A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still
effective? And what if there was a way to use the same psychological
pivots attackers use, and improve cyber security? Well, those attending
this month’s RANT Forum in London are about to find out just how to make
that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded
cyber-security expert and a member of the government’s industry advisory
group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will
show how and why they still work. “What I do is look at the psychology
behind these attacks,” he tells the Acumin Blog. “Security is constantly
changing, and it’s difficult at the best of times for CISOs to level the
playing field in a constantly changing threat landscape. It’s a case of
adapt or fail – so I look at why attacks work or don’t work, and at how
that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak
links in an organisation and exploit these to access information: the more
obvious examples include masquerading as executives or colleagues,
relatives or other trusted contacts. But what Coatesworth is more
interested in is the methodologies that underpin these attacks. By unpicking
them and understanding them, he believes infosec professionals can get
ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks
tend to be against personnel with access to sensitive information or with
admin access to systems. Opportunity is key, as well as the time and
effort needed to orchestrate a successful phishing attack. It’s not
one-glove-fits-all, but when you look at the psychology behind how the
attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already,
but probably don’t realise it. “The psychology behind these attacks is all
about marketing and PR,” Coatesworth says. “It’s more in the generalities
than the specifics. They all follow similar proven methods to seduce or
manipulate you to click on that link or download that file. If you
understand these strategies you can use them internally: it’s like a form
of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it and don’t think it
can be done and want to argue about it – then Wednesday’s RANT Forum is
the place to be. Wednesday 25th September, email Gemma on gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.

Advertisement

Laughing all the way to the bank: Why banks need to rethink their approach to social media

by Angus Batey

Every day, I check my bank accounts online. Every time I check, my bank is encouraging me to send it Tweets. So every day I find myself wondering whether I am the only one of their customers to find this bordering on insane.

The social-media revolution has changed the way all companies do business and interact with their customers, and it would be naive to imagine that banking hadn’t been as affected as everybody else. Facebook, Twitter, Google Plus and the rest are powerful tools, enabling individuals and corporations to strengthen relationships through easy interaction – and best of all, the costs are met by somebody else. What’s not to like?

Just about the only other thing I can guarantee on happening every day is that I’ll receive an email telling me that my bank account has developed some problem or other, but that help is at hand, if I’d just click on the link and resubmit my details. I’ve been getting them for the thick end of 20 years and they’ve not evolved greatly in their wit or sophistication. We all know the more obvious telltale giveaways, from the hilariously inept salutations (“Dear esteemed beneficiary…”) to the clumsily hidden address they really come from. Yet these scams still manage to fool some users – according to a 2010 report by Cyveillance [PDF], a spammer can expect to get about 250 people to hand over their data for every half-million phishing emails sent. This is a tiny fraction, but a significant number.

Usually, the first thing that lets you know a purported banking email is a fraud is that it claims it comes from a bank you’ve never had an account with. But what if the scammers knew who you banked with, and took a little more care to make their emails plausible? Wouldn’t that low rate of success quickly start to climb?

Every major High Street bank has a range of official Twitter accounts it uses to communicate with the outside world – often little more than a stream of links to corporate press releases or items of perceived interest to customers. But even if that’s all a bank uses Twitter for, its accounts represent an incredible intelligence-gathering opportunity for anyone willing to spend a couple of hours to better target phishing attacks.

Unless you’re an avid student of the banking industry you’re unlikely to subscribe to a bank’s social-media feed if you don’t hold an account with them – and on Twitter, where you don’t even need to be a registered site user to view details of who is following a particular account, the High Street banks’ feeds are a potential scammer’s goldmine. True, a list of followers will only give you a list of Twitter account names: but, obligingly, a significant number of Twitter users include their real names on their publicly accessible profile pages, sometimes with a link to a personal website which will contain contact information: some users even include email addresses and phone numbers on those public pages.

Worse – from a security perspective – most banks also operate helpline-style Twitter accounts, where users publicly out themselves as customers, often of products including mortgage, insurance and share-dealing services as well as just ordinary current accounts: and while conversations requiring detailed information are conducted via email or private Twitter direct messages, initial queries are asked and answered in full public view.

