10 Steps to prepare for a data breach

Every day, over 3 million records are compromised at companies around the world. The fact is that a breach is no longer a question of IF, but WHEN, it will occur. It is vital for your company to have a cyber security plan in place so that you are ready to act if your organisation experiences a data breach.

We’ve simplified a 10 step process to help you prepare for an attack. If you think your systems have been breached, please contact our 24/7 security team immediately at solutions@nettitude.com.

1. Change your mind-set

3.04 million records compromised every day

126,936 records compromised every hour

2,116 records compromised every minute

35 records compromised every second

Information Security has traditionally focused on securing the perimeter of the network. With the evolution of mobile devices, the perimeter is becoming less well defined, and attackers are increasingly able to evade perimeter defences. You should still continue to focus on defending your network, but not exclusively: bring breach detection and Incident Response readiness into your defensive repertoire. If you get into the mind-set that you WILL be breached, you will be prepared in the event of one.

2. Produce Incident Response Policy & Planning Documents

99% of computer users are vulnerable to exploit kits (software vulnerabilities)

Preparation is the foundation of data breach management. Statistically speaking, it is close to an absolute certainty that if you are a networked organisation, then you will be attacked. As society becomes more computer literate and the availability of free hacker tools increases, the chance of one or more of those attacks being successful also increases. Developing an Incident Response policy and planning documents is a critical step in preparing for a data breach.

3. Do you know all your valuable Assets?

In 52% of the 2016 data breaches, the exact number of data records compromised was unknown.

Assets are at the heart of any company and need to be maintained and secured correctly to help minimise the chance of an attacker accessing them. Follow the steps below to keep your assets secured:

  • Develop a full asset register that is regularly updated.
  • Identify the critical assets in your organisation and develop a risk profile for each of those critical assets.
  • Establish the threats to those systems and understand the impact of any degradation in their availability.
  • Ensure that, wherever possible, you have failover capability for critical systems, and that the persons with authority to approve taking critical systems offline are identified.

4. Update your Network Diagram!

In 60% of cases, attackers are able to compromise an organization within minutes.

One of the first items a Certified Incident Response Team (CIRT) will ask for is a network diagram, so make sure you have an up-to-date network diagram in place. Identify internet-facing systems, especially those that accept user logon credentials. Care should be taken when storing this document, and access to it should be strictly limited, as the information in it is of high value to attackers.

5. Simple Threat Intelligence

In 2016, there have been 454 data breaches with nearly 12.7 million records exposed.

A threat intelligence/analysis exercise needs to be carried out to understand what threats your industry sector faces and what tools, techniques and procedures your adversaries will use against you. This information can be leveraged to better protect your critical assets and to develop detection rules for the tools and techniques that your attackers will be using.

6. Strategic Partnerships

In 93% of breaches, attackers take minutes or less to compromise systems.

Establish partnerships with both internal and external organisations who can assist you in a breach. Internally, the fundamental departments to include in your Incident Response testing and education programmes are HR, Legal and PR.

Identify third parties who can provide specialist assistance during a breach, and external parties who will need notifying in the event of a breach. If you are able to, develop information/intelligence sharing with other organisations in your business sector. Establish whether your local Law Enforcement agency has a computer crime unit and have their number on hand in the event of a serious data breach.

7. Have you tested your plan?

Only 38% of global organizations feel prepared for a sophisticated cyberattack.

Gain some assurance around your preparations. At the very least you should test your Incident Response (IR) plan. This can be in the form of a table-top exercise or a more sophisticated simulation based on your threat analysis. The objective is to ensure that your IR plan is fit for purpose and robust enough to deal with a broad range of scenarios. Learn the lessons from such tests to remove any weaknesses or gaps in your Incident Response plan.

8. Educate your staff

30% of phishing emails are opened. And about 12% of targets go on to click the link or attachment.

Educate your staff on matters relating to incident detection and response. End users should be trained to identify suspicious activity and phishing scams. They should also be trained to report suspicious activity, and the reporting method should be referenced in your IR plan and ‘Acceptable Use Policy’. Educate IT staff to triage suspicious incidents and to understand how their actions during triage can affect an Incident Response investigation; this should include how, and whom, to approach in that situation.

9. Monitor, Log & Collect

63% of confirmed data breaches leverage a weak, default, or stolen password.

Review logging capability and configuration across your organisation to see if it can be leveraged to assist in any future data breach investigation, or used to detect intruders inside your network. The log review should encompass application logs, security appliances and management software such as Group Policy. Develop retention policies for log data and develop processes for managing large volumes of log data.

10. Detect the breach!

In 7% of breach cases, the breach goes undiscovered for more than a year.

Your ability to detect data breaches will largely depend on the people, processes and technology within your organisation. Your IT staff should have processes in place to review the log data you have configured in your environment, in order to identify anomalous records that might be worthy of further investigation. Similarly, logs from IDS/IPS, anti-virus and other security products should be reviewed regularly for anomalies. A more robust approach is to automate that log review by implementing a SIEM solution.
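As an added illustration of the kind of automated log review steps 9 and 10 call for (this is example code written for this article, not Nettitude tooling), the script below scans constructed sshd-style authentication records and flags a burst of failed logons from one source, and in particular a burst followed by a successful logon, which is the classic footprint of a guessed weak or default password. The log format, hosts, IP addresses and thresholds are all assumptions chosen for the sample.

```python
"""Flag anomalous authentication records in a batch of log lines.

Added example (not Nettitude code). Input format is assumed:
"<ISO timestamp> <host> sshd: <Accepted|Failed> password for <user> from <ip>"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for the demonstration (not real data).
# The final line is a non-auth record to show unparsed lines are counted.
SAMPLE_LOG = """\
2017-02-01T09:00:01 web01 sshd: Accepted password for alice from 198.51.100.7
2017-02-01T09:00:05 web01 sshd: Failed password for admin from 203.0.113.5
2017-02-01T09:00:07 web01 sshd: Failed password for admin from 203.0.113.5
2017-02-01T09:00:09 web01 sshd: Failed password for root from 203.0.113.5
2017-02-01T09:00:11 web01 sshd: Failed password for root from 203.0.113.5
2017-02-01T09:00:13 web01 sshd: Failed password for admin from 203.0.113.5
2017-02-01T09:00:15 web01 sshd: Failed password for admin from 203.0.113.5
2017-02-01T09:00:20 web01 sshd: Accepted password for admin from 203.0.113.5
2017-02-01T09:01:00 web01 sshd: Failed password for bob from 192.0.2.9
2017-02-01T09:01:30 web01 sshd: Failed password for bob from 192.0.2.9
2017-02-01T09:02:00 web01 kernel: eth0 link up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for an auth record, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review_log(text, threshold=5, window=timedelta(seconds=60)):
    """Return (findings, unparsed_count).

    A finding is raised the first time a (host, source ip) pair reaches
    `threshold` failures inside `window`, and again if that same source then
    logs on successfully before the burst has been cleared.
    """
    findings = []
    unparsed = 0
    failures = defaultdict(list)   # (host, ip) -> failure timestamps in window
    bursting = set()               # (host, ip) pairs already flagged

    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep count so a format change is noticed
            continue
        key = (rec["host"], rec["ip"])
        if rec["result"] == "Failed":
            stamps = failures[key]
            stamps.append(rec["ts"])
            while stamps and rec["ts"] - stamps[0] > window:
                stamps.pop(0)      # slide the window forward
            if len(stamps) >= threshold and key not in bursting:
                bursting.add(key)
                findings.append({"type": "failed_logon_burst", "host": rec["host"],
                                 "ip": rec["ip"], "count": len(stamps), "at": rec["ts"]})
        else:
            if key in bursting:
                findings.append({"type": "success_after_burst", "host": rec["host"],
                                 "ip": rec["ip"], "user": rec["user"], "at": rec["ts"]})
            # a success closes the window for that source; a new burst starts fresh
            failures.pop(key, None)
            bursting.discard(key)
    return findings, unparsed


if __name__ == "__main__":
    found, skipped = review_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print(f"{skipped} line(s) did not match the expected format")
```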

Ready to take your organisation’s cyber security to the next level?

Nettitude provides a variety of services to keep your company safe from cyber threats. Speak with a specialist today by emailing us at solutions@nettitude.com.


To contact Nettitude’s editor, please email media@nettitude.com.

Network Operations Engineer

Due to continued expansion we are seeking a Network Operations Engineer to be based in our Leamington Spa, Warwickshire offices.

Reporting to the Head of Managed Security Services, you will be involved in supporting our client’s environments.

We provide annual support and maintenance contracts for customers, and are looking to recruit a candidate who is capable of providing 3rd line support for our client base. A successful candidate will be a strong communicator and will enjoy working in a lively office environment. The candidate will be required to respond to customer support queries and either work them to resolution themselves or pass them to a Senior Consultant. The candidate will “own” all support queries and will be empowered to ensure that they are followed through to completion. The technology areas that will be supported include:

Essential:

  • Firewalling (experience with one of the following firewalls – Cisco, CheckPoint, Palo Alto) including VPN, next generation security and IPS/IDS
  • Security Products (Filtering, content checking, DDOS, 2 factor)
  • LAN and WAN Links
  • Routing/Switching
  • Wireless

Beneficial:

  • Storage & Backup
  • Microsoft Services
  • VMWare
  • Vulnerability Management
  • PCI or ISO compliance knowledge/experience.

THE APPLICANT:

An ideal candidate will have the following skills:

  • Strong understanding of TCP/IP with demonstrable experience of this area
  • Understanding of Cisco IOS with demonstrable experience of this skill
  • Understanding of Firewalling concepts with demonstrable experience of installing firewalls and supporting firewalls (understanding the rules & policies behind firewalls)
  • Understanding of VPN technologies with previous demonstrable experience of installing and working with VPN technologies
  • Demonstrable previous experience of working with Server/Storage/Microsoft skills
  • Client facing / consultancy skills with previous experience of supporting a helpdesk function at second or third line enquiry
  • Previous experience of managing client solutions, either on site and face to face with the client or by telephone in a helpdesk scenario, to at least second line support and ideally to third line support
  • Experience of providing 2nd or 3rd line support to a wide range of external customers as well as internal support to colleagues

An ideal candidate will have the following professional qualifications (or equivalent):

  • A solid understanding of offensive and defensive security
  • Experience within a security focused support role
  • Computer Science Degree 2.1 or above (or equivalent)
  • CCNA or CCNP-Security in order to deliver the Cisco focused network solutions to our client base
  • Palo Alto or Checkpoint firewall certifications
  • Other Security Qualifications
  • MCP or MCSE

Pre-Sales Consultant

Nettitude is a 120-person organisation with offices in the UK and US. We deliver cutting edge cyber security services to some of the largest and most widely trusted organisations in the world. We help organisations understand the risks from cyber and provide proactive guidance on how to reduce this risk through a series of professional services engagements.

Nettitude has historically focused on delivering Professional Services, and is transitioning into a 24×7 Managed Security Services business that delivers proactive detection and response services around the clock. This provides us with a number of key differentiators in the market, which are fuelling double digit year on year growth.

Role Description

The role will report directly to the Pre Sales Manager. The pre sales consultants will support the sales team by delivering pre sales assistance to help close business. This will be delivered both onsite in front of clients and remotely over the telephone.

Pre sales consultants will have responsibility for scoping engagements, and for larger requirements they will have responsibility for generating pre-sales proposals.

It is expected that suitable candidates will have a strong understanding of Penetration Testing, Incident Response and Risk Management. Nettitude will provide adequate training to help the presales consultant develop across all of the lines of business.

Essential Skills

  • Able to demonstrate a strong technical assurance background. Either CRT or CCT level CREST certification would be a benefit
  • Strong communication skills, both verbal and written
  • Strong understanding of wider infosec domains. CISSP, CISM desirable
  • Understanding of Incident Response and SOC services would be desirable

Responsibilities

  • Undertake all technical pre-sales calls and meetings within their specialism
  • Provide accurate scoping information for the sales team
  • Provide technical due diligence information for incorporation into each sales proposal
  • Uncover new leads during the pre-sales process and load into CRM for action by the account manager
  • Ensure the highest possible rate of conversion of opportunities to ‘won’ business
  • Periodically develop and refresh the technical elements of sales proposals relating to their specialism
  • Be prepared to deliver presentations during the sales cycle

The Technical Pre-Sales Consultant will also be required to:

  • Remain up-to-date with specialist skills and market trends
  • Remain current with all required accreditations and certifications
  • Undertake rudimentary training in other technical pre-sales specialisms in order to provide cover as required

Key Working Relationships

The following groups represent the expected primary working relationships required for this job role.

  • Technical Pre-Sales Manager
  • Chief Commercial Officer
  • Sales Managers
  • Sales Teams UK
  • Sales Teams US
  • All Technical Teams

PCI DSS v3.2 – The One Year Countdown has begun! Again?

I am sure many of you are reading this title thinking “what is he talking about, v3.2 went live ages ago”, and you would be correct. However, version 3.2 of the PCI DSS continues the concept of future-dated requirements, meaning the one year countdown to 31st January 2018 has begun.

Save the date

The PCI Security Standards Council introduced nine requirements in PCI DSS v3.2 which are best practice until 31st January 2018, after which time they become mandatory.

Now let’s be realistic: the majority of merchants and service providers are going to treat ‘best practice’ as ‘optional’ until they undergo an assessment after 31st January 2018. Please don’t wait. Compliance is not just the assessment with the Qualified Security Assessor (QSA); we should be striving to meet every requirement at all times, and they must be in place by 31st January 2018 even if your assessment is not until after that date.

Do I need to do something now?

YES! The majority of these future-dated requirements are for Service Providers, so if you choose to postpone doing something about them now, this is going to be highlighted in your Attestation of Compliance.

In this hyper-competitive world, can you afford to show this to your clients and the payment brands? Will it make the difference when touting your wares? If I was looking for a service provider, part of my due diligence requirement (12.8.3) would be to see how you’re doing with your future dated requirements.

Don’t forget, it is not only these requirements becoming mandatory; you may also have the GDPR on the horizon. So let’s get planning.

What are the requirements?

The table below was compiled from the PCI DSS v3.2, so be sure to get the full requirements from there:

Requirement | Details | Service Provider only?
3.5.1 | Maintain a documented description of the cryptographic architecture. | Yes
6.4.6 | Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. | No
8.3.1 | Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. | No
10.8 | Implement a process for the timely detection and reporting of failures of critical security control systems. | Yes
10.8.1 | Respond to failures of any critical security controls in a timely manner. | Yes
11.3.4.1 | If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. | Yes
12.4.1 | Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program. | Yes
12.11 | Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. | Yes
12.11.1 | Maintain documentation of the quarterly review process to include: documenting results of the reviews; review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program. | Yes

…and that means I have to do what?

Some of these requirements do nothing more than force you to employ good practice. On first look this perhaps seems cheeky, but if it is good practice you can hopefully already demonstrate it, either within your self-assessment or to your QSA.

3.5.1 – Documenting your cryptography

This is not as daunting as you might think. It is only going to apply to your organisation if you are storing encrypted cardholder data and you are a service provider, so you might be off the hook already. Pragmatically, this is only an extension of 3.6, so review that documentation and add details accordingly.

6.4.6 – This is an extension of change control

Possibly the EASIEST of the future-dated requirements. Why, you say? Because it is just good change management. If you have a good change management posture, it goes without saying that you will be ensuring PCI DSS compliance is maintained on all changes, let alone those deemed ‘significant’.

Review the process, insert a reminder/action/decision point that asks “Is this significant? Was all affected documentation from this change updated appropriately?”, and record the answer.

8.3.1 – Multi-factor Authentication for Non-Console Administration

This could be an awkward one. Here’s the problem for admins: sitting at the console of a machine in the CDE, they don’t need MFA to log on (but I won’t complain if you have it!). Sitting elsewhere and connecting to the CDE to administer it, they will need something. Start planning now if this is not in place, as it will affect a number of requirements and is likely to attract the attention of 6.4.6 above.

10.8 & 10.8.1 – Find out that it is broken, why it happened and fix it without delay

This one is for service providers only – but once again I will not object to Merchants doing it too! You need to show how you are monitoring the monitoring systems for failure. This can go hand in hand with testing your incident management processes, particularly for things which do not get tested on a daily basis. Work out a control test to apply to each of those systems where appropriate. If the monitoring processes do their job, you will not only be giving yourself evidence of testing the incident management plan, but you will also have checked that the monitoring systems themselves are working.

11.3.4.1 – Segmentation Testing

This is a recurring activity to test your segmentation, and again only for service providers. Check the requirements in the standard and have it done, either by an independent qualified resource or by engaging the services of a penetration testing company.

12.4.1 – Executive Management and a PCI Charter

This is new, but not entirely unfamiliar. If you are running an ISO 27001 ISMS, you will know about top level management needing to be part and parcel of the programme. A RACI matrix will help here, along with keeping top management in the loop; this requirement is a good place to start if you have not already.

12.11 & 12.11.1 – Perform reviews

Again, this is not a new idea, but it is a real boost for maintaining compliance. Thinking again about ISO 27001: if you are already doing internal auditing, as that is mandatory, then this is simply another control to add to your management system and you are covered. It is about assessing that you are performing BAU activities and can evidence this, so you need evidence that change controls and BAU activities were observed to be in place and effective, and documentary evidence that such a review took place.

So it is all quite straightforward?

Yes – a general review of your day to day activities is going to ‘smash these out of the park’. And if you are struggling with where to start, contact your QSA Company for assistance; they will be happy to help.

If you have done nothing yet, please try and minimise your delay. Also, remember that these are all requirements designed to minimise risks, so pop an entry into your risk log (requirement 12.2) and as you work through them, drop them off; the assessment process will love you for it!

P.S. Save the Date – 31st January 2018, not only is it a significant day for PCI DSS, it is also a total lunar eclipse and in the UK we sadly don’t get to see too much of it.



Nettitude partners with Parliament as Cyber Security Month gets underway

February will see a series of events organised as part of Parliament’s Cyber Security Month, which is aimed at raising awareness of the importance of cyber security as an issue that those in Parliament need to address in their personal and professional lives.

Organised by the Parliamentary Digital Service in collaboration with a number of partners, including Nettitude, Cyber Security Month is part of a wider series of initiatives planned for 2017.

Over the course of four all-day sessions, Members of both Houses and their staff will have the opportunity to brush up on their existing knowledge and learn new skills relating to cyber security.

Nettitude’s CEO, Rowland Johnson, will today host a session on the current cyber threat landscape, explaining the sophistication and motivation of today’s attackers, as well as organised cyber crime and the importance of threat intelligence in providing security assurance.

Rob Greig, Director of the Parliamentary Digital Service, has commented: “In a rapidly evolving cyber security threat environment, Parliament is committed to promoting good cyber practice wherever possible. We can all benefit from improving our understanding and it is great to be collaborating with a number of industry-leading organisations during Parliament’s Cyber Security Month, and I look forward to a successful series of events which I hope will be interesting and informative.”


Soldier to Cyber

As an ex-serviceman myself, I’m often approached by numerous service leavers who’ve asked how they can best prepare themselves for a career as an IT Security Consultant (AKA Penetration Tester / Ethical Hacker).

I’ve created this post based entirely on my personal experience. The aim is to provide guidance to those, who like myself, intend entering this exciting and fast evolving industry as a complete beginner.

It was two years after leaving the Armed Forces when I realised the career path that I wanted to take, and this realisation came after much deliberation into what actually motivates me. Unfortunately, as a result of this delayed realisation and lack of calculated direction, I didn’t effectively utilise my time in resettlement. I’d strongly recommend using the whole year to get the very most out of it! Resettlement is one of the most joined-up processes the military offers, providing you apply thought to what you want out of it. I would encourage anyone in resettlement seeking a career as a Security Consultant to utilise all available opportunities and look into the training programmes explained below.

  1. Sign up to the CTP (Career Transition Partnership) website and enrol on the CompTIA A+ course (10 days). Now I know what you may be thinking “A+ is primarily hardware related” and you would be right. But A+ also covers a lot of the basics such as virtualisation, networking and security practices – These “basics” will become part of your everyday working life as a Security Consultant. Besides, you’ll also become a competent IT Technician, armed with the skills and knowledge to repair your own PCs/laptops; saving yourself £££’s in the future. It will also prepare you for course number 2, outlined below.
  2. CompTIA’s Network+ and Security+ course (15 days). This course is designed to look into networks and then security best practices (both topics are vitally important as a Consultant, because you will need to advise your clients on how to remediate their security failures). It is during this course where you will begin to learn about testing network security with pen testing tools. I would also take the time to invest in attending the exams for any courses to gain your formal certification. This will impress any potential employer, whilst also demonstrating your commitment and aptitude. CTP receive a preferential discount on CompTIA exams to encourage ex-servicemen and women. Consider using your annual SLC to fund these exams.
  3. Sign up to Cybrary.it and study the Linux+ course. This is VITALLY important because the tools you will be using in the future as a Consultant are likely on the Operating System (OS) Kali Linux. Before you start to use Kali Linux, you really need to understand how a Linux OS works. Cybrary’s Linux+ course does just that. Don’t just give the course lip service, it’s so important to get used to the functionality of a Linux OS – You really need to understand exactly what you are running. Practice, practice, practice; this will save you so much pain in the long run.
  4. The allocated resettlement/GRT shouldn’t be viewed as a “buckshee holiday”; you should be using this time to apply your technical knowledge in a practical way and to apply to potential employers for work placements. Things like accommodation and travel, as well as food, are all covered when you are using GRT for a work placement (with the caveat that this was the case 3 years ago).
  5. Using the whole year, this would take you into roughly 6 months of resettlement and you’d have gained the basic skills to further your development. It is now you should consider using one of your resettlement grants towards a course provider who offers CREST training in Penetration Testing / Ethical Hacking in order to work towards the CRT (CREST Registered Tester) exam. The fact you are leaving the military most likely with SC, or DV and a CRT qualification will make you highly desirable.
  6. You will now be armed with plenty of skills and certificates to be considered for a Junior Tester position. Whilst you’re applying for jobs or just seeing out the end of your time in the Armed Forces, download vulnerable Virtual Machines; Metasploitable2 is a great start. It’s purposely designed with plenty of security flaws to exploit and test your newly learned skills. Alternatively, there are plenty more vulnerable VMs.
  7. Should you want to excel and go above and beyond it would be worth considering studying for the OSCP (Offensive Security Certified Professional) exam. The OSCP certification is regarded as the best within the Pen Test industry. By successfully completing the OSCP certification, the holder will have clearly demonstrated their proficiency as a Penetration Tester. This course costs around £1200 and is a difficult course that requires 100% commitment.

Embrace learning! The industry is constantly evolving and I haven’t stopped learning and I don’t think I ever will. Ensure you utilise your resettlement package wisely and invest the time and effort to prepare for your future.

I wish you all the success in your future. Please feel free to drop me a message should you need further guidance.


Junior Developer

Role Description

We are looking for a Junior Developer to join our dynamic and enthusiastic research and innovation team, which is involved in bringing to life cutting edge cyber technology solutions around threat intelligence, simulated attack platforms and bespoke tools. You will have 1+ years’ development experience and will be keen to be involved in developing with Python. You will have the opportunity to help shape and define new work in the department and get involved with cutting edge technologies.

Essential Skills

  • Relevant degree in Software Engineering, Computing or similar
  • Ideally 1+ years’ commercial development experience

General Skills:

  • Self-starter and able to work dynamically within a small team
  • Able to organise their own time and work independently

Desirable Skills

The following skills would be highly desirable:

  • Linux
  • Familiarity with Python
  • Familiarity with any of the JavaScript frameworks

Senior Security Information Consultant

Nettitude are looking for experienced Information Security Consultants with a deep passion and enthusiasm for InfoSec. Can you deliver exceptional technical and business leadership, pragmatic advice and in-depth guidance directly to a wide range of customers? Do you enjoy, and can you effectively, communicate strategy, effect technical and business changes, and deliver impactful briefings to businesses?

Role Description

The role involves working closely with our multi-national clients to identify information security risks within their organisations, and act as a trusted advisor to prioritise and respond to those risks.

As part of our industry leading Information Security Consultancy team, you will be involved in guiding and leading clients within a range of security engagements including: Cyber strategy workshops, threat assessments, risk assessments, security assessments, C-Level briefings, secure network and system architecture design, consultancy around a range of security frameworks, SOC Maturity workshops, and serving as a trusted advisor or virtual CISO.

Essential Skills

  • Solid grasp of technical subjects around networks, servers, databases and software applications
  • Demonstrated thought leadership and the ability to influence, shape and guide security programmes and business owners
  • Solid understanding of risk, threats and vulnerabilities
  • Ability to communicate clearly, with impact, to both technical and exec/board level staff
  • Excellent written and verbal communication skills
  • 5+ years’ experience within security disciplines
  • Previous experience in a client-facing consultancy role
  • Excellent time management skills

Required Skills

  • You should hold, or be willing to obtain, at least one of the following accreditations: CISSP, ISO27001 Lead Auditor/Implementer, CISA, CISM. Qualifications such as GSNA, IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor), IIA Certified Internal Auditor (CIA), Microsoft MCITP, Cisco CCNA, CREST and other offensive security qualifications or experience would also be an advantage.

Desirable Skills

  • In depth experience of security architecture, design and configurations
  • Solid understanding of breach detection and SOC maturity processes/models
  • Experience and understanding of both offensive (testing) and defence (monitoring & logging) security
  • Experience of conducting PCI DSS Assessments, RoCs and Gap Analysis workshops
  • Experience delivering security awareness training to both end-user and technical audiences would be an advantage.
  • Experience of conducting threat assessments and OSINT/threat intelligence engagements would also be desirable.
  • Project management

Expectations

  • You will be out on client sites for 60-70% of the time with report and office days in between. Assistance with pre sales and working with the wider teams at Nettitude is essential.
  • As well as client-facing delivery, all consultants are encouraged to contribute to the wider infosec community, through the authoring of blogs, attending or presenting at industry events, and membership of professional bodies. Existing experience and demonstration of leadership, industry activities and/or blog articles/whitepapers are actively encouraged.

SOC Security Engineer/Technical Consultant

We’re looking for a driven individual who is highly organised and has a desire to learn and grow within the role.

Role Description

Nettitude provides leading edge cyber security assurance services through our SOC, NOC and Testing teams. We are looking for highly capable consultants to join the team who have a passion to build and shape the industry. Defining what good looks like within a SOC, providing technical consultancy, understanding and applying Threat Intelligence and guiding customers to better and improved security postures are all focused areas of skills we are looking for.

This is a blended role, incorporating the delivery of cyber security consultancy from risk and threat assessments, through technical network design and management, to focused SOC/product delivery. This is a very exciting role with room to develop, expand knowledge and work with a cross section of expert teams within Nettitude.

Required Skills

  • Demonstrable security consulting experience around risk, security products (firewalls, IPS/IDS, logging, etc.), secure network design and threat intelligence
  • At least two years’ 2nd/3rd line support experience with LAN/WAN including switches, routers & Wi-Fi.
  • Configuration and maintenance of IPS/IDS solutions including signature/rule base tuning for specific threats
  • At least two years’ experience of configuring firewalls such as Cisco ASAs, Palo Alto or Checkpoint.
  • Solid understanding of both security principles and security products
  • Demonstrable experience of secure and resilient network design including VLANs, NAT, routing, switching and IP addressing.
  • An ability to work under pressure and take ownership of issues through to resolution.
  • A proactive attitude and ability to communicate with a variety of individuals and skill levels.
  • At a minimum, a CCNA or CCSA.
  • On-site client consultancy experience

Desirable Skills

  • CCNP, CCSE or PCNSE or other security related exams/qualifications
  • Experience of working in a SOC or with incident response/cyber investigations
  • Knowledge and experience of PCI environments
  • Understanding of the use of incident response products (CarbonBlack, Tanium) and SIEM platforms/tools
  • Working knowledge of YARA rules

Expectations

  • Office based in Leamington Spa, Warwickshire but with customer site visits as required.
  • Flexible hours of work between 08:00 and 18:30

The Big Freeze Is Coming – PCI DSS and change freezes

With the festive period rapidly approaching, many people will no doubt be looking forward to an extended break and some well-earned time away from work. The run-in to Christmas can be a relatively peaceful time of the year for many people, with organisations reluctant to kick-off large projects, or make significant change at a time when their employees are taking leave.

Many businesses will implement what is referred to as a change freeze over this period, completely stopping all but the absolutely unavoidable changes in the hope of minimising the risk of unexpected downtime. After all, nobody wants to be rolling back a system upgrade on Christmas Eve, or recovering backups on Boxing Day.

Probably the most common justification for a change freeze is found in the retail sector. With the Black Friday madness now behind us, the busiest shopping day of the year is predicted to be December 23rd. Crowds of hopeful last minute shoppers are expected to rush to the high-street, and possibly even more will go online and put their trust in next day delivery.

It’s at this time of year that the impact of any technical glitch is likely to cost more than at any other time. Last year, over a third of all shoppers waited until the final week before Christmas to complete their shopping, resulting in a significant loss for any retailer whose website or shops are unable to satisfy their customers’ desire to spend.

It’s easy to see why those tasks, considered not to be “absolutely unavoidable”, are delayed. Updates, upgrades, migrations, new installations – they’ll have to wait until January. But this can prove to be problematic, especially if your business is trying to comply with PCI DSS.

There are many ongoing requirements that must be met to maintain PCI DSS compliance, and some of them could fall victim to the change freeze. The most significant issue is applying critical security updates within one month of their release. In my opinion, PCI DSS is already very forgiving on this requirement; arguably one month is an overly long window in which to apply a critical security update. However, if your business runs a change freeze from mid-December until January, failing to install updates could leave you (and your Qualified Security Assessor (QSA)) with a problem come the time of your next on-site assessment.

Any organisation which enforces a change freeze that might impact on security (never mind compliance) should complete a comprehensive risk assessment. Consider what additional risks exist as a result of the freeze, and any mitigation work required (wherever possible). Make sure that you assess the risks of both making and not making changes, and use the same risk assessment process for a consistent result.

Keeping with the example of not installing security patches, you should consider the exposure of each system affected (a public-facing server versus an internal server), as well as the time immediately before and after the change freeze. It should go without saying that your ‘house’ should be in order prior to the change freeze, and that all patches should be applied and verified. Another recommendation is to complete additional vulnerability scanning to provide extra visibility and assurance.

While the change freeze is in place, your teams should be actively monitoring any alerting systems you have, as well as the security bulletins provided by vendors. If critical updates are released, assess whether they justify breaching the change freeze. If they don’t, then at the very least you should consider applying them to any test environments.

Schedule in any required maintenance windows in advance, and when the change freeze lifts, apply any critical updates to the most exposed systems first, and work back from there.
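The patch triage described above, expressed as a small planner; this is an added example, not code from the original post or from Nettitude. It checks each pending critical update against the one-month PCI DSS window, flags those whose window closes during the freeze before the first post-freeze maintenance slot (the ones you must risk-assess and consider breaching the freeze for), and orders the rest by exposure. The exposure scale, the freeze dates, the system names and the bulletin identifiers are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# PCI DSS: critical vendor security patches applied within one month of release.
PATCH_WINDOW = timedelta(days=30)

# Assumed exposure scale used to order work ("most exposed systems first");
# this is not a PCI DSS definition.
EXPOSURE = {"public": 3, "partner": 2, "internal": 1}


@dataclass
class PendingPatch:
    name: str       # vendor bulletin id (constructed values in the sample below)
    system: str
    exposure: str   # key into EXPOSURE
    released: date


def plan_patching(patches, freeze_start, freeze_end, next_window):
    """Return (name, action, deadline ISO date, slip_days), most urgent first.

    BEFORE_FREEZE: released before the freeze; apply and verify before it starts.
    ASSESS_BREACH: released during the freeze and the one-month window closes
                   before the first post-freeze maintenance slot; risk-assess
                   breaching the freeze, and patch test environments at least.
    AFTER_FREEZE:  window still covers the first maintenance slot; schedule it.
    """
    if next_window < freeze_end:
        raise ValueError("maintenance window must fall after the freeze lifts")
    rank = {"BEFORE_FREEZE": 0, "ASSESS_BREACH": 1, "AFTER_FREEZE": 2}
    plan = []
    for p in patches:
        deadline = p.released + PATCH_WINDOW
        if p.released < freeze_start:
            action, slip = "BEFORE_FREEZE", 0
        elif deadline < next_window:
            action, slip = "ASSESS_BREACH", (next_window - deadline).days
        else:
            action, slip = "AFTER_FREEZE", 0
        plan.append((rank[action], -EXPOSURE[p.exposure], deadline, p, action, slip))
    plan.sort(key=lambda e: e[:3])  # category, then exposure, then deadline
    return [(p.name, action, d.isoformat(), slip) for _, _, d, p, action, slip in plan]


# Constructed sample: a freeze from mid-December into January, as in the post.
FREEZE_START, FREEZE_END, NEXT_WINDOW = date(2016, 12, 12), date(2017, 1, 16), date(2017, 1, 21)
SAMPLE_PATCHES = [
    PendingPatch("VENDOR-2016-101", "ecommerce web tier", "public", date(2016, 12, 5)),
    PendingPatch("VENDOR-2016-102", "payment gateway link", "partner", date(2016, 12, 15)),
    PendingPatch("VENDOR-2016-103", "public DNS", "public", date(2016, 12, 15)),
    PendingPatch("VENDOR-2016-104", "internal file server", "internal", date(2016, 12, 28)),
]
```

Run against the sample, the planner puts the web tier before the freeze, flags the DNS and gateway patches as seven days past their window by the first maintenance slot, and leaves the internal file server for that slot.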

As for your PCI DSS and compliance, it’s important to “show your working”. Don’t simply hope your QSA won’t notice that some tasks haven’t been completed. Each QSA’s approach and expectations may vary, so work with them on an ongoing basis and at the time of your assessment, and show that you’ve acted appropriately.

Performing a risk assessment doesn’t have to mean pages and pages of documentation, but you should be able to demonstrate that you considered the risk and acted appropriately. You may also need to complete a compensating controls worksheet, but again this is something to discuss with your QSA. PCI DSS should never stand in the way of your organisation achieving its goals, and taking a pragmatic and open approach to this should help to ensure that the change freeze doesn’t leave you out in the cold.

To contact Nettitude’s editor, please email media@nettitude.com.