Tag Archives: commissum

Attack on Japanese Defence Contractor

The recent publication of the security breach suffered by the Japanese defence contractor Mitsubishi Heavy Industries is just the latest in a long series of similar breaches around the world.

Once again, the discovery of multiple instances of malware or viruses installed on servers and desktops is symptomatic of what could be a very sophisticated attack – frequently referred to as an Advanced Persistent Threat (APT) attack.

It is reported that the breach started with what is known as a spear phishing attack – attackers use very targeted emails, specially crafted and customised for particular individuals, to maximise the chance that the email is opened and any links within it are clicked on and followed.

Martin Finch, Managing Director of commissum, a specialist Information Security Consultancy, said that “the organisation targeted here is a typical victim of such an attack by what could be industrial espionage or state sponsored hacking to access either national security information, or intellectual property. Previous victims have, for example, included Lockheed Martin, the world’s largest aerospace company”.

Chris Williams, senior consultant at Information Security company, commissum said that “the usual modus operandi is for attackers to establish a foothold through initial breaches, and then use this to both escalate the level of the breach and establish further access points. This frequently continues over what is often a very protracted time-scale. The victim will, if one or more breaches are discovered, be uncertain as to how many other breaches have been established and where these are”.

China, Russia and Korea have been mentioned as possible sources of this type of attack in the past; China in particular has vigorously and indignantly denied any involvement in this case. That is one of the problems with a sophisticated attack of this type: it can be almost impossible to establish for certain where the attack originated. It is clear, though, that China is just one of the countries suspected of past involvement in such attacks by US and Western European government agencies.

In addition, as is often the case, the victim is downplaying the impact and the level of penetration achieved. It is reported that the Japanese government was not immediately informed of the breach, as is required in the defence sector; allegedly it was discovered in August but was only exposed by the press this week. It is unlikely that the public will ever know for sure whether the breach involved a serious leak of information.

Via EPR Network
More Computer press releases

What Are the Issues Around Cloud Computing?

commissum explains the issues around cloud computing and the benefits it can bring to small companies.

When we mention cloud computing to our SME clients as a possible solution for the cost-effective management of their services, we often get asked “but what are the risks of trusting our information to someone else?” At commissum we believe that many of the issues relating to cloud computing are not new and should be considered for all relationships with service providers, although there are a few specific considerations to be made.

Using cloud computing, organisations can contract service providers to provide infrastructure, platforms and, currently most commonly, software. These services enable convenient, on-demand network access to a shared pool of configurable resources such as networks, servers, storage, applications and other services, which can be provisioned and released with minimal management effort or service provider interaction. The advantages of scalability, lower overhead costs and flexibility are clear and allow organisations to focus on core competencies instead of devoting resources to IT operations.

Most companies have policies and processes in place to deal with commercial relationships with IT service providers. Although these policies and processes will work equally well with cloud services, many still do not sufficiently cover the risks related to the security of information.

Applications which are to be provided by a cloud service require the same risk assessment considerations as those provided by a traditional service provider.
What if the solution:
· fails to deliver the required business value;
· does not perform to the levels agreed;
· is not integrated with the existing in-house services;
· is unavailable and causes delays and reputational damage;
· suffers breaches of the integrity and confidentiality of information.

But commissum’s Principal Assurance Consultant André Coner suggests that the following considerations specific to cloud computing should be added:
· Maturity of the cloud service provider and service provider going-concern issues;
· Complexity of compliance with laws and regulations;
· Legal issues around liability and ownership relating to different hosting countries;
· Storage of personally identifiable information in other countries;
· Much greater dependency on third parties and reliance on external interfaces;
· Greater reliance on Internet connectivity;
· Security issues of public, community and hybrid cloud environments.

With 20 years of experience, commissum is adept at offering practical advice and recommending cost-effective solutions, to deliver a joined-up, coherent approach to protecting an organisation’s information assets.

Via EPR Network

The new PCI DSS version 2 is effective. What now?

The PCI Security Standards Council (PCI SSC) is a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), the PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS). The PCI SSC has released version 2 of the PCI Data Security Standard (PCI DSS), which became effective on 1st January 2011.

The new standard begins a three-year lifecycle that allows for validation against the previous version of the standard (1.2.1) until 31st December 2011. This gives stakeholders time to understand and implement the new version of the standard as well as to provide feedback. The PCI SSC encourages organizations to transition to the updated version as soon as possible.

The changes in version 2.0 introduce no new major requirements. The majority of changes are modifications to the language to clarify the meaning of the requirements and make understanding and adoption easier. Many of the revisions reinforce the need for a thorough scoping exercise prior to assessment in order to understand where cardholder data resides, reduce the infrastructure and applications subject to the standard, allow organizations to adopt a risk-based approach when assessing, and prioritize vulnerabilities based on specific business circumstances.

commissum’s Principal Assurance Consultant André Coner commented that many organisations fail to adequately segment the cardholder data environment from the remainder of their network and are therefore significantly increasing the complexity and cost of their PCI DSS compliance. Without adequate network segmentation, the entire network is in scope for the PCI DSS assessment. Segmentation is therefore strongly recommended, as it will reduce the scope and cost of the PCI DSS assessment. It also reduces the cost and difficulty of implementing and maintaining the PCI DSS controls.

Via EPR Network