

    Information Security: Protecting Your Future
    SECURITY
    Welcome to our four-part series on information security in business. We discuss security risks, managing an incident and preventing serious damage to your organisation while keeping your competence intact.
    Using our extensive experience, we show you potential savings that come with a thorough security incident plan. We will also let you know what your Incident Response plan should consider and how best to maintain it.
    Across each blog, we use our significant security expertise to guide you in making the best decisions when it comes to protecting your organisation.
     

    Part 1: Change The Conversation From “If” to “When” And Save Your Business Significant Costs

    Welcome to our first information security blog. Since the onset of information security wisdom, the conventional conversation between most of the information security roles I know and their business has been varying versions of the following theme – “Give me some of the IT and risk management budgets so I can buy differing sets of information security technology and services to prevent a security incident from seriously hurting our business”.
    Budget and Expectations
    Statistics suggest the outcome of that conversation is that organisations allocate between 3% and 8% of their IT budgets specifically to information security. My experience is that the typical C level understanding of this conversation is that this spend should provide a near bulletproof fortress for their organisation's information systems and data. Unsurprisingly, when a significant security incident then occurs, my experience is that the C level reaction ranges from disbelief, indignation and denial to, in some cases, scapegoating of the IT recipients for wasteful or ineffective spend of this budget. In fairness to C level, they are not entirely to blame for these mismatched expectations.
    Plain English
    When is the last time, as an information security professional, you have sat down with C level colleagues (during the limited windows of time you have their attention) and said in plain English: “I need a minimum of 6% of the IT budget to appropriately address our identified information security risks for the coming year. Just so we are clear, neither this budget – nor indeed any amount of budget, technology or services – will prevent one or more significant information security incidents happening to our business in the short to medium term.”
    From “If” To “When”
    If we shift the conversation with the executive in our business from a vague “if it happens” to a direct “when it happens” in plain English then there can be no ambiguity. Statistics back up this “when” assertion. 43% of respondents to a Ponemon 2014 study indicated that their organisations had a data breach within the last 12 months, up from 33% in 2013.
    Significant Security Incidents
    A data breach is just one form of a significant security incident, with other events such as significant critical service outages (accidental or deliberate), significant malware outbreaks, data loss (non-disclosure) not being included in these figures. Statistics from the UK Department for Business Innovation and Skills show that when all major security incidents are counted, upwards of 81% of large businesses had a security breach in 2014. This is not a comfortable admission for an information security professional, nor is it an admission that an executive necessarily wants to hear. It’s easier to pretend that all is and will be okay and that our spend and efforts will ward off all information security ills.
    Justifying The Budget
    So how do we now justify the information security budget and our roles in light of the fact that we most likely can’t prevent a significant breach happening? Well, you finish the last conversation with the business executive along the following lines:

    “and when I get that budget we will spend it on a mix of proactive and reactive security measures, technologies and services. This will prevent, detect, mitigate and respond to information security incidents when they happen on a prioritised basis in discussion and agreement with the business, our partners, our customers and our insurers.”

    Our next blog instalment
    We take a look at types of security incidents and what it takes to protect your data.

    News

    Ward Solutions helps Laya Healthcare robustly protect the data…

    Ward Solutions, Ireland’s leading information security provider, is today announcing that it is delivering a comprehensive information security service to Laya Healthcare to protect the health insurer against emerging IT security threats and manage information security risks. The contract is valued at €120,000 over 18 months.
    Laya Healthcare provides health insurance to more than 475,000 customers across Ireland and has a team of 430 employees in Dublin and Cork. As a health insurer, it deals with large amounts of confidential data and places a high priority on safeguarding the security and integrity of all of its customers’ information.
    To ensure it has the most effective IT security systems and policies in place, Laya Healthcare appointed Ward Solutions to carry out a full risk assessment for the organisation. This has resulted in improved internal procedures and processes across all of its businesses. It has also focused IT spend on key areas which include compliance and protection of corporate reputation.
    Ward Solutions is now also providing an Information Security Officer as a Service to Laya Healthcare with the main purpose of implementing procedures that will help the organisation attain ISO 27001 accreditation. This will deliver competitive advantage in the health insurance market for Laya Healthcare, as this standard provides customers with the confidence that any risks are being effectively managed at all times and that the data of Laya Healthcare members is protected.
    Ward’s information security officer will establish, implement and improve Laya Healthcare’s ISO 27001 compliant information security management system and will reduce the costs and time to achieve successful accreditation.
    Ian Brennan, director of Information Technology, Laya Healthcare said, “We are committed to reinforcing the protection of all our confidential customer data on an ongoing basis. Ward Solutions has helped us join the dots across the organisation and has provided us with a complete overview of our information security environment. The resulting actionable reports have enabled us to become more proactive as we mitigate risk in the ever evolving security landscape.
    “Also, having a deeply experienced and qualified security expert from Ward onsite a few days a week and with a single focus, has guaranteed information security is prioritised at all times. They are helping us to build a real culture of secure protection across our business.”
    Brendan Molloy, business development manager, Ward Solutions, said, “Laya Healthcare has a very large and complex IT environment and as such its security infrastructure is intricate. We have many years’ experience working with businesses of all sizes and know how to see through this complexity to identify potential threats and recommend the best services and solutions that will suit their needs.
    “Our goal is to ensure we are doing the right thing for our customers and our specialists spend a lot of time training and researching the latest threats so that we can always provide the very best advice and support. We will continue working closely with Laya Healthcare to give them the highest levels of confidence that risk is managed appropriately.”
     

    News

    Security Consultancy take on App Dev in Grant Thornton…

    On Tuesday 2nd September a record 3,856 runners making up 964 teams took part in the third annual Grant Thornton Corporate 5k Team Challenge in the Dublin Docklands. Among them were 8 runners making up 2 teams for Ward Solutions. The event was run in aid of LauraLynn, with 10% of the entry fees going to that charity and more being raised through sponsorship of the individual teams.
    For some of us, our warm up consisted of the adrenalin pumping stress of driving from City West into the docklands, through rush-hour traffic. Arnaud had planned to take a bike from Harolds Cross – but the City Bikes had a glitch and the stations were out of order. He phoned Sinead, to say he’d be late as he had now had to walk to the docklands. Sinead was in her car by the canal, looking for a parking space in order to hop on one of aforementioned bikes. Her heart rate was close to max without running a step! But we made it in time, arriving looking like we’d finished already!
    The Ward Solutions teams, like many of the others, were made up of a mix of serious and fun runners. Team 1, the Security Consultancy team led by marathon runner Brendan Fay, were hotly fancied to take the honours. However, despite having a lower average age by 6 years, they were beaten on the night by Team 2 from Application Development and Sales. Credit must be given to the youngest runner, Xiuyuan Yu, who was drafted into Team 1 at the 11th hour in place of Richard Costelloe, who had very inconsiderately gone on holiday! Xiuyuan is a sprinter, and did well to complete the 5k course in a very respectable time. Brendan Gormley posted the best Ward time of 23:39, with Brendan Fay in 25:06 and allegedly injured Arnaud Autin with 25:09. If Arnaud posts that time while injured, he’ll be some asset when he’s recovered.
    Team 2, had a perfect blend of youth and experience. Philip Bustard led the team home in 25:53, Richard Eyres in 27:13, Brendan Molloy in 27:53 and Sinead Harrington in 30:55. Their combined scores just pipped Team 1 for bragging rights, not that we in App Dev brag – we leave that to other Ward teams.
    After a restorative cup of tea and sandwich in race headquarters in CHQ, we retired to the “Harbourmaster” for a team debrief and to plan a strategy for next year. It’s a simple one– train more, get faster! A year seems so far away – we’ll have to find another race. We’ve been bitten by the running bug.
     

    News

    Brendan Gormley secures top three placing in Irish CISM…

    Ward Solutions would like to extend hearty congratulations to Brendan Gormley, senior information security consultant and PCI specialist, on achieving one of the top three results in Ireland for a recently completed Certified Information Security Manager (CISM) exam.
    Certification from CISM promotes international security practices and recognises individuals who manage, design, oversee and assess an enterprise’s information security.
    Brendan will be recognised for his wonderful achievements at an awards ceremony at the ISACA AGM on 18th September. All of our CISM members from our Information Security Consultancy Practice team will be there to celebrate with Brendan too.
    Ward Solutions recognises that the skills and knowledge of our security consultants are a key part of our continued success. This achievement by Brendan further demonstrates our leadership position in this area. Our Information Security Consultancy Practice is the most technically proficient in Ireland, providing technical expertise, independent consultancy advice and superior quality to all of our customer engagements.
    Once again, we’d like to take the opportunity to congratulate Brendan Gormley and we hope that you will pass on your congratulations too.
    Brendan Fay, Head of Information Security Practice, Ward Solutions

    News

    Ward Solutions announces 22 new jobs and €1.8M investment

    Ward Solutions, Ireland’s leading information security provider, today announced the creation of 22 new jobs at its Dublin and Belfast offices. These jobs are being created as part of a new €1.8M investment to fund significant expansion and upgrade of all services delivered in Ward’s Security Operations Centre in Citywest, Dublin. This includes the enhancement of services such as managed security, digital forensics, e-Discovery and security analytics.
    Founded in 1999, Ward Solutions provides a comprehensive range of information security services to more than 300 customers across the island of Ireland. Key services include security consultancy, secure managed services and software development.
    Ward Solutions will begin recruitment immediately and will have all 22 new employees on board within two years. This will bring total employee numbers to 80 before the end of 2016. 16 of the new hires will be based in Citywest, Dublin and 6 will be based in its new office in Belfast city centre. The new roles will include information security engineers, developers, information security consultants, customer services and sales positions.
    The investment is focused on all areas where Ward is experiencing and anticipating growth. This includes adding significant capability to its security operations and secure managed services centre, which is being equipped with highly advanced information security technologies. This includes risk assessment, monitoring, analysis and remediation capabilities, identity and access management, online policy and compliance management, as well as the key personnel to deliver the services securely.
    Reflecting the increasing compliance and litigation demand, Ward is also enhancing its digital forensics, e-Discovery and security analytics services at both a platform and capabilities level.
    Ward Solutions has experienced an average year-on-year growth rate of 20% over the past two years and predicts that this growth will accelerate further to 30% per annum for the next two years. It expects to achieve revenues in excess of €10M by 2016.
    While most of Ward’s existing customer base is in the Republic of Ireland, it sees significant growth opportunities in Northern Ireland, following the opening of its new Belfast office. Ward also serves a small number of customers in Britain and will target considerable growth in the UK market over the next two years.
    Ward’s customer base includes a wide range of private and public sector organisations, such as CIE, Vodafone, National College of Ireland, Bord Gáis, Fleetmatics and the Department of Jobs, Enterprise and Innovation.
    Pat Larkin, CEO, Ward Solutions, comments, “This investment in new employees, technologies and services will provide us with a very solid and scalable platform to achieve our aggressive growth plans. There has been a huge rise in demand for our services as the security threat landscape has continued to evolve and become increasingly difficult for businesses to manage. Customers like the fact that they deal with a provider who can deliver on all of their information security requirements.”
    “We have the largest and most capable team of information security resources in Ireland and can mobilise quickly to solve any IT security problem. We continuously invest a lot of time and budget in R&D, developing new solutions to increase our customers’ security and compliance, and reduce the complexities caused by information security management and incidents. We’re really looking forward to bringing in new talent to our Dublin and Belfast offices to add to our existing highly experienced team. By the end of this investment, we will have the largest information security resource on the island, with the widest range of capabilities.”
     

    News

    Ward builds out leadership team to further drive growth…

    Noel O’Grady joins Ward Solutions’ executive team as Sales Director to further drive the company’s ongoing growth and development. Noel brings to the business strong commercial skills along with many years of experience in the information security sector, having previously worked with Rits, TeleCity and Fort Technologies.
    Noel joins an ever growing team at Ward and is the 9th new hire in the last six months across a variety of executive, consulting and technology roles.

    Insights

    Security Alert – Microsoft Internet Explorer 6-11 – What…

    As you may be aware, a critical security vulnerability has been found and exploited in Microsoft Internet Explorer versions 6 through 11. Until Microsoft releases a patch, here’s what the security analysts at Ward Solutions recommend users do to protect themselves and their businesses:

    1. Avoid using Internet Explorer where possible. If you must use Internet Explorer for a certain application or site, then limit your use of it to those situations only.
    2. Disable the Adobe Flash plugin, as it is required for this bug to work.

    The Microsoft Internet Explorer exploit relies on a flaw in Internet Explorer together with the presence of Adobe Flash. It does require a user to visit a malicious web page, or a web page that hosts user-provided content or advertisements. Once exploited, the flaw allows the attacker to run commands and code on the target user’s machine, with local user privileges.
    In short, this means that the latest IE bug works when an internet user clicks on a malicious link in Internet Explorer. There is no warning that something might be wrong, and clicking on the wrong link is all that it takes for your computer to be compromised. After you click on the link, malware may be installed on your computer without being noticed.
    If you would like further assistance or advice on this issue, please contact the Helpdesk on (01) 6420100 or via email at support@ward.ie
    References:
    [1] http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html “New Zero-Day Exploit…”
    [2] https://technet.microsoft.com/en-US/library/security/2963983 “Microsoft Security Advisory 2963983”

    Insights

    Advisory: OpenSSL ‘Heartbleed’ Security Alert – What it is,…

    There’s been a major security alert over the last week regarding the Heartbleed bug in OpenSSL (see the OpenSSL Advisory). A vast number of systems and sites have been affected; this is no storm in a teacup. It’s serious, and cannot be ignored.
    OpenSSL is a component used to provide secure communications protocols (HTTPS and more) for a wide variety of systems (Twitter, Facebook, remote VPNs, remote admin interfaces…) from a wide variety of vendors (Cisco, Big IP, Juniper, McAfee, Apache…), which means that it has hit a huge number of services and companies across the globe, from the likes of Google and the Canadian Revenue Agency to the shop around the corner running a simple payments page over HTTPS.
    So, what is this bug exactly?
    The flaw was discovered in the method used to implement TLS Heartbeats. These can be used to maintain long-lived TLS sessions. To create a heartbeat, either the client or the server can request some data from the other. The way they do this is to send a request with the data, and here’s the fun part, the length of the data sent [*].
    Client: Hi Server, send this back to me : Carrots, 7 letters long
    Server: Hi Client, I’m still here, proof: Carrots

    All well and good. But what if we send a short sentence, and tell the peer we sent a long one?
    Client: Hi Server, send this back to me: Car, 10 letters long
    Server: Hi Client, I’m still here, proof: Car.FHULWF

    Aha! What have we here? We get the original string back, plus an additional 7 characters of whatever was in the memory of the process after the string we sent. The protocol allows for up to 64KB of data to be requested, so the attack basically sends one byte of data and gets over 63,000 extra ones back.
    This could be anything in the memory of the process being compromised – other web pages, secure pages, usernames, passwords, your private SSL keys…. it’s serious. As an example, the Canadian Revenue Agency has determined that approximately 900 Social Insurance Numbers were leaked due to this bug, and Yahoo! were reported to be leaking usernames and passwords of their users before they had patched as well.
    You don’t need to authenticate against the server to do this, so there’s no need to know any existing secrets or to have an existing account. Worst of all, there’s every chance that it won’t be logged either as the session does not need to even request any actual web pages.
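    The two exchanges above, as an added example in C that is not from the original post or from OpenSSL’s own code: a toy heartbeat responder with the unchecked length handling beside the bounds-checked form. The record layout follows RFC 6520; the `conn_mem` struct, the “SECRET:hunter2” bytes and the claimed length of 40 are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

#define HB_PADDING     16     /* RFC 6520: at least 16 bytes of padding */
#define HB_MAX_PAYLOAD 16384  /* a heartbeat must fit in one TLS record */
#define CLAIMED_LEN(p) (((unsigned int)(p)[1] << 8) | (p)[2])

/* Heartbeat layout (RFC 6520): type(1) | payload_length(2, big-endian) |
 * payload | padding(>=16). This struct stands in for process memory: the
 * received record sits at the front of buf and unrelated data follows it. */
struct conn_mem {
    unsigned char buf[256];
    size_t record_len;        /* bytes actually received for this record */
};

/* Vulnerable pattern: the peer-supplied length is trusted, so memcpy reads
 * past the end of the record into whatever sits next in memory. */
size_t heartbeat_respond_unchecked(const struct conn_mem *m,
                                   unsigned char *out, size_t out_cap)
{
    unsigned int n = CLAIMED_LEN(m->buf);
    if (n > out_cap) return 0;     /* only the destination is bounded */
    memcpy(out, m->buf + 3, n);    /* the source bound is never checked */
    return n;
}

/* Hardened pattern (the kind of check the fixed version performs): the
 * claimed length must fit inside the bytes actually received, else discard. */
size_t heartbeat_respond_checked(const struct conn_mem *m,
                                 unsigned char *out, size_t out_cap)
{
    if (m->record_len < 1 + 2 + HB_PADDING) return 0;
    unsigned int n = CLAIMED_LEN(m->buf);
    if (n > HB_MAX_PAYLOAD || n > out_cap) return 0;
    if (1 + 2 + (size_t)n + HB_PADDING > m->record_len) return 0;
    memcpy(out, m->buf + 3, n);
    return n;
}

/* Constructed input: payload "Car" with whatever length the sender claims,
 * and a constructed secret placed in memory directly after the record. */
void build_example(struct conn_mem *m, unsigned int claimed)
{
    memset(m->buf, 0, sizeof m->buf);
    m->buf[0] = 1;                            /* heartbeat_request */
    m->buf[1] = (unsigned char)(claimed >> 8);
    m->buf[2] = (unsigned char)(claimed & 0xff);
    memcpy(m->buf + 3, "Car", 3);
    m->record_len = 1 + 2 + 3 + HB_PADDING;   /* 22; padding left as zeros */
    memcpy(m->buf + m->record_len, "SECRET:hunter2", 14);  /* offset 22 */
}

/* 1 if the unchecked responder echoes the adjacent secret back, else 0.
 * Copying from offset 3 lands the secret (buf offset 22) at out offset 19. */
int unchecked_leaks_secret(void)
{
    struct conn_mem m; unsigned char out[256];
    build_example(&m, 40);                    /* sent 3 bytes, claimed 40 */
    size_t n = heartbeat_respond_unchecked(&m, out, sizeof out);
    return n == 40 && memcmp(out, "Car", 3) == 0
                   && memcmp(out + 19, "SECRET:hunter2", 14) == 0;
}

/* Bytes the checked responder returns for a given claimed length. */
size_t checked_response_len(unsigned int claimed)
{
    struct conn_mem m; unsigned char out[256];
    build_example(&m, claimed);
    return heartbeat_respond_checked(&m, out, sizeof out);
}
```

    The unchecked copy stays inside the 256-byte toy buffer here, which is exactly why the leak is visible: in a real process the bytes after the record are whatever the server last handled.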
    So what do I do?
    You need to do three things, in this order:

    • Patch
    • Re-generate your private keys, revoke and re-issue your SSL certificates
    • Change your passwords for the affected services

    Right, I’m convinced. But what do I patch?
    At the most basic level, you need to patch OpenSSL, which is the root cause of the issue. This affects all versions of OpenSSL from 1.0.1 to 1.0.1f. A fix has been released in version 1.0.1g, and older versions are NOT affected. The catch here is that OpenSSL is a component of other systems, and as it is an open source product, it can be (and has been) included in other commercial systems. The key to tracking down what needs to be patched is your software and hardware inventory which, in conjunction with vendor advisories, will help you narrow down what needs to be updated. For our own managed service customers, we maintain inventories that have enabled us to rapidly identify and update our customers’ systems. Without such lists, you will need to treat anything serving or terminating an HTTPS connection as suspect until you can examine it and prove otherwise. Vendor advisories are also critical, as you may have no way of knowing what a commercial system is using to terminate HTTPS until your vendor can confirm it.
    As a starter, the following systems are known to be affected:

    • Big IP F5 (versions greater than 11.0, or if using COMPAT ciphers)
    • FortiOS 5 and up
    • Aruba 6.3.x, 6.4.x
    • CentOS and Red Hat Linux 6.5 and greater using stock OpenSSL libraries
    • Debian Linux 7 and up when using stock OpenSSL libraries

    Other vendors have reported in the negative for issues (e.g. Checkpoint) or have yet to respond. We strongly recommend that everyone should check their environments for this vulnerability.
    References:
    http://xkcd.com/1354/
    http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
    http://heartbleed.com
    http://security.stackexchange.com/questions/55116/how-exactly-does-the-openssl-tls-heartbeat-heartbleed-exploit-work