Quality Management Articles - Quality Matters Blog
Quality Matters is an independent Management Consultancy based in Maldon, Essex. Here we discuss the latest in Quality and Information Security News.
April Fool's Joke?
There has been a certain amount of publicity recently about the CONFICKER super worm, which has infected hospitals, Royal Navy warships and industry, and the latest news from a leaked memo says that our Parliament has also been infected.
The Conficker worm spreads through several propagation mechanisms, a well-known Windows vulnerability and tainted USB drives being just two. Once it secures a foothold on an infected network, the worm can spread widely across network shares by exploiting weak password security, a major factor in its high prevalence within corporate systems.
Researchers have reverse engineered the worm and it is apparent that an event is scheduled for April 1st (April Fools' Day), and while most April Fools' jokes are harmless, this one may not be.
Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing. What effect that will have is at present unknown.
How can you protect your systems from the Conficker worm? This can be achieved through good security practices, including those defined in ISO27001:2005, the Information Security Standard.
If you are worried about your systems and suspect that yours are infected, there are a number of good detection tools available.
One indication that you may be infected is an inability to connect to various security web-sites; Conficker prevents your system from gaining access to them.
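The daily polling of hundreds of domain names described above leaves a trace that a network defender can look for in resolver logs: one client asking for an unusually large number of distinct names that do not exist. The script below is an added example, not code from the Quality Matters post or from any detection tool it mentions; the log format, client addresses, domain names, date and the threshold of 20 names per day are all constructed for the illustration, and a real deployment would tune the threshold against its own baseline.

```python
"""Added example, not from the Quality Matters post: a defender-side heuristic
for the domain-polling behaviour described above. The resolver log format,
the client addresses, the domain names and the threshold are all constructed
for this illustration."""
import re
from collections import defaultdict

# Constructed resolver log lines: "<timestamp> <client-ip> <queried-name> <rcode>"
BENIGN_LINES = [
    "2009-03-31T08:00:01 10.0.0.12 update.example-vendor.com NOERROR",
    "2009-03-31T08:00:05 10.0.0.12 intranet.example.local NOERROR",
    "2009-03-31T08:00:09 10.0.0.12 wwww.example.co.uk NXDOMAIN",  # a typo, not suspicious
    "2009-03-31T08:00:14 10.0.0.12 intranet.example.local NOERROR",
    "2009-03-31T08:00:20 10.0.0.12 mail.example.local NOERROR",
]
# A host working through a list of generated names, almost none of which are
# registered, produces a long run of NXDOMAIN answers within a single day.
SUSPECT_LINES = [
    f"2009-03-31T09:{i:02d}:00 10.0.0.40 gen{i:03d}.example.net NXDOMAIN"
    for i in range(30)
] + ["2009-03-31T09:30:00 10.0.0.40 gen000.example.net NXDOMAIN"]  # repeat: counted once
SAMPLE_LOG = "\n".join(BENIGN_LINES + SUSPECT_LINES)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>NOERROR|NXDOMAIN|SERVFAIL)$"
)


def parse_line(line):
    """Return (day, client, qname, rcode), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"][:10], m["client"], m["qname"].lower(), m["rcode"]


def distinct_failed_lookups(log_lines):
    """Map (day, client) -> set of distinct names that were answered NXDOMAIN."""
    failed = defaultdict(set)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line: skip rather than abort
        day, client, qname, rcode = parsed
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(qname)
    return failed


def suspicious_clients(log_lines, threshold=20):
    """Clients whose count of distinct unresolvable names in one day reaches the
    threshold. The default threshold is an assumed tuning value, not a published one."""
    failed = distinct_failed_lookups(log_lines)
    return sorted(
        (day, client, len(names))
        for (day, client), names in failed.items()
        if len(names) >= threshold
    )


if __name__ == "__main__":
    for day, client, count in suspicious_clients(SAMPLE_LOG.splitlines()):
        print(f"{day} {client}: {count} distinct unresolvable names")
```

Counting distinct names rather than raw queries matters: a machine that retries one mistyped address a hundred times is noisy but harmless, whereas a machine that asks for thirty different non-existent names in an hour is behaving like the worm described above and is worth a scan with one of the detection tools the post refers to.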
We employ several layers of protection, including McAfee anti-virus, anti-spam/malware and email filtering, so I was not unduly worried, but we did run a scan of all our systems just to be on the safe side.
Encryption is a method of scrambling a message or other data so that it cannot be read by an unauthorised person. Sadly it has become too easy to intercept messages and use them for illegal purposes. Encryption protects that data.
A simple encryption might be to use the alphabet in reverse, replacing each letter with the one in the same position counted from the other end:

Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: Z Y X W V U T S R Q P O N M L K J I H G F E D C B A
'Please reply to this message' becomes KOVZHV IVKOB GL NVHHZV. Unfortunately this code would be broken very easily. A more secure system would use the shift method, where the same table is used but each letter is shifted to the right by 3 boxes.
'Please reply to this message' now becomes SOSWVS FSHLE DI DPOE KSEEWQS. This is better but relies on the person receiving the message knowing the key (what method was used). This type of encryption would be broken in seconds by an experienced cracker.
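To make the two paper ciphers above concrete, here is an added example, not code from the Quality Matters post, that implements the reversed-alphabet substitution and the shift-by-three cipher and then shows why the shift method is "broken in seconds": there are only 25 possible keys, so a program simply tries them all and picks the candidate that contains ordinary English words. The word list and the sample message are constructed; running the functions gives the reference output against which the hand-worked ciphertexts above can be checked.

```python
"""Added example, not from the Quality Matters post: the two paper ciphers
described above (reversed alphabet, and a shift of three) in code, together
with a demonstration of why the shift cipher is broken in seconds."""
import string

ALPHABET = string.ascii_uppercase


def substitute(text, mapper):
    """Apply `mapper` to each letter (after upper-casing); leave other characters alone."""
    return "".join(mapper(ch) if ch in ALPHABET else ch for ch in text.upper())


def atbash(text):
    """Reversed-alphabet cipher: A<->Z, B<->Y, ... Applying it twice restores the text."""
    return substitute(text, lambda ch: ALPHABET[25 - ALPHABET.index(ch)])


def shift(text, key):
    """Shift each letter `key` places to the right (the shift method); a negative
    key shifts left, so shift(c, -k) decrypts what shift(p, k) produced."""
    return substitute(text, lambda ch: ALPHABET[(ALPHABET.index(ch) + key) % 26])


# A handful of common English words is enough to single out the right key.
# This list is a constructed illustration, not a standard dictionary.
COMMON_WORDS = {"THE", "TO", "OF", "AND", "IN", "IS", "IT", "THIS", "THAT"}


def crack_shift(ciphertext):
    """Try every one of the 25 possible keys, score each candidate plaintext by
    how many common words it contains, and return (key, plaintext) for the best."""
    best = None
    for key in range(1, 26):
        candidate = shift(ciphertext, -key)
        score = sum(word in COMMON_WORDS for word in candidate.split())
        if best is None or score > best[0]:
            best = (score, key, candidate)
    _, key, plaintext = best
    return key, plaintext


if __name__ == "__main__":
    msg = "Please reply to this message"
    print("reversed alphabet:", atbash(msg))
    print("shift by 3:       ", shift(msg, 3))
    print("recovered:        ", crack_shift(shift(msg, 3)))
```

The point of `crack_shift` is the one the post makes: a cipher whose entire secret is a single number between 1 and 25 has no real key at all, because an attacker does not need to know it, only to try each value and look for readable text.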
Modern computers rely on even more secure methods:
The first of these is the SYMMETRIC KEY, where the sender and the receiver both know the key and use it to decrypt the message. Anyone else will see a jumble of letters. The second method is known as PUBLIC KEY; a typical system uses PGP (Pretty Good Privacy) and relies on a public key which is available in the message and a private key which is known only to the sender and the receiver. Again anyone else will see gibberish.
The third method is known as DIGITAL CERTIFICATE where the certificate acts as a middleman, checking the identity of both the sender and the receiver; if both are genuine the certificate allows the message to be decrypted.
Additionally, financial transactions use a secure system known as SSL (Secure Sockets Layer); the user will notice that the usual http:// is replaced by https:// and a small padlock is normally present on the web-site to show that SSL is in use. Credit card transactions use this very secure method of encryption.
The Information Security Standard ISO27001 recommends the use of encryption to protect data.
The latest security lapse, where HMRC (Her Majesty's Revenue and Customs Service) has 'lost' a CD containing names, addresses, NI numbers, dates of birth etc. of up to 15,000 Standard Life customers, has provided a new round of concerns about the security of data. Apparently the disk, containing information very useful to identity thieves, went missing while being transported from HMRC to Standard Life's offices in Newcastle. Standard Life customers have been warned to look out for any unusual activity in their financial accounts.
As we approach the season of goodwill it makes even more sense to guard against identity fraud and unauthorised transactions on credit cards and in other banking areas. Copied or cloned credit cards, people watching as you enter PIN numbers at 'hole in the wall' cash machines, or just simple pickpockets taking a wallet or purse are just some of the ways that we can be relieved of our hard-earned cash.
Don't discard paper that has any personal or company details in the rubbish - shred all identifiable paper.
Destroy all expired or replaced credit and debit cards: cut them into many pieces or put them through a shredder (if it has the ability to shred credit cards).
Don't respond to emails asking for user names and passwords - Banks never ask for this type of information in email.
Make the run up to the festive season a poor one for thieves.
There are loads of myths concerning ISO9001, most of them perpetuated by those who are ignorant of the true facts; nevertheless I hear these repeated as though they were absolute gospel.
Here are just some of these:
ISO9001 is a bureaucratic system which requires a piece of paper for everything.
False. The system should work for the organisation and not the other way round. If set up correctly ISO9001 will prove highly beneficial. Paper heavy systems are really out of date.
Dictates how any business must be run.
False. The standard states that all businesses are different and that the standard should be adapted to fit the business and not be prescriptive so that the business has to fit the standard. However the main elements are parts of any good practice system and there is no 'Rocket Science' involved.
Inflexible system.
False. If correctly set up the system will allow for unexpected events and can be as flexible as you need it to be.
Directors only must sign off all released work.
False. It is usual for identified job functions to release work but these do not have to be Directors. Most good systems will allow deputies to release work if the primary release person is unavailable.
Costs a fortune to set up and run.
False. The actual assessment and certification fees vary between certification bodies and of course the size of your company but these can be very reasonable.
As far as setting up your system, you could do it yourself. It could be more effective in the longer term to employ the services of a qualified consultant who will utilise best practice.
Requires huge quality manuals.
False. The days when manuals filled a bookcase and were almost too heavy to lift are long gone.
Requires procedures for everything.
False. The standard specifies only six mandatory procedures: document control, control of records, internal audit, control of non-conforming product/service, corrective action and preventive action. Most businesses will have other process-orientated elements documented, but these are decided by the management of the business.
You can produce faulty products and still meet ISO9001 provided you do it all the time.
False. Customer satisfaction is a primary measure. Poor quality products would mean dissatisfied customers and would not meet ISO9001.
Does not allow for quick turnaround of urgent work.
False. ISO9001 does not hinder fast turnaround of orders; in fact it ensures that records are kept to show what has been done and when.
Must answer a phone by the third ring.
False. There is no mention of this in ISO9001. Some call centres have this as a requirement but it is certainly not specified in the standard.
The standard says "Say what you do - do what you say and prove it".
True. The standard uses the PDCA model - Plan, Do, Check, Act.
Most good businesses are already doing most of the requirements of ISO9001.
Social engineering is the term used for obtaining information from people without them realising what is going on.
A recent exercise carried out by one of our clients was to invite, by email, specially selected employees (although all employees received the invitation) to take part in an exciting new venture. All they had to do was to go to a secure web-site and enter their company log-on and password to verify their interest. The recipients were warned not to talk about this venture to any of their colleagues as the matter was highly secret.
This company (that I will not identify) is accredited to ISO27001 and takes security very seriously but many of the employees did enter this confidential information into the web-site believing that it was quite innocent.
On a completely different angle, with Valentine's Day approaching, the chances of unauthorised entry to your organisation increase.
A delivery of flowers or chocolates is made, usually by a pretty girl, and the idea is to surprise the recipient, so the usual security at reception is waived.