Tag Archives: Information Security

Bosch launches new information security services to protect against cyber attacks

The IT Security Expo and Congress 2019 takes place in Nuremberg from 8-10 October and experts from Bosch will be on hand on Stand 506 in Hall 10.1 to outline the company’s latest information security services for defending against cyber attacks.

Cyber criminals pose a threat to building security solutions. Today’s physical security systems are increasingly IP-based and run on the same networks as generic office and production IT systems.

“The growing use of IT, along with greater networks, is also making building security solutions potentially vulnerable to all of the same risks that plague the rest of the IT world, such as hacker attacks and malware,” explained André Heuer, who heads the information security operation at Bosch Building Technologies. “Particularly so in critical infrastructure, this interaction of IT and facility management makes it essential to find new ways in which to ward off cyber attacks. We want to help our customers expand their information security strategies to include physical systems.”


On that basis, Bosch is introducing new information security services to address security needs in conventional building security systems by erecting “cyber barriers”. The company’s portfolio now embraces three complementary components:

  • Information Security Consulting for designing tailored information security concepts to meet customers’ individual protection requirements
  • Security Operations Centre which manages vulnerabilities and information security incidents to ensure a consistently high level of security while complying with reporting requirements
  • IT Security Services which implement appropriate measures to protect building security solutions from cyber threats

All of the services are provided in close consultation with customers’ IT security officers. By offering these options, Bosch feels that it’s “raising the standard of information security in buildings to a new level”.


Filed under Risk Xtra

CREST bestows first lifetime Fellowships in recognition of outstanding achievements

CREST – the not-for-profit accreditation body representing the technical information security industry – has awarded its first lifetime CREST Fellowships in recognition of outstanding achievement or contribution to CREST and the technical information security industry in general.

“With support from those who hold CREST qualifications, CREST member companies and industry influencers, CREST has grown rapidly into an internationally recognised body with the highest levels of technical standards and governance, a strong Code of Ethics and a reputation for action and the ability to deliver,” explained Ian Glover, president of the organisation. “That’s why the introduction of the annual Fellowships is so important as they are a way of recognising and thanking individuals who’ve made a significant contribution to building CREST and professionalising the cyber security industry.”


In addition to the Fellowships awarded to CREST members, further awards have been presented to recognise contributions from industry, Government and academia. These included awards for Buck Rogers (CISO of the Bank of England), Chris Ensor and Harry W from the National Cyber Security Centre and a posthumous accolade for Stephanie Damon of the Cyber Security Challenge UK whose award was accepted on the night by Nigel Harrison. Special contribution awards were also given to Adriana Costa McFadden from CREST and Allie Andrews of PRPR.

This year’s ceremony and dinner took place at the Tanner Warehouse in Bermondsey, with Ian Glover presenting the awards alongside CREST’s chairman Mark Tuner and ex-chairman Paul Midian.

Other CREST fellows for 2017 include Abhijeet Udas, Alex Church, Andrew Davies, Arjun Pednekar, Daniele Costa, Dave Hartley, Dom Beecher, Dominic Chell, Ed Williams, Edward Torkington, Gabriel Caudrelier, Gary O’Leary-Steele, Gavin Jones, Gemma Moore, Geoff Jones, Greg Rudd (CREST Australia), Ian Lovering, John O’Meara, Jonathan Roach, Joseph Hart, Marcus Pinto, Mark Harrison, Mark Raeburn, Martin Law, Michael Woodhead, Paul Beechey, Paul Docherty, Paul Midian, Paul Vlissidis, Richard Dean, Rory McCune, Simon Clow, Stuart Criddle and Tobias Clarke.


Filed under Risk UK News

“Wireless security skills need to prepare for the IoT age” urges SANS Institute

The proliferation of new wireless communication technologies within consumer electronics and smart devices is overtaking the skills harboured within the information security industry. That’s the considered opinion of Larry Pesce, a leading expert in the field and a SANS Institute instructor.

“There’s a great deal of disparity between the security of the different wireless standards, and particularly so when you compare the 802 family that were predominantly built for business use and emerging technologies that came from the consumer landscape such as Bluetooth, Zigbee and Z-Wave,” explained Pesce, who co-authored the books entitled ‘Linksys WRT54G Ultimate Hacking’ and ‘Using Wireshark and Ethereal’.

