Data Security

Glimpse of the Future of Tech at CES Expo Show

Posted on by Andy Miller

This week, at the giant CES expo in Las Vegas, the latest technology from around the world is on display, and here are just a few of the glimpses into the future that are being demonstrated there, with regards to business-tech.

Cyberlink FaceMe®

Leading facial recognition company Cyberlink will be demonstrating the power of its highly accurate FaceMe® AI engine. The FaceMe® system, which Cyberlink claims has an accuracy rate (TAR, True Acceptance Rate) of 99.5% at 10-4 FAR, is so advanced that it can recognise the age, gender and even the emotional state of passers-by and can use this information to display appropriate adverts.

D-ID

In a world where facial recognition technology is becoming more prevalent, D-ID recognise the need to protect the sensitive biometric data that makes up our faces. On display at CES expo is D-ID’s anti facial recognition solution which uses an algorithm, advanced image processing and deep learning techniques to re-synthesise any given photo to a protected version so that photos are unrecognisable to face recognition algorithms, but humans will not notice any difference.

Hour One

Another interesting contribution to the Las Vegas CES expo is Hour One’s AI-powered system for creating premium quality synthetic characters based on real-life people. The idea is that these very realistic characters can be used to promote products without companies having to hire expensive stars and actors and that companies using Hour One can save time and money and get a close match to their brief due to the capabilities, scale/cope and fast turnaround that Hour One offers.

Mirriad

Also adding to the intriguing and engaging tech innovations at the expo, albeit at private meetings there, is Mirriad’s AI-powered solution for analysing videos, TV programmes and movies for brand/product insertion opportunities and enabling retrospective brand placements in the visual content. For example, different adverts can be inserted in roadside billboards and bus stop advertising boards that are shown in pre-shot videos and films.

What Does This Mean For Your Business?

AI is clearly emerging as an engine that’s driving change and creating a wide range of opportunities for business marketing as well as for security purposes. The realism and accuracy, flexibility, scope, scale, and potential cost savings that AI offers could provide many beneficial business opportunities. The flipside for us as individuals and consumers is that, for example, as biometric systems (such as facial recognition) offers us some convenience and protection from cyber-crime, they can also threaten our privacy and security. It is ironic and probably inevitable, therefore, that we may need and value AI-powered protection solutions such as D-ID to protect us.

Featured Article – Email Security (Part 1)

Posted on by Andy Miller

In this week’s article, which is the first of two parts on what is a huge subject for businesses to tackle, we take a look at some of the important issues of email security and how businesses can try to strengthen this crucial area of their cyber defences.

Most Breaches Involve Email

Over 90 per cent of breaches now involve email, and Proofpoint’s Annual Human Factor Report figures, for example, show that social engineering is strongly favoured as a way in by cybercriminals as 99 per cent of email attacks rely on victims clicking links.

Statistics like these reveal some of the key challenges that businesses and organisations face on a daily basis, such as how to defend effectively against the whole range of email attacks, how to spot and eliminate threats as they arrive, and how to ensure that staff are aware of email threats and know what to do when faced with suspicious emails and links.

Types of Email-Based Attacks

There is a vast array of attacks launched through email systems (often relying on social engineering) including targeted phishing schemes, business email compromises, and ransomware attacks.

– Ransomware is still a popular attack and extortion method, and Trend Micro reported a 77 per cent surge in malware attacks during the first half of 2019.

– Phishing is a cheap, easy and highly effective method for criminals to gain access to company systems, steal important data and money, and create a cornerstone of all kinds of other hacking campaigns. Just some of the high profile examples from the news this year include fake voicemail messages being used to lure victims into entering their Office 365 email credentials into a phishing page, Thomas cook customers being targeted by phishing attacks in the wake of the travel company going into receivership, and news of Lancaster University being hit by a large, sophisticated phishing attack aimed at grabbing the details of new student applicants.

Verizon’s 2019 Data Breach Investigations Report showed that 32 per cent of data breaches involve phishing. Phishing threats to businesses are also evolving and becoming more sophisticated all the time. For example, PhishLabs recently discovered a tactic whereby by attackers used a malicious Microsoft Office 365 app to gain access to a victim’s account without the need for the account holder to give up their credentials to the attackers!

The National Cyber Security Centre offers advice on how to protect your business/organisation from phishing attacks here: https://www.ncsc.gov.uk/guidance/phishing.

There is also a number of phishing test sites available online so that you (or staff members) can see if you’re able to spot a phishing email.

– Malware attachments to emails. There is a now staggering amount of malware types that businesses and organisations have to protect themselves against. For example, over 800 million different types were encountered in 2018, and some commentators are predicting that variants will reach over 1 billion by 2020!

A Number of Sources

Email-based attacks aren’t simply targeted just at your email system in a straightforward way but could come from e.g. supplier email systems that have been compromised or could use details stolen from breaches elsewhere as part of the campaign.

