Reporting cyber security incidents to NCSC
Reporting cyber security incidents helps the New Zealand NCSC (National Cyber Security Center) to develop a threat environment picture for government systems and Critical National Infrastructure (CNI) and assist other agencies who may also be at risk. Cyber security incident reports are also used for developing new policies, procedures, techniques and training measures to help prevent future incidents. The NCSC provides enhanced services to government agencies and critical infrastructure providers to assist them to defend against cyber-borne threats.
Reporting cyber security incidents to NCSC through the appropriate communication channels ensures that appropriate and timely assistance can be provided.
If you are a government organization or Critical National Infrastructure organization and you have encountered or suspect a cyber threat, please contact NCSC and/or download, complete and return an Incident Reporting Form from www.ncsc.govt.nz
Recording cyber security incidents
The purpose of recording cyber security incidents in a register is to identify the nature and frequency so that mitigation actions can be taken.
- The Responsible Entity should ensure that all cyber security incidents are recorded in a register.
- The Responsible Entity should include, at the minimum, the following information in its register:
- The date the cyber security incident was discovered
- The date the cyber security incident occurred
- A description of the cyber security incident and whether it was reported
- The file reference.
The Responsible Entity should use their register as a reference for future security risk assessments.
Outsourcing and cyber security incidents
When a Responsible Entity outsources information technology services and functions, they are still responsible for the reporting of cyber security incidents. The Responsible Entity must ensure that the service provider informs it of all cyber security incidents to allow it to formally report to NCSC and /or where relevant, NZ Police.
Responsible Entities that outsource their information technology services and functions must ensure that the services provider consults with the Responsible Entity when a cyber security incident occurs.
PALO ALTO, CA (February 14, 2017). Osprey Security, the Big Data driven cyber security and threat intelligence company, won the award as the Best Cybersecurity Company in this year’s Cybersecurity Excellence Awards. The annual Cybersecurity Excellence Awards are the most prestigious awards across the Cybersecurity industry that honor and recognize the world’s best products and organizations that demonstrate innovation, excellence and leadership in the Cybersecurity arena.
These awards provide a tremendous insight into the most successful companies within the American economy’s most dynamic segment— its Cybersecurity and Information Security domain. Winners were chosen via popular vote from the LinkedIn Information Security Community – a group comprised of nearly 350,000+ members. Companies such as Blue Coat, Check Point, Rapid7, Sophos, Tripwire, Cylance, CyberArk, Darktrace, Lookout, Securonix, and many other well-known names gained national exposure as honorees of the Cybersecurity Excellence Awards.
“The Cybersecurity Excellence Awards is a true validation of the cybersecurity industry. This win is a true reflection of the immense contribution and commitment to excellence from our exceptional team, cutting-edge products, the executive leadership, and our distinguished board members. From just metrics perspective, we have demonstrated strength in building proprietary technology, network effects, economies of scale, and branding making us a leading startup in the United States within the Cybersecurity domain.”
“We view this recognition as a sign of our commitment to being the leading company in the Cybersecurity industry. Knowing that we received the most number of votes in the award history is a strong validation from the security community.” said Dr. Vivek Lall, CEO of General Atomics, and Chairman of the advisory board for Osprey Security.
“Congratulations to Osprey Security for being recognized as the winner in the Best Cybersecurity company category of the 2017 Cybersecurity Excellence Awards”, said Holger Schulze, founder of the Information Security Community on LinkedIn. “With a record 458 entries this year, the awards are highly competitive and our winners reflect the very best in innovation and excellence in the cybersecurity space.”
Since the beginning of 2016, Osprey Security experienced a vertical growth. What began as two guys about a year ago, is now an organization with a global team and offices in Palo Alto, California and in Singapore. Osprey Security is ready to grow in orders of magnitude in the coming year with the successes and foundation built on the efforts of its team, its customers, and the encouragement from the VCs, investors, and other well-wishers.
About Cybersecurity Excellence Awards
The Cybersecurity Excellence Awards honor companies and individuals that demonstrate excellence, innovation and leadership in information security. This independent awards program is produced in cooperation with the Information Security Community on LinkedIn, tapping into the experience of over 350,000+ cybersecurity professionals to recognize the world’s best cybersecurity products, individuals and organizations. For more information visit www.cybersecurity-excellence-awards.com.
About Osprey Security
Osprey Security is a disruptive Cyber Security company transforming the way organizations can manage their cyber threat landscape by providing actionable security and risk intelligence using its Patent Pending Technology and processes tailored to meet the organization’s risk appetite. Our products use empirical data driven methods to provide unmatched insight into emerging threats and help organizations address them before they can be exploited causing an incident. Our next generation machine learning based algorithms provide organizations with real-time threat intelligence, allowing them to proactively defend against cyber-attacks and help them counter with our evidence based security platform.
