Friday 27 June 2014

Cyber Security Challenges Conference - Titania Discusses Experiences in the US Market

On Tuesday the 24th of June, Titania's CSO, Andy Williams, joined a panel of speakers at the half-day Cyber Security Challenges conference held at the BIS Conference Centre in London.


Cyber Security Challenges - panel session


Organised by UK Trade & Investment (UKTI), techUK and the Fairfax County Economic Development Authority (FCEDA), speakers discussed the opportunities for UK companies in the US cyber security market in the public and private sectors.

Having supplied to over 60 countries worldwide, with around 60% of revenue coming from the US, Titania's Andy Williams delivered a talk outlining Titania's experience of the US cyber market and offering advice on how to do business there.

Other speakers included Lockheed Martin who outlined opportunities in the US market, plus FCEDA and UKTI discussing the support they offer to UK companies looking to supply to the US government and cyber industries. 

The event concluded with a networking lunch and a chance for one-to-one meetings with attendees and speakers.

Andy Williams said: "We know from experience that the cyber security sector in the US is receptive to highly innovative British products. This event was a perfect opportunity to hear from companies who have already achieved success in the market, as well as Government and industry experts who can offer support and insight into doing business in the US."


Andy Williams speaking about cyber security challenges in the US market


Friday 20 June 2014

WorcsLitFest Launches With the Young Writer Award At The Worcester Guildhall

Source: worcslitfest.co.uk

The evening of Friday, 20th of June, will see the launch of the much-awaited Worcestershire Literary Festival. Hosted at the Guildhall, Worcester City Centre, the night will conclude with the competition to determine the Worcestershire Poet Laureate for 2014/2015.

The panel of judges includes Poet Laureate Emeritus Maggie Doyle, Poet Laureate Tim Cranmore, County Arts Officer Steve Wilson, Young Poet Laureate Holly Perrett and Secretary of LitFest Polly Robinson. Last year’s winner Tim Cranmore will hand over his title to one of 6 finalists: Bronwyn Durand, Louise Jones, Damon Lord, Fergus McGonigal, Claire Walker and Suz Winspear.

As part of the WorcsLitFest supporters, Titania’s team will be there from 18.30, ready to open the evening with the Young Writer competition. The judges are looking for youngsters between the ages of 13 and 19 with a unique talent. As sponsors of this event, Titania will then present prizes to the young winners. Later, the winners of the Flash Fiction awards, an internationally recognised short-story competition, will be announced by the judge and founder of the contest, Lindsay Stanberry-Flynn.

Tickets for the first part of the evening can be purchased from the WorcsLitFest website.
The night is set to end with a gentle Midnight Moonlight walk around what was once known as the hunting grounds of Malvern Chase.

This, however, is only the beginning. The organisers, volunteers and WorcsLitFest advocates have worked very hard to bring new, fun, vibrant and dramatic moments to Worcester over the next 10 days. There will be a Romantic Novelists Panel with four award-winning authors, writing workshops, stand-up poetry, a live cooking demonstration, children's story-telling and an evening with household name and radio personality Mike Harding, plus many other surprises.

Along with Titania, the Worcester business community has enthusiastically committed to support the Worcestershire Literary Festival. Among the organisations that have joined forces are: The University of Worcester, Sanctuary Group, The Hive, Worcester Whitehouse Hotel, SME Solicitors, Andrew Grant, King’s Worcester, Tudor House, Severn Valley Railway, Pure Risks, Simply Lets, The Old Rectifying House, Drummonds Bar, Avoncroft Museum, eRotary and others.

Tickets are still available online. For enquiries contact secretary@worcslitfest.co.uk

For updates follow @WorcsLitFest and tweet at #worcslitfest


Monday 16 June 2014

IA14 The Government's Information Assurance Event

Titania is attending IA14, the ‘government’s flagship event on cyber security and information assurance’. Hosted at the Park Plaza Westminster Bridge Hotel, London over 16 – 17 June 2014, the event is designed to provide a platform for discussion across government IT, the public sector, industry and academia. The debates will focus on how the UK can become an international authority in information security.

