Monthly Archives: July 2012

Catch up to the internet

Do you remember when the internet first emerged? We’re not talking about its absolute origins, the preserve of a few exceptionally smart individuals, but when the internet really started to infuse the everyday activities of our lives. For most people, of a certain age that is, it was the late 90s when it all really kicked off.

Back then though, we were more interested in emails than the web per se, websites not really offering much in terms of the perfect marriage of aesthetics and content. Instead, it was the buzz of being able to contact one another instantaneously that hooked us onto this new technological development. And it could be done globally.

It was, to all intents and purposes, the only account we “signed up to”. If we were inclined to actually browse the web, we wouldn’t need to log in to pages. Online banking didn’t exist, shopping was still about popping down the high street, and Facebook, well, Mark Zuckerberg was still at school, right?

After the dotcom bubble burst, things changed, the pieces fell into place and boom, soon there was a proliferation of knowledge, money and clout, a perfect coalescence of software and hardware. Now, in the year 2012, we have a smoothly operating machine that allows us to do pretty much everything online.

This new order requires a lot of accounts, by virtue of which we need lots of passwords. It can be problematic from a memory point of view, but more so, in terms of data protection, it has real security implications.

Which is why the figures from a new report are startling. Experian’s CreditExpert web monitoring service revealed that between January and April this year alone, over 12 million pieces of personal information were “illegally traded” online by cyber criminals.

Compare that with the 9.5 million pieces of information traded throughout the whole of 2010 and you can appreciate how things have spiralled out of control. At the core of the data being passed around are login and password combinations. It’s like giving a thief the key to your house and then saying: this is the code to the alarm, it never changes, go wild.

“The reason password and login combinations make up nine out of ten illegally traded pieces of data is because they give access to a huge amount of other valuable information, such as address books and related accounts,” explained Peter Turner, managing director at Experian Consumer Services in the UK and Ireland.

“Using a different password for each account will minimise risks, but if password information is stolen from a website, all accounts using the same details will be compromised, and this information can spread among fraudsters rapidly.”

The lesson to learn here is that although the internet has changed radically since its inception and been promoted from the fringes of usefulness and relevance to the big league – a central, ubiquitous and almost essential entity – our habits and attitudes haven’t come as far. We have to adapt, get with the programme, and treat the web seriously.

So, even though the number of accounts we have has increased massively, we haven’t responded by widening the number of passwords we use. It has simply been easier to have one static password, and we even concede that this is lax. It’s wrong, we accept that, but we do nothing about it.

It’s worth repeating: the simple advice is to have a unique password for everything. This may seem like a lot of work, but the payoff is extraordinary: peace of mind backed up by a hefty dose of security. Experian’s guide to keeping your account secure is pretty decent.

It has four tips: avoid the obvious, like pet names; have a lengthy password – ten or more characters is great; mix lowercase and uppercase letters with numbers and special characters; and come up with a memory exercise to remember everything – sing a song with them in it, whatever works for you.
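
To make the two pieces of advice above concrete, here is a short added example (ours, not Experian’s guide or anything from the original post). The first function checks a candidate password against the four tips; the other two audit a constructed sample “vault” of account passwords for reuse, which is the point Peter Turner makes: one breached site exposes every account that shares the same password. The list of “obvious” words, the account names and the passwords are all invented for illustration.

```python
import string

# Constructed stand-in for a blocklist of obvious choices (common words, pet names).
# A real check would use a much larger list, including leaked-password corpora.
OBVIOUS_WORDS = {"password", "letmein", "qwerty", "football", "fido", "tiddles"}


def policy_problems(password, min_length=10):
    """Return the tips the password fails (an empty list means it passes all four)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    # "Fido2009!" is still the dog's name: strip trailing digits/punctuation before checking.
    core = password.lower().strip(string.digits + string.punctuation)
    if core in OBVIOUS_WORDS:
        problems.append("obvious word")
    present = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def reuse_groups(vault):
    """Map each password used by two or more accounts to the (sorted) accounts sharing it."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


def exposed_by_breach(vault, breached_account):
    """Other accounts that fall if the password stolen from breached_account is replayed."""
    stolen = vault[breached_account]
    return sorted(a for a, pw in vault.items() if pw == stolen and a != breached_account)


# Constructed example vault: three accounts share one password, one does not.
SAMPLE_VAULT = {
    "webmail": "Fido2009!",
    "shop": "Fido2009!",
    "bank": "Fido2009!",
    "forum": "correct-Horse-battery-7",
}

if __name__ == "__main__":
    for account, pw in SAMPLE_VAULT.items():
        print(account, policy_problems(pw) or "passes all four tips")
    print("reused:", reuse_groups(SAMPLE_VAULT))
    print("if the shop is breached, also exposed:", exposed_by_breach(SAMPLE_VAULT, "shop"))
```

The reuse audit is the one worth running regularly: a password can satisfy every composition rule and still be the single key to your house if it is used on three sites.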

Bear all of that in mind and you’re definitely keeping up with the times. The internet has come a long way since its early days, just ask Bill Gates.

“The internet is becoming the town square for the global village of tomorrow.”


Don’t be a needle in a haystack

“A winner is someone who recognises his god-given talents, works his tail off to develop them into skills, and uses these skills to accomplish his goals.”

Famous words from Larry Bird, a former NBA basketball player who was forced to retire from the game at the age of 35.

He’d had a stellar career though: a member of the 50-40-90 Club, which in short means having had a “pretty fly season across the board”; a member of the Dream Team – the winners of gold at the 1992 Olympic Games; and, to top it off, the only person in NBA history to have been named Most Valuable Player, Coach of the Year and Executive of the Year.

Now while the idea that some of us are destined to be great is debatable – born to do it, so to speak – the suggestion that we are able to shape something we seem to be naturally good at is self-evident. We might find painting a work of art, kicking a football or quantum mathematics easy to do, but it is dedication to a discipline that really makes something out of nothing.

For security consultants, chief information security officers and the like, in the midst of looking for a new career challenge, there’s a question that needs to be asked: “What sets me apart from my contemporaries?”

It’s an important question and should not be mistaken for conceit. It simply is a short and simple way to analyse how far you’ve come, what knowledge and talents you’ve acquired and how this all plays into where you want to go.

In the IT industry, branches of which include information security and risk management, business continuity, ethical hacking and penetration testing, what matters most is leadership, a specialism, a flexible way of approaching projects and business in general, and a willingness to adapt.

With regards to a specialism, this speaks for itself. Businesses are looking for someone who has a command over a particular area, be it cyber security, sales and marketing or disaster recovery. What we’re talking about here is clout, unwavering technical knowledge. Though general knowledge is important, you can’t be a jack of all trades. To stand out, one requires a marker: “This is me; this is what I excel in.”

In reference to flexibility and adaptability, this is about being able to respond to change and possessing the ability to be reactive to new developments. The IT industry is currently undergoing transformation on a daily basis and constant change is almost the norm. You have to be willing and able to grow, to progress in a personal and professional capacity. Those who are happy to do the same old thing had better look somewhere else. Dynamic is what it is all about.

So take a leaf out of Larry Bird’s book and be the kind of person you want to be. This industry is growing all the time and as more and more people come into it, competition for positions, though plentiful, is going to be greater than it has ever been. Be a leader and step forward.

The funny thing about the bustling security industry

In this day and age, characterised by economic stagnation, dwindling spending power and limited opportunity – further compounded by the fact that it had seemingly poured cats and dogs since time immemorial – the idea that businesses might struggle to retain staff appears at first anomalous.

But it really isn’t. Even in the hardest of times, people still keep an eye on opportunities, whether because their current position is just a means to an end, because they’re looking for a promotion, or because they want a career change. Life’s an experience, after all.

Some industries buck the trend, like for example security, which, by the nature of its growing importance in society – it’s becoming an important facet of most people’s lives and of businesses – is expanding. Staff retention in this context takes on a different meaning.

Here’s a very apt example that has wider resonance. A new report from the Intelligence and Security Committee – a must read for CIOs, CISOs and the like – has observed that the UK’s Government Communications Headquarters (GCHQ) is at real risk of losing out on a generation of skilled professionals.

The reason is simple – they can’t keep hold of them (which we’ll come back to). The problem this results in, however, is very serious. Without this important, proficient and accomplished workforce, the UK’s ability to be at the top of its game and ensure that cyber crime is thwarted is at real risk of crumbling. That’s not a pretty picture.

Iain Lobban, the director of GCHQ, is very candid about the dilemma this reality poses. Because it’s a healthy industry and there is a growing demand for cyber security experts across the globe, professionals are simply doing what is normal – packing their bags and heading off.

When you’re presented with a great opportunity and a bump in pay, it’s logical. The government simply can’t match the salaries being offered. However it isn’t all bad. For one, it paints a very good picture of the private sector in this field and, in general, of the industry as a whole.

If, for example, you log on to Acumin’s website – a leader in information security recruitment and risk management recruitment services – what hits you is both the number of jobs available and the variety. This is an industry on the cusp of serious activity.

So, while the picture for the government isn’t going to change in the interim, there is a business model that can work to a satisfactory level, Mr Lobban has explained.

“One of the things that I’m looking at is whether or not we can recruit people, train them and then employ them with the expectation … of losing them at the end of that period,” he said.

“And, as they move into industry, for them to be useful for us. If they’re working with some of those companies that we work very closely with, perhaps there is a benefit that we can get from them.”

It’s not perfect, but neither is the weather or the economic situation. So, we do what we do best and we adapt, always optimistic. That’s called character and Brits have plenty of it. And hey, even Carol Kirkwood, the BBC’s popular weather presenter, says that there is sunshine around the corner. Let the good times roll.

Taking on the high-rollers

The European Network and Information Security Agency (ENISA), which exists to improve network security within the EU, has stated that all banks should “presume” that all of their customers’ PCs are “infected”.

This fascinating suggestion by the security agency is predicated on the idea that it makes sense to go with the default position that computers – the definition here inclusive of devices like tablets and smartphones – are, to a degree, compromised.

ENISA believes that banks and financial institutions at present operate under the assumption that their online banking systems are secure, but this is a mistake that can and does lead to serious trouble.

The security agency felt compelled to make such an assertion in light of recent reports about “high roller” cyber attacks, which have been directed at wealthy corporate bank accounts.

In particular, ENISA draws its conclusions from a detailed report into the matter, produced by McAfee and Guardian Analytics, which discussed its discovery of a “highly sophisticated, global financial services fraud”.

“Unlike standard SpyEye and Zeus attacks that typically feature live (manual) interventions, we have discovered at least a dozen groups now using server-side components and heavy automation,” the authors of the report stated.

“The fraudsters’ objective in these attacks is to siphon large amounts from high balance accounts, hence the name chosen for this research: Operation High Roller.”

The intriguing thing about this is that little or no human participation is needed, with each assault moving at speed. Combine insider knowledge of banking transaction systems with “custom and off the shelf malicious code” and you’re straying into organised crime territory, the research noted.

What can be derived from this is the notion that today’s bank robbers have migrated online because this is where the money is, another sign that the digital world is increasingly becoming the default habitat in which to do everything…literally.

The attacks occur in three distinct phases. First of all, targets are identified using spear phishing, and those with large balances are singled out. Following on from that, malware is delivered to their computers – malware that is bespoke to the online banking website of the victim’s bank. It kicks into action as soon as the person logs in to their account, and from then on gives the fraudsters carte blanche to carry out fraudulent transactions from the victim’s own session.

ENISA has some suggestions about how to beat the criminals at this. One, as mentioned above, adopt the attitude that all PCs are compromised and put in place security measures that hold up even when the customer’s machine is running banking malware like Zeus. Two, make online banking itself more secure. Finally, there needs to be strong global cooperation (here the attacks were coordinated across the globe), otherwise there will always be shortfalls in knowledge.

Other things that can work, even against highly sophisticated attacks, include anomaly detection strategies – criminal behaviour is fallible – developing solutions to more automated, obfuscated and creative forms of fraud, and providing equally diverse and multilayered forms of protection. The house always wins in the end.
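
Because the customer’s PC is presumed infected, the anomaly check has to live on the bank’s side, where the malware cannot tamper with it. As an added example (ours, not from the ENISA statement or the McAfee/Guardian Analytics report), here is a small server-side detector run over a constructed log of one account’s activity. It scores each transfer on the traits the High Roller description gives away: a payee never seen before, an amount far above the account’s usual, a transfer fired seconds after login (automation, not a person), and several transfers in a burst. The log lines, payee names, amounts and thresholds are all invented for the example; a real deployment would tune them per customer segment and hold flagged transfers for out-of-band confirmation rather than block outright.

```python
import statistics
from datetime import datetime

# Constructed activity log for one account (not real data).
# Format per line: ISO timestamp, event, payee ("-" for logins), amount in GBP.
SAMPLE_LOG = """\
2012-07-02T09:14:05 login - 0
2012-07-02T09:16:40 transfer electricity 120.00
2012-07-05T18:02:11 login - 0
2012-07-05T18:04:30 transfer rent 950.00
2012-07-09T08:30:00 login - 0
2012-07-09T08:31:15 transfer electricity 120.00
2012-07-11T12:00:00 login - 0
2012-07-11T12:00:03 transfer mule_acct_1 48000.00
2012-07-11T12:00:05 transfer mule_acct_2 47500.00
2012-07-11T12:00:07 transfer mule_acct_3 49000.00
"""


def parse_log(text):
    """Turn the whitespace-separated log into a time-ordered list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event, payee, amount = line.split()
        events.append({"time": datetime.fromisoformat(ts), "event": event,
                       "payee": payee, "amount": float(amount)})
    return events


def suspicious_transfers(events, amount_factor=10, login_gap_s=15, burst_s=60, min_reasons=2):
    """Flag transfers that trip at least min_reasons of the four behavioural checks.

    Thresholds are illustrative assumptions: amount_factor times the median of
    earlier transfers, login_gap_s seconds after login, burst_s seconds between
    transfers. State is built only from events already seen, so the baseline is
    the customer's own history, not a global rule.
    """
    seen_payees, past_amounts, recent, flagged = set(), [], [], []
    last_login = None
    for ev in events:
        if ev["event"] == "login":
            last_login = ev["time"]
            continue
        if ev["event"] != "transfer":
            continue
        reasons = []
        if ev["payee"] not in seen_payees:
            reasons.append("new payee")
        if past_amounts and ev["amount"] > amount_factor * statistics.median(past_amounts):
            reasons.append("amount far above typical")
        if last_login and (ev["time"] - last_login).total_seconds() <= login_gap_s:
            reasons.append("seconds after login")
        # Keep only transfers inside the burst window, then test for company.
        recent = [t for t in recent if (ev["time"] - t).total_seconds() <= burst_s]
        if recent:
            reasons.append("burst of transfers")
        if len(reasons) >= min_reasons:
            flagged.append({"time": ev["time"], "payee": ev["payee"],
                            "amount": ev["amount"], "reasons": reasons})
        seen_payees.add(ev["payee"])
        past_amounts.append(ev["amount"])
        recent.append(ev["time"])
    return flagged


if __name__ == "__main__":
    for hit in suspicious_transfers(parse_log(SAMPLE_LOG)):
        print(hit["time"], hit["payee"], hit["amount"], "->", ", ".join(hit["reasons"]))
```

Note that a single odd trait is not enough on its own: the first rent payment is a new payee but nothing else, so it passes, while the three automated transfers each trip three or four checks. Requiring agreement between independent signals is what keeps the false-positive rate tolerable for a real customer base.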

The kind of “how to” guide to security that SMBs will benefit from

The Data Protection Act 1998, in force since 2000, is the core piece of legislation that seeks to ensure that personal data is protected in the UK. Principle 7 of the act states what is required, in relation to security, of those who hold personal data.

Principle 7 is comprehensive – but by no means all-inclusive (risk management will be bespoke after all) – and is well captured by the following demand: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

In short, it states that businesses have to make all reasonable efforts to ensure security is vigorously implemented; otherwise, along with loss of data, breach of network security, loss of reputation and financial damage, they can face a monetary penalty from the ICO of up to £500,000, a sum that would be significant and detrimental to small to medium-sized businesses (SMBs).

Conscious of this and the changing shape of the business landscape – the permeation of the internet into all facets of an organisation’s operations – the Information Commissioner’s Office (ICO), which oversees the Data Protection Act, has released a new guide to help SMBs out.

Entitled A Practical Guide to Information Security: Ideal for the Small Business, the ICO’s document is not bad at all. It’s not massively detailed – 12 pages – but that’s the point. It serves as an introduction, putting forward recommendations that are relatively easy to implement and not too costly.

The language is clean, perhaps directed at those who lack any discernible strategy for information security and risk management. For example, the following passage outlines the first step businesses can take:

“Before you can establish what level of security is right for your business you will need to review the personal data you hold and assess the risks to that data. You should consider all processes involved as you collect, store, use and dispose of personal data. Consider how valuable, sensitive or confidential the information is and what damage or distress could be caused to individuals if there was a security breach.”

While that may sound obvious, break it down and it’s informative. Take, for example, the line about the processes involved in collecting, storing and using data. Is this done ad hoc, without any clear-cut policy, or is it more regimented and authoritative? Knowing this can be exceptionally beneficial to SMBs.

Another great recommendation, which to most security consultants is standard practice, is using a layered approach to network security, something non-savvy SMBs might not consider, thinking that a single approach is enough.

But, as the ICO notes, there is no single approach that can ensure 100 per cent security. A combination of tools and techniques makes sense because if one “layer” crumbles, there’s another barrier in place to prevent an attack being successful.

Throughout the document, points like this are aired, and it is extremely refreshing to come across something that simplifies, explains and articulates the importance of information security in today’s age of information. Well done ICO.

Cyber security is in an era of ‘prominent activity’

When one of the most senior figures in British security remarks that cyber security is a global threat, you know he isn’t beating about the bush – he’s informed, he knows, and he’s happy to spread the bad news.

Jonathan Evans, director general of MI5, the British intelligence agency that works to protect the UK’s national security against threats, informed an audience at the Lord Mayor’s inaugural annual Defence and Security Lecture, that although cyber crime has been a threat to network security for many years, we are now in an era defined by prominent activity.

Such is the threat of online malicious activity to the integrity of UK security that it is up there with terrorism as one of the four major security challenges the country has to battle on a daily basis, 24/7. One simply cannot rest on one’s laurels.

“Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states,” he said in a speech entitled The Olympics and Beyond. “And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both state sponsored cyber espionage and organised cyber crime.”

Serious words indeed. Backing up his arguments about the need to develop a robust system, tighter relationships with various organisations and improved sharing of best practice, he cited an example of how detrimental the actions of cyber criminals can be.

One major company, listed on the London Stock Exchange, was hit with revenue losses of £800 million – just imagine that on a national scale and you begin to see a clear picture of how damaging this can be. That money could be redirected elsewhere, help create jobs and boost economic activity.

“This is a threat to the integrity, confidentiality and availability of government information but also to business and to academic institutions,” he added.

“What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations.”

We definitely agree that it is important to develop closer links within the IT industry, across sectors that specialise in risk management, information security, ethical hacking and business continuity.

This is why Acumin hosts and invests heavily in RANT, a forward-thinking, blue-sky thinking risk and network threat forum. We love conversation, ideas, communicating with people – even those we don’t agree with – and exchanging information, which is the most valuable currency we have.

“The two words ‘information’ and ‘communication’ are often used interchangeably, but they signify quite different things. Information is giving out; communication is getting through.”

So said the renowned American journalist Sydney J Harris. Bear this in mind and there’s nothing an organisation cannot achieve. We’re in this together; a team.

Everyone’s talking about DDoS: Part Two

Contradictions are good, they’re very human, a sort of nod to duality. With night comes day, with heat comes the cold, with the Force comes the Dark Side.

While we began the first half of this feature sounding off about excessiveness – with good reason, we hasten to add – we are, through being involved in the conversation about DDoS, an example of what we call legitimate over-abundance. In this case, lots of eager banter about DDoS is a good thing.

We left you on a quasi-cliffhanger, which was deliberate. Some wise person once said you should never go to sleep having not ended an argument, but our precipitous subject matter was more a volley of information into your court to sleep on, after which, you kindly smashed it back, with shrewd insight no doubt.

Now, while a small band of ethically-minded people might perceive DDoS to be a legitimate form of protest, it is, in today’s wisdom, anything but. It’s illegal and carries with it serious punishments. That’s because DDoS attacks can damage big corporations and government.

Ryan Cleary and Jake Davis have recently admitted attacking both the Serious Organised Crime Agency in the UK and the CIA in the US, as well as running DDoS attacks against well-known brands like 20th Century Fox, Sony, News International and Nintendo to name but a few.

The reason the authorities have responded so severely is that they recognise that DDoS attacks are more than just a nuisance. As we shift to operating more and more of our lives online, such attacks have the power to seriously disrupt the way society functions.

If they can bring down a government website, who’s to say they can’t do the same to the NHS website, through which, in the not too distant future, patients may end up obtaining essential medicine?

According to Vic Mankotia, security vice president of CA Technologies for Asia-Pacific and Japan, DDoS attacks are becoming more sophisticated and consequently damaging.

For example, the fact that some DDoS attacks originate from automated systems with “payloads delivered from USB sticks and protocols such as Bluetooth and magnetic strips of cards” reveals a new era in this criminal activity, he told ZDNet Asia.

It’s hard to keep up with changes, that much is true. Sometimes, it has to be said, businesses themselves are at fault. Don’t get us wrong, we’re not condoning the activities, everyone hit by a DDoS attack is a victim, but companies could be better off if they beef up their security.

In a fascinating article for Wired recently, one that concentrated principally on the lack of insurance cover for DDoS attacks, Miguel Ramos, a senior security consultant at Neustar, took us briefly back to the not so distant past.

“Think back to your history classes and ponder the Maginot Line, the pre-World War II French military fortifications. Hailed as a brilliant innovation and utterly impregnable, the line was quickly outflanked by a cunning and determined foe,” he observed.

“This is not too dissimilar to the way many businesses defend against DDoS attacks. It’s not uncommon to hear, ‘No problem, we’ve got it covered.’ But with what?”

He cited the example of the “woeful” weaknesses demonstrated earlier this year, when such an attack on the DNS servers of the British Home Office achieved “the goal every hacktivist aspires to: garnering global attention through strategic targeting to raise awareness for its cause”.

Such things bring the matter into the public arena, hence this extended feature. We commend organisations like Check Point for developing tools to fight this battle; we even welcome the chutzpah of D66, for helping us come up with answers as to why DDoS should remain illegal.

Now, enough words have been written, that much is true, so, we put an end to abundance, and leave the thinking to you.