Monthly Archive April 2017

Data protection – the gap widens across the Atlantic

Data protection is a global issue, yet it is being approached in very different ways on either side of the Atlantic. While Europe and Britain will embrace the more stringent rules of the General Data Protection Regulation (GDPR) from May 2018, the situation in the USA is going the other way. On 3rd April President Trump signed a resolution repealing the broadband privacy rules adopted by the FCC before they could take effect. Without those rules, ISPs are free to collect and use all but the most sensitive personal information about their customers. Much of this personal data is likely to be harvested and sold to digital advertisers.

While the global super power Google already grows its business through targeted online advertising, this opens up the practice in the US to a host of other players in the ISP market. Its advocates say that this availability of data helps advertisers to target consumers more effectively, and so helps consumers to make better decisions. Its detractors see it very differently.

Whatever your view, Personal Information Management Services (PIMS) are already huge revenue generators, and not just in the United States. One study estimates the UK PIMS market to be currently worth £16.5 billion. But from this point on the paths diverge and, when it comes to the future of personal data protection, it appears that the differentiator will be regional legislation.

The change in the US, with its permissive approach to personal data, will open up the PIMS market and with it many associated problems. It seems likely that this will create a need for privacy-enhancing tools and services. In Europe, on the other hand, the legislative environment under the GDPR may drive online advertising businesses to invest in new models which create value from personal data in lawful ways. There is little that can be done to prevent opportunism in the world of PIMS and digital advertising, but the American model is fraught with problems and risks, both financial and ethical. We in the UK should be grateful for the very different approach mandated by the GDPR.

When the GDPR comes into effect, UK companies will be legally obliged to observe new procedures and take even greater responsibility for how they collect, share and use consumers’ data. Some businesses will complain that the new regulation is burdensome and bureaucratic, but they are wrong. Those who shirk it will certainly feel some pain, as enforcement will be strict and the fines severe. Many, though, will embrace it as an opportunity and a competitive differentiator. If in any doubt, the complainers need only keep an eye on how the permissive approach plays out across the Atlantic.

SRM has operated in the data security environment for many years. With a wide range of knowledge and practical experience, our consultants are ready to help you understand the risks to your information and manage them effectively. Our specialist team provides a full portfolio of services, including data protection, and can help companies be better prepared for GDPR compliance when it comes into effect next year.

GDPR – The General Data Protection Regulation

The uncertainty of Brexit, the certainty of GDPR and the responsibilities of the CISO

If Brexit means Brexit, what does GDPR mean?

A data breach damages more than your reputation

Being known as the source of the largest data breach in history is probably not how Yahoo would like to be remembered. The reputations of eBay, LinkedIn, MySpace, TalkTalk and Ashley Madison also took a hit in recent years. Yet these high-profile cases are just the tip of the iceberg. A new survey by the British Chambers of Commerce (BCC) reveals that 42 per cent of big businesses have been the victim of cybercrime. The figure for smaller companies is lower, at 18 per cent, which probably reflects the current priorities of attackers.

No one should be complacent, however. In the BCC survey only 24 per cent of the businesses questioned, regardless of size, said they had security measures in place, which means that three quarters reported no formal defence against a data breach. The impact of a breach, even on a smaller company, cannot be overstated. Even more worrying is the fact that the vast majority of companies that have suffered a data breach were not aware of it until they were notified by their customers or by industry bodies.

Adam Marshall of the BCC says ‘cyber attacks risk companies’ finances, confidence and reputation, with victims reporting not only monetary losses, but costs from disruption to their business and productivity’.

We know this to be the case. But while a Government spokesman has used the BCC report to advise companies to take advantage of its Cyber Essentials scheme to protect against attacks, we do not believe this goes far enough. Cyber Essentials certification is certainly a useful starting point, and is now a requirement for suppliers bidding for certain Government contracts. But the rules for the protection of customer data will become significantly stricter with the arrival of the General Data Protection Regulation in May 2018. And, besides, protection is not just about compliance; it is about having a robust defence in place as well as a considered strategy to minimise the impact of any breach that does occur.

This is where we come in. When a data breach involves payment card data, the card brands and the acquiring bank require a PCI Forensic Investigator (PFI) to establish what happened, how the data was exposed and what must be done to contain it. At SRM we are one of a handful of companies in the UK approved by the PCI Security Standards Council to carry out these investigations. But we also offer a bespoke Retained Forensic service, which uses this expertise to proactively examine systems before an attack occurs. In this way, organisations can use our Data Forensic Investigations team to meet compliance requirements and also to build robust defences and test them in a controlled manner, before the worst actually happens.

We do not recommend services or tools you do not need, preferring to use our extensive experience and understanding of the online retail world to set up a targeted plan of action and remediation which will keep your business compliant and as secure as it is possible to be. Given the persistence and resourcefulness of attackers, no system can be made immune to compromise. With a robust plan in place, however, remedial action will be swift, minimising financial and reputational damage. Demonstrating a proactive approach to protecting your customers’ data also puts you in a stronger position when dealing with acquiring banks or any other regulatory authorities.

Cyber Essentials

PCI PFI

How to protect your business from account data compromise (ADC)

All too often, the first a business knows that its systems have been breached is a call from its acquiring bank: the card brands’ fraud analysis has identified it as the common point of purchase (CPP) for a set of cards subsequently used fraudulently. It is a conversation every business owner dreads.

The repercussions are serious. The acquirer will require a mandatory investigation by a PCI Forensic Investigator (PFI), which the merchant must pay for. The breach must be contained and the security failure that allowed it analysed. If the merchant is found to have been non-compliant, significant penalties may follow, on top of the damage to the company’s bottom line and its reputation. So what can be done to detect a breach at its earliest stage or, better still, prevent one from occurring?

What are the indications of an Account Data Compromise?

Sometimes it is obvious: a key-logger or a card-skimming device is found. More often, because attackers are careful to stay hidden, the sign is a subtle change in activity which is easily overlooked by the business until it is too late. Examples include:

  • Unexpected internet connections: from non-business-related IP addresses, or from countries the business has no dealings with;
  • Logins by unknown or inactive user IDs, or an unusual level of activity from a recognised user ID;
  • Multiple instances of remote access tools present on a system in an ‘always on’ mode;
  • The presence of malware or suspicious files, executables or programs;
  • SQL injection attempts or other suspicious activity on web-facing systems;
  • POS terminals and ATM devices showing signs of tampering;
  • Lost, stolen or misplaced sales receipts or payment card data.
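As an added illustration (not SRM’s tooling or anything from the original article), the following Python script turns the first two indicators above into routine checks on an authentication log. It assumes a simple one-event-per-line format in which the log collector has already annotated each source address with a country code, plus three things an operator would maintain: the countries the business trades with, the accounts that are disabled, and a per-account baseline of normal daily activity. The sample log, the addresses and the baselines are all constructed for the example.

```python
"""Flag account-data-compromise indicators in an authentication log.

Added example, not SRM's tooling: it encodes three of the indicators above
(connections from unexpected countries, logins by unknown or inactive IDs,
unusual volume from a known ID) as rules over a constructed log.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Set

# Assumed log format: one authentication event per line, with the source
# country already annotated by the collector (e.g. from a GeoIP lookup).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"cc=(?P<cc>[A-Z]{2}) result=(?P<result>\w+)$"
)

# Constructed sample data using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2017-04-12T08:02:11Z auth user=alice src=192.0.2.10 cc=GB result=ok
2017-04-12T08:05:43Z auth user=bob src=192.0.2.11 cc=GB result=ok
2017-04-12T02:14:07Z auth user=alice src=198.51.100.45 cc=RU result=ok
2017-04-12T02:16:30Z auth user=jdoe src=198.51.100.45 cc=RU result=ok
2017-04-12T02:20:05Z auth user=svc_backup src=192.0.2.12 cc=GB result=ok
2017-04-12T03:00:01Z auth user=bob src=203.0.113.9 cc=GB result=fail
2017-04-12T03:00:02Z auth user=bob src=203.0.113.9 cc=GB result=fail
2017-04-12T03:00:03Z auth user=bob src=203.0.113.9 cc=GB result=fail
2017-04-12T03:00:04Z auth user=bob src=203.0.113.9 cc=GB result=fail
2017-04-12T03:00:05Z auth user=bob src=203.0.113.9 cc=GB result=fail
2017-04-12T03:00:06Z auth user=bob src=203.0.113.9 cc=GB result=fail
2017-04-12T03:00:07Z auth user=bob src=203.0.113.9 cc=GB result=fail
2017-04-12T03:00:08Z auth user=bob src=203.0.113.9 cc=GB result=fail
"""

# Assumed operator-maintained context: trading countries, accounts that must
# never log in, and each active account's normal number of daily events.
ALLOWED_COUNTRIES: Set[str] = {"GB"}
DISABLED_USERS: Set[str] = {"jdoe"}
BASELINE_EVENTS: Dict[str, int] = {"alice": 3, "bob": 2}


class Finding(NamedTuple):
    line: int     # 0 for aggregate (per-user volume) findings
    user: str
    kind: str     # foreign_source | inactive_user | unknown_user | volume
    detail: str


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse matching lines into dicts keyed by the regex group names; other lines are skipped."""
    events = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["line"] = n
            events.append(ev)
    return events


def find_indicators(lines: Iterable[str], allowed_countries: Set[str],
                    disabled_users: Set[str], baseline: Dict[str, int],
                    ratio: int = 3) -> List[Finding]:
    """Return one Finding per indicator hit; volume is judged against ratio x baseline."""
    findings: List[Finding] = []
    events = parse_events(lines)
    for ev in events:
        user, cc = ev["user"], ev["cc"]
        if cc not in allowed_countries:
            findings.append(Finding(ev["line"], user, "foreign_source",
                                    f"{ev['result']} from {ev['src']} ({cc})"))
        if user in disabled_users:
            findings.append(Finding(ev["line"], user, "inactive_user", "disabled account used"))
        elif user not in baseline:
            findings.append(Finding(ev["line"], user, "unknown_user", "no baseline for this ID"))
    per_user = Counter(ev["user"] for ev in events)
    for user, expected in baseline.items():
        seen = per_user[user]
        if seen > ratio * expected:
            findings.append(Finding(0, user, "volume", f"{seen} events against a baseline of {expected}"))
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG.splitlines(), ALLOWED_COUNTRIES,
                             DISABLED_USERS, BASELINE_EVENTS):
        print(f"line {f.line or '-'}: {f.user}: {f.kind}: {f.detail}")
```

Run against the sample it reports Alice’s successful login from Russia, the disabled jdoe account being used from the same address, an account nobody has a baseline for, and Bob’s nine authentication events against a baseline of two. None of these is proof of compromise on its own, which is why each rule is kept separate and reports its evidence: the analyst, or the retained forensic team, decides what to chase.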

What can be done to protect against such attacks?

  • Use PFI skills to your advantage: working with a respected PCI company with forensic investigation capability is a great starting point. They already have the forensic skills and tools and can use these to help you to build a robust defence;
  • Do not simply tick the annual PCI compliance box but ensure that your compliance is ongoing; continually updated and improved. Working with a PCI compliance expert will help you to do this cost effectively and robustly;
  • Get ahead of the game: go a step further than straightforward compliance and conduct a thorough review, including a penetration test and vulnerability scan, to highlight your specific threats and vulnerabilities;
  • Be aware of your future obligations: the General Data Protection Regulation (GDPR) comes into effect in May 2018 and you will need to comply. Your responsibilities increase, and so do the potential penalties if a breach occurs;
  • Consider outsourcing the role of Information Security Officer (ISO): smaller companies will struggle to recruit suitably qualified individuals with the right skill set but working with a Virtual ISO team provides expert strategic input as well as practical input and training.
  • Engage with a company that specialises in forensic investigations. They will be able to test your incident response strategy and ensure that you are able to respond quickly and efficiently if the worst ever happens. Be prepared!

What happens in the event of a breach?

Breaches happen. But having the right team on hand to identify, analyse, contain and report on incidents saves money and reputation while reducing future risk and freeing you to continue to trade. SRM’s dedicated response team is on hand 24 hours a day, 365 days a year, providing professional, pragmatic and strategic support in the event of any type of incident, enabling you to focus on your business activities.

What next?

In the context of the damage an ADC breach can cause, investment in preparation is money well spent. SRM offers a bespoke retained PFI service, working proactively through regular strategic reviews to develop enhanced risk mitigation and ensure rapid remediation and minimal disruption in the event of a breach.

We do not recommend services or tools you do not need, preferring to use our extensive experience and understanding of the online retail world to set up a targeted plan of action and remediation which will keep your business as secure as it is possible to be. Given the persistence and resourcefulness of attackers, no system can be made immune to compromise. With a robust plan in place, however, including the relevant compliance, remedial action will be swift and acquiring banks are likely to take a more lenient view.

For more information see:

PCI PFI

Bespoke Penetration Testing

The technology gap which leaves organisations vulnerable to attack

Does outsourcing card processing make you PCI compliant?

Does Open Source Code make programs more vulnerable?

By Paul Brennecker, Senior Information Security Consultant & Principal QSA

There is something of the Tim Berners-Lee about open source software. Unlike proprietary software, where the code is a jealously guarded secret, the source code of open source software is available to everyone. With altruism redolent of the creator of the World Wide Web, there are individuals who produce programs whose source code is made freely available so that others can copy it, learn from it, alter it or share it. But does this very openness, by definition, make such programs more vulnerable to attack?

The answer, perhaps surprisingly, is no. Attackers are highly skilled and perfectly capable of exploiting vulnerabilities in closed and open source programs in almost equal measure. Secret source code simply presents them with a challenge, and one they relish. It is also worth remembering that it is usually easier to be destructive than creative.

Developers must avoid security-relevant mistakes everywhere in their code, while attackers need to find only one. Moreover, the security problems of programs are often already known: they are frequently identified by the very people who want to defend those programs so that they can protect themselves, and attackers use the same techniques to find and exploit them.

One approach is for attackers to run the program, feed it malformed data and observe whether its response (a crash, an error message, a hang) indicates a common class of vulnerability. Because they are looking at the program’s behaviour and not its code, there is no difference here between open and closed source programs.
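To make that first approach concrete, here is an added example (not from the original article or any real product) of the black-box technique: a mutation fuzzer that feeds corrupted versions of a valid message to a toy length-prefixed parser and records any response that is not the parser’s own clean rejection of bad input. The parser, its message format and its deliberate missing bounds check are all constructed for the example. The point is that the harness never reads the parser’s code; it sees only a callable and what it does with the bytes it is given.

```python
"""Black-box mutation fuzzing of an opaque parser (added example).

The harness only calls `target(data)` and classifies what comes back; it
never inspects the target's source, which is why open and closed source
look the same to it.
"""
import random
from typing import Callable, Dict, List


def parse_message(blob: bytes) -> List[bytes]:
    """Toy length-prefixed parser standing in for the program under test
    (a constructed target, not any real product).

    Wire format: [n_records:1] ([len:1] [payload:len])* [checksum:1]
    Deliberate flaw: the declared record length is trusted, so a length that
    runs past the end of the buffer leaves `pos` out of range and the
    checksum read raises IndexError, the Python stand-in for the
    out-of-bounds read a C implementation would perform.
    """
    if len(blob) < 2:
        raise ValueError("too short")
    n_records = blob[0]
    pos = 1
    records: List[bytes] = []
    for _ in range(n_records):
        if pos >= len(blob):
            raise ValueError("truncated record header")
        length = blob[pos]
        # Missing check: pos + 1 + length <= len(blob)
        records.append(blob[pos + 1:pos + 1 + length])
        pos += 1 + length
    checksum = blob[pos]  # IndexError once a bad length has pushed pos past the end
    if checksum != sum(blob[:pos]) & 0xFF:
        raise ValueError("bad checksum")
    return records


def build_message(records: List[bytes]) -> bytes:
    """Encode a well-formed message; used only to produce the fuzzing seed."""
    body = bytes([len(records)])
    for rec in records:
        body += bytes([len(rec)]) + rec
    return body + bytes([sum(body) & 0xFF])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation: bit flip, overwrite, insert, delete or truncate."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and buf:
        del buf[rng.randrange(len(buf))]
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seed: bytes,
         iterations: int = 2000, rng_seed: int = 1) -> Dict[str, bytes]:
    """Feed mutated inputs to `target`; keep the first input that triggers each crash type.

    ValueError is the parser's intended rejection of bad input and is not a
    finding; any other exception is the black-box signal of a real bug.
    """
    rng = random.Random(rng_seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        data = mutate(seed, rng)
        try:
            target(data)
        except ValueError:
            continue
        except Exception as exc:  # any unexpected failure is the signal we want
            crashes.setdefault(type(exc).__name__, data)
    return crashes


if __name__ == "__main__":
    seed = build_message([b"hello", b"world"])
    for kind, sample in fuzz(parse_message, seed).items():
        print(f"{kind}: {sample.hex()}")
```

Each crash input the harness keeps reproduces on its own, which is what a real fuzzing campaign hands to whoever triages the bug; the single-mutation strategy is deliberately simple, and production fuzzers add coverage feedback and input minimisation on top of the same loop.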

Another approach is to search the source code for patterns that suggest security problems. Closed source software does not escape this, because the same patterns can be found in the compiled machine code. Attackers use disassemblers, which turn the machine code into an assembly listing, and decompilers, which reconstruct an approximation of the original source, and then search the result for the vulnerable patterns; binary scanning tools search the compiled code directly. This applies to closed as well as open source programs.

Even the giants of the internet are not immune to source code theft by determined attackers. Microsoft has had parts of its source code stolen several times, both directly from itself and from another company it shared the code with. What is more, disaffected employees have, for their own reasons, released proprietary code.

Sometimes closed source programs are actually more vulnerable. A Trojan horse inserted into proprietary code is, by the nature of the code’s secrecy, less likely to be found than one in an open source program, because no one outside the organisation is able to review the source. A further advantage of open source is that when an issue is found it can be fixed by anyone, immediately, without waiting for a vendor, although the fix still has to be deployed by everyone who runs the code.

Open source code is therefore not necessarily any more vulnerable than proprietary code. Providing a robust defence against attack has little to do with whether the code is open and a lot to do with access to the right level of expertise. Using an industry-respected team with the range of knowledge and practical experience of the complexities of the cyber environment is the best form of defence.

Prevention and cure: working out an information security budget

The Chancellor recently announced a £425 million government investment in the NHS over the next three years. While pundits speculate on what this will actually mean for our vital service, it is worth considering the issue of health in the context of business. Organisations need to ensure their own ongoing health by deciding what steps to take to stay compliant with current legislation and by prioritising the prevention and treatment of attacks. Like Philip Hammond, they need to work out their priorities and set an investment budget.

In information security terms, the A & E department, otherwise known as Incident Response, deals with the extreme cases where an organisation faces an emergency as the result of an attack, either on its information systems or on the physical building in which it operates. Such incidents can be swiftly remediated if a response plan is in place and continually updated. Quantifying the potential cost of this type of service requires an in-depth assessment of current defences. Conducting such a review also helps in the event of an emergency, as the consultant will already be familiar with the structure, locations and systems in place. Much of this can be planned, conducted and budgeted for in a measured way by working with a specialist consultant.

Such outright attacks are thankfully rare; attacks on specific data, often card data, are a more common issue. The financial consequences of a data breach are nonetheless significant, and the headline figures can make Chief Information Security Officers (CISOs) quite dizzy. The press has reported huge sums lost in data breaches over the last year and, in addition to the loss of business, the payment card brands levy fines on the organisations involved. Things will only become tougher when the Data Protection Act is replaced by the GDPR in May 2018. The maximum fine for a breach under the GDPR is 20 million euros or 4 per cent of annual worldwide turnover, whichever is higher. The Payment Card Industry Security Standards Council (PCI SSC) has warned that this could mean UK businesses facing up to £122 billion in penalties for data breaches.

Yet fines are not the only financial consequence of a data breach. The damage to a company’s reputation can lead to significant reductions in income over a longer period. So how much should an organisation allocate to prevention and how much to cure? It depends on context and exposure, and an industry expert will be able to advise on the most cost-effective measures to achieve the desired outcome.

As with any health situation, preventative measures matter. GDPR compliance is one element of this, and SRM’s specialist team can facilitate a cost-effective strategy, doing as much or as little as required to support the CISO in embedding GDPR compliance within the organisation. Working with a team of expert consultants who understand your organisation will ensure that protection levels are high and general health is good. They will also be on hand in the event of a flashing blue light, able to step into the emergency with a clear strategic plan to deal with any haemorrhage.

For more about GDPR compliance see:

GDPR – The General Data Protection Regulation

The uncertainty of Brexit, the certainty of GDPR and the responsibilities of the CISO

GDPR: the impatient tiger