Posts Tagged ‘Pen Testing’

IT Governance Reduces Its Pen Testing Packages By £1,000

August 25th, 2011 by

Routine penetration testing at regular intervals is a compulsory requirement to ensure that your networks and applications are secure against today’s automated cyber attacks.

At IT Governance, our approach to penetration testing is to use our extensive knowledge of hacking methodologies to simulate malicious attacks, identify the key vulnerabilities and recommend appropriate remedial activities.

IT Governance understands that Pen Testing is critical to your IT security and that it can also be an expensive process. That is why we have reduced our Pen Testing packages by £1,000.

The benefits of IT Governance pen testing include:

  • Complete solution for the efficient and routine testing of your IT system
  • Ensuring that networks and applications are secure against cyber attacks
  • Agreed scope of testing delivered for known and fixed costs
  • Complete report identifying vulnerabilities and recommended remedial activity

Standard Network Testing for £1,950

This package includes network testing for a system with up to 20 externally facing IP addresses and up to 4 internal servers running in a single organisation.

Web Application Testing for £1,950

This package includes application testing for a single web application with an externally facing interface and a single database.

Penetration Testing is critical for all businesses to ensure they are genuinely secure against today’s automated cyber attacks. And for a limited time both our Penetration Testing Standard Package and the Web Application Testing Package have been reduced by £1,000! So get Pen Tested today.

Buy the Standard Network Testing Package >>>

Buy the Web Application Testing Package >>>

Hackers Attack US Police Computer Systems

August 11th, 2011 by

The Daily Telegraph reported this week that hackers had broken into dozens of US police department computer systems, releasing vast amounts of information including reports of crimes submitted by the public.

The attack was carried out by members of the hacking groups Lulzsec and Anonymous. They posted a 7 GB file containing details of 77 officers including credit card details, social security numbers and other private data. The incident was apparently in response to the recent arrests of Lulzsec and Anonymous members in the UK and US.

One file published online, entitled ‘Snitch crime tip report’, allegedly included details of tip-offs about local incidents from members of the public, some of whose names and addresses were included.

In a disturbing statement attached to the leaked data, Anonymous said: “We have no sympathy for any of the officers or informants who may be endangered by the release of their personal information.”

2011 has seen a dramatic increase in the amount of hacking on high profile organisations, government departments and institutions. It is an issue that won’t go away, and it must be a concern for all organisations at board level. My advice: If you haven’t conducted a penetration test recently, you probably should. James S Tiller’s The Ethical Hacker: A framework For Business Value Penetration Testing is a great place to start.

Hong Kong Exchange Hacked

August 10th, 2011 by

This morning hackers brought down the Hong Kong stock exchange’s website. Trading in several major companies, including HSBC, Hong Kong Exchanges and Cathay Pacific Airways Ltd, was suspended after investors were deprived of access to important announcements on the website.

Hong Kong Exchanges and Clearing Ltd Chief Executive Officer Charles Li stated:

“Our current assessment is that this is the result of malicious attack by outside hacking.”

The suspension of trading was part of a contingency plan designed to ensure fair distribution of information. This attack is the latest in a series of attacks on high profile targets, which include Sony, Fox, Citi Group and the NasDaq.

It seems as if 2011 has been something of a watershed for hacking activity. There has been an exponential increase in the amount and scale of cyber attacks and cyber security is an issue that should be a top priority for every board.

The best place to start is to conduct a penetration test to check the levels of security of your network and systems. By conducting a penetration test you can quickly identify the weaknesses you have and create a clear plan of actions required to ensure that networks and applications are genuinely secure.

At IT Governance we offer a range of penetration packages, designed to provide a complete solution for your organisation.

View our range of Pen Testing Packages here.

ITG Pen Testing

Pen Test Packages

Benefits of ITG Pen Testing:

  • Complete solution for the efficient and routine testing of your IT system
  • Ensuring that networks and applications are secure against cyber attacks
  • Agreed scope of testing delivered for known and fixed costs
  • Comprehensive report identifying vulnerabilities and recommended remedial activity.

Cyber security is a real and present issue for every organisation that operates online.

Call us on + 44 845 070 1750 or email us to discuss your penetration testing requirements.

Lulzsec Member Arrested

August 1st, 2011 by

BBC News yesterday reported that a man from the Shetland Isles, reported to be from the Lulzsec hacking group, had been charged with computer offences. Jake Davis, 18, was charged with five offences relating to attacks on the website of the UK’s Serious Organised Crime Agency (SOCA). On June 20th SOCA took its website offline after it was the subject of a distributed denial of service (DDoS) attack, for which Lulzsec claimed responsibility. DDoS attacks bring down a website by overloading it with web requests, usually using large numbers of computers which are under malicious control.

