Beyond the Breach

Posted on : 29-10-2015 | By : Jack.Rawden | In : Cyber Security


Almost every day a cyber security story appears in the press: a company has been breached, data has been stolen, and a CEO apologises and assures everyone that they are doing everything they can to minimise the impact of the breach. With around 1.5 million cyber attacks per year, close to 4,000 every day, there is a lot of data being stolen. It was only recently, after discussing the latest TalkTalk breach with a friend, that it became clear that there is a lot of ambiguity about what happens to the data after it is stolen. Why do people steal data, and where does it go after it’s stolen?

To frame the discussion, let’s set up a typical data loss scenario. Let’s assume that a large, multinational organisation has had its main customer database hacked. In this database were 3 million records containing:

  • Names
  • Addresses
  • Contact Details
  • Financial Details

So, after the data has been stolen, what might happen to it?

The most obvious is the use of financial data. Stolen financial details are the crown jewels for any hacker and are the fastest way a person can make financial gain from a hack. Fraudulent credit card transactions are a £1.2 billion industry in the UK alone and can be hard for card operators to track, especially as this data can be disseminated across the globe. Hackers have access to funds until the individual account holder realises and puts a stop to it, which is often too late to prevent losses. But what about the slightly lesser-known possibilities?

One of the biggest drivers of cybercrime is the ability to buy and sell stolen data. It’s becoming more common for the individual who steals the data to trade it on; we have even heard stories of people specially commissioning specific data to be stolen. On the unregulated dark web there are numerous criminal marketplaces in which people trade other people’s private data. In a recent Intel Security report, “The Hidden Data Economy”, this ‘cybercrime-as-a-service’ marketplace has been identified as a primary driver for the explosion in the size, frequency, and severity of cyber attacks. Your stolen data can be broken down into categories, dependent on the type of data available, and bought by criminals looking to misuse it.

| Package            | U.S.  | U.K.    | EU      |
|--------------------|-------|---------|---------|
| Basic or “Random”  | $5-$8 | $20-$25 | $25-$30 |
| With Bank Details  | $15   | $25     | $30     |
| With Date of Birth | $15   | $30     | $35     |
| With Full Info     | $30   | $35     | $45     |

Cost per record as identified in “The Hidden Data Economy”

With the high price of an individual’s data it’s easy to see why attacks are becoming more commonplace. Applying this to our scenario, selling only 1% of the stolen data including date of birth would equate to a $900,000 pay day. Marketplaces are detailed enough that buyers can select the types and typical credit limits of cards, with higher prices charged for cards with bigger balances, or target records by address.

Financial data isn’t the only data that hackers will try to utilise. Linked account details, access to any infrastructure you might have, or even your Netflix account and frequent flyer miles aren’t safe.

With any leak of personal data, the individual is exposed to potential social engineering and phishing attacks that try to source further details. Social engineering can be defined as “a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.” This is particularly common where only partial data (without financial details) is stolen. Stolen data can be used to make an attacker seem familiar to an individual: for example, a hacker might know your address, phone number and service type, and try to use this against you by appearing to be a trusted individual. This is often the hardest type of attack to protect against, and it’s common for individuals to be tricked into passing on more sensitive data or even financial information. This data could also be used to get access to further accounts – email addresses, passwords and answers to security questions can unlock access to social media or even banking applications.

A more recent trend is, again, not to use the stolen data directly but to hold it to ransom. This has been known to work in two ways, targeting either the end user or the corporation itself. In the case of the Ashley Madison hack, individual users have been targeted using stolen data and extorted in return for the data being kept quiet, in essence a type of social engineering. In similar circumstances organisations have been targeted for blackmail, being asked to buy back stolen data as the price for silence. Examples of where this has occurred are hard to find, as they often stay as internal affairs, but a recent public example is the TalkTalk hack, in which the CEO received an email from the group trying to extort TalkTalk into buying the data back from the hackers.

The uses of stolen data are diversifying quickly. The more data that gets breached and stolen from organisations, the more data will be available on the black market. People with malicious intentions will find ways to use this data, and the only real ways to protect yourself are to cut the data off at the source or, ideally, to disrupt the marketplace where this data is sold and so reduce the value of a cyber attack.

 

Is Google the new Dr Johnson? The democratisation of spelling.

