Category Archives: Security Awareness

Things You Need to Know About Open Source – The FAQ Edition

Open Source projects can be a great asset, or they can be a curse. It is all in how you manage it. To be successful in using open source, there are several things to keep in mind, from licensing to updates. And if you ignore any of them, it can cause problems. Here are some […]… Read More

The post Things You Need to Know About Open Source – The FAQ Edition appeared first on The State of Security.

Security roundup: May 2019

We round up interesting research and reporting about security and privacy from around the web. This month: password practice, GDPR birthday, c-suite risk, and further reading for security pros.

Passwords: a good day to try hard

No self-respecting security pro would use easy passwords, but could they say the same for their colleagues (i.e. everyone else)? The answer is no, according to the UK National Cyber Security Centre. It released a list of the 100,000 most hacked passwords, as found in Troy Hunt’s ‘Have I Been Pwned’ data set of breached accounts. Unsurprisingly, ‘123456’ topped the list. A massive 23 million accounts use this flimsy string as “protection” (in the loosest possible sense of the word). Next on the list of shame was the almost as unimaginative ‘123456789’, ‘qwerty’, ‘password’ and 1111111.

The NCSC released the list for two reasons: firstly to prompt people to choose better passwords. Secondly, to allow sysadmins to set up blacklists to block people in their organisations from choosing any of these terrible passwords for themselves. The list is available as a .txt file here and the agency blogged about the findings to give more context. Help Net Security has a good summary of the study. The NCSC published the research in the buildup to World Password Day on May 2, which Euro Security Watch said should be every day.

WP Engine recently performed its own analysis of 10 million compromised passwords, including some belonging to prominent (and anonymised) victims. It makes a useful companion piece to the NCSC study by looking at people’s reasons for choosing certain passwords.

Encouraging better security behaviour through knowledge is one part of the job; effective security controls are another. In April, Microsoft said it will stop forcing password resets for Windows 10 and Windows Server because forcing resets doesn’t improve security. CNet’s report of this development noted Microsoft’s unique position of influence, given its software powers almost 80 per cent of the world’s computers. We recently blogged about what the new FIDO2 authentication standard could mean for passwords. Better to use two-factor authentication where possible. Google’s Mark Risher has explained that 2FA offers much more effective protection against risks like phishing.

GDPRversary getting closer

Almost one year on from when the General Data Protection Regulation came into force, we’re still getting to grips with its implications. The European Data Protection Supervisor, Giovanni Buttarelli, has weighed in on the state of GDPR adoption. He covered many areas in an interview with Digiday, including consent, fines, and legitimate interest. One comment we liked was how falling into line with the regulation is an ongoing activity, not a one-time target to hit. “Compliance is a continued working progress for everyone,” he said.

The European Data Protection Board (formerly known as the Article 29 Working Group) recently issued draft guidance on an appropriate legal basis and contractual obligations in the context of providing online services to data subjects. This is a public consultation period that runs until May 24.

The EDPB is also reportedly planning to publish accreditation requirements this summer. As yet, there are no approved GDPR certification schemes or accreditation bodies, but that looks set to change. The UK regulator recently published its own information about certification and codes of conduct.

Meanwhile, Ireland’s Data Protection Commission has started a podcast called Know Your Data. The short episodes have content that mixes information for data controllers and processors, and more general information for data subjects (ie, everyone).

Breaching the c-suite

Senior management are in attackers’ crosshairs as never before, and 12 times more likely to be targeted in social engineering incidents than in years past. That is one of the many highlights from the 2019 Verizon Data Breach Investigations Report. Almost seven out of ten attacks were by outsiders, while just over a third involved internal parties. Just over half of security breaches featured hacking; social engineering was a tactic in 33 per cent of cases. Errors were the cause of 21 per cent of breaches, while 15 per cent were attributed to misuse by authorised users.

Financial intent was behind 12 per cent of all the listed data breaches, and corporate espionage was another motive. As a result, there is a “critical” need for organisations to make all employees aware of the potential threat of cybercrime, Computer Weekly said. ThreatPost reported that executives are six times more likely to be a target of social engineering than a year ago.

