Mike Gillespie will be speaking at IFSEC International about cyber security and cyber awareness from 19th - 21st June at ExCel, London. Click here to hear some of his thoughts as he discusses the biggest cyber-related problems and threats in the physical security supply chain ahead of the key event. To sign up for this event, click here.
By Smeeta Padhiar
Posted 8th June 2018
In Camera Systems, CCTV Security, cyber security, cyber threat, IT security, Mike Gillespie, Security, Surveillance camera, surveillance camera commissioner, Tony Porter
The Surveillance Camera Commissioner Buyers Toolkit has been launched. This toolkit has been introduced for any organisation that wants to maximise its chance of success and minimise the risk involved in buying a surveillance camera. From a cyber security perspective, we see it as a vital step forward in collaboration across physical and cyber areas, and we are proud to have been involved in this important guide.
Advent IM Director Mike Gillespie says, "I have been delighted to be involved in this project. It is great to be working with the Surveillance Camera Commissioner Tony Porter and his advisory panel, where cyber threat is both understood and prioritised. The buyers guide is an important step forward in the education of the end user of Surveillance Camera Systems, to ensure that they are capable and informed, that systems are fit for purpose and that they are left in, and maintained in, a safe and secure manner."
Click here to read the Surveillance Camera Commissioner Buyers Toolkit.
By Ellie Hurst
Posted 31st May 2018
In cyber security, data protection, education, GDPR, Infosec, schools
The wait is over and in the words of the .GOV website... The Data Protection Act updates our data protection laws for the digital age. It received Royal Assent on 23 May 2018.
All of the guidance documents are here. Don't forget you can always talk to us about any Data Protection or GDPR concerns you have as we can offer training as well as expert consultancy.
By Ellie Hurst
Posted 29th March 2018
In Cambridge Analytica, data breach, data protection, Facebook, GDPR, privacy, trust
So much has been written or compiled in the last few days about Cambridge Analytica and Facebook. Commentators in all fields have got a contribution; be that data privacy and protection professionals, security professionals, political commentators or any combination thereof. Whilst we don’t want to add to the morass of information in what is an increasingly convoluted and complex chain of events, we did think it might be an ideal time to take five minutes to think about the absolute failure to grasp what Facebook really is...
Facebook is a data broker. Now, don’t get me wrong, it is a useful and life enhancing tool for millions of people. But it, and the organisations it does business with, want to know everything about you. I know profiling is not new, or indeed unique to Facebook, but this level of voluntary transparency on behalf of users has been utterly mastered and perfected by Facebook. Its entire existence is based upon your acquiescence to this business model and every app that it supports must be ‘socially enabled’… So when people say, if the product is free, then you are the product, then it does actually apply to Facebook, however much you like the platform. In fact, Facebook is pretty much the poster child for this model.

So when Mark Zuckerberg says that he apologises because Facebook had a duty to protect the personal data of users, what he doesn’t say is he has a duty to protect the privacy of that data. A subtle but important difference, which I hope Facebook users will notice.

What has happened with the personal data of Facebook users used by Cambridge Analytica is not a data breach, it is a betrayal of trust which underlines an attitude we see often in businesses who think our personal information is theirs to do with as they please, as soon as they have it. In other words, they think that they own it. They don’t. And now the genie is out of the bottle and it’s blowing raspberries at our sense of outrage and anger at the sinister manipulation of our data. We can no longer turn a blind eye or pretend we were unaware that this was always a possibility, having been seduced by the free services.
Perhaps this will be a wakeup call for users of platforms that require invasive permissions. Perhaps the upcoming GDPR will underline to the public their rights to their own privacy and their absolute sovereignty over it and how it may be used, not to mention that they can withdraw that permission any time they choose…
By Ellie Hurst
Posted 15th March 2018
In botnet, cyber security, IoT, Mike Gillespie, mirai, physical security systems
Mike will be speaking at the Bolton Roadshow for Norbain. Hear some of his thoughts ahead of this key event in Norbain's video interview with him.
Sign up for this event here.
By Ellie Hurst
Posted 5th March 2018
In cyber attack, fileless, malware, PowerShell, Security, windows, WMI
From Del Brazil, Senior Security Consultant - Advent IM
Simply put, fileless malware is a very well-engineered piece of malware that is very difficult to detect as part of any post-incident analysis. It is designed to operate and survive in the memory of systems, so once a system is rebooted the malware should/could be removed. That sounds pretty easy to defeat, as normally rebooting a system would remove the malware; however, there are now versions that write an entry into the registry of the system, making the malware more persistent.
As with all computer software and hardware, there are always unknown vulnerabilities waiting to be exploited by attackers. The trick is finding the vulnerabilities before the attacker does and suitably addressing them to prevent an attack; however, more often than not a vulnerability is only discovered after an attack has taken place, and it then becomes a race to identify a solution and make it available to legitimate users before attackers conduct multiple attacks on various systems used by everyone and anyone.
A prime example of a fileless malware attack would be the one carried out on the Iranian nuclear facility by Stuxnet. The attack was directed towards Microsoft Windows machines using specific software, and once a certain set of parameters/measures was met the malware would unload its payload, causing damage to systems using Microsoft Windows etc.
Due to the lack of a file being stored on the target machine/system, any forensic examination would have to be carried out in a certain manner to ensure that any potential evidence is correctly retained, as following standard guidelines may erase useful evidential material or at least make it very difficult to recover.
For this reason alone, fileless malware is very attractive to would-be attackers, as it can leave little if any trace for standard digital investigative practices.
Attackers can develop/program malware to operate in PowerShell scripts, where they can execute hidden commands which may render the target machine/system defenceless or even allow unauthorised access to sensitive data.
So the big question is, how do we defeat fileless malware? There is no simple answer, but as usual we go back to some basic principles: systems (hardware/software) need to be updated and maintained in line with manufacturer’s requirements. This will not in any way guarantee to defeat a fileless malware attack, as generally speaking fileless attacks exploit as yet undiscovered/undisclosed vulnerabilities; however, educating users not to download, install, update or import files, software, images or any other form of file may reduce the likelihood of a piece of fileless malware being installed and/or executed.
Developers should also be required to use a sandbox environment to avoid any potential infection attacking a live system; this, coupled with enforcing the rule of least privilege, may reduce the possibility of an attack. Most importantly of all, ensure that the use of PowerShell or similar programs is strictly controlled and monitored for any unauthorised or unusual activity.
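One way to monitor for the registry persistence and PowerShell activity described above, shown as an added example that is not part of the original post: a triage routine over autorun values and process command lines. The record layout, finding names and sample data are constructed for illustration.

```python
import base64
import re

# Strings often present when script content is pulled into memory and executed.
IN_MEMORY = re.compile(r"\b(iex|invoke-expression|downloadstring|frombase64string)\b", re.I)

def _flag(token, full, extra=()):  # PowerShell accepts shortened flag names
    name = token.lstrip("-/").lower()
    return token.startswith(("-", "/")) and bool(name) and (full.startswith(name) or name in extra)

def triage(command):
    """Return (sorted findings, decoded script) for one command line."""
    tokens = command.split()  # simplification: no spaces in the executable path
    findings, decoded = set(), ""
    if tokens and re.search(r"powershell|pwsh", tokens[0], re.I):
        findings.add("powershell_launch")
        for tok, nxt in zip(tokens[1:], tokens[2:] + [""]):
            if nxt and _flag(tok, "encodedcommand", extra=("ec",)):
                findings.add("encoded_command")
                try:  # -EncodedCommand carries base64 of UTF-16LE text
                    decoded = base64.b64decode(nxt, validate=True).decode("utf-16-le")
                except ValueError:
                    findings.add("undecodable_payload")
            elif nxt and _flag(tok, "windowstyle") and "hidden".startswith(nxt.lower()):
                findings.add("hidden_window")
    if IN_MEMORY.search(command + " " + decoded):
        findings.add("in_memory_execution")
    return sorted(findings), decoded

def review(records):
    """Return {name: findings} for records that need an analyst's attention."""
    flagged = {}
    for rec in records:
        findings, _ = triage(rec["command"])
        if rec["source"] == "registry_run" and findings:
            findings.append("autorun_persistence")  # survives reboot via a Run value
        if set(findings) - {"powershell_launch"}:
            flagged[rec["name"]] = sorted(findings)
    return flagged

# Constructed sample data (not from the original post).
_ENC = base64.b64encode("Invoke-Expression 'Write-Output constructed'".encode("utf-16-le")).decode()
SAMPLE = [
    {"source": "registry_run", "name": "Updater", "command": r"C:\Vendor\updater.exe /background"},
    {"source": "registry_run", "name": "WinHelper", "command": "powershell.exe -NoProfile -w hidden -enc " + _ENC},
    {"source": "process", "name": "backup", "command": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    print(review(SAMPLE))
```

Decoding the payload before matching matters here: the in-memory execution hint in the sample is only visible once the base64 argument has been unpacked.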
By Ellie Hurst
Posted 23rd February 2018
In data protection, privacy, Question Time, Security, surveillance camera commissioner, Tony Porter
We attended this excellent event and have high hopes there will be more of this kind of frank and open debate in future.
From Tony Porter -
You never really know if an idea will work. Professor William Webster (Centre for Research Information Surveillance and Privacy) thought that if he "built it people would come". And they did – lots of people!
Delivering a commitment made as part of the National Surveillance Camera Strategy (Citizen Engagement strand) we took over a part of London School of Economics, ran a ‘Question Time’ themed event, packed the panel with high profile and compelling people and got the party started. A great turn out ensured a buzz reverberated around the room before the auditorium quietened and the panellists issued their opening position statements.
The debate started with a challenging question from the floor - should we have an integrated National CCTV network - harnessing crime, national security and critical national networks with the plethora of other cameras (state owned and private) as they seemingly do in the Middle East? Great question and it certainly got the energy flowing. Mick Barton (Chief Constable of Durham Constabulary) made the point that if that's where society is going he’d rather run a Gîte in France! The panel acknowledged that whilst there would arguably be law enforcement benefits in such an approach the balance between privacy and security would be shifted far too easily and too heavily in the wrong direction as well as being a significant step towards a dystopian society. (I précis!).
The debate moved quickly to incorporate subjects such as ANPR, police use of body worn videos, emerging surveillance technologies, an absence of a clear basis in law for their use, regulation, the NHS, domestic CCTV, inappropriate retention of custody images of innocent people by the state and questioned whether CCTV was actually any value to preventing crime. New surveillance technologies featured heavily and Silkie Carlo, Director of Big Brother Watch provided a passionate argument against the use of automated facial recognition cameras in society suggesting that there is no clear basis in law for what are essentially biometric checkpoints and referencing their "Face Off" campaign. Simon Israel (Senior Home Affairs Correspondent for Channel 4 News) focused the debate upon the impact of surveillance on the citizen and wider society.
We were grateful for Lord Brian Paddick's presence. He illuminated the room with insights into the passage of the new Data Protection Bill, how GDPR will influence all manner of data processing and also focused on issues of divergence between member European States. We managed to hold onto him for the totality of the debate as he was required back at the House at the end of the event - great effort.
Finally me - I participated but more importantly I listened. The most important aspect of the evening was to understand the views from the floor, and they were many and varied. I do have access to government and it's important I use that access to influence from a considered and informed perspective. My thanks go to all the panel members, to Professor Webster and to Professor Fussey who facilitated the event and to Mike Gillespie and his team for managing my twitter feed. Most importantly I thank those people who gave up their time and turned up to make up the audience and make the event such a positive experience. A great night and great initial feedback.
The Surveillance Camera Commissioner's original blog post here.
By Ellie Hurst
Posted 15th February 2018
In cctv, surveillance camera commissioner, Tony Porter, video surveillance
The Surveillance Camera Commissioner, Tony Porter, is taking part in an important Question Time-style event next week. If you want to find out more and how to book your FREE place, please go to the Commissioner's blog.