ITIL-V3 Bookcase
Strategic Board

ITIL 2.7.3.1 Security Experience

Portables
Portable computers expose their users to criminal attack aimed at the corporate data stored on the machine.   Criminals can target users known to carry a portable computer, because it is likely to hold corporate email and business data that can be sold to competitors.
Burglaries of executives' homes have increased, because people who work from home on a portable computer are easy to identify and make easy targets.   The physical loss of a portable computer containing business data is a breach of the Data Protection Act and the Owner can be fined by the UK Information Commissioner.
The rule is simple:
  Do not permit business data, including email, to be stored on any local or portable computer, for any reason and for any purpose.

Tuition
The Owner will provide security training and education for each authorized user as appropriate.
The ASP offers tuition to authorized users to minimise their chance of becoming a target of criminals who may threaten the user's family.   Where users follow an open and transparent policy that no business data or email is ever stored on their local computer, the risk of the user and their computer becoming a criminal target is minimised: a machine that holds nothing of value is not worth stealing.   Where users never download or copy business data to their local computer, criminals cannot target the user and their computer to steal valuable intellectual property.   Where users never share their pass phrase with any other person, any criminal using that pass phrase will trigger an alarm, be stopped and have the action blacklisted.   If a criminal threatens a user or their family, the user should give up their pass phrase and report the attack to the local police and to their managers.

Opinion
The ASP offers the opinion that Linux is significantly more secure than any Microsoft Windows edition; Linux Mint is the recommended desktop operating environment.   The opinion is that Google Gmail is more secure than Microsoft Outlook in every measured way, and that any cloud-based email service is more secure than any self-hosted mail server such as Microsoft Exchange.   The opinion is that LibreOffice or Google Docs are more efficient and more effective than any installed edition of Microsoft Office; Microsoft Office 365 in the cloud is an exception that can be very secure, but costs more than the other office suites.
As a means of reducing operational costs, Linux Mint is free of charge, does not require anti-virus software, runs efficiently on lower-specification machines and publishes a new release only about every six months (security updates still arrive continuously and must be applied promptly).   Linux Mint may be used on desktop, netbook and laptop computers; it has the look, feel and comfort of an early edition of Windows.

History
History is no proof of what will happen in the future, but it is a hundred times better than guessing what will happen.
With more than fifteen years' experience of operating many hundreds of web services for many thousands of users, criminal attack vectors can be measured.
Fortunately, no data has been stolen and no security breach has been detected in any application over all these years, so experience of how to handle and recover from a breach remains unknown and unproven.   Absence of a detected breach is not proof that none has occurred, which is one reason monitoring is continual.

Reported Breaches
Every reported data breach has been analysed and lessons learnt; based on the evidence, the breaches fall into:
35% Software flaws in web applications.
22% Cyber espionage.
14% Point of sale intrusions.
9% Credit card skimmers.
8% Insider misuse.
Every reported attack (incident) has been analysed and lessons learnt; based on the evidence, the attacks fall into:
25% Staff errors.
20% Malware and virus infections.
18% Insider misuse.
14% Physical loss.
The percentages in each list do not sum to 100%; the remainder falls into smaller categories not listed here.

Risk Analysis
For every reported breach category, risk analysis is undertaken to ensure that adequate security precautions have been taken to eliminate the possibility of the same type of breach against any web service.
(1) Hand-written application software has been eliminated, which excludes the 35% of reported breaches caused by software flaws in web applications.   While companies employing large consultancies continue to expand their software liabilities, the ASP employs fourth generation language methods so that no bespoke application code exists to contain such flaws.   The generator, its runtime and the web server configuration remain in scope for testing, since no method produces software that cannot have flaws.
(2) Cyber espionage has been eliminated by excluding email servers from any network shared with web servers and by continually monitoring every authentication request.   While many companies continue with inadequate login passwords, the ASP deploys multiple layers of sign-in authentication that include a pass phrase, geolocation, IP address, network ISP, date, time and a host of other factors.   The ASP has eliminated 95% of threats by ensuring that every pass phrase is unique, strong and not user-defined, so that it cannot also be in use with other applications.
(3) Point of sale equipment is not part of any application service, so these (low quality) hardware devices do not create a threat.
(4) Card readers are not part of any application service, so skimmers and related misuse are not a threat to any web application service.
(5) Insider misuse is the number one threat that the ASP must continually address in each and every application service; some users are inquisitive and some are plain criminals.   Continual monitoring of what users do and what error messages they are shown, together with shared audit trails such as "What Did I Do", helps to keep honest insiders safe and secure.   Where an insider tries any clever URL manipulation or SQL injection, their account is blacklisted to prevent future criminal attacks.
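The layered sign-in described in (2) above, as an added example that is not the ASP's own code: a sign-in attempt is checked against the user's server-assigned pass phrase first, then scored on geolocation country, IP address, ISP and time of day. The profile fields, the signal weights, the thresholds and the rule that a correct pass phrase arriving from an unfamiliar context forces a reissue are all assumptions chosen for illustration.

```python
"""Risk-scored sign-in decision combining a pass phrase with context signals.

Added example, not the ASP's own code: the profile fields, signal weights and
thresholds are assumptions chosen to illustrate layered authentication.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class UserProfile:
    user_id: str
    salt: bytes
    passphrase_hash: bytes      # PBKDF2-HMAC-SHA256 of the server-assigned pass phrase
    usual_countries: set        # geolocation countries seen in normal use
    usual_networks: list        # ipaddress networks of the user's home/office ISP
    usual_isps: set             # ISP names seen in normal use
    working_hours: tuple        # (start_hour, end_hour), 24-hour clock
    failed_attempts: int = 0
    reissue_required: bool = False   # correct phrase arrived from an unfamiliar context
    blacklisted: bool = False


@dataclass
class Attempt:
    passphrase: str
    ip: str
    country: str
    isp: str
    hour: int


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def make_profile(user_id, passphrase, countries, networks, isps, hours):
    salt = secrets.token_bytes(16)
    return UserProfile(user_id, salt, hash_passphrase(passphrase, salt),
                       set(countries), [ipaddress.ip_network(n) for n in networks],
                       set(isps), hours)


# Assumed weights: a foreign country plus any other mismatch denies; one mismatch challenges.
WEIGHTS = {"country": 40, "ip": 25, "isp": 20, "hour": 15}
DENY_AT, CHALLENGE_AT = 60, 15


def risk_score(profile, attempt):
    """Return (score, reasons) for the context signals, ignoring the pass phrase."""
    reasons = []
    addr = ipaddress.ip_address(attempt.ip)
    if attempt.country not in profile.usual_countries:
        reasons.append("country")
    if not any(addr in net for net in profile.usual_networks):
        reasons.append("ip")
    if attempt.isp not in profile.usual_isps:
        reasons.append("isp")
    start, end = profile.working_hours
    if not start <= attempt.hour < end:
        reasons.append("hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def evaluate_signin(profile, attempt, max_failures=3):
    """Return (decision, reasons); decision is "allow", "challenge" or "deny"."""
    if profile.blacklisted:
        return "deny", ["blacklisted"]
    if profile.reissue_required:
        return "deny", ["passphrase reissue pending"]
    supplied = hash_passphrase(attempt.passphrase, profile.salt)
    if not hmac.compare_digest(supplied, profile.passphrase_hash):   # constant-time compare
        profile.failed_attempts += 1
        if profile.failed_attempts >= max_failures:
            profile.blacklisted = True
            return "deny", ["blacklisted after repeated failures"]
        return "deny", ["passphrase"]
    score, reasons = risk_score(profile, attempt)
    if score >= DENY_AT:
        # Right phrase, wrong context: treat the phrase as disclosed and force a reissue.
        profile.reissue_required = True
        return "deny", reasons
    profile.failed_attempts = 0
    if score >= CHALLENGE_AT:
        return "challenge", reasons
    return "allow", reasons


if __name__ == "__main__":
    p = make_profile("u1", "granite harbor kestrel", ["GB"], ["203.0.113.0/24"], ["ExampleNet"], (8, 18))
    print(evaluate_signin(p, Attempt("granite harbor kestrel", "203.0.113.7", "GB", "ExampleNet", 10)))
    print(evaluate_signin(p, Attempt("granite harbor kestrel", "198.51.100.9", "US", "OtherNet", 3)))
```

The pass phrase is verified before any context signal is consulted, so a wrong phrase never leaks which of the other factors would have matched; a correct phrase from the wrong country, network and hour is treated as a disclosed phrase rather than as a successful sign-in.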

Password Sharing
For many years, authorized users were conditioned to share their passwords with their manager and colleagues; this dangerous way of working has now been eliminated.   Where monitoring shows that a user's pass phrase has been disclosed to any other person, that pass phrase is changed and reissued.
To prevent a user's pass phrase from being reused with other application services that may become vulnerable, no user is permitted to choose their own pass phrase.   Many other layers of authentication are employed, so the pass phrase alone is of minor importance.   Pass phrases are generated by an algorithm that makes them long and random enough to remain strong for 3 to 5 years, rather than needing to be changed once a month.
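Server-side assignment of pass phrases, and the arithmetic that justifies a multi-year lifetime, as an added example; this is not the ASP's algorithm, which the page does not describe. The word list is a small constructed one, the six-word length, the 10^10 guesses-per-second offline rate and the 1000x safety margin are assumptions, and the 7776-word figure is the size of the EFF long word list.

```python
"""Server-assigned pass phrases and the entropy arithmetic behind a multi-year lifetime.

Added example, not the ASP's own algorithm: the word list, the six-word length,
the guessing rate and the safety margin are assumptions for illustration.
"""
import math
import secrets

# Constructed word list (assumption). A real deployment would use a large
# published list; the EFF long list has 7776 words, the figure used below.
WORDS = ["anchor", "basalt", "cinder", "dormer", "ember", "fjord", "granite", "harbor",
         "ingot", "juniper", "kestrel", "lantern", "marrow", "nimbus", "orchid", "pylon"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(list_size: int, word_count: int) -> float:
    """Bits of entropy when each word is drawn uniformly and independently."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count: int = 6, words=WORDS) -> str:
    # secrets.choice uses the OS CSPRNG; repeats are allowed so every draw is
    # independent and entropy_bits() is exact.
    return " ".join(secrets.choice(words) for _ in range(word_count))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to enumerate the whole space at an offline guessing rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def rotation_adequate(bits: float, guesses_per_second: float,
                      rotation_years: float, margin: float = 1000) -> bool:
    """True if exhausting the space takes at least `margin` times the rotation interval."""
    return years_to_exhaust(bits, guesses_per_second) >= margin * rotation_years


def assign_passphrases(user_ids, word_count: int = 6, words=WORDS) -> dict:
    """Issue one fresh random phrase per user, distinct from every phrase in this batch.

    The user never chooses the phrase, so it cannot be one they also use elsewhere.
    """
    issued, seen = {}, set()
    for uid in user_ids:
        phrase = generate_passphrase(word_count, words)
        while phrase in seen:
            phrase = generate_passphrase(word_count, words)
        seen.add(phrase)
        issued[uid] = phrase
    return issued


if __name__ == "__main__":
    strong = entropy_bits(7776, 6)          # about 77.5 bits
    print(f"{strong:.1f} bits; {years_to_exhaust(strong, 1e10):.3g} years at 1e10 guesses/s")
    print(assign_passphrases(["alice", "bob"]))
```

Six words from a 7776-word list give about 77.5 bits, which at 10^10 guesses per second takes on the order of 10^5 years to exhaust, comfortably beyond a five-year rotation; six words from the 16-word list above give only 24 bits and fail the same check, which is why the list size matters more than the word count.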

 
Evidence
The cost of security increases each year by ever larger amounts and shows no sign of flattening out.   One day the cost of security could become so great that the cost effectiveness of application services becomes limited.
Legal obligations to conform with ever more expensive security auditing have driven up the cost of applications and are likely to remain a critical cost factor into the future.   No matter how well an application is built, its external audit requirements continue to increase in cost.   An average application with 1000 functions will take at least 5 days of external penetration testing and 10 days of internal penetration testing at more than 1000 GBP per day.

Risk Management
Continual monitoring has proved to be a very effective means of preventing criminal attacks from becoming breaches.
The ASP ranks attacks into those that are just kids trying silly scripts against the external interface and those that are professional, persistent attacks that could cause damage or discover a vulnerability.   The routine security cost of running web services is that kids will try clever script tricks that may be good enough to hack into cheap CIA sites, but are not professional enough to pose any true threat to the ASP web services.   The growing security cost is making sure that NSA-quality state-sponsored espionage is always thwarted, and that means many layers of security, so that if one layer is breached the other layers continue to provide protection while the attacker is blacklisted.

Phishing Attacks
Email is the easy way to attack most corporate servers: some user in some department will eventually click a link that downloads malware.   Corporate users may not have been trained well enough, or may not understand, how one click on an email link can enable a criminal to copy the corporation's entire data store.   The ASP does not suffer from such phishing attacks because no email server is connected to the same network as any application web server.
Every email must be stored in the cloud and never downloaded to any computing device; this simple rule eliminates 90% of all email phishing threats.   A corporation using Gmail is not exposed to an email-borne malware attack reaching its corporate intellectual property, although credential phishing remains possible, which is why sign-in demands far more than a pass phrase.

Data Theft
The number one threat to the ASP web services is insider data theft.   This is driven by two distinct motivations: (1) the insider is a criminal who can gain from selling the data they steal, or (2) the insider is attacked by a criminal who threatens their family if certain data is not stolen.   Each Owner has a duty of care to protect its users from criminal attacks on their family intended to steal data and intellectual property.
The insider criminal threat is addressed by continual monitoring of normal and unusual behaviour.   Anything that could be said to be a criminal data theft is instantly stopped and the user account blacklisted to prevent further attacks.   Report downloads have been eliminated and replaced with report drill-down to detailed records for further processing; reports have no reason to be downloaded, so that route for data theft is closed.
The user attacked by a criminal who threatens the user's family if certain data is not stolen is managed in a very simple way.   The user should simply give up their sign-in credentials to the criminal and report the incident to the police and their company as soon as possible.   It is very likely that a criminal holding the user's sign-in credentials will not be permitted to sign in, because authentication demands a lot more than a pass phrase.   If the criminal does get signed in, navigation to valuable information is restricted and continually monitored.   Behaviour such as continually retrieving massive amounts of data will be stopped and the user account blacklisted.
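The continual monitoring described under Risk Analysis (5) and in the two Data Theft paragraphs above, as one added example that serves both passages; it is not the ASP's own monitoring code. It runs over a constructed audit trail and flags three of the behaviours the text names: SQL injection in a request parameter, URL manipulation in the form of path traversal, and bulk retrieval of records through drill-down. The log format, the detection patterns and the threshold of 5000 rows within 5 minutes are assumptions.

```python
"""Audit-trail monitoring that flags SQL injection, path traversal and bulk retrieval.

Added example, not the ASP's own monitoring: the log format, the patterns and the
5000-rows-in-5-minutes threshold are assumptions; the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Constructed audit trail (assumed format): time, user, method, request, rows returned.
SAMPLE_LOG = "\n".join(
    ["2024-03-01T09:00:01Z alice GET /report?id=17 rows=40",
     "2024-03-01T09:00:15Z alice GET /report?id=17&page=2 rows=40",
     # bob tampers with the id parameter: id=17' OR '1'='1, URL-encoded as a browser sends it
     "2024-03-01T09:01:02Z bob GET /report?id=17%27%20OR%20%271%27%3D%271 rows=0"]
    # carol drills down through 12 records of 500 rows each within a few seconds
    + [f"2024-03-01T09:02:{i:02d}Z carol GET /record?id={1000 + i} rows=500" for i in range(12)]
    + ["2024-03-01T09:03:00Z dave GET /files/..%2F..%2Fetc%2Fpasswd rows=0"]
)

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) rows=(\d+)$")
INJECTION = re.compile(r"(?i)('\s*(or|and)\s*'?\d|\bunion\s+select\b|--\s*$|;\s*drop\b|/\*)")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def parse(line):
    """Return (timestamp, user, method, decoded url, rows) or None for an unparseable line."""
    m = LINE.match(line)
    if not m:
        return None
    ts, user, method, url, rows = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, unquote(url), int(rows)


def analyse(log_text, window=timedelta(minutes=5), row_limit=5000):
    """Return {user: [reasons]} for every user whose account should be blacklisted."""
    flagged = defaultdict(list)
    history = defaultdict(deque)     # per-user (timestamp, rows) within the sliding window
    bulk_done = set()                # report the bulk condition once per user
    minutes = int(window.total_seconds() // 60)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, _method, url, rows = rec
        if INJECTION.search(url):
            flagged[user].append(f"sql injection: {url}")
        if TRAVERSAL.search(urlsplit(url).path):
            flagged[user].append(f"path traversal: {url}")
        q = history[user]
        q.append((ts, rows))
        while ts - q[0][0] > window:          # drop entries older than the window
            q.popleft()
        total = sum(r for _, r in q)
        if total > row_limit and user not in bulk_done:
            bulk_done.add(user)
            flagged[user].append(f"bulk retrieval: {total} rows within {minutes} min")
    return dict(flagged)


def blacklist(log_text):
    """The accounts to block: the keys of analyse(), in first-flagged order."""
    return list(analyse(log_text))


if __name__ == "__main__":
    for user, reasons in analyse(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

Requests are decoded before matching, since the tampered parameter arrives percent-encoded; alice's ordinary paging is not flagged, carol trips the row threshold on her eleventh drill-down rather than on any single request, and the sliding window means a user who retrieves the same total slowly over a working day is not flagged by this rule.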