Digital Piracy Can Kindle Grief Of Amazonian Proportion

Love it or hate it, digital content is here to stay.

Be it games distributed via Steam, underpriced apps from the App Store, or books from Amazon, all your digital entertainment and business needs can seemingly be provided for by the virtual world.

But that can cause problems.

Take apps for example – acquiring them from the App Store or Google Play is generally a safe bet, but sometimes you may want an app that isn’t available, or find one elsewhere at a reduced price, or even free. In the latter case there is a fair chance that you may not receive what you expected or, if you do, it may come with some undesirable “extras”.

But such issues shouldn’t only concern users of smartphones or tablets. No sirree, even the humble ebook reader needs to be aware of the issues surrounding literature acquired from alternative sources.

The most recent example of what I am talking about here comes in the form of Kindle ebooks and the possibility that they could be used to compromise your Amazon account.

Security researcher Benjamin Mussler says a flaw in Amazon’s Kindle management page allows hackers to obtain users’ credentials via booby-trapped digital books. When a user uploads an ebook they have obtained from a third party, it passes through Amazon’s systems before it can be stored on their device. Such content is held in the cloud-based Kindle Library, and that functionality allows an attacker to hide a script in a .mobi or .azw file which could then be used to hijack the associated Amazon account.

It isn’t the first time this has been possible either – Mussler first reported the flaw almost a year ago and a fix came quickly, but it has subsequently reappeared following an update at Amazon’s end:

“When I first reported this vulnerability to Amazon in November 2013, my initial Proof of Concept, a MOBI e-book with a title similar to the one mentioned above, contained code to collect cookies and send them to me.

Interestingly, Amazon’s Information Security team continued to use this PoC on internal preproduction systems for months after the vulnerability had been fixed. This made it even more surprising that, when rolling out a new version of the ‘Manage your Kindle’ web application, Amazon reintroduced this very vulnerability.

Amazon chose not to respond to my subsequent email detailing the issue, and two months later, the vulnerability remains unfixed.”

Whilst this is primarily of concern to those who pirate content from dubious corners of the web, it could also conceivably apply to content creators whose own systems have been compromised.

So, keep your own system clean and, as ESET’s Mark James says, do not download ebooks or pdfs from dodgy sources either. Saving a few quid could cost you in the long run:

“If you enjoy having lots of books to read while travelling around on business or relaxing by the pool on vacation then the thought of having them all on an electronic device seems perfect. The Amazon Kindle is an excellent device for this and if you have one you probably struggle with the concept of paying the same if not more for an electronic version of the book than the good old fashioned paper version. It does not make sense when you look at the production, duplication and storage costs of paper books alongside the exact same but in electronic format; it just does not add up. However, think very hard before you go looking on questionable websites for a cheaper or free version of the eBook as it may easily contain malware.

I am sure your first thoughts would be “impossible”, it can’t happen, a book cannot contain malware; well, you’re wrong. Compromised books have been found to have scripts embedded in the titles that when executed will attempt to send your Amazon account cookies to the attacker, which could enable them to compromise your Amazon account. Amazon was informed about this last November and they fixed it within days, but when they rolled out their new “Manage your kindle” page earlier this year it manifested itself again. If you want to protect yourself then it’s relatively easy to do so: “DO NOT” download eBooks or pdfs from untrusted sources. It really is not worth it to save a few pounds.”
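The weakness described above is metadata from an uploaded file being written into the library page as markup. As an added example (not Amazon’s code or Mussler’s proof of concept), the following Python extracts a title from a constructed MOBI EXTH metadata block and contrasts rendering it as raw HTML with encoding it as data; the EXTH layout and record numbers follow the publicly documented format, while the sample titles, the inert marker script and all function names are constructed for this example.

```python
import html
import struct

# EXTH record type 503 is the "updated title" field in MOBI metadata; the title is the
# field the article says carried the embedded script.
EXTH_UPDATED_TITLE = 503


def build_exth(records):
    """Construct an EXTH block from (type, bytes) pairs. Used only to make sample input
    here; in a real .mobi/.azw the block sits inside record 0 after the MOBI header."""
    body = b"".join(struct.pack(">II", rtype, 8 + len(data)) + data for rtype, data in records)
    length = 12 + len(body)
    pad = (-length) % 4  # EXTH blocks are padded to a 4-byte boundary
    return b"EXTH" + struct.pack(">II", length + pad, len(records)) + body + b"\0" * pad


def parse_exth(blob):
    """Return {record_type: [payload, ...]} from an EXTH block, rejecting malformed lengths."""
    if blob[:4] != b"EXTH":
        raise ValueError("not an EXTH block")
    length, count = struct.unpack(">II", blob[4:12])
    if length > len(blob):
        raise ValueError("EXTH length exceeds available data")
    records, pos = {}, 12
    for _ in range(count):
        if pos + 8 > length:
            raise ValueError("truncated EXTH record header")
        rtype, rlen = struct.unpack(">II", blob[pos:pos + 8])
        if rlen < 8 or pos + rlen > length:
            raise ValueError("malformed EXTH record length")
        records.setdefault(rtype, []).append(blob[pos + 8:pos + rlen])
        pos += rlen
    return records


def title_from_exth(blob, default="Untitled"):
    """Extract the display title. The bytes come straight from the uploaded file: untrusted."""
    recs = parse_exth(blob).get(EXTH_UPDATED_TITLE)
    return recs[0].decode("utf-8", "replace") if recs else default


def render_library_unsafe(titles):
    """Metadata concatenated into the page as markup: the pattern behind the library bug."""
    return "<ul>" + "".join(f"<li>{t}</li>" for t in titles) + "</ul>"


def render_library_safe(titles):
    """Same listing with contextual output encoding: a title is data, never markup."""
    return "<ul>" + "".join(f"<li>{html.escape(t, quote=True)}</li>" for t in titles) + "</ul>"


def flag_markup_titles(titles):
    """Upload-time screening for review and logging (defence in depth, not a substitute
    for output encoding)."""
    return [t for t in titles if "<" in t or ">" in t]


# Constructed sample: one ordinary book and one whose title carries an inert script tag.
SAMPLE_EXTH = [
    build_exth([(EXTH_UPDATED_TITLE, "A Perfectly Normal Novel".encode())]),
    build_exth([(100, b"Unknown Author"),  # record 100 is the author field
                (EXTH_UPDATED_TITLE,
                 "Free Book <script>/* constructed marker */</script>".encode())]),
]


def demo():
    """Parse both samples and render them both ways; returns (unsafe_html, safe_html, flagged)."""
    titles = [title_from_exth(b) for b in SAMPLE_EXTH]
    return render_library_unsafe(titles), render_library_safe(titles), flag_markup_titles(titles)


if __name__ == "__main__":
    unsafe, safe, flagged = demo()
    print("unsafe:", unsafe)
    print("safe:  ", safe)
    print("flagged for review:", flagged)
```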

Server Anomaly Detected Captain Freenode, Set Passwords To Change

Email – malware attachments and phishing scams, but maybe not dead just yet.

Facebook – privacy, what is privacy?

WhatsApp – location, location.

Snapchat – nothing is ever truly gone forever.

There are many different ways of communicating these days (anyone remember the good ol’ times when you had to use a pen and paper and lick a stamp?) but none are totally secure. At least none of the above anyway. Allegedly.

But before you feel tempted to return to Internet Relay Chat (IRC) for your communication needs, you should be aware that the medium isn’t without its challenges too, such as denial of service attacks and straight-out mischief, as seems to be the case with the popular Freenode network.

The free, open-source IRC network announced on Saturday that it had spotted an ‘anomaly’ on one of its servers, which means it is likely that someone sniffed real hard and then ran off with passwords:

“Earlier today the freenode infra team noticed an anomaly on a single IRC server. We have since identified that this was indicative of the server being compromised by an unknown third party. We immediately started an investigation to map the extent of the problem and located similar issues with several other machines and have taken those offline. For now, since network traffic may have been sniffed, we recommend that everyone change their NickServ password as a precaution.

To change your password use /msg nickserv set password newpasshere

Since traffic may have been sniffed, you may also wish to consider any channel keys or similar secret information exchanged over the network.

We’ll issue more updates as WALLOPS and via social media!”

The advice given in the announcement is sound – changing passwords now is recommended if you are one of the company’s 80,000-odd users.

But with so many breaches lately, in conjunction with the resulting necessity for a change of login credentials, it can be tricky to come up with something that is both new and secure each time.

If you need help remembering all those passwords then a password manager such as KeePass or LastPass is highly recommended. If you prefer to create your own passwords then please remember to use a broad mix of numbers, letters, symbols and a frequent change between upper- and lower-case. If you need more tips, you’re in luck – we have 10 password tips right here.

Facebook’s Exploding Posts: Mission Impossible vs. Robin Of Sherwood

This Facebook post will self-destruct in 5 seconds.

Well, ok, maybe not 5 seconds. But your latest Facebook post could soon be gone in a timescale chosen by you (well, ok, anywhere between 1 hour and a week).

A small number of users spotted the new feature in a Facebook iOS app earlier this week which allows users to set a deletion date at the time they create a new post.

A Facebook spokesperson confirmed the existence of the trial feature, saying:

“We’re running a small pilot of a feature on Facebook for iOS that lets people schedule deletion of their posts in advance.”

Small-scale trials of new features are nothing new for the social networking giant, which is constantly looking to evolve. Facebook users will be grateful, however, that this one is not as secret as, say, testing how users react to positive and negative news: the secret emotion experiment which recently surfaced and did little to enhance the reputation of a company which many fail to equate with privacy protections.

That said, Facebook may be learning what its users want, as evidenced by the recent addition of the ‘privacy dinosaur’ aka the new privacy checkup tool.

So, that means all users will be able to self-destruct all of their postings in the future, wiping them off Facebook’s servers for ever more, right?

Well, before you see Facebook as a means for posting questionable or sensitive content, you may wish to consider the fact that the answer to that question is not clear – it looks like the removal from a user’s timeline will be permanent but I’d be very surprised if Facebook would want to let anything fall off its own servers (we know it keeps a record of anything typed into the status box, regardless of whether the user subsequently decides to publish it or not, for example).

Then of course there is the fact that virtually nothing shared on the web is private ever again anyway – the kids of today ain’t half bright you know and they can take screenshots and everything.

So before you even start contemplating using Facebook’s potential new service, or the Slingshot app, or Snapchat to post something you otherwise may have kept to yourself (or should have) remember that nothing that is published can be unpublished and privacy can sometimes be an illusion. Or, as my boyhood hero Michael Praed would say, “Nothing is forgotten. Nothing is ever forgotten.”

Microsoft Sings We’re Not Gonna Take It, Invites Contempt

“See you in court!”

Aaargggh, no thanks, that sounds like a mighty stressful and bank balance-busting exercise in futility to me.

But then again, I’m not Microsoft so perhaps I’ve got good reason to not want to end up in front of a judge. Not that I’ve done anything wrong of course. Honest. Just ask GCHQ – its minority report division already knows I’m a saint now and will continue to be so in the future too.

Microsoft, however, is so keen to have its say in court that it has invited proceedings upon itself. Kind of.

After US authorities made demands over emails stored on a Microsoft server in Dublin, Ireland, the software giant said no dice and has now taken the unusual step of asking the US government to hold it in contempt of court so that it can accelerate the privacy-based case onto the appeals stage.

The case centres around a series of emails which are said to be relevant to an investigation into drug trafficking but, despite the potential gravity of that case, Microsoft disagrees with the government view that data held overseas is there to be grabbed, instead suggesting that US jurisdiction should terminate in line with its physical borders.

An outstanding warrant, about which almost nothing is known publicly, has caused Microsoft much consternation with the company promising to appeal any adverse ruling “promptly.” The company objected to the search on many levels, including the fact that it believes an existing precedent applies:

“The U.S. has entered into many bilateral agreements establishing specific procedures for obtaining physical evidence in another country including a recently-updated agreement with Ireland. We think the same procedures should apply in the online world.”

In a blog post, the company also highlights how it is taking the moral high ground in making a stand for privacy and also cites backers such as Apple, Cisco and the EFF.

None of this is to say that Microsoft feels it is above the law though, merely that it believes that government should play by the rules and follow established processes:

“We appreciate the vital importance of public safety, and we believe the government should be able to obtain evidence necessary to investigate a possible crime. We just believe the government should follow the processes it has established for obtaining physical evidence outside the United States.”

Now, after some procedural confusion, US District Judge Loretta Preska has found Microsoft in contempt, allowing the company to proceed with its appeal immediately. Meanwhile Microsoft has come to an agreement with the Department of Justice that allows it to escape punishment for that ruling, though the government said it retains the right to seek sanctions at a later date if it feels it necessary to do so, with the full stipulation saying:

  1. Microsoft has not fully complied with the warrant, and Microsoft does not intend to comply while it in good faith seeks further review of this Court’s July 31 decision rejecting Microsoft’s challenge to the Warrant.
  2. While Microsoft continues to believe that a contempt order is not required to perfect an appeal, it agrees that the entry of an order of contempt would eliminate any jurisdictional issues on appeal. Thus, while reserving its rights to appeal any contempt order and the underlying July 31 ruling, Microsoft concurs with the Government that entry of such an order will avoid delays and facilitate a prompt appeal in this case.
  3. The parties further agree that contempt sanctions need not be imposed at this time. The Government, however, reserves its right to seek sanctions, in addition to the contempt order, in the case of (a) materially changed circumstances in the underlying investigation, or (b) the Second Circuit’s issuance of the mandate in the appeal, if this Court’s order is affirmed and Microsoft continues not to comply with it.

Passwords: Microsoft Likes Them Easy, Google Prefers Them Pronounceable

Back in July Microsoft researchers suggested that simple passwords may be suitable for the majority of user accounts, based around their studies which showed the majority of users still preferred to recycle the same ridiculously simple login credentials everywhere they go on the web.

And that’s despite the fact that password managers, which can be used to generate complex and nigh on impossible to guess passwords, are widely available and often at a price point no-one can refuse (that means free).

So why is that?

Is it a failing within the infosec profession if people can’t get something so basic right? Maybe. But I tend to think of it more along the lines of laziness/convenience – users with old and bad habits don’t want to change. They don’t want to remember lots of passwords because, let’s face it, that’s tricky. And they may not have even heard of a password manager, or at least not looked into them enough to realise what they can offer.

The times they are a changing though. Or at least they may be.

And that’s because Google might be muscling in on the password management business via its Chrome browser, if the latest developmental build is anything to go by.

The latest experimental version of Chrome, known as Canary, can be updated with Google’s updated password manager by typing the following into your address bar:

  • chrome://flags/#enable-password-generation
  • chrome://flags/#enable-save-password-bubble

Once installed, you can use the password generator whenever you sign-up on a website.

According to Google’s Francois Beaufort, the user will be offered a “strong and pronounceable” password whenever they encounter a password field across the web:

“As soon as you focus the password field, a nice overlay will suggest you a strong and pronounceable password that will be saved in your chrome passwords. For info, Chromium uses a C library that provides an implementation of FIPS 181 Automated Password Generator (APG).”

Once entered, the new password will be added to your Google saved passwords, in much the same manner as a regular password manager.

Whether the experimental feature will make it into the next stable version of Chrome remains to be seen but I think it unlikely. It could however make an appearance in the not too distant future which could prove a little tricky for existing password managers such as KeePass and LastPass.

Knowing how many users value convenience over security, I suspect they will choose Chrome’s built-in password management over third party alternatives. Or at least they would if they could stop using “password1” for everything.

Hanging Out With Tom Raftery on Technology For Good

Last week I was delighted to take part in the Technology for Good podcast. Tom Raftery kindly invited me onto the show. The show focuses on the latest technology news with a view to seeing how it can be used for the greater good. It was a fun podcast and, typical of two Irishmen, we talked so much we ran over the allotted time for the podcast.

Anyway the podcast is available below. A big thank you to Tom for having me on the show.

ISACA Ireland 3rd Annual Conference

The Ireland chapter of ISACA, the global IT association that serves information systems audit, assurance, security, risk, privacy and governance professionals, is holding its annual conference in Dublin at Croke Park Conference Centre on 3rd October 2014. The event is entitled “GRC & Cyber Security Conference – Bringing the Silos Together”. Keynote speeches will be given by renowned cyber security experts such as:

  • Graham Cluley
  • Professor John Walker, chair of ISACA London’s Security Advisory Group
  • Amar Singh
  • Patrick Curry of the British Business Federation Authority

The one day event is open to ISACA members as well as non-members and talks given at the conference will cover issues in cyber security, privacy, audit & control, governance, risk and compliance.

“We are extremely pleased to announce the ISACA Ireland 2014 Annual Conference and build on the success of last year’s event,” said Neil Curran, president of the ISACA Ireland chapter. “After receiving an impressive response to our call for papers, we have produced a fantastic line up of talks from speakers all over the world covering risk, EU regulations, application security, APT, COBIT, securing the supply chain, third party risk management and much, much more. We are excited to bring the Irish information systems community together for this educational and great networking event.”

To find out more and to register for the event, please visit the registration page.

ISACA have kindly given a discount of 25% for readers of our blog. If you would like to avail of this discount let us know via the comments or by emailing [email protected]

For event sponsorship opportunities, please contact: [email protected]

Barclays: You’re So Vein You Probably Think This Authentication Is About You

Back in May I asked elsewhere whether your veins could provide an alternative means of verifying your identity at the cash point.

I concluded that, on the whole, the idea was sound though not entirely infallible.

Sure, the risk of having your fingers cut off by a cash thief was slim (assuming the thief realised that blood flow was a necessary element of the authenticating process), but hackers would not necessarily be completely flummoxed by new technology, as demonstrated by Barnaby Jack’s famous ‘jackpotting’ demonstration.

Indeed, in some countries such as Poland and Japan, the new technology has been in place for some time now so it is not surprising to me to learn that Barclays now plan to implement finger vein technology for some UK customers.

From next year corporate customers will be able to use Hitachi technology to access not their ATMs but their online bank accounts without a password, authentication code or chip and PIN reader.

The news has been welcomed by ex-head of payment security at Barclaycard Neira Jones, Independent Advisor & International Speaker – payments, risk, cybercrime, & digital innovation, who told me:

“It is not surprising that Barclays is looking to support innovative technologies for the authentication of corporate customers. This has traditionally been a space where particularly stringent (and often proprietary) technologies (e.g. hardware tokens) have been used to ensure the security and non-repudiation aspects of the transaction types associated with that customer segment. The use of biometrics is certainly a welcome one in that space and will definitely improve the customer experience as well as the safety of transactions.”

Adopters of Barclays’ chip and vein will merely need to place their finger in a scanner that connects to a PC via a USB cable. An infrared light then scans the inserted digit for blood vessels, which are then compared to a registered sample that has previously been stored on a smart card.

The scanner itself will be usable by more than one person but each user will need to have their sample data saved on their own card which will be added to the reader at the time of use. To set the card up, Barclays requires one digit to be registered, which it suggests should be the index finger. It also suggests registering a second finger as a backup which, presumably, is a fail-safe for the absent minded who lose the first one.

Michael Mueller, managing director, head of cash management of Barclays Corporate Banking said:

“Typically when you upgrade security you increase complexity. It’s so simple it doesn’t wow anyone, it’s just a very simple and also intuitive process for the customer. I think it opens up a whole range of opportunities for this, but also beyond this, and that is why we are so excited about using biometrics.”

Talking of simple solutions, the bank hasn’t completely ruled out the use of fingerprint scanners in the future either. Such technology is widely available on smartphones these days but isn’t that secure (think gelatin sweets), but Mueller suggested it may have a role to play in applications that require less stringent security.

Do you think this new implementation of biometrics is sound? Let us know via the comments.

Home Depot Investigates Breach. Slow Adoption Of Chip-And-Pin To Blame?

Another day, another breach.

This time it looks like US DIY chain Home Depot may have been compromised along with the possibility that customer credit and debit card data may have been snatched.

The possible breach was first reported by Brian Krebs who later updated his original post to suggest that the breach may extend back to April or May of this year.

The home improvement chain has subsequently revealed that it is investigating what it refers to as ‘suspicious activity’ and has also confirmed that it is working with “banking partners and law enforcement” as part of its own inquiry into what may have transpired.

Paula Drake, a U.S. spokesperson for Home Depot, said:

“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate. Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further.”

Krebs, who broke the Target data breach story last year, said that it was too early to say how many stores may have been affected but the fact that Home Depot has 2,200 outlets means that:

“This breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.”

If the breach is confirmed, Home Depot would be the latest, and possibly largest, retailer to suffer a loss of sensitive customer information, which may further alarm shoppers who are likely already concerned about the ability of large firms to keep their private data safe.

Krebs said that a number of banks became aware that the chain may have been breached after a massive new swathe of payment card data was made available on underground websites. He added that there are some indications that the alleged attackers in this case may be the same group of Russian and Ukrainian hackers that were responsible for the aforementioned Target breach, as well as other high profile compromises at P.F. Chang’s and Sally Beauty. The motivation for the attack, according to Krebs, could be some sort of protest against the US and Europe in the wake of sanctions levied against Russia following its moves into Ukraine.

Whilst data theft is likely to continue within the retail industry I am of the opinion that US firms are more at risk than others right now due to the slow adoption of the chip-and-pin system in America.

Until that system is fully integrated in the US, the fact that magnetic card strips are still scanned as part of the payment process makes them an easier target at the point of sale.

Or, as Ken Westin, security analyst at Tripwire, says:

“It’s safe to say that mega retailer point-of-sale data breaches are approaching the point of an epidemic. These breaches are having a significant impact on consumer trust and many of the retailers still do not fully comprehend the scope or origin of the breaches.

Organized criminal syndicates are actively targeting U.S. retailers simply because they’ve become lucrative targets; these groups take advantage of inherent vulnerabilities in payment architectures and applications, amongst other tactics, to get into these retail chains and siphon data off undetected.

Pretty much all of these retailers have been notified of potential fraud after the fact usually by fraud analysts at financial institutions who detect stolen credit card activity. They then map the activity back to specific retailers as the common point of origin.”

Responding To Computer Security Incidents

The following is an article I wrote for the Emergency Services Ireland Magazine:

Once the realm of IT security professionals, computer security is now an issue and concern for all business people. Recent high profile security breaches include those at eBay, which exposed over 140 million users’ details, the Target retail chain in the US, which resulted in 100 million credit card details of customers being stolen by criminals, and a US bank which lost over US $45 million within 24 hours. Nearer to home we have seen the Clare based Loyaltybuild company suffer a security breach late last year which exposed credit card details of customers, and earlier this month the news headlines highlighted how police disrupted a criminal gang’s virus network which they used to steal over $100 million.

In 2013 IRISSCERT, Ireland’s first Computer Emergency Response Team (www.iriss.ie), dealt with 5,800 security incidents impacting Irish businesses. This figure was up from 432 incidents in 2012. Many of these incidents involved companies’ websites being hijacked by criminals to serve out phishing websites or to infect computers visiting those sites with computer viruses.

Cyber crime is now big business and criminals are looking to steal information such as financial details, credit card information, personal details, or any other information which they can sell or trade. These criminals are becoming more and more sophisticated and employ many different methods of attacking companies’ computer networks.

As a result it is incumbent on every company and organisation to ensure its networks, systems, and data are secure. However, there is no such thing as 100% security, so proper preparation is also required in the event that the preventative measures don’t work and a security breach occurs.

Information security is only as effective as the response it generates. A structured response ensures that an incident is recognised early and dealt with in the most appropriate manner, and minimises damage to your organisation in terms of reputation, the cost of dealing with the incident, regulatory concerns such as Data Protection, and the ability to prosecute those behind the incident.

In order to implement an appropriate incident response, you should ensure the proper people and processes are involved and the most appropriate response developed based on the type of incident. Some incidents will simply require no response, others will require only an automated response, e.g. drop a connection to a blocked port on a firewall, whereas others will require a more complicated response involving personnel from various parts of the organisation and different levels of management.

It is important that you also ensure all personnel involved in responding to an incident are properly trained and versed in their responsibilities. If the skills are not available in-house then they should be sourced elsewhere. In addition you should make sure that all related policies and procedures are regularly tested and reviewed to ensure their effectiveness and applicability. You should also put in place a review process so that lessons are learnt from any incidents that require a response.

What response is required to an incident will depend on a mixture of business and technical drivers, as the type of response can impact on employee, customer, and public relations and may even have legal ramifications. It is therefore essential that clear, concise and accurate processes and procedures that have been approved by senior management are in place for all personnel to follow.

Remember you need to take into account that a large majority of incidents may happen outside office hours or when key personnel are not immediately available, so ensure your plans take this into account.

As with all emergency planning, you should also ensure that you have all the roles, responsibilities, policies, procedures, and tools in place before you suffer a security incident. The middle of a security breach is not the best time to be developing your plans. Care should be taken in your incident response processes and procedures to detail how to preserve and record all information and potential evidence relating to an incident in case a legal or civil case ensues.

Many incidents may simply require an automated response. For example, a known computer virus detected in a file could be automatically deleted by the anti-virus software and not require a further response. However, an attack against your organisation’s website will require a more measured response and may require the involvement of senior management to decide whether to shut the website down to minimise the damage, or to allow the attack to continue so that further evidence may be gathered in the event that a legal case is required.

To manage a security incident you need to establish your Incident Response Team. The Incident Response Team will be responsible for managing your organisation’s response to an incident and how the organisation interacts with third parties such as police, regulatory bodies, customers, employees and the media.

Your team should be made up of a number of people with knowledge and skills in different areas. It may be necessary for you to source certain skills externally to the organisation. For example, forensic gathering skills are not commonplace and are often better sourced from vendors who specialise in this area. If this is the case then you should have a formulated process in place to ensure that resource is available when required. The team should be multi-disciplined with input from various parts of the business. Naturally you will need expertise from people in IT Security and the IT teams; however, you will also need legal advice on how to proceed with the incident, and PR expertise to manage how your company should communicate with parties such as the media, staff, and the public.

Managing security incidents can be a major challenge for your team. On one hand you need to ensure that, while responding to the incident, you allow adequate time and resources for investigating it, while at the same time restoring the systems to operational status as soon as possible.

To this end there are a number of key phases in managing a security incident that you need to be prepared for. These are:

Containment

Containment involves limiting the scope and impact of the security incident, in particular to ensure that no other systems are compromised or sensitive data exposed to the attackers. Your Incident Response Team should decide on how best to contain an incident. This may involve shutting down a server or servers, disconnecting the compromised systems from the network, or indeed disconnecting the company from the Internet. Obviously the impact of the containment on the business needs to be balanced against the needs of the investigation team.

Eradication

Eradicating an incident entails identifying and removing the root cause of the information security incident. Simply restoring a system to operational status without identifying the root cause of the compromise may result in the information security incident recurring at a later stage.

To ensure the root cause has been identified and eradicated, and to also support any future criminal or civil court cases, you should ensure the following:

    • All relevant evidence should be gathered in a forensically sound manner by trained personnel using approved software and equipment.
    • All steps and actions taken by the team during the incident should be clearly documented.
    • All copies of original media and log files being investigated should be digitally signed and stored securely to prevent tampering.
    • All subsequent investigations should be conducted on verified copies of the original media and log files.
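One way to put the last two points into practice, as an added example that is not from the article: a signed evidence manifest taken at acquisition and checked before any analysis touches a working copy. To stay standard-library-only it uses HMAC-SHA256 with a constructed custodian key in place of a public-key signature; the file names, log lines and key are all constructed for this example.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed custodian key. In practice this would be a signing key held by the evidence
# custodian; an HMAC stands in for a digital signature to keep the example dependency-free.
CUSTODY_KEY = b"constructed-custodian-key-do-not-reuse"


def sha256_file(path):
    """Stream a file through SHA-256 so large images and logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body):
    # Deterministic serialisation so the same manifest always produces the same signature.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence_dir, collector, key=CUSTODY_KEY):
    """Acquisition step: hash every file under evidence_dir and sign the resulting manifest."""
    files = {}
    for root, _, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            files[os.path.relpath(path, evidence_dir)] = sha256_file(path)
    body = {"collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector, "files": files}
    return {"body": body, "signature": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_manifest(manifest, key=CUSTODY_KEY):
    """True only if the manifest body has not been altered since it was signed."""
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["signature"])


def verify_copy(manifest, working_dir, key=CUSTODY_KEY):
    """Check a working copy against the signed manifest before analysis begins.
    Returns a list of problems; an empty list means the copy is verified."""
    if not verify_manifest(manifest, key):
        return ["manifest signature invalid: do not trust these hashes"]
    problems = []
    for rel, digest in manifest["body"]["files"].items():
        path = os.path.join(working_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def demo():
    """Constructed scenario: acquire two files, verify a working copy, then detect tampering
    with both the copy and the manifest. Returns (clean, tampered, forged_manifest_accepted)."""
    with tempfile.TemporaryDirectory() as tmp:
        original, working = os.path.join(tmp, "original"), os.path.join(tmp, "working")
        os.makedirs(original)
        with open(os.path.join(original, "access.log"), "w") as f:
            f.write("2014-09-06T03:12:44Z 203.0.113.7 GET /admin 401\n")  # constructed log line
        with open(os.path.join(original, "notes.txt"), "w") as f:
            f.write("server taken offline 03:20 by on-call\n")  # constructed handling note
        manifest = build_manifest(original, collector="analyst-1")
        shutil.copytree(original, working)
        clean = verify_copy(manifest, working)
        # Someone appends a line to the working copy: the hash no longer matches.
        with open(os.path.join(working, "access.log"), "a") as f:
            f.write("2014-09-06T03:13:00Z 203.0.113.7 GET /admin 200\n")
        tampered = verify_copy(manifest, working)
        # Someone edits the manifest itself to match: the signature no longer verifies.
        forged = json.loads(json.dumps(manifest))
        forged["body"]["files"]["access.log"] = sha256_file(os.path.join(working, "access.log"))
        return clean, tampered, verify_manifest(forged)


if __name__ == "__main__":
    print(demo())
```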

Recovery

The recovery stage occurs when you are confident the incident is over and has been properly dealt with. The recovery stage means restoring systems to their normal operational status. This may require restoring systems from backups or system images, or reinstalling from known and certified original media. A key thing to remember is to make sure that your backup media is secure and that you have not previously backed up a computer virus, or any tools or system vulnerabilities that allowed the attackers to break into your system in the first place.

There is an old saying that “practice makes perfect” and this is especially so when it comes to incident response. In particular, security incidents by their nature should be rare, so it is important that you ensure regular training and exercises take place with your team so they are better prepared in the event of a real security incident. These exercises should be used to see where there are any weaknesses or areas for improvement in your incident response process.

You should consider running your exercises, be they desktop exercises, role playing, or full blown simulations, at various times to test the effectiveness of your incident response process at different times of the day. Remember that attacks can happen at any time, as those attacking your systems can be located anywhere in the world over the Internet. If an incident occurred at 3 a.m. on a Saturday morning, how many of your team would be available and, more to the point, effective? Or what would happen if the incident occurred during times that were inconvenient for key team members, such as during the morning school run or during the evening rush hour? Running these scenarios can identify where you may need to provide remote access for key personnel on the team or have alternative people available.

Subsequent to any information security incident, be that a live incident or a practice scenario, a thorough review of the incident should be conducted. The purpose of this review is to ensure that the steps taken during the incident were appropriate and to identify any areas that may need to be improved. Any recommended changes to policies and/or procedures should be documented and implemented as soon as possible.

In today’s interconnected world, with its high dependency on computers and networks, a security incident is no longer a case of “if it will happen” but rather “when it will happen”. Being prepared is key to ensuring you and your company can survive and respond to a security incident with confidence.