SECURITY MATTERS The corporate newsletter from Boxing Orange
Boxing Orange Working with business to maximise IT security budgets.
www.boxingorange.com in association with Webscreen
SPRING / SUMMER 2009
Boxing Orange WELCOME
SECURITY MATTERS SPRING / SUMMER 2009
In this issue: Welcome
2
News Round-up
3
Customer Focus - Nisa-Today's
4
Ask the Expert Boxing Orange SIEM Services
5 6/7
Government and Public Sector Focus 8 Customer Viewpoint - Cefas
9
Partner Focus
10
Staying Secure
11
BOXING ORANGE LTD 5 Beaconsfield Court, Garforth, Leeds LS25 1QH UK T: 0113 232 2330 F: 0113 287 0124 E: info@boxingorange.com W: www.boxingorange.com
Printed on 9 Lives 80 FSC certified coated paper from responsibly managed forests with an 80% recycled fibre content.
2
Hello and welcome to the If this is something you are currently Spring issue of Boxing Orange’s looking at, Stuart would be happy to newsletter, Security Matters. discuss the best way of implementing NAC to meet your own These are challenging times and specific requirements. belt-tightening is the order of the day It may be an obvious comment but for many businesses. But with cyber- clearly we are very thankful to all our crime predicted to increase due to customers for their continued the downturn, companies cannot business, many of whom we have afford to risk compromising their worked with since the company was corporate security particularly as launched – a clear testament to our new regulations and compliance team. It is a privilege and pleasure to requirements are putting added play a critical role for so many leading pressure on their systems. industry names. With this very much in mind we have made cost savings and RoI the overriding theme for this issue and I am delighted to take this opportunity to announce our exciting upgraded SIEM service which will form the core of our security service offering going forward. Developed after extensive world-wide research and feedback from our customers, the ondemand service offers immediately measurable cost benefits as well as enhanced security particularly for businesses with complex network security systems to monitor. Together with our accredited security consultancy services, such as PCI certification and penetration testing, and strong partnerships with the leading security vendors, we believe that this development will put Boxing Orange clearly ahead of the pack of security service providers in the UK. Our regular “Ask the Expert” feature puts the spotlight once again on one of our resident security solutions specialists. This time Stuart Williamson takes an in-depth look at Network Access Control, offering practical advice drawn from actual customer experiences.
Last, but by no means least, due to our increasing portfolio of government projects, we have also included a special section that focuses on the security needs of the public sector, which we plan to make a regular feature of future issues. This time we take a look at the security implications associated with the use of the Government Connect network, which is now the standard communication system for all government departments and local authorities. I hope that you find Security Matters an informative and interesting read and I look forward to hearing any comments or ideas you may have for future issues via our feedback form on our web site.
Regards Jarrod Potter Managing Director Boxing Orange
0113 232 2330 info@boxingorange.com
New business wins Boxing Orange’s customers cover the full range of commercial and public sector organisations including Top 1000 international businesses. Understandably, given the nature of what we do for them, most prefer to remain anonymous but here are a few examples of the type and scale of projects undertaken by Boxing Orange during the past year… SIEM deployments for: A major UK central Government department A large financial institution PCI compliance projects for: An international retailer A leading car manufacturer A petrochemical company Cisco NAC deployment for: A major gaming company A managed Tripwire deployment for: A central Government department
New to Boxing Orange Boxing Orange is proud of the close working relationships with world leading security technology vendors that have been built up over the past 8 years and we are continually reviewing the emerging technology scene to ensure we can offer best of breed products in our portfolio. Recent additions to Boxing Orange’s product partner list include –
An enterprise class technology designed to pro-actively maintain optimum security standards across the entire network infrastructure
The world’s leading intrusion detection and prevention system
Innovative, world-class mobile memory devices
Cisco IronPort
An anti-Phishing solution for: Another financial institution
Cisco IronPort email security defence solutions include anti-spam as well as virus and phishing protection
Thanks for the business… you know who you are.
