Dec 10 2009

What is a risk assessment framework

Category: Information Security,Risk AssessmentDISC @ 5:46 pm

Computer security is an ongoing threat?!?
Image by Adam Melancon via Flickr

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

Definition – A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.

A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. It has three important components: a shared vocabulary, consistent assessment methods and a reporting system.

The common view an RAF provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing potential threats pro-actively, planning budgets and creating a culture in which the value of data is understood and appreciated.

There are several risk assessment frameworks that are accepted as industry standards including:

Risk Management Guide for Information Technology Systems (NIST guide) from the National Institute of Standards.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team.

Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association.

To create a risk management framework, an organization can use or modify the NIST guide, OCTAVE or COBIT or create a framework inhouse that fits the organization’s business requirements. However the framework is built, it should:

1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.

2. Identify threats.
Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.

3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and/or vendor issues should also be considered.

4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.

5. Document risks and determine action.
This is an on-going process, with a pre-determined schedule for issuing reports. The report should document the risk level for all IT assests, define what level of risk an organization is willing to tolerate and accept and identify procedures at each risk level for implementing and maintaining security controls.

Related articles by Zemanta

Tags: Business, COBIT, Computer security, Data, Fire and Security, Information Technology, iso 27001, iso 27002, National Institute of Standards and Technology, NIST, OCTAVE, Risk management, Security, security controls, Technology

Oct 16 2009

Web Services and Security

Category: Cloud computing,Information SecurityDISC @ 4:01 pm

Cloud Security and Privacy

Because of financial incentive, malicious software threats are real and attackers are using the web to gain access to corporate data. Targeted malicious software’s are utilized to steal intellectual property and other confidential data, which is sold in the black market for financial gain. With use of social media in corporate arena, organizations need to have web services use policy, to ensure employees use the internet for business and comply with company web use policies. To have an effective web use policy makes business sense and to implement this policy efficiently is not only due diligence but also assist in compliance. After implementing, the key to the success of web use policy is to monitor the effectiveness of the policy on regular basis.

webservices

Hosted web security services operate at the internet level, intercepting viruses, spyware and other threats before they get anywhere near your network. These days if malicious software has infected your gateway node the attacker is home free and it is basically game over. How to fight this malice is to use hosted web security services, which is transparent to users and stop the malwares before they get to the corporate network.

Things to look at web security hosted services are protection, control, security, recovery and multilayer protection.

Protect your corporation from anti-virus, anti-spam, and anti-spyware
Content Control of images, URL filtering and enterprise instant messages, all web request are checked against the policy
Secure email with encryption
Archive email for recovery
Multilayer protection against known and unknown threats including mobile user protection

Web Security Anti-Virus, Anti-Spyware – stops web-borne spyware and viruses before they infiltrate your network, protecting your business from information theft and costly diminished network performance.

Web Filtering – enables you to block access to unwanted websites by URL, allowing you to control Internet use and enforce acceptable Internet usage policies


Download a free guide for the following hosted solutions

Hosted email solution
Hosted email archiving
Hosted web monitoring
Hosted online backup

Tags: archive email, boundary encryption, content control, email archiving, email solution, image control, Malicious Software, Malware, multilayer protection, online backup, Spyware, url filtering, web filtering, web monitoring, wen security

Oct 08 2009

Security Controls and Principles

Category: Information SecurityDISC @ 3:08 pm

checklist

Principles of Information Security

For security controls to be effective apply the pillars of information security

–Principle of least privilege
–Separation of duties
–Economy of mechanism
–Complete mediation
–Open design

Least Privilege
• “Need to Know”
• Default deny – essentially , don’t permit any more to occur than is required to meet business or functional objectives
• Anything extra introduces risk

Separation of Duties
• The idea is that we don’t want to give any one individual so much power that they cloud take dangerous actions without any checks and balances in place.
• You trust them with their job responsibilities but they should be accountable for their actions which is only possible when you measure or monitor their performance.

Economy of Mechanism
• Complexity is an enemy of security, it’s much more difficult to create a simple mechanism and keep it that way.
• The more complexity added to a system, the more chance for error or flaw

Complete Mediation
• The control cannot be bypassed (organization firewall, by creating a backdoor)
• This principle says no unofficial backdoor (no disabling the anti-virus software)

Open Design
• The security of a system must not be based on the obscurity of the mechanism
• Proprietary software are not tested properly and sometime include an undisclosed back door (ballot counting software)


[TABLE=9]

Tags: Complete mediation, Economy of mechanism, open design, Principle of least privilege, security controls, security principles, Separation of duties

Sep 21 2009

Due Diligence, and Security Assessments

Category: Information Security,Security Risk AssessmentDISC @ 9:21 pm

Microsoft Baseline Security Analyzer
Image via Wikipedia

Fighting Computer Crime: A New Framework for Protecting Information

Risk assessment demands due diligence, which makes business sense and derives organization mission. Due care care is also about applying the specific control that counts. In information security, due diligence means a complete and comprehensive effort is made to avoid a security breach which could cause detrimental effects and identify various threats that may be exploited for a possible security breach.