For more information, please visit www. ospreysecurity.com/ or connect with us on Twitter (@osprey_security) and LinkedIn.
+1 (650) 542-9237
The US-EU Privacy Shield Framework is a result of a shared goal of strong privacy protection from the United States and the European Union that ensures EU data subjects benefit from effective safeguards and protection as required by European legislation with respect to processing their personal data.
The United States Department of Commerce issued 15 U.S.C 1512. Osprey Security, as a premier Cybersecurity company deeply cares around the security and privacy of its customers and is proud to announce that it is one of the leading organizations certified by the United States Government. With this, we announce our commitment to all the Privacy Shield principles including notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access, and recourse/enforcement and liability. More importantly, this also ensures Osprey Security has EU GDPR readiness to meet additional obligations under GDPR, including additional accountability and program governance, broader individual rights, privacy by design and default, PIAs, and breach notification.
Here is a link to Osprey Security’s certification as published in the Privacy Shield website and the United States Government.
Osprey Security has been nominated under the “Best Cybersecurity Company” category in the Cybersecurity Excellence Awards 2017. Osprey Security is truly on the cutting edge of technology and solving the cybersecurity challenges of its customers. We truly appreciate the nomination and the recognition offered.
Vote for us in the Best Cybersecurity Company category by giving the thumbs up. Hurry up, the deadline to continue to promote your favorite Cybersecurity company is January 15th 2017.
Vote for Osprey Security Now – http://cybersecurity-excellence-awards.com/candidates/osprey-security/
In the past, we shared a startup’s legal obligations. Continuing on the same theme, in general, at the early stages of starting up a tech company, legal issues are the last thing on founders’ minds. But, knowing potential problem areas can reduce the amount of time and money founders have to spend on legal matters. Here are a few things in particular that are likely to impact tech startups from a legal issue perspective:
- Confidentiality. Often, those in tech industries are expected to sign confidentiality and non-disclosure terms. Founders should review any such agreements they signed with former employers in at least the last five years to make sure that there are no clauses under which the former employer could own new developments.
- Law of Other Jurisdictions. Tech companies are likely to operate on a global scale. While the advantages of having consultants, contractors, and users in other countries is substantial, founders must make sure they comprehend applicable laws and regulations regarding privacy, tax, and intellectual property.
- Innovation. Innovation is the bread and butter of tech companies. But, new technologies bring new legal questions, and possible litigation risks. Uber, for example, arguably created a unique kind of worker that is difficult to categorize under the law as written, which led to massive litigation.
Data breaches have become increasingly more common within the last decade. Most of these intrusions have caused a great deal of consumer scrutiny and could potentially affect a company’s future business potential. These data breaches have affected some major corporate enterprises and it is important for them to consider their legal obligations from a Cybersecurity and data breach perspective. Take for example the below listed data breaches and compromises:
- In 2007 TJ Maxx was subject to an intrusion where 94 million records were compromised;
- In 2010, Sony Playstation Network suffered an intrusion where 77 million records were compromised;
- In 2013, Target was subject to an intrusion where 70 million records were compromised; and
- In 2014, JP Morgan Chase fell victim to an intrusion where 76 million records were compromised.
Unfortunately, although these corporations are obviously victims of serious crimes, these breaches have pushed the onus onto businesses to develop security measures to protect consumer information. Failing to develop potential safeguards can ultimately lead to great distrust amongst the public, or, in certain circumstances, even litigation.
After Target’s 2013 data breach, the company faced a class action for its failing to protect customer data and ultimately settled for $10 million. Such a suit leads to the question: how exactly does a corporate entity become responsible for the nefarious acts of a third-party?
Typically, if the state has not adopted legislation placing the affirmative duty upon the corporate entity to adopt security measures for the protection of consumer information (please note: Massachusetts, California, Connecticut, Rhode Island, Oregon, Maryland, and Nevada have all passed such legislation), a court will view the failure to provide sufficient protection of consumer information under a typical negligence standard. A court will, therefore, consider (more…)
Cybersecurity is a Game of Thrones. There is a constant struggle between the various actors to gain the upper hand. We at Osprey Security are no exception. The Osprey Risk Intelligence and Compliance product manages all aspects of an organization’s Cybersecurity needs relating to their Governance, Risk, and Compliance items. For this product, we chose AngularJS to build and deploy our front end web application. The front end is what the users see first and interact with directly, and that’s why it has an important role in the application security. It is the bridge between the user and the data, a friendly way of interaction with data.
