Posts by: Tom F

Can Decision Cycles help us maintain the initiative in cyberspace?

As our world gets increasingly complex we must choose the levers we use to influence it with care. One way to look at this is through the lens of decision cycles.

For those not familiar with this concept, decision cycles are the cyclic process through which we perceive a stimulus, understand its implications, decide on a response and implement that decision. (There are a number of models and references). Simplistically, if we can make effective decisions quicker than our opponents, then we will, theoretically, hold the initiative.

The decision cycle lens is a useful one for those responsible for making decisions about cyber related issues as it throws any dangerous policies into harsh relief.

Most businesses work in a world where their policies, and here I’m talking about management intent rather than paperwork, refresh on a 12 month cycle based on standards which tend to refresh on a 5 year cycle. I note many will be smiling ruefully at this optimistic view!

In today’s information environment many of our risks are changing on a much smaller (faster) cycle, measured in days and weeks rather than months. Our operational tempo is defined not just by the speed of change, but by the way that the speed of change is accelerating.

This presents us with an exciting challenge; if we rely on static policy and processes – and many organisations still do – then we must expect our adversaries to outmanoeuvre us, and our risks to out evolve.

Where does this take us? Decision Cycle theory gives us a number of areas where we can hard wire agility into our business systems.
* Firstly, we can ensure that our warning, reporting, alarm and monitoring systems (Technical and Procedural) are tuned to report those events that most concern us.
* Secondly, we can ensure that we fully understand our own vulnerabilities and sensitivities, and the impact that adverse events will have on our operations. We can test and exercise those scenarios that most concern us. We can challenge our own assumptions. This will enable us to understand impacts and qualify outcomes more quickly.
* Thirdly, we do need to understand our own options, their limitations, and review these on a regular basis. This will enable us to make decisions more quickly.
* Finally, we need to ensure that our implementation of these decisions are well planned and where possible, practiced. We must also review effectiveness at every level and make changes that are required at any part of the cycle.

All of this would seem to be common sense… though is often not done in practice. There are many reasons for this, ranging from technical inertia to process stagnation. The important thing is that we acknowledge and track our challenges – then we can mitigate the changing risks.

If we are able to design agility into our business systems and processes, and if we tune our organisations so that we can take a proactive posture, then we can keep the initiative. The simple decision cycle model then gives us an easy way to challenge our posture on a regular basis to establish where and when change is required.

This is not rocket science, but many of us do seem to find it surprisingly hard. This simple model is one way of stepping forward and bringing effect to bear in our defence.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Security by Design.. a little thought can save a great deal of expense!

Security consultants talk about “Security by design” … and to be fair, most of us believe in it! The trouble is that to much of society, it is at best, an intangible aspiration, and at worst… a mindless industry cliche. As a result the benefits are often missed in practice. This is particularly true in many smaller organisations where it is often seen as an expensive luxury.

There is a perception that cyber security is a complex technical issue that is beyond most normal folk. Whilst there are some aspects of Cyber which can be horribly complex, there are also powerful actions that we can all take to make ourselves a harder nut to crack… regardless of our technical ability or our role in society or in organisations.

The key is to acknowledge that we are not alone, and that our actions (or lack of them) influence the way potential attackers behave….and the opportunities open to them. We can make a potential attacker’s job hard or easy just as we can make ourselves appear an attractive target… or make it clear that we are not worth the effort.

This is more than basic cyber hygiene (eg antivirus, passwords and firewalls – these are, I’m afraid, a given) …it is about how we think and how we behave. Specifically, it is how we set ourselves up – as individuals or as organisations.

For example, as individuals…rather than blindly carrying everything around on a laptop, we might decide that particularly sensitive information needs special protection and we might decide to make it less available to an attacker … perhaps we might decide to save it on encrypted drives or keys and lock it up safely with our critical paperwork when we are not using it. In doing so we are applying the common sense and thought processes we use with our tangible belongings – to our intangible ones; our information.

