Wednesday 23 December 2015

Cyber security in 2016: Cyber extortion, data breaches and legal reform [Link - v3]

My comments around Cyber extortion were used in an interesting article for v3.

http://www.v3.co.uk/v3-uk/feature/2438545/cyber-security-in-2016-cyber-extortion-data-breaches-and-legal-reform

============

Cyber extortion

The rapid expansion of online tools available for purchase on the dark web, including ransomware and denial of service (DoS) programs, will increase the threat of extortion.

"Ransomware and DoS attacks will increase in frequency in the next year. There have been a growing number of blackmail attempts, threatening a company's resources with distributed DoS attacks if they do not pay a sum of money," warned Andrew Tang, service director at MTI Technology.

"They do not demand high levels of technical ability and the rewards can be great. Many companies cannot afford lengthy downtime on their servers and will pay the sum demanded, even without any guarantee that the attackers will not return."

Tuesday 22 December 2015

Biggest security fails of 2015 and a look ahead to emerging threats in 2016

This year has seen IT security at the forefront of the news agenda for all the wrong reasons. Various breaches and hacks, such as those at TalkTalk, Carphone Warehouse and Ashley Madison, have heightened discussion around IT security and the protection required to counter virtual incursions.

However, many of the attacks over the course of the year were avoidable. Had the companies in question been more diligent over their testing and security protocols, some of the breaches would not have been as successful.

Security fails of 2015

The biggest security failing of 2015 is arguably the vulnerability of companies to simple web application attacks. Organisations with large volumes of online customer interactions were targets for web application attacks, in which cyber-criminals gain access to sensitive customer data. Techniques such as SQL injection and brute-force attacks were used to access valuable data for fraud or resale to third parties.

The other security failing this year has been phishing attacks, a method that can result in malware entering a network, leading to data theft. Phishing attacks can come in the form of an email that appears to be from a legitimate company but redirects the user to a fake external site. Personal information is then requested and captured for future brute-force attacks.

Prevention is simple

Following simple guidelines such as those from OWASP is the first step to prevention. Regular testing of web-facing applications before publishing them can also help avoid attacks such as the one on TalkTalk.

Education within the company and targeted solutions aimed at monitoring data exfiltration should be a priority. A company’s security cannot rely on its security solutions alone as a shield – the workforce can and often will be a weak spot in the armour. Employee education on data governance, access and removal of data should be at the top of a company’s IT security resolutions for 2016.

Emerging security threats in 2016

As ransomware threats are so effective, they are predicted to continue to increase in use in 2016, as will the level of sophistication behind the attacks. This is especially the case because corrective measures to protect against attacks are rarely in place.

In addition, DDoS (distributed denial-of-service) attacks aimed at extracting data have been getting stronger and harder to defend against, as shown by the high profile TalkTalk and Carphone Warehouse breaches.

There have also been a growing number of blackmail attempts, threatening a company’s resources with DDoS attacks unless the attackers receive a sum of money.

What is interesting is that these two techniques do not demand high levels of technical ability, but the rewards can be great. Many companies cannot afford lengthy downtime on their servers and will pay the sum demanded, even without any guarantee that the same attackers will not return.

Who will they affect the most?

Ransomware can affect the majority of computer users. Assuming you will not be a victim of a cyber-attack is a major mistake, and the risk of such an attack should be taken seriously.

DDoS blackmail attacks, on the other hand, will target medium to large-sized companies that have the budget to pay the ransom money.

Invaluable security solutions for businesses in 2016

As ransomware is predominantly distributed via email and the internet, a sandboxing solution is essential. The relevant solution has to be able to scan emails and internet traffic whether they are delivered to computers on the network, to remote workers using a VPN, or to BYOD users on wireless or mobile connections.

Ransomware delivered this way executes with the credentials of the user who opens it, so there is a need to look at controlling administrative credentials on all computers, whether they are servers, workstations or laptops.

Monday 21 December 2015

Cyber-Security Predictions for 2016 [Link - Information Security Buzz]

I was asked to write a piece about Cyber Security predictions for 2016, which was published on Information Security Buzz.

http://www.informationsecuritybuzz.com/articles/cyber-security-predictions-for-2016/

================

Cyber-security Predictions for 2016

What will be the emerging IT security threats in 2016 and do you expect as many or even more attacks as 2015?

Although ransomware attacks were talked about a lot throughout 2015, the number of attacks has risen significantly during Q4 2015. Ransomware attacks are so effective that the number of attacks will rise, as will the level of sophistication behind them, especially as corrective measures to protect against the attack are rarely in place.

DDoS (distributed denial-of-service) attacks aimed at extracting data have been getting stronger and harder to defend against, as evidenced by the high profile TalkTalk and Carphone Warehouse breaches.

There have also been a growing number of blackmail attempts, threatening a company’s resources with DDoS attacks unless the attackers are paid a sum of money.

Ransomware and DDoS attacks will only increase in frequency in the next year. They do not demand high levels of technical ability and the rewards can be great. Many companies cannot afford lengthy downtime on their servers and will therefore pay the sum demanded, even without any guarantee that the same attackers will not return.

Who will they affect the most?

Ransomware can affect a majority of computer users. Assuming you will not be a victim of a cyber-attack is a major mistake, and the risk of such an attack should be taken seriously.

Blackmail attacks with a threat of DDoS will affect medium to large-sized companies that have the budget to pay the sum of money demanded. The transaction is usually in the form of a crypto-currency, Bitcoin. The companies with that same budget, which could instead be invested in the right protection against these types of attacks, are likely to be the ones attacked.

What security solutions will become invaluable to businesses in 2016?

As ransomware is typically distributed via email, an email sandboxing solution will be required. The relevant solution has to be able to scan emails whether they are delivered to computers on the network, to remote workers using a VPN, or to BYOD users on wireless or cellular connections. As ransomware executes with the credentials of the user who opens it, there is a need to look at controlling administrative credentials on all computers, whether they are servers, workstations or laptops.

How will the IT security sector cope with the lack of talent in the UK?

There is not a lack of talent in the IT security sector, but rather of qualified talent. The challenge has been roles advertised with skill requirements beyond many technical people, or demanding specific certifications and accreditations. I believe there are many good universities in the UK producing excellent candidates for IT security, as well as many people with the right aptitude and attitude to learn. Although this may not give companies the “right” skillsets immediately, they can be learnt with the right programme of education and mentorship.

Wednesday 2 December 2015

Questions about the Dark Web

What do large organisations need to understand about the dark web?

The term Dark Web has many sinister undertones, and it can be used for illegal activities. The World Wide Web that we know and use is accessible by a browser and is indexed using software called crawlers. Crawlers allow search engines such as Google to know where websites are and the sort of content they contain. There are elements that cannot be indexed, such as dynamic content generated on the fly; this is often referred to as the Deep Web.

What do many fail to grasp at the moment?

The Dark Web contains sites that require specific software to access them, and the network is encrypted to conceal the activity, whether for privacy reasons or to cover illegal activities. It should also be considered that the Dark Web is tiny compared to the World Wide Web. A recent article estimated there are between 7,000 and 30,000 hidden sites on the Dark Web, equating to around 0.03% of the Web.

How can understanding this space help them stay secure?

The Dark Web is often referenced as the location where stolen credentials are sold. Rather than monitoring or accessing the Dark Web, it is more important to protect the data in the first place. Personally Identifiable Information (PII) should be encrypted, so that it is gibberish to the perpetrator. Many of the recent attacks in which thousands of records were stolen were achieved using SQL injection. If information needs to be accessible from the internet, ensure OWASP standards are followed, ensure the website is tested by a penetration testing organisation, and ensure critical data is encrypted.
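Both this answer and the "Security fails of 2015" post above single out SQL injection as the way large volumes of customer records were stolen. The following is an added example, not code from the original posts or from MTI Technology, showing the flaw beside its fix: one lookup builds the SQL text by string concatenation, the other binds the value as a parameter. The customer table, the rows in it and the function names are all constructed for this illustration; the tautology input is the standard one that OWASP testing guides and web-application scanners use to detect the flaw.

```python
import sqlite3

# Constructed sample data: a small in-memory customer table standing in for
# the online-customer records the posts describe.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation.

    Attacker-controlled input becomes part of the SQL text itself, so the
    input can change the structure of the query. This is the injection flaw.
    """
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Uses a bound parameter (the OWASP-recommended fix).

    The driver sends the value separately from the SQL text, so whatever the
    input contains is compared as a literal string and never parsed as SQL.
    """
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal name and with the classic tautology
    input, returning the rows each one yields so the difference is visible."""
    conn = make_db()
    normal = "alice"
    tautology = "' OR '1'='1"  # closes the quoted literal and adds an always-true clause
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "safe_normal": lookup_safe(conn, normal),
        "safe_tautology": lookup_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

With the concatenated query, the tautology input returns every row in the table, which is exactly how a single flawed search field exposes a whole customer database; the parameterised query returns nothing for the same input because it looks for a customer literally named `' OR '1'='1`. Binding parameters everywhere user input reaches a query, and then having the site tested as the answer recommends, removes this class of flaw rather than trying to filter individual payloads.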