Online Safety and Security

We live in the developed world where it is now finally safe to walk on the city streets. Police and security guards are there to protect us in the physical world. But who is watching out for us when we are online?

Issues:

  1. Cyber crime and state-sponsored attacks are becoming more and more common. Hackers are now shifting their focus from companies to individuals. Cars, airplanes, smart homes and other connected devices, along with personal phones, can be exploited by malicious attackers.
  2. Online reputation is becoming increasingly important. Potential business partners conduct thorough research prior to signing deals. A bad reputation online dramatically decreases your chances of succeeding in business and other areas of your life.
  3. Children’s safety online is at risk from cyber-bullying and identity theft. With the rapid development of mobile technology and geolocation, tracking the whereabouts of your children is easier than ever, opening opportunities for kidnappers or worse.

Solutions:

We offer a one-stop-shop for end-to-end protection of online identity and reputation for you and your children.

A platform of personalised and continuous online threat monitoring secures you, your connections, applications and devices and ensures safety and security online.

Acting as a cyber bodyguard, it is available 24/7 and dramatically reduces the risk of being affected by cybercrime.

Benefits:

We work with highly skilled professionals in the fields of law, cyber security, technology, information privacy, digital marketing, psychology and law enforcement to ensure you get all you need in one place to stay safe and secure online.

Get in touch to get a free personalised online security and privacy risk assessment today.

| Service | Free | Plus | Premium |
|---|---|---|---|
| Security and privacy self-assessment | ✓ | ✓ | ✓ |
| Basic online profile analysis | ✓ | ✓ | ✓ |
| Online traceability analysis | ✓ | ✓ | ✓ |
| General online privacy and security guidelines | ✓ | ✓ | ✓ |
| Personalised risk assessment | | ✓ | ✓ |
| Advanced online profile analysis | | ✓ | ✓ |
| Personalised recommendations and steps for reducing, mitigating or transferring risk | | ✓ | ✓ |
| Mobile application for controlling and monitoring of applications’ activity | | ✓ | ✓ |
| Technology solution for online privacy and security | | ✓ | ✓ |
| Penetration testing | | | ✓ |
| Assessment for family members (up to 5) | | | ✓ |
| Cyberbullying protection for children | | | ✓ |
| Geolocation assessment | | | ✓ |
| 24/7 support | | | ✓ |
| Periodical assessment and detailed recommendations | | | ✓ |
| Physical security assessment | | | ✓ |
| Connected cars security | | | ✓ |
| Smart home security | | | ✓ |

Image courtesy of winnond / FreeDigitalPhotos.net


Cyber Wargaming Workshop

I was recently asked to develop a two-day tabletop cyber wargaming exercise. Here’s the agenda.
Please get in touch if you would like to know more.

Day 1
Introduction
Course Objectives
Module 1: What is Business Wargaming?
How Does Business Wargaming Work?

  • Teams
  • Interaction
  • Moves

Module 2: Cyber Fundamentals

  • Practical risk management
  • Problems with risk management
  • Human aspects of security
  • Conversion of physical and information security
  • Attacker types and motivations
  • Security incident management
  • Security incident handling and response
  • Crisis management and business continuity
  • Cyber security trends to consider

Module 3: Introducing a Case Study

  • Company and organisational structure
  • Processes and architecture
  • Issues

Module 4: Case study exercises

  • Case study exercise 1: Risk Management
  • Case study exercise 2: Infrastructure and Application Security
Day 2
Introducing a wargaming scenario
Roles and responsibilities
Simulated exercise to stress response capabilities
The scenario will be testing:

  • How organisations responded from a business perspective
  • How organisations responded to the attacks technically
  • How affected organisations were by the scenario
  • How they shared information amongst relevant parties

Feedback to the participants
Course wrap up

Image courtesy zirconicusso / FreeDigitalPhotos.net


Removing Unused Firewall Rules

Implementing cutting-edge technology solutions is not the only way to combat cyber threats. Seemingly mundane administrative tasks such as network infrastructure hardening could yield greater results in terms of risk reduction.

I ran a remediation project for a major blue chip company, which successfully removed over 8,000 unused firewall rules.

Such projects can be complex and require a rigorous process to be designed to ensure that no active rules are removed. For example, a period of monitoring and subsequent hypercare ensured that only a few rules were reverted back to production after being indicated as “unused”. Proactive stakeholder engagement was key in completing the work ahead of schedule and under budget.

As a result, the project improved network security by eliminating the chance an attacker can exploit a weak unused firewall rule. Moreover, the number of rules on the firewalls was cut by half, which made it easier and cheaper to monitor and manage.
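
The monitoring-then-hypercare process described above can be sketched as follows. This is an added example, not code from the project: the rule ids, log format and dates are constructed, and the hypercare log is assumed to contain denied flows already mapped back to the disabled rule that used to permit them.

```python
from datetime import datetime

# Constructed rule base and logs; ids, addresses and the log format are assumptions.
RULES = {"r10": "allow tcp 10.0.1.0/24 -> 10.0.9.5:443",
         "r20": "allow tcp 10.0.2.0/24 -> 10.0.9.7:1521",
         "r30": "allow tcp any -> 10.0.9.8:23",
         "r40": "allow udp 10.0.3.0/24 -> 10.0.9.9:514"}
# One line per rule hit: "<ISO timestamp> <rule id>"
MONITORING_LOG = """2024-01-03T09:12:00 r10
2024-02-14T23:01:10 r10
2023-12-30T02:00:00 r20
2024-01-20T02:00:00 r40
not-a-log-line
2024-03-01T02:00:00 r99"""
# Assumption: flows denied after candidates were disabled, mapped to the disabled rule.
HYPERCARE_LOG = """2024-04-01T00:05:00 r20"""
WINDOW = (datetime(2024, 1, 1), datetime(2024, 3, 31))  # monitoring period


def parse_hits(log_text):
    """Return {rule_id: [datetime, ...]}, skipping lines that do not parse."""
    hits = {}
    for line in log_text.splitlines():
        try:
            stamp, rule_id = line.split()
            ts = datetime.fromisoformat(stamp)
        except ValueError:  # wrong field count or bad timestamp
            continue
        hits.setdefault(rule_id, []).append(ts)
    return hits


def unused_candidates(rules, hits, start, end):
    """Rules present in the rule base with no hit inside the monitoring window."""
    return sorted(r for r in rules
                  if not any(start <= t <= end for t in hits.get(r, [])))


def plan_removal(rules, monitoring_log, hypercare_log, start, end):
    """Return (remove, revert): candidates seen during hypercare go back to production."""
    candidates = unused_candidates(rules, parse_hits(monitoring_log), start, end)
    hypercare_hits = parse_hits(hypercare_log)
    revert = [r for r in candidates if r in hypercare_hits]
    remove = [r for r in candidates if r not in hypercare_hits]
    return remove, revert


print(plan_removal(RULES, MONITORING_LOG, HYPERCARE_LOG, *WINDOW))
```

Rule r20 shows why the hypercare step matters: its only traffic falls outside the monitoring window, so it looks unused until it is disabled and something breaks.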

Image courtesy renjith krishnan / FreeDigitalPhotos.net


Industrial Control Systems Security: Information Exchange

There are a number of global information exchanges related to industrial control systems security. They offer useful guidelines and standards to help protect the environment.

The UK Centre for the Protection of National Infrastructure (CPNI) provides good practice and technical guidance as well as advice on securing industrial control systems.
Secure move to IP-based Networks (SCADA):

They also highlight the risks of wireless connectivity of physical security systems.

Similar information exchange centres were established in Japan and Spain.

For an introduction to Industrial Control Systems Security, see my previous blogs (Part I, Part II, Part II) or the ICS Security Library.


Database Security Project

A company experienced a significant data breach from a malicious source which led to the loss of strategically sensitive information. I was called in to manage a security remediation project. Given that data at rest is a critical asset, remediating and hardening the company’s business critical databases was a key component of this program.

The client designed a solution for database security but was struggling to implement it and gain the required stakeholder buy-in. Furthermore, the client’s business critical landscape was highly dispersed, with application management spread across multiple business units based out of a number of countries and database management overseen by a third-party IT vendor.

I was a part of the project management team, which was established to coordinate multiple stakeholders in order to implement the end-to-end solution for database security consisting of monitoring, reporting and remediation of business critical databases.

I identified that the most significant obstacle was the business application owners’ understanding of the system, the processes, and the benefits of implementation. I initially engaged in extensive stakeholder communication and business change management to ensure the required buy-in.

I drove the progress of system implementation through stakeholder management, delivery management, information gathering and providing technical expertise and management reporting. I worked within the client’s project management methodology whilst leveraging my experience and expertise in project management to ensure timely delivery.

As a result, the business critical databases in scope were brought into the known state of compliance, drastically reducing the attack surface. Moreover, awareness of the importance of application security and secure behaviours to support databases was raised significantly.

I embedded the processes to implement the system into the client’s run and maintain activities, ensuring that future changes to their business critical landscape do not introduce new database vulnerabilities. I also developed an asset inventory for business critical databases which improved upon any previous client efforts.

Image courtesy ddpavumba / FreeDigitalPhotos.net


Productive Security

Let’s see how some security controls might affect human behaviour in a company.

  • Restricting software installation on computers is in line with one of the main principles of information security – the principle of least privilege. That way a security manager can make sure that employees in his company don’t install unnecessary programs which may contain vulnerabilities. Such vulnerabilities can be exploited by a potential attacker. There are instances, however, when a user may require a piece of software to perform his productive tasks. Failure to install it quickly and easily may result in unnecessary delays.
  • Restricting access to file sharing websites helps to make sure that a company is not in violation of data privacy regulations and that users don’t store sensitive information in insecure locations. However, it is important for a company to provide an easy-to-use, secure alternative to enable the business.
  • Restricting access to CD/DVD and USB flash drives. Personal USB flash drives can be a source of malware which users can introduce to the corporate network. Restricting access to CD/DVD and USB flash drives not only helps to prevent this threat, but also limits the possibility of sensitive data leaks. It is important to understand the core business processes in a company to make a decision on restricting the access. Sometimes drawbacks of such a policy may overshadow all possible benefits.
  • Regular full antivirus checks help to make sure that employees’ workstations are free from malware. However, the process of scanning a computer for viruses may take up a lot of resources and slow down the machine, with a possible impact on productivity.
  • Awareness training can be a powerful measure to protect against a wide range of security threats, including social engineering (e.g. phishing). However, research shows that blanket awareness campaigns are ineffective and a better approach is needed to address this issue.

Image courtesy of renjith krishnan / FreeDigitalPhotos.net