Tag Archives: ISO27001

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015

Advertisements

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM Staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how  the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net

Vlado at FreeDigitalPhotos.net

 

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsular coupled with additional attacks from the orient- this will bring a chill to the spines of organisations.  These attacks are likely to be followed by sweeping phishing scams from the African continent.  There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation that the threat from insiders is on the rise. In summary it’s going to be a mixed bag of events for a number of wide ranging organisations. However on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same.  Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people.  I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees.  I also predict a significant challenge for many organisation which hold personal data.  The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens.  With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioners Office (ICO).  Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited.  This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media, and Marcomms Manager – I predict the growth of ransomware  in business.  Ransomware, is mainly (though not exclusively) spread by phishing and given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites and so businesses that do not have, or enforce a policy or exercise restrictions in this area, will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

 

 

Mike Gillespie_headshot

 

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breach in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

Trident vulnerable to hacking?

By Julia McCarron with contribution from Chris Cope.

There have been a number of press stories in the last few days that could have us searching for our 3 pronged spears to protect these shores because, if the news is to be believed, the missile version of Trident could be rendered useless or obsolete from a cyber-hack.

I don’t know about you but I viewed these articles with some skepticism as I can’t believe that the MOD and Government haven’t thought to test the technical vulnerabilities of such a critical system before now, especially one with such far reaching consequences if it were breached?

As I understand it from those who have knowledge of MOD workings, all military systems, including Trident and its associated communications networks, are assured via the Defence Information Assurance Services (DIAS) Accreditors.  This assurance process takes into account the likely threats and resulting risks that apply to those systems, including hacking and other forms of cyber-attack.  There is a stringent policy of assessment and review for all major systems, and Trident will be one of the most assured systems due to its importance.  Clearly, though details of this assurance are highly unlikely to ever be released into the public domain; information on risks and counter measures taken against them will be very closely guarded. And I would hope so too!

The MOD will employ a number of safeguards to protect its most important systems.  Many of these will be familiar to the wider information security field and it’s no surprise that ISO27001 features heavily.  The greater the risks to the system, and the more critical it is, the more stringent the controls in place. Many high level MOD systems are effectively air-gapped and have no connection to the internet, even via a controlled gateway. That means they are effectively isolated from other communications networks, even the authorised users are heavily constrained in what they can and cannot do; use of mobile media for example is highly regulated.  Given Trident’s role as a potential counter-strike weapon, the communications to the deployed vessels receive very careful attention.  Not only will there be good level of assurance against the normal range of attacks, but there will be significant redundancy in place, just in case one fails.  Trident is carried by the Vanguard class submarine, which is designed to operate virtually undetected.  Commanders of these vessels have clear direction from the Prime Minister on what to do if there is evidence of a nuclear attack and all communication from the political leadership in the UK fails.

The comments made by a former Defence Secretary about potential vulnerabilities around the Trident system make interesting reading in light of recent concerns over cyber-attack, but the timing of these comments is telling. The House of Commons is due to vote on the future of the UK’s nuclear deterrent … there I go being skeptical again but as my hero Leroy Jethro Gibbs often says, Rule 39# There’s no such thing as a coincidence…

EU Data Protection Changes – What You Need To Know

Thank you to Dale Penn, one of the talented Advent IM Security Consultants for this informative guest post.

Folder

GDPR (General Data Protection Regulation)

Introduction

This January the European Commission revealed a draft of its GDPR. The European Commission is hoping to introduce the GDPR by this end of 2015 to replace the outdated EU Data Protection Directive 95/46/EC as this current standard is not really inadequate to deal with issues such as globalization, Social networks, Cloud Computing etc etc.

 The GDPR is a Regulation and not a directive and so this means it will have immediate effect on all 28 EU member states after a 2 year transition period.

The GDPR includes a strict data protection compliance regime with severe penalties of up to 100M euros or up to five percent of worldwide turnover for organisations in breach of its rules.

What should it achieve?

The GDPR should provide a single set of regulations for data protection across the EU which deal with the current global environment and the advances made in communication technology and foster a baseline standard of data protection across the EU.

Key Changes

  1. Non EU Businesses may still have to comply with the Regulation.

Non EU controllers (and possibly non-EU processors) that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Although regulation beyond EU borders will be a challenge given the huge proposed fines, those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

  1. The definition of personal data will become broader, bringing more data into the regulated perimeter.

The Regulation proposes that data privacy should encompass other factors that could be used to identify an individual, such as the genetic, mental, economic, cultural or social identity of an individual. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

  1. Rules for obtaining valid consent will change.

The consent document should be laid out in simple terms, and there is a proposal that the consent have an ‘expiry date’. Silence or inactivity should not constitute consent.

  1. The appointment of a data protection officer (DPO).

At the moment, there is still no agreement on the thresholds for appointing a DPO. There have been proposals to appoint a DPO for each company over 250 employees, and, in other instances, where companies process more than 5,000 data subjects a year.

  1. The introduction of mandatory privacy risk impact assessments.

A number of proposals have suggested conditions under which a privacy risk impact assessment will be required. What seems to be clear is that a risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers are likely to have to conduct privacy impact assessments to analyse and minimise the risks to their data subjects.

