Blog

Securing your new remote workers

I use this photo of the British actor Terry Thomas in my cyber security training sessions, asking “Would you buy a used car from this man? … What if you couldn’t see him? What if he had sent you an email and sounded genuine?”. It never fails to get a laugh and a good reaction from the attendees.

Unfortunately, cyber criminals aren’t so kind as Terry (though they can be as charming). The criminals are more than happy to take advantage of the coronavirus pandemic, as can be seen from the phishing campaigns using links to health information and outbreak maps.

They will also scan the Internet looking for insecure remote access servers, and will continue to target staff in an attempt to gain access to email or get them to pay funds to the wrong bank account.

There are three areas you need to consider when expanding your organisation’s use of remote access:

People

Phishing attacks will continue, and new ones may target people working at home (“Click here to join videoconference” for example). You will need to make sure that your staff know how to spot and avoid these attacks, and know how to report them – given that they can’t just walk around the corner to the IT department. Keep them updated with alerts about the latest phishing campaigns, and if you feel they may need some extra training then our online course is ideal. Privacy and confidentiality is also a consideration – advise them to lock their screens if going away from their PC for a while.

Process

Staff who used to be working in the same office may now be spread across the city. This is likely to reduce the ability to ask quick questions like “What should I do with this request to transfer money?”, “What do I do when a supplier changes their bank account?” or “Does this look genuine?”. Having clear policies and procedures that staff can refer to will be important to reduce the risk of fraud or other mistakes.

Technology

You need to make sure that any remote access solutions you are using are secure. For servers this means making sure they are fully patched and that the firewall is configured correctly. SaaS apps such as Office 365 and Teams need to be configured so that you keep control of the data held by them and accessed by your staff on their home computers.

Two factor authentication (2FA) needs to be enabled on remote access servers and SaaS apps. Office 365 comes with basic 2FA built in, which is fine for remote workers and will protect them from email account compromise. Other SaaS apps such as Gmail and Gsuite also have 2FA built in. Remote access servers will need additional software – Duo is a good solution with free licensing for up to 10 users.

You’ll also need to think about the devices your staff will be using. If you have expanded email access to more mobiles, then advise staff to update their software versions and to install anti-virus on Android devices (AVG provide a free version which is actually good). The same advice applies if they are connecting in using a home PC – make sure patching and anti-virus are up to date.

Videoconferencing software is less of a security risk, but be mindful that some software allows users to transfer files, which don’t get checked for viruses the same way that emails do.

Summary

The major risks from a move to remote working can be reduced by following the above steps, and by good ongoing communication with staff. If this way of working continues, then there may be additional risk and security measures that need to be considered, but the ones above are enough to worry about at this time.

If you have any questions about the above, or would like a quick review of your remote access, then please get in touch.

Reasons for Poor Security

I was discussing cybersecurity recently with an experienced IT consultant. He works with a variety of clients, and some of them are reluctant to invest in security. He summarised the five common reasons given by clients. I’ve shown these below, together with my thoughts.

Firstly it’s the risk factor that ‘it probably won’t happen to me’.

Given the number of automated attacks against Internet connected servers (web, email, remote access), constant phishing emails and online fraud, it is highly likely that their organisation will be attacked. Geographical distance is no protection, and neither is size of business.

Secondly it’s the decision maker level who don’t understand technology – and unfortunately techies aren’t the best at giving business reasons for the ‘why’.

For the decision makers the conversation should not be around technology but business risk. How much brand damage they are happy to suffer, potential lost revenue, what explanation they will provide to their directors as to why they didn’t invest in security.

Thirdly it’s genuinely the cost – high levels of security can cost quite a bit.

This really comes down to identifying the likelihood and impact of an attack or incident, and the cost of protecting against it. Organisations should be doing this and creating a plan so that investment will create the greatest reduction in risk.

There is also the hassle of having to run through additional security procedures, like 2FA involving extra steps, complex passwords, biometrics.

Two factor authentication (2FA) is one of the most critical security investments an organisation can make. It can be implemented so that it provides protection without the hassle. It should only prompt on remote access, users should acknowledge a prompt on their mobile rather than having to enter codes, and they should have the option to remember their device (e.g. laptop) for a period of time (usually 30 days) which will reduce the number of times they are prompted.

The final issue that I’ve heard was that companies have invested thousands after a security audit and it turns out it’s protected them that day, but the next day there is a new threat on their environment – so a continually moving target.

There is a lot of hype from cybersecurity vendors about the latest threats. However in my experience there are a core set of security measures that never become outdated. These include 2FA, patching, restricted admin rights, management reporting, good payment policies, good privacy policies, standards for web development, standards for IT suppliers. There will always be a need to review cybersecurity risks (this should be done annually) but many new threats will be mitigated by the basic security measures above.

Cybersecurity can be approached in a measured, cost-effective way that reduces business risk. If you’d like to learn more about how we help organisations then please get in touch.

Who’s Got Our Customer Data?

Your organisation may collect data from customers or clients. And you may share this data with third parties who can provide services such as marketing, analytics, invoicing etc. However, as you collected the data, it’s still your responsibility to keep it secure.

This means that your organisation should be taking the following steps:

  • Keeping a record of what data has been shared, and the third parties it has been shared with
  • Ensuring that you have an agreement with each third party setting out the information supplied, the way it will be used, what they will deliver back to you, and how they will keep the data safe
  • Performing due diligence on the third parties that hold your most sensitive data. This usually involves an audit of their security – both of the systems used to transfer, store and process your data, and of general IT security (remote access, patching, training etc)

By making the above part of your procedures, you will significantly reduce the risks to your organisation and your clients.

If you’d like any assistance with reviewing and reducing your IT security risks then please get in touch.

Communicating after a data breach

As the recent issues around the pre-release of Budget 2019 details have shown, good communication after a security incident is crucial. Poor communication will make the situation much worse.

Treasury appears to have made a few mistakes:

  • They rushed to explain how the data breach happened. They would have been under pressure, with far more media focus than most organisations who suffer a breach. However, it would have been better to say that they were still investigating how the breach happened, rather than jumping to a conclusion that was proved to be wrong
  • They stated that they had seen 2000 attacks on their website. Unfortunately this made them sound naive. Websites and servers connected to the Internet are under constant attack from automated scripts as well as more targeted attacks. Once again waiting for clearer details before communicating would have been better. It was in fact 2000 searches via the publicly available search function on their website
  • They stated that they had been hacked, and that they had referred the matter to the police. Once again, this was premature. They had not been hacked, the data breach was caused by misconfiguration of IT systems by Treasury, and the police have confirmed that no crime has been committed and they have closed their investigation
  • They provided inaccurate information to government ministers who then relied on it when communicating to the NZ public

The above are additional to the mistake that caused the breach – a misconfiguration of their website (which indexed the cloned website containing the Budget details).

So how can your organisation avoid making these mistakes?

  • Make sure you have an incident response plan. This sets out how to respond to various security incidents (including a data breach), who to communicate to, when to communicate, and issues to watch out for
  • Test your incident response plan using a table top exercise. This involves running through an example incident with the management team, making decisions on actions and communication. It’s best to get an external party to run this exercise for you. It will highlight any gaps in the plan, and ensure that when a security incident does happen, the organisation has practised its response and will be more likely to minimise the impact
  • Ensure that there is a focus on securing any confidential or personal data that could be accessed via the Internet. This includes development and test versions of websites and systems, that often have a lower level of security than production or “live” systems. Security review and testing should form part of any major changes, rather than being an annual event

If you’d like any help with creating or reviewing an incident response plan, running a table top exercise, or reviewing the security of your organisation’s systems then please get in touch.

What’s the real risk?

It seems that if you follow cyber security news there are new software vulnerabilities announced every day. The media tends to report on these without any context, and can even talk up the dangers. This can give the impression that it is too hard to secure your information and systems. And whilst it’s true that new software vulnerabilities are discovered almost every day (and patches issued to address them), it does not mean that criminals will use those vulnerabilities in attacks.

Criminals will only put in the lowest amount of effort or expense required to achieve their aim – which is usually to make money, either through direct means (blackmail, fraud, ransomware or other scams) or indirect (stealing information which can then be sold or used). They will not use an attack that is expensive in time or effort when a simpler one will achieve similar results. There is no need to hack a company’s IT systems via Wi-Fi when sending a phishing email to one of their staff is far easier, more effective and less risky for the criminal.

This doesn’t mean that we shouldn’t install patches to fix vulnerable software. But we should think about whether the cyber security risks we read about actually apply to us, and whether they are likely to happen.

Here’s a quick list of the areas that you should focus on:

  • Phishing emails are still a very effective way of attacking companies – make sure your staff have training, test their awareness, and turn on any anti-phishing protection you may have (e.g. some firewalls check for malicious websites when staff click on email links)
  • Payment policies – criminals love tricking people into paying money to the wrong account, or paying a fictitious invoice. Make sure you have good payment policies to guard against fraud – especially if you handle money for clients
  • Remote email – criminals will get passwords from users (via phishing emails) and use them to log into email remotely. They’ll then send out phishing emails from this account, or use it to commit fraud. Two factor authentication can stop criminals accessing remote email, even if they have the user’s password
  • Remote access – criminals will log into remote access servers/PCs using passwords they have obtained, or will launch a brute force attack to guess the password. Once they have access, they may install ransomware on the network or launch other attacks. Once again two factor authentication will help, as will scanning the servers for vulnerabilities and addressing them
  • Website / web applications – criminals will try to gain access to websites that hold or process valuable information e.g. credit card details, personal information. They will either sell this information, or use it to launch other attacks (personal information can be used to gain access to accounts or to create better phishing emails). Performing a security review of your website/web application will help.

If you’d like more information on how we can help you review and reduce your risk, then please get in touch – simon@securestrategy.co.nz

Board expectations for cyber security

As we all come back from the Christmas break and gear up for another year of activity, it’s timely for boards to consider the state of cyber security in the organisations they are responsible for. Here is a simple checklist which should help to give some surety that the management team have the right procedures and protective measures in place.

  1. Is there a regular report on cyber security that is presented to the board?  Does it contain enough information to allow board members to understand the current risks and to see that progress is being made to reduce them?
  2. Does the organisation undertake annual cyber security reviews? Have the risks raised been evaluated and addressed? Not addressing identified risks can invalidate cyber insurance cover, and may have other negative impacts (as well as the obvious risk of a cyber security incident).
  3. Is there a plan in place to improve overall cyber security? This is often less about addressing specific risks and more about ensuring that there are the right internal policies, procedures and standards in place to minimise the chance of risks and incidents appearing. There are various good practice frameworks that can be used in this area.
  4. Is the organisation compliant with external standards? Various industries will have different standards they need to comply with, and some standards will have an impact on cyber security. For example, complying with AML/CFT means that far more personal data (driving license, passport details etc) may be stored. This data needs to be secured. And there may be some standards that need to be complied with but have been missed – e.g. PCI DSS if the organisation takes credit/debit card payments.
  5. Has the security of suppliers/partners been considered? Third parties can be given remote access to support systems or data (usually client or staff data) can be passed to them for processing. Has the organisation considered the privacy and security implications, have they set expectations with the third parties, and how are they being monitored?

If you’d like some assistance in this area then please contact simon.thomas@securestrategy.co.nz

Multi-factor authentication made easy

It’s multi-factor not multi-app

Many of you will I hope have implemented multi-factor authentication (MFA) when using remote access. If you haven’t then please see my article here and then get your IT team to set it up. The majority of MFA (or two-factor) implementations will use an app on a smartphone and will ask the user to press approve or to enter a code shown on the screen (but not an SMS). Due to the widespread use of Office 365, you may be using the Microsoft Authenticator app. But if you have tried to set up MFA for cloud based applications such as Xero, WordPress, RealMe and MailChimp you will see that they ask you to use Google Authenticator. So you could end up with two authenticator apps for different web sites or services.

One app to rule them all

But you can in fact use one app. Both the Microsoft and Google Authenticator apps are based on the OTP (one time passcode) standard. So if you see a cloud service asking for Google Authenticator, you can scan the QR code with Microsoft Authenticator and it will work. I have logins for Azure, 365, MailChimp, Xero, RealMe, Buffer and two different WordPress sites set up on my Microsoft Authenticator app.

Using Microsoft sites with Google Authenticator takes a bit more work. When asked what mobile device you would want to install the app on, choose Other. You will then see the QR code that you can scan with Google Authenticator.

The future

The use of multi-factor authentication is growing, especially as on-premise software such as MYOB becomes cloud-based. And many organisations, especially government departments, are making MFA compulsory for their online services. Using a mobile app as the second form of authentication (in addition to your password) means that you can log in even when you don’t have cellphone reception (the code the app shows you does not depend on a signal). And using one app rather than two makes it even easier.

If you’d like to understand why you should be using MFA to secure your data and operations, and the other cyber security risks you should consider and minimise, then please get in touch.

Cyber Insurance – check the fine print

Why should my business have an Independent Security Review?

When we provide Independent Security Reviews for clients, the first thing we do is sit down with them to understand their business, what type of information they hold, where they store it, what type of financial processes they have, and how they interact with their clients.

We use this information to perform a threat modelling exercise, where we think about how a criminal could attack the business, what effort would be required, and what the return would be.

The result is a list of threats, based on real-world data (what attacks are actually happening to other companies) and on their relevance to the client (do they have information, systems and processes that are vulnerable to this type of attack).

The Threat Model

The threat model determines where we test and probe, and where we ask further questions, both of the client and of their IT company. And we use it when we look at how ready the client is to respond to a successful attack, and whether they could limit the damage caused.

For many clients the only response plan they have in place is a cyber insurance policy. There is more that a company should do in terms of planning for a cyber security incident, and we provide recommendations in that area.

Issues with policies

We review the cyber insurance policy against the threat model, to see if the client is really getting the protection they think they are. And we find in the majority of instances that they are not, and that their cyber insurance policy excludes a major risk that they think would be covered.

These omissions include policies that only cover malware that was specifically written for the client (unless you are Sony this is unlikely to happen), and ones that only cover online fraud if the criminal has hacked into the client’s system and made the bank transfer themselves. But in fact the majority of online fraud happens as a result of criminals persuading staff to pay funds to the wrong bank account.

What should I do next

If you’d like to understand what your real risks are, how to minimise them, and how to limit the damage of a cyber security incident, then please get in touch.

Privacy Update – May 2018

2018 is going to be an interesting year for privacy, both in NZ and internationally. There are three main reasons.

Australia – Mandatory Reporting of Data Breaches

This came into effect on the 22 February 2018. If you have a business entity in Australia with an annual turnover of over $3m then you will fall under the Privacy Act and the new Notifiable Data Breaches amendment. If you suffer a data breach that “is likely to result in serious harm to any of the individuals to whom the information relates”, then you must notify the Australian Privacy Commissioner and the affected individuals as soon as practicably possible. The amendment defines a data breach, serious harm, and also qualifies what remedial steps a business could take to remove the risk to individuals, which would mean that they no longer had to notify the breach.

Europe – General Data Protection Regulation

This comes into effect on the 25 May 2018. It provides protection for people residing in the EU. Businesses in NZ will fall into the scope of GDPR if they

  • have a business entity in the EU
  • provide services (paid or free) to people residing in the EU
  • market to people residing in the EU (including profiling them using web technologies)

It does not apply if someone from the EU is able to access your website – you have to be targeting your services to them. And it does not apply to EU citizens residing outside of the EU – so no need to ask your clients about their citizenship in order to comply with GDPR. Travel and tourism companies are likely to need to comply, as will Internet startups who market their services to the EU. As the law is new, it will take a while for any ambiguities to be ironed out.

New Zealand – Update to the Privacy Act

After a couple of reviews over the past two decades, our Privacy Act is finally getting an update. Submissions close on the 24 May 2018. Currently included in the draft Bill is mandatory reporting of data breaches, and it’s likely that other requirements will be strengthened to keep our laws close to the level provided by GDPR (though perhaps not as stringent). NZ currently has “adequacy” status with the EU, which means that personal information can be transferred to NZ without businesses having to take additional measures. We will want to maintain this status (only 12 countries have this).

Summary

You’ve probably seen new privacy policies being issued by a lot of organisations. They’ve taken the time to review and update their terms, prompted by GDPR. Even if you’re not doing business in Australia or Europe, it’s worth reviewing the personal data you collect and hold, how you are securing it, and whether your privacy policy reflects this.

If you’d like to discuss this area in more detail, please get in touch.

Protecting your reputation

Email phishing remains a constant problem for businesses. Whilst implementing an email anti-spam/anti-virus solution can cut down on the amount of phishing emails your staff might receive, some will still slip through.

This leaves your staff as the last line of defence. They need to know how to spot phishing emails – by looking at the address it was sent from, the wording etc. Our new online training course can help with this and has a lesson dedicated to email security.

The majority of phishing emails are sent from addresses that are:

  • random (simon@123xx.wsdf.com)
  • throwaway (simon@gmail.com)
  • have one or more letters changed (simon@xer0.com)

Staff can spot these with some training – especially if the wording in the email causes suspicion.

But some emails are sent from an address that looks genuine – simon@xero.com for example.

There are a couple of ways this can happen:

  • criminals gain access to a staff member’s email account
  • criminals spoof the email domain

These phishing emails can be very hard to spot – especially if they have been received from a trusted business partner. I’ve seen a number of phishing emails received by my clients that appear to come from suppliers. They were from people in organisations the clients trusted, and so they clicked the links. When it was discovered that they were phishing emails, it caused some concern about the security measures in place at the business partner, and whether the client’s information was safe with them.

Whilst receiving phishing emails is a constant risk, you certainly don’t want to be in the position of appearing to have sent them (or to have actually sent them because an email account has been hacked). That would certainly damage your reputation.

Thankfully there are ways that you can protect both your business and your clients from these types of emails. Before I go into what you can do, I’ll quickly explain the technologies involved.

  • Two factor authentication – most people should know what this is (I’ve written about this previously). Its main use is to protect remote access to email accounts, remote desktop servers and web applications. Once you enter a correct username and password, you need to enter a code from your mobile phone (or click an app)
  • Sender Policy Framework (SPF) – this lists the email servers that are authorised to send email on your behalf
  • Domain Keys Identified Mail (DKIM) – this adds a cryptographic signature to the email to prove it came from your business (or someone you have authorised – MailChimp for example)
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – this tells the receiving email server what to do if an email it receives fails the SPF or DKIM checks – either report it to you (monitor mode), put it in the recipient’s junk folder (quarantine), or block it entirely (reject)

Many organisations use DMARC, DKIM and SPF to authenticate the emails they send – including BNZ, Xero, PayPal, ANZ, Westpac and IRD.

Emails you receive

  • Make sure your email server is set to check and act on DMARC rules for the emails it receives (most email servers do this)
  • Make sure your suppliers / trusted partners have implemented two factor authentication for remote access to their email. This should form part of the security standard you ask them to agree to.
  • Make sure your suppliers / trusted partners have implemented SPF, DKIM and DMARC for the emails they send out. Once again this should form part of the supplier security standard

Emails you send

  • Make sure you have implemented two factor authentication for remote access to your email (do this for any remote desktop servers as well). This is really becoming an essential part of IT security for a business
  • Implement SPF, DKIM and DMARC for the emails you send out. You need to make sure you have thought about all of the parties who send email on your behalf – including marketing programs, scan to email devices etc. You should set DMARC in report mode for the first month, which will allow you to see if there are any emails that would fail the checks, and why. Once you are happy that genuine email would get through, then set DMARC to reject mode
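As an added example (not the blog’s code, and not a full mail server), here is how a receiving server combines the SPF, DKIM and DMARC checks described above into a deliver / junk / reject decision, and why a month in report mode (p=none) before switching to reject is the safe order: a sender you forgot to list in SPF only shows up in the aggregate reports rather than being blocked. All domains, IP addresses and DNS records are constructed; DKIM signature verification is taken as an input, and alignment uses a simplified organisational-domain rule rather than the Public Suffix List.

```python
"""Simplified receiving-side SPF + DMARC evaluation (RFC 7208 / RFC 7489).

Added example; every domain, address and TXT record here is constructed.
"""
import ipaddress

# Constructed DNS TXT records for the organisation example.nz.
DNS_TXT = {
    "example.nz": "v=spf1 ip4:203.0.113.10 include:spf.mailer.example -all",
    "spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.nz": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.nz",
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, dns=DNS_TXT, depth=0):
    """Evaluate domain's SPF record for sender_ip (ip4/ip6/include/all only)."""
    record = dns.get(domain, "")
    if depth > 10 or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], sender_ip, dns, depth + 1) == "pass"
        else:
            matched = term == "all"
        if matched:
            return SPF_RESULT[qualifier]
    return "neutral"


def parse_dmarc(org, dns=DNS_TXT):
    """Return the DMARC tags published for an organisational domain, or None."""
    record = dns.get("_dmarc." + org, "")
    if not record.startswith("v=DMARC1"):
        return None
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def org_domain(domain):
    """Simplified organisational domain (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_disposition(msg, dns=DNS_TXT):
    """Decide what to do with one message.

    msg keys: from_domain (the visible From: header), mail_from_domain (the
    envelope sender SPF is checked against), sender_ip, and dkim_domain (the
    d= of a signature that already verified, or None).
    Returns (action, reason) where action is deliver, junk or reject.
    """
    policy = parse_dmarc(org_domain(msg["from_domain"]), dns)
    if policy is None:
        return ("deliver", "no DMARC record published")
    # Relaxed alignment: the authenticated domain must share the org domain.
    spf_aligned = (spf_check(msg["mail_from_domain"], msg["sender_ip"], dns) == "pass"
                   and org_domain(msg["mail_from_domain"]) == org_domain(msg["from_domain"]))
    dkim_aligned = (msg.get("dkim_domain") is not None
                    and org_domain(msg["dkim_domain"]) == org_domain(msg["from_domain"]))
    if spf_aligned or dkim_aligned:
        return ("deliver", "DMARC pass")
    p = policy.get("p", "none")
    if p == "reject":
        return ("reject", "DMARC fail with p=reject")
    if p == "quarantine":
        return ("junk", "DMARC fail with p=quarantine")
    # Report mode: deliver anyway; the failure appears in the aggregate report
    # sent to the rua address, which is how forgotten senders are discovered.
    return ("deliver", "DMARC fail reported to " + policy.get("rua", "nobody"))
```

Run the same "forgotten scan-to-email device" message through both the p=none and a p=reject record and the difference is exactly the month of monitoring the post recommends.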

Implementing the above is not hard and significantly reduces both the risk to your business reputation and the risks from your suppliers.

If you’d like to discuss this area in more detail, please get in touch.