7Safe Limited » News & Events

PA’s 7Safe education team backs UK Cyber Security Challenge

safe7or — Wed, 28 Mar 2012 17:15:35 +0000

The winner of the second annual UK Cyber Security Challenge, supported by 7Safe education services, part of PA Consulting Group, has been awarded a place on 7Safe’s leading information security certification course. PA’s Alan Phillips, IT security and risk expert presented the award to Cambridge University student Jonathan Millican, who was crowned the winner having beaten thousands of talented contestants.

Additionally, several other highly popular 7Safe education prizes were awarded to finalists of the competition, who selected specialist certification courses ranging from the Certified Forensic Investigation Practitioner (CFIP) to the Certified Application Security Tester (CAST) course.

Supported by both the public and private sectors, the competition is intended to help drive the development of a larger and more dynamic cyber security workforce that is equipped with the increasingly diverse range of cyber skills required by government and businesses in order to defend UK organisations against the increasing risk of cyber attack.

Alan commented: “We are proud to continue to sponsor the challenge for the second year and to help reinforce the message that cyber threats are increasing among organisations due to a lack of skilled, trained experts working in important parts of the public and private sector. Importantly, by offering places on our specialist information security certification courses, we hope to inspire the next generation of cyber talent to protect the UK’s business assets."

To find out more about how our specialist information security education services can help your organisation secure business assets, please contact us now

Responding to the MS12-020 security vulnerability

safe7or — Mon, 26 Mar 2012 08:38:23 +0000

On 13th March 2012, Microsoft released a security patch for the MS12-020 vulnerability relating to the remote desktop protocol (RDP). The identified vulnerability allowed attackers to execute arbitrary commands on systems running vulnerable RDP services over the network which could lead to denial of service attacks, or worse, to loss of sensitive data stored on the system. In order to protect themselves from this critical security vulnerability, organisations are advised to apply the Microsoft patch and take further steps to ensure both the immediate and longer-term security of their IT infrastructure.

To find out how to secure your IT infrastructure in relation to this critical security vulnerability, click here

Cyber experts share insights into why cyber security is no longer just a technical issue.

safe7or — Thu, 08 Mar 2012 10:57:52 +0000

Cyber business is considered a main engine for future economic growth and the opportunity to use related technologies, such as the cloud, to reduce costs is a key part of the agenda for many organisations. Yet cyber crime is also increasing as are the indications that it is still not being treated seriously or is simply regarded as a problem for the IT department to worry about.

London Stock Exchange figures indicate that nearly £125 trillion is traded electronically in London in a typical month, which makes the UK a significant target for cyber-attack. At present, this risk is not being fully managed, creating fears that the country could be being systematically pillaged in cyberspace. Yet because the hype often drowns out the facts, because there is a clear vested interest behind many of the reports on the scale of the problem and because most people think risk is primarily an IT problem, the issue is not getting the attention it deserves and not being treated as one that concerns people, reputations and brands.

Roughly 80 per cent of the value of a typical company is exposed in cyberspace. There have been enough cases for us to know that a typical advanced attack costs the victim in excess of £100 million, with an average of 12 per cent wiped off the market cap of a company in the immediate public aftermath.

The scale of the risk deserves to be managed at board level within companies yet typically it isn’t – or not at least until after a major attack has been discovered, when the cost of resolving the problem becomes much greater than it would have been had adequate protection measures been in place. As with so many things, taking proactive action is a better strategy than battening down the hatches and hoping to avoid it.

To tackle the problem the UK Government is investing £650 million in a national cyber security programme. One of the top challenges will be how to persuade the private sector to do more in this area. Options being considered include regulation, tax incentives, sharing more information about ongoing attacks, new standards and accreditation schemes and mandating suppliers to raise their game. Yet there are some simple practical steps that every organisation can take to mitigate against the risk.

