Compliance - a matter of managing risks

Today I've been browsing the good stuff going on over at Unified Compliance Project whose aim, as I understand it, is essentially to help organizations find and exploit alignments between various compliance requirements, eliminating duplication and hence reducing the total amount of compliance effort required. For example, implementing an ISO/IEC 27001-compliant Information Security Management System (ISMS) should simultaneously satisfy most if not all legal requirements for information privacy controls (with no additional effort), and should at least partially satisfy governance requirements arising from SOX, in addition to miscellaneous business benefits as a result of having a best practice ISMS.

One of the issues I've been pondering relates to "mandatory" requirements and obligations such as those enshrined in laws, regulations and contractual terms. It seems to me that, despite initial impressions, compliance with "mandatory" requirements may not be a simple binary condition. For a start, in most cases, the requirements are more complex than that. It is conceivable for the organization to be fully compliant with certain parts of the requirements but not so for others. Furthermore, the extent of compliance with any one requirement is often subject to interpretation, either because the requirement is ambiguous (hopefully not!) or because the organization and whomever is assessing compliance (law enforcement, lawyers, auditors, regulators, management) have their own viewpoints and prejudices. Finally, there is a chance that noncompliance might not be detected, or even if it is, it might not lead to the worst case consquences often paraded by the compliance lobby.

It's the same with speeding laws. If I break the speed limit, even by 1 mph, I am strictly failing to comply with a mandatory legal obligation. In practice, however, it is extremely unlikely I would ever be stopped for 1 mph over because (a) there are insufficient policemen with radar guns to track my every journey; (b) their radar guns have tolerance limits; (c) my speedo has tolerance limits, and the police and/or prosecutors allow me some flexibility; (d) if I am caught, there's a chance I might talk my way out of it; (e) even if I am fined, I might escape justice by fleeing the country, or I might get off "on a technicality". The situation changes for every mph over the limit - as indeed do my chances of being involved in a fatal accident. I weigh all this up every time I drive. [And yes I make mistakes: I have been fined for speeding. I didn't flee the country, I paid up and "learnt my lesson".]

So, all of this is, in fact, a risk management exercise. I assess the threat (of being caught speeding), the vulnerability (how far over the limit I am going) and the impact (the fines, the grief).

Something like SOX can be treated in the same way. Management may consciously choose NOT to be totally compliant, assessing the risks like any other business decision. Maybe they will get away with it. Maybe they can present good enough excuses to the auditors etc. to escape the full force of the law. Maybe the commercial benefits of noncompliance justify it in purely economic, if not ethical, terms.

I haven't seen this kind of perspective discussed anywhere but I am not a compliance expert. Perhaps it's old hat and I've just stumbled across somethig that is already well known. Or perhaps this stuff actually happens but nobody is willing to acknowledge it openly? I'd be interested in your thoughts.

USB security risk self-assessment

City of London Police officers thinking of transferring information on USB memory sticks can self-assess the risks using a questionnaire. It's a simple idea really: a police officer's responses to a few questions determine the 'risk score' leading to approval (or rather a requirement to seek approval from the relevent level of management authority, and/or to use USB sticks with additional security controls) or disapproval of the use of a USB stick for the intended situation.

Being self-assessment, the system depends on users answering appropriately and is open to deliberate abuse and inadvertent errors. However, this risk is offset to some extent by compliance procedures and structures in the police. Furthermore, it's better than nothing - without the system, police officers presumably make such decisions on a more arbitrary basis, assuming they even consider the security risks. The tool at least raises security awareness (assuming the tool is suitably promoted, for instance by being embedded in standard operating procedures).

Automating USB risk assessment is interesting at another level too. The decision tree in this instance is relatively simple, much simpler than with many other information security risks yet still complex enough to benefit from being presented as a structured questionnaire. The assessment output is based simply on the net total of scores from each question, and has only a few possible recommendations. Someone has had to write the questions and determine the score ranges and recommendations, somehow. The assessment could give inappropriate responses under certain circumstances since it does not take account of all possible situations (e.g. whether the police officer has lost numerous USB sticks before).

