Lessons in War

NotPetya – does society need to start thinking differently?

Talking to a well-respected and hitherto successful businessman at an event recently, he mentioned the NotPetya malware attack and then dismissed it as  “another one of these spotty teenagers misbehaving – something I leave to my technical boys”.  It was very clear from his comments that his perception of cyber risk is that it is, at most, peripheral.  I will not identify his business out of courtesy, but I would have said he is likely to be a pretty high value target, and is probably custodian of a huge amount of valuable information belonging to 3rd parties.

One of the most striking things about the recent series of global cyber attacks is what appears to be a subtle shift in motivation for some of these events…. Whilst the analysis continues and our understanding will continue to develop, there is a clear shift in some of these attacks from cyber banditry to strategic attack. Whilst this is not necessarily a new phenomenon, it is now something that should be understood as mainstream operational risk by those running organisations.

Even if we set aside many of the practical and technical implications (which are widely covered elsewhere), the moment we become part of a strategic target, valuable for our collective value, rather than as an individual target, valuable for our own intrinsic value, then we can expect to see a very different attack tempo. Where attacks are motivated by anarchy rather than theft, the rules change significantly. When the rules change, our response may need to change too.

This shift is analogous to the evolution of the doctrine of asymmetric warfare over the past two decades where it has become clear that the fundamental differentiator is not the way that protagonists behave, but the fundamental value set and drivers that shape their strategy, behaviours and decisions. If, for example, our security strategy is based on the assumption that we can remain safe by creating conditions which are too unsafe for a potential attacker, we become vulnerable to attackers who either care little for safety, or perhaps define it differently to us. This, of course, is the paradigm that underpins suicide bombing as an attack strategy in the physical and space.

Where does this leave us?

As individuals and organisations, we need to think a little about those who might seek to compromise us and what drives them. It is no longer viable to dismiss these attackers as vandals those who behave badly; just as it is no longer sensible to repeatedly hit the “update later” button when our machines ask us whether we would like to update them. Senior decision makers dismiss cyber security as something purely for the technicians to manage at their peril.

Wherever we sit in society or in the workplace, we all need to make a little effort to understand a little about the digital environment and how to stay safe in it. Specifically, we need to think a little about those who may be using this environment to exploit us or do us harm. Whether we read e-books, tablets, hardbacks or red tops – there is material out there to suit most tastes. If that fails there are increasing numbers of people and companies who are able to advise.

Whilst we are not all expected to be experts, we should all have an informed view that is consistent with our role!

The environment we live and survive in is changing, and we either embrace that changing environment, and take responsibility for our own safety, or we should expect to be exploited as a a commodity.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

The flaw in the plan: business continuity management

When is a plan not a plan? When it is an out-of-date plan. The latest research from the industry-respected Ponemon Institute, reveals that 26 per cent of IT and IT security professionals from UK companies have some sort of cyber resilience plan, but that 49 per cent of these have either not reviewed or updated it since it was first put in place.

In a world where the sophistication and determination of malicious attackers is on the increase, this is concerning. Because it effectively means that nearly half of those who have actually made a concerted attempt to develop cyber resilience are not actually maintaining these defences. So, when even those who have put in place a strategic plan are failing to update it, where does this leave UK organisations and businesses? Well, at the very least, it puts those with an up to date, regularly reviewed plan at a sound competitive advantage.

Research shows that a Business Continuity Management (BCM) plan, applied consistently across the entire enterprise with senior management’s support makes a significant difference in the ability to achieve high level cyber resilience, thus protecting financial and reputational assets. Made up of the Business Continuity Plan (BCP), Disaster Recovery (DR) plan and Business Impact Assessment (BIA), the BCM process identifies risks, threats and vulnerabilities that could impact an entity’s continued operations in the face of potentially damaging attacks. An effective BCM plan provides a framework for building organisational resilience and the capability for an effective response; but it also goes further than that.

An overarching strategic plan also sets out how the individual BCM strategies will be delivered into the future. This includes the assigning of responsibilities, the establishment and implementation of BCM within the organisation and its ongoing management. Properly executed, this not only builds in a level of business resilience but also the capacity to continue to adapt quickly to disruptions, maintain continuous business operations and safeguard people, processes and technology into the future.

Planning is the key to an effective strategy, as is exercising the plan to ensure that it is effective and continues to support the business appropriately. It is worth considering bringing in professional expert support at this stage to assist in developing and maintaining an ongoing BCM plan that not only ticks the boxes but actually has a scheduled updating process, delivering optimum results in the event of a breach. The cost of professional input is cost effective in the context of restoring business function.

To find out more visit Business Continuity Management

What is an Incident Response Plan?

Information security breaches can and do happen, even to the best prepared organisations. Every year, companies that have demonstrated ongoing PCI DSS compliance will still fall victim to an information security breach. Because, in the war for our card data security, the enemy always has the element of surprise.

Most can imagine a scenario which would compromise their security. A serious fire destroying the whole office function. A rogue employee exposing customer data. A terrorist or criminal hacking their systems. With a war fought on so many fronts, however, it is impossible to defend against all attacks. Because an organisation that is defended to the hilt is also likely to be impenetrable, and therefore not in the business of doing business.

In this war of attrition, some attacks will get through. And the repercussions could be disastrous if there is a long delay in getting the business back on its feet. But the aftermath need not be catastrophic. Recovery can be accelerated to restore normal trading in the shortest possible time frame. That is where a robust Incident Response Plan comes in. Not only does it go a long way toward anticipating and avoiding potential disasters but if an organisation is compromised, it will mitigate the damage and accelerate the road to revenue and reputational recovery.

