If you thought the WannaCry ransomware worm, which brought a vast number of computer systems to their knees, was a major disaster, then watch out for the next one. EternalRocks uses seven leaked NSA hacking tools. These were developed by the US National Security Agency to break into adversaries' systems; since the leak they have been turned against ordinary organisations worldwide, in WannaCry's case to extort money.

This new worm gives the user no sign that the system is infected: it lies dormant for 24 hours after infecting a host before downloading its second stage. In that window a routine backup of the infected system may already have been taken, which makes a clean restore more difficult.
Unlike WannaCry it has no 'kill switch' domain that would halt its spread. As analysed it carried no ransom payload of its own: it scans for further systems to infect and leaves a backdoor through which a later payload, ransomware included, could be delivered. It spreads through the SMBv1 flaws fixed by Microsoft's MS17-010 update, exploiting unpatched Windows systems reachable on TCP port 445.

Systems running a supported operating system with MS17-010 applied, and with SMBv1 disabled or port 445 blocked at the perimeter, should be safe from it. Organisations certified to ISO 27001 will recognise this as the technical vulnerability management requirement (control 12.6) in action.

It is vital that organisations have good backups of data and that these backups are fully verified, so that they can be restored if there is a problem. It is too late to discover that a restore fails because the backup was never verified or has been corrupted.
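As an added illustration (this is not code from the original post), a backup is only verified if you can prove that what comes back is what went in. The Python script below records a SHA-256 for every file when the backup is taken and checks a restored tree against that manifest, reporting anything missing, corrupted or unexpected. The directory names and file contents are constructed for the demonstration.

```python
"""Added example, not code from the original post: a SHA-256 manifest taken
at backup time and checked again after a restore. Directory names and file
contents are constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large backup members need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest recorded when the backup was taken.

    'missing' files were backed up but did not come back; 'corrupted' came back
    with different contents; 'unexpected' were never in the backup at all.
    """
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupted": sorted(n for n in manifest.keys() & actual.keys()
                            if manifest[n] != actual[n]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def report_is_clean(report: Dict[str, List[str]]) -> bool:
    """True only when the restore matches the backup byte for byte."""
    return not any(report.values())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: of three files backed up, one restores intact, one
    comes back silently corrupted and one does not come back at all."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        for d in (live, restored):
            (d / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (live / "finance" / "payroll.csv").write_bytes(b"id,salary\n1,50000\n")
        (live / "notes.txt").write_bytes(b"call the auditors\n")

        manifest = build_manifest(live)  # recorded when the backup is taken

        # The "restore": ledger intact, payroll corrupted, notes.txt lost.
        (restored / "finance" / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (restored / "finance" / "payroll.csv").write_bytes(b"id,salary\n1,5000\n")

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the backup job cannot overwrite it (a separate system, or signed): if ransomware that encrypts the backup can also rewrite the manifest to match, the check proves nothing.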

Cyber Crime is fast becoming the number one risk.

The official blog for independent Management Training
Consultancy, Quality Matters Limited.

Section 10: Cryptography

A cryptography policy must be developed and implemented. It must cover:

  • The required level of protection;
  • The type, strength and quality of the encryption algorithms to be used;
  • Key management (generation, distribution, storage, rotation and destruction);
  • Integrity and authenticity, using digital signatures or message authentication codes (MACs).
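To show what the last two bullets look like in practice, here is an added Python example (not from the original page or from the standard): each message carries the identifier of the key that protected it and an HMAC-SHA-256 tag; the verifier looks the key up by id and compares tags in constant time; and retiring a key makes everything protected under it fail verification. The key store, key ids and the payment instruction are constructed for illustration.

```python
"""Added example, not from the original page: message integrity and
authenticity with an HMAC, tied to an identified key so that keys can be
rotated and retired. Key store, key ids and sample messages are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed key store (key id -> 256-bit key). In production the keys would
# live in an HSM or a secrets manager; the point shown here is that every key
# is identified, so it can be rotated without breaking verification of
# messages protected under an older key that is still valid.
KEYS: Dict[str, bytes] = {
    "k2024-01": bytes.fromhex("0b" * 32),
    "k2024-07": bytes.fromhex("a7" * 32),
}
CURRENT_KEY_ID = "k2024-07"  # the key new messages are protected with


def add_key(key_id: str) -> bytes:
    """Rotation, step 1: generate a fresh 256-bit key under a new id."""
    KEYS[key_id] = secrets.token_bytes(32)
    return KEYS[key_id]


def retire_key(key_id: str) -> None:
    """Rotation, last step: drop a key; anything still under it now fails."""
    KEYS.pop(key_id, None)


def protect(message: bytes, key_id: str = CURRENT_KEY_ID) -> bytes:
    """Return key_id|hex(tag)|message.

    The tag covers the key id as well as the message, so a tag cannot be
    re-used under a different key id.
    """
    header = key_id.encode("ascii") + b"|"
    tag = hmac.new(KEYS[key_id], header + message, hashlib.sha256).hexdigest()
    return header + tag.encode("ascii") + b"|" + message


def verify(envelope: bytes) -> Optional[bytes]:
    """Return the message if its tag is valid under a known key, else None."""
    parts = envelope.split(b"|", 2)
    if len(parts) != 3:
        return None
    key_id_raw, tag, message = parts
    key = KEYS.get(key_id_raw.decode("ascii", errors="replace"))
    if key is None:
        return None  # unknown or retired key: reject, never fall back
    expected = hmac.new(key, key_id_raw + b"|" + message,
                        hashlib.sha256).hexdigest().encode("ascii")
    # compare_digest runs in constant time; a plain == would leak how many
    # leading bytes of a forged tag were correct.
    if not hmac.compare_digest(expected, tag):
        return None
    return message


def demo() -> Dict[str, bool]:
    """Constructed scenario: a payment instruction protected under an older
    key is verified, tampered with, moved to another key id, then its key
    is retired."""
    add_key("k2023-12")
    order = b"pay 100.00 GBP to account 12345678"
    env = protect(order, "k2023-12")
    results = {"valid": verify(env) == order}
    results["tampered_rejected"] = verify(env.replace(b"100.00", b"900.00")) is None
    moved = env.replace(b"k2023-12|", CURRENT_KEY_ID.encode("ascii") + b"|", 1)
    results["key_swap_rejected"] = verify(moved) is None
    retire_key("k2023-12")
    results["retired_key_rejected"] = verify(env) is None
    results["current_key_still_valid"] = verify(protect(order)) == order
    return results


if __name__ == "__main__":
    print(demo())
```

A MAC gives integrity and authenticity between parties who share the key; where the policy requires non-repudiation (the sender alone could have produced the tag) a digital signature with a private key is needed instead, and the same key-identification discipline applies to the signing keys.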

 

Section 11: Physical and Environmental Security

Critical or sensitive information processing facilities must be physically protected against malicious or accidental damage or loss, overheating, loss of mains power and similar hazards. They must also be sited to prevent unauthorised viewing of confidential material.

Concentric layers of physical controls, rather like the layers of an onion, are needed to protect sensitive IT facilities from unauthorised access: barriers, walls, card-controlled entry gates or manned reception desks.

A secure area may be a lockable office, a computer room or several rooms surrounded by a continuous internal physical security barrier.

Critical IT equipment, cabling and other assets must be protected against physical damage, fire, flood, theft, and interception etc., both on and off-site.

Power supplies and cabling must be secured. IT equipment must be maintained properly and disposed of securely.

Access to and within application systems must be controlled in accordance with a defined access control policy. Particularly sensitive applications may require dedicated (isolated) platforms, and/or additional controls if run on shared platforms.

The application of physical controls must be adapted to the technical and economic circumstances of the organisation.

11.2 Equipment

To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

This includes the siting of equipment to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.

Supporting utilities must be inspected regularly to detect damage and malfunction.
Cabling must be protected and checked for unauthorised interception.

Clear desk and clear screen policies must be in use.

Section 12: Operations Security

This is a big clause and it covers all aspects of operations security.

To ensure correct and secure operations of information processing facilities.

Documented operating procedures must be available to all users who need them.

Change control procedures must be used to record and authorise changes to the organisation, business processes, information processing facilities and systems that can affect information security.

Capacity must be monitored and tuned, and projections made of future capacity requirements, to ensure the required system performance.

12.2 Protection from malware

To ensure that information and information processing facilities are protected from Viruses and other malware.

12.3 Backup

Systems  must be backed up to protect against data loss.

12.4 Logging and monitoring

To record events and generate evidence.

12.5 Control of operational software

To ensure the integrity of operational systems.

12.6 Technical vulnerability management

To prevent exploitation of technical vulnerabilities.

12.7 Information systems audit considerations

To minimise the impact of audit activities on operational systems.

Section 13: Communications security

This is a big clause and covers all aspects of communications security.

To ensure the protection of information in networks and its supporting information processing facilities.

Section 14: Information systems acquisition, development and maintenance

Information security must be taken into account throughout the systems development lifecycle (SDLC): the processes for specifying, building or acquiring, testing, implementing and maintaining IT systems.

14.1 Information security requirements analysis and specification

Automated and manual security control requirements must be analysed and fully identified during the requirements stage of the systems development or acquisition process, and incorporated into business cases. Purchased software must be formally tested for security, and any issues risk-assessed.

14.2 Security in development and support processes

To ensure that information security is designed within the development lifecycle of information systems.

14.3 Test data

To ensure the protection of data used for testing.

Section 15: Supplier relationships

This new section deals with the protection provided in supplier agreements.

Section 16: Information Security Incident Management

Information security events, incidents and weaknesses (including near-misses) must be promptly reported and properly managed.

16.1 Reporting information security events and weaknesses

A formal incident/weakness reporting procedure is required, plus the associated response and escalation procedures. There must be a central point of contact, and all employees, contractors etc. must be informed of their incident reporting responsibilities.  Feedback to the person reporting an incident must take place.

16.2 Management of information security incidents and improvements

Responsibilities and procedures are required to manage incidents and weaknesses effectively, to implement continuous improvement (learning the lessons), and to collect evidence in accordance with legal requirements.

Section 17: Information Security Aspects of Business Continuity Management

This section describes the objective to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process must be implemented to minimise the impact on the organisation and recover from the loss of information assets.

It covers the relationship between IT disaster recovery planning, business continuity management and contingency planning, from analysis and documentation through to regular exercising and testing of the plans. These controls are designed to minimise the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 18: Compliance

18.1 Compliance with Legal and Contractual Requirements

The organisation must comply with applicable legislation such as copyright, data protection, protection of financial data and other vital records, cryptography restrictions, rules of evidence etc.

18.2 Information Systems Reviews

System audits must be carefully planned to minimise disruption to operational systems. Powerful audit tools/facilities must also be protected against unauthorised use.

It is generally accepted that information is the greatest asset any organisation has under its control. Managing directors are aware that the supply of complete and accurate information is vital to the survival of their organisations.

Today more and more organisations are realising that information security is a critical business function.  It is not just an IT function but covers:

  1. Governance;
  2. Risk Management;
  3. Physical Security;
  4. Business Continuity;
  5. Regulatory and Legislative Compliance.

With increasing reliance on data, it is clear that only organisations able to control and protect this data are going to meet the challenges of the 21st century.

ISO 27001:2005, formerly BS 7799, is the International Standard for Information Security Management Systems (ISMS) and provides a definitive reference for developing an information security strategy. Moreover, successful certification to this standard confirms that the system employed by the organisation meets an internationally recognised standard.

Information Security

Business has been transformed by the use of IT systems; indeed IT has become central to delivering business efficiently. The use of bespoke packages, databases and email has allowed businesses to grow while encouraging remote communication and innovation.

Most businesses rely heavily on IT, but critical information extends well beyond computer systems. It encompasses knowledge retained by people and paper documents, as well as traditional records held in a variety of media. A common mistake when implementing an information security management system is to ignore these elements and concentrate only on the IT issues.

Information security is a whole organisation matter and crosses departmental boundaries.  It is more than just keeping a small amount of information secret; your very success is becoming more dependent upon the availability and integrity of critical information to ensure smooth operation and improved competitiveness.

CIA
1. Confidentiality
2. Integrity
3. Availability

These are the three requirements for any ISMS.

Managing Directors’ Perspective

Your vision is central to organisational development; driving improvements in all areas of the business to create value. With information technology being key to so many change programmes, effective information security management systems are a prerequisite to ensuring that systems deliver on their business objectives.  Your leadership can help create the appropriate security culture to protect your business.

Organisations are increasingly being asked questions about ISO 27001, particularly by national and local government, professional bodies and the financial sector. This is driven by the adoption of the standard as part of their legal and regulatory obligations. In some areas it is becoming a tender requirement.

Others are seeing a competitive advantage in leading their sector and using certification in information security management to develop customer/ client confidence and win new business.  With public concern over security issues at an all time high, there is a real need to build effective marketing mechanisms to show how your business can be trusted.

You will certainly be aware of your responsibilities for effective governance, and be answerable for damaging incidents that can affect organisational value. The risk assessment, which is the foundation of the standard, is designed to give you a clear picture of where your risks are and to support effective decision making. This translates into risk management, not simply risk reduction, and replaces the feeling of risk ignorance that many directors have in this area. It will help you understand the potential risks of deploying the latest information technologies and enable you to balance the potential downside against the more obvious benefits.

CFO Scrutiny

Whether as part of compliance, such as that required by professional bodies, Sarbanes-Oxley or the Data Protection Act, or as part of effective governance, information security is a key component of operational risk management. It enables the formulation of effective risk analysis and measurement, combined with transparent reporting of ongoing security incidents, to refine risk decisions.

Giving values to the impact security incidents can have on your business is vital.  Analysis of where you are vulnerable allows you to measure the probability that you will be hit by security incidents with direct financial consequences.

An added benefit of the risk assessment process is that it gives you a thorough analysis of your information assets, how they can be impacted by attacks on their confidentiality, integrity and availability, and a measure of their real value to your business.

Although the detail within the risk assessment process can be complex, it is also possible to translate this into clear priorities and risk profiles that the Board can make sense of, leading to more effective financial decision making.

Business Continuity

How well would you cope if a disaster affected your business? 

This could be from some natural cause such as flood, storm or worse from fire, terrorism or other civil unrest.  The areas not often considered are sickness, failure of utilities or technology breakdown.

Business continuity planning in advance of a disaster can mean the difference between survival or extinction of the business. 

Many of the businesses affected by the Buncefield fuel depot disaster never recovered. Those with an effective business continuity plan have emerged like the phoenix from the ashes.

Many businesses claim to have a plan but if the plan is untested or ill prepared then it is bound to fail.
ISO27001 states that a fully planned and tested BCP should be in place to prepare for and be able to deal with, such an emergency.

ISO 27001 Elements

  • Risk assessment and treatment – Assessing the risks to the company’s assets, devising a risk treatment plan and finally accepting those risks that cannot be mitigated.
  • Security policy – This provides management direction and support for information security.
  • Organisation of information security – To help manage information security within the organisation.
  • Asset management – To help identify assets and protect them appropriately.
  • Human resources security – To reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security – To prevent unauthorised access, damage and interference to business premises and information.
  • Communications and operations management – To ensure the correct and secure operation of information processing facilities.
  • Access control – To control access to information.
  • Information systems acquisition, development and maintenance – To ensure that security is built into information systems.
  • Information security incident management –  To deal effectively with any identified security incident.
  • Business continuity management – To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
  • Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.

It is quite noticeable that the number of detected viruses and malware has gone through the roof recently.  It is a sad fact that as times get harder the number and ferocity of attacks on our computer systems increases.

Most people, fortunately, have anti-virus and anti-malware software on their systems; however, not all of it is kept up to date, and if it is not updated with the latest signature data it could be worse than useless.

One startling bit of information came my way this week, ‘a computer system connected to the internet will become infected with viruses and malware in as little as twenty minutes’; some put it at less than that.

We tend to concentrate on PCs rather than Macs, and it was thought that the Mac was better protected than the PC, but we are led to believe that modern viruses and malware attack Macs as well.

One clever virus found and blocked on one of our systems had the ability to turn off the anti-virus system; fortunately it was detected and quarantined before it could infect our systems. This is in part due to our anti-virus software, which alerts as soon as a hint of infection is sensed, and our two-stage firewalls.

Here at Quality Matters we are always on guard against these threats and our antivirus updates automatically each day. 

We help organisations put in ISO27001 systems (Information Security Management) which protect their data from unauthorised access and corruption.

The three letters (CIA) used in ISO 27001 put it well:

C Confidentiality – keep data safe from others
I Integrity – ensure that data remains uncorrupted
A Availability – ensure that data is available when needed

Last week I travelled to one of my clients in Kent; the traffic was awful and my sat nav took me on a slightly different route. There was still a good deal of delay and at one point we sat in a queue for some ten minutes; then the lorry in front of me suddenly reversed, striking my car on the bonnet. The lorry driver apologised and gave me details of his insurance, registration number etc. Now I had a damaged car and was very late for my appointment. I was also very irritated that this unnecessary incident had happened.

Could I have prevented it? I don’t think so.  Should I have ignored my sat nav and used my usual route?  Again I don’t think it would have been sensible. 

I was going to my client to initiate some risk assessments for their emerging Information Security Management System ISO27001 and it struck me that the data I had concerning the other driver, the accident, his vehicle, his employer and insurance company details were governed by the Data Protection Act and this information would be held by me temporarily but then dealt with by his insurers, my insurers, the repair garage and if there had been any injuries, which fortunately there were none, by Solicitors.  All this information would be held on databases and would be available to a great many organisations.  No wonder I thought about a risk assessment covering all of this, albeit in retrospect.

I  hope to get my car back soon.

ISO 27001, the information security standard, calls for the physical security of the building to be part of the overall system.

Most companies will have some security on the front door; it could be a fully manned reception desk or a keypad entry system or even a locked door. Anyone intent on gaining unauthorised access will usually target another entry point. This could be an insecure window or even better a rear door or fire door that has been left ajar for those that smoke.

I have seen some quite secure buildings which are neglecting the “back door”.

In the warmer months of the year companies that do not have air conditioning often prop open rear doors to allow for better air circulation.

If no one is watching a thief or data gatherer can simply walk in.

I am often early for appointments with my clients (by design, as I hate being late) and to while away the time I often turn on the wireless function on my laptop. I am staggered just how many businesses, and home users, leave their WiFi unprotected!

They possibly do not understand the implications, but this ignorance can be costly in terms of poor security.

There are two families of protection available for any WiFi setup. WEP (Wired Equivalent Privacy) is the original scheme; its design flaws are well known and a WEP key can be recovered from captured traffic in minutes with freely available tools, so it should be treated as no protection at all. WPA (WiFi Protected Access) comes as WPA1, an interim fix that kept WEP's RC4 cipher but with per-packet keys (TKIP), and WPA2, which uses AES (CCMP). Wherever possible I recommend that WPA2 is used; it is far more secure, uses a better protocol than WPA1, and is far superior to WEP.

WPA and WPA2 in Personal mode require you to set up a pass-phrase of 8 to 63 characters, from which the actual key is derived, rather than WEP's fixed 40- or 104-bit key typed in as 10 or 26 hex digits.
I would be surprised if a hacker could guess a pass-phrase and it certainly would defeat all but the most determined dictionary attack.
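To put a number on 'dictionary attack', here is an added Python example (not from the original post). In WPA and WPA2-Personal the pass-phrase and the SSID are run through PBKDF2-HMAC-SHA1 (4096 rounds) to produce the 256-bit pre-shared key; an attacker who records one four-way handshake can then test guesses offline, at that cost per guess, without ever touching the network again. The SSID, word list and pass-phrases below are constructed. The code compares derived keys directly, whereas a real attacker checks each guess against the handshake's message integrity code; the work per guess is the same.

```python
"""Added example, not from the original post: how a WPA/WPA2-Personal
pass-phrase becomes the key, and how an offline dictionary attack tests
guesses against it. SSID, word list and pass-phrases are constructed."""
import hashlib
from typing import Dict, Iterable, Optional


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key as WPA-Personal does: PBKDF2-HMAC-SHA1
    over the pass-phrase, salted with the SSID, 4096 rounds, 32 bytes out.
    A pass-phrase is 8 to 63 printable ASCII characters."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA pass-phrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_psk: bytes, ssid: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing: derive the key for each candidate and compare.

    A real attacker compares each candidate against the message integrity
    code in a captured four-way handshake rather than against the PSK itself,
    but the cost per guess (one 4096-round PBKDF2) is identical.
    """
    for candidate in wordlist:
        if not (8 <= len(candidate) <= 63) or not candidate.isascii():
            continue  # cannot be a WPA pass-phrase, skip the PBKDF2 work
        if wpa2_psk(candidate, ssid) == target_psk:
            return candidate
    return None


# Constructed word list: the entries every cracking list starts with.
WORDLIST = ["password", "letmein1", "football", "qwerty123", "sunshine", "12345678"]
SSID = "QM-Office"  # constructed network name


def demo() -> Dict[str, object]:
    """Constructed scenario: one access point with a word-list pass-phrase,
    one with a long random one, both attacked with the same list."""
    weak_psk = wpa2_psk("password", SSID)
    strong_psk = wpa2_psk("tangerine-cable-forty-LAMP-0931", SSID)
    return {
        "weak_recovered": dictionary_attack(weak_psk, SSID, WORDLIST),
        "strong_recovered": dictionary_attack(strong_psk, SSID, WORDLIST),
        # The SSID is the salt: the same pass-phrase gives a different key on
        # another network, so precomputed tables only cover common SSIDs.
        "ssid_changes_key": wpa2_psk("password", SSID) != wpa2_psk("password", "Other-AP"),
    }


if __name__ == "__main__":
    print(demo())
```

A short, common pass-phrase falls within the first few guesses; a long one that appears in no word list only fails on the attacker's budget, since the 4096 rounds are the same for everyone but dedicated cracking hardware runs them far faster than this script. Because the SSID is the salt, pre-computed tables exist only for common network names, which is one more reason not to leave the router on its default SSID.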

Here I have spoken about the application of basic security for WiFi but without this protection your system is like an open door; at best it allows others to use your bandwidth and at worst it allows access to your system with all the risks that unauthorised access can cause.

Would you leave your front door wide open?

It is startling to see that a recent statistic records that one in ten laptops will be lost or stolen. These laptops often contain sensitive or very sensitive information but some have only minimal security in place.

Recent thefts of laptops include:

  • Irish Army
  • Metropolitan Police
  • Ministry of Defence (21 lost or stolen between July 2005 and July 2006)
  • Nationwide
  • Ernst & Young

The loss of the hardware is bad enough but the data that they hold could be very damaging.

The strict rules at airports last year meant that laptops could no longer be carried as hand luggage and as a direct result many hundreds of laptops were never reunited with their owners.


Rule 1: Never leave a laptop unattended in a car or in a public place.

Rule 2: Keep a minimum of data stored on the laptop.

Rule 3: If you need access to large amounts of data, use a VPN to access the main system.

Rule 4: Use complex passwords and log-in methods to protect data.

In addition to these main rules:

  • If possible use two-factor authentication, where a token, card or biometric is needed to gain access to the laptop data.
  • If possible encrypt the data on the disk so that it is useless to a thief.
  • When using a laptop in a public place avoid being overlooked.

The above are really simple and sensible precautions.

Some very secure organisations configure laptops so that a small number of wrong log-in attempts (four, say) wipes the entire hard disk; this is sometimes loosely called a 'logic bomb'. Not something that should be used lightly! The hardware usually survives, but the data is gone: the IT manager is left rebuilding the machine and recovering from backup, and a user who simply mistypes a password four times triggers it just as surely as a thief.

Let’s make 2007 a secure year for laptops
