SASIG warns cyber security profession to meet growing social media threat

The Security Awareness Special Interest Group (SASIG) is calling on cyber security professionals to strengthen procedures surrounding the use of social media. The warning about the growing threat posed by social media to the integrity of data and network security emerged during this week’s conference entitled ‘Cyber Security: The Implications of Social Media’ that was organised by SASIG in conjunction with The University of Surrey.

The audience of cyber security specialists explored the implications of the far-reaching change brought about by social media and how people interact on different platforms such as Facebook, Instagram, YouTube, Twitter, WeChat and others, highlighting the consequences of casual Internet surfing and posting.

Martin Smith MBE, founder and chairman of SASIG, informed upwards of 200 delegates that social media networks have become one of the biggest gateways for cyber criminals targeting individuals and businesses to gain access to sensitive information and data networks.

Smith stated: “Social media activity has boomed during the last decade and is now an integral part of communications for commercial and personal users. It creates many challenges for both business and personal use and can expose users to unintended risks.”

He continued: “Social media and Internet users often give up a considerable amount of personal data. However, if such information falls into cyber criminals’ hands, they can easily build a profile that gives them the capability to access sensitive personal and financial information.”

Further, Smith observed: “The new Online Safety Bill could prove to be a vital tool in the challenge to tackle the criminal gangs who target unsuspecting individuals and businesses. We strongly recommend that all organisations should take steps to strengthen their cyber security systems against attacks via social channels. Using a combination of education about threats and introducing stringent protocols can protect against misuse.”

Cyber Security Skills Festival

Career opportunities, skills and resources that protect commerce, industry and public services from cyber attacks will feature at the third annual Cyber Security Skills Festival being organised by SASIG in partnership with the UK Cyber Security Council. The event runs on Tuesday 22 February. 

Established back in 2004, SASIG is a peer networking forum for cyber security professionals who represent hundreds of organisations of all sizes here in the UK and emanate from both the public and private sectors.

SASIG boasts more than 6,000 members including Chief Information Security Officers and other decision-makers and influencers with responsibility for information security, as well as academics and Government agencies.

Annually, SASIG curates more than 150 information webinars and in-person events covering topical cyber security issues impacting business, commerce, Government agencies and other public sector organisations.

*Further information is available online at www.thesasig.com 

Hackers impersonate Marks and Spencer CEO Steve Rowe in £35 ‘free’ gift voucher scam

Cyber criminals have launched an audacious online scam designed to trick Marks and Spencer (M&S) customers into handing over confidential data by attempting to impersonate the famous High Street retailer’s CEO Steve Rowe.

The fraudulent adverts, uncovered by the Parliament Street Think Tank’s cyber research team, were launched via social networking site Facebook from an unverified page entitled ‘Marks and Spencer Store’.

Users have been bombarded with adverts showing a man (who’s not Steve Rowe) holding M&S-branded bags accompanied by the message: “Hello everyone. My name is Steve Rowe and I’m the CEO of Marks and Spencer. I’ve an announcement to make. To celebrate our 135th Anniversary, we’re giving EVERYONE who shares and then comments by 11.59 pm tonight one of these mystery bags containing a £35 M&S voucher plus goodies! Make sure you enter here [URL].”

The fake URL takes unsuspecting users to an M&S-branded portal where they’re asked for their name, address, mobile phone number and bank details including sort code and account number in order to ‘enter’ the prize draw.

Around 150 members of the public had identified and reported the scam, which was flagged to consumer groups and raised as an issue on social media.

In a statement, Marks and Spencer commented: “We have been made aware of this advert and it isn’t genuine. Our colleagues are investigating further.”

Expert observations

Cyber security expert Andy Heather, vice-president of Centrify, observed: “With more people than ever committed to online retail shopping due to COVID-19, it’s likely that we’ll see a surge of ‘exclusive’ or ‘one-time only’ deals pop up on social media, via e-mail and through SMS messages over the course of the next few months up until Christmas. Unfortunately, many of these sales and deals, much like this M&S one, will be a scam designed to steal confidential data, such as payment details or log-in credentials.”