“For example, Bluetooth has some solid maths around encryption, but many of the security decisions are left in the hands of the users which means things can go horribly wrong. Zigbee has a poor design for how it handles passphrase and replay packets which are highly vulnerable, while security in some of the proprietary formats like Z-Wave offers almost non-existent security.”


Pesce, who also develops real-world challenges for the Mid-Atlantic Collegiate Cyber Defence Challenge, is complimentary about newer wireless protocols such as 802.15.4 and Zigbee, which use baseline profiles to help deliver enhanced security, but comments: “The technology is probably ahead of the skill sets out in the field. The problem is also somewhat underestimated.”

Pesce also highlights the privacy issues that wireless-enabled devices are starting to hit against. “If we look forward, a large number of devices in the workplace and the home will be wirelessly enabled and communicating autonomously between each other and back to manufacturers. Unless more consideration is given towards securing both the devices and the communication links, there are likely to be breaches that will burrow into this Internet of Things infrastructure and start to gather private information or act as a staging post for more damaging attacks.”

Wireless Ethical Hacking, Penetration Testing and Defences

Pesce will be teaching the SANS course SEC617: Wireless Ethical Hacking, Penetration Testing and Defences at SANS London in July. The hands-on course takes an in-depth look at the security challenges of many different wireless technologies, exposing students to wireless security threats through the eyes of an attacker.

Using readily available and custom-developed tools, students navigate through the techniques attackers use to exploit Wi-Fi networks, including attacks against WEP, WPA/WPA2, PEAP, TTLS and other systems.

The course also examines the commonly overlooked threats associated with Bluetooth, ZigBee, DECT and proprietary wireless systems.

“We’re at a crossroads from a standards perspective,” concluded Pesce. “The vendors are still mostly obsessed with ‘bigger and faster’, but there’s also increased pressure from a privacy perspective and many are having a hard time figuring it out. For information security professionals, the skills needed to secure these new types of wireless connections are in high demand.”

*More information on SANS London Summer 2016 is available at: http://www.sans.org/london-in-the-summer-2016


Filed under Risk UK News, Uncategorized

“UK businesses could spend £1.2 million recovering from a cyber security breach” states new research from NTT Com Security

Most business decision-makers in the UK admit that their organisation will suffer from a cyber security breach at some point. They also anticipate that recovering from a data breach would cost upwards of £1.2 million on average for their organisation. That’s according to the Risk:Value report issued by information security and risk management company NTT Com Security, which surveyed business decision-makers in the UK as well as the US, Germany, France, Sweden, Norway and Switzerland.

While nearly half (48%) of UK business decision-makers say that information security is ‘vital’ to their organisation, and just half agree it’s ‘good practice’, a fifth admit that poor information security is the ‘single greatest risk’ to the business ahead of ‘decreasing profits’ (12%) and ‘competitors taking market share’ (11%) and on a par with ‘lack of employee skills’ (21%).

Well over half (57%) agree that their organisation will suffer a data breach at some point, while a third disagree. One-in-ten state that they simply don’t know if this will be the case.

Respondents estimate that a breach would cost them an average of £1.2 million, even before ‘hidden costs’ like reputational damage and brand erosion are taken into consideration. Again, on average it would take around two months to recover from a breach. Respondents to the comprehensive survey also anticipate a 13% drop in revenue, on average, following a breach episode.

Starting to hit home

The survey shows that recent high-profile data breaches are starting to hit home. A similar report published by NTT Com Security in 2014 revealed that 10% of an organisation’s IT budget was spent on information security compared to 11% this year. However, in the latest report, around a quarter (23%) of UK businesses reveal that more is spent on Human Resources than information security.

In terms of remediation costs following a security breach, nearly a fifth (18%) of a company’s costs would be spent on legal fees, 18% on fines or compliance costs, 17% on compensation to customers and 11% set aside for third party remediation resources. Other anticipated costs include PR and communications (14%) and compensation paid to both suppliers (12%) and employees (11%).