PROTECTING YOUR BUSINESS AGAINST E-MAIL THREATS

There are many ways that you can try to protect your email system from email attacks and try to minimise the risk of human error that is so important in social engineering attacks. These include:

HELP FROM THE BIG TECH COMPANIES

Microsoft

Microsoft offers a number of ways that businesses and organisations can help keep their email secure, such as:

– Outlook’s Junk Email Filter, and the Report Message add-in for Outlook.

– Office 365’s Advanced Threat Protection (ATP) plans which offer a variety of leading-edge tools to investigate, understand, simulate, and prevent threats.

– Secure Score for Office 365 – a way to measure and get suggestions about how to protect your business from threats, all through a centralised dashboard.

– The “campaign views” tool in Office 365 that is designed to offer greater protection from phishing attacks by enabling businesses to be able to spot the pattern of a phishing campaign over individual messages.

More information: The Microsoft blog here gives 6 email security best practices to protect against phishing attacks and business email compromise: https://www.microsoft.com/security/blog/2019/10/16/top-6-email-security-best-practices-to-protect-against-phishing-attacks-and-business-email-compromise/

Google

Google also offers a number of tools and suggestions, including:

– Advanced security settings for G Suite administrators to protect against phishing and malware (find out more here: https://support.google.com/a/answer/9157861?hl=en).

– Offering steps to identify compromised accounts (see https://support.google.com/a/answer/2984349?hl=en&ref_topic=2683865).

– Advice on Firewall settings.

You may, of course, already be using another email protection system.

Other Advice

Advice about ways in which you can protect your company now from email-based attack such as phishing and malware attacks is widely available, and in addition to the measures already covered (e.g. using Microsoft security tools), some basic measures that companies take include:

– Always keeping anti-virus and patching up to date.

– Staff education and training e.g. how to spot suspicious emails and what to do/what not to do e.g. not to click on links from unknown sources.

– Disabling HTML emails if possible (text-only emails can’t launch malware directly).

– Encrypting sensitive data and communications as an added layer of protection.

– Getting into the routine of checking your bank account’s activity for suspicious charges.

– Making sure important and sensitive company data is backed up and including business email compromise (BEC) in business continuity planning and disaster recovery planning.

– Preventing email archives from being publicly exposed e.g. by making sure that archive storage drives are configured correctly.

– Monitoring for any exposed credentials (particularly those of finance department emails).

– Using two-Factor Authentication (2FA) where possible, and enterprise users may wish to block .html and .htm attachments at the email gateway level so that they don’t reach members of staff, some of whom may not be up to speed with their Internet security knowledge.

– Not using the same password for multiple platforms and websites (password sharing). This is because credentials stolen in one breach are likely to be tried on many other websites by other cybercriminals (credential stuffing) who have purchased/acquired them e.g. on the dark web.

Looking Forward and Getting Prepared

In today’s environment, attackers can adapt their campaigns and methods so quickly, and use methods that can evade the more common protection solutions (polymorphic attacks) that businesses and organisations find themselves in a position whereby known signature and reputation-based checks aren’t enough and that they need to be able to get a fuller picture and find solutions that can focus effectively on zero-day and targeted attacks in addition to known vectors. Looking forward, there is also the future threat of AI machine-learning software being able to possibly generate phishing URLs that can beat popular security tools, and of the threats posed (further in the future) buy the possible use of quantum computers in cyberattacks, and these are subjects that we will look briefly in part 2 of our look at email security. For now, stay safe.

New Phishing Tracker For Office 365

Posted on by Andy Miller

Microsoft is launching a new “campaign views” tool in Office 365 that is designed to offer greater protection from phishing attacks by enabling businesses to be able to spot the pattern of a phishing campaign over individual messages.

Context and Visibility

Microsoft is in a good position to leverage the large amount of anti-phishing, anti-spam, and anti-malware data and experience that it has across the entire Office 365 service world-wide to identify campaigns. It is this information that feeds into the campaign views tool.
The idea is that the extra context and visibility that campaign views provides gives the full story of how an organisation has been targeted. This additional dimension of defence means that an organisation and its users can see if/how defences have held up against popular attacks, and adjust its own defences accordingly, based on these insights.

What It Shows

The kind of information that the ‘campaign views’ tool can reveal to security teams includes:

  • A summary of a phishing campaign i.e. when it started, it’s pattern and timeline, the size and spread of the campaign, and how many known victims there has been (and see if users have clicked on the phishing link).
  • A list of IP addresses and senders associated with the attack, plus a list of all the URLs that were used in the attack.
  • A look at which messages were blocked, delivered to junk or quarantine, or allowed to get through to the inbox.

Today’s Attacks ‘Morph’ To Get Around Defences

Today’s email attacks are often the sophisticated output of factory-like cybercrime operations where new templates and variances can be rapidly created, generated, and scaled-up in a way that is designed to offer the best chance of maximising financial gain while evading detection and capture.

