Building the blocks around the smartest cryptocurrency on the market



We’re talking Blockchain – but it began with Bitcoin.

So what is Bitcoin?
Bitcoin is a cryptocurrency and a digital payment system.  Invented by an unknown programmer (or a group of programmers), it was released as open-source software in 2009. There is a market cap with Bitcoin.  The value of an individual Bitcoin has increased substantially during this time, every year more and more merchants and vendors accept bitcoin as payments for goods and services, and millions more unique users are using a cryptocurrency (digital) wallet.

Why is there a worry about Bitcoin?
There are many concerns related to Bitcoin, price volatility, doubts around legal status, tax and (lack of any) regulation, Bitcoin has been notorious in criminal activity, and is well renowned for the role it has in cyber-attacks like Ransomware.  But for believers, Bitcoin has huge upsides, de-centralised thus outside the control of a central authority, privacy, deflationary, low cost to transfer funds across borders, but most it is an attractive “store of value”.

Why is Bitcoin important?
Bitcoin is important because it requires a blockchain.  A blockchain is an undeniably ingenious invention, but since Bitcoin, blockchain has evolved into something greater.  And the main question every person is asking is – what is a blockchain?

So what is a blockchain?
The simplest explanation “Blockchain is to Bitcoin, what the internet is to email. A big electronic system, on top of which you can build applications. Currency is just one.”  Sally Davies, FT Technology Reporter.

How does blockchain work?
A blockchain is a distributed database that is used to maintain a continuously growing list of records, called ‘blocks’.   Each block contains a timestamp and a link to a previous block. A blockchain is typically managed by a peer-to-peer network collectively adhering to a protocol for validating new blocks. By design, blockchains are inherently resistant to modification of the data. Once recorded, the data in any given block cannot be altered retrospectively without the alteration of all subsequent blocks and a collusion of the network majority.   Functionally, a Blockchain can serve as “an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way”.

“The blockchain is an incorruptible digital ledger of economic transactions that can be programmed to record not just financial transactions but virtually everything of value.” Don & Alex Tapscott, authors Blockchain Revolution (2016).

Blockchains are secure by design and are an example of a distributed computing system with high Byzantine fault tolerance.  Decentralised consensus has therefore been achieved with a Blockchain.  This makes Blockchains potentially suitable for the recording of events, medical records and other records management activities, such as Identity Management, transaction processing and documenting provenance.

The entire financial, legal, and record-keeping industries are being disrupted using this decentralised, secure, and inexpensive method. It has therefore caught the eye of the Bank of England plus other large organisations including Microsoft, IBM and Cisco have consequently started to take note of it.

In summary the opportunities are infinite.

People need to understand that “blockchain” is NOT the same thing as “Bitcoin”.

Bitcoin was the first blockchain system designed, but there have been a number of others since then which are very different, designed by different people, often for different purposes. These people are in the business of designing things for use by corporations to operate their businesses to drive a competitive edge. This is no different to what Amicus ITS has been doing for 30 years, problem solving and designing solutions that deliver business value as we look constantly to the horizon at future technologies.

Click here to read our White Paper

Work with your Security and Governance teams to thwart cyber attacks

A Petya ransomware attack suspected to be a modified EternalBlue exploit is currently spreading around the world as we go to press, with UK and European organisations already affected and shipping company Maersk and ad agency WPP announcing problems with systems down.

With only a few days since the attack on the UK Government on Friday 23rd June, security experts are describing such high profile attacks as the ‘new normal’.  Weak passwords on email accounts were to blame for around 90 parliamentarians being attacked.  An official spokesperson commented that users had failed to adhere to official guidance from the Parliamentary Digital Service.  Immediate remediation of disabling remote access was put in place as a precaution whilst further investigation were made.