According to the report, the majority of respondents in the UK admit they would suffer both externally and internally if data was stolen, including loss of customer confidence (66%) and damage to reputation (57%) as well as suffering direct financial loss (41%). Over a third of decision-makers (34%) expect to resign (or expect another senior colleague to do so) as a result of a breach.

Stuart Reed, senior director for global product marketing at NTT Com Security, commented: “Attitudes towards the real impact of security breaches have really started to shift. That’s no surprise given the year we have just had. We’ve seen several major brands reeling from the effects of serious data breaches, and struggling to manage the potential damage, not only to their customers’ data, but also to their own reputation. While the majority of people we spoke to expect to suffer a cyber security breach at some point, most fully expect to pay for it as well, whether that’s in terms of third party and other remediation costs, customer confidence, lost business or even, possibly, their jobs.”

Whose responsibility is it anyway?

  • 41% of UK organisations have a disaster recovery plan in place, with 40% having a formal security policy in place. In both cases, almost half are in the process of implementing or designing one
  • When it comes to responsibility for managing the company’s recovery plan, 15% say the CEO now has responsibility, although this still largely falls to the Chief Risk Officer (CRO), the Chief Information Officer (CIO) or the Chief Security Officer (CSO)
  • While 77% agree it’s ‘vital’ their business is insured for security breaches, only 26% have dedicated cyber security insurance. However, 38% of those questioned are in the process of obtaining a policy
  • One-in-five respondents in the UK say they don’t know if their organisation has any type of insurance in place to cover for the financial impact of data loss or an information security breach

“It’s encouraging to see that almost all UK businesses now have a disaster recovery and formal information security policy in place, or are at least planning to implement one soon,” added Reed.

“Clear, concise internal processes and policies for employees and contractors have so often been overlooked, and this is what can lead to complacency and poor security hygiene. When we talk to clients, we make it absolutely clear that educating staff about security should be a top priority, supported all the while by clear and simple procedures and backed up by a solid incident response plan.”

*The Risk:Value Executive Summary report can be downloaded here


Filed under Risk UK News, Uncategorized

CESG Certified Training rebranded as GCHQ Certified Training

CESG Certified Training (CCT) was established in November 2014 to deliver training which satisfies the high standards set by CESG, the information security arm of GCHQ. APMG International is announcing that the scheme has been rebranded as GCHQ Certified Training (GCT). Effective as of 1 January 2016, the name change has been enacted to drive market recognition of the scheme and improve access to professional and relevant cyber security training.

APMG is GCHQ’s independent certification body, responsible for ensuring that training providers meet GCHQ standards. GCT helps professionals and organisations navigate the increasingly saturated cyber training market, and quickly identify training courses that meet the highest standards in terms of both content and delivery.

GCT certifies high quality cyber security training and trainers and is based on the IISP Skills Framework. This includes training suitable for those aspiring to certification under the CESG Certified Professional (CCP) scheme. The criteria for GCT are also aligned with the standards GCHQ uses for the GCHQ Certified Cyber Security Master’s degrees.


CCT has been rebranded as GCT in recognition that GCHQ is a more widely known brand and is already used to certify cyber security Master’s degrees while also recognising high quality cyber security research. The instantly recognisable brand of GCHQ will increase awareness of the scheme for those working within cyber security, ultimately improving the availability of – and access to – cyber security training that’s fit for purpose.

Building cyber skills

A GCHQ spokesperson told Risk UK: “One of the biggest challenges for the UK in cyber space is developing enough skilled people. Vital to building cyber skills is having relevant and high quality cyber security training. GCHQ Certified Training helps to deliver that by providing confidence in cyber security training providers and the courses they offer.”

Commenting on the name change, Richard Pharro (CEO of APMG) said: “GCHQ is widely recognised as the pre-eminent authority on cyber intelligence and data security, which is why we fully support changing the name of the scheme. By bringing CCT under the GCHQ banner, training providers that have certified against the scheme will benefit greatly from the rebranding. This move will make it easier for end users to better understand what the certification signifies: quality, assurance and security.”

