cybX Security Digest, 11th Feb 2016
Welcome to today’s edition of the security digest. My intention was to go back over the last few days and pick out a few select articles, but as ever in this industry things move fast! So I’ve picked out some from the last day or so that I’ve found interesting.
Before I start with the articles, I'd like to bring your attention to a webinar we will be producing on the 18th February on the topic of "Developing cyber resilience – the risk and opportunities of digitisation", which our Director will be delivering. Well worth a look.
On Monday I posted about the Malware Museum; we now have a Windows 3.1 shareware museum too! Go indulge in some nostalgia. Elsewhere, Tripwire’s State of Security blog has a guide on 5 common LinkedIn scams that might be worth a read, and are we seeing the end of Moore’s Law as a practical guide for computing power? The blog by Shawn Tuma also raises some points on the new EU Privacy Shield directive; I won’t pretend to be able to comment on them, so go have a look!
I’m going to start today with “Hackers aren’t smart, people are stupid”, a blog posted on erratasec which raises a number of important points. When we ‘train’ people to look out for common malware, attacks and phishing, we are teaching them in a way that conditions them to only sniff out the obvious. As the blog aptly puts it, “This advice demonstrates lack of understanding of the core concept”. The phishing example is perfect, and it is something I’ve railed on recently, as my colleagues might attest to! There are nuggets of useful information for everybody in that article. I highly recommend giving it a read, and I’ll just leave you with “SQL injection has been the most popular hacker attack for more than a decade” - just ask Hackmageddon.
Next up we have “Data Breaches led 3 million Brits to switch Service Provider”. Does this surprise anyone? At least nobody in the security industry is surprised. One of the things that we at cybX try to get across is reputation management: if you are the victim of a breach, that goes public, and the media response surrounding it is poor, it’s going to reflect poorly on your company. Last week we saw Talk Talk state that they are only now ‘returning to normal’, three months after they were attacked. So wake up, people, and realise that cyber attacks can be an existential threat to your business, especially when you consider what GDPR (the General Data Protection Regulation) has in store for us in the coming years.
Wired has an article, “How to hack the Power Grid through home air conditioners”, which is another exemplary display of why we are not ready for smart cities. The study was done by a Kaspersky initiative called ‘Securing Smart Cities’, which is a great idea; I just hope it doesn’t follow many other great ideas and become just that, nothing more than an idea. You just have to think of how many open points of communication there might be when you consider the idea of a smart city: every house with utility meters, every house with air conditioning, temperature sensors, traffic controls, cameras, you name it - if there is a single flaw in any of these implementations it will be found, and not always by the ‘good guys’.
Ironically, my next article is about Wired, by the Sophos security blog: “Wired to ad blocker users: pay up for ad-free site or you get nothing”. I have to get on my hobby horse for this one. With malvertising, cross-site scripting, etc., I personally will not be disabling my ad blocker for any website until they can prove to me that they have secured their third-party ad suppliers. I will also continue to advocate the use of ad blockers to my colleagues and friends, not because they stop annoying pop-ups, but because they significantly mitigate the threat of malvertising. A number of sites have called it quits recently because they can’t gain revenue due to the increase in users of ad blockers, but like any digital industry they need to innovate and move with the times or face extinction. Do I have an answer? No. But hopefully the industry can think of something soon.
Lastly, I’m going to finish with “Hackers are offering Apple employees $23,000 for Corporate login details”, and I bet Apple aren’t the only company that has to contend with this. As always, there are a number of useful tips in the article: proper training, processes, policies and mitigation are all key. However, it all comes back to the insider threat - how do you protect against a threat that already has a degree of trust? You operate on a policy of zero trust, but how productive can that be? Which, in a swings and roundabouts kind of way, brings us back to the point that cyber security is just another risk: who you trust is a calculated risk based on the exposure you are willing to accept, just like any other risk.
That’s it for today, thank you for reading and I’ll see you again on Monday for a recap of the weekend's security news!
The thoughts and opinions expressed in this article are that of the author and do not necessarily reflect that of cybX or its parent company.
David Dowson is an IT Technician working on the cybX project. cybX is a simulated virtual environment in which we can train, test, validate and exercise your technical and managerial teams in a safe and secure manner.