Donn Parker defines due care as a “use of resonable safeguards based on the practices of similiar organizations”

Fred Cohen defines “due diligence is met by virtue of compliance review.”

Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
(FIPS 200, Section 3, Minimum Security Requirements)


Reblog this post [with Zemanta]

Tags: donn parker, due care, due diligence, Fred Cohen, security controls

Sep 10 2009

Way beyond the edge and de-perimeterization

Category: Cloud computing,Information SecurityDISC @ 2:59 pm

Wie eine Firewall arbeitet / how a firewall works
Image by pittigliani2005 via Flickr

De-perimeterization term has been around almost for a decade and finally industry is taking it seriously because of virtualization and cloud computing popularity. Is it time for businesses to emabrace de-perimeterization?

De-perimeterization is a double edge sword for industry which creates scalable options for operation and huge challenges for safeguarding the assets beyond the edge. One of the major advantages for de-perimeterization is that user can access corporate information over the internet; in this situation user can access corporate data from any where, it’s hard to draw the line where the edge begins and where it ends. All you basically need a functional laptop with internet connection. On the other hand, de- perimeterization poses a great challenge due to possibility of viruses, spywares and worms spreading in your internal protected infrastructure.

In de-perimeterized environment, security attributes shall follow the data, wherever the data may go or reside.

In security architecture where firewall was considered a very effective perimeter defense has been weakens by virtualization and cloud computing. In early days of firewall defense, organization only needed to open few necessary protocols and ports to do business. Internet accessible systems were located on the DMZ and the communication was initiated from the corporate to internet. Now there are whole slew of protocols and ports which needs to be open to communicate with application in the cloud. As corporate application move out of the organization network into the cloud, the effectiveness of firewall diminished.

Defense in depth is required for additional protection of data because as new threats emerge, the firewall cannot be used as an only layer of security. The key to the security of de-perimeterization is to push security at each layer of infrastructure including application and data. Data is protected at every layer to ensure the confidentiality, integrity and availability (CIA). Various techniques can be utilized for safeguarding data including data level authentication. The idea of data level authentication is that data is encrypted with specific privileges, when the data move, those privileges are moved with the data.

layered-defense

Endpoint security is relevant in today’s business environment especially for laptop and mobile devices. Agents on laptops and mobile devices utilized pull/push techniques to enforce relevant security policies. Different policies are applied depending on the location of the laptop. Where security policy will ensure which resources are available and what data need to be encrypted depending on the location of the device.

When corporate application and important data reside in the cloud, SLA should be written to protect the availability of the application and confidentiality of the data. Organizations should do their own business continuity planning so they are not totally dependent on the cloud service provider. For example backup your important data or utilize remote backup services where all data stored is encrypted.


Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance


Download a free guide for following cloud computing applications

Hosted email solution
Hosted email archiving
Hosted web monitoring
Hosted online backup


Reblog this post [with Zemanta]

Tags: business continuity, Cloud computing, cloud computing article, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing security, cloud computing services, cloud security, cloud services, de-perimeterizations, DMZ, iso assessment

Jul 28 2009

PCI DSS Law and State of Nevada

Category: Information Security,pci dssDISC @ 12:09 am

Information Security Wordle: PCI DSS v1.2 (try #2)
Image by purpleslog via Flickr

45 States followed California when they introduced “SB1386”, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.

Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!

From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

Not only does this effect Navada-based organisations, it affects EVERY organisation that collect or transmit payment card information about any person who lives in Nevada.

Where One leads – others WILL follow!


Related articles by Zemanta

Reblog this post [with Zemanta]

Tags: california, Credit card, Nevada, Payment card, pci dss, privacy, Security, Texas

Jul 16 2009

Common Information Security lapses

Category: Information SecurityDISC @ 4:36 pm

Information Security Wordle: RFC2196 - Site Se...
Image by purpleslog via Flickr
User Security
  • Opening email attachments with integrated email clients

  • Not updating client software

  • Downloading untrusted software

  • Not creating or testing backups

  • Using wireless router connected inside the LAN

    • Strategic Security

  • Not providing training to security personnel

  • Only addressing physical security, neglecting data security

  • Not validating security fixes

  • Relying on firewall for all security needs

  • Not evaluating impact on reputation and data of security breach

  • Not implementing long term security decisions, relying on hot fixes to put out fires

  • Not addressing issues, neglecting security as policy

    • Operational Security

  • Not hardening internet connected host

  • Connecting test systems to the internet

  • Not updating systems on a regular and emergency basis

  • Using unencrypted protocols for management, reporting

  • Choosing bad default user passwords, changing passwords in insecure manner, or notifying users in insecure manners