Andrew Fitzmaurice, CEO of Templar Executives (one of the first training companies to have achieved CCT certification for its courses) added: “The rebranding to GCT is a positive step for training providers and clients alike. In a market with a plethora of products, the GCHQ brand immediately helps delegates recognise which training and trainers have been rigorously assessed to deliver the highest quality learning and development, in turn reflecting Best Practice in cyber security.”

Sarah Rudge, information assurance manager at Ofqual (the Office of Qualifications and Examinations Regulation), found the GCT-certified course she recently attended to be of a high quality, confirming the scheme’s value in the market.

Rudge commented: “I cannot recommend highly enough the information risk management course from Ultima Risk Management, which has been certified under the GCT scheme. I found it to be the perfect mix of tuition and practical exercises. It was so refreshing to find a course which is so relevant and directly applicable to my work.”


Filed under Risk UK News, Uncategorized

SANS Institute returns to Brussels for delivery of “vital” training and education on information security

SANS Institute, the world’s largest cyber security training provider, will be returning to Belgium in early 2016 to host five essential information security training courses.

Entitled ‘SANS Brussels Winter 2016’, the training event offers security, penetration testing and forensics tracks including the popular SEC401: Security Essentials Bootcamp taught by Dr Eric Cole, a SANS faculty Fellow, course author and member of the Commission on Cyber Security for the 44th President.

“Demand for security expertise is outstripping supply, making this a great time for both individuals and organisations to benefit from strengthening and gaining new skills,” urged Cole. “Events like ‘SANS Brussels Winter 2016’ and other SANS training opportunities around Europe are vital to help combat what’s now an increasingly complex threat landscape.”

‘SANS Brussels Winter 2016’ takes place from Monday 18 January-Saturday 23 January at the Radisson Blu Royal Hotel in the heart of Brussels, and includes a programme of evening talks and networking opportunities.

Training courses scheduled to run at the event are as follows:

  • SEC542: Web App Penetration Testing and Ethical Hacking (Tutor: Raul Siles)
  • SEC401: Security Essentials Bootcamp Style (Tutor: Dr Eric Cole)
  • SEC504: Hacker Tools, Techniques, Exploits and Incident Handling (Tutor: Steve Armstrong)
  • FOR572: Advanced Network Forensics and Analysis (Tutor: George Bakos)
  • FOR408: Windows Forensic Analysis (Tutor: TBC)

Each course has an associated GIAC certification. Discounted rates for the certification attempt are available when purchased with a training course.

*For more information on ‘SANS Brussels Winter 2016’ visit: https://www.sans.org/event/belgium-2016/


Filed under Risk UK News

Southwest Microwave awarded CPNI certification for INTREPID MicroPoint II perimeter security sensors

Southwest Microwave, the developer of integrated electronic perimeter intrusion detection systems, has recently received Government certification from the UK’s Centre for the Protection of National Infrastructure (CPNI) for its INTREPID MicroPoint II intelligent fence-mounted perimeter intrusion detection sensor.

Focused on the protection of national security and reducing the UK’s vulnerability to terrorism or criminal threats, the CPNI provides protective security advice spanning physical, personnel and cyber/information security. Tasked with recommendation and specification of specific security measures and protocols that deter, detect or minimise the consequences of attack, CPNI employs a range of stringent professional standards to rigorously test and approve physical security equipment for the protection of Critical National Infrastructure (CNI) sites.

Certification of INTREPID MicroPoint II by CPNI qualifies the system as a reliable perimeter fence detection solution for the fortification of CNI installations.

All MicroPoint II system components, including the Processor Module (PM II), Control Module (CM II), MicroPoint MC115 (standard) and MC315 (armoured) sensor cables, JB70A Lightning and Surge Protection Module and PS49 Power Supply, are now itemised in CPNI’s Catalogue of Security Equipment, published to support key public and private sector partners in the selection of equipment approved to protect essential national services and assets.

“Our INTREPID MicroPoint II fence-mounted perimeter intrusion detection system has been deployed worldwide to secure critical energy, transportation, Government and industrial sites along with many other facilities linked to CNI,” explained Martin Lomberg, Southwest Microwave’s European general manager.

“The successful accreditation of the MicroPoint II by CPNI reinforces its capabilities as an effective counter-terror solution for the highest security applications, both here in the UK and abroad.”


Filed under Risk UK News