Some sites like ZDNet led with another finding: that nation-state attackers are responsible for a rising proportion of breaches (23 per cent, up from 12 per cent a year ago). It also highlighted the role of system admin issues that subsequently led to breaches in cloud storage platforms. Careless mistakes like misconfiguration and publishing errors also left data at risk of access by cybercriminals.

The Verizon DBIR is one of the most authoritative sources of security information. Its content is punchy, backed by a mine of informative stats to help technology professionals and business leaders plan their security strategies. The analysis derives from 41,000 reported cybersecurity incidents and 2,000 data breaches, featuring contributions from 73 public and private organisations across the globe, including Ireland’s Irisscert. The full report and executive summary are free to download here.

Links we liked

Challenge your preconceptions: a new paper argues cybersecurity isn’t important. MORE

An unfortunate trend that needs to change: security pros think users are stupid. MORE

It’s time to panic about privacy, argues the New York Times in this interactive piece. MORE

Want a career in cybersecurity, or know someone who does? Free training material here. MORE

NIST has developed a comprehensive new tool for finding flaws in high-risk software. MORE

NIST also issued guidelines for vetting the security of mobile applications. MORE

Cybersecurity threats: perception versus reality as reported by AT&T Security. MORE

Here’s a technical deep dive into how phishing kits are evolving, courtesy of ZScaler. MORE

A P2P flaw exposes millions of IoT security cameras and other devices to risks. MORE

A new way to improve network security by analysing compressed traffic. MORE

 

The post Security roundup: May 2019 appeared first on BH Consulting.

That’s classified! Our top secret guide to helping people protect information

As information security professionals, we often face a challenge when trying to explain what we mean by ‘data classification’. So here’s my suggestion: let’s start by not calling it that. In my experience, the minute you call it that, people switch off.

Our role should be to try to engage an audience, not scare them away. Classification sounds like a military term, and if the reaction that greets you is an eye-roll that says: ‘you’re talking security again’, then they’ve zoned out before you’ve even got to the second sentence. I try and change the language, because otherwise, what we have here is a failure to communicate.

In reality, it’s very simple if you explain what you mean by classification. If we strip away any jargon or names, what we’re doing is asking an organisation to decide what information is most important to it. Then, it’s about asking the organisation’s people to apply appropriate layers of protection to that information based on its level of importance.

De do do do, de da da da

Who needs to use data classification? These days, it’s everyone. Why is it important? Why make people do this work? Data is a precious commodity. Think of it like water in many parts of the world: there’s a lot of it about, it’s too easily leaked if you don’t protect it, it’s extremely valuable if you control the source, and you can combine it with other things to increase its worth. Well, it’s a similar story with data. Data is just a bunch of numbers, but context turns it into information. You could have 14 seemingly random numbers, and that’s data. Now, split them into two groups, one of eight digits and another of six digits with some dashes in between. Suddenly those numbers become a bank account number and sort code. Then it’s information.

Message in a bottle

The first step for security professionals to win people over to the concept is to make it real for their audience. If your message is personal, people can relate it to what they have to do in their work.

We handle types of information in different ways and make decisions all the time on who should have access to it. Think of it this way: do you file paperwork – utility bills, appointment letters, bank statements – at home? Would you leave your payslip lying around the home for your kids to read?

In a work context, a CEO might want their executive assistant to access their calendar for meetings, but they don’t necessarily want to share their bank account details to see how much money they make or what they spend it on.

Naturally, the type of information that’s most valuable will vary by industry, so you have to adapt any message to suit. In healthcare, it might be sensitive medical records about someone’s health. For someone working in food and drinks industry, maybe IP (intellectual property) like the recipe to the secret sauce or the package design are the most valuable items to protect. In pharmaceuticals, it might be the blueprints or ingredients in a new drug.

You don’t have to put on the red light

So now we’ve established that information may have different values, how do we group them? Deciding on the value of information may require the employee to apply good judgement. I like using the traffic light idea of three tiers of information (red amber and green) rather than the binary option of just public or private. Those three levels then become public (green), confidential (amber), and restricted or private (red). It allows for an extra level of data management, and therefore protection, where needed but is still a simple number to grasp.

