Thursday, 13 August 2015

Infosec? What Country Is That?

By Alina Stancu (Marketing Coordinator, Titania)

About the Author

In this comparative article, Alina Stancu, Marketing Coordinator at Titania, talks about the struggles of discussing information security with outsiders and the similarities she experiences when discussing her country of origin, Romania. Alina joined Titania whilst completing her final year studying Advertising, Marketing and Public Relations at the University of Worcester. Alina has since become a valued member of the marketing team and during her time at Titania has developed an enviable amount of knowledge about the industry and the importance of cyber security.

I am familiar with the pains of discussing information security with “outsiders”, thanks to my Romanian origins. Explaining my country to non-Romanians is not much different to talking to non-technical people about security. Everyone has a vague idea of what it is, everyone knows a couple of standard stereotypes (thank you, Hollywood!), everyone has some expectations of what its inhabitants should look like.

Note: All the questions below have been posed to the author at one point or another, by various friends, acquaintances, strangers on the bus. You always start the conversation with the premise that no one will know what you are talking about, so you must accommodate the interlocutor and provide some context about the information security industry, clarify it’s a self-standing profession, and not to be confused with the more generic IT-support.

Interlocutor 1: So, is Romania a part of Russia?

Alina: No. Part of the former eastern European communist bloc of countries, but that ended in 1989, with the revolution. We’ve been aboard a merry democratic transition ever since…

Interlocutor 1: Ah… so it was part of Russia?

Alina: No

Interlocutor 1: I don’t get it. Sorry, I wasn’t very good at Geography. To be honest I don’t know much about Romania. It’s one of those places that you know they exist, but you don’t really hear much about.

Alina: That’s ok. It wasn’t ever part of Russia. We have lost Moldova (which is occupied by Romanians) to Russia, but Romania was never assimilated.

Interlocutor 1: Is it civilised? Do you have normal amenities?

Alina: What’s a normal amenity?

Interlocutor 1: Don’t know… electricity?

Alina: Mhm. We kinda need it. For, you know, essential living arrangements… like heating, lighting, Internet. Don’t get me wrong, we like living in caves heated by fire, as much as the next guy, but once in a while the iPad runs out of power.


Then, the dialogue seems to get a little more on track as people start recalling some names, or stories they may have read in the news. Hacking stories are not necessarily the most high-profile, but they do manage to draw some interest, awe or fear. Hollywood does drive some form of cyber awareness, at least. Problem is Hollywood also has a knack for exaggerating.

Interlocutor 2: Ah! Romania… I remember… Ceausescu. And that vampire… Dracula, right? He was some kind of a leader or king in your country, wasn’t he? Was he really a vampire?

Alina: Leader, yes. Vampire, not quite. Hollywood hasn’t got a great track record with sticking to facts and accuracy.


Then follow the natural confusions between the bad guys (cyber criminals) and the good guys (ethical hackers). Conveying that not all hacking is bad hacking, and explaining that there is an actual need for ethical hackers (or penetration testers) to use their knowledge for good, is always a challenge.

Interlocutor 3: I read that there are lots of Romanians begging on streets, in many European countries. Doesn’t make your people look very good. You see them in the news. I have to say it is a bit worrying.

Alina: Only a small proportion of the ones reported in media are actually Romanian. However, semantics, misleading information and lack of interest result in a wide-spread confusion outside of Romania’s borders.

Altogether, we have good and bad just like anywhere else, but when you’re an immigrant, you get scrutinised under a microscope. Social issues get magnified to suit political agendas, and you find yourself in a very generic box with the label “dangerous” attached to your forehead.


Next, you explain the language. The technological lexicon can put off even the most patient, well-intentioned ear. Most of the lack of interest towards cybersecurity stems from the intrinsically discombobulating vernacular attached to the industry. All the while, the more popular siblings such as mobile apps, web clients and social media have entered the colloquial jargon thanks to their necessary integration into people’s professional and social lives. You would be hard pressed today, for example, to find people who do not know what Microsoft Office is, or how to operate Skype.

Interlocutor 4: What kind of language do you speak in your country?