For more information on any of these or our full range of security products call 0113 232 2330
New faces at Boxing Orange Boxing Orange continues to grow despite the challenging times and is delighted to welcome more new faces to the team to support our aggressive sales and marketing plans for 2009. We are continually on the look out for experienced and enthusiastic people to help take the business forward and are particularly keen to hear from individuals with specialist security project management skills as well as enterprise and government sales experience. If you feel you fit the bill send us your CV to careers@boxingorange.com STRICTLY NO AGENCIES
BOXING ORANGE / SECURITY MATTERS www.boxingorange.com
3
C U ST O M ER FO CU S
Nisa-Today’s, the UK’s largest buying and distribution service for convenience store groups as well as independent retailers and wholesalers, is an organisation owned by its members with the principal objective being to use its combined buying power to secure the best prices on branded and own brand products and provide a highly efficient nationwide supply chain and logistics operation.
Today’s members. Using a standard PC and broadband connection to Boxing Orange’s secure data centre, the VPN provides a secure tunnel through which data is transmitted between the member’s EPoS systems and Nisa-Today’s central order processing servers.
access, managed security services including best of breed content filtering and DDoS protection, the whole package provides a safe and productive web environment to underpin the members’ business operations.” David Morris, Nisa-Today’s Head of IT
In addition to the VPN service the system includes a secure high speed connection for general internet access. For members with multiple locations there is also the option to utilise the VPN service to maintain secure inter-store communication, stock management, central ordering as well as credit card transaction processing.
Through its membership Nisa–Today’s represents over 5,000 retail stores and around 270 wholesale depots covering the whole of the UK. The combined turnover of the group positions the company as one of Europe's largest independent buying groups providing the negotiating ‘muscle’ that ensures the widest range of quality products “The fact that NT Net can be at competitive checkout prices for customers and at the same time creating a accessed without significant investment in new hardware level playing field for its members. or software was a big factor The Boxing Orange solution, NT Net, uses a in adopting the Boxing Orange solution. With the additional dedicated Virtual Private Network (VPN) benefits of high-speed internet based service created exclusively for Nisa-
Boxing Orange Threat Watch THREAT WATCH
An overview of all the latest vendor and analyst reports into the security threat environment reveals an overwhelming consensus view that security is still a growing problem for network managers particularly as attacks are increasingly being driven for financial gain rather than hacker peer group kudos.
During 2008 there have been continual reports in the media of the proliferation of malicious botnets. As yet to be fully unleashed, many industry watchers are predicting a massive increase in coordinated attacks in 2009 with identity theft and denial of service top of the list of the major concerns.
According to independent web security industry watcher cgisecurity.com, with the exception of vulnerability exploits, all the major threat categories are set to at least continue at the same rate or increase in the next 12 months.
