Banking Security

PCI – Europe Community Meeting Barcelona 24 – 26 October 2017

James Hopper and Paul Brennecker of SRM will be attending the Europe Community Meeting in Barcelona, 24th – 26th October. The three-day event, organised by the Payment Card Industry Security Standards Council (PCI SSC), will focus on the security of payment card data. Those who are attending are invited to make appointments with James and Paul to discuss any specific issues they may have and receive free advice from two of the industry’s experts.

James Hopper

James is skilled at providing strategic insight into the management and implementation of business-wide information security solutions. He is a clear-thinking no-nonsense problem-solver with wide experience in both the corporate and SME markets.

James joined SRM in 2016 and brings extensive senior management experience from within the worlds of Consultancy and IT. Previously with a large FTSE 100 Outsourcing Company as a Managing Consultant and the Operations & Innovation Director for a large NHS Organisation, he has overseen the scoping and implementation of plans from the very small to extensive national projects. His experience also includes delivery of major IT Transformation Programmes and senior assurance roles.

Paul Brennecker

Paul is a PCI DSS compliance guru. He regularly speaks at PCI conferences and writes on issues relating to card payment security. He is also a practising senior Information Security Consultant at SRM. He is currently engaged with a number of high-profile organisations, assisting them with their compliance programmes. As well as programme management and mobilisation of their PCI DSS compliance projects, Paul advises clients on their information security policies and on their implementation and training requirements. Paul has considerable skill at conducting pre-compliance scoping and de-scoping exercises, conducting gap analysis assessments, creating remediation plans and assisting with intrusion detection and prevention systems.

Paul joined SRM in March 2008 from Barclaycard. As their former PCI Compliance Manager, Paul successfully drove the compliance programme forward, worked closely with both VISA and MasterCard to raise awareness of the standard and was a regular keynote speaker at the industry’s security forums. Due to his substantial network of colleagues and industry contacts, Paul is a well-known and highly respected consultant, recognised for his approachable manner and depth of knowledge.

Simply email james.hopper@srm-solutions.com or paul.brennecker@srm-solutions.com to make an appointment.

US statistics warn of new trends in cybercrime: how a retained PFI can mitigate the risks

Statistics provide useful evidence of the trends developing within the world of information security. Figures compiled from reported attacks in the United States for July 2017 give us a breakdown of attacks sector by sector, providing some useful insight into the minds of cyber attackers and their motivation. As we all know, cybercrime is international and these trends are likely to be reflected in the UK in the coming months. The key figures from this latest research show an increasing trend towards attacks on individuals and an increase in the number of attacks motivated by crime.

In fact, the number of cyberattacks on individuals in the US doubled between June and July 2017. In June 14.1 per cent of recorded attacks were targeted at single individuals but in July this figure had increased to 27.5 per cent. Of course, this still means that other sectors account for nearly three quarters of all cyberattacks. Industry (26.1%), Government (8.7%), Healthcare (8.7%) and Finance (5.8%) were the other major targets.

As for motivation, it is no great surprise that 84.1 per cent of attacks in July 2017 were motivated by cybercrime. The fact that this particular motivation has increased by 15.3 per cent since June, however, is worthy of note. Rogue individuals with the requisite skill set have long been attracted by financial reward, yet in the past Cyber Espionage, Cyber Warfare and Hacktivism figured more significantly in these statistics. So theft is on the increase.

What does this mean for UK businesses? Given that the trend is toward an increase in crimes against individuals, it may not be obvious. But we have noticed a correlation between an escalation in individual attacks and a heightened awareness among the business community. This is perhaps due to the power of the media but also to the even greater power of word-of-mouth. When business people become aware that someone they know has had their account hacked, they will be more likely to look to their business’s online security.

As far as we are concerned, any news of this type is helpful, because the fact is that cybercrime is on the increase. Whether it is the slow and subtle syphoning off of funds from an unsuspecting retailer or a massive, much-publicised hack demanding ransoms like the one inflicted on HBO, theft is nowadays more likely to be an online activity than a physical one.

If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. That is why increased awareness is always a good thing. The more businesses that retain an information security consultant to ensure their defences are robust, the fewer will be hacked. Those who trade online also benefit from a PCI Forensic Investigator (PFI) to protect their card payments.

SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We also provide a bespoke retained PFI service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted cost-effective solutions.

Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a company’s systems, remediation is rapid and disruption minimal.

 

How poor data-stripping can expose organisations to Spear Phishing attacks

A survey for the BBC has discovered that poor data-stripping on websites leaves information in place which provides valuable intelligence for Spear Phishing attackers. By not removing key metadata, organisations are providing potential hackers with a doorway into systems which are otherwise well-defended.

This survey comes at a time when the number and extent of breaches continue to rise, with hacking reportedly accounting for 41% of disclosed breaches. At the same time, organisations are racing to comply with the General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018. With significantly larger fines in prospect, many organisations will do well to include data-stripping in their information security defence strategy or risk being unknowing victims of a sophisticated breach.

In the BBC’s research, target websites were ‘scraped’ for several days, with samples taken from files, pictures, PDFs, spreadsheets and other publicly available documents. During this process, metadata was retrieved which betrayed key information about the people who created the files, when they did it, and the version of the software and machine which they used.

This type of data cache provides a perfect starting point for a sophisticated Spear Phishing attacker to relate the names buried in the documents to real people. Using social media, useful information on individuals can be obtained. The more information hackers can obtain, the better they will be able to customise their attack.

Emails are then sent out which appear to the majority of recipients to be authentic. But they contain booby-trapped attachments. In some cases, the virus code that attackers bury in the malicious attachments can lurk until it hits the device used by a particular target.

This is because Chief Executives and senior directors are rarely targeted directly. It is much more usual for their assistants or teams to be the first point of contact. These people are often in positions where they will have access to company-sensitive information or records as well as direct online access to the real targets. Sometimes even passwords are secured this way, and all this happens long before any breach is discovered. Emails requesting information will not in these instances be seen as suspicious and, once the criminals are armed with details, a range of criminal activities can be undertaken, from re-directing payments to the criminals’ bank accounts to demanding ransomware payment from the organisation itself.

It is, of course, wise to include meta-searching for information from website files and stripping out data as part of routine security. While it is policy in many firms to do so, there is not always the due diligence and process to carry it out. A public information search can, however, be included as a phase within a penetration test. Penetration tests conducted by qualified experts will provide intelligence on specific areas of weakness within a system. If included in the scope, meta-searching and data-stripping can ensure that the company’s digital footprint leaves no traces for potential hackers to exploit.
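As an added illustration (not part of the original article or any SRM tooling), the following Python sketch shows what a pre-publication metadata check and strip can look like for Office Open XML files, where author names and software versions sit in the `docProps` parts of the package. The names `audit`, `strip`, `SENSITIVE` and `constructed_sample` are hypothetical, the sample package is constructed, and PDFs and images need format-specific tools that are not covered here.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML (.docx/.xlsx/.pptx) property parts and the fields naming people, dates or software.
SENSITIVE = {
    "docProps/core.xml": {"creator", "lastModifiedBy", "created", "modified"},
    "docProps/app.xml": {"Application", "AppVersion", "Company", "Manager"},
}

def _name(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix

def audit(data):
    """Return {field: value} for each identifying property that is set."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in SENSITIVE.keys() & set(zf.namelist()):
            for el in ET.fromstring(zf.read(part)):
                if _name(el) in SENSITIVE[part] and (el.text or "").strip():
                    found[_name(el)] = el.text.strip()
    return found

def strip(data):
    """Return a copy of the package with those properties removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in SENSITIVE:
                root = ET.fromstring(payload)
                for el in [e for e in root if _name(e) in SENSITIVE[item.filename]]:
                    root.remove(el)
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, payload, zipfile.ZIP_DEFLATED)
    return out.getvalue()

def constructed_sample():
    """Constructed package holding only the two property parts (not a full document)."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:title>Annual report</dc:title><dc:creator>j.example</dc:creator>'
            '<cp:lastModifiedBy>a.sample</cp:lastModifiedBy></cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/'
           'extended-properties"><AppVersion>16.0000</AppVersion></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Running `audit` over every file in a web publishing directory gives a list of documents to clean; `strip` leaves non-identifying properties such as the title in place.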


Time running out for GDPR compliance

Time is running out for UK businesses. By 25th May 2018 every business, charity and organisation needs to be ready for the General Data Protection Regulation (GDPR), because from that date EU regulators will start enforcing compliance. Yet a recent survey found that only 11 per cent of companies said their preparations are ‘well underway’ while 61 per cent admitted they had not even started the task of GDPR implementation. There are just 300 days to go.

GDPR compliance requires commitment and action, and with only ten months to go the pressure is on to take it very seriously indeed. An estimate by Gartner states that only 50 per cent of companies will be ready by the end of 2018, let alone May. The regulation brings the power to impose much larger fines. To put it in context, the fines imposed on UK organisations by the Information Commissioner’s Office (ICO) last year totalled £880,500. Under GDPR those fines would be closer to £69 million.

So, why are British companies lagging behind? Perhaps some feel that the challenge and expense of embedding GDPR in their organisation is mitigated by the fact that only a few will be caught by regulators during the early bedding-in period. This may be true to an extent. We are unlikely to see thousands of cases being brought. But it is possible that EU regulators will go for shock and awe tactics in the first few months, imposing bold enforcement actions and large fines on a few transgressors to serve as a lesson to all. No one wants to be made an example of.

In the end, however, it is not fear of punishment but pressure from within that will push GDPR compliance forward. With processors, vendors, data controllers and suppliers all tied in to each other’s compliance, those that do not comply will be dropped in favour of those that do.

To support GDPR readiness, the ICO has produced a range of guidelines to help businesses with the implementation of GDPR. This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations. An assessment of your existing level of readiness, together with a targeted schedule of actions, is best produced in partnership with a specialist information security consultant. In this way, you can prioritise and plan according to your organisation’s unique requirements.

SRM has a wide range of knowledge and practical experience. Our teams are GCHQ approved and GDPR practitioners, working with clients to build robust and cost-effective defences. Because hackers are ingenious and constantly changing their tactics, breaches can and do occur. However, with appropriate defences in place a business would be much better placed when it comes to an ICO investigation. Our consultants are ready to help you understand the risks to your information and to provide the strategic and practical guidance to manage that risk effectively.


 

Phishing and GDPR compliance

By Paul Brennecker, Principal Consultant, CISM | PCI QSA | PCI PFI | PCIP

There is a saying that a chain is only as strong as its weakest link. This, unfortunately, is true. When a company manages and handles sensitive customer data it does not matter how robust the security measures if one unsuspecting employee inadvertently opens up the system to hackers. Yet the danger this presents is sometimes underestimated.

Failure to protect customer data adequately already results in serious sanctions and fines under the current Data Protection Act (DPA) legislation. In 2016 twenty-one fines were levied in the UK totalling £2.1 million. When the General Data Protection Regulation (GDPR) comes into effect next May, however, things will become even tougher. With a theoretical maximum fine of up to £500,000 or 4 per cent of global turnover, these sanctions alone have the potential to bring a company down.

A common data security breach is through what is known as phishing. This is defined as an attempt to obtain sensitive information such as usernames, passwords and credit card details for malicious reasons, by masquerading as a trustworthy entity in an electronic (or telephone) communication. Phishing messages mislead unsuspecting individuals into giving hackers a foothold in a corporate system.

Typically, these messages will appear to come from a popular, well-known or reputable-sounding company. Microsoft, LinkedIn and Google Drive have all had their names hijacked for fraudulent purposes. The cybercriminal will then set out a fictitious issue with a user account, threaten that action will be taken if it is not remedied and provide a link to click. At first glance the corporate branding, email address and link will look genuine. This type of phishing email is indiscriminate in its approach and is out to catch any unwary soul who takes the bait.

A more worrying trend is the ‘Spear Phishing’ attack, where a specific individual or number of individuals is targeted within an organisation. These people are often in positions where they will have access to company-sensitive information or records, such as the finance or marketing teams. With a little research, the source of the spear phishing attack can ascertain the name of a senior member of staff within the company and trick the recipients into believing the email has originated from the boss. These emails will be sent to members of the team further down the chain in order to gain further information or even to directly ask for payments to be made. Once you understand the anatomy of a spear phishing attack, you can see why an organisational chart and email book become invaluable data to the attacker. This may have been gathered as part of the initial phishing attack, through the use of malware injected onto email or active directory servers.

So if an unsolicited email of any type appears, it should not be opened. If it is, it is worth checking the spelling and grammar. Unlike professional companies who use copy editors to check their content, cybercriminals are not known for their written English. Links should also be checked. By hovering a mouse over the link (while not clicking through) an entirely different web address may appear. All emails which lead to requests for sensitive account information should be treated as phishing attempts. Genuine companies never request password or bank account information online. Yet, if an employee has got to this stage it is likely that a malicious attack will already be underway.

Training staff how to recognise and deal with suspicious emails is just one element of a robust information security plan. SRM’s specialist consultants have the experience and expertise to manage all elements of information security from employee training to forensic investigations; from penetration testing to preparing for GDPR compliance. To discuss any aspect of information security please contact us.
