Nov 26 2008

Cyber threats and overall security assessment

Category: Information Warfare,Risk AssessmentDISC @ 3:13 am

The main screen showing star names (color-code...
Image via Wikipedia

In the past when senior management (execs) needed to understand the financial implication of cyber threats and their exposures, they turned their questionnaires toward IT for relevant answers. In other words IT risk assessment was the answer in the past to understand the financial implications of cyber threats. The IT risk assessment is not the comprehensive or overall assessment of the company to understand the total implications of cyber threats. The overall assessment will not only include IT but also other departments like HR and legal etc… Basically cyber threats are neither IT issue and nor a legal or HR issue any more, it’s simply an enterprise management issue.

In old days the firewall was used as a major defense against potential cyber threats. The new cyber threats are sophisticated enough to demand better defense. New threats (virus, adware, worms, Trojan, spyware, spam, phishing) use modern techniques to bypass defenses. The potential risks of these new threats demand an immediate attention (of CFO or higher) and approval for resource allocation to protect against cyber threats. To make a solid business case for security ROI, senior level execs need to know the overall risk they are reducing, and their highest priority.

[TABLE=12]

ANSI and ISA have jointly released a document to assist senior management to prepare for financial implications for cyber threats. Basic essence of the guide is to provide a tool to execs to understand the financial implications of potential cyber threats to their organizations.

“The 40 page guide was put together by task force of risk management execs from more than two dozen organizations. The new guide offered by ANSI and the ISA recommends that CFO ask their various team’s questions about the biggest threats to data confidentiality, integrity and availability,” to get to know the existing controls in place and any relevant mitigation plan. Risk analysis of this information can help execs to map the cyber threats risks into correct financial terms and make better resource allocation.
The senior execs who want to implement information security as a process in their organization should consider ISO 27001 (ISMS) as a best practice, which provides a reasonable on-going due diligence to protect and safeguard organization data.

Reblog this post [with Zemanta]

Tags: availability, Business, Chief financial officer, cyber threats, data confidentiality, exposure, Financial services, Human resources, Insurance, integrity, isms, ISO/IEC 27001, Management, overall assessment, risk analysis, Risk Assessment, Risk management, roi, Security

Nov 17 2008

Harmful Spyware and their stealthier means

Category: Information Security,MalwareDISC @ 2:55 pm

Dozens of pop-up ads covering a desktop.

Spyware is utilized to gather information about a person with or without their consent and it intercept or record personal/financial information. Some spyware are capable of sending information back to another computer (originator of the spyware).

Characteristic of Spyware

• Compromise user machine without their knowledge
• Use vulnerabilities in the software to push a spyware code on the machine
• Install Trojans to gather data
• Gather personal and financial information to send it to attackers

Spyware are used to gather different kind of information which includes but not limited to advertising, corporate monitoring, child monitoring, governmental monitoring. Besides their legal use which is based on company policy or regulations monitoring spywares can be used for spying on a person without their consent. More common types of spywares are adware (serve advertising) and key-loggers (record keystrokes)

How you can get spyware on your machine: Spyware can be installed on your machine in many ways.

Below are some of the common ways to deliver spyware.
• Spyware can be installed on a computer via a virus or an email Trojan.
• Spyware can be installed on a computer by taking advantage of security flaws in Internet Explorer.
• Spyware sometime are included in the shareware program. User agreement for the shareware may make a reference to grant permission to allow the recording of your internet use
• Pop-up downloads are becoming a preferred method of installing spyware and adware. Pop-up download windows ask the users to download a program to their computers.
• Another popular way to distribute spyware is a drive-by download. It installs itself on the computer without user knowledge. It can be installed by simply visiting a website.

Windows Defender is software that helps protect your computer against pop-ups, and security threats caused by spyware and other unwanted software by detecting and removing known spyware from your computer. Most popular antivirus products now include adware and spyware scanning. You can find more adware and spyware removal tools at the Spyware Protection and Removal guide. This Web page includes links to popular spyware removal programs, as well as a number of useful articles. Also in Internet Explorer 7 (IE7) you can turn on/off the pop-up blocker. IE7 -> Tools -> Pop-Up Blocker. There is a pop-up blocker setting where you can allow exceptions for some sites and setup pop-up filter to high, medium and low.

Anti-Spyware, Registry Cleaner & PC Optimizer

Computer users particularly need to watch out for bogus spyware removal programs. They are dangerous because they punish the user for doing something right. Victims think that this will remove the spyware, instead in some cases computer users are paying to install a spyware.
Checkout the Rouge Anti-Spyware Products table

How to Protect from Spyware
httpv://www.youtube.com/watch?v=_w-DZNbq66I&feature=PlayList&p=18F23434175F964D&playnext=1&index=26

Reblog this post [with Zemanta]

Tags: adware, bogus spyware, drive-by download, financial information, Internet Explorer, keylogger, Pop-up ad, rouge anti-spyware, Security, shareware, Spyware, trojan, virus, Windows Defender, World Wide Web

Nov 04 2008

Open Network and Security

Category: Information Security,Open NetworkDISC @ 7:54 pm

Made and uploaded by John Manuel - JMK{{#if: |...

Open networks are heterogeneous environment where users like to use all the applications and systems at any given time. In a heterogeneous environment, each department run different hardware and software, but you can control the protocols which will work on this environment.

