Cyber roadshow around UK: CCTV is data too

If you are carrying out CCTV monitoring for the first time, or installing new CCTV, the expectation is that you will carry out a risk assessment under new data protection law, Jane Burns, head of privacy law at Birmingham law firm Anthony Collins, told the roadshow. It would require a risk assessment. Some firms may have to appoint a DPO (data protection officer) to meet UK law due next year, in line with the EU general data protection regulation.
UNHAPPY

‘Any internet-connected device that has a camera attached to it will likely have a microphone built-in as well, turning them into perfect spying tools if remotely controlled by hackers.’
Liviu Arsene, Senior E-Threat Analyst at Bitdefender.
A police-supported ‘Cyber Security UK roadshow’ went around this summer. We went to its Birmingham event.
One way to judge an event is whether it makes the general news. In that way, the roadshow scored well, as it appeared on that evening’s BBC regional TV news. One of the speakers, Rebecca Fahy, told of how her Coventry firm was hit by a cyber attack six years ago, and lost data (‘it almost felt like we had failed’). It now holds the Cyber Essentials quality standard. Another speaker, Helen Barge, of Risk Evolves, told cameras: “Any organisation that says we are not of interest to any cyber crime is unfortunately wrong; it’s not a question of if it happens to you; think when it’s going to happen to you.”
Slap me now

One reason for the roadshow is that business is behind with doing cyber. One of the speakers, Louis Augarde, of Birmingham-based OmniCyber Security, made an amusing and shrewd point that he had ‘quite probably the worst job title in the world’ - penetration tester. As he said, try explaining that to a woman in a night-club. “It’s, hold on, are you going to buy me a drink, or shall I slap you now?!” Louis described his job as ‘ethical hacking’, pen-tester for short. He said: “Everybody is vulnerable to everything.” It depends on the motive of the attacker. Are they skiddies - script kiddies - running computer tools often provided from organised crime, with no idea what they are doing; or the next level up, stealing everything they can, to sell for money, and producing the tools; or state-sponsored hackers or nation states. A common tactic is ransomware, exploiting what Louis likened to ‘an open window in your house’; or phishing emails to seek passwords and other useful IT data, to use to hack further; and denial of service attacks.

He went through the methods and indeed some of the lingo of ‘social engineering’ to steal info, such as ‘baiting’ (leaving a memory stick, labelled ‘private’ or ‘confidential’, that some cannot resist loading onto their computer, tricked into believing they’ll find a spreadsheet of staff bonuses). Besides ‘phishing’, you have ‘whaling’, emails aimed at specific, high-level people, seeking their login and other details. ‘Pretexting’ is asking for information, to confirm your identity, to enable a scam. You might say on social media that service from a mobile phone company was bad. You get a call, to say sorry, and the firm offers you an upgrade to your handset, if you give a few details. Sounds gratifying, except if it’s not from the firm, but a hacker, seeking your details. And ‘scareware’ is a sort of software that pretends to be legitimate, to help your computer, but in fact it’s malware.

OCTOBER 2017 PROFESSIONAL SECURITY | Testing
Buyer’s pose
As an insight into the (ethical) hacker’s thinking, Louis described the business networking website LinkedIn as his favourite, ‘a whole massive list of everything’. For instance, it may help the creator of a phishing or whaling email to guess the email address of his targets. Or, a neat piece of social engineering might be to pose as a buyer, saying you want 50 of their products. The reply gives not only a name and form of email address, but their writing style, which the phisher can turn to use, perhaps also buying a domain name similar to the target’s, and aiming for staff to email back their passwords, thinking the phishing email has come from their IT manager. As Louis set out, once a victim has signed in for a hacker, he ‘can do everything’. He can re-set user passwords (for paying tax, for example), and send out emails to their customers. Louis went into the ‘dark web’, a protocol developed for anonymous use of the internet. As Louis said, no-one wants their personal details to be on sale there as ‘high quality credentials’. He advised: “Be a little bit more aware of what you click on, what emails you read, where you are going to put your card details if you are going to buy products or services online.”
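The look-alike domain trick described above, as an added defender-side check that is not part of the article: it flags inbound sender domains that differ from the organisation’s own domain by a homoglyph swap, a typo or two, or a suffix bolted onto the company name. OWN_DOMAIN, the swap table and the sample From: headers are constructed placeholders.

```python
# Added example (not from the article): flag sender domains imitating the
# organisation's own domain. OWN_DOMAIN and the headers are constructed.
import re

OWN_DOMAIN = "acme-widgets.co.uk"  # placeholder for the defender's own domain
SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]  # common look-alike swaps

def normalise(domain):
    """Lower-case the domain and undo common look-alike character substitutions."""
    d = domain.lower().strip()
    for bad, good in SWAPS:
        d = d.replace(bad, good)
    return d

def edit_distance(a, b):
    """Levenshtein distance, computed row by row with the standard DP recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender_domain, own=OWN_DOMAIN):
    """Return 'own', 'lookalike' or 'other' for a sender domain."""
    sender, own = sender_domain.lower().strip(), own.lower()
    if sender == own:
        return "own"
    if normalise(sender) == normalise(own):
        return "lookalike"  # differs only by a homoglyph swap such as rn -> m
    own_label, sender_label = normalise(own).split(".")[0], normalise(sender).split(".")[0]
    if edit_distance(sender_label, own_label) <= 2 or own_label in sender_label:
        return "lookalike"  # a typo or two, or our name with a suffix bolted on
    return "other"

def scan(headers):
    """Classify the sender domain found in each 'From:' header line."""
    hits = []
    for line in headers:
        m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", line)
        if m:
            hits.append((m.group(1), classify(m.group(1))))
    return hits

# Constructed sample: genuine sender, two look-alikes, one unrelated domain.
SAMPLE_HEADERS = ["From: IT Support <helpdesk@acme-widgets.co.uk>",
                  "From: IT Support <helpdesk@acrne-widgets.co.uk>",
                  "From: IT Support <helpdesk@acme-widgets-it.co.uk>",
                  "From: Sales <sales@bigcustomer.com>"]
```

Run `scan(SAMPLE_HEADERS)` to see each domain paired with its verdict; the threshold of two edits is a starting point and should be tuned against real mail volume to keep false positives down.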
For years, and as we’ve reported, it’s been the norm to hear hand-wringing from the authorities on cyber. Police speakers were more optimistic. Det Chief Insp Rob Harris of the West Midlands ROCU (regional organised crime unit) said: “Actually there are quite a lot of red capes out there now,” as opposed to ‘black cape’ hackers. In the April issue after the Midlands Fraud Forum, we reported the plainest hint, from City of London Police Commander Chris Greany, National Coordinator for Economic Crime, that police simply are legally unable to collar cyber criminals in swathes of the world. Greany has since retired.
World map

Harris raised this: do tax-payers want him investigating an arms deal on the dark web, a sale from Bolivia to China? He spoke of a case with suspects in named European countries and other continents, a server in France, payments to Switzerland, a company in central America. He repeated what others in authority have said; that 80 per cent of cyber crime can be stopped, ‘by some very simple measures, the stuff you have heard already today’. Start educating yourself, he urged; whether the official ‘ten steps to cyber security’ or the Cyber Essentials scheme. Peel’s original UK policing principles are as relevant as ever, Harris suggested.
www.professionalsecurity.co.uk