Category Archives: RANT

A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still
effective? And what if there was a way to use the same psychological
pivots attackers use, and improve cyber security? Well, those attending
this month’s RANT Forum in London are about to find out just how to make
that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded
cyber-security expert and a member of the government’s industry advisory
group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will
show how and why they still work. “What I do is look at the psychology
behind these attacks,” he tells the Acumin Blog. “Security is constantly
changing, and it’s difficult at the best of times for CISOs to level the
playing field in a constantly changing threat landscape. It’s a case of
adapt or fail – so I look at why attacks work or don’t work, and at how
that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak
links in an organisation and exploit these to access information: the more
obvious examples include masquerading as executives or colleagues,
relatives or other trusted contacts. But what Coatesworth is more
interested in is the methodologies that underpin these attacks. By unpicking
them and understanding them, he believes infosec professionals can get
ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks
tend to be against personnel with access to sensitive information or with
admin access to systems. Opportunity is key, as well as the time and
effort needed to orchestrate a successful phishing attack. It’s not
one-glove-fits-all, but when you look at the psychology behind how the
attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already,
but probably don’t realise it. “The psychology behind these attacks is all
about marketing and PR,” Coatesworth says. “It’s more in the generalities
than the specifics. They all follow similar proven methods to seduce or
manipulate you to click on that link or download that file. If you
understand these strategies you can use them internally: it’s like a form
of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it and don’t think it
can be done and want to argue about it – then Wednesday’s RANT Forum is
the place to be. The forum takes place on Wednesday 25th September; email Gemma at gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.


Hundreds of security professionals flocked to the RANT conference in June

Acumin has been running its monthly RANT events for the last seven years and it all started from humble beginnings.

IT forums are nothing new, but when attending those available at the time, Acumin founder and managing director Simon Hember and the team noticed that the real value of these gatherings was found afterwards in the bar, where everyone would chat and get to the hard truths of the industry.

As a result RANT was born, a conference that would create a relaxed atmosphere to allow every attendee to get involved, bring forward their ideas and challenge the views of even the highest ranked security professionals.

Like the IT security industry itself, RANT has grown substantially over that seven year period and now sees hundreds of professionals turn up to network with one another and enjoy a few drinks afterwards – some things never change!

The last RANT conference featured some fantastic keynote speakers including Mark Stevenson from the League of Pragmatic Optimists and it even had some quirky aspects thrown in like a University Challenge competition, which saw the Royal Holloway University bring some of its brightest and best students to face off against the industry’s best professionals in a battle of wits.

Bruce Hallas, information security and risk management specialist at the Analogies Project, was in attendance and spoke of the reasons why he chose to be part of it.

“The whole concept of flipping it around so that you have the bar discussion on the stage I think was innovative, it’s unique, I haven’t seen that before and that was one of the reasons I was compelled to get involved,” he said.

Some of the hottest topics in the information security industry were discussed and debated upon at the event, in what was a wonderfully relaxed setting in London.

Gemma Paterson, marketing manager at Acumin, said: “RANT offers a completely different take on the standard security conference. We want people to feel relaxed, we want people to feel like they have the power to be able to stand up and say exactly what they’re thinking.

“So you might have a panel on stage of the most senior security professionals and you still want the audience to be able to feel like they can challenge those views and put their opinions across.”

The RANT forums and conferences are expanding at a staggering rate and with the sector changing so rapidly there’s always something to rant about. It brings together some of the best thought leaders from around the world and opens up massive networking and learning opportunities for professionals within the industry.

To see more from the event, you can check out the video content from the event here.

Q&A with Alan Edwards, Integralis

Integralis recently released the results of a survey into online data protection and trust. What was the key takeaway figure from that research? (http://integralis.com/en/about-integralis/integralis-in-the-news/nid-00241/one-in-four-customers-admit-they-do-not-trust-companies-to-secure-their-personal-information-online/)
If you look at organisations today, many will have implemented a security strategy based on perimeter defence. The principle is simple: build a wall high enough to keep the bad guys out, and control the resources (people, processes and technology) that operate inside the firewall (perimeter).

However, many businesses have consumers who are connected to them in order to do business, which calls into question the original idea of the ‘perimeter’ or at least raises the question of where the perimeter now is. If I’m connected to my bank I am part of their network, and unknowingly have as much potential to introduce risks onto the bank network as one of their employees. My interaction with the bank could, inadvertently, create a problem for the bank in the same way that an employee could.

Maybe it’s time for organisations to consider the fact that the perimeter has gone and to treat customers who connect to them in the same way as they treat their staff, in terms of education and making them aware of the risks.

Banks seemed to do well in terms of trust online, with 63% of respondents trusting their bank with online transactions. Why do you think that is?
Despite what has happened recently, banks have historically been trusted and, in an online sense, banks do better at educating their customers. In my experience banks lead the way in communicating with customers in terms of which attacks they may be vulnerable to. They are also good at educating customers in what they can do to protect themselves, which in turn helps protect the bank from risks borne by online users.

Banks have also been proactive in terms of security measures like two factor authentication. That seems to be a conscious decision from the banks, who see their customers are part of their network and are therefore extending this level of authentication to them too.

Social networks came out bottom in terms of trust online – but that lack of trust doesn’t seem to stop people from using them.
Social networks top the overall usage charts, but rank bottom in terms of trust. It seems that in the online world people behave totally differently, and convenience outweighs any risks.

Turning to the RANT conference – these stats should worry attendees, if the vast majority of people simply don’t trust online businesses with their data.
The message to attendees is about how you start to bring trust into your risk or information security strategy. If the focus is just on the perimeter and not on the access consumers have to the network, then it is likely that your data is at greater risk, and that your users don’t trust you as much as you perhaps would like.

What is the message Integralis wants to deliver to the event?
The title of the discussion we’re running is ‘In banks we trust and in trust we bank’. Our message to CISOs is to start considering your customers as part of your network, and educate them and provide the tools to protect themselves just as you would with staff. In this way not only will your business be more secure, but your customers may even start to invest their trust – which must be worthwhile.


Q&A with Stephen Bonner, speaker and panelist – RANT Conference

Let’s start by hearing a sneak preview of the talk you’ll be giving at RANT?
It will be on the subject of cyber war. The way some people talk about it annoys me, so that makes me passionate. It annoys me when people use phrases like “Digital Pearl Harbour” and compare the proliferation of cyber weapons with nuclear weapons. The way we overegg some of the threats, and make them sound like significant problems when they are not that important at all, does us no favours. I think we’d be better off being more realistic about the threats and benefits.

I’ll be saying that what’s happening now isn’t war and draw some parallels between what war is and isn’t like. But I’ll also talk about what it would look like if we did have a cyber war. I don’t think cyber war is impossible or all made up but I think the use of the phrase is wrong.

Using the word “war” and describing what’s happening now in that way normalises war, which I think is a terrible thing. Cyber war is only likely if we keep making it more and more normal.

And what about the panel you’ll be part of?
I hope that will be a little more light-hearted! The other talk is more about “You’re all doing it wrong, stop it,” and this is a bit more humorous. We’ve assembled a panel of people that have never sought to be security rock stars, but given them a platform to discuss how they became security rock stars and what the benefits are. They will also be offering advice to aspiring security rock stars! It’s firmly tongue-in-cheek, though.

With such an experienced panel the audience will be hanging on your every word. What’s the message you want them to take away from that and your talk?
To enjoy it would be my advice. With my talk, it’s very much about getting people to stand up and challenge people who throw around terrifying expressions when they don’t match. It’s also about changing the message around cyber war and getting people to think about the definition of war, the Geneva Convention and so on. I think people perhaps aren’t properly preparing: people should be working harder to make war less likely and also working to reduce the consequences of it.

If phrases such as cyber war and Digital Pearl Harbour are wrong, what should we be calling it?
It’s just crime and theft. It’s still bad and can damage organisations and people, but it’s a crime, not war. And the proper response to crime is law enforcement, not intelligence agencies and the military. The more we position simple crimes as military actions the more comfortable people will be with taking military action.

I’m going to talk a bit about the features we see at the very high end in terms of espionage work and compare that to war. There are not very many stealth wars; once you’ve invaded you have to stand up and say hello. Mostly what we’re seeing is crime with a bit of espionage thrown in. A denial of service (DoS) is not war, it’s a protest, a riot. You stop protests and riots by arresting and prosecuting people, not by cluster bombing. There is a line and we need to be very clear about it.

You have been involved with The RANT Events for many years now. What do you think sets it apart from other security events?
It has an authenticity; it’s people talking about what they are passionate about rather than what they are told to be passionate about. There is an element of truth to the event; it’s a way to cut through some of the hype that can dominate the security industry. There are no keynotes where a DLP vendor tells you how important DLP is, or an antivirus vendor telling you how important that is.

RANT feels very much like a community, with people engaging and being honest about the things they like and dislike. I think that’s powerful and an important step towards being a more mature industry.

Register for the RANT Conference – http://www.rantconference.co.uk/register/

Top industry professionals set to flock to London for the upcoming RANT Conference

June’s RANT conference will see a selection of top IT Security industry professionals take to the stage.

The RANT Conference in St Paul’s London is a little under a month away now and anticipation amongst information security professionals is growing by the day.

On June 11th 2013 a full day of enlightening, informative and engaging presentations and interactive debate panels has been scheduled, conducted by a selection of the IT security industry’s most influential thought leaders, Rockstars, Futurologists, Innovators and Ranters.

Acumin has been running the monthly Risk and Network Threat Forum (RANT) since 2007. It serves as an end user only, informal networking, discussion and debate event for senior professionals working within the information security and risk management market.

Every month a new speaker attends to start a rant about a particular hot topic within the industry and actively encourages the audience to pitch in with their points of view, opinions and suggestions in a relaxed and informal atmosphere.

The first RANT Conference in June will see well known speakers Stephen Bonner of KPMG and futurologist Mark Stevenson take to the stage amongst plenty of other top industry professionals to talk about the biggest issues the sector is currently wrestling with.

Some of these topics include bring your own device – which serves up the notoriously well known acronym BYOD – mobile device management, secure outsourcing, and the major threats currently facing cyber security.

Mark Stevenson, founder of The League of Pragmatic Optimists, will also be attending to give a keynote speech on ‘The Big Shift’, highlighting the major role the security industry has to play in helping shape the future.

State sponsored espionage and the pressing issue of mobile security will also be explored later in the day by a selection of top industry RANT’ers.

The RANT Conference is designed for information security managers, directors, chief information security officers and other senior information security and risk professionals who work within end user organisations.

June 11th really is an essential date for the 2013 IT security calendar and the event is not to be missed by industry professionals!

The conference has seen a high number of registrations already, places are going fast so be sure to register ASAP to secure your spot. Discount codes are available, email Gemma on gemma@rantconference.co.uk to see how you can get one.

Q&A with Mark Stevenson, keynote speaker at the upcoming RANT Conference


Without giving too much away, what will you be talking about at the RANT Conference on June 11th?
I’m going to be talking about the mega trends that will affect the world and what will be required of the security industry in order to respond to them.

These mega trends are part of the Big Shift (more details on that here: http://www.rantconference.co.uk/seminar/opening-keynote/), but how is that different from the digital revolution?
That was just a trailer; I like to say it is like the cocktail sausage before dinner. Everything that happened with digital – the democratisation of power and established players losing control of the means of production and distribution – will come to the physical world with programmable biology and programmable matter through 3D printing and nanotechnology.

So imagine a world where your mobile phone can give you a blood test and you can download the right drug based on that blood test and then print it at home. That’s what we’ll be seeing within the next generation or two.

That obviously has massive ethical and security implications. For example there are people using 3D printers for guns. Is there a way to allow people to download a car part, for example, but not an AK47?

That leads to the question of who regulates it…
Even whether it can be regulated; my suspicion is that it cannot. Therefore what happens to the security industry? It will have to become a ‘crowd industry’. Rather than specific people telling us what to do we will have to come together as society and work out how to secure ourselves.

So what will you be telling the Conference about how the role of these information security workers will change?
There are very difficult questions coming but they are probably the best people to answer them because they have the expertise and the knowledge and they understand more about securing distributed resources than most people.

So the question is, what is the security framework that works for individuals in a radically democratised world, where, for example, I may want to exchange my genome data with a physician in South Africa? I don’t know the answer yet, nobody does, but I think they are the right people to think about it.

How far will these changes go? What will the world look like in 100 years?
I think anyone who would attempt to tell you what the world will be like in 100 years time is either intellectually vain or bonkers. If you look at the history of futurology what you’ll see is that the predictions were often an expression of prejudice or a wish list of the person who was asked. We’re quite good at seeing first order effects: If you invented the internet it’s not a huge leap to predict email. But do you then see the invention of social media? Or its role in the Arab Spring? No.

Because of what is happening with technology all bets are off; pretty much anything you can imagine is possible in the next 100 years.

So if it’s less about predicting, what is the role of a futurologist?
It’s about getting people to ask the right question. For example I was talking to a pharmaceutical company about the prospect of printing drugs and open source drug development and what that would mean legislatively. They were then asking questions that went beyond margins, questions they hadn’t been asking half an hour before. That’s the point; they go from asking questions about profit margins on existing drugs to asking what would happen if every doctor’s surgery in the world could download and print its own open source drugs.

Douglas Adams said there are three types of technology: tech invented before you were born, which you don’t think of as technology; technology that is invented between you being born and turning 35, which is very exciting; and technology invented after you turn 35, which is completely pointless and makes you angry.

If you look at a lot of organisations the ones who decide the strategy are in the last group and most of their employees and customers are in the second, so there is a massive mismatch there.

A lot of the people you’ll be talking to at the conference may be in that last group as well.
I can guarantee that at the end of my talks people do not ask dull questions! People at the conference should be getting hold of 3D printers and hanging out with bio-hackers and so on. They should be asking, ‘what is my role going to be in this?’ and ‘how do we secure these new technologies while making them accessible?’

Hear Mark’s talk on The Big Shift at the RANT Conference on 11th June…click here to register

Cyber security is in an era of ‘prominent activity’

When one of the most senior figures in British security remarks that cyber security is a global threat, you know he isn’t beating about the bush – he’s informed, he knows, and he’s happy to spread the bad news.

Jonathan Evans, director general of MI5, the British intelligence agency that works to protect the UK’s national security against threats, informed an audience at the Lord Mayor’s inaugural annual Defence and Security Lecture, that although cyber crime has been a threat to network security for many years, we are now in an era defined by prominent activity.

Such is the threat of malicious online activity to UK security that it ranks alongside terrorism as one of the four major security challenges the country has to battle every day. There is no resting on one’s laurels.

“Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states,” he said in a speech entitled The Olympics and Beyond. “And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both state sponsored cyber espionage and organised cyber crime.”

Serious words indeed. Backing up his arguments about the need to develop a robust system, tighter relationships with various organisations and improved sharing of best practice, he cited an example of how detrimental the actions of cyber criminals can be.

One major company, listed on the London Stock Exchange, was hit with revenue losses of £800 million – just imagine that on a national scale and you begin to see a clear picture of how damaging this can be. That money could be redirected elsewhere, help create jobs and boost economic activity.

“This is a threat to the integrity, confidentiality and availability of government information but also to business and to academic institutions,” he added.

“What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations.”

We definitely agree that it is important to develop closer links within the IT industry, across sectors that specialise in risk management, information security, ethical hacking and business continuity.

This is why Acumin hosts and invests heavily in RANT, a forward-thinking, blue-sky risk and network threat forum. We love conversation, ideas, communicating with people – even those we don’t agree with – and exchanging information, which is the most valuable currency we have.

“The two words ‘information’ and ‘communication’ are often used interchangeably, but they signify quite different things. Information is giving out; communication is getting through.”

So said the renowned American journalist Sydney J Harris. Bear this in mind and there’s nothing an organisation cannot achieve. We’re in this together; a team.

Thinking about cookies

We love cookies here at Acumin. We adore them, we ‘heart’ them and dig them like we dig the Rolling Stones when they were pushing a more R&B vibe back in the Swinging 60’s. We have come across Maggie Loves Cookies recently, we have to say, they are a pretty good bet, perhaps you will get a sample at the next Risk and Network Threat forum. They have a variety of flavours and designs to suit any mood.

You might have thought that this post was going to end up as a sort of treatise on the baking treat popular throughout the world, but alas, it isn’t, but wouldn’t that have been fun? Instead, we’re looking at HTTP cookies, which, reduced to their basic form, are small pieces of data (a name, a value and a few attributes) that a website asks the browser to store and to send back with later requests to that site.

A cookie’s raison d’être was benign, at least from the outset: it was designed to make things easier. When you visit a website, the server can set a cookie, which the browser stores and presents again on your next visit, so the site knows you have been there before. In practice this is what lets you log into a site that requires a user ID and password, say Amazon or Google Mail, and come back later without logging in again: the cookie carries a session identifier that stands in for your credentials, which is also why a cookie is worth stealing.

Now while to you and me that sounds wonderful, as easy as making the coffee and tea rounds at work – Jack likes coffee black with sugar, Jill likes her tea super-milky with no sugar, Sanjay likes a fruity herbal tea with five sugars – since the turn of the century there has been a growing army of critics who are concerned with privacy issues. Some of their arguments have been thoughtful and welcome to the conversation.

In the UK, after much chit chat over cups of tea, coffee and, would you believe it, cookies, changes have been made to the Privacy and Electronic Communications Regulations, which now require websites to obtain consent from users before storing cookies on their devices, except where a cookie is strictly necessary for a service the user has asked for.

While attention has focused on cookies, the amended regulations are convoluted and reach further than the name suggests. As one reader named Dave commented on The Lawyer’s website, things are not so black and white.

“Clear as mud? Thousands of businesses are entirely unaware they’re even running cookies,” the reader explained. “Most of the online world run Google Analytics, which provides the site owner valuable information to improve their site – do all those who’ve set up GA realise they’re at risk?”
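Putting the two points above into code: an added example, not code from the Acumin blog or from Alan Stockey’s talk, that parses the Set-Cookie headers a site sends and reports what each cookie actually is (a name=value pair plus attributes), how long the browser will keep it, which protective flags it lacks, and which cookies the site would need consent for. The response headers, the cookie names (including the analytics-style `_ga`), the set of cookies declared strictly necessary and the fixed clock are all constructed for illustration and are not taken from any real site.

```python
"""Added example (not from the Acumin blog): a small Set-Cookie audit.

A cookie is just name=value plus attributes; the attributes decide how
long the browser keeps it (session vs persistent), where it is sent back
(Domain, Path, Secure, SameSite) and whether scripts can read it (HttpOnly).
Everything below is constructed for illustration."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample headers, as a site's HTTP response might send them.
SAMPLE_HEADERS = [
    "session=a1b2c3; Path=/; HttpOnly; Secure; SameSite=Lax",
    "remember_me=tok-9f8e; Path=/; Max-Age=2592000; HttpOnly; Secure",
    "_ga=GA1.2.111.222; Domain=.example.com; Path=/; "
    "Expires=Mon, 01 Jan 2035 00:00:00 GMT",
    "prefs=lang%3Den; Path=/",
]

# Cookies the (hypothetical) site owner has declared strictly necessary.
ESSENTIAL = {"session", "remember_me"}

# Fixed clock so results are reproducible (the date of the RANT forum).
NOW = datetime(2013, 4, 25, tzinfo=timezone.utc)


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for bare flags
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr=val; Flag' into its parts (RFC 6265 style)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if has_eq else None
    return cookie


def lifetime(cookie: Cookie, now: datetime) -> Optional[timedelta]:
    """How long the browser keeps the cookie. None means a session cookie,
    discarded when the browser closes. Max-Age takes precedence over Expires."""
    max_age = cookie.attrs.get("max-age")
    if max_age is not None:
        try:
            return timedelta(seconds=int(max_age))
        except ValueError:
            pass  # a non-numeric Max-Age is ignored; fall back to Expires
    expires = cookie.attrs.get("expires")
    if expires is not None:
        try:
            exp = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return None  # unparseable date: browsers treat it as a session cookie
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp - now
    return None


def audit(cookie: Cookie, now: datetime, essential: set) -> List[str]:
    """Findings a site owner would want before deciding on a consent banner."""
    findings = []
    life = lifetime(cookie, now)
    if life is None:
        findings.append("session cookie, dropped when the browser closes")
    elif life <= timedelta(0):
        findings.append("already expired: this header deletes the cookie")
    else:
        findings.append(f"persistent, kept for {life.days} days")
    if "secure" not in cookie.attrs:
        findings.append("no Secure flag: also sent over plain HTTP")
    if "httponly" not in cookie.attrs:
        findings.append("no HttpOnly flag: readable by page scripts")
    if "samesite" not in cookie.attrs:
        findings.append("no SameSite attribute: sent on cross-site requests")
    if cookie.name not in essential:
        findings.append("not strictly necessary: consent needed before setting it")
    return findings


def audit_headers(headers: List[str], now: datetime = NOW,
                  essential: set = ESSENTIAL) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header and key the findings by cookie name."""
    return {c.name: audit(c, now, essential)
            for c in (parse_set_cookie(h) for h in headers)}


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it and the analytics cookie shows up as persistent for over twenty years, readable by scripts, sent cross-site and not on the essential list, which is exactly the kind of cookie a site owner may not realise they are setting; the login session cookie, by contrast, lives only until the browser closes and carries all three protective flags.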

At Acumin’s next RANT – as part of the huge InfoSecurity Exhibition in London – Alan Stockey, from the Institute of Information Security Professionals, is going to attempt to navigate this tricky minefield, delivering a brief history lesson; chuck in a practical illustration of the challenges; give a demonstration, and offer a personal view of where these regulations are taking us. Who knows, if you’re lucky, he might even have Maggie bake a few cookies for you (no pressure Alan).

In an interesting article for startup.co.uk, which is well worth a read, Nick Lockett, a solicitor at DL Legal LLP, discusses the scope of the underlying EU directive (have a mosey through it and you’ll begin to appreciate how much detail is involved), noting some of the things it covers: not only conditions for the use of traffic, location and subscriber data, but also new standards for direct marketing via SMS, email, fax and phone.

He ends the piece with a fitting flourish: “May lawyers and regulators be cursed for making us live in interesting times – again!”

Time for a cookie then.

The next RANT forum takes place on Wednesday 25th April, after the second day of InfoSecurity Europe at Earls Court, London, which runs from April 24th to the 26th.

Kicking off at 5.30pm, attendees will be able to have a beer and network until 6.30pm, when Alan Stockey delivers Cookie…Doh. Following on, Ben William gives his talk on Exploiting Security Gateways via the Web UI.

For more information and to register for FREE for InfoSecurity Europe visit here or get in touch with Gemma Paterson at gpaterson@acumin.co.uk or call her on 020 7510 9041.

The Information Commissioner’s Office (ICO) has also set up a page with the intention of helping businesses understand what they need to do to comply with the cookie law.

Thinking about the unknown

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.”

Back in February 2002, Donald Rumsfeld, then US Secretary of Defense, used the passage above at a press briefing when asked about the lack of evidence for Iraq’s purported arsenal of weapons of mass destruction (a lack later borne out).

It was immediately picked up by the media, and though parodied to an extent, it was examined by some notable scholars, who explored the ultimate meaning of Rumsfeld’s semantic faux pas.

There is something known as the relevance paradox: we gather all the information we believe is relevant to a decision without realising that more is out there, for example an approach radically different from the one suggested by the material in front of us.

Ultimately, we cannot go looking for that information, because its relevance only becomes apparent once we have come across it. The conversation can delve deeper into all sorts of philosophical enquiry – and riveting stuff it is – so we’ll close that detour here.

Dave Brooks, Business Manager, Credit Suisse, got us thinking about this subject when he gave a talk at the last RANT Forum. As security professionals, operating in Information Security and Risk Management, we have the skills, knowledge and experience needed to protect ourselves and our clients from known threats but what about the unknown?

Mr Brooks asked delegates “How do we prepare, detect and react to the unknown?” Needless to say it was a question that had us on our toes. He had caught our attention.

We will come back to this topic in the New Year as we want the idea to ferment for a while. It’s a fascinating concept, after all, prescience, showing an aptitude to predict something that we potentially haven’t come across, is not exactly your run of the mill endeavour.

Be the muscle for the digital age

Neelie Kroes, European commissioner for digital agenda, said in a speech recently to the European Parliament Committee on Industry, Research and Energy that her ambition is to “reinforce” the European Network and Information Security Agency (Enisa) as the world moves to even greater connectivity. Globalisation in a trade sense of the word was step one of two of making the world a smaller place. The digital age is step two. To add a bit of magniloquence to the blog, the revolution to bring humanity together is on the precipice of being achieved. World peace will be the final chapter to that story.

Anyway, that’s a digression. Ms Kroes outlined two ways in which this can be achieved.

“First, ENISA must be able to attract and to retain the very best IT security experts in Europe. Second, ENISA staff and stakeholders must have the best conditions for networking. This is essential for the Agency to carry out its mission successfully,” she told colleagues in Brussels.

What her comments highlight is the simple fact that this is an important age for professionals operating in governance & compliance and the information security & risk management industries and all affiliated sectors. What she wants is for robust defence mechanisms to be in place by 2015, which experts like yourself can help make a reality. The European Commission wants digital security to be more “muscular”, language which suggests a move towards being more proactive – swift and thorough reactive approaches are brilliant, but preventative is always preferable to damage limitation.

Interestingly, in her speech Ms Kroes suggested that powerful countries like those in the eurozone, China and, of course, the United States would benefit from working with, cooperating with and up-skilling so-called “third” countries, which in EU usage means countries outside the Union.

The truth is, in order to minimise their chances of being caught, punished and reprimanded by the authorities, cyber criminals attempt to lose themselves in a digital and physical maze within these countries. Cross-border collaboration, the sharing of information and a genuine multi-disciplinary approach have positive outcomes for all stakeholders.

This has already been touched upon in the idea of Pefias – a pan-European framework for electronic information, identification, authentication and signature. Can you contribute to this? What ideas do you have? One place to share your thoughts and ideas is at our monthly RANT event. Be part of the conversation. Be the change Ms Kroes is looking for.