Photo by Harshal Desai on Unsplash

This approach is easy to picture. People can very quickly understand what category information falls into, and what to do with it. Using the traffic light approach, public material (green) might be a brochure about a new product, or it could be the menu in the staff canteen. That’s the material that you want many people to see. The company contact directory or minutes from a meeting would be confidential (amber). Items that aren’t for general distribution outside board level (such as merger discussions) are extremely sensitive or privileged (red).

Once we know what we’re protecting, we get to the how.

  • If we’re dealing with physical paper documents, we can mark the sensitive information with a red sticker or red mark on the corner. The rule might be: never leave a red file unattended unless an authorised person is actively reading it and doing something with it. You know it shouldn’t leave the building unless it’s extremely well protected.
  • If the mark or sticker is amber, the person holding it must lock it away overnight.
  • Any document with a green mark doesn’t have to be locked away.

Every breath you take

You can extend that system beyond individual files to folders and to filing cabinets if necessary. You can apply this very easily by adding the appropriate colour to each document, folder, filing cabinet or even rooms in the building. Leave marker pens, stickers or anything that clearly shows the classification available for people to use.

It’s relatively easy to get people to apply the exact same marking system to electronic data. So you mark the Word file or Excel sheet with the same colour scheme, and folders, and so on. Once you’ve put the colours on it, the application of it is easy. If you use templates or forms of any kind it’s easy to start applying rules automatically, and you can then tie in the classification to your data leakage prevention tools, or DLP solutions, by blocking the most sensitive information from leaving the organisation, or at least flagging it for attention. It’s possible to put markers in the metadata of document templates, so amber or red documents could flag to the user that they need to encrypt before sending.

Ultimately, we’re in the business of changing behaviour, and the net result should be that people become more aware of information and data protection because it’s a relatable concept that they’re applying in their daily work, almost without realising.

So if not classification, what do we call it? The importance of information? Data management? It’s still not very snappy, so any suggestions or answers on a postcard please.

Oh, and as a footnote, if you have any information you want everyone in the company to read, just put it in an unsealed envelope marked “CONFIDENTIAL” and leave it near the printer/photocopier/coffee area. I guarantee everyone passing will take a look.

The post That’s classified! Our top secret guide to helping people protect information appeared first on BH Consulting.

Top Tips On Cyber Security for SMEs

Guest article by Damon Culbert of Cyber Security Jobs

Cyber criminals are a part of modern life, from Uber account hacks to major business data breaches, our online identities are rarely safe. And, while big-name companies under threat often make the news, it’s small and medium-sized enterprises who are actually their biggest targets.

Large businesses and government departments may seem like more obvious hacking targets with bigger payoffs, but these organisations can afford much more robust, well-kept and successful IT security measures and cyber security professionals working round the clock. Due to this, cyber criminals are much more likely to swing for easy targets like family businesses.

With the introduction of GDPR across Europe, all businesses are now much more responsible for the personal data they keep, meaning companies of all size can’t really afford to not have at least the basic security measures in place. The UK National Cyber Security Centre (NCSC) have created a list of five principles as part of their Cyber Essentials Scheme. These include:

1. Secure your internet connection
2. Protect from viruses and other malware
3. Control access to your data and services
4. Secure your devices and software
5. Keep your devices and software up to date

All small businesses should know these principles and be putting them into practice, no matter how many staff they employ. In addition to this, here are a couple of other tips to keep hackers at bay which can be simply implemented into your business practices and keep the ICO (Information Commissioner’s Office) from the door.

Invest in Software and Hardware
While just functioning from day to day might be your only priority as a small business owner, investing in your technology will undoubtedly help in the long run. Keeping your software, such as virus software and operation systems, will ensure that any vulnerabilities identified by the creators are covered and there are no gaping holes in your cyber defences.

It might also be a good idea to invest in a good-quality back-up server and cyber insurance, so that if any personal data is every compromised, your operations can simply switch to the back-up server without affecting your business. Cyber insurance will also help keep you covered in case any clients’ personal data is lost and costs are incurred.

