Business Continuity in Uncertain Times

Coronavirus – How can we help?

Covid-19 is in the news throughout the day, social media alerts on every platform. We are now officially in ‘Lockdown’ and we need to make sure as many of our employees can work from home, safely & securely.

How can we help your business continuity in uncertain times?

As a remote worker myself; I know of the many benefits this can bring but also know that you need to make sure that you have the right security parameters in place to make working from home as seamless and secure as possible.

If your business does not currently have facilities to offer home working to your staff, Digital Pathways are offering a FREE service to identify and scope out what would be required to facilitate remote working, as well as for those businesses that are looking to expand their current set up to add additional homeworkers to an already existing solution.

Please be aware!!!

We are hearing of increased threats and cyber-attacks taking place with regard to email phishing, scam emails and hackers utilising weak security defences on unsecured networks as more and more people are working from home.

One particular email supposedly coming from Public Health England offering a free hand sanitiser if you click the link.

Please DO NOT click links unless you can confirm it is from a reliable source, check this by hovering over the email sender.

More information and guidelines are available here in our recent blog on email scams.

How we can help

If your organisation already has the facilities for remote working, we can help with:-

If your organisation is looking at a remote working environment for your staff and don’t know where to start

We can help

  • With a scoping exercise to identify what would be needed to facilitate secure remote access and home working
  • With identifying any additional equipment or hardware that might be needed
  • With email protection
  • With endpoint protection
  • With security monitoring
  • With staff online training for working from home

We also have a range of Managed Security Services for businesses that do not have any internal security resource.

During this time of uncertainty and concerns we are offering a FREE scoping exercise to all businesses in need of assistance in preparation, planning and projects to enable remote working environments.

If you have any concerns about remote working or need any advice or recommendations on working from home securely or are looking to put in place the facilities for your teams to be able to work from home securely and efficiently, please do not hesitate to get in touch either call 0844 586 0040 or email [email protected]. We are here to help in these uncertain times.

 

 

secure email image

Email Scams & Email Security

Email Scams

I received a phone call today from a gentleman (who shall remain anonymous) regarding email scams and concerns with regard to email security, stating that he had received a threatening email claiming “to have set up malware on an adult web site that was recording the gentleman through his webcam”. The email was received on his work email address and he was obviously embarrassed at the content and concerned; even though he hadn’t been watching/viewing adult websites; he was embarrassed to mention it to his IT department (as he didn’t think they would believe his innocence). He had remembered reading an article recently by Digital Pathways, where we had alerted people to this scam. He had called for advice and I guess some reassurance. Here are the links to the articles in EssexLive, Daily Mail & The Mirror

These scams are malicious and can have a devastating effect. Our previous articles state that there have been instances whereby people have committed suicide as a result of these horrible threats and perfectly stable relationships have broken down.

It is thought that around £30 Million per year could be made from threatening innocent people. If you pay the demand you will undoubtedly receive more unsubstantiated threats and demands for payment.

Our recommendation is to ‘delete’ the email. If you feel comfortable doing so, then report it to your IT department, they can then decide if they want to investigate further and put the necessary defences in place to block future emails from the sender.

“DO NOT PAY THE DEMAND”

This leads me to email security in general; and some basic recommendations on how to stay safe.

  1. Learn to recognise fake emails and websites (see a more detailed description on how to do this below)
  2. Recognise incorrect URL’s
  3. Do not use unsecured websites (Look out for the padlock symbol in the URL bar)

Recognising malicious and fake emails.

  1. Firstly, check the email address of where the email is coming from. Email scammers can use extremely clever ways to make it look like the email is coming from a legitimate sender by creating similar looking email addresses or by masking the email sender under a legitimate address. The simplest way to check this is by hovering over the email sender. Does the address match the genuine address? The spoof email addresses are usually quite unusual underneath.
  2. Recognising incorrect URL’s – the links in spoof emails usually don’t match the genuine URL’s of legitimate websites, again these can be checked by hovering over the link. If you are unsure DO NOT CLICK ON THE LINK!
  3. Genuine websites will have the padlock symbol, especially if they are from well-known brands or official sites; like Banks & Government web sites.

2 out of 3 Phishing attempts use malicious links and over half contain malware. Please be vigilant. If you are unsure please contact the official company/contact direct.

Companies can and should invest in a security solution that can identify an attack and stop it before it reaches your inbox. For more information on Email Security and you can check out some of your other options here.

internet connected devices

New Year, New Gadget?