Posted on : 29-10-2015 | By : richard.gale | In : Innovation


The recent re-brand of Google to Alphabet may be seen as a way to enable the group to consider different and more radical products. It started us thinking about Google and its hold over the English language.

Historically, language evolved through word of mouth and then in writing. The English language was formalised by Dr Johnson into dictionaries, with the Oxford English Dictionary currently being the UK ‘bible’ – if a word makes it into the new year’s edition then it has officially ‘arrived’.

But now so many words are typed into the Google search bar. We have noticed, over the years, that it is getting more sophisticated at guessing which word you meant to type when you misspell or mistype a word. Environment is a particular favourite of mine (even though I have programmed in COBOL…) but I don’t really need to worry too much if I type it into Google, as it still finds what I’m looking for.

So with this auto-correction in our search engines, our phones and our word & mail applications, how important is spelling and should we really care too much? There are already alternative spellings for colour/color, program/programme etc. In fact the blogging application I’m using at the moment constantly tries to turn all my ‘s’s into ‘z’s. So as long as whoever the words are meant for can understand them, is there a problem with spelling?

If enough people misspell ‘tomorrow’, should ‘tommorrow’ be the new correct way to spell it? Google has all this data stored in its servers and it would be interesting to see if some words are spelled incorrectly more often than not.

Language has a political element to it too. In 1806 the American Noah Webster created a dictionary, “An American Dictionary of the English Language” which introduced American English spellings and simplification of the language. The French have been famously defensive of their language, creating a multitude of words to protect against English and American ‘language imperialism’. Google’s innocuous search bar could bring far more change, more quickly to many languages. How long before language gets Googlefied (it’s a word according to Google)?

And on the subject of Google – This quote from the author of the first definitive dictionary could have been written for it…

“Knowledge is of two kinds. We know a subject ourselves, or we know where we can find information upon it.”
Samuel Johnson

THE NEXT BANKING CRISIS? TOO ENTANGLED TO FAIL…

Posted on : 29-10-2015 | By : Jack.Rawden | In : Finance


Many miles of newsprint (& billions of pixels) have been generated discussing the reasons for the near collapse of the financial systems in 2008. One of the main reasons cited was that each of the ‘mega’ banks had such a large influence on the market that they were too big to fail: a crash of one could destroy the entire banking universe.

Although the underlying issue still exists (there are a small number of huge banking organisations), vast amounts of time and legislation have been focused on reducing the risks of these banks by forcing them to hoard capital to reduce the external impact of failure. An unintended consequence of this has been that banks are less likely to lend, so constricting firms’ ability to grow and slowing the recovery, but that’s a different story.

We think the focus on capital provisions and risk management, although positive, does not address the fundamental issues. The banking system is so interlinked and entwined that one part failing can still bring the whole system down.

Huge volumes of capital are being moved round on a daily basis and there are trillions of dollars ‘in flight’ at any one time. Most of this is passing between banks or divisions of banks. One of the reasons for the UK part of Lehman’s collapse was that it sent billions of dollars (used to settle the next day’s obligations) back to New York each night. On the morning of 15th September 2008 the money did not come back from the US and the company shut down. The intraday flow of capital is one of the potential failure points with the current systems.

Money goes from one trading organisation in return for shares, bonds, derivatives or FX, but the process is not instant. There are usually other organisations involved, and the money and/or securities are often in the possession of different organisations during that process.

This “Counterparty Risk” is now one of the areas that banks and regulators are focussing in on. What would happen if a bank performing an FX transaction on behalf of a hedge fund stopped trading? Where would the money go? Who would own it and, as importantly, how long would it take for the true owner to get it back? The other side of the transaction would still be in flight, so where would the shares/bonds go? Assessing the risk of a counterparty defaulting whilst ensuring the trading business continues is a finely balanced tightrope walk for banks and other trading firms.

So how do organisations and governments protect against this potential ‘deadly embrace’?

Know your counterparty: this has always been important and is a standard part of any due diligence for trading organisations. What is as important is:

Know the route and the intermediaries involved: companies need as much knowledge of the flow of money, collateral and securities as they do of the end points. How are the transactions being routed and who holds the trade at any point in time? Some of these flows will only pause for seconds with one firm, but there is always a risk of breakdown or failure of an organisation, so ‘knowing the flow’ is as important as knowing the client.

