Sunday, 2 October 2016

Cyber Security Roundup for September 2016

The theft of over half a billion Yahoo user accounts by hackers has dominated the news headlines in the last couple of weeks. Since announcing the largest hack in history, Yahoo has come in for heavy criticism, given it took two years for Yahoo to notice the massive data theft, talk of lacklustre security behind the scenes at the company, and doubts over Yahoo’s claims the cyber attack was state-sponsored. Lawyers representing users, the US Senate and the UK ICO have all lined up to take pop-shots at Yahoo and are threatening action.  I posted known Yahoo hack information and advice, and Yahoo hack industry analysis

Interesting example of Hacktivism after a Russian group called "Fancy Bears" hacked and released the World Anti-Doping Agency medical records of prominent British and American Olympic athletes. The motivate appears to be a revenge protest aimed at causing embarrassment to medal winning Western athletes following the banning of several Russian athletes at the recent Rio Olympic games for banned sport enhancing drug use. The posted stolen records showed western athletes had taken a variety of banned drugs for legitimate reasons and conditions, which all were approved by the Anti-Doping Agency. Fascinating case for both athletics and data protection worlds, as even athletes in the public eye still have a right to privacy, especially when it concerns information about any medical conditions they have.

UK payment card fraud has risen by 53% over the last 12 months. The shock increase was blamed on scammers using more sophisticated attack methods. This spike in payment card fraud certainly would have been noted by the UK National Cyber Security Centre (NCSC), as it gears up to launching next month. The NCSC is part of the UK government’s £1.9 billion investment plan to beef up the UK’s cyber security capabilities over the next 5 years.

There is an interesting video webinar posted this month, which reviews the $81 million SWIFT Bank Hack by the company that investigated it. It concludes with the SWIFT Bank investigators firmly pointing the finger of blame at weak endpoint security at the bank. Elsewhere the Locky Ransomware continues to be evolved by hackers seeking to make their fortune out of the nefarious tool.

On Tuesday 27th September I spoke at the R3 Summit (Resilience, Response and Recovery) in London, and summarised my advised approach with cyber incident management in a blog post the following day - Cyber Security Incident Management, Response and Recovery Guidance

Awareness, Education and Intelligence

Wednesday, 28 September 2016

Cyber Security Incident Management, Response and Recovery Guidance

Yesterday I spoke at the R3 Summit (Resilience, Response and Recovery) in London, on the topic of Cyber Security Incident Management and response. Given the Q & A and the ensuing discussion after my talk, the attendees were particularly interested in my views on incident containment ahead of recovery. Below is a summary of what I said.

Step 1: Incident Management Planning and Preparation
The most crucial part of incident management is the preparation, it is important to always consider cyber security incidents as a ‘When’ not an ‘If’ as you plan ahead. So here’s my ‘brain dump’ of an incident management planning strategy:

  • A company Cyber Security Incident Management Policy
    • It must define what the company (aka the board) consider as a cyber security incident
  • Cyber Security Incident notification communications channel or even better a reporting application/system
    • Upon identifying an incident who do staff notify (the incident management team)
    • Staff awareness of how to detect and report incidents is a key element.
  • Verify the ability to detect incidents, not just IT system alerts, but human side (staff)
  • Document the Incident Management Team and Response Plan
  • Incident Management Team
    • A pool of contacts with responsibility or expertise covering every possible type and aspect of a cyber security incident
    • An Incident Management Team will be assembled based on what’s required for specific cyber security incident types
      • Note. Every team member must play an active part or not be in the team
    • Communication plan i.e. document team member phone numbers and a have dedicated incident management telephone conference call line
      • Do not rely on computer IT systems like email (what if they are taken down)
    • Tools (forensics) and an ability to IT access systems and logs (to investigate and obtain incident facts)
  • Business Risk Assessment
    • The business critical services must be risk assessed, so the business impact of any incident can be known and understood by the incident management team
  • Cyber Threat Assessment
    • Performing a cyber threat assessment against critical business services, aside from possible risk mitigation, threat assessing enables various cyber attack scenarios to be documented and incident response planned for and tested. Threat assessments can play a key role in helping the cyber security incident management teams prepare for incidents.
  • Test the Cyber Security Incident Management Plan regularly. (at the very least annually)
    • Use different attack / breach scenarios
  • Always keep Incident Management Team documentation up to date (at least a quarterly review of documentation)
Step 2: Incident Identification
Upon initially identifying a cyber security incident, the very first question to answer is; what is the actual or potential business impact of the incident? On the face of it this can be a difficult question to answer, as the facts tend to be rather scant upon initial incident identification. However, the worse case scenario, the potential business impact, must be regarded as the actual business impact until facts are presented, through incident investigation, to prove otherwise. For example, take an online database holding 10,000 user accounts, in the space of a few hours, 20 users report via the company helpdesk that their accounts have been hacked into. Without further facts it should be assumed the entire database, all 10,000 user accounts, are compromised. This should remain the case until further facts are established to disprove which accounts have been and not been compromised. Cyber security incident investigations can take weeks to complete, and may never reach a conclusive finding on the scope of IT system or data compromise, in which case the worst case scenario must remain adopted.

