Articles about security – will be highlighted on the security page.

More uptime availability and performance success for Safe4

During January 2015 Safe4 maintained 100% availability of the service except for a short period when our hosting partner applied a critical security patch to the infrastructure. Since we take the security of our customers’ information very seriously it was felt that applying this patch was essential. The downtime was scheduled for overnight at a weekend, so it is hoped that it did not impact any of our users. Please accept our apologies if you were unable to access the service during this time.

Availability

We hope you are pleased with the performance you are seeing when using the system. In order to help target improvements Safe4 tracks the time taken to display pages in the system. Since there are a number of factors that can cause performance problems we have implemented an approach which measures the time it takes for you to be able to use a page. This is the most realistic measure we can find.

When developing Safe4 the team treat any page that takes longer than 2 seconds to load as a defect. This is our performance target.

We are pleased to advise that during January the average (median) page load time experienced was 0.89 seconds. This is well under our target so it is hoped that we are meeting your performance expectations.

Performance

If we examine individual geographies we can see the impact of the internet on the performance.

  • Performance in the UK, where our data centre is based, is averaging out at 0.78 seconds.
  • Performance in South Africa is averaging out at 1.5 seconds; despite the extra network connections involved we are pleased to be getting great performance here.
  • The slowest average performance, at 1.6 seconds, is for users in the United States, where increased network delays appear to be adversely affecting performance.

Safe4 will continue to monitor performance and availability of the service to ensure that we meet the demands of your businesses. Look out for updates to these charts in the coming months.

Safe4 achieves Cyber Essentials accreditation


The Cyber Essentials accreditation scheme was implemented by the UK Government to establish criteria for the management of information in order to prevent intrusion from external attackers. Accredited organisations are entitled to display the Cyber Essentials logo, which confirms that they have met the standards required.

Safe4 have received this accreditation, and we are now able to display the Cyber Essentials badge on our website and our secure cloud service.

This is part of an ongoing process to ensure that Safe4 remains one of the most secure sites on the internet. It is accompanied by annual penetration testing, performed by licensed external laboratories, and constant surveillance of the ever-growing range of internet security threats.

The objective is to ensure that Safe4 customers’ data is protected to the highest standards available, and that our user community in the legal, financial, insurance, health and government sectors can trust their confidential information to Safe4.

For further information, please refer to the Contact page on our website. We would appreciate an opportunity to speak with you.

Safe4 Information Management Limited

February 2015

UK Legal Profession warned of the importance of information security

A number of sources have recently published some salutary information on the need for improved security among the UK’s professional practitioner community. Digital Law have highlighted this in a fairly damning article, which can be viewed by clicking here. The UK Information Commissioner’s Office has pointed out the need for solicitors and barristers to take greater note of poor security standards, and to draw attention to these when possible. At present more than 50% of UK law firms use open email services to transfer confidential information.

Whilst not everyone will regard US whistle-blower Edward Snowden as their favourite source of advice on security matters, his recent comments on data security, and in particular the use of Dropbox, make interesting reading. A number of leading UK security specialists have strongly supported his views. His comments can be viewed by clicking here.

By providing a highly secure document delivery and storage service, Safe4 overcomes all of these concerns. Using UK-hosted data centres accredited to ISO-27001, Safe4 is among the most secure services on the internet according to independent testing laboratories. Annual penetration testing under the auspices of GCHQ through the UK Government’s IT CHECK scheme also helps to ensure that confidential information is managed using the highest standards possible.

If you would like more information on how Safe4 can assist your firm, please use the Contact Us link on this website.

Safe4 keeps POODLES at bay

You may have seen in the press this week that Google have discovered another vulnerability – POODLE – that could enable a hacker to access information from a secure (https) web connection. The vulnerability only applies to an old version (SSLv3) of the protocol used to secure the communication between a user’s browser and the web site. The reality is that in the overwhelming majority of cases (>98%!) communication between the browser and web site uses a newer version of the communication protocol (TLS) which is not affected.

Your information is only vulnerable if the web site you access supports SSLv3, AND if the browser can be convinced (using a malicious web site or virus) to use SSLv3 instead of the new TLS protocols AND if the hacker has network level access to the communication channel between the browser and web site. It is therefore somewhat challenging (but not impossible) to exploit and Safe4 consider it to be a relatively low risk in respect of typical business information.

What has Safe4 done to protect your information?

You will be aware that in April this year, following the Heartbleed announcement, Safe4 undertook a comprehensive review of the security protocols used and the configurations of the web servers. Although Safe4 was never vulnerable to Heartbleed we did make some changes to our security configurations earning Safe4 an A+ rating on independent tests. The changes we made in April included disabling the SSLv3 protocol which was not being used by any of our clients. Safe4 is therefore not vulnerable to the POODLE vulnerability.
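As an added illustration (not Safe4’s own code or server configuration), the following Python models what “disabling SSLv3” means at the protocol level on the server side: the server reads the ClientHello, refuses any handshake whose version is below its configured minimum, and also honours the TLS_FALLBACK_SCSV signal from RFC 7507, which browsers include when they retry at a lower version and which lets a server reject the forced downgrade described above. The ClientHello bytes are constructed inline for the example; the record layout follows RFC 5246, and the minimum and maximum versions are assumed values, not Safe4’s published settings.

```python
import struct

# Protocol version numbers as carried on the wire (major, minor).
SSLV3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
VERSION_NAMES = {SSLV3: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value defined in RFC 7507


def build_client_hello(version, cipher_suites):
    """Build a minimal ClientHello record (constructed test input, not captured traffic)."""
    body = struct.pack("!BB", *version)               # client_version
    body += b"\x00" * 32                              # random: zeroed for the example
    body += b"\x00"                                   # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites   # cipher_suites vector
    body += b"\x01\x00"                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, cipher_suite_list); raise ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or rec_len < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 34
    pos += 1 + body[pos]                                # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated cipher_suites length")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + suites_len]
    if len(raw) != suites_len or suites_len % 2:
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    return version, suites


def server_decision(record, min_version=TLS10, max_version=TLS12):
    """Policy of a server with SSLv3 disabled (assumed bounds). Returns (accept, reason)."""
    try:
        version, suites = parse_client_hello(record)
    except ValueError as err:
        return False, f"decode_error: {err}"
    if version < min_version:
        name = VERSION_NAMES.get(version, str(version))
        return False, f"protocol_version: {name} is disabled on this server"
    if TLS_FALLBACK_SCSV in suites and version < max_version:
        # The client is retrying below its own best version; a genuine client only
        # does that after a failed attempt, so treat it as a downgrade (RFC 7507).
        return False, "inappropriate_fallback: downgraded ClientHello rejected"
    negotiated = min(version, max_version)
    return True, f"negotiate {VERSION_NAMES[negotiated]}"


if __name__ == "__main__":
    aes128_sha = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA, a suite widely offered in 2014
    for label, hello in [
        ("SSLv3 client", build_client_hello(SSLV3, [aes128_sha])),
        ("TLS 1.2 client", build_client_hello(TLS12, [aes128_sha])),
        ("TLS 1.0 retry with SCSV", build_client_hello(TLS10, [aes128_sha, TLS_FALLBACK_SCSV])),
    ]:
        print(label, server_decision(hello))
```

The first check is the one that makes a site immune to POODLE regardless of the client: an SSLv3 ClientHello never reaches the cipher negotiation. The second check matters for sites that still offer older TLS versions, because it stops a browser that was pushed into a retry from silently settling for less than it supports.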

What can you do to protect your information?

Safe4 expect that over the coming months many other websites will follow our lead and disable support for SSLv3 – however you can also protect yourself by disabling SSLv3 in the browser. It is suggested that you speak to your network managers about how to do this – Safe4 can provide advice if required.

Finally

Remember that the majority of information exploits rely on some form of human intervention, e.g. visiting a malicious web site, so your first line of defence needs to remain robust virus protection and effective firewalls and web protection. Safe4 can also provide a 3 hour training session for your staff to gain a better understanding of information security on the web and learn simple approaches that everyone can take to improve their online security both at work and in personal life.

Safe4 will continue to monitor developments and threats to information security and will provide updates as items develop.

Email us at [email protected] or call us on 0845 094 8045 to find out more.

Make your passwords safer with advice from Safe4

The release of personal photographs and videos of celebrities has made headline news around the world this week. Once again the security of cloud storage services has been called into doubt. As the story has unfolded it has become clear that the vulnerability was not a result of a failure of the iCloud security systems. Instead it appears that the breach was the result of social or people engineering.


May flowers … planning security for the future

Having secured your operation against the security issues seen in April and reviewed in my last blog post, how do you assess the robustness of your organization to defend against the ongoing threat environment in May and through the summer?

It is difficult enough for an organisation to determine its exposure to security threats such as those seen in the last couple of months. It is often harder to establish guidelines and policies around the handling of the different types of information flowing through the many channels of your business in a robust and defensible way. A simple risk based approach can be used to develop these policies and ensure that your organisation is protected as much as possible.

The analysis can be done very quickly and simply by a small team.

First, look at the types of information that may have been affected, breaking them down into broad categories, for example:

  • Contracts
  • Plans and Strategies
  • Client confidential information
  • Bidding documents for deal A
  • Marketing information
  • etc.

As in any risk based approach, for each of the above categories you need to consider two dimensions:

  • Likelihood – how likely is it that the information has been compromised? A simple scale of Unlikely/Likely/Very Likely should be considered.
  • Consequence – what are the consequences if the information were to be compromised? You should consider financial and reputational impacts to yourselves and, where appropriate, your clients. A simple scale of Low/Medium/Significant is in most cases sufficient.

If this is plotted as a simple matrix it is possible to assign a risk to each combination of likelihood and consequence, and to devise mitigating actions for those information categories that have a high risk.


For each of the assessed risks it is important to take appropriate mitigating actions, for example as shown below. The mitigating actions are best worked out as a workshop session.

Critically the risk matrix can also be used to categorise your information and decide on its use, storage and techniques for distribution, especially electronic. This can minimize your exposure to future threats and demonstrate to your clients the effectiveness of your information security controls.

Again a simplified example of a set of strategies for information handling could be.

Such a review can be completed in about a day using a small team and can provide invaluable input to dealing proactively with information that may already have been compromised, or to define a future strategy for handling information.
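The matrix, the mitigation shortlist and the handling strategies described above, worked through as a small Python model. This is an added example, not the post’s own matrix or tables (those images are not reproduced on this page): the mapping from a matrix cell to a Low/Medium/High rating and the handling strategy per rating are assumptions chosen for illustration, while the likelihood and consequence scales and the category names are the ones the post gives. The sample assessments are constructed.

```python
# The two scales named in the post, ordered so that a product gives a usable score.
LIKELIHOOD = {"Unlikely": 1, "Likely": 2, "Very Likely": 3}
CONSEQUENCE = {"Low": 1, "Medium": 2, "Significant": 3}

# Assumed handling strategy per rating (hypothetical; the post's own table is not on the page).
HANDLING = {
    "High": "authenticated, permissioned delivery only; no open email; every access audited",
    "Medium": "encrypted transfer and access-controlled storage; recipients reviewed",
    "Low": "normal business channels; keep a record of what was sent and to whom",
}


def risk_rating(likelihood, consequence):
    """Map one matrix cell to a rating. Thresholds are an assumption for this example:
    score 1-2 -> Low, 3-4 -> Medium, 6-9 -> High (products of the two scale values)."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def risk_matrix():
    """The full likelihood x consequence grid as {(likelihood, consequence): rating}."""
    return {(l, c): risk_rating(l, c) for l in LIKELIHOOD for c in CONSEQUENCE}


def assess(categories):
    """categories: iterable of (name, likelihood, consequence).
    Returns one row per category, highest risk first, each with its handling strategy."""
    rows = []
    for name, likelihood, consequence in categories:
        rating = risk_rating(likelihood, consequence)
        rows.append({
            "category": name,
            "likelihood": likelihood,
            "consequence": consequence,
            "score": LIKELIHOOD[likelihood] * CONSEQUENCE[consequence],
            "rating": rating,
            "handling": HANDLING[rating],
        })
    rows.sort(key=lambda r: -r["score"])
    return rows


def mitigation_backlog(rows):
    """Categories that the workshop must devise a mitigating action for (rated High)."""
    return [r["category"] for r in rows if r["rating"] == "High"]


# Constructed sample assessment using the post's example categories.
SAMPLE = [
    ("Contracts", "Likely", "Medium"),
    ("Plans and Strategies", "Unlikely", "Significant"),
    ("Client confidential information", "Likely", "Significant"),
    ("Bidding documents for deal A", "Very Likely", "Significant"),
    ("Marketing information", "Likely", "Low"),
]

if __name__ == "__main__":
    for (l, c), rating in risk_matrix().items():
        print(f"{l:11} x {c:11} -> {rating}")
    print()
    for row in assess(SAMPLE):
        print(f"{row['rating']:6} {row['category']:32} {row['handling']}")
    print("Needs mitigation:", mitigation_backlog(assess(SAMPLE)))
```

The point of keeping the thresholds in one function is that the workshop can argue about them once, then apply the same rule to every category; the handling table is what turns the matrix into a distribution policy that can be shown to clients.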

Having an effective strategy for management of your information is vitally important since two things are certain

  1. Clients want their information quicker and at a location and on a device of their choosing. Cloud based distribution of information is going to remain.
  2. Valuable information will be of interest to other parties and techniques for stealing that information will only increase in sophistication.


Safe4 will continue to provide a top level of security for all confidential documents stored by its customers within their overall security strategy.

I hope this summary has been useful and will enable you to use the March Winds and April Showers of the recent security scares to bring forth a May flowering of a robust security environment for your documents.

Please respond to this blog or contact us at [email protected] with any questions or comments.

New document from the ICO confirms the need to keep browsers updated

Recent well-publicised issues regarding security threats to Internet users have highlighted the problems that arise through the use of out-of-date operating systems and web browsers when accessing Internet-based services. Safe4 have rigorously applied all current security patches to our servers, and consequently we have avoided any of the risks caused by the OpenSSL Heartbleed bug (see the other posts on this blog).

As a result some users of very old technology, typically Windows XP and early versions of Internet Explorer, have been blocked from accessing Safe4. This is because the older security protocols have been the cause of many of the current threats to secure web-based services. As before, our advice to users is to upgrade their operating system and browser and apply all of the security patches supplied by Microsoft, or alternatively to use another browser such as Google Chrome or Mozilla Firefox.

The UK Information Commissioner’s Office has now published further guidance on this issue, with specific reference to data protection. Their document can be read by clicking here.

Safe4 will continue to apply all possible protection measures to safeguard our customers’ information, and will not maintain the use of outdated security protocols to permit access by unsupported browsers or operating systems.

Microsoft patches Internet Explorer Vulnerability

Following the announcement earlier this week that a vulnerability had been found in all versions of Internet Explorer (6, 7, 8, 9, 10 and 11), Microsoft has acted quickly to provide an update. All users of Internet Explorer are strongly encouraged to upgrade at the earliest opportunity.

The upgrade process is simple – just use the Update functionality built into Windows by clicking on “Check for updates” in Windows Update which can be accessed from your Control Panel.

Further details can be found on the Microsoft blog – http://blogs.technet.com/b/microsoft_blog/archive/2014/05/01/updating-internet-explorer-and-driving-security.aspx

In an interesting move Microsoft has also issued an update for users of Windows XP – despite discontinuing support for XP at the beginning of April. Safe4 would however encourage you to upgrade as soon as practical to take advantage of the latest security features and to remain secure against future threats.

If upgrading from Windows XP is impractical for you at the moment, we recommend using a browser other than Internet Explorer, as mentioned in earlier blogs. Google Chrome and Mozilla Firefox are both viable alternatives.


Posted by Alistair Stubbs, Safe4 Information Management Technical Director

Internet Explorer Vulnerability

Following concern about the Heartbleed bug, there has been an additional significant announcement from Microsoft about a security vulnerability in ALL versions of Internet Explorer. See https://technet.microsoft.com/en-US/library/security/2963983 for full details.

This is a pretty major vulnerability as it could enable someone to execute arbitrary code on someone’s PC. It does however require a user to visit a website that has been crafted to exploit this vulnerability. Users of Internet Explorer browsers should be especially vigilant about visiting unknown sites, phishing and following unrecognised links in emails or instant messages.

Both the US and UK governments have provided advice and are recommending that until the problem is resolved you should use an alternative browser, such as Google Chrome or Mozilla Firefox.

Safe4 also encourages our users to find an alternative to Internet Explorer until Microsoft has issued an update.

Please note this is in addition to our recommendation in a recent blog post to upgrade from Microsoft XP.

March winds and April Showers bring forth …

The Spring of 2014 has seen a raft of news about online document security – both good and bad. The year was ushered in by guidance from regulatory bodies and professional organizations including the Solicitors Regulation Authority (SRA) on cloud based document security and the Institute of Chartered Accountants with the ICAEW guide to cyber security in corporate finance.

As if this was a challenge, the barometric pressure around some key security vulnerabilities was building up as Spring started and the March winds began to blow. April came, not just with rain, but with security showers and dire warnings about the need to protect the security of your valuable information. Three significant events caused us all to check that our security raincoats were actually keeping the rain out:

Heartbleed

First the Heartbleed vulnerability hit the headlines. This was possibly one of the most significant security vulnerabilities of recent years with two main characteristics causing it to be a real problem:

  • The vulnerability exposed the encryption keys used to secure information sent between your browser and many websites. Once someone has the encryption keys it is possible to read all of the information exchanged. This could include items such as passwords, credit cards, commercially or legally sensitive documents and other personal information.
  • The nature of the vulnerability also made it impossible for someone to know whether their encryption keys, or other information exchanged, had been intercepted. In light of this everyone who has been operating the vulnerable versions of the software needs to assume they have been compromised.

Unfortunately there was also a shower of poor advice about how to deal with Heartbleed. The most significant misdirection was the advice to immediately update your passwords in the belief this would protect your information – it wouldn’t necessarily. For this reason alone, it is worth reviewing what action was taken and whether it worked.

Did you deal effectively with Heartbleed?

If you are a user of a web site, the main imperative was to check with the provider of the services that you use that they patched the Heartbleed vulnerability before you updated your passwords. If they didn’t then you still may be at risk.

Reputable providers of web services have been very open with the status of their systems, whether they are affected, and what steps they have taken. Look for emails from the providers, or blogs on their websites. For example, we at Safe4 had a strong enough architecture and controls that our users were not at risk and we confirmed this with messages at system log in and with blog information on our website.

If you are uncertain about any of this, it is very easy to check whether the site you use is still vulnerable. Go to the free Qualys SSL Labs online test and put in the site URL. The result will tell you whether Heartbleed is still an issue with the site. Then check directly with the site whether they were “clean” when you last updated your password: if the site was patched before your last password update, then you should be safe. However, as it is good security practice to change your password periodically, you might want to play absolutely safe and update it again anyway.

Windows XP and Internet Explorer 8

There was also a significant date during the month for those people who are still using Windows XP. On the 8th April Microsoft discontinued support for XP.

There may be no obvious immediate implications since the software will continue to run as before. However Microsoft will not be issuing any further security updates to XP. As time goes by, this operating system will become increasingly vulnerable.

Interestingly Windows XP already does not support a number of the modern information security protocols which have been developed to improve security.

Many companies, including Safe4, who have undertaken detailed reviews of their information security strategies, have decided to disable support for older security protocols – which unfortunately cannot be used by Internet Explorer 8 on Windows XP. Disabling support for Internet Explorer on Windows XP has enabled these companies to attain the highest possible ratings for security in independent analysis.

Safe4 therefore strongly recommends that companies and all users of secure online services look to upgrade from Windows XP to Windows 8 as soon as possible. In the meantime, if upgrading XP is not an available alternative, we would suggest using an alternative browser such as Google Chrome which will take advantage of the latest security protocols.

Dropbox and Box weblinks

As April gave way to May, there was emerging news that these two widely used free file sharing services were vulnerable to a web linking loophole exposing files to unauthorized access. The vulnerability, described here by independent security analyst Graham Cluley, laid bare sensitive information including tax returns, mortgage applications and corporate information including a business plan.

The problem appears to be that Dropbox and Box did not always require users accessing a shared link to authenticate themselves.

Safe4 always requires valid authentication from a user and checks that the user has permission to access the particular file linked to. Safe4 Technical Director, Alistair Stubbs, commented “proper user authentication has always been a foundation of the Safe4 architecture, specifically to guard against potential problems such as this.”
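The design point above, that a link identifies a file but never substitutes for authentication and a permission check, as an added Python example. This is not Safe4’s code or data model; it shows the loophole pattern beside a hardened one in which each share token is signed, expires, is bound to a named recipient, and is only honoured for the logged-in user it was issued to, after the file’s access list has been consulted. The signing key, the permission table and the file names are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed sample values, not a real deployment's key or access list.
SIGNING_KEY = b"example-only-signing-key"
PERMISSIONS = {"tax-return-2013.pdf": {"alice@example.com"}}   # file_id -> users allowed

# Loophole pattern: the URL token is the only lookup, so whoever holds the link gets the file.
OPEN_LINKS = {"a1b2c3": "tax-return-2013.pdf"}


def open_link_loophole(token):
    """Anyone presenting the token is served the file; no identity or permission is checked."""
    return OPEN_LINKS.get(token)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_link(file_id, recipient, ttl_seconds, now=None):
    """Create a share token bound to a file, a named recipient and an expiry time."""
    now = time.time() if now is None else now
    claims = {"file": file_id, "to": recipient, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def resolve_link(token, user, now=None):
    """Hardened pattern. Returns (file_id, "ok") only when the token is genuine and unexpired,
    the caller is authenticated as the recipient it was issued to, and that user still holds
    permission on the file; otherwise (None, reason). Every refusal reason is loggable."""
    now = time.time() if now is None else now
    if user is None:
        return None, "unauthenticated"          # send to sign-in first, never serve the file
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None, "malformed"
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None, "bad_signature"
    claims = json.loads(payload)                # only reached for payloads we signed
    if now > claims["exp"]:
        return None, "expired"
    if claims["to"] != user:
        return None, "wrong_user"               # a forwarded or leaked link is useless
    if user not in PERMISSIONS.get(claims["file"], set()):
        return None, "no_permission"            # revoking access also kills old links
    return claims["file"], "ok"


if __name__ == "__main__":
    t0 = 1_400_000_000  # fixed clock for a reproducible demonstration
    link = issue_link("tax-return-2013.pdf", "alice@example.com", 3600, now=t0)
    print("loophole, no login:", open_link_loophole("a1b2c3"))
    print("hardened, no login:", resolve_link(link, None, now=t0 + 60))
    print("hardened, other user:", resolve_link(link, "mallory@example.com", now=t0 + 60))
    print("hardened, recipient:", resolve_link(link, "alice@example.com", now=t0 + 60))
```

The ordering of the checks is deliberate: identity first, then token integrity, then expiry and binding, and finally the live permission lookup, so a link that was valid when issued stops working the moment the file’s access list changes.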

What next for May?

Even a quick review of history will clearly show that wars have been won and lost, or empires fallen due to intercepted information.

We assume that you have used the information above to review the current security of your documents and information. For the future and without being overwhelmed by a further downpour of technical information, how do you handle the commercial implications of staying secure through the summer and beyond?

A simple risk based approach which can provide a framework to help an organisation review its commercial exposure and to take the most appropriate mitigating actions is further explored in another blog post by Safe4 Technical Director Alistair Stubbs.

Safe4 will continue to provide a top level of security for all confidential documents stored by its customers. We hope this summary has been useful and will enable you to use the March Winds and April Showers of the recent security scares to bring forth a May flowering of a robust security environment for your documents.


Posted by: Alistair Stubbs, Safe4 Information Management Technical Director