17 April 2015

London Insurance Markets and Cyber Risk Insurance

The UK government has published a report on the role of insurance markets in managing and mitigating cyber risk.

A figure from the report 'UK cyber security: the role of insurance in managing and mitigating the risk' illustrating the cyber risk profile for a typical large UK business

UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk describes how insurance can be another mechanism for cyber risk reduction, encouraging steps to reduce risk through reduced premiums, and providing insight from claims and near misses.

The report highlights that many aspects of cyber risk, such as the risk of business interruption, the potential for large and public impact, and the need for rapid response post-event, are common to other "tail risks" (low frequency, high impact events), such as natural catastrophe and terrorism.

The information I found most worthy of particular attention was:

  • More than 60% of incidents reported to insurers are the result of accidents
  • The majority of the high-severity losses stem from actions designed to cause harm
  • A paucity of data makes attempts to model cyber exposure difficult
  • Any form of data pooling among underwriters would therefore benefit their customers
  • The cost of cyber insurance relative to the limit purchased is typically three times the cost of cover for more established general liability risks
  • Cyber insurance also has a much lower degree of price differentiation across individual firms... this is concerning because it undermines the value of insurance in encouraging risk reduction by firms, since they will not see a corresponding reduction in their insurance costs
  • Half of firm leaders we spoke to do not realise that cyber risks can even be insured
  • Less than 10% of UK companies have cyber insurance protection even though 52% of CEOs believe that their companies have some form of coverage in place.

The taxonomy of cyber risk, cyber loss categorisations and risk profiles for larger and smaller business are especially helpful, and could be used by any organisation to undertake their own comparative cyber risk assessment.

Figure 8 of the report explains the typical cyber exclusions and gaps in traditional insurance policies for property, business interruption, general liability, and errors/omissions/professional indemnity. The potential insurability, market size and opportunities for the London insurance market are discussed.

Posted on: 17 April 2015 at 07:29 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

16 April 2015

PCI DSS v3.1 for Ecommerce Payments

Lots happening this week. The Payment Card Industry Security Standard Council (PCI SSC) has announced the release of an update to the PCI Data Security Standard (PCI DSS).

Partial view of the title sheet from the Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.1, April 2015

PCI DSS v3.1 (15 April 2015), includes several changes to reflect changing threats and recently discovered vulnerabilities, but also including some clarifications and additional guidance.

The most important aspects changed for ecommerce channels relate to the following PCI DSS requirements:

  • 2.2.3 and 4.1 - Removed SSL as an example of a secure technology. Added note that SSL and early TLS are no longer considered to be strong cryptography and cannot be used as a security control after June 30, 2016. Additional guidance provided in Guidance column. Also impacts Requirements 2.3 and 4.1.
  • 2.3 and 4.1.1 - Removed SSL as an example of a secure technology and added a note to the requirement.
  • 3.4 - Clarified in requirement note that additional controls are required if hashed and truncated versions of the same PAN are present in an environment.
  • 6.6 - Added clarification to testing procedure and Guidance column that if an automated technical solution is configured to alert (rather than block) web-based attacks, there must also be a process to ensure timely response.

The PCI SSC has provided an on demand webinar to assist with understanding all the changes. Version 3.1 is effective immediately and PCI DSS Version 3.0 will be retired on 30 June 2015.

Posted on: 16 April 2015 at 11:38 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

15 April 2015

Security of Public Communications Network and Service Providers

The European Union Agency for Network and Information Security (ENISA) has published guidance on what nations should take into account when evaluating the security compliance of public communications network and service providers.

Bars on a chart from the ENISA document 'Technical Guideline on Security Measures for Article 4 and Article 13a'

The requirements relate to Article 13a of the Framework Directive (2009/140/EC) and Article 4 of the e-Privacy Directive (2002/58/EC).

At first glance, many organisations might assume they do not fall within the remit of this "network and services" legislation, but Technical Guideline on Security Measures for Article 4 and Article 13a describes the "assets in scope" as "all assets of the provider which, when breached and/or failing, can have a negative impact on the security of networks, services and/or the processing of personal data".

The guidance provides a non-exhaustive list of networks and services, and related systems "which are often supporting, directly or indirectly, the provision of networks and services or the personal data processing". Whilst many in scope systems are communication and network related, including wires and fibre, network devices and DNS, other components mentioned are PCs, removable media, power supply systems, backup power supply and cooling systems. Many companies may be providers of services like these to organisations that are affected by the legislation.

