    The 5 Pillars That Ensure Practical and Sustainable Incident…

    Welcome to our final blog in this particular information security series where we bring you pillars 4 and 5 that will ensure practical and sustainable incident response within your organisation.
    4. Resources and accountability
    As with all plans and processes, an incident response plan is useless unless it has adequate resources and accountable roles. The incident response resource pool needs to be staffed by interested and willing stakeholders from all levels in the business, with suitable skills and tools.
    It needs to cover all identified roles, from technical and investigative staff through incident supervisors, communications and public relations, legal, HR and the heads of impacted business units, across any associated geographic spread.
    Organisations frequently forget to include, consider and contract relevant key suppliers, service providers, partners and customers in their plan. Organisations also need to consider the tools they might need. Smart tool selection on the part of information security means that tools for incident handling are part of your prevention/mitigation strategy. It also means they have an important role to play in detection and incident handling, giving you best bang for your euro.
    The tools you need to ensure information security:

    Purpose: Detection
      • Database Activity Monitoring (DAM)
      • IPS/IDS
      • SIEM
      • DLP
      • Anti-malware (endpoint, gateway)

    Purpose: Analysis / Investigation
      • Network forensics
      • Digital forensics
      • Network analysis
      • Systems management and monitoring tools
      • Provisioning tools
      • Log management, analysis and audit tools

    Purpose: Incident Management
      • Incident case management tools (mobile, cloud and on-premise)
      • Support, ticketing and tracking tools
      • Knowledge base and support tools
      • Incident management extensions to detection tools
      • Collaboration and workflow environment
      • Communications technology: phones (fixed and mobile), conferencing, mobile devices (laptops, tablets, PDAs)
      • Incident management training tools

    Purpose: Prevention/Mitigation – most standard information security technologies, such as:
      • Firewalls, WAFs, UTMs, NGFW
      • Web and email gateways
      • Anti-virus / anti-malware (endpoint, application)
      • AET/APT mitigation technologies such as quarantine
      • SIEM
      • IPS/IDS
      • Network and endpoint DLP
      • DAM
      • Encryption
      • Vulnerability management and AST
      • Configuration and patch management
      • Identity and Access Management

    5. Sustainability
    Any Incident Response process should be part of your day-to-day operations, from small through to critical information security incidents. Your process simply needs to be scalable, flexible and appropriate.
    For example, a minor malware infection on a single unimportant workstation might not warrant C level notification, rolling out the in-house solicitor and the PR machine. However, if you follow a standardised process for each incident, then you are continuously validating and refining your process and skills for the big incidents, and consistently improving your prevention and mitigation by applying lessons learned.
    Our Advice…
    The bottom line: Change the conversation within your business, acknowledge that significant security incidents will occur. Mobilise your business to hone your response efforts beyond simple DRP to cover all likely information security incident scenarios in equal measure to prevent, detect and reduce the costs of a breach to your business. The alternative is an immature incident response approach, costing up to 20 times more to rectify. That’s an alternative that your business doesn’t need. Plan ahead and protect your future.


    The 5 Pillars That Ensure Practical and Sustainable Incident…

    Welcome to the fourth blog in our information security series where we guide you through five pillars that will ensure a successful incident response programme for your organisation.

    In our experience, organisations tend to over-complicate their approach to incident response. The pitfalls we have come across are creating silos, impractical approaches, and poor and complicated communication with the business (before, during and after), resulting in an ineffective response capability, weak management commitment, and little or no resources or agreed plan to act.

    IT incident response is really simple if you approach it clinically. It is about:

    Restoring normal business operations dependent on Information Systems that have been disrupted by some incident, as quickly as possible with minimal impact to the business, and preventing similar incidents from having significant impact on the business in the future.

    1. Gain executive support

    You need a simple and effective communication plan to make the executive aware of the overall risk, impact and likelihood of incidents occurring to the Information Systems of the business. Achieve awareness by using strategic language and a manner that is appropriate and relative to an executive. Use language such as AETs, SIEMs, CSIRTS etc. and you will have lost them. However, expressing the impact of downtime of your e-commerce channel in €XX,000’s per hour with an externally validated high likelihood of a sustained outage as a result of significant underinvestment in securing this channel will get their attention.

    What you want from the executive is a mandate for your plan to address those risks proactively and reactively. You also want one or more executive sponsors permanently attached for the sustainability and operation of your incident response plan, as well as your overall Information Security Management System. In our experience, Business Continuity Programmes or Disaster Recovery programmes are terms and concepts that executives are more than aware of at a business governance level. Therefore they typically gain easier acceptance and sponsorship.
    IT and IT security often miss an opportunity to “Trojan horse” the broader set of security risks and incidents, and incident response, under BCP or DRP umbrellas (and budgets), by being too narrowly focused on “disaster” scenarios only, rather than including all important information security incidents that have the potential to significantly impact the business.

    2. Defined and agreed objectives and scope

    Organisations that have mature Incident Response capabilities typically have crystal clear objectives for their response plan and understand the scope of the systems and processes that need to be managed under the plan. They can also articulate relevant objectives to all levels of the business in a compelling fashion.

    3. Documented, communicated, workable process and plan

    Your organisation’s Incident Response process and plan should be well documented and communicated. It should be backed by simple policy and procedures and cover all of the following major phases of incident response, which we detail below.

    Communication Phase

    This is not so much a distinct phase as a critical requirement through all phases, including prior to the incident. An effective communication plan tells the right people when things are normal and when they are not. It tells the right people the right amount of information at the right time. A good plan won’t over-dramatise events, as this risks “crying wolf” syndrome. It should also tell people what is needed or what they need to do at key points in time, and it should follow up and close the loop. Communication should orchestrate the plan when an incident is occurring.
    Information Security should take its lead from other compliance roles, such as health and safety. Your incident response communication plan should also communicate the effectiveness of your prevention/deterrence actions by outlining how long you have been without significant Information Security incidents. That way information security and your incident response plan stay on the agenda all the time!

    Detection Phase

    Review your detection mechanisms to ensure you are minimising your exposure time and that the incident is real, i.e. not a false positive.

    Assessment & Triage Phase

    Figure out what is going on and determine the immediate actions to try to achieve your objectives. Remember that the typical goal is to restore services in the shortest time with minimal impact. There may be a low-risk quick fix that achieves this without waiting to follow the subsequent phases. However, the Hippocratic oath is relevant in this context: whatever you do, “first do no harm”.
    This phase might also need some level of detailed forensic investigation to try to pinpoint the source and impact of the problem, and possibly to preserve evidence for legal, civil or compliance litigation purposes.

    Mitigation Phase

    Once you have a fuller picture of what is happening, work to put in place a sustainable solution to address the problem. Speed is typically of the essence to minimise impact so you may need a phased plan for short and longer term mitigation.

    Recovery Phase

    Recovery is the execution of the process to restore business as usual (BAU), enabled by the mitigation.

    After Action Review Phase

    Continuous improvement means that once you have learned key lessons from the incident, the organisation takes the lessons on board and puts in place the necessary systems, resources and processes to prevent similar incidents occurring or having impact in the future.
    CISOs or CIOs can usually make the “unanticipated incident” justification for significant events once, or maybe twice, in their careers within an organisation. Organisations and their IT functions have traditionally been shy about sharing the fact that they have had a security incident, whether within the organisation or with affected parties. As part of “changing the conversation” (see the first blog in this series, Change The Conversation From “If” to “When”), wouldn’t it be really refreshing to get an email from your service provider along the following lines:

    “Dear valued customer,
    Today we had a sustained outage of over 2 hours resulting from a denial of service attack originating from a compromised set of computers in data centres in Asia, targeting our online store. From our investigations none of your data was compromised during the incident as the result of strong security measures that we have put in place since our inception. Since the denial of service attack, we have further revised our other perimeter security solutions and we have put in a best of breed DDoS service.
    Though similar and other attempted attacks are continuing, our service is back to near normal. We will continue to work with our ISPs and local and regional law enforcement to ensure the continued protection of your data in any future security incident.”

    I would trust and value that level of honesty from my internal or external service provider far more than sustained silence or a one line notification of an outage with an apology.

    Pillars 4 and 5

    We’ll leave you with that wealth of information this week. Next week, we bring you the final two pillars that will ensure practical and sustainable incident response. In the meantime, follow our posts on Twitter and LinkedIn to keep up to date with information security.


    What An Incident Security Plan Could Mean For Your…

    Welcome to our third blog in this short series, which takes a look at the varying costs of security incidents, which depend on the strength of the response put into place. Well documented research and evidence from reputable organisations such as Ponemon points to the all-in costs per record of a data breach/data loss incident – ranging up to €160 per record per incident – for organisations that don’t have a well documented and rehearsed security incident response plan.
    Bringing Down The Cost
    For organisations that invest in well-developed and rehearsed security response plans prior to the loss or breach – they can potentially bring those costs down to an average of €13 per record breached or lost.
    So the range of costs for say a 20,000 record breach would be €3.2M for a company with an immature incident response plan to €260,000 for an organisation with a mature incident response plan. Both sets of cost are significant, however it is up to 20 times more expensive for the same scale of breach for organisations with an immature incident handling process.
    In Our Experience…
    Our experience of helping customers to respond to such incidents backs up this research. Responding to incidents where an organisation is not prepared is typically a car crash scenario. Unplanned reactions in a lot of cases aggravate the incident both at a technical and business level. How many clumsy media statements have we seen from organisations undergoing an incident?
    Anxious to respond to the media pressure of the initial incident, they later have to row back with press releases and customer communication details, confirming that they don’t know the basics of what, how, how many, who, when or for how long?
    Helpful Response Plans
    Helping organisations who have a thorough, documented, rehearsed and maintained incident response plan is different. The incident still happens, but the organisation goes through phases of incident response in a structured and well executed manner.
    People throughout the business understand their roles and responsibilities. Communication channels are clear. External agencies and suppliers are identified and notified. Legislative responsibility is understood. These organisations typically minimise their exposure time, minimise the likelihood of aggravating actions, minimise data loss and restore normal service and business faster.
    They also usually preserve or maintain digital evidence so that the event can be investigated properly, and prosecutions (civil, criminal or other) can be brought successfully if required.
    Competence Intact
    Most importantly, despite a potentially damaging event, the organisation appears competent, thus reassuring its customers and partners, and stands a better chance of surviving the incident and improving its security processes in the future.
    Next Week…
    We talk you through what your Incident Response plan should include and how best to maintain it.


    What It Takes To Really Protect Your Data


    As security professionals, we understand and focus on proactive and reactive security measures and technologies, concentrating the majority of our efforts on trying to prevent and detect incidents. We understand and are comfortable with prevention technologies such as firewalls, perimeter gateways, endpoint protections technologies, DLP and IPS systems.

    Familiar Focus

    We are familiar with auditing and testing the environments, writing policies and training users. We then tend to focus our next effort on detection solutions such as IDS, quarantine/AET/APT and SIEM systems.
    Psychologically these detection solutions are less appealing to us as they are an explicit acknowledgement that our prevention strategy will most likely fail. Nonetheless we are keen to detect in order to reduce our exposure time and minimise the impact of breaches. All of these solutions and services may be perfectly valid, appropriate and justifiable to help reduce the impact of likely security incidents as part of a structured Information Security Management System.

    Response

    The area that tends to receive least focus is the “respond” piece. Organisations develop and rehearse Disaster Recovery plans, either on their own or as part of business continuity plans, because financial auditors and insurers mandate it. Organisations tend to leave their response efforts there – compliance box ticked.

    Disaster recovery response is planned for one specific scenario, covering a set of specific security incidents. There are lots of other security incidents, such as data breach or data leakage, malware or ransomware outbreak, and loss of critical service (accidental or DoS/DDoS), that might not require or invoke any disaster recovery protocols. They still warrant a carefully documented and rehearsed IT and business-wide response.

    Next time…

    In our next blog, we use our specialist security knowledge to tell you the importance of a thorough, reliable incident security plan.


    Change The Conversation From “If” to “When” And Save…

    Information Security: Protecting Your Future
    Welcome to our four-part series on information security in business. We discuss security risks, managing an incident and preventing serious damage to your organisation while keeping your competence intact.
    Using our extensive experience, we show you potential savings that come with a thorough security incident plan. We will also let you know what your Incident Response plan should consider and how best to maintain it.
    Across each blog, we use our significant security expertise to guide you in making the best decisions when it comes to protecting your organisation.
     

    Part 1: Change The Conversation From “If” to “When” And Save Your Business Significant Costs

    Welcome to our first information security blog. Since the onset of information security wisdom, the conventional conversation between most of the information security roles I know and their business has been varying versions of the following theme – “Give me some of the IT and risk management budgets so I can buy differing sets of information security technology and services to prevent a security incident from seriously hurting our business”.
    Budget and Expectations
    Statistics point to the outcome of that conversation being that organisations allocate between 3% and 8% of their IT budgets specifically to Information Security. My experience is that the typical C level understanding of this conversation is that this spend should provide a near bulletproof fortress for their organisation’s Information Systems and data. Unsurprisingly, when a significant security incident then occurs, my experience is that the C level reaction ranges from disbelief, indignation and denial to, in some cases, scapegoating of the IT teams that received the budget for wasteful or ineffective spend of it. In fairness to C level, they are not entirely to blame for these mismatched expectations.
    Plain English
    When is the last time, as an Information Security professional, you have sat down with C level colleagues (during the limited windows of time you have their attention) and said in plain English – “I need a minimum of 6% of the IT budget to appropriately address our identified Information Security risks for the coming year. Just so we are clear, neither this budget, nor indeed any amount of budget, technology or services, will prevent one or more significant Information Security incidents happening to our business in the short to medium term.”
    From “If” To “When”
    If we shift the conversation with the executive in our business from a vague “if it happens” to a direct “when it happens” in plain English then there can be no ambiguity. Statistics back up this “when” assertion. 43% of respondents to a Ponemon 2014 study indicated that their organisations had a data breach within the last 12 months, up from 33% in 2013.
    Significant Security Incidents
    A data breach is just one form of a significant security incident, with other events such as significant critical service outages (accidental or deliberate), significant malware outbreaks, data loss (non-disclosure) not being included in these figures. Statistics from the UK Department for Business Innovation and Skills show that when all major security incidents are counted, upwards of 81% of large businesses had a security breach in 2014. This is not a comfortable admission for an information security professional, nor is it an admission that an executive necessarily wants to hear. It’s easier to pretend that all is and will be okay and that our spend and efforts will ward off all information security ills.
    Justifying The Budget
    So how do we now justify the information security budget and our roles in light of the fact that we most likely can’t prevent a significant breach happening? Well, you finish the last conversation with the business executive along the following lines:

    “and when I get that budget we will spend it on a mix of proactive and reactive security measures, technologies and services. This will prevent, detect, mitigate and respond to information security incidents when they happen on a prioritised basis in discussion and agreement with the business, our partners, our customers and our insurers.”

    Our next blog instalment
    We take a look at types of security incidents and what it takes to protect your data.


    Did someone just steal my password again?

    I was reflecting on last week’s news that a Russian gang had stolen over 1.2 billion passwords from 420,000 different sites, mainly through security vulnerabilities exposed using code injection techniques such as SQL injection. Although there is some scepticism to the veracity of this story, it’s clear that large scale security breaches are becoming more and more prevalent.
    For example: in 2011, Sony announced that the personal details of over 100 million accounts were compromised. In December 2013 we learnt that Target (a large American retail chain) was hacked, resulting in over 40 million credit cards and 70 million addresses being compromised. In May of this year, eBay announced that 145 million accounts were compromised in a massive hack. These are not quite ‘tip of the iceberg’ stories, but there are lots of further examples out there, some closer to home.
    What do you as a user do?
    So as a user when you hear these stories what should you do? Well the best reactive measure when you hear that a website where you have an account has been hacked is to change your password immediately. However even before that happens, and hopefully it won’t, there are some guidelines to help minimise your exposure.
    1. Use strong passwords, ideally a minimum of 8 characters with combination of upper and lower case letters, numbers and symbols.
    2. Don’t use the same password for different sites. The issue here is that a compromised account on one site may lead to your account on another site also being vulnerable.
    3. Use 2 factor authentication where possible. A number of online services now offer alternatives to passwords, see here for further details.
    4. It’s difficult to remember lots of different usernames and passwords so consider using a local password manager or wallet.
    5. Change your password at regular intervals.
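As an added example that is not code from the original post, the Python script below applies guidelines 1 and 2 inside a minimal stand-in for the local password manager mentioned in guideline 4, and also works out which passwords to change after one site is breached (the reactive advice at the top of this section). The Vault class, the site names and the passwords are all constructed for this demonstration and do not represent any real product.

```python
# Added example, not code from the original post: a minimal stand-in for a
# local password manager that applies guidelines 1 and 2 above and works out
# which passwords to change after a site is breached. The Vault class, the
# site names and the passwords are constructed for this demonstration.
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8  # guideline 1: at least 8 characters
CHARACTER_CLASSES = {  # guideline 1: upper and lower case, numbers and symbols
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def policy_failures(password: str) -> list:
    """Return the guideline-1 requirements the password does NOT meet (empty if it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            failures.append(f"no {name} character")
    return failures


@dataclass
class Vault:
    """Constructed stand-in for a local password manager: maps site -> password.
    (A real manager encrypts this store at rest; that part is out of scope here.)"""
    entries: dict = field(default_factory=dict)

    def reused_on(self, password: str, site: str) -> list:
        """Guideline 2: other sites in the vault already using this password."""
        return sorted(s for s, p in self.entries.items() if s != site and p == password)

    def store(self, site: str, password: str) -> list:
        """Save the password only if guidelines 1 and 2 hold; return the problems found."""
        problems = policy_failures(password)
        problems += [f"already used for {s}" for s in self.reused_on(password, site)]
        if not problems:
            self.entries[site] = password
        return problems

    def sites_to_rotate(self, breached_site: str) -> list:
        """Breach response: change the breached site's password and, because a
        password compromised on one site puts every site sharing it at risk
        (guideline 2), the password of each of those sites as well."""
        compromised = self.entries.get(breached_site)
        if compromised is None:
            return []
        return sorted(s for s, p in self.entries.items() if p == compromised)


if __name__ == "__main__":
    # Constructed vault in which one password has been reused on two sites.
    vault = Vault(entries={"shop.example": "Summer2014!", "forum.example": "Summer2014!"})
    print(policy_failures("password"))                 # what a weak password is missing
    print(vault.store("bank.example", "Summer2014!"))  # refused: reuse detected
    print(vault.sites_to_rotate("forum.example"))      # both sites after a forum breach
```

The reuse check only works because the manager can see all of a user's passwords in one place; no individual website can tell that its password is also used elsewhere, which is why guideline 2 has to be enforced on the user's side.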
     
    What do you as an organisation do?
    First, work on prevention: security should be part of your strategic thinking, so adopt a security approach designed to protect you by reducing the attack surface you present. This typically results in deploying a range of security solutions such as firewalls, intrusion prevention systems and advanced threat detection systems. Once these are in place, perform threat-based risk and vulnerability assessments at regular intervals to determine just how well your defences are working and what other forms of protection you may need. Finally, as a last line of defence, have security information and event management solutions in place to quickly identify if someone is trying to compromise you and how they are doing it.
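The last sentence above is easier to picture with a concrete rule. The Python script below is an added example, not code from the original post or from Ward: it parses authentication log lines in a constructed format and raises an alert when one source address accumulates many failed logins across several different accounts within a short window, which is what bulk trial of stolen or reused credentials looks like from the defender's side. Requiring several distinct accounts before alerting keeps a single user who keeps mistyping their own password from triggering it, the false-positive concern raised in the Detection Phase earlier on this page. The log format, the thresholds, the IP addresses and the account names are all assumptions made for this demonstration.

```python
# Added example, not code from the original post or from Ward: a small
# SIEM-style detection rule that reads authentication log lines and alerts
# when one source address racks up many failed logins across several
# accounts in a short window. The log format, the thresholds, the IP
# addresses and the account names are all constructed for this demonstration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log line shape: "<ISO timestamp> auth FAIL|OK user=<name> src=<ip>"
LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(line: str):
    """Parse one log line into a dict, or return None for a line of unknown shape."""
    m = LINE.match(line.strip())
    if not m:
        return None  # skip rather than guess at malformed input
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect(lines, window=timedelta(minutes=5), max_failures=10, min_accounts=3):
    """Return one alert per source, raised the first time that source has at least
    `max_failures` failed logins against at least `min_accounts` distinct accounts
    inside `window`. The distinct-account requirement keeps a single user who
    keeps mistyping their own password from tripping the rule (a common false positive)."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures still inside the window
    alerted = set()
    alerts = []
    for raw in lines:
        event = parse(raw)
        if event is None or event["result"] != "FAIL":
            continue
        q = recent[event["src"]]
        q.append((event["ts"], event["user"]))
        while q and event["ts"] - q[0][0] > window:  # drop failures that have aged out
            q.popleft()
        accounts = {user for _, user in q}
        if (len(q) >= max_failures and len(accounts) >= min_accounts
                and event["src"] not in alerted):
            alerted.add(event["src"])
            alerts.append({"src": event["src"], "failures": len(q),
                           "accounts": sorted(accounts), "at": event["ts"].isoformat()})
    return alerts


# Constructed sample log: three sources with different behaviour.
_BASE = datetime(2014, 8, 12, 9, 0, 0)


def _fail(offset_seconds, user, src):
    return f"{(_BASE + timedelta(seconds=offset_seconds)).isoformat()} auth FAIL user={user} src={src}"


SAMPLE_LOG = (
    [_fail(10 * i, "alice", "10.0.0.5") for i in range(12)]                 # one account, 12 failures: noisy user, no alert
    + [_fail(15 * i, f"user{i % 6}", "203.0.113.9") for i in range(12)]     # 6 accounts, 12 failures in 3 minutes: alert
    + [_fail(180 * i, f"staff{i % 4}", "198.51.100.7") for i in range(10)]  # 10 failures spread over 27 minutes: never 10 in one window
    + [f"{_BASE.isoformat()} auth OK user=bob src=10.0.0.8", "not a log line"]
)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints a single alert for 203.0.113.9; the noisy single user and the slow, spread-out source stay quiet. Lowering `min_accounts` to 1 makes the rule fire on the single user too, which shows why that second threshold is worth keeping when tuning a rule like this against real logs.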


    Making the move to secure managed information services

    For years, successful business strategies have been built around the concept of focus. Smart companies keep their operations one hundred percent focused on what is core to their business; they invest in building up expertise, experience and skills in these areas and partner with others for services that fall outside of that core.
    When it comes to information security, outsourcing is a trend that is rapidly emerging in the Irish market. As information security becomes more complex and needs deeper and broader expertise, many companies are choosing to partner with experts in this field so that they can stay focused on what’s vital to their business while staying secure.
    Here’s what it looks like:
    All you can eat: Information Security Officer as a Service (ISOaaS)
    As the whole arena of information security, both internal and external, has become more complex, so too has the depth and breadth of skills needed to tackle it.  Today, the range of expertise and skills required to keep a business and its information secure simply no longer exists in any single person.
    So what do you do? Build up a large team of in-house experts with the diversity and range of skills you need? For most organisations this is simply not financially viable or commercially feasible. In fact it simply doesn’t make sense, as demand for such expertise is most likely to peak and trough rather than be a constant flow. What forward-looking operations are moving towards is an on-demand service: the ability to access the skills they need when demand is at its peak, for example when the business is:

    • designing, developing and launching a new application or service
    • reassessing its information security strategy
    • updating its policy libraries
    • dealing with an actual information security incident
    • performing an urgent compliance work programme pre or post audit
    • assessing some particular security technology and its application

    with the flexibility to put resources “on hold” when demand is low.
    At Ward we have seen clients struggle with trying to balance the skills, resource supply and demand.  So we created our “Information Security Officer as a service” offering – it’s a first for the market.
    What this means is that clients get access to the talent they need – specialised resources at the cutting edge of information security – as and when they need it. People who not only understand information security but who also understand our clients’ business environment, and who can work as trusted professionals, part of their in-house team, for as long or as short as needed.
    In our world of on-demand services it makes sense that companies should be able to access first-class information security services that can ebb and flow to match the needs of their business.

    The house menu: End-to-End Secure Managed Service
    It’s a simple fact – sometimes something is just so very important that it makes strategic sense to make it the sole focus and priority of one group of focused people.
    As managing information security gets more complex, taking a piecemeal approach to the security of critical information applications – from design and build to the ongoing management and operation –  can leave companies open to potential security cracks and gaps.
    So what’s happening?  In short, what we see are many businesses starting to outsource the full end-to-end secure management of critical information assets within their business.  One partner, one team and one set of experts fully responsible for every aspect of securely managing the service – from

    • building the application
    • deploying the application
    • operating the application
    • managing the integrity of the business logic and process workflows surrounding the application

    Where a business is reliant on an application or service whose daily operation needs to be close to flawless in terms of the security of the sensitive information it handles, the integrity of the processes it runs and the availability of the service it provides – focusing one set of dedicated people to the task who live and breathe little else – makes smart business sense.
    It’s what we here at Ward refer to as our end-to-end secure managed services offering and it’s one of the services our clients thank us most for!
     
    À la carte: Select and Secure
    As no two companies are the same it makes sense that there is no one size fits all approach when it comes to what organisations need in relation to information security services.   For some it is the intermittent access to resources to manage the peaks and troughs of demand.  For others it is the full outsourcing of the secure management of a critical information asset or the outsourcing of one aspect or niche service of their information security requirements.  
    So here at Ward we try to be as flexible as people need us to be.  That’s why we have what we call an “À la carte” secure managed services offering for companies who need it.  In short this works for organisations who want a partner that will look after one aspect of the operation’s information security requirements – be that a compliance aspect or a particular security service that requires niche expertise.
    For example – one trend emerging is the outsourcing of log management and security information event management (SIEM) driven compliance obligations such as PCI.   In this case the sheer volume of work involved in monitoring and reviewing all event logs along with proactively acting upon any identified anomalies makes handling SIEM internally a resourcing nightmare for many IT departments.
    The increasing complexity of the information security landscape – internally and externally – along with rising regulatory obligations means that for many it make sense to outsource some or all of the organisation’s information security requirements to those who make it the sole focus of their business.
    At Ward we have watched this trend organically emerge in the market and what we have done is create a comprehensive and flexible range of services to best support what businesses need.
    For more information on secure managed services or any information security issue, call us on (01) 642 0100.
    This document is for general guidance only and should not be regarded as a substitute for professional advice.


    Irish Independent Article (May 15th)

    Making the move – why Irish businesses are turning to managed information security services in the battle to protect their companies and customers from the upward spiral of security incidents.
    Like many things in the world today, the arena of information security is becoming more complex on a daily basis. While it’s natural (and partially true) to think the complexity is being driven by the increasing volume and sophistication of external threats, this is really only half the picture. Any IT executive who is responsible for information security knows only too well that the changing nature of the business environment itself brings to the table a new raft of complexities that impact information security. From the adoption of cloud and managed services to increased compliance obligations, bring your own device and rapidly evolving malware attacks, there is little doubt that information security issues are on the rise.
    With this comes increasing demands on IT departments to protect their operations in an environment that is in constant flux.
    As a result executives are starting to re-evaluate their information security strategies and look for new ways forward. One trend that has emerged is that of “security as a service”.
    Pat Larkin and Paul Hogan are co-founders of Ward Solutions, a company that specialises in the area of information security.  Here are some information security trends that they see emerging in the Irish market place.
    Information Security Officer as a Service (ISOaaS)
    Increased information security complexity – internal and external – means an increased need for expertise. The range of expertise and skills that the information security role requires can no longer exist in any single resource. The question is whether you need that expertise on a 24×7 basis. The answer is sometimes yes and sometimes no. In most businesses there are certain times when the company needs at its fingertips access to the best and brightest brains in the area of information security. This might be when the business is designing, developing and launching a new application or service, reassessing its information security strategy, updating its policy libraries or dealing with an actual information security incident. The need for deep and extensive expertise at intermittent intervals is creating a real demand for “security as a service” type offerings. For one, security as a service makes better economic sense than hiring an extensive in-house team full time, but more importantly it enables the business to access specialised resources that are at the cutting edge of information security trends and innovations.
    "What we see in the market is a real demand from clients who want to be able to tap into a comprehensive range of information security skills when and where they need them. They want to have a trusted partner that they can call upon, one that knows their business and can be part of their team for as long as is required. This demand has led us to create our Information Security Officer as a Service offering for clients. On an ongoing basis we supply clients with access to the best in the business with predictable service levels and costs, so that they don't have to build and maintain full-time in-house expertise," explains Pat Larkin.
    Managed Security Service 
    From Start to Finish 
    There is little doubt about the fact that IT is a critical service provider within most businesses today. There is growing recognition that the field of information security is a very specific part of the overall IT operation, one that is highly important and that requires deep and constantly evolving levels of expertise.
    With this recognition comes a realisation that, for some organisations where critical information assets are involved, the best strategy forward is to outsource the end-to-end information security management of those assets to an expert in the field.
    What does this mean? Put simply, it means contracting the ongoing services of an information security expert to manage all aspects of a critical information asset within your business: someone who can securely build the application, then deploy and operate it on an ongoing basis. A partner who is responsible not only for the security of the application but also for the security and integrity of the business logic and process workflows that surround it; in short, the end-to-end secure management of an application or service that is critical to the business in terms of confidentiality of data, integrity of process and availability of service.
    "With the growing internal and external complexities around information security, fewer and fewer companies are willing to take risks when it comes to critical information assets within their business. With this comes a realisation that information security is simply not a core competency that they have. What they want is to partner with someone who is 100% focused on this area so that they can rest assured they have done the utmost to protect their business and their customers," explains Pat.
    Selective Services
    For some companies the growing trend is to turn towards managed services for certain selected information security services.  Whether the internal driver is compliance or critically important assets the approach remains the same. Rather than bring the skill set in-house, the company chooses to outsource to a managed service provider.
    One trend emerging is the outsourcing of log management and security information and event management (SIEM), driven by compliance obligations such as PCI DSS. The sheer volume of work involved in monitoring, reviewing and taking action to address identified anomalies makes handling SIEM internally a nightmare for many IT departments.
    "For some businesses, certain regulatory requirements not only require a specialist skill set but are also highly labour intensive and time consuming. More and more we see businesses looking externally for managed services to support their regulatory obligations on an ongoing basis. It makes sense to outsource what is not core to your business," comments Pat Larkin.
    Managed information security services are a growing trend in both the local and global markets, with more and more businesses turning to third-party suppliers to procure specialist services that are simply difficult and costly to build in-house.
    Ward Solutions has been in the business of information security for over 15 years. The company has a team of over 60 security professionals working with over 250 clients in Ireland. It is the trusted information security partner for companies such as CIE, Laya Healthcare, Vodafone, National College of Ireland, Bord Gáis, Fleetmatics and the Department of Jobs, Enterprise and Innovation.
    For more information visit www.ward.ie or contact Pat Larkin on (01) 642 0100

    Security Alert – Microsoft Internet Explorer 6-11 – What…

    As you may be aware, a critical security vulnerability has been found, and is being exploited in the wild, in Microsoft Internet Explorer versions 6 through 11 (Microsoft Security Advisory 2963983 [2]). Until Microsoft release a patch, here is what the security analysts at Ward Solutions recommend users do to protect themselves and their businesses:

    1. Avoid using Internet Explorer where possible. If you must use Internet Explorer for a certain application or site, then limit your use of it to those situations only.
    2. Disable the Adobe Flash plugin in Internet Explorer. The underlying flaw is in Internet Explorer itself, but the exploit seen in the wild uses Flash to bypass Windows' exploit mitigations, so removing Flash blocks the known attack even though it does not fix the vulnerability.

    The exploit relies on a flaw in Internet Explorer together with the presence of Adobe Flash [1]. It does require the user to visit a malicious web page, or a legitimate web page that hosts user-provided content or advertisements. Once exploited, the flaw allows the attacker to run commands and code on the target user's machine with that user's privileges; if the user is a local administrator, so is the attacker [2].
    In short, this means that the latest IE bug works when a user opens a malicious link in Internet Explorer. There is no warning that something is wrong; opening the wrong link is all it takes for the computer to be compromised, and malware may then be installed without being noticed.
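    The following PowerShell script is an added example, not part of the original alert, showing one way to carry out recommendation 2 on a managed Windows estate: it sets the ActiveX "kill bit" for the Adobe Flash control so that Internet Explorer refuses to instantiate it, then reads the value back to verify. It assumes Flash is installed as the classic Shockwave Flash ActiveX control with the CLSID shown (the page does not give a CLSID; this is the control's long-standing identifier), and that the script is run in an elevated session. On Windows 8 and later, where Flash ships inside IE rather than as a separately installed control, the Manage Add-ons dialog or Group Policy should be used instead.

```powershell
# Added example (not from the original alert): disable the Adobe Flash ActiveX
# control in Internet Explorer by setting its kill bit, then verify the setting.
# Assumptions: classic Flash ActiveX install, CLSID below, elevated session.

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash object
$KillBit    = 0x400   # Compatibility Flags value: "never load this control"

# Both the native and (on 64-bit Windows) the 32-bit IE registry views.
# On 32-bit Windows the Wow6432Node key is created but unused; harmless.
$CompatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

# First check whether the Flash control is registered on this machine at all.
$flashRegistered = Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$FlashClsid"
Write-Host "Flash ActiveX control registered: $flashRegistered"

# Apply the kill bit under each compatibility key.
foreach ($key in $CompatKeys) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $KillBit -Type DWord
}

# Verify: each key should now carry the 0x400 bit.
foreach ($key in $CompatKeys) {
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($flags -band $KillBit) { 'kill bit set' } else { 'kill bit NOT set' }
    Write-Host ("{0}`n  Compatibility Flags = 0x{1:X} ({2})" -f $key, $flags, $state)
}
```

    The kill bit only stops IE from loading the control; it does not remove the Flash installation and, as noted above, does not remove the Internet Explorer flaw itself. Advisory 2963983 [2] lists further workarounds that should be applied alongside this one until the patch is installed, after which the kill bit can be cleared by deleting the 'Compatibility Flags' value.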
    If you would like further assistance or advice on this issue, please contact the Helpdesk on (01) 6420100 or via email at support@ward.ie
    References:
    [1] FireEye, "New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks", http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
    [2] Microsoft, "Microsoft Security Advisory 2963983", https://technet.microsoft.com/en-US/library/security/2963983


    Making Information Security Pay – Enabling Your Organisation

    Over the last few years I have done numerous presentations on the topic of information security, both at C-level events and at more focused information security gatherings. I always start by asking the audience a simple question: do they view information security as a "cost" or as an "asset" to their business?
    Almost every time, the majority classify information security as a necessary "cost", unless the audience is made up of information security professionals or I am briefing executives following a recent information security incident. In those cases, unsurprisingly, the majority typically cite information security as an "asset" to their business.
    As I perform this less than scientific exercise over the years there are two things that continue to strike me:

    1. The consistently held view, even by some professionals in the field, that information security is all about prevention and insurance: a necessary cost to try to stop bad things happening.
    2. How difficult it is for information security professionals to sell information security to their own management and board, despite the well-known risks and potential catastrophes that their business could face as a result of a compromise.

    However, things are changing, and I do see a gradual but steady increase in the number of people starting to view information security as an asset to their business. In my opinion this turning tide is directly attributable to two significant factors:
    Raised Awareness:
    First, the really obvious reason: raised awareness at every level in the organisation, due to the growing number of organisations featured adversely in the news because of a significant customer data breach or service outage. And it is impacting us all: as a consumer I have received four notifications in the last 18 months from companies holding my or my family's sensitive data about some significant loss or compromise of that information.
    The traditional approaches to business case justifications for spend on information security are well documented and established. They are typically either a compliance-based argument, for example:
    "In order to continue taking online payments at the volume we are doing, we must be PCI DSS compliant, and Requirement 1 states that we must install and maintain a firewall configuration to protect cardholder data. Without this we are not compliant and cannot do business." QED.
    Or, alternatively, a return on investment (ROI) argument, hopefully supported by some associated qualitative or quantitative risk assessment analysis, for example:
    "The typical all-in cost of a data breach involving personal or financial data is €115 per record. We process or hold 70,000 records. If the risk is that all, or even a percentage of these, say 20%, are disclosed or compromised, then the potential cost to the organisation is estimated at €1.61M (70,000 × 20% × €115). The cost of appropriately securing the information systems that hold these records is €30,000 capex and €6,000 opex per annum, and this implementation reduces the likelihood of a breach to a very low probability of less than 5%." QED.
    As you can see, these types of arguments, though perfectly valid, still to some degree reinforce the established perception of information security as necessary insurance or a risk mitigation cost.
    Positive Leadership:
    The second significant factor in shifting organisations' perception of information security as a cost is the positive leadership of information security managers themselves. Traditionally the information security role, by virtue of its inherent risk management responsibility, was typically risk averse, sometimes overly policy driven and on occasion perceived within the business as the "department of NO". Thankfully this is a rapidly changing perception.
    The successful Information Security Officers or CISOs that we work with have figured out that the above arguments are the bread and butter of their day job: keeping the business appropriately safe and secure. Where they invest their remaining time is in understanding in detail their organisation's needs and challenges. They actively engage with the relevant parts of the business to add value above and beyond insurance and prevention. They look for opportunities for information security to help the business innovate, to take managed risks, to achieve business goals and to contribute to the bottom line.
    Practical Examples
    Let’s look at some practical examples:
    We do a lot of work with Higher Education and Research clients nationally and internationally. The traditional student (customer) processing model has shifted unrecognisably in this sector in the last 10 years, from a primarily on-campus, manual, slow, cumbersome, paper- and people-based education and service delivery model to a hybrid mix of online/virtual learning plus some on-campus education, accreditation and service delivery. In this model students can register, pay their fees, select their courses, access academic content, submit assessments and attend virtual lectures.
    Key to this transformation is the provision, automation and integration of a heady mix of education information systems and conventional line-of-business systems, such as student registration and administration systems, e-learning systems, financial systems, HR systems for academic and administrative staff, timetabling systems, examination systems, research management systems and so forth. A typical education institution has 300+ applications, 10,000+ students, 1,500+ staff and 4,000+ joiners and leavers per annum, and turns over €100M+ a year. Providing seamless, secure access to services for students and staff from anywhere in the world, whilst protecting personal data, financial integrity, examination and accreditation integrity, intellectual property, service availability and so forth, is no mean achievement.
    From an information security innovation perspective, CISOs in Higher Education institutions are truly enabling partners in this transformation by utilising information security management technology solutions such as:
    Identity and Access Management Solutions:
    To automate the really complex, time-sensitive provisioning and de-provisioning of large volumes of joiners and leavers, and the comprehensive change management processes that all users in these institutions typically go through. This enables the transformation in a heavily automated, mobile and highly dynamic environment, with a positive or improved end-user experience, whilst removing a lot of previously expensive, labour-intensive, slow and error-prone manual processes that offered a poor user experience.
    Secure Mobile and Remote Access to Services:
    Enabling students, staff and researchers to gain appropriate access to services, content and data of widely varying sensitivity, ranging from staff or student personal or financial data, to high-value research intellectual property, to accreditation and examination data and services, in a seamless user experience on campus, at collaborating campuses, in industry or at third parties literally anywhere in the world. Again, CISOs were instrumental in proposing governance, data handling and classification policies and frameworks to these institutions, allowing them to determine who should have access to which data and services, and from where. They were also instrumental in proposing secure extranet and intranet technologies, secure wired and wireless solutions, graduated and adaptive authentication, and federation and authorisation models and technologies to help enable and control this secure access.
    Secure Payment Services:
    A lot of money changes hands as part of the education experience. Traditionally, at registration students lined up with cheques, cash or credit cards to pay their annual or term fees. They paid for on-campus services such as printing and photocopying, as well as food and beverage services, with cash. Aside from being a poor experience from the user's perspective, this also placed a lot of money-handling costs and risks on the institution. Once again CISOs were instrumental in developing and implementing secure "cashless" payment systems for everything from online payment of college fees to pre-paid accounts and tokens for printing and catering services within the institution, solving both the user's and the institution's problems.
    Indeed so much innovation was required in Higher Education and Research early on to deliver on the business model transformation required that a number of key security technologies were effectively pioneered, developed or piloted in this sector.
    The Institutions that were first or most successful in this transformation required the positive and constructive collaboration and innovation of their internal and external IT providers and information security resources.
    Success criteria included:

    • Increase in students attending the institution not just because of academic or research excellence but also because of the new reach of the institution to a potentially global market, the range of services offered, the service delivery models, the improved user experience and the perception of innovation.
    • Reduction in administrative cost through secure automation and integration.
    • Improved compliance and risk management through improvements in identity quality and the elimination of manual, error-prone, non-systemic processes.
    Conclusion 
    Appropriately protecting your organisation from information security risk is now the minimum requirement of the information security role. To add real business value, CISOs need to become partners in business innovation, constructively helping their organisation to achieve its goals by providing and suggesting solutions and models for the business to identify, manage and control the risks that the organisation needs or wants to take. CISOs need to be able to actively contribute to either the top or the bottom line. When they do this, they will have no issues getting C-level airtime.