Ransomware: Can we finally start learning from past mistakes?

My latest opinion piece for HelpNet Security Magazine is now available online. In this article I highlight how ransomware, CEO Fraud, and DDoS attacks are old attacks that we as an industry should be better able to defend against.

The article is below with a link to the complete piece.

“There is a phrase I am finding quite relevant lately. It is attributed to the philosopher George Santayana and it goes like this: “Those who cannot remember the past are condemned to repeat it.” The reason it comes to my mind a lot these days is the headlines we are seeing relating to the latest ransomware attacks against companies’, hospitals’ and government departments’ systems.”

Getting Ready for the EU General Data Protection Regulation


Information is the lifeblood of today’s business world. With timely and accurate information business decisions can be made quickly and confidently. Thanks to modern technology, today’s business environment is no longer constrained by physical premises or office walls. We can work on laptops, smartphones or tablet computers and with nearly ubiquitous internet connectivity we can work from any location.

This technology evolution allows us to be more productive and work with clients in many different ways. We can engage with them over the internet, visit their homes or offices, or they can come into our offices where their requests can be processed quickly and effectively. While bringing many benefits technology also brings with it many threats. With companies gathering more and more information on their customers to provide them with more services there is the increased risk of damage to those individuals should a company suffer a security breach. This information if improperly exposed could cause a lot of embarrassment to the people affected or, should it fall into the hands of cyber criminals, could have severe financial impact on them.

The European Union’s Data Protection Directive is concerned with any information, either by itself or combined with other pieces of information, that could identify a living person. This information could be items such as email addresses, passport numbers, driver’s license numbers, financial details, union membership, medical history or information relating to a person’s sexual, religious or political beliefs.

On the 15th of December 2015 the EU agreed to replace the existing EU Data Protection Directive with the EU General Data Protection Regulation (EU GDPR).

The EU GDPR brings in new obligations for companies that handle information belonging to individuals and will come into effect on May 25th 2018. Under the EU GDPR there will be a number of new rules for companies. To name but a few: companies that process a lot of personal data will be obliged to appoint a Data Protection Officer; companies that suffer a security breach will be obliged to notify “the supervisory authority” without delay or within 72 hours; and there will be fines for companies that are proven negligent in the case of a security breach.

These new rules will have implications for how businesses handle and secure the personal data entrusted to them by their customers and staff. While it will take time for the EU GDPR to come into full effect, it will also take time for companies to be properly prepared for that eventuality.

The following checklist will help you obtain better assurance regarding how well your company is prepared for these new regulations. An incomplete or negative response to any of the following items means that area of risk needs to be addressed.

Infosecurity Hall of Fame Interview

I was honoured to be inducted into the Infosecurity Hall of Fame earlier this month. It is an award which I hope to live up to. I was interviewed during the ceremony and I talked about how companies should be better prepared for computer security incidents. The key points of that interview are covered in this article.

I was also interviewed after the ceremony and below is the video of that interview.

Many thanks to all who supported me over the years and helped me get to where I am today and also a big thank you to all who passed on their best wishes.

Securing Business Podcast

We are delighted to announce that a new podcast focusing on the business aspects of information security and cyber security is now available. The Securing Business Podcast is a joint effort with our own Brian Honan, journalist Gordon Smith, and Matt Houlihan from the International Radio Company. It is available from Soundcloud and iTunes.

Every fortnight, Brian Honan and Gordon Smith discuss the latest news in Cybersecurity and Cybercrime and its implications for business.

The first episode has a feature on the challenges in cybercrime and what research the UCD Centre for Cybercrime and Cybersecurity Investigations,

The second episode features Lance Spitzner from Securing the Human and Dr Ciaran McMahon talking about the human side of cybersecurity and what we should do to improve security from that aspect.

Have a listen and do let us know your thoughts and comments.


Parting is Such Sweet Sorrow – Farewell Lee & Thanks

Lee Munson has been a valuable member of the BH Consulting family acting as our Social Media Manager. Our blog has received many awards and plaudits which have all been down to Lee’s hard work, dedication, professionalism, and his unique ability to transform complex technical security issues into easy to understand commentary. Our Twitter feed has also grown steadily under his stewardship.

So it was with a heavy heart that I received an email from Lee to say he will be stepping down as our Social Media Manager, as he has recently taken on a new role that allows him to achieve his ambition of working full time in infosec.

While we are sad to see Lee go, we are delighted about his new role and wish him all the best for the future.

Thanks for everything Lee and may you achieve the success you surely deserve.

Go n-éirí an bóthar leat

Brian and team

ICO hands out record fine, puts cap in hand and has a chat with the official receiver

Just because the Information Commissioner’s Office can hand out some pretty sizeable fines, doesn’t mean that it actually does.

