Monthly Archives: November 2011

Why you will matter

We’re now getting to that time of year where we pause for reflection, take stock of what we’ve learnt and cast our eyes ahead to the new year with a sense of renewed optimism as to what we can achieve. 2012 can be better than 2011 and every year preceding that. That is the definition of progress.

As a sort of departure from introspection on 2011 – though we may perhaps reflect on the year in a later post – we wanted to look back at Deloitte’s 2010 Global Financial Services Security Survey, a report we’re confident everyone involved in the information security and risk management industry will have read or at least come across.

The opening paragraph to the report was as strong as introductions go, which we think is worth quoting again, albeit slightly abridged: “The new decade marked a turning point for those of us involved in the information security industry. We now live in an age of cyber warfare. The environment is dangerous and sinister. The children who used to make mischief in their basements are now only bit players and rarely make the news anymore.

“They have been superseded by organised crime, governments and individuals who make computer fraud their full-time business, either for monetary gain or for competitive or technological advantage. Countries now accuse each other of cyber warfare.”

We think they hit the nail on the head there. We are all involved in a sector that has, in some ways, become one of the most important industries in the world, at the forefront of protecting governments and citizens against those who wish to cause harm and/or disruption for whatever reason, whether political or vindictive.

With every new development in cyber security comes, it has to be said, equally innovative and ingenious ways of getting around it. Our business is, therefore, in a global context, a 24-hour machine.

As we grow ever more dependent on what can best be described as the ‘virtual infrastructure’ – the physical world and its parameters represented and engaged with inside a digital landscape – the need for more professionals and experts to work in ethical hacking and forensics, for example, and to bring people up to the exacting level required for SC and DV clearance, will become ever more pressing.

Just as the green industry has been touted as one possibility for getting the UK’s economy – and that of other nations across the world – back on track and booming, so too will the information security sector be instrumental in equipping people with jobs that matter.

Threats Facing Android

In a very recent article on PC World’s website, Eric Geier wrote that 2012 will see a rise in information security threats, aided, in part, by the ubiquity of mobile devices – smartphones, tablets and laptops for example – as well as the growing and sustainable popularity of social networks. Cybercrime is going to become a very pressing issue indeed.

Moreover, a new study by McAfee suggests that Android is now the number one attacked mobile platform out there.

With that in mind, we thought we’d give some of you professionals working in forensics, governance and compliance, and information security and risk management a lowdown as to some of the major threats – and vulnerabilities – facing devices using Android.

Third party applications are one of the best things about using Android – the open source nature of it allows for widespread innovation and development, providing consumers and businesses alike with a huge variety of choices. Naturally, established names imply a certain level of tacit trust – you’re confident that you’re getting a reliable product – whereas unfamiliar names bring a level of uncertainty – you’ve got nothing to weigh it up against. Because the open source environment is defined by the sheer volume of developers and products out there, it can be a tough maze to navigate through.

Similarly, Google’s own casual mantra, its guiding company philosophy of openness and close collaboration, though commendable, brings certain obvious weaknesses that are, in comparison to, say, Apple, a major shortfall. Take for example the verification process for applicants wanting to enter the Android Market – in the last two years a number of apps, approved and available to users, have turned out to be infected with malware. This is a major area that needs addressing.

Other things to be wary of include privacy settings. Though we may live in an age of ‘over-candidness’, where people reveal odd little titbits on sites like Facebook and Twitter, privacy is still a right worth protecting. However, in some cases there are transparent weaknesses already built into certain devices. HTC devices, for example, automatically geo-tag photos and Tweets – you actively have to disable this feature. Likewise, other devices offering localised services could, rather worryingly, quietly use GPS permissions for location tracking. And of course there is the much publicised data collection and exposure on the company’s Sensation and Evo range.

One of the biggest risks is easy access to a virtual private network (VPN), which many businesses and employees use remotely to provide a convenient mobile working environment. This is great for increased connectivity and for promoting flexible working, but it is also a route for cybercriminals to infiltrate corporate networks surreptitiously and either introduce malicious software or steal important data.

The threats are very real, but there are measures in place to help protect Android users. We’ll be discussing those in our next post. In the meantime, for further reading check out the Acumin white paper on Android security: http://www.acumin.co.uk/cm/content/resources/white_papers

A Fortress or a Modern City? That is the question

Before he found international fame with his, to all intents and purposes, groundbreaking action novel The Da Vinci Code, American author Dan Brown released a number of novels that later went on to become best-sellers.

The first novel he ever released was entitled Digital Fortress, a thriller about a cryptographer who is called in by the National Security Agency to help break a code that its all-powerful device cannot break. Cue lots of trademark Dan Brown twists, turns and cliff-hangers.

It’s an interesting title, one that presages the digital world we live in. A lot has happened in the 13 years since it was released with regards to cyber security, information risk, ethical hacking and other things pertinent to this industry.