Universities are famous for open network. Most Universities network is comprised of a Bank (To give loan to students), a restaurant, and a bookstore which have credit card processing ability. Students, alumni, researchers, employee and staff need access to utilize resources. Now how would you control access if same person assume all the roles mentioned above. Universities are basically transient communities, where users come back and plug-in their new devices and expect an immediate access to all the resources. Where the reputation of openness is challenge at every step of the way, now the question is how can they maintain reputation and yet control the environment based on security policies.

Reasonable security can be accomplished by focusing on a process rather than adding yet another security control. The process is based on risk assessment program where you assess your critical assets based on threat and vulnerability pair and measure the likelihood and impact of a threat if a given vulnerability is exploited.

The process start with knowing your assets – Network registration will detect when you plug-in your new equipment. Before you get an access, it detects a hardware address and username. You can also control common misconfigurations and noncompliance issues with network registration process. Some vulnerability management systems discover assets and perform vulnerability and security configuration assessment to proactively identify and prioritize risks. New vulnerabilities are accessed from trusted site on a regular basis and when vulnerabilities are identified, the management system needs to have an ability to remediate to comply with the information security policy.

Most of the departments in an open network contains different systems and applications and basically have different security appetite. Distributed IT Governance can address this issue where you develop policies and procedures which fit their needs and hand it over to the department to comply.
Open network requires pretty much open borders, Instead of securing the network/system emphasis should be on data protection.

[TABLE=9]

Recent news from AT&T to make its network open where customers can use any handset of their choice, perhaps a reaction to in response to recent moves from Verizon and Google to promote open network. Specifically Verizon announced that it would allow “any device” and “any application” to operate on its network. These open networks does provide flexibility for customers but at the same time burden lies on the shoulders of the corporations to provide right balance of security and privacy with availability of the network.

In an open network, reasonable security can be achieved by embracing ISO 27k standard and eventually acquiring ISO 27001 (ISMS) certification. Information Security Management System (ISMS) can be a great value added process to manage ongoing monitoring, maintaining and for process improvement of an open network. ISMS as a process in-place provides reasonable security safeguard to your information and certainly help to minimize the liability in the court of law.

End-to-End Network Security: Defense-in-Depth by Omar Santos
httpv://www.youtube.com/watch?v=zTJSMjYd9c4

(Free Two-Day Shipping from Amazon Prime). Great books

Reblog this post [with Zemanta]

Tags: AT&T, Computers, Credit card, data protection, heterogeneous, impact, Information Security, Information Security Management System, isms, iso 27001, ISO 27k, ISO/IEC 27001, IT Governance, likelihood, Network registration, Omar Santos, Reasonable security, risk assessment program, security controls, threat, Universities network, Verizon, vulnerability, vulnerability management systems

Oct 29 2008

Laptop and traveling precautions

Category: Laptop SecurityDISC @ 12:58 am

Laptop security

Best practice emphasize the fact to backup the data if you can’t live without it, in the same way a traveler must avoid taking sensitive data on the road unless it’s absolutely necessary to do so. If you do plan to take sensitive data with you on the laptop, the necessary security controls must be implemented and go with the sensitive data. The data protection controls should be based on your information security policy data classification.

The laptop hardware itself is only worth few hundred dollars these days, but on the other hand it’s hard to put a price tag on the exposed data which may have a drastic impact on your organization, especially these days when most of the organizations are at the edge due to financial chaos.
Frequent travelers know it’s possible to lose a laptop or lose data because laptop may become inoperable due to hardware malfunction. Planning an important business trip should include encrypting sensitive data and backup on a remote website (Carbonite). So in case you lose your laptop or it’s is inoperable for some reason, you can remotely recover backed up files from site within reasonable time.

[TABLE=8]

Here is how you can encrypt your data on Windows laptop with built-in utility EFS

1. Create a new folder, and name the folder Private.
2. Right click the new folder and choose properties
3. Click advanced button
4. Check encrypt contents to secure data box and then click OK, Apply and OK again.

You have created a secure area where you can put your sensitive documents. Any file or subfolder you add to this folder (Private) will be encrypted automatically. Basically any type of file except Windows system file will be encrypted in this folder. Now if the attacker steal your laptop and remove your hard drive and mount on a system where the attacker has administrative privileges, the attacker will not be able to access the contents of the folder Private. On the other hand 256-bit AES encryption key is stored in encrypted form as a file attribute called the data decryption field (DDF). The EFS private key, needed to decrypt the DDF and extract the file encryption key, is also stored in encrypted form in the registry. The master key, which is used to obtain the key needed to access the EFS private key, is encrypted by the systems key and also stored locally. So the attacker will be able to decrypt the EFS protected files if he can somehow get possession of the system key.

Luckily we do have a choice whether to store the system key locally on your laptop. If you click start, then Run and then launch syskey.exe utility, you can choose how and where the system key will be stored. The dialogue box will present three options.

1. Store the startup key locally
2. Store the startup key on the floppy disk
3. Generate the startup key from a password

With the two non default options, you will be requiring to either insert the floppy or enter the password whenever the laptop is BOOTED. The floppy option is highly inconvenient for laptop users but the password options seem sufficient to protect the laptop data. On the laptop which doesn’t have a floppy drive, don’t try to click the floppy option because when you boot next time the laptop will be looking for the system key on a floppy before booting.