For example, in a single campaign, the attackers can make multiple changes and variants (morphs) e.g. changes in the sending infrastructure, the sending IPs and sending domains, sender names and addresses, URLs, and the hosting infrastructure for their attack sites. These morphs can, therefore, enable attackers to get around popular defence tactics such as blocking known bad URLs, sending IP address, or sending domains.

Value

Microsoft says that the extra context and visibility that ‘campaign views’ gives security teams means that they can be more effective and efficient. For example, once armed with the information that ‘campaign views’ provides, security teams can be better at remediating compromised/vulnerable users, improving the general security posture (by removing configuration flaws), investigating related/similar campaigns, and hunting and tracking any threats that have the same indicators of compromise.

What Does This Mean For Your Business?

Email is one of the main ways that cybercriminals can gain access to company systems and phishing campaigns are an all-too-common way to dupe businesses into clicking on links in often convincing-looking pages, thereby releasing the malware that causes so much damage, or imparting password and financial information. ‘Campaign views’ appears to be another potentially valuable tool in the cyber defences of businesses with its main strong point being that it gives a much fuller picture of real-world attacks. This additional context and data can help businesses to become much better prepared and more proactive in finding and closing the door on rapidly evolving email security threats.

Real-time Phishing Protection Now Available in Chrome

Posted on by Andy Miller

Google has announced real-time phishing protection with the help of improvements to ‘Safe Browsing’ which allow Chrome to check each new site you visit against a safe list stored on your computer and with Google so that Chrome can issue an instant warning if the site is thought to be suspicious or malicious.

Phishing Problem

As well as being sent to phishing pages via links in phishing emails, phishing links are also inserted into malicious advertisements and even direct messages on chat apps.

Also, even though Google’s existing ‘Safe Browsing’ feature adds thousands of new unsafe sites and to the blocklists of the web industry and Chrome already checks the URL of each site you visit/file you download against a local list which is updated every 30 minutes, Google has noted that some phishing sites are even able to slip through the 30-minute refresh window by switching domains quickly or by hiding from Google’s crawlers.

The multiple phishing threats coupled with the ability of some sites to side-step even a 30-minute time window are what have prompted Google to move into real-time phishing checks through Chrome.

Real-Time

Google’s new, improved protections via Chrome allow the inspection of the URLs of pages visited with Safe Browsing’s servers in real-time (local safe site list check + checks with Google) in order to be able to give users an instant warning that they may be on a malicious page as well as a prompt to change their password.

Google says that this real-time warning system on sites that are brand new can deliver a 30% increase in protections.

Password Issues

The issues of using weak passwords, password sharing, and the stealing of passwords through phishing are all-too-familiar threats. With this in mind, Google launched predictive phishing protections which can warn users who are syncing history in Chrome when they enter their Google Account password into suspected phishing sites. Google has now also expanded this protection to cover everyone signed in to Chrome (whether or not Sync is enabled) and the feature will also work for all the passwords stored in Chrome’s password manager.

This updated security feature now means that if you type one of your protected passwords (from Chrome’s password manager, or the Google Account password you used to sign in to Chrome) into an unusual site, Chrome will classify this as a potentially dangerous event.

What Does This Mean For Your Business?

Offering real-time phishing protection checks is one way to help Chrome users stay a step ahead of cybercriminals who have shown that they could even adapt their campaigns quickly enough to get past a sophisticated system that updates its security information every 30 minutes. This has to be good news for business and domestic users alike, and the flashing up of instant warnings on visiting new sites looks as though it could reduce the numbers of those who fall victim to phishing attacks as well as constantly reminding Chrome users of the risks that are ever-present on the Internet today and of how easy it would be to fall victim to ever-more convincing and sophisticated phishing attempts.

How Does Encryption Work?

Posted on by Andy Miller

Encryption comes from the age-old science of cryptography.  In the digital world of today, encryption refers to using electronic devices to generate unique encryption algorithms which essentially scramble messages and data making them unintelligible to anyone who tries to intercept them, and also to provide an effective way to lock our electronic devices.

Using Encryption

Encryption can be used for most things that have an internet connection, such as messaging apps, personal banking apps, websites, online payment methods, files and more.

Why?

Cybercriminals seek our personal data (especially financial details) which they can find in our files, on our personals devices, and on websites / platforms and places online where we have submitted that data e.g. for registration/login, payment, in the form of emails and other messages, and our personal data may be stored in many different places (servers and databases) across the Internet and the digital world.

Verizon figures show that nearly one-third of all data breaches in 2018 involved phishing and that phishing was present in 78% of cyber-espionage incidents and the installation and use of backdoors.  Also, IT Governance figures, for example, show that 421,103,896 data records were confirmed to have been breached in October this year (still only 50% of the monthly average!) in111 incidents (including the compromising of sensitive and financial information).

A recent nCiper survey showed that the main driver for encryption is the protection of sensitive information and that organisations use encryption to protect intellectual property and the personal information of their customers.

