What is a vulnerability assessment?

A vulnerability assessment takes a vulnerability scan a step further by using a security tester's knowledge to drive an appropriate use of automated tools and test scripts.

What do you get?

The report is created manually, placing the findings in the context of the environment under test. Examples include removing common false positives from the report and deciding the risk level that should apply to each finding, which improves business understanding and the overall context of a finding. This is a good way to increase the level of assurance gained from automated testing while still keeping costs low.

For more information on security testing, see our blog here and download our cheat sheet here.

What is a vulnerability scan?

A vulnerability scan uses automated tools to identify known security issues through matching conditions with known vulnerabilities.

What do you get?

The tool automatically sets the risk level for each result of the scan, and no manual verification or interpretation of the results takes place before the report is issued. This is great for identifying technical vulnerabilities at a low financial cost. However, it also generates a high level of false positives while missing certain types of issues, which limits the overall level of assurance gained.

For more information on security testing, see our blog here and download our cheat sheet here.

Creating a Strong SNMP Community String

To ensure that an attacker does not gain privileged or read access to your devices via a poorly configured SNMP community string, we recommend the following steps:

Follow guidance similar to mainstream password guidance:

• Use both upper and lower case
• Include one or more numerical digits
• Use special characters, e.g. @, #, $ etc.
• Prohibit use of words found in a dictionary
• Disallow strings matching the format of calendar dates, licence plate numbers, telephone numbers, or other common numbers
• Prohibit use of the company name or an abbreviation of it
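As an added example (not part of the original guidance), a small Python policy check that applies the rules above to a candidate community string before it is configured on a device. The word list, the telephone and licence-plate heuristics, and the organisation name "ExCorp" are constructed assumptions; a real deployment would load a full dictionary and its own company terms.

```python
import re
from datetime import datetime

# Constructed stand-in for a real dictionary file (assumption: production use would load
# a full word list such as /usr/share/dict/words).
DICTIONARY = {"public", "private", "secret", "community", "password", "network", "router"}
# Hypothetical organisation name and abbreviation (assumption, not from the original page).
COMPANY_TERMS = ("examplecorp", "excorp")
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/|~")
DATE_FORMATS = ("%d%m%Y", "%d%m%y", "%Y%m%d", "%d/%m/%Y", "%d-%m-%Y", "%m/%d/%Y")

def looks_like_date(text):
    """True if the whole string parses as a calendar date in one of the common layouts."""
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(text, fmt)
            return True
        except ValueError:
            continue
    return False

def check_community_string(candidate):
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    failures = []
    lower = candidate.lower()
    compact = re.sub(r"[\s()+-]", "", candidate)  # drop phone-style separators
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        failures.append("mixed case")
    if not any(c.isdigit() for c in candidate):
        failures.append("digit")
    if not any(c in SPECIALS for c in candidate):
        failures.append("special character")
    for word in re.findall(r"[a-z]+", lower):  # whole alphabetic runs; leetspeak is not decoded
        if word in DICTIONARY:
            failures.append("dictionary word: " + word)
    if looks_like_date(candidate) or looks_like_date(compact):
        failures.append("calendar date")
    if compact.isdigit() and 7 <= len(compact) <= 15:  # telephone or similar common number
        failures.append("telephone or other common number")
    if re.fullmatch(r"[A-Z]{2}\d{2} ?[A-Z]{3}", candidate.upper()):  # current UK plate layout
        failures.append("licence plate")
    if any(term in re.sub(r"[^a-z]", "", lower) for term in COMPANY_TERMS):
        failures.append("company name or abbreviation")
    return failures
```

The default community strings "public" and "private" fail four rules at once, which is exactly why they are the first thing a scanner tries.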

Information Security Assurance from a Resilience Perspective

Information Security Assurance from a Resilience Perspective White Paper

Today the global business environment is more complex and interconnected than ever before. Organisations rely on electronic data as their lifeblood, and the systems that enable the storage, transport, access and manipulation of this data have become critical. Even simple spreadsheets can become mission-critical systems in their own right, and this has resulted in an era where networks and the applications sitting within them have become the very backbone of every organisation regardless of size and market sector. As a result, networks and applications are a primary channel for businesses and one that they must protect if they are to meet their business objectives and, in the end, to survive.

For many organisations, their approach to information security results in a fortress mentality that focuses on implementing defences and preventing an attack. It is increasingly acknowledged, however, that we cannot build sufficient defences to be 100% secure while still allowing our organisations to carry out their business effectively, and as such, for many this siege-based approach is no longer acceptable. A more resilient approach to the management of information security is therefore needed. This approach should not only accept that organisations cannot be 100% secure but also acknowledge that the cost of securing our organisations can be large. A risk-based approach should therefore be adopted: one that manages information security holistically, accepts that the risks cannot be fully mitigated, and builds in resilience. Doing so places greater emphasis on the importance of gaining an appropriate level of assurance.

Following on from our recent article in SC Magazine on the topic of resilient information security, we have now issued our white paper. A copy can be found here.

Information Security Assurance from a Resilience Perspective

SC Magazine recently published an article by our CEO, David Stubley on the topic of resilience and the need to adopt a holistic approach to information security.

“If we accept that our defences will no longer hold against every attack and we cannot therefore be 100 percent secure, then we also need to think about information security from a new perspective.”

The full article can be found here and a link to our white paper can be found here.


Scottish cluster for the UK Cyber Security Forum

We are pleased to announce that we are collaborating with ZoneFox to establish the Scottish cluster for the UK Cyber Security Forum. The UK Cyber Security Forum represents small companies who are actively working in cyber security across the UK. As the leading independent information security consultancy in Scotland we are proud to work closely with other SMEs to develop Scotland’s cyber capability.

Our first meeting will centre on a breakfast briefing on 4th November, titled:

UK Cyber Forum – Breakfast Briefing – “What the Cyber are the Scottish Government up to!”

Our CEO, David Stubley will present an update on the Scottish Government’s plans on Cyber Security.

If you are a Cyber SME, why not sign up to join us on the day here.

Details for the day:

08:00 for breakfast
08:30 Event starts
09:30 Finish

Location: CodeBase, Argyle House, 3 Lady Lawson Street, Edinburgh, EH8 8RD

Scottish Business Insider

7 Elements CEO, David Stubley is quoted in the September edition of the Scottish Business Insider.

The article, ‘Building Your IT Fortress’, focuses on the ever-changing threat landscape faced by organisations from hackers and the need for organisations to take proactive steps to manage the risk presented. Often security testing is used to gain assurance that an organisation’s approach to security meets their needs.

However, David Stubley, CEO at 7 Elements, says organisations do need help in understanding what security testing actually means.

“It has become ubiquitous within the field of information security and means very different things to individuals and organisations. All levels of security testing are valid but it is important you choose the level that is right for your needs. Balance your risk appetite, cost, the level of assurance required, threat landscape and any regulatory requirements, if applicable.”

The full Scottish Business Insider article can be found here.

To help organisations understand what it is they require, we have published a more detailed blog that takes a look at the different types of tests that come under the security testing banner and what you can expect from that test.


7 Elements CEO appointed by Glasgow Caledonian University

David Stubley, CEO at 7 Elements, a key player in the Scottish information security industry, has been appointed as an external examiner at Glasgow Caledonian University for the Digital Security, Forensics and Ethical Hacking course.

This new role brings practical, on-the-job insight to Glasgow Caledonian University, ensuring students are learning relevant theory and that the University is producing sought-after graduates.

Dr Michelle Govan, Senior Lecturer in Digital Forensics and Security, said: “Glasgow Caledonian University’s unique MEng/BEng in Digital Security, Forensics and Ethical Hacking programme has strong foundational links with industry, designed to inspire, embed real-world understanding and provide an overall enhanced student experience. To ensure that the programme reflects current developments, and students develop the skill set industry requires, we are delighted that David, with his extensive experience and expertise in this area, has taken up the role of External Examiner and will be an integral component in the University’s quality monitoring and assurance procedures for our programme.”

The curriculum, which combines the study of core technological concepts, theories and principles with specialised knowledge and understanding in the area of digital forensics, security and ethical hacking, has been developed to provide students with both theoretical and practical learning, producing graduates who will make a significant contribution to industry and society as professional practitioners.

David Stubley, CEO at 7 Elements, said: “I’m very pleased to have been appointed by Glasgow Caledonian University. Good graduates are essential to the industry, so it’s great to be able to influence the quality of students graduating with such a prestigious degree. Graduates are an important part of the 7 Elements model, with the business appointing two graduates this summer on a 12-month graduate programme.”

The 7 Elements graduate programme has been developed and is run internally by the 7 Elements team. The programme includes shadowing and training opportunities which are assessed throughout the 12 months, with a six-month and an end-of-year industry-recognised practical certification, the ideal follow-on for graduates.

Drupal and WordPress Denial of Service

The Drupal and WordPress frameworks are vulnerable to a denial-of-service condition within the XML-RPC service.

Details of the issue can be found here on the official sites for Drupal and WordPress. In short, the attack works by sending an XML-RPC call to the remote site carrying an initially small XML document. An element of that document is referenced repeatedly, so that when the server parses it the document expands to a far larger size.

How does this work? A small initial file of 200 KB will expand to 2.5 GB on the remote server, a class of vulnerability known as an XML Quadratic Blowup Attack. Attempting to parse multiple such requests consumes all available resources, and the application, and possibly the whole system, falls over.
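As an added example (not code from Drupal or WordPress), a Python pre-parse guard of the kind a proxy or middleware in front of an XML-RPC endpoint could apply: because entities can only be declared in a DTD, refusing any inline DTD removes the expansion mechanism entirely, and a size cap bounds the work for what remains. The two sample requests are constructed, and the 64 KB ceiling is an assumption.

```python
import re
from xml.parsers import expat

MAX_BODY_BYTES = 64 * 1024  # assumption: generous ceiling for a legitimate XML-RPC call
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed sample requests (not captured traffic): a normal call and one carrying an inline DTD.
BENIGN_CALL = (b'<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName>'
               b'<params><param><value><string>hi</string></value></param></params></methodCall>')
DTD_CALL = (b'<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY x "ab">]>'
            b'<methodCall><methodName>&x;</methodName></methodCall>')

class XmlRpcRejected(ValueError):
    """Raised when a request body is refused before or during parsing."""

def parse_xmlrpc_safely(body):
    """Return the methodName of an XML-RPC call, refusing anything that could blow up.
    Entities can only be declared in a DTD, and entity expansion is what lets a small document
    balloon in memory, so any inline DTD is refused; with no entities the size cap bounds the work."""
    if len(body) > MAX_BODY_BYTES:
        raise XmlRpcRejected("body of %d bytes exceeds cap" % len(body))
    if DTD_MARKER.search(body):
        raise XmlRpcRejected("inline DTD or entity declaration not permitted")
    path, method = [], []
    def refuse_entity(*_):  # belt and braces behind the regex check
        raise XmlRpcRejected("entity declaration refused by parser")
    def chars(data):  # text may arrive in several chunks, so accumulate
        if path == ["methodCall", "methodName"]:
            method.append(data.strip())
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = refuse_entity
    parser.StartElementHandler = lambda name, _attrs: path.append(name)
    parser.EndElementHandler = lambda _name: path.pop()
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise XmlRpcRejected("malformed XML: %s" % exc)
    if not "".join(method):
        raise XmlRpcRejected("no methodName element")
    return "".join(method)

def is_rejected(body):
    """True if the guard refuses the body; handy for tests and for logging refused calls."""
    try:
        parse_xmlrpc_safely(body)
    except XmlRpcRejected:
        return True
    return False
```

Logging the refused calls gives a cheap detection signal: legitimate XML-RPC clients never send a DTD, so any rejection on that rule is worth an alert.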

Using a simple proof-of-concept script it was possible to kill an entire site and the underlying operating system within a few moments:

“System running out of memory. Availability of the system is in risk.”

Unless you have previously disabled XML-RPC or have patched your Drupal and WordPress frameworks in the last few days, you are currently exposed to this denial-of-service attack, and we would recommend that you update to the latest version of your framework as soon as possible.

GCHQ certifies Master’s Degrees in Cyber Security

Our CEO, David Stubley, has been quoted in a recent Information Security Magazine article regarding the launch of the GCHQ programme to certify Cyber Security University Master’s Degrees:

“As a highly technical security consultancy we are acutely aware of the skills gap that exists between academia and the commercial sector,” he told Infosecurity. “GCHQ looking to address this can only be a positive step and one we hope will lead to providing graduates with the skills that will enable them to become valued security professionals.”

The full article can be found here, with the full announcement from GCHQ here.