
Poacher Enabled Cyber Resilience

By Professor John Walker | January 23, 2019 | Updated: December 30, 2021 | 6 Mins Read

I don’t for one moment feel that any professional would argue that we are not facing a time of Digital instability in our interwoven worlds of Business, Social Media, or when we, and the great public, utilise some form of on-line service. It may be that the associated risks manifest as some cloak-covered communication, with a must-read attachment sent from a LinkedIn Member, who for some reason does not possess a profile! Or maybe, remaining with this theme, it could be a Tracking Advice from Amazon, or maybe a HMRC Tax Rebate, or even a surprise Payment Notification you were not expecting! Or could it be that Crypto Currency pot you were never aware of must be claimed within 24 hours, or you will forfeit the unknown wealth of £7200.00 in profits you never realised you were entitled to! And that is only considering a sample of the ever-rising scams, and potential security vulnerabilities which are waiting in the wings to pay the unsuspecting user’s inbox a call.

When we get to the world of the SME, and up to big business, the risks are commensurate in their multiplication. Not only are all those dangers as discussed above potentially winging their way to an associated corporate mailbox, but in the macro scale of the business environment, these risks are multiplexed by an unknown factor of Cyber and Social Risks. Here we may be considering the Industrial Scale Threats of Ransomware, DDoS, Backdoor Intrusions, not to mention some of those over-trusted contractors who happen to insist they simply can’t work without the support of a Privileged Account. And just in case your Bank, or Business, has stockpiled some Crypto Currency to pay any prospective attacker off, it may be a good time to consider how such virtual assets are secured – before some passer-by decides to hijack them – and we haven’t even started to consider the Ordinary Users who we rely on so much to get the Corporate daily chores addressed – yes, there is a long list to consider.

Having now spent 30 years plus in an industry which has now morphed into a world of Cyber, when I look back down the operational road, I realise that along the way, driven possibly by commercial exuberance, many of those early skills and teachings have got lost along the way, and in my opinion, the Cyber Security Challenge seems to have risen far too high up to the Presentation Layer, and has jumped (is jumping) over some of those important security nuts-and-bolts, and whilst delivering what is considered to be a semblance of robust Cyber Security, by inference, or in some cases, ignorance, is leaving the supposedly protected enterprise wide open to any semi-skilled miscreant passer-by. As my very good friend Steve Gold (RIP) once relayed to me post interviewing a group of successful German Hackers with a question he posed – Steve asked:

‘How come you are so very accomplished at hacking into other people’s systems?’ However, Steve was somewhat taken aback by their response, when one member replied, ‘It is not us who are so accomplished, it is everybody else we have hacked who are just plain stupid, leaving loose ends exposed for manipulation’.

One of the major issues I have faced year-on-year when working with Clients is the lack of appreciation of the Risk Model of the presented horizons of exposure, based on the aspects of the Vertical, Horizontal, and 370° (the extra 10° applied for good x-check measure) potential areas of insecurity. By chance, and all driven by good reason, we seem to have set off on a side-path of Compliance and Governance based on some well-meaning, yet at times temperate recognised Standards with the misguided belief that a Tick-Driven Compliance approach amounts to robust security – which is in my experience far from the case.

If any organisation wishes to even stand a chance of surviving the ‘Era of Cyber Adversity’, then it is time to overhaul their kit-bag of skills and add into that container the required adequate embellishment of trained and accomplished professionals, to ensure that when a situation is encountered, there is more than just a pen and paper sitting on the desk with which the MIR Team will attempt to scrawl out their immediate response plan whilst the situation is in full flight – and with possibly the CEO, or CFO, standing in the doorway just about to blow a gasket.

Some of the most robust and sensible solutions I can ever offer to any client are to ensure that, as a minimum, the following areas are considered:

  • Conduct a Technology and People Threat Assessment and identify any areas in which shortfalls exist, and then look to the training budget to plug those holes – and in quick time
  • As painful as it may be, at least get a grip of all your Critical Assets in whatever form they arrive in – Data, Systems, Infrastructure, People, Business Partnerships and Real Estate etc.
  • Consider getting your staff trained to, not just a Pen-and-Paper level of skills, but to a level where they can understand what the pragmatic Back-to-Basics aspect of Cyber Security really expects in its full protective form
  • Where specialist needs exist, such as supporting a First Response Activity, conducting a Digital Forensics Mission, or carrying out a Fraud Audit, remember the success, or failure, of the outcome is based on two factors: Current Situational Awareness of the art, linked to an Accomplished Professional who owns a safe pair of informed hands
  • Know where your wires go – in other words, have an idea of the overall topology of the interconnected estate, including any Promiscuous Signal, and other forms of expensive communications – say Microwave – it is valuable information to have to hand when you are trying to make a decision as to what may be discounted in times of pressure
  • Pay serious attention to employing the art of OSINT (Open Source Intelligence) to proactively watch over your Social, Digital Assets and Brand(s): or, in the negative reactive profile, use this powerful open source world to monitor your interests post an attack to derive any useful adverse information which could assist you to mitigate the impact

When training, I find that the most advantageous methodology is, along with a Health Warning, to demonstrate to the delegates the adverse side of security, and to familiarise them with the Darker-Side of the art. The theory here being, if they have been taken into the world of understanding the Poacher’s Mindset, they will be better enabled to understand him/her at such time as they commence battle. The second benefit of course is, if we can lower the mindset from the Presentation Layers of anticipated risks, maybe we may also start to understand those holes that have been missed by those operational staff, which are so eagerly sought after by our potential adversaries.

Professor John Walker

John is the Principal at Shadow-Intelligence (Si), partnering with PALISCOPE, BreachAware and iStorage. He is a Visiting Professor at the School of Science and Technology, Nottingham Trent University (NTU) and holds the appointment of Editor in Chief for the International Journal of Cyber Forensics and Advanced Threat Investigations (CFATI). For the last decade he has delivered training courses in the Middle, and Far East to Commercial, Industrial, the Financial Services Sector, and Military Agencies, including the UAE, US, Pakistan, Saudi Arabia, Malaysia (KL), Singapore, Argentina, and Sao Paulo.

He served in the Royal Air Force for 22 years, specialising in Counterintelligence, working with UK Agencies such as GCHQ/CESG, and others in the fields of SIGINT, COMINT and Satellite Communications, holding appointments such as System ITSO for a CIA SCIF.

In the commercial sectors of IT/Cyber he has worked for/with Logica, Bae, T5, GM, Experian, Betfair, Palace of Westminster, House of Lords/Commons, TSol (Treasury Solicitors) and provided Consultancy to the Saudi Arabian MOD, TRA (Telecommunications Authority (Dubai)) and the Military Academy of Malaysia (KL) on SOC, CSIRT, Digital Forensics and OSINT. Within the last 5 years he has focused on Geopolitics, with global expertise around the UAE and Russia, Anti-Terrorist Operations (ATO), Cyber-Warfare, Dezinformatsiya (Disinformation) and Maskirovka (Military Deception).


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