Know the regulations: of course trading organisations spend time on & understand the regulatory framework, but in cross-border transactions especially there can be gaps, overlaps and multiple interpretations of these regulations, with each country or trade body having different interpretations of the rules. Highlighting these and having a clear understanding of the impact and process ahead of an issue is vital.

Understand the impact of timing and time zones: trade flows generally can run 24 hours a day, but markets are not always open in all regions, so money or securities can get held up in unexpected places. Again, making sure there are processes in place to overcome these snags and delays along the way is critical.

Trading is getting more complex, more international, more regulated and faster. All these present different challenges to trading firms and their IT departments. We have seen some exciting and innovative projects with some of our clients and we are looking forward to helping others with the implementation of systems and processes to keep the trading wheels oiled…

Imperva Hacker Intelligence Initiative Report Analyses Hidden Enterprise Risks of Consumer-Centric Malware

Posted on : 27-10-2015 | By : Maria Motyka | In : Cyber Security


As part of its initiative to investigate trending hacking techniques and attack campaign case studies, Imperva, Inc. has recently released a new cyber security research report: “Phishing Trip to Brazil”.

The document discusses the impact on enterprise data security of cyber attacks that target consumers, looking at a case study of a Trojan monitoring the online banking activity of major Brazilian banks.

“Our research underscores that work life and personal life intersect, and when an employee receives a suspicious email from a vendor they trust, like a bank, they are more likely to open it. Unfortunately, if an employee reads one of these emails on a home computer while connected to an enterprise Virtual Private Network (VPN), they are opening up their employer to a potential attack,” Amichai Shulman, Co-founder and CTO, Imperva

For the purpose of the report, Imperva evaluated 14 different command and control (C&C) servers holding more than 10,000 records across almost 5,000 different IP addresses.

Key report findings are as follows:

  • The majority of Trojan infections found took place during office hours, which leads to the conclusion that the infected computers were being used for business.
  • At least 17 percent of infected computers were directly attached to enterprise networks, showing the ease with which cyber attacks targeting consumers still put enterprises at risk.
  • Consumer-centric cyber crimes used malware that relies on social engineering, sending its victims legitimate-appearing e-mail messages containing a link to a zipped file.

 

Imperva is a leading provider of cyber and data security products. The company offers cyber security solutions, which protect business-critical data and applications in the cloud and on-premises.

To discover ways in which Imperva’s products could enhance your company’s security, contact Broadgate Consultants.

A full version of the Phishing Trip to Brazil report is available here.

Cyber Slackers: Millennials fail at Cyber Security

Posted on : 26-10-2015 | By : Maria Motyka | In : Cyber Security


Nearly half of Millennials are concerned about cybercrime, yet the majority of them fail to take basic IT security precautions.

As many as 86 percent of people aged 18-34 store bank account information on their mobiles and 84 percent check financial accounts while connected to public Wi-Fi, a survey carried out by TransUnion in honour of the US National Cyber Security Awareness Month reveals. Such actions put them at high risk of identity theft, which is experienced by 19 people every minute.

“Cybercriminals don’t care about your age; they just want access to your identity and credit. It is important for people of all ages to be aware of the behaviours that make them vulnerable to identity theft and to not sacrifice security for convenience.”  Ken Chaplin, Senior VP at TransUnion

Baby Boomers (people 55 to 70), on the other hand, while the least concerned with cyber threats, are much more likely to take action to protect themselves online. According to survey results, at least half of them take basic IT precautions; 50 per cent store important information on mobile devices and only 54 per cent access financial accounts using public Wi-Fi.

TransUnion recommends three basic steps to reduce the risk of becoming a cyber theft victim:

  • Protecting mobile devices with a unique password.
  • A cautious approach to NFC applications.
  • Refraining from accessing sensitive information when connected to public Wi-Fi.

With a growing number of Millennials entering their professional lives, companies need to stay alert in terms of how and where their employees access and share company-related data (on Social Media? Using public Wi-Fi perhaps?), as well as educate the younger generation about Cyber Security and its importance in a business context.

To assess your company’s security and check your Cyber Risk Score using Broadgate’s Assurity Risk Assessment click here