  • Not testing or maintaining backups, not understanding the intricacies of backup software and procedures


    • Tags: Backup, Information Security, poor security, Security, security mistakes

    Jun 30 2009

    Security controls and ISO 27002

    Category: Information Security,ISO 27kDISC @ 1:56 pm

    seeyourdataUsually security breach occurs due to lack of basic security controls or lack of effective control which is not relevant over the time. Security controls also disintegrate over the time due to lack of maintenance and monitoring.
    According to Privacy Rights Clearinghouse survey, the top three breaches resulted from laptop theft, software or human error, and hackers. Most of these breaches could have been prevented by procedural, management and technical security controls. Most of the security breaches happen during the state of non-compliance. The most famous TJX security breach happens in 2007, at the time of the breach TJX complied with only 3 out of 12 PCI-DSS requirements.

    Small organizations sometimes don’t have enough resources to comply with all the requirements of regulations and standards like HIPAA and PCI. But that is not an excuse of not understanding the relevant regulations and standards requirements to your business and having a clear security strategy which explains how to achieve the compliance down the road. Also your security strategy will be an evidence of your due diligence to secure your critical assets. On the other hand big organizations have enough resources to implement security controls, but for whatever reason they often do not have clear strategy how to establish security controls.

    Information security is not a onetime static process but an ongoing assessment of risks in your business, where you need to understand the your critical assets, classification of those assets based on CIA, sensitive data and its access, policies, standards, procedures , training, security reviews and continuous monitoring.

    One of the most popular baseline for security controls is the international standard ISO 27002 – Code of Practice for Information Security management. ISO 27002 have 11 security clauses and 133 security controls are high level which provides a reasonable guidance for implementing an Information Security Management System (ISMS). Due to ISO 27002 broad scope, it’s relevant to every industry and size of business.

    Organization should have a baseline of security controls before barging onto complying with PCI or HIPAA regulation. ISO assessment will help you to understand what controls are in place and assist you with security strategy and later will become a measuring stick for your ISMS.

    Ongoing compliance is achieved by monitoring the relevant controls. Ongoing compliance will depend on the quality of your information security management system (ISMS). ISMS would include thorough monitoring, logging and reviewing controls to maintain and improve system security over time. You can develop an automated monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. ISMS (based on ISO 27001) certainly can be a great value to manage ongoing monitoring, maintenance and improvement cycle.

    Related articles by Zemanta

    [TABLE=2]


    Reblog this post [with Zemanta]

    Tags: Computer security, Health Insurance Portability and Accountability Act, Information Security, Information Security Management System, ISO/IEC 27001, pci dss, Privacy Rights Clearinghouse

    Jun 17 2009

    Credit card authorization process weakness

    Category: Information Security,pci dssDISC @ 3:09 pm

    A diagram showing the front side of a typical ...
    Image via Wikipedia

    Credit Repair Kit For Dummies (For Dummies (Business & Personal Finance))

    Credit card authorization sequence:

    1) Creditholder swipes card at merchant. A request is sent to merchants bank
    2) Merchants bank “asks” processor to determine the cardholder bank
    3) Processing network finds cardholders bank and request approval for purchase
    4) Cardholders bank approves purchase and generates a approval code
    5) Processor sends an approval code merchants bank
    6) Merchants bank sends approval code to merchant
    7) Purchase is complete and cardholder receives a receipt

    “Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.”

    Weak security enables credit card hacks

    Credit Card Fraud Made Easy
    httpv://www.youtube.com/watch?v=m5UE5fXRyKs

    Related articles by Zemanta


    Reblog this post [with Zemanta]

    Tags: Credit card, credit card privacy, credit card secure, credit card security, credit card theft, secured card, visa card

    May 06 2009

    Rise of cybercrime and management responsibility

    Category: Information Security,Information WarfareDISC @ 5:08 pm

    ITIL Security Management
    Image via Wikipedia
    According to SF Chronicle article by Deborah Gage (May 8, 2009, c2) consumer reports magazine’s annual “State of the Net” survey finds that cybercrimes has held steady since 2004, with one out of five consumers becoming victims in last two years at a cost to economy of $8 billion. Consumer report can be found on at www.consumerreports.org

    Uncertain economic time brings new threats and scams and most of the security experts agree that there’s a possibility of increase in cybercrime for this year. Survey also found that around 1.7 million people were victims of identity theft and 1.2 million had replaced their computers because of infected software.

    First why all the signs are showing uptick in cybercrimes and second what are we going to do about it.

    Management should start considering security as total cost of ownership instead of wasting time on what is ROI of information security. If there is a security breach, somebody in the management should be held accountable not an IT or security personnel. Management will keep demonstrating lax attitude toward data protection and security in general unless there are serious consequences like spending time in jail for lack of security controls (basic due diligence) and not taking appropriate actions for the risks that posed a significant threat to the organization.