This follows hot on the heels of last week’s report by Which, revealing that communications giant Virgin’s consumer Super Hub 2.0 router was found to be vulnerable to hacking for those who had not changed the default wifi password setting, felt by experts to be too short and not sufficiently complex.  Virgin are not alone amongst Internet Service Providers for issuing relatively simplistic wifi keys according to penetration testing experts.  Future success in thwarting attack will require 1) a change of culture from consumers to proactively change the default password on any wireless device and 2) for retailers to ensure that directions for changing the password are immediate to access the service, easy to read and quick to do.

And all of this just one month since the WannaCry cyber attack on NHS England which was amongst around 70 organisations hit worldwide.  Brian Lord, former Deputy Director for Intelligence and Cyber Operations at GCHQ commented in May that this was due to a change from low level theft and use of ransomware in the past few years to now internationally organised crime.  Todays criminal networks could generate sustained and co-ordinated attacks into the backs of ageing IT systems, delivering a simple tool at mass scale to vulnerable areas – in this case, systems where Microsoft security patches hadn’t been updated.

The clear messages from these tales of woe are:

•    Ensure effective security and governance procedures are in place for businesses and institutions – and that these are shared, understood and abided to by all staff without exception through regular training and education awareness.
•    Consider two factor authentication and more intelligent solutions around identity management and password tools to keep the door closed to wrongful access.
•    Protect older, more vulnerable Operating Systems through regular security assessments and vulnerability detection programmes to scan your networks and find holes in perimeter security to help target your patching priorities.

Rome wasn’t built in a day, but organisations that do not have strong and effective preventative measures can easily fall in one day.  Keep security at the forefront of your thinking and actions.  Read our full article on Ransomware here

ICO starts to bear its teeth ahead of GDPR as fines start ramping up

New research from PwC reveals that the Information Commissioner’s Office (ICO)  levied 35 fines in 2016 for breaches of the Data Protection Act (DPA). This is almost double the 18 fines from the year before.

Those fines totalled £3.2 million, which makes the UK the most active country in Europe in terms of regulatory enforcement of data protection laws. The next most penalised country was Italy (£2.86 million). However, figures across Europe pale in comparison to the US, which sees far more incidents and whose regulators can issue much larger fines. The PwC reports that US organisations were fined a total of approximately $250 million (about £193 million) in 2016.

Preparing for the GDPR
The gap between US and EU regulatory powers is set to shrink when the EU’s General Data Protection Regulation (GDPR) comes into effect next year. From 25 May 2018, all organisations that process EU residents’ personal data must comply with the Regulation, or they’ll face fines of up to €20 million (about £17.4 million) or 4% of their annual global turnover – whichever is greater.

This is much higher than the current limit for EU regulators. For example, the maximum fine that the ICO can currently issue for a breach of the DPA is £500,000 – although it is yet to do so. The largest fine a UK organisation has received from a breach of data protection laws has been £400,000 which was levied against Kerboom Communications in May 2017 and TalkTalk last year.

PwC addressed the arrival of the GDPR in its study. The company’s global cyber security and data protection legal services lead, Stewart Room, advised UK organisations to use the next year to prepare for the GDPR, adding: “We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change”.

It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?

Countering ransomware – it’s time to patch the human

Ransomware relies on human fallibility crypto-ransomware, malware that extorts money from victims by encrypting their files and systems until they pay a ransom, has been much in the news since WannaCry hobbled IT systems around the world last month. While much was made of the fact that WannaCry spread through networks by exploiting SMBv1 vulnerabilities in unsupported Windows systems (such as Windows XP, Windows 8 and Windows Server 2003), it is unusual for ransomware to self-replicate in the way WannaCry did.

Often, ransomware, in common with most other forms of malware, is spread by drive-by downloads or phishing campaigns, both of which exploit human error. So, even if you use robust anti-virus and anti-malware solutions, conduct regular penetration tests and ensure you keep your systems up to date and install the latest patches, your system could still be compromised thanks to a careless employee.

