W is for …

Whaling

When people launch spear phishing attacks against senior members of staff, this is known as whaling (because they’re after the big fish). That’s the only real difference in the terms, though the types of attack may differ slightly.

Whales are more likely to be the target for mandate fraud, where an email purporting to be from eg the Chief Executive of an organisation goes to the Finance Director, or Finance team, asking them to make an urgent payment to a particular bank account.

White Hat

Ethical hackers, ie those who carry out lawful penetration tests with written permission from a client, are often called white hats. This is because they’re the good guys: hackers who attack without permission are black hats. The name comes from 50s and 60s films set in the Wild West, where the colour of the cowboy’s hat told you whether they were good or bad.

WiFi

Wireless connections to computers often use WiFi (rather than Bluetooth). Good practice dictates that WiFi connections should be encrypted, using WPA2 encryption. WEP and WPA are both weak encryption protocols and should not be used.

Worm

A worm is a form of malware which replicates itself in order to infect the computer it is on and any others it can find.

T is for …

Tailgating

Tailgating is very easy to spot. It’s when you follow someone through a barrier without swiping your entry card, adding your pin number etc. You might have seen someone do this in a car park or elsewhere, following another vehicle in without paying: it’s the same principle.

Trojan

Taking its name from the Trojan Horse of ancient Greek tales, a Trojan is a form of malware in which the malicious code is hidden inside what looks like an innocuous application or other piece of code.

Two Factor Authentication / 2FA

2FA is becoming increasingly common, and is a really good idea for any accounts you may have where you have to enter bank or credit card details. Single (one) factor authentication is usually just your username and password.

With two factor, you’re normally asked either for your fingerprint (on iPhones for example), or you may be sent a code to your registered phone, which you need to enter after your password (PayPal operates like this). It’s really just an extra layer of security, based on something you know (eg your password) and something you have (a fingerprint or a code from a mobile device).

R is for …

Red Team

Just as penetration testers try to get access to an organisation electronically, red teams try to get physical access to the organisation. They use a combination of Open Source Intelligence gathering and social engineering to get access.

These teams are typically engaged by senior management to test processes such as visitor registration, tailgating, signing in, staff challenging non-wearers of passes etc.

Remote access

As the name suggests, this is the process of providing access to systems from a remote location. For example, many people are given access to their work systems when not in the office. This uses remote access tools including VPNs and Two Factor Authentication, or a combination of multiple tools. It means you don’t physically have to be in the office to access your work systems.

RAT

A Remote Access Trojan (RAT) is a piece of malware which enables attackers to gain control of a target machine from a remote location. When attackers use phishing techniques, the first step after the link is clicked is often to install a RAT. This enables an attacker to get access to the device and carry on their attack using other tools.

Router

A router is a network device which examines network traffic and forwards it to the most appropriate part of the network.


Town dusts off typewriters after cyber-attack

This story appeared on the BBC website the other day. Basically the town’s borough council was hit with ransomware and their systems were brought to their knees.

It’s not unusual for one or two devices in an organisation to be infected with Ransomware. Typically those devices are isolated from the network and all other machines checked to ensure that patching and antivirus signatures are up to date. In this case, it would appear that the entire network, including servers, has been infected and devices are having to be built from scratch, with alternative technology (typewriters – some younger readers may need to look these up) being used in the meantime.

This incident immediately raises a number of questions:

  • How did the organisation allow all machines to get infected?
  • Did they have an incident response plan and did it include this scenario?
  • Were their patching and antivirus regimes appropriate, and was there any kind of reporting in place to identify gaps?
  • Does the organisation have a standard build, and were the build states of all 500 devices known?
  • If the ransomware has been dormant since May, does that mean that backups are also infected? How does the organisation know that restoring from backup won’t reinfect their network?
  • What scanning of incoming attachments was carried out?
  • What training have staff had in respect of phishing emails and incident response procedures?

From those questions, it is relatively easy to identify what good practice would be e.g. document and test your incident response plans, make sure patching is kept up to date, and train your staff.

M is for …

MacOS

This is the Operating System used by Apple Macintosh desktop computers, not to be confused with that used by their smartphone and tablet devices which is iOS.

Man in the middle (MITM)

As the name suggests, this is a form of hacking where network traffic or messages are intercepted by someone sitting between the sender and intended recipient.

Typically, the attacker will either take a copy of the traffic so they can see what was being sent, or they will actually change the content of the traffic.

For example, they may change an email which says “I do not want to buy this product” to “I want to buy this product”. It’s therefore quite a dangerous means of attack, particularly as the recipient may not know the messages have been intercepted.

Malware

This is the catch-all term for all types of software which is “bad”, including viruses, worms, trojans and ransomware. Antivirus software is now often labelled Antimalware because it does much more than simply protect against viruses.

H is for…

Hacking

I’m pretty sure that you’ve all heard the term “hacking”, and you probably know that it has negative connotations. But what exactly is it?

Put simply, it’s trying to get access to a computer or network using vulnerabilities in the security of the target. Note that I don’t necessarily say software: people can be hacked too, which is effectively what social engineering is. I won’t go into social engineering here as it’ll be covered under “S is for…” later this year, so for the moment I’ll concentrate on hacking software.

Almost all software has errors in it which can be used to make the software do things the manufacturer didn’t intend. The bad guys know this, and spend a lot of time looking for those errors, then writing their own software to make use of these vulnerabilities (weaknesses): this process is called writing exploits.

The bad guys have a number of ways of getting their exploits to run on your systems: phishing emails are perhaps the most common and well known method, as are infected websites which download and install software in the background.

The best ways to protect your systems from hackers are:

  • Change your passwords regularly and enforce long, complex passwords for administrator level accounts
  • Keep patching and antivirus updated
  • Ensure your systems are vulnerability scanned, preferably penetration tested, on a regular basis
  • Ensure you / staff are trained to spot phishing emails

Hacktivism

Hackers who attack systems in support of a specific cause are engaging in hacktivism. Organisations like Anonymous rose to attention because they attracted hacktivists supporting different causes to attack companies which were involved in those causes.

Hybrid cloud model

As the name suggests, this kind of model is a mix of cloud and on-premise service provision. Some of the data / servers being used are in data centres run by your organisation, and some are in the cloud.

10 Steps to Cyber Security – Part 1 of 2

Through discussions with various clients and prospective clients, at conferences, events and forums, it is very apparent that a lot of companies know that they need to do “something about cyber” but many, particularly in the Small and Medium Enterprise (SME) arena, are unsure of what that something should be.

My response to them is generally along the same lines, and I thought I’d share it with you now. My apologies for those of you who are seasoned cyber professionals, as you will no doubt know this subject inside out, but for those of you who are wondering just how to get started and are looking for a jargon free, pragmatic explanation, read on…

As far back as 2012 the UK government produced the 10 Steps to Cyber Security which companies should follow to help make them more secure, as part of the drive to make the UK a safe place to do business. Those were followed in 2014 by the Cyber Essentials scheme. Both the 10 Steps and Cyber Essentials have had updates over the years, but those updates relate more to guidance and clarification rather than changes to content.

This article sets out the first 5 requirements of the 10 Steps to Cyber Security: I’ll provide the remaining 5 in my next post which will be in a week or so. You will see that a number of these topics overlap, and that’s absolutely fine. There are some very blurred lines, but so long as the topics are covered then that has to be a good thing, right?

1. The first step is to set up a Risk Management regime. This sounds scary, but could be as simple as having an Excel spreadsheet or a Word document where you list all the risks to your business, determine how severe those risks are, and document how you will mitigate those risks. It doesn’t have to be onerous – it could just be your top 5 or 10 risks to start with.

  • For example, if your business relies exclusively on internet orders eg as a retail outlet, then lack of access to the internet would be a serious risk. Mitigation measures could involve something like hosting your website with a specialist hosting provider which can provide protection against physical issues like flooding or power cuts, and against technical issues such as denial of service attacks.
  • You should bear in mind that this is a regular, repeated process, where you review your risk register regularly and agree with the board appropriate measures based on a cost benefit analysis and your company’s risk tolerance.

2. The second step is to look at Secure Configuration of your systems. All this really means is that you need to make sure that your systems are patched appropriately, that anti-virus / anti-malware software is installed, updated and running, that you have an inventory of the equipment you have and what software is installed on it, and that where possible you’ve documented a standard build for all your devices. Let’s look at those in turn, as it all sounds very complicated:

  • Patches are software updates provided by vendors to address vulnerabilities which are found in all software. These are typically graded in terms of severity from low to critical, the idea being that you apply all critical patches as fast as possible, while low severity are less important. One of the reasons the Wannacry ransomware outbreak hit people so hard in May was because a Critical patch released by Microsoft in March hadn’t been applied to the systems affected: that’s a good example of what can go wrong if you don’t keep patches up to date. Many systems allow patches to be downloaded and installed automatically and, if you don’t have an IT department, it’s a good idea to use that option.
  • Antivirus software is similar to patches, in that vendors release regular updates to tackle new viruses. With the volume of viruses increasing massively on a daily basis, it’s a good idea to install these updates as they come out – at least daily. Many of the larger virus companies such as McAfee and Symantec have products which update automatically, and are well worth considering.
  • As an aside, there are rumours that Mac devices aren’t susceptible to or targeted by viruses: this is not the case anymore so make sure those devices are protected too.
  • Keeping an inventory is sensible: if you don’t know what you’ve got, how can you protect it? And if you don’t know what software is running, how do you know you have all the licenses you need, and how do you know how to rebuild the machine if it is damaged or unavailable for some reason? It just stops you starting from the very beginning, and allows you to be more proactive. Knowing what should be on each machine also helps you to develop a strategy for removing or disabling unnecessary functionality on it. Again, going back to Wannacry in May, one of the methods used by the ransomware from machine to machine was through a network protocol which wasn’t really necessary on most machines. Maintaining an up-to-date inventory could help you identify vulnerabilities like that and close them down quickly.
  • The benefits of having a documented standard build have pretty much been covered above. It also means that when a new machine is bought, your IT team / support company knows exactly what to install and how to configure it to meet your business needs. This saves time and effort.

3. The third step concerns Network Security. Again there are some jargon words around what this means and what has to be done, but I’ve broken it down as follows:

  • One of the reasons for network security is to protect your networks from attack. A simple way of checking to see how well the network is protected is by engaging a company such as the one I work for to run a penetration test against all your public facing connections. All that this means is that a trusted person, with your permission, tries to see how far they can get into your network: they then report back to you with details of the vulnerabilities they found and how these can be fixed / remediated. They are actually using the same tools and techniques as hackers, but because they have your permission this is known as ethical hacking.
  • Another area to look at in network security is defending your network perimeter. This means that you should have firewalls installed and configured correctly: the penetration test mentioned just now is one way of ensuring that they are. Firewalls are typically installed at the place where your internal network meets the internet, often in a specially segregated area called a DMZ or “De-militarised zone”. It’s a way of stopping traffic from the internet getting directly on to your network.
  • As part of firewall configuration, you should ensure that unauthorised access and malicious content is filtered out. There are a range of companies which provide solutions for this sort of thing, but in simple terms your penetration test will help identify the biggest areas of concern. Network protocols are the ways in which computers talk to each other, and run across a range of different ports. You can think of the firewall as a giant colander, where you block up most of the holes (ports) other than those which are needed for passing a specific strand of spaghetti through a specific hole (port).
  • Last and not least in this section is the requirement to monitor and test security controls. We’ve already talked about testing – penetration testing – and monitoring is a way of measuring the effectiveness of your controls. There are a lot of monitoring toolsets available, ranging from reasonably cheap to quite expensive. It’s worth working out what you want to monitor / measure before starting to look for tools to help. This is one area where engaging a consultant may be beneficial.

4. We’ve already talked a little about Malware Prevention, the fourth step, when we talked about Secure Configuration above. What we didn’t mention is that it’s important to develop a policy around how you will use anti-malware software. For example, what happens when a virus is detected? Should it be deleted automatically or perhaps quarantined for analysis? Is there a process for testing removable media such as USB sticks for malware before connecting them to corporate systems (this is often called a sheepdip process)? It’s also important that anti-malware software is running on all devices connected to your business environment: monitoring and measurement will help confirm this.

5. Overlapping malware prevention is the fifth step, Removable Media Control. This again requires specific policy statements about the use of removable media: do you allow it or not, are only specific users in specific roles allowed to use it etc. It also sets out the requirements for scanning media for malware, perhaps using the sheepdip process outlined in step 4 above.

Hopefully this all makes sense. Please look out for the next installment when I’ll cover the remaining 5 steps, which are:

6. User education and awareness

7. Managing User Privileges

8. Incident Management

9. Monitoring

10. Home and Mobile Working

How does your security measure up?

I published this article on LinkedIn on Monday 3rd July 2017, and I’ve copied it here for you.

If you don’t know what you have, how can you measure it?

We read a lot these days about equipment and training to help combat cyber attacks and reduce risks, but I don’t see much about today’s topic. It’s really good that you have controls in place, with defence in depth etc, but how do you know they’re working?

It seems to me that we often forget to take into account the requirement to measure key components on our systems, so that we know when things are working well and when they’re not. This isn’t about audit, which gives you a snapshot, a point in time view. This is about consistent, regular (possibly even real-time) monitoring and reporting on systems.
The first step in this process is to identify what matters to you most – in many, if not all, cases this will be the data your systems hold. 
Then, look at the controls you have in place, and think about what information would give you assurance that your controls are effective. 
For example, if you have highly sensitive data on all your laptops, knowing which devices are not encrypted might be a really key measurement for you. In this instance, you may decide it is unacceptable for any laptops to be unencrypted, or you may decide you’re happy with a tolerance of 5% or 10%.
One of the fundamental features of reporting is knowing what you have, where it is, and what software is loaded on it. If we look at the recent ransomware outbreaks of Wannacry and Petya, we know that these malware packages make use of specific vulnerabilities which were addressed by specific patches. If your inventory is up to date, you can check for the devices missing those specific patches, and target them immediately, rather than checking every single machine. The same held true with Heartbleed and other outbreaks of a similar nature. 
Some would say that regular reporting on critical patches which have not been installed is a waste of time: personally, I think it’s a good metric and invaluable in deploying resources effectively. You should already have a patch schedule, but does it take into account Critical patches? If not, time to start thinking about being proactive with them and pushing them out outside the patch schedule.  
Similarly, you will probably want to know what devices have aged (out of date) antivirus signatures: if they’re not within a couple of days of release then in this day and age you’re running a risk. Report / alert on devices where this is the case, or where AV isn’t running at all. (While you’re at it, you might want to investigate ways of determining whether AV is running but not scanning anything – I have seen this on several occasions.)
You will also probably want to baseline the traffic profile coming into and out of your network so that you know what looks normal, making it easier to spot unusual activity. Pay attention to the days and times that traffic is present: if you get a lot of traffic at 3 in the morning, why is that? 
Finally, when presenting this information to your senior management, don’t leave it as raw figures. Present it in terms of risk and impact, from a financial and reputational viewpoint. That makes it easier to understand why something needs to be done and should help with getting additional resources to address those risks. 
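To make the reporting described above (and the patching, antivirus and inventory points under Secure Configuration in the 10 Steps post) concrete, here is an added example script; it is not code from the original articles. It runs the suggested metrics over a small, entirely constructed inventory: devices missing required critical patches, devices with aged or missing AV signatures, devices where AV is running but has not scanned recently, the proportion of unencrypted laptops against a tolerance, and hours where traffic exceeds a baseline profile. Host names, patch identifiers, dates, thresholds and traffic figures are all made up for the example.

```python
from datetime import date

# Placeholder identifiers for the critical patches every device must have
# (constructed for this example, not real vendor patch numbers).
REQUIRED_CRITICAL_PATCHES = {"CRIT-PATCH-A", "CRIT-PATCH-B"}

# Constructed inventory: one record per device, as an asset register might export it.
INVENTORY = [
    {"host": "LAPTOP-01", "patches": {"CRIT-PATCH-A", "CRIT-PATCH-B"},
     "av_running": True, "av_signature_date": date(2017, 7, 2),
     "av_last_scan": date(2017, 7, 2), "disk_encrypted": True},
    {"host": "LAPTOP-02", "patches": {"CRIT-PATCH-A"},
     "av_running": True, "av_signature_date": date(2017, 6, 20),
     "av_last_scan": date(2017, 7, 2), "disk_encrypted": False},
    {"host": "DESKTOP-03", "patches": set(),
     "av_running": False, "av_signature_date": None,
     "av_last_scan": None, "disk_encrypted": True},
    {"host": "LAPTOP-04", "patches": {"CRIT-PATCH-A", "CRIT-PATCH-B"},
     "av_running": True, "av_signature_date": date(2017, 7, 3),
     "av_last_scan": date(2017, 5, 1), "disk_encrypted": True},
]

REPORT_DATE = date(2017, 7, 3)  # the "today" the report is produced for


def devices_missing_patches(inventory, required):
    """Hosts lacking at least one required critical patch, with what is missing."""
    return {d["host"]: sorted(required - d["patches"])
            for d in inventory if required - d["patches"]}


def devices_with_stale_av(inventory, today, max_age_days=2):
    """Hosts where AV is not running, or whose signatures are older than max_age_days."""
    stale = {}
    for d in inventory:
        if not d["av_running"] or d["av_signature_date"] is None:
            stale[d["host"]] = "AV not running"
        else:
            age = (today - d["av_signature_date"]).days
            if age > max_age_days:
                stale[d["host"]] = f"signatures {age} days old"
    return stale


def devices_not_scanning(inventory, today, max_scan_age_days=7):
    """Hosts where AV is running but has not completed a scan within max_scan_age_days."""
    return [d["host"] for d in inventory
            if d["av_running"] and d["av_last_scan"] is not None
            and (today - d["av_last_scan"]).days > max_scan_age_days]


def unencrypted_laptop_rate(inventory):
    """Fraction of laptops (hosts named LAPTOP-*) without disk encryption."""
    laptops = [d for d in inventory if d["host"].startswith("LAPTOP-")]
    if not laptops:
        return 0.0
    return sum(1 for d in laptops if not d["disk_encrypted"]) / len(laptops)


def within_tolerance(rate, tolerance):
    """True if the measured rate is at or below the agreed tolerance (e.g. 0.05 for 5%)."""
    return rate <= tolerance


# Constructed hourly inbound request counts: a typical weekday baseline and one observed day.
BASELINE_PER_HOUR = [50, 40, 30, 30, 30, 40, 80, 200, 500, 600, 600, 550,
                     500, 550, 600, 600, 500, 300, 150, 100, 80, 70, 60, 50]
OBSERVED_PER_HOUR = [55, 38, 32, 900, 35, 42, 85, 210, 480, 590, 610, 560,
                     510, 540, 590, 610, 490, 310, 140, 105, 82, 68, 58, 52]


def unusual_hours(baseline, observed, factor=3.0):
    """Hours (0-23) where observed traffic is more than `factor` times the baseline."""
    return [h for h, (b, o) in enumerate(zip(baseline, observed)) if o > b * factor]


def build_report(inventory=INVENTORY, today=REPORT_DATE):
    """Collect the individual metrics into one structure for management reporting."""
    rate = unencrypted_laptop_rate(inventory)
    return {
        "missing_critical_patches": devices_missing_patches(inventory, REQUIRED_CRITICAL_PATCHES),
        "stale_or_missing_av": devices_with_stale_av(inventory, today),
        "av_running_not_scanning": devices_not_scanning(inventory, today),
        "unencrypted_laptop_rate": rate,
        "unencrypted_within_5pct_tolerance": within_tolerance(rate, 0.05),
        "unusual_traffic_hours": unusual_hours(BASELINE_PER_HOUR, OBSERVED_PER_HOUR),
    }


if __name__ == "__main__":
    for key, value in build_report().items():
        print(f"{key}: {value}")
```

On this constructed data the report singles out LAPTOP-02 (missing a critical patch, signatures 13 days old, unencrypted), DESKTOP-03 (no AV running, no patches) and LAPTOP-04 (AV running but its last scan is months old), and flags the 03:00 traffic spike against the baseline. Replacing the inline lists with an export from a real inventory tool is the only change needed to run it over actual data; the thresholds are the policy decisions the post describes.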

If you don’t measure what you have, how can you improve it?

I told you so…

Just thought I’d share this piece from the Hoax-Slayer website (great site to visit often, in my opinion) which basically confirms everything I said in my previous article on here. It’s good to know I wasn’t giving you false information! 

Other things to look out for, which I hadn’t mentioned previously are:

  • the sensationalist videos, like one purportedly showing a snake which has eaten a man
  • the enticing videos, like those purportedly showing celebrities flashing parts of their body
  • the desperate videos, where people are going to be in distress and need your help

All of these are deliberately crafted to get you to click on the initial link. From there, who can tell what you’ll be persuaded to do…

DDoS – what’s that?

I’m sure that if you’ve been watching the news recently, you’ll have heard the phrase DDoS, which stands for Distributed Denial of Service. It sounds fancy and complicated, but it’s actually pretty straightforward.

Let’s start at the beginning. A website is typically nothing more than one (or several, perhaps up into hundreds for some big companies) servers which all publish specific web pages. These may link back into the company that runs them, but that’s not important for our purposes. These servers are, unsurprisingly, called webservers, and again for simplicity we’ll just assume that a website only has one webserver.

If you had one computer that was constantly sending lots and lots of messages to the webserver, for example trying constantly to open multiple pages at a rate of hundreds or even thousands of requests per second, until it couldn’t cope with all that web traffic and stopped working, that would be called a Denial of Service attack, or DoS.

You can imagine that this would be straightforward to do as you would only need access to one machine, an internet connection and the relevant software.

A DDoS attack is very similar, except instead of using one machine to attack the server, multiple machines are used to attack it.

These can be anywhere in the world, and are typically recruited by the bad guys to perform the attack as part of what is called a botnet. This is just a term for a collection of machines which are connected to the internet and which are being controlled from a single source. The way they are recruited is typically through the use of viruses and other malware (“bad” software), which then listen out for messages from their controller machine. This is called a Command and Control structure, and there may be a hierarchy to the structure, a bit like you find tiers of management in large companies. The owners of those machines typically have no idea that this is happening, and the problem is now exacerbated by the involvement of machines other than laptop and desktop computers. These are other devices connected to the internet which may include fridges, cookers, kettles etc – this is the Internet of Things. I’ll write a separate post about IoT in the future, but for now it’s enough to know that these devices can be added to a botnet relatively easily.

In a DDoS attack then, the constituent machines in the botnet are ordered to attack a specific website or webserver on a specific date and time, by trying to access one or more pages at the same time as all the rest. When they all do that, the website may not be able to handle so many requests, and stops working.

Scary stuff, huh? Try not to worry too much about it though, because there are ways to reduce the risk of this happening, from hardware and software which recognises the attack to hosting the website in different locations, to buying services from companies which specialise in preventing such attacks.

You can also play your part in reducing the scale of botnets by practising good cyber hygiene: make sure you use a reputable antivirus product and ensure it is updated regularly; apply patches frequently; change your passwords regularly; and don’t click on email attachments or links which you weren’t expecting or which come from sources you don’t know.