Tuesday 31 December 2013

What Is Penetration Testing?


Pentesting, or penetration testing, is a means of evaluating computer and network security by identifying and exploiting vulnerabilities in the same way a real attacker would.

Pentesting will usually include a research stage (collecting information), identifying vulnerabilities and entry points (scanning), attempting to break in (exploiting) and feedback on the findings (reporting).

Strategies include:

Targeted testing, sometimes referred to as the “lights-on” approach, is performed in collaboration with the organization’s IT team.

External testing targets the visible servers or devices (DNS, email servers, web servers, firewalls) that an outside attacker would normally have access to, in order to determine how far they could break in.

Internal testing would be conducted from the inside – behind the firewall – with authorised access, in order to establish what damage could be done if an employee directed or assisted the attack.

Blind testing implies that only a limited amount of information (e.g. the name of the company) is available before the test takes place. This strategy requires extensive research and may involve higher costs.

Double blind testing means that not only is the information about the target company limited, but the number of people aware that the test is taking place is limited too. This is done in order to test the company’s security, attack identification and response policies.

For application testing:

White-box testing: the tester is given specific knowledge of the program code in order to establish whether or not the program performs its intended purpose.

Black-box testing: the tester has information on the input and output of the program but is not aware of the inner workings of the software.

Grey-box testing (translucent testing) is a combination of white-box and black-box testing.

Monday 16 December 2013

What Is STIG Compliance?


STIG (Security Technical Implementation Guide) Compliance is a standardized guideline for the installation and maintenance of software and hardware according to (U.S.) Department of Defense regulations. Each STIG also comes with a “checklist” which gives instructions on how to verify whether a device is compliant and, if not, how to make it compliant.

Gold Disk was a system administrator tool which allowed scanning for vulnerabilities and automated a system configuration compliant with STIG. As of the 31st of December 2012 Gold Disk was terminated (and withdrawn from public distribution), and other scanning solutions, the Host Based Security System (HBSS) and the SCAP (Security Content Automation Protocol) Compliance Checker (SCC), were to be used instead.

STIGs can be downloaded at the IASE (Information Assurance Support Environment) website, and they are regularly updated to address new configurations.


Friday 13 December 2013

UK Cyber Minister Mentions Titania in Annual Cyber Strategy Review

We were delighted to receive a mention in yesterday’s speech in Westminster by Cabinet Office Minister Francis Maude, in his annual review of the UK’s progress towards the objectives of the national Cyber Security Strategy.

During his speech, the Minister announced the government’s new target for the UK to achieve £2 billion of cyber exports annually by 2016.

In doing so, he specifically mentioned Titania, a UK SME already supplying its cyber software to 50 countries, as an example of the type of company in “the industries of the future that can help the UK achieve strong lasting growth and compete and win in the global race.”

Andy Williams, Titania’s Head of Global Business, who also sits on the board of the UK’s public/private Cyber Growth Partnership, said: “We appreciate the government’s active support for UK cyber SMEs, from which we have already substantially benefited. As Titania continues to expand into new overseas markets, we look forward to increasing our contribution towards the UK’s achievement of what is an ambitious but eminently achievable target of £2 billion for cyber exports.”


The mention comes around 8 minutes in.

For more stories about Titania, please visit our news & media page.

Tuesday 10 December 2013

What Is PCI Compliance?



PCI Compliance – the Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all businesses which handle credit card information maintain a secure environment. It was created by the five major card schemes (American Express, JCB, Visa, MasterCard and Discover Financial Services) to prevent and reduce card data fraud. Even though it does not have any legislative power, the regulators can apply fines, increase transaction fees or terminate the relationship with the merchant.

PCI compliance came about in order to improve payment procedure security, but the responsibility to enforce compliance lies with the merchants and customers, not with the PCI council.

For individuals running businesses from home, PCI compliance can at least offer guidance on security measures, since intruders do target home users as “easy targets” running applications that are not adequately protected.

