Wednesday 20 July 2016

Gemalto hunts for partners for its encryption solutions as GDPR approaches [Link - CRN Magazine]

I was asked to give my opinion on our working relationship with Gemalto and GDPR by CRN and may comments were published: http://www.channelweb.co.uk/crn-uk/news/2465454/gemalto-hunts-for-partners-for-its-encryption-solutions-as-gdpr-approaches 

============================

MTI has been a partner with Gemalto for around eight years, and its services director Andrew Tang said that he has noticed the increased demand for the encryption products Gemalto provides in the run-up to GDPR.

"We have had a couple of organisations in the finance industry that have started asking us about how we can help them with their GDPR strategy. There are organisations out there that are on the ball, but more companies were in limbo because of the referendum," he said.

"People forget that when you look at all the different options, whether it's the Norway, Switzerland, Canada or Turkey models, they all have to adhere to EU regulation, which means GDPR in some fashion or another. It is still about education and evangelisation at the minute."



Saturday 16 July 2016

Euro 2016: A lesson in BYOD security best practice [Link - ITProPortal]

I was asked to write some thoughts around the security during Euro 2016 for ITProPortal: http://www.itproportal.com/2016/07/16/euro-2016-a-lesson-in-byod-security-best-practice/

==================================

One of the stories away from the pitch at this year’s Euro 2016 event was the significant spike in cybercrime on mobile devices.

Attending football fans, trying to keep on top of work or attempting to access tournament information, became victims to cyberthreats as hackers took advantage of insecure public Wi-Fi networks and applications.

Reports suggest that the host country was targeted in a highly calculated way by hackers during the event, with 72 per cent of malicious websites and 41 per cent of exposed passwords were detected on smartphones in France alone.

The UEFA EURO 2016 Fan Guide App, one of the official UEFA mobile applications, was a prime target for hackers during Euro 2016, having been being downloaded onto more than five million devices.

Designed to provide practical tourist information for fans travelling to France for the tournament, the app leaked user data including usernames, addresses, phone numbers, and passwords due to an insecure connection.

The BYOD threat is real

The scale of the attack during the event highlights just how strong the threat is for businesses, especially for companies operating BYOD policies, as employees are free to access malicious websites, fake apps and connect to unsecured Wi-Fi on the same device they store corporate data.

An additional report also suggests business travellers are more likely to be mugged of valuable private and corporate data than of their travel money. The report found that 59 per cent of staff in senior roles claim to log on as quickly as possible upon arrival abroad, while 48 per cent of senior managers and more than 43 per cent of mid-level managers use unsecure public access Wi-Fi networks to connect their work devices when abroad.

So how can businesses protect themselves against mobile threats and prevent mobile hardware and apps from leaking corporate data, and what are best practices around BYOD security?

Mobile management

With company owned mobile pools now rapidly becoming out of date and workplace bring your own device (BYOD) policies steadily growing, controlling what an employee does on their device has become far more difficult and complex.

Enterprise Mobility Management (EMM) platforms have become crucial in protecting corporate data. Apps and documents can operate separately from the rest of the device, allowing employers to create a ‘wall’ around sensitive information to prevent infection from compromising data.

EMM also allows for robust security policies to be put in place on an employee’s personal phone without invading privacy or forcing too much control of a personal device to an employer.

Right apps, right channels

It is also important to consider where employees are storing data. Some cloud-based storage applications can present a risk as the data is often entrusted to a third party. This means businesses have to rely on the strength of an employee’s password for protection.

Using the appropriate channels for storing information, such as an encrypted VPN, and making these available to employees’ mobile devices is another step towards protecting business assets. This ensures all information is properly encrypted through storage managed by the company itself, rather than entrusted to a separate party.

Another consideration for most businesses is how to prevent staff downloading apps that can leak data. Companies that issue a fleet of managed devices can place restrictions on what apps can be downloaded, but with BYOD, employees are free to download what they want.

By creating a separate corporate app store on the device, IT departments can then ensure that only approved apps can be used to access corporate information, while still allowing employees the freedom to download whatever they wish to use on their device.

Public dangers

One of the biggest threats during the Euro 2016 tournament was the use of free Wi-Fi facilities.

Public, password-free Wi-Fi is a particular threat to both individuals and businesses due to the lack of encryption which allows hackers to access almost all information on a user’s device.

The Wi-Fi Pineapple, for example, makes man-in-the-middle attacks easy. In this type of attack, a hacker sits in between the device and the Wi-Fi to which it is connected in order to extract information from the device.

