Monthly Archives: January 2012

The attraction of contract working: Part One

Contract work is, these days, a growing phenomenon. More people than ever before, especially in the Information Security industry, are considering shifting to this unique style of working. And it appeals to both individuals and organisations, principally because it is a flexible, easy and productive way of working.

So just what is contract work? Although there is no fixed, universal definition, it can perhaps be best described as being an agreement between an organisation and individual to hire that said person for a finite amount of time – variable to the specifics of the contract of course. It’s that basic. It can either be long-term or short-term. In the context of our field of work, it is understandably a popular way of working.

The best way in to this kind of work is to sign up with an established agency that has a history of success in this field. The benefits are palpable. As specialists with knowledge and experience of our business, agencies have the knack, the resources and contacts to make highly-focused contract work a reality.

For example, let’s say you are a CLAS consultant with current DV Clearance. An agency can, on talking with you and going through your CV – which, by virtue, implies detailing your skills and work history – filter out irrelevant contractors and narrow down potential clients that might appeal to you. Moreover, in having developed relationships with such organisations, they will be able to best assess whether your appointment will be a productive one for both you and the contractor. The end result is to produce a harmonious working relationship that leaves everyone smiling.

The development in contract work can be seen as a natural by-product of a globalised world and how, every day, it is impacting on the ways in which human beings organise themselves with regards to work. It’s all post-industrialisation, chiefly post-World War Two.

Whereas 9-5 has long held the post as the most natural and sensible way of working, the more connected nations became with one another, in terms of trade and communications, the more it began to impact on how various organisations, companies and buildings came to work with one another. 9-5 began to feel too rigid, when, for example, your customer operated in India. India is five and a half hours ahead.

Consequently, habits and longstanding ideas, once deeply entrenched, began to transform. Hours changed, flexi-time was introduced, and people worked and finished earlier (8-4) or worked later (1-4). Others realised that some jobs were superfluous to their operations and staff rosters were streamlined. It wasn’t all fun: it meant making difficult decisions and it meant people were made redundant. To be blunt, it was collateral. Contract working and indeed flexible working – the big buzz of the moment – emerged.

Advertisements

Some things never change: Part two

If you haven’t been hiding in a cave this month or guilty watching Celebrity Big Brother – testament to the saying “it ain’t over till it’s over” – you’ll have been hooked by two major stories that have emerged – one is Wikipedia’s one-day blanket blockade of its English-based content and the other is the somewhat dramatic shutdown of Megaupload.com.

Although we plan on discussing both of these respective stories in upcoming blogs, it is worth mentioning them within the context of this blog. The outcome of the Stop Online Piracy Act and the case against Megaupload.com will have an impact on our industry, with particular regards to how professionals in our industry operate online as well as how fraudsters are able to navigate the world wide web. Some things will never change, that much is true, but if the parameters in which they exist transform, well, the arena no longer is the same.

This could be a theme this year – taking the old and making it new. Ash Patel, Stonesoft’s country manager for the UK and Ireland, figures that hackers will be entering a more sophisticated age in the way they go about their criminal business. It’s not a different way of operating per se, just a more developed way of carrying out operations. The sentiment is shared by Graeme Batsman, director of Data Defender, who believes this increased refinement of methodology will lead to greater problems.
“At present we are at stage two and three,” he said.

“[Stage one is the] intent to infect computers and wreak havoc. [Stage two is for] monetary aim – cyber gangs are based in various countries and some even take credit cards to ‘remove’ viruses or give you ‘protection’.”
Stage three, he added, is state-sponsored cyber attacks, which target both state and defence contractors. What is most worrying is the scale of such attacks – prolific like a dazzling in-season footballer at the prime of his career.

While we’re used to this in our business, the workload is set to become a lot harder, creativity is going to be pushed to the limit and our capacity to react to situations in a cool and efficient manner will be more important than ever. In short, we’re going to have to maintain the quality of our work and step it up a gear.

