Tuesday, 29 October 2019

Passwords or Passphrases? Being More Secure Online

Written by Adrien Souyris 

"Sorry, your password must be at least 8 characters long, contain a capital letter, a number, a special character, an inspiring message, a spell, a gang sign, a hieroglyph and a quantum mechanics equation"

There are three main methods of proving your identity online: 
  • Through something you have (for instance, a smartcard)
  • Through something you are (entering the realm of biometrics here)
  • Through something you know (usually a password)

The last of these is the most widely used means of authentication, being the cheapest to implement and manage. However, passwords introduce a significant problem:

  • A strong password which is difficult to guess, typically at least 8 characters long, containing upper case, lower case, a number and a symbol, and being a phrase rather than a single word, will be difficult to remember
  • A simple password which is easy to remember, because it is short, follows a simple pattern, or is a single word, will be easily guessed by an attacker
  • Writing down a password turns it into "something you have" and makes it vulnerable to theft or copying

Passwords are one of the weakest ways of authenticating yourself, but there are a couple of neat tricks to secure your accounts while making your life easier. 

Multi-factor authentication 

Authentication can be achieved by using one of the five authentication factors; multi-factor authentication (MFA) simply makes use of two or more of them at once. But how can we make this work in a simple manner? Well, nearly anyone can authenticate using "something they have".

MFA for mobiles works by asking for a second, six-digit, one-use password each time you log in to your account.

This password is either: 

  • Received by text message
  • Generated by a smartphone app (such as Google Authenticator)

So, if a cyber criminal attempts to hack your account, they will be unable to access your data without your phone. Google, Amazon, and social media accounts support MFA.

Password managers

Instead of writing down passwords, there is one tool used for remembering strong, complex, lengthy passwords: password managers.

These applications act as a secure notebook for your credentials. With a password manager, you can use more complex passwords such as @p:[^U5w}cAvA<b4>^G+. The only password you need to remember is a strong one for your ‘notebook’. Most of these managers can automatically log you in on any website you return to, and the majority can also be protected using MFA.

Use passphrases 

When password managers are not an option, an alternative to re-using credentials or having weak passwords is to use passphrases. Passphrases are usually quotes, expressions, or any memorable series of words. Passphrases lack complexity but are longer, making them easier for you to remember but harder for hackers to crack!  
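The "longer beats more complex" claim can be checked with arithmetic: the strength of a randomly generated secret is `length * log2(pool size)` bits. The block below is an added example, not part of the original post. It compares an 8-character password drawn from the 94 printable ASCII characters with a passphrase of words drawn from a 7776-entry diceware-style list (the list size is assumed; the eight sample words embedded here are constructed and only illustrate the generator). The guess rate used for the crack-time estimate is also an assumption.

```python
import math
import secrets

PRINTABLE_ASCII = 94          # upper, lower, digits and symbols on a US keyboard
DICEWARE_LIST_SIZE = 7776     # 6^5 words, the size of a standard diceware list

# Constructed sample list; a real generator would load the full 7776-word list.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for a secret chosen uniformly at random: length symbols
    from a pool of pool_size. Only valid for *random* choice; a famous quote
    has far fewer bits than its word count suggests because it is guessable."""
    return length * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def compare(password_len: int = 8, words: int = 5,
            guesses_per_second: float = 1e10) -> dict:
    """Random printable-ASCII password vs random diceware passphrase.
    Returns bits for each and the expected crack time at the assumed rate."""
    pw_bits = entropy_bits(PRINTABLE_ASCII, password_len)
    pp_bits = entropy_bits(DICEWARE_LIST_SIZE, words)
    return {
        "password_bits": round(pw_bits, 1),
        "passphrase_bits": round(pp_bits, 1),
        "password_seconds": expected_crack_seconds(pw_bits, guesses_per_second),
        "passphrase_seconds": expected_crack_seconds(pp_bits, guesses_per_second),
    }


def random_passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Generate a passphrase with a CSPRNG; strength is words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    result = compare()
    print("8-char random password:", result["password_bits"], "bits,",
          round(result["password_seconds"] / 86400, 1), "days at 1e10 guesses/s")
    print("5-word random passphrase:", result["passphrase_bits"], "bits,",
          round(result["passphrase_seconds"] / (86400 * 365), 1), "years at 1e10 guesses/s")
    print("sample passphrase:", random_passphrase(5),
          "(only", round(entropy_bits(len(SAMPLE_WORDS), 5), 1), "bits from the tiny sample list)")
```

The comparison only holds when the words are chosen at random from the list; the function names this assumption because the page's "quotes and expressions" are memorable precisely because other people know them too.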

Thursday, 17 October 2019

ISO / IEC 27001 | Gaining Your Competitive Advantage

Written by Steve Giachardi

There are many benefits to your organisation aligning or certifying to business standards: documenting that you have strong governance in place, ensuring that you are adopting best practice, and demonstrating that you take security seriously, to name a few. In this article we will discuss the benefits of aligning and certifying to ISO/IEC 27001.

Deriving from the Greek word Iso, meaning equal, ISO/IEC 27001 is now widely recognised as the de facto standard for information security, controlled by the governing body, the International Organisation for Standardisation.

There are 31,910 organisations globally that are ISO/IEC 27001 certified, with 2,444 in the UK and 9,111 in America alone. So, why are so many organisations choosing to certify to ISO/IEC 27001?

Good governance, best practice, strong controls, and maturing as an organisation are all important and admirable objectives, but perhaps the greatest benefit is in fact a commercial one. Information and cyber security are common boardroom topics, that often filter down into what organisations demand from their suppliers. This is particularly true, but not limited to, financial services, pharmaceuticals and any industry that is highly regulated or that has valuable assets to protect, such as customer data or intellectual property.

Demonstrating that you take information security seriously, as a potential new supplier, can ultimately mean the difference between winning or losing your next tender process.        

ISO/IEC 27001 Overview

This article discusses ISO/IEC 27001, its purpose and its benefits: the specification and requirements of the standard, the specification and requirements of an ISMS (information security management system), and the issues an ISMS faces.

ISO/IEC 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005 and is published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for, and recognised as a best practice framework for, an ISMS. Organisations meeting the standard may gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process. Organisations will meet information security standards by aligning to ISO/IEC 27001, making them likely to win more business, especially from enterprise organisations.

International information security standards

ISO/IEC 27001:2013 specifies 114 controls in 14 groups:
  • A.5 - Information security policies
  • A.6 - How information security is organised
  • A.7 - Human resources security - controls that are applied before, during, or after employment
  • A.8 - Asset management
  • A.9 - Access controls and managing user access
  • A.10 - Cryptographic technology
  • A.11 - Physical security of the organisation's sites and equipment
  • A.12 - Operational security
  • A.13 - Secure communications and data transfer
  • A.14 - Secure acquisition, development, and support of information systems
  • A.15 - Security for suppliers and third parties
  • A.16 - Incident management
  • A.17 - Business continuity/disaster recovery (to the extent that it affects information security)
  • A.18 - Compliance - with internal requirements, such as policies, and with external requirements, such as laws.

ISMS Requirements

The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements".

27001:2013 has ten short clauses, plus a long annex, which cover:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organisational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives.

This structure mirrors the structure of other new management standards such as ISO 22301 (business continuity management); this helps organisations who aim to comply with multiple standards to improve their IT from different perspectives.

Information Security Management System

An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The term arose primarily out of BS 7799.

The governing principle behind an ISMS is that an organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organisation and external environment. ISO/IEC 27001:2013 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
  • The Do phase involves implementing and operating the controls.
  • The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
  • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

ISO/IEC 27001:2013 is a risk-based information security standard, which means that organisations need to have a risk management process in place. The risk management process fits into the PDCA model given above.

Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, Risk IT, dedicated to information security.

The development of an ISMS framework based on ISO/IEC 27001:2013 entails the following six steps:
  1. Definition of security policy
  2. Definition of ISMS scope
  3. Risk assessment (as part of risk management)
  4. Risk management
  5. Selection of appropriate controls
  6. Statement of applicability

ISMS Requirements

To be effective, the ISMS must:
  • have the continuous, unshakeable and visible support and commitment of the organisation’s top management
  • be managed centrally, based on a common strategy and policy across the entire organisation
  • be an integral part of the overall management of the organisation related to and reflecting the organisation’s approach to risk management, the control objectives and controls and the degree of assurance required
  • have security objectives and activities based on business objectives and requirements and led by business management
  • undertake only necessary tasks, avoiding over-control and waste of valuable resources
  • fully comply with the organisation's philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, enables them to do it under control and to demonstrate that they have fulfilled their accountabilities
  • be based on continuous training and awareness of staff and avoid the use of disciplinary measures and “police” or “military” practices
  • be a never-ending process

Dynamic Issues In ISMS

There are three main problems which lead to uncertainty in information security management systems (ISMS):

  • Dynamically changing security requirements of an organisation
Rapid technological development raises new security concerns for organisations. The existing security measures and requirements become obsolete as new vulnerabilities arise with the development in technology. To overcome this issue, the ISMS should organise and manage dynamically changing requirements and keep the system up to date.

  • Externalities caused by a security system
Externality is an economic concept for the effects borne by the party that is not directly involved in a transaction. Externalities could be positive or negative. The ISMS deployed in an organisation may also cause externalities for other interacting systems. Externalities caused by the ISMS are uncertain and cannot be predetermined before the ISMS is deployed. The internalisation of externalities caused by the ISMS is needed in order to benefit internalising organisations and interacting partners by protecting them from vulnerable ISMS behaviours.

  • Obsolete evaluation of security concerns
The evaluations of security concerns used in ISMS become obsolete as the technology progresses and new threats and vulnerabilities arise. The need for continuous security evaluation of organisational products, services, methods and technology is essential to maintain an effective ISMS. The evaluated security concerns need to be re-evaluated. A continuous security evaluation mechanism of ISMS within the organisation is a critical need to achieve information security objectives. The re-evaluation process is tied with the dynamic security requirement management process discussed above.


Is ISO/IEC 27001 accreditation for everyone? Perhaps not. But if your business is serious about reducing risk, and is looking for an effective way to assess the risks in your business (Plan), implement controls to measure that risk (Do), use these to benchmark ongoing performance (Check), and continuously review the ISMS as the business changes over time (Act)? Yes, absolutely.

An ISO journey may seem like a big undertaking but, for most, the benefits far outweigh the initial investment, and the journey to accreditation can be surprisingly short. Rarely is there a better opportunity to drive cultural change in a business and, not only that, one that leads to both a mature information security posture, as well as your business’s next big competitive advantage.  

Tuesday, 10 September 2019

Security Metrics: Persuading and Influencing the Board

Written by Chris Jeffers

The Importance of Security Metrics

A few years ago, I attended a meeting with senior management reviewing several security related initiatives. I was prepared as I knew I’d be asked to provide rationalization for these new projects. I talked through my justification process by first identifying the problem, then the need to address this problem, and finally how this new solution would resolve it. All was going as planned until one of them asked the question, “How will this align with the organization’s business initiatives?”.  Before I could answer, another senior leader asked me “Chris, how do we know what’s currently deployed is keeping us secure?”.

My first thought was you have to be kidding! I don’t have time and what’s the point? There’s a new story every day about a data breach and an organization’s data getting encrypted because a user clicked on a ransomware email; we should purchase the solution and get it deployed so we aren’t the next organization hitting the headlines - however, I realized that response would get me nowhere; in fact, that response could throw me out the door looking for a new job! The reality was those questions were valid and caused me to start thinking, so I responded by saying I’d get back to them with some answers. Now, I had to figure out how to do just that.

Using Metrics

I understood the primary reason for having these various security tools, processes and staff - to reduce the risks to the organization - but how can I show they’re accomplishing that? How can I provide evidence that illustrates risk is being reduced?

This is achieved by establishing items to measure and produce metrics. The metrics are numerical data that represent what is occurring and provide the means to tell the organization how the risk is being reduced. These metrics are not based on subjective judgment or interpretation, such as using a low, medium or high rating, but rather presented as a percentage or numerical value.

To better understand what these metrics are and some possible data sources, I started out with the following:
  • Anti-virus code and definition versions currently deployed
  • Vulnerabilities discovered in the network and grouped based on CVSS score
  • Monthly incidents
  • Email-related malicious events
  • Days from missing patch discovered to actual deployment

I recognized this as a good starting point, understanding we should have enough initial coverage to illustrate to senior management how we are reducing risk to the business:
  • Collecting the current anti-virus versions and definitions helped to identify whether our updating process was progressing or needed attention
  • Understanding the current vulnerabilities and their severity presented the assets at higher risk
  • The monthly incident data was used to understand the types of security incidents, resources required and realizing how effective the processes and staff were. This helped us to understand the type of additional training needed
  • Email-related metrics were all about understanding whether the organization had been targeted and the effectiveness of our spam filtering and phishing awareness training
  • Reporting metrics on patching would enable us to understand the amount of time it was taking to get the correct patches deployed. From the point of identifying the patch(es) required to the point of their being applied, this was used to track how well the mandated SLAs were being met, as well as the amount of time the asset was left in a higher risk state
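Two of the sources above, vulnerabilities grouped by CVSS score and days from missing patch discovered to deployment, can be turned into the kind of objective numbers the post recommends with a few lines of code. The block below is an added example, not from the original post: it runs over a constructed set of patch records (asset, CVSS score, discovery date, deployment date or none), groups them into the CVSS v3 qualitative severity bands, and reports per band the count, the median days to patch, the percentage of closed items that met the SLA, and how many open items are already past it. The SLA days per band are assumed for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample data, not real findings: (asset, cvss, discovered, deployed or None)
PATCH_RECORDS = [
    ("web-01", 9.8, date(2019, 8, 1), date(2019, 8, 4)),
    ("web-02", 9.8, date(2019, 8, 1), date(2019, 8, 20)),
    ("db-01", 7.5, date(2019, 8, 3), date(2019, 8, 25)),
    ("app-01", 5.3, date(2019, 8, 5), date(2019, 9, 10)),
    ("app-02", 4.0, date(2019, 8, 5), None),
    ("hr-01", 9.1, date(2019, 8, 10), None),
]

# Assumed SLA: maximum days from discovery to deployment for each severity band
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def patch_metrics(records, as_of: date) -> dict:
    """Group records by severity and compute objective numbers as of a reporting date.
    Deployments dated after as_of are treated as still open for that report."""
    by_sev = {}
    for asset, cvss, discovered, deployed in records:
        band = severity(cvss)
        m = by_sev.setdefault(band, {"count": 0, "closed": 0, "open": 0,
                                     "within_sla": 0, "open_beyond_sla": 0, "_days": []})
        m["count"] += 1
        if deployed is not None and deployed <= as_of:
            days = (deployed - discovered).days
            m["closed"] += 1
            m["_days"].append(days)
            if days <= SLA_DAYS[band]:
                m["within_sla"] += 1
        else:
            m["open"] += 1
            if (as_of - discovered).days > SLA_DAYS[band]:
                m["open_beyond_sla"] += 1   # still exposed and already past the SLA
    for band, m in by_sev.items():
        days = m.pop("_days")
        m["median_days_to_patch"] = median(days) if days else None
        m["pct_closed_within_sla"] = (round(100.0 * m["within_sla"] / m["closed"], 1)
                                      if m["closed"] else None)
    return by_sev


def report_lines(metrics: dict) -> list:
    """Plain-language lines suitable for a board slide: numbers, no jargon."""
    lines = []
    for band in ("critical", "high", "medium", "low"):
        m = metrics.get(band)
        if not m:
            continue
        lines.append(
            f"{band.title()}: {m['count']} findings, {m['open']} still open "
            f"({m['open_beyond_sla']} past the {SLA_DAYS[band]}-day SLA); "
            f"median time to patch {m['median_days_to_patch']} days; "
            f"{m['pct_closed_within_sla']}% of fixes met the SLA")
    return lines


if __name__ == "__main__":
    for line in report_lines(patch_metrics(PATCH_RECORDS, date(2019, 9, 15))):
        print(line)
```

Running the same function month after month with a new `as_of` date is what produces the trend the post asks for; the absolute numbers matter less than whether the "open beyond SLA" count and the median are moving in the right direction.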

Advice for Establishing Your Security Metrics

When considering which data sources to use for your security metrics, try to avoid collecting from a source that presents a long and difficult process and attempt to implement an automated method of data collection over a manual process. The issue with the manual approach is it increases the risk of human error and it becomes harder collecting in a timely manner - timely collection being important to allow for current metrics and trending.

Now that you are collecting metrics from meaningful data sources, you need to put together the report to present to senior leadership. In doing so, be sure to follow some basic rules to help make your presentation well received.
  • Be sure you understand your audience and the strategic objectives of the business. Actually, as the one responsible for driving the security direction and operation for the organization, it is imperative that you understand the strategic business objectives. It’s very difficult to have a clear understanding of the risks to the organization without understanding the business and leadership’s tolerance to risk.
  • The metrics data being presented must be relevant and meaningful to senior management.  Avoid using many IT abbreviations, jargon, and expressions which make it hard to understand. Ideally, the metrics should be self-explanatory or, if required, include a straight-forward definition. Consider including colorful, visual graphs which make information easier to absorb than text.
  • Lastly, you want to create a situation that will encourage conversation between yourself and the leaders. The goal is to provide information and insights into how risk is truly being reduced, whilst staying in line with the business’s objectives.


To summarize, security metrics are used for providing evidence that security tools, processes, and people are reducing risk in the organization. The metrics are objective numerical data, presented as a percentage or numerical value. In data collection, an automated process is preferable over a manual process, to avoid the risk of human error and to ensure the process of reporting is efficient. When reporting the findings to leadership, ensure you understand your audience and business objectives, and ensure the insights provided are clear.

Thursday, 22 August 2019

The Life of a GRC Information Security Consultant

Written by Ibraheem Khan

My career in Information Security Consulting began because of three reasons. The first, working with different businesses; learning and understanding how businesses in all sorts of industries operate is fascinating. What does the business specialise in, and what are their most critical assets? Secondly, being able to use the knowledge and skills I have acquired over the years to assist companies with their IT security posture. Thirdly, I really love the travel – a welcome bonus of the job!

Since becoming a consultant I’ve enjoyed other benefits too, such as client satisfaction; receiving positive feedback from clients, particularly from highly qualified and respected individuals, based on the work I undertook is very rewarding.

It’s satisfying recognising the difference I’ve made to an organisation’s information security posture, so observing cultural change through information security awareness and training is another benefit of my role. As time goes on without governance and risk management, organisations generally implement projects and conduct business as usual (BAU) activities through bad habits (even though they have the best of intentions), such as not conducting due diligence on a third party prior to using their systems or sharing data. Observing the smallest of changes, from employees locking their screens when they leave their desks or wearing ID passes within company premises, to asking for assistance with a supplier onboarding, is encouraging to see.

The challenges I’ve observed

Working for various clients has enabled me to take note of challenges most organisations face; regardless of the industry, I have noticed these common themes:

Challenge one: managing the information security risk due to increased connectivity, use of new systems/applications, and operational changes; typically a slow adoption of information security combined with fast development and business growth in a short timeframe.

Challenge two: an increase of risk due to the vast amount of neglected legacy systems and applications which are now embedded in an organisation as critical assets without appropriate operation procedures or plans to migrate to a new version.

Challenge three: profit outweighing security controls. The point of a security control is to protect an asset. However, it is not unusual for some departments to reason that implementing a security control will result in a longer timeframe to reach the end goal, thus losing out on potential business or profits, leading to the idea that not implementing a control is actually better for the business. This ideology is rather dangerous as, without the correct level of security control protecting an organisation’s most valuable assets, the result can be the demise of the organisation.

Challenge four: lack of knowledge around the architecture of an organisation’s network. Most organisations do not have an up-to-date network diagram or a diagram highlighting the security architecture of the estate. Without having current knowledge on the interconnectivity between network, systems, and applications, the chances of being able to identify potential vulnerabilities or understand project scope is greatly reduced.

Challenge five: lack of management around information security in third party suppliers; third party suppliers’ integration and business relationships can be complex, interdependent, sometimes international and evolving. This, with the lack of due diligence around how assets are protected and what assets are provided to a supplier, combined with total reliance on third-party suppliers, has led to more information exchange and consequently an increase in information security risk.

Challenge six: information security culture; changing the culture within fast-paced organisations is an ongoing challenge. Most organisations want quick business changes and quick access to systems, applications, and other forms of information assets. Adopting a new culture which may impact and disrupt the current BAU processes may be considered a hindrance, resulting in rejection.

Overcoming the challenges

When clients ask me to advise on the above challenges, I recommend the following:

1. Develop an information security culture, providing knowledge and awareness to help people understand issues and allow them to take ownership of information security, by:
  • Encouraging employees to be security conscious at home and work
  • Improving employee engagement to manage risk through understanding the potential impact of security incidents or attacks
  • Encouraging the reporting of suspicious activities, reducing misuse of business information or systems, and improving incident response times

2. Develop appropriate information security training and awareness. Ongoing training and relevant information security awareness will provide employees with the knowledge needed to:
  • Reduce risk of security breaches or incidents as employees think and act in a more security conscious way
  • Increase organisational effectiveness through adherence to policy
  • Improve internal communications on information security

3. Understand the confidentiality, integrity and availability of your information assets. Knowing the CIA of your assets allows you to assess where vulnerabilities are and how best to minimise the extent of their exposure, by:
  • Identifying key assets that need protecting to minimise your potential attack vectors
  • Identifying how information is accessed, processed, stored and transferred

4. Take a risk-based approach to understand and manage the risk exposure of your information assets. Taking a risk-based approach will allow you to:
  • Manage your information security exposure through informed risk-based decision making across your systems, organisation and assets
  • Using risk prioritisation, allocate resources efficiently and effectively across your organisation

5. Have governance for information security within your organisation. Effective governance enables organisations to demonstrate commitment to information security, by:
  • Delivering strategic direction through policy, procedures and guidelines to manage information security consistently across the organisation
  • Allocating resources and funds to manage and mitigate information security risk appropriately
  • Influencing information security culture through awareness and positivity

6. Work with third-party suppliers to reduce risk
  • Conduct relevant due diligence on third party suppliers and identify the purpose of each asset and how it shall be managed once in the hands of a supplier
  • Understand the information security risks that a third party supplier introduces, from procurement through to BAU, and how to appropriately manage them

7. Ensure information security measures are applied through the life of your assets and organisational changes by:
  • Ensuring all assets are owned, monitored and identified
  • Identifying poorly managed assets that may impact the organisation’s BAU operations

8. Prepare for and manage information security incidents. Having an information security incident response capability will allow you to minimise the effects of incidents.
  • Have adequate threat intelligence to respond appropriately to information security incidents
  • Include learning from events or incidents for improvement of plans
  • Conduct incident tests to identify areas for improvement and capitalise on them


Being an Information Security Consultant is a challenging but engaging role. This article summarises why it’s thoroughly enjoyable, some of the common challenges I’ve seen and how to start addressing them. I have been able to do what I enjoy on a day to day basis, working with and meeting some amazing businesses and clients.

Who knows, I may have the opportunity to work with you one day.