And that’s the one criticism I have of an agency that, as far as I can tell, does some pretty sterling work in policing the privacy rules here in the UK.

But, in an interesting move, the ICO has perhaps addressed its apparent lack of bite by handing out its record fine, asking a Brighton-based nuisance telephone caller to place three hundred and fifty thousand shiny pound coins on its desk.

Interesting because of the amount you ask?

Well, yes, there is that, but far more interesting is the fact that, despite the size of the ask, the Commissioner may not actually receive enough to nip out and get a Tesco lunch deal.

That’s because the company in question – Prodial Ltd – is defunct.

At the first whiff of ICO interest the business expired. Ceased to exist. It is no more.

The company, which operated out of residential premises in the seaside town, peppered unwitting recipients with some 46 million automated calls related to the PPI claims they may, or may not, have been entitled to make.

Either way, the shady operating practices likely turned over a million quid, according to the ICO.

Nice work – if you can get it – and don’t mind pissing off a large proportion of the mainland in the process.

Talking of which, over a thousand people – which is a minute proportion of those affected – gave the ICO a call of their own to let them know how miffed they were with the situation. The prominent complaints included a doctor who couldn’t help but answer a phone that could have been used to dial in an emergency call, and someone else who claimed they were being called at all hours, day and night.

And of course there was nothing anybody could do about it either, save blocking numbers off – Prodial Ltd, which went to great lengths to obscure its identity, offered no means of opting out of its telephonic spam which, as you may have already guessed, came thick and fast despite none of its victims ever consenting to such nuisance behaviour in the first place.

In a blog post, Information Commissioner Christopher Graham wrote:

This is one of the worst cases of cold calling we have ever come across. The volume of calls made in just a few months was staggering.

This was a company that knew it was breaking the law. A company director admitted that once the ICO became involved, the company shut down. That stopped the calls, but we want to send a clear message to other firms that this type of law-breaking will not pay. That is why we have handed out our highest ever fine.

No matter what companies do to try to avoid the law, we will find a way to act.

So, job done, no more nuisance calls ever again, eh Chris?

I suspect such action, while welcome, will not quell the scourge of unwanted calls so much as encourage those behind them to become a little smarter and far quicker at winding their companies up when the ICO comes knocking.

Nothing to hide, nothing to fear? Stop being so British!

There’s a famous phrase that says something along the lines of if you have done nothing wrong, you have nothing to fear.

I’m not sure how well used that phrase is around the world but I suspect it may well be uniquely British.

Why?

Well I’m not entirely sure – is it because we’re a nation filled with apathy or one that lacks understanding? Or perhaps we just don’t care about the bigger picture, wrapped up as we are in our own individual worlds.

But it is a potential problem in certain areas of our lives and, perhaps, the most significant factor that comes into play here is within the domain of politics.

Love her or hate her, Margaret Thatcher (please correct me if I’m wrong) once said “Power corrupts. And absolute power corrupts absolutely”.

And while I don’t think all our politicians are corrupt, and I doubt even more that any intend to turn to the dark side when they begin their careers as least unelectable representatives of the people, there certainly is some degree of evidence to suggest that such people don’t always have our best interests at heart, either through wilful choice or lack of understanding of the legislation they propose to impose on us, the sheep of these isles.

And so it is disappointing to see the results of a survey conducted by Comparitech which says well over half the population (60%) of the UK would trade some privacy for extra security.

I think a famous American once had something to say about that.

A survey has shown that an overwhelming majority of the UK population (60%) believe that, when it comes to national security, the Government should be able to monitor mass communications… the study found that 49 percent of the 1000 people questioned from the UK (nationally representative) cite national security as having more importance than an individual’s right to privacy.

Sure, security is important. But how valuable is it when you give up your human rights to obtain it?

Not all would be my answer.

And yet we are arguably heading in that direction with the Draft Investigatory Powers Bill which politicians are just itching to get written into the statute books.

As Amar Singh of Give01Day says:

Let’s not forget that no government has a stellar record in protecting its own information; and if technologies are updated to allow “free access” for the government, then criminals will no doubt be able to obtain the same.

Good point sir.

And the same could be said for Comparitech director Richard Patterson who said:

While we wait to see the final outcomes of the Draft Investigatory Powers Bill here in the UK, and who will be victorious between the FBI and Apple, what is clear is that individuals need to understand that using electronic communications comes with provisos. On the one hand, laws designed to protect civil liberties shouldn’t then be used to provide a safe haven for those compelled to breach them and on the other, consumers shouldn’t have to give up their rights to privacy. It’s a thorny subject, with many grey areas, making clarity a necessity.

Balancing security and privacy is no easy affair and I for one don’t have the answer but what I do know is you can’t pick one at the total exclusion of the other.

It just doesn’t work that way, unless you want to live in a world where everyone potentially has something to fear and nothing left to hide.

