Beware the GDPR Hacktivist DDoS Threat

Posted on : 28-02-2018 | By : Tom Loxley | In : compliance, Cyber Security, Data, data security, GDPR, Uncategorized


Getting GDPReady is on most organisations' agenda at the moment. However, what if, after all the effort, cost and time spent becoming compliant with GDPR, I told you that you could have opened your organisation up to a serious distributed denial-of-service (DDoS) threat?

Whilst we all know that GDPR is a requirement for all businesses it is largely for the benefit of the public.

For instance, with GDPR individuals now have the right to have the personal data an organisation holds on them revealed, or deleted and forgotten. Now imagine if masses of people, in a focused effort, decided to ask for their information at once, overwhelming the target organisation. The result could be crippling and, in the wrong hands, could be used as a DDoS-style attack.

Before we go any further let’s just consider for one moment the amount of work, manpower, cost and time involved in processing a request to be forgotten or to produce all information currently held on a single individual. Even for organisations who have mapped their data and stored it efficiently and created a smooth process exactly for this purpose, there is still a lot of effort involved.

Hacktivism is the act of hacking or breaking into a computer system, for a politically or socially motivated purpose, so technically speaking your defences against other cyber attacks would normally protect you. But in this case, hacktivist groups could cause serious damage to an organisation without the need for any technical or cyber expertise and there is even uncertainty as to whether or not it would be illegal.

So, could GDPR requests for data deletion and anonymity be used as a legal method to disrupt organisations? I am not suggesting the occasional request would cause an issue but a coordinated mass of requests, which legally organisations will now be obliged to process, resulting in a DDoS style attack.

Organisations will be trapped by their compliance. What are the alternatives? Don’t comply with GDPR and there are fines of 4% of annual turnover or 20,000,000 euros (whichever is greater). The scary thing here is what is stopping the politically or morally motivated group who takes issue with your company from using this method? It’s easy and low risk for them and potentially crippling to some organisations so why not?
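The defensive check a practitioner would want against the scenario above is an intake step that spots a flood before it reaches the people who process requests. The following script is an added example, not part of the original post: it collapses duplicate submissions from the same person, flags bursts of requests inside a short window, and lists the sources that submitted the most requests, so that a coordinated mass of requests is visible on day one rather than discovered when the response deadline arrives. The request records are constructed sample data; the field names, the ten-minute window and the threshold of five are assumptions.

```python
"""Intake triage for data-subject requests arriving in bulk.

Added example, not part of the original post: it collapses duplicate
requests from the same person, flags bursts of requests inside a short
window so a coordinated flood is noticed early, and lists the sources that
submitted the most requests. The request records are constructed sample
data; the field names, window and threshold are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Request:
    timestamp: str   # ISO 8601, as written by the intake form
    subject: str     # e-mail address the data subject gave
    kind: str        # "access" or "erasure"
    source_ip: str   # address the web form was submitted from


# Constructed intake log: a duplicate, a tight cluster, then one lone request.
SAMPLE_REQUESTS = [
    Request("2018-05-25T09:00:00", "alice@example.com", "access", "203.0.113.5"),
    Request("2018-05-25T09:00:30", "ALICE@example.com", "access", "203.0.113.5"),
    Request("2018-05-25T09:01:00", "bob@example.com", "erasure", "203.0.113.7"),
    Request("2018-05-25T09:01:10", "carol@example.com", "access", "198.51.100.2"),
    Request("2018-05-25T09:01:20", "dave@example.com", "access", "198.51.100.2"),
    Request("2018-05-25T09:01:30", "erin@example.com", "access", "198.51.100.2"),
    Request("2018-05-25T09:01:40", "frank@example.com", "erasure", "198.51.100.2"),
    Request("2018-05-25T14:30:00", "grace@example.com", "access", "192.0.2.9"),
]


def normalise_subject(address: str) -> str:
    """Case-fold and trim so the same person is recognised across submissions."""
    return address.strip().lower()


def dedupe(requests):
    """Keep the first request per (subject, kind); later repeats add no work."""
    seen, unique = set(), []
    for req in sorted(requests, key=lambda r: r.timestamp):
        key = (normalise_subject(req.subject), req.kind)
        if key not in seen:
            seen.add(key)
            unique.append(req)
    return unique


def detect_bursts(requests, window=timedelta(minutes=10), threshold=5):
    """Return clusters where at least `threshold` requests fall in any `window`.

    Each cluster is a dict with ISO start/end stamps and the request count.
    """
    stamps = sorted(datetime.fromisoformat(r.timestamp) for r in requests)
    flagged = [False] * len(stamps)
    left = 0
    for right, current in enumerate(stamps):          # sliding window
        while current - stamps[left] > window:
            left += 1
        if right - left + 1 >= threshold:
            for k in range(left, right + 1):
                flagged[k] = True

    clusters, i = [], 0
    while i < len(stamps):
        if not flagged[i]:
            i += 1
            continue
        j = i
        while j + 1 < len(stamps) and flagged[j + 1] and stamps[j + 1] - stamps[j] <= window:
            j += 1
        clusters.append({"start": stamps[i].isoformat(),
                         "end": stamps[j].isoformat(),
                         "count": j - i + 1})
        i = j + 1
    return clusters


def top_sources(requests, n=3):
    """Most frequent submitting addresses, as (ip, count) pairs."""
    return Counter(r.source_ip for r in requests).most_common(n)


if __name__ == "__main__":
    unique = dedupe(SAMPLE_REQUESTS)
    print(f"{len(SAMPLE_REQUESTS)} submitted, {len(unique)} distinct")
    for burst in detect_bursts(unique):
        print("burst:", burst)
    print("top sources:", top_sources(unique))
```

Nothing here refuses a request: every distinct request still has to be answered. The output is what a privacy team would review when deciding whether identity verification needs tightening, whether the Regulation's own provisions for numerous or complex requests apply, and whether the pattern is worth reporting to the regulator as engineered rather than organic.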

How will the ICO possibly select between the complaints of those organisations genuinely failing to comply with regulation and those which have been engineered for the purpose of a complaint?

With so many organisations still being reported as unprepared for GDPR, and the ICO keen to prove GDPR will work and to make some early examples of those who don’t comply to show they mean business, my worry is that there will be a bit of a gold rush of litigation in the first few months after the May 2018 compliance deadline, in much the same way as PPI claims have affected financial services lenders.

For many companies, the issue is that the prospect of preparing for GDPR seems complicated and daunting, and the information on the ICO website is sometimes rather ambiguous, which doesn’t help matters. The truth is that for some companies it will be far more difficult than for others, and finding the help, either internally or by outsourcing, will be essential in their journey to prepare and implement effective GDPR-compliant policy and processes.

Broadgate Consultants can advise and assist you to secure and manage your data, assess and mitigate your risks and implement the right measures and solutions to get your organisation secure and GDPReady.

For further information, please email thomas.loxley@broadgateconsultants.com.


The CIO Guide to a successful Information Security Practice

Posted on : 30-06-2015 | By : jo.rose | In : Cyber Security


Our colleagues at Corix Partners have recently published on their blog a series of articles highlighting the eight key management rules CIOs and CISOs should follow to build and deliver a successful Information Security practice. We publish below a summary of the series which deconstructs in-depth eight views commonly held by Information Security practitioners and explores the Governance and Leadership dynamics which surround Information Security.

1. Think of Information Security as a Control function and not as a Support function

Information Security within a large organisation is often simplistically seen as a support function, and, as such, many stakeholders expect it to help streamline or ‘enable’ the business. The reality is, Information Security needs to be seen as a control function – and rules (that may be perceived as restrictive) are a necessary part of ensuring its effectiveness. CISOs must have the management skills to effectively communicate the threats facing the information assets to all stakeholders across the business – and they must get everyone on the same page when it comes to ensuring the appropriate controls are put in place to protect these assets.

2. Create a sense of reality around the threats and do not focus only on IT aspects

A commonly held view among Information Security communities is that businesses don’t care enough about Information Security – and decisions are often made from a convenience or cost avoidance perspective. However, a disproportionate focus on technical details and IT issues by the security teams themselves is often to blame for the disengagement with the subject. It’s down to the CISO to effectively communicate to the business the real threats faced by information assets, how this could translate into real consequences across the organisation – and how protective controls can prevent this from happening. If the level of Risk (resulting from the presence or absence of controls) is presented in a language that the businesses can understand, the CISO will build a meaningful dialogue with them that should drive the right decisions.

3. Focus resources on the proper implementation of key Controls and sell success

It’s often believed that Information Security is a chronically underfunded practice, and budgetary limitations are a barrier to its success. However, research by the World Economic Forum (‘‘Risk and Responsibility in a Hyper-connected World’) has shown that many large organisations in fact spend more than 3% of their total IT budgets on cyber security. Despite this, few have reached an acceptable level of cyber security maturity. Instead of requesting budgets to fund new technical initiatives, CISOs should tilt the magnifying glass and focus the resources they do have on the proper implementation of key controls – which have been mapped for a long time and alone can be highly successful in preventing most cyber attacks. Implementing demonstrable controls will give the business confidence that real protective measures are being put in place and that the spend is justified.

4. Pin tactical initiatives against a long-term Information Security roadmap

Within Information Security communities, the CISO is frequently regarded as a ‘firefighter’, working mostly in a reactive manner around cyber security incidents and attacks. This approach is often further fuelled by management’s short-term obsession with audit and compliance issues. While reacting to breaches or acting on regulatory demands will always remain a priority, especially as cyber threats continue to evolve and regulation increases, the key focus should be on addressing the root cause of the underlying problems. The CISO must pin tactical initiatives against the backdrop of a long term transformative Information Security roadmap and think beyond mere technical and tactical solutions. But to be truly successful, the CISO must also have the gravitas to influence lasting change and the personal skills to drive security transformation.

5. Assign Information Security Responsibilities and Accountabilities

Countless security awareness programmes follow the train of thought that Information Security is everyone’s business – across the organisation. While it’s true that everyone in an organisation can do something at their level to protect the business against threats, it cannot be ‘everyone’s responsibility’ – as this attitude can quickly drift towards becoming ‘nobody’s responsibility’. The CIO must ensure that the CISO is accountable for ensuring that the appropriate controls are in place across the organisation, backed by a sound Information Security Governance Framework. They must ensure that accountabilities and responsibilities are cascaded down to all relevant stakeholders across all silos (e.g. HR, Legal, Business units, third-parties etc.).

6. Operate Information Security as a cross-silo practice and not just as a technical discipline

Information Security practice is regularly considered a purely technical discipline. However, information exists in both digital and physical forms and more importantly – is constantly manipulated by people during the business day. While technology should undoubtedly play a strong role, in many industries, a stronger focus on the other elements of Information Security is often required. In order to implement an effective Information Security practice, CISOs need to establish a controls based mind-set across all silos of their organisation.

7. Operate Information Security as an ongoing structured practice and not just a series of technical projects

Information Security practitioners always seem busy with technical projects. In fact, Information Security should be there to provide continuous and long-term protection to the business. Therefore, it should not be approached just as a series of tactical projects with a set start date, end date and check-list of deliverables. All technical projects and tactical initiatives within an organisation’s Information Security practice should be seen as forming part of a structured practice and aligned with a long term Information Security strategic roadmap – aiming to achieve an Information Security vision and deliver lasting change across the organisation.

8. Operate Information Security to focus on People and Process supported by Technology, not just the implementation of the latest Technical Products

In order to ‘keep up with the hackers’ as technology evolves and cyber attacks become increasingly more advanced, many believe that business protection is derived primarily from the implementation of the latest technical products and solutions. While it can be tempting to believe that the latest technology products are going to be the ‘silver bullet’ needed to keep the business safe, in reality there’s often more to consider. It’s critical that the Information Security practice addresses any weaknesses in the organisation’s functional structure (people and processes), before turning to technical products as potential solutions.

Thanks to JC Gaillard and Neil Cordell for this contribution. The full series, ‘The CIO Guide to Information Security Practice: 8 Key Management Pitfalls to Avoid’ can be found on the Corix Partners’ blog.

Who’s hacking your organisation? Seems like just about everyone

Posted on : 30-04-2013 | By : jo.rose | In : Cyber Security


Last month we wrote about The Evolution of the Cyber Criminal and highlighted how they had developed from the lone (and often lonely) hacker, into organised and “employed” online assailants.

So where are the key locations orchestrating these attacks? Recently, informed commentators have pointed towards China as the key driver behind cyber attacks, with the primary goal of stealing sensitive information such as intellectual property. However, during 2012 FireEye, the leading solution provider for protection against Advanced Persistent Threats (APTs), monitored more than 12 million malware communications, thus creating a rich view of the threat landscape.

The key findings were:

  • Malware is truly multinational: callbacks were found to 184 countries, an increase of 42% over the previous 2 years. The distribution of the countries has also evolved significantly, with the US, Ukraine and Russia top in 2011, whilst in the recent analysis the top countries were the US, South Korea and China. (The report’s chart of the top 20 countries hosting command and control servers is not reproduced here.)

  • Asia and Eastern Europe hotspots: contributing 24% and 22% of the malware callbacks respectively. North America still actually topped the league but this was due to them hosting more control servers, both from an evasion and target perspective.
  • The majority of APTs originate from tools “Made in China”: by analysing the DNA of the malware families and matching it with callbacks, FireEye found that some 89% originate from Chinese hackers.
  • Technology Organisations targeted most: there is a large concentration of attacks towards technology organisations, mainly due to their high level of intellectual property.
  • In-country callback evolution: in order to evade detection, malware is increasingly contacting control servers within the target nation (indeed, some 66% of servers were located within the United States).
  • Techniques to evade detection: control servers are using more and more advanced mechanisms to mask against capture, increasingly leveraging social networking infrastructure and embedding in common files.

To see an interactive cyber threat map and to download the full report, go to http://www.fireeye.com/cyber-attack-landscape/.

With such a dynamic landscape, APTs becoming more advanced and cyber criminals adopting a truly global approach to their activities, it is difficult for organisations to stay ahead.

Indeed, arguably it is really about staying close enough to limit the impact to your company sensitive information and assets.

Let’s look at some other key facts from the recent Advanced Threat Report for the second half of 2012.

On average, a malware event occurs once every three minutes within an internal company network. Whilst organisations deploy varying layers of protection such as firewalls, antivirus and intrusion prevention systems, malware has become so pervasive, and so successful at penetrating these defences, that without a new approach the fight will be lost.

Whilst some industry verticals, such as technology organisations, are attacked cyclically or consistently, others, such as healthcare, tend to experience more volatility, with cyber criminals focusing on specific events.

Spear phishing remains the most common entry method for cyber attacks, with the initiators using more common business terms and associated file names to lure unsuspecting users into the attack. Indeed, they typically fall into three categories, those being 1) shipping and delivery (the top phrase in malware file names was “UPS”) 2) finance and 3) general business.

File-wise, ZIP remains by far the preferred delivery mechanism for malware over email, with it being used in some 92% of attacks. Also, attackers are avoiding the more common .exe file types as the infection propagates in favour of system files such as DLLs to avoid detection and be more persistent.

Cyber criminals have also spent a lot of time “innovating” in the way that the malware payload is delivered and in avoiding detection. Examples include malware that executes only when the user moves the mouse (thereby duping some detection systems, since it generates no activity otherwise) and malware that incorporates virtual machine detection to bypass sandboxing.
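The delivery patterns in the last few paragraphs (business-term lures with “UPS” the top file-name phrase, ZIP as the container, DLLs in place of .exe files) are all things a mail gateway can check for before a user ever sees the attachment. The script below is an added example, not code from FireEye or from the original post: it scores constructed sample attachments against those patterns and returns a verdict with the reasons. The lure vocabulary is seeded from the report’s three categories, the executable-extension list goes beyond the .exe and DLL types the page names, and the verdict thresholds are assumptions.

```python
"""Attachment triage against the delivery patterns described above.

Added example, not code from FireEye or the original post. It scores
inbound e-mail attachments on lure wording in the subject or file name,
ZIP containers, executable members inside the archive (DLLs called out
explicitly), and double extensions. Sample attachments and the term lists
are constructed; the verdict thresholds are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed lure vocabulary, seeded from the report's shipping/finance/business categories.
LURE_TERMS = {"ups", "shipping", "delivery", "tracking", "invoice", "payment", "order"}
# The page names .exe and DLLs; the remaining types are assumptions.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".js", ".vbs"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


@dataclass(frozen=True)
class Attachment:
    filename: str
    subject: str = ""
    members: tuple = ()  # file names inside a ZIP container, if any


# Constructed samples: three malicious-looking, two benign, one lure-only.
SAMPLE_ATTACHMENTS = [
    Attachment("UPS_Tracking_Number.zip", "UPS delivery notification", ("UPS_Tracking_Number.exe",)),
    Attachment("Q3_report.zip", "Q3 figures", ("report.docx", "msvcrt_helper.dll")),
    Attachment("invoice.pdf.exe", "Invoice attached"),
    Attachment("minutes.docx", "Meeting minutes"),
    Attachment("photos.zip", "holiday photos", ("a.jpg", "b.jpg")),
    Attachment("Invoice_4471.pdf", "Invoice for March"),
]


def extension(name: str) -> str:
    """Lower-cased final extension, or '' when there is none."""
    match = re.search(r"(\.[A-Za-z0-9]+)$", name)
    return match.group(1).lower() if match else ""


def has_double_extension(name: str) -> bool:
    """True for names like 'invoice.pdf.exe': document look, executable type."""
    parts = name.lower().rsplit(".", 2)
    return (len(parts) == 3
            and "." + parts[2] in EXECUTABLE_EXT
            and "." + parts[1] in DOCUMENT_EXT)


def lure_words(att: Attachment) -> list:
    """Lure terms present in the subject or file name, tokenised on non-alphanumerics."""
    tokens = set(re.findall(r"[a-z0-9]+", f"{att.subject} {att.filename}".lower()))
    return sorted(tokens & LURE_TERMS)


def triage(att: Attachment) -> dict:
    """Return a verdict ('quarantine', 'review' or 'allow') with the reasons."""
    reasons = []
    executable_evidence = False

    words = lure_words(att)
    if words:
        reasons.append("lure wording: " + ", ".join(words))

    if extension(att.filename) == ".zip":
        reasons.append("zip container")
        execs = [m for m in att.members if extension(m) in EXECUTABLE_EXT]
        if execs:
            executable_evidence = True
            reasons.append("executable inside archive: " + ", ".join(execs))
        if any(extension(m) == ".dll" for m in att.members):
            reasons.append("dll payload (common substitute for .exe)")
    elif extension(att.filename) in EXECUTABLE_EXT:
        executable_evidence = True
        reasons.append("bare executable attachment")

    if has_double_extension(att.filename):
        executable_evidence = True
        reasons.append("double extension")

    if executable_evidence:
        verdict = "quarantine"
    elif words:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": att.filename, "verdict": verdict, "reasons": reasons}


def triage_all(attachments=SAMPLE_ATTACHMENTS) -> list:
    return [triage(a) for a in attachments]


if __name__ == "__main__":
    for result in triage_all():
        print(f"{result['verdict']:10} {result['filename']:28} {'; '.join(result['reasons'])}")
```

Executable evidence alone quarantines; lure wording alone only routes to review, because the same business terms appear in legitimate mail. The mouse-movement and virtual-machine checks mentioned in the last paragraph happen at run time and are invisible to a static filter like this one, which is why it is a first pass in front of sandboxing rather than a replacement for it.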

This is certainly a battle that will rage for many years to come.

If you would like more information on how FireEye can assist in protecting your organisation against cyber threats, please contact jo.rose@broadgateconsultants.com.