    PCI, HIPAA and SOX compliance are a good start in a right direction for management to take information security into consideration, but these compliance initiatives don’t address the security of a whole organization. They address security risks of a business unit in an organization. If management is really serious about security then ISO 27002 code of practice is one of the option which should be considered to address the security of the whole organization and ultimately organization should achieve ISO 27001 certification which will build a comprehensive information security management system to manage ongoing risks.

    [TABLE=2]

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: Information Security, International Organization for Standardization, isms, iso 27001, iso 27002, Operating system, Policy, Security

    Apr 22 2009

    RSA and cybersecurity

    Category: Information SecurityDISC @ 6:52 pm

    SAN FRANCISCO - FEBRUARY 6: Art Coviello, Exe...
    Image by Getty Images via Daylife
    This week I was in attendance with thousands of people from all over the globe at RSA conference in Moscone Center San Francisco. The conference offers variety of training tracks and this year included two new tracks physical security & governance and risk & compliance. Since Novell CNE was one of my first professional certification, I was glad to see Novell making some headway’s in information security arena, especially Deloitte was promoting Novell identity management solution in the conference.

    The cloud computing is the buzz word for this year conference. As far as virtual environment boundaries are concerned , it’s hard to say where it start and where it ends which complicate the matters and complexity of the cloud will introduce new threats and risks. With that in mind cyber security appears to be worse than last year. Attendance might be bit low this year due to budget cut but the conference floor was packed with vendors and enthusiastic audiences.

    Most of the security expert understand that companies are cutting budgets and might be decreasing their investment in security. Having a proactive security strategy and spending the security dollars wisely is the key to success of a business in this downturn economy. One thing to understand about information security, there is no ROI (return on investment) in security. ROI is a total cost of ownership.

    Another concern in the conference is that the threats and fraud goes up during downturn economy. Companies should have comprehensive policies to tackle insider threats regarding disgruntled employees who might be at verge of getting laid off to prevent them from stealing intellectual property.

    There is an outstanding line of keynote speakers like Melissa Hathaway, federal acting senior director of cyberspace. She advised the current (Obama) administration. She will be discussing issues like how much federal government should be involved in protecting critical assets like power grids. The conference like RSA helps security professionals to sharpen their skills and work in collaborative manners to successfully defend their organizations from attackers.

    Related articles by Zemanta

    RSA Conference 2009 Highlights
    httpv://www.youtube.com/watch?v=BAxAagvmu6w

    Reblog this post [with Zemanta]

    Tags: Cloud computing, Consultants, Information Security, Melissa Hathaway, Moscone Center, Obama, RSA Conference, San Francisco, Security

    Mar 17 2009

    Congressional data mining and security

    Category: Information SecurityDISC @ 12:42 am

    Data mining
    Image by moonhouse via Flickr
    “By slipping a simple, three-sentence provision into the gargantuan spending bill passed by the House of Representatives last week, a congressman from Silicon Valley is trying to nudge Congress into the 21st Century. Rep. Mike Honda (D-Calif.) placed a measure in the bill directing Congress and its affiliated organs — including the Library of Congress and the Government Printing Office — to make its data available to the public in raw form. This will enable members of the public and watchdog groups to craft websites and databases showcasing government data that are more user-friendly than the government’s own.”

    Would be great if this passes BUT, Government would have to have security provisions so hackers could not manipulate databases in this case raw data. Without proper controls, databases can be easily modified and stolen, so before making the raw data available to public, Congress might need a comprehensive legislation to protect the confidentiality, integrity and availability of the data.

    Security principles and controls which should be considered in database legislation?
    • Principles of least privilege
    • Separation of duties
    • Defense in depth at every level
    • Strong auditing and monitoring controls
    • Security risk assessment to assess risks based on ISO 27002 and NIST 800-53
    • Comprehensive risk management program to manage risks

    Congressional Data Mining: Coming Soon? (Mother Jones)

    Related articles by Zemanta

    What is Data Mining?

    httpv://www.youtube.com/watch?v=wqpMyQMi0to

    Reblog this post [with Zemanta]

    Tags: Business, Data mining, database, defense in depth, iso 27002, Mike Honda, National Institute of Standards and Technology, Risk Assessment, Risk management, Security, separation of duities, Silicon Valley

    Feb 18 2009

    Economic turmoil and BCP

    Category: BCP,Information SecurityDISC @ 6:42 pm

    information
    Due to economic insecurity all the warning signs are pointing that this year is going to top the record for information security and privacy incidents. Organizations may not be in a position to take business limiting risk and bypass security fundamental like Business Continuity Planning (BCP). During this economic uncertainty organizations have to pay more attention to liability, regulatory penalties and negative PR which might cause an irrecoverable damage to business in today’s market.


