Octree Observer

  • Are you serious about cyber-security? Security Serious Week opens

    by : Octree

    It's Security Serious Week, a campaign designed to bring industry experts together to make others more serious about cyber-security.

    My thanks to Max Metzger of SC Magazine for this news article.

    To mark the opening of Security Serious Week, the cream of UK cyber-security marshalled at London's St Katharine's Docks, to discuss the campaign as the opening salvo of an industry-wide effort to raise security awareness.

    Yvonne Eskenzi, one of the founders of the campaign, explained the drive behind it: “Security Serious is all about those that can't, learning from those that can – it's simple really. I plan to bring together our leading experts to convey their words of wisdom to those people and organisations who want to become more security savvy.”

  • Police nab 9 for allegedly spoofing bank employees in £60 million scam

    by : Octree

    UK police have arrested nine people over allegedly spoofing phone calls from victims' banks to drain them of a total of £60 million.According to a release from the Metropolitan Police, the gang fooled their marks into handing over confidential information by posing as bank employees on the phone.

    My thanks to Lisa Vas of Sophos for this article.

    UK police have arrested nine people over allegedly spoofing phone calls from victims' banks to drain them of a total of £60 million.

    According to a release from the Metropolitan Police, the gang fooled their marks into handing over confidential information by posing as bank employees on the phone.

    The UK gang was arrested on Wednesday after a series of coordinated raids on 14 addresses in Ilford, Watford, Slough and Scotland.

    Police had been investigating
  • What should business owners do on Monday morning?

    by : Octree

    Over the weekend there has been much publicised and printed regarding the recent breach at TalkTalk but we’ll leave it to the ongoing investigation by the appropriate authorities to report on the facts in due course.



    It has however raised calls by leading business organisations for urgent action to be taken to tackle cyber-crime with the Institute of Directors (IOD) claiming only “serious breaches” of crime make the headlines but attacks on British businesses “happen consistently”.

    Little over 12 months ago the UK Government launched a cyber hygiene standard for businesses called Cyber Essentials, by implementing Five Key Controls it is claimed that around 80% of cyber-attacks could be prevented if businesses implemented controls covering.....
  • Businesses exposing confidential data to ex-employees

    by : Octree

    One third of IT decision makers say ex-employees are able to access systems after leaving

    Just under one third (32 per cent) of UK companies have admitted that people who've left their employ still have access to confidential files and systems, meaning their business could be wide open to a major security breach.

    However, the number is much higher in the US, where over half of all companies said outgoing employees were probably able to log into systems after leaving the organisation.

    Almost half of respondents to the research carried out by Centrify said they had the processes in place to 'offboard' leavers, the same number again have access rights and password knowledge that would allow them to break into systems up to a week after they cease working at the company.

  • Companies Buy Good Security, But Fail to Deploy It Properly

    by : Octree

    Companies may be investing more in multilayered IT security solutions, as everyone says that they should, but once purchased those solutions are not being properly deployed.

    Thanks to Tara Seals of Infosecurity Magazine for this startling and revealing article.

    A Lieberman Software survey has revealed that companies are putting their customers’ data at risk because IT teams don’t have the expertise or time to deploy complicated IT security products.

    The results were a bit alarming; about 69 percent of respondents said that do not feel they are using their IT security products to their full potential. As a result, a staggering 71 percent of IT professionals believe this is putting their company, and possibly customers, at risk.

  • It’s a fact: your employees are the biggest threat

    by : Octree

    A company's own employees are a significant factor in the majority of data breaches, either through malicious activity or avoidable mistakes

    A company's own employees are a significant factor in the majority of data breaches, either through malicious activity or avoidable mistakes, say two new studies, but companies aren't doing enough to address this issue.

    According to a recent survey by CompTIA, human error accounts for 52 percent of root causes of security breaches, while technology errors account for 48 percent.

    "The main reason that companies exhibit a low level of concern over human error is that it is a problem without an obvious solution," said the report. "A high level of concern over malware or hacking can be addressed with an investment in technology."

