Defend, deter, develop – strategy to counter being in a widely connected world

GCHQ

The Chancellor, Philip Hammond, announced on 1st November 2016 the UK Government’s plans for a new £1.9 billion strategy to defend the nation against cyber attack over the next five years, as well as outlining a more offensive stance on going after those who would seek to do the nation harm.

“If we do not have the ability to respond in cyberspace to an attack which takes down our power network – leaving us in darkness or hits our air traffic control system grounding our planes – we would be left with the impossible choice of turning the other cheek, ignoring the devastating consequences, or resorting to a military response,” Philip Hammond said as he described the National Cyber Security Strategy in London. “That is a choice we do not want to face and a choice we do not want to leave as a legacy to our successors.” He went on to say, “Trust in the internet and the infrastructure on which it relies is fundamental to our economic future.”

The Government announcement follows the recent speech from the National Cyber Security Centre’s Director General, Andrew Parker, and warnings from the head of MI5 about increasingly aggressive behaviour in cyberspace by nation state threats from countries such as Russia. Russia is suspected of trying to influence the US elections by creating distrust in the electoral process, alongside the usual espionage, subversion and cyber attacks. All in all, the stakes continue to escalate in both volume and severity at national scale. Unsurprisingly, the Kremlin has dismissed the allegation.

In addition, the recent hijacking of Wi-Fi-enabled domestic appliances to mount a DDoS attack intended to take specific websites offline via the Internet of Things (IoT) has started to create uncertainty in the minds of the public as to what technology they can trust. The situation is not helped by a lack of education around the need to set a fresh password on receipt of a device, so that it is not left on factory default settings that attackers can exploit. Neither is the situation helped if the manufacturer installs a factory-set password which cannot be changed at all.

Web founder Tim Berners-Lee attending the Open Data Institute’s forum on the same day commented in a Radio 4 interview:  “The United Kingdom needs to have a strong but responsible and accountable police force, and [cyber-intelligence agency] GCHQ needs to have the tools to be able to defend us and defend the open internet.”

What the £1.9 billion is expected to translate into is specialist police units to tackle organised online gangs, some money towards education, and the training of 50 cyber security specialists at the National Cyber Security Centre.

Where historically it was the Americans who sought to confront Russia, the UK’s desire to take a visibly active stance should be welcomed by UK business, although much will depend on whether we get enough ‘boots on the ground’, or rather ‘hands on keyboards’, to counter the high volume of lower-end cyber attacks that has been identified as a real need.


Law firms face increasing cyber attacks in 2016


The start of Summer 2016 has seen a sizeable increase in recorded attacks on legal firms in Ireland, as reported by RTE News on 5th June 2016. Over a dozen firms have recently suffered ransomware attacks.

Why is the legal sector a prime target?
The legal sector is a prime target for cyber criminals firstly because of the sensitivity and volume of private client data held on their computer systems, and secondly because of the large sums of money held by solicitors in their client accounts on a daily basis.

What are common ways for ransomware attacks to take place?
Computer systems can be compromised by ransomware either through email or through a web browser. A user might open what looks to them like an innocuous email, which once opened immediately encrypts files across their entire network. The message (which can be remarkably polite) then warns that immediate payment is required by a given deadline, or the files will be destroyed. Victims will often see a timer ratchet as well, whereby any delay in settlement increases the sum demanded. The warning is stark and often along the lines of: “Any attempt to damage or remove this software will lead to the immediate destruction of the private key to your server.”

What kind of sums are involved in ransomware attacks?
Sums can range from a few hundred to many thousands of pounds. In this particular spate of attacks, the Irish legal firms received ransom demands of between €5,000 and €30,000 from the criminals to unlock their computers.

One solicitor, wishing to stay anonymous, commented: “The accounts system was in jeopardy, which we would be accountable for a closing balance of €4-5m every day to clients. Trying to identify 2,500 clients whose money was actually in the account to the very cent was never going to be achievable going forwards.”

The general advice for all organisations would be:

• To regularly review your data security policies and procedures (and ensure they are up to date and fit for purpose, reflecting the current threat landscape).
• To regularly back up your data to mitigate any losses.
• To act expediently and deal with the issue.
• To deploy up to date antivirus software.
• To have effective web filtering.
• To utilise up to date firewalls.
• To educate staff to heighten everyone’s awareness of cyber security – what different attacks look like – and, importantly, what their process and actions should be should they receive something they believe to be a cyber threat.

