It’s the same with forensics tools – they are brilliant and can really help you find things, but for most of the commercial tools its another 5 figures per year for a licence. It’s ok if you have a big budget, but putting £50,000+ a year aside for just two DFIR tools is challenging for most people. When you add in the tools you need to cover the extra bits you will almost certainly need, then it really becomes a financial burden. This is without considering the cost of skilled staff.

The good news is that there are lots of alternative options. You can build a fully functional DFIR capability for a fraction of the cost, using a mix of free or low priced tooling. One caveat, free isn’t really free. You will need to pay with your own time to resolve any issues or purchase support contracts, but even these are often less than the annual cost of a commercial licence of the big-name products. In this post, we will look at some options you really should consider, even if you have an expensive tool already, as these can help cover the inevitable gaps.

Your Low-Cost DFIR Toolkit

First some caveats. This isn’t an in-depth look at the tools, that might come later. Also it wont cover everything – it cant. There will always be new projects or ones we haven’t heard of. If this spurs you into looking for a good tool then we have achieved our aim! Finally, it’s not going to cover things like SIEMs or Log Analysis/centralisation. That is critical for DFIR but requires additional focus. If we can, we will pick this up in a future post.

To help organise this, we can group the tools into categories.

Endpoint Detection and Response

Velociraptor – https://www.velocidex.com/

If you need support this is available for a fee but it is still significantly cheaper than some of its closed-source, commercial competitors.

The main challenge you are likely to face is the bandwidth between console and agent. However, this is true for all EDR products and any remote access solution. If you have a need to regularly collect full disk or memory images, then you either need to ensure incredibly high bandwidth (images can be 1tb or larger) or establish a way to do local evidence collections.

Evidence Collection

Kape – Kroll artifact parser extractor

CyLR – Live Response
Similar to Kape, this is a tool which runs rapid collection of pre-determined artifacts on the target system. It is less configurable than Kape but has some advantages in that it runs on multiple platforms and you can use to send the collected data to a remote system via SFTP. This can be invaluable if you need a sysadmin local to the victim system to capture data and send it back to your analysis server (or AWS S3 buckets).

Belkasoft RAM Capturer – https://belkasoft.com/ram-capturer
There are many tools you can use to capture RAM from a target system, but we’ve found Belkasoft’s tool one of the easiest to use. It is definitely something you should practice with and make sure it fits your DFIR workflow. One additional consideration, as endpoints become more secure, the ability to capture RAM (and analyse it) is reducing. If you are running the cutting edge versions of Windows, you need to make time to practice RAM dumping to make sure it is still feasible.

FTKImager – https://accessdata.com/product-download/ftk-imager-version-4-5
FTK, by Access Data, is one of two biggest forensic tool providers in the world. The full suite is pretty expensive, but the free Imager is very useful for collecting data from a suspect system. It works on a variety of platforms and stores images in standard formats. An additional advantage of FTKImager is that it also captures memory.

Forensic Suites

Autopsy / TheSleuthKit – https://www.sleuthkit.org/autopsy/

Autopsy is fully extensible, with a thriving community creating new modules to ingest and analyse data. You can even develop your own if there is a specific need.

Even on systems with limited resources (in forensics terms, this means under 32GB RAM) Autopsy is a fast tool. It allows the investigator access to the disk structures while it is still processing data. Once the processing is complete, it is packaged into useful categories – such as email, downloads, executables, etc – which helps the investigator quickly get the information they need. With the timeline, report generation and ability to search for threat intelligence in STIX format, this easily matches the capabilities of products costing £10,000 per user.

iBackUpBot – https://www.icopybot.com/itunes-backup-manager.htm
This is a little bit more of a niche product, but if you need to investigate iOS images, it can be invaluable. It isn’t really a forensic suite in the normal sense, but if your employees have iPhones or iPads it allows you to easily analyse the data including messages, contacts, installed applications and much more.

Analyst Tooling

There are a lot of products here and we can never do justice to all of them. Rather, in no specific order, this is a list of tooling which will help your day to day IR tasks, allow you to carry out basic analysis of malicious files and even extract malicious code out of office documents.

If you do DFIR, you want access to all of these tools.

• Zimmerman Tools – http://ericzimmerman.github.io/#!index.md
• Regrippper – https://github.com/keydet89/RegRipper3.0
• Sysinternals – https://docs.microsoft.com/en-gb/sysinternals/downloads/
• PEStudio – https://www.winitor.com/
• Oletools – https://www.decalage.info/python/oletools
• oledump – https://blog.didierstevens.com/programs/oledump-py/
• Volatility – https://www.volatilityfoundation.org/26
• Volatility 3 – https://github.com/volatilityfoundation/volatility3
• bulk_extractor – https://github.com/simsong/bulk_extractor

Operating Systems

This is fairly complex and heavily influenced by personal choice. We would strongly recommend your incident response “team” has access to Linux and Windows platforms. This gives maximum flexibility when it comes to assessing attacks and, generally speaking, its a lot “safer” to analyse malicious Windows code on a Linux platform and vice-versa. Virtual Machines are a good choice here.

Linux Sift – https://digital-forensics.sans.org/community/downloads
This is probably the main “go-to” Linux distro you’ll use in DFIR. It has most of the tools you need built in – at least the ones which run on Linux. Sift is especially useful if you need to analyse unusual file systems or structures which dont have widespread support. A good example here is the Linux LVM2 Logical Volume Manager which splits the filesystem across multiple disks. Most forensic tools – even expensive commercial ones – struggle to recreate these. However you can mount then natively on Linux Sift.

REMnux – https://remnux.org/
This is a Linux distro dedicated to reverse-engineering malware and malware analysis.

MS Windows and / or Flare Fireeye Flare VM
You will almost certainly need a windows machine to do DFIR. You can either build your own by installing tools you are comfortable using or you can use the Flare VM provided by FireEye. You will need your own windows licence, but Flare does provide a ready-made install of the tools you are most likely to need. It also includes some FireEye specific tools like Floss which you should consider installing if you go with a self-build VM.

Generally speaking, we strongly advise you use virtualisation for all your IR platforms. This allows you to take regular snapshots and if the inevitable accident happens and your investigation machine is infected, it is trivial to revert.

Summary – DFIR is affordable

So, as you can see there are very cost effective ways to build a robust DFIR environment. If you get all the tools here, including the ones where a commercial licence is needed (such as PEStudio), and the cost of Windows / VMWare licences you are probably looking at a budget of under £500 per year for almost unlimited endpoints. For a mall organisation, you could probably bring this down to the cost of a Windows licence.

Cyber attacks are inevitable. Incidents are inevitable. None of this has to leave you bankrupt.

The post DFIR on a Shoestring – Incident response for less appeared first on Halkyn Security Blog.

However, there are some important points to bear in mind. Most importantly, Linux is a very configurable platform so you may find that the system you are responding to is very, very different from other machines even if they run the same base OS.

This means that while you should go in with a plan, you also need to be open-minded enough to adapt things on the fly – especially if you discover your tools are producing unexpected output. If at all possible, test this on your Linux machines while there isn’t an incident, during the preparation phase, and this will allow you to fine-tune things to maximise the chance of success.

With that out of the way, let’s look at some key parts of the process.

Linux DFIR Workflow

As with everything in IR, it is really important to have an idea of the workflow you want to follow. The more you can document this, the better quality your evidence is. Even if you never intend to set foot in a court, a good evidence process means you can be more confident about findings and you can trust that you haven’t overlooked anything important.

NOTE: This guide is based on a responder who has direct access to the live system and will be working locally. This is not a guide for dead box/image-based forensics. The activity here will change the state of the target system and will generate log entries/history records. This reinforces the need to keep detailed notes so that the investigator’s activity can be eliminated from the evidence.

Example Collection Workflow

Set up documentation. You can keep notes by hand but Linux also includes the script command which logs output of each command as you type it and saves the data to file when you exit. You can invoke script -a to save the file to a separate device if you want to retain off-disk evidence. You can find out more about this often-overlooked command on the script man page.

Ensure you have trusted tools. Remember if you are on a compromised system, the attackers can modify binaries and you have no way to trust the output. Even simple tools like ls can be compromised effectively. Ideally, you will bring your own tools, either from bootable media or via statically linked binaries. If you have to use commands on the operating system bear in mind the risk and try to find multiple ways to validate the output.

Gather data. Your organisation may have specific requirements here but we would recommend something along the following lines:

• Document system name and the start date/time of the review.
• Dump memory for analysis at a later date. On Linux this can be complex but it is outside the scope of this post.
• Get OS details. uname -a and lsb_release -a are useful commands here.
• Confirm who is logged in. You can use w for this.
• Review bash history. Its worth capturing a copy of this early on so you can read each user’s .bash_history file later on, this is especially important if you may be adding commands to it.
• Get the system environment details. Run env and save the output to a text file.
• Get networking information. This is where ifconfig and arp -a are useful.
• Check network connections. You can use netstat or lsof here, or both. It is worth saving this to a text file as it can be verbose.
• Log running processes. It is worth starting with ps -aux here.
• Log loaded modules. Start with lsmod but consider using modinfo if more detail is needed.
• Check scheduled tasks. Look in the crontab and associated folders.
• Check auditing. For example, auditd on CentOS
• Check for binaries with SUID bit set. You can capture this with `find / -perm -4000 2>/dev/null` and if anything unexpected appears it is worth investigating.
• Validate group memberships. You can cat /etc/group and cat /etc/passwd to ensure there are no unexpected accounts or memberships. The sudo group is often targeted by attackers.

Combined with the memory image, you probably have enough information here to get a good understanding of what has happened on the system and allow you run triage as part of the Linux DFIR workflow. But to reiterate, it is important to tailor this to your environment.

If you need greater detail, you should consider taking a disk image and importing it into a forensic tool or deploying applications from TSK to do a more detailed file system analysis.

Finally, as we said, for all forms of DFIR (including Linux DFIR) it is good practice to keep notes. As a result, as well as running script, its worth making sure the output of all your tools is saved to a text file with a common naming convention. For example, you might want to run lsb_release -a >> lsb_release_YYYYMMDD.txt or lsb_release -a >> CASENUMBER_lsb_release.txt. This will allow you to recheck output without having to rerun tools and help when you review evidence at a later date.

The post Linux DFIR: Workflow for a busy responder appeared first on Halkyn Security Blog.

As a result of this, it is inevitable that sooner or later you will need to respond to an incident where your open-source OS skills are put to the test.

The good news is that the basics are the same. PICERL is a good framework to use. Preparation really, really matters. You need to build good processes. You also need to practice them regularly. Once you are into the incident, the normal workflow should still be followed. The big difference, however, is in how you do things. You may also find that a lot of the EDR tools you’d use in Windows DFIR aren’t available or simply don’t work. Even when they do, the data may be different.

A good example is when it comes to “evidence of execution.” In a Windows environment, we have access to prefetch, shimchache and other useful data repositories. There isn’t any real equivalence in Linux, which forces responders to be more inventive.

Linux Response – Preparation

As always in IR, if you get the preparation right, the response will work better. There are some key points you need to decide in advance because your decision will dictate how you respond.

The priority has to be your incident response plan. This needs to include who is responsible for the platform and who needs to be involved in the incident response team. If you have Linux admins, you probably need to include them as their knowledge will be invaluable. Your plan is also where you decide how you want your response to run and how much “evidential” care needs to be spent on the collection steps.

You also need to make sure your infrastructure is ready to help you respond. There are entire books on forensic readiness, but the key points to consider are:

• Sync time across the network. This is crucial if you want to be able to make sense of events.
• Normalise everything to UTC – this is vital if you are a global org or have endpoints in different timezones.
• Make sure logs are generated and sent to a SIEM (or equivalent for review). You need to check system logs, firewall logs, IDS logs, email logs and application logs are all being collected.
• Ensure backups are being created on a regular basis, ensure they are being tested for usability and ensure that some are kept offline.
• Baseline. Baseline everything you can. Gold images, reference hashes of installed applications etc. Hash as much as possible – your future self will thank you. Of course, you need to maintain the hashes after patches.

Linux DFIR – Responding!

Once you’ve triggered the incident process it is time to turn your plan into action. Just to reiterate, the high-level steps are basically the same on any platform and the workflow is reasonably straightforward. A good workflow is:

• Snapshot the scene/capture images
• Confirm the incident
• Analyze volatile information (typically memory)
• Analyse filesystem
• Build a timeline
• Carve deleted data & recover filesystem artefacts
• Close the incident (report / lessons learned)

In this blog post, we are going to look at some of the differences you need to consider when you run this workflow on a Linux host.

Confirming the incident

Incident response, on any OS, is a costly & resource-intensive activity. It is important that you limit the number of times you trigger full DFIR by thorough confirmation. When you respond, the first thing you want to do is find out what the attackers might have changed. In Linux, this includes, but isn’t limited to, unusual processes; hidden files & directories; altered system files; modified log entries and strange ports listening or with established connections.

Lots of this is easiest to find on the live file system. If you have an EDR tool which can give you access this will help but you may need to consider having to SSH in and run commands directly as part of your preparation phase. Where possible, taking a snapshot and mounting it is a better option.

Assuming you have access to the running system, start by looking at the running processes.

ps -auxww

You can also use lsof as a way to find backdoors. Remember, both commands are noisy so consider piping to less or using grep to find specifics. This can be very effective at finding subverted code such as fork()ed processes which have been renamed.

lsof
Example output:

COMMAND    PID  USER   FD  TYPE DEVICE NODE NAME
smbd       871  root   6u  IPv4   9001 TCP *:2003 (LISTEN)
smbd       871  root   6u  IPv4   9001 TCP *:443 (LISTEN)
initd    11201  root   3u  IPv4  10112 TCP 10.10.10.1:64213->54.13.13.13:1111
initd    11201  root   9u  IPv4  10112 TCP 10.10.10.1:1111->66.77.121.221:4444

In the example above the Samba server is listening on some strange ports – 2003 and 443. Also, the initd process has an active TCP connection to two external IP addresses, again with suspicious ports.

Combining ps and lsof gives an incident responder the ability to drill deeply into what is running on the suspect system. In turn, this helps confirm that something is amiss.

Linux Memory Analysis

This post is about Linux and, unfortunately, it can be difficult to capture a useable memory sample and even harder to analyse it. The issue is largely down to having the correct “profile” to allow your tools to know what structures exist in memory. With Windows, tools like Volatility (2.x or older) rely on pre-built profiles. With Volatility 3 (and rekall) the profile isn’t needed, but the tool still needs to know how to read the memory sample. With a Linux image this becomes complex at best.

Capturing the image.
The most important bit is how you capture the image. If you are running a Virtual Machine, then it might be as simple as taking a snapshot and using the memory file. However, you still need to get the right profile information. An example of this is on the Volatility github pages.

If you need to dump memory from the live system, the most used tools are:

• LinPMem – https://github.com/Velocidex/c-aff4/releases
• LiME – https://github.com/504ensicsLabs/LiME

It is worth noting that lots of commercial forensic platforms struggle with Linux memory, so it is worth practising the manual methods to make sure you can respond in a timely fashion.

There is a very useful tool which automates a lot of the capture & profile creation steps: LMG by Hal Pomeranz, who is widely regarded as the leading expert on Linux IR.

Capturing Disk Images

If you have an EDR platform or Linux-friendly forensics tool, then capturing a disk image should be reasonably simple. If your suspect device is a virtual machine, then you can use the VMDK files (or equivalent). However, if you find yourself needing to respond manually, there are some useful tools you can use.

Disk copying
You can create a bit for bit copy of the disk for analysis in pretty much any tool. This retains deleted data so you can recover lost files. You can use dd for this, but a better tool is dc3dd which allows you to create a checksum at the same time. The syntax is pretty simple:
dc3dd if=/dev/sda of=/mnt/usb/diskimage.raw hash=sha512 hlog=/mnt/usb/hash.txt
This will take a copy of sda and put it on a device at /mnt/usb. However, there are other tricks you can use.

Another example is if you want to take a disk image and send it over the network to your evidence machine. You can use netcat on both ends for this (or cryptcat if you want to use an encrypted tunnel).

dc3dd if=/dev/sda hash=sha512 | nc 10.10.10.10 5555
This will send the data to a listener which can, in turn, simply store the data to a local file.

Timelines – Linux Variations

The general process is the same as on Windows and the analysis of inode data is very valuable. The main point here is that there is a difference in how timestamps work. Windows has four timestamps in $STANDARD_INFO and four in $FILE_NAME. Most Linux environments have three – MAC – with EXT4 introducing a Born-on time to more closely resemble Windows.
Modification Time, also referred to as mtime. This is the last time data was written to the file.
Access Time, also referred to as atime. This is the last time the file was read.
Change Time, also referred to as ctime. This is the last time the inode contents were written.
Born-on time, also referred to as btime. EXT4 file systems also record the time the file was created.

Incident responders can use this to hunt across a file system to find things the attacker may have changed. For example, if you think an attack took place in the last week, you can run:
find / -mtime -7
This will return every file with a modification date in the last 7 days.

Attacker behaviour and profiling

To finish off, we are going to look at some of the more common files you should check as you profile a suspect system:
/etc/hosts: this shows any static IP assignments and can identify attackers trying to create routes in plain sight.
/etc/passwd: Look for unexpected accounts, especially UID 0 accounts.
/etc/shadow: Look for any unexpected modification which may indicate attackers have changed a legitimate password.
/etc/sudoers: shows users with the ability to run commands with elevated privileges.
/etc/group: check for changes to group memberships. GID27 is traditionally the SUDOERS group so special attention needs to paid here.
(user path)/.ssh/authorized_keys: Check to see if anything has been added. Attackers add keys to maintain access.
/etc/inittab: Attackers can add code here to have it execute when initd restarts.
Directory names starting with .: This is a technique to try and hide entire directories where the attacker can store tools/data.
Regular files in /dev: The /dev folder should hold devices. If you find any regular files in there its worth a closer look.

It is also worth looking at the modification times of binaries – anything changed recently is interesting, largely because Linux patching tends to be a lot less frequent than windows. When you build your timeline you should also check if files have a timestamp that is out of place for its inode number as this is often a sign of timestomping.

If your system uses a package management tool, you should check to see if anything is different from the “official” version. Changes should be considered for investigation.

Lastly, you should always check for SUID/SGID binaries to see if anything unusual has been created.

Linux Forensics – Summary

To summarise, your overall DFIR approach should be largely unchanged. You still need to have a plan and when you respond you still need to follow a suitable methodology. The biggest difference is that responders tend to have less direct exposure to Linux and, as a result, are less comfortable with the files and folders you need to analyse.

You should address this during the preparation phase of your IR cycle. Build response plans, checklists, train your team etc. It will all be useful at some point.

The post Linux Incident Response Guide appeared first on Halkyn Security Blog.

As the final step, this is probably the IR phase that gets most overlooked. But it is one of the two most important. After the excitement and stress of clearing out an incident, it is really important that you learn. Overlooking this step inevitably leads to repeating problems. First you never really solve the problem that let the attackers in. Secondly, any issues your responders faced remain. Together this means you see more incidents and they take longer to resolve.

Learning from experience really is important.

Lessons Learned

This phase goes by many names. For example, you might call it a “debrief” or a “wash up”. The exact name isn’t as important as making sure you do it. However, it is also important that this is a learning phase. Avoid falling into the trap of blaming people. Also, avoid any hint it is a witchhunt or an attempt to sack someone. This can be hard, as sometimes a person is responsible. But at a practical level, this should be something outside the IR process.

In this phase, you are trying to answer the following questions.

1. What happened?
2. How did it happen?
3. How did we deal with it?
4. What went well?
5. What went badly?
6. Most importantly, what do we need to change?

Now it is totally down to your organisation how formal you want this to be. What matters above all else, is that you go through this. For example, you might decide that major incidents need a formal report and review. But then decide that minor events simply need an email update. But other organisations might want a formal report for every incident. Remember, though, that this can be resource-intensive so keep in mind how many incidents you have when deciding this.

The ultimate goal of this phase is to understand what happened. That is really all that matters so the specifics can be quite “personal.” It certainly helps if, during planning, you decide how this phase will be run. In the same vein, planning allows you to make sure you capture the right data. Without the right data, you can’t learn, so you can see the problem here.

Take Note

One big caveat to remember is that sometimes the lesson is trivial. For instance, with a single malware event, you probably dont need a full report.

Also, try to focus on how to improve rather than punish. If your lesson learned is that a person messed up, this isn’t helpful. Instead, you can focus on the need for more training, or better still, improved processes. You might feel people are to blame, but most of the time that is only because technology or process failed.

Summary – what have we learned?

In short, the lessons learned phase is critical to good IR practices. However, it entirely depends on your planning and IR data collection. In addition, the exact process should depend on your specific needs and the nature of the incident. Some organisations have a formal process with pre-designed data capture forms. Others go for an ad-hoc meeting. The important thing is making sure it happens and doesn’t simply burn resources.

If you want to know more, or get some help with an incident or even building your own incident response process then get in touch and our consultants will be happy to assist.

The post Incident Response Phases – Lessons Learned appeared first on Halkyn Security Blog.

The incident is going well. First, you found something was wrong. Then you carried out an investigation and found evil. Next, you implemented containment measures. Finally, you eradicated all traces from your network. Now its time to recover.

As you will see, this is the second of the “shorter” posts. This isn’t because it is less important, rather it is just very dependant on your needs.

Recovery

Now we are in the phase where you return to normal, in as much as you can without opening new risks. Your goal is a restoration of services, but equally important is doing so without allowing the attackers back in. As you can guess, this means recovery hinges off your preparation and investigation. Like we’ve said before: if you fail to plan, you’ve planned to fail.

As with the previous phase, what you do here really depends on the situation. This means you can’t plan definitive actions, but it is important to plan goals. Usually, this means ensuring that you align with the business goals. However, there are some things to consider.

• One step at a time. It is really important to phase the return to normal service. Obviously, if only one machine is affected this might not matter. However, if you are trying to recover an enterprise, plan ahead. Remember, you eat the elephant one bite at a time.
• Monitor. When you bring systems back, monitor them for a while. Of course you investigated well, so your plan is sound. However, mistakes still happen. Dont bring everything back to discover a mistake.
• Document. Always with IR it is important to keep notes. This is no exception. Make a note of when each system is recovered. Importantly make notes of what you are monitoring for and what you find.

Generally Good Advice

Remember, the exact steps depend on your needs. They also depend on what the attacker has done. Lastly, they depend on your policies, plans and procedures.

However, having said this, there is some simple advice you should follow:

Step 1: Assess everything you need to recover and prioritise based on business impact. It is important to minimise disruption to the business. Because of this, you might want to recover critical systems first. However, if the risk is high, you might want to recover them last. It is up to you!

Step 2: Develop a recovery plan. This can be a simple list of items. On the other hand it can be a complex project.

Step 3: Recover the first things. First things first! Whatever you’ve picked to go first, bring it back into service. Monitor it. By this, we mean look for all the things. Dont just look for the attack you found. If you can, gather data and threat hunt. Above all else, do not rush this step. If you find evil, trigger an incident.

Step 4: Recover the next thing. When you are happy with the first thing, recover the next. Do the same with monitoring. If you can, threat hunt. If you find evil trigger an incident.

Step 5: Repeat step 4 until you run out of things.

Congratulations. Recovery is complete.

The post Incident Response Phases – Recovery appeared first on Halkyn Security Blog.

If you’ve got this far, you have identified that an incident took place. Then you carried out an awesome investigation to understand what happened. Consequently, you were able to contain the attack. Now you need to get the attackers out. You need to eradicate them from your environment.

Eradication

Containment is a short term solution. Now we are looking at a long-term solution. In other words, we want to get the attacker completely out. In addition, we want to keep them out in the future. It is important to remember that every incident is different. As a result of this, eradication measures can vary wildly. This is a good example of why it is critically important to investigate well. You can’t eradicate the attacker’s access if you dont know how they got it.

Sometimes you might manage this by simply deleting malware. In other incidents, you might need to completely rebuild the domain. Ultimately, you need to deal with the information you have and act decisively. Although speed of response matters, you must never, ever, be hasty.

Key Decisions

Previously we’ve talked about how important planning is. This is another phase where that is true. You cant plan the specific steps to be taken, but you can give guidance. For example, you need to give guidance on:

• Confidence of Compromise. By this, it means how sure do you need to be that a specific device was compromised. Generally speaking, your investigators will never be 100% confident they have identified every compromised machine. You need to decide how to deal with “might” type statements. Often you will want to treat this as confirmed, but eradication can have a cost. For example, rebuilding takes time and resources. You can’t rebuild every time you find malware. As a result, you need a management decision in advance.
• Rebuild, reinstall or remove. This seems simple but it isn’t. First, there is a difference in business impact. For example, simply deleting a virus is a lot cheaper than rebuilding an entire server. Next, it hinges on your risk tolerance. In general, you want to make sure your managers know this balance in advance.
• Pace. Previously we’ve said about skipping containment. You cant skip eradication. If you do, you’ve ignored the incident. However, you do need to decide how fast you want to move. Remember the saying “More Haste, Less Speed.” It really does apply in IR. If doing it completely is slow, that is still better.

Summary

As you can imagine, this is an important phase. You cant skip it. Also, you cant rush it.

For these reasons, you need to build a methodological approach, then follow it.

The post Incident Response Phases – Eradication appeared first on Halkyn Security Blog.

]]> 1775 http://www.halkynconsulting.co.uk/a/2019/07/incident-response-containment/ Sat, 13 Jul 2019 11:37:16 +0000 http://www.halkynconsulting.co.uk/a/?p=1758 Containment is the third phase of the IR Cycle. You investigate what happened and implement measures to stop the attack spreading or doing more harm than you are prepared to accept.

The post Incident Response Phases – Containment appeared first on Halkyn Security Blog.

]]> In a previous post we discussed Incident Response (IR) processes and our preference is one that runs Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned (PICERL). In this post, we are going to be looking a bit more into the Containment phase of IR.



You have identified an event. Then you confirmed it was an incident. So now you need to look at containment. This is where your IR team start to earn their pay. But there are some pitfalls – most importantly do not rush! Also, there are times you may even want to skip this step entirely. All of this should be decided in your preparation phase.

Containment

Simply, containment means stopping the attack spreading. Now, in practice, this can be complex but the theory is simple. Because incidents are varied try to avoid setting prescriptive plans. Instead, empower your IR team to make tactical decisions.

Keep in mind this is a short term strategy. You are trying to seize the initiative from the attacker. A common model here is the OODA-loop. Here you are trying to change the cadence so you no longer constantly react to the attacker. Good strategy here turns the tables and forces the attacker to react to your actions. Ultimately this means your containment strategy decides how successful your IR will be.

Warning!

First a quick warning. Never – ever – rush into containment. It is tempting and natural, to want to pull cables or shut systems down when you see an attack. But this can be a mistake. Rarely will this turn out to be a “good” strategy. More often you will undermine the IR process, destroy evidence and warn the attacker. Ultimately the decision should be taken by the Incident Manager, so your Plan needs to support them. However, you also need to remember that during the stress of IR, don’t add to it by panicking about containment.

One point to remember: as a human, you can never react as fast as a computer. This means waiting a bit longer is unlikely to make things significantly worse.

Containment Guidance

So, with the warning out of the way, how do we do this?

Unfortunately, there is no one-size-fits-all answer. In essence, it is simply “do good IR.” Because that isn’t helpful, there are some steps to consider.

Investigation

Begin by finding out as much as possible. Gather information about the incident. Then analyse it as much as you need. This is important – too much delays things, too little leads to mistakes. This can be more art than science, but experience improves things. Your incident manager should try to focus the investigation to minimise spurious activity.

As investigators find things, this “intelligence” should be fed back to the Incident Management Team to make decisions. Another important point here is to try to reduce noise. Lots of information will appear, avoid being distracted by irrelevant data or information you cant act on.

Action

Next, take the information and turn it into action. This is the primary role of the incident manager. As investigators provide more data, a containment strategy is likely to emerge. In turn, the manager should use this to direct investigators. Through this iterative process, a robust strategy will be formed.

Some examples include:

• Create an incident response VLAN. Move infected machines into it. This allows monitoring/response but prevents further spread or C2.
• Locking compromised user accounts. This prevents an attacker from continuing to use them to get access.
• Blocking external access to vulnerable websites. This prevent an attacker from using webshells.

Remember all this carries risk. Your actions are likely to alert the attacker. If they have other ways in, you might lose visibility. Only act based on your investigation.

Skip it

Occasionally you might decide to skip this phase. Yes, this is shocking! But remember, none of this is prescriptive.

Containment works best with low-skilled attackers. If you have an advanced adversary, you might only alert them. As a result, waiting until you can eradicate may be better. You can give guidance here in your Plans. However, the final decision should be based on the investigation.

Stopping the spread

In summary, this is the goal of containment. You need to try and prevent things from getting worse. Let your risk appetite guide decisions. Investigate well and build a robust strategy. When you are ready to implement, be decisive.

The post Incident Response Phases – Containment appeared first on Halkyn Security Blog.

]]> 1758 http://www.halkynconsulting.co.uk/a/2019/06/incident-response-identification/ Sun, 09 Jun 2019 14:42:00 +0000 http://www.halkynconsulting.co.uk/a/?p=1761 Identification is the second phase of the IR Cycle. This is where you determine if an incident has happened, what type of incident and how important it is to your business.

The post Incident Response Phases – Identification appeared first on Halkyn Security Blog.

]]> In a previous post we discussed the importance of having an Incident Response (IR) process and our preference is one that runs Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned (PICERL). This time we are looking at the second phase: Identification.



During this phase of IR, we start what most people recognise as Incident Response. As a result, the pressure will start to mount. However, responders must still understand and follow process.

Identification

Something has happened. Possibly something bad. Right now, no one really knows for sure. Incident responders need to act quickly, yet accurately, to assess the situation. By this we mean they need to IDENTIFY what has happened. You want them to understand it well enough to decide if this event really is an “incident”, or if this is something that can be addressed in other ways.

Although this sounds simple, it rarely is. The “fog of war” makes decisions difficult. There is never enough information. Also, you will feel there is never enough time. Resisting this is important. To do this, you need a good identification process/workflow. As an example of how important this is, the UK Government guidance on IR has THREE steps dedicated to incident identification.

Remember to prepare

Identification is the second step of the IR cycle. This means you should have prepared before you get here. Your preparation should include guides on classifying & prioritising incidents. Also, you probably want some playbooks on how to respond, but that’s the next step.

What does this all mean

In summary, “identification” here means being able to validate an event is an incident; putting it in a category to help responders & management reporting; prioritise it to protect resources; importantly, be able to determine if any regulator/government agency needs to be involved. In other words, it is easy.

Except it isn’t. However, if you plan & practice it becomes easier. Above all else, give your responders the authority & trust to make decisions here. Remember, until they assess it is an incident, you simply have an event. In other words, “something happened” and you dont know anything else for sure.

The Event

First, we need to look at the event. In IT lots of things happen all the time. For example, your firewall is almost constantly being probed. In addition, your mailboxes are bombarded with spam/phishing. Meanwhile, your staff are visiting websites and people are ringing up trying to bluff their way to speaking with the boss.

This is constant. There is no way you can treat every event as an incident. Apart from anything else, this would bankrupt you in days. So, clearly, we can see there needs to be a way to tell the difference between an “event” and an incident. This is why identification matters.

Sources

When looking at the event, consider the source. Some are more trusted than others. However, dont automatically dismiss sources, just weight your confidence appropriately. For example, if a random phone call says “you’ve been hacked”, you might want to worry less than if a Specialist Police Officer turns up and tells you the same thing. In your planning phase, you can document this. Alternatively, Responders should be trained to assess this on the fly.

Remember to consider possible internal and external sources. Additionally, be open to reporting. Above all else, you want people to report incidents early when you can respond, not after a breach.

