27-10final

IS NOW
Combining thermal security cameras with video management systems.
www.flir.com
Untitled-20 1 18/02/16 10:1
cyber roadshow around uk:
CCTV is data too
If you are carrying
out CCTV monitoring
for the first time, or
installing new CCTV,
the expectation is that
you will carry out a risk
assessment, under
new data protection
law, Jane Burns,
head of privacy law
at Birmingham law
firm Anthony Collins
told the roadshow. It
would require a risk
assessment. Some
firms may have to
appoiint a DPO (data
protection officer) to
meet UK law due next
year, in line with the EU
general data protection
regulation.
58
UNHAPPY
‘Any internet-connected
device that has a
camera attached to it
will likely have a
microphone built-in as
well, turning them into
perfect spying tools if
remotely controlled by
hackers.’
Liviu Arsene, Senior
E-Threat Analyst at
Bitdefender.
A police-supported ‘Cyber Security UK
roadshow’ went around this summer.
We went to its Birmingham event.
One way to judge an event
is whether it makes the
general news. In that way, the
roadshow scored well, as it appeared
on that evening’s BBC regional TV
news. One of the speakers, Rebecca
Fahy, told of how here Coventry firm
was hit by a cyber attack six years ago,
and lost data (‘it almost felt like we
had failed’). It now holds the Cyber
Essentials quality standard. Another
speaker, Helen Barge, of Risk Evolves,
told cameras: “Any organisation that
says we are not of interest to any cyber
crime is unfortunately wrong; it’s not a
question of if it happens to you; think
when it’s going to happen to you.”
Slap me now
One reason for the roadshow is that
business is behind with doing cyber.
One of the speakers, Louis Augarde,
of Birmingham-based OmniCyber
Security, made an amusing and
shrewd point that he had ‘quite
probably the worst job title in the
world’ - penetration tester. As he said,
try explaining that to a woman in a
night-club. “It’s, hold on, are you
going to buy me a drink, or shall I
slap you now?!” Louis described his
job, ‘ethical hacking’ as a pen-tester
for short. He said: “Everybody is
vulnerable to everything.” It depends
on the motive of the attacker. Are they
skiddies - script kiddies - running
computer tools often provided from
organised crime, with no idea what
they are doing; or the next level up,
stealing everything they can, to sell
OCTOBER 2017 PROFESSIONAL SECURITY
Testing
for money, and producing the tools;
or state-sponsored hackers or nation
states. A common tactic is ransomware,
exploiting what Louis likened to
‘an open window in your house’; or
phishing emails to seek passwords and
other useful IT data, to use to hack
further; and denial of service attacks.
He went through the methods and
indeed some of the lingo of ‘social
engineering’ to steal info, such as
‘baiting’ (leaving a memory stick,
labelled ‘private’ or ‘confidential’
that some cannot resist loading onto
their computer, tricked into believing
they’ll find a spreadsheet of staff
bonuses. Besides ‘phishing’, you have
‘whaling’, emails aimed a specific,
high-level people, seeking their login
and other details. ‘Pretexting’ is
asking for information, to confirm your
identity, to enable a scam. You might
say on social media that service from a
mobile phone company was bad. You
get a call, to say sorry, and the firm
offers you an upgrade to your handset,
if you give a few details. Sounds
gratifying, except if it’s not from the
firm, but a hacker, seeking your details.
And ‘scareware’ is a sort of software
that pretends to be legitimate, to help
your computer, but in fact it’s malware.
Buyer’s pose
times
As an insight into the (ethical) hacker’s
thinking, Louis described the business
networking website Linkedin as his
favourite, ‘a whole massive list of
everything’. For instance, it may help
the creator of a phishing or whaling
email to guess the email address of
his targets. Or, a neat piece of social
engineering might be to pose as a
buyer, saying you want 50 of their
products. The reply gives not only
a name and form of email, but their
writing style; that the phisher can turn,
also perhaps buying a domain name
similar to the target’s, and aiming for
staff to email back their passwords,
thinking the phishing email has come
from their IT manager. As Louis set
out, once a victim has signed in for
a hacker, he ‘can do everything’.
He can re-set user passwords (for
paying tax, for example), and send
out emails to their customers. Louis
went into the ‘dark web’, a protocol
developed for anonymous use of the
internet. As Louis said, no-one wants
their personal details to be on sale
there as ‘high quality credentials’. He
advised: “Be a little bit more aware of
what you click on, what emails you
read, where you are going to put your
card details if you are going to buy
products or services online.”
For years, and as we’ve reported, it’s
been the norm to hear hand-wringing
from the authorities on cyber. Police
speakers were more optimistic.
Det Chief Insp Rob Harris of the West
Midlands ROCU (regional organised
crime unit) said:”Actually there are
quite a lot of red capes out there now,”
as opposed to ‘black cape’ hackers.
In the April issue after the Midlands
Fraud Forum, we reported the plainest
hint, from City of London Police
Commander Chris Greany, National
Coordinator for Economic Crime, that
police simply are legally unable to
collar cyber criminals in swathes of
the world. Greany has since retired.
World map
Harris raised this; do tax-payers want
him investigating an arms deal on
the dark web, a sale from Bolivia
to China? He spoke of a case with
suspects in named European countries
and other continents, a server in
France, payments to Switzerland,
a company in central America. He
repeated what others in authority
have said; that 80 per cent of cyber
crime can be stopped, ‘by some very
simple measures, the stuff you have
heard already today’. Start educating
yourself, he urged; whether the
official ‘ten steps to cyber security’ or
the Cyber Essentials scheme. Peel’s
original UK policing principles are as
relevant as ever, Harris suggested. p
www.professionalsecurity.co.uk