Archive for the Government Category

SEC == Security

Posted in Cyber Security, Government, Security, SIR on 23 Oct 2011 by Stuart Aston


CF Disclosure Guidance: Topic No. 2 – Cybersecurity

I would have completely missed this if it wasn’t for a colleague who spotted it; she described it as “This is the single largest announcement in cyber security in 10 years”…

And she is right to do so; this fundamentally changes the behaviour of companies in relationship to security.

By getting companies to report incidents and assert a value associated with the loss, it puts Cyber Security on the agenda of the board, which is where it should have been for the last decade at least.

It enables investors to make choices based upon reported incidents, and determine whether a company is a wise investment as a result in comparison to its peers.

Well done SEC… now maybe the customers will do security updates in a timely fashion, and take user education about security seriously as an investment in investor confidence. 

It will be interesting to see how they report and what mitigations they start to take. In our latest Security Intelligence Report we note that of the most common attacks we see, most do not use a 0-day and can be mitigated with simple maintenance, and that just under half require some level of user interaction. Hopefully this will put both patch management and user training on the board agenda of all publicly traded companies.


Windows 7, the safest Microsoft operating system yet…

Posted in Government, Security, UK on 18 Dec 2010 by Stuart Aston


CESG recently said of Windows 7 that it was “the safest version of a Microsoft operating system” and “encouraged Her Majesty’s Government to adopt Windows 7 when choosing a Microsoft Operating system”.

As some of you may know, we work with CESG to produce a best practice framework for configuring Windows 7 for its use within UK Government. We call this guidance the Government Assurance Pack (GAP), and it is made freely available to all UK government departments via CESG. It does not require the use of expensive third party software and builds on Microsoft’s investments in developing secure code (SDL) and features like AppLocker, Group Policy, ASLR, DEP, x64, etc… to provide a low impact, supportable security configuration for UK government’s use.

The approach of the GAP is to utilise the basic features of the operating system to provide a common starting point in making risk management decisions, from a “default deny” perspective. In doing so it allows business owners to make a positive risk management decision between the use of a particular feature or application and the business requirement for its use.
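As an added illustration of the “default deny” starting point described above (an example written for this page, not the GAP itself, whose content is distributed by CESG): an AppLocker executable rule collection that allows ordinary users only the Windows and Program Files locations, allows local administrators everything, and is first deployed in audit mode so that business owners can see what would be refused before enforcing. The output file location, the rule names and the explicit deny for the user-writable Windows\Temp folder are this example’s own assumptions.

```powershell
# Constructed AppLocker policy illustrating a "default deny" starting point:
# once the collection is enforced, anything not matched by an Allow rule is refused.
# Rule Ids are freshly generated GUIDs; names and the Temp deny rule are this example's own.
$ids = 1..4 | ForEach-Object { [guid]::NewGuid().ToString() }

$policy = @"
<AppLockerPolicy Version="1">
  <!-- AuditOnly first: decisions are logged, nothing is blocked yet -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$($ids[0])" Name="Everyone: Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[1])" Name="Everyone: Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <!-- Tighten the broad Windows allow: a user-writable subfolder is denied explicitly -->
    <FilePathRule Id="$($ids[2])" Name="Everyone: deny Windows\Temp" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <!-- Local Administrators (S-1-5-32-544) may run anything -->
    <FilePathRule Id="$($ids[3])" Name="Administrators: all files" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'gap-style-applocker.xml'   # assumed location
Set-Content -Path $policyPath -Value $policy -Encoding UTF8

# Dry run: ask AppLocker how this policy would treat some constructed sample paths
# for Everyone. Program Files -> Allowed, Downloads -> DeniedByDefault,
# Windows\Temp -> Denied (the explicit Deny wins over the Windows Allow).
$samples = 'C:\Program Files\Vendor\app.exe',
           'C:\Users\alice\Downloads\setup.exe',
           'C:\Windows\Temp\dropped.exe'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Enforcement is a separate, deliberate step (elevated shell, Application Identity
# service running). Review event 8003 ("would have been blocked") in the
# Microsoft-Windows-AppLocker/EXE and DLL log first, then change EnforcementMode
# to "Enabled" in the XML and apply it with:
# Set-AppLockerPolicy -XmlPolicy $policyPath
```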

In addition, Microsoft BitLocker and BitLocker to Go can be used by UK Government departments to protect information at rest up to Business Impact Level 3, with appropriate guidance from CESG, which will meet or exceed the requirements for most government users.

Some people have asked why you would do something special for government. I don’t typically go to work wearing a hard hat and safety boots, but I know that in certain environments it is appropriate to wear them. Windows is a general purpose operating system, and while it is secure by design, by default and in deployment, government in general faces a higher level of risk than most consumers and even enterprises, and so it is appropriate to take additional measures to mitigate those risks. The measures we use are built into the operating system, though they are regarded as a configuration not generally required by most businesses and consumers; the advantage this gives is that the GAP configuration is fully supported.

The GAP was created in conjunction with CESG and with Microsoft’s Security Centre of Excellence, a true joint effort between government and industry. If you are a UK government department requiring information on the use of Windows 7, please contact your CESG representative for more details.

Home Office does u-turn on Internet Explorer 6 – Will this become a domino effect? | TechEye

Posted in Government, Home Office, Internet Explorer, Security Updates, UK on 1 Nov 2010 by Stuart Aston


The Home Office has made an important step forward here, and should be applauded for committing to move from IE6 to IE8, and I hope that other departments follow suit.

The challenge of course is that any software component needs to be maintained and updated, and kept on the latest version, to maximise the assurance that one can place in software.

The advantage of having the capability to keep software current also produces other business benefits beyond the assurance and reliability of the software in question. It also enables the IT organisation to rapidly make changes to support business needs. New applications can be deployed more rapidly and updated using the same kinds of infrastructure investment, changing a “defensive” investment into one that promotes genuine agility in an organisation.

Staying “current” and staying updated is probably one of the most important tools that a security professional can use in mitigating the potential threats that are present in the internet today.
