Data Protection Day 2016!

As it is Data Protection Day, we thought we would take a look at the current state of play when it comes to the business impact of data breaches, and it's not pretty reading…

With increasing volumes of data being collected every year, now more than ever we need to ensure very high quality processes and practice in our businesses. It is certainly not something to be taken lightly: the changes to EU data protection regulations, which could result in penalties of 5% of global turnover for serious data breaches, could mean that some of the worst offenders face a very uncertain future.

If you are unsure or need some support with Data Protection, don’t leave it to chance; get some proper guidance. Data Protection done well can be a business-enhancing function, raising everyone’s game and awareness of security. It can also prompt closer examination of whether a business needs to keep all of the data it currently stores in order to comply with the Data Protection Act.

Here are some of the latest findings on the cost to the UK of data breaches.



Cyber (Information) security challenges that face Solicitors (and any other type of law firm)

Security for UK legal professionals

With thanks to one of our highly experienced Senior Security Consultants, Mark Jones…

Traditionally, in our experience, law firms such as solicitors have relied on compliance with Lexcel regulations and the Data Protection Act to provide adequate security measures to combat threats (typically from malicious insiders or burglars) to their attractive data and information databases. In these days of cyber-based threats, these traditional defences are clearly inadequate to deal with the far more complex and persistent threats posed by external individuals and groups (such as Serious and Organised Crime) that have far more capability and motivation than ever before out on the Internet. Perhaps this is due to the increased (or in many cases new) connectivity of law firm systems, online 24/7 to the outside world, the additional threats that this poses, and typically no single individual within the business having responsibility for information security? It is certainly…


Affinity Gaming and Trustwave legal action

A post from Chris Cope CISM, CISSP, MInstISP, CESG Certified Professional, PCBCM, ISO27001 Lead Auditor and Advent IM Security Consultant

It had to happen at some point: a cyber security company is being sued by a customer for not delivering the goods. Las Vegas-based Affinity Gaming has initiated legal proceedings against Chicago firm Trustwave for making representations that were untrue and for carrying out work which was ‘woefully inadequate’. The point of contention was a hack on the casino’s payment card system in 2013. Affinity alleges that Trustwave concluded that the intrusion had been contained and dealt with, but the casino operators later suspected this was not the case and engaged another security consultant, Mandiant, to confirm. The breach had not, allegedly, been contained, and now Affinity is looking to obtain damages from Trustwave.

This is not the place to suggest what did or didn’t happen; that will be discussed, at considerable length I suspect, in the American courts. Rather, a better topic for discussion is that of contractor liability. This lawsuit is something of a first for the cyber security industry, although the concept of suing contractors for damages is by no means new: countless companies and individuals have been sued for breach of contract or for damages in tort. I suspect it was only a matter of time before our industry saw similar action. But this should be taken as a wake-up call.

In English law, a consultancy firm is seen as providing a service to the customer. Section 13 of the Supply of Goods and Services Act 1982 states that ‘In a contract for the supply of a service where the supplier is acting in the course of a business, there is an implied term that the supplier will carry out the service with reasonable care and skill’. The key term here is reasonable: what would a reasonable person judge to be a service carried out in a competent fashion? Note that the law does not require a contractor to provide a perfect service; there is a recognition that contractors are human and that to expect perfection is unreasonable.

So how then can a cyber security contractor ‘prove’ its competence and ability to deliver a reasonable service? Whilst the burden remains on the accuser to prove incompetence, it doesn’t hurt to ensure that a good, pro-active defence is in place. First of all, the competence of employees must be evaluated and baselined. There is a plethora of cyber security qualifications available, and drawing comparisons between qualifications awarded by different bodies can be difficult, but it remains perfectly possible to ensure that consultants are qualified for the tasks they are expected to perform and, perhaps most importantly of all, that they maintain those qualifications. Secondly, cyber security is a very broad field and being an expert in every area is almost impossible, so assigning consultants to tasks which suit their skill sets is hugely important. The supervision of less well qualified personnel must also be taken into account: junior staff members must be able to develop their skills, but for the customer’s sake they must be supervised properly in the process. It’s worth companies remembering that, through vicarious liability, they are responsible for the actions of their employees whilst delivering a contract; their mistakes will come back to haunt the employer unless sufficient care is taken. We must also ensure that we appropriately manage the expectations of our customers. No venture is ever risk free and there is no single piece of technology which will solve every problem; our goal should be clearly stated as reducing the risk to an acceptable level, not eradicating it completely. If we promise too much then it’s no surprise that customers expect too much. Finally, whilst the above is correct for English law, other jurisdictions have different rules; companies that work globally would be wise to ensure they understand the local environment properly before signing a contract.

The cyber security profession is evolving and it is only to be expected that practitioners will face greater scrutiny.  Rather than adopt the position that companies like Affinity are looking for a scapegoat for their own failures, we must ensure that we are able to consistently deliver a good enough service.  This may be the first such action, but I doubt it will be the last.

Cyber Everything & PCI DSS – The Forgotten Standard?

Senior Security Consultant for Advent IM and PCI-DSS expert, Mark Jones gives us his thoughts on the current awareness of this important payment industry standard.

In the current information security climate where everything has ‘cyber’ prefixing the topic e.g. cybersecurity, cyber risk, cyber threats and the list goes on, is it possible organisations have forgotten about existing and very important ‘cyber-related’ standards such as the Payment Card Industry’s Data Security Standard (PCI DSS)?


As more and more business is done online in our ‘new’ cyber world – 2015 Online Retail Sales £52 Billion, up 16.7% from £45 Billion in 2014 – payment cardholder (CHD) account data security is more important than ever. This includes the need for assured authentication, confidentiality and integrity of payment cardholder information, as traditionally provided over the past 20 years by the Secure Sockets Layer (SSL) protocol in HTTPS ‘padlocked’ browser sessions. In 2014, the US National Institute of Standards and Technology (NIST) determined that SSL, and indeed early versions of SSL’s successor, the Transport Layer Security protocol (TLS v1.0, also commonly referred to as SSL), had serious vulnerabilities; the recent high-profile POODLE, Heartbleed and FREAK vulnerabilities stem from weaknesses found within these protocols.

So, if you are an entity that stores, transmits or processes Cardholder Data (CHD), specifically the 16 (can be up to 19) digit Primary Account Number (PAN), then you should seek to comply with the latest version, v3.1, of the PCI DSS. This version, released in April 2015 by the PCI Security Standards Council (SSC), removed SSL as an example of strong cryptography, so that it can no longer be used as a security control after 30 June 2016. However, the migration from SSL and early TLS to TLS v1.1 and 1.2 has caused issues for some organisations, hence the SSC update in December 2015[1] that the deadline had been extended by two years, with a new end date of 30 June 2018 for existing compliant merchants. The SSC is at pains to emphasise, however, that this delay is not a reason to hold off migrating to a more secure encryption protocol (as defined by NIST); entities that can update should do so as soon as possible.

If the entity is an Acquirer (typically the merchant’s bank), Payment Processor, Gateway or Service Provider, then it MUST provide TLS v1.1 or greater as a service offering by June 2016. Additionally, if it is a new PCI DSS implementation (i.e. where there is no existing dependency on the use of vulnerable protocols), then it must be enabled with TLS v1.1 or greater; TLS v1.2 is recommended.

As you can see, PCI DSS can play a significant part in any cyber security programme, provided the entity in question is compliant with the latest version 3.1. If you have yet to start, or are part way through, a PCI DSS implementation project, what can and should you do NOW? We recommend the following 3 actions:

  • Migrate to a minimum of TLS v1.1, preferably v1.2;
  • Patch TLS software against implementation vulnerabilities; and
  • Configure TLS securely.
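As an added worked example (not from the original post, the PCI SSC or Advent IM), the following Python audits the `ssl_protocols` directive of an nginx server block and the `SSLProtocol` directive of Apache mod_ssl against the three actions above, placing a constructed weak configuration beside its corrected form. The sample configurations, the function names and the expansion assumed for Apache's `all` keyword are mine, not the standard's.

```python
"""Audit web-server TLS protocol settings against the PCI DSS v3.1 migration
guidance: SSL and early TLS (TLS 1.0) are out, TLS 1.1 is the minimum and
TLS 1.2 is recommended.  Added example, not PCI SSC or Advent IM code."""
import re

# Protocol tokens as written in nginx/Apache configs, in version order.
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1"}        # "SSL and early TLS" in SSC wording
ACCEPTABLE = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}


def nginx_protocols(config: str) -> set:
    """Protocols enabled by the last `ssl_protocols` directive (nginx keeps
    the last one in scope; an empty set means the directive is absent)."""
    found = re.findall(r"^\s*ssl_protocols\s+([^;]+);", config, re.MULTILINE)
    return set(found[-1].split()) if found else set()


def apache_protocols(config: str) -> set:
    """Protocols enabled by the last `SSLProtocol` directive of mod_ssl.
    Tokens are applied left to right, with +/- meaning add/remove.
    Assumption: `all` expands to SSLv3 and TLS 1.0-1.2, as in a 2.4-series
    build without TLS 1.3 (SSLv2 support was removed in 2.4)."""
    found = re.findall(r"^\s*SSLProtocol\s+(.+)$", config, re.MULTILINE)
    enabled = set()
    for token in (found[-1].split() if found else []):
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
                 if name.lower() == "all" else {name})
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled


def assess(enabled: set, new_implementation: bool = False) -> list:
    """Return findings against the PCI DSS v3.1 guidance; [] means no issue.
    Existing merchants had until 30 June 2018 to drop SSL/early TLS; new
    implementations and service providers must not offer them at all."""
    findings = []
    early = sorted(enabled & EARLY_TLS, key=VERSION_ORDER.index)
    if early:
        when = ("not permitted in a new implementation" if new_implementation
                else "must be migrated away from by 30 June 2018")
        findings.append(f"SSL/early TLS enabled ({', '.join(early)}): {when}")
    if not (enabled & ACCEPTABLE):
        findings.append("no TLS v1.1 or greater offered")
    elif (enabled & ACCEPTABLE) == {"TLSv1.1"}:
        findings.append("TLS v1.1 only: meets the minimum, but TLS v1.2 is recommended")
    unknown = enabled - set(VERSION_ORDER)
    if unknown:
        findings.append("unrecognised protocol token(s): " + ", ".join(sorted(unknown)))
    return findings


def audit(label: str, enabled: set, new_implementation: bool = False) -> str:
    """One-line report for a parsed configuration."""
    findings = assess(enabled, new_implementation)
    return f"{label}: " + ("; ".join(findings) if findings else "OK")


# Constructed samples: a legacy vhost beside its corrected form.
WEAK_NGINX = """server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 and TLS 1.0 still on
}"""
FIXED_NGINX = """server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;               # TLS 1.1 minimum, 1.2 offered
}"""
WEAK_APACHE = "SSLProtocol all -SSLv2\n"           # leaves SSLv3 and TLS 1.0 on
FIXED_APACHE = "SSLProtocol -all +TLSv1.1 +TLSv1.2\n"

if __name__ == "__main__":
    print(audit("weak nginx", nginx_protocols(WEAK_NGINX)))
    print(audit("fixed nginx", nginx_protocols(FIXED_NGINX)))
    print(audit("weak Apache (new implementation)", apache_protocols(WEAK_APACHE), True))
    print(audit("fixed Apache", apache_protocols(FIXED_APACHE)))
```

The check covers only protocol versions; the second and third actions (patching the TLS library and choosing cipher suites) still need a separate review.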

If you need any further help and guidance with PCI DSS, please contact Advent IM…

[1] http://blog.pcisecuritystandards.org/pci-changes-date-for-migrating-from-ssl-and-early-tls

Incident Management – an explanation and example

Advent IM Security Consultant, Del Brazil, offers some guidance on best practice in Incident Management.

Incident Management is defined by the Information Technology Infrastructure Library (ITIL) as ‘To restore normal service operation as quickly as possible and minimise the impact on business operations, thus ensuring that agreed levels of service are maintained.’ Although this definition is very much aligned to the service delivery element of IT, organisations should translate it to all areas of the organisation to form the basis of any incident management strategy.

Any Incident Management process should include:

Incident detection and recording – Ensuring that sufficient and appropriate means of both detecting and reporting incidents are in place is critical, as failure to report incidents can have a serious impact upon an organisation. There may be a legal requirement for incidents to be reported, such as incidents associated with the loss of personal data or security breaches related to protectively marked information, although this is not applicable to every organisation. Ensuring that an incident is correctly reported will ensure that the correct actions are taken in line with the incident management plan, and thus the correct allocation of resources.

An example may be that an individual receives an email from an untrusted source and, without realising the inherent risk, opens an attachment, which in turn causes their terminal to become unresponsive. The individual contacts the IT department in the first instance in order to initiate some form of containment measures, whilst also documenting how the incident occurred.

Classification and initial support – There are various levels of severity associated with different types of incident, and ensuring that they are correctly classified will mean that the appropriate resources or emergency services are tasked accordingly. These levels of severity range from a low impact/minor incident requiring a limited number and type of resources, through to a major incident which has the potential to impact the whole organisation and requires a substantial amount of resources to manage or recover from. In the early stages of any incident the support provided by a designated incident response team is vital, as their initial actions can have potentially massive implications for the organisation’s ability to resume normal operations.

Following on from the previous example, the incident may be classified as a low priority at this stage, as only one terminal/user has been affected. The IT department may have tasked a limited number of resources with tracking down the suspicious email on the mail server and then followed the appropriate quarantine and/or deletion procedures.

Investigation and diagnosis – Further and ongoing investigations into the incident may identify trends or patterns that could further impact on the organisation, once normal operations have been resumed.

Keeping in mind the example previously discussed, should the initial findings of the IT department reveal that the email has been received by a large number of users, then further impact analysis should be undertaken to establish the impact or effect on services before any additional resources are dedicated to resolving the issue.  This further investigation requires an organisation-wide broadcast, highlighting the incident and what actions should be taken in the event that users received suspicious emails or attachments.

Resolution and recovery – Ensuring that the correct rectification method is deployed is paramount, as no two incidents are the same and as such any incident management plan should have a degree of flexibility to accommodate potential variations.

Using our example scenario, the correct rectification solution in this instance would be to purge the mail server of any copies of the suspicious email and then to scan the mail server with an anti-virus and/or anti-spam product. Consideration should be given as to whether to take the mail server offline to perform the relevant scans; however, any potential downtime may impact on the output of the organisation. In the event that the mail server is taken offline, it is imperative that communication is maintained with all staff, contractors, customers, third party suppliers etc.

Incident closure – The closure of an incident should be clearly communicated to all parties involved in managing or effecting rectification processes, as should a statement that ‘Business has resumed to normal’, to clearly indicate to all concerned that normal operations can continue.

In our example, it’s essential that all persons involved in or impacted by the incident are informed accordingly, which formally closes the incident. This also reassures any interested parties that normal service has been resumed, thus preventing any additional business continuity plan being invoked.

Incident ownership, monitoring, tracking and communication – An Incident Manager/Controller should take clear ownership of any incident so that all relevant information is communicated effectively, enabling informed decisions to be made along with the correct allocation of resources.

As always, good communication is vital not only with staff, emergency services and the press but also with key suppliers and customers, as these may have to invoke their own business continuity plans as a result of the incident. Business continuity plans ensure critical outputs are maintained, but invoking a plan comes at a cost, whether financial or an impact to operational outputs. It is therefore imperative that once an incident has been formally closed, key suppliers and customers are informed accordingly; this will enable them to also return to normal operations. Post-incident analysis or ‘lessons learnt’ meetings should be held after any incident to highlight any weaknesses or failings so that rectification measures can be introduced accordingly. Likewise, should any good practices or solutions be highlighted during the incident, these should also be captured, as they may be used in other areas of the organisation.

Now that the incident in our example has been correctly identified and treated, and business has returned to normal, it is imperative that an incident ‘wash up’ meeting takes place to clearly identify those areas for improvement and those that performed well. The correct allocation of resources during the initial stages of the incident, to address what was initially deemed a minor incident, resulted in minimal impact not only to business outputs but also to customers and third party suppliers. The findings of the ‘wash up’ meeting should be correctly recorded and analysed for any trends or patterns that may indicate a weakness in security. In this instance the mail server’s spam filters may have been incorrectly configured or not updated, resulting in a vulnerability being exploited.

Any incident management plan should be suitably tested and its effectiveness evaluated, with any updates/amendments implemented accordingly. It would be prudent to exercise any incident management plan annually or when there is a change in the key functions of the organisation. It is also recommended that all users are reminded of how to report incidents during any annual security awareness education or training.

As organisations become ever increasingly reliant on internet and IT services, it is imperative that an effective, appropriate and fully tested, Incident Management Procedure is embedded within the organisation.  Failure to ensure this may result in an organisation struggling to deal with or recover from any kind of security incident.

Internet Explorer: Jan 12th will bring some changes…

A post from Advent IM Security Consultant, Chris Cope. 

Do you use Microsoft Internet Explorer? Are you using a version of Windows older than 8.1? If the answer to these questions is yes, or even don’t know, then you need to keep on reading.

On 12 January 2016, Microsoft will only provide security updates to Internet Explorer 11; previous versions will no longer be supported. Version 11 is the last release of Microsoft’s long-running Internet Explorer browser, with Microsoft Edge now supplied by default on newer versions of Windows, version 10 onwards. Internet Explorer 11 was made available for Windows 8.1 on 17 October 2013 and on 7 November 2013 for Windows 7, but for users who have been running Windows 7 for some time, an older version of Internet Explorer may be installed, which could include versions 8, 9 and 10. If you are using Windows Vista, or earlier, then you will definitely have a version of Internet Explorer which will no longer be supported.

What does this mean for home users and organisations?  Security updates from vendors such as Microsoft aim to deal with software vulnerabilities that are present in a wide range of applications.  Many applications are released with vulnerabilities which aren’t identified until after their official release, or become apparent following other in-service updates.  The vulnerabilities are identified by either the vendor company, or a third party, and the race is then on to ensure that the vulnerability can be patched before it is exploited by an attacker. These vulnerabilities can lead to a number of attacks, including buffer overflows, remote code execution and privilege escalation.  All of these attacks should be avoided by anyone who is serious about keeping their company, or personal, IT systems secure.

Without ongoing support from Microsoft, any future vulnerabilities in Internet Explorer versions 8, 9 and 10 will not be addressed. It would be wrong to assume that, just because Internet Explorer has been in service for a significant amount of time, all its vulnerabilities have been identified and patched by now. Vulnerabilities are routinely discovered in older, as well as newer, software.

So what do you need to do about this? Organisations should confirm that, if Internet Explorer is installed, it has been updated to version 11. Home users should do the same. If you are using a Windows operating system older than 8.1, then it is highly likely that you are using an older version of Internet Explorer. Visiting the Microsoft website will enable you to confirm the Internet Explorer version and upgrade; you can also check yourself by opening the browser, finding settings and clicking on ‘About Internet Explorer’. If you have an older version, then upgrades are available from the Microsoft website. Even if you don’t use Internet Explorer, if you have a Windows-based computer it is highly likely that Internet Explorer has been installed, even if another browser has been installed afterwards and is now used by default. Even software which isn’t used can be a vulnerability which an attacker can exploit. Some organisations may find it difficult to update a particular piece of software across a network in a short time frame. If Internet Explorer cannot be upgraded to version 11 by the 12th, then the potential risks that the organisation now faces should be properly assessed, with mitigating actions put in place.

Got a Drone for Christmas? Don’t forget Registration and Regulation

Whilst trying to contain my disappointment at not getting a Millennium Falcon drone in my stocking, I asked Advent IM Security Consultant, Del Brazil, what the implications are for those of us who do have drones, Star Wars based or not…

Civil Aviation Authority (CAA)

Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net


As Christmas has been and gone, many of us will now be the proud owner of a drone in some form or another. The excitement and thrill of being in control of your own flying machine, coupled with maybe a camera of some description, is only matched by the recent hype around the new Star Wars movie. Some people, including the author, may disagree; however, others may view the freedom of flying a drone as quite a fun hobby, but we all have our own vices.

The CAA defines a drone as an unmanned aircraft which, unlike the traditional remote controlled model aircraft that have been used by enthusiasts for many years, has the potential to pose a greater risk to the general public and other aircraft. Unlike manned or model aircraft there are currently no established operating guidelines, so operators may not be aware of the potential dangers or indeed the responsibility they have towards avoiding collisions. Anyone flying a drone either recreationally or commercially has to take responsibility for doing so safely.

The CAA’s focus is purely safety. The criminal use of drones, including harassment, anti-social behaviour or damage to property, is a police matter. If people have concerns about a drone being flown in public they should call the police, a CAA spokesman says: “Local police can assess the situation in real time and, if there is any evidence of breaching the air navigation order, they will pass on any information on to us.”

It has been reported that the CAA has prosecuted two Unmanned Aerial Vehicle (UAV) operators relating to safety breaches with another four investigations pending. The Association of Chief Police Officers was unable to say how many prosecutions the police have made over drones but there have been a few; although during the ongoing House of Lords select committee inquiry on remotely piloted aircraft systems, Chief Inspector Nick Aldworth of the Metropolitan Police said: “We do not have a criminal privacy law in this country, so it is not the concern of the police to try to develop or enforce it.”

Is there any other legislation that drone operators may fall foul of?  Well according to Chief Inspector Aldworth “The most obvious example to date is the Sexual Offences Act 2003 and the specific offence of voyeurism.”

The number and frequency of incidents being reported around the world is on the increase; these include a Euro 2016 qualifier in Belgrade being stopped after a drone trailing an Albanian flag was flown over the stadium, whilst in France a number of nuclear power stations were buzzed by drones in a series of mysterious incidents.

Among the associations affiliated with flying and/or airspace, the British Airline Pilots Association (BALPA) is campaigning for drones to be programmed not to enter certain airspace, known as geo-fencing. The Phantom series of drones, sold by manufacturer DJI, already includes geo-fencing. The GPS of the drone is programmed with the co-ordinates of thousands of airports around the world, and it cannot enter these areas; if it tries to, it will be forced to land. Within a 2km radius of a major airport its height will be capped at just 10m.

Another step that BALPA is calling for is that, just like with a car or television, people purchasing a drone would have to give their personal information to the retailer and that this information should be logged or that there is a requirement for users to register their drones with the relevant authority.  This has a twofold effect in that if a drone is apprehended the owner can be traced to ensure that it is returned to its rightful owner and that it may also assist in any investigation relating to illegal activity that may have been undertaken by the operator.

Another possible solution would be to build in strict height limitations just like the Phantom 2 which is limited to a height of 400 feet; although this is likely to be easily circumvented with software.

Regulations have just come into force in the United States which require hobbyists to register drones as small unmanned aircraft systems on the Federal Aviation Administration website. The online registration service is active, but it is unclear what the scale of uptake and number of registrations has actually been thus far.

In Ireland, as of 21st December 2015, it is now mandatory for all drone operators to register any drone that weighs more than 1kg, in accordance with the Small Unmanned Aircraft (Drones) and Rockets Order S.I. 563 of 2015. There is a clear ‘do’s and don’ts’ guide available on the Irish Aviation Authority (IAA) website.

At present there is no actual regulation in place within the UK that requires operators to register their drones; however that is likely to change as more incidents occur that not only threaten life but also privacy.  There are plans afoot within the House of Lords EU Committee for a drone register to be created which initially would capture business and professional operators and eventually normal consumers too.  There is an Official UK Drone Register but this is specifically for drone operators/owners who voluntarily add their details to a public register to aid in returning drones if they go astray.