Staff Awareness Without the awareness of your staff, no manner of cyber security measures will keep your business safe. 90% of breaches happen because of user interaction, most commonly through phishing scams. Sophisticated phishers can impersonate senior members of staff in your organisation and trick other employees into handing over login details, authorising bogus payments or redirecting bank transfers.

Ensuring that staff are made aware of how to identify phishing scams and even having experienced trainers come in to guide them through cyber security best practice may seem like a cost you can spare but will go far in keeping the walls around your business impenetrable.

Compliance
The GDPR states that businesses who suffer a breach must alert the ICO and any customers who may have been affected within 72 hours of discovery. This is vital, and although fines could still be handed out for failure to prevent a breach, these fines will be much higher if the ICO discovers that you kept the information to yourself for longer than the 72 hour period.

The average time it takes for an organisation to discover a breach is 229 days, so the actual time it takes for the breach to come to your attention isn’t going to work too poorly in your favour. However, regular reporting is likely to result in earlier identification which will not only help you save time and money, but will also be a great trust signal to your clients that you take protecting their data seriously.

Pre-emptive planning
Security breaches are a ‘when’ not ‘if’ problem, so planning ahead is a necessity of modern business. 74% of SMEs don’t have any money saved to deal with an attack and 40% wouldn’t even know who to contact in the event of a breach. Having comprehensive disaster management plans in place will help keep you and your clients safe, keep your reputation in top shape and make sure you don’t have to pay out major money in the worst case scenario.

Plan of Action
The best thing for SMEs to do is to start small and keep building their defences as time goes on, helping keep costs down and customers happy. Here’s a plan of action to get started:

1. Start with the basics: follow the Cyber Essentials Scheme and bake these principles into your daily operations
2. Get an understanding of the risks to your business: check out the NCSC’s ’10 Steps to Cyber Security’ for further detail than the Cyber Essentials
3. Know your business: if you still feel your data isn’t safe, research more comprehensive frameworks like the IASME standard developed for small businesses
4. Once you have a complete security framework in place, develop on the NCSC’s advice with more sophisticated frameworks, such as the NIST framework for cybersecurity.

Fraudsters Targeting Consumers with One-Ring Phone Scams

Fraudsters are targeting consumers with one-ring phone scams that exploit people’s curiosity so as to trick them into paying exorbitant fees. According to the U.S. Federal Communications Commission (FCC), this scam oftentimes begins when a fraudster contacts an unsuspecting consumer using a one-ring phone call. Many of these calls appear to originate from phone numbers […]… Read More

The post Fraudsters Targeting Consumers with One-Ring Phone Scams appeared first on The State of Security.

The Infamous Password

Passwords may not be the favourite piece of your workday, however, I have a theory – if I could share with you the value of a password and the reality of how simple they can be to create; then passwords may not be the monster you avoid. When you get the “your password expires in […]… Read More

The post The Infamous Password appeared first on The State of Security.

Upcoming cybersecurity events featuring BH Consulting

Here, we list upcoming events, conferences, webinars and training featuring members of the BH Consulting team presenting about cybersecurity, risk management, data protection, GDPR, and privacy. 

Tech Connect Live 2019: Dublin, 30 May

BH Consulting COO Valerie Lyons will be presenting at this event which takes place at the RDS in Dublin on Thursday 30 May. The conference is a business and technology event, with talks on a range of related subjects happening throughout the day. The event is free to attend, and more than 5,000 delegates are expected on the day. To find out more and to register for a free pass, visit here

Data Protection Officer certification course: Vilnius/Maastricht June/July

BH Consulting contributes to this specialised hands-on training course that provides the knowledge needed to carry out the role of a data protection officer under the GDPR. This course awards the ECPC DPO certification from Maastricht University. Places are still available at the courses scheduled for June and July, and a link to book a place is available here

IAM Annual Conference: Dublin, 28-30 August

Valerie Lyons is scheduled to speak at the 22nd annual Irish Academy of Management Conference, taking place at the National College of Ireland. The event will run across three days, and its theme considers how business and management scholarship can help to solve societal challenges. For more details and to register, visit the IAM conference page. 

