Tuesday, 9 February 2016

The Internet is Fast running out of IP Addresses - IPv6 V IPv4

The explosion in the number of connected devices on the Internet, fuelled by more users worldwide getting cheap access to the net (now over 3.2 billion users) and by the rapid growth of the Internet of Things (IoT), means the Internet is fast running out of IP addresses.

IP addresses are important on the World Wide Web, and every internet-enabled device has at least one IP address. Unfortunately the current IP addressing system, IPv4, has a limited number of addresses, which means they will soon run out. This outdated system was deployed more than three decades ago and is still in use. IPv6 is an improvement on IPv4 and is seen as its replacement, since it offers an almost infinite number of IP addresses.

The New Jersey Institute of Technology has created, and asked me to share, an excellent infographic on how engineers can ensure the web doesn't run out of IP addresses, comparing IPv4 to IPv6.

Sunday, 24 January 2016

10 Steps to Building a Secure Network Infrastructure

Irish-based Exigent Networks has produced the following infographic on building a network infrastructure. The graphic outlines the steps that need to be taken in building a network infrastructure, detailing each part of the process, while also advising on the benefits of having a quality network infrastructure in place and providing security tips.

Considering all the security requirements at the design stage is far cheaper, and results in a more secure network infrastructure, than trying to bolt security onto a poorly designed network. Also remember that keeping the network infrastructure secure is an ongoing process: vulnerability testing and patching systems and devices, including switches, firewalls and routers, require continued effort.

Thursday, 31 December 2015

2016 Cyber Security Predictions

2015 saw the rise of hackers motivated to steal data for the purpose of public extortion and public shaming. The Ashley Madison data breach was one of the highest-profile examples, where the hackers attempted to blackmail the company into closing down its infidelity website operations. When the company failed to comply with the hackers' demands, the hackers released millions of Ashley Madison members' account details online. In 2016 I think we will see more companies' sensitive user databases targeted for the purpose of blackmail by cybercriminals, and for the purpose of public shaming by hacktivists hell-bent on causing reputational damage to any companies they take a dislike to.

2016 will finally see the demise of arguably the greatest user inconvenience and 'Achilles heel' in cyber security, the humble password. In the coming year more organizations will embrace 'no password' authentication models, using alternatives to a password such as biometrics, pictographs, and Bluetooth/geotagging proximity. These methods are not only more secure than passwords, but offer a quicker and more convenient authentication experience to users, as proven by Apple's iPhone 6s and Apple Pay. The iPhone's clever biometric fingerprint scanning authentication allows users to securely unlock their smartphone at speed, and is even secure enough to be used to make payments in shops without the user having to key in a passcode or password.

As manufacturers continue to rush towards IoT technology, namely the network connectivity and monitoring or controlling of physical-world objects, it will lead to more insecure IoT devices, caused by inadequate IoT software development and post-release support, as I explained in my recent IoT article for IBM. We can expect to see state-sponsored hackers, cyber criminals, hacktivists and even terrorists target this newfound low-hanging fruit. In 2015 we saw cars, planes, various kitchen appliances and even toys with network connectivity shown to be insecure by IoT security researchers. This situation could be a frightening precursor to more significant IoT attacks in 2016 and beyond. IoT cyber attacks carry risks well beyond the traditional data theft and IT systems outage scenarios; such attacks could specifically target the destruction of physical-world infrastructure and endanger human life.

A key priority in 2016 for any European company, and any non-European company which stores or processes EU citizens' personal data, is to prepare for the EU General Data Protection Regulation (GDPR), as I blogged about here.

The GDPR comes into force in 2018 and is the biggest shake-up in history of how enterprises must legally meet information security and individual citizen privacy rights. The new regulation comes with serious financial teeth for any compliance failure, with fines of up to 20 million Euros or 4% of an enterprise's annual global turnover. Businesses must also disclose any personal data breaches within 72 hours, which is another major game changer, as currently, under the existing EU data protection directive, companies do not have to disclose personal data breaches to a body or the public. There are new individual rights which will require redesigns of IT systems and business processes, such as the right to be forgotten and data portability. Even though the GDPR doesn't come into force until 2018, given the major changes required of businesses handling personal data, together with the risk of large financial penalties if not done correctly, 2016 should be the year to commence preparation for the GDPR.

Thursday, 19 November 2015

What is Tor and Should your website block Tor users?

Great infographic by State of the Internet which raises an interesting question: should websites block Tor users? Certainly one for debate. My view is that it depends on your website's 'marketplace', function and risk; in other words, perform a risk assessment (a lazy answer, I know).

But if, like me, you often find yourself explaining what Tor is to business folk so they can perform those risk assessments properly, you'll find this infographic comes in quite handy, as it does a simple job of explaining Tor: who uses it, how it provides anonymity online, and how cyber criminals are embracing the tool for various illicit purposes.

I recommend checking out the State of the Internet website for further info, statistics and reports on Web and DDoS attacks, which continue to blight the Internet.

Friday, 23 October 2015

TalkTalk Hacked (again) - Consumer Advice

A lot of TalkTalk customers have been in contact with me today asking for my advice following TalkTalk's announcement of yet another major data breach.

The TalkTalk press release states "there is a chance that some of the following data may have been accessed:

Date of birth
Phone numbers
Email addresses
TalkTalk account information
Credit card details and/or bank details"

And given TalkTalk are unable to confirm whether any of this data was encrypted when accessed, if you are a TalkTalk customer you should take this statement seriously and assume the personal information, bank account and/or credit card details you held with TalkTalk are now in the hands of cyber criminals and fraudsters.

What to Do
In summary, all TalkTalk customers must be extra vigilant in checking their bank and credit card accounts for fraudulent transactions, and for attempts at fraud by covert cyber criminals using their personal information against them.

Statement Checking
From this point on, all TalkTalk customers should regularly check the bank and credit card accounts they shared with TalkTalk for fraudulent transactions. Transactions such as multiple mobile phone pay-as-you-go top-ups and online casino and betting payments are common ways in which cyber criminals cash out stolen account details. Even legitimate-looking transactions for low amounts with companies you know need to be verified, as criminals will often test a stolen bank account or credit card by performing a transaction for a low amount before committing further fraud at a later date. Criminals tend to go for lower transaction amounts at first, as these tend to go under the radar of some bank fraud detection systems. Some banks and credit card providers are better than others at detecting fraud, but it is important not to rely on any bank or credit card company to detect the fraud for you, as they are far from 100% in their detection.

If you do find any fraudulent or even suspicious transactions, contact your bank or credit card company immediately. Do not report it to the Police, TalkTalk or the company with which the fraudulent transaction was made: only the bank or credit card provider can take immediate steps like cancelling your card/account and reissuing a new one, they are best placed to investigate the fraud, and they are ultimately the party in a position to return your money, even if they can't recover the cash themselves. Don't worry, you will quickly get your money back as long as you have done nothing wrong.
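To illustrate the statement-checking advice above, here is an added Python example (not from the post) that runs the two heuristics it describes, payments in common cash-out categories and a small test transaction followed shortly by larger spend at unfamiliar merchants, over a constructed sample statement; the category column, the thresholds and the sample entries are assumptions.

```python
"""Statement-checking heuristics (added example, not from the post)."""
from datetime import date, timedelta

# Constructed sample card statement: (date, merchant, amount in GBP, category).
# The category column is assumed; real statements rarely label merchants.
STATEMENT = [
    (date(2015, 10, 20), "Local Supermarket", 42.10, "grocery"),
    (date(2015, 10, 22), "Streaming Service",  0.99, "digital"),       # small first-time payment
    (date(2015, 10, 23), "Mobile Top-Up",     30.00, "mobile_topup"),  # common cash-out channel
    (date(2015, 10, 23), "Online Casino",    150.00, "gambling"),      # common cash-out channel
    (date(2015, 10, 24), "Local Supermarket", 38.55, "grocery"),
]

CASH_OUT_CATEGORIES = {"mobile_topup", "gambling"}  # the channels named in the post
PROBE_LIMIT = 2.00                # "test" transactions are typically for small amounts (assumed)
PROBE_WINDOW = timedelta(days=7)  # how soon the follow-on fraud is expected (assumed)


def merchants_before(statement, when):
    """Merchants that already appear on the statement before a given date."""
    return {merchant for d, merchant, _, _ in statement if d < when}


def flag_transactions(statement):
    """Return (date, merchant, amount, reason) for entries worth verifying with the bank."""
    flagged = []
    for i, (d, merchant, amount, category) in enumerate(statement):
        seen = merchants_before(statement, d)
        if category in CASH_OUT_CATEGORIES:
            flagged.append((d, merchant, amount, "common cash-out channel"))
        elif amount <= PROBE_LIMIT and merchant not in seen:
            # A small payment to an unfamiliar merchant is only suspicious when
            # larger spend at other unfamiliar merchants follows soon after.
            followed = any(d <= d2 <= d + PROBE_WINDOW and a2 > amount and m2 not in seen
                           for d2, m2, a2, _ in statement[i + 1:])
            if followed:
                flagged.append((d, merchant, amount, "possible card test before fraud"))
    return flagged
```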

Identity Theft
You may wish to consider registering with a credit checking company to ensure no one is using your stolen personal information to take out finance in your name (identity theft). Expect to pay £10 to £15 a month for the privilege; you never know, TalkTalk might provide this service to you for free as a way of apology.

Beware of Phishing and Phone Scams
Criminals may use your stolen personal information against you. For example, they could use your information to send you a highly realistic and personally customised email, enticing or scaring you into visiting a compromised website or opening an attachment which installs malware onto your computer or smartphone, or general messaging that attempts to harvest further personal and financial data from you. These targeted email scams are known as spear phishing in the cyber security industry, and can even originate from criminals that don't have your TalkTalk info but are seeking to take advantage of the situation by impersonating TalkTalk, guessing that you are a TalkTalk customer.

Beware of phone call scams where criminals use your stolen information to convince you the call is genuine; as we know, TalkTalk customer phone numbers have also been compromised in this breach. These types of phone scam are known as vishing attacks in the cyber industry. Always hang up on such calls and call the contact number on your bills and statements if you are concerned.

The TalkTalk statement doesn't say that passwords were compromised in this breach, but I strongly advise not taking any chances and changing your TalkTalk password immediately. Also make sure you aren't using your old TalkTalk password with any of your other online accounts, especially your email account and bank/credit card online accounts.

Choose Who you Share Your Personal and Financial Information With
Consumers should always consider the "cyber security hygiene" of companies they intend to trust with their personal and financial information before using them. This is the third data compromise TalkTalk has reported in the last 12 months. In my experience these types of cyber attacks aren't carried out by elite master hackers; the real cause tends to be companies under-investing in protecting your information properly. Indeed, encrypting financial data is considered an industry security best practice, while encrypting debit/credit card data at rest is a fundamental requirement of the Payment Card Industry Data Security Standard (PCI DSS), which for the last 9 years has been a security standard all companies handling and storing debit/credit card data are supposed to comply with.

Tuesday, 29 September 2015

Top security best practices for IoT applications - Combating IoT cyber threats

I have written the following article for IBM, which was published today on IBM developerWorks.

The Internet of Things is changing the way that businesses operate, especially in the areas of warehousing, transportation, and logistics. These changes make the security of IoT devices even more crucial, given the time and money that is required if a hacker breaks through the defenses. This article outlines the best practices for securely developing robust IoT solutions.

Wednesday, 10 June 2015

To Firewall or not to Firewall – Trusted & Untrusted Networks

The big danger of firewall deployments within a complex, dynamic network infrastructure (a typical enterprise) is that you end up with placebo network security. It is a problem that creeps in with each firewall rule change over the course of time. No one ever seems concerned when adding a new rule to a firewall ruleset, but removing a rule is a fearful business, so it is often not risked, so as not to break anything. The general ad hoc adding of rules without first understanding the entire ruleset is what seriously weakens firewall security: it makes rulesets hard to understand and can mushroom into an ineffective firewall configuration. So instead of allowing a network range through on a specific set of ports as a single rule, you end up with tens of rules allowing individual IPs, each on a specific port. I have seen firewall rulesets with thousands of unnecessary individual rules, caused by a combination of poor firewall management, lack of change control, lack of ruleset documentation and, to be honest, a lack of staff expertise.

Let's roll back to the fundamental purpose of a network firewall, which is to control network traffic between trusted and untrusted networks, only allowing specific, required and trusted network communication between an untrusted and a trusted network segment. The obvious example is the Internet (untrusted) and the office LAN (trusted). However, the textbook Internet-facing firewall is not typically where the issues are in a complex internal network infrastructure, where often there are countless individual networks making up a WAN.

It is important to define what we mean by an 'untrusted' network in the context of the 'trusted' network we seek to protect. I would define it thus: an untrusted network is any network you do not have the ability to control or manage. So (typically) an external client network is untrusted and a third-party service provider network is untrusted, but as for networks within the enterprise WAN, well, that all depends on whether they are controlled and managed, in other words whether they are secured to the same degree as the trusted network you seek to protect.

In the context of a WAN, we should not overlook that internal network security is part of a layered security approach, and that data in transit through the networks is also controlled logically at the application layer (access control) and perhaps even by encryption. However, this multi-layered security approach may not suit the needs and risk of internal network interconnectivity. Understanding where firewalls are required must start with assessing which networks are considered untrusted and which are considered trusted.

Some network environments won't be as simple as a pair of untrusted and trusted networks; however, they can still be logically defined in a levelled trust relationship model, allowing zones of trust within the network infrastructure. It's a bit complicated to explain fully in this post, but for example:
  • Network A: Network B & C are trusted (untrusted zone)
  • Network B: Network A is untrusted, Network C is trusted (trusted zone level 1)
  • Network C: Network A & B are untrusted (trusted zone level 2)

A network firewall device may not even be necessary to segregate networks, as a degree of network security adequate in comparison to a firewall can be provided by other network devices, for instance by creating Access Control Lists (ACLs) on a managed switch, and a router can be used to secure network traffic between networks.

Finally, firewall deployments and network layer security need to be tested and assured. I recommend regular firewall ruleset reviews; however, the most effective way is to test the security like a hacker or malware would, by performing regular network discovery and vulnerability scanning, which helps ensure firewalls continue to secure communications between trusted and untrusted networks as designed. Internal network discovery and vulnerability scans can even be a fully automated process using tools such as Outpost24's Hacker In A Box (HIAB).
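As an added example (not the post's own code or any vendor's tool), the following Python script applies two of the review points above, the rule sprawl from per-host rules and the regular ruleset review, to a constructed ruleset: it finds rules already covered by an earlier rule, summarises individual-host rules into ranges, and lists allow rules whose source lies outside the networks you manage, which is the post's definition of untrusted. The rule tuple format, the sample rules and the trusted network list are assumptions.

```python
"""Ruleset review helpers (added example; rule format is assumed, not vendor syntax)."""
import ipaddress
from collections import defaultdict

# Constructed sample ruleset showing the sprawl the post describes:
# individual host sources on one port, an exact duplicate, and a rule
# already covered by an earlier, wider rule. Tuple: (action, source, destination, port).
RULES = [
    ("allow", "10.1.0.0/24",    "192.168.50.10", 443),
    ("allow", "10.1.0.7",       "192.168.50.10", 443),   # covered by the /24 above
    ("allow", "10.2.0.0",       "192.168.50.20", 22),
    ("allow", "10.2.0.1",       "192.168.50.20", 22),
    ("allow", "10.2.0.2",       "192.168.50.20", 22),
    ("allow", "10.2.0.3",       "192.168.50.20", 22),
    ("allow", "10.2.0.1",       "192.168.50.20", 22),    # exact duplicate
    ("allow", "203.0.113.0/24", "192.168.50.30", 3389),  # source we do not manage
]

# Networks the enterprise controls and manages (constructed); anything
# else is "untrusted" in the post's sense.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def parse(rules):
    """Convert address strings to ip_network objects (a bare host becomes /32)."""
    return [(act, ipaddress.ip_network(src, strict=False),
             ipaddress.ip_network(dst, strict=False), port)
            for act, src, dst, port in rules]


def find_redundant(rules):
    """Indexes of rules fully covered by an earlier rule with the same action and port."""
    parsed = parse(rules)
    redundant = []
    for i, (act, src, dst, port) in enumerate(parsed):
        for act2, src2, dst2, port2 in parsed[:i]:
            if (act, port) == (act2, port2) and src.subnet_of(src2) and dst.subnet_of(dst2):
                redundant.append(i)
                break
    return redundant


def consolidate(rules):
    """Merge rules sharing action/destination/port into summarised source ranges."""
    groups = defaultdict(list)
    for act, src, dst, port in parse(rules):
        groups[(act, dst, port)].append(src)
    return [(act, str(net), str(dst), port)
            for (act, dst, port), srcs in groups.items()
            for net in ipaddress.collapse_addresses(srcs)]


def untrusted_sources(rules):
    """Allow rules whose source lies outside every managed (trusted) network."""
    return [(act, str(src), str(dst), port)
            for act, src, dst, port in parse(rules)
            if act == "allow" and not any(src.subnet_of(t) for t in TRUSTED)]
```

The eight sample rules reduce to three once duplicates and per-host entries are merged, and the one rule from an unmanaged source is the candidate for the trusted/untrusted review the post describes.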

Friday, 5 June 2015

Enviable Business Cloud Adoption & Cloud Security

I was quoted in an interesting discussion-type article on business cloud adoption at CIO.com:

How Line Of Business Is Driving The Move To The Cloud

I have picked out my quotes, which underline my view that IT and security functions must be agile and accommodating to the business's cloud wants, while the business in turn must be careful not to be so bamboozled by the efficiency and cost-saving gains, and all those sexy sales buzzwords, that they neglect the security question when procuring cloud services.

On Cloud Adoption
“Quite often businesses adopt cloud services outside the IT function, whether it is Sales using Salesforce or HR using LinkedIn for recruitment, or general staff using Dropbox,” said UK-based Information Security Expert Dave Whitelegg. “The traditional internal-facing IT department can be quickly left behind by buy-and-go cloud service adoption.”

On Cloud Security
“Cloud data security concerns should be addressed by IT carrying out due diligence and risk assessments with the cloud service provider, an approach often neglected when business departments decide to go commando and adopt cloud services on their own,” said Whitelegg.

However, he added that the onus should be on IT to move with the times and make sure solutions put forward by Line of Businesses (LOB) are properly considered.

“The IT function definitely needs to come down from the ivory towers, stop saying no and tune into the addressing the business requirements and the benefits cloud services can provide.”

Monday, 1 June 2015

Security Today - Cyber Information Security News Stream & Alerts Twitter Feed

I was an early adopter of Twitter, opening my @securityexpert account back in October 2008, and I have found Twitter to be an excellent tool for picking up and sharing information security news, articles, major breaches and critical vulnerability alerts. As well as making my own contributions I often retweet tweets of InfoSec interest, education and intrigue; however, I have always had a strict policy of never allowing my @securityexpert account to send any automated tweets: every tweet is manually sent or retweeted by yours truly. Once you go down that road the personal nature of the account goes. I recognise that many followers of the account are interested in the latest news, so with that in mind I have launched a new Twitter account to provide a more comprehensive and more regular stream of InfoSec news.

@securitytoday has been launched to tweet only cyber and information security related news and alerts. The account steadily tweets information/cyber security related news, articles and critical vulnerability alerts from a variety of sources. Most of the tweets are from a worldwide context, but the service also focuses on providing news and alerts from the UK InfoSec space. For example, it picks up specific UK cyber threats and incidents, and the latest news from the UK and European data protection legislation space.

If you are looking for a steady stream of cyber news, or wish to drop in for a snapshot of what's going on in the world of information security at any point in time, rather than security snippet tweets intertwined with what someone has eaten for breakfast, @securitytoday will be for you.

Follow @securitytoday and dive into a news stream of cyber / information security tweets at your convenience.