The Status of Purgatory

Purgatory: A situation of temporary suffering or torment.

It’s early April and the UK is in lockdown, everything is shut other than a select few essential shops, most businesses have either had to shut up shop for the foreseeable or are trying to work from home as efficiently and as effectively as possible. The coronavirus, or Covid-19 to be precise, has brought the entire western world to a screeching halt, be you a huge multinational organisation with thousands upon thousands of employees, or a small restaurant in your local town. The reach is endless and business owners everywhere are feeling the pinch and worrying endlessly about their business’s health and stability in a business market that has placed all of us in the unenviable place called purgatory.

The simple truth here is the whole business world is in a state of purgatory, from the employees worrying about if they will get paid this month, to the business owner worried about getting paid by his customers, as well as no doubt attempting to get the state-promised support and having to negotiate the nightmare which is the CBILS loan schemes with the accredited banking institutions. We are all in a very precarious state of hell and at the moment there is very little insight into when all of this will start to go back to normal – we are in this for the long haul and by all accounts this is going to get worse before it gets better… there is a lot of concern here in the business world and for very good reason.

What makes this eminently more frightening is that we are all predominantly at home (other than those heroic health service staff and those services critical to keeping individuals fed and healthy). This makes the task of working and keeping a business running even harder because everything has to be done remotely – talking to anyone and keeping all the business plates spinning is dependent on communications and somewhere quiet in a household to work, if you have small kids out there it can be extremely difficult.

“Thank you for stating the hideously negative reality of the situation Jim,” I hear you say…

I don’t mean to be negative, usually in my articles and posts I err on the side of positivity but we have to accept and acknowledge that things are pretty difficult at the moment, and for a lot of companies it’s probably highlighted the need for a good BCP plan. I know a lot of companies that have had to cobble together quick and dirty BCP operations that can be used in the interim during the isolation requirements.

This actually has made me sit back and reflect on BCP projects we have done in the past. Razorthorn has undertaken a number of business continuity and disaster recovery plans in the past, and I myself have been a part of BCP and DR projects going back even further than the 13 years Razorthorn has been around, predicting risks and eventualities and working out how to handle them. The one thing that I have found in all of that time is that people have a hard time envisioning a total shutdown. It’s something I have put to groups before in “What If?” planning sessions and quite often the response is, “Well that will never happen.”

And now it has.

One thing I predict that will come out of this current crisis will be a resurgence in interest in BCP and DR planning. It has to, really, because now people have experienced a serious event that has put millions of businesses at risk across the country; the businesses that are left after this financial meltdown will definitely be seeking to put measures in place to ensure that if this issue should occur again, their organisation will be able to handle the situation better than it has currently. In short, there will be a lot of lessons learned from this event and many organisations will put BCP/DR plans right to the absolute top of their to-do lists.

So, as usual, here are Razorthorn’s Top Tips:

Plan correctly

BCP planning is about ensuring that the business can continue during a crisis; DR planning is about ensuring the company can effectively recover operations back to normal once the crisis has ended. Don’t mix them up: they are TWO different sets of plans.

Technology is only one piece of the puzzle

Too many plans focus on technological access – whilst this is a huge part of the puzzle you need to remember this bit is only one part of the equation. Yes, it needs to be done, it needs to be efficient and effective in its delivery of service, but there are many other aspects also to consider.

Business Impact Assessments / Critical Asset Identification

Assess the DNA of the company, what makes it tick, how it makes its revenue, how it operates within itself and with its customers. Understand the ecology of the business and make a list of the critical functions and assets of the organisation, then conduct a BIA on those functions and assets with the business owners AND those that manage those functions and assets.

Don’t plan for every eventuality

You can’t predict the course of one event, let alone develop plans for all possible events. It’s not possible and it’s counterproductive. This is what makes me cringe when I see people creating a library of plans. Work on handling the three states (see ‘Consider the three states’ below), not an individual event. This is what drags a project out; it’s what makes them cumbersome and expensive. You can never predict the course of an event, so don’t try. When an event ACTUALLY happens it likely won’t follow the predicted path, so just… don’t.

The only time I go against this is if an event has occurred that is likely to occur again (like this pandemic shutdown), then by all means write a playbook but focus on the shutdown and not how it happened…

Business BCP/DR

This is critical and often forgotten in favour of technology. Does the business have capital stored away to pay staff during a BCP event? Does it have contingency plans for third parties with critical services going out of business? There are a whole raft of business level issues that need to be included in any BCP plan. Another good example often forgotten is PR people. If you are having a serious event that is being discussed in the media, MAKE SURE you have a good PR person on the BCP team to manage the publicity. The business aspects of a BCP plan are critical and usually left out.

Review historical events

Always start your planning process with a review of historical data and events that have caused the company pain in the past which, let’s face it, should not be too difficult at the moment. Talk with the C Suite, the business owners and the directors on what issues they faced, the problems they dealt with and the sacrifices they made. It’s important not only to build plans that work but also to get support for the project from those that suffered the most pain.

Consider the three states

There are only ever three states an asset or business function can be in, other than working efficiently.

  • Partially unavailable – not working as intended/partially affected
  • Wholly unavailable – not working or available at all
  • Purgatory – available physically, but cannot be used for some reason

The one that gets people questioning me a lot is that last state, which is the title to this article… purgatory. How can something be available but not be able to be used? Well, this current business climate is a great example. A very relevant example is that many businesses have offices and premises they cannot use, whether that’s because it’s been mandated by the government to close or due to staff having to self-isolate.

Get help

I know we Information Security professionals have a reputation for sounding a little negative, indeed you can see that at the beginning of the article… but do make sure you get an Information Security professional with a history of BCP planning to help you build your own plans; it’s a really important part of making a BCP/DR plan work. You can go it alone, but this is what we train for and work with in our daily lives, so use that experience to your advantage.

As a final statement, please all stay healthy, we at Razorthorn hope you are all ok and well during these rather unpleasant times. If you would like to talk to us about this or any other security requirement then please feel free to contact us and we will be more than happy to assist.

Finding Cyber Threats with Attack-Based Analytics

All too often, security teams within organisations fail to test their controls using the same real-world techniques that would be used by potential adversaries.

Only by emulating offensive techniques can defences be tested, measured and improved, thereby augmenting intrusion detection and prevention mechanisms.

An effective security team should not only aim to test technical controls, but also their outcomes.

These should answer basic questions such as

  • What can our controls and programme currently detect?
  • What do they fail to detect?
  • How quickly do they detect the attack methods?
  • What would be the likely outcome in the event of a detection failure?
  • How long does it take for us to contain the attack, remediate and recover?
  • Are our intrusion detection tools and systems working as they should?
  • What is the signal-to-noise ratio for the detection criteria?

Such tests would demonstrate where different threat actors would be successful or would be caught in the environment and would allow the business to know exactly what is detected or mitigated and what is not.

The ATT&CK Framework

One of the most valuable frameworks for building adversary attack emulation scenarios is ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge).

As described by MITRE:

ATT&CK is a knowledge base of cyber adversary behaviour and taxonomy for adversarial actions across their lifecycle. ATT&CK has several parts: PRE-ATT&CK, which focuses left of delivery and exploit, ATT&CK for Enterprise, which covers initial access/exploit and beyond, and ATT&CK for Mobile, which focuses on mobile devices.

The ATT&CK model applies to enterprise IT systems covering Windows, macOS, and Linux, and mobile devices using Android or iOS. It places the tactical goals of an adversary within ten categories:

  • Persistence
  • Privilege Escalation
  • Defence Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Execution
  • Collection
  • Exfiltration
  • Command and Control

Each of the tactical categories within the matrix includes common attack techniques, such as ‘Supply Chain Compromise’ or ‘Spearphishing Link’ for Initial Access. Privilege Escalation includes ‘Sudo’ and ‘Launch Daemon’, while Credential Access contains ‘Bash History’ and ‘Two-Factor Authentication Interception’. Of course, some of the techniques, such as Network Sniffing, can span multiple categories (Credential Access and Discovery).

It’s important to stress that ATT&CK doesn’t claim to cover all possible techniques in a given tactical category (it would be dangerous to make this assumption), but is based on a community of knowledge about actions that adversaries have used for a particular purpose. Using the framework, a Red Team posing as the adversary can test each of the methods while the Blue Team acting as network defenders can see whether the actions are detected or not. In this way the security team can benefit from exposing themselves to a wide variety of adversary types and techniques.

Best Practices

The ultimate aim of running these tests is to identify visibility gaps and determine where we need to make improvements. Is your intrusion detection system doing its job and has it been configured correctly? Would the attacks be detected in your log files (assuming software or a person actually examines these files)?

Test

Ensure that you have permission and approval before running any test. You should run the test in a test environment that mimics your production environment and that’s covered by your IDS. Simulate the attack either through an automated or manual method.

Develop Threat Intelligence

Even with an automated solution, it’s advisable that you have a sound technical understanding of how these attacks work. If you don’t, this will be an opportunity to learn. New attacks will keep emerging and an effective threat intelligence programme will ensure that it keeps you prepared by making you aware of every new attack tactic.

Test and Enhance

As adversaries continue to evolve methods for compromising systems and evading common defences, it’s critical that information security leaders understand how their defensive operational capabilities, such as technical controls, expertise, and response processes, perform in the face of a determined adversary. Only by carrying out real-world tests can gaps in these defences be identified. As such, ATT&CK represents an excellent framework for systematically testing your defences against attack techniques and tactics.

Gather Evidence

Did your IDS raise an alert? Is there a new entry in a log file revealing the attack? Perhaps nothing was detected. Record and measure everything you observe.

Develop Detection

If your existing defences failed to detect anything, it’s time to investigate and implement a solution that does.

Measure

Before moving on to the next attack tactic, ensure that you record whether detection was a success or failure. This way you will know where the gaps are and can track progress.
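The questions listed at the start of this article (what do we detect, how quickly, what is the signal-to-noise ratio) and the Test / Gather Evidence / Develop Detection / Measure steps above come down to bookkeeping: for each emulated technique, did a rule fire inside the test window, how long after the Red Team started, and how often does that same rule fire on ordinary activity? The script below is an added example, not Razorthorn’s tooling or anything from MITRE. It works over a handful of constructed syslog/auditd-style lines from an imaginary host, with three technique names taken from the article (Sudo, Bash History, Network Sniffing), assumed regular-expression detection rules, and assumed test windows; the promiscuous-mode pattern is a placeholder rule to show what a visibility gap looks like in the output.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log lines from an imaginary test host. The 09:30 sudo line is
# legitimate admin activity and falls outside every test window, so it counts as noise.
SAMPLE_LOG = """\
2024-03-01T09:30:12 host1 sudo: admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
2024-03-01T10:00:07 host1 sudo: dev : TTY=pts/0 ; PWD=/home/dev ; USER=root ; COMMAND=/bin/bash
2024-03-01T10:02:15 host1 sshd[2211]: Accepted publickey for dev from 10.0.0.5 port 51022
2024-03-01T10:05:42 host1 auditd: type=SYSCALL exe="/usr/bin/cat" name="/home/dev/.bash_history" auid=1001
2024-03-01T10:07:01 host1 CRON[3012]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01T10:12:30 host1 sshd[2290]: Disconnected from user dev 10.0.0.5 port 51022
"""


@dataclass
class EmulationTest:
    technique: str      # technique name as the article uses them
    tactic: str
    start: datetime     # when the Red Team ran the technique
    end: datetime       # end of the observation window


@dataclass
class Result:
    technique: str
    tactic: str
    detected: bool
    seconds_to_detect: Optional[float]


# Assumed detection rules, one per technique. A match means "this rule would have alerted".
RULES: Dict[str, re.Pattern] = {
    "Sudo": re.compile(r"\bsudo: .* USER=root"),
    "Bash History": re.compile(r"\.bash_history"),
    "Network Sniffing": re.compile(r"entered promiscuous mode"),  # placeholder rule
}

# Assumed test schedule for the Red Team run.
TESTS = [
    EmulationTest("Sudo", "Privilege Escalation", datetime(2024, 3, 1, 10, 0), datetime(2024, 3, 1, 10, 4, 59)),
    EmulationTest("Bash History", "Credential Access", datetime(2024, 3, 1, 10, 5), datetime(2024, 3, 1, 10, 9, 59)),
    EmulationTest("Network Sniffing", "Discovery", datetime(2024, 3, 1, 10, 10), datetime(2024, 3, 1, 10, 15)),
]


def parse_log(text: str):
    """Split lines into (timestamp, message); lines without a leading ISO timestamp are skipped."""
    events = []
    for line in text.splitlines():
        ts, _, msg = line.partition(" ")
        try:
            events.append((datetime.fromisoformat(ts), msg))
        except ValueError:
            continue
    return events


def evaluate(log_text: str, tests: List[EmulationTest], rules: Dict[str, re.Pattern]) -> dict:
    """Gather evidence and measure: per-test detection and time to detect, overall coverage,
    and per-rule noise (alerts that fired outside any test window)."""
    events = parse_log(log_text)
    in_window = {name: 0 for name in rules}
    outside = {name: 0 for name in rules}
    for ts, msg in events:
        for name, pattern in rules.items():
            if pattern.search(msg):
                if any(t.technique == name and t.start <= ts <= t.end for t in tests):
                    in_window[name] += 1
                else:
                    outside[name] += 1

    results: List[Result] = []
    for t in tests:
        pattern = rules.get(t.technique)
        hits = [ts for ts, msg in events
                if pattern is not None and t.start <= ts <= t.end and pattern.search(msg)]
        first = min(hits) if hits else None
        results.append(Result(t.technique, t.tactic, first is not None,
                              (first - t.start).total_seconds() if first is not None else None))

    # Signal-to-noise per rule: the share of its alerts that fell inside a test window.
    snr = {name: (in_window[name] / (in_window[name] + outside[name])
                  if in_window[name] + outside[name] else None) for name in rules}
    coverage = sum(r.detected for r in results) / len(tests)
    return {"results": results, "coverage": coverage, "noise": outside, "snr": snr}


if __name__ == "__main__":
    report = evaluate(SAMPLE_LOG, TESTS, RULES)
    for r in report["results"]:
        status = f"detected in {r.seconds_to_detect:.0f}s" if r.detected else "NOT DETECTED (gap)"
        print(f"{r.tactic:<20} {r.technique:<18} {status}")
    print(f"coverage {report['coverage']:.0%}; noise {report['noise']}; snr {report['snr']}")
```

The two numbers worth carrying forward to the next round are the coverage (which technique has no working detection, here Network Sniffing) and the per-rule signal-to-noise ratio: the Sudo rule fires on routine administration as well as on the test, so before it goes into production it needs narrowing, otherwise the alert will be ignored when it matters.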

The Evolution of Phishing

It’s becoming increasingly clear that weak passwords and phishing offer far easier mechanisms for breaking into most organisations than exploiting software vulnerabilities. Email and the human threat vector are effectively seen by attackers as the weakest security links within most organisations. This should come as no surprise, given that email itself, like much of the early Internet, was developed without much thought given to information security. As a result, the vast majority of email communications continues to be inadequate in verifying user authenticity, and increasingly sophisticated professional criminals and state-level actors have access to a vast treasure trove of information on individuals on sites such as LinkedIn, Twitter, Facebook, personal information aggregating sites, business and national registries, along with information taken from a multitude of breaches.

A recent threat report finds that the frequency of email fraud attacks and the number of individuals targeted per organisation are continuing to rise. Attackers are also looking to make phishing even harder to detect, via new tactics such as using AI to monitor executives’ online behaviour, and AI-enabled chatbots to lure users into clicking on malicious links. Universities are also becoming a desirable target, with researchers detecting nearly 1,000 phishing attempts hitting at least 131 universities in 16 countries over the last year.

Emails attempting to steal corporate credentials have increased over 300% between the second and third quarters of 2018. The threat of such attacks is amplified by employees’ worsening security habits. A survey of 1600 global employees found that 75% of respondents reuse passwords across both personal and professional accounts, a figure which has drastically increased. 18- to 25-year-olds are reusing passwords at a particularly high percentage, suggesting that younger employees have perhaps less security experience and/or are simply less security inclined. Particularly worrisome for most organisations should be the finding that 15% would consider selling their workplace passwords to a third party. This highlights the significant insider security threat often overlooked by many companies.

State-level actors have also been accused of targeting businesses through phishing. In one case, spear-phishing emails were sent to hotel staff in at least seven European countries and one Middle Eastern nation. Opening the email’s .doc attachment deployed malware on the hotel machine that then infected equipment that controlled internal and guest Wi-Fi networks, allowing those responsible to attack people of interest.

Weak information security policies, insufficient awareness, inadequate enforcement and insecure system configurations often lead to an increased level of threat in all of these areas. In some cases information security awareness training is viewed as an inconvenience that is carried out (if at all) upon hire or annually without any further follow-up. This fails to support information retention and positive habitualisation by the trainee. Only a sustained and well-planned year-round information security awareness programme can ensure that organisations prepare themselves for hostile actors and prevention of insecure internal practices.

Given that emails continue to be the cyber-criminals’ vector of choice for distributing malware and phishing, the right course of action for organisations would be to address this major threat by reviewing and improving information security awareness programmes. In particular, regular and strategically planned phishing awareness exercises should be carried out to raise the alertness levels of employees to this threat. Digital signatures and email security software can also be deployed as further threat mitigating measures. While risk mitigation measures will seldom eliminate a threat, such measures combined with more secure system configurations, should go a long way towards significantly mitigating this sizeable threat, which is likely set to further grow through the use of more advanced AI attacks.

Are Supply Chain Attacks our Weakest Link in Cyber Security?

By the end of 2021, supply chain attacks are expected to be 4 times higher than in 2020. According to a recent report (Threat Landscape for Supply Chain Attacks, ENISA) which analysed 24 recent attacks, in 66% of reported incidents, attackers focused on the suppliers’ code in order to compromise their targets.

As was noted by the UK’s National Cyber Security Centre in its Cyber Threat to UK Business report:

“Supply chain compromises of managed service providers and legitimate software… provided cyber adversaries with a potential stepping stone into the networks of thousands of clients, capitalising on the gateways provided by privileged accesses and client/supplier relationships. It is clear that even if an organisation has excellent cyber security, there can be no guarantee that the same standards are applied by contractors and third party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.

Supply chain compromises typically seek to introduce security flaws or other exploitable features into equipment, hardware, software, or services, prior to their supply to the target (or make use of a compromised supplier organisation’s connections to the target). Operations or activities are usually designed to breach confidentiality and integrity, but they may also be designed to affect availability (such as supplying defective equipment). Ongoing servicing, support or updates to equipment, hardware or software may also provide opportunities for threat actors to interfere with the supply chain…When done well, supply chain compromises are extremely difficult (and sometimes impossible) to detect.”

How to secure against supply chain attacks

No matter how strong the information security structure of your business may be, you are only as strong as your weakest link, and often adversaries are aware that businesses fail to adequately assess the information security practices of their suppliers. The first step in efficiently prioritising your resources in this area is to know precisely who your key suppliers are and to maintain a consistent methodology to address this issue. You should also have in place criteria by which different types of information are classified based on sensitivity. The volume of data that the supplier has access to can also be a key part of the assessment criteria. In this way, we can place a higher level of scrutiny on critical suppliers that have access to sensitive business data. In some cases we may find that the supplier has no need to access certain data sets and so we can take adequate measures to limit access to only that which is necessary.

Suppliers that touch little or no company data of any kind are rare in the digital age, so many suppliers should be undergoing review by qualified and experienced information security professionals. The first step in engaging with suppliers on an information security review will often be a questionnaire, and these questions should be based on formalised information security standards. Ideally, critical suppliers should also be undergoing on-site reviews to verify the results of a question-based survey.

Once a formal supplier security process is in place and integrated into the procurement process, with criticality and risk ratings generated, a business can ensure that adequate measures are being taken to minimise the attack surface through a third-party vector. There are numerous benefits to having such a process in place, including a significant reduction in business risks such as damage to assets and reputation, and major fines. All of these can result in big financial losses. By having a formal review process, you also provide assurance to your suppliers that you have strong information security measures in place and that any shortcomings on their part may result in them losing your business. This therefore leads to an amplifier effect where your information security and that of your suppliers are increased in concert.

Ultimately, an adversary is looking for and needs only one small point of entry to carry out a costly attack on your organisation. As past events have shown, if organisations fail to carry out adequate information security reviews of their suppliers, it becomes only a matter of time until your company’s name may end up in the news – for all the wrong reasons.

Contact us for a thorough cyber security assessment today.

The Importance of Cyber Security Metrics

Imagine for a moment a scientific experiment where no one measured anything. How reliable would the results be? Firstly, no one would be able to test a hypothesis with any real certainty. Even if observations were made, the experimenters would have to recall these from memory, with all of its inherent shortcomings. The experimenters would likely even disagree among one another over what they had observed. Then of course they would have to present their findings. They could describe the experiment, but all of the key questions like how much, how fast, etc. would all have to be left unaddressed or described in a qualitative manner: “The material combusted quite quickly” or “The bacteria multiplied quite fast.” This would be enough for any respectable scientist to howl in laughter or pull their hair out in frustration. There would be no confidence in any of the findings and the study itself would be impossible to replicate. An unscientific scientific experiment indeed.

In a similar vein, no information security programme can be effective if it fails to gather relevant data to create metrics and track progress. While mistakes and biases can still skew results, the beauty of the scientific method is that it places our faith in facts and evidence. Like an astute detective scanning a crime scene with a keen eye, we must derive meaning from chaos. We can only do so by gathering information pertinent to the investigation.

What would be ill-advised is to gather information without first knowing what questions we are trying to answer.

Key questions for measuring cyber security metrics

  • What are the goals of my information security programme?
  • How will metrics demonstrate the progress of my information security programme?
  • What data do I have access to and what data will I need?
  • What tools will I use to gather that data?
  • How much time and money will it take to implement these metrics?
  • Which metrics will be key indicators?
  • How can I present these cyber security metrics in a way that can be understood by senior management and translates to the broader goals of the organisation?

We also need to be aware of the potential limitations and pitfalls of metrics. If it becomes too great of an obsession, organisations and individuals can often lose sight of the main strategic purpose of the metrics. The numbers become an obsession, to such an extent that it becomes a game of sorts; people and organisations desperately look for any way to show an improving metric by any means necessary, even if it happens to run counter to the spirit of that metric.

The old adage of “you can’t manage what you don’t measure” remains true in almost every field and organisational department. Ultimately the question we are aiming to answer with information security metrics is: Am I spending time and money on what matters most? In that sense, an effectively implemented and sustained metrics initiative will prove to be invaluable in harnessing the full power of an information security programme.

Razorthorn Recognised as Market Leader

Razorthorn has been recognised by the global research and advisory firm Gartner as a market leader in the delivery of PCI consultancy and advice.

The latest report by Gartner, Inc. highlights how quality is not dictated by size and that experience and past success are the true measure. The report, Market Guide for PCI DSS Qualified Security Assessment Services, published on 15 August 2018, makes clear that “security and risk management leaders responsible for engaging PCI DSS assessors must ensure their assessor has relevant domain experience and understands both business and technical drivers”.

PCI DSS compliance is one of the biggest challenges and concerns for any organisation that either relies on taking card information from customers for their services or facilitating organisations with services that do. As a company with over 15 years of experience in helping its clients succeed in their PCI endeavours, Razorthorn can assist companies with all PCI DSS Projects and Re-Audits.

Find out about our PCI DSS Compliance Consultancy service.

The Importance of Data Masking

A guest blog by Steve Pomroy, Imperva

The Uber Breach and the Case for Data Masking

You’ve probably heard about the Uber data breach, involving the personal data of 57 million Uber customers and drivers and a six-figure bribe. Without a doubt, it’s nasty business. But for all that, this breach stings a little more for me and not just because I’m probably one of those Uber riders whose data was stolen. It’s worse because these data thieves could have been left holding the equivalent of digital fool’s gold instead of Uber’s crown jewels, so to speak. Let me explain.

Sensitive Data and Development Environments

If you read the article closely, you’ll notice that the hackers appeared to work their way in via the software engineering side of the house. They ultimately accessed an archive of sensitive rider and driver data after obtaining login credentials used by the software engineers (which the engineers had publicly posted in GitHub). In other words, the attackers found a copy of the production data that was being used by Uber’s software developers to improve and enhance its systems and applications. There is a fundamental problem with this approach to development. First and foremost, sensitive data should never be used for software development purposes.  

The approach of simply copying a production database and dumping it into a lightly secured development environment might have been acceptable 20 years ago, but it’s completely unacceptable now. Why? Because it not only needlessly amplifies the attack surface with each copy, but industry best practice masking technology is available that greatly reduces the risk while retaining the functionality of the data.

That data should have been masked (deidentified / pseudonymized) before being opened up to the software engineers. Not only would it provide developers with the realistic data they need to build high quality software, it would also protect the data subjects (Uber riders like you and me). By the way, copying data for dev purposes like this flies in the face of the data minimization rule found in the EU’s GDPR. If this had happened after May 2018, it would certainly run afoul of the new rules.
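What “masked (deidentified / pseudonymized)” looks like in practice, as an added example that is not Imperva’s product or code and not part of the original post: the copy handed to developers keeps the shape of the data (emails still look like emails, phone numbers keep their country code and length, the same rider still appears as the same rider across rows, trip counts are untouched), while the real identities are replaced. The technique shown is keyed pseudonymisation with HMAC-SHA256; the key stays in production and is never copied to the development environment. The rows, the name pools and the key value are constructed for this example; a real deployment would also handle free-text fields and any column that indirectly identifies a person.

```python
import hashlib
import hmac
from typing import Callable, Dict, List

# Constructed, fictitious "production" rows. Rows 0 and 2 belong to the same rider, so the
# masked copy must keep them linkable without revealing who that rider is.
PRODUCTION_ROWS = [
    {"rider_id": 1001, "name": "Alice Example", "email": "alice@example.com", "phone": "+44 7700 900123", "trips": 42},
    {"rider_id": 1002, "name": "Bob Sample", "email": "bob@example.org", "phone": "+44 7700 900456", "trips": 7},
    {"rider_id": 1003, "name": "Alice Example", "email": "alice@example.com", "phone": "+44 7700 900123", "trips": 3},
]

# Pools of synthetic names (assumed for this example).
FIRST_NAMES = ["Avery", "Blake", "Casey", "Devon", "Ellis", "Finley", "Harper", "Jordan"]
LAST_NAMES = ["Ashford", "Bennett", "Carver", "Dalton", "Ellison", "Forster", "Greaves", "Holloway"]


def _tag(key: bytes, field: str, value: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over field name and value, hex encoded.
    The same input always gives the same tag (so joins still work), and without the key
    nobody can reverse a tag or rebuild it from a guessed input."""
    return hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()


def mask_name(key: bytes, name: str) -> str:
    tag = _tag(key, "name", name)
    first = FIRST_NAMES[int(tag[:8], 16) % len(FIRST_NAMES)]
    last = LAST_NAMES[int(tag[8:16], 16) % len(LAST_NAMES)]
    return f"{first} {last}"


def mask_email(key: bytes, email: str) -> str:
    # Keeps the shape of an address; .invalid is a reserved TLD, so test mail can never be delivered.
    return f"user{_tag(key, 'email', email)[:12]}@example.invalid"


def mask_phone(key: bytes, phone: str, keep_digits: int = 6) -> str:
    """Format-preserving: keep punctuation and the first `keep_digits` digits (country code
    and number range), replace the remaining digits with digits derived from the tag."""
    digit_source = iter(str(int(_tag(key, "phone", phone), 16)))  # ~77 decimal digits available
    out, seen = [], 0
    for ch in phone:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= keep_digits else next(digit_source))
        else:
            out.append(ch)
    return "".join(out)


MASKERS: Dict[str, Callable[[bytes, str], str]] = {
    "name": mask_name,
    "email": mask_email,
    "phone": mask_phone,
}


def mask_rows(rows: List[dict], key: bytes) -> List[dict]:
    """Return a masked copy: sensitive fields pseudonymised, everything else (ids, counts) kept
    so that developers' queries, joins and aggregates behave as they do in production."""
    masked = []
    for row in rows:
        new_row = dict(row)
        for field, masker in MASKERS.items():
            if field in new_row:
                new_row[field] = masker(key, str(new_row[field]))
        masked.append(new_row)
    return masked


def find_leaks(original: List[dict], masked: List[dict]) -> List[str]:
    """Check before the copy leaves production: any original sensitive value that still
    appears anywhere in the masked set is a leak."""
    sensitive = {str(row[f]) for row in original for f in MASKERS if f in row}
    dump = " ".join(str(v) for row in masked for v in row.values())
    return sorted(v for v in sensitive if v in dump)


if __name__ == "__main__":
    key = b"example-only-key"  # in practice a secret held in production (KMS/HSM), never shipped to dev
    masked = mask_rows(PRODUCTION_ROWS, key)
    for row in masked:
        print(row)
    print("leaks:", find_leaks(PRODUCTION_ROWS, masked))
```

Two design points matter here. Pseudonymisation is keyed rather than a plain hash, because an unkeyed hash of an email address can be recomputed by anyone with a list of candidate addresses; and the leak check runs as a gate, so a new sensitive column added to the schema without a masker fails the export rather than quietly landing in the development copy.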

A Different Outcome

Every time I read one of these headlines, I cringe. It’s every executive’s worst nightmare to stand in front of the media and/or lawmakers and talk about the millions of user accounts stolen, the fraud protection they’re putting in place, and the “renewed” approach to security they’re (finally) taking—not to mention the fines regulators may impose, the brand damage, share price hit, etc. And, of course, there are the customers like you and me who have our personal data stolen all over again.

And then I turn the scenario completely inside out:

The CEO calls a press conference to announce that hackers broke into their systems and attempted to steal the data of 57 million customers from one of their development servers. Luckily, the stolen “data” had been masked. Not only did the attackers steal data with zero street value, the company worked with investigators to track down the hackers attempting to bribe the company for their silence. The message in this scenario couldn’t be clearer: here’s the proof that our company takes the security of your data very seriously.

While data masking wouldn’t have prevented the Uber breach, it certainly would have mitigated the impact. Masked data reduces risk exposure and in this case would have kept Uber’s customer and driver data safe (and useless) in hackers’ hands.

Social Engineering – Hacking Human Emotion

The Art Of Deceiving People

Criminals will always look for the path of least resistance. This is why social engineering – the act of ‘hacking’ people – is often the criminal’s chosen way into organisations. It is far easier to exploit the trust people have in others than it is to discover ways to break into buildings or hack highly secured, robust systems.

This article is about emotional skills social engineers use rather than their technical capabilities, because the emotional skills are far more powerful, harder to defend against and often leave little trace. It’s always fascinated me how easy and powerful this kind of attack is and over the years, I have studied many of the renowned protagonists, as well as many you may not consider.

Social engineering has been part of the fabric of human interaction since records began. The simplest and easiest way to explain this underrated skill is “the ability to convince a person or people that your requirements are correct or acceptable.” Social engineering is an art form and, like any other, you need to practice it on a daily basis to perfect it. Some of the greatest social engineers are known for their ability to not only convince people, but also their ability to adapt and adopt in an instant depending on the situation.

Another way to explain the skills involved in being a social engineer is to understand how the specialism is used in many forms and given many titles.

The Razorthorn Social Engineering Testing Service

How susceptible are your employees to social engineering? As of 2020, in 95% of all tests, we have managed to obtain sensitive information employing social engineering techniques. How do you measure up?

Occupations that require social engineering skills:

  • Intelligence officers
  • Private investigators
  • Police officers
  • Politicians
  • Sales people
  • Professional gamblers
  • Hypnotists
  • Mediums
  • Magicians

Although the above is not an exhaustive list and may surprise you, it gives you a good idea of how pervasive social engineering skills are. It’s only when you consider the many roles social engineering plays in everyday life that you begin to understand the power that comes with it.

The list of successful social engineering hacks is endless in scale and cost – from the Greeks’ use of the Trojan Horse to the release of FBI files in 2016 with the now famous statement:

“So, I called [the helpdesk] up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine – just use our one. I clicked on it and I had full access to the computer.”

Social engineers use a number of techniques to manipulate their targets, but they all rely on using human weakness – our emotions – to succeed. Neuro-linguistic programming techniques are employed to create a personal connection and an atmosphere of likeability and trust. This is achieved by mirroring the target’s body language, breathing rate, voice and vocabulary, and will enable the hacker to subtly take control of conversations and manipulate people’s emotions.

Social engineers understand that people care most about themselves: by suspending their ego and engaging the target in conversations about themselves, they will give the target a sense of self-importance and, consequently, a desire to spend more time with the infiltrator. Another key weapon a social engineer could use is sexual attraction. The endorphins that are released during exchanges where there is attraction and flirtation will cause targets to be more vulnerable and subsequently give away sensitive information more freely. Sexual attraction is a powerful weapon, and when utilised effectively, the chances of successful manipulation of a target are massively increased.

However, social engineers do not always use a friendly or charming approach to get what they want; they can play on a number of human emotions in order to manipulate their targets.

Emotional Attacks

Obedience

From a young age we are conditioned into obeying those we perceive as being of a higher status and with greater authority than ourselves. For this reason, victims of social engineering techniques will rarely question a figure of authority. For example, a manager you have never met demands urgent access to a room or to information so that senior management can complete an important task. They may be wearing seemingly correct ID, using the names of senior managers you have heard of, and subtly mention that your obstruction could cost you your job. You would be amazed at how successful this simple technique can be at convincing people to hand over the information they desire. The same technique also works when the attacker poses as police, fire, ambulance, roadside recovery teams, hotel staff etc.

Fear

Fear can cause people to do things that they would not think of doing under the influence of any other emotion; people will act out of character to remove themselves from the situation that is causing them to feel fear. This can be seen in as simple a situation as receiving a phone call stating that: “Your bank account has been compromised and we need to transfer your account over to a safe area to ensure no more money is taken from your account.” The attacker uses fear and urgency to confuse and weaken their target and is successful in many cases.

Lust

Lust can take many forms: lust for power, for money, or for sex. It is a strong, intense and selfish desire, and social engineers can use this to their advantage.

Kindness

For the majority of people, it is part of their nature to want to help others who they perceive to be in need. This desire to improve the lives of others in some small way can be seen in as simple a gesture as giving change to a homeless person on the street. However, this desire can be taken advantage of. Imagine, for instance, a woman rushes into the atrium of the building you work in, she looks stressed and upset and is rummaging desperately through her handbag: “I forgot my badge and I am so late for my meeting! Would you mind please letting me through?” Would you do it? Most people probably would.

Anger

People will tend to go out of their way in order to avoid confrontation. If you are quite clearly angry, the average Joe is unlikely to stop and question you; people just want to get out of the presence of an angry person. Acting as an angry top-level employee who can’t access his specific files will generally get you what you want if portrayed in the right manner to the right person.

Curiosity

Another social engineering technique is based on the human trait of curiosity. Its main characteristic is the promise of something interesting or advantageous, which hackers use to deceive their victims.

Phishing Attacks

There are many types of phishing attacks (for example, whaling and spear phishing), but they are all a form of online fraud in which the attacker tries to gain information, such as login credentials or account information, by masquerading as a trustworthy entity or person via email.

Phishing attacks are the most commonly exploited attack vector and account for 90% – 95% of all successful cyber attacks (IRONSCALES, 2017). Only around 3% of the malware run from phishing emails tries to exploit a technical flaw, whilst the other 97% is trying to manipulate the user through some type of social engineering (Sjouwerman and Mitnick, 2017). According to a statement released by the Department of Justice, two of the biggest tech giants fell victim to an email scam that cost them roughly $100 million (Statt, 2017).

Successful phishing attacks often take the following form: “Your bank account has been breached! Click here to login and verify your account.” Or, “You have not paid for the item you recently bought on Amazon. Please click here to pay.”

These types of emails create a sense of urgency and fear that causes the victim to act quickly and click on the link without further consideration. The phishing email will usually direct victims to a spoofed website to get them to give away the sensitive information the hackers require.
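The two traits described above, an urgency or fear lure and a link that leads somewhere other than where it claims to, can be checked mechanically before a message reaches a user. The following is an added example, not code from the original article or from Razorthorn: it scores a constructed email on those two indicators using only the Python standard library. The phrase list, the sample messages and the `example-bank` / `examp1e-bank.test` domains are all assumed for illustration.

```python
"""Added example (not from the original article): score an email for the
phishing traits described in the text: urgency language and links whose
visible text names a different domain than the href actually points to.
Standard library only; all sample data below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of lure phrases; a real filter would use a tuned, larger set.
URGENCY_PHRASES = (
    "has been breached", "verify your account", "click here",
    "act now", "immediately", "suspended", "not paid",
)
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' domain comparison (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def mismatched_links(html):
    """Links whose visible text looks like a domain that differs from the href host."""
    parser = LinkExtractor()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text.lower())
        if shown and registrable(shown.group(0)) != registrable(href_host):
            found.append((text, href_host))
    return found


def phishing_score(sender, subject, html):
    """Return {'score': int, 'reasons': [...]}; higher means more indicators."""
    reasons = []
    body_text = re.sub(r"<[^>]+>", " ", html).lower()
    hits = [p for p in URGENCY_PHRASES if p in body_text or p in subject.lower()]
    if hits:
        reasons.append(f"urgency language from {sender}: {hits}")
    mism = mismatched_links(html)
    for text, host in mism:
        reasons.append(f"link text '{text}' actually points to {host}")
    # Weighting is an assumption: a disguised link counts double a lure phrase.
    return {"score": len(hits) + 2 * len(mism), "reasons": reasons}


# Constructed samples, modelled on the lures quoted in the text.
SUSPECT_EMAIL = {
    "sender": "security-alert@examp1e-bank.test",
    "subject": "Your bank account has been breached!",
    "html": ('<p>Click here to <a href="http://login.examp1e-bank.test/verify">'
             'www.example-bank.com</a> and verify your account immediately.</p>'),
}
BENIGN_EMAIL = {
    "sender": "newsletter@example-bank.com",
    "subject": "Your April statement is ready",
    "html": ('<p>Your statement is ready to view at '
             '<a href="https://www.example-bank.com/statements">www.example-bank.com</a>.</p>'),
}

if __name__ == "__main__":
    for name, mail in (("suspect", SUSPECT_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_score(**mail))
```

The domain comparison is deliberately simple; in production the registrable-domain step should use a public suffix list, and the score would feed a mail gateway's quarantine rule rather than a print statement.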

Other Forms of Attack

Quid pro quo

Quid pro quo attacks promise the victim a benefit in exchange for information. This type of attack often involves people posing as technical support. They will make random calls to employees within a company stating that they are contacting them regarding an urgent issue (“your laptop has been breached; install the new software now to prevent further damage”) or, if they have physically manipulated their way into the organisation itself, they may go and speak to the target in person and simply say, “I need your password so I can help protect your PC against security breaches.”

Social engineering bots

Malicious bots are often responsible for highly sophisticated and destructive social engineering attacks. These bots can infect web browsers with malicious extensions that hijack web surfing sessions, and use social network credentials that have been saved in the browser to send infected messages to friends. They could be on your social networks, such as Facebook, posing as friends, but instead be siphoning off your data or influencing your decisions with convincing points of view.

Off guard hack

This type of attack happens on mutual ground, such as in a bar, coffee shop or on a train. The attacker has done their research and has found out where the mark will usually be when they are not at the office. The pub or bar is one of the most efficient places to interact with the target, as they will be more relaxed and their inhibitions will be lowered through the consumption of alcohol. When you bring sexual attraction into the mix, the social engineer can manipulate the target into sharing information with them that they would never contemplate divulging in the work environment.

Baiting

Baiting is the cyber world’s Trojan Horse: it uses physical devices and relies on human curiosity. For example, if you leave a USB drive lying around an office, chances are somebody is going to pick it up and insert it into their computer. Once this piece of hardware has been inserted into a computer, which is more than likely connected to a larger network, the malicious payload is activated and will spread like wildfire through the network. The data that is held on that network and any connecting network is now in the hands of the attacker.

Tailgating

Tailgating (or ‘piggybacking’) is when someone who lacks the proper authentication gains access to a restricted area. They will gain access by exploiting the willingness of people to help others, such as holding a door open for a stranger or allowing a distressed individual to borrow your phone. Social engineers will often find outdoor social locations, such as a smoking area, and strike up conversations with targets before following them back into the building.

Information gathering

In order for a social engineer to be successful, they will always begin with information gathering before engaging with their target. The internet holds a wealth of information on organisations and individuals – a quick Google search will show you the key personnel worth targeting. Social media websites such as Facebook, Instagram and LinkedIn will hold personal details about the target’s opinions, hobbies, friends and family, and favourite places to eat and drink. Often the hacker will begin with the target’s friends or family and thereby manipulate his or her way into the target’s trusted inner circle. ‘Dumpster diving’ is another way for a hacker to glean information. Although going through rubbish isn’t the most glamorous way of doing this, the items that people throw away can be gold dust to a social engineer.

So, how do you secure your organisation against social engineering attacks?

Human error is the weakest link in any organisation. A company can have all of the alert systems and anti-virus software on the market, but if an employee willingly gives away information, your defence technology will be rendered useless. This is why the strongest defence against any social engineering scheme is education and training: social engineering attacks are not just aimed at your directors or management teams, they are aimed at the receptionist, the maintenance staff, the guard at the gate. Employees at every level of any organisation should be educated in the tactics commonly used and what to do if they think they have fallen victim.

Razorthorn provides a range of online security awareness training which educates employees on the dangers of social engineering and the different techniques that attackers use. Our market leading anti-phishing behaviour management service provides companies with the ability to run their own simulated phishing attack assessments. This subjects employees to phishing emails in a safe environment, and will teach them how to spot phishing attacks and resist any real future phishing attempts. Undergoing this training will eliminate, as far as possible, the weak link that is human error, and turn your staff into an integral part of a strong cyber defence strategy. As well as providing training for their staff, organisations must make sure that they have a strong cyber security posture; they need to be using technologies such as anti-virus, vulnerability and patch management solutions, network segmentation, database and file integrity monitoring, email security, multifactor authentication, and post-attack forensics.

Contact us to find out more or arrange cyber awareness training for your staff.

GDPR Compliance

GDPR: What you need to know

The GDPR regulations, introduced in 2018, brought in a swathe of updates to the protection of Personally Identifiable Information (PII) and new rights for Data Subjects, such as the right to be forgotten. Not only did they introduce more protection requirements, but failing to meet the GDPR compliance regulations can lead to large fines, with sums of up to 20 million Euros.

Our resident GDPR experts have outlined the 10 key points that organisations must be aware of when it comes to GDPR compliance.

The Razorthorn GDPR Compliance Service

We create a tailored approach for our clients to a) assess their current standing against GDPR and b) create and manage their compliance roadmap.

GDPR Compliance – The 10 Things You Need To Know

1. Understanding your PII

Organisations should be aware of what type of PII they hold. PII is any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier. The regulation also adds new types of identifiers, such as location data and online identifiers (IP addresses). Also included are other types of sensitive data, such as genetic and biometric data.

2. Where is the PII?

Once you understand the types of PII you hold, taking stock of where PII may potentially be stored is the next logical step. PII won’t be stored solely in databases. If your organisation deals directly with customers, PII may be stored in CRMs, email inboxes and potentially recordings of phone calls. Not only that, your own staff’s PII will inevitably be stored in various places as well, such as your organisation’s pension supplier’s databases.

3. Where does the PII flow?

The regulation requires that you map where PII is stored and sent. This itself can be a mammoth task for even the smallest organisation. The regulation does not stipulate how exactly this is performed. However, automated data discovery for organisations with a large amount of PII is recommended, while organisations that deal in a small amount of PII could utilise methods such as freeform diagrams.

4. How is the PII protected?

The regulation requires organisations to implement technological and organisational protective controls for the PII. The regulation also goes one step further, expressly calling for pseudonymisation and encryption of PII, controls to ensure the resilience of systems and services processing PII, controls that allow organisations to restore the availability of and access to the PII in the event of a breach, and frequent testing of the effectiveness of the security controls.
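Pseudonymisation, one of the controls named above, means replacing direct identifiers with a token such that the data can only be linked back to a person with additional information that is kept separately. The following is an added example, not code from the original article or from Razorthorn’s service, showing one common way to do that: a keyed hash (HMAC) over the identifier, with the key and the reverse lookup table held apart from the working dataset. The record fields and sample values are constructed for illustration; the field names are assumptions.

```python
"""Added example (not from the original article): pseudonymise a
constructed customer record with a keyed hash so that analysts can work
on it without direct identifiers, while the key and the reverse lookup
table are held separately. Standard library only."""
import hashlib
import hmac
import secrets

# Assumed direct identifiers in the sample record layout.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def pseudonym(key: bytes, value: str) -> str:
    """Deterministic keyed token: same identifier + same key -> same token,
    so records about one subject still join across datasets."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of `record` with direct identifiers replaced by one
    subject token. The reverse mapping is written to `lookup`, which must be
    stored apart from the pseudonymised data, with the key."""
    token = pseudonym(key, record["email"])
    lookup[token] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = token
    return out


def reidentify(pseudo_record: dict, lookup: dict) -> dict:
    """Controlled re-identification using the separately held lookup table."""
    return {**pseudo_record, **lookup[pseudo_record["subject_id"]]}


def unkeyed_is_guessable(value: str, candidates) -> bool:
    """Why a plain hash is not pseudonymisation: an unkeyed SHA-256 of an
    email can be matched from a list of known addresses. The keyed version
    cannot be matched without the key."""
    digest = hashlib.sha256(value.lower().encode()).hexdigest()
    return any(hashlib.sha256(c.lower().encode()).hexdigest() == digest for c in candidates)


# Constructed sample record; all values are fictional.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "Alice@Example.test",
    "phone": "+44 20 7946 0000",
    "postcode_area": "SW1A",
    "order_total": 42.50,
}

if __name__ == "__main__":
    key = secrets.token_bytes(32)      # generate once, store in a secrets manager
    lookup = {}                        # store separately from the working data
    pseudo = pseudonymise(SAMPLE_RECORD, key, lookup)
    print("working copy:", pseudo)
    print("re-identified:", reidentify(pseudo, lookup))
```

Indirect identifiers such as postcode or date of birth remain in the working copy and can still single someone out in combination; pseudonymisation reduces risk but, as the regulation treats it, the result is still personal data.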

5. Do you require a Data Protection Officer (DPO)?

Under the regulation, a DPO must be appointed if you fulfil any of the criteria listed within the regulation. For example, a DPO must be appointed if you carry out large scale systematic monitoring of individuals (e.g., online behaviour tracking). A DPO’s minimum tasks are defined within Article 39 and the regulation also outlines what support the organisation must give the DPO.

6. Do you need to carry out Data Protection Impact Assessments (DPIA)?

A DPIA enables organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. The regulation again stipulates when a DPIA should be performed and what information it should contain. For example, a DPIA is required if your organisation conducts large scale processing of special categories of data or personal data in relation to criminal convictions or offences and should include a description of the processing operations and the purposes.

7. Rights to the people?

Although GDPR requires implementation of controls for securing PII, it also implements a whole new raft of rights for the Data Subjects (i.e. the people who you hold PII on). These rights range from rights to access PII on themselves, right to full erasure, rectification of PII and the right to be informed, to name a few. The regulation also expects organisations to have documented and implemented processes to support these rights.

8. Data Controller or Data Processor?

Data Controllers and Data Processors are not new terms and have been apparent in older regulations. However, the GDPR regulation outlines responsibilities for both the Data Controllers and Data Processors. Deciding whether your organisation is a Data Controller or Data Processor will be key in how you meet the defined responsibilities. There is an argument though, that most organisations will be the Data Controller in terms of their own employees’ PII.

9. Do you have incident management?

Under GDPR, all organisations have a duty to report certain types of data breaches to the supervisory authority (in the UK’s case, the ICO) and, in certain cases, to the Data Subjects involved. The regulation also sets a 72-hour time limit from discovery for reporting data breaches. Your organisation’s Incident Management programme should mirror the regulation’s process for determining what type of breach it is, who it should be reported to and how.

10. Do you have data breach insurance?

Along with the data breaches reporting mechanism, the regulation also enforces financial penalties for certain data breaches. These penalties can be as high as either €20m (£17m) or 4 per cent of global annual revenue, whichever is highest. Organisations with the best intentions of complying fully with GDPR will not be infallible to data breaches – no one is. With this in mind, organisations should consider data breach insurance or update their current insurance policies to reflect GDPR penalties.

If you would like any further information on our GDPR compliance services or wish to speak to one of our GDPR experts, then please get in touch.

Hacking Myths

The Truth about Hacking

Your perception of cyber attacks is probably wrong

Cyber attacks can be performed for criminal, terrorist, activist or political gain. In the end, though, they all use similar Tactics, Techniques and Procedures (TTPs) to achieve their ultimate goals. From a criminal point of view, financial institutions have often borne the brunt of the hacker’s target sights.

However, we are now seeing hackers expand their scope to include healthcare organisations, retailers and even universities, with no sign of slowing anytime soon. As a security organisation, we often see security teams believing preconceived misconceptions about hackers’ TTPs and the reasoning behind their attacks, which prevents them from building effective security programmes to defend against complex cyber attacks.

Misconception 1: Security solutions prevent hackers penetrating your organisation.

Fact: No organisation is an impregnable fortress; a breach is inevitable.

Although new technologies are brought out frequently to combat hackers penetrating organisations’ networks, this still isn’t enough to combat the threat. Whereas organisations have to defend against a myriad of threats, the hacker’s only task is to find or develop a single vulnerability. No organisation is perfect and hackers know this. With a little persistence from hackers their efforts will eventually pay off.

Suggested remediation: An effective perimeter defence is important. However, organisations should build their security architecture with the assumption that it will be breached, backed up with appropriate incident response and fast-learning plans. Knowledge, sensitivity and patience are key for any good cyber security team – the more you understand your network, traffic flows and business activities, the better you will identify anomalies – technology can only do so much.

Misconception 2: Hackers only target vulnerable organisations.

Fact: Hackers aim for targets based upon their own goals, not weak organisations.

The common misconception that hackers only target weak organisations that are easy to penetrate and unprotected is false. In reality hackers aim to reel in the big fish, the big organisations that perceive themselves to be well protected. Hackers choose targets that fit their overall end-game goal, whether this is to steal money, obtain private data or damage an organisation’s reputation. Often the hacker’s aim is a combination of these things. Often, too, the organisation that is attacked is not the final target, but a route into another organisation.

Suggested remediation: Analyse what hackers would aim for within your organisation, for example sensitive information such as the critical company data that drives revenue. Develop strength in depth – not all data is created equal and some deserves greater controls than others. Prioritise what you would consider most ‘sensitive’ and create mitigating controls to help prevent hackers gaining access to your most sensitive information. External organisations that you rely on and share networks or information with should also be prioritised, in order to help prevent hackers intercepting or penetrating your networks and information.

Misconception 3: Hackers only gather information on the IT and security systems in use by an organisation.

Fact: Hackers gather all-source intelligence and data on a target in order to help them understand the target’s response.

As any hacker worth their salt knows, knowing how the target will respond to an attack can give you the ultimate edge in achieving the end goal. Hackers will spend a large amount of time building up an intelligence picture of an intended target, which goes far beyond what the target uses in terms of IT systems. Hackers will gather information on employee data, salaries, work habits, business connections, travel calendars and any data that will help build the intelligence picture and profile of key personnel within the organisation, such as security personnel.

Suggested remediation: Although this can be difficult, social media training is an essential prerequisite for all staff and especially staff of privilege. Getting them to understand how the world can use their online information and presence against them can be your most effective defence. Put in place a clear classification scheme and highlight the types of information that should not be shared outside of the company.

Misconception 4: Hackers rush in, grab what they want, then quickly leave.

Fact: Hackers like to keep themselves on the ‘down low’ and spend as long as possible within your network.

Hackers purposefully move ‘low and slow’ in order to avoid detection. It also increases the hacker’s chances of prolonged exposure to your organisation’s sensitive information. In order to remain undetected, hackers perform a minimal amount of actions per day so that they do not attract the attention of the security team.

Suggested remediation: The ‘low and slow’ technique can work to the advantage of an organisation’s security team, as it gives the team a significant amount of time to stop the hacker’s actions. Detection of the ‘low and slow’ technique can be difficult; however, there are advanced behavioural systems that can help to identify and stop these threats.
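One reason ‘low and slow’ activity slips past a security team is that most alerting rules look at one day at a time, and a handful of logons per day never crosses a daily threshold. The following is an added example, not code from the original article or from any product Razorthorn sells: it runs a per-day rule and a trailing 30-day rule over a constructed logon log and shows that only the long window surfaces an account that touches one new host every couple of days. The log format, user names, host names and thresholds are all assumed for illustration.

```python
"""Added example (not from the original article): compare a per-day
detection rule with a trailing long-window rule over constructed logon
events, to show why 'low and slow' spread needs the longer window.
Standard library only; the log lines below are constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <user> logon <host>". 'alice' reaches
# one new host roughly every two days; 'bob' only ever uses his own workstation.
SAMPLE_LOG = """\
2020-04-01T09:12:00 alice logon FILESRV01
2020-04-01T17:40:00 bob logon WS-BOB
2020-04-03T10:05:00 alice logon HR-DB01
2020-04-03T10:09:00 bob logon WS-BOB
2020-04-05T11:30:00 alice logon FIN-APP02
2020-04-07T08:55:00 alice logon DC01
2020-04-09T14:20:00 alice logon PRINT01
2020-04-09T14:25:00 alice logon FILESRV01
2020-04-11T09:02:00 alice logon WEB01
2020-04-13T16:47:00 alice logon BACKUP01
2020-04-15T12:10:00 alice logon SQL02
2020-04-17T10:33:00 alice logon DEV03
2020-04-19T09:15:00 bob logon WS-BOB
2020-04-21T13:05:00 alice logon CI01
2020-04-23T15:40:00 alice logon MAIL01
"""


def parse(log_text):
    """Parse the constructed format into sorted (timestamp, user, host) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, action, host = line.split()
        if action == "logon":
            events.append((datetime.fromisoformat(ts), user, host))
    return sorted(events)


def daily_alerts(events, per_day_max):
    """Classic per-day rule: flag users who touch more than per_day_max
    distinct hosts within one calendar day. Blind to a slow spread."""
    hosts = defaultdict(set)
    for ts, user, host in events:
        hosts[(user, ts.date())].add(host)
    return sorted({user for (user, _), h in hosts.items() if len(h) > per_day_max})


def window_alerts(events, window_days, max_hosts):
    """Trailing-window rule: at each event, count the distinct hosts the user
    reached in the preceding window_days; flag once that exceeds max_hosts."""
    per_user = defaultdict(list)
    for ts, user, host in events:
        per_user[user].append((ts, host))
    flagged = set()
    for user, evs in per_user.items():
        for i, (ts, _) in enumerate(evs):
            start = ts - timedelta(days=window_days)
            seen = {h for t, h in evs[: i + 1] if t >= start}
            if len(seen) > max_hosts:
                flagged.add(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-day rule (>3 hosts/day):", daily_alerts(evs, 3))
    print("30-day rule (>8 hosts):     ", window_alerts(evs, 30, 8))
```

The thresholds here are placeholders; in practice the window rule would be baselined per role (an administrator legitimately reaches many hosts) and fed by centralised authentication logs rather than a string in the script, which is the ‘consolidated data repository’ the closing list below refers to.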

Misconception 5: Effective response to an identified hacker’s operation equals fast response.

Fact: Hackers run decoy operations to draw attention away from the real one.

Security teams often have an incentive to stop a threat/incident as soon as it is identified. This can lead to rash decision making and not understanding the bigger picture. Whilst a quick reaction to an incident is encouraged, security teams should also take a step back and observe the bigger picture as often hackers use decoy tactics to distract you from the real attack.

Suggested remediation: An organisation should always plan to be deceived by a hacker. When closing incident tickets, always be a bit sceptical, and make sure the incident is fully contained and remediated. Look for wider patterns of behaviour and take nothing for granted, no matter how small or insignificant.

Overall, in order to deal with ever-evolving cyber attacks, organisations should implement an effective detection and response plan that is moulded by the five facts discussed above and that includes at least the following important steps:

  • Preparation across the entire company
  • Invest in detection as well as responsive processes
  • Hold test runs
  • Check the alerts that appear benign
  • Create a consolidated data repository
  • Identify measurements and matrices
  • Don’t overlook industrial controls
  • Containment and remediation
  • Plan for a follow-up budget and resources
  • Follow-up across the organisation

As long as organisations are aware and accept that hackers will infiltrate, or already have infiltrated, their network, they can begin to deal with the threats and understand the hacker’s modus operandi.

To speak to us about any aspect of cyber security, email us or call 0800 772 0625.