Contrast this to, for example, the assessment of security risks relating to a software application. There are so many elements to the risk and so many potential outputs that it is infeasible to automate the assessment - or is it? Some sort of artificial intelligence/knowledge based system is possible and could arguably give better answers than either of the two usual alternatives: asking an information security person to assess the risks or skipping the assessment altogether.

Now that would make an interesting research project for someone.

A modern Doomsday

Middle-Eastern Internet services have been severely disrupted by the failure of an undersea cable linking Egypt to Italy. There are backup connections, of course, including satellite and other cable connections but their capacity is limited, hence Internet traffic in some countries in the region is experiencing delays and probably failed connections due to timeouts.

Thanks to packet switching technology and multiple routes, the Internet as a whole is highly resilient. Undersea cables can often be repaired within days or weeks. But imagine what would happen if the Internet went down, and stayed down. Not 'stayed down for a few minutes' or hours or even days, but for an extended period perhaps indefinitely.

There are various horrific scenarios that could cause this to happen e.g.:
- Widespread technology failure, disrupting the packet switching backbone;
- Deliberate action by one or more nation states in wartime, severing critical connections and/or injecting massive amounts of spurious traffic at multiple points to disrupt;
- Natural events such as solar flares/X-ray emissions from the sun, storms etc. damaging critical equipment and links;
- Cyberterrorist attacks on the Domain Name Systems or other critical elements of the Internet, perhaps combined with conventional terrorist attacks on key nodes, cables and satellite ground stations;
- Worms or other malware, in other words, software agents swamping or damaging the network;
- "Something else" - the classic contingency planning scenario. We don't know exactly what might happen. It could be something completely novel and unanticipated or a chance combination of more than one type of event, known as 'bad luck'. For true contingency planning purposes, the exact cause and nature of the incident is irrelevant: we need to be ready to cope with whatever actually happens.

With a moment's thought, the horrendous consequences of such an incident start to become clear. The developed nations are highly reliant on the Internet and would suffer economic and social consequences very quickly. Developing nations are also actively using the Internet for eCommerce and communications with the rest of the world. The Internet has penetrated even the least developed third-world countries, and disruption to first world aide programs would have consequences there too.

We're hardly on the same scale as Google, eBay and Amazon but at a local level, our own small business would suffer within days if the Internet went down. We use the Internet for marketing and promotion, sales and delivery, research and communications. There are fallback delivery mechanisms - sending CD-ROMs in the post or direct dial-up access - both of which are limited, wouldn't work very reliably and would increase our costs. We could resort to old-fashioned research methods but would miss the ready, free access to up-to-date information security news from around the globe. Our marketing and sales would suffer the most as conventional print, TV and radio advertising is far more expensive and limited in scope. That, in a nutshell, is our own risk assessment.

Larger e-enabled businesses (such as the entire financial services industry) would su=ffer immediate problems, others might hardly notice at first, at least until their suppliers, partners and/or customers started to fail. Government departments and utilities would suffer quite quckly, causing knock-on effects as the national infrastructures started to unravel. If petrol companies and airlines were disrupted, well we'd have to get used to walking or cycling to work, if indeed work existed. Civil disruption could have serious consequences for personal safety and security.

We're just a few paragraphs into this very brief overview but the 'worst case scenario' is shaping up badly. This is starting to sound like one of those science fiction doomsday stories.

On the upside, TV, radio and print media would be severely disrupted too so we might not get to hear too much about the civil disruption outside our barricaded front doors. Some of us will retreat to our caves.

What kind of contingency plans would or could you make for "the Internet is down"? Some of the more obvious things might be to retain or stockpile ordinary modems (assuming that the telephone networks are running ... but, oh dear, they are using VOIP and, no doubt, sharing a lot of the Internet technologies and links) and generally retain (or rather rebuild) the ability for non-electronic commerce and communications.

More resourceful organizations might build their own private networks to run in parallel with the Internet - such as the financial services, military and other special purpose networks. These are expensive but the greater concern is to ensure they are adequately isolated from the Internet in fact. Supposedly private bank ATM networks have been known to crash due to Internet worms so finding and closing those worm-holes must be a priority. That's definitely something we can do today.

What else would you suggest in the way of contingency measures? Any ideas you'd like to share? Just post a comment ... while your Internet connection is still running, please.

