Recent Hacks Highlight Need For Intelligence Threat Detection

The recent cyber-attacks on both British Airways and Stena Line highlight the growing need for any entity that stores sensitive information to install intelligence threat detection software, in order to try to avert hackers before they cause damage.

British Airways saw some 380,000 passengers’ card details accessed, whilst Stena Line had 800 of its staff’s bank accounts and personal details taken.

In the case of Stena, it appears that hackers gained access via ‘phishing’ emails, whilst there is concern that British Airways’ Payment Card Industry (PCI) compliance may not have been robust enough. As a result of the attacks, both could face major fines under the GDPR, should they be seen to have not had sufficient data security in place.

“There is no doubt that cyber-attacks are going to increase and become more and more sophisticated”, says Colin Tankard, Managing Director of data security company Digital Pathways.

“Because of this, installing robust intelligence threat detection software becomes a ‘no brainer’”.

Advanced threat detection (ATD) goes beyond basic security analysis. It works at a deeper level in order to fix vulnerabilities and help prevent cyber threats before they take hold.

In traditional anti-virus software, known ‘signatures’ of malware, which could cause damage or leak out data, are the focus. Such systems recognise the program and stop it, putting it into quarantine. However, modern threats tend not to have a signature and do not look like a program, and so go undetected by anti-virus.

Even odd data movement can be disguised by these programs, making it look legitimate. For example, the data flowing out could be seen as a normal batch process, being undertaken by a website, say, transferring user data over to a billing system.

Adds Tankard, “File-less attacks often go undetected. It is vital, therefore, to have a system in place that can instantly recognise the threat once it is revealed and is able to take the necessary action to stop it. Otherwise, the data will be gone before anyone knows about it”.

Read the full article in Global Security Magazine here

Hackers steal details of 380,000 BA Customers

EXCLUSIVE: As hackers steal details of 380,000 BA customers, we are given unique access to the agents fighting masterminds of financial crime

The recent data breach at British Airways saw hackers steal the financial details of 380,000 customers.

It is the latest in a maelstrom of cyber attacks that are spreading computer viruses and installing malware to plunder bank accounts and make ransom demands.

The Mail on Sunday gained exclusive access to the secret service’s National Cyber Security Centre to discover more about this growing dark web threat.

These days James Bond requires more than just a poison dart-firing fountain pen or an Aston Martin with revolving number plates. He also needs the skills of an IT expert.

While the secret agent may be a fictional character, his evil nemesis Spectre is becoming a reality. Led by super-villain Blofeld – portrayed by cat-stroking actor Donald Pleasence in You Only Live Twice – Spectre stands for Special Executive for Counter Intelligence, Terrorism, Revenge and Extortion. The shadowy organisation could also be used as a 21st Century description for the dark web.

To combat this growing threat of cyber terrorism, the National Cyber Security Centre was set up two years ago as a new arm of the Government’s intelligence service that includes the Security Service (MI5) and Secret Intelligence Service (MI6).

Controlled by the Government Communications Headquarters (GCHQ), which cracked the German Enigma codes in World War Two, it is housed in a grand office block close to the Secret Intelligence Service headquarters in Millbank, Central London.

Its cyber security technical director is Dr Ian Levy, who invited The Mail on Sunday into his lair to learn how its secret technology is defending us from an avalanche of cyber attacks.

Welcomed by half a dozen sharply dressed security guards in the foyer, we are ushered through two security level checks requiring separate colour code passes. A guide taps digits into the wall as we walk through bank vault-style doors to an open plan office.

There is no sign of Daniel Craig sitting at a desk doing his expenses and outside M’s meeting room Miss Moneypenny appears to have gone to lunch. Even the hat stand in the corner is missing.

The intelligence service has gone smart-casual. Dr Levy arrives sporting a trendy Ted Baker jacket, two-tone brown brogues and blue jeans.

He says: ‘There is a common misconception that cyber security is all spooks on the trail of hackers in hoodies. The reality is that cyber security is something we need to be open about. We use our technical expertise and knowledge to block an average of 4.5 million malicious emails a month that would otherwise reach computer users.’

A dedicated army of computer boffins housed within the top-security building works around the clock to keep up this cyber ring of steel for the nation.

Staying one step ahead of the hackers is a constant challenge and requires the best IT brains in Britain to develop new software to block the fraudster attacks. The moment a new phishing website targets our shores, an ‘active cyber defence’ unit pounces – blocking the criminal in an hour.