Heather continued: “If people may have already fallen victim to a scam of this nature, it’s essential that they take proactive measures to stop these scammers in their tracks. This requires individuals to report these scams to the impersonated brand, freeze bank accounts and change log-in details. It’s very common for attackers to hold on to stolen log-in credentials for months after an attack, waiting for the victim to drop their guard before re-breaking in to other accounts protected by the same password.”

Tim Sadler, CEO at Tessian, explained: “Phishing scams don’t just reside in your Inbox. Hackers are increasingly using social media as another hunting ground for their victims. With the lure of a prize giveaway, cyber criminals are hoping that people will click the URL link to ‘enter’ the competition. Those that do click are led to a malicious website that prompts them to enter valuable personal information and credit card details.”

Sadler concluded: “As we head into the busy pre-Christmas shopping season, we can only expect to see more of these types of ‘sale’ scams emerge online. Treat these posts just like you would any phishing e-mail. Ask yourself if this deal seems legitimate and verify the identity of the person requesting you to take action before clicking on any links. In this instance, the scammers have used a picture of someone who isn’t the CEO of M&S. If you’re still unsure, visit the retailer’s website and official social media channels to cross-check that the deal has been mentioned elsewhere.”

96% of UK organisations experience at least one business-impacting cyber attack in past 12 months

Tenable Inc, the cyber exposure company, has published the results of a global industry study of business and security executives that reveals the majority of UK organisations (96% of those surveyed, in fact) have experienced a business-impacting cyber attack in the past 12 months.

The data is drawn from ‘The Rise of the Business-Aligned Security Executive’, a commissioned study of more than 800 global business and cyber security leaders, including 103 respondents from the UK. The survey was conducted by Forrester Consulting on behalf of Tenable.

As cyber criminals continue their relentless attacks, 63% of respondents in the UK have witnessed a dramatic increase in the number of business-impacting cyber episodes over the past two years. Unfortunately, these attacks had damaging effects, with organisations reporting loss of employee data (44%), financial loss or theft (36%) and customer attrition (34%). Some 65% of security leaders in the UK say these attacks also involved operational technology.

Business leaders want a clear picture of how at risk they are and how that risk is changing as they plan and execute business strategies. Only four out of every ten local security leaders say they can answer the fundamental question: “How secure, or at risk, are we?” with a high level of confidence, despite the prevalence of business-impacting cyber attacks.

Global respondents

Looking at global respondents, fewer than 50% of security leaders said they are framing cyber security threats within the context of a specific business risk. For example, although 96% of respondents had developed response strategies to the COVID-19 pandemic, 75% of business and security leaders admitted their response strategies were only “somewhat” aligned.

Organisations with security and business leaders who are aligned in measuring and managing cyber security as a strategic business risk deliver demonstrable results. Compared to their siloed peers, business-aligned security leaders are:

*Eight times more likely to be highly confident in their ability to report on their organisations’ level of security or risk

*90% are very or completely confident in their ability to demonstrate that cyber security investments are positively impacting business performance compared with 55% of their siloed counterparts

85% have metrics to track cyber security RoI and impact on business performance versus just 25% of their siloed peers

Business-aligned leaders

Those organisations with business-aligned cyber security leaders are also:

*Three times more likely to ensure cyber security objectives are in lock step with business priorities

*Three times more likely to have an holistic understanding of their organisation’s entire attack surface

Three times more likely to use a combination of asset criticality and vulnerability data when prioritising remediation efforts

“In the future, there will be two kinds of CISO — those who align themselves directly with the business and everyone else,” said Renaud Deraison, CTO and co-founder at Tenable. “The only way to thrive in this era of digital acceleration is to bring cyber into every business question, decision and investment. We firmly believe this particular study shows that forward-leaning organisations view cyber security strategy as essential to innovation and that, when security and the business work hand-in-glove, the results can be transformational.”

NATO selects BlackBerry’s encrypted voice technology for secure calls

The NATO Communications and Information (NCI) Agency has awarded a contract for BlackBerry’s SecuSUITE for Government to encrypt the conversations of its technology and cyber leaders wherever they communicate – in the workplace, at home or when travelling abroad.

