W is for …

Whaling

When people launching spear phishing attacks against senior members of staff, this is known as whaling (because they’re after the big fish). That’s the only real difference in the terms, though the types of attack may differ slightly.

Whales are more likely to be the target for mandate fraud, where an email purporting to be from eg the Chief Executive of an organisation goes to the Finance Director, or Finance team, asking them to make an urgent payment to a particular bank account.

White Hat

Ethical hackers, ie those who carry out lawful penetration tests with written permission from a client, are often called white hats. This is because they’re the good guys: hackers who attack without permission are black hats. The name comes from 50s and 60s films set in the Wild West, where the colour of the cowboy’s hat told you whether they were good or bad.

WiFi

Wireless connections to computers often use WiFi (rather than Bluetooth). Good practice dictates that the WiFi connections should be encrypted, using WPA2 encryption. WEP and WPA are both weak encryption prpotocols and should not be used.

Worm

A worm is a form of malware which replicates iteself in order to infect the computer it is on and any others it can find.

P is for …

Password

There has been much written about passwords, but for this entry I thought it worth defining what a password actually is. It’s a code, phrase or sequence of letters and numbers which is used to validate that you are who you say you are. It’s often used in conjunction with a username or when you login to a device or system.

You’re advised to keep your password secret, known only to you, because this helps with non-repudiation.

Patching

Pretty much all software has vulnerabilities in it. The more complex the software, the more likely it is to have vulnerabilities. Patches are pieces of code written by software developers to fix those vulnerabilities once the manufacturers become aware of them.

Patching is the process of applying these bespoke pieces of code. Typically patches are given a severity based on the risk the vulnerability contains. Urgent patches should be applied as soon as possible, whereas low risk patches don’t need to be applied so quickly.

When applying patches in a work environment, it is advisable to test the patch on several machines first, before applying it to every device, just in case there are any issues or conflicts which the patch causes with existing software.

Payload

Viruses often contain malware, some of which contains special code to try to compromise a device. This is typically called a payload. Different viruses carry different payloads, and some carry multiple different payloads.

An analogy which might explain this is where you have bomber aircraft, the bombs they carry are referred to as the payload.

Penetration test

A common way of testing web sites and web applications is to run a penetration test. This is where ethical hackers i.e. people with prior permission from an organisation, run tests to see if they can find vulnerabilities, and find out what would happen if those vulnerabilities are exploited.

Typically, the testers will provide a report documenting their findings, and the organisation being tested will then fix any issues found by the testers.

This should be run on a regular basis, because new vulnerabilities, including zero day threats, are constantly being discovered.

There are also physical penetration tests, where people are hired to try to access a business. This is called a red team test.

Phishing

Phishing is a form of attack where the bad guys send email to a list of email addresses (which they’ve often bought on the dark web). The email typically either has an infected attachment or a link to an infected website, or it contains a message asking you to help someone release money from their bank account or some equally ridiculous plea for help.

These messages are indiscriminate and are not targeted at specific individuals. Those which are specifically targeted are known as spear phishing or whaling.

Principle of Least Privilege

A key feature of cyber security is making sure that users only have access to the programs or data they need access to for their job. This is known as the principle of least privilege.

For example, there’s generally no reason why someone working in the accounts department needs access to personnel records, or someone working in HR probably doesn’t need access to files for a specific project. Access would normally be restricted to help protect data.

Connected at home – what’s the problem?

You’ve probably heard by now of the Internet of Things (IoT). It’s essentially anything that is connected to the internet that isn’t a “standard” laptop or computer. But how secure is it? And how secure is your car? Just because your key fob is in your house doesn’t mean your car can’t be stolen.

The TV show Panorama here in the UK aired a really interesting episode this week, looking at just these issues. Have a watch here and see what you think.

I think the show does really well at showing how quickly systems can be compromised and what the effects could be. New iPad anyone? The truly horrifying part came with the expose of home CCTV footage available to anyone on the web, particularly baby monitors.

This should be a wake up call to everyone with a home router. Change the password and make it complex, at least 15 characters or more. Do it today.

It’s just a Like…

What harm can it do? You know, seeing your favourite hairdresser or coffee shop on social media, and clicking on the Like button? And what about all those little quizzes and fun games that appear? Like what are your top 5 places to visit, what was your first pet called etc. Not to mention the “your rock star name is…” and you have to give two pieces of information and then share them with your friends. That’s just opened up a treasure trove for the bad guys.

This short video shows what can happen in the time it takes you to order and receive your coffee.