Given a security camera or voice-activated device this Christmas?  Here’s what you need to know!

The ultimate Christmas present and just what you always wanted, a voice-activated device to cater to your every command and a security camera tool to help keep you, your family or your business safe.

Hoorah!

You’ve set them up and are enjoying making use of their many benefits.

If you work from home or are using your new connected device in a corporate environment, please be aware.

Do you know who else is using them too? 

No, not other members of your family, not even friends. Total strangers, hackers, yes, hackers!

There have been several reported incidents recently, mainly in the USA, where hackers have gained access to these devices and have been able to monitor activity within the home and even to speak directly to children in their own bedrooms. Very scary stuff indeed.

Such devices are often not designed with security as a key feature as it is not as sexy as having a high-resolution camera or massive storage capabilities. Also, a low price point, when it comes to sales, means features are removed and sadly, security is often one of those to go or to be reduced in scope or quality.

So, if you have been the recipient of such a device, here are some essential steps to take, in order to ensure the hackers don’t invite themselves into your home.

  1. Check your security settings. Any quality device will allow you to view the security options and make changes. Never leave a device at ‘factory settings’ as these are the starting point for any hacker attack.
  2. Look at the passwords you are using.  Passwords should be strong, that is to say that they should, ideally, be long, include upper and lower case letters, numerals and special characters.  Try to avoid personal information and do not fall into the trap of opting for your birthday or pets name!  Default passwords should be changed immediately.
  3. And, ensure that you regularly review and change your passwords.
  4. If you find it hard to think of suitable passwords or have difficulty in remembering them, try using a password manager such as LastPass. These services can generate strong passwords for you as well as storing them, where only you have access.
  5. Definitely establish two-factor authentication security, if an option. This process involves you not only entering a strong password but also a unique, one time used password, which is sent via text or a code and taken from your Smartphone.  This code is then used to establish your identity. These password generators are often free and are available from many companies such as Google and Microsoft.
  6. A voice-activated device will usually connect to your internal network to gain access to the worldwide web, so always check your router settings and ensure you have enabled strong passwords and encryption (you will see terms such as WEP in your settings for the encryption).
  7. Be aware of any device being activated in an unusual or unexpected manner. If you have not sent instructions for it to do something, it is possible that someone else did.
  8. Check your router’s activity log to see if any device is communicating out to the world wide web. This could indicate your device has been compromised and is sending out your personal data. Or, it could be being used along with thousands of other devices to be used to attack other web sites, as was the case with Spotify, Netflix, and PayPal, who were temporarily shut down due to such an attack.
  9. Switch off any features you don’t need on a device or router such as remote access. Many options appear as default settings. The less that are enabled, the smaller the attack footprint there will be.
  10. Change the device or router name so it does not identify the manufacturer or ISP, this makes it harder to identify from the outside. Also never use your surname or address as an identifier, this will expose your personal information which could be used against you

Words of wisdom from Colin Tankard, our Managing Director at Digital Pathways,

“These voice-activated devices have become commonplace in many of our homes and are a useful and helpful addition. However, we must consider their downsides too. Remember, many of these devices are driven by voice command and consequently, are also listening. There have been accusations of companies ‘listening’ in, storing data in order to send through tailored advertisements.”

“A voice-activated device and systems that monitor activity, such as CCTV, are good at alerting you to intruders but they are two-way and can be used by outsiders to watch you. So when installing these, consider not only all of the security steps above but also, where you locate them. If your device is compromised you might not want your bedroom or bathroom activities seen!

“Such technology is only likely to grow and evolve.  The onus of keeping safe must rest with us. Employ the simple password control strategy backed up with two-factor authentication and you are in a much safer space.”

Green question mark

What would a data breach do to your business?

Could a breach be the End for Your Business?

Building a business is hard work. To lose it all as a result of a data breach would be devastating.

Unfortunately, we recently learned of an SME who found themselves in this situation. Facing the threat of legal prosecution following a data breach, the company had no other option than to close its doors for good.

With the EU General Data Protection Regulations (GDPR) that came into force in May 2018, there is a real risk we could see more companies folding, unable to face the litigation and fines following a breach.

What’s at stake?

On 25th May 2018, GDPR replaced the Data Protection Act in the UK. The new regulations were designed to give individuals greater control over what happens to their personal data when in the hands of organisations or businesses.

