News

Cyber Crime and Security


Ross Thomson was recently interviewed (18 Apr 11) on Sky News regarding the threat to Western firms from China's Cyber Hackers.

The cost of cyber crime to the UK is estimated to be £27bn per annum (source: Cabinet Office, ‘The Cost of Cyber Crime’ Report, Feb 2011) of which a significant proportion is attributable to UK business in terms of Intellectual Property (IP) theft and industrial espionage. The cost to the UK citizen is estimated to be £3.1bn and breaks down as:

  • £1.7bn per annum for identity theft (used to open bogus bank, mortgage or credit card accounts)
  • £1.4bn per annum for online scams (used to purchase goods that will not be dispatched, bogus money transfers, etc)
  • £30m for scareware and fake anti-virus software

Cyber crime is a global issue and is conducted by foreign intelligence services, organised crime networks and opportunistic cyber criminals. Much of the current activity is taking place in Russian-speaking countries, China, West Africa and the Middle East. Foreign intelligence services are generally focussed on acquiring intellectual property, but cyber criminals are in it only for financial gain. The criminals will steal personal information and either use it themselves or sell it on to the highest bidder through online markets. According to McAfee Resources the approximate value that can be attributed to stolen UK bank/credit card and personal information is as follows:

  • Information on a credit card’s magnetic strip with verification value (CVC): £2. This type of information is usually bought in bulk.
  • Full details about the bank/credit card and its owner: £20-£50. The cost will depend on the quality of the data and the country it originates from. Full details will include: Name, Address, Home Phone, Email Address, Date of Birth, National Insurance No., Mother’s Maiden Name, Secret Question, Secret Question Response, Name on the Card, Card No., Card Brand, Start Date, Expiry Date, PIN Number, CVC No.
  • Bank/credit card with the ability to change the billing address: £50-£200. The cost will depend on supply, authorised balance and spending limits.

The Government is also a target of cyber crime with criminals attempting to defraud the tax and benefit system. The evidence suggests that this type of fiscal fraud conducted by cyber criminal activity alone is costing the UK taxpayer £2.2bn. The knock-on effects are also significant because this type of crime could limit the scale of efficiency savings made by moving more Government services online.

To combat the cyber criminals, the banks and credit card companies have introduced additional security controls, which include the use of Chip and PIN, the requirement to enter additional passwords to verify transactions, and the use of two stage authentication technologies, e.g. individual card readers issued to bank customers to enhance logon security. There is some evidence to suggest these proactive actions are now having an effect and reducing losses. When fraudulent crimes are committed against an individual, the banks are required to fully reimburse the innocent victims.

What can individuals do to protect themselves?

Individuals must also take responsibility for their own security: use a reputable anti-virus product, keep their operating system and other software fully up to date (e.g. Windows 7, Adobe Acrobat) and make themselves aware of the online risks. These risks include opening email attachments that have arrived unexpectedly, clicking on dubious hyperlinks sent in an email, or providing security-related information which legitimate organisations would never ask for.

For an overview of how to protect yourself in the cyber battlefield please read our recent article here: Cyber Security: Protect yourself from the "dark side"

Strategic IA Partner to Savvis, Inc.


Savvis, Inc., a global leader in cloud infrastructure and hosted IT solutions for enterprises, will provide hosted operations and services to the United Kingdom Ministry of Justice (MoJ) as part of a five-year, £14 million agreement. Building on the successful Government Wide Services platform, accredited by Amethyst, this new contract supports the MoJ Shared Services programme. Amethyst continues to act in the role of strategic IA partner to Savvis, and expects to be engaged in wide ranging IA activities including the management and delivery of technical risk assessment, Pan-Government assurance, application and service accreditation, and data centre certification.

The Cost of Cyber Crime


Amethyst responded to the recent Cabinet Office report on cyber crime by advising UK plc to give information security a higher priority. It advises a four-point plan:

  1. Assign someone to own information security at board level - security is a key business risk like any other strategic risk
  2. Employ skilled practitioners who understand the modus operandi of the criminal, and can recognise the nefarious techniques used
  3. Get expert advice to ensure that best practice is adopted and adhered to - thorough risk assessments are the first step to exposing the issues and weaknesses (vulnerabilities) which may have been in systems and processes for years.
  4. Access the knowledge exchange programmes which exist for business

Chris Greengrass, recently interviewed on Sky Business News, said: "Information security in UK businesses isn't keeping pace with the increased level of threat. Amethyst isn't surprised by the government's figure of £27bn of cyber crime, and welcomes the additional funding announced by government in this area. It advises UK plc. to increase their resource and knowledge in a similar fashion."

IISP Accreditation


Amethyst Risk Management is proud to announce that our two-day risk assessment course, focused on HMG Information Assurance Standard 1, is the first to be accredited by the Institute of Information Security Professionals (IISP). This course is for CLAS consultants and information security professionals intending to conduct technical risk assessments of information systems. It provides an in-depth understanding, reinforced with a practical case study. Approval by IISP allows attendees who successfully complete this course to gain 7 CPD points. To book or for more information, please contact Georgina Moran on 07799 640000 or Georgina.moran@amethystrisk.com.

Information Risk Management Training – New Courses


Information Risk Management (IRM) Training is mandatory for specific roles across Government, primarily those of Accounting Officer (AO), Senior Information Risk Owner (SIRO), Information Asset Owner (IAO), Departmental Security Officer (DSO), and those responsible for the management/maintenance of ICT systems.

IRM training requirements are described in the HMG Information Assurance Maturity Model and Assessment Framework issued by Cabinet Office and CESG, against which many departments have established an IA strategy and plan with a view to achieving improved IA maturity. Such training is also specified in HMG IAS6 (Protecting Personal Data and Managing Information Risk).

Building upon the success of our Technical Risk Assessment course, recently accredited by the Institute of Information Security Professionals (IISP), Amethyst now offers the following IRM training courses:

An Introduction to Information Risk Management

Suitable For

Those with specific IA responsibilities including AOs, SIROs, IAOs, DSOs and ICT managers.

Brief Description

An intensive one-day course at the end of which delegates will:

  • Understand the key concepts of information risk, its management and its relationship with other forms of risk;
  • Be in a position to lead the cultural change necessary to ensure that staff value, protect and use information for the public benefit;
  • Understand the relevant legislative, regulatory and Minimum Mandatory Measures applicable across Government including the accountability reporting requirements;
  • Be aware of the current threat environment.

Data Privacy in Government

Suitable For

Anyone with access to or responsibility for the protection of personal data.

Brief Description

An intensive one-day course at the end of which delegates will understand:

  • The key principles associated with data privacy in Government;
  • The specific minimum measures required to protect personal information;
  • The controls necessary when personal data is shared with third parties.

The course will also provide an overview of:

  • Privacy Impact Assessments (PIA) as recommended by the Information Commissioner;
  • Outsourcing and Offshoring where the scope of such activities includes personal data.

Technical Controls for Government ICT Systems

Suitable For

Anyone with responsibility for the secure configuration, design, or maintenance of Government ICT systems.

Brief Description

An intensive one-day course at the end of which delegates will understand:

  • The range of technical controls that can be deployed in a secure architecture;
  • How to achieve forensic readiness;
  • How to assess requirements for protective monitoring;
  • Appropriate encryption standards and products;
  • Client system security;
  • Use of virtualisation products.

Amethyst at InfoSec 2010


Amethyst were at INFOSEC this year and shared a stand with Intel SOA Expressway. One lucky visitor won a free space on our two day IS1 course.
We are pleased to announce that a member of DSAS won the delegate space!