For all merchants with external-facing IP addresses that store cardholder data, a quarterly scan by a PCI Approved Scanning Vendor is compulsory to validate compliance.

Usually, for a merchant to be declared compliant, the process will involve internal scans, penetration tests and file monitoring for the cardholder data environment. If customers are redirected to a third-party website during a transaction, then the third-party IP address needs to be included in the scan as well.

The PCI DSS guide on security requirements consists of six rules:
· Build and maintain a secure network and systems
· Protect cardholder data
· Maintain a vulnerability management program
· Implement strong access control measures
· Regularly monitor and test networks
· Maintain an information security policy



The PCI compliance council categorises merchants under 4 levels:
1. Merchants processing over six million Visa transactions per year, regardless of transaction channel.
2. Merchants processing one million to six million Visa transactions per year, regardless of transaction channel.
3. Merchants processing 20,000 to 1 million Visa e-commerce transactions per year.
4. Merchants processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year, regardless of transaction channel.

Wednesday 4 December 2013

2014’s Cyber Threat Predictions

1. BYOD appears on two of the prominent cyber threat lists released for the year ahead. Grouped with Cloud services, this new technological development poses more and more of a risk to information security.

Experts recommend: If you can’t eliminate BYOD or Cloud, make sure to implement them early, correctly and where possible with clear boundaries to distinguish between personal and professional data.

2. Reputational damage is largely dependent on how efficient your incident-response plan is. Time and time again we hear that companies are more than likely to have already suffered an attack and not even know it. Not a day goes by without a hacking story surfacing in the news. Improving the security defences is of course recommended, but for companies that want to stay ahead there is some more advice:

Experts recommend: Once the damage is done, a good response time can make the difference between a company’s survival and its failure. Plus, it is not only the IT department that must take all the heat: coordinated efforts throughout the entire organization are necessary to mitigate the issues. Just look at the #RBSglitch or the BA promoted tweet incidents to see the damage that can be done.

3. Privacy and regulation, mainly on the issue of data management. Storing and processing third-party data is common practice for companies, but when sub-contractors are involved the safety of this data is not entirely clear until a breach occurs. Sadly, their security standards may not always be at the same level as yours.

Experts recommend: A closer inspection of the subcontractors and clear guidelines on responsibility, obligations and legal roles in case of a breach.

4. Cybercrime – this is quite a broad spectrum. Fast technological developments, isolated and under-invested IT departments, increased online hacktivism and regulatory frameworks that simply do not update fast enough provide the perfect recipe for cybercrime.

Experts recommend: Rapid progress does not only occur in the criminal world. The past 12 months have shown a great increase in sophisticated tools, cyber forensics, prevention mechanisms and improvements in response protocols, which looks promising in terms of preventing and protecting against online attacks. So use these tools, and evaluate and update your systems and defences to make the best use of these technological developments.

5. The IoT (Internet of Things) is becoming quite visible in the media lately, especially since Symantec reported a new worm specifically targeting IoT devices. The Internet of Things is a concept which assigns physical objects virtual representations, enabling them to interact without human intervention. The threats to PCs have plenty of negative implications that can affect life, work, play and finances, but the IoT takes it a step further and connects the virtual world with the real one.

Experts recommend: Attention to the protection of these devices, and more research allocated to the development of IoT. As attackers test against different architectures, demonstrating the intent for more targeted attacks, the potential for physical harm looms closer.

6. Malicious insider – predictions say that for 2014, companies should expect a significant number of data breaches to come from inside. Such attacks can go undetected and, if discovered, will rarely be heard of outside the organisation.

Experts recommend: Naming and shaming the attackers may be a good deterrent, but knowing the data breach regulations and accountability rules is also strongly recommended, so that organisations that have fallen prey to intellectual property theft know how to proceed.

7. Corporate auditing committee results can be costly if you haven’t carried out a proper risk assessment and implemented a cyber policy. This is because these committees not only consider the financial welfare of the organisation, but also the connection between cyber security standards and the financial welfare of the company. The legal and reputational implications arising from that can involve protection against lawsuits questioning whether the level of cyber security can be deemed “commercially reasonable”.