Step 3: Incident Containment
Once the actual or potential business impact is understood, the next thought should be to contain the incident. The objective of containment is to limit the business impact of an incident. This is where the preparation work and the identification stage in knowing the business impact comes into play, if the potential cost and reputational damage caused by an incident, is greater than taking down business services over a period of time, then the correct business decision is to pull the plug on the service. So incident recovery may have to take a back seat for a while in order to protect the business’s overall interests. If this means pulling a plug on a busy ecommerce website, or downing an entire company network, if this course of action is the lesser of the two evils in terms of business impact, it is always the correct decision to take. Judging the business impact in knowing how long business systems need to remain down depends on Step 4.

Step 4: Incident Investigation and Forensics
As most cyber security incidents involve law breaking, whether external hackers or internal disgruntled staff, your servers and infrastructure must to be regarded as a crime scene, and so processed accordingly. There is always forensic data to collect, which may hold vital clues to the incident cause and scope, often these data clues are volatile, and can be lost if not collected quickly and correctly. Therefore any investigation and forensics work must be performed by an appropriate qualified internal or third party, while ensuring there is a legal ‘chain of custody’, in case either criminal or civil action occurs down the line. The amount of time to engage and complete computer forensic investigations can be significantly reduced, if you plan for them as part of the incident management preparation (step 1). If you do not have any qualified resource within your organisation, I recommend arranging to have a third party provided external computer forensic investigator on a retainer; typically they will provide a 4 hour call out response time.

Aside from the potential court room battles, the other primary reason to perform a proper forensic investigation is to establish the facts of an incident occurred. Without knowing the detailed facts of just how the breach occurred, you cannot know whether restored systems (step 5) will be still vulnerable or not. For example if you intend to restore systems from a backup, how do you know which backup is compromised or still vulnerable? It is imperative you know exactly when and how a cyber security incident occurred before engaging a recovery process, as in repeating an incident. there can be significant business impact, especially reputationally.

Step 5: Incident Recovery
Only once the facts of the incident are fully known, can you ensure eradication of the incident vulnerabilities and/or malware, and confidently recover systems and business services.

Step 6: Learning the Lessons
The final stage of cyber security incident management, and arguably the second most important step after the incident management preparation, is ensuring the business learns lessons from incidents. This is a healthy way to improve the business security posture, and there is nothing worse than repeating an incident.

Friday, 23 September 2016

Yahoo Megabreach Industry Analysis

Today I received several interesting cyber security expert views on the Yahoo breach following my blog post yesterday - Yahoo, The Largest Data Breach in far, 

Broken Security Model?
Paul German, VP EMEA at Certes, a specialist in cyber security and encryption, believes the Yahoo hackers were able to steal such vast amounts of account data due to a problem with the cyber security model of 'Protect, Detect and React'. Specifically the time in detecting the protection had been overcome. In Yahoo's case this time lag appears to be months and possibly even years, which allowed the hackers plenty of time to scout around the inside network undetected and extract such huge amounts of data out. To counter this lag, Paul suggests any potential hacker access to the data should be contained, I'm guessing by cranking down on data access control. Here's his full comments below.

“The problem lies in the face that once hackers cross a company’s carefully laid out cyber defences, the network, and the treasure trove of data within it, is their oyster. Moving laterally, they are able to siphon off huge swathes of valuable information difficulty until they are detected, often months after the initial breach.

