ProfSec27-09ps

IS NOW
Combining thermal security cameras with video management systems.
www.flir.com
Untitled-20 1 18/02/16 10:18
detective’s appeal:
Also protect
your digital
perimeters
Cyber was on the agenda of the most
recent ST17 conference.
Pictured: Dave Porter
speaking at the ST17
conference at the
Majestic, Harrogate
in July
Morning seminar
The Yorkshire and
Humberside cyber crime
unit has been running
seminars for businesses
and others to better
understand the risks, most
recently on cyber incident
response planning, on
August 3, at Sheffield
Hallam University;
including how to manage
the media and customers
through an attack.
58
UNHAPPY
‘If you were lucky
enough not to have
been effected by
WannaCry or Petya take
it as a sign. Remember,
you don’t have nine
lives.’
Tim Erlin, VP at IT
security firm Tripwire.
One of the detectives from the
Yorkshire and Humberside
cyber crime unit, Dave Porter,
spoke at Harrogate. That’s one of nine
regional units. While the National
Crime Agency and the NCSC (National
Cyber Security Centre) also do similar
work, Dave began by saying how
many staff were in his unit: six, five
detectives and one sergeant. While that
might not sound many, Dave added
that police forces were ‘encouraged’
to bring on their own cyber units; and
he foresaw upskilling of police, so that
when a cop was called out, he would
be as able to deal with the thief stealing
from your bank account, as the thief
on the street. However, that did beg
the question of how able police now
are to, for instance, seize computers
as evidence, and investigate, let’s
say, the high-profile recent cases of
ransomware, as Dave mentioned.
What are you doing
Dave raised some questions for the
security audience; when installing
equipment such as a video recorder,
do you know exactly what you are
doing? Is there a vulnerability through
a IP-connected device? Because if
there is, he went on, the chances are
that someone is scanning, trying to
find such devices, looking if there is
something they can use. “All I am
asking, you are in the physical world,
protecting perimeters; you need to
do that in your digital world as well.
Know your perimeter, know your
architecture, know what is installed,
map it, walk around it in your head.
Cyber crime, yes, it is technical, but
most preventative measures are what
you would do in the physical world.”
Walking around parts of a city with
headphones and sunglasses on would
be a risk, not something you would do;
but people are not taking equivalent
SEPTEMBER 2017 PROFESSIONAL SECURITY
due care in cyber-space, he said.
Poor passwords and user names are
one of the biggest vulnerabilities;
use ‘password’ as a password, and
that will get smashed in seconds, he
warned. If you have Windows XP (that
is, the software that Microsoft has
ended support for) running anywhere
on your systems, take it offline and
decide how you can protect it. In other
words, such legacy products need to
be managed properly, and patched. “I
can’t talk enough about back-ups,”
Dave went on. “So many businesses
are crippled when ransomware occurs
on their systems.” While you may pay
the bitcoin ransom to get your data
back, it might not come until you pay
more. Keep your back-ups offline, and
in a different location, he advised. And
have a business continuity plan for
when a cyber-crime occurs, for how to
bring your systems back.
Rush to IoT
Cars, kettles, toys, games consoles,
web cameras and CCTV; people are
rushing to the Internet of Things (IoT),
without thinking of vulnerabilities, he
warned. IP cameras and routers are
routinely exploited through the Mirai
botnet (which lets a hacker enter a
device, send spam via it, and steal
data). “Ask yourself the question, does
it need to be online,” Dave said.
And insider threat
Another threat to cyber that is in fact
from the physical world that Dave
covered next: insiders, ‘still one of the
biggest threats we have in cyber-space
... it doesn’t have to be malicious
either’. Criminals will gather details
about your organisation - maybe
through a supplier - to carry out a
mandate fraud, for instance. While
as Dave said we have all seen such
emails; the right one with the right
leverage showing the right knowledge,
will get money paid to it. Product
developers may bleed facts about
programmes on forums online, that’s
abused. Dave repeated the wartime
slogan, ‘loose lips cost ships’: “We
see that in the police all the time; say
the wrong thing to the wrong person
and you don’t know where it’s going
to go.” What IT access do staff,
including from agencies, need. Do
they need access to payroll, that they
might manipulate; or to confidential
files, that they may send to the
media? He ended by stressing how
cyber-crime will affect all businesses
and people: “It isn’t about if, it’s
about when, it really is.” No longer
can you leave cyber to ‘Bob in IT’:
“Everybody needs to be aware.” p
And from the chair
Mike Gillespie, conference chair,
echoed Dave. Mike said: “There are
manufacturers right now today who
are prepared to sell us equipment
that still has firmware that has a
vulnerability in it that allows the Mirai
botnet to occur; and I think everyone
of us should be pushing back on the
manufacturers of our security kit,
to ensure at point of supply we are
getting security.” See over the page. p
www.professionalsecurity.co.uk