Security

Is Your Physical Security Exposing Your Information Security

Last week I stumbled across a rather interesting set of videos on YouTube by a presenter called Deviant Ollam (https://www.youtube.com/results?search_query=deviant+ollam+physical+security). Deviant Ollam is a physical security penetration tester in the US and runs a company doing just that: trying to gain access to places he shouldn’t. We’re not talking about black hat break-ins here; this is white hat work, paid for by the client to test their physical security.

What I found watching some of these videos was startling. Yes, some of the content is a little US-centric and perhaps doesn’t apply to the UK, but it really got me thinking about a question. In IT, we spend all this time and money investing in information security, event logging, event monitoring, alerting, and more. If the physical security of our premises is so easily bypassed, however, are we just making it too easy for would-be attackers?


End of Support for Windows 7 and Server 2008

Windows 7 and Windows Server 2008 (and 2008 R2) have had a great run. Between Vista, which came before it, and Windows 8, which came after it, Windows 7 was a shining light for enterprises: it offered the right user experience and the right performance. Windows Server 2008 R2 has been the mainstay of enterprises the world over, far exceeding what was possible in Windows Server 2003 and not feeling quite as bloated as Windows Server 2012 did. Sadly, all good things come to an end at some point, and January 14th 2020 marks the end of support for Windows 7, Windows Server 2008, and Windows Server 2008 R2.


Securing Your Cloud Resources for Free

Azure Active Directory Conditional Access is a feature that you get with Azure Active Directory Premium so you can manage who, where, when, and how users can sign in to access your cloud-based services such as Office 365 and Microsoft Azure. Although it’s great and we’d recommend everyone look at it, for some, the cost is too much. In this post, we’ll explore what you can do when it comes to securing your cloud resources for free.


PCI DSS Changes to Supported Security Protocols

Do you run a website? Is your organisation required to meet the requirements of PCI DSS, have you opted to meet them voluntarily, or do you just like to keep up with good security practices?

The PCI Security Standards Council (PCI SSC) has given organisations who must comply with PCI requirements until 30th June 2018 to move away from insecure web security standards. This means that if your organisation is running a website or has any web-based services which use a secure connection, they must use the TLS 1.1 or above protocols; the web service must reject connections over the SSL 3.0 and TLS 1.0 protocols. There is a handy PDF guide at https://www.pcisecuritystandards.org/pdfs/PCI_SSC_Migrating_from_SSL_and_Early_TLS_Resource_Guide.pdf.

For most websites and web services, this is a simple change to implement; however, some platforms will not allow you to make this change, and some application development languages may not even support these newer versions.

Big businesses may have teams dedicated to managing these requirements, but small organisations or start-up businesses offering online web fronts and check-out shopping services may not. Why not get in touch with us about consulting? We can help you investigate whether you can simply make this change or whether there is more work in store to get yourselves ready for it. Now may even be a good time to take a look at modernisation, such as Azure Web Apps for your website.

Moving to a Secure Web World

The internet and digital communications are evolving. In recent years, there has been momentum and support for stronger internet security and adherence to best practice and industry standards. Part of this is for more websites to deliver their content over secure channels, even if the website is not transacting payments and orders or accepting input of personal data. If you are transacting and taking online payments or orders, or if you have people entering their details on your website, such as on a contact or subscription page, then you definitely should be using secure connections.

According to Scott Helme, a British security researcher, in 2017 the number of websites from the Alexa Top 1 Million Websites using secure communication as standard reached 38%, which is still a remarkably low number. Google now gives preference in its rankings to websites which use secure channels, and modern web browsers such as Microsoft Edge, Google Chrome, and Mozilla Firefox all now clearly show you if the website being browsed is not secure.
