Could You Boost Your Cybersecurity With Blockchain?

Posted on : 28-11-2017 | By : Tom Loxley | In : Blockchain, Cloud, compliance, Cyber Security, Data, data security, DLT, GDPR, Innovation


Securing your data, the smart way

The implications of blockchain technology are being felt across many industries; the disruptive effect it is having on Financial Services is changing the fundamental ways we bank and trade. Its presence is also being felt in Defence, Business Services, Logistics and Retail, and the list of proposed applications is endless, although not all of them are practical or worth pursuing. Like all things with genuine potential and value, it is accompanied by the buzzwords, trends and fads that undermine it, as many try to jump on the bandwagon and cash in on the hype.

However, one area where tangible progress is being made and where blockchain technology can add real value is in the domain of cybersecurity and in particular data security.

Your personal information and data are valuable, and therefore worth stealing and worth protecting, and many criminals are working hard to exploit them. Data collection began to ramp up in the late 90s with the popularity of the internet, and the hoarding of our personal and professional data has now reached fever pitch. We live in the age of information, and information is power; in the digital world it translates directly into value.

However, some organisations, public sector and private sector alike, have dealt with our information so carelessly that they do not even know what they hold, how much of it they have, or where and how it is stored.

Lists of our information are emailed to multiple people on spreadsheets, downloaded and saved on to desktops, copied, chopped, pasted, formatted into different document types and then uploaded on to cloud storage systems then duplicated in CRM’s (customer relationship management systems) and so on…are you lost yet? Well so is your information.

This negligence happens without any malice or negative intent, simply through a lack of awareness and a lack of process or procedure around data governance (or a failure to implement what process and procedure do exist).

Human nature dictates that we take the easiest route. Combine this with deadlines to meet and a reluctance to delete anything in case we need it later, and we end up with information being continually copied, replicated and stored in every nook and cranny of hard drives, networks and clouds until nobody knows what is where any more. As if this were not bad enough, it makes the information nearly impossible to secure: you cannot protect a copy you do not know exists.

In fact, for most, it’s just easier to buy more space in your cloud or buy a bigger hard drive than it is to maintain a clean, data-efficient network.

Big budgets aren’t the key to securing data either. Equifax is still hurting from an immense breach earlier this year, in which criminals accessed the personal data of approximately 143 million U.S. consumers. Equifax isn’t the only one: a full list of the serious breaches of the last year or two would leave you both scarred and bored by its length. The numbers involved, the sums ransomed out of companies and individuals, the volume of data stolen and the count of organisations breached, are huge and growing.

So it’s no surprise that anything in the tech world that can vastly aid cybersecurity and in particular securing information is going to be in pretty high demand.

Enter blockchain technology


The beauty of a blockchain is that it gives you two things at once: tamper-evident records and a single agreed order of events.

Blockchains provide real benefits for the integrity of our data. The ledger underpinning Bitcoin has run since January 2009 and no attacker has managed to rewrite it; the well-publicised Bitcoin thefts came from the wallets, exchanges and private keys around the ledger, not from the chain itself. That distinction matters: a blockchain protects the record of what happened, not the keys and applications that use it.

A blockchain stores its data as an append-only record: once a block has been accepted, any later change to it is detectable. Each block carries a cryptographic hash of the block before it, so the blocks form a chronological chain in which the hash of every block depends on the content of all the blocks before it. Copies of the chain are held by many computers (nodes); a copy in which any block has been altered no longer verifies against the hashes held by the other nodes, so the alteration is visible to all of them.

For a new block to be added, the nodes must reach consensus on it (on a private blockchain the number of nodes, and who runs them, is up to you). So to change a record after the fact an attacker does not need to break the cryptography at all: they need to recompute the hash of that block and of every block added after it (and on a proof-of-work chain, redo the work for each one), and then persuade a majority of the nodes to accept the rewritten chain in place of the original. On a public chain with thousands of independent nodes that is impractical. On a private chain run by a single organisation it is simply a question of who controls the nodes, which is why immutability there is a governance property as much as a cryptographic one. Note also that a blockchain does not stop anyone holding a copy from reading what is on it: it gives integrity and auditability, not confidentiality, so sensitive data normally stays off-chain and only hashes, pointers or access records go on it.

That means that everything stored on, or referenced from, a blockchain is transparently recorded and can be audited. Another benefit for data security is that private blockchains are permissioned: every write is tied to an identified participant, so accountability and responsibility are enforced by design, and in my experience people who are accountable for what they do tend to care a lot more about how they do it.
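To make the hashing and consensus argument above concrete, here is a small added example (written for this page; it is not code from the original post or from any product the post mentions) of a hash-chained ledger with a toy proof-of-work. It assumes a difficulty of two leading zero hex digits, SHA-256 over a JSON encoding of each block, and three constructed transaction records. It shows that a naive edit is caught by the first node that checks the copy, that a determined attacker must re-mine every later block, and that even then the rewritten copy disagrees with every honest node.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

# Toy proof-of-work: a block hash must start with this many zero hex digits.
# Real chains use a far higher difficulty; two digits keeps the demo fast.
DIFFICULTY = 2
GENESIS_PREV = "0" * 64

Block = Dict[str, Any]


def block_hash(index: int, prev_hash: str, data: str, nonce: int) -> str:
    """SHA-256 over the block's contents; the previous block's hash is part of the input."""
    payload = json.dumps(
        {"index": index, "prev": prev_hash, "data": data, "nonce": nonce}, sort_keys=True
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def mine_block(index: int, prev_hash: str, data: str) -> Block:
    """Search for a nonce that meets the difficulty target (this is the 'work')."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, data, nonce)
        if h.startswith("0" * DIFFICULTY):
            return {"index": index, "prev": prev_hash, "data": data, "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(records: List[str]) -> List[Block]:
    """Genesis block followed by one mined block per record."""
    chain = [mine_block(0, GENESIS_PREV, "genesis")]
    for record in records:
        prev = chain[-1]
        chain.append(mine_block(prev["index"] + 1, prev["hash"], record))
    return chain


def first_invalid_block(chain: List[Block]) -> Optional[int]:
    """What every node runs on any copy it receives: the index of the first block
    whose hash, difficulty or back-link does not check out, or None if consistent."""
    for i, b in enumerate(chain):
        expected = block_hash(b["index"], b["prev"], b["data"], b["nonce"])
        if b["hash"] != expected or not b["hash"].startswith("0" * DIFFICULTY):
            return i
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if b["prev"] != expected_prev:
            return i
    return None


def tamper(chain: List[Block], index: int, new_data: str) -> List[Block]:
    """Naive attacker: edit a record in one copy without redoing any hashing."""
    forged = [dict(b) for b in chain]
    forged[index]["data"] = new_data
    return forged


def rewrite_from(chain: List[Block], index: int, new_data: str) -> List[Block]:
    """Determined attacker: edit a record, then re-mine that block and every later one."""
    forged = [dict(b) for b in chain[:index]]
    prev_hash = forged[-1]["hash"] if forged else GENESIS_PREV
    forged.append(mine_block(index, prev_hash, new_data))
    for b in chain[index + 1:]:
        forged.append(mine_block(b["index"], forged[-1]["hash"], b["data"]))
    return forged


def nodes_agree(copies: List[List[Block]]) -> bool:
    """Consensus check in miniature: do all copies end in the same block hash?"""
    return len({c[-1]["hash"] for c in copies}) == 1


if __name__ == "__main__":
    records = ["alice->bob 5", "bob->carol 2", "carol->dave 1"]  # constructed sample data
    honest = build_chain(records)
    print("honest copy valid:", first_invalid_block(honest) is None)
    naive = tamper(honest, 1, "alice->bob 500")
    print("naive edit detected at block:", first_invalid_block(naive))
    forged = rewrite_from(honest, 1, "alice->bob 500")
    print("rewritten copy self-consistent:", first_invalid_block(forged) is None)
    print("other nodes agree with it:", nodes_agree([honest, honest, forged]))
```

The point to take from rewrite_from is that nothing cryptographic is broken: the attacker simply does all the work again, which is expensive on a large public chain and cheap on a private chain whose nodes they already control.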

One company that has taken the initiative in this space is Gospel Technology. Gospel Technology has taken the security of data a step further than simply storing information on a blockchain, they have added another clever layer of security that further enables the safe transfer of information to those who do not have access to the blockchain. This makes it perfect for dealing with third parties or those within organisations who don’t hold permissioned access to the blockchain but need certain files.

One of the issues with blockchains is the user interface. It’s not always pretty or intuitive but Gospel has also taken care of this with a simple and elegant platform that makes data security easy for the end user.  The company describes their product Gospel® as an enterprise-grade security platform, underpinned by blockchain, that enables data to be accessed and tracked with absolute trust and security.

The applications for Gospel are many and it seems that in the current environment this kind of solution is a growing requirement for organisations across many industries, especially with the new regulatory implications of GDPR coming to the fore and the financial penalties for breaching it.

From our point of view as a consultancy in the cyber security space, we see genuine concern and a need for clarity, understanding and assurance among our clients and the organisations we speak to on a daily basis. The realisation that data and cyber security can no longer be taken lightly has begun to hit home. The issue for most businesses is that there are so many solutions out there that it is hard to know what to choose, and so many threats that trying to stay on top of them without dedicated staff is nearly impossible. The good news is that there are good quality solutions available, and with a little effort and guidance and a considered approach to your organisation’s security you can turn back the tide on data security and protect your organisation well.

GDPR & Cyber-threats – How exposed is your business?

Posted on : 28-11-2017 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, Data, data security, GDPR


With the looming deadline approaching for the ICO enforcement of GDPR it’s not surprising that we are increasingly being asked by our clients to assist in helping them assess the current threats to their organisation from a data security perspective. Cybersecurity has been a core part of our services portfolio for some years now and it continues to become more prevalent in the current threat landscape, as attacks increase and new legislation (with potentially crippling fines) becomes a reality.

However, the good news is that with some advice, guidance, consideration and a little effort, most organisations will find it easy enough to comply with GDPR and to protect themselves well against the current and emerging threats out there.

The question of measuring an organisation’s threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end-user computing controls, network access and so on.

The reality is, companies often select the approach that suits their current operating model, or if independent, one which is aligned with their technology or methodology bias. In 99% of cases, what these assessment approaches have in common is that they address a subset of the problem.

At Broadgate, we take a very different approach. It starts with two very simple guiding principles:

  1. What are the most critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify security risks?

Our methodology applies a top-down lens over these questions and then looks at the various inputs into them. We also consider the threats in real-world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  • Top Down – we start with the boardroom. As the requirements to understand, act and report on breaches within a company become more robust, it is the board/C-level executives who need the data on which to make informed decisions.

 

  • Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the boardroom.

 

  • Risk Driven – to conduct a proper assessment of an organisation’s exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider the likelihood and impact from various angles, including regulatory position, industry vertical, threat trends and of course the board members themselves (as attacks are more and more personal by nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and development of strategic security roadmaps.

 

  • Maturity Based – we map the key security standards and frameworks, such as GDPR, ISO 27001/2, the SANS Top 20, Cyber Essentials etc., from the top level through to the mechanics of implementation. We then present these in non-technical, business language so that there is a very clear common understanding of where compromises may exist and of the current maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.

 

  • Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response.

At Broadgate, we have spent years looking into what are the best fit technologies to mitigate the threats of a cyber-attack or data breach and this experience forms a cornerstone of our methodology. Your business can also benefit from our V-CISO service to ensure you get an executive level of expertise, leadership and management to lead your organisation’s security. Our mantra is “The Business of Technology”. This applies to all of our products and services and never more so when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact me at john.vincent@broadgateconsultants.com.

Scammers Go Phishing For Fake News

Posted on : 31-05-2017 | By : richard.gale | In : Cyber Security, Uncategorized


Fake news is everywhere these days. It may seem like a new phenomenon, but the concept of propaganda is not a new one. Stock markets thrive on the latest headlines and traders throughout history have attempted to manipulate markets by releasing information to influence prices. Today fake news combined with social media has changed the game with powerful consequences. This potent combination of false and misleading information online flooding the internet can cause devastating effects to your company and should be something that Information Security departments take seriously. During the US Presidential campaign a false story was propagated which said that Pepsi refused to serve Trump supporters at a rally. The story did a huge amount of damage to Pepsi’s brand and reputation which can be a costly business!

 
Tackling the fake news problem and controlling the flow of fake information in and out of an organisation is a huge task. There are tools already available that monitor network traffic, so it could be possible to extend them to cover external activity on social media sites such as Twitter, Facebook and LinkedIn, and there are companies and products on the market that trawl these sites looking for malicious or misleading links. But technology is only one way of looking at the problem. More important are the other influences that drive our behaviour; it is critical to look at people and at the processes that shape what they do.

 
Trust is the key feature that lets fake or misleading news into an organisation. When a friend or colleague sends you a link, you instinctively trust the information and click on it. The same applies to brands we trust. Take the Microsoft pop-up, a favourite with scammers: a fake alert appears on your screen carrying the Microsoft badge, most people trust the established brand and assume it must be genuine, and the unsuspecting user clicks the box or calls the fake hotline number, triggering a malware event that opens the door for the scammers straight into your organisation.

 
Email is another very trusted means of communication, which makes it a hot spot for scammers looking to harvest your information or get you to click on a malicious link. A popular route is to send emails that pretend to come from the IT department, asking employees to carry out a task such as resetting their password. The employee clicks the reset button, enters their credentials on the scammer’s page, and the scammers are in.

 
Phishing scams are one of the most commonly used ways in which your organisation can be infiltrated. User training which includes sending out a phishing email will find that 10-20% of emails are clicked on each time the test is run. Even after training this stays fairly consistent so alternative ways of dealing with the problem need to be investigated. Some technology firms such as Menlo Security isolate the user from the internet and can capture most of these types of issues.
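As an added example (not code from the original post, nor from any vendor it names), the following Python script checks a raw email for the impersonation signs just described: a display name claiming an internal role from an external address, a Reply-To that diverts replies elsewhere, a sender domain one character away from the organisation’s own, and a link whose visible text shows a different host from its real destination. It assumes the organisation’s own domain is example.com and that a mail gateway can hand it the raw message; both sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr
from typing import List
from urllib.parse import urlparse

# Assumptions for the example: the organisation's own mail domain(s) and the
# roles a phisher typically claims in the display name.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_ROLES = ("it department", "it support", "helpdesk", "service desk", "ceo", "finance")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_in_text(text: str) -> str:
    """The hostname a human would read in the anchor text, if it shows one."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else ""


def message_body(msg: Message) -> str:
    """Concatenate the text parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def phishing_indicators(raw: str) -> List[str]:
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    flags = []

    # 1. Display name claims an internal role, but the address is external.
    if any(role in name.lower() for role in TRUSTED_ROLES) and from_dom not in INTERNAL_DOMAINS:
        flags.append(f"display name '{name}' claims an internal role but sender domain is {from_dom}")

    # 2. Replies are silently routed somewhere other than the apparent sender.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply_addr) != from_dom:
            flags.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")

    # 3. Sender domain is one character away from a domain we trust.
    for target in INTERNAL_DOMAINS:
        if from_dom != target and edit_distance(from_dom, target) <= 1:
            flags.append(f"sender domain {from_dom} is a lookalike of {target}")

    # 4. Link text shows one host, the href goes to another.
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', message_body(msg), re.I | re.S):
        shown, actual = host_in_text(text), (urlparse(href).hostname or "").lower()
        if shown and actual and shown != actual:
            flags.append(f"link text shows {shown} but points to {actual}")
    return flags


# Constructed sample messages (not real mail): one impersonating the IT department, one genuine.
PHISH = "\n".join([
    'From: "IT Department" <helpdesk@examp1e.com>',
    "Reply-To: <support@mail-reset.example.net>",
    "To: alice@example.com",
    "Subject: Action required: password reset",
    "Content-Type: text/html",
    "",
    '<p>Your password expires today. Reset it at '
    '<a href="http://login.examp1e.com/reset">https://portal.example.com/reset</a></p>',
])

GENUINE = "\n".join([
    'From: "IT Department" <helpdesk@example.com>',
    "To: alice@example.com",
    "Subject: Scheduled password rotation",
    "Content-Type: text/html",
    "",
    '<p>Rotate your password at <a href="https://portal.example.com/reset">https://portal.example.com/reset</a></p>',
])

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

None of these checks is conclusive on its own, and none replaces SPF, DKIM and DMARC enforcement at the gateway; they are the kind of cheap heuristics worth surfacing to the user as a warning banner, since the training figures quoted above show that the click rate does not fall to zero on education alone.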

 
These technology options offer some valuable tools to protect organisations but ultimately there is no magic piece of software that can filter out the fake news and ward off the scammers. The only way to deal with the problem is education. Companies need to invest in proper cyber security training for all their employees. The traditional annual training update is not enough. Training needs to be done on a more regular basis with a more modern approach that can produce long term behavioural changes.

 
It is crucial to remember that staff are the front-line defence against the fraudsters and we need to ensure that they are armed with the right knowledge to combat the threat. In a week where we have seen the Governor of the Bank of England fall prey to a fraudster who emailed the Governor impersonating a Bank of England colleague this is no easy task!

Next Generation Security – Finally goodbye to Antivirus

Posted on : 30-09-2016 | By : richard.gale | In : Cyber Security


Over the past two years, the market for what we know as Next Generation Endpoint security tools has doubled each year and looks set to continue in a similar vein for the coming period. Whilst that market represents a current spend of around $500m per annum, this compares, according to IDC, with an estimated $9Bn in the traditional antivirus market.

Though antivirus and endpoint protection have been around for over 20 years, the next-generation endpoint security market, whilst still relatively young, is accelerating very quickly along the growth curve. New start-ups are constantly emerging, moving away from traditional signature-based AV, which is being left to deal only with the “noise”, as a basic hygiene factor or safety net.

So is the traditional AV market dead? Arguably yes. Are many companies taking the plunge and removing their AV endpoint agents in favour of next generation technologies? From what we see, not quite yet.

It is understandable that the switch hasn’t quite reached the tipping point. It takes somewhat of a leap of faith to turn off a security technology that has served us well for decades. Indeed, against a backdrop of technology budgets being reduced overall, except in the areas of compliance, risk and security, there is perhaps no rush (for now).

“Whilst speaking to one of our clients recently, they explained that doubling the 2016 budget for security products was a directive from the top. The fact that physically being able to implement them this year is irrelevant, in fact, they may actually just start again in 2017. They just need to be seen to be doing everything to mitigate risks”

What will change the market, without organisations hiding behind the risk card, will be widespread certification of next generation products as an auditable replacement. If that happens, we can expect businesses to pin their colours firmly to the more effective next generation solution and ditch legacy AV. Note: some vendors are already certified as replacements, on an individual choice and investment basis.

So, in a crowded and somewhat confusing market, who are some of the key players that we expect to emerge as the winners in eating into that $8.5Bn deficit? Let’s take a look at a few;

 

Palo Alto (Traps) prevents security breaches using a number of techniques, including machine learning. It focuses on the core exploitation techniques that any attack must chain together to subvert an application, and renders them ineffective by blocking each one the moment it is attempted.

Broadgate View – “A strong contender, specifically for customers who use, or are thinking about, Palo Alto in the next generation firewall space”

 

Cylance (CylanceProtect) – The architecture consists of a small agent that integrates with existing software management systems or Cylance’s own cloud console. The endpoint will detect and prevent malware through the use of tested mathematical models on the host, independent of a cloud or signatures. It is capable of detecting and quarantining malware in both open and isolated networks without the need for continual signature updates. The mathematical approach stops the execution of harmful code regardless of having prior knowledge or employing an unknown technique.

Broadgate View – “An interesting proposition and one that is gaining a lot of interest in the market. The small footprint, mathematical intelligence based approach and minimal updates needed, make this one to watch”

 

Menlo Security – Lastly, a small word about Menlo. Whilst not strictly an endpoint solution (it falls into the isolation camp), it moves executable content away from the client browser to a secure platform, where it is processed and cleansed of any possible threats before a rendered version reaches the user.

Broadgate View – “We see this type of technology as another key component in the prevent category, which will complement new generation endpoints in the coming years.”

 

Of course, there are a whole raft of others out there, Carbon Black, FireEye HX, SentinelOne, Tanium etc… to name a few.

Whatever your flavour, we’ve reached the tipping point. You might need to say it quietly, but AV is officially now on the endangered species list.

 

There’s no such thing as free Wi-fi…

Posted on : 28-06-2016 | By : richard.gale | In : Cyber Security, Uncategorized


Every day thousands of business travellers arrive at their destination searching for the “free Wi-Fi” sign so that they can stay in touch. What most people don’t realise is that this creates an excellent opportunity for cyber criminals to get their hands on your personal information and sensitive corporate data. We are all familiar with some high profile hacks, Sony and TalkTalk to name just two, but there isn’t a week that goes by without another hitting the headlines. It is all too easy to see cyber security as a problem only for large corporates and not something that we mere mortals have to deal with. An expression very familiar to most cyber security experts is: “why would anyone be interested in me or my information…”

If you have a device with information stored on it, and/or you send information over the internet this is exactly what the cyber criminals are looking for! 

Remember the phrase “one man’s trash is another man’s treasure”!

Why Do Cyber Criminals Want Your Information

So why are cyber criminals so keen to get their hands on your information? They want your personal details, your clients’ or suppliers’ details, your trade secrets, or simply a list of email addresses. All of these are highly valuable when traded on the dark web. A laptop may be worth $600, but if it holds confidential merger plans it could be worth millions of dollars to a criminal or business rival.

Even if you think you don’t have any of this information you may still be of interest.

You may be a target as the weakest link and the way in to a more valuable target further up the supply chain.

How Do They do It?

One of the most common ways for attackers to steal your data on free Wi-Fi is to capture the wireless traffic itself. On an open network there is no encryption between you and the access point, so anyone in range running a packet sniffer can read everything you send that is not separately protected by TLS, and can see which sites and services you are talking to even when it is.

Another popular method used by hackers is to set up rogue Wi-Fi hotspots in areas where large numbers of users are likely to be searching for a connection. These hotspots can use generic names like “free Wi-Fi” to cause trusting users to connect, at which point their personal information can be collected.

The easiest way for thieves to get their hands on your data is to take the device itself. Home Depot and Pfizer both suffered major data compromises through laptops holding confidential information that were left in the back of a taxi. A recent study found that nearly half of all executives have lost a device in the past year, and it is estimated that over 2 million laptops are lost or stolen in the US each year.

It’s nearly impossible to secure against an opportunistic thief or simple forgetfulness, so it’s important to take precautionary steps.

 

 

What Steps Can You Take to Protect Your Devices And Your Information

There are a number of steps that you can take to protect your information when you travel.

Before You Go

Back Up

Back up all the information on the devices that you are required to take on your trip, so that loss of the device is not loss of the data.

Do You Need The Device/Data for the Trip?

Think about the device you are taking and what information is on it. Ask yourself whether you are travelling with data that you cannot afford to lose; if you do not need it on the trip, leave it behind.

Be Suspicious of Emails You Receive

Be especially wary of emails that arrive before you travel and are linked to large international events.

Do Not Post Your Travel Plans on Social Networking Sites

Many CEO email scams, where fraudsters impersonate the CEO’s email to defraud the company, happen while the executives are known to be out of the country.

 

Whilst Travelling

Protect Your Device

Never pack it in the hold, or leave it on a hotel table while you grab a coffee.  If you do need to leave it behind then lock it away in the hotel safe. Always pin code/ password your device. Last year a report found that 50 per cent of executives had lost their device.

Install Anti-Virus Software

There are a number of mobile device security software solutions available. Install on all your devices for added protection.

Disable Bluetooth Access

When you pair a device over Bluetooth the connection stays open once established, and data can flow with little or no further user confirmation. Think of connecting your phone to the Bluetooth in a hire car: the car still lists the previous renters’ phones, and any of those devices that comes back into range can be granted access to its data again. Switch Bluetooth off when you are not using it, and unpair from a hire car or hotel device before you hand it back.

Don’t Use Public Wi-Fi

Public Wi-Fi networks are everywhere these days. Travellers should use them with extreme caution: they are often poorly protected and easily imitated by criminals who set up their own “hotel” networks. A Wi-Fi network name is just a label chosen by whoever runs the access point, so anyone can broadcast any name, including “official hotel Wi-Fi”. Once you connect to a rogue network, its operator sits between you and the internet and can read or alter any traffic that is not separately encrypted. Always verify the exact network name (and ideally the access point’s hardware address) with the hotel, café or airport lounge before connecting. The padlock in your browser’s address bar only tells you that the connection to that particular website is protected by TLS; it says nothing about whether the Wi-Fi itself is genuine. Use a VPN on any public network, and avoid them altogether if you can.
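Both the rogue-hotspot technique described under “How Do They Do It?” and the advice above to verify the network name can be checked mechanically before you connect. As an added example, not code from the original post, the script below parses the terse output of NetworkManager’s nmcli (the assumed format is that of nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi, in which colons inside the BSSID are escaped as \: and open networks show “--” in the SECURITY column). It flags any name offered by both an encrypted and an open access point, flags open networks outright, and compares the access points broadcasting a name against the BSSIDs the venue confirmed. The scan output and the verified list are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set


def parse_nmcli_terse(text: str) -> List[dict]:
    """Parse `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi` output.
    In terse mode nmcli separates fields with ':' and escapes colons inside
    values (the BSSID) as '\\:'; an open network shows '--' under SECURITY."""
    rows = []
    for line in text.strip().splitlines():
        # Split on colons that are not escaped, then unescape the values.
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) != 4:
            continue
        ssid, bssid, security, signal = fields
        rows.append({
            "ssid": ssid,
            "bssid": bssid.lower(),
            "open": security.strip() in ("", "--"),
            "signal": int(signal),
        })
    return rows


def assess_scan(rows: List[dict], verified: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return, per SSID, the reasons not to trust it.

    `verified` maps a network name to the BSSIDs the venue confirmed for it."""
    by_ssid: Dict[str, List[dict]] = defaultdict(list)
    for r in rows:
        by_ssid[r["ssid"]].append(r)

    findings: Dict[str, List[str]] = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        open_aps = [a for a in aps if a["open"]]
        if open_aps and len(open_aps) < len(aps):
            # Classic evil twin: same name as the real network, but no encryption,
            # usually with a stronger signal so devices prefer it.
            strongest = max(open_aps, key=lambda a: a["signal"])
            reasons.append(
                f"same name offered both encrypted and open; open copy {strongest['bssid']} "
                f"at signal {strongest['signal']} looks like an evil twin"
            )
        elif open_aps:
            reasons.append("open network: anyone in range can read unencrypted traffic")
        if ssid in verified:
            unknown = sorted({a["bssid"] for a in aps} - verified[ssid])
            if unknown:
                reasons.append("unverified access point(s) broadcasting this name: " + ", ".join(unknown))
        if reasons:
            findings[ssid] = reasons
    return findings


# Constructed scan output (not a real capture), in nmcli's terse format.
SCAN = r"""
HotelGrand:AA\:BB\:CC\:00\:11\:22:WPA2:78
HotelGrand:AA\:BB\:CC\:00\:11\:23:WPA2:71
HotelGrand:DE\:AD\:BE\:EF\:00\:01:--:92
Free Wi-Fi:DE\:AD\:BE\:EF\:00\:02:--:88
CafeNet:11\:22\:33\:44\:55\:66:WPA2:60
"""

# The two access points reception confirmed for the hotel network (assumed for the example).
VERIFIED = {"HotelGrand": {"aa:bb:cc:00:11:22", "aa:bb:cc:00:11:23"}}

if __name__ == "__main__":
    for ssid, reasons in assess_scan(parse_nmcli_terse(SCAN), VERIFIED).items():
        print(ssid)
        for reason in reasons:
            print("  -", reason)
```

A BSSID can be spoofed too, so a matching hardware address is a weaker signal than a mismatching one; the useful outcome of the check is a reason to refuse to connect, never a reason to trust a network without a VPN.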

Don’t Use Shared Computers

Hotel lobbies often have shared computers with internet access. You have no idea how safe either the machine or the network is, so again avoid using them wherever possible, and never enter credentials on one.

Don’t Do Any Financial/Sensitive Transactions

Take extra precautions whilst connecting to Wi-Fi. Do not send any financial information or business critical information whilst abroad and save it until you are back in the office safely within your secure network.

 

When You Return

Change all your passwords in case they have been stolen.

Look out for any suspicious emails

When The Unthinkable happens – What to Do If Your Data Is Lost Whilst Travelling

Assess – What has happened, what is the potential impact?

If your laptop has been stolen with company data on it, then provided it was password protected and encrypted, and you have the ability to track it and remotely wipe the disk, you are probably in a reasonable position. The cost will be a new laptop, not a new career.

Conversely if you had sent your corporate takeover plans to Dropbox, uploaded them onto your personal un-protected iPad and lost that then the significance of loss is much higher.

Inform – Relevant people about what has happened.

Depending on what has been lost this could be your IT department, management, bank, customers, suppliers, partners, police, insurance firm and potentially shareholders.

Forward looking firms have a policy explaining what to do in this situation with contact and help points. The main point is to make sure relevant people are aware and so can help make the right decisions to minimize the consequences of loss.

Remediate – Resolve the problem as quickly and effectively as possible

Change your passwords immediately. This may help prevent criminals accessing your emails and sensitive information.

Disable the lost device if possible and wipe data from it. Track it and keep law enforcement and your IT department informed.

If you think banking/financial information may be compromised then inform your bank and accounts department.

Monitor activity. It may be useful to explain to customers/suppliers what has happened so they can monitor too. An all too common fraud is to imitate a CFO and give customers new bank account details to send their payments to.

Replace compromised, lost equipment

Review policies and ensure they are communicated and enforced

 

Losing information whilst travelling can be very worrying, but the main thing is not to panic. A clear understanding of how to protect yourself significantly reduces both the worry and the likelihood of loss in the first place.

 

Raising Awareness

The most important tool in the battle against the cyber criminals is awareness. Training is crucial in helping people to understand what the issues are, what is at stake and the simple steps they can take to drastically reduce the risk.

Develop a cyber security culture that becomes a part of everyday corporate life whether in the office or on the road.

Imperva Hacker Intelligence Initiative Report Analyses Hidden Enterprise Risks of Consumer-Centric Malware

Posted on : 27-10-2015 | By : Maria Motyka | In : Cyber Security


As part of its initiative to investigate trending hacking techniques and attack campaigns case studies, Imperva, Inc. has recently released a new cyber security research report: “Phishing Trip to Brazil”.

The document discusses the impact that cyber attacks targeting consumers have on enterprise data security, using a case study of a Trojan that monitored customers’ online banking activity with major Brazilian banks.

“Our research underscores that work life and personal life intersect, and when an employee receives a suspicious email from a vendor they trust, like a bank, they are more likely to open it. Unfortunately, if an employee reads one of these emails on a home computer while connected to an enterprise Virtual Private Network (VPN), they are opening up their employer to a potential attack,” Amichai Shulman, Co-founder and CTO, Imperva

For the purpose of the report, Imperva evaluated 14 different command and control (C&C) servers comprised of more than 10,000 records across almost 5,000 different IP addresses.

Key report findings are as follows:

  • The majority of Trojan infections found took place during office hours, which leads to the conclusion that the infected computers were being used for business.

 

  • At least 17 percent of infected computers were directly attached to enterprise networks, showing the ease with which cyber-attacks targeting consumers still put enterprises at risk.

 

  • Consumer-centric cyber crime used malware that relies on social engineering, sending its victims legitimate-looking e-mail messages containing a link to a zipped file.

 

Imperva is a leading provider of cyber and data security products. The company offers cyber security solutions, which protect business-critical data and applications in the cloud and on-premises.

To discover ways in which Imperva’s products could enhance your company’s security, contact Broadgate Consultants.

A full version of the Phishing Trip to Brazil report is available here.

The security threat: Do you know your real business risk?

Posted on : 31-03-2015 | By : john.vincent | In : Cyber Security


We are asked by our clients increasingly to assist in helping them assess the current threats to their organisation from a security perspective. Indeed, this is now a core part of our services portfolio.

The question of measuring an organisation’s threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end user computing controls, network access and so on.

The reality is, companies often select the approach that suits their current operating model, or if independent, one which is aligned with their technology or methodology bias. In 99% of cases, what these assessment approaches have in common is that they address a subset of the problem.

At Broadgate we take a very different approach. It starts with two very simple guiding principles:

  1. What are the most critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify security risks?

Our methodology applies a top down lens over these questions and then looks at the various inputs into them. We also consider the threats in real world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  1. Top Down – we start with the board room. As the requirements to understand, act and report on breaches within a company become more robust, it is the board and C-level executives who need the data on which to make informed decisions.
  2. Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the board room.
  3. Risk Driven – to conduct a proper assessment of an organisation's exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider the likelihood and impact from various data angles, including regulatory position, industry vertical, threat trends and of course, the board members themselves (as attacks are more and more personal by nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and development of strategic security roadmaps.
  4. Maturity Based – we map the key security standards and frameworks, such as ISO 27001/2, SANS 20, Cyber Essentials etc. from the top level through to the mechanics of implementation. We then present these in non-technical, business language so that there is a very clear common understanding of where compromises may exist and also the current state maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.
  5. Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response. At Broadgate we have spent years looking into what are the best fit technologies to mitigate the threats of a cyber attack or data breach and this experience forms a cornerstone of our methodology.

At Broadgate our mantra is “The Business of Technology”. This applies across all of our products and services, and never more so than when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact myself or kerry.housley@broadgateconsultants.com.

Why is cyber so popular with today’s criminal?

Posted on : 30-01-2015 | By : richard.gale | In : Cyber Security


In a recent interview Manhattan District Attorney Cyrus Vance Jr stated that a third of the crimes his office investigates are now related to cyber crime and identity theft. Cyrus referred to it as a ‘Tsunami’ and it has forced significant changes in the way his department works.

Cybercrime in all its forms is accounting for 200 – 300 complaints per month and is rising fast. Cyber is one of the few areas of crime that is actually rising. Most other types of crime are decreasing, and the same pattern holds in the UK.

So why is cyber crime on the increase, what sorts of crime are occurring, who are the criminals and how do they operate?

Why do criminals carry out cybercrime?

Ease – Carrying out cybercrime is getting easier. There are plenty of tools available, and some of the simplest crimes, such as scam emails purporting to be from your bank or from someone who has lost their wallet abroad, need no special equipment at all. There is still a perception among some consumers that emails carrying the correct logos are official and should be taken seriously. More complex frauds using targeted malware and tools are harder to commit but are becoming widespread, as the value of the theft can be far greater. The ‘cost of entry’ to the cyber market is getting lower and the tools are becoming more prevalent.

Lower sentencing – Traditional crime, especially where violence or threat of violence is concerned is usually severely punished. Cybercrime generally comes under the banner of ‘white collar’ crime and the price criminals have to pay for this can be far lower in the form of lighter/suspended sentences or even just fines. This attracts criminals to the lower risk/reward ratio. Punishment of cybercrime may change as it matures but for the moment it is an easy option.

Higher Risk/Rewards – The average ‘take’ for a bank robbery in the U.S. is $1,200, the sentence for a violent crime can be life. Conversely the average loss for a cyber crime is $4,600 and the likelihood of any custodial sentence is low. In addition the chance of being caught is very low compared to a bank robbery.

Comfort – Traditional crime is weather dependent, burglary rates go down when it is cold and raining (partially due to the lack of open windows but also because burglars dislike going out in bad weather as much as the rest of us). A significant amount of cybercrime can be carried out from anywhere including the comfort of a criminal’s house.

What cybercrimes are popular? How are they carried out?

Hacking: This is a type of crime wherein a computer is broken into so that sensitive, confidential or personal information can be accessed by an unauthorised party. In hacking, the criminal uses a variety of software to enter a person’s computer, and the person may not be aware that their computer is being accessed from a remote location.

Theft: This crime occurs when a third party steals credentials to access data without authorisation and then reuses or sells it. It can also include reproducing copyrighted material such as music, movies, games and software. There are many peer-to-peer sharing websites which encourage software piracy; these get shut down on a regular basis but spring up again very quickly.

Cyber Stalking: This is a kind of online harassment wherein the victim is subjected to a barrage of online messages and emails. Typically, these stalkers fall into two groups: those who know their victims and, instead of resorting to offline stalking, use the Internet to stalk them; and those with no previous connection to the victim except that the victim is in the public eye for some reason.

Identity Theft: This has become a major problem with people using the Internet for cash transactions and banking services. In this cybercrime, a criminal accesses data about a person’s bank account, credit or debit cards and other sensitive information to siphon money or to buy things online in the victim’s name. It can result in major financial losses for the victim and is an increasing overhead for financial services companies.

Malicious Software: These are Internet-based programs that are used to disrupt a network. The software is used to gain access to a system to steal sensitive information or data, or to damage software present in the system. DDoS (distributed denial of service) attacks and malicious encryption tools are often used for extortion purposes.

Child soliciting and Abuse: This is also a type of cyber crime wherein criminals solicit under age children through a variety of mechanisms for the purpose of child pornography. Government agencies are spending a lot of time targeting these types of crime and monitoring chat rooms frequented by children to prevent this sort of child abuse.

Who are the cyber criminals?

Professor Marcus Rogers, Director of the Cyber Forensics & Security Program at Purdue University, has produced a taxonomy of offenders:

Script kiddies: who are motivated by “immaturity, ego boosting, and thrill seeking.” Rogers says they tend to be “individuals with limited technical knowledge and abilities who run precompiled software to create mischief, without truly understanding what the software is accomplishing ‘under the hood.’ ”

Cyber-punks: who “have a clear disrespect for authority and its symbols and a disregard for societal norms.” According to Rogers, “they are driven by the need for recognition or notoriety from their peers and society,” and are “characterized by an underdeveloped sense of morality.”

Hacktivists: who, in Rogers’ estimation, might just be “petty criminals” trying to “justify their destructive behaviour, including defacing websites, by labelling [it] civil disobedience and ascribing political and moral correctness to it.”

Thieves: who are “primarily motivated by money and greed” and are “attracted to credit card numbers and bank accounts that can be used for immediate personal gain.”

Virus writers: who tend to be drawn to “the mental challenge and the academic exercise involved in the creation of the viruses.”

Professionals: who are often ex-intelligence operatives “involved in sophisticated swindles or corporate espionage.”

Cyber-terrorists: who are essentially warriors, often members of “the military or paramilitary of a nation state and are viewed as soldiers or freedom fighters in the new cyberspace battlefield.”

To conclude, cybercrime is a fast growing, multi-faceted problem with new participants entering the arena every day. It will be interesting to see how technology and other commercial organisations approach the problem and how society and government organisations attack the cyber hordes. We will be following this article with our thoughts on how it can be approached in the coming months.

Cyber Warfare: Protection is vital but it’s how you respond

Posted on : 23-12-2014 | By : john.vincent | In : Cyber Security


Last month we wrote an article entitled “Are we heading for a new Cyber Cold war?” – with a focus on the emerging threat from Russia and the fact that it is investing some $500m in recruiting a new online army.

The events since then involving the cancelled release of a film by Sony Pictures, following what the US described as an alleged state sponsored act of “cybervandalism” by North Korea, have certainly elevated the narrative to a new level. It will take months for Sony to assess the complete financial impact. Of course there is the obvious loss of revenue from not releasing the film (it was expected to gross $30m in the first weekend) and millions wasted on marketing…but the most difficult will be the potential cost of a reported 50,000 employees who are suing Sony over leaked personal information.

Whilst President Obama stopped short of calling the attack an act of war, he did label it “very costly”, and it could land Pyongyang back on the administration’s terror list, a designation lifted by the Bush administration in 2008 during nuclear talks.

To balance the argument, we must point to the fact that the infosec world is somewhat wary of the FBI’s accusations that North Korea was to blame for the attack against Sony. In an interview with The Register, the renowned security commentator Bruce Schneier stated:

“I’ve been very sceptical throughout and now I have no idea,” adding that the evidence the Feds had presented so far was “flimsy at best”.

However, putting the “who did what to who” question to one side, what the whole event has highlighted is the importance for all parties, whether nation state or commercial, to have a clearly defined, understood and rehearsed Incident Response process.

On the positive side, unlike some organisations, Sony Pictures Entertainment (SPE) does have a Global Security Incident Response Team (GSIRT) which monitors systems across the business for indicators of compromise. That said, leaked files related to a security audit show that Sony was having to cope with a significant number of potential breaches, with 193 incidents escalated between September 1st 2013 and 30th June 2014. The audit also reported that of a total of 869 systems, some 149 were not being monitored, stating:

“As a result, security incidents impacting these network or infrastructure devices may not be detected or resolved timely.” … “In addition, procedures have not been developed to reconcile the population of security devices that are being monitored by GSIRT to the actual SPE security devices that should be monitored to validate accuracy and completeness.”

So, what should organisations look at in terms of their readiness to deal with the increasing cyber threat? Mandiant, the leading security response organisation (and part of FireEye), identifies a number of areas that companies need to assess, including:

  1. Regulatory Compliance: Do your response strategies support applicable regulatory and legal requirements? This is an increasingly important consideration across all industries. As new regulation emerges to protect customer data off the back of high profile breaches, we can only expect more rigour and oversight moving to the board level.
  2. Organisation: Are staff organised effectively and do they clearly understand their roles and responsibilities during an attack? This is vital. During significant data breaches all staff need to have clarity on how to respond, what the governance process is, who is leading and coordinating activities and very importantly, what the communication channels are.
  3. Training: Do staff have the training they need to respond effectively and efficiently when incidents arise? We take time to ensure that staff are trained on the technical aspects of their job, but we also need to ensure that education on the incident response process is not only performed but also reinforced at regular intervals.
  4. Incident Detection: Does the organisation have the mechanisms in place to rapidly detect an incident? The statistics vary a little, but it is generally accepted that the average time between infiltration and detection is still over 200 days. More importantly, it is estimated that it takes an average of 32 days to respond to a data breach, with the majority of organisations actually being notified by their customers!
  5. Processes: Do you have a clear process for rapidly responding to potential data breaches? We’ve spent many years testing and rehearsing our business continuity and disaster recovery processes for dealing with external threats or infrastructure failures. Organisations need to ensure that the various cyber threat scenarios are added and tested at regular intervals.
  6. Technology: Does the organisation have the necessary hardware and software to respond across the enterprise? Sadly, whilst breaches are often inevitable, there is much that can be done to ensure that the security mechanisms implemented at the technology level are as robust as possible. Indeed, the systems and software to do this have evolved significantly from traditional firewall and perimeter defences. It’s an ongoing process, so if you haven’t assessed your own controls recently then it’s time to do so!

Recent incidents have highlighted how important it is for companies to really understand the risk posed by cyber threats, specifically in terms of what the “crown jewels” are, and the fact that they should be central to any operational risk strategy. We believe it is only a matter of time before companies are required to disclose all breaches and include them in their annual reports (we also expect to see a rise in cyber insurance and a need to demonstrate that adequate controls are in place).

So, as we move into 2015 we can only expect to see more focus on combating the cyber threat.

Broadgate Consultants work with clients to assess their security readiness – if you would like to find out more please contact jo.rose@broadgateconsultants.com.

Are we heading for a new “Cyber Cold War”?

Posted on : 28-11-2014 | By : john.vincent | In : Cyber Security


For a while now the Chinese have been the focal point of attention when it comes to nation state sponsored espionage (and not without reason). However, the latest report from the fastest growing cyber security company, FireEye, delves for the first time into the threat Russia poses in cyber space.

The report looks at a group named as APT28, which FireEye are tracking, and explores how they are organised together with the methods employed. We start with a few key themes from this research.

The first point to note is that the characteristics of APT28 are very different. Unlike the China based threat actors it has tracked, FireEye did not find evidence that the group was interested in widespread Intellectual Property theft or in gaining from stolen financial account information. What they did observe was a skilled group collecting intelligence on defence, espionage and geopolitical issues, with targets that would benefit the Russian government, including:

  • Georgia – Russia potentially seeking to gain intelligence about political and security affairs
  • Eastern Europe governments/military – these targets would provide Russia with valuable insights and an ability to predict policymaker intentions
  • European security organisations – individuals affiliated with these organisations were targeted to provide intelligence, particularly during periods of increased tension

APT28 activity has been observed since 2007, and its tooling has evolved significantly over that period, suggesting a high level of skill within an organised development environment. Over 96% of the malware samples attributed to APT28 were compiled during the working week and within a timeframe which parallels the working day in Moscow and St Petersburg.

Indicators in APT28 malware suggest that the group consists of Russian speakers operating during business hours in Russia’s major cities.

The tools are suggestive of the group’s skills, ambitions, and identity. APT28 is most likely supported by a group of developers creating tools intended for long-term use and versatility, who make an effort to obfuscate their activity. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely a nation state government.
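The working-week reasoning applied to APT28 compile timestamps here, and the Imperva finding earlier on this page that most Trojan infections took place during office hours, rest on the same heuristic: convert each timestamp to a candidate local time zone and measure how much of the activity falls inside a working week. The following is an added example in Python, not FireEye's, Imperva's or Broadgate's code; the timestamps are constructed, and the time-zone offsets, working-hours window and plausibility range are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone, tzinfo

# Added example, not FireEye's or Broadgate's code. Every timestamp below is
# constructed for illustration and is not real APT28 or Imperva data.

@dataclass
class WorkingHoursProfile:
    considered: int  # timestamps that passed the plausibility filter
    discarded: int   # zeroed or out-of-range timestamps (compile times can be wiped or forged)
    in_window: int   # timestamps falling Mon-Fri inside [start_hour, end_hour) local time

    @property
    def fraction(self) -> float:
        return self.in_window / self.considered if self.considered else 0.0

def working_hours_profile(timestamps_utc, local_tz: tzinfo, start_hour: int = 9,
                          end_hour: int = 18,
                          earliest=datetime(2000, 1, 1, tzinfo=timezone.utc),
                          latest=datetime(2020, 1, 1, tzinfo=timezone.utc)) -> WorkingHoursProfile:
    """Measure how much of a UTC timestamp set falls inside a working week in local_tz.

    PE compile timestamps can be zeroed (1970-01-01) or set to an impossible date,
    so values outside [earliest, latest] are counted separately rather than binned.
    """
    considered = discarded = in_window = 0
    for ts in timestamps_utc:
        if not (earliest <= ts <= latest):
            discarded += 1
            continue
        considered += 1
        local = ts.astimezone(local_tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            in_window += 1
    return WorkingHoursProfile(considered, discarded, in_window)

# Constructed sample of compile timestamps as they would be read from PE headers.
SAMPLE_COMPILE_TIMES_UTC = [
    datetime(2015, 3, 10, 6, 30, tzinfo=timezone.utc),   # Tue 09:30 Moscow
    datetime(2015, 3, 11, 12, 0, tzinfo=timezone.utc),   # Wed 15:00 Moscow
    datetime(2015, 3, 12, 14, 45, tzinfo=timezone.utc),  # Thu 17:45 Moscow
    datetime(2015, 3, 13, 15, 10, tzinfo=timezone.utc),  # Fri 18:10 Moscow, just after hours
    datetime(2015, 3, 14, 10, 0, tzinfo=timezone.utc),   # Sat, weekend
    datetime(2015, 3, 16, 5, 0, tzinfo=timezone.utc),    # Mon 08:00 Moscow, before hours
    datetime(2015, 3, 17, 7, 0, tzinfo=timezone.utc),    # Tue 10:00 Moscow
    datetime(2015, 3, 18, 13, 30, tzinfo=timezone.utc),  # Wed 16:30 Moscow
    datetime(1970, 1, 1, 0, 0, tzinfo=timezone.utc),     # zeroed compile timestamp: discarded
    datetime(2015, 3, 19, 8, 15, tzinfo=timezone.utc),   # Thu 11:15 Moscow
]

# Fixed offsets keep the example dependency-free. Real analysis should use
# zoneinfo.ZoneInfo("Europe/Moscow"), because Moscow's UTC offset changed in 2011
# and 2014 and samples dating back to 2007 span those changes.
CANDIDATE_ZONES: dict[str, tzinfo] = {
    "Moscow (UTC+3)": timezone(timedelta(hours=3)),
    "US Eastern (UTC-4, summer time)": timezone(timedelta(hours=-4)),
}

def analyse_sample() -> dict[str, WorkingHoursProfile]:
    """Profile the constructed sample against each candidate time zone."""
    return {name: working_hours_profile(SAMPLE_COMPILE_TIMES_UTC, tz)
            for name, tz in CANDIDATE_ZONES.items()}

if __name__ == "__main__":
    for name, p in analyse_sample().items():
        print(f"{name}: {p.in_window}/{p.considered} in working hours ({p.fraction:.0%}), "
              f"{p.discarded} discarded")
```

The contrast between candidate zones is the evidence, not any single zone's fraction; a set that sits inside working hours in every zone tested tells you nothing about location.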

The report goes into a lot of detail about the mechanisms used by these cyber criminals, the whole “malware ecosystem” and the commonly used tools with colourful names such as Sourface, Eviltoss, Chopstick and Oldbait. It provides a great, although somewhat disconcerting, insight into the techniques.

Of course, not everyone is convinced that there has been a step change in activity, with many IT analysts (particularly in Russia) more inclined to blame the spike in attack reports on the media and on cybersecurity companies exploiting clients’ fears. That said, one of Russia’s foremost experts on domestic security services, Andrei Soldatov, said the pattern of the attacks did indicate a possible state sponsored covert cyber war offensive.

In a twist on this analysis, Russia recently announced that it is actually recruiting for new dedicated cyber-forces in the army, with an upfront investment of US$ 500 million (roughly £315m), according to Sergei Shoigu, Russia’s Minister of Defence.

Among the main tasks of the new division will be monitoring and processing of information coming from abroad, as well as stepping up the fight against cyber threats and attacks. As part of these plans, the Russian government plans to accelerate the training of programmers, mathematicians, engineers, cryptographers, interpreters and other staff, who will be asked to sign a contract for service in the Russian army.

There does seem to have been a shift to unconventional, information based warfare techniques. A recent report by the US Army Special Operations Command on the subject states:

The challenge is hybrid warfare combining conventional, irregular, and asymmetric means, to include the persistent manipulation of political and ideological conflict

The report outlines techniques used across a number of nation states, including Russia, China and Iran, with the latter apparently also mobilising significant resources to weaken adversaries, with the objective of gaining military superiority as well as countering external actions. Indeed, Iran has been blamed for a cyber attack on the Navy and Marine Corps computer networks (as well as for backing the Syrian Electronic Army cyber group).

It seems that the soldiers of the future may well spend less time dealing with the likes of Sergeant Hartman (“Full Metal Jacket”) and more training in the relative comfort of cyber space.