Alina: Romanian

Interlocutor 4: Is it like Russian, Polish? It sounds a little like it.

Alina: Haha! More like Spanish and Italian rather. Romania is part of the countries speaking Romance (or Latin) languages.

Interlocutor 4: What did you say it’s called?

Alina: Romanian

Interlocutor 4: I don’t believe you.

Alina: …


Finally, gently break the expectations of what the information security professional should look like. These particular stereotypes are a direct result of the media portrayal of “geeks” as socially awkward people, mostly men (which in turn reflects the gender imbalance the industry deals with), who have little else in their lives aside from computers and gizmos. Is it any wonder that future generations may not want to be associated with these negative portrayals?

Interlocutor 5 (knowledgeable in ethnic physiognomy): I like Romanian girls. You don’t really look Romanian.

Alina: What does a Romanian look like?

Interlocutor 5: More blonde, with paler skin… I mean you obviously have a light skin, but you are not blonde, are you?

Alina: No. Neither is a large proportion of my co-nationals. But go on, what else should a Romanian look like?

Interlocutor 5: Don’t know, but they are usually very pretty.

Alina leaves pondering over her national identity… and over her hair colour.


Much like a state, the information security industry has a different language, interesting people, its own pet hates, achievements, heroes and villains. That is not to say that it should remain marginalised and isolated from the rest of society. Ignoring computer security is no longer a choice anyone can afford to make.

A country’s need for tourism, foreign policy and defence drives the national brand marketing. For an industry, bridging the communication gap means patience, cutting through the jargon and breaking stereotypes through education.

There is another problem that plagues the industry, and that is the “tired professional”: the IT professionals who, after many years spent working with IT illiterates, have got fed up with explaining and prefer to keep the strangers outside. Putting this in the same perspective of encountering people from all over the world, should you stop explaining to people where you come from just because they don’t know? Should they stop explaining to you about things you don’t know? Is there any point in harvesting knowledge, if it can’t be shared with others?

Tuesday, 11 August 2015

Network Security Is In The Details

Article originally published in Today's CIO

By Ian Whiting (CEO, Titania)

About the Author

Ian has been working with leading global organisations and government agencies to help improve computer security for more than a decade. He has previously been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve.

There are a great many security lessons hidden in the plots and sub-plots of Star Wars – data security, hackers-for-hire, user error etc. However, what better suits the information security industry than the striking moment that saw the Death Star exploding into glittery stardust? A chain of vulnerabilities and risk mismanagement ultimately led to the unthinkable: the destruction of the Empire’s superweapon due to an exhaust vent vulnerability.

There is a case to be made that network security lies in the detail, especially with the rise of the advanced persistent threat and the development of cyberespionage worldwide. Criminals acting in the virtual space have long renounced the generic approach and have instead adopted a highly targeted crime deployment. Security measures must come to reflect this shift. For this, Star Wars shows us how attention to detail can be equally applied to your organisation for a more efficient defence of the network.

Advanced persistent threat: operation “Death Star”

The Death Star was an impressive military and political superweapon designed to annihilate entire planets. Yet in spite of its mightiness, the Death Star’s defence was surprisingly vulnerable to attacks – one small weakness led to a devastating end result. An assessment of its vulnerabilities was long overdue and it might have been a chance to rewrite Star Wars history.

1. Network reconnaissance

Rebel spies led by Princess Leia manage to get possession of the Death Star’s plans, but their ship falls to the Imperial forces. Leia alone cannot analyse the information she retrieved. Instead she finds a way of transmitting the data back to her father’s home planet of Alderaan for further investigation, by storing the plans in the memory of R2-D2.

At this stage, Leia is captured by the Empire. For the time being, the Empire is unaware of the purpose of Leia’s mission. The princess insists they are there on a diplomatic mission.

Malware with backdoor capabilities can infiltrate a network and remain undetected for years, while leaking information. For example, SEDNIT infectors in Operation Pawn Storm contained mainly backdoors designed to steal system information and send it to remote C&C servers.

Another example is the highly modular Snake (aka Uroburos) operation, in which the rootkit appears to have gone undiscovered for at least 3 years, helped by its ability to hibernate for a number of days, which made it untraceable even to professional eyes.

