26 June 2015

Integrity

Posts relating to the information security principle "Integrity" are listed below.

06 May 2015

Android Security 2014

Google announced early last month the release of a report analysing security in the Android ecosystem.

One of the charts from Google's report 'Android Security 2014 Year in Review'

Android Security 2014 Year in Review describes various measures of security, including the occurrence of potentially harmful mobile applications, platform API abuse and network-level abuse.

Information is provided on Google's 4-tier severity rating system for vulnerabilities.

Security enhancements during 2014 are also discussed, together with newer changes such as the enhanced Google Play review process to help protect users.

Posted on: 06 May 2015 at 11:27 hrs


01 May 2015

Snakes & Ladders Coming To Shoreditch

A week on Monday, on the 11th May, I will be speaking during the MAKE day at this year's Digital Shoreditch.

Partial screen capture of the Digital Shoreditch web site at http://digitalshoreditch.com/

The Digital Shoreditch Festival 2015 is a two week mass-community celebration with participants from the world of tech, creative, and all related industries, running from 11th to 24th May. The schedule for the main programme (11th-15th May) has a separate theme for each day — MAKE, GROW, NEXT, CONNECT and LIVE.

The MAKE day offers the chance to learn by doing and bring new ideas to life with a "vibrant mix of entrepreneurs, artists, scientists, makers, designers and hackers from across the creative ecosystem". I will be talking about the Snakes and Ladders application security board game for developers.

OWASP Snakes and Ladders is a print-your-own board game that is a fun way to learn about the desirable security controls for, and the tricks faced by, software applications. There are two versions — one for web applications and one for mobile apps.

I am speaking at 15:40 hrs in Shoreditch Town Hall. This will be the first time any of the printed sheets for the mobile app board game will be available — previously I have printed and given away the web application board game. Both will be available on Monday.

Otherwise, I am also looking forward to all the other sessions on the day and during the rest of the week. Tickets are on sale.

Hope to see you there.

Posted on: 01 May 2015 at 08:42 hrs


28 April 2015

Summary of Last Year's ICO Enforcement Action

PwC UK has published a summary of enforcement actions taken by the Information Commissioner's Office (ICO) in 2014.

Partial view of a chart from the PwC report 'Privacy and Security Enforcement Tracker 2014' showing a comparison of the number of each enforcement type undertaken by the ICO in 2012, 2013 and 2014

The Privacy and Security Enforcement Tracker 2014 summarises and comments on information originally published by the ICO on its web site concerning actions it has taken against organisations. This includes enforcement notices, monetary penalty notices, prosecutions and undertakings.

The report also summarises trends in other jurisdictions and provides information about Belgium, France, Germany, Italy, Lithuania, Mexico, Poland, Russia, Spain, Sweden, Switzerland and the United States of America.

Although the information security risk mitigations and controls required by the ICO are not summarised, for those processing personal data online, the ICO itself summarised these in May.

Posted on: 28 April 2015 at 07:17 hrs


24 April 2015

AppSensor CISO Briefing

Following the release of the Introduction for Developers in February, the OWASP AppSensor team has now created and published a new document aimed at Chief Information Security Officers (CISOs) and others with similar responsibilities.

Cover of the 'AppSensor CISO Briefing'

The CISO Briefing is a high-level overview, with pointers to the more detailed resources for specifiers, architects, developers and operators.

The document's content was partially taken from the introductory sections of the AppSensor Guide and the AppSensor Microsite. This was then edited and changed by myself, John Melton and Louis Nadeau.

I incorporated several quotations from industry analysts, reports and standards to help set the context in the current security environment. The quotations are all publicly available but are mostly not OWASP AppSensor specific — instead they illustrate current trends and concerns about attack visibility, real-time detection, the need for automation, runtime application self-protection (RASP), and active defences.

The 12 pages comprise the following:

  • Defending Software Applications
  • Detect and Respond to Attacks From Within the Application
  • Benefits For Organizations and Users
    • Lower information security risk
    • Improved compliance
    • Reduced impact of attacks and breaches
    • Increased system survivability
  • Enterprise Ready
    • Extremely low false positives
    • Intelligence driven security
    • Low system resource overhead
    • Machine-speed response
  • Next Steps
  • Additional AppSensor Resources
  • About OWASP.

The CISO Briefing can be downloaded free of charge as a PDF, or purchased at cost in hardcopy from Lulu.com. There will also be some copies available during the CISO track at the AppSec EU conference in May.

Posted on: 24 April 2015 at 08:54 hrs


21 April 2015

Data Breach Investigations Report 2015

The Verizon annual Data Breach Investigations Report was published last week.

