres are typically where cloud services live. Companies such as Microsoft, Google and Amazon offer multiple data centres across most of the continents.

DDoS

Distributed Denial of Service (DDoS) attacks are a method of attacking a company’s services (typically internet based, like web sites or file sharing). They are carried out by multiple internet connected devices including PCs, laptops and IoT machines, often using botnets. The word Distributed signifies that the devices are spread around, possibly even all over the globe.

When a DDoS attack is carried out, the target is overwhelmed by multiple messages being sent from all the devices in the botnet, to the extent that it is rendered unusable.

A way of thinking of this is if you have a crowd of people trying to get through a door. If they move one at a time through the door, there’s no problem. If everyone tries to get through the door at the same time, it will become blocked and take time to become unblocked.

Deep Web

As mentioned above in Dark Web, the Deep Web makes up a huge proportion of the World Wide Web. The sites in this area are not indexed, which means they can’t be found by search engines like Google and Bing, but that doesn’t mean that they are providing illegal services.

Deep Web sites are typically where you can find information that isn’t really for public consumption, but which is used by special interest groups. This will include research groups, academic communities, file sharing sites etc. Users access the sites only if they know the exact address, but can use standard browsers such as Internet Explorer and Chrome – other browsers are available.

Decryption

Decryption is how cryptography makes messages readable again after they have been encrypted. Depending on how data is encrypted, decryption may happen automatically, or you may have to carry out a specific routine using special software.

Disaster Recovery

Disaster Recovery (DR) is most commonly seen as the provision of the IT part of a Business Continuity Plan. It’s about getting your IT systems back up and running within set timescales in order to enable key resources to work as normal.

For example, if you’ve planned to move to an alternate location in the event of an outage with your business, your DR solution will probably include appropriate network connections, having enough desktop or laptop devices available and having the relevant data and software available from the alternate location.

It’s not uncommon for businesses to run tabletop exercises to work out who would do what in the event of a problem, but it’s also a good idea to actually test that the plan works. For example, if your DR plan is to have 20 people up and running within 4 hours at the alternate site, but there are only 10 devices available for them to use at the site, then your plan will fail.

It’s important to note that when testing your plan, things not working are good things to find. It’s better to find that out during a test than when you actually need it.

DoS

Denial of Service (DoS) is similar to DDoS, but instead of being based on multiple devices acting concurrently, it is based on a single device. That single device sends multiple messages consecutively at a very high rate, with the aim of overloading the target device.
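The difference between a DoS and a DDoS, as described in the two entries above, is also how a defender tells them apart in web server logs: a flood from one address versus the same flood spread across many. The following is an added example (illustration code, not from the original post) that buckets access-log lines into fixed windows and labels each window; the log lines, addresses, window length and thresholds are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: source ip, ident, user, [timestamp] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10        # fixed bucket length (constructed threshold)
FLOOD_REQUESTS = 50        # requests in one bucket that count as a flood
SINGLE_SOURCE_SHARE = 0.8  # one address above this share of the flood => DoS

def parse_line(line):
    """Return (source_ip, timestamp) for a CLF line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def classify(events):
    """events: list of (ip, ts) within one bucket -> 'normal', 'dos' or 'ddos'."""
    if len(events) < FLOOD_REQUESTS:
        return "normal"
    top_ip, top_count = Counter(ip for ip, _ in events).most_common(1)[0]
    # A single address sending almost everything is a DoS; a flood spread across
    # many addresses (the botnet case) is a DDoS.
    return "dos" if top_count / len(events) >= SINGLE_SOURCE_SHARE else "ddos"

def triage(lines):
    """Bucket log lines into fixed windows; return {bucket_start_epoch: verdict}."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines the regex does not recognise
        bucket = int(parsed[1].timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
        buckets[bucket].append(parsed)
    return {start: classify(events) for start, events in sorted(buckets.items())}

def synthetic_log(ips, start, count):
    """Constructed CLF lines: `count` requests spread evenly over one window,
    taking the source address for request i from ips[i % len(ips)]."""
    lines = []
    for i in range(count):
        ts = start + timedelta(seconds=i * WINDOW_SECONDS / count)
        lines.append(f'{ips[i % len(ips)]} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200')
    return lines

START = datetime(2018, 4, 1, 12, 0, tzinfo=timezone.utc)  # constructed, on a bucket boundary
SAMPLE_NORMAL = synthetic_log(["198.51.100.10", "198.51.100.11"], START, 6)
SAMPLE_DOS = synthetic_log(["203.0.113.5"] * 58 + ["198.51.100.10", "198.51.100.11"],
                           START + timedelta(seconds=WINDOW_SECONDS), 60)
SAMPLE_DDOS = synthetic_log([f"203.0.113.{i}" for i in range(1, 61)],
                            START + timedelta(seconds=2 * WINDOW_SECONDS), 60)

if __name__ == "__main__":
    for start, verdict in triage(SAMPLE_NORMAL + SAMPLE_DOS + SAMPLE_DDOS).items():
        print(datetime.fromtimestamp(start, timezone.utc).isoformat(), verdict)
```

Real thresholds depend on what the service normally sees, and a DDoS verdict is exactly the case where blocking one address will not help, which is why the crowd-at-the-door problem is usually handled upstream rather than on the server itself.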

C is for…

CAT5

We don’t really hear this term very often any more, but it refers to probably the most common form of network cabling in offices and homes over the last 15-20 years. It’s the cable you may connect from your home router to your laptop if you don’t use Wi-Fi – it’s almost certainly been provided with the router and you may have left it in the box.

The picture below shows the ends of a CAT5 cable. Recognise it?

CIA Triad

This is a common term used to refer to the three main pillars of information security, Confidentiality, Integrity and Availability. Information Security is all about addressing these three topics when applied to data.

Cloud

“The Cloud” is a term used by many, and the common reference for it is “someone else’s computer”. That’s a pretty good explanation, in that cloud services are provided by a range of companies where they have buildings housing lots of servers, and you effectively rent out one or more of those servers. The benefits are that you don’t have to manage the servers, procurement of parts or maintenance. You don’t have to worry about ensuring the power is always on and quite often your backups are done for you. You can also generally flex storage space up and down as you need it, rather than having to own lots when you don’t always use it. Cloud can therefore seem quite attractive from a cost point of view. The disadvantages – which are actually things you need to ask about – are that you don’t know who has access to your physical servers, you don’t know who you’re sharing server space with, and you don’t necessarily know which country your data is being held in. You therefore need to have a good handle on the security of data, and make sure your Governance / audit processes take this into account.

Confidentiality

Part of the CIA triad, confidentiality is concerned with making sure only authorised people have access to data.

For example, you would not want just anyone to be able to read your medical records: your doctor’s surgery or hospital will keep that information confidential.

Cryptocurrency

Put simply, cryptocurrency is an electronic form of currency which is not regulated, managed or overseen by any banks or governments. Based on cryptographic techniques, it uses blockchain technology to validate every transaction. There is no single point of control. Some stock exchanges and banks are starting to recognise the various currencies, such as Bitcoin, Ripple and Ethereum, and to actively trade in them, while others are banning cryptocurrency altogether. At the time of writing this article, values for the various currencies have been fluctuating massively and it’s likely that they will take some time to settle down.

Cryptography

Cryptography is all about scrambling data to make it unreadable or impossible to understand without first unscrambling it. The technical terms for these processes are encryption and decryption. Many methods have been used over the years to encrypt data.

Manual manipulation of messages, eg using one time pads (as the name implies, these were sheets of paper which were to be used only once: messages were scrambled using the random set of letters on the pad, and the recipient would have to be using the same pad to decrypt the message), has been done for at least 2000 years.
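The one time pad just described, written out as an added example of the encryption / decryption pair from the “E is for…” and “D is for…” entries (illustration code, not from the original post). It assumes the pad letter is added to the message letter, counting round the alphabet, and subtracted again to decrypt; `reuse_leak` shows why the sheet really must be used only once.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # letters only, as on a paper pad

def make_pad(length):
    """A fresh sheet of random letters, at least as long as the message it will protect."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _letters_only(text):
    """Drop spaces and punctuation and upper-case what is left."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)

def encrypt(plaintext, pad):
    """Shift each message letter forward by the matching pad letter (mod 26)."""
    message = _letters_only(plaintext)
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(m) + ALPHABET.index(k)) % 26]
                   for m, k in zip(message, pad))

def decrypt(ciphertext, pad):
    """The recipient, holding the same pad, shifts each letter back again."""
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
                   for c, k in zip(ciphertext, pad))

def reuse_leak(ciphertext_a, ciphertext_b):
    """Subtract two ciphertexts made with the SAME pad: the pad cancels out and what is
    left is the difference of the two plaintexts, which an onlooker can study without
    ever knowing the pad. That is why a sheet is used once and then destroyed."""
    return "".join(ALPHABET[(ALPHABET.index(a) - ALPHABET.index(b)) % 26]
                   for a, b in zip(ciphertext_a, ciphertext_b))

if __name__ == "__main__":
    pad = make_pad(20)
    secret = encrypt("attack at dawn", pad)
    print(secret, "->", decrypt(secret, pad))
```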

Computers have been increasingly used for this process in the last 70 years. Enigma was a machine used by the Germans in WW2 to swap messages securely; it was also the name given to the code, which was broken by Polish mathematicians in the 1930s and again by a team led by Alan Turing at Bletchley Park during the war, as dramatised in the film The Imitation Game. Later in the war, a code called Lorenz was broken using a machine devised by Bill Tutte and built by Tommy Flowers. The machine was called Colossus and was the first real computer in the world. It was destroyed after the war and its creation kept secret until many years later, so an American invention from the late 1940s called ENIAC was until recently thought to be the first computer.

Modern cryptography relies on complicated maths and massive processing power, which can only be provided by computers. Techniques are continuously evolving, and manual cracking of codes is nigh on impossible now.

Cyber

We all use the term, but what exactly is cyber? There are many different definitions, all of which are right. The most basic is probably “something to do with computers”. It’s important that all people in a business share the same definition, so you all know exactly what you mean by the term.

I believe that in 5 to 10 years we won’t be talking about cyber- anything. Cybersecurity, cyberwarfare etc will have lost the prefix and we’ll just be talking about security, warfare etc.