The arrest is the latest in a series of arrests by police trying to crack down on Lulzsec and other hacking groups. Last month Ryan Cleary, 19, from Essex was charged with five offences under the Criminal Law and Computer Misuse Acts; one is alleged to be an attack on SOCA’s website. Additionally, last week, a 16-year-old from London was arrested, while an on-going international investigation has led to sixteen arrests in the US and four in the Netherlands.

There has been an increased drive from the Police to crack down on hacking activity from the Lulzsec group and its affiliates in recent months. The problem, though, is that it is difficult to ascertain the size of the organisation and it’s almost impossible to stop them recruiting new members. Indeed, hackers don’t need to be affiliated to a group to carry out their attacks.

Cyber crime, cyber hacking and data theft are issues that won’t go away, regardless of the Police’s attempts to crack down on them. It is therefore essential that every organisation takes responsibility for its own internet security and protection of its critical assets.

The first step every organisation should take is to conduct a Penetration Test of their networks and applications. A Penetration Test will simulate a malicious attack against them and test your current levels of security. The resulting findings will then form the basis upon which your security measures can be improved.

IT Governance offers a range of Penetration testing packages. Alternatively you can call one of our team to discuss your penetration testing requirements on 0845 070 1750.

A Pen Test Could Save Your Business

June 27th, 2011 by

Last week the Australian domain hosting company Distribute.IT, and its sister company Click n Go, were forced to sell up to a larger competitor after they were the subject of a crippling cyber attack. On the 11th June the Melbourne-based company lost more than 4800 websites hosted on their servers. As Distribute.IT’s backup services were held online, hackers were able to cause irreparable and permanent damage to backup systems and core services.

To Distribute.IT’s horror, when they attempted to stabilise the network they identified ‘further vulnerabilities in the configuration’ and they advised customers to ‘make preparations to migrate and transfer your requirements to another hosting/co-location provider.’

What is surprising, and what has infuriated customers of Distribute.IT, is that they had no physical back-up of the data and no disaster recovery plan.

The Netregistry Group moved quickly to buy Distribute.IT and provide as much assistance to customers as possible. Netregistry stated that they will provide a free hosting service for Distribute’s customers as soon as possible.

The fact is that this attack could have been mitigated by a simple Pen Test. A Pen Test would have identified the weaknesses in Distribute.IT’s networks and systems and provided a clear plan on the actions required to ensure that networks and applications are genuinely secure.

At IT Governance we offer a range of penetration packages, designed to provide a complete solution for your organisation.

View our range of Pen Testing Packages here.

ITG Pen Testing – Benefits

  • Complete solution for the efficient and routine testing of your IT system
  • Ensuring that networks and applications are secure against cyber attacks
  • Agreed scope of testing delivered for known and fixed costs
  • Comprehensive report identifying vulnerabilities and recommended remedial activity.

Read more about our Pen Testing services here.

As the attack on Distribute.IT has demonstrated, it isn’t just the huge brands like Sony, Fox and Nintendo who are at risk of a cyber attack. Cyber security is a real and present issue for every organisation that operates online. Failure to take this issue seriously could just cost you your business.

Email us today or call us on 0845 070 1750 to discuss your penetration testing requirements.

The LulzSec Hit-list – Are You On It?

June 22nd, 2011 by

This morning Essex police arrested a suspected member of the infamous LulzSec hacker group. A 19-year-old man was arrested at his family home in Wickford following a joint investigation between Scotland Yard and the FBI. The individual’s private details, including his home address, had been posted online by LulzSec, after it emerged he was about to inform on them.

This incident followed the latest attack, from the Brazilian arm of the LulzSec group, on the websites of the Brazilian Government and the President’s Office. It follows a statement from LulzSec on Sunday that they were joining forces with Anonymous, another hacker group, and that their ‘Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments’. It seems this wasn’t a hollow threat.

The list of organisations LulzSec has hacked is impressive to say the least, ranging from online gaming websites and government agencies to adult websites and media organisations. To date the alleged attacks made by LulzSec have included Sony Pictures, Sony Playstation, the IMF (International Monetary Fund), the CIA, the UK’s SOCA (Serious Organised Crime Agency), the US Senate, Fox.com, PBS, Nintendo, Bethesda Game Studios, Minecraft, League of Legends, The Escapist, FinFisher and Pron.com. Are you next?!

At IT Governance we understand that cyber attacks are a risk for every business. We recognise that efficient and routine penetration testing of your system is the only way of establishing that your networks and applications are secure. We offer a range of penetration packages, designed to provide a complete solution for your organisation.

View our range of Pen Testing Packages here.