Partial view of Figure 43 from the Verizon 'Data Breach Investigation Report' showing the SANS critical security controls mapped to incident event chains

The Data Breach Investigations Report (DBIR) summarises findings from the collection and analysis of almost 80,000 security incidents relating to over 2,000 confirmed data breaches, sourced from 70 contributing organisations.

A breakdown by industry sector is provided. The 2015 DBIR incident and breach information collection processes have no substantial changes from the 2014 DBIR, focusing on security events resulting in confirmed data disclosure, as well as other security incidents such as denial-of-service attacks and compromises of systems without data loss. The report reiterates that it only represents a sample of events — the results are only representative of the sources of information contributed.

An analysis of the threat actions illustrates that the proportion of actions involving RAM scraping is growing, spyware/keylogger is falling and both credentials and phishing are broadly similar.

There is plenty of interesting data on breach discovery, phishing, patching, malware, industry profiles and impacts. The discussions on the problems with threat intelligence and the limited impact of mobile device compromise are insightful.

Nine common incident classification patterns are used to summarise the findings, including "web application attacks", accounting for 9.4% of incidents. Almost all the attacks in this category were opportunistic in nature, with information, financial services, and public entities being particularly affected. Use of stolen credentials is the most common action involved.

The last figure in the report (illustrated above) is a mapping from the recommended SANS Critical Security Controls to incident event chains. Although this only relates to Verizon's own source data, and not any of the other contributors, it illustrates that many basic security measures can help protect against the most common attacks. These include two-factor authentication, patching web services, verifying the need for internet-facing devices, proxying outbound traffic and web application testing.

Posted on: 21 April 2015 at 10:49 hrs


17 April 2015

London Insurance Markets and Cyber Risk Insurance

The UK government has published a report on the role of insurance markets in managing and mitigating cyber risk.

A figure from the report 'UK cyber security: the role of insurance in managing and mitigating the risk' illustrating the cyber risk profile for a typical large UK business

UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk describes how insurance can be another mechanism for cyber risk reduction, encouraging steps to reduce risk through reduced premiums, and providing insight from claims and near misses.

The report highlights that many aspects of cyber risk, such as the risk of business interruption, the potential for large and public impact, and the need for rapid response post-event, are common to other "tail risks" (low frequency, high impact events), such as natural catastrophe and terrorism.

The information I found most worthy of particular attention was:

  • More than 60% of incidents reported to insurers are the result of accidents
  • The majority of the high-severity losses stem from actions designed to cause harm
  • A paucity of data makes attempts to model cyber exposure difficult
  • Any form of data pooling among underwriters would therefore benefit their customers
  • The cost of cyber insurance relative to the limit purchased is typically three times the cost of cover for more established general liability risks
  • Cyber insurance also has a much lower degree of price differentiation across individual firms... this is concerning because it undermines the value of insurance in encouraging risk reduction by firms, since they will not see a corresponding reduction in their insurance costs
  • Half of firm leaders we spoke to do not realise that cyber risks can even be insured
  • Less than 10% of UK companies have cyber insurance protection even though 52% of CEOs believe that their companies have some form of coverage in place.

The taxonomy of cyber risk, cyber loss categorisations and risk profiles for larger and smaller business are especially helpful, and could be used by any organisation to undertake their own comparative cyber risk assessment.

Figure 8 of the report explains the typical cyber exclusions and gaps in traditional insurance policies for property, business interruption, general liability, and errors/omissions/professional indemnity. The potential insurability, market size and opportunities for the London insurance market are discussed.

Posted on: 17 April 2015 at 07:29 hrs


15 April 2015

Security of Public Communications Network and Service Providers

The European Union Agency for Network and Information Security (ENISA) has published guidance on what nations should take into account when evaluating the security compliance of public communications network and service providers.

Bars on a chart from the ENISA document 'Technical Guideline on Security Measures for Article 4 and Article 13a'

The requirements relate to Article 13a of the Framework Directive (2009/140/EC) and Article 4 of the e-Privacy Directive (2002/58/EC).

At first glance, many organisations might assume they do not fall within the remit of this "network and services" legislation, but Technical Guideline on Security Measures for Article 4 and Article 13a describes the "assets in scope" as "all assets of the provider which, when breached and/or failing, can have a negative impact on the security of networks, services and/or the processing of personal data".

The guidance provides a non-exhaustive list of networks and services, and related systems "which are often supporting, directly or indirectly, the provision of networks and services or the personal data processing". Whilst many in-scope systems are communication and network related, including wires and fibre, network devices and DNS, other components mentioned are PCs, removable media, power supply systems, backup power supply and cooling systems. Many companies may be providers of services like these to organisations that are affected by the legislation.