2. Outsourcing – “Hacking-as-a-Service”

Leia’s stolen plans reach the hands of Luke and Obi-Wan Kenobi who decide they must follow Leia’s instructions and reach Alderaan. Luke and Obi-Wan need extra assistance so they contract the services of mercenary Han Solo, who can transport them on his ship, the Millennium Falcon.

A coordinated cyberattack can involve multiple actors, each accomplishing various roles along the way. The underground forums of criminal activity are rife with hackers of various skills and knowledge who offer their services. Off-the-shelf tools are also popular, either on a one-off basis or as a contractual service, including updating and maintenance work. Silver Spaniel, uncovered in 2014, was a relatively simplistic campaign which did not build any software, but outsourced commodity tools available on hacking forums instead. The attack required little technical skill, yet it provided scam artists with a prosperous business.

3. Response SIEM – quarantine and counter-attack

The Millennium Falcon has to re-route, in order to reach the rebel base Yavin 4, as Alderaan was destroyed by Grand Moff Tarkin in a demonstration of the Death Star’s capabilities. However, the Millennium Falcon gets captured by the Star’s tractor beam and brought into its hangar bay. When escaping, the ship manages to evade the Death Star, but at this point it carries a tracking device which enables Tarkin and Darth Vader to monitor them all the way back to Yavin 4.

Network defence approaches focused on threat identification and event management (SIEM) would at this stage identify a breach and trigger security alerts. An alert system would provide the CISO with the choice of further monitoring or ignoring the threat. We see that Tarkin and Vader choose to monitor the Falcon and track it back to base. Yet, without a comprehensive risk management view of the Death Star’s vulnerabilities, they ignore the possibility that the rebels would “dare” target the core of the Star and fail to secure the ports.

4. The attack vector

The Falcon finally reaches its destination and they hand the plans over for analysis. The examination reveals a vulnerability in the exhaust port that connects to the station’s main reactor. Once the weakness is identified, an attack mission is set up and Luke joins the assault squadron.

In 2014, The Mask (El Careto) was revealed as one of the “elite” APTs. Its deployment against carefully selected targets included monitoring infrastructure, shutting down operations, avoiding detection by wiping log files instead of deleting them, and others. Its purpose was cyberespionage, but the attack vector was a combination of social engineering and rare exploits for Java, Chrome, Firefox and other browsers.

Campaigns like The Mask show us that the wide range of tools and the extensive pre-planning work conducted before setting up the attack vector remain the most unpredictable part of the threat. Security and risk managers are often unaware of the “open ports” and struggle to discern between critical and minor threats.

An auditing process with clear flags for threat level is the only way to ensure that malicious actors do not achieve a more efficient assessment of your network than you.

5. Exploit

After a number of battles, Luke, assisted by the Force and under Obi-Wan’s spiritual advice, is able to fire proton torpedoes into a small thermal exhaust port along the Death Star’s equatorial trench. This leads to the memorable image of the Death Star exploding into space.

The BlackPOS family that ultimately led to the breach at Target is a good example of the destructive effects that an undetected vulnerability can have on the security of a network, and finally on the reputation of an organisation. It is now known that the BlackPOS campaign operated through 3 different strains of malware, all following a similar behaviour: infiltration, memory scraping and exfiltration.

Target did have a security team in place to monitor its systems around the clock. Hackers managed to avoid detection while setting up their malware, but when they proceeded to the final stage – uploading the exfiltration malware – alerts went off in Target’s security department and then… nothing happened. The alarm was triggered early enough, before any data got leaked, yet the security operations centre chose to ignore it at that stage. The reasoning has never been disclosed.

As we see earlier in the film, despite being aware of the thermal exhaust port, the Empire had decidedly not taken steps to secure it. The reasoning can be inferred from their conversations: too insignificant and too dangerous for the rebels to target it.

There is an important point to make here: regardless of a network’s security system and even quarantine or counter-attack measures, there is also a great need for a healthy auditing practice, in order to identify your weaknesses before attackers get the chance to exploit them. The final facilitator that led Princess Leia and then Luke Skywalker to succeed in their mission was the Empire having failed to design a correct risk management framework.