The post Upcoming cybersecurity events featuring BH Consulting appeared first on BH Consulting.

Cyber Security: Three Parts Art, One Part Science

As I reflect upon my almost 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning, and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”

There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.

Let’s talk about Connection’s artistic methodology. We start with a canvas that has the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.

Protection:

People
Users understand threat and risk, and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge check entry. And don’t think about trying to shut off your end-point anti-virus or firewall.

Process
Policy are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.

Technology
Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced threat detection.

Detection:

The average mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days.

People
Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.

Process
What happens when an alert occurs? Who sees it? What is the documented process for taking action?

Technology
What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?

Reaction:

People
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you War Game to ensure you are prepared WHEN an incident occurs?

Process
What is the documented process to reduce the Kill Chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, significant cyber breach such as ransomware, DDoS, or—dare I say it—a pandemic?

Technology
What cyber security consoles have been deployed that allow quick access to patch a system, change a firewall rule, switch ACL, or policy setting at an end point, or track a security incident through the triage process?

All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business process.

More Art: Are You a Risk Avoider or Risk Transference Expert?

A better way to state that is, “Do you avoid all risk responsibility or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.

Yes, there is an art to risk management. There is also science if you use, for example, The Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professional we talked about earlier? They have 17 definitions of risk.

As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game and recognizing the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards (NIST) artist, an Internal Standards Organization artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely coupled on the NIST 800-53 and ISO 27001 standards.

When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive, and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government.

The art in cyber security is in the interpretation of the rules, standards, and requirements that are primarily based on a foundation in science in some form. The more experience one has in the cyber security industry, the more effective the art becomes. As a last thought, keep in mind that Connection’s Technology Solutions Group Security Practice has over 150 years of cyber security expertise on tap to apply to that art.

The post Cyber Security: Three Parts Art, One Part Science appeared first on Connected.

Password-less future moves closer as Google takes FIDO2 for a walk

For years, many organisations – and their users – have struggled with the challenge of password management. The technology industry has toiled on this problem by trying to remove the need to remember passwords at all. Recent developments suggest we might finally be reaching a (finger) tipping point.

At Mobile World Congress this year, Google and the FIDO Alliance announced that most devices running Android 7.0 or later can provide password-less logins in their browsers. To clarify, the FIDO2 authentication standard is sometimes called password-less web authentication. Strictly speaking, that’s a slightly misleading name because people still need to authenticate to their devices a PIN, or a using a biometric identifier like a fingerprint. It’s more accurate to say FIDO2 authentication, but not surprisingly, the term ‘password-less’ seems to have caught the imagination.

Wired reported that web developers can now make their sites work with FIDO2, which would mean people can log in to their online accounts on their phones without a password. This feature will be available to an estimated one billion Android devices, so it’s potentially a significant milestone on the road to a password-less future. Last November, Microsoft announced password-less sign-in for its account users, with the same FIDO2 standard. One caveat: Microsoft’s option requires using the Edge browser on Windows 10 1809 build. So, the true number of users is likely to be far lower than the 800 million Microsoft had been promising. But this is just the latest place where Microsoft has inserted FIDO technology into its products.

It’s not what you know

I spoke to Neha Thethi, BH Consulting’s senior information security analyst, who gave her reaction to this development. “Through this standard, FIDO and Google pave way for users to authenticate primarily using ‘something they have’ the phone – rather than ‘something they know’ the password. While a fingerprint or PIN would typically be required to unlock the device itself, no shared secret or private key is transferred over the network or stored with the website, as it is in case of a password. Only a public key is exchanged between the user and the website.”  

From the perspective of improving security, Google’s adoption of FIDO2 is a welcome development, Neha added. “Most of the account compromises that we’ve seen in past few years is because of leaked passwords, on the likes of Pastebin or through phishing, exploited by attackers. The HaveIbeenpwned website gives a sense of the scale of this problem. By that measure, going password-less for logging in to online accounts will definitely decrease the attack surface significantly,” she said.

