Friday 30 September 2016

Responding to the Boardroom (Cyber), SOS

Stuart Peck, Cyber Security Strategist, ZeroDayLab

When 90% of all successful cyber attacks begin with just one (double) click, and the average company's network is hit with malware every 4 seconds according to a recent report released by Check Point, the risk to the business is continuously heightened.

The challenge facing executives is not only the threat of a cyber attack at work but also at home with threats such as Ransomware, identity theft, personal and professional reputation damage attacks, Doxing and Phishing, all having a direct impact on business and personal affairs.

The problem is compounded by the number of publicly (and privately) available credential dumps (usernames and passwords) from social media and other online accounts. Take the Last.FM dump released recently (21.09.2016), which included my very own details; or the very high profile Yahoo mega-breach, which affected over 500 million users. The issue can be mitigated by never using the same password for different accounts and enabling 2FA (Two-Factor Authentication) for every account; but how many users or execs follow that routine? The reality will come as little surprise - very few.

These details are an easy route for hackers to breach an organisation, especially at board level, as passwords may not be rotated as often and work emails are sometimes used for personal accounts, such as social media.

Figure 1. Recent notification of a public dump of accounts.

Technology won't fix the problem.

"Amateurs hack systems, professionals hack people." 
Bruce Schneier.

Whilst there has been a vast improvement in technology to prevent and detect malicious activity, it is never guaranteed to catch everything, especially social engineering. Attacks such as Whaling (otherwise known as the CEO scam) have seen a huge rise in the last 24 months and are estimated to have cost businesses $3.1 billion globally, with over 22,000 victims, according to recent figures released by global law enforcement agencies.

So, when technology (inevitably) fails, executives are not necessarily left defenceless against attack, but the odds are definitely stacked in favour of the attacker, who uses guile and technical skill to outfox the average executive IT user.

Answering the Boardroom (Cyber), SOS

Executives, in general, are more informed than ever that cyber security is a real problem. The challenge is that they do not understand how attackers look to exploit the 'human firewall', and how this directly impacts their personal and business assets... until it is too late.

The strategy for answering the Boardroom (Cyber) SOS is made up of the following activities:

1) Situational Threat Awareness - through continuous education and briefings.

"Information is not knowledge.  The only source of knowledge is experience."
Albert Einstein

Prevention is key to defeating cyber attacks: arm your executives with awareness of the techniques used by the adversary, together with practical advice on how best to protect themselves from the most-used and most effective methods deployed by cyber criminals.

Improving executives' ability to detect social engineering and spear phishing attempts, by adapting their behaviour in the use of email and web browsing, can reduce exposure to the most common forms of attack by up to 70%.

Training that is engaging and interactive ensures adoption of the message and helps cement behavioural changes. 

2) Executive Cyber Threat Monitoring

Understanding the threats facing key board members is key to developing the appropriate defensive strategy. By consuming threat intelligence services that monitor sources such as hacker forums, doxbins, darknet sites and social media, you can pre-empt attacks that specifically relate to key individuals, or to the board as a whole.

This information should then be fed into the Situational Threat Awareness sessions, providing additional context and relevance. 

3) Simulated attacks and incident scenario testing

And finally, conducting simulated attacks such as phishing is very commonplace, but how many organisations run cyber incident response scenario workshops with their executives?

Testing the executives' ability to navigate a highly complicated breach, alongside the Incident Response function of an organisation, will help improve awareness of the impact of a cyber breach not only to individuals but also to the business as a whole. 

By combining Situational Threat Awareness, Threat Monitoring and Simulated Incident Scenarios with your executives, you are not only answering the Boardroom (Cyber) SOS but actively arming your execs so that they can better defend themselves when technology fails. 

Tuesday 27 September 2016

Brexit means Brexit and so does the EU GDPR

Nick Prescot, Senior Information Security Manager, ZeroDayLab

Since the 23rd June this year, the word 'Brexit' has been the most overused word in the English language, with some saying that we need a 'heavy Brexit' and some saying that we should have a 'Brexit lite'. Whilst one can debate endlessly about the route proposed by the UK Government, there is one inalienable fact that holds a certain evident truth: the EU GDPR will become law in 27 countries (and, if we're still in the EU, 28 countries) on 25th May 2018.

Safety: the condition of being protected from or unlikely to cause danger, risk, or injury 

What is important to note is that one shouldn't just add 'EU GDPR' to the risk register and then make it all red because it's a big thing... The risk isn't the regulation, it is the level of controls that are required around the processing of personal data. This means that many risks stem from this regulation, covering data 'at rest', data 'in transit' and data 'managed by 3rd parties'. What is interesting is the European approach to the premise that personal data is a valuable currency, not only to the individual but also to the adverse party.

Security: the state of being free from danger or threat   

In English, 'safety' and 'security' are two separate words, but in many European languages they are a single word (French = la sécurité; German = Sicherheit; Italian = sicurezza; Spanish = seguridad). So it is not only a cyber security premise but also a cyber safety premise. That is, in many European languages cyber security and cyber safety are the same phrase, whereas in English they do not always mean the same outcome. I get the sense that cyber security is looking at dynamics from the 'outside-in' and cyber safety is looking at dynamics from the 'inside-out' - this is a personal view, and I'm sure that lots of people will be thinking, thanks for that, but not sure what you mean here!

The regulation is quite specific in article 25 about data encryption. To me, this is the essence of what the majority of European countries are thinking when they talk about this new privacy act. In English, we see data protection as a cyber security thing, whereas in Europe the word for 'safety' is also the word for 'security'. This makes sense, because a lot of the legislative comments are focused on words such as pseudonymisation, which means the separation of data from a directly identifying component. To me this is a safety factor when one is trading one's personal data with 3rd parties. There is also recital 75, which states that there should be a process for 'the prevention of unauthorised reversal of pseudonymisation', which basically means one-way hashing of personal information through encryption.
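To make the 'prevention of unauthorised reversal' point concrete, here is an added example (written for this post, not code from the regulation or from ZeroDayLab) that contrasts two ways of pseudonymising a direct identifier. The records, the key and the field names are constructed for the illustration. The plain SHA-256 variant is one-way on paper, but because an e-mail address is low-entropy, anyone holding a candidate address can recompute the token and confirm the match. The HMAC variant keeps the same linkability between records (the same person always maps to the same token, so analytics still work) while making the reversal depend on a secret key that is held separately from the data set, which is the separation of data from its identifying component that the recital is after.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records: nobody real, e-mail is the direct identifier (assumption).
RECORDS = [
    {"email": "alice@example.com", "plan": "premium", "logins": 42},
    {"email": "bob@example.com", "plan": "free", "logins": 3},
    {"email": "Alice@Example.com", "plan": "premium", "logins": 7},  # same person, different case
]


def generate_key() -> bytes:
    """A 256-bit pseudonymisation key; store it apart from the pseudonymised data."""
    return secrets.token_bytes(32)


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the normalised identifier.

    Deterministic and one-way in the textbook sense, but anyone who can guess a
    candidate identifier can recompute the token and confirm the match, so it
    does not by itself prevent unauthorised reversal for low-entropy data.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised identifier under a secret key.

    Same identifier -> same token, so records stay linkable, but recomputing a
    token requires the key: reversal is controlled by key custody, not by hope.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Return copies of the records with the e-mail replaced by a keyed token."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject_id"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def can_confirm_identity(candidate: str, token: str, key: Optional[bytes]) -> bool:
    """Can a party holding `key` (or no key at all) tie `candidate` to `token`?

    With no key, only the unkeyed construction can be checked; a keyed token
    will never match.  With the key, the legitimate controller can re-identify.
    """
    if key is None:
        return hmac.compare_digest(naive_pseudonym(candidate), token)
    return hmac.compare_digest(keyed_pseudonym(candidate, key), token)


if __name__ == "__main__":
    key = generate_key()
    for row in pseudonymise_records(RECORDS, key):
        print(row)
    token = keyed_pseudonym("alice@example.com", key)
    print("third party without key can re-identify:",
          can_confirm_identity("alice@example.com", token, None))
    print("controller with key can re-identify:",
          can_confirm_identity("alice@example.com", token, key))
```

The design point is that the key, not the hash function, is what carries the 'unauthorised reversal' control: rotate it per data set or per recipient, keep it out of the environment where the pseudonymised data lives, and a leaked data set cannot be joined back to identities by recomputation.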

This potentially has a huge impact on the processing, storing and holding of personal data. Not only will this protect the rights of the individual, it will require the companies holding this data to protect it adequately with well-known security measures. Encryption at rest isn't cheap, but it looks more than likely to be a regulatory requirement that can't be avoided.

In a recent Ponemon Survey, the perceived risk to brand recognition from mandatory breach notifications emerged as the major upcoming headache for many European organisations, with 51% of survey respondents noting it as a concern, followed jointly by the risk of distraction from more important security topics and cost, both of which were cited by 48% of respondents. Other concerns noted were the potential for over-delivering on compliance (38%), fines for non-compliance (36%), ensuring compliance for data transfers across borders (36%) and the inability to make data transfers to chosen providers (31%).

So whilst Brexit means Brexit and we don't know what that means, we do know that safety and security for our European cousins are (on the whole) the same thing, and my message is this: if you're having trouble getting the 'cyber security' message across to the internal business continuity and health and safety teams, swap it for 'cyber safety'. I'd be interested to know what the reaction is, especially in the context of the EU GDPR.

Friday 9 September 2016

Wells Fargo fire 5300 employees after 2 million fake accounts discovered

Since at least 2011, Wells Fargo employees have been creating fake accounts using customers’ identities to boost their sales numbers, federal regulators said on Thursday.
The Consumer Financial Protection Bureau (CFPB) fined the bank $100 million after a third-party consulting firm found that 2 million fake deposit and credit card accounts had been made without the consent of the person whose name was on the account. According to CNN Money, the bank fired 5,300 employees for taking part in the scheme, which constitutes about 1 percent of the bank's payroll.
In order to boost their sales numbers, employees opened 1.5 million deposit accounts and 565,000 credit card accounts on customers’ behalf but without authorization from those customers. “Employees then transferred funds from consumers’ authorized accounts to temporarily fund the new, unauthorized accounts,” the CFPB wrote. “This widespread practice gave the employees credit for opening the new accounts, allowing them to earn additional compensation and to meet the bank’s sales goals.”
In the meantime, customers' real accounts were temporarily drained, leaving them with insufficient funds charges and overdraft fees.
The CFPB also noted that employees were issuing and activating debit cards without authorization, "going so far as to create PINs without telling consumers." In addition, some employees created fake e-mail addresses to sign customers up for online banking programs without their knowledge.
In a statement on its website, Wells Fargo wrote that it “is committed to putting our customers’ interests first 100 percent of the time.”
“We regret and take responsibility for any instances where customers may have received a product that they did not request,” the company added.
Wells Fargo refunded the fees to the harmed customers, in a payment totaling $2.6 million, with $25 in refunds per customer on average. The company also said it would invest in “enhanced team-member training and monitoring and controls” and focus on performance goals based on customer satisfaction.
In a statement, CFPB Director Richard Cordray said, “Because of the severity of these violations, Wells Fargo is paying the largest penalty the CFPB has ever imposed. Today’s action should serve notice to the entire industry that financial incentive programs, if not monitored carefully, carry serious risks that can have serious legal consequences.”
In addition to the $100 million fine the CFPB levied on it, Wells Fargo will also have to pay the City and County of Los Angeles $50 million as well as a $35 million fine to the Office of the Comptroller of the Currency.

Wednesday 7 September 2016

Why Data Breach Notifications are like car crashes

Guest Blogger: Nick Prescot, Senior Information Security Manager at ZeroDayLab

I have not been very active at all on the blogging scene so far in 2016, since I thought that I would keep my powder dry and think of something different and interesting to write. So here we are, nine months into the year, and I have been very busy, spending a fair amount of time in airport lounges and getting good at working out time zones.

One headline continuum that I have been noticing is the size and the depth of the breaches that seem to be happening; they are a daily occurrence, and they are the norm. We are not talking of hundreds of thousands of PII records missing but of millions and millions, and the problem is not going to go away.

They seem like car crash statistics; they are there, but they are becoming common news. It is a bit late to have a state of shock to say that, ‘OMG, hackers have taken all these personal clumps of data. What are we going to do about it and the hackers need to go to jail.’ We need to stop being surprised by PII details being hacked as a reason for getting a new box with green flashing lights to solve the problem; the root cause of the problem can be found closer to home than that...

Perhaps the first indicator of this is that the most popular password used in corporate environments is still 'Password1'. Passwords are not going to be the first and the last line of defence, no matter how trendy you make the password. On the one hand, there are websites that give you the chance to create a very 'strong' password and give you the confidence that you are never, ever going to get hacked.

On the flipside of this is the CESG Password Guidance. In the introduction to the document, Ciaran Martin, the Director General for Cyber Security, states in quite explicit terms:

'Worse still, the rules - even if followed - don't necessarily make your system more secure. Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.'

So I think that we can take it that passwords that are 25 characters long and use all the &, $ and £ signs look and sound cool, but the reality is that they do not make your cyber infrastructure as much safer as one might think.
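The CESG point can be shown in a few lines. The following is an added example for this post (not CESG's or ZeroDayLab's code) that puts a conventional complexity policy next to a denylist check of the kind the guidance favours. The denylist here is a tiny constructed stand-in for a real list of commonly used or breached passwords; the eight-character minimum and the policy rules are assumptions standing in for whatever your organisation mandates. 'Password1' passes every complexity rule and is rejected only by the denylist, while a long passphrase fails the complexity rules yet is the better password.

```python
import re
from typing import Dict

# Constructed stand-in for a commonly-used / breached password list (assumption).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8  # assumed organisational minimum


def passes_complexity_policy(pw: str) -> bool:
    """A typical 'complexity' rule: 8+ characters with upper, lower and digit."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def canonical(pw: str) -> str:
    """Fold the usual 'make it complex' decorations: case and trailing digits/symbols.

    'Password1!' -> 'password', so it is caught by the denylist entry 'password'.
    """
    return re.sub(r"[^a-z]+$", "", pw.lower())


def is_denylisted(pw: str) -> bool:
    """True if the password, or its undecorated form, is on the common-password list."""
    return pw.lower() in COMMON_PASSWORDS or canonical(pw) in COMMON_PASSWORDS


def evaluate(pw: str) -> Dict[str, object]:
    """Report both checks side by side.

    Acceptance follows the CESG-style approach: a minimum length plus a denylist,
    with the complexity result reported for information only.
    """
    complexity = passes_complexity_policy(pw)
    denylisted = is_denylisted(pw)
    return {
        "length": len(pw),
        "passes_complexity": complexity,
        "denylisted": denylisted,
        "accepted": len(pw) >= MIN_LENGTH and not denylisted,
    }


if __name__ == "__main__":
    # Constructed candidate passwords for the demonstration.
    for candidate in ["Password1", "Password1!", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{candidate!r:34} {evaluate(candidate)}")
```

Run it and the first row is the one to show the board: the corporate favourite satisfies the complexity policy in full, and only the denylist stops it.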

So how do we make our internet lives safer when the main premise is that the password is the key to our cyber happiness? Well, like most things in law and tech, change is slow to start with, but once enough pace and momentum builds, a piece of new legislation arrives. There are now lots of bits of legislation (the Data Protection Act, the new EU GDPR, etc.), but the focus is to ensure that if you are a business processing personal data (and payment card data) you keep it as safe as possible. The same thing happened with cars in the post-war period, and now cars are deemed quite safe in everyday driving; one only has to compare the car crashes in F1 in the 1970s (Niki Lauda being a case in point) with the way in which F1 cars can now survive some quite big crashes.

In the corporate world, best practice in cyber safety/security starts with good governance and then understanding the risks that are out there... there is no point, if you are an online publisher, in having the same security as a retail bank, because you are not going to be processing their money or personal data. Compliance is only a guide to the level of resilience that you should have, because it's how you prepare yourself before the data breach/loss, what you do after the breach/loss, and learning from the mistakes that counts.

Yes, the statistics are getting worse and more personal (think of a recent adult site where people were discussing adult things and that was leaked), but once the investigators come across the 'accident' scene, a lot of the time it's down to the lack of maturity of the people behind the governance and security controls of their website/infrastructure. It harks back to the days when, at the scene of a car crash, the cause of the accident was put down to 'driver error' and not the technology. Technology does what it is supposed to, within the parameters in which it is supposed to operate; but it requires the pragmatic and risk-balanced approach of the human operator to get the basics right!

There are standards being mandated, such as Cyber Essentials and Cyber Essentials Plus, that are promoted as some form of 'cyber MOT'. They will keep you 'in check' to a certain degree, but the main point is to adopt, promote and enhance a culture of good information governance... rather like the way your driving instructor told you how to drive.