cyber risk management?

Cyber services are currently going through an evolution, moving from the reactive to the proactive, as businesses wake up to the impact a cyber-attack can have on their operational output or reputation.

Traditional cyber services revolved around providing some basic anti-malware tools to prevent an attacker from gaining access to networks, and then, when things went wrong, dealing with the aftermath of an attack, investigating what happened and how the attackers were able to gain access. More recent service offerings across the marketplace, by contrast, revolve around predicting when, where, how, and why attackers may strike, or reducing the impact of any successful network breach.

Physical and cyber security are mutually supporting

I would be surprised if any businesses would leave their premises unlocked with the doors open at night; doing so would clearly invite opportunist thieves to help themselves. It is therefore somewhat surprising (although probably through lack of awareness) that organisations show so little concern for their cyber security. With more and more data being stored on company networks or in the cloud, ranging from valuable proprietary information to sensitive personal information or financial transaction information, the loss or non-availability of any of these could have a real impact. That could mean your company or organisation losing its competitive edge, suffering significant reputational damage, or incurring potentially large financial losses.

Viewed in this way, it is a lot easier to appreciate the risk that poor cyber security can pose to a business and why it needs to be addressed as a priority. As an example of the impact a cyber-attack could have, the TalkTalk hack is reputed to have cost the business the loss of 100,000 customers and £60m, so the costs to a business can be considerable.

Selling cyber security

The difficulty in providing proactive cyber security services is that businesses often don’t know that they need any advice on cyber security until it is too late. Essentially, how do you go about selling someone something that they don’t know they need?

The answer is education and awareness to businesses at all levels.

So what?

Cyber security, like physical security, should be viewed in the same light as any other risk held and managed by the organisation. However, at the moment these cyber risks simply do not appear on the list of risks that need to be considered, let alone have any consideration given to how they should be mitigated, or to whether the current level of risk they present falls within the organisational risk appetite. The TalkTalk hack mentioned earlier is but one high-profile attack; more of them seem to hit the news with increasingly alarming regularity.

A case in point

An example of the scale of the problem and the lack of awareness outside of the IT security sector was brought sharply into focus for me recently. A good friend of mine who runs a very successful online business (circa £10m annual turnover) did not see his business and livelihood as linked to cyber security in the slightest. He only recently installed a firewall on his network, despite having traded online for almost a decade, and had very little awareness of his IT systems and the security issues and risks that they, and therefore his business, were exposed to.

In order to increase his awareness, I briefly ran through a few scenarios of what could happen, for example, if there was a loss of availability to his network through malware being installed, or more worryingly the loss of client data that will be punishable under the GDPR legislation that comes into effect next year.

GDPR? What’s that then?

The Global Data Protection Regulations will come into force in May 2018 and replace the outdated Data Protection Act from 1998. These regulations are likely to be a key driver in changing company cultures from a reactive to a proactive cyber security stance, as non-compliance could leave your business with a fine of up to €20m or 4% of your global annual turnover, whichever is greater.

The way ahead

Organisations will need to be very clear about what types of data they hold and process and, as a result, what their legal requirements are. Network architectures and system settings should be configured to ensure that only those that need access to certain data types can get to it, as well as devising policies and procedures for dealing with any security incident that might occur. This is where proactive cyber security advisory services come in. Many businesses are now realising that it is often more cost efficient and more effective to employ the services of experienced independent experts to provide advice on cyber vulnerabilities, associated business risks, and to offer credible solutions as to how those risks can be managed optimally.

Good cyber security is a blend of people (leadership, culture and training), well tried and tested processes (governance), technology (protection and detection), and preparedness (resilience), supported and underpinned by a mature IT solution and sound physical security controls – does this describe your business?

Summary

Cyber criminals are becoming increasingly adept at refining their technological capabilities. So rather than waiting to become a target and victim, now is the time to adopt a proactive stance; to remain legally compliant and understand your current cyber security risks so that they can be managed appropriately – it’s not if, but rather when your business will be targeted. Don’t be caught unaware…

Look out for my next blog post on Security Operations Centres and why they are so important.

21 Cyber Security Blogs

21 top cyber security blogs

1. CNET

Why follow? CNET has an entire section of their site devoted to security. Their consumer technology experts weigh in each day on everything from credit card data breaches and cyber warfare to scams and social media privacy. They cover what’s happening in current events while providing a solid technological outlook. This blog has a casual tone and is not overly technical in writing. It’s a good one to follow if you have a particular interest in consumer-related security.

2. CyberArk

Why follow? CyberArk is one of the few security companies whose efforts are entirely dedicated to preventing cyberattacks. With many of the world’s top businesses trusting their protection, CyberArk is a blog boasting a lot of authority. The site is updated every few weeks or so with insightful, intelligent articles on hot topics such as the newest global security concerns and recaps from recent security and hacker conferences.

3. Dark Reading

Why follow? Dark Reading is a cybersecurity community comprised of contributing influential IT professionals. This cutting-edge blog is chock full of news and commentary covering a broad range of cybersecurity-related issues and even offers podcasts and videos. Dark Reading is part of InformationWeek, which hosts nine digital technology communities.

4. Homeland Security News Wire

Why follow? Homeland Security News Wire, a leader in the industry’s online daily publications, manages its own cyber security blog. This resource combines elements of government, science and business to analyze the technical aspects of current events. Plus, it’s packed with authoritative and informative reporting and is updated daily.

5. Infosec News

Why follow? Infosec is a small but long-running and respected cyber security blog. This streamlined site allows you to catch up on the latest breaking news, which varies from security and hacking to public policy and industry conferences. This blog also has an extensive posting of job openings for job seekers in the IT and security field.

6. Information Security Buzz

Why follow? Information Security Buzz’s cyber security blog is an independent resource for the latest updates and expert input on industry happenings. This blog features a video channel with insightful commentary from IT professionals. You can even use their LinkedIn community discussion page to rub elbows with other industry professionals and hash out the latest hot topics.

7. Infosecurity Magazine

Why follow? Infosecurity Magazine is one of the larger cyber security publications out there with a vast amount of information on their website. The site is updated daily and hosts its own virtual conferences throughout the year and even has its own webinar channel and an extensive directory of cyber security companies.

8. Inside Cybersecurity

Why follow? Inside Cybersecurity is a site dedicated to keeping professionals up to date with federal policies affecting digital security. The site provides behind-the-scenes reporting of law making and its repercussions on the public, though it is subscription-based. Give the free trial a try to better understand the relationship between public policy and cyber security.

9. Krebs on Security

Why follow? Krebs on Security is authored by Brian Krebs, a former Washington Post reporter. This five-year-old blog offers a lot of archives to dig through, while also providing a fresh look at current cyber security threats. Because of his unorthodox ushering into the cyber security industry, Krebs’ style is accessible and casual, which makes following this blog easy and enjoyable.

10. Naked Security

Why follow? Naked Security is the security threat blog of Sophos, a cyber security company. This blog has a huge following and does a great job of making their content interesting, relevant and accessible. The site is divided into relevant topics such as vulnerability, android, privacy and Facebook, so you can easily find content relating to your interests.

11. SC Magazine

Why follow? SC Magazine hosts a data breach blog that is a must-see for cyber security pros. Each no-frills blog post is short and concise, getting down to the fundamentals of each security breach. SC Magazine has a large following and is very active on social media as well.

12. Schneier on Security

Why follow? Bruce Schneier is a heavy hitter in the security field with impressive credentials. His cyber security blog pulls in all sorts of articles from across the web and generates a lot of engagement on his site. This is a good blog to follow if you want to see differing opinions on the topics everyone’s discussing. Schneier also produces a monthly newsletter to keep you in the know.

13. Securosis

Why follow? This cut-and-dried cyber security blog is produced by Securosis, an information security advisory firm that also conducts a lot of IT research. They claim to be “totally obsessed with improving the practice of information security” and that is seen in their articles. This regularly updated blog is all about providing practical and useful information to its loyal followers.

14. Security Bloggers Network

Why follow? If you’re looking for a wide variety of voices and perspectives, this is the blog for you! Security Bloggers Network is a feed of about 300 blogs and podcasts. If quality and variety are not incentive enough to follow the blog, then the quantity alone should astound you. You can expect more than 50 new posts daily!

15. Security Watch

Why follow? Security Watch is the blog of BH Consulting, an independent IT solutions firm in Ireland. The blog covers information security issues on an international level. It is updated regularly with casually written content along with occasional videos. Browse through their multiple archives or search by category to find a topic of your choice.

16. SecurityWeek

Why follow? SecurityWeek is a cyber security blog that provides insight and expert analysis on global security threats and headlines. The blog is jam-packed with articles and information. They also divvy it up conveniently into different categories like cybercrime and security architecture. The site also offers more in-depth research and whitepaper reports.

Security concerns

Security professionals feel no great joy in being right about patching. The past two months have been a period of “I told you so” moments for anyone who has ever had to have the conversation with a sys admin about the importance of patching. It’s been a long time for me, but the memory lingers.

Still, security professionals care more about being safe than being right, so, as I say, there’s no great joy. But now that we’ve had two months of ugly exploits that were very much enabled by unpatched systems, and everyone appears to be paying attention, we should take a few moments to review the excuses we’ve heard for why it was not important to patch.

We should be able to finally debunk the excuses, and I think I speak for everyone in security when I say we hope to never hear them again. Consider this a proactive set of canned responses to be used to reply to sys admins and their managers who, at some future time, somehow forget about the WannaCry and Petya attacks.

  1. “Patching takes time and my staff is busy.” So the question then is: are you sure keeping the infrastructure secure is part of your department’s mandate? Go check. If you did check and keeping the infrastructure secure is not included in it, then find the folks who are responsible for keeping the infrastructure secure and make sure they’re patching. But, on the other hand, if keeping the infrastructure secure IS your responsibility, then the question becomes: does your staff have something more important to do, and who made the decision that it was more important than patching? Perhaps the person who made that decision should reconsider. Finally, if keeping the infrastructure secure is not anyone’s responsibility, jump up and down waving your arms until it is. Security will be there jumping up and down and waving with you.
  2. “These machines don’t connect to the internet so they don’t need to be patched that often.” These latest attacks made it abundantly clear that malware is capable of spreading like a weed. And it doesn’t matter if the weed first started in your neighbor’s backyard; once it jumps to yours, anything can happen. Not to mention the fact that some of your most important machines may not ever connect to the internet but may bring the business to a halt if they get infected. So maybe whether or not something connects to the internet is not as important to patching as whether or not something is important (or connected to something important).
  3. “Patching can break something.” You mean what if patching breaks a test machine, as opposed to not patching and finding that an outbreak of malware was so severe that you have to send everyone home? Patches should be tested. If patches DO break something on a test machine, then some level of effort or risk must be taken on. But make those decisions explicit, not a matter of inertia.
  4. “My staff will get to patching as soon as they’re done with the nextthingmobilecloudIOTbigdata project.” Patching is boring. When faced with the choice between working on that sexy new deliverable that is super high profile and patching the system, we are all tempted to work on the shiny stuff. See #1 above for more on this.

Security and IT Ops are good partners in most organizations, but the time and attention commitment involved in patching often challenges IT Ops, who are being asked to make EVERYBODY happy. If there is one lesson that came out of the past two months, it’s that your organization de-prioritizes basic system hardening at its own risk. And if anyone wants to understand just what that risk is, they can type “WannaCry” in their search engine of choice and hit ENTER.

Conducting a Secure Code Review

When it comes to conducting code reviews, no doubt your dev team are great at reviewing for functionality and performance. However, with new application security risks emerging all the time, it is vital that your dev team starts to make application security as much of a priority as functionality. Today I’m looking at five steps they can follow to conduct a code review that identifies security bugs and vulnerabilities.

1) Identify Code Review Objectives

Setting clear objectives will help to keep you focused during your code review, which will make it more effective at identifying bugs and vulnerabilities. Before starting your code review, it’s important that you understand the types of bugs that are possible in the code you’re reviewing, based on its architecture and the threats you identified during threat modelling. If you already have an idea of what a bug will look like – for example, if there are patterns to help you identify bad code that can cause vulnerabilities in your application – then you have a better chance of finding it than if you just go in blind. It’s important that when you’re conducting a secure code review, you only look for security issues, and save checking for functionality and other problems for another review. The more things you are looking for during a code review, the less likely you are to spot any of them – you’re trying to think about too much at once!

2) Conduct a Static Analysis Scan

Using the right tools is vital to the success of your code review. A static analysis tool can be used to automatically check your code for compliance with a set of rules and best practices that you’ve predefined, so a static analysis scan is a fast and efficient way to find code defects and inconsistencies which can threaten the security of your application. For the first pass over your code during your review, you should run a scan with a static analysis tool to pick up on those simple mistakes. After this initial, automated step, you will move on to manually reviewing your code for more complex bugs and vulnerabilities.

3) Look for Common Bugs

For the next pass over your code, you should turn your attention to the most common security risks. The OWASP Top 10 is a list of the ten most critical, and most common, web application security risks, which also contains guidance on how to prevent or fix these common vulnerabilities. Referring to the OWASP Top 10 gives your developers a great starting point when looking for common bugs and vulnerabilities in your code. By adopting the guidance from the OWASP Top 10, your organisation can develop a simple, prioritised application security framework and ensure that the most common security bugs don’t make it into deployment.

4) Look for Bugs Specific to This Application

Your decisions about how to develop your application can introduce vulnerabilities that are language-, architecture- or platform-specific. As well as having an understanding of common vulnerabilities, it is also worth making sure that your developers are aware of language- or architecture-specific vulnerabilities, so that they check for these during their code review. Hopefully these potential threats would have been identified during threat modelling, and your dev team have already mitigated these risks during the development process, but it’s always worth a final check!

5) Post-Review Activities: Prioritise/Fix/Learn

Once you’ve completed your code review, the next step is to prioritise the vulnerabilities in order of severity, to ensure that the most serious vulnerabilities get fixed before less serious ones. You can then fix the bugs you’ve identified, and your dev team can learn from those mistakes. How were these bugs found, and how were they fixed? This knowledge will help to improve the code they write in the future.
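As an added example (not code from the original post), here is a small pattern-based scanner of the kind step 2 describes, run over a constructed sample module, with the findings then ordered by severity as step 5 recommends. The rules, their severities and the sample source file are all constructed for illustration; real static analysis tools ship far larger rule sets and add data-flow analysis.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed rule set: (rule name, regex, severity). Each regex encodes a
# "pattern of bad code" of the sort step 1 says you should know before you start.
RULES = [
    # String-built SQL passed to execute(): f-string, "%" formatting or "+" concatenation.
    ("sql-injection", re.compile(r"\.execute\(\s*(f[\"']|[\"'][^\"']*[\"']\s*[%+])"), "critical"),
    # Untrusted data reaching a shell via shell=True.
    ("shell-injection", re.compile(r"shell\s*=\s*True"), "high"),
    # Credentials assigned as string literals in source.
    ("hardcoded-secret", re.compile(r"(?i)\b(secret|password|api_key|token)\w*\s*=\s*[\"'][^\"']+[\"']"), "high"),
    # Hash functions that are unsuitable for integrity or password use.
    ("weak-hash", re.compile(r"hashlib\.(md5|sha1)\("), "medium"),
    # pickle deserialises arbitrary objects, so untrusted input means code execution.
    ("unsafe-deserialization", re.compile(r"\bpickle\.loads?\("), "critical"),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    rule: str
    line: int
    severity: str
    snippet: str


def scan_source(source: str) -> list[Finding]:
    """Run every rule over every non-comment line and collect matches (step 2)."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented-out code is a classic false positive; skip it
        for name, pattern, severity in RULES:
            if pattern.search(line):
                findings.append(Finding(name, lineno, severity, stripped))
    return findings


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Order findings most-severe first, then by line, so fixes start at the top (step 5)."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.line))


# Constructed sample module under review. It deliberately mixes a vulnerable
# query with its parameterised counterpart so the scanner must tell them apart.
SAMPLE_SOURCE = """\
import hashlib
import pickle
import subprocess

SECRET_KEY = "s3cr3t-hardcoded"
# password = "old-value"  (commented-out code, which the scanner skips)

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    return cur.fetchone()

def find_user_safe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def list_dir(path):
    return subprocess.run("ls " + path, shell=True)

def checksum(data):
    return hashlib.md5(data).hexdigest()

def load(blob):
    return pickle.loads(blob)
"""


if __name__ == "__main__":
    for f in prioritise(scan_source(SAMPLE_SOURCE)):
        print(f"[{f.severity:8}] line {f.line:3}  {f.rule:24} {f.snippet}")
```

The parameterised query on line 15 and the commented-out credential on line 6 produce no findings, which is the behaviour a reviewer should confirm before trusting a new rule.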

Reducing Security Vulnerabilities

It may therefore come as a surprise (or not, if you are a software developer yourself) that most companies fail to invest in adequately training developers on security best practices, whilst throwing large amounts of money at advanced detection tools. Many large organisations have the latest firewalls, advanced malware detection systems and automated code testing tools, but skimp on even basic secure development training. This leads to a major, fundamental problem: most firms continue to develop insecure software.

According to a 2012 research report by the Ponemon Institute:

  • 63% of security professionals and developers state that application security consumes 20 percent or less of their overall IT security budget.
  • 71% of developers believe security is not adequately addressed during the software development lifecycle.
  • 51% of developers believe security is only addressed in the launch and post-launch phase.
  • Just 16% of developers believe security is addressed during the design and development phases, compared with 36% of security professionals.
  • 47% of developers say their organisation has no mandate to remediate vulnerable code, compared with 29% of security professionals.
  • Just 11% of developers think their organisation has a fully deployed application security training program, compared with 22% of security professionals.

These statistics identify two major problems:

  1. Application security seems to be addressed late in the software development lifecycle, where it costs more to address vulnerabilities.
  2. Security professionals and developers have significantly differing opinions on how well security best practices are implemented in their organisation, implying that developers are inadequately trained.

Why Is This?

Perhaps one of the biggest reasons that companies continue to fail to invest in training is the perceived loss of developer time to training. Senior management calculate that to invest in X hours of training per year, for every developer in their organisation, they’d be spending, well… an astronomical amount of money. It’s then challenging to measure the direct results of that investment. How do you know exactly how many vulnerabilities you prevented from reaching your applications? Let’s consider the following assumptions for a second:

  • It takes your development & quality assurance team 30 hours to remediate a critical security vulnerability.
  • On average, 500 critical defects make it into your applications each year, and are detected.

That’s a total of 15,000 hours of developer & QA team time to resolve those vulnerabilities. You can therefore consider that as an absolute “upper limit” for your total developer time investment in security training. So if you had a team of 500 developers, that would represent a maximum of 30 hours per year, per developer. To break even, that 30-hour investment would have to stop all 500 critical defects from making it into your applications. Now, to make another assumption, let’s assume that a developer who is given 5 hours of security training introduces one less security vulnerability into their software each year than one not trained in security. That means that for your developer’s 5 hours of training, they saved 30 hours of development & QA time. A 6x return on investment. Now, these numbers are of course all speculative, but even if somehow your development team could eliminate vulnerabilities in half the time, that’s still greater than a 3x return. Better still, what if you could provide your developers with computer-based training on the go? Software which helps them to improve their security knowledge during their downtime, whenever it’s appropriate. This presents an opportunity to minimise lost development time, and let developers teach themselves on their own terms, without impacting productivity. Are the economics of developer training really even a question at this stage? Developers trained in security introduce fewer vulnerabilities into applications, which results in lower assessment and remediation costs. It also further decreases the chance of a critical vulnerability making it into your deployed application, and we’ve all seen what that can do.

ultimate guide to online dating

Online dating is as normal to life as is online shopping. Believe it or not, online dating has been around for 20 years, and as a result, cybercriminals are finding big money in people looking for love. However, these aren’t issues that should deter you from fishing in the sea of online dating.

In this guide, we will take you step-by-step through the entire online dating process. From finding the best dating site, protecting your digital privacy, all the way up to that first date, we’ve got you covered.

Step 1

Choosing the right site
The cyber-sea of love can be overwhelming to navigate. It is estimated that there are approximately 5,000 online dating sites worldwide.

The first thing you’ll want to check is if the website is a reputable site. We suggest that you stick to well-known websites and do some research. Conduct Internet searches in order to find out how many members are subscribed, read reviews that may include both good and bad experiences from the site.

Visit the website itself and investigate before signing up. Read the privacy policy. Look for an “about us” section. Does the site provide the name of a real person, or at least a phone number to contact if you have questions?

Paid vs. free?
This really depends on what you are looking for. Paid sites tend to have members that are committed to actually meeting people in real life, because it is a financial investment. Membership to these sites isn’t cheap, so if someone is paying, they are usually more serious about actually finding a relationship.

Free sites tend to have more members, which equals more choices, but it also means there’s a higher chance of interacting with a scammer on these sites.

The personal factor
Keep in mind: most of these sites will store more personal information about you than other websites do. When you fill out a profile on one of these sites, it can be extremely detailed. These sites will often ask you to list the city you live in, your date of birth, marital status, gender, and even more detailed information, such as whether you own pets or have children. It may seem rather invasive, but it helps the site match you with people in your area and helps you narrow down criteria in member searches.

Additionally, a lot of these sites will have what are called “personality quizzes”. The purpose of these quizzes is to help match you with other like-minded individuals. However, the answers to those tests can be very personal, and you want to be sure that your private information is being protected properly.

How to protect your privacy on online dating sites:

  • Check to see if the website deletes your data after you close your account. Some sites will allow you to either delete or disable your account. Since users sometimes return to online dating, the site may retain your information.
  • Check the privacy settings on your profile. Some dating sites make profiles public by default, which means that they can be indexed by search engines.
  • Look at the privacy policy. It should be clear about how it shares your personal information with other members. It should also be clear about who else gets to access your data, such as third parties.
  • Does it reveal your photo only to members or also for online advertising? If so, is there an option to opt-out?

Step 2

Creating Your Profile:
Of course, you want to create an enticing and attractive picture of yourself for others to see, but keep a tight grip on what personal information you put out there for everyone to see. For example, it’s ok to say what you do for work, but not to say what company it is.

Create a username that you have not used on any other accounts. Make sure you do not use any aspect of your real name, or any other personally identifiable information such as birthdates, even birth years. Your username can be searched, and anything tied to that username can come up easily.

Choosing Photos:
A picture really is worth a thousand words. The photos you post on your profile can actually contain a lot of information about you in the background if you’re not careful. Last year, a user was goofing around in his sister’s room and took a photo of himself. Within 24 hours, members of that website managed to track down the sister’s identity, social media accounts and more, all based on what was in the background. A user can do a reverse image search and easily locate other websites where that photo is posted. In this case, brand new selfies are a-ok!

Profile Do’s and Don’ts:

  • Create a username that you have not used on any other online accounts that you are associated with. Your username can be searched, and anything tied to that username can display in Internet search results.
  • The same applies for the photos you post on your profile. A user can do a reverse image search and easily locate other websites where that photo is posted. In this case, you’ll want to create unique photos that are posted on that site only. Which means it’s ok to go selfie crazy!
  • Set up a free email account to use with your dating account that has a unique name. Make sure that the email account has no personal information about you in the address.

Step 3

Safe Communicating:
While it may not seem harmful to give out your phone number or personal email address, don’t just yet. You may have been chatting online a while with your new crush; however, they’re still a stranger until you meet in real life. People can put on appearances online that aren’t actually true to their real life. Use caution about giving away anything that can link you to your identity online. It’s even ok to not give someone your last name until the date is set up.

  • Initially, keep communication to potential sweethearts limited to the dating site itself. A lot of these sites have moderators, and allow you to report anything that seems offensive and even threatening.
  • If you and your new friend decide to move the conversation to email, use the dedicated email account that you created for the online account to protect your anonymity.
  • When the time comes for a phone call, be cautious and set up a free Google Voice account, which will generate a separate phone number and forward it to your mobile. In the event that things fizzle out, the other person won’t have your real phone number.

Make sure you don’t catch a “catfish”
Catfishing is a different kind of scam in and of itself. Catfishing is when a user assumes the identity of someone else. This tactic is used by online predators to try to trick people into an online romantic relationship. Catfishers will always make up excuses as to why they can’t meet you, talk on the phone or meet up on webcam. If the user’s profile seems too good to be true, it probably is. Do a reverse online image search of their photos, and if they appear in other places, under other names, you may have caught yourself a catfish.

How to spot online dating scams:
Online dating, while extremely beneficial, is not immune to cybercriminals. In addition to personal safety from online predators such as stalkers and catfishers, there is also a slew of online scams that are perpetrated through these sites.

  • An individual may contact you with a sob story, about being stranded in a foreign country, or a sudden family emergency. If they ask you for money, you should report them to the service you are using and then block them.
  • To help verify the identity of the person that you’re talking to, ask for a recent photo. If they protest or make excuses as to why they can’t provide a photo, it is best to err on the side of caution.
  • If you’ve been chatting up a potential sweetheart for a while, and they continually put off meeting in real life, this could be a red flag.
  • Don’t visit links sent to you by people you haven’t talked to for very long. Scammers will pose as a member and try to get their target to click on links, usually leading to porn or webcam sites, and sometimes can even lead to malicious sites that download malware onto your computer.
  • If someone requests a webcam chat, be especially careful about your behavior. The criminal can record the webcam session and they can use it to blackmail you. If the conversation you’re having starts to take an uncomfortable turn, it’s okay to disconnect the chat.
  • Scammers create fake profiles that are run by programs called bots. Their objective is to get you to click on a link that will lead to either porn or malware, or to scam you out of credit card information. It’s actually quite easy to spot a bot, as they have a set of predetermined “canned” responses. If you notice that the conversation you’re having seems a bit off, or the person isn’t answering your questions directly, chances are it’s a bot.

Step 4

Meeting in real life
So, you’ve decided to meet up. While everything may seem to be going along swimmingly with your new crush, it’s still important to continue to exercise caution.

  • Be sure that your first meeting is in a public place where there are other people around that may assist if things start to go south. Plus, your date still won’t have your home address.
  • Use the buddy system. Tell a close friend about the date: where you are going, how long you expect to be there, who the person is, and their phone number. This way, you have backup waiting in the wings; whether it’s to get out of an uncomfortable situation or the date is just not going well, your friend can help bail you out.
  • Recently, some bars have a sign posted in the ladies room targeting online daters, stating to order a “special” drink if they’re having a bad date. The bar staff will come and assist you if you end up in an uncomfortable or unsafe situation.
  • If you’re not ready for a one-on-one meeting, some sites organize dating events. These are relatively new, and a super safe way to meet new people in real life, as it is in a group. There are so many great and engaging activities; speed dating, pub quizzes and cookery classes are a few of the offerings.