For larger infrastructures, a little thought about structure can give defenders a significant advantage over attackers. We can make sure that access to our systems are controlled and force everyone entering a system to pass through or over areas that are closely monitored. If we are working on particularly sensitive information, we might choose to change the frequency that we test our systems.  We can seek to create an environment where we have the upper hand!

This logic isn’t new…Think of medieval spiral staircases which were generally designed to favour a right handed defender..(though I note that in the fortresses of the Kerrs, an Anglo-Scottish Riever family who were reputed to be mainly left handed, the spiral allegedly went the other way! Someone had clearly thought about it!)

If we treat our intangible and invisible information assets in the same way that we treat our physical valuables… then we can make things a lot harder for an attacker.

If we fail to control our own behaviour and our environment then we will undermine even the most effective (and expensive) technology. A little thought and common sense can save a great deal of expense.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

NotPetya – does society need to start thinking differently?

Talking to a well-respected and hitherto successful businessman at an event recently, he mentioned the NotPetya malware attack and then dismissed it as  “another one of these spotty teenagers misbehaving – something I leave to my technical boys”.  It was very clear from his comments that his perception of cyber risk is that it is, at most, peripheral.  I will not identify his business out of courtesy, but I would have said he is likely to be a pretty high value target, and is probably custodian of a huge amount of valuable information belonging to 3rd parties.

One of the most striking things about the recent series of global cyber attacks is what appears to be a subtle shift in motivation for some of these events…. Whilst the analysis continues and our understanding will continue to develop, there is a clear shift in some of these attacks from cyber banditry to strategic attack. Whilst this is not necessarily a new phenomenon, it is now something that should be understood as mainstream operational risk by those running organisations.

Even if we set aside many of the practical and technical implications (which are widely covered elsewhere), the moment we become part of a strategic target, valuable for our collective value, rather than as an individual target, valuable for our own intrinsic value, then we can expect to see a very different attack tempo. Where attacks are motivated by anarchy rather than theft, the rules change significantly. When the rules change, our response may need to change too.

This shift is analogous to the evolution of the doctrine of asymmetric warfare over the past two decades where it has become clear that the fundamental differentiator is not the way that protagonists behave, but the fundamental value set and drivers that shape their strategy, behaviours and decisions. If, for example, our security strategy is based on the assumption that we can remain safe by creating conditions which are too unsafe for a potential attacker, we become vulnerable to attackers who either care little for safety, or perhaps define it differently to us. This, of course, is the paradigm that underpins suicide bombing as an attack strategy in the physical and space.

Where does this leave us?

As individuals and organisations, we need to think a little about those who might seek to compromise us and what drives them. It is no longer viable to dismiss these attackers as vandals those who behave badly; just as it is no longer sensible to repeatedly hit the “update later” button when our machines ask us whether we would like to update them. Senior decision makers dismiss cyber security as something purely for the technicians to manage at their peril.

Wherever we sit in society or in the workplace, we all need to make a little effort to understand a little about the digital environment and how to stay safe in it. Specifically, we need to think a little about those who may be using this environment to exploit us or do us harm. Whether we read e-books, tablets, hardbacks or red tops – there is material out there to suit most tastes. If that fails there are increasing numbers of people and companies who are able to advise.

Whilst we are not all expected to be experts, we should all have an informed view that is consistent with our role!

The environment we live and survive in is changing, and we either embrace that changing environment, and take responsibility for our own safety, or we should expect to be exploited as a a commodity.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Emerging Trend: Persistent JavaScript Ecommerce Malware

Our analysts report another trend that Administrators should be aware of.  This is a JavaScript-based eCommerce malware that enables the malware to re-infect websites automatically upon incomplete removal.  It has been identified as a new technique being used by cyber criminals.

This type of malware obtains its persistence by modifying databases to force the injection of a malicious JavaScript file into an eCommerce webpage. By targeting databases, the malware therefore becomes resilient to normal removal attempts. Cyber criminals have recently used this technique to target eCommerce merchants by successfully injecting the JavaScript code into a database field of a merchants website and compromising payment card data.