The document goes on to describe "additional services" in scope that include "Provider web sites for customers, billing portals, et cetera, if they contain personal data which was collected and processed in connection with the provision of networks or services", "Customer premises equipment (CPE), if under the control of the operator (such as VOIP boxes)" and "Other systems used for storing or processing of personal data collected in connection with the provision of networks or services. This could involve procedures involving paperwork like paper-printed letters, contracts or bills". As the document states "Third party assets are in scope just as if they were assets of the provider".

The guidance defines a "security incident" as "a single or a series of unwanted or unexpected events which could have an impact on the security of networks, services and/or the processing of personal data". It goes on to provide examples of various scales of incident and whether they are reportable.

The technical guidance is divided into 26 security objectives, each with three levels of sophistication that demonstrates what level of controls are in place. The objectives and measures might be useful for other organisations to assess their own maturity, regardless of legislative applicability.

Posted on: 15 April 2015 at 18:18 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

14 April 2015

Remote Banking Fraud Up, Card Fraud Up

The Financial Fraud Action UK (FFA UK) has published its latest figures about financial fraud in the UK.

e-commerce card fraud losses increased from £190.1m in 2013 to £217.4m in 2014 — a 14 per cent rise

In a news release published at the end of March, the FFA UK states the increase is primarily due to a change in tactic by fraudsters who are deceiving customers rather than attacking the payments technology and systems directly. It warns about the increasing numbers of scams which aim to trick people into disclosing financial details or transferring their money directly to fraudsters.

As a result of these trends there is now a new Joint Declaration by UK Banks, Card Issuers and Building Societies is a combined effort to combat phone-initiated fraud.

Online banking fraud increased from £40.9m to£60.4m in 2014, a 48 per cent rise.

Card fraud losses were driven by criminals using UK cards fraudulently abroad, where the security features can be circumvented in some locations.

Posted on: 14 April 2015 at 07:37 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

10 April 2015

Digital Advertising Fraud

Over the last couple of months I have been doing some background reading for a new project.

One of the charts from the ANA report 'The Bot Baseline: Fraud in Digital Advertising'

One area I was interested in discovering more about was advertising click fraud. In my research I came across a report The Bot Baseline: Fraud in Digital Advertising, published by the US Association of National Advertisers (ANA) and White Ops at the end of last year. It includes information gathered from 36 ANA member companies spanning 181 advertising campaigns with 5.5 billion digital advert impressions.

The report discusses:

  • Cost of bot fraud
  • The effect of reach
  • Differences with video campaigns
  • Sourcing traffic
  • Premium buys
  • Digital advertising supply chain
  • Adware attack severity
  • Bot source locations
  • Engagement and viewability metrics
  • Evasion
  • Tracking
  • Ad injection
  • Countermeasures.

The Interactive Advertising Bureau (IAB) has also published a document describing Anti-Fraud Principles and Proposed Taxonomy. There are also some related terminology definitions and discussion of fraud in the IAB Europe whitepaper Viewable Impressions, February 2015.

Posted on: 10 April 2015 at 08:00 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

07 April 2015

Penetration Testing Guidance for PCI DSS

The Payment Card Industry (PCI) Security Standards Council (PCI SSC) has published another information supplement for PCI Data Security Standard (PCI DSS), this time on penetration testing. It would appear there has been a large variability in penetration tests being undertaken for PCI DSS.

The cover from the PCI Security Standard's Council  'Information Supplement: Penetration Testing Guidance'

Information Supplement: Penetration Testing Guidance, v1 March 2015, replaces the PCI SSC's original penetration testing information supplement titled "Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 Penetration Testing" published in 2008.

The scope of a penetration test is defined in PCI DSS Requirement 11.3. It must include the entire cardholder data environment (CDE) perimeter and any critical systems that may impact the security of the CDE, as well as the environment in scope for PCI DSS. This includes both the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (LAN-LAN attack surfaces).

The information supplement is comprised of the following sections:

  • Introduction
  • Penetration testing components: Understanding of the different components that make up a penetration test and how this differs from a vulnerability scan including scope, application and network- layer testing, segmentation checks, and social engineering
  • Qualifications of a penetration tester: Determining the qualifications of a penetration tester, whether internal or external, through their past experience and certifications.
  • Methodology: Detailed information related to the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement
  • Reporting and documentation: Guidance for developing a comprehensive penetration test report that includes the necessary information to document the test as well as a checklist that can be used by the organization or the assessor to verify whether the necessary content is included
  • Case studies / scoping examples.

