Issue June 2009

Welcome to the latest edition of BH Consulting's Security Watch Newsletter.   In this month's issue we provide updates on what has been going on at BH Consulting and some insights into the latest news in the world of information security.


About BH Consulting
BH Consulting was founded in answer to demand for an independent consulting firm that assists clients in gaining a competitive edge by achieving IT operational excellence in deploying, managing and securing their IT infrastructure. With over 20 years' experience, we provide you with access to in-depth expertise, experience and technical know-how. Backed by our quality processes and commitment to deliver, BH Consulting provides clients with quality solutions at cost-effective rates.

BH CONSULTING NEWS

BH Consulting Achieves ISO 27001 Certification
Following an independent audit of our Information Security Management System by Certification Europe, BH Consulting has been certified to the ISO 27001:2005 Information Security Standard.  (Strictly, a company is certified against ISO 27001; accreditation is what a certification body such as Certification Europe holds.)  This independent certification recognises that BH Consulting has in place an Information Security Management System that meets the requirements of this highly regarded standard.  Achieving it means that our customers can be confident their information is being handled by a company that takes information security seriously.  As a consulting company it also shows that we practise what we preach.  BH Consulting has achieved this certification for all of its services, and we believe we are the smallest company in the world to have done so.

  • Brian Honan Publishes Book
    Brian Honan's book "Implementing ISO 27001 In a Microsoft Windows Environment" has recently been published.  Brian wrote the book in response to the many questions our clients have asked on how best to put in place the various controls and objectives outlined in the ISO 27001 Information Security Standard.

    Very often these people were mandated by their senior management to implement the standard in order to provide the business with assurance that recognised best practice was being used to secure its information assets.

    However, they then faced a number of major challenges:

    • They first had to become familiar with the ISO 27001 Information Security Standard and understand how it works.
    • They had to identify which controls applied to their organisation, based on its risk assessment and the controls that assessment required.
    • They had to ensure that the controls requiring technical configuration were being properly implemented.
    • Last but not least, they had to do all of the above in the most effective and cost-efficient manner possible.

    "Implementing ISO 27001 In a Microsoft Windows Environment" addresses those issues.  The book also focuses on how to leverage existing Microsoft technology that most organisations have already deployed, such as Microsoft Windows Server 2008, Microsoft Windows Vista and various other Microsoft security tools.

    Feedback on the book has been positive, with the first review stating "Overall the book accomplished exactly what the title alludes to and is a definite must have book for anyone from an Information Security Manager, to a Windows system administrator or infrastructure architect" and "I'll definitely have this book on call in my information library."

    You can purchase the book from Amazon or directly from the IT Governance website.

    2nd Digital Security Forum
    Brian Honan will be speaking at the 2nd Digital Security Forum, to be held in Lisbon at the end of this month.  Brian will be giving an interactive case study on identity theft, drawing on his experience of stealing the identity of Marie Boran of SiliconRepublic.com, an exercise she wrote up and which we discussed on our Security Watch Blog.

    Certified in the Governance of Enterprise IT
    BH Consulting is pleased to announce that our Principal Consultant Brian Honan has been Certified in the Governance of Enterprise IT (CGEIT) by the Information Systems Audit and Control Association (ISACA).  By achieving this certification Brian demonstrates that he has the knowledge and experience required to assist clients in managing the governance and compliance requirements of their IT systems.  Brian is now one of only 3,000 people worldwide who have been awarded this certification.

    MS3i Workshop
    The MS3i Workshop will be held on the 11th and 12th of June.  MS3i, "Messaging Standard for Sharing Security Information", is an EC-funded project to determine and propose the requirements for an international standard on sharing security information.  BH Consulting participated in the trials for this project and Brian Honan will be presenting the outcomes of those trials.  More details of the workshop are available on the MS3i website.

    ISO 27001 Risk Management Workshop
    One of the key elements in implementing an Information Security Management System based on the ISO 27001:2005 Information Security standard is the successful completion of a risk assessment.  Certification Europe will be hosting a workshop on how best to conduct a risk assessment.  Brian Honan will be co-presenting the workshop.  Registration for the event is available at Certification Europe's website.

    BH CONSULTING WEBSITE UPDATE
    At BH Consulting we strive to provide information that is relevant and useful in securing and running your business. To this end we offer a range of whitepapers, available for free download from our white papers page.

    Don't forget to visit our Security Watch Blog to keep up to date with the latest information security news.

    LATEST THREAT LEVELS
    Get more information on the latest updates on current threats at our online resources page.

    FEATURES

    Preparing Business Continuity for Pandemics
    The Department of Enterprise, Trade and Employment has released two good publications on preparing your business for a flu pandemic (or indeed any pandemic).

    The first is a document, “Business Continuity Planning - Responding to an Influenza Pandemic” (PDF file approx 1.2 MB), providing advice on how to prepare your company to continue business in the event of a pandemic impacting Ireland. It is 68 pages long but well worth the read with some good pointers and preparations that should be considered. It is also written in a way to assist organisations of all sizes, including those in the SME sector.

    The second is a corresponding checklist to ensure you have the appropriate measures in place.

    BH Consulting previously discussed preparing for such an eventuality on our blog, noting that many of the Business Continuity Plans we review for clients focus too often on the technology and IT infrastructure and not on the people aspect.  If you have not done so, now is the time to review your Business Continuity Plan, and the above documents are good resources to start with.

    ISSA Ireland and Microsoft Special Event
    ISSA Ireland is hosting a special event next Wednesday, the 10th of June.  The event is being run in conjunction with Microsoft and will focus on the security features of the Windows platforms.  There are some really good talks lined up which will prove very useful to those of you charged with securing a Windows environment.  In these days of recession and cutbacks, you will find out about security features built into Windows that you can employ at little or no cost, perhaps saving you from having to purchase third-party tools.

    The talks are;

    • Security Improvements in Windows 7 and Windows Server 2008
    • How Microsoft Manages Information Security
    • Microsoft’s Malware Research: Conficker a Case Study

    There will also be a series of lightning talks given by members on their favourite free security tools for the Windows platform.

    The event will kick off at 2 p.m. and finish at 5 p.m.  It will be held in the Academy Building at 42 Pearse St.  More details of the location can be found on the Academy's website.  To register for the event go to the ISSA Ireland website.

    If you cannot make it to the event, or even if you can, and want more information on how to use the security features of Windows, don't forget that Brian Honan covers these in detail in his latest book, "Implementing ISO 27001 In a Microsoft Windows Environment".  The book is available from either Amazon or the IT Governance website.

    OWASP Ireland AppSec Conference 2009
    OWASP will be hosting its first Irish Application Security conference here in Dublin on the 10th of September.   Application security is becoming more and more important as criminals target weaknesses in our applications.  This conference will provide you with some excellent speakers and take-aways to help you improve the security of your applications.  More details of the event are available on the OWASP website.

    Protecting Your Windows Systems from the Conficker Worm
    Following the critical out-of-cycle patch MS08-067, issued by Microsoft in October 2008, the Conficker worm, which exploits the vulnerability that patch fixes, was discovered and has since infected an estimated 9 million or more PCs.  Conficker does not rely on that vulnerability alone: it also spreads across network shares by guessing weak passwords and onto removable media via AutoRun, which is why the guidance below goes beyond simply patching.

    Microsoft has released an advisory on how to protect your PCs from the Conficker worm.  In summary, Microsoft recommends you take the following steps:

    1. Apply the security update associated with MS08-067.
    2. Make sure you are running up-to-date antivirus software from a trusted vendor.
    3. Check for updated protections for security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems.
    4. Isolate “unpatched” or legacy systems using the methods outlined in the Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide.
    5. Implement strong passwords as outlined in the Creating a Strong Password Policy whitepaper.
    6. Disable the AutoPlay feature through the registry or using Group Policy, as described in Microsoft Knowledge Base Article 953252.  NOTE: Windows 2000, Windows XP and Windows Server 2003 customers must first deploy the update associated with Knowledge Base Article 953252, and Windows Vista and Windows Server 2008 customers the security update associated with Microsoft Security Bulletin MS08-038; without those updates the registry setting that disables AutoRun is not honoured by Windows.

    We advise that you follow the above recommendations to ensure your systems are protected from this threat.
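    The following PowerShell script is an added example, not code from the newsletter or from Microsoft's advisory.  It audits a single Windows host against steps 1 and 6 above (the MS08-067 patch and the AutoRun setting) and, when run with -Fix, applies the AutoRun registry change.  It assumes that KB958644 is the hotfix ID of the MS08-067 package, that KB950582 and KB967715 are the package IDs of the AutoRun enforcement updates referred to in KB 953252 and MS08-038, and that a value of 0xFF in the NoDriveTypeAutoRun policy disables AutoRun for every drive type; check those IDs against the Microsoft bulletins for your platform before relying on them.

```powershell
# Added example: audit (and optionally remediate) a host against the Conficker guidance.
# Assumed identifiers (not taken from the newsletter): KB958644 = MS08-067 package,
# KB950582 / KB967715 = AutoRun enforcement updates, 0xFF = AutoRun off for all drive types.
# Run as an administrator; the -Fix switch writes the registry policy.
param([switch]$Fix)

$ms08067Id     = 'KB958644'
$autoRunFixIds = @('KB950582', 'KB967715')
$autoRunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autoRunName   = 'NoDriveTypeAutoRun'
$allDriveTypes = 0xFF

function Get-InstalledHotFixIds {
    # Get-HotFix lists the updates recorded by Windows Update / WMI on this host.
    Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
}

function Test-Ms08067Installed {
    return ((Get-InstalledHotFixIds) -contains $ms08067Id)
}

function Test-AutoRunFixInstalled {
    # On Windows 2000/XP/2003 and Vista/2008 the NoDriveTypeAutoRun policy is ignored
    # until one of these updates is present (KB 953252 / MS08-038).
    $installed = Get-InstalledHotFixIds
    foreach ($id in $autoRunFixIds) { if ($installed -contains $id) { return $true } }
    return $false
}

function Get-AutoRunPolicy {
    if (-not (Test-Path $autoRunKey)) { return $null }
    $p = Get-ItemProperty -Path $autoRunKey -Name $autoRunName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.$autoRunName
}

function Test-AutoRunDisabled {
    # AutoRun is only fully off when every drive-type bit in the mask is set.
    $v = Get-AutoRunPolicy
    return ($null -ne $v) -and (($v -band $allDriveTypes) -eq $allDriveTypes)
}

function Disable-AutoRun {
    if (-not (Test-Path $autoRunKey)) { New-Item -Path $autoRunKey -Force | Out-Null }
    Set-ItemProperty -Path $autoRunKey -Name $autoRunName -Value $allDriveTypes -Type DWord
}

if ($Fix -and -not (Test-AutoRunDisabled)) {
    Disable-AutoRun
    Write-Host "Set $autoRunName to 0x{0:X2} under $autoRunKey" -f $allDriveTypes
}

# Report each check; a False in the Pass column is an item from the advisory still to do.
$report = @(
    New-Object PSObject -Property @{ Check = "MS08-067 patch ($ms08067Id) installed";          Pass = Test-Ms08067Installed }
    New-Object PSObject -Property @{ Check = "AutoRun enforcement update installed";             Pass = Test-AutoRunFixInstalled }
    New-Object PSObject -Property @{ Check = "$autoRunName disables AutoRun for all drive types"; Pass = Test-AutoRunDisabled }
)
$report | Format-Table -AutoSize Check, Pass
```

    The script does not cover steps 2 to 5 (antivirus, signature updates, isolating legacy hosts and strong passwords), which depend on your own tooling; for domain-wide enforcement of step 6, set the same "Turn off Autoplay" policy for all drives through Group Policy rather than editing each host.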

    Remember also to update your incident response plan, in case your efforts are too late.  See our free whitepaper on "Incident Handling and Management".

    Interesting Summer Reading
    With the advent of the Irish summer we will no doubt be sheltering from the beating rain.  So, while we wait for the sun to occasionally break out, there are two reports released over the past few months that make interesting reading.

    The first is the annual report from the Office of the Data Protection Commissioner for 2008.  As usual, the report highlights the areas that many companies overlook when handling personal data belonging to clients or staff.

    The second is Verizon's 2009 Data Breach Investigations Report.  This report is compiled from actual breaches investigated by Verizon for its clients.  It is well worth reading to learn from the mistakes of others.  Some of the key lessons are (a single breach can involve more than one source or method, so the figures below overlap and do not sum to 100%):

    • 74% of data breaches in the report resulted from external sources
    • 20% of data breaches were caused by insiders
    • 32% of data breaches implicated business partners
    • 67% of data breaches were aided by significant errors on the part of the victim organisation, e.g. missing patches.
    • 64% of data breaches resulted from hacking, while 38% made use of malware.

    FREE SECURITY SCAN
    In partnership with Qualys, BH Consulting is offering a free Network Security Scan so you can check how healthy your network is. To find out more about what this service can do for you, visit our free Network Security Scan page.

    Alternatively contact us or visit our website to get more details on our risk assessment service.

    This issue of Security Watch is being brought to you by BH Consulting.  If you have found this issue to be of use please support our drive to raise funds for Focus Ireland.

    Each Security Watch eNewsletter, and the special Security Alert issues, are produced independently by the Windows IT Pro Custom Media Group and is distributed by various Microsoft security partners. Each eNewsletter contains up-to-date information about security strategies, technologies, and alerts. Each Security Alert contains the latest information about security threats.

    Additional news courtesy of Silicon Republic, Cnet, Silicon and Zdnet



    Copyright © 2005 BH IT Consulting Ltd.