These type of attacks are especially dangerous for travelling football fans and business people alike, as users often try to avoid having to pay expensive data roaming charges while in foreign countries.

By educating employees of the dangers posed by using unsecured Wi-Fi and unauthorised applications, organisations can help to mitigate at least some of the potential threat.

Part of this process should involve advising employees of the dangers hacking poses, the reasoning behind approved corporate channels for storing information, and clearly defining the role they need to play in securing their device.

IT departments need to be working with the HR team and heads of departments to create a corporate culture around security and convey that the protection of company data is as much their responsibility as it is for IT professionals.


Monday 11 July 2016

EU General Data Protection Regulation (GDPR)

Before I start on this blog piece, I have to make it clear that I'm not a lawyer and I have no legal training.  The blog piece below does not constitute as law, but these are areas I have researched and may make some assumptions along the way, especially with the uncertainty in the UK and it's relationship with the EU.


Data Protection Directive

The EU Commision were looking at replacing the Data Protection Directive.  So we are clear, an EU directive is a goal that the EU must achieve, but it's up to the individual countries to devise their own laws on how to reach the goal.

In January 2016, a draft form of the EU General Data Protection Regulation was released.  The difference between a directive and a regulation, is that an EU regulation is a binding act, that is applied in its entirety across the EU.

Why GDPR important?

GDPR is there to strengthen and unify data protection for individuals in the EU.  It addresses the export of personal data outside of the EU.

When will GDPR happen?

The regulation has now been released and enters into force on 25th May 2018


What is the impact of GDPR?

  • A Data Protection Officer is needed if an organisation processes 5000+ EU data subjects; or employs more 250+ employees
  • Mandatory disclosure of incidents within 72 hours to the national authority
  • Maximum fines of up to €20 million or 4% of worldwide revenue
  • “Right to be forgotten”: The data subject will have the right to retract consent, request data erasure or portability
  • EU Referendum has no impact to organisations – If you hold personal data on an EU citizen, GDPR still applies
  • Live May 2018 – Two budget cycles left

The Data Protection Officer

If the core activities of an organisation involves “systematic monitoring of data subjects on a larger scale”, or large scale processing of "special categories", such as racial/ethnic origin, political opinions, religious/philosophical beliefs, biometric data, heath/sex life or sexual orientation, then a Data Protection Officer is required.

The function is also there to advise on, and the monitoring of GDPR compliance, as well as representing the organisation when contacting supervising authorities.

Disclosure and Notification

The controllers are required to notify the appropriate supervisory authority of a personal data breach within 72 hours (at the latest) on learning about the exposure if it results in risk to the consumer. But even if the exposure is not serious, the company still has to keep the records internally.

According to the GDPR, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, the EU’s term for PII is considered a breach.

The GDRP notification is more than just reporting an incident, there is a need to include categories of data, records touched, and approximate number of data subjects affected. This will require detailed intelligence on what the hackers and insider were doing.

There is a term known as "Dwell time", which is the period of time that someone malicious is on your network and systems undiscovered.  Most people are shocked to learn that this on average is 206 days (from Cost of a Data Breach Study: Global Analysis, Ponemon Institute, 2015)

Fines

The GDPR has a tiered fine structure, so a company can be fined up to 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessments, while more serious infringements merit a 4% fine. This includes violation of basic principles related to data security and conditions for consumer consent. 

The EU GDPR rules apply to both controllers and processors that are in “the cloud”. So cloud providers are not off the hook when it comes to GDPR enforcement.

"Right to be Forgotten"

Individuals can request the erasure of their personal data without undue delay by the data controller in certain situations. 

Consent can be withdrawn and no other legal ground for processing applies. This topic has attracted a huge amount of interest, particularly following the CJEU decision in the Google vs. Spain case.

Alongside this obligation is one to take reasonable steps to inform third parties that the data subject has requested the erasure of any links to, or copies of, that data.

Outside of the EU

The law applies to your company, even if it markets goods or services in the EU zone.  If you don’t have a formal presence in the EU zone but collect and store the personal data of EU citizens, GDPR still applies and the extra-territoriality requirement is especially relevant to ecommerce companies.

Is GDPR still required now that Brexit may happen?

If Article 50 is initiated in July 2016 & UK exits July 2018; GDPR will apply from May 2018. Also the UK were instrumental to writing and strengthening the GDPR.  Receiving personal data from EU member states would need to demonstrate to the European Commission that the law provides an adequate level of protection through its domestic laws or international commitments.

