Phil Denham from HBP Systems & Ed Jennison from Rollits LLP presented a dual aspect IT security and employee/employer cyber relations seminar for Humber BizWeek 2016 @ Smailes Goldie in Hull.
“For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe.”
Tim Cook, CEO of Apple
Up to 35% would sell company information (Computing.co.uk)
rollits.com
Employers have a duty to train employees
• Tell them
○ Be vigilant: if something looks strange, be cautious
○ Be aware of spoofing
○ Are you expecting it?
○ Would you expect more/less detail?
○ Do not click the link in an unexpected email
○ Browse on safer devices if possible (such as tablets)
At home …
• Keep anti-virus software up to date
• Ensure your firewall is turned on and up to date
• Keep your devices’ operating system and apps/programs up to date
• Browse using a tablet (only download apps from official app stores: Google/Apple)
• Be cautious!
Browsing at work is not automatically safe just because we keep the security systems up to date. Key in web site addresses; don’t click on links to them.
What if an employee causes a security breach?
What action can be taken?
• Misconduct?
• Incompetence?
• What loss has been suffered?
• Carry out a proper investigation to establish the facts.
• Look at the training record.
• Apply the appropriate sanction following a disciplinary/capability hearing with the employee.
Employee walks out of the door with your most valuable assets:
Customer lists / supplier lists / pricing structure / business strategy /
trade secrets / product information
What can an employer do to protect itself?
• Look at disciplinary rules and procedure whilst in employment
• Look to the contract if an employee quits
• Post-termination restrictions:
○ Must be drafted correctly
○ “No wider than necessary”
○ “Legitimate business interest to protect”
○ Take legal advice before drafting
The 2014 Information Security Breaches Survey from the UK government and PwC found…
These findings are unfortunately supported by almost daily stories of large scale cyber incidents, but we only hear about the stories that are going to grab our attention…
and I’m afraid the scale and rate of these attacks shows little sign of abating.”
And as we can see, the cost of breaches continues to soar…
The number of security breaches has increased, the scale and cost has nearly doubled. Eleven percent of respondents changed the nature of their business as a result of their worst breach.
Nearly 9 out of 10 large organisations surveyed now suffer some form of security breach – suggesting that these incidents are now a near certainty. Businesses should ensure they are managing the risk accordingly.
Despite the increase in staff awareness training, people are as likely to cause a breach as viruses and other types of malicious software.
If 2015 was the year of big breaches, 2016 is set to be the year of bigger problems! As we saw last year, certain attacks touched organisations and people who never thought that they might be involved in such high-profile data breaches.
The Ashley Madison breach affected those who never had direct contact with the organisation, and who certainly never thought they would be involved in such a high-profile incident….
It revealed new levels of negative effect as individuals reacted to having their information put on blast.
Firings, grief, divorce, ruin, and suicide were all over the news, thereby intensifying public scrutiny of many people who had no business relationship to Ashley Madison.
Active-duty members of the military found in the database could be subject to dishonorable discharge—meaning that unemployment and loss of pension are genuine possibilities.
At the same time, technological change continues to disrupt how organizations compete and create value in ways that often alter operating models. Some of today’s most significant business trends— the explosion of data analytics, the digitization of business functions and a blending of service offerings across industries, to name a few—have expanded the use of technologies and data, and that is creating more risk than ever before.
More than 4,000 data breaches (4,236 to be precise) occurred in local councils in a three-year period (between April 2011 and April 2014)
More than 170 law firms investigated by ICO over data breaches in 2014
ALL of the UK's major banks and lenders have reported data breaches in the past two years
Three-quarters of customers would reconsider using a company in event of data breach
Who's to blame for a data breach?
It's a question that everyone has a different answer to. While some, such as Reckitt Benckiser CIO Darrell Stein, are willing to take full accountability for a data breach, others, such as Johnson Matthey CIO Patrick Seeber, suggest that the CISO or CFO ought to be held accountable instead.
TalkTalk CEO Dido Harding: she was accountable because cyber security is a board issue. Mention bounce-back and the difference between SMB and enterprise.
TalkTalk has lost nearly 300,000 customers since it was hit by a crippling cyber-attack in which it admitted that 156,959 customer accounts were compromised.
The company said that the cyber attack knocked off £15m in trading value of the company, with "exceptional costs" for the attack coming in at between £40m and £45m - significantly more than the £35m that TalkTalk suggested the cyber attack would cost back in November.
TalkTalk also saw its share of the home services market fall by 4.4 percentage points, quarter-on-quarter, in terms of new customers - only 1.4 per cent of whom gave reliability as a reason for joining the provider in the last three months, which Choudhary said was well below the market average.
He said there was no doubt that TalkTalk also lost potential customers following the attack, and that if the company was to recover from recent events, it would need to offer more than just good value. Its latest marketing campaign involves offering broadband free to new customers.
For TalkTalk, though, the news has gone from bad to worse: last week, workers at one of its outsourced call centres in India were arrested over allegations of security breaches involving customer records.
Police in India arrested three employees of contractor Wipro who were accused of stealing customer data, which was then used in a bid to scam customers.
The arrests were the culmination of a year or more of complaints from TalkTalk customers over phone calls from scammers who were able to quote account numbers and other details that only an insider would be able to access.
Since then, the company has lost many of its existing customers in the fourth quarter of 2015, with seven per cent of its broadband base - or around 300,000 customers - dumping TalkTalk in favour of a different provider, according to research from Kantar Worldpanel ComTech.
Imran Choudhary, consumer insight director at the research firm, said that BT appeared to be the biggest winner, picking up as many as 40 per cent of the customers who left TalkTalk. "Customers have lost faith in TalkTalk as a trustworthy brand," he said.
Especially as so many people are gearing up for the IoT.
By now, the Internet of Things (IoT) needs no introduction. This ecosystem of Internet-connected devices, operational tools and facilities is poised to soar in the coming years. The industry anticipates exponential growth over the next five years. Gartner forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day.
Most organizations understand that the Internet of Things will bring enormous advantages but also increase risks to data security and privacy.
In the coming years, new vectors of access to IT and operational systems will be exposed as more businesses deploy connected sensor-based devices and machine-to-machine technologies. This type of equipment typically lacks the fundamental security safeguards of traditional enterprise IT, potentially enabling threat actors to penetrate an organization’s systems and exploit data, disrupt operations and compromise the integrity of products and services.
Encryption is the only way to keep information safe
Encryption is getting attention from news headlines like these stories, and from high-profile hacking. C-level executives and board members now understand the importance of data privacy and of protecting corporate proprietary information from hackers and other adversaries, even from governments’ prying eyes.
Encryption has been in the press a lot recently (Apple vs FBI). Encryption has always caused debates: do I have access, do I not have access? That is crypto, and it goes back as far as Julius Caesar.
The idea is to keep something secret, and nothing has really changed since then.
Encryption is a dual-purpose technology. It can be used for good and for bad. If, however, you reduce the capability of one actor, you reduce it for both. #nobackdoor – check the Sophos blog.
If surveillance manages time and again to seem like a white knight after terrorist incidents, encryption is often the dragon.
In the days after the Paris attacks, various encryption-related debates were back, despite evidence that encryption played no role in the terrorists’ planning. The United Kingdom was already dealing with rushed calls by legislators for Internet providers and social-media sites to provide unencrypted access and/or backdoors to encrypted communications to law enforcement and spy agencies.
By the end of the year some American legislators were making similar calls, stating that law enforcement is unable to access necessary data. Those arguments were countered by equally venerable arguments by crypto experts about the certainty that backdoors—or, worse, giant stores of unencrypted data—are a recipe for unwanted, sustained, and ultimately catastrophic attention from attackers.
One hardware manufacturer left an entire market rather than bend to government demands for unfettered backdoor access, as BlackBerry prepared to leave the Pakistan market at year’s end rather than expose its BlackBerry Enterprise Service (BES) traffic to wholesale traffic monitoring.
#NOBACKDOORS – Sophos believes:
Encryption protects the fundamental rights individuals should have to privacy and security
Encryption is essential for effective cybersecurity
Encryption is vital for our modern, Internet-driven global economy
Governments should not undermine the effectiveness of legitimate technology
But there is of course another way round encryption… anyone? End users… that’s right. Why bother trying to hack into the devices when you could just pay off an end user to give you the data? How much do you think people would sell their data for? 100k, 50k?
End users… and the survey showed…
It found that 35 per cent of employees would be prepared to sell company information for "the right price". And, of those, three per cent would consider selling out their organisation for just £100. Eighteen per cent, meanwhile, would flog the information for £1,000 and 29 per cent for £10,000.
Even more shameless - and cheap - is the one per cent who said they'd sell it to persons unknown for just £100. No wonder companies say the biggest security risk is people, rather than technology!
But we see so many examples, time and time again, where weak passwords and the mistakes of poorly educated users lead to major security incidents.
To demonstrate how bad people are at creating secure passwords, a password management company called SplashData has just released a list of the 25 worst passwords used in 2015, and it’s not pretty.
SplashData created its list of worst passwords by counting up the most common passwords out of over 2 million passwords leaked in the past year.*
And just like every year since 2011, when SplashData first released its list, the top two most common passwords (and therefore, the worst) are “123456” (#1) and “password” (#2).
Social engineering – There is no patch for human stupidity!
Like footprinting, this is a very big aspect of hacking these days; it’s not something people can teach, but more a case of ‘practice makes perfect’.
I love the phrase ‘there is no patch for human stupidity’; while I agree, it has zero to do with social engineering, as it would make you think only stupid people get socially engineered….
Everybody at some point in their life has been socially engineered; we experience it all the time, it is not a new concept.
It comes down to how humans are built: we have this very complex and rational side to us that does risk assessments to determine whether we should do something or not… that works fine… but we also have these very prehistoric, very strong emotions that will sometimes flare up, and when they do, they outweigh the rational and logical side of our brain.
The way social engineering works is that I want you to think emotionally, not logically. This doesn’t mean I have to make you angry or mad or happy with me; I can use any emotion you have, and if I can make you think emotionally, I can socially engineer you….
For the guys… how many of you, when you were younger, went to a bar and bought a drink for a girl you knew you had zero chance with, but bought her a drink anyway? You were socially engineered.
Women, just like my wife: how many times do you go shopping and there is a sign for BOGOF, you had no plan to buy that to begin with, but it’s such a good deal that you can’t pass it up? That’s social engineering.
They are just knee-jerk reactions…. I’ve been socially engineered, everybody has been socially engineered, and we will continue to be in the future. We just have to understand when our emotions are taking over, be aware of this when someone tries to socially engineer us, and try to think logically rather than react with a knee-jerk.
Volume & Quality increasing
More and more of the same – not just the volume but also the quality is increasing, alongside the techniques utilised in targeted attacks.
To represent this, I want to introduce threat counters….
Suspicious samples analysed – Malicious URIs published – Suspicious Android apps analysed – Spam messages analysed
The war against cybercrime is a war of attrition; there is no silver bullet for protection. Sophos is perfectly positioned to provide in-depth, layered, unified security.
[But what does cybercrime really entail?]
BREACH
With the great variety of potential vulnerabilities in any IT system, there is a similar diversity in the often highly technical and innovative mechanisms used to exploit them. Although attackers continue to develop novel techniques to exploit vulnerabilities, attackers are ultimately successful due to an unfixed flaw, misused feature or user error. Some types of attack are much more obvious or easier to detect than others. DDoS attacks are often quickly noticed by system users, as they struggle to access or simply cannot use the targeted service. On the other hand, most malware is designed to be stealthy, hiding from users and detection mechanisms alike.
Preventing, detecting or disrupting the attack at the earliest opportunity limits the business impact and the potential for reputational damage. Once the attacker has consolidated their presence they will be more difficult to find and remove.
Breaking the attack pattern
Even though it’s normally the most motivated attackers who have the persistence to carry out multiple stage attacks, they will frequently do this using commodity tools and techniques, which are cheaper and easier for them to use. So putting in place security controls and processes that can mitigate these will go some way to making your business a hard target. Equally, adopting a defence-in-depth approach to mitigate risks through the full range of potential attacks will give your business more resilience to cope with attacks that use more bespoke tools and techniques.
Reducing your exposure using essential security controls
Fortunately, there are effective and affordable ways to reduce your organisation’s exposure to the more common types of cyber attack on systems that are exposed to the Internet. The following controls are contained in the Cyber Essentials, together with more information about how to implement them:
• boundary firewalls and internet gateways - establish network perimeter defences, particularly web proxy, web filtering, content checking, and firewall policies to detect and block executable downloads, block access to known malicious domains and prevent users’ computers from communicating directly with the Internet
• malware protection - establish and maintain malware defences to detect and respond to known attack code
• patch management - patch known vulnerabilities with the latest version of the software, to prevent attacks which exploit software bugs
• whitelisting and execution control - prevent unknown software from being able to run or install itself, including AutoRun on USB and CD drives
• secure configuration - restrict the functionality of every device, operating system and application to the minimum needed for business to function
• password policy - ensure that an appropriate password policy is in place and followed
• user access control - include limiting normal users’ execution permissions and enforcing the principle of least privilege.
If your organisation is likely to be targeted by a more technically capable attacker, give yourself greater confidence by putting in place these additional controls set out in the 10 Steps to Cyber Security:
• security monitoring - to identify any unexpected or suspicious activity
• user training, education and awareness - staff should understand their role in keeping your organisation secure and report any unusual activity.
Mitigating the survey stage
User training, education and awareness
Mitigating the delivery stage
Malware protection, firewalls and proxy servers. Technically enforced password policy, secure configurations of systems
Mitigating the breach stage
Patch management, malware protection within the gateway, gateway configuration, UAC, user training and awareness
Simple IT controls.
Visibility – using the tools you have in place.
Configured things correctly? Build the house – but you still have to remember that there is some idiot in the house that can leave the keys in the door.
Senior management
Educate
Think before you click
Verify the call – check
Passphrases not passwords – you don’t need leet speak to have a good password.
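To put the "passphrases, not passwords" point and the SplashData worst-passwords finding into a checkable form, here is an added example of the deny-list and strength check a password policy needs; it is not code from the talk, Rollits, HBP Systems or Sophos. It scores a leet-speak mangling of a dictionary word as the cheap rule variation a cracking tool treats it as, and a multi-word passphrase per word. Only "123456" and "password" come from the talk; the other deny-list and dictionary entries, the 11-bits-per-word figure and the 40-bit threshold are constructed assumptions.

```python
import math
import re

# Constructed deny list; "123456" and "password" are SplashData's top two (from the talk).
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "football"}
# Constructed mini dictionary standing in for a cracker's wordlist.
WORDLIST = {"password", "football", "dragon", "monkey", "welcome", "letmein"}
# Leet-speak swaps; cracking tools try these as cheap rules, so undo them first.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
LEET_CHARS = set("013457@$")
WORD_BITS = 11.0  # assumption: each word drawn from a ~2000-word vocabulary


def normalise(pw):
    """Undo leet-speak and case so 'P@ssw0rd' is compared as 'password'."""
    return pw.translate(LEET).lower()


def charset_bits(s):
    """Bits per character if each character came from the classes present in s."""
    size = 0
    if re.search(r"[a-z]", s): size += 26
    if re.search(r"[A-Z]", s): size += 26
    if re.search(r"[0-9]", s): size += 10
    if re.search(r"[^a-zA-Z0-9]", s): size += 33
    return math.log2(size) if size else 0.0


def estimate_bits(pw):
    """Rough guess-count in bits under a simple rule-based cracking model."""
    words = pw.split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * WORD_BITS          # passphrase: scored per word
    m = re.match(r"[a-z]+", normalise(pw))
    if m and m.group(0) in WORDLIST:
        base_len = len(m.group(0))
        # dictionary word + mangling: one bit per leet swap, suffix by charset
        swaps = sum(1 for c in pw[:base_len] if c in LEET_CHARS)
        tail = pw[base_len:]
        return WORD_BITS + swaps + len(tail) * charset_bits(tail)
    return len(pw) * charset_bits(pw)          # no structure found: brute force


def check_password(pw, min_bits=40.0):
    """Policy check: deny-listed (even in leet-speak) or too few estimated bits."""
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        return False, "rejected: on the common-password deny list"
    bits = estimate_bits(pw)
    if bits < min_bits:
        return False, f"rejected: about {bits:.0f} bits, below {min_bits:.0f}"
    return True, f"accepted: about {bits:.0f} bits"


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd", "F00tb4ll!", "correct horse battery staple"):
        print(f"{pw!r:32} -> {check_password(pw)[1]}")
```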