Current Information Security and Compliance Issues

Computer Misuse Act

In the UK, the 1990 Computer Misuse Act was updated with the issue in November 2006 of the Police and Justice Act 2006. This Act makes Denial of Service attacks an offence in the UK and will also make a person guilty of an offence "if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, [a hacking offence]". "Article" is defined in the Act to include "any program or data held in electronic form". It is not clear how this phrase will apply to tools used in penetration testing, nor is it clear how "ethical hacking" will be dealt with. 

PCI DATA SECURITY STANDARD

The PCI Data Security Standard was originally developed by Visa and MasterCard, and endorsed by other payment providers including American Express, Diners Club and Discover. This Standard included the requirements of Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP). Version 1 was withdrawn from 31 December 2006; the new version 1.1 is now applicable and is controlled by the independent PCI Security Standards Council.

The PCI DSS also intersects with other credit card company security initiatives, such as Verified by Visa and MasterCard SecureCode.

Our new PCI DSS & Card Security Page has comprehensive resources for anyone tackling these issues.

Voice over IP (VoIP) / Voice over Broadband (VOB)

VoIP and VOB applications are becoming increasingly interesting to businesses everywhere, because of their combination of flexibility and cost-effectiveness. They also bring information security challenges.

A VoIP network is subject to all the same threats as a wired network: "…viruses, spam, phishing, hacking attempts, intrusions, mismanaged identities, Denial of Service (DoS) attacks, lost and stolen data, voice injections, data sniffing, hijacked calls, toll fraud, eavesdropping, and on and on and on." (VOIP Security Alliance, 1 December 2006). While there is little formal guidance on effective VoIP security, it is clear that risks to these networks need to be analysed and assessed, and appropriate (largely technology-based) controls implemented. Here is a link to current detailed recommendations on VoIP security practices.

PHISHING

Phishing attacks use 'spoofed' e-mails and fraudulent websites that are designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, and so on. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them. Phishers then use this data to commit fraud.

Clearly, phishing poses dangers for both consumers and for the organisations whose identities are hijacked; IT governance and risk management frameworks should all be addressing this issue as a matter of urgency.

The Anti-Phishing Working Group has a website that provides information that is relevant and helpful to those who recognise the need to take appropriate action now.

WIRELESS NETWORKS

Some estimate that deploying wireless networks can reduce MIS costs by at least 30%. That type of saving, combined with all the user benefits of easy access to network resources, has driven the number of UK organisations deploying wireless networks up to 34% of the total, from just 2% in 2002. 53% of those organisations, however, admit that they have no security controls in place over their wireless networks. This is a failure of IT governance; it needs to be addressed as a matter of urgency by all organisations that have deployed wireless.

The emerging standard for Wireless Fidelity interoperability and security is 802.11i; the website of the Wi-Fi alliance is a useful resource for those who recognise the need to consider the risks of deploying this technology.

You should also read The NON-Geek Guide to Wireless Security.

BLUE EXPLOITS

Bluetooth devices, particularly mobile phones, are at risk from two types of attack from nearby or passing devices: bluejacking and bluesnarfing. A bluejacking attack involves sending text messages to the mobile phones of any users who are within range, and it could be used both maliciously and for 'bluespam'. A bluesnarfing attack is potentially more serious, and involves the theft of all contact information stored in the phone. Not all phones are vulnerable to these sorts of attack, and the picture will change as manufacturers respond to the discovery of these vulnerabilities. At the moment (January 2005), it is said that Nokia 6310, 6310i, 8910 and 8910i models are at greatest risk. Apparently, "on some models of phone, you are only vulnerable to attack if you are on visible mode; however, there are other models of phones where you are vulnerable even in non-visible mode".

Information Security Surveys

Boards and managements are still failing to get to grips with their information security responsibilities. Published in June 2006, Deloitte's 4th annual Global Security Survey re-identifies many important security issues: "poor new-hire screening, lackadaisical subcontractor controls, security-ignorant employees and deficient management processes...have prompted new legislation, new regulations and whole new set of business and customer requirements." There is, apparently, an "increasing understanding by boards that taking the appropriate steps to ensure security of information is a requirement." The role of the CISO is, however, still in its infancy, and security has only really risen to the C-suite level in no more than a third of organizations.

The UK's Information Security Breaches Survey 2006 continued to demonstrate categorically that UK boards and managements are failing in their responsibility to take appropriate steps to secure the confidentiality, integrity and availability of their organization's information.

87% of UK businesses are now "highly dependent on electronic information and the systems that process it" and, although three quarters of organisations stated that information security "was a high or very high priority for their top management or board of directors", the reality is that "many companies lack the expertise to address this complex, changing area".

"Three quarters of businesses are confident that their technical security processes are sufficiently good to prevent or detect all significant security breaches. Given the weaknesses in these controls, it appears that some do not fully appreciate the risks they are running." The fact that 94% of businesses had a security incident last year, that the average UK business now has "roughly one security breach a month" and that two-thirds had a "premeditated or malicious incident" demonstrates the validity of that conclusion in the DTI report.

The Open University offers an advanced course in Information Security Management. Any organisation that is even slightly serious about tackling information security and IT Governance needs its information security staff to be appropriately qualified. Any individual who plans to make a career in the sector also needs to be appropriately qualified. The Open University's new post-graduate course on information security management will help employees to understand, create and manage both strategic and operational aspects of information security. The course is based on and supports Alan Calder and Steve Watkins' book IT Governance: A Manager's Guide to Data Security and ISO27001/ISO27002 - 4th Edition. The course, called M886: Information Security Management, ran for the first time in November 2004 and places are usually limited.

© 2003 - IT Governance Ltd.