Showing posts with label CREST. Show all posts

Monday, 16 June 2014

IA14 The Government's Information Assurance Event

Titania is attending IA14, the ‘government’s flagship event on cyber security and information assurance’. Hosted at the Park Plaza Westminster Bridge Hotel, London, over 16 – 17 June 2014, the event is designed to provide a platform for discussion across government IT, the public sector, industry and academia. The debates will focus on how the UK can become an international authority in information security.

Having recently attended information security conferences on both sides of the Atlantic, Titania’s delegate, Andy Williams, will be able to share relevant insights with corporate and public sector representatives.

Source: cesg.gov.uk


Conference

IA14 comes shortly after the launch of the Cyber Essentials Scheme, which is likely to be a point of interest at the conference. Another recent initiative in the UK’s cyber security policy that IA14 participants can expect to hear about is the CBEST framework, established by CREST (Council of Registered Ethical Security Testers) and the Bank of England.

Combining government views with industry voices, the keynote speeches promise a balanced perspective on the cyber security landscape. Ciaran Martin and Iain Lobban of GCHQ will speak, along with Rt. Hon. Francis Maude MP on behalf of the Cabinet Office. Bringing industry views are Kathy Warden of Northrop Grumman Information Systems and Symantec’s Samir Kapuria, while Lionel Barber, editor of the Financial Times, will chair a panel session.

Streams

Aside from the conference, delegates have the opportunity to follow four streams, organised as joint panels between industry, government and CESG.

The first stream illustrates the challenges of globalisation for the security industry, covering issues from manufacturing and international trade to what constitutes an acceptable security promise from vendors. Also included are a comparative look at cloud service providers in a national and international context, and a talk from CESG on its new cloud security principles.

The second stream addresses the problem of an ever-changing threat landscape for government, industry and citizens by looking at information sharing across government departments. Delegates will also have the chance to hear updates on the Defence Cyber Protection Partnership.

Stream three looks at the Secure by Default strategy and features Chemring Technology Solutions as a compelling case study on secure voice communications.

The fourth stream brings Andrew Gracie from the Bank of England and Ian Glover, CREST President, together to explain the collaborative effort behind CBEST and its benefits for risk management. Atkins discusses the critical vulnerabilities faced by ICS (Industrial Control Systems). Finally, one of the most acute questions in cyber security today, “Why don’t system users simply follow the rules?”, is discussed by Prof. Angela Sasse in the context of psychology and human behaviour. Dr. Emma Philpott of the Malvern Cyber Security Cluster concludes the session with a talk on the leverage that SMEs can exercise in the supply chain.

Exhibition

The exhibition does not fall short of big industry names either. With exhibitors such as BAE Systems, Surevine, Blue Coat Systems, Blackthorn, Symantec, Nexor and Skyscape, delegates and public sector officials will have the opportunity to see the most up-to-date tools and solutions available in the industry.


Friday, 6 June 2014

Titania at the Official Cyber Essentials Scheme Launch

Andy Williams (Titania's CSO) was present yesterday, at the invitation of the office of Rt. Hon. David Willetts MP, Minister of State for Universities and Science, for the official launch of the Cyber Essentials Scheme. The event was hosted by the ICAEW (Institute of Chartered Accountants in England and Wales) and aimed to educate companies on the benefits of adopting the scheme and how best to apply it to their businesses.


Cyber Essential Scheme Launch. Credits: @ICAEW

The scheme, which serves as a guidance and certification reference point, will work alongside other cyber security accreditation bodies (such as the Information Security Forum or the British Standards Institution). Businesses will be able to qualify for badges that display how security conscious they are.

Although the government announced that it does not intend to impose legal requirements, it has stated that from 1 October all suppliers bidding for public sector contracts that involve handling personal and sensitive information will need to be Cyber Essentials certified. Early adoption by a few high-profile names such as BAE Systems, KPMG and Barclays shows that the scheme was received with enthusiasm. The insurance industry is also keen to support the integration of the scheme into its standards.

The scheme is overseen by CREST, the not-for-profit organisation that represents and certifies the information security industry, which collaborated with CESG to develop the assessment framework for the scheme. For those interested, badges are already accessible: IASME offers a self-assessment path and CREST offers a two-level accreditation.

Among information security professionals, reactions were positive but at times reserved. The general consensus was that while the scheme is a good way to get the basics of cyber security in place, sustained effort is needed.

Peter Wood observes that this is certainly ‘better than nothing at all’, as it addresses the lack of cyber security education for small to mid-sized businesses, which could really benefit from government help. Other experts agree that while it is a good starting measure, it shouldn't be seen as a complete solution, and in order to achieve noticeable results the scheme will need continuous refinement in the long term.

Andy Williams thinks that "building on the government's '10 Steps to Cyber Security' launched in 2012, the Cyber Essentials Scheme is a useful next step in raising awareness of basic cyber hygiene standards that, if met, can help businesses protect themselves against cyber attacks. It will be interesting to see how many companies pursue the certification. The government's stated intention to ultimately require all of its suppliers to be CES certified will certainly help to encourage the adoption of the scheme across the UK."

It has been reported that the framework does not yet include guidance on business-oriented issues such as business management, IT governance or employee awareness. Organisations would find it useful to have a single source in these areas that is trusted to be up to date and reliable, to help curb confusion.

The Cyber Essentials Scheme lays down a good basic foundation, and the legislative activity alongside it suggests that the Government is starting to recognise cyber security as a major national issue. The Queen’s Speech in the Houses of Parliament saw the proposal of 11 new laws, including a ‘Serious Crime Bill’ which proposes jail sentences for cyber crime that fully reflect the damage inflicted by a cyber attack.



Friday, 23 May 2014

'A Day In The Life Of' a Penetration Tester - Interview with Ian Whiting

What do you know about the career of an ethical hacker?


Source: ianhsutherland.com

The SANS Institute ranks penetration testing at no. 2 in its top 20 coolest jobs in information security, with the tagline: “You can be a hacker, but do it legally and get paid a lot of money”. It is not surprising that this career path is becoming more and more attractive as the cyber world develops. The need for good infosec professionals is more acute than ever, but the career is still tucked away on techie boards or discussed on hacking forums in technical jargon; little is understood of it by the general public.

Once in a while, stories about this elusive career surface outside geeky magazines. Portrayed as veritable digital ninjas, the cyber security guys are shown in cellar-like environments, surrounded by a few machines and devices, talking about APTs, 0-day exploits and a number of acronyms that mean nothing outside the industry. Is this the wrong image of a penetration tester? Not necessarily, but it is certainly not the only side of it.

CREST, the certifying body for the penetration testing industry, came up with an initiative to better acquaint people with a career in information security. Taking advantage of the wide range of infosec professionals gathered for CRESTCon & IISP Congress 2014, CREST interviewed a number of industry representatives and put together a series of ‘A Day In The Life Of’ videos. With interviewees at various stages of their careers, the CREST videos provide a comprehensive overview of the job.

The interview below is an account from Titania’s CEO, Ian Whiting: how he started in cyber security, where it has brought him today and what advice he would offer to those looking to enter the industry:

More episodes from the CREST series on information security careers: ‘A Day In The Life Of’

Friday, 2 May 2014

Guide to the UK government cyber essentials scheme

First published in HelpNet magazine:

By Edwin Bentley (Senior Software Developer, Titania)
 
About the Author

Edwin joined Titania in 2011 and has since become a key member of the development team, with primary involvement in the advancement of both the Nipper Studio and Paws Studio software. He has a keen interest in information security and the role that the industry will play in the future advancement of technology.

The results of the latest cyber threat reports and surveys have labelled 2013 the year of major breaches. The media naturally focuses on the big stories of massive data breaches or coordinated state attacks, which leave in their wake a trail of lawsuits, customer data losses and political conflicts. However, that is not the entire spectrum of the cyber security landscape, nor does it reflect the full damage of attacks in cyber space. The SME landscape has its own perils and suffers just as much as the large corporate domain. The difference is that you don’t often hear about it.

Security and compliance are a sore subject for most small and medium-sized enterprises. PCI-DSS, for example, can be a long and painful process for small retailers, who are left feeling understandably frustrated at the end of an 80-page document heavy with technical jargon. The next challenge is the abundance of guidance and industry bodies, with no single place to check against a simple set of guidelines.

Currently the UK cyber security environment is not regulated by compulsory compliance policies. While industry-specific frameworks are in place (PCI-DSS for card payments, DISA STIGs for the US military, NERC CIP for the North American energy sector), no clear guidance exists for ensuring that organisations operate in a cyber-safe manner, for their own benefit as well as that of their customers.

The Cyber Essentials Scheme, the new best-practice guidance issued by the UK government in response to industry demand for a better cyber security policy for the business landscape, was released on 7 April 2014. The project follows a call for evidence which concluded that cyber security standards should be internationally recognised, promote international trade, allow systems to exchange and use information efficiently, and be auditable.

The 5 points of the Cyber Essentials Scheme:

1. Boundary firewalls and internet gateways

The objective is to restrict unauthorized access from the internet by configuring firewall rules, internet gateways or other network devices.

What to look for?

Changed default admin passwords, reviewed firewall rules, blocking of vulnerable services (such as NetBIOS, SMB, TFTP and RPC), regular updates to the firewall rules and restricted access to the admin interface of the boundary firewall should all help to secure inbound and outbound network traffic.

Case in point

The Target breach was achieved through a third-party vendor. The attackers obtained the credentials of a contractor who managed environmental controls remotely; because that contractor's access was not limited to the systems it needed and the POS network was not isolated from it, it was only a matter of time until the attackers reached the payment processing systems across the entire network.
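The checks above (risky services exposed, the admin interface reachable from anywhere, and third-party access that is wider than the hosts and ports it needs) can be applied mechanically to a ruleset. The script below is an added example and is not code from the article or from Titania's products; it uses a constructed ruleset in a simplified, vendor-neutral syntax, and the management address, admin ports, admin network and internal address space are assumptions for the example.

```python
"""Audit a boundary-firewall ruleset against the checklist above: risky
services reachable from outside, the firewall's own admin interface exposed,
and third-party access that is wider than the hosts and ports it needs."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Services the checklist says to block at the boundary, keyed by port.
RISKY_SERVICES = {69: "tftp", 135: "rpc", 137: "netbios-ns",
                  138: "netbios-dgm", 139: "netbios-ssn", 445: "smb"}

# Assumptions for this example: the firewall's management address, the
# ports its admin interface listens on, the network administrators work
# from, and the address space considered internal.
MGMT_ADDRESS = ipaddress.ip_address("192.0.2.1")
ADMIN_PORTS = {22, 443}
ADMIN_NETWORK = ipaddress.ip_network("10.0.99.0/24")
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed ruleset in a simplified, vendor-neutral syntax:
#   <permit|deny> <proto> <src> <dst> <port|any>
RULESET = """
permit tcp any 192.0.2.10 443
permit tcp any 192.0.2.10 445
permit udp any 192.0.2.20 69
permit tcp 203.0.113.0/24 10.10.0.0/16 any
permit tcp any 192.0.2.1 22
permit tcp 10.0.99.0/24 192.0.2.1 443
deny ip any any any
"""


@dataclass
class Rule:
    line: int
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    port: Optional[int]                   # None means "any"


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(text: str) -> list[Rule]:
    """Parse the simplified syntax; '#' starts a comment, blank lines are skipped."""
    rules = []
    for number, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        rules.append(Rule(number, action, proto, _net(src), _net(dst),
                          None if port == "any" else int(port)))
    return rules


def is_internal(net: Optional[ipaddress.IPv4Network]) -> bool:
    return net is not None and any(net.subnet_of(i) for i in INTERNAL_NETWORKS)


def audit(text: str) -> list[str]:
    """Return one finding string per rule that fails a check."""
    findings = []
    for r in parse_rules(text):
        if r.action != "permit":
            continue
        src, dst = r.src or "any", r.dst or "any"
        external_src = not is_internal(r.src)
        # 1. Vulnerable service permitted inbound from outside.
        if r.port in RISKY_SERVICES and external_src:
            findings.append(f"line {r.line}: {RISKY_SERVICES[r.port]} ({r.port}) "
                            f"permitted from {src} to {dst}; block at the boundary")
        # 2. Firewall admin interface reachable from outside the admin network.
        if (r.dst is not None and MGMT_ADDRESS in r.dst
                and (r.port is None or r.port in ADMIN_PORTS)
                and not (r.src is not None and r.src.subnet_of(ADMIN_NETWORK))):
            findings.append(f"line {r.line}: admin interface {MGMT_ADDRESS} reachable "
                            f"from {src}; restrict to {ADMIN_NETWORK}")
        # 3. Outside party allowed onto a whole network on any port (the Target pattern).
        if external_src and r.port is None and (r.dst is None or r.dst.prefixlen < 32):
            findings.append(f"line {r.line}: {src} may reach all of {dst} on any port; "
                            f"limit third-party access to the hosts and ports it needs")
    return findings


if __name__ == "__main__":
    for finding in audit(RULESET):
        print(finding)
```

On the constructed ruleset the script flags rules 2 to 5 and passes the HTTPS rule and the admin-network rule. A real audit would feed it the exported configuration of the actual device, which means writing a parser for that vendor's syntax in place of `parse_rules`.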

2. Secure configuration

Is default mode safe mode? Whether it is a computer, a network device or a phone, the “out-of-the-box” configuration is never safe, which is why it must be hardened, including stronger authentication, before use.

What to look for?

Remove unnecessary user accounts (especially any with special access privileges) and unnecessary pre-installed software, change default passwords, disable the auto-run feature so that code cannot execute without the user's knowledge and consent, and install a personal firewall.

Case in point

When the Winter Olympics were taking place in Sochi, NBC News ran a story on how a reporter’s phone and test computers were hijacked ‘before we even finished our coffee’. The story was later debunked: the infections resulted from a combination of risky user behaviour (clicking unknown links, visiting suspicious websites) and default security settings that had been intentionally left in place on the two test laptops.

3. User access control

User accounts with special access should be assigned only to authorised individuals and granted only the minimum level of access to applications, computers and networks. Managing user privilege is essential in order to avoid abuse: privilege abuse accounts for 88% of insider threat actions, according to the latest Verizon DBIR (Data Breach Investigations Report).

What to look for?

Accounts should be subject to approval and restricted to need-to-know access; details of special access clearance should be documented and reviewed, to maintain a clean record and support auditing. Admin accounts should be used only for administrative tasks and kept away from internet browsing and email. Authentication should require a unique username and a strong password, changed regularly. Special privilege accounts should be removed or disabled promptly when no longer needed.

Case in point

Last year’s most prominent case of user privilege abuse was the U.S. government contractor Edward Snowden. Using unauthorised SSH keys and falsified digital certificates, Snowden managed to access and steal NSA documents without setting off alarms across the network, and the NSA is not an isolated case: this type of practice has already been reported in the wild. In the context of trust abuse and special access threats, every enterprise is a sitting target.
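The "documented and reviewed" requirement in the checklist above, and the unauthorised SSH keys in the case in point, come together in one routine control: reconciling the keys actually present in a privileged account's authorized_keys file against the access-approval record. The script below is an added example, not code from the article or from Titania; the key material, the approval record and the audit date are constructed for the example (the 32-byte key bodies are placeholders, not real keys). It identifies keys by their OpenSSH-style SHA256 fingerprint, so a comment that claims a trusted owner proves nothing on its own.

```python
"""Reconcile the keys in an authorized_keys file against an approval record.
Keys are identified by their OpenSSH SHA256 fingerprint (base64 of the
SHA-256 of the key blob, padding stripped), never by their comment."""
import base64
import hashlib
import struct
from datetime import date

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed "today" so the example is reproducible.
AUDIT_DATE = date(2014, 6, 6)


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_dummy_ed25519_line(fill: int, comment: str) -> str:
    """Build an authorized_keys line from constructed key material.
    The 32 key bytes are a placeholder for this example, not a real public key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_key(line: str):
    """Return (key_type, fingerprint, comment, options) for one authorized_keys line."""
    fields = line.split()
    for i, token in enumerate(fields):
        if token in KEY_TYPES and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            (length,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + length].decode() != token:
                raise ValueError("blob type does not match declared key type")
            digest = hashlib.sha256(blob).digest()
            fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            return token, fingerprint, " ".join(fields[i + 2:]), " ".join(fields[:i])
    raise ValueError("no public key found on line")


# Constructed authorized_keys content for a privileged account.
AUTHORIZED_KEYS = "\n".join([
    make_dummy_ed25519_line(0x11, "alice@admin-jump"),
    'from="10.0.99.0/24" ' + make_dummy_ed25519_line(0x22, "bob@backup-host"),
    make_dummy_ed25519_line(0x33, "alice@admin-jump"),  # claims alice, never approved
])

# Constructed approval record: fingerprint -> owner and next review date.
APPROVED = {
    parse_key(make_dummy_ed25519_line(0x11, ""))[1]:
        {"owner": "alice", "review_due": date(2014, 9, 1)},
    parse_key(make_dummy_ed25519_line(0x22, ""))[1]:
        {"owner": "bob", "review_due": date(2014, 3, 1)},
}


def audit_keys(text: str, approved: dict, today: date = AUDIT_DATE) -> list:
    """Return (line_number, status, fingerprint, comment) for each key found."""
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        _, fingerprint, comment, _ = parse_key(line)
        record = approved.get(fingerprint)
        if record is None:
            status = "unapproved"
        elif record["review_due"] < today:
            status = "review-overdue"
        else:
            status = "ok"
        results.append((number, status, fingerprint, comment))
    return results


if __name__ == "__main__":
    for number, status, fingerprint, comment in audit_keys(AUTHORIZED_KEYS, APPROVED):
        print(f"line {number}: {status:15} {fingerprint} {comment}")
```

The third key is reported as unapproved even though its comment says "alice"; the second is approved but its review date has passed. The option parsing is deliberately simple: options containing quoted spaces (for example `command="a b"`) would need a proper tokenizer before the key-type token is located.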

4. Malware protection

Viruses, worms and spyware can infect any device with an internet connection, so every organisation should run malware protection software.

What to look for?

Malware protection software should be configured to scan files automatically on access (when downloading or opening files, or accessing web pages) as well as to run regular scheduled scans. Updates should be installed regularly, either manually or through centralised configuration. Website blacklisting should be employed to block connections to known malicious sites.

Case in point

The Google Drive scam was a very convincing phishing campaign targeting Google Docs and Google Drive users. It consisted of a simple email with a request to view a shared document on Google Drive. The link led to a fake Google login page which looked almost identical to the real one, all the more convincing because the fake page was hosted on Google’s own servers and was therefore served with Google’s SSL certificate. Once the user entered their credentials, a PHP script stored them on a compromised server.

With a configured list of blacklisted websites and up-to-date detection software, this type of scam would pose much less of a problem to an organisation. One caveat: because the page was hosted on Google's own domain, a blacklist that works at the domain level cannot block it without blocking Google itself; the blacklist entry has to target the specific URL, which in turn depends on the phishing page having already been reported.
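The difference between the two kinds of blacklist entry is easy to get wrong, so the following is an added example (not code from the article or from any real blacklist) of a URL filter that normalises the URL and then checks it against a domain list, which also catches subdomains, and against a URL-prefix list, which is what it takes to block a lure hosted on an otherwise legitimate service. All hostnames and URLs in it are constructed placeholders.

```python
"""Check a URL against two kinds of blacklist entry: whole domains (matched
with their subdomains) and specific URL prefixes."""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed blacklist entries; the hostnames are placeholders, not real sites.
DOMAIN_BLACKLIST = {"phish.example.net", "evil-docs.example"}
# A specific hosted path on an otherwise legitimate file-hosting service.
URL_PREFIX_BLACKLIST = {"files.example-cloud.com/host/abc123/"}


def normalise(url: str) -> tuple[str, str]:
    """Lower-case the host, drop userinfo, port and trailing dot, default the path."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lower-cased
    path = parts.path or "/"
    return host, path


def domain_blocked(host: str) -> bool:
    """True if the host itself or any parent domain is on the domain list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in DOMAIN_BLACKLIST for i in range(len(labels)))


def url_blocked(url: str):
    """Return which list matched ('domain' or 'url-prefix'), or None if allowed."""
    host, path = normalise(url)
    if domain_blocked(host):
        return "domain"
    if any((host + path).startswith(prefix) for prefix in URL_PREFIX_BLACKLIST):
        return "url-prefix"
    return None


# Constructed lure and benign URLs, with the expected verdict for each.
SAMPLES = {
    "http://login.PHISH.example.net:8080/drive": "domain",
    "https://files.example-cloud.com/host/abc123/login.html": "url-prefix",
    "https://files.example-cloud.com/host/legit-user/report.pdf": None,
    "https://docs.example-cloud.com/": None,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{url:60} -> {url_blocked(url)} (expected {expected})")
```

Note what the second and third samples show: blocking `files.example-cloud.com` as a domain would cut off the legitimate hosting service, so the entry has to be the specific path, and a lure at a fresh path on the same service passes until someone reports it.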

5. Patch management

All software is prone to technical vulnerabilities. Once discovered and shared publicly, these vulnerabilities are quickly exploited by cyber criminals or organised groups.

What to look for?

Ensure that software is licensed and supported so that it continues to receive updates. Updates and security patches should be installed in a timely manner. Software which is no longer supported should be removed from the computer or network.

Case in point

The end of support for Windows XP, announced as early as 2007, still came as an unpleasant surprise to dedicated users and cost-wary businesses. But remaining home users and organisations will have to migrate very soon: each time patches are released for the other versions of Windows, they point attackers to flaws that XP may share but will never have fixed.
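The three conditions in the patch-management checklist (supported, licensed, patched in time) can be checked from a software inventory. The script below is an added example, not code from the article or from Titania; the inventory, the product names other than Windows XP, the audit date and the 14-day patch deadline are assumptions constructed for the example (the deadline in force should be taken from the scheme's current requirements document). Windows XP's end-of-support date, 8 April 2014, is a matter of record.

```python
"""Check a software inventory against the patch-management checklist:
unsupported software still deployed, unlicensed software that cannot receive
updates, and available security patches left uninstalled past the deadline."""
from datetime import date, timedelta

# Assumed policy for this example: a patch is overdue 14 days after release.
PATCH_DEADLINE = timedelta(days=14)

# Constructed "today" so the example is reproducible.
AUDIT_DATE = date(2014, 6, 6)

# End-of-support dates. Windows XP's is a matter of record; "ServerOS 4"
# and its date are constructed for the example.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "ServerOS 4": date(2017, 4, 30),
}

# Constructed inventory, one record per host and product. 'latest_patch' is the
# release date of the newest security patch the vendor has published;
# 'installed_patch' is the release date of the newest one actually applied.
INVENTORY = [
    {"host": "pos-01", "product": "Windows XP", "licensed": True,
     "installed_patch": date(2014, 3, 11), "latest_patch": date(2014, 4, 8)},
    {"host": "web-01", "product": "ServerOS 4", "licensed": True,
     "installed_patch": date(2014, 5, 1), "latest_patch": date(2014, 5, 20)},
    {"host": "ws-07", "product": "OfficeSuite 9", "licensed": False,
     "installed_patch": date(2013, 10, 1), "latest_patch": date(2014, 2, 1)},
    {"host": "db-01", "product": "ServerOS 4", "licensed": True,
     "installed_patch": date(2014, 6, 2), "latest_patch": date(2014, 6, 2)},
    {"host": "app-02", "product": "ServerOS 4", "licensed": True,
     "installed_patch": date(2014, 5, 20), "latest_patch": date(2014, 6, 1)},
]


def audit_inventory(inventory: list, today: date = AUDIT_DATE) -> list:
    """Return (host, issue, detail) findings, one per failing record."""
    findings = []
    for item in inventory:
        host, product = item["host"], item["product"]
        eos = END_OF_SUPPORT.get(product)
        if eos is not None and eos <= today:
            findings.append((host, "unsupported",
                             f"{product} out of support since {eos}; remove or migrate"))
            continue  # no further patches will ever come, so the other checks are moot
        if not item["licensed"]:
            findings.append((host, "unlicensed",
                             f"{product} is unlicensed and will not receive updates"))
            continue
        if item["installed_patch"] < item["latest_patch"]:
            overdue_by = today - item["latest_patch"] - PATCH_DEADLINE
            if overdue_by > timedelta(0):
                findings.append((host, "patch-overdue",
                                 f"{product}: patch released {item['latest_patch']} still "
                                 f"missing, {overdue_by.days} days past deadline"))
    return findings


if __name__ == "__main__":
    for host, issue, detail in audit_inventory(INVENTORY):
        print(f"{host:8} {issue:14} {detail}")
```

On the audit date the script reports pos-01 (out of support), web-01 (a patch 17 days old, 3 days past the deadline) and ws-07 (unlicensed); app-02 is missing a patch too, but it is still inside the window and only appears if the audit is re-run two weeks later.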

A lifeline to SMEs

The butterfly effect in the cyber market needs even less than a delicate wing beat in Brazil; a weak admin password at a third-party vendor with peripheral access to a SCADA system can be enough to affect the energy grid of a mid-sized country.

The international affairs think-tank Atlantic Council, in association with Zurich Insurance Group, recently released a report which warns of parallels between the global cyber scene and the financial meltdown of 2008. It argues that ‘on the internet, it has been easier to attack than to defend’ because the internet was founded on trust, not security. As the internet became increasingly complex, highly interconnected and widely available, the risks escalated rapidly.

Source: security-centre.lancs.ac.uk
The report ends with best-practice recommendations that resonate with those found in the Cyber Essentials programme. As it stands, the UK has no national cyber security certification, no reference point to measure against and no single agreed guidance to look to. The Cyber Essentials initiative is the first step towards a one-for-all policy; the hope is that it will not come to represent yet another compliance headache for SMEs, but an actual support line for the business sector.

CREST, working with CESG (the information security arm of GCHQ), has developed an assessment framework which is now available for consultation. The full scheme, along with the assessment framework and the accreditation badge, will be available in summer 2014.