Posts Tagged ‘security awareness’

Security awareness is taught, not bought

February 3, 2013

Whenever there’s a security incident, two things happen:

  • security vendors scream, ‘it happened because they weren’t using our product, so clearly you should or it will happen to you’
  • governments scream, ‘we need to enact the Cybersecurity Act/CISPA/Communications Bill/delete-as-applicable/and substitute-at-will in order to protect you, you-know-it-makes-sense’

Both have an axe to grind, and grind it they will. The only group that doesn’t have an axe is the poor bloody CISO working away at the coalface; underfunded, overworked and making do – and it’s a welcome relief to hear what it’s actually doing.

Wisegate recently published a paper on CISO discussions between themselves. It followed an earlier analysis that showed a major, if not the major, threat that concerns them is their own staff’s awareness – or lack of awareness – of cyber security issues. This actually makes a lot of sense. Trend Micro’s study towards the end of 2012 showed that more than 90% of successful APT attacks start with spear-phishing. Spear-phishing is harmless until the target clicks on a link or opens an attachment – so if you can teach staff how to avoid being phished, then you immediately avoid possibly the most serious threat of today.

The only way you can do that is by increasing user awareness – and Wisegate’s paper, CISOs Share Innovative & Practical Ways to Improve Security Awareness, tells us how CISOs are actually tackling the problem. It’s worth reading, so I won’t give everything away here – except perhaps to point out that one of the biggest problems is silo security; the users’ view of an unapproachable arbiter of what the user can and cannot do… That needs to go. And the Wisegate report gives useful pointers on how to do it.

You can download the report from here

See also
Spear-phishing is the single biggest threat to cyber security today
Fear sells – and governments are accomplished salesmen
The art of social engineering

Categories: All, Security Issues

Infosecurity Magazine news stories for 10-13 April 2012, and 16-18 April 2012

April 18, 2012

My news stories on Infosecurity Magazine from Tuesday 10 April until Friday 13 April, and Monday 16 April until Wednesday 18 April

NHS needs a security czar to prevent continuous data walkabout
While the South London Healthcare NHS Trust signs a Data Protection Undertaking, the security industry wonders why we have learnt nothing in the last two years – and calls for a new NHS data protection czar.
18 April 2012

PwC 2012 Information Security Breaches Survey: Preliminary findings report continued mobile insecurity
New statistics show that while many companies appear to understand the business threat from BYOD, many others are taking no precautions whatsoever.
18 April 2012

(ISC)² launches its new EMEA advisory board
In a move designed to offer genuine hands-on security experience to EMEA’s different security initiatives, professional body (ISC)² has launched a new Advisory Board for Europe, the Middle East and Africa (EAB).
18 April 2012

Google co-founder worries about the future of the internet
In an interview with the Guardian, the co-founder of Google lists the threats facing the future vitality of the internet.
17 April 2012

Shadowserver uncovers campaign against Vietnam in Hardcore Charlie’s file dump
An analysis of the hacked files dumped by hacker Hardcore Charlie fails to prove Chinese culpability, but finds evidence of ‘yet another cyber espionage campaign against Vietnam.’
17 April 2012

Iranian software manager hacks and dumps card details of 3m Iranians
Khosrow Zarefarid found a flaw in the Iranian POS system and reported it, but was ignored – so he exploited it himself and dumped the details of 3 million Iranian debit cards.
17 April 2012

Dutch Pirate Party forced to take its Pirate Bay proxy off-line
In a move that will be monitored by the UK’s music industry association (BPI), its Dutch equivalent BREIN (translates as ‘Brain’) has obtained a court injunction forcing the political party, the Pirate Party, to take down the proxy site that was allowing users to continue using the blocked Pirate Bay (TPB).
16 April 2012

Is ACTA dead in the water, or is it resurfacing via the G8?
David Martin, European Parliament’s rapporteur on the ACTA treaty, is expected to recommend that parliament should reject ACTA. Does this mean the end for the Anti-Counterfeiting Trade Agreement?
16 April 2012

Commotion Wireless: an open source censorship buster
The great contradiction in modern techno-politics is the need for democracies to promulgate free speech in other countries while controlling it in their own.
16 April 2012

Boston police release unredacted Facebook data of ‘Craigslist killer’
The complete Facebook account of Philip Markoff, in hard copy and including friend IDs, was given by the Boston Police to the Boston Phoenix newspaper.
13 April 2012

EC asks how we would want the internet of things to be controlled
The European Commission (EC) has issued an online ‘consultation’ document: How would you envisage ‘governance’ of the ‘Internet of Things’?
13 April 2012

City trader fined £450,000 by the FSA
“For the reasons given in this Notice…”, says an FSA Decision Notice, “…the FSA has decided to impose on Mr Ian Charles Hannam a financial penalty of £450,000.”
13 April 2012

MPAA’s attempted takedown of Hotfile gets more and more difficult
Don’t throw the baby out with the bathwater says Google; and there’s more baby than bathwater suggests Prof. James Boyle.
12 April 2012

UK private members bill designed to censor pornography on the internet
Baroness Howe of Ildicote has introduced the Online Safety Act 2012, designed to force ISPs to install and operate pornography filters.
12 April 2012

Financial services the target in massive DDoS increase
A new analysis from Prolexic shows a huge increase in DDoS attacks, largely sourced in Asia and primarily attacking financial institutions.
12 April 2012

Smartphones are still firmly ‘enterprise-unready’
Research by Altimeter Group, Bloor Research and Trend Micro shows that the ‘consumer marketing’ legacy of many smartphones makes them ill-equipped to meet enterprise security demands.
11 April 2012

EU trade committee’s draft opinion on ACTA: Don’t ratify
The European Parliament’s Industry, Research and Energy committee for the Committee on International Trade has published its draft opinion on ACTA. Don’t ratify, it tells parliament.
11 April 2012

DHS gets California company to hack game consoles
In a project that started from law enforcement agencies’ request to the US Department of Homeland Security (DHS), which was then farmed out to the US Navy, Obscure Technologies of California has been awarded a contract to find ways of hacking game consoles.
11 April 2012

Real-time data mining comes to Twitter
Twitter is usually described as a micro-blogging social network. To many who monitor its ‘trending topics’ it is also an early warning news service, frequently pointing users to breaking news before the traditional news media reports it.
10 April 2012

Iran bids farewell to the internet; welcomes its own halal intranet
Iran’s answer to ‘criminality’ on the internet is not to fight criminality, but to block the internet. In the future, Iranians will have access to only the official national intranet and a whitelist of acceptable foreign sites.
10 April 2012

What an Englishman does in bed
Companies that monitor the end point behavior of their remote workers will have to start monitoring their (internet) behavior in bed. That at least is the inference to be drawn from a new street survey conducted by Infosecurity Europe.
10 April 2012

Categories: All, Security News

Infosecurity Magazine news stories for 20 March 2012

March 21, 2012

My news stories on Infosecurity Magazine for Tuesday 20 March…

New twist in social engineering rogue AV
Rogue anti-virus products continue to be a major source of malware. The trick for the criminal is in getting the victim to click the link; and GFI has spotted a new development.
20 March 2012

Cost of data breaches outstripping inflation
The average cost to UK business per record lost, according to the latest Symantec/Ponemon study, has increased from £47 in 2007 to £79 in 2011. Had it been inflation alone, it would have increased to just over £53.
20 March 2012

Infosec human factor solved only by education
Information security is among the most popular of all the training courses offered by SkillSoft, with ‘An introduction to Information Security’ second only to the ‘Fundamentals of Networking’ in the top 100 IT courses says the company.
20 March 2012

Categories: All, Security News

The UK Cyber Security Strategy – Protecting and promoting the UK in a digital world

December 2, 2011

“The UK will become the best country in the world for e-commerce, the prime minister has promised.” His promise includes “a raft of measures to boost internet use in the UK, including a £1bn drive to get all government services online [within three years] and £15m to help businesses make the most of the web.”

This is not from the new UK cyber security strategy published by the Cabinet Office last week. It came from Tony Blair in 2002. And it didn’t happen.

I always worry when government says we will abide by the rule of law. Since government makes the law, it is the same as saying ‘you must do what we tell you’. Last week, the Cabinet Office explained that “Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.”

Cameron is perhaps less ambitious than Blair, allows more time (four rather than three years) and is focused on security. But is the end any more achievable?

I doubt it – and offer a few observations. Firstly, by far the majority of security companies and their experts have openly welcomed and praised this report. They have no option. The power of government purchasing makes it difficult for any business to openly criticise government. Indeed, the report acknowledges this lever:

To ensure smaller companies can play their part as drivers of new ideas and innovation we will bring forward proposals as part of the Growth Review to help small and medium sized enterprises fully access the value of public procurement.

However, regardless of what they say in public, many of these security experts have serious doubts. One, whose company statement had him praising the initiative, privately mailed me worrying about how many different government departments, quangos, committees, off-shoots and different law enforcement and intelligence agencies are involved in this strategy. It is always the joints that provide the weaknesses, and this strategy has many joints.

Amichai Shulman, CTO, Imperva

The second observation, which to his credit, has also been highlighted by Amichai Shulman, CTO and co-founder of Imperva, is that there is no emphasis on protecting the individual.

The strategy has given only a few insights on how government is going to help businesses and individuals protect themselves. In fact, it has taken the traditional approach of non-intrusive, general advisor for tasks left to the individuals to do, e.g., keep safe and stay current with the latest threats. As we know, most consumers and enterprises don’t do that which explains why we’re in the cyber crime mess we live in today.
Amichai Shulman, Imperva

It would appear from the report that the government expects its GetSafeOnline website to be sufficient to protect the public. (You can see my attitude to GetSafeOnline here: UK Internet Security: State of the Nation – The Get Safe Online Report, November 2011.) I have serious doubts about its effectiveness. But I am more concerned there is no mention anywhere in the new cyber security strategy report of an existing CPNI-inaugurated initiative that has the potential to help the individual: the Warning Advice and Reporting Point, or WARP.

The WARP project is stagnating if not contracting. But the concept is still good. Given the right input and impetus WARPs could develop into a form of security-based social networking system, where individuals would share threat experiences between themselves, learn about new threats, and automatically report them back up the line eventually to CPNI. By sharing their information, by warning others, by offering help and advice to colleagues within any particular WARP, the individual security stance becomes much stronger.

This approach could help protect home computers from being recruited into botnets; and fewer active botnets means a more secure national infrastructure. I am worried that if the new strategy isn’t aimed at protecting the NI by protecting the individuals, how else is it to do it? Possibly by ramping up co-operation with and control over the ISPs. We will, says the report

Seek agreement with Internet Service Providers (ISPs) on the support they might offer to internet users to help them identify, address, and protect themselves from malicious activity on their systems.

It is too easy to move from this position to one of getting the ISPs to cut off infected users until they can prove their system is clean.

But it’s not all depressing; I have always known that there are comedians in government. Always leave them laughing when you say goodbye. And this report does just that:

  • the Ministry of Justice will develop ‘cyber-tags’ as a form of online ASBO
  • police forces are to recruit ‘cyber-specials’ (the internet traffic warden?)
  • ‘kitemarks’ to help consumers distinguish between genuinely helpful products and advice and the purveyors of ‘scareware’.
  • “…partnerships between the public and private sectors to share information on threats, manage cyber incidents, develop trend analysis and build cyber security capability and capacity.”

CESG share intelligence with the private sector? Now that one really made me laugh.

The UK Cyber Security Strategy – Protecting and promoting the UK in a digital world 

Categories: All, Politics, Security Issues

Joe User is the weakest link – a presentation at the Infosecurity Virtual Conference

October 14, 2011

Eighteen months ago we had news of a sophisticated attack against Google. It became known as the Aurora attack and it spawned a new term: advanced persistent threat, or APT. It may or may not have had the direction, connivance or knowledge of the Chinese government. But it made us rethink the threat landscape.

A year ago we heard about Stuxnet, a new intricate attack originally targeting the Iranian nuclear programme. This too may or may not have had government direction, connivance or knowledge. But again, we had to rethink the landscape: the unhackable, computers not even attached to the internet, had become hackable.

A few months ago, one of the world’s leading security companies, RSA, was breached and SecurID tokens were compromised. A while later, Lockheed Martin and Northrop Grumman, two leading US defence companies, were both attacked with the stolen RSA data. Another new development – the implication is that the RSA attack was a planned precursor of the defence attacks – and once again the finger has been pointed at China.

What can we conclude from all this? That cybercrime has been taken over by government cyber warfare agencies? Well, yes and no. Cybercrime today is a PPP, a public/private partnership, with freelance cybercriminals employed by and selling to government agencies. And these same criminals also work for highly organized criminal gangs.

Do we deduce, then, that our security industry has failed us? Again, yes and no. The security industry failed in these and many more instances. But without that industry, without the anti-malware companies, without our firewalls and filters and intrusion prevention, it would be chaos. The security industry stops far more than it lets through.

But what does get through is now so sophisticated that many security experts privately admit that there is no defence against a determined, targeted attack. And if the big companies, and even security companies, cannot defend themselves, what hope is there for the rest of us? Dr Kevin Curran, a lecturer in computer science and senior member of the IEEE, told me in a conversation about the recent Sony hacks, “There’s nothing we can do to stop a targeted attack. We’re all vulnerable.”

So, do we load ourselves up with layers of cyber defences, and then just hope? Do we have to accept that if our name is on the bullet, that’s it? That if a foreign government wants our inventions for its own industry we have to accept it? That if a criminal gang wants our card details for themselves they will take them?

No, we don’t have to, and shouldn’t, just give up. There is a common factor, a common weak link exploited by all hackers; and if we strengthen that link, we will do much to prevent the attacks. What is this weak link? It’s you. It’s me. It’s all of us. It’s Joe User.

Joe User is both the cause and the solution. We have to change our behaviour. Consider these details from the Spanish anti-malware company Panda Labs.

PandaLabs successful malware statistics

It shows the type of successful malware attack currently out there. Similar graphs could be drawn for the different types of email scam or spam. Others could be drawn for categories of phish attacks. Endless graphs could be drawn to help us understand the threats we face from the e-criminals. But there is one statistic always left off. 100% of all these attacks depend upon just one element. Joe User.

Somewhere, Joe User is involved in every single successful attack

If we were to include Joe User’s involvement in these attack graphs, he would always stand at 100%. Think about this. Not one single successful hack from the nerd in his bedroom to the Russian Mafia to the secretive government cyberwarfare agency has ever succeeded without the conscious or unconscious connivance of Joe. Joe, of course, is the single user at his desk in the corner, or working on the train going home – but he is equally the body corporate. It may be that he doesn’t do what he should, or does do something he shouldn’t; he might do it willingly or unwillingly or in ignorance – but if that act of collusion doesn’t happen, then the hacker can’t get in.

Unless Joe lets the hacker in, either actively or passively, he cannot enter...

The hacker is like a vampire at the door. If Joe doesn’t invite him in, he can’t get in. But if Joe does let him in, he’ll own you, and he’ll bleed you dry. And the good hacker won’t even leave a shadow while he’s doing it.

We can illustrate this with a reconstruction of the way in which the Aurora attack was probably perpetrated. The attackers first chose their target. How? Possibly by using a business network like LinkedIn. Try it yourself. Choose any company and check it on LinkedIn. You’ll get a list of many of the internet-active employees, and probably which department they work in or what they do. Choose the person most likely to have good access to the corporate network or have direct knowledge of the company information you want to steal. Then switch to Facebook. See if he is there – probably he, or she, is. You already know what Joe does; now you can find out what he likes. Who his friends are. What interests him outside of work.
Now you have to hack one of those friends. It’s not as hard as you would hope. For example, there are long lists of stolen passwords available to the criminal. Maybe an innocuous gaming site was hacked, and user details stolen. From Sony, perhaps. Sony seems to have stored Joe’s password in plaintext. If you can find your friend-target on one of these lists, the chances are – because we all do it, don’t we – that he’s using the same password throughout the internet.
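The passage above turns on two defensive failures: a site storing passwords in plaintext, and users reusing one password everywhere. The following Python is an added example (not code from the original post, nor from Sony or Facebook) showing what the site-side fix looks like: per-user salted PBKDF2 hashes instead of plaintext, so that a stolen database no longer hands the criminal a reusable password. The usernames, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample of what a breached user table looks like when passwords
# are kept in plaintext: every row is immediately reusable on other sites.
PLAINTEXT_DUMP: Dict[str, str] = {
    "joe.user": "Summer2010!",
    "joes.friend": "Summer2010!",   # same password as Joe, the reuse case
    "someone.else": "letmein",
}

# Assumption: PBKDF2-HMAC-SHA256 with a work factor high enough to make
# offline guessing expensive; tune upward on modern hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_hashed_store(plaintext_dump: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """What the same table should have looked like: (salt, digest) per user, no plaintext."""
    return {user: hash_password(pw) for user, pw in plaintext_dump.items()}


def same_password_hides_reuse(store: Dict[str, Tuple[bytes, bytes]], a: str, b: str) -> bool:
    """True when two users' stored digests differ even if their passwords are equal.
    Per-user salts ensure an attacker cannot spot shared passwords from the dump alone."""
    return store[a][1] != store[b][1]


def plaintext_visible(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> bool:
    """True if the stored value is literally the password (the failure the post describes)."""
    salt, digest = store[user]
    return digest == password.encode("utf-8") or salt == password.encode("utf-8")


if __name__ == "__main__":
    store = build_hashed_store(PLAINTEXT_DUMP)
    print("joe.user login ok:", verify_password("Summer2010!", *store["joe.user"]))
    print("wrong password rejected:", not verify_password("Winter2010!", *store["joe.user"]))
    print("shared password not visible in dump:", same_password_hides_reuse(store, "joe.user", "joes.friend"))
```

The salt is stored beside the digest, not secretly; its job is to force an attacker with the whole table to attack each user separately, and to stop identical passwords (Joe and his friend above) from being recognisable as identical. Reuse on the user's side still has to be tackled by awareness, which is the post's point.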

So now we can own Joe User’s friend’s Facebook account. We already know what Joe does, and we now know what interests him – and we’re his friend.

The next step is to forge a personal message from the friend, based around something of mutual interest to both parties. The intent is to get Joe to visit a particular site that we have already compromised. Again, that’s not too difficult – drive-by downloading from compromised sites is one of the cybercriminals’ current weapons of choice. But this is where the hacker might play his trump card – the use of a zero-day vulnerability in Joe’s browser.

The problem with zero-day vulnerabilities is that the security industry doesn’t know anything about them. We don’t even know how many there are. In this instance it was an unknown vulnerability in the old browser (IE6) that Joe was still using; and it was just one of a string of doors left open. This open door allowed the hacker to install a Trojan on Joe’s network – a Trojan designed to find and quietly steal information.

What users get wrong: fail part 1

Joe left the doors open – an open invitation to the hacker – and the hacker quietly slipped in. And we all do it, all of the time. We do the wrong things. We click on bad links in emails we receive, we open attachments and we respond to spam. On the internet we get carried away and visit dubious sites using old and unpatched browsers, and we allow scripts to run willy-nilly rather than blocking them with something like a combination of the latest version of Firefox and NoScript. In short, we trust the internet to do us no harm; when we really shouldn’t.

And then there’s social networking, a Pandora’s Box of goodies for the hacker. Where there are privacy options, we ignore them, and upload vast amounts of personal, sensitive and often embarrassing information. We indulge in ‘my Friend List is bigger than your Friend List’, becoming a friend or contact or follower of any stranger that asks – and then, because it’s a social network, we trust those strangers as if they really are long-lost buddies from school.

But it’s not just a case of actively doing the wrong thing.

What users get wrong: fail part 2

We also fail to do the right thing. Too many of us are still not using adequate and up-to-date anti-malware and firewall defences. We forget to patch or update our software when the supplier issues an update to solve a vulnerability, leaving that software vulnerable to the hacker. In short, we behave with insufficient paranoia about the internet. Paranoia is the best security defence.

Joe Corporate is no better. He often fails to develop and enforce a strict security policy. He forgets the importance of adequate provisioning and deprovisioning procedures – sometimes giving Joe User greater privileges than necessary, and not taking them away again fast enough; allowing disaffected Joe User to become Joe Hacker. He almost invariably fails to encrypt sensitive data, and once again fails the paranoia test.

So are we saying that all cybercrime could be stopped if every Joe only did the right thing? Yes, we are. Are we saying it will ever happen? No. It won’t. But the fact remains that e-crime would be dramatically reduced if more of us users were less inviting to the criminals. We need to take a leaf out of physical policing and architecture: crime prevention through environmental design, known as CPTED. We make our systems so difficult to penetrate that the criminals go elsewhere. And if there’s nowhere else to go, they give up. That’s the theory. But if Joe continually opens or leaves open the doors, then no amount of other defences will help.

Security is a partnership – a partnership between the company defences supplied by the security industry, and Joe’s personal practices. We need anti-virus products, and firewalls and intrusion detection and content filters; but more than anything we need Joe User to behave in a responsible manner. Cybercrime, whether it emanates from the lone computer nerd in his bedroom or a nation state’s cyberwarfare agency, can only be defeated if Joe User closes the door in the face of hackers.

Whatever way you look at it, Joe User is security's weakest link

That means we need to take security awareness more seriously. The message is simple: to defeat cybercrime, companies need to spend as much time, effort and money on educating Joe User as they do on buying security products. It’s not an either/or situation. We need both. But at the moment, Joe User is the weakest link.

Categories: All, Security Issues

Infosecurity Virtual Conference: featuring the great and the good and me

September 24, 2011

Mark this day and keep it clear: Tuesday 27 September. That’s this coming Tuesday. It’s the day of Infosecurity’s Autumn Virtual Conference. And it’s packed full of goodies: secure software development, responsible breach disclosure, tablets in the enterprise, governance and compliance, e-crime, a career in security and, of course, APTs.

And the speakers! Marc van Zadelhoff, Director of Strategy at IBM Security Solutions; Professor John Walker; Microsoft’s Jeremy Dallman; Raj Samani, Strategy Advisor for the Cloud Security Alliance and CTO EMEA at McAfee; Chenxi Wang from Forrester; Paul Simmonds, co-founder of the Jericho Forum; and many more.

Oh yes. And me. E-crime. 11:00am. 27 September. Be there.

2011 UK Infosecurity Virtual Conference – Conference Programme
2011 UK Infosecurity Virtual Conference – Registration

Categories: All, Security News

Sorry – we can’t protect you against your own stupidity

October 18, 2010

Amit Klein, CTO, Trusteer


I was talking to Amit Klein, the CTO of Trusteer, because I wanted a better understanding of how Rapport works. Rapport is Trusteer’s anti-banking trojan product. It’s free if your bank is a participating bank. The product prevents online bank transaction fraud; so it saves the banks money. If it saves the banks money, it is only fair that they pay for it. You get it free.

It works by protecting your browser. It recognises worrying behaviour and stops it. So, if I’m infected with Zeus (or some other bank trojan) and start an online bank transaction, Rapport sees Zeus trying to interfere and steps in to protect me.

Ah, I said. OK, you can protect my browser/bank interaction; but what if I’ve got a completely separate root-kit infection that doesn’t try to interfere with the transaction, just tries to steal my credentials?

Amit was very polite. He said, “We will protect your credentials when you’re online to your bank. But if you leave them lying around in some file on your computer…”

What he was saying was that security software can do what it is designed to do: but no software can protect against user stupidity. And that’s something we sometimes forget. We can install all the security we want: it won’t work if we forget to teach our users about security awareness.
Categories: All, Security Issues