Survey: CISOs worried about mobile data security

**The real Hustle – Laptop Theft Scam
httpv://www.youtube.com/watch?v=Gb3ZiTJkCaA


Reblog this post [with Zemanta]

Tags: aes, Backup, Booting, carbonite, Cryptography, data classification, data ptotection, ddf, efs, encryption, exposed data, financial chaos, Hardware, Notebooks and Laptops, private key, Security, security controls, sensitive data, system key, threats, Windows

Oct 21 2008

12 Phishing Threats and Identity Theft

Category: Email Security,Identity TheftDISC @ 7:22 pm

Have you ever thought of losing something and you cannot live without it? Yes, that something can be your identity. Phishing is a practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords, financial or personal information. In daily life people advise to retrace your steps when you lose something. The question is how you retrace your steps on cyberspace where some uber hackers know how to erase their footsteps to avoid detection. It is difficult to find phishers in cyberspace, and jurisdictional issues make it even harder to prosecute them. Then there is an issue of trust that phishers dupe people to believe that their web site is not fraudulent to collect personal/financial information.

Amongst the financial crisis, phishing might be on the rise because for many organizations information protection might be the last thing on their mind. The FDIC has created a webpage to inform and warn consumers about “phishing.” These days phishers have targeted social network organizations LinkedIn and Facebook where their members have been duped into revealing their sensitive data.

Mainly phishing attacks are targeted to steal the identity. Now the question is, how easy it is to steal somebody’s identity? Let’s say a phisher has your name and address, and then he/she can get your Social Security number with the search on AccurInt or other personal database website. A Social Security number is not the only bounty a fraudster can find on these websites, other personal/private information is available as well at minimal cost.

In the table below are the 12 threats to your online identity which can be manipulated in phishing scams, and possible countermeasures to protect your personal and financial information. Some threats are inadequate or no security controls in place. The last row of the table is a monitoring control to identify the warning signs of identity theft.

[Table=7]

Organizations should take necessary steps to protect against identity fraud and apply whatever state and federal legislation applies to your business. Organizations which are serious about their information security should consider implementing the ISO 27001 (ISMS) standard as a best practice, which provides reasonable due diligence to protect and safeguard your information.

US Bank phishing attack exposed
httpv://www.youtube.com/watch?v=n2QKQkuSB4Q


(Free Two-Day Shipping from Amazon Prime). Great books

Tags: accurint, countermeasure, cyberspace, due diligence, equifax, experian, facebook, fdic, financial crisis, fraudster, identity fraud, information protection, isms, iso 27001, jurisdictional, legislation, linkedin, phishing, prosecute, safeguard, social security, threats, transunion, uber hacker

Oct 17 2008

SmartPhone and Security

Category: Information Security,Smart PhoneDISC @ 1:53 am

Mobile spyware is malicious software which is used to spy and control mobile devices (BlackBerry, PDAs, Windows Mobile and Cell Phones). Mobile spyware will not only intercept the message between two devices but also determine the location of the device. Basically, mobile spyware software is installed on a mobile device to spy on them.

Small businesses are usually not equipped to handle these threats. Just like laptops and desktops – mobile devices need security controls like antivirus, personal firewall, encryption and VPN to provide needed level of protection. Small businesses need to be aware of the security threats, like they might think that they are installing a game, which might very well be a key logger (logs your key strokes) or trojan software.

[TABLE=6]

Hackers on the move, WSJ August 11, 2008 by Roger Cheng – where he writes about more companies are letting employees use their personal smart phone at work and the security experts warns about the present threats in the industry. http://online.wsj.com/article/SB121803418845416977.html

Tips to safeguard your smartphone
httpv://www.youtube.com/watch?v=S64J4BCCoi4


(Free Two-Day Shipping from Amazon Prime). Great books

Tags: antivirus, encryption, hacker, intercept, key logger, malicious, mobile phone, mobile spyware, personal firewall, roger cheng, security controls, security expert, spy, threats, trojan, vpn, wsj

Oct 13 2008

World Bank security breach and financial crisis

Category: Information Warfare,Security BreachDISC @ 1:56 am

The World Bank controls the World’s banking system, creates plans and strategies to develop economies to protect countries from financial turmoil. This information is a treasure trove of data which can be manipulated for huge monetary or political gain.

Amongst the financial crisis, a major security breach has been reported at World Bank that might tell us a story that protecting consumers’ data during these crisis might not be the first priority for many suffering financial institutions.

World Bank Under Siege in “Unprecedented Crisis

“It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.”
“In total, at least six major intrusions — two of them using the same group of IP addresses originating from China have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month. ”

The World Bank’s technology and security expert states that the incident is an “unprecedented crisis.” Some security experts are saying that this might be the worst security breach to date at a global financial institution. The hackers controlled around 18 servers for more than a month and World Bank admits that sensitive data could have been stolen but they are not sure about the total impact of the breach.

Alan Calder wrote about “Data protection and financial chaos” and mentioned that “When financial markets appear to be in free fall, many organizations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist anymore?”
I concur with Alan on this point, in the midst of this chaos, our personal data might be at great risk and we have to be vigilant and carry the load to protect our data. At the same time, this might become another reason for the financial institutions’ demise if they let their guards down now and do not make a priority to protect customers’ data.

During this turmoil, some financial institutions’ upper management doesn’t have to worry about their responsibility of securing the customers data adequately when they already know that eventually the taxpayers will be paying for their mistakes and their bonus plan will stay intact. Unprecedented crisis are sometimes the result of unprecedented greed.

Glassner “I don’t know that the captain of the Titanic got a bonus for driving the boat into iceberg. They at least had the decency to go down with the ship” [quoted in ‘Wachovia’s Golden Parachutes” story in S.F. Chronicle of 10/10/08 pg. C1].