Some 80,000 cyber attacks were thwarted last year – including 590 ‘significant instances’ that might have led to widespread computer virus infections and ransomware stealing our personal data. The centre also provides online security advice to up to 100,000 computer users a month.

The Secret Service’s behind-the-scenes work has been funded with a £1.9 billion cash injection from the Government. It is not only stopping millions of unwanted emails getting through but the centre’s work is also helping to crack down on copycat websites and block 120,000 spoof ‘@gov.uk’ addresses.

Foreign government hackers – from Russia, China and North Korea – are also regularly intercepted from the tell-tale way their software codes are written.

Levy says: ‘Our job is to make Britain an unattractive target for cyber criminals, but we are not a regulator. We are here to offer real support. There is no need to panic but we must all take cyber security seriously. As a computer user you should not only always back up data but consider using security software and password managers that store complex password codes on your behalf.’

The National Cyber Security Centre offers advice to combat fraud at ncsc.gov.uk. It also supports businesses wanting to improve their cyber security. Last year, it worked with the National Health Service when WannaCry ransomware hacked into the computers of 47 trusts.

Fight email ‘phishing’ fraudsters

About 17 million victims in Britain were swindled out of a total of £4.6 billion last year as a result of cyber fraud, according to the software security firm Norton.

One of the most common methods employed by criminals to steal our money was by getting computer users to reveal key personal banking information through the sending of bogus emails.

Known as ‘phishing fraud’, the sender often pretends to be someone official to gain trust, perhaps posing as a bank official or tax inspector. There is usually a sense of urgency involved, such as a claim that someone else is emptying your bank account, thereby panicking you into taking rash action.

The best response is to stay calm and not reply. Often just checking the details of the email address from which the message was sent is enough to send alarm bells ringing. Spelling mistakes are rife because the senders are often based overseas.

Phone the company the email sender claims to be representing to check if they are real. A bank will never ask you to share your personal details with them or with anyone else.

Colin Tankard, of Harlow-based data security company Digital Pathways, says: ‘Look at whether the email address tallies with whom it claims to be from. Small spelling mistakes are a tell-tale sign something is up.

‘You might also do a search of an email address on Google to see if it is flagged up as a security risk.’

It is not just bogus emails that can trick you into revealing key personal information.

Also keep an eagle eye out for copycat websites. Accommodation websites, passport assistance and tax support services can look the real thing until you study the email’s suffix. For example, ‘co.uk’ is normally an indication of an official website. But ‘co.com’ could well suggest the website is a copycat, hoping to trick you into paying for services free from official websites.

Website ActionFraud offers advice to victims but you must first contact your bank and the police.

Read the full article in Mail on Sunday here

Smart cities and GDPR: What’s next?

GDPR came into force in May this year. Now what?

Colin Tankard from Digital Pathways takes a look.

So, the General Data Protection Regulation (GDPR) has been introduced and city leaders are happy, knowing their IT people have instigated the right policy statements and that they have adhered to the regulations. But just how happy should they be?

What happens, for example, when someone submits a Subject Access Request (SAR)? The policy may be there, but are the systems in place to locate the data required to respond to an SAR, and has it been properly secured in the first place?

While much of the GDPR is about process, some elements can only be enabled and made manageable or cost-effective with technology. The challenge for city leaders, therefore, is to ensure that systems are in place that will find the data and protect it – not only from potential data breaches but also from incorrect handling by individuals.

GDPR provides citizens with the right to access, rectify, erase or restrict their personal data. Search is core to any technology implemented to support compliance with the regulation. Currently, many organisations will struggle to comply within the stipulated 30-day SAR window, and will breach the rules.

Smart buildings

There is a particular risk within smart buildings due to their multitude of different systems. These include scanning of documents such as passports and other forms of ID for the issuing of ID tags, etc.; CCTV and facial recognition, used to scan people in public areas; and legacy facilities management systems which log users’ activities within the building, such as movements or secure room access.

 

These systems use multiple file formats such as image, skin tone mapping or even proprietary file formats, especially on older systems. Therefore, scanning emails, Word or PDF documents and picture files – all of which could be in backup vaults as well, which is complex in itself – becomes a major task.

