Noord Infosec UK 2020 Dialogue

The Noord Infosec UK 2020 Dialogue is a must-attend event for CISOs, Directors and Heads of Information Security, as we explore and define the future role of the CISO to enable business growth through digital transformation.

This intensive 2-day programme is jam-packed with intelligence and opportunity to put your business in a leading position. Delivered as true peer-to-peer engagement in the most powerful and engaging format, the programme addresses challenges such as:

  • How to create effective security plans, including the design and implementation of a successful Security Considerations Assessment to minimize costs and delays in service delivery
  • What can be done to minimize the impact of cyberattack on your team’s mental health and wellbeing
  • How to adopt an agile approach to staying on top of vulnerabilities to constantly evolving websites when new functionality is introduced
  • What security leaders can do to influence organizational culture and grow an understanding of cyber threats across the business, while ensuring the board understands security is business critical

Key topics:

  • Business Continuity
  • Security in the Digital Economy
  • Recovery and Resilience
  • Securing the 4th Industrial Revolution
  • What next for the CISO?
  • Securing the Workforce

Speakers include:

  • Craig McEwen, Global Head of Cyber Defence, Anglo American
  • Deborah Petterson, Deputy Director, National Cyber Security Centre
  • Matt Broomhall, Chief Information Security Officer, TUI
  • Tim Harding, Chief Information Security Officer, Rightmove

What’s included?

  • 2-day conference and workshop programme
  • Comprehensive event documentation – including option to download presentations from our secure website
  • Access to our secure event website to customise and build your own itinerary prior to the event
  • Stream sessions, focus groups, speaker’s corners and plenary conference sessions with keynote speakers
  • All-inclusive luncheons and refreshments during the day – unlimited tea, coffee, soft drinks
  • All-inclusive drinks reception and 3-course dinner on day 1
  • Pre-matched one-to-one meetings and personalised event itineraries ensuring you gain maximum benefit from your networking time

Venue:

DoubleTree by Hilton Oxford Belfry

Milton Common Thame

Oxford OX9 2JW

Tel: 01844 279381

Accommodation: One night accommodation on the 25/02 is included in your event package fee and includes breakfast. Additional nights subject to availability at £109 including breakfast and VAT, bookable directly with the venue. Quote ‘noord event’ for the rate.

Getting there:

Nearest train stations: Haddenham and Thame – 7 miles; Oxford – 14 miles

By Car: The hotel is situated just off the M40, junction 7

Delegate testimonials:

  • “Great event, mix of networking with like-minded souls & conversations with vendors you want!” – CISO, Pinsent Masons
  • “It had the right balance of discussions, presentations and vendors.” – Information Security Risk Manager, LCH
  • “Noord always has insightful dialogues, always leave better informed.” – Group Privacy & InfoSec Programme Manager, Bourne Leisure

Sponsor testimonials:

  • “A very high calibre event resulting in a lot of fruitful opportunities! Fantastically run and would recommend to any vendor.” – Account Director, DarkTrace
  • “Professional and effective.” – Enterprise Sales Manager, Cylance
  • “High quality delegates that were willing to engage and open to discussion.” – Sales Director, Osirium

Register here or call +44 203 004 8778 and we will do it for you over the phone. To request a callback at a time to suit you, please email jay.patel@noord-dialogue.com, and of course do not hesitate to get in touch with any queries you have ahead of registering for your place.

Shadow IT: The Risks and How to Control Them

Shadow IT is on the rise, thanks to the incredible pace of innovation in cloud-based apps and technology aimed at boosting productivity.

What once was limited to a handful of unapproved software installations and Excel macros has grown into a vast, somewhat overwhelming issue for IT departments all over the world. Whilst many of the applications that fall under the ‘shadow IT’ category bring clear benefits, they also carry some considerable risks.

Let’s take a closer look at what shadow IT is, why it’s so problematic for companies and what actions businesses can take to protect their systems, data and compliance processes.

What is Shadow IT?

Shadow IT is a term used to describe any IT project that takes place outside of the IT department, usually without the knowledge of IT staff. Typically, shadow IT services are cloud-based SaaS applications such as Evernote and Dropbox.

Cloud-based services offer obvious benefits for employees, and are therefore very often installed and used without any form of consultation with IT departments. Whilst this does help to lighten the workload of overstretched IT teams, it also means that software and hardware isn’t subject to the IT department’s strict checks before installation. This can mean significant exposures in terms of security and compliance, both of which remain the responsibility of the company’s IT department.

The rise of Shadow IT

The rise of Shadow IT is largely down to the fast-paced development of apps targeting consumers, from file sharing apps to collaboration tools and social media. These apps have been designed with specific productivity in mind, and offer an effective, time-saving solution to many everyday tasks.

Ambitious employees never take their eye off the latest news from the technology world, and early adopters have quickly grasped the opportunities that cloud-based, SaaS applications offer their industries.

Subscription-based software such as Dropbox and Hubspot is designed with usability in mind, and can therefore be easily installed without the assistance of an IT professional. This has resulted in a rapid upsurge in the number of applications bypassing the strict testing processes of IT departments and finding their way onto company IT systems.

Shadow IT is already a huge issue for many corporations, and it’s set to become a much bigger problem over the coming years.

As we look forward to the increase in availability of 5G, we can expect to see the prevalence of cloud-based applications skyrocket. This will result in far more devices and endpoints for enterprise systems, and far greater security and compliance risks. Gartner has even suggested that the number of endpoints managed by the average CIO will triple by 2023.

Shadow IT risks you need to know about

The risks associated with shadow IT are considerable. From data leaks and security issues to inefficient processes and costly downtime, shadow IT can cause huge headaches for IT professionals in the event of an emergency. These are some of the key risks to consider:

Security

One of the main problems with the increased use of shadow IT applications is security. Installing applications that have not been tested and checked by IT professionals can introduce vulnerabilities into the entire company network, resulting in potential data leaks and costly downtime.

Data Losses

For approved software and applications, IT departments invariably use a backup and restore strategy. However, this does not apply to services that IT staff are unaware of. In these cases there may be no backup available at all, and sensitive data could therefore be lost. Such losses may not be recoverable, and inevitably result in a vastly inflated workload for many key team members as the company struggles to reach a solution.

Data Protection

Almost all businesses now hold highly sensitive data, which is used to improve service and better inform growth strategies. However, this data is sometimes uploaded to shadow IT services without the knowledge of IT departments. This risky move can result in critical data leaks, and it also leaves the company open to the risk of former employees and unapproved personnel accessing the data.

Compliance

Companies develop their own compliance rules and processes, usually after extensive research and consultation with skilled professionals. One of the key risks in shadow IT is the bypassing of these compliance rules, which can have catastrophic consequences for the company in question.

How to protect your business from Shadow IT

Many IT departments have the same immediate reaction to shadow IT: banning it. But this isn’t necessarily the best course of action. Forbidding shadow IT services risks cutting communication ties completely, and doesn’t always stop the usage of these services in reality. Instead, take a look at the following three actionable strategies that can dramatically reduce the risks associated with shadow IT.

Promote communication

Communication is vital in any good working relationship. When we look at the rise of shadow IT, a running theme is the lack of effective communication between IT staff and company personnel.

Employees who do not feel supported by their IT departments are more likely to look elsewhere for SaaS solutions to their biggest pain points. Therefore the onus is on IT departments to promote a two-way conversation on cloud-based applications, listening to employees’ requirements and understanding their need for shadow IT services.

It’s then up to IT departments to inform and educate team members on the risks associated with shadow IT, ensuring that all staff work together to reach a safer, more secure solution that speeds up business processes in the same way as popular SaaS applications.

Embrace mobile technology

We all use mobile devices in day to day life, and many of us now reach for our smartphones to fulfil a wide range of business tasks too.

To support employees and halt the rise of shadow IT in your own company, it’s a good idea to offer secure versions of internal applications, designed specifically for employees’ mobile devices.

Making internal applications accessible and safe will eliminate the need for many shadow IT services, and keep data safe as employees work on the move.

Develop new services

Shadow IT services have become so prevalent because they offer faster, better and easier ways of completing time-consuming tasks.

Instead of banning shadow IT services, IT departments must seek to understand which services appeal to their employees – and why. This will enable IT professionals to pinpoint gaps in the services offered by their own internal applications, and fill those gaps with safe, secure software that does exactly what employees need it to.

Keep an eye on the types of apps that employees are using, and ensure that your own services aren’t falling short and depleting productivity.

The rise of shadow IT is a significant problem for IT departments, but it’s not an insurmountable one. By promoting communication and developing effective internal applications that offer the same benefits as shadow IT services, IT departments can manage this rising risk and boost productivity.

This article was written by Henry Umney, CEO of ClusterSeven. Henry has over 25 years of experience and expertise within the financial services and technology sectors. Prior to ClusterSeven, Henry held the position of sales director in Microgen, London and various sales management positions in AFA Systems and ICAP.

Jeff Bezos’ phone hacked

As reported by The Guardian, Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia. The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world’s richest man, according to the results of a digital forensic analysis. Large amounts of data were exfiltrated from Bezos’s phone within hours, according to a person familiar with the matter.

Jake Moore, Cybersecurity Specialist at ESET:

“This has all the hallmarks of the Pegasus spyware, which is a very sophisticated malware. When run on a device you will likely have no idea of what has just happened. Engineering a file to look like a photo or video that has come from a contact is the perfect way of executing the malware, so no doubt Bezos was unaware what had just occurred.

This particular spyware is used on highly targeted individuals and so people of high value or wealth need to be extremely cautious of such tactics used. Bezos may well have innocently clicked on the file in the message, but extreme caution should always be adhered to whenever something is received. Although difficult to reduce the risk, anyone who is a possible target, including people in the media and politicians, should always be aware of the risks.

Groups such as the NSO are very capable of carrying out vulnerability checks on operating systems and are always out to exploit any weaknesses found before they are patched.”

npm malicious JavaScript package

The security team at Node Package Manager (npm) has removed a malicious JavaScript package present in the npm repository, according to computing.co.uk. This malicious software was observed stealing sensitive data from UNIX systems. The package, named 1337qq-js, was uploaded to the repository on 30th December 2019, and was downloaded at least 32 times over the past two weeks before it was spotted by Microsoft’s Vulnerability Research team.

Jake Moore, Cybersecurity Specialist at ESET:

“It is recommended to remove this particular software but vulnerabilities are predominately identified through the in-built audit feature in npm, which detects previously reported malicious packages. As this threat was unknown before, it makes it far more difficult to predict in future. Even when the Microsoft Vulnerability Research team is there to act as a security blanket, users are advised to always take caution when downloading any files. As we have seen before, every once in a while malicious software may slip through the net and catch people out, but at least this one was caught before it had been out too long and gained any serious traction or made significant damage.”

Unsecured Amazon database exposes sensitive information on British consultancy firms – Comment

It has been reported that an unsecured database on Amazon has been discovered exposing sensitive information on thousands of British consultancy firms as well as working professionals. The database was found by Noam Rotem and Ran Locar, two researchers at cyber security firm vpnMentor, who claimed that it was stored on an Amazon Web Services (AWS) S3 bucket and was leaking information belonging to HR departments of various British consultancy firms, as well as professionals. The researchers said they were able to see all files stored in the database, including thousands of passport scans, tax documents, background checks, job applications, expense forms, scanned contracts, emails, and salary details.

Robert Ramsden Board, VP EMEA at Securonix, has offered the following commentary:

“Given the sensitive nature of the information exposed in this leak, if this database had been discovered by criminal hackers, the security and privacy consequences for those whose data had been exposed could be great. Individuals incur a heightened risk of experiencing threats such as identity theft and phishing scams.

This may be one of the first data incidents of 2020, but it follows a very similar pattern to numerous data leaks in 2019. Practising basic cyber hygiene is a must for all organisations, particularly those that are trusted with our most sensitive data, and in 2020 those that fail to secure their databases should be held accountable.”

Corin Imai, senior security advisor at DomainTools:

“Personal Identifiable Information is often sold by cybercriminals, who find creative ways to exploit it in attacks such as targeted spear phishing campaigns, account compromise and identity theft. Anyone with an association to the consultancy firm whose data was left exposed on the encrypted database should take preventive measures to avoid falling victim of a scam, such as being wary of emails coming from unknown senders and avoiding clicking on links and attachments they don’t recognise.

In turn, organisations that store data in the cloud should make sure they understand their role in securing it: cloud providers are responsible for the security of the cloud, but customers are still in charge of securing what they choose to store in it.”

Sergio Loureiro, Cloud Security Director at Outpost24:

“Today, we are still in the early days of cloud infrastructure security, and what we are seeing is a prevalence of opportunistic, not very sophisticated attacks, such as looking for publicly accessible AWS S3 data buckets. You’d be amazed to see the data you can find there just by simply scanning low hanging data in cloud infrastructures. And it only takes a couple of API calls to do it. With a lot of data being migrated to the cloud for use cases like data mining, and lack of knowledge of security best practices on Azure and AWS, it is very simple to get something wrong.

The solution for low hanging data is to perform continuous data risk assessments before the attackers do. This can be automated and not another big burden for security teams. For more sophisticated attacks such as ransomware, the data risk assessments help prevent them as well by not leaving your data storage open and tightening the scope of data that ransomware may access. Today, cloud providers such as AWS, Azure and GCP are launching tools for customers to tackle this issue, which can be complemented by cloud security posture management solutions and cloud workload protection platforms, using the terminology by Gartner.”
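As an added example of the kind of automated data risk assessment the Outpost24 comment above calls for (this is not code from the article or from any vendor quoted here): an offline check that takes a bucket's ACL, bucket policy and Block Public Access settings, in the dict shapes that boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return, and reports whether and why anonymous callers can reach the bucket. The bucket names and settings below are constructed.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def public_acl_grants(acl):
    """Permissions the bucket ACL hands to everyone (AllUsers) or to any
    AWS account at all (AuthenticatedUsers); both count as public."""
    findings = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Allow statements that an anonymous caller matches. boto3 returns the
    policy as a JSON string; a dict is accepted too. A Condition may still
    leave the statement public, so it is flagged for review, not skipped."""
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        note = " (conditional, review)" if "Condition" in stmt else ""
        findings.append(f"policy allows {','.join(actions)} to anyone{note}")
    return findings


def assess_bucket(name, acl=None, policy=None, public_access_block=None):
    """One verdict per bucket. IgnorePublicAcls neutralises public ACL grants
    and RestrictPublicBuckets neutralises public policy statements; a missing
    Block Public Access configuration neutralises nothing."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy)
    effective, suppressed = [], []
    (suppressed if pab.get("IgnorePublicAcls") else effective).extend(acl_hits)
    (suppressed if pab.get("RestrictPublicBuckets") else effective).extend(policy_hits)
    return {"bucket": name, "public": bool(effective),
            "reasons": effective, "suppressed_by_block_public_access": suppressed}


# Constructed sample inputs (shapes mirror the boto3 responses named above).
OPEN_HR_BUCKET = {
    "acl": {"Owner": {"ID": "owner-example"},
            "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-example"},
                        "Permission": "FULL_CONTROL"},
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}]},
    "policy": None,
    "public_access_block": None,   # never enabled: the ACL grant is live
}
LOCKED_BUCKET = {
    "acl": {"Owner": {"ID": "owner-example"}, "Grants": []},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::locked-example/*"}]}),
    "public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
}

if __name__ == "__main__":
    for name, cfg in (("hr-docs-example", OPEN_HR_BUCKET), ("locked-example", LOCKED_BUCKET)):
        print(json.dumps(assess_bucket(name, **cfg), indent=2))
```

Wired to the live API calls, the same function runs across every bucket in an account on a schedule, which is the continuous assessment the comment describes.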

The Paradox at the Heart of Securing Digital Transformation

Written by Bernard Parsons, CEO, Becrypt

Whether it is an EPOS system at a fast food venue or large display system at a public transport hub, interactive kiosks are becoming popular and trusted conduits for transacting valuable data with customers.

The purpose of interactive kiosks, and the reason for their increasing prevalence, is to drive automation and make processes more efficient. For many businesses and government departments, they are the visible and tangible manifestations of their digital transformation.

Kiosks are information exchanges, delivering data and content and ingesting preferences, orders and payments. With so much data going back and forth there is huge value, and wherever there is value you’ll find malicious and criminal activities seeking to spoil, subvert or steal it.

Three categories of Cyber Threat

Kiosks are just the latest in a long line of data-driven objects that need protecting. At stake is the very heart (and public face) of digitally evolved organisations.

Threats to kiosks come in three principal forms:

Threats to system integrity – where kiosks are compromised to display something different. Losing control of what your kiosks look like undermines your brand and causes distress to customers. A recent example is a well-known sportswear store in New Zealand, where a kiosk displayed pornography for 9 hours before employees arrived the next morning to disconnect it.

Threats to system availability – where kiosks are compromised to display nothing. In other words, they go offline and, instead of displaying some kind of reassuring ‘out of order’ message, give the appearance of a desktop computer with frozen dialogue boxes or raw lines of code. Examples of this are all too common, but are typically characterised by ‘the blue screen of death’.

Threats to system confidentiality – where kiosks show no outward signs of compromise, but are in fact collecting data illegally. Such attacks carry significant risk over and above creating nuisance or offence. Examples include one of the largest self-service food vending companies in the US suffering a stealthy attack whereby the payment card details and even biometric data gleaned from users at kiosks may have been jeopardised.

The challenge of curbing these threats is compounded by interactive kiosks’ great virtue: their connectedness. As with any Internet of Things (IoT) endpoint architecture, the potential routes for attack are numerous and could spread from attacks on a company’s internal network, stem from vulnerabilities in kiosk application software, or even result from a direct assault on the kiosk itself.

How Best Practice Regulatory Standards Apply to Kiosks

Regulatory compliance plays a part here. The EU GDPR and NIS directive (ably supported by comprehensive guidance from the UK NCSC Cyber Assessment Framework) compel organisations to cover all parts of their endpoint estates with appropriate operational controls, processes and a risk management approach in respect of, for example, patch management, privileged user access and data encryption.

Regulatory reforms are all well and good, but technology (AI, machine learning, blockchain, etc.) is evolving rapidly and organisations must be as proactive about the cybersecurity challenge as possible or risk falling behind the digital innovation curve.

Here at Becrypt, through our work with UK Government and the National Cyber Security Centre (NCSC), we have developed solutions in line with core objectives sought by NIS and other regulations, for use in public sector environments. At the same time, we are seeing private sector businesses increasingly coming under the sorts of cyberattacks more commonly associated with the public sector.

Peekaboo Moments suffers breach leaving thousands of baby images and videos exposed – Comment

It has been reported that thousands of baby videos and images are being left unsecured and exposed to the internet by Peekaboo Moments, a mobile app. This is due to the app’s developer, Bithouse Inc., leaving an Elasticsearch database open on the internet.

Full story here: https://www.bankinfosecurity.com/babys-first-data-breach-app-exposes-baby-photos-videos-a-13603

Commenting on the news is Hugo van den Toorn, manager of offensive security at Outpost24:

“Unfortunately, this is yet another Elastic Database that is open to the public, which has nothing to do with the product itself, but purely with how the vendor has decided to set up their infrastructure and deploy their software. With the countless possibilities of ‘quickly deploying a system in the cloud’, security is -still- often overlooked by organisations. As datasets grow to these sizes and contain this sensitive information, data is becoming increasingly valuable to our business and in some cases even more valuable than money. Unfortunately, not everyone protects (your) data like the valuable asset it is. Even after vendors make statements such as ‘we take your security and privacy serious’, we often see security ending up somewhere on the bottom of the priority list… Assuming it made the priority list at all.”

Microsoft Issues Patch to Fix Severe Vulnerability Discovered in Windows – Comment

Brian Krebs posted a story last night about an emergency patch Microsoft sent to government agencies, branches of the US military and other organisations responsible for managing internet infrastructure. The vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Commenting on this, Yonatan Striem-Amit, CTO and Co-Founder, Cybereason, said “The internet is abuzz with rumors of a particularly critical patch going live today, Jan 14th, as part of the first Patch Tuesday of 2020. According to these rumors, the patch is so severe that government agencies and critical internet service providers have received warning ahead of time to install and incorporate these patches. More specifically, the patches are stated to fix an issue with ‘crypt32.dll.’ This ‘dll’ hosts the functionality in Windows that handles cryptography and specifically, handles encryption and signature verification.

Assuming the above rumors are true, what can we learn?

Given the advanced warning to critical agencies and providers, we can easily guess that the issue is very severe. Two classes of issues might cause such a response: it’s either remotely exploitable or severely violates chains of trust.
  1. By remotely exploitable, I refer to the option of using a rogue client or server to use maliciously formed TLS traffic and thus execute code on a victim machine. If this is indeed the case, the issue might be “wormable”, which means a compromised machine can attack other machines on the internet and trigger the same issue. An example of such an issue is the EternalBlue SMB attack leaked from NSA in 2017.
  2. By violating the chain of trust, I refer to the option where the vulnerability allows faking the signature on a binary. For example, convincing the operating system that a malicious binary is actually a legitimately signed one by a respected vendor. This would allow hackers to fool the update mechanism, potentially including Windows’ own Windows Update, to install malicious software assuming it was legitimate.
So what should we do?
  1. Given the information at our disposal right now, customers should absolutely make sure they apply this patch quickly. This is true for all “critical patches” but is doubly true at this time.
  2. Go proactively hunting and remember that “looks can be deceiving”. As we learn the nature of the exact issue, we might need to update our hunting playbooks to account for the option this gives hackers.”

Sextortion Email Scammers Try New Tactics to Bypass Spam Filters

According to Bleeping Computer, sextortion scammers have started to utilize new tactics, such as sending sextortion emails in foreign languages and splitting bitcoin addresses into two parts, in order to bypass spam filters and secure email gateways so that their scam emails are delivered to their intended recipients. For example, scammers are sending emails to English speaking users but with the content written in Russian and instructions to “Use google translator.”

Jake Moore, Cybersecurity Specialist at ESET:

“This just proves that sextortion attackers will continue to evolve and try anything to evade detection from current technologies and filters.

If you receive such an email, you shouldn’t panic. There is very little chance that any of the claims, such as the hacker being able to install spyware on your machine, have any truth in them. This is purely a tactic used to try and instill fear into the recipient and scare them into thinking the worst, resulting in them impulsively sending money to a criminal.

People should never feel forced into sending money to extortionists, and should always contact the police if they feel threatened. I would also advise people to place a webcam cover over their webcams when not in use, to add confidence in the case of any future sextortion emails.”
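Splitting the bitcoin address, as the report above describes, defeats a filter that looks for one contiguous base58 run. As an added example (not code from Bleeping Computer, ESET or the original post), here is detection logic that reassembles adjacent base58 tokens and validates the Base58Check checksum, so a legacy address broken across lines or punctuation still matches while ordinary words joined together do not. The sample email and the address in it are constructed from a fixed byte string, not a real wallet; bech32 (bc1...) addresses are out of scope.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TOKEN_RE = re.compile(r"[1-9A-HJ-NP-Za-km-z]+")   # maximal runs of base58 characters


def b58encode(raw):
    """Base58 with one leading '1' per leading zero byte (Bitcoin convention)."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s):
    """Inverse of b58encode; caller guarantees s only holds alphabet characters."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def checksum(payload):
    """First 4 bytes of double SHA-256, as Base58Check uses."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def p2pkh_address(hash160, version=b"\x00"):
    """Legacy address from a 20-byte hash (version 0x00 = P2PKH, 0x05 = P2SH)."""
    payload = version + hash160
    return b58encode(payload + checksum(payload))


def is_valid_legacy_address(s):
    """Length, alphabet, version byte and checksum must all agree."""
    if not 26 <= len(s) <= 35 or any(c not in ALPHABET for c in s):
        return False
    raw = b58decode(s)
    return len(raw) == 25 and raw[0] in (0x00, 0x05) and checksum(raw[:21]) == raw[21:]


def find_bitcoin_addresses(text, max_parts=2):
    """Valid legacy addresses in text, written whole or split across up to
    max_parts adjacent base58 runs (whitespace, punctuation or line breaks
    between them). The 32-bit checksum makes a false positive from joining
    two ordinary words vanishingly unlikely."""
    tokens = TOKEN_RE.findall(text)
    found = []
    for i in range(len(tokens)):
        for parts in range(1, max_parts + 1):
            candidate = "".join(tokens[i:i + parts])
            if is_valid_legacy_address(candidate) and candidate not in found:
                found.append(candidate)
    return found


# Constructed sample: an address derived from a fixed 20-byte value (not a
# real wallet), then split into two halves on separate lines as the report describes.
SAMPLE_ADDRESS = p2pkh_address(bytes(range(20)))
_half = len(SAMPLE_ADDRESS) // 2
SAMPLE_EMAIL = (
    "Use google translator. Send 0.5 BTC to the wallet\n"
    f"{SAMPLE_ADDRESS[:_half]}\n"
    f"{SAMPLE_ADDRESS[_half:]}\nwithin 48 hours."
)

if __name__ == "__main__":
    print("flagged:", find_bitcoin_addresses(SAMPLE_EMAIL))
```

Raising max_parts covers a three-way split at the cost of more candidate joins per message, which matters for a gateway scanning high mail volumes.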

GCHQ investigating whether cyber attack triggered London Stock Exchange outage

As reported by Engadget, GCHQ is investigating the possibility that a London Stock Exchange outage in August may have been due to a cyberattack. It is reportedly taking a close look at the associated code, including time stamps, to determine if there was any suspicious activity. The exchange was in the middle of updating its systems when the outage happened, and there’s a fear this left systems open to attack.

Jake Moore, Cybersecurity Specialist at ESET:

“The potential consequences of an attack on the LSE could be huge, and not only on the Exchange itself. As we recently saw with the cyber attack on Travelex, the knock-on effects with other firms connected with the company can be catastrophic. When such a pivotal corporation is attacked, many third party organisations can be affected in different magnitudes. Some are equipped to not be affected by the cyber attack itself, but then financial hits can come as a secondary blow.

Stock exchanges are naturally aware of this increased risk of attack and have higher levels of security in place for such attacks. However, if threat actors are persistent enough, they will continue to make attempts via a series of entry points, and there is only so much protection that can be in place. Staff in training will continually be a target, therefore keeping staff aware of such threats is key to protecting such a high-risk organisation.”