This malware reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of websites can be done with the following processes:
1. A database trigger is added to the order table, which injects the malicious JavaScript link into the website template fields.
2. The trigger is executed every time a new order is made.

Scanning for malicious code in HTML files is not sufficient enough to detect this malware alone. Analysis of the database is required to ensure a proper clean-up of JavaScript eCommerce malware is conducted.
Regular scanning of webservers for malware is one recommended mitigation measure eCommerce websites can take to identify security vulnerabilities. Another recommended best practice is to check for malicious database triggers on eCommerce websites and subsequently remove these.

If you are in doubt, contact the SRM  team who can arrange to run a check for you!

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Ransomware – Could it be you?….

Complacency has always been the enemy of safety; in today’s world, we are all vulnerable!

The digital (cyber) environment may sometimes be opaque and difficult to understand, but it is a contested environment. If we seek to operate within it, and exploit its advantages, we must actively engage or expect to become a victim.

As I write a number of organisations worldwide, are reeling under the hammer of what appears to be a thoroughly industrialised Cyber Attack. Many of these affected organisations have (or claim) a reputation for strong governance. There is no-one, reading this, who doesn’t have actions that they should have taken or should be taking now.

Whilst it is tempting to view this sort of event as spectators, anyone reading this is unlikely to be invulnerable, whether we are part of an organisation or an individual. There are steps we should all be taking to reduce risk to ourselves or our organisations. We ignore these responsibilities at our peril.

Those who are responsible for the safety of organisations will have already taken actions to ensure that they are as safe as possible. This is part of baseline governance needed in today’s world and no organisation can claim to be competently run if it doesn’t have an effective Information or Cyber Security Management System. If you have one – you will probably know about it!

If you haven’t – then now is a good time to start – and if necessary get in touch with someone who can help you. (if you can’t think of anyone specific or are worried, www.srm-solutions.com is a good place to start!) There are a number of excellent schemes and established practices that you can use to raise the bar for attackers. If you have done nothing else yet – at least look at the Cyber Essentials Scheme as a first step.

If you don’t know who is responsible in your company – check – it could be you!

As individuals, however, we are still potential victims of attacks like this, but if we practice basic Cyber Hygiene we dramatically reduce the risks to ourselves and those around us.

Make sure our defences are strong:

Ensure our Anti Virus (even on a mac!), firewalls and software are all up to date and switched on.
Scan our systems with Anti Virus, and do this regularly when attacks are going on.
Stay alert to any suspicious emails, messages and don’t open anything suspicious. If someone sends you something suspicious. Contact them separately to check it is legitimate.
Check that we are using difficult to guess passwords, and that we are not exposing the password protecting our “crown jewels” on untrusted internet sites or unprotected devices.
Check our bank and card statements – Regularly!
Think it through from an attacker’s perspective.

Make sure we are resilient:

Ensure our information is backed and kept somewhere where it isn’t connected to the internet or our main system (e.g. a CD or a Backpack Drive).
Ensure we keep all backup data safe – and if possible encrypted. Ideally under lock and key.
Ensure that any critical information is held safely so that it will be available in the event that our main system is unavailable.

Make sure we know what to do if we are compromised:

Write down a simple plan – stick it on the fridge or the filing cabinet – somewhere we can find it!
Don’t pay ransoms – we shouldn’t need to!
Know who we are going to contact for further advice in emergency.

Don’t Assume – Check that you are as safe as you think you are. Do this periodically and when the risk rises:

Check our Backups are being taken (and that your drive is not full). Check that we can restore them and that they are not corrupted.
Check that you can access your critical data and files if your main system is down.
If you don’t know how to do any of this – learn now – these are basic survival skills! If you have friends or family members who may not be able to do this – it may be worth contacting them to check they are not exposing themselves inadvertently.

Whether we are acting as individuals or are responsible for the safety of an organisation, this is no longer something for someone else to do – we all have a part to play, and must play it to the best of our ability.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

SRM Blog

SRM Blog