    “BCP is the creation and validation of a practiced logistical plan for how organization will recover and restore partially or completely interrupted critical functions within a predetermine time after a disaster or extended disruption”

    The first step in business continuity process is to consider the potential impact of each disaster or disruption. Next step is to determine the likelihood of the disruption or how likely this disruption will occur within a year and how many times. Both impact and likelihood will determine the risk to the organization critical asset in a sense if impact of the disruption is high the risk is high or if likelihood of the incident is high the risk is high. High risk disruption will attract more attention during planning process.

    Risk Analysis:
    • Understand the function of probabilities and risk reduction
    • Identify potential risks to the organization
    • Identify outside expertise required
    • Identify vulnerabilities / threats / exposures
    • Identify risk reduction / mitigation alternatives
    • Identify credible information sources
    • Interface with management to determine acceptable risk levels
    • Document and present findings

    BCP Plan:
    • Understand clear objectives, available alternatives, their advantages, disadvantages, and cost ranges, including mitigation as a recovery strategy
    • Identify viable recovery strategies with business functional areas
    • Consolidate strategies
    • Identify off-site storage requirements and alternative facilities
    • Develop business unit consensus
    • Present strategies to management to obtain commitment

    Assessing the Effectiveness of a BCP Plan for an Individual Business Unit:
    Business unit contingency planning was never more important than now. The success of BCP planning depends upon the feasibility and appropriateness of the plan. However, only comprehensive TESTING of the contingency plans could validate that and everyone hates testing. It is important that the Contingency Plan clearly identify those responsible for declaring a disaster and executing the plan. BS 25999-2:2007 is the specification for implementing, establishing, and improving a business continuity management system (BCMS) within an organization.

    The requirements in the standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature of business. The extent of application of these requirements depends on the organization’s operating environment and complexity. BS 25999-2 can be used by internal and external parties, including certification bodies, to assess an organization’s ability to meet its own business continuity needs, as well as any customer, legal or regulatory needs.

    Purchase BS25999-2:2007 online today and prove business resilience to customers and partners.

    [TABLE=16]

    BSI – What is Business Continuity Management?
    httpv://www.youtube.com/watch?v=DkQsmSg1PFU&NR=1

    Reblog this post [with Zemanta]

    Tags: Business, Business continuity planning, Business Services, Contingency plan, Emergency Management, Fire and Security, Information Security, Risk management

    Feb 10 2009

    Defense in depth and network segmentation

    Category: Information Security,Network securityDISC @ 2:17 am

    Traditional security schemes are incapable of meeting new security challenges of today’s business requirements. Most security architectures are perimeter centric and lack comprehensive internal controls. Organizations which are dependent on firewall security might be overtaxing (asking security mechanism to do more than it can handle). Some of the old firewalls rule set stay intact for years, which might be a liability when the firewall rule set neither represent current business requirements and nor are protecting critical assets appropriately.

    “Firewalls are typically managed by a succession of administrators who create their own rules, which then accumulate over a period of years. This creates rule duplication, which can impinge on performance, but also brings risks such as the use default or open passwords.”

    The first step in defense in depth is designing a corporate network segmentation policy which describes which departments, application, services and assets should reside on a separate network. Network segmentation will assure that threats are localized with minimal impact on the organization. NIST, ISO27002, and PCI emphasis the importance of network segmentation but does not mandate the requirement. At the same time PCI Standard committee emphasize in new standards that the compliance scope can be significantly minimized by placing all the related assets in the same segment. Network segmentation is not only a common sense in today’s market but also one of the most effective and economical control to implement, simply a great return on investment.

    Network segmentation benefits:
    o Improve network performance and reduce network congestion
    o Contain attacks (viruses, worms, trojans, spam, adware) from overflowing into other networks.
    o Improve security by ensuring that nodes are not visible to unauthorized networks. Reduce the size of broadcast domain

    Basic idea behind defense in depth is to protect your crown jewel in multiple layers of defense, should one fail, another will provide crucial protection. Another important thing to remember is that we cannot defend everything, so our defense in depth approach should be asset centric rather than perimeter or technology centric. Perform a thorough risk assessment to find out your most important assets and apply the defense in depth approach to protect the confidentiality, integrity and availability of those critical assets. Examples of network segmentation include wireless network, where you place the wireless network users in their own segment behind a firewall with their own rule set. This rule set will help to contain the users on wireless network as well as any potential attacks on the organization. To get to the content of another segment in the network, the wireless users has to pass through all the layers of protection.

    Defense in depth diagram
    defenseindepth
    Different attacks will be handled by different layers. In the outer layer 1 will handle most of the network related attacks while the layer 2 will handle most of the script based attacks which target the operating system. Layer 3 will handle most of the application attacks which are complex and only utilized by skilled attackers. Layer 4 is your final frontier where you protect your crown jewel by moving many of the tools and techniques used at the perimeter closer to critical assets.



