Monday, 23 May 2016

What's your network good for?


More to cyber-security than protecting data

Information security isn't just about your customer data, or even your own business data. Even if you store no information about your customers or anything else (perhaps you use The Cloud, but that's a whole different story in any case), you still need to worry about Cyber Security.

Or to put it another way, even if you're not a target, you might still be a stooge.

Some while ago, Brian Krebs published a striking image of what a compromised PC might be used for:

It's far from a complete list, of course. New ways to use computers seem to come round every day, but even off the top of my head, I could add Crypto-currency "mining" and password-hash cracking. Your hacked PC might just be a single node in a whole network - a Dark Cloud if you like.

Hidden risks

The threat posed to you by having someone else use your computers and network shouldn't be underestimated. What is your legal position if you are found to have been used to launder money obtained by fraud? What about hosting pirated music, software, or other media? 

Some of the risks are less obvious. If your PC is used as a source for sending Spam emails, your network address may end up getting blacklisted in some databases used to identify such things. This might mean your newsletters, legitimate marketing emails, even queries or invoices getting lost straight into your customers' spam buckets. 

In a really bad scenario, it might be your domain name that gets blacklisted, possibly making your website un-searchable, or even unobtainable.

As ever, straightforward vigilance can make all the difference. Regular anti-virus and anti-malware scans are vital, because they can spot if a device is already being used. Attackers use a variety of means to retain "back doors" to compromised networks, but regular anti-malware scanning means they have to work much harder to remain undetected.

Prevention requires different tools and is all about having regular vulnerability scans, to ensure you're not leaving doors open that an attacker can use to get access.

Monday, 18 April 2016

Article: Using open WiFi securely


An Open Question 

(Or How I Learned To Stop Worrying And Love Public Wi-Fi)

I recently wrote about some of the risks of using public WiFi, and some of the measures you can take to protect yourself. 

The article was first published in C Vu Vol 28 #1, March 2016 - the ACCU members' magazine.

An Open Question

Disclaimer alert: I am the editor of said magazine!

Friday, 15 April 2016

Privacy vs Security in Business

perfectcobalt One Person's Security is another's Privacy

There's been much in the news of late regarding the tension between (national) security and (personal) privacy. Apple vs. FBI, UK Gov's Investigatory Powers Bill, various anti-encryption proposals in the US and elsewhere, all putting security and privacy at odds with each other. There is another side to the story, however.

If you are a custodian of data about your customers - a Data Controller in the dry jargon of UK Data Protection Law - then you have a responsibility to take adequate measures to prevent that data from being accessed by unauthorized people, or being stolen. In effect, you are accountable to your customers regarding their right to privacy. It's not really your data, it's theirs.

A recent report by KPMG (Small Business Reputation & Cyber Risk) suggests that over half of small-business customers would be discouraged from using a company that had suffered a data breach, and that 90% of them are concerned about the safety of the data that businesses hold about them. In short, consumers - your customers - take their data privacy seriously.

It's not just about privacy, either. The issue of identity fraud is extremely serious, and growing, and at least some of the data used by cyber-criminals to impersonate people is gathered from personal information leaked by security breaches.

The KPMG report also claims that 86% of procurement managers would consider removing a business from their supplier roster after a breach. This is also a grave statistic for small businesses who fail to take their information security responsibilities seriously enough.

Which brings me neatly to my final point, also highlighted in that KPMG report. Over half of the small businesses surveyed think it unlikely - or even highly unlikely - that they would be the target of an attack. And yet, another recent survey by PricewaterhouseCooper (commissioned and sponsored by the UK government - Information security breaches survey 2015) reports that 74% of small businesses had suffered some form of data breach in 2015.

Your customers value their privacy, and trust you to safeguard their data. It's your security that protects their privacy. If you don't take your own cyber-security seriously enough, you risk losing that trust.

Tuesday, 5 April 2016

The Old Ones are the Best Ones


The Low Hanging Fruit

Whilst vulnerabilities such as Shellshock, Heartbleed and DROWN are undoubtedly nasty, they aren't very easy to exploit, at least until they are identified. The thing with zero-day vulnerabilities like these is that it's generally quite difficult to identify them in the first place. It usually requires crafting malicious packets, probing for buffer over-runs, attempting large-scale denial of service attacks, or seeing if protocol flaws can be exploited. Or some combination of the above. All of these take skill and patience.

