The fallout of a major data breach

A few weeks on from the suspected ransomware cyber attack on Optionis Group (Parasol’s parent company), contractors have found their personal data for sale on the dark web.

The discovery is the latest in a series of misfortunes to affect contractors employed through Parasol following the cyber attack in the second week of January.

As an umbrella company, Parasol employs temporary workers, often on behalf of employment agencies. Umbrella companies provide convenience for contractors and agency workers, and the companies who use the services of those workers, by managing contracts, timesheets and payroll, etc.

The role of an umbrella company also means it’s necessary for them to hold a large amount of personal and sensitive data. The introduction of the IR35 regulation in the UK, which relates to contractor / client relationships, has led to an increased use of umbrella companies by contractors and, consequently, an increased number of financial (payroll) transactions being made through those companies. As a result, companies such as Parasol now process and store a vast amount of sensitive financial data, making them attractive targets for cyber criminals.

The Optionis Group incident is the second major attack (that we know of) on an umbrella company in less than four months. Giant Group was the victim of a “sophisticated cyber attack” at the end of September 2021, which took the company’s communications and server network out of operation, and left some contractors without pay.

Timeline of the Optionis Group cyber attack and consequences

14th January 2022

Parasol initially advised its contractors that there was no access to the company’s operational and communication portals used to submit timesheets, view payslips, process contract extensions and so on.

Rumours began to circulate on social media that Parasol was experiencing a cyber attack, which was later confirmed by Optionis Group.

15th January 2022

Some of Parasol’s contractors started to report missing payroll payments or payments that were significantly lower than expected. When this was questioned, the company confirmed that payments were having to be made manually, implying that their bank accounts had been compromised.

21st January 2022

Parasol’s portals were restored. However, other companies within the Optionis Group had to move to rebuilt platforms. For example, an accountancy firm within the group reopened its portal with data migrated from its last backup, taken in November 2021, meaning two months’ worth of data was missing and needed to be manually re-entered.

4th February 2022

Social media reports confirmed that personal data from Optionis Group had been found on the dark web.

7th February 2022

An email from Optionis Group confirmed that their data had been found on the dark web and individuals would be advised if they had been directly impacted.

28th February 2022

At the time of writing, the contractor we spoke to had heard nothing further from Parasol / Optionis Group, despite finding their own personal data on the dark web.

Taking action

As someone who works in the cyber security and fraud industry, they have quickly taken matters into their own hands and put in place controls to mitigate the personal impact of this data breach.

They’ve paid to set up monitoring alerts with Experian and CIFAS to try to protect themselves from identity fraud. The platforms will alert them if their personal details are used to apply for financial products.

As the director of a limited company, they’ve also had to register with the Companies House protection scheme to protect their company and receive alerts if anyone tries to change, or conduct business using, their details.

There’s still no guarantee that the individual’s leaked details won’t be sold or used maliciously in the future.

And the issues at Optionis Group are ongoing, with some systems still not restored in full since the cyber attack.

The contractor we spoke to is, unsurprisingly, frustrated and angry about the situation:

“I know how devastating an information security breach can be, so when I heard that my accountants and umbrella company that I work through for payroll had been breached, I was immediately very concerned. When it was confirmed that the personal data had been located on the dark web, I was extremely angry as you just assume that your accountants have the necessary protection in place for your data and information. Obviously not. It’s vital that other such firms review their systems and ensure they have the utmost protection as these attacks are becoming more and more commonplace.”

This viewpoint is clearly held by other affected parties. ComputerWeekly.com reported that some contractors had “tak[en] it upon themselves to investigate whether their personal data [was] compromised…after growing frustrated at the time…[taken by Parasol] to provide updates on the situation.”

The same article reports that “a group action is being prepared…to seek compensation for contractors caught up in the breach”.

Clearly, the main fault here lies with malicious actors who carried out a targeted cyber attack in order to breach a company’s systems and steal personal data. However, every company that holds personal data has a legal duty to keep data secure and to respond to potential data breaches in a specific way. In this case, there appear to be failings on both the security and the response side by Optionis Group.

Cyber security support from ESA Risk

At ESA Risk, we offer a broad range of cyber security services that can help you secure systems and data, become more cyber-aware, identify breaches, and prepare for and respond to attacks.

Our consultants have proven experience of working in some of the UK’s top financial institutions where they have implemented secure cyber controls and continue to provide remediation and preventative cyber security and data breach support.

For advice and support on making your business cyber-secure, or if you’ve been the victim of a cyber attack or data breach / leak, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.


10 smartphone security tips

As a result, should your smartphone fall into the wrong hands, it is a potential treasure trove of information and, therefore, a potential cyber security risk.

If you download a rogue app, click on a malicious link in an email or visit a dubious website, it’s even possible for hackers to hijack your phone without it leaving your side.

Here are 10 smartphone security tips to help keep you and your device safe and secure.

1. Guard your smartphone and make use of security settings

Treat your phone as carefully as you would your bank cards. Take care when using your phone in public, and don’t let it out of your possession. Thieves can quickly rack up huge bills on stolen phones, and you may be liable for all charges run up on your phone before you have reported it lost or stolen to your provider. To help prevent this happening, protect your phone against unauthorised use by setting up a PIN, password or biometrics-based security for your lock screen via your device’s settings.

2. Take precautions in case your phone is lost or stolen

Make a record of your phone’s IMEI number, as well as the make and model number. The IMEI is a unique 15-digit serial number which you will need to give to your mobile operator to have your phone blocked. You can check your IMEI number by ‘dialling’ *#06# in your calls app (device information is displayed on-screen, rather than making an actual call). These details are also noted on a phone’s original packaging.

Consider making your phone less useful to potential thieves by barring calls to international numbers and premium rate lines, if you never use them. Some mobile insurance policies, or any other policies that may cover the phone, could provide limited cover for unauthorised use. It’s worth checking the terms and conditions of your existing policy, and when considering a new policy.

The national Mobile Phone Crime Unit’s Immobilise database is a free registration service that assists the police in reuniting owners with their stolen smartphones. For further details and contacts for different operators, see Ofcom’s Lost or Stolen Phone Guide.

3. Don’t override your smartphone’s security settings

It is not advisable to attempt to ‘crack’, ‘jailbreak’ or ‘root’ your smartphone or tablet. This is a process people use to remove restrictions placed on their device’s operating system by the phone manufacturer. Doing so carries considerable risks: it compromises the security of your device and may leave you more vulnerable to malicious software. It is also likely to invalidate your manufacturer’s warranty.

4. Back up and secure your data

Smartphones offer the option to back up your data to the cloud and/or a personal computer, so that you don’t lose data if your phone goes astray. Check for information on how to do this in the phone’s manual.

5. Install apps from trusted sources only

Apps are the easiest way for someone to hack into your phone. Sometimes hackers will take a popular paid-for app, add their own illegitimate elements and then offer it for free on ‘bulletin boards’, ‘peer-to-peer’ networks or through fake online stores. Once the rogue app has been downloaded to your phone, the hacker can potentially take control of the handset, incur charges via premium SMS without your permission, make calls, send and intercept SMS and voicemail messages, or browse and download online content. You may not be aware anything is wrong until it’s too late. Only download apps from official stores (e.g. App Store, Google Play), and exercise care – research the app and check reviews.

6. Use antivirus software

It’s not just rogue apps which pose a threat to your smartphone’s security. Viruses and spyware can also be downloaded from websites, or by connecting your device to an infected computer. Some phones may be more vulnerable than others, but you can check for antivirus software in a reputable app store. Also, before connecting your device to a computer, ensure it has the latest antivirus/antispyware and firewall installed and running.

7. Use software to find your phone or erase its data if it goes missing

This software is typically installed by default on most smartphones, allowing you to log in to a website or an app on another device to track your phone and take action. Examples include Apple’s Find My app and Google’s Find My Device for Android.

8. Clear your phone before you dispense with it

If you decide to donate, resell or recycle your smartphone, remember to erase any data on it first. Remove and erase any media cards and perform a full or ‘factory’ reset by going into the Settings menu.

9. Accept updates and patches

From time to time, you’ll be prompted on screen to update your operating system. App developers may also propose updates to their app. It is advisable to accept these updates as they become available. As well as typically offering new features and improving your phone’s performance, they can also fix security vulnerabilities.

10. Check if your smartphone security has been breached

Additionally, there are some lesser-known tricks to check whether your smartphone is being tracked or if your security has been breached:

  • Dial *#21# to see whether your data, including SMS, are being forwarded to a third party.
  • Dial *#62# to see if your calls are being automatically forwarded. If so, where are your calls forwarded to? Don’t be too alarmed initially if you see that your calls are forwarded to a number you don’t recognise. This number might be a separate voicemail box run by your network service provider. The digest message might say that your calls are forwarded to this number after 20 seconds or so. Mobile service providers often provide separate voicemail gateways, including for those overseas on roaming charges. But you should certainly double-check with your service provider. Some suspicious numbers of known scammers and criminals are published online at unknownphone.com.
  • Dial ##002# to stop your calls being automatically forwarded.
  • Dial *#*#4636#*#* to find detailed configuration about your phone including call redirects, current network, usage and location. Check ‘Usage Statistics’ and ‘App Count Usage Time’ to double-check app usage and remove any apps that are suspicious (for example, you might not use them, but they show high usage).
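The codes in the list above are GSM/UMTS ‘MMI strings’: a procedure prefix, a supplementary-service code and a closing #. Some only read a setting, while others change it, so it is worth knowing which is which before you dial. The decoder below is an added example written for this article, not a tool from ESA Risk or from any handset vendor. It uses the procedure prefixes and the call-forwarding service codes defined in 3GPP TS 22.030, treats the Android *#*#…#*#* pattern and *#06# as handset-local codes that never reach the network, and reports any service code outside its table as unknown rather than guessing.

```python
"""Decode GSM/UMTS MMI 'star codes' before dialling them.

Added example for the smartphone-security checklist: distinguishes codes
that merely READ a call-forwarding setting (*#21#, *#62#) from codes that
CHANGE one (##002#), and flags handset-local codes such as *#*#4636#*#*.
Tables follow 3GPP TS 22.030 (call-forwarding family only).
"""
import re

# Supplementary-service codes (call-forwarding family), 3GPP TS 22.030.
SERVICE_CODES = {
    "21": "unconditional call forwarding (CFU)",
    "61": "call forwarding on no reply (CFNRy)",
    "62": "call forwarding when not reachable (CFNRc)",
    "67": "call forwarding on busy (CFB)",
    "002": "all call forwarding services",
    "004": "all conditional call forwarding services",
}

# Procedure prefix -> operation. Two-character prefixes are listed first
# so that '**' and '*#' are not mistaken for a bare '*'.
PROCEDURES = {
    "**": "register",
    "*#": "interrogate",
    "##": "erase",
    "*": "activate",
    "#": "deactivate",
}

# Interrogation is the only read-only procedure; everything else changes a
# network-side setting and deserves a second look before dialling.
READ_ONLY = {"interrogate"}

# prefix, 2-3 digit service code, optional '*field' arguments, closing '#'
_SS_RE = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})((?:\*[^*#]*)*)#$")


def decode_mmi(dial_string):
    """Describe an MMI string. Keys: kind ('network', 'device-local' or
    'unknown'), procedure, service, arguments, modifies_settings."""
    s = dial_string.strip()

    # Android 'secret codes' are consumed by the dialler app itself.
    if s.startswith("*#*#") and s.endswith("#*#*"):
        return {"kind": "device-local", "procedure": None,
                "service": "handset/vendor diagnostic menu (not a network service)",
                "arguments": [], "modifies_settings": False}

    # IMEI display is handled locally by the handset (TS 22.030).
    if s == "*#06#":
        return {"kind": "device-local", "procedure": "display",
                "service": "IMEI", "arguments": [], "modifies_settings": False}

    m = _SS_RE.match(s)
    if not m:
        return {"kind": "unknown", "procedure": None, "service": None,
                "arguments": [], "modifies_settings": None}

    prefix, sc, info = m.groups()
    procedure = PROCEDURES[prefix]
    # Supplementary information (e.g. a forwarding number) follows as '*field'.
    arguments = info.split("*")[1:] if info else []
    service = SERVICE_CODES.get(sc, f"unknown supplementary service code {sc}")
    return {"kind": "network", "procedure": procedure, "service": service,
            "arguments": arguments,
            "modifies_settings": procedure not in READ_ONLY}


def explain(dial_string):
    """One-line, human-readable explanation of what dialling the string does."""
    d = decode_mmi(dial_string)
    if d["kind"] == "unknown":
        return f"{dial_string}: not a recognised MMI/SS string"
    if d["kind"] == "device-local":
        return f"{dial_string}: {d['service']}; nothing is sent to the network"
    if d["modifies_settings"]:
        extra = f" using {', '.join(d['arguments'])}" if d["arguments"] else ""
        return f"{dial_string}: {d['procedure']} {d['service']}{extra} -- CHANGES network settings"
    return f"{dial_string}: interrogate {d['service']} (read-only)"


if __name__ == "__main__":
    for code in ["*#21#", "*#62#", "##002#", "*#*#4636#*#*", "*#06#"]:
        print(explain(code))
```

Run as a script, the block explains each code from the checklist; ##002# is the only one it marks as changing settings, which matches the article’s description of it as the code that stops forwarding.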

Further smartphone security advice and support

For further advice on securing your smartphone and other digital device, or if you think your device has been compromised, contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form. We’re here to support you.


The role of cyber attack war games in building cyber resilience

The reality is that penetration testing provides no guarantees of security and does not address the weaknesses in an organisation’s ability to detect and respond to a sophisticated attack; or its ability to manage a cyber crisis and take the timely decisions to enact cyber defence or system continuity plans. Consequently, there is a need for more sophisticated and technically based crisis exercises to identify causes of failure and to provide training, education and awareness.

To most firms, a real-world attack simulation is as much a ‘game changer’ as actually being targeted. In both cases, firms can expect to learn hard lessons, but the war game process ensures that the organisation is ready to absorb the lessons and identify the benefits without the pain or damage of an actual breach. This point cannot be overstated. In a real event there is invariably a catalogue of human and management failures consistent with the inability to think clearly under pressure.

In reality, most lessons are only learnt after a real event, even when the overriding climate is negative or less orientated towards learning. A cyber attack war game, which simulates a prolonged attack, aims to provide lessons before a real event, and enables learning during an attack. In short, it can develop a firm’s ability to interpret and apply experience into real-time learning.

Cyber security war games derive significant learning across multiple levels of decision-makers, and can be structured specifically to bring together the C-suite, security leadership team, security operations centre and incident response, as well as the forensics, risk and crisis management teams. War gaming is an excellent and effective way for large organisations to identify the weaknesses in communications and coordination between these groups. In times of crisis, the cascading effects of an attack and the impacts are often exacerbated by the decisions taken, and the process of decision-making by these groups. Learning how these groups take certain decisions when faced with uncertainties, or adapt and enact response plans when tackling ‘unknowns’, is vital to a successful response and the successful building of cyber resilience within an organisation.

How do cyber attack war games work?

A well-crafted cyber security war game incorporates both a ‘fundamental surprise’ that the organisation had not anticipated and a number of ‘situational surprises’ – known cyber risks for which the organisation has little or no advance warning. Much of the pre-exercise planning should aim at developing appropriate knowledge and intelligence in order to define the exercise in a manner that can be controlled and developed over time and tests the different capabilities.

The ‘storyline’ can commence with a technical event to kick off the assessment of initial implications, and the event would then be developed through situational feeds from the directorate. The initial objectives should be to test detection: by the systems; by the incident response team; and through the analysis of the forensic team. More can then be provided by the directorate, including intelligence such as analysis of the threat community, IP information, and samples of malware. The exercise can then examine the fundamentals of communication and decision-making, specifically:

  • who is taking decisions and on what basis?
  • what is the process of taking alerts/indications and deriving useful information from them?
  • how is information then transformed into knowledge throughout this first technical phase?

At this point, a major new technical event may be introduced, or the original event may be taken in a new direction to trigger a new cycle of detection and decision-making. Evaluation may focus more on how the new event affects the decisions previously taken, the need for additional resources, and whether a new risk assessment should take place. With a second-phase escalation of the attack, the evaluation can examine who is assessing the risk throughout the event, who is involved in the process, what indicators are in place, and how they conduct a timely assessment of the possible implications from the new event.

Using this approach will allow escalation towards the involvement of the crisis management team, and an examination of that team: at what stage they became involved and how they received the relevant information. The exercise can also test the team’s communication effectiveness, who precisely was involved and how they supported the whole process.

Building cyber resilience

The more significant element in the learning process is the incorporation of observation, decision-logging, and mentoring as part of the war game process, while a full debrief and post-exercise workshop should establish lessons learnt, capability gaps and the modifications required in technology and processes.

The ‘learning by doing’ opportunity that war games provide identifies failures in breach incident response as well as failures in security. This should ensure a balance between security and implementing the appropriate response, but also offer a list of immediate tactical priorities for remediation, as well as short-term changes. It can also pick up previously peripheral issues that had not been addressed or prioritised specifically because they may have been proven to be more critical to the overall security apparatus than previously recognised. Often these are ‘human’ aspects known to be weaknesses, though not recognised and addressed at an organisational level.

By establishing the right cyber attack war game framework, the learning objectives are set at the top of the agenda if the organisation is astute enough to accept that a breach will occur, and the success is measured by how it deals with this.

The iterative process of this type of workshop can offer a forum for planning that integrates investment and priorities across prevention and defence with a shared understanding of the converged nature of cyber risk. This pre-emptive approach to developing effective cyber defence and identifying causes of future failure identifies priorities for response training, and the development of a response doctrine that can provide an organisation with agility and options.

Conduct a cyber war game

At ESA Risk, we can design and run a cyber war game specific to your business. If you would like to learn more about cyber security, war games and/or building cyber resilience within your organisation, please contact us.

The biggest threat

Graeme McGowan, Cyber Risk & Security Consultant at ESA Risk, reveals the biggest cyber security threat posed to businesses in the UK.

It’s the leading cause of reported data security breaches, according to the Information Commissioner’s Office (ICO), and arguably the largest enabler of malware infections and cyber attacks.

He also outlines ways the risks posed by this threat can be minimised.

What is the biggest cyber security threat?

While many people might expect the answer to be the latest malware in circulation or an organised group of hackers, the actual answer is simpler and closer to home…

Human error is arguably the largest enabler of cyber attacks and malware infections. Many people are not aware of the tell-tale signs or preventative measures to take when it comes to cyber security.

The ICO has reported human error as the leading cause of reported data breaches, highlighting a need to amend this. In turn, it is now handing out fines to organisations following data breaches, as a reverse incentive to push companies to educate their staff and thereby avoid potential breaches in future.

Businesses are not fined if they have a sufficient protocol in place guarding against human error, but small companies are being hit particularly hard because of gross negligence and a lack of staff training leading to employee mistakes.

A simple example:

Firm X sent out personal data in respect of an individual and their family via email and post. A lack of security meant that unconnected third parties, who had no way of knowing the sensitivity of the content of the post and emails, then unintentionally had access to the sensitive personal data. The unconnected third parties were accidentally included on the email and therefore received the data, most likely by the fault of the sender who seemingly did not check the recipient/s they were sending the email to.

A complaint was made by the individual concerned following the unauthorised disclosures and an investigation into the incident revealed that repeated human error was to blame for the breach, resulting in a £10,000 fine being handed to the firm.

Why was the fine so large?

The ICO has noted that the fine is reflective of the firm’s disappointing response to the complaint and its failure to engage appropriately or show an understanding of the impact of the breach on the individual. The lesson here is that, in itself, a breach of data protection rules will not automatically incur a penalty. However, inadequate safeguarding measures followed by a delayed or obstructive (or even just negligent) response to a breach may lead to investigation and subsequent fines from the ICO.

Human error will always be a risk, but the response to that error is what is important both in terms of limiting any sanctions and maintaining a positive relationship between a business and the individuals with whom it deals.

Where does the risk lie?

Lack of understanding or awareness may mean:

  • A subject access request goes unanswered or is delayed.
  • Misuse of personal data, e.g. it is used to contact individuals without consent.
  • Personal data is used for purposes outside of the purpose for collection of that data.
  • Personal data is inadvertently provided to unconnected parties.
  • Delayed or no action following a security breach.
  • Failure to update records or delete records.

All of the above would be breaches of the General Data Protection Regulation (GDPR) and may require immediate action or even reporting, depending on the circumstances.

How do we prevent or minimise the ‘human error factor’?

In three words: training, education and awareness.

Compliance with GDPR cannot rely just on software systems and one data protection manager.

All individuals within organisations from the cleaner to the CEO need to be aware of how data protection compliance impacts on their role and what their responsibilities might be. In a few cases, there may legitimately be none, but it is important for the knowledge to be there and for staff to be alert and aware of cyber security protocol.

In order to combat this risk and employee lack of awareness, training should be provided to staff at induction and at regular intervals, especially if their role and responsibilities change. It is also crucial that staff know what to do if an error occurs and a cyber security threat appears. Communication at the earliest point is key in handling a breach, so creating a culture of trust is critical.

Once the training and understanding is in place, investment in the technology to support good data protection procedures will enhance those procedures and allow easy management of the various tasks and obligations.

Cyber security services from ESA Risk

We’re here when you need us. We provide both passive and reactive support services, which are scalable and quick to deploy in crisis situations, giving you precious additional time at critical moments. Contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form to find out more.

Develop your cyber security knowledge with one of our cyber security courses, provided by the Global Cyber Academy.

Ransomware: What you need to know

In this article: ransomware meaning; types of ransomware; ransomware examples; protection against ransomware.

Ransomware meaning: What is ransomware?

Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. While some people might think ‘a virus locked my computer’, ransomware would typically be classified as a different form of malware than a virus. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card, and attackers target individuals, businesses and organisations of all kinds. Some ransomware authors sell the service to other cyber criminals, which is known as Ransomware as a Service.

How do I get ransomware?

How exactly does a criminal carry out a ransomware attack? First, they must gain access to a device or network. Having access enables them to utilise the malware needed to encrypt (or lock up) your device and data. There are several different ways that ransomware can infect your computer.

Malspam

To gain access, some threat actors use spam, where they send an email with a malicious attachment to as many people as possible, seeing who opens the attachment and ‘takes the bait’, so to speak. Malicious spam is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites.

Malvertising

Another popular infection method is malvertising, or malicious advertising, which is the use of online advertising to distribute malware with little to no user interaction required. While browsing the web – even legitimate sites – users can be directed to criminal servers without ever clicking on an ad. These servers catalogue details about victims’ computers and their locations, and then select the malware.

Spear phishing

A more targeted means to a ransomware attack is through spear phishing. An example of spear phishing would be sending emails to employees of a certain company, claiming that the CEO is asking them to take an important employee survey, or the HR department is requiring them to download and read a new policy.

The term ‘whaling’ is used to describe such methods targeted toward high-level decision makers in an organisation, such as the CEO or other executives.

Social engineering

Malspam, malvertising and spear phishing can, and often do, contain elements of social engineering.

Threat actors may use social engineering in order to trick people into opening attachments or clicking on links by appearing as legitimate – whether that’s by seeming to be from a trusted institution or a friend.

Cyber criminals use social engineering in other types of ransomware attacks, such as posing as a government agency in order to scare users into paying them a sum of money to unlock their files.

Another example of social engineering would be if a threat actor gathers information from your public social media profiles about your interests, places you visit often, your job, etc., and uses some of that information to send you a message that looks familiar to you, hoping you’ll click before you realise it’s not legitimate.

Encrypting files and demanding a ransom

Whichever method the threat actor uses, once they gain access and the ransomware software (typically activated by the victim clicking a link or opening an attachment) encrypts your files or data so you can’t access them, you’ll then see a message demanding a ransom payment to restore what they took. Often the attacker will demand payment via cryptocurrency.

Types of ransomware: Examples

Scareware

Scareware, as it turns out, is not that scary. It includes rogue security software and tech support scams.

You might receive a pop-up message claiming that malware was discovered and the only way to get rid of it is to pay up. If you do nothing, you’ll likely continue to be bombarded with pop-ups, but your files are essentially safe. A legitimate cyber security software programme would not solicit customers in this way. If you don’t already have this company’s software on your computer, then they would not be monitoring you for ransomware infection. If you do have security software, you wouldn’t need to pay to have the infection removed – you’ve already paid for the software to do that very job.

Screen lockers

Screen lockers – upgrade to terror alert orange for these guys. When lock-screen ransomware enters your computer, it means you’re frozen out entirely.

Upon starting your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine. However, the FBI would not freeze you out of your computer or demand payment for illegal activity. If they suspected you of cyber crimes, they would go through the appropriate legal channels.

Encrypting ransomware

Encrypting ransomware – this is the truly nasty stuff. These are the guys who snatch up your files and encrypt them, demanding payment in order to decrypt and redeliver. The reason why this type of ransomware is so dangerous is because once cyber criminals get hold of your files, no security software or system restore can return them to you. Unless you pay the ransom, for the most part, they’re gone. And even if you do pay up, there’s no guarantee the cyber criminals will give you those files back.

Mobile ransomware

Mobile ransomware – it wasn’t until the height of the infamous CryptoLocker and other similar families in 2014 that ransomware was seen on a large scale on mobile devices. Mobile ransomware typically displays a message that the device has been locked due to some type of illegal activity. The message states that the phone will be unlocked after a fee is paid. Mobile ransomware is often delivered via malicious apps and requires that you boot the phone up in safe mode and delete the infected app in order to retrieve access to your mobile device.

Who do ransomware authors target?

When ransomware hit the scene, its initial victims were individual systems (aka regular people). However, cyber criminals began to realise its full potential when they rolled out ransomware to businesses. Ransomware was so successful against businesses – halting productivity and resulting in lost data and revenue – that its authors turned most of their attacks toward them.

By the end of 2016, 12.3% of threats were ransomware, while only 1.8% of consumer detections were ransomware worldwide. And by 2017, 35% of SMEs had experienced an attack.

Ransomware attacks are still focused on western markets, with the UK, US and Canada ranking as the top 3 countries targeted. As with other threat actors, ransomware authors will follow the money, so they look for areas that have both wide PC adoption and relative wealth. As emerging markets in Asia and South America ramp up on economic growth, expect to see an increase in ransomware (and other forms of malware) there as well.

How can I remove ransomware?

If an attacker encrypts your device and demands a ransom, there’s no guarantee they will decrypt it, whether or not you pay up. That is why it’s critical to be prepared before you get hit with ransomware. 2 key steps to take are:

  • Install security software before you get hit with ransomware.
  • Back up your important data (files, documents, photos, videos, etc.).

If you do find yourself with a ransomware infection, the number 1 rule is to never pay the ransom and make sure you have backed up all of your data on a remote drive. Other ways to deal with a ransomware infection include downloading a security product known for remediation and running a scan to remove the threat. You may not get your files back, but you can rest assured the infection will be cleaned up. For screen locking ransomware, a full system restore might be in order. If that doesn’t work, you can try running a scan from a bootable CD or USB drive.

How do I protect myself from ransomware?

My advice is to prevent it happening in the first place. There are methods to deal with a ransomware infection, but they are imperfect solutions at best, and often require much more technical skill than the average computer user possesses.

How to prevent ransomware

The first step in ransomware prevention is to invest in security tools – software and programmes with real-time protection that are designed to thwart advanced malware attacks such as ransomware.

In addition to using the right tools, it all comes down to training, education and awareness… don’t click on it if it doesn’t feel right!

How ESA Risk can help

If you’ve been the victim of an attack or you’d like further advice and support on ransomware protection, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Increase your knowledge of cyber security – we offer cyber security courses, provided by the Global Cyber Academy, from levels 2 to 5.

Internet of things (IoT) devices – cyber threats

Threats and risks continue to evolve as hackers come up with new ways to breach unsecured systems, posing a threat to the ecosystem itself. Let’s take a look at the leading threats and risks to the IoT and the associated vulnerabilities that must be secured.

What is the internet of things (IoT)?

The internet of things (IoT) is a network of intertwined devices, software, sensors and other ‘things’ which enable the world to be connected throughout physical space. This can include business software, smart home devices, care monitoring systems, mobile phones or driverless trucks, and can range in size from a thumb drive to a train. All of these things communicate with each other without the need for human interaction. This web of connectivity is fascinating but poses serious danger to information security.

Exploring the IoT attack surface

A business’s attack surface is the sum of the vulnerabilities currently present on its network, both physical and digital. These can be vulnerabilities within its endpoint devices (computers, tablets) or in the software and hardware used to conduct business. While each device is typically protected by security software, devices are still exposed to a series of added threats and vulnerabilities through their connection to the IoT. The Open Web Application Security Project (OWASP) provides a broad consensus on the current threats and vulnerabilities within these surfaces, condensed below.

IoT devices

Devices inevitably have vulnerabilities embedded within their memory systems, physical and web interfaces, network services, and firmware. Attackers can exploit outdated components, insecure default settings and insecure update mechanisms. When managing vulnerabilities across your network’s devices, continuous monitoring is essential.

Communication channels

Attacks can originate from the channels that connect IoT devices. This presents serious threats to the security of the entire system and creates a potential for spoofing and denial of service attacks. These threats and attacks lay the foundation for an unstable network surface.

Applications and software

Every application and piece of software presents risk, and many web applications and APIs do not protect sensitive data adequately. This data can be anything from financial intelligence to healthcare information. A breach of this type of information can result in identity theft, credit card fraud and exposure of confidential information, all because a web application isn’t properly secured or patched on a consistent basis.

7 IoT threats and vulnerabilities to be aware of

As long as the internet of things continues to expand, the number of threats will continue to increase. Being able to identify and understand the different types of threats and vulnerabilities associated with the IoT can significantly reduce the risk of a data breach at your organisation. Let’s explore the top IoT concerns:

1. Lack of physical hardening

The lack of physical hardening has always been a concern for devices within the internet of things. Since most IoT devices are remotely deployed, there is no way to properly secure devices that are constantly exposed to the broader physical attack surface. Devices that lack a secure location and cannot be kept under continual surveillance allow potential attackers to gain valuable information about the network’s capabilities, which can assist in future remote attacks or in gaining control over the device. For example, an attacker can remove a memory card to read its contents and access private data and information that may allow them to access other systems.

2. Insecure data storage and transfer

As more people utilise cloud-based communications and data storage, the cross-communication between smart devices and the IoT network increases. Any time data is transferred, received or stored through these networks, the potential for a breach or compromised data also increases. This is due to the lack of encryption and access controls before data is entered into the IoT ecosystem. For this reason, it is important to ensure the secure transfer and storage of data through robust network security management tools like firewalls and network access controls.

3. Lack of visibility and IoT device management

Many IoT devices remain unmonitored, untracked and improperly managed. As devices connect and disconnect from the IoT network, trying to monitor them can grow to be very difficult. Lack of device status visibility can prevent organisations from responding to, or even detecting, potential threats. These risks can become life-threatening when we look into the healthcare sector. IoT pacemakers and defibrillators have the potential to be tampered with, if not secured properly, and hackers can purposefully deplete batteries or administer incorrect pacing and shocks. Organisations need to implement device management systems to properly monitor internet of things (IoT) devices so all avenues for potential breaches are accounted for.

4. Botnets

Botnets are networks of internet-connected devices that have been compromised to steal data, compromise networks or send spam. The malware that recruits a device into a botnet allows the attacker to use that IoT device and its connection to infiltrate an organisation’s network, making botnets one of the top threats for businesses. They are most prominent in appliances that were not manufactured securely in the first place (smart fridges, for example). Botnets continuously morph and adapt, so monitoring their changes and tactics is necessary to avoid attacks.

5. Weak passcodes

Although intricate passcodes can prove to be secure for most IoT devices, one weak passcode is all it takes to open the gateway to your organisation’s network. Inconsistent management of passcodes throughout the workplace enables hackers to compromise your entire business network. If just one employee does not adhere to advanced password management policies, the potential for a password-oriented attack increases. Practising good password hygiene is essential to ensure your business is covering all bases within standard security practices.

6. Insecure ecosystem interfaces

Application programming interfaces (APIs) are software intermediaries that allow 2 applications to talk to each other. By connecting the 2 systems, APIs can introduce a new entry point for attackers to access a business’s IoT devices and breach a network’s router, web interface, server, etc. It is crucial to understand the intricacies and security policies of each device in the ecosystem before connecting them, to ensure complete network security.

7. AI-based attacks

While AI attacks have been around since 2007, the threats they present within the IoT are becoming increasingly prominent. Hackers can now build AI-powered tools that are faster, easier to scale and more efficient than humans at carrying out their attacks. This poses a serious threat within the IoT ecosystem. While the tactics and elements of traditional IoT threats presented by cyber attackers will look the same, the magnitude, automation and customisation of AI-powered attacks will make them increasingly hard to battle.

ESA Risk and IoT cyber security

For more advice on cyber security – including internet of things (IoT) cyber security – contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Black Friday 2021: Stay cyber-safe

For many, Black Friday 2021 marks the official start to the Christmas shopping season and, excitingly, many retailers announce time-limited sales that promise huge savings to consumers. But it’s also the prime time for cyber criminals to cash in, too.

Some digital threats to watch out for on Black Friday 2021

Phishing attacks

While consumers rush to grab themselves a bargain, they may get caught out by a phishing scam. Phishing links commonly lead to fake login pages, prompting victims to authenticate themselves on their web account. For instance, victims may think they are logging into their favourite retailer account, when, really, they are handing their username and password over to an attacker, who can use it to their advantage later. Although this affects users directly, it also negatively impacts the retailer’s reputation, which can be difficult to recover.

Malware

Malware (as the portmanteau suggests) refers to any malicious software designed to harm a computer system by tracking user activity, hijacking functionality or stealing, deleting or encrypting data. Most malware enters your systems via email (96% of it in 2020, say CSO). According to research by Deep Instinct, malware saw a year-on-year increase of 358% in 2020. There’s no indication of that proliferation slowing, so this should be seen as a high-risk Black Friday cyber threat.

Formjacking

Formjacking is a form of ‘Magecart’ where malicious code is injected into the checkout forms of a website and can go undetected for a long time. Cyber criminals then hijack web forms to steal personal and payment information from shoppers.

Ransomware

Ransomware encrypts files so they are made inaccessible to their owner. The cyber criminal then demands a ransom payment in return for releasing the locked files. Ransomware is delivered through compromised legitimate ads (‘malvertising’), phishing emails and exploit kits. This has consequences for consumers and retailers/businesses alike.

Not being prepared enough for cyber threats is a threat

A staggering 3 in 4 IT leaders expressed a lack of confidence in their company’s IT security posture and saw room for improvement. Despite this, just 57% of companies conducted a data security risk assessment in 2020. Businesses need to step up their cyber security efforts to reduce these risks and minimise the impact of an attack.

How can you reduce the risk of cyber threats on Black Friday 2021?

The above attacks take place daily and are not specific to the holiday season or large events like Black Friday, but the volume and frequency of these attacks significantly increase during these times, as more consumers make purchases online.

Being aware of these threats is a step closer to preventing cyber attacks on Black Friday 2021 and during the holiday season to come. Businesses should balance investment in security awareness training for employees with putting robust security measures in place that can scan their systems for suspicious activity. Similarly, consumers need to be better educated and made aware of potential threats.

If you find yourself the victim of a cyber incident, ESA Risk can help you with your response to the attack and to make you cyber-secure in the future, through the design and execution of a strong cyber security plan. Reach out to us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form to find out more.


New cyber laws are welcome, but long overdue

The Product Security and Telecommunications Infrastructure (PSTI) Bill, introduced to parliament today by Julia Lopez MP and the Department for Digital, Culture, Media & Sport (DCMS), will provide consumers with better protection from attacks by hackers on their phones, tablets, smart TVs, fitness trackers and other internet-connectable devices.

As Julia Lopez, Minister for Media, Data and Digital Infrastructure, notes: “every day hackers attempt to break into people’s smart devices.” Cyber criminals are targeting these products more and more often. Which? recently found that a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week (yes, 12,000 a week!). With that in mind, a move to mitigate the risk posed to consumers through legislation has been a long time coming.

In the DCMS announcement, the Minister goes on to say: “Most of us assume that if a product is for sale, it’s safe and secure. Yet, many are not [80% of connectable product manufacturers “do not implement appropriate security measures”], putting too many of us at risk of fraud and theft. [The PSTI] Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”

Described by the government as “a new world-leading law”, the Bill will “prevent the sale of consumer connectable products in the UK that do not meet baseline security requirements”. Included in these new cyber laws are the following:

  • A ban on universal default passwords, with new devices required to come with unique passwords that can’t be reset to a universal factory setting.
  • A demand for greater transparency from manufacturers on their efforts to fix security flaws, with companies required to publish the minimum support time for products (i.e. for how long they’ll receive updates and patches).
  • A better vulnerabilities reporting system, including a public point of contact at each manufacturer.

The new cyber laws will apply to imported goods, as well as those manufactured in the UK. Retailers (both on the high street and online) will be subject to the same laws as the manufacturers, ensuring consumers are protected no matter where a product is produced or purchased.

And the laws will apply to all ‘connectable’ devices. From January to June this year, Internet of Things (IoT) devices were targeted by 1.5 billion attempted compromises – double the number in the whole of last year.

Dr Ian Levy, Technical Director of the National Cyber Security Centre (NCSC, part of GCHQ), is “delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security.” The Bill was developed jointly by the NCSC and DCMS.

Dr Levy admits that this change “mark[s] the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.” With so many connectable devices that don’t meet these standards already for sale and in our homes, we’re facing an uphill battle against cyber criminals. And, as the DCMS announcement points out, “just 1 vulnerable device can put a user’s network at risk.”

For advice on securing your network against cyber threats, contact Graeme McGowan, Cyber Risk & Security Consultant at graeme.mcgowan@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

New supply chain plans to bolster cyber resilience

The Department for Digital, Culture, Media and Sport (DCMS) has unveiled new proposals aimed at “protect[ing] the country’s digital supply chains”. Under the proposals, IT service providers could have to follow new rules, including the National Cyber Security Centre’s Cyber Assessment Framework, to bolster their cyber resilience.

Although developed before the results of the latest Cyber resilience captains of industry survey 2021 were published on 15th November, the move directly addresses the key issue highlighted by the research. The survey, conducted with “chairs, CEOs and directors of Britain’s top companies”, demonstrates a gap between perceived cyber security risk and “action on supply chain cyber security”. 91% of respondents now “see cyber threats as a high or very high risk to their business”, whereas just 69% say they’re “actively manag[ing] supply chain cyber risks.”

The proposals are the result of a government consultation that began in May 2021, driven by “an increasing number of organisations…suffering cyber attacks via their supply chains or via their providers of IT services.” During the government’s ‘call for views’ on this issue, 82% of respondents agreed that an effective (or somewhat effective) solution could be legislation.

Minister for Media, Data and Digital Infrastructure, Julia Lopez, said:

“As more and more organisations do business online and use a range of IT services to power their services, we must make sure their networks and technology are secure.

“Today we are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses’ digital footprint and protect their sensitive data.”

As the DCMS admits, this is only the beginning of an idea to strengthen the UK’s digital supply chains. A “new national cyber strategy” is promised “later this year”. Policy proposals need to be developed further and the government is reviewing “the laws and measures which encourage firms to improve their cyber security”.

More generally, the Cyber resilience captains of industry survey 2021 results show that the country’s largest firms – the Top 500 industrials by turnover and the Top 100 financial companies by capital employed – are taking cyber risks seriously.

77% of respondents said cyber security is discussed at board level on at least a quarterly basis. 92% reported that their “board integrates cyber risk considerations into wider business areas”.

However, only 16% said that their company’s board members needed no support “to be able to make better decisions about cyber resilience”. The most commonly chosen type of support needed was “awareness raising / education / training for board members” (34%), which is almost identical to our cyber security motto at ESA Risk: training, education and awareness.

Cyber Assessment Framework

The National Cyber Security Centre’s Cyber Assessment Framework covers 4 objectives:

  1. Managing security risk
  2. Protecting against cyber attack
  3. Detecting cyber security events
  4. Minimising the impact of cyber security incidents.

It “provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible” through 14 principles of cyber security and resilience.

ESA Risk and cyber resilience

For cyber security advice and support, including supply chain cyber resilience and meeting the Cyber Assessment Framework, contact Graeme McGowan, Cyber Risk & Security Consultant at graeme.mcgowan@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

The most common security threats to mobile devices in 2021

Increases in organisational mobility typically result in a higher number of mobile devices that are accessing your systems from a remote location. For your cyber security teams, this means a growing variety of endpoints and threats they need to secure to protect your organisation from a data breach.

Mobile malware has long been a common problem. As a result, businesses and individuals are usually aware of the potential threat and how to deal with it. However, as Verizon’s Mobile Security Index Report shows, new threats are constantly appearing and organisations need to consider these, as well, in order to ensure they’re protected.

Below are the most common and critical mobile security threats that organisations currently face.

4 different types of mobile phone security threats

Mobile phone security threats are commonly thought of as a single, all-encompassing threat. But, the truth is, there are 4 different types of threat that organisations need to take steps to protect themselves from:

Mobile application security threats

Application-based threats are present when people download apps that look legitimate but skim data from their device. Examples are spyware and malware that steal personal and business information without people realising it’s happening.

Web-based mobile security threats

Web-based threats are subtle and tend to go unnoticed. They happen when people visit affected sites that appear to be fine on the face of it, but automatically download malicious content onto devices.

Mobile network security threats

Network-based threats are especially common and risky because cyber criminals can steal unencrypted data while people use public Wi-Fi networks in places such as transport hubs and cafes.

Mobile device security threats

Physical threats to mobile phone security and other mobile devices most commonly refer to the loss or theft of a device. Because hackers have direct access to the hardware where private data is stored, this threat is especially dangerous to enterprises.

Mobile cyber security threat examples

Below are the most common examples of these threats, as well as steps organisations can take to protect themselves from them.

Social engineering

Social engineering attacks are when bad actors send fake emails (phishing attacks) or text messages (smishing attacks) to your employees in an effort to trick them into handing over private information like their passwords or downloading malware onto their devices. The best defence for phishing and other social engineering attacks is to teach employees how to spot phishing emails and SMS messages that look suspicious and avoid falling prey to them altogether.

Reducing the number of people who have access to sensitive data or systems can also help protect your organisation against social engineering attacks because it reduces the number of access points attackers have to gain access to critical systems or information.

Data leakage via malicious apps

Enterprises face a far greater threat from the millions of generally available apps on their employees’ devices than from mobile malware, because 85% of mobile apps today are largely unsecured.

Hackers can easily find an unprotected mobile app and use that to design larger attacks or steal data, digital wallets, backend details and other information directly from the app.

For example, when your employees visit Google Play or the App Store to download apps that look innocent enough, the apps ask for a list of permissions before people are allowed to download them. These permissions generally require access to files or folders on the mobile device, and most people just glance at the list of permissions and agree without reviewing them in detail.

However, this lack of scrutiny can leave devices and enterprises vulnerable. Even if the app works the way it’s supposed to, it still has the potential to mine corporate data and send it to a third party, such as a competitor, and expose sensitive product or business information.

The best way to protect your organisation against data leakage through malicious or unsecured applications is by using mobile application management (MAM) tools. These tools allow IT admins to manage corporate apps (wipe or control access permissions) on their employees’ devices without disrupting employees’ personal apps or data.

Unsecured public Wi-Fi

Public Wi-Fi networks are generally less secure than private networks because there’s no way to know who set the network up, how (or if) it’s secured with encryption, or who is currently accessing the network or monitoring it.

As more companies offer remote work options, the increasing number of public Wi-Fi networks your employees use to access your servers (e.g. from coffee shops or cafes) could present a risk to your organisation. Cyber criminals often set up Wi-Fi networks that look authentic (by ‘cloning’ them), but are actually a front to capture data that passes through their system (a ‘man in the middle’ attack).

The best way for you to protect your organisation against threats over public Wi-Fi networks is by requiring employees to use a VPN to access company systems or files. This will ensure that their session stays private and secure, even if they use a public network to access your systems.

End-to-end encryption gaps

An encryption gap is like a water pipe with a hole in it. While the point where the water enters the pipe (your users’ mobile devices) and the point where the water exits the pipe (your systems) might be secure, the hole in the middle lets bad actors access the water flow in between. Unencrypted public Wi-Fi networks are one of the most common examples of an encryption gap (and it’s why they’re a huge risk to organisations). Since the network isn’t secured, it leaves an opening in the connection for cyber criminals to access the information your employees are sharing between their devices and your systems.

However, Wi-Fi networks aren’t the only things that pose a threat – any application or service that’s unencrypted could potentially provide cyber criminals with access to sensitive company information. For example, any unencrypted mobile messaging apps your employees use to discuss work information could present an access point for a bad actor.

For any sensitive work information, end-to-end encryption is a must. This includes ensuring that any service providers you work with encrypt their services to prevent unauthorised access, and that your users’ devices and your systems are encrypted too.

Internet of Things (IoT) devices

The types of digital device that access your organisation’s systems are branching out from laptops, mobile phones and tablets to include wearable tech (like the Apple Watch) and physical devices (like Google Home or Amazon’s Alexa). And since many of the latest IoT mobile devices have IP addresses, it means bad actors can use them to gain access to your organisation’s network over the internet, if those devices are connected to your systems.

Spyware

Spyware is used to survey or collect data and is most commonly installed on a mobile device when users click on a malicious advertisement or through scams that trick users into downloading it unintentionally. Whether your employees have an iOS or Android device, their devices are targets ripe for data mining with spyware, which could include your private corporate data, if that device is connected to your systems.

Dedicated mobile security apps can help your employees detect and eliminate spyware that might be installed on their devices and be used to access company data. Ensuring your employees keep their device operating systems (and applications) up to date also helps ensure that their devices and your data are protected against the latest spyware threats.

Poor password habits

The 20 most common passwords in 2020, according to NordPass.

Position  Password      Time to crack         Times exposed
1         123456        Less than a second    23,597,311
2         123456789     Less than a second    7,870,694
3         picture1*     3 hours               11,190
4         password      Less than a second    3,759,315
5         12345678      Less than a second    2,944,615
6         111111        Less than a second    3,124,368
7         123123        Less than a second    2,238,694
8         12345         Less than a second    2,389,787
9         1234567890    Less than a second    2,264,884
10        senha*        10 seconds            8,213
11        1234567       Less than a second    2,516,606
12        qwerty        Less than a second    3,946,737
13        abc123        Less than a second    2,877,689
14        Million 2*    3 hours               162,609
15        000000        Less than a second    1,959,780
16        1234          Less than a second    1,296,186
17        iloveyou      Less than a second    1,645,337
18        aaron431*     3 hours               30,576
19        password1     Less than a second    2,418,984
20        qqww1122*     52 minutes            122,481

* new entry on 2020’s list

There’s not much more to say on this topic. These bad password habits present a threat to organisations whose employees use their personal devices to access company systems. Since both personal and work accounts are often accessible from the same device with the same password, it simplifies the work a bad actor has to do in order to breach your systems.

If you use any of the passwords in this list, I strongly suggest you change them now.
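As an added example (not code from the article, ESA Risk or NordPass), the following Python screens candidate passwords against a blocklist built from the table above and goes a little beyond it: it also catches trivial variants such as ‘Password123!’ or ‘P@ssw0rd’, keyboard and digit sequences, repeated patterns, and the cross-account reuse described above. The 12-character minimum and the sample credentials are assumptions, not figures from the article.

```python
"""Screen passwords against a small blocklist and flag trivial variants,
sequences, repeats and cross-account reuse.

Added example for this article, not code from ESA Risk or NordPass. The
blocklist is constructed from the article's table of the 20 most common
passwords of 2020; a real deployment would load a far larger breached-
password corpus in its place.
"""
import hashlib
import re
import unicodedata

# Constructed from the article's table (NordPass 2020 top 20), lower-cased.
COMMON_PASSWORDS = {
    "123456", "123456789", "picture1", "password", "12345678", "111111",
    "123123", "12345", "1234567890", "senha", "1234567", "qwerty",
    "abc123", "million 2", "000000", "1234", "iloveyou", "aaron431",
    "password1", "qqww1122",
}

MIN_LENGTH = 12  # assumed policy value, not from the article

# Leetspeak substitutions that cracking wordlists routinely undo.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# Keyboard rows and a digit run; a password that is a slice of one of these
# (or of its reverse) is treated as a sequence.
_SEQUENCES = ["01234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
              "abcdefghijklmnopqrstuvwxyz"]


def normalise(pw: str) -> str:
    """Reduce a password to the dictionary word it is built from:
    'Password123!' and 'P@ssw0rd' both become 'password'."""
    base = unicodedata.normalize("NFKC", pw).lower()
    base = re.sub(r"[\d\W_]+$", "", base)  # drop appended digits/symbols
    return base.translate(_LEET)


def is_sequence(pw: str) -> bool:
    """True for slices of a keyboard row or digit run such as '1234567890'."""
    if len(pw) < 4:
        return False
    return any(pw in s or pw in s[::-1] for s in _SEQUENCES)


def is_repeat(pw: str) -> bool:
    """True when the password is one short unit repeated: '111111', '123123'."""
    for unit_len in range(1, len(pw) // 2 + 1):
        if len(pw) % unit_len == 0 and pw[:unit_len] * (len(pw) // unit_len) == pw:
            return True
    return False


def weaknesses(pw: str) -> list[str]:
    """Return the reasons a password fails these checks. An empty list means
    no finding, which is not the same as proof of strength."""
    reasons = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("in common-password blocklist")
    else:
        base = normalise(pw)
        if base and base in COMMON_PASSWORDS:
            reasons.append(f"trivial variant of blocklisted '{base}'")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_sequence(low):
        reasons.append("keyboard or numeric sequence")
    if is_repeat(low):
        reasons.append("repeated pattern")
    return reasons


def find_reuse(credentials: dict[str, str]) -> list[list[str]]:
    """Group account names that share a password. One password across
    personal and work accounts lets a single leak open both; grouping by
    SHA-256 digest keeps the plaintext out of the report."""
    by_digest: dict[str, list[str]] = {}
    for account, pw in credentials.items():
        digest = hashlib.sha256(pw.encode("utf-8")).hexdigest()
        by_digest.setdefault(digest, []).append(account)
    return sorted(sorted(g) for g in by_digest.values() if len(g) > 1)


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    sample = {
        "work-vpn": "Summer2021!",
        "personal-email": "Summer2021!",
        "expenses-portal": "P@ssw0rd",
        "badge-system": "correct horse battery staple",
    }
    for account, pw in sample.items():
        findings = weaknesses(pw) or ["no finding"]
        print(f"{account:16} {', '.join(findings)}")
    print("reused across:", find_reuse(sample))
```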

Lost or stolen mobile devices

Lost and stolen devices aren’t a new threat for organisations. But with more people working from home or in public places like cafes or coffee shops and accessing your systems with a wider range of devices, lost and stolen devices pose a growing risk. First and foremost, you’ll want to ensure employees know what steps to take if they lose their device. Since most devices come with remote features to wipe or transfer information, that should include asking employees to make sure those services are activated.

Out-of-date operating systems

Like any other operating system, mobile operating systems require continuous work to find and patch vulnerabilities that bad actors use to gain unauthorised access to your systems and data. Companies like Apple and Google address a lot of these vulnerabilities with operating system updates, so updating/patching is critical.

Cyber security support from ESA Risk

For advice and support to secure your business against cyber threats – including mobile phone security – look no further than ESA Risk. From staff training to software and process recommendations, we’ll work with you to meet your cyber security needs.

Contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.
