Graham Cluley is a well-known British IT security guru, which makes him an expert on a topic that never runs out of angles. – When I started off in the business 25 years ago, we had 200 new viruses every month. Today we see 400 000 new types of malware every day, he says.
Graham Cluley will be speaking at Copperberg's Nordic IT Security Forum, this time taking place in Stockholm (Stockholmsmässan) on the 26th of October.
Cluley, who was a senior technology consultant at Sophos from 1999 to 2013, is nowadays mostly known as a blogger, frequent Twitter contributor and speaker. And Graham Cluley never gets bored discussing IT security issues. It is quite obvious that the issues of the business are a never-ending story:
– I remember in the old days, people said, ”How will you cope when there are 10 000 new viruses in total?” And the truth is, now we see 10 000 new viruses every 40 minutes… It's just astonishing.
And the profile of the typical hacker has definitely changed:
– Back in the day, the people writing malware were kids, and they were not doing it to make money… it was just ”electronic graffiti”.
But malware and ransomware have by now become big business, and breaches in IT security make the news almost every day, worldwide. One of the big stories this spring, for example, is the ”LinkedIn leak” incident. The story actually first hit the news in 2012, when it was reported as a breach of 6.5 million LinkedIn accounts. But recently it was revealed that as many as 117 million accounts are actually involved…
– Ultimately the people to blame for the leak are the hackers. They have committed a criminal act. But you might argue that LinkedIn did not have decent security in place. I think you can argue that quite strongly. They weren't protecting those passwords by salting them and using the right algorithms to protect them. I think there is a lot of fault there, says Graham Cluley.
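To make the point about salting and ”the right algorithms” concrete, here is an added example (not code from the interview or from any company mentioned): it puts a fast, unsalted hash next to a per-user salted, deliberately slow one from the Python standard library. The user list and passwords are constructed for the demonstration; the iteration count is an illustrative choice, not a recommendation tied to any product.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample: two users who happen to share the same password.
USERS = {
    "alice@example.test": "correct horse battery staple",
    "bob@example.test": "correct horse battery staple",
}

ITERATIONS = 200_000  # illustrative work factor; tune to your hardware


def hash_unsalted(password: str) -> str:
    """The weak scheme: a fast hash with no salt.

    Every user with the same password gets the same digest, so a leaked
    table reveals shared passwords at a glance and one precomputed list of
    common passwords matches all of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, slow hash using PBKDF2-HMAC-SHA256 from the standard library.

    Returns (salt, digest). A fresh random 16-byte salt per user means equal
    passwords give different digests, and the iteration count makes every
    guess against a leaked table cost real CPU time.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def digests_collide(scheme) -> bool:
    """True if `scheme` gives the two sample users identical stored values."""
    return scheme(USERS["alice@example.test"]) == scheme(USERS["bob@example.test"])


if __name__ == "__main__":
    print("unsalted digests identical:", digests_collide(hash_unsalted))
    print("salted digests identical:  ", digests_collide(hash_password))
    salt, digest = hash_password(USERS["alice@example.test"])
    print("verify correct password:   ", verify_password(USERS["alice@example.test"], salt, digest))
    print("verify wrong password:     ", verify_password("password1", salt, digest))
```

The two `digests_collide` calls are the whole lesson: with the unsalted scheme the duplicate password is visible in the stored data itself, while with a per-user salt the same password stored twice looks like two unrelated records, and checking a guess costs the same work factor as storing it.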
Blaming the users for poor password habits is just an elitist and wrong way of reasoning, according to Cluley.
– There are some people who like to blame the users. ”Well, if you were using the same password in multiple places… or if you didn't reset your passwords, then shame on you.” But we work in the field of computer security. We live and breathe this stuff all the time. The typical man on the street doesn't. And they need help. And they need to have their awareness raised about these things. It's our job as security professionals to remind them of these dangers. There is so much else going on in their lives. They would expect a large company like LinkedIn to do the job competently, and they didn't.
Graham Cluley continues:
– Every week we hear about another company or another website that has had its database hacked. And as a result, people are put at risk.
This does not mean, of course, that there aren't simple ways for the ”layman” to help himself (or herself) more than a little bit:
– I don't really like to blame the users. What I would rather do is encourage the users to get serious, to start using a password manager, and to turn on two-step verification.
Cluley points out that the most common ”layman mistake” is not the use of easy passwords, like ”123456”, the only daughter's name or the dog's name.
It's using the same password, no matter how complex, for many – or all – online accounts.
– That actually is a much bigger problem, I think, than an easy-to-guess password. You can have a really complex password, but if you use it in multiple places, you are doomed. Because at some point one of your websites will get hacked, that password will fall into the hackers' hands, and they know your e-mail address. The first thing they are going to do is to try your e-mail address as a username on different sites, together with the password they just grabbed.
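Seen from the receiving site's side, the behaviour Cluley describes has a recognisable shape in the login log: one source trying a leaked e-mail:password list walks through many different accounts, while a legitimate user who mistypes retries a single account. The following added example (not from the interview or any product) parses a few constructed log lines in an invented format and flags sources that attempted an unusual number of distinct accounts, listing any that succeeded so those accounts can be reset first. The threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample log (invented format, not from any real system).
SAMPLE_LOG = """\
2016-10-26T09:00:01Z login FAIL src=203.0.113.7 user=alice@example.test
2016-10-26T09:00:02Z login FAIL src=203.0.113.7 user=bob@example.test
2016-10-26T09:00:02Z login FAIL src=203.0.113.7 user=carol@example.test
2016-10-26T09:00:03Z login OK   src=203.0.113.7 user=dave@example.test
2016-10-26T09:00:04Z login FAIL src=203.0.113.7 user=erin@example.test
2016-10-26T09:00:09Z login FAIL src=198.51.100.2 user=alice@example.test
2016-10-26T09:00:15Z login FAIL src=198.51.100.2 user=alice@example.test
2016-10-26T09:00:20Z login OK   src=198.51.100.2 user=alice@example.test
this line is not a login record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL)\s+src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Return the fields of one login record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def stuffing_candidates(log_text, min_distinct_users=3):
    """Flag sources that tried at least `min_distinct_users` different accounts.

    Returns {src: {"accounts": [...], "successes": [...]}}. Successes are
    reported separately because a success from a flagged source means the
    leaked password was valid here too and that account needs a reset.
    """
    accounts = defaultdict(set)
    successes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        accounts[rec["src"]].add(rec["user"])
        if rec["result"] == "OK":
            successes[rec["src"]].add(rec["user"])
    return {
        src: {"accounts": sorted(users), "successes": sorted(successes[src])}
        for src, users in accounts.items()
        if len(users) >= min_distinct_users
    }


if __name__ == "__main__":
    for src, info in stuffing_candidates(SAMPLE_LOG).items():
        print(src, "tried", len(info["accounts"]), "accounts; succeeded on", info["successes"])
```

Counting distinct accounts per source rather than raw failures is what separates the two patterns in the sample: 198.51.100.2 fails twice but only ever on one account, so it is not flagged, whereas 203.0.113.7 touches five accounts and gets into one of them.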
An interesting aspect of IT security hacks that has become quite apparent is that far from all hackers are typical criminals…
– What we didn't imagine was the scale of cybercrime growing so much. And more than that, that we would see governments and intelligence agencies actually hacking. And writing malware to disrupt uranium enrichment facilities in Iran. It is a weapon now, which can be used for espionage, and potentially cyber warfare as well. In terms of disrupting facilities, bringing down systems. The kind of things you might normally try to do with a bomb, with explosives, even if it won't have the same impact.
– ”Let's stop that company from working”, ”Let's stop the army from being able to communicate with each other”.
Predicting what the biggest threat to IT security will be in the future is really tricky business. Most experts who make this kind of prediction usually get it wrong, according to Graham Cluley. But he nevertheless identifies his own ”biggest worry”.
– One thing I'm fearing is the Internet of Things.
With the Internet of Things, it's not only our computers and our phones, but other devices as well. Those devices are poorly secured; they are not built with security in mind. For example, CCTV cameras are connected to the internet. And hackers are using CCTV cameras, not to spy… but they use that computer power to conduct DDoS attacks.
For anyone interested in Graham Cluley's take on IT security: apart from the upcoming Copperberg Nordic IT Security Forum on October 26th, his homepage, where he posts new articles all the time, and Twitter would be the obvious choices. He is so prolific on Twitter that, for example, in 2009 and 2010 Computer Weekly named Cluley the ”User of the year”.
– I think Twitter has become an astonishing platform for sharing information very rapidly. That's where I get my breaking news from now, not the BBC.
For more information: www.safesendsoftware.com
SafeSend provides protection against the accidental emailing of sensitive data outside the company domain. How common is data loss through misaddressed emails among enterprises?
It is more common than one might first think. The Verizon Data Breach Investigations Report states that misdelivery – sending paper documents or emails to the wrong recipient – is the most frequently seen error in data disclosure.
In November 2014, the Bank of England's details of a top-secret project – the bank's contingency plan in the event of Britain leaving the EU, unknown even to most of its employees – were emailed to the Guardian by mistake. To prevent a similar incident from happening in the future, the Bank of England disabled the autocomplete function for all its employees. Another high-profile data breach happened in May 2015, when personal details of the world leaders at the last G20 summit were accidentally disclosed by the Australian immigration department. In this case, again, the autocomplete function was disabled for the whole organization. Both of these cases could have been prevented by SafeSend.
By introducing a non-obtrusive tool to ensure users really understand to whom they are sending email traffic, you minimize several risks, but it requires an extra step in the sending process. How do users respond to adding this extra step?
The vast majority of our users actually appreciate the extra step as most of their emails are internal within the organization and will not induce the SafeSend confirmation window to appear. When they actually do send an email to external recipients, they see SafeSend as a good reminder to be extra careful.
What our users have in common is an understanding of the possible consequences of a misdelivered email and a focus on data loss prevention from an integrity and compliance perspective. In that context, adding the extra step that you mention is not seen as an obstacle.
Do you operate within B2C as well? What are the options for private customers?
SafeSend is engineered primarily for enterprise deployment. That is where the application offers clear benefits and a solution to a real problem that most organizations are facing today.
At the moment we do not offer the product on the consumer market, but should there be a growing interest in that direction, it is something we may well consider in the future.
SafeSend is part of this year’s Nordic IT Security Forum in Stockholm. What’s the message you will deliver to the audience?
We want to deliver the message that accidental data leakage by email can be prevented without loss of productivity. We developed SafeSend as a solution to a problem: “To prevent the accidental emailing of confidential emails outside the company domain by mistake”. SafeSend asks users to confirm external recipients and files in outgoing emails, preventing Outlook’s autocomplete function from adding the wrong recipients.
We look forward to a great conference and hope to see you at our booth, where you can learn more about SafeSend and its contribution to data loss prevention!
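The check behind the confirmation step described above, ”confirm external recipients in outgoing emails”, is simple to state but has a few edges worth getting right: addresses arrive as display-name forms (`Anna <anna@partner.example>`), domain comparison must be case-insensitive, and subdomains of the company domain are usually still internal. The following is an added example written for this page, not SafeSend's code and not a description of how SafeSend is implemented; the company domain, the header values and the rule that subdomains count as internal are all assumptions of the example.

```python
from email.utils import getaddresses
from typing import Dict, List, Tuple

COMPANY_DOMAIN = "example.test"  # assumption: the organisation's own mail domain


def recipient_domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def is_internal(address: str, company_domain: str = COMPANY_DOMAIN) -> bool:
    """Internal means the company domain itself or any subdomain of it (assumed rule)."""
    domain = recipient_domain(address)
    company = company_domain.lower()
    return bool(domain) and (domain == company or domain.endswith("." + company))


def external_recipients(header_values: List[str],
                        company_domain: str = COMPANY_DOMAIN) -> List[str]:
    """Return the external addresses found in raw To/Cc/Bcc header strings.

    email.utils.getaddresses splits comma-separated lists and strips display
    names, so 'Anna <anna@partner.example>' yields 'anna@partner.example'.
    Malformed entries with no address part are skipped.
    """
    externals = []
    for _name, addr in getaddresses(header_values):
        if addr and not is_internal(addr, company_domain):
            externals.append(addr)
    return externals


def confirmation_prompt(header_values: List[str], attachments: List[str],
                        company_domain: str = COMPANY_DOMAIN) -> Tuple[bool, Dict[str, List[str]]]:
    """Decide whether the sender must confirm before the mail leaves.

    Returns (needs_confirmation, details). Only mail with at least one
    external recipient triggers the prompt; purely internal mail passes
    silently, which is what keeps the extra step from costing productivity.
    Attachments are listed in the prompt so the sender sees which files
    would leave the company domain.
    """
    externals = external_recipients(header_values, company_domain)
    details = {"external_recipients": externals, "attachments": list(attachments)}
    return (len(externals) > 0), details


if __name__ == "__main__":
    headers = ["Anna Andersson <anna@EXAMPLE.test>, bob@partner.example",
               "Reporting <reports@finance.example.test>"]
    needed, info = confirmation_prompt(headers, ["q3-forecast.xlsx"])
    print("confirm before sending:", needed)
    print(info)
```

Keeping the decision in `confirmation_prompt` separate from the address parsing means the same parser can feed other policies later, for instance requiring confirmation only when an attachment is present, without touching the recipient logic.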