New titles show you how to combat cyber threats

April 23rd, 2014

Last year cyber crime cost UK businesses £21 billion, the Government £2.2 billion and individuals £3.1 billion (UK Cabinet Office statistics). The battle against cyber crime will only be won if everyone plays their part.

Businesses, Government and individuals must all understand the cyber threat landscape and how their actions can make it easier or more difficult for cyber criminals to succeed.

We’ve recently added some new titles to our growing cyber security catalogue to help you understand the latest threats and what you can do about them.

Protecting Our Future: Educating a Cybersecurity Workforce
An examination of the operational challenges and needs of the workforce in the military, healthcare, international relations, telecommunications, finance, education, utilities, government, small businesses, and not-for-profit organisations.
Price: £18.00

Cybersecurity and Cyberwar: What Everyone Needs to Know
A definitive account of the nature of war, conflict, and security in the 21st century, beginning with an explanation of what cyberspace is and then moving on to how it is exploited and defended.
Price: £10.99

Cyber Security Culture
A research-based study reinforced with expert insights to help managers form policies and procedures to prevent cyber intrusions, put robust security systems in place, and arrange appropriate training exercises.
Price: £55.00

Cybersecurity: Managing Systems, Conducting Testing, and Investigating Intrusions
Aimed at cyber security professionals as well as those new to the field, this comprehensive guide covers the tools, techniques and strategies you need to work in the cyber security industry, and demonstrates how to build security into your systems.
Price: £42.50

PAS 555 2013: Cyber security risk. Governance and management. Specification
PAS 555 supplies a holistic framework for effective cyber security which not only considers the technical aspects but also the related physical, cultural and behavioural aspects of an organisation’s approach to addressing cyber threats, including effective leadership and governance.
Price: £85.00

Cyber Security Policy Handbook
This book explains in simple language what cyber security is and details the history of, and current approaches to, cyber security policy, covering global security organisational policy issues and detailing the pros and cons of specific policy choices, including their impacts.
Price: £60.50

Jailbroken iPhones at risk from new malware; steps to fix

April 22nd, 2014


[image source: Digital Trends]

A new piece of malware has come to light which is stealing Apple IDs and passwords from jailbroken iPhones. For those who are unaware, a jailbroken iPhone is an iPhone which has had the limitations imposed by iOS removed. Removing these limitations allows the download of additional applications, extensions, and themes that are unavailable through the official Apple App Store.

Lack of security is a well-known risk when jailbreaking, but it rarely stops those who are looking to get more from their iPhone.

So, back to the malware.

The strangely titled “unflod Baby Panda” is suspected to be of Chinese origin, according to security firm SektionEins. The malware works by inserting itself into running processes and stealing credentials.

Disguised as a library called Unflod.dylib, SektionEins says that the malware tries to “steal the device’s Apple ID and corresponding passwords and sends them in plaintext to servers with IP addresses in control of U.S. hosting companies, for apparently Chinese customers.”

To get rid of the malware if infected, users need to look in the /Library/MobileSubstrate/DynamicLibraries/ directory, where the file Unflod.dylib will be hiding. You can then use iFile to locate that file as well as Unflod.plist. Once you have found them, you will need to permanently delete them.

We recommend that you also change your Apple ID passwords and enable two-step verification.
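The removal steps above, expressed as a small check script. This is an added example, not code from the original post or from SektionEins: it looks in the directory the post names for the two indicator filenames (Unflod.dylib and Unflod.plist), reports what it finds, and only deletes when explicitly told to. The demo runs against a constructed temporary directory that mimics an infected device, since the real path only exists on a jailbroken phone.

```python
"""Check a MobileSubstrate DynamicLibraries directory for the Unflod indicators."""
import tempfile
from pathlib import Path

# Filenames named in the SektionEins write-up quoted in the post.
UNFLOD_INDICATORS = ("Unflod.dylib", "Unflod.plist")

# Directory the post tells users to inspect on a jailbroken device.
DEFAULT_DYLIB_DIR = "/Library/MobileSubstrate/DynamicLibraries"


def find_unflod(dylib_dir=DEFAULT_DYLIB_DIR):
    """Return the indicator files present in dylib_dir (case-insensitive match), sorted."""
    root = Path(dylib_dir)
    if not root.is_dir():
        return []
    wanted = {name.lower() for name in UNFLOD_INDICATORS}
    return sorted(p for p in root.iterdir() if p.is_file() and p.name.lower() in wanted)


def remove_unflod(dylib_dir=DEFAULT_DYLIB_DIR, dry_run=True):
    """Delete the indicator files; with dry_run=True only report what would be removed."""
    affected = []
    for path in find_unflod(dylib_dir):
        if not dry_run:
            path.unlink()
        affected.append(str(path))
    return affected


def demo():
    """Build a constructed directory that mimics an infected device and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        dylib_dir = Path(tmp) / "DynamicLibraries"
        dylib_dir.mkdir()
        # Constructed contents: one benign tweak plus the two Unflod files (placeholder bytes).
        for name in ("SomeTweak.dylib", "SomeTweak.plist", "Unflod.dylib", "Unflod.plist"):
            (dylib_dir / name).write_bytes(b"placeholder")
        before = [p.name for p in find_unflod(dylib_dir)]
        remove_unflod(dylib_dir, dry_run=False)
        after = [p.name for p in find_unflod(dylib_dir)]
        remaining = sorted(p.name for p in dylib_dir.iterdir())
        return before, after, remaining


if __name__ == "__main__":
    print(demo())
```

Run with no arguments it only exercises the constructed directory; pointing `remove_unflod` at the real path with `dry_run=False` is the equivalent of deleting the two files in iFile as the post describes, and the password change and two-step verification still apply afterwards because the credentials were already sent off the device.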

A closer look at the shocking card fraud losses in South Africa

April 17th, 2014

This post takes a closer look at card fraud losses in South Africa during the last few years. According to a SABRIC report, the banking industry’s card fraud losses increased by 22% in nine months of 2012–2013. South Africa is the third most targeted country for cyber crime after China and Russia. This is because the country is not protected enough and organisations often leave doors open to criminals.

Card fraud can happen in different ways. Listed below are the main methods of card fraud in South Africa.

  • Card Not Present (CNP) fraud is a payment made when the card is not physically present, so over the phone or the internet, by email or by fax. CNP card fraud losses increased by 16% during the period 2012–2013.
  • Counterfeit card fraud is performed with a card that has been cloned using information stolen from the magnetic strip. Counterfeit card fraud losses increased by 27% during 2012–2013.
  • Lost or stolen card fraud is when the cardholder is no longer in possession of their card and a criminal uses it in their name. Lost or stolen credit card fraud increased by 102.4% from 2012 to 2013. The table below details the biggest card fraud losses by fraud type over the past 8 years.



Fraud type 2006 2007 2008 2009 2010 2011 2012 2013
CNP R22.3 R40.7 R65.8 R63.1 R64.2 R133.4 R154.4 R178.7
Counterfeit R53.5 R94.7 R157.1 R145.7 R92.7 R207.7 R113.9 144.5
Lost/Stolen R66.2 R117.5 R117.5 R65.7 R25.8 R18.3 R15.6 R31.7

         All figures are in R millions     —      Source: Card Fraud – SABRIC


According to the 2012 Norton Cybercrime Report, the financial impact of card fraud losses in South Africa amounted to R3.7 billion. In 2012, 2.39 million people, or 64% of the population, had experienced cyber crime. The majority of fraudulent card transactions for 2013 occurred in Gauteng (42.8%), followed by KwaZulu-Natal (16.7%) and the Eastern Cape (8.5%). Together, these provinces account for 86.1% of all card fraud losses.

There is no doubt that cyber criminals are changing their hacking ways and consumers and organisations may be less aware of how to protect themselves. Card fraud losses, as well as the costs of card fraud among organisations in South Africa, are increasing dramatically.

Whether you are a merchant or a service provider, one way to reduce the likelihood of card fraud is to comply with the Payment Card Industry Data Security Standard (PCI DSS). Compliance with the Standard is mandatory for organisations that process, transmit or store cardholder data.

Why not have a look at “PCI DSS: A Practical Guide to Implementing and Maintaining Compliance, Third edition”, which provides a flexible and tailorable route to achieving compliance with the PCI DSS that is ideal for organisations of all sizes and sectors.

Heartbleed bug increases cyber threat fears

April 17th, 2014

The Heartbleed bug, which has been present in two thirds of the world’s secure websites for over two years, hit the headlines last week. Attacks leave no trace, and it’s impossible to know whether or not a particular site has been hacked.

With cyber threats advancing at such an alarming rate, the need to employ effective and realistic cyber security measures to protect your information assets has never been more urgent.

The Finnish security firm who helped discover the flaw, Codenomicon, has said that “smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most.”

Security experts are urging people to change their passwords, and organisations who think they’ve been affected to install the fix that came out on Monday.

None of IT Governance’s websites have been affected, but if you think your business has been affected by the bug, we strongly recommend a penetration test which includes a Heartbleed bug test. Call us today to discuss your specific requirements, toll free on: 1 877 317 3454.

The cyber threat is very real and current. For a wider overview of the threat as a whole, download our free briefing paper, Cyber Security: A Critical Business Issue, to understand the threats that affect your organisation and the cyber security approach you should take. Written by acknowledged international cyber security expert Alan Calder, this paper will help you recognise the rising threats and the appropriate actions to take.

Download now >>

Is PCI DSS version 3.0 just another version of the Standard or a new weapon in the fight against global cyber crime?

April 17th, 2014

Commerce is widely affected by cyber crime. Cardholder data continues to be an attractive target for criminals, and the number of attacks exploiting security vulnerabilities is constantly increasing. Recognising that an effective response must adapt to the threat it faces, the PCI Security Standards Council (PCI SSC) revises its Payment Card Industry Standards (PCI DSS and PA-DSS) every three years based on industry feedback, as well as in response to current market needs. The evolving requirements of the standards ensure that they remain up to date with emerging threats, implementation and maintenance challenges, and market changes.

Challenge areas and change drivers

The PCI DSS applies to all organisations that process, store or transmit cardholder data, and industry feedback on the Standard comes to the PCI SSC from more than 700 Participating Organisations, including merchants, banks, processors, hardware and software developers, boards of advisors, point-of-sale vendors, and the assessment community. Ahead of the publication of version 3.0 of both standards in November 2013, the PCI SSC identified certain common challenge areas and drivers for change, which included:

  • lack of education and awareness;
  • weak passwords and authentication;
  • third-party security challenges;
  • slow self-detection and malware; and
  • inconsistency in assessments.

The updates introduced in version 3.0 address these challenges by adding guidance and clarification on the intentions of the Standard’s requirements, and suggest ways of meeting those requirements.

PCI DSS changes

Changes introduced in version 3.0 have been designed to help organisations take a more proactive approach to protecting cardholder data that focuses on security rather than compliance. The aim is to make the PCI DSS an everyday part of normal business practice. Key themes emphasised throughout version 3.0 include:

» Education and awareness

A lack of education about, and awareness of, payment security, coupled with poor implementation and maintenance of the PCI Standards, causes many of today’s common security breaches. Updates to the PCI Standards aim to help organisations understand the Standards’ requirements and how to implement and maintain controls properly across their businesses. Changes to both the PCI DSS and PA-DSS will help build awareness within the organisation as well as with business partners and customers.

» Increased flexibility

Changes in the PCI DSS and PA-DSS focus on the most common risks that lead to incidents of cardholder data compromise (such as weak passwords and authentication methods, malware, and poor self-detection), and provide added flexibility in the ways organisations can meet the Standards’ requirements. Organisations will now be able to take a more customised approach to addressing and mitigating common risks and problem areas. More rigorous testing procedures for validating proper implementation of requirements will help organisations drive and maintain controls across their business.

» Security as a shared responsibility

Securing cardholder data is a shared responsibility. Today’s payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS and PA-DSS v3.0 focus on helping organisations understand their own PCI DSS responsibilities when working with different business partners to ensure cardholder data security.


The updated versions of the PCI DSS and PA-DSS will:

  • provide stronger focus on some of the greater risk areas in the threat environment;
  • provide increased clarity on the PCI DSS and PA-DSS requirements;
  • build greater understanding on the intent of the requirements and how to apply them;
  • improve flexibility for all entities implementing, assessing, and building to the standards;
  • drive greater consistency among assessors;
  • help manage evolving risks and threats;
  • align with changes in industry best practices;
  • clarify scoping and reporting; and
  • eliminate redundant sub-requirements and consolidate documentation.

So, does this amount to just another update, or are the changes enough to have a real impact on the fight against cyber crime?

Attend our ISO27001:2013 and PCI DSS v3.0 event on 8 May at the Churchill War Rooms, London, to find out more about the change drivers and key themes of the new version of the PCI DSS (version 3.0).


Welsh Councils break DPA 2.5 times a week

April 15th, 2014

It’s quite a staggering statistic: 135 breaches of the Data Protection Act (DPA) by Welsh councils in 2013, more than double the 60 breaches in 2012.

This basically means that every other day the DPA is being broken in a council in Wales. This information came to light after a Freedom of Information request by the BBC.

Nearly all councils in Wales breached the DPA last year. Breaches included financial and personal information sent in error, data being lost, a failure to encrypt data, and confidential papers being left on public transport.

Breathe a sigh of relief if you live in the Blaenau Gwent, Ceredigion, Neath Port Talbot, Vale of Glamorgan and Swansea areas as these councils reported no breaches last year.

Anne Jones, Assistant Information Commissioner for Wales, said: “It’s important local authorities live up to their legal responsibilities under the Data Protection Act.”

“Keeping people’s personal information secure should be hardwired into their culture as losses can seriously affect reputations and as a consequence, service delivery.”

Manage sensitive data with BS10012

So what can these councils do to better manage the confidential data they handle?

BS10012 is the British best-practice Standard that provides the specification for a Personal Information Management System (PIMS). It details the actions that organisations should take to ensure they comply with UK data protection and privacy laws.

Learn more about BS10012 and compliance to the UK Data Protection Act.

The secrets behind the undisclosed Chinese cyber threat

April 14th, 2014

That a number of major western companies and government agencies have been attacked by hackers in the last five years will come as no surprise; we’re becoming increasingly inured to the idea that cyber attacks are now the norm. That those organisations should choose to remain silent about the attacks, however, is unusual.


There are many reasons that so few organisations reveal having been hacked. They might not realise they were hit. If they do know that they were hit, they might not have sufficient information about the attack, and be unaware of where it came from or who perpetrated it. They might prefer not to announce their vulnerability due to the nature of their work: the negative publicity and reputational damage engendered by disclosing a breach can have a significant impact on many companies, especially those in the security industry (for example, defence contractors). In the case of human rights organisations, they might just be afraid.

This raises an obvious question: should it be mandatory for US organisations to inform the public when they’ve been attacked, as the proposed EU data protection legislation recommends in Europe?

NASA, Coca-Cola, and Lockheed Martin have all been hacked in recent years, but in each case it was some time before the fact was revealed. It’s believed that many of these attacks originated in China, but that remains difficult to prove, so organisations are hesitant to point the finger. Blaming China also makes it difficult for large organisations to do business with the world’s second largest economy.

The New York Times and Google were also hacked, but are unusual in publicising this information, and for blaming China for their attacks. Indeed, their openness has been seen as a positive step in addressing the effects of international cyber warfare.

US Defense Secretary Chuck Hagel is currently on a 10-day trip to the Asia-Pacific region, and his meeting with Chinese Defence Minister Chang Wanquan on Tuesday focused on Chinese cyber attacks, among other topics. The Pentagon having recently announced plans to more than triple its cyber security staff, the US took the unusual step of trying to reassure China about its cyber strategy, clearly hoping that China would reciprocate by being more open about its use of cyber attacks. China is yet to respond.

For more information on this subject, read 21st Century Chinese Cyberwarfare, which argues that the People’s Republic of China uses cyber warfare to promote its own interests and enforce its political, military and economic will on other nation states.

For a wider view of what cyber security means, read CyberWar, CyberTerror, CyberCrime and CyberActivism, which will help you make the most of international standards and best practices to create a culture of cyber security awareness within your organisation that complements your technology-based defences.

(Image source: Silicon Angle)

IT Governance Nominated for European Security Blogging Award

April 14th, 2014

For the second year running, a selection of Europe’s top security bloggers will be competing for several European Security Blogging Awards.

IT Governance is very proud to announce that it has been nominated for ‘Best Corporate Security Blog’. Over the last few years our team has worked tirelessly to turn the IT Governance blog into a portal of useful information about information security and other IT governance, risk management and compliance (IT GRC) areas. We are very proud to be nominated for an award recognising our commitment.

Other high-profile bloggers such as Graham Cluley and Brian Honan (an ITGP author) have been nominated across several awards, making for a very healthy competition.

If you’d like to cast your vote then you can do so by visiting the European Security Blogging Awards voting page.

The awards will be held at InfoSec on 30th April, where you can also register to attend InfoSec.

We would like to thank all of our readers who have helped make the IT Governance Blog a success, and we look forward to continuing to provide you with valuable information in the future.


COBIT 5 for cyber security: want to know more?

April 14th, 2014

COBIT® 5 is often seen as merely a business framework for the governance and management of enterprise IT, but what some don’t realise is that it can be used to address the growing threat from cyber crime.

It provides a means to address cyber security in a systematic way and to integrate it with an overall approach to security governance, risk management and compliance. Furthermore, it has now been included in the new US Cybersecurity Framework, which maps to COBIT 5.

With the release of COBIT 5, ISACA recognised the need for clear guidance on how information and cyber security issues could be addressed using the framework. This leverages the core principles at the heart of the framework and the relevant enablers to deliver a holistic approach to information and cyber security.

ISACA provides guidance on the topic of employing COBIT 5 to address cyber security in COBIT 5 for Information Security and Transforming Cybersecurity Using COBIT 5.

Find out more from Sarb Sembhi of ISACA

To find out more about how COBIT 5 can be leveraged to help you address the cyber crime menace, attend the ISO 27001:2013 and PCI DSS V3 – new Standards in the Global Cyber War event in London on 8 May.

Sarb Sembhi of ISACA London will be giving a talk at the event on how COBIT 5 can be used to address cyber threats.

Do you use a penetration testing tablet?

April 11th, 2014

As a penetration tester, you’ll know that having the right tools for the job is of critical importance. A new weapon in the arsenal of penetration testers is the penetration testing tablet. These devices, such as the Pwn Pad 2014, provide a highly flexible and convenient means to pen test a network.

Read a review of the Pwn Pad 2014 by a professional penetration tester.

Packed full of the latest penetration testing apps, these devices are ideal for penetration testing professionals and ethical hackers who are always on the go, and who don’t want to carry around bulky laptops or other large pen testing equipment.

If you haven’t selected your penetration testing tablet yet, we recommend the Pwn Pad 2014. Our own technical services team use the device and have found it to be a more than capable penetration testing tool.

See the Pwn Pad 2014 in action

Want to know more about the Pwn Pad 2014? Come and see the device in action at our event in London on 8 May at the Churchill War Rooms.