Bill Gates “I’m quite worried about the fiscal imbalances that we’ve got and what that might mean in terms of financial crisis ahead.”

Chinese hackers: No site is safe
httpv://www.youtube.com/watch?v=ovNVhk1rVVE&feature=related


(Free Two-Day Shipping from Amazon Prime). Great books

Tags: china, consumers data, data protection, deeply penetrated, financial chaos, financial crisis, full access, hackers, inicident, monetary gain, restricted treasury, Security Breach, sensitive data, spy software, treasure trove, unprecedented crises, unprecedented greed

Oct 08 2008

Skype and Information Privacy

Category: Information PrivacyDISC @ 1:00 am

According to an SF chronicle article by Peter Svensson (Oct 3, 2008, pg. c4) “A Canadian researcher (Nart Villeneuve) has discovered that the Chinese version of eBay Inc.’s Skype communication software snoops on text chats that contain keywords like “democracy”. “

In other words, the Chinese version of Skype was used for surveillance of text messages between two users. Researcher Nart Villeneuve not only found that the application was filtering specific words but that it was also passing the messages caught by the filters to other servers. Because of poor security on those servers, Nart was able to recover more than a million messages from those servers.

Well, based on Skype’s previous claim that messages between two systems are encrypted and only public keys on those systems can decrypt those messages, this is questionable. Also, this revelation does not agree with Skype’s claim that software discards the filtered messages.

Now the question arises that how do we know that our text messages on Skype are not being tapped in the United States?

Are privacy and security laws only applicable to consumers but not the corporations? If that’s true then our state of security and privacy is in pretty dire shape. It seems like consumers’ information is for sale to the higher bidder without our consent or appropriate compensation.

Without any credible evidence, our Govt. should not be able to perform wholesale surveillance (profiling) for the sake of security. We are building a society of fear where everybody is under surveillance and is a suspect until proven innocent, which sounds like we are living in a police state.

Laws of secrecy and unnecessary surveillance will ultimately diminish the fundamentals of democracy. To lift the cloud of secrecy behind these sorts of initiatives the public needs to put pressure on their public representatives to dig out the truth. Otherwise the mound of voluminous data from surveillance can be used to harass innocent people and be used as a tool to distract from reality.

We cannot expect our information to be secure unless we trust our Govt. to protect our privacy and corporations to secure our information.

Skype’s China Spying Uncovered
httpv://www.youtube.com/watch?v=60SFGH3lxLg


(Free Two-Day Shipping from Amazon Prime). Great books

Tags: compensation, credible evidence, democracy, dire shape, encrypted, filtering, poor security, reality, snoops, surveillance, voluminous

Oct 07 2008

vsRisk and security risk assessment

Category: ISO 27k,Security Risk AssessmentDISC @ 3:18 pm

Information Security Risk Management for ISO27001 / ISO27002

The State of California has adopted ISO/IEC 27002 as its standard for information security and recommends other organizations and vendors to use this standard as guidance in their efforts to comply with California law.

To achieve an ongoing compliance, major organizations require tools to comply with standard such as ISO 27002/ISO27001. vsRisk is an easy to use Information Security Risk Assessment tool which makes risk assessment process consistent, easier and produces required documentation to achieve ISO 27001 certification . vsRisk also aligns seamlessly with standards like ISO 27002, ISO 27005 and NIST SP 800-30.

vsRisk helps organizations to develop an Information Security Management System (ISMS) asset inventory and capture business, legal and contractual requirements against each asset. vsRisk is customizable to meet specific needs when introducing new risks, vulnerabilities and controls without any additional help from a consultant. vsRisk helps you focus on assets rather than on threats and vulnerabilities. This is an approach which works by treating business processes as an asset, which is examined for their criticality, lack of security and consequences of failed process can be examined. In this regards, vsRisk is an effective and efficient tool by identifying most important points and key issues right away, which focusing on threats doesn’t.

Major benefits of vsRisk tool:
1. It is the definitive ISO27001 risk assessment tool, compliant
with all the key information security standards – which means that
you can be certain that a vsRisk risk assessment will help you
achieve ISO27001 certification.
2. It is designed to be usable – your lead risk assessor and any
asset owners involved in your risk assessment are going to find
their task made easier
3. Unique features include the risk assessment wizard, which
standardizes the risk assessment process and guides asset owners
through the risk assessment process.
4. vsRisk creates a baseline from which future risk assessments can
easily be made.
5. vsRisk integrates with ISMS documentation toolkit, for even
greater usability.

“vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk assessment and can assess confidentiality, integrity and availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001. Providing a comprehensive best-practice alignment, it supports ISO 27001 and 27002 (ISO/IEC 17799) disciplines, and is ISO/IEC 27005 and NIST SP 800-30 compliant. It also offers a wizard-based approach that simplifies and accelerates the risk assessment process, plus integrates and regularly updates BS7799-3 compliant threat and vulnerability databases.”

The key to successful Risk Management is to protect your most important/critical assets. The importance/criticality of an asset might change over time. That is another reason to automate security risk assessment process to recalibrate your risks based on current state of security.

Risk Management to ISO27001/NIST Wizard-based risk assessment tool Simplifies compliance – To buy vsRisk tool!