Enabling a targeted response. Working in the digital age has increased the exposure of a business and its assets, and in ways that are not always recognised. For example, by using an iPhone application, someone can feasibly assume remote control of certain types of car, starting and stopping the engine, applying the brakes, controlling its speed and retuning the engine. This is made possible because the alarm system for the car uses a 3G mobile phone module, which links its electronic management system to cyberspace. In a typical office, similar technology can be used to compromise a photocopier. As a result, businesses need to think very carefully about how they are vulnerable and the degree to which risks are being taken. It is worth remembering that technical security solutions in the market can generally only respond to problems that are already known about. A “zero-day attack” – which exploits IT vulnerabilities unknown to the software developer – will usually succeed. Furthermore, in cyberspace, it is possible for one person to bring a company down, and from the convenience of their sofa at home: there are enough people out there who might be tempted and the tools they need are often just a click away.

Most attacks are opportunist in nature and not targeted, so simple “hygiene measures” such as keeping software patches up to date will provide good protection. However, research organisation Gartner estimates that one in 20 pieces of executable code on the typical corporate network is malware that has escaped all technical controls.

Addressing the people problem. In almost every major cyber-attack, there is evidence of a perfectly good policy or security control not being followed. So cyber is not just a technology challenge: the people and cultural aspects have to be fixed too as there is little value in implementing measures that are counter to the way people behave and think. For example, randomly generated passwords may be hard to crack, but most people have to write them down to remember them, which defeats their purpose. In addition, the technical bit of an attack – breaking into a network – is usually relatively easy for a professional and can be a five-minute job. At the same time, finding and extracting something of value is more difficult and time consuming and may take up to two years of work. In these instances, insider help (whether knowing or manipulated) is often used to short-cut the process. This happens in around half of all advanced attacks. To counter this organisations need to evaluate who can be trusted most and balance controls with appropriate monitoring and after an incident track back and identify things that should have been spotted before which may help both deter and prevent such problems.

Over many years, the threat has changed in terms of its prevalence and complexity, but the underlying methods are largely the same as they have always been. This is why we should come to expect an increase in custom malware attacks like Stuxnet, the worm discovered last year that targets controls of industrial facilities. Obviously greater connectivity is leading to wider opportunity, and the tools for hackers have become commoditised, making it easier for anyone to enter the market. For example, social media is making it easier for hackers to connect and orchestrate crimes together, and on a much larger scale. As a result attackers increasingly take advantage of the tendency of (especially younger) people who volunteer their every personal detail to social networks by committing large-scale fraud and identity theft. This is why social media companies will increasingly come under scrutiny as they attempt to balance making profits against the need to protect their subscriber data.

The ubiquity and growing reliance on smart phones is driving a massive demand for third-party apps, many of which are functional yet highly insecure, giving rise to software that has access to people’s contacts, tracking where they are and where they go on the web. Yet as we look to the future, improved awareness is likely to reduce the number of opportunist attacks. Moves to improve international co-operation and to introduce new legislation around privacy and better online identity management will, over time, help to act as a brake. However, the capability and resources available to certain governments and to organised crime gangs suggests that targeted cyber-attacks will continue to occur, and that inevitably some will be catastrophic.

Good social responsibility is already proving key for large organisations in avoiding becoming a target. The rise of intelligence-led security and better focused investment based on a risk and resilience approach is also likely to pay dividends. As is the expected consolidation of supplier markets, as many SMEs are acquired and merged into larger players, so diversifying and rounding their security offers to customers.

Conclusion. The market is shifting slowly, as the limitations of technology are better understood and as more experts learn to work with the new paradigms. Suppliers are waking up to the additional value of offering safer products and services, which feature appropriate security from the outset. Customers are seeking better protection and governments are looking to make places like the UK safer place to do business. Ultimately, however, success will depend upon persuading the people in an organisation that cyber security is something that must be taken seriously.

Edward Savage, cyber security expert, PA Consulting Group and Alan Phillips, cyber security expert, PA Consulting Group.

Visit The Future of Business blog here.

Understanding the security risk from XPATH 2.0 – meet PA at Black Hat Europe 2012

safe7or — Thu, 01 Mar 2012 16:00:19 +0000

On 14 March, PA Consulting Group’s Sumit Siddharth will be speaking at the world’s premier IT security event, Black Hat Europe 2012, focusing on the vulnerabilities associated with the programming language, XPATH 2.0.

To schedule a meeting with Sumit during the conference, please contact us now.

