Author: Jason Kempnich

Meltdown & Spectre bugs: what they mean for business

Meltdown and Spectre are recently discovered CPU (hardware) bugs that exploit a critical design flaw in CPUs to easily obtain information from an off-limits memory location. In other words, researchers have found a way to trick the CPU into giving up information held elsewhere in memory, even if that memory is off-limits to the program reading it. Triggering the bug requires very little code and can be as simple as the victim reading a web page that contains the appropriate JavaScript. However, finding useful information inside the system and sending that information back home is more complex and may require additional steps from a threat actor. As can be seen in this demo from Michael Schwarz, the bug can cause passwords and other information...

Should I put my small business records in the cloud?

Keeping data safe and disaster-resistant is a major challenge for the average small business – a challenge some businesses don’t even realise is there. Most small businesses don’t have access to an IT specialist to protect the business’s data against a digital intruder or data loss event. This becomes especially critical where the data is sensitive, such as in medical practices. Often this work falls to the business owner or a well-meaning IT-savvy employee, but rarely is this person equipped to properly navigate the dual minefields that are Information Security and Business Continuity. Using cloud services can give a small business a level of assurance that may not have been possible with in-house or outsourced IT services. The inescapable truth of the matter is that a Software-as-a-Service cloud provider is...

Could your cloud be deleted?

Are a username and password all that stand between you and total loss? Is your organisation’s IT health solely dependent on another company’s financial health? As part of deciding to embrace cloud services, you must be able to identify a new set of risks to business continuity that perhaps weren’t a concern previously. Here are just two… Bankruptcy: You’ve decided to outsource your application to a SaaS (Software as a Service) or other public cloud provider. In large-scale SaaS contracts, considerable attention is rightly placed on Service Level Agreements (SLAs) to ensure the availability of the application to the business. But what happens when an SLA can’t protect you? Have you considered how your business may continue to function if your cloud service was withdrawn without notice,...

The risk within self-audit risk assessments

No one knows the risks inherent to an asset better than those who work with the asset. That is why self-audit has been around for years. It allows the audit team to get to the hidden details, while distributing the discovery phase of the workload outside of the audit team. When I first started working with self-assessment audits, the sessions were typically moderated by an experienced risk assessor. The moderator would ensure likelihoods and impacts were accurately recorded and (s)he would use an auditor’s experience to help interpret and guide the answers. Since then, Risk and Audit teams have been placed under increasing pressure to do more with less. I have noticed a trend to remove the moderator from the self-assessments, and take the self-assessor’s word...

Does my non-US business need a SOC 1, 2, 3 or SAS70 report? ISAE 3042 and ISO 27001 perform similar functions

“Our US-based client has asked for our SOC 2 audit report! I haven’t heard of one! What is it? What do I do?” Service Organisation Controls (SOC) are a US-centric accounting standard, designed to assess the controls an organisation has for its information (SOC 1), services impacting availability, integrity and confidentiality (SOC 2) and trust services (SOC 3). SOC was introduced by the American Institute of Certified Public Accountants (AICPA), and each report must be issued by an AICPA-certified auditor. In a nutshell, SOC is a US audit report, used by US businesses, issued by a US-certified auditor. If your organisation is outside of the USA, this report might be irrelevant to your local business context and may be difficult to come by because the report must be issued by an AICPA-certified auditor. Difficult, but not impossible....

Database encryption – is it worthwhile?

The Wall Street Journal recently reported that giant US-based health insurer Anthem had suffered a massive breach of its sensitive customer database. It is thought the entire contents of the database were successfully retrieved by the intruders, who had obtained a legitimate employee’s credentials. The Journal cited a source familiar with the breach, who said the sensitive database was not encrypted and that encryption would have made it more difficult for the intruders to obtain the information. This gives rise to an important security architecture question: when should you encrypt a database? What are the benefits? Would database encryption have helped? We have very few public details to work from, but in this case I believe database encryption would not have altered the outcome. The intruder had obtained a legitimate employee’s...

Is N-tier architecture still relevant in the public cloud?

Classic N-tier architecture has been with us for well over a decade. But does it still have a security role to play in public cloud deployments? First, a recap. We’ll use a database-driven three-tier web application in our examples, as this will cover a large number of real-world scenarios. What is N-tier and how does it help? (pre-cloud) Pro tip: skip to the next heading if you don’t need an N-tier refresher. It was once common for all parts of an application to sit on the same server – the web server that serves code to the user’s browser (presentation), the application (business logic), and the database (data) were all together. It was cheap and easy to implement, but could not scale horizontally. Application boundaries could be unclear, and a...