Recent Blog Posts

Monday October 13, 2014 at 2:23pm
Personal data such as documents, photos and videos from thousands of individuals and small businesses could be accidentally and unwittingly shared online. The people at risk are those who purchase Network Attached Storage (NAS) devices, usually with the intention of sharing media (films, photos etc.) within a household or within a small business.

When configured correctly, these devices are accessible to other devices on the home or business network. However, they can easily be misconfigured so that they are exposed to the internet.

Customers are putting their trust in the manufacturers to have implemented stringent security controls to protect their data. However, this is not the case with some NAS devices on sale. Good security practice is always to change the default password and to keep the firmware updated.

Shellshock puts devices at risk

To make matters even worse, a serious new bug, "Shellshock", has just been discovered which could affect network devices such as NAS units or routers.

The vulnerability was found in a software component called Bash, which is part of Linux systems as well as Apple's OS X operating system. Many web servers running Apache also make use of Bash.

Experts are suggesting that Shellshock could hit at least 500 million machines worldwide, and unfortunately a reliable and complete patch for Bash is not yet ready. A partial fix exists, but it does not fully solve the problem.

A patch from Apple is expected.

Advice for companies who want to mitigate the threat

  • Patch systems at the earliest possible opportunity
  • Follow good cyber-security practices to secure internet connected devices:
    • Block unnecessary inbound traffic at the firewall
    • Disable unnecessary services running on devices
    • If running web server software, ensure it runs from low-privilege accounts
    • Filtering input to websites, through a Web Application Firewall, can also help to limit impact
    • Ensure logging and auditing functionality is enabled and actively monitored
    • Disabling advanced functionality, such as cgi-bin, can help to mitigate some of the impact of the vulnerability, but this may have an adverse effect on websites.
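The "logging and auditing ... actively monitored" advice above is easiest to act on with a concrete check. The following Python script is an added example (not code from the post or from Parker Management Consultants): it parses Apache combined-format access-log lines and flags any request whose Referer, User-Agent or request line carries the Bash exported-function marker `() {`, which every Shellshock probe has to begin with. The log lines in `SAMPLE_LOG`, the IP addresses and the function names are constructed for illustration.

```python
"""Scan Apache 'combined' access-log lines for Shellshock probes.

Added example. The log lines in SAMPLE_LOG are constructed, not real traffic.
"""
import re
from typing import Dict, List

# Apache escapes embedded double quotes in logged header values as \" so a
# quoted field is "anything except an unescaped quote".
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] '   # client IP, ident, user, timestamp
    + _QUOTED                          # request line
    + r' (\d{3}) (\S+) '               # status, bytes
    + _QUOTED + ' ' + _QUOTED + '$'    # Referer, User-Agent
)

# Every Shellshock payload has to start with Bash's exported-function marker
# "() {" (whitespace between the parentheses and the brace is optional). That
# marker does not occur in legitimate headers, so it is the usual log/WAF signature.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Header-derived fields that a CGI server copies into environment variables,
# which is where Bash would evaluate the payload.
SCANNED_FIELDS = ("referer", "user_agent", "request")


def parse_combined(line: str) -> Dict[str, str]:
    """Split one combined-format line into named fields; raise on junk."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a combined-format log line: {line!r}")
    ip, ts, request, status, size, referer, ua = m.groups()
    return {"ip": ip, "time": ts, "request": request, "status": status,
            "size": size, "referer": referer, "user_agent": ua}


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per header field that carries the Shellshock marker."""
    findings = []
    for line in lines:
        entry = parse_combined(line)
        for field in SCANNED_FIELDS:
            if SHELLSHOCK_RE.search(entry[field]):
                findings.append({"ip": entry["ip"], "time": entry["time"],
                                 "field": field, "request": entry["request"],
                                 "value": entry[field]})
    return findings


# Constructed sample: one benign request, then three probes (User-Agent, Referer,
# and a User-Agent containing an escaped quote to exercise the quote handling).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:05 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:02:11 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; echo probe" "curl/7.30"',
    '198.51.100.9 - - [25/Sep/2014:10:03:00 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo \\"probe\\""',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['field']}: {f['value']!r} ({f['request']})")
```

Pipe a real access log in one line at a time (`scan_log(open(path))` works, since the parser strips line endings) and alert on any finding; a hit against a `/cgi-bin/` path on a host whose Bash is still unpatched is the case the mitigation list above is trying to prevent.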

With two major security vulnerabilities found in as many months, are we simply putting too much of our trust and information in the cloud? Another reason why storing your data, or at least one backup ‘offline’, isn’t such a bad idea.

Marcus Allen
Parker Management Consultants

Monday September 8, 2014 at 12:56pm
The challenges facing the owner-managers and directors of SMEs throughout the UK seem to grow daily. There are ever more complex risk and compliance issues to deal with; whether it’s data protection, health and safety, data security or industry regulation, the requirements can be onerous.

I find SMEs really struggle in their efforts to safeguard what is one of their key business assets: their data.

Given that no business owner would knowingly put a valuable asset at risk, I wonder why this is the case. I think a partial explanation is around good housekeeping – especially when it comes to job descriptions, delegating responsibilities to members of staff, and managing them to perform well on those responsibilities.

I have identified three key areas which, if addressed, will help SMEs keep their data safe:

  1. Roles and responsibilities
    Business is moving quickly; our use of technology changes on a regular basis, and with these changes come new responsibilities for everyone in your organisation. Sadly, job descriptions and clearly defined roles and responsibilities are often woefully out of date and don’t reflect the duties placed upon an employee. Indeed, when full investigations have taken place, I have found employees were not aware that they were even responsible for certain information security related activities.

    Job descriptions, like company brochures and websites, need to be kept up to date. If not, the business may be in peril when it attempts to discipline an individual for not fulfilling a role or for breaching data security requirements.

  2. Data back-up
    A commonplace area of concern is data back-up. Many organisations still back up on to external hard drives under the ‘grandfather-father-son’ rotation scheme. This may work effectively until the designated employee either leaves the business or is absent. If the role, and indeed the associated responsibility, is not clearly defined and documented, there is little reference material in a dispute.

  3. Building access
    Another area might be visitor control within a building. If the duties are not clearly defined, a new starter or temp might completely miss a key element of visitor control, namely introducing visitors to the Company’s information security policy and their security obligations whilst on site. Such a breach could have an impact upon the ‘CIA’ – confidentiality, integrity and availability – of the SME’s data.

Information security advice for SMEs

So what is my advice? The SME manager needs to keep a watchful eye on all roles within their business. I suggest reviewing the organogram regularly and ensuring that all posts have a well-defined job description. Such descriptions should be version controlled, dated, approved by the author and accepted by the post holder. Where possible the description should link to an up-to-date Employee Handbook detailing the latest procedures and policies within the business, especially those relating to data control and information security management.

Marcus Allen
Parker Management Consultants

Tuesday August 5, 2014 at 8:39am
In March 2014 the European Parliament agreed at committee level to the EU Commission’s data protection reform. It appears that EU heads of state have committed to a timely adoption of these planned new laws. But what do they mean for business owners?

There are three fundamental areas that businesses should now be aware of:

  1. One continent, one law. There will be a single framework law covering data protection with which all member states must comply.
  2. A ‘one stop shop’ approach for organisations. There will be one authority to deal with, rather than the various authorities there are at present.
  3. Rules apply regardless. Businesses operating outside the EU but doing business within it will have stronger adherence requirements.

The new regulator will have powers to fine up to two per cent of an organisation’s annual turnover.

What do the new data protection rules mean for SMEs?

There have been conflicting reports, some warning of byzantine bureaucracy for the SME sector. It appears at present that the planned EU legislation will benefit SMEs:

  1. SMEs will not have to appoint a Data Protection Officer, as long as data processing is not their fundamental business activity.
  2. There will be no more notifications for SMEs. Watch this space though.
  3. Subject access fees may increase, although we await more details.
  4. Impact assessments. There appears to be no legal obligation to conduct an impact assessment unless the risks define the need.

Of course, SMEs should keep an eye on the updates to the proposed EU Data Protection Directive to see exactly how they will affect their particular business. Although there appears to be a more practical approach to regulation for SMEs, it’s worth remembering that other regulators, such as the FCA, can impose huge fines for data loss.

Programmes of good data handling, keeping up with changes in regulation and reviews of information security can help prevent breaches of data protection law. ISO27001, the international standard for information security management, helps a business apply information security controls and procedures, and BS10012, the PIMS standard, helps organisations comply with data protection requirements.

As information security management consultants we know that a formal standard can help provide a structure for data control and management within your business. But whether you pursue ISO27001 or not, if you are a business that handles data you need to comply with data protection requirements and keep an eye open for any changes in EU rules.

Marcus Allen
Parker Management Consultants

Tuesday July 15, 2014 at 2:00pm
We live in an increasingly connected world. Devices are constantly being introduced to the market which make our lives easier and give us greater control over our environment, our communication habits and everyday chores.

Smart TVs, WiFi-controlled LED home lighting, smart fridges and driverless cars are all examples of what has been termed the Internet of Things. The internet is no longer restricted to desktops, phones and laptops. Technology is becoming entwined with the physical world at an alarming rate.

An average household may contain internet-connected devices or systems such as smart TVs, baby monitors, house alarms, CCTV systems, lighting, heating, washing machines, laptops, desktops, tablets and mobile phones.

One benefit of such devices is that you can monitor your home while away, checking CCTV footage and turning house lights on or off at will. Even British Gas are pushing their ‘Hive’ Active Heating with their annoying TV adverts. It lets you control your heating and hot water remotely from your smartphone, tablet or laptop.

It’s not all good news however.

With greater control come greater risks. Previously hackers could access your data; now they can take over your physical environment. Companies are keen to break into the smart device marketplace. Unfortunately some are rushing products to market with few or poorly implemented security features. Security needs to be built in from the early stages of design.

The consequence of having such vulnerabilities in these devices is that an attacker could hack a home owner’s web-based interface and disable alarms, spy on the owners via CCTV cameras, unlock doors, turn up the heating and so on.

Protect yourself when using smart devices

If you are using smart devices, protecting your home WiFi is ever more important. I would recommend using only WPA2 encryption with a strong random password (using a password manager to store the credentials), disabling SSID broadcast (the WiFi name identifier) and allowing only known devices to connect to your internal network. I would certainly conduct thorough research into any smart device before connecting it to a network, to validate its security features, or the lack of them as the case may be.

A dark market exists where hackers can purchase ‘point and click’ programs, built on more sophisticated command-line tools, to exploit and hack such devices. Hackers used to find vulnerabilities for personal reward or kudos; now they attack systems for financial gain. Unfortunately the Internet of Things is providing an ever-increasing attack surface for them to inflate their egos and their wallets. Stay safe and secure!

Marcus Allen
Parker Management Consultants

Tuesday July 1, 2014 at 7:00pm
How would your business operate if a fire broke out at your premises, you were affected by flood damage, or you suffered a cyber attack on your systems or theft of key data or materials?

For many organisations the subject of business continuity arises infrequently, perhaps prompted by particular circumstances or advice from outside. Of course, when I visit small to medium sized organisations, whether for ISO9001 or ISO27001, I tend to be the one raising the issue. In the case of ISO27001, business continuity and continuity planning is a fundamental topic.

The initial response I often receive is that ‘all is well and we have it covered – just fine.’ On closer examination, the reality can differ greatly.

In my 22 years as a management consultant I have only visited one business that took business continuity seriously – with or without the need for a management standard. This was a large membership body in the Midlands who could see the business case for investing in sound continuity plans.

The fundamentals of business continuity management

Whilst each SME owner or group of directors may choose to approach business continuity in their own unique way, there are some fundamentals to follow:

  1. The plans must be logical and workable, and based upon a key set of activities and functions that need to be performed in sequence to ensure that objectives are met.
  2. Ensure that such plans are made available and kept in a format that key staff can retrieve.
  3. Train staff in what is required and record the training.
  4. Ensure the topic of business continuity is embedded within the organisation.
  5. The plans need to be up to date and kept that way.

All too often, when I review arrangements, key contacts within the business have left or changed job, or the contact numbers provided are no longer valid. In some cases presumed back-up sites are no longer available.

Also, there is in my opinion a huge difference between an incident management plan and a business continuity plan. Owners of such documents need to ensure that they understand the difference.

Keeping plans up-to-date need not be complex. I suggest adding incident and continuity planning to at least one Board Meeting agenda per annum. This coupled with an annual ‘walk through’ of arrangements conducted by senior management will expose any gaps in your planning or changes in personnel, contact details or recovery plans which need to be addressed.

Business continuity is one of those things that, if you do it properly, will help you run a better business; fail to plan, however, and the consequences can be serious.

Marcus Allen
Parker Management Consultants

Monday June 2, 2014 at 2:00pm
Following on from last month’s blog, ‘Heartbleed: how to protect your business and yourself’, I thought it relevant to touch on the topic of ‘password managers’. Even changing just one online site’s password can cause heartache; imagine having to change hundreds, which could have been the case as a result of the recent Heartbleed vulnerability. This is where password managers make online account management so much easier.

Breaking news: eBay database servers have been compromised, losing 145 million users’ credentials including personal information, addresses, phone numbers, email addresses, encrypted passwords and dates of birth. Yet another reason to stop trying to remember passwords and use a password manager.

I’ve had personal experience of using the following solutions and I can honestly say they have made me more efficient and more secure in the process.

SecureSafe

This Swiss-made solution is more of a password safe than a password manager; however, it has one feature which makes it quite unique. Almost everyone now leaves a digital graveyard behind them in death, and the “Data Inheritance” feature can allow partners and family access to your important information such as login details, PINs and passwords. It now offers secure storage of documents and secure file transfer along with the original features of secure password storage and data inheritance. It also offers SMS authentication, adding that important second layer of security. It offers apps for Android, iOS and other smartphones/devices.

LastPass

One of the most respected password managers on the market, this is a true password manager, not just a password store. You are still required to remember your ‘master’ password to be able to log in to the service, but once this is done LastPass can generate unique random passwords for all your sites so you don't have to remember another password! All your passwords should look like this: Kqo\=3oyB>VXG^-6, but could you remember that? A key feature to look for in any online secure storage is local-only decryption: your encryption keys never leave your device and are never shared with any online servers. Again, in my opinion, multi-factor authentication is a must, and LastPass offers many options on this front. Multiple device support is available, and your account syncs across all devices.

iCloud Keychain

iCloud keychain is exclusive to Apple products. To quote Apple, “iCloud Keychain keeps your Safari website usernames and passwords, credit card information, and Wi-Fi network information up to date across all of your approved devices that are using iOS 7.0.3 or later or OS X Mavericks v10.9 or later.”

This is built into the Safari web browser and allows an even more seamless experience than LastPass, although it does not offer as many features as the previous solutions; with each iteration I’m sure Apple will be adding new features. Again, the information is only saved on the device that is approved, not on online servers. However, it is crucial that you protect your devices with strong passwords or PINs when using iPhones or iPads. If someone has local access to your devices then they have the keys to your online kingdom.

Clef

This is hopefully the new wave of authentication for online accounts. Clef is a mobile app that actually replaces both your username and password.

The weakness of using a traditional username/password combination for online accounts is that, to stay secure, you have to try to remember a different password for every site. Websites store passwords in attackable databases, and hackers can crack most passwords within 24 hours in an offline attack.

Using your mobile device you get one-click sign-on across multiple sites, and no passwords are used or stored in an attackable database. Security is handed over to the user to manage; the user must still log in to the app via a PIN code. Clef has only limited use currently, until more sites adopt this authentication method.

I trust myself to safeguard my information more than a third party (i.e: eBay), do you?

Marcus Allen
Parker Management Consultants

Monday May 12, 2014 at 1:38pm
When a business manager looks at the function of IT within his or her business, all too often IT is seen as a costly resource with little or no alignment with service delivery.

The application of Business Service Management (BSM) provides a structured approach to ensure that SMEs align IT delivery with their business processes, rather than seeing IT as a cost centre.

BSM is a system for verifying the impact of IT assets and their intended availability and performance levels, aligned with corporate objectives. By mapping out the core business processes and their required ‘inputs’ and ‘outputs’, careful analysis can be undertaken to ensure that IT systems are aligned with the required processes. The benefit is that the customer obtains what they need, in the manner required and in the most efficient way that a small business can provide it. IT has therefore aligned itself with servicing the ‘customer needs’.

The starting point of ‘BSM’ is to map out the critical services that customers must receive to ensure that corporate objectives are met. This may be 90% repeat business, required delivery times for goods, response to returns, help desk etc. These services must be prioritised, rather like the critical activities within a business continuity plan.

Once the above activity is complete, the services should be mapped to the IT systems and applications that are needed to deliver these outputs.

The key driver is to verify that the processes the business needs are fully supported by the IT infrastructure, rather than the IT department advising executive management of the IT capability.

So what is the best way of starting on ‘BSM’? From my twenty years’ experience I often find that IT is deemed a technical function that is byzantine in complexity and often totally lacking in customer focus. Businesses often have out-of-date quality management systems that do not suitably address the Plan, Do, Check, Act (‘PDCA’) approach, nor are ‘inputs’ or ‘outputs’ properly defined, or indeed aligned with business strategy.

If the manager defines the above and clearly maps out critical business processes, coupled with strategic objectives, IT Business Service Management can be applied.

Marcus Allen
Parker Management Consultants

Thursday May 1, 2014 at 2:00pm
A major security vulnerability called 'Heartbleed' made the news recently. The bug means an attacker can access normally encrypted data without leaving a trace. With two thirds of internet sites using OpenSSL this is a serious threat, and one that business owners and individuals need to pay attention to.

Heartbleed is a bug, dating back to 2011, in some versions of OpenSSL, an open source implementation of encryption protocols that is widely used on the internet. These encryption protocols are there to secure the transmission of data over networks. When you see “https” in a web URL this denotes a secure connection, used for example by online shopping sites or online banking.

Action for business owners

Any online services that are using OpenSSL should be immediately updated to the latest version. Where SSL certificates are used, these will need to be revoked and replaced with new certificates. The final step would be to change all credentials that could have been leaked, i.e. passwords.

Not all versions of OpenSSL are vulnerable to attack, so if you’re a business owner you may need to check with your web developers and other providers of online services which version they use.

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
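Checking a server against the status list above is mostly a matter of reading the version banner correctly, since the release letter (1.0.1e, 1.0.1f, 1.0.1g) is what decides it. The following Python is an added example (not code from the post or from Parker Management Consultants) that parses the output of `openssl version` and returns a verdict encoding only the ranges the post lists; any branch the list does not mention is reported as unknown rather than guessed. The function names and the sample banners are my own.

```python
"""Classify an `openssl version` banner against the Heartbleed status list.

Added example. Encodes only the version ranges given in the post above.
"""
import re
import subprocess
from typing import Tuple

# The affected branch, the first release in it that is not vulnerable, and the
# other branches the post lists as unaffected.
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"
KNOWN_SAFE_BRANCHES = {(1, 0, 0), (0, 9, 8)}

# Matches "OpenSSL 1.0.1e 11 Feb 2013" and variants such as "OpenSSL 1.0.1e-fips ...".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Tuple[int, int, int, str]:
    """Return (major, minor, patch, letter); letter is '' for a plain release such as 1.0.1."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter.lower()


def heartbleed_status(banner: str) -> str:
    """'vulnerable', 'not vulnerable', or 'unknown' for branches the post does not cover."""
    major, minor, patch, letter = parse_openssl_version(banner)
    branch = (major, minor, patch)
    if branch == VULNERABLE_BRANCH:
        # Release letters are single sequential characters, so '' < 'a' < ... < 'f' < 'g'.
        return "vulnerable" if letter < FIRST_FIXED_LETTER else "not vulnerable"
    if branch in KNOWN_SAFE_BRANCHES:
        return "not vulnerable"
    return "unknown"  # not in the post's table: consult the vendor advisory


def check_local_openssl() -> str:
    """Run the local `openssl version` command (if present) and report a verdict."""
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return f"could not run openssl: {exc}"
    return f"{banner.strip()}: {heartbleed_status(banner)}"


if __name__ == "__main__":
    # Constructed sample banners covering each row of the status list.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1f 6 Jan 2014",
                   "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.0m", "OpenSSL 0.9.8y",
                   "OpenSSL 1.0.2"):
        print(f"{sample}: {heartbleed_status(sample)}")
    print(check_local_openssl())
```

One caveat when using this on a real host: Linux distributions commonly backport the fix into their packaged 1.0.1e or 1.0.1f without changing the version letter, so a banner that reads "vulnerable" here must be confirmed against the package changelog or the distribution's advisory before anyone revokes certificates and rotates credentials on the strength of it.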

What it means for you

In simple terms, it means you should look to change your passwords and login credentials. In fact you may already have received emails from organisations you are registered with suggesting you do so.

There are sites available listing the affected websites, and it would be prudent to review and change your login credentials for those affected sites. Before doing so, it’s worthwhile checking that they have updated their security certificates and servers.

Sites affected include social media, online shopping, email or banking sites: anywhere SSL encryption is used. Most major sites would have addressed this issue within several hours or days of the bug being made public. However, the issue I see now is that the ‘bad guys’ are aware of it and will be exploiting it ‘in the wild’, as some sites and services could remain unpatched for years. For example, Android devices running Jelly Bean 4.1.1 are vulnerable to a reverse Heartbleed attack. This is harder to exploit than the normal server attack vector, so the likelihood of data being leaked is lower; however, the risk is still there.

Managing your passwords

If the thought of changing all your passwords and login details fills you with dread, and is the excuse you use to yourself for not changing passwords regularly, then why not use a password manager? I've been using one for years; LastPass is my software of choice, but there are lots on the market. Without this software I would probably have been using shared passwords for the sake of my sanity, leaving myself completely vulnerable to attacks like Heartbleed. These managers generate and store random passwords for all your sites, emails etc., so you only have to create one really strong master password and the software does the rest. Stay safe.

Marcus Allen
Parker Management Consultants

Wednesday April 9, 2014 at 10:00am
Free ‘WiFi’ here! We see the signs everywhere, from McDonald’s to restaurants, hotels and airport departure lounges. With some people addicted to having internet access on their laptop, tablet or smartphone, the lure of free wi-fi is all too tempting. With so much of our lives conducted on these devices, a wi-fi or mobile data connection is seen by many as essential, to check email, keep up on social media or even for internet banking. Others will choose to connect to these free wi-fi hotspots to save on data usage costs.

Maybe people perceive using wi-fi as less of a risk than using a traditional shared desktop PC with a wired connection, as mostly seen in the early years of internet cafés. But that’s really not the case. The security of wi-fi hotspots is something you should think carefully about before logging on.

If you absolutely must use a wi-fi hotspot, then only use your device for web browsing where no account details are likely to be sent over the airwaves. A common attack vector is ‘man in the middle’; to quote Wikipedia: “The man-in-the-middle attack in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle).”

In other words, big brother is watching and, worse still, he might be able to pretend to be you!

Checking emails, Facebook, Twitter, online shopping or internet banking could expose your user credentials or credit card information if intercepted by an attacker. Some wi-fi zone radio signals could even extend beyond their building’s boundaries, making it even easier for an attacker to intercept traffic.

Personally, I avoid using wi-fi hotspots; I use my own phone as a hotspot and keep an eye on my data usage per month (2GB is more than ample for my needs). If I really need to use a wi-fi hotspot due to a weak mobile data signal then I will use ‘VPN’ (Virtual Private Network) software. In simple terms, this ensures my data remains encrypted even when using a public network such as a wi-fi zone.

So next time you connect to a wi-fi zone, stop and think what sites or apps you are using. Think of the potential information that could be seen by others connected to the network, as not all fellow users might have good intentions!

Marcus Allen
Parker Management Consultants

Thursday March 27, 2014 at 11:54am
We read nowadays of many organisations appearing in the national papers for amazing instances of data loss. Often these are household names such as high street banks and major hospitals.

I get quizzed by many owner-managers as to the spectacular failures of data management and how such instances occur. All too often, when investigative action has taken place, the cause turns out to be a lack of awareness or understanding of information security protocols, and not necessarily a technical failure.

When I examine IT security failings, the ‘corporate culture’ is often not properly aligned or suited to maintaining the ‘assets’ in the manner required or espoused by the security policy – if there is one.

So how should an organization go about embedding a security culture?

Firstly, there must be CEO involvement. The CEO needs to understand the information security programme and the assets that must be protected. In addition, the CEO must promote and foster the information security strategy. The importance of the programme must be communicated to all senior managers. Dare I say it, it must be a case of ‘walking the talk’. If staff detect no interest or buy-in from the top, then such an initiative is likely to fail.

Secondly, the business as a whole needs to understand the importance of the information assets that it holds. In my experience, data is often not valued in the same way as computers, premises or cars. Only when staff fully appreciate the importance of the data as an ‘asset’ will mindsets start to alter.

Thirdly, the information security management system that is adopted must be appropriate to the business needs and not some tortuous system that only a highly trained technician can fathom.

Fourthly, hold regular awareness and feedback sessions to which staff from all parts of the organisation are invited. If senior management, or even the CEO, attend, employees will start to appreciate the importance of this activity.

Finally, and in my experience this is all too often lacking, a programme of well-developed information security audits is necessary. Auditors need to be well versed in assessing both the physical and systems parts of the business, plus all the associated management areas. A thorough report is required, with clear evidence of findings and areas of non-compliance. The report should be submitted to the CEO, who should act on the findings and take an interest in the closure of security concerns and breaches.

So, if you want to avoid IT security failings and data breaches, my advice is to really embrace information security management within your business, rather than just paying lip service to it.

Marcus Allen
Parker Management Consultants

Parker Management Consultants, 1st floor, Dominion Court, 43 Station Road, Solihull, B91 3RT