“The technology that enables this ease of authentication is public key cryptography, and it has been around since the 1970s. The industry has recognised this problem of shared secrets for a long time now. Personally, I welcome this solution to quickly and securely log in to online accounts. It might not be bulletproof, but it takes an onerous task of remembering passwords away from individuals,” she said.

Don’t try to cache me

Organisations have been using passwords for a long time to log into systems that store their confidential or sensitive information. However, even today, many of these organisations don’t have a systematic way of managing passwords for their staff. If an organisation or business wants to become certified to the ISO 27001 security standard, for example, they will need to put in place measures in the form of education, process and technology, to ensure secure storage and use of passwords. Otherwise, you tend to see less than ideal user behaviour like storing passwords on a sticky note or in the web browser cache. “I discourage clients from storing passwords in the browser cache because if their machine gets hacked, the attacker will have access to all that information,” said Neha. 

That’s not to criticise users, she emphasised. “If an organisation is not facilitating staff with a password management tool, they will find the means. They try the best they can, but ultimately they want to get on with their work.”

The credential conundrum

The security industry has struggled with the problem of access and authentication for years. It hasn’t helped by shifting the burden onto the people least qualified to do something about it. Most people aren’t security experts, and it’s unfair to expect them to be. Many of us struggle to remember our own phone numbers, let alone a complex password. Yet some companies force their employees to change their passwords regularly. What happens next is the law of unintended consequences in action. People choose a really simple password, or one that barely changes from the one they’d been using before.

For years, many security professionals followed the advice of the US National Institute of Standards and Technology (NIST) for secure passwords. NIST recommended using a minimum of seven characters, and to include numbers, capital letters or special characters. By that measure, a password like ‘Password1’ would meet the recommendations even if no-one would think it was secure.

Poor password advice

Bill Burr, the man who literally wrote the book on passwords for NIST, has since walked back on his own advice. In 2017, he told the Wall Street Journal, “much of what I did I now regret”. He added: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”. NIST has since updated its password advice, and you can find the revised recommendations here.

As well as fending off cybercrime risks, another good reason for implementing good access control is GDPR compliance. Although the General Data Protection Regulation doesn’t specifically refer to passwords, it requires organisations to process personal data in a secure manner. The UK’s Information Commissioner’s Office has published useful free guidance about good password practices with GDPR in mind.

Until your organisation implements the password-less login, ensure you protect your current login details. Neha recommends using a pass phrase instead of a password along with two factor authentication where possible. People should also use different pass phrases for each website or online service we use, because using the same phrase over and over again puts us at risk if attackers compromised any one of those sites. Once they get one set of login credentials, they try them on other popular websites to see if they work. She also recommends using a good password manager or password keeper in place of having to remember multiple pass phrases or passwords. Just remember to think of a strong master password to protect all of those other login details!

The post Password-less future moves closer as Google takes FIDO2 for a walk appeared first on BH Consulting.

Games people play: testing cybersecurity plans with table-top exercises

If a picture is worth a thousand words, and video is worth many multiples more, what value is an interactive experience that plants you firmly in the hot seat during a major security incident? Reading about cyberattacks or data breaches is useful, but it can’t replicate the visceral feeling of a table-top exercise. Variously called war-gaming scenarios or simulated attacks, they can be a valuable way of helping boards and senior managers understand the full implications of cyber threats. More importantly, they can shed light on gaps where the business can improve its incident response procedure.

These exercises are designed to be immersive. They might start with a scenario like a board meeting, or a company orientation day. All participants will get a role to play; for the purpose of the session, they might be designated as a head of HR, finance, legal, or IT. As the scenario starts to unfold, a message arrives. The press has been enquiring about a major data breach or a ransomware attack on the company.

Muscles tighten, a wave of nausea passes over the stomach. The fight-or-flight instinct starts to take hold. Your role might say manager, but you don’t feel like you’re in control.

What happens next?

That will depend on how much preparation your business has done for a possible cybersecurity threat. Some companies won’t have anything approaching a plan, so the reaction looks and feels like panic stations. At various points during this exercise, the facilitator might introduce new alerts or information for the group to react to. For example, that could be negative commentary on social media, or a fall in the company stock price.

