It’s hard to know what – indeed, whether – to post in the wake of the Paris attacks. I’d just come off the phone to a French client when the news broke, which made it feel all the more immediate and proximate. I wish we had a simple answer to this awful conflict; at the moment all the responses seem inevitably to lead to more deaths – some will be culpable and arguably deserved, but most will likely be innocent. I think we’d all rather see no more images of dead children, whatever their origins. That said, we can’t just roll over, so in the absence of a better option here’s hoping our military response is swift, well-targeted and effective.
The French response, in part, has been to encourage business as usual – #tousaubistro. So I suppose I should carry on writing drily critical copy about the usual run of security breaches. Forgive me if my heart’s not quite in it, though.
It’s certainly business as usual in the world of supply chain security failure. We heard last week about Niteworks, the MOD-affiliated business networking firm that had its membership database compromised. It’s being played down, but in the current climate I’d be taking the protection of current and former military personnel’s personal information rather seriously, wouldn’t you?
KPMG seem to agree with me that supply-chain security matters, although somewhat ironically they seem to think it’s mostly about large companies insisting on better security from their small suppliers. And why beholdest thou the mote that is in thy brother’s eye, but considerest not the beam that is in thine own eye?
As Black Friday approaches – probably not the best-chosen name ever – we’re reminded that the threat of credit-card-stealing malware remains ever-present, both at the retailer, infecting the tills, and on the consumer’s desktop. If you’re in retail, learn from TalkTalk and get someone to audit you now, before it all goes wrong. I should add, in fairness, that TalkTalk are now claiming they’d called in BAE before the hack. This just reinforces my point about their communications deficiencies, as well as making one wonder what, exactly, BAE had achieved – although perhaps they hadn’t had enough time to make a difference. Securing a business, especially a large one, is not the work of a moment.
There’s some interesting talk at the moment about the use of so-called “big data” to de-anonymise supposedly sterilised datasets. Releasing “anonymised” (or “de-identified” to use the unnecessary American neologism) data is quite common in healthcare and retail, amongst other places, so the news that it’s relatively easy to identify individuals in these datasets is disturbing – partly because we have to worry what will be done with the data, and partly because it may affect participation and data sharing in medical research, which is an essential component of effective science.
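The practical check before releasing a “sterilised” dataset is to measure how many records are unique on the fields that remain (postcode, birth year, sex and the like), because a unique combination can be matched against a public record such as the electoral roll. The example below is added here and is not from the post or any project it mentions; the records, the field names and the three quasi-identifiers are constructed. It computes k-anonymity (the size of the smallest group sharing a quasi-identifier combination), lists the uniquely identifiable rows, and shows that coarsening the fields alone does not always reach a target k, so the residual small groups still have to be suppressed.

```python
import re
from collections import Counter

# Constructed sample of an "anonymised" health extract: names removed, but
# postcode, birth year and sex left in. Assumed field names, not a real schema.
RECORDS = [
    {"postcode": "SW1A", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A", "birth_year": 1975, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "SW1A", "birth_year": 1978, "sex": "F", "diagnosis": "eczema"},
    {"postcode": "EC2R", "birth_year": 1960, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "EC2R", "birth_year": 1963, "sex": "M", "diagnosis": "gout"},
    {"postcode": "N1",   "birth_year": 1988, "sex": "M", "diagnosis": "hypertension"},
]

# Quasi-identifiers: fields that are not names but can be linked to other data.
QUASI = ("postcode", "birth_year", "sex")


def _key(record, quasi):
    return tuple(record[q] for q in quasi)


def equivalence_classes(records, quasi=QUASI):
    """Count how many records share each quasi-identifier combination."""
    return Counter(_key(r, quasi) for r in records)


def k_anonymity(records, quasi=QUASI):
    """k = size of the smallest equivalence class; k == 1 means someone is unique."""
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def unique_rows(records, quasi=QUASI):
    """Rows that are alone in their class: one public record re-identifies them."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[_key(r, quasi)] == 1]


def generalise(records):
    """Coarsen the quasi-identifiers: postcode area letters only, birth decade."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = re.match(r"[A-Z]+", r["postcode"]).group(0)
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


def suppress(records, k, quasi=QUASI):
    """Drop every row whose class is still smaller than k after generalisation."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[_key(r, quasi)] >= k]


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS), "unique rows =", len(unique_rows(RECORDS)))
    coarse = generalise(RECORDS)
    print("generalised k =", k_anonymity(coarse), "unique rows =", len(unique_rows(coarse)))
    released = suppress(coarse, 2)
    print("released rows =", len(released), "k =", k_anonymity(released))
```

On the constructed sample, four of the six raw rows are unique; coarsening merges most of them but leaves one singleton, which has to be suppressed before the extract meets even k = 2. Real releases use larger k and also watch the sensitive column (every member of a class sharing one diagnosis leaks it regardless of k), but the counting step is the same.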
Finally, in this slightly listicle-esque round-up of recent security news, we hear that there’s a new variant of Cryptolocker doing the rounds which acts as a kind of persistent threat – once installed, it transparently encrypts your backups for a while before revealing itself and demanding ransom. This stops you simply reverting to last night’s backup and telling the scammers to get stuffed. It’s frankly rather scary, since most such infections are carefully designed to avoid detection by common AV and anti-malware scanners. Defences against it include scanning for the files dropped by the infection, using decent ACLs to limit the potential damage from an infected user, checking daily that your backups are legible, using a decent intrusion detection system and – of course – better security awareness training.
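“Checking daily that your backups are legible” is worth automating, because the variant described above only works if nobody looks inside the backups until the ransom note appears. The script below is an added example, not code from the post or from any product it mentions; the backup file, its contents and the stand-in for encrypted output are constructed. It records a hash manifest at backup time (to be stored somewhere the backup host cannot overwrite), then on each check compares hashes, verifies magic bytes for archive types, and flags files that should be plain text but now have the near-maximal byte entropy typical of ciphertext.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# File types expected to be human-readable; once encrypted they show entropy
# close to 8 bits per byte. Compressed archives are legitimately high-entropy,
# so those are checked by magic bytes instead. Assumed lists, extend to taste.
PLAINTEXT_EXT = {".sql", ".csv", ".txt", ".log"}
MAGIC = {".gz": b"\x1f\x8b", ".zip": b"PK\x03\x04"}
ENTROPY_LIMIT = 7.5  # bits per byte; English text and SQL dumps sit well under 6


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte of the sample (0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(backup_dir):
    """Hash every file at backup time; keep the result off the backup host."""
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, backup_dir)] = sha256_file(path)
    return manifest


def check_backup(backup_dir, manifest):
    """Return (relative_path, problem) pairs; an empty list means the set looks healthy."""
    findings = []
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            findings.append((rel, "missing"))
            continue
        if sha256_file(path) != expected:
            findings.append((rel, "hash mismatch"))
        ext = os.path.splitext(rel)[1].lower()
        with open(path, "rb") as f:
            head = f.read(4096)
        if ext in MAGIC and not head.startswith(MAGIC[ext]):
            findings.append((rel, "bad magic bytes"))
        if ext in PLAINTEXT_EXT and shannon_entropy(head) > ENTROPY_LIMIT:
            findings.append((rel, "high entropy (encrypted?)"))
    return findings


def demo():
    """Constructed scenario: a healthy backup, then the same file silently replaced."""
    with tempfile.TemporaryDirectory() as d:
        sql = os.path.join(d, "db.sql")
        with open(sql, "w") as f:
            f.write("INSERT INTO users VALUES (1, 'alice');\n" * 50)
        manifest = build_manifest(d)
        healthy = check_backup(d, manifest)
        # Stand-in for ciphertext: deterministic pseudo-random bytes, not real malware output.
        junk = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
        with open(sql, "wb") as f:
            f.write(junk)
        after = check_backup(d, manifest)
    return healthy, after


if __name__ == "__main__":
    before, after = demo()
    print("healthy backup findings:", before)
    print("after silent encryption:", after)
```

The hash comparison catches any tampering, but only if the manifest itself is out of the attacker’s reach; the entropy and magic-byte checks are the fallback for when it is not, and they also catch a backup job that is faithfully copying already-encrypted files.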
That’s all for now. Vive la Republique!
Named for the first day of the year that retailers expect to move into profit – “into the black” – but every other date with this epithet is a bad one: “Black Wednesday”, “Black September”. Last Friday (also the 13th) probably has a better claim now, albeit “vendredi sombre”.