The document goes on to describe "additional services" in scope that include "Provider web sites for customers, billing portals, et cetera, if they contain personal data which was collected and processed in connection with the provision of networks or services", "Customer premises equipment (CPE), if under the control of the operator (such as VOIP boxes)" and "Other systems used for storing or processing of personal data collected in connection with the provision of networks or services. This could involve procedures involving paperwork like paper-printed letters, contracts or bills". As the document states "Third party assets are in scope just as if they were assets of the provider".

The guidance defines a "security incident" as "a single or a series of unwanted or unexpected events which could have an impact on the security of networks, services and/or the processing of personal data". It goes on to provide examples of various scales of incident and whether they are reportable.

The technical guidance is divided into 26 security objectives, each with three levels of sophistication that demonstrate what level of controls is in place. The objectives and measures might be useful for other organisations to assess their own maturity, regardless of legislative applicability.

Posted on: 15 April 2015 at 18:18 hrs


10 April 2015

Digital Advertising Fraud

Over the last couple of months I have been doing some background reading for a new project.

One of the charts from the ANA report 'The Bot Baseline: Fraud in Digital Advertising'

One area I was interested in discovering more about was advertising click fraud. In my research I came across a report, The Bot Baseline: Fraud in Digital Advertising, published by the US Association of National Advertisers (ANA) and White Ops at the end of last year. It includes information gathered from 36 ANA member companies spanning 181 advertising campaigns with 5.5 billion digital advert impressions.

The report discusses:

  • Cost of bot fraud
  • The effect of reach
  • Differences with video campaigns
  • Sourcing traffic
  • Premium buys
  • Digital advertising supply chain
  • Adware attack severity
  • Bot source locations
  • Engagement and viewability metrics
  • Evasion
  • Tracking
  • Ad injection
  • Countermeasures.

The Interactive Advertising Bureau (IAB) has also published a document describing Anti-Fraud Principles and Proposed Taxonomy. There are also some related terminology definitions and discussion of fraud in the IAB Europe whitepaper Viewable Impressions, February 2015.

Posted on: 10 April 2015 at 08:00 hrs


07 April 2015

Penetration Testing Guidance for PCI DSS

The Payment Card Industry (PCI) Security Standards Council (PCI SSC) has published another information supplement for PCI Data Security Standard (PCI DSS), this time on penetration testing. It would appear there has been a large variability in penetration tests being undertaken for PCI DSS.

The cover from the PCI Security Standards Council 'Information Supplement: Penetration Testing Guidance'

Information Supplement: Penetration Testing Guidance, v1 March 2015, replaces the PCI SSC's original penetration testing information supplement titled "Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 Penetration Testing" published in 2008.

The scope of a penetration test is defined in PCI DSS Requirement 11.3. It must include the entire cardholder data environment (CDE) perimeter and any critical systems that may impact the security of the CDE, as well as the environment in scope for PCI DSS. This includes both the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (LAN-LAN attack surfaces).

The information supplement is comprised of the following sections:

  • Introduction
  • Penetration testing components: Understanding of the different components that make up a penetration test and how this differs from a vulnerability scan, including scope, application and network-layer testing, segmentation checks, and social engineering
  • Qualifications of a penetration tester: Determining the qualifications of a penetration tester, whether internal or external, through their past experience and certifications.
  • Methodology: Detailed information related to the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement
  • Reporting and documentation: Guidance for developing a comprehensive penetration test report that includes the necessary information to document the test as well as a checklist that can be used by the organization or the assessor to verify whether the necessary content is included
  • Case studies / scoping examples.

Hopefully this will help organisations define more consistent objectives and requirements for penetration tests, improving the quality, and thus the benefits, of such testing.

Posted on: 07 April 2015 at 06:39 hrs


04 April 2015

International Personal Data Transfers within AWS

The European Commission's Article 29 Working Party (Art. 29 WP) and the lead authority, the Luxembourg National Commission for Data Protection (Commission Nationale pour la Protection des Données - CNPD), have announced the outcome of their review of Amazon Web Services in relation to the international transfer of personal data.

The Dear Mr Dubois letter

The letter states that the lead authority has analysed Amazon Web Services (AWS) "Data Processing Addendum" and its Annex 2 "Standard Contractual Clauses" which incorporates Commission Decision 2010/87/EU.

The conclusion is that "...by using the 'Data Processing Addendum' together with its annexes, AWS will make sufficient contractual commitments to provide a legal framework to its international data flows, in accordance with Article 26 of Directive 95/46/EC".

This would imply that AWS customers will be able to assume that any transfers of personal data to non-European Economic Area (EEA) AWS regions will have the same level of protection as the data receives within the EEA.

Posted on: 04 April 2015 at 09:50 hrs


© 2008-2015 clerkendweller.uk