Tuesday, 6 December 2016

Cyber security in 2016 – why is it still not happening? [Link - ITProPortal]

I was asked to write an article reviewing the cyber security challenges for 2016. Here is the article that was published on the ITProPortal website:


It's 2016, and businesses are generally still not taking security seriously.


Perhaps the surprising, and damning, thing about 2016 in terms of security is that businesses are generally still not taking security seriously. Nobody wants to admit to being slack when it comes to cyber security, but the indisputable fact is that during 2016, many organisations simply didn’t show up, whatever they claimed.  

The basics are still not being done. Updates aren't being applied, patching strategies are not in place, admin credentials are easy to find. Let's be blunt: people are still trying to do security on the cheap, using, for example, free antivirus software. This was most evident in the amount of ransomware that infected companies.

A Trend Micro report claimed that 45 per cent of UK businesses were hit by ransomware this year. We believe the figure is much higher, closer to 60 or 70 per cent. 

Ransomware scourge

In the US, hospitals have paid massive amounts of money when their databases have been encrypted by ransomware. The Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom for the decryption key for patient data. It was infected by the delivery of an email attachment disguised as a Microsoft Word invoice. In the UK some hospitals had to cancel operations.  

Hundreds of planned operations, outpatient appointments, and diagnostic procedures were put on hold at multiple hospitals across Lincolnshire.  The damage done by ransomware in 2016 is largely attributable to the infamous Locky and its many variants. It was first identified in February and made it to the top of the ransomware charts only two weeks later. 

It initially used malicious macros in Office documents to infect its victim's computer, and these documents were distributed attached to spam emails. Locky has been through several versions since then. A new version was released on October 24, and less than 24 hours later yet another version was launched. It's carried through phishing campaigns, and the email subjects are centred on pay cheques, receipts, invoices, orders, or wrong credit card charges, all of which are themes designed to fool recipients into opening attached files.

Heads in the sand

In a sense it’s staggering that people are still falling for these tricks, given the exposure about ransomware dangers. There still seems to be a general mindset that ‘it will never happen to me’, when it clearly is happening to lots of businesses and individuals.  It’s frustrating because basic security measures offer protection. Being on the front line we tend to get a good sense of what is happening on the ground and it can be best summed up with the phrase ‘blind panic’ when a company is hit.  

But this lack of awareness, or ‘head in the sand’ scenario, is also playing out across other areas. Security in 2016 can also be defined by the large number of replay attacks that have taken place. Ransomware is included in this but it’s not exclusive. Yahoo is perhaps one of the biggest culprits. 

In 2012, a security breach exposed 450,000 usernames and passwords from a site on the huge web portal with the company failing to take even basic precautions to protect the data. Two years later it happened again with 500 million account details stolen.

Enormous DDoS attacks

Yahoo cried 'state-sponsored actor' in its defence, but clearly it's still not adequately protecting its customer data. This defence is usually code for 'don't blame us, it was a really sophisticated attack'. And Yahoo only came clean in 2016. These serious errors are clearly an illustration of some fundamental flaws at the online giant. Is it any wonder that it's gone from an operation worth close to $100 million at its peak to today's valuation of $4.8 million?

Another large 2016 security event, which ironically few noticed at the time, was the largest DDoS attack recorded, a whopping 540Gbps directed at public-facing websites belonging to organisations affiliated with the 2016 Rio Olympics. These attacks were sustained, sophisticated, and actually started months before the Olympics began.

These attacks were clearly aimed at the global stage and foreshadowed the equally massive IoT botnet based DDoS attacks which, in contrast, caught the attention of the mainstream media because they were launched from compromised everyday household devices such as internet connected video recorders and cameras.  

Plundering millions

The industry at large has been warning about the parlous state of IoT security for some time, but it seems no one really wants to listen until an attack hits home and hurts bank balances.

The hack of Swift's global payments network that resulted in $81 million being siphoned from Bangladesh's central bank was also noteworthy due to the huge amounts of money involved. Hackers also exploited the Swift system to steal a reported $10 million from an unnamed bank in Ukraine, while back in Bangladesh an eye-watering $1 billion cyber theft was only stopped when an eagle-eyed employee spotted a typo.

In an ironic way it’s almost fitting that a hack to see out 2016 was the attack on Tesco Bank. The company was forced to repay £2.5 million of losses to 9,000 customers in a heist described as ‘unprecedented’ by regulators. It may seem small when compared to the Swift system hacks but there’s worrying significance that the company apparently ignored warnings that its vulnerable software was being targeted by cyber criminals for months before the attack. What is just as shocking is that the bank didn’t even encourage two-factor authentication for its customers. 

How many more financial organisations are going to be nailed by cyber thieves before the message gets through? If the EU General Data Protection Regulation, which is due to come into effect in 2018, had already been in force, Tesco could have been hit with a fine of up to £1.9bn. And who could say that Tesco and other organisations with terrifyingly lax cyber security wouldn't deserve it?

Monday, 5 December 2016

Cyber-security in 2017 – brace yourself [Link - ITProPortal]

I was asked to gaze into my crystal ball and write a piece around the Cyber Security challenges for 2017.  Here is the article as it appeared on the ITProPortal website: 


If there’s one thing you can say with certainty about cyber-security in 2017, it’s that many companies are going to fail because they are simply not doing the right thing. Fundamental flaws still exist.


It's about the business

Until the technical people lift their heads up and see that security and business are different sides of the same coin, we will inevitably see more damaging attacks. When security people learn to speak in the language of business they will begin to understand just where in the organisation they need to apply their expertise. 

This might be smart configuration options, cautious security policies, vigilance and a willingness to read server logs like some people read the newspaper in the morning to identify targeted attacks.  

Of course, this won't stem the malware tsunami, but it will help defend against it. Leading the malware charge in 2017 will be ransomware. Like 2016 it will be more of the same, with an important and fundamental exception: ransomware will be more sophisticated.

Advanced attack vectors

Encryption keys are becoming more complex while ransomware attack vectors are becoming alarmingly advanced. Ransomware can mount previously mapped drives, encrypt them, and then unmount them, reaching deeper into the network.  

However, the efficiency of ransomware as a tool for fraud will also be slowly undermined. One misconception about ransomware is that once the ransom is paid, the victim receives the keys to unlock their files. Increasingly we are seeing instances of this not happening. The fraudsters are simply taking the money and running.

Criminals dumbing down

As ransomware is now available as-a-service, it is reaching down into the lower levels of the criminal underworld and organised crime networks. The type of villain who uses the ‘service’ might have previously been involved with keeping crooked books for instance.

As such they can’t be bothered to send decryption keys which of course will erode the value of ransomware as victims increasingly refuse to pay the ransom.

IoT security

Another major area of concern is the security of IoT devices. It’s fair to say that the existing state of device security isn’t great. Some devices are managed by web consoles that don’t even have encryption. Some devices have passwords hard coded into them that you can’t change. It would be good to see manufacturers take some responsibility but this is unlikely as they operate with tight margins and are unlikely to take on tasks that eat into thin profits. 

If we’re lucky, we will see the emergence of pressure groups consisting of industry vendors and third parties who are no longer willing to sit back and watch major hacks unfold. 

Questioning machine learning

Another area to keep an eye on is machine learning. As with any new technology it’s usually proclaimed with a loud fanfare and over exaggerated claims that often fall just short of guaranteeing freedom for all and world peace. In terms of security, machine learning does promise a lot of potential but when you drill down some serious questions need to be asked.  

In 2017 we're likely to see these questions put forward with some force, as it becomes apparent that machine learning in the security realm has flaws. For instance, how are the machines learning? Are millions of good and bad results being fed into the machine to ensure accurate analytics? And what kind of input is coming from security labs and research teams?

These are important questions, and with the advent of next-generation endpoints, such as mobile devices and laptops designed to respond to machine learning, security in depth is vital to ensure success. If machine learning vendors can't answer these questions with confidence, then you can expect to see machine learning and security take a dive.

Shock of GDPR

An area where you can expect to see panic break out is the European Union's General Data Protection Regulation, or GDPR as it's more commonly known. At the moment UK organisations are displaying naivety towards GDPR, which comes into effect in May 2018. Many are hiding behind Brexit and taking the view that the UK won't be in the EU come May 2018, so GDPR won't affect them. However, if a business operates in Europe, it will.

To meet GDPR requirements, measures need to be put in place in 2017. Many companies have already finalised budgets for 2017 but haven't made any provision for GDPR. With no budget provision, there's going to be an awful lot of flapping when companies realise that they're nowhere near compliance ready.

Big fines, big panic

GDPR also reaches up to the board and any data breaches can result in enormous fines of up to 4 per cent of revenue. This can and will translate in some cases, to fines that run into millions of pounds. Are executive directors aware that if they show negligence in protecting customer data they’re going to be hit really hard?  

In summary, it would be uplifting to say that we’re not going to see any more major breaches, that fundamental flaws will be addressed, that new technologies are going to change the security landscape for the better and everyone is set for GDPR. In reality, while we will see some positives we also need to prepare our businesses for more breaches and more hacks. 

Tuesday, 8 November 2016

Trump or Clinton? DDoS or Protection? Who will be the winner?

In a recent blog post by Arbor Networks, it was shown that DDoS attacks increase significantly during global events.

With the Presidential election in the United States happening in a matter of hours, will we see another significant, sustained attack on major websites, such as US media sites, political parties' websites, etc.?

I suspect we will, but much like the US election, we won't know who wins for a couple of days.

We can only hope that these sites have adequate protection from such an attack.  As for the election, we'll see...

Thursday, 3 November 2016

How businesses can protect Office 365 from ransomware attacks [Link - MTI Bytes]

After a recent webinar from Chris Taylor, Director of Product Marketing from Trend Micro around Ransomware, I created a blog post around this: https://www.mti.com/mtibytes/how-businesses-can-protect-office-365-ransomware-attacks/


In the last year, businesses have seen a large increase in ransomware threats. The Guardian recently reported that 54 per cent of businesses have been threatened with ransomware in the last 12 months alone. When we consider the money that can be made from a career in cyber crime, this is hardly surprising.

Ransomware refers to malicious software (malware) which is designed to block access to a computer system until a sum of money is paid.

But how can you protect your cloud environments from it? In a recent webinar, Chris Taylor, Director of Product Marketing, Trend Micro, looked at exactly that:

How does malware work?

Email is a common method that attackers will use to infect their victims, most often businesses. The malware is embedded in an email either in the form of a web link in the body of the text, which vulnerable users click on, or as a link within the attachment.

It is becoming increasingly common for malware to be laced within documents in email attachments. Embedded JavaScript within the text encourages users to unknowingly click, starting the download of malicious software. It can be more difficult to detect the malware via the email attachment, as it could be compressed within a common office file, such as a CV from a job-hunter or an invoice, which seem convincing.

Prevention is better than cure

There are a number of recommendations that can be made, such as always back up your system, make sure it's fully patched and train users not to open suspicious attachments. However, there are opportunities to stop many ransomware attacks before they even get to that point. The best way is to block ransomware before it has a chance to reach users. There are certainly remediation measures that can come in and save the day should the worst happen, but these can take up a lot of the IT team's time.

What can businesses do to protect their Office 365 environment?

Office 365 includes anti-spam and anti-malware protection, which blocks all known malware. But the majority of malware is unknown, as criminals are increasingly using automated tools to change their malware to beat the system.

In order to remain one step ahead of threats, businesses can implement advanced threat protection, which looks for malware in different ways, checks for malicious URLs in attachments as well as in the body of emails, and provides full data loss protection.
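As an added illustration of the delivery patterns described in the two sections above (links in the body, links or scripts inside attachments, scripts hidden in a compressed "invoice"), here is a small mail-triage script. It is example code written for this post, not part of Office 365, Trend Micro's product or the original article; the e-mail it inspects is constructed inline, and the file-type lists are assumptions about what a defender would want flagged.

```python
"""Triage one inbound e-mail for the ransomware delivery patterns discussed above.

Added example, not part of the original post. The sample message, its zip
attachment and the example.invalid addresses are all constructed here.
"""
import io
import re
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Assumed watch-lists: script types a finance team never legitimately receives,
# and Office formats that can carry macros (legacy .doc/.xls included).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".doc", ".xls"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _extension(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = (name or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def triage_message(raw_bytes):
    """Return a list of findings for one raw RFC 5322 message (empty = nothing flagged)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            # Body text: record every link the reader is being steered towards.
            if part.get_content_type() in ("text/plain", "text/html"):
                for url in URL_RE.findall(part.get_content()):
                    findings.append(f"link in body: {url}")
            continue
        ext = _extension(filename)
        payload = part.get_payload(decode=True) or b""
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"script attachment: {filename}")
        elif ext in MACRO_EXTENSIONS:
            findings.append(f"macro-capable document: {filename}")
        elif ext == ".zip":
            # Compressed lure: look inside for a script under a document-like name.
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for inner in zf.namelist():
                        if _extension(inner) in SCRIPT_EXTENSIONS:
                            findings.append(f"script inside archive {filename}: {inner}")
            except zipfile.BadZipFile:
                findings.append(f"corrupt or disguised archive: {filename}")
        # Links embedded in the attachment itself (the "link within the attachment" case).
        for url in URL_RE.findall(payload.decode("utf-8", "ignore")):
            findings.append(f"link inside attachment {filename}: {url}")
    return findings


def build_sample_invoice_lure():
    """Constructed sample: an 'overdue invoice' mail whose zip hides invoice.js."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice 2016-1187 overdue"
    msg.set_content("Please review the attached invoice or view it at http://example.invalid/invoice")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// placeholder text standing in for a script\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_invoice_lure()):
        print(finding)
```

On the constructed sample the script reports the body link and the JavaScript file hidden inside the zip, which is exactly the pair of signals the sections above say a gateway should be looking for.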

To set up a free evaluation of your Office 365 protection, email ukmarketing@mti.com

Saturday, 22 October 2016

VMworld 2016 Europe - Barcelona

After a number of years of meaning to go, I have finally attended my first VMworld. As the recent strategy is to incorporate security into VMware solutions, it makes sense that my years in the security field would finally coincide with the virtual world.

I attended with my friend and work colleague, Anthony Poh, who runs this blog dedicated to all things virtual: https://thevirtualunknown.co.uk/

The experience was incredibly valuable from a work front.  VMworld allowed me to meet and engage with some very high level executives, allowing me to honestly share our thoughts, challenges and ideas.  I got the opportunity to attend a number of roundtables with my peers from across the world and understand where they are at.

It also led to me being asked to participate in a Q&A session around MTI's strategy and approach to VMware NSX. It meant going on stage in front of 400-500 people and being quizzed about what we do, which led me to write a LinkedIn post about it: https://www.linkedin.com/pulse/stage-fright-presence-andrew-tang

My only criticisms of VMworld are the amount of walking between the breakout sessions, Solution Exchange and lunch. While I'm talking about lunch, it would have been good if there was enough to feed everyone who attended.

Despite these issues, the value from attending outweighs the minor niggles, and I hope to enjoy VMworld Europe again in 2017.

Below is a transcript of my LinkedIn post:


I've just got back from my first VMworld in Barcelona. I had no idea of the scale, content and knowledge available in one massive conference centre, predominantly around one vendor.

My world has been IT Security for over a decade, with little appreciation that virtualisation is on a completely different scale in IT minds. I would have been very lost were it not for my colleague and friend, Anthony Poh, who is much more experienced in all things VMware and VMworld!

I was asked to attend a Q&A session at one of the Partner Exchange, which turned out to be Accelerate Network Virtualization presented by Rajiv Ramaswami, EVP and GM, Networking and Security at VMware; Dom Delfino, VP of Worldwide Sales and Systems Engineering, Networking & Security at VMware; and Louise Ostrom, VP Network & Security, EMEA at VMware.

I felt like a little-known support act to some of the greatest artists in the world, worried that what I had to say in front of other partners and vendors wouldn't be of interest and value, but once I got the chance to get my thoughts straight, I realised that MTI had a lot to offer and I was comfortable talking about it on a big stage to an audience of a few hundred people.

The confidence of being on stage came from a familiarity of the topic, rather than memorising a script. I was able to show that MTI is a solutions and service provider in Europe; having offices in the UK, Germany and France, providing Datacentre, Security and Managed Services. We discussed MTI's adoption of VMware NSX and how NSX is the foundation to some of our offerings with integration to our key security partners in Trend Micro and Palo Alto.

Like life, the presentation wasn't scripted and, equipped with my new found confidence, I hope I get the opportunity to do some more in the future!

Tuesday, 27 September 2016

CLOUDSEC takeaway – Cyber security is not just an IT issue [Link - Trend Micro Blog]

After attending CLOUDSEC 2016, I was asked to create a guest blog on the Trend Micro blog site, including standout statistics and take-away lessons: http://blog.trendmicro.co.uk/cloudsec-takeaway-cyber-security-is-not-just-an-it-issue/


With a fantastic turnout at CLOUDSEC 2016, attendees comprised security and IT practitioners from numerous industries. Despite these varying sectors, one thing became abundantly clear: the same issues are keeping IT security professionals awake at night – securing cloud environments, securing privileged access accounts and user education.

Many enlightening statistics were shared. Trend Micro’s research found that in the last two years, 44% of UK businesses were hit by ransomware attacks, and a third (33%) of their employees were affected by the infection. We also heard that over $2.3 billion was lost to phishing attacks over the past three years (FBI), though the real figure is likely to be higher.

While this makes the somewhat abstract world of cyber threats very real indeed, if there’s one point to take away from CLOUDSEC, it’s that cyber security isn’t just an IT issue. When the entire workforce is educated around safe IT usage, the chance of a business network being hacked is significantly reduced.

Everyone needs best practice training 

Organisations can defend against cyber-attacks; they don’t have to be victims. While in any organisation the CIO ultimately takes responsibility for cyber security, the rest of the organisation needs to accept responsibility too and not just shrug their collective shoulders. Regardless of seniority, companies should invest in best practice training when using a corporate network.

Best practice knowledge should percolate through the entire organisation from board directors, to employees and IT people involved in daily operations. It should explain why businesses have approved channels for storing data, the risks of using personal cloud storage platforms for data storage, and the need to question email content if it arouses suspicion – even if it’s from the CEO’s office.

Employees must understand the importance of cyber defences within the context of the business and how to safeguard against internal and external intrusions. Are they aware of the importance of setting difficult to crack passwords, as well as understanding that password variations of existing passwords are a source of vulnerability when used in other parts of the network? Do they know that in the last six months or so, ransomware attacks have spiralled as ransomware-as-a-service kits became commonplace on the dark web?

Serious business implications

The whole organisation must realise the possible business implications of a major hack – spiralling revenues, lost customers and plummeting share price, and this could all happen well after the event. Furthermore, jobs could be on the line if declining income hits the business badly.

Despite the growing evidence suggesting otherwise, many organisations still believe they won’t be hacked. With that said, however, if cyber security education is a part of the organisational culture, the chances of a serious breach are dramatically reduced.

Wednesday, 21 September 2016

The Right Train of Thought [Link - Computing Security]

I was asked to contribute to an article for Computing Security, focusing on how an effective cybersecurity strategy must include employee training: http://www.btc.co.uk/Articles/index.php?mag=Security&page=compDetails&link=7074


Any effective cybersecurity strategy should include information about how employees can safeguard against not only external threats but insider threats too, cautions Andrew Tang, service director, security, MTI Technology. "It also needs to include perimeter protection, but, as companies are increasingly working with cloud-based solutions, remotely and from various devices, it also needs to be sophisticated and fool-proof. Companies should invest in training all employees, regardless of seniority, on best practice when using a corporate network.

"Staff should understand how to protect against internal and external intrusions, as well as how to stay safe when accessing and sharing sensitive corporate data, opening emails from non-trusted sources and why businesses have approved corporate channels for storing data. It shouldn't just be a case of setting procedures and guidelines; staff should understand the consequences and risks of misuse or misjudgement when accessing corporate networks," he says.

"Employees should also be educated on the importance of password setting, as those that use a variation of the same password across different platforms leave the network vulnerable to attack. IT can also implement two-way authentication to add an extra layer of protection," adds Tang. "While the CIO should ultimately be responsible for implementing and monitoring employee guidelines and policies around cyber security, they should work closely with the HR team and heads of departments to ensure that safe computer usage becomes company culture. When a workforce is educated around safe IT usage, the chance of a business network being hacked is significantly reduced."