Business Continuity Awareness Week, 15th–19th May 2017
www.thebci.org #BCAW2017

CYBER SECURITY REPORT
Building resilience by improving cyber security



TABLE OF CONTENTS

Introduction 3
Types of threat 5
Ransomware 5
Data breach 7
Distributed Denial of Service (DDoS) 9
The keys to the kingdom – part I 10
The keys to the kingdom – part II 12
Shutting the door behind you when you leave 13
No such thing as a free lunch 14
Curiosity killed the cat 16
Welcoming intruders into your network 17
Conclusions 18
About Business Continuity Awareness Week 19
About the author 19
About the BCI 19
Contact the BCI 20

Figure 1: Infographic from the BCI Horizon Scan Report 2017 (88% and 81% of respondents to the global survey expressed concern about cyber attacks and data breaches respectively materialising).

INTRODUCTION

Cyber security has for a long time been an issue for business continuity and resilience professionals. The latest Horizon Scan Report published by the Business Continuity Institute revealed that cyber attacks were the greatest concern for those working in the industry, followed closely by data breaches. Respectively 88% and 81% of respondents to the global survey expressed concern about these two threats materialising1.

This ranking was the same as in the previous report and, since the survey began in 2012, both these threats have consistently appeared in the top three.

1 The Business Continuity Institute. Horizon Scan Report 2017. Available from: www.thebci.org/index.php/download-the-horizon-scan-2017 [accessed 21st February 2017].

It is perhaps no surprise that cyber security continues to be a major concern for business continuity professionals given that another report published by the Business Continuity Institute – the Cyber Resilience Report – revealed that two thirds of organizations had experienced at least one cyber incident during the previous twelve months, while 15% had experienced at least ten incidents during the same period2.

With the threat so sizeable, and the concern among business continuity professionals so great, cyber security was considered an obvious choice for the theme of Business Continuity Awareness Week 2017. BCAW is an annual campaign hosted by the Business Continuity Institute to raise the profile of the business continuity and resilience industry and demonstrate its importance and value to others.

As this campaign is aimed at awareness raising, the intention is not to talk specifically about the technical aspects of cyber security that may leave anyone but the most technically-minded confused, bewildered and no more aware of what they’re meant to do than they were prior to the campaign. The intention is to highlight some of the ways that individuals who don’t work in IT security or business continuity can get involved, and help improve cyber security within their own organization.

This report highlights six of these ways, offering some insights as to what the issue may be with their existing practice and providing advice on how these can be improved. The following chapters will assist individuals in becoming more aware of their own cyber security so that together we can help build more resilient organizations.

2 The Business Continuity Institute. Cyber Resilience Report 2016. Available from: www.thebci.org/index.php/obtain-the-cyber-resilience-report-2016 [accessed 29th June 2016].

Figure 2: Infographic from the BCI Cyber Resilience Report 2016 – “Cyber security is everyone’s responsibility. Play your part in building a resilient organization: use strong passwords; keep passwords hidden; take care when using insecure networks; don’t click on untrusted links; don’t plug untrusted devices into networks.”

TYPES OF THREAT

There is a wide range of potential threats that could befall our organizations and these are constantly evolving. Perhaps three of the most common, or the most damaging, are ransomware, data breaches and DDoS attacks.

RANSOMWARE

WHAT IS RANSOMWARE?

Ransomware is a piece of software that, when downloaded and installed, encrypts all of the data on your computer, or even your entire server if the software infects that too. Once encrypted, a demand is made for a ransom to be paid in order for the data to be decrypted. It is perhaps no coincidence that the rapid rise in the use of ransomware has followed the growth of Bitcoin, as this digital currency makes it far easier for ransoms to be paid, and perhaps harder for them to be traced.

Ransomware attacks generally enter the system through the user accidentally installing a malicious piece of code. It may be that they clicked on a link, or opened an email attachment, either of which could have looked legitimate. By the time they realise it isn’t, it’s too late, and the ransomware has been installed and has started infecting the network.

In a study commissioned in 2016 by Malwarebytes, it was found that 39% of organizations questioned had experienced a ransomware incident during the previous 12 months3. This figure was much higher in the healthcare and financial sectors, where 53% and 51% of organizations respectively experienced a ransomware incident.

WHAT IS THE IMPACT OF RANSOMWARE?

If your files have been encrypted by ransomware then they become inaccessible and you will have a temporary, or perhaps even permanent, loss of all data, causing a major disruption to your operations. Should you choose to pay the ransom then this will come at a cost, and whether you pay or not, the incident could still come at a cost in terms of damage to your reputation.

3 Malwarebytes. Understanding the depth of the global ransomware problem. Available from: www.malwarebytes.com/pdf/white-papers/understandingTheDepthofRansomwareIntheus.pdf [accessed 13th February 2017].

TO PAY OR NOT TO PAY? THAT IS THE QUESTION!

The FBI does not support the idea of paying ransoms in order to get data back, arguing that paying a ransom incentivises criminals to continue with their activities as they see it as a profitable venture4. There is also no guarantee that you will get your data back, with some organizations not receiving any decryption key once they have paid the ransom, and others finding that the data, despite being decrypted, has been corrupted in the process and has become unusable.

SO WHAT CAN BE DONE TO PREVENT RANSOMWARE?

To reduce the impact of ransomware, first and foremost, you must always make sure that your data is backed up. If your data is backed up and you experience a ransomware attack then you can isolate the ransomware, clean the network of it and then restore the data from your backup. It’s not necessarily an easy process, but it means you don’t lose all your data and you don’t pay a ransom. Of course you need to ensure that the backup can’t be encrypted by the ransomware as well.

Make sure that your operating system and installed software are up to date with the latest security patches, and that your anti-virus and anti-malware tools are conducting regular scans of your network so they can pick up anything malicious before damage can be done. Manage the use of privileged accounts so that no users are assigned administrative access unless they absolutely need it, and thereby limit the number of people who are able to install new software.

Configure access controls to the file directory so users can only access the files they need. If users only need to read certain files rather than edit them, they don’t need write access to those files or directories. The more you restrict the flow of data across your network, the better chance you have of stemming the spread of a ransomware attack.
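The access-control advice above can be checked rather than assumed. The Python below is an added example written for this page, not code from the BCI report: it walks a directory tree, reports every file or directory that is group- or world-writable and is not on an allow-list of places that are meant to be writable, and strips the unnecessary write bits from whatever it finds. The sample share it builds (a read-only ‘policies’ folder and a shared ‘drop-box’), the allow-list and the function names are this example’s own assumptions; it relies only on POSIX permission bits, so it applies to Linux or macOS file servers rather than Windows ACLs.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Iterable, List

# Mode bits that grant write access to anyone other than the owner.
SHARED_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_others(mode: int) -> bool:
    """True if the POSIX mode grants group or world write permission."""
    return bool(mode & SHARED_WRITE)


def audit_tree(root: str, allowed_writable: Iterable[str] = ()) -> List[str]:
    """Return paths under root (relative, sorted) that are group- or world-writable
    and are not explicitly allowed to be. Symlinks are skipped so the audit never
    follows a link out of the tree."""
    allowed = set(allowed_writable)
    root_path = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = Path(dirpath, name)
            if full.is_symlink():
                continue
            rel = full.relative_to(root_path).as_posix()
            if writable_by_others(full.lstat().st_mode) and rel not in allowed:
                findings.append(rel)
    return sorted(findings)


def harden(root: str, paths: Iterable[str]) -> int:
    """Remove group/world write bits from the given paths; returns how many changed."""
    changed = 0
    for rel in paths:
        full = Path(root, rel)
        mode = stat.S_IMODE(full.lstat().st_mode)
        if mode & SHARED_WRITE:
            os.chmod(full, mode & ~SHARED_WRITE)
            changed += 1
    return changed


def build_sample_tree() -> str:
    """Constructed sample share for the demo: 'policies' is meant to be read-only
    for staff, 'drop-box' is meant to be writable by everyone."""
    root = tempfile.mkdtemp(prefix="share-")
    policies = Path(root, "policies")
    policies.mkdir()
    (policies / "handbook.txt").write_text("staff should only read this\n")
    drop = Path(root, "drop-box")
    drop.mkdir()
    (drop / "upload.txt").write_text("anyone may edit this\n")
    os.chmod(policies, 0o755)
    os.chmod(policies / "handbook.txt", 0o664)  # the mistake: group-writable policy document
    os.chmod(drop, 0o1777)                      # intended: world-writable drop box, sticky bit set
    os.chmod(drop / "upload.txt", 0o666)
    return root


# Locations that are supposed to be writable by staff (an assumption for the sample).
INTENDED_WRITABLE = {"drop-box", "drop-box/upload.txt"}

if __name__ == "__main__":
    share = build_sample_tree()
    findings = audit_tree(share, INTENDED_WRITABLE)
    print("unexpectedly writable:", findings)                       # ['policies/handbook.txt']
    print("hardened:", harden(share, findings))                     # 1
    print("after hardening:", audit_tree(share, INTENDED_WRITABLE)) # []
```

Write access is exactly what ransomware running under a compromised account needs in order to encrypt a file, so every path the audit reports is a path that account could damage and that the backup would then have to restore. Run it against a real share with the allow-list set to the folders staff genuinely need to edit, and anything else it lists is a candidate for read-only permissions.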

They do say that prevention is better than cure, and one way to reduce the impact of ransomware is to stop it happening in the first place. The vast majority of the time, the user has to do something to install the software – click on a link, open an attachment – so if the user doesn’t do that, then the software can’t install. Admittedly it is not quite as simple as that, as very often the link or the email can be cleverly disguised and appear legitimate, but it is important to develop a culture whereby users think twice about their actions.

4 FBI. Incidents of Ransomware on the Rise. Available from: www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise [accessed 13th February 2017].

DATA BREACH

There are so many organizations to choose from, but when you think of a data breach, perhaps the one that springs to mind first is Yahoo!, who had one billion records stolen in 2013 and then another half billion stolen the following year5. That’s a significant breach and certainly eclipses any other known breach. Of course it’s important to add ‘known’ in there, as another organization may have suffered a bigger breach; they just don’t know about it yet, or at least have not admitted it yet.

Our organizations are so heavily reliant on data; it keeps us moving as we use it for research and development, we use it for marketing, we use it for sales, and we generally use it throughout our product/service lifecycle. It helps us to understand our customers so that we can meet their needs.

It is so valuable that lots of other organizations and individuals want it too, for reasons that include espionage, fraud or blackmail, among many other possible reasons.

ESPIONAGE

The Houston Astros, a Major League Baseball team in the American League West, discovered in June 2014 that their servers had been hacked, with information about player scouting and trade negotiations being accessed illegally. It later transpired that the hack was the work of former Astros employee and, by then, St Louis Cardinals’ Director of Baseball Development Christopher Correa. Correa has since been fired by the Cardinals, sentenced to 46 months in prison, and ordered to pay the Astros $279,038 in restitution6. The penalty for the Cardinals was much higher, with a $2 million fine and the loss of two trade picks7.

5 Wikipedia. Yahoo! data breaches. Available from: en.wikipedia.org/wiki/yahoo!_data_breaches [accessed 8th March 2017].

6 ESPN. Ex-Cards scouting director Chris Correa sentenced to prison for hacking Astros. Available from: www.espn.co.uk/mlb/story/_/id/17101079/chris-correa-former-st-louis-cardinals-scouting-director-sentenced-jail-hacking-houston-astros [accessed 20th February 2017].

7 ESPN. After investigation, MLB orders Cardinals to forfeit top two picks, pay $2 million to Astros. Available from: www.espn.co.uk/mlb/story/_/id/18586344/mlb-orders-st-louis-cardinals-forfeit-top-2-2017-draft-picks-pay-2-million-houston-astros [accessed 20th February 2017].

FRAUD

Data is a valuable asset and when used maliciously can be extremely profitable. In the days following the TalkTalk hack, when 157,000 records were stolen, one customer who had been in contact with the telecoms company to report a slow broadband speed had £3,200 stolen from her8. Using all the information they had gleaned about this lady, and without going into the details, criminals were able to persuade her to part with the money.

BLACKMAIL

Ashley Madison is an online dating site with one minor difference: the whole raison d’être for signing up is to have an affair. Naturally, one can assume that users of the site would like a little bit of discretion regarding their activities. So when the site was hacked in 2015 there were a lot of embarrassed and quite worried individuals who were desperate to keep their little secrets hidden, whatever the cost9.

HOW DO YOU PREVENT A DATA BREACH?

There are plenty of technical solutions that make your network more secure, and again you need to make sure that your network is up to date with security patches and anti-virus. It is worth noting, however, that the Yahoo! data breach was the result of someone clicking on the wrong link10. A study by the Ponemon Institute indicated that 61% of security breaches are the result of a malicious or negligent employee, so protecting yourself from the insider threat is a major step to take11.

8 This Is Money. TalkTalk customer scammed out of more than £3k after fraudsters target her with compensation overpayment trick. Available from: www.thisismoney.co.uk/money/saving/article-3582624/TalkTalk-customer-scammed-3k-fraudsters.html [accessed 8th March 2017].

9 CSO Online. Blackmail rising from Ashley Madison breach. Available from: www.csoonline.com/article/2980631/data-breach/blackmail-rising-from-ashley-madison-breach.html [accessed 8th March 2017].

10 The Hacker News. Yahoo! Hack! How It Took Just One-Click to Execute Biggest Data Breach in History. Available from: thehackernews.com/2017/03/yahoo-data-breach-hack.html [accessed 23rd March 2017].

11 The Ponemon Institute. Managing insider risk through training and culture. Available from: www.experian.com/data-breach/2016-ponemon-insider-risk.html?WT.srch=2016_insider_risk_pr [accessed 23rd March 2017].

DISTRIBUTED DENIAL OF SERVICE (DDOS)

It is estimated that one zettabyte of information travels across the internet every year, and while one may not seem a lot, it is worth noting that a zettabyte has 21 zeroes in it, so that’s a lot of data12. The good news is that the internet can cope with this, as there are an estimated 6.4 billion internet-connected devices in use, so the data is spread around13.

But what happens when all that data is focussed on one device or one server? On New Year’s Eve 2015, one of the world’s largest broadcasting companies – the BBC – had its website flooded with data in an attack that reached up to 602Gbps and ultimately took the whole site down for several hours, including the on-demand television service14.

This was a distributed denial of service (DDoS) attack, where compromised devices across the world bombarded a single server with so much data that it was no longer able to function. Sometimes the damage can be irreparable.

Clearly there is nothing the individual user can do to prevent such an attack, but it should be noted that these attacks are the result of many other devices being compromised and then used for malicious purposes.

With the rise of the Internet of Things, more and more devices are coming online, with potentially up to 50 billion by 2020, and many of these devices do not have effective security15. Just consider what devices you have that are connected to the internet – routers, smartwatches, fridges, televisions etc. Have you ever changed the default password? By reducing the number of devices that can be compromised, we are reducing the pool of devices that can be used for an attack.

12 Cisco. Cisco Visual Networking Index: Forecast and Methodology, 2015–2020. Available from: www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/complete-white-paper-c11-481360.pdf [accessed 24th February 2017].

13 Statista. Internet of Things (IoT): number of connected devices worldwide from 2012 to 2020 (in billions). Available from: www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/ [accessed 24th February 2017].

14 CSO. DDoS attack on BBC may have been biggest in history. Available from: www.csoonline.com/article/3020292/cyber-attacks-espionage/ddos-attack-on-bbc-may-have-been-biggest-in-history.html [accessed 24th February 2017].

15 Statista. Internet of Things (IoT): number of connected devices worldwide from 2012 to 2020 (in billions). Available from: www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/ [accessed 24th February 2017].

16 Keeper Security. What the most common passwords of 2016 list reveals. Available from: blog.keepersecurity.com/2017/01/13/most-common-passwords-of-2016-research-study/ [accessed 14th February 2017].

THE KEYS TO THE KINGDOM – PART I

Your computer network is your kingdom; it is where you store all the valuable data that allows you to go about your business. The device you use, whether it is your PC, laptop, tablet or smartphone, is the way in which you enter that kingdom, so it is important to keep it secure and prevent anyone with somewhat unscrupulous intentions from gaining access and stealing or corrupting your data.

How do you do this? By having a secure password for a start. Something that cannot be cracked by the most skilled hacker using the latest technology, or perhaps more obviously, something that cannot be guessed by the least skilled hacker with no technology.

A study conducted by Keeper Security earlier in 2017 revealed that, of the 10 million passwords that were made available to them as a result of a data breach, nearly 1 in 5 was ‘123456’16. The top ten list of passwords included:

1. 123456
2. 123456789
3. qwerty
4. 12345678
5. 111111
6. 1234567890
7. 1234567
8. password
9. 123123
10. 987654321

17 Business Insider. This website shows how long it would take for a hacker to break your password. Available from: www.businessinsider.com/hacker-password-cracking-test-2016-5 [accessed 23rd March 2017].

18 Random-ize. How long to hack my password. Available from: random-ize.com/how-long-to-hack-pass/ [accessed 23rd March 2017].

19 Business Insider. Tracks from the new Gorillaz album leaked online because someone found them on Vimeo and guessed the password. Available from: www.businessinsider.com/4-new-gorillaz-songs-leak-online-album-vimeo-saturnz-barz-2017-3 [accessed 23rd March 2017].

20 Thycotic. 300 billion passwords report. Available from: thycotic.com/resources/cybersecurity-ventures-protect-300-billion-passwords-worldwide-2020/ [accessed 14th February 2017].

21 Wired. Hack brief: Hackers breach a billion Yahoo accounts. A billion. Available from: www.wired.com/2016/12/yahoo-hack-billion-users/ [accessed 14th February 2017].

Without going into the technicalities of how passwords can be hacked, a Business Insider article identified just how long it takes to hack various types of passwords17. The article noted that a password like ‘123456’ or ‘password’ would take less than a second to crack. If you are curious how long it would take to crack one of your passwords, visit the Random-ize website, enter your password and find out18. You will probably be quite alarmed.

The main method used is called brute force. This can either use a pre-defined dictionary of possibilities, with the system trying each one until the right password is found, or, in the more traditional brute force attack, work through different combinations of letters, numbers and symbols until the right password is found. Naturally, the more characters you include in your password, the longer this will take. The more different types of character you use, such as letters (upper and lower case), numbers and symbols, the longer it will take to crack.
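The brute-force reasoning above (longer passwords and more character types enlarge the search space) can be put into numbers. The Python below is an added example written for this page, not code from the BCI report or the sources it cites: it sizes the alphabet a password draws on, estimates how long an exhaustive search would take at an assumed guess rate, and treats anything on the top-ten list from the previous section as found instantly, the way a dictionary attack would. The guess rate, the one-year policy threshold, the 100-character allowance for unusual characters and the function names are this example’s own assumptions.

```python
import math
import string

# The top ten passwords from the Keeper Security 2016 study, as listed in the report.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111",
    "1234567890", "1234567", "password", "123123", "987654321",
}

# Assumed attacker guess rate for the estimate (a hypothetical figure; real rates
# depend on the hashing scheme and hardware and vary by many orders of magnitude).
GUESSES_PER_SECOND = 1e10

# Assumed policy: reject anything an exhaustive search at that rate finishes inside a year.
MIN_SECONDS = 365 * 24 * 3600

CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 ASCII symbols
)


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force search must cover: the sum of every
    character class the password draws on."""
    size = 0
    leftovers = set(password)
    for chars, count in CHARACTER_CLASSES:
        if leftovers & chars:
            size += count
            leftovers -= chars
    if leftovers:
        size += 100  # assumed allowance for spaces or non-ASCII characters
    return size


def is_common(password: str) -> bool:
    """A dictionary attack tries the common list first, case-insensitively."""
    return password.lower() in COMMON_PASSWORDS


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust every string of the same length over the same alphabet.
    A password on the common list is treated as found instantly."""
    if is_common(password):
        return 0.0
    return charset_size(password) ** len(password) / rate


def entropy_bits(password: str) -> float:
    """Search-space size expressed in bits: length times log2(alphabet size)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess(password: str) -> dict:
    """Summarise a candidate password against the assumed policy."""
    seconds = brute_force_seconds(password)
    return {
        "length": len(password),
        "alphabet": charset_size(password),
        "bits": round(entropy_bits(password), 1),
        "years": seconds / MIN_SECONDS,
        "common": is_common(password),
        "verdict": "reject" if seconds < MIN_SECONDS else "accept",
    }


if __name__ == "__main__":
    # '2017' is the password from the Gorillaz story that follows; the long one is
    # the report's own example of an uncrackable-but-unmemorable password.
    for candidate in ("123456", "password", "2017", "Eagles2017", "3qgtys@wn?X!WJyC"):
        print(candidate, assess(candidate))
```

Run it and ‘2017’ falls in a microsecond at the assumed rate, while the report’s sixteen-character example holds out for around 10^14 years. The estimate covers exhaustive search only: ‘Eagles2017’ clears the one-year threshold, yet it is exactly the kind of team-plus-year string a wordlist attack would try early, which is why the report treats guessing as a separate problem from cracking and why a real policy also checks candidates against breached-password lists.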

While this makes it sound easy to crack a password, it is sometimes even easier to guess one. The UK music band – Gorillaz – are set to launch a new album later in 2017, and some of the tracks from this album were leaked online prior to the launch19. The band had a selection of tracks hosted on their Vimeo account, and one of their fans guessed the password and managed to gain access. The password was ‘2017’.

As well as having strong passwords, it is also important to change them regularly. Keeping your own password secure is one thing, but can you trust others to keep it secure? Data breaches resulting in large numbers of passwords being compromised are becoming more and more commonplace. According to Thycotic’s 300 billion passwords report, more than 3 billion user credentials and passwords were stolen in 2016, with 8.2 million passwords being stolen every day and approximately 95 passwords stolen every second20. Let’s not forget the Yahoo! hack in 2013 that led to over one billion user account details being stolen, and this was distinct from another hack of the same company a year later that led to half a billion user details being stolen21. If passwords are routinely changed then it means that stolen passwords will soon be obsolete.

It is also worth ensuring that passwords for different accounts vary. If your password for one account is stolen, you don’t want the hacker to therefore have access to all your accounts by using the same password.

22 Ars Technica. Hacked French network exposed its own passwords during TV interview. Available from: arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/ [accessed 14th February 2017].

23 Infosecurity Magazine. Eagles Take the #SuperBowl of Passwords. Available from: www.infosecurity-magazine.com/blogs/eagles-take-the-superbowl-of/ [accessed 23rd March 2017].

THE KEYS TO THE KINGDOM – PART II

So we’ve now got our uncrackable password that no one could ever possibly guess, and one that will take a hacker too long to crack to justify their time. The problem now is, “How am I supposed to remember ‘3qgtys@wn?X!WJyC’?” There is no logic to it and even someone with the best memory is going to struggle.

The solution – “I’ll write it on a post-it note and hide it under my keyboard!” If you go to any office then the chances are that you will find this happening, whether it is on a post-it note securely hidden under the keyboard where no one will ever find it, or written on the inside of the user’s diary, or perhaps tucked away in the top drawer, as they are both far more secure. Some users don’t even try to hide it; they just stick the post-it note to their monitor.

It is human nature to make things easy for ourselves, and that includes not putting in the effort to remember a password when we can just write it down somewhere.

It was even speculated that a French television network which experienced an intrusion into their network made themselves vulnerable by broadcasting their password during an interview. The interview they conducted happened to feature an employee’s desk in the background, which included, among a host of other paperwork, a post-it note with a user name and password22.

In this day and age it can be an impossible task to try and remember all the passwords that we have to use on a daily basis, particularly if we are told that our child’s name or favourite sports team isn’t an acceptable password either, forcing us to choose something a little less memorable. Incidentally, prior to Super Bowl 2017, a study was done on a list of leaked passwords that found that the Philadelphia Eagles came top of the charts when it came to fans using the name of their favourite NFL team as their password23.

There are, however, a selection of tools that can be used to securely store your passwords. Password managers or digital vaults can enable you to store all your passwords securely and even advise you if your password is too weak or has been duplicated. Whatever you choose to do, just don’t make your password visible to others.

24 Fellowes. National survey uncovers data breach vulnerabilities in the workplace. Available from: assets.fellowes.com/press/fellowes%20businessProfessionals%20Press%20Release.pdf [accessed 14th February 2017].

25 Preempt. The growing security threat from insiders. Available from: info.preempt.com/insider_threat_report [accessed 14th February 2017].

SHUTTING THE DOOR BEHIND YOU WHEN YOU LEAVE

Now our networks are secure, with a strong password protecting them, a password that is not written down anywhere for someone to find. What could possibly go wrong? Well, there’s little point in having a password if you don’t actually use it. You would never leave your house or car with the door wide open, so why would you do such a thing with your computer?

You can often walk round an office and see empty desks with computers switched on and unlocked. Perhaps the user has just gone for a cup of coffee, or perhaps they’ve taken their hour-long lunch break or they’re in a meeting which will last several hours. It doesn’t take long for someone to get into your computer and access your files.

According to a study carried out by Fellowes back in 2012, more than a quarter of users (26%) are guilty of leaving their computer unlocked when they’re away from their desk24.

Of course you may think you’re safe when you’re in your own office, and no doubt you trust your colleagues, but let’s not forget that many studies have identified the insider threat as a similar concern to the outsider threat. Research from Preempt showed that 49% of IT security professionals are more concerned about the insider threat25.

So whether it is your colleagues giving you a slightly embarrassing Facebook status, or something far more sinister like deleting or removing files, there can be a price to pay for not locking your computer.

26 F-Secure. Great Politician Hack Report. Available from: fsecureconsumer.files.wordpress.com/2016/05/greatpoliticianhack.pdf [accessed 14th February 2017].

NO SUCH THING AS A FREE LUNCH

So we’ve now learnt that we need to have a strong password which we need to keep hidden away, and if we are apart from our devices then we need to make sure they are locked. What next?

One of the first things we do when we’re in a coffee shop, or airport, or many other places, is to log on to the free public wifi, just to check our emails or browse the internet while we’ve got a spare few minutes.

But as they say, there’s no such thing as a free lunch. Very often the reason that wifi is free is because the provider wants something – your details. When you register for the wifi you normally have to supply your name and email address, and then the providers can start trying to sell their product to you. And we’re usually happy to accept this. There’s probably nothing wrong in that, but how do we know we’re using the right wifi? How do we know it’s not someone more sinister providing the wifi, someone masquerading as the supplier, in order to obtain more than just your registration details?

It’s not that complicated a process to set up a wifi signal, and once someone has requested access to that signal, they have potentially also granted access to their own device for a hacker to have a look through.

In 2015, F-Secure conducted a study involving four high-profile UK politicians to demonstrate just how insecure accessing public wifi can be. The Great Politician Hack Report revealed that within half an hour of accessing the wifi, one politician had their Gmail account hacked, another had an internet phone call intercepted and recorded, while another had their Facebook account hacked26. It didn’t matter that they had strong passwords: when those passwords were entered while logged into the wifi, they passed freely through the router and were made available to the hacker.

Thankfully this was just a test to show what could be done, but the report notes that if politicians were to have their social media accounts hacked just prior to an election, and an erroneous post was made, it is possible that this could change voter opinion. The recent Brexit referendum and US Presidential election show how powerful misinformation can be, and that it is extremely difficult to take back once it is ‘out there’.

So what can be done to make your network more secure? First of all, if you are connecting to the public wifi, make sure you are connecting to the right network and not the network set up by the dodgy guy sitting in the corner. Fake networks will often be set up with legitimate-sounding names that mimic the location or popular providers, so don’t think that just because the name matches the coffee shop you’re in it is legitimate. If in doubt, ask someone behind the counter what the wifi name is; most coffee shops display the name of their wifi anyway.

Use a virtual private network (VPN) wherever possible to connect to the internet, particularly if you are dealing with sensitive information. Setting up a VPN means that users can use a public network as though it were a private one, by encrypting data that is sent out.

One of the reasons we use public wifi is to save on our data allowance, so perhaps it may be worth considering an extended data contract, or even opting for unlimited data from your provider. This means there will be far fewer instances when you’ll need to connect to public wifi, and most modern phones/networks offer fast enough connection speeds to prevent any frustrating delays.

If you’re using a wireless network that is effectively ‘unknown’, in that it isn’t a home or office network you are familiar with, avoid activities that involve sensitive information wherever possible. While you may still be at risk of some of the problems highlighted previously, it would at least help prevent this sensitive data from being compromised.

Finally, consider whether it’s really necessary to be online at that particular time. It’s quite possible that whatever needs doing could wait until you return home or reach the office, or could using the phone’s own data connection be a realistic alternative?


CURIOSITY KILLED THE CAT

When was the last time you actually bought a USB memory stick? In many cases, the devices we use have been given to us free of charge by marketers using them as a tool to try and sell their product. Can we trust the information that is on them? In some cases, however, it is not a device that we have been given that we plug into our machines, it is one that we’ve found. They say that curiosity killed the cat; well, it also has the potential to kill our computer networks if we don’t know what we are plugging into them.

In 2016, researchers at the University of Illinois conducted a study whereby they positioned 297 USB sticks across the campus to ascertain the behaviour of the finders. The paper produced revealed that of all the devices that were dropped, 135 had files within them opened up, while a further 155 were picked up, although whether they were plugged in is unknown [27]. The study showed that nearly half of participants were happy to plug in the device, most of whom did not use any formal precautions prior to opening files, potentially allowing malicious software to be downloaded and installed.

The University of Illinois study had slightly more alarming results than an earlier study commissioned by CompTIA [28]. In their study, 200 USB sticks were dropped in public places and 17% of those were plugged in and had files opened up.

Of course you shouldn’t always assume that it is just the less cyber aware who plug untrusted USB sticks into their device; the ‘experts’ are just as guilty. A study conducted by AhnLab at the RSA Conference in 2013 found that over three quarters (78%) of IT security professionals admitted to picking up and plugging in USB flash drives found abandoned or lying around [29].

It is also important to note that it is not just devices you find ‘lying around’ that perhaps shouldn’t be trusted. USB sticks from reputable sources should also be treated with caution, as attendees at the Australian Information Security Conference found in 2010 when free USB sticks from an extremely reputable vendor were discovered to have malware on them [30].

[27] Tischer M, Durumeric Z, Foster S, Duan S, Mori A, Bursztein E, Bailey M. Users really do plug in USB drives they find. Available from: zakird.com/papers/usb.pdf [accessed 13th February 2017].
[28] CompTIA. Cyber Secure: A look at employee cyber security habits in the workplace. Available from: www.comptia.org/resources/cyber-secure-a-look-at-employee-cybersecurity-habits-in-the-workplace [accessed 13th February 2017].
[29] AhnLab. 78% of IT Professionals Admit Picking up and Plugging In Abandoned USB Drives. Available from: global.ahnlab.com/site/main.do [accessed 8th March 2017].
[30] SC Magazine. IBM distributed infected USB drives at conference. Available from: www.scmagazine.com/ibm-distributed-infected-usb-drives-at-conference/article/557760/ [accessed 8th March 2017].


WELCOMING INTRUDERS INTO YOUR NETWORK

So often we are told to be careful about what links we click on, but there is a psychology involved in creating links and it is all too easy to be drawn in to what the link is offering – perhaps a juicy bit of celebrity gossip, or the chance to get some money, or perhaps something that resonates with one of our addictive natures. There are many things that can be done to entice people to click. Clickbait is becoming more and more common, and in reality the link title often bears very little relevance to what lies behind it. But while clickbait is more about encouraging click-throughs in order to get advertising revenue, sometimes links, and what lies behind them, can be a lot more sinister.

Phishing, in which an email is disguised as coming from a trusted source in order to encourage the user to take some action, is becoming more common. This could be a completely speculative email, or it could be more targeted, what is known as spear phishing, whereby the attackers will use some basic information they already have on you to encourage you to hand over more. An example of a phishing attack might be to send an email that looks like it is from the user’s bank encouraging them to visit the website and log in. The account it comes from will look very close to being legitimate and the website it directs you to will look much like the real one. But that is where the similarity ends. Once you have logged in, you have just given the hackers your log-in details. It may not be the case that they want you to enter information; they may just want you to click on the link, as this has the effect of downloading a malicious piece of software to your computer and perhaps your entire network.

Researchers at the Friedrich-Alexander-Universität conducted a study which found that more than half of e-mail recipients (56%) and around four in ten Facebook users clicked on a link from an unknown sender even though they knew of the risks of their computer becoming infected with a virus [31]. When asked why they clicked on the link, the large majority of participants said that it was due to curiosity with regard to the content of the photos or the identity of the sender.

As noted earlier in this report, the Yahoo! data breach was the result of someone clicking on the wrong link and therefore allowing the attacker into their network. Users need to demonstrate more caution, and certainly more restraint, when clicking on links.

[31] Friedrich-Alexander-Universität. One in two users click on links from unknown senders. Available from: www.fau.eu/2016/08/25/news/research/one-in-two-users-click-on-links-from-unknown-senders/ [accessed 8th March 2017].


CONCLUSIONS

We are faced with cyber threats all the time and sooner or later those threats will materialise. As the saying goes, the good guys have to be lucky all the time, the bad guys need only be lucky once. As technology evolves so does the threat, and as the threat evolves, so do the security mechanisms put in place to combat it, and as these evolve so do the threats, and so on. It is an endless dance of protecting our computers and our networks from those who wish to do us harm, or at least profit from our loss.

While it is likely that we will at some point suffer a cyber security incident, there is no need for us to make it easy for the hackers. Each and every one of us can do something, or indeed several things, to help protect ourselves. These are simple things which include:

1. Use a safe, secure password that cannot be easily deciphered, or in fact guessed. Rather than using 123456, or the name of your favourite sports team, use a random combination of at least twelve characters including letters (upper and lower case), numbers and symbols. Also use different passwords for different accounts.

2. Clearly a password as described above isn’t memorable, and certainly if you have a different password for every account, remembering them all is an impossible task. Don’t, however, write your password down on a post-it note and hide it under your keyboard, or write it in a password notebook that you leave on your desk. If you are having trouble remembering passwords, use a password vault that can secure them with a good level of encryption.

3. Don’t leave your IT devices unlocked so that anyone could gain access to them and all your sensitive data when you are away. If you leave your computer unattended, make sure you lock it before you go. Make sure you use the lock functions on your smartphones and tablets. You would never intentionally leave your house or car unlocked, so why do so with your technology?

4. Be careful when using public wifi. If you do need to use it, and let’s face it we all do, then at least make sure that you are using the official version and not a fake set up. If you’re in a coffee shop then ask at the counter what the wifi name is and make sure you log on to that. Even that may not be entirely secure, so use a virtual private network when using public wifi as that adds a degree of encryption to your browsing. Furthermore, think twice about what data you send over the network when using public wifi. Is it sensitive data? Could it wait until you are on a trusted network?

5. If you find a USB stick lying on the ground, don’t let curiosity get the better of you so that you plug it in and start clicking on files. Even if you have a supposedly trusted USB stick, it might be astute of you to check it is free of anything malicious first. If you absolutely must plug it in then run a scan on it first on an isolated computer to check for viruses.

6. Don’t click on links that cannot be trusted as you may inadvertently invite the attackers into your network. Links can be hidden behind links, so what you see is most certainly not what you get.
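The phishing section and point 6 above both make the same point: the address a link shows you need not be the address it takes you to. As an added illustration that is not part of the BCI report, the Python below parses the HTML of an email and flags any anchor whose visible text names a different host than its real href; the sample email and every domain in it are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None  # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Host named by a URL or bare domain, lower-cased, without a leading 'www.'."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_deceptive_links(html):
    """Return (href, shown_text) for anchors whose displayed address points elsewhere.
    Plain wording such as 'click here' names no host, so it is not judged here."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.anchors
            if " " not in text and "." in text and _host(text) != _host(href)]


# Constructed sample email body; every domain in it is made up for this example.
SAMPLE_EMAIL = """<p>Dear customer, please visit
<a href="http://login.examplebank-secure.example/verify">www.examplebank.example/login</a>
to confirm your details.</p>
<p>See <a href="https://www.thebci.org">www.thebci.org</a> for resources.</p>
<p><a href="https://example.org/promo">Click here</a> for an offer.</p>"""

if __name__ == "__main__":
    for href, shown in find_deceptive_links(SAMPLE_EMAIL):
        print(f"shown as {shown!r} but leads to {href}")
```

The check is deliberately a heuristic: it catches a displayed address that disagrees with the real target, which is exactly the case in point 6, but a link whose text is plain wording still has to be judged by hovering over it or checking the destination before clicking.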


ABOUT BUSINESS CONTINUITY AWARENESS WEEK

Business Continuity Awareness Week (BCAW) is an annual global event organized by the Business Continuity Institute to raise awareness of the importance of business continuity and resilience. Featuring publications, webinars and other resources promoting the importance of business continuity and resilience, this event is aimed at organizations. This year’s event has a theme of ‘cyber security’ and focuses on the role that individuals can play in helping to improve cyber security, and seeks to demonstrate that everyone has a part to play in building an organization’s resilience – a fundamental aim of business continuity.

ABOUT THE BCI

Founded in 1994 with the aim of promoting a more resilient world, the Business Continuity Institute (BCI) has established itself as the world’s leading Institute for business continuity and resilience. The BCI has become the membership and certifying organization of choice for business continuity and resilience professionals globally with over 8,000 members in more than 100 countries, working in an estimated 3,000 organizations in the private, public and third sectors.

The vast experience of the Institute’s broad membership and partner network is built into its world class education, continuing professional development and networking activities. Every year, more than 1,500 people choose BCI training, with options ranging from short awareness raising tools to a full academic qualification, available online and in a classroom. The Institute stands for excellence in the resilience profession and its globally recognised Certified grades provide assurance of technical and professional competency. The BCI offers a wide range of resources for professionals seeking to raise their organization’s level of resilience, and its extensive thought leadership and research programme helps drive the industry forward. With approximately 120 Partners worldwide, the BCI Partnership offers organizations the opportunity to work with the BCI in promoting best practice in business continuity and resilience.

The BCI welcomes everyone with an interest in building resilient organizations, from newcomers and experienced professionals to organizations. Further information about the BCI is available at www.thebci.org.

ABOUT THE AUTHOR

ANDREW SCOTT, Senior Communications Manager

Andrew Scott is the Senior Communications Manager at the Business Continuity Institute, who joined after a brief stint working as the Press Officer for a national health charity. Prior to that he had over ten years at the Ministry of Defence working in a number of roles including communications and business continuity. During this time he also completed a Masters in Public Relations at the University of Stirling. Andrew took his CBCI exam in November 2014 and passed with merit.


CONTACT THE BCI

Andrew Scott
Senior Communications Manager
10-11 Southview Park,
Marsack Street
Caversham, RG4 5AF,
United Kingdom.
+44 (0) 118 947 8215
www.thebci.org
@thebceye