All businesses and organisations that store, manage, or process the personal data of EU citizens will be expected to comply with the GDPR.

Under GDPR, businesses are more accountable for personal data breaches and data loss. Failing to understand your responsibilities could see your company facing a fine of up to 4% of your global, annual turnover, or €20,000,000, whichever is greater. What would a data breach do to your business?

For SMEs, the ‘whichever is greater’ element of these rules is the key phrase. It is easy to see how a smaller organisation would be unable to face this level of financial penalty, leaving them more vulnerable to collapse following a breach, than larger companies who might be more able to weather the impact of a fine.

Alarmingly, the Zurich SME Risk Index suggested that many of the UK’s SME may be non-compliant with regard to the GDPR. This isn’t a risk businesses can afford to take.

 What can you do?

 If you don’t fully understand the issue, finding out how the GDPR works or what it means for your business and industry should be your first priority.

It is likely you will need to update your IT and privacy policies to ensure you are compliant. It is also vital that you communicate the new regulations and any changes to your policies to your staff.

If you don’t have the time to fully investigate and prepare, the best option is to work with an experienced cybersecurity company with a thorough understanding of GDPR.

At Digital Pathways, we have the expertise to audit your current systems and identify which elements are in line with GDPR and what needs to change. We can ensure your company is compliant and ready for these digital security regulations.

Don’t let a data breach be the end for your business. Contact us today on 0844 586 0040 or email [email protected]

Single Pane Of Glass Security Platform Now Available

Cybercrime is an increasing threat to both business and the individual.  In fact, it is estimated at currently costing some £4billion per annum, a figure that will continue to grow.

As a result, there have been a plethora of defence solutions flooding the market place and this has caused its own difficulties, in that the cyber defence solutions environment now requires significant maintenance, relying on a limited skill pool.

On top of this, regular routine tasks like reconfiguration, additions, conversions and migrations have become increasingly time-consuming and expensive.

Subsequently, not only have costs have been rising but the defence environment has become hard to both manage and control.

Help Is Available

SIEM systems help, providing a way to manage, correlate and deliver context from the many alerts generated by normal and abnormal network activities. It is often bolstered by Security Orchestration, Automation and Response (SOAR), which leverages the power of automation to add consistency in operational security processes and can provide huge cost savings and efficiencies.

 A Universal Cyber Defence Platform

But now, Digital Pathways can offer a universal cyber defence management platform to meet these challenges.

The iCyber-Shield Platform can:

*   Reduce the cost of defence maintenance and management

*   Reduce the meantime to detect and react to threats by at least 70%

*   Give total one-stop management control of all cyber defence resources

*   Efficiently and economically manage change

*   Enable a platform for migration of devices and systems without downtime or risk

*   Allow best of breed choices

*   Control custom application and legacy devices

*   Facilitate the automation of many cyber defence tasks

*   Ensure compliance to regulation (PCI etc).

It provides the ability to view and manage all cyber defence resources through one ‘pane of glass’, as well as exercising control, which makes the execution of routine tasks such as reconfiguration, migration and extension virtually a ‘one-click’ operation.

It also introduces the capability of automation of routine processes and the possibility of AI guided defence management actions to improve threat detection and resistance.

Through ‘Playbooks’ we can enable the threat landscape faced by any organisation to be handled in a way that matches business dynamics on a day-to-day basis. For example, during peak times the drive to take off-line critical systems can be outweighed by business drivers. In these cases, an alternative approach to protection might be required, such as introducing a ‘honeypot’ to divert the attack, giving the organisation time to deal with the threat, whilst maintaining a level of business continuity.

 Gaining Control

The iCyber-Shield capability will enable enterprises to gain control and management of their cyber defence environment economically, and effectively, thus dramatically reducing the risk of damaging and expensive cyber attacks.

If you are looking for a single ‘pane of glass’ cyber defence solution, this could be the answer.

 

 

Managed Security Services

The benefits of using a managed security service

Most organisations understand the importance of keeping data secure, but the cost of doing so, on an on-going basis, can prove prohibitive, especially to medium to small businesses, where budget constraints and lack of in-house expertise are often areas of concern, so what are the benefits of using a managed security services?

What are organisations choosing?

Managed cloud providers can enable access to technology services in a cost-effective way, bypassing the need to perform functions in-house. But, these services can leave a company’s data exposed to theft, tampering or even seizure by law enforcement agencies, from many jurisdictions, exposing the data owner to large fines, bad press and possible business collapse.