Hopefully this will help organisations define more consistent objectives and requirements for penetration tests, improving the quality, and thus benefits of doing such testing.

Posted on: 07 April 2015 at 06:39 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

04 April 2015

International Personal Data Transfers within AWS

The European Commission's Article 29 Working Party (Art. 29 WP) and lead authority the Luxembourg National Commission for Data Protection (Commission Nationale pour la Protection des Données - CNPD) have announced their decision of a review of Amazon Web Services in relation to the international transfer of personal data.

The Dear Mr Dubois letter

The letter states that the lead authority has analysed Amazon Web Services (AWS) "Data Processing Addendum" and its Annex 2 "Standard Contractual Clauses" which incorporates Commission Decision 2010/87/EU.

The conclusion is that "...by using the 'Data Processing Addendum' together with its annexes, AWS will make sufficient contractual commitments to provide a legal framework to its international data flows, in accordance with Article 26 of Directive 95/46/EC".

This would imply that AWS customers will be able to assume that any transfers of personal data to non European Economic Area (EEA) AWS regions will have the same level of protection as it receives within the EEA.

Posted on: 04 April 2015 at 09:50 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

31 March 2015

Participate in the OWASP Project Summit in Amsterdam

The Open Web Application Security Project (OWASP) is supporting a project summit during the two days prior to the main AppSec EU conference.

Photograph of a sign mounted on a door in Amsterdam which reads in Dutch and English 'Denk aan de buren a.u.b. - Please mind the neighbours'

A project summit on Tuesday 19th and Wednesday 20th May has been announced and information published on the AppSec EU 2015 web site. The concept of the summit is to work on improving and extending project outputs with other volunteers, and as such requires active participation and contribution.

Across all the sessions there are a wide range of inputs needed including requirements specification, architecture review, coding, testing, documentation/wiki writing and review, user interface design, planning, graphical design, video creation and translation. Full details, timings and objectives of each session are provided on the summit's wiki pages.

There are many projects participating, including sessions for projects I am actively involved in. My own parts of the summit are

Tuesday 19th May

  • 10:30-12:00 hrs OWASP Codes of Conduct - Document Review
    The current Codes of Conduct were developed primarily during the last major OWASP Summit in Portugal. They cover: Government Bodies Educational Institutions Standards Groups Trade Organizations Certifying Bodies Development Organizations This 1.5 hour session will review, edit, update and release v1.2 of each document. Participants should be interested in how external entities can be encouraged to support OWASP's mission, read the existing Codes of Conduct in advance, and come with suggestions for changes. The session agenda is 1. Introduction; 2. Joint review and edit (15 mins each document); 3. Publish updated documents to wiki (PDF and Word).
  • 13:00-15:00 hrs OWASP AppSensor (Documentation) - Guide Review
    The AppSensor Guide v2 was published in May last year, and has had two minor updates, the last one mainly due to the important release of the v2 code implementation. This session is to edit and improve the guide, since many of the chapters have not been fully reviewed. Participants should read a chapter or two in advance of the summit (chapter 5 onwards, but choose randomly/what is of interest) and bring their edits/comments to the session, where the guide will be updated. All participants will be acknowledged in the guide and on the project wiki page. The session agenda is 1. Briefing; 2. Live editing; 3. Publication updated PDF.
  • 15:30-16:30 hrs OWASP Snakes and Ladders - Dutch Translation
    OWASP Snakes and Ladders (web applications) has been translated into 5 other languages already, and Portuguese is in progress. But so far not Dutch. This rapid session will ask participants to translate the 900 words or so into Dutch, so that a PDF and Adobe Illustrator version can be created. It will also be possible to help remotely, as it will be set up on Crowdin. The session agenda is 1. Meet; 2.Translate; 3. Create Illustrator and PDF output; 4. Publish.

