Monthly Archive August 2017

Security by Design: a little thought can save a great deal of expense!

Security consultants talk about “Security by design” … and to be fair, most of us believe in it! The trouble is that to much of society it is, at best, an intangible aspiration and, at worst, a mindless industry cliché. As a result the benefits are often missed in practice. This is particularly true in many smaller organisations, where it is often seen as an expensive luxury.

There is a perception that cyber security is a complex technical issue that is beyond most normal folk. Whilst there are some aspects of Cyber which can be horribly complex, there are also powerful actions that we can all take to make ourselves a harder nut to crack… regardless of our technical ability or our role in society or in organisations.

The key is to acknowledge that we are not alone, and that our actions (or lack of them) influence the way potential attackers behave… and the opportunities open to them. We can make a potential attacker’s job hard or easy, just as we can make ourselves appear an attractive target… or make it clear that we are not worth the effort.

This is more than basic cyber hygiene (e.g. antivirus, passwords and firewalls – these are, I’m afraid, a given) … it is about how we think and how we behave. Specifically, it is how we set ourselves up – as individuals or as organisations.

For example, as individuals… rather than blindly carrying everything around on a laptop, we might decide that particularly sensitive information needs special protection and make it less available to an attacker… perhaps by saving it on encrypted drives or USB keys and locking it up safely with our critical paperwork when we are not using it. In doing so we are applying the common sense and thought processes we use with our tangible belongings to our intangible ones: our information.

For larger infrastructures, a little thought about structure can give defenders a significant advantage over attackers. We can make sure that access to our systems is controlled and force everyone entering a system to pass through areas that are closely monitored. If we are working on particularly sensitive information, we might choose to change the frequency with which we test our systems. We can seek to create an environment where we have the upper hand!

This logic isn’t new… Think of medieval spiral staircases, which were generally designed to favour a right-handed defender (though I note that in the fortresses of the Kerrs, an Anglo-Scottish Reiver family who were reputed to be mainly left-handed, the spiral allegedly went the other way! Someone had clearly thought about it!)

If we treat our intangible and invisible information assets in the same way that we treat our physical valuables… then we can make things a lot harder for an attacker.

If we fail to control our own behaviour and our environment then we will undermine even the most effective (and expensive) technology. A little thought and common sense can save a great deal of expense.

Tom F, Managing Director of SRM, is a regular contributor to the SRM blog.

Summer holidays: don’t take your eye off the PCI DSS ball

The summer months are traditionally a time when hard-working people take a break. Those left in the office can end up feeling over-stretched or less motivated than normal. But it is not a time for anyone to take their eye off the ball. Visa has issued new advice on how to Play it Safe this Summer, emphasising once again that working with the right partners is ‘crucial to protecting the cardholder environment’ and ensuring that PCI DSS compliance is met and maintained.

Produced for the US market, Visa’s advice is built around a baseball analogy, and it goes something like this:

First base – follow secure procedures

Ensure service providers follow secure procedures when using remote access to reach your environment. Service providers accessing a merchant’s Point of Sale (POS) system using remote access must follow secure procedures and those providers should go through the QIR certification program if eligible. This protects against data breaches and helps to facilitate compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Second base – change passwords

Change all default passwords to strong, multivariable passwords. The Verizon Data Breach Investigations Report (DBIR) found that 81% of breaches in 2016 occurred because criminals used stolen and/or weak passwords. Requiring all employees to create complex passwords, and to change them often, adds a critical level of security to the environment.

Third base – ignore suspicious emails

Remind employees to ignore any suspicious emails and report them to IT. The DBIR found that 1 in 14 users were duped into opening an attachment from a phishing email and ‘95% of phishing attacks that led to a breach were followed by some sort of software installation’. Informing employees about phishing schemes will help prevent security lapses in the future.

Home run – partner with a Registered Service Provider

Partner with a Registered Service Provider. The Soha Systems Survey on Third Party Risk Management found that 63% of all data compromises involve a third-party vendor. Service providers listed on the Visa Global Registry of Service Providers meet Visa’s requirements for validating compliance with industry security requirements. Using these registered providers helps to secure the promise of a trusted payment system.

PCI DSS – seek professional advice

Establishing an organisation’s exact PCI DSS requirements can be a complex business, and professional advice should be obtained.

SRM is an accredited QSA Company. Our team of QSAs can conduct your PCI assessment to validate and maintain your compliance with the PCI DSS. We have a wealth of experience in helping companies understand not only how to comply but how to reduce the scope to make compliance each year as simple as possible. From understanding how to complete the SAQ document right through to full PCI assessments for FTSE 100 companies, SRM has the qualifications and expertise to complete the task in a robust and cost-effective way. We also have an established Retained Forensics service which identifies and mitigates the risk of a potential breach.

http://blog.srm-solutions.com/hot-water-and-pci-compliance/

http://blog.srm-solutions.com/does-outsourcing-card-processing-make-you-pci-compliant/

http://www.srm-solutions.com/services/pci-dss/

http://www.srm-solutions.com/services/retained-pci-forensic-investigation-pfi-service/

Game of Thrones: data theft and pen testing

‘Hi to all mankind’. Thus began the email sent to journalists by hackers who have reportedly stolen 1.5TB of files and videos from entertainment giant HBO. What has made the headlines is the fact that the script for next Sunday’s episode of Game of Thrones has been released. The HBO hackers conclude their email by saying that ‘HBO is falling’, and it is perhaps chilling to consider the vulnerability of even the largest and best-protected companies to breach and data theft.

In April Netflix was also compromised and refused to pay a ransom demand. Ten episodes of its series ‘Orange Is the New Black’ were leaked by a hacker group known as TheDarkOverlord. It is not yet clear whether the HBO hackers are seeking a ransom payment. Yet although advance plot lines for a TV series make headline news, there is another important aspect to consider: namely, the sensitive corporate data held by HBO which may now also be in the hands of unprincipled criminals.

HBO confirmed this week that it had experienced a cyber incident ‘which resulted in the compromise of proprietary information’ and that it is examining the breach. Forensic investigation will reveal how the system was breached and enable the company to secure its systems. But assuming that a company the size of HBO has access to the very best cyber defence, what more can they do?

First of all, it is worth pointing out that anything to do with Game of Thrones is a huge headline draw. With 8.9 million people reportedly watching the finale of Season 6, hackers will have been particularly motivated to succeed. Yet all organisations which hold data are vulnerable to a greater or lesser extent. Those with a strategic plan which includes regular penetration tests, network security testing and vulnerability assessments are, however, better placed, because they have built responsiveness into their defences.

Expert pen testers put themselves into the mind of potential attackers, exploring and exploiting all opportunities. As systems become more complex, the ‘attack surface’ continues to grow and the number of ways a hacker can gain access is ever expanding, making this technique increasingly valuable.

As an additional precaution, organisations should defend their systems by assuming that they have already been breached and that a hacker lurks quietly within. If information is encrypted and secured with strong passwords that are regularly updated, hackers may just prefer to concentrate their efforts on easier prey. When it came to the fate of the Seven Kingdoms, perhaps the hackers felt the effort was worth it, but, like Jon Snow, let’s make their lives as difficult as possible.

SRM can advise on all aspects of Information Security Testing as well as providing a full range of consultancy services.

Information Security Testing & Compliance
SRM Blog