Some businesses choose to use an encryption service offered by their service provider. However, this leaves them in a weak position as the encryption is tied to that service provider and can’t expand across multiple hosting companies.

A further concern is where encryption keys are stored.  If with the hosting company it means their staff could still view your data as they have the keys and if they are not UK based, data may be made available to, for example, government agencies, especially relevant if the storage company is US-based since the Patriot Act came into force.

And, whilst the best way to protect data is by encryption, which renders it unreadable to unauthorised people, it is vital that the data can be monitored, reporting on who, or what is accessing the data and when.  This is a service that many cloud hosting services do not provide.

Simply going with one provider and not thinking of the wider consequences is leading many businesses down a false path of confidence, taking a ‘head in the sand’ stance, thinking data loss just won’t happen to them whist with a big hosting provider.

 The solution: managed security services

But, there is a solution and it is the use of a managed security service.  Such a service offers functionality that can smooth out many of the problems involved with managing data security systems. It can control on-going budgetary pressures and separate the duties between cloud service providers, data owners and data protection.

Digital Pathways managed security service

The Digital Pathways Managed Security Service uses the nCrypt solution that can handle the full range of encryption needs, both for data in transit and at rest, including full-data encryption of any server and it is transparent to the application or data structure (i.e. databases). This means that encryption and key management are provided as a unified service across all platforms.

Security server appliances are located in a protected UK based Network Operations Centre (NOC). All encryption keys and security policies are stored. The encryption is enforced at the point of data access whether that is in the cloud or within clients’ premises. It provides separation of duty between security policy and data access.

Once deployed the system provides extensive auditing of all access to data, both authorised and unauthorised, which can then be used to report to management on system activities, compliance reporting, such as GDPR and PCI or data breaches where detailed analysis is required across multiple systems, to identify any weakness or rogue activity.

Reports are generated in an easy to understand format and are emailed to designated contacts on an agreed schedule. All logs gathered, applications or proprietary systems, are stored securely in their raw format to meet auditing requirements. They are also available for use in wider reporting and management, internal audits or as evidence during an investigation.

The Digital Pathways Managed Security Service takes away the ‘pain points’, including interoperability, associated with deploying a robust data protection and auditing system. It provides organisations with reduced costs in terms of encryption deployment, maintenance and management and offers more effective controls through the provision of centralised monitoring, logging and reporting capabilities.

Using a managed security service can ensure that your digital assets remain secure, keeping your company compliant.

Every organisation can benefit from added protection. call us on 0844 586 0040, or email [email protected] and we’ll be happy to advise you.

Artificial Intelligence, Friend or foe?

AI, Friend or Foe?

Artificial Intelligence (AI) and Machine Learning (ML) in Cybersecurity

The buzzwords, Artificial Intelligence (AI) and Machine Learning (ML) are often interchanged. However, they are not the same thing, which can lead to confusion.

What is Machine Learning?

Machine Learning is a type of Artificial Intelligence (AI) that allows software applications to become more accurate in predicting outcomes, without being explicitly programmed.

What is Artificial Intelligence?

Artificial Intelligence (AI) is the process of simulating human intelligence, using machines, especially computer systems. The process includes learning (the acquisition of information and rules for using the information), reasoning (using the rules to reach approximate or definite conclusions) and self-correction.

AI is already used in many circumstances including in our buildings. For example, to control the environmental needs of people working within an office where, by monitoring of the volume of people in any area, AI can control whether or not the air-conditioning should be switched on or, if the lowering of shades or the opening of windows, will suffice.

And, AI will continue to expand into our daily business and personal lives.

Can Artificial Intelligence (AI) programmes ‘go rogue’?

But, although the benefits look good, there is a fear that such AI programmes could ‘go rogue’ and turn on us or, be hacked by other AI programmes.

Hackers love Artificial Intelligence (AI) and Machine Learning (ML) as much as everyone else in the technology space and are increasingly using it to improve their phishing attacks. The need for innovative and robust data security therefore becomes even more important.

Imagine a hacker taking over a building’s security system by accessing the system’s intelligence and having all key personnel move to one room, under the auspice of a ‘gunman threat’. Once the key people are in the room, through the AI’s skill in facial identification, it is locked by the system and ransom threats sent to all the computer screens in the building, using Ransomware tactics, to make people react quickly i.e. ‘the ticking count down clock’.