Which is why, according to Stonesoft and Amichai Shulmanm, chief technology officer and co-founder of Imperva, 2012 will be a year where there will be more policing of online activity than ever before. The message to criminals is “we know you’re out there, so hear us loud and clear – we will find you and punish you accordingly”.

It’s a move in the right direction, recognising that as we move to a world that is deeply embedded in a digital landscape, crimes committed within this virtual environment should be one) monitored and regulated to a degree similar to that of the real world and two) those found guilty of crimes within this interface should be punished as they would outside of it.

As we said above, although some things will never change, the world in which cyber criminals and security professionals exist, keeps on evolving. If we accept that, we’ll be alright.

Something phishy is going on in Facebook

What would a world be like without Facebook? The mere question sends an icy shudder down our collective spines. It has become so embedded not only in our personal lives, but has rooted itself into the identity of different facets of society. From political parties to charities to big corporate giants, Facebook has become integral to their message.

Of course there are other social networking sites out there, all of which are user-friendly, engaging and full of interesting features – note, Google recently revealed that its own social offering, Google+, now has 90 million registered users – but none of them have had the same impact as Facebook. Heck, it even got made into a movie and a very good one at that too.

This all adds up to making Facebook particularly vulnerable to exploitation and cyber attacks. With that many people connected and overly candid about their private lives, perceptive criminals have been able to, for example, break into homes, steal identities and gain access to bank details. The worrying thing is that this openness is a sign of the age.

“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people – and that social norm is just something that has evolved over time,” Mark Zuckerberg, the co-creator of Facebook once said.

One thing to be aware this year is a new phishing scam unique to the social networking site. The basic premise is that fraudsters are posing as Facebook security in chats. David Jacoby, a Kaspersky Lab expert, warns that not only are these scammers attempting to steal identities, but credit card information and security questions. Moreover, the move highlights a new approach to phishing.

“This Facebook phishing attack is pretty interesting because it does not just try to trick the victim into visiting a phishing website,” he wrote. “It will reuse the stolen information and login to the compromised account and change both profile picture and name.”

Once an account has been hijacked, the profile is modified and all contacts are sent a message warning them that their account will be deactivated. It asks people to click a link which redirects them to a sham Facebook page where it asks for key login details. After which comes the ‘juicy bit’ asking for credit card details (including your security code).

Not only is it all so sophisticated, it exudes authenticity. This scam and others like it showcase the product of, dare we say it, extensive research and hard labour. The disturbing thing is that they’re becoming more popular, and unfortunately capturing people off-guard.

Although Facebook is fully aware of the security threats it faces on a daily basis – “We have spent several years developing protections to stop spam from spreading and have sought to cooperate with other industry leaders to keep users and their data safe,” it said in a recent statement – more needs to be done to educate users about how to keep their data and personal information secure. We as professionals can do our best to develop strategies to negate the impact of such scams, but to truly succeed; we need vigilance from those outside of the industry as well. Together we can make Facebook a virtual home as comfortable as that of our tangible abodes.

Some things never change: Part One

The New Year doesn’t necessarily mean change. It becomes accepted wisdom that once the seconds begin ticking away past midnight on January 1st, things are suddenly different. That the world changes. That we change. If you really look at it hard it’s just a symbolic act. Time, as we know, is relative. Nothing is absolute and some things never do change.

We were thinking about this, back in the office after a well-earned break – though security professionals will know that in our industry we find it hard to switch off our respective gadgets full stop, let alone for Christmas. In particular, the topic of conversation was the continuing persistence of security threats to the information security & risk management sector.

Now, although this is an area we would like to see undergo dramatic change, namely a reduction in the amount of illicit behaviour that goes on – the eradication of it being wishful thinking perhaps – the sad truth is that security threats, on a huge scale, will continue to pose a challenge to everyone.

Hence the importance of what people like yourself do – be that working in government & compliance, in cyber security, or as an ethical hacker. Our work is inherently valuable to the fabric of society, to a degree that is not that well understood. Like Batman, we don’t do what we do for the applause (though respect from our peers is always welcome). We do it because we believe in our work.