    Related article
    Network segmentation is a common sense





    Defense in depth
    httpv://www.youtube.com/watch?v=zTJSMjYd9c4&feature=related


    Tags: Consultants, Firewall, ISO/IEC 27002, National Institute of Standards and Technology, Products, Rate of return, Security, Wireless network

    Jan 30 2009

    ISO 27k and CMMI

    Category: Information Security,ISO 27kDISC @ 2:00 am

    To become a successful business in today’s market, optimized information security controls may be the panacea for unmet security needs. One way to achieve optimized information security control is to perform ISO assessment and assess the organization security posture based on ISO 27002 code of practice and map each control with Capability Maturity Model Integration (CMMI) to find out the current CMMI level for each control. information The goal is to address the organization security needs as a whole, and assess how different departments and business functions are addressing the current business security requirements. The CMMI has five levels and evaluate security controls based on levels, not on specific objectives. Each level provides the basis for the next level where it is not possible to get to the next level without complying with previous level. ISO 27002 is a comprehensive framework which can be utilized to obtain the baseline upon which to build each level. For each control in ISO 27002, maturity levels are defined using maturity definition found in CMMI. In the assessment report maturity level of each control of ISO 27002 standard can be evaluated. Utilizing the color coded scheme provided by CMMI model, create a one page ISO control summary for executives which will not only help them to understand the current security posture but also can be instrumental for measuring progress and resource allocation.

    The scope of the ISO27k standards includes various aspects of IT. The introduction to ISO 27002 states clearly: “Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post of using electronic means, shown on films, or spoken in conversation. Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected.”

    Benefits of ISO 27k framework:
    o Framework addresses the security issues for the whole organization and limit data breaches
    o Address compliance with various regulations like (SOX, HIPAA, and PCI) without creating silos.
    o Reduce total cost of security by decreasing total number of controls required
    o Perception of your business that you are serious about information security not just compliance
    o Enhance partners and vendors confidence to do business with your organization
    o Future deciding factor for national and especially international partners for more business
    o Internationally recognized standard which addresses security awareness for the whole organization

    isotocmmi

    Assessment will give an organization a high level view of their current security posture and provide a road map for security strategy in a sense what needs to be addressed first utilizing risk based approach. This is also a good start if your organization is interested in the Information Security Management System (ISMS) or ISO 27001 certification. ISO 27001 is the standard for the certification which includes the set of requirements for ISMS. Justifiable scoping is the key to a quick and successful certification; organization may adjust their scope in a re-certification attempt. Perhaps in the first attempt you may need to include just a web portal in your scope and the entire infrastructure behind supporting that portal. Once the ISMS project scope is determined, here are some steps you can follow to prepare for ISO 27001 auditors.

    1. Based on your scope, create an asset list
    2. Find out asset threats and vulnerabilities and classify the asset based on CIA scale
    3. Come up with risk matrix based on impact and likelihood of the risk
    4. Create priorities based on impact and likelihood of the risk
    5. Based on priorities, implement appropriate controls for risks which needs to be addressed
    6. Do the risk assessment again, PDCA improve ISMS

    “ISO27001 is a structured, technology-neutral, vendor-agnostic specification and code of practice for information security management in organizations of all sizes that should be adopted as part of an organization’s overall risk management strategy.”

    This should give you a jump start to certification. You have already started the process of certification because most of the documentations in the risk assessment will become part of certification process later and will lead you to 12 steps which are part of PDCA cycle. ISMS certification process utilized Plan-Do-Check-Act (PDCA) cycle methodology which continually improve information security management system and meet the contractual, legal, and regulatory requirements for information security.

    ISO assessment is utilized to analyze the current security posture of an organization where each control is defined and can be color coded using the base definition found in CMMI. Therefore ISO assessment is a great first step towards the final ISO 27001 certification audit or for that matter any compliance audit.

    [TABLE=2]

    ISO 27k framework for today’s security challenges
    httpv://www.youtube.com/watch?v=yRFMfiLbNj8

    Three useful titles on ISO 27k by Alan Calder

    Related articles by Zemanta

    Tags: Capability Maturity Model Integration, CIA scale, Information Security, Information Security Management System, International Organization for Standardization, isms, iso 27001, iso 27002, ISO/IEC 27001, PCI, PDCA, Risk Assessment, Risk management, Security, SOX HIPAA, vsrisk

    Dec 16 2008

    Unstable economy and insider threats

    Category: Information Security,Insider ThreatDISC @ 2:42 am

    State of affairs
    Image by Pulpolux !!! via Flickr
    During the current unstable economy, organizations face increased threats from insiders during tough economic years ahead. During hard time organizations not only have to worry about outsider threats but will be facing an increased threat from disgruntled employees who might see no future with the organization during unstable economy. During these circumstances, when new jobs are hard to come by, revenge or financial need might play a motivating factor for a disgruntled employee.

