Friday 28 May 2021

Keeping Phishing Simulations on Track


The West Midlands Train service has come under fire after workers discovered that an email promising them a bonus payment after running trains during the pandemic was actually a phishing simulation test.

Around 2,500 employees received a message which appeared to come from Julian Edwards, Managing Director of West Midlands Trains, thanking them for their hard work over the past year under COVID-19 and telling them they would receive a one-off payment as a thank you.

However, those who clicked through on the link were then emailed back with a message telling them it was a company-designed ‘phishing simulation test’ and there was to be no bonus. The email warned: “This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward.”

Since the test was revealed, the train service has received a media backlash for promising a fake financial reward to deserving teams. However, the modern threat landscape is constantly evolving, and it’s vital that businesses prepare their workforces against any type of threat. So was this a good test of resilience? Andrea Babbs, UK General Manager, VIPRE, explains.

Fight Fire with Fire
In order to be successful in the fight against cybercrime and protect the network, businesses should not be afraid to fight fire with fire and sometimes stoop as low as the phishers themselves – who have no morals. By using a powerful message and incentive such as the suggestion of a bonus provided by West Midlands Train Service, businesses can gain valuable insight into how their employees could be tricked into clicking on a phishing link, and why they need to ensure their staff are trained for any type of attack.

However, the test has clearly upset West Midlands’ employees and could have been done in a less dramatic way so that it wasn’t ethically or morally questionable. This is particularly true during a pandemic in which our frontline workers, like those in the transport industry, have continued to put themselves at risk over the last year. The idea of a bonus in the current challenging environment seems a deserved act of recognition for their above-and-beyond service – but for this to be a test, rather than the promised reward, is particularly hard-hitting for those involved.

Finding the Balance
It is vital that organisations take the time to train and educate their staff so that they become an additional line of defence in an organisation’s cybersecurity strategy. However, IT teams also need to rely on users’ goodwill to encourage them along the cybersecurity journey. This test by West Midlands Train service may have damaged that goodwill and could disillusion some members of staff.

Rather than mentioning a bonus, the train service could have mentioned a change to pay, or the date of payroll. Both of these statements would have had the same instinctual reaction in employees, without having heightened emotions surrounding the letdown of a non-existent bonus.

Importance of Education
Regardless of the incentive behind the West Midlands phishing test, the fact that employees clicked on the link highlights the need for businesses to perform these types of tests in the first place.

Cybercriminals will stop at nothing to get users to click on a phishing link, download a malicious attachment or fill in their details on a forged website, and will use personal or professional information to lure them into doing this.

Therefore, employees need continuous training to identify and avoid these attacks. Going forward, businesses looking to deploy such phishing tests should use less emotive topics to trick their users, in order to avoid ill will or backlash from their employees and the media.

One way to achieve this is to implement Security Awareness Training programmes that incorporate real-life situations, including phishing simulations that are less emotive. This educational material helps organisations to reinforce crucial cyber threat prevention messaging and educates workforces on how to protect both the business and themselves.

Wednesday 26 May 2021

How Hidden Vulnerabilities will Lead to Mobile Device Compromises

Your mobile device can be hacked very easily without your knowledge. Even if an attacker can’t get into your device, they can instead try to access the sensitive information stored on it, such as the places you have visited, your emails and your contacts. It's not just consumers who are targeted by cybercriminals: the rise of smartphones and tablets in the workplace and the increase in remote working have led hackers to target businesses through their mobile device vulnerabilities.

Most individuals and organisations with very sensitive information still do not take basic mobile security measures, even with the rising threats to our smartphones. According to a study by Intertrust on mobile security, the cost of mobile app hacks and violations will hit $1.5 billion by the end of 2021. Yet network systems and even our desktop computers get more attention, with mobile device security continuing to be ignored by organisations across the globe every day.

Three Ways a Mobile Device can be Compromised
Unsecure Wi-Fi
When out and about, the free Wi-Fi sign is always something we look out for, but it is best to ignore public Wi-Fi networks that don't require a password. On an unsecured Wi-Fi network, eavesdroppers can see all of your unencrypted traffic. Wi-Fi in public places such as cafes and airports may be insecure, allowing malicious actors to see everything you do while connected.

Make sure you're connecting to websites using HTTPS. HTTPS ensures that traffic to and from a specific website is encrypted, while a VPN service encrypts everything you send. Look at the address bar of your browser window to see whether you're connected via HTTPS; you should see "HTTPS" at the start of the web address (or, on some web browsers, a lock icon). Be aware, though, that hackers have been able to obtain valid SSL certificates, and therefore the HTTPS prefix, for sites whose names differ only slightly from those of major financial institutions.

Finally, using public Wi-Fi exposes you to session hijacking, which occurs when a hacker monitoring your Wi-Fi traffic tries to take over an open session you have with an online service (such as a social networking site or an email client) by stealing the browser cookies the service uses to identify who you are. Once hackers have your cookies, they can use them to impersonate you on these sites or even track you down.

Pay attention to the warning messages your device shows you to see whether you're on an unsecured connection. On an iPhone an alert will pop up saying that the identity of the server cannot be verified and asking if you still want to connect; before you can access the Wi-Fi, you will be asked to press "continue". Despite this warning, 92% of users click continue. Your phone has a lot of very good technology built in to alert you when you are about to make a bad security decision. Be vigilant when connecting to free Wi-Fi, and avoid exchanging personal information, to protect yourself.
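The session-cookie theft and plaintext eavesdropping described above are blunted on the server side by the Secure and HttpOnly cookie attributes and an HSTS header. As an added example that is not part of the original article, the Python script below audits a set of HTTP response headers for those protections; the headers are constructed sample data, not captured from any real site, and the function names are this example's own.

```python
"""Audit HTTP response headers for the protections that stop an eavesdropper on
open Wi-Fi from reading session cookies. Added example; not from the article."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample headers standing in for what a browser receives from a
# site's login endpoint. They are illustrative, not captured from a real site.
WEAK_RESPONSE: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),        # no Secure flag
    ("Set-Cookie", "csrf=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),              # no HttpOnly
]

HARDENED_RESPONSE: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

ONE_YEAR = 31_536_000  # minimum HSTS max-age, in seconds, that we accept


@dataclass
class CookieFinding:
    """One cookie and the list of protections it is missing."""
    name: str
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip()
    return name.strip(), cookie_value, attrs


def audit_cookies(headers: List[Tuple[str, str]]) -> List[CookieFinding]:
    """Return a finding for every cookie that lacks Secure, HttpOnly or SameSite."""
    findings: List[CookieFinding] = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(header_value)
        finding = CookieFinding(name)
        if "secure" not in attrs:
            # Without Secure the browser also sends the cookie over plain HTTP,
            # which is exactly the traffic an eavesdropper on open Wi-Fi can read.
            finding.problems.append("missing Secure attribute")
        if "httponly" not in attrs:
            finding.problems.append("missing HttpOnly attribute")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            finding.problems.append("SameSite not set to Lax or Strict")
        if finding.problems:
            findings.append(finding)
    return findings


def has_strong_hsts(headers: List[Tuple[str, str]], min_age: int = ONE_YEAR) -> bool:
    """True if the response carries an HSTS header with max-age >= min_age.

    HSTS makes the browser refuse plain-HTTP connections to the site, which
    closes the downgrade window that sniffing on an open network relies on.
    """
    for header_name, header_value in headers:
        if header_name.lower() != "strict-transport-security":
            continue
        for directive in header_value.split(";"):
            key, _, val = directive.strip().lower().partition("=")
            if key == "max-age":
                try:
                    return int(val) >= min_age
                except ValueError:
                    return False
    return False


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: HSTS ok = {has_strong_hsts(headers)}")
        for f in audit_cookies(headers):
            print(f"  cookie {f.name!r}: {', '.join(f.problems)}")
```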

Malicious Apps
The number of mobile users attacked through malicious apps has risen by 54% over the past year. Apps add mobile functionality, but they also increase the risk of a data breach, particularly if they are downloaded from websites or links in tweets rather than from a secure app store. Malicious code that allows hackers to steal data can be hidden inside apps, even ones that appear to work normally.

The mobile technology ecosystem is enormous. Neither Apple nor Google looks at every single app in its store and decides whether or not it is malicious. To protect yourself, you should limit the number of applications you install. Mobile Device Management (MDM) security solutions can include policies that require workers to use a VPN or a private Wi-Fi hotspot when connecting to public Wi-Fi networks. Given the increasing number of sophisticated cybersecurity threats, MDM is the key to a healthy, effective and reliable mobile workforce.

What we call the attack surface of your phone grows with the number of applications you have installed: more applications mean more lines of code, and a greater chance that somewhere in that code there is a security-sensitive flaw.

Operating System Flaws
Despite the best efforts of smartphone manufacturers, vulnerabilities are what let attackers in. To protect users, device manufacturers release operating system updates frequently. These updates contain very important security patches, yet people worry that an update will change how they use their phone, or that their phone will not be compatible with it.

As soon as new updates are released, users need to apply them. Hackers learn about vulnerabilities once updates are issued and go after out-of-date devices. Nobody recovers from being hacked quickly. Although computers have always been vulnerable to attack, mobile devices are becoming a larger target for criminals. Secure yourself by identifying the risks and making attempts to minimise them ahead of time.

Author
This article was provided by SaltDNA, a provider of secure mobile message and voice call communications. You can sign up for a free trial of SaltDNA or talk to a member of their team at info@saltdna.com or by visiting saltdna.com.

Wednesday 19 May 2021

Cyber Security: Data ‘Re’-Assurance

How do you know company data is secure? 
How do organisations know their data is secure? And how can companies ensure that a network breach won’t result in a loss of sensitive data? The consequences of a data breach are potentially disastrous for any organisation, so companies need to be reassured that their data is secure at all times in line with any internal and external compliance needs - and that they have the tools and visibility to prove this, should a network breach occur.

With 78% of IT security leaders lacking confidence in their company’s cybersecurity posture, now is the time for organisations to focus on applying a ‘Zero Trust’ approach to their cybersecurity strategy. In doing so, security professionals acknowledge that they cannot trust the security of their underlying infrastructure and therefore implement controls from a data assurance perspective, placing emphasis on protecting their sensitive data, irrespective of where this data travels within the network. And those CISOs and CSOs who are solely concerned with their network security need to reconsider and focus on their data security.

Security professionals should be taking a proactive approach to their organisation’s cybersecurity and should always be considering how they can better protect their most valuable asset - their data. With this in mind, Paul German, CEO, Certes Networks, outlines how data assurance is a mindset that security professionals need to adopt in order to be confident that their sensitive data is protected at all times.

Increasing Threats
Cyber attacks are increasing dramatically, and by its very nature sensitive data is an incredibly valuable asset and one that is frequently targeted. Last year, 37 billion data records were leaked, a staggering 140% increase year on year. Surely there are measures that companies can take to stem this growing tide of data breaches.

However, on average only 5% of company files are properly protected - a surprising statistic considering the vast implications of a cyber attack. Furthermore, malicious hackers are now attacking computers, networks and applications at a rate of one attack every 39 seconds.

Clearly, cyber attacks and consequent data breaches are an epidemic and organisations need to put the appropriate measures in place in order to protect their data and their business. Ultimately, companies need to adopt a data assurance strategy aligned to business intent so they have the right tools and security posture in order to be in the best position when it comes to safeguarding their most valuable asset against cyber criminals.

The Consequences
When a cyber attack occurs and an organisation loses the sensitive data they have been trusted with, there are significant consequences. Of course, the obvious economic repercussions are enough to make any business concerned, with the average cost of a data breach being £2.73 million ($3.86m USD) as of 2020.

However, it is not just a data breach, but a breach of trust. Additionally, losing a client’s sensitive data damages a company’s reputation and organisations could even be facing legal action, especially if they breach regulations such as GDPR, HIPAA or CJIS. The fact is that businesses are fined for a loss of data because they are not compliant with specific laws over the use of sensitive information - not for a network breach.

By looking at cybersecurity from a data assurance perspective, security professionals can avoid these damages by protecting their data from the outset, rather than waiting for an inevitable breach to happen before implementing data security measures. There is no reason for businesses to put themselves in a vulnerable position when they have the ability to effectively avoid the consequences of a data breach altogether.

Data Assurance
When businesses consider their cybersecurity strategy from a data assurance perspective, they are directly focusing on their data security and ensuring that they have the necessary outputs in place in order to prove at all times that their sensitive data is protected according to their business intent.

Through understanding their business intent, organisations adhere to specific objectives that they have defined in order to protect their data and mitigate associated risks. By adopting a Zero Trust approach to their cybersecurity posture, companies can achieve the separation of duties that cannot be met when security protocols are tied into the network infrastructure. With a secure overlay that is agnostic to the underlying network infrastructure, security teams can have total control of their security posture. This means that should an incident occur, the required controls are in place and functioning and security professionals can easily prove that their main priority, which is their sensitive data, is safe.

Additionally, with regulations over how organisations can handle data continuing to evolve and change, companies need the mechanisms in place to be able to proactively react to any developments in regulatory compliance requirements. By implementing policies that match evolving compliance requirements and by putting data at the forefront of any cybersecurity strategy, organisations can be secure in the knowledge they are observing these rules and regulations and won’t fall victim to their data being compromised.

Companies need to seriously consider implementing the right controls in order to make sure their data is protected and by focusing on their cyber security strategy from a data assurance perspective, they can ensure that they are emphasising the protection of their most valuable asset.

Thursday 13 May 2021

How to Ensure Security when Buying a Refurbished or Second-Hand Smartphone


Last year, a Which? investigation found that 31% of resold smartphone models from three of the major used and refurbished handset stores are no longer receiving security updates. Phone manufacturers only schedule updates for a certain period after the release of a model, so those looking for an extra bargain in older devices could be putting themselves at risk.

As well as security issues, second-hand smartphones that haven’t been wiped by their previous user can still contain sensitive data. Without following the proper steps, anybody considering selling their old phone on eBay or another marketplace could be exposed to fraud in numerous ways.

How to Ensure Security When Buying a Phone
Phone manufacturers often release information on their security updates, so checking your chosen model is still receiving these updates is essential to remain secure once you start using your new phone. The length of time phones are updated varies by manufacturer and by model.

For example, Apple offers security updates for several years, and the next model to stop receiving these updates is the iPhone 6, released in 2015, which will no longer be updated at the end of 2021. However, the Huawei Mate 10 Pro stopped being updated just 28 months after its release in 2017.

Apple also links its security updates with its general software updates, meaning if your device is no longer being updated, your apps and other functions will not work as well and can be exploited by hackers in other ways. For this reason, it’s best to shop around for more recent models.

For those who have chosen an old model, it’s important to take extra care when using the device and navigating online. Pay attention to app permissions, as some apps may take advantage of gaps in the phone’s security perimeter that can expose your personal data. Using smartphone security or antivirus software will also help prevent unauthorised access to your device or your data when using an older phone.

With any used or refurbished phone, carrying out a factory reset before using will ensure that any personal data that has been missed by the previous owner is deleted before you start using the device.

Consider Your Data before Selling Your Smartphone
Before selling a smartphone, the best course of action to prevent your data from being stolen or abused is to perform a complete factory reset of the device. Once you’ve saved everything you want to keep on an external backup, like your computer or the cloud, perform a factory reset by following the guidelines of your phone’s manufacturer. Some devices may ask whether you want to keep personal data while performing the factory reset; make sure you don’t select this option, as it will not fully clear the device.

Things to pay attention to are any apps where passwords are saved to your phone and apps that send SMS confirmations for security purposes. Before getting rid of your old device, make sure texts from online banking or other sites can be received on your new phone and be sure to save passwords somewhere secure to avoid being locked out once your phone has been reset.

The Used and Refurbished Phone Market
Used and refurbished smartphones make up only 14% of all smartphone sales, but their presence is essential in reducing the environmental impact of the smartphone industry by prolonging the life of every device. With numerous precious metals used in smartphones that will soon be too difficult to mine, manufacturers need to do more to keep old devices secure.

By arbitrarily limiting the length of time devices receive security updates, manufacturers are forcibly cutting the life of most devices short, contributing to the major e-waste problem faced by modern society.

In addition to manufacturers, second-hand phone vendors need to make their customers aware before they buy unsecured devices. Following the Which? survey, some second-hand retailers added information about the security strength of old devices, which helps inform consumers’ decisions and raise awareness of how they can secure these devices if they choose to still purchase them.

Conclusion
Overall, second-hand and refurbished smartphones are an essential facet of the smartphone industry and more needs to be done to improve the quality and security of these devices to combat the rapidly growing e-waste problem, as well as provide more opportunities for consumers to get their hands on smartphones at any price point.

This article was written by Damon Culbert from Repair Outlet, smartphone parts and refurbished device retailer.

Tuesday 11 May 2021

10 Things You Might Not Know About Cyber Essentials

IASME delivers Cyber Essentials on behalf of UK NCSC
By Sam Jones | Cyber Tec Security and Dave Whitelegg

What is Cyber Essentials? If you are just hearing about the Cyber Essentials scheme, read on as we unpack 10 things you might not know about Cyber Essentials.

1. UK Gov Launched Cyber Essentials in 2014
The UK Government National Cyber Security Centre (NCSC) published its ‘10 Steps to Cyber Security’ in 2012, after UK Government agencies recognised that small and medium-sized UK businesses require further cybersecurity guidance and support in order to protect the digitally dependent British economy.

This led to the development of five critical 'cyber essentials' technical security controls, which provide a minimum level of cybersecurity protection. Assurance that an organisation has adopted these five security controls gives a good degree of confidence that it is protected against the most common cyber threats, and thus the UK Cyber Essentials certification scheme was born.

2. IASME is the Sole Partner of the NCSC in delivering the Cyber Essentials Scheme
As of April 2020, the Information Assurance for Small and Medium Enterprises Consortium (IASME) won the contract to become the sole partner delivering the Cyber Essentials scheme on behalf of the NCSC. Prior to this, there were five different accreditation bodies operating under different methodologies, so to reduce confusion around the scheme and to streamline the certification process, the NCSC decided to go with a single accreditation body: IASME.

IASME now oversees a large number of Certification Bodies based around the UK, all of which have qualified assessors able to certify businesses looking to achieve the certification.

3. Cyber Essentials is the only UK Government Cybersecurity Standard
Although there are other cyber certifications available, Cyber Essentials is the only scheme designed and backed by the UK Government. Holding the certification is a mandatory requirement for any business bidding on UK Central and Local Government, and Ministry of Defence (MOD) contracts. 

Although it is a UK standard, businesses outside the UK can be, and are, Cyber Essentials certified.

4. There are Two Levels to the Cyber Essentials Scheme
The scheme is designed with small-medium sized businesses in mind, offering a low cost and straightforward way to start their cybersecurity journey, protecting UK businesses from the most common cyber threats. 

To make the scheme more flexible, there are two levels, Cyber Essentials and Cyber Essentials Plus:
  • Cyber Essentials requires the five basic security controls to be assessed and recorded on an IASME-provided secure web portal, with a qualified assessor verifying the information provided. This simple self-certification costs around £300.
  • Cyber Essentials Plus (CE+) provides a higher level of assurance than the regular Cyber Essentials, so it suits businesses striving to further demonstrate their cybersecurity posture to clients. Some clients may even require CE+ certification for their security assurance via a contractual clause. The CE+ assessment process requires an external assessor to evidence and verify the five Cyber Essentials controls and requirements. The cost of a CE+ assessment will depend on the size and complexity of your business' IT network.

5. Cyber Essentials has to be Renewed every 12 months
Cyber Essentials certifications must be renewed every year, to demonstrate that the business is still aligned with the standard's requirements. However, although certification requires passing a point-in-time security assessment, it is important that the Cyber Essentials security requirements are continually met. This is comparable to taking your car in for an MOT: your car may be deemed road-safe on the day it passes all the MOT checks, but if it is no longer roadworthy a couple of weeks later, the MOT certificate does not make your car safe or legal to use on UK roads. Therefore, with Cyber Essentials, you must continually verify compliance with the security requirements outside of the annual certification process, or your business will not benefit from the protection the security controls provide.

6. Achieving Cyber Essentials is Often Quick
Too many businesses put cybersecurity on the backburner because they lack the understanding and the time to properly assess their cyber controls and risks. Achieving Cyber Essentials certification does not take weeks to complete. The Cyber Essentials assessment approach provides guidance to help identify and remediate any security shortcomings found, so you can ultimately reach a Cyber Essentials state of operation and obtain a certification that can be used to prove your business's compliance with the scheme to other parties.

Of course, the time to complete a Cyber Essentials certification will depend on the extent of the remediation work required, however, you do not need to be a security expert to fix the typical issues, as expert security guidance is provided through the online assessment process. Some businesses without security issues have managed to complete a Cyber Essentials assessment and then receive their IASME Cyber Essentials certification within 24 hours.

7. Cyber Essentials reduces the risk of ICO Financial Penalties
The UK Information Commissioner’s Office (ICO) regulates privacy rights and data protection compliance with the UK Data Protection Act (DPA) and GDPR for any organisation which processes and/or stores UK citizens' personal information. Failure to safeguard UK personal data from cyber-attacks can result in the ICO issuing eye-watering monetary penalties. The maximum penalty is the higher of £17.5 million and 4% of your annual turnover (based on the previous financial year). Recent penalties have involved Ticketmaster UK, Marriott International and British Airways, the latter of which was fined £20m.

Adopting the Cyber Essentials controls helps to protect personal data. The ICO works closely with the NCSC and is said to look favourably on organisations that have obtained Cyber Essentials certification and are breached, which may reduce the chance of higher regulatory fines being imposed.

8. Cyber Essentials is for Big and Small UK Organisations
The Cyber Essentials certification has been adopted by many big names, including the likes of Vodafone, Deloitte, Accenture, BP and Barclays Bank. However, the scheme was very much developed with UK SME cybersecurity in mind. Adopting Cyber Essentials is a crucial first step for SMEs in taking their cybersecurity obligations more seriously, with a certification demonstrating security assurance both to customers and suppliers.

Small businesses are highly exposed to, and are the hardest hit by, cyber-attacks, although it doesn't seem that way given that it's the large blue-chip companies that tend to dominate the media headlines when it comes to cyberattacks and data breach reporting. While larger companies can afford to absorb the often heavy cost of a cyberattack, it tends to be a different story for small businesses, where a serious cyberattack can lead to the business permanently closing.

SMEs are commonly in the supply chain of larger organisations, and as such are targeted by cybercriminals seeking to gain access to those organisations, given that IT security is often a lot weaker at SMEs than at the attacker's target. Once an SME's systems are compromised by an attacker, it can be a simple process to hop through the supply chain network to the target organisation.

9. Cyber Essentials is still needed if other Security Certifications like ISO27001 are in place
ISO27001 is a popular internationally recognised information security business management certification. Holding ISO27001 certification does not mean Cyber Essentials is an unnecessary additional certification, although the two standards complement each other well.

Cyber Essentials provides a prescriptive set of security requirements, which in turn gives confidence that a fundamental, standard set of industry-recognised good-practice technical controls is in place and effective. This is one of the reasons why Cyber Essentials is increasingly used to assure the security of supply chains through due diligence.

10. The USA is a Big Supporter of the Cyber Essentials scheme
Thanks to the Cyber Essentials scheme’s early success, the United States of America Cybersecurity and Infrastructure Security Agency (CISA) introduced Cyber Essentials and the culture of cyber readiness to small businesses and government agencies to guide them on their cybersecurity journey.

In line with other international security standards like the NIST framework, Cyber Essentials is a fantastic approach for those wanting to better understand their organisation’s cybersecurity defences and the best practices for improving them.

Friday 7 May 2021

Achieving PCI DSS Compliant Firewalls within a Small Business

The most important and integral part of any data security begins with having firewalls installed in the environment. Not just that, installing firewalls is an essential requirement of the Payment Card Industry Data Security Standard (PCI DSS). However, simply installing a firewall on the network perimeter will not make your organization PCI DSS compliant.

PCI DSS sets out specific requirements pertinent to firewalls under Requirement 1 and its sub-requirements, covering how firewalls should be installed, updated and maintained, along with firewall rules. Elaborating on this, in this article we explain the basic PCI DSS firewall requirements and the need for small businesses to install firewalls. But before getting into the details, let us first understand what a PCI DSS compliant firewall means.

What is a PCI DSS Compliant Firewall?
Firewalls are used to segment or isolate networks and are an essential component in limiting cyber threats and protecting internal networks from the internet and other untrusted networks. In a merchant’s point-of-sale (POS) environment, a firewall's purpose is to permit only specific allowed network traffic into and out of the POS network environment.

However, if misconfigured and unmaintained, a firewall could fail to adequately protect networks and IT systems that process payment cards. The PCI Security Standards Council has provided requirements and guidance for firewalls to ensure that merchants and service providers correctly deploy and maintain firewalls.

PCI Firewall Requirements
The PCI DSS firewall requirements cover both technical specifications and physical access controls requirements within PCI DSS requirements 1 & 9.  This includes planning for future updates, reconfiguration, limiting only relevant inbound network traffic, etc. The physical access requirements are more about ensuring that companies limit physical access to the Cardholder Data Environment (CDE). This would include inspecting card reading devices for identifying any tampering of devices, installing monitoring devices, the requirement of unique IDs for authorized access, and visitor logs to name a few. 

To understand the technical requirements, let's look at the PCI DSS firewall requirements summarised below.

| Ref. | Requirement | Description |
|------|-------------|-------------|
| 1 | Protect cardholder data with a firewall. | Firewalls are a key protection mechanism for securing the network and the Cardholder Data Environment. |
| 1.1 | Establish and implement firewall and router configuration standards. | Establish firewall and router configuration standards and other documentation, and verify that the standards are complete and implemented. |
| 1.1.1 | Establish a formal process to validate and test all network connections and changes to firewall and router configurations. | Document procedures that verify a formal process exists for testing and approving network connections and changes to firewall and router configurations. This includes interviewing responsible personnel and periodically examining records to verify that network connections and a sample of actual changes to firewall and router configurations were approved and tested. |
| 1.1.2 | Establish a network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks. | Create network diagrams that describe how the networks are configured and identify the location of all network devices. This prevents any area from being overlooked, unknowingly left out of the security controls implemented for PCI DSS, and left vulnerable to compromise. |
| 1.1.3 | Establish a data-flow diagram that shows all cardholder data flows across systems and networks. | Create a data-flow diagram to identify the location of all cardholder data in the environment; it helps you understand and track how the data flows across systems and networks. The diagram must be kept up to date as the environment changes. |
| 1.1.4 | Establish firewalls at each Internet connection and between any DMZ and the internal network. | A firewall on every Internet connection into the network, and between any DMZ and the internal network, lets the organization monitor and control access. This minimizes the chance of malicious, unauthorized access to the internal network via an unprotected connection. |
| 1.1.5 | Describe the groups, roles, and responsibilities for managing network components. | Establish roles and responsibilities for the management of network components so that personnel are aware of their duties regarding the security of all network components. This facilitates better accountability for the security of the CDE. |
| 1.1.6 | Document the security measures implemented for protocols considered insecure, and the business rationale for all services, protocols, and ports allowed. | Documenting the services, protocols, and ports that are necessary for business prevents compromises that would otherwise be caused by unused or insecure services and ports. The use of every necessary protocol and port should be justified, and the security features that allow insecure protocols to be used safely should be documented and implemented. |
| 1.1.7 | Review firewall and router rule sets at least every six months. | Organizations must review firewall and router rules at least every six months to clear out unwanted, outdated, or incorrect rules, and to ensure that the rule set allows only the authorized services and ports that match the documented business justifications. |
| 1.2 | Restrict connections between untrusted networks and all system components in the cardholder data environment using firewall and router configurations. | Install network protection between the internal, trusted network and any untrusted network that is external and/or outside the organization's ability to control or manage. This limits traffic and prevents the exposure of vulnerabilities and unauthorized access by malicious individuals or software. |
| 1.2.1 | Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and restrict all other traffic. | Examine all inbound and outbound connections and restrict traffic based on source and/or destination address. This filters out unnecessary traffic and prevents malicious individuals from accessing the network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner. |
| 1.2.3 | Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure them to permit only authorized traffic for business purposes. | Firewalls must be installed between the CDE and all wireless networks, which may include corporate networks, retail stores, guest networks, and warehouse environments, among others. Perimeter firewalls act as a filter that admits only authorized traffic, restricting malicious individuals from using the wireless network to gain unauthorized access to the CDE and compromise account information. |
| 1.3 | Prohibit direct public access between the Internet and any system component in the cardholder data environment. | Firewalls must be installed to manage and control all connections between public systems and internal systems, especially those that store, process or transmit cardholder data. This prevents the bypassing and compromise of system components and card data. |
| 1.3.1, 1.3.2 | Implement a DMZ to limit inbound traffic to only those system components that provide publicly accessible, authorized services, protocols, and ports. | Implementing a DMZ prevents malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner. |
| 1.3.3 | Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network. | Anti-spoofing measures filter out packets with forged source IP addresses before they enter the internal network and cause a compromise. |
| 1.3.4 | Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. | Evaluate all traffic outbound from the cardholder data environment to the Internet to ensure that it follows established, authorized rules and that only authorized communications are permitted. |
| 1.3.5 | Permit only established connections into the network. | Examine the firewall and router configurations to verify that the firewall permits only established connections into the internal network and blocks any inbound connection not associated with a previously established session. This stops malicious traffic from tricking the firewall into allowing the connection. |
| 1.4 | Install personal firewall software on all portable computing devices that connect to the Internet when outside the network and are also used to access the CDE. | Personal firewall software, or equivalent functionality, on every portable computing device protects the device from Internet-based attacks that could otherwise use it to reach the organization's systems and data once it is reconnected to the network. |
| 1.5 | Ensure that the security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. | Ensure that the security policies and operational procedures for managing firewalls are documented and in use, and that responsible personnel are aware of them. This helps manage and prevent unauthorized access to the network. |
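Requirements 1.1.6, 1.1.7, 1.2.1, 1.3 and 1.3.5 all come down to examining the rule set against documented justifications. The following is an added example, not code from the article or from the PCI Security Standards Council: a small Python rule-review helper that walks a constructed rule set and flags allow rules with no business justification, cleartext services with no documented security feature, rules not reviewed within six months, any-to-any rules, direct Internet-to-CDE access, and non-established inbound connections into the internal network. The rule fields, zone names, sample addresses and the list of insecure services are assumptions made for the example, not a real vendor format or the standard's own text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Cleartext services flagged when allowed without a documented security feature.
# Illustrative list for this example, not the standard's own wording.
INSECURE_SERVICES = {21: "FTP", 23: "Telnet", 80: "HTTP"}
REVIEW_INTERVAL = timedelta(days=182)  # "at least every six months" (1.1.7)
AUDIT_DATE = date(2021, 5, 28)         # constructed "today" for the demonstration


@dataclass
class Rule:
    """One firewall rule in a made-up, vendor-neutral shape (assumption)."""
    rule_id: str
    action: str                    # "allow" or "deny"
    src_zone: str                  # "internet", "dmz", "internal", "cde", "wireless"
    dst_zone: str
    src: str                       # CIDR, host address, or "any"
    dst: str
    dport: Optional[int]           # None = all ports
    justification: str = ""        # business rationale required by 1.1.6
    security_feature: str = ""     # e.g. "TLS enforced"; needed for an insecure service
    state: str = "any"             # "established" or "any" (1.3.5)
    last_reviewed: Optional[date] = None


def review_rules(rules: List[Rule], today: date) -> List[Tuple[str, str, str]]:
    """Return (rule_id, requirement, problem) for every allow rule that fails a check."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # a deny rule needs no business justification
        if not r.justification.strip():
            findings.append((r.rule_id, "1.1.6", "no documented business justification"))
        if r.dport in INSECURE_SERVICES and not r.security_feature:
            findings.append((r.rule_id, "1.1.6",
                             f"{INSECURE_SERVICES[r.dport]} allowed without a documented security feature"))
        if r.last_reviewed is None or today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append((r.rule_id, "1.1.7", "not reviewed within the last six months"))
        if r.src == "any" and r.dst == "any" and r.dport is None:
            findings.append((r.rule_id, "1.2.1", "permits all traffic from any source to any destination"))
        if r.src_zone == "internet" and r.dst_zone == "cde":
            findings.append((r.rule_id, "1.3", "direct public access to the cardholder data environment"))
        elif r.src_zone == "internet" and r.dst_zone == "internal" and r.state != "established":
            findings.append((r.rule_id, "1.3.5", "new inbound connections from the Internet into the internal network"))
    return findings


def sample_ruleset() -> List[Rule]:
    """Constructed rule set for the demonstration; addresses and ports are made up."""
    reviewed = date(2021, 3, 1)
    return [
        Rule("R1", "allow", "internet", "dmz", "any", "203.0.113.10", 443,
             justification="public checkout web front end", last_reviewed=reviewed),
        Rule("R2", "allow", "dmz", "cde", "203.0.113.10", "10.10.1.20", 5432,
             justification="web tier to payment database", last_reviewed=reviewed),
        Rule("R3", "allow", "internet", "internal", "any", "10.20.0.0/16", None,
             state="established", justification="return traffic for internal clients",
             last_reviewed=reviewed),
        Rule("R4", "allow", "internet", "internal", "any", "10.20.5.5", 23,
             justification="legacy switch management", last_reviewed=date(2020, 6, 1)),
        Rule("R5", "allow", "internet", "cde", "any", "any", None),
        Rule("R6", "deny", "any", "any", "any", "any", None),  # default deny
    ]


def sample_findings() -> List[Tuple[str, str, str]]:
    """Run the review over the constructed rule set as of AUDIT_DATE."""
    return review_rules(sample_ruleset(), AUDIT_DATE)


if __name__ == "__main__":
    for rule_id, req, problem in sample_findings():
        print(f"{rule_id}: PCI DSS {req}: {problem}")
```

R1 to R3 pass every check; R4 (cleartext Telnet, stale review, non-established inbound) and R5 (unjustified, unreviewed any-to-any rule straight into the CDE) produce the seven findings.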


Why does a small business need to have PCI Compliant Firewall?
Poor firewall implementation and maintenance is a common factor in cyber attacks and payment card data thefts at small businesses, often because IT and business management lack security understanding and suitable resources. A business's connectivity with the internet poses the greatest risk and must be safeguarded with a firewall. PCI DSS requires all internet connectivity to be protected with a firewall, which effectively creates a ‘buffer zone’ between the business's IT network and systems and untrusted external networks and systems. Other reasons why firewalls are essential for small businesses include:

Access Controls
A firewall operates at the network layer, filtering incoming requests based on the source IP address and the service being accessed, such as web, email, or custom ports. Installing a firewall therefore restricts unauthorized access to a great extent and prevents malicious individuals from entering the network and compromising data.

Cloud Security

Connectivity with third parties and cloud service providers can also be controlled through a firewall policy, to safeguard from supply chain threats and protect sensitive data from exposure.

Malware Protection
Firewalls do much more than filter network traffic by IP address. Next-generation firewalls provide security controls beyond the traditional IP address and port filtering, such as VPNs, web filtering, anti-malware screening of incoming traffic, and intrusion detection/prevention, which is itself another PCI DSS requirement.

Application and Database Protection
Some firewalls have web application screening capability and are known as Web Application Firewalls (WAF). A correctly configured WAF provides protection from application-layer threats such as SQL injection, where an attacker manipulates a web application to expose the back-end database. PCI DSS requirement 6.6 requires an automated technical solution that detects and prevents web-based attacks (e.g., a web application firewall) as one of two ways to address vulnerabilities in public-facing web applications.

Monitoring and Responding to Malicious Activity
Firewalls monitor and report suspicious activity. With the support of a 'Security Information and Event Management' (SIEM) tool, the business can detect and quickly respond to cyber-attacks, which is covered by PCI DSS requirement 10.

Conclusion
Smaller businesses are considered easy prey by hackers, because such firms tend not to have sufficiently robust IT security controls in place. Small businesses that process payment cards are specifically targeted by cybercriminals, who can quickly turn stolen credit card data into cash via the dark web. Installing and maintaining a firewall is a fundamental IT security pillar that should never be neglected or underestimated, along with configuring IT systems securely, implementing access control, deploying anti-virus, and keeping all software up to date. PCI DSS provides a highly descriptive set of industry good-practice IT controls which, if adhered to completely on a continual 24/7/365 basis, is sufficient to protect your business from payment card compromises by cybercriminals.

Author Bio
Narendra Sahoo
(PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

Thursday 6 May 2021

Cybersecurity Is Not A One-Stop-Shop

Boris Johnson announced the Government’s roadmap to lift Coronavirus restrictions for both businesses and the general public earlier in February, and since then, this has provided a glimmer of hope for many across the country. However, since the start of the pandemic, the way business is conducted has changed permanently, with many workforces wanting to continue to work remotely as lockdowns and restrictions ease over time. So, as companies relax and rules are eased, life is expected to return to a form of ‘new normal.’ But, the issues around cybersecurity are here to stay, and the gas pedal must not be eased – especially with the increased risks associated with continued remote working.

If anything, security should be more reinforced now than ever before to ensure all aspects of a business are secure. But this isn’t the case. Steve Law, CTO, Giacom and Kelvin Murray, Threat Researcher, Webroot, detail the importance of embedding a trilogy security approach into organisations, and this is where a strong CSP/MSP relationship can be invaluable.

The Risk Grows
Despite lockdown restrictions easing, cybersecurity risks remain and are likely to grow as COVID-19 changes the working landscape. As indoor spaces begin to open in the next few months, employees will want to venture out to new spaces to work, such as coffee shops and internet cafes – but working on open networks and personal devices creates unlocked gateways for cyberattacks to take place. Since this hybrid and remote way of working looks like it’s here to stay, businesses must ensure they have the right infrastructure in place to combat any cyber threats.

For instance, research by the National Cyber Security Centre shows that there has been a rise in COVID-19 related cyber attacks over the past year, with more than one in four UK hacks being related to the pandemic. This trend is not likely to ease up any time soon either. And, going forward, hackers could take advantage of excited travellers waiting to book their next holiday once the travel ban is lifted, deploying fake travel websites, for example.

Aside from the bad actors in this wider scenario, part of the problem here is that many IT teams are not making use of a holistic and layered approach to security and data recovery; which can lead to damaging consequences as data is stolen from organisations. Such issues continue to resonate strongly across businesses of all sizes, who will, therefore, turn to their MSPs for a solution.

The Importance of a Layered Approach
Cybersecurity is not a one-stop-shop. A full trilogy of solutions is required to ensure maximum effect. This includes a layered combination of DNS networking, secure endpoint connections, and an educated and empowered human workforce.

The need for DNS security cannot be ignored, especially with the rise of remote workforces, in order to monitor and manage internet access policies, as well as reduce malware. DNS is frequently targeted by bad actors, and so DNS-layer protection is now increasingly regarded as an essential security control – providing an added layer of protection between a user and the internet by blocking malicious websites and filtering out unwanted material.

Similarly, endpoint protection solutions prevent file-based malware, detect and block malicious internal and external activity, and respond to security alerts in real-time. Webroot® Business Endpoint Protection, for example, harnesses the power of cloud computing and real-time machine learning to monitor and adapt individual endpoint defences to the unique threats that users face.

However, these innovative tools and solutions cannot be implemented without educating users and embedding a cyber security-aware culture throughout the workforce. Humans are often the weakest link in cybersecurity, with 90% of data breaches occurring due to human error. So, by offering the right training and resources, businesses can help their employees increase their cyber resilience and position themselves strongly on the front line of defence. This combination is crucial to ensure the right digital solutions are in place – as well as increasing workforces’ understanding of the critical role they play in keeping the organisation safe. In turn, these security needs provide various monetisation opportunities for the channel as more businesses require the right blend of technology and education to enable employees to be secure.

The Channel’s Role
Businesses, particularly SMBs, will look to MSPs to protect their businesses and help them achieve cyber resilience. This creates a unique and valuable opportunity for MSPs to guide customers through their cybersecurity journeys, providing them with the right tools and data protection solutions to get the most out of their employees’ home working environments in the most secure ways. Just as importantly, MSPs need to take responsibility for educating their own teams and clients. This includes delivering additional training modules around online safety through ongoing security awareness training, as well as endpoint protection and anything else that is required to enhance cyber resilience.

Moreover, cyber resilience solutions and packages can be custom-built and personalised to fit the needs of the customer, including endpoint protection, ongoing end-user training, threat intelligence, and backup and recovery. With the right tools in place to grow and automate various services – complemented by technical, organisational and personal support – channel partners will then have the keys to success to develop new revenue streams too.

Conclusion
Hackers are more innovative than ever before, and in order to combat increasing threats, businesses need to stay one step ahead. Companies must continue to account for the new realities of remote work and distracted workforces, and they must reinforce to employees that cyber resilience isn’t just the job of IT teams – it’s a responsibility that everyone shares. By taking a multi-layered approach to cybersecurity, businesses can develop a holistic view of their defence strategy, accounting for the multitude of vectors by which modern malware and threats are delivered. Within this evolving cybersecurity landscape, it's essential for SMBs to find an MSP partner that offers a varied portfolio of security offerings and training, as well as the knowledge and support, to keep their business data, workforces and network secure.

Wednesday 5 May 2021

The Role of Translation in Cyber Security and Data Privacy


Article by Shiela Pulido

Due to our dependence on the internet for digital transformation, most people are exposed to the risks of cyberattacks. It is an even greater concern this year because of the trend towards remote working and international business expansion. According to IBM, the cost of cyber hacks in 2020 was about $3.86 million. Thus, it is important to understand the priority role that cybersecurity and data privacy play in organizations, especially in a multilingual setting.

But, what is the relationship of languages in data privacy, and how can a reliable translation help prevent cyber-attacks?

The Connection of Translation Company to Data Privacy
A lot of people will ask about the clear connection between translations and cybersecurity. In data privacy, conveying important information through effective communications is important. However, with language barriers and complicated jargon in the IT industry, only IT professionals can understand their messages. It is also especially difficult for multilingual people who only know basic translations of the contents.

Oftentimes, a cyber attack or cyber hack happens when people don’t know what’s happening on their devices. Malware developers have different ways of attacking their victims, and they make their attempts as difficult to identify as they can. Some of them use spam, in the form of unsolicited and inappropriate messages. According to the Message Anti-Abuse Working Group, about 88–92% of all email messages in 2010 were spam.

Aside from that, phishing is also a known way of attempting to get sensitive information from users through a webpage that looks the same as a trustworthy entity. Due to the uncanny similarity of the sites, the unsuspecting visitors tend to put their bank, credit card, and identity details willingly.

For clarity and convenience, it is essential to have accurate translations for guidelines, procedures, and warnings to bridge communication gaps in cybersecurity. However, you must find an experienced translation company with specialists in diverse technologies and masters the terminologies in the IT industry. It is best to avoid free translation software that is more prone to data piracy and cyberattacks.

Cyberattack Cases Worldwide
To understand the severity of cyber hacking, here are some of the widely known cyberattacks in different parts of the world:

Japan
Even with its reputation as one of the leading high-technology countries, Japan has not escaped cybercrime. In 2016, Japan experienced a series of cyberattacks on different companies that led to the leaking of over 12.6 million items of confidential corporate information. The WannaCry ransomware also attacked over 500 companies at that time, causing great damage to large brands like Honda Motors, which had to shut down operations for some time.

Denmark
In 2015, there were cyberattacks on staff members of the Danish defence and foreign minister. These were followed by the ransomware that paralyzed the operations of Maersk, Denmark’s transport and logistics giant. The multiple cyber attack threats in the country have also affected its hospitals and energy infrastructure. As a result, demand for cybersecurity translation into their language has continued to increase up to this year.

Russia
Some people think of Russia as one of the major perpetrators of cyber-attacks around the world. However, Russia is itself vulnerable to cybercrime and has already suffered attacks. Targeted organizations have included Rosneft, its largest oil producer, as well as airports and banks. WannaCry was also able to infiltrate Russia’s Interior Ministry, a great threat to its government.

How Translators Help Prevent Cyber Attacks
As mentioned, translators are of great help in preventing cyber attacks. But, how is it possible? Here are some of the best ways to avoid data privacy invasion and malware installations through accurate translations:

Translating User Interface
The user interface is the screen that lets users and computers interact with each other. If the users cannot understand what they’re seeing, it will be difficult for them to identify suspicious ads and pop-ups. Thus, it is ideal to translate the user interface to different languages to cater to the needs of their multilingual users.

For example, if the users entered a website trying to install malicious software to a computer, they should be able to identify what they can click and not. However, most websites and user interfaces (UI) are in English, and not everyone around the world speaks this language. This is why most people tend to click the wrong buttons and accidentally permit the installation of virus-infected files.

The same applies to mobile applications. Most cyber hackers use ads and pop-ups to attack users. To confuse people, malware developers don’t rely on standard controls such as an “x” close button; they make the exit hard to find so that users are forced into a mistake.

In these cases, translating the UI of the website, software, and application to other languages is the ideal solution.

Bridging Communication Gaps between Cybersecurity Experts
Cybersecurity staff may understand the jargon in the IT industry, but it is a different case when they speak different languages. There are numerous cybersecurity centres all around the world and they don’t always understand English. The language barrier interferes with their ability to convey important information about cybersecurity. Due to this, most companies are hiring reliable translators to let the professionals speak confidently about important matters.

Securing Accurate Translations of Important Texts
Most websites post warnings and precautions to help their users avoid malware attacks. However, if they are in a different language, most people will just ignore these warnings. Even if they try to translate the texts through free automated translations, the result could be inaccurate and may cause misunderstandings to users.

A professional translation of these warnings, labels, and precautions can ensure that the website’s messages are properly conveyed to the users. It is especially useful for large entities, organizations, and government institutions.

Protecting Critical Information
Most small to medium enterprises choose translation software because it is cheaper than hiring professional translators. The sad truth is that this puts their companies at risk of cyber attacks. Such software uses artificial intelligence and machine learning, and it stores your information as you translate documents. The providers are free to use the acquired details however they want, and you can’t do anything about it.

Thus, for critical documents, emails, and company and health information, it is ideal to hire a trusted translation company to secure your details. They also use technology with tight security and privacy for the translated contents.