Sumit is a specialist in application and database security, an industry-renowned security researcher and head of penetration testing at 7Safe, part of PA Consulting Group. He will be joined by Tom Forbes, 7safe research analyst, who has been working on the XPATH project during recent months.

Sumit will share his insights and experience around penetration testing by demonstrating advanced exploitation techniques and the resulting threats to businesses. The talk will provide a unique opportunity for attendees to gain in-depth knowledge about security vulnerabilities in XPATH 2.0

Attackers are obtaining confidential data from organisations by exploiting XPATH injection vulnerability and Sumit and Tom will present a number of real-life examples showing how attackers can do this. To conclude, they will release an innovative open-source tool that can be used to automate the exploitation of this vulnerability, helping you to establish whether your organisation is exposed to risks posed by a xpath injection vulnerability under XPATH 2.0 .

To find out more about how PA can help your organisation use the latest penetration testing techniques to improve its security and resilience in cyber space, please contact us now.

PA Consulting Group acquires 7Safe Ltd to enhance its cyber security service

safe7or — Thu, 12 Jan 2012 09:43:19 +0000

PA Consulting Group is pleased to announce that it has acquired 7Safe Ltd, a leading cyber security consultancy head-quartered in Cambridge. 7Safe’s expertise in security risk assessment, computer forensics, eDiscovery and education complements PA’s own long-established cyber security, risk and resilience capability, which has been in high demand in securing the businesses of both public and private sector clients.

The acquisition of 7Safe means that PA now offers a market-leading, end-to-end cyber security service – helping organisations become more secure while making the most of the opportunities that cyberspace presents. 7Safe’s deep testing and forensic skills will complement PA’s wider cyber security experience and expertise.

Jon Moynihan, Executive Chairman at PA Consulting Group, stated: “We are very pleased that 7Safe has chosen to join PA, thus rounding out our already extensive set of capabilities in cyber security. 7Safe are our kind of people; they have the same highly professional, ethical and people-focused approach to business as PA. The combination of the two businesses will enable us to meet all of our clients’ cyber security needs. We are delighted to welcome 7Safe into the PA group.”

Alan Phillips, co-founder of 7Safe, says: “We are all excited by the opportunities that this provides to better help our clients. Cyberspace offers great opportunities for businesses; we can help ensure that their operations are conducted safely and with resilience. PA has an enviable market reputation for delivering cyber security solutions. We are delighted to join forces to provide an integrated range of cyber security services to clients.”

Neira Jones, Head of Payment Security, Barclaycard, says: “Barclaycard and 7Safe have been working together for over four years, ensuring the security of online payments around the world from all of our global partners. We look forward to working with PA and 7Safe in the future, as they bring together both specialist technical capabilities and wider cyber security, IT, management and technology expertise.”

7Safe formally became part of the PA Group of companies on 1 January 2012.

For more information, click here

Cyber Security Skill Gap Highlights Training Needs

safe7or — Tue, 20 Dec 2011 11:15:27 +0000

An alarming increase in cyber attacks have recently been seen in the UK, many incidents of which have been widely reported in the media. The issue has naturally drawn attention to the urgency for companies to improve their security measures. Ironically, the UK has seen a huge drop in the number of pupils undertaking computing courses, leaving the country even more vulnerable to future cyber attacks.

In a recent interview with the Daily Telegraph ahead of the government’s Cyber Strategy, Baroness Neville-Jones stated how important it is to stop organised criminals, and the essential need to train more cyber experts.

‘We must bring through the trained youthful talent to support the transition to an internet economy. We need quality as well as quantity', Lady Neville-Jones said.

The interview drew attention to the fact that initiatives need to be developed to help inspire young people with the concept that cyber security is an arena which can offer real prospects. As such, projects like the Cyber Challenge UK for students could help create excitement and activity around the career path.

7Safe, part of PA Consulting, understands the need to actively encourage young talent into the information security arena, as shown by its support in sponsoring the UK Cyber Security Challenge 2011. Winners were awarded with prizes of places on 7Safe’s latest Certified Application Security Tester course CAST and Certified Forensic Investigation Practitioner CFIP course.