Having recently attended information security conferences on both sides of the Atlantic, Titania’s delegate, Andy Williams, will be able to share relevant insights with corporate and public sector representatives.

Source: cesg.gov.uk


Conference

IA14 comes shortly after the launch of the Cyber Essentials Scheme, which is likely to be a point of interest at the conference. Another recent initiative in the UK’s cyber security policy that IA14 participants can expect to hear about is the CBEST framework, established by CREST (Council for Registered Ethical Security Testers) and the Bank of England.

Combining government views with industry voices, the keynote speeches promise to reflect a balanced perspective of the cyber security landscape. Ciaran Martin and Iain Lobban of GCHQ will speak, along with Rt. Hon. Francis Maude MP on behalf of the Cabinet Office. Bringing industry views are Kathy Warden of Northrop Grumman Information Systems and Symantec’s Samir Kapuria, while Lionel Barber, editor at the Financial Times, will be chairing a panel session.

Streams

Aside from the conference, delegates have the opportunity to observe four streams, organised as collective panels between industry, government and CESG.

The first stream illustrates the challenges of globalisation for the security industry, with issues from manufacturing, international trade and what constitutes an acceptable security promise from vendors. Also included are a comparative look at the cloud service providers, national and international context, and a talk from CESG on new cloud security principles.

The second stream addresses the problem of an ever-changing threat landscape for Government, industry and citizens, by looking at information sharing across governmental departments. Delegates will also have the chance to hear updates on the Defence Cyber Protection Partnership.

Stream three looks at the Secure by Default strategy and features Chemring Technology Solutions as a compelling case study on secure voice communications.

The fourth stream brings Andrew Gracie from the Bank of England and Ian Glover, CREST President, together to explain the joint efforts behind CBEST and its benefits to risk management. Atkins debates the critical vulnerabilities faced by ICS (Industrial Control Systems). Finally, one of the most acute questions in cyber security today, “Why don’t system users simply follow the rules?”, is discussed by Prof. Angela Sasse in the context of psychology and human behaviour. Dr. Emma Philpott of the Malvern Cyber Security Cluster concludes the session with a speech on the full leverage that SMEs can exercise in the supply chain.

Exhibition

The exhibition does not fall short of great industry names either. With exhibitors such as BAE Systems, Surevine, Blue Coat Systems, Blackthorn, Symantec, Nexor and Skyscape, delegates and public sector officials will have the opportunity to find the most up-to-date tools and solutions available in the industry.


Wednesday 11 June 2014

Paws Studio Review

By Jim Halfpenny 

About the Author 


Jim is an experienced IT practitioner with 14 years' experience in both academia and industry, working with renowned companies including British Airways, Oracle, BSkyB and Cloudera.

Whether you see compliance as a burden or an aspiration, we are frequently mandated to meet a certain set of security requirements around our information assets. One important aspect is being able to demonstrate to yourself and to others that your systems meet the criteria set by your compliance regime. How do you ensure that your systems are compliant with your own policies or those mandated by compliance standards? A programme of auditing your systems will help you understand the state of your estate.

Titania’s Paws Studio provides a means to audit Windows and Linux systems and produce compliance reports against a defined set of policies. It sets out to provide clear and detailed reports of a system’s level of compliance. Policy templates are editable, and Paws Studio comes with predefined templates based on established policies and best practice including PCI, SANS and DoD STIG.

Policy templates are essentially a group of compliance audit checks built from the check library provided by Paws Studio. Checks range from high-level tests such as the presence of antimalware software right down to individual file permissions and registry settings.

There are two ways of creating and customising policy templates. The first is a wizard that guides you through creating your policy. Here you define the rules that comprise your policy by clicking through a series of screens and selecting checks from the library. The interface is straightforward and self-explanatory, and it is a great tool for less advanced users. However, the more technically minded user might find it time-consuming and prefer to use the supplied Policy Editor instead, which is undoubtedly the more powerful tool.

The Policy Editor provides a tree layout of your policy, giving you a bird’s-eye view and the ability to navigate quickly through the rules.

