<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8603369206500400146</id><updated>2011-09-07T20:12:16.638+01:00</updated><title type='text'>Hedging your risk - www.securm.com</title><subtitle type='html'>News bites written in plain English, our blog will contain information about Hacking, Data Theft, Business Continuity and other Information Security related stuff. We will not detail any hacking techniques but we will review for the layman what’s happening out there.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>49</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-1414783289366167289</id><published>2010-12-24T09:09:00.001Z</published><updated>2010-12-24T09:09:48.227Z</updated><title type='text'>It's a Christmas Eve cracker - Xmas special day 24</title><content type='html'>&lt;p 
class="mobile-photo"&gt;&lt;a href="http://1.bp.blogspot.com/_QqJuA7XTtKA/TRRjXNIGa3I/AAAAAAAAAFA/6PuSkl8HeUI/s1600/Door%2B24-788228.jpg"&gt;&lt;img src="http://1.bp.blogspot.com/_QqJuA7XTtKA/TRRjXNIGa3I/AAAAAAAAAFA/6PuSkl8HeUI/s320/Door%2B24-788228.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5554173490766441330" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class="mobile-photo"&gt;&lt;a href="http://3.bp.blogspot.com/_QqJuA7XTtKA/TRRjXNTgMtI/AAAAAAAAAFI/9aypHrgmPWc/s1600/Christmas%2Blighta-788706.jpg"&gt;&lt;img src="http://3.bp.blogspot.com/_QqJuA7XTtKA/TRRjXNTgMtI/AAAAAAAAAFI/9aypHrgmPWc/s320/Christmas%2Blighta-788706.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5554173490814268114" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV  style="FONT-STYLE: normal; DISPLAY: inline; FONT-FAMILY: 'Calibri'; COLOR: #000000; FONT-SIZE: small; FONT-WEIGHT: normal; TEXT-DECORATION: none"&gt; &lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It's Christmas Eve, so in this blog we thought we'd  simply wish everyone a very Merry Christmas and a Happy New Year.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;If you're taking time off between Christmas and New Year  we hope you have a relaxing and enjoyable time. If you're working, we know how  you feel! Either way, just make sure your systems and data are as secure as they  can be. 
If you would like some pointers, why not take a look at yesterday's  blog, &lt;EM&gt;Your Data Security Checklist for the Festive Period.&lt;/EM&gt;&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;To finish, here are a few terrible cracker jokes to  while away some time and try out on your colleagues, family and friends. We're  betting they have probably &lt;STRIKE&gt;suffered&lt;/STRIKE&gt; heard many of them before.  We can't claim the credit for them. They all came out of the crackers at our  rather splendid Christmas bash.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Enjoy!&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=left&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-ansi-language: en"  lang=EN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Who's the bane of  Santa's life?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-ansi-language: en"  lang=EN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;BR&gt;&lt;/FONT&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The elf and safety  officer.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=left&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;How does Good King Wenceslas like his  pizzas?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal 
align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Deep and crisp and even.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;On which side do chickens have most  feathers?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The outside&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;.&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=left&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-ansi-language: en"  lang=EN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;What's the slogan for  the Eskimo lottery?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-ansi-language: en"  lang=EN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;BR&gt;&lt;/FONT&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;You've got to be Inuit to win  it!&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  
style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;What's Santa's favourite  motorbike?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;A Holly Davidson.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B&gt;&lt;SPAN&gt;&lt;FONT  color=#ff0000&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;A man goes to see his doctor and  says, "Doctor, I have a lettuce stuck in my  bottom."&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The doctor takes a look and replies, "That's just the  tip of the iceberg."&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;What do frogs wear on their  feet?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Open toad sandals.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal 
align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Why are pirates so cool?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Because they Arrrrrrr.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;What award do the best door knocker makers  receive?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The no bell  prize.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;What do you call a man under a pile of  leaves?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 
11pt"&gt;Russell.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;What do you call a woman between two  goalposts?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Annette. &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Why is it so difficult to teach dogs to  dance?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Because they have two left  feet.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Which athlete is warmest in  winter?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal 
align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;A long jumper.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;/SPAN&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#ff0000&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;What did the shy pebble  say?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT color=#00b050&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;I wish I was a little  boulder.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT  color=#00b050&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV class=Section1&gt; &lt;P style="TEXT-ALIGN: left" class=MsoNormal align=left&gt;&lt;o:p&gt;&lt;FONT  size=3&gt;&lt;/FONT&gt;&lt;/o:p&gt;&amp;nbsp;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-1414783289366167289?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/1414783289366167289/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://blog.securm.co.uk/2010/12/its-christmas-eve-cracker-xmas-special.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/1414783289366167289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/1414783289366167289'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/its-christmas-eve-cracker-xmas-special.html' title='It&apos;s a Christmas Eve cracker - Xmas special day 24'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_QqJuA7XTtKA/TRRjXNIGa3I/AAAAAAAAAFA/6PuSkl8HeUI/s72-c/Door%2B24-788228.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-6125116176359651662</id><published>2010-12-23T08:40:00.000Z</published><updated>2010-12-23T08:41:36.255Z</updated><title type='text'>Your Data Security Checklist for the Festive Period - Xmas special day 23</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://1.bp.blogspot.com/_QqJuA7XTtKA/TRMLQD8zfEI/AAAAAAAAAE4/vDrFPWlqv8E/s1600/Door%2B23-796256.jpg"&gt;&lt;img src="http://1.bp.blogspot.com/_QqJuA7XTtKA/TRMLQD8zfEI/AAAAAAAAAE4/vDrFPWlqv8E/s320/Door%2B23-796256.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5553795136044104770" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV  style="FONT-STYLE: normal; DISPLAY: inline; FONT-FAMILY: 'Calibri'; COLOR: #000000; FONT-SIZE: small; FONT-WEIGHT: normal; TEXT-DECORATION: none"&gt; &lt;DIV dir=ltr&gt; &lt;DIV 
style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV  style="FONT-STYLE: normal; DISPLAY: inline; FONT-FAMILY: 'Calibri'; COLOR: #000000; FONT-SIZE: small; FONT-WEIGHT: normal; TEXT-DECORATION: none"&gt; &lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV  style="FONT-STYLE: normal; DISPLAY: inline; FONT-FAMILY: 'Calibri'; COLOR: #000000; FONT-SIZE: small; FONT-WEIGHT: normal; TEXT-DECORATION: none"&gt; &lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;For many businesses the week between Christmas and New  Year is a welcome break, with offices closed and bosses and staff alike taking  time to recharge their batteries.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;But have they done enough to ensure data  security?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Here's a quick checklist for you to run through over the  next couple of days if your business will be operating at reduced staffing  levels or is closed over the festive period.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpFirst align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;1.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Will unused  laptops, portable devices 
and USB devices be locked securely away?&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;2.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Have all  desktop PCs, printers and any other devices that are not required been turned  off? Don't leave PCs logged in or even in locked mode.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;3.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Are all devices  that hold data at least password protected and, ideally, encrypted?&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;4.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  
&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Are desks  clear, with any sensitive documents locked away?&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;5.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Did you make  sure all shredding has been done and/or 'secure' shredding bins have been  collected? And have you checked the waste bins for any sensitive documents that  may not have been disposed of securely? Really! We're serious.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;6.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Are all your  security applications, particularly server-side, up-to-date and are they set for  automatic update?&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  
style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;7.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;If you run  on-site backups, is there enough storage space to last? Have the backups been  properly scheduled to run automatically? Is there any safeguard in place if they  fail?&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;8.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Have you set  your systems to 'notify' you of any problems? 
Or do you have someone who will be  regularly checking the 'health' of your systems?&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;9.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Do you have a  list of members of IT staff who can be 'on call' in the case of an  emergency?&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpLast align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;10.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt; &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Have you turned the lights off…?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV class=Section1&gt; &lt;P style="TEXT-ALIGN: left" class=MsoNormal align=left&gt;&lt;o:p&gt;&lt;FONT  size=3&gt;&lt;/FONT&gt;&lt;/o:p&gt;&amp;nbsp;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-6125116176359651662?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/6125116176359651662/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/your-data-security-checklist-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/6125116176359651662'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/6125116176359651662'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/your-data-security-checklist-for.html' title='Your Data Security Checklist for the Festive Period - Xmas special day 23'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_QqJuA7XTtKA/TRMLQD8zfEI/AAAAAAAAAE4/vDrFPWlqv8E/s72-c/Door%2B23-796256.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-6202618198550410255</id><published>2010-12-22T10:15:00.001Z</published><updated>2010-12-22T10:15:40.584Z</updated><title type='text'>Does increased spending on IT and data security mean better security? 
- Xmas special day 22</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://3.bp.blogspot.com/_QqJuA7XTtKA/TRHPzfOajCI/AAAAAAAAAEw/0qUwny03kT0/s1600/Door%2B22-740584.jpg"&gt;&lt;img src="http://3.bp.blogspot.com/_QqJuA7XTtKA/TRHPzfOajCI/AAAAAAAAAEw/0qUwny03kT0/s320/Door%2B22-740584.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5553448298986769442" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;As with many things in life, it's not what you've got  it's what you do with it that counts!&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;What do you  mean&lt;/FONT&gt;&lt;/B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;When it comes to IT and data security, simply throwing  money at it will NOT mean you have the best security. 
You could buy all the top  security applications available and still fall victim to hacking or another type  of data security breach.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It's all about well-thought-through implementation of  security applications, robust policies and procedures and, importantly, training  and awareness for staff.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It's also the case that the best solution for one  business will not necessarily suit another.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;You need to determine your needs, specify a budget and  'cut your cloth accordingly'.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;How do I do  that?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;By keeping things simple and making sure you adopt a  common-sense approach. Identify the minimum requirements of good IT and data  security for your business – not all will be technology-based – then build upon  them as and when you need to. 
As a start you might consider the  following:&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpFirst align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Implementation  of trusted – and compatible - anti-virus, firewall and intrusion detection  applications;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Formulation of  an IT policy document, including a strong but workable password  policy;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 
11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Encryption of  data;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;IT &amp;amp; data  security training and awareness;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Lockable  cabinets for laptops, portable devices and USB devices;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  
class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Asset/security  tagging of IT equipment;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Keeping data  off laptops, PCs, etc. 
by 'virtualising' access to data and even applications –  whether through Terminal Services, a VPN or via the Cloud;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Offsite/Cloud-based back-up and Disaster Recovery  solutions;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpLast align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Secure document  shredding and data destruction.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;That sounds  like enough. 
Is there more?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It depends upon your business, what it does and, as we  said before, the sort of budget you have.&lt;/FONT&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;If you sell products or services online and process  payment cards, for example, you need to have additional levels of security in  place to ensure you comply with the Payment Card Industry Data Security Standard  (PCI DSS).&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Similarly, if your business is regulated - let's say  you're a Hedge Fund regulated by the Financial Services Authority – you will  have a greater burden of responsibility than non-regulated  businesses.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;That's not to say non-regulated businesses should take  IT and data security any less seriously.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;So you're  saying I should get the basics right first, then reinforce if  necessary?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Exactly!&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;And always make sure that whatever you invest in is what  you really NEED.&lt;/FONT&gt;&lt;/P&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV class=Section1&gt; &lt;P style="TEXT-ALIGN: left" class=MsoNormal 
align=left&gt;&lt;o:p&gt;&lt;FONT  size=3&gt;&lt;/FONT&gt;&lt;/o:p&gt;&amp;nbsp;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-6202618198550410255?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/6202618198550410255/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/does-increased-spending-on-it-and-data.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/6202618198550410255'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/6202618198550410255'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/does-increased-spending-on-it-and-data.html' title='Does increased spending on IT and data security mean better security? 
- Xmas special day 22'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_QqJuA7XTtKA/TRHPzfOajCI/AAAAAAAAAEw/0qUwny03kT0/s72-c/Door%2B22-740584.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-146150300946568602</id><published>2010-12-21T15:42:00.001Z</published><updated>2010-12-21T15:42:08.193Z</updated><title type='text'>10 Website Security Tips - Xmas special day 21</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://2.bp.blogspot.com/_QqJuA7XTtKA/TRDK0K2DTrI/AAAAAAAAAEo/MVnYNLH-1Y4/s1600/Door%2B21-728194.jpg"&gt;&lt;img src="http://2.bp.blogspot.com/_QqJuA7XTtKA/TRDK0K2DTrI/AAAAAAAAAEo/MVnYNLH-1Y4/s320/Door%2B21-728194.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5553161338160893618" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 12pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Your website is your window to the world. By the same  token, it's the world's window to you and there are some people who are more  than happy to smash their way in. 
It can be one of the most vulnerable  'components' of your overall IT infrastructure if you don't take steps to ensure  it is secure.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 12pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Here are 10 tips for website security:&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;1.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Don't  cut corners&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It's no good to simply put up a website and leave it to  its own devices. 
You need to invest time and money in it, not just to keep it  working well and looking good, but also to ensure it is as secure as it can  possibly be.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;2.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Use  strong passwords&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We've talked a bit about passwords over the last couple  of weeks in our blogs &lt;I style="mso-bidi-font-style: normal"&gt;2&lt;SUP&gt;nd&lt;/SUP&gt;  factor, NOT X-Factor &lt;/I&gt;and &lt;/FONT&gt;&lt;I style="mso-bidi-font-style: normal"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Gawker hack. What can businesses learn?&lt;/FONT&gt;&lt;/I&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The more complex passwords are, the more secure they will  usually be. And you really should use different passwords for each element of  your website operation, e.g. 
the Control Panel, any payment processing platform  and your FTP accounts.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;3.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Stay  up-to-date&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;If you ensure you are running the latest versions of  your website software, Operating System and IT security applications your  website will be far less vulnerable to attack.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;4.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Check  your host&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Spend time comparing the services of different hosts.  Some offer far more secure hosting than others, with 24/7 active server  monitoring. 
It's also worth checking if they support suPHP (see  below).&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;5.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Check  your script&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Hypertext Pre-processor (PHP) is a scripting language  that enables dynamic web pages. It is embedded into HTML source documents that  are then 'translated' into web pages by a server with a PHP processor module.  
Standard PHP script is generally 'open access', which means &lt;U&gt;anyone&lt;/U&gt; can  run scripts!&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;suPHP limits access to a single user or group of users  with defined permissions, so only those people to whom you grant access can run  scripts.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It's important to note that not all hosting providers  offer or support suPHP, so that's something worth checking when deciding upon  your host&lt;/FONT&gt;&lt;SPAN style="DISPLAY: none; mso-hide: all"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 6pt 35.7pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;6.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Consider a move to VPS&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Virtual Private Server hosting means your website is  hosted separately from other sites. You have far greater control and can usually  customise security measures like firewalls to your own specification, something  that is not generally permitted on shared hosting. 
It should mean your website  is much more secure.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpLast align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;7.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Restrict file permissions&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It makes sense to restrict or even block access to  certain files and operations. In some cases you need to change settings to carry  out an installation – effectively set as open – so just make sure that when  you've finished whatever it is you are doing you set them back again and close  the system.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;8.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Only  link to trusted sites&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;"Open redirects" 
allow a large number of attacks through  browsers. Ensure your site only links to known and trusted sites, and keep an  eye out for any broken or spurious links that appear. You really don't want bad  links on your site. &lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;9.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Secure  File Transfer&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;When you upload, download and delete files, you need to  make sure the method you are utilising is secure. Use tools like File Transfer  Protocol Secure (FTPS), which employs Secure Sockets Layer (SSL), for all  transfers.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;10.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Regular  'housekeeping'&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Get into the habit of regularly checking your website.  
Ensure updates have been successfully installed, look for code that shouldn't be  there, check all links work as they should and only install trusted updates and  plug-ins.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 35.45pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV class=Section1&gt;&lt;STRONG&gt;&lt;FONT  color=#808080&gt;&lt;/FONT&gt;&lt;/STRONG&gt;&amp;nbsp;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-146150300946568602?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/146150300946568602/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/10-website-security-tips-xmas-special.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/146150300946568602'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/146150300946568602'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/10-website-security-tips-xmas-special.html' title='10 Website Security Tips - Xmas special day 21'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_QqJuA7XTtKA/TRDK0K2DTrI/AAAAAAAAAEo/MVnYNLH-1Y4/s72-c/Door%2B21-728194.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-5775184290417836505</id><published>2010-12-20T08:58:00.000Z</published><updated>2010-12-20T08:59:03.924Z</updated><title type='text'>Local authority IT Security in times of austerity - Xmas special day 20</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://1.bp.blogspot.com/_QqJuA7XTtKA/TQ8a2LwrG5I/AAAAAAAAAEg/Y8AVgmekpXA/s1600/Door%2B20-743925.jpg"&gt;&lt;img src="http://1.bp.blogspot.com/_QqJuA7XTtKA/TQ8a2LwrG5I/AAAAAAAAAEg/Y8AVgmekpXA/s320/Door%2B20-743925.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5552686383743310738" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Following last week's announcement of the latest round  in its austerity drive by the UK Coalition Government, councils face the largest  reduction in central funding for local government since the Second World War.  This brings with it the prospect of job losses and cuts in frontline  services.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;There is no easy answer to the question of how best to  make cuts and where they should be made but, to protect frontline services as  best as possible, back-office functions will always suffer.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;IT is frequently an area of back-office that is hit when  such cuts are announced, despite it being essential for any council's day-to-day  operations. 
And when cuts are made, whether in staff, funding, or both, IT  security can suffer.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;So what could councils do to reduce expenditure on IT  whilst maintaining or possibly even improving upon their current infrastructure,  service levels and, most importantly, ensuring security is not  compromised?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Collaborate.&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;One answer might be to look at collaboration, or sharing  of IT infrastructure, with a single regional support centre and IT professionals  who serve more than one council. This could be self-managed or outsourced to a  service-provider. It would ensure the focus is not just upon IT provision, but  also upon maintaining the security of systems &amp;amp; data. 
The possible downside  to this solution could be the initial set-up/migration costs.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Move to The  Cloud.&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;An alternative would be for councils to virtualise the  greater part of their IT 'provision' by progressively migrating it to The  Cloud.&lt;/FONT&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT  style="FONT-SIZE: 14pt"&gt;*&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt; This  offers the advantage of specialist application support for users, meaning IT  staff can concentrate on key functions; it would simplify IT as a service, by  reducing layers of provision and making application/software licensing more  straightforward; and it should, over time, reduce costs.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It would also offer councils the prospect of  collaboration without the need to invest in and maintain shared  infrastructure.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Most importantly, security would be maintained, if not  enhanced.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpFirst align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 
7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Data would be  held and backed-up off-site in highly secure data vaults;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Data would be  encrypted at all times; &lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;There is no  need for data to be loaded on to any PC, laptop or other device;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpLast align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; 
mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Being  Cloud-based could potentially make the transition to 2nd factor authentication a  far more viable proposition.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It's too early to know what steps councils will take,  but it's certain there are difficult times ahead. &lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;FONT style="FONT-SIZE: 14pt"&gt;*  &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN&gt;&lt;FONT style="FONT-SIZE: 9pt"&gt;Cloud computing is a new  way of delivering IT services over the Internet. It facilitates the sharing of  resources, software and data, and its biggest selling point is the fact it does  away with the need for businesses to invest heavily in IT infrastructure because  everything can be hosted off-site. 
To read our blog about The Cloud click  &lt;/FONT&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 9pt"&gt;&lt;A  href="http://blog.securm.co.uk/2010/11/what-is-cloud.html"&gt;&lt;SPAN&gt;here&lt;/SPAN&gt;&lt;/A&gt;&lt;/FONT&gt;&lt;SPAN&gt;&lt;FONT  style="FONT-SIZE: 9pt"&gt;.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;SPAN&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV class=Section1&gt; &lt;P style="TEXT-ALIGN: left" class=MsoNormal align=left&gt;&lt;o:p&gt;&lt;FONT  size=3&gt;&lt;/FONT&gt;&lt;/o:p&gt;&amp;nbsp;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-5775184290417836505?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/5775184290417836505/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/local-authority-it-security-in-times-of.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5775184290417836505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5775184290417836505'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/local-authority-it-security-in-times-of.html' title='Local authority IT Security in times of austerity - Xmas special day 20'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_QqJuA7XTtKA/TQ8a2LwrG5I/AAAAAAAAAEg/Y8AVgmekpXA/s72-c/Door%2B20-743925.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-3164685789833959268</id><published>2010-12-19T13:04:00.001Z</published><updated>2010-12-19T13:04:10.835Z</updated><title type='text'>Gawker hack. What can businesses learn? - Xmas special day 19</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://4.bp.blogspot.com/_QqJuA7XTtKA/TQ4Cy1EI3vI/AAAAAAAAAEY/90XvqF5y3mQ/s1600/Door%2B19-750836.jpg"&gt;&lt;img src="http://4.bp.blogspot.com/_QqJuA7XTtKA/TQ4Cy1EI3vI/AAAAAAAAAEY/90XvqF5y3mQ/s320/Door%2B19-750836.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5552378462855552754" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV class=Section1&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We published a blog on 12&lt;SUP&gt;th&lt;/SUP&gt; December 2010,  titled "&lt;I style="mso-bidi-font-style: normal"&gt;2&lt;SUP&gt;nd&lt;/SUP&gt; factor NOT  X-Factor"&lt;/I&gt;. In it we discussed the importance of a robust password policy,  how to formulate passwords and the use of additional authentication  measures.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;On 15&lt;SUP&gt;th&lt;/SUP&gt; December, the BBC reported that a US  Celebrity Gossip site called &lt;EM&gt;Gawker&lt;/EM&gt;, which operates one of the world's  most popular blog networks, had been subjected to a major hacking attack. The  attack was instigated by an organisation that calls itself Gnosis. 
After the  hacking, details of 1.3 million accounts, including 'a significant number' of  passwords, were published online by the group.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 12pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;As a result, millions of users are being asked to change  their passwords, not just for the &lt;I style="mso-bidi-font-style: normal"&gt;Gawker  &lt;/I&gt;site, but also for sites like Twitter, Yahoo and LinkedIn. Even the online  game site, &lt;I style="mso-bidi-font-style: normal"&gt;World of&lt;/I&gt; &lt;I  style="mso-bidi-font-style: normal"&gt;Warcraft&lt;/I&gt;, is asking some users to reset  passwords.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Why are all  these sites taking such measures?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;I  style="mso-bidi-font-style: normal"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Gawker&lt;/FONT&gt;&lt;/I&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt; will  obviously be requiring users to change their passwords because it is the site  that has been hacked and compromised, but other sites face potential problems  for two main reasons:&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpFirst align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;1.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Many users  'interlink' the various sites so they can 
share a feature of interest from G&lt;I  style="mso-bidi-font-style: normal"&gt;awker&lt;/I&gt; in Twitter, or tell friends about  a spectacularly high score in &lt;I style="mso-bidi-font-style: normal"&gt;World of  Warcraft&lt;/I&gt;, for instance. This can mean some 'sharing' of  passwords.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpLast align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;2.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Significant  numbers of users do not have different passwords for each and every site they  are signed up to.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The attack also highlighted just how insecure passwords  were. Apparently the favourites amongst &lt;I  style="mso-bidi-font-style: normal"&gt;Gawker&lt;/I&gt; users were 123456, password and  12345678. So users are being asked to make their passwords stronger.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It also revealed underlying flaws in &lt;I  style="mso-bidi-font-style: normal"&gt;Gawker's&lt;/I&gt; overall infrastructure  security, something the site's boss has admitted was a serious issue, according  to a report that appeared in &lt;I style="mso-bidi-font-style: normal"&gt;The  Register&lt;/I&gt; yesterday (18&lt;SUP&gt;th&lt;/SUP&gt; December). 
&lt;/FONT&gt;&lt;I  style="mso-bidi-font-style: normal"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Gawker&lt;/FONT&gt;&lt;/I&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt; is now  planning to overhaul its security processes by introducing 2&lt;SUP&gt;nd&lt;/SUP&gt; factor  authentication.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;What is the  significance to my business?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;If your employees use the same passwords for social  networking and personal online activities, like shopping and banking, as they  use in the work environment, compromises like this will be of concern. If one of  your employees has a social networking account or, worse still, their home PC  compromised, someone could gain unauthorised access to your systems as a  result.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We mentioned in our "&lt;I  style="mso-bidi-font-style: normal"&gt;2&lt;SUP&gt;nd&lt;/SUP&gt; factor NOT X-Factor"&lt;/I&gt; blog  that users should ideally have one password per system. 
