Our weekly Cyber Flash Briefing round up of top open source news and ‘Cyber Tip Tuesday’ videos

Different Cyber Frameworks Explained, and why they matter - Cyber Tip Tuesday Video

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week Tony is talking about the different cyber frameworks and standards and their relative strengths and weaknesses.

If a firm were to try to think through, from scratch, everything it needs to cover for cyber and information security, it would take a long time and key components would very likely be missed. The hard work, or at least some of it, has been done for you through a number of different frameworks and standards which, to varying degrees, cover everything a firm needs to think about.

Phishing, Spear-Phishing, Whaling and Business Email Compromise (BEC) explained - Cyber Tip Tuesday

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week Bruce is talking about phishing emails, including Business Email Compromise (BEC).

Many of you will be familiar with receiving phishing emails that, for example, encourage you to click a link to unblock your PayPal account, or encourage you to respond to an urgent message.

Although you still see that type of email, it is being replaced by much more sophisticated versions that are addressed specifically to you. These encourage you, by name, to look at an attached document or to contact the sender for a private discussion.

If you open the attachment it will try to download malware, and if you reply to the sender you will be starting a correspondence that will likely lead to you being duped into some later harmful activity. These personalised emails are called spear phishing, and they have become more prevalent because the software to create them is easily available online, so they require less work by the attacker.

A variation of spear phishing is when the attacker targets the senior leadership of an organisation, because those targets have more valuable information on their computers and are likely to have more wealth to exploit. This is called whaling; again, these attacks take a bit more effort on the part of the attacker, but the rewards can be greater.

Another type of email attack is called Business Email Compromise, or BEC.

In this case, someone’s email account is broken into, and the attacker monitors the emails while the email owner is unaware. Then, at an opportune moment, the attacker will send an email to the victim with an instruction such as to use alternative bank account details for a payment. The payment goes straight to the attacker instead of the correct recipient, and the victim does not find out until it is too late.

You cannot rely on technology to stop these kinds of attacks.

You need strong people controls, where everyone should be suspicious of email and aware of the types of possible attacks.

The best thing to do is to contact the supposed sender of the email to ask them to confirm that they sent you that email before you open it. And if you are suspicious of an email from someone you do not know and you cannot contact them, then you might want to delete it; if it is a genuine email then the sender can contact you again.

If you'd like to know more about how you can protect yourself or your company, have a look at the information on our site, blackarrowcyber.com, and contact us to see how we can help you.

Is Just Purchasing Cyber Security Tools Enough? Cyber Tip Tuesday Video

Welcome to this week's Cyber Tip Tuesday - this week James talks about how purchasing security tools does not in itself increase security.

It’s fair to say that there are plenty of things you can do for little or no cost that will greatly decrease your attack surface or increase your security posture.

With the sheer number of products on offer promising a complete solution, it’s easy to fall into the trap of wanting a quick fix for security.

However, simply purchasing a product is unlikely to offer any benefit without appropriate configuration and, in many cases, the expertise to interpret its output.

A good example is Microsoft 365 which offers many passive security features as well as some of the most accessible and competitive security tools on the market for businesses of all sizes.

However, in order to take advantage of these features they must first be configured and then maintained and monitored with oversight by a security specialist.

Security is not a tool or even a collection of tools but a mindset of deliberate and regular actions.

If you'd like to know more about how you can protect yourself or your company, contact us today.

New Cyber Rules just released by the GFSC - and how Black Arrow can help you become compliant

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week Tony is talking about the new cyber rules that the GFSC has just released, which are now in force for regulated financial services firms in the Bailiwick.

The GFSC has now released the new cyber rules, and all regulated financial services firms will need to be able to demonstrate compliance with these new regulations.

The regulations are built around compliance or adherence to the internationally recognised NIST cyber security framework and the five pillars contained therein, being identify, protect, detect, respond and recover.

We can assist any firm by producing a gap analysis against the NIST standard, and therefore the GFSC rules, to identify any areas of non-compliance or areas where firms will need to bolster their existing security arrangements.

Remember that cyber and information security encompasses a lot more than just IT and requires a holistic approach across people, operations and technology.

Leaving this solely to your IT team or IT provider likely won’t provide the coverage the GFSC now expects from firms.

Remember too that a proactive approach should always be about preventing an attack or breach: many firms do not survive a significant cyber event, and for those that do, recovery invariably costs far more than it would have cost to put appropriate controls in place to prevent the breach happening in the first place.

Boards are expected to show good governance over cyber and information security as they would be expected to do with any older and longer established risks.

It is clear from the new rules that the GFSC also agrees that the responsibility for cyber and information security sits with Boards, not IT.

Talk to us today to see how we can help you demonstrate compliance or become compliant with the new GFSC cyber rules.

Is Just Purchasing Cyber Security Tools Enough? - Cyber Tip Tuesday

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week James is talking about how purchasing security tools does not in itself increase security.