In addition, clicking on the Advanced tab gives you a syntax-highlighted view of the raw policy XML. Whichever tool you choose, the result is an XML file defining the compliance checks for your policy and the metadata used to generate the final compliance reports.



Once you have your policy defined, it’s time to audit your systems. In order to compile a report you need the compliance audit data collected from a machine. At this point you have three options. You can choose to audit the local machine where Paws Studio is installed. You can also audit a system over the network; to do this you will need valid administrator credentials on the remote system. Paws Studio will scan the local network for hosts to audit, or you can specify the IP addresses of the machines in scope.





The third option is to use the portable data collector software, a small executable that can be run from a thumb drive. This is particularly useful where you need to audit a system that is not on the network or is air-gapped from your audit workstation. Run the Data Collector, choose an audit policy and it will create a .paws file with the audit results.

Once you have collected your audit data you can produce a report on the audited system. Reports contain the result of each test on the system as well as summary charts showing the percentage of tests passed and a breakdown of failed tests by severity. Paws Studio creates a compliance audit report that can be saved as an HTML, PDF, PostScript or Microsoft Word document. CSV and XML formats are also available, so you can feed machine-readable reports into other reporting systems or build your own applications to consume your compliance data.



Paws Studio is available for Windows, Mac OS X and various flavours of Linux, and currently supports auditing of Windows and Linux systems. The software is pitched at the SME market, which could be priced out of enterprise-grade auditing software and is unlikely to benefit from the bells and whistles those tools provide. If you need a cost-effective and easy-to-use compliance reporting tool, Titania’s Paws Studio certainly merits a second look.

Monday 9 June 2014

Paws Studio Walkthrough

by Alen Damadzic (Software Developer, Titania)

About the Author

Alen is a key member of the technical team and is the lead developer of the Paws Studio compliance auditing software. Since joining Titania as a computing graduate three years ago, Alen’s knowledge of software development and cyber security has grown with the company, and he now uses this knowledge to support and train new members of the ever-growing development team.

Paws Studio is a compliance auditing tool for servers, workstations and other Windows or Linux based systems. At a basic level, creating a compliance report in Paws Studio can be as simple as selecting an audit policy and clicking go. However, behind the scenes, Paws Studio is performing a number of different processes in order to determine what needs to be checked, collecting the data, comparing the collected data against a policy and finally creating a report. This article provides a walkthrough of those processes to enable you to create truly effective and thorough custom policies to audit against.


Figure 1. Paws Studio audit process

A typical Paws Studio audit is a two-step process. The initial step is to collect the data for the audit and the second is to create the report by comparing that data against a compliance list (see Figure 1).

Collecting Audit Data


Data, such as password policy settings, is collected using a data collector. On Windows, the data collector is a small native program that reads the registry, file permissions and so on. The data collector does not need to be installed on the system being audited and requires nothing else to be installed there. On Linux systems the data collector is a shell script.

The data collector only collects what is required to create the report. Those audit parameters are specified in a policy file, which we will come back to later.

Figure 2. Report creation methods

When you select to create a new report in Paws Studio (see Figure 2), it will give you the option to add all the systems that you want to audit (local and remote). Paws Studio will then deal with executing the data collector for you and retrieve the results. It is important to note that during this process, Paws Studio will tidy up after itself, so no audit files will be left on the audited system.

Figure 3. Manual data collector option

It is also possible for you to run the data collector yourself on various systems and provide Paws Studio with the collected data; this is shown as the “Manual” option (see Figure 3).

To obtain the latest data collector so that you can perform the audit yourself, select the “Export Collector” option from the “Utilities” menu. You will also need a copy of the audit policy file for the data collector. By default on a Windows system the policy files are stored in “C:\Program Files\Paws Studio\XML”. You will find policy files for PCI, STIG, SANS, and others.

The data collector can be executed from the command line on both Windows and Linux systems. This gives you the ability to script the software so you can automate the audit data collection process.

The Audit Policy


Figure 4. Audit policies

When you create a compliance audit report in Paws Studio you have to select an audit policy that you want to check compliance with. It could be a PCI policy, STIG or others. The policy that you check compliance against when producing a Paws Studio report is stored in a specially formatted XML file.