It's perhaps worth  adding that this applies equally to personal 'accounts' too and that your  employees should be advised not to use the same passwords for business as they  do for personal computer activity.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="TEXT-ALIGN: left; MARGIN-BOTTOM: 0pt" class=MsoNormal align=left&gt;&lt;SPAN  style="FONT-FAMILY: 'Trebuchet MS','sans-serif'; COLOR: gray; FONT-SIZE: 14pt; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-themecolor: background1; mso-themeshade: 128; mso-fareast-language: en-gb"&gt;&lt;FONT  color=#000000&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="TEXT-ALIGN: left; MARGIN-BOTTOM: 0pt" class=MsoNormal align=left&gt;&lt;SPAN  style="FONT-FAMILY: 'Trebuchet MS','sans-serif'; COLOR: gray; FONT-SIZE: 14pt; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-themecolor: background1; mso-themeshade: 128; mso-fareast-language: en-gb"&gt;&lt;FONT  color=#000000&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="TEXT-ALIGN: left; MARGIN-BOTTOM: 0pt" class=MsoNormal  align=left&gt;&lt;B&gt;&lt;SPAN  style="FONT-FAMILY: 'Trebuchet MS','sans-serif'; COLOR: gray; FONT-SIZE: 14pt; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-themecolor: background1; mso-themeshade: 128; mso-fareast-language: en-gb"&gt;&lt;/SPAN&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="TEXT-ALIGN: left" class=MsoNormal  align=left&gt;&lt;o:p&gt;&lt;/o:p&gt;&amp;nbsp;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-3164685789833959268?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/3164685789833959268/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://blog.securm.co.uk/2010/12/gawker-hack-what-can-businesses-learn.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/3164685789833959268'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/3164685789833959268'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/gawker-hack-what-can-businesses-learn.html' title='Gawker hack. What can businesses learn? - Xmas special day 19'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_QqJuA7XTtKA/TQ4Cy1EI3vI/AAAAAAAAAEY/90XvqF5y3mQ/s72-c/Door%2B19-750836.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-8179823830032296959</id><published>2010-12-18T12:53:00.001Z</published><updated>2010-12-18T12:53:55.049Z</updated><title type='text'>Data: From Acquisition to Disposal - Xmas special day 18</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://4.bp.blogspot.com/_QqJuA7XTtKA/TQyu43aqG2I/AAAAAAAAAEQ/8FkkOOzcf6M/s1600/Door%2B18-735050.jpg"&gt;&lt;img src="http://4.bp.blogspot.com/_QqJuA7XTtKA/TQyu43aqG2I/AAAAAAAAAEQ/8FkkOOzcf6M/s320/Door%2B18-735050.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5552004732612647778" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Your business has a legal obligation to fulfil under the  Data Protection Act 1998 when it comes to 
handling data. It may also have to  consider compliance with the policies and guidelines of a regulatory body. The  bottom line is that you are responsible for the security of your data from  acquisition to 'disposal'.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;There are many things to think about when putting  systems in place for handling data. We couldn't possibly cover everything in  this blog, but we would suggest that there are five broad categories to  consider:&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;OL style="MARGIN-TOP: 0cm; MARGIN-BOTTOM: 0cm" type=1&gt;   &lt;LI    style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"    class=MsoNormal&gt;&lt;B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Information    Management&lt;/FONT&gt;&lt;/B&gt;&lt;/LI&gt;&lt;/OL&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;A systematic approach to managing company information is  a must. This is commonly referred to as an Information Security Management  System (ISMS) and these can be accredited under an international standard, such  as ISO 27001.&lt;BR&gt;&amp;nbsp; &lt;/FONT&gt;&lt;/P&gt; &lt;OL style="MARGIN-TOP: 0cm; MARGIN-BOTTOM: 0cm" type=1 start=2&gt;   &lt;LI    style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"    class=MsoNormal&gt;&lt;B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;IT Infrastructure    Security&lt;/FONT&gt;&lt;/B&gt;&lt;/LI&gt;&lt;/OL&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;A Penetration Test will highlight weaknesses and  vulnerabilities in your systems, identify the appropriate measures to deal with  them and close the door to attack&lt;B&gt;. 
&lt;/B&gt;You may already have firewalls, intrusion  detection systems and other electronic monitoring solutions in place. Whilst  these will obviously provide a degree of protection to your IT infrastructure,  software patches and hardware updates can all inadvertently leave your system  vulnerable and open to attack.&lt;BR&gt;&amp;nbsp; &lt;/FONT&gt;&lt;/P&gt; &lt;OL style="MARGIN-TOP: 0cm; MARGIN-BOTTOM: 0cm" type=1 start=3&gt;   &lt;LI    style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"    class=MsoNormal&gt;&lt;B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Training &amp;amp;    Awareness&lt;/FONT&gt;&lt;/B&gt;&lt;/LI&gt;&lt;/OL&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;All members of staff within your organisation should be  aware of their responsibilities when dealing with your company data. The  implementation of an online programme of training that can be monitored and  measured is certainly something to consider.&lt;BR&gt;&amp;nbsp; &lt;/FONT&gt;&lt;/P&gt; &lt;OL style="MARGIN-TOP: 0cm; MARGIN-BOTTOM: 0cm" type=1 start=4&gt;   &lt;LI    style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"    class=MsoNormal&gt;&lt;B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Business Continuity    Planning&lt;/FONT&gt;&lt;/B&gt;&lt;/LI&gt;&lt;/OL&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;When disaster strikes, whether fire, flood or a  malicious attack on your IT systems, your business needs to be up and running  again with the minimum of financial and reputational damage. 
A resilient  Business Continuity plan, taking account of data security and ensuring regular  back-up amongst other things, will provide peace-of-mind to your staff,  stakeholders, suppliers and customers.&lt;BR&gt;&amp;nbsp; &lt;/FONT&gt;&lt;/P&gt; &lt;OL style="MARGIN-TOP: 0cm; MARGIN-BOTTOM: 0cm" type=1 start=5&gt;   &lt;LI    style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"    class=MsoNormal&gt;&lt;B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Data    Destruction&lt;/FONT&gt;&lt;/B&gt;&lt;/LI&gt;&lt;/OL&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;There will come a point when either the data, or the  systems upon which it is held, are no longer required, but you can't just throw  them away. If the data gets into the wrong hands, and the Information  Commissioner's Office comes knocking at your door, the fact it is old and no  longer of value to your business will be no defence. It's worth identifying a  trustworthy provider of data destruction and IT equipment disposal services who  can issue you with appropriate certification and documentation. It will mean you  can demonstrate you have taken every possible step to ensure the security of  your old data. 
&lt;/FONT&gt;&lt;/P&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV class=Section1&gt; &lt;P style="TEXT-ALIGN: left" class=MsoNormal align=left&gt;&lt;o:p&gt;&lt;STRONG&gt;&lt;FONT  color=#808080&gt;&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/o:p&gt;&amp;nbsp;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-8179823830032296959?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/8179823830032296959/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/data-from-acquisition-to-disposal-xmas.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/8179823830032296959'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/8179823830032296959'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/data-from-acquisition-to-disposal-xmas.html' title='Data: From Acquisition to Disposal - Xmas special day 18'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_QqJuA7XTtKA/TQyu43aqG2I/AAAAAAAAAEQ/8FkkOOzcf6M/s72-c/Door%2B18-735050.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-3057732212214637433</id><published>2010-12-17T06:07:00.001Z</published><updated>2010-12-17T06:07:43.618Z</updated><title type='text'>Are your employees involved &amp; engaged? - Xmas special day 17</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://1.bp.blogspot.com/_QqJuA7XTtKA/TQr-Lxo5MSI/AAAAAAAAAEI/rAkJ2OBATYE/s1600/Door%2B17-763619.jpg"&gt;&lt;img src="http://1.bp.blogspot.com/_QqJuA7XTtKA/TQr-Lxo5MSI/AAAAAAAAAEI/rAkJ2OBATYE/s320/Door%2B17-763619.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5551528968944431394" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Your IT Security is only as strong as its weakest point.  And, as we've said before, the weakest point is usually the human  element.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;A number of our recent blogs have touched upon the  subject of involving and engaging your employees in your IT Security policies  and processes. 
In those blogs, we've broadly explained why it's a good thing,  but we thought a more detailed blog concentrating upon how you can get them  involved, and the sort of things to consider when you do, would be  helpful.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 6pt 35.7pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;1.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Help them to  understand.&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=left&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;If your employees do not understand the  importance of IT Security they almost certainly won't be able to appreciate the  necessity of policies and procedures. In fact, they may see them as an  imposition, a hindrance, or even something you've put in place just to catch  them out. Negativity is counter-productive and something you really need to get  past. So, how do you help them to understand? Read on. 
&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=left&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 6pt 35.7pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;2.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Keep it  simple.&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;How many times have you heard this before about so many  things? Well, don't ignore it because it's very, very important in this context.  For your purposes and those of your business, IT policies may need to be  detailed, in-depth and highly technical. But overload and overwhelm employees  and you will struggle to get them to understand. 
Try things like:&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 72pt; mso-list: l1 level1 lfo2"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Simple, one  page, crib sheets about policies that directly apply to them and their  particular roles;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 72pt; mso-list: l1 level1 lfo2"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Practical,  scenario-based training – don't grind them down with hours of PowerPoint  presentations and technical jargon;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 72pt; mso-list: l1 level1 lfo2"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  
style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Regular updates  explaining what to look out for and what they should do or not do if faced with  certain situations.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 6pt 35.7pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;3.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Make on-going  training and awareness an essential part of your IT Security  processes.&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We've touched upon this in the point above. You need to  train your employees, raise their awareness of issues and keep them updated with  important changes and developments. Testing their knowledge and understanding on  a regular basis is really important, but don't think exams and written  tests.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=left&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Keeping things light-hearted and, dare  we say it…FUN…is a great way to engage your employees. 
Setting a challenge to  find 10 potential security breaches could be one approach.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=left&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 6pt 35.7pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;4.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Encourage  input from your employees.&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Let's say you are considering implementing a new  password policy that requires every employee to have different passwords for  each system they access. You could simply write it up and go ahead with it. No  consultation, just straight to release.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;But, if you haven't spoken to your employees and have  failed to explore the practicalities of your proposed policy in the light of  their working practices, how do you know it's workable? What if employees simply  cannot remember every password, but you tell them they mustn't write anything  down? What would the impact be upon your time and the time of other IT staff if  there is a constant need to 'unlock' users and reset passwords? 
There's also a  good chance it will cause resentment amongst your employees.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We're not suggesting you consult employees on every  single detail, but they are the people using your systems. Not only can they  tell you if certain policies are likely to work, they can also tell you when  things don't seem to be functioning as they should and when there appear to be  problems. This could be feedback – possibly an early warning of a major issue –  that you could miss out on if your employees don't feel they have a  voice.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 6pt 35.7pt; mso-list: l0 level1 lfo1"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;5.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Ensure buy  in.&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It's great to encourage involvement but you need  employees to really buy-in to your policies and procedures. The best way to do  this is to get them to sign-up. 
By this we mean you should require them to sign  acknowledgements that:&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 0pt 74.25pt; mso-list: l2 level1 lfo3"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;They have read  and understood what they have been told – this should be required every time  there is a significant change in policy;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 0pt 74.25pt; mso-list: l2 level1 lfo3"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;They are aware  that you expect them to follow policies and procedures;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 0pt 74.25pt; mso-list: l2 level1 lfo3"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 
11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;They  acknowledge their responsibilities as a part of the process; and&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 6pt 74.25pt; mso-list: l2 level1 lfo3"  class=MsoListParagraph align=left&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;They are aware  of the consequences of any failure to adhere to policy.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We can see this might seem slightly at odds to our  suggestion the process could be light-hearted and fun, but buy-in and sign-up  are absolutely necessary. It's also the case that they bestow the element of  importance upon the process. It's the only aspect that needs to be  formal.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraphCxSpLast  align=left&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;The fact is your employees need to  understand your policies in order to apply them and to be aware of the  consequences if they don't. 
You need them to sign-up to this because, much as  you wouldn't want it to happen, you may have to take disciplinary or even legal  action against an employee in the future. If you have nothing to demonstrate  they had received training and understood their responsibilities, you could end  up with no claim or case. &lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Whilst we've written this blog about involving your  employees in your IT Security policies and procedures, the points above could  equally well apply to all other areas of your business. Involve them and engage  them, then get their buy-in by requiring them to sign-up. It makes good business  sense.&lt;/FONT&gt;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-3057732212214637433?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/3057732212214637433/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/are-your-employees-involved-engaged.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/3057732212214637433'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/3057732212214637433'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/are-your-employees-involved-engaged.html' title='Are your employees involved &amp; engaged? 
- Xmas special day 17'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_QqJuA7XTtKA/TQr-Lxo5MSI/AAAAAAAAAEI/rAkJ2OBATYE/s72-c/Door%2B17-763619.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-4185741882976254529</id><published>2010-12-16T08:22:00.001Z</published><updated>2010-12-16T08:22:13.445Z</updated><title type='text'>Disaster Recovery Planning in a nutshell - Xmas special day 16</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://2.bp.blogspot.com/_QqJuA7XTtKA/TQnMNeWpPTI/AAAAAAAAAEA/Bit5b39vsNk/s1600/Door%2B16-733446.jpg"&gt;&lt;img src="http://2.bp.blogspot.com/_QqJuA7XTtKA/TQnMNeWpPTI/AAAAAAAAAEA/Bit5b39vsNk/s320/Door%2B16-733446.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5551192547569253682" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;On 7&lt;SUP&gt;th&lt;/SUP&gt; December 2010, we posted a blog called  &lt;I style="mso-bidi-font-style: normal"&gt;Business Continuity Planning in a  nutshell&lt;/I&gt;. At the end, we promised a similar blog about Disaster Recovery  Planning would be coming soon. Well, soon has come! 
This is it.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;As we mentioned in the previous blog, a Business  Continuity Plan focuses on &lt;I style="mso-bidi-font-style: normal"&gt;all  &lt;/I&gt;aspects of your business and seeks to put in place procedures to follow in  the event of disaster. It will often include a Disaster Recovery Plan, which  focuses specifically upon IT.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The first stage of Disaster Recovery Planning naturally  mirrors the first stage of Business Continuity Planning. It includes:&lt;/FONT&gt;&lt;/P&gt; &lt;UL style="MARGIN-TOP: 0cm; MARGIN-BOTTOM: 0cm" type=disc&gt;   &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Identifying the threats and    risks;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Ascertaining the current level    of preparedness;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Documenting normal operating    policies and procedures; &lt;/FONT&gt;   &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Identifying all IT assets –    equipment, software, etc. – and their location;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Listing all key IT equipment and    service providers – e.g. 
online backup and disaster recovery support – and    their contact details;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Distinguishing between the    critical &amp;amp; non-critical IT functions and determining 'acceptable levels'    of disruption;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Documenting the minimum and    optimum technical requirements to ensure your business can function after a    disaster – e.g. number of servers, PCs, software/applications, access to data,    peripherals, etc.;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Deciding upon the key personnel    and/or minimum staffing requirement to ensure critical IT functions can be    carried out;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Listing the contact details of    the key IT staff members;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Understanding the potential    impact of disaster.&lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Like Business Continuity Planning, Disaster Recovery Planning is not a one-off  process. Having written up  your plan documenting the IT department's response in the event of disaster, you  will need to ensure it is regularly reviewed and updated to take account of such  things as changes in IT infrastructure (e.g. new servers), amendments to  policies and processes (e.g. 
a move to Cloud-based services) and personnel  changes.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Most importantly, any provisions you put in place should  be tested, tested and tested again. If your backups could not be restored or  technology switched from your primary location to a secondary location at a  critical time, all your planning could be for nought and the disaster  exacerbated.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;To steal a line from the Scouting movement: Be  Prepared.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;To read &lt;I&gt;Business Continuity Planning in a  nutshell&lt;/I&gt; click &lt;A  href="http://blog.securm.co.uk/2010/12/business-continuity-planning-in.html"&gt;here&lt;/A&gt;.&lt;/FONT&gt;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-4185741882976254529?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/4185741882976254529/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/disaster-recovery-planning-in-nutshell.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4185741882976254529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4185741882976254529'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/disaster-recovery-planning-in-nutshell.html' title='Disaster Recovery Planning in a nutshell - Xmas special day 
16'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_QqJuA7XTtKA/TQnMNeWpPTI/AAAAAAAAAEA/Bit5b39vsNk/s72-c/Door%2B16-733446.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-7871031134883777926</id><published>2010-12-15T09:59:00.000Z</published><updated>2010-12-15T10:00:03.890Z</updated><title type='text'>The BIG Threat? - Xmas special day 15</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://2.bp.blogspot.com/_QqJuA7XTtKA/TQiRpNl_yYI/AAAAAAAAAD4/AzF02aPoQ6Y/s1600/Door%2B15-703891.jpg"&gt;&lt;img src="http://2.bp.blogspot.com/_QqJuA7XTtKA/TQiRpNl_yYI/AAAAAAAAAD4/AzF02aPoQ6Y/s320/Door%2B15-703891.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5550846677943830914" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;What would you say poses the biggest threat to the  security of your systems and data?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;- Viruses and Trojans?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;- Hacking?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;- Theft or vandalism?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;- Malicious 'insider 
activity'?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;- Failure to follow policies / procedures?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;If you really think about it, the biggest threat is  posed by people, because none of the above can happen without human  involvement.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;People aren't  responsible for everything though!&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We're not suggesting every threat involves people -  there's no controlling the elements and not every leaking pipe or electrical  fault will be down to poor installation – but when something goes wrong, there's  often someone behind it.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;You can't do anything about the people who pose the  external threats, like virus attacks, hacking, burglary and vandalism. 
But what  you can do is take steps to prevent those threats, or at least make it difficult for them to enact  them.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;By regularly testing your systems for vulnerabilities,  patching them and implementing robust IT security applications, you can reduce  the possibility of a virtual attack.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;To protect your systems from the physical threat, you  can ensure any data is encrypted; minimise the amount of data held on desktops  and laptops; consider locking portable equipment in secure fire safes; and  protect your building's perimeter with CCTV, amongst other things.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;When it comes to employees, there is much more you can  do.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Are you  saying my employees are bad people?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Let's be clear before we go on – we're not for one  minute suggesting your employees knowingly or maliciously pose a threat to your  business. 
Whilst this can happen, more often than not the threat arises through  a lax attitude towards, or even an ignorance of, IT security.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;However good your written policies and procedures might  be, if people fail to adhere to them they may just as well not have been  formulated.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;So what can I  do?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We've said it before, and we'll say it again, "Get them  involved! Engage them in the process."&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;People learn and understand more by 'doing'. Encourage  your employees to help you devise the policies and procedures. Incentivise them  to highlight possible issues and threats. It doesn't need to be a financial  incentive – praise is often sufficient!&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The more they play a part, the more they understand. 
The  more they understand, the more likely they are to want to see IT security  policies adhered to.&lt;/FONT&gt;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-7871031134883777926?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/7871031134883777926/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/big-threat-xmas-special-day-15.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7871031134883777926'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7871031134883777926'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/big-threat-xmas-special-day-15.html' title='The BIG Threat? 
- Xmas special day 15'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_QqJuA7XTtKA/TQiRpNl_yYI/AAAAAAAAAD4/AzF02aPoQ6Y/s72-c/Door%2B15-703891.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-2081186151243442762</id><published>2010-12-14T13:44:00.001Z</published><updated>2010-12-14T13:44:48.159Z</updated><title type='text'>Anti-Virus Dos &amp; Don'ts - Xmas special day 14</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://3.bp.blogspot.com/_QqJuA7XTtKA/TQd00P95wzI/AAAAAAAAADw/q0Lr7vBKgzI/s1600/Door%2B14-788160.jpg"&gt;&lt;img src="http://3.bp.blogspot.com/_QqJuA7XTtKA/TQd00P95wzI/AAAAAAAAADw/q0Lr7vBKgzI/s320/Door%2B14-788160.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5550533506745615154" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;We know the initiated amongst you have  probably seen – and even given - plenty of advice about anti-virus (AV) software  before, so we don't want to rake over old ground. 
But sometimes things bear  repeating, just to reinforce their importance.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Here are a few dos and don'ts to consider when it comes  to using AV software for your business:&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=left&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=left&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;The  dos&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;UL style="MARGIN-TOP: 0cm; MARGIN-BOTTOM: 0cm" type=disc&gt;   &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Do install anti-virus software    on all machines – servers, desktops, laptops, handheld devices, etc.;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Do read the instructions;&lt;/FONT&gt;     &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Do keep AV software regularly    updated. If it's set to automatically update, make sure the updates have been    successful and definitions are fully up-to-date;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Do allow AV software to run in    'real-time'. 
It shouldn't rely upon the user initiating its operation; it    should always be running;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Do ensure your AV software scans    everything, including master and boot records as well as memory and system    files. It's not just executables that can cause harm;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Do enable macro virus    protection;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Do disable preview screens in    email applications;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Do maintain, and regularly    review, an AV policy.&lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=left&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=left&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;The  don'ts&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;UL style="MARGIN-TOP: 0cm; MARGIN-BOTTOM: 0cm" type=disc&gt;   &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l1 level1 lfo2"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Don't allow USB devices to be    connected or opened without a &lt;B style="mso-bidi-font-weight: normal"&gt;full&lt;/B&gt;    scan;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l1 level1 lfo2"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Don't rely upon free AV software    that is limited in its functionality;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 
0cm 0pt; mso-list: l1 level1 lfo2"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Don't allow    'auto-run'/'auto-open' for any downloaded applications, email attachments,    etc.;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l1 level1 lfo2"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Don't run Windows Script Hosting    on machines that don't need it. If it's not enabled, many viruses cannot    function;&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l1 level1 lfo2"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Don't rely solely upon AV    software. It doesn't offer complete protection against all threats; but&lt;/FONT&gt;     &lt;LI style="TEXT-ALIGN: left; MARGIN: 0cm 0cm 0pt; mso-list: l1 level1 lfo2"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Don't simply run other security    applications alongside your AV software without checking for compatibility.    Conflicts can cause compromise.&lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt; &lt;DIV&gt;&lt;o:p&gt;&lt;/o:p&gt;&amp;nbsp;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-2081186151243442762?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/2081186151243442762/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/anti-virus-dos-donts-xmas-special-day.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2081186151243442762'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2081186151243442762'/><link rel='alternate' type='text/html' 
href='http://blog.securm.co.uk/2010/12/anti-virus-dos-donts-xmas-special-day.html' title='Anti-Virus Dos &amp; Don&apos;ts - Xmas special day 14'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_QqJuA7XTtKA/TQd00P95wzI/AAAAAAAAADw/q0Lr7vBKgzI/s72-c/Door%2B14-788160.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-1886544071291234670</id><published>2010-12-13T21:48:00.001Z</published><updated>2010-12-13T21:48:13.483Z</updated><title type='text'>Looking ahead to 2012</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://4.bp.blogspot.com/_QqJuA7XTtKA/TQaUnZZy17I/AAAAAAAAADo/MeCZPhrsiBE/s1600/Door%2B13-793483.jpg"&gt;&lt;img src="http://4.bp.blogspot.com/_QqJuA7XTtKA/TQaUnZZy17I/AAAAAAAAADo/MeCZPhrsiBE/s320/Door%2B13-793483.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5550286995335600050" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We're not talking the London Olympics here; it's SHA-3  we're interested in.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;SHA  what?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;SHA-3. 
