Security IT Summit | Forum Events Ltd

Posts By: Stuart O'Brien

Don’t click if you receive any of these emails…

Hackers are getting smarter and now know how to leverage psychological triggers to get the attention of victims, according to a new report.

KnowBe4, a provider of security awareness training and a simulated phishing platform, has published its Top 10 Global Phishing Email Subject Lines for Q2 2018. The messages in the report, which were compiled from analysing KnowBe4 user data, are based on simulated phishing tests users received or real-world emails sent to users who then reported them to their IT departments.

Ironically, the top three messages for Q2 2018 show that hackers are playing into users’ commitment to security, all tricking users with clever subject lines that deal with passwords or security alerts.

Hackers continue to take advantage of the human psyche. A recent report from Webroot validates this notion with IT decision makers believing their organisations are most vulnerable to phishing attacks – more so than new forms of malware. Some 56 per cent of IT decision makers in the US believe their businesses will be most susceptible to phishing attacks, while 44 per cent of IT decision makers in the UK are most concerned with ransomware attacks. By playing into a person’s psyche to either feel wanted or alarmed, hackers continue to use email as a successful entry point for an attack.

“Hackers are smart and know how to leverage multiple psychological triggers to get the attention of an innocent victim,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4. “In today’s world, it’s imperative that businesses continually educate their employees about the tactics that hackers are using so they can be savvy and not take an email at face value. Hackers will continue to become more sophisticated with the tactics they use and advance their utilisation of social engineering in order to get what they want.”

The Top 10 Most-Clicked General Email Subject Lines Globally for Q2 2018 include:

  1. Password Check Required Immediately
  2. Security Alert
  3. Change of Password Required Immediately
  4. A Delivery Attempt was made
  5. Urgent press release to all employees
  6. De-activation of [[email]] in Process
  7. Revised Vacation & Sick Time Policy
  8. UPS Label Delivery, 1ZBE312TNY00015011
  9. Staff Review 2017
  10. Company Policies-Updates to our Fraternisation Policy

GUEST BLOG: Security insights from the outer edge

Gallagher Security Perimeter Product Manager, Dave Solly, talks about security at the perimeter and not just at the door…

If there’s one area of security that’s often overlooked in commercial channels, it’s perimeter. This all too common gap in thinking is preventing businesses from really solving their security issues, often issues they don’t realise, or don’t want to admit they have.

As a product manager for perimeter systems, of course I’d say that. But hear me out.

In my experience, few businesses who have a security problem think they need a perimeter solution. Instead, they turn to traditional access and intruder solutions and their well-known benefits of business efficiency, compliance and risk management. These are all great reasons to spend money on a reader at the door, but they don’t address the business continuity problem at the gate, nor do they provide any protection to outdoor assets or the building itself. That’s where the perimeter comes in.

What’s the difference between securing a door and securing a gate? In my opinion, other than the physical structure, not a lot, though many organisations would rather secure a building because that’s where they see the value. But if an intruder is already in your yard, breaking through a door, then damage has already occurred and the intruder has potentially reached your assets anyway. Securing your perimeter allows you to solve this. Wouldn’t you rather stop an intruder before they even have a chance to get in?

Too often, perimeter security is a box-ticking exercise: employ a guard and put in CCTV cameras. This type of approach is cheap, easy to deploy and very common. It’s also retrospective, prone to human error, reliant on other technologies to be truly useful, and often results in continued security problems.

As the first cordon of security, your perimeter system gives you the chance to completely stop theft and damage from intruders. Not reduce: completely stop. I’ve seen many examples where this has happened – such as when a freight depot was experiencing ongoing fuel theft, they invested in a secure, well designed perimeter solution. Overnight, intruders and theft disappeared and they haven’t had a problem since. Right now, you should be asking not just “What investment have we put in to our perimeter?” But also “How much do we value our business?”

