Hass and Associates Cyber Security Group

Contents contributed and discussions participated by Calvin Wilkinson

Hass & Associates Online Reviews: Twelve Tips to Combat Insider Threats
started by Calvin Wilkinson on 20 Mar 15

    Twelve Tips to Combat Insider Threats
    Employees with access to sensitive data remain a critical security vulnerability - but there are practical steps for addressing the issue from within.

    The Edward Snowden leaks highlighted that if the NSA can have its sensitive documents stolen by an employee, anyone can. According to the 2015 Vormetric Insider Threat Report, 89% of global respondents felt that their organisation was now more at risk from an insider attack with 34% saying they felt very or extremely vulnerable.

    According to corporate security firm Espion, while the frequency of cyber incidents is on the rise, hackers trying to gain access to critical information are not always to blame, with insider involvement remaining a significant problem.

    The methods used to transfer data can include uploading to online network storage, email transmission, storage on local media (including USB memory sticks, CDs or DVDs) and other data exfiltration methods. The information sought by hackers is multifaceted and varied and, depending on the nature of the target's business, can include intellectual property, financial information, customer or client related information, project plans, business presentations, blueprints and personnel details.

    'Insider abuse is more difficult to detect, as the perpetrators often have legitimate access to sensitive data and removing it may go completely unnoticed,' said senior Espion consultant John Hetherton, commenting on incidents of security breaches from within organisations. 'Whether opportunistic or disgruntled with their employers, the threat from the inside becomes more serious, as these employees have access to the company's best kept secrets and insider knowledge of security weaknesses.'

    'Insider attacks can cause significant damage to companies and the consensus indicates that as workers become concerned for their futures, the likelihood of an insider attack increases.'

    With that in mind, Espion offers twelve tips for addressing the issue from within:

    1. Ensure that organisational policies are unambiguous regarding the classification and protection of information. Policies should stipulate controls commensurate to the value of the information; the more valuable the information, the more rigorous the controls. These controls should state protection measures for information at rest and in transit.

    2. All staff should sign confidentiality and non-disclosure agreements when joining the organisation.

    3. Where BYOD is an option, the organisation should implement technical controls protecting company information which may be held on personal devices.

    4. Know exactly where all the organisation's key information is stored and how that information may legitimately enter and leave those repositories.

    5. Set up all user access by means of unique user accounts to maintain accountability of actions. Generic and shared accounts should be disabled and the sharing of passwords should be prohibited by policy. It is especially important that system administrators are also subject to these controls.

    6. Password complexity and management processes should be robust to prevent impersonation attacks.

    7. Strictly control access to information: access should be authorised by information owners and regularly reviewed to ensure it remains appropriate.

    8. Where third party cloud based services are adopted by the organisation, a robust movers and leavers process should be implemented to cover both key internal systems and cloud services where access control may not be centrally controlled by internal IT, such as Dropbox and Google Drive.

    9. Put in place granular auditing for access to key systems and information repositories. The level of auditing should be granular enough to ensure that the sequence of events which led to a breach can be reconstructed.

    10. Real time alerting of suspicious activities should be actively monitored and responded to by trained incident responders, as part of a defined incident response plan.

    11. If there is a notice period, the IT department should actively monitor the departing employee's access to the network to make sure sensitive and confidential data is not being downloaded or sent to the employee's personal email account. Additional measures should be considered in the event of an acrimonious departure, as employees that leave an organisation on bad terms are more likely to steal data.

    12. And lastly, as an employee leaves an organisation, a thorough audit of their paper and electronic documents should be carried out, and company mobile devices and laptops should be returned.
Hass & Associates Online Reviews: Expert Reaction: Business Implications Of The iCloud Hack
started by Calvin Wilkinson on 06 Sep 14

    What ramifications will businesses and Apple itself face following the celebrity leaks?

    The dust has barely begun to settle following the massive celebrity 'nude photo' leak over the weekend, yet allegations and claims are flying here, there, and everywhere.

    Fingers are being pointed at suspect iCloud security despite no concrete evidence of exactly how the images became public in the first place (that is, apart from the original 'leaker's' confession of obtaining the images from iCloud).

    Firstly, it has to be unlikely that iCloud itself sustained a large attack, especially as the service is 128-bit encrypted both ways of delivery.

    What is much more likely is that this was a social engineering attack: an exploit which works by manually piecing together information about the target (i.e. email addresses, date of birth, secret question answers) in an attempt to spoof access to an account.

    Of course this does raise issues about the surrounding security of iCloud against social engineering attacks, but businesses should have a much higher level of security than your regular Hollywood celebrity.

    Steve Jones, head of R&D at UK penetration tester RandomStorm, said: "Although Apple's encryption of the data itself is considered robust, Apple could apply AES 256 bit encryption to the images. This would put the majority of hackers off, or really slow them down.