Although Paws Studio is supplied with a number of pre-defined audit policies, you can create your own. You could use your favourite XML editor to create an audit policy file, but Paws Studio also includes a policy editor.

The audit policy editor has two modes of operation, a wizard mode and editor mode (see Figures 5, 6). The wizard mode is designed to easily enable you to create your own new audit policy, or edit an existing one, and guide you through the process. The editor mode is more suited for advanced users and editing existing policies.

Figure 5. Policy editor: editor mode

Figure 6. Policy editor: wizard mode

Figure 7. Paws Studio Settings

Customizing an Audit Report


Your audit reports can be customized to change the company name, logo, classification and so on. If you want to override the default Cascading Style Sheet (CSS) there is even an option to do that.

Some key customization options, such as the “Policy Editor”, “Authorized Software” and “Authorized Startup Items”, contain the lists of what is determined to be authorized or not during those particular checks.

The “Reporting” options include an “Interactive Mode” setting that will cause Paws Studio to potentially ask you some questions during an audit. For example, some checks may require a physical analysis, such as “is the server room door locked?”.

An Audit Walkthrough

Figure 8. Paws Studio main frame

Now that we have highlighted the key components of a Paws Studio audit, producing a report with all the available options is straightforward.

Select the “Create Report” option (see Figure 8).

Figure 9. Report creation methods

Select what you want to audit (see Figure 9).

“Local” will enable you to perform an audit of your local machine.

“Network” will enable you to audit other computers on the network. You may need to specify a username and password.

“Manual” will allow you to add manually collected audit data.

Figure 10. Audit policies

Select the audit policy that you are interested in. You can select multiple audit policies or specify your own using the “Import Policy” button (see Figure 10).

Click on “Create Report”.

Then you can read your report and save it out to a number of different formats such as HTML, Word, PDF, CSV and others.

Conclusion


This article has delved into what goes on behind the scenes of Paws Studio. By walking you through the key processes involved in creating your own compliance reports, it should enable you to get the most out of the software.

Friday 6 June 2014

Titania at the Official Cyber Essentials Scheme Launch

Andy Williams (Titania's CSO) was present yesterday, at the invitation of the office of Rt. Hon. David Willetts MP, Minister of State for Universities and Science, for the official launch of the Cyber Essentials Scheme. The event was hosted by the ICAEW (Institute of Chartered Accountants in England and Wales) and aimed to educate companies on the benefits of adopting the scheme and how best to apply it to their businesses.


Cyber Essential Scheme Launch. Credits: @ICAEW

The scheme, which stands as a guidance and certification reference point, will work alongside other cyber security accreditation bodies (such as the Information Security Forum or British Standards Institution). As such, businesses will be granted the opportunity to qualify for badges that would display how security conscious they are. 

Although the government announced it does not intend to impose legal requirements, it has stated that starting on October 1st, all suppliers bidding for public sector contracts that involve handling personal and sensitive information will need to be Cyber Essentials certified. Early adoption by a few high-profile names such as BAE Systems, KPMG and Barclays shows that the scheme was received with enthusiasm. The insurance industry is also keen to support the integration of the scheme into its standards.

The scheme is overseen by CREST, the not-for-profit organisation that represents and certifies the information security industry, which collaborated with CESG to develop the assessment framework for the scheme. For those interested, badges are already accessible: IASME offers a self-assessment path and CREST has a two-level accreditation available.

Among information security professionals, reactions were positive but at times reserved. The general consensus was that while the scheme is great for getting the basics of cyber security into place, sustained efforts are needed.

Peter Wood observes that this is certainly ‘better than nothing at all’, as it addresses the lack of cyber security education for small to mid-sized businesses, which could really benefit from governmental help. Other experts agree that while it is a good starting measure, it shouldn't be seen as a complete solution and, in order to achieve noticeable results, the scheme needs continuous refinement in the long term.