How can you protect yourself from giving away all this information? Just spend a little time going through the security settings on all your social media platforms. If you’re not sure how to do this, use Google to find the answer. Oh, and do this on a regular basis, as the social media firms can and do change your settings from time to time.

H is for…

Hacking

I’m pretty sure that you’ve all heard the term “hacking”, and you probably know that it has negative connotations. But what exactly is it?

Put simply, it’s trying to get access to a computer or network using vulnerabilities in the security of the target. Note that I don’t necessarily say software: people can be hacked too, which is effectively what social engineering is. I won’t go onto social engineering here as it’ll be covered under “S is for…” later this year, so for the moment I’ll concentrate on hacking software.

Almost all software has errors in it which can be used to make the software do things the manufacturer didn’t intend. The bad guys know this, and spend a lot of time looking for those errors, then writing their own software to make use of these vulnerabilities (weaknesses): this process is called writing exploits.

The bad guys have a number of ways of getting their exploits to run on your systems: phishing emails are perhaps the most common and well known method, as are infected websites which download and install software in the background.

The best ways to protect your systems from hackers are:

  • Change your passwords regularly and enforce long, complex passwords for administrator level accounts
  • Keep patching and antivirus updated
  • Ensure your systems are vulnerability scanned, preferably penetration tested, on a regular basis
  • Ensure you / staff are trained to spot phishing emails

Hacktivism

Hackers who attack systems in support of a specific cause are engaging in hacktivism. Organisations like Anonymous rose to attention because they attracted hacktivists supporting different causes to attack companies which were involved in those causes.

Hybrid cloud model

As the name suggests, this kind of model is a mix of cloud and on-premise service provision. Some of the data / servers being used are in data centres run by your organisation, and some are in the cloud.

G is for…

GDPR

The General Data Protection Regulation (GDPR) is an EU regulation which sets out the minimum requirements for Data Protection in the EU. It is a bit more stringent than the Data Protection Act, which is the current legislation in the UK. The UK has been heavily involved in its development, and it will come into force on 28th May 2018.

As an EU Regulation it immediately becomes law in every member country the day it comes out, and every member state will have to comply from that date.

For further advice and guidance, go to the ICO website and check out these 12 Steps to GDPR which you should be following right now.

Governance

It’s all well and good having lots of security controls in place, lots of shiny hardware and the latest software, but how do you know that what you have is effective and is being used by everyone?

That’s what Governance is for. It’s about the oversight of all security related activities to make sure that they are fit for purpose and delivering benefit. It’s normally done through regular reporting, reviews of metrics (ie data which demonstrates how effective controls are) and key performance indicators.

What does this mean in practice? Let me give you an example. Let’s assume that an organisation is security policy states that all relevant critical patches from software vendors must be applied within 1 month of their release. A metric that might be used is to identify the number of machines which don’t have critical patches applied within 2 months, and for those machines to be inspected to find out why.

Grey Hat hacker

In an earlier post we talked about Black Hat hackers, who are effectively the bad guys, and we’ll talk about White Hats later this year (you’ve guessed it, they’re the good guys). Grey Hats fall somewhere in between. They see themselves as doing good, trying to help organisations, but technically they’re breaking the law.

It works something like this. A white hacker has written permission in advance before trying to test a system for vulnerabilities. A grey hat doesn’t have that permission, but tests systems for them anyway. When they find a vulnerability, they either notify the organisation or the company that makes the software they’ve found the vulnerability in, often in the hope they’ll get some kind of reward. It has been known for them to be arrested because they’ve not had that ore-authorisation to carry out their tests.

B is for…

Backup

I’ve talked about these in a previous post, but essentially backups are copies of your data or computer which you can use to replace files which are inadvertently deleted, or as an alternative to paying the ransom in a ransomware attack.

You should make backups on a regular basis, whether by simply copying your important files to another hard drive or perhaps a USB stick, or using specific software for backups. The really important bit is this though: once your backup is complete, disconnect the backup media from your computer. If your computer is encrypted in a ransomware attack and your backup media is still attached, your backup likely to be encrypted too.

When trying to decide what to backup, think about what files at most important to you, about those which you really can’t do without. That’ll probably be financial information, including mortgage and insurance, but think about your photos and videos too. Put another way, if your house was on fire what would you save first, once family and pets were safe?

Biometrics

Biometrics are used as a form of authentication. They sound really technical, but all they really mean is a physical part of your body which is unique to you. That means fingerprints, palm prints, scans of your retinas and other unique factors which you’ve probably seen in spy movies etc, like ear prints. Some mobile devices eg the latest iPhones already use fingerprint recognition, so it’s not entirely all Hollywood make believe!