Meet Stringent California Information Security Legislation with Comprehensive Toolkit

ISO27001 EXPERTS CAN HELP COMPANIES MEET STRINGENT CALIFORNIAN …
EIN News (press release) – Netherlands
vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk …

Tags: asset owner, automate security risk assessment, baseline, california, isms, iso 17799, iso 27001, iso 27001 certification, iso 27002, iso 27005, nist sp 80-30, sb 1386, vsrisk

Sep 29 2008

Vista and defense in depth

Category: Information Security,Vista SecurityDISC @ 3:47 pm

To be competitive and successful in today’s business environment demands a serious consideration of information security. Sometime low risk item could damage your company business and can lead to lose sensitive data. To recover from the aftermath of an incident can be a costly proposition.

One way to deal with the new threats is to be vigilant and know your weaknesses by assessing your infrastructure. On the other hand it helps a great deal to have an operating system which comes with built in security controls which you can turn on and off based on your security needs. Microsoft claims that Vista is the most secure operating system yet and was built with security as a top priority. However with all these built in security features, you may need to make some configuration changes to fit in your security requirements.

Windows Vista comes with many built in security features to protect your business assets. Below are the new security features.

[TABLE=4]

In the past access was the top priority for Microsoft operating system (open by default – start locking down as needed). Now in Vista the control is a top priority (closed by default – start opening up as needed).
Vista security development life cycle (SDLC) follows defense in depth model which compartmentalized and makes it tough for the intruder to get to the crown jewel. At the same time intruder risk the chance of detection at every layer. Defense in Depth model:

[TABLE=5]

Vista Service Hardening:
Vista service hardening is designed to run services with the least possible privileges. Four different features are utilized to achieve service hardening.

o Service isolation
o Least privilege
o Restricted network access
o Session 0 isolation

Service isolation – is a method by which a service can access an object without having a super user access account to secure the objects like registry keys.

Least privilege – Based on best practice each service should utilize the least privilege necessary to accomplish the task. Under Vista, when service initiate, it request for specific privileges provided by the local system.

Restricted network access – Under Vista, a service access can be restricted by TCP/UDP port, protocol, and direction that network traffic is flowing. Restricted network access will limit attack vector by blocking unnecessary ports, protocols and direction of the traffic.

Session 0 isolation – Vista does not allow any user application to run with session 0. All user applications must run in session 1 or higher. Only services and other non-user facing application run on session 0, to maintain isolation between services and user application.

Service hardening, when combined with other security features provides a tough defense. This defense in multiple layers is aimed to safeguard your system and also enables your business to be successful by keeping the threats at acceptable distance.


(Free Two-Day Shipping from Amazon Prime).

Tags: closed by default, compartmentalize, defense in depth, incident, intruder, least privilege, open by default, restricted network access, safeguard, sdlc, security features, sensitive data, service hardening, service isolation, session isolation

Sep 18 2008

Email and Security

Category: Email SecurityDISC @ 3:14 am

As we know, it is possible to spoof an email sender’s name, so now the question of how to authenticate the sender has become even more important, since email has been used to send sensitive information.

In the recent case of Gov. Sarah Palin’s email, her email account got hacked and the hacker posted the screen shot of her email to WikiLeaks. Freedom of information laws require messages from government email accounts to be placed into the public record, so some public officials try to use Yahoo/Gmail to keep the information out of public scrutiny.

First of all public figures should avoid using public email addresses and even if you do don’t make it so obvious by naming it eponymously as did Gov.Palin. This information is owned by the commercial email sites and system administrators can see the email in the mailbox and can capture the text in transit. In commercial sites you will draw a great amount of attention, If you happen to be a high profile figure.

Second, perhaps we should not use commercial channels for private or sensitive information. If it’s necessary to use email as for sensitive information, make sure your email is encrypted in accordance with the Advanced Encryption Standard.

Third, two factor authentication for sensitive email is industry standard now, which requires the user to possess something (Token) and something only the user knows (Password or PIN). Two factor authentications provide identity theft protection.

Finally, strong authentication is a solution to secure identities and use of the Advanced Encryption Standard minimizes the exposure of email content.

How to forge email addresses


(Free Two-Day Shipping from Amazon Prime).

Tags: authenticate, authentication, encryption, minimize exposure, palin, secure identities, spoof, theft protection

Sep 04 2008

Web 2.0 and more data

Category: Information Security,Web 2.0DISC @ 5:52 pm

According to the Identity Theft Resource Center of San Diego, “the data breaches are on the rise in 2008” and with more data breaches so are the impact and amount of losses. Web 2.0 is next phase of internet creation, where huge social networks are built and citizens of the network enjoy the interactive and conversational approach of the new web frontier. Does the web 2.0 introduce new threats which can be exploited by cyber criminals?

To aid a social communication, users are required to input personal profile including birth date and residence addresses into these social networks to participate, which happens to provide a target rich environment for cyber criminals. These days new attacks are already taking advantage of personal information, some of which is retrieved from social network sites. If the account is hacked/breached from one of these social network sites, the impersonator can damage the (personal and professional) reputation by modifying the profile or changing/inserting the contents or comments.

Cross site scripting is one of the major threat facing Web 2.0, below is an example of XSS.

“In an incident reported in early December 2006 by Websense, hackers compromised the MySpace social networking site and infected hundreds of user profiles with a worm. This malicious code exploited a known vulnerability to replace the legitimate links on the user profiles with links to a phishing site, where victims were asked to submit their username and password. In addition, according to Websense, the worm embedded infected video in victims’ user profiles.”

AJAX is one of the main programming languages used to develop Web 2.0.

“A traditional Web site is like a house with no windows and just a front door. An AJAX Web site is like a house with a ton of windows and a sliding door. You can put the biggest locks on your front and back doors, but I can still get in through a window.”