Theft, damage, trespassers and accidental access to potentially dangerous environments are all risk factors that put business continuity firmly at the heart of perimeter security. The low upfront cost of the most common perimeter solutions needs to be considered in the context of ongoing guard patrol expenses, lost work time to fix damage, replacing stolen assets and the often unseen cost to staff morale of repeated break-ins. What’s the true cost of your not-so-secure perimeter?

In places like water treatment plants, rail yards, council yards, manufacturing plants and power stations there’s also a duty of care required to the community – preventing people from accessing dangerous environments and doing silly things. As a kid growing up in the country, I remember running on the conveyer belts in the nearby dolomite (fertiliser) plant. Interestingly, the control room and processing rooms were secure, but not the conveyor that feeds the rocks into the crusher. Perimeter security would’ve prevented me from doing what in hindsight was clearly very foolish (but fun at the time). This is a good example of the growing need for proper protection at the perimeter – for both your organisation and the public.

There needs to be a widespread change in mind-set when it comes to perimeter security for commercial businesses. Done well, a perimeter solution is an important investment in business continuity and duty of care, with a huge impact on safety and cost reduction in the long term. It’s a change in thinking many businesses can’t afford to ignore.

McAfee unveils new enterprise security portfolio

McAfee says its new MVISION portfolio offers a comprehensive, flexible defense system that manages security products with multiple devices and the cloud in mind.

Specifically, the firm says MVISION strengthens the device as a control point in security architectures by delivering simplified management, stronger Windows security, behavior analytics, and threat defense for Android and iOS devices.

Plus, with its single integrated management workspace, MVISION has been designed to empower enterprise security professionals to proactively manage, optimise, and integrate security controls across any combination of McAfee advanced protection and Windows 10 native capabilities.

“To overcome the complexity created by too many device types, security products, and consoles, things must get simpler and the directional approach to security must shift,” said Raja Patel, vice president and general manager, Corporate Security Products, McAfee. “Modern device security needs to defend the entire digital terrain while understanding the risks at play. This first wave of McAfee’s MVISION technology portfolio provides businesses with an elevated management perspective where security administrators can more easily defend their devices and fight cyber-adversaries in a cohesive and simplified manner.”

The new McAfee MVISION portfolio includes McAfee MVISION ePO, McAfee MVISION Endpoint, and McAfee MVISION Mobile.

ePO is a SaaS that offers a simplified, centralised point of view and comprehension. It removes the deployment and maintenance overhead of backend infrastructure and allows customers to easily migrate their existing ePO environment. Organisations can focus exclusively on reducing security risk with the agility of the cloud ensuring they are always running the latest security capabilities. In addition to the new MVISION ePO SaaS offering, ePO has been updated to enable security teams to better understand threat risks, ensure security compliance, and act faster with less effort than ever before.

Risk-based approach needed to stop cyber crime

A report by Gartner has advised companies to take a risk-based approach to stop cyber crime, rather than trying to prevent attacks with large-scale, expensive security deployments.

A survey commissioned by Gartner of 3,160 CIOs across 98 countries and various major industries showed that 35% had already invested in a form of digital security at their company, with 36% admitting that they were planning to activate digital security at their company in the short term.

Discussing the findings, Rob McMillan, research director at Gartner, said: “Raising budgets alone doesn’t create an improved risk posture.

“Security investments must be prioritised by business outcomes to ensure the right amount is spent on the right things.”

McMillan advised companies to take a risk-based approach, with businesses continuously changing plans and security techniques as and when necessary.

“Taking a risk-based approach is imperative to set a target level of cybersecurity readiness,” added McMillan.

“In a twisted way, many cybercriminals are digital pioneers, finding ways to leverage big data and web-scale techniques to stage attacks and steal data.

“CIOs can’t protect their organisations from everything, so they need to create a sustainable set of controls that balances their need to protect their business with their need to run it.”

Microsoft launches identity bug program

Microsoft has unveiled a new bug program that rewards researchers up to $100,000 for discovering vulnerabilities in Microsoft’s Identity services.