    But human error can only be addressed with training, and there are few metrics to evaluate the effectiveness of training, said the report, which was released just over a week ago.

  • Cybercrime is child’s play, it seems

    by : Octree

    How a 7-year-old girl hacked a public Wi-Fi network in 10 minutes

    So we all like the convenience of free Wi-Fi at a coffee shop or other public space – a welcome sign for millions of people every day who want to get some work done, make a video call, or just catch up on a bit of online shopping.

    According to research nearly two thirds (59%) of Britons regularly use unsecured Wi-Fi hotspots, with one in five (20%) doing so weekly or more to bank online (19%) shop (25%), send emails and documents (31%), and use social media platforms (50%). All of this activity could put their passwords, bank details, confidential information and their very identities in the hands of hackers. The survey found that sensitive data was often transferred when users logged on, with online banking and responding to emails two of the most popular habits to carry out when connected.

  • 90% of data breaches could be avoided

    by : Octree

    Online Trust Alliance advises a best practice approach to information security

    The Online Trust Alliance (OTA), the global non-profit organisation "with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet", released its 2015 Security & Privacy Best Practices and Security & Privacy Risk Assessment guides last week.

    According to its analysis of “nearly 500 breaches reported in the first half of 2014", more than "90% could have been avoided had simple controls and security best practices been implemented."

  • 90% of data breaches could be avoided

    by : Octree

    Online Trust Alliance advises a best practice approach to information security

    The Online Trust Alliance (OTA), the global non-profit organisation "with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet", released its 2015 Security & Privacy Best Practices and Security & Privacy Risk Assessment guides last week.

    According to its analysis of “nearly 500 breaches reported in the first half of 2014", more than "90% could have been avoided had simple controls and security best practices been implemented."

  • 90% of data breaches could be avoided

    by : Octree

    Online Trust Alliance advises a best practice approach to information security

    The Online Trust Alliance (OTA), the global non-profit organisation "with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet", released its 2015 Security & Privacy Best Practices and Security & Privacy Risk Assessment guides last week.

    According to its analysis of “nearly 500 breaches reported in the first half of 2014", more than "90% could have been avoided had simple controls and security best practices been implemented."

  • Sony accuses DDoS attackers for ruining PlayStation's Xmas

    by : Octree

    Gaming service STILL struggling to return to life

    My son couldn’t wait to unwrap his shiny new Sony Playstation 4 on Christmas morning. The excitement was intense. And then came the time to activate his Playstation Plus subscription to play online and with friends across the Internet. It couldn’t be done! I thought at first it may be a browser issue, then an ISP issue, then a web filtering issue. But no…………it turned out to be a massive DDoS (Distributed Denial of Service) attack initiated by yet another Hacktivist group by the name of Lizard Squad. They did not endear themselves to the general public, and their motives are unclear. But it was yet another assault on the Japanese media corporation - talk about kicking a man when he’s down. Thankfully, for my sanity as much as anything, the network is now back online, and my son is now locked away for hours at a time only surfacing for essential supplies and his ablutions.

    A DDoS is an attack method used to deny access for legitimate users of an online service. This service could be a bank or e-commerce website, a SaaS application, or any other type of network service. Some attacks even target VoIP infrastructure.
  • Bring Your Own Disaster as UK firms see rising mobile breaches

    by : Octree

    BT Study highlights the threats to businesses with unmanaged mobile devices

    A study from BT reveals that almost half of UK firms (41 percent) suffered a mobile security breach over the last year, with another fifth reporting as many as four incidents in the same time-frame.

    The research reveals that UK businesses are still not taking sufficient security measures to protect themselves from mobile threats – such as lost and stolen devices or mobile malware infections - and this all comes despite the same study revealing that 95 percent of UK organisations now allow their employees to use a BYOD (Bring Your Own) or COPE (Corporately Owned Personally-Enabled) device.