Threat Predictions for 2009* • Malicious Insiders - Rising Threat • Malware - Steady Threat • Exploited Vulnerabilities - Weakening Threat • Social Engineering - Rising Threat • Careless Employees - Rising Threat • Reduced Budgets - Rising Threat • Remote Workers - Steady Threat • Unstable Third Party Providers - Strong Rising Threat • Downloaded Software Including Open Source & P2P Files - Steady Threat *Source: http://www.cgisecurity.com/about.html
4
0113 232 2330 info@boxingorange.com
Network Access Control ASK THE EXPERT
Network Access Control (NAC) has recently joined the growing list of TLAs (three letter acronyms) that abound in the security sector, but what does it actually mean and is it something that you need to consider for your organisation? Stuart Williamson, Service Architect at Boxing Orange provides some answers to the questions we frequently hear from our customers…
What exactly is NAC? Network Access Control as defined by Forrester Research is a “mix of hardware and software technology that dynamically controls client system access to networks based on their compliance with policy." Put more simply this means that deploying technology such as Cisco's NAC provides a highly secure and extremely cost-effective method of attaining and more importantly maintaining secure access to the corporate network. Whether via the corporate LAN wired/wireless, public internet VPN or third party networks, NAC can control access and help police the clients that connect to the network. NAC can automatically place clients into a quarantine or remediation network where they can update their key security resources such as firewall, anti-virus or encryption software. Once the client is up to date and in line with a security baseline they can access the network. A NAC solution provides network and security professionals with an effective prevention rather than expensive and time consuming cure. What benefits would my organisation realise by deploying a NAC solution? • Prevent unauthorised network access • Secure corporate and non-corporate assets • Reduce vulnerability-based exploits by quarantining devices before they access the network • Help ensure corporate policy compliance • Minimise inside threats – both intentional and non-intentional
How does NAC work in practice? NAC products scan computers and other devices before they get on the network to determine whether they possess a security posture in line with corporate policy. For example NAC will look at: • Is virus-scanning software up-to-date? • Is the operating system patched to the desired level? • Is a personal firewall in use? • Are the devices’ registry settings correct? The NAC process requires a policy engine capable of matching scan results to policies to see if the device is qualified to gain access. The network must contain devices such as switches, routers, firewalls and servers that can enforce the policy engine's decision and take the relevant actions. These actions can be multi-level: • To block access to non-compliant devices • To restrict access to certain resources e.g. provide internet access only • To allow access to an isolated network segment, sometimes referred to as a remediation network, where security functions can be brought up-to-date to match the current policy.
How does NAC work with IP devices that do not have an operating system? Devices such as printers and IP phones have limited functionality when compared to PC devices and as such, standard PC NAC policies cannot be applied. NAC copes with these devices by allowing the use of ‘white lists’ policies. These lists are based on unique device attributes such as MAC addresses to allow a NAC policy to be implemented. Can other types of security products play a role in a NAC environment? Most definitely yes, as an example, antivirus/antispyware software can play a major role in Cisco's NAC environment by delivering status information to Cisco's Trust Agent. The agent gathers data from the client’s software and other software on desktops and laptops to develop a profile of the computers trying to access the network. Many vendors are supported by Cisco’s NAC products.
Stuart Williamson Service Architect Boxing Orange Tel: 0203 056 4002
What security functions are included in the NAC environment? • Authentication • Endpoint scans • Policy compliance checks • Policy creation • Enforcement • Management
BOXING ORANGE / SECURITY MATTERS www.boxingorange.com
5
SECURITY MATTERS
Maximising Security Technology Investments ISO a d Stan rds & Policy
Boxing Orange SIEM Services I PC S DS eb W ring lte
E co ma nt il a en n tf d 300 i + pro Ve du nd ct o s
VI RV CES IC ES
Ch e CR c k ES T Email encryption
bility Scaslailience Re PS HI
GIA24/7/ C A 36 n aly5 st
on ati r t ne ing Pe Test
ry & ce lato lian gu mp Re al co leg
• Reduces management overhead
• Make better informed tactical and strategic security decisions • Demonstrate compliance with industry or government regulations
GE R • Prioritise security incidents E RY D S SECURITY E S & L PRO A For more information on our full range of security FESSION products call 0113 232 2330 or 0203 056 4002, S DDo
d Frau evention /Pr tion tec De
NA C
VM
Forensics
BCP
• Leverages over 50 man-years of security expertise
• No costly client software to purchase and maintain Risk m & m anage o m d e llin ent g
IPS /I D S
S IE M
Firewall
0113 232 2330
• 24/7 access to expert security consultancy
AN
www.boxingorange.com
• Provides an instant “snap-shot” view of the corporate security posture
WL
Customers also have 24/7 access to Boxing Orange’s team of certified security experts, providing an additional layer of consultancy and advice on the appropriate action to take, removing the need to maintain a costly in-house security resource.
n e Re tw alor t k
Fraud detection & prevention
The service can be tailored to the exact needs of the organisation, providing a platform to support, monitor and control regulatory compliance standards such as PCI, MiFID and ISO 177799.
