
Coming to terms with a ‘man in the middle attack’

The term ‘man in the middle attack’ is becoming well known as more instances of them take place.

What exactly does ‘man in the middle attack’ mean?  It is when a cyber-criminal secretly intercepts and possibly alters a communication between two parties, who both believe they are directly communicating with each other.

A common example is where the cyber-criminal uses bogus emails to trick solicitors into paying the proceeds of a house sale into the criminal’s own bank account, rather than to the bona fide person.

Another example is where an Internet connection is intercepted, often because a user has not checked that they are using a valid Wi-Fi network. The hacker uses a device to emulate the valid Wi-Fi in, say, a hotel, and the unsuspecting victim connects to it. The hacker allows them to browse as normal until the victim goes to a site of interest, such as a bank account. The hacker then allows the user to log on to their account but breaks the connection to the victim while keeping the link to the bank open. The victim thinks the connection was lost due to the hotel’s poor Wi-Fi, but the hacker continues to empty the victim’s bank account.

These kinds of attacks highlight weaknesses in an organisation’s data security strategy. The business may have been hacked with malware that allows systems to be monitored; there may have been an insider attack, where someone with internal system access is selling information to third parties; or there may simply be poor user education or monitoring.

Data protection rackets

Incidents of data protection rackets, where malware is embedded and cunningly hidden, are increasingly being reported. These attacks are designed to go undetected by the organisation while the data it holds is scanned. The objective is that, when valuable data is found or a file is changed, such as an intellectual property modification, the content is sent to the hacker, who can then sell the information on to competitors. Another data mine is where an organisation is bidding for a large contract and the hacker gains access to the proposal and sells it to competing bidders so they can undercut. Over time, the hacker might make the organisation aware of its activities and use this, just like the old-fashioned protection rackets of the Prohibition era, to demand money not to send out information.

And a ‘man in the middle attack’ is not confined to email correspondence. It could also include voice communications, as most telephone systems use VoIP (Voice over Internet Protocol).

Systems must be strengthened

Steps must be taken to strengthen systems against such attacks. Strong internal controls and audit procedures are needed to stop malware infiltrating systems in the first place and taking over the network.

Adopting advanced threat protection is vital, as it stops bad processes starting, instantly blocking malware attacks. It can also signal any unusual behaviour by staff and systems, for example showing when an application is sending out data when it should not.

And of course, robust internal controls and checks should be employed when using support companies as well as the checking of system logs and user access, to understand who is touching the data, ensuring that access to it is normal. Anything odd should raise a flag.

Emails should be secure, especially if personally identifiable information is being sent, and should use clarification techniques such as send and receive reports. These should not be under the control of the receiver, as they are in Outlook, where a receiver can block read receipts.

Adopting Cyber Essentials Plus

The Cyber Essentials Plus Certification can offer solutions too. This government information assurance scheme, operated by the National Cyber Security Centre (NCSC), launched in 2014 and has become a key element of excellence for cyber security, in all its forms.

It does this by encouraging organisations to adopt good practice in information security and includes a simple set of security controls to protect information from threats coming from the Internet.

The Cyber Essentials Plus Certification requires verification of cyber security to be carried out independently by a Certification Body, making it a more rigorous form of certification.

Joining up to the scheme can ensure that systems are regularly assessed and weaknesses dealt with so as to stop any security breaches, not just ‘man in the middle’.

Every organisation can benefit from added protection.

Give us a call on 0844 586 0040, or email intouch@digitalpathways.co.uk, and we’ll be happy to advise you.



Fileless Attacks: How do you protect your organisation from a threat you can’t see?

Fileless Attacks: The Threat You Can’t See

Fileless attacks are on the rise. A study by the Ponemon Institute found that 29% of the attacks faced by organisations during 2017 were fileless. This number has been increasing year on year and is expected to reach 35% in 2018.

The reason for this increase is simple. Hackers know they stand a greater chance of succeeding with a fileless attack because they are more difficult to detect. Traditional anti-malware and anti-virus tools search for malicious software by scanning a computer’s hard drive. This has led cybercriminals to pursue attacks that avoid the hard drive altogether.

How do fileless attacks work?

To avoid the hard drive, hackers hide malicious code in memory instead, using authorised native programs and tools within the operating system to attack by stealth.

This is how an attack against your organisation could occur:

  1. An employee receives a spam email with a link to a malicious website.
  2. The employee clicks on the link.
  3. The malicious website loads an authorised program, such as Flash, on the employee’s computer and exploits its known vulnerabilities.
  4. The program then opens Windows PowerShell, a native Windows tool, which is able to execute instructions through the command line while operating in memory.
  5. PowerShell downloads and runs a malicious script.
  6. The PowerShell script locates data on the employee’s computer and sends it to the attacker.

Using authorised applications already installed on the target’s computer is more discreet than placing a file on the user’s computer. The hacker can undertake the same types of attack as they otherwise could, such as ransomware attacks, but is far less likely to be noticed. This is why it is essential to swiftly patch and update your operating systems and software applications.

Although not truly a ‘fileless’ attack, the same attack could occur if an employee opens a Word or PDF document sent from a malicious source. With a Word document, for instance, the attack will use a Microsoft Office macro to launch PowerShell and run the hacker’s script. Programs such as Adobe PDF Reader and JavaScript all have known vulnerabilities which hackers seek to use to their advantage.

Fileless attacks will continue to rise until organisations become effective at identifying and defending themselves from this type of attack. Cybersecurity tools that learn and analyse patterns of behaviour are better placed to spot unusual activity on your networks, which could afford some protection against fileless attacks.
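The chain described above, in which a document or browser application ends up launching PowerShell, leaves a trace in process-creation logs even when no malicious file is written to disk. The following is an added example, not code from the original article: it flags PowerShell launches that descend from a document-handling application, including through an intermediate shell. The field names are modelled on Sysmon Event ID 1; the application list, severity scheme and sample events are assumptions constructed for illustration.

```python
import re

# Applications that open untrusted documents or web content; they have no
# routine reason to start PowerShell (assumed list, tune it per estate).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "acrord32.exe", "iexplore.exe", "chrome.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Command-line traits associated with running a script from memory.
TRAITS = {
    "encoded_command": re.compile(r"(?i)\s-e(?:c|n(?:c\w*)?)?\s"),
    "hidden_window": re.compile(r"(?i)\s-w\w*\s+hidden\b"),
    "web_fetch": re.compile(r"(?i)net\.webclient|invoke-webrequest|downloadstring"),
    "in_memory_exec": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
}


def exe_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def document_ancestor(event, by_pid, max_hops=4):
    """Return the nearest document-handling ancestor, looking through
    intermediate shells such as cmd.exe, or None if there is none."""
    name, pid = exe_name(event["ParentImage"]), event["ParentProcessId"]
    for _ in range(max_hops):
        if name in DOCUMENT_APPS:
            return name
        parent = by_pid.get(pid)
        if parent is None:
            return None
        name, pid = exe_name(parent["ParentImage"]), parent["ParentProcessId"]
    return None


def analyse(events):
    """Flag PowerShell launches that descend from a document application
    or that carry several in-memory execution traits."""
    # Real pipelines should key on Sysmon's ProcessGuid: PIDs get reused.
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if exe_name(e["Image"]) not in SCRIPT_HOSTS:
            continue
        ancestor = document_ancestor(e, by_pid)
        traits = sorted(t for t, rx in TRAITS.items() if rx.search(e["CommandLine"]))
        if ancestor and traits:
            severity = "high"
        elif ancestor:
            severity = "medium"
        elif len(traits) >= 2:
            severity = "low"
        else:
            continue  # ordinary interactive or administrative use
        findings.append({"pid": e["ProcessId"], "ancestor": ancestor,
                         "traits": traits, "severity": severity})
    return findings


def ev(pid, ppid, parent, image, cmd):
    """Build one process-creation event with the fields used above."""
    return {"ProcessId": pid, "ParentProcessId": ppid,
            "ParentImage": parent, "Image": image, "CommandLine": cmd}


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OFFICE = r"C:\Program Files\Microsoft Office\Office16"
SAMPLE_EVENTS = [
    ev(200, 100, r"C:\Windows\explorer.exe", OFFICE + r"\WINWORD.EXE", "WINWORD.EXE invoice.docm"),
    ev(300, 200, OFFICE + r"\WINWORD.EXE", r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell ..."),
    ev(400, 300, r"C:\Windows\System32\cmd.exe", PS,
       "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <constructed-placeholder>"),
    ev(500, 100, r"C:\Windows\explorer.exe", PS, "powershell.exe"),
    ev(700, 600, r"C:\Windows\System32\svchost.exe", PS,
       r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    ev(900, 800, OFFICE + r"\EXCEL.EXE", PS, r"powershell.exe -File C:\Reports\build.ps1"),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Only two of the six sample events are flagged: the Word-to-cmd-to-PowerShell launch (high) and the Excel-to-PowerShell launch (medium). The interactive session and the scheduled inventory script pass without a finding.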

However, relying on cybersecurity tools alone is not enough. Training staff to recognise fraudulent and spam emails also needs to be a crucial element of your cybersecurity strategy. Spam emails are becoming less obvious to spot, often looking near identical to emails from a legitimate source. The few seconds it takes an employee to check the sender’s email address is accurate could be the difference between a successful and unsuccessful attack against your company.

As new modes of threat emerge, organisations must rethink the ways they protect themselves, and analyse the cybersecurity tools they use.



How are Word-based fileless attacks targeting aid organisations?

Imagine you have opened a Word file that was emailed to you by a prominent organisation in your field. On the surface, nothing else happens. You notice no changes and your antivirus system doesn’t detect anything suspicious. Would you (or your employees) expect to be spied on by hackers?

This March, McAfee identified a new fileless hacking operation which is targeting humanitarian aid organisations worldwide. ‘Operation Honeybee’ tricks its targets into opening compromised Word documents. When this is achieved, their malware takes hold in the computer and allows the hackers to spy on their target undetected. They are able to escape scrutiny because of their fileless strategy.

There has been a surge in fileless attacks. A study by the Ponemon Institute predicts they will comprise 35% of all cyberattacks in 2018. As hard drive-focused antivirus scanners become more effective, hackers are resorting to strategies which do not leave files in your directory. Instead, they exploit known weaknesses in legitimate programs which are already on your computer. Once they have gained a foothold there, they can run commands which allow them to spy on you, mine cryptocurrency, ransom your files, and even take over your entire system.

Honeybee and spear phishing pierce your defences

Another dangerous aspect of the Honeybee operation is its use of ‘spear phishing’, a more sophisticated form of phishing. Where ordinary phishing campaigns send out misleading emails in bulk and cross their fingers, spear phishing tailors its message to appeal to a particular target in order to increase its chances of success.

In the case of Honeybee, the hackers designed their initial email to pass for a message from the International Red Cross. They then used the decoy document to ambush employees of the aid organisations they wanted to spy on.

The Red Cross is a perfect disguise for a spear phishing operation, as it is a well-known, trusted organisation. Combining this with the fileless nature of the attack, it is even more likely to escape detection. This joint strategy can be adapted to target any industry.

Joint strategy; twofold solution

If hackers are purposefully evading traditional antivirus strategies, how can you keep your system safe? There is a twofold solution.

First of all, there are innovative antivirus programs which do protect against fileless attacks. The latest cybersecurity tools use machine learning to pinpoint unusual activity on your system. This allows them to eliminate threats which would otherwise remain hidden.

Secondly, you can implement a training strategy which will increase awareness of the strategies used by hackers. When properly prepared, members of your organisation can neutralise a threat by taking as little as a minute to verify the source of emails they receive. It really can be that simple.

Every organisation can benefit from added protection. Give us a call on 0844 586 0040, or email intouch@digitalpathways.co.uk, and we’ll be happy to advise you.



Building trust: what GDPR can do for your council

In 2017, Basildon Council was fined £150,000 for failing to store personal data securely. Because there was no adequate data protection policy in place, details of a family’s disabilities, including mental health issues, were published online. They remained publicly accessible for weeks. This incident had huge reputational and financial repercussions for the Council.

The £150,000 fine was imposed under the old Data Protection Act. With the enforcement of GDPR in May, the ICO is now able to impose higher fines, which go up to 4% of the organisation’s turnover, or €20,000,000, whichever is greater. What’s more, the scope of the new legislation is far broader, setting higher standards of transparency for any organisation that handles EU citizens’ data.

Councils are already failing internal audits and incurring fines on an annual basis. What will happen now GDPR is enforceable? Unless action is taken now, councils stand to fall short of the new rules and be subject to the new fines. The purpose of GDPR is to protect citizens’ rights, not to cause councils to incur avoidable costs. How can GDPR help councils prevent the kind of incident Basildon has seen, and foster trust among residents?

How can GDPR help?

There is a lot of apprehension among residents regarding their privacy. Who holds my data, and why? If personal data is stored, is it being held securely? GDPR is designed to provide answers to those questions.

If an organisation is GDPR compliant, it means that personal data is only being stored when strictly necessary and under the best possible safeguards. More than that, GDPR puts control over data back into citizens’ hands, creating a new era of transparency. This is how GDPR, instead of remaining a looming spectre, can become a tool for councils to build trust.

The task for councils is clear: they must be able to map out the exact course data takes through their systems. When a resident requests to see their personal data, the council must be able to recover it. If you imagine the amount of data currently in the hands of councils, much of it in archival storage, you will see that this is a huge undertaking.

There are other liabilities councils may not even be aware of, such as their Active Directory management. Too often, when council employees change roles, their accounts remain active. This means that they can be exploited by disgruntled ex-employees, and even become targets for hackers. By implementing a system which closes obsolete accounts, councils can ensure that access is granted only to the right people.

There are big cost-saving benefits to be achieved by creating a safe, streamlined and transparent data policy. As well as avoiding fines and passing internal audits, in the process of becoming GDPR compliant, councils can effect substantial savings by reducing their storage of obsolete data.

We have the experience and expertise to reform your data management. If you are a council looking for a GDPR compliance solution, please contact us on 0844 586 0040 or intouch@digitalpathways.co.uk.



Private Schools and Parents Face Cyber Threat

Cybercriminals are always seeking new targets. Organisations receiving large payments, and with poorly secured IT systems are a treasure trove for hackers. Their latest campaign attacks private schools, with the aim of tricking parents into paying thousands of pounds of school fees to fraudsters’ accounts.

Unfortunately, many private schools lack adequate digital security. Cybercriminals are using phishing attacks to compromise school email systems and obtain parents’ data and contact details. A common tactic involves emailing parents to explain that the school’s payment details have changed and issuing a new invoice with the criminals’ own bank details. Parents who reply to the email for confirmation risk emailing the hackers instead.

It has been reported that one parent with three children at an independent school paid £70,000 to hackers after being offered a 10 per cent “early bird” discount.

“These emails can seem very real,” says Colin Tankard, Digital Pathways’ Managing Director, “and, while the private school sector seems to be the latest target of these fraudsters, they are certainly not the first, nor will they be the last.

“Always hover your cursor over the URL and check that the address is correct.  Sometimes it may differ by one digit or letter, so vigilance is key”, he adds.

Schools and parents who find themselves the victim of these attacks are unlikely to recover their money. Payment by bank transfer is not protected, and few schools have taken out cyber insurance. For the few that have, only 38 percent of policies cover this type of crime.

Staff need to receive ongoing training to help them identify phishing scams that enable hackers to gain access to their systems.
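The check described above, looking for an address that differs from the genuine one by a single digit or letter, can also be automated at the mail gateway. The following is an added example, not part of the original article: it compares the From and Reply-To domains of a message against a list of trusted domains and flags near-misses, and it flags a Reply-To that silently redirects replies elsewhere. The school domain `stmarys-school.example`, the function names and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"stmarys-school.example"}  # hypothetical school domain


def edit_distance(a, b):
    """Optimal string alignment distance: counts insertions, deletions,
    substitutions and swaps of two adjacent characters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of (kind, header, domain) warnings for one message."""
    msg = message_from_string(raw)
    domains = {h: domain_of(msg[h]) for h in ("From", "Reply-To")}
    warnings = []
    for header, dom in domains.items():
        # A trusted domain is fine; an unrelated domain is just an unknown
        # sender. Only a near-miss of a trusted domain is flagged.
        if dom and dom not in trusted:
            if any(0 < edit_distance(dom, t) <= max_distance for t in trusted):
                warnings.append(("lookalike", header, dom))
    reply = domains["Reply-To"]
    if reply and reply != domains["From"]:
        warnings.append(("reply_to_differs", "Reply-To", reply))
    return warnings


# Constructed sample messages (not real mail).
GENUINE = ("From: Bursar <bursar@stmarys-school.example>\n"
           "Subject: Spring term fees\n\nInvoice attached.\n")
LOOKALIKE_FROM = ("From: Bursar <bursar@stmarys-schoo1.example>\n"
                  "Subject: New bank details\n\nPlease use the new account.\n")
REDIRECTED_REPLY = ("From: Bursar <bursar@stmarys-school.example>\n"
                    "Reply-To: bursar@stmarys-shcool.example\n"
                    "Subject: Early bird discount\n\nReply to confirm.\n")
UNRELATED = ("From: A Parent <parent@mail.example>\n"
             "Subject: Question\n\nWhen is term?\n")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE_FROM),
                      ("redirected", REDIRECTED_REPLY), ("unrelated", UNRELATED)]:
        print(name, check_message(raw))
```

The third sample shows why Reply-To matters: the From address is the genuine one, so a parent who hovers over the sender sees nothing wrong, yet a reply asking for confirmation would go to the look-alike domain.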

Also, schools need to act quickly to ensure they are protecting the personal data they store and process. On 25th May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act. Failure to protect their systems from unauthorised access could see independent schools hit with colossal fines.

Compliance requires preparation, including auditing what information is held, and where, assessing threats, training staff, and updating policies and systems.

In light of the current email scam, independent schools should use a GDPR-compliant secure email service. Utilising end-to-end encryption, messages are protected from unauthorised access and e-mails rendered trusted and binding. Hackers are unable to decrypt the information being passed between the organisation and individuals. This restores confidence in email communications, knowing messages have come from a trusted source and are being sent to the intended recipient.

Our secure email service turns regular email into secure electronic communication. It is convenient, integrating with existing email solutions, and makes regular email compliant with GDPR.

With schools holding large amounts of sensitive and personal data, independent school fees attracting cyber criminals, and the imminent arrival of GDPR, it is essential schools invest in their digital security to protect themselves, their students and parents.

For advice and support with protecting your organisation from cyber security threats, contact us on 0844 586 0040 or email intouch@digitalpathways.co.uk.






GDPR: Is Your Law Firm in the 75%?

In November 2017, it was reported that 75% of UK law firms aren’t ready for the General Data Protection Regulation (GDPR). With less than three months to go until the compliance deadline of 25th May 2018, it is more important than ever for law firms to be prepared.

The legal sector is already highly regulated, with firms needing to comply with money laundering obligations, for instance. However, we have encountered some firms who believe this degree of regulation means they will already comply with GDPR. This isn’t true. Compliance with GDPR requires its own preparation, auditing, and changes to systems and policies surrounding the processing and storing of personal data.

GDPR places greater responsibility on organisations to review third party agreements for compliance too. Depending on your current processes and use of third parties, this could take significant time and resource.

As a firm, you must decide if you need to appoint a Data Protection Officer, based on criteria specified in the incoming legislation, as well as reviewing (or in some cases, implementing) your data protection policy, data breach notification procedure, subject access request forms and procedures, data protection impact assessments, and consent forms.

If you aren’t sure where to begin, the Law Society is collating guidance and support to help law firms prepare for GDPR.

Cybersecurity remains as important under GDPR as it is under the current data protection framework. The legal sector is an especially attractive target for cybercriminals seeking the sensitive data and significant funds held by law firms. Alarmingly, 62% of law firms reportedly suffered a cybersecurity incident last year.

Here are three ways you can protect your law firm from cybersecurity attacks:

Cyber training for staff

Every member of your firm is responsible for protecting your data. This is why it is essential to educate your staff through cybersecurity training. From spotting attempted social engineering attacks, to understanding the risk posed in finding an unidentified USB, being able to identify risks and threats could prevent a successful attack against your firm.

Secure email

Standard email is not a secure option for law firms. Unencrypted emails travel through servers located all over the world. Anyone who intercepts these communications will have access to the information being sent.

Law firms are especially likely to send emails containing sensitive information. Secure email is essential for the legal sector, and has come a very long way, offering both security and convenience. Our trusted partner, Regify, provides an encrypted email service that protects messages from unauthorised access and renders e-mail trusted and binding, making ordinary email compliant with GDPR.

Secure file sharing

The legal sector relies on document sharing. A secure file sharing system will protect your important documents and the sensitive data you hold. Cloud services such as Dropbox and OneDrive do not encrypt your documents, leaving you vulnerable to an attack on the cloud storage provider or access requests by government authorities. Through our partnership with Regify, we also offer a secure file sharing solution. Utilising end-to-end encryption and anonymised key management via a trusted third party, all data is securely stored within the UK.

Would you like to discuss GDPR or cybersecurity for your law firm? We’d be happy to help. Contact us on 0844 586 0040 or email intouch@digitalpathways.co.uk.




Client Data: Is Your Law Firm the Weakest Point in the Cyber Security Chain?

During 2016, 73 out of 100 top UK law firms were targeted by hackers. Meanwhile, many smaller firms mistakenly believe they are too small or niche to attract the interest of cybercriminals. As a law firm, the information you store and process is highly valuable. By aggressively targeting law firms, hackers seek to steal sensitive information, such as commercial secrets, intellectual property, personal information, mergers and acquisitions, and market strategies. This is why you are and will continue to be the target of cyber-attacks.

Unfortunately, several high-profile breaches indicate that the legal sector has a cyber-security problem. This is something cybercriminals are acutely aware of and seek to exploit. The issue is global, affecting firms all over the world. The revelation of the Panama Papers, for instance, was the result of a single cyberattack against Mossack Fonseca, a small Panamanian law firm. It is the largest data breach in history.


Internet of Things: Balancing Benefits and Risks in the Workplace

A recent survey of over 1000 buyers of IT across Europe and North America showed that 29% of companies have already embraced IoT, with an additional 19% planning to adopt IoT within their organisation over the next year. By the end of 2018, these figures suggest IoT will be adopted by nearly half of all businesses.

The benefits of IoT are already being seen in the home, with smart thermostats and smart speakers becoming commonplace over the last year.

Naturally, IoT brings infinite potential and possibilities for businesses, with everyday devices able to connect, monitor, and transfer large amounts of data between each other.


Will we be haunted by Spectre and Meltdown for decades to come?

Fundamental vulnerabilities in modern devices: Will we be haunted by Spectre and Meltdown for decades to come?

2018 began with the alarming news that nearly every computer chip manufactured in the last 20 years contains basic security flaws. These flaws have been collectively named Spectre and Meltdown, and were discovered by security analysts at Google.

In contrast to malware and viruses, which affect software, these vulnerabilities are inbuilt into the hardware. The scale of the risk is unprecedented, as the flaws are not unique to one type of chipmaker or device. Instead, billions of devices, from desktop PCs to tablets and smartphones, are vulnerable.


Could a Data Breach be the End for Your Business?

Building a business is hard work. To lose it all as a result of a data breach would be devastating.

Unfortunately, we recently learned of an SME who found themselves in this situation. Facing the threat of legal prosecution following a data breach, the company had no other option than to close its doors for good.

With the new and extensive EU General Data Protection Regulation (GDPR) coming into force in May 2018, there is a real risk we could see more smaller companies folding, unable to face the litigation and fines following a breach.

What is at stake?

On 25th May 2018, GDPR will replace the current Data Protection Act in the UK. These new regulations have been designed to give individuals greater control over what happens to their personal data when in the hands of organisations or businesses.

All businesses and organisations that store, manage, or process the personal data of EU citizens will be expected to comply with the new legislation.

Under GDPR, businesses will be more accountable for personal data breaches and data loss. Failing to understand your responsibilities could see your company facing a fine of up to 4% of your global, annual turnover, or €20,000,000, whichever is greater.

For SMEs, the ‘whichever is greater’ element of the new rules is the key phrase. It is easy to see how a smaller organisation would be unable to face this level of financial penalty, leaving them more vulnerable to collapse following a breach, than larger companies who might be more able to weather the impact of a fine.

Alarmingly, the Zurich SME Risk Index has suggested that many of the UK’s SMEs may be non-compliant on the GDPR implementation deadline. This isn’t a risk businesses can afford to take.

What can you do?

With less than 2 months left to prepare for GDPR, there is no time to waste. If you don’t fully understand the issue, finding out how the new regulations will work or what it will mean for your business and industry should be your first priority.

It is likely you will need to update your IT and privacy policies to ensure you are compliant. It is also vital that you communicate the new regulations and any changes to your policies to your staff.

If you don’t have the time to fully investigate and prepare, the best option is to work with an experienced cybersecurity company with a thorough understanding of GDPR.

At Digital Pathways, we have the expertise to audit your current systems and identify which elements are already in line with GDPR and what needs to change. We can ensure your company is compliant and ready for these new digital security regulations.

Don’t let a data breach be the end for your business. Contact us today on 0844 586 0040 or email intouch@digitalpathways.co.uk