Wednesday 20th May

  • 09:00-12:00 hrs OWASP Cornucopia - Ecommerce Website Edition - Video
    The objective is to create a short "how to play the Cornucopia card game" video during this half-day session. Cornucopia is a card game that helps identify security requirements, but people may not be familiar with how easy it is to get started. Participants for this session are needed to be players, to create a narrative, to video the game being played, and if there is time and anyone has the skill, to edit the video and sound into a release version. It is preferable if participants are already a little familiar with the game and/or threat modelling. If there is time, we will also discuss alternative game strategies like a Jeopardy format. The session agenda is 1. Storyboarding; 2. Game play recording; 3. Editing; 4. Soundtrack; 5. Publish video.
  • 13:30-17:00 hrs OWASP AppSensor (Code) - Dashboard
    The AppSensor v2.0.0 code implementation final release was undertaken in January. One of the tasks to continue with is the development of a reporting dashboard. This session is to brainstorm ideas and layouts for the dashboard, and identify what tools/libraries can assist in the creation of the dashboard. Bring ideas, energy, URLs, paper and pens! The outputs will be dashboard mockups. The session agenda is 1. Introductions and objectives; 2. Information requirements; 3. User stories; 4. Information design; 5. Code libraries and frameworks.
  • 17:00-18:00 hrs OWASP Automation Threats to Web Applications - Website Owner Experiences
    The OWASP Automation Threats to Web Applications Project is undertaking research and will publish its outputs immediately prior to AppSec EU 2015. This meeting seeks input from training and conference attendees on their own organisations' experiences of automated attacks: What types of automated attacks occur and with what frequency? What were the symptoms? How are they detected? What incident response measures were taken? What steps were undertaken to prevent or mitigate such attacks? Participation/contribution can be anonymous or otherwise. The intention is to update the published documents during the session and if possible create additional sector-specific guidance.

Registration

Attendance at the project summit is free, but everyone is a participant to help achieve the objectives. Please register to let the team know who will be attending. Join as many or as few of the sessions as you like.

The summit is co-loacted at the Amsterdam RAI as the chargeable training courses running on the same days. Why not sign up for those and the conference at the same time?

I look forward to seeing some of you there.

Posted on: 31 March 2015 at 13:52 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

27 March 2015

Financial Conduct Authority Update March 2015

The UK's Financial Conduct Authority (FCA) is becoming more proactive in the online application space.

Photograph of one of the dragon boundary marks at the boundary of the City of London on Embankment

Following last year's consultation on use of social media, the FCA has completed its review and has now confirmed its approach for financial promotions in social media.

The finalised guidance has been published as FG15/4 - Social Media and Customer Communications: The FCA's Supervisory Approach to Financial Promotions in Social Media.

This covers web sites and applications that enable users to create and share content or participate in social networking, including blogs, microblogs (e.g. Twitter), social and professional networks (e.g. Facebook, LinkedIn, Google+), forums, and image and video-sharing platforms (e.g. YouTube, Instagram, Vine, Pinterest. Any form of communication (including through social media) is capable of being a financial promotion, depending on whether it includes an invitation or inducement to engage in financial activity. So, for example, it would include 'advergames', where promotional messages are placed in entertainment applications.

On another matter, in addition to the document published in July on Considerations for Firms Thinking of Using Third-Party Technology (off-the-shelf) Banking Solutions, legal news blog Out-law.com reports the FCA is examining platforms' technology systems later this year.

The FCA is also consulting on proposed changes to its consumer credit rules and guidance. Almost a year ago on 1st April 2014 the FCA took over the regulation of consumer credit from the former Office of Fair Trading (OFT). This brought around 50,000 consumer credit firms into its scope.

And finally, the UK's new Payment Systems Regulator (PSR), launching next week and part of the FCA, has announced its regulatory framework for payment systems (summary factsheet). Customers of payment services providers may not be aware of this change — Card payment systems is in the 2015/16 programme of work.

Keep up-to-date with FCA and PSR news.

Posted on: 27 March 2015 at 08:40 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

24 March 2015

Web Application Attacks from a WAF Perspective

I had lost track of Imperva's useful Hacker Intelligence Initiative (HII), threat advisories and Web Application Attack Reports (WAARs). The latest WAAR was published in October 2014.

Part of Imperva's 'Web Application Attack Report Edition #5 - October 2014' illustrating two of the charts included

Web Application Attack Report Edition #5 - October 2014 describes the most popular web application targets, attack vectors, duration and magnitude. The analysis is based on data from 99 web applications that had a web application firewall (WAF) from the vendor deployed in the period 1st August 2013 to 30th April 2014.

Attack data are included for:

  • SQL injection
  • Remote file inclusion
  • Local file inclusion
  • Directory traversal
  • Cross-site scripting
  • Comment spamming.

Other types of attack vector and threats are not covered. The report's introduction suggests that a further 201 web applications did not see any of these types of attack during the period.

Posted on: 24 March 2015 at 08:32 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

Application Security and Privacy
https://www.clerkendweller.uk/
ISO/IEC 18004:2006 QR code for https://clerkendweller.uk

Page https://www.clerkendweller.uk/
Requested by 192.81.216.243 on Saturday, 18 April 2015 at 23:39 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk