So… are you still using USB storage devices?

 

This was a question my friend asked me last week. It turned out his company suddenly wanted to block them from being used, and he could not understand why and was in fact rather annoyed. After I had sat down and explained the risks of USB devices to him, I thought this would make a great post for the blog.

What are USB storage devices?

They range from a flash drive to a hard drive in a box. This post concentrates on small flash drives, but it applies equally to the other devices.

Flash drives have become so popular because they use little power, have no fragile moving parts, and are small, light and cheap. Data stored on flash drives is impervious to mechanical shock, magnetic fields, scratches and dust. These properties make them great for transporting data from place to place and keeping the data readily at hand.

I remember when the first flash drives were just 8 MB, but they have since massively increased to 516 GB or even 1 TB. A 64 GB drive, for example, already holds a massive amount of information (examples can be seen here: https://www.ebay.co.uk/gds/What-Size-USB-Flash-Drive-Should-You-Buy-/10000000177330128/g.html).

So what risks?

As mentioned, these devices are small and can contain a vast amount of data, so look out for the following risks:

They can easily be lost or stolen, which can lead to an accidental loss of data.

They can be used by malicious insiders at a company to easily extract a large amount of confidential company information.

They can bypass most of the network security controls (such as the firewall, proxy, mail security gateway, etc.) and accidentally (or maliciously) introduce malware onto your computer. This is particularly relevant if a USB device is shared between work devices and home devices (home probably has far less security than work).

 

The first risk applies to everyone, from home user to company employee. Using an encrypted USB device will help if the device is lost (as long as you have used a strong password; more on this in a future post).

I usually advise a company that does not want to block USB devices to at least allow only approved company encrypted devices to be plugged into a computer, and to block any other makes of USB device.

Blocking USB devices is the best and most cost-effective way to stop company data loss via these devices. It also gives the additional benefit of preventing the third risk, the introduction of malware.

One thing I hear from company bosses is that the third risk does not really apply to their company because they have anti-virus. It may come as some surprise to you that anti-virus is not 100% effective and does not always pick up the latest malware (http://www.slate.com/articles/technology/future_tense/2017/02/why_you_can_t_depend_on_antivirus_software_anymore.html).

My recommendations

If you are a company, block the devices and use a cloud business service (OneDrive, Dropbox, Google Drive) to store company data (more on this in a later post). Allow only a few exceptions, which must use a company-approved and monitored device.

For home use, by all means use an encrypted USB device, but be aware it can be lost, so make sure that you have a backup of your data elsewhere.
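One way to monitor the "approved devices only" rule is to review USB attach records against an allowlist. The sketch below is an added example, not part of the original post; the log lines are constructed in the style of Linux kernel USB attach messages, and the allowlist values, IDs and serials are invented.

```python
import re

# Constructed allowlist: (vendor ID, product ID, serial) of company-issued drives.
APPROVED = {("1111", "2222", "CORP-ENC-0001")}

# Constructed sample, in the style of Linux kernel USB attach messages.
SAMPLE_LOG = """\
[  101.10] usb 1-2: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00
[  101.11] usb 1-2: SerialNumber: CORP-ENC-0001
[  101.12] usb-storage 1-2:1.0: USB Mass Storage device detected
[  230.40] usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  230.41] usb 1-3: SerialNumber: 0000000000A7
[  230.42] usb-storage 1-3:1.0: USB Mass Storage device detected
[  300.00] usb 1-4: New USB device found, idVendor=3333, idProduct=4444, bcdDevice= 1.00
[  410.00] usb 1-2: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00
[  410.01] usb-storage 1-2:1.0: USB Mass Storage device detected
"""

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def unapproved_storage(log_text, approved):
    """Return (port, vid, pid, serial) for each storage attach not on the allowlist."""
    events, current = [], {}  # every attach seen; latest attach per port
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            rec = {"port": m[1], "vid": m[2], "pid": m[3], "serial": None, "storage": False}
            events.append(rec)
            current[m[1]] = rec
        elif (m := SERIAL.search(line)) and m[1] in current:
            current[m[1]]["serial"] = m[2]
        elif (m := STORAGE.search(line)) and m[1] in current:
            current[m[1]]["storage"] = True
    # A drive that reports no serial can never match the allowlist, so it is flagged.
    return [(e["port"], e["vid"], e["pid"], e["serial"]) for e in events
            if e["storage"] and (e["vid"], e["pid"], e["serial"]) not in approved]


if __name__ == "__main__":
    for hit in unapproved_storage(SAMPLE_LOG, APPROVED):
        print("unapproved USB storage:", hit)
```

Matching on the serial as well as the model means a personally bought drive of the approved make is still flagged, as is one that reports no serial at all.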

Online counterfeiting – part 2

This post follows on from part one which is here

 

 

Your company has realized that online counterfeiting actually is an issue, so what next? Well, the next step could be to go and grab some data and see how large or small the problem actually is.

Getting the data

Let’s take a scenario: your company sells a product that is being counterfeited and sold online on a global eCommerce site. You want to get a list of the sellers of the counterfeited goods to give to your legal team.

Right, so there are a couple of ways to do this:

  • Get a human to sit down once a week, log on to the eCommerce site, search the site for your brands and copy and paste the results into, say, an Excel file
  • Use an automated system to regularly do the above

The first option is going to work if you have the human resources or there are only a few sellers and adverts. However, I would argue the second option works better if you have many sellers with many adverts: you do not need extra resources, and it also has some extra benefits.

The automated system

First you need what is known as a web scraper. These come in many shapes and sizes, from DIY programming to ‘data as a service’, which is outsourced web scraping from which data is delivered to you. There are a number of potential issues to be aware of when running a web scraper in-house, which we will go into in a later article. Whatever type of web scraper you take, it should be easy to schedule it automatically, daily or weekly, to search for the latest adverts.

Before we move to the next part there are a couple of things to highlight. The web scraper, compared to a human, has the ability to scale across many sites and eCommerce platforms and collect the data in an organised format.

Next you need somewhere to store these results. It could be an Excel sheet that you send somewhere in your company each week, but I would suggest something a little smarter: data analysis.

Data Analysis

Essentially, all this means is putting your data into a database and running analytics across it. This has many advantages, some of which are listed below.

  • You keep all the historical stuff. You can get a timeline of when a particular seller is putting adverts online. Are they regularly putting up adverts, are they waiting for a particular high season, or were they just a one-off seller?
  • You can see hotspots of adverts. Is a particular time of the year more important than another?
  • Who are your top sellers of counterfeits? These may be the ones to send to Legal as high priority
  • You easily get metrics over the full amount of data in the database. How many counterfeits were taken off the market this year?
  • Collect intelligence for identifying sellers. Are counterfeited products being sold a certain percentage lower than the official price, compared to, say, someone selling second-hand?

All parts of the system could be out-sourced, in-sourced or a combination of the two. It just depends on the resources you have and of course budget.

The next post will look at how to build a system and the potential costs.
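The following added example (not from the original post) shows three of these questions as database queries: top sellers, each seller's advert timeline, and seasonal hotspots. The adverts, seller names, official price and the 50% price threshold are all constructed assumptions.

```python
import sqlite3

# Constructed scraper output: (seller, brand, price, date the advert was seen).
ADVERTS = [
    ("seller_a", "BrandX", 19.0, "2018-03-02"),
    ("seller_a", "BrandX", 18.5, "2018-06-11"),
    ("seller_a", "BrandX", 20.0, "2018-11-23"),
    ("seller_b", "BrandX", 85.0, "2018-05-04"),  # near list price: maybe second-hand
    ("seller_c", "BrandX", 25.0, "2018-11-20"),
    ("seller_c", "BrandX", 24.0, "2018-11-27"),
]
OFFICIAL_PRICE = {"BrandX": 100.0}  # assumed official price
SUSPECT_RATIO = 0.5                 # assumed threshold: below 50% of official price


def load(adverts, official):
    """Load scraped adverts and official prices into an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE advert (seller TEXT, brand TEXT, price REAL, seen TEXT)")
    db.executemany("INSERT INTO advert VALUES (?, ?, ?, ?)", adverts)
    db.execute("CREATE TABLE official (brand TEXT PRIMARY KEY, price REAL)")
    db.executemany("INSERT INTO official VALUES (?, ?)", list(official.items()))
    return db


def top_suspect_sellers(db, ratio=SUSPECT_RATIO):
    """Sellers ranked by adverts priced below ratio * official price,
    with the first and last date each seller was seen (their timeline)."""
    return db.execute(
        """SELECT a.seller, COUNT(*) AS n, MIN(a.seen), MAX(a.seen)
           FROM advert a JOIN official o ON o.brand = a.brand
           WHERE a.price < o.price * ?
           GROUP BY a.seller ORDER BY n DESC, a.seller""", (ratio,)).fetchall()


def adverts_per_month(db):
    """Hotspots: advert counts per calendar month."""
    return db.execute(
        "SELECT strftime('%m', seen) AS month, COUNT(*) FROM advert "
        "GROUP BY month ORDER BY month").fetchall()


if __name__ == "__main__":
    db = load(ADVERTS, OFFICIAL_PRICE)
    print(top_suspect_sellers(db))
    print(adverts_per_month(db))
```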

Hacking then phishing – kicking a person when they’re down!

Today we’re going to highlight two issues for the price of one. Not bad for a Monday!

Firstly we have the recent admission by British Airways that criminals had hacked their website and that the personal details – including bank card numbers – of about 380,000 customers had been compromised. To add insult to injury, it took them 15 days to realise and then warn customers so they could take action, by which time a huge number of fraudulent transactions could have been conducted by the criminals and whoever they sold the card data to. If only they had an effective Security Operations Centre like other multi-nationals (really should) have!

Secondly, the fact that BA contacted their customers by email – and the possibility of this being exploited by other criminal groups – was debated by my fellow security professionals last week, so I thought I’d check the spam folder of my personal email account. Imagine my surprise when I spotted the attached message! It took a few moments, but we found a few indicators of a phishing email (the “return to” address was very suspicious, suspicious hyperlinks did not go to the BA website, there were minor grammatical errors in the text, the promise of two free plane tickets was unrealistic for half a million customers, etc.).

Would you have spotted it?

So there we have it, a quick and simple introduction to how one criminal group can quickly jump on the bandwagon and exploit another criminal group’s actions, preying on people who are easily exploited because they are under pressure dealing with the first problem. Talk about kicking a person when they’re down!
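Two of the indicators listed above, the suspicious reply address and hyperlinks that do not go to the genuine website, can be checked mechanically. This is an added example, not part of the original post: the message is constructed, `airline.example` is a placeholder for the genuine sender's domain, and the "return to" address is assumed to be the Reply-To header.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "airline.example"  # placeholder for the genuine sender's domain

# Constructed sample message; every address and URL is invented.
SAMPLE = """\
From: "Airline Customer Care" <care@airline.example>
Reply-To: claims@airline-refunds.example
Subject: Your compensation: two free tickets
Content-Type: text/html; charset="utf-8"

<p>Sorry for the incident. <a href="http://tickets.airline.example.claims.example/win">Claim
your tickets</a> or read our <a href="https://www.airline.example/help">help page</a>.</p>
"""


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def in_domain(host, domain):
    # Exact match or a true subdomain; "airline.example.claims.example" must not pass.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw, brand=BRAND_DOMAIN):
    """Return (kind, value) pairs for reply addresses and links outside the brand domain."""
    msg = message_from_string(raw)
    found = []
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and not in_domain(reply.rpartition("@")[2], brand):
        found.append(("reply-to", reply))
    parser = LinkCollector()
    # Assumes a single-part HTML body, as in the constructed sample.
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href in parser.hrefs:
        if not in_domain(urlparse(href).hostname, brand):
            found.append(("link", href))
    return found
```

The hostname comparison is done on the parsed host rather than by substring search, so a link that merely contains the brand name somewhere in its address is still reported.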