Symmetric and Asymmetric Encryption

There are two main encryption methods, symmetric and asymmetric, both of which are made up of encryption algorithms, and the use of prime numbers forms a fundamental aspect of popular encryption methods.

Note: You will often hear the term ‘keys’ used as part of the explanation of encryption.  Keys in this sense means a random (but unique) string of bits that are generated by an algorithm to scramble and unscramble data.  Generally, the longer the key, the harder it is to break the encryption code.

Symmetric encryption uses the same (identical) key for encrypting and decrypting data. With symmetric encryption, two or more parties have access to the same key. This means that although it is still secure, anyone who knows how to put the code in place can also reverse engineer it.  Symmetric key encryption is generally used for encrypting large amounts of data efficiently e.g. 256-bit AES keys are symmetric keys.

Asymmetric encryption, on the other hand, uses a pair of keys, one for encrypting the data and the other for decrypting it. For the first key (used to encrypt data), ‘public key’ cryptography uses an algorithm to generate very complex keys, which is why asymmetric encryption is considered to be more secure than symmetric encryption (the code can’t be run backwards).  With asymmetric encryption, the public key is shared with the servers to enable the message to be sent, but the private key (owned by the possessor of the public key) is kept secret. The message can only be decrypted, therefore, by a person with the private key that matches the public one. Different public-key systems can use different algorithms.

Public Key Encryption – HTTPS

Public key encryption is widely used and is useful for establishing secure communications over the Internet e.g. for TLS/SSL, which enables HTTPS.  For example, A website’s SSL/TLS certificate is shared publicly and contains the public key, but the private key is on the origin server i.e. it is “owned” by the website.

Different Methods of Encryption

There numerous common encryption algorithms and methods.  These include:

  • RSA – Unveiled by three mathematicians back in 1977, RSA is a public-key encryption algorithm and a common standard for encrypting data sent over the internet.
  • Triple DES – designed to replace the original Data Encryption Standard (DES) algorithm and uses three individual keys with 56 bits each.  Triple DES is being used less frequently now but is still used in financial services and other industries.
  • Blowfish – also designed to replace the original Data Encryption Standard (DES).  This is a flexible and strong standard that is found in many different software categories e.g. e-commerce platforms (to protect passwords).
  • Twofish – One of the fastest, can be used in hardware and software environments, and (like Blowfish) is freely and often bundled in encryption programs.
  • AES – Advanced Encryption Standard (AES) is an incredibly strong encryption algorithm used by the U.S. Government, and likely to become the private sector standard in future.

Free Encryption

In addition to Blowfish and Twofish, other free encryption tools include LastPass (a popular password manager), VeraCrypt (available for Windows, OS X and Linux OS), and FileVault2 (good for encrypting data on macOS devices and Mac hardware).

Windows 10 includes its own encryption tool ‘BitLocker’ which enables you to use encryption on your PC’s hard drive and on removable drives.

End-to-End Encryption

End-to-end encryption is used to encode and scramble information so only the sender and receiver can see it. For example, WhatsApp uses end-to-end encryption and although the messages go through a server, none of those messages can be read by anyone other than the sender and receiver.

WhatsApp and its end-to-end encryption were criticised by Amber Rudd in 2017 (who was Home Secretary at the time) when it was revealed that the first London Bridge terror attackers used WhatsApp to plan the attack and to communicate.  This led to government calls for ‘back doors’ to be built-in to WhatsApp and other end-to-end encrypted communications tools to allow government monitoring.  These calls were resisted on the grounds that building back doors means that security is compromised, and cybercriminals could also exploit these back doors.

Fails

Although encryption provides effective security and privacy it is not always infallible. For example:

  • Back in May 2018, A German newspaper released details of a security vulnerability discovered by researchers at Munster University of Applied Sciences, in PGP (Pretty Good Privacy) data encryption. PGP is an encryption program that is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and disk partitions, and to increase the security of e-mail communications.
  • Also, in October this year a report by a former Google employee on the ‘Freedom of the Press Foundation’ website warned organisations that any data stored on Google’s G Suite is not encrypted, can be accessed by administrators and can be shared with law enforcement on request.

Quantum Threat

One on threats to existing encryption that many tech commentators fear in the near future comes from quantum computers.  For example, quantum computers can perform calculations much faster than classical computer and this could enable them to defeat the encryption that currently protects our data e.g. our online banking records and other personal documents on hard drives.  With people having access to (commercial) quantum computers, this could become a real threat (e.g. access to Quantum Systems are now being offered via the cloud).

As well as the quantum threat, there is also some concern among tech and security commentators about the encryption and anonymisation technology that is being used to hide criminal activity e.g. on the dark web

The Future

In the immediate future, therefore, some companies are seeking to address the threat from quantum computers cracking existing encryption algorithms. Estimates of when there will be commercially available quantum computers range between 10 and 20 years, although state-sponsored use of quantum computers for wrongdoing could conceivably happen sooner.

