Security Risk or Feature Request – Software due diligence – who controls your reputation?

If you can think of a business process nowadays, there’s probably either an outsourced service or off the shelf piece of software that will perform it for you. As part of any outsourcing arrangement, due diligence will be performed. However, what happens when you buy a piece of software?

If an organisation suffers a data breach thanks to an outsourcing partner not living up to their part of the bargain, there’s always the potential to mitigate reputational damage through plausible deniability. However, when you install and manage a piece of software, whatever happens is all your fault, so what can you do to make sure that software vendors take your reputation as seriously as you do?

Security Testing – In an ideal world, software would undergo a rigorous testing regime. Back in the real world though, software will usually undergo an element of functional testing with security testing either being an afterthought or the end user’s problem. Before you buy software that your trusting with your reputation, ask the vendor for their most recent security testing results. If they try to make it your problem, look elsewhere. If they are an open approach (CANVAS LMS is a good example here), stick with that vendor and don’t let them go.

Remediation Process – Ask the vendor for their documented process for actioning vulnerability reports. If the vendor shows your a full process documenting risk assessment and communication procedures including a liberal sprinkling of response timelines, give them a tick in the box for this one. If they give you a blank look, their competitors may want to help you.

Do your own testing – So, if you’ve found the unicorn that is a vendor taking information security seriously, why would you want to do your own testing? Penetration testing arranged by a vendor will often take place in a sterile environment that doesn’t necessarily resemble the real world. A real world configuration may introduce previously undiscovered flaws.

Show me – The cynical part of me strongly believes that if a vendor smells a sale, they’ll. tell you whatever you want to hear, so don’t take them at their word, have them show you that they take the security of your customers’ data seriously.

Performing due diligence is just as important for COTS that could have an impact n your sensitive data as it is for an outsourcing partner. Above all else, if you find a vendor who uses the term “Feature Request” instead of the more commonly used “Urgent Security Fix” run away as quickly as you can – they’re not taking security of your information as seriously as you are!

Bang for Bucks Security – 7 Reasons why Businesses are Insecure (Drazen Drazic CEO)

If we had to pick what the most frequently asked question is that we get asked by CEOs, CIOs, CSOs and other senior IT Management, it would be; what is the quickest way to find out what security risks and exposures their company has. We all know that it’s not that simple but to be fair, it’s a good question if you are starting from a base of nothing.

But you can’t get an decent answer to such a question unless you have decided that you are serious about protecting your information assets. Unless you have these “basics” in place.

Back in 2007 I wrote the post “The 7 Reasons why Businesses are Insecure” on Beast or Buddha. (

I have rehashed today, as pertinent and timely as ever as it comes to attention this month in our newsletter “Bang for Bucks Security”.

Bang for Bucks Security

I won’t start by saying that implementing a strong framework is going to solve all business IT security problems. It won’t, but with one, at least you have one big advantage over now – you have a better picture and understanding of where your problems may lie and you’re less likely to be taken by surprise.

At present, most organisations have little understanding of the risks they face – where they are exposed, what they are exposed to and how these exposures could impact the business! So what are the problems?
1. Management and Governance – If the CEO and Senior Officers of the business do not ultimately own the responsibility and accountability for the security of the business, then it just does not get the appropriate attention. When we do “State of Security” reviews for our clients, we pretty much have 90% of our report written after the first hour if we find this layer of the framework not in place. ie; you can be guaranteed that if there is not an effective and ongoing management and governance layer in place, overall security within the organisation is weak. Matt Jonkman in a previous interviews with me  iexplains it well;

“Security is the CEO’s problem. The security engineers are the tools the CEO should be employing. CEOs should be directly involved in the risk decisions far more than I see on average. They need to know not exactly what technically is going on, but exactly what risk is being introduced or mitigated. It’s security 101. They should be involved from the ground all the way to incident response. It is NOT the security engineer’s decision whether to spend money to mitigate a risk based on what the impact might be. It’s the CEO that should know what that impact would mean in dollars, and how many dollars are available to be expended. I think these things are far too often delegated from officers of a company to managers without the proper oversight and long term involvement.”