The next RANT topic, coming up at the end of the month, deals with the idea of so-called digital fortresses, contrasting them with the open approach, otherwise known as de-perimeterisation.

This networking event, which all professionals operating in the information security industry – including those with expertise in governance and compliance, digital forensics and penetration testing – are advised to attend, will cover a number of topics, including the physical defence strategies of past civilisations, a comparison with how modern towns and cities are secured, and the pros and cons of a digital fortress strategy versus an open approach.

The latter is known as de-perimeterisation. This term, coined by Jon Measham in 2001 and popularised by the Jericho Forum, describes “the erosion of the traditional secure perimeters, or network boundaries, as mediators of trust and security”.

This so-called erosion has been made possible by consumerisation online, meaning that firewalls can easily be bypassed and security controls circumvented. As such, if an open approach is desired, the argument goes that every level needs to be secured using a myriad of strategies, including data-level authentication, encryption and inherently secure communications. Traditional boundaries, once taken for granted, are fast disappearing as the internet continues to evolve at a startling pace.

It’s a fascinating subject, one which is occupying the thoughts of many security professionals to no end at the moment. Attend the next event and join the discussion by emailing Gemma at Acumin to be added to the guest list.

“Protecting our Assets; Fortress or Modern City?” is being held on November 30th and will be the last in 2011.

For more information visit the RANT website or join us on Twitter @RANTforum or @Acumin. You can also get in touch with the discussion host Paul Vincent of Cyber Security Limited at his Twitter profile @cybersecurer.

– Gemma Paterson, Acumin

Open source Android a target for cyber criminals

The smartphone revolution was always inevitable if we consider Moore’s law an indisputable fact. To abridge a fascinating and somewhat complicated strand of technological discourse, Moore’s law refers to the idea put forward in 1965 by Gordon Moore, Intel co-founder, that the number of transistors on a chip would double every 24 months.

Simply put, this would result in technological devices being smaller, more intelligent and more powerful than their predecessors. So far so good: this is a near-enough description of how things have panned out nearly 50 years on from that now prescient statement.

With smartphones coming to dominate the lives of everyone from bankers, to social networkers to information security and risk management professionals, these devices, like their cumbersome ancestors, are vulnerable to – or at least victim to – cyber security breaches.

Google’s Android operating system, which is at the forefront of the smartphone market – it’s available on a wide range of devices at competitive prices – is one which is being most visibly targeted. At any given time there are 40,000 infected devices across the globe, which goes some way to show how serious the problem is for Google.

It comes with the territory – Google, though famous for its adage “don’t be evil”, has grown into a huge multinational corporation with a massively diverse portfolio of operations, many of which are free and many of which are predicated on the idea of collaboration. This is especially the case with Android, which is based on an open source philosophy that allows people the freedom to modify, change and improve existing programs.

This leaves it naturally vulnerable to those seeking to use it for far less noble goals – rootkits, Trojans, botnets, you name it; all of these are able, in some way, to embed themselves in the Android operating system. An apt description of this is the commercialisation of mobile malware, meaning smartphones are now prey to malicious and manipulative rogue software like SpyEye.

That’s just a brief introduction to the current state of play in the growing prevalence of cyber security threats on mobile devices. In the last year alone, 20 per cent of cyber crime in the United Arab Emirates occurred on mobile devices.

With smartphones fast becoming a part of everyday business, adopting risk management procedures to counter this is going to be an important part of the daily rigmarole.

In our next blog, we’ll look at some of the major threats and vulnerabilities on Android devices.

Download the Acumin white paper on Android Security from here: http://www.acumin.co.uk/cm/content/resources/white_papers

Everyone needs to (attend) RANT

It’s good to RANT.

The Oxford Dictionary definition of a rant by the way is: “speak or shout at length in an angry, impassioned way.”

We like impassioned, there’s a positive in that description. The word angry we don’t like so much.

So, it’s good to RANT.

You might have observed the capitalisation of RANT, which is deliberate. It’s the acronym for Risk and Network Threat, a monthly, informal networking forum held by Acumin Consulting and NGS Secure.

It’s an event where senior end users in the information security and risk management industry meet with other professionals and experts to discuss – or rant if you will – about pertinent industry issues. It’s not only a great platform for debates, discourse and blue-sky thinking, but also an apt, focused and beneficial space in which to network.

Note – there are no security vendors or consultancies in attendance at such events. It’s not about sales. RANT exists as a genuine meeting place for like-minded thinkers to convene, whether to query issues, rant about projects, highlight certain topics or simply to listen and be informed. All under the Chatham House Rule.

If anything is sold, then it would be knowledge, and the price of that is, so long as you’re a member of the RANT community, absolutely zilch.