What if you happen to be a peace activist or a whistle blower in your company? Then perhaps Uncle Sam or your employer wants to settle scores with you for some reason. The question is who is monitoring them or for that matter stopping them from getting into your account to steal or modify data to damage your reputation or career? The point is, besides all the functional benefits, web 2.0 comes with new threats which we need to be aware of. Without knowing these risks we can’t manage or mitigate them to a point which is acceptable to the society at large.

Web 2.0 contents are mostly interactive or dynamic in nature. The tools which were used to defend static contents might not be feasible for dynamic web 2.0 contents. Non-repudiation, validating the source and real time verification of the contents might be necessary to stay on top of the dynamic nature of web 2.0 threats.

Web 2.0 – Opportunity 2.0 or Threat 2.0?

How freely available online infomation on Web 2.0 was utilized to break into online banking account

Web 2.0 … The Machine is Us/ing Us

httpv://www.youtube.com/watch?v=6gmP4nk0EOE


(Free Two-Day Shipping from Amazon Prime). Great books

Tags: ajax, cross site scripting, cyber criminals, data breaches, identity theaft, mitigate, non-repudiation, phishing, Web 2.0, web 2.0 threats, websense, xss

Aug 25 2008

Laptop security and vendor assessment

Category: Laptop Security,Vendor AssessmentDISC @ 2:37 am

Another report of a laptop stolen, this one containing reams of sensitive customer information. The laptop was later returned in the same office complex, to a room which was reportedly locked; however, the sensitive data on the laptop was not encrypted.

According to a San Francisco Chronicle article by Deborah Gage (Aug 6, 2008, pg. C1): “A laptop containing personal information on 33,000 travelers enrolled in a fast pass program at San Francisco International Airport turned up Tuesday in the same airport office from which it had been reported missing more than a week ago.
The machine belongs to Verified Identity Pass, which has a contract with the TSA to run Clear, a service that speeds registered travelers through airport security lines. Verified Identity operates the program at about 20 airports nationwide.
The computer held names, addresses and birthdates for people applying to the program, as well as driver’s license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information.
Travelers in the Clear program pay to have the TSA verify their identities. In return, they receive a card that gives them access to special security lanes in airports so they can avoid standing in line to go through security.
The TSA said in a statement that Verified Identity was out of compliance with the administration’s procedures because the information on the laptop was not properly encrypted. Now the company must undergo a third-party audit before Clear can resume, the TSA said.”

When TSA states that the vendor (Verified Identity) was out of compliance, does that make the vendor liable for negligence? Not unless this was stated clearly in the contract that the vendor will be liable if customers’ private data is exposed unencrypted. Which means private data should be encrypted if it’s at the server, in transit or on the laptop.
This brings the question if the 3rd party service provider (vendor) should be considered for the security risk assessment and how often. This question should be considered before signing a service contract with the vendor and what criteria or standard should be used to assess the vendor. Should this assessment include the security office 3rd party cleaning staff, perhaps yes, considering sometime cleaning staff does have an access to very sensitive areas in the organization? Many of the controls applied to contractors should be more or less the same as applied to regular employees but the contractor who has access to sensitive information potentially should have more controls then the regular employees, which should be clearly defined in the service contract.
Before signing the service contract, due care requires the organization should always assess the vendor’s security posture based on their own information security policy and ISO 27002 standards. Depending on the risk assessment report, the organization can negotiate the controls necessary to protect the security and privacy of their data and customers with given vendors. At this point the organization needs to make a decision, if the vendor is up to par as far as information security is concerned and if negligent, give them some sort of deadline to improve controls to become a business affiliate. Depending on the level of data sensitivity, some vendors might be required to acquire ISO 27001 certification to become a business partner. This clause should be clearly included in the service contract.
Assessing the vendor on a regular basis might be the key to know if they are complying with the required security clauses mentioned in the service contract and make them potentially liable for non-compliance. If the vendor fails the assessment the organization should follow up with the vendor to remediate those gaps within a reasonable time frame, otherwise this constitutes a breach of the contract.

Laptop Security
httpv://www.youtube.com/watch?v=dytZBBlDMJs


(Free Two-Day Shipping from Amazon Prime).

Tags: assessment, business affiliate, compliance, data sensitivity, iso 27001, iso 27002, laptop stolen, privacy, service contract, social security numbers, TSA, verified identity

Aug 21 2008

Access control fraud and countermeasures

Category: Access ControlDISC @ 1:22 am

These days access to the internet is a business requirement. Most businesses are selling their products and services on the internet which sometimes requires customers to have access to the critical assets such as applications and databases. The global growth of the internet has increased complexity and potential risks to these assets. In some cases, one potential breach may put the organization’s very existence at risk.  French bank Société Générale made a frightening announcement in Jan. 2008 that it has uncovered a $7.14 billion US fraud — one of history’s biggest.  A trader at the futures desk misled investors in 2007 and 2008 through a “scheme of elaborate fictitious transactions.”


In a security review, the reviewer will first determine the criticality of an asset and focus on how that asset is accessed by employees, the risks that unauthorized access by insiders or outsiders could pose to the organization, and if access control has sufficient countermeasures in place to mitigate those risks.  In other words, the security review will determine the risk level of access control to a particular asset and what appropriate control should be in place based on level of risk. At the same time, the business’s first priority is to make information available with effective access control in place. Based on criticality, assets subject to security review present different level of risk associated with access control. In other words, “not all data breaches are created equal.”