If you are the developer of a widely used encryption library, or a ubiquitous runtime library, then you do indeed need to care about these things. "Widely used" in this sense means having millions of users. And that's what makes such things attractive to attackers, and worthwhile concentrating their effort on finding those vulnerabilities.

However, it's not always the zero-day exploits that catch people out.

If your software is sending customer passwords in plaintext back to the MotherShip, or fails to correctly validate user-input from a form, then attackers aren't going to bother looking for more subtle exploits. They already found the low hanging fruit.

And this can happen to software that is widely used:

This isn't even low hanging fruit, it's fruit that's already fallen off the tree and is just lying there, waiting to be picked up. In this instance, the "attacker" had the best of intentions: to highlight a flaw in Valve's process. When they were notified, Valve immediately engaged with the perpertrator to get the problem fixed.

Not everyone takes their security so seriously, even after they've been exploited. The moral is this: it's better to find out if you have vulnerable systems before you're attacked by someone who almost certainly will not tell you they've done it!

Wednesday, 30 March 2016

Whose Data Is It Anyway?

The Real Cost of Cyber-Security

According to a UK goverment-sponsored survey carried out by PwC (information-security-breaches-survey-2015), 74% of small businesses in the UK suffered some form of data breach in 2015. Nearly one third of all businesses surveyed declared that they had performed NO security risk assessment in that time. Obviously these are the headlines in broad strokes, but it's clear that some correlation exists between those things, especially factoring in the other broad statistic: that the cost of data breaches to small business was, on average, between £75,000 and £311,000.

These are fairly worrying statistics, not least because the survey had already filtered out responses from companies who felt unable to answer the questions, for whatever reason. 

The cost shown above accounts for such things as material loss of business as the result of a breach, regulatory fines imposed for failing to adequately protect data, business disruption and so on. It's much harder to put a hard number on reputational damage. Customers are increasingly aware of the value of their personal data, and the importance of identity integrity. Any business who fails to protect that data risks losing the trust of those customers - and their business.

I would go a step further: businesses need to understand that they are only stewards of the data, that ultimately data about a particular customer belongs to the customer

More succinctly, if I'm your customer, it's not your data, it's mine.


What is to be done?

The security media seems focussed on the latest zero-day attacks (exploiting vulnerabilities for which no patch or fix is available), coupled with the latest high-profile breaches in industry. Serious vulnerabilities are even being given names, possibly to make them more accessible, resulting in Heartbleed, Shellshock and DROWN

These are indeed very serious issues, and need to be addressed by anyone using the technologies involved, but I doubt they account for most or even many of the attacks reported by PwC in their report. Without naming names, there have been a number of very high-profile data breaches of late, many of which seem to have been possible due to careless security practises within the companies who were victim to attack. Poor password policies on critical systems, and vague or non-existent security procedures for dealing with things like phishing and malware, seem to have been the primary causes.

These vulnerabilities aren't new, they don't require expensive tech or cutting-edge methods to exploit, but they do exist, and they are dangerous. Not all businesses are at risk from state-sponsored attack, or zero-day exploits, because they are generally expensive to implement. They are certainly expensive to protect against. 

Most businesses, on the other hand, are vulnerable to simple automated attacks such as port-scanning, password brute-forcing and 3rd party software version/patch vulnerabilities. These things, by contrast, are relatively easy to identify, and much less expensive to protect against.


Here it comes: the sell

If you got this far, then perhaps you'll forgive me this plug. PerfectCobalt is an Information Security company which specialises in providing an affordable, straightforward service to businesses of all sizes, but particularly small businesses who perhaps are unable to justify spending huge amounts of money on cyber-security. If those businesses instead do nothing, it puts their data, and their customers' data, at risk.

We focus on identifying and advising on common vulnerabilities such as those mentioned above, because they present the largest attack surface, and present the greatest risk.

If you would like to find out more about PerfectCobalt's services, see our website. You can follow our updates on the Twitters as well @PerfectCobalt.