Monthly Archive December 2015

LinkedIn phishing scams

By Chris Ince, Information Security Consultant, Security Risk Management Ltd

LinkedIn recruiting scams are not a new threat to most. Many users of the professional network face this ever present gauntlet every day. Recently these have been targeting professional executives. The scams aim to socially engineer both professional and personal information as well as contact networks : specifically email address’ and telephone numbers.

There have been several reports from security vendors, F-secure, Dell Cyber Threat Intelligence (CPU) and Symantec SecureWorks regarding LinkedIn scams.

Most of the reported attacks have taken the format of posing as legitimate employers offering non-existent positions. Most utilise a combination of stock-image or other LinkedIn photos of women, with profiles copied and pasted from real professional accounts. This is often termed sockpuppet scams.

All of the reports offer a detailed analysis of the scams, as well as examples of scam profiles.

https://labsblog.f-secure.com/2015/09/03/linkedin-sockpuppets-targeting-security-researchers/

http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/

http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf

http://www.symantec.com/connect/fr/blogs/fake-linkedin-accounts-want-add-you-their-professional-network

According to a separate Symantec report “The FBI estimates that the amount lost to BEC (Business Email Compromise) between October 2013 and August 2015 was over $1.2 billion. With such huge returns, it’s unlikely that these scams will cease any time soon.”

Assuming the information you publish on Twitter, Facebook etc is public (even if some is only to select people or groups) you should apply the same principle to LinkedIn. The upsurge in current scams will not be an issue as you will already be cautious with the information you share and how you respond to any requests.

For those that that don’t air on the side of caution “User education is the most effective means of protecting companies against BEC,” the researchers pointed out.

Have you educated all your employees on the threat of phishing and spear phishing emails? Please let SRM know if you’d like to discuss this further.

Understanding the role of Chief Information Security Officer (CISO)

Making a case for the VirtualCISO

Few company directors have a deep knowledge of corporate law, or a detailed understanding of investment planning or tax implications. They employ offsite experts to ensure that they keep on the right side of the relevant legal requirements and to stay abreast of changes in regulations as and when they occur. Yet when it comes to data security many businesses attempt to manage with their own resources, relying on whoever has been assigned the role of Chief Information Security Officer (CISO); sometimes with disastrous consequences.

The cost of data breaches can run to hundreds of thousands. Even sole traders are not immune from the devastating financial consequences of a reported breach. The Payment Card Industry (PCI) will call in investigators if a trader is linked to a case of data fraud or theft and that trader has no choice but to pick up the bill. In addition, there is the cost of reputational damage. Some are however almost totally unaware of the risks they face until they hear of the breach, yet they are completely responsible for the data in their systems and have a legal obligation to keep it protected.

In larger companies, responsibility for data protection falls to whoever has been given the mantle of Senior Information Risk Owner (SIRO) or Chief Information Security Officer (CISO); and while most are aware of their responsibility to protect customer data, the details of how and why this should be done may elude them. When it comes to SMEs and sole traders, the CISO role is often just one of a portfolio held by the managing director.

For the majority, both in large corporations and SMEs, the actual language of information security (commonly referred to as cyber) makes the process appear baffling. Its standards are riddled with acronyms which often just add to the air of impenetrability: PCI DSS, GDPR, IASME, ISO 27001. As a result, there are times when discussions around a board table may sound like a Monty Python sketch when no one actually knows what anyone else is talking about, but the reality is far from amusing.

In fact, not only is a company’s reputation and financial viability at stake if a data breach occurs, but legislation is coming into force in May 2018 which will make adherence to a new European-wide standard compulsory for everyone. So the question is, if company directors do not think twice about instructing corporate lawyers and accountants to act on their behalf, why would they task their in-house team with something as fundamentally important as information security? Or worse, with ever tightening budgets, ignore the challenge altogether?

The prospect of employing a balanced CISO team, with a comprehensive range of expertise, may sound prohibitively expensive. But it isn’t if a range of experts are in-sourced on demand via a virtual team model. Or a fully outsourced model is considered, delivered by an industry leader.

The role of SIRO is one that is can now be delegated to specialists who take on the full responsibility on behalf of a client company. At SRM we have developed the VirtualCISO, a totally bespoke service, providing as much or as little as required depending on the individual company. Some may know exactly what they need and have the technical expertise to deliver it, while others may simply want to have the whole problem removed from their desks, in the certain knowledge that everything is being dealt with on their behalf.

