Cyber Security Report – Business Continuity Awareness Week
www.thebci.org
#BCAW2017
Business Continuity Awareness Week
15th – 19th May 2017
Building resilience by improving cyber security
Table of Contents
Introduction
Types of threat
Ransomware
Data breach
Distributed Denial of Service (DDoS)
The keys to the kingdom – part I
The keys to the kingdom – part II
Shutting the door behind you when you leave
No such thing as a free lunch
Curiosity killed the cat
Welcoming intruders into your network
Conclusions
About Business Continuity Awareness Week
About the author
About the BCI
Contact the BCI
Figure 1: Infographic from the BCI Horizon Scan Report 2017
Introduction
Cyber security has for a long time been an issue for business continuity and resilience professionals. The latest Horizon Scan Report published by the Business Continuity Institute revealed that cyber attacks were the greatest concern for those working in the industry, followed closely by data breaches. Respectively, 88% and 81% of respondents to the global survey expressed concern about these two threats materialising [1].
This ranking was the same as in the previous report and, since the survey began in 2012, both these threats have consistently appeared in the top three.
[1] The Business Continuity Institute. Horizon Scan Report 2017. Available from: www.thebci.org/index.php/download-the-horizon-scan-2017 [accessed 21st February 2017].
It is perhaps no surprise that cyber security continues to be a major concern for business continuity professionals given that another report published by the Business Continuity Institute – the Cyber Resilience Report – revealed that two thirds of organizations had experienced at least one cyber incident during the previous twelve months, while 15% had experienced at least ten incidents during the same period [2].
With the threat so sizeable, and the concern among business continuity professionals so great, cyber security was considered an obvious choice for the theme of Business Continuity Awareness Week 2017. BCAW is an annual campaign hosted by the Business Continuity Institute to raise the profile of the business continuity and resilience industry and demonstrate its importance and value to others.
As this campaign is aimed at awareness raising, the intention is not to talk specifically about the technical aspects of cyber security that may leave anyone but the most technically-minded confused, bewildered and no more aware of what they're meant to do than they were prior to the campaign. The intention is to highlight some of the ways that individuals who don't work in IT security or business continuity can get involved, and help improve cyber security within their own organization.
This report highlights six of these ways, offering some insights as to what the issue may be with existing practice and providing advice on how it can be improved. The following chapters will assist individuals in becoming more aware of their own cyber security so that together we can help build more resilient organizations.
[2] The Business Continuity Institute. Cyber Resilience Report 2016. Available from: www.thebci.org/index.php/obtain-the-cyber-resilience-report-2016 [accessed 29th June 2016].
Figure 2: Infographic from the BCI Cyber Resilience Report 2016 – "Cyber security is everyone's responsibility. Play your part in building a resilient organization": use strong passwords; take care when using insecure networks; keep passwords hidden; don't click on untrusted links; don't plug untrusted devices into networks.
Types of Threat
There is a wide range of potential threats that could befall our organizations and these are constantly evolving. Perhaps three of the most common, or the most damaging, are ransomware, data breaches and DDoS attacks.
Ransomware
What is ransomware?
Ransomware is a piece of software that, when downloaded and installed, encrypts all of the data on your computer, or even your entire server if the software infects that too. Once encrypted, a demand is made for a ransom to be paid in order for the data to be decrypted. It is perhaps no coincidence that the rapid rise in the use of ransomware has followed the growth of Bitcoin, as this digital currency makes it far easier for ransoms to be paid, and perhaps harder for them to be traced.
Ransomware generally enters the system through the user accidentally installing a malicious piece of code. It may be that they clicked on a link, or opened an email attachment, either of which could have looked legitimate. By the time they realise it isn't, it's too late: the ransomware has been installed and has started infecting the network.
In a study commissioned in 2016 by Malwarebytes, it was found that 39% of organizations questioned had experienced a ransomware incident during the previous 12 months [3]. This figure was much higher in the healthcare and financial sectors, where 53% and 51% of organizations respectively experienced a ransomware incident.
What is the impact of ransomware?
If your files have been encrypted by ransomware then they become inaccessible and you will have a temporary, or perhaps even permanent, loss of all data, causing a major disruption to your operations. Should you choose to pay the ransom then this will come at a cost, and whether you pay or not, the incident could still come at a cost in terms of damage to your reputation.
[3] Malwarebytes. Understanding the depth of the global ransomware problem. Available from: www.malwarebytes.com/pdf/white-papers/understandingTheDepthofRansomwareIntheus.pdf [accessed 13th February 2017].
To pay or not to pay? That is the question!
The FBI does not support the idea of paying ransoms in order to get data back, arguing that paying a ransom incentivises criminals to continue with their activities as they see it as a profitable venture [4]. There is also no guarantee that you will get your data back: some organizations do not receive any decryption key once they have paid the ransom, and others find that the data, despite being decrypted, has been corrupted in the process and has become unusable.
So what can be done to prevent ransomware?
To reduce the impact of ransomware, first and foremost, you must always make sure that your data is backed up. If your data is backed up and you experience a ransomware attack then you can isolate the ransomware, clean the network of it and then restore the data from your back-up. It's not necessarily an easy process, but it means you don't lose all your data and you don't pay a ransom. Of course you need to ensure that the back-up can't be encrypted by the ransomware as well.
Make sure that your operating system and installed software are up to date with the latest security patches, and that your anti-virus and anti-malware tools are conducting regular scans of your network so they can pick up anything malicious before damage can be done. Manage the use of privileged accounts so that no users are assigned administrative access unless they absolutely need it, thereby limiting the number of people who are able to install new software.
Configure access controls on the file directory so users can only access the files they need. If users only need to read certain files rather than edit them, they don't need write access to those files or directories. The more you restrict the flow of data across your network, the better chance you have of stemming the spread of a ransomware attack.
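The read-only advice above can be checked and enforced on a POSIX file server with a short audit. The following is an added example, not material from the BCI report: it walks a share, reports every file or directory that the group or the world can write to (each one is somewhere a compromised ordinary account could encrypt or plant files), and then applies a read-only policy in which the owning account keeps write access, the group can only read, and everyone else gets nothing. The sample share, its file names and its sloppy permissions are constructed inline for the demonstration.

```python
import os
import stat
import tempfile

# Mode bits that give write access to anyone other than the owner.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def find_writable_by_others(root):
    """Walk a share and return, sorted, the relative path of every file or
    directory that the group or the world can write to. Each entry is a place
    a process running under an ordinary user account could modify, so each is a
    path ransomware could spread along if that account is compromised."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are meaningless; skip it
            if mode & WRITABLE_BY_OTHERS:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def make_read_only_share(root):
    """Apply the read-only policy from the text: the owner keeps write access,
    the group can read files and traverse directories, everyone else gets
    nothing. Directories become 0o750 and regular files 0o640."""
    for dirpath, dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o750)          # rwxr-x---
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                os.chmod(full, 0o640)     # rw-r-----


def demo():
    """Build a constructed sample share with one sloppy folder, audit it,
    harden it and audit it again. Returns the two audit results (before, after)."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "finance"))
    for rel in ("finance/ledger.csv", "readme.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample data\n")
    os.chmod(os.path.join(root, "readme.txt"), 0o644)             # owner-only write: fine
    os.chmod(os.path.join(root, "finance"), 0o777)                # world-writable: not fine
    os.chmod(os.path.join(root, "finance", "ledger.csv"), 0o666)  # world-writable: not fine
    before = find_writable_by_others(root)
    make_read_only_share(root)
    after = find_writable_by_others(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("writable by others before:", before)
    print("writable by others after: ", after)
```

Running the audit periodically, rather than only once, is what catches permissions that drift back to world-writable as people share folders in a hurry.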
They do say that prevention is better than cure, and one way to reduce the impact of ransomware is to stop it happening in the first place. The vast majority of the time, the user has to do something to install the software – click on a link, open an attachment – so if the user doesn't do that, then the software can't install. Admittedly it is not quite as simple as that, as very often the link or the email can be cleverly disguised and appear legitimate, but it is important to develop a culture whereby users think twice about their actions.
[4] FBI. Incidents of Ransomware on the Rise. Available from: www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise [accessed 13th February 2017].
Data Breach
There are so many organizations to choose from, but when you think of a data breach, perhaps the one that springs to mind first is Yahoo!, which had one billion records stolen in 2013 and then another half billion stolen the following year [5]. That's a significant breach and certainly eclipses any other known breach. Of course it's important to add 'known' in there, as another organization may have suffered a bigger breach; they just don't know about it yet, or at least have not admitted it yet.
Our organizations are so heavily reliant on data. It keeps us moving: we use it for research and development, for marketing, for sales, and generally throughout our product/service lifecycle. It helps us to understand our customers so that we can meet their needs.
It is so valuable that lots of other organizations and individuals want it too, for reasons that include espionage, fraud and blackmail, among many others.
Espionage
The Houston Astros, a Major League Baseball team in the American League West, discovered in June 2014 that their servers had been hacked, with information about player scouting and trade negotiations being accessed illegally. It later transpired that the hack was the work of former Astros employee and now St Louis Cardinals' Director of Baseball Development Christopher Correa. Correa has since been fired by the Cardinals, sentenced to 46 months in prison, and ordered to pay the Astros $279,038 in restitution [6]. The penalty for the Cardinals was much higher, with a $2 million fine and the loss of two trade picks [7].
[5] Wikipedia. Yahoo! data breaches. Available from: en.wikipedia.org/wiki/yahoo!_data_breaches [accessed 8th March 2017].
[6] ESPN. Ex-Cards scouting director Chris Correa sentenced to prison for hacking Astros. Available from: www.espn.co.uk/mlb/story/_/id/17101079/chris-correa-former-st-louis-cardinals-scouting-director-sentenced-jail-hacking-houston-astros [accessed 20th February 2017].
[7] ESPN. After investigation, MLB orders Cardinals to forfeit top two picks, pay $2 million to Astros. Available from: www.espn.co.uk/mlb/story/_/id/18586344/mlb-orders-st-louis-cardinals-forfeit-top-2-2017-draft-picks-pay-2-million-houston-astros [accessed 20th February 2017].
Fraud
Data is a valuable asset and, when used maliciously, can be extremely profitable. In the days following the TalkTalk hack, when 157,000 records were stolen, one customer who had been in contact with the telecoms company to report a slow broadband speed had £3,200 stolen from her [8]. Using all the information they had gleaned about this lady, and without going into the details, criminals were able to persuade her to part with the money.
Blackmail
Ashley Madison is an online dating site with one minor difference: the whole raison d'être for signing up is to have an affair. Naturally, one can assume that users of the site would like a little bit of discretion regarding their activities. So when the site was hacked in 2015 there were a lot of embarrassed and quite worried individuals who were desperate to keep their little secrets hidden, whatever the cost [9].
How do you prevent a data breach?
There are plenty of technical solutions that make your network more secure, and again you need to make sure that your network is up to date with security patches and anti-virus. It is worth noting, however, that the Yahoo! data breach was the result of someone clicking on the wrong link [10]. A study by the Ponemon Institute indicated that 61% of security breaches are the result of a malicious or negligent employee, so protecting yourself from the insider threat is a major step to take [11].
[8] This Is Money. TalkTalk customer scammed out of more than £3k after fraudsters target her with compensation overpayment trick. Available from: www.thisismoney.co.uk/money/saving/article-3582624/TalkTalk-customer-scammed-3k-fraudsters.html [accessed 8th March 2017].
[9] CSO Online. Blackmail rising from Ashley Madison breach. Available from: www.csoonline.com/article/2980631/data-breach/blackmail-rising-from-ashley-madison-breach.html [accessed 8th March 2017].
[10] The Hacker News. Yahoo! Hack! How It Took Just One-Click to Execute Biggest Data Breach in History. Available from: thehackernews.com/2017/03/yahoo-data-breach-hack.html [accessed 23rd March 2017].
[11] The Ponemon Institute. Managing insider risk through training and culture. Available from: www.experian.com/data-breach/2016-ponemon-insider-risk.html?WT.srch=2016_insider_risk_pr [accessed 23rd March 2017].
Distributed Denial of Service (DDoS)
It is estimated that one zettabyte of information travels across the internet every year, and while one may not seem a lot, it is worth noting that a zettabyte has 21 zeroes in it, so that's a lot of data [12]. The good news is that the internet can cope with this, as there are an estimated 6.4 billion internet-connected devices in use, so the data is spread around [13].
But what happens when all that data is focused on one device or one server? On New Year's Eve 2015, one of the world's largest broadcasting companies – the BBC – had its website flooded with data in an attack that reached up to 602 Gbps and ultimately took the whole site down for several hours, including the on-demand television service [14].
This was a distributed denial of service (DDoS) attack, where compromised devices across the world bombarded a single server with so much data that it was no longer able to function. Sometimes the damage can be irreparable.
Clearly there is nothing the individual user can do to prevent such an attack, but it should be noted that these attacks are the result of many other devices being compromised and then used for malicious purposes.
With the rise of the Internet of Things, more and more devices are coming online, with potentially up to 50 billion by 2020, and many of these devices do not have effective security [15]. Just consider what devices you have that are connected to the internet – routers, smartwatches, fridges, televisions etc. Have you ever changed the default password? By reducing the number of devices that can be compromised, we are reducing the pool of devices that can be used for an attack.
[12] Cisco. Cisco Visual Networking Index: Forecast and Methodology, 2015–2020. Available from: www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/complete-white-paper-c11-481360.pdf [accessed 24th February 2017].
[13] Statista. Internet of Things (IoT): number of connected devices worldwide from 2012 to 2020 (in billions). Available from: www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/ [accessed 24th February 2017].
[14] CSO. DDoS attack on BBC may have been biggest in history. Available from: www.csoonline.com/article/3020292/cyber-attacks-espionage/ddos-attack-on-bbc-may-have-been-biggest-in-history.html [accessed 24th February 2017].
[15] Statista. Internet of Things (IoT): number of connected devices worldwide from 2012 to 2020 (in billions). Available from: www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/ [accessed 24th February 2017].
The Keys to the Kingdom – Part I
Your computer network is your kingdom: it is where you store all the valuable data that allows you to go about your business. The device you use, whether it is your PC, laptop, tablet or smartphone, is the way in which you enter that kingdom, so it is important to keep it secure and prevent anyone with somewhat unscrupulous intentions from gaining access and stealing or corrupting your data.
How do you do this? By having a secure password for a start: something that cannot be cracked by the most skilled hacker using the latest technology, or, perhaps more obviously, something that cannot be guessed by the least skilled hacker with no technology.
A study conducted by Keeper Security earlier in 2017 revealed that, of the 10 million passwords that were made available to them as a result of a data breach, nearly 1 in 5 was '123456' [16]. The top ten list of passwords included:
1. 123456
2. 123456789
3. qwerty
4. 12345678
5. 111111
6. 1234567890
7. 1234567
8. password
9. 123123
10. 987654321
[16] Keeper Security. What the most common passwords of 2016 list reveals. Available from: blog.keepersecurity.com/2017/01/13/most-common-passwords-of-2016-research-study/ [accessed 14th February 2017].
Without going into the technicalities of how passwords can be hacked, a Business Insider article identified just how long it takes to hack various types of passwords [17]. The article noted that a password like '123456' or 'password' would take less than a second to crack. If you are curious how long it would take to crack one of your passwords, visit the Random-ize website, enter your password and find out [18]. You will probably be quite alarmed.
The main method used is called brute force. It can either work from a pre-defined dictionary of possibilities, trying each one until the right password is found, or, in the more traditional form, try different combinations of letters, numbers and symbols until the right password is found. Naturally, the more characters you include in your password, the longer this will take. The more you mix different kinds of characters, such as letters (upper and lower case), numbers and symbols, the longer it will take to crack.
While this makes it sound easy to crack a password, it is sometimes even easier to guess one. The UK music band Gorillaz are set to launch a new album later in 2017, and some of the tracks from this album were leaked online prior to the launch [19]. The band had a selection of tracks hosted on their Vimeo account, and one of their fans guessed the password and managed to gain access. The password was '2017'.
As well as having strong passwords, it is also important to change them regularly. Keeping your own password secure is one thing, but can you trust others to keep it secure? Data breaches resulting in large numbers of passwords being compromised are becoming more and more commonplace. According to Thycotic's 300 Billion Passwords Report, more than 3 billion user credentials and passwords were stolen in 2016, with 8.2 million passwords being stolen every day and approximately 95 passwords stolen every second [20]. Let's not forget the Yahoo! hack in 2013 that led to over one billion user account details being stolen, and this was distinct from another hack of the same company a year later that led to half a billion user details being stolen [21]. If passwords are routinely changed then it means that stolen passwords will soon be obsolete.
It is also worth ensuring that passwords for different accounts vary. If your password for one account is stolen, you don't want the hacker to have access to all your accounts because the same password was used for each.
[17] Business Insider. This website shows how long it would take for a hacker to break your password. Available from: www.businessinsider.com/hacker-password-cracking-test-2016-5 [accessed 23rd March 2017].
[18] Random-ize. How Long to Hack my Password. Available from: random-ize.com/how-long-to-hack-pass/ [accessed 23rd March 2017].
[19] Business Insider. Tracks from the new Gorillaz album leaked online because someone found them on Vimeo and guessed the password. Available from: www.businessinsider.com/4-new-gorillaz-songs-leak-online-album-vimeo-saturnz-barz-2017-3 [accessed 23rd March 2017].
[20] Thycotic. 300 Billion Passwords Report. Available from: thycotic.com/resources/cybersecurity-ventures-protect-300-billion-passwords-worldwide-2020/ [accessed 14th February 2017].
[21] Wired. Hack Brief: Hackers Breach a Billion Yahoo Accounts. A Billion. Available from: www.wired.com/2016/12/yahoo-hack-billion-users/ [accessed 14th February 2017].
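The two brute-force routes described above (a dictionary of common passwords, then an exhaustive search over a character set) can be made concrete with a small keyspace calculation. The following is an added example, not code from the BCI report or from any of the sites it cites: it checks a candidate against the ten most common passwords listed in Part I and otherwise estimates the worst-case time to exhaust the keyspace, which is why every extra character and every extra character class matters. The rate of one billion guesses per second is an assumption chosen for illustration (real rates vary enormously with the hashing scheme and the hardware), and 'Eagles1' is a constructed sample standing in for a team-name password; '3qgtys@wn?X!WJyC' and '2017' are the passwords the report itself discusses.

```python
import string

# The ten most common passwords from the Keeper Security study cited in the text.
TOP_TEN = [
    "123456", "123456789", "qwerty", "12345678", "111111",
    "1234567890", "1234567", "password", "123123", "987654321",
]

# Assumed guessing rate for the estimate. An assumption chosen for illustration,
# not a figure from the report: real rates depend on the hash and the hardware.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

# Character classes and the number of symbols each one adds to the alphabet
# an exhaustive brute-force search has to cover.
CHARACTER_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable ASCII symbols
]


def alphabet_size(password):
    """Size of the alphabet implied by the character classes the password uses.
    '2017' uses only digits, so its alphabet is 10; mixing both letter cases,
    digits and symbols raises it to 94."""
    chars = set(password)
    return sum(count for members, count in CHARACTER_CLASSES if chars & members)


def keyspace(password):
    """Number of candidates an exhaustive search must consider: alphabet ** length.
    Every extra character multiplies this by the alphabet size."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time for a pure brute-force search to try every candidate."""
    return keyspace(password) / guesses_per_second


def assess(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Classify a password in the order the text describes an attacker working:
    the dictionary route first (a top-ten hit is found almost instantly whatever
    its length), then the exhaustive route, bucketed by worst-case time."""
    if password.lower() in TOP_TEN:
        return "common"
    seconds = seconds_to_exhaust(password, guesses_per_second)
    if seconds < 1:
        return "instant"
    if seconds < 365 * 24 * 3600:
        return "hours-to-months"
    return "years"


if __name__ == "__main__":
    # '3qgtys@wn?X!WJyC' and '2017' come from the report; 'Eagles1' is constructed.
    for candidate in ["123456", "2017", "Eagles1", "3qgtys@wn?X!WJyC"]:
        print(f"{candidate!r}: alphabet={alphabet_size(candidate)}, "
              f"keyspace={keyspace(candidate):.3g}, verdict={assess(candidate)}")
```

The dictionary check runs before any arithmetic because that is the order in which passwords actually fall: '123456' scores the same keyspace as any other six-digit string, yet it is the first guess an attacker makes. The estimate is deliberately a worst case for the attacker; a real search that is seeded with common words and patterns will usually finish much sooner than the keyspace suggests.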
The Keys to the Kingdom – Part II
So we've now got our uncrackable password that no one could ever possibly guess, and one that will take a hacker too long to crack to justify their time. The problem now is: "How am I supposed to remember '3qgtys@wn?X!WJyC'?" There is no logic to it and even someone with the best memory is going to struggle.
The solution – "I'll write it on a post-it note and hide it under my keyboard!" If you go to any office then the chances are that you will find this happening, whether it is on a post-it note securely hidden under the keyboard where no one will ever find it, or written on the inside of the user's diary, or perhaps tucked away in the top drawer, as they are both far more secure. Some users don't even try to hide it; they just stick the post-it note to their monitor.
It is human nature to make things easy for ourselves, and that includes not putting in the effort to remember a password when we can just write it down somewhere.
It was even speculated that a French television network which experienced an intrusion into their network made themselves vulnerable by broadcasting their password during an interview. The interview they conducted happened to feature an employee's desk in the background, which included, among a host of other paperwork, a post-it note with a user name and password [22].
In this day and age it can be an impossible task to try and remember all the passwords that we have to use on a daily basis, particularly if we are told that our child's name or favourite sports team isn't an acceptable password either, forcing us to choose something a little less memorable. Incidentally, prior to Super Bowl 2017, a study was done on a list of leaked passwords that found that the Philadelphia Eagles came top of the charts when it came to fans using the name of their favourite NFL team as their password [23].
There are, however, a selection of tools that can be used to securely store your passwords. Password managers or digital vaults can enable you to store all your passwords securely and even advise you if your password is too weak or has been duplicated. Whatever you choose to do, just don't make your password visible to others.
[22] Ars Technica. Hacked French network exposed its own passwords during TV interview. Available from: arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/ [accessed 14th February 2017].
[23] Infosecurity Magazine. Eagles Take the #SuperBowl of Passwords. Available from: www.infosecurity-magazine.com/blogs/eagles-take-the-superbowl-of/ [accessed 23rd March 2017].
Shutting the Door Behind You When You Leave
Now our networks are secure, with a strong password protecting them, a password that is not written down anywhere for someone to find. What could possibly go wrong? Well, there's little point in having a password if you don't actually use it. You would never leave your house or car with the door wide open, so why would you do such a thing with your computer?
You can often walk round an office and see empty desks with computers switched on and unlocked. Perhaps the user has just gone for a cup of coffee, or perhaps they've taken their hour-long lunch break or they're in a meeting which will last several hours. It doesn't take long for someone to get into your computer and access your files.
According to a study carried out by Fellowes back in 2012, more than a quarter of users (26%) are guilty of leaving their computer unlocked when they're away from their desk [24].
Of course you may think you're safe when you're in your own office, and no doubt you trust your colleagues, but let's not forget that many studies have identified the insider threat as a similar concern to the outsider threat. Research from Preempt showed that 49% of IT security professionals are more concerned about the insider threat [25].
So whether it is your colleagues giving you a slightly embarrassing Facebook status, or something far more sinister like deleting or removing files, there can be a price to pay for not locking your computer.
[24] Fellowes. National survey uncovers data breach vulnerabilities in the workplace. Available from: assets.fellowes.com/press/fellowes%20businessProfessionals%20Press%20Release.pdf [accessed 14th February 2017].
[25] Preempt. The growing security threat from insiders. Available from: info.preempt.com/insider_threat_report [accessed 14th February 2017].
No Such Thing as a Free Lunch
So we've now learnt that we need to have a strong password which we need to keep hidden away, and if we are apart from our devices then we need to make sure they are locked. What next?
One of the first things we do when we're in a coffee shop, or airport, or many other places, is to log on to the free public wifi, just to check our emails or browse the internet while we've got a spare few minutes.
But as they say, there's no such thing as a free lunch. Very often the reason that wifi is free is because the provider wants something – your details. When you register for the wifi you normally have to supply your name and email address, and then the providers can start trying to sell their product to you. And we're usually happy to accept this. There's probably nothing wrong in that, but how do we know we're using the right wifi? How do we know it's not someone more sinister providing the wifi, someone masquerading as the supplier, in order to obtain more than just your registration details?
It's not that complicated a process to set up a wifi signal, and once someone has requested access to that signal, they have potentially also granted access to their own device for a hacker to have a look through.
In 2015, F-Secure conducted a study involving four high-profile UK politicians to demonstrate just how insecure accessing public wifi can be. The Great Politician Hack Report revealed that within half an hour of accessing the wifi, one politician had their Gmail account hacked, another had an internet phone call intercepted and recorded, while another had their Facebook account hacked [26]. It didn't matter that they had strong passwords: when those passwords were entered while logged into the wifi, they passed freely through the router and were made available to the hacker.
[26] F-Secure. Great Politician Hack Report. Available from: fsecureconsumer.files.wordpress.com/2016/05/greatpoliticianhack.pdf [accessed 14th February 2017].
Thankfully this was just a test to show what could be done, but the report notes that if politicians were to have their social media accounts hacked just prior to an election, and an erroneous post was made, it is possible that this could change voter opinion. The recent Brexit referendum and US presidential election show how powerful misinformation can be, and that it is extremely difficult to take back once it is 'out there'.
So what can be done to make your network more secure? First of all, if you are connecting to public wifi, make sure you are connecting to the right network and not the network set up by the dodgy guy sitting in the corner. Fake networks will often be set up with legitimate-sounding names that mimic the location or popular providers, so don't think that just because the name matches the coffee shop you're in it is legitimate. If in doubt, ask someone behind the counter what the wifi name is; most coffee shops display the name of their wifi anyway.
Use a virtual private network (VPN) wherever possible to connect to the internet, particularly if you are dealing with sensitive information. Setting up a VPN means that users can use a public network as though it were a private one, by encrypting data that is sent out.
One of the reasons we use public wifi is to save on our data allowance, so perhaps it may be worth considering an extended data contract, or even opting for unlimited data from your provider. This means there will be far fewer instances when you'll need to connect to public wifi, and most modern phones/networks offer fast enough connection speeds to prevent any frustrating delays.
If you're using a wireless network that is effectively 'unknown', in that it isn't a home or office network you are familiar with, avoid activities that involve sensitive information wherever possible. While you may still be at risk of some of the problems highlighted previously, it would at least help prevent this sensitive data from being compromised.
Finally, consider whether it's really necessary to be online at that particular time. It's quite possible that whatever needs doing could wait until you return home or reach the office, or could using the phone's own data connection be a realistic alternative?
Curiosity Killed the Cat
When was the last time you actually bought a USB memory stick? In many cases, the devices we use have been given to us free of charge by marketers using them as a tool to try and sell their product. Can we trust the information that is on them?
In some cases, however, it is not a device that we have been given that we plug into our machines, it is one that we've found. They say that curiosity killed the cat; well, it also has the potential to kill our computer networks if we don't know what we are plugging into them.
In 2016, researchers at the University of Illinois conducted a study whereby they positioned 297 USB sticks across the campus to ascertain the behaviour of the finders. The paper produced revealed that of all the devices that were dropped, 135 had files within them opened up, while a further 155 were picked up, although whether they were plugged in is unknown [27]. The study showed that nearly half of participants were happy to plug in the device, most of whom did not use any formal precautions prior to opening files, potentially allowing malicious software to be downloaded and installed.
The University of Illinois study had slightly more alarming results than an earlier study commissioned by CompTIA [28]. In their study, 200 USB sticks were dropped in public places and 17% of those were plugged in and had files opened up.
Of course you shouldn't always assume that it is just the less cyber-aware who plug untrusted USB sticks into their device; the 'experts' are just as guilty. A study conducted by AhnLab at the RSA Conference in 2013 found that over three quarters (78%) of IT security professionals admitted to picking up and plugging in USB flash drives found abandoned or lying around [29].
It is also important to note that it is not just devices you find 'lying around' that perhaps shouldn't be trusted. USB sticks from reputable sources should also be treated with caution, as attendees at the Australian Information Security Conference found in 2010 when free USB sticks from an extremely reputable vendor were discovered to have malware on them [30].
[27] Tischer M, Durumeric Z, Foster S, Duan S, Mori A, Bursztein E, Bailey M. Users really do plug in USB drives they find. Available from: zakird.com/papers/usb.pdf [accessed 13th February 2017].
[28] CompTIA. Cyber Secure: a look at employee cyber security habits in the workplace. Available from: www.comptia.org/resources/cyber-secure-a-look-at-employee-cybersecurity-habits-in-the-workplace [accessed 13th February 2017].
[29] AhnLab. 78% of IT Professionals Admit Picking up and Plugging In Abandoned USB Drives. Available from: global.ahnlab.com/site/main.do [accessed 8th March 2017].
[30] SC Magazine. IBM distributed infected USB drives at conference. Available from: www.scmagazine.com/ibm-distributed-infected-usb-drives-at-conference/article/557760/ [accessed 8th March 2017].
31 Friedrich-Alexander-Universität. One in two users click on links from unknown senders. Available from: www.fau.eu/2016/08/25/news/research/one-in-two-users-click-on-links-from-unknown-senders/ [accessed 8th March 2017].
Welcoming intruders into your network
So often we are told to be careful about which links we click on, but there is a psychology involved in creating links, and it is all
too easy to be drawn in by what the link is offering: perhaps a juicy bit of celebrity gossip, the chance to get some money,
or something that resonates with one of our addictive natures. There are many things that can be done to entice
people to click. Clickbait is becoming more and more common, and in reality the link title often bears very little relevance to
what lies behind it. But while clickbait is mostly about encouraging click-throughs in order to earn advertising revenue, sometimes
links, and what lies behind them, can be a lot more sinister.
Phishing, in which an email is disguised as coming from a trusted source in order to encourage the user to take some
action, is becoming more common. This could be a completely speculative email, or it could be more targeted, in what is known as spear phishing, where
the attackers use some basic information they already hold on you to encourage you to hand over more. An example of a
phishing attack might be an email that looks like it is from the user's bank, encouraging them to visit the website and
log in. The account it comes from will look very close to legitimate, and the website it directs you to will look much like
the real one. But that is where the similarity ends: once you have logged in, you have just given the attackers your log-in details.
It may not be the case that they want you to enter information; they may just want you to click on the link, because that alone can
download a malicious piece of software onto your computer, and perhaps onto your entire network.
Researchers at the Friedrich-Alexander-Universität conducted a study which found that more than half of email recipients
(56%) and around four in ten Facebook users clicked on a link from an unknown sender, even though they knew of the risk of
their computer becoming infected with a virus31. When asked why they clicked on the link, the large majority of participants
said that it was due to curiosity about the content of the photos or the identity of the sender.
As noted earlier in this report, the Yahoo! data breach was the result of someone clicking on the wrong link and thereby
allowing the attacker into the network. Users need to demonstrate more caution, and certainly more restraint, when clicking
on links.
Conclusions
We are faced with cyber threats all the time, and sooner or later those threats will materialise. As the saying
goes, the good guys have to be lucky all the time; the bad guys need only be lucky once. As technology
evolves, so does the threat, and as the threat evolves, so do the security mechanisms put in place to combat
it, and as those evolve, so do the threats, and so on. It is an endless dance of protecting our computers
and our networks from those who wish to do us harm, or at least to profit from our loss.
While it is likely that we will at some point suffer a cyber security incident, there is no need for us to make
it easy for the hackers. Each and every one of us can do something, or indeed several things, to help protect
ourselves. These are simple things which include:
1. Use a safe, secure password that cannot be easily deciphered or guessed. Rather than using 123456, or the name
of your favourite sports team, use a random combination of at least twelve characters including letters (upper and lower
case), numbers and symbols. Also use different passwords for different accounts.
2. Clearly a password as described above isn't memorable, and if you have a different password for every account,
remembering them all is an impossible task. Don't, however, write your password on a post-it note and hide it
under your keyboard, or write it in a password notebook that you leave on your desk. If you are having trouble
remembering passwords, use a password vault that secures them with a good level of encryption.
3. Don't leave your IT devices unlocked so that anyone could gain access to them, and to all your sensitive data, while you are
away. If you leave your computer unattended, make sure you lock it before you go. Make sure you use the lock functions
on your smartphones and tablets. You would never intentionally leave your house or car unlocked, so why do so with
your technology?
4. Be careful when using public wifi. If you do need to use it, and let's face it we all do, then at least make sure that you
are using the official network and not a fake set-up. If you're in a coffee shop, ask at the counter what the wifi name
is and make sure you connect to that. Even that may not be entirely secure, so use a virtual private network when using
public wifi, as that adds a degree of encryption to your browsing. Furthermore, think twice about what data you send
over the network when using public wifi. Is it sensitive data? Could it wait until you are on a trusted network?
5. If you find a USB stick lying on the ground, don't let curiosity get the better of you so that you plug it in and start
clicking on files. Even if you have a supposedly trusted USB stick, it would be astute to check that it is free of anything
malicious first. If you absolutely must plug it in, then first scan it for viruses on an isolated computer.
6. Don't click on links that cannot be trusted, as you may inadvertently invite the attackers into your network. Links can be
hidden behind links, so what you see is most certainly not what you get.
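As an added illustration of the point that the link you see is not necessarily the link you get, here is a small Python check (not part of the original report) that compares the domain shown in a link's visible text with the domain its href actually points at, and flags bare IP-address destinations. The message body is a constructed sample, and the domain names in it are placeholders.

```python
"""Flag links whose visible text disagrees with where they really go."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style email body (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://secure-login.example-bank.com.attacker.test/login">
log in at https://www.example-bank.com</a> to confirm your details.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">www.example-bank.com/help</a>.</p>
<p>Or <a href="http://203.0.113.5/update">click here</a> to update your software.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_of(text):
    """Return the hostname a URL-like string appears to point at, or None."""
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else None

def suspicious_links(html):
    """Return the hrefs whose real destination disagrees with what the user sees."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real = urlparse(href).hostname or ""
        shown = host_of(text)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
            flagged.append(href)   # destination is a bare IP address
        elif shown and shown != real and not real.endswith("." + shown):
            flagged.append(href)   # displayed domain is not the real domain
    return flagged
```

The first link is flagged because the text shows the bank's domain while the href leads to a lookalike host; the "click here" link is flagged because it resolves to a raw IP address.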
About Business Continuity Awareness Week
Business Continuity Awareness Week (BCAW) is an annual
global event organized by the Business Continuity Institute
to raise awareness of the importance of business continuity
and resilience. Featuring publications, webinars and other
resources promoting the importance of business continuity
and resilience, this event is aimed at organizations. This
year's event has a theme of 'cyber security' and focuses
on the role that individuals can play in helping to improve
cyber security, and seeks to demonstrate that everyone
has a part to play in building an organization's resilience,
a fundamental aim of business continuity.
About the BCI
Founded in 1994 with the aim of promoting a more resilient world, the Business Continuity Institute
(BCI) has established itself as the world's leading institute for business continuity and resilience. The BCI
has become the membership and certifying organization of choice for business continuity and resilience
professionals globally, with over 8,000 members in more than 100 countries, working in an estimated 3,000
organizations in the private, public and third sectors.
The vast experience of the Institute's broad membership and partner network is built into its world class education, continuing
professional development and networking activities. Every year, more than 1,500 people choose BCI training, with options
ranging from short awareness raising tools to a full academic qualification, available online and in a classroom. The Institute
stands for excellence in the resilience profession, and its globally recognised certified grades provide assurance of technical and
professional competency. The BCI offers a wide range of resources for professionals seeking to raise their organization's level of
resilience, and its extensive thought leadership and research programme helps drive the industry forward. With approximately
120 partners worldwide, the BCI Partnership offers organizations the opportunity to work with the BCI in promoting best
practice in business continuity and resilience.
The BCI welcomes everyone with an interest in building resilient organizations, from newcomers to experienced professionals and
organizations. Further information about the BCI is available at www.thebci.org.
About the author
Andrew Scott, Senior Communications Manager
Andrew Scott is the Senior Communications Manager
at the Business Continuity Institute, who joined after
a brief stint working as the Press Officer for a national
health charity. Prior to that he had over ten years at
the Ministry of Defence working in a number of roles
including communications and business continuity.
During this time he also completed a Masters in Public
Relations at the University of Stirling. Andrew took his
CBCI exam in November 2014 and passed with merit.
Contact the BCI
Andrew Scott
Senior Communications Manager
10-11 Southview Park,
Marsack Street
Caversham, RG4 5AF,
United Kingdom.
+44 (0) 118 947 8215
www.thebci.org
@thebceye