Andy Williams thinks that "building on the government's '10 Steps to Cyber Security' launched in 2012, the Cyber Essentials Scheme is a useful next step in raising awareness of basic cyber hygiene standards that, if met, can help businesses protect themselves against cyber attacks. It will be interesting to see how many companies pursue the certification. The government's stated intention to ultimately require all of its suppliers to be CES certified will certainly help to encourage the adoption of the scheme across the UK."

It has been reported that the framework does not yet include guidance around business orientated issues such as business management, IT governance or employee awareness. Organisations would find it useful to have one source that is trusted to be up to date and reliable in these areas to help curb confusion. 

The Cyber Essentials Scheme lays down a good basic foundation and the legislative side gives it a more determined approach, suggesting that the Government is starting to recognise cyber security as a major national issue. The Queen’s Speech in the Houses of Parliament saw the proposal of 11 new laws, including a ‘Serious Crime Bill’ which suggests appropriate jail sentences for cyber crime in order to fully reflect the damage inflicted by a cyber attack. 



Monday 2 June 2014

CEO in the Spotlight: Interview with Ian Whiting

by PenTest Team

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. 

In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 60 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

Hello Ian, please tell us a few words about Titania.

Titania was founded with the aim of developing easy to use security auditing software that performs a detailed analysis of systems that otherwise would require specialist knowledge. The software that we have released to date has assisted both government and leading businesses in better securing their networks. In the process, Titania has gained critical acclaim from leading industry analysts and several awards.

Since opening our first office in December 2010, Titania has experienced considerable growth. We now supply our products directly, and through a network of global partners, to organizations in over 50 countries worldwide. Our customers tend to be those that are security conscious, in sectors such as finance, defence, telecommunications, auditing and manufacturing.

What is it like leading a company like Titania and what are some of the challenges you face?

There are of course many technical and development challenges to running a business like Titania that specializes in cyber security auditing. However, as soon as we started trading our largest problem was responding to our customers’ requests to purchase the software and keep up with the demand for new features and functionality. In fact our largest challenge to date has been to manage the growth of the company. 

We are always looking to keep ahead of the competition and we have decided on a plan to achieve that goal through the technical capabilities of our products rather than through our company's marketing arm. So although we sometimes have a difficult time communicating our message, our products speak for themselves.

Do you offer any professional services?

We do not provide any professional services at present, though we are always continuing to review that situation. So we may add professional services at a later stage, both directly and through our network of global partners.

Users of our software do not require training services as one of our development goals was always to make our products as easy to use as possible. I believe we have succeeded in that goal. I have personally seen non-technical people produce detailed and complex security audit reports using our software with no previous experience with the tool. This being said, we are not resting on our laurels and we continue to look at ways to further improve user interaction with our products.

How often do you refresh (update) your products to meet the latest security challenges and threats?

Our products are continually being updated and are evolving to meet the requirements of our customers and the new issues that emerge in the industry. Typically each of our products has a short release cycle with updates being made available monthly.

Can you mention some of your top-selling products?

Nipper Studio is our company’s flagship product. It takes the manual process of reviewing how network switches, routers and firewalls have been configured and automates it. This is not done using the intrusive method of scanning a network device, which would not give you the full picture of how the device has been setup, but by analysing their native configuration.

The reports that are produced by Nipper Studio can contain security audit findings, compliance reporting, configuration reporting and more. The reports produced are equally detailed and specific; they were designed with technology that writes the report just like a human would. This is in contrast to traditional computer report writing technology that simply joins pre-written paragraphs of text together and rarely accurately describes how something specific has been configured.

Our most recent product, Paws Studio, is a Windows and Linux compliance product for servers, workstations and cloud-based systems. It was developed based on very specific security requirements of our customers who work in highly secure environments, with very sensitive information. They needed a solution that could be run without installing software on the audited system. Therefore we built Paws Studio to be able to run over the network, on the local system or offline with no connection to the audited system.

Although we have pre-configured Paws Studio with a number of different compliance check lists, you can define your own compliance checklist within the product. We have developed a Policy Editor that enables you to either modify one of the pre-defined compliance lists or create one of your own from scratch.

All of our products have been designed to be integrated with bespoke and third-party systems, including continuous monitoring setups. They can easily be integrated using a scriptable interface and you can export the report data in a variety of different formats. We also release our products with multi-platform support covering Microsoft Windows, Apple Mac OS X, Red Hat Linux, Ubuntu, Fedora and so on.

