Monday 25 January 2016

A Year in Vendor Patching: Does an Increase in Patches Mean we are More or Less Secure? [Link - Infosecurity]

I'm very proud to have a blog piece published by Infosecurity.


Vulnerabilities and subsequent vendor patches are part and parcel of a company’s use of different operating systems and product software. However, a significant increase in the number of vendor patches released in 2015, in comparison to 2014, alongside the number of high-profile breaches prompts the question: Why was 2015 such an insecure year for vendors and why did cyber-threats see a marked increase?

A recent report by PricewaterhouseCoopers suggests that incidents of cyber-attacks or breaches have risen by 38% from 2014. A study by HP Enterprise Security found that this growing phenomenon is costing UK firms an average of £4.1m a year.

In terms of patching, Apple led the vendor list with 654 vulnerabilities, more than double the 288 recorded in 2014. Microsoft was in second place with 571 vulnerabilities, up from 376 the year before.

Vendor Patches and the Inherent Risks

There are some basic recommendations for using a computer to access the internet: use anti-malware software, don't reuse the same password across accounts, and keep the operating system and applications patched.

When it comes to vendor patches, the issue is that a user is only protected once the patch is actually applied. Between public disclosure and application there is a window of exposure in which everyone, attackers included, knows about the vulnerability while the fix is not yet in place. The most appropriate recommendation is to apply patches as soon as possible, and in the meantime to use controls that shield devices from the vulnerability until the patch lands (virtual patching at the network or host layer, for example).
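To make the window of exposure concrete, here is an added example (not code from the article) that reports, for a small fleet, how many days each host was exposed before the vendor shipped a fix and how many more days it stayed exposed because the patch was not applied. The inventory, host names, advisory identifiers and the seven-day patching SLA are all constructed for illustration.

```python
"""Window-of-exposure report for a small fleet (added example, not from the article).

Each inventory entry records when a vulnerability was publicly disclosed, when the
vendor patch shipped, and when (if ever) the patch was applied on a host.
Every host name, advisory id and date below is constructed.
"""
from datetime import date

# Constructed inventory: (host, advisory, disclosed, patch_released, patch_applied or None)
INVENTORY = [
    ("web-01",  "ADV-0001", date(2015, 12, 8),  date(2015, 12, 8),  date(2015, 12, 10)),
    ("web-02",  "ADV-0001", date(2015, 12, 8),  date(2015, 12, 8),  None),
    ("file-01", "ADV-0002", date(2015, 11, 2),  date(2015, 11, 17), date(2015, 12, 1)),
    ("lap-07",  "ADV-0003", date(2015, 12, 1),  date(2015, 12, 8),  date(2015, 12, 9)),
]

PATCH_SLA_DAYS = 7  # assumed policy: apply within a week of the patch shipping


def exposure_window(disclosed, released, applied, today):
    """Split a host's exposure into the part the vendor owned (no patch existed yet)
    and the part the operator owned (patch available but not applied).
    An unapplied patch is counted as exposed up to `today`."""
    end = applied if applied is not None else today
    vendor_days = (released - disclosed).days
    operator_days = (end - released).days
    return vendor_days, operator_days


def report(inventory, today, sla_days=PATCH_SLA_DAYS):
    """Return one dict per host, worst offenders first (unpatched, then longest exposure)."""
    rows = []
    for host, adv, disclosed, released, applied in inventory:
        vendor_days, operator_days = exposure_window(disclosed, released, applied, today)
        rows.append({
            "host": host,
            "advisory": adv,
            "vendor_days": vendor_days,
            "operator_days": operator_days,
            "total_days": vendor_days + operator_days,
            "patched": applied is not None,
            "sla_breached": operator_days > sla_days,
        })
    rows.sort(key=lambda r: (r["patched"], -r["total_days"]))
    return rows


if __name__ == "__main__":
    for r in report(INVENTORY, today=date(2015, 12, 31)):
        state = "closed" if r["patched"] else "OPEN"
        flag = " SLA BREACH" if r["sla_breached"] else ""
        print(f"{r['host']:8} {r['advisory']} vendor={r['vendor_days']:>2}d "
              f"operator={r['operator_days']:>2}d {state}{flag}")
```

The split matters when reading the annual vulnerability counts: the vendor-owned days are what a patch release closes, while the operator-owned days are entirely within the organisation's control and are the part a shielding control is meant to cover.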

A Reason for Concern

There were 273 patches from four vendors (Apple, Adobe, Microsoft and Google) in a single week in December 2015. Organizations that run software from these vendors will have had a very busy week applying them.

On one hand, companies should be comforted by the diligence of these vendors in picking up vulnerabilities and creating patches – however, a healthy fear and appreciation of the changing security landscape should also be evident for CISOs or CIOs.

The security industry has dealt with more targeted and sophisticated attacks in the past year, with attackers finding ways around the protections vendors already have in place. A good example is XcodeGhost, a tampered copy of Apple's Xcode development tool that injected malicious code into apps at build time, so that unsuspecting developers submitted infected apps to the App Store themselves.

Are We More or Less Secure Than a Year Ago?

The security threat landscape has evolved considerably in the last 12 months. Not only have there been more DDoS and ransomware attacks, but large software companies such as Adobe and Facebook have been targeted by bugs and malware affecting their software. Breaches of this kind result in major data loss, in the form of contact and payment details, which attackers can reuse for password-guessing attacks or phishing scams.

The entire online community seems to be more at risk than a year ago. Cybersecurity has risen to the top of the agenda for the C-suite, who may have experienced or watched their peers deal with embarrassing leaks.

It may be the vast rewards that attackers can gain from data or the greater access to internet connected devices, but one thing is clear; attacks on software providers will only grow in frequency and sophistication throughout 2016, which will mirror the wider cyber-attacks on companies.

Tuesday 12 January 2016

Biggest security fails of 2015 and a look ahead to emerging threats in 2016 [Link - MTI Bytes]

A blog piece I wrote for the company website:


The last year has seen IT security at the forefront of the news agenda for all the wrong reasons. Various breaches and hackings, such as those on TalkTalk, Carphone Warehouse and Ashley Madison, have heightened discussion around IT security and the protection required to counter virtual incursions.

Yet, many of the attacks over the course of the year were avoidable. Had the companies in question been more diligent over their testing and security protocols, some of the breaches would not have been as successful.

Security fails of 2015
The biggest security failing of 2015 is arguably the vulnerability of companies to simple web application attacks. Organisations with large volumes of online customer interactions were targets for web application attacks, in which cyber-criminals gain access to sensitive customer data. Techniques such as SQL injection and brute force attacks yielded valuable data for fraud or resale to third parties.

The other security failing this year has been phishing, a method that can result in malware entering a network and lead to data theft. A phishing email looks like a legitimate message from a company but redirects the user to a fake external site, where personal information and credentials are requested and captured for later attacks on the victim's accounts.

Prevention is simple
Following established guidance such as the OWASP Top 10 is the first step to prevention. Testing web-facing applications before they are published, and regularly thereafter, also helps avoid attacks.

Education within the company and targeted solutions aimed at monitoring data exfiltration should be a priority. A company’s security cannot be reliant on only using their security solutions as a shield – their workforce can and often will be a weak spot in their armour. Employee education on data governance, access and removal of data should be at the top of a company’s IT security resolutions for 2016.

Emerging security threats in 2016
The frequency and sophistication of ransomware looks set to increase in 2016 because the attacks are so effective, especially as preventive measures and tested offline backups are rarely in place.

In addition, DDoS (distributed denial-of-service) attacks, including those used as cover while data is stolen, have been getting stronger and harder to defend against, as the high-profile TalkTalk and Carphone Warehouse breaches showed.

There have also been a growing number of blackmail attempts, threatening a company’s resources with DDoS attacks, unless they receive a sum of money.

What is interesting is that these two techniques do not demand high levels of technical ability, but the rewards can be great. Many companies cannot afford lengthy downtimes on their servers and will pay the sum demanded, even without any guarantee that the same attackers will not return.

Who will they affect the most?
Ransomware can affect the majority of computer users. Assuming you will not be a victim of a cyber-attack is a major mistake; the risk should be taken seriously.

Blackmail attacks/DDoS attacks on the other hand, will be targeting medium to large sized companies, who have the budget to pay the ransom money.

Invaluable security solutions for businesses in 2016
As ransomware is predominantly distributed via email and web downloads, a sandboxing solution is essential. It has to scan email and web traffic for computers on the corporate network, for remote workers connecting over VPN, and for BYOD users on wireless or mobile connections.

Ransomware runs with the privileges of the user who opens it, so administrative rights on every computer, whether server, workstation or laptop, need to be controlled: a user who is not a local administrator limits what the malware can reach.

Thursday 7 January 2016

The dark web & business report: A seedy Dickensian underworld online [Link - IDG Connect]

I was asked to comment on how the dark web could impact businesses, and was fortunate enough to have my comments published in an IDG Connect article.


It is obviously imperative that businesses can secure themselves against any threat. And as the latest wave of breaches has proved, while most organisations spend money on traditional perimeter security, many fail to properly protect their biggest asset: their data.

“Personal Identifiable Information (PII) should be encrypted,” says Andrew Tang, Service Director of Security at MTI Technology. This would make any stolen information unreadable to the perpetrator, provided the encryption keys are not compromised along with it.

“Many of the recent attacks, which have allowed thousands of records to be stolen, have been achieved by using SQL Injection attacks,” he adds. “If information needs to be accessible to the internet, ensure OWASP standards are followed, the website is tested by a penetration testing organisation, and critical data is encrypted.”
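The SQL injection named in the quote above, and in the "Security fails of 2015" post earlier on this page, comes down to one coding mistake. The following added example (not code from either article, nor MTI's) puts the vulnerable login query beside its parameterised form and runs the classic tautology payload against both. The table, rows and login functions are constructed for illustration; passwords are stored in plaintext only to keep the example short, which a real system must never do.

```python
"""SQL injection: a string-built query beside its parameterised form.
Added example, not code from the article. Table, rows and functions are constructed."""
import sqlite3


def make_db():
    """In-memory customer table with constructed rows (plaintext passwords for brevity only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, password TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice@example.com", "hunter2", "4242"),
         ("bob@example.com", "letmein", "1111")],
    )
    return conn


def login_vulnerable(conn, email, password):
    """String-built query: attacker-controlled text becomes SQL syntax."""
    sql = ("SELECT email, card_last4 FROM customers "
           f"WHERE email = '{email}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, email, password):
    """Parameterised query: the driver sends values separately from the SQL text,
    so quotes in the input are data, never syntax."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


# Classic tautology: turns the WHERE clause into (... AND password='') OR '1'='1'
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, "x", PAYLOAD))  # dumps every row
    print("safe:      ", login_safe(conn, "x", PAYLOAD))        # returns nothing
```

The vulnerable function returns every customer's card digits for a bogus email and no password, because the injected quote closes the string literal and the rest of the payload is parsed as SQL. The safe function returns nothing for the same input, and the only change is passing the values as parameters; this is the OWASP guidance the quote refers to, and it is the first thing a penetration test of a login form will probe.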