Pen Testing – Benefits:

  • Complete solution for the efficient and routine testing of your IT system
  • Ensuring that networks and applications are secure against cyber attacks
  • Agreed scope of testing delivered for known and fixed costs
  • Comprehensive report identifying vulnerabilities and recommended remedial activity.

Contact us today via email or call us on 0845 070 1750 to discuss your penetration testing requirements.

Read more about our pen testing services here.

The Ethical Burglar?

June 15th, 2011 by

You arrive home after an enjoyable evening out. As you approach your house, you hear a noise that appears to come from around the back. Quietly, you step around the back and, in the gloom, you see someone at your back door who seems to be engaged in an attempt to gain entry. “Who’s there?” you call. The man turns; his face is covered. “Don’t worry, my friend,” he says cheerily. “I’m an ethical burglar just checking the security of your house.” He scoops up a bag lying next to his feet and scurries past you. As he passes, he turns and says, “By the way, all seems pretty good”; and with that he vanishes into the night.

What would you think? Is it ‘ethical’ for someone to try and break into your house without your knowledge?

There are some people out there who seem to think that, morally and ethically, it is fine to break into other people’s systems to ‘test’ their security. Recently, the NHS apparently suffered such an assault http://www.telegraph.co.uk/technology/news/8567008/Fears-for-patients-data-after-hackers-hit-NHS.html#disqus_thread. The ‘hackers’ even suggested, “We mean you no harm and only want to help you fix your tech issues”.

Other recent data breaches (Sony Playstation, Nintendo) have shown that all types of organisation are prone to attack, although it is probably the larger more well-known ones that will suffer most. Even the IMF has been targeted http://www.telegraph.co.uk/technology/news/8570957/IMF-computer-system-targeted-by-hackers.html.

Are these kinds of attacks ethical? Is it right for a group, or groups, of self-styled ‘security’ experts to brazenly try and exploit an organisation’s defences? The moral and ethical questions are probably pointless. These sorts of attacks will occur, so long as we have the Internet and clever people that use it.

So what should be done? Well, each organisation must protect itself so far as it can. Data should be assessed to determine the risk to that data. If the risk of attack is high, then it needs to be protected. One such method is to encrypt the data. Handling and classification of data should be unambiguous, and there should be clear rules for staff to follow. Perimeter defences for the network should be checked. One very effective way of testing such defences is to use Penetration Testing. One such example is http://www.itgovernance.co.uk/penetration-testing.aspx.

Ideally, Caesar’s maxim should be exercised (“the best form of defence is attack”). However, the spread both geographically and numerically of such hackers probably makes this very difficult for most organisations to contemplate. Thus, the only way to protect yourself and your vital data is to make sure your defences are watertight.

Make sure your staff are trained to spot potential attacks. Make sure they know what to do if anything suspicious happens (e.g. a suspicious e-mail is received). Make sure they know of, and follow, the rules you have set for them to protect data.

Most of this is common sense; however, when did common sense stop a hacking?

If you would like to discuss any aspect of this article, then please contact IT Governance on +44 (0) 845 070 1750 or e-mail servicecentre@itgovernance.co.uk. The website is http://www.itgovernance.co.uk.

IMF Hacked!

June 13th, 2011 by

It came to light last week that hackers had attacked the International Monetary Fund (IMF). This international body holds data for 187 of the world’s 194 nations. Amongst its functions, the IMF provides economic assistance and policy advice for nations in financial crisis; and thus holds extremely confidential information about the financial state of many nations.

The hackers made off with a ‘large quantity’ of data including emails and other documents. It is not yet clear how sensitive the stolen data is; needless to say though, the IMF are attempting to keep the media away from this story as much as possible.

The penetration is believed to have been carried out through a ‘spear phishing attack’. Typically, this is where an employee is lured into clicking on a link to a malicious website or downloading a file loaded with malware. The attack is similar in style to the recent attacks on Google, Sony and CitiGroup.

How secure is your organisation’s sensitive information?

Cyber attacks are a risk for every business, of any size. Efficient and routine penetration testing of your systems is the only way to ensure that your networks and applications are genuinely secure against today’s automated cyber attacks. IT Governance is here to help. We can provide a complete solution for your business. Call us today on 0845 070 1750 or email us to discuss your penetration testing needs.

ITG Penetration Testing – Standard Package – Key Features

  • Complete solution for the efficient and routine testing of your IT system
  • Ensuring that networks and applications are secure against cyber attacks
  • Agreed scope of testing delivered for known and fixed costs
  • Comprehensive report identifying vulnerabilities and recommended remedial activity.

Order this package today

If you would like to read more about Penetration Testing, and the services that IT Governance can provide, click here for more information. We also have a free White Paper on Security Penetration Testing and ISO27001; download here.