Having a bad day at the office?

An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway. Fortunately for all concerned, bugs in the code prevented it working properly. In court, he was found guilty, sentenced to 30 months' jail time and found liable for $81,200 in restitution.

This story touches on quite a number of security topics:
- He was a trusted insider who went bad
- Logic bombs are a form of malware
- His office/day-job gave him privileged access to the company's IT assets
- Weak change management process controls did not prevent the bomb being installed
- The logic bomb had one or more bugs in the program/script
- Nevertheless it sparked a security incident
- He was called to account for the damage
- There was legal and presumably corporate policy noncompliance
- The risk of recurrence presumably remains

All in all, a nice multi-purpose security awareness case study.

PS The official US DOJ press release about the conviction is dated "Dec 8 2008", an integrity failure to boot.

Top information security risks for 2008

We have completed and published our collaborative white paper listing the top information security threats, vulnerabilities and impacts, along with some risk scenarios and controls, as we head towards the new year.

My sincere thanks are due to all who participated in the project, contributing directly to the shared document on Google Docs or commenting on it through the fora. I suspect there are still several points of disagreement but I hope we are all reasonably happy with the end result. I have certainly enjoyed the process and value the discussion.

Infosec risks top ten

Fellow infosec pros,

Tim Bass recently posted a stimulating entry to his blog proposing a top ten list of information security threats - not "risks" but threats specifically. This struck me as an interesting idea and an opportunity to add some depth to the rather banale top ten IT security risks lists that appear every new year. So, shamelessly extending a good idea, I've set up a shared document on Google Documents and now invite you to participate in a collaborative project to draw up a more meaningful list of current infosec risks, starting with separate lists of threats, vulnerabilities and impacts, then working on the risks, and finally the controls and conclusion.

If you would like to get involved, please check the shared document as it stands today and then email me (Gary@isect.com) to add you to the list of users with update access to the shared doc. Google Docs is cool but if you can't be bothered to update the doc yourself, just email me with your comments and I'll have a go. I'm particularly interested in emerging trends, as perceived by qualified information security professionals rather than journalists and marketers. What are you working on today and what do you expect to be doing in the year ahead?

I'm planning to publish the finished item on the Web under a Creative Commons license on or before Jan 1st 2008, acknowledging all contributors. Please don't ask me if you can earn CPEs for this though!

Kind regards,
Gary

UPDATE Dec 19th: the lists of threats, vulnerabilites and impacts are nearing completion so it's time to make a start on pulling things together as "risks". See the shared paper as it stands today and by all means have your say - pop a comment below if you like.

Security awareness success in the US Army

Details of audits of US Army websites and blogs run by soldiers, disclosed under the Freedom of Information Act, reveals that far more security policy breaches occur on official Department of Defense websites than on blogs. The audits were conducted by the Army Web Risk Assessment Cell, a special unit with a remit (evidently) to minimize unauthorized disclosure of sensitive military information via the Web.

It seems to me the Army was absolutely right to highlight the information security risks relating to blogging. I believe the audit results reflect the outcome of a highly successful security awareness program. If this issue had not been addressed so effectively, I'm convinced there would have been far more noncompliance issues, in other words this is a lesson to us all.

In respect of security awareness programs and policy compliance, 'the military' have a significant advantage over most of us in that the workforce is specifically trained to respect authority and follow orders - or at least, that is the classical view. In fact, I understand modern soldiers are increasingly being taught to think for themselves and operate autonomously, albeit within a highly structured (literally 'regimented') operating framework and, when necessary, at gunpoint. The traditional approach to the blogging security issue would presumably have been to send out an order banning blogging. What actually happened was more subtle: Army bloggers were instructed to register their blogs with commanding officers and pre-clear what they publish. 'Blog responsibly' is a rather softer message but the audit results seem to indicate its effectiveness in this situation.

Lurid job ads

"Hackers stole information from the U.S. Department of Transportation and several U.S. companies by seducing employees with fake job-listings on advertisements and e-mail, a computer security firm said."

The Reuters correspondent explains that victims were lured to a site with [fake] job advertisements and (presumably) phishing emails, only to have their systems infected with malware. The malware apparently evaded detection by the standard antivirus tools. Nasty.

