Monthly Archives: April 2012

Security audits for mobility and business intelligence operations

April 26, 2012

Australian firms are focusing more on mobility and business intelligence than ever before, according to a recent report.

The Chief Information Officer Agenda survey performed by Gartner as part of its Executive Programs 2012 initiative covered over 2,000 CIOs around the world – 132 of which were in Australia.

Researchers found that the main drive for these professionals for projects in 2012 was related to extracting value from mobile technologies and business intelligence (BI) operations.

While areas such as cloud services and virtualisation were still ranking well in terms of future planning, the survey found that the increase in adoption rates for smartphones and personal tablets made them less of an immediate priority.

Vice-president of Gartner Andy Rowsell-Jones explained that the new ranking was something of an anomaly for researchers to find.

He asserted: "BI has had a chequered history in Gartner's annual CIO survey. Is it new ideas, new tools, or the triumph of hope over experience that has propelled BI back into the limelight? We will find out over the course of the year."

However, the additional information collected and stored by businesses engaged in data mining and mobile access also calls for more frequent security audits and compliance certification, as the value generated by collecting client details is equally well recognised by malicious online parties.

Penetration testing can give a clear picture of the security puzzle

From within a business or organisation, the task of providing an objective review of any feature, project or asset can be difficult to manage without it being clouded by certain factors.

In some cases the points under consideration are the results of the efforts of the reviewer, while in others the person in charge is highly likely to know the staff members concerned.

As professional as these individuals may be, it still remains in the best interests of the organisation as a whole to consider the possibility of bias affecting the outcome of a review.

Rather than place the onus on internal stakeholders to prove their detachment from projects that may be very close to their heart, it may be more productive in the long run to simply avoid this scenario entirely.

This is where the value of ethical penetration testing services comes to the fore – with dedicated professionals performing external evaluations in order to determine the most likely avenue of entry for a malicious party.

The main advantage is that a firm gains insight into where its coverage may be lacking – gaps that are obvious to those outside the firm may go unnoticed by the professionals responsible for everyday operations.

IT developments to factor in security audits

A new survey from Gartner has shown that 2012 may be set to become the year of cautious IT behaviour, as companies face economically turbulent market conditions.

For many chief executive officers (CEO), the uncertain financial situation presented by their competitors and stakeholders presents a powerful argument towards investing in new developments.

Gartner's survey of over 220 CEOs published on April 16 found that – while fiscal responsibility and cost control had grown in priority – IT investment was to grow over the remainder of the year.

Vice president at Gartner Jorge Lopez explained that the drive to produce additional value from technology investment was "comparatively healthy".

Mr Lopez asserted: "The newer trends, such as mobile and cloud, are rising to the foreground of CEOs' attention.

"However, CRM remains CEOs' favourite IT capability because marketing is a never-ending competitive quest for customer retention."

While value is generated from the effective use of data mining and long-term relationship management activities, due diligence demands that the level of online security reflect the value of the material kept on hand.

Ideally, vulnerability management measures should be an integral part of the planning process – with the costs and benefits factored into additional IT project planning.

Red cell testing takes on mobile security

When considering an organisation's digital security, it is commonplace for workers to take into account common features such as password strength and regular updates of antivirus software.

While these certainly help to form part of a strong security plan, these components do not constitute a complete suite of protection.

This is because malicious parties are constantly evolving the way they seek out information that can be used in a penetration attack.

As an example, the 2012 Threat Report by Websense Security Labs analysed over 200,000 smartphone apps and found that what it calls "a noticeable percentage" of the mobile programs contained elements of malware and non-essential permissions.

The report states: "The popularity of mobile devices is creating a large target installed base and cybercrime is actively innovating to harvest information for profit."

On top of this, researchers found that 51 per cent of mobile users turn off password permissions and security protections on their devices – making a lost or stolen phone a valuable commodity for malicious parties.

This is just one of the avenues that red cell testing teams could use when helping to examine possible exploitation routes – making use of the same methodologies and processes as real-world hackers and data thieves, but without the danger of losing control of proprietary information.

PCI DSS neglect can damage a business' reputation

The payment card industry data security standard (PCI DSS) is a set of requirements developed and maintained by an industry council made up of some of the biggest names in the game.

Compliance with these measures is important for businesses and clients – not to mention financial providers – as it protects their reputation and helps to enhance the purchasing experience.

However, a recent interview published by ZDNet on April 24 with a leading expert on PCI DSS asserted that many firms had neglected their security obligations.

According to senior security consultant Steven Surdich, companies sometimes engaged in so-called 'patching' behaviour before a yearly audit rather than ensuring their system was adequately protected at all times.

The PCI expert stated that this kind of activity was obvious to the external qualified security assessors who are charged with ensuring that a company's defences are in line with the industry standards.

Mr Surdich explained: "The environment that was certified as PCI compliant – that needs to be protected from unauthorised changes.

"You want to make sure that you understand the environment, and that you're actually part of the change process in some capacity."

Regular reviews of the payment card systems by a registered professional can be helpful in this process, as they can explain the requirements in practical, relatable terms.

