W is for …

Whaling

When people launching spear phishing attacks against senior members of staff, this is known as whaling (because they’re after the big fish). That’s the only real difference in the terms, though the types of attack may differ slightly.

Whales are more likely to be the target for mandate fraud, where an email purporting to be from eg the Chief Executive of an organisation goes to the Finance Director, or Finance team, asking them to make an urgent payment to a particular bank account.

White Hat

Ethical hackers, ie those who carry out lawful penetration tests with written permission from a client, are often called white hats. This is because they’re the good guys: hackers who attack without permission are black hats. The name comes from 50s and 60s films set in the Wild West, where the colour of the cowboy’s hat told you whether they were good or bad.

WiFi

Wireless connections to computers often use WiFi (rather than Bluetooth). Good practice dictates that the WiFi connections should be encrypted, using WPA2 encryption. WEP and WPA are both weak encryption prpotocols and should not be used.

Worm

A worm is a form of malware which replicates iteself in order to infect the computer it is on and any others it can find.

P is for …

Password

There has been much written about passwords, but for this entry I thought it worth defining what a password actually is. It’s a code, phrase or sequence of letters and numbers which is used to validate that you are who you say you are. It’s often used in conjunction with a username or when you login to a device or system.

You’re advised to keep your password secret, known only to you, because this helps with non-repudiation.

Patching

Pretty much all software has vulnerabilities in it. The more complex the software, the more likely it is to have vulnerabilities. Patches are pieces of code written by software developers to fix those vulnerabilities once the manufacturers become aware of them.

Patching is the process of applying these bespoke pieces of code. Typically patches are given a severity based on the risk the vulnerability contains. Urgent patches should be applied as soon as possible, whereas low risk patches don’t need to be applied so quickly.

When applying patches in a work environment, it is advisable to test the patch on several machines first, before applying it to every device, just in case there are any issues or conflicts which the patch causes with existing software.

Payload

Viruses often contain malware, some of which contains special code to try to compromise a device. This is typically called a payload. Different viruses carry different payloads, and some carry multiple different payloads.

An analogy which might explain this is where you have bomber aircraft, the bombs they carry are referred to as the payload.

Penetration test

A common way of testing web sites and web applications is to run a penetration test. This is where ethical hackers i.e. people with prior permission from an organisation, run tests to see if they can find vulnerabilities, and find out what would happen if those vulnerabilities are exploited.

Typically, the testers will provide a report documenting their findings, and the organisation being tested will then fix any issues found by the testers.

This should be run on a regular basis, because new vulnerabilities, including zero day threats, are constantly being discovered.

There are also physical penetration tests, where people are hired to try to access a business. This is called a red team test.

Phishing

Phishing is a form of attack where the bad guys send email to a list of email addresses (which they’ve often bought on the dark web). The email typically either has an infected attachment or a link to an infected website, or it contains a message asking you to help someone release money from their bank account or some equally ridiculous plea for help.

These messages are indiscriminate and are not targeted at specific individuals. Those which are specifically targeted are known as spear phishing or whaling.

Principle of Least Privilege

A key feature of cyber security is making sure that users only have access to the programs or data they need access to for their job. This is known as the principle of least privilege.

For example, there’s generally no reason why someone working in the accounts department needs access to personnel records, or someone working in HR probably doesn’t need access to files for a specific project. Access would normally be restricted to help protect data.

G is for…

GDPR

The General Data Protection Regulation (GDPR) is an EU regulation which sets out the minimum requirements for Data Protection in the EU. It is a bit more stringent than the Data Protection Act, which is the current legislation in the UK. The UK has been heavily involved in its development, and it will come into force on 28th May 2018.

As an EU Regulation it immediately becomes law in every member country the day it comes out, and every member state will have to comply from that date.

For further advice and guidance, go to the ICO website and check out these 12 Steps to GDPR which you should be following right now.

Governance

It’s all well and good having lots of security controls in place, lots of shiny hardware and the latest software, but how do you know that what you have is effective and is being used by everyone?

That’s what Governance is for. It’s about the oversight of all security related activities to make sure that they are fit for purpose and delivering benefit. It’s normally done through regular reporting, reviews of metrics (ie data which demonstrates how effective controls are) and key performance indicators.

What does this mean in practice? Let me give you an example. Let’s assume that an organisation is security policy states that all relevant critical patches from software vendors must be applied within 1 month of their release. A metric that might be used is to identify the number of machines which don’t have critical patches applied within 2 months, and for those machines to be inspected to find out why.

Grey Hat hacker

In an earlier post we talked about Black Hat hackers, who are effectively the bad guys, and we’ll talk about White Hats later this year (you’ve guessed it, they’re the good guys). Grey Hats fall somewhere in between. They see themselves as doing good, trying to help organisations, but technically they’re breaking the law.