So, what should we be looking out for in 2012? A simple glance backwards helps identify three continuing strands: drive-by downloads, mobile malware and shopping security. With the latter, it’s the authenticity of fraudulent websites that was and will continue to be a big problem. Bogus shopping sites look the part.

With regards to mobile malware, smartphones and tablets, the fashionable choice these days, are open to attacks not necessarily because of the lack of protection out there, but because many consumers are one) not so au fait with security systems, two) unaware of how open their devices are to corruption and three) having quite a nonchalant attitude to all.

Drive-by downloads, a somewhat exotic catchphrase, saw a sizeable increase in 2011. It can occur in three ways – downloaded by a user but without full knowledge as to what the implications are; downloaded without any knowledge; and the download of a virus, again without knowledge. Once downloaded, a website is “hijacked” and users susceptible to being targeted. This is one to watch out for in particular this year.

Part two will follow soon, but in the meantime, think about your own experiences as to what you saw over the course of the last 12 months and how that was similar and dissimilar to the previous year and the one before that. Post a comment below and we’ll see what trends we can identify. Some things never change, but then again, the world is full of surprises. Humans are always capable of producing new concepts, ideas and software…good and bad.

A new year, a new you and a new opportunity

At the start of a new year there is a certain impulse to start afresh. Not so much from square one, that would be quite absurd, but from a certain, how can we put it, stage in one’s life? So, as is customary, one will choose to go on a diet after a period of indulgence, we will promise to be more charitable – the older we get so suggests some research – and we’ll give our jobs some deliberation.

With the latter, this is very much a characteristic trend in workplaces up and down the UK, of which our business, the Information security industry, is not exempt. It’s not that we lament our current role – though that can certainly be the case – more that we have a psychological impulse to consider change, to mull over how we can progress in our careers.

“A key issue to consider is whether you will feel more motivated and rewarded by seeking a new challenge in your current role or company than risking a move in uncertain economic times,” John Salt, director of Totaljobs.com, told the Telegraph recently.

“Remember competition for jobs has never been more fierce so if you are going to move companies be certain the role you want is available and you can clearly show why you should get it.”

His thoughts are most astute – this is a challenging time, regardless of where you work and who you work for. Indeed, some of you reading may well be in the unfortunate position of being unemployed. It’s not that you’re without skills or experience, or the lack of impetus to find work. Whether you’re a professional in cyber security, information security or risk management, the current economic environment makes finding work, well, harder than ever before. There are jobs; it’s just that a lot more people are fighting for them.

Companies are also on the lookout for new staff in 2012 and are adopting exciting ways of advertising positions. Take for example an offer of a job for the position of Senior Network Design and Implementation Engineer. The salary is £70,000 to £90,000 (based on experience). The location is London. The client “designs, implements and manages complex IT infrastructures and platforms where it is critical to the customer that their infrastructure has the maximum possible availability”.

So far so good, yes? Well there’s more. If you yourself possess the skills that suit this excellent job, or perhaps know of colleagues, friends and/or associates who would suit this position, then you can bag yourself a cool £500 referral fee (so long as that person is chosen). Not bad eh?

If it piques your interest, the details follow:

The ideal candidate will require the following skills:

Significant experience with Checkpoint/Cisco firewalls and some exposure to switch and load balancer configuration gained in a customer facing business

  • Strong design knowledge and experience of network and security solutions
  • Strong implementation experience of network and security design solutions
  • Strong communication skills and client facing experience

The client lists as responsibilities “design, configuration, implementation of all elements of the managed Network Security service”.

For more information contact James Foster on 020 7510 9042 or email jfoster@acumin.co.uk

A New Year, a new you, a possible new career (or for a good friend of yours) and £500 to celebrate with…it could possibly be the start to a great 2012.