It’s fair to say that there are plenty of things you can do for little or no cost that will greatly decrease your attack surface or increase your security posture. With the sheer number of products on offer promising a complete solution, it’s easy to fall into the trap of wanting a quick fix for security. However, simply purchasing a product is unlikely to offer any benefit without appropriate configuration and, in many cases, the expertise to interpret its output.

Cyber and Information Security is more than IT - Cyber Tip Tuesday

Cyber security and information security are not an IT issue. Sure, IT is a big part of it, but whether you have IT in-house or outsource it, cyber security extends far further than just sitting within IT.

You need to ask yourself whether your Board is able to make effective decisions about cyber security. Does it understand all of this? Is your Board educated in the different threats and the different countermeasures? What about your people controls?

Attackers very often go after your people as a weak entry point into your organisation, rather than trying to break in via your technical infrastructure. How well protected are your people? Do you have robust policies and procedures in place?

Many firms ignore the human layer, where the biggest vulnerabilities exist, and many firms are failing in exercising good governance over their cyber and information security risks.

We can help to make sure all of your bases are covered, not just your IT but your people and governance too, to help you defend your organisation against one of the biggest risks to your business. Contact us today.

The Board, not IT, is responsible for Cyber and Information Security

Welcome to this week's Black Arrow Cyber Tip Tuesday.

In our articles in Business Brief magazine and the Guernsey Press, we have consistently highlighted that the Board, not IT, is responsible for Cyber and Information Security.

The financial services regulators in the Channel Islands have also made that very clear.

The GFSC has warned that “Cyber and information security should be taken seriously by the Board and included along with more established risks within a firm’s overall strategy for risk management”.

And the JFSC has told businesses that “As a registered person, the Codes of Practice require you to understand and manage risks, including cyber-security risks, which could affect your business or customers”.

What is the CIA Triad? You've probably heard it mentioned, but what is it, and why do you need to know it? - Cyber Tip Tuesday video

What is the CIA Triad?

In any conversation relating to cyber or information security you may have heard reference to the 'CIA triad', but what exactly is it? And why do you need to know what it represents?

The Most Effective Phishing Lures - which ones will you fall for...?! Cyber Tip Tuesday video 15 September 2020

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week Tony is talking about the most effective phishing lures.

Which phishing email subject lines or hooks are users most likely to fall for?

Phishing emails often have a sense of urgency attached to them to get users to react without taking time to think or assess whether the email is genuine, but there are also subject lines that are more likely to trick users.

Anything where the user thinks they may be about to lose something they have earned or are entitled to can be effective: a change or reduction in pay or benefits, a reduction in holidays, or the loss of airmiles or hotel loyalty points.

Anything involving threats of criminal action, courts, or implying you will incur a cost or charge for not complying is also effective, especially when combined with the sense of urgency.

Make sure your users are aware of the most effective lures and are continually honing their ability to spot phishing emails with rolling testing.

Lessons from Charities and Upcoming Charities Workshop this Thursday

Welcome to this week's Black Arrow Cyber Tip Tuesday.

This week, Black Arrow will host a workshop on cyber security for charities. This is part of our pro-bono work with charities and the Guernsey Community Foundation.

As research, we have worked with a few charities to look at their main information and cyber security risks, and the solutions that they can implement either free of charge or at low cost.

We have seen that a charity is effectively a small business, where the team uses information that needs to be safeguarded. But a charity’s information can be very confidential where it relates to the health or private lives of its members.

The charity’s team, including employees and volunteers, might not be aware of information security or be at ease using technology. For example, employees and volunteers often receive sensitive information at home using their own computer, and then download it onto that computer and print it out to take with them when visiting the member.

There is sometimes no control over what happens to that sensitive printed document and how it is stored or disposed of.

Equally, the charity’s employees and volunteers need to be alert to the risks of using online technology and the tactics of criminals who try to get access to their computer and information.

At the workshop, we will be looking at these risks and ways to improve information and cyber security at no cost or low cost. For more information, visit the Guernsey Community Foundation website or our website blackarrowcyber.com. And contact us if you would like to be part of our pro-bono work.

If you are a charity and would like to attend Thursday's free workshop, email joni@foundation.gg to book your place.

Cyber and Information Security Lessons from the Titanic Disaster

On the day the Titanic sank, the crew received 7 iceberg warnings, yet such was the competition to make the crossing in 6 days that orders were given to maintain the speed of the ship, in the mistaken belief that they could carry on unaffected.

Now, if the crew had heeded the warnings to slow down, they would have stood a much better chance of avoiding the icebergs, and in particular, of course, the iceberg that led to their sinking.

That's not to say good security means you need to slow down.

Whilst not wishing to mix metaphors, brakes were not added to cars to make them go slower; quite the opposite: brakes were needed to allow cars to go faster.

Just maybe don't ignore the warnings in the belief that somehow you will remain unaffected as you sail your own ships through seas unfortunately filled with icebergs.

Contact us to see how we can help you steer your ships and stay safe as you do business in an increasingly connected world.