According to a 2016 report by SentinelOne:

  • 39% of organisations in the UK were hit by ransomware in the previous year
    • 72% of those infections were attributable to phishing
    • 38% were attributable to drive-by downloads from compromised websites

People are frequently acknowledged as the weakest link in any security system. But with better levels of staff knowledge, companies are more secure as you can, in effect, ‘patch’ your employees. Therefore, a best-practice approach to information security such as an ISO 27001 compliant ISMS (Information Security Management System), follows a holistic approach that addresses people as well as processes and technology.

Amicus ITS takes security seriously.  “We say security is part of our DNA here” advises  JP Norman, Director of Technology, Security & Governance, “and I consistently refer to the importance of “the squishy bits” (ie. the people) in IT management.  You can deploy the best systems and infrastructure money can buy –  but you have to ensure your people are trained too.”

Not Much Deep Thinking Evident Behind NHS Trust’s Data Share with Google DeepMind

Not for the first time, the NHS has come under fire from patients, patient groups and the scrutiny of the UK’s National Data Guardian (NDG), Dame Fiona Caldicott – and the ICO’s chief Elizabeth Denham.

The Royal Free Hospital in London commissioned Google’s DeepMind division in 2015 to help develop a Streams app to detect acute kidney injury through a blood test to identify deterioration. They provided DeepMind with 1.6 million patient records in the process to enabling ‘real time’ testing.

• Patients at the Royal Free Hospital in London were mainly unaware that their details were being used by a third party, nor how it was being used.
• No details on the financial terms of the deal have been disclosed publicly.

To Dame Fiona Caldicott, whose letter to the Royal Free was recently leaked, laid out her  concern that the data had been transferred on a ‘legally inappropriate’ (read ‘unlawful’) basis.  The app being developed was not ‘central’ to patient clinical care.  Caldicott shared her concerns with the ICO.

Caldicott does not dispute the app’s ability to help clinicians save lives today, but added in her letter: “Given that Streams was going through testing and therefore could not be relied upon for patient care, any role the application may have played in supporting the provision of direct care would have been limited and secondary to the purpose of the data transfer.  My considered opinion therefore remains that it would not have been within this reasonable expectation of patients that their records would have been shared for this purpose.”

Google DeepMind’s clinical lead Dominic King, was swift to distance any cross-use of the patient data with other Google products or services, or use for commercial purposes.

The ICO’s Elizabeth Denham has yet to give her judgement on misuse under the Data Protection Act, but the issue underlines the importance of individual consent.  This will be evermore intensely examined with the forthcoming GDPR regulations in 2018.  As it stands though, the ICO nonetheless has powers to fine a company up to £500,000 for the misuse of personal data as well as seek individual criminal prosecution.

Irrespective of the worthiness and potential benefit to patients in the longer term from the app, Dominic King agrees: “I think one thing that we do recognise that we could have done better is make sure that the public are really informed about how their data is used.”

It may prove a costly oversight to the Royal Free at a time of increasing NHS budget constraints, as well as prompting an ignominious slap in the face to the Trust from its patient body through damage reputation.

Amicus ITS is continuing its series of thought leadership events, this time on GDPR through 2017 for its customers and invited guests.  Further information on the programme can be found by contact Marketing (email) or calling Lindsay Burden on 02380 429475.

WannaCry ransomware attack goes global

 

News on Friday 12th May that NHS England had suffered a major ransomware cyber attack has since been extended to a wider victim base. We now know that the attack has affected around 150 countries, with major hits on the UK and Russia. It is estimated to have affected over 200,000 users to date.  In the UK 48 NHS trusts have reported problems at hospitals, GP surgeries and pharmacies, along with 13 NHS bodies in Scotland – and no doubt the early part of this week will result in more problems as staff come into work and switch their PCs back on.

