Author Archive: Callam McMillan

Ethics and Integrity in Security

If you follow my website, you’ll have seen that I haven’t posted in quite some time. Not because I haven’t wanted to, but because I have never quite managed to find the time with everything else I’ve been working on. One of those things is getting a company up and running. I’m proud to be the managing director of Willsley Ltd which is a really fancy way of saying that I have a side gig alongside my day job as the Information Security Manager at CAF. In previous articles I’ve talked about my personal philosophy of “Always assume the worst,…
Read more

Share

Phishing in Micro and Small Businesses

Of all the cyber risks a business will face, phishing (the act of social engineering through malicious emails) has to be one of the greatest. If you go looking for information about how to defend yourself or your organisation, there’s no shortage of good information on the Internet, but what if you’re a sole trader, or you only employ a couple of people? Suddenly there’s a lot less guidance, which doesn’t help when you’re now in the position of having to both be phish aware, and know what to do to defend yourself. Phishing fact and fiction Here are six…
Read more

Share

Getting value from threat intelligence

Whether you run a security function, manage systems, or perhaps run a organisation in its entirety, a key responsibility is being aware of threats to your organisation. If your company uses IT, then information security risks should be considered as one of the most critical to your organisation. Dealing with these risks requires you to know they exist, and this is where threat intelligence is used. However, if you’re not careful, you’ll be staring at a mountain of technical, potentially conflicting, and useless information that will do nothing to make your organisation more secure. Larger organisations that have IT departments,…
Read more

Share

More thoughts on the Easyjet breach

You can find a link to the initial article here Over a fortnight on from the public announcement that Easyjet had the details of 9 million customers lost, along with the payment card details of a further 2200, things haven’t been getting much better for the beleaguered airline. Of immediate priority is that they are now looking at a class-action lawsuit with a headline figure of £18 billion, or £2,000 per person that had their details stolen. Pragmatically the figure that end up being settled on will be much lower, but still significant, both in financial costs and as a…
Read more

Share

When security controls become theatre

If you go to the supermarket today, it’s highly likely that you’ll find yourself in a line, two metres apart leading up to a person with a counter that looks like they’d literally be anywhere else than stood at the door counting people in and out of the store. Once you’ve made it past this Gandalf-like character shouting you shall not pass! It’s straight into a labrynth of one way arrows, black and yellow tape, and people who look like they’ve been searching for the arrow that’ll take them to the checkouts since the end of March. Welcome to the…
Read more

Share

Making sense of the Easyjet breach

Upon seeing the news earlier today that the budget airline Easyjet had been breached, my reactions (in order) were “Woah”, followed by “Bloody hell”, and finally “Not this **** again!” 9 million affected users, of which over 2200 may have had their credit card credentials compromised. Obviously Easyjet have apologised; informed the ICO and police; and are in the process of contacting customers. To my mind, this sounds eerily familiar to the MageCart attack that compromised British Airways back in 2018, leading to the breach of up to 380,000 customer’s data including payment card details. Unfortunately for BA, just 22…
Read more

Share

An introduction to risk

I started this as a brief introduction, but in making sure I explained the fundamentals, I ended up writing pretty much a chapter of a book on Information Security. If you read this and you are saying “but you’re telling my stuff I already know”, lucky you! Risk management is one of the very first things I teach my junior analysts at the start of their careers; and it’s something you should ensure your stakeholders understand. By giving them an appreciation of risk and its management, you’re much more likely to be able to deliver your security messages effectively. You…
Read more

Share

Do you still own your perimeter?

Designing a company network to be secure isn’t that difficult: A firewall here; a DMZ there; some next-generation technologies liberally sprinkled around; and a set of policies to ensure that systems are built securely and operated securely. At which point, you kick back in your chair, and bask in the sea of green that are your security dashboards. Sorry, you’re not allowed to have it that easy, so here’s a pandemic for you to deal with; and by the way, all your staff will now be working from home for the foreseeable future. If your company issues all its staff…
Read more

Share

Why we need policy, even in a crisis

As the scale of the Covid-19 epidemic became clear in the opening months of 2020, governments around the world began considering draconian restrictions on everyday life in order to contain the spread of the virus and ultimately limit the death rate as a result of it. However, in countries with a mature and functioning democracy, this wasn’t just a knee jerk reaction, rather a legislative instrument that balanced the need to protect society with the need to protect individual freedoms. In the main, most western countries appear to have struck an appropriate balance. But what does this look like at…
Read more

Share

The Chinese spy-chip saga: One week on

Last week, the Financial news website Bloomberg released what could potentially be the biggest security related story in years. Evidence that the Chinese government were implanting so called “Spy Chips” on Supermicro motherboards intended for use in top American companies including Amazon, Apple, and the US government itself. In the hours and days following, Supermicro’s share price has fell by 40 percent; while Supermicro, Apple and Amazon have all issued vehement denials as to their alleged discovery of the chips embedded in the motherboards. Both The Register and Ars Technica produced excellent write ups of what was an bombshell revelation….
Read more

Share