Photo by Aida L on Unsplash

Can you trust your penetration testing company with your results, or are they inadvertently performing the initial reconnaissance for cyber criminals, with you picking up the bill to boot? Whether from an insider threat or a remote access trojan, penetration testing (pen test) companies are an ideal target for cyber criminals. Their customers are a ready-made list of organisations with data valuable enough to justify paying for a pen test, or with some regulatory compliance requirement.

Pen test results are available for purchase on the dark web, so this is not just theory, but a reality. If you know there are major shortcomings with your IT security, there is no point paying for an expensive pen test when the money could first be put to use to actually address some of the gaps and shortcomings. A report listing all the issues and vulnerabilities in your IT infrastructure is the perfect Christmas gift for a cyber criminal, especially if leaked internally via an insider threat. As a result, third party risk is taken to a new level when it comes to choosing a pen testing company, which means that risk assessments need to reflect this, rather than treat them like any other supplier. The same can be said for IT support companies, who not only have detailed network information on their customers, they also have full remote access and admin privileges to internal systems, as well as credentials for any cloud services they administer on behalf of their customers. …


Photo by Olivier Darbonville on Unsplash

Back in September I received an email claiming to be from the courier firm DPD, saying that an attempt to deliver a parcel had been unsuccessful. In order to get the item redelivered I would need to reschedule the delivery and confirm that the address details were correct. Unfortunately, as there had already been three failed attempts, there would be a small charge. The link provided also had the tracking code embedded in it for convenience.


But wait: switching from my phone to my laptop showed that it was coming from a Hotmail address instead of a DPD email address, and also that the payment was in euros, not pounds sterling. But more to the point, why is it that someone can register the web domain ‘tracking-128673.dpd-co-uk-servicedelivery-supportuser-info .com’ without raising alarm bells? I checked and saw that it was registered using namecheap.com, so I reported it to them via their live chat feature and was told to submit a ticket to the Abuse Reports department via the Support option on their website, choosing the relevant abuse type. …


Photo by Kelly Sikkema on Unsplash

As part of the cyber security awareness training in many organisations, the IT department simulates phishing emails via a third party service to help educate their users and report on who is more likely to click on a phishing email. Some of these third party phishing services are even free, like Gophish and Duo Security, and yet I have a policy of not phishing my own staff. Let me explain why.

The reason is that for the past 5 years I have been encouraging all my colleagues to forward suspicious emails they receive to the IT department, or to contact IT if they are unsure about the validity of an email. This feeds into the quarterly cyber security group training sessions, so that they are based on actual ‘real world’ phishing emails we have received, and it allows us to update and tweak the email filters as part of a continuous improvement cycle. Most of the phishing emails that make it past the email filters come via compromised business email accounts of our third party suppliers (or even clients), trying to get us to enter Microsoft Office 365 credentials into a bogus file sharing service, or to download a malicious payload. …



For over 20 years we have been on a never-ending cycle of being told that the software we use has bugs or security issues and that they have been fixed in an update or patch. But those updates have had a tendency to break something else, and the whole cycle begins again. In the worst cases, a bad operating system update has left users completely in the lurch without a working computer, and so people have become weary of updates, even to the point of refusing to install them. How many times have you restarted a computer only to realize that there were updates pending, and now you have no idea how long it will be before you can use it again to get on with some work? …


Photo by Lianhao Qu on Unsplash

The GDPR legislation, at 57,500 words long, is not the easiest of things to get your head around if your business processes personal data (which the majority do). But one of the smallest steps in GDPR compliance, which so many forget to do, can land you a £400 or £600 fine, going up to £4350.

This small step is nothing more than paying the annual £40 or £60 data protection fee, which is required by law to be paid to the data protection authority, which in the UK is the Information Commissioner’s Office or ICO. If you are lucky enough to warrant an annual fee of £2900, then it means you have more than 250 members of staff and a turnover of over £36 million. If you receive a warning letter and ignore it, you could be fined. …


Photo by Balaji Malliswamy on Unsplash

Everything we do online is based on trust: we trust our email providers, our cloud services, our search engines, software developers and online stores. We give them personal and financial information, ranging from our pet’s name and first school to our credit card and bank details. So, as a result, it is very easy for criminals to abuse that trust, because the opportunities to do so seem endless. …


Photo by Ricardo Arce on Unsplash

Targeted email attacks are an increasingly difficult problem to stop through technology alone, requiring both processes and people (via education) to combat effectively. Commonly called ‘spear phishing’, and for high profile targets ‘whaling’, the core of the attack is social engineering combined with elements of truth taken from our recent online activities.

So why are they so difficult to block? Firstly, many targeted phishing emails do not contain anything immediately malicious. Some will not have anything at all that gives the game away, instead building a rapport over time. Others rely on shortened hyperlinks and attachments that contain hyperlinks, like an Adobe PDF file. These may reach out to fake login sites, fake banking sites or a whole host of other scenarios that the criminals can think of. …


Photo by Scott Graham on Unsplash

Cybersecurity training in many organisations is seen as a chore, a tick box exercise that needs to be done when we get time, maybe next week. Or it is mandatory, regardless of the deadlines you face, but mostly irrelevant to your role or to the risks the organisation faces. Yet, in today’s world of highly sophisticated data breaches, does all this training actually make a difference?

Firstly, cyber security training is a bit like studying history; every month that goes by adds another month to the pool of history that could be learned. There is no end to the subject matter because it is constantly evolving. Secondly, when teaching any subject, if the students are not interested then, given the limited amount of time available, they are unlikely to learn anything, or they already know what you are teaching and resent having to go through the process. Lastly, the security technologies in place do most of the work, protecting users from 99.9% …


Photo by Ryan Moulton on Unsplash

Over the past few years there has been a paradigm shift in the world of computer gaming, whether on consoles, computers or mobile devices, where the focus is no longer on just selling you a game. Instead, the focus has shifted to you buying an in-game currency or virtual currency that allows you either to unlock additional content or to gain some advantage or cosmetic difference in how your game character(s) look within the game. As a result, this is raking in hundreds of millions for some game developers, and the criminals have taken note.

Many of the games are technically free, and there are millions of players who do not buy in-game currency, but the downside is that progress within the game is extremely slow. So the criminals offer, as bait, free in-game currencies like Fortnite’s V-Bucks or Robux from the gaming platform Roblox, potentially worth hundreds of pounds. So, what do the criminals get out of it? Many of the scams have a survey component, gleaning personal information that many would not normally give, followed by your username and password for the gaming account concerned. To top it off, you may be asked to share your friends’ email addresses with the promise of more in-game currency, or to buy (via a credit card) reduced rate currency. …

About

Nick Ioannou

IT professional, blogger, author and public speaker on cloud and security issues, with over 20 years’ corporate experience. More resources at www.boolean.co.uk