Internal Examples

• SIEM/Monitoring
• Firewall
• User reports
• Pentest/Red Teams
• Internal Threat Hunts

External Examples

• Customer reporting
• Client/supplier/3rd party notification
• Law Enforcement report
• News Reporter telling you
• Attacker notification

Clearly it is better to detect the incident internally. If a national news crew turn up at your office, things are probably already out of control. In short, you want to detect the incident rather than be notified.

However, if you are notified, good IR will still see you through the problem.

Congratualtions, its an INCIDENT!

So, you’ve confirmed the event is bad. Responders have declared an incident and your response process is gearing up. Meanwhile, staff, customers and clients are going about their business as normal. You need to decide how much disruption this incident is going to cause.

However, although this is important, it isn’t set in stone. During the response, you may learn new things which change your view. You might discover it’s all a mistake. Alternatively, you might discover what you thought was minor is a full breach. Whatever the outcome, never hesitate to reassess the incident.

Incident identification should lead to three bits of knowledge.

Categorisation

First, you want to categorise the incident. That is to say, describe it in a manner you can use to track against other incidents. This can be as simple or complex as you want. Some organisations have a basic model along the lines of:

• Malware
• Phishing
• Intrusion
• etc

While others go for lots of detail:

• Trojan – Windows
• Worm – Windows
• RCE – Windows
• Trojan – Linux
• etc

You need to pick whatever works best for your organisation. You can, if you want, build a huge model with a detailed taxonomy and ENISA has good guidance on this. But you may find this is overkill. All you really need is something Responders can use and provides some management information.

Prioritisation

It won’t always be an issue, but most incidents impact your normal activities. You need to establish how important this incident is compared with everything else that is going on. Also, you may need to divert resources from other parts of the business. You may need to shut down profit-generating functions to prevent further damage. Clearly you can’t treat every incident as if it was the end of the world. However, you cant treat all of them as if they dont matter either.

Consequently, you need some way to prioritise. Again, this should be part of your planning documentation. You can go for a simple 1 – 5 scale or you can do detailed assessments of potential costs and impact. Whatever you pick, it has to work and be useable by a responder under stress. As a result, simpler is probably better.

Escalation

Last part of identification is deciding what “level” this problem sits at. Escalation can be a responder deciding if they can deal with it or if they need help from a broader team. Also, it can be an entire organisation deciding if they need to bring a 3rd party in. Incidents frequently happen at weekends/holidays. Incident responders are almost always under pressure and isolated. As a result, clearly defined escalation criteria are essential. Minimise the guesswork needed. Provide a framework that supports your responder.

Examples of escalations include:

• Individual responder requiring support from network and sysadmins
• Response team calling in 3rd party support
• Identifying a breach and requiring legal/PR support
• Discovering criminal employee activity which needs Law Enforcement asssitance

As you can see, it varies wildly. Therefore make sure you plan this well.

Identification is…

To summarise, identification is how you tell the difference between an event and an incident. Good practices here will save you money, and stress, in the long term by minimising the disruption and cost of an incident. In addition, it reinforces the need to have strong preparation. The IR cycle works best when all the steps are carried out.

The post Incident Response Phases – Identification appeared first on Halkyn Security Blog.

]]> 1761 http://www.halkynconsulting.co.uk/a/2019/05/incident-response-phases-preparation/ Sat, 11 May 2019 10:12:46 +0000 http://www.halkynconsulting.co.uk/a/?p=1742 Preparation is the first phase of the IR Cycle. Doing well here is the difference between good incident response and dealing with a breach or crisis.

The post Incident Response Phases – Preparation appeared first on Halkyn Security Blog.

]]> In a previous post we discussed the importance of having an Incident Response (IR) process and our preference is one that runs Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned (PICERL). In this post, we are going to be looking a bit more into the Preparation phase of IR.




Preparation

Lots of people overlook this phase because it isn’t “dynamic” and doesn’t have the technical excitement of other phases, but the reality is you are either preparing for an incident or responding to an incident. What matters is how you spend your time in this phase. If you use this time well, every incident you deal with will be better managed with a significantly improved outcome. However, if you waste this time, every incident will be significantly harder, more costly and cause greater impact. Really the choice is yours!

Fail to Prepare, Prepare to Fail

It really is that simple.

Preparation Guide

There is a lot of work to do in this phase, even though some will think it is a case of Incident Responders not doing their job. The exact activity will be organisation specific but there are some key activities everyone should follow. If you are looking for even more succinct guidance, FireEye, a world leading IR company, have an excellent article on IR Preparation.

Key Elements

When we assist an organisation in building an IR capability, we focus on technical and non-technical elements of preparation. This allows defenders to have realistic goals – if you are new to this, it can seem like an insurmountable hurdle – and allows management to have good visibility of progress towards a continuously improving target.

Remember, you never finish the Incident Response Cycle. You remain in preparation, striving to get better until there is an incident. Then you respond, learn from it and improve your preparation for the next one.

Technical Preparation

Attack Surface Reduction. Also referred to as “system hardening” or “vulnerability management” and lots of other terms. This is the ongoing process of trying to minimise the entry points for an attacker. It is also looking at your internal systems, making sure that an attacker who gets in cant easily move around. Typical activities here include patching, turning off unnecessary services and account management. If you are fortunate enough to have a dedicated IR team, they should work closely with your SOC or IT Service Management teams to limit the scope of attacks.
Monitoring. If you can’t see an attack, you can’t respond. It isn’t good enough to think monitoring is in place, you need to check this. Check:

• The right things are logged
• That the right alerts fire
• The right people see the alerts
• People know what to do with the alerts

All of this is essential to give your IR team a fighting chance. This is a good thing to use a Red Team for, or an external security consultancy to give you some assurance.

Non-Technical Preparation

Documentation. This is essential. Your policies set the benchmark for how and when IR will work. Good documentation will help a stressed incident manager make the right decision under pressure. It should be readily available, remember your IT systems may be compromised, and easy to follow. While every organisation’s needs differ, you should look to cover the following points:

• Authorisations. What is an incident manager authorised to do? Also, what are responders authorised to do?
• Requirements. Are there timescales you want the IR team to adhere to? Do you need “court-ready” evidential collection? Decisions like this must be made in advance.
• Communications Plan. Establish who needs to be told. Plan how people can communicate if normal systems are compromised. Decide who would be responsible for notifying a regulator if needed. Likewise, set a process for reporting to customers/clients/suppliers. After that, establish how frequently are updates provided and who gets them.
• IR Processes. Help your responders out by giving them good guides. For example, give step by step instructions on how you want RAM captured. Similarly, instructions for dealing with phishing help focus the mind. However, ensure that your IR team are flexible to deal with the unknown.
• Environmental information. Most importantly, you need to document your environment. In other words, have a network diagram and CMDB for example. This means your team can quickly understand the impact. Also, it allows them to know who to call for assistance.

Practice. The saying “practice makes perfect” is accurate. Also, it is really important for IR preparation. Incident responders need to practice. Practice includes activities like external CTFs, Competitions or in-house exercises. You can practice rarely-used skills in a CTF. Conversely, you learn your environment with an in-house exercise. This is all good. However, avoid giving your responders “busy” work or “BAU” tasks. Responders need to be ready to drop everything.

Preparation really does matter

To summarise, and repeat a phrase, if you fail to prepare, you really need to prepare to fail. Preparation is a critical step of the incident response cycle. You are in this phase whenever you are not actively responding to an incident. As a result, you should make the most of it.

The post Incident Response Phases – Preparation appeared first on Halkyn Security Blog.

]]> 1742 http://www.halkynconsulting.co.uk/a/2019/04/incident-response-process-matters/ Thu, 11 Apr 2019 11:04:03 +0000 http://www.halkynconsulting.co.uk/a/?p=1724 Breaches are pretty much inevitable. Having good incident response processes can be the difference between it being painful and it being catastrophic to your organisation.

The post Incident Response – Process Matters appeared first on Halkyn Security Blog.

]]> In the last month, there has been news about a range of cybersecurity breaches. The Register reported over 620 million hacked accounts being available from breaches on popular apps like MyFitnessPal and ShareThis. At the same time ransomware continues to disrupt healthcare, government and private companies. It seems a redundant truth to say breaches are inevitable. This means incident response is a critical business process for every organisation. Incident Response really does matter.



When it comes to building an Incident Response process, you need to decide on a framework. This can be anything you want. The key is pick one you understand and covers the important stages. PICERL (shown left) is one of the more common frameworks used to build an incident response process. In this, the flow runs Preparation, Identification, Containment, Eradication, Recover and then Lessons Learned. Future blog posts will look at each stage of PICERL in a bit more detail.

If you are starting off, all that matters is that you have a process.

Incident Response Process Matters

Key areas to consider are the fundamental areas of incident response – the things you do before the incident, how you respond to the incident and what you do after the incident. It may seem strange but all three areas are equally important so make sure you don’t just focus on the bit in the middle. The more effort you, or your response team, put into the first and last stages, the better and faster the middle bit will happen.

Once you have built a framework (or adopted an existing one) you can start to flesh out the details. Avoid perfection here and don’t think that once a document is written, it has to be set in stone. You can’t predict every incident in advance and trying to do so is the path to madness. Start with some likely events and document how you want your incident response team to respond. Then, over time build new ones. When you have incidents, update and modify your process documents.

When you adopt new technology, or change business processes, update and change your documents. When you get new staff into the incident response team, have them read & review the documents to see if they have any suggestions for improvements. It doesn’t matter how you do it, just need to keep the documents living and current.

Avoid the trap of thinking you need a finalised version for Audit or Compliance (you might do, but that is a different problem), and focus on having a version which works, can be used by your responders and relates to your current business.

Summary

As always, if you want specialised training for your IR team, we can provide tailored courses on or off-site for your staff, as well as table-top scenarios and red team exercises to ensure practical experience. Alternatively, you can look to send your staff on public training such as SANS SEC504 and SANS FOR508.

If you want to find out more, as always, get in touch.

The post Incident Response – Process Matters appeared first on Halkyn Security Blog.

]]> 1724 http://www.halkynconsulting.co.uk/a/2019/02/security-certifications-is-x-good-or-bad/ Thu, 14 Feb 2019 11:39:09 +0000 http://www.halkynconsulting.co.uk/a/?p=1717 Security certifications are a hot topic. No one cert is intrinsically better than others, pick the one that opens the most doors for you.

The post Security Certifications – is X good or bad? appeared first on Halkyn Security Blog.

]]> One of the most common online discussions in the security industry is about security certifications. This normally starts when someone asks what they should work towards or is Cert X better than Cert Y. As you can imagine, the answers are mixed.

The cold hard truth is that there is no real way to say one cert is better than another. It is 100% down to personal opinion. As security is a very broad field, you can find amazing practitioners who have zero certs and you can meet very bad professionals who have the full catalogue of security certifications. The certification itself is rarely an indicator of how good someone will be for your team.

People will always have a preference. Some will like the more management approach, some want them to be more technical. Some think “open book” certs are cheating, others think closed book certs are a needless test of how well people memorise trivial information.

There isn’t a right answer for any of this. All education is good. If you want the tl;dr it is that you need to do the research to find out what is offered by various security certifications and pick the one that is best for you. There is a caveat here because it depends on what your motivation is.

You might be looking to learn something new and the cert itself is just a way to test your own understanding. This is good and if this is your motivation, pick any cert and you will learn something.

However, for lots of people, the cert is there to meet a professional need. Often this to land a job, keep a job or get a promotion. If this is your motivation then it really does matter which one you go for.

Security Certifications as a Gatekeeper



The reality for most job seekers is that you need to get through some strange HR / corporate practices. In the example job advert (found on jobserve.co.uk), there is a clear statement that “Professional Industry Recognised Certifications” are an essential requirement and it goes on to list some security certifications.

However, there is no logic behind this. The cert requirement is simply a way to eliminate people they don’t want to hire and make it harder for applicants. If you need a CISSP, you need someone with a very different skill set and knowledge than a CISM (which is mostly management, projects and stakeholder engagement) and drastically different from a CEH – which is a pentester qualification. If any of these security certifications are acceptable, then it should also be OK to apply with none. It’s not feasible to believe that they want either a junior pentester or senior program manager for the role. The only explanation is that they’ve asked for security certifications to act as a gatekeeper and eliminate a percentage of candidates.

If HR departments and hiring managers had any sense, life would be easier and fairer but it simply isn’t. As a result, you may be forced to get certificates you don’t like for no reason other than the job requires it. In the UK in 2019, the most common qualification this applies to is the CISSP.

This is not an intrinsically bad security certification. CISSP holders range from super skilled and knowledgeable to people you can’t believe passed the exam. This is true of every single qualification in the world, so don’t think it is a criticism of the CISSP. The marketing efforts which have gone into pushing the CISSP means that if you hold it, you can pretty much apply for any security role from pentester, to incident handler, to forensic investigator to management. Now you may think this makes no sense, and it doesn’t, but that doesn’t matter. It is the way the world is.

One other consideration

Most certs come in two big bucket flavours. Ones where you go and learn a lot of stuff and then sit an exam and ones where you should already know a lot of stuff before you go for the exam.

To explain this, these are examples:

• CISSP / CISM: Both certs where you need 5 years experience before you sit the exam. You can get “bootcamp” courses but these are largely sold as refreshers rather than teaching brand new knowledge.
• OSCP: This is largely a cert where you learn lots of new stuff then sit a very challenging practical exam. Yes, some people will already know everything before they start the course, but that is 100% not what is expected. The course is designed to teach new things, not simply refresh knowledge.

This can lead to a lot of the dissatisfaction with some security certifications, especially as the courses are often expensive. People frequently attend a CISSP bootcamp and complain the cert is lacklustre because they learned nothing new on the course. This should never be the purpose of the course.

What does this mean?

The upshot is that if you are looking for one qualification to rule them all, it probably doesn’t exist.

You really need to decide what matters to you. Is it for personal development or to influence your career? If it is the latter, the best thing to do is search for job adverts. Find the ones you are interested in and check what qualifications they ask for. Whichever qualification is asked for the most, is the one you really want.

In the UK, in the first half of 2019, for security roles, this is unquestionably the CISSP. But don’t take our word for it. Research it yourself. Find the jobs you like, find the career path you want and see what (if anything) is the required qualification.

The post Security Certifications – is X good or bad? appeared first on Halkyn Security Blog.

]]> 1717 http://www.halkynconsulting.co.uk/a/2018/01/memory-analysis-dfir/ Mon, 15 Jan 2018 13:00:08 +0000 http://www.halkynconsulting.co.uk/a/?p=1647 Incident response is often a stressful, high-pressure situation. Responders are desperately trying to claw together information. All around them the world is collapsing. Furthermore, everything important seems to be deleted or obfuscated. Yet it is not all doom and gloom. They have memory analysis. Life can be hard for the incident responder. You are faced […]

The post Memory analysis in incident response – never leave home without it appeared first on Halkyn Security Blog.

]]>

Incident response is often a stressful, high-pressure situation. Responders are desperately trying to claw together information. All around them the world is collapsing. Furthermore, everything important seems to be deleted or obfuscated. Yet it is not all doom and gloom. They have memory analysis.

Life can be hard for the incident responder. You are faced with malware and/or attacker tools, often heavily disguised. Attackers pack & obfuscate malware to avoid AV. Memory resident attacks can execute without ever touching a disk. Even when you think you’ve won, you discover the attackers are back in again. It can be demoralising.

Memory analysis can help you escape this nightmare cycle.

What do we mean by memory analysis?



At a very high level, we mean collecting RAM from a machine in support of incident response. This can come in many forms.

Computer memory can be thought of as the space your computer uses to do things. This is where things like the screen you see on login reside. You open a new application, it is loaded into memory. For Windows users, if you open Task Manager, that list of running processes are all in memory. Also increasing memory is a fast way to really boost performance.

Memory is really important. This is just as true for the investigator. Because of what it holds, memory analysis can be very revealing.

The most striking demonstration is in hunting malware.

Crafty attackers change their code to avoid detection. They encrypt payloads to fool monitoring. They armour their attacks to make life harder for reverse engineers. All of this can be very effective and it makes life hard for responders.

However, in memory, things are very different. Malware in RAM is exposed. It has to run, so it has to be readable. As a result of this, memory analysis can give a clear insight into attacks. For most investigations, this makes a significant difference.

Some problems

However, it isn’t simple perfection. As you might imagine, memory analysis has its own problems.



First of all, memory is volatile. This means it changes and when the system loses power, memory is often gone. Often but not always. In incident response, one of the first things you should do is capture the memory. Even if you later don’t need it. If you don’t grab it at the start, you may never get it.

Sometimes you don’t have any choices here. Often, troubleshooting involves a power cycle. People who panic may pull the power cord. All of this goes towards flushing volatile memory. Consequently, investigators get cold, dead, computers to analyse. Yet, despite this, there are still opportunities (hiberfil.sys/pagefile.sys). More on this in a future post.

Another issue is memory can be big. Modern computers often have at least 8GB of ram. If you are looking at servers then 32GB and upwards is normal. This is great for performance. Because of this size, however, memory capture can be slow. It can frequently take over an hour to capture RAM. This might sound trivial but during that time, the RAM will have changed a lot. The volatile nature can be a nightmare for unsuspecting investigators.

Memory analysis solutions

Above all, good incident response processes help. Have the right tools available to capture memory. Make sure captures start first. Make sure there are good records. All of this works towards mitigating problems.

There are lots of memory collection tools. Rather than think “TOOL X” is the best, try them all. Find the one which fits with your workflow the best. Then learn its strengths and weaknesses.



When it comes to analysis itself, there are two main tools to consider.

First of all, Volatility is one of the best-known tools. Every responder should have at least a basic understanding of how to use this. It is free, open source and cross-platform.  Volatility is written in Python, making it easy to extend. One of the best things is the sheer range of community plugins available.

The second tool you should look at is Rekall. In some respects, this is more polished but right now it has fewer plugins. Rekall can be faster with new operating systems and integrates well with IR tools.

Finally, out of the main tools, is Redline. This is a free product provided by Mandiant. Unlike the other two, this is a fully GUI tool. Redline provides an easy to use interface at the cost of some flexibility.

Just like with collection, never feel you have to pick one tool over others. Practice them all. Then use them all. Learn how the results from one tool lead to the next. Most of all, become proficient at using the right tool for the right task.

A good example is to use Redline first – giving you high-level insights. Then use Volatility to drill into details.

Memory Analysis – Volatility Plugins

Finally, as mentioned, the strength of Volatility is the community plugins. To this end, on Taz Wake’s GitHub pages we will be releasing IR plugins for everyone to use/ adapt/develop. Feedback is always welcome.

The post Memory analysis in incident response – never leave home without it appeared first on Halkyn Security Blog.

]]> 1647 http://www.halkynconsulting.co.uk/a/2017/12/christmas-seasonal-shutdown/ Thu, 21 Dec 2017 09:00:28 +0000 http://www.halkynconsulting.co.uk/a/?p=1637 Merry Christmas Halkyn Consulting will enter its Christmas shut down period on Friday 22 Dec. We remain closed to new business until Tuesday, 2 Jan 2018. As always, existing customers can still engage us through the normal means. So all that remains now is for us to wish all of you a Happy Solstice, Merry […]

The post Christmas – Seasonal Shutdown appeared first on Halkyn Security Blog.

]]> Merry Christmas



Halkyn Consulting will enter its Christmas shut down period on Friday 22 Dec. We remain closed to new business until Tuesday, 2 Jan 2018. As always, existing customers can still engage us through the normal means.

So all that remains now is for us to wish all of you a Happy Solstice, Merry Christmas and a Happy New Year. We look forward to working with you in 2018. Stay secure.

The post Christmas – Seasonal Shutdown appeared first on Halkyn Security Blog.

]]> 1637 http://www.halkynconsulting.co.uk/a/2017/12/memory-checklist/ Sat, 09 Dec 2017 23:40:44 +0000 http://www.halkynconsulting.co.uk/a/?p=1606 No matter how much expert knowledge you have, how good you think your memory is, using a checklist is simply good security practice.

The post Checklist or your memory, is one better? appeared first on Halkyn Security Blog.

]]>

Quite rightly, security professionals are proud of how much information they hold in their heads. There is no doubt that to be effective you need to have immediate access to lots of different concepts. However, the really effective ones also have a checklist.

First off – the problem. Lots of certificate exams are memory tests and lots of hiring managers believe tests “under pressure” show value. But really this is just a test of how much information you can hold for a short period of time. This is great if you are sitting a closed-book exam. It is also why boot camps work. Now ask yourself – is hearing something & remembering it long enough to answer an exam question a good thing? In practice, to be good at your job you just need to know what you have to look up and be able to look it up quickly. Having a checklist is a definite win.

Checklist vs You?

The next issue is simply ego. We believe we know security so having to stop and follow a guide is somehow embarrassing. Everyone has confidence issues and when we see other people reciting things from memory (for example, dropping into conversation that ISO27001 Annexe A, 9.3 is User Responsibilities), it can be daunting.

Here, the simple thing is to realise it is irrelevant. If someone has memorised Annex A, the CSA CCM, NIST SP800-53 or whatever, be pleased for them but it may help less than you think.

Other than a tiny percentage of people who are truly able to memorise and recall on demand, most people actually remember less than they think. They may truly believe they have memorised Annex A and, if they are good, they will be right 90% of the time.

And there is the point. They will be wrong 10% of the time. This may not matter (getting 9.3 and 9.4 mixed up isn’t really a life or death issue) but when it is important, you need a checklist.

Rather than say “you aren’t good enough to memorise (whatever)”, using a checklist says you are professional enough to realise that it is IMPORTANT that nothing gets overlooked. You realise it is IMPORTANT that every step gets followed. There is a reason why experienced pilots still go through a checklist before every flight.

When do I need a checklist?

So, the simple answer to this difficult question is – whenever it is important that every step is followed or every option is considered. Only you can be the judge of that, but try to avoid letting your ego take over and decide “hey, a true professional would know to do it this way.”

The main examples we recommend checklists are for:

• Incident Response. Here the importance is to make sure the right steps happen in the right sequence, every time, in a high-stress situation. Every collection must be forensically sound and every analysis must be methodological. This is crying out for a checklist response.
• Audit and Assessment. Different importance. Now, this isn’t about the stress it’s about dealing with tedium. Every audit must be repeatable and follow the exact correct steps. You can’t miss anything out and you need to deal with the fact that as you get bored, your mind wanders. Following a checklist can save you. An example of this is the ISO27001 self-assessment checklist we provide.

There will be lots of other situations – some of which you will need to decide for your organisation. Sadly we don’t have a checklist for “situations where you need a checklist”.

Whatever you do, don’t let your ego force you to try to remember things when you don’t need to. Save your brain power to think of innovative solutions to problems and use the checklist to manage your back-end processes.

The post Checklist or your memory, is one better? appeared first on Halkyn Security Blog.

]]> 1606 http://www.halkynconsulting.co.uk/a/2017/09/threat-hunting-essential-every-business/ Tue, 12 Sep 2017 19:17:32 +0000 http://www.halkynconsulting.co.uk/a/?p=1570 Lots of articles, blog posts and webcasts talk about threat hunting. Despite this few, if any, organisations do it. This is a mistake. Security hit the headlines again recently, when Equifax admitted to a breach exposing around 143 million records of personal data. While details are still emerging, it looks like the attackers compromised an […]

The post Threat Hunting – essential for every business appeared first on Halkyn Security Blog.

]]>

Lots of articles, blog posts and webcasts talk about threat hunting. Despite this few, if any, organisations do it. This is a mistake.

Security hit the headlines again recently, when Equifax admitted to a breach exposing around 143 million records of personal data. While details are still emerging, it looks like the attackers compromised an external website and exfiltrated the data. There are no specifics on the attack yet but it takes time to copy out that much data¹. Good threat hunting uses this time to detect attackers. This would have allowed Equifax to implement countermeasures to minimise the breach².

Any organisation can threat hunt. Threat hunting uses your existing security controls to identify attackers before they can destroy your business. It doesn’t replace anything. You cant use it to replace your AV or firewalls, no matter what vendors say. Hunting doesn’t mean you can get rid of your incident response teams.

In our experience, effective threat hunting simply makes everything else work better. The hunts give your IR teams better data to work from. Lessons you learn from hunting helps establish more effective controls.  In short, good threat hunting makes everything better.

Every organisation should hunt threats on their network. You don’t need to buy anything new and you can do it with your own staff. This post gives some tips to get you started but nothing beats experience and formal training. Halkyn Security offer a threat hunting service, which includes helping set up your teams to hunt. However if you want formal training we strongly recommend SANS courses, at least for key staff.

Cyber Security and Threat Hunting

Traditional security focuses on established controls. This is your firewall, endpoint antivirus, mail filter and similar tools. A very good example of traditional security is the Cyber Essentials scheme. As the name says, this is essential.

Next you need to ensure a way to respond to incidents. From Talk Talk to Equifax, it is apparent that incidents will continue to happen. As a result, incident response really does matter.

Even with this in place, problems will still happen. Advanced Persistent Threat might be a marketing term, but the reality is persistent attackers exist. Criminals, or nation states, will spend time subverting your controls.

Here lies the problem. If an attacker can bypass your controls, what triggers your incident response process? Often, sadly, it is public notification when other people discover your breach.



Defending your information relies on a simple equation. If the time to detect (D) the attackers and the time to respond (R) to the attack is less than it takes the attacker (A) to complete their mission, you win. If it isn’t, the attacker wins. The fundamental goal of threat hunting is to speed up your side. This is how you win.

When the dust settles, it turns out most breaches last months. Attackers spend time moving around. They collect sensitive data. The data is hoarded into staging servers. Eventually, the attackers exfiltrate the data. At this point it is too late for anything other than a PR exercise to limit the damage. However, in the weeks and months before this your organisation has thousands of opportunities to detect and defeat the attack. Threat hunting really does make the difference.

Threat hunting for beginners

You agree threat hunting is a good idea, now where do you start? This guide can help but remember nothing matches either skilled staff or bringing in dedicated threat hunting teams.

To get started, think of each threat hunt as a way of testing a theory. Build a theory. Decide what evidence would support it (or disprove it) and then collect the data.

Every environment is different so we cant give you a specific examples for your network here. However, we can provide some examples you might want to tailor:

Threat hunting example scenarios

Here are some example threat hunting scenarios. This is not an exhaustive list and the idea is you will build on this to develop good practices for your own organisation.

Network Threats

• Command and Control Channels. If you have a compromised device, it has to talk to the attackers. Collate your firewall and proxy logs. Split them into hourly segments. Find any device which is present in every segment. Establish why.
• Unusual protocols. Check the data going out of your organisation. If you see encrypted traffic on port 80 it is unusual. Establish what has caused this.
• Suspicious encryption. When your users visit HTTPS sites, there is a TLS/SSL handshake. When malware calls home it normally uses preset encryption. Look at your Port 443 traffic and investigate any connections without a handshake.

Endpoint Threats

• Persistence. Collate startup entries (registry keys, autoruns etc) from all endpoints and scan for unusual entries. Any machine with unique software in startup / run keys should be investigated.
• Account use. Collate event logs from all endpoints and scan for user account logins. Investigate outliers and unusual events like remote logins with local accounts.
• Unusual software. Audit the software installed on all your devices. Sort the list to identify what software is only on one or two devices. Investigate this software.

Threat Hunting – the future

As we said, this is just the start. Run some hunts with the information here and see what happens. If you find attackers, roll into your incident response. When it comes to the lessons learned feed back into your future threat hunting. As you mature, you can integrate threat intelligence feeds.

If you aren’t sure where to begin, consider sending your staff on training courses or bringing in external help.

The more you hunt, the better you will get and the more you will learn. The time to start is right now.

---

1 – If each record was 1kb in size, this is a 143gb data set for the attackers to exfiltrate without detection.

2 – We have no way of knowing if Equifax was running threat hunts or had other controls in place. This is not a dissection of their specific situation, it is just an example.

The post Threat Hunting – essential for every business appeared first on Halkyn Security Blog.

]]> 1570 http://www.halkynconsulting.co.uk/a/2017/03/uoc-cybersecurity-conference-2017/ Thu, 23 Mar 2017 09:15:50 +0000 http://www.halkynconsulting.co.uk/a/?p=1552 Cybersecurity is big news with governments and businesses suffering at the hands of cyber attacks. As a result of this, the University of Chester (UoC) STEMs society is hosting a Cybersecurity Conference on the 28th March 2017. The primary aim is to raise awareness of Cybersecurity. In addition, it will provide an opportunity to build professional networks and encourage career […]

The post UOC – Cybersecurity Conference 2017 appeared first on Halkyn Security Blog.

]]>

Cybersecurity is big news with governments and businesses suffering at the hands of cyber attacks. As a result of this, the University of Chester (UoC) STEMs society is hosting a Cybersecurity Conference on the 28th March 2017.

The primary aim is to raise awareness of Cybersecurity. In addition, it will provide an opportunity to build professional networks and encourage career development. Most of all this event provides an opportunity for you to ask any questions you might have. The current line up of speakers includes some genuine experts. As a result this presents a great opportunity to discuss what matters to you.

The event is at Thornton Science Park and UoC staff, students and guests are welcome.  Advance registration is required via EventBrite and it starts at 1700hrs. Attendance is free. So there really is no reason to miss out on this event.

UoC CyberSecurity Conference

The guest speakers include:

• Taz Wake – Cybersecurity and Risk Consultant at Halkyn Consulting Ltd, based in North Wales.
• James Simpson – Cybersecurity Consultant & Director at Secti Ltd, based in Shropshire.
• Matt Hull – MSc Student at the University of Chester & Detective Constable at Cheshire Constabulary
• GCHQ – GCHQ defends Government systems from cyber threat, provide support to the Armed Forces and strive to keep the public safe, in real life and online.
• Detective Superintendent Jon Betts – Head of Criminal Justice & Custody at Cheshire Constabulary

While the event is on, free refreshments, including pizzas, will be provided.

Please note, Thornton Science Park is an access controlled site. As a result all guests are required to register in advance. Also, all guests are to use car park B for parking. More details are available from the event organiser or the EventBrite page.

In conclusion, if you live in the North West and have even the slightest interest in Cybersecurity, you should attend this event. So dont hesitate, book it now on EventBrite.

The post UOC – Cybersecurity Conference 2017 appeared first on Halkyn Security Blog.

]]> 1552 http://www.halkynconsulting.co.uk/a/2017/03/dashboards-vs-security-really-helping/ http://www.halkynconsulting.co.uk/a/2017/03/dashboards-vs-security-really-helping/#comments Mon, 20 Mar 2017 14:06:24 +0000 http://www.halkynconsulting.co.uk/a/?p=1539 Metrics, Dashboards and Security Like them or not, metrics are a fundamental part of every organisation. Security doesn’t get to a free pass. It is a rare CISO who doesn’t demand dashboards showing how all the security controls are performing. Therefore for most organisations, this is a fight long lost. This may not always be a […]

The post Dashboards vs Security – are they really helping? appeared first on Halkyn Security Blog.

]]> Metrics, Dashboards and Security



Like them or not, metrics are a fundamental part of every organisation. Security doesn’t get to a free pass. It is a rare CISO who doesn’t demand dashboards showing how all the security controls are performing. Therefore for most organisations, this is a fight long lost. This may not always be a bad thing either.

Really, dashboards are a good way of showing metrics. Metrics themselves aren’t inherently evil. As a result, you’d think dashboards would enhance your infosec work.

However, all to often the opposite is true. Metrics end up collected just for the sake of it. As a result, dashboards end up being nice shiny things for people to stare at. This is not good.

What do you mean?

First off, an example to explain this. Two of the most common metrics collected in security are patching and anti-virus status. Both are generally good things so people want to measure them. As a result, these are often cited in security guidance – such as CSO Online’s article. While this seems like a great idea it has problems.

• Patching. Nearly every program will measure things like the number of systems patched to “current” levels. Normally this means they’ve had all the patches applied within 48 or so hours. For most enterprises, hitting 95% here is a really good thing and will be green on the dashboards.
• Antivirus. Another common one where people measure the number of systems with recent AV updates. Most of the time this is “updates issued in the last 24 hours” with 98% compliance target. As a result, unless things break, it is often green.



