What is the password?
By Gerard Thompson, Information Security Consultant
With over 3,500 MPs, lords and staff, being a computer security administrator in the Houses of Parliament must be a stressful job. There is a lot to think about: the possibility of state-sponsored brute-force attacks, much like the one that compromised around 90 parliamentary email accounts in June 2017, and more delicate issues, such as the 113,208 attempts to access pornographic material from within Westminster in 2016 alone. Yet one of the most alarming revelations from the Houses of Parliament this month has been the admission by a number of MPs that their passwords are far from secure.
Admittedly, the social media admissions by MPs that they shared login details with staff were posted to defend Damian Green, who has recently been accused of accessing thousands of pornographic images on his House of Commons computer back in 2008. They wanted to make the point that it might not have been him, given that others might have had his password. Yet, for information security professionals, these admissions were probably more shocking than the news story they were attempting to deflect.
One MP tweeted: ‘My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green's desk was accessed and therefore it was Green is utterly preposterous!!’
The same MP went further that afternoon: ‘All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, “what is the password?”’
Unsurprisingly, cybersecurity professionals on Twitter have been shocked by such admissions, with many pointing out that it demonstrates a severe lack of privacy and security understanding within Westminster. To the consternation of the information security industry, however, other MPs have proceeded to jump in, tweeting their own confessions. One such tweet said: ‘I often forget my password and have to ask my staff what it is.’
Another tweeted: ‘Less login sharing and more that I leave my machine unlocked so they can use it if needs be.’
With these admissions, one might conclude that the House of Commons has no information security policy. Of course it does. The House of Commons Staff Handbook has a dedicated section on Information Security Responsibilities, and the House of Commons advice for Members and their staff specifically states that MPs should not share passwords. The gap is therefore one of awareness and training rather than policy. Shared credentials also defeat a basic control: when several people use one account, an audit log can show that the account was used but not who used it, which is exactly the ambiguity these MPs were relying on. Since most breaches involve human error, Westminster staff need to be reminded of their responsibilities.
Other government departments are exemplary in their information security procedures, providing best practice examples of how it should be done. With GDPR and the UK Data Protection Bill soon to be enacted, making the responsibilities of data holders even more stringent, the Houses of Parliament should also lead the way in demonstrating a robust stance on data defence.
SRM provides a complete range of information security services, from GDPR compliance to advanced penetration testing; from its Virtual CISO service to full blown Incident Response. To find out more, for a no-obligation discussion contact email@example.com or call 03450 21 21 51.
Law practices are prime targets for criminals
PwC’s 25th Annual Law Firms Survey found that 73 per cent of respondents had suffered a security incident in 2016. These ranged from insider threats to the phishing of login credentials and ransomware. Because they routinely keep large amounts of extremely sensitive data on file for long periods of time, law firms need to be particularly vigilant. Yet awareness, training and top-of-the-range technology solutions will only go some way in providing a defence. Given the ingenuity of attackers, they are unlikely to be sufficient in the long term.
The good news is that the solution is not about buying lots of additional products or simply throwing money at the problem. A strategic approach will provide a more robust and more cost-effective solution. The effective scoping of the risks and vulnerabilities to which an individual firm is exposed means that defences are maximised using only precisely-targeted and relevant services.
When the EU General Data Protection Regulation (GDPR) becomes effective in May 2018, the regulatory obligations of any organisation which processes the personal data of people in the EU become even stricter. The new legislation will not just apply to those with customers elsewhere in Europe: the current UK Data Protection Bill, which is also due to be enacted in May, enshrines the principles of GDPR into UK law. In addition to new breach-reporting requirements, there will be a greater emphasis on mapping data, knowing exactly what information is held and where.
A specialist consultancy has the experience and expertise to ensure that top level security is provided in the most cost-effective way possible. From advanced penetration testing to compliance and regulatory issues; from data mapping to ensuring there are no gaps anywhere in the system; it is important to have an overall strategic and correctly scoped plan.
While Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs) take on the day-to-day responsibility, every member of the board or partnership is also responsible for compliance. To ensure that the ever-changing cyber threat landscape is fully understood, additional support and resource is required. Just as a finance director receives support from accountants, a consultancy which operates at all levels of the cyber security spectrum will be able to provide additional expert guidance to DPOs, CISOs, boards and partners. The reputational and financial consequences of a breach can have a devastating effect on the whole firm. Board or partner level support for information security and compliance is therefore essential.
SRM is at the forefront of information security in the UK. As cyber security supplier to HM Government, we understand large organisations, but our clients also include corporates, charities and SMEs. Our GDPR team provides expert guidance and is also able to scope a client’s system for frailties and vulnerabilities through bespoke penetration testing, assist with accurate data mapping and provide a whole range of additional services developed to support CISOs and DPOs at various levels from compliance to disaster recovery.
Our eDiscovery team is also on hand to provide technical expertise and resource for all aspects of eDiscovery, from the reduction and redaction of data to the presentation of evidence in a legally acceptable manner. SRM provides a range of highly professional, cost-effective solutions suitable for all sizes of law firm, from a low-cost ‘E-Discovery Lite’ package to the involvement of Expert Witness Forensic Consultants or the use of a Virtual Chief Information Security Officer (VCISO™).
For a no obligation chat, contact Mark Nordstrom or call 0345 21 21 51
eDiscovery: the issues facing law firms and solicitors
by Alan Batey
Information Security Consultant and Forensic Investigator
In today’s world, evidence in legal cases is sourced from the vast quantities of Electronically Stored Information (ESI) that exists across a range of platforms and devices. Acting on behalf of clients, large law firms may have access to eDiscovery platforms to sift, sort, redact and reduce the amount of data that is made available, keeping only those files with relevance to the case in a legally recognised format which preserves the integrity of the data and stands the ultimate test of court acceptance. Smaller firms may not have operated an eDiscovery platform, considering it too expensive or shying away from the complex technology. This is not altogether surprising.
ESI comes from a number of sources: emails, texts, voicemail messages, word-processed documents and databases, including documents stored on portable devices such as memory sticks and mobile phones. In totality it amounts to an unfeasibly large and complex volume of files. SRM was recently involved in an eDiscovery case where the original ESI comprised 1.2TB of data which, in this particular instance, was reduced to 160GB. Although hundreds of gigabytes is more usual, this is still more data than can effectively be processed in a legally acceptable manner without the use of sophisticated management tools.
Yet many who engage with eDiscovery Platforms find the process is unsatisfactory. They may require assistance with the forensic discovery of electronic documents or need more support in managing the information security risks surrounding the placing of confidential information on a Cloud or server based platform. They may feel their technology partner is unsupportive or that the cost of the exercise lacks transparency. Ultimately, some are worried about the security issues of releasing sensitive information to a third party.
eDiscovery projects require extremely high levels of skill, technical expertise and diligence. At SRM we work in conjunction with the legal team to advise and execute the eDiscovery requirement for their client. We define each stage and advise on the ongoing process and progress giving a full breakdown of costs for each stage. Our service is at the cutting edge of eDiscovery technology, saving the clients time and money while achieving best results. We also work effectively and strategically to ensure that disruption to the client’s business is minimal.
When such large volumes of data are made available to a third party, trust is crucial. Our eDiscovery team includes individuals who have worked with the police, MOD and FTSE100 companies. We are the leading PCI Forensic Investigation company in the UK and cyber security supplier to HM Government.
Can Decision Cycles help us maintain the initiative in cyberspace?
As our world gets increasingly complex we must choose the levers we use to influence it with care. One way to look at this is through the lens of decision cycles.
For those not familiar with this concept, decision cycles are the cyclic process through which we perceive a stimulus, understand its implications, decide on a response and implement that decision. (There are a number of models and references; the best known is Boyd’s observe–orient–decide–act, or OODA, loop.) Simplistically, if we can make effective decisions quicker than our opponents, then we will, theoretically, hold the initiative.
The decision cycle lens is a useful one for those responsible for making decisions about cyber related issues as it throws any dangerous policies into harsh relief.
Most businesses work in a world where their policies, and here I’m talking about management intent rather than paperwork, refresh on a 12 month cycle based on standards which tend to refresh on a 5 year cycle. I note many will be smiling ruefully at this optimistic view!
In today’s information environment many of our risks are changing on a much smaller (faster) cycle, measured in days and weeks rather than months. Our operational tempo is defined not just by the speed of change, but by the way that the speed of change is accelerating.
This presents us with an exciting challenge: if we rely on static policy and processes, and many organisations still do, then we must expect our adversaries to outmanoeuvre us and our risks to evolve faster than our controls.
Where does this take us? Decision Cycle theory gives us a number of areas where we can hard wire agility into our business systems.
* Firstly, we can ensure that our warning, reporting, alarm and monitoring systems (technical and procedural) are tuned to report those events that most concern us.
* Secondly, we can ensure that we fully understand our own vulnerabilities and sensitivities, and the impact that adverse events will have on our operations. We can test and exercise those scenarios that most concern us. We can challenge our own assumptions. This will enable us to understand impacts and qualify outcomes more quickly.
* Thirdly, we do need to understand our own options, their limitations, and review these on a regular basis. This will enable us to make decisions more quickly.
* Finally, we need to ensure that our implementation of these decisions is well planned and, where possible, practised. We must also review effectiveness at every level and make the changes that are required at any part of the cycle.
All of this would seem to be common sense… though is often not done in practice. There are many reasons for this, ranging from technical inertia to process stagnation. The important thing is that we acknowledge and track our challenges – then we can mitigate the changing risks.
If we are able to design agility into our business systems and processes, and if we tune our organisations so that we can take a proactive posture, then we can keep the initiative. The simple decision cycle model then gives us an easy way to challenge our posture on a regular basis to establish where and when change is required.
This is not rocket science, but many of us do seem to find it surprisingly hard. This simple model is one way of stepping forward and bringing effect to bear in our defence.
What is Red Team engagement?
By Andrew Linn, Principal Consultant
The news this year has been full of high-profile hacks on large organisations. These have included malware and ransomware attacks that have brought notoriety to a number of mysterious hacking groups and to their victims: the Shadow Brokers published stolen US National Security Agency (NSA) tools in April, while the ‘Mr Smith’ hackers breached HBO’s security in August.
Of course, anyone reading the news knows these were not isolated incidents. Other notable incidents included the WannaCry ransomware, the various forms of Petya malware and the Cloudbleed memory-leak bug. With ingenuity, intelligence and malicious intent on their side, hacker groups use their collective skills to exploit any weakness in an organisation’s cyber defences. So how can an organisation defend itself from the bad guys? By working with the good guys through Red Team engagement.
To counteract the offensive strategies of gifted hackers, you need equally gifted counter-hackers. Red Teaming is not a penetration test; it is more of a philosophy which involves acting as a potential adversary. The Red Team focuses on the objective of the engagement and examines this from a number of different angles pulling together a plan of attack using a range of different techniques and abilities; testing procedural, social and physical components of security in addition to technical controls. Penetration testing techniques and skills form one aspect of Red Teaming but the service goes well beyond that; to the use of an adversarial mindset to determine strategy and policy making.
In practice, Red Team engagement involves working with ethical, skilled and experienced professionals who act like real attackers, simulating internal and external hacking attempts to test the response on a client’s systems. With client permission, the Red Team seeks to break through the hardened perimeter, using the weakest identifiable point, to gain access to the organisation’s systems. Using common attacker techniques they seek to gain a foothold, then tunnel traffic back out through ports that are commonly open within a business, usually the web ports (80 and 443), so that compromised machines can communicate with the team’s own servers on the outside without being detected. These command-and-control servers, harmless under the rules of engagement, are then used to control devices, which have either been placed or hacked, on the inside of the client’s organisation.
In addition to a rigorous examination of the organisation’s security controls, a Red Team engagement will exercise incident detection, response and management. This can be linked to a wider incident simulation process testing procedures and response capability throughout the business.
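The callback channel described above, beaconing out over port 443 to a server the team controls, is exactly what the exercised detection capability should be expected to catch. As an added example, not part of the original article or SRM’s own tooling, the following Python script looks for that pattern in web-proxy logs: a single internal host contacting a single external destination at suspiciously regular intervals. The log lines are constructed for the example and use an assumed, simplified format (`<epoch> <src_ip> <dst_host>:<port> <bytes>`); the hostnames, addresses, thresholds and the `c2.example.net` destination are illustrative.

```python
"""Flag periodic outbound 'beaconing' in constructed web-proxy log lines.

Added example for the Red Team article; not SRM's code. The log format,
hostnames and thresholds below are assumptions for illustration only.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<epoch> <src_ip> <dst_host>:<port> <bytes>".
# 10.0.0.5 calls back to the assumed C2 host roughly every 60 s over 443,
# interleaved with ordinary, irregular browsing; 10.0.0.9 is normal traffic.
SAMPLE_LOG = """\
1512000000 10.0.0.5 c2.example.net:443 412
1512000007 10.0.0.5 www.example.com:443 15300
1512000061 10.0.0.5 c2.example.net:443 410
1512000090 10.0.0.5 cdn.example.org:443 88012
1512000119 10.0.0.5 c2.example.net:443 415
1512000140 10.0.0.9 www.example.com:443 22000
1512000181 10.0.0.5 c2.example.net:443 409
1512000200 10.0.0.5 www.example.com:443 9100
1512000239 10.0.0.5 c2.example.net:443 411
1512000301 10.0.0.5 c2.example.net:443 414
1512000330 10.0.0.9 www.example.com:443 18000
1512000359 10.0.0.5 c2.example.net:443 410
1512000421 10.0.0.5 c2.example.net:443 413
1512000480 10.0.0.5 c2.example.net:443 412
1512000500 10.0.0.5 www.example.com:443 40200
"""


def parse_line(line):
    """Split one assumed-format log line into (epoch, src, dst, bytes)."""
    ts, src, dst, size = line.split()
    return int(ts), src, dst, int(size)


def find_beacons(log_text, min_hits=6, max_cv=0.15):
    """Return (src, dst) pairs whose request intervals are suspiciously regular.

    Regularity is measured as the coefficient of variation (std dev / mean)
    of the gaps between successive requests; human browsing is bursty and
    scores high, while a sleeping implant with little jitter scores low.
    """
    times = defaultdict(list)
    sizes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = parse_line(line)
        times[(src, dst)].append(ts)
        sizes[(src, dst)].append(size)

    findings = []
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:          # too few requests to judge
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings.append({
                "src": key[0],
                "dst": key[1],
                "hits": len(ts_list),
                "interval_s": round(avg, 1),
                "jitter_cv": round(cv, 3),
                "mean_bytes": round(mean(sizes[key])),  # small, uniform = heartbeat
            })
    return sorted(findings, key=lambda f: f["jitter_cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['hits']} requests, "
              f"every ~{hit['interval_s']}s (cv={hit['jitter_cv']}), "
              f"~{hit['mean_bytes']} bytes each")
```

On the sample data only the `c2.example.net:443` channel is reported; the ordinary browsing is either too infrequent or too irregular. Two caveats a practitioner should keep in mind: the check only sees traffic that is actually forced through the proxy, so direct egress on 443 must be blocked for it to mean anything, and a competent red team will add sleep jitter and vary request sizes, which pushes the coefficient of variation up and is why the threshold has to be tuned against the organisation’s own baseline rather than set once.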
Opening up an organisation’s entire network and allowing a third party to breach its defences requires a high degree of trust. Experienced, highly qualified Red Teams are few and far between. At SRM our Red Team is comprised of ex-police High Tech Crime Unit officers and qualified ethical hackers, and includes holders of the Offensive Security Certified Professional (OSCP) certification. At SRM, OSCP training is part of our ongoing professional development programme.