Authorization control is utilized to determine access to network resources. Authentication will determine the identity of the user. Authentication verifies that the login belongs to a user who is attempting to gain access to the system which can be obtained through PKI, smart cards, USB devices, tokens and biometrics.  Accounting keeps the records of user activity including what was used, when and for how long. Most of the application and operating systems have strong auditing features in place to track the activities of a user. Accounting records can be very useful for forensic evidence in case of a security breach. Authenticity covers validity of the information, if someone misrepresents your information by claiming that it is his or hers. Authenticity addresses all forms of information misrepresentation and authenticity of the system users.


In system profiling, the reviewer determines the criticality of access control and the risk posed to an organization where the risk is directly proportional to the criticality of an asset. Higher risk will require stronger controls or perhaps multiple controls. Security review should determine that controls in place are sufficient to avoid unauthorized access and non-repudiation of information and people. In many ways a password is the weakest link in the access control of a network defense. The best passwords are at least 60 random characters, letters, numbers, and punctuation which can be stored on a portable flash drive flash drive, to be retrieved when needed. All the passwords for the critical infrastructure should have these password characteristics. One weak password in the critical infrastructure can become a launching pad to access other resources in the network.


Security tools can be used to collect user permissions in a spreadsheet, which can be utilized to analyze the effectiveness of authentication, authorization, accounting, and authenticity. This analysis will determine if users have appropriate access based on need, role and security policy of the organization. Non-repudiation is the cornerstone of access control which assures the validity of a transaction and user. Regular monitoring and non-repudiation of users in all facets of access control might be necessary to mitigate the identity fraud associated with high profile assets. Compliance only addresses the bare minimum required to comply with a control but to measure the strength of a control in high profile assets, a security reviewer should use due care to regularly evaluate the effectiveness of access control at all levels. It might not be an example of due diligence when some regulations fail to require data encryption.


Security Threats


Rogue Trader Crushes Bank Societe Generale


httpv://www.youtube.com/watch?v=h4qD_ooM198


(Free Two-Day Shipping from Amazon Prime). Great books

Tags: accounting, authentication, authenticity, authorization, bast passwords, countermeasure, data encryption, due diligence, fraud, higher risk, identity fraud, mitigate, non-repudiation, potential risks, security review, security tools, societe general, unauthorized access

Aug 08 2008

PCI DSS significance and contractual agreement

Category: pci dss,Security ComplianceDISC @ 11:52 pm





The PCI DSS (Payment Card Industry & Data Security Standard) was established by credit card companies to create a unified security standard for handling credit card information.  The retail service industry now understands the strategic significance of PCI DSS compliance, which was demonstrated when TJX announced that their system was compromised for more than 17 months, where well over 50 million customers’ credit and debit cards were breached. Retail business which fails to comply will be subject to penalties and fines, possibly lawsuits, and may lose their credit card processing capability. Non-compliance will not only expose businesses to fines and penalties but also make it vulnerable to many threats, which can exploit the vulnerabilities in the system and put your business to unnecessary risk. These risks could have been avoided with some due diligence. When business is non-compliant, any major breach will have a significant impact on business viability.


To start a process of PCI compliance, a merchant should determine if PCI DSS applies to their organization.  PCI DSS is applicable if your customer PAN (Primary Account Numbers) is stored, processed or transmitted in your organization. After determining the applicability of the standard, the merchant needs to determine where their business falls in the categorization of businesses by their bank in terms of merchant level.


Before commencing the risk assessment the assessor will perform the system profile to determine the applicability of the scope and set the boundaries of the system covered under PCI-DSS assessment. Planning is the key to success of a project; this is the phase where all the planning and project preparation will take place.   Now the key to the success of your on-going compliance is to simplify the scope of the project. The best way to achieve this to put all the PCI related assets in a precise segment to limit the merchant card holder environment.


Comprehensive risk assessment will be performed on the identified scope where risk analysis will identify the gaps based on PCI DSS standards and risk rating will prioritize the gaps for risk management.  Thorough risk analysis will generate a quality technical and process gap analysis, where you decide the mitigation/compensating controls to comply with PCI DSS.  After completion of the risk assessment the task of the risk management begins, to eliminate the gaps in your environment and to comply with the standard. Depending on the numbers of gaps the risk management team should set realistic goals to complete the tasks in hand.  Best practices recommendations suggest that the organization should eliminate/mitigate the high risks (high impact & probability) gaps to the organization, but sometime organizations decide to go after the low hanging fruits to start with their risk management process.


When the risk management process gets close to finishing and you are well on your way to comply with PCI DSS, you might think that perhaps your job is done. Well in a way, it’s just a beginning of a process where your organization is supposed to maintain the compliance with PCI DSS.  Based on expert opinion, PCI DSS is a process not a project. What you have done so far, is baseline your environment. Ongoing compliance is achieved by monitoring the relevant PCI DSS controls. Ongoing compliance will depend on the quality of the merchant’s information security management system (ISMS). A strong  ISMS would include thorough monitoring, logging and reviewing controls to maintain and improve system security over time.  You can develop an automated PCI monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. ISMS (based on ISO 27001) certainly can be a great value to manage ongoing monitoring, maintenance and improvement cycle.


