Category Archives: Security Awareness Training

A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still effective? And what if there were a way to use the same psychological levers attackers rely on to improve cyber security instead? Those attending this month’s RANT Forum in London are about to find out just how to make that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded cyber-security expert and a member of the government’s industry advisory group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will show how and why they still work. “What I do is look at the psychology behind these attacks,” he tells the Acumin Blog. “Security is constantly changing, and it’s difficult at the best of times for CISOs to level the playing field in a constantly changing threat landscape. It’s a case of adapt or fail – so I look at why attacks work or don’t work, and at how that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak links in an organisation and exploit them to access information: the more obvious examples include masquerading as executives or colleagues, relatives or other trusted contacts. But what Coatesworth is more interested in are the methodologies that underpin these attacks. By unpicking and understanding them, he believes infosec professionals can get ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks tend to be against personnel with access to sensitive information or with admin access to systems. Opportunity is key, as well as the time and effort needed to orchestrate a successful phishing attack. It’s not one-glove-fits-all, but when you look at the psychology behind how the attacks work, there are some common themes.”

Most businesses already use some of the principles of social engineering, but probably don’t realise it. “The psychology behind these attacks is all about marketing and PR,” Coatesworth says. “It’s more in the generalities than the specifics. They all follow similar proven methods to seduce or manipulate you to click on that link or download that file. If you understand these strategies you can use them internally: it’s like a form of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it, don’t think it can be done and want to argue about it – then Wednesday’s RANT Forum is the place to be. The forum takes place on Wednesday 25th September; email Gemma at gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.

Debating the importance of security awareness

It goes without saying that in this day and age of openness, good practice when it comes to data and sensitive information is more pressing than it has ever been.

From emails to tweets, USB sticks to smartphones, bundles of paper tucked under your arm or printed remotely across the digital highway, the ubiquity of information out there is pretty amazing.

With this sheer volume of information transmitted, shared and downloaded on a daily basis, 24/7, all around the world, by people who are always on the go, life has never been easier.

Add to that the fact that it is all done through multiple devices – one minute you’re writing a paper on your BlackBerry, the next loading it onto your Apple MacBook Pro, the next sharing it via Dropbox – and it is almost inconceivable that back in the day we relied heavily on transporting things via post.

With these radical changes comes danger. Where a lot of information used to be filed away and archived in a physical sense, under lock and key, today everything is in effect online or stored on a computer, which these days need not be accessed from one spot. You can, after all, log into your home computer remotely.

It can therefore feel as though data, however well protected, is always on the precipice of tumbling into the virtual world, like a £100 note fluttering in the air for everyone to grab.

Which is why it is important for organisations, however big or small, to invest in training their staff in security awareness. A lot of time, effort and money can be saved if employees – and employers too – are informed about the latest developments in the IT industry, such as recent cyber-crime trends.

However, even when such training is delivered, is it actually having a positive impact? One line of argument is that the value of such training is negligible and that it is constrained by certain limitations.

Take for example the recent study from the British Retail Consortium, which found that retailers were often unaware that a crime had taken place and didn’t think it normal to report every incident they were aware of.

Or consider Graeme Batsman’s comments last month: he had found that small businesses were almost lackadaisical when it came to data protection. The director of Datadefender.co.uk said: “Companies see the stories about leaks and hacks quite a lot, but the main thing is people think that it won’t happen to them. We know things will increase and get worse. More people are using computers and they have to wake up.”

At this year’s RSA Conference, whose theme is The Great Cipher Mightier Than The Sword, Acumin, the leading provider of information security recruitment and risk management recruitment services, will be delivering a special debate on the matter.

Showing a commitment to promoting good discourse, Acumin’s RANT (Risk and Network Threat) forum has assembled some of Europe’s leading thinkers in this area to push the debate further.

This includes Javvad Malik, senior security analyst at The 451 Group; Thom Langford, director of the Global Security Office at Sapient; Kai Roer, a freelance author, trainer and security consultant; Rowenna Fielding, information security manager at the Alzheimer’s Society; Geordie Stewart, managing director at Risk Intelligence; and Christian Toon, head of Information Risk at Iron Mountain Europe.

Enlightening, thought-provoking and fascinating are just a few of the words that come to mind. It is great when we have multiple voices of authority and experience waxing lyrical about their ideas. This is where great debate happens.

Acumin will be on call throughout the entire duration of the conference to discuss any questions pertaining to recruitment. It specialises in, among other areas, information risk management, governance and compliance, penetration testing and forensics, and executive management positions.

