Nortel and the decades-long breach

February 16th, 2012

“He who learns but does not think, is lost! He who thinks but does not learn is in great danger.” – Confucius

A whistle-blower from the defunct Nortel (a Canadian telecoms company) has just released information indicating that Nortel was the victim of an attack spanning years!

The attack was allegedly undertaken from China; the attackers managed to gain access to systems and services within the network and then used these footholds to steal information over a period of up to ten years…

But what is more astounding is that Mr Zafirovski, Nortel’s CEO between 2005 and 2009, told the Wall Street Journal that he and other staff:

“did not see it as a significant issue”

I found this astounding: that the CEO of a (former) major Canadian company would actually say that they did not think a hacker having access to their network was a significant issue…

So he (and his staff) did not think it was a significant issue that:

  • Sensitive data belonging to members of the public was at risk
  • Employees’ sensitive data was at risk
  • Credit/debit card information of any type was at risk
  • Any third parties they had technological access to were at risk
  • Every person using the telco ops was potentially at risk
  • Every business using the telco ops was potentially at risk

It is astounding that in this day and age a CEO and a board of directors would not take a security issue seriously…

Epic Fail.

PCI DSS Vendors and Service Providers… Double-check credentials!

February 8th, 2012

“Lions and tigers and bears… OH MY!”

Dorothy – Wizard of Oz

Over the last few weeks the guys at Razor Thorn HQ and I have been doing some checks on behalf of a number of our clients, looking for PCI DSS compliant service providers in a number of different sectors.

I have to say I am both disappointed and annoyed at the results…

We contacted a mix of about 20 different service providers across ecommerce, call centres and a few other areas. Of the twenty service providers, only two actually had their Attestation of Compliance (AoC) ready to show us. The rest all tried to talk their way around the subject or never got back in touch with us.

In short, the vast majority were seemingly lying about their accreditation.

They were willing to say they had it to win new business, but obviously actually doing PCI DSS properly was not a priority. Some of those we called that were unable to provide adequate evidence of their compliance actively advertised PCI DSS compliance on their websites!

In addition, I was speaking with a business contact of mine at one of the few web hosting providers that is PCI DSS compliant, and he told me he had seen a dramatic increase in the number of vendors using PCI DSS as a means to sell their products, with inaccurate statements such as:

“It removes the need for PCI DSS”

“It complies with PCI DSS”

Let me just set the record straight here as a QSA and on behalf of all good QSAs: no single product can take away the need for PCI compliance or answer all the PCI requirements. Yes, there are certain products that make your compliance easier; in fact some products are excellent in this respect, but they cannot remove the PCI DSS requirements completely. You still have to undertake the rest of the PCI DSS requirements; for instance, Requirement 12 has many items that are process and business related and thus cannot be solved by software alone.

With regard to service providers, always request PROOF that they are compliant. If they claim to be compliant as a Level 1 service provider, ask for their Attestation of Compliance (AoC); if they cannot provide it, then they are not compliant. If a company is a service provider to you, then YOU cannot become compliant until THEY are compliant (or you drop them and use a company that can prove compliance).

So, to conclude: don’t believe the sales material hype, and do not accept that a company is a PCI compliant service provider until they can prove it!

Cyber Liability Insurance

January 12th, 2012

“The first rule of business, protect your investment”

Etiquette of a banker 1775

Cyber liability insurance is the latest hot topic for insurance firms in today’s market. Recently the news has been buzzing about significant cyber thefts at some of the largest companies, which have incurred significant brand damage as well as substantial fines and business disruption due to cyber-crime.

Insurance companies have now realised that information assets are at significant risk of being stolen and mishandled, and have thus begun a significant drive to sell cyber liability insurance, allowing businesses that suffer serious loss due to cyber-crime to protect themselves with insurance and so limit the monetary damage from such criminal activities. It is an excellent idea and a valid method of mitigating the impact of losses to the business.

However, when carefully reading the terms and conditions from the many companies now offering cyber liability insurance, it is obvious that they expect the purchaser to take on a level of security responsibility and ensure that information security functions are being carried out correctly; otherwise they are able to refuse claims due to inadequate security.

During our information security team’s investigations, a number of common clauses were noted:

  • Beware of the insurer’s liability: this is limited in many T&Cs to £250k – £500k. If your assets are worth more than this figure then you will still incur significant costs in the event of a breach.
  • Consequential losses are not covered! Much of the damage from cyber-crime comes in the form of consequential losses (lost revenue, profit, tax); this does not seem to be covered in most insurance T&Cs.
  • Credit card theft, as well as the damages from such breaches, is not covered at all in almost all cases.
  • Third parties involved in the business, and damages from business failures at the third-party level, are not covered under your policy!
  • Personal use of IT systems that results in damage is not covered in most policies; if you get a virus from your personal webmail account that infects your corporate network, you may not get a pay-out.
  • Viruses and damage from viruses are not included in many cases.
  • In many cases the term ‘Hacker’ did not include employees of the business; therefore, if an internal issue occurred, there would potentially be no pay-out.