Although AI looks good, many of our current systems are not so ‘smart’ and use old technology. Simply bolting on AI will not give the perceived benefits, as it will be held back by the lack of integration. Given the high cost of system replacement, such as Heating Ventilation Air Conditioning (HVAC), it will be sometime before there are the platforms available to exploit the benefits of AI.

The GDPR and Artifical Intelligence (AI) Conundrum

The General Data Protection Regulation (GDPR )poses another conundrum. Will it be permissible to A let a user give an application permission to make automated decisions on their behalf, such as recommendation systems? These were first implemented in music content sites but now extend to many different industries.

For example, the AI system may learn of a user’s content preferences and push content that fits those criteria. This can help companies reduce bounce rate, by keeping the user interested. Likewise, you can use the information learned by your AI to craft better-targeted content to users with similar interests.

However, GDPR will see the AI application as holding User Personally Identifiable Information (PII), which might include age, gender and location, to present the information it has learnt from one user to others, with similar profiles. The GDPR requires that the data be secure and used appropriately. But, with the AI program constantly learning and sampling data, this becomes a problem.

And, if a user does give permission for their data to be modelled, will it be accompanied by a comprehensible explanation of how the AI makes decisions and how these decisions may impact that user? This would be very difficult to achieve as GDPR calls for ‘clear language’ and AI code learning is far from easy to explain.

From a technical perspective, the level of granularity GDPR requires, in explaining automated decisions, is unclear. Until the picture is clarified, some innovators may choose to forge ahead with super algorithms. Others, worryingly, may ban European citizens from using some highly valuable functionality.

Three laws of robotics

When thinking about automating important decisions and giving high-stake autonomy to AI machines, particular attention should be given to constraining their behaviour by defining what is desired, what is acceptable and what is not acceptable. This is what the Three Laws of Robotics of the science-fiction writer, Isaac Asimov, say:

1. A robot may not injure a human being or, through inaction, allow a human being to come to harm
2. A robot must obey the orders given by human beings, except where such orders would conflict with the First Law
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.

The need for human intervention

AI power will need to be controlled and the three Laws of Robots need to be the mantra for AI programs. It should be mandated in all code that the AI programs should ask for human intervention when unusual situations are detected, or when the computed uncertainty in predictions/decisions, is above a certain threshold. This may go against the vision of AI, but until we can have total trust in the underlying code being used to develop it, we must show caution. Remember, humans, are still writing the code and can make mistakes or, more worryingly, add code that will allow for future control of the AI, for malicious means.

It is almost impossible to say how an organisation can have trust in any AI unless they have access to the source code and the ability, or contacts, to read and debug it. As AI is introduced it will fall on the facilities teams to question what level of code review has been undertaken within the AI module. This might be possible if the designer of the AI is a large vendor who can show in-depth test results and other customer implementations but, most AI vendors leading the technology revolution are small and do not have the client base, or the volume, of test data.

At this point, a difficult decision needs to be taken by management as to how far they ‘dip their toe’ into AI. A bit like autonomous cars, they do work but governments are still wary of allowing legislation to be brought in, to allow the technology.

AI is with us and will increasingly be integrated into our lives. Whilst the potential benefits are far-reaching, making lives better, the environment cleaner and providing efficiency to our personal and business lives, we must be aware of the possible threats it can create and take the appropriate action from the very beginning.

Need advice on Artificial Intelligence and Machine Learning? 

Every organisation can benefit from added protection if you have concerns with regard to Artifical Intelligence and Machine Learning give us a call on 0844 586 0040, or email [email protected], and we’ll be happy to advise you.

Cyber Ess Plus logo

Why do Businesses need the Cyber Essentials Programme?

The government’s Cyber Essentials Programme was developed in collaboration with industry and is intended to help businesses mitigate common, online threats.

Operated by the National Cyber Security Centre (NCSC), it was launched in 2014 and has become a key element of excellence for cybersecurity, in all its forms.

Helping build robust data security strategies 

Applicable to all sizes of organisations, from small to large, it offers help to those seeking to implement a robust data security strategy in order to protect both themselves and their clients.

It does this by encouraging organisations to adopt good practice in information security and includes a simple set of security controls to protect information from threats coming from the Internet.

Most cyber attacks are basic in form and are often implemented by unskilled individuals.  The controls, suggested by the Cyber Essentials platform, are designed to prevent such attacks.