In the real world, someone wishing to target you for banking fraud would either have had to have sold you something and have you give them a cheque to know where you banked, or followed you up and down the High Street on the off-chance you might visit your local branch. Following your bank on Twitter is like walking up and down that High Street wearing a t-shirt emblazoned with the name of the bank; Tweeting a question to your bank, from a Twitter account that includes your email address, is like walking around in that t-shirt, and with a flashing neon sign fixed to your head saying “Please rob me”.

The criminals clearly prefer to spend their time counting the loot, not finding more effective ways to raise it – and for that we should be thankful. Because, in their enthusiasm to embrace the new opportunities for customer engagement that social media provide, our banks are giving criminals an unprecedented opportunity to improve their phishing success rate. Clearly the banks’ market research has told them that no new method of customer interaction should be shunned: and to the average internet user, who thinks anything free and convenient is to be applauded, a bank refusing to embrace social media will look out of touch. But by encouraging customers to publicly reveal information about the products and services they use, banks are playing a dangerous game – undermining security to promote customer dialogue seems a curious business decision for an industry that relies, more than most, on protecting its clients’
data.

* Angus Batey is a freelance journalist who has covered cyber defence and data security for titles including the Sunday Telegraph and Digital Battlespace. He doesn’t follow his bank on Twitter.

Upcoming RANT Forum to focus on communication and collaboration

Last month’s RANT Forum was one of the best attended so far, and saw Sarb Sembhi, director of IncomingThought, present on EU Data Protection Regulation.

This month’s event will be held at The Counting House, London on Wednesday August 28th 2013 and is set to be just as interesting, with a new speaker and an engaging topic.

Darren Hodder, vice-president of cyber fraud intelligence at the Centre for Strategic Cyberspace & Security Science, will give a talk about just how important the crossover between information security and anti-fraud is, entitled ‘Different Disciplines, Same Goals: Where is the Communication & Collaboration?’.

Mr Hodder has attended RANT previously and was surprised to find he did not know many of the attendees personally, especially considering he is so well connected and spoken at numerous industry events.

“Perhaps we need to get better at communication, rather ironic since our disciplines facilitate global communication on an unprecedented scale! In order to be better understood by the board we need to get back to what is at the heart of all the problems we are trying to solve and in my view it is all about people.”

He believes IT security professionals can get so caught up in the latest technical trends and challenges that they may forget there is always a human behind these threats and that technology is simply a facilitator for age-old crimes and scams.

Mr Hodder wants IT professionals to get to know one another better in order to reach their overall goals more effectively.

RANT is certainly the perfect location for this subject as the event encourages interaction and engagement by making the whole thing a little less formal.

The idea of the event  is to put people at ease so that key issues can really be explored in an open forum. It gives a great opportunity for people to network and get to know each other, something Mr Hodder would like to see more of in the coming months.

There are many threats facing the IT security industry and many of these will be discussed at the next RANT Forum on August 28th.

What are the biggest challenges when sourcing information security professionals?

During each RANT forum and conference information security professionals gather together to talk about some of the most pressing issues in the industry.

One of the topics that often gets brought up is recruitment and how organisations in both the public and private sector go about bringing in the most talented individuals.

During the latest conference, some of the industry’s top professionals gave an insight into what they thought about the process and how it has evolved over the years. We asked them what they perceived as the biggest challenges when sourcing information security professionals.

Tom Salkield, professional services director at Integralis, said: “We need to attract more people into this industry sector … there are some big problems that we actually need to solve.”

According to Mr Salkield the industry must integrate more with the education system to get people interested in IT security.

“We need to be working much more closely with schools, colleges and universities to entice the new leaders of the future to come and enjoy the big debate we’re involved in,” he added.

Many other professionals gave their opinions on the industry and their thoughts on the matter can be seen in the video below.

For example, Javvad Malik, senior analyst at 451 Enterprise, believes it’s about more than just the technical skills that are required, he thinks it’s also about personalities and “people who can fit into the mould”.

The stereotype of having information security professionals all come from hacking origins is now gone and individuals are constantly emerging from a range of backgrounds and this diversity can only be a good thing.

