Monthly Archive August 2017
US statistics warn of new trends in cybercrime: how a retained PFI can mitigate the risks
Statistics provide useful evidence of the trends developing within the world of information security. Figures compiled from reported attacks in the United States for July 2017 give us a breakdown of attacks sector by sector, providing some useful insight into the minds of cyber attackers and their motivation. As we all know, cybercrime is international and these trends are likely to be reflected in the UK in the coming months. The key figures from this latest research show an increasing trend towards attacks on individuals and an increase in the number of attacks motivated by crime.
In fact, the number of cyberattacks on individuals in the US doubled between June and July 2017. In June 14.1 per cent of recorded attacks were targeted at single individuals but in July this figure had increased to 27.5 per cent. Of course, this still means that other sectors account for nearly three quarters of all cyberattacks. Industry (26.1%), Government (8.7%), Healthcare (8.7%) and Finance (5.8%) were the other major targets.
As for motivation, that 84.1 per cent of attacks in July 2017 were motivated by cybercrime is no great surprise. The fact that this particular motivation has increased by 15.3 per cent since June, however, is worthy of note. Rogue individuals with the requisite skill set have long been attracted by financial reward, yet in the past Cyber Espionage, Cyber Warfare and Hacktivism figured more significantly in these statistics. So theft is on the increase.
What does this mean for UK businesses? Given that the trend is toward an increase in crimes on individuals it may not be obvious. But we have noticed a correlation between an escalation in individual attacks and a heightened awareness among the business community. This is perhaps due to the power of the media but also to the even greater power of word-of-mouth. When a businessperson becomes aware that someone they know has had their account hacked, they will be more likely to look to their business’s online security.
As far as we are concerned, any news of this type is helpful, because the fact is that cybercrime is on the increase. Whether it is the slow and subtle syphoning off of funds from an unsuspecting retailer or a massive, much-publicised hack demanding ransoms like the one inflicted on HBO, theft is nowadays more likely to be an online activity than a physical one.
If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. That is why increased awareness is always a good thing. The more businesses that retain an information security consultant to ensure their defences are robust, the fewer will be hacked. Those who trade online also benefit from a PCI Forensic Investigator (PFI) to protect their card payments.
SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We also provide a bespoke retained PFI service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted cost-effective solutions.
Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a company’s systems, remediation is rapid and disruption minimal.
Government 2017 cyber security health check reveals many FTSE 350 companies are not prepared
Monday’s Government survey of Britain’s FTSE 350 companies has revealed some worrying statistics. The report analyses how the boards of the UK’s largest businesses deal with cyber security and data protection challenges. When it comes to the results of the 2017 FTSE 350 Cyber Governance Health Check report, however, it is difficult to decide which figures should be the cause of greatest concern.
Is it the fact that two-thirds of FTSE 350 boards have not been trained to deal with cyberattacks? Or that 10 per cent have no response plan in the event of a cyberattack and over 40 per cent have no clear understanding of what impact an attack might have on them? Or, given the fact that the General Data Protection Regulation (GDPR) becomes law on 25th May 2018, is it the fact that only 6 per cent say they are completely prepared for the new data protection rules?
Of course there will be individuals within each of these companies who have specific responsibility for information security and compliance. In larger companies these will probably be Chief Information Security Officers (CISOs). But the fact that the report identified boards rather than CISOs reflects the importance of top level engagement to support and resource this important work.
Large fines, such as those imposed on TalkTalk, may be going some way to putting information security at the centre of board agendas. But it is worth pointing out that when GDPR comes into effect next year, the Information Commissioner’s Office (ICO) will have the authority to impose fines that are 79 times higher than under current data protection legislation. This will take the monetary value of data protection fines to another level and make board level responsibility even more of a necessity. Boards cannot simply delegate responsibility to a data protection officer (DPO) or the CISO. Every member of the board must buy in to the cyber security process and support those on the front line of cyber defence and data protection compliance.
By developing a board-level strategic approach to cyber security and data protection, it is possible to build a robust defence against cyber criminals and stay on the right side of GDPR. SRM has experience and expertise in all areas of information security and works with every size and type of business from FTSE 350 companies to SMEs, charities and government organisations. We are able to both advise at board level and manage the process on the front line. Our approach is collaborative and is tailored to the specific requirements of the individual organisation.
If board level engagement provides support and resource for the challenges ahead, there is every chance that the 2018 FTSE 350 health check will bring better news.
How poor data-stripping can expose organisations to Spear Phishing attacks
A survey for the BBC has discovered that poor data-stripping on websites leaves information in place which provides valuable intelligence for Spear Phishing attackers. By not removing key metadata, organisations are providing potential hackers with a doorway into systems which are otherwise well-defended.
This survey comes at a time when the number and extent of breaches continues to rise, with hacking reportedly accounting for 41% of disclosed breaches. At the same time, organisations are racing to comply with the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018. With significantly larger fines in prospect, many organisations will do well to include data-stripping in their information security defence strategy or risk being unknowing victims of a sophisticated breach.
In the BBC’s research, target websites were ‘scraped’ for several days, with samples taken from files, pictures, PDFs, spreadsheets and other publicly available documents. During this process, metadata was retrieved which betrayed key information about the people who created the files, when they did it, and the version of the software and machine which they used.
This type of data cache provides a perfect starting point for a sophisticated Spear Phishing attacker to relate the names buried in the documents to real people. Using social media, useful information on individuals can be obtained. The more information hackers can obtain, the better they will be able to customise their attack.
Emails are then sent out which appear to the majority of recipients to be authentic. But they contain booby-trapped attachments. In some cases, the virus code that attackers bury in the malicious attachments can lurk until it hits the device used by a particular target.
This is because Chief Executives and senior directors are rarely targeted directly. It is much more usual for their assistants or teams to be the first point of contact. These people are often in positions where they will have access to company sensitive information or records as well as direct online access to the real targets. Sometimes even passwords are secured this way and all this happens long before any breach is discovered. Emails requesting information will not in these instances be seen as suspicious and once armed with details a range of criminal activities can be undertaken from re-directing payments to the criminals’ bank accounts to demanding ransomware payment from the organisation itself.
It is, of course, wise to include meta-searching for information from website files and stripping out data as part of routine security. While it is policy in many firms to do so, there is not always the due diligence and process to carry it out. A public information search can, however, be included as a phase within a penetration test. Penetration tests conducted by qualified experts will provide intelligence on specific areas of weakness within a system. If included in the scope, meta-searching and data-stripping can ensure that the company’s digital footprint leaves no traces for potential hackers to exploit.
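As an illustration of the data-stripping step described above, the following Python sketch audits an Office Open XML file (.docx, .xlsx, .pptx) for author, date, software and company properties before publication and writes a cleaned copy. It is an added example, not code from the BBC research or from SRM; the function names and the sample document with its property values are constructed for the illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML (.docx/.xlsx/.pptx) parts that hold document properties.
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")
# Properties that name people, dates, software or the organisation.
SENSITIVE = {"creator", "lastModifiedBy", "created", "modified",
             "Application", "AppVersion", "Company", "Manager"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # '{namespace}creator' -> 'creator'

def audit(package: bytes) -> dict:
    """Return {property: value} for each populated sensitive property."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for part in PROPERTY_PARTS:
            if part in zf.namelist():
                for el in ET.fromstring(zf.read(part)):
                    if local(el.tag) in SENSITIVE and (el.text or "").strip():
                        found[local(el.tag)] = el.text.strip()
    return found

def strip(package: bytes) -> bytes:
    """Copy the package, removing sensitive properties; other parts are untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in PROPERTY_PARTS:
                root = ET.fromstring(data)
                for el in list(root):  # properties are direct children of the root
                    if local(el.tag) in SENSITIVE:
                        root.remove(el)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(name, data)
    return out.getvalue()

def sample_docx() -> bytes:
    """Constructed sample package; every property value here is made up."""
    core = ('<cp:coreProperties xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cp='
            '"http://schemas.openxmlformats.org/package/2006/metadata/core-properties">'
            '<dc:title>Annual report</dc:title><dc:creator>j.example</dc:creator>'
            '<cp:lastModifiedBy>a.sample</cp:lastModifiedBy></cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/'
           'extended-properties"><Application>Microsoft Office Word</Application>'
           '<AppVersion>14.0000</AppVersion><Company>Example Ltd</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in (("docProps/core.xml", core), ("docProps/app.xml", app),
                           ("word/document.xml", "<document/>")):
            zf.writestr(name, body)
    return buf.getvalue()
```

Running `audit()` over every file in a web root before it is published, and failing the release when the result is non-empty, turns the policy into a process. The sketch covers only the OOXML property parts; PDFs, images, tracked changes and comments carry their own metadata and need separate handling.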
How US internet giants are tackling the issue of GDPR compliance
It is rare that anyone ever feels much sympathy towards the behemoths of the internet, Facebook and Google. But spare a thought for these giants when it comes to them implementing the upcoming General Data Protection Regulation (GDPR). Due to become law for all organisations handling the data of EU citizens from 25th May 2018, the GDPR’s reach extends much wider than Europe itself, meaning that in spite of the fact that US data protection laws are significantly less onerous, global companies will be compelled to fall into line. With the capacity to impose fines of up to £17m or 4 per cent of global turnover (whichever is higher) even Facebook and Google are having to sit up and take notice. Yet the two companies are currently handling the issue of data protection very differently.
One of the main principles of GDPR is the ‘right to be forgotten’. Under GDPR people must give explicit consent for their personal information to be collected online, meaning that ‘opt out’ boxes will be replaced with ‘opt in’. Individuals will also be able to ask for any personal data held by companies to be deleted and details of any information held must be easily available and at no cost.
Google has publicly stated that it will be ready. Two Google executives blogged in May that “Our users can count on the fact that Google is committed to GDPR compliance across G Suite and Google Cloud Platform service when the GDPR takes effect on May 25, 2018… We’re working to make additional operational changes in light of the new legislation, and will collaborate closely with our customers, partners and regulatory authorities throughout this process”. Given the scope of Google’s business this commitment will require detailed process and a significant investment but it will no doubt have a beneficial impact on the organisation’s worldwide reputation.
Facebook has made no such promises. Having already dropped into hot water when the European Commission fined it £95m for providing misleading information when they purchased WhatsApp in 2014, it was also fined £129,000 by French authorities in May 2017. This was because of its questionable data sharing and user tracking. In Italy, its new acquisition WhatsApp was recently fined 3 million Euros for making users agree to share personal data with Facebook. In addition, Facebook is also being investigated by authorities in Belgium, the Netherlands, Germany and Spain for data privacy violations around the tracking of users and non-users and the use of their data for advertising. This is all before GDPR becomes law.
Facebook’s seemingly cavalier attitude toward data protection is perhaps better understood in the context of the new American administration. On 3rd April 2017 President Trump signed a new law making more personal data legally available. Overturning the previous legislation, Internet Service Providers in the United States are now able to access and use all but the most sensitive personal information. Much of this personal data is likely to be harvested and sold to digital advertisers. Yet as long as its reach is global, Facebook is still bound to the legislation in Europe, just like the rest of us. Mark Zuckerberg would be wise to embrace the change rather than fight it, because the cost of non-compliance will be immense.
GoT2: What the Game of Thrones HBO ransom reveals about White Hat Hackers
As Game of Thrones fans watch the unfolding drama in Westeros on their TV screens, corporations around the world are equally riveted by the now public battle for HBO’s data. The ransom message sent to Richard Plepler, CEO of HBO, not only outlines the terms of the attack team’s demand, including an image of the Night King balancing out HBO’s options, but also reveals a great deal about the hackers themselves.
Identifying himself as Mr Smith, the spokesperson makes a few things clear. Although demanding an undisclosed number of millions of dollars, the ransom note, which is now being publicly shared on Facebook, states (in his own words): ‘Our motives isn’t political nor financial. (Even we hate trump like other Americans do). Its like a game for us, we enjoy to get data. Money isn’t our main purpose.’
Mr Smith is also at pains to differentiate himself and ‘his colleagues’ from other hackers who were notably involved with the Netflix breach earlier in the year: ‘We are whitehat hackers and it’s very shameful if you compare us with some noisy & amateur blackhat ones like Darkoverlord’. The term ‘white hat’ comes from Western films, where the heroic cowboy wears a white hat and the bad guy wears a black one. It is now used as internet slang for an ethical computer hacker, or a computer security expert who specialises in penetration testing and in other testing methodologies to ensure the security of an organisation’s information systems. Whether an organisation demanding millions of dollars ransom can ever be described as ‘white hat’ is doubtful, although Mr Smith is at pains to disagree.
‘Don’t call us nasty Hackers, we are IT professionals, consider what is done to you as a huge pentest’, he writes. In fact Mr Smith’s email reveals that ‘HBO was one of our difficult targets to deal with but we succeeded. (It took about 6 months)’. But keen to elevate his whitehat ethics he continues: ‘You will see in future steps in our operation that we fulfil any promises made and any given word…The answer is simply: we are white-Hat. You must trust us. The HBO is our 17th Target. Only 3 of our past targets refused to pay and were punished very badly and 2 of them collapsed entirely’.
Ridiculing the ‘greedy CEO or an Idiot one who doesn’t understand the new era of cyberspace’ Mr Smith explains why his organisation has out-foxed a number of corporate giants. He asks, ‘How are you able to stop a group like us that spends about 400 – 500,000 dollars in a year to buy 0days exploits? We often launch two major operations in a year and our annual income is 12 – 15 million dollars. We are serious enough to do our business, the main question is: How much is your seriousness to keep your empire on its feet in a BRAVE NEW WORLD?’
Providing a leakage schedule, Mr Smith has given Richard Plepler three days to respond to the group’s demands and warned against bringing in the FBI or ‘other f***ing IT idiots’. It is too late for that, he claims. Providing a simple choice between a Bitcoin transfer and the destruction of the HBO empire, he invites them to ‘declare your surrender!’ and decide between falling or standing as a media giant.
How HBO’s CEO feels right now is anyone’s guess. His situation is in some ways comparable to that of the warring houses of George R R Martin’s creation. For years they thought their enemies were each other but are now realising that the real enemy is one few of them have ever seen. Richard Plepler and HBO had probably considered their competitors to be their enemies, but now see in this Brave New World of cyberspace that the real enemy is also the unseen one; and on this occasion, one who claims to wear a white hat.
Instances like the HBO attack are, thankfully, rare but the case brings to light a number of important points for CEOs everywhere. Firstly, do not underestimate the determination, ingenuity and skill of hackers. Secondly, conducting your own penetration testing and vulnerability assessments is preferable to having a hostile outsider do it for you. SRM has many years’ experience in all aspects of information security and has a team which is experienced and highly skilled in penetration testing, vulnerability assessments and ethical hacking. In short, we are the good guys; the real White Hat Hackers.