The NCI Agency helps NATO’s 29 Member Nations communicate securely and work together in smarter ways. It acquires, deploys and defends communication systems for NATO’s political decision-makers and Command Centres, working on the front lines against cyber attacks. Due to the classified nature of the information the NCI Agency handles, it’s critical that all communications remain secure, combating any opportunity for a cyber criminal to electronically eavesdrop on conversations.

“As cyber criminals and state-sponsored actors become increasingly more sophisticated, we needed a highly secure way for our cyber leaders to have phone conversations with people inside and outside of our organisation regardless of where they are in the world,” said Kevin Scheid, general manager of the NCI Agency. “BlackBerry’s voice encryption technology helps solve this challenge and strengthens our elite cyber defence strategy.”

Dr Christoph Erdmann, senior vice-president of BlackBerry SecuSMART at BlackBerry, responded: “Eavesdropping on calls is one of the easiest ways to gain access to private information. We’re extremely proud that the NCI Agency, a world leader in the development and use of technology that keeps NATO nations secure, has put its trust in BlackBerry’s software to secure voice communication. No matter the operating system or ‘thing’ used to communicate, BlackBerry’s arsenal of cyber security technology ensures that our customers’ data remains private.”

BlackBerry’s SecuSUITE for Government supports Android and iOS smart phones and tablets, and can be can be installed on-premise, in a Data Centre or in the cloud.

Use cases for the solution include: 

*Secure conferencing: Encrypts conversations between a secure conference bridge and a SecuSUITE for Government-enabled devices

*Secure landing: Encrypts mobile devices to a landline within a network

*Break-in: Protects any communication between a mobile or landline on the user’s home network to a SecuSUITE for Government-enabled mobile device

*Break-out: Secures mobile devices to the employee’s home network and from there to external mobile or landlines through PSTN extension

SecuSUITE for Government has been evaluated and certified to be compliant with the Common Criteria protection profile for VoIP applications and SIP servers. It has also earned a NIAP certification and has been placed on the NSA Commercial Solutions for Classified Program component list of products certified for use on classified systems.

*For more information on BlackBerry’s SecuSUITE for Government visit blackberry.com/government

UK’s SMBs battling average of five cyber attacks per annum

Small and medium-sized businesses (SMBs) in the UK have faced up to an average of five cyber attacks in the last 12 months. That’s according to research commissioned by online encryption specialists Appstractor Corporation that highlights the growing threat such businesses face from online criminals.

A significant number of IT decision-makers in these SMBs believe they’re being put at greater risk of attack because their security software isn’t keeping pace with the sophisticated nature of the attacks with which they’re confronted.

According to the new independent report entitled ‘Under Attack: Assessing the Struggle of UK SMBs Against Cyber Criminals’. some businesses (19%, in fact) faced as many as ten attacks in the last year. IT bosses who took part in the research survey suggested that one of the major causes for concern for SMBs in the UK is that security and encryption software is aimed at individual consumers or large corporations and Governments, meaning that they cannot be deployed effectively in a small business environment.

In fact, only 44% of IT decision-makers in SMBs believe that they’re able to properly protect themselves against cyber criminals using current software and systems when compared to the ability of large businesses to protect themselves.

A third believe that the UKs small business community – which makes up 99% of businesses, according to the Federation of Small Businesses – is being “forgotten about” and placed at a higher level of risk when compared to their larger counterparts.

When it comes to the level of threat faced by these smaller companies, Appstractor Corporation’s research found that 17% of companies faced at least one attack in the last year, 28% were attacked two or three times, 32% faced four or five attacks and 19% were attacked between six and ten times.

A small proportion of companies – 2% – said that their company had been targeted up to 20 times in the last 12 months.

Commenting on the report, Paul Rosenthal (CEO and founder of Appstractor Corporation) agreed that current solutions were not up to scratch. but also said that some SMBs were making themselves an easy target for criminals.