The National Institute of Standards and Technology is already pushing researchers to look ahead to this “postquantum” era.

Recently, IBM researchers developed two quantum-proof cryptographic algorithms (Kyber and Dilithium) which now make up the “Cryptographic Suite for Algebraic Lattices” (CRYSTALS).  These have enabled IBM to create the world’s first quantum computing-safe tape drive.

In the meantime, however, with cyber threats evolving at a fast pace, companies and organisations that don’t use encryption as one of their security tools are effectively making things too easy for cybercriminals to access their data, with potentially devastating consequences.

Over Half of Businesses Don’t Respond To GDPR Requests On Time

Posted on by Andy Miller

The results of a survey by Talend show that 58% of businesses worldwide fail to address requests from individuals for a copy of their personal data within the one-month time limit as required by GDPR.

Bad, But Better Than Last Year

The survey, which involved 103 GDPR-relevant companies across the globe (84% of which were EU-based companies) revealed that more than 18 months after the General Data Protection Regulation (GDPR) came into force, most companies are still not complying with the Regulation when it comes to data requests.

Even though a 58% failure to comply rate is not good, it is an improvement on 2018 when 70% of the companies surveyed reported they had failed to provide an individual’s data within one month.

Public Sector, Media & Telecoms Worst Offenders

The Talend survey revealed that only 29% of public sector organisations and only 32% of companies in the media and telecommunications industries were able to respond with the correct data within the one-month limit, putting them at the bottom of the compliance table for this issue.

Average Performers

The survey also showed that companies in the retail (46%), financial services, travel, transport and hospitality sectors barely achieved an average response rate within the one-month limit. This, however, was a small improvement on the previous year.

Why?

According to Talend, the lack of a consolidated view of data and clear internal ownership over pieces of data, and a lack of automation in processing requests are key reasons why companies are failing to respond to data requests within the legal time limit.

In some industry sectors too (e.g. financial services), retrieval of the information may be complicated by clients perhaps having many different contracts with the same company with their data being spread across different offices and systems.  This, coupled with the fact that processing data requests is often manual, time-consuming, and, therefore, costly (“spend, on average, more than $1,400 to answer a single SRR” – Gartner) goes some way to explaining the slow response. (SRR means subject rights request)

Also, there is a lack of proper ID checks by companies where data requests are concerned with only 20% asking for ID, and there have also been reports of companies struggling to find the right email address to send the data requested to.

What Does This Mean For Your Business?

With GDPR becoming law 18 months ago, the potential fines for non-compliance being large, and with companies and organisations having appointed specific people to be in charge of data management and security, these results do look a little disappointing on the surface, and many businesses would expect to do better.  However, GDPR has brought a much larger volume of data requests for some organisations and back in June it was even reported by law firm Squire Patton Boggs that one year on from the introduction of GDPR, companies were facing cost pressures from a large number of subject access requests (SARs) coming from their own employees.

Nevertheless, the shift in responsibility towards companies that GDPR has brought, and the widespread knowledge about GDPR is a reminder also, that companies really should have a system and clear policies and procedures in place that enables them to respond quickly and in a compliant way to data requests, whoever they are from.

The Difference Between Backup and Disaster Recovery

Posted on by Andy Miller

We’re all familiar with the value of making a backup of business data, but how does this fit with ‘Disaster Recovery’ and ‘Business Continuity’ strategies?  This article takes a brief look at how these elements fit together to ensure that businesses can survive, function and get back up to speed when disastrous events (external or internal) pose a serious threat.

Reality

Normal life rules apply to the business environment i.e. things can and do go wrong, and backup and disaster recovery are both based upon this understanding.

Business continuity in the event of a ‘disaster’, is about making sure that your essential operations and core business functions can keep running while the repairs can be made that get you back up to speed.

What Could Go Wrong?

There is a potentially huge range of ‘disasters’ that businesses could make plans to be able to overcome, and even though organisations come in different sizes and have different budgets, the risks they face are generally the same.  Typically, the more obvious ‘disaster’ threats the business include:

  • Hardware failures/server failures.
  • Outages and/or file corruption
  • The effects of cyber-attacks.  For example, 53% of senior managers believe that a cyber-attack is the most likely thing to disrupt their business (Sungard AS 2019) and the effects could include damage to / locking out of systems (malware and ransomware), fraud and extortion, data breaches (which could also attract fines under GDPR, damaging publicity and loss of customers).
  • Environmental/natural disasters e.g. fire and flood.
  • Important 3rd supplier failure or the loss of key employees.
  • Failures of part / a component of a network e.g. as highlighted by recent problems with banking and airline industry services.
  • Theft or loss of equipment holding company data.