As in many of these recent hacker attacks, the actions of an employee have been at the centre of the issue. That is not to say that system security was not a major issue; it clearly was. However, it is imperative that individuals within an organisation understand their role when it comes to information security. Our ITG E-Learning Course: Information Security Staff Awareness is an effective and affordable way to ensure your staff have the appropriate information security training.

Click here to visit all our e-learning training courses.

Pen Testing – it’s all in the Report

May 19th, 2011 by

Many suppliers of pen testing services in the UK provide very effective technical tests but often fail to deliver a comprehensive Penetration Testing report. The quality of the information contained in the report and its relationship to the identification of the potential threats is crucial to ensuring your networks and applications are truly secure.

What should you expect from our Penetration Test Report?

While a great deal of technical effort is applied during the testing and analysis, the real value of our Penetration Testing service is in the report and the subsequent briefing provided to your key stakeholders. Each report includes the following:

  • A complete description of the tests performed
  • Each potential vulnerability identified and ranked in order of importance
  • A proposed remedial solution for each potential vulnerability
  • An Executive Summary that clearly identifies the business risks and possible solutions
  • The opportunity to discuss all tests and recommendations as required

Not just for the IT Manager

The information in the Penetration Test Report should always be shared with senior management and other key stakeholders. Prior to any testing, we recommend that you undertake a risk assessment to identify the major potential threats to your system and align the potential damage that they may cause to the key objectives of your organisation. These risks may include the loss of confidential information, the failure of communications or the failure of a business critical system such as an e-commerce site.

The IT Governance Penetration Test Report always includes an Executive Summary that identifies these business risks and possible solutions in non-technical layman’s terms. In addition to the standard report, many of our customers also ask us to attend a meeting at their office to present our results and recommendations in detail.

What makes our Penetration Testing service unique?

IT Governance has a long and distinguished history in the provision of information security expertise and solutions and is widely known for its work in helping organisations achieve compliance with the PCI DSS and ISO/IEC 27001:2005 standards. Our Penetration Testing service builds on this foundation to provide the highest quality security testing of your IT networks and applications.

Why should you choose IT Governance for your Penetration Testing service?

  • Practical risk assessment to ensure testing meets all security objectives
  • All types of testing provided including system, applications and staff assessment
  • Qualified Certified Security testers employing the latest ethical techniques
  • Comprehensive testing report outlining all appropriate remedial actions

Find out more about the ITG Penetration Testing – Standard Package

Please take the opportunity to contact us directly to discuss your requirements and find out how you can book your Penetration Testing Service. Our Customer Service team will be delighted to hear from you and, if required, can arrange for one of our Consultants to call you for a no-obligation chat. For further information, please email or call on 08450 701750.

Test Your Web Applications – Low Cost and Known Benefits

March 16th, 2011 by

Web-based applications and databases are increasingly used by businesses to market and sell their products on the Internet. Did you know that over 70% of all cyber attacks target Web application vulnerabilities linked to essential functionality including shopping carts, web forms, login pages, dynamic content and blogs?

While there is no doubt that complexity and ease of access to Web applications make them easier to attack, the real value to a hacker is the prize of valuable payment and credit card information stored on your system.

Routine penetration testing at regular intervals is a compulsory requirement to ensure that your Web applications are secure against today’s automated cyber attacks and to maintain compliance with standards such as ISO27001 and the Payment Card Industry Data Security Standard (PCI DSS).

How can you afford to regularly test your system at 6 or 12 month intervals?

IT Governance Web Application Testing Package

The IT Governance Web Application Testing Package is designed to provide a complete solution for the efficient and routine testing of your IT system, ensuring that your applications are genuinely secure against today’s automated cyber attacks.

The benefits of the IT Governance Web Application Testing Package include:

  • Ensuring all Web applications are secure against cyber attacks
  • Agreed scope of testing delivered for known and fixed costs
  • Provide assurance to all users (staff, customers, key stakeholders)
  • Complete report identifying vulnerabilities and recommended remedial activity

For smaller organisations, we recommend the ITG Web Application Testing Package which offers full testing for a system with a single Web application with an externally facing interface and a single database together with a comprehensive test report for a fixed fee of £1950 + VAT.

www.itgovernance.co.uk/products/3185

 

Please note that a range of optional ‘testing modules’ can be added to any IT Governance Penetration Testing Package. These include the testing of your IT network infrastructure (recommended) or a Wireless Network system as required.

Please take the opportunity to contact us directly to discuss your requirements and find out how you can book your ITG Web Application Testing Package. Our Customer Service team will be delighted to hear from you and, if required, can arrange for one of our Consultants to call you for a no-obligation chat.

For further information, please e-mail ServiceCentre@itgovernance.co.uk or call on 08450 701750.
