Friday 18 November 2016

Three Mobile hit by a Data Breach

'What you need to know' about the Three Mobile Data Breach 

By Tarun Samtani
Group Cyber Security Advisor



Police have arrested three men in connection with a data breach at the Three mobile network.

The company said details, including names and addresses, had been accessed by using a login to its database of customers eligible for a phone upgrade.

It said the breach then allowed upgrade devices to be "unlawfully intercepted".

On Wednesday the National Crime Agency (NCA) said it had arrested two men from Manchester and one man from Kent as part of its inquiries.

A 48-year-old man from Orpington, Kent, and a 39-year-old man from Ashton-under-Lyne, Greater Manchester, were arrested on suspicion of computer misuse offences, the NCA said.

The third man, a 35-year-old from Moston, Greater Manchester, was arrested on suspicion of attempting to pervert the course of justice. All three have been released on bail pending further enquiries, an NCA spokeswoman said.

Three, which has nine million customers, is investigating how many accounts were accessed, but said the database did not contain payment, card or bank details.

A spokesman for the company said:

"Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.

"We've been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity."

The company said it has since strengthened its data controls and is contacting the eight handset fraud victims.

Cited BBC News



Monday 14 November 2016

Top-Down, Bottom-Up - What Are the Gaps in Your Security Training?


Where Are The Gaps In Your Security Training Strategy?

Cyber criminals are attacking from all vectors; isn't it time we trained on all vectors too? 

There is a lot of debate in the industry about how Security Awareness Training for staff is a vital component to any security strategy but is it creating real behavioural change and is it enough?  

We have talked before about how training needs to be more creative; considering the individual's needs and motivations in order to create engagement and change. What is also vital is ensuring the training strategy works across three strata, top-down and bottom-up.

Top-down: Senior Executive Training
It has long been said that business or management culture 'should come from the top'. This is the same for a proactive security culture, particularly as the top executives hold the keys to the castle. Just as with any other employee, there are two key factors at play here: both the organisation's and the individual's personal risk, and how that can be reduced.

By educating senior executives using targeted threat intelligence research on not just the organisation and its brands but also willing volunteers within the executive group; one reveals the true risks of social engineering from both a personal and business perspective, the threat of criminality on the dark web, data theft, reputation, financial impacts and ultimately the all-important share price. 

Bottom-Up: Security Training for Developers
How many open doors to hackers are unknowingly keyed into your code? Security training for developers is key to creating resilience at source. By raising the developers' skillset in coding with security and hackers in mind, this not only makes your systems more robust but over time, reduces the costs for testing and remediation, as well as reducing the risk of attack. 

Again, creativity and taking a tailored approach delivers maximum results. Training can be implemented over multiple stages from online assessments to identify the individuals requiring training and the type of training required, to CBT, classroom training and lab-based modules.  

The result is immediate, actionable knowledge that gives businesses greater confidence and clarity over the standards utilised to build their code.  What's more, online assessments can be used on an on-going basis for recruitment.

The Meat in the Sandwich: Security Awareness Training for Staff
Everyone is talking about it but how do you make it truly effective? By engaging the 'What's In It for Me?' principle. Rather than a list of rules of what not to do, build a picture of what is going on and how it affects not only the business but the employee and their family at home.  However, there's more.  There are key groups within a business who should receive bespoke training for their role; for example, Executive Assistants who are regularly targeted to gain access to sensitive business information. 

Tesco Bank Data Breach update


Tesco Bank has enlisted the help of the National Cyber Security Centre (NCSC) following the most serious cyber-attack launched against a UK bank.

The attack against the supermarket giant's banking arm involved the theft of £2.5m from 9,000 customers' accounts, funds that the bank quickly reimbursed. Initially theft against 20,000 accounts was feared but this figure was revised downwards late on Tuesday night.

At the same time Tesco announced that it was restoring normal service. The company had suspended online and contactless transactions from current accounts in the immediate wake of the breach last weekend.

Tesco Bank manages around 136,000 current accounts. Security pundits have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach.

NCSC is working alongside the National Crime Agency to look into the cyber-attack, which is believed to be the biggest of its kind in the history of British banking.

Ian Mann, chief exec of cyber-security service ECSC, said the size of the breach indicates that it is likely that either Tesco's internal systems or its mobile application have been hacked.

Tesco Bank's method of access for customers is "weak for this type of system", according to Mann. "Username is your email by default, and you only need digits from a numeric PIN. By requiring limited digits from the PIN on login, they make it virtually impossible to hash (encrypt) the PINs they have stored. This means a compromise of their customer database will reveal all logins and passwords to the attacker."

Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, said: "While the details are still patchy, there's no doubt that this was a hugely sophisticated, coordinated and advanced attack – and as recent months have proven, no organisation is immune from similar attacks going forward. With cloud computing, hackers have so many more points of entry, and organisations need to put security in place to guarantee the safety of data, even if it falls into the wrong hands. In practice, this means putting multiple layers of control around their most sensitive data and closely monitoring access to stop theft on the way out rather than betting on the 'hard shell' approach with a sealed perimeter."

Tesco might face a huge fine under the recently revamped EU data protection rules over the breach, according to Hawthorn.

"When it comes to data security, the silent spectre of EU General Data Protection Regulation is slowly kicking organisations into action, and incidents such as this will only accelerate this trend," Hawthorn said. "One estimate is that Tesco Bank could be fined nearly £2bn under GDPR rules for this incident. The bottom line is that data security is no longer simply an issue for the IT department to tackle, and organisations can no longer sit back and ignore it. The stakes are higher than they have ever been, so when it comes to reviewing your security position, tomorrow may just be too late."

Cited at The Register  
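As an added example (not code from the original post, Tesco Bank or The Register) of the point Mann makes about partial-PIN logins, the Python below contrasts a record that stores only a salted hash of the whole PIN with one that can answer an "enter digits 2 and 5" challenge, and counts the candidates per hash if every digit subset were hashed instead. The PIN values, digit positions and PBKDF2 work factor are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from itertools import combinations

# Constructed illustration (not Tesco Bank's or The Register's code) of Mann's
# point: a login asking for only some PIN digits cannot be checked against one
# salted hash of the whole PIN, so the PIN must be kept recoverable server-side.

PIN_LENGTH = 6
KDF_ITERATIONS = 100_000  # assumed PBKDF2 work factor for the illustration


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS)


class FullPinRecord:
    """Stores only a salted PBKDF2 hash: a database dump does not reveal the PIN."""

    def __init__(self, pin: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _kdf(pin, self.salt)

    def verify_full(self, pin: str) -> bool:
        return hmac.compare_digest(self.digest, _kdf(pin, self.salt))

    def verify_partial(self, positions: tuple, digits: str) -> bool:
        # A whole-PIN hash cannot confirm a subset of digits without knowing the
        # rest, so a partial-digit challenge cannot be served from this record.
        raise NotImplementedError("partial-digit login needs the recoverable PIN")


class PartialPinRecord:
    """Serves 'enter digits 2 and 5' challenges; must keep the PIN recoverable."""

    def __init__(self, pin: str) -> None:
        self.pin = pin  # stored in the clear: a compromise reveals every login

    def verify_partial(self, positions: tuple, digits: str) -> bool:
        expected = "".join(self.pin[p] for p in positions)
        return hmac.compare_digest(expected, digits)


def subset_hash_candidates(pin_length: int = PIN_LENGTH, k: int = 2) -> tuple:
    """Alternative of hashing every k-digit subset: returns the number of hashes
    to store and the candidates per hash (10**k), i.e. how little each resists guessing."""
    subsets = sum(1 for _ in combinations(range(pin_length), k))
    return subsets, 10 ** k
```

The take-away is the design trade-off Mann describes: a partial-digit challenge is convenient for users but forces the bank to hold something from which every customer's PIN can be recovered.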

Thursday 3 November 2016

Where Are The Gaps In Your Security Training Strategy?


Alison Prangnell, ZeroDayLab

Cyber criminals are attacking from all vectors; isn't it time we trained on all vectors too?

There is a lot of debate in the industry about how Security Awareness training for staff is a vital component to any security strategy but is it creating real behavioural change and is it enough?

We have talked before about how training needs to be more creative; considering the individual's needs and motivations in order to create engagement and change but what is also vital, is ensuring the training strategy works across three strata, from the top-down to the bottom-up.

Top-Down: Senior Executive Training

It has long been said that business or management culture 'should come from the top'. This is the same for a proactive security culture, particularly as the top executives hold the keys to the castle. Just as with any other employee there are two key factors at play here: both the organisation's and the individual's risk, and how that can be reduced.

By educating senior executives using targeted threat intelligence research on not just the organisation and its brands but also willing volunteers within the executive group; one reveals the true risks of social engineering from both a personal and business perspective, the threat of criminality on the dark web, data theft, reputation, financial impacts and ultimately the all-important share price.

Bottom-Up: Security Training for Developers

How many open doors to hackers are unknowingly keyed into your code? Security training for developers is key to creating resilience at source.  By raising the developers' skillset in coding with security and hackers in mind, this not only makes your systems more robust but over time, reduces costs for testing and remediation as well as reducing the risk of attack.

Again, creativity and taking a tailored approach delivers maximum results.  Training can be implemented over multiple stages from online assessments to identify the individuals requiring training and the type of training required, to CBT, classroom training and lab-based modules.  The result is immediate, actionable knowledge that gives businesses greater confidence and clarity over the standards utilised to build their code.  What's more, online assessments can be used on an on-going basis for recruitment.

The Meat in the Sandwich: Security Awareness Training for Staff

Everyone is talking about it but how do you make it truly effective? By engaging the 'What's In It For Me?' principle; rather than having a list of rules of what not to do, you build a picture of what is going on and how it affects not only the business but the individual and their families at home. However, there's more. There are key groups within a business who should receive bespoke training for their role: for example, Executive Assistants who are regularly targeted to gain access to business information.

Speak to our consultants to find out more about how training can be best implemented to help secure your organisation on +44 207 979 2067