I've long said that narrowly-targeted/custom malware is a particular threat if it slips under the antivirus silver bullet. Imagine the power of being able to select your target organization and inject your data extraction device and suck out your fill of an organization's lifeblood, with little chance of detection or prosecution. Imagine now that you are a Foreign Power or Criminal Mastermind with the money to buy such malware or the resources to recruit and train your own black squadron of evil hackers ...

Sleep well. Don't have nightmares. Leave that to us professional paranoiacs.

What the white hats are up against

In its usual tongue-in-cheek fashion, The Register describes the Black Hat world through ten features:
1. The Black Hats form a well integrated community that shares knowledge effectively
2. Becoming a Black Hat is a career option even for those who are not super geeks.
3. There are even specialist virus tools designed to circumvent specific AV products.
4. There are SDKs for the more advanced hackers.
5. There's a market for your data.
6. There are botnets to rent.
7. Some rogue websites are very subtly managed.
8. Good hackers know how to stay safe (they stay abroad)
9. The banking system has its channels
10. Not all businessmen are entirely averse to the odd hack (on a competitor)

In the sense of "know your enemy", the article presents an interesting perspective.

IT security's place in the world

A neat presentation and webcast by George Spafford brought out the value of integrating IT security processes with general IT operations, risk, change and configuration management and linking to business strategy, through ITIL IT service management and COBIT. It's good to see such a broad perspective on IT security, especially one that puts the business rather than security objectives at centre stage.

More information security management resources

When SysAdmins go bad 2 - the terror returns

As if to reinforce our recent posting regarding the insider threat and, especially, the threat from employees in trusted/privileged positions, another former system administrator has been charged with planting a logic bomb on his employer's systems, fearing that he was going to lose his job following a merger. The bomb was safely defused before it exploded but the alleged bomber's career options don't look too bright right now.

More malware links

CERT podcasts

Thanks to a tip-off from Gideon Rasmussen on the insider threat email reflector, I've come across a series of information security podcasts by CERT, aimed at 'business leaders'. The podcast on security Return On Investment (ROI) contains an interesting comment relating to research by "a couple of economists at the University of Maryland named Lawrence Gordon and Martin Loeb" who are said to have determined that a security control investment should only go ahead if the cost is no more than 37% of the expected return. I find this a very curious statement: from a purely economic point of view, almost any net positive return is financially worthwhile provided that (a) there is sufficient funding available for the investment (i.e. it is not outranked by other higher return investments) and (b) the projected costs and returns are realistic ... which is perhaps the issue here. Security projects in the main create returns by reducing risks and hence reducing projected future losses compared to the do-nothing option. The economists seem to be saying the security and risk professionals are seriously overestimating projected savings. They may have a point.
More security awareness and risk management resources

Risk management audit checklist

An audit checklist from the IT Compliance Institute (ITCi) explans what auditors would typically want to know about enterprise risk management practices. The checklist, written by the infamous Dan Swanson, offers practical advice to auditees as well as auditors. The ITCi "strives to be a global authority on the role of technology in business governance and regulatory compliance. Through comprehensive education, research, and analysis related to emerging government statutes and affected business and technology practices, we help organizations overcome the challenges posed by today’s regulatory environment and find new ways to turn compliance efforts into capital opportunities."
More risk management and IT audit resources