It stands for Secure Hash Algorithm 3.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;What's one of  those?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;SHA is one of a number of cryptographic 'hash functions'  published by the National Institute of Standards &amp;amp; Technology (NIST), which  is a US Government organisation responsible for setting information security  standards.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;A Secure Hash Algorithm generates 'hashes', which are  essential for non-repudiation of digital signatures and certificates. In  essence, anything you wish to ensure has 'come from source' should have an  accompanying 'Pre-Computed Hash'. Those of you familiar with Open Source  software will be used to seeing such hashes.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;If you wish to prove non-repudiation of an email source,  you need to provide an email hash. This is usually encrypted using the sender's  private key, meaning it can only be opened by the sender's public key. Once  opened you can see the hash for the message, which proves that the message is  the same as it was when it was sent. As it was encrypted using the sender's  private key, only the sender could have sent it, thus proving non-repudiation.  
&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Hash keys are a bit like digital fingerprints for  data.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;SHA-3 will completely replace SHA-0, SHA-1 and  SHA-2.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;What's wrong  with 0, 1 &amp;amp; 2? Are they no longer secure?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;SHA-0 was withdrawn after the discovery of an  undisclosed flaw. SHA-1 and 'derivatives' have been subjected to serious  attacks, known as 'Dictionary Attacks' and it is feared SHA-2 could be next. But  security is not the only issue. It's also the case that SHAs need to evolve to  meet the increasing demands today's and future technology will place upon  them.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;A serious concern is the effect Quantum computing could  have on cryptanalysis. &lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;What will it  mean for my business?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;SHA-3 is being trumpeted as a solution that will offer  better security, more flexibility and will have a 'shelf-life' far exceeding its  predecessors, thus making it a much more attractive investment. 
It is hoped it  will last at least 20 years.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;If you use 2&lt;SUP&gt;nd&lt;/SUP&gt; factor authentication, process  online payments, encrypt data when transferring it for backup in The Cloud, or  apply digital signatures to emails or documents, you should be eagerly awaiting  2012.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Of course you will need to apply any published patches  from your software vendor as your current configuration will almost certainly  not support the implementation of SHA-3. There may be other concerns as well,  such as backward compatibility for both hardware and software.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;So why isn't  it available yet?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;In 2007, NIST recognised the need for Secure Hash  Algorithms to become more sophisticated and decided to run a competition to  develop SHA-3.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The competition has only just reached its final round,  with 5 contestants still in the game. 
The winner is expected to be announced in  early 2012.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;A  competition?&lt;/FONT&gt;&lt;/B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;!&lt;/FONT&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;  Why?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Yes. It was open to all, from multi-national IT  corporations through to small businesses and university based teams alike.  Interestingly, many of the large IT corporations went out in the first  round.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;This is standard practice for NIST – development of the  Advanced Encryption Standard (AES) was also a 'public' competition. NIST  believes such competition widens the scope and brings new input and potentially  new thinking to its Cryptographic Hash Project.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Is that  safe?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Yes, remember the only things that need to be secure in  a cryptographic chain are the keys. When talking about hashes, nothing is  secret. This is common in the world of cryptography. 
It allows for constant peer  review and, even better, keeps the algorithms free to use.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Where can I  find out more?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The best resource is the NIST website. It provides a  wealth of information, some general and some more technical - &lt;A  href="http://csrc.nist.gov/groups/ST/hash/index.html"&gt;http://csrc.nist.gov/groups/ST/hash/index.html&lt;/A&gt;.&lt;/FONT&gt;&lt;/P&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV class=Section1&gt;&lt;STRONG&gt;&lt;FONT  color=#808080&gt;&lt;/FONT&gt;&lt;/STRONG&gt;&amp;nbsp;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-1886544071291234670?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/1886544071291234670/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/looking-ahead-to-2012.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/1886544071291234670'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/1886544071291234670'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/looking-ahead-to-2012.html' title='Looking ahead to 2012'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_QqJuA7XTtKA/TQaUnZZy17I/AAAAAAAAADo/MeCZPhrsiBE/s72-c/Door%2B13-793483.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-8943331482182149974</id><published>2010-12-12T14:00:00.001Z</published><updated>2010-12-12T14:00:19.084Z</updated><title type='text'>2nd Factor NOT x-Factor! - Xmas special day 12</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://4.bp.blogspot.com/_QqJuA7XTtKA/TQTVcy_WXVI/AAAAAAAAADg/0dA1UkZGS1k/s1600/Door%2B12-719086.jpg"&gt;&lt;img src="http://4.bp.blogspot.com/_QqJuA7XTtKA/TQTVcy_WXVI/AAAAAAAAADg/0dA1UkZGS1k/s320/Door%2B12-719086.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5549795331527826770" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;If you have computers you have users who almost  certainly have passwords to access those computers. Hopefully you get the  drift.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Passwords are fine as the first line of defence for IT  equipment such as desktops or laptops, so you really should ensure you've got a  good password policy in place. 
However you choose to implement that policy,  whether through informal training, system controls, or a mix of both, it needs  to encourage your employees to use strong passwords and keep them  safe.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;When it comes to more technical kit, such as Servers,  Network equipment and any devices facing the Internet, you will need both a  strong password policy &lt;I style="mso-bidi-font-style: normal"&gt;and&lt;/I&gt;  2&lt;SUP&gt;nd&lt;/SUP&gt; factor authentication.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;A blog is not the right medium for trying to cover the  ins and outs of a good password policy, or to discuss the best way to implement  2&lt;SUP&gt;nd&lt;/SUP&gt; factor authentication, but we can at least cover some of the  important things to consider.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l1 level1 lfo1"  class=MsoListParagraphCxSpFirst align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;1.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;'Formulation' of passwords&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;You may wish to prescribe a certain type of password or,  better 
still, passphrase. As a minimum, you should enforce the inclusion of a  mixture of uppercase and lowercase letters, and at least two numbers.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Additionally, you should insist that  your users do not use dictionary words, or anything that could be easily guessed  / 'socially engineered', like the name of a loved one, a car registration number  or a date of birth.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l1 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;2.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Password complexity/strength&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;This goes hand-in-hand with point 1. The more complex  passwords are, the more secure they will usually be. 
The problem is that the  more complex they become, the more difficult they are to remember, particularly  if users have more than one password per system, which ideally they  should.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;A meaningful or even silly phrase  with some letters replaced by numbers – 5ant@H45amas51v3sack - is often easier  to remember than a random series of letters and numbers and can prove to be just  as strong.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l1 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;3.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;How  long should they be valid for?&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;There's no hard-and-fast rule. Many organisations  enforce a periodic change, perhaps every 60 or 90 days. This is an acceptable  practice, but it can cause difficulties for users. If all passwords change at  the same time they have to think of new ones. If they change at different times  there's potential for confusion. 
It's a case of trying to find a workable  balance.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Some organisations insist on very complex and strong  passwords or passphrases and then lock them down so they never change. This of  course has the disadvantage that if the password is compromised and no-one  realises, whoever has access to the password could gain long-term access to  systems and data.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Working in IT, as many of you do, you will be aware that  imposing frequent password changes and insisting upon complex passwords can  adversely affect the view your users have of you, perhaps causing them to see  you as overly authoritarian. It's not a view you would wish to persist but, as  well as educating users about the importance of a robust password policy, there  are things you can do to change their views.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 72pt; mso-list: l0 level1 lfo2; mso-add-space: auto"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Enforce a 'lax'  password changing policy, e.g. 
180 days, but ensure passwords are at least 14  characters in length;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 72pt; mso-list: l0 level1 lfo2; mso-add-space: auto"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Set up lockouts  to prevent 'brute force attacks', perhaps after 3  unsuccessful attempts on non Internet-facing accounts;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 72pt; mso-list: l0 level1 lfo2; mso-add-space: auto"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Tie  Internet-facing accounts to a 2&lt;SUP&gt;nd&lt;/SUP&gt; factor authentication, such as  VeriSign VIP token, which will help to prevent password compromise whilst still  giving flexibility to users.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;B style="mso-bidi-font-weight: 
normal"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&lt;/B&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l1 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;STRONG&gt;4.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Security of Passwords&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Obviously the ideal situation is for users to remember  all their passwords. You really don't want them written down on Post-it notes  and scraps of paper about the place.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraph align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;If it's not feasible to expect users to remember  passwords, it may be worth considering keeping a log, but this should be held  very securely and access should only be given to key personnel. 
It could be  stored in a safe or in an encrypted file on a PC that does not have network or  Internet access.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;In the event of disaster hitting  your business, keeping passwords secure in this way may prove to have been a  wise move.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;What is  2&lt;SUP&gt;nd &lt;/SUP&gt;factor authentication?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Put simply, 2&lt;SUP&gt;nd&lt;/SUP&gt; factor authentication - also  known as two-factor authentication – is, as the name would suggest, a mechanism  whereby more than one thing is required to authenticate a user. So, in addition  to a password or PIN, a user will be required to provide an additional  factor.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;This could be a randomly generated code from a small  electronic device, often called a token, similar to those issued by some banks.  
Alternatively, users might have to swipe their finger across a fingerprint  reader, or even have a retinal scan.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;In essence:&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l2 level1 lfo3"  class=MsoListParagraphCxSpFirst align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;First factor =  something the user knows, like a password or PIN; and&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l2 level1 lfo3"  class=MsoListParagraphCxSpLast align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Second factor =  something the user 'has', such as an electronic token number or  fingerprint.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;DIV style="FONT-FAMILY: 
'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV class=Section1&gt;&lt;FONT  size=3&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-8943331482182149974?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/8943331482182149974/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/2nd-factor-not-x-factor-xmas-special.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/8943331482182149974'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/8943331482182149974'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/2nd-factor-not-x-factor-xmas-special.html' title='2nd Factor NOT x-Factor! 
- Xmas special day 12'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_QqJuA7XTtKA/TQTVcy_WXVI/AAAAAAAAADg/0dA1UkZGS1k/s72-c/Door%2B12-719086.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-5192840320325085925</id><published>2010-12-11T08:11:00.001Z</published><updated>2010-12-11T08:11:32.707Z</updated><title type='text'>Ten Top IT Security Essentials - Xmas special day 11</title><content type='html'>&lt;p class="mobile-photo"&gt;&lt;a href="http://3.bp.blogspot.com/_QqJuA7XTtKA/TQMyNOxBu5I/AAAAAAAAADY/JjrCm21g6kQ/s1600/Door%2B11-792708.jpg"&gt;&lt;img src="http://3.bp.blogspot.com/_QqJuA7XTtKA/TQMyNOxBu5I/AAAAAAAAADY/JjrCm21g6kQ/s320/Door%2B11-792708.jpg"  border="0" alt="" id="BLOGGER_PHOTO_ID_5549334368734002066" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;After some of our weightier blogs of recent days, joke  viruses aside, we thought we'd take a short, sharp look at ten things you can do  to ensure the security of your data and systems.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpFirst align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;1.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 
7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Use anti-virus  software and keep it up-to-date. Don't rely on free versions that are not fully  functional;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;2.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Regularly scan  your systems for spyware and malware;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;3.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Install a  firewall;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;4.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  
style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Regularly  back-up data and system configurations;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;5.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Restrict  employee access to social networking sites and personal webmail;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;6.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Don't use USB  devices to back-up or store data;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;7.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  
style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Don't keep data  on laptops and mobile devices;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;8.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Encourage the  use of complex passwords and change them regularly;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;9.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Implement a  robust process for ensuring systems and software are updated and patched;  and&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpLast align=justify&gt;&lt;SPAN  style="mso-fareast-font-family: 'Trebuchet MS'; mso-bidi-font-family: 'Trebuchet MS'"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;10.&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT 
face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt; &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Use Two-Factor Authentication.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;You can probably think of 10 more, maybe even 20. If so,  great! Write them down, add them to the list above and, most importantly,  remember them!&lt;/FONT&gt;&lt;/P&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV class=Section1&gt; &lt;P style="TEXT-ALIGN: left" class=MsoNormal align=left&gt;&lt;o:p&gt;&lt;FONT  size=3&gt;&lt;/FONT&gt;&lt;/o:p&gt;&amp;nbsp;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-5192840320325085925?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/5192840320325085925/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/ten-top-it-security-essentials-xmas.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5192840320325085925'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5192840320325085925'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/ten-top-it-security-essentials-xmas.html' title='Ten Top IT Security Essentials - Xmas special day 11'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_QqJuA7XTtKA/TQMyNOxBu5I/AAAAAAAAADY/JjrCm21g6kQ/s72-c/Door%2B11-792708.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-9174919276141650236</id><published>2010-12-10T12:41:00.003Z</published><updated>2010-12-10T18:01:41.929Z</updated><title type='text'>The Ten Worst Viruses? - Xmas special day 10</title><content type='html'>&lt;div class="mobile-photo"&gt;&lt;/div&gt;&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;div align="left" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;a href="http://2.bp.blogspot.com/_QqJuA7XTtKA/TQIf8K6ZGYI/AAAAAAAAADQ/fSOwcGC52q8/s1600/Door%2B10-779479.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5549032809455753602" src="http://2.bp.blogspot.com/_QqJuA7XTtKA/TQIf8K6ZGYI/AAAAAAAAADQ/fSOwcGC52q8/s320/Door%2B10-779479.jpg" /&gt;&lt;/a&gt;&lt;span style="font-size: 11pt;"&gt;Here at Securm Towers, our dynamic control centre, we  have to keep ourselves up-to-date with the latest virus and Trojan threats. We  need to know what they are, how they can infect your systems and exactly what  needs to be done to protect against them. If one of our clients calls us to say a  Storage Area Network has been infected or a server has been hit, we have to be  equipped to deal with the problem and explain the ramifications of the  infestation.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Whilst undertaking some serious research, we stumbled  across the following horrific threats to your IT Security. 
Please read  carefully, and take note.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;1.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Prozac  Virus&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt;: Screws up your RAM but your  processor doesn't care.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;2.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Viagra  Virus&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt;: Expands your hard drive, while  putting too much pressure on your zip drive.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;3.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Airline  Luggage Virus&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt;: You're in London, but  your data is in Taiwan&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;4.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span 
style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;The UK  Government Virus&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt;: Runs every program on  your hard drive simultaneously, but doesn't allow you to accomplish  anything.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;5.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Adam and Eve  virus:&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt; Takes a couple of bytes out of  your Apple&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;6.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Politically  correct virus:&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt; Never calls itself a  "virus", but instead refers to itself as an "electronic  microorganism".&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;7.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Nike  
virus:&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt; Just Does It!&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;8.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Gallup virus:  &lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt;Sixty per cent of the PCs infected will  lose 38 per cent of their data 14 per cent of the time (plus or minus a 3.5 per  cent margin of error).&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;9.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Freudian Virus: &lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt;Your computer becomes obsessed  with its own motherboard&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;.&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="left" class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 6pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;10.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Elvis Virus:  &lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt;Your computer gets fat, slow and lazy,  then self destructs, only to resurface at random locations around the  
world.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: 11pt;"&gt;OK, so they're not real…as if you hadn't guessed…but,  we'd be interested to know which, if any, you think is the funniest. Let us know  by taking our poll, which appears on the right of this page. If you weren't  amused, please answer, "I don't think IT security is a laughing  matter."&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-9174919276141650236?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/9174919276141650236/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/ten-worst-viruses-xmas-special-day-10.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/9174919276141650236'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/9174919276141650236'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/ten-worst-viruses-xmas-special-day-10.html' title='The Ten Worst Viruses? 
- Xmas special day 10'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_QqJuA7XTtKA/TQIf8K6ZGYI/AAAAAAAAADQ/fSOwcGC52q8/s72-c/Door%2B10-779479.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-4976173163315674177</id><published>2010-12-09T18:03:00.001Z</published><updated>2010-12-10T12:28:43.894Z</updated><title type='text'>Laptops and Mobile Devices – equally blessed &amp; cursed? - Xmas special day 9</title><content type='html'>&lt;div class="mobile-photo"&gt;&lt;/div&gt;&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;a href="http://2.bp.blogspot.com/_QqJuA7XTtKA/TQEaE5P3iVI/AAAAAAAAADI/Zr1Bj8a2dLI/s1600/Door%2B9-743164.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5548744887286335826" src="http://2.bp.blogspot.com/_QqJuA7XTtKA/TQEaE5P3iVI/AAAAAAAAADI/Zr1Bj8a2dLI/s320/Door%2B9-743164.jpg" /&gt;&lt;/a&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Let's face it, laptops and mobile devices are fantastic  things. They allow you and your employees to work and be productive virtually  anywhere in the world.
The problem is, portability is equally a blessing and a  curse, which means such devices can cause you a major headache when it comes to  the security of your data and IT systems.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 12pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Of course, if you and your employees take sensible  measures, you can at least ensure you manage and mitigate any risks, if not  eradicate them altogether. Some of them might seem obvious, and not all are  technology-based, but they bear repeating:&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;1.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Don't hold  data on your laptop or device&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt;.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraph" style="margin: 0cm 0cm 6pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Keeping data off laptops and mobile devices and giving  secure virtual and/or Cloud-based access to it is the best  solution.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraph" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;But you still need to apply common sense and other  layers of security.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 
11pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;2.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Don't store  passwords&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt;.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;If a laptop or device is stolen, and  every password for each protected application and website is 'remembered', your  business and your employee could have a problem or two.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;3.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Don't store  security / authentication 'certificates'. 
&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;The same reasoning applies as for  passwords: you don't want a stolen device to simply open up your  network.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;4.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Password  protect the device.&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;The simplest first line of  protection for any device.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;5.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Password  protection of key documents and data.&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;If you must keep data on the laptop  or mobile device, make sure it is protected at file level.&lt;/span&gt;&lt;/div&gt;&lt;div 
align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;6.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Encryption&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Operating systems, like Windows 7,  and numerous applications allow you to encrypt data and files. Alternatively,  you can invest in specialist encryption applications. Just be sure you back-up  the keys.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;7.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Be wary of  free Wi-Fi services.&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;If your employees use laptops or  handheld devices over Wi-Fi networks that are not secured, they could be  inadvertently making business sensitive data available to unauthorised  individuals. 
It's well worth reviewing the security of such devices and your  organisation's policies and procedures for ensuring the security of data held on  them.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;You might want to consider providing  those employees who need Internet access on the move with mobile broadband (e.g.  via a USB dongle). If any of them 'roam' extensively, using satellite  communication systems is an option.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;8.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Install  tracking software&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;There are numerous applications you  can install on laptops and mobile devices that will send regular location  updates when the device is switched on.
If a device is lost or stolen, it may be  possible to track its whereabouts.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;9.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Install data  destruction software.&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; This can be triggered by  'brute-force' attempts to crack passwords, or you can trigger it remotely if  your device is switched on and connected to the Internet.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;10.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Use  asset-tagging, marking or engraving.&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;If a laptop or device is mislaid,  you're more likely to get it back if it's marked up. 
Tagging also makes stolen  devices more difficult to sell.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;11.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Use a cable  and/or physical device lock.&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;It's not sophisticated, but it may  well deter the opportunist thief.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-size: 11pt;"&gt;12.&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Be sensible  and be security aware &lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraph" style="margin: 0cm 0cm 6pt 36pt;"&gt;&lt;span style="font-size: 11pt;"&gt;OK, so this is a bit of a catch-all, but the truth of  the matter is that people are generally the weakest link in the security chain.  
We include under this header such warnings as:&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 72pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't leave  devices unattended;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 72pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't allow  strangers to read your screen over your shoulder – consider using a screen  guard; and&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraph" style="margin: 0cm 0cm 12pt 71.7pt; text-indent: -17.85pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Carry the  device in a nondescript holdall, not a bag emblazoned with the manufacturer's or  your company's logo.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span 
style="font-size: 11pt;"&gt;It all boils down to the fact that you need to make both  the physical and technological security of your laptops and mobile devices a  priority and ensure your employees buy in to this.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-4976173163315674177?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/4976173163315674177/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/laptops-and-mobile-devices-equally.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4976173163315674177'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4976173163315674177'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/laptops-and-mobile-devices-equally.html' title='Laptops and Mobile Devices – equally blessed &amp; cursed? 
- Xmas special day 9'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_QqJuA7XTtKA/TQEaE5P3iVI/AAAAAAAAADI/Zr1Bj8a2dLI/s72-c/Door%2B9-743164.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-7223081668962829138</id><published>2010-12-08T14:36:00.002Z</published><updated>2010-12-09T10:35:31.092Z</updated><title type='text'>The Insider Threat 2 - Xmas special day 8</title><content type='html'>&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;The recent arrest of Katia Zatuliveter on suspicion of spying emphasises again the ‘insider threat’. We raised it in our blog on 3&lt;sup&gt;rd&lt;/sup&gt; December, when we discussed the lessons businesses could learn after the &lt;i&gt;WikiLeaks&lt;/i&gt; publication of leaked US ‘embassy cables’.*&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;In that blog, we recommended businesses should implement a regime of appropriate controls over access to systems data, effectively ensuring employees have access at a level commensurate with their role.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;Ms. Zatuliveter was working as an aide to Mike Hancock, a Liberal Democrat MP who is a member of the Defence Select Committee.
Whilst she denies the charges, the story raises questions over the whole employee vetting and monitoring process.&lt;span&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;In this blog, we thought we’d go beyond the confines of IT security and protocols, because what the two stories highlight is the need for robust Know Your Employee (KYE) policies.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;b&gt;&lt;span lang="EN-GB"&gt;We check all employees out before we take them on. We’re covered.&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;b&gt;&lt;span lang="EN-GB"&gt;&lt;/span&gt;&lt;/b&gt;&lt;span lang="EN-GB"&gt;Undertaking the usual routine checks in respect of a potential employee – confirming previous employment, obtaining references and checking educational qualifications – is only a very small part of KYE.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;We would suggest you consider the following:&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpFirst" style="text-align: left; text-indent: -18pt;"&gt;&lt;span lang="EN-GB" style="font-family: Symbol;"&gt;&lt;span&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN-GB"&gt;Criminal records 
checks – you will need to have appropriate permission from the prospective employee and checks must be made within the confines of prevailing jurisdictional legislation. In the UK you can now request basic disclosure for any employee;&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpFirst" style="text-align: left; text-indent: -18pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;span lang="EN-GB" style="font-family: Symbol;"&gt;&lt;span&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN-GB"&gt;Credit checks – again you’ll need the person’s permission but these are a good indicator of any potential financial difficulties;&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;span lang="EN-GB" style="font-family: Symbol;"&gt;&lt;span&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN-GB"&gt;Bankruptcy and Individual Voluntary Arrangement (IVA) searches – see &lt;a href="http://www.insolvency.gov.uk/"&gt;www.insolvency.gov.uk&lt;/a&gt;;&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;span lang="EN-GB" style="font-family: Symbol;"&gt;&lt;span&gt;·&lt;span style="font: 7pt &amp;quot;Times New 
Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN-GB"&gt;Check the Electoral Roll and carry out a Land Registry search – this will provide an indication of whether or not the individual resides at the address provided and/or owns the property;&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;span lang="EN-GB" style="font-family: Symbol;"&gt;&lt;span&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN-GB"&gt;Search births, marriages and even death records;&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;span lang="EN-GB" style="font-family: Symbol;"&gt;&lt;span&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN-GB"&gt;Disqualified Director searches – in the UK you can make these searches at &lt;a href="http://wck2.companieshouse.gov.uk/1845e7f89a9f34b7f1319419ed37b5a1/dirsec"&gt;http://wck2.companieshouse.gov.uk/1845e7f89a9f34b7f1319419ed37b5a1/dirsec&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;span lang="EN-GB"&gt;&amp;nbsp; &lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: 
-18pt;"&gt;&lt;span lang="EN-GB" style="font-family: Symbol;"&gt;&lt;span&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN-GB"&gt;Carry out your own Internet research – Are there any adverse news items or other mentions? Do they use Facebook, Twitter or other social networking tools and, if so, does their activity raise any concerns;&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;span lang="EN-GB" style="font-family: Symbol;"&gt;&lt;span&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN-GB"&gt;Research referees and their contact details – do they appear genuine or could they be fictitious?&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpMiddle" style="text-align: left; text-indent: -18pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpLast" style="text-align: left; text-indent: -18pt;"&gt;&lt;span lang="EN-GB" style="font-family: Symbol;"&gt;&lt;span&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN-GB"&gt;Fill in the gaps – for example, don’t just accept long breaks in employment as ‘career breaks’ or let numerous address changes in a short period of time go unquestioned.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="ListParagraphCxSpLast" style="text-align: left; text-indent: -18pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" 
class="MsoNormal" style="text-align: left;"&gt;&lt;b&gt;&lt;span lang="EN-GB"&gt;That’s a lot to do! I haven’t really got the time. &lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;We’re not saying you have to do all of those things. Nor do we present them as an exhaustive list. They are things to consider and you will find what works best for you. You might apply different levels according to the seniority of the position, for example.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;If you really don’t have the time, you can always outsource it to a specialist agency. Some agencies even provide an identity verification service. Just make sure you are clear what gets checked and that you’re not just paying for ‘a box ticking exercise’.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;b&gt;&lt;span lang="EN-GB"&gt;So is that it then?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;No. It’s also very important to realise that KYE isn’t just about running checks on someone before they start working for you. It’s an on-going process.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;b&gt;&lt;span lang="EN-GB"&gt;What? 