Cyber Essentials formats

Cyber Essentials comes in two formats:

  1. Cyber essentials – a self-assessment application that addresses basic threats and helps to prevent the most common attacks.
  2. Cyber Essentials Plus – this is the same as for Cyber Essentials but rather than being self-assessed it instead, requires verification of cybersecurity, carried out independently by a Certification Body.  This is a more rigorous form of certification, better at demonstrating to potential customers that your data security position is good and tested.

Offering a sound foundation of basic hygiene elements that all types of businesses can implement and potentially build upon. The government believes that implementing these measures can significantly reduce an organisation’s vulnerability. However, it does not offer a silver bullet to remove all cybersecurity risk; for example, it is not designed to address more advanced, targeted attacks and hence, organisations facing these threats will need to implement additional measures as part of their security strategy. What it can do is to define a focused set of controls which will provide cost-effective, basic cybersecurity for organisations of all sizes.

The Assurance Framework for Cyber Essentials

The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus Certificates, has been designed in consultation with SMEs to be light of touch and achievable at low cost. The two options give a choice over the level of assurance given, as well as the cost of doing so. It is important to recognise that certification only provides a snapshot of cybersecurity practices at the time of assessment.  Maintaining a robust cybersecurity stance requires additional measures, such as a sound risk management approach as well as on-going updates to the Cyber Essentials control themes, i.e. patching. But, the scheme does offer the right balance between providing an additional commitment to implementing cyber security to third parties, while retaining a simple and low-cost mechanism for doing so.

Delivering many benefits

For businesses who are willing to adopt these measures, the benefits can be many, including: the ability to tender for contracts that require a Cyber Essentials Certified supplier, enhanced customer trust and confidence, the provision of market differentiation and competitive advantage, protection of company assets and IP, the mitigation of common cyber threats and reduced insurance premiums.

The General Data Protection Regulations (GDPR) 

And, becoming accredited helps to meet the requirements of GDPR. For example, GDPR talks about controlling who has access to data and understanding where PII data is held. Cyber Essentials covers this and therefore, is able to provide evidence for your GDPR statements/policies, that as an organisation, you have considered these areas and have had the controls verified by an independent assessor.

Businesses now live with the spectre of cyber attacks as the norm. Adopting the Cyber Essentials Platform is one way of taking control and starting the process of fighting back.

Every organisation can benefit from added protection. Give us a call on 0844 586 0040, or email [email protected], and we’ll be happy to advise you.

 

Man in hoody

Coming to terms with a ‘man in the middle attack’

The term a ‘man in the middle attack’ is becoming well known as more instances of them take place.

What is a ‘Man in the middle attack’?

What exactly does ‘man in the middle attack’ mean?  It is when a cyber-criminal secretly intercepts and possibly alters communication between two parties, who both believe they are directly communicating with each other.

A common example is where the cyber-criminal uses bogus emails to trick solicitors into issuing the proceeds of a house sale, to their own bank account, rather than the bona fide person.

Another example, is where an Internet connection is intercepted, often by a user not checking that they are using a valid Wi-Fi. The hacker uses a device to emulate the valid Wi-Fi in, say, a hotel and the unsuspecting victim connects to this. The hacker allows them to browse as normal until the victim goes to a site of interest, such as a bank account. Then the hacker will allow the user to log on to their account but will break the connection to the victim keeping the link to the bank open. The victim thinks the connection was lost due to the hotels’ poor Wi-Fi but the hacker continues to empty the victim’s bank account.

These kinds of attacks highlight weaknesses in an organisation’s data security strategy. Either the business has been hacked with malware, which allows the monitoring of systems, it may be due to an insider attack, where someone with internal system access is selling information to third parties, or simply poor user education or monitoring.

Data protection rackets

Increasingly today, incidents of data protection rackets, where malware is embedded and cunningly hidden, are being reported.  These attacks are designed to be undetected by the organisation and the data held by the organisation scanned. The objective is, that when valuable data is found or a file changed, such as an intellectual property modification, the content is sent to the hacker who can then sell on the information to competitors. Another data mine is where an organisation is bidding for a large contract and the hacker gains access to the proposal and sells it to other competitor bidders, so they can undercut. Over time the hacker might make the organisation aware of its activities and use this, just like the old fashioned protection rackets during the prohibition era, demanding money not to send out information.