Source: Absolute Strategy Research Ltd

As you can see from the chart above, with many of the options open to the UK, compliance with EU regulation is required in order to trade with Europe.  In my opinion, GDPR will be relevant to the UK, and will need to be in place with UK organisations holding data of EU citizens.

Adopting GDPR

I believe there are some steps that will need to be taken with all organisations that wish to comply with GDRP:
  • Locate the critical data for GDPR
  • Protect the data (and the applications that access it) through segmentation and/or encryption
    • If encryption is used, ensure the encryption keys are secured
  • Use strong Access Controls to servers holding the data, such as two factor authentication
  • Use DLP/Insider Threat technology to prevent data exfiltration
  • Monitor all exfiltration data channels, including web and email
  • Collate logs from the network, so they can be analysed
  • Secure domain and local administrator accounts
  • Penetration test the environment

Final Thoughts

GDPR goes live in May 2018, which means there are two budget cycles left to get the education, processes, workflow and technology in place.  One of those budget cycles are underway already, so if GDPR planning hasn't begun, start it now, so you'll be ready for next years budget.

Thursday 7 July 2016

Euro 2016 breaches [Link - Professional Security Magazine Online]

I was asked some questions around around breaches due to Euro 2016 mobile applications by Professional Security Magazine Online: http://www.professionalsecurity.co.uk/news/commercial-security/euro-2016-breaches/ 

==================================

During the 2016 UEFA European Championships, the SmartWire Labs Team at Wandera has been analysing the mobile data traffic patterns across its enterprise customers in the European countries that make up this year’s tournament. Wandera said that during the research period, the number of data leaks observed increased. The IT firm predicted this number will continue to rise as the tournament goes on as a result of more people travelling across Europe and using unfamiliar apps and websites to access match information. The company suggested that data leaks will peak in late June towards the end of Euro 2016, before going back to normal levels in late July.
The firm summed up that the increased data usage for the beginning of Euro 2016 was no surprise to anyone. The risks associated with this increase in traffic have implications. With more people travelling across Europe, using unfamiliar websites and apps, as well as the discovery that the official UEFA app is leaking data could all lead to serious security breaches with thousands of fans’ data being put at risk, according to the firm.

Comments
Andrew Tang, Service Director, Security at MTI Technology, spoke of two ways organisations can protect corporate data. The first is through a fleet of corporate devices, which can control what apps are installed and which websites can be visited. However, with fleets of devices becoming old-fashioned and bring your own device (BYOD) policies ever more common in the workplace, controlling what an employee uses their device for, has become more complex. Enterprise Mobility Management (EMM) platforms are key to protecting corporate data. By separating company information from the rest of the phone; including apps, emails and documents; employers can ensure that a ‘wall’ is created around sensitive information and as a result, can prevent infection from compromising data.

Can organisations prevent downloading of apps that leak data?
With a fleet of managed devices, this is less of a problem as companies can place restrictions on what apps can be downloaded. With BYOD however, employees can be free to download what they want to. Through a EMM platform, businesses can create a corporate app store that restricts what employees can use through the platform. This allows IT departments to restrict access to certain apps on Google Play or the Apple Store, ensuring that only approved apps are used to access corporate information, while still allowing employees are free to download whatever they wish to use on their device.

What are the best practices for protecting infrastructure during major sports events?
Public Wi-Fi is a particular threat when it comes to malware penetrating a mobile device. Open, password free Wi-Fi connections are not encrypted, which means that they are easy targets for hackers. For example, the WiFi Pineapple makes man-in-the-middle attacks easy. In this type of attack, a hacker sits in between the device and the Wi-Fi it is connected to in order take information away from the device. This is especially dangerous in foreign countries as some users try to make the most of avoiding having to pay roaming charges through free Wi-Fi. Education is key here. By informing employees of the dangers free and open Wi-Fi connections can pose, organisations can hopefully mitigate some of the threat. However, this is far from foolproof.

Tuesday 5 July 2016

The scourge of social engineering [Link- SC Magazine]

I was asked to write a piece on Social Engineering for SC Magazine.  It's in a section called "Last Word" and as it's the last print copy before it moves to digital only, I literally have the last word in SC Magazine! http://www.scmagazineuk.com/the-scourge-of-social-engineering/article/504950/



==============================

Today, social media platforms are no longer just a forum for online chat but an important every day work and communication tool. Facebook alone has more than a billion users, while social media business platform LinkedIn has more than 400 million users.

