Posts Tagged ‘CyberCrime’

Europe’s cyber Achilles heel

May 2nd, 2013 by

The Dutch hacker believed to be responsible for the world’s largest DDoS attack a few weeks ago has been arrested. Apparently he was caught 35km north of Barcelona in an orange van that doubled as a mobile computing office (in my mind it’s like a malicious Mystery Machine), remotely controlling his ‘cyber bunker’.

Anyone outside of the cyber security industry would be forgiven for thinking that this kind of event was a one-off. In reality, these kinds of events are taking place 24 hours a day, 365 days a year. Eighteen cybercrimes PER SECOND according to one Symantec report.

Admittedly it is quite unusual to find a Dutchman declaring cyber war from a van in Spain, but cybercrime is a real problem across Europe, and one that is widely under-reported by the media.

Seth Berman, a digital risk management expert based in London, told CNBC in March that this under-reporting could actually be damaging Europe’s ability to face the cyber threats posed in 2013. A lack of mandatory reporting regulations and a history of organisations being shamed for breaches have led to companies hiding their problems from customers and even staff.

Until the regulation catches up and forces organisations to be more open about their problems, cyber security will continue to be Europe’s Achilles heel, data breaches will continue to happen and organisations will fail to live up to their responsibilities.

In the meantime there are some simple steps you can take to keep your information safe:


Influx of DDoS attacks on Dutch banks

April 18th, 2013 by

Over the past couple of weeks, banks in the Netherlands have been experiencing an influx of DDoS (distributed denial-of-service) attacks, causing customers to be unable to access their online accounts.

Rabobank and ING are just two of the major banks that have been affected.

According to comScore, 2 out of 3 internet users in the Netherlands access online banking sites, which makes it the country with the highest penetration of online banking users in the world.

With such high numbers of users in the Netherlands, it is shocking to hear that so many of its banks are experiencing DDoS attacks.

A DDoS attack involves bombarding a site with data traffic so that it crashes or becomes extremely difficult to reach. This news comes 3 weeks after what was possibly the biggest ever DDoS.

This attack is just one of many cyber threats that thousands of organisations face around the world every single day.

To help you face up to, manage and overcome cyber threats that target your business, IT Governance has a vast range of products and services available to those countries situated within Europe, from handy pocket guides to information security training and automated risk assessment software.

Cyber security concerns growing in Asia Pacific

April 12th, 2013 by

Following recent high profile cyber attacks, allegedly originating from China and North Korea, concerns regarding cyber security in the Asia Pacific region are palpable.

The speculation regarding the involvement of both nation states’ militaries in the cyber attacks has led to fears, according to South Korean security experts, that North Korea is training teams of ‘cyber warriors’, which, if true, would be worrying news.

Aside from speculative finger-pointing over who is to blame, what is known are the effects of cyber attacks, which target sensitive economic and business information, and Distributed Denial of Service (DDoS) attacks. With the recent cyber security frailties of Australian organisations including the Australian Tax Office and the Reserve Bank of Australia, it is clear that organisations need to increasingly strengthen their cyber security defences.

In the information economy, the confidentiality, integrity and availability (CIA) of corporate information assets and intellectual property are more important for the long-term success of organisations than traditional, physical and tangible assets.

ISO 27001, the international information security standard, is the best-practice specification that helps businesses and organisations the world over to develop an Information Security Management System (ISMS). At IT Governance we produce a range of ISO 27001 books and toolkits which provide all the tools you need to create your own ISO 27001-compliant ISMS.


ENISA identifies e-mail as a significant vulnerability

April 12th, 2013 by

ENISA, the European Union’s cyber security agency, is calling for businesses and governments throughout Europe to take urgent action to address the emerging trend of cyber attacks, ‘Cyber-attacks – a new edge for old weapons’.

In recent months, a series of cyber attacks targeted high-profile organisations including government and critical infrastructure. Mandiant’s report on cyber espionage included details of the theft of data from hundreds of organisations, including those in the EU’s critical sectors. Several recent cyber attacks have used old methods of attack in a more targeted and intelligent way, giving them a ‘new edge’.