“The problem lies in the current cyber security model which takes a, ‘protect’, ‘detect’, ‘react’ approach. There is a significant lag between the protection being sidestepped and the criminal being detected. Currently this leaves a hacker free rummage through a company’s most sensitive data, wreaking havoc. There is a fundamental step missing – at whatever point a hacker enters a network they must be contained, restricting the data they can access and the damage they can inflict before they are detected.  

“Most businesses now see a security breach as a ‘when’ rather than an ‘if’ situation, and it is vital that they take steps limit the damage and protect the data of thousands, if not millions of consumers.” Paul German, VP EMEA at Certes.

I think Paul raises a fair point on breach containment, but that is easier said than done in reality, as information is typically a lifeblood of business services, so needs flow and be accessible by the business systems and customers, so can be difficult to restrict within its trusted zone. I do agree Paul's view that a security breach should be regarded as a 'when' not an 'if', business should have a proven incident management plan which reflects that.

In better detecting security breaches, businesses should invest more in a combination of technology, business management processes (i.e. risk & cyber threat assessments) and staff awareness to improve breach detection capabilities. In addition investing in an external cyber threat intelligence service adds another string to the data breach detect bow, with such services able to spot when cyber criminals peddle stolen company data on the dark web. Remember it is believed Yahoo first learnt of their data breach following reports of a hacker trying to sell 200M Yahoo accounts on the dark web, which is said to have sparked their investigations.

Jamie Graves Ph.D, co- founder and CEO of Cyber Security company,, focused on the sophistication of the attack, given Yahoo's claim that it was compromised by a nation state.

A National State Attack?
“Yahoo claims that it was compromised be a nation state, which means that a hacking team with the resources of a government had penetrated their defences. This type of attack is often difficult to defend against, and a number of other well defended organisations have fallen victim to this type of attack."

“Although the size of the breach is staggering, what has stunned the industry most is the fact that it has taken Yahoo 2 years to disclose. In this time, a great deal of additional harm will have occurred to the comprised accounts ranging from account hijacking through to identity theft and fraud. 

“The Yahoo attack highlights the reason why good detection capabilities, aligned with laws that force this form of disclosure in a short period, such as the GDPR, are crucial to help protect personal information. Furthermore, organisations must not only have rigorous Cyber Security measures in place but also a disaster recovery plan to respond immediately to a breach if the, sometimes, inevitable occurs.” Jamie Graves Ph.D, co- founder and CEO of Cyber Security

I am yet to be convinced this data theft was conducted by a nation state, and here's why. Nation state email account attacks tend to be targetted to email accounts, not entire email accounts on mass, and the fact that a large chunk of the Yahoo stolen email account data was attempted to be sold on the dark web doesn't fit the nation state MO either, but hacker(s) trying to monetise from the attack. 

There have been countless occasions where companies blamed data breaches on highly cyber sophisticated attacks by teams of super hackers, for it to be later confirmed as being conducted by a schoolkid script kiddie taking advantage of 12 year SQL injection vulnerability. The TalkTalk breach PR comes to mind in this regard. I have no reason to think Yahoo's security posture is poor, but without them explaining the attack methodology and presenting evidence to back up their nation-state attack claim, and there should always be evidence if they are decent at security, I will remain highly sceptical of the nation state claim.

Yahoo, The Biggest Cyber Data Theft in far

Yahoo have just disclosed over 500 million of its user accounts have been compromised, that's a huge number, think about it for second, that's half a billion people across the globe affected and at risk. This is largest known data breach in history to date. We know the Yahoo account data were stolen in late 2014, said the hack is said to have been orchestrated by state-sponsored actors, although there's no evidence to back this claim up.

Yahoo has not disclosed how the data was hacked, or why it has taken almost two years to either discover the breach or disclosure the breach publically. A cynic might say Yahoo delayed informing its massive user base until after it's recent £3.7 billion sale to Verizon was done and dusted. However in late July 2016 hackers were found offering 200 million Yahoo accounts for sale on the dark web (, so it is likely the 2014 data theft was discovered on the back of investigating that.