• Advanced correlation and analysis of multipleappliances
SIE M
anagement Risk M licy Po
r
NA MA SO VI AD
Using advanced correlation and analysis techniques the system provides real-time event reporting and incident alerting, based on data from any of over 300 different vendor solutions in the network, alerting the appropriate person in the organisation to enable timely remediative action to be carried out.
• Secure client dashboard
Data Leakage Prevention
e sis im naly a
The Boxing Orange Security Incident and Event Management (SIEM) service has been designed to provide a cost-effective solution maintaining maximum security posture whilst remaining compliant. The service has evolved over the last 8 years and draws on experience gained from monitoring millions of security events for 100’s of clients, constantly updated with new intelligence gained from managing thousands of complex devices and networks.
CLA S
rit y w cu vie Se t/Re di Au
Although network firewalls, IPS and DDoS mitigation technologies provide some protection for businesses, networks have become more complex and cyber attacks are constantly evolving to find ways of circumventing these established defence systems. Monitoring and managing this array of point security solutions has now become a significant element of the network management budget for many organisations, particularly in terms of consolidating and interpreting the masses of information each appliance can produce on a daily basis.
Boxing Orange SIEM Features
PCI/ ASV
email info@boxingorange.com or visit www.boxingorange.com
6
0113 232 2330 info@boxingorange.com
BOXING ORANGE / SECURITY MATTERS www.boxingorange.com
7
SP E C IA L F EA T UR E
Government and Public Sector Focus
With high-profile cases of data leakage frequently hitting the headlines, network security is very much a hot topic for the public sector. The development of initiatives such as the Government Connect programme is a clear signal that this is being taken seriously. Providing a pan-government, accredited and secure network between central government and every local authority in England and Wales, it is high on the agenda of most public sector IT professionals. Although the network, known as GCSx (Government Connect Secure Extranet) is not yet mandatory, most of the major government departments have given it preferred status as the secure method for transfer of data between themselves and UK local authorities. In April this year they will also begin the phase out of alternative transfer media such as the internet and postal services, making normal operations very difficult for any local authority that does not meet the Government Connect security criteria.
To access the GCSx network, local authorities and government departments must be compliant with the Code of Connection (CoCo) which covers a list of security controls that must be in place before their GCSx circuit can be activated. Through its comprehensive range of professional security services and status as a PCI ASV, Boxing Orange provides public sector organisations a one stop shop for all their security requirements from initial consultancy through to design, installation, management and technical support services to meet many of the critical requirements included in the CoCo standard.
To access the GCSx network local authorities and government departments must be compliant with the Code of Connection (CoCo) which covers a list of security controls that must be in place before their GCSx circuit can be activated.
Boxing Orange has extensive experience in the public sector gained through the provision of managed security services for several government departments and public sector organisations including Cefas and the Human Tissue Authority.
For further information, contact us on 0113 232 2330 or 0203 056 4002
8
0113 232 2330 info@boxingorange.com
CUSTOMER VIEWPOINT - Cefas Richard Page is responsible for managing the IT infrastructure that supports Cefas’s team of 550 environmental scientists and administrative staff located across its 2 main laboratories and a number of smaller offices across the UK. An important government research organisation, Cefas plays a significant role in helping to manage and preserve the UK’s and the world’s diverse aquacultural environment. Q. What were your main requirements when designing your network infrastructure?
Q. What measures have you implemented to help protect sensitive data on the network?
A. The main driver for redesigning the network was to increase the throughput to our specialist laboratories at Weymouth and Burnham-on-Crouch, while off-loading the internet browsing traffic to local ADSL links, which would also offer us resilient links from the specialist laboratories to the main Lowestoft laboratory, which was planned to have a resilient infrastructure to the internet, consisting of dual links, switches and firewalls.