There are numerous frameworks out there to implement an appealing user interface, but the ultimate choice depends on our functional and security needs and what and how we want to build. We want to ensure that we take into account, all the features and capabilities that are on offer esp. as it relates to the Risk Intelligence and Compliance product for example.
AngularJS: a front-end framework
We chose AngularJS as our framework for a variety of reasons. To give a brief overview, an Angular application typically communicates with a server to retrieve the data and then present it to the user. The communication could be via RESTful API or a simple web service.
To mitigate most of the common attacks, AngularJS assists in writing code in a way that: is secure by default and makes auditing for security vulnerabilities such as XSS, clickjacking, etc. a lot easier.
AngularJS provides security features such as: (more…)
As a software engineer, it is always interesting to learn a new programming language. At Osprey Security, when it turned out that I would be involved in a project with Go or Golang as it is also referred to, as the primary back-end language, it was a really exciting feeling. The fact that Golang was designed to be a good fit for server side programming added more spice to all this.
Here I’m going to share my first impression on the language. Quite a few features of Golang will be described in the prism of Java which I used a lot last years.
What is striking for a Java developer is that Golang is not an object oriented language in a pure sense of this word. Yes, it has structures and you can call functions on those structures, as if you call methods in OOP language but there is no inheritance. Golang uses composition instead. Go is not functional, but it has anonymous functions, high order functions and so on. As for me, I see Go as procedural language. If somebody asks me to describe Go, I would say… like C. As in C, there is no exception handling, but functions return error codes instead. There is no function overloading as it regarded a bad practice, but there is support for pointers! (more…)
Securing our users has always been a challenge on the web. For years, we’ve found that the traditional usernames and passwords provided a secure method for authenticating users. They enter their credentials, submit the form, and in no time, they gain access to the providers services. Better known as a Single Factor of Authentication, SFA is still used across majority of the sites and has been a reliable security method. But, over time, attackers have been able to expose user credentials applying certain techniques. As a way of protection our users, we started to implement password checks and used well known hashing and salting techniques at the database level. But in most cases, not all password checks are equal and not all hashing techniques are reliable enough to prevent attacks.This is where Two Factor Authentication comes in.
So what is Two Factor Authentication? TFA a method that is based on users providing two factors of information rather than a single credential. Now, why is this a better option? For one, it adds an extra layer of security over the traditional username and password by removing the need to create highly secure password checks and two, introducing a second factor such as a device the user owns, increases the difficultly for hackers to obtain a successful attack. Here at Osprey, TFA was one of the strategies we wanted to integrate for our login portal. With multiple 2F strategies available, we found a new strategy created by the Facebook team called Account kit.
Introducing Facebook’s Account Kit
Introduced at the F8 conference this April, Account kit was a new product that Facebook launched for all developers to secure their mobile and web applications. In short, Account kit is a TFA and Single Sign On method that allows users to login and register using their phone number or email. With Account kit, developers don’t have to create a separate workflow to handle new registrations because their infrastructure handles authentication and managing user accounts. To get a better picture on how it works, let’s take a look at what happens during a simple login using Account kit: (more…)
Docker is perfect to make the developer’s life easier. Thanks to containers, one can engineer the many facilities that make their application into many microservices, dividing their problem into more manageable blocks. For instance, you can trigger a container for a redis database, along with a container fueled by an node.js / express image, and you can have your infrastructure up and running with no hassle.
Docker can prove handy even for optimizing the building pipeline. Indeed, using docker-compose, the Docker orchestration tool, and volumes, you can build your app stage by stage, passing through shared docker data *volumes* the result of any of these build steps to the next one. At the end of the pipe-line, you would have a container, with access to all of the artifacts that have been built so far – via the shared data volumes – launching the very services of your application.
Docker Compose in Action
But let’s see an example in action.
You have two stages of building here:
2. Then, you have to build AND run the *Golang* server, going first through downloading your project’s dependencies (assuming you used Godeps), building and installing the *Golang* service, and running it as a daemon at the startup of your app (containerized or not)
If we want to use containers to approach such a situation, we’d have
- Store these generated front-end assets in a data volume so we can persist and hand them over to the back-end
- And spin off a container running Golang, mount the previously prepared data volume on it, run the dependency fetching, the building and assigning an entry point (that is, the command firing the service upon launch of the container).
As we can proceed to these steps by hand jsut fine, or script them using Shell or whatever, we can use docker-compose, the very useful orchestration tool that comes with the docker toolbox distribution. (Linux users might have to install it by hand) (more…)