“It’s the case that SMBs are at a disadvantage in the cyber security arms race because software and platforms are not being effectively designed for them, so they have to shoehorn consumer or large enterprise-grade solutions into their company which don’t work in small businesses. IT managers and small business owners need to rid themselves of their current ideas that they are too small to be targeted and so don’t have to worry about security and encryption software. The reality is that small businesses are being targeted by criminals more than ever before. Techniques like automated mass targeting are putting them at a serious and present risk of attack.”

*To access the full report click here

‘Technology at the Edge’: Axis Communications unveils Top Five Trends to shape 2018

Surveillance specialist Axis Communications’ CTO Johan Paulsson has outlined the Top Five Trends that the company feels will shape the New Year. 

Paulsson stated: “As the Greek philosopher Heraclitus said: ‘The only one constant in life is change’. There’s perhaps no better example of this than the technology industry, where innovation is so rapid that even the most fantastic of imagined futures seem like they could become a reality in the not too distant future.”

Axis Communications has put together five top technology trends that the Lund-based business feels will have a great impact on the security and surveillance industry now and in the years to come, helping to facilitate a smarter and, of course, safer world.

Johan Paulsson: CTO at Axis Communications

(1) A move towards the edge

“Two of the greatest trends that have propelled our industry forward in recent years,” observed Paulsson, “are cloud computing and the Internet of Things (IoT), both of which are delivering undeniable benefits to businesses and consumers alike. That said, they also come with implications, namely the rise in the amount of data being transferred, processed and stored. Going forward, we anticipate that ‘edge’ computing will become ever popular, alleviating this issue by performing data processing at the ‘edge’ of the network, closer to the source of the data. Doing so significantly reduces the bandwidth needed between sensors, devices and the Data Centre.”

(2) Cloud-to-Cloud

Paulsson observed: “Despite the move towards edge computing, the cloud will continue to play a significant role in IT infrastructures. As an increasing number of companies offer cloud-based services, the cloud ecosystem is increasingly becoming the preferred point of integration, rather than the traditional on-premise system. One benefit of integration between clouds is the significant potential reduction of in-house IT services required, in turn creating great cost benefits.”

(3) Deep and machine learning

According to Paulsson: “We’ve now reached a stage where the full benefits of deep learning architectures and machine learning can begin to be realised. The explosion of data available to analyse is helping businesses become increasingly intelligent. As applications develop, there are significant opportunities for predictive analytics which could facilitate incident prevention: from terrorist incidents to slip and fall accidents; from traffic issues to shoplifting and even the tragedy of rail suicides.”

(4) Cyber security

“Once again,” outlined Paulsson, “cyber security must appear on the list of trends for the next 12 months and beyond. The constant enhancement of cyber security will be a never-ending task. This is because well-resourced cyber criminals will never stop looking to exploit vulnerabilities in any new technology. As the number of connected devices grows, so too do the potential flaws that, if left unaddressed, could provide the opportunity for networks to be breached.”

Embellishing this theme, Paulsson said: “Legislation is being created to address these concerns. In the European Union, the forthcoming General Data Protection Regulation – the deadline for compliance for this being 25 May – will unify the protection of data for individuals within the EU, wherever that data is held or used.”

(5) Platforms to realise the full benefits of the IoT

In conclusion, Paulsson informed Risk UK: “The IoT has reached a point where it’s crucial to use scalable architecture to successfully collect and analyse data and manage the network of connected devices. Such an IoT platform allows equipment from different node vendors to co-exist and easily exchange information to form smart systems using existing network infrastructure. There are numerous companies, both well-established providers of technology and new market entrants, that are enabling platforms to support IoT devices. The next 12 months will see further maturation of this process.”

*Read more: https://www.axis.com/blog/secure-insights/technology-trends/

Ransomware attacks cause one fifth of infected SMEs to cease business operations immediately

More than one third of businesses have experienced a ransomware attack in the last year, while over one-in-five (22%) of these impacted companies had to cease operations immediately. That’s according to a study conducted by Malwarebytes.

The Annual State of Ransomware Report finds that the impact of ransomware on SMEs can be devastating. For roughly one-in-six of impacted organisations, a ransomware infection caused 25 or more hours of downtime, with some companies reporting that it caused systems to be down for more than 100 hours.