And, a ‘man in the middle attack’ is not confined to email correspondence. It could also include voice communications, as most telephone systems use VOIP (Voice Over Internet Protocol).

Systems must be strengthened

Steps must be taken to strengthen systems against such attacks. Strong internal controls and audit procedures are needed in order to stop malware infiltrating systems in the first place, taking over the network.

Adopting advanced threat protection is vital as it stops bad processes starting, instantly blocking malware attacks. It can signal any unusual behaviour of staff and systems i.e. showing when an application is sending out data when it should not.

And of course, robust internal controls and checks should be employed when using support companies as well as the checking of system logs and user access, to understand who is touching the data, ensuring that access to it is normal. Anything odd should raise a flag.

Emails should be secure, especially if personally identifiable information is being sent and use clarification techniques, such as send and receive reports. These should not be under the control of the receiver, such as in Outlook, where a receiver can block read receipts.

Adopting Cyber Essentials Plus

The Cyber Essentials Plus Certification can offer solutions too. A government information assurance scheme, operated by the National Cyber Security Centre (NCSC), launched in 2014 and has become a key element of excellence for cybersecurity, in all its forms.

It does this by encouraging organisations to adopt good practice in information security and includes a simple set of security controls to protect information from threats coming from the Internet.

The Cyber Essentials Plus Certification requires verification of cybersecurity, carried out independently by a Certification Body, a more rigorous form of certification.

Joining up to the scheme can ensure that systems are regularly assessed and weaknesses dealt with so as to stop any security breaches, not just ‘man in the middle’.

Every organisation can benefit from added protection.

Give us a call on 0844 586 0040, or email [email protected], and we’ll be happy to advise you.

 

cyber security image

Fileless Attacks: How do you protect your organisation from a threat you can’t see?

Fileless Attacks: The Threat You Can’t See

Fileless attacks are on the rise. A study by the Ponemon Institute found that 29% of the attacks faced by organisations during 2017 were fileless. This number has been increasing year on year and is expected to reach 35% in 2018.

The reason for this increase is simple. Hackers know they stand a greater chance of succeeding with a fileless attack because they are more difficult to detect. Traditional anti-malware and anti-virus tools search for malicious software by scanning a computer’s hard drive. This has led cybercriminals to pursue attacks that avoid the hard drive altogether.

How do fileless attacks work?

To avoid the hard drive, hackers hide malicious code in memory instead, using authorised native programs and tools within the operating system to attack by stealth.

This is how an attack against your organisation could occur:

  1. An employee receives a spam email with a link to a malicious website.
  2. The employee clicks on the link.
  3. The malicious website loads an authorised program, such as Flash, on the employee’s computer and exploits its known vulnerabilities.
  4. The program then opens Windows PowerShell, a native Windows tool, which is able to execute instructions through the command line while operating in memory.
  5. PowerShell downloads and runs a malicious script.
  6. The PowerShell script locates data on the employee’s computer and sends it to the attacker.

Using authorised applications already installed on the target’s computer is more discrete than placing a file on the user’s computer. The hacker can undertake the same types of attack as they otherwise could, such as ransomware attacks for example, but is far less likely to be noticed. This is why it is essential to swiftly patch and update your operating systems and software applications.

Although not truly a ‘fileless’ attack, the same attack could occur if an employee opens a Word or PDF document sent from a malicious source. With a Word document, for instance, the attack will use a Microsoft Office macro to launch PowerShell and run the hacker’s script. Programmes such as Adobe PDF Reader and Javascript all have known vulnerabilities which hackers seek to use to their advantage.

Fileless attacks will continue to rise until organisations become effective at identifying and defending themselves from this type of attack. Cybersecurity tools that learn and analyse patterns of behaviour are better placed to spot unusual activity on your networks, which could afford some protection against fileless attacks.

Cybersecurity Training

However, relying on cybersecurity tools alone is not enough. Training staff to recognise fraudulent and spam emails also needs to be a crucial element of your cybersecurity strategy. Spam emails are becoming less obvious to spot, often looking near identical to emails from a legitimate source. The few seconds it takes an employee to check the sender’s email address is accurate could be the difference between a successful and unsuccessful attack against your company.

As new modes of threat emerge, organisations must rethink the ways they protect themselves, and analyse the cybersecurity tools they use.

If you have concerns about your cybersecurity, give us a call on 0844 586 0040 or email:[email protected].

We’re here to help.