V is for …

VPN

A virtual private network (VPN) is a form of network connection between two points which is encrypted. This helps protect the network traffic from being intercepted by others, and helps to keep the message secure.

It’s a really good idea to use a VPN if you’re away from home, e.g. in cafes or on other public Wi-Fi connections. There are quite a few available, for mobile phones as well as for laptops etc. They’re quite easy to find, and there are free as well as paid-for versions on the market.

Virus

A computer virus is a form of malware which can carry different payloads. Just like a virus which infects people, a computer virus is designed to infect devices by a number of different methods. Using antivirus software, and keeping the software updated, as well as regularly applying patches, is a good way of reducing the risk of infection.

Vishing

Vishing is a form of phishing which is done over the phone (voice phishing) rather than by email. It’s often used in conjunction with phishing to add credibility to the email which was sent, and to try to improve the chances of the target being successfully socially engineered.

Vulnerability

Almost all software has faults in it, which may take some time to discover. These faults are called vulnerabilities, and they are fixed when patches are issued.

Vulnerability scan

A vulnerability scan is similar to a penetration test, but doesn’t go into as much detail. It’s the equivalent of a burglar trying the doors and windows on a house to see if they’re open – and then not going into the house (which would be a penetration test).

All it does is identify how an application, website or other system is vulnerable, but it doesn’t tell you what you could do if you exploited the vulnerability.

Town dusts off typewriters after cyber-attack

This story appeared on the BBC website the other day. Basically the town’s borough council was hit with ransomware and their systems were brought to their knees.

It’s not unusual for one or two devices in an organisation to be infected with Ransomware. Typically those devices are isolated from the network and all other machines checked to ensure that patching and antivirus signatures are up to date. In this case, it would appear that the entire network, including servers, has been infected and devices are having to be built from scratch, with alternative technology (typewriters – some younger readers may need to look these up) being used in the meantime.

This incident immediately raises a number of questions:

  • How did the organisation allow all machines to get infected?
  • Did they have an incident response plan and did it include this scenario?
  • Were their patching and antivirus regimes appropriate, and was there any kind of reporting in place to identify gaps?
  • Does the organisation have a standard build, and were the build states of all 500 devices known?
  • If the ransomware has been dormant since May, does that mean that backups are also infected? How does the organisation know that restoring from backup won’t reinfect their network?
  • What scanning of incoming attachments was carried out?
  • What training have staff had in respect of phishing emails and incident response procedures?

From those questions, it is relatively easy to identify what good practice would be e.g. document and test your incident response plans, make sure patching is kept up to date, and train your staff.

F is for…

Firewall

Computers talk to each other using different protocols (these are just different formats for messages) and different protocols use different ports. Common protocols include http, which is used by most internet traffic, https which is an encrypted version of http, or FTP which is used for file transfers (File Transfer Protocol). Http uses port 80, https uses port 443, and FTP commonly uses port 21. Sounds complicated, doesn’t it?

Maybe this will help. Remember those children’s toys, with different shaped blocks that you have to push through holes in a board, like the one shown in the picture below? Think of the different shaped blocks as network traffic using different protocols, and the holes in the board are ports. The question then becomes – what is the board? That’s the firewall. A firewall sits between the internet and your internal network. In order to improve protection on your network, you close off all the ports and protocols which you don’t use on your network, which reduces the number of different ways for the bad guys to get in to your network – or to receive data from yours. Penetration testers can help you identify vulnerabilities and advise which ports and protocols should be blocked.

Forensics

You probably know what forensics are when used in crime dramas. They’re very popular, and typically you’ll see people in one-piece overalls combing painstakingly through a crime scene looking for clues. Digital forensics isn’t a lot different, but instead of wearing overalls, the analysts doing the work are most likely in a lab of some sort. They use various tools to examine the hard drives and memory on devices to work out who did what and when. Whether they’re looking at individual fragments of files, or using software packages to trawl through email records and logs, they’re trying to piece together what happened. As more of the world does business online, digital forensics experts are going to be in more and more demand.

Formatting

Before any kind of electronic storage, e.g. a hard drive or USB stick, can be used, it needs to be prepared to receive data. Different operating systems (like Microsoft Windows, MacOS or UNIX) prepare the storage in different ways, through a process called formatting.

E is for…

Encryption

The process of scrambling a message or data as part of cryptography is called encryption. This is what makes the message impossible to read unless you know how to unscramble it using decryption. As the years have gone by this process has become more and more complicated, and there is heavy reliance on computing power and very advanced maths to make it work without risk of the message being compromised.

Endpoint

You may often hear the phrase endpoint when talking about computer equipment. The term refers to devices such as laptop and desktop computers, smartphones and tablet devices, i.e. the things which the end user uses to access data.

Exploit

Code written to take advantage of vulnerabilities in software is known as an exploit. It may be used to inject code, to run a different program, or to cause other damage to the system.

Extranet

An extranet is a controlled network environment which is used to give non-company staff members access to company resources (for example, data files), typically through some sort of remote access solution.

D is for…

Dark Web

Most of us are familiar with the Internet, and with using search engines such as Google and Bing to find information we need. Those operate in a part of the World Wide Web that is often called the Surface Web. It seems like we can find a huge amount of data on the surface web, but in actual fact it’s only about 5% of all material that is available online. A large portion of the remaining data is found on the Deep Web – see below – but there’s a very murky area which is hidden away and can only be accessed by using special web browser software, the most well known being The Onion Router, or Tor. Most users will never have cause to visit this area, because it’s where various illegal web sites / services are found, including drugs, stolen goods, child abuse, false identity documents, counterfeit money etc. It’s therefore an area where criminals globally congregate to deal in and share their services.

Data Centre

A data centre is typically a large room – or set of rooms – with multiple servers in it. It can vary in size from one room with a few racks of servers, to a site with many thousands of servers. Typically they will have redundant power supplies, some form of backup solution, and will often provide services to multiple companies at the same time. Some organisations will run their own data centres, some will outsource their services to a Third Party, and some will operate a mix.

Data centres are typically where cloud services live. Companies such as Microsoft, Google and Amazon offer multiple data centres across most of the continents.

DDoS

A Distributed Denial of Service (DDoS) attack is a method of attack on a company’s services (typically internet based, like web sites or file sharing). It is carried out by multiple internet-connected devices including PCs, laptops and IoT machines, often using botnets. The word Distributed is used to signify that the devices are spread around, possibly even all over the globe.

When a DDoS attack is carried out, the target is overwhelmed by multiple messages being sent from all the devices in the botnet, to the extent that it is rendered unusable.

A way of thinking of this is if you have a crowd of people trying to get through a door. If they move one at a time through the door, there’s no problem. If everyone tries to get through the door at the same time, it will become blocked and take time to become unblocked.

Deep Web

As mentioned above in Dark Web, the Deep Web makes up a huge proportion of the World Wide Web. The sites in this area are not indexed, which means they can’t be found by search engines like Google and Bing, but that doesn’t mean that they are providing illegal services.

Deep Web sites are typically where you can find information that isn’t really for public consumption, but which is used by special interest groups. This will include research groups, academic communities, file sharing sites etc. Users access the sites only if they know the exact address, but can use standard browsers such as Internet Explorer and Chrome – other browsers are available.

Decryption

Decryption is how cryptography makes messages readable again after they have been encrypted. Depending on how data is encrypted, decryption may happen automatically, or you may have to carry out a specific routine using special software.

Disaster Recovery

Disaster Recovery (DR) is most commonly seen as the provision of the IT part of a Business Continuity Plan. It’s about getting your IT systems back up and running within set timescales in order to enable key resources to work as normal.

For example, if you’ve planned to move to an alternate location in the event of an outage with your business, your DR solution will probably include appropriate network connections, having enough desktop or laptop devices available and having the relevant data and software available from the alternate location.

It’s not uncommon for businesses to run tabletop exercises to work out who would do what in the event of a problem, but it’s also a good idea to actually test that the plan works. For example, if your DR plan is to have 20 people up and running within 4 hours at the alternate site, but there are only 10 devices available for them to use at the site, then your plan will fail.

It’s important to note that when testing your plan, things not working are good things to find. It’s better to find that out during a test than when you actually need it.

Denial of Service

Denial of Service (DoS) is similar to DDoS, but instead of being based on multiple devices acting concurrently, it is based on a single device. That single device will send multiple messages consecutively at a very high rate, with the aim of overloading the target device.

C is for…

CAT5

We don’t really hear this term very often any more, but it refers to probably the most common form of network cabling in offices and homes over the last 15-20 years. It’s the cable you may connect from your home router to your laptop if you don’t use Wi-Fi – it’s almost certainly been provided with the router and you may have left it in the box.

The picture below shows the ends of a CAT5 cable. Recognise it?

CIA Triad

This is a common term used to refer to the three main pillars of information security, Confidentiality, Integrity and Availability. Information Security is all about addressing these three topics when applied to data.

Cloud

“The Cloud” is a term used by many, and the common reference for it is “someone else’s computer”. That’s a pretty good explanation, in that cloud services are provided by a range of companies where they have buildings housing lots of servers, and you effectively rent out one or more of those servers. The benefits are that you don’t have to manage the servers, procurement of parts or maintenance. You don’t have to worry about ensuring the power is always on and quite often your backups are done for you. You can also generally flex storage space up and down as you need it, rather than having to own lots when you don’t always use it. Cloud can therefore seem quite attractive from a cost point of view. The disadvantages – which are actually things you need to ask about – are that you don’t know who has access to your physical servers, you don’t know who you’re sharing server space with, and you don’t necessarily know which country your data is being held in. You therefore need to have a good handle on the security of data, and make sure your Governance / audit processes take this into account.

Confidentiality

Part of the CIA triad, confidentiality is concerned with making sure only authorised people have access to data.

For example, you would not want just anyone to be able to read your medical records: your doctor’s surgery or hospital will keep that information confidential.

Cryptocurrency

Put simply, cryptocurrency is an electronic form of currency which is not regulated, managed or overseen by any banks or governments. Based on cryptographic techniques, it uses blockchain technology to validate every transaction. There is no single point of control. Some stock exchanges and banks are starting to recognise the various currencies, such as Bitcoin, Ripple and Ethereum, and to actively trade in them, while others are banning cryptocurrency altogether. At the time of writing this article, values for the various currencies have been fluctuating massively and it’s likely that they will take some time to settle down.

Cryptography

Cryptography is all about scrambling data to make it unreadable or impossible to understand without first unscrambling it. The technical terms for these processes are encryption and decryption. Many methods have been used over the years to encrypt data.

Manual manipulation of messages, e.g. using one-time pads (as the name implies, these were sheets of paper which were to be used only once: messages were scrambled using the random set of letters on the pad and the recipient would have to be using the same pad to decrypt the message), has been done for at least 2000 years.

Computers have been increasingly used for this process in the last 70 years. Enigma was a machine used by the Germans in WW2 to securely swap messages and was the name given to the code which was broken by Polish mathematicians in the 1930s and again by a team led by Alan Turing at Bletchley Park during the war, as dramatised in the film The Imitation Game. Later in the war, a code called Lorenz was broken using a machine devised by Bill Tutte and built by Tommy Flowers. The machine was called Colossus and was the first real computer in the world. It was destroyed after the war and its creation kept secret until many years later, so an American invention in the late 1940s called ENIAC has until recently been thought to be the first computer.

Modern cryptography relies on complicated maths and massive processing power, which can only be provided by computers. Techniques are continuously evolving, and manual cracking of codes is nigh on impossible now.

Cyber

We all use the term, but what exactly is cyber? There are many different definitions, all of which are right. The most basic is probably “something to do with computers”. It’s important that all people in a business share the same definition, so you all know exactly what you mean by the term.

I believe that in 5 to 10 years we won’t be talking about cyber- anything. Cybersecurity, cyberwarfare etc will have lost the prefix and we’ll just be talking about security, warfare etc.

B is for…

Backups

I’ve talked about these in a previous post, but essentially backups are copies of your data or computer which you can use to replace files which are inadvertently deleted, or as an alternative to paying the ransom in a ransomware attack.

You should make backups on a regular basis, whether by simply copying your important files to another hard drive or perhaps a USB stick, or by using specific backup software. The really important bit is this though: once your backup is complete, disconnect the backup media from your computer. If your computer is encrypted in a ransomware attack and your backup media is still attached, your backup is likely to be encrypted too.

When trying to decide what to back up, think about which files are most important to you, the ones which you really can’t do without. That’ll probably be financial information, including mortgage and insurance, but think about your photos and videos too. Put another way, if your house was on fire what would you save first, once family and pets were safe?

Biometrics

Biometrics are used as a form of authentication. They sound really technical, but all they really mean is a physical part of your body which is unique to you. That means fingerprints, palm prints, scans of your retinas and other unique factors which you’ve probably seen in spy movies etc, like ear prints. Some mobile devices, e.g. the latest iPhones, already use fingerprint recognition, so it’s not entirely all Hollywood make-believe!

Bitcoin

Probably the best known cryptocurrency, the value of Bitcoin soared towards the end of 2017, but many financial experts believe that this is a bubble which will burst soon. Created by someone called Satoshi Nakamoto – no-one knows who that really is – there can only ever be 21 million Bitcoins. Each Bitcoin can be split into 100 million units, each known as a satoshi. The process of creating bitcoins is based on cryptography and maths, and is called mining.

Black Hat hacker

Taken from the old western movies, a black hat hacker is one of the bad guys. They’re the ones trying to break into systems without permission, probably either to steal data or to cause damage to the organisation. They’re the ones you are most likely to hear about in the news, often with a White Hat hacker talking about what they’ve done. (White Hats are the good guys, and there are also Grey Hats which we’ll cover later in the year.)

Block chain

Blockchain is the technology used to create cryptocurrency, but in future it will be used for much more. If you think of blockchain as a sort of bank account where every transaction is visible to everyone in the world, where it is possible to track the origin and path of every piece of currency since the currency began, but without knowing who owns each account, that’s pretty much the principle behind it.

The first ever transaction contained details of how much was spent and what account number (technically, which wallet) it went to, as well as the date and time, along with some other information. All the details were encrypted into one block.

The second transaction did much the same, but also which wallet the transaction originated in and where it ended up. When encrypted it also included the details from the first block.

The third transaction was the same, but on encryption it included the first and second block.

And so on – that’s how the blockchain was born.

One of the benefits of blockchain is that each transaction is validated by all other participants, so it is pretty much impossible to falsify a record: fraud is therefore unlikely, and provenance has an unbroken chain.

This is useful in cryptocurrency, but has many other uses too. For example:

  • When buying a house, wouldn’t it be great to have a complete list of every transaction ever carried out from land purchase to addition of a conservatory or work to fix a problem with rot, which could not be falsified.
  • When new drugs are created to treat specific illnesses and diseases, think about how beneficial it would be to hold details of all tests and their results as part of the proof that they work, and which cannot be tampered with.
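As an added example (not from the original post), here is a toy chain in Python built the way the section above describes: each block carries the previous block’s hash as part of its own contents, so falsifying an old transaction breaks every later link. It uses a SHA-256 hash for the step the post calls “encrypted into one block”, and the wallets and amounts are constructed sample data.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # there is no block before the first one


def block_hash(block):
    """Hash a block's contents (transaction, position and previous hash) in a fixed field order."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_block(chain, tx):
    """Append a block recording `tx`, chained to its predecessor by that block's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "tx": tx, "prev_hash": prev_hash}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def validate(chain):
    """Return (True, None) if every block's hash and link are intact,
    otherwise (False, index of the first block that fails)."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"]:
            return False, i
        expected_prev = chain[i - 1]["hash"] if i > 0 else GENESIS_PREV
        if block["prev_hash"] != expected_prev:
            return False, i
    return True, None


def build_sample_chain():
    """Constructed sample transactions (not real data), following the post's three-step description."""
    chain = []
    add_block(chain, {"amount": 50, "to": "wallet-A", "when": "2017-01-01T09:00"})
    add_block(chain, {"amount": 20, "from": "wallet-A", "to": "wallet-B", "when": "2017-01-02T10:30"})
    add_block(chain, {"amount": 5, "from": "wallet-B", "to": "wallet-C", "when": "2017-01-03T11:15"})
    return chain


def tamper_demo():
    """Falsify the second transaction and nothing else: its own stored hash no longer matches."""
    chain = build_sample_chain()
    chain[1]["tx"]["amount"] = 2000
    return validate(chain)  # (False, 1)


def tamper_and_rehash_demo():
    """Falsify it and recompute that block's hash too: the third block still holds the old hash,
    so the chain is caught one block later."""
    chain = build_sample_chain()
    chain[1]["tx"]["amount"] = 2000
    chain[1]["hash"] = block_hash(chain[1])
    return validate(chain)  # (False, 2)


if __name__ == "__main__":
    print(validate(build_sample_chain()), tamper_demo(), tamper_and_rehash_demo())
```

In a real system the other participants hold their own copies of the chain, which is why the post says a record cannot simply be rewritten: the forger would have to rewrite every later block on every copy.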

Botnet

When a device has been compromised, it may be used to attack other computers over the Internet. When this is the case, it is said to be running as a bot (like a robot). When multiple bots are used to carry out a simultaneous attack, or to run in a similar way, this is called a botnet, i.e. a network of robots.

Business Continuity

Often used almost synonymously with Disaster Recovery (DR), Business Continuity is all about making sure that your business can carry on working in the event of an issue, e.g. a power cut, loss of data or flooding. It’s not all about cyber, though cyber is a constituent part.

Most commonly people talk about Business Continuity Planning (BCP) which is all about determining, documenting and testing how you will react to something that affects your business. For example, you may have an alternate site for people to work from, or they may be able to work from home, but how do you tell people that’s what they need to do? How do you know that they will be able to access systems from the alternate location? How do you know they will have access to all the software and data they need from that alternate location?

A key part of BCP is understanding who your key assets are, and what they need to do their job. You also need to understand the impact to your business if various components are unavailable, and how long you can afford to not be working. For example, if your business only provides services through the internet, having no internet access for several days could kill your business: your BCP will set out what you will do to get back online quickly.

It’s not uncommon for businesses to run tabletop exercises to work out who would do what in the event of a problem, but it’s also a good idea to actually test that the plan works. For example, if your BC plan is to have 20 people up and running within 4 hours at the alternate site, but it takes more than 4 hours to travel to the site, then your plan will fail.

It’s important to note that when testing your plan, things not working are good things to find. It’s better to find that out during a test than when you actually need it.

How does your security measure up?

I published this article on LinkedIn on Monday 3rd July 2017, and I’ve copied it here for you.

If you don’t know what you have, how can you measure it?

We read a lot these days about equipment and training to help combat cyber attacks and reduce risks, but I don’t see much about today’s topic. It’s really good that you have controls in place, with defence in depth etc, but how do you know they’re working?

It seems to me that we often forget to take into account the requirement to measure key components on our systems, so that we know when things are working well and when they’re not. This isn’t about audit, which gives you a snapshot, a point in time view. This is about consistent, regular (possibly even real-time) monitoring and reporting on systems.

The first step in this process is to identify what matters to you most – in many, if not all, cases this will be the data your systems hold.

Then, look at the controls you have in place, and think about what information would give you assurance that your controls are effective.

For example, if you have highly sensitive data on all your laptops, knowing which devices are not encrypted might be a really key measurement for you. In this instance, you may decide it is unacceptable for any laptops to be unencrypted, or you may decide you’re happy with a tolerance of 5% or 10%.

One of the fundamental features of reporting is knowing what you have, where it is, and what software is loaded on it. If we look at the recent ransomware outbreaks of WannaCry and Petya, we know that these malware packages make use of specific vulnerabilities which were addressed by specific patches. If your inventory is up to date, you can check for the devices missing those specific patches, and target them immediately, rather than checking every single machine. The same held true with Heartbleed and other outbreaks of a similar nature.

Some would say that regular reporting on critical patches which have not been installed is a waste of time: personally, I think it’s a good metric and invaluable in deploying resources effectively. You should already have a patch schedule, but does it take into account Critical patches? If not, it’s time to start thinking about being proactive with them and pushing them out outside the patch schedule.

Similarly, you will probably want to know which devices have aged (out of date) antivirus signatures: if they’re not within a couple of days of release then in this day and age you’re running a risk. Report / alert on devices where this is the case, or where AV isn’t running at all. (While you’re at it, you might want to investigate ways of determining whether AV is running but not scanning anything – I have seen this on several occasions.)

You will also probably want to baseline the traffic profile coming into and out of your network so that you know what looks normal, making it easier to spot unusual activity. Pay attention to the days and times that traffic is present: if you get a lot of traffic at 3 in the morning, why is that?

Finally, when presenting this information to your senior management, don’t leave it as raw figures. Present it in terms of risk and impact, from a financial and reputational viewpoint. That makes it easier to understand why something needs to be done and should help with getting additional resources to address those risks.
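As an added example (not from the original article), the three measurements described above, encryption coverage against a tolerance, devices missing one specific critical patch, and stale or stopped antivirus, worked out in Python over a constructed four-laptop inventory. The record layout, the hostnames and the dates are assumptions; the patch identifier is the one the blog names elsewhere.

```python
from datetime import date

# Constructed sample inventory (not real devices), one record per laptop,
# shaped like the export you would get from an asset register or endpoint management tool.
INVENTORY = [
    {"host": "LAPTOP-01", "encrypted": True,  "patches": {"MS17-010"}, "av_running": True,  "av_sig_date": date(2017, 7, 2)},
    {"host": "LAPTOP-02", "encrypted": False, "patches": set(),        "av_running": True,  "av_sig_date": date(2017, 6, 20)},
    {"host": "LAPTOP-03", "encrypted": True,  "patches": {"MS17-010"}, "av_running": False, "av_sig_date": date(2017, 7, 1)},
    {"host": "LAPTOP-04", "encrypted": True,  "patches": set(),        "av_running": True,  "av_sig_date": date(2017, 7, 3)},
]


def unencrypted_devices(inventory):
    """Hostnames of devices whose disk is not encrypted; the list you would chase first."""
    return sorted(d["host"] for d in inventory if not d["encrypted"])


def encryption_within_tolerance(inventory, tolerance_pct):
    """True if the share of unencrypted devices is at or below the agreed tolerance (0, 5 or 10 percent)."""
    unencrypted = len(unencrypted_devices(inventory))
    return 100.0 * unencrypted / len(inventory) <= tolerance_pct


def missing_patch(inventory, patch_id):
    """Devices that do not have one specific critical patch, so they can be targeted
    immediately instead of checking every machine."""
    return sorted(d["host"] for d in inventory if patch_id not in d["patches"])


def av_problems(inventory, today, max_age_days=2):
    """Devices where AV is not running at all, or whose signatures are older than max_age_days."""
    problems = {}
    for d in inventory:
        if not d["av_running"]:
            problems[d["host"]] = "AV not running"
        else:
            age = (today - d["av_sig_date"]).days
            if age > max_age_days:
                problems[d["host"]] = f"signatures {age} days old"
    return problems


def report(inventory, today, patch_id, tolerance_pct):
    """Bundle the metrics into one structure, ready to be rewritten in terms of risk and impact."""
    return {
        "unencrypted": unencrypted_devices(inventory),
        "encryption_ok": encryption_within_tolerance(inventory, tolerance_pct),
        "missing_patch": missing_patch(inventory, patch_id),
        "av_problems": av_problems(inventory, today),
    }


if __name__ == "__main__":
    for key, value in report(INVENTORY, date(2017, 7, 3), "MS17-010", 10).items():
        print(f"{key}: {value}")
```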

If you don’t measure what you have, how can you improve it?

Global Cyber Attack 

Yesterday, May 12th 2017 saw a mass global cyber attack launched with impeccable timing just before the weekend. Over 75000 machines were affected in around 100 countries – so far. 

It is believed that a hacking group called Shadow Crew is behind the attack. This is the same group that hacked the CIA in the USA and a couple of months ago released hacking tools developed by that agency and the NSA.

The effect was for many businesses and government departments to be hit with Ransomware (which I’ll cover on here soon). This encrypted files, which could only be unlocked by paying a ransom in a virtual currency called Bitcoin.

Once the ransom is paid the bad guys may or may not decrypt the files – there are no guarantees. 

I said it was good timing because the Ransomware gives users 3 days to pay the ransom. Many users will have started their weekend already (and in much of the Middle East the weekend is Friday and Saturday) so there’s a good chance that some users will not get to their devices in time and will have to pay – or trash their machines and rebuild them.

Many businesses and government agencies such as the NHS simply shut all systems down in order to prevent them being infected. This is one reason why the impact has been so huge.

No doubt the plan is that once the fix is known (for devices which are infected) then it will be applied to machines individually as they are restarted. 

It’s also worth mentioning that at present this doesn’t look like any kind of data breach. Files have been encrypted so the data is inaccessible, but the data hasn’t been accessed or copied – as far as we can tell at the moment. 

That’s what happened, so how do you protect yourself and your business? The answer is surprisingly straightforward.

  1. Install the MS17-010 patch on all Microsoft Windows devices. This Critical patch was released by Microsoft on 14 March this year, and the Ransomware takes advantage of a vulnerability which the patch fixes. If your machine has been set to apply updates automatically, then assuming you’ve rebooted your machine since the update was applied you should be safe. If you don’t have Auto Update enabled – manually search for updates and install them now.
  2. If you’re on a network, make sure that your network administrators have disabled the SMB protocol on all devices that don’t need it. This is how the Ransomware spreads on an internal network.
  3. Make sure your antivirus software is up to date and running.
  4. Be extra careful when clicking on links you don’t recognise and on unsolicited documents.
  5. Make sure any devices you use for backing up your data are not physically connected to your computer – if they are, then chances are your backups could get infected too.

That’s all you need to do. It’s clear from this outbreak that the things I’ve been talking about – patching, antivirus, backups, phishing awareness etc – which are all simple things to do but often neglected, are all really good protection against even global attacks. 

I’ll be releasing a podcast about this later today, so keep your eyes peeled for that! 


A while back I mentioned in my post on Backups that we needed to talk about Encryption, so here we are. First of all, I need to explain what encryption is. At its simplest, it’s a way of making a message unreadable by anyone other than the intended recipient.

I should also point out that there is a difference between a code and a cipher, though they tend to be used interchangeably. A code is where each word in a message is replaced with a code word or symbol, whereas a cipher is where each letter in a message is replaced with a cipher letter or symbol. In fact, when most people say “code,” they are actually referring to ciphers.

Why encrypt anything?

Why would you want to use encryption though? You may say that you’ve nothing to hide, but think about that for a second. Say you’re accessing your bank account – would you want anyone who is able to intercept the messages you send to be able to read them? What about if you’re paying for something online? Would you want someone to be able to read your credit card number and security code? What about if you’re in contact with your doctor or hospital about a medical condition? You get the idea I hope…

For these reasons, and many more, communications between our computers, our laptops, tablets and smartphones and a whole host of services, whether financial or health related, or just generally private, are encrypted for us.  If you’ve noticed some web pages start with https rather than http – that means that the former are encrypted and should be more secure.

How does it work?

Encryption has been around for millennia, though with the advent of more and more complicated maths and now computers, the processes have changed dramatically.  I’m not going to go into the detail of how it all works here, other than with a very simple example. 

Going back 2000 years, a common method of encryption would be to substitute one letter for another.  The most popular way of doing this was called a Caesar Cipher (after the Roman emperor), and worked like this:

First of all, write down the alphabet


Then, move the letters along a number of places. In the example below, I’ve moved them 3 places, so A now sits below where D was:


Write your message using the new letters.  In this example, HELLO would be:


As you can imagine, this would not take long to decode, but worked quite well in a time when a lot of people were illiterate.
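The three steps above in Python, as an added example that is not part of the original post. The post’s pictures are not on this page, so it takes the usual reading of a shift of 3, in which A is written as D and HELLO becomes KHOOR, and it ends with the reason the cipher “would not take long to decode”: there are only 25 possible shifts, so all of them can be tried.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar_shift(text, shift):
    """Move every letter `shift` places along the alphabet, wrapping round at Z;
    spaces, digits and punctuation are left as they are."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def cipher_table(shift):
    """Step 1 and 2 from the post: the plain alphabet with the shifted alphabet written underneath."""
    return ALPHABET, caesar_shift(ALPHABET, shift)


def encrypt(plaintext, shift=3):
    """Step 3: write the message using the letters from the shifted row."""
    return caesar_shift(plaintext, shift)


def decrypt(ciphertext, shift=3):
    """Shift the other way to get the original message back."""
    return caesar_shift(ciphertext, -shift)


def brute_force(ciphertext):
    """Try every possible key; with only 25 of them, the real message is always in this short list,
    which is why the cipher offers no protection today."""
    return {k: decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    top, bottom = cipher_table(3)
    print(top)
    print(bottom)
    print(encrypt("HELLO"))  # KHOOR
    for k, guess in brute_force(encrypt("HELLO")).items():
        print(k, guess)
```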

Jump forward to today and you use huge prime numbers, really clever maths and quantum computers in an ever changing, rapidly evolving battle to keep messages confidential.

Encryption in history

There are two really interesting stories about encryption from World War II which I’d like to share with you.

The first is all about Bletchley Park and Enigma. I’m sure you’ll have heard of them, or at least of the film The Imitation Game, one of several which have covered the activities of Britain’s code breakers. Their work in breaking the German codes is said to have shortened the war by at least 2 years, but it’s relatively unknown that Enigma was actually broken in the mid-1930s by Polish code breakers. Not long before war broke out the machines were changed to make them more difficult to break. If you ever have the chance to visit Bletchley (it’s near Milton Keynes in England) you should do so – it’s a fascinating and absorbing day out.

The second story is less well known. Clever maths and computers are all well and good, but there’s another way to make messages unintelligible. Write them in a language that only the sender and recipient understand.  That’s what the Americans did, using teams of Navajo tribesmen. Other than members of the tribe, only a handful of other people spoke their language. The Navajo working in this way were known as Windtalkers, and were deployed throughout the Pacific. 

Passwords and encryption

Sorry, but I have to bring passwords into this. You may have heard of plain text password storage – that’s where a password is stored and isn’t encrypted. Most systems now use a process called hashing, which is a form of encryption. This involves taking the password and applying some maths to it to get an unrelated string of text, which is then stored. When you log in again and enter your password, it is typically hashed again and that string compared against the one which has been stored. If you type the same password, the hashes will match, but even a small change will result in no match. Note that you don’t “unhash” the text.

Here’s an example to illustrate this. I used a common tool called an MD5 hash generator (try it, you can find free ones using Google), and ran it against the word password. The hash which was generated was:


I used the same tool, and this time used a capital letter P in Password. The result?


You can see that they’re totally different.

When hackers try to break into systems, they have ways of accessing the stored passwords, which as you now know are hashed. BUT – they have a pregenerated list of common passwords and even dictionary words with their associated hashes. It’s easy for them to scan the hashes looking for a match in their list. (The lists are called Rainbow Tables.) This is one reason why you should never use common passwords, or dictionary words: they’re the first ones to be tried by hackers and therefore the first to be broken.
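As an added example (not from the original post), the MD5 experiment above reproduced in Python, followed by the two things the post describes: a stored unsalted hash being matched against a precomputed table of common passwords, and the standard defence, a random per-user salt with a slow key-derivation function, which makes a table built in advance useless. The tiny four-entry table is constructed for illustration; real ones hold millions of entries.

```python
import hashlib
import hmac
import os


def md5_hex(text):
    """Plain, unsalted MD5 of the text, as the online hash generators the post mentions compute it."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed mini lookup table of a few common passwords and their MD5 hashes.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
HASH_TABLE = {p: md5_hex(p) for p in COMMON_PASSWORDS}


def lookup_stored_hash(stored_hash, table=HASH_TABLE):
    """Compare a stored unsalted hash against every entry in the precomputed table.
    A match reveals the password with no work at all, which is the post's point about common passwords."""
    for candidate, digest in table.items():
        if hmac.compare_digest(digest, stored_hash):
            return candidate
    return None


def salted_hash(password, salt=None, iterations=200_000):
    """The defence: a random 16-byte salt per user and PBKDF2-HMAC-SHA256 with many iterations.
    Two users with the same password get different digests, and every guess costs real time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, stored_digest, iterations=200_000):
    """Re-derive with the stored salt and compare in constant time; nothing is ever 'unhashed'."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


def demo():
    """The post's two runs: 'password' and 'Password' hash to completely different values.
    The lower-case one is in our small table; the capitalised one is not (a real table would have both)."""
    h1, h2 = md5_hex("password"), md5_hex("Password")
    return {
        "differ": h1 != h2,
        "found_password": lookup_stored_hash(h1),
        "found_Password": lookup_stored_hash(h2),
    }


if __name__ == "__main__":
    print(md5_hex("password"))
    print(md5_hex("Password"))
    print(demo())
    salt, digest = salted_hash("password")
    print(verify_salted("password", salt, digest), verify_salted("Password", salt, digest))
```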

Further reading

If you want to know more about the history and how things have changed, I’d recommend reading Simon Singh’s The Code Book, though be warned that towards the end the maths gets quite heavy! You’ll also learn more about Enigma, the Windtalkers, dead languages and about Alice, Bob and Eve (aka Mallory) who are used to explain a common form of encryption used today which uses a Public Key Infrastructure (PKI).