You are the Weakest Link

You are the Weakest Link – the Man in the Security Loop

People, process, technology. It is all too easy to get carried away with the technical and procedural controls that we look to for the bulk of the security on our IT systems and, increasingly, our industrial, domestic and public services systems too. Make no mistake, the technical controls are great for what they do. On the whole they have the advantages that most technology shows – that is, they do boring, repetitive, accurate things pretty well, and as we know humans are pretty bad at that. This points the way to the crux of the human influence on security – most of the risk from insiders is unintentional. Procedures, too, are crucially important, but in the end they rely on people to execute them. Continue reading “You are the Weakest Link”

Regency Security Consultant Achieves Certification as Senior CESG Professional

Proving Regency’s continued commitment to the CESG Certified Professional (CCP) scheme, a member of our Security Consultancy team, Stephen Bottomley, this week achieved Senior Practitioner certification in the Security & Information Risk Advisor (SIRA) role. Additionally, Stephen also achieved Practitioner certification in the IA Auditor role.

Stephen’s achievement reinforces the Regency statement that we are continuously looking to enhance our capability in the Cyber Security and Information Assurance space.

Are you prepared to look the Ravenous Bugblatter Beast in the eye?

Data compromise has really hit the headlines over the last week. First, TalkTalk, a large UK telecoms, mobile phone and internet service provider, found itself under attack from hackers with press reports suggesting that they may have stolen the personal data of up to 4 million customers from the company’s systems, potentially including financial information such as bank account details. Continue reading “Are you prepared to look the Ravenous Bugblatter Beast in the eye?”

EU Data Protection Regulation: Are you prepared to detect and report a breach in 72 hours?

We are all familiar with the Data Protection regime, established by the Data Protection Act 1998 which was itself based upon the 1995 European Union Data Protection Directive. There have been some developments over the years since it first came into force, the introduction five years ago of the Information Commissioner’s powers to fine organisations for breaches being the most notable example. Continue reading “EU Data Protection Regulation: Are you prepared to detect and report a breach in 72 hours?”

Cyber Essentials Scheme – Malware Protection

In April this year we published an article about Boundary Firewalls & Internet Gateways which is one of four articles that we’ve written about the UK Government Cyber Essentials Scheme. In this article I’m going to cover the final element of the Cyber Essentials Scheme and what it may mean to your organisation.

The UK Government 10 Steps guidance states: “Produce policies that directly address the business processes (such as email, web browsing, removable media and personally owned devices) that are vulnerable to malware. Scan for malware across your organisation and protect all host and client machines with antivirus solutions that will actively scan for malware. All information supplied to or from your organisation should be scanned for malicious content.”

What is Malware Protection?

The description given in the Cyber Essentials Scheme overview is that Malware Protection ensures that virus and malware protection is installed and is up to date. To clarify further, “malware” is a shortened form of “malicious software”, and the protection aspect describes the software and hardware measures that can be put in place to protect your network and associated devices from malware.

Types of malware include viruses, computer worms, Trojans and keyloggers, or in fact any type of code that was designed by its creator to enter and infect the target device.

The reasons for creating malware are broad but generally considered to be part of a criminal attempt to make money by stealing the likes of financial information, IPR or personal data from the target or infecting the target computer with forced advertising (adware).

Put simply, think of malware as a particularly nasty disease and malware protection as an inoculation or injection from the doctor to protect you from catching it when you come in to contact with it.

Why do we need Malware Protection?

As an individual and as a business you no doubt have information that is precious to you, and I doubt that you want to be bombarded with adware when you are already busy working online. But did you also know that you are vulnerable to other types of malware, such as ransomware, where the criminals extort money from you in return for the keys they have used to encrypt your important documents?

Malware can also be used to send spam emails from your computers, and your computers could be used to host illegal pornography. The potential for harm from malware is extremely concerning, and the damage to your hard-won business reputation in the event of a malware infection is very real.

What about the anti-virus software my network provider gave me?

Most computers and operating systems are delivered with anti-virus software already installed. However, this might only be a short-duration subscription and not an enterprise version that is suitable for your business network. Additionally, the software needs to be activated and registered before you can start to use it.

There is lots of choice, how do I choose suitable Malware Protection?

There are lots of vendors who offer anti-virus protection, but here are some features that you may want to consider:

  • Does it have an auto update feature?
  • Does it scan documents automatically when they are opened?
  • Do you need it to run on your enterprise web gateway to provide a monitoring capability?
  • Does the malware protection include the ability to inspect SSL/TLS traffic from encrypted sites?
  • Does it provide a reporting feature that tells you when it has detected malware?
  • Does it provide protection for all your operating systems including OSX?
  • Will your software be compatible with your business applications?
  • If I choose a cloud solution, what are the privacy implications for my data?

How do I implement Malware Protection without disrupting my business?

If you have not already done so then you should implement Malware Protection as soon as you can. The following are the very high level points that you should consider; if you want more details you can contact us for a more detailed advice sheet:

  1. Initial configuration – When you initially install your malware protection software you must carry out an update to receive the latest signatures from your software vendor. Signature updates are released by vendors on a daily basis and you can soon find yourself out of date if you don’t keep up.
  2. Update feature – Once your software has received its initial update successfully you should check your computers again to ensure that the automatic feature is functioning correctly.
  3. User education – Consider educating your users about the sources of malware through an email or poster campaign. Emphasise practices such as not clicking on links in emails where the sender may be unknown. Only give access to websites that have a message function like LinkedIn to those individuals who have a valid business reason to do so and brief them accordingly about the potential risks.
  4. Maintain your Malware Protection – Ensure that your malware protection software version is maintained and that new releases are installed when convenient to your business. Remember our advice on Patch Management last year? Include your Malware Protection in your business patching strategy.

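Steps 1, 2 and 4 above come down to one recurring check: are signatures, automatic updates and the scanning engine actually current on every machine? The following is an added example, not part of the original article or any vendor's tooling, of how that check can be run over a status export from your anti-virus console. The CSV layout, the host names, the engine version and the two-day staleness threshold (chosen because the article notes vendors release signatures daily) are all constructed assumptions; substitute the columns your own product exports.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data): one row per endpoint as a
# management console might export it. Column names are an assumption.
SAMPLE_EXPORT = """\
hostname,engine_version,signature_time,auto_update,realtime_scan
finance-pc-01,4.18.3,2015-10-27T06:15:00Z,yes,yes
finance-pc-02,4.18.3,2015-10-20T06:15:00Z,no,yes
reception-pc,4.17.9,2015-10-26T21:40:00Z,yes,no
laptop-consult-07,4.18.3,2015-10-27T08:02:00Z,yes,yes
"""


@dataclass
class HostStatus:
    hostname: str
    engine_version: str
    signature_time: datetime   # release time of the installed signatures (UTC)
    auto_update: bool
    realtime_scan: bool


def parse_export(text: str):
    """Parse the console export into HostStatus records."""
    hosts = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(rec["signature_time"], "%Y-%m-%dT%H:%M:%SZ")
        hosts.append(HostStatus(
            hostname=rec["hostname"].strip(),
            engine_version=rec["engine_version"].strip(),
            signature_time=ts.replace(tzinfo=timezone.utc),
            auto_update=rec["auto_update"].strip().lower() == "yes",
            realtime_scan=rec["realtime_scan"].strip().lower() == "yes",
        ))
    return hosts


def check_hosts(hosts, now: datetime, max_signature_age=timedelta(days=2),
                current_engine="4.18.3"):
    """Return {hostname: [problems]} for every host that fails a check.

    A host with no problems does not appear in the result at all.
    """
    findings = {}
    for h in hosts:
        problems = []
        age = now - h.signature_time
        if age > max_signature_age:
            problems.append("signatures stale (%d days)" % age.days)
        if not h.auto_update:
            problems.append("automatic updates disabled")
        if not h.realtime_scan:
            problems.append("real-time scanning disabled")
        if h.engine_version != current_engine:
            problems.append("engine version %s behind %s" % (h.engine_version, current_engine))
        if problems:
            findings[h.hostname] = problems
    return findings


def run_check(export_text: str, now_iso: str):
    """Convenience wrapper: parse the export and check it at the given UTC time."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return check_hosts(parse_export(export_text), now)


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives repeatable output.
    for host, problems in run_check(SAMPLE_EXPORT, "2015-10-28T09:00:00Z").items():
        print(host)
        for p in problems:
            print("  -", p)
```

Hosts that never appear in the export at all (a machine that has not checked in) are worth a separate line in the report, since a silent endpoint is just as likely to be out of date as one that reports stale signatures.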
So what’s the bottom line for my business?

The bottom line is that all organisations who are connected to the internet are at continual risk of malware attack. Attacks could be targeted, but are often just the result of hackers and criminals on the internet using automated malware techniques to look for any vulnerable system to attack. During the National Cyber Crime Conference in 2014, a Regency consultant described this capability as similar to physical attackers being able to try every door handle in a street in 10 seconds. The law of averages means that, if attackers try enough handles, they will find one which is left unlocked.

Organisations that fail to take the minimum measures run a serious risk of a catastrophic impact on their business associated with the loss of information, money or reputation. Ask yourself – could your business cope if the information on all your machines was held to ransom, if an attacker gained access to your company bank account and if all your customer contact details were stolen?

What next?

If you do not currently have Malware Protection installed, hopefully you now realise why you need it. The Regency team has lots of experience helping clients large and small to implement security appropriate to their businesses. So if you need help understanding how to go about choosing, installing or configuring Malware Protection, you can contact us for a copy of our detailed advice sheet or for specialist advice on Malware Protection, Cyber Essentials or any aspect of cyber security.

Practical Application of Risk Appetite and Tolerance

Working in Information Security we see frequent references to the concepts of Risk Appetite and Tolerance, but they are often confused. Through this article we can hopefully clarify how the concepts of Risk Appetite and Tolerance can be practically applied.

The Limit of Acceptability

We often encounter people who are confused about the relationship between risk appetite and risk tolerance. Whilst Risk Appetite is defined by HM Treasury in “The Orange Book” as “the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time”, the publication does not explicitly define Risk Tolerance. The concept that many people are trying to articulate when they become confused between appetite and tolerance is the boundary between risks which can be accepted and risks which may be tolerated.

[Figure: Risk Limits]

As part of an engagement working with some safety engineers I discovered they call the boundary between acceptable and tolerable risks the “Limit of Acceptability”. The graph shown to the left uses likelihood and impact on the axes and shows the “Limit of Acceptability”. The area between the “Limit of Acceptability” and the “Limit of Tolerance” is the risk tolerance. It is very important to understand that there is no strict relationship between the location of these two limits, other than the “Limit of Acceptability” being below the “Limit of Tolerance”.

In practice it is much easier to define the “Limit of Tolerance” in terms of unacceptable risks than it is to define what might be a tolerable risk. A simple example is to say “breaking the law is an unacceptable risk”; it is an unambiguous statement that is understandable to anybody.

In practical application the “Limit of Acceptability” in many organisations will be the point at which risks can no longer be accepted by delegated risk owners and will need to be escalated. This is the concept that many are trying to articulate with statements such as “Risk Tolerance for the system is Low”. This effectively means that the treatment of inherent risks assessed at Low or below does not require specific attention. This is not to suggest that treatment of these risks is specifically avoided. Inherent risks above Low will need to be considered for treatment. In many cases these risks will be treated so the residual risk falls to Low, or below. However, when the control to treat the risk is viewed as disproportionately expensive or is assessed to have a significant adverse effect on the functionality of the system it will need to be considered if the risk is tolerable.

Risk Appetite: How Big is your Bucket?

We often find that people struggle with the concept of risk appetite and overall risk exposure for an organisation. A simple analogy is that as an organisation you have a bucket in which you put all your risks. Appetite is the total size of the bucket and exposure is how much is in the bucket at a given time. This means that if the bucket is relatively empty (and current exposure is low) then you might choose to tolerate more risks; however, if the bucket is nearly full (and current exposure is high) you either need to address some existing risks to make room in the bucket or tolerate fewer new risks. Some organisations choose to sub-divide their risk appetite and devolve responsibility. The model is still the same: they just have several little buckets which, when combined, hold the same as the one big bucket for the organisation.

Whilst in the previous section it has been proposed that acceptable risks can be identified ostensibly on their assessed severity, the decision to tolerate a risk needs to be considered in a much broader context.

[Figure: Risk Exposure]

Graphs like the one used in the previous section can be viewed as being partially responsible for the confusion about assessing tolerable risks, since many attempt to illustrate risk appetite purely on the basis of the impact and likelihood. The graph to the right is a simplified version of that above and shows that increasing Impact, Likelihood or both leads to increasing Exposure.

Risk Appetite is often defined in an abstract way. The categories of risk appetite defined in “The Orange Book” and associated publications use classifications such as “Averse”, “Open” and “Hungry”, and the descriptions of these classifications are quite open; for example, “Hungry” is described as “Eager to be innovative and to choose options offering potentially higher business rewards, despite greater inherent risk.” These classifications rely on an assessment being made about the business rewards which result from tolerating a risk.


[Figure: Risk Appetite]

The concept of increasing Exposure is important to the graph to the left since it allows the two axes on the previous graphs to be combined on to one in this graph. This graph illustrates a range of risk appetite classifications associated with treatment cost. The basic concept of the graph is that for each risk appetite classification only those risks which fall under the line would be within Risk Appetite.

As the text on the graph states it is very important that treatment cost is understood to be not just the cost of implementing a security control, but also any loss of business functionality (dis-benefits) associated with the implementation of the control.

If an attempt is made to apply risk appetite purely in isolation, the lines on the graph would be drawn as horizontal rather than curved, indicating that a risk can be accepted purely on the basis of its exposure rather than as a balance with its treatment cost. This balance has a key part to play in pragmatic risk management, because the focus is on total exposure. In practice this is likely to mean addressing risks with a low treatment cost to reduce exposure, allowing the potential to tolerate risks which have a much greater treatment cost.

In practical application it is important to have a standardised method to make an assessment if a risk can be tolerated since all the assessments need to feed into the overall exposure. The method also needs to be scalable so that the amount of effort required is proportionate to the severity of the risk. Since these assessments are likely to form part of a risk escalation process they must be comprehensible to senior risk owners in the organisation who often do not have a technical background.
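The model described across this article (a Limit of Acceptability below a Limit of Tolerance, exposure that rises with impact and likelihood, appetite lines that curve with treatment cost, and a bucket whose capacity is the appetite) can be written down as a small standardised assessment of the kind the paragraph above calls for. The code below is an added illustration, not Regency's escalation procedure or any published method. The concrete numbers are assumptions: exposure is scored as likelihood multiplied by impact on 1 to 5 scales, the two limits sit at scores of 6 and 16, the appetite curve for each classification is a base exposure scaled up by treatment cost, and the sample register of five risks is constructed. The treatment selection goes slightly beyond the text by ordering candidates by exposure reduction per unit of treatment cost rather than by cost alone.

```python
from dataclasses import dataclass

# Assumed scales and limits. Exposure = likelihood (1-5) x impact (1-5), so 1..25.
LIMIT_OF_ACCEPTABILITY = 6   # at or below: a delegated risk owner may accept
LIMIT_OF_TOLERANCE = 16      # above: unacceptable regardless of treatment cost

# Assumed exposure each appetite classification accepts when treatment costs nothing.
APPETITE_BASE = {"averse": 4, "open": 8, "hungry": 12}


@dataclass
class Risk:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    treatment_cost: float  # 0..1 relative cost, including dis-benefits to the business
    residual: int          # assumed exposure that remains once the risk is treated

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact


def classify(risk: Risk) -> str:
    """Place a risk against the two limits: accept, escalate for a tolerance decision, or reject."""
    if risk.exposure > LIMIT_OF_TOLERANCE:
        return "unacceptable"
    if risk.exposure > LIMIT_OF_ACCEPTABILITY:
        return "tolerable"      # above the Limit of Acceptability: must be escalated
    return "acceptable"


def appetite_limit(appetite: str, treatment_cost: float) -> float:
    """Assumed shape of the appetite curve: the exposure within appetite grows with
    treatment cost (a horizontal line would ignore cost), capped at the Limit of Tolerance."""
    return min(LIMIT_OF_TOLERANCE, APPETITE_BASE[appetite] * (1.0 + treatment_cost))


def within_appetite(risk: Risk, appetite: str) -> bool:
    """A risk is within appetite when it falls under the curve for that classification."""
    return classify(risk) != "unacceptable" and \
        risk.exposure <= appetite_limit(appetite, risk.treatment_cost)


def bucket_exposure(risks) -> int:
    """Total exposure currently in the bucket; unacceptable risks are never tolerated, so excluded."""
    return sum(r.exposure for r in risks if classify(r) != "unacceptable")


def treat_to_fit(risks, capacity: int):
    """Choose risks to treat until the bucket fits its capacity (the appetite).

    Candidates are ordered by exposure reduction per unit treatment cost, so cheap
    treatments make room for tolerating risks that would be expensive to treat.
    Returns (names to treat, resulting total exposure).
    """
    total = bucket_exposure(risks)
    candidates = [r for r in risks
                  if classify(r) != "unacceptable" and r.exposure > r.residual]
    candidates.sort(key=lambda r: (-(r.exposure - r.residual) / max(r.treatment_cost, 1e-6),
                                   r.treatment_cost))
    chosen = []
    for r in candidates:
        if total <= capacity:
            break
        total -= r.exposure - r.residual
        chosen.append(r.name)
    return chosen, total


def plan(risks, appetite: str, capacity: int) -> dict:
    """Standardised assessment of a register: per-risk decisions plus the bucket outcome."""
    to_treat, total = treat_to_fit(risks, capacity)
    return {
        "classification": {r.name: classify(r) for r in risks},
        "within_appetite": {r.name: within_appetite(r, appetite) for r in risks},
        "must_treat": [r.name for r in risks if classify(r) == "unacceptable"],
        "treat_to_fit_bucket": to_treat,
        "exposure_before": bucket_exposure(risks),
        "exposure_after": total,
    }


# Constructed sample register; names, scores and costs are illustrative only.
SAMPLE_RISKS = [
    Risk("phishing", likelihood=4, impact=3, treatment_cost=0.2, residual=4),
    Risk("unpatched legacy app", likelihood=3, impact=4, treatment_cost=0.9, residual=6),
    Risk("lost laptop", likelihood=2, impact=3, treatment_cost=0.1, residual=2),
    Risk("data centre fire", likelihood=1, impact=5, treatment_cost=0.8, residual=3),
    Risk("breach of law", likelihood=5, impact=5, treatment_cost=0.5, residual=4),
]

if __name__ == "__main__":
    for key, value in plan(SAMPLE_RISKS, appetite="open", capacity=30).items():
        print(key, "->", value)
```

With an "open" appetite and a bucket of 30, the register's tolerated exposure starts at 35, so the two cheapest reductions (the lost laptop and phishing) are treated to bring it to 23, leaving the expensive legacy application as a risk that can be tolerated. The "breach of law" entry sits above the Limit of Tolerance, so it is reported under must_treat rather than being weighed against cost at all.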

Regency has considerable experience advising on both the management of specific risks and the design and implementation of risk escalation processes. An example of this is the design and implementation of a risk escalation procedure we created for a central government department. Five years later the process is still in use with the initial department and is known to be in active use by at least four other large public sector organisations.

Maritime Cyber Security

Early in June 2015 the MSC held its 95th meeting. Whilst cyber was placed 4th on the agenda, it was elevated ahead of all other security risks facing the industry.

In excess of fifty percent of European goods are transported by maritime carriers. Continue reading “Maritime Cyber Security”

FBI Warn of Ransomware Epidemic

A recent post in SC Magazine has reported that the FBI are highlighting a severe risk of Ransomware across the world; the article reports that the FBI’s own Internet Crime Complaint Centre is highlighting the continued increased spread of cryptographically enhanced ransomware across the globe. Continue reading “FBI Warn of Ransomware Epidemic”

UK Cyber Essentials Scheme Scoops Major Award

Regency IT Consulting would like to congratulate the Cyber Essentials Scheme for winning the Editor’s Choice Award at the SC Awards Europe 2015. This impressive award coincides with the first anniversary of the Cyber Essentials Scheme.

The citation stated that “many SMEs and even some medium sized companies have next to nothing in place to protect themselves from cyber-threats, and so Cyber Essentials receives the Editor’s Choice Award for actually putting a bar in place for the first time, potentially having a greater impact on improving information security in the UK than any other single initiative.”

Regency is not only a very proud holder of the Cyber Essentials Plus certificate and one of the scheme’s early adopters; we are also pleased to be able to assist many of the medium-sized and SME organisations for whom the scheme was intended, helping and supporting them to achieve certification in the scheme.

This UK Government backed, industry supported scheme consists of five basic elements, which, when combined, give protection against common cyber threats which may threaten organisations who operate online. The five elements consist of:

  • Boundary Firewalls & Internet Gateways
  • Secure Configuration
  • User Access Control
  • Patch Management
  • Malware Protection

If you would like to know more about the Cyber Essentials Scheme and how Regency could help you achieve certification, why not contact us for a copy of our detailed advice sheet or more information.

Our website has a number of brief articles which give more detail on each of the elements of the Cyber Essentials Scheme.

“Rewiring The Pentagon” – The New Cyber Security Strategy for the US Department of Defense

Over the past few weeks our focus on the General Election may have distracted attention sufficiently for some events in the outside world to have slipped past unnoticed.

One such might be the US Secretary of Defense, Ash Carter, delivering a lecture, “Rewiring the Pentagon: Charting a New Path on Innovation and Cyber Security,” to an audience at Stanford University in Silicon Valley in California on April 23, 2015.

Carter’s presentation unveiled the recently published 2015 Cyber Security Strategy for the US Department of Defense (DoD). Continue reading ““Rewiring The Pentagon” – The New Cyber Security Strategy for the US Department of Defense”

I’ll show you mine, if you’ll show me yours: Writing a practical removable media policy

Working as a consultant I am often put in the situation to discover at first hand just how little thought has been put into the practicalities of security policy and procedure. The situation which most commonly highlights this for me is the need to exchange information on an ad-hoc basis with a client. When the material is too big or sensitive for email you often end up with a Mexican standoff where a USB memory stick would be an ideal mechanism for the transfer but neither party can connect a device provided by the other due to respective company policy and controls.

Companies often have a removable media policy which says something like “staff must only connect company issued USB memory sticks into company issued computers”. You might have noticed that there is actually some ambiguity in this statement, but read in the most restrictive way this means that USB memory sticks can only be used to transfer information between company computers. In practice the availability of shared network drives, in most organisations, means this is probably the one time when you have a range of options available. The ambiguity means it could also be read to mean staff are free to plug company USB sticks into any device and their company issued computer. In practice neither of these interpretations is likely to be ideal for a business.

The key to writing practical security policy and procedure is to develop an understanding of the business requirements and their context. Producing policy which doesn’t adequately address business requirements will result in at least one of the following outcomes:

  • Impact the operation of the business
  • Cause staff to find uncontrolled ways round the policy
  • Reduce respect for, and potentially compliance with, policy more generally

One of the best ways to understand the business requirements is to develop some “use cases” or “user stories”; these can then be used to explore the practicality of potential control options and the risks which need to be managed. At a high level the following are key risks posed to a company network by removable media, although these will vary for different requirements:

  • Exporting of information in an untraceable manner
  • Transporting unprotected sensitive information
  • Importing of malicious content
  • Importing of unlicensed material

Use Case Examples

Use Case: Office based staff have a requirement to import and export large volumes of information to exchange with suppliers and clients on an ad-hoc basis.
The risks presented by this use case beyond the generic ones stated previously include:

  • Distributing malicious content to suppliers or clients
  • Distributing inappropriate material to suppliers or clients
  • Importing inappropriate material from suppliers or clients

In an office based situation it should be practical to control the import and export of material through a limited number of endpoints and users. This focus on a smaller number of users means that it is both easier to train the users and they can better maintain familiarity with the procedure. A restricted number of endpoints can be beneficial especially for imports because they can be designed to provide additional protection, especially when importing information from supplier or client provided media such as a “sheep-dip” arrangement.

Use Case: Consultants need to exchange large volumes of information, or sensitive information, with clients on an ad-hoc basis during assignments.
The risks presented by this use case beyond the generic ones stated previously include:

  • Malicious content is transferred to client systems
  • Inappropriate client material is transferred from client systems

In a situation where staff are mobile and working on a range of sites, limiting the number of users or devices which can be used will have a significant impact on staff being able to perform their roles.

Policy Example

Writing the portion of the Regency removable media policy to address our consulting staff brought some interesting considerations. Whilst we have the advantage of a security-aware workforce, since our entire consulting workforce are either security professionals or project managers specialising in managing security work, we have the challenge that we need to enable our mobile consultants to work simply and easily with clients who have restrictive security policies whilst protecting our systems and client information.

The approach we chose takes advantage of our security-aware consulting staff and can be likened to Dynamic Risk Assessment. Dynamic Risk Assessment is the method used by organisations such as the emergency services to help staff manage risks when they respond to incidents. The application of this method to removable media is based on providing consultants with a list of considerations to review prior to inserting removable media into their laptop. Some of these considerations include:

  • Has the removable media been anti-virus/anti-malware checked at source?
  • When was the last AV signature update on your laptop?
  • Has your laptop had a recent backup?
  • Can the information be safely transported on the removable media?

Drawing a Balance

Hopefully, it has become clear that a removable media policy which tries to treat all the user communities in your organisation as one is unlikely to be the best approach. The most flexible approach, needed by a proportion of users to support the business, will introduce unnecessary risks if applied to all users. The most restrictive approach, whilst suitable for office-based staff, can have a big impact on your business by restricting key mobile staff. Adopting the use case approach allows you to identify and apply some simple divisions in your user community to provide users with the tools to do their jobs, whilst also managing your risks. This use case approach also has additional benefits, such as helping to identify and avoid undesirable situations such as routine transfers taking place using removable media.

If you need some help writing a practical policy for removable media or other areas of information security then contact Philip or the Security Practice.

People are the weakest link

The recent fine of £180,000 levied by the Information Commissioner’s Office (ICO) on the Serious Fraud Office (SFO) is a timely reminder of how it’s often the simple things which can let organisations down when it comes to safeguarding information. Continue reading “People are the weakest link”