The threat to modern vehicles in the digital age

The German Karl Benz is the man who invented the modern car. Starting a blog with such a statement is bound to provoke some criticism because it can be easily argued that he wasn’t. For example, Ferdinand Verbiest, a Flemish Jesuit missionary from the 17th century is a legitimate contender as the modern car’s founding father. You can go even further back and make the case that Guido da Vigevano, an Italian inventor came up with the original concept in the 14th century.

Whatever your sentiments, from wind powered four-wheeled devices to engine-powered open top vehicles like the Benz Velo Model to today’s computer-powered behemoths, the evolution of the car has been unpredictable.

For computers to have ever been associated with vehicles in the way they are today would have been thought unimaginable both from a technical and aesthetical point of view. But normal laws do not bind technology so to speak – it develops in a fashion that is often hard to predict. Where will we be in 20 years time? We can estimate, but chances are it’ll be different.

“We are living in a world of incredible modern conveniences,” begins McAfee’s 2011 report Caution: Malware Ahead – An analysis of emerging risks in automotive system security.

“Computer chips, embedded in all aspects of our daily lives, have made it possible to have access to all kinds of information when and where we need it. Through internet protocols, these once dumb devices can now communicate with you and with each other in amazing, unprecedented ways.

The report goes on to discuss embedded systems and how historically information would only travel in one direction. Today it’s a two-way structure and these systems have become part of the very fabric of modern motors.

Consequently, they need security measures, which by natural deduction, implies they can be hacked into. It’s an unfortunate by-product of an era defined by gadgets, technology, the digitalisation of all sectors and the want to be connected. Convenience too is a big driver – pardon the pun – in the technological modifications made to cars.

We want to have the ability to start up a car using a smartphone, to have GPS systems integrated and hooked up to the web to provide ongoing, real-time updates and for our cars to have intuitive programmes that can respond to incidents quicker than us. What we want is what we get.

The worry, McAfee’s report states, is that little has really been done to provide security to these modcoms. When someone else can control your car, the risks become all too clear.

“The first remote keyless entry systems did not implement any security and were easily compromised: a regular learning universal remote control for consumer electronics was able to record the key signal and replay it at a later time,” the report says.

Security professionals working in information security and risk management will agree that these kinds of shortcomings need addressing. Indeed, as research has categorically pointed out, this allows for malicious software and hardware manipulation to become a regular feature of car crime and car theft.

It’s a fascinating area that is becoming evermore pressing the more sophisticated cars become and thus, the need to develop complex and secure safety systems to protect vehicles will become a bigger area of responsibility for some cyber security professionals.

Technology has had the ability to transform the one-time, wind powered vehicle into a titan of comfort, entertainment and drivability. Let’s keep it that way with in-car and remote security modernisation now and in the foreseeable future.

The fallibility of chip and pin

It was introduced back in 2004 and heralded as a fraud-smashing new approach to safely paying for goods and services. Like an impenetrable rock.

The swish-swoosh of elaborate signatures – because we all thought the more complex the style, the harder it would be to forge – became a traditional gesture. The strip on the back of cards for our names still exists, but the signature we put on it, is to some extent, redundant.

By 2005 it was viewed as a groundbreaking step forward, evidently doing its job and doing it well. The UK Payments Administration Ltd, which was then known as the Association for Payment Clearing Services, reported that chip and pin had cut plastic card fraud by 13 per cent.

It was validation.

However, flaws in the system have been identified. Last year seemed to be a particular milestone in changing perceptions. The conversation in the information security and risk management industry about the shortcomings of chip and pin was becoming louder.

Chip and pin was meant to do away with skimming – where cards are swiped. In March of this year, Italian specialists explained that EMV (Europay, MasterCard and VISA) cards “talk to” payment terminals, which fraudsters can now read if they install skimming devices on such outlets.

They can even do this on a pin terminal, after which a “clone card” can be produced. The myth that chip and pin is a rock of security has been broken.

More worryingly, researchers at Cambridge discovered that it was possible for perceptive criminals to commit fraud without needing a pin.

They dubbed this the man-in-the-middle attack. Naturally, they didn’t release too much information, but the basic premise follows.