The exercise should prompt plenty of questions for the participants. What exactly is going on? How do we find out what’s happened? How is this affecting operations? Who’s taking charge? What do we tell staff, or the public, or the media?

A growing sense of helplessness can be a powerful spur to make rapid changes to the current cybersecurity incident response plan (assuming there is one).

Other organisations may already have a series of steps for what to do in the event of an incident or breach. In these cases, the table-top exercise is about testing the viability of those plans. You can be prepared, but do the steps on paper work in practice? Or as Mike Tyson memorably put it, “everybody has a plan until they get punched in the mouth”.

The exercise can show the value of having a playbook that documents all procedures to carry out: “if X happens, then do Y”. This will also shed light on missing steps, such as contact numbers for key company executives, an external security consultant, regulators, law enforcement, or media.

Fail to prepare, prepare to fail

When it comes to developing or refining an incident response plan, the devil is in the detail, says David Prendergast, senior cybersecurity consultant at BH Consulting. Here are some useful questions to ask:

  • If your policy says: ‘contact the regulator’, ask which one(s)
  • Who is the specific point of contact at the regulators office?
  • Does the organisation have the email address or phone numbers for that person?
  • Who in your company or agency is authorised to talk to the regulator?
  • What information are they likely to need to have that conversation?
  • Do you have pre-prepared scripts or statements for when things might go wrong (for customers, stakeholders, staff, and media (including social media channels)?

It might also force the company into making certain decisions about resources. Are there enough internal staff to carry out an investigation? Is that the most appropriate use for those employees, or is it better to focus their efforts on recovering IT systems?

That’s the value in table-top exercises: they afford the time to practice when it’s calm and you can absorb the lessons. There are plenty of examples of companies that handled similar situations spectacularly badly in full public view. (We won’t name names, but the list includes anyone who uttered the words “sophisticated attack” before an investigation even started.)

By the (play)book

It’s more helpful to learn from positive examples of companies that showed leadership in the face of a serious incident. That can be as simple as a statement of business priorities while an organisation copes with the fallout. In 2017, as Maersk reeled from a ransomware infection, CEO Soren Skou gave frontline staff in 130 countries clear instructions. As the Financial Times reported, the message was unequivocal even as the company was forced into shutting down IT systems. “Do what you think is right to serve the customer – don’t wait for the HQ, we’ll accept the cost.”

Some larger companies will run an exercise just for themselves, but some organisations run joint war-gaming scenarios with industry peers. Earlier this month, financial institutions and trade associations from around Europe carried out a simulated ransomware attack.

According to FinExtra, the scenario took the form of an on-site technical and hands-on-keyboard experience. There were 14 participants at CISO and CIO level, along with many more observers from other companies in the financial sector. The aim of the event was to encourage collaboration and information sharing with other teams and organisations to improve collective defences against cyber threats.

Whether it’s a war-gaming exercise or a table-top event, the goal is the same: to be ready for the worst ahead of time, and knowing what steps are available to you when bad things happen for real.

The post Games people play: testing cybersecurity plans with table-top exercises appeared first on BH Consulting.

October Is National Cyber Security Awareness Month: Be Part of Something Big

2018 marks the 15th year of National Cyber Security Awareness Month (NCSAM). The Internet touches every aspect of our lives, and keeping it safe and secure is everyone’s responsibility. You can make a difference by remaining diligent and staying cyber aware. Be part of something big this month. Learn more, be aware, and get involved.

Connection is an official Champion of NCSAM. We’re dedicating the month of October to spreading the word about the importance of cyber security, and providing tools and resources to help you stay safe and secure online.

Each week during October highlights a different cyber security theme, addressing specific challenges and opportunities for change. Stay tuned for information about the top cyber security threats, careers in cyber security, and why it’s everyone’s job to ensure online safety. What are you doing to keep the Internet safer and more secure? Be sure to check back each week to stay informed, and get tips from our experts about how you can participate in keeping everyone safe online.

The post October Is National Cyber Security Awareness Month: Be Part of Something Big appeared first on Connected.