PCI DSS Requirement 12.10 states that entities must “be prepared to respond immediately to a system breach.” Guidance notes go on to state that such a plan should be “thorough, properly disseminated, read, and understood by the parties responsible”; and include proper testing at least annually to ensure the process works as designed and to mitigate any missed key steps to decrease exposure.

In reality, while all PCI DSS compliant organisations have a degree of incident response capability, in some cases this is simply a box ticking exercise. Few have an adequate Incident Response plan which fully outlines the process for recovery in any number of situations and provides a framework for rapid restoration.

Planning is the key to an effective strategy. It is also important to consider bringing in professional expert support at this stage to assist in developing and maintaining an Incident Response plan that not only ticks the boxes but actually delivers in the event of a breach. If a breach does occur, having engaged professional support, it means that there are expert investigators with an intimate knowledge of your organisation on standby. They will ensure the breech is stemmed, card holder data is secured and revenue generating activities suffer minimal impact. The cost of professional input must be seen as cost effective in the context of restoring business function.

Multi Factor Authentication – why is this something that is so commonly misunderstood?

“The single biggest problem in communication is the illusion that it has taken place.” said George Bernard Shaw. This can be true in so many aspects of life and unfortunately, it is all too often reflected within the world of Information Security. It is common for many of us to think we have got to grips with a solution to a problem, only to realise half way through that the problem is not quite as we envisaged.

Take the case of “Multi Factor Authentication” (MFA), meaning the use of multiple methods of authenticating ourselves to one another, or to a computer system or application. We had all become used to the phrase “Two Factor Authentication”, meaning that we need two different credentials to provide this authentication. Seem simple enough to extend this out to “Multiple” means of authentication right?

Well – as it turns out, this is still an area that causes confusion, even before we changed the wording to make things even more vague! So, what is the problem? Let’s go back to the start.

We all use MFA without giving it much thought on a regular basis. Whenever we go shopping or take money out from an ATM, we are using MFA. In short, in any Chip and Pin transaction there must be multiple authentication methods, and these usually fall into the following categories:

  • Something you know (such as a password or PIN)
  • Something you have on your person (such as a Bank card or a USB stick generating a Token)
  • Something you inherently are (such as a biometric like fingerprint or retinal scan)

When accessing a system that requires you to authenticate yourself in more than one way we present two or more of these values to the authentication system. So why is there still confusion?

Well – it is easy enough to get this mixed up. Take the following scenario into consideration; “I log onto a system with my username and password, and then I access a database application with a separate user name and password. That is Multi Factor isn’t it?” – NOPE!……this is single factor being used multiple times, and is often the cause for much confusion.

In order for Multi Factor authentication to be truly implemented, at least two of the above means of authenticating yourself must be presented as part of the same log on procedure. So I present my User name and Password to my access application, which then also requests my fingerprint. This is two factor authentication. MFA is any access method that requires 2 or more authentication factors.

In the case of the trip to the shops, when I purchase something I present my payment card (something I have) and then I must enter my PIN, (something I know). 2 Factor Authentication. Apple Pay brings in another element in that it uses biometrics as the second factor, which is another step up the security ladder.

This is something that will affect us all in our daily lives as security tightens up to reduce identity theft and online fraud. How many of us have been given a PIN reader for use with our online banking accounts? This is generating a ‘second factor’ token for you to use alongside your password.

The PCI DSS version 3.2 now requires the use of Multi Factor Authentication for administrators accessing Payment Card systems from within the local network. MFA was previously reserved for remote access but the additional security that MFA brings is such that it is a useful tool, even from within trusted systems.

So, MFA is here to stay and when it is implemented well it should be easy and intuitive to use. There are lots of solutions out there, so finding one that suits your needs should no longer be a barrier to increased security.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

What are the common failure points of repeat info-security assessments?


Maintaining Compliance with any Information Security Standard is often a long and winding journey. You never quite know what is over the horizon or around the bend, so what things should we look out for when the times comes for that difficult second audit?

Long and Winding road

‘To lose one parent may be regarded as a misfortune; to lose both looks like carelessness’. So said Oscar Wilde. Of course, he was referring to human relationships rather than info-security audits and, like Mr Worthing in ‘The Importance of Being Ernest’, sometimes it is no one’s fault when a second misfortune strikes. But in the case of repeat info-security audits, we can see from the common failure points that there are lessons to be learned.

Common failure points in repeat assessments are:

  • Staff are not accountable and as a result, various tasks have not been completed. For example, the six-monthly Firewall Review. If it has not been diarised and no one has been given the task, who will remember?
  • Internal scanning is not always performed with the same diligence as external scanning. In reality they both require the same approach.
  • Payment procedures have been introduced that are at odds with the established methods for processing card data. A defined payment strategy is a great help here.
  • System patching: critical patches have not been risk assessed and may not have been applied within the 30 day window. A robust patching procedure is essential to limit exposure to risk.
  • Vulnerability scanning has identified errors that have not been fixed within the correct timescale or have not followed the correct change control or remediation process. Please note, an auditable process is required here.
  • Storage of encrypted card data: as part of the data discovery process, unencrypted card data is often found on desktops and servers. This is often in the form of unsolicited emails but breakdown in the payment strategy can lead to staff using unapproved methods of communication with customers.

A repeat info-security assessment tells you that whatever you did first time round was not sufficient to keep your organisation compliant. Like an MOT, a security audit is only a ‘snapshot’ of an environment at a given time. All too often, a security assessment is seen as a ‘tick box’ exercise rather than a programme of ongoing maintenance. For more on developing an effective Info-Security strategy, read our blog on ‘Navigating the minefield of info-security compliance’.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.