15 Nov

Oversharing into King’s

Oversharing into King's
So, another trip down to London on the train and I’m reminded again of why I decided to start blogging this kind of message.  Millions of pounds are spent on security yearly by businesses from gateway and “Next Gen” Endpoint technology through to SIEM, IPS and a whole raft of layered security models. But what about the end user? Today was a clear case in point that user awareness and social engineering training is equally important if you don’t want all that work being undone.


So here I am, sitting above my pay grade in first class, making my way down into King’s Cross. We have the usual mix of commuters and tourists, but being first class and this time of day, it’s more for former than the latter. Many of us sitting here with a laptop or tablet taking phone calls and adding to the general noise of the morning journey. Imagine my unsurprise when we hear a gentleman on the phone to his IT support department, with a conversation that went a little like this:


“Hi, My name is <Redacted> from <Redacted>, I’m having trouble getting access to my systems through the VPN, I’m on the train.”


Queue me perking up and bringing up his LinkedIN Page, seems he is rather senior in this financial organisation.


“Yes, my username I’m using is <redacted>, I’m still not able to get in. Yes, The IP I’m trying to connect to is <redacted>, I’m using the Cisco client.”


So this is where I start looking around the carriage to see if anybody else is taking this in, with one commuter in particular catching my eye and smirking. During this small conversation we have already obtained his name, company name and position, VPN username and connection IP address.


“Yes, might be my password, are you able to change this for me?”


One thing that stood out here before the bombshell was the lack of information after this point, there appeared to be no confirmation of who he was to the person on the other end of the phone in order to facilite the change of password request, although have to concede I’m unsure if this was somehow done in a manner I couldn’t see, still, it didn’t matter given the next thing he said.


“Sorry, the line is really bad, did you say my password was <redacted>?”


So there we have it, a short phone call from someone desperate to do some work before they reach the station and a total lack of awareness has lead to a potential security breach of quite serious proportions. There are clearly elements here we are still unsure of, for example, whether there is 2FA in place, or that the username is the same for the VPN and his network access, but all in all, this information is something that a malicious attacker could use to great advantage.


User Awareness and Social Engineering are key factors in a good security strategy, don’t be a <redacted>
09 Dec

Threat Intelligence Management Framework

In order to respond effectively to the rapid growth of emerging and increasingly sophisticated threats, it is important that organisations have an effective strategy around threat intelligence management. The framework proposed by McAfee (part of Intel Security) follows a layered approach.

The Threat Intelligence Funnel

Global level intelligence sits firmly at the top. This threat intelligence is often not real time and by definition cannot be relied upon when protecting against Zero Day threats. However, global intelligence is very valuable around identifying the vast majority of commodity signature based threats. Global intelligence feeds such as GTI (Global Threat Intelligence), a service provided by McAfee; or similar services shouldn’t be relied upon in isolation. This is due to the wide range of indicators of compromise that may or may not be locally relevant. This lack of local relevance may also lead to false positives.

Some organisations may choose to subscribe to more industry focused community and third party intelligence feeds. For instance, financial services organisations may choose to subscribe to the likes of FS-ISAC and in the case of federal and public sector, GovCert may be playing a part. Other organisations may choose open source providers such as Hail A Taxii or other similar alternatives. While industry vertical-focused or third party providers are valuable and may provide more targeted threat intelligence, the indicators of compromise may still not be as relevant to specific organisations.

According to Verizon’s 2016 Data Breach Investigations Report 70-80% of threat samples that an organisation receives, are unique to that institution. This number has progressively increased in the last few years. This increase, validates the view that sophisticated and more advanced threats are targeted and arhcitected around the specific vulnerability profile of individual organisations. This changing threat landscape, highlights the importance of relevant, real-time and local intelligence gathered from local context aware sensors.

Therefore local threat information, complemented by community and global information sources as part of an actionable intelligence funnel framework is a vital component of any layered defence strategy.

24 Nov

The Ambition, The Possibility and The Reality.

In the war against Cyber Criminals, Enterprise IT teams fundamentally have a significant challenge on their hands. The fundamental problem is essentially this:

Cyber Criminals are “out innovating” Enterprise IT.

Cyber Criminals can essentially move faster than most IT organisations as they are not bound by “change control” or ITIL. They also don’t need to conform to corporate ethics, policies or compliance requirements. Additionally they don’t need to contend with corporate politics, siloed operations and empire builders.

Their mission is very simple. Gain unauthorised access to information and other assets and maximise return on time invested doing so. The rapid weaponisation of the cyberspace coupled with significant commercial opportunities for cyber criminals has given rise to ever more sophisticated, tailored, difficult to detect and targeted attacks aimed at the industry. These attacks have the potential to cause significant damage; damage to both reputation and business viability.

In an effort to build the most sophisticated defence against such threats, every IT organisations has ambitious plans to build the most powerful defence. For those Star Wars fans out there, this can be likened to the Death Star!

The Ambition

The Ambition

However due to technology and budgetary limitations,  the reality looks more like the below:

The Possibility

The Possibility

But due to the fragmented nature of the cyber security market and how organisations tend to think about “security problems”, most IT environments end up with this:

The Reality...

The Reality…

Often times, IT organisations end up with a “bag of bits”. These point solutions are often sold without any professional services attached to them and the business outcomes are often overlooked leading to vendor proliferation.

According to a study done by Penn Schoen Berland, a global market research and consulting firm, earlier in 2016, 62% of security practitioners believe that technology sprawl adversely impacts the overall security posture of organisations.

In order to build the “lego set” an integrated open and extensible architectural approach that penetrates deeper into the fabric of the organisation with the ability to learn and adapt and get stronger over time is essential.