Going after the big guns


A well-publicised incident was a three-year social engineering campaign carried out by Iranians. It targeted US military officials, diplomatic and congressional staff, and defence contractors in the country and abroad.

The Iranian spies used Facebook, LinkedIn, Twitter and Google+ to carry out a sophisticated attack. They developed fake social media personas and posed as recruiters from major international companies including Northrop Grumman and General Motors. The targets were largely in telecom, government and defence industries.

When a connection was established emails were sent to victims with malware hidden in links and attachments. The aim was to get the target to download malware into their computers which would give the hackers access to highly sensitive information. The striking thing about this social engineering-based attack was its scope and sophistication. It's certainly not an isolated event; for some cyber-criminals it's a career path.

You don't need state resources or an encyclopaedic knowledge of psychology and social media surfing habits. You don't even need to be well-versed in the dark arts of black hat coding. All you need is a bit of patience to trawl the web and the knowledge that too many people put far too much information online than is necessary.

It doesn't take much to create a complete profile including place of work, employment history, address, age, family, likes, dislikes, bank, shopping, recent purchases, family members, their locations and so on.

All information to create a complete profile can be gleaned within a few hours. There are even open source tools designed to help trawl social media platforms and scoop up as much information about any one individual as possible.

This information can be used for targeted phishing attacks at a place of work or brute force password attacks on a company's network. Personal information is gathered on the ‘target' from social media and a phishing email is sent to their place of work.

Malware-laden messages


A phishing email is usually mocked up to look as though it's from an organisation the target has recently dealt with. For instance, the victim may have posted something about his or her brand new iPhone, so the hacker creates an email that purportedly comes from Apple with a message about the phone. A link in the email is clicked by the ‘target' and malware is downloaded into the retailer's system. This provides the means for a hacker to steal the contents of a customer database.

This data is put up for sale on a deep net website that trades in credit card and identity information. The hacker is set to make hundreds of thousands of pounds for a task that in all likelihood took a few days to carry out.


A need to click


Organisations today are, by and large, aware of cyber-threats that come from malware such as trojans, viruses and to some extent, ransomware. However, many haven't yet fully grasped the implications of social engineering with people freely giving away information and casually downloading files from the Internet. As a result, education and awareness programmes for employees can make a significant difference.

At the very least, education programmes will hammer home the point that there are cyber-criminals circling corporate firewalls who are only too keen to get into the network.

Education will make employees aware of sophisticated phishing techniques and how sharing too much of their personal information on a social media platform could well provide the starting point for a crippling network attack.

This can also make personal practice tighter so they don't post workplace information or inadvertently reveal pathways to corporate crown jewels.

Monday 4 July 2016

Stopping ransomware in the public sector [Link - MTI Bytes]

This is a blog piece that was created for the company blog site: http://blogs.mti.com/blog/stopping-ransomware-in-the-public-sector

===============================================

In just over 10 years, ransomware has become a serious threat for many organisations across the world. In 2016, we have already seen a 300 per cent increase in attacks, which roughly equates to approximately 4,000 a day. Worse still, this figure is predicted to double year on year.

While there is no perfect solution to stop organisations from ever fully preventing these attacks, arming yourself with knowledge is the first and best defence to mitigate them should they arise.

Risk to the public sector

The public sector in particular is at risk from ransomware attacks. With a great deal of important and personal data stored in these organisation’s databases, the potential damage caused by workers being locked out of their systems can be significant.

In January 2016, Lincolnshire County Council shut down its entire IT network after a new strain of ransomware demanding £1 million was found to have penetrated the system. This new malware forced the council to shut down to protect personal data – including those it provides social care for.

Triggered by one user, and on a system that was up-to-date with the latest protection, the intrusion meant that operations were left without any IT for a number of days, which of course has a knock on effect for service delivery.

The above example, along with a recent spate of attacks against hospitals in the US, Canada, Germany and New Zealand, show that public sector organisations in wealthy countries are amongst those at the highest risk, presumably due to the greater likelihood of them being able to pay the ransom.

Knowing the threat

Ransomware is a form of malware that can affect a device without the user knowing. The first instances of ransomware came to attention in 2005 and were comparatively crude. However, in the following 11 years, it has become far more sophisticated as hackers re-invest profits into new malware.