The impact of cyber attacks can be extremely damaging, and it stems from vulnerabilities in organisations’ defences. ENISA identifies e-mail as a significant vulnerability, going so far as to say: “Email is insecure: E-mail is universally used, by consumers, businesses and government organizations, but most email systems do not provide any kind of authentication, i.e. it is very hard for users to understand where the message originates from and whether or not the sender is a trusted party. This makes it very easy for attackers to send fake messages or to pretend they are someone else (spoofing)”. ENISA goes on to say that organisations in critical sectors should address the risk of spear-phishing by using encryption solutions and sender authentication frameworks.

Spear-phishing, where a spoof e-mail is sent fraudulently targeting an organisation in search of confidential data, is favoured by cyber criminals as it is low-cost, easy to launch and very effective.

Aside from setting up rigorous cyber security, verification and authentication solutions, organisations must address the human factor. Technological security is not enough; no organisation is completely secure until all of its staff are fully aware of their role in achieving effective information security.

IT Governance has drawn on its years of Information Security Staff Awareness training to develop and produce the world’s most useful and complete online e-learning information security staff awareness course.


The biggest ever DDoS? They should have called IT Governance…

March 27th, 2013 by

Spamhaus, the organisation that is effectively the world’s de facto spam police, reported earlier this week that it was subjected to a massive Distributed Denial of Service (DDoS) attack.

Although, for now, the effects have been limited to a general slowdown of websites and online services, it could be the sign of things to come.

The situation began when Spamhaus attempted to take action against a Dutch company called Cyberbunker, host to some of the net’s worst offenders for spamming and piracy. Unhappy with being blacklisted, they allegedly teamed up with Eastern European and Russian gangs to launch a massive cyber attack against Spamhaus, generating 300Gb of malicious traffic per second.

To put that into perspective, per hour it’s the equivalent of downloading about 27 million high definition Harlem Shake videos. A terrifying idea in so many ways.

Although this is clearly an exceptional attack (even large-scale attacks on highly protected financial institutions rarely go above 50Gb/s), it does show how organised these kinds of cyber attacks have become.

All organisations need to be aware of the dangers posed by DDoS attacks, Advanced Persistent Threats (APTs) and other cyber threats. Just today the BBC reported that a London-listed company lost £800m as a result of a cyber attack.

Your response to a cyber threat must be proportional to the risks you face. IT Governance can help you to understand and face up to cyber threats with the correct measures in place.

Cyber compliance: By complying with internationally recognised best practice, such as ISO27001, you can make sure your system for managing information security is robust and fit for purpose.

Visit our webshop to see the ISO27001 products we offer »

Cyber resilience: To mitigate against cyber risk, make sure you have adequate business continuity and disaster recovery procedures in place. With the right measures in place, even if an attack does occur, you’ll be able to get your operation back on track as quickly as possible.

Visit our webshop to see the business continuity products we offer »

Cyber security testing: IT Governance has a full range of security testing services to help you find and fix vulnerabilities in your IT systems.

Visit our penetration testing page for more details »

UK anti-cyber threat centre to be announced today

March 27th, 2013 by

The Government will today announce a new Anti-cyber threat centre following a successful pilot in 2012. The initiative will include experts from government communications body GCHQ, MI5, police and businesses, with the aim of sharing information on cyber threats, including the technical details of an attack, the methods used in planning it, and how to mitigate and deal with an attack.

The new London based centre will contain around 12-15 analysts to monitor attacks and provide details in real-time of who is being targeted.

Cabinet Office minister Francis Maude said: “We know cyber attacks are happening on an industrial scale and businesses are by far the biggest victims in terms of industrial espionage and intellectual property theft, with losses to the UK economy running into the billions of pounds annually.”

“This innovative partnership is breaking new ground through a truly collaborative partnership for sharing information on threats and to protect UK interests in cyberspace.”

How can businesses mitigate the threat of industrial espionage and intellectual property theft?