  1. The Introduction of data breaches notification

The Data Protection Officer (DPO) will be under a legal obligation to notify the Supervisory Authority without undue delay and this is still subject to negotiations at present. The reporting of a data breach is not subject to any minimum standard and it is likely that the GDPR will provide that such breaches must be reported to the Supervisory Authority as soon as they become aware of the data breach. Individuals have to be notified if adverse impact is determined.

  1. The right to erasure.

The right to be forgotten has been replaced by a more limited right to erasure. A data subject has the right to request erasure of personal data related to him on any one of a number of grounds.

  1. Data Portability

A user shall be able to request a copy of personal data being processed in a format usable by this person and be able to transmit it electronically to another processing system.

ISO27001:2013 Transition Training now available!

**PRESS RELEASE**                                                                 Media Contact: Ellie Hurst

 +44 (0) 121 559 6699,

bestpractice@advent-im.co.uk

Date :05 Nov 2014

ISO27001 Transition Training now available

Information Security experts, Advent IM, today announced the launch of ISO27001:2013 transition training course.

Last year, the de facto Information Security standard ISO/IEC27001 underwent changes and some important alterations have been made to various controls and clauses. This means that organisations who are already certified or compliant to ISO27001:2005 are now having to think about transitioning their Information Security Management System to the 2013 version. Because of this, organisations have increasingly been seeking support in successfully completing this transition. Advent IM, stepped up to the mark after the initial release of the new version, with a tool to help businesses already certified to map the controls and clauses against the 2005 version. But the growth in requests for further support has been marked and the team of specialists at Advent IM were asked to provide a tailored made course for those currently certified or compliant to ISO27001:2005 to transition to 2013.

Advent IM today announced the availability of this bespoke course which will work alongside the mapping tool to support Information Security Managers who are navigating their way through the changes. Advent IM’s track record in both successful certifications and in Information Security training, make it perfectly placed to offer this training.  Operations Director, Julia McCarron said, “We were very pleased to be asked to supply this support. It’s great to know organisations continue to take their commitment to quality Information Security Management Systems seriously. ISO27001 has proven to be an enormously helpful framework; its comprehensive nature makes it a solid choice for a holistic approach to securing information assets. The transition to ISO27001:2013 need not be onerous; we are highly experienced with this standard and our vision is to help organisations have as smooth and successful a transition as possible.”

Details on how to secure a place can be found on the website at

www.Advent-IM.co.uk/opencourses.aspx

Issued: 051114                  Ends                                     Ref: ISO27001:2013/ Advent – 1

 

 

NOTES TO EDITORS

 

About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats.

 
From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project management methodology widely used within the public sector, CISSP qualified and Home Office trained physical security assessors.

 

October 1st – Government Suppliers will be required to have Cyber Essentials

From 1 October 2014, Government will require all suppliers bidding for certain contracts which are assessed as higher risk to be Cyber Essentials certified. The suppliers and contracts affected are likely to be from the following sectors: IT managed or outsourced services, commercial services, financial services, legal services, HR services and business services. This will not be mandatory for suppliers through G-Cloud or the Digital Services Framework. Further guidance for suppliers will be issued later this year. (GOV.UK)

Cyber Essentials Badge Small (72dpi)      Regular readers of this blog will know that not only have we recently gained Cyber Essentials certification, we have also been mentoring clients through the process to enable a painless and swift certification. Whilst we don’t normally ‘sell’ via the blog, given the tight deadline and the apparent confusion around this Government requirement, we thought it would be a good idea to provide a link to our Cyber Essentials consulting in case readers need it. You may require a little you may require a lot or you may want to do most of it yourself and just want some reassurance from a consultant that your submission is right. If you have ISO27001 you will be well prepared, if you haven’t then you may well already have a lot of what you need but don’t yet realise it.

iStock_000016426779SmallDon’t worry, just ask. http://www.advent-im.co.uk/cyber_essentials.aspx

Public Sector SIRO training places for October 8th

There are a couple of spaces left on October’s Public Sector Senior Information Risk Owner (SIRO) training course.

In summary:

Having successfully developed and delivered SIRO Training for the UK’s Police Forces since 2012, we have redesigned our popular and well respected SIRO training course for the broader public sector.

 Our training course will give you a greater understanding of your role and responsibilities as SIRO for your organisation. It will also cover both the principles of information risk management and information assurance using several scenario based exercises to test and improve your understanding of the crisis management issues in this area. At the end of the training, you will have the confidence to deal with information risk and incidents should they occur within your organisation.

As usual it will be allocated on first come first served unless there are cancellations. 

If you are from the Public Sector and either want to find out more about this training and why it is so vital to your organisation or you want to book your SIRO onto this course, please visit the website.  http://www.advent-im.co.uk/siro.aspx or email us at bestpractice@advent-im.co.uk with PS SIRO in the subject.

October 8th at Advent IM training suite in Birmingham (just off the M5)

Senior Information Risk Owner  Training from Advent IM

Senior Information Risk Owner Training from Advent IM