This news comes on the heels of the annual risk management survey by Legal Business and Marsh which found that “IT security breach / data management accident or breach” was the highest risk to law firms in terms of damage it could cause and the likelihood of it occurring.

For regulated industries especially, the demand for effective and contemporary security systems and knowledgeable management teams will serve as a significant reassurance to their customers. Amicus ITS provides specific Security as a Service offerings to protect against cyber attack. These include ‘Foxcatcher’ and ‘Amicus Viper’. Anyone wishing to discuss any cyber security issues in confidence can ring the security team on 02380 429429.

The UK Referendum – Macro and Micro events impacting on your IT environment


The Macro Picture
On 23rd June 2016, all British, Irish and Commonwealth citizens resident in the UK will be able to exercise their democratic right to vote for the UK to remain a member of the European Union, or leave the EU.

As you would expect in a modern democracy, all eligible citizens will be free to vote as heart or mind dictates and it’s no surprise that such an economically seismic event of this nature is leading to much debate and consideration by politicians, pundits, colleagues and friends alike.

However you vote on the day, this event can rightly be classed as a genuine macro event, one which happens not every five years but potentially once a generation, and both outcomes of the vote have the potential to profoundly impact the UK business environment.

As an organisation that provides integral support to businesses both within the UK and across the world, we have been keeping a keen eye on the implications of staying in or exiting, and we know a number of our customers have been doing the same. We are aware that customers across industries have been undertaking discreet assessments of their business footprint, trading parameters and IT infrastructure so that policies and processes are developed to accommodate both outcomes. Amicus ITS’ regulatory and compliance teams have been very active with a number of customers to ensure the implications of data management and the storage of data offshore from the UK are clearly known and managed.

At Amicus ITS, our position on the need to assess, review and prepare your IT and data management infrastructure so that it is ready for any outcome is clear – TAKE ACTION, however discreetly, to provide reassurance to the stakeholders in your business that you can manage and thrive in the unknown environment to come. Depending upon your perspective, macro events can be dealt with as minor bumps in the road or full-on roadblocks. Your position on this should be determined by action, not inaction.

The Micro Picture
So what about micro events? These exist all around us and are numerous within the commercial environment in which all companies operate. This is the same whether within the UK, the EU or across the globe, and within Amicus ITS we see the impact of these every day. Invariably, our everyday policies, procedures and good common sense ensure that micro events are managed and dealt with in a clean and efficient manner. However, at such a critical time as a major referendum, macro and micro events are inexorably drawn towards each other, and this is something we are already starting to see within the IT managed services support environment.

As 23rd June approaches, we are starting to see a rise in the number of micro cyber security related incidents within our customer base, ranging from CryptoLocker attacks to targeted DDoS attacks. More worryingly, we are seeing refined and highly complex preparation and targeting of brands and institutions for whom the macro outcome of the vote could be doubly impacted by a breach of their security thresholds. A complex and high profile breach of cyber defences at the time of our Referendum could damage both the commercial performance and the reputation of companies and brands who may need to support a new direction within their chosen business space.

The simple truth is that macro and micro events happen all the time. Focusing on the right sort of preparation and planning, so that IT infrastructure and security are kept at the front of your mind alongside doing what you do best, means that you can successfully adapt to any outcome and take some time to embrace it – whichever way things go.


‘Panama Papers’ – a wake up call for the legal sector

April’s data breach at Panamanian legal, trust and accounting firm Mossack Fonseca offers a perfect-storm warning for law firms. As reported in last week’s blog (see link), the legal sector is a highly attractive and potentially susceptible target for the armies of cyber attackers, due to the sensitive data held by law firms about their clients.

“All law firms should take the Panama breach as a major wake-up call,” says founder and executive chairman of IT Governance, Alan Calder. “Law firms have notoriously been targets for cyber criminals because of the sensitive information they possess. More recently, the scale and devastation that cyber breaches cause means that law firms need to consider their cyber security posture right now.”

The swift changes in cyber attack methods and the shifting focus across market sectors make defending your crown jewels (i.e. your data) ever more critical. Law firms were ranked the seventh highest target for cyber criminals in CISCO’s 2015 Annual Security Report, and in midsummer 2015 CISCO’s 2016 Annual Security Report noted that professional firms were one of four sectors (Government, Electronics, Professional and Healthcare) most hit by Trojan-related attacks, while the Professional Services vertical was hit with a high number of iFrame attacks. Add to this that the UK’s Information Commissioner’s Office (ICO) investigated 173 law firms two years ago over data protection breaches. It is not a comforting picture. But there are good things that can be done by taking a proactive stance on security.