Experts recommend: That the corporate board auditing committees decide who determines what a “reasonable” cyber security standard is, who enforces it and what response procedure should be implemented.

Most of the forecasts for 2014 are not new. They have been reported in the media so much over the past year that cyber risks are not only keeping the InfoSec community up at night, but have now entered the sphere of general public concern. What these predictions are, however, is an exercise in learning from past mistakes, and considering the pace at which technology is developing, individuals and organizations need to learn fast.

Tuesday 3 December 2013

Titania in the Shortlist for the Cyber Security Category at the European Smart Metering Awards 2014


Smart Metering UK and Europe Summit 2014 have joined forces once again to acknowledge the industry’s highest standards at the 5th edition of the European Smart Metering Awards. Titania’s Nipper Studio security auditing software has been shortlisted for the cyber security award for the 2nd year in a row. It features in the Solutions Provider category alongside established names in the industry such as BAE Systems Detica, Secunia and Codenomicon.

The awards ceremony is set to take place on the 30th of January, coinciding with the Smart Metering UK & Europe conference. A panel of 10 independent judges from utilities, consumer bodies, universities and associations throughout Europe will be assessing the applicants and deciding the winners.

The first part of the conference will address issues in the smart metering & grid industry, whilst cyber security concerns will be addressed in the second part of the conference with speeches regarding threats and implications for the energy sector. A recent addition to the Smart Metering conference is a focus on information security. This comes as a response to the transition towards a more digitalized system of Smart Grids. Alongside data management, data access and sharing and consumer privacy dominate today’s technological landscape and determine the future of the energy sector.

Titania is very pleased to be shortlisted for the awards and is delighted to be recognized as a solution provider within the Smart Metering industry. Titania is the creator of Nipper Studio and distributes it internationally to 50 countries worldwide; the cyber security tool is already used by utilities suppliers all over the world, as well as the U.S. Department of Energy.

The Smart Metering UK and Europe Summit will be held at London’s ETC Venue, St. Paul’s, 200 Aldersgate, on the 30th and 31st of January. For more information about the conference and awards, please visit: www.smuksummit.com


For more information about Titania, our products, or solutions in securing the energy sector, please visit our website www.titania.com or email us at: enquiries@titania.com

Monday 2 December 2013

What Is ERP?

ERP – Enterprise Resource Planning is a piece of software, or more accurately a collection of different applications, each satisfying a particular business demand, that work together in order to provide integrated management of business processes. Mainly focused on the back office functions that do not affect the general public directly, ERP has developed from a manufacturing resource into a core enterprise system that automates processes, using a database as an information bank. Although the specifics vary from one organization to another, most will include:

· Product Planning
· Manufacturing
· Marketing & Sales
· Inventory
· Purchasing

“Integrated” means that ERP will “pull” together the information from all these departments and provide an accurate picture for the Accounting department, for example. ERP is also capable of analysis and reporting, which feeds information in at management level for decision-making purposes.

Configuration & Customization

Successful ERP implementation for any business means understanding what specific processes the business needs and, once the software is out of the box, setting up these processes. The software is designed to support a number of configurations, and any performance mishaps will be assigned to the software provider. Customization, on the other hand, is a more complex process which personalizes the software further than configuration, and therefore it will fall under the customer’s responsibility. Customizing ERP can be done in different ways, some more complex than others, such as:
· Re-writing part of the software – complex, invasive and harder to maintain. May resist upgrades and require subsequent re-writing or testing.
· Creating an entirely new module to work within the existing system
· Outsourcing to third-party software

Advantages
· Transparency for management and collaboration between departments
· Automated and synchronized workflow
· Central analysis and reporting system
· Central database storage

Disadvantages
· Cost and resources deployed for implementation, configuration and personalization
· Cost and time savings will not be noticeable straight away
· Data migration and employee transition from existing software to ERP
· High (ERP software) switching costs mean vendor control over upgrade / maintenance costs