The problem is that this dashboard doesn’t tell you anything useful. If your organisation has 200 systems, you could have 10 totally unpatched and 4 without any functional AV and still show green on the dashboard. One phishing campaign and 4 – 10 machines are compromised. All the while, your dashboards show green and the attacker steals data.

So, is there really any value in this obsession with metrics?

Actually, yes. Metrics do have a place in every organisation. Just not driving dashboard showing your executive view of security. Its important to pick good, effective metrics. It is more important to truly understand the message they give you.

Dashboards, what are they good for?

Actually, lots of things.

Metrics are best at showing things which are changing towards a target. They are brilliant at project measurements. Also, they are good at showing progress towards a goal. These are all areas where metrics excel.

When it comes to “steady state” measurements, it is a bit different. They can do it, but you need to realise they are telling you something different. Metrics tell you what your risk level is and help drive improvements. They help support compliance programs. This is all useful stuff.

However, most dashboards don’t give you situational awareness. Don’t let them trick you into thinking they do. Real operational dashboards take a lot of effort to create and manage. If you have an out-of-the box product, you don’t have this.

What should you do?

If your dashboards are basically compliance reports, then accept it. Compliance is good but it isn’t security. Educate yourself that green doesn’t mean secure, it just means things are operating. Use them to inform your risk management but remember 1 vulnerable device is enough to compromise your entire network.

Take time to decide if you want security metrics. If you do, fully understand what you want them for. Without this, your dashboards will be pointless. Try to avoid simply googling for ideas. Good security metrics come from your organisations controls & requirements – not a template.

If you really want security monitoring, then don’t go for dashboards, monitor your enterprise. Centrally log events, look for malicious activity and threat hunt. You can measure this but it will never look good on a dashboard.

 

 

The post Dashboards vs Security – are they really helping? appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2017/03/dashboards-vs-security-really-helping/feed/ 1 1539 http://www.halkynconsulting.co.uk/a/2017/03/security-incident-response-matters/ Wed, 08 Mar 2017 21:42:00 +0000 http://www.halkynconsulting.co.uk/a/?p=1523 Incident response is one of those things you really hope you’ll never have to use, but know you will. Or at least you should know! Even with the best security, there will come a day when you are up to your eyes in chaos. Either a live security incident or, worse still, picking up the pieces […]

The post Security Incident Response Really Does Matter appeared first on Halkyn Security Blog.

]]> Incident response is one of those things you really hope you’ll never have to use, but know you will. Or at least you should know! Even with the best security, there will come a day when you are up to your eyes in chaos. Either a live security incident or, worse still, picking up the pieces after a breach.

This has stood out a couple of times recently. Someone appears to have breached the US Central Intelligence Agency and, at the opposite end of the spectrum, a small business in the UK looks seriously hacked. Two events which, although unrelated, show that whoever you are, security events are inevitable. Equally inevitable, some will turn into a full blown incident. At this point you realise you have either planned and prepared properly or suffer the consequences.

The UK angle – SME hacked



Chiltern Seeds is a UK based, family run business offering seeds and plants with a personal touch from a small team. They have a web presence which enables them to service customers across the UK. From the available information, they didn’t cut corners. A custom built website supports customers. Payments go to a dedicated provider. Good web practices.

All of this is good stuff. It isn’t enough to guarantee never having an incident though.

At the end of February, they suffered a web outage, followed over the next few days with customers (and curiously some non-customers) getting a very well phrased phishing email. This took them to a page trying to steal payment card information. Details of this stage of the incident are online and well worth reading.

This is a terrible situation for any business, especially a small one who is unlikely to have a dedicated incident response (IR) team. The problem is that this is fairly common. Equally common is the lack of IR preparation. This is where “bad” gets worse. No preparation basically means no real incident response.

There is more pain for Chiltern Seeds with IR work happening in the public domain. Customers (admittedly tech savvy ones) are looking into the incident and drawing conclusions. Customers are challenging the claims made by Chiltern Seeds and for a time at least, they have lost control of the narrative. A bad situation is at risk of spiralling out of control.

IR is there to stop this.

Incident Response – do better!

This post cant cover every possible situation or every possible response scenario. If we tried, it would still fail because IR has to align to your business. However, there are principles to follow.

Plan. Then plan. And then plan some more.



First of all, if you take no other action, come up with an incident response plan. Decide right now what you will do if bad things happen. Don’t try to plan for every possible incident, just plan for high level events. Involve key stakeholders are ensure everyone has an idea of what to do. This is essential if you don’t want to panic when something goes wrong in the middle of the night.

Examples of high level events you should plan for:

• Denial of service attack on your websites
• Malicious software or unusual code on your sites
• Customers reporting suspicious activity
• Unusual events on your firewall or web proxy
• Phishing emails

A fundamental rule is that more planning leads to a better response. There is no escaping this. Accept it and plan.

Scan and Monitor

Your incident response plan is useless if it never triggers. This is more important than you might imagine. If you don’t know you’ve been hacked, you cant respond to it. Additionally, if you only find out about an incident from your customers, it is way too late.

You fix this problem by creating awareness. This includes scanning, logging and, most importantly, analysing the data. However you do this doesn’t matter, just do it. Some key considerations are:

• Learn what your customer facing website code should look like and scan for changes
• Monitor the traffic going through your firewall
• Monitor changes on your PCs, Databases and code repositories
• Scan for vulnerabilities and missing patches
• Scan for sensitive data in the wrong place (such as a PHP include with DB login credentials stored in the root of your webserver)

Respond to the incident at a speed you can manage.

When the inevitable happens, you have to take action. This is where your planning earns its money. Don’t allow the stress and uncertainty of the incident to make you take action before you are ready. One major mistake from the 2015 TalkTalk hack was engaging with the media faster than the incident response teams could gather information. This meant that the message to the public was often confusing and contradictory.

It is vital to engage with the media and your customers quickly. But it is more important to do it accurately. If your message is slow, people will complain. A constantly changing message will create confusion. However, if your message is wrong, it can be catastrophic.

The important thing to remember is that the better you plan, the better your incident response will be. If you want to communicate fast and often, your plan must support it.

Incident Response Matters. Take it seriously.

That is the crucial message here. No matter the size of your organisation, if you have computers or a website, something bad will happen. Don’t be surprised when it does, because you know you need an incident response plan.

 

The post Security Incident Response Really Does Matter appeared first on Halkyn Security Blog.

]]> 1523 http://www.halkynconsulting.co.uk/a/2016/04/north-wales-cyber-security-cluster/ Mon, 18 Apr 2016 07:45:00 +0000 http://www.halkynconsulting.co.uk/a/?p=1481 The North Wales Cyber Security Cluster is meeting on 21 April at Solvings Ltd, in Mold, Flintshire. Solvings provide a great location and the cluster is a wonderful opportunity to learn about cyber security. Access to cluster meetings is free and everyone is welcome. No prior knowledge is needed. There really are no stupid questions! Clusters […]

The post North Wales Cyber Security Cluster – April 2016 Meeting appeared first on Halkyn Security Blog.

]]>

The North Wales Cyber Security Cluster is meeting on 21 April at Solvings Ltd, in Mold, Flintshire. Solvings provide a great location and the cluster is a wonderful opportunity to learn about cyber security.

Access to cluster meetings is free and everyone is welcome. No prior knowledge is needed. There really are no stupid questions!

Clusters exist across the UK and grew out of the UK Governments Cyber Security Strategy. In North Wales, meetings are monthly. Each session comprises a mix of presentations, information sharing and networking.

Halkyn Consulting is proud to be presenting a session on cyber attacks for the April meeting. We will look at why cyber security is different & why it matters. Following this, we will cover hackers. This will include what motivates them and what techniques they use.

In this session we will also present a case study involving a live “hacking” demonstration. This is based on an investigation we carried out for a UK client. The demonstration will show, in near real time, how swiftly hackers can compromise a system. This is true, even for a fairly well secured system.

If time allows, we will cover some additional cases involving blended attacks and newer tools. All of this is based on real-world examples of attacks hitting UK businesses.

To close our session, we will talk about incident response. This is a crucial part of every cyber security plan. We will look at three common IR models. We will also briefly cover the six steps of incident response. A future session will concentrate this in more detail.

Everyone really is welcome to the Cyber Security Cluster. Free up a couple of hours on Thursday and pop in to say hello. Please help to spread the word. North Wales can be a centre of Cyber Security excellence.

You can register for a seat via EventBrite or even just turn up on the day. See you there!

The post North Wales Cyber Security Cluster – April 2016 Meeting appeared first on Halkyn Security Blog.

]]> 1481 http://www.halkynconsulting.co.uk/a/2016/03/ransomware-dont-panic-deal/ http://www.halkynconsulting.co.uk/a/2016/03/ransomware-dont-panic-deal/#comments Tue, 22 Mar 2016 22:32:51 +0000 http://www.halkynconsulting.co.uk/a/?p=1468 Since Cryptolocker appeared in late 2013, it seems hardly a day can go by without some ransomware attack hitting the news. The variations all have entertaining names like Teslacrypt, Locky, PayCrypt (etc). The impact on the victims can be monumental. Tracking sites show new versions appearing several times a day – much faster than most […]

The post Ransomware: Don’t panic – deal with it appeared first on Halkyn Security Blog.

]]>

Since Cryptolocker appeared in late 2013, it seems hardly a day can go by without some ransomware attack hitting the news. The variations all have entertaining names like Teslacrypt, Locky, PayCrypt (etc). The impact on the victims can be monumental. Tracking sites show new versions appearing several times a day – much faster than most Anti-Virus products update their definition files. If you are infected, your files really are lost unless you pay.

All of this points to a specific type of malicious software which is causing some very, very big problems to businesses and home users across the globe. In late 2015, even the FBI suggested paying the ransom was the only option for some victims.

But it doesnt have to be this way. Simple steps can prevent infections. Simple steps can allow you to recover.

If you access the internet or read email ransomware is attacking you. Dont be scared about it. Dont be overwhelmed. Dont think it is not important enough. Dont procrastinate. Just deal with it today.

What is ransomware?

From Wikipedia:

Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.

Although only really in the news a lot now, this type of malware has been around for a long time. In 1989 “PC Cyborg” was locking users computers and spreading via floppy disks. As the internet evolved, so did the ransomware. For a long time, the attacks came in via email and only hit Windows users. However, things are changing. Research indicates that over 50% of infections are from users accessing malicious webpages. This year (2016) has now seen the first OSX ransomware infections hitting Mac users.

The reality is that this is so profitable, criminals will put a lot of effort into keeping it working. If your defences stand still, it will beat you.

Common Myths

There are some common misconceptions around ransomware which hinder investigations. Don’t hinder your response by barking up the wrong tree.

• Myth 1: Ransomware is always sent by email. Far from it. Two years ago this was true, but in the last 18 months things have changed. While email is still a common attack vector, more users are compromised by browser exploits.
• Myth 2: Ransomware is infectious. Most people’s experience of malware is with a virus that spreads by infecting machine after machine. Current versions of ransomware, however do not do this. By its nature, this type of attack tends to be a single shot, with each user having to be infected directly by the source.
• Myth 3: Ransomware targets businesses. No. Most attacks are targeting home users. This is where the attackers make their money. The assumption is corporate environments can recover without paying. However, attackers don’t tend to be choosy, so businesses do get hit.
• Myth 4: Multiple attacks mean targeting. Still no. Ransomware is so common you cant ever assume that several users getting infected is sign that your business is being targeted. It just means attackers have a big list of your email addresses or your users all visit the same sites.
• Myth 5: Only people who visit dodgy sites get attacked. Modern attacks are delivered through otherwise legitimate content delivery networks. Ransomware has infected visitors to newspaper websites, Yahoo pages and much more. Any internet activity can lead to an infection.

Dealing with Ransomware – Simple Steps



For all the trouble it causes, dealing with this form of malware is actually quite simple.

First and foremost is preventing the attacks. This is really important.

However before you go any further, you need to fully understand that nothing will be 100% effective. The more users you have, the greater the chance of an infection. Our experience is that in a given month, you should expect 1 successful infection for every 5000 users you have.

Accept this. Put good controls in place but realise that you will still need to respond.

Prevention first

Good preventive controls will eliminate 80 – 90% of all malware attacks, including ransomware. The exact level of detail will depend on your environment so make sure you plan this properly.

Start with the basics:

1. Patch. Most ransomware attacks exploit unpatched systems. When patches are released you need to apply them as soon as practical. The longer you delay, the greater the risk.
2. Filter emails. You need to inspect anything coming into your environment. Use a good mail filter. Block incoming phishing attacks. Block spoofed mails. Block suspicious attachments. Never trust email. Never allow files with .js, .exe, .wsf or .scr extensions. Scan zip files. Still dont trust email.
3. Run AntiVirus. While it isn’t perfect, AV really isnt dead. If you run a good AV tool, with regular updates and heuristics enabled, most ransomware attacks will be blocked. Brand new variants will still get through, but you will be protected against the thousands and thousands of older versions.
4. Use your firewall. Make sure your firewall blocks outbound connections to known C&C servers. This can disrupt the ransomware as it tries to get the encryption keys, preventing it from running. It isn’t perfect but without it, life is harder.
5. Minimise privileged accounts. Administrator accounts must never be used for routine activity. Privilege escalation must be controlled and, ideally, requires manual credential entry each time. If you absolutely must allow privileged accounts access to the internet, this should be whitelisted. Privileged accounts must never be used to access email. If a privileged account is infected by ransomware everything is much, much worse.
6. Backup. Backup. Backup. Backup. Take backups. Backup everything you can. Data storage is cheap so there is very little reason to not take copies of everything. The more you backup, the faster you can recover from ANY problem. Take daily, weekly, monthly backups. Test and verify them on a regular basis. It is important to make sure any backups you take are “offline” otherwise ransomware can hit them as well as your life system.

Once you have all that, look to up your game:

1. Manage Network Shares. This is the biggest problem for most businesses. Infected users end up destroying files belonging to everyone else because network shares are badly managed. Make sure users only access folders they need to access. If you can, make sure network shares are not mapped as drive letters. Never allow the everyone or all users AD groups to have read/write access.
2. Harden your browsers. Restrict what people can do with downloaded files. Make sure browser activity is AV scanned.
3. Manage application paths. Use GPO or similar to prevent software from running in “unusual” locations. Never allow files to run from %LocalAppData% locations. Ideally whitelist applications you allow to run rather than try to block the ones you dont want.
4. Aggressively filter email. Scan everything. Block macros in attachments. Block anything you cant scan. Sandbox everything which comes in.
5. Install ad-blockers and disable flash. This closes the door on two of the most common web-based attack vectors.

If ransomware prevention fails, respond

Respond, but respond properly. Most of the harm from ransomware is the result of confused, delayed or inconsistent activity by the people tasked with responding.

Step 1: Have an incident response plan and stick to it. Don’t allow panic or knee-jerk reactions to dominate during an attack or things will go wrong. Make the plan when things are calm and trust it. If its bad, fix it after the incident, not during.

Step 2: Dont panic. Ransomware doesnt spread from machine to machine. Take rational steps to minimise business impact. Ignore the people who are screaming about disconnecting everything or shutting everything down. Follow your IR Plan.

Step 3: Know where you are in the attack chain. If you’ve discovered the “ransom note” its too late to do anything to prevent the attack. However if your SIEM has alerted to an blocked outbound connection to a C&C server, you can do things.

Step 4: Dont panic. Seriously. Think carefully about what has happened. If you find the ransom note, there is almost zero value in shutting things down or disconnecting services. The attack is already over. All you are doing is hurting your business more.

Step 5: Identify the point of infection. The first rule is that if you find encrypted files on a server, it probably isn’t the source of the infection. Remember, ransomware attacks people so only systems which allow web-browsing or email can be the source. Don’t waste time looking in the wrong place. Use file modification timestamps and ownership to identify the source. This means you shouldn’t rush in and destroy the evidence.

Step 6: Still dont panic. It is only ransomware. It wont spread from machine to machine. It has either been blocked or finished its attack. Stay calm and follow your IR plan.

Step 7: Clean the source. When you find Patient Zero, clean their system. Ideally rebuild the OS and reset all account credentials. Find out what let the ransomware in and implement fixes.

Step 5: Clean and restore the rest of the environment. Delete the encrypted files and restore from backups. Get your business up and running again quickly.

Assuming you have good backups, following this process means you will lose, at most, a few hours work for one user and a couple of hours to restore backup files.

This is a far cry from the Hollywood Presbyterian Medical Center which paid a ransom of US$17,000 or Kentucky’s Methodist Hospital which declared a state of emergency to deal with a ransomware attack. It is also quite different from Lincolnshire County Council which had to shut down all its IT services for five days to deal with one ransomware attack. On a smaller scale, although possibly with much greater impact, dont be like the Denbighshire based small business which was nearly wiped out by ransomware.

Don’t make the same mistakes. Implement good practices. Plan well. Prepare for attacks and respond to ransomware in an appropriate manner. Don’t make a bad situation worse, just deal with the attack.

Keep in mind, Cyber Essentials is a UK government initiative which is geared towards organisations implementing cost-effective controls which are very effective at minimising the risks from attacks like ransomware. If you achieve certification then there is a good chance you’ve covered the basic requirements! Get in touch if you want to find out more about how you can become Cyber Essentials certified and protect your business & your supply chain.

The post Ransomware: Don’t panic – deal with it appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2016/03/ransomware-dont-panic-deal/feed/ 5 1468 http://www.halkynconsulting.co.uk/a/2016/02/cyber-essentials-would-it-have-saved-lincolnshire-county-council/ Mon, 01 Feb 2016 09:00:47 +0000 http://www.halkynconsulting.co.uk/a/?p=1451 Cyber Essentials is a UK Government driven scheme which is designed to help businesses of all size reduce the risk and impact from malware attacks. It is mandatory for those who provide services to the MOD. Cyber Essentials is becoming mandatory for those who provide services to any other government department – including local government […]

The post Cyber Essentials – Would it have saved Lincolnshire County Council? appeared first on Halkyn Security Blog.

]]>

Cyber Essentials is a UK Government driven scheme which is designed to help businesses of all size reduce the risk and impact from malware attacks. It is mandatory for those who provide services to the MOD. Cyber Essentials is becoming mandatory for those who provide services to any other government department – including local government and councils.

This is a good thing.

Despite there being some criticisms of Cyber Essentials, the scheme does what it says on the tin. It helps businesses prevent things like ransomware knocking them out.

Sadly, not every government department practices what they preach.



Around 26 January 2016, Lincolnshire County Council was hit with a ransomware attack. Initial reports from the BBC claimed the demands were for £1m. However by the end of the week this had been corrected to the more normal £300.

Ransomware can be devastating for home users. It has the potential to destroy priceless data. Few home users take proper back ups and end up having to pay. This means there is a lot of money to be made.

Organisations are different. The assumption is they will have backups. There is also an assumption they will never pay. This all means criminals very rarely target businesses with ransomware. What is likely to have happened is simply a user made a mistake with their email.

This happens a lot. It is also one of the reasons why Cyber Essentials was created and why it is so valuable for businesses.

Would Cyber Essentials Have Helped?

Within the Cyber Essentials framework there are five security control areas. These are the foundations of good security.

1. Boundary Firewalls & Internet Gateways.
2. Secure Configuration.
3. Access Control.
4. Malware Protection.
5. Patch Management.

As you can see, it is simple. It is also very effective. Good controls for all five are likely to have prevented the ransomware attack. Even if they didn’t, the Council could have bounced back in less than a week.

If Cyber Essentials had been in place, the following should have worked:

• The initial phishing attack should have been detected at the boundary.
• If devices were properly configured, ransomware would struggle to run. There would also be no fear of lateral movement. This fear forced the council to shut down all services for a week.
• Secure configuration also includes a working backup policy. Taking a week to restore from backups is shocking.
• Good access control policies would prevent the ransomware encrypting anything other than the files belonging to the infected user.
• Having effective anti-malware means using more than “signature based” detection. The news reports all state this ransomware variant was too new for AV signatures. This means that they were not using heuristics….
• Most, if not all, ransomware relies on systems missing critical patches.

In a nutshell, Cyber Essentials would have saved the Council here. The worst that ransomware should do is a few hours downtime for one user while you restore from backups. Everything else means you’ve made major mistakes.

Ransomware isn’t new. It shouldn’t be unexpected. Suffering from it should no longer be acceptable. If you outsource, you absolutely MUST ensure your provider knows what they are doing. This does not seem to be the case here.

Cyber Essentials is not a silver bullet. However, it will prevent 80% of cyber attacks.

Is there a good reason to not have Cyber Essentials?

The post Cyber Essentials – Would it have saved Lincolnshire County Council? appeared first on Halkyn Security Blog.

]]> 1451 http://www.halkynconsulting.co.uk/a/2016/01/infosec-3-essential-elements-of-your-team/ Fri, 08 Jan 2016 21:06:55 +0000 http://www.halkynconsulting.co.uk/a/?p=1436 As the news often shows, Information Security (infosec) is a big part of any organisation. From the small business with just a couple of computers to the global enterprise, infosec wraps around what you do, keeping you safe. Infosec is the function which keeps you servicing your customers. It protects your data. It ensures that […]

The post 3 essential elements of any Infosec function appeared first on Halkyn Security Blog.

]]>

As the news often shows, Information Security (infosec) is a big part of any organisation. From the small business with just a couple of computers to the global enterprise, infosec wraps around what you do, keeping you safe.

Infosec is the function which keeps you servicing your customers. It protects your data. It ensures that you have a reasonable chance of still working tomorrow.

The challenge is not in realising the need for information security, it is in making it work.

At a very high level you need to ensure that three key elements are in place. With them, you can get world class security. Without them, you will always be behind the curve.

Essential Elements for World Class Infosec in your Business

Good, internal, security team.



This forms the foundations of everything you do so they need to be good. If your team is “average” or worse, fix that before you do anything else.

A good, internal, infosec team will allow you to improve and grow. These will be the people who know everything about your organisation. Your internal team will know where the problems are. They will know who is responsible for systems. They will know what is normal and what isn’t.

With a good internal team, you can parachute in external support and things will just work. It is hard to overstate how important this actually is. One of the biggest mistakes companies make is paying for external services without the internal framework to support it. Avoid this mistake at all costs.

Good external infosec consultants.



Your internal team learn your environment inside out. They become experts in it. However you also need experts on the outside world. Techniques change. Good practice evolves.

Your great internal team needs fresh ideas and fresh input. Rather than have a staff churn, external consultants can provide this.

External consultants can also provide the infosec “bigger picture.” By bringing experience from other companies, they can help you change your ways for the better. This allows you to learn from the pain others have felt.

Sometimes internal infosec teams feel threatened by external consultants, so you need to manage this. Make it clear that the external experts are there to help and support. If you get this right, you will significantly enhance your security.

If you are building a security team from the ground up, then external consultants can give you the knowledge to get things moving. The consultants can help you select a team. They can train your team. They can test and benchmark your team.

Good, ideally external, testers.

Test. Test as much as possible. Pentest, VA scans, etc., they are all good. The more testing you do, the more confidence you can have in your systems. Without testing, you are basically hoping things work well.

You can use internal test teams. These will know where to really probe for dirt. However, they will also suffer from this knowledge. They will attack in the paths you’ve predicted. They will use the exploits you are expecting.

This is good, and much better than nothing. It isn’t perfect and it really isn’t world class.

In the same way external consultants bring new ideas, external testers really push your infosec teams. They will think of things you have never considered. They will test systems in ways you cant imagine. They will show you what an attacker can learn. They will highlight the mistakes better than anything internal.

The biggest “lesson learned” from a real external pentest comes at the end. When your internal team get the report and try to work out how the attackers got in. Spend time looking at how the controls were bypassed. Spend time finding ways to detect it next time. There will be a next time, you just have to hope you are ready before an attacker finds it.

Conclusion – 3 elements for world class infosec

So, in summary, there are three essential building blocks for every infosec team. It is easy to identify them, but it is also easy to overlook one or more. All are essential if you want to drive the maximum security benefit for your organisation.

The real challenge is in making sure you implement all three properly. You need good teams to start with and a plan to make them all better. You need to drive continual improvement. You need to learn from everything that goes wrong. If you do this, you will have a great security team and your infosec processes will be robust.

Need help?

If you need help with this, Halkyn Consulting can offer advice, support, assistance and mentorship at every stage.

We can help you build your internal infosec team from the ground up. We can help you improve them. We can help you benchmark them. We can train your incident responders, we can support your forensics collections.

If you have a good, trusted, internal information security team, we can help bring in new ideas. We can provide external frames of reference. We can help you learn from the lessons other companies suffer.

Take the first steps to improving your security today and get in touch with us to find out more.

 

The post 3 essential elements of any Infosec function appeared first on Halkyn Security Blog.

]]> 1436 http://www.halkynconsulting.co.uk/a/2015/12/incident-response-key-stakeholders/ http://www.halkynconsulting.co.uk/a/2015/12/incident-response-key-stakeholders/#comments Mon, 07 Dec 2015 08:59:40 +0000 http://www.halkynconsulting.co.uk/a/?p=1421 Incident response is a vital component of every organisations security. It provides the safety net for when the inevitable happens and other controls fail. A good incident response team will also have subject matter experts who can guide your entire organisation’s security strategy. If you take security even slightly seriously, you will have an incident […]

The post Incident Response – 5 key stakeholder groups appeared first on Halkyn Security Blog.

]]>

Incident response is a vital component of every organisations security. It provides the safety net for when the inevitable happens and other controls fail. A good incident response team will also have subject matter experts who can guide your entire organisation’s security strategy.

If you take security even slightly seriously, you will have an incident response team. Often called a “CSIRT,” but you may use other titles like SIRT, IRT or CERT. Ideally, you’ve put your technical expertise here so that they can respond to incident across the board. You’ve manned it properly so the team have resources to deal with the volume of incidents you face and you’ve given them the tools to detect, confirm, investigate and contain incidents in a timely manner.

If you’ve done all this, you’ve done well and your response will be pretty good.

However, even the best CSIRT team needs help. Your handlers may be experts but you want them spending time on incidents, not constantly refreshing their knowledge of the ins and outs of your environment.

You can solve this by making sure they interact with key stakeholders in your business.

5 Key Stakeholders for Incident Response

Every organisation is different. However, your CSIRT must find a way to engage with the equivalents of the following groups:

1. IT Services.  Your incident response team need to establish solid relationships with all the key parts of your IT Services organisation. Internally, this includes networking, database teams and developers. Externally you need to include hosting providers and service providers. This is the most crucial relationship they can have.
2. Security Management. You need more than a CSIRT. The incident responders can be expected to own every aspect of security. You need to ensure they have a route to engage other parts of security and especially security management / leadership teams.
3. Legal. Incidents open the door for lots of legal considerations. You need to make decisions about what to report and how significant an event may be. Your incident responders should be technical experts, not legal experts. This means your handers must have a way of seeking guidance from real lawyers. Ignore legal at your peril.
4. Human Resources. Users are a frequent cause of security incidents. Your incident response team need to be able to handle these in the correct way. To enable this, the CSIRT need to engage with HR. Ideally, there will be regular links to ensure compliance and an ad-hoc link when an incident happens. As with legal, ignore HR at your peril.
5. Public Relations. Incidents can go public with very little warning. No one wants to make the Talk Talk mistake with a CEO talking faster than your incident response team can work. It is vital that your incident response guys engage with PR before and during incidents. Your PR team are experts in making sure the incident response message is the right one. If you need to go public and there is no link between incident response and PR, you will feel pain. Lots of pain.

Incident Response Communications

So, you know it makes sense to engage, but how can you do it?

Step 1: Identify the right people. Find or nominate key individuals within the stakeholder groups. These do not need to be security experts, but they need to be aware of the incident response team’s existence. Make them aware of their duties – normally act as a support point for any incident activity.

Step 2: Set up regular security cadence meetings. People forget things. You can minimise this with a regular meeting between all the stakeholders. You can use this to drive improvements, review previous incidents or just remind everyone.

Step 3: Incident Response Escalations. Your team is in-flight with an incident, have them set up pro-active alerting. Don’t call everyone, every time, but your handlers need to be planning ahead. Your incident response team need to be warming up key contacts so when they have to press the button, it doesn’t shock anyone.

Incident Response Really Matters!



No matter how good your security is, there will be a time when it fails. An attacker will get through.

This doesn’t mean you should ignore other controls. It doesn’t mean you should give up hope.

However, it does mean you need to have a plan B. A good incident response team gives you this plan B.

Your incident response team need your security controls. They need your logs. They need tools to contain incidents. They need skills and knowledge.

When they have all this, the need engagement with others!

With all this, you make it less likely the attackers will “get lucky.”

The post Incident Response – 5 key stakeholder groups appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2015/12/incident-response-key-stakeholders/feed/ 1 1421 http://www.halkynconsulting.co.uk/a/2015/11/halkyn-consulting-site-redesign/ Sun, 22 Nov 2015 18:10:39 +0000 http://www.halkynconsulting.co.uk/a/?p=1402 As you may have noticed, the Halkyn Consulting website has undergone a redesign. This is aimed to improve our responsiveness on multiple platforms, allow us to expand our services without compromising readability and to help showcase our new activities. The new site is now fully live. If you have any comments or feedback we would […]

The post Halkyn Consulting – Site Redesign / Cyber Security Cluster appeared first on Halkyn Security Blog.

]]>

As you may have noticed, the Halkyn Consulting website has undergone a redesign. This is aimed to improve our responsiveness on multiple platforms, allow us to expand our services without compromising readability and to help showcase our new activities.

The new site is now fully live. If you have any comments or feedback we would love to hear from you. You can get in touch with us via the blog or our contact page.

Over the coming months we will continue to improve, based on your feedback. Additionally, we are continuing to add services and this will be the subject of a future blog post. This is all part of our drive to provide world class services across all security disciplines.

Linked to this, we are proud to be active supporters of the North Wales Cyber Security Cluster. This group meets monthly and everyone is welcome to attend. The objective is to help all members learn about cyber security. Each month, different guest speakers cover a relevant topic. This is then followed with extensive group discussion and information sharing. Since joining the Cluster, Halkyn Security is proud to now be considered a core member. If you are interested in cybersecurity, please get in touch with the cluster organiser and come to the next session.

Our plans for the next year are to increase the awareness training packages we deliver. To meet this, we will be speaking to Cluster members about running free sessions across North East Wales. If this would interest you please get in touch. At the end of November Halkyn Consulting is assisting Heimdallr & the GTA. For this event we will deliver a 2 day package on Cybersecurity. Find out more on the GTA Website. Further courses are planned next year.

The post Halkyn Consulting – Site Redesign / Cyber Security Cluster appeared first on Halkyn Security Blog.

]]> 1402 http://www.halkynconsulting.co.uk/a/2015/10/av-is-not-dead-it-just-has-limits/ Mon, 26 Oct 2015 09:00:42 +0000 http://www.halkynconsulting.co.uk/a/?p=1384 Antivirus (AV) has been around for decades now and this is both a good and bad thing. On one hand, AV is so well known most people already understand that they need to have it. But on the other, all the attackers know about it. This means the first step in pretty much every attack […]

The post AV is not dead – it just has limits appeared first on Halkyn Security Blog.

]]> Antivirus (AV) has been around for decades now and this is both a good and bad thing. On one hand, AV is so well known most people already understand that they need to have it. But on the other, all the attackers know about it. This means the first step in pretty much every attack is “bypass AV.”



The reality is, bypassing AV is actually not that hard. Partly this is because there is a tendency for antivirus software to use “signature” based detection. Here, all an attacker needs to do is make an insignificant change and the signatures can be totally different.

Even the better AV products, which uses things like heuristics can be bypassed with freely available tools.  An example is the Shikata ga nai framework designed to leave AV helpless.

The availability of these tools is now so widespread that lots of security professionals are confidently making statements like “AV is dead” or posts titled “Why antivirus protection is a joke.” You can even watch an excellent YouTube video on how to bypass antivirus.