You mean continually check them even after employing them?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;That’s about the long and the short of it.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;b&gt;&lt;span lang="EN-GB"&gt;Isn’t that ‘a bit Big Brother’?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;The chances are your employees don’t pose a malicious threat to your business and we’re not suggesting you check up on them day in and day out. You could run six monthly review sessions to find out how they are doing, discuss progress and performance, seek to identify any dissatisfaction or disquiet and perhaps put that in context with the overall performance of the department they work in and/or your business as a whole. As with most things in life, there’s no ‘one size fits all’ solution. It’s a case of trying different approaches and finding what best suits your business.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;Importantly you don’t have to approach such a process from the angle of suspicion. It makes good sense from a management and business perspective to show interest in and concern for your employees. After all, you do have a duty of care. You might even make it known that if someone gets into financial difficulties the business will do its best to help them out, perhaps acting as a guarantor to a loan or operating its own loan scheme. 
If you make them feel happy, safe and well incentivised at work they are more likely to be motivated and productive.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;And if there are concerns over a particular individual, you are more likely to get to hear about it from other members of staff because they will feel compelled to inform you. You will then have an opportunity to establish the truth, or otherwise, of these concerns and take the necessary action.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;For example, it could be rumours are circulating that your finance administrator’s gambling habits have got out of hand and he’s stealing money from the company’s bank accounts. Knowing this you can take appropriate action to address the problem. You may find the rumours are totally unfounded and you can take steps to quash them. On the other hand, you may discover some truth in what’s being said. 
Although you establish there is no evidence that money has been stolen, you at least have an opportunity to put some additional controls in place at the same time as offering guidance and counselling to the employee.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;span lang="EN-GB"&gt;* &lt;i&gt;WikiLeaks&lt;/i&gt; continues to publish documents, despite the arrest yesterday, 7&lt;sup&gt;th&lt;/sup&gt; December, of its founder, Julian Assange.&lt;/span&gt;&lt;/div&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/7223081668962829138/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/insider-threat-2-xmas-special-day-8.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7223081668962829138'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7223081668962829138'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/insider-threat-2-xmas-special-day-8.html' title='The Insider Threat 2 - Xmas special day 8'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-1802606710212001243</id><published>2010-12-07T13:34:00.002Z</published><updated>2010-12-07T20:52:52.655Z</updated><title type='text'>Business Continuity Planning in a nutshell - Xmas special Day 7</title><content type='html'>&lt;div class="mobile-photo"&gt;&lt;/div&gt;&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;a href="http://2.bp.blogspot.com/_QqJuA7XTtKA/TP437QLUA1I/AAAAAAAAAC4/NtI6MRO6S00/s1600/Door%2B7-777493.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5547933282061255506" src="http://2.bp.blogspot.com/_QqJuA7XTtKA/TP437QLUA1I/AAAAAAAAAC4/NtI6MRO6S00/s320/Door%2B7-777493.jpg" /&gt;&lt;/a&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Business Continuity Planning is essentially putting  processes in place that will ensure your business keeps running after a  disastrous event, like a fire or flood, vandalism or theft of IT equipment, or  even widespread staff illness.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;The first stage of the process includes:&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Identifying the  threats and risks;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Ascertaining  the current level of preparedness; &lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Distinguishing  between the critical &amp;amp; non-critical functions of your business and  determining 'acceptable levels' of disruption;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Documenting the  minimum and optimum technical requirements to ensure your business can function  after a 
disaster – e.g. number of servers, PCs, software/applications, access to  data, peripherals, etc;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Documenting the  minimum and optimum 'business' requirements – alternative premises (if  appropriate); number of desks, stationery, etc.; &lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Deciding upon  the key personnel and/or minimum staffing requirement to ensure critical  functions can be carried out;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Listing the  contact details of the key staff 
members;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Identifying key  clients and primary suppliers;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 6pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Understanding  the potential impact of disaster.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Based upon this knowledge, you can then establish the  procedures to follow in the event of disaster and formalise your plan in a  printed document that can be referred to before, during and after any  disruption. Its purpose will be to guide response to that disruption and  minimise the impact upon your business. All staff should be aware of its  existence and know how to access it.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;But that's not the end of the process; far from it.  
Business Continuity Planning is a continuous cycle and your Business Continuity  Plan will need constant update and review as your business changes and evolves.  Some examples of things you will need to consider are:&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Staff  changes;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Organisational  changes;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;New or  additional premises;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; 
text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Changes in  client-base;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;New and no  longer used suppliers;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Modified or  replaced technical infrastructure;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 
7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;New IT policies  and procedures; and&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 6pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Changes in IT  processes – e.g. a move to Cloud-based (off-site) backups.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;You should notify your employees of any changes to the  Business Continuity Plan that directly impact upon them.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;And as well as updating your Business Continuity Plan,  you will also need to test it. This doesn't necessarily mean a full-blown  'drill', but you need to at least be sure primary elements work. 
Examples of  what you could test include:&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 39.75pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;The key  personnel call-out process;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 39.75pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;The 'all-staff  notification process';&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 39.75pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;The data  recovery and restore process; and&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 6pt 39.75pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 
11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;The switch of  technology from primary to secondary location and back.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;A Business Continuity Plan focuses on &lt;i&gt;all&lt;/i&gt; aspects of the business and will  often include a Disaster Recovery Plan specifically focusing on the &lt;span lang="EN"&gt;IT or technology systems that support  business functions&lt;/span&gt;.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Coming soon: &lt;i&gt;Disaster Recovery in a  nutshell&lt;/i&gt;.&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/1802606710212001243/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/business-continuity-planning-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/1802606710212001243'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/1802606710212001243'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/business-continuity-planning-in.html' title='Business Continuity Planning in a nutshell - Xmas special Day 
7'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_QqJuA7XTtKA/TP437QLUA1I/AAAAAAAAAC4/NtI6MRO6S00/s72-c/Door%2B7-777493.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-7861486485445551314</id><published>2010-12-06T09:02:00.002Z</published><updated>2010-12-06T13:10:04.958Z</updated><title type='text'>Back-up essentials - Xmas special day 6</title><content type='html'>&lt;div class="mobile-photo"&gt;&lt;/div&gt;&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;a href="http://2.bp.blogspot.com/_QqJuA7XTtKA/TPymxEh7-ZI/AAAAAAAAACw/RG6nrFMGSg0/s1600/Door%2B6-780582.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5547492202973493650" src="http://2.bp.blogspot.com/_QqJuA7XTtKA/TPymxEh7-ZI/AAAAAAAAACw/RG6nrFMGSg0/s320/Door%2B6-780582.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;If disaster struck and you lost data or the  configuration settings of your IT systems, how would your business  cope?&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;If you've backed everything up, hopefully all will be  well and you'll be up and running in no time. If you haven't, you could find  yourself in serious difficulties. You really should implement back-up processes.  
&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Surely nobody  &lt;i&gt;forgets&lt;/i&gt; to back-up&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 11pt;"&gt;!&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;It's more common than you'd think but, thankfully, most businesses are aware of the importance of back-ups. Unfortunately, what  they often forget are some of the fundamentals.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;What are  they?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 0pt 35.7pt; text-indent: -17.85pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Backups should be an integral part of an overall IT  Management Policy and your Business Continuity &amp;amp; Disaster Recovery  Planning;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 0pt 35.7pt; text-indent: -17.85pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Make sure you understand the difference between  'snapshot back-ups' and 'full file back-ups';&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 0pt 35.7pt; text-indent: -17.85pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Data should be regularly backed-up, preferably  daily;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" 
class="MsoNormal" style="margin: 0cm 0cm 0pt 35.7pt; text-indent: -17.85pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;System configurations should also be backed up, at least  once a month as a rule-of-thumb;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 0pt 35.7pt; text-indent: -17.85pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Backups should be checked regularly, to ensure they have  run successfully and can be restored;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 0pt 35.7pt; text-indent: -17.85pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;If you run onsite back-ups, you really ought to consider  having an off-site copy, whether that be at one of your business's other  premises or with a provider of online (Cloud-based) back-up services;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 0pt 35.7pt; text-indent: -17.85pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Any offsite or Cloud back-ups should be encrypted during  transfer and at point of storage.&lt;/span&gt;&lt;/div&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;div class="Section1"&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;
</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/7861486485445551314/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/back-up-essentials.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7861486485445551314'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7861486485445551314'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/back-up-essentials.html' title='Back-up essentials - Xmas special day 6'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_QqJuA7XTtKA/TPymxEh7-ZI/AAAAAAAAACw/RG6nrFMGSg0/s72-c/Door%2B6-780582.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-449754389204652840</id><published>2010-12-05T12:28:00.001Z</published><updated>2010-12-10T12:30:21.093Z</updated><title type='text'>Critical Updates - Xmas special day 5</title><content type='html'>&lt;div class="mobile-photo"&gt;&lt;/div&gt;&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;a href="http://4.bp.blogspot.com/_QqJuA7XTtKA/TPuFj5Ij_GI/AAAAAAAAACo/LM8MypGq4qY/s1600/Door%2B5-743620.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5547174217715547234" 
src="http://4.bp.blogspot.com/_QqJuA7XTtKA/TPuFj5Ij_GI/AAAAAAAAACo/LM8MypGq4qY/s320/Door%2B5-743620.jpg" /&gt;&lt;/a&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;We've 'ummed' and 'ahhed' a bit over releasing this  blog. Let's face it, updates and patches are not the subjects of illuminating  conversation. Nor do they make for particularly exciting reading. But we  concluded that, as an IT Security company, we have a responsibility to raise the  issue…and perhaps it will at least make for interesting reading.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Without wishing to state the obvious, the basic activity  of update and patch management can be so important for the 'health' of your  systems and the security of your data.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;For most businesses, the operating systems across their  IT networks are automatically updated as a matter of course. And many  applications, like anti-virus, firewalls and intrusion detection can also be set  to automatic update, as can hardware drivers.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;It's all quite straightforward, until something goes  wrong.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;It's all  automated. I don't need to worry, do I?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;If everything is automated it's easy to assume it will  all run smoothly and to be lulled into a false sense of security. 
But there  really needs to be human input to the process.&lt;/span&gt;&lt;b&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Do you ensure  that all updates have installed successfully?&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Do you check  there is no incompatibility of patches and updates?&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Do you test the  impact of update and patch installations on your systems?&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 6pt 36pt; text-indent: 
-18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Have you made  sure employees cannot block or cancel critical updates?&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;If the answer to any of the above is "No" you should  probably review your policies and procedures.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;But what  could go wrong?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;That's one of those, "How long is a piece of string?"  questions.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;In some cases nothing, even if important updates have  not installed or there is a conflict between a patch on a server and an update  to your firewall. But that will be more down to luck than anything  else.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;You might just find that your systems do not run as  smoothly as they might, with servers and PCs 'crashing'. 
This could mean more  time spent dealing with IT problems and, of course, it affects the productivity  of the business.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;In the worst case, your systems could be left exposed to  viruses and Trojans and, potentially, external attack. &lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;So what can I  do?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;If you've not implemented one already, an update and  patch management policy, with defined procedures, is highly advisable. In simple  terms, it's all about keeping tabs on what updates and patches are available,  identifying any known security issues or conflicts, and recording which updates  and patches have been applied to your IT systems. One critical part of a patch  policy is a release plan with alpha, beta and gamma release testing on live and  development systems.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;There are plenty of resources and points of reference on  the web if you have the time and inclination to work it out for yourself.  
Alternatively you can speak to an IT security expert who can run vulnerability  tests on your systems, identify any issues or concerns, put them right and make  recommendations for the future.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;It won't cost you the earth and you'll have  peace-of-mind.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-449754389204652840?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/449754389204652840/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/critical-updates-xmas-special-day-5.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/449754389204652840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/449754389204652840'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/critical-updates-xmas-special-day-5.html' title='Critical Updates - Xmas special day 5'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://4.bp.blogspot.com/_QqJuA7XTtKA/TPuFj5Ij_GI/AAAAAAAAACo/LM8MypGq4qY/s72-c/Door%2B5-743620.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-4365686751986182230</id><published>2010-12-04T08:06:00.003Z</published><updated>2010-12-06T13:09:29.266Z</updated><title type='text'>USB Don'ts - Xmas special day 4</title><content type='html'>&lt;div class="mobile-photo"&gt;&lt;/div&gt;&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;div class="Section1"&gt;&lt;a href="http://2.bp.blogspot.com/_QqJuA7XTtKA/TPn2dVO1pYI/AAAAAAAAACg/FP7UTa9AT9E/s1600/Door%2B4-772819.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5546735399859496322" src="http://2.bp.blogspot.com/_QqJuA7XTtKA/TPn2dVO1pYI/AAAAAAAAACg/FP7UTa9AT9E/s320/Door%2B4-772819.jpg" /&gt;&lt;/a&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Your systems and data are vulnerable if you are lax at  enforcing strict policies and procedures in respect of the use of USB devices.  
We'll keep this very simple and list some important USB don'ts:&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't allow  connection of any USB device to any machine without a full virus  scan;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't allow  .exe installs from USB devices. 
If it's absolutely necessary to allow installs,  limit them to Administrator level access;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't allow  personal use of business issued USB devices;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't allow  devices to be taken off-site;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't simply  give out devices without keeping a full inventory – type, serial number, when  issued, to whom, data held, etc.;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" 
style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't rely upon  the device-based 'encryption' for the security of data;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't use USB  devices for critical backups;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't buy USB  devices for business use from online auctions or marketplaces;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span 
style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't connect  your USB device to a computer you do not know or trust;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 6pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't allow  important / sensitive files to be moved or copied from your network.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;It's by no means an exhaustive list, but it will  hopefully provide food for thought. 
The golden rule is: If you're not sure,  DON'T USE USB DEVICES.&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-4365686751986182230?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/4365686751986182230/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/usb-donts.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4365686751986182230'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4365686751986182230'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/usb-donts.html' title='USB Don&apos;ts - Xmas special day 4'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_QqJuA7XTtKA/TPn2dVO1pYI/AAAAAAAAACg/FP7UTa9AT9E/s72-c/Door%2B4-772819.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-5193796059701999602</id><published>2010-12-03T14:34:00.002Z</published><updated>2010-12-03T15:09:50.819Z</updated><title type='text'>The Insider Threat - Xmas special day 3</title><content type='html'>&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;a href="http://2.bp.blogspot.com/_QqJuA7XTtKA/TPkIEclYzmI/AAAAAAAAACc/fw_4SoATS3k/s1600/Door+3.jpg" 
imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/_QqJuA7XTtKA/TPkIEclYzmI/AAAAAAAAACc/fw_4SoATS3k/s1600/Door+3.jpg" /&gt;&lt;/a&gt;&lt;span style="font-size: 11pt;"&gt;On Tuesday 30&lt;sup&gt;th&lt;/sup&gt; November, the US State  Department announced it was taking steps to temporarily reduce access to its  database of 'embassy cables'. The move came after &lt;i&gt;WikiLeaks&lt;/i&gt; began the publication of  hundreds of thousands of sensitive, classified and secret documents.&lt;/span&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Was the  information gained by hackers?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;There is no suggestion secure databases were hacked or  accessed by outsiders – as you would expect, US Government systems are protected  by the tightest possible security measures.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;So who was  responsible?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;It's not yet known who accessed and leaked the  information, but it is clear this embarrassing loss of data emanated from inside  a Government organisation or department that had been granted access to the  embassy cables via the US Defense Department's Secret Internet Protocol  (SIPRNet). The system was set up by the Pentagon in the 1990s. 
Access to the  network was greatly extended after the attacks of September 11&lt;sup&gt;th&lt;/sup&gt; 2001  to facilitate better sharing of intelligence.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Unfortunately, it seems the idea of sharing went a bit  too far.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Surely there  were controls in place!&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;There were plenty of controls in place.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;As we've mentioned, the system itself is as secure as  you can get when it comes to protection from outside attack. And people have to  go through high levels of vetting and security screening before being given  access. However, once access had been granted, the controls over what could be  done with the data seem not to have been so tight.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;As Amit Yoran, a member of President Obama's CSIS  Commission on Cyber Security, says "…once you have access to these classified  systems and are inside their tough perimeter, they have historically been very  trusting. 
And when you have a trusted insider who is interested in causing harm  or inappropriately accessing and divulging information, that sort of  architecture with strong perimeters is quite flawed."&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;That's not  exclusively an issue for the US government, is it?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Correct.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Whilst this leak of information involves the US  Government, it should resonate across the globe to all types of organisation and  business. It demonstrates 'the insider threat' on a huge scale.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Take any business, particularly of small or medium size.  Many of them will have adequate perimeter security in place for their IT systems  but place little restriction on how data held on those systems can be accessed  and used. &lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;How many of them have escalating levels of access  privilege according to the sensitivity of certain information? How many restrict  copying, editing or printing of files and data? 
We'd wager it's a fairly small  percentage.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;But won't  limiting access suggest I don't trust my employees?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;"That's really the wrong way to look at things," says  Lee Barney, Securm's Managing Director. "Ultimately, you need to protect your  data. It's the lifeblood of your business. Your employees should be given  appropriate access to it according to the role they fulfil. For example, a  junior administrator has no need to access key financial data or certain  functions of your Customer Relationship Management system, whilst your Finance  Director does."&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;How do I know  what access levels to impose?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;There's no easy answer to that one and you may find it's  a bit of trial and error. 
Working with each of your employees to understand what  systems and data they access in order to undertake their day-to-day work, and  why, is obviously important.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;It may be a case of trial and error to some extent but,  as we frequently conclude, it's a matter of taking a common-sense approach and  finding a solution that works best for your business.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;div class="Section1"&gt;&lt;div align="left" class="MsoNormal" style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-5193796059701999602?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/5193796059701999602/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/insider-threat-xmas-special-day-3.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5193796059701999602'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5193796059701999602'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/insider-threat-xmas-special-day-3.html' title='The Insider Threat - Xmas special day 3'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_QqJuA7XTtKA/TPkIEclYzmI/AAAAAAAAACc/fw_4SoATS3k/s72-c/Door+3.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-731724973991978334</id><published>2010-12-02T20:10:00.004Z</published><updated>2010-12-03T12:11:05.434Z</updated><title type='text'>Protecting your business from domain theft / hijacking - Xmas special day 2</title><content type='html'>&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;a href="http://1.bp.blogspot.com/_QqJuA7XTtKA/TPjPng6PV9I/AAAAAAAAACY/xBH4NJVfON8/s1600/Door+2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_QqJuA7XTtKA/TPjPng6PV9I/AAAAAAAAACY/xBH4NJVfON8/s1600/Door+2.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;When you set up your business, you most likely purchased  a domain name or series of domain names. They may include your business name –  www.thisismybusiness.co.uk - or a phrase that perfectly describes the service  you offer – www.wewashdogs.com. 
Either way, a domain name is the link to your  website and is the 'location' element of your email address.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;The last thing you'd want is for someone else to get  hold of it.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;That couldn't  happen, could it?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Unfortunately, it is the case that you could lose  control of your domain name and not know anything about it until it was too  late.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Really?!  How?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Yes, really.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;There are two main ways you can lose a domain  name.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Expiry – when you buy a domain name, you usually  register it for a period of time, let's say two years. If you fail to renew the  registration for a matter of days, or even hours in some cases, it becomes  available to purchase. 
If it's purchased by someone unwittingly, you may find  you have some recourse, but unscrupulous individuals know that they can  'legitimately' purchase the name and then hold you to ransom for it.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;You may think it wouldn't be possible to allow a domain  name to expire. But if it's registered to the company that designed your website  and they fail to renew, or worse have gone out of business, you can see how it  could happen.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;'Theft' – If an individual wishes to gain control of  your domain name, they could simply approach a hosting company other than the  one you are registered with, purport to be you and request a transfer. There is  no obligation upon your hosting company to confirm with you that you requested  the transfer. 
It's hard to believe but it's true.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;The good news is that many domain hosting companies  offer protection from domain theft and also have processes in place to ensure  you as the owner are notified of any requests to transfer.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;So how can I  protect my domain?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Some simple steps will help to ensure your domain name  stays safe:&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Register it in  your business's name;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Keep the  contact details held by your domain company up to date;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" 
style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Don't let it  expire;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Limit access to  the control panel of your domain;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Ensure your  domain hosting company offers domain theft protection;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 6pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span 
style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Place a  registrar lock on your domain name.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-731724973991978334?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/731724973991978334/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/protecting-your-business-from-domain.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/731724973991978334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/731724973991978334'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/protecting-your-business-from-domain.html' title='Protecting your business from domain theft / hijacking - Xmas special day 2'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_QqJuA7XTtKA/TPjPng6PV9I/AAAAAAAAACY/xBH4NJVfON8/s72-c/Door+2.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-3540073335446376044</id><published>2010-12-01T18:56:00.002Z</published><updated>2010-12-03T11:07:40.089Z</updated><title type='text'>How to get your employees interested in IT Security - Xmas special day 1</title><content type='html'>&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;span style="font-size: 11pt;"&gt;&lt;/span&gt;  &lt;br /&gt;&lt;div&gt;&lt;a href="http://3.bp.blogspot.com/_QqJuA7XTtKA/TPjPRn2v6iI/AAAAAAAAACU/4zfxDmC-W4M/s1600/Door+1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_QqJuA7XTtKA/TPjPRn2v6iI/AAAAAAAAACU/4zfxDmC-W4M/s1600/Door+1.jpg" /&gt;&lt;/a&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;IT systems are generally most vulnerable at the user  level. You can write as many policies and procedures as you like, but if your  employees do not understand them, or lack an appreciation of the impact of  certain actions, your IT Security may not be as robust as you would  wish.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Policies and procedures are just one element of an  effective IT security set-up. Training and awareness are equally important  components.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Through focused training, you can explain the importance  of IT and data security. 
And by heightening awareness of the implications of  certain actions, you can ensure your employees understand why they are banned  from social networking at work, charging their iPods, or connecting their  personal USB memory sticks to their work PCs, for example.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Training and awareness programmes do not have to be  classroom-based. Encouraging members of staff to identify potential breaches of  security and play a part in on-going IT security reviews can help to demonstrate  issues in a 'real-world' situation.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Engaging your employees in the process, and including  them in the formulation of policies &amp;amp; processes they understand, should  result in tighter IT and data security...and hopefully less 'fire-fighting' for  you.&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-3540073335446376044?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/3540073335446376044/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/12/how-to-get-your-employees-interested-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/3540073335446376044'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/3540073335446376044'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/12/how-to-get-your-employees-interested-in.html' title='How to get 
your employees interested in IT Security - Xmas special day 1'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_QqJuA7XTtKA/TPjPRn2v6iI/AAAAAAAAACU/4zfxDmC-W4M/s72-c/Door+1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-7135341162974099642</id><published>2010-11-29T09:15:00.001Z</published><updated>2010-11-29T09:15:45.166Z</updated><title type='text'>Is this the dawn of a new age of cyber-warfare, cyber-crime and cyber-terrorism?</title><content type='html'>&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;In June this year, a worm by the name of Stuxnet was  discovered by VirusBlokAda, a security firm in Belarus, on the computers of one  of its Iranian clients. The worm was subsequently found to have spread widely  through Iran, India and Indonesia.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Stuxnet is a Windows-specific worm capable of  identifying and reprogramming industrial control systems. It was first thought  that the worm had been designed to steal intellectual property and industrial  secrets. 