2. Environment Awareness – It never ceases to amaze me how many organisations will promote being secure and having strong IT security practices and controls in place, yet not have a clear understanding of their environment. How can you say you are secure if you don’t know what it is that you supposedly protect? Most organisations have little idea about what they own – ie; IP address ranges, networks, systems and applications. Few have assigned data and system owners to all parts of the environment.

3. Policies and Standards – Most companies now have security policies and standards but are they of much value? If you don’t have an effective management and governance layer in place to own, manage, maintain and enforce good practice and if you have gaps in awareness of what makes up the corporate environment, how good are they?

4. Policy Compliance and Awareness – Policies and standards are all good and well but if you’re not doing what you say you should be doing, the security program is useless. Stating the obvious I know, but this is the story more often than not from our experience.

5 . Assurance Program – Few organisations “test” to confirm they are doing what they say they should be doing. ie; testing the effectiveness of the above mentioned layers of the framework. An ongoing assurance program helps to identify issues arising from the deployment of new technologies and problems from weak practices in existing technologies. Few organisations do:

1. Ongoing environmental scoping – mapping and keeping up to date records of what their environment is.
2. Ongoing vulnerability assessment and management – a proactive VA program helps identify issues before they become a problem.
3. Regular security testing of key systems and applications, including penetration testing and application reviews.
4. Security review of new systems before they go into testing and production. 90% of newly deployed web applications in our experience have critical security issues yet organisations still trust that their developers understand security and don’t test….scary!
5. Review of the their policies and standards – are they relevant, up to date and cover the scope of the complete business environment?
6. Review of the effectiveness of the compliance program(s). Testing to see if what the organisation says should be done is being done.

6. Incident Management and Response – If any of the above fails and an incident occurs. (Assuming the organisation knows an incident has actually taken place, and take the tip, most companies have no idea unless it’s one that has walked right up to them and slapped them in the face). Most organisations have little or nothing in the way of documented and tested response plans. (Lets add DR to this also). How can an organisation quickly and effectively respond to something if there is no plan?

7. Strategy and Performance Assessment – In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date. Few organisations take a holistic view when assessing the effectiveness of their IT security strategy. I know “metrics” and performance assessment in the IT security industry has been debated since day 1, but lets not confuse systems and detection metrics, as a couple of examples, with “strategy” level review.

An IT Security strategy should encompass a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help; define the strategy framework, communicate the strategy (by specifying performance measures), track performance (by collecting valuable information pertinent to the phase of strategy), increase accountability (by linking metrics to performance appraisals and business plans) and to align objectives of individuals, teams and the organisation itself. In most cases this is easier said than done but investigation should still be undertaken into the creation of a metrics and strategy re-assessment process that covers at a minimum;

1. Articulation of the Security Strategy.
2. Translating Strategy into Desired Outcomes.
3. Devising Metrics.
4. Linking Metrics to Leading and Lagging Indicators.
5. Calculating Current and Target Performance.
(based on work done by Rayport and Jaworski, eCommerce)

The 7 layers above form the Strategic Security Management Framework (SSMF). It’s a framework we developed some time ago to assess the effectiveness of IT Security practices in an organisation. It’s a framework that we still use today. It’s a framework that many of our clients now adopt.

By nature of doing business electronically, an organisation cannot remain secure without a proactive plan / strategy that takes a holistic and enterprise view of the risks the organisation faces.

A strategic framework is vital in the field of security management because it provides a structure to help analyse the complex requirements and highlights the dimensions of importance. An effective strategic security management framework is vital in describing the business’ short and long term plans to; secure its environment, what its goals are, how it plans to achieve those goals and how it will continue to achieve new goals required to keep pace with evolving security challenges. It should be linked to other strategies within the business such as relevant components of the overall corporate strategy and the IT strategy and functional strategies that will evolve from the security strategy itself.

As I said, managing security around a framework will not in itself solve all the problems but it is the start. Without one, organisations will continue to flounder around a bunch of disjointed practices, rarely relating to other practices and with little context to the overall objectives of securing a whole business environment.

This is where busineses are failing today.

Will QA change web penetration testing?

Originally published in PentesterLab, on 7/8/2012 by Louis Nyffenegger.