Basically, everything these people are saying is correct. Attackers can and will bypass antivirus. Often they will do it with very little effort.

Despite what the vendor may tell you, you can have a top end, fully updated AV product and still get hacked. A lot.

But this is missing the point. It doesn’t mean that the product is useless or that we should all give it up and live in an AV-free world. It just means that, like every security product, it has its place. Remember, there is no holy grail, silver bullet, product that can do everything and protect you from every cyber threat.

The important thing to remember is if you DONT have antivirus, even the lazy attackers who cant be bothered to bypass it will get in to your system.

Bringing AV Back to Life

So, we’ve established that the reports of antivirus being dead are premature, but what do we do about it?

Remember, security is all about defence in depth. You need to be adding so many layers of controls that the attacker runs out of steam long before they hit your important assets. Within this model, AV has a crucial part to play.

With this in mind, here are our handy hints on how to keep AV alive in your organisation and make sure it is providing the value you expect.

• Review your security model. AV has a part to play but it is only a part. Make sure you have other controls.
• Fund AV properly. Dont blow your budget on an incremental improvement to AV but also dont scrimp and get some freeware version which you cant manage.
• Implement good security practices. Whatever else you do, you need to consider the top three security controls: Application Whitelisting; Patching; Privilege Management. With these in place, your AV works much better. Without them, you will still get hacked. A lot.
• Use your antivirus. We’ve lost count of the number of incidents we are called to support which have an origin in a machine where AV has been disabled or not updated in months. This is poor practice.

The key point here is that AV needs to be part of your security controls. It should never be the only control you have but that isn’t enough of a reason to not have it. While it is possible for reasonably low skilled attackers to circumvent your antivirus controls, you would be amazed at how much it will still stop.

If you implement the three security good practices mentioned above, and run an up-to-date AV tool, 90% (or more) of attacks will fail.

Don’t give up on AV simply because it cant work on its own.

The post AV is not dead – it just has limits appeared first on Halkyn Security Blog.

]]> 1384 http://www.halkynconsulting.co.uk/a/2015/10/supplier-security-a-lesson-for-t-mobile/ Sat, 03 Oct 2015 20:34:29 +0000 http://www.halkynconsulting.co.uk/a/?p=1363 Supplier security is something most organisations are at least aware of, and lots actually realise they need to do something about it. However, most of the time, “doing something” about it involves a quick chat with the supplier, possibly a generic check-list and a review that the contract at least mentions security. The problem is thinking […]

The post Supplier Security – A lesson for T-Mobile appeared first on Halkyn Security Blog.

]]>

Supplier security is something most organisations are at least aware of, and lots actually realise they need to do something about it. However, most of the time, “doing something” about it involves a quick chat with the supplier, possibly a generic check-list and a review that the contract at least mentions security. The problem is thinking if the supplier drops the ball, the supplier will suffer the harm.

This week, T-Mobile USA were unfortunate enough to be the example showing why that mindset is really, really wrong. There is no escaping the fact that supplier security matters. If you aren’t driving them hard things will end badly.

Supplier security – what went wrong for T-Mobile?

First off, for the avoidance of doubt, there is no reason to think T-Mobile have done anything wrong. Nothing here is meant to imply they failed to implement good supplier security controls.

Yesterday, it was reported (here and here) that the credit checking agency Experian had suffered a major breach. The breach exposed personal data belonging to T-Mobile USA customers. Initial reports are that the breach lasted over 2 years and around 15 million records have been compromised.

It seems the attacker(s) accessed a file containing every credit check Experian has ever conducted for T-Mobile. The customers put their faith in T-Mobile and there was no breach at T-Mobile. However, they are still the ones who will feel the impact here.

As an immediate damage limitation exercise, Experian have offered anyone affected by this a free 2 year account on ProtectMyID. Unfortunately this means you need to continue trusting Experian and its not clear how effective a credit checking agency will be at general ID protection.

For T-Mobile, this is a pretty painful situation. They had no breach, but their customers suffered. Some customers will blame T-Mobile for this. Some customers may leave T-Mobile. Customers don’t care about supplier security.

Don’t forget, if this was the UK/EU, the Data Controller is the one who gets the fine not necessarily the data processor.

Supplier security – what should you do?

No one wants to be in the same boat as T-Mobile but every business needs suppliers of some description. So, the question is, how can you check your supplier security is good enough?

Step 1 – actually take your supplier security seriously. Don’t assume it is just a task you have to tick off on an audit list. Don’t assume all your suppliers are the same. You need to fully integrate your supplier security processes in to everything you do.

Step 2 – risk assess your suppliers. Not all suppliers carry the same risk. Not all suppliers need the same level of scrutiny. Supplier security is never a one-size-fits all problem. Some suppliers will provide business critical services. Some will be able to cause you massive reputational damage. Some wont. You need to understand every supplier. In some cases, it may even be necessary to war game possible scenarios so you can really understand how things can go wrong. Figure out what happens if they go bust, get breached or just mess up. Once you know this, you know how much pain you can feel from this supplier.

Step 3 – drive the supplier security process. The low risk suppliers can probably stay with the check list approach. The high risk suppliers really need a dedicated supplier security assessment. This means you need to dedicate resources to go and fully understand how the supplier protects your services. If they aren’t up to scratch, find a new one.

Supplier security doesn’t need to be hard.



There are lots of resources available to help with supplier security assessments – such as our free Supplier Security Assessment Questionnaire, or if you are willing to pay, the Supplier Security Evaluation Tool (SSET) provided by the ISF.

Whatever approach you decide, the most important thing is having an approach to supplier security which you actually use.

Never allow yourself to fall into the trap of thinking your suppliers don’t need supervision. Never fall into the trap of thinking that their problems will only be their problems. Never fall into the trap of assuming contracts will protect you.

Supplier security is important. Never forget that.

The post Supplier Security – A lesson for T-Mobile appeared first on Halkyn Security Blog.

]]> 1363 http://www.halkynconsulting.co.uk/a/2015/09/phishing-and-malware-fedex-missed-delivery/ http://www.halkynconsulting.co.uk/a/2015/09/phishing-and-malware-fedex-missed-delivery/#comments Tue, 08 Sep 2015 22:26:23 +0000 http://www.halkynconsulting.co.uk/a/?p=1356 It seems that every day, new script kiddies discover the likes of the Social Engineering Toolkit or Metasploit and launch a new wave of phishing attacks. Unfortunately it seems that this time the attackers are too lazy to even try. Today’s email – screenshot on the right – is a reasonably straight forward phishing attempt. The […]

The post Phishing and Malware – FedEx missed delivery appeared first on Halkyn Security Blog.

]]> It seems that every day, new script kiddies discover the likes of the Social Engineering Toolkit or Metasploit and launch a new wave of phishing attacks. Unfortunately it seems that this time the attackers are too lazy to even try.



Today’s email – screenshot on the right – is a reasonably straight forward phishing attempt. The idea is to convince the victim that the attachment is interesting enough to open. When it is opened, bad things happen.

Normally, a phishing attack will put at least a bit of effort in, but not this time.

As you can see, the text itself is very short. This may be an attempt to avoid spam filters but it also has the effect of making this email look like almost NO other commercial email. As an example, When was the last time you got an official email without a pointless disclaimer somewhere?

Secondly it ticks every box in the “anti-Phishing” awareness lessons:

• The from address name doesnt relate to the displayed address.
• It doesnt mention me by name.
• The English doesnt make sense.
• The dates are the wrong way round (for British people!)
• Having an email address of @tauntsociety.com just seems designed to raise suspiciouns.
• It makes no sense to send a shipping label by email, let alone have it in a zip file.

None of this is encouraging me to open the file. Hopefully no one reading this would open the file either. However, sadly, there are enough people who will, to make the attacks continue.

Newbie Phishing or did it get some things right?

Amazingly some parts of this attack are effective, but I dont think that is a result of the phishing source. Its more a case of chance.

• The email arrived into Exchange today and was not detected as malicious by two web based mail scanners.
• The email was delivered to the client machine and not detected as malicious by the local AV (Avast) or Windows Defender. (This is unusual as a check on the hashvalue at Virus Total says Microsoft detects it as malware)
• The payload is detected by Sophos as a ransomware trojan dropper so any unwitting home users who have run this are likely to either lose all their data or pay the ransom.

Ransomware is very big business so it is surprising that the attackers here have gone to the trouble of finding malware less than half the AV clients will detect (and most only with very recent database updates), but spoiled the phishing attack with terrible execution.

Surprising and fortunate for a lot of people really.

Phishing is here to stay

The main take-away lesson here is that phishing attacks will never go away. Some will get through every technological defence you have so it is critically important that you secure the human.

There is no escaping this. If your users are not security aware, you will lose data to these attacks as long as you are on the internet.

Techie Bits – The Phishing Attack Path

Looking at the message headers, it looks like this attack has been launched by someone using a form t0 email script on either a site they manage, or one with very weak controls.

Below is the list of message headers, and I’ve marked in bold the interesting bits. (And yes, I’ve redacted a couple of bits because it shows some internal data I dont want webscrapers to pull out of the text, no other reason).

Received: from [REDACTED] ([REDACTED]) by mx.kundenserver.de
(mxeue106) with ESMTPS (Nemesis) id 0LbeXr-1YonOk26NH-00lDRc for
<REDACTED>; Tue, 08 Sep 2015 07:01:13 +0200
Received: from gateway36.websitewelcome.com ([50.116.126.2]) by
mx.kundenserver.de (mxeue106) with ESMTPS (Nemesis) id
0Lo4jI-1Z2KB721JA-00fwNj for <REDACTED>; Tue, 08 Sep 2015
07:01:13 +0200
Received: by gateway36.websitewelcome.com (Postfix, from userid 1000)
id 079D6A7914FD7; Tue, 8 Sep 2015 00:01:12 -0500 (CDT)
Received: from sheridan.websitewelcome.com (sheridan.websitewelcome.com [192.185.83.170])
by gateway36.websitewelcome.com (Postfix) with ESMTP id 02213A7916142
for <REDACTED>; Tue, 8 Sep 2015 00:01:12 -0500 (CDT)
Received: from valence by sheridan.websitewelcome.com with local (Exim 4.85)
(envelope-from <valence@sheridan.websitewelcome.com>)
id 1ZZB1r-000SER-Po
for REDACTED; Tue, 08 Sep 2015 00:01:11 -0500
To: REDACTED
Subject: Shipment delivery problem #00963055
X-PHP-Script: tauntsociety.com/post.php for 195.228.155.205
Date: Tue, 8 Sep 2015 00:01:11 -0500
From: “FedEx 2Day” <marion.estes@tauntsociety.com>
Reply-To: “FedEx 2Day” <marion.estes@tauntsociety.com>
Message-ID: <d82c38c685b2827699dc64547da46f1d@tauntsociety.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=”b1_4ea1c7b3b292b76548671d11a5513ac6″
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – sheridan.websitewelcome.com
X-AntiAbuse: Original Domain – halkynconsulting.co.uk
X-AntiAbuse: Originator/Caller UID/GID – [2477 32007] / [47 12]
X-AntiAbuse: Sender Address Domain – sheridan.websitewelcome.com
X-BWhitelist: no
X-Source-IP:
X-Exim-ID: 1ZZB1r-000SER-Po
X-Source: /opt/php54/bin/php-cgi
X-Source-Args: /opt/php54/bin/php-cgi /home/valence/public_html/tauntsociety.com/post.php
X-Source-Dir: valencestreet.com:/public_html/tauntsociety.com
X-Source-Sender:
X-Source-Auth: valence
X-Email-Count: 2
X-Source-Cap: dmFsZW5jZTt2YWxlbmNlO3NoZXJpZGFuLndlYnNpdGV3ZWxjb21lLmNvbQ==
Content-Transfer-Encoding: 7bit
Envelope-To: <REDACTED>
X-UI-Filterresults: notjunk:1;V01:K0:qdxaUM074Do=:ERu/AyiRUwE+dkIYUTry1QLuld
RiwUfU76tsxGWh3tj7pO8+nRn2+93rW0rJF/SYfshLWPyLBZTtkmTI5nPp1KlrYWjeqls+5tM
2Yii7RrJuUdm1835qim6c9yqTBiwuL+ite7F2RDuJzaAKUS4TppyZc/CZyV09CcSOA4hN8It/
7weuLi/lsI9Ni90Bpj2l2UJdkCOSblgS/wfSVYc7/VUgT64ibY5VWmRGIlyNEeOuR8KSpdHp0
JKgGwUvHOXR9vSOP6lNhwgeJNWbKWBDnDmqud4C9h3uJUq/Nf5AcmGG3sVjFrIiMGPAssglbe
OgFpYDplFUOyrRyVqnMf2WrqmbChGruU8RgW7fD9limqkBwAXq8bO0iSjg/c48W0rnyqwaHZR
zlc4PWu98IDpXgkOllcXAOyZHIoimL7JW8xdXaZCsYkiRMvebQFWG7rYVX2j5gG1KeYR1PdMG
amFuVrQL1D5nCpCByoOXIMfIk8dEsH81B+whRv2rUUC3w1rHiIgOMv9NQNRp+7Vp/aL6xaw6b
pVt39gmDo6kF/OnWxL+pY7tdkrz96aILPs6Smz29I+dDFJ0i0GZtcKMFCdjnfWe+GTkf6TNAp
yJp3xIPCOABU9oauWLaPib3ZFY8rLmxwdrG3lHoceq85oVx0rId4Hm0jgu581hV5dF36T1w62
Ud2qputDDhD4Wsmy3Km8tp7x31LkimF3q9VLVPjuBewfHClw1EK1xmvhKyXXm+oKh33NDbm+N
8pFKxmx6xhWz1KxT6cWyzc8nYAGQpESX6w==
X-Antivirus: avast! (VPS 150907-1, 07/09/2015), Inbound message
X-Antivirus-Status: Clean

This appears to show a couple of things:

• The attack was launched from a post.php script on tauntsociety.com
• The from and reply-to addresses are completely untrustworthy as this is a phishing attack designed to get the victim to open a payload, not reply. This means there is no reason to assume they point to a valid mailbox. However in this instance, they point to one on tauntsociety.com.
• The mail went via websitewelcome.com’s email server using an account called valence@sheridan.websitewelcome.com
• Websitewelcome.com appears to provided to resellers by HostGator and it appears that sheridan.websitewelcome.com hosts a CPanel portal for webmail.
• Both valencestreet.com and tauntsociety.com are registered by the same person at 2400 Valence Street, New Orleans. This appears to be a residential address and the owner has used a gmail account to sign up.
• The tauntsociety website looks like it hasn’t been cared for in a while although there is an associated twitter feed which is very active.
• The header data here does not give us any better insight into the source of the phishing attack than it came from “valence”.

Based on the totality of information here, the most likely attack path is that a malicious party has used the script on tauntsociety to send an email. It is also likely that the script is hardcoded to present the valence@sheridan.websitewelcome.com account credentials.

While this instance has been a private individual, who may or may not have the knowledge to properly secure a website, similar attacks happen using corporate servers every day.

At Halkyn Consulting we research this out of curiousity, but some attack victims will be reporting it to the police. It may be possible for them to be more accurate than the “Valence” account but this is very much a gamble and it is just as likely that websitewelcome.com don’t store any more details than the credentials used.

As a result, if your company owns sites with scripts that fall out of good management, you will find yourself liable for the misuse. And you really dont want that.

The post Phishing and Malware – FedEx missed delivery appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2015/09/phishing-and-malware-fedex-missed-delivery/feed/ 4 1356 http://www.halkynconsulting.co.uk/a/2015/08/finphishing-8-steps-to-criminal-profits/ Fri, 28 Aug 2015 14:33:12 +0000 http://www.halkynconsulting.co.uk/a/?p=1345 FinPhishing – or financial spear phishing – is a form of social engineering attack which is becoming massively profitable for the criminal enterprises involved. Unfortunately for the victims it is very cheap to deploy and nearly always gets past technological security controls such as spam filtering and malware detection. As a result of this, businesses […]

The post Finphishing – 8 steps to criminal profits appeared first on Halkyn Security Blog.

]]> FinPhishing – or financial spear phishing – is a form of social engineering attack which is becoming massively profitable for the criminal enterprises involved. Unfortunately for the victims it is very cheap to deploy and nearly always gets past technological security controls such as spam filtering and malware detection.



As a result of this, businesses across the globe are losing fortunes in fake wire transfers to overseas bank accounts with only limited hope of ever getting their money back.

FinPhishing (under various names) isn’t new – there are reports of Scoular Co.,(a US based private equities trader) losing $17.2m to a FinPhishing attack in June 2014. This has been followed in January by the Internet Crime Complaint Centre reporting that US businesses had lost $214m to scams similar to this in the previous 14 months.

More recently, in early August, Ubiquiti Networks disclosed a loss of US$46m to a FinPhishing scam which was discovered in June.

FinPhishing is big business for criminals.

What is FinPhishing

In summary – financial spear phishing (FinPhishing for ease) is a type of social engineering attack which tricks the victim into making a large sum transfer to a bank account managed by the attackers.

The attacks are all very similar and rely very heavily on corporate culture to work. Unfortunately the tendency of designers to make email user interfaces more “user friendly” actually helps the attacker here.

The FinPhishing Attack

The screenshot accompanying this post shows an initial finphishing email received by a target company. From this we can see the key elements of how the attack is constructed:

1. Attackers look over public websites for information to identify the business structure. This includes obvious sites such as LinkedIn but also ones people don’t tend to directly post their own data to, such as ZoomInfo.com.
2. Once they build up your organisation chart, they try to identify a person in a position of authority (CEO, MD etc) and a person working in a finance role. The finance person is now the target of the attack (victim).
3. The attackers craft an email looking like it has come from the CEO/MD etc., often including the correct email address in the message “From:” field, but it will have a different email in the Reply-To or X-Sender headers.
4. The message makes a terse request about sending funds for some urgent business activity. The brevity means it bypasses most spam filters and the lack of payload or malicious link allows it to bypass AV or threat monitoring.
5. The victim reads the email and it looks like it is legitimately from the CEO/MD – unfortunately most email systems only show the From address – so they reply either asking for more details or in some cases starting the process.
6. Very alert victims may notice the email client now shows a new email address in the “To:” box but this is actually very rare and sophisticated attackers can mask this.
7. Once the victim responds, the phishers know they have access to a live person who at least partly thinks the request is legitimate and they can begin the second stage of the attack which is an initial transfer of a reasonably small amount of funds (often in the $50 – 100k region).
8. If this works, the attackers will go all out and generate increasingly urgent, demanding requests to get as much as possible before they are detected.

Security measures

At its core, FinPhishing is just a social engineering attack. This means you need to concentrate on the people involved.

• Provide all your workforce security awareness training which emphasises the risks from social engineering attacks.
• Ensure anyone working in finance understands what this sort of attack looks like and what to look out for in a phishing email.
• If possible configure your mail clients to give as much detail as possible about the message headers.
• Establish authorisation processes so that no one can transfer large amounts of money out of your business without solid confirmation – no matter how urgent it may be.
• If you are caught by this scam alert your bank and  involve the police or law enforcement as quickly as possible. Recovering funds is always going to be difficult, so any delay will just make it worse.

Summary

FinPhishing is cheap, easy and lucrative. This means there is currently little or no incentive for attackers to stop and the low technological requirements mean that even if current attackers are caught and move on, others will fill the gap.

The best, possibly only, defence is to ensure you have robust processes and alert staff. If you do fall victim to an attack, make sure you can react quickly and hopefully you will save your business.

The post Finphishing – 8 steps to criminal profits appeared first on Halkyn Security Blog.

]]> 1345 http://www.halkynconsulting.co.uk/a/2015/07/security-breaches-do-you-know-what-to-do-next/ http://www.halkynconsulting.co.uk/a/2015/07/security-breaches-do-you-know-what-to-do-next/#comments Wed, 22 Jul 2015 22:51:07 +0000 http://www.halkynconsulting.co.uk/a/?p=1318 One sad fact about security is that no matter what controls you put in place, you will suffer breaches and if you are on the internet it is likely to happen sooner rather than later. People sometimes hold to a “physical world” security model which has a clearly defined threat actor (e.g. a burglar) casing […]

The post Security breaches – do you know what to do next? appeared first on Halkyn Security Blog.

]]> One sad fact about security is that no matter what controls you put in place, you will suffer breaches and if you are on the internet it is likely to happen sooner rather than later.



People sometimes hold to a “physical world” security model which has a clearly defined threat actor (e.g. a burglar) casing properties in their target area for an eventual break in. if you are unlucky enough to leave a door open on the night they are casing you, you get robbed.

This is a good way of thinking but it is crucial to remember that on the internet, the burglars are worldwide and they are running automated tools which are constantly casing your property to see if there is something they can exploit. This means any momentary lapse (such as not applying a software patch, or changing a configuration setting) can be found by attackers and exploited faster than most people realise. The lesson is simple: Breaches can, and will, happen at any time of the day or night, while you are working, sleeping or on holiday.

This is not saying your security controls are useless – far from it. Without them, the breaches will be more frequent, more damaging and harder to recover from. You do however, have to avoid the mindset that security is putting in place controls and then saying “job done.”

If breaches are inevitable, why do I need controls?

Let’s clear this up first. You need your security controls. You really do.

Security is best delivered by applying layers of controls and constantly striving to maintain and improve them. Good security controls help you with:

• Making you a hard enough target that lots of attackers, especially script kiddies, will simply go elsewhere.
• Delaying attackers enough that your detection systems will be alerted to their presence.
• Collecting enough data to allow you to investigate breaches.
• Being adaptive enough to respond to attacks in real time.

If you come from a physical security background, this might be familiar as all security controls have the same basic requirements.

So, breaches happen, what do I need to do?

First off, if you are reading this as a breach happens, it is too late. Sorry. Incident response is all down to planning. If you don’t plan properly, any successful incident response activity is pretty much down to random chance. Secondly, if you handle regulated data such as personal data/PII, credit card data etc., then you need to make sure your plans are acceptable. The advice here is generic and high level.

So, to answer the question:

1. You need to plan, plan and plan some more. Your plans need to include who is responsible for doing what. Your plans need to cover everything from minor incidents to breaches which put your very companies existence at risk.
2. Test your plans. This is crucial. Make sure everyone involved knows what they need to do. Make sure the communications channels you have work. Make sure it all works at any time of the night or day. Make sure it works when your key decision makers are unavailable. Then test it all again. And again.
3. Provide resources for incident response. This isn’t free. If you are a small business with limited internet facing systems you might just be able to get away with an ad-hoc incident response team, but don’t assume a good sysadmin or a good networks person makes a good incident responder. Also remember breaches are stressful. Your incident responders will burn out if you ask them to do too much.
4. Learn from your mistakes. Just as breaches are inevitable, so are incident response mistakes. You need to be mature enough to analyse your behaviours and learn from what went wrong. Your attackers are constantly improving, you need to do the same.

In practical terms



As part of your plans, you need to be aware of the six high-level steps of incident response (see image), and your processes need to cover each step.

You need to make sure that you have an incident response team who have the right skills and knowledge to do the job. You also need to make sure you resource the team well enough that they aren’t trying to juggle a day job as well as respond to incidents and you have some way to rotate people.

There are no hard and fast rules on how much of your security budget should go on incident response – it really depends on your individual circumstances – but two things are always true. You need a security budget and some of it must be spent on incident response. Don’t fool yourself into thinking anything else is financially sensible or a long term option.

Make sure your incident response team either have the authority to act or the ability to seek this authority at very, very short notice any time of the day or night. The last thing you want is the complete loss of your network because the incident responders didn’t have the authority to pull the plug on an infected machine and couldn’t find the person to who did.

All of this goes a long way to making sure your organisation is resilient enough that an incident can’t kill you. At the end of the day, that is what really matters.

The post Security breaches – do you know what to do next? appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2015/07/security-breaches-do-you-know-what-to-do-next/feed/ 2 1318 http://www.halkynconsulting.co.uk/a/2015/05/halkyn-consulting-vacation-and-course-period/ http://www.halkynconsulting.co.uk/a/2015/05/halkyn-consulting-vacation-and-course-period/#comments Fri, 15 May 2015 20:04:46 +0000 http://www.halkynconsulting.co.uk/a/?p=1301 As our existing clients may be aware, Halkyn Consulting has entered into a three week period where we maximise our courses and vacation time. During this period we will be unable to respond to new clients but will continue to service existing clients. During this period there will be a delay in our responses and […]

The post Halkyn Consulting – Vacation and Course Period appeared first on Halkyn Security Blog.

]]> As our existing clients may be aware, Halkyn Consulting has entered into a three week period where we maximise our courses and vacation time. During this period we will be unable to respond to new clients but will continue to service existing clients.

During this period there will be a delay in our responses and we may be unable to provide copies of the ISO27001 checklist as quickly as normal.

The post Halkyn Consulting – Vacation and Course Period appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2015/05/halkyn-consulting-vacation-and-course-period/feed/ 1 1301 http://www.halkynconsulting.co.uk/a/2015/05/security-researchers-demo-gpu-keylogger/ Wed, 13 May 2015 21:17:37 +0000 http://www.halkynconsulting.co.uk/a/?p=1297 Reported on the Register today, security researchers have demonstrated how malicious code can be run on graphics processors (GPUs) rather than the central processing unit (CPUs) at the heart of a computer: http://www.theregister.co.uk/2015/05/13/graphics_card_malware_gpu_keylogger/

The post Security researchers demo GPU Keylogger appeared first on Halkyn Security Blog.

]]> Reported on the Register today, security researchers have demonstrated how malicious code can be run on graphics processors (GPUs) rather than the central processing unit (CPUs) at the heart of a computer: http://www.theregister.co.uk/2015/05/13/graphics_card_malware_gpu_keylogger/

The post Security researchers demo GPU Keylogger appeared first on Halkyn Security Blog.

]]> 1297 http://www.halkynconsulting.co.uk/a/2015/05/security-patches-internet-explorer/ Wed, 13 May 2015 21:06:48 +0000 http://www.halkynconsulting.co.uk/a/?p=1289 For lots of enterprises, security patches are a pain to test, a pain to deploy and frequently frustrating when they require downtime for the inevitable system reboots. However, security patches are also a significantly important mechanism for protecting your environment against attacks. They really are. This month, Microsoft have announced 13 security patches – three of which are […]

The post Security Patches – Internet Explorer – Act Fast appeared first on Halkyn Security Blog.

]]> For lots of enterprises, security patches are a pain to test, a pain to deploy and frequently frustrating when they require downtime for the inevitable system reboots.

However, security patches are also a significantly important mechanism for protecting your environment against attacks. They really are.



This month, Microsoft have announced 13 security patches – three of which are rated as “critical” by both Microsoft and SANS despite there being no known exploits in the wild.

Unfortunately for lots of organisations, this means that they will downgrade the priority and, in some cases, will delay patching for weeks if not months.

This is a mistake.

On the day security patches are announced, it is rarely clear if exploits are out in the wild. The nature of vulnerability research means that lots of the specifics are kept quiet and often different researchers hit upon the same vulnerability at the same time.

The problem is that it isnt JUST the researchers who find vulnerabilities.

So, on the day the security patch is released, we know that there are “white hat” researchers who can exploit the vulnerability but we dont know if there are any (or how many) nasty “black hat” types have also found it. If Metasploit doesnt have a module for the exploit then we sort of guess its not in the wild, but this is just a guess.



From here things get worse. As soon as patches are released, the bad guys will be able to start reverse engineering the code and building exploits. Worryingly this can happen an awful lot faster than most IT managers would ever imagine.

It is realistic to assume that within about 24 hours of a security patch being released, high end hackers will have a way of exploiting the vulnerability. Within 48 – 72 hours more will have it and by the end of the first week, exploits will be available to pretty much any malicious hacker who wants it. It might not yet be a metasploit module, but that just means you are safe from the bottom end script kiddies.

Delaying patches is a massive mistake. Check them, test them and get them into the environment as quickly as possible or make sure you fully understand the risks and have some compensating controls in place.

The post Security Patches – Internet Explorer – Act Fast appeared first on Halkyn Security Blog.

]]> 1289 http://www.halkynconsulting.co.uk/a/2015/04/phishing-attacks-continue-to-evolve-and-spread-malware/ http://www.halkynconsulting.co.uk/a/2015/04/phishing-attacks-continue-to-evolve-and-spread-malware/#comments Sun, 26 Apr 2015 14:30:04 +0000 http://www.halkynconsulting.co.uk/a/?p=1273 As most internet users know, phishing attacks are very common. The term itself dates back to 1995 (e.g. AOHell) and social engineering (which is basically what phishing is) goes back as long as we have had societies. At a basic level, phishing is an attempt by a malicious party to get the recipient (victim) to […]

The post Phishing attacks continue to evolve and spread malware appeared first on Halkyn Security Blog.

]]> As most internet users know, phishing attacks are very common. The term itself dates back to 1995 (e.g. AOHell) and social engineering (which is basically what phishing is) goes back as long as we have had societies.



At a basic level, phishing is an attempt by a malicious party to get the recipient (victim) to carry out an action. Over the years this has ranged from giving up sensitive details (passwords, credit card details etc) to simply opening a malicious file.

Following on from the success of these attacks, banks and credit card companies have taken significant steps to combat fraud so, now, the majority of phishing attacks look to get you to open a file. Examples include documents such as “invoice.xlsx” or “payment.pdf” type files. These are normally “trojans” which, when opened, will carry out attacks on your operating system directly.

Most of the time, these phishing messages are generated by scripts across multiple languages. Frequently this results in the awkward English which alerts the recipient and forms the brunt of most anti-phishing awareness training.

However, the attackers are always evolving and today our email systems started getting this message:

Dear Sir,

I am trying to call you on phone now to explain to you about the amendment of the invoice as discussed on tuesday but your number is not connecting. regards to our phone call on tuesday afternoon, i have attached to you the  profoma invoice for the new order.

You have to know that attached is the amended proforma invoice and design for our shipment, because price in invoice was not our agreement after the confirmation of the order. please you have to confirm that the stated prices are correct.

We expect to receive the shipment of goods within the specified time on this order. kindly give me your confirmation and your profoma for payment arrangement.

Any questions, kindly let me know.

Best regards,

Ishmel Zahab

 

Manager
Business Empire International
Marketing, Trading, Consulting
Suite # 15, 2nd Floor, Rehmat Center,
I-8 Markaz Islamabad, Pakistan.
Tel:   +9251 4138116, 4938119
Cell:  +92 865 506 6191
Fax:   +9211 4861 376

URL: www.empireinternational.com    sales@empireinternational.com

Skype: businesempire

 

* This is a system generated document and does not require signature.

As you can see, there is a massive element of legitimacy around the content here, it is able to get through lots of spam filters and it is likely to be convincing enough for a lot of people to open the attached RAR file. (The attached file contains a trojan downloader which can flood the target machine with lots of unwanted additional software).

The bad news here is that the attackers are becoming more advanced in their trickery.

The good news is that they are still quite obvious when you know what to look for and this phishing provides lots of examples to use in your awareness training packages.

Phishing Indicators

Using this email, we can list the key indicators which should make any recipient suspicious enough to look into things further. Some are more technical than others, but all internet users should be aware enough to at least consider there.

