Caught in the net

Phishing emails continue to trick people into giving away personal information, which fraudsters then use to inflict harm and financial losses on their victims. Emails can be compelling, made to look as if they come from anyone, and carry just enough bait on the hook to catch people easily. Fake websites that look like the real ones are easy to set up, and fake emails that appear to come from your bank are easy to send.

Using simulated phishing emails within an organisation to test employees’ security awareness has shown that even experienced information security professionals are susceptible to some phishing emails.

Here are some thoughts to prevent you from becoming the next victim:

  • Never reply to emails asking for passwords, PINs or other logon credentials. No legitimate business will ever ask for these details. Never give your password to anyone, regardless of the circumstances.
  • DO NOT open attachments unless you are 100% sure about the origin of the email.
  • DO NOT click on links in emails. Always go directly to the real website and log in to your accounts in the usual way.
  • Phishing emails often have poor spelling and grammar along with impersonal greetings such as ‘Dear customer’. However, if the sender obtained your name and email address from another source, a personalised phishing email will look more authentic.
  • DO NOT reply to any spam or phishing emails.
  • Phishing emails will often create a sense of urgency. For example, an offer may be too good to be true, a deal may only be available for a short period, or the email may warn that your account will be deactivated if you don’t log in within a specific timeframe.
  • DON’T assume that a link is genuine because it starts with https://. The fact is that anyone can buy a certificate or set up a certificate authority. Personal details you disclose may be encrypted when sent, but that means nothing if you send encrypted information to a fake website set up by fraudsters.
  • Report phishing emails to the organisations being imitated, then delete them.
  • Phishing emails will often use current events as a means to get your attention and encourage you to take action. An earthquake, for example, will likely trigger phishing emails asking for financial support for the injured, playing on people’s natural empathy for those in need. Likewise, if the deadline for tax returns is approaching, a phishing email will attempt to exploit that urgency.
  • Links in phishing emails are often hidden behind text, so that the link appears to point to one site while the actual URL is for a different website. Hovering over the link will reveal the real destination.

In terms of the economic viability of phishing emails, with emails sent to millions of potential victims, it only takes a small number of catches for the operation to be profitable.

More on passwords

The strange thing about writing a password blog is that most of the topic is the same as what I wrote about 20 years ago, so the challenge is not writing about passwords, but making the subject of passwords interesting to read. The difference is that during these 20 years, the use of computing technology has increased significantly, and a new generation of people need to know more about how to take their safety and security more seriously. So, it is OK for me to repeat myself on this.

I didn’t think I would write another blog about passwords, but I was recently in a queue for a local cash machine when a teenager in front of me told her friend, ‘Mine is just 1234, so I can easily remember it’. A few laughs followed. I thought it was a joke initially until I saw her type ‘1234’. Even though I was standing 2 meters away, it was impossible not to see and hear what happened.

If the wrong person had been in the queue, they could have inflicted serious harm to acquire the bank card. It also reminded me how often people use Chip and PIN in an unguarded way, and how easy it often is to see PINs just by being in the queue. Simple advice here is to change your PIN frequently and be more careful when using your PIN to make a purchase or withdraw cash from an ATM. Simple advice for banks would be to prevent commonly used and easy-to-guess PINs from being chosen.

Using weak passwords introduces many risks, and with the continually growing use of social media and the amount of personal information available online, guessing weak passwords is getting easier. A dictionary attack on a system can take time. If your Facebook page shows that you are a Star Wars fan, an attacker could start with Jedi1 or Jedi1!, or thousands of variations on this theme, which would be far more efficient than a brute-force attack with an entire dictionary. The same applies to any information available in the public domain. It gets worse with security questions, because if you answer them truthfully you are providing immutable facts for security purposes. Your place of birth is unlikely to change, for example, and it is available on a large number of Facebook profiles.

Passwords need to be extremely difficult to guess, and unrelated to anything about you that anyone else would know or be able to find out using a search engine. There are no set rules for how this should be done, and there are probably as many options as there are security consultants. A mixture of upper case, lower case, numbers and symbols is an excellent place to start, with a password of 8 characters or more. I am being intentionally vague here and not recommending a specific approach. As soon as something becomes a standard approach, refinement of hacking tools quickly follows, so you should think about how you will make strong passwords and take responsibility for your own safety and security.

Someone a long time ago thought it was a good idea to replace some letters with numbers or symbols, such as replacing ‘I’ with ‘1’, ‘A’ with ‘@’ and ‘E’ with ‘3’. It quickly became popular, but in practice it only requires a small change to password-cracking software. If someone is known to be a Star Wars fan, then ‘J3d1Kn1gh+’ can be tried along with variations of any other word using the same convention. Even a plain dictionary brute-force attack can generate these variations. Consequently, replacing letters with numbers has been insecure for a long time. To recap, decide for yourself how complicated and obscure your passwords will be.
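To make the point concrete, here is an added example (not code from the original post) of the "small change" a cracking tool needs: it undoes the common letter-for-symbol substitutions and checks whether a dictionary word is left behind. A password checker can run the same logic in reverse to reject such passwords at registration time. The substitution table and the small word list are constructed for the illustration; a real checker would use a full dictionary plus terms related to the user.

```python
"""Undo common leet substitutions and look for dictionary words, showing why
'J3d1Kn1gh+' is no stronger than 'JediKnight'. Added example; the word list
and the substitution table are constructed for illustration."""
import itertools
import re

# Common substitutions, mapped back to the letters they usually stand for.
# Some symbols are ambiguous ('1' may be 'i' or 'l'), so every reading is tried.
LEET_REVERSE = {
    "@": "a", "4": "a", "3": "e", "1": "il", "!": "i", "0": "o",
    "$": "s", "5": "s", "+": "t", "7": "t", "8": "b",
}

# Constructed word list: a real checker would load a dictionary plus words
# harvested from public information about the user (the Star Wars fan above).
WORDLIST = {"jedi", "knight", "star", "wars", "force", "password", "welcome", "summer"}


def deleet_variants(password, limit=256):
    """Yield lower-case readings of `password` with substitutions undone.
    `limit` caps the combinatorial expansion for passwords full of symbols."""
    choices = [LEET_REVERSE[ch] if ch in LEET_REVERSE else ch.lower() for ch in password]
    for n, combo in enumerate(itertools.product(*choices)):
        if n >= limit:
            return
        yield "".join(combo)


def dictionary_words_in(password, wordlist=WORDLIST, min_len=4):
    """Return the sorted list of dictionary words (at least min_len letters)
    found inside any de-leeted reading of the password."""
    found = set()
    for variant in deleet_variants(password):
        letters = re.sub(r"[^a-z]", "", variant)  # keep only letters
        for word in wordlist:
            if len(word) >= min_len and word in letters:
                found.add(word)
    return sorted(found)


def is_weak(password):
    """A password built from a dictionary word plus substitutions is weak."""
    return bool(dictionary_words_in(password))


if __name__ == "__main__":
    for candidate in ("J3d1Kn1gh+", "P@$$w0rd", "Tq7#mV9zLpRb"):
        print(candidate, "->", dictionary_words_in(candidate) or "no dictionary words found")
```

The check is cheap because the expansion is tiny: a ten-character password with two ambiguous symbols has only four readings, which is exactly why the substitution trick costs an attacker almost nothing.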

Avoid using the same password for multiple purposes. Large, established organisations with a strong security culture may have implemented their security model so that not even the company’s own staff can find out customer passwords. The lengths an organisation will go to are relative to the value of what it is trying to protect, so other systems will still store passwords in plain text and send them out by email in plain text as password reminders.
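The difference between the two kinds of system above is how the password is stored. As an added example (not code from the original post or from any particular vendor), this is the pattern a security-conscious system uses: a random per-user salt and a deliberately slow key-derivation function from the Python standard library, so that the stored record lets the system verify a login but never reveals the password, and two users with the same password get different records. The iteration count is an assumption chosen for this illustration.

```python
"""Store passwords so that even staff with database access cannot read them:
per-user random salt plus PBKDF2-HMAC-SHA256 from the standard library.
Added example; the iteration count is an assumed value for illustration."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed; deliberately slow, tune to your hardware


def hash_password(password, salt=None):
    """Return 'pbkdf2$<iterations>$<salt hex>$<hash hex>' for storage.
    A fresh random salt is drawn unless one is supplied (for tests)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time.
    The stored record is all the system keeps; the password itself is never saved."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery", record))
    print("login with wrong password:", verify_password("wrong", record))
```

A plain-text store, or a store that can email the password back as a reminder, is by definition one where staff (and anyone who steals the database) can read every password; a record like the one above cannot be turned back into the password, which is why a leak from one such site does not automatically hand over the same password to the next.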

In recent years, more and more websites require registration before allowing purchases, and far fewer sites allow one-off purchases. Consequently, people need far more user accounts now than they did a few years ago. Using the same password for high-security and low-security systems lets hackers compromise high-security systems with far less effort. Some websites even sell cheap widgets for the primary purpose of harvesting email addresses, passwords and other personal information, to be used against higher-security systems such as bank accounts, social media accounts and email accounts. Access to a primary email account makes it easier to compromise other sites and services.

Bring Your Own Devices

Should employees be allowed to bring their own devices into the workplace and connect them to the corporate network? There are mixed views on this, and you must carefully consider the advantages and disadvantages and then define corporate policy. Personal devices in the workplace are high risk, and the IT department has no control over the content of such devices.

  • It could result in the theft of data by an employee. As company data is likely to be needed on personal devices for employees to undertake their role within the organisation, using that data for other purposes is a straightforward next step. Company data found on a personal device would have a plausible explanation, and if staff did use data for other purposes, the evidence is unlikely to be available because of the lack of monitoring.
  • It would be challenging to verify the removal of corporate data from personal devices when employees leave the organisation. Backup copies could be held in remote storage such as Dropbox, Google Drive and OneDrive. Someone could restore deleted data using recovery tools, as a file is never entirely deleted until its data has been overwritten by other files or securely erased.
  • If companies allow employees to hold data on their own devices, they generally have much less control over the data than if it were on file servers within the organisation. It isn’t easy to maintain an inventory of sensitive information within an organisation if that inventory has to extend to personal devices.
  • Using personal devices within a corporate environment also introduces risks associated with malware.
  • Software compatibility could become an issue. In many cases, software versions are more recent on personal devices. If document formats have changed, saving a document from a personal device could make it inaccessible to software on corporate devices. If corporate licensed software needs installing on personal devices, it may not be compatible, and if it is, it may be in breach of the software licence terms and conditions.
  • With lost or stolen personal devices, it could be impossible to know what corporate data was on the device, which in turn prevents accurate reporting under data protection regulations.

A different kind of risk with personal devices in the workplace is the amount of time spent on personal activities during working hours. Businesses can control the software on corporate devices, but personal devices will also carry employees’ own software and data, so they can reduce productivity.

Although this blog began with a question, the case is more in favour of not allowing employees’ own devices to connect to the corporate network.

Defining Access Control Policies

Access Control comes in many different flavours depending on the business, the systems used, and the buildings protected. At the same time, access control has a generic theme. Consequently, the policies put in place will be similar across the board, even when specific implementations of access controls can be very different.

Sections of an Access Control Policy may seem self-explanatory; however, it is worth remembering that the policies will be read and adhered to by non-technical staff and staff not experienced in Information Security.

With this in mind, the following three points give an overview of the policy. They could be written as three separate sections or presented as a single policy statement. The following are examples of what to think about when describing the policy.

  • Policy Statement – protecting access to systems is critical to maintaining the integrity of our technology and data while preventing unauthorised access.
  • Background – access controls are necessary to restrict access to authorised personnel only.
  • Policy Objective – the objective of this policy is to ensure that we have adequate controls in place to restrict access to systems and data.

Defining the scope of the policy is essential to show where and how it will be applied. Here are some examples of what to include:

  • Locations – this policy applies to our offices in London, Liverpool and Glasgow. Alternative policy documents may exist for different offices because of regional legislative differences.
  • Who – this policy applies to all employees, consultants and 3rd party vendors authorised to access our systems.
  • What – this policy applies to the use of desktops, laptops, business systems and mobile devices.

A specific section to document all technical terms and their definitions is essential for non-technical members of staff to understand. Examples could include Access Control, Users, Business System Accounts, Application Accounts, Privileged Accounts, Access Privileges or Permissions, Elevated Permissions, Services Accounts, Test Accounts and others.

Access Control Requirement sections could include:

  • All users must use a Unique ID to access systems
  • Define passwords following the Password Policy
  • Remote access must use two-factor authentication
  • Sessions lockout or screensaver activation after 15 minutes of inactivity

General principles would typically include:

  • Access provided based on Least Privilege and Need to Know
  • User account requests and approvals logged and documented
  • How the policy applies to vendor accounts, application and service accounts, system administration accounts, shared generic accounts and test accounts
  • Restricted access to service account passwords
  • Whether, and for which accounts, non-expiring passwords are permitted
  • User account access terminated when people leave the organisation
  • Accounts set to expire when contracts expire or after a period of inactivity
  • Adequate user identification when new passwords are requested

Principles specific to privileged accounts

  • For a privileged account, create it as a named user account and not a generic user account. E.g. “ADM.firstname.surname”
  • Privileged user accounts requested by line managers
  • Monitoring of privileged account usage
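Several of the principles above (named rather than generic privileged accounts, accounts expiring with contracts, accounts expiring after a period of inactivity) can be checked mechanically against an export of the user directory, which is one practical way to take "proactive steps to reinforce compliance". The following is an added example and not part of the original post: it audits a list of account records against those three principles. The record layout, the 90-day inactivity threshold and the sample accounts are constructed assumptions for the illustration; the "ADM.firstname.surname" naming convention is the one given above.

```python
"""Audit account records against three access-control principles:
named privileged accounts, no access after contract end, and expiry after
inactivity. Added example; record layout, threshold and sample data are
constructed assumptions."""
import re
from datetime import date, timedelta

# Naming convention for privileged accounts from the policy text above.
PRIVILEGED_NAME = re.compile(r"^ADM\.[a-z]+\.[a-z]+$")
INACTIVITY_LIMIT = timedelta(days=90)  # assumed threshold; set by your policy


def audit_accounts(accounts, today):
    """Return [(username, finding)] for every account that breaks a principle.
    `today` is passed in rather than read from the clock so results are repeatable."""
    findings = []
    for acct in accounts:
        name = acct["username"]
        if acct["privileged"] and not PRIVILEGED_NAME.match(name):
            findings.append((name, "privileged account is not a named ADM.firstname.surname account"))
        if acct["enabled"] and acct.get("contract_end") and acct["contract_end"] < today:
            findings.append((name, "still enabled after contract end date"))
        if acct["enabled"] and acct.get("last_login") and today - acct["last_login"] > INACTIVITY_LIMIT:
            findings.append((name, f"no login for more than {INACTIVITY_LIMIT.days} days"))
    return findings


# Constructed sample directory export (not real accounts).
SAMPLE_ACCOUNTS = [
    {"username": "ADM.jane.smith", "privileged": True, "enabled": True,
     "last_login": date(2024, 2, 28), "contract_end": None},
    {"username": "admin", "privileged": True, "enabled": True,
     "last_login": date(2024, 2, 29), "contract_end": None},
    {"username": "bob.jones", "privileged": False, "enabled": True,
     "last_login": date(2024, 2, 20), "contract_end": date(2024, 1, 31)},
    {"username": "old.account", "privileged": False, "enabled": True,
     "last_login": date(2023, 11, 15), "contract_end": None},
    {"username": "leaver", "privileged": False, "enabled": False,
     "last_login": date(2023, 6, 1), "contract_end": date(2023, 6, 30)},
]

if __name__ == "__main__":
    for username, finding in audit_accounts(SAMPLE_ACCOUNTS, date(2024, 3, 1)):
        print(f"{username}: {finding}")
```

Disabled accounts are skipped for the expiry checks because the policy has already been applied to them; the generic "admin" account is reported regardless of its activity, since the naming rule is about accountability rather than use.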

Other thoughts

  • Define what happens with vendor default user names and passwords
  • Define the policy on test accounts
  • Define any specific considerations for access control for 3rd party vendors and contractor user accounts

Different people and teams will have roles and responsibilities under this policy, and these need to be defined. Consider who will be responsible for the following policy roles:

  • Who has ultimate responsibility for the policy?
  • Who will review and approve the policy?
  • Who will develop and maintain the policy over time?
  • Who will be responsible for taking proactive steps to reinforce compliance?
  • Line Manager support for their direct reports in understanding the requirements
  • Commercial team responsibility for 3rd party obligations
  • Reporting requirements for non-compliance
  • Human Resources requirements for new employees
  • Requirements for all staff