Further, among SMEs that experienced a ransomware attack, one-in-five (22%) reported that they had to cease business operations immediately, while 15% lost revenue.

“Businesses of all sizes are increasingly at risk of ransomware attacks,” said Marcin Kleczynski, CEO at Malwarebytes. “However, the stakes of a single attack for a small business are far different than those for a large enterprise. The findings demonstrate that some SMEs are suffering in the wake of attacks to the point where they must cease business operations. To make matters worse, most of them lack the confidence in their ability to stop an attack, despite significant investments in defensive technologies. To be effective, the security community must thoroughly understand the battles that these companies are facing such that we can better protect them.”

Most organisations make addressing ransomware a high priority, but still lack confidence in their ability to deal with it. 75% of those organisations surveyed place a high or very high priority on addressing the ransomware problem. Despite these investments, nearly 50% of the companies questioned expressed little to only moderate confidence in their ability to stop a ransomware attack.

For many, the source of ransomware is unknown and infections spread quickly. For 27% of organisations that suffered a ransomware infection, decision-makers couldn’t identify how the endpoint(s) became infected. Further, more than one third of ransomware infections spread to other devices. For 2% of the organisations surveyed, the ransomware infection impacted every device on the network.

SMEs in the US are being hit harder by malicious e-mails containing ransomware than SMEs in Europe. The most common source of ransomware infections in US-based organisations is related to e-mail use. 37% of attacks on SMEs in the US were reported as coming from a malicious e-mail attachment and 27% from a malicious link in an e-mail. However, in Europe, only 22% of attacks were reported as originating from a malicious e-mail attachment. An equal number were reported as having emanated from a malicious link in an e-mail.

Most SMEs don’t believe in paying ransomware demands. 72% of respondents believe that ransomware demands should never be paid. Most of the remaining organisations believe that demands should only be paid if the encrypted data is of value to the organisation. Among organisations that chose not to pay cyber criminals’ ransom demands, about one third of them lost files as a result.

Current investments in technology might not be enough. Over a third of SMEs claim to have been running anti-ransomware technologies, while about one third of businesses surveyed still experienced a ransomware attack.

“It’s clear from these findings that there’s widespread awareness of the threat of ransomware among businesses, but many organisations are not yet confident in their ability to deal with it,” said Adam Kujawa, director of malware intelligence at Malwarebytes. “Companies of all sizes need to remain vigilant and continue to place a higher priority on protecting themselves against ransomware.”

London Digital Security Centre and Oxford University pool resources to develop White Paper on Digital Security for SMEs

Oxford University, in association with the London Digital Security Centre (LDSC), will be looking at the challenges faced by SMEs and their importance to the economy as a supply chain link to larger companies and Government in order to produce an academic White Paper entitled ‘Developing Security Education and Awareness Programmes for SMEs’ for publication this coming November.

The White Paper will provide an overall review of the LDSC’s approach and effectiveness on security education for SMEs. This work will provide recommendations for assessing the effectiveness of such programmes in future and the LDSC’s specifically.

Providing education and training for this sector is crucial in order to ensure that cyber security capacity measures (such as ‘10 Steps to Cyber Security – Cyber Essentials’) are actually implemented. This White paper will explore current offerings on cyber security education and training for SMEs and identify the existing gaps.

Drafted by Dr Maria Bada and Dr Jason Nurse, the authors have already published similar work on the effectiveness of cyber security awareness raising. This new White Paper will build on previous knowledge and expertise using interviews and focus groups to collect information.

Dr Bada commented: “Our aim is to review the London Digital Security Centre’s approach to security education for SMEs and the motivation for this initiative. We will critically reflect on the effectiveness of the LDSC’s approach thus far. Our methodology is based on qualitative and quantitative data.”

The LDSC has already recognised the challenges that SMEs face when it comes to cyber security and is helping businesses to embrace digital innovations and operate in a secure online environment such that they protect themselves against cyber criminals.