So why is face-to-face networking important? In a digital age where conversations occur over screens, where we can comfortably ring one another wherever we may be, send a tweet and get a tweet back almost instantaneously, it could be argued that such events are redolent of a bygone era.

Which would be a huge mistake. Human beings are, after all, sociable creatures – actual human interaction, as opposed to virtual relations, is almost innate, part of our DNA. Furthermore, 80 per cent of our communication – in fact, some studies suggest as much as 90 per cent – is non-verbal.

That in itself, without the need for me to elaborate, speaks volumes. An informal chat with one of your peers at an event like RANT, beer in hand, in comfortable surroundings, is conducive to creating a productive environment. Not to mention the invaluable face-time before every RANT with the Acumin consultants, who have their ear to the ground on all industry developments.

There’s the classic saying that “it’s not what you know, it’s who you know”. A classic for a reason, there is, of course, a semblance of truth in the maxim, but we like to go one step further and come up with a modified version:

“It’s what you know and who you know combined that provides you with a strong foundation.”

From that foundation the opportunities are abundant. You just have to look for them, be amongst your fellow professionals and get talking.

Let’s get ranting at RANT… impassionedly, of course.

Metropolitan Police setting standards in the fight against cyber crime

For now, let us reflect on the good times.

The Metropolitan Police revealed at the start of the month that its Central e-Crime Unit saved the UK economy an astonishing £140 million in just the last six months alone.

With cyber crime costing the country a gargantuan £27 billion a year, its efforts – IT security professionals working in information risk management would agree – are to be applauded.

The ACPO National e-Crime Programme (NeCP), which received a hefty funding boost at the start of the year after the government realised that cyber security is increasingly pushing its way to the top of the list of threats to the UK’s safety and intelligence, is looking to be a formidable force.

That funding by the way, which came to a total of £30 million, has been money well spent. The NeCP is building a sophisticated, tech-savvy and committed team that signals a positive step forward in security. They aim to set standards of pre-eminence and then outperform themselves.

The positive thing is that it is focusing on some of the biggest threats to security going, like the distribution of malicious code – aka malware – distributed denial of service (DDoS) attacks and unwarranted computer intrusion.

Detective superintendent Charlie McMurdie, from the Police Central e-Crime Unit said: “The PCeU continues to take action in its continuing efforts to reduce the harm caused to the UK economy and to UK citizens by those making use of the internet to commit crime.”

Online security breaches are on the rise and will become as prevalent as so-called “regular” crime, because the internet is where many people now choose to organise their professional and personal lives: it is the conduit through which they interact and network with one another, in person or remotely, and over which their personal details are passed.

That the government has recognised this and invested in it is a positive and proactive move, backed up by the machinery that is putting in place the mechanisms needed to combat rising levels of crime against individuals, businesses and the government itself.

If the Metropolitan Police’s recent successes are anything to go by, then cyber criminals, lurking behind encryption and clever algorithms – from “state-sponsored” criminals to organised crime gangs down to “spotty teenagers sitting in their bedrooms”, as Detica’s Martin Sutherland so eloquently put it – are facing a new era of clampdowns.

An eye on data, governments increase Google requests for information

The internet is, without question, a vital part of most people’s existence, from those working in forensics to those involved in ethical hacking and the cyber security professionals who keep on top of threats and the latest security measures against them.

And Google is, perhaps, the dominant player in this virtual arena, at least from a purely search point of view – the dominant search engine by a long shot. That’s putting it lightly; it is, in any case, a master in other areas, like statistical analysis (Google Analytics), social media and, relevant to this post, the art of data collection.

The American multinational corporation, which was founded by Larry Page and Sergey Brin, recently released its biannual transparency report, which it does, and I quote, to “ensure that we maximise transparency around the flow of information related to our tools and services”.

The most fascinating thing about this report is that government requests – from the UK to the US to China and all the rest – for Google to pass on data are increasing. With regard to the UK, the tech organisation reported a massive 71 per cent rise in content removal requests from the British government and its police force. The reason given for removing such information is national security, a bid to preserve information security.

A Home Office spokesman explained the government’s action as a response to online extremists or hate content, which it takes “very seriously”.

“Where unlawful content is hosted in the United Kingdom, the police have the power to seek its removal and where hosted overseas, we work closely with our international partners to effect its removal,” the spokesman said.

In response, Google said that it had fully or partially complied with 82 per cent of these requests.

It’s an intriguing insight into the ‘hidden backroom’ conversations going on all the time between Google and various governments, in what is a very sensitive area. We value information security and risk management as much as any other organisation, but we have to be careful that such actions don’t slide into unjustified censorship.

That’s why Google’s transparency report is such a good thing – it lets the world see what’s going on and what governments are doing. Accountability, transparency and, of course, maintaining high levels of information security for sensitive and private data are inherently important, after all.