INTERNET OF THINGS (IOT) SECURITY
IoT devices are any physical devices that are able to connect to and communicate over the internet. This connectivity allows new opportunities for cyber criminals.
IoT devices such as cameras, home sensors, and even baby monitors have become hugely popular. Unfortunately, security has been an afterthought for many manufacturers and consumers. Here are some threats related to IoT devices that you should be aware of.
Weak passwords and a lack of two-factor authentication on many devices can make it easy for an attacker to gain access to your devices.
Lack of Encryption
Unencrypted data, possibly even passwords being sent over the air with no protection (a recent story involved IoT lightbulbs doing just this between each other).
Are cameras showing weak points? Employee screens? Stock levels? An attacker could leverage this for malicious purposes.
Insecure software / hardware / firmware
Some devices are unable to receive security patches, or the manufacturer simply never releases updates. This is a huge vulnerability. Similarly, if device credentials are hard-coded (i.e. they cannot be changed), then once those credentials are exposed it becomes much easier for an attacker to compromise that device, and potentially other devices on the same network.
Do you have ports open that shouldn't be? Could the device be compromised to conduct DDoS attacks?
STIMULATE THE MIDDLE AGED
As many organisations want to support mobile, team-oriented and non-routine ways of working, an increasing number of them are looking for assistance in adopting digital workplace technology. A recent Gartner, Inc. survey concluded that only 7 percent to 18 percent of organisations possess the digital dexterity to adopt new ways of work (NWOW) solutions, such as virtual collaboration and mobile working.
Not surprisingly, they found that the youngest age group (18-24) is the most likely to adopt NWOW, closely followed by the oldest (55-74). The 35-44 group sat at the low point of the adoption dip, potentially feeling fatigued with the routines of life as middle age approaches. They were the most likely to report that their jobs are routine, had the dimmest view of how technology can help their work, and were the least interested in mobile work.
COOL - I.T.
It seems that the days of snow are finally behind us and that big golden thing in the sky has made an appearance.
It’s time to enjoy the warmer temperatures but have you thought about the effect that the temperature has on your IT Equipment?
You may have seen this error on your Phone or Tablet from time to time and you should always take measures to cool it as soon as possible.
If you are out in the sun, get the device into the shade and allow it to cool, as extended periods of heat cause faster deterioration of the internal components and shorten the life of the battery. Mobile devices should be kept between 0°C and 35°C.
In your server room you run similar risks as extended periods of heat give you a much higher risk of system failure and downtime.
A server should be kept running at between 20°C and 24°C, and anything higher than 30°C is classed as a dangerous temperature.
If your server room is beyond this limit, installation of an air conditioning unit should be considered.
With a Blueloop Packaged Services Agreement we can monitor the temperature for you and take appropriate and safe shut-down action in extreme cases.
A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data.
The reported number and scale of data breaches has continued to increase, with Dixons Carphone and PageUp as recent examples of larger organisations being exposed. The associated threats are many, including a range of frauds using the data gained from the breach, or exploiting the media awareness around the breach (e.g. phishing/vishing/smishing attempts from attackers masquerading as employees of the affected company, regulatory authorities, etc.).
If an organisation suffers a data breach, then the consequences can be dire. Financial damages can now include hefty fines from the ICO for non-compliance, and the reputational damage can be incredibly difficult to recover from.
The techniques used in many cases are often not particularly advanced. Examples include exploiting unpatched vulnerabilities or spear-phishing, and a large number of incidents have been caused by third-party suppliers failing to secure data properly. This highlights the importance of getting basic technical and procedural security measures right.
A major hardware distributor was the victim of a network intrusion in which suspects gained access to the backend of their .eu and .ie domains through a vulnerability in the company's webserver. It is believed that the suspect identified the type of webserver the domains were hosted on using security scanning tools such as Nmap or Metasploit. Once the type of webserver had been identified, the criminals would have ascertained that the company used the Magento ecommerce payment platform to manage their online financial transactions. Unfortunately, the Magento software they used was vulnerable to cross-site scripting (XSS), an attack type which we discuss below. This particular vulnerability had been present for over 6 months and had not been patched.
XSS is a code injection attack whereby an attacker can inject malicious scripts (payloads) into a legitimate website or web application, which are then executed in an end user's browser. The XSS would have given the suspect(s) access to the backend of the .ie and .eu domains, and from there the suspects brute-forced an old admin account which had lain dormant for 2 years. This would have been relatively easy to do, as the account had a weak password.
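Two of the warning signs in this case, a burst of failed logins against one admin account and a successful login to an account that had not been used for two years, are both visible in ordinary authentication logs. The script below is an added example (not code from the distributor, Magento or the investigation) that runs simple detection logic over constructed sample log lines; the log format, the thresholds and the `LAST_SEEN` record are all assumptions made for the example.

```python
"""Flag password brute-forcing and logins to dormant accounts in admin auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): "timestamp user src_ip result"
SAMPLE_LOG = """\
2018-06-01T09:00:00 admin_old 198.51.100.7 FAIL
2018-06-01T09:00:02 admin_old 198.51.100.7 FAIL
2018-06-01T09:00:04 admin_old 198.51.100.7 FAIL
2018-06-01T09:00:06 admin_old 198.51.100.7 FAIL
2018-06-01T09:00:08 admin_old 198.51.100.7 FAIL
2018-06-01T09:00:10 admin_old 198.51.100.7 SUCCESS
2018-06-01T09:30:00 jsmith 203.0.113.5 SUCCESS
2018-06-01T10:15:00 jsmith 203.0.113.5 FAIL
2018-06-01T10:15:30 jsmith 203.0.113.5 SUCCESS
"""

# Constructed record of each account's last successful login before the log window.
LAST_SEEN = {
    "admin_old": datetime(2016, 4, 12),   # unused for about two years
    "jsmith": datetime(2018, 5, 31),
}

FAIL_THRESHOLD = 5                  # failures from one (user, ip) pair ...
WINDOW = timedelta(minutes=5)       # ... within this sliding window => brute force
DORMANT_AFTER = timedelta(days=365) # a success after this much inactivity is suspicious


def parse_line(line):
    """Split one log line into (datetime, user, src_ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def detect(log_text, last_seen):
    """Return a list of (alert_type, user, src_ip, timestamp) tuples, in log order."""
    last_seen = dict(last_seen)          # work on a copy; do not mutate the caller's record
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    failures = defaultdict(list)         # (user, ip) -> failure timestamps still inside WINDOW
    flagged = set()                      # (user, ip) pairs already reported as brute force
    alerts = []
    for ts, user, ip, result in events:
        key = (user, ip)
        if result == "FAIL":
            recent = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
            failures[key] = recent
            if len(recent) >= FAIL_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", user, ip, ts))
        elif result == "SUCCESS":
            if key in flagged:
                # A success right after a flagged burst means the guessing likely worked.
                alerts.append(("bruteforce_success", user, ip, ts))
            prev = last_seen.get(user)
            if prev is None or ts - prev >= DORMANT_AFTER:
                alerts.append(("dormant_login", user, ip, ts))
            last_seen[user] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, LAST_SEEN):
        print(*alert)
```

On the sample data the script reports a brute-force burst against `admin_old`, the success that followed it, and the fact that the account had been dormant; `jsmith`'s single typo-style failure produces nothing. The dormant-account check is the one most worth keeping even without brute-force detection: an account nobody has used in two years should not be able to log in at all.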
In total, 138 customers were affected with compromised banking details, which were used in secondary fraud. The investigation identified the route of compromise and also a number of IP addresses, with the suspects using multiple VPN companies to remotely access the victim’s network.
The investigation team was able to trace the malicious file back to a server in Eastern Europe, whose operator had contacted the company using encrypted instant messaging and made payment through the cryptocurrency Bitcoin (BTC).
Through extensive open-source enquiries and engagement with international law enforcement partners, we were able to identify details of the organised crime group behind the attacks and provided this intelligence to overseas law enforcement for them to develop and take proactive action against the suspect(s) identified. This investigation highlights the effective intelligence sharing between international agencies to tackle cyber crime on a global scale.
Implementation and Preparation
ITIL (formerly an acronym for Information Technology Infrastructure Library) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. This process is adopted here at Blueloop for our customers.
Recent publicity regarding poorly implemented system upgrades in the banking industry clearly demonstrates that upgrades and system improvements need to be well planned and tested in a live 'pilot' before implementation. Using ITIL's industry standard for both IT project delivery and IT support provides suitable controls and measures for organisations in a professional and efficient manner.
Why risk business disruption when there are industry tools for IT service to protect your business?
SUPPLY CHAIN ATTACK
A supply chain attack is a type of attack where security flaws or vulnerabilities are introduced into equipment, hardware, software, or services before they are supplied to, or used by, a target.
Supply chain attacks can be used for a number of purposes, including breaching confidential data, stealing login credentials for further attacks, or even supplying defective equipment to prevent a service from being useable (a denial of service).
One example saw attackers compromise legitimate websites through website builders used by creative and digital agencies. The criminals utilised a redirect script to send people to a malicious domain they owned, where malware was downloaded and installed by users who were browsing legitimate websites.
Ongoing servicing, support, or updates may provide criminals with an opportunity to interfere with a supply chain.
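The website-builder example above shows why a site owner should check what the pages actually served to visitors contain, not just what was published. The script below is an added example, not code from any agency or website builder mentioned: it parses a constructed HTML page, compares every external script host against an allowlist of hosts the site is expected to load from, and flags inline redirects (`window.location` / `location.replace`) and `<meta http-equiv="refresh">` tags. The allowlist, the sample page and the `.invalid` hostnames are assumptions made for the example.

```python
"""Audit served HTML for script hosts and redirects a site does not expect to contain."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site is expected to load scripts from. Relative src values
# such as "/js/app.js" are same-origin and are treated as allowed.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

# Constructed sample page: a legitimate site with an injected script and redirect.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/vendor.js"></script>
<script src="//static.attacker-example.invalid/r.js"></script>
<script>
  if (document.referrer) { window.location = "http://landing.attacker-example.invalid/"; }
</script>
</head><body><p>Welcome</p></body></html>
"""

# Inline JavaScript constructs that send the visitor somewhere else.
REDIRECT_PATTERNS = [
    re.compile(r"(window|document)\.location(\.href)?\s*=", re.I),
    re.compile(r"location\.replace\s*\(", re.I),
]


class ScriptCollector(HTMLParser):
    """Collect external script sources, inline script bodies and meta refresh tags."""

    def __init__(self):
        super().__init__()
        self.external = []        # src attribute of each <script src=...>
        self.inline = []          # body of each inline <script> block
        self.meta_refresh = False
        self._buffer = None       # accumulates data while inside an inline script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self._buffer = []
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True

    def handle_data(self, data):
        if self._buffer is not None:
            self._buffer.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buffer is not None:
            self.inline.append("".join(self._buffer))
            self._buffer = None


def script_host(src):
    """Return the hostname of a script src, or None for same-origin relative paths."""
    if src.startswith("//"):          # protocol-relative URLs need a scheme for urlparse
        src = "https:" + src
    return urlparse(src).hostname


def audit_page(html, allowed_hosts):
    """Return a list of (finding_type, detail) tuples for the given page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = script_host(src)
        if host and host not in allowed_hosts:
            findings.append(("unexpected_script_host", host))
    for body in parser.inline:
        if any(p.search(body) for p in REDIRECT_PATTERNS):
            findings.append(("inline_redirect", body.strip()[:60]))
    if parser.meta_refresh:
        findings.append(("meta_refresh", ""))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS):
        print(kind, detail)
```

Running this over pages fetched as a visitor would see them (rather than over the templates in the builder) is what catches an injected redirect, since the tampering happened downstream of the content the agency thought it had published. Pairing it with a Content-Security-Policy that only permits the allowlisted hosts turns the same list into a browser-enforced control.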
Your Data Matters
GDPR: how was it for you? Did the sky fall in?
After the email bombardment and mixed messages that we have all experienced about GDPR, it's time to take a step back and reflect on a very sensible campaign that the Information Commissioner's Office (ICO) has launched, called "Your Data Matters".
Their brief is a very straightforward one: "increase public trust and confidence in the way personal data is handled".
This comes at a time when our confidence in how this data is handled is at a low ebb, with a recent Direct Marketing Association (DMA) study showing that 86% of consumers would like more control over how their data is held and processed.
The ICO campaign has cross-industry support from companies such as PwC, Sainsbury's, and the BBC.
Find out about your personal data rights, and where to get advice about its use by third parties, by visiting https://ico.org.uk/your-data-matters/
Five minutes well spent.
Organisations often consider data management and security to be a simple nightly backup, but Veeam believe there are 5 steps to data security nirvana, and traditional backup is just the first.
- Backup: Back up all workloads and ensure recoverability from data loss or attack
- Aggregation: Manage data backup and recoverability across multiple environments with an aggregated view of SLA compliance
- Visibility: Deliver monitoring, resource optimisation, capacity planning, and built-in intelligence to improve multi-environment data management
- Orchestration: Move data to the best location across multiple environments to ensure business continuity, compliance, security, and optimal use of resources with an orchestration engine that enables disaster recovery (DR) plans to be automatically and non-disruptively executed, tested, and documented
- Automation: Veeam's idea of nirvana, in which data becomes self-managing via data analysis, pattern recognition, and machine learning, and so is automatically backed up, migrated to ideal locations, secured during anomalous activity, and recovered instantaneously
We are not at the Automation stage yet but it's good to set our sights high.
Blueloop work with Veeam to provide resilient data and system management solutions.
Cyber Intelligence Report
SOUTH WEST POLICE
Regional Crime Unit
Spear phishing is a form of phishing where a specific person is deliberately targeted with an email, typically containing personal information, purporting to be from a reputable source.
Spear phishing emails have the same end goal as regular phishing attacks: they are designed to make a potential victim interact with the email in some way, usually by clicking on a link or opening an attachment. However, they are generally much more difficult to recognise, as the authors include highly relevant information which adds legitimacy to the correspondence.
As an example, criminals often masquerade as vendors and email finance staff with attached invoices relating to recent orders that the company may have placed. Once the attachment is opened, malicious code is executed which can trigger various actions, such as stealing passwords, running cryptojacking software, or taking command of the computer for use in a future botnet for a DDoS attack.
For more information, visit https://www.swrocu.org.uk/cyber.aspx