Read the full article in Smart Cities World here

 

Knowing What you Have: The Road to Effective Data Discovery

It’s hard to keep data secure when you’re not sure what information you have. While your databases might be neatly ordered and well understood, much of the information washing around in organisations is likely to be in the form of unstructured data – emails, PDFs, word processor and spreadsheet files and many other types in a wide variety of formats. In this interview, Colin Tankard, managing director of Digital Pathways, explains the security challenge posed by this ad hoc information and what you can do about it.

What’s the problem?

“It’s not just a problem of all those Office files on your laptop,” explains Tankard. “The things that people forget about are things like back-ups, the stuff you have in tape storage etc. How do you find all of it?”

As usual, says Tankard, the problem depends on the organisation and the nature of the data it’s handling.

“Obviously we have recently seen a lot of change coming around because of the General Data Protection Regulation (GDPR),” he says, “and people needing to find data to respond to, say, a subject access request – or they simply need to know where their sensitive data is.”

“The example I always use is to do with things like CVs. A CV comes into an organisation but it doesn’t just stay with HR – it gets sent to the hiring manager, who probably shares it with three or four colleagues. And then that CV stays there. Organisations are trying to find that sort of information and they have to search across laptops and desktops, then on file servers and in back-ups. It could be in emails. That’s what’s started a lot of this data discovery.”

GDPR has had a significant impact on pretty much every organisation, one way or another. But the need for data discovery started long before its arrival. There are many regulations out there – such as Payment Card Industry Security Standard (PCI-DSS) or the US Health Insurance Act (HIPAA) – that required organisations to know what data they have and where it is. And even those few that escape such regulatory oversight face simple business pressures that encourage them to get their data management in order. Storage costs money, not just in terms of disks or cloud space but also in management and other overheads.

Read the full article on page 15 in Network Security

Education & Training: The Downfall of File-less Attacks (AVT)

Whilst we are all aware of the file-less or zero-footprint attack, the growth in their use has been alarming. With regular anti-virus tools less likely to detect them, how can the ‘savvy’ CIO ward against them?

The answer lies squarely in the need for the education and training of employees, ensuring they fully understand exactly what an advanced volatile threat (AVT) is and what to do should one be suspected.

AVTs live in memory; they never touch the disk and can only steal information when the computer is running. The exposure ends when the user shuts down the machine.

From a technical point of view, the only way to deal with AVTs is with anomaly-based detection tools, which live on each individual computer/server. These tools look at all system activity, even down to keystroke patterns, and distinguish normal from abnormal behavior.

In the case of an AVT, detection is likely because it will probably open a service to enable an external connection. It is through this service that data is sent. Hence, the behavior would be deemed abnormal, detected and shut down.

The Business Continuity Institute’s (BCI) Cyber Resilience Report called for improved user education after revealing that nearly two thirds (64%) of global firms have experienced at least one cyber ‘disruption’ in the past year. The report comprised interviews with 734 respondents from 69 countries, showing that user education is a global issue.

Phishing and social engineering were found to be the primary cause of more than half (57%) of disruptions, highlighting the urgent need for improved user education.

Click here to read the full article in Info Security Magazine

GDPR Breach: Ready, Get-Set, Go!

So here we go, GDPR has been in force for just under two months and already two well-known brands have been caught in its net.

Luxury retailer Fortnum & Mason has detailed the loss of some 23,000 customer records, including the emails, telephone numbers and delivery addresses of customers who filled out a survey or took part in an online competition.

Fortnum had used Typeform, who specialise in creating such surveys, to organise these forms. It was Typeform who discovered that an unknown third party had gained access to its server and downloaded the data.

And Travelodge has announced that 180,000 personal details of its clients were taken, which included dates of birth, passport numbers and billing information.

As a result, and under the new GDPR regulations (disclosure within 72 hours of a breach), both companies have been forced to contact each person whose data has been lost, all of whom will need to change their details, such as passwords, and will need to monitor their personal credit rating closely, as well as any bank accounts and credit card statements, as there could be indications of ID fraud.

Colin Tankard, Managing Director of data security company Digital Pathways, suggests that this level of diligence can go on for a couple of years. Stolen data could be held for such a period until the ‘heat goes down’, with those affected forgetting about their details being taken; then the hackers strike.

“If both of these brands had encrypted their data, they would not need to contact each customer as, under GDPR, if the data is encrypted, it is only the Information Commissioner’s Office (ICO) who need to be advised, as the encryption protects the data from being read.

