Category Archives: Risk Management

A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still
effective? And what if there was a way to use the same psychological
pivots attackers use, and improve cyber security? Well, those attending
this month’s RANT Forum in London are about to find out just how to make
that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded
cyber-security expert and a member of the government’s industry advisory
group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will
show how and why they still work. “What I do is look at the psychology
behind these attacks,” he tells the Acumin Blog. “Security is constantly
changing, and it’s difficult at the best of times for CISOs to level the
playing field in a constantly changing threat landscape. It’s a case of
adapt or fail – so I look at why attacks work or don’t work, and at how
that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak
links in an organisation and exploit these to access information: the more
obvious examples include masquerading as executives or colleagues,
relatives or other trusted contacts. But what Coatesworth is more
interested in is the methodologies that underpin these attacks. By unpicking
them and understanding them, he believes infosec professionals can get
ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks
tend to be against personnel with access to sensitive information or with
admin access to systems. Opportunity is key, as well as the time and
effort needed to orchestrate a successful phishing attack. It’s not
one-glove-fits-all, but when you look at the psychology behind how the
attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already,
but probably don’t realise it. “The psychology behind these attacks is all
about marketing and PR,” Coatesworth says. “It’s more in the generalities
than the specifics. They all follow similar proven methods to seduce or
manipulate you to click on that link or download that file. If you
understand these strategies you can use them internally: it’s like a form
of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it and don’t think it
can be done and want to argue about it – then Wednesday’s RANT Forum is
the place to be. Wednesday 25th September, email Gemma on gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.

Big Four Information Consultancy roles for the taking

Defining a manager is a difficult thing. The Oxford English Dictionary describes it as being a “person responsible for controlling or administering an organisation and/or group of staff”. We wouldn’t disagree with that description, but it perhaps doesn’t tell the whole story.

We particularly like the quote from Frederick W Smith, founder, chairman, and chief executive officer of FedEx, who said: “A manager is not a person who can do the work better than his men; he is a person who can get his men to do the work better than he can.”

Not bad eh? Responsibility, of course, is inherent in this position, as is leadership. A manager is much more than just a chief; s/he is an integral cog that keeps things steady while simultaneously charging ahead into the unknown. Hard work and management go hand in hand but so too does success and a feeling of ownership.

There are a couple of management jobs that have popped up on our radar that we thought we would direct your way. They are both in risk assurance, one of the most dynamic and versatile industries going.

Both require a sound grasp of risk management, which they are able to modify to adapt to fit particular client briefs. As such, strategies that identify, assess, prioritise and solve risk problems are bespoke. Good managers know that no one solution fits every box.

As ever, these management positions demand a depth of skill and expertise to be able to take charge when hitting the ground running. Take the Risk Assurance Senior Manager position, the employee is looking for a candidate who not only has financial services experience, but is also capable of delivering complex engagements.

For the other role as a Risk Assurance Manager, what is desired is someone who can help identify clients who need help in developing their risk assessment plans, which involves establishing what these risks are, how to evaluate their level of threat, how to design controls to minimise their threat and how to put in place monitoring systems to ensure they do their job.

Even though he was speaking in the 19th century, Samuel Wilson, a US meat-packer whose name inspired the national personification of the country’s government – Uncle Sam – made a very astute comment.

“As population susceptibilities are better understood, we will be in a better position than we are in today to make informed decisions about risk management,” he said.

Many years on, a job in risk management is one of the most exciting around, with a body of knowledge to boot. Be part of the generation that takes it forward. Be a manager that matters.

Be the muscle for the digital age

Neelie Kroes, European commissioner for digital agenda, said in a speech recently to the European Parliament Committee on Industry, Research and Energy that her ambition is to “reinforce” the European Network and Information Security Agency (Enisa) as the world moves to even greater connectivity. Globalisation in a trade sense of the word was step one of two of making the world a smaller place. The digital age is step two. To add a bit of magniloquence to the blog, the revolution to bring humanity together is on the precipice of being achieved. World peace will be the final chapter to that story.

Anyways, that’s a digression. Ms Kroes outlined two ways in which this can be achieved.

“First, ENISA must be able to attract and to retain the very best IT security experts in Europe. Second, ENISA staff and stakeholders must have the best conditions for networking. This is essential for the Agency to carry out its mission successfully,” she told colleagues in Brussels.

What her comments highlight is the simple fact that this is an important age for professionals operating in governance & compliance and the information security & risk management industries and all affiliated sectors. What she wants is for robust defence mechanisms to be in place by 2015, which experts like yourself can help make a reality. The European Commission wants digital security to be more “muscular”, language which suggests a move towards being more proactive – swift and thorough reactive approaches are brilliant, but preventative is always preferable to damage limitation.

Interestingly, in her speech Ms Kroes suggested that powerful countries like those in the eurozone, China and, of course, the United States would benefit from working with, cooperating and up-skilling so-called “third” countries – by which we deduce she meant third world/emerging countries.

The truth is, in order to minimise their chances from being caught, punished and reprimanded by the authorities, cyber criminals attempt to lose themselves in a digital and physical maze within these respective countries. Cross-collaboration, the sharing of information and a genuine multi-disciplinary approach has positive outcomes for all stakeholders.

This has already been touched upon in the idea of Pefias – a pan-European framework for electronic information, identification, authentication and signature. Can you contribute to this? What ideas do you have? One place to share your thoughts and ideas is at our monthly RANT event. Be part of the conversation. Be the change Ms Kroes is looking for.

Why you will matter

We’re now getting to that time of year where we pause for reflection, take stock of what we’ve learnt and cast our eyes ahead to the new year with a sense of renewed optimism as to what we can achieve. 2012 can be better than 2011 and every year preceding that. That is the definition of progress.

As a sort of dissent to introspection of 2011 – though we may perhaps reflect on the year in a later post – we wanted to look back at Deloitte’s 2010 Global Financial Services Security Survey, a report we’re confident everyone involved in the information security and risk management industry will have read or at least come across.

The opening paragraph to the report was as strong as introductions go, which we think is worth quoting again, albeit slightly abridged: “The new decade marked a turning point for those of us involved in the information security industry. We now live in an age of cyber warfare. The environment is dangerous and sinister. The children who used to make mischief in their basements are now only bit players and rarely make the news anymore.

“They have been superseded by organised crime, governments and individuals who make computer fraud their full-time business, either for monetary gain or for competitive or technological advantage. Countries now accuse each other of cyber warfare.”

We think they hit the nail on the head there. We are all involved in a sector that has, in some ways, become one of the most important industries in the world, at the forefront of protecting governments and citizens against that wish to either cause harm and/or disruption for whatever reason, whether it is political or vindictive.

With every new development in cyber security comes, it has to be said, equally innovative and ingenious ways of getting around it. Our business is, therefore, in a global context, a 24-hour machine.

As we grow ever dependent on what can be best described as the ‘virtual infrastructure’, the physical world and its parameters represented and engaged with inside of a digital landscape, the need for more professionals and experts to work on ethical hacking and forensics for example, to get people up to an exacting level where they are SC & DV cleared, will become ever pressing.

Like the green industry has been touted as one possibility of getting the UK’s economy – and that of other nations across the world – back on track and booming, so too will the information security sector be instrumental in equipping people with jobs that matter.