    Some of the findings on mobile security make for shocking reading; just over a third (35 percent) of IT decision makers said that they had a BYOD policy – which is seen by many as the first step in enterprise mobility management - while only 15 percent said that they felt confident they had sufficient resources to prevent a mobile security breach.

  • Bring Your Own Disaster as UK firms see rising mobile breaches

    by : Octree

    BT Study highlights the threats to businesses with unmanaged mobile devices

    A study from BT reveals that almost half of UK firms (41 percent) suffered a mobile security breach over the last year, with another fifth reporting as many as four incidents in the same time-frame.

    The research reveals that UK businesses are still not taking sufficient security measures to protect themselves from mobile threats – such as lost and stolen devices or mobile malware infections - and this all comes despite the same study revealing that 95 percent of UK organisations now allow their employees to use a BYOD (Bring Your Own) or COPE (Corporately Owned Personally-Enabled) device.

    Some of the findings on mobile security make for shocking reading; just over a third (35 percent) of IT decision makers said that they had a BYOD policy – which is seen by many as the first step in enterprise mobility management - while only 15 percent said that they felt confident they had sufficient resources to prevent a mobile security breach.

  • Retailers are "overconfident" about their security, majority have fundamental gaps

    by : Octree

    Worrying signs for Xmas shopping!

    Just in from Lisa Vaas at Sophos Labs, right in time for the holiday shopping daze: many UK retailers' heads are comfortably buried in the sand when it comes to their cyber security and data protection capabilities, thinking that in spite of not having basic protection and no contingency plans for data breaches, something - maybe magic? - will somehow protect them from malicious cyber-attack.

    In fact, the vast majority - 72% - of 250 UK retail IT decision makers surveyed for the 2014 Retail Security Barometer report, which was conducted by Opinium for Sophos, have failed to implement fundamental security required to safeguard both business and customer data.

    It's not that retailers aren't aware of the increasing risks, and it's not as though retailers don't know how a breach could affect both consumers and their own brand.

    One of many recent examples, this one from across the pond, is US retailer Home Depot, which at the end of last month was facing 44 civil lawsuits across the US and Canada following a huge data breach in September that left 56 million credit cards and 53 million email addresses exposed.

  • Retailers are "overconfident" about their security, majority have fundamental gaps

    by : Octree

    Worrying signs for Xmas shopping!

    Just in from Lisa Vaas at Sophos Labs, right in time for the holiday shopping daze: many UK retailers' heads are comfortably buried in the sand when it comes to their cyber security and data protection capabilities, thinking that in spite of not having basic protection and no contingency plans for data breaches, something - maybe magic? - will somehow protect them from malicious cyber-attack.

    In fact, the vast majority - 72% - of 250 UK retail IT decision makers surveyed for the 2014 Retail Security Barometer report, which was conducted by Opinium for Sophos, have failed to implement fundamental security required to safeguard both business and customer data.

    It's not that retailers aren't aware of the increasing risks, and it's not as though retailers don't know how a breach could affect both consumers and their own brand.

    One of many recent examples, this one from across the pond, is US retailer Home Depot, which at the end of last month was facing 44 civil lawsuits across the US and Canada following a huge data breach in September that left 56 million credit cards and 53 million email addresses exposed.

  • Information security: 'Not my problem'

    by : Octree

    Non IT directors pass the buck on cyber security.

    Having read this article from Tony Morbin, Editor in Chief of SC Magazine, I could not resist passing it on.

    Awareness for cyber-security as a risk has risen, but as Simon Church, CEO at NTT Com Security explained: “There is still a high level of misunderstanding, indifference and complacency, and failure to rank information security as a critical risk."

    The figures in 'The Global Risk:Value' report back up this view, based on a survey of 800 business decision-makers (not in an IT role) in the UK, Australia, France, Germany, Hong Kong, Norway, Sweden and the US, showing that 19 percent think there would be no significant impact on their revenue from a data breach and 28 percent admit they do not know what the financial implications would be.