“Data discovery tools can locate any sensitive data which has been created and stored within a network, even in back-up tapes. And such tools make a subject access request simple, as the name of the requester is used for the search and any relevant data is tagged and its location identified.”

Click here to read the full article in Global Security Magazine

Implementing responsible AI from the start

Digital Pathways’ Colin Tankard looks at how we reap the rewards of AI while avoiding the risks.

Artificial intelligence (AI) and machine learning (ML) are two very hot buzzwords right now and often seem to be used interchangeably. They are not quite the same thing, but the perception that they are can sometimes lead to confusion.

Machine learning is a type of artificial intelligence (AI) that allows software applications to become more accurate in predicting outcomes, without being explicitly programmed.

AI is the process of simulating human intelligence, using machines, especially computer systems. The process includes learning (the acquisition of information and rules for using the information), reasoning (using the rules to reach approximate or definite conclusions) and self-correction.

In smart buildings, AI is already being used to control the environmental needs of the people working within the building. For example, monitoring the volume of people in any area and using this intelligence to decide if ‘air-con’ should be switched on or if the lowering of shades or opening of windows will suffice.

Another example is the controlling of the smart building environment outside of hours, by counting the number of people in the building, or noting when unusual events happen, and acting accordingly.

All of this, and more, is with us today and will continue to expand into our daily business and personal lives.

Data security

Although the benefits look good, there is a fear that such AI programs could ‘go rogue’ and turn on us, or be hacked by other AI programs. Hackers love artificial intelligence as much as everyone else in the technology space and are increasingly using AI to improve their phishing attacks. The need for innovative and robust data security therefore becomes even more important to the management of the smart building than it is at present.

Read the full article here in Smart Cities World

Tesla Feel The Heat Of An Insider Threat

Tesla, the luxury electric car maker, seems to have fallen foul of an insider threat episode, with Elon Musk warning that a disgruntled staff member had altered the company’s IT system code, harvesting highly sensitive information and giving it to others.

Traditionally, the term ‘Insider Threat’ does indeed evoke images of malicious employees lurking in the shadows of an office attempting to steal company secrets or bring down the system. The reality is that this form of ‘evil insider’ is infrequent at most companies, though clearly not Tesla, with instances of such threats occurring once in a ‘blue moon’. The real issue, and biggest risk to confidential data, is the negligent employee, more commonly categorised as the ‘Unintentional Insider Threat’.

It is common that when a cyber security professional attempts to speak with C-level management about mitigating and even preventing the Insider Threat, the feedback they receive is along the lines of, ‘everyone here is happy. We don’t have disgruntled employees, so we don’t have to worry about Insider Threat!’

Perhaps that is true. But if you ‘turn the conversation on its head’ and talk about the Insider Threat as unintentional threats – employees who make mistakes, inadvertently causing harm – executives listen.

A Verizon 2015 data breach investigation report showed that ‘Insiders’ are responsible for 90% of security incidents and, of these, 29% are deliberate and malicious whilst 71% are unintentional, with misuse of systems, log-in/log-out failures and cloud storage leading the way.

There is no doubt that organisations that understand, address and focus on minimising the damage from the Insider Threat are going to be the companies that win. And remember, even if your technologies are not obsolete, you will still need to augment your security protocols for Insider Threats and Unintentional Insider Threats.

Read the full article here in Global Security Magazine 

Streamlining data discovery

Understanding what unstructured data exists in the enterprise is not easy. Massive volumes of documents, spreadsheets, presentations and emails are typically scattered about an organisation.

With no real tools to manage it based on business value, it accumulates with no end in sight. The easy option is to buy more storage but that doesn’t fix the problem. Continue and you have hundreds of terabytes or petabytes of unstructured user content with no way to classify and manage the data according to its value. But by breaking it down into multiple iterative steps, starting high and working down to a level of detail to satisfy all stakeholders, order can be achieved.

Read the full article in Network Security Magazine here on page 20

Defend at all costs!

Legal sector must ‘step up a gear’ in Cyber technology.

Hackers view the legal sector, which tends to store and process critical and invaluable information, as a potential weak point in the cyber security chain and are constantly pursuing different ways to access legal organisations, both large and small. It is high time that the business of law makes cyber security its absolute priority to ensure its present and future are well protected from the ruthless criminals out there ready to attack at every given opportunity. It is time the legal industry brought these cyber criminals to justice.

Read the full article in Intercontinental Finance & Law here on Page 21