Monday, 4 July 2016

Cyber Security Roundup for June 2016

Before Brexit (Why Brexit will be Business as Usual for Cyber Security & Data Protection in the UK) dominated the UK parliamentary agenda, a Commons Committee lambasted the Information Commissioner’s Office for not being tough enough on TalkTalk over its data breach earlier this year.

The UK parliament also passed the controversial ‘Snoopers Charter’ bill this month.

For the fourth month in a row, Adobe and Microsoft released critical patches to fix zero-day Flash vulnerabilities that were being exploited in the wild.

A spate of tech company chiefs had their Twitter accounts hacked, including Facebook’s Mark Zuckerberg, who was also spotted in an Instagram picture with tape covering his MacBook's webcam.

The ransomware epidemic continues to make headlines and cause issues across all industries; this month saw concern over a new strain of ransomware called RAA, which runs purely as JavaScript.


Friday, 24 June 2016

Why Brexit will be Business as Usual for Cyber Security & Data Protection in the UK

So it actually happened: they have gone and done it, it's shocked the world, and the UK populace has voted to leave the European Union today. Now what? Well, we'll just have to get on with it and start thinking about how Brexit will impact cyber security and data protection in the UK from here on in.

I didn't post a word on Brexit despite being asked numerous times during the "debating" season, or as we in the security industry call it, FUD! But now it's done and dusted, here are my thoughts, which as always on this blog are completely my own.

Cyber Security Defence
The UK is a significant player in the international cyber threat intelligence community. Although it is a highly secretive business, the “snooping” documents leaked by Edward Snowden demonstrated how closely GCHQ works with its American counterpart agencies. When it comes to the business of protecting the UK’s critical national infrastructure, economy and businesses from cyber attacks, NATO membership trumps EU membership every time. So I don’t believe UK citizens should be too concerned that Brexit will significantly weaken the UK’s cyber defence posture. Nor do I see the ties between UK security agencies and services and their European counterparts being cut any time soon, given the common terrorist, criminal gang and cyber threats that European countries share.

Privacy and Data Protection
Privacy is a fundamental right for all European Union citizens, and to address this right in the digital space the EU has devised the General Data Protection Regulation (GDPR). The GDPR is a top-to-tail overhaul of Europe's current Data Protection Directive (law), upon which EU member states' data protection laws are based, including the UK’s Data Protection Act. Europe’s existing data protection legislation is well past its sell-by date: it was drafted without any knowledge or consideration of social networking, borderless cloud services, and colossal personal data collection and mining. Yet despite the desperate need for digital privacy protection legislation in Europe, the GDPR was held up by Brussels’ bureaucratic red tape for far too many years, and it has only recently reached an agreed final draft, which is due to come into European Union law in May 2018.

The GDPR applies not just to each EU member state, but to any business or organisation in a country outside the European Union which stores and/or processes EU citizens’ data. So from the UK perspective, despite the uncertainty caused by Brexit, my advice is for UK businesses to assume the GDPR is still going to apply, and to continue preparations to be compliant by May 2018.

Why UK will still need to comply with GDPR

I believe it is highly likely that the UK government (executive) will adopt the GDPR into UK law despite Brexit, or at the very least the vast majority of the GDPR requirements. The EU is likely to insist on the UK replicating the GDPR in law as part of the trade negotiations. Given that many businesses in the UK will store and/or process EU citizen data, they still have to comply with the GDPR regardless of Brexit, or even of client contract clauses. Finally, it would be extremely emotive and controversial if UK companies were to treat UK citizens' privacy and personal data with less regard than that of ‘foreign’ EU citizens. So I fully expect it to be business as usual in the UK on the data protection front despite Brexit.

Tuesday, 31 May 2016

Cyber Security Roundup for May 2016

The business impact of under-investing in IT security was felt by TalkTalk: its profits were halved after 160,000 customers walked away from the company’s services following its recent high-profile data breach. TalkTalk received wide criticism for poorly handling the customer data breach, which further damaged its reputation with customers.

Huge volumes of stolen user credentials taken from the likes of LinkedIn, Tumblr and MySpace were dumped onto the dark web.

Spear phishing continues to be a problem across all industries, with one attack costing the CEO and CFO of a German aircraft company their jobs.

The ICO publicly fined two NHS trusts and Kent Police following personal data breaches. One ICO fine of £185,000 was due to an emailed newsletter: the email’s “To” field displayed the email addresses of individuals infected with HIV to all recipients of the newsletter. It is an issue simply prevented by using the BCC field instead of “To” or “CC”.
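The following is an added example, not code from the original post, showing the pattern behind that fine beside the corrected one: a newsletter builder that puts the mailing list on the SMTP envelope only (the equivalent of BCC) and a check that refuses to send if any list member is visible in the headers. It uses only Python's standard library; the recipient addresses and the dry-run SMTP stand-in are constructed for the example, and nothing is actually sent.

```python
"""Sending a bulk newsletter without disclosing the recipient list.

Added example (not the original post's code). Recipient addresses below are
constructed sample values; _DryRunSMTP stands in for smtplib.SMTP so the
example runs offline.
"""
from email.message import EmailMessage

# Constructed sample recipient list (not real addresses).
SAMPLE_RECIPIENTS = [
    "patient1@example.invalid",
    "patient2@example.invalid",
    "patient3@example.invalid",
]
SENDER = "newsletter@clinic.example.invalid"


def build_newsletter_naive(subject, body, recipients):
    """The pattern behind the fine: every address placed in the To: header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)   # visible to every recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_newsletter(subject, body, recipients):
    """Corrected pattern: return (message, envelope_recipients).

    The mailing list goes only on the SMTP envelope (what BCC does). The
    visible To: header names the sender's own list address, so no recipient
    can see who else received the message. No Bcc: header is written either,
    since some mail software passes that header through to recipients.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def disclosed_addresses(msg):
    """Every address a recipient will be able to see in the message headers."""
    seen = set()
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            for part in str(value).split(","):
                part = part.strip()
                if part:
                    seen.add(part)
    return seen


def leaks_recipients(msg, recipients):
    """True if any member of the mailing list is visible in the headers."""
    return bool(disclosed_addresses(msg) & set(recipients))


def send_newsletter(smtp, subject, body, recipients):
    """Hand the message to an smtplib.SMTP-compatible object.

    Refuses to send if the list would be disclosed. Returns the number of
    envelope recipients passed to the server.
    """
    msg, envelope = build_newsletter(subject, body, recipients)
    if leaks_recipients(msg, recipients):
        raise ValueError("recipient list would be disclosed in headers")
    smtp.send_message(msg, from_addr=SENDER, to_addrs=envelope)
    return len(envelope)


class _DryRunSMTP:
    """Constructed stand-in for smtplib.SMTP; records instead of sending."""

    def __init__(self):
        self.sent = []

    def send_message(self, msg, from_addr=None, to_addrs=None):
        self.sent.append((msg, from_addr, to_addrs))


if __name__ == "__main__":
    naive, _ = build_newsletter_naive("Clinic news", "Hello", SAMPLE_RECIPIENTS)
    print("naive message leaks list:", leaks_recipients(naive, SAMPLE_RECIPIENTS))
    smtp = _DryRunSMTP()
    n = send_newsletter(smtp, "Clinic news", "Hello", SAMPLE_RECIPIENTS)
    print(f"queued to {n} envelope recipients; visible To: {smtp.sent[0][0]['To']}")
```

In production, `_DryRunSMTP` is replaced by a real `smtplib.SMTP` connection; the `leaks_recipients` gate stays in place as a last check before every bulk send.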

Ransomware continues to be a major evolving problem, with new strains of the malware such as Petya detected, and existing strains such as CryptXXX receiving updates.



Friday, 29 April 2016

Cyber Security Roundup for April 2016

The European General Data Protection Regulation (GDPR) was finally approved by the European Parliament this month. Coming into force in 2018, the GDPR has serious teeth, with fines of up to 4% of global turnover for non-compliance and mandatory data breach reporting within 72 hours, among other ground-breaking data protection changes geared at improving EU citizens' privacy rights. The new data protection regulation will have a significant impact on all businesses in the UK, even if the UK votes to leave the EU.

An updated version of PCI DSS was also released; there are a number of minor changes to requirements within V3.2 which PCI DSS compliant businesses need to be aware of in order to avoid being caught out during compliance assessments. 

There were several huge data breaches from around the world, with the personal data of entire countries' populations being compromised. There was also what could be a very defining UK lawsuit by 6,000 Morrisons staff against their company, after an employee stole and posted their personal details online.


Friday, 1 April 2016

Cyber Security Roundup for March 2016

Ransomware attacks continue to soar across all UK industry sectors. Trustwave SpiderLabs provided an excellent overview of how one of the most prolific ransomware strains works in How the Locky Ransomware Works.

March saw media headlines dominated by Apple's refusal to co-operate with the FBI in breaking the iPhone’s security, which concluded with the FBI successfully hacking the iPhone via an anonymous third party, sparking the old but much-needed Privacy vs Security debate.

There were also notable hacks of law firms and a major ‘cyber heist’ at the Federal Reserve Bank of New York. Another major TLS vulnerability, named ‘DROWN’, highlights the importance of patching OpenSSL and not using weak crypto.
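As an added example (not code from the original post), the block below shows what "patching OpenSSL and not using weak crypto" looks like in practice from the Python side: it reports the OpenSSL version the runtime is linked against, builds a TLS context that refuses anything older than TLS 1.2 (DROWN abused servers that still accepted SSLv2), and audits the enabled cipher suites against a list of weak-cipher name markers. The marker list and the sample cipher names in `main` are my own constructed values, to be adjusted to local policy.

```python
"""Hardened TLS context plus a weak-cipher and OpenSSL-version check.

Added example, not the original post's code. Uses only Python's ssl module.
WEAK_CIPHER_MARKERS is a constructed policy list, not an OpenSSL constant.
"""
import ssl

# Substrings of OpenSSL cipher-suite names that mark obsolete or weak suites
# (constructed policy list: export/NULL/anonymous/RC4/DES/MD5-based suites).
WEAK_CIPHER_MARKERS = ("EXPORT", "NULL", "ANON", "ADH", "AECDH", "RC4", "DES", "MD5")


def openssl_at_least(required):
    """True if the linked OpenSSL is at least `required`, e.g. (1, 0, 2)."""
    return tuple(ssl.OPENSSL_VERSION_INFO[:len(required)]) >= tuple(required)


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Context that only negotiates TLS 1.2+ with AEAD, forward-secret suites."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.3 suites are managed separately by OpenSSL and stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def find_weak(cipher_names):
    """Return the subset of cipher-suite names that match a weak marker."""
    return [
        name for name in cipher_names
        if any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS)
    ]


def weak_ciphers(ctx):
    """Weak suites actually enabled on an ssl.SSLContext."""
    return find_weak(c["name"] for c in ctx.get_ciphers())


def offers_legacy_protocols(ctx):
    """True if the context would still negotiate anything below TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION, "(>= 1.0.2:", openssl_at_least((1, 0, 2)), ")")
    ctx = hardened_context()
    print("legacy protocols offered:", offers_legacy_protocols(ctx))
    print("weak suites enabled:", weak_ciphers(ctx))
    # Constructed sample of a legacy server's cipher list, for illustration.
    sample = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA", "AECDH-AES128-SHA"]
    print("weak in sample list:", find_weak(sample))
```

`find_weak` is kept separate from the context so the same policy check can be run over cipher lists gathered from a server scan or a config file, not only over a live `SSLContext`.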


Tuesday, 1 March 2016

Cyber Security Roundup for February 2016

This month saw the trend of spear phishing and ransomware cyber attacks continue across all industry sectors. Snapchat disclosed that its CEO had fallen victim to a spear phishing attack which led to the disclosure of Snapchat employee payroll information.

Two German hospitals fell victim to ransomware after a member of staff opened a malware-infected email attachment. The ransomware crippled X-ray machines and email systems for two weeks, underlining the business risk ransomware presents.



Tuesday, 9 February 2016

The Internet is Fast running out of IP Addresses - IPv6 V IPv4

The explosion in the number of connected devices on the Internet, fuelled by more users worldwide getting cheap access to the net (now over 3.2 billion users) and by the rapid growth of the Internet of Things (IoT), means the Internet is fast running out of IP addresses.

IP addresses are fundamental to the World Wide Web, and every internet-enabled device has at least one IP address. Unfortunately, the current IP addressing system has a limited number of IP addresses, which means they will soon run out. This outdated system, IPv4, was deployed more than three decades ago and is still in use. IPv6 is an improvement on IPv4 and is seen as its replacement, since it offers an almost unlimited number of IP addresses.

The New Jersey Institute of Technology has created, and asked me to share, an excellent infographic on how engineers can ensure the web doesn't run out of IP addresses, comparing IPv4 with IPv6.

Sunday, 24 January 2016

10 Steps to Building a Secure Network Infrastructure

Irish-based Exigent Networks has produced the following infographic on Building a Network Infrastructure. The graphic outlines the steps that need to be taken in building a network infrastructure, detailing each part of the process, while also advising on the benefits of having a quality network infrastructure in place and providing security tips.

Considering all the security requirements at the design stage is far cheaper, and indeed results in a more secure network infrastructure, than trying to bolt security onto a poorly designed network. Also remember that keeping the network infrastructure secure is an ongoing process: vulnerability testing and the patching of systems and devices, including switches, firewalls and routers, must be continual.

Thursday, 31 December 2015

2016 Cyber Security Predictions

2015 saw the rise of hackers motivated to steal data for the purpose of public extortion and public shaming. The Ashley Madison data breach was one of the highest-profile examples, where the hackers attempted to blackmail the company into closing down its infidelity website operations. When the company failed to comply with the hackers' demands, the hackers released millions of Ashley Madison members' account details online. In 2016 I think we will see more companies' sensitive user databases targeted for the purpose of blackmail by cybercriminals, and for the purpose of public shaming by hacktivists hell-bent on causing reputational damage to any company they take a dislike to.

2016 will finally see the demise of arguably the greatest user inconvenience and 'Achilles heel' in cyber security, the humble password. In the coming year more organisations will embrace ‘no password’ authentication models, using alternatives to a password such as biometrics, pictographs, and Bluetooth/geotagging proximity. These methods are not only more secure than passwords, but offer a quicker and more convenient authentication experience to users, as proven with Apple’s iPhone 6s and Apple Pay. The iPhone’s clever biometric fingerprint-scanning authentication allows users to securely unlock their smartphone at speed, and is even secure enough to be used to make payments in shops without the user having to key in a passcode or password.

As manufacturers continue to rush towards IoT technology, namely the network connectivity and monitoring or controlling of physical-world objects, it will lead to more insecure IoT devices, caused by inadequate IoT software development and post-release support, as I explained in my recent IoT article for IBM. We can expect to see state-sponsored hackers, cyber criminals, hacktivists and even terrorists target this new-found low-hanging fruit. In 2015 we saw cars, planes, various kitchen appliances and even toys with network connectivity shown to be insecure by IoT security researchers. This situation could be a frightening precursor to more significant IoT attacks in 2016 and beyond. IoT cyber attacks carry risks well beyond the traditional data theft and IT systems outage scenarios: such attacks could specifically target the destruction of physical-world infrastructure, and endanger human life.

A key priority in 2016 for any European company, and non-European company which stores or processes EU citizen personal data, is to prepare for the EU General Data Protection Regulation (GDPR), as I blogged about here.

The GDPR comes into force in 2018 and is the biggest shake-up in history of how enterprises must legally meet information security and individual citizen privacy rights. The new regulation comes with serious financial teeth for any compliance failure, with fines of up to 20 million euros or 4% of an enterprise's annual global turnover. Businesses must also disclose any personal data breaches within 72 hours, which is another major game changer, as currently under the existing EU data protection directive companies do not have to disclose personal data breaches to any body or to the public. There are new individual rights which will require redesigns of IT systems and business processes, such as the right to be forgotten and data portability. Even though the GDPR doesn’t come into force until 2018, given the major changes required of businesses handling personal data, together with the risk of large financial penalties if it is not done correctly, 2016 should be the year to commence preparations for the GDPR.