First, let’s go back a little and think about the 2 main limitations of web scanners:

  • Coverage: it’s really hard to write a spider that will cover a full website, you need to write a tool that will understand a website and know exactly what to do and what data to submit (email when an email address is expected, name when an name is expected…)
  • Scanner quality: it’s really hard to write a web scanner that will avoid false positive and won’t provide any false negative. It’s particularly hard on production systems where error messages are/should be turned off, you often need to apply some crazy logic to find if a bug is there.

Continue reading

Data breach highlights security risks

Data breaches can have devastating consequences – and one recent incident overseas has illustrated the extent of the damage this type of negligence can cause.

A security breach at one UK health trust has highlighted the importance of keeping data protected – and underscored the risks that enterprises of all types can face when they fail to do so.

The UK Information Commissioner’s Office (ICO) reported this week that one publicly-funded healthcare organisation inadvertently leaked the details of 59 palliative care patients to an external source over a three-month period.

This sensitive information contained details about individuals that was intended for the St John’s Hospice and included information about their family life, medical treatment and instructions for resuscitation.

In March 2011, Central London Community Healthcare NHS Trust began faxing these details to the wrong recipient – with a total of 45 faxes sent over a three-month period.

In June last year, the recipient informed the healthcare provider that it had been receiving – and destroying – this sensitive data.

Checks carried out by the ICO revealed that there were insufficient measures in place to ensure that information was being correctly delivered to the right people, and as such, the healthcare body was fined a total of GBP90,000 (approximately $144,635) for the data breach.

Having the right security processes in place, according to the ICO’s head of enforcement, is essential – especially when it comes to protecting sensitive data such as medical records.

Stephen Eckersley said: “The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”

While this incident occurred overseas, it serves as an important reminder of the consequences of data breaches – both from a financial standpoint as well as the damage to an organisation’s reputation.

Enterprises that deal with sensitive information – whether this is in the form of medical details, financial records or other personal information – may wish to have their security processes assessed through penetration testing.

This can help to expose vulnerabilities in your system before they are discovered by malicious parties, who can cause significant embarrassment, reputation damage and financial losses to your organisation.

If your business is also evaluating new technologies, you might want to arrange for a security due diligence assessment to be carried out. This can identify any compliance gaps and allow your decisionmakers to make an informed choice about how best to proceed.

Aus-US alliance to combat cyber crime

A new collaboration between Australia and the United States will improve cyber security standards at home – as well as across the globe, according to Nicola Roxon.

The Australian attorney-general, who is also the minister for emergency management, stated last week (May 18) that recent discussions between US and Australian policymakers in Canberra spelled good news for cyber security management.

Roxon said: “Countries everywhere are increasingly reliant on critical infrastructure such as telecommunications, which enables online activities that contribute to global commerce and trade and play an increasingly important role in national security.”

She added that while such activities have a widespread benefit to the Australian and US economies, they also pose new risks and challenges when it comes to cyber security management.

The two nations will work closely in the coming years to actively combat malicious activity in the online space – and will meet regularly to discuss effective strategies for cyber security co-operation. The May 18 statement of cyber security intent follows a number of other statements jointly signed between the United States and Australia that will foster greater collaboration when tackling international crime.

According to Roxon, the latest collaboration will primarily centre around digital control systems and other aspects of critical infrastructure.

Under the new agreement with the United States, the two countries will create collaborative education and training opportunities , as well as an exchange of information – such as IT and cyber security best practices.

National cyber incident response teams in both nations will also work closely with one another to share information and awareness on specific cyber security incidents and issues. Representatives from Australia and the US will meet annually for progress reviews – identifying successes and challenges.

Earlier this year, Roxon also announced the creation of an Australian branch of CREST – the Council of Registered Ethical Security Testers.

This represents another significant collaboration with international security efforts – CREST Australia is affiliated with CREST Great Britain, which requires its members to meet competency requirements by passing a series of exams.

CREST Australia’s role is to create and enforce the ground rules for Australian cyber security testing – a move that will ensure penetration testing and other work carried out by security professionals is carried out to a recognised standard.

In March, Roxon asserted that the creation of CREST Australia would establish clear and uniform cyber security testing standards.

The evolving nature of cybercrime

As with any criminal undertaking, if there is a measurable profit available to malicious parties they are likely to spend more time on perfecting their skills.Data theft and other cybercrimes are becoming much more organised as the practices and procedures required to gain access to sensitive information becomes more complex.