With VirtualCISO a company board – or a sole trader – can understand their responsibilities and company risk profile, prioritise mitigating actions, confirm adherence (or not) to industry/sector standards and regulations, and find out how best to proceed in ensuring compliance in a cost effective manner. In this way they will also be evidencing that they put the needs of their clients first, thus maintaining or gaining reputational and financial advantage amongst their competitors.

GDPR and the strengthening of individual data protection rights

By Chris Ince, Information Security Consultant

“The processing of personal data should be designed to serve mankind.” (Council of the European Union, 2015)

On 8th December the European Parliament, Council and Commission (the trilogue) agreed the text for the new General Data Protection Regulation. Although there are still some additional bodies that have to provide their approval, the path to full implementation across all 28 member states in 2018 has really begun.

For those of you that have allowed this to slip under the radar the General Data Protection Regulation will replace the current EU Data Protection directive. With it being implemented as a regulation rather than a directive it will also replace any local laws across all 28 member states without having to go through any local legislative process.

The GDPR is billed as strengthening individuals’ data protection rights, giving Europeans a greater say in how their data is used — as well as seeking to streamline some elements of compliance for businesses.

Within the GDPR existing rights are not majorly extended but they are clarified:

  • The right to be provided with fair processing information will be expanded. At a basic level the data controller will need to provide more detailed information, such as the source of the data and the retention period (why would you not be doing this already?). In addition, the GDPR requires this information to be provided in an intelligible form, using clear and plain language that is adapted for the individual (again why would you not be doing this already?). If you are subject to laws on equality this requirement will present you with little challenge. Minor tweaking will be needed with minor inflections in language used depending on whether they are aimed at children or adults.
  • Regarding the right of access, under the GDPR proposals, data controllers will be required to provide additional information to individuals (e.g. storage period of the data). The new requirements will be somewhat more burdensome for businesses – in particular, businesses will need to set up a specific process in order to deal with access requests. Unless the request is “manifestly excessive“, data controllers will in principle be obliged to provide the information free of charge (say good bye to the £10 fee).
  • The rectification right is mostly the same and the changes will have very limited practical impact.
  • More significantly, the right to object is now broader as, when the processing is based on the legitimate interests of the controller or is undertaken for direct marketing purposes, the individual can object without having to provide specific justifications.
  • The right to be forgotten where the retention of such data is not in compliance with this Regulation or with Union or Member State law to which the controller is subject. This could cover instances were consent to process data was given as a child but the individual was not fully aware of the implications of such processing. Removing such data could prove difficult for most organisation if they hold not register of information assets. Certainly for online processors there is an expectation that you take reasonable measures to remove data from other processors. You responsibility does not end with your copy of the data.
  • The right of data portability has been created in order to improve the interoperability of data processing. It will however place a heavy burden on the data controller as it imposes a requirement to provide personal data to the data subject in a commonly used format. It will not be enforced on processors that process personal data for compliance with legal requirements, or process it in the public interest, or in the exercise of an official authority vested in the controller.

In simple terms:

  • All businesses will have to update and revamp their privacy policies and data protection notices to make sure that the extended rights are properly addressed. Businesses should check that the data protection notices that they provide to individuals contain all the required information and it’s accessible and tailored to the data subject’s needs.
  • Businesses will need to assess whether they should put in place new or updated processes and procedures to deal with the practical implications of the extended rights, e.g. a specific data procedure for dealing with access requests.
  • The right to be forgotten and the right of portability will almost certainly require changes to organisations’ operational processes and IT systems. In simplistic terms you really must get a handle on what personal data you have, where it is and if you provide it to any secondary processors. How do you ensure you can provide it to a data subject or ensure you fully remove it from your system and other processors remove it from theirs?

The Weatherspoons Breach – and why you should ensure historic personal data is secured

By Paul Brennecker, PCI QSA, PCI PFI, PCIP, Principal QSA, Security Risk Management Ltd

 

Last week we saw another significant breach of over 650,000 records of customers’ data from pub chain Weatherspoons.

See article http://www.theregister.co.uk/2015/12/04/wetherspoons/

This data was historic and was residing on a webserver that was no longer current, going to show that knowing just what data is hanging around (and dealing with it) is so important. Not all of this data was captured in the traditional transaction environment, with sales of vouchers being the primary source.

When conducting a PCI assessment it is always important to identify every source of incoming data, otherwise it is all too easy for things to get missed and sit around waiting for some unwanted attention.

It is worth noting that the law has specific requirements regarding the storing of historical data; in particular Principle 5 of the Data Protection Act which says that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes” and Requirement 3 of the PCI standard which provides guidelines on protecting stored cardholder data.

Hopefully the small number of credit card details included in this hack will not cause significant problems but it is going to cause a headache for those involved.