Posts

Showing posts from 2017

Scan your app to find and fix OWASP Top 10 - 2017 vulnerabilities

Following the updated release of OWASP Top Ten (2017) , I have updated my IBM developerWorks article " Scan your app to find and fix OWASP Top 10 - 2017 vulnerabilities ", which was released  on the  IBM Developer Works website  today

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen . Uber revealed around 2.7 million of the stolen records were British riders and drivers . As a UK Uber rider, this could mean me, I haven't received any notification of the data breach from Uber as yet.  The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond, the UK Information Commissioner's Office (ICO) said it had " huge concerns " about the breach and was investigating. Jewson , Cash Converters , and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of persona...

Cyber Security Roundup for October 2017

State-orchestrated cyber attacks have dominated the media headlines in October, with rogue state North Korea and its alleged 6,800 strong cyber force blamed for several cyber attacks. International intelligence scholars believe the North Korean leadership are using cyber warfare to up the political ante with their ongoing dispute with the United States. The North Koreans, as well as terrible security practices, were directly blamed by the UK National Audit Office for the recent  NHS WannaCry attack  ( despite North Korea denying it ). North Korea was also reported to be implicated in the  stealing US War Plans from South Korea , and for a spear phishing campaign against the US Power Grid . The possible Russian manipulation of the US election with cyber attacks and rogue social media campaigns is still a story not going away, while the Chinese are alleged to be behind the data theft of  Australian F-35 fighter jet, in what is described as an 'extensive' Cyberattack ....

How to start a Career in Cyber Security

Image
I received an infographic by  cybersecurityjobs.net  on the top ten tips on landing a cyber security job, I  thought it provided excellent advice for budding cyber security professionals looking to gain a foothold.  There is a considerable shortage of experienced cyber security professionals in the UK, but starting out in cyber security is a 'chicken and egg' scenario, in that it can be difficult to land a cyber security job without having the experience, but you can't get the necessary experience without being in a dedicated cyber security role.  If you are struggling to get into the industry I recommend initially specialising in a specific area of security, undertake training and gain qualifications. Be patient, expand upon your areas of knowledge and experience, working your way up in different roles to your dream cyber security job. Dream big, but think small.

Krack WiFi Attack: Vulnerabilities in WPA2 Protocol

All Wi-Fi connections are potentially vulnerable to a newly discovered security attack called "Krack", which allows an attacker to listen in on internet traffic (a Man-in-the-Middle Attack) over a wireless network.  In theory, a hacker could read your web and email communications, and even inject malware like ransomware onto your device. Krack takes advantage of unpatched Apple, Android, and Windows operation systems, while unpatched Wi-Fi access points can be manipulated to orchestrate the man-in-the-middle attack. The sky is not falling in on WiFi, this is not like the WEP protocol situation of many years ago, WEP is a security protocol fundamentally flawed by design, WPA2 encryption is not broken, the software that uses it needs to be corrected to secure it. Wireless Access Points (APs) and operating systems that use WPA2 are (or soon will be) patchable, which protects them from this attack. For a video demo of the attack see -  https://www.krac...

Cyber Security Roundup for September 2017

A massive data breach at Equifax dominated the UK media finance headlines this month, after 143 million customer records were compromised by a cyber-attack, 400,000 of which were UK customer accounts. Hackers took advantage of Equifax’s negligence in not applying security updates to servers. The data breach has already cost the CEO, CIO and CISO their jobs. In the UK Equifax faces investigations and the prospect of significant fines by both the Financial Conduct Authority and the Information Commissioner's Office over the loss of UK customer financial and personal data respectively. Hackers stole a quarter of a million Deloitte client emails , follow the breach Deloitte was criticised by security professional for not adopting two-factor authentication to protect the email data which they hosted in Microsoft’s Azure cloud service. September was an extremely busy month for security updates, with major patches releases by Microsoft , Adobe , Apache , Cisco and Apple to fix a...

Science of CyberSecurity: Latest Cyber Security Threats

As part of a profile interview for  Science of Cybersecurity  I was asked five questions on cyber security last week, here's question 5 of 5. Q. What keeps you up at night in the context of the cyber environment that the world finds itself in? The growing dependence and integration of connected computers within our daily lives, means we are embarking on an era where cyber attacks will endanger our lives. Networked and complex IT systems are inherently insecure, meaning it is open season for nation-states, cyber terrorists and the curious to attack these life integrated emerging technologies, from driverless cars and countless new home IoT devices. I fear it will only be a matter time before a cyber attack causes human harm or even loss of life. The impact of the recent NHS ransomware attack serves as a warning, this cyber attack directly caused the closure of accidental and energy departments and the cancellation of operations. The future threats posed arti...