The stolen Yahoo account data included names, email addresses, telephone numbers, dates of birth, and security questions and answers. Surprisingly a chunk of the security questions and answers were not encrypted by Yahoo. I always recommend companies treat the protection of account security questions and answers at the same degree as account passwords, given they can be typically used just like a password access an account via a password reset function, including accounts used with other websites. This is especially important on email accounts, as often that is where the password reset links are sent as part of the password reset process.

Advice 1: Reset Your Yahoo Password
Yahoo stated account passwords were stored as a hashed value using bcrypt. That's good practice, especially in using bcrypt. However my advice is to play it safe and reset the password, it's good practice to change your password regularly anyway. And if you use that same password on any other websites, change it there too. 

Advice 2: Change Your Security Questions and Answers
Yahoo users should change their security question and answers, click here to do this on the Yahoo website. If users use the same Yahoo security questions and answers on other accounts, they also need to be changed, especially where they can be used to reset passwords and/or gain access to the account. Sure this will be a difficult task to check and complete, but Yahoo users should assume their Yahoo 'security questions and answers' together with their name, email address and date of birth, are known by cyber criminals.

Advice 3: Be Extra Vigilant
Yahoo users should be extra vigilant for phishing scam emails, which may be crafted using the stolen Yahoo personal information to look highly authentic. Also check for any suspicious activity in the email account, especially any signs that someone else has been using it.

Sunday, 4 September 2016

Cyber Security Roundup for August 2016

The fallout from massive data breaches in recent years continued to dominate the August headlines. Dropbox enforced password changes for 68 million users after accounts as a result of the 2012 Dropbox breach, when a Dropbox employee stole a load of account details. Meanwhile over 200 million Yahoo user credentials were found up for sale on the dark web. The large user account data breaches didn’t stop there; several large online user forums operating on vBulletin were found to be vulnerable and compromised with SQL injection attacks, leading to the theft of millions of forum user account details.

Ransomware continues to plague all industries, especially the UK health sector, with half of all NHS Trusts confirming ransomware infiltrations. The Locky ransomware continues to be updated by cybercriminals, making the malware much harder for anti-virus software to detect and prevent.

Finally a report by ‘Cybersecurity Ventures’ predicts a Cyber-Apocalypse, estimating that cybercrime will cost the world in excess of £4.5 trillion annually by 2021.

Awareness,Education, and Intelligence

Monday, 1 August 2016

Cyber Security Roundup for July 2016

In July there were several reports affirming the continued escalation of Cybecrime in the UK, with the National Crime Agency (NCA) including cybercrime in its crime statistics for the first time, confirming there were more incidents of cybercrime than physical crime in the UK. NCA concluded that UK businesses and law enforcement were losing a “cyber arms race” with online criminals. The Information Commission’s Office (ICO) highlighted the UK Health and Local Government as the worse industries for data protection, accounting for 41% of data breaches reported to the ICO in Q1 of this year. 

The EU approved “EU-US Privacy Shield” as a replacement for ‘Safe Harbor’, however there is speculation this is merely a temporary fix, as the EU data protection committee, Working Party 29, raised concerns with the Privacy Shield agreement, which they intend to address in 2017.

BT's broadband outages in July has led to concern about the resilience of the UK's national digital infrastructure to cyber attacks.

In the games industry Pokemon Go dominated the gaming industry and cyber security headlines, with many gamers running into personal cyber security issues in their attempts to play Pokemon Go ahead of its official UK launch in mid July. Gamers were duped into downloading malicious versions of the game, and there were reports of gamers having account credential compromises as a result of signing up with dubious game downloading websites. A hacking group also claimed to had taken down the Pokemon Go servers for several hours with a DDoS attack. In other games industry news Clash of Kings and Warframe account credentials were reported to have been compromised on mass via a support forum.

There was plenty of speculation and evidence of a 'cold war' Cyberwarfare escalation, with reports of hacks against democratic (Clinton) groups in the US presidential race, and reports of large scale and 'professional' cyber attacks hitting Russian government agencies.


Monday, 4 July 2016

Cyber Security Roundup for June 2016

Before Brexit (Why Brexit will be Business as Usual for Cyber Security & Data Protection in the UK) dominated the UK parliament agenda, a Commons Committee lambasted the Information Commissioner’s Office for not acting tough enough with TalkTalk in regards to their data breach earlier this year. 

The UK parliament also passed the controversial ‘Snoopers Charter’ bill this month.