As a product it’s a fantastic way of covering your organisation’s financial loss if a breach has occurred. This is a solid area of insurance with some real benefits; just make sure that your policy is right for you and covers you properly, and ensure that you understand what your policy does cover and what it does not.

Cyber Liability Insurance is definitely something to consider for the future.

Protect your investment

December 21st, 2011

“The first rule of business, protect your investment”
Etiquette of the banker 1775

The first rule of business for any board of directors or CEO has been, and always will be, to protect the investment; the second rule is always to make a profit. No matter the business, no matter the sector, the quote above is always at the forefront of any business leader’s mind on a day-to-day basis.

You cannot in this day and age create a business that will operate for any mid- to long-term period without ensuring that you secure your assets. Companies in general develop in an ever-moving circle:

  • Develop a product / service
  • Market the product / service
  • Sell the product / service
  • Secure the assets to protect the revenue stream

Any business, no matter the product, follows (or should be following) this simple process, and once you have completed it you will no doubt be following the same process again for new revenue-generating activities. This is how a business expands, grows and develops over time.

However, I have found through my many interactions with businesses that they follow the first three stages of the above process and then fail to undertake the last phase properly. This means that over time the risk of the business suffering a critical failure increases, because the business is not properly following the first rule: protecting your investment.

If you have a revenue stream which makes your business £500k per year, and this revenue is expected to increase year on year, would it not make sense to spend a small amount of that yearly revenue to put in place protection that reduces the risks to that revenue stream? You could rely on blind faith, but looking at it objectively, blind faith has never been an effective way of protecting investments; it takes hard work, knowledge, the right people and the right advice.

Since the inception of the internet and its adoption in our lives as a primary technology for communication, advertising, market exposure and collaboration, the business world has seen an explosion of innovation and has rapidly expanded its operations to take advantage of this marvel. Information technology and the internet have now become essential to 95% of the world’s business operations. In the western world we can no longer operate without them.

Unfortunately the darker side of the business world has also adopted the internet; criminal organisations are rapidly expanding their operations. No longer is it efficient to rob a bank at gunpoint; it is far safer to employ a hacker to steal credit card information from smaller ecommerce companies where security is almost non-existent.

Cyber-crime in the UK alone during 2010 cost an estimated £27bn according to UK government statistics; this was made up of £21bn to private business, £2.2bn to the government and £3.1bn to citizens.

So what are UK businesses doing wrong? Why are we losing such a massive amount of revenue to cybercrime?

The answer is simple: UK businesses are not securing their investments correctly; many are still applying old-school security to their assets and not considering modern threats. Locks, bolts and physical security are great for ensuring that your physical operations are protected, but vast portions of business are now conducted on the internet and through third parties connected to the internet. Businesses are not applying security correctly where their assets reside, which is predominantly on, or connected to, the internet.

In the UK, businesses of all sizes need to sit back and look at their operations, looking at the non-physical assets as much as the physical assets. The threat is out there and has moved beyond the physical world, so small, medium and large businesses need to look seriously at where their risks lie.

One thing I hear time and time again from companies is that they are not at risk because they are “only small” or “we are not a bank”. Unfortunately, cyber criminals don’t go for banks; too high a risk of getting caught… No, they are coming for you, the low-hanging fruit…

What is Information Security?

December 12th, 2011

Security is not a new concept for the human race; for thousands of years security has been the foundation of any good society. In effect it is central to the lives of everyone and has been since before humans developed from the primate.

In our modern world security is still a central aspect of daily life for ourselves, our families, our society and the world in general. We use security as a blanket: it means we are fed, clothed, warm and safe in our daily lives, as are those nearest and dearest to us.

Security, however, has in our modern world been drastically expanded from what it once was: the policeman on our streets and the locks and bolts on our doors. Now vast amounts of our time are spent utilising the wonders of the modern internet; we communicate, purchase goods, pay our bills and seek entertainment, and the internet has become a cornerstone of the world’s economy and part of our daily lives. Many of the younger generations (rightly or wrongly) spend far more time online than on any other pastime or activity, and as these younger generations become adults they will not remember a time when the internet was not available, unlike us older folk.

With this dramatic change in our daily lives we as a society are finding out the cold hard truth about an online world… it was not built with security in mind, and it has become a big problem and a concern for many people. Every day there are new news stories of people having their credit cards, bank information and businesses placed at risk due to ‘hackers, viruses and technological failure’. Modern businesses need to secure their business assets; this is where we come in.

Razor Thorn Security is the premier information security provider, able to facilitate any digital security need. We can provide companies with security consultancy, products and solutions that will enable them to operate safe in the knowledge that they can handle almost any threat to their business, allowing you to operate free of the fear that your business is at risk.

When the crap hits the fan and you can’t run your business due to a complete breakdown of your systems and services, who you gonna call?