In a sense, PCI is neither a regulation nor a standard but a contractual agreement between the merchant and their acquirer bank, when merchants start transmitting PAN data that makes them contractually obligated to comply with PCI DSS. To understand their obligations, the merchant should make a proactive effort to understand their acquirer’s particular interpretation of PCI DSS requirements to get compliant.  Ongoing compliance will require adequate resources and automated controls in place to routinely monitor, maintain, review and improve the required systems. Ultimately, ongoing PCI compliance will enhance business efficiency and reduce the potential impact of adverse publicity on your business image.


 












Documentation Compliance Toolkit

PCI Compliance

Practical guide to implementation (Soft Cover)

Practical guide to implementation (Download)



PCI Compliance
httpv://www.youtube.com/watch?v=0NUTs-aFtOA

Tags: business efficiency, business image, compensating controls, comprehensive, contractual agreement, gap analysis, isms, iso 27001, merchant card holder, mitigate, pan, pci compliance, pci dss, risk analysis, Risk Assessment, risk management process, tjx

Aug 08 2008

ISO27k and compliance

Category: Information Security,ISO 27kDISC @ 2:42 am

Security review is performed to identify and analyze risks and weaknesses in the current security posture of an organization. An ISO assessment is performed utilizing international standard ISO 27002 and company security policy, the purpose of the review is to evaluate the information security posture of an organization based on international standard. The level of compliance will indicate how close your organization is to meeting the key objectives for each 133 controls defined within 11 security control clauses collectively containing a total of 39 main security categories and one introductory clause introducing risk assessment and treatment.

It is important to not only assess the control for completeness (all relevant areas are addressed) and comprehensiveness (each individual area is covered completely), but also this balanced framework serves as the basis for both measuring an organization’s effectiveness in addressing risk and structuring an organization’s overall security program. Because ISO 27002 requirements are largely a superset of other major regulations, achieving ISO 27002 compliance positions most organizations to be well on their way to meeting the requirements of SOX, HIPAA and GLBA.

To achieve ISO compliance, thorough assessment utilizing all 133 controls will provide mitigating solution guidelines for gaps. To give your business an edge, conduct a security review based on ISO controls, if you would like to compare your security practices with international standard.
The result of the assessment will not only establish and maintain security policy, but also validates the policy’s completeness, design new controls and provide a road map to mitigate risks. An assessment of risks will determine what issues need to be addressed and provide a guideline to meet security regulations and a road map to build a world class ISMS (Information Security Management System).

ISO27001 is an international standard which is considered as an information security best practice or due diligence and is part of the security controls and audit controls specification document. ISO27002 is a code of practice which recommends guidelines for information security management systems and is closely linked to ISO 27001. ISO27001 continues to provide comprehensive best-practice advice and guidance to private and public organizations around the globe on how to design and implement a compliant information security management system ISMS.
An ISMS is not simply a set of documents. Maintaining and improving ISMS allows it to grow over time to address new business requirements. An ISMS is simply a system which addresses information security risks facing an organization and identifies the level of organization compliance with applicable regulations.

Reblog this post [with Zemanta]

Tags: glba, Health Insurance Portability and Accountability Act, hipaa, Information Security, Information Security Management System, isms, iso 27002, iso assessment, iso compliance, ISO/IEC 27001, ISO/IEC 27002, sox

Aug 08 2008

Risk Assessment and System Profiling

Category: Risk AssessmentDISC @ 2:39 am

In real estate it’s all about location and the same way to succeed in information security risk assessment, it’s all about precise profiling of a system under review. The system profile sets the boundaries of an assessment and the reviewer includes or excludes assets in the review based on their criticality and sensitivity and the business objective of an assessment. A poorly defined system profile will result in a poor quality risk assessment effort, and puts the system at unnecessary risk. A well defined system profile covers all the unacceptable risks to the system and hence is the precursor to a successful risk assessment.


In order to understand business and operational risks, before setting up the scope of an assessment the system under review needs to be profiled with the business owner or system custodian.  For an effective system profile, it is necessary to understand the objective of an assessment, needs driving the project and any inherent threats and weaknesses to the system. In a system profile the reviewer finds out all the main business functions performed by the system and its contribution to the key business objectives is determined. These business objectives will drive the data classification and system criticality of the system profile.  The business impact rating is determined based on financial, operational, technological and physical threats to the confidentiality, integrity and availability of the system


System Interdependencies and Interfaces:


System boundaries identify where one system begins and other one ends. Determining all the interfaces to other systems is an important part of profiling the system. An interface is a connection between two systems, so most systems have multiple interfaces. The reviewer needs to determine what kind of communication and authentication protocols are utilized in the interfaces and how often the passwords are changed on these interfaces. To cover all the related interdependencies of a system, all the relevant application, operating systems, hardware, communication protocol, network topology, dataflow architecture needs to be profiled.  All the applications and operating systems (current release, life cycle, patch cycle) authentication and authorization details need to be evaluated as well. (Who needs authorized access, how often, and are there any exceptions?)


The best way to gather relevant information for an accurate profile is to conduct on-site interviews with the business owner and relevant subject matter experts. In addition, questionnaires, document review and scanning tools can be utilized as well.  Based on the system criticality and data classification and all the other relevant threats to the system, the overall business risk to the system is determined which is based on a (high, medium and low) scale. A carefully done system profile is integral to a sound risk assessment and ensures a common understanding of the system under review. Several business functions can utilize this valuable data and valid security decisions can be made.


 Information Security Books


Internet Security



httpv://www.youtube.com/watch?v=np1kSQHH0uM

Tags: classification, criticality, current release, interdependencies, interfaces, life cycle, patch cycle, protocols, sensitivity, threats, valuable data

« Previous Page