FAIR point

Alex Hutton runs a weblog for IT risk geeks focusing on the FAIR (Factor Analysis of Information Risk) risk analysis method that his employer Risk Management Insight LLC (RMI) promotes. In his blog, Alex takes me to task for my previous blog entry about the FFIEC, FAIR enough, and complains that the NoticeBored blog only accepts comments from authenticated users. Well OK, I've relaxed the restriction to encourage more feedback although I'll be moderating comments, not to censor what people say but merely to block spam. [Alex: why didn't you email me? Gary@isect.com]
Meanwhile, I took another look at FAIR. What follows is a rather harsh and cynical critique of the FAIR method as described in the undated draft FAIR white paper, partly because the paper's author, Jack Jones, invites comment towards the end of the document: "It isn’t surprising that some people react negatively, because FAIR represents a disruptive influence within our profession. My only request of those who offer criticism is that they also offer rational reasons and alternatives. In fact, I encourage hard questions and constructive criticism". So here goes.
Right away, I was intrigued by a statement at the front of the paper regarding it being a "patent pending" method that commercial users are expected to license. Unless I'm mistaken (which is entirely possible!), "patent pending" means "not patented" i.e. it is not currently protected by patent law, or else it would presumably be labelled "Patented" and give a patent number. Judging by the content of the introductory paper, FAIR appears to be a conventional albeit structured risk analysis method so I'm not clear what aspect of it would be patentable in any event. [My snake oil-o-meter starts quivering around the 5% mark at this point.]
"Be forewarned that some of the explanations and approaches within the FAIR framework will challenge long held beliefs and practices within our profession. I know this because at various times during my research I’ve been forced to confront and reconcile differences between what I’ve believed and practiced for years, and answers that were resulting from research. Bottom line – FAIR represents a paradigm shift, and paradigm shifts are never easy." [Not only is it claimed to be patentable, but it's a paradigm shift no less! The snake oil-o-meter heads towards 10%.]
The paper defines risk as "The probable frequency and probable magnitude of future loss". [Strictly speaking, risk includes an upside too, namely the potential for future gain which FAIR evidently ignores.] FAIR considers six specific forms of loss: productivity, response, replacement, fines/judgments, competitive advantage and reputation. [Management's loss of confidence in any system of controls that fails is evidently not considered in FAIR - in other words, there is an interaction between management's risk appetite and their confidence in the control systems they manage, based on experience and, most importantly, perception or trust. These apparent omissions hint at what could potentially be a much more significant problem with the method: there is no clear scientific/academic basis for the model underpinning the method, meaning that there are probably other factors that are not accounted for. Obtuse references to complexity and this being an "introduction" to details that are to be descibed in training courses etc. further imply incompleteness in the model and hence limited credibility for the method. Snake oil-o-meter jumps to half way.]
"A word of caution: Although the risk associated with any single exposure may be relatively low, that same exposure existing in many instances across an organization may represent a higher aggregate risk. Under some conditions, the aggregate risk may increase geometrically as opposed to linearly. Furthermore, low risk issues, of the wrong types and in the wrong combinations, may create an environment where a single event can cascade into a catastrophic outcome – an avalanche effect. It’s important to keep these considerations in mind when evaluating risk and communicating the outcome to decision-makers." [I wonder whether FAIR adequately describes risk aggregation, possible geometric increase and the "avalanche effect" noted here, in scientific terms? The author accepts the need to take such things into account but does FAIR actually do so? Snake oil-o-meter swings wildly around the half way point.]
[FAIR looks to me like a practitioners' reductionist model, something they have thought about and documented on the basis of their experience in the field as a way to describe the things they feel are important. FAIR might *help* an experienced information security professional assess risks but I'm not even entirely sure of that: the method looks complex and hence tedious (=costly) to perform properly. I wonder whether, perhaps, the FAIR method should be applied by a consultant such as someone from, say, RMI? Snake oil-o-meter settles around two-thirds full scale.]
To give him his due, the author acknowledges some potential criticisms of FAIR, namely: the "absence of hard data" and "lack of precision" (which are simply discounted as inherent limitations as if that settles the matter); the amount of hard work involved in such a complicated method (which is tacitly accepted with "it gets easier with practice"); "taking the mystery out of the profession" and resistance to "profound" change (I know plenty of information security and IT managers who would dearly like to find an open, sound, workable and reliable method.) [FAIR does not appear to be a profound change so much as an incomplete extension of conventional risk analysis methods. Snake oil-o-meter creeps up again.]
The appendix outlines a "basic risk assessment" in 4 stages: (1) "Identify scenario components" ("identify the asset at risk" and "identify the threat community under consideration"); (2) "Evaluate Loss Event Frequency (LEF)" ("estimate the probable Threat Event Frequency (TEF)", "estimate the Threat Capability (TCap)", "estimate Control strength (CS)", "derive Vulnerability (Vuln)" and "derive Loss Event Frequency (LEF)"); (3) "Evaluate Probable Loss Magnitude (PLM)" ("estimate worst-case loss" and "estimate probable loss"); and finally (4) "Derive and articulate Risk". Many of these parts clearly involve estimation, implying subjectivity (e.g. "estimate probable loss" could range between zero to total global destruction in certain scenarios: the appendix does not say how we are meant to place a mark on the scale). The details of the method are not fully described. For example, the TEF figure seems to be obtained by assigning the situation to one of a listed set of categories "Very High (VH): > 100 times per year"; "High (H): Between 10 and 100 times per year"; "Moderate (M): Between 1 and 10 times per year"; "Low (L)" Between .1 and 1 times per year"; or "Very Low (VL) < .1 times per year (less than once every ten years)." Similarly, the category boundaries for worst case loss vary exponentially for no obvious reason ($10,000,000; $1,000,000; $100,000; $10,000; $1,000; $0). [The use of two dimensional matrices to determine categories of 'output' value based on simple combinations of two 'input' factors is reminiscent of two-by-two grids favored by new MBAs and management consultants everywhere. The rational basis for using these nonlinear scales and the consequent effects on the derived risk probability are not stated, nor is method for determining the appropriate category under any given circumstances (how do we know, for sure, which is the correct value?). This issue strikes at the very core of the "scientific" (theoretically sound, objective, methodical and repeatable) determination of risk. The snake oil-o-meter rises rapidly towards three-quarters.]
The appendix casually includes a rather worrying statement: "This document does not include guidance in how to perform broad-spectrum (i.e., multi-threat community) analyses." [Practically all real-world applications for risk analysis methods necessarily involve complex real-life situations with multiple threats, vulknerabilities and impacts. It is not clear whether the full FAIR method can cope with anything beyond the very simplest of cause-effect scenarios. Snake oil-o-meter creeps up to 80%]
To close this critique, I'll return to a comment at the start of the FAIR paper that information risk is just another form of risk, like investment risk, market risk, credit risk or "any of the other commonly referenced risk domains". [The author fails to state, though, that risk is not managed 'scientifically' in these domains either. Stockbrokers, traders, insurance actuaries and indeed managers as a breed use, but cannot be entirely replaced by, scientific methods and models. Their salaries pay for their ability to make sound decisions based on expertise, meaning experience combined with gut feel - clearly subjective factors. Successful ones are inherently good at gathering, assessing and analysing complex inputs in order to derive simple outputs ("Buy Esso, sell BP" or "Your premium will be $$$"). From the outset, it seems unlikely the method will meet its implied objective to develop a scientific approach. Being based on "development and research spanning four years" is another warning sign since risk analysis in general and information security risk in particular, have been studied academically for decades. Although this is an 'introductory' paper with some strong points, it is quite naive in places. The snake oil-o-meter peaks out at around 80%.]