Acumin has been hosting the monthly RANT events for the last seven years and encourages everyone to get involved with the discussion and lively debate.

Each forum and conference sees hundreds of information security professionals join in and share their ideas on the future of this ever-growing industry.

Attending RANT is a great way to broaden your thoughts and expand your network and the next event will be held on August 28th in London.

Upcoming RANT Forum to focus on EU Data Protection Regulation

Next week’s RANT Forum will certainly feature one of the hottest topics in the IT security industry right now, as Sarb Sembhi, director of IncomingThought and chair of the ISACA GRA-SC3, will be presenting a talk on the EU Data Protection Regulation as well as other areas such as the state of the privacy policy in the US.

Prism has been a word on the lips of many an IT security specialist over the past month, with former National Security Agency (NSA) worker Edward Snowden revealing its methods of spying on citizens from all over the world.

Sarb is a well-renowned speaker and delivered an interesting talk at the RANT Conference earlier this year, which saw much interaction with the audience. It’s likely that this new talk will get the same reaction, with many professionals having a different point of view on the whole matter.

Since before the EU Data Protection Regulation was made available to the general public in January 2012, all the major US Service providers have been lobbying the EU to water down the provisions to protect EU citizens. Their point of view is that the costs to implement the provisions will hurt the consumer in the long-run.

This lobbying has been one of the most heavily funded of all time and makes you wonder how in light of the Snowden revelations that this might have actually been because it would make things difficult for the NSA, rather than just the providers.

Mr Sarb suggests that if the EU Data Protection Regulation is watered down, then there is no need for the service providers at all as the NSA will be able to store all the data.

This will naturally create a lively debate over the issue and people will be able to express their own opinions on what should be done, or not done, in an open and informal environment.

You can join us for the next London RANT Forum on Wednesday 31st July and as usual there will be plenty of food and networking opportunities on offer.

Those interested in attending this fantastic event should email Gemma Paterson on gpaterson@acumin.co.uk to be added to the guest list.

Hundreds of security professionals flocked to the RANT conference in June

Acumin has been running its monthly RANT events for the last seven years and it all started from humble beginnings.

IT forums are nothing new, but when attending the ones available at the time, Acumin founder and managing director Simon Hember and the team noticed the real value in these gatherings was found afterwards in the bar where everyone would chat and really get to the hard truths in the industry.

As a result RANT was born, a conference that would create a relaxed atmosphere to allow every attendee to get involved, bring forward their ideas and challenge the views of even the highest ranked security professionals.

Like the IT security industry itself, RANT has grown substantially over that seven year period and now sees hundreds of professionals turn up to network with one another and enjoy a few drinks afterwards – some things never change!

The last RANT conference featured some fantastic keynote speakers including Mark Stevenson from the League of Pragmatic Optimists and it even had some quirky aspects thrown in like a University Challenge competition, which saw the Royal Holloway University bring some of its brightest and best students to face off against the industry’s best professionals in a battle of wits.

Bruce Hallas, information security and risk management specialist at the Analogies Project, was in attendance and spoke of the reasons why he chose to be part of it.

“The whole concept of flipping it around so that you have the bar discussion on the stage I think was innovative, it’s unique, I haven’t seen that before and that was one of the reasons I was compelled to get involved,” he said.

Some of the hottest topics in the information security industry were discussed and debated upon at the event, in what was a wonderfully relaxed setting in London.

Gemma Paterson, marketing manager at Acumin, said: “RANT offers a completely different take on the standard security conference. We want people to feel relaxed, we want people to feel like they have the power to be able to stand up and say exactly what they’re thinking.

“So you might have a panel on stage of the most senior security professionals and you still want the audience to be able to feel like they can challenge those views and put their opinions across.”

The RANT forums and conferences are expanding at a staggering rate and with the sector changing so rapidly there’s always something to rant about. It brings together some of the best thought leaders from around the world and opens up massive networking and learning opportunities for professionals within the industry.

To see more from the event, you can check out the video content from the event here.

IT industry facing some hefty challenges

The IT security industry is going through some of the largest changes in its history with several different phenomenons shaping the sector.

