Category Archives: education

The Increasing UK Cyber Skills Gap

As organisations throughout the UK embrace Cyber Security Awareness Month, Intelligencia Training looks at why businesses are continuing to battle an increasing cyber skills gap.

Following an audit in 2018, the UK government recently announced plans to conduct its second audit into the state of the country’s cyber security workforce. The initial audit published last year found that more than half of UK businesses had a “basic technical cyber security skills gap”.

These findings didn’t come as a surprise. Intelligencia, whose qualifications consist of the UK’s highest levels of vocational training available in intelligence and the only cyber security awareness programme with an official UK Government regulated qualification attached, explain that many organisations are overlooking the key weakness in their security infrastructure: their staff.


With IT infrastructure becoming more robust and cyber threats from social engineering and spear phishing increasing, cyber security should be just as much the responsibility of the wider workforce as it is of those in IT and network security. Even more so when you consider that over 90% of successful cyber breaches are facilitated by human error and a lack of general cyber security awareness.

One report found that between April and June 2019, UK businesses faced an average of 146,000 attempted cyber-attacks.

So how do we counter the threat?
Intelligencia highlight that social engineering and phishing are responsible for over 85% of human error breaches and that businesses need to educate the wider workforce, the prime target for cyber criminals, to identify and prevent such attacks.

The specialist training provider further explains that while some have taken action on increasing cyber security awareness, the assessments and training used are commonly ineffective.

Many organisations fail to recognise the true sophistication of professional attacks and monitor awareness levels through generic assessments, such as mass phishing tests based on click-rate, and limit training to more traditional programmes, which often become outdated the moment a learner completes the course.

Learning and development shouldn’t end on course completion and providing staff with a sustainable solution to cyber security awareness in an ever-evolving landscape is key. New threats evolve daily and it is essential that awareness is sustained to minimise the risk of a breach.

About Intelligencia 'Cyber Stars' Training: Intelligencia Training are cyber security specialists that operate within both the public and private sectors. They continue to deliver the leading Cyber Stars Initiative to a wide range of high profile organisations to support them in increasing cyber security resilience.

For further information on the Cyber Stars Initiative, visit www.intelligenciatraining.com/cyber-stars or contact info@intelligenciatraining.com.

CanadianCIO of the Year finalist a bridge builder by nature

This is one in a series of profiles of tech leaders named as a finalist for the 2019 ITAC CanadianCIO of the Year Award. Mr. Sanderson will be part of a Nov. 14 Town Hall discussion for finalists focused on the changing role of the CIO. The ITAC CanadianCIO of the Year winners will be announced…

Consumers have concerns about cybersecurity, value education on best practices

Nearly three-quarters of consumers (74%) would be likely to participate in a cybersecurity awareness or education program from their financial institution if they offered it. The survey conducted by The Harris Poll on behalf of Computer Services also found that an overwhelming majority of consumers (92%) have concerns about the security of their personal confidential data online. The poll ran online July 1-3, 2019, and it represents feedback from more than 2,000 U.S. adults ages … More

The post Consumers have concerns about cybersecurity, value education on best practices appeared first on Help Net Security.

Educational organizations massively vulnerable to cyber attacks

The education sector is facing a crisis as schools grapple with high levels of risk exposure – driven in large part by complex IT environments and digitally savvy student populations – that have made them a prime target for cybercriminals and ransomware attackers, according to Absolute. The summer months of 2019 saw the number of publicly-disclosed security incidents in K-12 school districts in the U.S. reach 160, exceeding the total number of incidents reported in 2018 … More

The post Educational organizations massively vulnerable to cyber attacks appeared first on Help Net Security.

Vaughan partners with VentureLAB, York U, and Mackenzie Health to plan modern health precinct

As the City of Vaughan works towards the opening of the brand-new Mackenzie Vaughan Hospital in late 2020, it announced a partnership today with VentureLAB, York University, and Mackenzie Health to conduct a feasibility study and envision the plans for the Vaughan Healthcare Centre Precinct. The proposed complex is planned to be built on the…

Is your school GDPR compliant? Use our checklist to find out

At this year’s ASCL (Association of School and College Leaders) conference, a guest said to us: “The GDPR? Wasn’t that last year?”

Our heads fell into our hands. How was it possible for someone to be so misguided about such a well-publicised regulation? Granted, 2018 was very much ‘the year of the GDPR’ in some circles. It came into effect in May 2018, following much discussion and a surge of activity from organisations that had left compliance until the last minute.

But compliance isn’t a one-off exercise. The GDPR continues to apply to any organisation that processes the personal data of, or monitors the behaviour of, EU residents.

A brief summary of the GDPR

The GDPR works like this: there are data subjects (that’s individuals like you and me), and we own our own personal data. The GDPR considers personal data to be anything that identifies, or can be used to identify, a living person, such as your name, National Insurance number or email address, whether it’s a personal or work account.

The GDPR outlines a list of steps organisations must take to protect that information. It also contains eight data subject rights that give individuals more control over the way organisations use their personal data.

These include:

  • The right to access the personal information organisations store on them;
  • The right to request that organisations rectify any information that’s inaccurate or incomplete;
  • The right to erase personal data when it’s no longer necessary or the data was unlawfully processed; and
  • The right to object to processing if the individual believes the organisation doesn’t have a legitimate reason to process information.

Organisations that fail to meet these requirements face fines of up to €20 million (about £18 million) or 4% of their annual global turnover, whichever is greater.

GDPR compliance in schools

Schools have a particularly hard time of it when it comes to the GDPR. They often work with tight budgets and lack the resources to retain a dedicated information security team.

Additionally, schools process large amounts of children’s data, which merits extra protection. In some cases, there are specific rules that apply to children, which means data processors must work out whether the data subject qualifies as a child (defined as under 13 in the UK) before proceeding.

If that’s the case, the data processor must account for requirements concerning:

Can you use consent?

Organisations cannot legally obtain consent from children. Instead, they must seek the approval of a person holding “parental responsibility”, and make “reasonable efforts” to verify that the person providing the consent is indeed a parental figure.

This requirement doesn’t apply in the context of preventive or counselling services offered directly to a child.

Privacy notices

Organisations must ensure that privacy notices targeted at children are written in plain language that could reasonably be understood by data subjects.

This is similar to the general rules about privacy notices, but it’s important to remember that the language you use must be appropriate to the intended audience. What counts as plain language for a 12-year-old will probably be very different from what counts as plain language for a 5-year-old.

Online services offered to children

In most cases, consent requests for children will relate to online services, or what the GDPR refers to more generally as information society services. These include things such as online shopping, live or on-demand streaming and social networks.

The GDPR states that consent must be closely regulated in these services because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details.

Schools aren’t GDPR-compliant

These are reasonable requirements, but many schools still fail to understand the importance of compliance or make the necessary changes. The ICO (Information Commissioner’s Office) reported that breaches in the education sector increased by 43% in the first three months that the GDPR was effective.

The number of security incidents increased from 355 in the second quarter of 2017–18 to 511 in the same period last year. Meanwhile, the number of incidents involving data breaches increased from 239 to 353.

The ICO found that common disclosure issues included:

  • The loss or theft of paper or digital files;
  • Emailing information to the wrong recipient; and
  • Accidental verbal disclosure.

There has also been a sharp increase in the number of cyber attacks targeting schools, with a 69% rise in malware, ransomware and phishing scams between 2017 and 2018.

Mark Orchison, managing director of cyber security firm 9ine, warned that “schools don’t have the internal expertise” to deal with cyber attacks, and they lack “the skills to understand the risks or what to do when [an attack] happens”.

“Schools are seen as an easy target,” he added. “Sending false invoices, for example, is easy money.”

The figures aren’t all bad news, though. Orchison suggested that the rise in data breach reports may well be a case of schools becoming more aware of what breaches are and when they need to be reported.

GDPR checklist for schools

Staying on top of your GDPR compliance requirements can seem daunting, which is why we encourage all organisations to create a plan of action.

Anyone looking for help on what that should include should take a look at our GDPR checklist for schools. It will help you record your school’s progress towards GDPR compliance and identify any areas where development may be required.


A version of this blog was originally published on 28 March 2019.

The post Is your school GDPR compliant? Use our checklist to find out appeared first on IT Governance Blog.

COBALT DICKENS Launched New Phishing Operation against Universities

The COBALT DICKENS threat group stayed busy over the summer by launching a new global phishing operation targeting universities. In July and August 2019, Secureworks’ Counter Threat Unit (CTU) researchers observed COBALT DICKENS using compromised university resources to send out library-themed phishing emails. These emails differed from those used in the Iranian threat group’s previous […]… Read More

The post COBALT DICKENS Launched New Phishing Operation against Universities appeared first on The State of Security.

Maths and tech specialists need Hippocratic oath, says academic

Exclusive: Hannah Fry says ethical pledge needed in tech fields that will shape future

Mathematicians, computer engineers and scientists in related fields should take a Hippocratic oath to protect the public from powerful new technologies under development in laboratories and tech firms, a leading researcher has said.

The ethical pledge would commit scientists to think deeply about the possible applications of their work and compel them to pursue only those that, at the least, do no harm to society.

Despite being invisible, maths has a dramatic impact on our lives


SSH In Nutshell : A protocol for secured network communication


Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Running over TCP with its own transport-layer protocol, SSH is widely used to secure connections between clients and servers. It was designed as a replacement for conventional Telnet and for unsecured remote shell protocols such as the Berkeley rlogin, rsh and rexec protocols, which send critical information such as passwords in plain text and are therefore susceptible to interception and disclosure through packet analysis or deep packet inspection. The encryption used by SSH provides confidentiality and integrity of data over an unsecured network such as the Internet.

Fig. 1: SSH Protocol Stack

How Does SSH Work?

The SSH protocol employs a client-server model to authenticate the two parties and to encrypt the data transferred between them.

Negotiating Encryption for the Session

  • Version Exchange: Once the client has opened a TCP connection, the server responds with the protocol versions it supports. If the client can match one of the acceptable protocol versions, the connection continues.
  • Key Exchange Initialization: To begin the key exchange, both sides send each other an SSH_MSG_KEXINIT message listing the cryptographic primitives they support, in order of preference. These primitives are the basic building blocks used to perform key exchange and bulk data encryption. The following table (Tab. 1) shows some examples of cryptographic primitives.
Tab. 1: Cryptographic Primitives

  • Diffie-Hellman Initialization: The client begins the key exchange by generating an ephemeral key pair (a private key and its associated public key) and sending the public key to the server in an SSH_MSG_KEX_ECDH_INIT message (Fig. 2). The server checks the authorized_keys file of the account that the client is attempting to log into for the key ID; if strict key checking is enabled and the key is not found to be correct, the server rejects the connection, safeguarding itself from unknown clients. The ephemeral key pair is used only during this key exchange and is disposed of afterwards, so an attacker who passively records the encrypted traffic cannot later recover the session key, even if a long-term key is compromised. This property is called forward secrecy.
Fig. 2: Generation of the key exchange initialization message

  • Diffie-Hellman Reply: On receiving the SSH_MSG_KEX_ECDH_INIT message, the server generates its own ephemeral key pair and derives the shared secret K from its own ephemeral private key and the client’s public key. It then computes the exchange hash H (Fig. 3) and signs it with its host private key to produce the signature HS (Fig. 4).
Fig. 3: Generation of the exchange hash H

The exchange hash and its signature serve several purposes:

• Verifying the signature over the exchange hash lets the client confirm that the server possesses the host private key; if the check passes, the client is connected to the correct server.

• Signing the fixed-size exchange hash, rather than all of the data that went into it, keeps the signature small and the handshake fast.

Fig. 4: Generation of the ECDH KEX reply

The exchange hash is computed by taking the hash (SHA-256, SHA-384 or SHA-512, depending on the negotiated key exchange algorithm) of the following fields:

• Magics M

• Server host public key (or certificate) HPub

• Client public key A

• Server public key B

• Shared secret K

Magics consist of the client version, the server version, the client’s SSH_MSG_KEXINIT message and the server’s SSH_MSG_KEXINIT message. With this information in hand, the server constructs the SSH_MSG_KEX_ECDH_REPLY message from:

• the ephemeral public key of the server, B;

• the host public key of the server, HPub; and

• the signature on the exchange hash, HS.

After the client receives SSH_MSG_KEX_ECDH_REPLY, it can compute the shared secret K (from its own ephemeral private key and B) and the exchange hash H.

The client extracts the host public key (or certificate) from SSH_MSG_KEX_ECDH_REPLY and verifies the signature HS over the exchange hash, which proves that the server owns the host private key.
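The exchange-hash construction described above, as an added example that is not part of the original post: the RFC 4251 string and mpint encodings, H over the magics, the host key, both ephemeral public keys and K (RFC 5656 field order), and a second computation with a modified server KEXINIT to show why binding the negotiation into H means any in-transit change is caught when the client verifies HS. All byte values are constructed samples, not a real capture.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20  # message number that starts every KEXINIT payload (RFC 4253)

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: minimal big-endian bytes, with
    an extra leading 0x00 when the top bit is set so the value never reads as negative."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def exchange_hash(hash_name: str, v_c: bytes, v_s: bytes, i_c: bytes, i_s: bytes,
                  k_s: bytes, q_c: bytes, q_s: bytes, k: int) -> bytes:
    """H = HASH(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K) per RFC 5656 section 4.
    Version strings, KEXINIT payloads, host-key blob and both ephemeral public keys are
    encoded as 'string'; the shared secret K as 'mpint'. hash_name is fixed by the
    negotiated kex method, e.g. sha256 for curve25519-sha256 or ecdh-sha2-nistp256."""
    h = hashlib.new(hash_name)
    for field in (v_c, v_s, i_c, i_s, k_s, q_c, q_s):
        h.update(ssh_string(field))
    h.update(ssh_mpint(k))
    return h.digest()

# Constructed sample handshake (not a real capture): version strings without CR LF,
# minimal KEXINIT payloads, an ed25519-shaped host-key blob and 32-byte ephemeral points.
V_C = b"SSH-2.0-ExampleClient_1.0"
V_S = b"SSH-2.0-ExampleServer_2.1"
I_C = bytes([SSH_MSG_KEXINIT]) + b"\x11" * 16 + ssh_string(b"curve25519-sha256")
I_S = bytes([SSH_MSG_KEXINIT]) + b"\x22" * 16 + ssh_string(b"curve25519-sha256")
K_S = ssh_string(b"ssh-ed25519") + ssh_string(b"\x33" * 32)
Q_C = b"\x44" * 32
Q_S = b"\x55" * 32
K = int.from_bytes(b"\x66" * 32, "big")

def client_view() -> bytes:
    """The H the client computes after receiving SSH_MSG_KEX_ECDH_REPLY."""
    return exchange_hash("sha256", V_C, V_S, I_C, I_S, K_S, Q_C, Q_S, K)

def tampered_view() -> bytes:
    """The H the client would compute if the server's KEXINIT had been altered in
    transit: it no longer equals the H the server signed, so verification of HS
    fails and the client drops the connection."""
    i_s_altered = bytes([SSH_MSG_KEXINIT]) + b"\x22" * 16 + ssh_string(b"some-other-kex")
    return exchange_hash("sha256", V_C, V_S, I_C, i_s_altered, K_S, Q_C, Q_S, K)
```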

In order to prevent Man-in-the-Middle (MITM) attacks, after the signature is validated the retrieved host public key (or certificate) is checked against a local database of trusted hosts; if the key (or certificate) is not trusted, the connection is terminated.

If you have ever seen a prompt like the one in Fig. 5, it means that the key presented is not in your local database of known hosts.

Fig. 5: Prompt for Authentication of Server
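An added example, not from the original post, of the trusted-host check described above: a simplified parser for OpenSSH's known_hosts format (plain names, comma-separated lists, HashKnownHosts-style hashed entries and @revoked lines; OpenSSH's other wildcard patterns are out of scope) that classifies the host key a server presented. Hostnames and key blobs are constructed samples.

```python
import base64
import hashlib
import hmac

# Constructed sample key blobs (base64 text only; not real keys).
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIEtleUFLZXlBS2V5QUtleUFLZXlBS2V5QUtleUE="
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIEtleUJLZXlCS2V5QktleUJLZXlCS2V5QktleUI="
KEY_OLD = "AAAAC3NzaC1lZDI1NTE5AAAAIE9sZE9sZE9sZE9sZE9sZE9sZE9sZE9sZE9sZE8="

def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """OpenSSH HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed known_hosts file: a plain entry, a hashed entry and a revoked key.
KNOWN_HOSTS = "\n".join([
    "build.example.com,10.0.0.7 ssh-ed25519 " + KEY_A,
    hashed_host_entry("gateway.example.com", b"\x01" * 20) + " ssh-ed25519 " + KEY_A,
    "@revoked * ssh-ed25519 " + KEY_OLD,
])

def _host_matches(pattern: str, hostname: str) -> bool:
    """Plain names, comma lists, '*' and hashed entries (OpenSSH's other wildcards not handled)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return pattern == "*" or hostname in pattern.split(",")

def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Classify the host key from SSH_MSG_KEX_ECDH_REPLY once its signature has verified:
    'trusted' (matches a line for this host), 'revoked' (matches an @revoked line: reject),
    'mismatch' (host known with a different key of this type: possible MITM, reject),
    'unknown' (host never seen before: the interactive prompt of Fig. 5)."""
    trusted = known_type = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        marker = ""
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]  # @revoked or @cert-authority
        if len(fields) < 3 or fields[1] != key_type or not _host_matches(fields[0], hostname):
            continue
        if marker == "@cert-authority":
            continue  # CA lines vouch for certificates, not raw host keys
        if marker == "@revoked":
            if fields[2] == key_b64:
                return "revoked"
            continue
        known_type = True
        trusted = trusted or fields[2] == key_b64
    return "trusted" if trusted else ("mismatch" if known_type else "unknown")
```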

Authenticating the User’s Access to the Server

The next stage involves authenticating the user and deciding what access to grant. Several authentication mechanisms exist; which one is used depends on what the server is configured for.

The simplest is password authentication, but this is strongly discouraged because passwords are exposed to automated password-guessing scripts.

The most popular and recommended alternative is the use of SSH key pairs. SSH key pairs are asymmetric keys: the public key is used to encrypt data that can only be decrypted with the private key. The public key can be freely shared because, although it can encrypt for the private key, the private key cannot be derived from it.

Summary

SSH provides a secured, encrypted channel for configuring remote servers, established using agreed cryptographic primitives, with user authentication by asymmetric key pairs.

The following diagram shows the stages of the SSH handshake in establishing a secured channel that uses a password authentication mechanism.

Fig. 6: Stages of SSH Handshaking with user Password Authentication

The post SSH In Nutshell : A protocol for secured network communication appeared first on Seqrite Blog.