Science of CyberSecurity: What Cyber Security Blogs to Follow

As part of a profile interview for  Science of Cybersecurity  I was asked five questions on cyber security last week, here's question 4 of 5. Q. Do you recommend a particular cyber security blog that our readers could follow? Of course, my own  IT Security Expert Blog , and my Twitter accounts  @SecurityExpert  and  @SecurityToday  are well worth following.  My two favourite blogs are  Bruce Schneier’s blog , Bruce is a true rock star of the industry, and  Krebs on Security blog  is also an excellent read, Brian provides the behind the scenes details of the latest hacking techniques and data breaches, and pulls no punches with his opinions. Both these bloggers have books that are a must read for budding cyber security professionals as well.

Science of CyberSecurity: Where to get CyberSecurity Science

As part of a profile interview for  Science of Cybersecurity  I was asked five questions on cyber security last week, here's question 3 of 5. Q. Where do you go to find your “science” of cybersecurity? While cyber security controls appear simple to follow in policy statements and best practice guides, the reality is they are not always easy to implement across diverse organisations. When attempting to resolve complex security problems it can be easy for security professionals to lose sight of the goal of cyber security. To keep clarity, I think it helps to strips away the technology from the problem, and learn the security science and lessons from history.  So reading military strategy books like Sun Tzu’s “The Art of War” can improve how you think about and assess the cyber adversaries facing the organisation. Delving into the science of psychology is invaluable when seeking to bring about effective and positive staff security awareness and behavioura...

Science of CyberSecurity: Reasons Behind Most Security Breaches

As part of a profile interview for  Science of Cybersecurity  I was asked five questions on cyber security last week, here's question 2 of 5. Q. What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today? Simply put insecure IT systems and people are behind every breach, insecure IT systems are arguably caused by people as well, whether it is poor system management, lack of security design, insecure coding techniques, and or inadequate support, it all boils down to someone not doing security right. For many years seasoned security experts have advocated that people are the weakest link in security, even hackers say ‘amateurs hack systems, professionals hack people’, yet many organisations still focus most of their resources and funds heavily on securing IT systems over providing staff with sustained security awareness. Maybe this is a result of an IT security sales industry over hyping the effectiveness...

A developer's guide to complying with PCI DSS 3.2 Requirement 6 Article

My updated article on " A developer's guide to complying with PCI DSS 3.2 Requirement 6 " was released on the  IBM Developer Works website  today. This article provides guidance on  PCI DSS requirement 6, which breaks down into 28 further individual requirements and sits squarely with software developers who are involved in the development of applications that process, store, and transmit cardholder data.

Science of CyberSecurity: Thoughts on the current state of Cyber Security

As part of a profile interview for  Science of Cybersecurity I was asked five questions on cyber security last week, here's question 1 of 5. Q. What are your thoughts on the current state of cybersecurity, both for organizations and for consumers? Thanks to regular sensational media hacking headlines most organisational leaders are worried about their organisation’s cyber security posture, but they often lack the appropriate expert support in helping them properly understand their organisation’s cyber risk. To address the cyber security concern, an ‘off the peg’ industry best practice check box approach is often resorted to. However, this one-size-fits-all strategy is far from cost effective and only provides limited assurance in protecting against modern cyber attacks, given every organisation is unique, and cyber threat adversaries continually evolve their tactics and methodologies. In these difficult financial times of limiting cyber security budgets, it is important...

Combating IoT Cyber Threats Article

My updated article on  Combating IoT cyber threats  post released on the  IBM Developer Works website  today. This article outlines the best practices for secure coding techniques and security functions that will help development teams to produce resilient IoT applications that mitigate IoT security risks.

Cyber Security Roundup for August 2017

TalkTalk yet again made all the wrong cyber security headlines in the UK this month, after it was handed a £100,000 fine by the Information Commissioner's Office (ICO) for not adequately protecting customer records from misuse by its staff. The ICO investigated the Internet Service Provider after receiving complaints from customers, who said they received cold calls from scammers who knew their TalkTalk account information. Second-hand goods firm CeX disclosed a compromise of up to 2 million online customer accounts due to a hack, however, CeX has yet to disclose any details about the cyber attack. My blog post and advice about this is here  http://blog.itsecurityexpert.co.uk/2017/08/up-to-2-million-cex-customer-account.html Hackers had a field day taking over social media accounts, from Real Madrid and FC Barcelona to Game of Thrones , much embarrassment could have been avoided if they had adopted multi-factor authentication on the accounts, aside from the spate of...

Up to 2 Million CeX Customer Accounts Compromised by Security Breach

Image
If you are a CeX online customer, change your account password now, as the second hand UK goods chain has been informing over two million of its customers their personal details have been hacked. In a customer email CeX discloses they have been the subject of a security breach by a third party, and that's about as much detail as CeX are presently admitting about the cyber attack at the moment. Despite the CeX email referring to a " sophisticated breach of security " without any further detail about what happened, it is impossible to judge whether it was actually a sophisticated cyber attack or not. Rather oddly CeX have not forced a password change on their compromised customer accounts despite admitting account passwords were at risk.   My CeX Customer Advice Change your CeX password straight away. Ignoring the CeX website advice of using a 6 character password, which is too weak - see the Account Password section of this post below.  Alternatively you could als...