Companies are always nervous of revealing publicly when they have been attacked because of the potential impact on reputation and share price if they are seen as having lost valuable intellectual property or other information.

Rather than organisations burying their heads in the sand or keeping this information secret, the Anti-cyber threat centre, I’m sure, will depend on them willingly sharing it. The biggest problem, though, is that many organisations don’t even know when they have been hacked, or even what their risk of attack actually is.

A penetration test or ‘pen test’ is the easiest and most effective way to demonstrate that exploitable vulnerabilities in your Internet-facing resources are adequately patched, and that you have appropriate technical security controls in place to help protect against cyber intrusions.

By utilising the services of an ‘ethical hacker’, organisations will be able to:

  1. Find weaknesses in their information security system before someone else does, identifying vulnerabilities and quantifying their impact and likelihood of being exploited;
  2. Produce evidence in the form of reports that their security measures are adequate and working, demonstrating that their IT spend is appropriate and cost-effective;
  3. Ensure compliance with critical standards such as PCI DSS and ISO27001, the requirements of the Data Protection Act and other relevant privacy legislation and regulations;
  4. Provide assurance to customers, in both a B2C and a B2B context, that their data is being protected and that the organisation is not a weak link in their information security chain.

To provide your business with a complete solution, please see the IT Governance Penetration Testing Packages for further details.

To book your Penetration Testing service, or to discuss your requirements, please call us now on 0845 070 1750 or email us.

If You Build It, They Will Come – And Try to Hack It

February 26th, 2013 by

A recent report from Deloitte has highlighted the growing trend for organisations to place cyber security and cyber resilience at the top of their business agendas.

Why?

Well, Mark White, principal and chief technology officer, Deloitte Consulting LLP, summed it up nicely in a recent press briefing:

“It’s no longer a discussion about if an organization will get hacked, but only a matter of when, and how quickly and effectively it will respond.”

His words echo those of information security expert Alan Calder in his recent blog.

Of the 1,749 business professionals surveyed in Deloitte’s poll, 28% said their organisation had been hacked in the last year, whilst 17% were not confident that their organisation could even detect an attack.

The truth of the matter is that cyber attacks are a concern for all. With all kinds of attack vectors, and with automated attacks on the rise, no one is immune. Don’t take it personally: you might not be attacked because of what you do or who you are, but because a weakness in your systems has been detected. And your ability to respond to an attack is as important as your ability to defend against one.

And as this message, that everyone needs to invest in proportional cyber resilience, permeates through the business world, it starts to become clear that the issue is not just an IT one, but a business one.

Speaking on the subject, Kieran Norton, principal, Deloitte & Touche LLP and leader of Deloitte’s U.S. cyber threat management practice, comments:

“Cyber security may sound technical in nature, but at its core it is a business issue. Any company’s competitive position and financial health may be at stake. Business and technology leaders need to engage in effective dialog about what the business values most, how the company can drive a competitive advantage, and which information and other digital assets are the most sensitive. Brand, customer trust and strategic positioning may be at risk.”

It sounds like scaremongering, but if you build it they will come, and try to hack it. And Kevin Costner and James Earl Jones aren’t going to be around to help you (if you haven’t seen Field of Dreams, you should watch it).

And as Field of Dreams probably won’t help your organisation’s cyber security posture, you’re best off learning more on our cyber resilience information page.

Learn from 2012 data breaches for a secure 2013

January 10th, 2013 by

I took some time out this morning to read a 2012 data breach report by Verizon, which was sent to us via a Tweet from @RiverviewLaw on Twitter. Whilst many of the findings didn’t come as a surprise, it did confirm in my mind many of the key issues organizations are going to be facing in 2013, and reiterated that the range of products and services we make available to our customers truly does make IT Governance the single source provider for Cyber Security solutions.

The report is based on 855 incidents globally, which resulted in 174 million compromised records. Contributors include the United States Secret Service (USSS), the Dutch National High Tech Crime Unit (NHTCU), the Australian Federal Police (AFP), the Irish Reporting & Information Security Service (IRISS) and the Police Central eCrimes unit (PCeU) of the London Metropolitan Police.