    In July 2008, San Francisco city network administrator (Terry Childs who hijacked the city network) was arrested and charged with locking his own bosses and colleagues out of city network. Basically his bosses got caught sleeping on their jobs because they were not monitoring this guy who happens to have the key to their kingdom. San Francisco city network controls data for its police, courts, jails, payroll, and health services. After 8 days in jail cell Terry Childs finally relinquished the password to Mayor Gavin Newsom in his jail cell. Why San Francisco’s network admin went rogue

    Here are some considerations to tackle insider threats

    Manage and monitor access
    Manage your users through single sign on source like Windows active directory or Sun single sign on directory, which not only enable control access to sensitive data but also let you disable access to all resources when employee leave the company from a single location. Single sign on solution also provide comprehensive audit trail which can provide forensic evidence during incident handling.

    Limit data leakage
    Intellectual property (design, pattern, formula) should be guarded with utmost vigilant. Access to IP should be limited to few authorized users and controls should be in place to limit the data leakage outside the organization. Protect your online assets, and disable removable media to prevent classified data being copied into USB drives, CDs, and mobile phones.

    Principle of least privilege
    Which requires that user must be able to access to classified information only when user has legitimate business need and management permission. Sensitive data should be distributed on need to know basis and must have system logs and auditing turned on, so you can review the access is limited to those who are authorized. Proactively review the logs for any suspicious activity. In case suspicious activity is detected, increase audit and monitoring frequency of the target to detect their day to day activity. Limit access to critical resources through remote access.

    Conduct background check
    Conduct background check on all new and suspicious employees. All employees who handle sensitive data must go through background check. HR should conduct background verification, reference check and criminal history for at least 5 years. What type of checks will be conducting on an individual will depend upon their access to classified information.

    Risk assessment
    Conduct a risk analysis of your data on regular basis to determine what data you have, its sensitivity and where it resides and who is the business owner. Risk analysis should determine appropriate data classification based on sensitivity and risks to data. Regular risk assessment might be necessary, due to passage of time data classification might change based on new threats and sensitivity of the data.

    Digital Armageddon – The Insider Threat
    httpv://www.youtube.com/watch?v=FQ4bvCPwFMY

    Reblog this post [with Zemanta]

    Tags: Background Check, Detect activity, Gavin Newsom, Intellectual Property, Manage access, Monitor access, Online assets, risk analysis, San Francisco, Security, Tough Economy

    Nov 17 2008

    Harmful Spyware and their stealthier means

    Category: Information Security,MalwareDISC @ 2:55 pm

    Dozens of pop-up ads covering a desktop.

    Spyware is utilized to gather information about a person with or without their consent and it intercept or record personal/financial information. Some spyware are capable of sending information back to another computer (originator of the spyware).

    Characteristic of Spyware

    • Compromise user machine without their knowledge
    • Use vulnerabilities in the software to push a spyware code on the machine
    • Install Trojans to gather data
    • Gather personal and financial information to send it to attackers

    Spyware are used to gather different kind of information which includes but not limited to advertising, corporate monitoring, child monitoring, governmental monitoring. Besides their legal use which is based on company policy or regulations monitoring spywares can be used for spying on a person without their consent. More common types of spywares are adware (serve advertising) and key-loggers (record keystrokes)

    How you can get spyware on your machine: Spyware can be installed on your machine in many ways.

    Below are some of the common ways to deliver spyware.
    • Spyware can be installed on a computer via a virus or an email Trojan.
    • Spyware can be installed on a computer by taking advantage of security flaws in Internet Explorer.
    • Spyware sometime are included in the shareware program. User agreement for the shareware may make a reference to grant permission to allow the recording of your internet use
    • Pop-up downloads are becoming a preferred method of installing spyware and adware. Pop-up download windows ask the users to download a program to their computers.
    • Another popular way to distribute spyware is a drive-by download. It installs itself on the computer without user knowledge. It can be installed by simply visiting a website.

    Windows Defender is software that helps protect your computer against pop-ups, and security threats caused by spyware and other unwanted software by detecting and removing known spyware from your computer. Most popular antivirus products now include adware and spyware scanning. You can find more adware and spyware removal tools at the Spyware Protection and Removal guide. This Web page includes links to popular spyware removal programs, as well as a number of useful articles. Also in Internet Explorer 7 (IE7) you can turn on/off the pop-up blocker. IE7 -> Tools -> Pop-Up Blocker. There is a pop-up blocker setting where you can allow exceptions for some sites and setup pop-up filter to high, medium and low.