But its first iteration was found to specifically target two types of  frequency controller used in nuclear enrichment, which led many analysts to  conclude it had been designed to sabotage Iranian nuclear power plants,  including the Bushehr nuclear reactor.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Because of the sophisticated way the worm operates once  'installed', it was also believed by many that Stuxnet could only have been  designed by a Western nation state or, at least, with state support. Perhaps,  some speculated, this was a step towards cyber-warfare.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;How does it  work?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Computers and servers are primarily infected through the  attachment of USB devices since the types of systems targeted by Stuxnet are not  generally connected to the internet. Once installed it is capable of propagating  to other machines within a network and escalating its privileges so internet  access is possible. The worm does no harm to these Windows computers and  servers. It merely 'uses' them to help identify its real target, which is a  specific type of Programmable Logic Controller (PLC) made by Siemens, and access  the internet.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;What are  PLCs?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;PLCs are small devices that run all manner of automated  processes. 
They are used in factories, oil refineries, transport systems,  utilities provision, ATM networks and nuclear power plants, to give just a few  examples. A robotic arm in a car factory is a good example of something that's  controlled by PLCs.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Stuxnet can seek out PLCs controlled by a particular  type of Siemens software - SIMATIC WinCC/Step 7 – then embed itself and 'action'  changes by altering certain data. Whilst it's almost impossible to determine  their effect, the changes appear to be quite specific, leading many experts and  commentators to conclude that Stuxnet is aimed at gaining control of PLCs that  perform specific functions, perhaps even in a specific type of environment;  hence the conclusion that the targets were nuclear plants.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;It sounds  quite scary. Could things be worse?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;As we've already mentioned, it has been speculated that  Stuxnet's purpose was to sabotage the Iranian nuclear programme. Some might  actually argue that's no bad thing and, if it was aimed at reducing the  potential for nuclear proliferation in Iran, its purpose was for good. That's  questionable logic and it has to be pointed out there is no specific evidence to  suggest Stuxnet was intended for this purpose. 
Moreover, Iran denies its nuclear  programme is intended to develop weaponry.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Without wishing to scaremonger, the potential for  malicious use of Stuxnet is far greater if, as it is feared, criminal gangs have  gained access to the Stuxnet worm and are working on decrypting its  code.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;If they succeed in creating new variants of the worm,  who knows what systems they could attempt to gain control of? In theory, they  could gain access to ATM control systems and cause them to dispense all their  cash in one go. Great for passers-by, but not so good for the banks! At the  other extreme, they could bring a major manufacturer to its knees by sabotaging  its production lines, or hold a water company to ransom by blocking or diverting  supplies.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;But that would pale into insignificance if terrorist  groups were able to deploy Stuxnet. The impact and implications of a terrorist  gang gaining control of transport systems, particularly those that are fully  automated like the Docklands Light Railway in London, would be huge and could  result in mass fatalities. And what would be the outcome if they gained control  of a nuclear plant or weaponry systems?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;That sounds  even scarier? 
Are we looking at Armageddon?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It shouldn't come to that, but it does rely upon sense  prevailing.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;In terms of the way it works, Stuxnet is very  sophisticated and is likely to evolve, 'mutate' and proliferate. But the manner  in which it is deployed – the payload – is primitive by comparison. It primarily  relies upon connection of a USB device to a target computer, or a computer on  the same network, and is dependent upon being able to 'engineer' access to the  internet.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;So whilst its capacity for harm is great, its potential  could be greatly lessened by stringent and strictly enforced protocols. Indeed,  when it comes to the protection of key infrastructures like transport systems,  utilities provision and even systems underpinning financial institutions, it  could be argued that Governments should be laying down the law to the  organisations responsible for maintaining these infrastructures.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Given the manner in which Stuxnet is deployed and  functions, there are some basic preventative measures that should be  taken:&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpFirst align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: 
"&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Restrict or  block the use of USB devices on any critical control systems;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Ensure all  software patches are up-to-date;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Implement  regular monitoring for unusual network activity at user and access  levels;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle 
align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Make sure IT  security applications are fully functioning and up-to-date; and&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpLast align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Do not allow  systems that control key processes to have access to the Internet, whether  directly or via gateways to other networks.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We're not suggesting this will completely stop Stuxnet  in its tracks, but taking a common-sense approach to the problem should, at  least, limit its potential for harm and reduce its value to criminal gangs and  terrorist groups.&lt;/FONT&gt;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/8603369206500400146-7135341162974099642?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/7135341162974099642/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/11/is-this-dawn-of-new-age-of-cyber.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7135341162974099642'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7135341162974099642'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/11/is-this-dawn-of-new-age-of-cyber.html' title='Is this the dawn of a new age of cyber-warfare, cyber-crime and cyber-terrorism?'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-2699338671975509359</id><published>2010-11-23T17:14:00.001Z</published><updated>2010-11-23T17:14:26.290Z</updated><title type='text'>Cutting costs, not corners?</title><content type='html'>&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Following on from the recent publication of its  forecasts for global IT expenditure, Gartner has released its predictions for  specific markets in 2011. 
It doesn't make particularly good reading for Europe,  the Middle East and Africa (EMEA).&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The forecast for EMEA is a 1.3 per cent increase in  expenditure next year, but that comes off the back of an anticipated overall 2.1  per cent decrease this year. And for Western Europe, the story is even bleaker  with a 3.3 per cent decrease this year and only a compound annual growth of 0.8  per cent from 2010 to 2014.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The biggest contributors to the decline in spending are,  not unexpectedly, local authorities and national Governments, which reduced  expenditure across the board by 2.8 per cent. Worst hit by this decrease was IT  services, which has suffered a 5.6 per cent drop. Conversely, hardware  expenditure increased by 4.6%. The applied logic is that businesses can justify  replacing out-dated and perhaps inefficient equipment but not expenditure on  outsourced services.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;In the short-term, it may make some sort of business  sense to invest in infrastructure, but over the years to come the money may have  been better spent on outsourced services. This could be particularly true for  local authorities and Government bodies. 
Indeed, if investment was focused upon  developing secure, reliable Cloud-based services for such organisations, costs  could be substantially reduced whilst delivering greater efficiency and a host  of benefits that 'stand alone' IT infrastructures simply could not  provide:&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpFirst align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Enhanced  security;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Ease of access  to information;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  
style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Specialist  support;&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpLast align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Opportunities  for platform independent collaboration.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Our recent blog, "&lt;I  style="mso-bidi-font-style: normal"&gt;What is The Cloud?" &lt;/I&gt;discusses the  benefits of Cloud-based services in more detail, as well as covering some points  to consider before entrusting your IT requirements to The Cloud. &lt;A  href="http://blog.securm.co.uk/2010/11/what-is-cloud.html"&gt;Read  more&lt;/A&gt;.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Whatever route public/Government bodies decide to take,  one has to hope that they do not lose focus on IT Security and ensure they have  made effective provision to protect data and infrastructure. 
Cutting costs is  one thing. Cutting corners is another!&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;No-one would wish to see a repeat of the problems faced  by the Royal Navy after its website was hacked. Nor would they want to see data  losses like that experienced by Stoke-on-Trent Council when an unencrypted USB  device, containing court reports and details of care proceedings relating to 40  children, was mislaid.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;In both cases, the simple things appear to have been  overlooked. We've said it before, and we'll say it again. Get the basics right  first, then enhance where appropriate.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We've discussed these subjects before. If you've not had  an opportunity to read our blogs, why not click on the links below and take a  look?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;I  style="mso-bidi-font-style: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;That Sinking  Feeling &lt;/FONT&gt;&lt;/I&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;– Royal Navy website hacked: &lt;A  href="http://blog.securm.co.uk/2010/11/that-sinking-feeling.html"&gt;Read  more&lt;/A&gt;.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;I  style="mso-bidi-font-style: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;To USB or not  to USB &lt;/FONT&gt;&lt;/I&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;– Sensitive data on USB devices:  &lt;A href="http://blog.securm.co.uk/2010/01/to-usb-or-to-not-usb.html"&gt;Read  more&lt;/A&gt;.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;I&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Data Security – Belt 
&amp;amp; Braces, not Bells &amp;amp;  Whistles&lt;/FONT&gt;&lt;/I&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;SPAN  style="mso-bidi-font-style: italic"&gt; – Getting the basics right first: &lt;/SPAN&gt;&lt;A  href="http://blog.securm.co.uk/2010/10/data-security-belt-braces-not-bells.html"&gt;&lt;SPAN  style="mso-bidi-font-style: italic"&gt;Read more&lt;/SPAN&gt;&lt;/A&gt;&lt;/FONT&gt;&lt;SPAN  style="mso-bidi-font-style: italic"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-2699338671975509359?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/2699338671975509359/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/11/cutting-costs-not-corners.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2699338671975509359'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2699338671975509359'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/11/cutting-costs-not-corners.html' title='Cutting costs, not corners?'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-7697996057571415683</id><published>2010-11-19T11:19:00.001Z</published><updated>2010-11-19T11:19:57.618Z</updated><title type='text'>What is The Cloud?</title><content 
type='html'>&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Cloud computing is a new way of delivering IT services  over the Internet. It facilitates the sharing of resources, software and data,  and its biggest selling point is the fact it does away with the need for  businesses to invest heavily in IT infrastructure because everything can be  hosted off-site.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The Cloud itself is made up of a vast array of  computers, servers and storage devices. This aspect is often referred to as 'the  back end'. 'The front end' is what the client or computer user sees –  network/PC/laptop and the applications used.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;More and more businesses are turning to The Cloud for  both data and infrastructure hosting. 
The primary drivers are:&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l1 level1 lfo2"  class=MsoListParagraphCxSpFirst align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Reduced costs;  and&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l1 level1 lfo2"  class=MsoListParagraphCxSpLast align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;The  simplification of IT as a service. &lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 12pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;But how could it benefit your business? What things  should you consider before becoming reliant upon The Cloud? 
And what does the  future hold for Cloud Computing?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;How could it  benefit my business?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;As we've already mentioned, the primary benefit is  reduced expenditure on infrastructure and equipment. Not just in terms of  acquisition, but also on-going maintenance. In addition, businesses benefit from  the fact that applications and software can be accessed and utilised via The  Cloud, meaning no upfront purchase or high support costs. The only cost would be  a reduced licence fee.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Obviously every business is different, so you will need  to look at the possible short-term and long-term expenditure involved in a  Cloud-based solution against the cost of your own IT provision. 
But there are  other benefits that you simply will not get if you rely upon your own  infrastructure.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l2 level1 lfo3"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Specialist support&lt;/FONT&gt;&lt;/B&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt; – when you sign up to services in The Cloud, whether  from a single provider or a series of providers, you should receive technical  support from IT technicians who are specialists in particular applications, as  opposed to generalists who have to spread their time and knowledge supporting  anything from SQL Server to specialised facets of an IT infrastructure. 
This too  can contribute to cost savings for businesses.&lt;/FONT&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l2 level1 lfo3"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Ease of access to information&lt;/FONT&gt;&lt;/B&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt; – You can get to your data wherever you are,  independently of the hardware used to host it. 
Additionally, because you will be  running applications and accessing data virtually, the devices you use to access  them will not need to be so highly specified, so you may find that you will  not need to upgrade as frequently as technological advancement  dictates.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l2 level1 lfo3"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Security&lt;/FONT&gt;&lt;/B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt; – Some  say you can't have secure data in the Cloud but, if you choose the right  provider with the right credentials, your data could be far more protected than  it would be on your own networks. Reputable providers use fully secure Data  Centres and employ high-level encryption for both the transfer and storage of  your data.&lt;/FONT&gt;&lt;BR style="mso-special-character: line-break"&gt;&lt;BR  style="mso-special-character: line-break"&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;And since your data never needs to  be loaded on to any PC, laptop or other device, if equipment is ever lost or  stolen you won't face potentially embarrassing data losses. 
With the disclosure  earlier this year that encryption codes for certain 'secure' USB devices were  vulnerable to hacking and may actually have been cracked – devices upon which  many government and financial organisations rely – this is another notable  security benefit. Why not take a look at our blog about USB encryption? Click &lt;A  href="http://blog.securm.co.uk/2010/01/to-usb-or-to-not-usb.html"&gt;here&lt;/A&gt;.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 12pt 35.7pt; mso-list: l2 level1 lfo3; mso-add-space: auto"  class=MsoListParagraphCxSpLast align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Collaboration&lt;/FONT&gt;&lt;/B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt; -  In addition to the financial and security benefits, The Cloud can offer  businesses great scope for collaborative working, independent of disparate and  incompatible systems.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Are there any  other benefits?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;What we've covered are some of the key benefits to  
businesses. Wider benefits include the positive impact upon the  environment.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;A recent study commissioned by Microsoft found that  businesses running email, customer relationship and content sharing applications  on their own infrastructure could cut their computing carbon footprint by 30 per  cent or more just by moving operations to The Cloud.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;According to Microsoft, large data centres &lt;I  style="mso-bidi-font-style: normal"&gt;"…benefit from economies of scale and  operational efficiencies beyond what corporate IT departments can achieve.  Benefits become even more significant for a small business moving to the cloud,  where the net energy and carbon savings can be more than 90 per  cent&lt;/I&gt;".&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 12pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;To read the Microsoft press release, click &lt;A  href="http://www.microsoft.com/Presspass/press/2010/nov10/11-04CloudBenefitsPR.mspx?rss_fdn=Press%20Releases"&gt;here&lt;/A&gt;.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;What sort of  things do I need to consider?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It would be impossible to cover everything you need to  think about utilising The Cloud, but we've covered some of the things we think  most important. 
In essence, they all link back to ensuring the security of  your data and infrastructure.&lt;/FONT&gt;&lt;/P&gt; &lt;UL style="MARGIN-TOP: 0cm; MARGIN-BOTTOM: 0cm" type=disc&gt;   &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT    style="FONT-SIZE: 11pt"&gt;Can you see the Data Centre?&lt;/FONT&gt;&lt;/B&gt;&lt;FONT    style="FONT-SIZE: 11pt"&gt; - Some of the best value providers of Cloud services    have UK Data Centres, so it's worth going to take a look at them. You can tell    a lot just by seeing the setup. If it consists of a couple of servers in a    dusty old broom cupboard, you'll know to steer clear!&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT    style="FONT-SIZE: 11pt"&gt;Accreditation&lt;/FONT&gt;&lt;/B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;    - Is the provider and/or Data Centre accredited to ISO 27001, the    international standard for information security management? More importantly,    does the scope of accreditation cover the provision of Cloud-based services?    If not, look elsewhere.&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT    style="FONT-SIZE: 11pt"&gt;Replication&lt;/FONT&gt;&lt;/B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt; –    Does the provider replicate your data at another Data Centre, whether in the    UK or off-shore? 
A fall-back setup is a must.&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT    style="FONT-SIZE: 11pt"&gt;Data Protection&lt;/FONT&gt;&lt;/B&gt;&lt;FONT    style="FONT-SIZE: 11pt"&gt; – If your data is to be held off-shore, particularly    if it is outside of the European Union, make sure you are absolutely clear    where you stand as far as your obligations under the Data Protection Act 1998    are concerned.&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT    style="FONT-SIZE: 11pt"&gt;Encryption&lt;/FONT&gt;&lt;/B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt; –    Is the data encrypted at all stages? That is during transfer to and from your    own systems and at point of storage. If data is to be transferred off-shore,    are you sure that you will not be in breach of the laws governing    encryption/cryptography in any of the jurisdictions through which your data is    routed or in which it is stored? Who controls the keys and where are they    backed up?&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Backups – Who is responsible for    ensuring your data is backed up? Where are backups held (refer back to data    protection and encryption)? If it's all included in the service, is it an    individual document and incremental change level backup or a simple snapshot    backup? 
What can you afford and what suits your needs?&lt;/FONT&gt;    &lt;LI style="TEXT-ALIGN: justify; MARGIN: 0cm 0cm 6pt; mso-list: l0 level1 lfo1"    class=MsoNormal&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT    style="FONT-SIZE: 11pt"&gt;Fully managed&lt;/FONT&gt;&lt;/B&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;    – If you migrate data, infrastructure and backups to The Cloud, who manages    day-to-day operation? A fully managed service from a Cloud Provider should    mean greater security and that every glitch, flaw and problem is quickly    identified and addressed. But there are obviously cost implications. Establish    a balance that suits your requirements and budget.&lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt; &lt;P  style="TEXT-INDENT: -17.85pt; MARGIN: 0cm 0cm 12pt 35.7pt; mso-list: l0 level1 lfo1"  class=MsoNormal align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Internet connection&lt;/FONT&gt;&lt;/B&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt; – Can you ensure you and your employees have unfettered  access to the Internet at all times? 
This is fundamentally important since  access to your data is wholly dependent upon Internet access.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;So what does  the future hold for Cloud Computing?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We obviously don't have a crystal ball, so we can't  accurately predict the future for Cloud computing. But we can see it has the  potential to become the de facto IT solution for business, and we wouldn't be  surprised to see Governments around the world advocating, incentivising and even  prescribing its use in years to come, if only on the basis that it's greener and  can provide for greater security of data.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Indeed, as Cloud computing becomes ubiquitous we can  foresee Governments taxing businesses that operate their own, energy inefficient  IT infrastructure, perhaps levied according to carbon footprint. Steps might  also be taken to ensure Data Centres are subjected to regular assessment and  certification to ensure they meet defined standards that could even be enshrined  in law – in effect a Data Centre MOT.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;We would certainly like to see some form of regulation  introduced, or an 'industry standard' imposed. 
To our mind, regulation of the  use of The Cloud by UK businesses, and of Data Centres, by a UK Government  appointed body, backed by an enhanced ISO accreditation would be  preferable.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The fact is that The Cloud will continue to evolve and  the benefits it can offer to businesses will become harder to ignore. The future  is bright. The future is Cloud-shaped!&lt;/FONT&gt;&lt;/P&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;DIV class=Section1&gt;&lt;STRONG&gt;&lt;FONT  color=#808080&gt;&lt;/FONT&gt;&lt;/STRONG&gt;&amp;nbsp;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-7697996057571415683?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/7697996057571415683/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/11/what-is-cloud.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7697996057571415683'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7697996057571415683'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/11/what-is-cloud.html' title='What is The Cloud?'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-1412204359000303391</id><published>2010-11-16T15:47:00.001Z</published><updated>2010-11-16T15:47:55.605Z</updated><title type='text'>China Crisis? Part 2</title><content type='html'>&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 10pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;In our last blog, we talked about the problem of  substandard goods from China and the potential impact they could have upon your  IT Security. This time, as promised, we're going to give our thoughts on how to  spot the 'dodgy' traders and avoid purchasing items that at best are poor  quality and at worst pose a danger to you and your business.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Moreover, it's not just a problem of the quality of  goods but also of whose pockets are being lined by their sale. In a recent  statement, Crimestoppers in the UK warned shoppers against buying counterfeit  goods because their sale can help finance serious organised crime.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;The Crimestoppers Chairman, Lord Michael Ashcroft, said,  "Christmas is a time when many are trying to find ways to reduce costs. I would  urge the public not to be tempted to buy cheap fake goods. The consequences are  far wider than the simple transaction. 
It can fund serious crimes such as human  trafficking."&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;In this context, the goods in question range from  cigarettes to DVDs and electronic items.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;So is it easy  to spot these goods?&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;Not always, and as we said last time there's the  distinction between straight counterfeit goods and those that are 'look-alikes',  not that this necessarily makes a difference to the quality of goods or where  the money ends up.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;There really isn't a 'scientific' way to identify the  dodgy traders or the substandard goods. Gone are the days of spotting a shady  figure dealing CDs, DVDs and perfume out of suitcases at markets and on the high  street. Nowadays there's an international virtual marketplace open to everyone  and you are bombarded with what appear to be great deals from an array of  apparently genuine traders.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 12pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;First and foremost, remember the old adage, "If it seems  too good to be true, it probably is." 
If that doesn't sway you, look out for  what we think are some of the clever 'tricks of the trade' used in online  auction sites and marketplaces.&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpFirst align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Clever wording  – &lt;I style="mso-bidi-font-style: normal"&gt;Genuine Replacement Part&lt;B  style="mso-bidi-font-weight: normal"&gt; &lt;/B&gt;&lt;/I&gt;is something you see quite  regularly, often with a picture of a genuine item or a picture bearing a  manufacturer's logo. Laptop and mobile phone chargers are favourites for this.  The price is frequently less than half the cost of a genuine  manufacturer's replacement item and you're unlikely to receive an item that is  branded or endorsed by the manufacturer. But you've bought a replacement part  that is, genuinely, a replacement part! 
Argue your way out of that!&lt;/FONT&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpFirst align=justify&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Volume sales  and high feedback scores – Based upon anecdotal evidence, there is much to  suggest that certain traders sell high quantities of low value goods to each  other (or even to fake accounts) to build up their feedback scores. The accounts  with high feedback are then used to sell on the higher value and volume goods.  Obviously, the difficulty here is that there will be a lot of reputable sellers  with genuinely high feedback and we don't want to tar them with the same brush.  It's a case of taking into account everything else about the particular item and  seller – where are they based? How is the item described? Is the price too good  to be true?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;If you're not sure, it's worth  taking a look at the feedback a seller has received. Is it for the same type of  goods as you want to buy? 
Have they built up high feedback over a matter of  weeks or even days? Is feedback received on the same day an item ended? Does the  feedback actually correspond to a genuine sale? Is there exchange of feedback  between different accounts?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;In some cases you'll see the sellers  gain their feedback buying 1 penny lists. Their positive feedback is actually as  a buyer, not as a seller.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;UK Seller –  Often the seller is at great pains to point out they are UK-based, sometimes  with words like &lt;I style="mso-bidi-font-style: normal"&gt;Genuine UK Seller &lt;/I&gt;or  a UK flag emblazoned across the photos of items for sale, but provides no  specific location in the item listing. On certain auction sites and online  marketplaces, you can check the seller's location in their profile. 
You'd be  surprised how many sellers featuring a UK flag are located in China!&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Another 'giveaway' is the inclusion  of UK in the seller's name, e.g. Cheap_Chargers_UK. It's definitely worth  checking their profile if you see something like that.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;8 letter/digit  seller names – one eBay user who was scammed identified that many of the sellers  of dodgy Chinese goods have random 8 character usernames – e.g.  
dd8tywer.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Seller in one  location, goods in another – In some cases sellers appear to be based in one  country, but the items are dispatched from another, e.g. seller in the  Netherlands and item in Ireland. 
Ask yourself why that would be.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 0pt 36pt" class=MsoListParagraphCxSpMiddle  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=MsoListParagraphCxSpMiddle align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Extremely low  &lt;I style="mso-bidi-font-style: normal"&gt;Buy Now&lt;/I&gt; price – If the item is  genuine, why would someone try to sell it at a ludicrously low price?&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt 36pt" class=MsoListParagraphCxSpLast  align=justify&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;B  style="mso-bidi-font-weight: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;It sounds  like hard work. Surely there's an easier way.&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;It's a minefield at the best of times. 
If you really  start to look into it you could spend hours trying to spot the good from the bad  and never be quite sure if you'd got it right.&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;As we said right at the end of the last blog, steer  clear of auction sites and online marketplaces, particularly when it comes to  buying electrical and IT equipment for your business. We cannot stress  enough:&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=MsoNormal align=justify&gt;&lt;I  style="mso-bidi-font-style: normal"&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;When it comes  to equipment upon which your business is effectively reliant for stability,  functionality and security, our best advice is to only buy through established  and reputable suppliers, whether on the high street or  online.&lt;/FONT&gt;&lt;/I&gt;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-1412204359000303391?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/1412204359000303391/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/11/china-crisis-part-2.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/1412204359000303391'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/1412204359000303391'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/11/china-crisis-part-2.html' title='China Crisis? 