Recent evolutions have seen the virus become more effective and hard-line. Some now include a sleep timer, which means that the encryption process can begin at a time of the virus writer’s choosing and be executed over an extended period, which also makes it harder to notice.

The Petya strains of the virus, which came to light in the first quarter of 2016, takes encryption to a new level. Discovered after emails with Dropbox links to download a file containing ransomware were found, Petya encrypts the hard disk itself, deleting the backup files which were previously used as a solution to counter-act ransomware. It also avoids detection by signature-based anti-virus software, making it even harder to find.

This new strain could have massive implications for the public sector, leading to vital information being lost or even stolen while IT teams scramble to try and stop it from spreading across the whole system.

Education is essential

So how can councils, hospital trusts, and other public sector organisations protect themselves against this threat and remain online?

The attack on Lincolnshire County Council happened because a new strain of the malware had not been encountered before, therefore there was no protection against it. It was also a human error, as it took only one person downloading it onto their system to cause a significant issue.

While IT professionals are always trying to stay ahead of the game, there is no form of protection that is 100 per cent perfect all the time, especially when human error is factored in.

The main solution to mitigating attacks lies in educating staff to understand why security processes are in place, and what happens when they circumvent them or use applications not authorised by the company, for example, downloading files from unknown contacts via Dropbox.

Alongside educating staff, IT departments should enact a principle of least privilege when it comes to local administrators. This will be essential in ensuring that if a device is infected, the information it can encrypt will be minimal and does not spread through the system.

There also needs to be a protocol in place for when an attack does happen. Directors need to work with their IT departments to come up with a plan of action, deciding whether or not to take the precaution to shut down systems, to go public with the attack or keep it in-house and – crucially – if the ransom should be paid.

Ransomware is pervasive and very dangerous for public sector organisations, considering the sensitive data they hold, so education is vital. Get the knowledge and learn more best practises in our complete guide to ransomware by downloading it here.

Friday 1 July 2016

General Data Protection Regulation – what you need to know [Link - MTI Bytes]

This is a blog piece for the company blog site around the new General Data Protection Regulation: http://blogs.mti.com/blog/general-data-protection-regulation-what-you-need-to-know

===============================================

Signed into law in May 2016, the European Union’s General Data Protection Regulation (GDPR) act will force change in the way businesses approach data protection when it is enforced in two years’ time.

The scope of the act, which replaces the EU Data Protection Directive, will increase significantly as it standardises and unifies data privacy requirements not just across member states, but for any businesses that markets to EU data subjects.

Carrying heavy fines for non-compliance, either €20 million or 4 per cent of global turnover, whichever is greater, the GDPR enacts stricter guidelines for getting consent for data collection, individual profiling and also contains more comprehensive definitions of data.

GDPR also enhances the current legislature around data security and breach notification standards, so it is imperative the compliance teams, CIOs and data protection officers take notice of these changes.

Breach notification

As part of the new rules set by the EU, companies must alert the authorities without undue delay and have up to 72 hours – where feasible – to provide notification of a breach of EU national’s data, or risk a fine for non-compliance.

Currently, UK firms are not under any such requirement to announce a data breach, with many choosing not to as the cost of doing so for a business can be enormous. For example TalkTalk and Carphone Warehouse saw their profits and trust in their brands fall dramatically following public data leaks.

This will be a significant change for many businesses, and will see current systems overhauled in order to ensure breach protocols are compliant with the new legislation. It will also apply to all UK firms trading in Europe, as any company that holds the personal details of an EU ‘data subject’ will have to comply.

The devil is in the detail and the final text of the new directive needs to be closely studied.

Getting technical

The GDPR also separates responsibilities and duties for both data controllers and processors – requiring controllers to only engage processors that provide sufficient guarantees to meet the GDPR’s standards of protecting data subjects’ rights.

Article 32 of the GDPR outlines these responsibilities. While it is similar to the Directive’s Article 17, the GDPR expands this by providing specific suggestions for the type of security activities which might be ‘appropriate to the risk’.

From encryption of data to testing and assessing security systems – everything needs to be compliant with the GDPR’s new code of conduct.

Looking forward

There are just under two years and in turn two budget cycles remaining until the law enforces the act, yet GDPR readiness is not a priority amongst IT professionals in Europe.

There is a lot to assess in that time, especially in terms of the security aspects of GDPR, so now is the time to be getting systems ready for compliance and for implementing new breach notification policies.

This will require working with legal teams and other branches of the business to ensure compliance is watertight to prevent heavy fines for businesses.