10 Steps to Cyber Security – Part 2 of 2

This is the second half of the article which I published last week. I have been overwhelmed with the positive responses to the first article, so I’ll take this opportunity to say thank you very much for your kind words. I’m glad that the article was useful for so many of you, and I hope you get just as much out of this edition. 

This article covers the remaining aspects of the UK Government’s 10 Steps to Cyber Security, and is again aimed at those of you with limited or no cyber / information security awareness. Again my aim is to explain the requirements in a simple manner with no jargon or buzzwords. As last week covered steps 1 to 5, this week we start at 6…

6. The first step we’ll look at in this article is all about User Education and Awareness. Training is a very important part of the set of controls which help protect our businesses. It forms a part of many regulatory frameworks, but we shouldn’t just do it because the regulations or contracts we work to require it. 

Within the 10 Steps, the guidance suggests that once you’ve produced all your policies and processes you ensure that those are described within the training you provide. It helps to maintain awareness of cyber risks, and at the very least should mean that all staff are aware of what is expected of them. 

Many companies have for years run this as a kind of “tick box” exercise, where people simply rush to the end as fast as possible just so they can say they’ve completed it for another year. That adds no value. The employee gains nothing and the business is not better protected – but it may be sufficient to meet our regulatory, legal or contractual obligations. 

Good awareness training should help to inform and change behaviour, making it easier for people to do the right thing than the wrong thing. It should explain the risks of certain actions in a way that matters to the individual: it should answer the “what’s in it for me” question. People are very often the weakest link in a security solution, so we should help them get it right by helping them understand what’s at stake. Many good training solutions now include gamification, or “what would you do” type scenarios. Get the attendees actively involved in the training, rather than passively clicking “Next” to get to the next screen. 

7. Managing User Privileges is the next step. This means restricting the highest privilege type of account (administrator) to as few people as possible, and giving everyone else only the access they need for their job. You should also monitor user activity if possible, looking out in particular for unusual activity such as logins at strange times of the day or from unexpected locations, or large file transfers out of your business. This involves looking at audit logs, which you may need help with. 

User accounts on most computers fall into two broad types: administrator (also known as admin, superuser, root, or something like that) and standard user. 

The standard user can run the software that is already installed, but cannot install new software, change system-wide settings or read other users’ files, because their access rights (another way of saying user privileges) don’t give them carte blanche over the device.

The administrator account has full access: it can install and run any software, remove components, change security settings and run administrative tools such as reformatting drives. This is very powerful and, as a result, the number of people with this level of access should be kept as small as possible. It also means that any malware an administrator accidentally runs inherits that power, which is one of the main reasons standard accounts matter. 

It is good practice to give most users standard user accounts, because for the most part they should not need to install software or make significant changes to their machines. Those who do need administrative rights should have a separate standard account for everyday work such as email and web browsing, and use the administrator account only when an administrative task requires it. It’s also good practice to review who has what level of access on a regular basis, and make sure that people only have access to systems and data that they need for their job. For example, someone working in a technical team doesn’t need access to payroll data, and someone working in HR doesn’t generally need to be able to install new software on a server. 
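The two halves of this step, reviewing who holds administrator rights and watching audit logs for odd logins and large outbound transfers, can be automated against exports you already have. The following is an added example written for this edition, not code from the original article or from the 10 Steps guidance. The directory export, the log line format, the 07:00 to 19:00 business-hours window and the 1 GiB-per-day outbound threshold are all assumptions, and the accounts and log lines are constructed sample data.

```python
"""Privilege review and user-activity checks over constructed audit log lines.

Added example, not from the original article. The log format, the directory
export, the business-hours window and the transfer threshold are assumptions;
adapt them to what your own systems actually emit and to your own policy.
"""
from collections import defaultdict
from datetime import datetime, time, timezone

# Constructed sample data, not real exports or logs.
ACCOUNTS = {
    # username: groups from an assumed directory export
    "alice": {"staff", "domain-admins"},
    "bob": {"staff"},
    "carol": {"staff", "domain-admins"},
    "svc-backup": {"service", "domain-admins"},
}
APPROVED_ADMINS = {"alice", "svc-backup"}  # the list you signed off at the last review

LOG_LINES = """\
2017-05-02T08:14:05Z login user=bob src=10.0.1.5 result=success
2017-05-02T23:14:05Z login user=alice src=10.0.1.9 result=success
2017-05-02T23:20:11Z outbound user=alice dst=203.0.113.7 bytes=1610612736
2017-05-02T23:41:52Z outbound user=alice dst=203.0.113.7 bytes=805306368
2017-05-03T02:05:00Z login user=carol src=198.51.100.23 result=failure
2017-05-03T09:30:00Z outbound user=bob dst=203.0.113.8 bytes=52428800
""".splitlines()

BUSINESS_START = time(7, 0)   # assumed working hours, in UTC like the logs
BUSINESS_END = time(19, 0)
OUTBOUND_THRESHOLD_BYTES = 1 << 30  # assumed policy: 1 GiB per user per day


def parse_line(line):
    """Parse 'TIMESTAMP EVENT key=value ...' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None  # unparseable timestamp: skip rather than crash the whole run
    event = {"ts": ts, "event": parts[1]}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if sep:
            event[key] = value
    return event


def unapproved_admins(accounts, approved, admin_group="domain-admins"):
    """Accounts in the admin group that are not on the approved list."""
    return sorted(user for user, groups in accounts.items()
                  if admin_group in groups and user not in approved)


def out_of_hours_logins(events, start=BUSINESS_START, end=BUSINESS_END):
    """Successful logins whose time of day falls outside the business window."""
    flagged = []
    for e in events:
        if e["event"] != "login" or e.get("result") != "success":
            continue
        if not (start <= e["ts"].time() < end):
            flagged.append((e.get("user", "?"), e["ts"].isoformat()))
    return flagged


def large_outbound(events, threshold=OUTBOUND_THRESHOLD_BYTES):
    """Per-user, per-day outbound totals above the threshold.

    Summing per day catches a transfer split into chunks that each sit
    below the limit, which a per-event check would miss.
    """
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "outbound":
            key = (e.get("user", "?"), e["ts"].date().isoformat())
            totals[key] += int(e.get("bytes", "0"))
    return {k: v for k, v in totals.items() if v > threshold}


def run_review(lines=LOG_LINES, accounts=ACCOUNTS, approved=APPROVED_ADMINS):
    """Run all three checks and return the findings as one report."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "unapproved_admins": unapproved_admins(accounts, approved),
        "out_of_hours_logins": out_of_hours_logins(events),
        "large_outbound": large_outbound(events),
    }


if __name__ == "__main__":
    for check, findings in run_review().items():
        print(f"{check}: {findings}")
```

On the constructed data the report names carol as an administrator nobody approved, alice’s late-evening login, and alice’s 2.25 GiB of outbound traffic on 2 May, which only exceeds the threshold once the two chunks are added together. Failed logins are deliberately left out of the out-of-hours check here; in practice a burst of failures at 2am is worth its own alert.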

8. The next step is Incident Management. This is not only about how you deal with an incident when it occurs, but about being prepared for one before it happens. (Notice that I’ve said “when” rather than “if”. For most businesses it is a question of when, not whether, an incident happens, so it pays to be prepared.) The key areas to bear in mind are:

  • Ensure that you have a documented incident response process, so that you know what to do and who to contact. For example, where would you relocate your business / staff to if your offices were unavailable due to fire, flood or a chemical spill? How would you contact staff to tell them where to go and when? Are all staff required or just one or two? What equipment will they need and how would they access your systems? If you’re using a shared recovery office, how are you guaranteed space? What would you do if your office systems were infected by ransomware? For a cyber incident in particular, the process should also say how you will contain the problem (for example isolating affected machines from the network), how you will preserve logs and other evidence, and how you will recover data from backups. This is the sort of thing that should be considered and the processes documented. The wider question of keeping the business running is called Business Continuity or Disaster Recovery Planning. 
  • Once you’ve got your plans in place, test them. You should aim to test them at least once a year. Some companies do a full test where they actively notify people and try running their business from the recovery offices for a day, and some run a tabletop exercise. Both work, and both have their risks and benefits. 
  • Just as your business will likely have fire marshals, first aiders and health and safety experts, make sure staff are trained in what to do in the event of an incident. The training doesn’t have to be onerous and many businesses will include it as part of their User Education and Awareness activities described in 6 above. 

Where you find a criminal incident, it should be reported to law enforcement via Action Fraud, the UK’s national reporting centre for fraud and cyber crime (http://www.actionfraud.police.uk). You may also choose to inform your local police force. 

9. The penultimate step is Monitoring. As we’ve seen, there is some overlap with step 7, but monitoring covers more than just user account management. There are a couple of things to look at when dealing with this step: 

  • You should establish a strategy for monitoring, and document this – ideally include it in your overall Information Security Policy. Monitoring may also include email and internet use as well as systems and networks: if it does, then you need to make your staff aware that this is the case, typically through an Acceptable Use Policy that they have read and signed. 
  • Monitoring of systems and networks should be continuous, so you’ll need a way of identifying anomalies or unusual behaviour. This may be through log analysis, or you may look for software which helps to visualise the data so that the anomalies stand out. Whichever route you take, logs are only useful if they are collected centrally (so an attacker who compromises one machine cannot simply delete them), kept for long enough to investigate an incident after the fact, and come from systems whose clocks agree, so that events from different machines can be lined up. 
  • Though the guidance doesn’t specifically mention it, I’d suggest that your monitoring should also cover whether your own policies are actually being followed. For example, if you have a policy that requires all laptops to be encrypted, then you should check regularly to ensure that they are and report on those that aren’t. Or if you have a policy of removing user access when people leave the organisation, you should check on a regular basis to ensure that is happening. 
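The two policy checks in the last bullet, leavers whose accounts are still enabled and laptops that should be encrypted but aren’t, are a reconciliation between exports from different systems, so they suit a small script that runs on a schedule. The following is an added example written for this edition, not code from the original article or from the 10 Steps guidance. The three CSV exports (HR leavers, directory accounts, device inventory), their column names and the one-day grace period for disabling accounts are assumptions, and the data is constructed; in a real business the exports would come from your HR system, your directory service and your endpoint management tool.

```python
"""Policy-compliance checks for the Monitoring step: leavers whose accounts are
still enabled, laptops that are not encrypted, and devices still assigned to
people who have left.

Added example, not from the original article. The export formats, column names,
grace period and report date are assumptions; the rows are constructed data.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample exports, not real data.
HR_LEAVERS_CSV = """\
username,leave_date
bob,2017-04-28
dave,2017-05-01
erin,2017-05-19
"""

DIRECTORY_CSV = """\
username,enabled,last_logon
alice,true,2017-05-02
bob,true,2017-05-02
dave,false,2017-04-30
erin,true,2017-05-02
"""

DEVICE_INVENTORY_CSV = """\
hostname,type,disk_encrypted,owner
LT-0017,laptop,true,alice
LT-0023,laptop,false,bob
DT-0101,desktop,false,carol
LT-0031,laptop,false,dave
"""

GRACE_DAYS = 1                  # assumed policy: disable within one day of leaving
REPORT_DATE = date(2017, 5, 3)  # constructed "today" so the example is repeatable


def read_csv(text):
    """Turn a CSV export (as text) into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def truthy(value):
    """Inventory tools disagree on how they spell booleans; accept the usual forms."""
    return value.strip().lower() in {"true", "yes", "1"}


def overdue_leaver_accounts(leavers, directory, as_of, grace_days=GRACE_DAYS):
    """Leavers past their grace period whose directory account is still enabled."""
    enabled = {row["username"] for row in directory if truthy(row["enabled"])}
    overdue = []
    for row in leavers:
        left = date.fromisoformat(row["leave_date"])
        if row["username"] in enabled and as_of > left + timedelta(days=grace_days):
            overdue.append(row["username"])
    return sorted(overdue)


def unencrypted_laptops(devices):
    """Laptops whose inventory record says the disk is not encrypted.

    Desktops are ignored here because the example policy only covers laptops."""
    return sorted(d["hostname"] for d in devices
                  if d["type"] == "laptop" and not truthy(d["disk_encrypted"]))


def devices_assigned_to_leavers(leavers, devices, as_of):
    """Devices still recorded against someone whose leave date has passed."""
    gone = {row["username"] for row in leavers
            if date.fromisoformat(row["leave_date"]) <= as_of}
    return sorted(d["hostname"] for d in devices if d["owner"] in gone)


def compliance_report(as_of=REPORT_DATE):
    """Run all checks against the exports and return one report dict."""
    leavers = read_csv(HR_LEAVERS_CSV)
    directory = read_csv(DIRECTORY_CSV)
    devices = read_csv(DEVICE_INVENTORY_CSV)
    return {
        "overdue_leaver_accounts": overdue_leaver_accounts(leavers, directory, as_of),
        "unencrypted_laptops": unencrypted_laptops(devices),
        "devices_assigned_to_leavers": devices_assigned_to_leavers(leavers, devices, as_of),
    }


if __name__ == "__main__":
    for check, findings in compliance_report().items():
        print(f"{check}: {findings}")
```

On the constructed data, bob left on 28 April and is still enabled on 3 May, so he is flagged; dave has left but his account is already disabled, so he is not; and erin has a leave date in the future, so she is ignored until it passes. The laptop check reports the two unencrypted laptops but not the desktop, and the third check shows that both leavers still have a laptop assigned to them, which is the sort of gap that only appears when you join two exports together.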

10. Finally, Home and Mobile Working is an area that you need to look at. 

  • Make sure that your Information Security Policy includes a section on mobile working. Do you allow it or not? If you do allow it, what are the rules, and how is data protected? Do you allow users to use their own devices, or do you provide laptops, tablets, smartphones etc.? What security is in place to protect the data, both at rest (on the device itself, which may be lost or stolen) and in transit (ie when being sent across networks)? Do you use Virtual Private Networks, encryption, two factor authentication etc.? Make sure you’ve documented what your security baseline is and ensure that it is being complied with through regular monitoring as discussed in step 9.  
  • Make sure that users know what is and isn’t allowed, what is acceptable behaviour and what is expected of them if they are working from home or on the road. This is a great topic to include in step 6, your User Education and Awareness.

As you can see, these steps are relatively straightforward, and there is a degree of overlap between them. For the most part it all boils down to how you protect your data from being seen by the wrong people, how you ensure the data cannot be tampered with, and how you keep access to it in the event of an incident. In Information Security terms, this is known as the CIA triad: Confidentiality, Integrity and Availability. Make sure you’ve documented your requirements and communicated them to staff on a regular basis, and review your requirements regularly too. 

Are there any areas I’ve not explained well? I’m happy to answer any questions you may have so please just ask! 

Things you do on Social Media which you shouldn’t

As a regular and long time Facebook user, I’m often surprised at some of the behaviour that goes on there. I’m not just talking about the harassment and ridicule of people, the cat videos and all that, but there are a number of things which are putting you and other users at risk. I’m going to explain what some of those risky behaviours are here. 

If it sounds too good to be true, it probably is…

1. Competitions where you simply have to “Like” and share a page to enter in order to win a free Maserati or holiday to Bora Bora, things like that. I talked about this in my previous article, but it’s worth reiterating. You have access to Facebook, Google etc for free, and the price you pay for that free access is that your data is shared with their partners. You then start to receive targeted advertising for products they know you’re likely to want. When you “like” one of these targeted adverts that decision also gets added to the data they hold on you, which gets sold on. Have you ever personally known anyone to win one of these contests? The advertisers are paying the likes of Facebook and Google because you clicked a link and what do you get? More and more adverts! 

If all you get is more adverts, that’s harmless though, isn’t it? I’m afraid not. Some unscrupulous businesses will use this as a means to target you with scams, with malware, with all sorts of things with the aim of ripping you off, infecting your machine or getting access to all your contacts. 

2. Images of starving or sick children and animals, asking you to type “amen” etc rather than scroll by. This is just another way of getting your details, for the same reasons as above. Click on enough of these and your chances of being sent some sort of scam mail asking you to donate money to help prevent starvation etc increase. 

This may sound cruel and heartless, but for the bad guys this is just a numbers game, it’s just business to them. They. Don’t. Care. The more people they can sign up, the more money they can make. Manipulation is the name of the game. 

3. Lists where you have to fill in details like have you ever been in a police car, had a tattoo, been whale watching etc. Part of the information you give up (and the fact you participated) feed into 1 above, with the attendant consequences. You’ve just given advertisers a good idea of the sort of things you like to do, or are prepared to participate in. They can work out what level of risk you’re prepared to take, what sort of person you are – and that means they can target your vulnerabilities and weaknesses and work out what you’re likely to fall for.

Some of these lists can be quite long and hidden within them are questions which you may have used for your security information with your bank or other online services. These include questions like what your first pet’s name was, what your first school was etc. These can then be used to try to steal your identity, get access to your accounts, open credit cards in your name and so on.

4. Offers of free software or add-ons to existing products, which I’ve seen more and more often on LinkedIn. Even seasoned security professionals are clicking to “like” the post, or reply with “yes”. This is no different from 1 above, and these people should know better. I often feel like chiming in to remind them of what they’re doing –  but my responses would also be captured and I’d be targeted in a different way! 

It’s worth pointing out here that 1-4 are sometimes known as “click baiting”, because it’s a bit like fishing. The bad guys put bait on their hook, cast it out into the water and see who or what bites. 

5.  Adverts for products you may be interested in may just be the advertisers confirming what they think they know about you. Or, it could be less subtle with the adverts taking you to fake sites in order to obtain your credit card details, or offering you goods which don’t appear or are substandard. The links you click on may contain malware, or may take you to a site which is infected. If you really want that product, go to a reputable web site that you know to be genuine and buy from there. 

6. Another favourite is when you get a friend request on the likes of Facebook or LinkedIn. What do you do to verify that the request is from who they say they are? What happens if you’re already friends with that person? Could their account have been cloned? Do you check by another route to see if the request is legitimate? Do you just accept the request because they’re connected to other people you know? This is all potentially dangerous and may leave you open to a variety of different attacks, from the click baiting sort of thing we’ve seen above, to social engineering and requests for money / other assistance. 

Hopefully this hasn’t all scared you, but has made you more aware of the risks of doing the things listed above. Think before you click on that link, or before “liking” that post. One of the things the bad guys do is try to elicit a reaction from you by preying on your emotional responses. So leave your computer, tablet or mobile device for a minute or two and give yourself a chance to think. Just remember the adage: “if it sounds too good to be true, it probably is”. 

To certify or not

I published this article on LinkedIn on May 3rd 2017. Here it is in its entirety for you.

The age old question of whether certification is important or not reared its head again recently. I was talking to two prospective clients, and they held opposing views.

One wanted their staff to be well trained, but didn’t want them to complete any certifications. They were concerned that once the member of staff was trained they’d look elsewhere for [and get] a better paid job.

The other wanted their staff to be well trained, and saw the certification process as a way of validating that the learning on the course had stuck. They thought they would be able to market themselves better with certified staff, and make more money that way.

I can see both sides of the argument, as I’m sure you can. Perhaps the main differentiator is that in the first case, they may not be able to charge their clients as much, and will therefore have lower income / profit margins, which would mean they couldn’t pay their staff as well. In the second case, their ability to charge higher rates could be reflected in higher income and therefore they may be able to meet the wage demands of their teams.

To be honest though, neither of these scenarios floats my boat. I’d much rather employ someone with appropriate experience than just take someone who has passed a course and may have a piece of paper telling you that.

Many years ago – you’ll realise how long ago shortly – I received a salutary lesson in this very topic. I had a member of staff come to me to say that they had done a lot of self study and had not only passed their Microsoft MCSE but their Novell CNE (I told you it was a long time ago). As a result, they wanted a massive pay rise – something like 35% as I recall. Naturally I said I would have to think about it and, if appropriate, ask approval from my manager.

Fast forward to the following week. I was disinclined to award the rise as I had concerns about the person’s ability, but had yet to tell them that. They came to me (because at the time I was still relatively hands on technically) and asked how to bind an IP address to a network card. (Again a sign of how long ago this was, TCP/IP was only just starting to appear on Windows-based networks.) Naturally, my first question was whether this had been covered in either the Microsoft or Novell courses – it was – and I then suggested that the staff member in question focus on getting experience before thinking about pushing for a pay rise.

I recently had cause to consider the benefits of certification for, shall we say, more senior people (myself included). Some clients seem to not worry too much about the letters after your name and prefer to see the experience you can bring to bear on their needs.

It is very helpful being able to speak from first hand knowledge about the process for obtaining various certificates and accreditation, but I find that I don’t get to talk to prospective clients because I’ve done a few exams. They are more interested in what experience I’ve had, where, and whether any of it has relevance to their requirements / situation.

My advice is therefore this: make sure you gain experience in several sectors including SME, government, public sector, etc, and make sure you know how to apply that experience in a range of scenarios. Being flexible and adaptable in your approach to client requirements is what you should be aiming for. Having some experience of the certification process and perhaps even a degree is helpful, but it’s not what is really needed by the clients out there.

Who should the CISO report to?

This article appeared on LinkedIn on 25th April 2017. Rather than publish a link to that post, I thought I’d repost the whole thing here.  

This question caused a lot of head scratching in the past, and it continues to be a very contentious issue. 

Historically, the Chief Information Security Officer (CISO) has typically reported to the CTO (Chief Technical Officer) or perhaps the CIO (Chief Information Officer) – if a company had either of those roles. The majority of companies viewed (and perhaps continue to view) Information Security as an IT or Technology issue, and those that are a bit more forward thinking ally Information Security to Information Management, hence these two traditional locations in the company hierarchy. 

The other most common reporting lines which I’ve witnessed are reporting in to the CFO (Chief Financial Officer), or reporting in to the CRO (Chief Risk Officer). There are good reasons for both of these – one holds the purse strings (and security always costs money) and the other is concerned with risk (and security is all about risk mitigation).

What should we be doing?

I think it is very much accepted these days that the CISO should be a full board member, and this has to be welcomed. To my mind, there should be a strong dotted line from the CTO, the CIO and the heads of HR and facilities in to the CISO. I know it’s a bit chicken and egg, particularly with the CIO role, but I think that all of these roles must be accountable to the CISO in terms of security. 

The CISO should not be telling any of the other roles how to do their jobs, but they should be defining the security requirements which fall within the remit of each of these roles. 

For example, the CISO shouldn’t be worried about whether Windows, MacOS or Linux is used as an Operating System, but they should be concerned with whether those machines are patched, have antivirus installed, are encrypted if necessary etc. They should let the CTO work out how to do all of that, on whatever OS is required, but the CTO must ensure that the CISO’s requirements for security are met. 

As another example, the CISO shouldn’t concern themselves with HR issues such as appraisals, pay etc., but they do have an interest in ensuring that new starters are appropriately vetted, that access rights are revoked on termination of employment etc. 

Please note that I’m not suggesting that HR, Facilities, IT etc. should report to the CISO: that just wouldn’t make sense. All I’m suggesting is that they have a level of accountability in to the CISO and that companies would do well to recognise that going forward. Who’s with me? 

You may also be interested in this article from Dark Reading, about why CISOs have a different view of the primary objectives of cyber security compared to some other board members.  

Cyber Essentials and ISO 27001 explained

At some point in your working life, you’ll probably come across these two terms, and you may want to know more about them. Look no further than this article on LinkedIn, where I’ve gone into a bit of detail about the two, what their similarities are, what the key differences are, and I’ve even given some advice on how to choose between them.