Archive for the ‘Information Security’ Category

A closer look at the shocking card fraud losses in South Africa

April 17th, 2014

This post takes a closer look at card fraud losses in South Africa during the last few years. According to a SABRIC report, the banking industry's card fraud losses increased by 22% in nine months in the year 2012 – 2013. South Africa is the third most targeted country for cyber crime after China and Russia. This is because the country is not protected enough and organisations often leave doors open to criminals.

Card fraud can happen in different ways. Listed below are the main methods of card fraud in South Africa.

  • Card Not Present (CNP) fraud is a payment made when the card is not physically present, i.e. over the phone or the internet, or by email or fax. CNP card fraud losses increased by 16% during the period 2012 – 2013.
  • Counterfeit card fraud is performed with a card that has been cloned using information stolen from the magnetic stripe. Counterfeit card fraud losses increased by 27% during 2012 – 2013.
  • Lost or stolen card fraud is when the cardholder is no longer in possession of their card and a criminal uses it in their name. Lost or stolen credit card fraud increased by 102.4% from 2012 to 2013.

The table below details the biggest card fraud losses by fraud type over the past 8 years.

Fraud type    2006    2007    2008    2009    2010    2011    2012    2013
CNP           R22.3   R40.7   R65.8   R63.1   R64.2   R133.4  R154.4  R178.7
Counterfeit   R53.5   R94.7   R157.1  R145.7  R92.7   R207.7  R113.9  R144.5
Lost/Stolen   R66.2   R117.5  R117.5  R65.7   R25.8   R18.3   R15.6   R31.7

All figures are in R millions. Source: Card Fraud – SABRIC


According to the 2012 Norton Cybercrime Report, the financial impact of card fraud losses in South Africa amounted to R3.7 billion. In 2012, 2.39 million people, or 64% of the population, had experienced cyber crime. The majority of fraudulent card transactions for 2013 occurred in Gauteng (42.8%), followed by KwaZulu Natal (16.7%) and Eastern Cape (8.5%). Together, these regions account for 86.1% of all card fraud losses.

There is no doubt that cyber criminals are changing their hacking ways and consumers and organisations may be less aware of how to protect themselves. Card fraud losses, as well as the costs of card fraud among organisations in South Africa, are increasing dramatically.

Whether you are a merchant or a service provider, one way to reduce the likelihood of card fraud is to comply with the Payment Card Industry Data Security Standard (PCI DSS). Compliance with the Standard is mandatory for organisations that process, transmit or store cardholder data.

Why not have a look at “PCIDSS: A Practical Guide to Implementing and Maintaining Compliance, Third edition” which provides a flexible and tailorable route to achieving compliance with the PCIDSS that is ideal for organisations of all sizes and sectors.

COBIT 5 for cyber security: want to know more?

April 14th, 2014

COBIT® 5 is often seen as merely a business framework for the governance and management of enterprise IT, but what some don’t realise is that it can be used to address the growing threat from cyber crime.

It provides a means to address cyber security in a systematic way and to integrate it with an overall approach to security governance, risk management and compliance. Furthermore, it has now been included in the new US Cybersecurity Framework, which maps to COBIT 5.

With the release of COBIT 5, ISACA recognised the need for clear guidance on how information and cyber security issues could be addressed using the framework. This leverages the core principles at the heart of the framework and the relevant enablers to deliver a holistic approach to information and cyber security.

ISACA provides guidance on the topic of employing COBIT 5 to address cyber security in COBIT 5 for Information Security and Transforming Cybersecurity Using COBIT 5.

Find out more from Sarb Sembhi of ISACA

To find out more about how COBIT 5 can be leveraged to help you address the cyber crime menace, attend the ISO 27001:2013 and PCI DSS V3 – new Standards in the Global Cyber War event in London on 8 May.

Sarb Sembhi of ISACA London will be giving a talk at the event on how COBIT 5 can be used to address cyber threats.

Do you use a penetration testing tablet?

April 11th, 2014

As a penetration tester, you’ll know that having the right tools for the job is of critical importance. A new weapon in the arsenal of penetration testers is the penetration testing tablet. These devices, such as the Pwn Pad 2014, provide a highly flexible and convenient means to pen test a network.

Read a review of the Pwn Pad 2014 by a professional penetration tester.

Packed full of the latest penetration testing apps, these devices are ideal for penetration testing professionals and ethical hackers who are always on the go, and who don’t want to carry around bulky laptops or other large pen testing equipment.

If you haven’t selected your penetration testing tablet yet, we recommend the Pwn Pad 2014. Our own technical services team use the device and have found it to be a more than capable penetration testing tool.

See the Pwn Pad 2014 in action

Want to know more about the Pwn Pad 2014? Come and see the device in action at our event in London on 8 May at the Churchill War Rooms.

Has the board’s perception of cyber security changed with the changing cyber risk environment?

April 11th, 2014

I hope that it has. As cyber risks proliferate it is important that cyber security is driven from the very top of the organisation. Organisations that manage cyber risk effectively are in a better position to take advantage of new business initiatives, new technological advancements, and, importantly, to win new customers and contracts.

The realisation that big data, Cloud, Internet of Things (IoT), Bring Your Own Device (BYOD) and social media are creating as many threats for businesses as they create opportunities is important for addressing cyber security at an organisational level. According to Information Week Research: State of Cloud Computing, 51% of organisations are reluctant to migrate to the Cloud due to concerns about data security flaws. This highlights the fact that many business owners are sacrificing effectiveness and innovation out of fear of a data breach.

Following the success of its first Boardroom Cyber Watch 2013 Survey, IT Governance has launched the Boardroom Cyber Watch 2014 Survey again this year. It aims to find out how business owners, board directors and IT professionals are adapting to the constantly changing array of cyber risks. The survey will be followed by an incisive report that will shine fresh light on this and other issues.

Take part in the Boardroom Cyber Watch 2014 Survey today – it is multiple choice and takes less than 5 minutes to complete.

You will receive a free copy of the IT Governance report on company directors and IT security, and will be entered into a prize draw to win a Samsung Galaxy Tab 3.

Please note: The survey closes at the end of April and the results will be published in May 2014.

OpenSSL & Heartbeat Explained

April 10th, 2014

Over the last few days the press has been full of stories about the vulnerability in OpenSSL that allows unauthenticated retrieval of memory blocks up to 64kB in size – and that retrieved memory could contain encryption keys. This vulnerability has been officially recorded as TLS heartbeat read overrun (CVE-2014-0160) and is a serious vulnerability which has a CVSS2 Base Score rating of 9.4. There is an official fix for the vulnerability, which requires either installing OpenSSL 1.0.1g or recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag set.

The vulnerability does not affect all deployments of SSL, only those which use vulnerable installations of OpenSSL, so Microsoft-based installations should not be affected. A key check for organisations will be to scan their servers to see if they are affected. Vulnerability scanner vendors such as Tenable have released plugins or modules that detect this vulnerability through their update services, such as the Nessus ProfessionalFeed. Nessus released their plugin and announced it on their RSS feed on Wednesday. As the vulnerability has been announced and exploits are publicly available, it is now critical that organisations patch their servers before the attackers successfully use the exploit. This exploit is suitable for the lesser skilled “script kiddies” to use, so it can be expected that attacks will be conducted out of curiosity by the vast army of script kiddies out there.

Organisations must determine if they are vulnerable, patch and then gain assurance the patch has been successfully deployed. The use of vulnerability scans and 3rd-party penetration testing can help with this activity. Once patched, an organisation can then advise its users on the best action to take, such as changing passwords.
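A check of the kind described above (determine whether you are vulnerable, then confirm the patch landed) as an added example written for this post; it is not code from the original, from OpenSSL or from Tenable. It classifies the banner printed by `openssl version -a` on each host: the 1.0.1 branch up to and including 1.0.1f is affected, 1.0.1g is the fix named above, and a build made with -DOPENSSL_NO_HEARTBEATS is treated as patched because that flag is assumed to appear in the `compiler:` line of the banner. The inventory dictionary, host names and banner text are constructed sample data.

```python
import re

# Constructed sample inventory: hostname -> output of `openssl version -a`
# (assumed format: a version banner line, then build details including a
# "compiler:" line carrying the CFLAGS used for the build).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_THREADS -O3",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -DOPENSSL_THREADS -O3",
    "vpn-01": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -O3",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_THREADS -O3",
    "db-01": "OpenSSL 1.0.0k 5 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_THREADS -O3",
    "appliance-07": "command not found",
}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from an OpenSSL version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def heartbeats_compiled_out(version_a_output):
    """True when the build flags show the heartbeat extension was removed at compile time."""
    return "OPENSSL_NO_HEARTBEATS" in version_a_output


def assess(version_a_output):
    """Classify one host as 'vulnerable', 'patched', 'unaffected' or 'unknown'."""
    parsed = parse_openssl_version(version_a_output)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter = parsed
    branch = (major, minor, patch)
    if branch < (1, 0, 1):
        return "unaffected"  # 0.9.8 and 1.0.0 never shipped the TLS heartbeat code
    if branch > (1, 0, 1):
        return "unknown"  # later branches are outside this check; consult the advisory
    if heartbeats_compiled_out(version_a_output):
        return "patched"  # recompiled with -DOPENSSL_NO_HEARTBEATS
    if letter >= "g":
        return "patched"  # 1.0.1g or later
    return "vulnerable"  # 1.0.1 through 1.0.1f


def triage(inventory):
    """Group hosts by assessment so the patch list and the follow-up list are explicit."""
    groups = {"vulnerable": [], "patched": [], "unaffected": [], "unknown": []}
    for host, output in inventory.items():
        groups[assess(output)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

One caveat a practitioner will want: distributions that backport the fix keep the old version letter (a patched package can still report 1.0.1e), so a "vulnerable" result from a banner check means "confirm against the vendor advisory or the package changelog", not a definite finding. The positive assurance the post asks for after patching comes from re-running the scanner plugin against the service itself, which does not rely on the version string.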

Book a FREE Compliance Surgery at InfoSecurity Europe 2014

April 10th, 2014

Infosecurity Europe is the most important date in the calendar for information security professionals across Europe. Taking place at Earl’s Court in London, Tuesday 29 April – Thursday 1 May, the event will feature over 325 exhibitors, approximately 13,000 visitors and a diverse range of new products and services.

IT Governance will be at Infosecurity Europe (Stand F103) and we would like to offer you the opportunity to set up a 1:1 meeting with one of our expert consultants.

Make the most of your time at the event and reserve an appointment with an IT Governance specialist by booking a FREE 15-minute expert compliance surgery.

Our team of experts will help you to understand and make progress with:

  • ISO27001
  • PCI DSS compliance/completing self-assessments
  • Data Protection Act (DPA) regulations and responsibilities
  • ISO22301 Business Continuity Management Systems
  • ITIL/ISO20000 IT service management compliance
  • NHS N3/IG toolkit submissions/self-assessments
  • European directives (e.g. European e-Privacy directive).

Compliance surgery appointments are accessible to all Infosec visitors and are available throughout the full three days, at a time convenient for you.

Book your FREE 15-minute session today:

Telephone:   0845 070 1750

ISO27001 has helped many companies win business – insightful case studies explain how

April 7th, 2014

One of the most widely-recognised benefits of implementing ISO 27001 – the international information security standard – in an organisation is the level of security assurance it provides to the board, shareholders, customers and regulators.

Another top benefit of ISO 27001 is the competitive edge it can give to your business. If two competing suppliers are tendering for the same contract and are relatively equal in regards to price, experience and quality of work – the organisation with proven cyber security credentials may influence the purchasing decision in its favour.

Many of IT Governance’s clients have recognised the competitive advantages that ISO27001 brings and have opted for ISO27001 certification. The latter is often seen as a contractual requirement or a prerequisite for winning more business. These case studies reveal how they achieved this.

Wirefast outpaces competitors by gaining ISO27001 certification

With technology facilities in the UK, USA and Asia, Wirefast employs a highly-skilled team of software engineers and support staff to develop and deliver its communications solutions. The company’s client list reads like a Who’s Who of global business, including banking and finance, oil and gas, and healthcare. They are also known for Newslink, a high-availability messaging application used by the world’s leading news contributors and media outlets.

To demonstrate Wirefast’s ongoing commitment to achieving best practice in information security, the Board determined they should achieve certification to the ISO27001 Standard. Paul White, CFO, and Paul Green, Information Security and Operations Manager, asked IT Governance to provide consultants who could guide their in-house project team, meeting ISO27001 requirements and ensuring a successful certification audit at its first attempt.

Download the Wirefast ISO 27001 Case Study

Bioscience high-flyer, Eagle, FastTracks to ISO27001 certification

“We saw at once that IT Governance’s ISO27001 FastTrack™ package removed the need to invest significant time, money and effort in researching and acquiring the skill-set necessary to do this alone.” (Abel Ureta-Vidal, Chief Operating Officer, Eagle).

Eagle’s dozen, exceptionally-qualified employees, are all leaders in the field of management and analysis of genomic data, including Next Generation Sequencing (NGS), helping customers plan, pilot, and migrate their existing bioinformatics systems into the Cloud.

Eagle’s customers expect them to demonstrate compliance with ISO27001, the international standard for Information Security Management Systems (ISMS) – hence, they approached IT Governance to hire FastTrack consultancy services that resulted in them becoming one of the few genomics data specialists able to display an ISO27001 UKAS-accredited certificate.

Download the Eagle ISO 27001 Case Study

Gain a competitive advantage with ISO 27001

April 2nd, 2014

We often talk of the operational benefits that conformance to ISO27001’s specifications will bring your organisation, from the cost-saving advantages of increased efficiency to the peace of mind that a robust information security management system (ISMS) provides, but it’s important to remember that compliance with the standard also gives you a distinct competitive advantage, and will enable you to win new business as well as retain your existing clients.

Having the edge over your competitors is always beneficial, and when tendering for new contracts you want the best chance of success that you can get. Here’s how ISO27001 can help win you more business:

  • ISO27001 is recognised in every country and every market in the world as the mark of highest competency in information security management. Prospective customers recognise this, and will often choose a supplier that holds an ISO27001 certificate over one that doesn’t.
  • In the UK, requests for quotations and tender requests from public sector organisations including the MoD, the NHS and local authorities will ask that the supplier be compliant with ISO27001 or, if it is not, demonstrate the required information security measures by completing a long questionnaire or submitting to an inspection. Conformance to ISO27001 saves considerable time and money in the required due diligence of tender applications. (To be accepted by the MoD as an approved Enhanced Learning Credit (ELCAS) training provider, IT Governance Ltd was asked to be fully compliant to ISO27001.)
  • ISO27001 itself recommends that compliant organisations maintain supply chain relationships with ISO27001-compliant suppliers. If you are looking to form trading relationships with larger ISO27001-certified commercial enterprises, you will need to be compliant with ISO27001 too.
  • In the IT service industry, where the protection of data is paramount to winning and maintaining the trust of customers, an ISO27001 certificate is the only credible, demonstrable evidence of effective information security.

The implementation of an ISO27001 ISMS brings numerous recognised long-term benefits for your organisation, and will pay for itself several times over in the extra business you win as a result of your certification. IT Governance supplies a wide range of ISO27001 products and services to help you achieve that end.

ISO27001 Certified ISMS Foundation Training Course

The one-day ISO27001 Foundation Course provides a complete introduction to the ISO27001 standard and explains how and why compliance to ISO27001 can help your company win new business with larger firms and public sector organisations including the MoD, the NHS and local government.

List of Data Breaches and Cyber Attacks in March

April 1st, 2014

Once again, cyber criminals have been very busy. In March there have been several high profile breaches such as that of Morrisons and the California DMV. Whilst this list may appear long, it is only a snapshot of the true number of breaches and attacks that occurred in March.

Data Breach

Devices stolen from Palomar Health staffer, data on 5K patients at risk

Morrisons employee arrested following data breach involving details of 100k staff

CD in refurbished drive contained unencrypted info on 15K NYC transit workers

Iowa DHS data breach dates back 2008, more than 2,000 impacted

Malware on Wisconsin university server storing info on 15K students

More than 1,000 UK HealthCare patients impacted by stolen laptop

About 55K in San Francisco impacted in theft of Sutherland computers

Another two universities suffer data breaches, but notification still too slow

Hackers steal 12 million customer records from South Korean phone giant

Cardholder Data

Malware in 34 Spec’s stores, payment data compromised for 550K

Credit Card Breach at California DMV

Personal info ends up online, nearly 9,000 Ohio patients affected

Other Attack

EA Games website hacked to phish Apple IDs from users

NATO website hit hard by denial-of-service attack as Crimean tension rises

Russia Today website hackers tweak headlines, replace with word “Nazi”

Hootsuite suffers DoS attack

Bitcoin user loses $10K to typosquatters

AnonGhost hackers deface a fake bank site DDoSed by extortionist, refuses to pay ransom

The key to improving your cyber security defences and protecting yourself from emerging cyber threats is to know what your vulnerabilities are. Find out how to protect your organisation by attending this webinar, ‘What every IT professional needs to know about penetration tests’, on 03/04/14 at 3:00pm GMT.

UK Government Protective Marking Scheme replaced by Government Security Classifications

April 1st, 2014

With effect from 2 April 2014 the UK Government Protective Marking Scheme (GPMS) is being replaced by the Government Classification System (GCS). This new system specifies three levels of classification that should be used when classifying information assets:

• Official
• Secret
• Top Secret

It is the responsibility of all those who work in the British public sector (i.e. government departments, agencies and individuals) to protect information assets in line with the GCS, including by classifying their data to ensure it receives the appropriate protection. The GCS also mandates that it should be implemented by public sector delivery partners and the wider supply chain.

This simplified policy will make it easier and more cost-effective for government material to be marked, handled and protected.

How can we easily comply with the GCS?

Boldon James Classifier is a suite of software tools that allows users easily to apply classifications and protective markings to emails and other types of files so that they can be identified and receive appropriate levels of protection.

Boldon James Classifier:

• applies labels and protective markings so that information that requires special handling is identified;
• automatically applies visual labels to documents and emails, which helps educate users about the sensitivity of information and ensures adherence to policy; and
• can be used to orchestrate multiple on-demand security technologies such as encryption.

If you would like to find out more about Boldon James Classifier, please see our Information Classification Software page.

Alternatively, you can see Boldon James Classifier at our event on 8 May 2014, ISO 27001 2013 and PCI DSS V3 – new Standards in the Global Cyber War which is being held in London, at the Cabinet War Rooms.
