Tuesday, 15 October 2019

The Increasing UK Cyber Skills Gap

As organisations throughout the UK embrace Cyber Security Awareness Month, Intelligencia Training looks at why businesses are continuing to battle an increasing cyber skills gap.

Following an audit in 2018, the UK government recently announced plans to conduct its second audit into the state of the country’s cyber security workforce. The initial audit published last year found that more than half of UK businesses had a “basic technical cyber security skills gap”.

These findings didn’t come as a surprise. Intelligencia, whose qualifications consist of the UK’s highest levels of vocational training available in intelligence and the only cyber security awareness programme with an official UK Government regulated qualification attached, explain that many organisations are overlooking the key weakness in their security infrastructure: their staff.


With IT infrastructure becoming more robust and cyber threats from social engineering and spear phishing increasing, cyber security should be just as much the responsibility of the wider workforce, as it is those in IT and network security. Even more so when you consider that over 90% of successful cyber breaches are facilitated by human error and a lack of general cyber security awareness.

One report found that between April and June 2019, UK businesses faced an average of 146,000 attempted cyber-attacks.

So how do we counter the threat?
Intelligencia highlight that social engineering and phishing are responsible for over 85% of human error breaches and that businesses need to educate the wider workforce – the prime target for cyber criminals – to identify and prevent such attacks.

The specialist training provider further explains that while some have taken action on increasing cyber security awareness, the assessments and training used are commonly ineffective.

Many organisations fail to recognise the true sophistication of professional attacks and monitor awareness levels through generic assessments, such as mass phishing tests based on click-rate, and limit training to more traditional programmes, which often become outdated the moment a learner completes the course.

Learning and development shouldn’t end on course completion and providing staff with a sustainable solution to cyber security awareness in an ever-evolving landscape is key. New threats evolve daily and it is essential that awareness is sustained to minimise the risk of a breach.

About Intelligencia 'Cyber Stars' Training: Intelligencia Training are cyber security specialists that operate within both the public and private sectors. They continue to deliver the leading Cyber Stars Initiative to a wide range of high profile organisations to support them in increasing cyber security resilience.

For further information on the Cyber Stars Initiative, visit www.intelligenciatraining.com/cyber-stars or contact info@intelligenciatraining.com.

Monday, 14 October 2019

Network Security Observability & Visibility: Why they are not the same

Guest article by Sean Everson, Chief Technology Officer at Certes Networks

In today’s increasingly complex cyber landscape, it is now more important than ever for organisations to be able to analyse contextual data in order to make informed decisions regarding their network security policy. This is not possible without network observability. Organisations can now see inside the whole network architecture to explore problems as they happen. Observability is a property of the network system and should not be confused with visibility, which provides only limited metrics for troubleshooting.

With observability, organisations can make the whole state of the network observable and those limitations no longer exist. Observability provides the contextual data operators need to analyse and gain new and deeper insights into the network. This enables teams to proactively make more informed decisions to improve network performance and to strengthen their overall security posture because context is now available to troubleshoot incidents and make policy changes in real-time.

Unfortunately, observability is often miscommunicated and misunderstood, as visibility is repackaged by some vendors and sold as observability, when the two are not the same. Visibility and monitoring have an important role to play, but observability is different. Visibility and the metrics it provides limit troubleshooting, whereas observability provides rich contextual data to gain deeper insights and understanding based on the raw data collected from the network or system.

With research showing that the average lifecycle of a data breach is 279 days, it is clear that organisations are only slowly putting observability into practice and adopting ‘observability as a culture’. In the case of some well-known breaches, however, the timescales were much longer than that. The Marriott International breach, which was discovered in November 2018, saw hackers freely accessing the network since 2014. During this time, no unusual activity was detected and no alerts of the hackers’ access were raised.

Additionally, in the British Airways data breach in 2018, data was compromised over a two-week period, affecting 500,000 customers. This resulted in the Information Commissioner's Office (ICO) announcing that it intended to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).

These two examples alone demonstrate how essential it is for organisations to begin to value the ability to understand their systems and behaviour by making their network observable.

Understanding Observability
Simply defined, observability is a measure of how well something is working internally, concluded from what occurs externally. Observability is creating applications with the idea that someone is going to observe them with the aim of strengthening and making system access decisions. The right combination of contextual data can be used to gain a deeper understanding of network policy deployment and every application that tries to communicate across the network. With an observability capability, attackers will therefore have a hard time attempting to make lateral ‘east-west’ movements or remaining hidden in the data centre or across the WAN. In turn, observability can provide a global view of the network environment and visual proof that the security strategy is effective and working.

Unfortunately, it’s not uncommon for infiltrations to go undetected in networks for days, weeks or months. The longer infiltrations go undetected, the more vulnerable network systems become. To detect them effectively, all roles need to see inside the entire architecture. And, when this capability is built in, it is observability that enables greater insight into the overall reliability, impact and success of systems, their workload and their behaviour.

Conclusion
Research shows that companies who are able to detect and contain a breach in less than 200 days spend £1 million less on the total cost of a breach. That’s a figure no organisation can – or should – ignore. Organisations need a cyber security solution that can be measured and traced. Observability provides the contextual data so organisations can take measurable steps towards controlling system access in the network environment. With this type of observable analysis, organisations can gain deeper insights into how to enhance their security policy and detect unwanted access as it occurs.
Sean Everson, Certes Networks CTO

Wednesday, 9 October 2019

NCSC Cyber Essentials Scheme to be Streamlined

The UK National Cyber Security Centre (NCSC) Cyber Essentials Scheme is to be streamlined from 1st April 2020, with IASME named as sole partner.

It will become easier for UK businesses to protect themselves from the most common cyber-attacks as the UK government-backed cybersecurity scheme is streamlined.
  • The Cyber Essentials Scheme is supported by the UK government to help businesses guard against the most common cyber threats.
  • Over 30,000 UK businesses have gained Cyber Essentials certification since its launch in 2014 and this number is growing year on year.
  • Naming IASME as the sole Cyber Essentials partner will streamline and grow the Scheme and ensure it keeps pace with the changing nature of the cybersecurity threat.
Cyber Essentials Scheme launched in 2014

Since its launch in 2014 the Cyber Essentials Scheme has helped to protect over 30,000 UK businesses from the most common cyber-threats. NCSC and IASME are committed to growing the Scheme, recognising its role in helping to make the UK one of the safest places to live and do business online.

The Cyber Essentials Scheme was developed to protect organisations against low-level “commodity threats”. It focuses on the five most important technical security controls that businesses should have in place to prevent malicious attacks. These controls were identified by the government as those that, if they had been in place, would have stopped the majority of the successful cyber-attacks over the last few years.

The success of Cyber Essentials Scheme means that it remains at the heart of the UK Government’s National Cyber Security Strategy, but an extensive consultation process highlighted the need to evolve the Scheme.

Since its launch, Cyber Essentials has been delivered through multiple Accreditation Bodies and their respective Certification Bodies. In order to simplify the customer experience and improve consistency, the NCSC have appointed a single Cyber Essentials partner to take over running the Scheme from 1st April 2020. This will make the Scheme easier to run on a day to day basis and streamline the development process to ensure Cyber Essentials remains relevant. From now until 1st April 2020 the Scheme will be very much business as usual, with organisations able to gain accreditation from all five Accreditation Bodies.

The current Certification Bodies have been instrumental in the success of the Cyber Essentials Scheme. Existing Certification Bodies will be encouraged to apply to the new Cyber Essentials Partner to continue to provide Cyber Essentials as part of the revised scheme. The Scheme also welcomes new Certification Bodies or anyone from the cyber security industry interested in promoting the Scheme.

IASME Chief Executive, Dr Emma Philpott, MBE, said: “We are extremely excited about the prospect of working in partnership with the NCSC to develop and grow the Cyber Essentials scheme. We have seen such a positive effect already over the last 5 years where Cyber Essentials has increased the basic levels of security across all sectors. We are so pleased that we can be part of the future developments, working closely with the excellent Certification Bodies, trade bodies, police and other key stakeholders, to ensure further growth of the scheme.”

Anne W, NCSC Head of Commercial Assurance Services, added: “The NCSC is looking forward to working in partnership with the IASME team to ensure that the scheme continues to evolve and meet the cyber security challenges of tomorrow; a scheme that puts cyber security within reach of the vast majority of UK organisations.”

Thursday, 3 October 2019

UK Youngsters seeking to Win the European Cyber Security Challenge

This October, ten of the UK’s sharpest young cybersecurity minds will head to Bucharest in Romania to compete against teams from 20 countries across Europe in this year’s European Cyber Security Challenge (ECSC). Managed by Cyber Security Challenge UK and led by Team Captain Sophia McCall, the team has spent the summer training with NCC Group and honing their skills using Immersive Labs. Now, they’re ready to bring home gold.

Sophia McCall, UK Team Captain

Established in 2009, 'Cyber Security Challenge UK' is a non-profit organisation backed by some of the UK’s leading public, private and academic bodies with a longstanding mission to encourage more cybersecurity talent into the pipeline.

Cyber Security Challenge UK selects, nurtures and mentors young talent to build the UK team, and strives to include individuals with diverse backgrounds and experiences. The team, from across the UK, has a strong mix of different cyber skills and brings a broad range of experiences to the competition.
Cyber Security Challenge UK - helping to encourage new talent

In a sector facing an acute shortage of fresh talent, competitions like the ECSC are crucial as they allow competitors to meet industry leaders, network with peers from across the continent and get a taste for working in cybersecurity. By taking part, the team set themselves apart as outstanding individuals, equipped with the skills they need to pursue a career in the industry.

Run by ENISA, the European agency responsible for cybersecurity for the European Union, the ECSC is a three-day competition that challenges competitors to complete a series of security-related tasks from domains such as web and mobile security, reverse engineering and forensics. This year, the competition will be held in Bucharest, Romania from 9th to 11th October 2019.

Team Captain Sophia McCall: “I have the Cyber Security Challenge and my lecturers in college to thank for the fact I’m pursuing a cybersecurity degree. I had no exposure to cybersecurity when I was younger, so without them I may never have ended up in the industry. It’s now my passion to get other young girls and people from all backgrounds involved, and competitions like the ECSC are an incredible way to explore opportunities in the industry and find out if it’s the right career for you.”

Dr Robert Nowill, Chairman, Cyber Security Challenge UK: “Our mission is to be as inclusive as we can in order to increase the number of people entering the cybersecurity industry, and competitions like the ECSC are an integral part of our efforts to broaden the reach of cyber. We have always looked to encourage participation by those who may not otherwise have considered career pathways into cyber, and this year’s team represents an incredible mix of ages, genders and backgrounds. We’re already extremely proud of the team! They’ve been training hard all summer, and we can’t wait to see how they fare in Bucharest.”

Colin Gillingham, Director of Professional Services at NCC Group: “Our long-standing training partnership with the Cyber Security Challenge is part of our mission to increase diversity in cybersecurity. Our aim is to make society safer and more secure, but this will only be achieved when the industry is as diverse and representative as the society that we are working to protect. This year’s Team Captain, Sophia McCall, has just completed a placement year at NCC Group, and we’re delighted to have supported her as she blazes a trail for the female cyber professionals of the future.”

James Hadley, Founder and CEO at Immersive Labs, said: “We believe strongly that challenge-based training exercises are by far the best way for cybersecurity experts to keep themselves ahead of the latest threats. We’re delighted to be supporting the UK team with access to our on-demand and gamified cyber skills content. Their points haul from our CTFs and Malware Analysis labs has been particularly impressive. We wish the team every success not just as they head to Bucharest but in their bright futures as professional cyber defenders.”

Wednesday, 2 October 2019

Cyber Security Roundup for September 2019

Anyone over the age of 40 in the UK will remember patiently browsing for holiday bargains on their TV via Teletext. While the TV version of Teletext Holidays died out years ago with the arrival of the world-wide web, Teletext Holidays, a trading name of Truly Travel, continued as an online and telephone travel agent business. Verdict Media discovered an unsecured Amazon Web Services cloud server used by Teletext Holidays and was able to access 212,000 call centre audio recordings of conversations with its UK customers. The audio recordings were made between 10th April and 10th August 2016 and were found in a data repository called 'speechanalytics'. Businesses neglecting to properly secure their cloud services is an ever more common culprit behind the mass data breaches of late. Using cloud-based IT systems does not absolve businesses of their IT security responsibilities for what they host at their cloud service provider.

Booking Holidays on Ceefax in the 1980s

Within the Teletext Holidays call recordings, customers can be heard arranging holiday bookings and providing call-centre agents with partial payment card details, their full names and the dates of birth of accompanying passengers. In some call recordings, Verdict Media reported, customers' private conversations were captured while they were on hold. Teletext Holidays said they have reported the data breach to the ICO.

Separately, another poorly secured cloud server was discovered holding thousands of CVs originating from the Monster.com job-hunting website. Monster.com reported that the compromised CVs dated from between 2014 and 2017 and that the exposure was due to a 'third-party' it no longer worked with.

Wikipedia was the subject of a major DDoS attack, which impacted the availability of the online encyclopaedia website in the UK and parts of Europe. While the culprit(s) behind the DDoS attack remain unknown, Wikipedia was quick to condemn it, saying the attack was not just about taking Wikipedia offline: "Takedown attacks threaten everyone’s fundamental rights to freely access and share information. We in the Wikimedia movement and Foundation are committed to protecting these rights for everyone."

CEO Fraud
The BBC News website published an article highlighting the all too common issue of CEO Fraud, namely company email spoofing and fraud, which is costing business billions.

Criminals are increasingly targeting UK business executives and finance staff with ‘CEO Fraud’, commonly referred to as ‘whaling’ or Business Email Compromise (BEC) by cybersecurity professionals. CEO fraud involves the impersonation of a senior company executive or a supplier to social engineer fraudulent payments. CEO fraud phishing emails are difficult for cybersecurity defence technologies to prevent, as such emails are specifically crafted (i.e. spear phishing) for individual recipients and do not contain malware-infected attachments or malicious weblinks for cyber defences to detect and block.

Criminals do their research, gaining a thorough understanding of business executives, clients, suppliers, and even staff roles and responsibilities through websites and social media sites such as LinkedIn, Facebook, and Twitter. Once they determine who they need to target for the maximum likelihood of a financial return, they customise a social engineering communication to an individual, typically through email, but sometimes through text messages (i.e. smishing), over the phone, and even by postal letter to support their scam. They often create a tremendous sense of urgency, demanding immediate action to complete a payment while impersonating someone in the business with high authority, such as the MD or CEO. The criminal’s ultimate goal is to pressurise and rush their targeted staff member into authorising and making a payment transaction to them. Such attacks are relatively simple to arrange, require little effort, and can have high financial rewards for criminals. They also require little technical expertise, as email spoofing tools and instructions are freely available on the open and dark web. And thanks to the internet, fraudsters globally can effortlessly target UK businesses with CEO fraud scams.
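The traits described above (an executive's name on a message whose real sender or Reply-To sits outside the company, plus urgent payment language, with no attachment or link for a malware filter to catch) can be checked on the headers and text alone. The scorer below is an added example, not code from the original post or from any product it mentions; the organisation domain, executive roster, keyword list and both messages are constructed sample data.

```python
"""Heuristic scoring of inbound email for CEO-fraud / BEC traits.

Added example (not from the original post). It flags the indicators the
article describes: display-name impersonation of an executive, a sender or
Reply-To domain outside the organisation (or a lookalike of it), and urgent
payment language. Absence of attachments or links is expected for BEC, so it
never lowers the score. All names, domains and messages are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Assumed organisation domain and executive roster (constructed for the example).
ORG_DOMAIN = "example-corp.test"
EXECUTIVES = {"Jane Smith": "jane.smith@example-corp.test"}
URGENCY_TERMS = ("urgent", "immediately", "today", "confidential", "wire", "payment")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small distances indicate a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg: Message) -> str:
    """Concatenate text/plain parts (single-part messages return their payload)."""
    if not msg.is_multipart():
        return str(msg.get_payload())
    parts = [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"]
    return " ".join(str(p) for p in parts)


def score_message(raw: str) -> Dict[str, object]:
    """Return a score (number of indicators hit) and the reasons for each."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    reasons: List[str] = []

    # 1. Display name matches an executive but the address is not their mailbox.
    exec_addr = EXECUTIVES.get(from_name.strip())
    if exec_addr and from_addr.lower() != exec_addr:
        reasons.append(f"display name '{from_name}' does not match known mailbox {exec_addr}")

    # 2. Sender domain is outside the organisation, or a near-miss of it.
    if from_dom and from_dom != ORG_DOMAIN:
        if _edit_distance(from_dom, ORG_DOMAIN) <= 2:
            reasons.append(f"sender domain {from_dom} is a lookalike of {ORG_DOMAIN}")
        elif exec_addr:
            reasons.append(f"executive name sent from external domain {from_dom}")

    # 3. Reply-To diverts replies to a domain other than the From domain.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Urgent payment language in subject or body (two or more terms).
    text = (msg.get("Subject", "") + " " + _body_text(msg)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        reasons.append("urgency/payment language: " + ", ".join(hits))

    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed sample messages: one impersonation attempt, one routine internal note.
FRAUD_SAMPLE = """From: "Jane Smith" <jane.smith@examp1e-corp.test>
Reply-To: <jane.ceo@webmail.test>
To: finance@example-corp.test
Subject: Urgent wire transfer

I need you to process a payment today. Keep this confidential.
"""

LEGIT_SAMPLE = """From: "Jane Smith" <jane.smith@example-corp.test>
To: finance@example-corp.test
Subject: Board meeting notes

Notes from today's meeting are in the shared folder.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", FRAUD_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = score_message(sample)
        print(label, result["score"], result["reasons"])
```

A threshold of two indicators is a starting point for triage; in practice a score like this feeds a quarantine or banner decision alongside SPF/DKIM/DMARC results rather than replacing them.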

UK universities are being targeted by Iranian hackers in an attempt to steal secrets, according to the UK National Cyber Security Centre and the UK Foreign Office. The warning came after the US deputy attorney general Rod Rosenstein said: “Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries."

Security Updates
'Patch Tuesday' saw Microsoft release security updates for 78 security vulnerabilities, including 17 which are 'Critical' rated in Windows RDP, Azure DevOps, SharePoint and Chakra Core.

On 23rd September 2019, Microsoft released an ‘emergency update’ (Out-of-Band) for Internet Explorer (versions 9, 10 & 11), which addresses a serious vulnerability (CVE-2019-1367) discovered by a Google researcher and said to be actively exploited. The flaw allows an attacker to execute arbitrary code on a victim's computer through a specially crafted website, enabling the attacker to gain the same rights as the logged-on user and to infect the computer with malware. It is a particularly dangerous exploit if the user has local administrator rights, as in such instances an attacker gains full control over the user's computer remotely. This vulnerability is rated as 'Critical' by Microsoft and has a CVSS score of 7.6. Microsoft recommends that customers apply Critical updates immediately.

Ransomware
Research by AT&T Cybersecurity found 58% of IT security professionals would refuse to pay following a ransomware attack, while 31% said they would only pay as a last resort. A further 11% stated paying was, in their opinion, the easiest way to get their data back, and 40% of IT security professionals said they would outlaw ransomware payments altogether. It is clear from the latest threat intelligence reports that the paying of ransomware ransoms is fuelling further ransomware attacks, including targeted attacks on UK businesses.
Monday, 23 September 2019

Growing Cyber Threat Facing the UK Legal Sector

Guest Article by Andy Pearch, Head of IA Services at CORVID

Andy Pearch outlines one of the biggest cyber threats facing the legal sector, and steps that can be taken to save law firms from the devastating consequences.

Cyber crime is a growing concern for all businesses across every industry, and even more so for those who operate in vulnerable sectors, such as law firms. A threat report from the NCSC highlighted that 60% of law firms reported an information security incident in 2018, an increase of 20% from 2017.

Law firms, as with all modern day working practices, are heavily reliant on technology – the sheer amount of expected connectivity makes everyone vulnerable. Research reinforces the scale of the problem: in 2017, 60% of law firms reported an incident, but that’s only those who identified an issue. There has also been a significant 42% increase in reported incidents in the last five years. This could mean that either businesses are more aware and so are reporting cases, or cyber crime is on the rise. It's most likely a combination of both.

Facing Vulnerabilities
The legal sector is particularly vulnerable to cyber attacks due to the volume of data, sensitive information, financial responsibility and authority it holds. If a law firm specialises in corporate or property law, they are at greater risk, as the potential for financial gain is unprecedented. Although the main reason law firms are targeted is for financial gain, there is also a growth in cyber adversaries seeking political, economic or ideological goals.

Law firms are perceived to be an easy target – particularly smaller firms, as they don’t have the same resources as larger practices, but still hold significant funds. Also, they most likely have a small team managing their entire business infrastructure, with limited IT security resources available. It is often misconstrued that cyber security is the sole responsibility of the IT department, but the reality is that every department is accountable. Cyber security is part of the bigger information risk management picture, and requires emphasis from business leaders.

Not only do law firms and their clients have to consider the financial impact of a cyber attack, but reputational damage for their practice can be irreversible. Therefore, to ensure law firms are protected, they need to be aware of the consequences of a phishing attack.

Acknowledging Threats

Email is the main route in for cyber criminals. Phishing attacks can take the form of impersonation, intercepted emails and/or malicious attachments. The aim of threat actors responsible for these attacks is to coerce users into making a mistake, such as disclosing sensitive information, providing users’ credentials or downloading malware.

Unfortunately, not a single law firm – or any organisation, for that matter – is exempt from being the next victim of a cyber attack. Law firms need to take action and be prepared. When it comes to mitigating email compromise, law firms cannot expect employees to bear the burden of identifying threats, but instead must utilise the technology available to spot incoming threats as they arise.

The use of multiple detection engines and threat intelligence sources transforms email security and threat protection. Real-time fraud detection and content checking automatically highlight phishing and social engineering techniques, removing the burden from users and bringing a level of sophistication to current cyber strategies that is needed to keep today’s threats at bay. By automatically flagging potentially concerning emails – such as those attempting to mislead, harvest credentials or spread malicious elements – individuals can make fast, informed and confident decisions regarding their legitimacy.

Without doubt, impersonation attacks, payment diversion fraud and business email compromise attacks are on the rise, but there are robust solutions in place to mitigate the associated risks. There is no need for – and indeed no excuse for – passing the buck to the user community. There is an abundance of resources available to help law firms adopt a proactive cyber security mindset – notably, the threat report from the NCSC raises awareness and highlights specific safeguards that can be put in place.

It is time for the legal sector to take cyber security seriously. Failing to do so will only lead to devastating repercussions in the not-so-distant future. For a sector that is so protective of its reputation, every precaution should be put in place to keep it safe.

Monday, 2 September 2019

Cyber Security Roundup for August 2019

Twitter boss Jack Dorsey had his Twitter account hacked at the end of August, with hackers using his account to send a stream of offensive messages to his 4.2 million followers. It appears Jack was using his mobile phone to provide multi-factor authentication access to his Twitter account, a good solid security practice to adopt; however, it appears his Twitter account password and his mobile phone SMS service were both compromised, the latter probably due to either SIM card swap fraud (social engineering by the hacker) or an insider at his mobile network service provider.

A database holding over a million fingerprints and personal data records was exposed on the internet by Suprema, a biometric security company. Researchers at VPNMentor didn't disclose how they were able to find and access the 'Biostar 2' database, nor how long the data was accessible online. Biostar 2 is used by 5,700 organisations, including governments, banks and the UK Metropolitan Police. In a similar fashion, an independent researcher found a 40Gb Honda Motor Company database exposed online.

TfL took their Oyster system offline to 'protect customers' after a credential stuffing attack led to the compromise of 1,200 Oyster customer accounts. A TfL spokesman said 'We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.' I was also directly made aware that restaurant chain TGI Friday was also hit by a credential stuffing attack(s), after it urgently warned its UK customers of the importance of using strong unique passwords for its reward scheme.

It was another bumper 'Patch Tuesday', with Microsoft releasing security updates for 93 security vulnerabilities, including 31 which are 'critical' rated in Windows, Server 2019, IE, Office, SharePoint and Chakra Core.

Amongst the Microsoft patch release were patches for two serious 'BlueKeep'-style wormable vulnerabilities (of the kind exploited by WannaCry) in Windows Remote Desktop Services, CVE-2019-1181 and CVE-2019-1182. A Microsoft Security Response Center (MSRC) blog post said Microsoft had found the vulnerabilities as part of a project to make Remote Desktop Services more secure, and stated 'future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.' The fixes for these are available for download in the Microsoft Security Update Guide.

A United Nations report concluded North Korea funded its weapons programme to the tune of $2 billion from the profits of cyber attacks. 'Democratic People’s Republic of Korea cyber actors, many operating under the direction of the Reconnaissance General Bureau, raise money for its WMD (weapons of mass destruction) programmes, with total proceeds to date estimated at up to two billion US dollars,' the UN report said. The report referred to at least 35 instances of North Korean-sponsored cryptomining activity or attacks on financial companies and cryptocurrency exchanges. The attacks spanned a total of 17 countries and were designed to generate funds that would be hard to trace and would elude regulatory oversight.
Thursday, 8 August 2019

Cyber Security Roundup for July 2019

July was a month of mega data privacy fines. The UK Information Commissioner's Office (ICO) announced it intended to fine British Airways £183 million for last September's data breach, where half a million BA customer personal records were compromised. The ICO also announced a £100 million fine for US-based Marriott Hotels after the hotel chain said 339 million guest personal data records had been compromised by hackers. Those fines were dwarfed on the other side of the pond, with Facebook agreeing to pay a US Federal Trade Commission (FTC) fine of $5 billion to put the Cambridge Analytica privacy scandal to bed. And Equifax paid $700 million to the FTC to settle their 2017 data breach, which involved the loss of at least 147 million personal records. Big numbers indeed: we are seeing the big stick of the GDPR kicking in within the UK, and the FTC flexing some serious privacy rights protection punishment muscles in the US. All 'food for thought' when performing cybersecurity risk assessments.

Through a Freedom of Information request, the UK Financial Conduct Authority (FCA) disclosed a sharp rise of over 1000% in cyber-incidents within the UK financial sector in 2018. In my view, this rise was fuelled by the mandatory data breach reporting requirement of the GDPR, given it came into force in May 2018. I also think the finance sector was reluctant to report security weaknesses pre-GDPR, over fears of damaging customer trust. Would you trust and use a bank if you knew its customers were regularly hit by fraud?

Eurofins Scientific, the UK's largest forensic services provider, which was taken down by a mass ransomware attack last month, paid the cybercrooks' ransom, according to BBC News. It wasn't disclosed how much Eurofins paid, but it is highly concerning when large ransoms are paid, as it fuels further ransomware attacks.

A man was arrested on suspicion of carrying out a cyberattack against Lancaster University. The UK National Crime Agency said the university had been compromised and "a very small number" of student records, phone numbers and ID documents were accessed. In contrast, the FBI arrested a 33-year-old software engineer from Seattle, who is alleged to have taken advantage of a misconfigured web application firewall to steal a massive 106 million personal records from Capital One. A stark reminder of the danger of misconfiguring and mismanaging IT security components.

The Huawei international political rhetoric and bunfighting has gone into retreat. UK MPs said there were no technological grounds for a complete Huawei ban, while Huawei said it was 'confident' the UK will choose to include it within 5G infrastructure. Even the White House said it would start to relax the United States' Huawei ban. It seems something behind the scenes has changed; this reversal in direction is more likely to be financially motivated than security motivated in my rather cynical view.

A typical busy month for security patch releases, with Microsoft, Adobe and Cisco all releasing the expected barrage of security updates for their products. There were security updates released by Apple as well; however, Google researchers announced six iPhone vulnerabilities, including one that remains unpatched.


Thursday, 25 July 2019

Four Key Questions to ask following a Cyber Attack

Guest Article by Andy Pearch, Head of IA Services at CORVID

Cyber attacks are inevitable, but it’s how an organisation deals with them that can make or break their business. Have they got all the answers, and do they fully understand the implications? Can they be sure the attack won’t happen again?

Swift and comprehensive incident response is a critical step to ensuring the future security of a business and protecting its reputation. It’s not enough to be aware that an attack is taking (or has taken) place. There are four key questions organisations need to be able to answer following a cyber security breach – if a single answer is missing, the security team won’t have the full picture, leaving the business vulnerable to impending attacks. Not having this level of insight can also damage an organisation’s relationships with suppliers and affect customer confidence, as it means the business itself is not in control of the situation.

Andy Pearch, Head of IA Services at CORVID, outlines four key questions all organisations must be able to answer after a cyber attack.

1. How and where did the Security Breach take place?
The first step of an effective incident response strategy is to identify how the attackers got in. Quite simply, if an organisation misses this first crucial step, attackers will exploit the same vulnerability for future cyber attacks. Guesswork won’t cut it – any security professional can hypothesise that “it was probably an email”, but security teams need clear evidence so they can fully analyse all aspects of the problem and devise an appropriate solution.

2. What Information was Accessed?
Understanding specifically what information was accessed by the attacker is paramount to knowing what impact the attack will have on the organisation. Identifying which departments were targeted or what types of information might have been stolen isn’t good enough; organisations need to be able to articulate exactly which files were accessed and when. 

Headlines about attackers stealing information are common, but just as importantly, you need to know the scope of the information they’ve seen, as well as the information they’ve taken. Not only will this inform the next steps that need to be taken, and shed light on which parts of the business will be affected, but it will also enable the organisation to remain compliant with legal obligations, for example, identifying if a data breach needs to be reported under GDPR.

3. How can Systems be Recovered Quickly?
Organisations will understandably want to get their IT estate back to normal as soon as possible to minimise damage to their business, service and reputation. If the compromise method is identified and analysed correctly, IT systems can be remediated in seconds, meaning users and business operations can continue without downtime for recovery.

4. How do you prevent it from happening again?
Knowing the IT estate has been compromised is useless without taking steps to make sure it doesn’t happen again. Managed Detection and Response (MDR) is all about spotting the unusual activity that indicates a potential breach. If a user is accessing files they would never usually touch, sending unexpected emails or reaching out to a new domain, for example, such activity should prompt a review. The problem for most companies, however, is they lack not only the tools to enable such detection, but also the time and skills to undertake thorough analysis to determine whether it is a breach or a false positive.

A managed approach not only takes the burden away from businesses, but also enables every company to benefit from the pool of knowledge built up as a result of detecting and remediating attacks on businesses across the board. With MDR, every incident detected is investigated and, if it’s a breach, managed. That means shutting down the attack’s communication channel to prevent the adversary communicating with the compromised host, and identifying any compromised asset which can then be remediated.
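The kind of baseline departure the MDR paragraphs above describe (a user touching a file, emailing a recipient or resolving a domain they have never touched before), shown as an added example that is not the article's or CORVID's code; all users, paths, addresses and domains are constructed sample data:

```python
# Added illustration of baseline-vs-review detection; not the article's or CORVID's code.
# Every user, file path, recipient and domain below is constructed sample data.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: str      # ISO timestamp (constructed)
    user: str
    kind: str    # "file", "email" or "dns"
    target: str  # file path, recipient address or domain

# Constructed learning period: what each user normally does.
BASELINE = [
    Event("2019-07-01T09:02:00", "alice", "file", "/finance/q2-forecast.xlsx"),
    Event("2019-07-01T09:10:00", "alice", "dns", "sharepoint.example.com"),
    Event("2019-07-02T11:30:00", "alice", "email", "bob@example.com"),
    Event("2019-07-01T08:45:00", "bob", "file", "/eng/build.log"),
    Event("2019-07-01T08:50:00", "bob", "dns", "git.example.com"),
]

# Constructed review window: mostly routine, with a few departures.
REVIEW = [
    Event("2019-07-24T09:05:00", "alice", "file", "/finance/q2-forecast.xlsx"),
    Event("2019-07-24T09:07:00", "alice", "file", "/hr/payroll-export.csv"),
    Event("2019-07-24T09:09:00", "alice", "dns", "update-cdn.example.net"),
    Event("2019-07-24T09:11:00", "alice", "email", "external@example.org"),
    Event("2019-07-24T08:40:00", "bob", "dns", "git.example.com"),
]

def build_baseline(events):
    """Map (user, kind) -> set of targets that user touched in the learning period."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.user, e.kind)].add(e.target)
    return seen

def find_departures(baseline, review):
    """Return review events whose target the user never touched in the baseline."""
    # A hit is a candidate for analyst triage (breach or false positive), not a verdict.
    hits = []
    for e in review:
        if e.target not in baseline.get((e.user, e.kind), set()):
            hits.append(e)
    return hits

if __name__ == "__main__":
    for hit in find_departures(build_baseline(BASELINE), REVIEW):
        print(f"{hit.ts} {hit.user}: new {hit.kind} target {hit.target}")
```

A user absent from the baseline entirely has every review event flagged, which is the intended behaviour for a newly seen account.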

Shifting Security Thinking
Clearly, GDPR has raised awareness that the risks associated with a cyber attack are not only financial, as hackers are actively seeking to access information. Security plans, therefore, must also consider data confidentiality, integrity and availability. But it is also essential to accept the fundamental shift in security thinking – protection is not a viable option given today’s threat landscape. When hackers are using the same tactics and tools as bona fide users, rapid detection and remediation must be the priority.