Part 2'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-4914828218119880064</id><published>2010-11-12T20:29:00.002Z</published><updated>2010-11-12T20:41:32.596Z</updated><title type='text'>China Crisis?</title><content type='html'>&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;With the Prime Minister and a 'UK trade delegation'  having recently paid a visit to China to forge economic and business links, we  thought we'd take a look at some of the pros &amp;amp; cons of Chinese trade. Not a  topic that has an obvious link to IT security, you would think, but you might be  surprised.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;a href="http://1.bp.blogspot.com/_QqJuA7XTtKA/TN2mYR2POtI/AAAAAAAAACQ/-5oIIGrUWdc/s1600/china_flag.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="149" src="http://1.bp.blogspot.com/_QqJuA7XTtKA/TN2mYR2POtI/AAAAAAAAACQ/-5oIIGrUWdc/s200/china_flag.JPG" width="200" /&gt;&lt;/a&gt;&lt;span style="font-size: 11pt;"&gt;China is now recognised as the second largest economy in  the world and it is still growing. 
As a manufacturing nation it is very much in  its infancy, but the proliferation of factories producing anything from clothing  to 'high-end' electrical and computer equipment is phenomenal.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;The plus side is that, for UK companies seeking quality  goods at rock-bottom prices, China can often prove to be a land of opportunity;  and consumers benefit from cheaper goods on the High Street.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Most of us can probably list the negatives that are  widely reported and discussed. These include:&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Difficulties  faced by many companies when doing business in China - often as a result of  ignorance of the languages, laws and customs of the land; but sometimes through  falling prey to conmen capitalising on China's new world status;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Loss of UK  manufacturing jobs; and&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 6pt 35.7pt; text-indent: -17.85pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;Reported poor,  even inhuman, working conditions in many of the factories.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;We're not going to dwell on these issues. They're for  another discussion. However, regarding the latter, the Chinese Government spoke  out on 8&lt;sup&gt;th&lt;/sup&gt; November saying that China should not be judged by Western  standards. Arguably it has a point.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;What we really want to talk about is the huge growth in  sales of grey and black market goods, particularly electrical items and computer  equipment. These items are usually either look-alike items (grey market) or  straight counterfeits (black-market).&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Take a look at any auction site or online marketplace  and you will see all manner of goods, all at a fraction of the cost of what you  might pay for a branded item. From MP3 players that look like iPods (and  purportedly function like them) to mobile phone &amp;amp; laptop chargers; and from  computer memory to residual current devices (RCDs). 
It's tempting to opt for  these items because they are so cheap. They seem like a real bargain. And they  would be…if you were getting an item of equivalent quality and functionality as  the branded item.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;What makes things worse is that the accompanying blurb  often says all the right things and the items may carry applicable mandatory  'safety marks' for the jurisdiction in which they are sold, like the CE mark in  Europe. Unfortunately the marks are often not genuine.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;These are generally grey market goods and, sadly, you  will often regret your decision to purchase. Hopefully this regret will only be  born out of disappointment that the item doesn't work quite as well as you'd  hoped.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;But spare a thought for those who come to regret their  decision as a result of a spectacular failure of the item purchased.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;The exploding  RCDs that were featured on TV. 
RCDs being the very devices you are reliant upon  to protect from electrical surge and electric shock;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;The laptop  charger that produced an amperage three times higher than its stated rating,  thus damaging the charging circuit and battery of the laptop;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;The 4GB MP3  players that when tested could cope with little more than 300MB of data and  contained malware to boot; and&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 6pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;The computer  memory that caused a 
BIOS failure and the shutdown of a key server on a  network.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;The really worrying thing is that IT technicians and  electricians are just as capable of being duped as the rest of us. The  opportunity to keep costs down by purchasing items that appear genuine branded  products, or just as good as them, at knockdown prices is not one to be sniffed  at. It's just that the goods aren't necessarily always what they seem. So you  could be unwittingly purchasing substandard and unsafe items from somebody who  purchased them in good faith.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Add to this the fact there are numerous reports and much  anecdotal evidence to suggest the sale of such goods supports organised crime,  perhaps even terrorism, and the problem is compounded even further. Action  really needs to be taken to stamp out this insidious trade. 
The most effective  action would be to stop it at source and close down the factories producing  these goods, which is something that should fall to the Chinese  Authorities.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 12pt;"&gt;&lt;span style="font-size: 11pt;"&gt;If they fail to act, maybe then they should expect to be  judged by Western standards.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;So where does  IT security feature in all of this?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;If you buy and install substandard IT equipment and  electrical items for your business systems, the savings you make at point of  purchase could be written off multi-fold if systems fail and data is lost as a  result of their use.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Earlier in this blog we touched upon some examples of  how shoddy goods had caused problems for unwitting buyers. 
Imagine them in the  context of your business for a moment; and consider the potentially devastating  outcomes.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;What would  happen if the RCDs in your server/communications room failed or, worse still,  exploded?&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;What sort of  damage could be caused if replacement mains chargers for laptops either surged  or caught fire?&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; text-indent: -18pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;If a USB device  containing sophisticated malware, viruses and key-loggers was 
connected to a  laptop, PC or server on your network, would you and/or your business's IT  security features be able to respond quickly enough to stop any harm to your  systems? Even if you could, you'd be spending valuable time dealing with  something that should never have been allowed to happen in the first  place.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 6pt 35.7pt; text-indent: -17.85pt;"&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font-size: 11pt;"&gt;·&lt;/span&gt;&lt;/span&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-size: 7pt;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt;"&gt;You've just  installed RAM to speed up your server. The online merchant described it as top  quality and based upon a recognised brand name, but it's actually poorly  manufactured, unstable and its capacity is less than a quarter of what was  claimed. At best your server will operate less efficiently than you had hoped.  At worst?&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 12pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Any of the disasters resulting from such situations  could have a major impact upon your IT systems and thus upon your IT security.  It's really not our intention to scaremonger, but this is a real and present  threat.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;How do I  avoid substandard electrical and IT equipment?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 12pt;"&gt;&lt;span style="font-size: 11pt;"&gt;It's not always easy to identify the good from the bad,  especially when shopping online. 
The bottom line is that online auction sites  and marketplaces might serve a purpose if you just want cheap and cheerful items  for personal use. But when it comes to equipment upon which your business is  effectively reliant for stability, functionality and security, our best advice  is to only buy through established and reputable suppliers, whether on the high  street or online.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Is there a  way of spotting the 'dodgy' suppliers?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Yes, but we'll cover that in the next blog…&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;To be continued.&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-4914828218119880064?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/4914828218119880064/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/11/china-crisis.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4914828218119880064'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4914828218119880064'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/11/china-crisis.html' title='China Crisis?'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_QqJuA7XTtKA/TN2mYR2POtI/AAAAAAAAACQ/-5oIIGrUWdc/s72-c/china_flag.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-3480122298374412499</id><published>2010-11-09T19:47:00.003Z</published><updated>2010-11-12T17:15:42.307Z</updated><title type='text'>That sinking feeling?</title><content type='html'>&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 10pt;"&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;On Friday 5&lt;sup&gt;th&lt;/sup&gt; November 2010, the Royal Navy  shut down its website after it was compromised by a Romanian hacker. As at 19:00  today, 9&lt;sup&gt;th&lt;/sup&gt; November, the website is still unavailable and is  displaying a message about essential maintenance.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;What exactly  happened?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Unsurprisingly, the Royal Navy is staying tight-lipped,  but it seems a hacker, known as TinKode, identified a vulnerability in the  website and used a method known as SQL injection to compromise it. 
The hacker  reportedly gained access to the login details of site administrators and users  and published them via a link posted on Twitter.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_QqJuA7XTtKA/TNpxyfti-NI/AAAAAAAAACM/QX-wQrUZOHA/s1600/Navy+Site.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="268" src="http://1.bp.blogspot.com/_QqJuA7XTtKA/TNpxyfti-NI/AAAAAAAAACM/QX-wQrUZOHA/s320/Navy+Site.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 12pt;"&gt;&lt;span style="font-size: 11pt;"&gt;The Royal Navy has strongly refuted any assertion that  classified information has been accessed and stated there has been no malicious  damage.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;That's a bit  worrying, isn't it?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;It is a concern, particularly given the type of  vulnerability believed to have been exploited – a known flaw in an internet  bulletin board site identified in July, which the software provider is said to  have since patched.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 12pt;"&gt;&lt;span style="font-size: 11pt;"&gt;It appears TinKode may have realised the Royal Navy had  been remiss in not ensuring the most up-to-date bulletin board software was  installed and took advantage of this fact.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;So what  should the Royal Navy have done?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" 
style="margin: 0cm 0cm 12pt;"&gt;&lt;span style="font-size: 11pt;"&gt;It is essential that any methods by which a site user  can enter information are checked for vulnerabilities before going live and any  updates applied as soon as they are available. Rigorous testing and a patch  management program (as a minimum) enforced by dedicated IT security specialists  would have helped guard against this attack.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Will this  have significant ramifications?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;The Royal Navy may have got off lightly. At this stage,  there does not appear to have been any major harm inflicted upon the site.  Perhaps it's lucky that the hacker in question is a "self-confessed security  enthusiast" whose motive was mischief and not malice. If malice had been behind  the attack things could have been far worse.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;What should also be borne in mind is that the site in  question is essentially a marketing vehicle for the Royal Navy and not a  critical operational site. It still doesn't excuse the situation  though.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 12pt;"&gt;&lt;span style="font-size: 11pt;"&gt;The most notable result of this attack is the  embarrassment caused. 
Not just to the Royal Navy but also to the Government,  which recently announced it was treating cyber defence as a key element of  national security and would make an additional £500 million available to bolster  it.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;b&gt;&lt;span style="font-size: 11pt;"&gt;Additional  funding! That's good, isn't it?&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Yes and no.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Arguably, the Royal Navy got the basics wrong. It goes  back to the opinion we put forward in our blog entitled &lt;i&gt;Data Security – Belt &amp;amp; Braces, not Bells  &amp;amp; Whistles&lt;/i&gt;; you have to get the basics right before you build upon them.  There's no point throwing money at something that is fundamentally flawed. 
It  would be a waste of valuable funding and, in this case, could potentially just  serve to fill the coffers of the larger technology consulting  companies.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify" class="MsoNormal" style="margin: 0cm 0cm 6pt;"&gt;&lt;span style="font-size: 11pt;"&gt;Focusing upon improving security of key technologies and  websites 'from the ground up' is the best approach and would be the most  effective use of the additional funding.&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-3480122298374412499?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/3480122298374412499/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/11/that-sinking-feeling.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/3480122298374412499'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/3480122298374412499'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/11/that-sinking-feeling.html' title='That sinking feeling?'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_QqJuA7XTtKA/TNpxyfti-NI/AAAAAAAAACM/QX-wQrUZOHA/s72-c/Navy+Site.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-7853411226783182196</id><published>2010-11-03T20:58:00.003Z</published><updated>2010-11-03T21:14:25.772Z</updated><title type='text'>Is the ICO’s bark worse than its bite?</title><content type='html'>&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Calibri'; font-size: 12pt;"&gt;&lt;div&gt;In April of this year, the Information Commissioner's Office (ICO) was  empowered to impose fines of up to £500,000 for serious breaches of data  security and the Data Protection Act (DPA) 1998. It seemed that data security  was going to have a real champion at last.&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/_QqJuA7XTtKA/TNHO5VUsVSI/AAAAAAAAACE/CYQvE-_dmgc/s1600/ico_logo.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="110" src="http://4.bp.blogspot.com/_QqJuA7XTtKA/TNHO5VUsVSI/AAAAAAAAACE/CYQvE-_dmgc/s200/ico_logo.gif" width="200" /&gt;&lt;/a&gt;Fast forward to 3rd November 2010 and one wonders whether the ICO has  simply been posturing since it was given these powers.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Why, what's happened?&lt;/b&gt;&lt;/div&gt;&lt;div&gt;You may have read that Google was taken to task earlier this year over  the interception of Wi-Fi data as it recorded images for Street View. In June it  faced questions from the US Congress about allegations it had carried out such  actions in over 30 countries! 
In August, it was cleared by the ICO in the UK  because initial investigations revealed that only fragments of data had been  'harvested'.&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://2.bp.blogspot.com/_QqJuA7XTtKA/TNHPojvhicI/AAAAAAAAACI/yew99kXI8Ts/s1600/google.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="100" src="http://2.bp.blogspot.com/_QqJuA7XTtKA/TNHPojvhicI/AAAAAAAAACI/yew99kXI8Ts/s200/google.jpg" width="200" /&gt;&lt;/a&gt;Well, subsequent investigations by 'various international privacy bodies'  established that the data acquired was, in some cases, far more detailed than  first thought. In fact, evidence was found that the data captured actually  contained complete emails, URLs visited and passwords. So, not the 'fragmentary  data' first described.&lt;/div&gt;&lt;div&gt;As a result, the ICO announced a further investigation, which was widely  reported on 2nd and 25th October. Authorities in some of the other 30 countries  also launched new investigations.&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Well that's good, isn't it?&lt;/b&gt;&lt;/div&gt;&lt;div&gt;It's good that the ICO decided to revisit the matter, but the speed and  outcome of this new investigation are rather disappointing. On 3rd November it  was reported that Google had effectively received a slap on the wrist from the  ICO and will avoid a fine simply by apologising and signing an undertaking that  it won't happen again.&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;At least Google has accepted responsibility.&lt;/b&gt;&lt;/div&gt;&lt;div&gt;Yes, but here was an ideal opportunity for the ICO to flex its muscle and  demonstrate it really does have teeth. 
Whilst there is no doubt the organisation  has worked hard to put data security breaches under the spotlight in the past  few months, it has yet to hand down a fine for such a breach since being given  its new powers in April. Hence the title of this blog!&lt;/div&gt;&lt;div&gt;There's also the fact it again raises concerns for businesses about the use  of unsecured Wi-Fi networks.&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;What concerns?&lt;/b&gt;&lt;/div&gt;&lt;div&gt;It might be argued that at least it was Google that captured the data and  not a criminal gang. But of course, we only know about the Google issue because  the company was forced to disclose it. Who knows the extent of data that could  be being captured with malicious intent?&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;If your employees use laptops or handheld devices over Wi-Fi networks that  are not secured, they could be inadvertently making business sensitive data  available to unauthorised individuals. 
It's well worth reviewing the security of  such devices and your organisation's policies and procedures for ensuring the  security of data held on them.&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-7853411226783182196?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/7853411226783182196/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/11/is-icos-bark-worse-than-its-bite.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7853411226783182196'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7853411226783182196'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/11/is-icos-bark-worse-than-its-bite.html' title='Is the ICO’s bark worse than its bite?'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_QqJuA7XTtKA/TNHO5VUsVSI/AAAAAAAAACE/CYQvE-_dmgc/s72-c/ico_logo.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-8259967748166586713</id><published>2010-11-02T13:41:00.002Z</published><updated>2010-11-02T14:55:20.870Z</updated><title type='text'>Latest Facebook privacy issues – a concern for businesses?</title><content type='html'>&lt;div dir="ltr"&gt;&lt;div style="color: black; font-family: 'Trebuchet MS'; font-size: 
12pt;"&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;Yet again, Facebook has been found wanting when it comes  to ensuring the privacy of its users. In short, settings intended to allow users  to limit or block access to their profiles can be easily bypassed.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_QqJuA7XTtKA/TNAmHWotInI/AAAAAAAAAB8/1cubGDg6c9k/s1600/facebook-logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://1.bp.blogspot.com/_QqJuA7XTtKA/TNAmHWotInI/AAAAAAAAAB8/1cubGDg6c9k/s200/facebook-logo.png" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;Amongst other things, it means that even 'private  profiles' are viewable by someone browsing lists of friends that include these  profiles. So all the information intended only for the eyes of a selected group  of friends is suddenly available to any visitor to Facebook.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;&lt;b&gt;So what has this got to do with the security of  data in my organisation?&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;On the face of it, you might argue it is of more concern  to the individuals who have profiles on Facebook that they thought were only  viewable by people they had accepted as friends.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;The trouble for businesses is that Facebook (and many of  the other online networking resources) can be an ideal resource for socially  engineering ways around data security measures. 
The more personal information  that's available about an organisation's employees online, the less work the  'cybercriminals' often have to do.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;&lt;b&gt;My organisation blocks the use of social  networking sites at work, so there's no problem, is there?&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;Blocking social networking sites helps but,  unfortunately, it's no guarantee of protection from attack. Your employees will  still use them at home and possibly on their mobile phones. They may provide  information about their families, their jobs, their birthdays and lots more. And  even if they've taken steps to make their profiles private, the latest reports  tell us these steps don't actually guarantee privacy!&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;This means that somebody looking to penetrate your IT  systems may simply have to set up a fake user profile on Facebook, perhaps  saying they once worked for your organisation or, if your organisation is large  enough, that they still do! They'll then start trying to identify people who  work for your organisation and start "friending" them and building up the trust of  their new-found friends.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;&lt;b&gt;What will these hackers  do?&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;They may simply harvest data that gives clues as to  passwords or security questions and then attempt to gain access to your systems.  
But the more sophisticated hackers could employ cross-site scripting bugs on your  website and generate a secured web page that looks as if it is a legitimate part  of your site.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;In one reported case, a link to such a web page was posted  on a fake user profile after only three days of "friending". The comment with  the link stated the organisation's systems may have been hacked and that  employees should log on to the secure page to verify and reactivate their  credentials.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;The hackers gained credentials that could have given  them access to all network systems. Luckily for the organisation in question,  the hackers were IT security experts and the activity was all part of an  authorised penetration test.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;&lt;b&gt;So what steps can I take to avoid these  problems?&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;An authorised penetration test, including social  engineering, is something you should at least consider. It will help to scope  any problems your organisation may face and make recommendations about how to  address them. You can then review your policies and procedures.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;But essentially it's a training and awareness issue. You  need &lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;to educate your employees and emphasise their  responsibilities. Through focused training – short courses, online training,  etc. – you can explain the importance of IT and data security and heighten  awareness. 
Above all, whilst &lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;social networking is an  obvious threat, the greatest imperative is to ensure your employees understand  why they should never give up security credentials or business sensitive  information to any 'unauthorised' person, in &lt;b&gt;any&lt;/b&gt;  circumstances.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family: Calibri;"&gt;If you can engender a culture of IT and data security  amongst your employees, with systems &amp;amp; policies in place that they  understand and "buy in to" you'll have won the biggest part of your  battle.&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-8259967748166586713?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/8259967748166586713/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/11/latest-facebook-privacy-issues-concern.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/8259967748166586713'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/8259967748166586713'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/11/latest-facebook-privacy-issues-concern.html' title='Latest Facebook privacy issues – a concern for businesses?'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://1.bp.blogspot.com/_QqJuA7XTtKA/TNAmHWotInI/AAAAAAAAAB8/1cubGDg6c9k/s72-c/facebook-logo.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-5526168236583227229</id><published>2010-10-30T08:50:00.001+01:00</published><updated>2010-10-30T08:50:58.492+01:00</updated><title type='text'>An extra hour in bed?</title><content type='html'>&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 12pt"&gt; &lt;P style="LINE-HEIGHT: 14pt"&gt;&lt;FONT color=#333333&gt;&lt;FONT face=Calibri&gt;Yes, we know  it has nothing to do with Security but we thought we'd remind you  anyway.&lt;BR&gt;&lt;BR&gt;As of tomorrow, Sunday 31st of October, at 2 a.m. all clocks in  the UK go back one hour.&lt;BR&gt;&lt;BR&gt;Also, have a great Halloween.&lt;BR&gt;&lt;BR&gt;The Securm  Team&lt;BR&gt;&lt;BR&gt;0800 612 4074&lt;/FONT&gt;&lt;/FONT&gt;&lt;BR&gt;&lt;A  href="http://www.securm.co.uk"&gt;&lt;FONT color=#2c68a6&gt;&lt;FONT  face=Calibri&gt;http://www.securm.co.uk&lt;/FONT&gt;&lt;/FONT&gt;&lt;/A&gt;&lt;BR&gt;&lt;/P&gt;&lt;IMG border=0  alt=""  src="http://gallery.mailchimp.com/19dd068224a6e0b03fe6a607b/images/clock.png"  width=273 height=263&gt;&lt;BR&gt;&lt;IMG border=0 alt=""  src="http://gallery.mailchimp.com/19dd068224a6e0b03fe6a607b/images/loggo.jpg"  width=285 height=89&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-5526168236583227229?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/5526168236583227229/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/10/extra-hour-in-bed.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5526168236583227229'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5526168236583227229'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/10/extra-hour-in-bed.html' title='An extra hour in bed?'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-5696148523669581317</id><published>2010-10-28T12:10:00.002+01:00</published><updated>2010-10-29T17:15:11.467+01:00</updated><title type='text'>Data Security – belt &amp; braces, not bells &amp; whistles.</title><content type='html'>&lt;div dir=ltr&gt;&lt;div style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 12pt"&gt;&lt;div  style="FONT-STYLE: normal; DISPLAY: inline; FONT-FAMILY: 'Calibri'; COLOR: #000000; FONT-SIZE: small; FONT-WEIGHT: normal; TEXT-DECORATION: none"&gt;&lt;div  style="FONT-STYLE: normal; DISPLAY: inline; FONT-FAMILY: 'Calibri'; COLOR: #000000; FONT-SIZE: small; FONT-WEIGHT: normal; TEXT-DECORATION: none"&gt;&lt;div dir=ltr&gt;&lt;div style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 12pt"&gt;&lt;div dir=ltr&gt;&lt;div style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 12pt"&gt;&lt;div&gt;&lt;font face=Calibri&gt;There is a lot written about data security these days.  It's a hot topic and it will remain so as long as data breaches and resulting  fines continue. 
An example is the recently publicised Zurich Insurance data  loss.&lt;strong&gt;&lt;font size=4&gt;*&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;The Information Commissioner's Office is responsible for  enforcing the Data Protection Act 1998 and has the power to fine companies up to  £500,000 for serious data security breaches. It can also pursue criminal action  against directors of companies responsible for such breaches. Whilst either is  bad enough in itself, the damage to reputation and integrity could ultimately  harm your company more. And for regulated financial companies, like Zurich,  there is also the prospect of fines and censure by the Financial Services  Authority (FSA).&lt;/FONT&gt;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;Data security is paramount, but it needn't be  complicated or unnecessarily expensive. It's primarily about adopting a common  sense approach and implementing robust policies and procedures. Most  importantly, you need to ensure all members of staff are aware of these policies  and procedures and understand the importance of keeping data secure. After all,  of the recently reported data security breaches the majority have resulted from  some form of human error and / or the failure to implement even the most  rudimentary protective measures.&lt;/FONT&gt;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;Once you have the basics in place, you can reinforce  your systems with other measures. But just make sure what you are buying into is  really what you need, and don't overcomplicate things. 
Identify what works for  your company and look for 'belt &amp;amp; braces', not 'bells &amp;amp;  whistles'.&lt;/FONT&gt;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;If you're not sure where to start, it would be worth  engaging the services of an expert information security consultancy company.  They can identify where your current systems and processes are vulnerable; provide  advice and guidance about how to test your systems; help you implement enhanced  security solutions; and even handle the secure destruction of data and the  disposal of old IT equipment.&lt;/FONT&gt;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;Although many see the latter as a minor concern in  comparison to other data security issues, the point at which data is no longer  required and/or is held on obsolete IT equipment can be one of the most  vulnerable stages of its lifecycle within an organisation. Many companies simply  stockpile obsolete IT equipment because they know the risks of insecure disposal  but are not aware of methods for secure destruction of data.&lt;/FONT&gt;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;Whilst taking a hammer to hard drives or memory sticks  may seem like a good idea, it simply isn't a viable solution to the problem and  carries with it other implications, not least a potential failure to comply with  the prevailing Waste Electrical and Electronic Equipment (WEEE) regulations.  