• The email is unexpected. We have never done business with this organisation, have never given them a phone number, never had a phone call with this organisation and never made an order. Note: the attackers are trying to take advantage of people who might assume someone else in the organisation has made an order. Don’t fall for this.
• The email is vague. There are no specifics. The recipient name isn’t used. There is no indication as to what the goods might be. Note: the attackers have to be vague because they don’t know what the target organisation is likely to sell. This is a good clue it is phishing.
• The language used is awkward. This is harder for non-native English speakers and should only be a weak indicator of phishing. However, for native English speakers, the grammar and language is very unusual. The first sentence of the middle paragraph is trying to get the recipient to open the attachment, but the language used is unfathomable. Note: Attackers tend to use scripts to generate phishing messages which leads to this weird use of language.
• The recipients are hidden. The attacker has used a mailing list of targets but the content implies this should be a very one to one message. It seems unlikely that they would have had the same phone problems with multiple organisations so it makes no sense for this message not to be to a named person. Note: the attackers are trying to mask the size of their mailing list. Any message which is to a hidden list should be treated as suspicous and is almost certainly spam.
• The from address doesn’t match the company name. As you can see in the screenshot above, the message appears to come from lima@generalemballage.com but the signature line is empireinternational.com. This is unusual and should make any reader wary of the content. Note: Attackers often have to use hijacked mail relays or compromised accounts which is why the recipient address is often unusual. Always check it.
• The URL is wrong. Business Empire International has a web presence and the postal address matches the details given in the email – however it’s website is http://bei.com.pk/ not www.empireinternational.com (which at the time of writing appears to not be in use). This indicates that the scammers may have been gearing up to create a “backstory” website to give credibility, but a google search indicates the correct URL to visit. Note: Phishing counts on people not checking the details, so make sure you do check any emails you are suspicious of.
• Finally, a technical check indicates that none of the information presented in the email headers is trustworthy, making the entire message suspicious. Note: it is probably not worth checking every email but learn how to check file headers in your chosen mail client.

The technical details mentioned above are the internet headers (file – > properties in MS Outlook). For this message the key bits were:

The initial mail header reads:
Received: from [91.236.116.134] (port=50012 helo=[10.116.134.14]) by cpanel.puninar.com with esmtpa (Exim 4.85) (envelope-from <lima@generalemballage.com>) id 1Ylw02-000758-81; Sat, 25 Apr 2015 16:03:51 +0700

This tells us where the message originated and from this, it looks like the phishers had access to a Dedicated Server account hosted in Sweden. It is likely that they have actually compromised a workstation and are using this connection rather than a direct attack on the servers.

Next we look at the from and reply-to fields:
From: "Ishmel Zahab "<lima@generalemballage.com>
Date: Sat, 25 Apr 2015 17:03:05 +0800
Reply-To: sales@empireinternational.com
This is a very good indicator of phishing – the from account is a different domain to the reply-to. Attackers often use this to make sure any curious reply messages are captured by them, rather than the person they are impersonating.

Lastly, with this message, we have some useful headers the mail transport agent have added to assist in tracking down malicious use:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cpanel.puninar.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - generalemballage.com
X-Get-Message-Sender-Via: cpanel.puninar.com: authenticated_id: hrd@puninaryusen.com

Here we have some useful information.

1. The compromised service appears to be cpanel.puniar.com but this doesn’t exist as a web address.
2. The sender domain claims to be generalemballage.com – which exists but appears to be located in Algeria and Tunisia.
3. The User ID apparently associated with the outbound email is hrd@puninaryusen.com. This email address is associated with a lot of job adverts in Indonesia.

All of this gives us some useful background into the phishing message. We can, with reasonable confidence, conclude that the hrd@puninaryusen.com email account has been compromised (probably by malware) and is being used to spread more malware via some open mail relays and possibly a compromised mail account owned by generalemballage.com.

It also gives us utmost confidence in deleting the message without ever reading the attachment.

As there are a couple of other organisations who already appear to be compromised by this email, it would be good practice to notify them – however this may be difficult if they don’t have public “abuse” or technical support contacts. As an example, puninaryusen.com doesn’t have a functioning site so may not have any one to respond to the phishing report.

So, in summary, phishing is likely to remain with us as long as people interact with other people. It is important to make sure you (and your employees etc.) remain far enough ahead of what the attackers do that you can spot their methods and understand your systems well enough to realise when someone is trying to trick you.

If they get past your defences, then it is time to roll out the incident response but that is for another day.

 

The post Phishing attacks continue to evolve and spread malware appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2015/04/phishing-attacks-continue-to-evolve-and-spread-malware/feed/ 2 1273 http://www.halkynconsulting.co.uk/a/2015/03/budgets-securitys-friend-or-foe/ Mon, 09 Mar 2015 09:55:24 +0000 http://www.halkynconsulting.co.uk/a/?p=1250 Budgets are integral to every business. The start up’s business plan has to include budgets and the multinational will have an entire finance unit geared around making sure that every year the numbers are crunched, and budgets allocated. At a very fundamental level, a budget allows businesses to grow. It allows them to develop without going […]

The post Budgets – Security’s friend or foe appeared first on Halkyn Security Blog.

]]> Budgets are integral to every business. The start up’s business plan has to include budgets and the multinational will have an entire finance unit geared around making sure that every year the numbers are crunched, and budgets allocated.



At a very fundamental level, a budget allows businesses to grow. It allows them to develop without going bankrupt. It mitigates the risks from excessive or wayward employees. Possibly most importantly, budgets can limit financial exposure and ensure that the company can continue to pay dividends.

This is good. This is all good.

This is also essential for business security. Without defined budgets, it is impossible for a company to even know if it is overspending, or taking too much risk, and this seriously undermines security.

Unfortunately budgets frequently develop a life of their own. As organisations grow, so does the budget and so does the complexity. This is where, suddenly, your budget strategy can start to work against you.

For start ups, it isn’t a problem. Most of the time, the financial data will be theoretical and simple. The budget is there to get funding and it is all controlled by one business.

As businesses get bigger, one of the first changes which happens is creating different “business units” or budget categories. This can be hidden under lots of different names (cost centre, billing unit etc), but the effect is the same.

It is easy to see why businesses do this. Having separate budgets for separate functions helps focus spending. It also helps identify weak / strong parts of the business.

The problem is that security is all encompassing but organisations create “security” budgets. This can create a major risk.

When budgets create risk – cutting costs

For most managers with budget responsibility, certain mindsets evolve:

1. Budgets should be reduced whenever possible, often every year.
2. Any budget not spent is lost in subsequent years.
3. Subordinates who come in under-budget get rewarded (but the budget is reduced each year).
4. Subordinates who increase budget are penalised.

In very basic terms, this makes sense. The idea is that it increases efficiency and rewards innovation. These are good traits.

It also means that business units become very focussed on what “rewards” them specifically and what they have to pay for. This is still good.

Where it goes wrong is when one cost centre realises it can cut costs because any impact will be carried elsewhere. This is a double-whammy for the business itself, not only will the impact be felt somewhere, but the person leading to this gets rewarded.

As mentioned before, security is really everyone’s business but gets parcelled off into its own department. Oddly, IT Security seems to be the worst affected by this, frequently seen as an unwanted part of IT rather than an essential business enabler.

By creating departmental budgets, your organisation may be unwittingly encouraging people to undermine security. Is this really what you want?

Security-damaging budgets – case study



In the last two months, Halkyn Consulting has worked with two organisations who have suffered from this. Both encountered costly security issues which arose from the application of discrete budgets. Both had very good security teams, who we assisted in developing improvements. Both could have saved significant amounts of money by not cutting budgets earlier on. Both rewarded the personnel responsible for the savings but had no mechanism to hold them accountable for the costs.

Just to reiterate: Both companies implemented “savings” which led to the overall organisation losing significantly more than they saved.

To explain this, we will use one of the clients as a case study into how budgets can bite.

Case Study: National business services provider.

Our client had a well developed IT infrastructure supporting 24 office locations across the country, a single data centre and a large field sales team. The sales team were entirely reliant on portable devices. The organisation took its security seriously and has a well resourced IT Security team. All is good so far.

The cost of purchasing mobile devices was taken from the regional sales teams budgets. The cost of responding to security incidents was taken from IT Security. The cost of managing security infrastructure was taken from IT Security.

About 24 months ago, a well meaning sales executive saw a way to reduce costs. The sales teams were purchasing “approved” devices which were built to meet the IT Security requirements. It turned out to be a lot cheaper to let users bring their own devices (BYOD) or purchase more basic ones off the shelf.

In all, the sales executive shaved approximately £150,000 off the costs of purchasing assets. This aligned to a major move towards mobile technology and data sharing applications.

The problem was that now, the IT Security team had little or no control over what was happening. Worse than that, the IT Security team had no knowledge of what was happening. The move to BYOD was done in such a way that monitoring was removed and after the first wave of new devices, no one even thought to engage the IT people.

After a few months problems started to occur. Malware was on the rise. Users were falling victim to phishing attacks. Devices containing commercially sensitive data were lost.

In hindsight, the increase security costs in responding to these incidents was assessed to be £170,000 in the first twelve months alone.

Then a pretty nasty bit of malware hit. One of the field sales team was hit with malware. This then sent emails to everyone in his address book and the vast majority of users became infected and started sending outbound spam. Now, the field sales team were, in effect acting as a massive criminal botnet. More than a few users were then hit with ransomware and critical data was encrypted. As a final nail, only now it was discovered that the users with trendy BYOD devices didn’t have centrally managed backups and the data was irretrievably lost.

The final assessment was that in the 24 month period, security incidents had cost the company a total of £385,000 in direct costs and an unknown amount of lost sales.

Because of the company structure, however, the costs were carried by the IT Security department and the savings were carried by the field sales department. The executive who led this change was rewarded with a large bonus 18 months ago and left the company 12 months ago.

The bottom line? The sales executive was rewarded for losing the company over £235,000 simply because the budget structure made it initially look like a saving.

The post Budgets – Security’s friend or foe appeared first on Halkyn Security Blog.

]]> 1250 http://www.halkynconsulting.co.uk/a/2015/03/staysure-security-breach-leads-to-ico-fine/ Mon, 02 Mar 2015 09:00:48 +0000 http://www.halkynconsulting.co.uk/a/?p=1243 The Information Commissioner’s Office announced on 24 Feb 2015 that it had levied a monetary penalty of £175,000 against the holiday insurance company Staysure. The fine came about as a result of Staysure suffering a security breach on their website which exposed more than 100,000 customer records and led to more than 5,000 customers having their credit […]

The post Staysure security breach leads to ICO Fine appeared first on Halkyn Security Blog.

]]> The Information Commissioner’s Office announced on 24 Feb 2015 that it had levied a monetary penalty of £175,000 against the holiday insurance company Staysure. The fine came about as a result of Staysure suffering a security breach on their website which exposed more than 100,000 customer records and led to more than 5,000 customers having their credit cards used by fraudsters.

What is really surprising about the ICO investigation – and almost certainly led to the fairly large fine for a private sector body – is the discovery that Staysure had some very serious security failings.

The ICO reported that:

Attackers potentially had access to over 100,000 live credit card details, as well as customers’ medical details. Credit card security numbers, the number on the signature strips on the back of the cards, were also accessible despite industry rules that they should not be stored at all.

The important bit is the last sentence. Staysure have massively failed to comply with the PCI-DSS guidelines and by retaining this data have exposed their customers to monumental risks.

This is bad practice and any security professional would advise against it. In fact it is hard to see how this can be done while still complying with any of Staysure’s IT security policies, until you read further on in the announcement:

The company had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software which could have prevented this incident. This left security flaws in the system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.

So, it seems that despite providing an insurance product, in a heavily regulated industry and handling large amounts of very sensitive personal and financial data for their customers, Staysure failed to implement some basic security controls.

Staysure has been in business for ten years and has been exploited for at least five of them.



It is hard to know what the impact to Staysure’s business will be as a result of this breach. It may be minor – beyond the fine- but for any company dealing with customer data this is a massive risk to have carried for so long.

The post Staysure security breach leads to ICO Fine appeared first on Halkyn Security Blog.

]]> 1243 http://www.halkynconsulting.co.uk/a/2015/02/retail-security-in-an-online-world/ http://www.halkynconsulting.co.uk/a/2015/02/retail-security-in-an-online-world/#comments Sat, 21 Feb 2015 21:23:34 +0000 http://www.halkynconsulting.co.uk/a/?p=1225 The internet has been changing the world for decades now, and nowhere has this been more obvious than the retail sector. Internet access has opened up new markets, invented new businesses and allowed retailers to grow in ways never before imagined. However, along with this growth, the internet has also shown that retail security needs […]

The post Retail security in an online world appeared first on Halkyn Security Blog.

]]> The internet has been changing the world for decades now, and nowhere has this been more obvious than the retail sector. Internet access has opened up new markets, invented new businesses and allowed retailers to grow in ways never before imagined. However, along with this growth, the internet has also shown that retail security needs to evolve and adapt to keep up.



Earlier this year, we talked about the BRC Retail Crime Survey, which highlighted that retailers in the UK are quite rightly concerned about the security risks they face as they go online. Correctly, the BRC placed a lot of emphasis on the police to investigate crime and arrest criminals, however the basics of retail security really need to be driven by the retailers themselves.

Retail security in an online world needs to follow on from the good practices driven by centuries of experience – shops lock up at night, tills are kept safe, stock is protected – it just needs to adapt.

Retail security – online threats

The first step to adapting is understanding how things are different online. This is important because all too often retailers leave their doors wide open, their tills abandoned and their stock exposed simply because they don’t realise where the walls and doors have move to.

By learning how criminals will leverage the internet, retailers can also learn what they need to do to avoid becoming a victim of crime.

While we can’t cover everything in one blog post – we can look at one common attack which frequently leaves a retailer out of pocket with very little risk to the criminal.

Triangulation attacks

One type of threat which retail security faces in the online world is called a “triangulation attack.”



The way this attack works is quite simple – which is why it presents a growing problem for retail security and can cost businesses dearly.

1. A criminal gets hold of a stolen credit card. This is surprisingly easy and criminals can either steal them by hacking other retailers or purchase them directly on the black market.
2. The criminal posts an advert online. Often on eBay, but other second-hand sales portals (such as Craigslist, Facebook marketplace etc) are used. This is normally for a fairly high value item such as the latest iPhone or games console. However, as retail security becomes more aware, criminals are moving to sell less obvious items.
3. The innocent customer bids or purchases the item. The customer is pretty innocent in all this and normally just thinks they are getting an excellent bargain.
4. The criminal places the customers order with an innocent retailer. This is where the triangulation begins. Using the stolen credit card, the criminal orders the goods to be shipped to the innocent customer. The customer, however, pays the criminal – normally via a difficult to trace PayPal, Moneygram or Western Union transaction.
5. The credit card company’s security kicks in. At some point the stolen card will be reported and blocked. Unfortunately this is often after the order has been placed and the innocent retailer has shipped the product. This is one reason why retail security needs to link up with other sectors to function properly.
6. The bank / card payment company refuse to pay or reclaim funds. For the retailer, this is where it really hurts. Frequently, the retailer has shipped the product when the bank reverse the payment leaving the innocent retailer out of pocket.
7. Retailer has to make a choice. When a retailer becomes a victim of this scam, they have to decide if they can absorb the loss and move on, or if they are going to try and recover the product from the customer. Having a good retail security policy in place before this happens will help you decide which is best for your business as both options carry costs.
8. Everyone but the criminal loses out. As a retailer, even if you manage to get the product back from the customer, you will have lost time and money in recovering it and you will have certainly lost a lot of goodwill with the innocent customer. The criminal, however, has made off with the customers money and is likely to be very difficult to trace.

As you can see, for very little effort, the criminal has made a profit and without good retail security measures in place, the retailer and customer have lost out.

A few years ago this sort of attack was pretty much entirely aimed at Amazon, eBay and the likes, however this is no longer true. The big targets have spent massive amounts of money on building anti-fraud teams, retail security specialists and e-crime investigators so the criminals have moved on.

Now, any retailer, in any sector, is at risk.

Dont wait until it is too late and dont rely on the police to lock your doors. Good retail security is the responsibility of every retailer.

 

The post Retail security in an online world appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2015/02/retail-security-in-an-online-world/feed/ 1 1225 http://www.halkynconsulting.co.uk/a/2015/02/iso27001-self-assessment-checklist-record-downloads/ http://www.halkynconsulting.co.uk/a/2015/02/iso27001-self-assessment-checklist-record-downloads/#comments Thu, 19 Feb 2015 10:56:55 +0000 http://www.halkynconsulting.co.uk/a/?p=1235 The ever popular ISO27001 self assessment checklist is now being downloaded at around 1000 times a month. Since we published it in October 2013, there have been over 13000 copies downloaded and we have provided unprotected versions to over 900 different organisations and individuals. Hopefully this is a sign that security is being taken seriously […]

The post ISO27001 Self Assessment Checklist hits record downloads appeared first on Halkyn Security Blog.

]]> The ever popular ISO27001 self assessment checklist is now being downloaded at around 1000 times a month. Since we published it in October 2013, there have been over 13000 copies downloaded and we have provided unprotected versions to over 900 different organisations and individuals.

Hopefully this is a sign that security is being taken seriously across the globe! As always, if there is anything your organisation would like advice on, we’d be more than happy to assist.

The post ISO27001 Self Assessment Checklist hits record downloads appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2015/02/iso27001-self-assessment-checklist-record-downloads/feed/ 76 1235 http://www.halkynconsulting.co.uk/a/2015/01/retail-security-business-protection-loss-reduction/ Tue, 20 Jan 2015 22:21:59 +0000 http://www.halkynconsulting.co.uk/a/?p=1200 Retail security is in the news again as the British Retail Consortium (BRC) report that crime in this sector has reached a 10 year high. This reporting appears to indicate crime accounts for almost 0.2% of the total sector turnover. As reported by the BBC this includes the possibly obvious activities such as shoplifting, but […]

The post Retail security, business protection, loss reduction appeared first on Halkyn Security Blog.

]]>

Retail security is in the news again as the British Retail Consortium (BRC) report that crime in this sector has reached a 10 year high. This reporting appears to indicate crime accounts for almost 0.2% of the total sector turnover.

As reported by the BBC this includes the possibly obvious activities such as shoplifting, but also some more high tech twists as cyber crime and internet fraud are being included.

The summary of this is that crime, in general, presents a fairly significant risk for any retail business, even though the sector itself is quite large:

(source: BBC News)

Crime cost the UK retail industry £603m in the 2013-14 financial year, 18% higher than the previous 12 months, according to new research.

This is the highest level of crime in the retail sector reported since the BRC began keeping records in 2003. For some retailers, especially within the small – medium business sector, the losses incurred by criminal activities outweigh any other operating costs and for all assets stolen the business owner not only loses a sale, but must pay to replace the loss.

For most retailers, crime in this sector is assumed to be mostly shoplifting with jewellers and electronics stores also facing the risk of more obvious robberies.

However, the BRC report also shows that online activity presents a very significant issue for UK retailers and, combined with fraud, this criminal activity has more than made up for a reduction in the traditional methods: (Again, from the BBC News item, emphasis mine)

• customer theft made up the bulk of the criminal activity, accounting for 81% of all incidents
• retailers reported a total of 135,814 incidents of fraud, up 12% on the previous financial year
• there were five robberies per 100 stores in 2013-14, a 29% decrease but the cost per robbery fell only marginally, from £1,316 per incident in 2012-13 to £1,280 per incident in 2013-14

It seems that for every robbery or burglary, there are over 100 fraud cases, driven by online / cyber criminals attacking the business.

This is captured in the Report itself with the following bullet point:

Retailers reported that cyber attacks pose a critical threat to their business.

Retail sector and Cybercrime

It shouldn’t come as a surprise that, as more of the retail sector moves online, so do the criminals targeting this sector. The BRC British Retail Crime report contains this statement:

The majority of retailers reported an increase in cyber attacks in 2013-14 and that they pose a critical threat to their business. These ranged from Denial-of-Service attacks to data theft.

The benefits from being online are significant – from direct engagement with customers to rationalisation of supply chains – so there is genuine value for all retailers to have some sort of presence.

However, as with all business decisions, this needs to be done with a clear understanding of the security risks and what sensible measures should be taken to minimise them. No retail organisation would open a store in a new area without doing at least some research but it seems the rush to get online bypasses this common sense approach.



In 2013-2014, the biggest cyber risks to the retail sector came from online fraud – largely credit and debit card fraud, however the report also captures the growing trend in more asymmetric cyber attacks such as denial of service, data theft and ransomware.

Although no major UK retailer has hit the news, in the US cyber attacks in the retail sector have produced massive headlines with Target, Home Depot and many other large chains falling victim.

Unfortunately for most smaller organisations, the internet is a great equaliser. It gives retailers the opportunity to sell their products with the same impact as the big chains.

However this means you face the same risks as the big chains, so can you afford the same security?

Retail cyber security – key risks

• Cyber Fraud. Criminals will make fake orders, use fake payment cards and many more malicious tricks to get you to give them things for free. This can be harder to spot than real world fraud so you need to be on your guard.
• Customer data. If you collect customer information, such as name & home address, you need to make sure you properly protect it or you could be fined under the Data Protection Act 1998 (with up to £500,000 in fines for a breach).
• Credit / debit card data. If you process this yourself, you need to make sure it cant be breached and dont forget this is very, very high value information for hackers.
• Cyber vandals. Sometimes you will fall foul to “script kiddies” and other low-level miscreants. This is likely to lead to website defacements or denial of service attacks. Even though these seem trivial, they can become very costly to deal with and cause your business a lot of damage.
• Competitors. Still rare in the UK, but the internet gives greater scope, especially in more competitive retail markets, for hard to detect and hard to prosecute corporate espionage.
• Customers. Last but not least, there are always risks around what your customers do when they are on your websites or in your retail stores. For lots of businesses it makes sense to offer customers things like free WiFi access, but you need to make sure you have considered the implications – such as a customer using the free WiFi to commit criminal acts. In 2009, for example, a UK pub was fined £8k for allowing a customer to commit a copyright breach.

Retail cyber security – what to do

There is no magic bullet, one-size-fits-all, solution for cyber security, in the retail sector or elsewhere. If anyone claims they can provide this, it is likely to be a scam.

Cyber security is fundamentally the same as the rest of your security. It is about understanding the risks and taking the correct measures to minimise them.

Don’t be put off using the internet for your business. Yes, there are risks, but there are lots of benefits and lots of ways you can protect yourself.

Some things to consider include:

• Firewalls
• Antivirus
• Email filtering
• Patch management
• Proxy servers for all internet traffic
• Network filtering and acceptable use banners for guest/customer services
• Robust business continuity planning
• Encryption of all sensitive data
• Outsourcing payment card processing
• Good physical security
• Penetration testing for all online applications

No article or blog post is every going to compensate for detailed, specific, expert advice so please make sure you seek out a specialist to make sure what you are doing is sensible and effective.

The post Retail security, business protection, loss reduction appeared first on Halkyn Security Blog.

]]> 1200 http://www.halkynconsulting.co.uk/a/2014/12/insider-threat-apple-employee-jailed-fined/ Tue, 09 Dec 2014 20:39:53 +0000 http://www.halkynconsulting.co.uk/a/?p=1185 The insider threat is in the news again. On 8 December it was reported that ex-Apple employee, Paul Devine, had been sentenced to jail and a fine following a guilty plea on counts of wire fraud and money laundering . From the news reporting, this trusted insider was involved in providing Apple suppliers with confidential information […]

The post Insider Threat – Apple Employee Jailed and Fined appeared first on Halkyn Security Blog.

]]>

The insider threat is in the news again. On 8 December it was reported that ex-Apple employee, Paul Devine, had been sentenced to jail and a fine following a guilty plea on counts of wire fraud and money laundering .

From the news reporting, this trusted insider was involved in providing Apple suppliers with confidential information about forthcoming products, which in turn allowed them to establish more favourable deals with Apple.

Apple filed its own civil suit against the insider, charging him with accepting more than $1 million in bribes from at least six supplier companies (as reported by C|Net).

Insider threat and crime



This situation highlights what is likely to happen when an insider breaks the company policies as well as the law.

Paul was charged with very serious crimes – wire fraud, conspiracy and money laundering – which meant he faced 20 years in prison if found guilty. As a result of this, law enforcement investigative resources were involved and he had a very strong incentive to plead guilty for a lesser charge.

However, it is unlikely that even if Apple gets all $4.5 million of the fine, it will cover the business lost over the 5 years he was providing insider information to suppliers and the costs of the subsequent legal actions.

Insider security breaches can be significantly harmful, even for the most technologically advanced company.

Insider threats and your business

The unfortunate reality is that most insider security breaches are not this high profile, are not this clearly a crime but significantly more harmful to the company involved.

Your trusted workers are the vital lifeblood for your business, they have to know secrets you want to keep from your competitors (or suppliers, or even customers) and this is why the insider threat is so harmful.

When it comes to risk assessments ask yourself how well you would cope if your key employees were cutting deals to get kickbacks from suppliers, customers or even competitors.

Can you cope with this happening?

Would you be able to detect it?

What could you do about it?

Combating the insider threat

There are no simple answers and any action you take to minimise the insider threat has to be driven by your own organisational risk assessments and prevailing circumstances. Your controls should evolve as your business changes and if you are ever in any doubt, specialist advice is available from Halkyn Consulting.

However, in very general terms, there are three things you need to consider in minimising the insider risk:

• Pre-employment / Background Screening. Before you hire a new employee you should carry out some checks. As a bare minimum in the UK, you need to verify they have a right to work, but over and above this you should be checking that their application or CV is true and they are who they say they are. For sensitive posts you can consider additional checks into financial probity or criminal records, but this has to be proportionate for the role.
• Employee Aftercare. Once you hire someone it is important that your organisation keeps your employees feeling welcome and part of the overall team. Your managers should be alert to the indicators of disaffected or dishonest employees and co-workers should feel able to discuss concerns. Remember, it is in every employees interest that you stay in business.
• Monitoring. Employees with access to sensitive or business critical information should be monitored and made aware of this monitoring. As part of your overall security environment, you should consider having audit controls in place to alert you to suspicious events (such as suppliers suddenly taking a hard line, or emails from an employee to a competitor) and a way to track behaviours back to the correct insider.

Of course, none of this guarantees you will be safe from insider breaches, but they do mean you can minimise the risk and maximise your ability to detect and recover from them.

Remember, your employees are your lifeblood but it only takes the poison of one bad insider to kill off your business. Make sure your trust is well placed and remain alert to problems.

The post Insider Threat – Apple Employee Jailed and Fined appeared first on Halkyn Security Blog.

]]> 1185 http://www.halkynconsulting.co.uk/a/2014/10/employee-security-high-risk-terminations/ Thu, 23 Oct 2014 21:31:12 +0000 http://www.halkynconsulting.co.uk/a/?p=1162 Employee security really does matter. Your employees are the lifeblood of every organisation. You put a lot of effort into hiring new staff, you train them, you nurture them and in return you get a massive amount of value. However, like it nor not, there will come a point in time when even your best […]

The post Employee Security – High risk terminations appeared first on Halkyn Security Blog.

]]>

Employee security really does matter. Your employees are the lifeblood of every organisation. You put a lot of effort into hiring new staff, you train them, you nurture them and in return you get a massive amount of value. However, like it nor not, there will come a point in time when even your best employee goes.

This is when your employee security program gets really tested. Even an amicable departure, where the employee is happily leaving for a new job, retirement or just to live a life of luxury after winning the lottery, carries with it risks for your business.

When the employee is being dismissed things are much worse. If the employee has access to company secrets, or special privileges, then you have a very high risk termination on your hands.

No one ever wants to plan for layoffs, downsizing or employee misconduct but if one of these bad things happens to your business, if you haven’t planned for it, the pain will be significantly greater.



When you dismiss an employee, for whatever reason, everyone involved is in an emotional state. This means mistakes will be made, tempers lost and bad things may happen. Bad things can range from losing data and clients, to acts of violence and vandalism.

You prevent this by having a clearly understood process, documented beforehand and agreed with any unions or employee representation. While this wont make anyone any happier, it does mean you have the best possible chance to minimise any further harm.

Planning your employee security program to cover the whole career of your employees makes much more sense.

Employee Security – the basics

Fundamentally, there are three stages to employee security:

• Pre-employment. This is what you do before you hire them. This includes, interviews, reference checks, tests etc. For sensitive posts you should consider BS7858 screening and for sensitive Government work clearances  and vetting are likely to be needed.
• During employment. Once you employ someone, it is crucial you dont just drop end your employee security at the screening. Make sure employees are engaged and supported by your organisation throughout their career.
• Resignation and dismissals. This is the high risk area, the employee is about to leave and no longer has any loyalties or formal obligations. Disgruntled employees may steal or break things, aggressive employees may become violent and even otherwise perfect employees may take company secrets to their new employer.

Employee Security – your plans

Planning your employee security program is essential. Good planning will show your stakeholders your commitment to security and, in the event of a dispute, will provide evidence that your organisation has acted fairly and in a pre-agreed manner. If a dismissal goes to an employment tribunal, following a pre-arranged plan is pretty much essential.

You need to plan for each stage and should look to produce a published policy on employee security, laying out the objectives and reinforcing management commitment to the principles of fairness and security.

From this build in a list of plans for how you will address each of the three stages and what your expectations are.

An example would be documenting what pre-employment checks will take place, who carries them out, how decisions should be made on findings and how long data will be retained for both people offered a job and those turned down.

Employee Security – Resignations and Dismissals

Planning around employee exits is so important, it is suggested that you create several plans depending on the nature of your employees. You need to consider the role of the employee and what assets they have access to as well as the nature of the departure.

At a minimum, your plans must consider the following employee groups:

• Employees with access to commercially sensitive information. This includes sales teams, commercial managers, developers etc. It is good practice to ensure Non Disclosure Agreements are in place and the employee is reminded of any obligations on exit.
• Employees with privileged access. When it comes to system administrators, key holders and the like, you need to ensure your process fully revokes all access and is able to check that nothing has been subverted before the employee is finally let go. Discovering a problem after they have gone is going to cause you all kinds of pain.
• Employees with high value assets. If you have team members who look after large amounts of cash, company cars etc, your plan should document how these are accounted for before the employee leaves.

Additionally, at a minimum, you need to plan for the following types of departure:

• Retirement. Here the employee is likely to leave on good terms but you will lose corporate knowledge and should look to capture as much as possible.
• Resignation to move to a new line of work. Similar to retirement, the employee is likely to be on good terms but you need to be sure all assets are returned and any commercially sensitive knowledge is protected.
• Resignation to move to a competitor. While the employee may be on good terms, there is an increased risk of knowledge theft or the employee looking to access your clients for their new organisation. Ensure all plans include reinforcement of any NDA / Non-Compete agreements.
• Dismissal from downsizing / restructuring. The employee is likely to be angry and annoyed at the organisation so efforts should be made to minimise any confrontation or situations which could lead to escalation. In most circumstances, once an employee is notified of a dismissal they should not be expected to continue with productive work.
• Dismissal for misconduct. This is the highest risk. The employee is likely to be shocked and angry with a significant tendency to lash out. Your plan should look to minimise stress on all parties, ideally ensuring that the employee is notified by at least two people and once notified, the employee should not be permitted to return to any form of work or retain any company assets.

Planning your security

There is a lot to consider with employee security but it is crucially important to your business.

When you are a new or growing company, frequently taking on new, great, staff, the prospects of dismissal may seem impossibly distant. Unfortunately this is not true and it is a very real event for pretty much every business.

If you plan properly – in advance – when your employees leave everyone will be happier and able to move on. If you fail to plan properly, the outcomes can be catastrophic.

The post Employee Security – High risk terminations appeared first on Halkyn Security Blog.

]]> 1162 http://www.halkynconsulting.co.uk/a/2014/06/prison-service-ni-warned-data-breach/ Sun, 22 Jun 2014 21:07:15 +0000 http://www.halkynconsulting.co.uk/a/?p=1143 The prison service in Northern Ireland has been warned by the ICO over another data breach. The ICO press release is available online: http://ico.org.uk/news/latest_news/2014/prison-service-warned-after-maze-records-sold-at-auction-18062014 This incident relates to the Prison Service auctioning off a cabinet containing records from the Maze prison. Interestingly, this breach took place in 2004, when the Northern Ireland Office was responsible, but nothing […]

The post Prison Service in NI Warned over Data Breach appeared first on Halkyn Security Blog.

