Category Archives: Data policy

Banking on Hybrid Cloud: Some Top Security Tips

by Bharat Mistry

A new Wall Street Journal news story this week claims that Amazon Web Services is beginning to make headway in the banking sector. If it’s true it’ll be a major breakthrough for the public cloud provider in an industry which has long been too risk averse and highly regulated for its brand of multi-tenant cloud computing. What the piece doesn’t mention explicitly is that if the notoriously conservative financial services industry is signing up to the public cloud, it’s most likely to be as part of hybrid deployments.

Yet even with a mix of private and public cloud installed to limit risk, organisations must remember that cloud computing brings with it a whole new set of security and management challenges. Forward planning, as always, is everything.

Time for Change: Europe’s New Data Protection Regime is Almost Here

by Bharat Mistry

They must have put something in the water round the EU negotiating table this month. Barely a week after a landmark deal was agreed to implement the Network and Information Security (NIS) Directive, the European Parliament and Council have cleared the way for an imminent final agreement on the much-anticipated EU General Data Protection Regulation (GDPR). As it stands, the new region-wide law will have a major impact on the way UK organisations handle and protect their customers’ data.

The message for CISOs is clear: it’s time to get serious about compliance plans.

Europe’s New Security Law: CISOs Can Take on NIS and Win

by Bharat Mistry

It’s been a long time coming, but Europe finally looks set to get a harmonized cyber security law fit for the 21st century. On Monday, MEPs and the Council of Ministers agreed on the wording of the Network and Information Security Directive (NIS). It promises to mandate that “operators of essential services” take “appropriate” security measures, and that any breaches are notified to the authorities.

The proposed directive will be overwhelmingly positive in the long run – for improving Europe’s information security, information sharing and incident response. But it also signals the start of an intensely busy time for CISOs all over the region as they scramble to meet a whole new set of requirements.

A long time coming

NIS has been several years in the making. Over that time we’ve never experienced a truly catastrophic IT-related critical infrastructure security incident. But the warning signs are there. Nation states, financially motivated cybercriminals and hacktivists all have the tools at their disposal to launch successful targeted attacks aimed at disrupting operations, or stealing valuable IP and customer information. Then there are the incidents that come from human mistakes and technical failures. EU NIS agency ENISA estimates these combined threats result in annual losses of around €260-€340 billion (£189-£247bn).

The financial services sector is perhaps the most regularly targeted by hackers, given the wealth of sensitive data it holds. But others are at risk too. That’s why the NIS directive aims to improve security standards among essential operators in the energy, transport, banking, financial, health and water supply sectors, alongside some providers of online marketplaces, search engines and cloud platforms. Smaller firms will be exempt, although the details are still being worked out.

What happens next?

  • The provisionally-agreed text needs to be formally approved by Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives
  • Member states will then have 21 months to implement the Directive into national laws
  • Member states will also have to identify concrete “operators of essential services” from these sectors
  • A “strategic cooperation group” will be set up to exchange info and best practices, draw up guidelines and help member states with “cybersecurity capacity building”
  • A network of Computer Security Incident Response Teams (CSIRTs) will be set up to co-ordinate responses to cross-border and internal threats
  • Data breaches will have to be reported to the relevant public authorities

As with any kind of proposed legislation, the devil is in the detail. But it’s likely that NIS will apply to a large swathe of organisations in the sectors mentioned above. The question CISOs must ask themselves now is “do I have an appropriate level of security in place?” In many cases, breach detection, response and reporting will need to improve. The very fact that notifications are to be mandated will focus CEO minds on data security. This is in combination with the European General Data Protection Regulation, which is mooting fines of up to 5% of revenue for serious infractions.

Cyber security has never had a higher profile at a European policy-making level, and boards will also be forced to raise it up their agendas. This will mean more work, but also potentially more resources, for the under-pressure CISO. The message is simple: start planning now to ensure you’re not left with too much to do come deadline day.


The Clock’s Ticking: How to Stay Secure on Windows Server 2003 After July

by Ross Dyer

July 14th represents another major date in the calendar for IT professionals across the globe: the official end of Microsoft support for Windows Server 2003. We’ve been here before, of course, most recently with Windows XP. But despite having had over a year to prepare, the likelihood is that, come July, many organisations will still be running a major piece of software for which security updates are no longer available. There might be good reasons for doing so, but without taking the proper precautions first, businesses could unwittingly advertise themselves to cyber criminals as an attractive target for attack.

That’s why we are recommending our Deep Security platform as the best way of ensuring that Windows Server 2003 End-of-Life (EoL) doesn’t become the biggest security threat of 2015.

The problem with EoL

There are many reasons why firms will still be running the 12-year-old server OS after July 14. It won’t all be down to poor planning. Some may have run out of budget or resource and need to wait before migrating. Others may have found that mission critical applications and hardware running on top of the platform aren’t compatible with upgraded versions – further delaying and complicating matters.

Yet with some estimates putting the number of Windows Server 2003 machines out there at 10 million globally at least, there will be enough exposed companies to attract the attention of the black hats. Without adequate security measures to shield systems against attack, firms are at risk from new exploits targeting vulnerabilities in the OS for which Microsoft is no longer producing patches. It’s not inconceivable that the bad guys are already working on and storing up new zero day exploits until after July 14, when they can deploy them for maximum effect.

The end result for UK firms could be catastrophic data loss, with all the attendant clean-up and remediation costs, financial penalties, damage to brand and shareholder value, customer losses and legal costs. Firms could also find themselves on the wrong end of industry regulators if they fail to keep systems and security fully up-to-date, while operational costs could soar thanks to increased downtime.

Deep Security to the rescue

No organisation is the same, and many will have their own reasons for staying with Windows Server 2003 after July 14. But Trend Micro’s advice is to start planning your migration ASAP – no matter how difficult that path may be. Staying on an unsupported platform indefinitely is a risk manager’s nightmare. And given that major upgrades like this can take over 200 days, the sooner you start, the better.

But in the meantime there are things you can do to minimise risk and protect key systems from attack.

Trend Micro Deep Security features intrusion detection and prevention (IDS/IPS) technology designed to shield system vulnerabilities before they can be exploited by attackers. These so-called virtual patching capabilities will help organisations stay secure until they are ready to migrate off unsupported systems like Windows Server 2003, reducing costs and improving compliance efforts in the process. What’s more, Deep Security also provides integrity monitoring so that administrators can spot and stop any unauthorised changes to end-of-life systems where there shouldn’t be any.

With Deep Security you can:

  • Protect your organisation against any new vulnerabilities exploited post-July 14, including zero day attacks
  • Detect any malicious changes to the system, thus speeding your response to a cyber attack
  • Smooth the migration path off Windows Server 2003 to newer, more secure systems
  • Surmount any compliance challenges such as PCI DSS 3.0
  • Patch business apps at your own pace, reducing costs and downtime
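The integrity monitoring mentioned above rests on a simple idea: record a trusted baseline of what is on the box, then compare later snapshots against it and raise every unexpected difference. The script below is an added illustration of that idea and is not Deep Security code or any Trend Micro code. It hashes every file under a directory, stores the baseline as JSON, and on a later pass reports files that were added, removed or modified, skipping paths that are expected to change (log files, in this example). The directory tree, file names and contents in `demo()` are constructed for the example; the `system32` folder and `.dll` names are placeholders standing in for whatever an administrator chooses to watch on a frozen end-of-life host.

```python
"""Minimal file-integrity monitor: baseline a directory tree, then detect
added, removed and modified files on a later pass.

Added example of the integrity-monitoring idea described in the post; this is
not Deep Security's implementation.  All sample files are constructed here."""
import fnmatch
import hashlib
import json
import os
import tempfile


def _sha256(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, exclude=()):
    """Map each regular file under root (path relative to root, '/' separated)
    to (sha256, size, permission bits).  Relative paths matching any glob in
    `exclude` are skipped so files that legitimately change (logs, spool
    directories) do not drown the real signal."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, pat) for pat in exclude):
                continue
            st = os.stat(full)
            result[rel] = (_sha256(full), st.st_size, st.st_mode & 0o777)
    return result


def serialize(snap):
    """Baseline as JSON text; store this somewhere the monitored host cannot rewrite."""
    return json.dumps(snap, sort_keys=True)


def deserialize(text):
    """Inverse of serialize: JSON turns tuples into lists, so restore tuples."""
    return {path: tuple(entry) for path, entry in json.loads(text).items()}


def diff_snapshots(baseline, current):
    """Return the changes between two snapshots as three sorted lists of paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the constructed sample tree."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed tree, baseline it, simulate drift, and report it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample contents; names are placeholders, not real binaries.
        _write(root, "system32/kernel.dll", b"original kernel bytes")
        _write(root, "system32/ntdll.dll", b"original ntdll bytes")
        _write(root, "app.log", b"startup\n")

        baseline_json = serialize(snapshot(root, exclude=("*.log",)))

        # Simulated drift on an end-of-life host where nothing should change:
        _write(root, "system32/kernel.dll", b"tampered kernel bytes")   # modified
        _write(root, "system32/unexpected.dll", b"dropped file")        # added
        os.remove(os.path.join(root, "system32", "ntdll.dll"))          # removed
        _write(root, "app.log", b"startup\nmore log lines\n")           # excluded noise

        current = snapshot(root, exclude=("*.log",))
        return diff_snapshots(deserialize(baseline_json), current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points matter when doing this for real rather than in a demo: the baseline must be taken from a known-good state and kept where the monitored host cannot overwrite it, and the exclusion list should be as short as you can make it, because every excluded path is a place where a change will go unnoticed.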

For more information visit: http://www.trendmicro.co.uk/business/windows-server-2003-end-of-life/index.html