  • How secure is your website?

    by : Octree

    Financial services websites suffer the second most number of attacks

    Things do not get any easier for financial institutions, clearly.

     

    According to the latest research websites of financial services businesses are the second most targeted behind only the retail sector. Impervas’s 2014 Web Application Attack Report is based on data collected from real time attacks on applications protected by their web application firewalls over a 9 month period, so no conjecture is assumed.

  • How secure is your website?

    by : Octree

    Financial services websites suffer the second most number of attacks

    Things do not get any easier for financial institutions, clearly.

     

    According to the latest research websites of financial services businesses are the second most targeted behind only the retail sector. Impervas’s 2014 Web Application Attack Report is based on data collected from real time attacks on applications protected by their web application firewalls over a 9 month period, so no conjecture is assumed.

  • 'Serious threat' as free web apps plant Trojans and ransomware

    by : Octree

    We are being warned of a 'serious threat' from cyber-criminals using free web apps to distribute malware.

    I am pretty sure I’m not the first to admit I have used “freeware” occasionally to achieve some technical objective, and have been less than cautious as to the source, the program or the implications. I just wanted to mount that ISO file to install the app, open a PDF that Adobe didn’t like, edit a photo without ludicrous expense…….you get the gist. And what about the inviting adware?

    Yet are we really sure what we are clicking on, or downloading, isn’t laden with malicious code ready to compromise our systems? It would appear not.

    In a 17 November blog post, Trend Micro says criminals are using the FlashPack exploit kit to target corporate users who download apps supported by adverts. The ads secretly infect victims with a range of malware and ransomware, without the users clicking on malicious links or visiting unsafe websites. Trend has seen attacks being funnelled through three specific malicious domains, with the vast majority of victims so far based in the US.
  • 'Serious threat' as free web apps plant Trojans and ransomware

    by : Octree

    We are being warned of a 'serious threat' from cyber-criminals using free web apps to distribute malware.

    I am pretty sure I’m not the first to admit I have used “freeware” occasionally to achieve some technical objective, and have been less than cautious as to the source, the program or the implications. I just wanted to mount that ISO file to install the app, open a PDF that Adobe didn’t like, edit a photo without ludicrous expense…….you get the gist. And what about the inviting adware?

    Yet are we really sure what we are clicking on, or downloading, isn’t laden with malicious code ready to compromise our systems? It would appear not.

    In a 17 November blog post, Trend Micro says criminals are using the FlashPack exploit kit to target corporate users who download apps supported by adverts. The ads secretly infect victims with a range of malware and ransomware, without the users clicking on malicious links or visiting unsafe websites. Trend has seen attacks being funnelled through three specific malicious domains, with the vast majority of victims so far based in the US.
  • ICAEW: businesses are falling further behind cyber attackers

    by : Octree

    Business is not keeping up with cyber risks, says accountancy body

    Businesses are not doing enough to combat cyber risks despite an increased awareness of the need to take cyber security seriously, warn auditors. The ICAEW report, Audit Insights: Cyber Security, says there is a growing gap between business and cyber attacker capabilities, with economic growth and new business activity continuously creating new cyber risks.
  • ICAEW: businesses are falling further behind cyber attackers

    by : Octree

    Business is not keeping up with cyber risks, says accountancy body

    Businesses are not doing enough to combat cyber risks despite an increased awareness of the need to take cyber security seriously, warn auditors. The ICAEW report, Audit Insights: Cyber Security, says there is a growing gap between business and cyber attacker capabilities, with economic growth and new business activity continuously creating new cyber risks.
  • How to avoid your critical data being held hostage

    by : Octree

    A simple guide to avoiding ransomware

    Ransomware is on the increase, not least because of its extremely lucrative nature. I’ve witnessed first-hand the devastating consequences. Files are locked with very strong encryption and cannot be released unless a ransom is paid. Yet it can be so easy to avoid, just by following some simple guidelines, courtesy of my infosec colleague Tom Tollerton.