The RSA Conference at the Hilton London Metropole runs from October 9th until 11th.

Something phishy is going on in Facebook

What would the world be like without Facebook? The mere question sends an icy shudder down our collective spines. It has become embedded not only in our personal lives but in the identity of many facets of society. From political parties to charities to big corporate giants, Facebook has become integral to their message.

Of course there are other social networking sites out there, all of which are user-friendly, engaging and full of interesting features – note that Google recently revealed that its own social offering, Google+, now has 90 million registered users – but none of them have had the same impact as Facebook. Heck, it even got made into a movie, and a very good one at that.

This all adds up to making Facebook particularly vulnerable to exploitation and cyber attacks. With that many people connected and overly candid about their private lives, perceptive criminals have been able to, for example, break into homes, steal identities and gain access to bank details. The worrying thing is that this openness is a sign of the age.

“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people – and that social norm is just something that has evolved over time,” Mark Zuckerberg, the co-creator of Facebook once said.

One thing to be aware of this year is a new phishing scam unique to the social networking site. The basic premise is that fraudsters pose as Facebook security in chats. David Jacoby, a Kaspersky Lab expert, warns that these scammers are attempting to steal not only identities but also credit card information and the answers to security questions. Moreover, the scam highlights a new approach to phishing.

“This Facebook phishing attack is pretty interesting because it does not just try to trick the victim into visiting a phishing website,” he wrote. “It will reuse the stolen information and log in to the compromised account and change both profile picture and name.”

Once an account has been hijacked, the profile is modified and all contacts are sent a message warning them that their account will be deactivated. It asks people to click a link which redirects them to a sham Facebook page that asks for their login details. After that comes the ‘juicy bit’: a request for credit card details, including the security code.

Not only is it all so sophisticated, it exudes authenticity. This scam and others like it showcase the product of, dare we say it, extensive research and hard labour. The disturbing thing is that they’re becoming more popular, and unfortunately catching people off guard.

Although Facebook is fully aware of the security threats it faces on a daily basis – “We have spent several years developing protections to stop spam from spreading and have sought to cooperate with other industry leaders to keep users and their data safe,” it said in a recent statement – more needs to be done to educate users about how to keep their data and personal information secure. We as professionals can do our best to develop strategies to negate the impact of such scams, but to truly succeed we need vigilance from those outside the industry as well. Together we can make Facebook a virtual home as comfortable as our tangible abodes.

The denial of good conversation

The dissemination of information is something we often take for granted but it hasn’t always been like that. A long time ago, long before computers, the internet and 24-hour interconnectivity, in a pre-digital age, information used to belong to a small group of individuals. Whatever doctrines or ideas they spoke of were held to be the truth – though this didn’t necessarily imply it was accepted as such. History has always had its rebels after all. Nevertheless, large swathes of the population, through illiteracy or poverty, didn’t know any better. And that remained the model for quite a long time.

Today, however, that’s a whole different story – we have more freedom to obtain information than ever before (well, in democracies we do). This greater access to content has been further amplified by the coming together of highly sophisticated digital technologies and the fruition of the internet as a useful medium through which to do, well, everything.

In the security business, how we go about disseminating information – whether it concerns developments in the industry, job opportunities or networking opportunities – and how we access that information has been a bone of contention for quite a while now.

Remember that a few blog posts ago we mentioned the security industry’s lack of clear definitions, for example of job titles; similar problems occur in broadcasting, sharing and receiving information. This is something one of our RANTers recognises and spoke about at the last Risk and Network Threat Forum.

“The problem is the mode in which we communicate security awareness to our users is generally very poor,” says Javvad Malik. “We need to be a bit more creative, engaging and genuine in our security awareness efforts,” said Javvad during his two-minute RANT at our Christmas Special of ‘Whose RANT Is It Anyway?’

He’s onto a very good point. Perhaps this information isn’t so much deficient as not properly communicated or accessed. The fault can lie in two places: either employees, both longstanding and new, are not aware of where to go to find content, and/or the security professionals holding, for example, training sessions are not putting out details via the correct channels.

What this creates is ambiguity, ignorance – by way of being denied information – and a culture which is fractured rather than collaborative. Everyone operates within the industry, but in their own hubs, like disparate planets in a solar system with no means of connecting.

It doesn’t have to be this way – in our next blog, we’ll discuss how to foster a communicative culture. Our industry might be predicated on tightening security, but we could do with being more open about how this can be achieved.