Rewards offered range from $500 to $100,000 for any flaws found that impact a range of services, including Microsoft and Azure Active Directory accounts, OpenID and OAuth 2.0 standards, Microsoft Authenticator applications for iOS and Android and identity services.

On a page dedicated to the new bug program, Microsoft invites security researchers who may have discovered a security vulnerability to disclose the problem privately to the company, so that it has the opportunity to fix the issue before technical details are published, stating that “together we can bring assurance that digital identities are safe and secure.”

Microsoft goes on to say that “a high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up containing any required background information, a description of the bug, and a proof of concept. We recognise that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.”

A full description of the program can be found here.

UK firms ‘overconfident’ on cybersecurity

Businesses are displaying a false sense of security when it comes to their IT security, flying in the face of evidence showing rising incidents of cyber attacks.

That’s the conclusion of a study conducted by Ovum on behalf of US-based analytics firm FICO, which found that three quarters of UK execs felt their firm was better prepped than competitors for a cyber attack.

What’s more, 43 per cent said their firm was a top performer – second highest only to Canada out of the eight countries surveyed.

By comparison, 68 per cent of executives from US firms said their firm was better prepared than their competitors, and 37 per cent said their firm was a top performer.

Ovum conducted telephone surveys for FICO of security executives at 500 companies in the US and 10 other countries in order to compile its report.

Power and utilities provider respondents in the US were the most confident, or least realistic, with 86 per cent rating their firms above average or top performers.

Financial services respondents were the least confident, or most realistic, with 60 per cent rating their firms above average or top performers.

In the UK, financial services respondents were least realistic, with 96 per cent rating their firms above average or top performers, while retail and e-commerce respondents were most realistic, with 57 per cent rating their firms above average or top performers.

Only 36 per cent of organisations are carrying out more than a point-in-time assessment of what their cybersecurity risk is.

Security IT Summit 2019: Save The Date!

The next Security IT Summit will take place on July 2nd 2019 at the Hilton London Canary Wharf – secure your place today!

The event will provide you with a rare full working day of networking, learning and connection building – plus cost-saving cybersecurity solutions.

In short, the Security IT Summit will enable you to lay the groundwork for your organisation’s cyber security strategy.

And what’s more, the Security IT Summit is completely FREE to attend as our VIP guest – benefits include:

– A personalised itinerary of meetings with solution providers who match your project requirements
– Attendance to a series of seminar sessions hosted by industry thought leaders
– Informal networking with peers
– Lunch and refreshments provided throughout the day

You’ll be joining 65+ other senior IT security professionals, and the industry’s most trusted solution providers.

Among the delegates attending the last Security IT Summit were representatives from Arcadia, British Red Cross, Barclays PLC, Cancer Research, Fenwick, Financial Ombudsman Services, GE Capital, John Lewis, London Stock Exchange Group, Marshall Motor Group plc, Moonpig, Nationwide, O2 Telefonica, Pret A Manger, Prudential, The Guardian, Vodafone, Yorkshire Housing and more.

Register for your free place here.

Or for more information, contact Emily Gallagher on 01992 374085 / e.gallagher@forumevents.co.uk.

To attend as a solution provider, call Chris Cannon on 01992 374096 or email c.cannon@forumevents.co.uk.

Do you specialise in Authentication Systems? We want to hear from you!

Each month on IT Security Briefing we’re shining the spotlight on a different part of the cyber security market – in August we’re focussing on Authentication Systems.

It’s all part of our ‘Recommended’ editorial feature, designed to help IT security buyers find the best products and services available today.

So, if you’re an Authentication specialist and would like to be included as part of this exciting new shop window, we’d love to hear from you – for more info, contact Lisa Carter on lisa.carter@mimrammedia.com.

Here are the areas we’ll be covering, month by month:

August – Authentication

September – Penetration Testing

October – Vulnerability Management

November – Employee Security Awareness

December – Malware

For information on any of the above topics, contact Lisa Carter on lisa.carter@mimrammedia.com.