The accounts of many breaches provide sobering lessons in how organisations can have wide-ranging “big picture, big budget” defences but leave vulnerabilities in everyday housekeeping. With the Death Star it was an exhaust vent; with your organisation it might be an out-of-date firewall, or a default password that had not been reviewed during your last pen-test. Monitoring the details can make the difference between a secure empire and an embarrassing and very public explosion.

The words of General Dodonna, upon analysing the smuggled plans, can be the words of any hacker assessing the entry points of your network: “Well, the Empire doesn’t consider a small one-man fighter to be any threat, or they’d have a tighter defence.”

Thursday, 4 December 2014

Three Times a Winner in Three Weeks

Titania is proud to announce some impressive recent weeks which brought the company multiple awards and recognitions, in the cybersecurity industry, as well as in a business context. The company won at the Risk Management Awards, Birmingham Post Business Awards and the British Chamber of Commerce Awards all within a few weeks.

Risk Management Awards - Cyber Security Initiative of the Year

Amid the official inauguration of our office, where we welcomed Rt Hon Francis Maude at our new headquarters in Worcester, we have also won at the Risk Management Awards, in the “Cyber Security Initiative of the Year” category for our Nipper Studio auditing tool.

Andy Williams, Head of CyberConnect at techUK and consultant for Titania proudly picked up the award at the black tie ceremony organised by the Continuity Insurance & Risk Magazine.  The evening was hosted by Chris Barrie (who you may remember as Arnold Rimmer in the popular British series “Red Dwarf”).

Andy Williams, Head of CyberConnect UK, collects the Cyber Security Initiative of the Year award for Titania

Birmingham Post Awards - Export


Award season had not quite finished for Titania. 

The company’s Marketing team was honoured to attend the Birmingham Post Awards, after being shortlisted in the Export Category.  The ceremony was attended by over 750 business delegates and included Shadow Chancellor Rt Hon Ed Balls MP as a guest speaker, Lord Mayor of Birmingham, Shafique Shah and comedian Lee Hurst, who provided the entertainment for the evening. 

Rt Hon Ed Balls MP opens the Birmingham Post Awards ceremony with a keynote speech

With export activities conducted in more than 60 countries and an overseas customer base of around 90%, Titania was declared a winner. Sadly we had to leave early, in order to catch a train, so we did not get to collect our award, but luckily Paul Kehoe, CEO of Birmingham Airport (which kindly sponsored the Export category) collected it for us!

Paul Kehoe, Birmingham Airport CEO, displays Titania's award in the Export category

British Chamber of Commerce Awards - Small Business of the Year

The prestigious venue hosting the Chamber Awards 2014: Tower of London

Next up came the British Chamber of Commerce Awards at the Tower of London, where we were shortlisted in the category “Small Business of the Year”.

The competition was very tight with 8 other excellent small businesses shortlisted in the same category…

… and we won! For a second consecutive night we were returning home with an award. 

The Chamber Awards winners on stage

Proud owners of Titania, Ian & Nicola Whiting, display the title of "Small Business of the Year" 

Our Sales & Marketing Manager, Ruth Inglis, took the opportunity to take a quick selfie with the host of the awards and Sky Sports presenter, Georgie Thompson

All the awards we have won in the past couple of weeks, as well as in recent years are proudly on display for staff and employees, in the reception hall of our offices. 

Titania's testimonial of excellency: the awards cabinet

Finally, as a team-effort achievement, we are also proud to announce we have recently acquired Level 2 accreditation in the Worcestershire Works Well scheme. Shelley Gunnell, HR Manager, comments for Worcester News: “Titania is incredibly proud to be the first SME to reach Level Two of the Worcestershire Works Well accreditation. We hope that we have inspired other local SMEs to take the first steps towards fostering an environment that encourages health and wellbeing in the workplace. We would like to thank Worcestershire Works Well for its continued support, as well as our growing Titania Team who helped make this happen.”

Titania receives certification for improving well being in the workplace