]]> The prison service in Northern Ireland has been warned by the ICO over another data breach. The ICO press release is available online: http://ico.org.uk/news/latest_news/2014/prison-service-warned-after-maze-records-sold-at-auction-18062014



This incident relates to the Prison Service auctioning off a cabinet containing records from the Maze prison.

Interestingly, this breach took place in 2004, when the Northern Ireland Office was responsible, but nothing was reported at the time. In the end the breach was discovered while the ICO was investigating a Prison Service breach from 2012, which resulted in the Department of Justice being fined.

ICO Assistant Commissioner for Northern Ireland, Ken Macdonald, said:

“This is a story of basic errors and poor procedures, which if the incident happened today would see us issuing a substantial fine.

“The loss of this information represents not only an embarrassing episode for the prison service in Northern Ireland, but a serious breach of the Data Protection Act that could have had damaging repercussions for the individuals affected.

“The incident went unreported for eight years and the same mistakes were allowed to occur. It is only now that we have seen a commitment from the Department of Justice Northern Ireland to tackle these problems and keep people’s information secure.”

Sadly this is a common problem – basic security controls are either not in place or are allowed to be ignored.

At the most fundamental level, the Prison Service (or the Northern Ireland Office in 2004), should have maintained a record of what assets it was responsible for and their locations. This would have prevented the cabinet being sold off at auction.

Failing that, before any assets (information assets, technology or physical products such as cabinets and furniture) are disposed, they absolutely must be checked to ensure no sensitive data is being accidentally leaked.

Hopefully the Prison Service has learned from this, and it should also act as a reminder to all organisations that they should review all asset lifecycle policies to make sure they are suitable.

The post Prison Service in NI Warned over Data Breach appeared first on Halkyn Security Blog.

]]> 1143 http://www.halkynconsulting.co.uk/a/2014/06/download-truecrypt-still-possible/ Sat, 31 May 2014 23:32:53 +0000 http://www.halkynconsulting.co.uk/a/?p=1132 It seems that Truecrypt is too popular a tool for people to give up on it and version 7.1a is still available for download. A website has sprung up at truecrypt.ch offering downloads of Truecrypt binaries and source code. The download site appears to have been set up by a Swiss national and provides links […]

The post Truecrypt encryption software still available for download appeared first on Halkyn Security Blog.

]]> It seems that Truecrypt is too popular a tool for people to give up on it and version 7.1a is still available for download.



A website has sprung up at truecrypt.ch offering downloads of Truecrypt binaries and source code.

The download site appears to have been set up by a Swiss national and provides links to multiplatform version of Truecrypt 7.1a – as well as an archive hosting everything going back to version 1.0 of the software.

Unfortunately the site does not host a download of the source code, but it does link to a GitHub repository with it in.

This is an excellent resource, as truecrypt is a genuinely useful tool for people wishing to keep information private.

There is one important caveat here, however, in that there is no way to confirm the provenance or validity of any software you download from this site. It is not owned by the truecrypt developers and, most people, will not be able to determine if the binaries have been tampered with.

As a result, and this is always good practice, if you opt to download Truecrypt from this site make sure you also check the digital signature (a “hash” value) against something you know to be correct.

The hash values will differ depending on how you generate them but most sites will list a selection. As an example, you can use the following sites to verify the signature of a truecrypt download:

• http://truecryptcheck.wordpress.com/
• http://video2.golem.de/files/1/8/13138/truecrypt_7.1a_download_und_hashwerte.txt?start=0.00 (note: this site is provided by Truecrypt.ch)
• https://defuse.ca/truecrypt-7.1a-hashes.htm

And yes, the third site provides different hashes because it has assessed different versions of the Truecrypt 7.1a binary.

So, in summary, you can still download truecrypt but you need to put a lot more effort into make sure what you get the real thing. If this is important to you, you need to download a different encryption package.

The post Truecrypt encryption software still available for download appeared first on Halkyn Security Blog.

]]> 1132 http://www.halkynconsulting.co.uk/a/2014/05/truecrypt-encryption-software-ceases/ Sat, 31 May 2014 22:50:40 +0000 http://www.halkynconsulting.co.uk/a/?p=1116 On 28 May 2014, the developers of the reasonably infamous encryption software Truecrypt apparently announced that the program was over and that the risk of security weaknesses meant people should stop using it. Since this announcement, the Truecrypt website at http://truecrypt.org now redirects to the Sourceforce page (http://truecrypt.sourceforge.net/) which reports that development ended in “5/2014” following Microsoft […]

The post Truecrypt encryption software ceases production appeared first on Halkyn Security Blog.

]]> On 28 May 2014, the developers of the reasonably infamous encryption software Truecrypt apparently announced that the program was over and that the risk of security weaknesses meant people should stop using it.

Since this announcement, the Truecrypt website at http://truecrypt.org now redirects to the Sourceforce page (http://truecrypt.sourceforge.net/) which reports that development ended in “5/2014” following Microsoft moving Windows XP out of support.

It also contains an ominous warning:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

(screenshot of the page below)



Taken at face value, this is certainly a shame for millions of users across the world. Truecrypt, although never a profitable bit of software, has been used by countless reporters, dissidents and others wishing to protect their sensitive & private data. We frequently recommend Truecrypt to personal users and the only thing preventing it being an enterprise class tool was the lack of centralised management.

Most famously, Truecrypt was used by Edward Snowden and the journalist Glenn Grenwald to protect the NSA reports Snowden was trying to make public. Snowden’s continued use of Truecrypt has been taken by many to imply that the NSA hadn’t been able to compromise its encryption technology.

Unusually, as part of its closure notice, Truecrypt is encouraging users to migrate to Bitlocker (on Windows platforms), a whole disk encryption tool. This is only available to Ultimate, Pro and Enterprise licence holders, preventing this being an option for most non-Enterprise users.

Additionally, while it provides whole disk encryption, Bitlocker is not an exact alternative for Truecrypt as it lacks the following:

• Cross platform encryption.
• The ability to provide encrypted containers on removable media.
• Hidden partitions allowing for deniable containers and mitigating the risks of “rubber hose cryptanalysis“

For some people, the ultimate issue is that Bitlocker is provided by Microsoft and there have long been accusations that backdoors or other covert accesses have been established to allow the US Government / Law Enforcement the ability to decrypt data. This has never been proven and is frequently denied by Microsoft. Bitlocker does have an option to place the encryption key in Escrow which may have led to these worries, but this is not mandatory.

As a result of the Snowden / NSA leaks casting doubt about a lot of security products, a crowdfunded audit of Truecrypt was set up. This produced its first set of reports on 14 April which found a total of 11 vulnerabilities, of which four were medium, four were low and three were informational-only (full copy of the report is available online).

If you have ever had any software, especially a complex one, audited & tested, you will agree this is a very positive set of findings and the report concludes that the bugs appear to be the result of code errors rather than intentional backdoors or malicious activity.

While a follow up report is due in the second half of 2014, overall this audit appears to be saying that Truecrypt version 7.1a is an acceptable product.

Truecrypt site – dire warnings and a new version

The audit findings and the warning notice on the Truecrypt page are actually pretty compatible. The notice says it may contain unfixed security issues and, assuming the developers never intend to change another line of code this is true.

Bugs in software sometimes only come to light years after they were coded (Heartbleed is a good example of this) and if the developers are planning to retire from this project, then any future bugs will not only remain unfixed but may be backwards compatible enough to compromise data containers people create today.

However, the unusual thing here is that the site also provides a “new” version of Truecrypt (version 7.2) to enable users to decrypt their containers and migrate to Bitlocker (or their chosen encryption tool). This makes sense in the context that someone might find an encrypted container in the future and have no other way of accessing the data.

So, What happened to Truecrypt, and what is the future?



At the moment, the short answer is “Nobody except the developers really know.”

The way the development ended has, unsurprisingly, stirred up huge amounts of theories ranging from it being sulky pout when the developers realised that they were getting very little in the way of donations but the audit project exceeded its crowdfunding goals – to the conspiracy theories that this is a “canary” warning Truecrypt users that they have been subjected to something similar to a National Security Letter by the US Government, forcing them to hand over secrets which compromise the software.

With this notification, the development teams have pulled the binaries and source code bundles for all the older versions of Truecrypt, meaning the hobbled version 7.2 is the only one you can get now. This version will not allow you to create new encrypted containers and is simply there to help you migrate to a different platform.

Unfortunately there doesn’t seem to be one that currently matches the feature set of Truecrypt so, for most people, this will mean moving to a variety of tools.

As a brief checklist for home users / small businesses you might want to consider the following:

• Something which provides you with whole disk encryption. This is essential for portable devices (laptops) and prevents people accessing your data if they steal your device.
• Something which allows you to encrypt files or folders and move them on portable devices. This means you can create an encrypted object and move it from one place to another on portable devices such as USB sticks.
• Something which works the same on all the platforms you use. This is essential if you have more than one operating system – such as Windows and Apple devices.
• Something which allows plausible deniability. This means if you are ever threatened with violence or punishment, you can surrender one key and still protect the important data.

Unfortunately this can be a very complicated topic and we aren’t in a position to make blanket recommendations in a blog post. The choice of encryption tools will depend very heavily on your personal circumstances and reasons for protecting the data.

You can get a comparison of different encryption software packages online and if you want to discuss this further, or engage our security specialists for an in depth review of your needs then get in touch.

The post Truecrypt encryption software ceases production appeared first on Halkyn Security Blog.

]]> 1116 http://www.halkynconsulting.co.uk/a/2014/03/physical-security-data-protection/ Sun, 23 Mar 2014 20:56:29 +0000 http://www.halkynconsulting.co.uk/a/?p=1081 Physical security has always been a cornerstone of any Information Security program. As a topic, it is covered by every major security standard. Most have entire sections dedicated to physical security: ISO27001:2013 has A.11 “Physical and Environmental Controls“ The SoGP has CF3.3 “Sensitive Physical Information” and CF19 “Physical and Environmental Security” PCI-DSS Requirement 9 mandates […]

The post Physical security is important for data protection appeared first on Halkyn Security Blog.

]]>

Physical security has always been a cornerstone of any Information Security program. As a topic, it is covered by every major security standard. Most have entire sections dedicated to physical security:

• ISO27001:2013 has A.11 “Physical and Environmental Controls“
• The SoGP has CF3.3 “Sensitive Physical Information” and CF19 “Physical and Environmental Security”
• PCI-DSS Requirement 9 mandates “Restrict physical access to cardholder data“
• The NIST Cybersecurity framework includes PR.AC-2: “Physical access to assets is managed and protected.”
• Even the 1995 NIST SP800-12 “Introduction to Computer Security: The NIST Handbook,” has Chapter 15 dedicated to physical security.
• The UK Government’s Security Policy Framework (SPF) October 2013 version includes it as Security Policy 4 “Physical security and counter terrorism.”

Despite this, controls are still being neglected. Private sector organisations and government agencies spend fortunes on security, but then compromise it by missing out physical controls.

What makes this stranger is that most physical security controls are cheap and easy to implement. Maybe it is just they aren’t flashy and aren’t normally excitingly high-tech. Good security controls just work.

The perils of ignoring physical security

The Information Commissioner’s Office (ICO) has been busy enforcing the Data Protection Act this month, with a couple of actions being directly down to poor physical security practices.

First, on 13 March 2014, the ICO announced that it had issued an enforcement notice on Neath Care, with the following message:

[Neath Care] has been found in breach of the Data Protection Act after the files of 10 vulnerable and elderly people were found on a street in Neath Port Talbot.

It appears that the care agency failed to implement basic physical security controls such as asset management, monitoring and transport. This led to an employee taking the documents out of the office, dropping them and not realising until a member of the public reported it.

Often organisations have excellent controls around the expensive things (e.g. computers, laptops) but then forget everyone once the data has come off the printer. It seems unlikely that an employee would leave a laptop on the pavement and not notice.

When handling sensitive data, organisations should have a comprehensive security strategy which includes handling, and accounting for, paper copies. All employees should be made aware of this and, as always, records must be kept.

The next breach of interest was reported by the ICO in a 19 March announcement. This time it was serious enough that Kent Police were fined £100,000. This was quite a shocking example of how people can forget to track old, low-financial-value physical assets:

The Information Commissioner’s Office has served a monetary penalty of £100,000 on Kent Police after confidential information, including copies of police interview tapes, was left in the basement of a former police station.

The highly sensitive information included records relating back to the 1980s, thought to have been left at the site when the building was vacated in July 2009.

The information was discovered when a police officer was visiting a business owner about an unrelated matter on 27 November 2012 and noticed a pile of tapes with the logo of Kent Police stuck on them. The business owner confirmed that he had found the tapes in the basement of the old police station, after purchasing the site two months before, and was planning on watching them for entertainment.

It is almost certain that none of the officers or staff abandoned these tapes on purpose. It is almost certain that the business owner took them with malicious intent. However, the breach still happened.

Most people will agree that police interview tapes are pretty sensitive affairs. The officers will be asking questions about crimes, possibly including otherwise unreported information, and the interviewee will be providing information they may not expect anyone else to hear.

Given that these tapes may have ended up being used as evidence, it seems strange that they weren’t properly accounted for when the station moved offices. The problem is often that boring, “old-fashioned,” equipment is frequently overlooked when people concentrate on the modern equivalents.

The ICO’s Head of Enforcement sums it up well:

How a police force could leave such information unattended in a basement for several years is difficult to understand.

Ultimately, this breach was a result of a clear lack of oversight, information governance and guidance from Kent Police which led to sensitive information being abandoned.

Good information governance has to include good physical security controls – the most basic of which is making sure you know where your assets are. Anything else is basically asking for a breach.

Physical security underpins everything

This is the crucial point. Good physical security controls are so important that, without them, all your other controls are undermined to the degree that they may become pointless.

Good physical security controls are cheap – in the two cases here, a simple asset register would have saved both organisations – and easy to implement. They don’t make headline news, they don’t get people exited on twitter, they don’t come with flashy vendor presentations, but they do work. Isn’t that what actually matters?

Physical Security Assessment Form – Free Download



Halkyn Consulting has produced a physical security assessment form as a freely downloadable resource to help organisations get a baseline of their current security and see what areas need improving.

In addition to this form, our security resources area has a selection of other tools you can use to assess, understand and improve your physical security controls.

As part of our commitment to improving security awareness in general, if there is a specific tool you cant find but think would help people then please get in touch and we will see if we can help you out.

Remember – all good security builds on good physical security controls.

The post Physical security is important for data protection appeared first on Halkyn Security Blog.

]]> 1081 http://www.halkynconsulting.co.uk/a/2014/03/dpa-registration-important/ Wed, 12 Mar 2014 20:55:18 +0000 http://www.halkynconsulting.co.uk/a/?p=1070 Here in the UK, the Data Protection Act (DPA) has been law for 14 years now (the act is dated 1998 and commenced in 2000). Despite this, there are some organisations who are not aware of their obligations to comply, even when it is clear they are handling data which would be protected under the […]

The post DPA Registration is important if you want to avoid a fine appeared first on Halkyn Security Blog.

]]>

Here in the UK, the Data Protection Act (DPA) has been law for 14 years now (the act is dated 1998 and commenced in 2000). Despite this, there are some organisations who are not aware of their obligations to comply, even when it is clear they are handling data which would be protected under the act.

On 11 March, the Information Commissioner’s Office (ICO) announced another fine for a DPA breach, and as with so many cases before it, this was easily avoidable. When it comes to the DPA, very small amounts of preparation really can make a difference.

The latest DPA fine was levied against a Cardiff-based company providing “green deals” energy assessments called Becoming Green (UK) Ltd.

The ICO’s press release reports:

The offence was uncovered when the company was being monitored following concerns about compliance. An ICO case worker noticed Mr Muhith [Green Deal(UK) Ltd’s company director] had not registered the company with the ICO. As Becoming Green (UK) Ltd processed customers’ personal data this was a breach of the DPA.

As a result of this failing, the company director, Mr Abdul Muhith, was fined £597 personally. The company was also fined an additional £597. Although not covered in the ICO press release, other reporting (the Mirror, online) on the company implies that the ICO was investigating as a result of Green Deal Ltd (a previous company run by Mr Muhith) using inmates at an open-prison to run telesales. This behaviour is likely to be seen as putting DPA regulated personal data at risk, justifying ICO involvement.

DPA Registration – what should have happened

As always, we can only work on the published information but it seems that this is a very clear cut example of spending £35 to prevent a £1194 fine. It is especially strange that a company already under the ICO spotlight didn’t take measures to ensure DPA compliance.

The DPA can seem daunting to some people, but the ICO provides a lot of free guidance (or you can engage specialist consultants to help ensure compliance) to help businesses determine what they need to do.

If you aren’t sure if you need to register under the DPA, the ICO website provides a self-assessment tool. This has very simple question sets and helps you quickly work out your obligations.

Should you need to register, this can also be done online and costs £35 a year to maintain. If you decide to risk it and not register, remember you need to last 35 years without being caught before it becomes cost effective…

Basically, registration under the DPA is simple, cheap, easy and a legal obligation. Failing to do so is madness.

The post DPA Registration is important if you want to avoid a fine appeared first on Halkyn Security Blog.

]]> 1070 http://www.halkynconsulting.co.uk/a/2014/02/security-logs-can-save-you/ Fri, 28 Feb 2014 20:57:54 +0000 http://www.halkynconsulting.co.uk/a/?p=1050 It goes without saying that security logs are not the most interesting of topics. They are often viewed as a necessary evil, and in some instances they are even minimised to prevent storage or bandwidth issues. Both of these approaches are wrong. Boring or not, security logs are one of, if not the, the most […]

The post Security logs can save your systems and data appeared first on Halkyn Security Blog.

]]> It goes without saying that security logs are not the most interesting of topics. They are often viewed as a necessary evil, and in some instances they are even minimised to prevent storage or bandwidth issues.



Both of these approaches are wrong.

Boring or not, security logs are one of, if not the, the most fundamental aspects of your IT security controls. Without good security logs you don’t even know if your system has been breached, let alone what you need to do about it.

Logging is so fundamental to security that most of the time, you have to make a concious effort to turn it off. For most people, the hard part is actually just deciding on how much they want to store.

Unfortunately, even if you are sensible enough to have good logging turned on, there is one extra little step you need to take. Monitor the logs.

In January 2014, the US luxury department store Neiman Marcus announced it had been subjected to a major security breach (as reported by Krebs on Security) which may have compromised significant numbers of customer credit cards, charge cards and store cards. Some reports have stated that of the breached cards, over 9000 have been used fraudulently since the attack and this has fuelled significant debate over how it could have been prevented.

Based on a report published in February 2014, it seems the answer is actually – security logs. Bloomberg’s BusinessWeek reported an except from the post-incident forensic investigation stating:

The company’s centralized security system, which logged activity on its network, flagged the anomalous behavior of a malicious software program—although it didn’t recognize the code itself as malicious, or expunge it, according to the report.

So far, this is good news. Security logs capturing unexpected behaviour is a good thing and exactly how you would expect a SIEM system to work.

However, things didn’t go as well as it should have:

The system’s ability to automatically block the suspicious activity it flagged was turned off because it would have hampered maintenance, such as patching security holes, the investigators noted.

This is the first major problem people face with security logs and event monitoring. Too often they are perceived as getting in the way of business and turned off…

In all, the report by Protivi mentions 59,746 security alerts that were ignored or suppressed for one reason or another.

We are not saying that security logs alone would have defeated the attack here. However, if someone at Neiman Marcus had been alerted to the malicious activity, they could have done something. Instead, thanks to suppressed or ignored logs, the attack went through.

Security logs – what should you do?

Good security logs and good log management is critical for security. Top tips for implementing this are:

• Collect as many logs as possible. Hard disk space is cheap. Turn on all logging and store the logs as long as your business can justify. This really cant be overstated. Collect logs. If you have security logs you can be alerted to incidents and you can investigate. If you didn’t collect the logs you can never create them. Whatever you do, make sure you collect logs.
• Correlate the logs. You can do this with software or by “hand”. Correlation means having a way to know how one log entry relates to another.
• Set up alerting. No human being will ever pay proper attention to log files themselves. Even if you find one who does, software will be faster, cheaper and work 24/7.
• Fine tune your alerting. All logging creates false positives and false negatives. Tune the alerting until you get the right balance. Only you will know how important false positives are, so we cant tell you how to tune. We can tell you that you should tune. If you dont, your logs will swamp you. Just dont tune too much, otherwise you miss important things.
• Respond to your alerts. This is why tuning matters. Once you have tuned your system, alerts are important. If development or business processes generate alerts, fix the problem, dont suppress the alert. If you find yourself ignoring alerts, you’ve got something wrong.

Logging really is important. Security logs tell you what is happening on your network and support incident response. If you dont log, you are blind. If you dont enable logging before you get hacked it is too late for you.

Just as important, and as Neiman Marcus has shown, is actually paying attention to the alerts your security logs generate.

Security is important to every business, not just technology or government workers. Retail organisations are increasingly targeted by hackers and criminals and security threats are evolving. It is no longer possible to assume that because you work in an unregulated environment, security doesn’t matter. Security does matter, so make sure you do it properly.

The post Security logs can save your systems and data appeared first on Halkyn Security Blog.

]]> 1050 http://www.halkynconsulting.co.uk/a/2014/02/city-of-london-police-update/ Sat, 01 Feb 2014 16:13:48 +0000 http://www.halkynconsulting.co.uk/a/?p=1036 As part of the cross-sector safety and security communications plan, the City of London police have announced today some significant changes being made to reinforce the ring of steel around the Square Mile. City of London Police: Ring of steel just got tougher New tactics, new tools and new technology will be launched in February […]

The post City of London Police – update appeared first on Halkyn Security Blog.

]]> As part of the cross-sector safety and security communications plan, the City of London police have announced today some significant changes being made to reinforce the ring of steel around the Square Mile.

City of London Police: Ring of steel just got tougher



New tactics, new tools and new technology will be launched in February to help protect the Square Mile from the threat of terrorism and wider crime.

New tactics: Following a successful pilot scheme towards the end of 2012 and further refinements throughout last year, a new, multi-layered approach to deter hostile reconnaissance throughout the City will be adopted as ‘business as usual’ from 10 February under the new name of Project Servator.

The new policing tactics involve replacing the old-style, single staffed entry points with highly visible deployments that can occur anywhere in the City at any time and draw on a range of varying resources including specially trained overt and plain-clothed officers, marked and unmarked vehicles, cycles, horses and dogs and other measures that may not be visible including CCTV.

This activity will be supported by officers trained to engage with and reassure visitors and the local community who also have an important role to play by reporting any suspicious behaviour and explaining to their staff and customers about the nature of the operations.

New tools and technology: In-car Automatic Number Plate Recognition (ANPR) and video systems have been fitted to 22 marked police vehicles and new, back office, software will ensure that all intelligence can be produced more efficiently and used in a more targeted way. Months of extensive trials are now complete and the new system goes live in February. ​​​​​​​​​​​

​​​​​​​​This significant capital spend will bring important benefits to officers working out on the streets. ​

​​​​​​​Commander Operations, City of London Police, Wayne Chance, said:

“Protecting the City as a global financial centre remains a key priority for the City of London Police and, as the nature of the threat evolves, deterrence and detection measures need to develop accordingly.”

​​”As a force, we are the pioneers of a new approach to policing that aims to deter and detect criminal and terrorist activity, as well as to reassure the general public.”

​​​”These new tactics, coupled with the new technology and tools to support our officers out on the street, will mean a more enhanced and strategic approach to protecting the Square Mile and is part of our drive to deploy our resources more effectively and more intelligently.”

The post City of London Police – update appeared first on Halkyn Security Blog.

]]> 1036 http://www.halkynconsulting.co.uk/a/2014/01/data-protection-physical-security/ Thu, 30 Jan 2014 22:11:16 +0000 http://www.halkynconsulting.co.uk/a/?p=1022 Data protection is frequently in the news as organisations more become aware of just how important it is to their business. Unfortunately all too often data protection measures focus on the technical aspects, overlooking the basic need for good physical security controls. Technical controls, such as encryption & access management are important for data protection […]

The post Data protection needs good physical security appeared first on Halkyn Security Blog.

]]>

Data protection is frequently in the news as organisations more become aware of just how important it is to their business. Unfortunately all too often data protection measures focus on the technical aspects, overlooking the basic need for good physical security controls.

Technical controls, such as encryption & access management are important for data protection but they need to build on good physical security.

Security is all about providing layers of protection. If you ignore or weaken one layer, you weaken everything. If you don’t protect your physical assets, you are’t providing proper data protection measures.

The multinational Coca-Cola recently discovered the importance of asset protection when it reported the compromise of 74,000 people’s data (as reported by Techworld):

Coca-Cola has admitted falling prey to bizarre slow-motion data breach in which an employee apparently stole dozens of laptops over several years containing the sensitive data of 74,000 people without anyone noticing.

According to the reporting, over a six year period, a former employee removed 55 laptops containing a mix of employee records. The data put at risk included information such as social security numbers and may have had significant market value.

An interesting twist here is: (from the same article)

The mystery of how the laptops disappeared is almost as strange as the fact that they later reappeared, allowing the breach to be characterised as temporary.

It seems the laptops were not being stolen for their resale value. This does raise the question about what the previous employee was looking to do with them.

Data protection – asset control

When we talk about temporary breaches on network assets, we normally mean that there hasn’t been time or evidence that a hacker got in and stole data. This gives some reassurance to the data subjects and helps narrow down process and policy failures.

In this example it may not be so reassuring.

The “missing” laptops were not encrypted. This means the whole time they were out of Coca-Cola’s control anyone could have extracted any of the personal data on them. It only takes a few minutes to copy thousands of files to USB so it would have been possible for every record here to have been copied thousands of times.

Importantly, the apparent total lack of any form of asset control here means it isn’t really possible for Coca-Cola to know how long they were missing. The available reporting indicates that if they hadn’t returned, no one would have even realised the breach took place.

Asset control is a pretty fundamental aspect of both good service management and good security. It is not just a “Physical Security” issue that IT teams can pass off to the site security teams, it is a fundamental requirement. If you don’t manage all your assets properly, all your other controls suffer.

ISO27002:2013 spells out the requirement for asset control in 8.1:

Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.

It seems in this instance, the inventory either did not exist or it was not maintained. Without a well maintained asset list you can never be sure that other controls are working. In this case, if Coca-Cola had kept an inventory, it could have identified the lack of encryption.

Remember, data protection needs good security. Don’t miss out on vital steps. Asset control really is vital.

The post Data protection needs good physical security appeared first on Halkyn Security Blog.

]]> 1022 http://www.halkynconsulting.co.uk/a/2013/12/127-0-0-1-redirect-causing-wordpress-connectivity-problems/ http://www.halkynconsulting.co.uk/a/2013/12/127-0-0-1-redirect-causing-wordpress-connectivity-problems/#comments Mon, 30 Dec 2013 20:12:49 +0000 http://www.halkynconsulting.co.uk/a/?p=1012 There seems to be a problem with either WordPress or one of its plugins that is redirecting the login script to a non-existent listener on local host (127.0.0.1). At the moment we have implemented a work-around, but any contributors may have difficulty logging in. A quick google search shows that this is happening to other […]

The post 127.0.0.1 redirect causing wordpress connectivity problems. appeared first on Halkyn Security Blog.

]]>

There seems to be a problem with either WordPress or one of its plugins that is redirecting the login script to a non-existent listener on local host (127.0.0.1). At the moment we have implemented a work-around, but any contributors may have difficulty logging in. A quick google search shows that this is happening to other users so hopefully we can resolve it soon.

The post 127.0.0.1 redirect causing wordpress connectivity problems. appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2013/12/127-0-0-1-redirect-causing-wordpress-connectivity-problems/feed/ 1 1012 http://www.halkynconsulting.co.uk/a/2013/12/december-dpa-breach-fines/ Mon, 30 Dec 2013 20:07:14 +0000 http://www.halkynconsulting.co.uk/a/?p=1001 The run up to Christmas 2013 has shown that the Information Commissioners Office is still busy fining organisations and individuals for breaches of the Data Protection Act (DPA). In December two new civil monetary penalties were issued with a total of over £175,000. Both cases highlighted the value of being proactive and implementing good security […]

The post December DPA Breach Fines appeared first on Halkyn Security Blog.

]]>

The run up to Christmas 2013 has shown that the Information Commissioners Office is still busy fining organisations and individuals for breaches of the Data Protection Act (DPA). In December two new civil monetary penalties were issued with a total of over £175,000. Both cases highlighted the value of being proactive and implementing good security controls in advance of a DPA breach, albeit in two very different ways.

Unusually, December saw one of the rare instances where the ICO levied a DPA fine (albeit a small one) against an individual working in the health sector. The second item was a much more significant penalty for a payday loans firm. This is less surprising as several organisations in that sector appear to operate as if regulations don’t apply.

DPA Fine for GP Surgery Manager

Early in December, the ICO announced the outcome of a case against a former-GP surgery’s finance manager who pleaded guilty to unlawfully accessing patient medical records on over 2000 occasions.

Discussing the DPA breach, the ICO Head of Enforcement, Stephen Eckersley, said:

We may never know why Steven Tennison decided to break the law by snooping on hundreds of patients’ medical records. What we do know is that he’d received data training and knew he was breaking the law, but continued to access highly sensitive information over a 14-month period.

As a result of this activity, Mr Tennison was fined a total of £996 and ordered to pay a £99 victim surcharge and £250 prosecution costs.

In this case, the GP’ surgery appears to have functioning detective controls which allowed them to identify Mr Tennison’s unlawful behaviour and provide sufficient evidence to the ICO to avoid suffering any sanctions themselves.

We have discussed issues around the insider threat (and the importance of pre-employment screening) before, but the sad fact is even the most trusted employees can go off the rails. What has worked here, and helped the Surgery remain compliant with the DPA, is that there were correct processes and policies in place.

This is a very good example of the benefits of investing in proper security processes before a breach happens. For organisations within the health sector, the alternative tends to be a hefty fine from the ICO, or worse:

The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

Payday loans firm breaches Privacy and Electronic Communications Regulations (PECR)



The other case from December centred on the marketing tactics of a Payday Loans firm which breached the Privacy and Electronic Communications Regulations rather than the DPA directly.

The company, First Financial, and it’s director had been fined over £1000 each in October for DPA breaches (failing to register) although it seems that this wasn’t enough to help them avoid falling into the ICO’s clutches a second time.

This time, the £175,000 penalty followed over 4000 complaints that First Financial were sending out unsolicited text messages to people. These messages purported to be from friends and encouraged the recipient to take out a very high interest loan.

Commenting on the company, and the director’s behaviour, Simon Entwisle, said:

People are fed up with this menace and they are not willing to be bombarded with nuisance calls and text messages at all times of the day trying to get them to sign up to high interest loans. The fact that this individual tried to distance himself from the unlawful activities of his company shows the kind of individuals we’re dealing with here.

We will continue to target these companies that continue to blight the daily lives of people across the UK. We are also currently speaking with the government to get the legal bar lowered, allowing us to take action at a much earlier stage.

In this instance, the company were trying to hide their tracks by using un-registered SIM cards to send the messages indicating that this was a blatant deliberate violation of the DPA / PECR rather than ignorance of the law.

While it is unlikely that the director of First Financial would have been willing to implement good security controls to comply with the DPA, the fact is any organisation involved in direct marketing risks allowing this sort of behaviour. Without security controls, breaching the DPA / PECR can result in extensive fines undermining any profit made and risking a collapse of the business.

Good security and governance controls would have enabled First Financial to identify the risky behaviours in advance giving them the opportunity to remain legally compliant while still driving the business forward.

It is a shame that so many organisations believe they need to play fast and loose with the regulations rather than working to succeed in a legal and compliant manner. As long as this behaviour continues, the ICO (and others) will push for harsher and harsher penalties. In anything but the very shortest term, businesses which need to cheat the law to make a profit are doomed to fail.

Security and Governance controls really do protect the business and help it thrive in any environment.

* Image courtesy of Jeroen van Oostrom / FreeDigitalPhotos.net

The post December DPA Breach Fines appeared first on Halkyn Security Blog.

