Thursday, 17 April 2014

CQR is now an approved member of CREST Australia

Within the Information Security world the word Risk is key. Understanding and managing that word can make the greatest of difference to an organisation.

CQR are proud that they practise what they preach: their own risks are checked, managed and improved at every opportunity. To reinforce the work they do and the value and expertise they offer, they have now officially become a member of CREST Australia.

CREST is the Council of Registered Ethical Security Testers. To become one of its CREST Approved companies, each applicant is subjected to an audit; CQR are happy to have passed this process and are now on the list of CREST Approved companies.

To complete the process, three of CQR’s best security specialists have passed CREST’s demanding CRT examination and have become certified information security testers. CREST’s CRT exam tests the applicant’s own skills and experience; there is no way to prepare for it except to rely on your own knowledge. One of CQR’s specialists achieved the highest score ever seen in the exam, and CQR are very proud of all of their specialists who took part and passed.

All those who pass the examination must be employed by a CREST approved company to be part of CREST Australia.

Achieving approval from CREST shows that CQR and its security specialists work to the highest of standards and are dedicated to providing the very best service to their clients.

Monday, 14 April 2014

The Heartbleed Bug, gone in a heartbeat.

There is a hole in the heart of Internet security which has the potential to expose countless encrypted transactions.  It’s been named the Heartbleed Bug.  The bug was accidentally incorporated into OpenSSL in late 2011.  OpenSSL is an open source library that many software developers use to implement SSL/TLS encryption to provide security and privacy for communications over the Internet.

So how does it work?
When you connect to a secure Internet site to access your email, social media account or Internet banking, the server you connect to sends back what is called a ‘heartbeat’. Just like your own heartbeat, it is how your computer and the server stay connected while you are logged in: the heartbeat lets the server know that you are still there and still wish to be connected to your online account. Once you log out, the heartbeat stops, so the server knows that there should no longer be a connection and your online account is no longer accessible.

The heartbeat is a very small message, but by using the bug an attacker may be able to read more of the web server’s memory than the heartbeat should allow, and that memory may contain sensitive information useful to an attacker. This might include usernames and passwords, session keys or even the web server’s private key.
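The length check that a heartbeat handler needs, as an added example (this is not OpenSSL’s code and not part of the original post): a small C parser for TLS heartbeat messages using the RFC 6520 layout (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding). It refuses any request whose declared payload length does not fit inside the bytes actually received, and only then builds the echoing response. The helper names (hb_validate, hb_build_response, hb_make_request) and the sample messages are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of a TLS heartbeat message (RFC 6520):
 *   byte 0      : type (1 = heartbeat_request, 2 = heartbeat_response)
 *   bytes 1..2  : payload_length, big-endian
 *   then        : payload_length bytes of payload
 *   then        : padding, at least 16 bytes
 * Everything below is example code written for this post; it is not
 * OpenSSL's implementation and the helper names are invented. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Check a received heartbeat record against the number of bytes that
 * actually arrived. Returns the declared payload length when the record is
 * well formed, or -1 when it is not. Comparing the declared length with
 * rec_len is the check whose absence lets a peer ask for far more bytes
 * than it sent. */
int hb_validate(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < (size_t)(HB_HEADER_LEN + HB_MIN_PADDING))
        return -1;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | (size_t)rec[2];
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;                      /* peer claims more than it sent */
    return (int)payload_len;
}

/* Build a heartbeat_response that echoes a validated request's payload.
 * Returns the response length, or -1 if the request is malformed or the
 * output buffer is too small. Only bytes covered by hb_validate() are ever
 * read from req, so the copy can never run past what was received. */
int hb_build_response(const uint8_t *req, size_t req_len,
                      uint8_t *out, size_t out_cap)
{
    int payload_len = hb_validate(req, req_len);
    if (payload_len < 0 || req[0] != HB_REQUEST)
        return -1;
    size_t resp_len = HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, req + HB_HEADER_LEN, (size_t)payload_len);
    /* Real implementations use random padding; zeros keep this deterministic. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Construct a sample request (test data, not captured traffic). declared_len
 * is what the header claims; actual_len is how many payload bytes follow.
 * Returns the total number of bytes written, or -1 if buf is too small. */
int hb_make_request(uint8_t *buf, size_t cap, const uint8_t *payload,
                    size_t actual_len, uint16_t declared_len)
{
    size_t total = HB_HEADER_LEN + actual_len + HB_MIN_PADDING;
    if (total > cap)
        return -1;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, actual_len);
    memset(buf + HB_HEADER_LEN + actual_len, 0x5a, HB_MIN_PADDING);
    return (int)total;
}

int main(void)
{
    uint8_t req[64], out[64];
    const uint8_t *msg = (const uint8_t *)"hello";

    /* An honest request: header says 5 bytes, 5 bytes follow. */
    int n = hb_make_request(req, sizeof req, msg, 5, 5);
    printf("honest request: validate=%d response_len=%d\n",
           hb_validate(req, (size_t)n),
           hb_build_response(req, (size_t)n, out, sizeof out));

    /* A lying request: header says 65535 bytes, still only 5 follow. */
    n = hb_make_request(req, sizeof req, msg, 5, 65535);
    printf("lying request:  validate=%d response_len=%d\n",
           hb_validate(req, (size_t)n),
           hb_build_response(req, (size_t)n, out, sizeof out));
    return 0;
}
```

The response builder never trusts the header on its own: hb_validate() compares the claimed length with rec_len, the size of the record that was actually read off the wire, and a request that claims more than it sent is rejected outright rather than answered. That bounds check before the copy is the essential element of a fix for this class of bug.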

So am I affected and what should I do?
This is a hard question to answer.  If a web site uses an older version of OpenSSL, then it is not affected.  Even if it does use the vulnerable version of OpenSSL, an attacker would need to be using the bug at exactly the time you are using the site to be able to grab your credentials.  The best we can say is that it is possible you have been directly or indirectly affected.  Unfortunately the Heartbleed bug leaves no trace of exploitation, so you cannot tell whether it has been used against you.

The best thing for us all to do is change our passwords if our provider tells us that they were exploited.  It might even be a good idea just to change all those old passwords that you’ve been using for years, just in case.  Here are some tips for creating a secure password:
·         Make it a minimum of 8 characters long
·         Use upper and lower case letters
·         Substitute numbers or symbols for letters
·         Do not use simple personal information (e.g. birthdays, children’s names, pet names)
·         If you keep a written copy of your passwords, use an encrypted method of storing and accessing them, not a note in your wallet.
·         An easy thing to remember is a phrase: try abbreviating the phrase and using the first letter of each word as your password. Adding numbers can make this harder to guess.

The OpenSSL team have created a fix and this is being rolled out across the Internet to correct the bug.

How can I find out if my website is affected?
A useful tool for checking the SSL/TLS configuration of a web site is https://www.ssllabs.com/ssltest/

I would like more information of Heartbleed and its effects.
Here are some of places to look for more information.

Providing detailed information on Heartbleed and a detailed Q&A
The Heartbleed Hit List: The Passwords You Need to Change Right Now
How Heartbleed Works: The Code Behind the Internet's Security Nightmare

Sarah Taylor
www.cqr.com

Friday, 4 April 2014

The XPocalypse is nigh!

Next week, on 8-Apr-2014, the mainline support for Windows XP ends.  If you believe the media, the Internet is headed for a disaster of biblical proportions.  Real wrath-of-God-type stuff.  Fire and brimstone coming from the sky!  Rivers and seas boiling!  Forty years of darkness!  Earthquakes!  Volcanoes!  Human sacrifice, dogs and cats living together, mass hysteria!

Perhaps the late great Harold Ramis had it right in Ghostbusters, but I think that XP will go into the night, not with a bang but with a whimper.

Let's fire our proton pack at each of the arguments, and see what ends up in the trap.

1.  XP will be vulnerable forever.
Absolutely true.  There will be no more security patches ever.  But most businesses that have managed the transition to Windows 7 still don't patch effectively, which means that most of those installations are vulnerable right now.  If you upgrade but don't maintain your patches, you might as well not bother.

2.  XP is everywhere.
No it really isn't.  The current market-share of XP is just under 30%.  While this is still much higher than we would like a week away from the end of support, it is low enough that herd immunity will probably protect the laggers for some time.

3.  Alright then, XP is everywhere in critical systems.
Yes and no.  It is true that most of the ATMs on the planet run XP, but the vast majority don't run the same XP Professional image that you might have once had on your desktop.  What they run is either Windows XP Embedded Service Pack 3, which is supported until 12-Jan-2016, or Windows Embedded Standard 2009, which is supported until 9-Apr-2019.  So the banks have plenty of time to address the issue.

4.  Ok then, XP is in medical systems, if they don't upgrade people will die.
In some of them it definitely is, and it's the desktop version.  You can probably even find Windows 98 running some systems in hospitals.  However almost all of these systems are not networked, so the attack surface is very small.  They also tend to be locked inside the machine, so accidental access is unlikely.

5.  But my Mum has XP!
And finally we get to the crux of the problem.  There really is a lot of legacy XP out there in systems that we've given to our families.  Nothing says "I love you" like buying them a new tablet and sending the old XP machine to recycling.

I really don't think there is any need to cross the streams right now, but it still might be a good idea to keep an eye out for the Stay-Puft Marshmallow Man.  After all, we get to choose the form of the Destructor!
 
Phil Kernick
@philkernick

Tuesday, 1 April 2014

3 new certified QSAs reporting for duty.

In March, three of our Australia-based employees became certified as Qualified Security Assessors (QSAs), which doubles the number of QSAs working for CQR across Australia and New Zealand.

CQR have been a QSA company for a number of years and pride themselves on having QSA resources available in each of their Australian offices.

Being certified as a QSA means that the PCI Security Standards Council has assessed each candidate to meet the requirements to perform a PCI data security assessment, and are able to validate a client’s adherence to the PCI DSS.

Why comply with PCI DSS?

For vendors responsible for the safe handling of cardholder information, the PCI Data Security Standard (PCI DSS) is key: it provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.

Undertaking PCI DSS compliance can seem like a lot of effort, especially for smaller organisations, but the benefits outweigh those doubts. In an environment where data is valuable, showing compliance with PCI DSS lets customers know that your systems are secure and that they can trust you with their sensitive payment card information. That trust allows your customers to be comfortable doing business with you, and confident customers are more likely to become repeat customers or to recommend you to others.

For other organisations doing business with you, it shows that you are conscious of security and active in looking after your data and that of others. Compliance is an everyday process, and ensuring that you stay up to date and keep meeting the standard’s guidelines is just as important. Being compliant can also help with other regulations.

Being compliant not only gives your customers and business partners confidence and peace of mind; it also helps your company avoid the negative effects of compromised data, including loss of sales and relationships, insurance claims, cancelled accounts, and payment card and government fines, none of which any organisation wishes to encounter. A robust PCI DSS programme therefore benefits every organisation that deals with cardholder information.

CQR have proven success in supporting businesses through each stage of their PCI journey, and having additional PCI QSAs ensures that the extra skills are available to achieve this.

Contact CQR today to see how we can help you achieve compliance.

Sarah Taylor
www.cqr.com

Wednesday, 12 March 2014

Privacy and your organisation, do you understand the rules?

The Australian Privacy Amendment Act 2012 will come into force on 12th March 2014 and will introduce significant amendments to the Privacy Act 1988.

The Privacy Act changes will give the Information Commissioner the ability to:

  • Resolve complaints, use external dispute resolution services, conduct investigations and promote compliance;
  • Investigate serious breaches (including the right to impose penalties of up to $1.7 million on businesses);
  • Assess the privacy performance of businesses.

Who must comply with the Act?

The Privacy Act protects personal information handled by businesses with an annual turnover of more than $3 million and health service providers of any size.

The Act may also apply to a small business if it poses a higher risk to privacy, for example a small business that holds health information and provides health services, or one that:
  • trades in personal information
  • provides services under a Commonwealth contract
  • runs a residential tenancy database
  • is related to a larger business
  • is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act.

Other small business operators may choose to opt in to the regime or may be brought into the regime by regulation.

If you’re not sure whether the Privacy Act applies to your business, try the 9 Step Privacy Checklist for Small Business on the Office of the Australian Information Commissioner (OAIC) website: http://www.oaic.gov.au

How will the changes affect you?

The changes will affect how businesses can:
  • Handle and process personal information;
  • Use personal information for direct marketing;
  • Disclose personal information to people overseas.

Although you may already be required to comply with the Privacy Act, you need to be particularly aware of the changes, as you will need to change your privacy policies and practices significantly in order to comply with the requirements of the Australian Privacy Amendment Act 2012.

A point to note

Each State has its own Privacy legislation and therefore you must understand the legislative restrictions on processing personal data, not only within the State you reside, but of the States you interact with!

NSW for example has the Privacy and Personal Information Protection Act 1998 (NSW) together with the Health Records and Information Privacy Act 2002.  

Private sector companies should be aware of the requirements if they provide services to a NSW government agency.

Private sector health service providers of any size in NSW will have to comply with the Health Records and Information Privacy Act 2002 and also the Commonwealth Privacy Act 1988.

How confident are you in your Privacy practices?

For example, APP 11 requires an organisation to take reasonable steps to ensure personal information is protected from “interference, unauthorised access, modification and disclosure”.

  • How do you provide this assurance?
  • Are you able to demonstrate ‘reasonable’ steps have been taken to protect personal data?

You must take reasonable steps to “implement practices, procedures and systems that ensure compliance with the APPs”.

So how well do you know your information processes?  What personal information do you collect and do you understand its lifecycle within your organisation?  Are you able to answer the following:
  • What personal information is collected, where, when, why and by whom?
  • What controls do you have at the collection point?
  • Do you collect consent?
  • How do you record consent?
  • Do you understand the purpose(s) for which information is collected?
  • How is it kept relevant?
  • Where does the information go?
  • How is it stored?
  • How is it kept up to date?
  • In what format is data stored, and for how long?
  • What happens at ‘end of life’?

If you’re not confident you can answer these questions, we are here to help!

CQR Services

CQR is able to help organisations through the following services:

Service: Privacy Compliance Jumpstart
Overview: We will conduct a Privacy Impact Assessment (PIA), provide an implementation roadmap and draft a Privacy Policy.

Service: Privacy Impact Assessment (PIA)
Overview: We will conduct a series of interviews to understand how you currently use and protect personal information, and provide recommendations on how you can improve your processes to ensure that personal information is:
  • Processed fairly
  • Kept accurate, complete and up to date
  • Kept secure
  • Made available to data subjects

Service: Update to Privacy Policy
Overview: We will review and update your Privacy Policy to ensure it captures the requirements of the Australian Privacy Amendment Act 2012.

Service: Third Party Audit
Overview: We will conduct an audit of how you manage third party relationships.

Service: Information Security Gap Analysis
Overview: We will conduct a series of interviews to understand how you currently protect personal information, using the ISO 27001 information security standard as the benchmark for compliance.

Service: Privacy Audit
Overview: We will conduct an audit of your privacy practices covering:
  • Consent management
  • Subject access requests
  • How you use and protect personal data
  • Defined roles and responsibilities
  • Review of Privacy Policies, Procedures and Guidelines
  • Risk Management


Friday, 7 March 2014

Social Bronze Age

In October 2013 I wrote a blog entitled Stone Aged Security, where I noted that we've been through the journey of Stone Age to Industrial Age twice before, first for civilisation taking 12,000 years, and then again for IT, but this time 200x faster and only taking 60 years, and that we had started the cycle again for the Social Stone Age.

The Social Stone Age (2000-2013) will be looked back on fondly.  It's the age when we discovered social media.  It's the age when we were encouraged to share.  It's the age when we naively assumed that private actually meant private, and that big brother didn't really exist - or at least if they did, they were only watching the bad guys.  It's the age when we weren't having discussions about metadata.

That age is over.  2014 is the start of the Social Bronze Age.  This age is marked by two distinct phase changes in the way that we communicate on the Internet.

The first phase change is that we are moving from a default unencrypted Internet, where we only encrypt that information that we consider to be sensitive, to a default encrypted Internet, where we encrypt everything all the time.  Facebook and Twitter moved from only encrypting logins, to encrypting everything.  Google started encrypting all searches.  This would have happened eventually, but it has really been forced this year by the realisation that the threat model has fundamentally changed.  We are no longer trying to protect ourselves just from cybercriminals, but also from the security services that are recording everything all the time.

The second phase change is that we have moved to a default "in" position for social media.  It is now assumed that everyone has at least one social media account, and that the only people who don’t have one have consciously chosen not to, and they are just a little odd.  Private mailing lists have almost entirely gone, replaced by social media groups.  Moreover social media is replacing e-mail as the normal way that people communicate with each other.

My calculations show that the Social Age is running 2.5x faster than the IT Age, and 500x faster than civilisation!  It's hardly surprising that we really aren't coping that well.  If this trend continues, then here are my predicted dates for the remainder of the Social Age, and some key expectations.

2018: Social Iron Age.  The end of centrally controlled social media, and the end of companies like Facebook and Twitter.  Social media will be peer-to-peer with all the processing, privacy and communication controlled by the users and happening in an app on their phones.  The Internet of things will be real and it will all be IPv6.

2021: Social Middle Age.  The end of e-mail and text based communication.  Everything will be voice controlled, and keyboards will seem quaint.  Real-time language transcription and translation will be practical for everyday use.  Language will no longer be a barrier to communication.

2023: Social Industrial Age.  Avatars will do most of the work for you.  Expect the first real cyber world war.  What we see as science fiction today, will be practical reality, except that we still won't have artificial intelligence, robots or flying cars.

2024: The next age starts - the Machine Stone Age.

It's going to be an interesting 10 years.

Friday, 28 February 2014

Autumn is coming, are you prepared?

With the Autumn season just a day away we look to changing our wardrobe for some warmer clothing, preparing our home for the relief of rain and looking forward to making it into the garden and seeing what the summer sun has left for you to revive. It’s a chance for us all to take a break from the long and busy summer and nestle down in our homes ready for winter.

But what are the risks involved? Initially you might think there can’t be many: you are looking forward to catching up on some of those books on the bookshelf you haven’t had time to start, decorating the dining room because the summer was too hot to even think about it, or taking up a new hobby if that’s your thing.

The first big downpour of 2014 left my gutters overflowing and my garden turning into a swimming pool, all of which was unexpected. I didn’t know it was going to rain that hard, and we had already cleared out the gutters a few weeks before. But those record-breaking 40 degree temperatures in Adelaide had a big effect on the trees around my house, and when the wind picked up they shed all their dry leaves back onto my roof and into my gutters. Hence the overflow, and my husband getting soaked to his socks clearing them out, hoping he cleared them before the water got into the roof.

We hear it all too often on the radio and the news: people like you and me having their information hacked and money stolen from their bank accounts. When we find out it is happening, we go into defence mode, change our passwords and have a rant at the bank until it’s fixed. But what if it’s your workplace, and your office holds the information of others, or your organisation is closed down for the day? What then? It may not be just you who is affected, and it doesn’t take long for someone on a laptop sitting in their own home to leave you with a wealth of problems that can’t be fixed with a phone call or a password change. A cyber-attack isn’t your only threat; losing power to your premises for a long period can be just as harmful if you end up out of contact or unable to complete your daily tasks.

Having a disaster recovery plan in place can be a challenging and difficult task, but in the event of a breach or natural event it may be your only hope of maintaining service and recovering as quickly and efficiently as possible.

So what can I do?

For an organisation that has not taken a great deal of time to consider disaster recovery, CQR can analyse the business through a Business Impact Analysis, looking at where a disruptive event would have an effect. This provides a risk register, business continuity and recovery plans and, most importantly, shows whether the business can recover within the desired timeframe.

We can provide an independent review of your IT Service Recovery Plans through an IT Service Recovery Technical Review, ensuring that the information therein is adequate to support the recovery processes and that staff are aware of their roles and responsibilities.

CQR also have specialist consultants who can carry out a Vulnerability Assessment: technical vulnerability scans that challenge the resilience of your network architecture. We will provide you with a vulnerability report outlining the risks, with recommendations to manage the identified vulnerabilities.

In addition to these services, CQR can also provide Exercise / Test Facilitation, Document Development, a Business Continuity Gap Analysis against the ISO 22301:2012 Business Continuity Standard, and Business Continuity Management System (BCMS) Development. All of these services are delivered by partnering with the organisation and developing a scope, to ensure that what is delivered is exactly what is needed to prevent the worst from happening.

So before the winter arrives I have my own plan in place to make sure that my gutters no longer get clogged with leaves and debris, and that I reduce the risk of my garden becoming flooded again. That will involve my husband getting back up onto the roof again, but hopefully this time he will be drier.

Sarah Taylor