Scottish Cyber Awards

We are very proud to announce that we will be sponsoring the Leading Light Innovation Award at the first ever Scottish Cyber Awards!

The Scottish Cyber Awards are being organised by the Scottish Business Resilience Centre and Scottish Enterprise and their purpose is to recognise Scotland’s commitment towards cyber security excellence. The award ceremony will be held on Wednesday the 16th of November at The Waldorf Astoria in Edinburgh.

If you would like more information about the Scottish Cyber Awards please visit www.sbrcentre.co.uk.

MoD is backing the Cyber Essentials Scheme

As of 1st January 2016, all MoD contractors and sub-contractors are required to hold Cyber Essentials or Cyber Essentials Plus certification. This extends to all MoD procurement, suppliers and subcontractors, even if they are not working directly with or for the MoD. For projects starting after 1st January, all suppliers must hold the relevant Cyber Essentials certificate by the contract start date at the latest and renew it annually thereafter.

Key Points

There are four risk categories for MoD projects (very low, low, moderate and high), each with its own certification requirement:
  • All contractors and sub-contractors on projects with a very low risk rating are required to have a CE certificate.
  • All contractors and sub-contractors on projects with low, moderate and high risk ratings are required to be CE+ certified (which includes gaining CE as part of the process).

Get in Touch

7 Elements are an accredited certification body for Cyber Essentials. More information on the scheme can be found here. As an independent technical information assurance consultancy, 7 Elements is well suited to assist your organisation in gaining a Cyber Essentials Certification.
As the scheme is designed to be available to organisations of all sizes, our pricing is cost effective.
To discuss your Cyber Essentials needs, please contact us.

Mitel CCMWeb OpenRedirect

Advisory Information

Title: Mitel CCMWeb OpenRedirect

Date Published: 

Advisory Summary

The application accepts user input and then on completion of an additional task redirects the user to an external link.

Vendor

Mitel

Affected Software

Product: MiCC (CcmWeb)
Version: 7.x and earlier

Description of Issue

An open redirect vulnerability was discovered in MiContact Center version 7.1. The vulnerability was found in the login component of CCMWeb and could be exploited by modifying the ‘redirecturl’ parameter to point to an attacker-controlled site. It could be used as part of a phishing attack, as the domain element will be familiar to the client, building trust in the URL. As the redirection does not happen until the user has authenticated to the site, it may be possible to set up credential theft scenarios by cloning the CCMWeb login page.

PoC

The following proof of concept redirects the user to www.google.com after a successful login. This is only a proof of concept; through obfuscation or tiny URL technologies the Google URL could be changed to something malicious.

http://1.1.1.1/CCMWeb/webforms/login.aspx?redirecturl=http://www.google.com

Timeline

Reported – 26th January 2015

Accepted – 31st March 2015

Advisory Published – 4th October 2015
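
The mitigation for this class of issue is to validate the ‘redirecturl’ value before the post-login redirect is issued. The check below is an added example, not Mitel's code and not part of the original advisory, written in Python for illustration; the hostname ccm.example.internal, the landing path /CCMWeb/ and the sample page path are assumptions.

```python
from urllib.parse import urlsplit

# Assumptions for this example (not taken from the advisory):
ALLOWED_HOSTS = {"ccm.example.internal"}   # the site's own hostname(s)
DEFAULT_LANDING = "/CCMWeb/"               # used when the target is rejected


def safe_redirect_target(raw, default=DEFAULT_LANDING):
    """Return raw only if it keeps the user on this site, else default."""
    if not raw:
        return default
    # Browsers treat '\' as '/' and drop tabs and newlines inside URLs, so
    # values such as '/\host' can leave the site. Reject backslashes,
    # whitespace and control characters before parsing.
    if any(ch == "\\" or ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in raw):
        return default
    try:
        parts = urlsplit(raw)
        host = parts.hostname
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path rooted with a single '/'.
        # '//host/path' is scheme-relative and would change the host.
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return default
    # Absolute URL: scheme and exact hostname must both match the allowlist.
    # Exact matching defeats 'allowed-host.other.tld' and 'allowed@other'.
    if parts.scheme in ("http", "https") and host in ALLOWED_HOSTS:
        return raw
    return default


if __name__ == "__main__":
    # Constructed sample values; the first is the target from the PoC above.
    for value in ("http://www.google.com", "//www.google.com",
                  "/CCMWeb/webforms/home.aspx",
                  "https://ccm.example.internal/CCMWeb/"):
        print(f"{value!r:42} -> {safe_redirect_target(value)!r}")
```

Rejected values fall back to a fixed landing page rather than producing an error, so a tampered link still completes the login without leaving the site.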

Mitel CCMWeb Unauthenticated Local File Inclusion

Advisory Information

Title: Mitel CCMWeb Unauthenticated Local File Inclusion

Date Published: 

Advisory Summary

A lack of input validation allows an attacker to download arbitrary files from the server.

Vendor

Mitel

Affected Software

Product: MiCC (CcmWeb)
Version: 7.x and earlier

Description of Issue

A local file inclusion vulnerability was discovered in the MiContact Center version 7.1. This vulnerability was found in the flexreport component of CCMWeb and could be exploited by an unauthenticated user to reveal arbitrary files by utilising directory traversal sequences to download files.

PoC

The following proof of concept downloads the Windows hosts file.

http://1.1.1.1/ccmweb/flexreport.ashx?filename=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\system32\drivers\etc\hosts

Timeline

Reported – 26th January 2015

Accepted – 31st March 2015

Advisory Published – 4th October 2015
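
The input validation that was missing here amounts to resolving the requested name against a fixed directory and refusing anything that lands outside it. The check below is an added example, not Mitel's code and not part of the original advisory, written in Python using Windows path rules; the directory C:\CCMWeb\Reports and the function names are assumptions.

```python
import ntpath  # Windows path rules on any OS; the PoC uses '..\' sequences

REPORT_ROOT = r"C:\CCMWeb\Reports"  # hypothetical directory, an assumption


class UnsafeFilename(ValueError):
    """The requested name does not resolve to a file under the root."""


def resolve_report(filename, root=REPORT_ROOT):
    """Map a user-supplied filename to a path inside root, or raise."""
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty name or NUL byte")
    # Windows accepts both separators, so fold them before any check.
    name = filename.replace("/", "\\")
    # ':' covers drive letters (C:...) and alternate data streams; a leading
    # '\' covers rooted and UNC paths, which would replace the root on join.
    if ":" in name or name.startswith("\\"):
        raise UnsafeFilename("absolute, drive-qualified or UNC path")
    # Collapse '.' and '..' first, then test where the result actually lands.
    candidate = ntpath.normpath(ntpath.join(root, name))
    base = ntpath.normcase(ntpath.normpath(root))
    # Compare against root plus a separator so that a sibling such as
    # 'Reports-old' does not pass a bare prefix test.
    if not ntpath.normcase(candidate).startswith(base + "\\"):
        raise UnsafeFilename("resolves outside the report directory")
    return candidate


def is_allowed(filename, root=REPORT_ROOT):
    """Boolean wrapper around resolve_report for use in request handlers."""
    try:
        resolve_report(filename, root)
        return True
    except UnsafeFilename:
        return False
```

String normalisation does not see junctions, symbolic links or 8.3 short names, so on the server the resolved path of the file actually opened should also be compared against the root. Because the issue was reachable without authentication, the handler should require a valid session as well.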

 

Aerospace, Defence and Marine (ADM) Industry Leadership Group

7 Elements CEO appointed by the Aerospace, Defence and Marine (ADM) Industry Leadership Group. The full article can be found here.

ADM Industry Leadership Group

7 Elements CEO appointed by the Aerospace, Defence and Marine (ADM) Industry Leadership Group

David Stubley, CEO at 7 Elements, a key player in the Scottish information security industry, has been appointed as a new member of the Aerospace, Defence and Marine (ADM) Industry Leadership Group (ILG). The group has expanded its remit to cover Cyber Security as it represents both a significant market opportunity for companies in the sector but also Scotland has a considerable and growing capability in this area. David will bring his years of knowledge and expertise into the group to ensure that the revised 2015 strategy for Aerospace, Defence, Marine and Security (ADMS) fully incorporates this new growth opportunity for Scotland’s economy.

Scottish Enterprise facilitates ILGs, with the groups responsible for developing and delivering forward looking industry strategies. ILG members provide strategic leadership and advice to industry and the public sector in Scotland, drawing on their national and international expertise on global trends and issues and the niche areas where Scotland has global competitiveness. These groups comprise leading business figures drawn from across the private sector as well as senior representatives from the public sector including Scottish Enterprise, Scottish Government and key stakeholders.

The ADMS ILG currently has 18 members from key industrial and academic players in the sector including Vector Aerospace, Selex ES, Thales Optronics, Spirit Aerosystems, BAE Systems, Clyde Marine Group, University of Strathclyde, STUC, Scottish Engineering, Society of Maritime Industries, Inter-Tec Services ltd, British Airways Maintenance Glasgow, Castle Precision Engineering, Beal Group, MacTaggart Scott ltd. 

Mick OConnor, Chairman of the ADM ILG, said:

The need to transmit and store information securely is of paramount importance in today’s business world. There are many high profile examples where data was accessed illegally at both a business and national level. In recognition of the emerging prominence of cyber security we have invited David Stubley to join the Aerospace, Defence and Marine (ADM) Industry Leadership Group (ILG) to provide matter expertise in this area. This appointment will help increase the general awareness of cyber security to business within the ADM community moreover, identify market opportunities for Scottish business.

David Stubley, CEO at 7 Elements, said:

I’m excited to have been appointed to the Industry Leadership Group. The Scottish Aerospace, Defence and Marine sector plays a vital role within the national economy and has increasingly become the focus of cyber attacks. Establishing a resilient approach to security will not only reduce the impact of these events, but make Scotland a safer place to do business.

Incident Response

As part of the Cyber Academy ‘Cybercrime Investigations & Incident Response Bootcamp’, our CEO David Stubley will be delivering training to UK Law Enforcement. For more information on our approach to incident response, please visit our site.

Keeping cool in a crisis – Incident Response

Back in January 2015, SC Magazine published my article on keeping cool in a crisis. With the ever-increasing portfolio of breached organisations, maybe it is time to revisit that advice again?

Cyber-Attacks

In today’s world it is inevitable that organisations will suffer cyber-attacks. When an organisation is attacked their incident management procedures will be key in sustaining the company through the crisis. However, with large scale breaches continuing to cost organisations and individuals dearly as well as hit the headlines, more could be done to improve incident management procedures.

Preparation

Preparation is key to any planned response but it can be difficult for organisations to anticipate what will be required in the event of an incident. For many organisations, incident response procedures plan to tackle scenarios identified through business continuity risks or following internal incidents. Procedures are often completed or reviewed as part of an annual business planning process by those with a focus on the business. This results in an introspective focus that can leave incident management procedures lacking.

An introspective focus does not effectively anticipate the full suite of scenarios that an organisation may face in responding to an incident. Such an internal emphasis does not take into account the evolving threat landscape or the changing external environment in which the organisation operates. Without placing incident response measures in this dynamic external context, organisations may find their response measures are lacking in the face of current attacks.

Learning from others

Of course, gaining information about factors external to your organisation, such as threats, is often an insurmountable challenge, but organisations have an opportunity to carry out reviews of the breaches of their competitors or other organisations similar to their own.

Groups conducting attacks, whether for financial gain or other motives, will frequently use the same methods of compromise. This fact has clearly been demonstrated in the recent attacks on the electronic point of sale systems in the US retail sector and the on-going use of targeted phishing emails to gain access to corporate networks. There are also previous attack trends of utilising SQL injection or memory scraping malware as attack methods to draw upon as examples of attack methodologies being reused. The use of similar methods by attackers means that organisations have an opportunity to identify attack approaches and vulnerabilities that could be applicable to them. Organisations should therefore look to use the experiences of others within their sector to enhance their own incident management procedures.

While it is accepted that the full details of the incident will not be publicly available, many industries have information sharing forums and employees build up relationships with their counterparts in other organisations. It is likely that an organisation will be able to garner sufficient information to identify vulnerabilities exploited by attackers and key attack vectors. This information can be used to review the incident and determine if the organisation is itself vulnerable to such an attack. In short, organisations should conduct a post-incident review of the incidents that impact on other organisations.

Using the information available, an organisation can identify potential attack scenarios and whether they are likely to be breached as a result. By playing out these scenarios within the context of their own environment, organisations will be able to identify if they have compensating controls in place or where they may be required. Once compensating controls are in place organisations can then test their effectiveness in the context of these scenarios and therefore gain assurance that they are not exposed to the attacks their peers have suffered.

This process may be assisted by experts such as security testers, ordinarily external to the incident response planning process. Penetration testers can provide insight into the scenario planning and assessment process. By the very nature of their jobs, penetration testers are often skilled at identifying and understanding attack vectors. By using such experts, organisations will be able to add more rigor to their assessment of scenarios as well as challenge preconceptions. Ultimately this will result in a more resilient approach to incident response.

In summary

Reviewing the incidents of others will enable organisations to anticipate the types of attacks they may be vulnerable to and prepare for them, ultimately keeping cool in a crisis.

By keeping abreast of the threat landscape, spotting trends within relevant industries and reacting to the external environment, organisations will be able to plan effectively for incidents, if not reduce the likelihood of a successful attack. Should an attack occur, organisations will have more resilient incident response measures in place with which to tackle these anticipated threats. By learning from others’ misfortunes organisations may be able to avoid the pain of going through a similar experience.

Click here to find out more about our approach to incident response.

Cryptic message of the day

MjAxNS0wNy0yM1QwMDowMTowMCswMTowMCAweDM3CTB4NDUgCTB4NWYgCTB4
MzUgCTB4NTkJMHg1MgkweDUzCTB4NWYJMHg0ZgkweDRjCTB4NDQJMHg1Zgkw
eDU0CTB4NGYJMHg0NAkweDQxCTB4NTk=

Cyber Essentials

7 Elements achieves Cyber Essentials Certification body status.

7 Elements are now a certification body able to deliver Cyber Essentials (CE) and Cyber Essentials Plus (CE+) engagements for organisations that are aiming to meet this standard.

The move comes as 7 Elements looks to expand its service offering to include a cost effective security solution to all clients which now includes conducting this government approved assessment. The CE and CE+ accreditation has been developed as a method to significantly reduce business vulnerability at an achievable cost. More information on the scheme can be found here.