UK government introduces ‘Minimum Cybersecurity Standard’

The UK government has outlined the minimum cybersecurity standards that it expects for its own day-to-day operations in a new document developed in collaboration with the National Cyber Security Centre.

Over time, the measures will be incremented to continually ‘raise the bar’, address new threats or classes of vulnerabilities and to incorporate the use of new Active Cyber Defence measures.

The new standard will be incorporated into the Government Functional Standard for Security, obliging government departments and suppliers to comply.

The Minimum Cybersecurity Standard was published last week – you can view/download it here.

The HMG Security Policy Framework (SPF) provides the mandatory protective security outcomes that all Departments are required to achieve. The document defines the minimum security measures that Departments shall implement with regards to protecting their information, technology and digital services to meet their SPF and National Cyber Security Strategy obligations.

The Standards comprise 10 sections, covering five categories: Identify, Protect, Detect, Respond and Recover, and also set expectations for governance, such as obliging government departments to create “clear lines of responsibility and accountability to named individuals for the security of sensitive information and key operational services”.

Other elements of the Standard include the requirement for departments to identify and catalogue sensitive information they hold, implement access controls, and also implement TLS encryption standards for email. In addition, departments will be required to have cyber-incident response plans, as well as cyber-attack detection measures.

Nine graduates pass through NCSC Cyber Accelerator

A group of tech start-ups have become the latest to graduate from a Government initiative to advance the next generation of cyber security systems.

The nine-month GCHQ Cyber Accelerator (now renamed the NCSC Cyber Accelerator), delivered in partnership with Wayra UK, part of Telefónica Open Future, saw nine companies develop cutting-edge products and services to help enhance the UK’s cyber defences.

Part of the UK Government’s £1.9bn National Cyber Security Strategy and the Cheltenham Innovation Centre, the Accelerator is a collaboration between the Department for Digital, Culture, Media and Sport (DCMS), GCHQ, National Cyber Security Centre (NCSC), and Wayra UK and aims to drive innovation in the cyber security sector.

Firms selected to take part in the second round had access to personnel and technical expertise at the NCSC and GCHQ, as well as the Telefónica global business network. They also received £25,000 in funding, high-quality mentoring and office space.

Innovations developed include a cloud service solution to connect Internet of Things devices with end-to-end authenticated, encrypted security and a service to solve the problem of age verification and parental consent for young adults and children in online transactions.

Companies who took part were Cybershield, Secure Code Warrior, RazorSecure, Elliptic, Intruder, Trust Elevate, Warden, Ioetec and ExactTrak.

NCSC, DCMS and Wayra UK will soon be calling for cyber start-ups to join the third round of the programme – now renamed to the NCSC Cyber Accelerator – to help address some of cyber space’s key challenges.

Innovative entrepreneurs and start-ups can now register interest in participating in the nine-month programme, which will include ten innovative, agile companies in 2018/19.

Secretary of State for Digital, Culture, Media and Sport, Matt Hancock, said: “With so much of our daily lives connected to the internet, it is vital the UK leads the way on cyber security to fulfil our ambition of making Britain the safest place in the world to be online.

“The NCSC Cyber Accelerator programme is a great example of government, industry and tech start-ups coming together to benefit from the advice of world-class experts and tackle cyber crime.”

Chris Ensor, NCSC Deputy Director for Cyber Skills and Growth, said: “On behalf of the NCSC, I would like to congratulate the second cohort on their completion of the Accelerator.

“It has been exciting to collaborate with such innovative start-ups, tackling such a broad range of problems.

“I’m really pleased that Wayra UK will continue to be our partner. I look forward to working with them and meeting more pioneering entrepreneurs as we launch the next cohort.”

Gary Stewart, Director of Wayra UK, said: “We are really pleased to be continuing our partnership with GCHQ. It’s one of our most strategic and successful partnerships.

“Indeed, our first two cohorts have raised more than £20 million in funding, have created 19 British jobs and have won 15 trials and contracts worth over £3 million. And this has been just in the last 18 months.”