Ransomware, Phishing and other Malware

Is Cyber Security making the grade for Small to Medium Enterprises?

I’ve touched on this subject several times in the past but was encouraged to revisit it after reading a book by Jean-Christophe Gaillard entitled The Cyber Security Spiral of Failure. A provocative title, and of course the subject matter was aimed at the corporate sector. But my view is that the difference between the two sectors, in terms of solutions, is often one of scale, with corporations being more complex and facing many problems that the SME sector doesn’t. They do, however, face the same threats and the same consequences of failure.

The author argues that for a couple of decades now, many organisations have been trapped in this spiral of failure, driven by endemic business short-termism and the box-ticking culture of many executives in regard to compliance. This really does resonate in the SME world, where short-termism is often driven by financial necessity, especially during and since COVID, when survival was paramount and often required day-to-day management. Of course, no SME owner or manager likes that and would love to have a solid and well-funded plan going forward, if only!

Successful transformation takes time and often requires changing the culture of the organisation, and this at a time when many owners are struggling with the emerging business practices of a more distributed workforce following the pandemic. Coming up with any transformative planning around IT naturally comes below that required for the business in general. The bottom line is often that if it isn’t our core business, it can wait, even though, of course, there are very few businesses that can continue to operate efficiently without their IT systems.

Which brings us to compliance. For most SMEs, compliance often means data protection, although there are the financial services regulations, and many do have industry standards governing IT and data that they must comply with. This often means that owners and managers go for quick wins using box-ticking measures, which often come a cropper sooner or later.

The book quotes from the BT Security survey released in January 2022.  One aspect which I fully agree with is the emphasis on getting security basics right and the importance of awareness development amongst employees.  Getting this right and training our employees are essential pillars of any cyber security practice, so as the book says, the question remains, why are we still banging on about it? – and everyone who reads my stuff knows I do that a lot.

There are a lot of traditional good security practices which have been pushed and re-emphasised time and time again: patch management, access management, anti-virus/anti-malware, firewalls etc. From my time working in the corporate space, I know that large enterprises have spent millions on these traditional areas of cyber security over the last two decades.

But are we really still stuck there, entrenched in traditional thinking when our working practices are changing, technology is changing, compliance requirements are changing?

SME management is often completely left behind by these changes. They have enough problems just keeping their businesses afloat and trying to grow; they don’t have the time or resource to keep abreast of these many and varied issues. Let’s face it, if corporate management is struggling with this changing landscape given their resources, what hope is there for the SME?

More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022 (stats for 2023 are starting to trickle through), up from 39% in 2020 (Vodafone Study, 2022). As we travel around and visit clients or potential clients, it is common to find that they have the view that adequate security is provided by technology. They rely on their IT provider to provide the guidance they need, which tends to involve firewalls, anti-malware software and perhaps a backup regime. All well and dandy. A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.’

So, what does he mean? As he’s not here to ask, I suggest that what he’s saying is essentially this: the technology available can be an essential part of your protection, but it has to be targeted in the right way. That means not only having the right piece of kit doing the right thing, but targeting your IT spend to support your business goals and give a maximum return on investment (ROI). It should also be married to good policies and processes that are enforceable and auditable and fully understood by your workforce. To do this you have to understand exactly what your risks, vulnerabilities and threats are, so that your solution to them is targeted for maximum effect and ROI, and so that the technology supports the policies and processes, all of which is underpinned by good security awareness training.

But now we have the ‘new normal’, with many businesses enjoying the financial bonus of a smaller office footprint whilst many people work remotely, bringing with it an increase in security problems. Earlier we mentioned traditional security solutions that have been around for a long time, most of which pre-date the pandemic and were based on the old bastion security methodology, i.e. a network perimeter protected with traditional solutions. But that bastion model no longer exists in many places, or if it does, it only protects the half of the workforce in the office whilst the other half work remotely. What is needed are new solutions that protect your staff wherever they might be working from.

Luckily for you, we have such a solution.

A Company’s Tale – From COVID to Hybrid

This is a tale that could be told regarding many organisations, especially since COVID hit.  Names have been changed and certain other details have been omitted or masked.

Hawk Engineering Ltd is a company that provides high quality environmental engineering services to its clients, and began operations on 16 July 2019, not long before COVID hit. It’s a limited company owned and operated by Norman Jones and Rupert Smith.  Mr. Jones and Mr. Smith both left their respective jobs to specialise in environmental engineering consulting to small and medium sized businesses.

The company was set up to target small to medium sized companies and government organisations within the UK. They have managed to secure several contracts and have grown from the original 2-man team to 8 consultants/engineers and 3 support staff, housed in a serviced building where they rent 4 rooms: one for the admin staff, one for the consultants, another for the 2 partners and a small conference room. The support staff cover finance, HR and general admin duties. The building shares a reception area and a cleaning contract. The cleaners operate out of hours, cleaning after everyone has left for the evening. The consultants are provided with laptops, tablets and smartphones whilst the admin staff use desktop PCs, and all are connected to a large printer.

Rather than ramp up its permanent staff too quickly, the company uses suitably qualified consultants when necessary. These consultants are given an email address and access to the data they need to work on projects.

The 2 partners are aware that they now hold a growing amount of personal and corporate data, not just about their own staff and systems but also about their clients.  They are aware of the Data Protection Act 2018 and GDPR but are not sure about how much this will affect them.  They have a local IT management company under contract and up to the start of COVID had an onsite server which stored their data and an email server providing mailboxes to the staff and contractors.  At the outbreak of COVID, this caused an issue.

In terms of policies, they have very little that references the DPA 2018 and/or GDPR.  Their website does not contain the necessary privacy statement or statements regarding the use of Cookies.  They don’t have an overarching security policy or a cyber security strategy in place.

But everything in the garden was rosy, the company was doing well, it was in profit and had a relatively full order book, at least for the foreseeable future.  And then along came COVID and everything changed.

At first it wasn’t a problem, we all remember how the UK ramped up relatively slowly, with lockdowns coming after those in other countries, but come along they did. The full implications of not being able to work in the office only started to become apparent after the office was out of bounds.  They couldn’t claim any sort of immunity because they were simply not in an industry that required such immunity, so the office closed.  The consultants used laptops and they could continue to work, but not securely.  They didn’t have a remote access system in place as consultants worked on client site and tended to use client networks through which they could connect.  Not optimum but cheap and cheerful and cash flow was everything to a small business.  The real hit was on the admin staff as they used desktop PCs which they had left behind when they went home.

So initially the priority was to find a solution for the admin staff, and the first issue was to find machines they could use at home and then connect them to the office file and mail servers; the latter applied to the consultants as well.

I’m sure most reading this will remember the issues as many of you will have faced the same problems.  So long story short, the problem was to establish as near to normal operations as possible and they ignored security as firstly, they didn’t grasp the implications, and secondly, they didn’t know what to do about it.  Their IT management company wasn’t a lot of help in the latter regard simply because they were firefighting issues for all or most of their clients and didn’t have the time or resource, and frankly, didn’t really have the skill set either.

In many respects, recovering an operational capability in that instance wasn’t much different from recovering from any natural disaster, and much of the planning required for a disaster recovery and business continuity situation would have applied, with perhaps the difference that the office would continue to be out of bounds. So, plans could be adapted, assuming of course you had a plan in the first place, and they didn’t.

What they were able to do was to set up a contract with a cloud provider and, as their IT support got some bandwidth, migrate their data from the office-based server to the cloud storage and at the same time migrate their email. Getting staff to connect to the cloud was an issue; it had to be done remotely, and some found it easier than others as some were more IT savvy than others.

It didn’t solve the desktop PC problem though and staff continued to use home PCs, the same PCs their kids were gaming on, to connect to the company data.  A recipe for disaster.  Of course, this was solved by purchasing and shipping laptops which the IT support set up before shipping.  But by then their data could easily have been compromised via the home PCs.  There is no way of knowing whether or not they were compromised and if this is a problem which could come back to bite them.

Work-from-home employees are at much greater risk than those in offices. Since home connections are less secure, cybercriminals have an easier entry into the company network. Furthermore, the explosion of various online tools, solutions and services for collaboration and productivity tend to ship with the bare minimum of security in their default settings, and updates from third-party vendors can change security preferences and be easily overlooked.

Phishing becomes an even greater threat to home workers, often because, in an office environment, they have access to colleagues and managers, who they can approach for advice and guidance.  This is much harder to replicate with remote workers, especially those who may not be particularly tech savvy and who may not wish to become ‘burdensome’ to their co-workers.

Ransomware also enjoys an advantage in the work-from-home model.  If their connection to the company is blocked, it is more difficult for workers to get assistance from the right experts and authorities.  And since trust levels are lower when working from home, some workers will be concerned that they have “done something wrong” and so may be more reluctant to seek help. While this risk can be addressed by increased training, as well as messaging that vigilance and involving IT support will be rewarded, it can still be an uphill battle.

The company has now evolved further, and expanded a little, and has adopted the hybrid method of working, saving money on floor space, fuel and light etc.  But this has come with problems of its own which we’ll look at next week.

Cyber Security Policies – A Must Have or a Nice to Have

How important are policies and processes in comparison with technology, when it comes to Cyber Security and its sister discipline, data protection? The clue is that in Cyber Security we refer to People, Process and Technology, in that order.

Top of this list is People, and I’ve written extensively about how important cyber awareness training is for all, managers and employees alike.  This piece is all about policies and processes.  First and foremost, policies have to be relevant to the organisation and not just downloaded from the internet, maybe with a few modifications, before applying a tick in the box and moving on.  Policies have to mean something and have a purpose.  Many organisations I go to either have some very scant policies or actually, none at all.

I often talk about risk in terms of cyber security and how managing that risk is extremely important.  And that means understanding what those risks actually are, and then taking steps to mitigate them.  When I talk about this, I can often see the wheels turning and the audience thinking technology and how much is that going to cost them.  Well, it’s very often the case that technology is not the answer.  There are many risks where a good policy, promulgated to, and understood by all, can save the company money.

A good example of that is a fairly common scam that tends to cost SMEs between 5K and 50K depending upon the size of business. How this is achieved is that the scammer, or let’s call him/her what he/she is, the criminal, spends some time profiling the company, using various social engineering techniques to work out how the company is organised and who is who. You may be surprised as to how much of that information is freely available on the company website, Companies House and other sources. Having discovered who the boss is, and who looks after invoice payments, the criminal then ‘spoofs’ the boss’s email. Email spoofing, in simple terms, is sending an email purporting to come from someone else. So, it arrives purporting to come from the boss, but actually it’s from the scammer. Such an email is sent to the person who pays invoices, with an invoice attached, saying please pay this as a matter of urgency.

This happened recently to someone I know, and when it arrived in the accounts department it didn’t look kosher to the payments clerk, who replied to the email asking if the boss was sure. Of course, she got an email back saying yes, I’m sure. She paid it and the company lost over 30K. The accounts clerk was clearly switched on, but she made a basic error, because she didn’t know any different. If she had sent a fresh email to the boss querying the invoice, it would have gone to the boss, who could have stopped the transaction. Instead, she replied to the email and her reply went back to the scammer. A policy which dictates fresh emails rather than using the reply function, and known to all, would have saved the company a lot of money.
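The header pattern behind that lost 30K can also be checked mechanically, as a backstop to the fresh-email policy. The following is an added example, not code from the original post; the company domain, the executive list and the two sample messages are constructed for illustration. It flags a message whose reply would leave the company domain, whose Reply-To differs from its From, or whose display name borrows a known executive’s name on an address that is not that executive’s mailbox.

```python
"""Added example: flag the 'reply goes back to the scammer' pattern in
email headers. Not code from the original post; all names, domains and
messages below are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the company's own domain and the executives whose names a
# spoofed invoice email would borrow (hypothetical values).
COMPANY_DOMAIN = "abc.example"
KNOWN_EXECUTIVES = {"john smith": "john.smith@abc.example"}

# Constructed sample 1: display name is the boss, but the address is outside
# the company and Reply-To routes the clerk's answer to the scammer.
SPOOFED_EMAIL = """From: John Smith <john.smith@abc-payments.example>
Reply-To: John Smith <ceo.abc@freemail.example>
To: julie@abc.example
Subject: URGENT - overdue supplier invoice

Please pay the attached invoice today.
"""

# Constructed sample 2: a genuine internal request with no reply diversion.
GENUINE_EMAIL = """From: John Smith <john.smith@abc.example>
To: julie@abc.example
Subject: Supplier invoice

Please pay when convenient.
"""


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_invoice_email(raw_message, company_domain=COMPANY_DOMAIN,
                        executives=KNOWN_EXECUTIVES):
    """Return a list of findings; an empty list means no spoofing indicators."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    # A reply goes to Reply-To when present, otherwise back to From.
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    findings = []

    # 1. A reply would leave the company domain: this is exactly what went
    #    wrong with the clerk's "are you sure?" reply in the story above.
    if domain_of(reply_addr) != company_domain:
        findings.append(f"reply would go to {reply_addr}, outside {company_domain}")

    # 2. Reply-To domain differs from From domain: normal for mailing lists,
    #    unusual for a one-to-one payment instruction from the boss.
    if domain_of(reply_addr) != domain_of(from_addr):
        findings.append("Reply-To domain differs from From domain")

    # 3. Display-name impersonation: a known executive's name on an address
    #    that is not that executive's real mailbox.
    expected = executives.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"'{from_name}' sent from {from_addr}, expected {expected}")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(label, check_invoice_email(raw) or ["no indicators"])
```

A check like this belongs at the mail gateway or as a warning banner in the accounts team’s mail client. It complements the policy rather than replacing it: the policy of sending a fresh email to the boss’s known address works whatever the headers say, which is why the post puts it first.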

Policies and attendant processes are essential for the protection of company data and the bottom line, company money.  What needs to be covered and in what depth, depends on the risks that the company is facing, and will differ company to company depending on its type.  In broad terms, and as an absolute minimum, the following are required:

  • Overarching IT security policy – often this only needs to say very clearly what responsibilities employees have in regard to security and data protection, lay down a requirement and responsibility for cyber awareness training, and state that all employees are to be cognisant of all the policies and are to sign that they have read and understood them.  And most importantly, it must be signed off at board level making it clear that this is a crucial requirement.
  • IT Acceptable Use Policy – what is, and what is not, an acceptable use for company IT.
  • IT Email Policy
  • IT Password Policy
  • IT Mobile working policy – essential for mobile workers who may be tempted to work from a coffee shop, and of course, working from home.  This latter might be a separate policy or can be part of the mobile working policy.
  • Data Protection Policies – a whole other subject.
  • Social Media Policy – this can be really important. Probably 100% of your employees will have a social media presence and will use it daily. How important is it that they don’t associate themselves with the company on their private social media? It depends on the person, but it could be damaging in reputational terms. The company might also do some digital marketing on social media. Who is, and who is not, allowed to get involved with that function?

This is not an exhaustive list. It depends very much on the risks that need mitigating. The policies will also be accompanied by processes to support them.

Does this resonate with you? If you’d like to know more, we’d like to help.

Another Tilt at AI

At the risk of boring you about the risks inherent in AI, I’m going to have another go, simply because it’s a fascinating subject.  AI can really become the gift that keeps on giving.  We’ve always played catch up to the cyber criminals, trying and often failing to anticipate what the next attack will be, what the next series of attacks will be.  Will it be ransomware, denial of service or perhaps a new and more sophisticated scam?  Who knows?  But there is no doubt that AI is raising the bar.

I have talked a lot about the re-emergence of the script kiddie and how AI is enabling this particular breed of wannabe criminals. But it’s also true that the more skilled and sophisticated criminal is making use of AI and finding new and innovative ways of relieving you of your hard-earned cash.

There is a lot going around within the IT and cyber industry about the ethical usage of AI, its ethical development, and that IT system integrators have a cast of thousands working on such ethical development and usage. Fine, I applaud them. But what does that mean for cyber security, and indeed data protection? Well, I have to say, in my humble opinion, not a great deal. I say that simply because no matter how ethical we are, the criminal doesn’t give a damn; he or she will continue on their own sweet way and do what criminals have always done, which is to completely disregard ethics. So, whilst we can applaud and support those companies who are producing software and systems which use AI ethically, for the good, just like old times the criminals will do their own thing.

So, let’s take a look at some of what is at risk in terms of our data and systems:

  • Data Protection. AI systems tend to be extremely good at analysing, organising and harvesting vast amounts of data, raising concerns about privacy breaches and unauthorised access to sensitive information. A good AI-powered attack could capture huge amounts of personally identifiable information (PII) in a ridiculously short amount of time.
  • Data Integrity. In the good old days (please indulge me – I’ve been around a long time), we used to talk about CIA, no, not the infamous US intelligence agency, but Confidentiality, Integrity and Availability. We now have something we call the Adversarial Attack. This is where attackers manipulate AI algorithms by feeding them misleading data, causing them to make incorrect predictions or classifications, in turn destroying the integrity of your data, not just rendering it useless but dangerous.
  • Model Vulnerabilities. This next one is relatively new, at least to me, and as I never tire of saying, I’ve been in this game as long as there’s been a game. AI models can be vulnerable to exploitation, such as through model inversion attacks or model extraction, where attackers reverse-engineer proprietary models. So, if you’re in the dev game, this is a very real nightmare.
  • Bias and Fairness. AI systems may inherit biases from training data, leading to unfair or discriminatory outcomes, which can have legal, ethical and reputational implications. This could be used as another form of extortion, playing with the integrity of your data to the point where you can no longer trust it.
  • Malicious Actors. These can compromise AI systems at various stages of development, deployment or maintenance, posing risks to organisations relying on these systems. This has a play in supply chain security.
  • AI-enhanced attacks. Attackers can leverage AI techniques to enhance the effectiveness of cyberattacks, such as automated spear-phishing, credential stuffing or malware detection evasion.

Addressing these risks requires a multi-faceted approach, including robust security measures, thorough testing, ongoing monitoring, and regular updates to mitigate emerging threats.

The real danger is complacency.  AI isn’t a future hypothetical threat but is very real and here now, already making itself felt, for both good and bad.

Scams v Hacks – how does this affect SMEs?

When I speak to SMEs, I make the point that the chances of being ‘hacked’ are relatively low when compared with being scammed. Why? In my view, a hack is a technical attack on a target by someone who is technically savvy and skilled in identifying and exploiting weaknesses in a company’s defences. A scam, on the other hand, can be perpetrated by people with relatively low levels of technical ability; scams are in fact a con, just like any other old-fashioned con, in that they get the target to agree to, or to do, something that will benefit the con artist.

We always recommend that our clients try as best they can to have defence in depth. That’s an old military term which is now often used in cyber security to describe multiple layers of defence. This can be expensive though, and it must be tempered by budget, targeting controls where they are most needed. What this does is deter many attackers who are looking for a quick win: if they have to work long and hard to break in, they’ll often go elsewhere, where the pickings might be easier. And of course, whilst an SME’s defences might be somewhat less than those of an enterprise organisation, the pickings are likewise smaller, making it not cost-effective for the attacker to spend too much time on a technical hack.

Does this make scams much more attractive to the criminal? Yes, I believe it does, simply because the amount of effort required is low and they are skilled in manipulating people, especially those that have had minimal cyber awareness training. Scamming, just like hacking, is generally preceded by some form of social engineering. Social engineering refers to techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons. So, whilst a hacker modifies a computer’s software and hardware structure to carry out certain tasks, social engineering uses people as the weapon to attack selected targets. The manipulation is accomplished by gaining trust through different forms of communication.

Typically, social engineering is achieved via Phishing, Vishing (voice, over the phone), Smishing (via SMS), malware and Spear phishing, where the targets are selected for their importance to a specific attack. Whatever method is used, the aim remains the same: to persuade the unwary to give up sensitive information, install malicious software or do things that compromise your business security. The best protection against social engineering remains a workforce that is aware of the techniques and the dangers posed by them.

What is the cost of scams across the globe? One statistic suggests that public sector fraud losses amount to about £50.2 billion, whilst frauds committed directly against individuals, including marketing fraud and identity fraud, are around £8.3 billion. The total cost of fraud has risen from about £190 billion in 2017 to almost £219 billion (source: Peters, Peters and Crowe). Of course, not all of this is online fraud, but it is becoming the most common type of scam we see today.

Some of the most common types of scams that we see include, but are not limited to:

  • Copycat government websites. Some scams involve websites designed to look like official government websites such as HMRC. …
  • Dating and romance scams. …
  • Holiday frauds. …
  • Mandate fraud. …
  • Pharming. …
  • Phishing emails.

I received an email only yesterday purporting to come from someone called, and I kid you not, Lisa Monaa, inviting me to partake in an extremely profitable project, and I just couldn’t bring myself to read anymore.  It was a badly written phishing email with little chance of success.

AI is having an effect as well. I’ve written earlier about the CEO scam, whereby a CEO’s email is spoofed and sent to an accounts department with an invoice attached, stating that the CEO has received a complaint from a supplier that their invoice is late and to get it paid without delay. That scam has now been updated to a voice simulated by AI, over the phone, demanding the same.

Whilst that scam is quite old, it shows how social engineering has a play. Firstly, they have to find out what the CEO’s email is. Not difficult. The company’s email format will almost certainly be shown on their website with a contact like sales@abc.com. So, the attacker knows that the suffix is abc.com. They may well also be able to get the CEO’s name from the website or even Companies House. Next, send an email to JSmith@abc.com. If that bounces, send it to John.Smith@abc.com and so on until it goes through. Next, phone the accounts department and ask for Mary in accounts payable. No Mary here, I’m afraid. Oh sorry, I was sure it was Mary; who handles accounts payable then? Oh, that’s Julie. So, he now has the CEO’s email and someone to send the email to. That would probably take about 30 minutes of the scammer’s time.

The impacts of scams can be very far reaching. Firstly, there is financial loss, which to many SMEs operating on tight margins can be quite devastating. Then there is the possibility of a data breach. If you are a business with lots of client personal data, say a financial advisor, a lawyer, an estate agent, a pharmacist, you get the drift, and the aim was to steal data, then you could be hit with a substantial fine from the Information Commissioner, not to mention lawsuits from those whose data has been stolen. Reputational damage can be disastrous, and then there is the effect on staff, who can suffer greatly thinking they have damaged the company and put everyone’s job at risk.

Bottom line – scamming is endemic, it’s going nowhere, and AI is going to make it more prevalent, not less. SMEs spend far less on their defences and on cyber awareness training, making them more likely to be targeted. Combating this threat should be high on your to-do list.

A Tale of Two Companies

These stories are fictitious but are based on real events with the company names, locations, and industry vertical either changed or obscured.

Company One

ABC Ltd is a chain of financial advisors which has seen strong growth even allowing for the hiccup of the COVID lockdowns.  It has grown from one site nearly 20 years ago, to six sites situated in rural market towns in the East of England.  As with nearly everyone else, COVID has significantly changed the way they operate as they were forced into home working and never went back to being fully office based and are now operating a more distributed hybrid working pattern, with staff working between offices and home.  This hasn’t proven to be an issue and has some financial benefits, reducing the office footprint, fuel and light and travel costs.  Their clients, consisting of local businesses mainly but with a significant department looking after individuals, have not been impacted by these changes.

John is the finance director, and he was given the additional responsibility for IT, something not unusual in SMEs, as they can rarely afford their own in-house IT experts. This has led to John outsourcing the IT to a local IT management company and so far, they have had no complaints. Although John doesn’t profess to have any in-depth IT knowledge, he discussed their requirements in detail and accepted that a move away from onsite servers and storage to a cloud-based system made perfect sense and lent itself to the distributed network they now operated.

However, he had some concerns around cyber security. He read a lot and what he read worried him, particularly about things such as ransomware, phishing, social engineering and scamming. He knew that they held considerable amounts of personally identifiable information (PII) as defined by the Data Protection Act, or UK GDPR as it is becoming known, and he had heard horror stories of companies being fined a lot of cash for losing that data. So, John decided to bring this up at a board meeting and was met with some resistance from the CEO and other board members. They asked what advice he was getting from their IT providers, and he said not a lot. They seemed to be happy with the defences in place, which relied on firewalls in the office, personal firewalls on remote laptops and desktops, anti-virus software and secure channels for sending data to and from the cloud storage. The cloud provider operated under Ts&Cs which seemed to ensure that they took responsibility for the secure storage of their data. He was concerned that not all their data was stored in the cloud, even though it was supposed to be. He knew that staff working from home downloaded data onto their laptops, worked on it, and then uploaded it. He wasn’t sure they ever deleted the copy they had on their laptops and had no way of checking. He was also sure that data was attached to emails and sent around, so there would be copies on the email server and on email clients. But he was told to forget about it as it wasn’t a priority for funding.

Jumping forward a couple of months and staff were panicking, and his phone was ringing off the hook as IT user after user was seeing a red text box sporting a skull and crossbones and the message that their data was encrypted, and if they wanted to decrypt it, it would cost £50,000. The CEO convened an emergency board meeting, and the IT provider was dragged in. It didn’t take long to ascertain that this was a sophisticated attack, and when they attempted to access their cloud storage, they found that the data held there was also affected.

The CEO asked the IT provider how long this would take to fix, if indeed it was fixable. He replied that they did have two sources of backups of the data, online and offline. The problem was that the online data could also be affected, and so the safest recourse was the offline backup, but that was only done weekly and therefore they would lose at least 3 days’ worth of data. The CEO was not pleased. Added to this, John wasn’t happy with just fixing the immediate issue; he wanted to get to the bottom of how this happened and how they could stop it in the future. He contacted a specialist cyber security company that was fairly local to them. Modesty forbids me to mention their name.

Once onsite they identified that there needed to be two strands to this.  First and foremost, the company needed to be got up and running, which meant restoring from backup.  But there was no point doing that if the ransomware was still sitting on their systems, because it would merely encrypt the restored backup as well.  It’s never that easy.  How did the ransomware get on the systems, how deeply was it embedded, how did it get onto the cloud storage, etc.?  How it got there was quite easily detected.  It was a simple email scam sent to around half of their workforce, at least two of whom clicked on it.  Once that was done it spread itself around the system, infecting all connected machines, and easily jumped to the cloud storage and even the online backup, which was connected to the cloud storage itself.

From then it was a simple but painful exercise which took best part of a week to sort out.  In order to be safe and thorough, all machines were wiped, including the operating systems, and then the OS reinstalled, along with all the applications.  Meanwhile they worked with the cloud storage provider, who was cooperative, to clean up their servers.  The data was then installed from the offline backup.

It was estimated that they lost money well into 6 figures, including fixing the problem, and lost business whilst it was all sorted out.  Trying to get back the 3 days’ worth of data lost, was embarrassing.  But at least they didn’t cave in to extortion as some might have, as we’ll see below.  Luckily there was no indication of a data breach which sometimes accompanies ransomware attacks, so no involvement of the Information Commissioner and the embarrassment of having to contact clients about their personal information.  It could have been worse.

Recommendations asked for by the board included:

  • Cyber Security Awareness training for all staff, including induction and 6 monthly refreshers.
  • Revisit the anti-virus/malware in use to see if there is a better solution for ransomware.
  • Revisit protections for the data itself.  Do they know where it all is?  Can it be audited?  What about encrypting it themselves before anyone else can?  It might not protect against ransomware, but if a data breach happens, it will avoid ICO fines.
  • Revisit the backup routines.
  • Have a solid disaster recovery and business continuity plan to avoid ad hoc and inevitable knee jerk responses.
  • The ransomware code required privileged access to do the real damage.  It got it easily.  Revisit the privileged access management system in place.  Is it up to scratch?
  • Consider annual cyber security health checks.
  • Consider adhering to a standard such as Cyber Essentials or perhaps even ISO27000 series.

Company Two

Company Two was a transportation and storage company which operated from one site, and its core business was transporting and storing produce before it was moved on to the consumer chain, i.e. supermarkets and the like.  As such they had 3 large cold stores which were of course temperature controlled, and any prolonged period without temperature control could cost the business thousands in a relatively short space of time.

The problem was that their security architecture was still based on the old bastion model of having a secure perimeter, protected by firewalls, but once inside there was no segmentation, i.e. once in, the world was your oyster.  The temperature control systems were on the same network as the other IT systems, with nothing separating them.

At this point the same thing happened to them, as happened to Company One.  They received the ransomware message which was even more damaging because it not only encrypted their data, but it knocked out the temperature control systems.  This meant a more sophisticated attack than just embedding malware in an email, the attackers must have gotten into the system and identified a serious weakness that they could exploit.

This wasn’t as difficult as it seemed.  There were several weaknesses in their defences.  First, they had changed broadband provider, but the old broadband connection was still active and connected to their network.  Second, they had security cameras which were remotely maintained.  These cameras were also on the main network and therefore there was a remote backdoor into the system.  There were other weaknesses, but these will do as explanations as to what happened.

As the gravity of the situation dawned on everyone, the decision was made to pay up and prevent a potential disaster in regard to the cold stores.  Understandable I suppose but ultimately not a good solution.  They did get back online within half a day.  So far so good.  But they wanted to make sure that this couldn’t happen again and so they called in some cyber experts to look things over.  What was discovered was quite horrifying.  Firstly, the attackers left a back door into the system which was discovered and closed down.  This would have allowed the attackers easy access to do it all again.  The issue with clicking on a dodgy link was also raised.  But the real problem was that it was discovered that the ransomware attack was used to also disguise the theft of data.  Missing was a considerable amount of financial information, including bank account details not just for them, but for their customers and suppliers, and PII relating to their customers and suppliers, but nothing too damaging other than business email and postal addresses.  Luckily their HR and payroll was outsourced and so they held very little about their staff.  Nevertheless, it was estimated that the cost of this breach would eventually reach 5 figures.

Lessons included very much the same as Company One but with the addition of having a security architecture review with the aim of tightening things up and introducing network segmentation.

Summary

  • Cyber security is a business issue not an IT issue.  It’s the business that suffers, not the IT support. 
  • Cyber Awareness training is the biggest and cheapest quick win that any company can take to protect itself.
  • Make sure your backups are adequate and up to date.
  • Make sure you have a disaster plan to recover from an attack.
  • Make sure you have a business continuity plan to continue working whilst you recover from a disaster.
  • Make sure your privileged access management is adequate.
  • Make sure your anti-malware solution is the best available to protect against modern threats.
  • Don’t be complacent.  Just because your cloud provider is popular, doesn’t necessarily mean it’s up to par.
  • Don’t rely on firewalls alone, the bastion model of security is well out of date now.
  • Consider adhering to a standard such as Cyber Essentials or perhaps even ISO27000 series.

Artificial Intelligence – It’s here to stay

Artificial Intelligence is coming more and more to the front in the news, in just about all spheres of IT, no matter the vertical it serves. 

What exactly is AI?

Artificial intelligence (AI) describes computer systems which can perform tasks usually requiring human intelligence. This could include visual perception, speech recognition or translation between languages.

Of course, that’s not the only description you’ll find if you use your best research tool, Google, but it’s one used by the National Cyber Security Centre, so it’ll do for me.

I’m willing to bet that many of you, most of you, have some form of AI app downloaded on your devices.  ChatGPT is arguably the most popular amongst the general populace but it’s not the only game in town.  These apps are becoming more and more available and popular. ChatGPT is an artificial intelligence chatbot developed by OpenAI, a US tech startup. It’s based on GPT-3, a language model released in 2020 that uses deep learning to produce human-like text.  It has an underlying technology that has been around much longer, but this blog isn’t about the technicalities of AI, but more about how it affects SMEs as they go about their business.

I’ve been arguing that perhaps the biggest potential threat in terms of proliferation, ie the number of attacks waged at a relatively low level, aimed at quick wins in terms of scamming money, is the re-emergence of the script kiddie.  I wrote, some time ago, about how code could be written to be inserted into a Ransomware attack, quite easily, using AI. 

Script Kiddie

A script kiddie was what we called someone of relatively low skill levels who would go online to the dark web, and purchase scripts written by more advanced criminals that they had put up for sale.   The script kiddie would then use these scripts to mount an attack on a company or organisation.  These often failed because the script kiddie wasn’t all that bright, but just occasionally, they were harmful and even devastating.

Another scam, reported in The Washington Post, was an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI spoofing the CEOs voice, attempting to scam money from the company.  This one worked, and the company lost a lot of money.

So why am I bringing this up again so soon?  Well, AI continues to be reported in the news, sometimes with a good result and sometimes not so good.  So, I thought I’d ask ChatGPT what it thought about AI and Cyber Security.  I asked 2 questions; the first was, ‘Is AI a danger in terms of Cybersecurity?’.  The answer came back:

Double Edged Sword

AI can be both a boon and a potential danger in terms of cybersecurity.  On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks.  On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously.  Sophisticated AI-powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale.  It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

So even ChatGPT thinks this is a double-edged sword.  The real problem for my target clientele, the SME space, is that affording AI-powered tools to detect and mitigate threats and analyse large amounts of data will seemingly be too costly for them.  But as many defences use AI themselves now, it’s actually quite affordable.  So, when we are talking about developing robust safeguards, understanding the risks becomes even more vital, if that’s possible, than it ever has been before.  It also brings Zero Trust solutions sharply into focus, and finding such solutions that are affordable is going to become crucial.

The next question I asked was, ‘How do we ensure that AI isn’t a cybersecurity threat?’.  The answer came back:

Key Considerations

Ensuring that AI is not a cybersecurity threat requires a multi-faceted approach. Here are some key considerations:

1. Robust Security Measures: Implement strong security protocols, encryption, and access controls to safeguard AI systems and their underlying data from unauthorized access or manipulation.

2. Rigorous Testing and Validation: Thoroughly test and validate AI algorithms and models to identify and fix vulnerabilities, including potential avenues for cyberattacks, before deployment.

3. Adversarial Testing: Conduct adversarial testing to simulate potential attacks and evaluate the resilience of AI systems against different cybersecurity threats.

4. Data Privacy and Governance: Establish clear policies and practices for data privacy, ensuring that sensitive information is properly handled, stored, and shared in compliance with relevant regulations.

5. Ongoing Monitoring and Updates: Continuously monitor AI systems for potential security risks, promptly address vulnerabilities, and keep software and hardware up to date with the latest security patches.

6. Ethical AI Development: Integrate ethical considerations into the design and deployment of AI systems, emphasizing transparency, fairness, and accountability to mitigate potential biases or unintended consequences.

7. Collaboration and Information Sharing: Foster collaboration among industry, academia, and government entities to share knowledge, best practices, and emerging threats, enabling a collective effort to combat AI-related cybersecurity challenges.

8. Education and Awareness: Promote cybersecurity awareness and provide training to AI developers, users, and stakeholders, emphasizing responsible AI usage and the identification of potential threats.

By following these guidelines and continuously adapting to emerging risks, we can enhance the security of AI systems and minimize the potential for them to be exploited as cybersecurity threats.

Next Steps & Relevance

Again, looking at this from an SME perspective, some of it isn’t relevant; No. 6 for example, as SMEs aren’t going to be developing their own AI solutions.  And much of it I would have come up with on my own, without the aid of a machine.  It would appear that AI uses some common sense, which is nice.  No. 8 for example.  I bang on and on about this.  It is low cost and easy to implement.  It’s staggering how many companies don’t do this.  This list also shows the value of Zero Trust solutions and encryption, which on its own vastly reduces the risk to data, particularly PII (personally identifiable information – UK GDPR).

The argument then is that AI might encourage a proliferation of low level attacks, largely aimed at SMEs who generally have the lowest defences.  Quite low level criminals can utilise AI to carry out attacks that heretofore would have been beyond their skill level.  Common Cyber sense can go a long way to mitigating these attacks.  Technology evolves, attacks evolve, but the basic understanding of threat + vulnerability = risk, has never gone away.  Understand that and you stand a good chance of staying safe.

Phishing

Phishing is today’s leader, a subject which I’m sure you’ve heard a lot about but which is always worth a mention.

Phishing is a term used to describe cyber criminals trying to trick victims into doing something by posing as legitimate organisations or people.  This could be downloading malware disguised as an attachment, clicking on a malicious link, or getting financial details changed.

According to MetaCompliance 91% of all cyber-attacks start with a phishing email which is why it is so important to be aware of the tactics that these super social engineers use.

There are various different types of phishing, which can take place on any of your devices: phone (and it doesn’t have to be a smartphone), tablet, laptop or desktop.  A number of terms are used to describe these methods.  Phishing is generally used to describe attacks via email, whilst Vishing is used to describe attacks via the phone and Smishing via text message.

Apart from those general terms we also have more specific ones:

  • Spear phishing – this is where publicly available information is used to make the messages appear more believable. Data breaches are a great source of this information as the details released are those which you would expect to be kept secret. For instance, if you received an email with your username and password in, you are likely to believe it.
  • Whaling – this is like spear phishing in that it is very targeted but this time the criminals are either targeting senior leaders of the company (in the hopes that compromising their accounts will enable a higher level of authority and access to sensitive data) or will impersonate a senior leader to get an action to come about (such as sending a high value payment).
  • Angler phishing – this is where cyber criminals use notifications or direct messaging within social media applications to entice someone to act, clicking a link for example.
  • Pop-up phishing – this is where criminals place malicious code in the small notification boxes, called pop-ups.  They can also use a web browser’s notifications feature, so when you visit a website and the pop-up says that the website wants to show notifications, clicking the “allow” button downloads malicious code.

What you really want to know is how do you spot a phishing attack and what should you do about it? Criminals are getting more sophisticated in the campaigns that they are operating, and it can be very difficult to detect some of these, but there are a few things that might help you to spot a phish.  Below are some ploys in general use:

  • Urgency – “this has to be done NOW!”
  • Authority – from CEO / senior member of staff – but is it their style, or an unusual request?
  • Mimicry – impersonation of a trusted individual or organisation
  • Curiosity – “OMG! Have you seen this?”

You can also look out for:

  • Grammar and spelling – does it make sense, is it addressed to you or to “recipient”?
  • Email address – look at the full email address rather than just the first name that you recognise.
  • Hypertext – review the URL before clicking, ensuring you look at the whole of the URL.
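The two mechanical checks in that list, looking at the full sender address rather than the display name and looking at the whole URL behind a link, plus the urgency ploy from the list above, can be scripted.  The following is an added example, not code from the original newsletter, that runs those heuristics over a raw email.  The sample messages, names and domains in it are constructed for illustration; nothing in it is a real address.

```python
"""Heuristic phishing indicators for a raw email message (added example, not
from the original newsletter). Implements three of the checks listed above:
sender display name vs. actual address, visible link text vs. real link
target, and urgency / pressure language. All sample data is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("now", "immediately", "urgent", "within the hour", "asap")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude comparison key: last two labels (portal.acme-corp.example -> acme-corp.example)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the raw RFC 5322 message text."""
    msg = message_from_string(raw_message)
    indicators = []

    # 1. "Look at the full email rather than just the name you recognise":
    #    a display name that itself looks like an address on a different domain.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    claimed = re.search(r"@([\w.-]+)", display_name)
    if claimed and _registrable(claimed.group(1)) != _registrable(sender_domain):
        indicators.append(f"display name claims {claimed.group(1)} but sender domain is {sender_domain}")

    # Reply-To on a different domain from the sender is a classic mismatch.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to:
        reply_domain = reply_to.rsplit("@", 1)[-1]
        if _registrable(reply_domain) != _registrable(sender_domain):
            indicators.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    # 2. "Review the URL before clicking": visible link text that names one host
    #    while the href actually points at another.
    body = (msg.get_payload(decode=True) or b"").decode(msg.get_content_charset() or "utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if not re.fullmatch(r"(https?://)?[\w.-]+(/\S*)?", text):
            continue  # link text is plain words ("click here"), nothing to compare
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(text if "://" in text else f"https://{text}").hostname or ""
        if shown_host and _registrable(shown_host) != _registrable(real_host):
            indicators.append(f"link text shows {shown_host} but points at {real_host}")

    # 3. "Urgency: this has to be done NOW!" -- pressure words in subject or body.
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if re.search(rf"\b{re.escape(p)}\b", text)]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))
    return indicators


# Constructed sample messages (all addresses and domains are made up).
PHISH_SAMPLE = """From: "fd@acme-corp.example" <fd@acme-c0rp-mail.example>
Reply-To: payments@freemail-provider.example
Subject: Urgent: supplier payment must go out NOW
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear recipient,</p>
<p>Please log in at <a href="http://acme-corp.example.login-portal-check.example/verify">https://portal.acme-corp.example</a>
and approve the attached invoice immediately.</p></body></html>
"""

CLEAN_SAMPLE = """From: Jane Smith <jane.smith@acme-corp.example>
Subject: Minutes from Tuesday
Content-Type: text/html; charset="utf-8"

<html><body><p>Minutes are on the intranet: <a href="https://intranet.acme-corp.example/minutes">intranet.acme-corp.example/minutes</a></p></body></html>
"""

if __name__ == "__main__":
    for line in phishing_indicators(PHISH_SAMPLE):
        print("-", line)
```

Run as a script it prints four indicators for the constructed phish and none for the clean message.  The domain comparison is deliberately crude (last two labels), so treat a hit as a prompt for a human to look, not as a verdict; it is the same judgement the list above asks staff to make, just applied consistently.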

What should you do? 

Report it – If you think you have received a phishing email, then you need to report it. Your business should have a policy about this, and your staff should understand what they need to do, whether they have fallen victim or just received it. Your staff can be a huge asset in protecting your company against phishing attacks so empower them to question the communications they receive from everyone.

The NCSC has an add-in which you can use in business versions of Outlook to report phishing emails directly to them so that they can investigate and potentially remove the threat. This could also help to keep phishing in mind when staff receive an email, like a little nudge.  It’s free and should be a no brainer.

Next, we thought we’d take a look at some specific industries, and we have picked on Estate Agents to go first, although arguably much of this could equally apply to several service industries including financial advisors and solicitors.

Estate Agents hold large amounts of personal data, much of which is financial and therefore has to be held for 7 years, and this makes them vulnerable to data breaches (which of course applies to many other sectors).  The data held will pertain to the purchase and/or sale of property.  This will require details of payments, confidential client IDs, bank account details and the like.  Nothing surprising there.  I’m sure many hold this data securely and maybe even encrypt it.  But they also upload such data to 3rd party sites to market properties, sometimes more than one, and that’s when human error can creep in.  Internal mistakes are the biggest single cause of data breaches, and whilst malicious activity from cyber criminals is a reality, it falls somewhat behind the internal breach.

The Data Protection Act 2018 may be a subject to drive you into a coma. However it’s a really important subject that you need to have a good working understanding of. Why, I hear you ask? It’s all about that GDPR stuff isn’t it, not a problem now that we’ve left the EU. And even if there is a law, Data Protection doesn’t really affect us smaller organisations, it’s something the big companies have a problem with but we’re OK. Aren’t we? Well no, you’re not. Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’.

All organisations, regardless of size, must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

This can become a really big financial issue.  Rarely if ever is a single person’s record lost; it’s nearly always multiple records.  There are now law firms offering no win no fee deals for people wanting to sue following a disclosure of personal data, and that’s on top of any fine you might expect from the ICO.

I’ll never get tired of pushing security awareness training, of having solid processes and policies which are rolled out and that staff are fully aware of. That will sort out much of the potential for data breaches. There are of course other issues but the basic principle of understanding the risks you face and targeting your spend and resources on those specific risks, hasn’t changed since the proliferation of IT started 30 years ago.

Supply Chain Security, Spear Phishing and Remote Working

Reports on Cyber trends abound, and you could be forgiven for thinking that they are often produced by organisations trying to sell you something.  And I might be tempted to agree.  Am I any different?  Well, I’ll leave you to judge, but I do think that it is very important to educate, and not just sell, into the SME market.  I’ve said many times before that the SME market has been badly served by the Cyber security industry, in that it tends to get ignored.  However, that doesn’t mean that they are any less at risk, or any less important to the UK economy.  Quite the reverse.  I do read several reports about cyber trends, and if I think they are of use, then I do pass them on via this newsletter.  I have read one recently which I think is worth passing on.  It highlights 3 different scenarios, all of which I have blogged about in the past.  They are, in no particular order, supply chain attacks, spear phishing and attacks against hybrid workers.  These are clearly not exhaustive, but they are relevant to SMEs.

An often forgotten element of Cyber security lies within a company’s supply chain.  Manufacturers for instance, often use what is known as ‘just in time supply’, i.e., they have an electronic connection to their key suppliers who are connected to the company’s inventory, and automatically resupply when an item runs low.  It’s efficient and prevents the holding of unnecessary stock.  But it can, if not done correctly, drive a coach and horses through your security.

In short, a supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain.

Small to medium enterprises are at greatest risk from cyber security threats, and their vulnerability in turn poses a danger to the major corporations that they do business with.  Why, well the problem with small to medium sized enterprises is that they are in the unique position of having disproportionate access to important information. They are often mission critical suppliers that produce niche products, and they generally have the weakest cybersecurity arrangements in terms of size, resources, and expertise. They open up large clients to leapfrog cyber security attacks.

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation, or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.

Spear phishing is a more targeted cyber-attack than phishing. Emails are personalized to the intended victim. For example, the attacker may identify with a cause, impersonate someone the recipient knows, or use other social engineering techniques to gain the victim’s trust.  In other words, this is what might be referred to more as a scam than a cyber-attack, but it is no less illegal.

The common characteristics of spear phishing emails are not unlike traditional phishing scams:

  • The email uses email spoofing to masquerade as a trusted person or domain. …
  • Social engineering is employed to create a sense of urgency to exploit the victim’s desire to be helpful to a friend or colleague.

Hybrid working has been the subject of several of my blogs and newsletters of late.  We are all now seeing the ‘new normal’ and are embracing it to some extent.  There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are planning to adopt a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.

As organisations of all sizes begin the decision making process which allows them to seriously consider the recalibration of their operating model to adapt to the new normal, then there is a real need to re-evaluate their cyber security stance, involving policies, processes, people training and technical defences.

Cyber criminals have used this shift in working patterns to their advantage and their attacks have increased hugely, across the globe.  Working from home has increased the footprint of IT operations whilst weakening its defences and the scope for cyber criminals to develop new attack methods, new scams, and to generally increase their revenue, exponentially.

Cyber-attacks and data breaches tend to only hit the headlines when it’s a large company involved.  However, SMEs are hit every day, but for somewhat smaller sums of money, and there is an argument that often these attacks go unreported to protect reputations, and even go undiscovered for long periods of time.  Data breaches do get reported because of the requirement to make such a report to the Information Commissioner’s Office, but even then, actions taken by the ICO often fly under the radar.  For instance, this year alone there have been over 40 fines by the ICO, many to companies categorised as SME.  A finance company was fined £48k and a solicitor was fined £98k.  You can research all of this on Google if you want confirmation.

A bit more on Ransomware, at the risk of over emphasising it, not that I think you can.

According to the NCSC, responsible for cyber security in the UK, ransomware continues to be a clear and present danger to UK companies, both at the Enterprise and SME level. It has now become the most significant cyber threat facing the UK, with the impact of an attack on critical national infrastructure stated in the UK National Cyber Strategy 2022 as potentially as harmful as state-sponsored espionage. There remains a pervasive opinion within SME management, that ransomware only affects the big companies, that SMEs are just too small to provide a level of reward that cyber criminals are looking for. I also said that there was evidence that when an SME gets hit, the amount asked for is quite small, from around £500 to £1000, and therefore many SMEs simply pay up. There is of course a real danger there because often their data has already been stolen, and sometimes the criminal doesn’t release the data back to the company, leaving the SME not only out of pocket, but unable to continue with business.

How much better if you can avoid getting hit in the first place.  Here I list some ways that you could perhaps use to avoid the problem.

  1. Arguably, the biggest and most effective step an SME can take is Cyber Awareness Training for staff. It is simply a fact that 90% of data breaches are caused by human error.  It is very unlikely that an employee will do something deliberately to damage your business.  But humans are fallible and, if they haven’t had any awareness training, they simply don’t know what they shouldn’t be doing.  Cyber security awareness training remains the most significant step you can take in this regard.  You can’t expect your staff to help you avoid cyber security attacks if they don’t know what they are looking for.  Cyber security is NOT an IT issue, it’s very much a business issue and responsibility lies with everyone in the business.  Clearly this training needs to be part of an overall strategy, which again need not be complex or onerous.  Most successful strategies follow the KISS principle – Keep It Simple Stupid.
  2. The next reasonably low-cost thing that ties in with Cyber Awareness Training and a security strategy is robust, well thought out policies and procedures, that have been rolled out across the work force and are monitored to ensure they remain relevant and that they are understood by all. Giving an employee the means to check what they should do if they suspect there is something nefarious going on, is simply giving them support, it is not there to catch them out or to use as a stick against them.  Many SMEs don’t have any such policies in place and many others have downloaded specimens from the internet, topped and tailed them and expect them to be enough, which they very rarely are.
  3. Next think about your backup strategy. Even when you are using a cloud-based provider, that doesn’t necessarily mean that your data is secure, although many providers would disagree, at least in their advertising.  How much better to have a strategy whereby your data is backed up overnight to a magnetic media storage point, which can be taken off line and stored in secure storage.  If you do that, then if you are subject to an attack and your data is locked up, you can have some or all workstations wiped and reloaded, and then have data restored from the tape, all of which would not take most SMEs off line for more than a day.  You then have a breathing space to sort everything out in the longer term.
  4. Email remains the top attack vector for many attacks, and this is one of them. There are many products on the market that will tell you that they will block as many malicious emails as possible, and many of these are very good at what they do.  For an SME, it will nearly always come down to a matter of cost, and some of these products are more expensive than others.  Unfortunately, there are still a considerable number of SMEs out there either using the cheapest anti-malware product they could find, or even a free product.  You get what you pay for, and if it’s free, you’ve got a problem.  Any product you choose to use must be mitigating an identified risk.  If a risk hasn’t been properly identified and a product selected that covers that risk off, as well as it can be covered off, then you’ve quite possibly wasted your money.

There is a product on the market from a company called Platinum-HIT, which takes a very innovative approach to this.  Quite simply it blocks any executable not on your whitelist from running.  It takes a free 30 day evaluation for it to profile your network and build a list of executables that are in use daily by users.  So those that run your applications, email etc etc, and produces that list for human inspection.  Once agreed, that becomes your whitelist.  It’s extremely effective and so far, we haven’t found another product that takes this approach in blocking all forms of malware, including ransomware.

The overall message I would like to put across to all SMEs is that you are just as vulnerable as anyone else to this, and many other, attacks.  Have you identified your risks?  Have you identified ways to mitigate those risks, enabling you to maximise your defensive spend?  Or have you just bought into an argument that says that you have a firewall and some anti-virus, you’re using a cloud provider, and you’re therefore covered?  I’d welcome the opportunity to have that debate with you.
