Introducing the Yorkshire Cyber Security Cluster

We love what we do here at Bob’s Business, and as one of the founders and creators of the Yorkshire Cyber Security Cluster (YCSC) along with CRK consulting, we are proud to be helping regional organisations to become more cyber secure.

Introducing the YCSC

The YCSC is an initiative created as part of the UK Cyber Security Forum to help organisations across the Yorkshire region to collaborate and build stronger standards of cyber security as part of a knowledge exchange collective.

It brings together recognised cyber security experts, a selection of academic institutions, charities, local bodies and the police force who are all working together towards reducing cybercrime within Yorkshire and the surrounding regions.

The YCSC now has over 30 core member organisations and an extended community of hundreds of individuals that is growing daily. As well as businesses, academia and public service providers from around the Yorkshire region, the Regional Cyber Crime Unit of the Yorkshire and Humber Regional Organised Crime Unit (YHROCU) is also a member and regularly speaks at the meetings, giving insights into what is happening within the cyber security industry.

Sergeant Shelton Newsham from the Regional Cyber Crime Unit described the relationship with the YCSC: “We have a close relationship with the cluster. It is one that brings several benefits to businesses and the public throughout the four forces we cover. The ability of the cluster to bring together industry experts is an important factor in enabling new issues to be raised, problems to be discussed and intelligence to be shared.”

“These open and honest discussions enable us all to work together to reduce that risk to businesses and individuals. The opportunity for law enforcement, industry and academia to meet and discuss issues is something that enables greater knowledge sharing across various sectors to benefit those that live and work in our region. Collaboration leads to more creative approaches enabling law enforcement to connect with different business areas who all have the same goal which is to reduce the risk of businesses and individuals becoming a victim of Cyber Crime.”

The YCSC meetings are held bi-monthly at The Digital Media Centre in Barnsley and are open to anyone who wishes to attend. There are traditionally three speakers at the meetings who talk about a selected theme or topic, helping to educate other members about this area of cyber security.

At the last YCSC meeting in June 2018, Bharat Mistry, principal security strategist at Trend Micro, spoke about ransomware. Thomas Chappelow, a Principal Consultant in PCI and Information Security at Data Protection People, also provided a talk on ‘A day out with Ransomware’.

When speaking about his involvement with the YCSC, Thomas Chappelow said: “A key part of my work is the engagement of stakeholders within the industry, and the wider public, on the importance of cyber and information security capability-building. The Yorkshire Cyber Security Cluster provides a vital forum for regional and national experts, law enforcement officers, and other stakeholders, to share with each other the lessons they are learning within their respective sectors. I’m excited to see the Cluster develop into a key regional security resource.”

The cluster also heard from one of its key members Dr. Daniel Dresner who speaks regularly at the meetings. We asked him what he thought about the YCSC: “I look forward to YCSC meetings. They are an ideal combination of businesses, law enforcement, and academics who come together to look at practical cyber security in (as has been said elsewhere) an ‘unfettered…untrammelled’ atmosphere. YCSC avoids the false divisions of business and family persona which makes it the kind of community approach that I’m interested in – it sets out to make a difference.”

Past meetings have focused on other aspects of the cyber security community such as ‘The next generation of professionals’ where Kathy Mckay from Ideansinc discussed ‘The Commercialisation Project and Building a Northern cyber security Talent Pool, working alongside industries and universities’.

Melanie Oldham, Co-Founder of the YCSC said: “What I love about the cluster is we are all experts in our own field and get the opportunity to showcase this at the meetings, whilst improving our wider knowledge and identifying commercial collaboration opportunities with some great regional businesses, increasing revenue and resilience to the region”.

At the next meeting, the cluster will be hearing from Ryan Mackenzie about Advanced Threat Protection; other speakers are to be confirmed.

Join the YCSC

Could you be one of our next speakers? If you would like to speak at one of the future events please get in touch by emailing email@ycsc.org.uk.

If you would like to become a member then all you have to do is come along to the next YCSC meeting and speak to a member of our team about membership. Our meetings are free to attend and you can secure your ticket here on our Eventbrite page.

If you would like to get involved or find out more, visit the YCSC website or you can contact us at email@ycsc.org.uk.


Record GDPR Fine for Google

Just over eight months after the General Data Protection Regulation came into force, the world-renowned technology giant Google has been hit with a record fine of €50m (£44m) for failing to comply with the new legislation.

Google’s GDPR Fine Explained

The CNIL, France’s data protection authority, found that Google had breached the GDPR by failing to obtain valid consent from its users for the processing of their data for personalised advertising.

The regulator also found that the search engine provider did not give users clear and easily accessible information about what personal data it collected, for what purposes, and for how long it was kept.

The CNIL found that the option to allow personalised advertising was pre-selected when users created an account, and that Google then relied on this as the basis for all of its processing. This does not comply with the GDPR: a pre-ticked box is not an unambiguous indication of consent, and consent is “specific” only if it is given distinctly for each purpose.

In a recent statement, Google said “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”

Original complaints against Google were filed on the 25th May 2018 by privacy rights groups, None of Your Business (NOYB) and La Quadrature du Net (LQDN). The groups claimed Google did not have the legal right under the GDPR to process user data for personalised advertisements. 

Max Schrems, chairman of NOYB, said, “We are very pleased that, for the first time, a European data protection authority is using the possibilities of the GDPR to punish clear violations of the law. Following the introduction of the GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often, only superficially, adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

After months of speculation about how GDPR fines would be enforced, this may be the wake-up call, and the example made of a big name, that Europe has been waiting for.

How will the fine affect Google? 

Considering that Google had an estimated annual turnover of around £85bn ($110bn) for 2017, the €50m (£44m) fine will be a drop in the ocean. It may seem that Google has got off lightly this time, as the GDPR allows organisations to be fined up to 4% of their global annual turnover, which in Google’s case would have been around £3.4bn.

The real damage is to Google’s reputation. That the largest search engine provider in the world has been found in breach of the GDPR may make users more reluctant to trust Google services with their data. Under the GDPR, individuals are also able to claim compensation if their rights have been violated, so this fine could be just the start.

Dr Lukasz Olejnik, an independent privacy researcher and adviser, indicated that the ruling was the world’s largest data protection fine. “This is a milestone in privacy enforcement and the history of privacy. The whole European Union should welcome the fine. It loudly announced the advent of the GDPR decade,” he said.

How does GDPR affect you?

Now that the first ‘big’ fine has been issued under GDPR, the bar has been set when it comes to what’s acceptable under new data protection laws – and how much it can cost an organisation.

We can expect more fines to follow throughout 2019, and to make sure that you’re not one of them you should review your existing data protection procedures within your organisation. This includes what kind of data you keep, how you handle data and training your staff to understand what role they have to play in maintaining GDPR compliance.

Before the GDPR was introduced last May, we wrote a quick article highlighting how the new data protection law will affect organisations of all shapes and sizes.

At Bob’s Business, we’re the trusted experts in providing online cyber security training. That’s why we developed our very own suite of GDPR training courses to help organisations get up to speed with the new regulation and ensure all users understand their obligations. To try the GDPR demo course for yourself, visit our GDPR training page to get started.

Double Award Nomination for Bob’s Business

Bob’s Business has been providing engaging, educational cyber security training for its clients since 2007. We pride ourselves on the work we’ve done to help benefit the information security community and how our courses have helped organisations develop secure workplace cultures. That’s why we’re thrilled to announce that we have been nominated for not one, but two industry awards.

Our nominated Cyber Security Courses

Bob’s Business Founder and CEO Melanie Oldham, has been nominated for Security Champion of the Year in the 2019 Women In IT awards, whilst the business’ Cyber Security Awareness Training product has been shortlisted for Outstanding Security Training Initiative in the Outstanding Security Performance Awards (OSPAs).

The Women in IT Awards is the world’s largest event focused on tackling gender imbalance by recognising the achievements of women within the technology sector. Since its launch in 2015, the Women in IT Awards has showcased women in technology and identified new role models in London, New York, Ireland and Silicon Valley.

The winner will be announced at the awards ceremony on 30th January at the London Marriott Hotel Grosvenor Square.

The Outstanding Security Training Initiative category at the OSPAs recognises individuals or companies that operate a successful training scheme which promotes outstanding performance and has produced identifiable results.

In this category, Bob’s Business has put forward its Cyber Security Awareness Training package. Since it was first released the online training courses have educated over 500,000 users across hundreds of organisations on cyber security essentials, which gives individuals a foundation in cyber best practice and creates a secure working environment for our clients.

Bob’s Business previously won an OSPA in 2017 for its innovative ‘Think Before You Click’ phishing simulation service. Implemented as a positive not punitive training exercise for employees, communication is at the heart of each ‘mock’ phishing email campaign, strengthening the relationship between IT and end users, where historically barriers have been created.

The winners for the Outstanding Security Performance Awards are to be announced on the 28th February 2019 at the Royal Lancaster, London.

Founder and CEO of Bob’s Business, Melanie Oldham said “I have sidestepped previous women in cyber awards as I wanted to be recognised as the pioneer of a great business, not just a woman within the cyber sector. Having now developed a growing business and understanding the importance good role models play in attracting more females into the industry, along with the importance of diversity, I now feel proud to be nominated for my achievements within the cyber sector”.

ISO 27001: Everything You Need to Know

What is ISO 27001?

ISO 27001 is part of the ISO 27000 family, a group of international standards for Information Security Management Systems. It is the best-known standard in the family providing requirements for an information security management system (ISMS).

The 2013 edition of the standard sets out its requirements in ten short clauses (clauses 4 to 10 contain the mandatory requirements) and lists 114 reference controls in Annex A, which cover far more than just IT. Both are audited by an external certification body, at initial certification and in the surveillance audits that follow.

Management within an organisation is responsible for determining the scope of the ISMS for certification purposes; this can be limited to a single department, location or the whole organisation.

Just remember that having the certificate in one area of the organisation does not mean that any other areas of the organisation have an adequate approach to information security management.

An ISMS provides a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management approach, and can help organisations of any size or sector keep vital information assets secure.

What to consider before embarking on your ISO 27001 journey?

Before you begin, you need to answer yes to all these simple questions if you are serious about gaining an ISO certification.

  • Are you fully committed to this journey?
  • Do you have buy-in from all senior management?
  • Has the scope been defined and agreed?
  • Has ISO 27001 been communicated to the rest of the organisation?
  • Have heads of department been engaged?
  • Do you train your staff regarding information security?

We won’t lie, it is a commitment that takes some time to implement and to keep up to date, but the benefits to your organisation are well worth the time it takes, and if you have buy-in from the whole organisation they can assist with the implementation.

What are the benefits of ISO 27001 to your organisation?

ISO 27001 integrates information security principles into your organisation’s business-as-usual processes, giving you the confidence to meet clients’ growing data protection expectations and to pursue new business opportunities.

Once you have achieved your certification, your organisation will be able to claim that you:

  • Follow best practices to mitigate cyber threats and have an incident response and management process in place to respond to cyber attacks
  • Have established a formal risk management process
  • Are taking appropriate control measures to protect confidential information

Other benefits include having a solid foundation to comply with legislation in turn reducing the risk/likelihood of costly fines or financial loss, protecting/enhancing your brand reputation and assuring clients and regulators that you take cyber security risks seriously.

Our ISO 27001 journey

Here at Bob’s Business, we started our ISO 27001 journey back in 2015. Why? Well, we wanted to be seen by our clients as a security-conscious supplier, who cares about their client data and practices what they preach in our cyber security awareness courses, which are aligned to the standard and teach end users how to help your organisation become more cyber secure.

For us, as an organisation the ISMS has provided guidance on the policies and processes that we needed in place that have supported the growth of the organisation from four employees back in 2015 to nearly thirty now. It has enabled us to submit tenders for more contracts that previously we would not have been able to, as it demonstrates to potential clients our commitment to Information Security and Data Protection.

Having ISO 27001 in place made our GDPR journey less daunting as both of them aim to strengthen data security and mitigate the risk of data breaches. It has enabled us to quickly complete client questionnaires relating to GDPR and how we protect their data.

A key component of ISO 27001 is ensuring that policies are rolled out to staff and that training and education around information security is provided. Our Learning Management System (LMS) lets us deliver cyber security training and policies together, track and report on completion, and record each member of staff’s acceptance of the policies.

By having the LMS and the training in place, we are able to demonstrate to external auditors that we train all our staff in cyber security awareness and that the policies have been read and accepted.

Would Bob’s Business recommend ISO 27001?

Yes, most definitely, not only has it given clients and prospects assurances that we are a security-conscious organisation, but it has helped us grow the business while maintaining the integrity of information security.

As a growing SME, ISO 27001 enables us to be able to react quickly to internal and external issues. We have the ability to revoke privileges, close accounts and reallocate key information if we lose a member of staff. When or if a breach occurs we are able to notify those involved in a timely manner.

How can training support your ISO 27001 compliance?

Our courses are designed to give end users within any organisation awareness of information security in a short, engaging, entertaining manner. We offer over 20 bite-sized courses, all designed to be completed in less than 15 minutes, keeping the employee time spent on training to a minimum.

If you’d like to find out more about our courses, click here.

Shoulder Surfing: What do you Need to Know?

When you think of hacking, you may think of a stereotypical cyber-criminal sitting in their basement, remotely attacking organisations and servers to gain unauthorised access to systems. However, this isn’t always the case, and most people overlook one very basic security concern: shoulder surfing!

Shoulder surfing is technically another form of hacking, since it too lets someone “gain unauthorised access to data in a system or a computer”. But not everyone treats it as seriously as a full-scale attack in which someone remotely forces their way to your data.

What is Shoulder Surfing?

So what actually is shoulder surfing? The hint is in the name. It’s the act of looking over someone’s shoulder while they are working on their computer. In that time an observer may see the passwords they enter, how their network is configured and what sensitive files they have on their machine.

You no longer need fancy, expensive keyloggers or to spend thousands on deploying malware on websites, you just have to watch over their shoulder and see what they type.

Shoulder surfers can use physical tools such as binoculars, video cameras and some vision-enhancing devices to help them spy on your computer from a further away distance.

How can you avoid shoulder surfers?

Avoiding shoulder surfing attacks across an organisation requires concerted cyber security awareness efforts to change behaviour. However, on an individual level, it’s possible to follow these tips to dramatically reduce your chances of falling victim to shoulder surfing:

Install a privacy filter

One way to defeat a shoulder surfer is to fit your screen with a privacy filter. Most people assume this is some kind of program or software installed on the machine, but it’s actually a thin sheet that sits over the display, much like the screen protector you would apply to your phone.

A privacy filter contains microscopic louvres that only let light through within a narrow angle, so the screen stays readable to the person sitting directly in front of it but looks dark to anyone viewing from the side. Be aware of the limit: the filter narrows the viewing angle, it doesn’t eliminate it, so someone standing directly behind you can still read the screen. It stops the casual glance from the next seat, not a determined observer in your line of sight.

Sit away from people or form a physical barrier

If privacy filters aren’t for you, you should also be mindful to tilt your screen away from people next to you so they don’t have an easy line of sight to your content. You may also want to create a physical barrier such as folders, binders or any other object to negate line of sight.

Another useful tip is to avoid doing sensitive work in crowded areas. Try to refrain from working in cafes, airports, hotel lobbies and other busy public spaces. All of these locations make you an easy target and make a shoulder surfer much harder to spot.

Use a password manager

Criminals like to watch you type passwords or follow your keystrokes when you are on a sensitive page. One popular way to keep credentials off the keyboard is a password manager: it fills in login fields for you, so you no longer type each password by hand and there is nothing for a key watcher to read. Bear in mind that the manager’s master password still has to be typed, and it now unlocks everything, so that is the one entry to take the most care over and the one that benefits most from the other tips here.

Always be under the assumption that you’re on camera. I’m not saying be paranoid in public all the time, but imagine that your every move whilst on a computer is being recorded. It’ll help you be more cautious with what you do on your machine to help negate shoulder surfers.

Use two-factor authentication 

We would also recommend setting up some form of two-factor authentication (2FA) on all of your accounts. Then, even if someone does manage to spy on your password or login details, they will still need your mobile or another device to approve the login. A one-time code glimpsed on your screen is of limited use to them, as it expires quickly and cannot be reused.

One research project has proposed going further, building an optical illusion into smartphone logins that can thwart a shoulder surfer outright.

The technique blends images at different spatial frequencies so that the screen shows one image to someone close to the device and a different one to someone further away. Combined with a keypad whose layout is randomised for every login attempt, it means an onlooker who believes they saw you enter ‘1234’ has no way of knowing which digits those key positions actually represented.
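The randomised keypad is the part of that idea you can reason about without any optical trickery, so here is an added example of it (not code from the original post or from any product it mentions). The layout is reshuffled for every attempt, the user taps positions rather than digits, and the server maps the positions back using the layout it issued. An onlooker who records where you tapped gets nothing reusable. The 10-key pad, the 4-digit PIN, the `PinServer` class and the PBKDF2 storage of the PIN are all assumptions made for the example.

```python
"""
Randomised PIN pad: an added example, not code from the original page or
from any product it mentions.  The keypad layout changes on every login
attempt, so the positions an onlooker records cannot be replayed.

Everything here is hypothetical: a 10-key pad, a 4-digit PIN, and a server
that stores only a salted, stretched hash of the PIN.
"""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"
PIN_LENGTH = 4


def new_layout() -> str:
    """Fresh random layout: keypad position i displays the digit layout[i]."""
    digits = list(DIGITS)
    secrets.SystemRandom().shuffle(digits)   # CSPRNG-backed; random.shuffle is not
    return "".join(digits)


def positions_for(pin: str, layout: str) -> list:
    """What the user actually taps: the keypad position of each PIN digit."""
    return [layout.index(d) for d in pin]


def decode(positions, layout: str) -> str:
    """Map tapped positions back to digits using the layout shown at the time."""
    return "".join(layout[p] for p in positions)


class PinServer:
    """Holds the PIN hash and the one layout that is currently valid."""

    def __init__(self, pin: str):
        self._salt = secrets.token_bytes(16)
        self._hash = self._stretch(pin)
        self._layout = None           # layout of the outstanding challenge, if any

    def _stretch(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def challenge(self, layout: str = None) -> str:
        """Issue the layout for one attempt.  `layout` is a test hook only;
        production callers always take the random one."""
        if layout is None:
            layout = new_layout()
        if sorted(layout) != list(DIGITS):
            raise ValueError("layout must be a permutation of the ten digits")
        self._layout = layout
        return layout

    def verify(self, positions) -> bool:
        """Check tapped positions against the current challenge, then discard it."""
        layout, self._layout = self._layout, None     # single use, even on failure
        if layout is None or len(positions) != PIN_LENGTH:
            return False
        if any(not 0 <= p < len(DIGITS) for p in positions):
            return False
        candidate = decode(positions, layout)
        return hmac.compare_digest(self._stretch(candidate), self._hash)


def demo() -> dict:
    """Legitimate login, then an onlooker replaying the same taps next time."""
    server = PinServer("4071")
    shown = server.challenge()
    taps = positions_for("4071", shown)        # the positions the user presses
    legit = server.verify(taps)
    server.challenge()                         # next attempt: a new layout
    replay = server.verify(taps)               # the observer replays the positions
    return {"legit": legit, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The replay in `demo()` fails unless the new layout happens to put the same four digits in the same four positions, which for ten distinct digits is a 1 in 5,040 chance per attempt; the server also discards each layout after a single use, so the onlooker cannot try several decodings against one challenge.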

In conclusion, shoulder surfing can be extremely effective and is a much cheaper way of obtaining sensitive information than a remote attack. Shoulder surfers are difficult to spot, but they can be deterred if you take our advice on board.

3 Cyber Security Horror Stories

It’s that time of year again, some people at home are carving pumpkins and others will be sitting down to binge their favourite horror films.

Some of our personal film favourites include Friday the 13th, Nightmare on Elm Street and Shaun of the Dead, but one thing that makes us want to hide under the covers is the headlines about data breaches that we see on a day-to-day basis.

This year we’ve seen the likes of British Airways, Uber and even Facebook fall prey to cybercriminals and other parties looking to steal or misuse the crucial data of their customers/users.

To get into the spirit of Halloween this year, we’ve picked out 3 real cyber security horror stories that send chills down our spines.

Cyber security horror stories

1. Hackers remotely take control of a Jeep while somebody drives it

In 2015, security researchers Charlie Miller and Chris Valasek demonstrated for Wired magazine what could be done by wirelessly hijacking a Jeep Cherokee, except that they did it in a real-life environment, while the magazine’s journalist was driving it down a highway!

The researchers got up to all sorts of mischief at first, switching the radio to different stations, turning on the windscreen wipers and blasting cold air through the car’s air conditioning.

Then the experiment was taken to the next level: the researchers cut the transmission as the Jeep was coming up to a long incline on the highway. The driver said that he frantically pressed the accelerator, but to no avail; the car slowed down with an 18-wheeler truck bearing down behind it.

Thankfully, the researchers didn’t put the driver in much more danger and he finished his nightmare car journey unharmed. But it does raise the question of what kind of world we are entering with the Internet of Things.

If you want to read the full story about Wired magazine’s hacked Jeep experiment, you can do so here.

2. Wannacry attack on the NHS

In May 2017, around 40 National Health Service organisations and some GP practices were affected by a global ransomware attack that locked down computers containing patient data and demanded payment of $300 (about £230) in the virtual currency Bitcoin.

The malicious encryption program, named WannaCry, exploited a vulnerability in the SMBv1 file-sharing service of unpatched Windows systems (the flaw fixed by Microsoft’s MS17-010 update and attacked with the leaked EternalBlue exploit) and spread from machine to machine across networks on its own, without anyone needing to click anything. Early reports that it arrived via a phishing email were not borne out by later investigation; its worm-like spread over port 445 is what made it so damaging.

It is estimated that 6,900 appointments were cancelled as a result of the attack, but it’s not known the full extent of the disruption caused to GP appointments, ambulances and other NHS trusts.

The scariest part was how far the malware spread: it was reported to have infected organisations in more than 150 countries. As well as the NHS, other organisations were affected, including the US delivery company FedEx and the car manufacturer Renault.

Microsoft had released a patch that fixed the vulnerability two months before the attack, but many organisations had not applied it to their Windows machines, so the WannaCry encryptor was able to spread across the world like a zombie virus.
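The spread itself leaves a signature a defender can look for: a host that suddenly opens connections to many different machines on port 445 in a short time. The following is an added example (not code from the original post or from any NHS or vendor tooling) that runs that check over a handful of firewall log lines constructed here for the demonstration; the log format and the `INTERNAL_NETS` address ranges are assumptions.

```python
"""
Added example, not code from the original page: a small detector for the
behaviour that let WannaCry spread.  The worm probed TCP port 445 (SMB) on
every address it could reach, on the local network and at random internet
addresses, so a host that suddenly talks to many distinct 445 endpoints in a
short window stands out.

The log lines and their format are constructed for this example and do not
come from any real firewall.  INTERNAL_NETS is an assumed list of the
organisation's own address ranges.
"""
import ipaddress
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src dst dport")

LINE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed for the example


def parse(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                 m["src"], m["dst"], int(m["dport"]))


def find_smb_sweepers(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src: sorted list of its 445 targets} for every source that
    contacted at least `threshold` distinct hosts on port 445 within `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev.dport == 445:
            by_src[ev.src].append((ev.ts, ev.dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it is within `window` of the newest event
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({dst for _, dst in events[start:end + 1]}) >= threshold:
                flagged[src] = sorted({dst for _, dst in events})
                break
    return flagged


def external_targets(dsts):
    """Targets outside our own ranges: the worm also scanned the wider internet."""
    return {d for d in dsts
            if not any(ipaddress.ip_address(d) in net for net in INTERNAL_NETS)}


SAMPLE_LOG = [
    # a normal workstation talking to the one file server (constructed)
    "2017-05-12T13:00:00Z src=10.0.1.20 dst=10.0.1.5 dport=445 proto=tcp action=allow",
    "2017-05-12T13:05:00Z src=10.0.1.20 dst=10.0.1.5 dport=445 proto=tcp action=allow",
    "2017-05-12T13:06:00Z src=10.0.1.20 dst=10.0.1.9 dport=443 proto=tcp action=allow",
    "not a log line at all",
] + [
    # an infected host sweeping the subnet on 445 in a dozen seconds ...
    f"2017-05-12T13:10:{i:02d}Z src=10.0.1.15 dst=10.0.1.{i + 1} dport=445 proto=tcp action=allow"
    for i in range(12)
] + [
    # ... and reaching out to addresses outside the organisation
    "2017-05-12T13:10:13Z src=10.0.1.15 dst=203.0.113.7 dport=445 proto=tcp action=deny",
    "2017-05-12T13:10:14Z src=10.0.1.15 dst=198.51.100.23 dport=445 proto=tcp action=deny",
]


if __name__ == "__main__":
    for src, targets in find_smb_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {len(targets)} distinct SMB targets, "
              f"{len(external_targets(targets))} outside our ranges")
```

The threshold and window are deliberately coarse: a backup server or vulnerability scanner will legitimately touch many hosts on 445, so in practice you would allow-list those sources, and the outbound 445 attempts to non-internal addresses are worth alerting on regardless of count, since a workstation has no business speaking SMB to the internet.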

As well as creating a case for educating employees about avoiding the risks of phishing emails, it also demonstrates that organisations should make sure they have their own zombie survival/business continuity plan ready.

3. Cambridge Analytica and Facebook

Picture this, you’re scrolling through your Facebook feed and you come across one of your friends sharing a personality test, while you’ve got some time to kill you decide to take it.

Fast forward a few years and you find out that the personality test was just a way for an organisation to access not only your personal data, but your friend’s data as well.

This is the story of many people whose data was harvested in the Cambridge Analytica and Facebook scandal.

If you’d like to know more about the Facebook and Cambridge Analytica scandal, we covered the full story and the consequences of it in a blog post.

Reminiscent of something out of George Orwell’s 1984, Cambridge Analytica used a personality quiz to harvest the data of at least 50 million Facebook users (a figure Facebook later revised to 87 million), most of them in the US. This personal data was then allegedly used to influence the result of the 2016 US Presidential Election.

While this isn’t necessarily a cyber security story, it’s a data protection story that people need to be more vigilant about who has access to their personal data and what information can be put online.

If you want to make sure your organisation doesn’t become one of these horror stories, discover our cyber security training and begin the process of turning your employees from weakness to strength.

Why Losing a Laptop Can be a Major Security Risk

Imagine this scenario: It’s been a long day. The client visit went well, and they seem happy with what you’ve presented. On the train home, your attention drifts away from the client data on your laptop to your favourite mobile game, which you play to pass the time on your commute.

You hop up and step through the train door, and begin walking to the car park. As soon as you get to the ticket barrier you stop. You got on the train with a laptop but you got off it with only your phone in hand.

As the train pulls away, you catch a glimpse of the laptop, lid open and unlocked, sitting on the tray table where you were just sitting.

The laptop you just left on the train contained an offline database of information about your client’s employees, the people you have just visited. Luckily, the laptop has a password on it, right?

Well, it does, but the laptop was left unlocked, so the password is pointless. And even a locked laptop only protects the data if the disk is encrypted; without full-disk encryption, whoever finds it can simply remove the drive and read the files from another machine.

Why losing a laptop can seriously compromise your security

The information on the laptop contained email addresses, names, contact numbers and positions in the company. If a criminal manages to get their hands on this information, there’s no saying what they could do.

Targeted phishing, selling the information, blackmail, and much more. Worst of all, if the new client suffers a data breach as a result of this, YOUR company can be held responsible.

Not only that, the laptop can give access to all of your company’s internal communications, including your emails, documents, downloads and notes. Confidential client information and staff information can be read in seconds by anyone who finds the lost laptop. The cost of replacing the laptop quickly becomes the least of the worries: a data breach is costly not only in money and time, but in your company’s reputation.

In 2018, the ICO (Information Commissioner’s Office) fined Heathrow Airport £120,000 after a member of staff lost a USB stick containing sensitive information about up to 60 people in over 1,000 files. The USB stick was found by a member of the public in October 2017 and was neither encrypted nor password protected.

How to work safely whilst on-the-go

It is the employer’s responsibility to make sure that the equipment they provide is safe and secure for those working remotely; it is the employee’s responsibility to make sure that any mobile working equipment is used in a secure manner. Your IT manager (or equivalent) should keep a record of every device, who has it, since when and where it will be used, and should ensure it is kept up to date.

This is where staff training becomes an essential part of your security strategy. If employees are made aware of good security practice through the regular reinforcement of key cyber security messages, secure behaviour becomes second nature, and leaving the laptop unlocked, or worse, losing it, becomes far less likely, in turn giving criminals far less to exploit.

Some companies install trackers in their devices and equipment to ensure that if they are stolen or lost, they can be easily traced. Something else IT managers and HR should do is ensure the staff are all up to date on the mobile working policy. This outlines to staff how they are expected to look after equipment when out and about, and how they can avoid mistakes such as those outlined above.

Our mobile working course outlines the importance of keeping your devices secure whilst working on the go, and how to do so, in a clear and engaging way. Using interactive animations and videos, the course will talk you through key points, such as leaving devices unattended, correct storage procedures, connecting to unknown networks, and much more.

To get a taste of the action and find out in more detail of how our training can help your organisation, try our FREE demo course today.

How to Combat Cyber Attacks

Every year on the 5th of February, we help celebrate Safer Internet Day; a day to inspire a national conversation about using technology responsibly, respectfully, critically and creatively.

As the use of computers and other internet-enabled devices skyrockets, people are more exposed to cyber attacks than ever before. Criminals keep finding new and inventive ways of stealing your data.

However, as criminals figure out new ways to circumvent existing defences, there are numerous dedicated individuals and organisations out there who are finding ways to protect and defend against attacks. At Bob’s Business, cyber security awareness is in our DNA. It’s what we do, what we love and what we believe everyone should be educated on.

Here’s a quick guide on how you and your organisation can combat cyber attacks and stay safe on the internet.

What is a cyber attack?

“Cyber attack” is a very broad term. A cyber attack can range from something as simple as someone being tricked into having their Facebook password stolen, to international warfare with the intention of destroying the infrastructure of an entire country.

In this blog we will be focusing on the different types of cyber attack that your organisation, your colleagues and you personally may encounter, and how you can prevent you and your organisation from becoming a cyber criminal’s next victim.

What are the different types of cyber attack?

There are many types of cyber attack; in fact there are far too many to list in this blog, so we’ll just list a few of the more ‘popular’ ones.

  • Denial of Service attack – An attack with the intent to shut down a web-based service or otherwise force it offline.
  • Man in the middle attack – An attack carried out by intercepting communications between two unsuspecting parties, without either being aware. Often used to steal information such as passwords.
  • Phishing – An attack that is often carried out by an email (Vishing and smishing can use phone calls and texts respectively), that pretends to be someone trustworthy to get you to hand over details or money.
  • SQL Injection – An attack that takes advantage of a flaw in the way a website passes input to its database, in order to read or alter information held in that database.

How can I prevent cyber attacks?

Preventing a cyber attack from happening in the first place is usually the best approach, simply because it keeps the risk to you and your organisation to a minimum. There are a number of measures that can be taken against cyber attacks. These fall into two main categories:

  • Prevention
  • Detection

The best way of defending yourself against cyber attacks is to avoid making yourself a target. Though most people wouldn’t, it’s not a good idea to go around bragging on Facebook that you’ve just got a massive pay rise, or won a lot of money, as this can make you the ideal target for a criminal looking for their next victim.

Generally, people who fall victim to targeted cyber attacks haven’t done anything particularly wrong; they may simply have fallen for a phishing email or another social engineering trick. This is where training comes in.

Learning about what makes phishing emails stand out from a legitimate email is the best preventative measure. For instance, banks will NEVER send you an email asking you to divulge your password details.

The majority of companies with an online presence can trigger a password reset for you, yet they cannot see your password. This is possible because they store only a one-way “hash” of your password.

Effectively this scrambles your password into a string of seemingly random letters, numbers and symbols. When you log in, the system hashes what you typed and compares it with the hash it has on record; if the two match, it lets you in. These hashes are often at least 128 characters long, and a completely random-looking mix of numbers and letters, so there’s very little chance that somebody could guess one, and it would take an average modern computer an incredibly long time to crack (thousands of years in most cases).
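To make the hashing idea above concrete, here is a small added example (not code from the original post or from any real site) of how a service can check a login and carry out a reset while never holding the password itself; the user table, usernames and passwords are constructed for illustration.

```python
# Added example (not from the original post): verifying a login and resetting a
# password using only a salted one-way hash, so the plaintext is never stored.
import hashlib
import hmac
import os

# Constructed in-memory "user table": username -> (salt, hash). No plaintext anywhere.
USERS: dict[str, tuple[bytes, bytes]] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is a deliberately slow one-way function, so that even a
    # leaked hash takes a very long time to reverse by guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per account: same password, different hash
    USERS[username] = (salt, _hash_password(password, salt))


def verify_login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Hash what the user typed and compare it with the hash on record.
    # compare_digest avoids leaking information through timing differences.
    return hmac.compare_digest(_hash_password(password, salt), stored)


def reset_password(username: str, new_password: str) -> None:
    # A reset simply replaces the stored salt and hash; the site never needed
    # to know the old password to do this.
    register(username, new_password)


def stores_plaintext(username: str, password: str) -> bool:
    # Sanity check: the stored record must not contain the password bytes.
    salt, stored = USERS[username]
    return password.encode("utf-8") in salt + stored


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify_login("alice", "correct horse battery staple"))  # True
    print(verify_login("alice", "Correct horse battery staple"))  # False
    print(stores_plaintext("alice", "correct horse battery staple"))  # False
```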

A bank already has all of your details, so why would it need you to send them over? It’s small things like this that most people miss, but it’s also small things like this that can give criminals access to your life savings.

If you do ever receive an email from a bank, or a company you have an online account with asking you to change a password, or “CLICK HERE TO CLAIM YOUR FREE 3 MONTHS SUBSCRIPTION!” chances are, it’s false.

Prevention of cyber attacks

Training is a large factor in business security, as there can be a lot of staff members, using a lot of machines, receiving a lot of emails at once. It’s easy to blame Gary from the sales department when he opens a malicious email, but if he isn’t aware of the threats and cyber security vulnerabilities that every employee now faces on a daily basis, then who is to blame?

Another measure businesses can take concerns simple network topology, or the way the network is physically laid out. For instance, you wouldn’t have your building’s router in the lobby where anyone could walk up and plug into it, would you? It should be behind a locked door, accessible only by those who need it.

Then comes the more technical aspect: Network Intrusion Prevention Systems. These systems work by stopping unauthorised access to the network. There is a great deal of detail one could go into, but a good starting point is a series of whitelists and blacklists, on your browser for instance, that decide who has access.

Detection of cyber attacks

Finally we come to detection of cyber attacks. There are two ways you could do this. The first is by using a Network Intrusion Detection System (NIDS). A NIDS generally uses “rules”, which can be custom written or installed as ready-made sets that already look out for the most common types of attack. These rules tell the program what should and shouldn’t be happening on the network, and in turn the program notifies whoever it needs to and/or takes action automatically.

The second method is simply observation, which is how most people do it: frequently checking bank statements, keeping an eye on internet speeds, and so on. However, the results of this only become visible once the attack is in progress or has completed and the damage has been done, whereas a NIDS can track an attack from start to finish, regardless of how long the attack takes.


What Happened in the Facebook Security Breach?

On Friday it was announced that Facebook was hit by a cyber breach affecting up to 50 million user accounts. The company indicated that criminals exploited a software bug in the ‘View As’ option, a privacy feature that lets users see what their Facebook profile page looks like to visitors, including people they are not ‘friends’ with on Facebook, and that this bug enabled the hackers to act as those users.

What happened in the Facebook attack?

In 2017, Facebook inadvertently introduced three vulnerabilities in its video uploader. When using the “View As” feature, which lets you view your own profile from someone else’s perspective, the video uploader tool would occasionally appear when it should not have. When it did appear, it generated an access token for the person the profile page was being viewed as. If that token was obtained, an attacker would then have the credentials to log in as that user.

Hackers exploited code associated with the feature that allowed them to steal “access tokens” that could be used to take over people’s accounts. Although these tokens are not passwords, they allow someone to sign into an account without needing the password. Access tokens are a set of codes generated once the user logs into an account for the first time, which saves the user from having to re-enter their login details every time they go to a new page. According to Facebook, users’ passwords were not revealed in the data breach, though impacted accounts did have to log back into the social network on Friday.

How will the data breach affect Facebook?

The breach at Facebook follows a string of recent attacks, including those on British Airways, Equifax and Npower. Under the new GDPR regulations it is reported that the breach could present Facebook with a monumental fine of up to £1.26 billion.

This isn’t the first time that Facebook has hit the news headlines for its cyber security vulnerabilities. In March it was reported that UK-based digital consultancy Cambridge Analytica had harvested the personal information of 87 million Facebook users.

This affected not only the reputation of the platform and the confidence of its users, but also those who advertise on it, including Mozilla, creator of the popular Firefox web browser, which announced that it would stop advertising on Facebook following the controversy.

CEO Mark Zuckerberg was quick to respond publicly to last week’s breach, stating: “This is a really serious security issue. This underscores there are just constant attacks from people who are trying to take over accounts and steal information from our community. This is going to be an ongoing effort.”

According to Guy Rosen, the firm’s vice-president of product management, the fault in Facebook’s systems has now been fixed, adding that all affected accounts had been reset, as well as another 40 million “as a precautionary step”.

What can we learn from the Facebook data breach?

The data breach comes at an extremely bad time for Facebook, with them recently coming under scrutiny from the US and beyond, in relation to their capabilities of protecting user data.

Jeff Pollard, vice-president and principal analyst at Forrester, an American market research company that advises on the existing and potential impact of technology, said: “Attackers go where the data is, and that has made Facebook an obvious target.

“The main concern here is that one feature of the platform allowed attackers to harvest the data of tens of millions of users. This indicates that Facebook needs to make limiting access to data a priority for users, APIs, and features.”

You can find out if you were one of the 50 million users affected by the breach here.

Like most data breaches, this will have detrimental effects on the business’s reputation and image and, in the longer run, more than likely its share value and profit levels. The company, which has over 2 billion monthly active users, saw its share price drop more than 3% on Friday.

With two attacks in the space of eight months, Facebook will now be delving deep into its cyber security vulnerabilities to make sure it is robust against any further cyber attacks. However, it shouldn’t just be Facebook taking action. Facebook might have been the unfortunate one this time around, but your organisation could be next.

This attack was a technical exploit of Facebook’s systems. Organisations are encouraged to complete Cyber Essentials Plus, a scheme that shows an organisation has implemented the most important technical cyber security controls and carries out regular checks for vulnerabilities within its security strategy. To take Cyber Essentials into your own hands, take a look at our online Cyber Essentials course to find out how we can help you!

It is essential to understand that people are still the most vulnerable part of an organisation’s defence. From the people perspective, if you are worried about having your data compromised, visit our online courses to see what steps you can take to limit the chances of becoming a victim of online identity theft, and to learn how to limit the effects if it happens.

Perfect Passwords: Bob’s Business Ultimate Guide

How to create the perfect password

Passwords are like pants. You shouldn’t leave them out where people can see them and you shouldn’t hand them out to strangers!

Your password is often the only thing blocking a whole tidal wave of mischief and headaches (both for you personally, and the company you work for), so it might be a shock for you to learn that guessing a password is much, much easier than you might think.

Password security is an integral part of securing your organisation. Information created, used, stored or transmitted by your organisation is valuable, both internally and externally, which is why the passwords that protect this confidential information should be well thought out, secure and never shared with others.

One common way that online accounts are breached is through password spraying, whereby lists of a small number of common passwords are used to brute force large numbers of accounts.

These attacks are successful because for any given large set of users there will likely be some who are using very common passwords, and these attacks can slip under the radar of protective monitoring which only looks at each account in isolation.

To understand how much of a problem this is, the National Cyber Security Centre recently conducted a research study which allowed participating organisations to assess how vulnerable they would be to a password spraying attack.

From the study, they found that 75% of the participating organisations had accounts with passwords that featured in the top 1,000 most common passwords, and 87% had accounts with passwords that featured in the top 10,000.
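The reason spraying slips past monitoring that looks at each account in isolation is shown in this added example (not code from the original post or from the NCSC study): the constructed log lines below contain a spray in which no single account fails more than once, so a per-account lockout rule never fires, while grouping failures by source and counting distinct accounts catches it.

```python
# Added example (not from the original post): per-account monitoring versus a
# per-source rule for spotting password spraying in authentication logs.
from collections import defaultdict
import re

# Constructed sample of authentication log lines (addresses are documentation
# ranges, users are fictional). One source tries one guess against many accounts.
SAMPLE_LOG = """\
2024-03-04T09:00:01 src=203.0.113.9 user=alice result=FAIL
2024-03-04T09:00:02 src=203.0.113.9 user=bob result=FAIL
2024-03-04T09:00:03 src=203.0.113.9 user=carol result=FAIL
2024-03-04T09:00:04 src=203.0.113.9 user=dave result=FAIL
2024-03-04T09:00:05 src=203.0.113.9 user=erin result=FAIL
2024-03-04T09:00:06 src=203.0.113.9 user=frank result=OK
2024-03-04T09:05:10 src=198.51.100.4 user=alice result=FAIL
2024-03-04T09:05:30 src=198.51.100.4 user=alice result=OK
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")


def parse(log: str) -> list[tuple[str, str, str]]:
    """Turn log text into (source, user, result) tuples, skipping unparseable lines."""
    return [m.groups() for m in map(LINE_RE.search, log.splitlines()) if m]


def per_account_lockouts(events, max_failures: int = 5) -> set[str]:
    """The traditional rule: flag an account after N failed attempts against it."""
    failures = defaultdict(int)
    for _src, user, result in events:
        if result == "FAIL":
            failures[user] += 1
    return {user for user, n in failures.items() if n >= max_failures}


def spray_sources(events, min_distinct_users: int = 5) -> dict[str, set[str]]:
    """Spray rule: one source failing against many *different* accounts."""
    failed_users = defaultdict(set)
    for src, user, result in events:
        if result == "FAIL":
            failed_users[src].add(user)
    return {s: users for s, users in failed_users.items() if len(users) >= min_distinct_users}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(per_account_lockouts(events))  # set(): no account reached 5 failures
    print(spray_sources(events))  # {'203.0.113.9': {'alice', 'bob', 'carol', 'dave', 'erin'}}
```

The success for "frank" from the spraying source is the account the spray found; a real detection would raise that login for review alongside the source.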

What’s the best way to create a strong password?

When choosing a password, the bare minimum you should be considering is that it’s a mixture of 8 or more upper and lower case letters, numbers, and symbols. You should also consider choosing at least 3 random dictionary words that are easy to remember or even using a secure password manager.

You can check how secure your password is at https://howsecureismypassword.net/, which rates passwords against current guidelines.

We also recommend not updating your password by simply changing a number. This does NOT make it harder for cyber criminals to guess your password, particularly if the previous one has already been compromised.
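The guidance above can be turned into a checker, as in this added example (not code from the original post or from any Bob’s Business course); the tiny common-password list is a constructed stand-in for a real top-1,000 list, and the checker also catches the “just change the number” habit by stripping trailing digits and symbols before comparing.

```python
# Added example (not from the original post): a password checker implementing
# the guidance above (8+ mixed characters, or three or more random words, never
# a common password, and not a common password with only the number changed).
import re
import string

# Constructed stand-in for a real list of the most common passwords.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "football"}


def base_form(password: str) -> str:
    """'Password2024!' -> 'password': drop case and any trailing digits/symbols,
    so a common password that was merely 'updated by changing a number' is
    still recognised as common."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def has_mixed_classes(password: str) -> bool:
    """At least 8 characters using upper, lower, digits and symbols."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def is_three_word_passphrase(password: str) -> bool:
    """Three or more words (letters only, 3+ letters each) separated by spaces,
    hyphens or underscores. Whether the words are *random* cannot be checked
    automatically; that part is down to the user."""
    words = [w for w in re.split(r"[\s\-_]+", password) if w.isalpha()]
    return len(words) >= 3 and all(len(w) >= 3 for w in words)


def check_password(password: str) -> list[str]:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if base_form(password) in COMMON_PASSWORDS:
        problems.append("based on a very common password (changing the number does not help)")
    if not (has_mixed_classes(password) or is_three_word_passphrase(password)):
        problems.append("needs 8+ characters mixing upper, lower, digits and symbols, or 3+ random words")
    return problems


if __name__ == "__main__":
    for candidate in ("Password2024!", "qwerty1", "Tr0ub4d", "correct horse battery"):
        print(repr(candidate), check_password(candidate) or "OK")
```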

One of the worst, and sadly the most common, password habits we see is people reusing passwords. You should also avoid using the same passwords at home and at work.

You should also set up additional security steps like two-factor authentication (2FA), which provides an extra barrier if your password is stolen and puts you well on your way to securing your accounts against data breaches or attacks. Unless cyber criminals have both your password and the access token provided through 2FA, they will not be able to gain access to your accounts.

You can educate your staff on how to create the Perfect Password by enrolling them on our dedicated Perfect Passwords course, just one of our cybersecurity awareness courses.