    Anti-Spyware, Registry Cleaner & PC Optimizer

    Computer users particularly need to watch out for bogus spyware removal programs. They are dangerous because they punish the user for doing something right. Victims think that this will remove the spyware, instead in some cases computer users are paying to install a spyware.
    Checkout the Rouge Anti-Spyware Products table

    How to Protect from Spyware
    httpv://www.youtube.com/watch?v=_w-DZNbq66I&feature=PlayList&p=18F23434175F964D&playnext=1&index=26

    Reblog this post [with Zemanta]

    Tags: adware, bogus spyware, drive-by download, financial information, Internet Explorer, keylogger, Pop-up ad, rouge anti-spyware, Security, shareware, Spyware, trojan, virus, Windows Defender, World Wide Web

    Nov 04 2008

    Open Network and Security

    Category: Information Security,Open NetworkDISC @ 7:54 pm

    Made and uploaded by John Manuel - JMK{{#if: |...

    Open networks are heterogeneous environment where users like to use all the applications and systems at any given time. In a heterogeneous environment, each department run different hardware and software, but you can control the protocols which will work on this environment.

    Universities are famous for open network. Most Universities network is comprised of a Bank (To give loan to students), a restaurant, and a bookstore which have credit card processing ability. Students, alumni, researchers, employee and staff need access to utilize resources. Now how would you control access if same person assume all the roles mentioned above. Universities are basically transient communities, where users come back and plug-in their new devices and expect an immediate access to all the resources. Where the reputation of openness is challenge at every step of the way, now the question is how can they maintain reputation and yet control the environment based on security policies.

    Reasonable security can be accomplished by focusing on a process rather than adding yet another security control. The process is based on risk assessment program where you assess your critical assets based on threat and vulnerability pair and measure the likelihood and impact of a threat if a given vulnerability is exploited.

    The process start with knowing your assets – Network registration will detect when you plug-in your new equipment. Before you get an access, it detects a hardware address and username. You can also control common misconfigurations and noncompliance issues with network registration process. Some vulnerability management systems discover assets and perform vulnerability and security configuration assessment to proactively identify and prioritize risks. New vulnerabilities are accessed from trusted site on a regular basis and when vulnerabilities are identified, the management system needs to have an ability to remediate to comply with the information security policy.

    Most of the departments in an open network contains different systems and applications and basically have different security appetite. Distributed IT Governance can address this issue where you develop policies and procedures which fit their needs and hand it over to the department to comply.
    Open network requires pretty much open borders, Instead of securing the network/system emphasis should be on data protection.

    [TABLE=9]

    Recent news from AT&T to make its network open where customers can use any handset of their choice, perhaps a reaction to in response to recent moves from Verizon and Google to promote open network. Specifically Verizon announced that it would allow “any device” and “any application” to operate on its network. These open networks does provide flexibility for customers but at the same time burden lies on the shoulders of the corporations to provide right balance of security and privacy with availability of the network.

    In an open network, reasonable security can be achieved by embracing ISO 27k standard and eventually acquiring ISO 27001 (ISMS) certification. Information Security Management System (ISMS) can be a great value added process to manage ongoing monitoring, maintaining and for process improvement of an open network. ISMS as a process in-place provides reasonable security safeguard to your information and certainly help to minimize the liability in the court of law.

    End-to-End Network Security: Defense-in-Depth by Omar Santos
    httpv://www.youtube.com/watch?v=zTJSMjYd9c4

    (Free Two-Day Shipping from Amazon Prime). Great books

    Reblog this post [with Zemanta]

    Tags: AT&T, Computers, Credit card, data protection, heterogeneous, impact, Information Security, Information Security Management System, isms, iso 27001, ISO 27k, ISO/IEC 27001, IT Governance, likelihood, Network registration, Omar Santos, Reasonable security, risk assessment program, security controls, threat, Universities network, Verizon, vulnerability, vulnerability management systems

    Oct 17 2008

    SmartPhone and Security

    Category: Information Security,Smart PhoneDISC @ 1:53 am

    Mobile spyware is malicious software which is used to spy and control mobile devices (BlackBerry, PDAs, Windows Mobile and Cell Phones). Mobile spyware will not only intercept the message between two devices but also determine the location of the device. Basically, mobile spyware software is installed on a mobile device to spy on them.

    Small businesses are usually not equipped to handle these threats. Just like laptops and desktops – mobile devices need security controls like antivirus, personal firewall, encryption and VPN to provide needed level of protection. Small businesses need to be aware of the security threats, like they might think that they are installing a game, which might very well be a key logger (logs your key strokes) or trojan software.

    [TABLE=6]

    Hackers on the move, WSJ August 11, 2008 by Roger Cheng – where he writes about more companies are letting employees use their personal smart phone at work and the security experts warns about the present threats in the industry. http://online.wsj.com/article/SB121803418845416977.html

    Tips to safeguard your smartphone
    httpv://www.youtube.com/watch?v=S64J4BCCoi4


    (Free Two-Day Shipping from Amazon Prime). Great books

    Tags: antivirus, encryption, hacker, intercept, key logger, malicious, mobile phone, mobile spyware, personal firewall, roger cheng, security controls, security expert, spy, threats, trojan, vpn, wsj

    « Previous PageNext Page »