LRQA Nettitude Blog

We are pleased to announce the addition of Sarah Beresford, our new Security and Network Solutions Account Manager, within the Security and Network Solutions team. This new team delivers network consultancy, enterprise network solutions and network security solutions. Throughout the forthcoming months, Sarah will be working closely with our clients to assess the effectiveness of their current environments and advise on any appropriate action to ensure their business infrastructure is as safe as possible. Below is a further insight into how Sarah will be working within this new team.

By Joel Snape, Senior Security Researcher at Nettitude

Across most branches of industry, it is common to find security companies doing pro-active vulnerability research on equipment used in that industry and publishing details of the issue found after liaising with the vendor to ensure they are fixed. For example, in the wake of several large-scale internet attacks in 2016, researchers focused their attention on IoT devices with many reports surfacing of issues with devices such as CCTV cameras, home routers and network-connected storage devices.

In the maritime space, however, much less research has been publicly shared, predominantly because of the comparative cost and lack of accessibility of standard maritime equipment, although research has been carried out for several years, and some of the results have been publicly presented. Nettitude have pulled together highlights of the most relevant research in the public domain from a few key systems and highlighted the impact these vulnerabilities have within the marine and offshore sector, full details of which can be found in this report. So, what did the researchers find? Is the equipment currently used secure?

ISO27701:2019, a new international standard concerned with the management of personal data, has been published. ISO27701 is a Privacy Information Management System (PIMS), and provides an extension to the better known ISO27001:2013 Information Security Management System (ISMS).

In this blog, we’ll take a brief look at the new standard, how it differs from ISO27001:2013, and how it can benefit your organisation.

What is a zero day attack exploit?

Imagine setting sail with your bow doors still open. Or operating with an engine that leaked 50% of its fuel intake. Or if we let the bridge continue to operate with all the windows smashed.

CREST, CSA and AISP work together to introduce penetration testing certifications in Singapore

Nettitude has added another string to its penetration testing bow today, following confirmation from CREST – the not-for-profit organisation that serves the needs of the technical information security marketplace – that our testing team has successfully achieved full CREST STAR (Simulated Target Attack & Response) status. STAR is arguably one of the most sophisticated approaches for delivering penetration testing. Through combining comprehensive threat data with a “Red Team” style of testing, STAR assessments are designed to deliver some of the strongest levels of assurance available to organisations across the globe.

‘Ssssshh – Do I have to tell anyone that I have lost something important?
Beyond PCI DSS - Protecting more than just card data
The latest version of the PCI Data Security Standard, which was formally released last month (Version 2.0, 28 Oct 2010), provides Merchants, Service Providers, Auditors and Banks with an opportunity to briefly review how far (or not) the Card Payment Industry has come in securing it’s Card Holder Data.
Many IT Managers and Financial Directors still loath the words ‘PCI Compliance’, however, the essential common sense of the 12 requirements are slowly being understood as general good practice for data security.

Version 2.0 offers no seismic shift in the standard or its approach. Clarifications of the existing requirements, a more detailed reporting/testing process and a longer three-year cycle of updates all demonstrate that the standard is bedding into a mature yardstick for data security.

Now is a good time to pause and reflect on why these requirements cause so many organisations so much pain. We should also scratch our heads and ask why it is that we have not done all this before?
Clearly, a big part within our organisations and companies has been played by a culture that has seen security as an optional add-on, or something to be considered when the budget exists, or as is the case with many, a naive understanding that security will be someone else’s problem. The media is full every week of cases of data theft:  Law company websites being compromised, major hotel chains being breached and high street retailers being attacked.

Or what about the reports that Card Details have been sent out in clear text emails in what appears to be an unthinking legitimate process, or the reports of yet another loss of Personally Identifiable Information (PII) on a USB/CD/Laptop/unencrypted email or spreadsheet.

The pillars and concepts of PCI Security are not rocket science. They consist of 12 requirements that any Information Security Manager worth his salt would be able to pull together as sensible, common-sense measures that any organisation that takes security seriously should be doing to some degree or level.