One of the biggest innovations in recent years has been the implementation of cloud computing. Since its inception it has boomed and now many organisations are using it to make drastic savings and – in some cases – simply keep up with the competition.

This rapid leap to cloud is causing IT departments plenty of headaches as information security becomes much more difficult.

Another similar security issue that has cropped up in recent years has been the new trend of bring your own device – which has given us the fabled BYOD acronym.

Of course, this has happened thanks to the huge rise in mobility brought about by devices such as tablets, smartphones and even Ultrabooks in some cases.

Many companies across the globe are now allowing their employees to use their own laptops and other mobile devices in order to improve flexibility and generate cost savings.

Naturally, if staff are using their equipment at work, organisations will not need to fork out money on buying it themselves and if staff want to work from home they can, which is certainly useful for those trying to raise a family.

However, the downside to this is there are so many devices to keep track of. A few years ago, a firm would buy in all the equipment and staff would use them. It would all be the same, therefore keeping track of it and installing relevant software was easy.

Unfortunately, this is no longer the case and IT security managers have to keep track of dozens of different smartphone, tablet and laptop brands, while making sure all of them are up to date with protection software.

This will be a key challenge for many within the IT industry over the coming years as BYOD is showing no sign of slowing down.

It’s topic such as this that many professionals like to rant about at the Risk and Network Threat Forum (RANT) conferences that take place up and down the UK every month. Last month’s event took place in St Paul’s, London and it was a fantastic day filled with a tonne of topical debate.

Q&A with Ed Gibson, speaker and panellist at tomorrow’s RANT Conference

Can we have a sneak preview of what you’ll be talking about at the panel discussions?
I think provocative would be the word. All of us have attended conferences; we hear from the same people about the same things. Each panel member has so much experience that it will not be the same discussions about how we can boil the ocean and make the world a safer place.

It will be about things we can all do. One of the major problems is that people attend conferences and leave saying, ‘the world is falling apart – what can I do about it?’. We want to leave the audience with an idea of one thing they can do when they get home to help make their own environment more secure.

That sounds a bit different from the usual fear, uncertainty and doubt that you get from many conferences. This sounds much more practical.
Yes, and you often hear about how it must be the Chinese or North Koreans that are stealing all out IP… Well, maybe they are contributors but I think we need to get our minds set toward being more open. If we focus on one or two particular countries we are going down the wrong track. I think that will draw a fair bit of discussion.

Any time we deal with something we are not entirely familiar with there is a fear factor built in. If that’s not handled properly we can drive ourselves into a death spiral. I’m not sure we should be doing that. Yes, there are people out there who can exploit technology for the purposes of whoever they are acting on behalf of, but I’m not sure that’s different from other industries. And I think there are more people out there who want to make things better than want to destroy them. There are people out there with thoughts other than doom and gloom.

I think every day there are people making things better – whether that’s through law enforcement, security services or a combination of commerce and government agencies working together or informal CISO to CISO level at businesses.

You have held a number of fascinating roles in the security industry, working with the likes of Microsoft and the FBI over a long career. How has the industry changed over that time?
Sometimes I have to smile at what’s happened. I was talking about these things back in 2000, 2001 and 2002. Anyone who had some foresight back in 2000 into the security problems that could and indeed have developed was extremely frustrated because no one wanted to listen; we as consumers demanded that things just worked.

So in conclusion, what do you hope attendees will get out of the RANT conference?
You have to question why you really want to attend a security conference. There are hundreds of stands of people selling their security technology, how do you make a decision as to what security product is best for your environment? If so, how do you make that determination? Networking? Seeing what others are buying? The same way I buy wine – cheap and with a nice label?

I think what the organisers have done is a pretty spectacular thing; they’ve developed a forum that enables and facilitates different thoughts – maybe those thoughts that people want to say but haven’t said in public. Here’s an opportunity like no other to change our thought process and perception and understanding and maybe walk away with a different and more truthful understanding of what’s happening in the world.

Next week’s RANT Conference attracting some of the IT industry’s biggest names

IT professionals from around the country are currently preparing for this month’s RANT Conference, which is now merely days away from taking place.