A. The main IT security measures being taken are the installation of Check Point’s Pointsec full disk and removable media encryption utilising the FIPS 140 encryption keys. We have also upgraded from Symantec’s AV product to the Symantec Endpoint security product. This will enable us to lock down peripheral devices being attached to Cefas PCs.
Q. Why did you choose an MPLS network architecture?
Q. How much has the Boxing Orange relationship helped in ensuring the optimal performance of the network?
A. We have a very good relationship with the account managers, project managers A. We were running a WAN based on and engineers at Boxing Orange, almost a internet VPNs, which were cost effective partnership. Without this type of but had the downside of not being able to relationship our infrastructure would not be offer a fast round time trip, especially for operating to its optimal performance. Weymouth, which is the more distant site, Boxing Orange advises us on both network approx 68ms round trip for a ping. connectivity and security systems. We in The MPLS offered us a faster guaranteed turn have to evaluate this advice and round time trip, approx 40ms. discuss with the team at Boxing Orange on Q. Have you had many issues since whether it is fully appropriate for our needs the network went live? and act within our budget limitations. The Boxing Orange team are always helpful A. We had bandwidth problems, the 1Mbs with further advice and assistance on how links to the labs were being fully utilised we can achieve our goals. and slowing some mission critical applications. With advice from Boxing Q. What plans have you got for future Orange we installed PacketShapers to development of the network? prioritise the critical applications and time A. We are currently upgrading the critical user interactive applications over Weymouth link to 2Mbs. As we have closed non-critical and non-user interactive the Burnham-on-Crouch lab we now have applications (e.g. domain replication, the spare capacity on the Lowestoft link. SMTP traffic between Exchange servers). We are also investigating using a second We also installed the acceleration and MPLS link at both Lowestoft and compression utilities, which in effect gives Weymouth for replication of our RDMS us more bandwidth. which is currently under development.
GOVERNMENT CASE STUDIES
Cefas, the Centre for Environment, Fisheries and Aquaculture Sciences, is an internationally renowned aquatic scientific research and consultancy centre. It aims to be the prime source of high quality science used to conserve and enhance the aquatic environment. It has a huge range of resources and expertise, with more than 500 staff based in 4 UK laboratories including its own ocean-going research vessel. Boxing Orange has been managing the Cefas MPLS network since 2006 and is continuing to work with Boxing Orange to add new security technology to enhance its network infrastructure.
The Human Tissue Authority, HTA, is the UK government funded organisation responsible for regulating the removal, storage, use and disposal of human bodies, organs and tissue for research, transplantation, education and training set up under the Human Tissue Act and is also responsible for approving donation of solid organs and bone marrow from living donors. Boxing Orange was contracted to carry out a redesign of the corporate IT infrastructure including conducting a detailed security audit prior to the installation and management of HTA’s communication network.
For further information, contact us on 0113 232 2330 or 0203 056 4002
BOXING ORANGE / SECURITY MATTERS www.boxingorange.com
9
PARTNER FOCUS
Webscreen Technology Boxing Orange Extends Range of DDoS Services In response to customer feedback, Boxing Orange has recently added Webscreen based DDoS mitigation to its range of fully managed security services supported by the Security Operations Centre. Offering a full monitoring and management service for critical, high DDoS-risk web sites, Boxing Orange is able to provide round the clock manual back-up services for Webscreen deployments, ensuring availability for customers during key trading periods.
Online retailers and gaming companies are often targeted during their traditional peak periods when they could potentially lose £millions in lost revenue if they are taken off line.