For the fourth month in a row Adobe and Microsoft released critical patches to fix zero day exploited flash vulnerabilities. 

A spate of tech company chiefs had their twitter accounts hacked, including Facebook’s Mark Zuckerberg, who was also spotted on an Instagram picture with tape covering his MacBook's webcam.

The Ransomware epidemic continues to make headlines and cause issues across all industries, this month saw concern over a new strain of ransomware called RAA, which executes only using JavaScript. 


Friday, 24 June 2016

Why Brexit will be Business as Usual for Cyber Security & Data Protection in the UK

So it actually happened, they have gone and done it, its shocked the world, the UK populous have voted to leave the European Union today. Now what? Well we'll have to just get on with it and starting thinking how Brexit will impact Cyber Security and Data Protection in the UK from here on in. 

I didn't post a word on Brexit despite being asked numerous times during the "debating" season, or as we in the security industry call it, FUD!.  But now its done and dusted, here are my thoughts, which as always on this blog, are completely my own.

Cyber Security Defence
The UK is a significant player in the international cyber threat intelligence community, although a highly secretive business, the “snooping” documents leaked by Edward Snowden demonstrated how closely GCHQ works with their American counterpart agencies. When it comes to the business of protecting the UK’s critical national infrastructure, economy and businesses from cyber attacks, NATO membership trumps the EU membership every time. So I don’t believe UK citizens should be too concerned that Brexit will significantly weaken the UK’s cyber defence posture. I also don’t see that UK security agencies and services ties being cut with their European counterparts any time soon, given the common terrorist, criminal gangs, and cyber threats European countries share.

Privacy and Data Protection
Privacy is a fundamental right for all European Union citizens, and to address this right in the digital space, the EU have devised the General Data Protection Regulation (GDPR). The GDPR is a top to tails overhaul of Europe's current Data Protection Directive (law), upon which EU member states data protection laws is based, including the UK’s Data Protection (Act) law. Europe’s existing data protection legalisation is well past its sell by date, it was drafted without any knowing or consideration of social networking, borderless cloud services, and colossal personal data collection and mining. Yet despite desperate need for digital privacy protection legalisation in Europe, the GDPR has been held up by Brussels’ bureaucratic red tape for far too many years, and it has only recently made it an agreed final draft, which is due to come into European Union law in May 2018.

The GDPR applies not just each EU member state, but any business or organisation from countries outside the European Union which stores and/or process EU citizen’s data. So from the UK perspective, despite the uncertainty caused by Brexit, my advice is for UK businesses to assume the GDPR is still going to apply, and to continue preparations to be compliant by May 2018.

Why UK will still need to comply with GDPR

I believe it is highly likely that the UK government (executive) will adopt the GDPR into UK law despite Brexit, or at the very least the vast majority of the GDPR requirements. The EU is likely to insist on the UK replicating the GDPR in law as part of the trade negotiations. Given many businesses in the UK will store and/or process EU citizen data, they still have to comply with GDPR regardless of Brexit or even client contract clauses. Finally it would be extremely emotive and controversial if UK companies were to treat and regard UK citizen privacy and personal data at a lesser degree to that of ‘foreign’ EU citizens. So I do fully expect it to be business as usual in UK on the data protection front despite Brexit.

Tuesday, 31 May 2016

Cyber Security Roundup for May 2016

The business impact of under investing in IT security was felt by TalkTalk, their profits were halved after 160,000 customers walked away from using the company’s services following their recent high profile data breach. TalkTalk received wide criticism for poorly handling their customer data breach which further damaged TalkTalk's reputation with customers. 

Hugh volumes of stolen user credentials taken from the likes of LinkedIn, Tumblr and MySpace were dumped onto the dark web. 

Spear phishing continues to be a problem across all industries, with one attack costing the job of a CEO and CFO at a German aircraft company. 

The ICO publicly fined two NHS trusts and the Kent police following personal data breaches. One ICO £185,000 fine was due an emailed newsletter, the email “to” field displayed the email addresses of individuals infected with HIV to all recipients of the newsletter email. An issue simply prevented by using the BCC field instead of “To” or “CC”. 

Ransomware continues to be a major evolving problem, with new strains of the malware such as Petya detected, and existing strains such as CryptXXX receiving updates.