The Risk and Network Threat Forum (RANT) Conference has been run by Acumin since 2007 and this month’s event is being held in St Paul’s London, in the heart of the UK’s IT industry.

Every month a new speaker attends the conference to start a rant about a hot topic within the IT sector. Of course this is not just a one way conversation and the audience is actively encouraged to interact and pitch in with their own points of view, opinions and suggestions in what is a relaxed and informal atmosphere.

Tuesday (June 11th) will see many top industry professionals take to the stage to engage with an audience that is growing month-by-month. Well known speakers Stephen Bonner of KPMG and Mark Stevenson of Futurologist will be there to talk about some of the biggest issues the sector is currently trying to tackle.

Naturally, there is so much to go through considering the changes occurring in the industry and this month’s agenda is simply massive and there will be plenty to talk about both at the presentations and in the pub afterwards with the infosec community.

Bring your own device will feature heavily in the conference and all advantages and disadvantages will be explored. Mobile device management, secure outsourcing and the major threats currently facing cyber security will also all be discussed.

The RANT Conference is designed for passionate information security managers, directors, chief information security officers and other senior information security and risk professionals who work within end user organisations.

A short teaser video for the RANT Conference has been devised and can be viewed here. It was made by Twist & Shout Media – @twistandshoutUK on Twitter if you’d like to give them a follow – the team behind restrictedintelligence.co.uk.

Next week’s RANT Conference is going to be huge and there are set to be 60-80 ranters in attendance. Places are going fast so professionals are urged to register ASAP to secure their place.

Q&A with Alan Edwards, Integralis

Integralis recently released the results of a survey into online data protection and trust. What was the key takeaway figure from that research? (http://integralis.com/en/about-integralis/integralis-in-the-news/nid-00241/one-in-four-customers-admit-they-do-not-trust-companies-to-secure-their-personal-information-online/)
If you look at organisations today, many will have implemented a security strategy based on perimeter defence. The principal is simple, build a wall high enough to keep the bad guys out, and control the resources (people, processes and technology) that operate inside the firewall (perimeter).

However, many businesses have consumers who are connected to them in order to do business, which calls into question the original idea of the ‘perimeter’ or at least raises the question of where the perimeter now is. If I’m connected to my bank I am part of their network, and unknowingly have as much potential to introduce risks onto the bank network as one of their employees. My interaction with the bank could, inadvertently, create a problem for the bank in the same way that an employee could.

Maybe it’s time for organisations to consider the fact that the perimeter has gone and to treat customers who connect to them in the same way as they treat their staff, in terms of education  and making them  aware of the risks.

Banks seemed to do well in terms of trust online, with 63% of respondents trusting their bank with online transactions. Why do you think that is?
Despite what has happened recently, banks have historically been trusted and, in an online sense, banks do better at educating their customers. In my experience banks lead the way in communicating with customers in terms of which attacks they may be vulnerable to. They are also good at educating customers in what they can do to protect themselves, which in turn helps protect the bank from risks borne by online users.

Banks have also been proactive in terms of security measures like two factor authentication. That seems to be a conscious decision from the banks, who see their customers are part of their network and are therefore extending this level of authentication to them too.

Social networks came out bottom in terms of trust online – but that lack of trust doesn’t seem to stop people from using them.
Social networks top the overall usage charts, but rank bottom in terms of trust. It seems that in the online world people behave totally differently, and convenience overweighs any risks.

Turning to the RANT conference – these stats should worry attendees, if the vast majority of people simply don’t trust online businesses with their data.
The message to attendees is about how you start to bring trust into your risk or information security strategy. If the focus is just on the perimeter and not on the access consumers have to the network, then it is likely that your data is at greater risk, and that your users don’t trust you as much as you perhaps would like.

What is the message Integralis wants to deliver to the event?
The title of the discussion we’re running is ‘In banks we trust and in trust we bank’. Our message to CISOs is to start considering your customers as part of your network, and educate them and provide the tools to protect themselves just as you would with staff. In this way not only will your business be more secure, but your customers may even start to invest their trust – which must be worthwhile.