It works something like this. A white hacker has written permission in advance before trying to test a system for vulnerabilities. A grey hat doesn’t have that permission, but tests systems for them anyway. When they find a vulnerability, they either notify the organisation or the company that makes the software they’ve found the vulnerability in, often in the hope they’ll get some kind of reward. It has been known for them to be arrested because they’ve not had that ore-authorisation to carry out their tests.

B is for…

Backup

I’ve talked about these in a previous post, but essentially backups are copies of your data or computer which you can use to replace files which are inadvertently deleted, or as an alternative to paying the ransom in a ransomware attack.

You should make backups on a regular basis, whether by simply copying your important files to another hard drive or perhaps a USB stick, or using specific software for backups. The really important bit is this though: once your backup is complete, disconnect the backup media from your computer. If your computer is encrypted in a ransomware attack and your backup media is still attached, your backup likely to be encrypted too.

When trying to decide what to backup, think about what files at most important to you, about those which you really can’t do without. That’ll probably be financial information, including mortgage and insurance, but think about your photos and videos too. Put another way, if your house was on fire what would you save first, once family and pets were safe?

Biometrics

Biometrics are used as a form of authentication. They sound really technical, but all they really mean is a physical part of your body which is unique to you. That means fingerprints, palm prints, scans of your retinas and other unique factors which you’ve probably seen in spy movies etc, like ear prints. Some mobile devices eg the latest iPhones already use fingerprint recognition, so it’s not entirely all Hollywood make believe!

Bitcoin

Probably the best known cryptocurrency, the value of Bitcoin soared towards the end of 2017, but many financial experts believe that this is a bubble which will burst soon. Created by someone called Satoshi Nakamoto – no-one knows who that really is – there can only ever be 21 million Bitcoins. Each Bitcoin can be split into 100 million units, known as a satoshi. The process of creating bitcoins is based on cryptography and maths, and is called mining.

Black Hat hacker

Taken from the old western movies, a black hat hacker is one of the bad guys. They’re the ones trying to break into systems without permission, probably either to steal data or to cause damage to the organisation. They’re the ones you are most likely to hear about in the news, often with a White Hat hacker talking about what they’ve done. (White Hats are the good guys, and there are also Grey Hats which we’ll cover later in the year.)

Block chain

Blockchain is the technology used to create cryptocurrency, but in future it will be used for much more. If you think of blockchain as a sort of bank account where every transaction is visible to everyone in the world, where it is possible to track the origin and path of every piece of currency since the currency began, but without knowing who owns each account, that’s pretty much the principle behind it.

The first ever transaction contained details of how much was spent and what account number (technically, which wallet) it went to, as well as the date and time, along with some other information. All the details were encrypted into one block.

The second transaction did much the same, but also which wallet the transaction originated in and where it ended up. When encrypted it also included the details from the first block.

The third transaction was the same, but on encryption it included the first and second block.

And so on – that’s how the blockchain was born.

One of the benefits of blockchain is that each transaction is validated by all other participants, so it is pretty much impossible to falsify a record: fraud is therefore unlikely, and provenance has an unbroken chain.

This is useful in cryptocurrency, but has many other uses too. For example:

  • When buying a house, wouldn’t it be great to have a complete list of every transaction ever carried out from land purchase to addition of a conservatory or work to fix a problem with rot, which could not be falsified.
  • When new drugs are created to treat specific illnesses and diseases, think about how beneficial it would be to hold details of all tests and their results as part of the proof that they work, and which cannot be tampered with.

Botnet

When a device has been compromised, it may be used to attack other computers over the Internet. When this is the case, it is said to be running as a bot (like a robot). When multiple bots are used to carry out a simultaneous attack, or to run in a similar way, this is called a botnet ie a network of robots.

Business Continuity

Often used almost synonymously with Disaster Recovery (DR), Business Continuity is all about making sure that your business can carry on working in the event of an issue eg power cut, loss of data, flooding. It’s not all about cyber, though cyber is a constituent part.

Most commonly people talk about Business Continuity Planning (BCP) which is all about determining, documenting and testing how you will react to something that affects your business. For example, you may have an alternate site for people to work from, or they may be able to work from home, but how do you tell people that’s what they need to do? How do you know that they will be able to access systems from the alternate location? How do you know they will have access to all the software and data they need from that alternate location?

A key part of BCP is understanding who your key assets are, and what they need to do their job. You also need to understand the impact to your business if various components are unavailable, and how long you can afford to not be working. For example, if your business only provides services through the internet, having no internet access for several days could kill your business: your BCP will set out what you will do to get back online quickly.

It’s not uncommon for businesses to run tabletop exercises to work out who would do what in the event of a problem, but it’s also a good idea to actually test that the plan works. For example, if your BC plan is to have 20 people up and running within 4 hours at the alternate site, but it takes more than 4 hours to travel to the site, then your plan will fail.

It’s important to note that when testing your plan, things not working are good things to find. It’s better to find that out during a test than when you actually need it.