Blog

Virtual Guardian Appointed Exclusive AlienVault MSSP in Quebec

Laval (Quebec), April 8th, 2014. Virtual Guardian Inc., a leading Canadian IT security consultancy firm, confirmed today its partnership with San Mateo, California-based AlienVault, the leading provider of Unified Security Management™ solutions and crowd-sourced threat intelligence, as the exclusive managed security services provider for its Unified Security Management™ (USM) solution in the province of Quebec, Canada.

AlienVault’s Unified Security Management™ (USM) platform provides a way for organizations with limited security staff and budget to address compliance and threat management needs. With all of the essential security controls built-in, and continuous threat intelligence updates from AlienVault Labs, USM provides unparalleled security visibility.

“Virtual Guardian has spent the last ten years helping Canadian organizations achieve security visibility through its service offering,” said Patrick Boucher, Virtual Guardian’s President and Founder. “AlienVault’s USM is the most affordable, complete solution sharing that same objective. It just made perfect sense to become a managed security service provider and add that weapon to our arsenal. We now have the ability to offer our clients complete visibility and control over their network security.”  

“We are thrilled to welcome Virtual Guardian as an exclusive reseller of our USM offering in Quebec,” said Steven Wolford, Strategic Account Manager at AlienVault.  “Virtual Guardian’s security expertise combined with our award-winning USM product will provide their customers with the security visibility needed in today’s environment.”

“Quebec’s information security decision makers are being assailed on all sides by vendors of individual solutions. Managing these point solutions is becoming an increasingly difficult, time-consuming and expensive task. More and more organizations in our province are requesting solutions that can deliver better security visibility and more control over their infrastructure at an affordable cost. That’s exactly what we plan on delivering,” concluded Mr. Boucher.

About Virtual Guardian
Founded in 2003, Virtual Guardian is a leading company in the information security industry. Virtual Guardian’s team of certified security experts operates its network monitoring service and helps organizations gain complete security visibility. Virtual Guardian also offers a wide range of traditional information security consultancy services, such as pen testing, Web application audits and compliance guidance. Always on the leading edge of its industry, Virtual Guardian demonstrated its expertise by becoming, in 2009, the first information security company in Canada to be awarded the ISO 27001 certification. For more information visit www.virtualguardian.ca.

itSMF conference, March 26th: “No security without visibility”

Presentation:

What is security visibility? The expression is already well established in the vocabulary of American IT security managers, yet it is still little known in Quebec. Why? During this presentation, accessible to people of all levels of expertise, you will learn what security visibility is and why it matters not only to large enterprises but also to SMEs.
 
Highlights of the presentation:
- What is security visibility?
- The invisible enemies
- Around your house with Patrick
- The elements that provide visibility

Speaker: Mr. Patrick Boucher, Consultant

Mr. Patrick Boucher founded Virtual Guardian, an IT security consultancy firm, in 2003.

An experienced analyst, he has more than fifteen years of experience in IT, including ten in security. His expertise includes governance, security architecture, business continuity, security audits and risk analysis. Mr. Boucher holds a diploma in IT from UQÀM and he also holds many certifications, including CISSP, CISA, CEH, CGEIT and ITIL.
Virtual Guardian is the first IT security consultancy firm in Canada to be certified ISO 27001.

Location: More details will follow shortly.

Cost: Free for itSMF members and $35 for non-members. A light dinner will be provided.

Take this opportunity to become a member of the Montreal branch of itSMF: take part in our activities and events and benefit from interesting discounts on the documents available at the itSMF Canada online store.

Agenda:

17:30    Registration and light dinner
18:00    Welcome word
18:05    Conference
19:30    Discussion with speaker
20:00    Closing words

Due to the limited space available for this event, please confirm your attendance. If your plans change, please advise us by email.

Register by clicking here.

Virtual Guardian in Protégez-Vous magazine

Have you unknowingly purchased a fake antivirus from a cyberswindler? Getting rid of it is not an easy feat! Here is an article (in French) that was published in the October issue of Protégez-Vous magazine to help you resolve this problem.

PCI-DSS v3.0 — change highlights

The PCI Security Standards Council (PCI SSC) published PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 change highlights, as a preview of the new version of the standards coming in November 2013.

The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.

The seven-page document is part of the Council’s commitment to provide as much information as possible during the development process and eliminate any perceived surprises for organizations in their PCI security planning.

A quick word about our Network and Systems Monitoring (NSM) service: NSM’s PCI option will take into account all changes in the new version of the standard and will therefore continue to ensure that your compliance requirements are met. If you have any questions, please contact Virtual Guardian at 450-933-7774 or by email at support@virtualguardian.ca.

Article on social engineering by Rémy Baccino (fr)

It’s a well-documented fact that humans are often the weak link in the quest for the perfect information security posture. Rémy Baccino, IT security analyst for Virtual Guardian, has studied this phenomenon and published his observations in the following article, titled “La psyché humaine comme première faille de sécurité” (“The human psyche as the first security flaw”, in French). You may reach the author by phone at 450-933-7774 or by email at rbaccino@virtualguardian.ca.

Forensics investigations: DOs and DON’Ts

The original article was written in French only. For information about this article in English, please feel free to contact its author, Mr. Marc Seguin, who is Virtual Guardian’s resident specialist in IT forensic investigations. Mr. Seguin holds the GIAC Certified Forensic Analyst (GCFA) and CCNA certifications. He can be reached at mseguin@virtualguardian.ca.

OWASP updates its Top 10 list

Since 2003, application security researchers and experts from all over the world at the Open Web Application Security Project (OWASP) have carefully monitored the state of web application security and produced an awareness document that is acknowledged and relied on by organizations worldwide.

OWASP has released its 2013 top 10 list of risks associated with the use of web applications in an enterprise, and they are as follows:

1) Injection
2) Broken Authentication and Session Management
3) Cross-Site Scripting (XSS)
4) Insecure Direct Object References
5) Security Misconfiguration
6) Sensitive Data Exposure
7) Missing Function Level Access Control
8) Cross-Site Request Forgery (CSRF)
9) Using Known Vulnerable Components
10) Unvalidated Redirects and Forwards

For additional explanations about the risks, example attack scenarios, mitigation and prevention techniques, tips for developers, and to compare the new list with the previous one released in 2010, download the full report.

Only 36% of small firms apply security patches!

Only 36% of small firms apply security patches. No wonder cybercrooks are stealing their cash

Small businesses are under constant attack from malware, scams and online fraud. They are not only losing money directly to fraud, but also in costs associated with maintaining security. Small businesses are simply woefully under-prepared to keep their assets safe. Despite reorganisation and redirected priorities, the police can still do little to help.

This all emerges from a report on the threat of online fraud to small UK businesses, released by the FSB. No, not Russia’s slightly cuddlier successor to the KGB; this is the Federation of Small Businesses, a UK pressure group representing the needs of small businesses, and providing a range of services to them, boasting over 200,000 members.

Survey synopsis

The study takes the form of a survey of a subset of that membership, covering their experiences of online fraud, their attitudes to how it affects them, and what actions they’ve taken to protect themselves. Now, such studies are notoriously biased – asking people with a vested interest and minimal specialist knowledge what they think of complex technical issues will always give some off-the-wall results. This report contains some useful data though, both on what small business owners think has happened to them in the past, and on the parlous state of their cyber defences.

For the full article, click here.

Virtual Guardian celebrates its 10th anniversary!

Laval (Quebec), January 23rd, 2013. Virtual Guardian Inc., a company specializing in IT security, is proud to announce that it is celebrating its 10th anniversary this January. Here are some company highlights:

• January 2003: Patrick Boucher founds Virtual Guardian Inc.
• December 2008: The company reaches $1M in sales for the first time in its history.
• April 2009: Virtual Guardian is the first IT security company in Canada to receive the prestigious ISO 27001 certification.
• April 2010: The company is expanding. Its head office moves from a 600 square foot office to a 3000 square foot business condo on de l’Avenir boulevard in Laval, near the new Montmorency metro station.
• May 2010: Virtual Guardian’s 24/7 Security Monitoring service is launched.
• January 2013:  Virtual Guardian celebrates its 10th anniversary.

To read the official press release, click here (french version only).

Not just the “big guys” at risk

The article below explains why and how smaller companies are not immune to hackers and data loss. If you operate a small or medium business and have concerns about information security, contact Virtual Guardian today. We have custom-made packages with prices tailored to fit tighter budgets.

———————————

It’s become fashionable to assume that all cybercriminality these days is about money. In other words, attacks that aren’t likely to be worth anything aren’t likely.

It’s also fashionable to assume that the attackers are increasingly and exclusively after rich and fruitful targets, such as multinationals and governments. In other words, if you’re a little guy, you’re off the radar and can stay safe online simply by keeping your head down. Sure, cracking into systems just for the fun of it – the lulz – was briefly popular a couple of years ago, thanks to the appositely-named Lulzsec crew, but a bunch of arrests seemed to put paid to all of that. But those arrests didn’t stamp out cracking for the sake of it. There’s still plenty of gratuitous, “because it’s there” digital break-and-enter going on.

Even if you run a tiny website and don’t have much to hide, you (and your customers) are nevertheless at risk from criminals, like the appositely named @JokerCracker, who openly gives his reason for hacking as, “It’s just a personal challenge.” JokerCracker has announced a number of hack-and-reveals over the past few days. That’s where he digs around on your website for holes, probably using automated tools to find what software you’re running, and what vulnerabilities he can most easily exploit.

Once he knows a likely way of tricking your webserver into dumping one or more of its databases, instead of simply answering one of your pre-arranged queries, he’ll extract what he can, and upload anything that looks like Personally Identifiable Information (PII) to a public drop site, where data-theft voyeurs can grab it at will. The final step is a tweet to let the world know. A sad example over the weekend was his hack of a boutique Australian babycare site. He only made off with about 900 records, perhaps because that’s the whole database collected by the site owner. (Only email, screen name and passwords were leaked. Your full name, your child’s name and birthday, requested on signup, didn’t appear in the dump. That’s a small mercy, I suppose.)

The passwords, as you may have guessed already, weren’t hashed or obscured at all. They were all stored in plain text.

• If you are a user of a website that gets hacked this way, and you shared your password with any other sites, change those passwords immediately, and stop re-using passwords.
• If you’re the owner of a website that gets hacked this way, consider publishing a warning on your main page and alerting your users.
• If you’re the operator of any sort of web site or similar online property, don’t keep plaintext passwords.
• If you think a site is storing plaintext passwords, consider withdrawing from it until it stops doing so.

Note that the last point implies that you can easily tell whether a site is doing the right thing with your passwords.

Fortunately, many sites publish, or will tell you if you ask, how they deal with password storage and reset. But others won’t, and often that’s because they know they have bad news, or don’t even realise the importance of the question. In that case, you may be able to find out simply by trying a password reset. If you get back a password reset link, they probably haven’t been storing your password in plaintext. But if you get your old password back in an email, then clearly the site must have been storing it.

Babycare Advice, for what it’s worth, doubles up on its insecure behaviour because it doesn’t use HTTPS during its login phase; worse still, it doesn’t even use HTTP “challenge-response” password verification, which at least prevents your password going out unencrypted. Your password is there, in the clear, waiting to be sniffed.

Web site users, be vigilant. If you think a site is not treating your PII with the respect it deserves, even for so-called casual or throwaway logins, then consider working, shopping or playing somewhere else. Web site operators, don’t be happy with the security standards of ten, five or even two years ago. Show that you care about PII and help to build and maintain the trust of your customers.

Source: Paul Ducklin, January 21st 2013, Naked Security
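The two failures the article describes, a login form whose input is pasted straight into a database query and a user table holding plaintext passwords, are items 1 (Injection) and 6 (Sensitive Data Exposure) in the OWASP Top 10 list earlier on this page. The following Python example puts the vulnerable pattern beside its hardened form. It is an added illustration written for this page, not code from Naked Security, from Virtual Guardian or from the breached site, and the two user accounts are constructed sample data. The vulnerable login builds its SQL with string formatting, so a password of `' OR '1'='1` turns a one-row lookup into a dump of every row, exactly the “dumping one or more of its databases” behaviour the article mentions; the hardened login uses a parameterised query and stores only salted PBKDF2 hashes, which is also why a site built this way can send you a reset link but never your old password.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample accounts for the demonstration (not real data).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# Work factor for the password hash; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000

# The classic tautology an attacker types into a text field.
INJECTION = "' OR '1'='1"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted PBKDF2-HMAC-SHA256 record."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db(plaintext: bool) -> sqlite3.Connection:
    """In-memory user table, populated either the wrong way or the right way."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)")
    for name, pw in SAMPLE_USERS:
        conn.execute(
            "INSERT INTO users VALUES (?, ?)",
            (name, pw if plaintext else hash_password(pw)),
        )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """The article's scenario: user input is spliced into the SQL text.

    With password = INJECTION the WHERE clause becomes
      name = 'alice' AND password = '' OR '1'='1'
    which is true for every row, so the query returns the whole table
    (name and stored password) instead of at most one match.
    """
    sql = (
        "SELECT name, password FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised lookup plus hash verification; input never becomes SQL."""
    row = conn.execute("SELECT password FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    weak = build_db(plaintext=True)
    # Every account, with its plaintext password, comes back.
    print("vulnerable site, injected password:", login_vulnerable(weak, "alice", INJECTION))

    hardened = build_db(plaintext=False)
    print("hardened login, right password:", login_safe(hardened, "alice", "correct horse"))
    print("hardened login, injection string:", login_safe(hardened, "alice", INJECTION))
```

Running `login_vulnerable` against the hashed table still returns every row, so hashing is not a substitute for fixing the query: a dump of PBKDF2 records is a breach, and a weak password such as `hunter2` will fall to an offline guessing run regardless of the salt. What the hash buys is that the site itself never holds the secret, which is the property the article's password-reset test is probing for.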