    Beef Up User Security.
    Infection starts with a compromised user. Avoiding the installation of malicious software altogether is the best prevention of ransomware, yet unsuspecting and inherently trusting users continue to click on suspicious links and open email attachments from people they don’t know, immediately exposing their computer systems to the risk of infection. Combined with administrative privileges, a malicious file can often install unauthorized software that is difficult to eradicate. If this recommendation could be executed perfectly, there would be no fear of system infection. Unfortunately, human beings will always be the weakest link in the security chain, so we must rely upon the effective implementation of additional layers of protection.

  • How to avoid your critical data being held hostage

    by : Octree

    A simple guide to avoiding ransomware

    Ransomware is on the increase, not least because of its extremely lucrative nature. I’ve witnessed first-hand the devastating consequences. Files are locked with very strong encryption and cannot be released unless a ransom is paid. Yet it can be so easy to avoid, just by following some simple guidelines, courtesy of my infosec colleague Tom Tollerton.

    Beef Up User Security.
    Infection starts with a compromised user. Avoiding the installation of malicious software altogether is the best prevention of ransomware, yet unsuspecting and inherently trusting users continue to click on suspicious links and open email attachments from people they don’t know, immediately exposing their computer systems to the risk of infection. Combined with administrative privileges, a malicious file can often install unauthorized software that is difficult to eradicate. If this recommendation could be executed perfectly, there would be no fear of system infection. Unfortunately, human beings will always be the weakest link in the security chain, so we must rely upon the effective implementation of additional layers of protection.

  • JPMorgan hack sees financial services turn spotlight on cyber security

    by : Octree

    The positive side to a major data security breach

    You may or may not be aware that last week JP Morgan Chase reported that 76 million households and seven million businesses had their private information compromised, including customer names, addresses and telephone numbers but excluding financial information. Hackers also obtained internal data identifying customers by category, such as whether they are clients of the private bank, mortgage, vehicle finance or credit card divisions. The breach affected anyone who visited the company’s websites, including Chase.com, or used its mobile application. Follow-up reports have since claimed that the investment bank may have been compromised by a state-sponsored actor (believed to be of Russian origin) which exploited an employee password through a phishing attack to break into a company server.
  • Phishing Scams- Catching Email Users Hook, Line and Sinker

    by : Octree

    Email borne ransomware on the increase

    As reported by our Australian email filtering partner Mailguard Pty, further evidence of the increasing threat of ransomware.

    Another day and another sophisticated phishing scam has hit the headlines. This recent batch of file-encrypting ransomware including CryptoLocker, CryptoWall and CryptoDefense, and botnet kits like Zeus, are all deemed particularly nasty.

  • Londoners agree to give child away in return for free WiFi

    by : Octree

    Hundreds trapped and exposed by fake 'poisoned' WiFi hotspot.

    My thanks to SC Magazine for this article once again highlighting the reckless and carefree way we access public wifi.

    Researchers have exposed the public's “reckless” attitude to WiFi security by trapping hundreds of people in a free “Trojanised” hotspot in London that harvested their account details - and even got people to sign away their first-born child in its terms and conditions agreement.

  • It’s a fact……….small businesses know nothing about cybercrime!

    by : Octree

    SMEs face a relentless barrage of cyber threats today.

    What a way to start the week! A 7.30am Monday breakfast meeting to highlight cybercrime and how it threatens SMEs, organised by our Chamber of Commerce, and hosted by the good people of PwC. Charlie McMurdie was the keynote presenter, formerly Head of Law Enforcement National Cyber capability, Police Central e-Crime Unit, and now Senior Cyber Crime Advisor at PwC.