This is because the vulnerability management activities performed by professional security managers forces malicious parties to rethink their strategies – slowing them in their tracks.However, over time and through collaboration, online criminals are able to develop new and innovative approaches to discover penetration avenues.

Of course, this in turn forces the hand of security experts to review and upgrade their defences yet again – or face the consequences that come with complacency.In short, managing vulnerabilities requires careful use of resources in order to ensure that the constant cycle of penetration attempts and security upgrades does not become the digital equivalent of an arms race.

This is because the cost of protecting information assets should reflect their potential value to both the company concerned and its stakeholders. Making valuable data out of reach of malicious parties effectively puts an end to what could otherwise be an expensive cycle – with careful planning and regular review, the costs soon become an investment in security rather than a drain on resources.

Technical Risk Assessments | Penetration Testing

New businesses need to be extra diligent

As a new business begins operations, there inevitably comes along scenarios that test the capacities of the employees concerned.

While it is highly unlikely that a manager will be able to plan for every scenario, it may be possible to ensure that the systems in place are capable of handling a wide range of issues that may arise.

When it comes to asset vulnerability management, ensuring that the policy frameworks and responsibilities are in line with best practice procedures can be a powerful step in the right direction to prepare for incident management. Not only does this mean that employees are aware of how best to handle a situation, it also means that they know where they can find more information on what to do next should an incident escalate.

Regular reviews of internal practices can help to ensure that staff activities are still aligned to protect the safety and security of the business’ information assets, while external audits of a firm’s defences can help to highlight any gaps before they become an issue.In this way a new enterprise can continue to securely deliver its products and services in the knowledge that it has been diligent in covering potential breach avenues.

The two-pronged approach to effective digital security

Raising the issue of system audits, it is common for people inside a business to consider one of two key topics – online precautions or internal business protocols. However, the truth is that these two areas have a much closer relationship than may be immediately apparent.While internal policies help managers to control how sensitive information is stored, transmitted and processed, these rules and regulations do not directly protect the firm from dedicated external threats. Conversely, the deployment of a firewall, antivirus software and spam filters can provide a good level of protection from probing attacks, but do little to reduce the impact of a breach should it occur.

This is why specialist security audit firms suggest that a two-pronged approach be taken when the decision is made to review an enterprise’s defences – as a comprehensive review will deliver more of an insight into potential problems than a piecemeal plan. A sound report will allow managers and IT specialists to begin collating a defensive strategy that covers all the bases – not just external threats or internal processes

Managing the use of employee flash drives

As the price of memory used in USB flash drives plummets, the capacities of the devices seems to grow at an equal rate, improving their usefulness across a range of applications.In turn this makes the ubiquitous ‘memory stick’ something of a baseline commodity that is used in almost every industry to transfer data and documents from one machine to another without using wireless connection, content management systems or other digital options. However, this same level of familiarity makes USB drives something of a target for malicious activities, both as a source of valuable details and as a point of injection for future attacks. A common practice is to pick up a device, check it for information, and then return it with a hidden installer that activates when it is plugged into a victim’s machine. In response, many firms issue blanket bans on the use of such devices across their in-house facilities – the reasoning being that if no information is stored or received on flash memory sticks, there is no chance of them falling into the wrong hands. While this approach may have its merits, it is often does not work for the business and so it still pays to have vulnerability management plans in place should the potential for a security breach arise

Stopping a good system from going bad

When malicious parties attempt to access the digital assets of a firm, it may not always be to try and gain control over financial information.
The contact details stored by a business can be just as valuable to third parties as bank accounts and credit card numbers, simply because of the opportunities they represent. While many companies are quite diligent in storing their sensitive information away from prying eyes, it can be tough for those on the inside to know exactly how much information is available during a committed attack. To get a clear view of the digital features that are the most easily accessible – but without the dangers of actually losing data – an ethical hacking team can be organised to examine the defences.

Reporting their findings directly back to the company, an online security team can perform penetration testing to all areas of a firm – or limit their activities to specific areas that are of concern to the business.This allows managers in charge of the protection of digital assets to know which parts of their framework represent the biggest threat, allowing them to act before an actual attack occurs

Penetration Testing | Penetration Testing Teams