Yes, even hard drives and portable media devices are covered by these  regulations!&lt;/FONT&gt;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;As mentioned earlier, an expert company will guide you  through the data security maze and help you to identify and implement the right  solutions for your company. &lt;/FONT&gt;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;&lt;div&gt;&lt;font face=Calibri&gt;In summary:&lt;/FONT&gt;&lt;/DIV&gt;&lt;ul&gt;&lt;li&gt;&lt;font face=Calibri&gt;Take care of the basics of data security first;&lt;/FONT&gt;&lt;br /&gt;&lt;li&gt;&lt;font face=Calibri&gt;Implement robust policies and procedures;&lt;/FONT&gt;&lt;br /&gt;&lt;li&gt;&lt;font face=Calibri&gt;Educate members of staff and ensure they understand the    importance of data security;&lt;/FONT&gt;&lt;br /&gt;&lt;li&gt;&lt;font face=Calibri&gt;Be selective about what technical solutions you    implement;&lt;/FONT&gt;&lt;br /&gt;&lt;li&gt;&lt;font face=Calibri&gt;If you are unsure, seek the help of information    security experts; and&lt;/FONT&gt;&lt;br /&gt;&lt;li&gt;&lt;font face=Calibri&gt;Never forget, you are responsible for your company data    from acquisition to destruction.&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;div&gt;&lt;font size=4 face=Calibri&gt;* &lt;span  style="LINE-HEIGHT: 13pt; FONT-FAMILY: ; mso-bidi-font-family: 'Times New Roman'; mso-ascii-theme-font: minor-latin; mso-fareast-font-family: calibri; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin; mso-bidi-theme-font: minor-bidi; mso-fareast-language: en-us; mso-ansi-language: en-gb; mso-bidi-language: ar-sa"&gt;&lt;font  style="FONT-SIZE: 11pt"&gt;In August 2010 the Financial Services Authority found  Zurich Insurance had failed to ensure the security of customers' confidential  information, held on an unencrypted backup tape that was lost. 
The FSA decided  that whilst there was nothing to suggest any data had been compromised or  misused, the loss of 46,000 confidential records warranted a fine of  £2.275m.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-5696148523669581317?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/5696148523669581317/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/10/data-security-belt-braces-not-bells.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5696148523669581317'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5696148523669581317'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/10/data-security-belt-braces-not-bells.html' title='Data Security – belt &amp; braces, not bells &amp; whistles.'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-141942185117526941</id><published>2010-10-26T16:30:00.001+01:00</published><updated>2010-10-26T16:39:45.245+01:00</updated><title type='text'>It’s the FSA’s loss…</title><content type='html'>&lt;div dir="ltr"&gt;&lt;div&gt;On 18th October 2010, &lt;i&gt;Citywire&lt;/i&gt; reported that in the past three  years the Financial Services Authority 
(FSA) has lost 41 hardware items,  including laptops, Blackberries and memory sticks. Of these, only 11 were  reported as stolen. The rest were lost by FSA staff. This all came to light as  the result of a Freedom of Information request by  &lt;i&gt;Citywire&lt;/i&gt;.&lt;br /&gt;&lt;br /&gt;Drilling down further into the figures reveals that in  2010 alone, the FSA has reported 10 laptops, 7 Blackberries and 2 USB memory  sticks lost or stolen. In 2009, 8 laptops and 10 Blackberries were lost, whilst  in 2008 it was 2 laptops and 2 Blackberries.&lt;br /&gt;&lt;br /&gt;It should be pointed out  that the FSA did have generally effective security measures in place. All the  laptops and memory sticks were encrypted and the Blackberries were password  protected. As an additional measure, the FSA claimed, it had remotely disabled  the hardware in order to block further access to secure  information.&lt;br /&gt;&lt;br /&gt;There has been nothing so far to suggest any data has been  compromised or misused, but if the FSA is judged by its own standards it should  face some form of censure. Here are two examples of hefty fines it handed down  for failure to ensure data security:&lt;/div&gt;&lt;ol&gt;&lt;li&gt;In 2007, Nationwide Building Society was fined £980,000 when it was    discovered that a laptop, stolen from an employee's home, held confidential    customer information. The Society was not initially aware that such data was    held on the laptop and did not investigate the matter until three weeks after    the theft. The FSA found that Nationwide had failed to put in place "…adequate    information security procedures and controls…"&lt;br /&gt;&lt;/li&gt;&lt;li&gt;In August 2010 the FSA found Zurich Insurance had failed to ensure the    security of customers' confidential information, held on an unencrypted backup    tape that was lost. 
The FSA decided that whilst there was &lt;u&gt;nothing to    suggest any data had been compromised or misused&lt;/u&gt;, the loss of 46,000    confidential records warranted a fine of £2.275m.&lt;/li&gt;&lt;/ol&gt;&lt;div&gt;Maybe it's too soon after the disclosure, but nothing has yet been said  about potential action against the FSA for these losses, which raises the  obvious question of who is policing the regulator. Perhaps the task will fall to  The Information Commissioner's Office, the body responsible for enforcing the  Data Protection Act 1998. It has the power to impose fines of up to £500,000 for  serious data security breaches.  Only time will tell what, if anything,  will be done.  NB: It is worthy of note that however bad the FSA losses  sound, they pale into insignificance when compared to the Ministry of Defence  losses for the last two years – 220 laptops lost and 120 stolen. Worst of all,  less than half of the lost laptops were encrypted according to a Freedom of  Information request by a firm of technology  consultants.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-141942185117526941?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/141942185117526941/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/10/its-fsas-loss.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/141942185117526941'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/141942185117526941'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/10/its-fsas-loss.html' title='It’s the FSA’s 
loss…'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-2774296910848315715</id><published>2010-10-22T10:50:00.001+01:00</published><updated>2010-10-22T10:50:45.906+01:00</updated><title type='text'>Cloud computing - just how secure is your data?</title><content type='html'>&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 12pt"&gt; &lt;P style="LINE-HEIGHT: 13pt; MARGIN: 0cm 0cm 6pt" class=MsoNormal  align=justify&gt;&lt;FONT face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;The growth of  cloud computing services over the past 12 months has been phenomenal and it's  easy to understand why.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;Companies  can have access to a huge variety of productivity resources, share software  online and take advantage of incredible storage space, all at a fraction of the  cost of investing in their own infrastructure.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt; &lt;P style="LINE-HEIGHT: 13pt; MARGIN: 0cm 0cm 6pt" class=MsoNormal  align=justify&gt;&lt;FONT face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;It's what might  technically be referred to as a "no brainer". But what about security and what  control would you have if you gave your data up to 'The  Cloud'?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;There is growing disquiet about the  security of Cloud-based services amongst increasing numbers of IT professionals.  
Not least among their concerns is that what appears to be a single-provider service will generally rely  upon a number of third parties, and the number of third parties can grow  exponentially as the primary provider grows its business.  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;This can mean passwords and other  security information are shared amongst numerous providers, possibly without a  client organisation's knowledge. Whilst the service providers will, of course,  tell you that security is paramount, your data is entirely safe and their  systems are protected, it cannot be ignored that any system that has ever been  breached was once considered impenetrable.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;The fact that huge amounts of data  from a multitude of different organisations can often be held in one place makes  The Cloud increasingly attractive to cyber-criminals. If they could obtain the data,  or the security credentials, of these organisations through a single attack on a  Cloud-based provider their return on investment would be  huge.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;One shouldn't overlook the fact that  there are currently no recognised standards or measures of accountability to  which Cloud-based service providers must adhere. 
This is primarily because the  'industry' is very much in its infancy. Standards usually come with  maturity.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;And perhaps it's worth asking  yourself what the response of the Information Commissioner's Office or a  regulatory body such as the Financial Services Authority would be if your data  fell into the wrong hands and you tried to place the blame at the door of your  service provider?&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P style="LINE-HEIGHT: normal; MARGIN: 0cm 0cm 6pt" class=MsoNormal  align=justify&gt;&lt;FONT face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;This is not  intended to suggest that such services don't have their place, but the bottom  line is that relying upon Cloud-based providers is no substitute for an  organisation's own robust security measures.  
&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-2774296910848315715?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/2774296910848315715/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/10/cloud-computing-just-how-secure-is-your.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2774296910848315715'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2774296910848315715'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/10/cloud-computing-just-how-secure-is-your.html' title='Cloud computing - just how secure is your data?'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-7215211010363337704</id><published>2010-10-20T17:37:00.000+01:00</published><updated>2010-10-20T17:38:00.725+01:00</updated><title type='text'>Testing Times</title><content type='html'>&lt;DIV dir=ltr&gt; &lt;DIV style="FONT-FAMILY: 'Trebuchet MS'; COLOR: #000000; FONT-SIZE: 12pt"&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Organisations naturally rely upon the  numerous systems and controls they put in place for 
their data security and  integrity. But however well they appear to operate, there are times when the  only way of knowing that they are functioning correctly is to rigorously test  them and push them to their limits.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Many organisations wrongly believe  that if they have secure passwords, a firewall and anti-virus software they are  unlikely to be troubled by a data breach or information theft. But oversights  such as failure to fully validate an input form on a website, or simply  installing a patch to a server without checking the effect it might have on port  settings, can undermine even the best security systems.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P style="MARGIN: 0cm 0cm 6pt" class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;You cannot implement systems and  processes then just leave them to run unchecked. 
Without a strict testing regime  - a general rule of thumb is that Penetration Testing should be carried out at  least quarterly in most organisations - your networks could be open to misuse  and abuse, ultimately leading to loss of data through such circumstances  as:&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Inappropriate access controls  allowing unauthorised use; &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Human 
error, through ignorance or  disregard of processes; &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1"  class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;Hacking attacks; or  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P  style="TEXT-INDENT: -18pt; MARGIN: 0cm 0cm 6pt 36pt; mso-list: l0 level1 lfo1"  class=Default align=justify&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-fareast-font-family: symbol; mso-bidi-font-family: symbol"&gt;&lt;SPAN  style="mso-list: ignore"&gt;&lt;FONT face=Symbol&gt;&lt;FONT  style="FONT-SIZE: 11pt"&gt;·&lt;/FONT&gt;&lt;/FONT&gt;&lt;SPAN  style="LINE-HEIGHT: normal; FONT-FAMILY: "&gt;&lt;FONT face="Times New Roman"&gt;&lt;FONT  style="FONT-SIZE: 7pt"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN  style="FONT-FAMILY: ; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin"&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;'Blagging offences', where  information is obtained by deceit. 
&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt; &lt;P style="LINE-HEIGHT: normal; MARGIN: 0cm 0cm 6pt" class=MsoNormal&gt;&lt;FONT  face=Calibri&gt;&lt;FONT style="FONT-SIZE: 11pt"&gt;It's a common misconception that  Penetration Testing and other information security services are extremely  expensive. Whilst there will be providers who try to charge everything at a  premium, most will charge a fair rate for a high quality service - a service  that ultimately helps you to ensure the security of your networks and data.  &lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-7215211010363337704?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/7215211010363337704/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/10/testing-times.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7215211010363337704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7215211010363337704'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/10/testing-times.html' title='Testing Times'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-7942029350805757229</id><published>2010-09-07T13:36:00.000+01:00</published><updated>2010-09-07T13:36:46.823+01:00</updated><title type='text'>Securm becomes a Microsoft 
Refurbisher - Press release</title><content type='html'>For Immediate Release&lt;br /&gt;11:00hrs 7th September 2010 &lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_QqJuA7XTtKA/TIYxwGTTC_I/AAAAAAAAAB0/3cgomhNU4yQ/s1600/ms-Registered-Refurb_cL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="110" src="http://4.bp.blogspot.com/_QqJuA7XTtKA/TIYxwGTTC_I/AAAAAAAAAB0/3cgomhNU4yQ/s200/ms-Registered-Refurb_cL.png" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Securm Ltd has been accepted on to the Microsoft Registered Refurbisher Program&lt;br /&gt;&lt;br /&gt;Milton Keynes, 13:30 7th September 2010 – Securm, the specialist IT security company, is pleased to announce it has been accepted on to the Microsoft Registered Refurbisher Program. This means it can now deliver genuine preinstalled Microsoft software licences to its customers on the computer equipment it refurbishes.&lt;br /&gt;&lt;br /&gt;Securm’s services include data destruction, WEEE compliant disposal of IT equipment – which includes refurbishment of serviceable units - highly specialised Penetration Testing and Business Continuity Planning.&lt;br /&gt;&lt;br /&gt;Lee Barney, founder and Director of Securm, says, “We are delighted to have been accepted on to Microsoft’s Refurbisher Program. The Program will allow us to provide genuine Microsoft software on good quality, low cost equipment to a range of different customers, from individual consumers to small business and charitable organisations. 
Having genuine Microsoft software installed gives confidence to our customers because they know they will have legitimate access to all the updates and support that Microsoft provides.&lt;br /&gt;&lt;br /&gt;We will be able to refurbish and sell more IT equipment so there will be less to be destroyed and disposed of, which is better for the environment, and this in turn will help us reduce costs to the customers from whom we collect. So it’s a win-win situation all round.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-7942029350805757229?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/7942029350805757229/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/09/securm-becomes-microsoft-refurbisher.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7942029350805757229'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/7942029350805757229'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/09/securm-becomes-microsoft-refurbisher.html' title='Securm becomes a Microsoft Refurbisher - Press release'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_QqJuA7XTtKA/TIYxwGTTC_I/AAAAAAAAAB0/3cgomhNU4yQ/s72-c/ms-Registered-Refurb_cL.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-4038363570846874051</id><published>2010-05-05T09:07:00.002+01:00</published><updated>2010-05-05T09:07:19.505+01:00</updated><title type='text'>InfoSec 2010 pictures</title><content type='html'>It has been a while since our last post and we thought we should update you on what we have been up to.&lt;br /&gt;&lt;br /&gt;Last week Chris Brunning and Lee Barney went to InfoSec 2010 as Exhibitors. This was the first time that Securm had Exhibited at InfoSec so for those of you who met us there please do accept our apologies for our terrible sales pitches :)&lt;br /&gt;&lt;br /&gt;Below are a couple of pictures of ourselves and the stand at InfoSec 2010... see you there next year :)&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_QqJuA7XTtKA/S-EmFMKY0QI/AAAAAAAAABc/crFVLTgD3nA/s1600/chris3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_QqJuA7XTtKA/S-EmFMKY0QI/AAAAAAAAABc/crFVLTgD3nA/s320/chris3.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&amp;nbsp;&lt;a href="http://3.bp.blogspot.com/_QqJuA7XTtKA/S-El4PczEQI/AAAAAAAAABE/aYJaj_SPyu8/s1600/lee1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_QqJuA7XTtKA/S-El4PczEQI/AAAAAAAAABE/aYJaj_SPyu8/s320/lee1.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_QqJuA7XTtKA/S-El-putjUI/AAAAAAAAABM/nGnrEqjaNAQ/s1600/chris1.JPG" imageanchor="1" style="margin-left: 
1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_QqJuA7XTtKA/S-El-putjUI/AAAAAAAAABM/nGnrEqjaNAQ/s320/chris1.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_QqJuA7XTtKA/S-EmB-Xk2xI/AAAAAAAAABU/a31YxXVceqc/s1600/chris2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_QqJuA7XTtKA/S-EmB-Xk2xI/AAAAAAAAABU/a31YxXVceqc/s320/chris2.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_QqJuA7XTtKA/S-EmF92WShI/AAAAAAAAABk/oV1ip5vBgxI/s1600/lee2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_QqJuA7XTtKA/S-EmF92WShI/AAAAAAAAABk/oV1ip5vBgxI/s320/lee2.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&amp;nbsp;Clearly we could only take the photos when we weren't busy :) At least you can see our stand...&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/4038363570846874051/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/05/infosec-2010-pictures.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4038363570846874051'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4038363570846874051'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/05/infosec-2010-pictures.html' title='InfoSec 
2010 pictures'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_QqJuA7XTtKA/S-EmFMKY0QI/AAAAAAAAABc/crFVLTgD3nA/s72-c/chris3.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-2726916246189132838</id><published>2010-03-19T12:06:00.002Z</published><updated>2010-03-19T14:22:33.538Z</updated><title type='text'>Political Warfare</title><content type='html'>Hacking. It is a word that inspires fear into the hearts of literally thousands of Administrators every day. You may ask how they sleep at night, knowing that prying fingers are playing with their sites, looking for that one mistake that was made, ready to pounce and do something nasty? They sleep because they probably don't consider themselves a target, they will say something like, there are bigger and better companies out there who should be more worried about it than me... To an extent they are right, of course I am not saying that smaller companies should neglect their security or stop having regular pen tests etc, but what I am saying is that they need to look at the risk involved...&lt;br /&gt;&lt;br /&gt;So let’s talk politics... In the UK we have an election at least every 4 years. So what does that mean to the average MP? Well it means that they should be dusting off their posters, flyers and campaign plans&amp;nbsp; at about the 3 years 6 months mark. 
They know that putting posters up will probably get a few defaced (see below).&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_QqJuA7XTtKA/S6NnGnmfueI/AAAAAAAAAA8/9WQn6BM8LIo/s1600-h/tory+poster.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_QqJuA7XTtKA/S6NnGnmfueI/AAAAAAAAAA8/9WQn6BM8LIo/s320/tory+poster.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Generally, though, they know that most will be safe from the prying fingers and aerosol cans of bored teenagers and political activists. But stop there: what if there was a way to get around every leaflet, every poster and every calling card and change them to anti-party messages? Don't worry, there is no way to literally do that, but with 66.3% of the population under the age of 64 (according to Wiki), you can be sure that most of them have access to the internet, and you can be sure that in the run-up to an election they will be taking another look at their candidates' websites... So it is a surprise to see that security on these sites is not taken at all seriously. Recently we have seen a number of attacks against the Conservative Party and Labour Party political websites:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bit.ly/a5WVje"&gt;Tory Site Defaced&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bit.ly/cq9JYN"&gt;Harriet Harman Twitter account hacked (BBC)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bit.ly/d8dlXu"&gt;Climategate&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Why does this happen? Imagine you’re a candidate or sitting MP: for 3 out of 4 years, your website hasn't really been used or looked at. Lest we forget, 4 years ago we didn't use the net as much as we do now. 
Essentially, politicians aren't moving with the times: their sites have had their content updated but the security and coding have stayed the same. 4 years to a politician is a long time... it is the span of their political office... 4 years to a hacker is more than a lifetime!&lt;br /&gt;&lt;br /&gt;My message to all the politicians out there: Stop. Look. Listen. And get your websites scanned, fixed and updated!&lt;br /&gt;&lt;br /&gt;BTW, if you or anyone you know has been affected by the issues mentioned above then call the Securm confidential hotline on 0800 612 4074 – we can help.</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/2726916246189132838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/03/political-warefare.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2726916246189132838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2726916246189132838'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/03/political-warefare.html' title='Political Warfare'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_QqJuA7XTtKA/S6NnGnmfueI/AAAAAAAAAA8/9WQn6BM8LIo/s72-c/tory+poster.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-4645329328203475745</id><published>2010-03-12T16:38:00.000Z</published><updated>2010-03-12T16:38:41.013Z</updated><title type='text'>Facebook or Faceplant</title><content type='html'>In recent years Facebook has emerged as the top social networking site, surpassing competitors such as MySpace and Friends Reunited. With over 200 million users, and everyone asking: ‘Are you on Facebook?’ – this website has become a pervasive part of our lives.&amp;nbsp; This raises cause for concern with regards to the use of the social networking and the need for security within the workplace.&lt;br /&gt;&lt;br /&gt;Certainly one issue falls under the category of privacy. We’ve all heard the taboos about keeping our profiles private, in order to protect our personal data.&amp;nbsp; That’s right. Your sensitive, private information is there; indefinitely stored on their servers. And all Facebook employees have access to it.&amp;nbsp;&amp;nbsp; And if they decided to move their servers to house them somewhere with less scrupulous data regulations, who would then have access to ALL of our personal information?&lt;br /&gt;&lt;br /&gt;The availability of personal information such as passwords, birthdays, and names of family members can pose a very big problem. For instance – such information as ‘place of birth’ and ‘mother’s maiden name’ are required when logging onto secure websites such as online banking systems – these are readily available via Facebook, whether hidden or not. Also, because most of us tend to use the same or similar passwords for all our online accounts – it means that if someone gains access to our Facebook password, they potentially have access to our workplace computing systems. &lt;br /&gt;&lt;br /&gt;Facebook (and most social networking sites) are also a breeding ground for the spread of computer viruses. 
A recent outbreak, spread via the automated posting of links on users’ walls, directs the user to a virus download called ‘Koobface’. The link in question is made to look like a post from a trusted friend, misleading the user into clicking and downloading malware which infiltrates the system, stealing personal information and, at times, reporting keyboard tracking to the mother site. This presents another very serious problem for the use of Facebook within a business or work environment.&lt;br /&gt;&lt;br /&gt;So is the solution to ban all your employees from using Facebook? Not at all.&amp;nbsp; Ensure that your organisation develops a policy for the use of social networking sites in the workplace and encourage your employees to be security conscious.&lt;br /&gt;&lt;br /&gt;Let them use it at work, but rigorously test your information security systems to ensure that they are ISO27001 compliant; then you can ensure that you meet the latest legislation on data protection compliance.&amp;nbsp; After all, regardless of Facebook, if your data is lost or stolen, you could face a fine of up to £500,000 from the Ministry of Justice.&lt;br /&gt;&lt;br /&gt;Seek out an experienced and qualified information security specialist to debunk the myths and fully secure your electronic perimeter.</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/4645329328203475745/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/03/facebook-or-faceplant.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4645329328203475745'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/4645329328203475745'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/03/facebook-or-faceplant.html' title='Facebook or Faceplant'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-113277106057157372</id><published>2010-03-04T10:13:00.000Z</published><updated>2010-03-04T10:13:49.535Z</updated><title type='text'>Top Gun - Information security quotes</title><content type='html'>Before we begin let me start by saying this. Occasionally our sales guys like to have a little fun on the phone and we have this bug board at work where they try and get quotes or puns in whilst speaking to clients. The trick is to do it so well that you wouldn't know that they were doing it... On the flipside it is hilarious to listen to. So I have picked seven quotes from the greatest movie of all time... &lt;b&gt;TOP GUN&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;span id="goog_1267697207194"&gt;&lt;/span&gt;&lt;span id="goog_1267697207195"&gt;&lt;/span&gt;&lt;a href="http://www.blogger.com/"&gt;&lt;/a&gt;&lt;a href="http://4.bp.blogspot.com/_QqJuA7XTtKA/S4-HbAceCSI/AAAAAAAAAA0/YOBIefnn2X4/s1600/topgun-logo_empatch.jpg" imageanchor="1"&gt;&lt;img border="0" height="200" src="http://4.bp.blogspot.com/_QqJuA7XTtKA/S4-HbAceCSI/AAAAAAAAAA0/YOBIefnn2X4/s200/topgun-logo_empatch.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The trick in our case is that they have to somehow relate to Information Security... 
If you think it's easy then try it when you’re on the phone.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;It's classified. I could tell you, but then I'd have to kill you. &lt;/li&gt;&lt;li&gt;Yes ma'am, the data on the ***Insert product here*** is inaccurate. &lt;/li&gt;&lt;li&gt;That son of a b**** cut me off! ***Usually used when someone hangs up the phone ***&lt;/li&gt;&lt;li&gt;This is what I call a target-rich environment. &lt;/li&gt;&lt;li&gt;That's a negative, Ghost Rider.&lt;/li&gt;&lt;li&gt;I can see it's dangerous for you, but if the government trusts me, maybe you could.&lt;/li&gt;&lt;li&gt;Had the shot there was no danger so I took it...&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;Finally - the most inappropriate Top Gun quote to use on the phone... ever&lt;br /&gt;&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 8. Goose you big sssssstttttuuuuuud, take me to bed or lose me forever. &lt;br /&gt;If you have any better quotes please leave a comment below, or &lt;a href="http://www.twitter.com/securm"&gt;tweet us here&lt;/a&gt;.</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/113277106057157372/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/03/top-gun-information-security-quotes.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/113277106057157372'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/113277106057157372'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/03/top-gun-information-security-quotes.html' title='Top Gun - Information security 
quotes'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_QqJuA7XTtKA/S4-HbAceCSI/AAAAAAAAAA0/YOBIefnn2X4/s72-c/topgun-logo_empatch.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-2393415602048320246</id><published>2010-03-02T16:07:00.001Z</published><updated>2010-03-02T16:12:19.058Z</updated><title type='text'>Need to keep your data safe?.... Just Encrypt it</title><content type='html'>As of today (March 1st 2010) the state of Massachusetts in the USA has put in place the most comprehensive set of information security regulations across America.  The regulations include Physical Security Controls, Administrative Security Controls and Technical Security Controls.  It looks to be an impressive attempt by authorities to curb the threat to personal and private data and lead the way for the rest of the country.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_QqJuA7XTtKA/S404tJ6PFbI/AAAAAAAAAAs/HrZafNWCnBA/s1600-h/binary+lock.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_QqJuA7XTtKA/S404tJ6PFbI/AAAAAAAAAAs/HrZafNWCnBA/s320/binary+lock.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;But what about the UK? No such controls exist.  Certainly there are some legislative requirements for certain industries, but instead of forcing companies to do things the old way, using firewalls and encryption, we should be insisting upon them taking the risk of security penetration seriously.  