    And Charlie pulled no punches when, in a hopelessly short period of time, she delivered a whistle-stop assessment and some very high profile examples of the online threat posed by cyber criminals. What is really frightening is how organised these criminal gangs are, as well as astute and skilful computer hackers. And the expectation of almost complete anonymity as well as abundant financial rewards further amplifies their motivation.
  • Just when you thought it was safe to go back in the water………

    by : Octree

    Double whammy as UK users hit by banking and ransomware


    It seems just five minutes ago we were talking about the Cryptolocker Trojan that encrypted data files and then demanded a ransom to “unlock” them. Authorities from numerous countries collaborated to bring down the botnet delivering this malware. And now……

    The new TorrentLocker ransomware and long-established Vawtrak/Neverquest banking malware have both started targeting UK financial industry users.
  • The ex-employee menace: why companies need a security 'exit' strategy

    by : Octree

    Insider threat to corporate data

    Rogue employee, internal threat, security awareness training, internal security, (whatever you can think of that people may use to search!)

    It would appear that few SMEs take the threat of a rogue employee seriously, and even fewer consider the implications after they have left. Yet the threats from rogue access are vast, from lost critical data to compliance failures, leading to potentially crippling damages. Read Edward Snowden as a high profile recent example.
  • The ex-employee menace: why companies need a security 'exit' strategy

    by : Octree

    Insider threat to corporate data

    Rogue employee, internal threat, security awareness training, internal security, (whatever you can think of that people may use to search!)

    It would appear that few SMEs take the threat of a rogue employee seriously, and even fewer consider the implications after they have left. Yet the threats from rogue access are vast, from lost critical data to compliance failures, leading to potentially crippling damages. Read Edward Snowden as a high profile recent example.
  • How to Weaponise your Pets

    by : Octree
    I must credit Lisa Vaas of Sophos for this story, however whilst extremely amusing the ramifications are very serious indeed.
    For 3 hours last month, a Siamese cat named Coco stalked a suburban neighbourhood.
    The mighty Coco's hunting was fruitful that day.
  • Cyber Essentials - could it be the glue for SME Internet Security?

    by : Octree
    Having attended a presentation by Richard Bach, Assistant Director for Cyber Security at the Department for Business, Innovation and Skills, it is refreshingly clear that the Government is finally taking information security for small businesses seriously. The announcement, on 5 June this year, that the government was introducing the Cyber Essentials Scheme, aimed primarily at small businesses, was a welcome tonic for what is an often a neglected sector generally. But is it really the solution, or yet another elephant in the room?
  • Germany considers replacing email with typewriters to evade spying

    by : Octree
    According to The Guardian, the head of the Bundestag's parliamentary inquiry into National Security Agency (NSA) activity in Germany - Christian Democrat politician Patrick Sensburg - said in an interview with Morgenmagazin TV that he and his colleagues were considering tossing email completely.
  • GOZeus, Cryptolocker and other deadly creatures (Part 2) [And how to avoid them]

    by : Octree
    I sincerely believe I would be hard pushed to find a business owner / partner / manager who has not been beaten around the head with news of the latest cash stealing, file locking trojan that is infiltrating computer systems on a global and prolific scale. Not least because every news medium, whether online, hard copy or television, as well as a plethora of industry newsletters and periodicals, has covered the threat story in some detail and at considerable length. The FBI has also given us two weeks until the end of the world! And, we have also witnessed, possibly for the first time, government departments and business advisory networks such as the Federation of Small Businesses (FSB) highlighting this highly dangerous and very real threat in isolation.

  • Cyber crime costs small firms nearly £19bn a year

    by : Octree

    So according to research carried out by the Federation of Small Businesses (FSB) small businesses across the UK could be losing billions of pounds every year to cyber criminals and fraud, with the average small firm facing a near £4,000 cost.

    A new report from the Federation of Small Businesses said cyber crime and fraud cost its 200,000 members around £800m a year, or £3,926 each on average. Government figures estimate that there are 4.8 million small firms across the country. This would mean a total cost of more than £18.8bn based on the FSB’s average.

Octree Cyber Essentials
Cyber security – don’t know where to start?
Talk to Octree, specialists in helping SMEs achieve Cyber Essentials status.
GDPR Survey

Recent Posts

Blog Categories

Blog Archive