Showing posts with label application security.

Friday, 13 August 2021

How Businesses Can Utilise Penetration Testing

Understand your security vulnerabilities
Article by Beau Peters

The basic approaches like phishing simulations are good, but they tend to have limited reach. This is why more agile methods, penetration testing among them, have been getting increasing attention. In essence, this sees experts with a background in ethical hacking utilizing the techniques of cybercriminals to breach a business’ systems. The idea also meets a certain amount of hesitancy: business owners are often unsure about letting somebody hack their systems in the name of cybersecurity.

As always, there is more to this issue. So, let’s explore what penetration testing is, why businesses should engage with it and how they can do so to get the most impact.

What are the Benefits?
Penetration testing requires a significant amount of trust. Therefore, it’s important to look at what the payoffs of this approach are as opposed to ostensibly safer techniques.

Some of the key benefits include:
  • Ascertaining Vulnerabilities
Penetration testing tends to be the most direct and reliable approach to identifying what parts of a company’s systems are vulnerable to attack. In general, testers will go through each aspect of the network architecture, the website and software code, applications, and hardware to identify where weaknesses lie. This doesn’t just apply to external threats but internal issues, too.

These experts are also approaching their review of a business’ systems with the creative, outside-of-the-box thinking cybercriminals are likely to use. As such, companies benefit from perspectives not usually offered by in-house information technology staff. Once points of vulnerability have been identified, the tester will often provide information about what issues are the highest priority to handle based on the severity of the risk and the consequences. 
  • Maintaining Trust
Perhaps above all else, the benefit of penetration testing is the opportunity to maintain and strengthen trust between a business, its customers, and its supply chain. This is vital given the amount of consumer and partner data companies are gathering and storing. Security is particularly vital in cases when companies are undergoing data democratization — where important data is not just accessible to analysts and leadership but to all members of the organization.

This can be an empowering use of data, helping workers to understand how best to use and protect such information. However, alongside practical obstacles like deficient tools and siloed data, there is a need to prevent breaches. Penetration testing identifies where risks are throughout democratization practices, giving businesses the tools to strengthen their approaches. In turn, consumers and suppliers are assured their data is used to its best purpose and kept safe.

Understand the Needs
While penetration testing utilizes curious, creative ethical hackers, businesses shouldn’t be mistaken in thinking this means it’s a simple process. It requires technological experts who usually go through at least five stages of protocols — from planning the right approach for the goals of the test to analyzing the data they’ve received and compiling a detailed report. The testing methodologies, too, can vary depending on the circumstances. As such, to make the most out of the process, businesses need to have a clear idea of what their needs are.

Some of the common tests and the relevant needs they serve include:
  • Application Testing
Many brands are producing their own apps to improve customer engagement. However, consistent data security can be difficult to achieve, particularly when working across multiple operating systems. Application penetration testing is used to spot flaws in the current security controls, in how they interact with users’ devices, and in where they expose consumers to risk.
  • Physical Testing
Businesses often think cybersecurity attacks will originate remotely. But when a company keeps its servers and equipment on-site, there is potential for criminals to break into the premises and cause a breach. Hacks may even come from staff. Physical penetration testing should, therefore, be sought to understand whether the equipment is vulnerable to the types of tools and methods in-person hackers may use.
  • Wireless Testing
Businesses are increasingly utilizing wireless tools for integral parts of operations. This includes capturing sensitive data through contactless payment machines or sensors on Internet of Things (IoT) devices that track and control the supply chain. Wireless penetration testing can be used to understand how easy it is to illicitly collect data or even disrupt operations through the connected ecosystem. Testers will also confirm where stricter measures need to be in place to prevent access.

Finding the Right Expert
Having established what pen testing is and how it can fit in with a business, how can companies find the right people for the job? After all, one of the key concerns companies have in this area is that they are essentially hiring hackers — there’s a lot of social and legal baggage accompanying this activity.

When bringing on a consultant or hiring an in-house tester, the best approach is to look for relevant certification. Some of the most recognized examples here include the Certified Ethical Hacker licenses issued by the International Council of E-Commerce Consultants (EC-Council), and the Certified Penetration Tester course offered by the Information Assurance Certification Review Board (IACRB). Global Information Assurance Certification (GIAC) also provides various specialized qualifications that are considered to be reliable. These courses are designed to provide knowledge not just about the technical skills to positively impact a business, but also the ethical standards to help make sure testers are staying on the right moral and legal track throughout their activities.

Conclusion
Penetration testing is an agile tool offering various benefits for businesses, including maintaining trust and highlighting points of vulnerability. However, it’s important to remember that getting the most out of the process requires clarity on the company’s challenges and goals for testing, alongside sourcing the relevant certified tester to collaborate with.

Thursday, 23 April 2020

Security Threats Facing Modern Mobile Apps

We use mobile apps every day from a number of different developers, but do we ever stop to think about how much thought and effort went into the security of these apps?

It is believed that 1 out of every 36 mobile devices has been compromised by a mobile app security breach. And with more than 5 billion mobile devices globally, you do the math.

The news that a consumer-facing application or business has experienced a security breach is a story that breaks far too often. As of late, video conferencing apps like Zoom and Houseparty have been the centre of attention in the news cycle.

As apps continue to integrate into the everyday life of our users, we cannot wait for a breach to start considering the efficacy of our security measures. When users shop online, update their fitness training log, review a financial statement, or connect with a colleague over video, we are wielding their personal data and must do so responsibly.

Let’s cover some of the ways hackers access sensitive information and tips to prevent these hacks from happening to you.

The Authentication Problem

Authentication is the ability to reliably determine that the person trying to access a given account is the actual person who owns that account. Single-factor authentication means accepting just a username and password to authenticate a user, but as we know, people use the same insecure passwords and reuse them across all their accounts.

If a hacker accesses a user’s username and password, even if through no fault of yours, they are able to access that user’s account information.

Although two-factor authentication (2FA) can feel superfluous at times, it is a simple way to protect user accounts from hackers.

2FA uses a secondary means of authenticating the user, such as sending a confirmation code to a mobile device or email address. This adds another layer of protection by making it more difficult for hackers to fake authentication.

Consider using services that handle authentication securely and having users sign in with them. Google and Facebook, for example, are used by billions of people and they have had to solve authentication problems on a large scale.
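The confirmation-code flow described above, as server-side Python. This is an added example, not code from the original post or from CleverTap: the class name, the five-minute code lifetime and the five-guess limit are assumptions chosen for illustration. The points it makes that the prose does not are that only a hash of the code is stored, that the comparison is constant-time, that a code is single-use, and that it is discarded after expiry or too many wrong guesses.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_TTL_SECONDS = 300   # assumed lifetime: a code is useless five minutes after issue
MAX_ATTEMPTS = 5         # assumed guess budget before the code is thrown away


@dataclass
class PendingCode:
    code_hash: bytes     # SHA-256 of the code; the plaintext code is never stored server-side
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Issues and verifies the one-time confirmation code used as the second factor.

    The app calls issue() after the password check succeeds, delivers the returned
    code out of band (SMS, push or email), and later calls verify() with what the
    user typed. (Hypothetical class, constructed for this example.)"""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG; leading zeros preserved
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[username] = PendingCode(digest, now + CODE_TTL_SECONDS)
        return code   # send this to the user's device; do not log it

    def verify(self, username: str, candidate: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False   # nothing outstanding (never issued, or already consumed)
        if now > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[username]   # expired or guessed at too often: force a fresh issue
            return False
        entry.attempts += 1
        digest = hashlib.sha256(candidate.encode()).digest()
        if hmac.compare_digest(digest, entry.code_hash):   # constant-time comparison
            del self._pending[username]   # single use: the same code can never be replayed
            return True
        return False


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice")          # in a real app this goes to the user's phone or inbox
    print("accepted:", sf.verify("alice", code))
    print("replay accepted:", sf.verify("alice", code))
```

In a deployment the caller should also rate-limit issue() per user, since each call sends a message, and an authenticator app or hardware key is a stronger second factor than a code sent by SMS, which can be intercepted or redirected.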

Reverse Engineering

Reverse engineering is when hackers take an app apart and build a clone of it, which they then use to get innocent people to download malware. How is this accomplished? All the hacker has to do is gain access to the source code. And if your team is not cautious with permissions and version control systems, a hacker can walk right in unannounced and gain access to the source code along with private environment variables.

One way to safeguard against this is to obfuscate code. Obfuscation and minification make the code less readable to hackers. That way, they’re unable to conduct reverse engineering on an app. You should also make sure your code is in a private repository, secret keys and variables are encrypted, and your team is aware of best practices.
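The advice above about keeping secret keys and variables out of the repository can be enforced mechanically. The following Python is an added example, not code from the original post or from CleverTap, of a pre-commit style scan that flags credential-shaped values before they are committed. The patterns, the entropy threshold of 3.5 bits per character and the sample config are all constructed for illustration; the AKIA value is the placeholder access key from AWS's own documentation, not a real credential.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Credential shapes that must never reach version control (constructed, not exhaustive).
# Each entry: (label, regex, index of the capture group holding the secret; 0 = whole match)
SECRET_PATTERNS = [
    ("AWS access key id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("Private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 0),
    ("Generic secret assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"), 2),
]

ENTROPY_THRESHOLD = 3.5   # bits per character; below this a quoted value is probably a placeholder


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; random keys score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, threshold: float = ENTROPY_THRESHOLD) -> List[Tuple[int, str]]:
    """Return (line number, label) for every line that looks like it carries a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern, value_group in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            # Generic assignments are only reported when the quoted value is high-entropy,
            # so placeholders like password = "changeme" do not drown out real leaks.
            if value_group and shannon_entropy(m.group(value_group)) < threshold:
                continue
            findings.append((lineno, label))
            break   # one finding per line is enough
    return findings


# Constructed sample config; none of these are real credentials.
SAMPLE_CONFIG = """\
# constructed sample config, not real credentials
DB_HOST=localhost
password = "changeme"
API_KEY = "kQ9zL2mX7vB4nP1wR8sT"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, label in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {label}")
```

Run against staged files from a pre-commit hook, a non-empty result should block the commit; a scan of this kind complements, rather than replaces, keeping the repository private and loading secrets from an encrypted store at runtime.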

If you’re interested in learning more ways hackers can breach mobile app security, check out the infographic below from CleverTap.

Authored by Drew Page. Drew is a content marketing lead from San Diego, where he helps create epic content for companies like CleverTap. He loves learning, writing and playing music. When not surfing the web, you can find him actually surfing, in the kitchen or in a book.

Tuesday, 6 November 2018

How Safe and Secure are Wearables?

The ‘wearable technology’ market has been growing exponentially in recent years and is expected to exceed 830 million devices by 2020. One of the key drivers pushing this rapid expansion is fitness trackers, namely wristband tech and smartwatch apps which monitor our daily activity and health. But as we integrate wearable devices seamlessly into our everyday lives, what privacy and security risks do they pose? How should wearable manufacturers and app developers be protecting consumers?

245 million wearables will be sold in 2019

Insurance company Vitality offers customers a heavily discounted Apple Watch in return for their fitness routines and health data: the more activity you do each month, the greater your reward through a monthly discount. While this exchange of information for rewards provides a great incentive for consumers to improve their health, the personal data consumers are sharing in return has a tangible value for the insurance company. However, providing an insurance company with a daily data breakdown of one's health is an unacceptable tradeoff for some, who regard such a practice as an invasion of their privacy.

As of May 2018, all EU citizens' privacy rights are legally protected by the General Data Protection Regulation (GDPR). GDPR compliance is required of all companies which process EU citizen data, including those based outside of the European Union. The privacy regulation requires wearable device and app providers to obtain each EU citizen's explicit consent before collecting their personal information; they must also clearly explain what types of personal information they intend to collect and how they intend to use the data, and inform consumers about any other organisation they intend to share their data with. If they don’t, wearable tech firms and app providers should brace themselves for heavy fines from European Information Commissioners.

For further details about the GDPR requirements and for wearables software development security advice, read my IBM developerWorks three-part guidance "A developer's guide to the GDPR" and my Combating IoT Cyber Threats article.

Wearable personal data is also of value to hackers and criminals; for instance, your fitness routine provides a clear picture of the best times to burglarise your home. With personal consumer data potentially at stake, fitness wearable manufacturers should incorporate both default privacy and security standards into the infrastructure of the device, to help ensure personal information remains safeguarded from known and future cyber threats. UL, a global safety science company, has developed testing for cybersecurity threats and offers security verification processes to assist manufacturers in assessing security risks and helping mitigate them before the product even goes to market. If the industry takes these steps, wearable consumers will feel safe and secure as they reap the intended benefits of this new innovation, while the wearables industry will be well positioned to meet the promise of its growth projections.

Wednesday, 31 October 2018

Cyber Security Roundup for October 2018

Aside from Brexit, cyber threats and cyber attack accusations against Russia are very much on the centre stage of the UK government's international political agenda at the moment. The government publicly accused Russia's military 'GRU' intelligence service of being behind four high-profile cyber-attacks, and named 12 cyber groups it said were associated with the GRU. Foreign Secretary Jeremy Hunt said, "the GRU had waged a campaign of indiscriminate and reckless cyber strikes that served no legitimate national security interest".

UK Police firmly believe the two men who carried out the Salisbury poisoning in March 2018 worked for the GRU.

The UK National Cyber Security Centre said it had assessed "with high confidence" that the GRU was "almost certainly responsible" for the cyber-attacks, and also warned UK businesses to be on the alert for indicators of compromise by the Russian APT28 hacking group. The NCSC said GRU hackers, operating under a dozen different names including Fancy Bear (APT28), had targeted:
  • The systems database of the Montreal-based World Anti-Doping Agency (WADA), using phishing to gain passwords. Athletes' data was later published.
  • The Democratic National Committee in 2016, when emails and chats were obtained and subsequently published online. The US authorities have already linked this to Russia.
  • Ukraine's Kyiv metro and Odessa airport, Russia's central bank, and two privately-owned Russian media outlets - Fontanka.ru and news agency Interfax - in October 2017. They used ransomware to encrypt the contents of a computer and demand payment.
  • An unnamed small UK-based TV station between July and August 2015, when multiple email accounts were accessed and content stolen.

Facebook was fined the maximum amount of £500,000 under pre-GDPR data protection laws by the UK Information Commissioner's Office (ICO) over the Cambridge Analytica scandal. Facebook could face a new ICO fine after revealing hackers had accessed the contact details of 30 million users due to a flaw with Facebook profiles. The ICO also revealed a 400% increase in reported cyber security incidents, and another report, by the legal firm RPC, said the average ICO fine had doubled and to expect higher fines in the future. Heathrow Airport was fined £120,000 by the ICO in October after a staff member lost a USB stick last October containing "sensitive personal data", which was later found by a member of the public.

Notable Significant ICO Security Related Fines

Last month's British Airways website hack was worse than originally reported, as BA disclosed a second attack which occurred on 5th September 2018, when the payment page had 22 lines of malicious JavaScript code injected in an attack widely attributed to Magecart. Another airline, Cathay Pacific, also disclosed it had suffered a major data breach that impacted 9.4 million customers' personal data and some credit card data.

Morrisons has lost a challenge to a High Court ruling which made it liable for a data breach, after an employee, since jailed for 8 years, stole and posted thousands of its employees' details online in 2014. Morrisons said it would now appeal to the Supreme Court; if that appeal fails, those affected will be able to claim compensation for "upset and distress".

Interesting article on Bloomberg on "How China Used a Tiny Chip to Infiltrate U.S. Companies". However, there was a counter-narrative to the Bloomberg article on Sky News. That didn't stop ex-Security Minister Admiral Lord West calling out Chinese IT kit, which he said 'is putting all of us at risk' if used in 5G. He raises a valid point, given the US Commerce Department said it would restrict the export of software and technology goods from American firms to Chinese chipmaker Fujian Jinhua. BT, which uses Huawei to supply parts for its network, told Sky News that it would "apply the same stringent security measures and controls to 5G when we start to roll it out, in line with continued guidance from government". Recently there have been warnings issued by the MoD and NCSC stating a Chinese espionage group known as APT10 is attacking IT suppliers to target military and intelligence information.

NCSC is seeking feedback on the latest draft 'knowledge areas' of CyBOK, a cyber security body of knowledge which it is supporting along with academics and the wider security industry.

Google is finally pulling the plug on Google+, after user personal data was left exposed. Google and the other three major web browser providers said, in what seemed like coordinated announcements, that businesses must accept TLS versions 1.0 and 1.1 will no longer be supported after Q1 2018.

So it's time to move over to the more secure TLS 1.2, or the even more secure and efficient TLS 1.3.
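What "moving over to TLS 1.2 or 1.3" looks like in code, as an added example that is not from the original post: a Python client context that refuses anything below TLS 1.2 and keeps certificate and hostname verification on, a deliberately weakened context for contrast, and a small audit function that reports which of those settings a given context gets wrong. The function names and the wording of the findings are assumptions for this example; the `ssl` calls are standard-library.

```python
import ssl
from typing import List


def make_strict_client_context() -> ssl.SSLContext:
    """Client context that negotiates only TLS 1.2 or 1.3 and verifies the server."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2                 # TLS 1.0/1.1 are never offered
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """Deliberately weak context, constructed only for contrast; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate at all
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1   # re-enable a deprecated protocol
    except ValueError:
        pass   # this OpenSSL build cannot speak TLS 1.1 at all, which is the desired state
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy violations found in a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS below 1.2")
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    return findings


if __name__ == "__main__":
    print("strict:", audit_context(make_strict_client_context()) or "ok")
    print("weak:  ", audit_context(make_weak_client_context()))
```

The same minimum_version setting applies to server contexts built with ssl.Purpose.CLIENT_AUTH; the audit function is a cheap check to run in a test suite so that nobody quietly relaxes the policy later.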


Monday, 1 October 2018

Cyber Security Roundup for September 2018

September 2018 started with a data breach bang, with British Airways disclosing a significant hack and data loss: 380,000 of the airline's website and mobile app customers had their debit and credit card details lifted via a maliciously injected script. The breach even caused BA's owner, IAG, to drop 4% in value. To compound matters, several claims were made that the BA website wasn't PCI DSS compliant, implying that if it had been PCI DSS compliant, its customers' personal and payment card information would still be safe. For further details about this breach see my blog posts British Airways Customer Data Stolen in Website and Mobile App Hack and British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected.

Facebook continues to make all the wrong kind of privacy headlines after a massive user data breach was confirmed by the social media giant at the end of the month. Facebook said at least 50 million users’ data was at risk after hackers exploited a vulnerability in Facebook's code. Facebook CEO Mark Zuckerberg said he doesn’t know who is behind the cyber attack; however, the FBI are investigating.

There was a good measure of embarrassment at the Tory Conference after a flaw in the conference app revealed the personal data of senior UK government cabinet ministers, with Boris Johnson, Michael Gove and Gavin Williamson among those whose personal information and phone numbers were made available.

There were a number of large data breach fines handed out in September. Tesco Bank was hit by a whopping £16.4 million fine by the Financial Conduct Authority (FCA); the fine would have been doubled if it weren't for Tesco's good co-operation with the FCA investigation. The FCA said Tesco had security deficiencies which left its bank account holders vulnerable to a cyber attack in November 2016. The attack netted the bad guys, via 34 transactions, a cool £2.26 million. The FCA report said the cyber criminals had exploited weaknesses in the bank's design of its debit card, its financial crime controls and its financial crime operations team to carry out the attack over a 48-hour period.

Equifax was fined the maximum pre-GDPR law amount of £500K by the Information Commissioner's Office (ICO) after the US-based credit reference agency failed to protect the personal data of 15 million UK citizens. The ICO ruled Equifax's UK branch had "failed to take appropriate steps" to protect UK citizens' data. It added that "multiple failures" meant personal information had been kept longer than necessary and left vulnerable.

The ICO also fined Bupa £175K for not having good enough security to prevent the theft of 547,000 customer records by an employee. Uber has paid £133m to settle legal claims from customers and drivers, as a result of trying to hide from its regulators a huge breach which occurred in 2016. The ride-hailing company admitted to paying off hackers to the tune of $100,000 to delete the data they stole from Uber's cloud servers. The personal data stolen was from 57 million Uber accounts and also included 600,000 driving licence numbers.

Looks like the MoD and GCHQ are looking to beef up Britain's cyber offence capabilities, announcing a plan to recruit a 2,000-strong 'cyber force' to take on the Russian threat. Meanwhile, across the pond, the Mirai creators have done a deal to keep themselves out of jail in return for helping the FBI catch cybercrooks, which has echoes of the approach the FBI took with con artist and cheque fraud expert Frank Abagnale, the subject of the book and film "Catch Me if You Can".

Bristol Airport was impacted by a ransomware attack which took down its arrival and departure screens for a couple of days, and a Scottish brewery was also hit by a ransomware attack through an infected CV it had received via an online job advertisement.

Europol warned of 15 ways you could become a cyber crime victim, and there was an excellent article in the New York Times on the Bangladesh Central Bank cyber theft.


Thursday, 31 May 2018

Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help application developers develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

The GDPR
The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organization outside of Europe that handles the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that can indirectly process EU citizens' personal data or allow EU citizens to sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation. 

Part 3: Minimizing Application Privacy Risk
Part 3 provides practical application development techniques that can alleviate an application's privacy risk.

Tuesday, 19 September 2017

Science of CyberSecurity: Reasons Behind Most Security Breaches

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week; here's question 2 of 5.

Q. What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?
Simply put, insecure IT systems and people are behind every breach. Insecure IT systems are arguably caused by people as well: whether it is poor system management, lack of security design, insecure coding techniques and/or inadequate support, it all boils down to someone not doing security right. For many years seasoned security experts have advocated that people are the weakest link in security (even hackers say ‘amateurs hack systems, professionals hack people’), yet many organisations still focus most of their resources and funds heavily on securing IT systems over providing staff with sustained security awareness. Maybe this is a result of an IT security sales industry over-hyping the effectiveness of technical security solutions. I think most organisations can do more to address this balance, starting with better understanding the awareness level and risk posed by their employees. For instance, the security awareness of staff can be measured by using a fake phishing campaign to detect how many staff would click on a link within a suspicious email, while analysing the root causes of past cyber security incidents is a highly valuable barometer in understanding the risk posed by staff; all of these can be used as inputs into the cyber risk assessment process.

Monday, 18 September 2017

A developer's guide to complying with PCI DSS 3.2 Requirement 6 Article

My updated article "A developer's guide to complying with PCI DSS 3.2 Requirement 6" was released on the IBM developerWorks website today.

This article provides guidance on PCI DSS requirement 6, which breaks down into 28 further individual requirements and sits squarely with software developers who are involved in developing applications that process, store, and transmit cardholder data.

Monday, 4 September 2017

Combating IoT Cyber Threats Article

My updated article, Combating IoT Cyber Threats, was released on the IBM developerWorks website today.

This article outlines the best practices for secure coding techniques and security functions that will help development teams to produce resilient IoT applications that mitigate IoT security risks.

Tuesday, 1 November 2016

Cyber Security Roundup for October 2016

Cyber security experts have long predicted that thousands of vulnerable Internet of Things (IoT) devices, such as internet-connected CCTV systems, would be hacked en masse and directed to perform huge DDoS attacks. That’s exactly what happened on 21st October, when 152,000 IoT devices infected with malware were remotely controlled by hackers and used to orchestrate a 1 Tbps DDoS attack, the largest in history. A tsunami of network traffic was directed at a company called Dyn, a major domain name registrar, and it impacted their clients’ web services, including Twitter, Yammer, PayPal, Starbucks, The Guardian, PlayStation, Wix, CNN, Spotify, GitHub, Weebly and Reddit.

Those IoT developers may want to read up on my IoT guidance on the IBM developerWorks website: Combating IoT cyber threats - Top security best practices for IoT applications.

The UK National Cyber Security Centre HQ went operational, which is part of the UK government's 5 year £1.9 billion cyber defence strategy, a much-needed investment to help safeguard the UK's digital economy from cyber attacks during these uncertain economic times for the country.

Ransomware continues to cause problems, especially within the NHS, but on the flipside the https://www.nomoreransom.org/ website continues to be supported, with the site providing excellent advice to both home users and businesses. I have even added a separate Ransomware Help section on my own website: https://itsecurityexpert.co.uk/en/securityhelp/ransomware-help

A couple of surveys show UK businesses are still struggling to understand what they need to do in order to comply with the strict new General Data Protection Regulation (GDPR), which comes into force in May 2018 despite Brexit. I plan to do a blog post providing businesses with help on the GDPR in the coming weeks.


Thursday, 27 October 2016

How to Protect Against Mobile Malware

IBM Security recently released a white paper on the mobile malware threat, which included general guidance on managing the mobile threat and an overview of IBM’s MaaS360 Mobile Threat Management tool. I thought it was good advice and well worth sharing.

According to Arxan Technologies, 97% and 87% of the top paid Android and iOS apps, respectively, have been hacked and posted to third-party app stores.
Mobile Security Guidance (by IBM Security)
  • Educate Employees about Application Security: Educate employees about the dangers of downloading third-party applications and the potential dangers that can result from weak device permissioning.
  • Protect BYOD devices: Apply enterprise mobility management capabilities to enable employees to use their own devices while maintaining organisational security.
  • Permit Employees to download from Authorised App Stores Only: Allow employees to download applications solely from authorised application stores, such as Google Play, the Apple App Store and your organisation’s app store, if applicable.
  • Act Quickly when a Device is Compromised: Set automated policies on SmartPhones and tablets that take automatic action if a device is found compromised or malicious apps are discovered. This approach protects your organisation’s data while the issue is remediated.