Tag Archives: IT security

Visibility is vital if we are to improve safety and trust in open source software

When it comes to securing open source software, visibility and transparency are vital, writes Vivian Dufour, CEO of Meterian, and when a vulnerability is discovered the ability to respond quickly saves time, resource – and reputations.

Recent high-profile cyber security incidents have reinforced the importance of cleaning up the open-source software supply chain. From Heartbleed to the Apache Software Foundation’s Log4j vulnerability, these highly publicised incidents have exposed the threats associated with open-source software.

They have galvanised a range of responses at national and international level, and even prompted the White House to convene an Open Source Software Security Summit in January, attended by leaders from global technology companies including Google, Meta, Apple, and Cisco.

The gathering may have been precipitated by the Log4Shell vulnerability, but the wider context was clear. How do we ensure source code, build, and distribution integrity to achieve effective open-source security management?

Open source under the microscope

Technology companies have been using open source for years. It speeds up innovation and time to market, but it also brings unique security challenges. Ongoing security maintenance is carried out by a community of dedicated volunteers. Yet these security incidents have demonstrated that open source is so ubiquitous that no company can blindly continue in business-as-usual mode.

Apache Log4j is an example. Used in software and security applications across the world, the zero-day vulnerability in the library sent shockwaves across organisations as security teams scrambled to patch the flaw. Left unfixed, it meant potential attackers could break into systems, causing untold damage, not least to brand reputations.

Improving safety and trust when speed is of the essence

However, how do you quickly patch what you don’t know you have? If we are to increase safety and trust in software, we must improve transparency and visibility across the entire software supply chain.

Companies should be able to automatically identify the open-source components they use in order to monitor and manage the security risk from publicly disclosed vulnerabilities. A software bill of materials (SBOM) should be the minimum for any project or development. Without such visibility of all component parts, security teams cannot manage risk and will be unaware of, and potentially exposed to, dangers lurking in their software.
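As an added example (not code from the article or from Meterian), the following Python shows the kind of check that paragraph describes: it parses a constructed CycloneDX-style SBOM fragment, compares each component version against a constructed advisory list (placeholder advisory id, half-open version ranges), and reports the components that fall inside an affected range.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment (not from the article); only the
# fields needed for matching are included.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"}
  ]
}
"""

# Constructed advisory feed keyed by (group, name); each range is half-open,
# [introduced, fixed). The id is a placeholder, not a real advisory number.
ADVISORIES = {
    ("org.apache.logging.log4j", "log4j-core"): [
        {"id": "ADV-PLACEHOLDER-1", "introduced": "2.0", "fixed": "2.15.0"},
    ],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version ('2.14.1') into a comparable tuple.
    Non-numeric suffixes (e.g. '-beta') are ignored in this simple check."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_affected(sbom_json: str, advisories) -> List[Dict[str, str]]:
    """Return one record per (component, advisory) pair whose version range matches."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        key = (comp.get("group", ""), comp["name"])
        for adv in advisories.get(key, []):
            if affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append({"name": comp["name"], "version": comp["version"], "advisory": adv["id"]})
    return hits

if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{hit['name']} {hit['version']} is affected by {hit['advisory']}")
```

A real pipeline would feed the SBOM from the build and the advisory ranges from a vulnerability database, but the matching logic is the same.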

Innovating securely

Organisations can and should take advantage of the many benefits that open-source software can deliver, but they must not do so blindly.

Now is the time for organisations to implement integrated and automated tooling that gives them comprehensive risk control over the components in their open-source software supply chain. Only by increasing visibility, coverage of known unknowns and transparency can companies stay one step ahead.


Armour Comms wins Queen’s Award for Enterprise: International Trade 2021

Cyber-security firm wins highest industry accolade for Secure Communications technology

Armour Comms, a supplier of UK Government and NATO approved solutions for secure communications including voice, video, messaging and data, has been awarded a prestigious Queen’s Award for Enterprise: International Trade 2021. The award was made for outstanding short-term growth in overseas sales over the last three years.

Established in 2015, Armour Comms is one of only 112 organisations nationally to be recognised with a Queen’s Award for Enterprise: International Trade this year. Armour Comms technology provides the convenience and usability of consumer-grade apps with the enterprise- and government-grade security features professional users require to protect sensitive information and maintain privacy. Armour technology provides a highly secure mobile communications platform in which every element of data, including metadata, can be controlled.

David Holman, Director and co-founder of Armour Comms, said: “The whole team at Armour are honoured to have been selected for a Queen’s Award and I know our many customers around the world will share our excitement at this recognition. It is the highlight for us of a busy 12-month period where many organisations moved to remote working and therefore required more robust security for their home workers.

“During the pandemic cyberattacks have increased significantly, generating an awareness that security for mobile workers is incredibly important because it presents such a large attack surface. By combining the usability of consumer-grade apps with the enhanced security required for business use, our products provide the assurance required when sharing sensitive information of all kinds and maintaining privacy, even in the most challenging of environments.”

Armour Comms supplies the secure communications solutions of choice for governments, banks, defence and law enforcement, financial services, legal and healthcare organisations, as well as family offices, ultra-high-net-worth individuals and journalists operating in unfriendly regimes.

This short video explains how the Armour technology works: https://www.youtube.com/watch?v=lufP-IUckhE


CySure Services helps Trading System Support meet stringent UK Government Cyber Essentials certification

Independent global provider and maintainer of trader-voice systems secures information security CE certification critical for client business

Cyber security specialist CySure Services Limited worked with Trading System Support (TSS), an independent global provider and maintainer of trader-voice systems, providing consultancy to help it achieve Cyber Essentials (CE) certification, the UK Government assurance scheme for information security. Cyber Essentials is operated by the National Cyber Security Centre (NCSC) and encourages organisations to adopt good practice in information security. CySure provided TSS with guidance on the policies, procedures and training required to meet the standard. Achieving CE certification enables TSS to assure clients that it has systems and processes in place to mitigate the risks of potential cyber-attacks and threats to customer data.

Bryan Erazo, Project Manager at Trading System Support said, “The Cyber Essentials programme underpins our systems and services and is critical to our business. It demonstrates that we take safeguarding our customers’ data very seriously and gives our clients peace of mind knowing TSS staff, processes and information systems are certified to government standards. The guidance provided by CySure was invaluable. The requirements to achieve certification are detailed and rigorous and the CySure team helped us to navigate successfully through the complexities outlined in the governance.”

Guy Lloyd, Director of CySure Services added, “Cyber security has become a fundamental component of business operations. In a recent government report on Cyber Security Skills in the UK[i] it was highlighted that nearly 50% of companies lack staff with the technical, incident response and governance skills needed to manage their cyber security.

“Often those in charge of cyber security do not have the confidence to carry out the kinds of tasks outlined in the Cyber Essentials scheme. At CySure we have extensive experience in helping guide companies like TSS through the complex safety procedures and protocols outlined in the governance, to put processes in place and train staff to achieve the certification.”

Cyber Essentials aims to provide businesses with a structured framework and a continuous process that implements the minimum standards needed to deflect most common cyber-attacks. Being fully CE compliant mitigates many of the risks businesses face, including malware infections, cyber-attacks and hacking. CySure’s Cyber Security Policy Manager (CSPM) provides an end-to-end view, guidance and oversight of an organisation’s cyber-security policies, processes and procedures.

Guy Lloyd: The ugly truth – the real cost of cyber breaches to SMEs

Cyber security preparedness is more than a nice-to-have; an SME’s survival can depend on it. Guy Lloyd at CySure explains why.

Small and medium-sized enterprises (SMEs) rarely trigger national headlines for breaches in data security and compliance, not because they aren’t a target but because the monetary impact is small compared to the big corporations. However, breaches are all too common, and while the cost of cyber breaches to SMEs, including the impact on business operations, remediation work and resultant fines, may not run into millions, it can do untold damage. SMEs are agile and lean in their business operations, so unbudgeted costs can severely impact finances.

Such is the concern about the UK economy’s resilience to cyber attacks that the UK Government recently commissioned a study[i] to analyse the cost of cyber breaches. It found that organisations are being hampered from managing and mitigating cyber risks by a lack of transparency, awareness and understanding of the costs. UK businesses tend to overlook indirect and long-term costs when assessing the impact of a cyber breach. This leaves organisations woefully unprepared for the financial impact, which, in the most extreme cases, can spell the end of the business. SMEs in particular are most likely to underestimate the costly impact of non-compliance with cyber security breach-related laws and regulations, leaving them unprepared for any potential fines.

Bumper year for cyber crime

The Coronavirus pandemic has provided cyber criminals with fertile ground to execute scams and reap a bounty of riches. Attacks designed to steal valuable company and customer information have skyrocketed in 2020. Interpol[ii] reported that in a four-month period some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs, all related to COVID-19, were detected. With many of us working or schooling from home, our concentration levels have been tested to the max. When under pressure and distracted it is easy to click on a phishing email or unknowingly visit a scam website. The rush to remote working has opened up opportunities for hackers, and any company with lax security measures makes easy pickings.

Work smarter, not harder

In today’s GDPR world no company can afford to be naïve or negligent about regulatory compliance. Cyber Essentials is the UK Government-backed scheme that aims to help organisations protect themselves against common cyber threats. It offers organisations a way to demonstrate to customers and suppliers a commitment to cyber security and data protection by achieving an accredited and registered certification standard. It lays the foundation for developing policies and procedures to mitigate threats that can impact business operations.

Getting started can seem daunting but achieving certification doesn’t have to be. Using an online compliance risk management system that incorporates GDPR and Cyber Essentials Plus is a simple and cost-effective way to achieve certification. SMEs should look for a solution that can guide them through a gap analysis to highlight the business areas to focus on.

Cyber security doesn’t need to be complex, costly or confusing. A low cost, simple set of actions as defined in Cyber Essentials can go a long way to protect against common attacks.

Preparedness in uncertain times

Business confidence comes from understanding the risks involved and from knowing that, should the worst happen, it is possible to keep calm and carry on. Being certified under a credible scheme provides the assurance that SMEs can demonstrate their commitment and attention to bolstering cyber defences.

Uncertain times can hit when we least expect them, but the benefit of certification, with help from an information security management system (ISMS), is knowing your business is prepared. Now more than ever we should be celebrating business resilience and preparedness.

[i] Analysis of the full cost of cyber security breaches (UK Government report)
[ii] Interpol report shows alarming rate of cyberattacks during COVID-19