Backing Up Your Data – Where To Store It

When it comes to backups, security, integrity, cost, scalability, complying with legislation, your own business plans, and ease of daily use are all considerations.  Where / how to store backed-up data is a decision tackled differently by different companies.  In the UK, GDPR (the data protection regulations) should be taken into account in these decisions.  Places to back up data could include:

  • On-site – storing data in the same location e.g. on an external hard drive in the workplace.  Although the data backup is close to hand, this is not a particularly secure solution and in the event of flood/fire/theft disasters, your data would be gone.
  • Off-site – taking the data away on a hard drive or another physical storage medium.  This means it’s less at risk from local issues (e.g. loss, theft, damage) but could mean it takes longer to restore data .
  • Online – backing up your data on hosted servers (in the cloud) and accessing them through an application. This is now becoming the preferred method for most businesses as it is convenient and fast (if you have an Internet connection) and it cuts out many of your on-site potential disaster risks (fire, flood, loss and damage of physical storage media).

Some businesses prefer to use a ‘hybrid’ cloud backup to help address any vulnerabilities that cloud-only or local-only backup solutions have.

There are many dedicated online backup solutions available e.g. IDrive Business, Backblaze Business, Carbonite Safem, or larger solutions for businesses with much bigger data backup requirements.

Backup Decisions

Taking regular, secure backups of your business data is an important part of good practice.  It is also an important element of disaster recovery and the business continuity process.

There are several types of backup that businesses need to make decisions about.  These include whether, if/when and how to make:

  • A full backup – one that covers every folder and file type and typically takes a long time.
  • An incremental backup – the first back up is a full one, followed by simply backing up any changes made to the previous backup.
  • A differential backup – similar to an incremental backup, requires more storage space but has a faster restore time.
  • A mirror backup – an exact copy of your data that has the advantage of removing the obsolete files each time.
  • An Image-based backup – captures images of all data and systems rather than just copying the files.
  • A clone of your hard drive – similar to imaging and creates an exact cloned drive with no compression.

In reality, many businesses make use of many different types of backup solutions at the same time.

Business Continuity, Backup Decisions and Disaster Recovery

Accepting that disasters happen and that you can plan how to maintain business continuity while you deal with them (using a disaster recovery plan) is an important step in safeguarding your business. Maintaining the ability to ensure that core functions and critical systems remain in place in the event of a disaster (business continuity) involves planning, an important part of which is the disaster recovery plan (DRP).  Creating this plan is usually an interdepartmental process, which is often led by information technology.

RTO & RPO – Linking Backups To Your DRP.

There are two metrics you can use to help you to make data backup decisions that relate to your DRP.

The Recovery Time Objective (RTO): the recovery window / how long (time) the business realistically has to recover from a disaster before there are unacceptable consequences.

The Recovery Point Objective (RPO): how far back (the maximum tolerable period of time) your organisation needs to go in recovering data that may have been lost due to a disaster.

By working out these time periods (particularly RPO), it can help you to decide upon the frequency of backups, which backup methods are most suitable and preferable to you e.g. the need to go back longer periods may favour online backups, and businesses with  large quantities of valuable historic data may struggle with a short RTO (which may require tiered data recovery).

In today’s business environment it is worth bearing in mind that your customers are not likely to be very tolerant of downtime, so recovery windows now need to be as short as possible. Many businesses, therefore, simply opt for a daily backup.

Disaster Recovery Plan

At the heart of your business disaster recovery strategy should be the disaster recovery plan (DRP) which should provide step-by-step workable instructions to ensure a fast recovery.  A DRP should be tested and kept up to date to ensure that it will work in reality in the event of a disaster and typically includes elements like:

  • A plan for roles and communications, detailing employee contact information and who’s responsible for what following the disaster.
  • A plan to safeguard equipment e.g. to keep it off the floor, wrapped in plastic away from flooding.
  • A data continuity system that details what the business needs to run in terms of operations, finances/accounts supplies, and communications.
  • Checking that your data backup regime is working, and that very recent copy is stored in a secure place but would be easily and quickly accessible when needed.
  • An asset inventory, including photos where possible, of the hardware (workstations, printers, phones, servers etc) reference for insurance claims after a major disaster.
  • Keeping (up to date) documentation that lists all vital components of your IT infrastructure, hardware and software, and a sequence of what needs to be done to resume business operations with them.
  • Photos showing that the hardware was in use by employees and that care had been taken to minimise risk e.g. items were off the floor (e.g. to avoid flood damage).
  • A supplier communication and service restoration plan so that you quickly restore services and key supplies after the disaster.
  • Details of a secondary location where your business could operate from if your primary location was too badly damaged in a disaster.
  • Details of the testing, optimisation and automation of your plan to ensure that it could be implemented quickly, as easily as possible, and free from human error.

Putting The Pieces Together

The basic difference between a backup and disaster recovery, therefore, is that a backup is having a copy of your data, and disaster recovery is the whole strategy to recover your business operations and essential IT environment in the event of a serious event e.g. cyber-attack, equipment failure, fire or flood.