]]> 1001 http://www.halkynconsulting.co.uk/a/2013/11/business-continuity-5-things/ Fri, 01 Nov 2013 15:27:15 +0000 http://www.halkynconsulting.co.uk/a/?p=984 In the northern hemisphere at least, winter is now upon us and this is time for all business owners to think about how well their business can cope if the weather turns bad. In the UK, we have had a succession of very bad winters and all size of organisations have suffered. In 2009, the […]

The post Business continuity – 5 things to consider this winter appeared first on Halkyn Security Blog.

]]>

In the northern hemisphere at least, winter is now upon us and this is time for all business owners to think about how well their business can cope if the weather turns bad. In the UK, we have had a succession of very bad winters and all size of organisations have suffered. In 2009, the snow is reported to have cost UK business in excess of £1bn. This rose to £6bn over the winter of 2010 and in the long winter of 2012/2013 businesses reported lost £500m a day.

Now, obviously these numbers include huge losses suffered by major organisations, but for most small to medium enterprises there was noticeable pain. The Federation of Small Businesses reported that in March 2013 alone, the snowfall cost small businesses an average of £1,580 and an average of 2.2 days trading were lost. For some, another bad winter might be enough to put them out of business entirely.

However, it doesn’t have to be this way.

Sensible business practices and a view to ensuring “business continuity” is in place can mitigate most, if not all, the problems associated with bad weather conditions.

This doesn’t mean you need to go through a full blown BS25999 / ISO22301 process and produce reams of documents covering what your business will do if there is a volcano or aliens invade. However it does mean you should take a good look at your business and see what you would need to do in the event of a problem. As the saying goes, failing to plan is planning to fail and if your business is important to you, you should plan to keep it going.

Five key steps to protecting your business

At a very high level, there are five steps you can walk through to make sure you have considered the most likely and most relevant issues in protecting your business.

1. Location. Think about where your business is located – not just your head office, but any important sales locations, warehouses, depots etc. For example: If you are on a flood plain, you need to anticipate being flooded. Once you have a good understanding of this, you will have a clearer idea of what risks your business faces.
2. Services. Next you need to consider what services are essential to your day to day running. Can your business function if the telephone lines go down? Do you depend on an internet connection for all your activities? Do you have your own electricity generators? Can your offices remain open if the water mains burst? When you identify what is important you can begin to plan how your business will react to likely problems.
3. Supply Chain. Once you are happy with your location and services, you need to consider what impact supply chain problems will have on your day to day operations. If you have “Just in Time” supply strategy, you need to know you can cope if your suppliers are unable to deliver. A lot of this may highlight a need to check supplier contracts and carry out robust assessments of your suppliers.
4. Workforce. It may seem obvious, but making sure your employees and contractors can do the job you are paying them to do is often overlooked. It may seem strange to do this after the earlier steps but this doesn’t indicate it is less important. Once you understand the risks your business faces and what you will need to do to keep office locations / warehouses (etc.) open, you will have a clearer idea of how best to manage your workers. Things to consider include allowing your workforce to work from home or arranging a way of getting people to alternative locations. All of this must be driven by your business needs and planning ahead gives you the greatest chance of getting it right.
5. Infrastructure. The last in our list of high level concerns is the impact any infrastructure problems might have on your plans. By now you should have an idea of what risks your locations face, what services are required and where you need your suppliers and workforce. From this, you can now get a picture of what problems with national and local infrastructure may impact your business. Here you need to consider things like your employees ability to get to the locations – in the March 2013 snowfalls lots of roads and train routes were closed and this can significantly impact your plans to send employees to remote locations. Ideally you should try to make sure your business continuity plans are not reliant on vulnerable routes. Additionally, you should consider how infrastructure issues will impact your customers – if you rely on an out of town sales location, consider how you can cope if snow cuts off the access roads for a couple of days.

When you have gone through each of the five steps, you will have an excellent idea of how your business can be impacted by unexpected situations. This doesn’t mean you can sit back and relax – now you need to make sure your business continuity plans make sense, address the issues and, most importantly, actually work.

In an ideal world, you will test your business continuity plans by playing out every possible scenario in real time, moving your employees around. However, for most small businesses this is overkill and will actually cause more harm than it will prevent.

This is no excuse, though, to not sit down with key members of your organisation and talk through the plan, looking for problems and challenging assumptions. This approach allows you to cover off dozens of situations for almost no cost – just a bit of time.

No one can really predict the future and the weather remains as unpredictable now as it was 2000 years ago but there is no excuse for not planning to keep your business up and running. Good planning can, for small businesses, be the difference between success and failure. Even if we have the mildest winter on record, it isn’t a waste of time.

If you want to know more about this, please get in touch and our security consultants will help you build a tailor-made business continuity plan and then work with you to make sure it is robust and tested.

The post Business continuity – 5 things to consider this winter appeared first on Halkyn Security Blog.

]]> 984 http://www.halkynconsulting.co.uk/a/2013/10/iso27001-compliance-checklist/ http://www.halkynconsulting.co.uk/a/2013/10/iso27001-compliance-checklist/#comments Fri, 25 Oct 2013 20:42:30 +0000 http://www.halkynconsulting.co.uk/a/?p=961 As mentioned previously, we have now uploaded our ISO 27001 (also known as ISO/IEC 27001:2013) compliance checklist and it is available for free download. Please feel free to grab a copy and share it with anyone you think would benefit. Designed to assist you in assessing your compliance, the checklist is not a replacement for […]

The post ISO27001 compliance checklist available for download appeared first on Halkyn Security Blog.

]]>

As mentioned previously, we have now uploaded our ISO 27001 (also known as ISO/IEC 27001:2013) compliance checklist and it is available for free download. Please feel free to grab a copy and share it with anyone you think would benefit.

Designed to assist you in assessing your compliance, the checklist is not a replacement for a formal audit and shouldn’t be used as evidence of compliance. However, this checklist can assist you, or your security professionals:

• to assess your current security measures in a structured way;
• to make sure you that  have looked at all the relevant controls;
• to identify areas where your current controls are strong and areas where you can achieve  improvements;
• to achieve compliance with the standards;
• to consider what evidence you have that could  demonstrate your compliance to an external party.

Additionally, the tool can provide dashboards allowing you to present management information (MI) across your organisation. This shows where you are in your compliance program and how much progress you have achieved. Presenting information in this manner can be beneficial when it comes to winning stakeholder support in your security improvement plan, as well as demonstrating the value added by security.

You can grab the checklist directly (in Excel format) or visit the Security Resources part of our website for this checklist and many more useful security tools and documents. Halkyn Security makes these documents available to help people improve their security and we never demand you log in, or register, for access.

If you want the document in a different format (such as OpenOffice) get in touch and we will be happy to help you. The checklist uses basic office protection (to prevent accidental modification) but we are  happy to provide unprotected versions on request.

We have tried to make the checklist easy to use, and it includes a page of instructions to assist users. If you do have any questions, or want to talk through the process then let us know. Our security consultants are experienced in delivering ISO27001 compliant security solutions across a wide range of environments and we love’d love the opportunity to help you improve your security.

The post ISO27001 compliance checklist available for download appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2013/10/iso27001-compliance-checklist/feed/ 73 961 http://www.halkynconsulting.co.uk/a/2013/10/twitter-social-engineering-attack/ http://www.halkynconsulting.co.uk/a/2013/10/twitter-social-engineering-attack/#comments Tue, 15 Oct 2013 22:42:04 +0000 http://www.halkynconsulting.co.uk/a/?p=940 This evening I managed to end up getting my personal twitter account hijacked and malicious users were able to send out direct messages before I got at least some element of control back. First off, I want to apologise to anyone who got a strange DM from me, telling them to click on a suspicious […]

The post Twitter – Possible social engineering attack appeared first on Halkyn Security Blog.

]]>

This evening I managed to end up getting my personal twitter account hijacked and malicious users were able to send out direct messages before I got at least some element of control back.

First off, I want to apologise to anyone who got a strange DM from me, telling them to click on a suspicious looking link. I’ve tried to delete them all now and I hope no one clicked on any links.

Although, I cant fully confirm this yet, the attack appears to have been the result of following a link to reset my twitter password. The email came from a very legitimate looking email account and the headers (see image) appear to be from twitter. However, when I did follow the link, and reset my password, I was immediately booted into a sort of limbo where I could neither log in or out of my account. Eventually I got control back by opening a new browser session and forcing yet another password reset. In the three minutes while I couldn’t get access, several direct messages were sent out to people trying to get them to click on a suspicious looking link.

Twitter password reset email – background

At 2313 (all times UK BST) an email landed in my inbox saying it was from twitter and reporting that they had reset my password:

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

Now, at this point, I hadn’t used my twitter account since 14 October and I certainly hadn’t added any new services or visited any websites trying which needed a twitter login. This meant I was a bit suspicious about the email so I checked the headers. Everything here checked out – and it still does which is why I am a bit dubious about this being the attack vector – so, at 2320hrs I clicked on the link.

From here, I was taken to a legitimate looking twitter password reset page. I created a new password and things went a bit strange. When I put the new password in, I was redirected to a log in page again, which seemed a bit more unusual but I had no warnings about HTTPS errors or the like, so I tried to log in with the new password.

When I clicked to submit the password, I was immediately bounced back to the login page and this happened a couple of times. After the fourth attempt, I tried to click on the forgotten password link, but I just got a message saying I needed to log out again first – with no mechanism to log out.

At this point I realised something was up and that my twitter account was probably genuinely compromised now. Yes, I can be a bit slow on the update.

Twitter account recovery

When the penny finally dropped I started trying to recover my account. First I went to a new browser session, which was clear of any twitter cookies or saved data and requested a password reset. I got the password reset email at 2329, leaving a gap of 9 minutes between when I thought I had reset my password and when I got control of it again.



Being a bit paranoid now, I double checked the reset details but with some extra confidence as I had genuinely requested it this time. A copy of the message source is shown in the image here.

Worryingly it was pretty much identical to the previous one. As I didn’t have much to lose, I clicked on the link and reset my password.

This time, it went very differently and I was given proper access as you would expect. Once I had got in (2330hrs), I checked my direct messages and it seems that between 2320 and 2329hrs, my account had been sending out direct messages to my followers asking them to click on a link. Fortunately not that many had been sent (about 3 a minute) which may have been an attempt to avoid detection.

Analysis

Without access to twitter’s logs or the like, I cant ever really be sure what happened, but there are clues available.

First off – the malicious direct messages were only sent in the period of time between my click on the first email and the password reset request. This means that the first email has to be treated with some increased suspicion, for the following reasons:

1. It was unsolicited.
2. It was unspecific.
3. It mentioned my twitter user name but not my “name” (which the later, legitimate email did)
4. It created the sense of panic about my account being compromised.

Despite this, the email has been digitally signed using twitter’s RSA key and the URL it referenced looks to all intent and purposes to be a legitimate twitter link for password resets.

The only difference I can find between the original message and the second (presumed legitimate) one is in the tracking string attached to it. On the first email, the link has the following appended to it:

?utm_campaign=twitter20080313004041&utm_medium= email&utm_source=resetpwnotice

On the second one, the tracking link reads:

?utm_campaign= resetpw20100823&utm_content=action&utm_medium= email&utm_source=resetpw

However, it is hard to see how this can be converted into an attack vector, so it is probably nothing more than an artefact in the way twitter tracking works.

If the email hadn’t been compromised in some way, the next alternative is that some form of attack is being mounted when the password is being reset. During this time, as far as my browser was showing, I was connected over HTTPS and no alerts were shown.

Unfortunately it is unlikely I will ever get to the bottom of this, and it may have been a problem with a connected service or even a website and all the emails were legitimate – it was just a timing error that meant the attack took place in the gap.

If you have ever been in this situation, I would love to hear about it. Hopefully it can add some more knowledge and help solve the puzzle.

The main lesson here is to be on guard for any suspicious activity with social networking accounts. Even if you get a legitimate email, take time to double check what is happening and if things go wrong, act quickly to regain control.

The post Twitter – Possible social engineering attack appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2013/10/twitter-social-engineering-attack/feed/ 1 940 http://www.halkynconsulting.co.uk/a/2013/10/isms-new-version-isoiec-27001/ Mon, 14 Oct 2013 21:13:08 +0000 http://www.halkynconsulting.co.uk/a/?p=929 As you may be aware, the ISO/IEC 27001 standard for Information Security Management Systems (ISMS) was updated and the 2013 version became the “official” version at the start of October 2013. The previous version for ISMS requirements was ISO/IEC 27001:2005, and for eight years now, organisations have been working towards, and achieving, certification to that […]

The post ISMS: New version of ISO/IEC 27001 – Time to update? appeared first on Halkyn Security Blog.

]]>

As you may be aware, the ISO/IEC 27001 standard for Information Security Management Systems (ISMS) was updated and the 2013 version became the “official” version at the start of October 2013. The previous version for ISMS requirements was ISO/IEC 27001:2005, and for eight years now, organisations have been working towards, and achieving, certification to that standard.

ISMS Requirements – Changes?

The change between the 2005 version and the current 2013 standard is more than just cosmetic and there is a lot of improvements for your ISMS. There are some areas where controls have been regrouped within Annex A, but there are also new controls for project management, outsourcing, design & engineering and information security events. Additionally the risk management approach has been brought more in line with ISO 31000.

What should you do?

Overall, the main impact is that a lot of existing ISMS document will need to be reviewed (and possibly references changed) and anyone working towards certification needs to make a decision as to which path they will go down.

• If you are close to completing your implementation and will be able to get through all the required visits by the assessors no later than the end of September 2014, then you can opt to certify your ISMS against ISO/IEC 27001:2005.
• Alternatively you can make the changes required to realign your ISMS to ISO/IEC 27001:2013 now and work towards certification that way. If your are more than 12 months away from full implementation of your ISMS, this is your only option.

Unless you really are very, very close to finishing your ISMS certification against the 2005 standard, we would strongly recommend you use the new 2013 version.

If your ISMS is currently certified to the 2005 version of the standard, your certification will remain valid until the end of your 3 year renewal cycle. However once you come up for re-certification you will need to work against the 2013 standard.

As far as we are aware, it is not possible to recertify against the 2005 during the twelve month “grace period” that has been offered for new certifications.

Supply chain ISMS certification

When it comes to your supply chain, one of the benefits of ISO/IEC 27001 certification is that it allows you to develop a level of trust. If your supplier has managed to achieve and maintain certification, then you have a reasonable level of assurance that they have implemented a working ISMS and will protect your data to at least some degree.

It is of critical importance that as part of this assurance you get access to copies of the documentation sets provided for certification, evidence that the ISMS is properly implemented and a good understanding of the scope submitted for certification audit. If you can tick these three boxes, you can have quite a good level of assurance around your supplier.

Now that the 2013 standard is official, you should also make sure that your supply chain move to meet the new requirements in a timely fashion. As mentioned above, any certifications currently valid will remain so, but it will help for you to engage your suppliers and find out what their plans for the transition are. By October 2016 all your suppliers should have had to recertify and it is unlikely that any ISO/IEC 27001:2005 certifications will be valid.

Coming Soon

To assist you with moving towards the 2013 standard, we will be providing a free downloadable checklist document that you can use to self-assess your ISMS compliance. Hopefully this will be ready before 25 October 2013.

Following on from that, we will also look to update our Security Policy Framework (SPF) mapping to assist suppliers to the Government / MOD. That is likely to be ready by the end of the year.

The post ISMS: New version of ISO/IEC 27001 – Time to update? appeared first on Halkyn Security Blog.

]]> 929 http://www.halkynconsulting.co.uk/a/2013/09/physical-security-still-matters/ Fri, 20 Sep 2013 22:21:43 +0000 http://www.halkynconsulting.co.uk/a/?p=908 When it comes to security, there is an unfortunate tendency for organisations (large and small) to fall into the trap of treating their physical security as something separate or different from their information security needs. Despite physical security having a place in every international security standard (such as ISO 27001), ownership of physical risks often […]

The post Physical Security – It still matters appeared first on Halkyn Security Blog.

]]>

When it comes to security, there is an unfortunate tendency for organisations (large and small) to fall into the trap of treating their physical security as something separate or different from their information security needs. Despite physical security having a place in every international security standard (such as ISO 27001), ownership of physical risks often ends up being moved away from the “Information Security” specialists and bundled in with safety or facilities management.

As we have said in the past, physical security really does matter to your organisation. If you don’t take it seriously, it doesn’t matter how much cybersecurity you have in place, you will suffer losses.

There is an assumption that the big global banks are very much leaders when it comes to security and preventing criminals getting access to their money. Banks have led the way with development of anti-theft measures, counter-fraud, hacker prevention and much more. Most banks spend inordinate amounts of money building very robust networks with strong firewalls and access controls. This all makes sense, because when it comes to robbing money, most criminals dream of getting a big score from a big bank.

With this sort of threat level, spending lots of money on security is actually very sensible for a bank. As you may imagine, they really do spend lots of money.

This means that the recent news was a bit of a surprise. Not one, but two global banks were targeted by a reasonably unsophisticated type of attack which has been known about for over a decade and is countered by pretty basic physical security measures.



The first news broke around 13 September 2013 with reports that the Police Central e-crime Unit (PCeU) had foiled a planned attack by a criminal group in London to pose as an engineer then plant a “KVM” switch in the Salford Quays branch. When this happened, the BBC News reported a gang of 12 people had been arrested in connection with the planned attack.

A week later (20 Sept 2013), a very similar news item appeared when eight men were arrested following the theft of £1.3 million from Barclays Bank using an identical attack. As reported, again by the BBC, This time a fake engineer visited the Swiss Cottage branch of Barclays and attached a malicious KVM switch to a computer. This enabled the gang to get remote access and siphon out the money.

While intelligence led policing seems to have saved Santander from any loss, Barclays was not so lucky. Even if they do recover most of the money, the harm has still been done. This is a very good example spending a fortune on technical security controls not mattering. If there is a physical security weakness, attackers will get in.

(Note: a KVM is a “keyboard, video, mouse” switch which is normally used to allow one person to control several devices. In these attacks the KVM appears to have been linked to a device controlled by the criminals allowing them to access the bank’s networks)

Physical security protects assets – lessons learned

Although we may never know all the details, from the published reports there are some lessons for everyone here.

The criminals appear to have been trying to exploit two weaknesses – lack of physical security sweeps and a relaxed approach to service engineers. The fact that two global banks appear to have suffered the same issues is especially interesting and may be a sign that this is prevalent across business sectors.

First – how to combat the two main weaknesses that the criminals wanted to exploit:

1. Physical security is important. If your organisation separates physical and IT security, you will have a weakness that a criminal will exploit. Don’t fall into this trap.
2. Ensure your staff are security aware enough that they can spot when strange things appear on their machines or in the office.
3. If you have security guards / officers on site, make sure they carry out regular physical security sweeps. This should include checking for documents left out, cabinets left unlocked and any strange devices attached to machines.
4. Unless there is a business reason for it, lock down your computer ports. This wont prevent a KVM switch attack but it will prevent similar attacks on USB ports.
5. Manage your service providers. If an engineer comes on-site in a sensitive area you should be supervising them. No engineer should ever get access without having their credentials checked and any unexpected engineer visits should be treated with extreme caution.

Security, including physical security, is never perfect but if you can implement these five steps you will significantly reduce your risks.

One extra issue worth considering – although there is no indication it is relevant to the two cases here – is the risk of an insider being involved. If the criminal gangs had managed to subvert an employee, then they wouldn’t have had to sneak in as an engineer and the attacks become significantly harder to detect.

This is one reason why good background screening and employee after care is essential to your overall security posture. Without it, you are just creating a new opportunity for criminals to get access.

Physical Security – Information Security – Personnel Security – Security

The overarching lesson here is that security is security. Protecting your business, preventing theft, guarding your reputation, keeping your assets safe (and so on) is all part of the same mission.

The more you fragment your security into different areas the more you increase the chance that a gap will appear which a criminal will exploit. You may not have the threat profile of a bank, but eventually criminals will notice your weakness and take advantage of it.

In recent years there has been a tendency to split information security off to the IT Department, personnel security gets pushed to HR and physical security ends up with the facilities management team. This is a mistake.

In an ideal world, your organisation will have a “security” department which covers all of this and has links to other departments as needed. Even if we don’t live in an ideal world, you need a centralised “Chief Security Officer” type role to join up the competing interests and make sure that all your security controls join up properly.

Frequently this is called “Holistic” security and buzzword or not, it just makes sense.

To finish, a quote from Alex Grant, Managing Director, Fraud Prevention, Barclays

Barclays has no higher priority than the protection and security of our customers against the actions of would-be fraudsters.

Well said. Every business should take a similar position, but remember – actions speak louder than words. If you value your security, do it properly.

The post Physical Security – It still matters appeared first on Halkyn Security Blog.

]]> 908 http://www.halkynconsulting.co.uk/a/2013/08/encryption-it-is-your-responsibility/ Tue, 20 Aug 2013 21:54:29 +0000 http://www.halkynconsulting.co.uk/a/?p=890 Encryption is important. This has always been well known, and with the recent revelations about PRISM and related Government monitoring of communications, people have become understandably more interested in the topic. However, keep in mind the fact that doing encryption wrong is worse than not doing it. In recent years it has become more and […]

The post Encryption – it is your responsibility appeared first on Halkyn Security Blog.

]]>

Encryption is important. This has always been well known, and with the recent revelations about PRISM and related Government monitoring of communications, people have become understandably more interested in the topic. However, keep in mind the fact that doing encryption wrong is worse than not doing it.

In recent years it has become more and more common for people to store personal data and commercial data on a variety of 3rd party platforms – Google Docs, Skydrive, Dropbox, Box.net etc.

Encryption needs to be locally managed

At the most basic level, if you host your data somewhere outside your control – be that a cloud provider or more traditional hosting session – then you really should be encrypting it. When you do use encryption it is of the utmost importance that you manage the keys yourself. Anything else is giving you a very dangerous false sense of security and means your encryption can be trivially bypassed without you even knowing.

However, this fundamental principle seems to have been overlooked with Google’s latest PR campaign which looks to allay customer fears by implementing automatic encryption to all uploads. This is a very bad idea.

The Telegraph reported the news of Google automatic encryption with the following:

“We know that security is important to you and your customers. Our goal is to make securing your data as painless as possible,” Google product manager Dave Barth said in a blog post introducing the update.

Now, it is true that implementing encryption can be difficult, but that is largely down to the level of experience and expertise your staff have. If security is important, then you absolutely must make sure you have the right people to do it. If security is important, then this is really not the place to cut costs.

The article continues with this, also from Dave Barth:

“If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys. We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing.”

Now this is a bit calculating and presents an image which isn’t really true.

Remember the fundamental principle – if you dont manage your own encryption keys, your data is insecure? Well it applies here. It especially applies here.

Managing your own encryption keys may be a hassle, but it is less of a risk than trusting a third party to do it for you – especially a third party which has no real obligation to your stakeholders, is big enough to likely shrug off any legal efforts you make, refuses to acknowledge the jurisdiction of the ICO / Data Protection Act and was reportedly complicit in revealing data to the Government agencies it is implying it will protect your data from.

If you rely on Google’s (or anyone) automatic encryption then you are relying on them making sure all their employees are honest and legitimate, making sure that that they never go out of business, making sure that they never engage in covert arrangements with Government agencies or other companies, making sure they never get hacked, making sure they never have an outage when you need access etc.

You may be confident that one or two of the above will never happen to your provider, but you actually need to be 100% confident that nothing bad will happen. Isn’t that asking a bit much?

Using automatic encryption may remove some hassle, but it significantly increases the risks your data faces, often to the point at which you are better leaving it unencrypted and assuming it has been compromised.

Encryption – the basic rules

When it comes to your encryption, there are actually some simple rules to keep in mind and the whole thing is easier than it looks. With encryption, the only hard parts are working out what technology to use and picking a suitable key (e.g. password).

1. All your data must be encrypted locally. Even if your provider uses SSL, before you send anything out of your immediate control you absolutely need to know that it is encrypted to whatever standard you have decided upon.
2. You must manage encryption keys yourself. These are the crown jewels and if you lose them or compromise them, your data is lost or compromised. However, keep in mind, things that are important to you might not be as important to other people so you are the best person to look after your encryption keys.
3. Store encryption keys separately from the data. If someone has your data and your key, the encryption is meaningless. Keep them apart unless you need to decrypt / encrypt.
4. Guard your encryption keys. It should go without saying that your encryption keys need to be backed up and protected. If you have an information classification scheme, your encryption keys should be treated the same as the information they protect. Try to avoid falling into the trap of encrypting your encryption keys though… that just gets confusing.

If you live in a country where the state can force you to reveal keys (such as the United Kingdom, China etc) or there is a risk someone could place you under duress, then consider a deniable container. This is offered by products such as Truecrypt and gives you the ability to surrender the outer encrypted data while keeping your secrets safe. This is especially useful if you or your employees travel and there is a risk of unwanted attention as it means they can comply with any demands (lawful or otherwise).

The bottom line is that encryption is not hard, it is not hassle and if you really do think security is important you should be doing it. The key phrase, however, is that you should be doing it, not someone else.

Anything else means you don’t really think security is important.

The post Encryption – it is your responsibility appeared first on Halkyn Security Blog.

]]> 890 http://www.halkynconsulting.co.uk/a/2013/08/suspicious-mail-advice-advice-from-nactso/ Mon, 19 Aug 2013 16:34:53 +0000 http://www.halkynconsulting.co.uk/a/?p=875 This communication regarding suspicious mail has been issued by the National Counter Terrorism Security Office (NaCTSO) and the Centre for Protection of the National Infrastructure (CPNI). Please feel free to forward it on wherever appropriate. If you would like more advice about your specific situation, what risks you might face from suspicious mail (or other […]

The post Suspicious mail advice – Advice from NaCTSO appeared first on Halkyn Security Blog.

]]>

This communication regarding suspicious mail has been issued by the National Counter Terrorism Security Office (NaCTSO) and the Centre for Protection of the National Infrastructure (CPNI). Please feel free to forward it on wherever appropriate.

If you would like more advice about your specific situation, what risks you might face from suspicious mail (or other security related issues), or would like help training your staff in handling packages, then get in touch.

You can download advice on Suspicious Package Indicators and some Police advice on suspected contaminated mail.

Suspicious mail advice

The recent delivery of a number of packages to an address in London led the recipient to believe that the contents were contaminated and request police assistance.

While the packages were found to contain a harmless substance and the matter was resolved, it has highlighted an opportunity to provide guidance on the safe handling of mail and the initial response when recipients have concerns regarding potential contamination.

This is especially the case with businesses and charitable organisations connected with the Department of Work and Pensions’ mandatory work activity placement scheme who may be the recipients of unsolicited packages sent as part of a campaign of protest against the scheme.

While we are not aware of any specific threat, details available on websites may have been used to identify such companies and encourage protest against them

This is an important reminder for security managers to review their mail handling procedures and ensure that all relevant staff are aware of and understand the correct protocols. This in turn means that any item of concern can be dealt with appropriately and a proportionate police response can be provided.

Further advice and threat reporting is available from: http://www.nactso.gov.uk/ | http://www.cpni.gov.uk/

In an emergency call 999
For non emergencies call 101
For the Anti Terrorist Hotline call 0800 789 321
http://www.met.police.uk/so/at_hotline.htm

The post Suspicious mail advice – Advice from NaCTSO appeared first on Halkyn Security Blog.

]]> 875 http://www.halkynconsulting.co.uk/a/2013/08/sensitive-data-should-not-go-by-fax/ Fri, 09 Aug 2013 22:57:44 +0000 http://www.halkynconsulting.co.uk/a/?p=850 You may want to check your calendars again. Even though we are now well into the 21st century, it seems that some organisations are still sending sensitive data by fax machine – and not just the NHS (who were fined £55,000 for the inevitable breach). It seems banks, who really should know better, cant help […]

The post Sensitive data should not go by fax! appeared first on Halkyn Security Blog.

]]> You may want to check your calendars again. Even though we are now well into the 21st century, it seems that some organisations are still sending sensitive data by fax machine – and not just the NHS (who were fined £55,000 for the inevitable breach). It seems banks, who really should know better, cant help themselves.



This month (August 2013), the ICO has issued a Civil Monetary Penalty (fine) of £75,000 to Bank of Scotland for repeatedly faxing customer’s sensitive data to incorrect fax numbers.

In the press release about the fine, the ICO notes that Bank of Scotland were even notified about the problem in 2009 but failed to take any corrective action. As a result, over 30 faxes were sent incorrectly. The faxes themselves included pay statements, bank account details, names, addresses etc. In all, an ideal haul for anyone looking to commit identity theft.

In light of this, the fine itself seems pretty trivial compared to what the ICO is able to issue. To emphasise this point, this is what Stephen Eckersley, Head of Enforcement at the ICO said:

To send a person’s financial records to the wrong fax number once is careless. To do so continually over a four year period, despite being aware of the problem, is unforgivable and in clear breach of the Data Protection Act.

It is unforgivable.

Protecting sensitive data – lessons learned

The first point we want to hammer home is that you should not use fax machines for sensitive data. You really shouldn’t. If you are doing this, then stop now.

However, if you really must, and you have it on your risk register, then learn to do it properly.

• If you send sensitive data use pre-programmed numbers. Do not rely on busy staff hitting the correct buttons.
• Manage the process. Have a way in which errors can be rectified when you discover them.
• Keep records of what you are sending and who it is going to.
• Work to eliminate the use of fax machines for your processes.

The last point is worth looking at in more detail.

If you use fax machines for sensitive data you absolutely must be looking at a way to remove them. Sending data by fax is only slightly better than a totally unencrypted email and, in some respects, has more room for error. Remember, your fax goes unencrypted over what is now likely to be an IP switched network. At least with email you can put controls on your exchange server and firewall.

If you are capturing sensitive data from your customers, you owe it to them and your business to do it properly. It is even more cost effective to do it properly.

Continuing to send sensitive data by fax is begging for an ICO sanction.

Take this opportunity to review your processes. Determine what sensitive data you are collecting and how you move it around your organisation.

In this example, Bank of Scotland were collecting application forms physically from customers and faxing them to a central processing unit. It is hard to think of a reason why this wouldn’t have been better sent over internal email. Most modern business copiers have an option to copy to internal email, so this would have even been possible from the branches themselves.

Banks, and the NHS, aren’t alone here. US-based organisations (e.g. the EC-Council, who should know better) seem to frequently ask for customers to fax credit card & bank details, which is crying out for problems. There are numerous online payment processors which reduce the need to have a member of staff collect the faxes and manually process the payment, as well as provide security to the customer. While US companies might not fear the ICO, the fact is they are risking their customers security, and this is rarely good for business.

Whatever  your situation, wherever you are based, stop using fax machines to send sensitive data. There really is a better way.

The post Sensitive data should not go by fax! appeared first on Halkyn Security Blog.

]]> 850 http://www.halkynconsulting.co.uk/a/2013/07/nhs-trust-fined-data-disposal/ Mon, 15 Jul 2013 19:08:21 +0000 http://www.halkynconsulting.co.uk/a/?p=798 Although it has a well structured, well run and reasonably well resourced security management service, the NHS still seems to struggle with some aspects of compliance with the Data Protection Act. As a result, another NHS trust has fallen foul of the Information Commissioner’s Office (ICO) and fined a significant amount of money. Based on […]

The post NHS Trust fined £200,000 following data disposal errors appeared first on Halkyn Security Blog.

]]> Although it has a well structured, well run and reasonably well resourced security management service, the NHS still seems to struggle with some aspects of compliance with the Data Protection Act. As a result, another NHS trust has fallen foul of the Information Commissioner’s Office (ICO) and fined a significant amount of money.



Based on the ICO’s press release, it appears that NHS Surrey had outsourced the disposal of its computers and related assets. Unfortunately, after 2 years, they were notified by a member of the public that a disk purchased from eBay contained patient data.