The hack which targeted Windows machines was miraculously stopped in its tracks from spreading by a young security expert (under name @MalwareTechBlog) who accidentally hit the kill switch on the malware by registering the hard code as a domain name which had been seeded by its creator

SAFEGUARDS:

There are some urgent checks that all companies and organisations should be making in the next 24 hours:

  1. Ensure you are up to date on patching your environment– a lot of organisations were caught out because they didn’t (and Microsoft released a patch for the vulnerability exploited by WannaCry in March 2017).
  2. Check your Anti Virus is up to date (and preferably use a cloud based service ie Webroot)
  3. Ensure you back up all your essential data in line with your businesses Recovery Time Objective (RTO) and Recovery Point Objective (RPO), so you can’t be held to ransom and fearful of operational losses.
  4. Communicate with your staff to alert them to avoid clicking on any suspicious emails and making sure that your operating system software is up to date (it was a rare move for Microsoft to release security updates for unsupported software such as XP as a direct result of this event)

Companies that want advice on data security, can contact Amicus ITS in confidence on 02380 429429.

 

Amicus ITS Awarded Full Certification For Cyber Essentials Plus

cyber-essentials-plus-award-2017_03_03_17

Amicus ITS has announced its award of the higher level ‘Cyber Essentials Plus’ status.  This industry-backed technical security scheme seeks to heighten the defences of companies against threat.  For Amicus ITS with its long history of serving healthcare, regulated industries and blue chip corporates, it was a logical and natural extension of its existing security standards.

Led by Standards Co-Ordinator Emma Purr of Amicus ITS’ Security & Compliance Team, Emma Purr said:  “This was a good team effort, supported by members of our technical Escalation Team.  Cyber Essentials Plus is normally a first step-in for organisations to gain the more stringent security accreditation, ISO 27001.  Cyber Essentials Plus requires a 5-step security approach, whilst information security standard ISO27001 has 114 control requirements in 14 groups and 35 control objectives which must be addressed, so is both very broad and very deep.  However, we’ve done it in reverse, having gained our ISO27001 status back in July 2014. This was however no walk in the park and illustrates the critical importance of ensuring robust defences exist around your business.  Obtaining Cyber Essentials Plus status has further strengthened our resilience and is great to have on show as another recognised security badge”.

What is Cyber Essentials Plus about?

To create the UK Cyber Essentials scheme, the UK Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) for several years before launching the current system in June 2014.  Backers also include the Federation of Small Businesses (FSB), the Confederation of British Industry (CBI) and various insurance institutions.  Forming a set of comprehensive and challenging technical controls, it endorses compliance for organisations to create better technical protection from cyber attack and misuse of systems.  With standards which are risk-based and prompted by international best practice, they include aspects such as physical security, staff awareness and data backup.

What does Cyber Essentials Plus focus on?

Amicus ITS had to focus on five mitigation strategies:

1.   Boundary firewalls and internet gateways – for any user trying to access any websites which may have malicious content
2.   Secure configuration – ensuring the administration control of all user devices are securely configured, so the rights on what can be downloaded is appropriate and controlled.
3.   User access control eg, new starters only have access to the systems they require as part of their job; special access privileges which are restricted to a limited number of authorised individuals, which includes domain admin and the restriction of selected system administrators to be able to make any changes at a high level to internal systems and security firewalls; plus password strengthening and complexity in relation to service accounts. These get changed regularly – and automatically on the exit of any personnel.
4.   Malware protection – ensuring that relevant antivirus malware software is installed and kept up to date, which scans files and web locations automatically on access to identify they are safe and also to re-endorse the protection against accessing unsafe websites which get automatically blocked.
5.   Patch management – this ensures all software running on company devices are licenced and up to date, installed in a timely manner and that out of date software is removed from devices. Additionally, that security patches are deployed automatically on release.

Anyone wishing to discuss business information security issues or about being supported to obtain Cyber Essentials status, should contact the Sales team or speak to JP Norman on 02380 429429.

cyber-essentials-plus-badge-high-res