Creating a DRP involves completing a risk assessment and business impact analysis in order to identify critical applications and services, and it is from here that your business can then create its own tailored RTOs and RPOs which in turn, will link to your backup strategy and cycles.

Backups are essential files that enable a full restore, and as such are an important element of ongoing good practice and of your DRP, and your backup should relate strongly to the underlying strategy of disaster recovery.

One thing is certain about backup and disaster recovery which is that having no plan for either is means planning to fail.

Hacker’s Website Closed Down In International Operation

Posted on by Andy Miller

A website (and its supporting infrastructure) which sold a variety of hacking tools to other would-be cybercriminals has been closed down after an investigation by agencies from multiple countries including the UK’s National Crime Agency (NCA).

IM-RAT

The main tool that the agencies were particularly interested in eradicating was the Imminent Monitor Remote Access Trojan (IM-RAT) which is a hacking tool, of Australian origin, which has been on sale for 6 years and was available for sale via the Imminent Monitor website.

According to Europol, once installed on a victim’s computer the IM-RAT malware, which could be purchased for as little as $25, allowed cybercriminals to secretly “disable anti-virus and anti-malware software, carry out commands such as recording keystrokes, steal data and passwords and watch the victims via their webcams”.

Big International Operation

The investigation and the operation to shut down the sale of IM-RAT was led by the Australian Federal Police (AFP) and involved judicial and law enforcement agencies in Europe, Colombia and Australia, and was coordinated by Europol and Eurojust.

Coordinated law enforcement activity has now ended the availability of IM-RAT, which was used across 124 countries and sold to more than 14 500 buyers. IM-RAT can no longer be used by those who bought it.

In a week of actions (in November), the international agencies dismantled the infrastructure of IM-RAT, arrested 14 of its most prolific users and seized over 430 devices for forensic analysis.

Back in June, search warrants were executed in Australia and Belgium against the developer and one employee of IM-RAT and most recently, actions to fully shut down the distribution of IM-RAT have also been taken in Australia, Colombia,  Czechia, the Netherlands, Poland, Spain, Sweden and the UK.

In the UK, it has been reported that the NCA searched properties in Hull, Leeds, London, Manchester, Merseyside, Milton Keynes, Nottingham, Somerset and Surrey in relation to the investigation.

The shutting down of the whole IM-RAT infrastructure, and the detailed analysis of the malware and the website used to sell it mean that IM-RAT can no longer be used.

Tens of Thousands of Victims

With the IM-RAT malware/hacking tool being so widely used, Europol believes that there are probably tens of thousands of victims around the world, and so far, investigators have been able to find evidence of stolen personal details, passwords, private photographs, video footage and data.

IM-RAT

Although IM-RAT allows cybercriminals to secretly take control of a computer, there are some common signs which indicate that a computer may have been infected with IM-RAT.  These signs include an unusually slow internet connection, unknown processes running in a system (which are visible in the Task Manager, Processes tab), files being modified or deleted without your permission, and unknown programs being installed on your device (visible in the Control Panel, Add or Remove Programs).

What Does This Mean For Your Business?

For businesses, this kind of malware caused considerable problems, not least in terms of data protection, disruption, industrial espionage and extortion, and left their devices wide open to hackers. This internationally co-ordinated move by multiple agencies is an important step in the battle against so-called ‘crime as a service’ and bulletproof hosting where organised gangs have sought to profit from crimes that they can carry out from a distance via the Internet.

If you believe that your device may have been infected by IM-RAT, the Europol advice is to disconnect your device from the network in order to prevent any additional malicious activity, install trustworthy security software, and run a scan of your device using security software. When you’re satisfied that you’ve removed the infection, change the passwords for your online accounts and check your banking activity.

Some general steps you can take to guard against falling victim to malware include keeping your anti-virus software and patching up to date, installing a firewall, only using strong passwords (that aren’t shared across different accounts), covering up your webcam when its not in use, regularly backing up your data, and making sure that you don’t open any suspicious-looking emails and attachments even if they do come from people on your contact list.

Google Or Samsung Android Cameras Could Be Spying On You

Posted on by Andy Miller

Researchers at Checkmarx say they have discovered vulnerabilities in Google and Samsung smartphone apps that could allow hackers to remotely spy on users using their phone’s camera and speakers.

Study

The proof-of-concept (PoC) study results, highlighted on the Checkmarx blog reveal how the Checkmarx Security Research Team cracked into the apps that control android phone cameras (firstly using a Google Pixel 2 XL and Pixel 3) in order to identify potential abuse scenarios.

The team reported finding “multiple concerning vulnerabilities” (CVE-2019-2234) which stemmed from “permission bypass issues”.  The team later found that camera apps from other vendors i.e. Samsung are also affected by the same vulnerabilities.

The Checkmarx team have since shared a technical report of their findings with Google, Samsung, and other Android-based smartphone OEMs to enable those companies to find fixes.

What Could Happen?