    "However, access to the celebrities' images could have been gained through more indirect means, such as guessing the celebrities' passwords, or by finding their email address and then correctly answering traditional security questions.

    "Apple could improve the security of iCloud by enforcing the use of much stronger, unique passwords and by introducing two factor authentication to iCloud accounts, to ensure that access is from the correct device and/or account owner."

    Weak passwords could be what is at the heart of this leak, and if your business is not operating at a level where it is creating stronger passwords than a layman, then things need to change.

    Paco Hope, Principal Consultant at software security company Cigital, also argues that iCloud is not in itself risky for businesses if used correctly. "Businesses build security in by using secure software to access their data. The choice of cloud provider is just part of that overall picture. This hack means nothing with respect to the security of iOS: iOS devices were merely the cameras in this situation. No one should change their position on iOS versus Android versus Windows based on this incident."

    Furthermore, large firms such as Apple obviously have trained and dedicated in-house security teams which are constantly patching and working around flaws in the armour. Rik Ferguson, VP of security research at Trend Micro, said: "A wide scale 'hack' of Apple's iCloud is unlikely. Even the original poster is not claiming that."

    Steve Jones further argues that the security responsibility does not solely lie with the cloud storage provider. He said: "Businesses observing this hack should already understand that any digital asset that is valuable, whether it be employee login details, customer data, patient records, financial details, or intellectual property, is a target for cyber thieves and needs to be protected appropriately.

    "This also means that businesses cannot delegate information security to their cloud service provider. If your business is faced with a determined assailant you need to put in place your cyber fire drill: change the rules on your firewall to shut the ports until further notice, move the assets, hide the assets and block access until you have had time to assess which vulnerability was exploited."

    Mike Ellis, CEO at ForgeRock, also argues that it is indeed businesses that need to be more aware of cloud security. He said: "Big businesses as well as large, trusted government organisations need to manage vast and growing numbers of employee and customer digital identities.

    "Global brands and large organisations that fail to take the right steps to address the growing complexity of identity relationship management risk not just a big dent in their reputation and trust, as iCloud is surely likely to face, but serious commercial or social consequences too as customers switch to more trusted brands or switch off entirely altogether. This example is just the tip of the iceberg and must be addressed sooner than later."

    But Egemen Tas, VP of Engineering at Comodo Group, highlights some of the ramifications he thinks businesses with lapsed cloud security face. He said: "Cloud service providers should realise that they are expected to be as liable as a bank would be when it comes to catching fraudulent activities or having security and compliance procedures in place.

    "Banks have legal compliancy requirements and regulations hence they have ways to combat similar threats to the cloud. Why shouldn't cloud storage providers have similar legal regulations and liabilities? Just like we are more than one password away from our personal online banking accounts, we should be more than one password away from our cloud storage accounts. Having one password on our cloud accounts is not enough to combat attacks of this nature."

    This breach, no matter who is to blame, ultimately still alerts businesses to the risk of cloud storage, but this unfortunate opportunity should be used to highlight areas where improvements can be made and cloud security awareness can be heightened. Alex Raistrick, from Palo Alto Networks, comments: "The recent scandal involving leaked photos of celebrities stolen from Apple's iCloud storage facility serves to highlight that security is still one of the greatest barriers preventing cloud computing from reaching its full potential. However, amid the negativity there are now more opportunities than ever for channel partners who specialise in cloud security to move in and toughen up security, particularly on previously 'trusted' platforms."
Hass & Associates Online Reviews on Cybersecurity to Be a Core Part of M&A Deals

    Data breaches can have a big effect on a merger's overall value. There appears to be a worrying level of complacency toward the assessment of cyber-risks during M&A deals, despite increasing awareness of the cybersecurity risks facing businesses.

    International law firm Freshfields Bruckhaus Deringer found in a survey shared with Infosecurity that 90% of respondents believe cyber-breaches would result in a reduction in deal value, and 83% of dealmakers believe a deal could be abandoned if cybersecurity breaches are identified during deal due diligence or mid-transaction. Yet too few tie-up architects are addressing the threat: a majority (78%) say that cybersecurity is not a risk that is currently analyzed in-depth or dealt with in deal due diligence.

    "It's surprising that dealmakers recognize the growing threat of cyber-attacks to businesses, but generally aren't addressing that risk during deals," said Chris Forsyth, co-head of the firm's international cybersecurity team. "You wouldn't dream of buying a chemicals plant without assessing environmental risk, so why would you buy a data-driven business without assessing the risks it faces around data management and cyber-security?"

    The firm said that the effect of a cyber-incident on value would work both ways: a business with a good track record and robust processes could be worth more than competitors, while a business with a bad track record could be worth less.