Thursday 17 April 2014

CQR is now an approved member of CREST Australia

Within the Information Security world the word Risk is key. Understanding and managing that word can make the greatest of difference to an organisation.

CQR are proud of the fact that they practice what they preach: their own risks are checked, managed and improved at every opportunity. To reinforce the work that they do, and the value and expertise they bring, they have now officially become a member of CREST Australia.

CREST is the Council of Registered Ethical Security Testers. To become one of its CREST Approved companies, each applicant is subjected to auditing; CQR are happy to have passed this process and are now on the list of CREST Approved companies.

To complete the process, 3 of CQR’s best security specialists have completed CREST’s demanding CRT examination and have become certified information security testers. CREST’s CRT exam is based on the applicant’s skills and experience; there is no way to prepare for it except to rely on your own knowledge. One of CQR’s specialists achieved the highest score that has ever been seen in the exam, and CQR are very proud of all of their specialists who took part and passed.

All those who pass the examination must be employed by a CREST approved company to be part of CREST Australia.

Achieving approval from CREST shows that CQR and its security specialists work to the highest of standards and are dedicated to providing the very best of service to their clients.

Sarah Taylor
www.cqr.com

Monday 14 April 2014

The Heartbleed Bug, gone in a heartbeat.

There is a hole in the heart of Internet security which has the potential to expose countless encrypted transactions. It’s been named the Heartbleed Bug. The bug was accidentally incorporated into OpenSSL in late 2011. OpenSSL is an open source library that many software developers use to implement SSL/TLS encryption, providing security and privacy for communications over the Internet.

So how does it work?
When you connect to a secure Internet site to access your email, social media account, or Internet banking, the server you connect to will send back what is called a ‘heartbeat’. Just like your own heartbeat, it is how your computer and the server stay connected whilst you are logged in. The heartbeat lets the server know that you are still there and still wish to be connected to your online account. Once you log out the heartbeat stops, so the server knows that there should no longer be a connection and your online account is no longer accessible.

The heartbeat is a very small message, but by using the bug an attacker may be able to read more of the web server’s memory than the message should allow, and that memory may contain sensitive information useful to an attacker. This might include usernames and passwords, session keys or even the web server’s private key.
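To make the paragraph above concrete, here is an added illustration written for this page (it is not code from OpenSSL or from CQR): a simplified heartbeat echo in C, with the version that trusts the length the peer declared beside the version that first checks that length against the bytes actually received. The message bytes are constructed, and the “memory next to the record” is simulated by placing the record at the front of a larger buffer. The function names, the `arena` buffer and its contents are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of a TLS heartbeat message (RFC 6520):
 * 1 byte type, 2 byte payload length, payload, then at least 16 bytes padding. */
#define HB_HEADER  3
#define HB_PADDING 16

/* Constructed data, not a real capture: a heartbeat request that declares a
 * 40-byte payload but really carries 1 byte, followed by bytes that stand in
 * for whatever else happened to sit next to the record in process memory. */
#define BAD_RECORD_LEN 20  /* 3 header + 1 real payload byte + 16 padding */
static const unsigned char arena[64] = {
    0x01,             /* type: heartbeat_request */
    0x00, 0x28,       /* declared payload length: 40 (a lie) */
    'A',              /* the one real payload byte */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* 16 bytes of padding */
    /* from here on: not part of the record at all (simulated neighbour data) */
    's', 'e', 'c', 'r', 'e', 't', '=', 'h', 'u', 'n', 't', 'e', 'r', '2',
};

/* An honest request: declared length 1, one payload byte, 16 bytes of padding. */
static const unsigned char good_record[BAD_RECORD_LEN] = {
    0x01, 0x00, 0x01, 'A',
};

static uint16_t declared_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Pre-fix behaviour: the payload is echoed using the length the peer declared,
 * which is never compared against how many bytes were actually received. */
static int echo_unchecked(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap) {
    (void)rec_len;                       /* the bug: the real length is ignored */
    uint16_t n = declared_len(rec);
    if (n > out_cap) return -1;          /* only the output buffer is bounded */
    memcpy(out, rec + HB_HEADER, n);     /* copies well past the real record */
    return (int)n;
}

/* Post-fix behaviour: drop any message whose declared payload would not fit
 * inside the bytes that actually arrived (the check the OpenSSL fix added). */
static int echo_checked(const unsigned char *rec, size_t rec_len,
                        unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;            /* too short to be valid */
    uint16_t n = declared_len(rec);
    if ((size_t)HB_HEADER + n + HB_PADDING > rec_len) return -1; /* declared length is a lie */
    if (n > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, n);
    return (int)n;
}

int main(void) {
    unsigned char out[64];
    int n = echo_unchecked(arena, BAD_RECORD_LEN, out, sizeof out);
    printf("unchecked: echoed %d bytes, including \"%.14s\", which was never part of the record\n",
           n, (const char *)out + 17);
    printf("checked:   over-long request -> %d, honest request -> %d\n",
           echo_checked(arena, BAD_RECORD_LEN, out, sizeof out),
           echo_checked(good_record, BAD_RECORD_LEN, out, sizeof out));
    return 0;
}
```

The defensive lesson is the one-line check in `echo_checked`: a length field supplied by the other end of a connection is untrusted input and must be validated against the amount of data actually received before it is used to size a copy. The same pattern applies to any protocol parser, not only to TLS heartbeats.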

So am I affected and what should I do?
This is a hard question to answer. If the web site you use runs an old version of OpenSSL, it is not affected. Even if it does use the vulnerable version of OpenSSL, an attacker would need to be using the bug at exactly the time you are using the site to be able to grab your credentials. The best we can say is that it’s possible that you have been directly or indirectly affected. Unfortunately the Heartbleed bug leaves no trace of exploitation, so you are unable to see whether it has been used against you.

The best thing for us all to do is change our passwords if our provider tells us that they were exploited. It might even be a good idea just to change all those old passwords that you’ve been using for years, just in case. Here are some tips for creating a secure password:
· Be a minimum of 8 characters long
· Use upper and lower case letters
· Substitute numbers or symbols for letters
· Do not use simple personal information (e.g. birthdays, kids’ names, pet names)
· If you keep a written copy of your passwords, use an encrypted method of accessing them, not a note in your wallet.
· An easy thing to remember is a phrase: try abbreviating the phrase and using each of the first letters as your password. Adding numbers can help make this harder to guess.

The OpenSSL team have released a fix, and it is being rolled out across the Internet to correct the bug.

How can I find out if my website is affected?
A useful tool to check the SSL/TLS configuration of your Internet provider’s web server is https://www.ssllabs.com/ssltest/

I would like more information on Heartbleed and its effects.
Here are some places to look for more information.

Providing detailed information on Heartbleed and a detailed Q&A
The Heartbleed Hit List: The Passwords You Need to Change Right Now
How Heartbleed Works: The Code Behind the Internet's Security Nightmare

Sarah Taylor
www.cqr.com

Friday 4 April 2014

The XPocalypse is nigh!

Next week, on 8-Apr-2014, mainline support for Windows XP ends. If you believe the media, the Internet is headed for a disaster of biblical proportions. Real wrath-of-God-type stuff. Fire and brimstone coming from the sky! Rivers and seas boiling! Forty years of darkness! Earthquakes! Volcanoes! Human sacrifice, dogs and cats living together, mass hysteria!

Perhaps the late great Harold Ramis had it right in Ghostbusters, but I think that XP will go into the night, not with a bang but with a whimper.

Let's fire our proton pack at each of the arguments, and see what ends up in the trap.

1.  XP will be vulnerable forever.
Absolutely true. There will be no more security patches, ever. But most businesses that have managed the transition to Windows 7 still don't patch effectively, which means that most of those installations are vulnerable right now. If you upgrade but don't maintain your patches, you might as well not bother.

2.  XP is everywhere.
No, it really isn't. The current market share of XP is just under 30%. While this is still much higher than we would like a week away from the end of support, it is low enough that herd immunity will probably protect the laggards for some time.

3.  Alright then, XP is everywhere in critical systems.
Yes and no. It is true that most of the ATMs on the planet run XP, but the vast majority don't run the same XP Professional image that you might once have had on your desktop. What they run is either Windows XP Embedded Service Pack 3, which is supported until 12-Jan-2016, or Windows Embedded Standard 2009, which is supported until 9-Apr-2019. So the banks have plenty of time to address the issue.

4.  Ok then, XP is in medical systems, if they don't upgrade people will die.
In some of them it definitely is, and it's the desktop version. You can probably even find Windows 98 running some systems in hospitals. However, almost all of these systems are not networked, so the attack surface is very small. They also tend to be locked inside the machine, so accidental access is unlikely.

5.  But my Mum has XP!
And finally we get to the crux of the problem.  There really is a lot of legacy XP out there in systems that we've given to our families.  Nothing says "I love you" like buying them a new tablet and sending the old XP machine to recycling.

I really don't think there is any need to cross the streams right now, but it still might be a good idea to keep an eye out for the Stay-Puft Marshmallow Man.  After all, we get to choose the form of the Destructor!
Phil Kernick
@philkernick

Tuesday 1 April 2014

3 new certified QSAs reporting for duty.

In March, 3 of our Australia-based employees became certified as Qualified Security Assessors (QSAs), which doubles the number of QSAs working for CQR across Australia and New Zealand.

CQR has been a QSA company for a number of years and prides itself on having QSA resources available in each of its Australian offices.

Being certified as a QSA means that the PCI Security Standards Council has assessed each candidate as meeting the requirements to perform a PCI data security assessment, and as being able to validate a client’s adherence to the PCI DSS.

Why comply with PCI DSS?

For vendors who are responsible for the safe handling of cardholder information, the PCI Data Security Standard (PCI DSS) is key: it provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.

Undertaking a PCI Security Standard assessment can seem like a lot of effort, especially for smaller organisations, but the benefits outweigh those doubts. In an environment where data is valuable, showing compliance with PCI DSS lets customers know that your systems are secure and that they can trust you with their sensitive payment card information. That trust allows your customers to be happy doing business with you, and confident customers are more likely to become repeat customers or to recommend you to others.

For other organisations doing business with you, it shows that you are conscious of security and are active in looking after your data and that of others. Compliance is an everyday process, and ensuring that you are up to date and meeting the standard’s guidelines is just as important. Being compliant can also help with other regulations that are out there.

Being compliant not only gives your customers and business partners confidence and peace of mind, it also helps your company avoid the negative effects of compromised data: loss of sales and relationships, which can lead on to insurance claims, cancelled accounts, and payment card and government fines. None of these is something any organisation wishes to encounter. This shows that a robust PCI DSS programme can benefit all organisations who deal with cardholder information.

CQR have a proven record of supporting businesses through the stages of their PCI journey, and having additional PCI QSAs ensures that the extra skills are available to achieve this.

Contact CQR today to see how we can help you achieve compliance.

Sarah Taylor
www.cqr.com