Tuesday 18 March 2008

We Must Not Forget Older Methods of ID Theft

These days, everyone has been indoctrinated to believe that ID theft can only occur over the Internet. But let us not forget some older (yet still effective) methods of ID theft. Fraudsters can victimize individuals if their wallet, credit card, or chequebook has been stolen or lost. There has also been a resurgence of telephone fraud powered by VoIP, and there is still a threat, albeit small, that you can lose your identity through postal mail. Everyone should keep important cards out of their wallet and in a safe place, and report lost or stolen credit cards immediately. Those are just a few tips on how to secure your world in addition to protecting your digital assets.

Wednesday 20 February 2008

As a former ethical hacker with seventeen years' experience in the Information Security industry, Jason has used his knowledge and expertise to create technologies that ensure organisations stay one step ahead of the security game. Jason continues to raise the profile of Information Security risks and solutions, including the introduction of the term CSO (Chief Security Officer) within business.

Jason has published articles and white papers and has appeared on BBC, ITV, CNN, and CNBC as well as Radio 5 and BBC World News. His expertise has been cited in Time, SC, InfoSec, Computing and Computer Weekly magazines and in the FT, Guardian, Times and Evening Standard.

Prior to CRYPTOCard, Jason held senior positions within a number of organizations, including Ernst & Young's Information Security Assurance and Advisory Services practice. Jason has created and developed entire security frameworks as well as Information Security Assessment Methodology. Clients have included NHS, Government, as well as a large number of FTSE 100 organizations.

Monday 18 February 2008

Have you been mis-sold security?

Information security does not need to be complicated in order to be robust, nor does simplicity equate to an inferior defence. So, have you been mis-sold security?

A lot of the hyperbole stemming from many info security vendors suggests that, in order to be secure, you’ll need to re-mortgage your company premises to upgrade to the biggest, shiniest IT security infrastructure. The simple fact of the matter is that securing business-critical information, be it customer details, financial records or strategic data, boils down to one thing – access.

Aside from the technological argument, an equally important consideration when strengthening IT security is cost. Because IT security has no measurable ROI, with cost justifications made instead on the ability to avoid losing money or damaging reputation, prudence is desirable when making a security investment. I for one would argue that almost all security threats could be averted with only three things: antivirus software, a firewall and some form of two-factor authentication, the latter being the most critical, because if you can retain control over access you are, by default, secure.

This is why the continued use of static passwords as the last bastion of information security, and the final word in determining user privileges and administrator access, represents a significant weakness in business defences. More companies are adopting or improving ICT processes, specifically by providing remote access services to help them realise operational and competitive efficiencies for their business or to meet flexible working practice regulations. This is particularly important for SMEs, which account for over 99% of all UK companies and are the real growth area for remote access services. These changes mean that companies are opening more doors to their data, and so the threat posed by malicious individuals and organised criminal gangs grows exponentially. They have access to the tools and intellect needed to launch brute-force attacks, create and disseminate key loggers, as well as myriad other password cracking or harvesting methods, to which static passwords represent merely a speed bump, not a roadblock.

For this reason, the cliché that "a chain is only as strong as its weakest link" is synonymous with budget-sapping IT security projects. Relying on an archaic access control mechanism not only goes against any best practice considerations, but is downright foolhardy. As is often the case, the financial sector realised this early on, particularly on the retail banking side, and is now adopting strong two-factor authentication (2FA). This is visible in the form of both the ubiquitous Chip & PIN and the one-time-password generators issued to online banking customers.

With 2FA, the one-time passwords, generated every single time a user needs to log in, quash any attempt made by a hacker or unauthorised user to gain access to networks, applications and vital business information: they cannot be gleaned via a keylogger and can never be guessed, because each one is a fresh, unpredictable string.

The reason that any security measures, no matter how elaborate and innovative, are prone to failure is that they still rely on those easy-to-crack, often predictable, strings of characters. To illustrate this point it is worth taking a trip back in time to the 1950s, when there were just five computers in operation. Aside from being protected by all manner of physical defences, should a potential saboteur get through, they would be faced with the prospect of having to guess a password. Back then this was an effective and innovative line of defence.

However, as time advances so too does the actual and perceived threat. With the advent of firearms, the sword and spear became obsolete as an army’s only tool for defence. To keep ahead of the online arms race we too need to discard untenable security measures to avoid having to learn from our mistakes.
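The one-time-password generators mentioned above typically follow the HOTP scheme of RFC 4226 (HMAC over a shared secret and a counter). As an added illustration, not code from the original post or from any token vendor, the following shows why a code captured by a keylogger is worthless once the legitimate user has logged in: the server only accepts codes for counters beyond the last one it honoured. The secret used is the RFC 4226 test-vector key, a constructed value, not a real token's secret.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class Verifier:
    """Server-side state for one token: the shared secret and the counter
    of the last OTP accepted. A code is accepted only if it matches a counter
    strictly ahead of the last accepted one (within a small look-ahead window
    to tolerate unused token presses), so replaying a captured code fails."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.window):
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # never accept this counter again
                return True
        return False


def demo() -> dict:
    # Constructed secret: the RFC 4226 Appendix D test key, not a real token's.
    secret = b"12345678901234567890"
    server = Verifier(secret)
    first = hotp(secret, 0)            # user's token shows this at first login
    first_ok = server.verify(first)    # genuine login succeeds
    replay_ok = server.verify(first)   # keylogged code replayed later: rejected
    second = hotp(secret, 1)           # token advances, next login uses a new code
    second_ok = server.verify(second)
    return {"first_ok": first_ok, "replay_ok": replay_ok, "second_ok": second_ok}


if __name__ == "__main__":
    print(demo())
```

A six-digit code has only a million possible values, so the verifier must also rate-limit or lock out after a handful of failed attempts; the counter check alone defeats replay, not online guessing.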

Tuesday 12 February 2008

UK .gov Site Hacked

Last week, a number of UK government websites got hacked. Yes, you read that right: UK government sites have been hacked. Interestingly enough, one of the sites was redirected to the BBC's website after the hack, which suggests the attack was deliberate rather than random. I urge your organization to consider increasing its security measures. With hacks becoming more deliberate and targeted, every organization requires the security to stymie every attempt.

Thursday 31 January 2008

U.S. Government Requests to Spend $6 Billion on Security

A few days ago, the Bush administration announced a plan to spend $6 billion in a year on cyber security. With the amount of debt the U.S. government has racked up over the years, some would say this is unreasonable. On the other hand, with cyber threats continually evolving and becoming more threatening (as we have seen in France), some say $6 billion may not be enough. What are your thoughts on this? Is the Bush administration making the right move? Where should encryption, 2FA, firewalls, etc. fall into this proposed spending? Please post your thoughts…


Tuesday 29 January 2008

Manchester airport first to implement iris recognition

Manchester Airport has implemented what it claims is the UK's first biometric access control system based on iris recognition. The system officially went live just before Christmas and is used to control airport workers' access to secure parts of the airport.

Thursday 24 January 2008

Bank Fraud Attempts Driven by “Vishing”

Customers of three banks in the Eastern U.S. have been subjected to a new telephone phishing scam. In an attempt to retrieve personal account information, customers receive an automated phone call, supposedly from their bank, asking them to call a toll-free number because their services need to be updated. Customers who called the number were asked for account information.

Dubbed "vishing", a mix between "voice" and "phishing", the scam sees fraudsters use Voice over IP in their attempts to steal personal information. With email phishing becoming highly recognizable, vishing could be the next wave of fraud. As fraudsters become more creative in finding ways to obtain confidential information, companies must be equally creative and proactive to halt them in their tracks.

Tuesday 22 January 2008

Another UK Data Breach

In yet another data loss scandal in the UK, three million drivers’ records have been lost. Transport secretary Ruth Kelly has known since May that a hard disk drive had gone missing from a secure facility in Iowa City, Iowa.

As a preventative measure, Kelly said the department is now looking at using electronic data transfer. However, many would argue that data breaches are more likely with electronic data. If the UK government and transport department decide to use electronic means to deliver sensitive data, they should both seriously evaluate methods of securing those processes.

Thursday 17 January 2008

TJX Compensates for Data Breach

To avoid a steeper bill in lawsuits, TJX has offered to compensate Visa card users $40.9 million for a data breach that occurred back in January. This move is supposed to "save" the company money from the waves of lawsuits that would come in if it opted not to compensate the Visa card users. What would have really saved them money is having a state-of-the-art security standard implemented at the time of the data breach. You see, TJX was still using an older security standard, the Wired Equivalent Privacy (WEP) encryption protocol, back in January.

Now TJX must pay over $40 million in compensation as well as update its security measures, when all it needed to do was take care of the latter at the right time. Whatever the reason, a $40 million mistake will hurt an organization – even TJX.

Tuesday 15 January 2008

Passport Canada’s Lax Security

Passport Canada is scrambling to reassure Canadian citizens that a recent data breach has been rectified. The breach occurred on the Passport Canada website, where an applicant could simply change a few letters of their name in the URL and access another individual's application. This is yet another example of how relaxed security measures can have catastrophic consequences. When will businesses and governments learn that security should be a priority? You would hope that the recent events in the UK will change attitudes towards strong security implementation.

Copyright 2009 Jason Hart.