Boxing Orange’s firewall and IPS expert Ray Stone has just completed putting Sourcefire’s powerful range of awardwinning security appliances through its paces prior to being included in the company’s best of breed product portfolio. “The Sourcefire Defense Center™ is a powerful, yet easy-to-use centralised management console that correlates threats against network and vulnerability intelligence. It provides a centralised command and control of Sourcefire 3D® Sensors, including event aggregation and 3D Sensor policy administration. With an extensive range of sensor modules, the appliance offers a reliable, high performance security platform suitable for the full range of enterpriseclass network environments.” Sourcefire 3D® Sensors are faulttolerant, purpose-built appliances available with throughputs from 5Mbps up to 10Gbps. 3D Sensors passively aggregate network and user intelligence while defending the network against internal and external threats. Each 3D Sensor is capable of running Sourcefire IPS™, RNA, RUA, and NetFlow Analysis modules.
10
A DDoS managed service from Boxing Orange can add an extra layer of security and peace of mind at these critical times.
For further information, call us now: 0113 232 2330
In the few months since its introduction into Boxing Orange’s security armoury, Tripwire has proved highly popular amongst the customer base with the first deployments now complete. The most recent Tripwire installation was part of a major Government department upgrade. Tripwire specialist, Richard Ackroyd said: “We have been extremely impressed with the Tripwire product and we are very happy to offer this within our managed services.” Tripwire is industry recognised for its enterprise-level configuration control software. Its leading product, Tripwire Enterprise, is the first to combine configuration assessment with configuration change auditing in a single solution. Tripwire Enterprise helps IT ensure the organisation not only achieves and maintains configurations in an operationally optimised, compliant and secure state but also helps them prove it.
For further information, email info@boxingorange.com
0113 232 2330 info@boxingorange.com
SECURIT Y MATTERS
Staying secure despite the recession Many of the companies we speak to tell us that they are being squeezed from all sides at the moment; increased regulatory pressures mean that businesses need to do more to protect data held on their systems; new and more sophisticated cyber attacks are testing the capabilities of network security infrastructures to the limit and financial pressures are restricting budgets for investment in new technologies – who would want to be a network security manager in a recession? The reality is that businesses cannot afford to wait for the upturn and many are now seeing the advantages of outsourcing the core services needed to ensure that their network security meets the requirements of their businesses, as an answer to their problems. Outsourcing security services to a company
CHARITY
like Boxing Orange brings immediate benefits, particularly in terms of the day to day management and maintenance of the complex array of different technologies companies need. Our team of highly qualified and experienced security experts are on hand 24/7 to handle issues as and when they arise for a fraction of the cost of maintaining an equivalent in-house resource. Market analysts are forecasting that the global market for cloud-based security services will see double digit growth over the next 3 to 5 years reaching over £2billion by 2012. With the addition of our enhanced SIEM solution to our already established managed services and professional consultancy capabilities, at Boxing Orange we are ready to service this demand and can offer the full range of support to enable customers to stay secure
Phil Ineson - Sales Director
through the current recession and beyond. Call 0113 232 2330 to speak to one of our security consultants for more information on our range of services.
Boxing Orange Take to the Skies for Charity The Boxing Orange team have been testing their nerve to help raise much needed funds for the company’s adopted charity, Martin House Children’s Hospice. Braving strong winds and the urge to run in the opposite direction, 20 members of the Boxing Orange staff agreed to strap themselves to another human being they had only just met and throw themselves out of a plane from 15,000ft in the air…raising £3000 in the process.
Martin House, based in Boston Spa near Wetherby, provides specialist care for children and young people with life-limiting illnesses and is Boxing Orange’s preferred local charity. Boxing Orange’s staff raise money on an ongoing basis and are always willing to try new activities to help boost funds.
www.martinhouse.org.uk
BOXING ORANGE / SECURITY MATTERS www.boxingorange.com
11
Friday Webcast When: Last Friday of every month What: 30 minute Webcast on a topical security issue
Up and Coming Webcasts • PCI DSS 1.2 – Getting on the path to compliance • Security on Demand – SIEM as a Service • Managing Third Party Risk and Compliance For details of these and Boxing Orange’s regional seminar programme register for our regular email updates at www.boxingorange.com/webinars