More risk management links

Open Information Security Risk Management Handbook

Clement Dupuis over at cccure.org put me on to a new infosec risk management handbook from an organization I haven't come across before - a Swiss organization called the Security Officers Management and Analysis Project. The handbook is described as "high level informations" containing 14 core pages on risk management, both in general and specifically in relation to information security - in fact, it probably has more to say on information security management than risk management. It aims to describe "how to plan, implement and manage an information security risk strategy and ISMS (Information Security Management System) activities." The language is rather naive in places but this could easily be due to its being translated into English, and the meaning comes through. For example: "A security officer never should be the owner of an asset. Even if this could look like a good idea, it is not. At the end the security officer would be responsible for all the assets which he obviously can not be." It is loosely structured around ISO 17799 / ISO 27001.
The accompanying Information Security Risk Assessment Guide is still in development with a 31-page draft already available. The guide looks as if it will focus on risk management in greater depth than the handbook. At the moment, it is little more than a collection of placeholders, ideas and notes to be explained/expanded later.
Both documents are released under the GNU Free Documentation License giving recipients the freedom to create and sell derivative works provided they reference the originator, retain section headings etc. SOMAP are actively inviting readers to get involved with and contribute to the project. If their appeal succeeds, the project has the potential to clear up an area of information security management that remains poorly served by other works. Although maybe a dozen information security risk management methods are in use worldwide, they seem to be the realm of specialists rather than general practice in the field.
More risk management resources