Bitcoin

Probably the best known cryptocurrency, the value of Bitcoin soared towards the end of 2017, but many financial experts believe that this is a bubble which will burst soon. Created by someone called Satoshi Nakamoto – no-one knows who that really is – there can only ever be 21 million Bitcoins. Each Bitcoin can be split into 100 million units, known as a satoshi. The process of creating bitcoins is based on cryptography and maths, and is called mining.

Black Hat hacker

Taken from the old western movies, a black hat hacker is one of the bad guys. They’re the ones trying to break into systems without permission, probably either to steal data or to cause damage to the organisation. They’re the ones you are most likely to hear about in the news, often with a White Hat hacker talking about what they’ve done. (White Hats are the good guys, and there are also Grey Hats which we’ll cover later in the year.)

Block chain

Blockchain is the technology used to create cryptocurrency, but in future it will be used for much more. If you think of blockchain as a sort of bank account where every transaction is visible to everyone in the world, where it is possible to track the origin and path of every piece of currency since the currency began, but without knowing who owns each account, that’s pretty much the principle behind it.

The first ever transaction contained details of how much was spent and what account number (technically, which wallet) it went to, as well as the date and time, along with some other information. All the details were encrypted into one block.

The second transaction did much the same, but also which wallet the transaction originated in and where it ended up. When encrypted it also included the details from the first block.

The third transaction was the same, but on encryption it included the first and second block.

And so on – that’s how the blockchain was born.

One of the benefits of blockchain is that each transaction is validated by all other participants, so it is pretty much impossible to falsify a record: fraud is therefore unlikely, and provenance has an unbroken chain.

This is useful in cryptocurrency, but has many other uses too. For example:

  • When buying a house, wouldn’t it be great to have a complete list of every transaction ever carried out from land purchase to addition of a conservatory or work to fix a problem with rot, which could not be falsified.
  • When new drugs are created to treat specific illnesses and diseases, think about how beneficial it would be to hold details of all tests and their results as part of the proof that they work, and which cannot be tampered with.

Botnet

When a device has been compromised, it may be used to attack other computers over the Internet. When this is the case, it is said to be running as a bot (like a robot). When multiple bots are used to carry out a simultaneous attack, or to run in a similar way, this is called a botnet ie a network of robots.

Business Continuity

Often used almost synonymously with Disaster Recovery (DR), Business Continuity is all about making sure that your business can carry on working in the event of an issue eg power cut, loss of data, flooding. It’s not all about cyber, though cyber is a constituent part.

Most commonly people talk about Business Continuity Planning (BCP) which is all about determining, documenting and testing how you will react to something that affects your business. For example, you may have an alternate site for people to work from, or they may be able to work from home, but how do you tell people that’s what they need to do? How do you know that they will be able to access systems from the alternate location? How do you know they will have access to all the software and data they need from that alternate location?

A key part of BCP is understanding who your key assets are, and what they need to do their job. You also need to understand the impact to your business if various components are unavailable, and how long you can afford to not be working. For example, if your business only provides services through the internet, having no internet access for several days could kill your business: your BCP will set out what you will do to get back online quickly.

It’s not uncommon for businesses to run tabletop exercises to work out who would do what in the event of a problem, but it’s also a good idea to actually test that the plan works. For example, if your BC plan is to have 20 people up and running within 4 hours at the alternate site, but it takes more than 4 hours to travel to the site, then your plan will fail.

It’s important to note that when testing your plan, things not working are good things to find. It’s better to find that out during a test than when you actually need it.

Vehicle Security

You’ve no doubt heard the stories about cars being hacked over WifI or Bluetooth, but today I want to talk about an easier security risk: second-hand, hire and courtesy cars…

I’ve recently had my car in the garage to have it serviced, and I was provided with a reasonably new courtesy car. I had to drive a fair distance so paired my mobile phone over Bluetooth so I could listen to podcasts while driving. As part of the pairing process I was asked if I wanted to replace the existing contact list for the phone in the car, and that set me thinking…

I looked at the sat nav, and guess what? Several pages of addresses were listed, none of which I’d added: these had been created by those who had the car before me.

I looked at the list of connected phones, other than mine, and there were a couple of pages of paired phones, including some which said things like “John Smith’s iPhone”.

I looked at the existing phone contacts listed on the car – none of them were mine.

What does all this mean? It’s all pretty innocent stuff, right? Wrong.

I can now try to match “John Smith” with the addresses listed. I can use the phone contact list to look for people that “John Smith” might know: for example, on social media and sites like LinkedIn. I know what kind of phone he uses, so that tells me more about him too. This is all information I could use to mount a spear phishing attack, if I was so inclined.