&lt;br /&gt;&lt;br /&gt;For instance, in Hong Kong, the banks are all obliged by law to adopt ISO27001.  This ensures that they analyse and assess their risk and that correct measures and controls are put into place to address the issues raised.  It doesn’t force them down a particular technological path, but it allows companies to see where things have gone wrong (or could), rather than simply blaming the systems.&lt;br /&gt;&lt;br /&gt;This month, the annual RSA Conference meets in California to discuss data security measures. Both Government agencies and private companies will gather to share and debate the latest advances in information security and look at ways to implement more effective solutions.&lt;br /&gt;&lt;br /&gt;But in the UK, we need to pressure government to insist that companies address the security threat to their information use and storage.  Government agencies are already required to adopt ISO27001, why shouldn’t everyone else comply too?  We might not be able to stop all information security attacks occurring, but we’d be better prepared to deal with things when a breach occurs and to learn from that experience.&lt;br /&gt;&lt;br /&gt;As more and more businesses across the UK depend upon the Internet and Information Technology to run their business, the issue of information security has become increasingly vital.  
Even if the Government does not force your business to meet the latest ISO27001 standards, take a leaf out of Hong Kong’s book and get in ahead of the curve.</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/2393415602048320246/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/03/need-to-keep-your-data-safe-just.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2393415602048320246'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2393415602048320246'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/03/need-to-keep-your-data-safe-just.html' title='Need to keep your data safe?.... 
Just Encrypt it'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_QqJuA7XTtKA/S404tJ6PFbI/AAAAAAAAAAs/HrZafNWCnBA/s72-c/binary+lock.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-2278886161428932456</id><published>2010-03-02T12:05:00.001Z</published><updated>2010-03-02T12:07:32.528Z</updated><title type='text'>Open Source, to saucy for the enterprise?</title><content type='html'>Only a few years ago many companies would have shuddered at the thought of using Open Source software, but times are changing.&amp;nbsp; Mozilla’s Firefox, which according to web analysis firm Net Applications is second only to Internet Explorer as the world’s most popular Internet browser, is actually a very successful piece of open source secure software.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Open Source software is no longer a thing to be afraid of, in fact, I often find that much of the open source software now available is taking great leaps in providing user-friendly, secure tools, with a surprisingly decent amount of support!&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img border="0" height="197" src="http://3.bp.blogspot.com/_QqJuA7XTtKA/S4z-ylPuXMI/AAAAAAAAAAk/dRnXPf4FXcY/s200/firefox-logo.png" width="200" /&gt;&lt;/div&gt;But I must add a word of caution here though. Not all open source software is going to be as secure as the next, so there is still a matter of Risk Assessment involved. 
There will be glitches and security issues that may cause vulnerabilities, but as long as you keep up-to-date with any software updates and patches, and report any issues that you have, then open source software can be trusted as much as private source software. Actually, open source software is usually more readily patched than something like Internet Explorer, for example.&lt;br /&gt;&lt;br /&gt;Equally, private source software is also open to security issues. Most recently you will have heard of the Google hack in China that was only possible through a vulnerability in Microsoft’s Internet Explorer.&amp;nbsp; Yet the Open Source Firefox and its many useful add-ons (like Firebug) were not compromised and are now being increasingly recommended by professionals in many industries for their security, stability, compatibility and ease of use.&lt;br /&gt;&lt;br /&gt;One of the major shifts in the last few years is also the ‘general’ computing and software knowledge of your staff. People are savvier when it comes to software, they are clued in on potential threats and they don’t tend to panic as much when something goes wrong. &lt;br /&gt;&lt;br /&gt;So yes, open source software can (with certain security caveats) be trusted. 
It may not be perfect (plenty of private source software is far worse) but if you can commit to checking and updating the software regularly (which you should be doing anyway), and give the developers useful feedback, then you will find that it should grow to meet your needs and keep you safe online.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-2278886161428932456?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/2278886161428932456/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/03/open-source-to-saucy-for-enterprise.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2278886161428932456'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2278886161428932456'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/03/open-source-to-saucy-for-enterprise.html' title='Open Source, to saucy for the enterprise?'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_QqJuA7XTtKA/S4z-ylPuXMI/AAAAAAAAAAk/dRnXPf4FXcY/s72-c/firefox-logo.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-2691945911364412497</id><published>2010-02-25T10:44:00.000Z</published><updated>2010-02-25T10:44:07.173Z</updated><title type='text'>Social Media Scams</title><content type='html'>This isn’t a 
news flash; I think by now most people know about the Twitter scam that is going around at the moment. If you are reading this then &lt;b&gt;CHANGE YOUR PASSWORD NOW&lt;/b&gt;. This goes for your MySpace and Facebook accounts and even your computer passwords if they are similar (I imagine that they are...).&lt;br /&gt;The scam is quite a simple one: essentially, a group of Chinese scammers has set up login pages for popular social networking sites with the aim of collecting passwords.&amp;nbsp; They trick you into following a link using URL shortening services such as tr.im (which doesn’t allow you to expand the URL the way bit.ly does) with a message similar to&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_QqJuA7XTtKA/S4ZURAlscSI/AAAAAAAAAAU/CSthAP10wgY/s1600-h/Hacked.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_QqJuA7XTtKA/S4ZURAlscSI/AAAAAAAAAAU/CSthAP10wgY/s320/Hacked.bmp" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Of course, because it’s one of your followers (a genuine real person) and you are curious, you follow the link. You are now prompted to re-authenticate to Twitter. The page that you are asked to authenticate on is actually hosted in China; the one for the above attack was at this URL:&lt;br /&gt;&lt;br /&gt;http://twitter.login.kevanshome.org/login/?k9u2b&lt;br /&gt;&lt;br /&gt;This clearly isn’t Twitter or MySpace. 
Of course, if it wasn’t for the helpful people at Mozilla Firefox, why would you think to look at the URL?&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_QqJuA7XTtKA/S4ZUYWdiihI/AAAAAAAAAAc/oMuNEQjXFWM/s1600-h/Blocked.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_QqJuA7XTtKA/S4ZUYWdiihI/AAAAAAAAAAc/oMuNEQjXFWM/s320/Blocked.bmp" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Note that Windows Internet Explorer doesn’t pick up on this....&lt;br /&gt;&lt;br /&gt;Of course you should, but not many people do... and thus a number of people are attempting to re-authenticate themselves and therefore giving their details away.&lt;br /&gt;&lt;br /&gt;So check the DMs that you have sent out, check your sent items in your network accounts and if you see any messages that you don’t recognise then &lt;b&gt;CHANGE YOUR PASSWORDS&lt;/b&gt;. In fact, &lt;b&gt;CHANGE YOUR PASSWORDS ANYWAY&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Lessons to learn?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;As I am always telling anyone who will listen, don’t click on links sent to you in whatever form they come in, be it DMs or emails, especially if they are from a “trusted” source. Always cut and paste the URL into the address bar and if it has been shortened, expand it first. Look at the URL before you enter it or attempt to traverse to it, then STOP. Don’t hit enter; take it to a web proxy service such as http://www.daveproxy.co.uk and enter it there. View the page and only then, if you trust it, visit it.&lt;br /&gt;When it comes to using the internet, be very, very careful. 
Don’t take things at face value and don’t click on links.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Network Admins &lt;/b&gt;&lt;br /&gt;&lt;br /&gt;I know a lot of you out there already know this stuff, but remember that, as responsible netizens, we should be continuously warning people of these things. A simple password hack like this can lead to a corporate network being compromised just because the user used the same password... If you’re a network admin reading this, are you sure that no one in your organisation uses the same password for their corporate VPN access as they do for their Twitter or Facebook account?&lt;br /&gt;&lt;br /&gt;On a final note, push out Internet Explorer and get in Firefox...</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/2691945911364412497/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/02/social-media-scams.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2691945911364412497'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/2691945911364412497'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/02/social-media-scams.html' title='Social Media Scams'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://1.bp.blogspot.com/_QqJuA7XTtKA/S4ZURAlscSI/AAAAAAAAAAU/CSthAP10wgY/s72-c/Hacked.bmp' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-1238668387100225462</id><published>2010-02-16T15:04:00.000Z</published><updated>2010-02-16T15:04:47.941Z</updated><title type='text'>Top 20 Cloud Puns... we never said that they were funny</title><content type='html'>After a couple of minutes talking about puns to use when calling cloud based companies we came up with the following. Any of you got any others out there, please let us know on &lt;a href="http://twitter.com/securm"&gt;Twitter&lt;/a&gt; or &lt;a href="mailto:info@securm.co.uk"&gt;email&amp;nbsp;&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Some of your policies are a too high level&lt;/li&gt;&lt;li&gt;Do you want to reign above the competition&lt;/li&gt;&lt;li&gt;Using our service will help you see the blue sky beyond&lt;/li&gt;&lt;li&gt;We think that your security vision is a little foggy&lt;/li&gt;&lt;li&gt;Perhaps your perimeter is blurred&lt;/li&gt;&lt;li&gt;With securm.co.uk the sky is the limit&lt;/li&gt;&lt;li&gt;Are you worried that data leaks could dry up your business&lt;/li&gt;&lt;li&gt;We can help your business soar above the rest&lt;/li&gt;&lt;li&gt;Just turn on the fog lights to see the road ahead&lt;/li&gt;&lt;li&gt;We can steer your way through cloud cuckoo land&lt;/li&gt;&lt;li&gt;(in relation to security breaches) it never rains but it pours&lt;/li&gt;&lt;li&gt;Where will my data be stored in the clouds? 
Heaven knows&lt;/li&gt;&lt;li&gt;What’s the weather like where you are&lt;/li&gt;&lt;li&gt;Securm.co.uk the service with the silver lining&lt;/li&gt;&lt;li&gt;We leave you walking on cloud 9&lt;/li&gt;&lt;li&gt;Don't leave your head in the clouds&lt;/li&gt;&lt;li&gt;Being on the leaking edge of the cloud&lt;/li&gt;&lt;li&gt;In the midst of opportunity you appear&lt;/li&gt;&lt;li&gt;SaaS providers thinking is sometimes clouded&lt;/li&gt;&lt;li&gt;Cloud companies are always thinking blue sky but it often wanes&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-1238668387100225462?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/1238668387100225462/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/02/top-20-cloud-puns-we-never-said-that.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/1238668387100225462'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/1238668387100225462'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/02/top-20-cloud-puns-we-never-said-that.html' title='Top 20 Cloud Puns... 
we never said that they were funny'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-5996881570122753612</id><published>2010-01-25T11:50:00.001Z</published><updated>2010-01-25T11:50:08.629Z</updated><title type='text'>To USB or to not USB</title><content type='html'>&lt;div class=Section1&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;Do you remember in 2008, when a British Government contractor lost a USB device containing the details of the UK prison population?&amp;nbsp; Of course, they encrypted all the data so they didn&amp;#8217;t reveal this sensitive information to anyone that found it, didn&amp;#8217;t they? &lt;b&gt;No.&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;Or perhaps you recall that last year the Scottish NHS admitted losing a USB data stick with the personal medical records of 137 individuals on it?&amp;nbsp; Of course, because information security is a priority for the data held by the NHS, they surely found a way to make device unreadable to those without security clearance? 
&lt;b&gt;No.&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;b&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;What about...2008, when a Leicestershire nurse lost a USB drive containing the names, addresses, date of birth and phone number of 80 young children.&amp;nbsp; &lt;b&gt;All unencrypted data&lt;/b&gt;.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;Okay, you get the point.&amp;nbsp; Using unencrypted USBs for your business or organisation is an information security nightmare.&amp;nbsp; So what&amp;#8217;s the solution?&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;The first is not to store sensitive data on removable or portable drives.&amp;nbsp; That may be easier said than done, but it is the common sense approach.&amp;nbsp; Some government agencies have made it a sackable offense for staff to possess USB devices at work, and that immediately reduces the risk.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;But surely, you can just invest in encryption technology? Software or the latest built-in encryption should be a workable solution. 
On the surface, that sounds like a sensible strategy, but let&amp;#8217;s look at how this may be an even more disastrous decision:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;You&amp;#8217;ve bought your organisation 10,000 encrypted USB devices and you now tell your staff that it&amp;#8217;s okay to take them home or work on them outside the office because it&amp;#8217;s safe.&amp;nbsp; Of course, now you&amp;#8217;ve told them that they&amp;#8217;re &amp;#8216;securely encrypted&amp;#8217;, they aren&amp;#8217;t quite as careful with them as they should be.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;Over the course of a few years, they lose 1% of them.&amp;nbsp; That&amp;#8217;s 100 devices.&amp;nbsp; 25% of those devices contain highly sensitive or secret information.&amp;nbsp; In the third year, a vulnerability is exposed that allows completely open access to this important data.&amp;nbsp; Now all of your devices are compromised and the 25 devices with sensitive or secret data can now be read by anyone. If you want to do anything about this vulnerability, you&amp;#8217;ll have to recall all the USBs, but how will you cope with those that have been lost? 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;Giving your employees encrypted USB devices is simply storing up a problem for the future.&amp;nbsp; It may be a cheap solution, but in the long run it&amp;#8217;s the most damaging. Of course, nothing like this could ever happen, surely? &lt;b&gt;&lt;a href="http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html"&gt;It already did&lt;/a&gt;!&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;So what&amp;#8217;s the solution?&amp;nbsp; The solution that offers the most protection (there is no perfect solution) is remote access and security in a private cloud.&amp;nbsp; With the upsurge in mobile Internet, it allows the same anywhere/anytime access as a USB, but it provides a great deal more security through a secure TLS connection between the host and the remote server. 
It&amp;#8217;s not infallible, but it&amp;#8217;s a lot easier to change any of the encryption settings or security details on your server or hard drives if a vulnerability is released or a breach is discovered.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=BodyA style='text-align:justify'&gt;&lt;span lang=EN-US&gt;If you want to keep your data protected, then USBs - even with encryption, are not a secure solution, so speak to an Information Security specialist about secure access to your own private cloud.&lt;/span&gt;&lt;span style='font-size:10.0pt;font-family:"Times New Roman","serif"; color:windowtext'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;/div&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-5996881570122753612?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.securm.co.uk/feeds/5996881570122753612/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2010/01/to-usb-or-to-not-usb.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5996881570122753612'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/5996881570122753612'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2010/01/to-usb-or-to-not-usb.html' title='To USB or to not USB'/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-768985831479828418</id><published>2009-11-23T09:26:00.000Z</published><updated>2009-11-23T09:27:54.747Z</updated><title type='text'></title><content type='html'>&lt;div class=Section1&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;b&gt;&lt;span lang=EN-US&gt;PLAY.COM AND T-MOBILE ADMIT DATA LEAKS...&lt;/span&gt;&lt;/b&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;span lang=EN-US&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;span lang=EN-US style='font-family: "Calibri","sans-serif"'&gt;With the Christmas season upon us already, it was bad timing that the online entertainment e-tailer Play.com recently reported a breach in its information security protocols.&amp;nbsp; Who was the culprit? A team of North Koreans, trained and funded by their government? Chinese spies? Malicious Hackers? 
No.&amp;nbsp; This data leak was caused, created and carried out by Play.com themselves, in a moment of accidental commercial self-sabotage.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;span lang=EN-US style='font-family: "Calibri","sans-serif"'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;span lang=EN-US style='font-family: "Calibri","sans-serif"'&gt;At the time of the year when most people are wondering whether to save money by buying on the Internet, Play.com injured their own credibility by emailing their customers with other customer&amp;#8217;s order details.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;span lang=EN-US style='font-family: "Calibri","sans-serif"'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;span lang=EN-US style='font-family: "Calibri","sans-serif"'&gt;Not only did Play.com badly damage their reputation at an important time, but they are now being investigated by the Information Commissioner&amp;#8217;s Office for a possible breach of the Data Protection Act (DPA).&amp;nbsp; Whilst Play.com quickly assured customers that no sensitive information was accidentally leaked, they are still at risk of prosecution under the DPA.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;span lang=EN-US style='font-family: "Calibri","sans-serif"'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;span lang=EN-US style='font-family: "Calibri","sans-serif"'&gt;This comes in the same month that it was announced that staff at mobile phone company T-Mobile had sold millions of customer records to third party brokers.&amp;nbsp; This sensitive information is highly valuable in the right hands and was 
sold for substantial amounts of money.&amp;nbsp; T-Mobile are working with the Information Commissioner&amp;#8217;s Office to investigate the theft and prosecute the offenders.&amp;nbsp; However, it is unlikely that this will reassure those customers whose details have already been sold on.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;span lang=EN-US style='font-family: "Calibri","sans-serif"'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;span lang=EN-US style='font-family: "Calibri","sans-serif"'&gt;In terms of information security, most people only think of protecting their data from outside intrusion.&amp;nbsp; However, insider theft and accidental data leaks can be just as damaging to your organisation&amp;#8217;s reputation and success, as external attacks.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=FreeForm style='text-align:justify'&gt;&lt;span lang=EN-US style='font-family: "Calibri","sans-serif"'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;span lang=EN-US style='font-family:"Calibri","sans-serif"; color:black'&gt;To ensure that this doesn&amp;#8217;t happen, these companies should implement information security safeguards that prevent data theft and the accidental exposure of data within their own information systems.&amp;nbsp; The electronic perimeter of your data storage systems must be as closely guarded as the physical perimeter.&lt;/span&gt;&lt;span lang=EN-US style='font-size:11.0pt; font-family:"Calibri","sans-serif"'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;/div&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8603369206500400146-768985831479828418?l=blog.securm.co.uk' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://blog.securm.co.uk/feeds/768985831479828418/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2009/11/play.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/768985831479828418'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/768985831479828418'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2009/11/play.html' title=''/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8603369206500400146.post-8579315410210860927</id><published>2009-10-29T21:38:00.001Z</published><updated>2009-10-29T21:38:31.324Z</updated><title type='text'></title><content type='html'>&lt;div&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-family: Times; font-size: 16px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); "&gt;&lt;div style="font-size: 18px; -webkit-text-size-adjust: none; background-image: initial; background-repeat: initial; background-attachment: initial; -webkit-background-clip: initial; -webkit-background-origin: initial; background-color: rgb(255, 255, 255); background-position: initial initial; "&gt;&lt;p class="s2" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: left; margin-left: 0px; text-indent: 0px; "&gt;&lt;span style="line-height: 18px; "&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica; -webkit-tap-highlight-color: rgba(26, 
26, 26, 0.289062); -webkit-composition-fill-color: rgba(175, 192, 227, 0.222656); -webkit-composition-frame-color: rgba(77, 128, 180, 0.222656); font-weight: bold; "&gt;Hacking: We Can Learn Something from Gary McKinnon...&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="s2" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: left; margin-left: 0px; text-indent: 0px; "&gt;&lt;span style="line-height: 18px; "&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p class="s5" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: justify; margin-left: 0px; text-indent: 0px; "&gt;&lt;span class="s4" style="line-height: 18px; color: rgb(0, 0, 0); font-weight: normal; font-size: 18px; font-family: Helvetica; "&gt;The United States of America takes defending its borders very seriously. &amp;nbsp;Yet between 2001-02, a British hacker called Gary McKinnon was able to breach its digital boundaries on a regular basis, looking for evidence of little green men.&lt;/span&gt;&lt;/p&gt;&lt;p class="s5" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: justify; margin-left: 0px; text-indent: 0px; "&gt;&lt;span style="line-height: 18px; "&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p class="s5" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: justify; margin-left: 0px; text-indent: 0px; "&gt;&lt;span class="s4" style="line-height: 18px; color: rgb(0, 0, 0); font-weight: normal; font-size: 18px; font-family: Helvetica; "&gt;McKinnon, a self-confessed UFO-nut with Aspergers' Syndrome managed to by-pass &amp;nbsp;some of America's top information security systems, hacking into computers at NASA, the DOD, the US Army, Navy and Air Force, in what American prosecutors are calling the "biggest military computer hack of all time."&lt;/span&gt;&lt;/p&gt;&lt;p class="s5" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; 
text-align: justify; margin-left: 0px; text-indent: 0px; "&gt;&lt;span style="line-height: 18px; "&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p class="s5" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: justify; margin-left: 0px; text-indent: 0px; "&gt;&lt;span class="s4" style="line-height: 18px; color: rgb(0, 0, 0); font-weight: normal; font-size: 18px; font-family: Helvetica; "&gt;McKinnon freely admits that he hacked into US government computers by exploiting various security loopholes in the Windows operating system using commercially available software. But he denies causing millions of dollars of damage whilst hacking those systems. &amp;nbsp;McKinnon is currently fighting extradition for trial in the United States, which could result in a 70-year sentence.&lt;/span&gt;&lt;/p&gt;&lt;p class="s5" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: justify; margin-left: 0px; text-indent: 0px; "&gt;&lt;span style="line-height: 18px; "&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p class="s5" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: justify; margin-left: 0px; text-indent: 0px; "&gt;&lt;span class="s4" style="line-height: 18px; color: rgb(0, 0, 0); font-weight: normal; font-size: 18px; font-family: Helvetica; "&gt;Regardless of the specifics of the case and the subsequent protracted extradition fight, this hacking story has some insights for both the US Military and all of us. &amp;nbsp;To me, what this highlights is the potential weaknesses in even the most robust information security systems. 
&amp;nbsp;If one guy, a 'bumbling computer nerd' in his own words, can compromise the information security infrastructure of NASA and the US Military, just how secure from hacking are the information networks we all use on a daily basis?&lt;/span&gt;&lt;/p&gt;&lt;p class="s5" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: justify; margin-left: 0px; text-indent: 0px; "&gt;&lt;span style="line-height: 18px; "&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p class="s5" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: justify; margin-left: 0px; text-indent: 0px; "&gt;&lt;span class="s4" style="line-height: 18px; color: rgb(0, 0, 0); font-weight: normal; font-size: 18px; font-family: Helvetica; "&gt;Sources claim that teams of organised hackers working for foreign government agencies are constantly probing financial, industrial and government information systems for flaws, weaknesses and potential breaches in the digital perimeter.&lt;/span&gt;&lt;/p&gt;&lt;p class="s5" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: justify; margin-left: 0px; text-indent: 0px; "&gt;&lt;span style="line-height: 18px; "&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p class="s5" style="margin-top: 0px; margin-bottom: 0px; line-height: 1; margin-right: 0px; text-align: justify; margin-left: 0px; text-indent: 0px; "&gt;&lt;span class="s4" style="line-height: 18px; color: rgb(0, 0, 0); font-weight: normal; font-size: 18px; font-family: Helvetica; "&gt;The US Administration must commit a serious amount of money to ensuring that their information systems are properly secured. &amp;nbsp;If the information systems of the most powerful country in the world can be breached by an amateur, isn't it time we all had a good long look at the integrity of our own information security systems? 
&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://blog.securm.co.uk/feeds/8579315410210860927/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.securm.co.uk/2009/10/hacking-we-can-learn-something-from.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/8579315410210860927'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8603369206500400146/posts/default/8579315410210860927'/><link rel='alternate' type='text/html' href='http://blog.securm.co.uk/2009/10/hacking-we-can-learn-something-from.html' title=''/><author><name>Securm</name><uri>http://www.blogger.com/profile/06518888852150267237</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