Rather than giving you a blow by blow commentary of my key takeaways, I’m going to leave you to read the report yourself and simply quote a few points that I found particularly noteworthy:

  • Attack Difficulty
    The best breach is the one that never occurs in the first place. Preventing a breach during the initial compromise would obviously have the least amount of repercussion. However, security controls are neither absolute nor binary; they range from quick-fixes all the way up to complex-and-costly. Understanding how much to allocate requires an understanding of the pressure the attacker is applying and where, during the attack, more pressure is used.
  • Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.
  • Of breach victims required to comply with PCI DSS, 96% were not compliant.

The data breach report touches on many different types of data breach and highlights that protecting its information assets is more important than ever for organizations of all sizes.

Depending on the organization, it seems, in hindsight, that routine penetration testing of networks and web applications could have highlighted vulnerabilities before they were exploited, and controls could have been put in place. See how our technical services can help your organization to avoid being in next year’s report.

A lack of risk management is likely to have contributed to poor security. Using a risk based approach to information security and adopting international best practice such as ISO 27001 is the best thing any organization can do.

Not only does ISO 27001 give an organization an Information Security Management System (ISMS) that can be externally audited and help demonstrate to shareholders, customers and other stakeholders that it takes its information security seriously, but through the Plan-Do-Check-Act (PDCA) process the organization will roll out appropriate policies and procedures, implement effective staff awareness training, and implement controls to mitigate the range of threats that have been identified through the risk assessment process.

vsRisk is a unique tool that will simplify the risk assessment process and is fully aligned to the ISO 27001 standard. Check it out today – there’s a free trial.

Some controls will require security hardware and software to be put in place. Other controls will be simple policy changes that need to be deployed through documentation and staff training. Our staff awareness eLearning courses offer a unique method of training that is cost-effective and engaging for the user, which helps to embed a security-minded culture within the organization.

Cyber crime cost UK businesses £205 million in lost revenue in 2012

January 2nd, 2013 by

According to a report in the news, cyber crime costs have hit £205 million a year. Victims include wealthy retired people and on-line retailers.

Are your on-line activities safe? Commissioner Adrian Leppard, head of the City of London Police, commenting on the war on cyber crime, said: “We are not winning. I do not think we are winning globally, and I think this nature of crime is rising exponentially.” He went on to add that half of all fraud in Britain, which costs the country £70 billion a year, is conducted online.

Mr Leppard warned that a quarter of the 800 specialist internet crime officers could be axed as spending is cut. “This is a very worrying criminal trend. The real worry is that, at a time when fraud and e-crime is going up, the capability of the country is going down.”

You can take measures to avoid becoming a victim. Implementing best practice such as ISO 27001 Information Security or ISO 27031 ICT Readiness for Business Continuity can help you prepare for and counter cyber crime and fraud.

Talk to us to find out more. Call 0845 070 1750 today!

The end of Cyber Security Awareness Month…

October 26th, 2012 by

To acknowledge the importance of cyber security, President Obama designated October as ‘National Cyber Security Awareness Month’. As we approach the end of the month, it seems only fitting that we should reflect on its importance in educating a nation to take cyber security seriously…

Latest research in the US indicates that 77% of small business owners are of the opinion that their company is safe from cyber threats such as hackers, viruses and malware, yet 83% have no formal cyber security plan (findings from a survey carried out by Symantec). So why is cyber security not being taken more seriously? Do we need more examples of major corporations such as Google and Sony suffering harmful breaches before it shakes everyone into action?

To take steps to address your organisation’s cyber security, the first thing you need to consider is your organisation’s current security posture. What would be really useful is a cyber security self-assessment tool: something that enables your organisation to quickly assess and demonstrate, by reference to a straightforward ‘traffic light’ matrix, which areas of the organisation are up to scratch and where more attention is required. Now if only such a tool existed… Cyber Security Self Assessment Tool

But of course the initial assessment is only the beginning; what really matters is the action you take to make your organisation cyber resilient! Find out more and download our free whitepaper here.
