1. Cyber Security and Incident Response
Blue Dragon has experience in incident response, investigation, vulnerability assessment and forensic investigative procedures.
Crisis response - setup of crisis team, procedures and crisis room
Investigation: forensic, OSINT and reputational
Web and network vulnerability assessments, penetration testing
Insider threat programmes
Security and threat assessments
Compliance consulting for China's Cybersecurity Law
Dealing with regulatory bodies on behalf of the client
Investigating cyber actors
Evaluating e-commerce platforms
Law-firm-specific cyber risks
2. Case studies
A HK company had a hacking issue and wanted to determine whether it was an inside actor or an external hacker. We conducted vulnerability assessments and penetration testing and found multiple vulnerabilities that a hacker could easily exploit. From the web logs and the modus operandi we further determined that an external IP address was the source of most of the malicious activity.
A HK company had a hacking issue involving a phishing scam in which clients were sent fake or amended bills. When we sent simulated invoices as bait for an external attacker, none of them were phished. We discovered an inside actor and were able to identify the actor through an examination of web logs, traffic and email header information.
3. Practical guidance
4. Password guidelines
Blue Dragon would like to notify clients that the general guidelines for password management have changed drastically in recent years.
The US National Institute of Standards and Technology (NIST) now recommends several changes to the previous approach to passwords. Notably:
No more periodic password changes. Periodic changes do not improve security; they make it worse, because they lead to passwords being written down, recycled, and reset more often. Each of these is a potential vulnerability.
No more imposed password complexity. Mixing letters, numbers and special characters does make a password harder to crack, since it enlarges the character set a brute-force attack must cover. However, if the rule drives user behaviour that puts the password at risk, or makes the password more likely to be forgotten, it is worse than a simple long password.
Mandatory validation of new passwords. New passwords should avoid the attacker's "low-hanging fruit": they should be checked against a list of common passwords that will be rejected, such as 12345678, qwerty, p@$$w0rd and so on.
These factors confirm several industry trends. First, people suffer from password fatigue from having to remember too many passwords; the more passwords there are, the more are forgotten or deliberately made simple, leading to behaviour that causes security breaches. Second, the move to two-factor or multi-factor authentication is shifting security away from reliance on passwords alone. Third, password management software may reach the point where it is reliable enough, and widely enough used, to reduce the problems caused by the limits of human memory.
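Added example, not Blue Dragon's code: a password acceptance check in Python that applies the three points above (no expiry logic, no composition rule, a mandatory check against a list of common passwords), with the older composition rule beside it for comparison. The blocklist, the leet-substitution table and the strings tested are constructed for this illustration; the minimum and maximum lengths follow NIST SP 800-63B.

```python
import re
import unicodedata

MIN_LENGTH = 8     # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64    # long passphrases must be allowed, not truncated

# Undo the usual leet substitutions so "p@$$w0rd" is caught as "password".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})

def normalise(pw: str) -> str:
    """Unicode NFKC, case-fold and strip leet spelling before comparison."""
    return unicodedata.normalize("NFKC", pw).casefold().translate(_LEET)

# Constructed sample of a common-password blocklist; a real deployment loads
# a large breached-password list. Stored normalised so lookups are consistent.
COMMON_PASSWORDS = {normalise(p) for p in (
    "12345678", "123456789", "qwerty", "qwertyuiop", "password", "password1",
    "p@$$w0rd", "p@ssw0rd", "letmein", "iloveyou", "welcome1", "abc12345",
)}

def check_password(pw: str, blocklist=COMMON_PASSWORDS, context_words=()):
    """Return the list of rejection reasons; an empty list means accepted.
    No composition rules and no expiry date: only length and known-bad checks."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    norm = normalise(pw)
    # Also catch blocklisted words padded with trailing digits or "!".
    if norm in blocklist or norm.rstrip("0123456789!") in blocklist:
        reasons.append("appears on the common-password blocklist")
    # Single repeated character, or a short unit repeated, e.g. "abcabcabc".
    if re.fullmatch(r"(.)\1*", norm) or re.fullmatch(r"(..+?)\1+", norm):
        reasons.append("repetitive characters or pattern")
    for word in context_words:  # e.g. username, company or service name
        if word and normalise(word) in norm:
            reasons.append(f"contains context word {word!r}")
    return reasons

def complexity_rule_accepts(pw: str) -> bool:
    """The older composition rule the text moves away from: it passes 'P@ssw0rd1'
    (which check_password rejects) and fails a long all-lowercase passphrase."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^\w\s]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)
```

Pass the username and organisation name as context_words so that passwords built from them are rejected as well.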
Date Created: 1 June 2017 | Date Modified: 17 December 2017 | Author: Dmitri M A Hubbard