The ICO acknowledges: ‘There is no “one size fits all” solution to information security, as the security measures that are appropriate for a particular organisation will be different to another.’ However, given the pressures facing the legal sector, companies would be well advised to adopt a risk-based approach to deciding what level of security is required and where – and to ask pertinent security questions of the third party contractors and suppliers they use.

ISO 27001, the Information Security Management System (ISMS) standard, provides a risk-based approach to data security. When rolled out through the organisation it can be pushed down through the supply chain to raise standards with third party contractors and suppliers. Whilst no organisation can be guaranteed to remain 100% free from threat 24×7, a law firm which creates a robust and regularly monitored cyber security posture will be better prepared to fend off a breach, or to respond to one quickly and effectively through tested policy. What this means for the firm’s customers and stakeholders is higher levels of assurance, as well as enabling the firm to meet growing legal and regulatory data protection obligations.

As with all things technological these days, it’s not just about knowing what’s in your estate to protect, it’s about strategically identifying for the business what you might need to consider adding to your infrastructure, to build peace of mind for your Board and customers.  That journey will ultimately be better travelled with an expert MSP which has ISO 27001, a passion for data security, a keen eye on cyber security – and one which can not only advise but is able to deliver 24×7.


The cost to TalkTalk of the 2015 cyber attacks

In our post of 31st December 2015, we discussed the lessons learned from the TalkTalk cyber attack debacle. Now TalkTalk have published their Q3 results, offering a truer picture of the costs to date.

The original emergency damage forecast in November by the telecoms company was £30-£35 million (largely for unconditional free upgrades for customers and £15 million in reduced trading revenue). This has now been doubled to £60 million.

Additionally, and of little surprise, there has been significant reputational loss, resulting in the loss of 4% of their customer base (some 101,000 customers) following the attack.

Recovery will be slow: despite City share prices rising 5% this morning, this follows a 30% drop after the attack at the end of October 2015.

This, in a week where it was revealed that two other organisations felt the pain of attack:

• Lincolnshire County Council’s systems were shut down for four days following a malware attack contained within an email and a document that was opened in error by staff. The £1m ransom was not paid and staff have been working off paper all week. CIO Judith Hetherington-Smith said: “People can only use pens and paper, we’ve gone back a few years. [The attack] happened very quickly. Once we identified it we shut the network down, but some damage is always done before you get to that point – and some files have been locked by the software. A lot of the files will be available for us to restore from the back-up.”

• HSBC was also hit on Friday 29th January, when customers couldn’t access their personal bank accounts. It was a DDoS attack and, whilst HSBC sought to assure customers on Twitter stating they “successfully defended their systems”, the process of restoring service then caused considerable disruption for their customers. The timing couldn’t have been worse for many: the first pay day after Christmas, and the last working day before the tax return deadline.

What this amply illustrates is the urgent need for businesses to change their behaviour: instead of relying on a dim hope that they won’t be the target of an attack at some point in the future, businesses should assume they will be attacked.

NB. Whatever the size of your company, you are at risk. So ensure that proper IT governance steps are undertaken through pen testing and robust cyber defence software, allied to round-the-clock monitoring and threat intelligence, to put yourself in a stronger defensive position and an agile stance for response. That way you start to stem financial loss and costly reputational damage.


Technology & Governance – the year ahead

There is lots of potential in many directions for cyber security, threat intelligence and risk management in 2016, and I am sure there will be some startling stories. But the one thing I know for sure is that there will be hyper-growth in online extortion, hacktivism and mobile malware, and a pivot by government agencies and corporations towards a much more offensive strategy for dealing with cyber security threats.


I think that both governments and enterprises of all sizes are beginning to recognise the benefits of cyber security foresight and acceptance that there will be cyber attacks – and that it is likely they will be hacked. We see changes in legislation coming down the line and increasing hiring activity around skilled cyber security analysts and officers within enterprises.

Enterprises are now evaluating their risk as it relates to their assets and their position in their supply chain to assess their vulnerabilities and respond with plans to protect and defend accordingly. Individual users are becoming much more aware of online threats and through training and education, are upping their game translating this heightened visibility into increasingly prudent preventative action.  Malvertising is being forced to morph into more sinister approaches due to an almost 50% increase in the use of ad-blocking software in 2015.