Of course, I’m not so inclined: I’d much rather tell you about it so you can protect yourself.

So, what can you do? Simple: if you borrow a car, whether as a hire car, courtesy car, or if you’re selling your car, make sure you delete all your details including addresses and contact information before you hand the car back.

Should we be worried about our MPs security awareness?

Over the weekend a couple of tweets by a UK Member of Parliament (MP) have generated a wave of outrage and comment amongst the security community. Nadine Dorries mentioned that she routinely shares her password with her staff and often has to ask them what it is. (Incidentally, Nadine should make sure all her other accounts don’t use the same password eg her online banking and shopping accounts.) The big question appears to be “is this a big deal”? I think it is, and here’s why.

Earlier this year there was a cyber security attack on MPs by an unknown government – variously reported as Russia or Iran – and a number of MPs fell for phishing attempts. You have to ask now whether it was the MP or a member of their staff: either way it shows that more awareness and better controls are needed.

In the last couple of weeks an MP was accused of viewing pornography on his work PC, a charge which he has denied despite the investigating police officer presenting comments which might indicate it was likely. Nadine Dorries’ comments were (I’m sure) meant to illustrate that just because the MPs credentials had been used to log on to the computer it didn’t necessarily mean that he had accessed the material. And this is the main point, why it’s important for individuals to take ownership of and responsibility for their log on credentials (their user name and password), why they should keep the password secret.

In the staff handbook at Parliament, section 5.8 states clearly that “you must not… share your password”. One of the reasons why we’re advised (told) not to share passwords is to protect us. If any wrongdoing is discovered or suspected using our user name, we are responsible. If someone else has had access to your machine using your details – you are still responsible.

If you have colleagues who you think should have access to your email, give them delegated access, which means they can access it using their own credentials. If they need to access documents etc, put them on a shared network drive where again they use their own credentials. This protects both parties and is more in line with industry best practice.

I’m hoping that the events of the weekend will encourage MPs and their staff to improve their working practice, but I’m not sure it’ll happen because there doesn’t seem to be anyone holding them to account, taking them to task for these flagrant breaches of policy. I’m also hoping that those in charge of systems in Parliament (who I know are very capable and knowledgeable) will get the backing they need to bring working practices more in line with the rest of industry. Finally, I’m also hoping that all passwords will be reset over the next day or two.

10 Steps to Cyber Security – Part 1 of 2

Through discussions with various clients and perspective clients, at conferences, events and forums, it is very apparent that a lot of companies know that they need to do “something about cyber” but many, particularly in the Small and Medium Enterprise (SME) arena, are unsure of what that something should be.

My response to them is generally along the same lines, and I thought I’d share it with you now. My apologies for those of you who are seasoned cyber professionals, as you will no doubt know this subject inside out, but for those of you who are wondering just how to get started and are looking for a jargon free, pragmatic explanation, read on…

As far back as 2012 the UK government produced the 10 Steps to Cyber Security which companies should follow to help make them more secure, as part of the drive to make the UK a safe place to do business. Those were followed in 2014 by the Cyber Essentials scheme. Both the 10 Steps and Cyber Essentials have had updates over the years, but those updates relate more to guidance and clarification rather than changes to content.

This article sets out the first 5 requirements of the 10 Steps to Cyber Security: I’ll provide the remaining 5 in my next post which will be in a week or so. You will see that a number of these topics overlap, and that’s absolutely fine. There are some very blurred lines, but so long as the topics are covered then that has to be a good thing, right?

1. The first step is to set up a Risk Management regime. This sounds scary, but could be as simple as having an Excel spreadsheet or a Word document where you list all the risks to your business, determine how severe those risks are, and document how you will mitigate those risks. It doesn’t have to be onerous – it could just be your top 5 or 10 risks to start with.

  • For example, if your business relies exclusively on internet orders eg as a retail outlet, then lack of access to the internet would be a serious risk and mitigation measures could involve something like hosting your website with a specialist hosting provider which can provide protection against physical issues like flooding or power cuts and some technical measures such as denial of service attacks.
  • You should bear in mind that this is a regular, repeated process, where you review your risk register regularly and agree with the board appropriate measures based on a cost benefit analysis and your company’s risk tolerance.

