InfoSec pros don't like Fridays

Data breaches are always big news, and they’ve certainly attracted attention over the last couple of weeks.

But even though the TalkTalk saga appears to be far from over, some people have been able to step away from that and publish other interesting stories over the last 7 days.

So, featured below, is a choice selection of recent security articles that will give you useful advice, open your eyes to how some firms do business and give you an insight into when attackers choose to strike.

1. IoT – no fridge is an island

Governance, risk management and compliance expert Sarah Clarke took a different approach to the Internet of Things last week.

With the ‘things’ often derided as being the problem, Sarah twists it around and instead points to the security baked into IoT. Or rather the lack of it.

Citing an excellent LinkedIn post by Dave Waterson, she discusses a scenario in which someone has their bank account compromised following a rogue update for a network-enabled fridge.

It may sound like a far-fetched impossibility – Sarah herself mentions the FUD (fear, uncertainty and doubt) problem – but it is not entirely implausible.

And that’s why basic security remains important, whether you are using a desktop PC to surf the internet, or checking supermarket recipe ideas via an app in your refrigerator.

As Sarah says, the following can all help to make the IoT a useful addition to our lives rather than a security disaster waiting to happen:

2. Phishy, phishy, phish

Last week, writing for the IT Governance blog, Stuart Winter-Tear delved into spear phishing.

If you don’t already know, spear phishing is like regular phishing, except for the fact that it is tailored towards you.

As Stuart writes, when technical hacking against a well-defended target proves tricky, hacking the people within the organisation can prove to be a much more successful alternative means of gaining entry.

So, as ever, be careful what you click on, and remember that personally addressed emails that pull on your emotional triggers should be viewed with a healthy dose of scepticism.

3. Knowledge doesn’t equal understanding

Security video blogger extraordinaire Javvad Malik recently wrote about benefiting from a bad situation.

Featuring an extremely interesting video (not created by himself for once) about a back-to-front bicycle, Javvad explained how negative situations could often presented as a benefit to someone, somewhere.

Giving examples such as smoking and the healthcare industry, as well as the oft-peddled – but quite wrong – feeling that the antivirus industry is in some way responsible for creating most of the world’s malware, he uses his post to highlight how bad news has, in some ways, become synonymous with the security industry.

Taking FireEye as an example, Javvad said:

“I find it disturbing that FireEye CEO Dave DeWalt indicated that the company’s disappointing results, which saw stock prices tumble nearly 25%, on a lack of Chinese hackers.”

As Javvad says, this line is unfortunate as it takes the security industry and paints a picture that looks very different to the one we’d like to see.

Instead of representing the security business as a defender of information and enabler of business it does instead, according to Javvad, say that:

“the security industry is grateful and profits from the actions of malicious hackers and that a drop in ‘nation state hacking’ is bad for business.”

That’s not the message Javvad wants to see sent out and I’m in complete agreement with that.

4. I don’t like Fridays

While the Boomtown Rats disliked Mondays, and The Bangles simply found them manic, most InfoSec professionals should be far more wary of Fridays, according to SC Magazine’s Community Manager Roi Perez.

Citing security firm Cyren, Perez confirmed that Monday was the day when most threats and breaches came to light – but it was in fact the beginning of the weekend that saw the most malicious behaviour.

Why is that?

Because cyber criminals ramp up their efforts on a Friday, knowing full well that many employees are less well protected over the weekend as they connect to unprotected networks away from the office.

Moral of the story?

If you do take work away from the office, don’t forget your security awareness training. Be aware of the networks you are connecting to, the people around you, the links you are clicking on and the email attachments you may be tempted to open.