7Safe Director Alan Phillips commented: ‘At a time when the country is vulnerable to cyber attacks, the need to offer skills-development training in IT security has never been greater. We hope that our hands-on education will influence key contributors to make a positive impact on the future of the government’s new Cyber Security Strategy’.

To read the full article featuring the interview with Baroness Neville-Jones, click here

Interview With 7Safe Pentester Reveals Latest Tools & Exploits in IT Security

safe7or — Fri, 16 Dec 2011 15:04:54 +0000

Head of Penetration Testing at 7safe Sumit Sidharth (Sid), was recently interviewed by the Pentest Magazine to provide insights into his specialism in application and database security. Speaking from over seven years of successful experience within the IT Security Industry, ‘Sid’ talks candidly about his contributions towards a number of white-papers, articles, advisory, tools and exploits to the industry. Some of the highlights include Sid’s extensive research into the area of SQL injection and his latest work in Oracle database vulnerabilities.

To view full interview click here

Brit PhD Student Excels in Pentagon Digi-Forensics Challenge

safe7or — Fri, 16 Dec 2011 12:30:44 +0000

A computer science student from Lancaster University has become the UK winner of the digital forensics challenge, a global competition designed and hosted by the US Department of Defense. Christopher Richardson (AKA Ikarus) came first in the UK and ninth internationally among 1,791 competitors from 52 countries.

The challenge was designed to test the ability of competitors to extract and scrutinise data to solve a simulated cyber crime. Aspects of the challenge involved understanding file signatures, metadata hashes, data hiding, communication recovery, and information concealment. “It was difficult in parts but really enjoyable,” says Richardson, who is currently studying for a PhD in intrusion detection systems. “I have always had an interest in a wide range of security areas both inside and outside of my academic speciality and this competition gave me a platform to test my skills on practical problems with real world relevance. After getting stuck a couple of times, I didn’t think I had done that well, but to win the UK stream and do so well across the whole competition feels great.” Richardson will receive £2,000 of security training from 7Safe as a reward for his efforts, which have also earned him a place in the UK Cyber Security Challenge UK’s face-to-face play-offs next year.

He qualifies, alongside several runners up, for the Sophos Malware Hunt on 14 January, where competitors will be asked to identify and explain a range of real malicious code from the vaults at Sophos' Labs.

The Cyber Security Challenge UK is designed to unearth fresh sources of cyber security talent from people not already working in the industry. the initiative is supported by both the UK's government, universities and high tech firms.

“The Challenge is a key component of a new approach that the profession must embrace – it’s about focusing on natural aptitude first, and then bringing in certifications and training courses like the ones we are offering Chris, to mould that aptitude into a professional skills set,” explained Alan Phillips, chief exec of 7Safe.

Hacking Oracle From the Web: Part 2

safe7or — Fri, 28 Oct 2011 15:20:41 +0000

The first sequel of this paper was released in 2010 and it discussed the privileges needed to execute OS code when exploiting a SQL Injection in a web application which has an Oracle back-end.

This paper examines new techniques to execute multiple statements via SQL Injection. No special privileges are needed to use these techniques and they work for all versions of Oracle Database from Oracle 9i to 11g R2. The paper specifically outlines how to achieve privilege escalation and OS code execution when exploiting SQL Injection vulnerability in a web app which in-turns connect to an Oracle database.

Click to view (PDF)

The 7Safe Penetration Testing team introduce Server Hardening

safe7or — Fri, 07 Oct 2011 08:43:29 +0000

Server Hardening, sometimes referred to as a build review, is a relatively new service offered by 7Safe. This service is designed to assist IT management and security teams with the task of creating and adhering to defined policies or rule sets, whilst still providing useable systems.

Many modern operating systems have advanced security measures and controls built in, and when combined with regular patching, this makes for a very secure base build. However, it is not uncommon for servers to organically grow and services expand over time, with every change weakening the underlying structure of the server. This is often due to the introduction of extra 3rd party software and services, as well as ever changing permissions on files, folders and registry keys to name just a few.

This unique service offering will help your organisation to maintain a secure and organised IT infrastructure by providing fully up-to-date information and customised recommendations for your company.