John Unsworth, CEO at the LDSC, concluded: “Our role is to help improve the security posture of SMEs operating in London. It’s vital we understand their motivation and the issues they face to ensure the training and advice we give is implemented. This is particularly important given that over 1,000 SMEs in London report a digital crime to Action Fraud every month.”

Cyber criminals “exploiting human weaknesses” to make their gains

Cyber attackers are relying more than ever on exploiting people instead of software flaws to install malware, steal credentials or confidential information and transfer funds. A study by Proofpoint found that more than 90% of malicious e-mail messages featuring nefarious URLs led users to credential phishing pages, while almost all (99%) email-based financial fraud attacks relied on human clicks rather than automated exploits to install malware.

The Human Factor Report found that business e-mail compromise (BEC) attack message volumes rose from 1% in 2015 to 42% by the end of 2016 relative to e-mails bearing banking Trojans. BEC attacks, which have cost organisations more than $5 billion worldwide, use malware-free messages to trick recipients into sending confidential information or funds to cyber criminals.

BEC is now the fastest-growing category of email-based attacks.

“Accelerating a shift that began in 2015, cyber criminals are aggressively using attacks that depend on clicks by humans rather than vulnerable software exploits, tricking victims into carrying out the attack themselves,” said Kevin Epstein, vice-president of Proofpoint’s Threat Operations Centre.

“It’s critical for organisations to deploy advanced protection that stops attackers before they have a chance to reach potential victims. The earlier in the attack chain you can detect malicious content, the easier it is to block, contain and resolve.”

Nearly 90% of clicks on malicious URLs occur within the first 24 hours of delivery, with 25% of those clicks occurring in just ten minutes and nearly 50% within an hour. The median time-to-click (the time between arrival and click) is shortest during business hours from 8.00 am to 3.00 pm EDT in the US and Canada, a pattern that generally holds for the UK and Europe as well.

Watch your inbox closely on Thursdays. Malicious e-mail attachment message volume spikes more than 38% on Thursdays over the average weekday volume. Ransomware attackers in particular favour sending malicious messages from Tuesday through until Thursday. On the other hand, Wednesday is the peak day for banking Trojans. Point-of-Sale campaigns are sent almost exclusively on Thursday and Friday, while keyloggers and backdoors favour Mondays.

Attackers understand e-mail habits and send most e-mail messages in the four-to-five hours after the start of the business day, peaking around lunchtime. Users in the US, Canada and Australia tend to do most of their clicking during this time period, while French clicking peaks around 1.00 pm.

Swiss and German users don’t wait for lunch to click. Their clicks peak in the first hours of the working day.

UK workers pace their clicking evenly over the course of the day, with a clear drop in activity after 2.00 pm.

“Watering hole-style cyber attacks on the rise” warns High-Tech Bridge

On Sunday 12 February, security firm Symantec released an analysis of a new wave of attacks that has been underway since at least October 2016 and came to light when a bank in Poland discovered previously unknown malware running on a number of its computers.

The bank then shared indicators of compromise with other institutions and a number of those other organisations confirmed that they too had been compromised.

These ‘watering hole’ attacks attempted to infect more than 100 organisations in 31 different countries.

Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico have been blocked, 11 against computers in Uruguay and two against computers in Poland.

Preliminary investigations suggested that the starting point for the Polish infection could have been located on the web server of Poland’s financial sector regulatory body, namely the Polish Financial Supervision Authority (www.knf.gov.pl).

Commenting on this news, Ilia Kolochenko (CEO of High-Tech Bridge) said: “We should expect that cyber criminals will find more creative and reliable ways to compromise their victims. Trustworthy websites, such as governmental ones, represent great value for cyber criminals, even if they don’t host any sensitive or confidential data.”

Kolochenko continued: “In the past, hackers used one-off or garbage websites to host malware, but as corporate users become more educated and vigilant, attackers need to find more reliable avenues to deliver malware and enter corporate networks. That’s why Gartner, as well as other independent research companies, continuously say that the risk posed to corporate web applications is very high and seriously underestimated. Spear phishing and watering hole attacks against high-profile websites will grow significantly in the near future.”