According to Checkmarx, the vulnerabilities mean that a hacker could use a rogue application (that has no authorised permissions) to take control of another person’s Android phone camera app.  This could allow the attacker to take photos and/or record videos as well as to gain access stored videos and photos, GPS metadata embedded in photos, and even to locate the user by taking a photo or video and parsing the proper EXIF data.

The researchers also found a way to enable a rogue app to force camera apps to take photos and record video even when a phone was locked or the screen is turned off, or when a user was is in the middle of a voice call.

One particularly worrying aspect of the Checkmarx findings is that if the video can be initiated during a voice call the receiver and the caller’s voices can be recorded.  This could allow eavesdropping that could enable an attacker to discover potentially sensitive personal data or to gather information that could be used for extortion.

Google

According to Checkmarx, after they shared their findings with Google, the Checkmarx team were notified by Google that the vulnerabilities weren’t confined to the Google Pixel product line but also extended to products (Android) by other manufacturers.  For example, Samsung also reportedly acknowledged that the flaws impact their Camera apps and said that they had begun taking mitigating steps. Checkmarx reports that Google has said that the problem has now been addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. Also, a patch has been made available to all Google partners.

What Does This Mean For Your Business?

It is very worrying that hundreds-of-millions of smartphone users may have been facing a serious privacy and security risk without being aware of it.  For business users, this may have left them open to industrial espionage and security threats, although there is no evidence that real hackers have exploited the vulnerabilities prior to them coming to light.

When it comes to smartphone apps, the best practice is to ensure that all apps on your device are kept updated. Other defensive actions you can take regarding your phone apps include checking the publisher of an app, checking which permissions the app requests when you install it, and deleting any apps from your phone that you no longer use.  It’s also now important to be aware of the threat posed by fake apps, and you may wish to contact your phone’s service provider or visit the high street store if you think you’ve downloaded a fake malicious/suspect app.

Google To Offer Bank Accounts

Posted on by Andy Miller

Tech giant Google is crossing over into the banking world by partnering with Citigroup to offer ‘smart checking’ accounts (bank current accounts) next year as part of its ‘Cache’ project.

Partnering, Not Self-Branding

Google is reported to be prepared to rely heavily on the knowledge of Citibank partner in the project and will not be self-branding the accounts. Google will, no doubt, be grateful for the guidance of its partner through the complicated regulatory aspects of banking.

Other Tech Companies Too

Google’s move into the finance world follows that of competitor tech giants, some of whom have experienced a bumpy ride in banking territory such as:

– Facebook developing its own cryptocurrency called Libra which has recently suffered the departure of big names from the association of organisations that was set up to run the currency – PayPal has dropped out with Mastercard, Visa, and digital payment platform and processor Strip soon to follow.

– Apple introducing its own credit card, the ‘Apple Card’ in the US in partnership with Goldman Sachs and with processing by Mastercard.  The card system operates through the Wallet app on iPhone (iPhone 6 and later), but Apple soon suffered criticism that the physical titanium card that accompanies each account would be vulnerable to damage by everyday material surfaces such as denim and leather, thereby rendering potentially impractical.

– Amazon offering credit card and business loans, with a view to boosting its own e-commerce business.

Uber Money offering credit cards, debit accounts and money tracking tools to help the company with its own taxi operations.

Why?

Like other tech companies, Google’s massive customer base and widely recognised brand mean that it can leverage this power through brand extension.  Google knows that by simply supplying more of peoples’ needs online, often by strategic alliance, it can stay competitive, and find new users and new opportunities.

Privacy & Trust Worries

Some technology commentators have, however, have expressed worries that giving tech companies access to our financial information could mean that they know too much about us, and may be tempted to share data with (or sell that data to) their advertising arm or other organisations.

Although Google has said that it will not be selling or sharing its account holders’ financial data just as it doesn’t share data from its Google Pay service with advertisers, there has been a recent report that Google may be able to gain access to personal medical data of up to 50 million Americans through its partnership with the healthcare giant Ascendant.

Resea

Research has indicated that consumers are likely to trust Google with their financial affairs.  For example, a study by McKinsey & Company revealed that 58% of people (surveyed) said they would trust Google with financial products.

UK BoE Governor

Back in June UK BoE Governor, Mark Carney offered tech companies and all payment providers the chance to store funds overnight in interest-bearing accounts at the central bank and appeared to be adopting an “open mind but no open door” approach to Facebook’s Libra cryptocurrency.

What Does This Mean For Your Business?

It was more or less inevitable that the reach and brand power of tech giants, who are already trusted with many personal aspects of our lives would mean that they want (and would be able) to move into the world of our personal finances too.  The move may be a win/win for both the financial partners (who can learn how to upgrade the tech of their service) and the tech giants who can find out even more about us and can become even more essential partners to us in all parts of our digital life.

The damage to trust, however, caused by Facebook’s sharing of harvested user data with Cambridge Analytica has left some people with reservations about trusting tech companies with too much of our personal data.