Our customers are very important to us and their needs play a key role in the development of all of our products. We base a lot of our development plans around their feedback and requests.

Where do you see network security heading in next few years? What are some of your predictions?

I see that security compliance is going to play an ever larger role within the industry than it does today. It is great to see progress towards an ever improving security baseline, but it also saddens me to see many organizations depending solely on compliance as the means to being secure. It is why I believe it is important that the security industry, in addition to enhancing security compliance lists, highlights the fact that being compliant does not mean you are secure. Unfortunately I can see there will continue to be security breaches in organizations who manage security risks with compliance instead of striving to ensure a truly secure environment. You can almost picture the victim company’s statement now. It would read something along the lines of: “The company had met their compliance standards and we are now reviewing our current operating practices to ensure how best future breaches could be avoided”.

Nipper Studio is fairly popular in the network security industry; can you give us some historical background on that product?

I have a background as a penetration tester and regularly performed manual assessments of various network devices. A proper assessment of a network device is not a five minute task; each aspect of how a device can be configured needs to be properly analysed and any potential security risks highlighted. Anyone who is simply reviewing firewall rules is not doing a thorough job. It is also a task that requires a high level of knowledge about the device being reviewed. It seemed to me that this is exactly the type of task that is suitable for automation.


It is worth noting that although penetration testers are typically both highly skilled and adaptable, they cannot be expected to have in-depth knowledge of every system they come across. The same is also true of the network administrators who manage those systems; they may not have the in-depth security background required to identify potential weaknesses in their systems. Nipper Studio is exactly the type of solution that could help each side, giving penetration testers device-specific assistance and helping network administrators identify potential security weaknesses.

Although Nipper Studio originally started life simply identifying a limited number of security weaknesses with Cisco configurations, it soon grew by adding support for more devices, identifying more security weaknesses and eventually writing the security audit report for you.

At Titania, how do you strive to achieve top-quality software? What kind of quality control do the products go through?

This is a very challenging aspect of developing a product such as Nipper Studio. The number of moving variables involved with the development process is huge. We support a large number of different devices, the manufacturers of which are constantly updating and revising their platforms. Plus the vulnerabilities in each platform are forever evolving.

We maintain a growing test environment that includes the different devices that we support, plan to support and some others that may never get added to Nipper Studio. These are all used during the development and testing process, together with different firmware versions. To help manage the development plan for this we employ a development and tracking system that enables us to manage all these variables together with improvements suggested by our customers. Each developer and tester knows from our tracking system what tasks they need to be working on next.

Nipper Studio supports various Cisco devices and some people may be under the impression it only supports Cisco devices. What would you like to say about that?

Nipper Studio does support a wide range of Cisco devices; it was originally developed with only Cisco support and it is used by Cisco. So it is easy to understand how historically Nipper Studio could be mistaken for supporting only Cisco devices. However, the latest versions of Nipper Studio support over 100 different devices from different manufacturers and are used internally by a growing number of those manufacturers. Even a network that predominantly uses devices made by a single manufacturer will undoubtedly have a number of network devices made by someone else. We are often approached by customers asking for us to add support for unusual systems and devices. The network devices that we see deployed in data centers have evolved over time with increasing deployments of some devices and the reduction in others. We have developed a plugin-based architecture for Nipper Studio to help us adapt to those changes, enabling us to quickly develop, test and deploy support for new devices.

Very often clients complain that they are not offered good product/customer support. How do you ensure good customer support?

It was important for us to achieve our ISO 9001 accreditation as it helps us to ensure that every customer receives the same high standard of support from the point that they first engage with the company to when they receive the product and the subsequent support process that follows. We believe that every customer deserves great customer service and technical support and we offer these services free of charge to every one of our customers. Our ISO 9001 conformance not only ensures that all of our staff deliver the highest level of support but also promotes continuous improvement throughout the company. We achieve this through collecting and reviewing customer feedback and auditing our customer care processes.

Thank you for the interview