For my second Digital Guardian blogpost, I continued looking at GDPR. As is the case with many cybersecurity projects, getting senior-level support for GDPR compliance efforts requires effective communication. As research from (ISC)2 has highlighted, one of the biggest challenges with GDPR projects is securing senior-level support (and the budget that goes with it). Read what I have to say in Digital Guardian for some tips on how to get the board on board.
In the first of a series of blog posts I am writing for Digital Guardian, I have tackled the General Data Protection Regulation (GDPR) and what it means for companies worldwide. To find out what GDPR is and my top ten points on why it matters, read the blog post here.
It’s enforceable from 25 May 2018, which sounds like a long time away, but as time moves quickly and organisations tend to move slowly, you should start preparing for GDPR now. One of the key problems, however, seems to be getting the leadership of organisations to fully engage with GDPR and recognise that preparing for it is a strategic, as well as IT-related, activity. With this in mind, in my next article for Digital Guardian I will be exploring what to do – and how to do it – to get the business level of an organisation engaged and on board with a project like GDPR implementation.
Michael Hill interviewed me for Infosecurity Magazine about my background, some of the big consultancy projects I carried out last year, the media work I do and much more. You can read or download the magazine here. As always, it’s an excellent read, with articles on the cyber security implications of Trump’s presidency, an analysis of the future of encryption and a thought-piece on whether and when hacking back is ever legitimate.
Cyber crime can be pretty indiscriminate, with businesses of all sizes falling victim to attacks. For smaller businesses it can be particularly challenging to receive good cyber security information and advice. With this in mind, I contributed to an article that explores:
- top cyber crime predictions for 2017
- what small businesses can do to better protect themselves
- the future of cyber crime – what’s on the horizon?
Read what myself and other cyber security professionals have to say about ransomware, the Internet of Things, spear-phishing, Artificial Intelligence, and more.
Most people in the UK returned to work this week after the festive break and I joined Radio 2’s Drivetime show, presented by Simon Mayo, to talk about one of the pitfalls: forgetting your passwords, having not logged in for a couple of weeks.
Take a listen to my interview with Simon Mayo below for my thoughts and tips on what makes a more secure password (and why) and how to cope with many complicated passwords at once (if you don’t want to use a password manager).
My parting advice in the interview is the importance of two-factor authentication; for advice and support on setting it up, check out this website.
Last night Yahoo announced another huge data breach, this one dating from 2013 and including information from 1 billion accounts. The information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5 so pretty trivial to crack) and, in some cases, encrypted or unencrypted security questions and answers. This follows the news in September of this year that information associated with 500m Yahoo accounts was breached in 2014.
I did a few radio interviews on the story this morning but wanted to expand on my thoughts. I made a video earlier in which I talk about:
- details of the breach
- the label ‘biggest known data breach’
- whether it could be state-sponsored
- what to do to better protect your online accounts
See what I have to say about this news and feel free to comment or ask questions; Twitter is usually the best place to reach me.
We’ve just had Black Friday and Cyber Monday, which are no longer limited to the days themselves, with many sales spanning at least a week. Figures suggest that retailers have had very strong sales: Barclaycard has reported record numbers of transactions on Black Friday and online retailers have indicated that Black Friday and Cyber Monday have surpassed their expectations and broken record sales from previous years. In the UK, online sales are expected to have exceeded £1.27 billion on Black Friday alone.
Unsurprisingly, December is the busiest time for retailers and online shopping is particularly popular. Anecdotally, I’ve known some people refuse to buy Christmas presents online because of cybersecurity fears, most memorably the Liverpool taxi driver who took a day off work and drove to London to buy his son a skateboard rather than buy it online. It cost him a day off work, a day’s petrol to and from London and it was more expensive to buy in-store, but he refused to do any shopping online because “the hackers have won”. How many more people feel the same?
Last week, at the same time as Black Friday and Cyber Monday deals were being pushed by retailers, I surveyed over 1,000 people in the UK to ask if worries about cybersecurity had ever stopped them buying Christmas presents online.
The statistics suggest that one in five people in the UK have been put off buying a Christmas present online due to cybersecurity worries. Looking a bit deeper into the data seems to suggest that the older people are, the more likely it is that worries put them off buying online, but to be conclusive about that we’d need a higher sample size.
I ran the same survey last year and found that slightly fewer respondents had been put off buying Christmas presents online due to cybersecurity worries. The survey last year also had slightly fewer respondents in general (1,002 last year compared to 1,031 this year). It’s not a huge variation in the numbers, but I will run the survey at around the same time every year and it will be interesting to see if patterns become more conclusive, or not.
While I’m talking about future research, some thoughts:
- It would be really interesting to run deeper research to explore the extent to which people choose their online retailer according to perceptions of cybersecurity (whether they trust the retailer or not). The hypothesis being that investing in cybersecurity, and marketing based on that investment, could offer a clear return-on-investment for online retailers. I plan to explore this question in the near-future.
- I do a fair amount of these surveys, focusing on cybersecurity attitudes and behaviours (see my research on two-factor authentication and biometrics, for example). While surveying 1,000 people gives a good insight, it would be great to survey higher numbers. If you or a company you know would be interested in sponsoring such a survey, I’d be happy to chat about it so please get in touch.
I’ve been commenting in the media a fair bit recently. I like to do this when my schedule allows; it’s a lot of fun and, being passionate about my job, I love to talk about cyber security whenever I can. It’s an honour that I get opportunities at a national, and even international, level to raise awareness both of cyber security issues in general and of the industry as a career.
However, as it’s been an especially busy few months with my consultancy work and speaking events, I haven’t had as much time to post about the media appearances once I’ve done them. So, this is a summary of some of my recent commentary.
Passwords vs Biometrics on BBC Radio 4’s Today Programme
The Dyn DDoS on BBC Radio 4’s Today Programme
Pippa Middleton’s iCloud Account Compromise on Sky News
The UK Cyber Security Strategy
I spoke to a few media outlets about the new UK Cyber Security Strategy. Here’s what I had to say:
On BBC Radio Wales
On ITV News
On Scotland Tonight
On Channel 5 News
In his latest blog post for cyber.uk, Chris Ratcliff tackles the threat posed by the Internet of Things and asks what we can do to meet the security challenges we face with more and more devices connecting to the internet.
How do you feel about being a pawn in someone else’s battle? It may sound odd, but there are currently people scanning the internet to try and take control of the gadgets and gizmos that you and I plug into our home internet connections. They’re not looking to steal our banking details or passwords or personal photos, they just want our data connections.
There have now been reported Distributed Denial of Service (DDoS) attacks peaking at 1.1Tbps, and this new attack vector is the Internet of Things (IoT), that slightly odd term meaning smart TVs, light bulbs, security cameras, fridges and everything else that manufacturers think should be connected to the internet. When a vulnerable device is found, it is compromised and code uploaded to it so that, when directed by a remote server, it sends junk traffic at a target.
You might say, why does that matter? The idea of scanning for a vulnerable host and compromising it has been around for as long as there have been computer networks. The problem with some IoT devices though is that they’re not designed for security, but rather built for ease of use by the end consumer, or even down to a cost. With some devices on razor thin profit margins too, ongoing support may be limited or non-existent.
And this is where we have come to with this new method for generating huge surges of data, tens or hundreds of thousands of devices from all over the world riddled with security holes, plugged into internet connections with little or no barrier between them and the outside world. How did we get in this mess?
There is an eternal conflict between security and usability. While it’s easy for security people to raise the concerns, and technically minded people to build a DIY solution, it’s easy to overlook just how many people consider IT, from laptops and phones to gadgets, to be something that should just work. In other cases, controls are actively turned off. Maybe it’s trying to get a child’s device to connect to the internet, maybe it’s to stop an annoying pop-up, maybe it’s sheer bad luck. It comes down to a simple question in the mind of the consumer: “What do I have to do to be secure?”
Historically the answer has been ‘Get anti-virus’, then that was joined by ‘and a firewall’. You were now secure. You didn’t have to worry. You locked your doors at night, and you had a firewall on your PC. You were safe. Some may argue it was a false sense of security, but that was enough for many. Of course, many also forget or couldn’t be bothered to renew their anti-virus. They wouldn’t update their OS. They had no awareness of End of Life dates. Windows support? Who uses Windows support? It still runs, why bother upgrading it?
And herein lies the problem. Humans like knowing that things are taken care of. Threats of war? We have a military and intelligence services. Threats of violence or theft? There’s the police. Your ISP might offer a firewall or some sort of protection, so you don’t need to worry about online threats. Heck, the wi-fi access point your ISP provided even has Super Protection Features built in! Except that your new CCTV which lets you check on your house from anywhere doesn’t work over the Internet, but when you turn off that protection it does! It can’t be a problem though, they wouldn’t be allowed to sell them if they weren’t secure, right?
Even opening a web page is fraught with problems. If you’ve ever tried locking down your web access, you’ll see a raft of connections made to a myriad of servers with each page request. Adverts, trackers, dynamic content, static content…
The answers, as much as there are, will seem obvious. Change passwords, update firmware, buy from reputable sources. Technology can be difficult though, as a single vendor’s product may be repackaged and sold under a myriad of different brands around the world.
As you’re reading a security blog, written by people who deal with security for a living, the obvious solution may seem to be more security. Maybe we’ve reached a point where firewalling a PC is no longer enough, and we should use firewall appliances to shield our entire home network. We should set rules on that firewall to limit access to what’s required, and update its firmware and threat signatures frequently. We should inspect traffic coming from different devices and look for anomalies. Of course we also need to keep up to date ourselves with emerging trends and ensure that our defences are fit for purpose for those new threats. Then, when the manufacturer announces an End of Life date, we need to chuck our now obsolete firewalls in the bin and buy something newer, shinier, faster and supported.
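As an added example (not code from Chris Ratcliff’s post or from cyber.uk), the following shows what “inspect traffic coming from different devices and look for anomalies” can mean in practice on a home network: each device gets a baseline from its own recent hours, and an hour is flagged when outbound volume or the number of distinct destinations jumps far above that baseline. The flow records, device names and IP addresses are constructed for the example; the field layout is an assumption rather than any router or firewall vendor’s export format. A camera that starts pushing hundreds of megabytes an hour to hosts it has never contacted looks very different from a laptop that is merely bursty.

```python
"""Per-device outbound traffic baseline for a home network (added example).

Flow records are (hour, device, dst_ip, bytes_out); all values below are
constructed for illustration and the schema is an assumption.
"""
from collections import defaultdict
from statistics import median

# Constructed flow summaries. The camera idles at a few KB/hour to one
# vendor host, then in hour 4 floods four unrelated hosts. The laptop is
# bursty (video calls, backups) but always talks to a single host per hour.
FLOWS = [
    (0, "camera", "203.0.113.10", 4_000),
    (1, "camera", "203.0.113.10", 3_800),
    (2, "camera", "203.0.113.10", 4_200),
    (3, "camera", "203.0.113.10", 3_900),
    (4, "camera", "198.51.100.1", 60_000_000),
    (4, "camera", "198.51.100.2", 58_000_000),
    (4, "camera", "198.51.100.3", 61_000_000),
    (4, "camera", "198.51.100.4", 57_000_000),
    (0, "laptop", "203.0.113.50", 5_000_000),
    (1, "laptop", "203.0.113.51", 80_000_000),
    (2, "laptop", "203.0.113.50", 2_000_000),
    (3, "laptop", "203.0.113.52", 40_000_000),
    (4, "laptop", "203.0.113.50", 90_000_000),
]


def hourly_profile(flows):
    """Aggregate flows into {device: {hour: (bytes_out, distinct_destinations)}}."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for hour, device, dst, nbytes in flows:
        cell = agg[device][hour]
        cell[0] += nbytes
        cell[1].add(dst)
    return {
        device: {hour: (total, len(dsts)) for hour, (total, dsts) in hours.items()}
        for device, hours in agg.items()
    }


def detect_anomalies(flows, window=3, volume_factor=10.0,
                     fanout_factor=3.0, min_bytes=1_000_000):
    """Compare each hour against the median of the preceding `window` hours.

    An hour is flagged for "volume" when its outbound bytes exceed both
    volume_factor times the baseline and min_bytes (the floor stops a
    4 KB -> 50 KB jitter on a quiet device from alerting), and for
    "fanout" when it contacts more than fanout_factor times the usual
    number of distinct destinations. Returns [(device, hour, reason), ...].
    """
    alerts = []
    for device, hours in hourly_profile(flows).items():
        ordered = sorted(hours)
        for i, hour in enumerate(ordered):
            if i < window:
                continue  # not enough history to form a baseline yet
            prior = ordered[i - window:i]
            base_bytes = median(hours[h][0] for h in prior)
            base_fanout = median(hours[h][1] for h in prior)
            cur_bytes, cur_fanout = hours[hour]
            reasons = []
            if cur_bytes > max(volume_factor * base_bytes, min_bytes):
                reasons.append("volume")
            if cur_fanout > fanout_factor * base_fanout:
                reasons.append("fanout")
            if reasons:
                alerts.append((device, hour, "+".join(reasons)))
    return alerts


if __name__ == "__main__":
    for device, hour, reason in detect_anomalies(FLOWS):
        print(f"ALERT device={device} hour={hour} reason={reason}")
```

The two rules are deliberately relative rather than absolute: a laptop legitimately uploads tens of megabytes, so a fixed byte threshold would either drown the camera alert in laptop noise or miss it. Baselining each device against itself, with a minimum-bytes floor, is what lets a quiet device’s change in behaviour stand out.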
OK, that’s an infinitesimal fraction of the population protected; now the rest of the world.
In the UK, there is the Trading Standards Institute. Their role with local authorities is to ensure what is sold to the public is safe and legal. They run campaigns seizing counterfeit goods or potentially dangerous USB chargers. There’s also CE marking showing that a product meets safety standards set out for that product category. In the US, the Federal Trade Commission proudly states that it is ‘Protecting America’s Consumers’, and they were one of the bodies who charged VW with misleading consumers on emissions. Currently, as long as a device is safe with regard to power handling, materials used and RF emissions then it’s safe. I don’t see any of these bodies or standards looking at how vulnerable a device is.
What makes this especially challenging is that the harm to the individual is limited (though the frequency of these attacks could well increase) but the harm to the population is very significant. If this sounds like a need for herd immunity, then you’d be right, except there’s no vaccine that can be widely, and easily, administered.
I can see a future where Stuff That Connects To The Internet – which will probably be most electrical items and infrastructure – will need to meet a minimum standard to be legally sold in the UK. ISPs will need to be much more proactive in spotting unusual traffic patterns and both protecting the upstream data and informing their customers that something unusual is happening – although the customer service side of that is tricky. Future generations will also be much, much more familiar with everything that’s involved in living a technological life. They will understand the issues more instinctively and be more savvy about how they treat the internet.
However we need a short term solution. I’ve heard calls for the banning of IoT devices until this issue is resolved, but it leaves a huge legacy of devices sitting on networks which may be unpatchable, owned by people who don’t even realise they’re part of the problem and require action.
I always try and give my blogs something actionable in them, some great take away for people to use. Instead this time, I throw the floor open to you all. Is there a solution to this, or do we need to improve our DDoS protection?