According to the press release, when NHS Surrey collected the computer and processed it, they discovered records belonging to 900 adults and 2000 children. Faced with this information, the trust was able to recover 39 further devices from the trading arm of the data destruction provider. Of this batch, 10 were previously owned by NHS Surrey and three contained sensitive patient data.

NHS Surrey appear to have entered into an arrangement whereby the data disposal company removed the devices for free on the grounds that they could sell on any salvageable materials. From the ICO’s report, this appears to have been a bit of an informal arrangement and no contract was in place and no monitoring conducted.

Stephen Eckersley, Head of Enforcement, described this as “one of the most serious the ICO has witnessed” with the following points noted in the press release:

The ICO’s investigation found that NHS Surrey had no contract in place with their new provider, which clearly explained the provider’s legal requirements under the Data Protection Act, and failed to observe and monitor the data destruction process.

NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011, and was only able to confirm that 1,570 computers were processed between 10 February 2011 and 28 May 2012. The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.



This is similar to the incident reported last year where the Scottish Borders Council was fined £250,000 for failing to protect data during the disposal process and personal data ended up in public waste bins.

One major difference is that, unlike the local Councils in the UK, the NHS has a well structured, centrally managed system to enforce security compliance on third party suppliers. It appears to have failed here.

Lessons learned from the NHS – Supplier Security Management

There is a lot that can be learned here, even if you don’t work for the NHS. If you handle personal data or if you just have commercially sensitive information, you need to make sure you dispose of your assets properly. If your files end up on eBay then you face a regulator fines, loss of competitive advantage and reputational damage.

You can avoid this. Quite easily actually.

The Data Protection Act is quite clear about the obligation and the 7th principle states

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Even if you don’t process personal data, this is a good principle to adhere to when it comes to protecting your corporate data.

With this in mind, there are some steps you can take to avoid following NHS Surrey’s footsteps:

1. Have a policy and plan in place to manage your information lifecycle. This needs to document how you create, maintain and dispose of all your information assets. 
2. Keep an accurate, and well maintained record, of where your sensitive information is stored. You should always be able to tell if a hard disk has had “important” information on it or not.
3. If you outsource your disposal you absolutely must make sure there is a robust contract in place. This contract must oblige the service provider to securely dispose of any data. If nothing else, this means that in the event some data surfaces, you have options to protect yourself.
4. Make sure you manage your disposal process. In-house or outsourced, you should nominate a suitable person to be responsible for ensuring data is properly disposed.

Following these four steps will help you avoid following in the footsteps of NHS Surrey and the Scottish Borders Council. More importantly, it will help you avoid you suffering a fine in the region of £200,000.

Good supplier security management is not free, but it is a lot cheaper than the alternatives.

The post NHS Trust fined £200,000 following data disposal errors appeared first on Halkyn Security Blog.

]]> 798 http://www.halkynconsulting.co.uk/a/2013/07/governance-failure-costs-45000/ Sat, 13 Jul 2013 21:49:13 +0000 http://www.halkynconsulting.co.uk/a/?p=768 A breakdown of internal governance processes has led to the Information Commissioner’s Office (ICO) issuing a civil monetary penalty (fine) on Tameside Energy Services Ltd, a Manchester based company claiming to offer a range of energy improvements and making heavy use of cold-call sales tactics. Showing a growing tendency to fine private companies, the ICO reported […]

The post Governance failure costs £45,000 appeared first on Halkyn Security Blog.

]]>

A breakdown of internal governance processes has led to the Information Commissioner’s Office (ICO) issuing a civil monetary penalty (fine) on Tameside Energy Services Ltd, a Manchester based company claiming to offer a range of energy improvements and making heavy use of cold-call sales tactics.

Showing a growing tendency to fine private companies, the ICO reported that Tameside Energy Services was responsible for over 1000 complaints from customers over failures to remove people from their contact lists and a failure to properly check the Telephone Preference Services (TPS) lists before making cold calls.

In the statement announcing the fine, Simon Entwisle, Director of Operations for the ICO said:

This is not the first and will not be the last monetary penalty issued by the ICO for unwanted marketing calls. These companies need to listen – bombarding the public with cold calls will not be tolerated. Were it not for the company’s poor financial position, this monetary penalty would have been £90,000.

We are continuing our work with the industry, government and other regulators, including OFCOM, to co-ordinate our efforts to tackle this problem. We would like to see the law changed to make it simpler for us to punish companies responsible for repeated and continuous breaches of the law.

The lack of organisation governance appears to be part of a larger problem with this company. However if they had spent a trivial sum of money on implementing a governance process, they would have saved ten times that amount of money in fines.

It seems to go without saying that cold calling is largely unpopular and it is likely that as issues like this get more coverage, more people will know to complain. The ICO has even set up a reporting tool (available online) to make it easier to report nuisance calls.

Cold calling needs good governance

However, lots of companies still use cold calling telesales and it can be a very effective way to get new business. So, the question is, how do you make sure it works for your company rather than open you up to potentially massive fines?

The simple answer is governance.

In this example, the existence of a governance team would have driven compliance – both with removal requests and TPS checks – and prevented both customer annoyance and the ICO fine.

Whatever your line of business, whatever size your organisation, you need to address governance, risk and compliance. It doesn’t matter if this is one department, three or a dozen. It doesn’t even matter if this is part of your security team, audit team or even sales teams. The only thing that matters is that you have it.

Risk management is not just about preventing people stealing your assets, it is also about ensuring you have proper governance processes to stop your own business cannibalising itself. Sales methods are there to grow your business, not to have you fined.

The sad truth is that if your sales methods need to bypass these checks to make money for your business, something is fundamentally wrong. Good governance would identify this in advance and help you regain control.

Don’t cut corners with your risk management, governance or compliance. Ever.

The post Governance failure costs £45,000 appeared first on Halkyn Security Blog.

]]> 768 http://www.halkynconsulting.co.uk/a/2013/06/fax-machines-not-suitable-for-sensitive-data/ Fri, 14 Jun 2013 20:21:40 +0000 http://www.halkynconsulting.co.uk/a/?p=722 It seems some technologies are hard to get rid of and it seems that people are still using fax machines to send data despite them being slow, cumbersome, unreliable and, most importantly, insecure. As it is 2013, it should go without saying that fax machines are not an appropriate mechanism to send anything sensitive and […]

The post Fax machines – not suitable for sensitive data appeared first on Halkyn Security Blog.

]]> It seems some technologies are hard to get rid of and it seems that people are still using fax machines to send data despite them being slow, cumbersome, unreliable and, most importantly, insecure. As it is 2013, it should go without saying that fax machines are not an appropriate mechanism to send anything sensitive and certainly not sensitive personal data.



However, this is exactly what has cost the North Staffordshire Combined Healthcare NHS trust £55,000 this week. To make matters worse, the Trust has a set of policies to cover sending data over fax machines, but they appear to have been ignored. As a reminder – normal fax machines are insecure. And we would even go as far as to say even if you set up good cryptography to secure your fax machines, they are still the worst option.

In an announcement on 13 May 2013, the Information Commissioners Office (ICO) reported that the NHS Trust had sent sensitive medical data over their fax machines to the wrong number on three separate occasions. The Trust only became aware of the problem when the recipient eventually wrote to them.

It appears that this breach was the result of a combination of factors. First off, fax machines are a bad idea for sensitive data. To make it worse, it appears the trust staff were not aware of how to use fax machines in a secure manner. Combining these two almost guarantees a security breach.

The ICO is less damning over the use of fax machines and concentrates on the process and user awareness:

Let’s make no mistake, this breach was entirely avoidable. One phone call ahead to the trust’s Wellbeing Centre would have alerted its staff to the fact that the number they were entering was incorrect. This would have stopped highly sensitive information about the care of vulnerable people being sent to a member of the public on three separate occasions.

This case should act as a warning to all organisations that routinely send out sensitive personal information by fax. Make sure you have appropriate procedures and controls in place, so that errors can be spotted before it is too late.

We would suggest that this is the bare minimum to consider if you use fax machines – for any data  – but first you should review why you are using them in the first place.

Recently we have been engaged with a couple of organisations who have used fax machines to send corporate data. In two instances this included information that would be considered sensitive in most context (although not covered Data Protection Act 1988).

Both companies have detailed security policies governing the transmission of data and what encryption is required. However, neither appeared to realise that data over fax machines was sent in the clear with very little way of knowing who the recipient was.

Fax machines are not suitable for sensitive information.

Just in case you aren’t convinced, lets look at some reasons why fax machines are risky.

• The data is (normally) unencrypted. Fax machines simply scan the image and send the bits over the phone line. Anyone between you and the recipient can read the data.
• You cant be sure the line between sender and recipient is direct. Most telephone connections use IP somewhere along the path. This means the day of a single bit of copper between each machine are long gone. When you use fax machines, you have as much control over what equipment is between parties as you do with email.
• Using fax machines gives you no control, or assurance, over who is at either end. Most of the time, documents you fax end up falling out of the machine onto the floor where they wait to be found.
• When you send documents over fax machines, you have no real way of knowing if they arrived unless you implement a laborious process of telephone calls before and after.



Obviously you can implement mitigating controls (such as telephone calls before and after, or expensive encrypted fax lines) and still use fax machines. The problem is this all creates a cost just to allow you to use an outmoded communications path. Would you put this much effort in to allow your business to still use smoke signals?

What compounds the problem is the vast majority of documents sent by fax are generated on internet connected computers, using networked data, and then printed off before being sent. This creates the new problem of having to secure the printed copy at both ends.

A much easier solution is to email the document and use any of the good (often free) encryption tools that are available. Now the only challenge is to share the encryption key (password) with the other side, but this can be easily done over different channels. If you regularly exchange sensitive information with a single endpoint (as in the NHS example), rather than use fax machines, you can set up an end to end encrypted email system. If that  is too technical, then you can still pre-arrange what your passwords will be and use any free encryption packages.

Of course, nothing in security is perfect and every solution will have risks. The problem with fax machines is that they actually increase the risks over what you would get using unencrypted email.

Now, having said all that, one use for fax machines is as a third line disaster recovery option. If your online comms are down and you absolutely must send a document, then fax it. Just don’t think it is in any way secure.

Take this opportunity to review your processes. If you have fax machines, find out why you use them and what business functions they provide that cant be replicated using email. Don’t accept the argument that you need to capture signatures – this can be done electronically or even scan a signature in. Make sure there is a good, strong business reason to take this risk.

If you absolutely must use fax machines make sure that you have good policies and processes to secure their use.

Finally, and this is the important bit, make sure all your staff are 100% sure how to use them and have the time and space to do it properly. Do not allow your managers to rush staff into unsafe practices and do not allow your staff to develop bad habits.

Fax machines are bad news from a security standpoint, so if you want them, you have to work hard to minimise your risks.

Our security experts can help you secure your use of fax machines, or better still help you move to a more secure communications path. Get in touch to find out more.

The post Fax machines – not suitable for sensitive data appeared first on Halkyn Security Blog.

]]> 722 http://www.halkynconsulting.co.uk/a/2013/06/lack-of-laptop-encryption-costs-city-council-150000/ Fri, 07 Jun 2013 20:29:05 +0000 http://www.halkynconsulting.co.uk/a/?p=707 The Information Commissioner’s Office (ICO) has announced today that it has fined Glasgow City Council £150,000 following the loss of two laptops because neither had any encryption software applied. The fine follows an incident where two laptops were stolen from Council offices during refurbishment. To complicate matters, the Council had already been made aware of […]

The post Lack of Laptop Encryption costs City Council £150,000 appeared first on Halkyn Security Blog.

]]> The Information Commissioner’s Office (ICO) has announced today that it has fined Glasgow City Council £150,000 following the loss of two laptops because neither had any encryption software applied.



The fine follows an incident where two laptops were stolen from Council offices during refurbishment. To complicate matters, the Council had already been made aware of the risks of theft and although one laptop was locked in a storage drawer, the key to the drawer was kept insecure along with the second laptop.

The investigation into the two stolen laptops revealed that the council had issues a large number of devices without any encryption and, although lots of these were later encrypted,  74 remain unaccounted for (and without encryption) with at least six known to have been stolen. Two years previously the Council had been issued with an enforcement notice following the loss of unencrypted memory sticks.

Kevin Macdonald, the ICO’s Assistant Commissioner for Scotland said:

To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that.

It is staggering to think that in such a short time, the Council has managed to fall into such a bad habits around basic security principles.

Encryption is the essential last resort for IT

Security – be it around IT hardware, portable devices (laptops or tablets or phones), documents, people, or anything – is built on a framework of overlapping security controls. The idea being that if one control fails, security is still in place because the other controls still work.

When it comes to portable IT assets – especially laptops – the sad truth is that they are at significantly greater risk of loss or theft than pretty much anything else in your inventory. Users will consistently circumvent your physical security controls (i.e. leaving them on trains, forgetting to lock drawers etc), and they are an attractive target for criminals.

This means it is essential that you assume they will be stolen and ensure that encryption is part of every single build.

Four main lessons

There are a lot of lessons that can be learned from the fine issued to Glasgow City Council, so you should take this opportunity to review your processes and see where you can improve.

The four main take away points from this are:

• Ensure all portable devices are encrypted – with laptops this should be whole disk encryption at a minimum, for tablets or smartphones your mobile device management policy should include mandatory file encryption and strong passwords.
• Ensure all your employees are properly trained in how to care for portable devices and how to use your security furniture. Keys must always be properly secured.
• Maintain a working, accurate asset register. Without it you don’t even know if your devices have been lost / stolen.
• Have a functioning risk management process in place which is able to respond to changing threat levels (such as the reports of increased crimes) and is able to drive security practices within your business.

Without these four simple steps, your security activity is fundamentally undermined and it is only a matter of time before you suffer a loss and (if it relates to personal data) a penalty from the Information Commissioner.

Security must never be seen as a cost to your business, it is there to protect against greater losses and allow you to continue to operate. Cutting corners is not a good use of your resources and, as we keep saying, unless you put aside enough resources to deal with the inevitable security breaches, it is a massive risk management failure.

Implementing encryption would have been a lot cheaper for Glasgow City Council.

The post Lack of Laptop Encryption costs City Council £150,000 appeared first on Halkyn Security Blog.

]]> 707 http://www.halkynconsulting.co.uk/a/2013/06/security-design-physical-security-measures/ Mon, 03 Jun 2013 21:09:17 +0000 http://www.halkynconsulting.co.uk/a/?p=677 Physical security really does matter. When it comes to protecting your property, stock, customers, employees or other assets, the physical security measures you can put in place form the foundations for any other loss prevention or information security program. Implementing good physical security measures saves you money in the long run and is often a […]

The post Security design – physical security measures appeared first on Halkyn Security Blog.

]]> Physical security really does matter. When it comes to protecting your property, stock, customers, employees or other assets, the physical security measures you can put in place form the foundations for any other loss prevention or information security program. Implementing good physical security measures saves you money in the long run and is often a basic requirement for insurance coverage.



Unfortunately, physical security measures are frequently overlooked. Even when they are considered, often organisations devolve this to the facilities management team rather than a centralised security domain. To make matters worse, even when physical security is a part of the organisation it is unfortunately common for this function to remain on a separate reporting chain to the rest of the security and risk management activities.

This is not good for your business because physical security is important. Just to reiterate something we have said lots of times – not having robust physical security processes, properly implemented, in your organisation undermines all your other security controls.

The problems with physical security

The world isn’t a perfect place and there are some factors which lead to problems when it comes to perfecting your security measures.

1. Physical security isn’t generally exiting or newsworthy.  It doesn’t matter how important physical protection measures are, information security and the threat of Cyber-Hackers is always going to grab the headlines. When it comes to spending priorities, headlines win.
2. Physical security is sometimes (wrongly) seen as something anyone can do. Even though it is a very specialised field, there is an assumption that anyone can look at locks or put up a fence.
3. It is often too late for the most cost effective physical security controls and this leads to organisational inertia against implementing new ones. The best time to implement security controls is at the design stage but for most, this is not an option and you are faced with bolting controls onto existing facilities.

Physical security – solutions?

The hardest solution is also the most important one. Security is important and all your key stakeholders need to realise this and fully understand the implications. If your organisation has a Chief Security Officer (CSO) then it is a step in the right direction, but there still needs to be continued effort to ensure that security gets the right profile. If you don’t have a CSO, then the job of selling security is yours. Work hard.

The second solution is to realise that physical security is very much a discipline that needs skilled, qualified and experienced professional staff for it to work. This comes at a price, but remember, if paying an unskilled, unqualified person to do physical security is not a saving – it is just a waste of money. You wouldn’t try to cut corners asking your sales manager to double as an accountant or legal advisor, so don’t do it with the security professionals. Facilities management is linked to physical security but it is not the same thing and there is no automatic assumption that someone good at one role is good at the other.

The last bullet point is where it gets interesting.

If you are moving to a new home, your business is building new premises or even just expanding, then you have the chance to get the best possible value from your physical security measures. Designing in security allows you to ensure that every control is suitable for your needs and implemented for as little cost as possible.

Sadly, this is a very rare situation.

It is more likely that you need to build security into an operating environment – be it a home built years ago, offices in constant use or a busy warehouse. Here you no longer have the option to specify what the walls will be made out of, or how high the windows will be from the floor, you simply have to implement physical security in the best possible manner.

The best way to do this is by using good physical security design.

This is not design in the way you might do it for a new site, where the physical security professional sits down with architectural drawings. Instead, it is using your experts to design a robust physical security program that fits your situation.

A well designed physical security plan will follow some common steps, similar to the normal quality assurance / continual improvement process models:

1. Identify the goals of the physical security plan. [Plan]
2. Design & implement the physical security system. [Do]
3. Evaluate and test the system. [Check]
4. Monitor and manage (and improve) the physical security system as part of your normal business. [Act]

It is a mistake to allow this process to turn into a box-ticking, check-list, exercise but for some stages having reference lists can help ensure that nothing gets overlooked and you can demonstrate due diligence to an external party.

An example of where a physical security check-list might help is during the planning stages when you need to carry out surveys of the site and determine what is already there and can be used. We have produced a physical security assessment form [available for free download] which can be used for this purpose or can form the basis of one developed for your own purposes.

At Halkyn Consulting we offer a wide range of physical security services, including design assessments for new build, risk management and physical security improvements. If you have your own security team, we are always happy to provide support, guidance and mentorship to help improve your security, protect your assets and reduce any losses. Get in touch to find out more.

The post Security design – physical security measures appeared first on Halkyn Security Blog.

]]> 677 http://www.halkynconsulting.co.uk/a/2013/05/passwords-are-not-bad-just-dont-trust-vendors/ http://www.halkynconsulting.co.uk/a/2013/05/passwords-are-not-bad-just-dont-trust-vendors/#comments Thu, 16 May 2013 19:32:11 +0000 http://www.halkynconsulting.co.uk/a/?p=634 Passwords are in the news again, with yet another headline crying out for the death of the password and claiming that everyone should move to two factor authentication (2FA) for all their online activities. As with all these claims, it is worth looking at them in greater detail before we give up on of the […]

The post Passwords are not bad, just dont trust vendors appeared first on Halkyn Security Blog.

]]>

Passwords are in the news again, with yet another headline crying out for the death of the password and claiming that everyone should move to two factor authentication (2FA) for all their online activities. As with all these claims, it is worth looking at them in greater detail before we give up on of the single most cost effective methods for getting a certain level of assurance around someone’s identity.

The Register reported PayPal’s Chief Information Security Officer (CISO) Michael Barrett speaking as a representative of the Fast Identity Online (FIDO) Alliance, saying:

Our [FIDO’s] intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole internet — including internally in enterprises — obliterate user IDs and passwords and PINs from the face of the planet.

This is interesting and may appear to be a worthy goal, but we strongly disagree.

Quick primer on passwords and how you should use them

What are passwords?

First off, as a bit of a quick background, Passwords are one type of “Single Factor Authentication” and, often combined with a User ID (name, number, email address, whatever), are used to authenticate a user to a service. Other types of single factor would be fingerprints, retina scans, smart cards and the like. When you combine these factors you get “Multi factor Authentication” and this is often what most people talk about for replacing passwords.

Single factor authentication gives a basic level of assurance that the person is who they say they are and, in situations where this is insufficient you should add additional layers but bear in mind that this increases cost, complexity and poor installations are often worse than no authentication.

Generally, the more importance you place on knowing “who” the person you are interacting with, the more factors you should use, but you must use them properly.

Keep this in mind: If you implement your authentication badly, it doesn’t matter how many factors you use.

Are passwords bad?

The simple answer is “No.” Passwords are not inherently bad and the use of passwords (or more properly an ID & Password) for authentication is perfectly reasonable for 99.999% of the situations where they are deployed. In our consulting work, we encounter more situations where people have used more factors than they need, then situations where they haven’t used enough.

Are some passwords bad?

Possibly. Various security & IT related websites will regularly announce how “password” or “123456” are the most common passwords (such in this article on the Register), often implying this is why passwords are inherently broken and how users cant be trusted to select stronger passwords.

It is certainly true that using “common” or easily guessed passwords is a bad idea, and it can significantly increase the ease with which a malicious party (hacker, spy, jealous co-worker, whatever) can compromise your password, but this is normally going to be a weakness about how the authentication is implemented, rather than the actual password itself.

A “bad” password is really one which can be broken by an attacker and while this is a simple statement, the practicality is a bit more involved. If you have a login screen which allows three attempts before lock out, it is unlikely that the malicious user is going to get to “Monkey” (number 6 on the list) before the account has locked – and if “monkey” is different from “Monkey” in the system then you can be reasonably sure it wont fail when attacked.

Another issue with bad passwords is that we often look at them the wrong way round. When you see a password written down as “zaq12wsx”, it can be easy to realise this is obvious from the left hand side of a UK keyboard but unless the attacker has this knowledge they need to cycle through billions of possible other combinations.

What makes a good password?

With passwords two things are important – length and complexity. More of either is good and more of both is better. A long password will be difficult enough to compromise that most attackers will give up – as an example, a 15 character password made from single case letters will take about 53,000 years to crack (source). If you make it complex (mix of upper and lower case, numbers and other keyboard characters) you can make it even harder.

Unfortunately, sometimes systems are badly designed and enforce shorter password sequences – this is where complexity becomes much more important and the use of random generators becomes worthwhile. Despite what you may think, humans are terrible at thinking up random passwords and even worse when it comes to recognising them.

Interestingly, once you move out of the most glaringly obvious passwords (e.g. “1234”) it doesn’t really matter if you use a random generator or not, as the attacker is still going to have to brute force the keyspace to work out what your password is. This means that to an attacker “easypwd1” is just as hard (or easy) to compromise as “t8yuas1e” -even though the first one looks like it should be trivial to crack.

Keep this in mind when you visit sites that offer to rate your password strength or when security professionals try to lecture you on how passwords are broken.

The important thing for a password is keyspace which is, as we said, driven by length and complexity, randomness is a distant second (third) in this unless your attacker has access to what ever process you use to invent your password.

Can you give us an example of good passwords?

Possibly, but remember that once they are printed on the internet, they are likely to end up in a dictionary list somewhere so, rather than search for a password you want to use, take the advice here and use it to construct your own.



Good passwords are long and complex, but length is the most important so the oft-posted advice from XKCD.com works here.

Dont fixate on trying to come up with impossible to remember strings of what you think are random letters and numbers – cracking tools will easily bypass most things you can invent.

Instead, use sentences with spaces and relevant capital letters. If you must (company password policy rules etc.  use symbols then you can add them or replace letters with them but remember to keep it long. As passwords go “This is my massively long password with little complexity” is harder to crack than “ExdYx4G53PmXSH” and you are only likely to remember one of them. Obviously if it is a service you have to authenticate to frequently, you might not want such a long password or you may need to improve your typing speed.

 Should you write passwords down?

This may come as a shock but there is no automatic reason why you shouldn’t write your password down, but in a work environment you may have rules about what you can and can’t do.

It all boils down to what your threat assessment says – unfortunately when it comes to passwords, too many people fall into the trap of blindly following default rules no matter what the situation is.

For people who are responsible for developing password policy, ask yourself if your threat actors really do have the ability to read passwords written down on post-it notes next to your employees monitors. If your main threat is internet based script kiddies, then they are not going to find someone to come and work as a janitor in your offices so they can desk surf for passwords to your corporate facebook account. Seriously.

Every security decision you make must be based on a realistic threat and risk assessment otherwise it is pointless.

So, what is the problem with Passwords?

Passwords are far from perfect. If nothing else they are but a single factor of authentication   and that implies there is only a certain amount of trust you can ever give them. Passwords also have a long history so people tend to take them for granted and feel that because so much else has changed, it must mean passwords are “old fashioned” now.

This is combined with lots of high profile cracks of various databases and regular news items about how a whole directory of passwords has been dumped on pastebin or similar sites.

Is it all bad?

No, far from it. Few, if any, corporate security breaches are the result of hackers directly compromising a user password (more on that in a bit). Unless you are a famous celebrity on twitter, the chances are no one is going to bother even trying to guess your password, let alone actually manage it.

So how do the hacks happen?

The overwhelming majority of hacks are the result of other techniques (such as SQL injection) which then allow the attackers to get a dump of the password file for offline attack. This is frequently what makes the news and is nothing at all to do with passwords being unfit for purpose.

There are still some instances where attackers can subvert a password implementation but, again, nearly every instance is actually the result of something being fundamentally wrong in how the passwords are used.

How do you implement passwords badly?

For the user, passwords should be easy. For the system owner / manager, passwords should also be easily implemented (they come built into pretty much every operating system in the world) but this is frequently where things go wrong.

If you have a system which requires user authentication, you need to make sure you implement it properly.

This means things like not allowing unlimited attempts, not sending passwords in plain text over the internet, not storing passwords in clear text and not allowing trivial bypasses of your authentication steps. All of these are easily avoidable, yet account for almost all the reasons why passwords (and user identities) fall into the hands of hackers.

None of this shows passwords themselves are a bad choice of single factor authentication, poor implementation will undermine any technology choice. If anything, poor implementation of other authentication methods (or multi-factor authentication) is going to be worse because it undermines a greater assumed trust.

So, why are passwords in the news all the time?

Normally, this happens when a product vendor decides to announce their new, all singing, all dancing smartcard, finger print reader or retinal scan device.

The recent Register article is a good example, FIDO is looking to produce an authentication device that they would like you to spend money purchasing and implementing so it is in their best interests to remind people about the “weaknesses” of passwords.

Unfortunately no device overcomes the fundamental problems with poor implementations, they just become expensive ways to create a device management nightmare.

Smartcard and fingerprint readers appear to be good, but at some stage your data has to be encrypted and sent to the server for authentication – if this is done badly, it opens a clear attack channel and gives the hacker a massively enhanced level of authentication on your network.

Devices (smartcards, scanners etc.  have to be managed so you can trust what is coming in from the other end. If a hacker has your device they can spend months working out how it encodes authentication data and then use this to attack you. Token devices that get lost have to be withdrawn and replaced. You even have to consider how the user authenticates to their device in the first place.

All of this creates a huge headache and is off putting for most (non-governmental) organisations, so it is understandable that there is a commercial need to play down the utility of passwords as a single authentication factor and if they can make customers scared of anyone who doesn’t use multi-factor authentication, all the better.

But, do you really want a product vendor to do your risk assessment for you? Should you listen to the vendor when they tell you what is, or isn’t, good for your network? I would suggest not, but you might have more money than you know what to do with.

The bottom line is security must always be driven by a threat based risk assessment and you should never, ever, trust a product vendor to do this on your behalf.

The post Passwords are not bad, just dont trust vendors appeared first on Halkyn Security Blog.

]]> http://www.halkynconsulting.co.uk/a/2013/05/passwords-are-not-bad-just-dont-trust-vendors/feed/ 2 634 http://www.halkynconsulting.co.uk/a/2013/04/security-awareness-training-value-or-not/ Sun, 21 Apr 2013 16:15:52 +0000 http://www.halkynconsulting.co.uk/a/?p=606 Last month (27 March), the security and cryptography expert Bruce Schneier posted an article on his blog about Security Awareness Training. Now, it should go without saying that Bruce Schneier is one of the leading lights in the IT Security world, he has written several very informative books which would always top our suggestions for […]

The post Security awareness training – value or not? appeared first on Halkyn Security Blog.

]]>

Last month (27 March), the security and cryptography expert Bruce Schneier posted an article on his blog about Security Awareness Training. Now, it should go without saying that Bruce Schneier is one of the leading lights in the IT Security world, he has written several very informative books which would always top our suggestions for recommended reading lists and, most of the time, what he says about security is completely spot on.

However, this time it seems he has made a significant mistake and it is largely driven by his focus on the IT part of information security.

In the article, Bruce writes:

I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.

The two statements here aren’t really as linked as Bruce makes out.

It is almost certainly true that a lot of security training is worthless and driven simply by external compliance requirements and it is true that focus on training can be used to avoid having to implement good security practices, but once we move away from a very narrow sphere of security, for all practical purposes this breaks down.

The result of this is that security awareness training is currently one of the most cost effective methods of improving your security.

It should always be the primary goal of any security implementation to ensure that security exists even if the end user is clueless, but unfortunately user activity is almost always required to support and supplement the built in security controls and this is where security awareness training becomes paramount.

Bruce address his main concerns to those who think security awareness training is good (which is why it seems appropriate to address it in a post here), saying: [Emphasis added]

To those who think that training users in security is a good idea, I want to ask: “Have you ever met an actual user?” They’re not experts, and we can’t expect them to become experts. The threats change constantly, the likelihood of failure is low, and there is enough complexity that it’s hard for people to understand how to connect their behavior to eventual outcomes. So they turn to folk remedies that, while simple, don’t really address the threats.

The problem seems to be less driven by the value of “security awareness training” but more by what Bruce expects the outcome of this training to be.

No one in their right mind expects a security awareness training program to turn people into security experts. No one. This is a strawman which undermines what the real value of security awareness training actually is – and that is employees who are more alert about security risks and more able to help you protect your business, its assets and themselves from a variety of threats.

Security awareness training does not replace the need to have a competent, skilled, motivated and professional security team. It does not remove the need to have properly implemented security controls. It doesn’t mean you can blame your employees for every breach. It doesn’t even mean that you can sit back and assume you will never experience a security breach.

Security awareness training does mean, however, that you have taken the proper steps to help ensure your employees are part of your overall security posture.

Security is about much more than protecting IT assets, it is about much more than ensuring your employees don’t click on dodgy facebook links and it is about much more than making sure they aren’t careless with their account credentials.

If your awareness program only looks at this, or if your awareness program is trying to create IT Security experts in one session a year, then you are getting it wrong. You are missing a major point with how to best use the time and how to best engage your employees into your security process.

Good Security Awareness Training

Your security awareness training needs to be driving three main themes to your employees:

1. Why security is important to your business. You need to make your employees understand their responsibilities and how their actions are important to the bottom line (their jobs).
2. How security is implemented in your business. What alarms do you have? What are the rules for lone workers? Where are phones allowed? Are employee owned devices allowed etc. This is the meat of the training and is how you make your employees aware of the security around them. (It is awareness training after all)
3. What do your employees have to do. Once they know the why and how, it is time to explain to your employees what is expected of them when they are going about their business: How do they summon help? How do they report a breach? What is the process for locking the office at night? How do they get access outside normal working hours? and so on.

None of this will turn them into experts, but equally it is far from a waste of your resources. Failing to provide security training means – in the current world at least – that you will spend more on security controls and / or suffer more security breaches.

Security training – do’s and don’t’s

As Bruce Schneier says, it would be great if we could engineer out the need for your employees to play a part but the reality is that the spectrum of security risks is so wide, so complicated and so changeable, that this is unlikely to ever happen.

Don’t fixate on the computer user part of your security, don’t believe that security awareness training is wasted but also don’t think of it as a magic bullet.

Do provide good quality, appropriate and effective security awareness training for your employees.

The post Security awareness training – value or not? appeared first on Halkyn Security Blog.

]]> 606