2. The second step is to look at Secure Configuration of your systems. All this really means is that you need to make sure that your systems are patched appropriately, that anti-virus / anti-malware software is installed, updated and running, that you have an inventory of the equipment you have and what software is installed on it, and that where possible you’ve documented a standard build for all your devices. Let’s look at those in turn, as it all sounds very complicated:

  • Patches are software updates provided by vendors to address vulnerabilities which are found in all software. These are typically graded in terms of severity from low to critical, the idea being that you apply all critical patches as fast as possible, while low severity are less important. One of the reasons the Wannacry ransomware outbreak hit people so hard in May was because a Critical patch released by Microsoft in March hadn’t been applied to the systems affected: that’s a good example of what can go wrong if you don’t keep patches up to date. Many systems allow patches to be downloaded and installed automatically and, if you don’t have an IT department, it’s a good idea to use that option.
  • Antivirus software is similar to patches, in that vendors release regular updates to tackle new viruses. With the volume of viruses increasing massively on a daily basis, it’s a good idea to install these updates as they come out – at least daily. Many of the larger virus companies such as McAfee and Symantec have products which update automatically, and are well worth considering.
  • As an aside, there are rumours that Mac devices aren’t susceptible to or targeted by viruses: this is not the case anymore so make sure those devices are protected too.
  • Keeping an inventory is sensible: if you don’t know what you’ve got, how can you protect it? And if you don’t know what software is running, how do you know you have all the licenses you need, and how do you know how to rebuild the machine if it is damaged or unavailable for some reason? It just stops you starting from the very beginning, and allows you to be more proactive. Knowing what should be on each machine also helps you to develop a strategy for removing or disabling unnecessary functionality on it. Again, going back to Wannacry in May, one of the methods used by the ransomware from machine to machine was through a network protocol which wasn’t really necessary on most machines. Maintaining an up-to-date inventory could help you identify vulnerabilities like that and close them down quickly.
  • The benefits of having a documented standard build have pretty much been covered in above. It also means that when a new machine is bought, your IT team / support company knows exactly what to install and how to configure it to meet your business needs. This saves time and effort.

3. The third step concerns Network Security. Again there are some jargon words around what this means and what has to be done, but I’ve broken it down as follows:

  • One of the reasons for network security is to protect your networks from attack. A simple way of checking to see how well the network is protected is by engaging a company such as the one I work for to run a penetration test against all your public facing connections. All that this means is that a trusted person, with your permission, tries to see how far they can get into your network: they then report back to you with details of the vulnerabilities they found and how these can be fixed / remediated. They are actually using the same tools and techniques as hackers, but because they have your permission this is known as ethical hacking.
  • Another area to look at in network security is defending your network perimeter. This means that you should have firewalls installed and configured correctly: the penetration test mentioned just now is one way of ensure that they are. Firewalls are typically installed at the place where your internal network meets the internet, often in a specially segregated area called a DMZ or “De-militarised zone”. It’s a way of stopping traffic from the internet getting directly on to your network.
  • As part of firewall configuration, you should ensure that unauthorised access and malicious content is filtered out. There are a range of companies which provide solutions for this sort of thing, but in simple terms your penetration test will help identify the biggest areas of concern. Network protocols are the ways in which computers talk to each other, and run across a range of different ports. You can think of the firewall as a giant colander, where you block up most of the holes (ports) other than those which are needed for passing a specific strand of spaghetti through a specific hole (port).
  • Last and not least in this section is the requirement to monitor and test security controls. We’ve already talked about testing – penetration testing – and monitoring is a way of measuring the effectiveness of your controls. There are a lot of monitoring toolsets available, ranging from reasonably cheap to quite expensive. It’s worth working out what you want to monitor / measure before starting to look for tools to help. This is one area where engaging a consultant may be beneficial.

4. We’ve already talked a little about Malware Prevention, the fourth step, when we talked about Secure Configuration above. What we didn’t mention is that it’s important to develop a policy around how you will use anti-malware software. For example, what happens when a virus is detected. Should it be deleted automatically or perhaps quarantined for analysis? Is there a process for testing removable media such as USB sticks for malware before connecting them to corporate systems (this is often called a sheepdip process). It’s also important that anti-malware software is running on all devices connected to your business environment: monitoring and measurement will help confirm this.

5. Overlapping malware prevention is the fifth step, Removable Media Control. This again requires specific policy statements about the use of removable media: do you allow it or not, are only specific users in specific roles allowed to use it etc, and also sets out the requirements for scanning media for malware, perhaps using the sheepdip process outlines in 4 above.

Hopefully this all makes sense. Please look out for the next installment when I’ll cover the remaining 5 steps, which are:

6. User education and awareness

7. Managing User Privileges

8. Incident Management

9. Monitoring

10. Home and Mobile Working