Cyber Security Roundup for October 2016

Cyber security experts have long predicted that thousands of vulnerable Internet of Things (IoT) devices, such as internet-connected CCTV systems, would be hacked en masse and directed to perform huge DDoS attacks. That’s exactly what happened on 21st October, when 152,000 IoT devices infected with malware were remotely controlled by hackers and used to orchestrate a 1Tb DDoS attack, the largest in history. A tsunami of network traffic was directed at a company called Dyn, a major domain name registrar, and it impacted their clients’ web services, including Twitter, Yammer, PayPal, Starbucks, The Guardian, PlayStation, Wix, CNN, Spotify, Github, Weebly and Reddit.


Those IoT developers may want to read up on my IoT guidance on the IBM developerWorks website: “Combating IoT cyber threats: Top security best practices for IoT applications”.

The UK National Cyber Security Centre HQ went operational; it is part of the UK government’s 5-year £1.9 billion cyber defence strategy, a much-needed investment to help safeguard the UK’s digital economy from cyber attacks during these uncertain economic times for the country.

Ransomware continues to cause problems, especially within the NHS, but on the flip side the https://www.nomoreransom.org/ website continues to be supported, with the site providing excellent advice to both home users and businesses. I have even added a separate Ransomware Help section on my own website – https://itsecurityexpert.co.uk/en/securityhelp/ransomware-help

A couple of surveys show UK businesses are still struggling to understand what they need to do in order to comply with the new, strict General Data Protection Regulation (GDPR), which comes into force in May 2018 despite Brexit. I plan to do a blog post providing businesses with help on the GDPR in the coming weeks.

News
Awareness, Education and Intelligence
Reports


How to Protect Against Mobile Malware

IBM Security recently released a white paper on the mobile malware threat, which included general guidance on managing the mobile threat and an overview of IBM’s MaaS360 Mobile Threat Management tool. I thought it was good advice and well worth sharing.


According to Arxan Technologies, 97% and 87% of the top paid Android and iOS apps, respectively, have been hacked and posted to third-party app stores.
Mobile Security Guidance (by IBM Security)
  • Educate Employees about Application Security: Educate employees about the dangers of downloading third-party applications and the potential dangers that can result from weak device permissioning.
  • Protect BYOD devices: Apply enterprise mobility management capabilities to enable employees to use their own devices while maintaining organisational security.
  • Permit Employees to download from Authorised App Stores Only: Allow employees to download applications solely from authorised application stores, such as Google Play, the Apple App Store and your organisation’s app store, if applicable.
  • Act Quickly when a Device is Compromised: Set automated policies on smartphones and tablets that take automatic action if a device is found to be compromised or malicious apps are discovered. This approach protects your organisation’s data while the issue is remediated.


Cyber Security Incident Management, Response and Recovery Guidance

Yesterday I spoke at the R3 Summit (Resilience, Response and Recovery) in London, on the topic of Cyber Security Incident Management and response. Given the Q & A and the ensuing discussion after my talk, the attendees were particularly interested in my views on incident containment ahead of recovery. Below is a summary of what I said.


Step 1: Incident Management Planning and Preparation
The most crucial part of incident management is the preparation; it is important to always consider cyber security incidents as a ‘When’ not an ‘If’ as you plan ahead. So here’s my ‘brain dump’ of an incident management planning strategy:

  • A company Cyber Security Incident Management Policy
    • It must define what the company (aka the board) consider as a cyber security incident
  • Cyber Security Incident notification communications channel or even better a reporting application/system
    • Upon identifying an incident who do staff notify (the incident management team)
    • Staff awareness of how to detect and report incidents is a key element.
  • Verify the ability to detect incidents, not just IT system alerts, but human side (staff)
  • Document the Incident Management Team and Response Plan
  • Incident Management Team
    • A pool of contacts with responsibility or expertise covering every possible type and aspect of a cyber security incident
    • An Incident Management Team will be assembled based on what’s required for specific cyber security incident types
      • Note. Every team member must play an active part or not be in the team
    • Communication plan, i.e. document team member phone numbers and have a dedicated incident management telephone conference call line
      • Do not rely on computer IT systems like email (what if they are taken down)
    • Tools (forensics) and the ability to access IT systems and logs (to investigate and obtain incident facts)
  • Business Risk Assessment
    • The business critical services must be risk assessed, so the business impact of any incident can be known and understood by the incident management team
  • Cyber Threat Assessment
    • Performing a cyber threat assessment against critical business services, aside from possible risk mitigation, enables various cyber attack scenarios to be documented and incident response to be planned for and tested. Threat assessments can play a key role in helping cyber security incident management teams prepare for incidents.
  • Test the Cyber Security Incident Management Plan regularly (at the very least annually)
    • Use different attack / breach scenarios
  • Always keep Incident Management Team documentation up to date (at least a quarterly review of documentation)

Step 2: Incident Identification
Upon initially identifying a cyber security incident, the very first question to answer is: what is the actual or potential business impact of the incident? On the face of it this can be a difficult question to answer, as the facts tend to be rather scant at initial incident identification. However, the worst-case scenario, the potential business impact, must be regarded as the actual business impact until facts are presented, through incident investigation, to prove otherwise. For example, take an online database holding 10,000 user accounts; in the space of a few hours, 20 users report via the company helpdesk that their accounts have been hacked into. Without further facts it should be assumed that the entire database, all 10,000 user accounts, is compromised. This should remain the case until further facts establish which accounts have and have not been compromised. Cyber security incident investigations can take weeks to complete, and may never reach a conclusive finding on the scope of IT system or data compromise, in which case the worst-case scenario must remain adopted.

Step 3: Incident Containment
Once the actual or potential business impact is understood, the next thought should be to contain the incident. The objective of containment is to limit the business impact of an incident. This is where the preparation work and the identification stage, in knowing the business impact, come into play: if the potential cost and reputational damage caused by an incident is greater than that of taking down business services for a period of time, then the correct business decision is to pull the plug on the service. So incident recovery may have to take a back seat for a while in order to protect the business’s overall interests. Whether this means pulling the plug on a busy ecommerce website or downing an entire company network, if this course of action is the lesser of the two evils in terms of business impact, it is always the correct decision to take. Judging how long business systems need to remain down depends on Step 4.

Step 4: Incident Investigation and Forensics
As most cyber security incidents involve law breaking, whether by external hackers or disgruntled internal staff, your servers and infrastructure must be regarded as a crime scene and processed accordingly. There is always forensic data to collect, which may hold vital clues to the incident cause and scope; often these data clues are volatile and can be lost if not collected quickly and correctly. Therefore any investigation and forensics work must be performed by an appropriately qualified internal or third party, while ensuring there is a legal ‘chain of custody’, in case either criminal or civil action occurs down the line. The amount of time to engage and complete computer forensic investigations can be significantly reduced if you plan for them as part of the incident management preparation (Step 1). If you do not have any qualified resource within your organisation, I recommend arranging to have an external third-party computer forensic investigator on a retainer; typically they will provide a 4 hour call-out response time.

Aside from the potential court room battles, the other primary reason to perform a proper forensic investigation is to establish the facts of how an incident occurred. Without knowing the detailed facts of just how the breach occurred, you cannot know whether restored systems (Step 5) will still be vulnerable or not. For example, if you intend to restore systems from a backup, how do you know which backup is compromised or still vulnerable? It is imperative you know exactly when and how a cyber security incident occurred before engaging a recovery process, as repeating an incident can have significant business impact, especially reputationally.
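The ‘chain of custody’ point in Step 4 is easiest to see in code. The following is an added example written for this post, not the author’s own or any forensic product’s code: it records a SHA-256 hash of each evidence file at every hand-over, together with the handler and a UTC timestamp, so that a later re-hash shows whether the copy has been altered since acquisition. The file names, handler names and the sample log line are constructed for illustration.

```python
"""Evidence integrity and chain-of-custody record for incident forensics.

Added illustration, not from the original post: each time an evidence file
is acquired or handed over, its SHA-256 is recorded with who handled it and
when, so a later re-hash can show the file is unchanged (or that it is not).
"""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """Return the SHA-256 hex digest of a file, read in chunks so large
    disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_custody_event(log, path, handler, action, note=""):
    """Append one custody entry (acquired, transferred, analysed, ...) to the
    in-memory log (a list of dicts) and return it. Persist with save_log()
    after each entry so the record outlives the examining machine."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": Path(path).name,
        "sha256": hash_file(path),
        "handler": handler,
        "action": action,
        "note": note,
    }
    log.append(entry)
    return entry


def verify_evidence(log, path):
    """Re-hash the file and compare it with the hash recorded at acquisition.
    Returns (ok, recorded_hash, current_hash); ok is False if the file was
    altered since first logged, or was never logged at all."""
    name = Path(path).name
    entries = [e for e in log if e["evidence"] == name]
    current = hash_file(path)
    if not entries:
        return False, None, current
    recorded = entries[0]["sha256"]          # hash taken at acquisition
    return recorded == current, recorded, current


def save_log(log, log_path):
    """Write the custody log as JSON lines (one entry per line)."""
    with open(log_path, "w", encoding="utf-8") as fh:
        for entry in log:
            fh.write(json.dumps(entry) + "\n")


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a small "log export" standing in for real evidence.
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "webserver-access.log"
        evidence.write_bytes(b"10.0.0.5 - - [21/Oct/2016] GET /login 200\n")
        log = []
        record_custody_event(log, evidence, "A. Analyst", "acquired", "copied from web01")
        record_custody_event(log, evidence, "B. Examiner", "transferred")
        print("verified:", verify_evidence(log, evidence)[0])
        evidence.write_bytes(b"tampered\n")          # simulate an altered copy
        print("verified after change:", verify_evidence(log, evidence)[0])
        save_log(log, Path(tmp) / "custody.jsonl")
```

Every hand-over re-hashes the file, so a mismatch between two consecutive entries pinpoints which handler held the evidence when it changed, which is what a court will ask.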

Step 5: Incident Recovery
Only once the facts of the incident are fully known, can you ensure eradication of the incident vulnerabilities and/or malware, and confidently recover systems and business services.

Step 6: Learning the Lessons
The final stage of cyber security incident management, and arguably the second most important step after the incident management preparation, is ensuring the business learns lessons from incidents. This is a healthy way to improve the business security posture, and there is nothing worse than repeating an incident.


Yahoo, The Largest Data Breach in History…so far

Yahoo have just disclosed that over 500 million of its user accounts have been compromised. That’s a huge number; think about it for a second: that’s half a billion people across the globe affected and at risk. This is the largest known data breach in history to date. We know the Yahoo account data were stolen in late 2014, and the hack is said to have been orchestrated by state-sponsored actors, although there’s no evidence to back this claim up.
Yahoo has not disclosed how the data was hacked, or why it has taken almost two years to either discover the breach or disclose the breach publicly. A cynic might say Yahoo delayed informing its massive user base until after its recent £3.7 billion sale to Verizon was done and dusted. However, in late July 2016 hackers were found offering 200 million Yahoo accounts for sale on the dark web (www.telegraph.co.uk/200-million-yahoo-account-details-for-sale-online), so it is likely the 2014 data theft was discovered on the back of investigating that.
The stolen Yahoo account data included names, email addresses, telephone numbers, dates of birth, and security questions and answers. Surprisingly, a chunk of the security questions and answers were not encrypted by Yahoo. I always recommend companies protect account security questions and answers to the same degree as account passwords, given they can typically be used just like a password to access an account via a password reset function, including on accounts used with other websites. This is especially important for email accounts, as that is often where the password reset links are sent as part of the password reset process.
Advice 1: Reset Your Yahoo Password
Yahoo stated account passwords were stored as a hashed value using bcrypt. That’s good practice, especially in using bcrypt. However, my advice is to play it safe and reset the password; it’s good practice to change your password regularly anyway. And if you use that same password on any other websites, change it there too.
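The point made above, that security answers deserve the same protection as passwords, looks like this in practice. This is an added example written for this post, not Yahoo’s or the author’s code; it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for the bcrypt the post mentions (an assumption: any slow, salted password hash serves the purpose, and bcrypt can be swapped in where the library is available). The answer is normalised before hashing so a stray space or capital letter does not lock the genuine user out, and the stored record is self-describing so the work factor can be raised later. The user name, question and answer are constructed sample values.

```python
"""Storing account security answers as password-equivalent secrets.

Added illustration, not from the original post. PBKDF2-HMAC-SHA256 stands in
for bcrypt (assumption: any slow, salted password hash does the job).
"""
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000   # work factor; raise as hardware gets faster


def normalise_answer(answer):
    """Canonicalise a free-text answer so 'Fluffy ' and 'fluffy' match.
    Done before hashing, because a hash of the raw text would fail the
    genuine user on a stray space or capital letter."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def hash_answer(answer, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'
    (hex fields). A fresh 16-byte random salt is used unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(stored, candidate):
    """Check a candidate answer against a stored record in constant time.
    Malformed or unknown-scheme records never verify."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        iters = int(iters)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise_answer(candidate).encode("utf-8"), salt, iters
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample: what a leaked row looks like under each scheme.
    plaintext_row = {"user": "alice", "q": "first pet", "a": "Fluffy"}
    hashed_row = {"user": "alice", "q": "first pet", "a": hash_answer("Fluffy")}
    print(plaintext_row)          # a leak hands the attacker the answer
    print(hashed_row)             # a leak hands over a salted, slow hash only
    print(verify_answer(hashed_row["a"], " fluffy"))   # genuine user, sloppy typing
    print(verify_answer(hashed_row["a"], "Rex"))       # wrong answer
```

Note that hashing does not change the other weakness of security questions: the answers are often guessable or discoverable from public sources, which is why the post’s advice to change them after a breach still stands.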
Advice 2: Change Your Security Questions and Answers
Yahoo users should change their security questions and answers, which can be done on the Yahoo website. If users use the same Yahoo security questions and answers on other accounts, they also need to be changed, especially where they can be used to reset passwords and/or gain access to the account. Sure, this will be a difficult task to check and complete, but Yahoo users should assume their Yahoo ‘security questions and answers’, together with their name, email address and date of birth, are known by cyber criminals.

Advice 3: Be Extra Vigilant
Yahoo users should be extra vigilant for phishing scam emails, which may be crafted using the stolen Yahoo personal information to look highly authentic. Also check for any suspicious activity in the email account, especially any signs that someone else has been using it.


Why Brexit will be Business as Usual for Cyber Security & Data Protection in the UK

So it actually happened, they have gone and done it, it’s shocked the world: the UK populace have voted to leave the European Union today. Now what? Well, we’ll have to just get on with it and start thinking about how Brexit will impact Cyber Security and Data Protection in the UK from here on in.

I didn’t post a word on Brexit despite being asked numerous times during the “debating” season, or as we in the security industry call it, FUD! But now it’s done and dusted, here are my thoughts, which as always on this blog are completely my own.


Cyber Security Defence
The UK is a significant player in the international cyber threat intelligence community; although it is a highly secretive business, the “snooping” documents leaked by Edward Snowden demonstrated how closely GCHQ works with its American counterpart agencies. When it comes to the business of protecting the UK’s critical national infrastructure, economy and businesses from cyber attacks, NATO membership trumps EU membership every time. So I don’t believe UK citizens should be too concerned that Brexit will significantly weaken the UK’s cyber defence posture. I also don’t see the ties between UK security agencies and services and their European counterparts being cut any time soon, given the common terrorist, criminal gang and cyber threats European countries share.

Privacy and Data Protection
Privacy is a fundamental right for all European Union citizens, and to address this right in the digital space the EU has devised the General Data Protection Regulation (GDPR). The GDPR is a top-to-tail overhaul of Europe’s current Data Protection Directive (law), upon which EU member states’ data protection laws are based, including the UK’s Data Protection Act. Europe’s existing data protection legislation is well past its sell-by date; it was drafted without any knowledge or consideration of social networking, borderless cloud services, and colossal personal data collection and mining. Yet despite the desperate need for digital privacy protection legislation in Europe, the GDPR was held up by Brussels’ bureaucratic red tape for far too many years, and it has only recently reached an agreed final draft, which is due to come into European Union law in May 2018.

The GDPR applies not just to each EU member state, but to any business or organisation in countries outside the European Union which stores and/or processes EU citizens’ data. So from the UK perspective, despite the uncertainty caused by Brexit, my advice is for UK businesses to assume the GDPR is still going to apply, and to continue preparations to be compliant by May 2018.

Why UK will still need to comply with GDPR

I believe it is highly likely that the UK government (executive) will adopt the GDPR into UK law despite Brexit, or at the very least the vast majority of the GDPR requirements. The EU is likely to insist on the UK replicating the GDPR in law as part of the trade negotiations. Given many businesses in the UK will store and/or process EU citizen data, they still have to comply with the GDPR regardless of Brexit, or even of client contract clauses. Finally, it would be extremely emotive and controversial if UK companies were to treat and regard UK citizens’ privacy and personal data to a lesser degree than that of ‘foreign’ EU citizens. So I do fully expect it to be business as usual in the UK on the data protection front despite Brexit.

Cyber Security Review April 2016

The European General Data Protection Regulation (GDPR) was finally approved by the European Parliament this month. Coming into force in 2018, the GDPR has serious teeth, with a fine of up to 4% of global turnover for non-compliance and 72 hour mandatory data breach reporting amongst ground-breaking data protection changes geared at improving EU citizens’ privacy rights. The new data protection regulation will have a significant impact on all businesses in the UK, even if the UK votes to leave the EU.


An updated version of PCI DSS was also released; there are a number of minor changes to requirements within v3.2 which PCI DSS compliant businesses need to be aware of in order to avoid being caught out during compliance assessments.

There were several huge data breaches from around the world, with entire countries’ populations’ personal data being compromised. There was what could be a very defining UK lawsuit by 6,000 Morrisons staff against their company, after an employee stole and posted their personal details online.

News