For one, the fraudsters are au fait with the intricate details of the chip and pin system – call it insider knowledge if you will. Secondly, they must have external hardware capable of pulling off such a scam – which can be done remotely.

“Essentially what it does is to exploit a flaw in the chip and pin system,” Dr Saar Drimer, who was part of the research, told the BBC at the time.

“It makes the terminal think the correct pin has been entered, and the card thinks the transaction was authorised with a signature.”

Of course, like any security system, nothing is absolutely fool proof, but chip and pin was brought in to be a radical alternative. In some ways, with the weaknesses identified, it has lost its ability to sit smugly at the top of the security tree. It’s now just another payment system, prone to attack.

What do you think? Post your comments below and let us know.

Getting in on the conversation

Nowadays if you’re not on a social network site like Facebook, LinkedIn or Twitter, you are seen as someone who is not with the program. It’s objectionable to some people, an affront even – why on earth wouldn’t you be connected?

This is an age of information, of conversation, both digitally and in person. We’ve never had so many channels through which to communicate with one another on such a grand, open scale. From one corner of the world to another we can navigate intelligent discourse on anything and everything, quickly and in person. The flow of content has never been so easy.

With this in mind, some hints and tips for security professionals looking to ‘get in on the conversation’, are as follows.

If you’re not already on a social networking site, then now is the time to sign up. While that may indeed be unlikely – we like to think you’re relatively informed about the virtues of such sites, personally and professionally – it is worth reiterating.

None of the above are absolutely essential – there are an abundance of social networking sites out there, equally good, though not all that well known. Some will be relevant to industry – like an intrepid explorer, hit Google and have a search. While we’re here, do have a look at Google + – it’s definitely one hell of an innovative platform to converse online.

However, the advantages of connecting on Facebook, Twitter and LinkedIn are that they are all extremely popular, have a huge following – implying you can network much more efficiently through these channels – and they excel at what they do. So get liking, tweeting and linked in.

Through such digital networks we can create opportunities for real world interaction. Sign up to mailing lists and follow key initiatives like RANT. In doing so, you open up doors for all sorts of instances where you can meet peers, learn off one another and create opportunities to progress in one’s career. You’ll also be abreast of the latest happenings in the business, whether that’s new reports, blue sky thinking or upcoming conferences discussing the future.

It’s all about fostering a collaborative – and indeed open – environment. As security professionals working in a digital age, we have to be at the forefront of technological innovation, forward-thinking and keeping an ear to the ground. Don’t get left behind.

Thinking about the unknown

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.”

Back in February 2002, Donald Rumsfeld, the then US Secretary of State, included the above passage in a speech regarding the alleged lack of evidence about Iraq’s purported arsenal of weapons of mass destruction (later proved to be the case).

It was immediately picked up by the media, and though parodied to an extent, it was examined by some notable scholars, who explored the ultimate meaning of Rumsfeld’s semantic faux pas.

There is something known as the relevance paradox, which refers to the position where we gather all the most relevant information we think we need to make a decision about something, and do so without realising that there is more information out there. Like for example, a totally radical idea to the one you come up with based on the content you have at hand.

Ultimately, we are unable to access that information, because its importance can only be deduced when we come across it. The conversation can delve deeper into all sorts of philosophical enquiry – and riveting stuff it is – so we’ll close that detour here.

Dave Brooks, Business Manager, Credit Suisse, got us thinking about this subject when he gave a talk at the last RANT Forum. As security professionals, operating in Information Security and Risk Management, we have the skills, knowledge and experience needed to protect ourselves and our clients from known threats but what about the unknown?

Mr Brooks asked delegates “How do we prepare, detect and react to the unknown?” Needless to say it was a question that had us on our toes. He had caught our attention.

We will come back to this topic in the New Year as we want the idea to ferment for a while. It’s a fascinating concept, after all, prescience, showing an aptitude to predict something that we potentially haven’t come across, is not exactly your run of the mill endeavour.