Thursday, September 03, 2009

Directions in Security Metrics Research

NISTIR 7564 "Directions in Security Metrics Research" says:

"Advancing the state of scientifically sound, security measures and metrics (i.e., a metrology for information system security) would greatly aid the design, implementation, and operation of secure information systems."

Hear hear!

"... Enterprise-Level Security Metrics, was included in the most recent Hard Problem List prepared by the INFOSEC Research Council ..."
That I didn't know, but I totally agree: security metrics is indeed a Hard Problem.

If you would like to metricate your ISMS, do take a look at NIST's new paper. The main body is quite short at just 15 pages but covers a wide brief, drawing on metrication practices from other fields. If you are eager to learn more, there are six pages of references to deepen your knowledge still further.

Friday, September 19, 2008

Institute of Information Security Professionals

A blog entry by Gerry O’Neill, CEO of the Institute of Information Security Professionals, gives us an update on the IISP's progress towards defining and implementing a certification process for its members. 

Gerry acknowledges a handful of existing certifications (such as CISSP, CISM, CISA and MSc) from which the IISP appears to have borrowed a few ideas (e.g. referring to a "common body of knowledge", presumably similar to the CISSP CBK?). He identifies certain characteristics of a profession, including "a ‘licence to practice’, based around a core of specialist knowledge, skills and disciplines, regulated by a professional body and, crucially, with business recognition of its value." The ‘licence to practice’ idea works well for professions such as medicine, accountancy and law, but these professions are clearly much older than information security. Whether the IISP can first establish itself as a recognised professional body, secondly impose regulations and standards on its members, and thirdly achieve broad acceptance by the general public and the authorities is an open question at this point. They have set themselves a worthwhile but extremely difficult task, attempting to shortcut the thousands of years that other professions have had to develop their professional practices.

While there will be a Disciplinary Committee to ensure compliance with the IISP Code of Conduct, I wonder whether they will also establish a professional practices and ethics board to assess claims from the public or authorities that its members are incompetent, incapable, unethical or otherwise unsuitable to be called information security professionals? Policing the members and upholding the highest professional standards is another important though difficult role for a professional body - it's an integrity issue for the individuals concerned, the professional body and indeed the profession as a whole.

The Institute has defined a list of 33 skills as a basis for both developing and assessing information security professionals.  Three items in the list caught my eye: I1 Research, I2 Academic Research and I3 Applied Research.  Most security certifications (other than MSc and similar academic qualifications) emphasise practical expertise and implementation skills rather than research.  As a former research scientist myself, I welcome the emphasis on original research which will both help advance the profession and provide an entry route for students.

All in all, I'm interested to see this initiative develop and welcome the IISP extending its remit from the UK to the rest of the world, in due course. 

Friday, August 22, 2008

PCI DSS update

An update to the Payment Card Industry Data Security Standard (PCI DSS) has been announced with a preview/summary of the changes due for release in version 1.2 on 1st October.

Most of the changes are classified as clarifications of existing requirements, but controls for wireless networks caught my beady eye. On the one hand, PCI DSS seemingly acknowledges that WEP is no longer adequate (about time!), but on the other it allows WEP to continue until July 2010. 2010! That's like saying "Wardrivers, take your time, you have 2 years to find and exploit vulnerable stores". Given recent high-profile incidents of that nature, I'm puzzled as to why WEP is tolerated at all. PCI DSS 1.2 is an opportunity to drive up security standards and in many respects it is incrementally improving things, but in this one respect, they're letting the chance slip by.

Examples of "critical employee-facing technologies" that ought to be covered by security policies will be expanded to include "remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs)". I'm pleased to say that we have been covering those issues for years in the NoticeBored security awareness service, and will be covering them all before the end of this year [RATs were mentioned in the malware module in March. We're currently finalizing next month's module on email security, and researching for a forthcoming module on 'securing portable IT devices' for release in December.]

Employees will be required to acknowledge that they have read and understood the company’s security policy and procedures “at least annually”. Note the wording: employees will have to acknowledge the policies and procedures. Management's focus will be on getting bits of paper signed or learning management systems ticked once a year, rather than confirming that employees actually understand and recall the policies or pushing for more frequent awareness and training. That's another opportunity missed. Ho hum.

Against this background, I'll be just a touch more cynical next time someone complains about the 'PCI DSS compliance overhead', and even more careful about giving anyone my payment card details.

[Thanks to the Security Warrior, Anton Chuvakin, for alerting me to this. Anton's home turf is security logging but like many infosec pros, he has fingers in many pies.]

Wednesday, August 20, 2008

Help for ISO27k implementers

Over at ISO27001security dotcom I've just posted:
- a 2.2Mb ZIP file containing the full contents of the free ISO27k Toolkit; and
- a printable PDF version of the ISO27k FAQ.

Although they are already useful and generating good feedback, these are both works-in-progress. Further contributions to the toolkit and FAQ are always welcome. If you have implemented the ISO27k standards, are there policies, procedures etc. that you would be willing to donate to the cause? If you wish, I can help you format them to suit the purpose, for example removing any proprietary content to make them generic and adding a Creative Commons license. In return, you will be openly acknowledged as the contributing author in the material and on the website. Clearly, it is vital that you either personally own the materials you submit or have the copyright owner's express permission since they will end up in a public forum.

Visit the website or contact me (Gary@isect.com) for more info.

Thursday, July 31, 2008

Systemic security management: the ICIIP model

I don't know about you but models have intrigued me ever since I was a kid playing with Meccano and Lego. There's something fascinating about the structure and relationships making the whole thing greater than the sum of its parts. So when I heard about a new model linking people, process, technology and organizational design/strategy in the context of information security, I couldn't resist a look.

A PDF presentation of the ICIIP model gets off to a good start, representing it as a nice symmetrical three-dimensional tetrahedron rather than so many other flat two-dimensional tabular models. It even has information labels on the six connections (described as "tensions") between the four nodes as well as on the nodes themselves. The tensions are governance, architecture, culture, human factors, enabling and support, and 'emergence' (representing the inherent complexity and emergent properties of any organizational system).

Digging a bit deeper, authors Laree Kiely and Terry Benzel explain slide-by-slide the labels on the model. In each case they outline what they mean by the labels, fair enough, and then follow up with 'recommendations' ... and here I start to wonder how they came up with the specific recommendations. The authors' previous works are cited but not properly referenced in the paper, so readers are left guessing.

For example, their recommendations for the governance tension are as follows:
• Understand the criticality of security issues
• A different attitude regarding governance role and duties
• Emergent, cross-industry communities of interest and communities of practice who could develop standards
• New security knowledge and criteria for CEO selection, performance review, and compensation
• Require development and education for Boards and C-Suite as part of new self-regulating standards
• Criteria implemented corporation-by-corporation
• Hold vendors and suppliers accountable for implementing these standards/criteria

Standards, education and accountability seem reasonable if not exactly Earth-shattering proposals, but why did they pick these out, and how do they relate to the management of information security?

There's a lot missing from the presentation slides (such as how the "tensions" relate to the nodes) which, presumably, the authors fill in when presenting. However, there are several other materials from Dr. Kiely and Benzel on the USC Marshall website which I shall enjoy exploring at my leisure.

Wednesday, July 23, 2008

SQL as an audit tool

Mike Blakley wrote a fine piece in EDPACS on using SQL queries to interrogate a database system for audit purposes.

Abstract:
"Organizations, both large and small, are increasingly reliant on database systems for their operational support needs. This is due to the adoption of accounting systems ranging from large enterprise resource planning systems, down to departmental or even desktop-based database systems. The traditional audit approach used to account for data stored in databases has relied on information technology or other support staff to extract data for audit, which was then tested by others, often technical specialists. An alternative approach, which also provides greater audit independence, is to increase the knowledge level and skills of audit staff so they can obtain this data directly and perform their audit tests independently. This article may have relevance to other IT system audits."
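The approach the abstract describes, audit staff running their own queries rather than waiting for IT to extract data, is easiest to see with a few concrete audit tests. The following is an added example and not code from the EDPACS article: the `payments` and `approvers` tables and every row in them are constructed for illustration, and sqlite3 stands in for the organisation's database so that it runs offline. The three queries (duplicate payments, an operator who both entered and approved a payment, and approvals by someone not on the authorised list) are the kind of independent checks the article has in mind.

```python
"""Audit queries run directly by audit staff against a ledger (added example).

The table layout, rows and approver list are constructed for illustration and
are not taken from the EDPACS article. sqlite3 stands in for the organisation's
database so the example runs offline; the SQL is portable to most engines.
"""
import sqlite3

# Constructed sample data: (id, vendor, invoice_ref, amount, entered_by, approved_by)
SAMPLE_PAYMENTS = [
    (1, "Acme Ltd", "INV-1001",  4999.00, "alice", "bob"),
    (2, "Acme Ltd", "INV-1001",  4999.00, "alice", "carol"),  # same invoice paid twice
    (3, "Globex",   "INV-77",   12000.00, "dave",  "dave"),   # entered and approved by one person
    (4, "Initech",  "INV-3",      250.00, "alice", "erin"),   # approver not on the authorised list
    (5, "Initech",  "INV-4",      300.00, "alice", "bob"),
]
# Constructed list of people authorised to approve payments
SAMPLE_APPROVERS = [("bob",), ("carol",), ("dave",)]

# Test 1: the same vendor invoice for the same amount paid more than once
DUPLICATE_PAYMENTS_SQL = """
SELECT vendor, invoice_ref, amount, COUNT(*) AS n
FROM payments
GROUP BY vendor, invoice_ref, amount
HAVING COUNT(*) > 1
ORDER BY vendor, invoice_ref
"""

# Test 2: segregation of duties - one person entered and approved the same payment
SEGREGATION_OF_DUTIES_SQL = """
SELECT id, entered_by
FROM payments
WHERE entered_by = approved_by
ORDER BY id
"""

# Test 3: approvals recorded against a user who is not an authorised approver
UNAUTHORISED_APPROVER_SQL = """
SELECT p.id, p.approved_by
FROM payments AS p
LEFT JOIN approvers AS a ON a.username = p.approved_by
WHERE a.username IS NULL
ORDER BY p.id
"""


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample ledger."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE payments (id INTEGER PRIMARY KEY, vendor TEXT, invoice_ref TEXT, "
        "amount REAL, entered_by TEXT, approved_by TEXT)"
    )
    conn.execute("CREATE TABLE approvers (username TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_PAYMENTS)
    conn.executemany("INSERT INTO approvers VALUES (?)", SAMPLE_APPROVERS)
    return conn


def run_audit_tests(conn: sqlite3.Connection) -> dict:
    """Run the three audit queries and return their rows as plain tuples."""
    return {
        "duplicate_payments": [tuple(r) for r in conn.execute(DUPLICATE_PAYMENTS_SQL)],
        "sod_violations": [tuple(r) for r in conn.execute(SEGREGATION_OF_DUTIES_SQL)],
        "unauthorised_approvers": [tuple(r) for r in conn.execute(UNAUTHORISED_APPROVER_SQL)],
    }


if __name__ == "__main__":
    results = run_audit_tests(load_sample_db())
    for test_name, rows in results.items():
        print(f"{test_name}: {len(rows)} exception(s)")
        for row in rows:
            print("   ", row)
```

Each query is a read-only SELECT, so an auditor can run it with a read-only account against a reporting copy of the database, and the exception rows (rather than the raw extract) are what get worked through with the business.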

In the same issue, Fred Cohen discusses the specification of control requirements for [real-time process] control systems and SCADA, an area that relatively few information security managers and IT auditors have experienced. I have had some exposure to this at power generation and engineering companies but admit I know next to nothing about it. Having seen conference presentations on "exploring" SCADA networks and Building Management Systems, I'm sure these are targets for curious hackers who relish the challenge of understanding obscure comms protocols and exploiting inadequate security controls. Fred's comments about the ever-deepening Internet connectedness of such networks and the historical lack of attention to security ring very true. I often wonder what fun would lie in store for hackers with access to the networks and devices, perhaps exploiting the numerous wireless command and control systems out there. Let's hope they are responsible enough to use their powers for good not evil.

All in all, another excellent issue. [The fact that I'm one of many on the EDPACS editorial board is purely coincidental, of course!]

Sunday, June 29, 2008

Are you using TPM yet?

Secure Computing Magazine explains what the Trusted Platform Module (TPM) is, and what it can be used for. It stops short of explaining how to use it but has links to other sites that do so.

The TPM is a hardware crypto module on a chip, pre-installed by the manufacturers in ~100 million PCs. Being hardware based makes it more resistant to attacks than pure software based crypto systems - note 'more resistant to' not 'totally secure against'. I'm sure it's only a matter of time before some enterprising hacker hacks the TPM, perhaps using side channels (e.g. power consumption) or electron microscopy, attacks that have worked to some extent against smart cards. Meanwhile, TPM is considered stronger than normal software-based password vaults etc.

Here's a list of the top 10 uses for TPM, extracted from the article:

1. Multi-factor authentication.
2. Strong login authentication.
3. Machine binding.
4. Digital signatures.
5. Password vaults.
6. File and folder encryption.
7. Strong client/server authentication.
8. Network access control.
9. Endpoint integrity.
10. Trusted client/server security.

Cool!

Saturday, June 28, 2008

New awareness module on infosec risk management

We've just released our latest security awareness module on "information security risk management". The title is deliberately a bit ambiguous - in fact it covers mostly risk management in an information security context, plus a bit of information security management and a sprinkling of IT operations for good measure.

Identifying and managing information security risks is of course a key objective for information security managers. The module dispenses sage advice to managers and IT professionals on exactly what is involved in the infosec risk management process. For general employees, we emphasize the "What's in it for me?" aspect by drawing parallels between managing infosec risks at home and at work.

Whereas the PDF newsletter is free, you'll need to subscribe to NoticeBored to see the whole module in all its glory, and receive another one each month. We work this way to encourage customers to deliver rolling/continuous awareness programs. It seems to us a month is long enough to put across the essentials of any information security topic (potentially in more depth than any other awareness program we know of), yet short enough to avoid everyone getting totally bored by the same old same old. Next month we'll move on to a new topic (information security governance), hopefully before the eyelids start dropping and the posters disappear into the background.

We're clearly passionate about our approach to security awareness but keenly aware that we don't have a monopoly on the subject. Please email me (Gary@isect.com) or comment on this blog if you have other security awareness ideas or approaches that work for you. We'll gladly acknowledge your input if we take up your ideas, and maybe something more substantive will find its way to your inbox as our way of saying thanks.

Saturday, January 26, 2008

And yet another bad office day

A woman mistakenly thinking she was about to be fired allegedly took revenge on her employer by going into the office late one evening and deleting data files worth $2.5m. Although the deleted data were later retrieved (whether from backups or by 'undeleting' them is not stated), the potential remains for trusted insiders with access to corporate IT assets to cause enormously costly damage by sabotage.

Deliberate or accidental sabotage by backup operators is a tough threat to control against. They have both physical and logical access to servers and their data, often work unsupervised out-of-hours, and are mostly relatively junior staff. Trust is the primary control, though many would argue that it is no control at all, merely blind faith in many cases. The risks can be reduced by various security control measures, such as:
- Alternating backup operators
- Combining on- and off-site backups
- Tightly controlling physical access to backup storage and especially archives
- Closer management supervision and/or physical monitoring of trusted employees working in the data center
- Better training and automation of backup processes, reducing the need to give backup ops unrestricted logical access to data
- Better HR processes for monitoring employees in such trusted positions and more respect for the valuable jobs they perform.

Thursday, January 24, 2008

New IT security standards for US electricity industry

FERC, the Federal Energy Regulatory Commission, has approved eight new mandatory critical infrastructure protection (CIP) reliability standards developed by NERC, the North American Electric Reliability Corporation, covering:
- Critical cyber asset identification (NERC standard CIP-002) - essentially inventory and risk assessment of critical information assets;
- Security management controls (CIP-003) - security policy and management structure, exceptions process etc.;
- Personnel and training (CIP-004) - personnel risk assessment, training and, of course, security awareness;
- Electronic security perimeters (CIP-005) - a 'crunchy outer shell' for networks;
- Physical security of critical cyber assets (CIP-006) - physical perimeter controls, card locks, processes, visitor logs etc.;
- Systems security management (CIP-007) - security testing and patching, controlled network services, antivirus, security monitoring and various other IT security controls including, I note, minimum 6 alphanumeric+punctuation character passwords with a lifetime of up to one year (!);
- Incident reporting and response planning (CIP-008) - an annually-reviewed incident response plan; and
- Recovery plans for critical cyber assets (CIP-009) - DR plans with at least annual exercises.

For completeness, CIP-001 covers sabotage reporting, the critical infrastructure equivalent of SB-1386 and similar requirements to report unauthorized credit card or personal data disclosures.

FERC's IT security standards are stronger than mere recommendations and will probably become fully mandatory when get-out clauses relating to business judgement are removed. In-scope companies should all have started work on this by now and have to be fully compliant by mid-2008 or mid-2009 depending on the type of company and the specific standards.

FERC did not go as far as to mandate NIST's SP800-series security standards, however, excellent though they are, nor indeed international standards such as ISO/IEC 27002. The stated reason was not to delay implementation. While I applaud their haste to beef up infrastructure security, it's a shame to ignore the large existing body of work on information security from the likes of NIST, ANSI, BSI, ISO, IEC and others. Arguably there is a need for specific security standards covering SCADA (Supervisory Controls And Data Acquisition) systems, but the electricity industry is not pure SCADA by a long shot: there are conventional systems, many running Microsoft Windows and various UNIX/Linux variants, and TCP/IP networks all over the place, and security architecture, operations and management issues are basically the same as for any other industry. [I guess adopting existing standards would put a posse of electricity industry security consultants out of jobs but IMHO they are better deployed implementing security standards than creating new ones.]

Looking over the list of bullets above, it is not hard to align FERC's advice with ISO/IEC 27002 ... whereupon gaps such as compliance stand out. FERC evidently intends to assess or audit the utilities' security against the standards but there's more to compliance than formal assessments/audits. Electricity companies should have suitable governance structures and processes in place to ensure compliance with their internal security requirements (policies, standards, guidelines and procedures) and with legal obligations unrelated to FERC (e.g. software license compliance plus other intellectual property issues, SOX and protection of Personally Identifiable Information) along with compliance by their suppliers and business partners. There are solid commercial drivers for information security in the electricity industry, quite separate from the critical infrastructure protection angle. Surely FERC could leverage this to their advantage?

The standard on DR is also notable for the absence of any advice on contingency planning and business continuity. I would have thought that 'keeping the lights on' is absolutely the number 1 top priority for the electricity industry, therefore resilience is more important than recovery. Perhaps this is so ingrained that it is taken as read, but I'm surprised by the omission.

By the way, I also couldn't help but notice that "Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission" are explicitly excluded from the scope of the standards. I trust the nukes have their own, strong, rigorous, comprehensive cyber security standards ... they do, don't they?

Sunday, December 30, 2007

Top information security risks for 2008

We have completed and published our collaborative white paper listing the top information security threats, vulnerabilities and impacts, along with some risk scenarios and controls, as we head towards the new year.

My sincere thanks are due to all who participated in the project, contributing directly to the shared document on Google Docs or commenting on it through the fora. I suspect there are still several points of disagreement but I hope we are all reasonably happy with the end result. I have certainly enjoyed the process and value the discussion.

Thursday, December 06, 2007

Info for SysAdmins/Infosec Managers on WPAD

A new Microsoft Advisory gives further details of the WPAD (Windows Proxy AutoDiscovery) vulnerability recently disclosed at Kiwicon, New Zealand's first hacker conference.

The vulnerability relates to the way that Windows systems set to autoconfigure their web proxy settings go looking for the configuration file. If they don't find one on the local network, they go up the DNS tree and, under some circumstances, end up looking for a host called wpad.co.nz or wpad.co.uk or whatever. If some enterprising haxor has registered one of these domains, they have the ability to create and offer malicious proxy configuration files, and can subsequently control the way vulnerable machines access the Web.

Microsoft offers workarounds pending a proper fix of the wpad logic. Turning off wpad is one solution, though I'm not sure whether this can be configured for all machines in a domain using Group Policy, so it may require each machine to be configured. Similarly, there's a registry hack that needs to be applied on every machine. Another fix is to create a wpad server and offer a legitimate proxy config file ... but make sure it is a high-availability machine since a denial-of-service attack on it would presumably reopen Pandora's box.
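To see which of a client's devolving lookups an organisation actually controls, and therefore where the "create a wpad server" workaround needs to go, here is an added example (my own code, not Microsoft's advisory or the Kiwicon material) that models the devolution walk the post describes. The model is an assumption: it takes the client's primary DNS suffix, tries wpad.<suffix>, drops the leftmost label each time, and stops before a bare top-level domain; real behaviour varies with OS version and policy settings, and the domain names used are constructed examples.

```python
"""Model of DNS-suffix devolution for WPAD lookups (added example, not from the advisory).

Assumption: a client whose primary DNS suffix is 'sales.example.co.nz' tries
wpad.sales.example.co.nz, then wpad.example.co.nz, then wpad.co.nz, stopping
when fewer than MIN_LABELS labels remain. Actual Windows behaviour depends on
version and policy; treat this as an audit aid, not a specification.
"""

MIN_LABELS = 2  # assumption: devolution stops before querying a bare TLD


def devolved_wpad_candidates(primary_suffix: str, min_labels: int = MIN_LABELS) -> list:
    """Return the wpad hostnames a devolving client would try, most specific first."""
    labels = [part for part in primary_suffix.strip(".").lower().split(".") if part]
    candidates = []
    while len(labels) >= min_labels:
        candidates.append("wpad." + ".".join(labels))
        labels = labels[1:]  # devolve: drop the leftmost label and try again
    return candidates


def _zone_of(name: str) -> str:
    """'wpad.example.co.nz' -> 'example.co.nz'."""
    return name.split(".", 1)[1]


def _is_within(zone: str, owned_zones) -> bool:
    return any(zone == owned or zone.endswith("." + owned) for owned in owned_zones)


def audit_wpad_exposure(primary_suffix: str, owned_zones) -> dict:
    """Split the candidate lookups into those the organisation controls and those it does not.

    A candidate outside every owned zone is one that whoever holds the parent
    domain could answer. 'register_first' is the most specific owned name: put a
    legitimate proxy configuration there and the client never devolves further.
    """
    owned = [z.strip(".").lower() for z in owned_zones]
    controlled, escaping = [], []
    for name in devolved_wpad_candidates(primary_suffix):
        (controlled if _is_within(_zone_of(name), owned) else escaping).append(name)
    return {
        "controlled": controlled,
        "escaping": escaping,
        "register_first": controlled[0] if controlled else None,
    }


if __name__ == "__main__":
    # Constructed example: a New Zealand organisation owning only example.co.nz
    report = audit_wpad_exposure("sales.example.co.nz", ["example.co.nz"])
    for name in report["controlled"]:
        print("controlled:", name)
    for name in report["escaping"]:
        print("escaping:  ", name)
    print("populate first:", report["register_first"])
```

Run against each distinct primary DNS suffix in use, the "escaping" list shows which lookups leave the organisation's zones, and the "register_first" name is where the legitimate, high-availability wpad host from the workaround should answer, so that no client ever walks past it.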

Good luck!

Monday, November 19, 2007

Singapore sling

Here's a sad tale of woe. A good friend of mine in Singapore is suddenly facing redundancy through absolutely no fault of her own. Her employer is simply cutting costs, slashing the workforce it seems without considering their employees' net value (i.e. business benefits created less salary and other expenses). What makes this really sad is that the organization in question is a bank that really ought to have a better idea of basic economics.

So, if anyone out there in Blogoland knows of Singapore-based/regional openings for a highly qualified and experienced IT auditor cum information security manager cum IT governance expert, and understands that value equation, do please get in touch with me (email Gary@isect.com). My friend has a CISSP (with the ISSMP concentration), CISM, CISA and 2 decades in the field with globally-renowned financial services companies. She is also one of the most gracious, friendly and genuinely committed individuals I know. It's hard to think of a better definition of "asset".

Wednesday, October 31, 2007

A virtuous circle for information security management

A blog describing Intel's 'defense in depth' approach to information security has a neat description of the 4 main phases:
(1) Prediction (essentially risk assessment);
(2) Prevention i.e. classic preventive security controls;
(3) Detection and monitoring for threats that evade, disable or bypass preventive controls; and
(4) Response and recovery - corrective controls, a last resort.

Add a pinch of continuous improvement to learn from every event, and there you have it. Sure beats ISO/IEC 27001's somewhat simplistic plan-do-check-act model!

[By the way, Intel, the 'defense in depth' concept also applies within any of those phases, e.g. using multiple information sources to broaden and deepen the analysis of security vulnerabilities in phase 1, or combining real-time alerting with near-time log analysis in phase 3.]

Wednesday, October 17, 2007

New ISF standard released!

The Information Security Forum's Standard of Good Practice for Information Security has been updated and re-released just a few days ago. I have long admired the ISF standard for two key reasons:

1. It is well written, clearly laid out and eminently usable. As a user, I really like pragmatic standards!

2. It is free. If the ISO/IEC 27000 standards were free, I'm sure they would be even more popular and widely used than they are and the world would be a safer place. For organizations or individuals who are unwilling or unable to afford ISO27k, the ISF standard makes a good second choice ... along with the NIST SP 800 standards and a raft of others.

The 2007 version is a weighty 372 pages but is fluff-free. Each of the controls is simply and directly stated with very little in the way of explanation, context, justification or implementation guidance. That's great for those of us with sufficient experience to fill in the gaps for ourselves but could be a bit ambitious for those new to information security management.

I'm sure I'll be referring to the standard in our security awareness materials, though not as much as ISO27k.

Sunday, September 23, 2007

Windows security spec with free audit tool

The US Government's plans to use standardized Windows desktop environments have advantages for non-US Government entities also. The Federal Desktop Core Configuration (FDCC) specifies reasonable Windows XP and Vista security settings, and application software vendors are encouraged to make sure their products work on a standard spec PC. Tools such as Secutor Prime (free for non-commercial use) will audit a PC against the FDCC and report discrepancies, with enough details for a competent sysadmin to resolve. It's not quite point-n-click one-button-security for the masses but is useful for those who want to improve the security of their own Windows systems. Companies that roll out standardized Windows desktops would be well advised to check their standard builds against FDCC too.

I won't go into the downside of encouraging a PC monoculture at this point but leave that for your homework, and Google.

Tuesday, September 18, 2007

CSI's 12th Annual Computer Crime and Security Survey

One of many graphs in the survey report
The latest Computer Crime and Security Survey from America's CSI (Computer Security Institute - not the TV show) is a handy source of statistics to consider and perhaps spice up your security awareness materials. The survey is well respected, being vendor independent, having just under 500 responses and being consistently designed from year to year.

Key findings:
- Since last year, the estimated average loss has nearly doubled to $350k per organization per annum
- Nearly 1 in 5 respondents who suffered security incidents said they’d suffered a "targeted attack" i.e. a malware attack aimed exclusively at them or similar organizations
- Financial fraud caused the greatest financial losses
- Insider abuse was the most prevalent security problem
- Just under half of respondents said they had suffered security incidents, similar to but slightly less than the past 2 years
- 29% of organizations report security incidents to law enforcement

Being a security awareness specialist, the following caught my beady eye:
"Almost half—48 percent—spend less than 1 percent of their security dollars on awareness programs. While this may be the case simply because some forms of awareness training (such as putting reminders on corporate intranet sites) aren’t expensive, one is tempted to conclude that while the industry talks a good game about teaching users how to be good stewards of company network resources, they don’t yet put real dollars behind the proposition."

~Half spend less than 1% of their security budgets on awareness! Golly! Given that security budgets are around 10% of IT budgets, there must be a lot of managers out there that are so frugal on security awareness that they 'squeak when they walk'. Our very own security awareness products typically cost about the same as a single cup of coffee per employee per annum, barely enough to merit a budget line item. Cost is surely not the issue: many organizations evidently don't appreciate the potential business benefits of a well-run security awareness program. Perhaps they think employees will just 'be secure' without any guidance? Flying pigs optional. Security incidents averaging $350k p.a. are (at least partly) the inevitable result of such wishful thinking.

ISMS documentation checklist

If you are planning or just starting out on your ISO/IEC 27002 implementation project, this may be just what you need. The ISMS Documentation Checklist is simply a list of the documents typically required by and/or created by an Information Security Management System. Your project plans should include researching, drafting, reviewing, approving, publishing and promoting your own suite of ISMS documents, so it helps to know what is typically expected.

The list was created by a team of ISMS users on the ISO27k implementers' forum, a mailing list run at ISO27001security.com.

Phase 2 of this collaborative project involves collecting and publishing examples of each of the documents in the checklist. If you would like to get involved in the project, please contact me (Gary@isect.com) to join the fun. We anticipate publishing example documents gradually between now and the end of the year.

Wednesday, August 22, 2007

Security metrics for the Bored

The CSO Executive Council is running a series of surveys to assess security metrics practices. The latest survey report revealed that two thirds of respondents do not gather security program data in order to create statistical reports to present to senior management, and followed up with the following (sample) of explanations:
- Not requested, and no value to security program at this point.
- Lack of management interest in seeing security metrics.
- Lack of interest by senior management.
- No funding.
- Embryonic.
- Information is gathered and presented to senior IT security management.
- Security organization is not established due to budget constraints.
- Nobody is asking, and I would not know what to prepare.
- Time, not sure what to measure.
- No good collection method.
- Didn't start to do it yet. We plan to do it in the near future.
- Data points too qualitative.
- No manpower.
- No formal security program.
- Not my responsibility.
- No demand from The Clueless.
- Not my role.
- Narrative reports are provided, not statistical.
- Not needed for awareness, budgeting, etc.
- Haven't developed metrics.
- Management doesn't know that they want this.
- Not requested.
- Don't have the requisite systems in place.
- Insufficient resources to gather automatic and consistent metrics.

"Lack of interest from senior management" caught my eye and "No demand from The Clueless" made me smile but rather than simply accepting this sad state of affairs, how about running some security awareness activities to give senior managers a clue? If information is seen as a valuable organizational asset, the need to protect it is a natural and easy step (and if not, you have more fundamental issues!). If protecting information assets is important, measuring the extent of protection and identifying improvement opportunities is also important, isn't it? So there we are: an executive security awareness program in one paragraph.

I have more sympathy with other comments about the difficulties of designing an objective metrics scheme for information security. It's hard to figure out security metrics that are both simple/cheap to gather and meaningful/useful. My discussion paper published in ISSA Journal in July 2006 might help, as may a paper written by members of the ISO27k Implementers' Forum at ISO27001security.com that derives pragmatic security metrics from ISO/IEC 27002.

Take the CSO Executive Council's third Security Program Scorecard survey to be eligible for a drawing for a copy of Measures and Metrics in Corporate Security.

Saturday, August 18, 2007

Security awareness success in the US Army

Details of audits of US Army websites and blogs run by soldiers, disclosed under the Freedom of Information Act, reveal that far more security policy breaches occur on official Department of Defense websites than on blogs. The audits were conducted by the Army Web Risk Assessment Cell, a special unit with a remit (evidently) to minimize unauthorized disclosure of sensitive military information via the Web.

It seems to me the Army was absolutely right to highlight the information security risks relating to blogging. I believe the audit results reflect the outcome of a highly successful security awareness program. If this issue had not been addressed so effectively, I'm convinced there would have been far more noncompliance issues, in other words this is a lesson to us all.

In respect of security awareness programs and policy compliance, 'the military' have a significant advantage over most of us in that the workforce is specifically trained to respect authority and follow orders - or at least, that is the classical view. In fact, I understand modern soldiers are increasingly being taught to think for themselves and operate autonomously, albeit within a highly structured (literally 'regimented') operating framework and, when necessary, at gunpoint. The traditional approach to the blogging security issue would presumably have been to send out an order banning blogging. What actually happened was more subtle: Army bloggers were instructed to register their blogs with commanding officers and pre-clear what they publish. 'Blog responsibly' is a rather softer message but the audit results seem to indicate its effectiveness in this situation.

Thursday, August 02, 2007

The light goes on?

"Agency computer systems are vulnerable because many lack basic controls, and one of the best ways to improve information technology security is to improve the metrics for how departments measure how these basic controls are implemented."

Golly. Those in charge of rewriting FISMA have figured out that they probably need information security metrics to track government departments' performance.

OK guys, the next baby step is to work out what metrics are needed.

I'll put money on "number of security incidents" being one of the 'cutting edge security metrics' about to be proposed, followed shortly by some bright spark noticing and promoting NIST SP 800-55 as The Answer.

With that and the news about the hacking of three well-known US electronic voting systems, I'm glad I don't live in the Good Ol' US of Eh?

Thursday, July 19, 2007

IT Security: The Data Theft Time Bomb


The 10th annual Global Information Security survey conducted by Accenture for Information Week compared responses from ~3,000 companies in the US and China.

'Spreading security awareness' is the fifth biggest security challenge identified by respondents. Amazing! [To stage left: "Get their addresses someone, I need to send them a leaflet"].

In commenting on the data, the report's authors go well beyond simply re-stating the statistics. Their analysis warns complacent information security managers to pay more attention, keep up with current threats and prepare for tomorrow's.

"It seems as though security pros are missing the point, choosing to focus on the security threats with which they're most familiar as opposed to emerging threats designed to cash in on the value of customer data and intellectual property. A careful reading of our survey's results, however, indicates that organizations are waking up to just how vulnerable their customer information and intellectual property are to data thieves."

...

"Some security pros may be blissfully ignorant. Botnets, which can take control of IT resources remotely and can be used to launch attacks or steal information, debut as a concern in this year's survey, though only 10% of U.S. respondents and 13% of Chinese respondents rank them as a top three problem. This may be because companies are often unaware that they've been infiltrated by botnets, which is exactly what bot herders are counting on."


If you need more gen than the article provides, the report itself costs $499 or just under $12.80 per page.

Tuesday, July 17, 2007

State of the art security metrics

Dan Geer has been extremely generous in posting Measuring security, a presentation/training course (350 slides with readable speaker notes!) on the application of mathematics to information security. It neatly exploits ideas from statistics and other fields of study in the context of information security, revealing a wealth of creative ideas - so much so that I spent most of my afternoon reading it cover-to-cover and thinking about the practical applications.

Dan's summary slide hardly does it justice but might be just enough to intrigue you into downloading the presentation if "security metrics" is your thing too:

• The field is a mess, but progress can be made in any direction
• State of the art is the inequality and the ordinal scale, but those suffice for much decision making
• Consistency beats clever, and trend accuracy beats point precision


Dan refers more than once to the discuss@securitymetrics.org mailing list: guess I'll have to join up if that is a guide to the level of discussion!

Thursday, July 05, 2007

Information security year in review - 2007

Over several years, Professor Mich Kabay of Norwich University has built a sizeable database of annotated abstracts of relevance to his information security students. From the database, Mich extracts an annual dump - the latest one is here. It's essentially a massive reading list but the annotations allow users to search for relevant material using keywords. I'm sure I'll be using it frequently when researching new or updated NoticeBored security awareness modules.

Wednesday, June 27, 2007

Infosec news sources - a top ten

For anyone else who's keen to keep up with information security and related events as they happen, I thought I'd list the hit parade - my top ten favourite Web resources.

Starting with the chart-toppers, here are the six big hits I use practically every single day:

1. ISN (Information Security News) - a handful of relevant infosec news items to my inbox every day, each one supplied as plain text email with a URL in case I need to reference the original source. Always relevant and on-topic. No wasted bits. Moderator William Knowles does a fantastic job.

2. SANS ISC (Internet Storm Center) - a continuous blog/diary of what's hot from the people who are constantly scanning Internet traffic for new attack vectors. Generally first to identify and publish info on emerging malware and vulnerabilities. Makes a great browser home page. SANS Newsbites is not bad either - twice weekly email digests with informed commentary.

3. CISSPforum - a professional community of over 4,000 CISSPs and SSCPs from around the globe. A virtual locker room, ideal for lonely infosec professionals who don't have several hundred qualified peers in the office with whom to pass the time of day.

4. Gigalaw - similar style to ISN but focuses on legal IT-related news such as IPR issues and new privacy legislation. Supplied as one email per day with about 6 headlines leading to short summaries on the Gigalaw site and URLs to the original sources.

5. Blogs like this one - way too many to list. When I have a quiet moment, I use a blog reader to catch up with what other infosec pros are saying and generally browse through for interesting leads. Good for discovering alternative perspectives on everyday issues and interesting items from obscure places. Bad for time management.

6. Google. 'Nuff said. Well almost: Google's Alerts are a handy way to run those searches that I always run, delivering daily email digests again (yes, you're starting to see a pattern).

Other sources to complete the top ten, used as and when necessary:

7. CERIAS and CERT-CC - a wealth of cool information but you need to set aside time to browse the libraries.

8. ISO, NIST etc. - for security standards

9. ISACA, ISSA, ITGI, CCcure, ITPI and various other professional membership bodies.

10. Selected infosec magazines such as [In]security, CSO/CIO and of course The Register, always good for a laugh.

11 (bonus item). RISKS-List is a long-running source of news and insightful commentary on IT risks.

Conspicuous by their absence from the hitlist are:

- Myriad "portals" that pad out far too many intrusive adverts with "news" (mostly vendor press releases) and "articles" that are also thinly disguised adverts. More biased than a capsizing supertanker.

- Vendor websites and newsletters. At least they admit their bias but I value independence and objectivity over marketing fluff any day. Used selectively to gather information on new and updated infosec products, critical patches etc.

- Podcasts, online seminars, eSymposia and similar. Unless I'm having trouble sleeping, I don't generally have the time to waste listening to some sales machine droning on for hours about how their particular hammer cracks all known nuts, or to waste time listening to cheesy royalty-free muzak from amateur producers who love the sound of their own voices and can't even get the audio levels right [/rant]. The accompanying presentation slides are sometimes worth a quick browse, taking a few minutes to skim not an hour or more. A few online speakers are worth the effort but I'm very choosy. Life's too short.

OK there we are. What about you? What's in your top ten? If there were just one or two resources you'd persuade me to add to my list, what would they be? Please either add a comment here or write your own blog post and send me a link.

Tuesday, June 05, 2007

A little something to browse over lunch

"Today’s information systems are incredibly complex assemblages of hardware, software, firmware, and people, all working together to provide organizations with the capability to process, store, and transmit information on a timely basis to support various organizational missions and business functions. The degree to which organizations have come to depend upon these information systems to conduct routine and critical missions and business functions means that the protection of the underlying systems is paramount to the success of the organization. The selection of appropriate security controls for an information system is an important task that can have major implications on the operations and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity (including non-repudiation and authenticity), and availability of the system and its information. Once employed within an information system, security controls are assessed to provide the information necessary to determine their overall effectiveness; that is, the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Understanding the overall effectiveness of the security controls implemented in the information system is essential in determining the risk to the organization’s operations and assets, to individuals, to other organizations, and to the nation resulting from the use of the system.

... so starts the latest and greatest draft of NIST SP 800-53A "Guide for Assessing the Security Controls in Federal Information Systems - Building Effective Security Assessment Plans". What a neat way to sum up the whole of information security in just one paragraph!

The standard essentially comprises a large audit checklist for checking a broad range of information security controls against good practice advice in NIST SP 800-53, FIPS 200 and other standards (including ISO27k), topped-and-tailed with background/context, explanation, glossary and references. Being a typical NIST SP, it is well-written and comprehensive.

NIST is seeking feedback on the draft. I'm currently skimming my copy and scribbling a few notes while eating my lunch 'al desco'. We have until the end of July to respond but I'm sure project leader Ron Ross would appreciate comments sooner rather than later.

Tuesday, April 24, 2007

Return on Information Security Investment

Return on Information Security Investment (ROISI), perhaps more commonly if less accurately known as ROI or ROSI, is one of those topics that is often discussed but never truly resolved. It has been declared a zombie topic on CISSPforum for that reason: we're tired of hearing the same old arguments re-hashed every few months. That said, we are always open to new angles on the old saw. Masters student Adrian Mizzi took a long hard look at ROISI and wrote his thesis around it. Adrian's model involves finding an optimal investment choice by balancing three key factors: “Viability of Expenditure”, “Successfulness of Attack” and “Motivation to Attack”. Adrian's thesis has been published as a book ($37) or PDF ($25) for those who are interested in some primary and secondary research on this important topic.

Thursday, January 11, 2007

Whistleblower hotlines work!

An excellent 36-page report by The Network, Inc., a company that runs whistleblower services, and CSO Executive Council gives the results of their statistical analysis of 180,000 whistleblower hotline calls from 550 organizations over 4 years. That's quite a sample on a seldom-reported topic. Here are a few salient points from the 2006 Corporate Governance and Compliance Hotline Benchmarking Report - a Comprehensive Examination of Organizational Hotline Activity:

- 65% of calls were 'serious enough to warrant investigation' - that's management-speak for "Oh shit" - with nearly half resulting in 'corrective action';

- 71% of callers gave information that was 'news to management'. 71%! Managers I have known think they are well-connected to the workforce. "I'm all ears", they say. "My door is always open" or "I Manage By Walking About." Yeah, right;

- just over half of the callers prefer anonymity, with callers alleging corruption/fraud (10% of calls) less likely to remain anonymous than those reporting other things such as HR issues, policy/code violation, environment/health and safety concerns etc. In my experience, managers considering whistleblower policies seem overly concerned about anonymity, claiming that it encourages frivolous or scurrilous calls, and that they won't be able to investigate calls made anonymously. More poppycock! It seems to me they need to focus more on addressing the content of the calls than on the callers;

- What I would categorise as "blue collar workers" are more likely to use whistleblower lines than "white collar workers", with retail and transportation/comms/utilities employees leading the way.

Does your organization have a whistleblowers' policy, with or without a hotline? Was its introduction driven by SOX, by Audit, as a result of a particular incident or for some other reason? Who answers the calls/emails and how do they handle them? How useful is the information obtained in relation to the effort/cost involved? If you could start over, how would you set it up? Comments and further links are very welcome. I'm eager to learn more.

Wednesday, January 10, 2007

Infosec laws, standards & regs cross-referenced

The IT Compliance Institute (ITCi) has produced a useful cross-reference matrix showing the points of contact/overlap between a whole bunch of US/international laws, standards and regulations relating to information security (free access requires registration on the ITCi site - there are other useful resources too so it's probably worth doing). Some of the main ones are: ISO 17799 and 27001, COBIT4, COSO ERM, NIST SP 800-14/26/53, FISMA, Mastercard SDP, HIPAA, various FFIEC, SAS 94, PCAOB and SOX. They are listed along one axis with control objectives on the other axis and the page or section references in the body note the coverage.

So, here are three ways you might use the matrix:

- ISMS coverage by control objective: check down the list to confirm that your ISMS covers most of the control objectives, and if there are any you do not recognize or you know are weak, look across the rows to find references from the standards that will explain the requirements;

- ISMS coverage by laws/standards/regs: highlight the vertical columns for all those laws/stds/regs with which your organization has to comply, then highlight the horizontal rows where there are any entries in a marked column. Rows with multiple entries are common controls so you probably already have them but implementation should integrate the multiple requirements. Be careful about the rows with single entries: do you have them all covered in your ISMS? If not, there's a noncompliance risk to consider.

- Linking standards to laws & regs: management are strangely concerned about compliance to laws and regs if not standards, presumably because they fear the personal accountability and business impact of non-compliance. The cross-reference matrix can help the information security manager who is promoting best practice ISMS standards by identifying the legal and regulatory requirements that coincide with best practice controls.

A lot of work must have gone into compiling the matrix. Make the most of it.
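The three uses of the matrix described above, worked through in code. This is an added illustration, not the ITCi matrix or any ITCi tool: the control objectives, the column names and the page references in the toy matrix below are constructed for the example, although the column names are drawn from the list of sources mentioned in the post.

```python
"""Added illustration of three ways to use a compliance cross-reference
matrix. The matrix is a constructed toy, not the ITCi matrix: objectives,
columns and page references are made up for the example."""
from __future__ import annotations
from typing import Dict, List, Tuple

# control objective -> {law/standard/regulation: page reference in that source}
MATRIX: Dict[str, Dict[str, str]] = {
    "Access control policy": {"ISO 17799": "p.61", "COBIT4": "p.118", "HIPAA": "p.14",
                              "SOX": "p.9", "FISMA": "p.22"},
    "Backup and recovery": {"ISO 17799": "p.53", "COBIT4": "p.131", "HIPAA": "p.17"},
    "Security awareness training": {"ISO 17799": "p.26", "HIPAA": "p.12", "FISMA": "p.24",
                                    "NIST SP 800-53": "p.33"},
    "Cardholder data retention": {"Mastercard SDP": "p.4"},
    "Audit log review": {"ISO 17799": "p.58", "SOX": "p.11", "Mastercard SDP": "p.7",
                         "NIST SP 800-53": "p.41"},
    "Breach notification": {"HIPAA": "p.19"},
    "Segregation of duties": {"ISO 17799": "p.49", "COBIT4": "p.97", "SOX": "p.10"},
}


def requirements_for_gaps(matrix: Dict[str, Dict[str, str]],
                          gaps: List[str]) -> Dict[str, Dict[str, str]]:
    """Use 1, coverage by control objective: for each objective the ISMS lacks
    or covers weakly, read across the row for the sources that explain it."""
    return {obj: dict(matrix[obj]) for obj in gaps if obj in matrix}


def coverage_by_regulation(matrix: Dict[str, Dict[str, str]],
                           applicable: List[str]) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Use 2, coverage by laws/standards/regs: mark the applicable columns, then
    split rows with any mark into common controls (more than one applicable
    source) and single-entry rows, the ones to check for noncompliance risk."""
    common: Dict[str, List[str]] = {}
    single: Dict[str, str] = {}
    for obj, cells in matrix.items():
        hits = [src for src in applicable if src in cells]
        if len(hits) > 1:
            common[obj] = hits
        elif len(hits) == 1:
            single[obj] = hits[0]
    return common, single


def uncovered_required(matrix: Dict[str, Dict[str, str]], applicable: List[str],
                       implemented: List[str]) -> List[str]:
    """The noncompliance check from use 2: objectives that at least one
    applicable source demands but the ISMS does not yet implement."""
    common, single = coverage_by_regulation(matrix, applicable)
    return sorted((set(common) | set(single)) - set(implemented))


def best_practice_backed_by_law(matrix: Dict[str, Dict[str, str]], standard: str,
                                laws: List[str]) -> Dict[str, List[str]]:
    """Use 3, linking standards to laws and regs: objectives where the chosen
    best-practice standard coincides with at least one law or regulation,
    i.e. the controls a reluctant management cannot dismiss as optional."""
    return {obj: [law for law in laws if law in cells]
            for obj, cells in matrix.items()
            if standard in cells and any(law in cells for law in laws)}
```

Run `coverage_by_regulation(MATRIX, ["HIPAA", "SOX", "Mastercard SDP"])` to see the split: the access control and audit log rows come out as common controls, while breach notification and cardholder data retention each hang off a single source and are the first rows to check against the ISMS.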

There's further information on ISMS best practices at our ISO 27001 Security website.

A webinar explains the ITCi's Unified Compliance Project which is making excellent plans to simplify, harmonize and perhaps even unify the IT compliance problem across laws, standards and regs.

More information security links here

Thursday, January 04, 2007

Outsourcing in India

We all know about the off-shore call-centers in places like India and Indonesia, but there's more to outsourcing than call-centre operations. A fascinating article in Bank Technology News paints a beautifully clear picture of IT outsourcing in India, particularly the islands of investment awash in a sea of poverty.

It's easy for us Westerners to overlook the cultural differences and make false assumptions about India, especially if we have never visited that part of the world. Outsourcing may be a massive earner for India and is still growing strongly but the local infrastructure is creaking under enormous strain. The caste system survives, meaning inherent inequalities. India has over a billion citizens, half of them under 25, and an average wage of just US$3,300 per year. Whereas two thirds of the population survives on less than a dollar a day, highly-trained IT specialists earn well and are in short supply. High IT staff turnover creates its own security issues.

The article specifically calls out the information security and privacy concerns in India. "... background checks of personnel remains a nagging concern. No central criminal databases exist and credit agencies remain relatively new, so any background checks must be done in person, which is often invasive. "Sometimes they'll just ride around the [potential employee's] neighborhood and talk to the constable," says Crosby. "None of this stuff is documented."

"... the Indian Information Technology Act of 2002 makes cyber crimes a federal offense, enforceable by India's Central Bureau of Investigation. The CBI established the Cyber Crime Investigation Cell in March 2002 to patrol such crimes, including a crime lab to train investigators. Parliament is now debating an amendment to the act, already approved by the Cabinet, that would make fines and jail time more stringent for those convicted of IT privacy crimes."

Indian data centers are reasonably secure according to those who have inspected the facilities. "... most outsourcers are compliant and certified for BS779 and ISO17799 controls, the two U.S. best-practice controls for information security, which have now become internationally recognized." [Some artistic license there by the journalist: British Standard BS 7799 became ISO standard ISO/IEC 17799, neither of which are American!].

More privacy and information security management links

Tuesday, January 02, 2007

Cheap source of ISO security standards

Here's some news to cheer your new year. ANSI is selling ISO 17799:2005 as a PDF download for just US$30. Bargain! The normal price elsewhere is at least $100 more so either they are having a January clearance sale prior to its imminent re-badging as ISO 27002 or someone made a typo on the pricing page (an integrity failure!).

A PDF of ISO 27001:2005 is also just $30.

The license permits installation and use of the PDFs on a single PC but I believe site licenses are also available.

More info on ISO 27001 and ISO 17799/27002

Tuesday, December 26, 2006

IT security's place in the world

A neat presentation and webcast by George Spafford brought out the value of integrating IT security processes with general IT operations, risk, change and configuration management and linking to business strategy, through ITIL IT service management and COBIT. It's good to see such a broad perspective on IT security, especially one that puts the business rather than security objectives at centre stage.

More information security management resources

Wednesday, December 20, 2006

Audit checklist for information security management

The IT Compliance Institute has amassed an excellent collection of IT governance-related white papers, articles and resources. Their IT audit checklist for reviewing information security management, a new addition, has many potential uses [access requires you to register on the website]. It can be used directly by experienced IT auditors and compliance assessors as a checklist to guide a review of key controls, and it provides pointers on audit preparation, testing and reporting. Prospective auditees and managers will benefit from reading about and preparing for the kinds of things the auditors will be doing, especially the section on things the auditors will be looking for. Those designing and implementing Information Security Management Systems will appreciate the guidance on elements of an ISMS that auditors find particularly important. The checklist can even form the basis of a structured description or specification for a robust ISMS. All in all, a nice paper from the IT Compliance Institute. It's worth browsing the ITCi website for other similar resources including the biannual IT Compliance Journal [again, "free" to those who register].

More information security management, IT governance and IT audit resources

Friday, December 01, 2006

The oh-so-helpful Help Desk

"'Phone Phishing', a method of stealing confidential information over telephone, is on a steady rise and awareness is the key to tackle it, according to security experts here. The most prevalent method of gaining access to personal data is the simple process of picking up a phone and calling a customer service call centre of a service provider, they said. Customer service agents are trained to "take care" of callers and often they are more than willing to help." So says a piece in India's Economic Times. I must say that, in my experience, security aware customer service agents (those first two words are vital!) can be one of the information security manager's strongest allies in the battle against social engineers. Through security awareness/training/education, coupled with proper management support and sensible policies, guidelines and procedures, IT Help/Service Desk workers should not only be permitted to refuse to service dubious callers, they should be actively encouraged to be careful.

More social engineering resources

Tuesday, November 21, 2006

Risk management audit checklist

An audit checklist from the IT Compliance Institute (ITCi) explains what auditors would typically want to know about enterprise risk management practices. The checklist, written by the infamous Dan Swanson, offers practical advice to auditees as well as auditors. The ITCi "strives to be a global authority on the role of technology in business governance and regulatory compliance. Through comprehensive education, research, and analysis related to emerging government statutes and affected business and technology practices, we help organizations overcome the challenges posed by today’s regulatory environment and find new ways to turn compliance efforts into capital opportunities."

More risk management and IT audit resources

Monday, November 20, 2006

FAIR point

Alex Hutton runs a weblog for IT risk geeks focusing on the FAIR (Factor Analysis of Information Risk) risk analysis method that his employer Risk Management Insight LLC (RMI) promotes. In his blog, Alex takes me to task for my previous blog entry about the FFIEC, FAIR enough, and complains that the NoticeBored blog only accepts comments from authenticated users. Well OK, I've relaxed the restriction to encourage more feedback although I'll be moderating comments, not to censor what people say but merely to block spam. [Alex: why didn't you email me? Gary@isect.com]
Meanwhile, I took another look at FAIR. What follows is a rather harsh and cynical critique of the FAIR method as described in the undated draft FAIR white paper, partly because the paper's author, Jack Jones, invites comment towards the end of the document: "It isn’t surprising that some people react negatively, because FAIR represents a disruptive influence within our profession. My only request of those who offer criticism is that they also offer rational reasons and alternatives. In fact, I encourage hard questions and constructive criticism". So here goes.
Right away, I was intrigued by a statement at the front of the paper regarding it being a "patent pending" method that commercial users are expected to license. Unless I'm mistaken (which is entirely possible!), "patent pending" means "not patented" i.e. it is not currently protected by patent law, or else it would presumably be labelled "Patented" and give a patent number. Judging by the content of the introductory paper, FAIR appears to be a conventional albeit structured risk analysis method so I'm not clear what aspect of it would be patentable in any event. [My snake oil-o-meter starts quivering around the 5% mark at this point.]
"Be forewarned that some of the explanations and approaches within the FAIR framework will challenge long held beliefs and practices within our profession. I know this because at various times during my research I’ve been forced to confront and reconcile differences between what I’ve believed and practiced for years, and answers that were resulting from research. Bottom line – FAIR represents a paradigm shift, and paradigm shifts are never easy." [Not only is it claimed to be patentable, but it's a paradigm shift no less! The snake oil-o-meter heads towards 10%.]
The paper defines risk as "The probable frequency and probable magnitude of future loss". [Strictly speaking, risk includes an upside too, namely the potential for future gain which FAIR evidently ignores.] FAIR considers six specific forms of loss: productivity, response, replacement, fines/judgments, competitive advantage and reputation. [Management's loss of confidence in any system of controls that fails is evidently not considered in FAIR - in other words, there is an interaction between management's risk appetite and their confidence in the control systems they manage, based on experience and, most importantly, perception or trust. These apparent omissions hint at what could potentially be a much more significant problem with the method: there is no clear scientific/academic basis for the model underpinning the method, meaning that there are probably other factors that are not accounted for. Obtuse references to complexity and this being an "introduction" to details that are to be descibed in training courses etc. further imply incompleteness in the model and hence limited credibility for the method. Snake oil-o-meter jumps to half way.]
"A word of caution: Although the risk associated with any single exposure may be relatively low, that same exposure existing in many instances across an organization may represent a higher aggregate risk. Under some conditions, the aggregate risk may increase geometrically as opposed to linearly. Furthermore, low risk issues, of the wrong types and in the wrong combinations, may create an environment where a single event can cascade into a catastrophic outcome – an avalanche effect. It’s important to keep these considerations in mind when evaluating risk and communicating the outcome to decision-makers." [I wonder whether FAIR adequately describes risk aggregation, possible geometric increase and the "avalanche effect" noted here, in scientific terms? The author accepts the need to take such things into account but does FAIR actually do so? Snake oil-o-meter swings wildly around the half way point.]
[FAIR looks to me like a practitioners' reductionist model, something they have thought about and documented on the basis of their experience in the field as a way to describe the things they feel are important. FAIR might *help* an experienced information security professional assess risks but I'm not even entirely sure of that: the method looks complex and hence tedious (=costly) to perform properly. I wonder whether, perhaps, the FAIR method should be applied by a consultant such as someone from, say, RMI? Snake oil-o-meter settles around two-thirds full scale.]
To give him his due, the author acknowledges some potential criticisms of FAIR, namely: the "absence of hard data" and "lack of precision" (which are simply discounted as inherent limitations as if that settles the matter); the amount of hard work involved in such a complicated method (which is tacitly accepted with "it gets easier with practice"); "taking the mystery out of the profession" and resistance to "profound" change (I know plenty of information security and IT managers who would dearly like to find an open, sound, workable and reliable method.) [FAIR does not appear to be a profound change so much as an incomplete extension of conventional risk analysis methods. Snake oil-o-meter creeps up again.]
The appendix outlines a "basic risk assessment" in 4 stages: (1) "Identify scenario components" ("identify the asset at risk" and "identify the threat community under consideration"); (2) "Evaluate Loss Event Frequency (LEF)" ("estimate the probable Threat Event Frequency (TEF)", "estimate the Threat Capability (TCap)", "estimate Control strength (CS)", "derive Vulnerability (Vuln)" and "derive Loss Event Frequency (LEF)"); (3) "Evaluate Probable Loss Magnitude (PLM)" ("estimate worst-case loss" and "estimate probable loss"); and finally (4) "Derive and articulate Risk". Many of these parts clearly involve estimation, implying subjectivity (e.g. "estimate probable loss" could range from zero to total global destruction in certain scenarios: the appendix does not say how we are meant to place a mark on the scale). The details of the method are not fully described. For example, the TEF figure seems to be obtained by assigning the situation to one of a listed set of categories: "Very High (VH): > 100 times per year"; "High (H): Between 10 and 100 times per year"; "Moderate (M): Between 1 and 10 times per year"; "Low (L): Between .1 and 1 times per year"; or "Very Low (VL): < .1 times per year (less than once every ten years)." Similarly, the category boundaries for worst case loss vary exponentially for no obvious reason ($10,000,000; $1,000,000; $100,000; $10,000; $1,000; $0). [The use of two-dimensional matrices to determine categories of 'output' value based on simple combinations of two 'input' factors is reminiscent of the two-by-two grids favored by new MBAs and management consultants everywhere. The rational basis for using these nonlinear scales and the consequent effects on the derived risk probability are not stated, nor is the method for determining the appropriate category under any given circumstances (how do we know, for sure, which is the correct value?). This issue strikes at the very core of the "scientific" (theoretically sound, objective, methodical and repeatable) determination of risk. The snake oil-o-meter rises rapidly towards three-quarters.]
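An added illustration of the category scales and of the aggregation caveat quoted earlier (my own Python, not code from the FAIR paper or from RMI): the band boundaries are the ones quoted from the appendix, while the inclusive-boundary handling and the independent-Poisson aggregation model are assumptions of mine, not part of FAIR.

```python
"""Added example (not from the FAIR paper or this blog post): bin estimates into
the TEF and loss-magnitude scales quoted from the FAIR appendix, and show what
happens to the category when one "Very Low" exposure is present on many systems."""
import math

# Threat Event Frequency bands as listed in the appendix (events per year).
# The appendix does not say which band an exact boundary value belongs to;
# this code treats "Very High" as strictly above 100 and every other band as
# inclusive of its lower bound (an assumption, not part of FAIR).
TEF_BANDS = [
    ("Very High (VH)", 100.0),   # > 100 per year
    ("High (H)", 10.0),          # 10 to 100 per year
    ("Moderate (M)", 1.0),       # 1 to 10 per year
    ("Low (L)", 0.1),            # 0.1 to 1 per year
    ("Very Low (VL)", 0.0),      # < 0.1 per year
]

# Worst-case loss boundaries listed in the appendix (US dollars), largest first.
LOSS_BOUNDARIES = [10_000_000, 1_000_000, 100_000, 10_000, 1_000, 0]


def tef_band(events_per_year):
    """Map an estimated event frequency onto the appendix's five TEF categories."""
    if events_per_year > 100.0:
        return TEF_BANDS[0][0]
    for name, lower in TEF_BANDS[1:]:
        if events_per_year >= lower:
            return name
    return TEF_BANDS[-1][0]  # negative input: treat as the lowest band


def loss_floor(worst_case_loss):
    """Largest appendix boundary not exceeding the loss estimate, i.e. the decade
    the loss falls into on the $0 .. $10,000,000 logarithmic scale."""
    for boundary in LOSS_BOUNDARIES:
        if worst_case_loss >= boundary:
            return boundary
    return 0


def band_spread(low_estimate, high_estimate):
    """Every TEF band touched by an estimate range. More than one band means the
    categorical result depends on where in the range the assessor places the mark."""
    touched = {tef_band(low_estimate), tef_band(high_estimate)}
    for _, lower in TEF_BANDS:
        if low_estimate < lower <= high_estimate:
            touched.add(tef_band(lower))
    return touched


def aggregate_tef(per_instance_tef, instances):
    """Expected events per year across `instances` identical exposures. If the
    instances are independent, frequencies simply add (linear in N)."""
    return per_instance_tef * instances


def prob_at_least_one(per_instance_tef, instances, years=1.0):
    """Probability of at least one event in `years`, modelling arrivals as
    independent Poisson processes (an assumption; FAIR does not specify a model).
    Correlated or cascading failures, the 'avalanche effect' the paper warns of,
    are not captured by this simple model."""
    return 1.0 - math.exp(-per_instance_tef * instances * years)


def demo():
    # Constructed scenario: a weak setting estimated to be exploited 0.005 times
    # a year per server ("Very Low"), present identically on 400 servers.
    per_server, servers = 0.005, 400
    fleet_tef = aggregate_tef(per_server, servers)
    return {
        "per_server_band": tef_band(per_server),            # Very Low (VL)
        "fleet_tef": fleet_tef,                             # 2.0 events per year
        "fleet_band": tef_band(fleet_tef),                  # Moderate (M)
        "p_any_event_this_year": prob_at_least_one(per_server, servers),  # ~0.865
        "range_1_to_15_touches": band_spread(1.0, 15.0),    # {M, H}: one estimate, two answers
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```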
The appendix casually includes a rather worrying statement: "This document does not include guidance in how to perform broad-spectrum (i.e., multi-threat community) analyses." [Practically all real-world applications for risk analysis methods necessarily involve complex real-life situations with multiple threats, vulnerabilities and impacts. It is not clear whether the full FAIR method can cope with anything beyond the very simplest of cause-effect scenarios. Snake oil-o-meter creeps up to 80%.]
To close this critique, I'll return to a comment at the start of the FAIR paper that information risk is just another form of risk, like investment risk, market risk, credit risk or "any of the other commonly referenced risk domains". [The author fails to state, though, that risk is not managed 'scientifically' in these domains either. Stockbrokers, traders, insurance actuaries and indeed managers as a breed use, but cannot be entirely replaced by, scientific methods and models. Their salaries pay for their ability to make sound decisions based on expertise, meaning experience combined with gut feel - clearly subjective factors. Successful ones are inherently good at gathering, assessing and analysing complex inputs in order to derive simple outputs ("Buy Esso, sell BP" or "Your premium will be $$$"). From the outset, it seems unlikely the method will meet its implied objective to develop a scientific approach. Being based on "development and research spanning four years" is another warning sign since risk analysis in general and information security risk in particular, have been studied academically for decades. Although this is an 'introductory' paper with some strong points, it is quite naive in places. The snake oil-o-meter peaks out at around 80%.]

More risk management links

Wednesday, November 15, 2006

Handbook of Information Security


The Handbook of Information Security: Key Concepts, Infrastructure, Standards, and Protocols, edited by Hossain Bidgoli (~$900 from Amazon), is a huge triple-volume 3,366-page classic textbook comprising chapters on a wide range of information security management topics by acknowledged subject matter experts. This is a properly researched and peer-reviewed collection of top-notch material that is suitable both as a practitioners’ reference and as the course book for information security Masters degrees. If you are seriously interested in information security management, this is your Bible.
More information security management resources

Wednesday, October 18, 2006

Open Information Security Risk Management Handbook

Clement Dupuis over at cccure.org put me on to a new infosec risk management handbook from an organization I haven't come across before - a Swiss organization called the Security Officers Management and Analysis Project. The handbook is described as "high level informations" containing 14 core pages on risk management, both in general and specifically in relation to information security - in fact, it probably has more to say on information security management than risk management. It aims to describe "how to plan, implement and manage an information security risk strategy and ISMS (Information Security Management System) activities." The language is rather naive in places but this could easily be due to its being translated into English, and the meaning comes through. For example: "A security officer never should be the owner of an asset. Even if this could look like a good idea, it is not. At the end the security officer would be responsible for all the assets which he obviously can not be." It is loosely structured around ISO 17799 / ISO 27001.
The accompanying Information Security Risk Assessment Guide is still in development with a 31-page draft already available. The guide looks as if it will focus on risk management in greater depth than the handbook. At the moment, it is little more than a collection of placeholders, ideas and notes to be explained/expanded later.
Both documents are released under the GNU Free Documentation License giving recipients the freedom to create and sell derivative works provided they reference the originator, retain section headings etc. SOMAP are actively inviting readers to get involved with and contribute to the project. If their appeal succeeds, the project has the potential to clear up an area of information security management that remains poorly served by other works. Although maybe a dozen information security risk management methods are in use worldwide, they seem to be the realm of specialists rather than general practice in the field.
More risk management resources

Tuesday, October 17, 2006

When POTS becomes VOIP

The transition from POTS (Plain Old Telephone System) to VOIP (Voice Over IP) is likened in an article by CSO Magazine to Swedes changing the side of the road on which they drive. It's a dramatic analogy but acts as a worthwhile counterpoint to the usual arguments about VOIP simply replicating POTS security issues. In fact, VOIP/IPtel introduces some novel risks:
- Confidentiality: unauthorized disclosure of information by snooping on calls, copying or redirecting them;
- Integrity: change management; authentication of users and security administration;
- Availability: additional complexity caused by implementing new IT/networking equipment to replace tried-and-trusted PABXs; convergence of voice and network technologies potentially creating new unanticipated technical issues;
- Financial: risks relating to the implementation project's business case;
- Operational: changing pattern of use of phone systems may open up novel working practices and business opportunities with unique security/risk implications (e.g. remote Internet teleworking potentially including offshore, wireless phones).
Analysing the risks on another axis gives a different view:
- Threats: accidental misconfiguration or operator errors causing software/system/network failures; man-in-the-middle attacks on voice calls (manipulating voice traffic in real time to change conversations);
- Vulnerabilities: new technology (compared to POTS); all the usual information or IT security vulnerabilities (e.g. bugs); all eggs in one basket;
- Impacts: simultaneous loss of network data and voice capability causing business disruption; disclosure of confidential information; regulatory or legal implications such as retention of calls.
More web and network security links

Friday, October 13, 2006

Patch within 15 mins

Microsoft has dumped another bucket of patches on its customers. Read the Microsoft info page or, for another perspective, check out what SANS Internet Storm Center has to say. The ISC picks out three critical patches, one of which they rate "PATCH NOW" since it is being actively exploited. If you are too busy to check, test or download the patches, remember that the clock is ticking. A few days back, the BBC reported that a honeypot system running unpatched XP Home gets compromised within ~15 minutes of web connection. Get your patching processes up to scratch or face trying to explain to your stakeholders why you suffered avoidable information security incidents ...
More incident management and bugs! resources

Pre-incident forensics

Managers seem to expect forensic evidence to appear as if by magic when an employee is caught committing fraud or circulating porn on company IT equipment. The reality is that, while system, network and firewall logs usually record some information, it is unlikely to be sufficient or suitable for forensic purposes unless the logs and controls have been designed and maintained with that potential use in mind. Aristotle has an unusual network usage/content monitoring product that claims to address this kind of controls gap. It is targeted at schools and offices, for example identifying children contemplating suicide or employees stealing corporate data. It retains forensic evidence and provides the reporting tools to make use of it.

More incident management links

Saturday, September 30, 2006

CyberSpeak forensics podcast

CyberSpeak is a technology podcast covering computer security, computer crime and computer forensics, hosted by two former federal agents who investigated computer crime. It comes highly recommended by a fellow CISSP.
More incident management and forensics links

Friday, September 29, 2006

Awareness module on IT incident management

October's NoticeBored Classic information security awareness module is about information security/IT incidents - how they are identified, reported, analyzed, contained, resolved and closed out. We encourage organizations to conduct Post Incident Reviews routinely on all significant incidents, not to apportion blame but to identify control improvements and, most importantly, make sure someone is identified to "own" the corrective actions arising. This is a typical learning loop leading to continuous improvement, yet so often things are just left drifting after the dust has settled on an incident. Perhaps it's a maturity thing. I've witnessed first-hand quite a range of responses to serious infosec breaches, ranging from "headless chicken mode" to "stay calm, everything is under control". The headless chickens were far too disorganized to consider, let alone conduct, effective Post Incident Reviews, preferring to continue lurching from breach to breach. If only their stakeholders knew the true state of management!
Incident management links collection here. Further relevant contributions always welcome.

Saturday, September 16, 2006

CIO/CSO/PwC infosec survey 2006

The State of Information Security 2006, a worldwide study by CIO, CSO and PricewaterhouseCoopers was published today. A well-written press release summarizes the main findings but I look forward to reading the full report in depth in due course.
Surveys like this frequently provide snippets of security awareness information that Mean Something to management. It's easy to take comments and statistics out of context that appear to support pretty much any position you want to promote ... but the real value is in being able to put some context around current trends and build a more strategic view of information security in relation to business imperatives. Catching management's interest enough to get them to read the report is an even better outcome.

More security awareness links

Wednesday, August 23, 2006

Whistleblowers: courageous or foolhardy?

A Sky News piece Faulty Parts Danger On Holiday Jets explains that two former internal auditors at Boeing did their job by reporting dubious safety practices to management, who, instead of thanking them for doing their jobs, allegedly marginalised and intimidated them and eventually demoted and dismissed them. The auditors went a step further by blowing the whistle to the FAA and are now locked in a legal dispute with their former employer under the US whistleblower law. Boeing, naturally enough, says the whistleblowers' case is "without merit" and stresses the multi-level safety controls. [Speaking as a former internal auditor at Airbus, I can vouch for the multi-level safety controls and quality assurance practices in the aerospace industry, and also for the intense competition between the major players. I didn't see dubious safety practices in my time at Airbus, quite the opposite in fact but, that said, I was an IT auditor not an engineering/procurement specialist. I did see management and politicians heavily engaging in competitive strategies but (to my knowledge), passenger safety was paramount. Design engineers were actively encouraged to cut weight and cut costs but without compromising safety. Safety did not appear to be a competitive issue at Airbus.]

Tuesday, July 18, 2006

New home for the STIGs

The Security Technical Implementation Guides (STIGs) and other information-security-related guides from the NSA, previously released through the NIST website, are now available directly from DISA's public area. The STIGs, in particular, form an excellent basis for corporate technical security standards, supplementing the vendor-specific secure configuration and system hardening guides released by the likes of Microsoft, HP, Cisco etc. Their mailing list is a neat way to keep up with developments - low volume and invariably interesting.
More IT Ops, secure systems management and related links

Sunday, July 09, 2006

Untrustworthy insiders

A very public industrial espionage case involving allegations that an employee tried to sell proprietary information from Coca-Cola to Pepsi is a timely reminder of the issues arising from trusted insiders. It is alleged that the employee, an administrative assistant in the marketing function having ready access to highly sensitive information, removed it from the office and offered to sell it to Coke's arch rival. Pepsi presumably alerted the authorities, who ran a 'sting' to catch the alleged perpetrator red-handed. Even with the benefit of 20-20 hindsight, it is unclear what Coke management might reasonably have done to address this risk. Better screening and supervision of employees, maybe? Clearer policies on control of sensitive information in whatever format, e.g. "secret information must not be removed from the office"? An employee who is prepared to offer secrets for sale to a competitor seems unlikely to heed such policies. Better detective and corrective controls might perhaps have identified the exposure before things got out of hand, especially if there were preliminary incidents. Due to the impending court action, there is limited information on the details of the case; for example, the news article does not state whether the accused had an exemplary record.
More links on keeping secrets

Thursday, June 15, 2006

Economic espionage, a clear and present danger

The latest CSO ezine contains an eye-opening assessment of the risk of 'economic espionage' (a.k.a. industrial espionage or intellectual property theft). Secrets Stolen, Fortunes Lost recounts several case studies and makes the point that traditional security measures are no longer effective in today's e-everything world. Information security threats require different controls, and in turn this requires senior management to update their attitudes towards securing the company's crown jewels. Simply acknowledging the value of their proprietary and personal information would be a good start, let alone recognising the vulnerabilities and impacts of information security breaches.
More IPR resources

Saturday, June 10, 2006

A solid information security manual

NIST Special Publication 800-100 "Information Security Manual: A Guide for Managers" is a 174-page draft released in June 2006 for public comment. It refers throughout to [US Government] agencies but in fact is broadly applicable, containing sound guidance on important areas such as information security governance, investment and metrics, planning, contingency, C&A, incident management and, of course, awareness training and education. It's a good-un, well worth a serious look.
More infosec laws, regulations and standards

Wednesday, May 17, 2006

Security metrics presentation

Influencing senior management, a presentation on security metrics, gives a good overview of the factors to consider when developing a set of security metrics. The particular examples chosen may not suit every organization but, as examples, they illustrate the kinds of things worth measuring and reporting. The slides touch on Kaplan and Norton's classic 'balanced scorecard' approach but (as so many do) emphasize 'scorecard' over 'balance'. Still, a worthwhile read if you, like me, are fishing around for useful security metrics.

Saturday, May 06, 2006

Best Practices for Secure Development

Best Practices for Secure Development may be 5 years old but the advice is still sound. "Inasmuch as a software project does not start with coding, building security into an application does not start by implementing security technologies. We will suggest an approach recommended by the existing risk management and software building practices." The paper goes on to discuss security aspects up to implementation, stopping short of security operations, controls maintenance and security aspects of end-of-life system retirement/replacement.
More secure software development links

Sunday, April 30, 2006

SOX s404 paper released by IIA

Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners has been released by the Institute of Internal Auditors. We are encouraged to share it with our management and Boards.
More governance links

Thursday, April 20, 2006

The value of security awareness

A new item at Silicon.com included the following quote: "'Companies must make strong and effective security practices part of their culture through awareness, education and accountability,' says Jan Babiak, head of the information security practice at Ernst & Young. 'This needs to be enforced by the CEO and the board, with organisations aspiring to implement well designed controls and fostering a security-conscious culture led from above. Without this top-down endorsement, employees will often ignore controls or worse avoid them, placing the entire enterprise at great risk.'" We'd certainly support the need for senior management's proactive support but there's rather more to the issue than that.
Take security policies for example. Policies without a management mandate are practically worthless. Policies with a clear mandate are fine, but are not in themselves effective. Policies with a clear mandate, a communications program to make sure people are aware of and understand their obligations towards the policies are an improvement ... but even that is not enough. People need to be led the extra mile to commit to the policies and, in time, adapt their behaviors to fall into line with the policies. Compliance activities can help but (yes, you guessed it) are not necessarily The Answer either - "comply or else" expletives from management can cause enormous damage to the changes necessary to achieve positive cultural shifts.
In a truly security-aware culture, people comply with security policies not so much because someone tells them to do so, but because they genuinely appreciate the need, just as an experienced driver instinctively uses mirror-signal-manoeuvre whereas a learner driver consciously mutters the reminder under their breath. Get the security habit through awareness, training and education - but make sure your management get in the habit too. Awareness really does start at the top.
White paper on the value of security awareness

Tuesday, April 11, 2006

ISM-cubed, a new infosec management model

Information Security Management Maturity Model (ISM-cubed) is a new method that seeks to apply ISO 9000-style quality management processes to information security management. The method’s description paper naturally mentions ISO 17799, ISO 27001, COBIT, ITIL, CRAMM and other buzzwords. Unfortunately it does not explain how the method was developed (e.g. does it have an academic or pragmatic basis?).

Capability maturity model and metrics are particularly interesting aspects of the method. Standards such as ISO 17799 and COBIT are quite 'flat' with no obvious sequence in which organizations might implement the basics and then progressively improve their security. ISO 27001 does include the classic Deming PDCA continuous quality improvement model but falls short on metrics. ISO 21827 is a security maturity model, again with limited metrics. NIST SP 800-55 includes an enormous list of security metrics but little in the way of practical guidance on selecting or using them to mature an organization's information security management.

More information security management links

Sunday, March 05, 2006

BS 7799 / ISO 17799 / ISO 27002

Through ISO27001security.com we are helping to spread good information security practices and promote the use of the new ISO 27000-series information security management standards. We have finally published an update to the page describing the latest version of the information security management standard ISO 17799:2005 (which is due to become ISO 27002 next year). We have documented the history and outlined the content of the standard with a brief summary of the main sections and subsections.
Explore links to further web resources on the standards, regulations and laws applying to information security on the NoticeBored.com website.

Sunday, February 19, 2006

The CISO Handbook

The CISO Handbook is a well-written practical guide to building and delivering an information security improvement programme. Presenting sage advice in a consistent manner, the book is a helpful primer for the person tasked by management with 'fixing information security'.
More book reviews, white papers etc. on our website

Sunday, February 12, 2006

NSA/CIS Security Configuration Guides

The NSA and CIS's SNAC security configuration guides comprise a set of security standards for various operating systems (such as Windows, MacOS, Solaris), applications (such as Oracle, SQL Server, Exchange, Office, SMS, BEA Weblogic, IIS, IE and Netscape), network equipment (routers and switches) and more. If your management has endorsed your high-level and information security policies but the supporting technical standards are still ‘work in progress’, then take a look at SNAC.
More IT operations security resources