This is good and bad, as the new approaches will have figured out a way around the software and will create new and innovative attack vectors that most users won’t see coming. Hackers are really good at evolving to adapt to new environments, and for every defensive measure there must be 50 ways to work around it.

An increase in the sophistication of psychological and analytical techniques and social engineering innovation will create a large bubble in the online extortion business driving hackers to expose even more incriminating information about their victims. Hopefully, the Ashley Madison breach will act as a lesson-learned deterrent, or at least a cautionary tale to help potential victims think twice before posting such potentially incriminating information.

If there is no basis for extortion, then it will be hard to extort.

So here are some of the things I believe we can expect to see during 2016:

• Evolving cyber criminals will develop new techniques and attack vectors to personalise hacks, potentially making 2016 the year of online extortion (unless we stop posting hyper-personal data in inappropriate spots).
• Mobile malware will surge along with the sales of smartphones and new online payment systems (these will create a target-rich environment that will be impossible for cyber criminals to resist, as these payment systems are particularly vulnerable to attack).
• There will be a significant increase in government regulations designed to increase protection, detection, arrest and prosecution of cyber criminals, but which result instead in increased cost and difficulty of compliance for all businesses.
• Significant fines and punishment for failure to comply with existing regulations affecting the retail, consumer, healthcare, hospitality, finance and manufacturing industries.
• In spite of increased intention, most companies will not be able to staff cyber security experts in 2016, as the current unemployment rate for analysts is less than zero.
• There will be a reduction in malvertising but an increase in socially engineered intrusion, and the resulting compromise and capture of administrative credentials will lead to an increase in successful breaches.

Now is the time to take decisive action to get ahead of all this by installing layered-defence technologies, training staff in identifying and detecting cyber attacks, moving to immediate compliance with all regulations affecting our and our customers’ industry sectors, and developing an internal cyber defence capability as well as partnering with external specialist firms to provide it.

What you don’t want is your emails exposed, your internal documents made public, your assets compromised, your position in your supply chain used as a tool to breach a client company or your name in the paper.

If our assets aren’t more valuable than the investment required to get secure, our customers and reputational impact surely are.   Let’s get moving.


EU neighbours stand together in fight against cyber threats

In response to the increasing threats from cyber attacks and a lack of any common approach in Europe to digital network breaches, a new ‘Network and Information Security’ directive has been agreed this week by MEPs and ministers. This creates for the first time an EU-wide set of rules on cyber security.

Representatives from 28 EU countries have created a common set of minimum standards for cyber security in Brussels. Primarily designed to target any organisation running critical national infrastructure (e.g. airports and power stations), it also sets a minimum benchmark of standards for organisations such as banks, energy and water companies.

On top of this, any company running critical services (plus some technology firms) will be required to report cyber breaches and attacks. The tech firms likely to be included are online marketplaces such as eBay and Amazon, and search engines like Google.

The European Agency for Network and Information Security (Enisa) estimates that such breaches, whether from human error, technical failure or malicious attack, result in annual losses in the range of €260bn to €340bn (£188bn to £246bn).

The whole driver for creating consensus is the strength of shared intelligence and protocols between countries. In this new digital and dangerous age, countries must swallow historic aversions to sharing security information across Europe, for the greater good of its citizens. A further boost is the EU pledge to offer best practice to others and to assist member states in securing their infrastructures where they do not have the technologies or cyber security specialists.

Knowing how witheringly slow EU politics can be, this collaboration of political goodwill amongst EU partners is in no small part spurred on by the Paris terrorist attacks of 13th November 2015.

There remain many hurdles, as the agreement still needs approval from the European Parliament and national governments. With a vote in Spring 2016, it would then take around two years to put the measures in place.

MEP Vicky Ford (Chairman of the European Parliament Internal Market and Consumer Affairs Committee), who chaired the final round of talks, said that it was “a hugely complex piece of legislation.  We have set up a network which will enable experts from each of the 28 countries in the EU to share and develop best practice in network security, whilst not compromising any individual member state’s own national security measures.”

One can only hope that EU security agencies are prompted by their leaders to be proactive in sharing digital network threat information altruistically in the intervening 24 months. The old “I’m all right Jack” mentality is now firmly a thing of the past, as neighbours must support each other in this darker digital world.