Wednesday 25 May 2016

Microsoft seeks to mitigate laziness by banning popular passwords [Link - SC Magazine]

I was asked to comment on Microsoft banning people from using popular passwords, for SC Magazine: http://www.scmagazineuk.com/microsoft-seeks-to-mitigate-laziness-by-banning-popular-passwords/article/498670/

========================
I was asked to answer four questions:

Are there any security risks associated with Microsoft analysing passwords like this?
There is very little risk, as we are trusting Microsoft to store and secure that password, as it will need to be checked every time it’s used.  Like all other systems, it’s just an algorithm to check how the password is structured.

Why is Microsoft doing this now and not a long time ago?
Insecure passwords have been a problem since there was a need for passwords.  SplashData do an annual review of the worst passwords people use, and typically users will be blamed for using these sorts of passwords.  It is the provider/administrator that sets the stipulation of the password structure, so insecure passwords are due to bad standards.  Cybersecurity and data compromises are more commonplace, so it is good that Microsoft is taking action.

Is this a good idea?
It is definitely a good idea to increase the security of passwords, but if Microsoft were taking security more seriously, I’d want to see the use of two-factor authentication.

Won't people just forget complex passwords more easily?
If the complexity increases too much then passwords will be written down.  The user needs to consider a move to a secure password vault, or the supplier needs to look to two-factor authentication.
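As an added illustration of the kind of check the post describes (not from the article and not Microsoft's own implementation), here is a small Python banned-password filter that normalises obvious variations such as appended years and "leet" substitutions before consulting the list; the banned list, substitution table and minimum length are constructed for the example.

```python
"""Added example: a banned-password check of the kind the post describes.

This is not Microsoft's implementation; it is a simplified illustration of
how such a filter can catch trivial variants of popular passwords, not just
exact hits.
"""
import re

# Constructed sample list for the example. A real deployment would load a
# large list of leaked/popular passwords (SplashData-style) from disk.
BANNED_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "iloveyou", "football", "admin",
})

# Common "leet" substitutions people use to dodge naive blocklists.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t",
})

MIN_LENGTH = 8  # assumed policy value for the example


def normalise(password: str) -> str:
    """Reduce a candidate to its base word, so 'P@ssw0rd2016!' maps to 'password'."""
    p = password.strip().lower()
    p = re.sub(r"[\d\W_]+$", "", p)   # drop trailing digits/punctuation (years, "!", "1")
    p = re.sub(r"^\d+", "", p)        # drop a leading counter such as in "1password"
    if not p:                         # purely numeric input like "123456": keep it as-is
        return password.strip().lower()
    return p.translate(LEET_MAP)


def check_password(candidate: str) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects exact and near matches to the banned list."""
    lowered = candidate.strip().lower()
    if lowered in BANNED_PASSWORDS:
        return False, "password is on the banned list"
    base = normalise(candidate)
    if base in BANNED_PASSWORDS:
        return False, f"too close to banned password '{base}'"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample candidates; the first four are all rejected.
    for sample in ["P@ssw0rd2016", "123456", "Welcome!", "1Letme1n", "correct horse battery"]:
        print(f"{sample!r:28} -> {check_password(sample)}")
```

The check runs only when a password is set or changed, so the service still has to protect the stored credential exactly as before; the filter just stops the weakest choices getting in.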

Thursday 19 May 2016

100 Million LinkedIn Accounts for sale

It was reported in the news that 100 million LinkedIn Accounts were for sale on the Dark Web.

LinkedIn previously reset the passwords of those accounts they believed were compromised in 2012, but it seems many more accounts were compromised than previously believed.

LinkedIn's response should have been to reset all users' passwords and to implement better protection for the new passwords.

From a user perspective, we need to ensure we are using different passwords for each of our web services.  Why?  Well, if your LinkedIn password is the same as the one for your email provider, other social media accounts, cloud storage, etc., then the compromised password could be replayed against a number of websites and services to gain access to those.

Although it's not two-factor authentication, two-step verification will give some additional security to your LinkedIn account.  Not only will this add security to your account, it's also free.  The instructions to switch on two-step verification for LinkedIn are relatively straightforward.

Don't forget your other web accounts, as two-step verification is available for Google, Facebook, Microsoft, Twitter and many other sites.  If the websites and services you use aren't taking your security seriously, should you be using them?

Wednesday 18 May 2016

To pay or not to pay... [Link - SC Magazine]

Another article published in SC Magazine, this time about vendors paying bug bounties: http://www.scmagazineuk.com/to-pay-or-not-to-pay/article/493365/

=====================
Andrew Tang explores the contentious issue of paying bug bounties when software flaws are discovered.

The idea of paying a bug bounty to someone who discovers a software flaw may be a touchy subject, but it's also a nailed-down reality.

Broadly speaking, there are those who say software vendors should do more to secure their software, while others point to the benefits of paying for the discovery of software vulnerabilities. Both have valid points.

Certainly, Microsoft, Google and Facebook think bug bounties are a good idea; they habitually make payments for discovered flaws.

By paying bug bounties, some software makers are essentially saying they can't guarantee the security of their products and commercially they can't afford to do so. The argument goes that if they dallied on extensive security testing their products would no longer be commercially viable, millions would be lost, companies would sink and thousands would be out of work.

Torture and imprisonment

The fact remains, however, that exploits can cause tremendous damage. One flaw in Adobe Flash ended up being sold by the Italian company Hacking Team to, among others, repressive regimes with extremely poor human rights records.

Another vulnerability, in an Adobe font driver in Windows, essentially allowed attackers to elevate their privileges on a machine to administrator level. In fact, Adobe software has been so riddled with bugs that at one point its future viability was in question, after pundits and industry analysts essentially advised users to flee while they could.

A major vulnerability in software bundled with Samsung phones left as many as 600 million Samsung smartphone owners at risk of hacking, while last year auto manufacturer Chrysler had to recall 1.4 million cars because of a flaw in its Uconnect dashboard computers. At about the same time, a software flaw in new Dell laptops left many users vulnerable to malicious hacking.

Falling on swords

Some vulnerabilities can lead to the loss of millions and millions of customer records, from credit card numbers to email addresses, passwords and more. The fallout can be horrendous; therefore it's not surprising to see revenues plunge, CEOs fall on their swords and huge fines slapped on the business by regulatory authorities.

Given these occasionally dramatic consequences it makes more sense to pay a bug bounty, though some companies are at the moment averse to doing so.

Black budgets for software flaws

The practice is already well established in the industry and it can be big business. Among the many interesting facts that whistleblower Edward Snowden revealed was that the US National Security Agency spent more than $25 million (£17M) from its black budget in 2013 to acquire software vulnerabilities. While this is, in all likelihood, for spying on other governments, foreign banks and commercial operations have been hacked in the recent past with the finger pointing at the US.

Of course, software bugs are not the sole reason for major data breaches. More often than not serious cyber-hacks happen because of weak or stolen credentials, social engineering and poorly configured servers and Web applications.

That said, the impact of software bugs shouldn't be underplayed. Within this context and weighing the advantages against the disadvantages it makes absolute sense for bug bounties to be paid. It stops an organisation from being hacked in the first place and the cost doesn't compare to the damage and fallout when a successful cyber-attack takes place. However, clearly what is really needed is more secure software.

Making vendors honest

One approach is to actually ride the current bug bounty wave and implement a global bug bounty system, and one that is lucrative. Governments and global enterprises could get behind this and drive it forward. This might also encourage vendors to be more honest. The amount they currently pay for bug bounties is often minuscule compared to annual revenues.

A global bug bounty would ensure that every release of commercial software products would come under scrutiny by an army of security experts. Initially it might hit the vendors hard, but over the long term it would lead to much more secure software.

Monday 16 May 2016

Home and mobile working - ’10 Steps to Cyber Security’

Mobile working is an established fact of life today, whether you’re accessing corporate data on the move or connecting to the company network from your home. Mobile devices now make it easier for employees to do all they need irrespective of geographical location.

While the mobile revolution provides flexibility for employees, it also brings risks. One of these is the simple physical loss of equipment, such as a laptop left on a train or a smartphone left in a taxi. Being able to access all documents from a single location means that, should the device end up in the wrong hands, security can be compromised.

Blunders and lapses

Should you happen to find yourself in a situation whereby your device goes missing, do not panic. Laptop lapses can easily be dealt with in advance by encrypting hard drives, enabling remote wiping of data and also by using extremely robust passwords.

A more immediate danger, however, is sophisticated exploits such as mobile botnets, where multiple smartphones are infected with a virus or Trojan-type software. This can result in a network of phones being programmed for malicious activity, such as stealing credit card data, or malware burrowing into a corporate network. As mobile computing becomes increasingly commonplace, hackers are also increasingly drawn to it.

World of many devices

In terms of home and mobile working, organisations need to secure and manage operating systems in a world of mixed-use devices, while at the same time incorporating identity, context, and privacy enforcement to set the appropriate level of access to enterprise data and services.

Organisations need to address three areas: device management, application management and content management.

In terms of device management, organisations need to be able to secure and manage a diverse range of mobile devices, automatically enable enterprise settings such as Wi-Fi and VPN, and provide end-users with secure access to corporate email.

With application management, a business should aim to deliver, secure and, when appropriate, retire mobile apps. This provides IT with the ability to manage the application life cycle: making applications available to employees, securing applications on the device and, when necessary, containerising corporate apps to keep them separate from personal apps.

Content management is the ability to enable end-users to securely access and manage enterprise documents that are kept in different content repositories, whether on-premises servers or in the cloud. It’s also important that corporate email attachments are encrypted. Ideally, users should also be able to securely browse corporate Intranet content without the need for a device-wide VPN.

Importance of policy

Policy guidelines also need to be in place in order for a business to dictate actions. For instance, if a mobile device falls out of compliance, IT can define remediation actions that will either notify the user of policy violations or remotely wipe corporate information.

In addition, stating how an employee should connect to the corporate network can also help with security. Connecting to a corporate network via a Secure Sockets Layer (SSL) virtual private network, alongside two-factor authentication for identification, will also ensure privacy and protect corporate data.

Sunday 15 May 2016

Removable Media Controls - ’10 Steps to Cyber Security’

Removable media is anything that can be brought into an organisation and plugged into a computer ranging from a USB stick to external memory, smartphones and tablets, iPods, Bluetooth devices, recordable CDs and DVDs. It also includes wearable devices such as smartwatches, which are gradually becoming more popular.

Some people in the workplace may use a laptop to charge their smartphone, or transfer files using a memory stick because it contains something they are working on. However, irrespective of what it is you’re plugging in, there are dangers attached when inserting a USB device into your laptop. Firstly, there’s the risk of the device containing malware and secondly, there’s the danger that sensitive data can be downloaded and stolen.

The Stuxnet attack on the Iranian plant in 2013 illustrates the tremendous damage that can be wreaked from a small memory stick. It’s therefore essential not to overlook removable media controls when looking at cyber security.

Consider the consequences

In the corporate sphere, the risks of information theft, data loss and malware can all lead to reputational damage and financial loss for a company. If you have any doubt about the consequences of serious data loss, consider the case of US retailer Target. It was the subject of a hack in which millions of customer records were plundered and as a result, its revenues plunged by over 40 per cent.

Safeguarding against loss via removable media should ideally be planned when a security policy is being developed. As removable media in the workplace is now all too commonplace, and is one of the highest areas of vulnerability, it should be addressed as a matter of urgency.

Reducing the risk 

Even if your network is locked down to the point of disconnecting it from the Internet, that doesn't prevent someone from copying sensitive data onto a CD-ROM, or to a USB memory drive and walking out the door with it.

Removable media controls fall under data loss prevention and, as a result, there is a raft of technologies designed to help protect against the risks removable devices bring. The fast-paced business environment of today requires employees to have anytime, anywhere access to corporate data and business applications, therefore putting a block on removable media may seem draconian and counter-productive.

However, it can be managed. It’s possible to protect critical data from coming into and leaving the company through removable media with tools that monitor and control data transfers from desktops and laptops, irrespective of where users are and even when they are not connected to the corporate network.

Managing devices

Specifying which devices can and cannot be used, defining what data can and cannot be copied onto allowed devices and restricting users from copying data from specific locations and certain applications will help when managing devices.

Endpoint encryption for removable media is another effective approach. It allows the encrypted device to be used on any machine without installing any software or requiring administrator privileges. It also allows encrypted files to be saved or edited safely, which ensures user flexibility is maintained.

Remember, policy is essential. Identifying removable media devices, nailing down required actions and outlining the steps that are needed to ensure continued business flexibility will help protect your sensitive data.

Friday 13 May 2016

Monitoring - ’10 Steps to Cyber Security’

Monitoring IT systems is central to the protection of an organisation. The government’s 10 Steps to Cyber Security points out that for monitoring to be successful, it must be comprehensive.

In other words, this means looking at everything from networks, servers and desktop computers to host intrusion detection systems, intrusion prevention solutions and wireless intrusion detection.

The guide also states that all network traffic needs to be monitored, both inbound and outbound, and organisations need to be able to generate audit logs that identify unauthorised use and the users.

Dramatic surge

To a significant degree, if other points within the guide are adhered to, a level of monitoring will already be taking place.

In the past, it was a widely held belief that system monitoring was not really a core requirement for operational effectiveness. However, the dramatic and sustained surge in cyber attacks, and the threat from insider data leaks, renders this argument redundant. The need to protect sensitive data, whether it’s customer information, financial records or intellectual property, has never been more pressing.

Industrial scale tracking

For many organisations, monitoring needs to take place on an industrial scale, with the tracking of thousands of devices. At its core, monitoring essentially needs to track activity as well as raise red flags if anything out of place happens.

There are a number of ways to approach this. We recommend centralised technology platforms that detect threat activity, as they provide the security team with the context and insights needed to minimise the potential fall-out.

Full insight

It’s not just a question of looking out for malware; it’s a question of having full insight into the IT estate and all its component parts. It needs to be comprehensive given that some threats are multi-vector advanced persistent threats carried out by external attackers, while others arise from malicious or accidental behaviour by insiders. 

A business needs to be able to detect even a partial fragment of sensitive data on a network endpoint with data loss prevention tools, as well as guarding against data loss in the cloud and on-premises.

Detailed analytics

Detailed analytics help you understand what is normal organisational behaviour as well as helping to highlight when something or someone deviates from the norm. 

Preconfigured policies are also important in that they allow you to get up and running quickly and more importantly, effectively. The importance of monitoring data and human behaviour can’t be overstated, especially as it can give you an early warning system that flags up if something is amiss. 

Thursday 12 May 2016

Malware prevention - ’10 Steps to Cyber Security’

The scale of malware is enormous. Approximately 250,000 new malware sites are brought online every day. While the majority of these are only alive for around 24 hours, they can cause enormous damage.

This is particularly true when malicious sites are combined with different attack methods such as phishing or pharming or even search engine manipulation.

Wreaking havoc

All it takes for malware to end up in your network is an employee falling for a phishing email, clicking on a poisoned link and being redirected to a website from which a Trojan is implanted into the network.

The CESG’s 10 Steps to Cyber Security outlines the potential in a rather prosaic manner: “Malware infections can result in the disruption of business services, the unauthorised export of sensitive information, material financial loss and legal or regulatory sanctions.”

Blackmail

Malware can lead to blackmail, the deletion of entire databases, keyloggers that record every finger tap across a keyboard, backdoors that are used to implant further malware, rootkits that provide full access to a system and password stealers.

As malware has been around for such a long time, everyone is familiar not only with the damage it can cause, but also with its ubiquity. As a result, there is widespread understanding that it needs to be guarded against, which is positive.

The most effective way of doing this is via robust and rigorous antivirus at the firewall. Antivirus needs to dovetail with other defence methods such as real-time threat detection and forms of detection that don’t just rely on detecting virus signatures. This is because host and client machines also need protecting.

Zero day threats

While signature detection is important to block the hundreds of thousands of malware variants that swarm the Internet, it’s not enough to detect newly released malware, so-called zero-day threats.  As more Internet traffic becomes encrypted via the HTTPS protocol, the need for layered malware protection becomes more acute.

It’s possible to use technology that not only sends an alert that an unknown file has entered your network, but also informs you whether it reached a computer, if it executed, what it did, when it ran, if it spread or deleted itself and so on. If the file is malicious, you can automatically stop it from executing. This enables you to rapidly prioritise alerts, investigate events, and remediate incidents.

Wide ranging defence

This holistic, layered approach recognises not only that malware infections are too common, but also that the enterprise needs protecting across the range of its systems. From the perimeter firewall to endpoint devices, protection is needed at every stage.

Wednesday 11 May 2016

Incident management - ’10 Steps to Cyber Security’

CESG’s 10 Steps to Cyber Security guidelines point out rather bluntly that “All organisations will experience an information security incident at some point.”

However blunt, it’s true. It’s a question of not ‘if’ but ‘when’. This adage simply reflects the scale of malicious cyber activity that takes place. For instance, thousands of new malware variants appear every day.

Vitally important

An incident management strategy is vitally important to contain damage should it happen. In fact, IT system breaches need to be considered within the context of disaster recovery and business continuity, as well as mandatory reporting requirements.

One of the best ways to develop an incident management strategy is by using existing standards. The ISO 27000 family of standards helps organisations keep information assets secure. Specifically, ISO/IEC 27001, the best-known of them, outlines the requirements for incident management. It covers people, processes and IT systems, all of which are viewed through the lens of risk management.

Systematic approach

These standards help organisations manage the security of their assets, whether financial information, intellectual property, employee details, customer details or third-party information, by providing a systematic approach.

The ultimate goal of ISO 27001 is ensuring security requirements are met and as such it incorporates incident management as a central component.

An incident management strategy starts with the identification of incidents, typically through users logging them and through automatic incident logging based on pre-established conditions.

Informing responses

Incidents then need to be categorised to enable easy classification. In turn this informs prioritisation, such as the effect an incident has on the business, and whether it needs to be dealt with urgently or can be managed at a later stage.

Following the initial identification and categorisation of an incident, diagnosis, escalation, investigation and resolution need to take place. While some of these processes can be automated, others, such as investigation and diagnosis, depend on human processes and intervention.

Forensics

Depending on the incident this often involves forensics. This is where a backtrack process takes place so the cause and location of the incident can be established. This is important because a hacker can plunder a customer database and have credit card or banking and personal information up for sale before the company is aware anything has happened. As such, it’s important to be able to detect the path of the attack and trace it back to a source, date and time.

In summary, an incident management strategy needs to be a central component in a wider disaster recovery strategy. The point of incident management is that it enables you to effectively identify and manage breaches.

Tuesday 10 May 2016

User education and management - ’10 Steps to Cyber Security’

The government’s ‘10 Steps to Cyber Security’ guidelines flag user education as a vital component in any security policy, focusing specifically on acceptable and unacceptable behaviours. In fact, we think education provides the building blocks for good security.

User education is about raising awareness of the risks and dangers that can arise from a slack approach to security. This can be anything from bringing USB sticks into the workplace and plugging them into computers, to a lack of understanding about social engineering and phishing.

The weakest link

Within this context, the weakest link in the business can be employees that lack IT security knowledge. Leading-edge technology can be irrelevant if employees are not aware or educated on a comprehensive security policy. 

Spear phishing attacks, for instance, can be particularly damaging. A few years ago, RSA, a high-profile security company, and its cryptography keys were compromised in a spear phishing attack.

The company was breached after attackers sent two different targeted phishing emails to four workers at its parent company, EMC. The emails contained a malicious attachment that was identified in the subject line as 2011 Recruitment plan.xls. One of the recipients eventually opened the infected spreadsheet, which led to the breach. In this respect, education is crucial.

Do not avoid awareness 

None of the recipients were people who would normally be considered high-profile or high-value targets, such as an executive or an IT administrator with special network privileges. However, that didn’t matter. The malware had been unleashed. Once a spear phishing email makes it through filters and other similar technologies, the user element really comes into play, which is what the hackers were depending on.

When educating users, awareness is only the first step. Training must also be used. It provides people with a fixed body of knowledge which they can be tested on. 

Strength in depth

Training can take place in incremental steps or be focused on specific business requirements. It doesn't need to be a sweeping one-size-fits-all programme; it can be bespoke, targeting a specific department or focusing on remediating certain behaviours.

One thing is certain: a trained and educated workforce will dramatically reduce the chances of your organisation ending up as headline news or seeing its valuable customer information for sale on the dark web.

Monday 9 May 2016

Managing user privileges - ’10 Steps to Cyber Security’

Managing user privileges is an important aspect of comprehensive information security. Ideally, employees should only have access to the data and systems necessary to carry out their role.

The government guidelines on cyber security emphasise the need to manage user privileges appropriately so the number of deliberate, or accidental, attacks is reduced. The problem is that unmanaged privileged accounts can lead to all sorts of problems for a business.

Access all areas 

Think of a privileged account as an access-all-areas pass to confidential business data and systems, allowing users to grant broad access rights that often go far beyond what is needed for that job function. Monitoring the actions of users is therefore paramount for security and compliance; however, despite this, monitoring is not something that is standard practice.

Cyber criminals are only too aware that many privileged accounts go unmonitored and unreported and, as a result, are insecure. They understand that access to a privileged account provides the ability to control the organisation’s resources, disable security systems and access vast amounts of sensitive data. The damage done can be proportionately severe.

Jumping security hurdles

The TalkTalk customer database hack was apparently the result of hackers gaining access to a privileged account that granted access to a customer database. When the TalkTalk CEO later announced that she didn't think the data was encrypted, there was uproar amongst the media. However, if the cyber criminals gained entry via a privileged account, allowing them to basically jump over the security controls, then whether the data was encrypted or not is secondary.

Privileged account users can include third-party providers, cloud server managers, systems administrators, application or database administrators, select business users such as senior-level executives, and social media accounts. Compromising any of these accounts can create considerable problems.

The best practices dictate that privileged accounts should be incorporated into an organisation’s core security strategy. This means that controls need to be put in place to protect, monitor, detect and respond to all privileged account activity.

Control don’t compromise

There are several ways to control privileged account activity. Some organisations choose to deploy a strategic solution across the entire enterprise, while others take a ‘stepped’ approach that involves looking at the most vulnerable points first.

Starting by securing privileged credentials, and then moving on to monitoring the accounts once they are secured, allows the underlying infrastructure to be put in place step by step. Using analytic algorithms can also help reveal previously undetectable malicious privileged user activity, as they monitor behavioural data.

Layered security

Introducing layered security such as encryption, tamper-proof audits, and data protection can also help with protection of accounts, especially when used in conjunction with other methods. Multiple authentication methods assist in keeping your files and data protected from both internal and external threats.

Monitoring the actions of privileged accounts is fundamental to security. Do not let protection let you down.

Sunday 8 May 2016

Network Security – ’10 Steps to Cyber Security’

The development and ubiquity of the Internet has been a great thing. It has opened up the world, making previously closed shops available on a global scale. However, as the Internet grows so does cyber criminal activity. It’s therefore imperative to have a robust and rigorous network security solution in place.

Robust filters

The government’s 10 Steps to Cyber Security points out that “Connecting to untrusted networks (such as the Internet) exposes corporate networks to attacks that seek to compromise the confidentiality, integrity and availability [of IT environments].”

A firewall on the perimeter of your network that carries out deep packet inspection, monitoring the traffic coming into the network, is essential, as is robust antivirus with the ability to filter websites and inbound emails to guard against malicious links and phishing attacks.

You need to be looking out for malware that is attempting to get into the network, emails that have Trojans hidden in them, websites with poisoned links and any other network traffic that may be harbouring malicious software. It’s important to remember, though, that the landscape isn’t fixed; it’s constantly changing as new attack methods are developed and malware mutates to avoid detection.

Protecting the environment

Protecting the environment is made more complex by distributed enterprises that have branch offices and remote or roaming users, or data centres that use technologies like virtualisation and the cloud.

The CESG guidelines say you need to: “Filter all traffic at the network perimeter so that only traffic required to support your business is allowed, and monitor traffic for unusual or malicious incoming and outgoing activity that could indicate an attack.” For any CIO and IT administrator, these are basic first steps.

The approach taken will however be determined by the IT environment. When protecting the perimeter you need to consider that your network is full of applications that a port-based firewall fails to identify or control.

Flexible controls

File sharing, social networking, personal email and streaming media are just a few of the applications that can evade your firewall by hopping ports, using SSL or using non-standard ports. Blocking these applications may impact on the business. As such, you need an approach to creating effective firewall-control policies that extends beyond the traditional 'allow or deny' approach.

Similarly, if you’re protecting a virtualised data centre you’ll need to consider how to enable and protect applications moving across the cloud, how to isolate applications and how to eliminate the security lag as your cloud environment changes.

Distributed environments

If you wish to safeguard a distributed environment, another approach is required. It’s common in these environments to see clients with smaller branch offices, employees working remotely from home and roaming users. In fact, users often move from one location to another within a day. While it’s great for productivity, it can lead to dangerous inconsistencies and IT compromises.

Although each environment requires a different approach, each essentially has the same goal, to optimise visibility, increase control and eliminate policy configuration gaps.

Saturday 7 May 2016

Secure configuration – ‘10 Steps to Cyber Security’

Once a security policy has been agreed, areas of vulnerability have been outlined, and the value of different types of data and the associated responsibilities have been agreed, the next step is to ensure the existing technology infrastructure is secure.

As systems become more complex with the addition of new software and hardware, vulnerabilities can appear more quickly.

Comprehensive strategy

Secure configuration is a question of maintaining control as the IT environment evolves. Ensuring you know what applications end users are downloading and that a comprehensive update strategy is in place to patch software is crucial.

When users download and install software themselves, it can conflict with existing applications and create vulnerabilities, and unpatched software presents an open door for hackers.

Industrial scale subterfuge

It’s worth remembering that hackers and cyber criminals put enormous effort into identifying and exploiting software vulnerabilities. In fact, there is a vast underground network operating largely on the dark web dedicated solely to developing malware that exploits vulnerabilities and selling it to other hackers.

One of the difficulties for IT administrators is managing all of the applications within an IT environment. Given the size of some IT operations it can feel like, and often is, an impossible task without expert guidance and the right tools.

The CESG guidelines quite rightly point out that, “Without an awareness of vulnerabilities that have been identified and the availability (or not) of patches and fixes, the business will be increasingly disrupted by security incidents.”

Holistic and centralised approach

A salient point, and a nightmare for any CIO, is a major system breach that happens as the result of unpatched software or the exploitation of insecure system configurations.

Adopting a holistic approach will help secure configuration and also encourage endpoint standardisation. This will help simplify and manage what can sometimes feel chaotic. Centralising the management approach also ensures industry best practice is maintained.

Closing the door

There are a number of unrivalled benefits to this approach. Firstly, it ensures endpoints and applications are not only patched but also properly configured. When implemented correctly it also assesses software flaws and configuration vulnerabilities, whilst at the same time delivering rapid remediation, continuous validation and policy compliance reporting.

Secondly, everything that is happening across the network, from software downloads to new endpoints being added, can be seen. As a result, potential vulnerabilities are flagged and standards-based remediation is applied, ensuring optimum security.
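As an added illustration of what continuous validation and policy compliance reporting look like in practice (example code written for this post, not from the original article or from any product), the script below checks a constructed sshd_config-style file against a small constructed baseline and reports each deviation with its remediation. The baseline values and the sample configuration are assumptions made for the example; the parsing rules it applies (keywords are case-insensitive, the first value obtained for a keyword wins, and anything after a Match line is conditional) are those of sshd_config itself.

```python
"""Baseline compliance check for an sshd_config-style file.

Added example. The baseline below is a small constructed policy, not a published
hardening standard, and the sample configuration is constructed too.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Finding:
    directive: str
    expected: str
    actual: str       # "<unset>" when the directive does not appear at all
    remediation: str


# Baseline: canonical directive -> (expectation shown in reports, predicate, value to set)
BASELINE: Dict[str, Tuple[str, Callable[[str], bool], str]] = {
    "PermitRootLogin":        ("no",   lambda v: v == "no", "no"),
    "PasswordAuthentication": ("no",   lambda v: v == "no", "no"),
    "X11Forwarding":          ("no",   lambda v: v == "no", "no"),
    "MaxAuthTries":           ("<= 4", lambda v: v.isdigit() and int(v) <= 4, "4"),
    "PermitEmptyPasswords":   ("no",   lambda v: v == "no", "no"),
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global value of each directive, keyed in lower case.

    sshd_config semantics applied here: keywords are case-insensitive, a value may
    follow whitespace or '=', the first occurrence of a keyword wins, and anything
    after the first 'Match' line is conditional, so it is not part of the global
    configuration and is not evaluated.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        effective.setdefault(key, value)      # first value obtained wins
    return effective


def check_compliance(text: str) -> List[Finding]:
    effective = parse_sshd_config(text)
    findings: List[Finding] = []
    for name, (expected, is_ok, fix_value) in BASELINE.items():
        actual = effective.get(name.lower())
        if actual is None:
            # Treat "not set" as a finding: relying on a daemon default is not a
            # validated configuration, and defaults change between versions.
            findings.append(Finding(name, expected, "<unset>",
                                    f"set '{name} {fix_value}' explicitly"))
        elif not is_ok(actual):
            findings.append(Finding(name, expected, actual,
                                    f"change to '{name} {fix_value}'"))
    return findings


def compliance_report(text: str) -> str:
    findings = check_compliance(text)
    total = len(BASELINE)
    lines = [f"{total - len(findings)}/{total} baseline checks passed"]
    lines += [f"FAIL {f.directive}: expected {f.expected}, found {f.actual} -> {f.remediation}"
              for f in findings]
    return "\n".join(lines)


# Constructed sample, not taken from a real host.
SAMPLE_CONFIG = """
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes        # first occurrence wins, so the later 'no' has no effect
PasswordAuthentication no
MaxAuthTries 6
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print(compliance_report(SAMPLE_CONFIG))
```

Two design choices carry the weight here. A directive that is absent is reported rather than passed, because an environment that relies on a daemon default has not actually validated that setting. And the sample shows why the parser must follow the daemon's own rules: the later 'PermitRootLogin no' never takes effect, so a checker that took the last value would report the host compliant while the daemon still permits root logins. Running a check like this on a schedule across every endpoint, and acting on the FAIL lines, is the continuous validation the post describes.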

Friday 6 May 2016

Information Risk Management – a fundamental point in ‘10 Steps to Cyber Security’

The first area in the government’s ‘10 Steps to Cyber Security’ guide is the Information Risk Management Regime. This is the foundation for robust security practices and is achieved by developing and establishing a security policy.

Getting it in front of the board

For any security regime to be truly successful it must be sanctioned and driven from the executive board level to ensure it sweeps down through the organisation and is taken seriously.

It is, however, relatively rare to see a board-level executive with responsibility for security. Typically this falls to a CIO or someone who has authority rather than advisory powers, often just below board level.

The government guide quite rightly suggests that cyber risk should be addressed regularly at board level. This would be a significant step and one that shows cyber security is being taken seriously.

Consequences of failure

Time and again we see instances where cyber security isn’t taken seriously, and the consequences for the companies involved can be huge. In the US, Target, a national retailer, suffered a serious breach in which 40 million credit and debit card details and 70 million customer records were stolen.

The breach had a devastating effect on reputation and revenues plunged by a staggering 46 percent in a quarter-on-quarter comparison.

In the UK, TalkTalk CEO Dido Harding was also under pressure following a breach of a customer database. The company had clearly learned lessons from other major breaches such as Target and Sony, and didn’t attempt to confuse the issue. It quickly came clean about the breach.

When interviewed on national TV, Harding put on a brave face and accepted responsibility; however, it was quite clear that she was out of her depth in talking about the breach and whether data was encrypted or not.

Taking it seriously

The one way to get the interest of board members is to speak to them in a language they understand such as potential reputational damage, the impact on revenues, loss of customers and other strategic issues.

With the Information Commissioner handing out fines of up to £500,000 for leaking customer data, it is not a subject to take lightly. These points may seem dramatic; however, they reflect the seriousness of cyber-breaches.

Identifying vulnerabilities that can lead to a breach is achieved by carrying out a risk assessment. In fact, this is the first essential step in developing and implementing a security policy. A risk assessment requires a thorough analysis of a company, its assets and their value. Typically these are intellectual property and customer details.

Asking the right questions

It’s important to ask questions when dealing with cyber security. Where is data stored? Is the database secure? Is the website secure? Where does data travel in and out of the network? What is the BYOD policy? Are software updates carried out regularly? Who has responsibility for network security?

Once you have the answers to the above questions, a security policy can be developed along with an Information Risk Management policy. This will outline any areas of responsibility, compliance requirements, incident management, monitoring and reviews and so on.

A lifecycle approach is also essential to risk management, where policies undergo regular review to take account of new developments. For instance, if the organisation is beginning to incorporate Internet of Things technology into operations this needs to be taken into account, with vulnerabilities assessed and security enabled.

Thursday 5 May 2016

The government’s guide to cyber protection: 10 Steps to Cyber Security

In early January the government relaunched its ‘10 Steps to Cyber Security’ guide. Originally released in 2012 by the Communications-Electronics Security Group (CESG), the information arm of GCHQ, the guide offers practical guidance on the steps that organisations can take to improve the security of their networks and data.

In 2014 the government ran a survey, the 2014 Cyber Governance Health Check of FTSE 350 companies, which revealed that 58 percent of those surveyed had used the guide to assess their security. This clearly reveals that the need for robust IT security is getting through to board level directors up and down the country.

On the back of this relaunch GCHQ said it continues to see real threats to the UK on a daily basis, and the scale and rate of these attacks shows little sign of abating. Cyber-attacks have become so common that for many companies it’s not a question of ‘if’ but ‘when’.

Only recently FACC, an aerospace manufacturer that supplies parts to Boeing and Airbus, had its accounts department hacked. The cyber thieves extracted an estimated $55 million (£39 million) and the theft barely raised an eyebrow. The muted reaction arguably reveals just how familiar cyber-attacks have become and how there is almost a level of acceptance that these types of attacks will happen.

Interestingly, FACC didn’t dwell on the financial loss; it was more concerned to get the message out that intellectual property had not been stolen and operations had not been affected.

When a company is faced with a serious hack, while the losses must be dealt with, the fear is that reputational damage will be so serious and undermining that the company could sink. The government guidelines offer practical insight into key areas of information security ranging from implementing an information risk management regime to home and mobile working.

In a series of blogs we’ll be looking at each area, spelling out exactly what it means, demystifying any jargon and explaining how you can successfully address the issues.

Wednesday 4 May 2016

Cyber security basics: How to protect your business from common cyber attacks [Link - CBR]

My comments used by Computer Business Review (CBR) around cyber security basics: http://www.cbronline.com/news/cybersecurity/business/cyber-security-basics-how-to-protect-your-business-from-common-cyber-attacks-4883431 

=============================

However, as Andrew Tang, Service Director, Security at MTI Technology, says it also means malware protection at the entry and exit points of a network, such as perimeter firewalls, email gateways and web gateways.

"If there is a web presence, ensure the web application is secure," he says.

He recommends adopting the OWASP Top Ten, a series of guidelines for securing web applications.

Businesses should also ensure a robust patching plan is in place, so that vulnerabilities in software cannot be exploited.