Addressing risks in legacy IT systems

The diagram comes from an excellent new white paper by Israeli security specialist, Danny Lieberman. It eloquently describes a systematic approach for assessing and addressing risks in legacy systems. It examines the question of why there are so many bugs (including defects that cause security issues) in software, and goes on to explain the derivation of threat models (using the Practical Threat Analysis tool) to design appropriate controls.
More risk management, secure development and Bugs! links

US hospital laptop theft puts 28,000 IDs at risk

A Beaumont Hospital Home Care laptop was stolen from the car of a home care nurse, reports Metro Detroit. The nurse, a new employee, "broke hospital policy by leaving her access code and password with the computer". Doh! Data on more than 28,000 present and former patients have been compromised. "The best protection is to train and educate people who use this information as part of their jobs, to have an awareness of the things they need to do to keep this protected," said Michael Friedman, an attorney in Detroit who has handled several HIPAA cases. "It's not a sophisticated technological solution." Having covered identity theft in this month's NoticeBored security awareness module, we'll be moving on to mobile/portable IT and teleworking next month ... what more can we do to encourage organizations to invest proactively in security awareness?
More identity theft links

FFIEC infosec manual

Although it is evidently intended to be an exam manual or study guide, the Federal Financial Institution Examination Council's IT Examination Handbook on Information Security could easily be mistaken as an information security manual. It bears more than a passing resemblance to ISO 17799, NIST, COBIT and SAS70 (amongst others) which are acknowledged as reference sources. There are "action summaries" containing key points from each section, such as this one for authentication: "Financial institutions should use effective authentication methods appropriate to the level of risk. Steps include: Selecting authentication mechanisms based on the risk associated with the particular application or services; Considering whether multi-factor authentication is appropriate for each application, taking into account that multifactor authentication is increasingly necessary for many forms of electronic banking and electronic payment activities; and Encrypting the transmission and storage of authenticators (e.g., passwords, personal identification numbers (PINs), digital certificates, and biometric templates)." A free 138 page infosec manual is not to be sneezed at.
More authentication and identity theft resources

Identity theft awareness materials released

If the statistics are to be believed, up to one in six of us has suffered some form of identity theft incident or attack. Thankfully, only a minority of attacks succeed but if you or someone you know has been through the horror of a full identity theft, I'm sure you will appreciate how important it is for us all to be on our guard.
There are lots of things we can do to reduce the risk of becoming victims, but the first step (as always) is to be aware of it, realizing that the threat exists and the impacts can be severe. If fraudsters can open bank accounts, get credit cards and run up huge debts in our name, we are the ones left with bad credit ratings and the nightmare of trying to prove we are genuine and they are the fraudsters.
The management and technical streams in the NoticeBored Classic module this month raise awareness of the control measures that corporations should take to prevent their good names being abused by the phishers and to constrain the fraudsters intent on defrauding our customers.
Additional awareness materials will be made available to the general public through the Global Security Week website this month to help those organizations planning their participation in the week leading up to September 11th. Please visit the GSW website or contact us for further information.
More security awareness and identity theft resources

Untrustworthy insiders

A very public industrial espionage case involving allegations that an employee tried to sell proprietary information from Coca-Cola to Pepsi is a timely reminder of the issues arising from trusted insiders. It is alleged that the employee, an administratrive assistant in the marketing function having ready access to highly sensitive information, removed it from the office and offered to sell it to Coke's arch rival. Pepsi presumably alerted the auhorities who ran a 'sting' to catch the alleged perpetrator red-handed. Even with the benefit of 20-20 hindsight, it is unclear what Coke management might reasonably have done to address this risk. Better screening and supervision of employees, maybe? Clearer policies on control of sensitive information in whatever format, e.g. "secret information must not be removed from the office"? An employee who is prepared to offer secrets for sale to a competitor seems unlikely to heed such policies. Better detective and corrective controls might perhaps have identified the exposure before things got out of hand, especially if there were preliminary incidents. Due to the implending court action, there is limited information on the details of the case, for example the news article does not state whether the accused had an exemplary record.
More links on keeping secrets