InfoSec – you get nothing for nothing

I don’t know about you but I have a few acquaintances who want to change their lives, some of them in quite dramatic ways.

Their dreams all have a commonality about them too – if they do X and get Y then the sun will shine upon them 24/7 for evermore.

Of course the reality would be somewhat different but by simply having something to work toward they are already on the way to some degree of enrichment.

Or at least that would be the case if any of them could so much as take the first step on their chosen path.

Why haven’t they, you may ask?

My best guess is a degree of fear of the unknown in one or two of them but, for the majority, it’s more a case of laziness or a misguided sense of entitlement.

It’s a sad indictment of society but both seem to be on the rise, and not just in the youth who appear to have been painted as the wasters of society.

Of course such an attitude pervades all areas of life and so you won’t be surprised to learn that the same approach is often taken where security is concerned.

In a new survey commissioned by VPN provider Hide My Ass, the major finding was that people want to be secure online… as long as it doesn’t require any effort.

In questioning 2,000 people, the privacy company discovered that close to two-thirds of them had experienced some kind of online security issue but only 56% of them had done anything to change their behaviour afterwards.

Hmmm… if you’re not going to react after an event, when are you going to react?

Curiously, 67% of the respondents claimed they would like more security than they have now, citing privacy concerns as one of their biggest issues, and yet only 13% took advantage of two factor authentication, less than 5% used Tor, and a considerable number were slapdash with their personal information – just over half were happy to plaster their email address across online public gathering places, 26% would have no problem sharing their home address online and 21% would have no qualms about posting their telephone number on the web.

Continuing the privacy theme, only 11% of the respondents used a VPN and a whopping 44% didn’t even know what a Virtual Private Network was in the first place.

Hide My Ass is obviously in need of an awareness program!

Ending on a slightly more positive note, just over half (55%) of those surveyed had at least given their privacy a knowing look by asking someone else to delete a post they were featured in or untag them in the photo though, as some of you are no doubt aware, shutting the door after the horse has bolted is often a futile gesture.

More encouragingly, 60% of those surveyed said they had fobbed online marketers off with duff info, though I doubt any would have noticed as they are far too busy following all and sundry on Twitter these days instead of actually working.

Oh, and 69% said they “consciously limit” the amount of personal information they share on the net, despite that figure flying in the face of their other responses.

Go figure!

Up, up and away… cybercrime costs have tripled over the last 5 years

The cost of cybercrime is going up and up, according to a new report published by Hamilton Place Strategies.

In its Cybercrime Costs More Than You Think paper, it says the total global cost of online crime is around $450 billion (£318 billion/408 billion Euros), a figure which would give ‘cyber’ a market capitalisation second only to Apple.

Offering further perspective, Hamilton valued the cost of cybercrime in terms of a nation’s Gross Domestic Product (GDP), which would have made it the world’s 27th largest ‘economy,’ placing it between Norway and Austria.

So I guess the report’s opening line is in fact a tad understated:

In an increasingly interconnected world fueled by the expansion of digital technology, cybercrime has become a big business.

But it’s not always been that way – the study explains how the cost of online crime has actually surged in a very short period of time, up by around 200% in just 5 years. And if the media is any kind of barometer, I expect it to keep on growing, at least in the short-term.

The report highlights how money itself is not the only growth area – information (an equally valuable commodity) is also increasingly at the mercy of the dark side of the global network with some 828 million records having been pilfered since 2005. To put that into perspective, that’s the equivalent of everyone in the UK having their personal info stolen around 12 times each in 10 years!!

I myself think the loss of people’s data is the most important statistic but this article is more interested in the financial aspects, highlighting what many of us already know – a data breach is not a one-time cost but rather an event that can cause extreme reputational damage (think TalkTalk) or additional loss of revenue when the damage is widespread:

While the direct cost of a cyberattack can be significant, the reputational damage can be even more impactful to the bottom line. In the Target data breach of 2013, which affected millions of U.S. customers, the company incurred $252 million in data breach-related expenses, with only $90 million of that expected to be offset by insurance recoveries.

Hamilton Place Strategies also outlined what it called the “ricochet effect,” in which other organisations also observe a business impact following the breach of one of their competitors.

Using Target as an example again, the report says its breach raised questions about the security posture and preparedness of other players in the retail sector which, as we found out later, were not entirely unwarranted.

The report ends with a rather simplistic view of how businesses can be better prepared to withstand or deal with a cyber attack, though its basic premise of being prepared and having an incident response plan in place is of course sound.

Given the warning that –

If you’re in business today, it’s nearly a guarantee you’ll be hacked at some point over the next couple of years.

– I would say there is much more you can do to minimise the risks of being breached in the first place which is, of course, a preferable outcome to having to engage the incident response plan.

If you’d like to know more, click here for a list of our services.