Viewing small gaps in a wider context

Ideally, modern organisations are supposed to operate as a well-oiled machine, with actions in one area serving to assist others in their duties.

This level of interdependence is what provides a business with its efficiencies that makes its service provision or production methods a valuable proposition – the focus of working to strengths and opportunities rather than reacting to market conditions.

However, this same cross-reliance of people and processes needs to be taken into context when undertaking penetration testing and information security reviews.

This is because it can be easy to dismiss a small gap in a firm's digital defences when the information most obviously at stake is not of great importance to the firm or its activities – the costs of protecting it can outweigh the immediate prospect of damage done by malicious external parties.

However, the access gained through one small, seemingly insignificant channel could be used later by the same individuals – or sold on to other participants – to explore for further vulnerabilities.

As security specialists will know, it is important to remember to think of the big picture when assessing the strengths and weaknesses of a firm's defences – because the small gaps that are ignored today could lead to greater problems later on down the track.

Tips for maintaining PCI compliance – ZDNET Article

April 24, 2012

Recently at our April Breakfast Briefs in Sydney and Melbourne, Steven Surdich, one of Securus Global's resident PCI DSS experts and QSAs, gave an address on the importance and trials of maintaining PCI DSS compliance all year round, rather than treating it as a point-in-time exercise when an audit is due.

There are many pragmatic strategies and processes that can be employed, and they need not be difficult or complex if implemented as part of business-as-usual processes rather than as special PCI compliance activities.

Here is a little of what ZDNet had to say:

Too many companies are neglecting to keep up to date with the standards required for accepting electronic payments, even though compliance is easily achieved by following three simple rules, and is not a once-per-year obligation, according to Securus Global senior security consultant Steven Surdich.

Although many companies appear to be having difficulty in doing so, Surdich said it is simple if they follow the three basic rules: controlling changes to the cardholder environment; maintaining oversight of their activities; and simplifying compliance processes.


How vulnerability management requires thinking outside the box

April 17, 2012

As the number of interactions between organisations and stakeholders is enabled by advances in technologies, the amount of information retained by many businesses is bound to increase.

The opportunities available to companies engaging in this kind of activity are enormous – intensive analysis of so-called 'big data' collections can lead to advances in product and service offerings, as well as enhancements to a range of corporate communications.

However, this information is still valuable to other parties without further treatment, meaning that firms need to be prepared to look after their investment.

Vulnerability management is not a simple one-off task that a basic stop-gap approach can address – it is a cycle made up of a number of steps.

After deciding on the security state preferred by the company, the firm needs to compare this to the measures currently in place.

This activity requires a fair bit of innovation and out-of-the-box thinking in order to develop viable scenarios where the company would be in danger of losing control over its proprietary data, as these penetration avenues may not always be immediately obvious.

By keeping an open mind on the subject of vulnerability management – or making use of professional testers – a firm is able to identify the gaps well in advance and can act to stop a threat becoming a reality.


Security audit to find gaps in online defences

When it comes to online security for commercial concerns, most people tend to think of hackers sitting in darkened rooms, hammering away at a firm's firewalls or sending out virus-laden emails to break through online defences from the inside.

While these features are common enough in the digital space, in no way should they be allowed to form the be-all and end-all of a firm's security protection measures.

This is because a dedicated attacker is more likely to utilise a range of angles in order to gain as much information as possible before they take decisive action.

These stalking activities can include some truly innocuous approaches – phone calls asking for specific staff members, emails 'accidentally' addressed to the wrong employee and even direct social engineering attempts in face-to-face meetings.

In the busy work day these small details can easily get lost as employees focus on their tasks, otherwise unaware that they have given away a valuable piece of information to a malicious party.

To get a full-spectrum analysis of the weak points in a firm's security protocols, a security audit known as a "red cell" test can be undertaken that simulates a real-world approach to gaining access to privileged information – with the added bonus that the details will remain in confidence.


Cheques vs electronic payments PCI DSS compliance

April 14, 2012

Electronic payment processing technology still has some inherent weaknesses when it comes to customer data, according to the assistant governor (financial system) of the Reserve Bank of Australia.

In a speech given earlier this week (March 20), Malcolm Edey asserted that while recent technological developments – including online payment services and mobile phones – have made electronic payments quicker and more efficient to use, the humble cheque still sets a relatively high benchmark.

He told an audience at the Cards & Payments Australasia 2012 Conference in Sydney: "Cheques are always a good reminder of the things that are missing in our electronic payments."

As an example, he noted that when making a payment with a cheque, all the person making the payment needs to know is the recipient's name, while electronic payments tend to require a bit more information.

Until details like account and BSB numbers can be integrated seamlessly, there will always be opportunities for further progress in the payment sector.

Widespread adoption of payments made via smartphones has underscored the importance of data security compliance in this sector, according to the general manager of the Payment Card Industry Security Standards Council.

Speaking last month in a podcast interview with Information Security Media Group, Bob Russo noted that PCI DSS compliance will be essential when taking mobile phone payments – and he urged companies to take a forward-thinking approach to managing vulnerabilities.