Oct 26 2009

ChoicePoint fined for security breach

Category: Security Breach | DISC @ 1:10 pm


Atlanta Business Chronicle reported on Monday, October 26, 2009 that ChoicePoint Inc. will pay federal regulators $275,000 for a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identity theft, the Federal Trade Commission said.

The company, now owned by Reed Elsevier Inc., also agreed to strengthened data security requirements. ChoicePoint now must report to the FTC every two months for two years detailed information about how it is protecting the breached database and certain other databases and records containing personal information.

The moves settle Federal Trade Commission charges that ChoicePoint failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order.

In April 2008, ChoicePoint turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention.

The FTC alleged that if the security software tool had been working, ChoicePoint likely would have detected the intrusions much earlier and minimized the extent of the breach. The FTC also claimed ChoicePoint’s conduct violated a 2006 court order mandating that the company institute a comprehensive information security program reasonably designed to protect consumers’ sensitive personal information.

The FTC’s prior action against ChoicePoint involved a data breach in 2005, which compromised the personal information of more than 163,000 consumers and resulted in at least 800 cases of identity theft. The settlement and resulting 2006 court order in that case required the company to pay $10 million in civil penalties and $5 million in consumer redress.

Choice Point Victim (video): http://www.youtube.com/watch?v=90qWVtAuE_A


Tags: ChoicePoint, Choicepoint breach, ChoicePoint fined, Federal Trade Commission, FTC, Identity Theft, Reed Elsevier, Security Breach, social security, Social Security number


Oct 23 2009

‘China using elite hacker community to build cyber warfare capability’

Category: Cybercrime | DISC @ 4:44 pm


London, Oct 23 (ANI): The Communist regime in China, with the help of an elite hacker community, is building its cyber warfare capabilities and appears to be using a long-term computer attack campaign to collect US intelligence.

An independent study released by a congressional advisory panel found cases that suggested that China’s elite hacker community has ties to Beijing, although there is no substantial proof.

The commission report details a cyber attack against a US company several years ago that appeared to either originate in or come through China and was similar to other incidents also believed to be connected to that country, The Telegraph reports.

Data from the company’s network was being sent to multiple computers in the US and overseas, according to an analysis done by the company over several days.

The report contends that the attackers targeted specific data, suggesting a very coordinated and sophisticated operation by people who had the expertise to use the high-tech information.

An Internet Protocol (IP) address located in China was used at times during the episode, the paper reports.

The Chinese Government is said to view such cyber prowess as critical for victory in future conflicts, similar to the priority on offensive cyber abilities stressed by some US officials.

Potential Chinese targets in the US would likely include Pentagon networks and databases to disrupt command and control communications, and possibly corrupt encrypted data, the report says. (ANI)


Tags: chinese hacker, cyberwarfare, elite hacker, hacker, hacker files, uber hacker


Oct 20 2009

Identity Theft Tip off, Countermeasure and Consequence

Category: Identity Theft | DISC @ 3:30 pm

Americans fear having their identities “stolen” by cybercriminals more than they do becoming victims of a terror attack, getting mugged or having their homes burglarized, according to a new survey released by Gallup, a polling firm.


Identity theft is a crime in which an attacker obtains your personal information, such as your Social Security number, credit card numbers or driver’s license number. The thief can use your personal information to obtain credit, merchandise and services in your name, which will ruin your credit and may even create a criminal record.

An identity thief can be any stranger who steals your personal information, or someone posing as a bank representative (social engineering) to get your personal information over the internet.
The problem is that you may not realize you have been victimized by identity theft until you receive your statement. That’s why it is important to have some checks in place that will tip you off that you might have been a victim of identity theft before it is too late. As the saying goes, “trust but verify”.

10 million Americans fell victim to identity theft last year (2008) alone. In a recent story from the Dayton Daily News, the Better Business Bureau’s John North noted that some criminals are using text messages when hunting for consumers’ credit information. The practice, which has been dubbed “smishing”, combines text messaging and the practice of “phishing”.

Identity Theft Tip Off:
Sacramento County detective Sean Smith explained how to detect credit card fraud and potential identity theft by looking for a cheap transaction on your statement.
He said some thieves will charge $1 on a credit card to test whether the card is active. The detective told viewers that’s a red flag that something suspicious is going on with your account, and you need to call the credit card company immediately.
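The detective’s tip-off turned into a check you can run over a statement export, as an added example that is not part of the original post. The statement rows are constructed sample data; the probe threshold ($2) and the seven-day follow-up window are assumptions chosen for illustration. A tiny charge from a merchant you have never used before is reported, and it is rated higher when a larger charge from the same merchant follows shortly after, which is the pattern the detective describes.

```python
# Added example (not from the original post): flag the "$1 test charge" pattern
# in a card statement. All transactions below are constructed sample data.
from datetime import date, timedelta

# Constructed sample statement: (date, merchant, amount in dollars)
SAMPLE_STATEMENT = [
    (date(2009, 9, 20), "Coffee Corner", 3.10),
    (date(2009, 10, 1), "Grocery Mart", 54.20),
    (date(2009, 10, 3), "Gas Station", 38.00),
    (date(2009, 10, 5), "WEB*TESTSHOP", 1.00),     # tiny probe from a merchant never seen before
    (date(2009, 10, 6), "WEB*TESTSHOP", 489.99),   # large charge follows the probe
    (date(2009, 10, 7), "Coffee Corner", 1.50),    # small, but from a merchant used before
]

PROBE_LIMIT = 2.00      # assumption: charges at or below this are candidate card tests
FOLLOW_UP_WINDOW = 7    # assumption: days in which a larger charge raises severity


def find_test_charges(statement, probe_limit=PROBE_LIMIT, window_days=FOLLOW_UP_WINDOW):
    """Return alerts for tiny charges from merchants with no earlier history.

    Each alert is (date, merchant, amount, severity). Severity is "high" when a
    larger charge from the same merchant follows within window_days, and
    "medium" otherwise. Small charges from merchants already seen before the
    probe (recurring coffee, parking, etc.) are ignored to limit false alarms.
    """
    ordered = sorted(statement, key=lambda t: t[0])
    alerts = []
    for i, (when, merchant, amount) in enumerate(ordered):
        if amount > probe_limit:
            continue
        seen_before = any(m == merchant for (_, m, _) in ordered[:i])
        if seen_before:
            continue
        follow_up = any(
            m == merchant and a > probe_limit
            and when < d <= when + timedelta(days=window_days)
            for (d, m, a) in ordered[i + 1:]
        )
        alerts.append((when, merchant, amount, "high" if follow_up else "medium"))
    return alerts


if __name__ == "__main__":
    for alert in find_test_charges(SAMPLE_STATEMENT):
        print("call the card issuer about:", alert)
```

Run on the sample it reports only the WEB*TESTSHOP probe, rated high because of the $489.99 charge the next day; the $1.50 coffee charge is ignored because that merchant already appears earlier in the statement.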

Identity Theft Victims:
If you are the victim of identity theft, file a police report and take the following steps:

Notify the Credit Bureaus
Contact the fraud departments of any of the three major credit bureaus to
place a fraud alert on your credit file.

TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance
Division, P.O. Box 6790, Fullerton, CA 92834-6790

Equifax: 1-888-766-0008; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013

After cleaning up your records from the identity theft incident, check your credit report periodically to make sure no new fraudulent activity has occurred.

Identity Theft Consequences:
Consequences of identity theft can be serious. Your credit history can be ruined, a loan could be denied because of a negative credit report, you could even be arrested for crimes you didn’t commit because someone has been using your identity.

Identity Theft Countermeasures:

  • Check your credit card, medical and bank statements regularly, even weekly, to look for any unusual activity or any charges on your card that you didn’t make.

  • Before throwing out any document that contains your personal information, shred it. A cross-cut shredder is recommended.

  • Do not carry your Social Security card in your wallet.

  • Only carry the credit card you may be using on the trip.

  • Do not give out personal information unless you can verify the person.

  • Avoid doing business online unless the site is secure, meaning your data is encrypted during the transaction.

  • Close the accounts that you know or believe have been tampered with or opened fraudulently.

  • Place a freeze on your credit report.

    Tags: credit card fraud, identity fraud, identity theaft, Identity Theft, Identity Theft Consequences, Identity Theft Countermeasures, Identity Theft Tip Off, Identity Theft Victims, social security fraud, Stopping Identity Theft


    Oct 19 2009

    Hacks hit embassy, government e-mail accounts worldwide

Category: Cybercrime | DISC @ 1:46 pm

    By Daniel Goldberg and Linus Larsson
    Computer Sweden
    August 30, 2007

    Usernames and passwords for more than 100 e-mail accounts at embassies
    and governments worldwide have been posted online. Using the
    information, anyone can access the accounts that have been compromised.

    Computer Sweden has verified the posted information and spoken to the
    person who posted them. The posted information includes names of the
    embassies and governments, addresses to e-mail servers, usernames and
    passwords. Among the organizations on the list are the foreign ministry
    of Iran, the Kazakh and Indian embassies in the U.S. and the Russian
    embassy in Sweden.

    Freelance security consultant Dan Egerstad posted the information. He
    spoke openly about the leak when Computer Sweden contacted him.

    “I did an experiment and came across the information by accident,” he
    said.

    Egerstad says he never used the information to log in to any of the
    compromised accounts in order not to break any laws.

Computer Sweden confirmed that the login details for at least one of the
accounts are correct. Egerstad forwarded an e-mail sent on Aug. 20 by an
    employee at the Swedish royal court to the Russian embassy. The person
    who sent the e-mail, in which she declines an invitation to the Russian
    embassy, has confirmed that she sent the e-mail.

    “Yes, that is right. We did decline the invitation. As far as I can
    remember I did send the e-mail,” she said.

    Computer Sweden has not been able to confirm the authenticity of any of
    the other information that has been posted.

    “When something like this happens you usually contact people and ask
    them to fix it. But in this case it felt too big for that, calling to
    other countries,” Egerstad said.

    Of the compromised accounts, 10 belong to the Kazakh embassy in Russia.

Around 40 belong to Uzbek embassies and consulates around the world.

    Login details for e-mail accounts at the U.K. visa office in Nepal were
    also posted. Login details for the foreign ministry of Iran, the Kazakh
    and Indian embassies in the U.S. and the Russian embassy in Sweden were
    also posted.

    “I hope this makes them take action. Hopefully, faster than ever before,
    and I hope they become a bit more aware of security issues,” Dan
    Egerstad says.

    Computer Sweden has contacted both the Russian and Indian embassies in
    Stockholm for comment. The Russian embassy confirmed the leaks and says
    that logins have now been changed. The Indian embassy declined to
    confirm the information and give comment.

    Computer Sweden has not published where the login details can be found.
    The information in this story has been verified by Computer Sweden
    without using any of the published login details.

    Computer Sweden is an InfoWorld affiliate.


    Tags: government hack, government security breach, hack attack, Iran, Nepal, Rusia, Security Breach, Stockholm, Sweden


    Oct 16 2009

    Web Services and Security

Category: Cloud computing, Information Security | DISC @ 4:01 pm


Because of the financial incentive, malicious software threats are real, and attackers are using the web to gain access to corporate data. Targeted malicious software is used to steal intellectual property and other confidential data, which is then sold on the black market for financial gain. With the use of social media in the corporate arena, organizations need a web services use policy to ensure that employees use the internet for business and comply with company web use policies. Having an effective web use policy makes business sense, and implementing it efficiently is not only due diligence but also assists with compliance. After implementation, the key to the success of a web use policy is to monitor its effectiveness on a regular basis.


Hosted web security services operate at the internet level, intercepting viruses, spyware and other threats before they get anywhere near your network. These days, if malicious software has infected your gateway node, the attacker is home free and it is basically game over. The way to fight this is to use hosted web security services, which are transparent to users and stop malware before it reaches the corporate network.

Things to look for in hosted web security services are protection, control, security, recovery and multilayer protection:

  • Protection: anti-virus, anti-spam and anti-spyware
  • Content control: image control, URL filtering and enterprise instant messaging; every web request is checked against the policy
  • Secure email with encryption
  • Archive email for recovery
  • Multilayer protection against known and unknown threats, including protection for mobile users

    Web Security Anti-Virus, Anti-Spyware – stops web-borne spyware and viruses before they infiltrate your network, protecting your business from information theft and costly diminished network performance.

Web Filtering – enables you to block access to unwanted websites by URL, allowing you to control Internet use and enforce acceptable Internet usage policies.



    Tags: archive email, boundary encryption, content control, email archiving, email solution, image control, Malicious Software, Malware, multilayer protection, online backup, Spyware, url filtering, web filtering, web monitoring, wen security


    Oct 15 2009

    eDiscovery and planning

Category: eDiscovery | DISC @ 7:47 pm


Electronic discovery (also called e-discovery or eDiscovery) refers to the processes in which electronic data is sought, located, secured and searched with the intent of using it as evidence in a civil or criminal legal case. eDiscovery can be carried out offline on a particular computer or across a network. Examples of electronic documents and data subject to e-discovery are e-mails, voicemails, instant messages, e-calendars, audio files, data on handheld devices, animation, metadata, graphics, photographs, spreadsheets, websites, drawings and other types of digital data.

    Steps to practical eDiscovery planning:

Cross functionality:
A cross-disciplinary team (legal, compliance, IT etc.) is one of the most important ingredients of effective eDiscovery planning. Every step in the eDiscovery process should be documented and tested on a regular basis. eDiscovery should have enough resources; in a small company you may have to bring people together on an ad-hoc basis, and there should be a single point of contact for eDiscovery. The eDiscovery team lead should be a neutral person rather than someone with a particular bias toward IT, compliance or legal. Legal has to lead the charge for eDiscovery and then delegate what to preserve and how to maintain the data, since the legal team has a better understanding of the legal implications, such as a legal hold: the process an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated. An eDiscovery steering committee with legal involved will also help you address compliance issues like HIPAA, PCI and SOX. Vendors need to be involved in the eDiscovery process early as well.

Plan the eDiscovery policy before the data is generated, to decide things like whether digital signatures or trusted time stamps will be used. The eDiscovery policy should be consistent and repeatable and should be tested by internal audit on a regular basis. Establish simple, reasonable and repeatable policies.

With respect to eDiscovery, the key is to manage the largest risk, namely the risk of being held responsible for deleting information in a bad-faith effort to destroy evidence (known as spoliation).

Documentation retention:
Classify the records which need to be moved to records management systems, to decide what you are retaining and for how long. Courts are now looking into a company’s internal processes to verify whether it has a documented retention policy and has implemented it properly. By implementing document management systems you know where your data is, and DLM can be used to limit the scope of eDiscovery data.

    eDiscovery training:
Personnel should be trained on how to testify in court.

eDiscovery cost:
The real costs come in during the analysis of the data; technology can be used to streamline them. The cost of analysis will be higher if outside vendors, including attorneys, are used. Have a process in place to analyze the data in-house under the supervision of legal counsel.

    Continuous improvement:
    Conduct regular reviews, audit, and training to refine the process. Apply the effective technology to automate the process and lower the cost when you can.




    Tags: e-discovery, eDiscovery, ediscovery course, electronic discovery, plain ediscovery, simple ediscovery


    Oct 08 2009

    Security Controls and Principles

Category: Information Security | DISC @ 3:08 pm


For security controls to be effective, apply the pillars of information security:

    –Principle of least privilege
    –Separation of duties
    –Economy of mechanism
    –Complete mediation
    –Open design

    Least Privilege
    • “Need to Know”
• Default deny: essentially, don’t permit any more to occur than is required to meet business or functional objectives
    • Anything extra introduces risk

    Separation of Duties
• The idea is that we don’t want to give any one individual so much power that they could take dangerous actions without any checks and balances in place.
• You trust them with their job responsibilities, but they should be accountable for their actions, which is only possible when you measure or monitor their performance.

    Economy of Mechanism
    • Complexity is an enemy of security, it’s much more difficult to create a simple mechanism and keep it that way.
    • The more complexity added to a system, the more chance for error or flaw

    Complete Mediation
• The control cannot be bypassed (e.g. an organization’s firewall circumvented by creating a backdoor)
• This principle says no unofficial backdoors (and no disabling the anti-virus software)

    Open Design
    • The security of a system must not be based on the obscurity of the mechanism
• Proprietary software is not tested properly and sometimes includes an undisclosed back door (ballot counting software)
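The first four principles above, exercised in one small reference monitor, as an added example that is not part of the original post. The payment-approval workflow, roles, users and permission table are constructed for illustration. Default deny (least privilege) comes from an allow-list that grants nothing it does not name; separation of duties is the rule that the creator of a payment can never approve it, even when that person also holds the approver role; complete mediation is enforced by routing every request through one authorize() call that also records the decision; and economy of mechanism is the point that the whole monitor fits in a few lines that can be read and checked.

```python
# Added example (not from the original post): a tiny reference monitor that
# applies default deny, separation of duties and complete mediation to a
# constructed payment-approval workflow.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Allow-list of (resource, action) per role. Anything absent is denied, so a
# role only ever gets what its job needs (least privilege / default deny).
ROLE_PERMISSIONS = {
    "clerk":    {("payment", "create"), ("payment", "read")},
    "approver": {("payment", "read"), ("payment", "approve")},
    "auditor":  {("payment", "read"), ("audit_log", "read")},
}

# Constructed users. carol holds both roles, which is exactly the case where
# separation of duties has to stop a single person doing everything.
USER_ROLES = {
    "alice": {"clerk"},
    "bob":   {"approver"},
    "carol": {"clerk", "approver"},
    "dave":  {"auditor"},
}


@dataclass
class Payment:
    payment_id: int
    created_by: str
    approved_by: Optional[str] = None


@dataclass
class ReferenceMonitor:
    # Complete mediation: every access goes through authorize(), and every
    # decision (allowed or denied) is recorded. There is no other path.
    audit_log: List[Tuple] = field(default_factory=list)

    def authorize(self, user: str, resource: str, action: str,
                  target: Optional[Payment] = None) -> bool:
        roles = USER_ROLES.get(user, set())      # unknown user -> no roles -> denied
        allowed = any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)
        # Separation of duties: whoever created a payment may never approve it,
        # even if they also hold the approver role.
        if allowed and action == "approve" and target is not None and target.created_by == user:
            allowed = False
        self.audit_log.append((user, resource, action,
                               None if target is None else target.payment_id, allowed))
        return allowed


def create_payment(monitor: ReferenceMonitor, user: str, payment_id: int) -> Optional[Payment]:
    if not monitor.authorize(user, "payment", "create"):
        return None
    return Payment(payment_id=payment_id, created_by=user)


def approve_payment(monitor: ReferenceMonitor, user: str, payment: Payment) -> bool:
    if not monitor.authorize(user, "payment", "approve", target=payment):
        return False
    payment.approved_by = user
    return True


if __name__ == "__main__":
    m = ReferenceMonitor()
    p1 = create_payment(m, "alice", 1)
    print("bob approves alice's payment:", approve_payment(m, "bob", p1))
    p2 = create_payment(m, "carol", 2)
    print("carol approves her own payment:", approve_payment(m, "carol", p2))
    print("dave (auditor) creates a payment:", create_payment(m, "dave", 3))
    for entry in m.audit_log:
        print(entry)
```

Note that the denial of carol is not a missing permission (she has "approve") but the separation-of-duties rule firing; the audit log keeps both the allowed and the denied decisions, which is what makes the "accountable for their actions" point above possible to check later.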



    Tags: Complete mediation, Economy of mechanism, open design, Principle of least privilege, security controls, security principles, Separation of duties


    Oct 01 2009

    Sophisticated phishing attack and countermeasures

Category: Cybercrime, Email Security, Identity Theft | DISC @ 12:36 am


Phishing is the practice of luring unsuspecting Internet users to a fake web site by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords and financial or personal information. In daily life, people advise you to retrace your steps when you lose something. The question is how you retrace your steps in cyberspace, where some uber hackers know how to erase their footsteps to avoid detection. It is difficult to find phishers in cyberspace, and jurisdictional issues make it even harder to prosecute them. Then there is the issue of trust: phishers dupe people into believing that their web site is not fraudulent in order to collect personal and financial information.

Below is an example of a sophisticated phishing attack (link to phishing email).

    It looks very legit, with all the correct data, logos, graphics and signatures.

One giveaway: the TSA rule change has nothing to do with rental cars. It only affects your airline ticket vs. your photo ID (driver’s license, passport, whatever).

    To verify that this is bad stuff, right click on the links. You get “http://click.avis.com/r/GDYHH9/16HY8/6V5I29/M93XX4/YCCJP/A5/h”, which looks OK on first glance, since it says “avis.com”. But myAvis should not send me to “click.avis.com”. I also noticed that all the other links send you to the same location.

    The clincher (here comes the geeky stuff:)

To open a terminal window, press the Windows key and the letter R.

You will see the Run dialog box. Type “cmd” and press OK.

In the terminal window, run nslookup:

C:\> nslookup
> www.avis.com                  <<< check the IP address of the real AVIS web site
Server:  4.2.2.3
Address: 4.2.2.3#53
Non-authoritative answer:
www.avis.com canonical name = www.avis.com.edgekey.net.
www.avis.com.edgekey.net canonical name = e2088.c.akamaiedge.net.
Name:    e2088.c.akamaiedge.net
Address: 96.6.248.168           <<< IP address of the real AVIS web site
> click.avis.com                <<< now check the IP address of the bogus AVIS web site
Server:  4.2.2.3
Address: 4.2.2.3#53
Non-authoritative answer:
click.avis.com canonical name = avis.ed10.net.
Name:    avis.ed10.net          <<< not the same domain as the real AVIS domain
Address: 208.94.20.19           <<< note the IP address is in a totally different subnet
> 208.94.20.19                  <<< now do a reverse lookup of the fake AVIS web site
Server:  4.2.2.3
Address: 4.2.2.3#53
** server can't find 19.20.94.208.in-addr.arpa.: NXDOMAIN   <<< it should give you the web site name
> avis.ed10.net                 <<< bogus AVIS web site name
Server:  4.2.2.3
Address: 4.2.2.3#53
Non-authoritative answer:
Name:    avis.ed10.net
Address: 208.94.20.19
> 208.94.20.19

Moral of the story: be very careful with links in emails and web pages. To check the authenticity of a link, right-click on it, copy it to a text file and take a good look.
Don’t click on links in the phisher’s email. Type the URL into your web browser yourself.
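The manual check above, automated as an added example that is not part of the original post. It pulls every link out of a constructed copy of the email, follows each host through a CNAME table constructed from the nslookup output above (a real tool would query DNS instead), and reports links whose final name lands outside the organization’s own domain. The list of CDN suffixes the organization is assumed to use (edgekey.net, akamaiedge.net) is an assumption taken from that same output; because CDN names are common and legitimate, the result is a set of findings for an analyst to review, not a verdict. The naive "last two labels" rule for the registrable domain is fine for .com/.net but would need a public-suffix list for names like example.co.uk.

```python
# Added example (not from the original post): extract links from an email and
# check where each one really resolves. The email and the CNAME table are
# constructed; the table mirrors the nslookup output shown above.
from html.parser import HTMLParser
from urllib.parse import urlparse

CONSTRUCTED_EMAIL_HTML = """
<p>Update your myAvis profile before the TSA rule change.</p>
<a href="http://click.avis.com/r/GDYHH9/16HY8/6V5I29/M93XX4/YCCJP/A5/h">Update now</a>
<a href="http://click.avis.com/r/GDYHH9/16HY8/6V5I29/M93XX4/YCCJP/A5/h">Terms</a>
<a href="https://www.avis.com/">Avis home</a>
"""

# Constructed stand-in for DNS: host -> CNAME target.
CNAME_TABLE = {
    "www.avis.com": "www.avis.com.edgekey.net",
    "www.avis.com.edgekey.net": "e2088.c.akamaiedge.net",
    "click.avis.com": "avis.ed10.net",
}

# Assumption: CDN domains the organisation is known to use; names ending in
# these are treated as expected rather than suspicious.
KNOWN_CDN_SUFFIXES = ("edgekey.net", "akamaiedge.net")


class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host):
    # Naive: the last two labels. Enough for .com/.net; ccTLDs need a suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def resolve_chain(host, table=CNAME_TABLE):
    """Follow CNAMEs until a name with no alias (bounded to avoid loops)."""
    chain = [host]
    while chain[-1] in table and len(chain) < 10:
        chain.append(table[chain[-1]])
    return chain


def analyze_links(html, expected_domain, table=CNAME_TABLE, cdn_suffixes=KNOWN_CDN_SUFFIXES):
    """Return (url, cname_chain, reasons) per distinct link; empty reasons = nothing odd."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for url in dict.fromkeys(extractor.links):      # de-duplicate, keep order
        host = urlparse(url).hostname or ""
        chain = resolve_chain(host, table)
        terminal = chain[-1]
        reasons = []
        if registrable_domain(host) != expected_domain:
            reasons.append("link host is outside %s" % expected_domain)
        if registrable_domain(terminal) != expected_domain and not terminal.endswith(cdn_suffixes):
            reasons.append("resolves to %s" % terminal)
        findings.append((url, chain, reasons))
    return findings


if __name__ == "__main__":
    for url, chain, reasons in analyze_links(CONSTRUCTED_EMAIL_HTML, "avis.com"):
        print(url, "->", " -> ".join(chain), "|", "; ".join(reasons) or "ok")
```

Against the constructed email the click.avis.com link is reported as resolving to avis.ed10.net, exactly what the nslookup session shows, while www.avis.com passes because its chain ends in an assumed-known CDN name. The second check is what catches this case: the link host itself is under avis.com, so a plain "does the URL say avis.com" test would have let it through.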

In the table below are the 12 threats to your online identity which can be manipulated in phishing scams, and possible countermeasures to protect your personal and financial information. Some of the threats stem from inadequate or missing security controls. The last row of the table is a monitoring control to identify the warning signs of identity theft.
    [TABLE=7]




    Tags: email archiving, Email Security, Identity Theft, online backup, phishing, phishing countermeasures, phishing threats, web security


    Sep 21 2009

    Due Diligence, and Security Assessments

Category: Information Security, Security Risk Assessment | DISC @ 9:21 pm


Risk assessment demands due diligence, which makes business sense and supports the organization’s mission. Due care is also about applying the specific control that counts. In information security, due diligence means a complete and comprehensive effort is made to avoid a security breach which could cause detrimental effects, and to identify the various threats that may be exploited for a possible security breach.

Donn Parker defines due care as a “use of reasonable safeguards based on the practices of similar organizations”.

    Fred Cohen defines “due diligence is met by virtue of compliance review.”

    Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
    (FIPS 200, Section 3, Minimum Security Requirements)



    Tags: donn parker, due care, due diligence, Fred Cohen, security controls


    Sep 10 2009

    Way beyond the edge and de-perimeterization

Category: Cloud computing, Information Security | DISC @ 2:59 pm


The term de-perimeterization has been around for almost a decade, and the industry is finally taking it seriously because of the popularity of virtualization and cloud computing. Is it time for businesses to embrace de-perimeterization?

De-perimeterization is a double-edged sword for the industry: it creates scalable options for operations and huge challenges for safeguarding the assets beyond the edge. One of the major advantages of de-perimeterization is that users can access corporate information over the internet from anywhere, so it is hard to draw the line where the edge begins and where it ends. All you basically need is a functional laptop with an internet connection. On the other hand, de-perimeterization poses a great challenge because of the possibility of viruses, spyware and worms spreading into your internal protected infrastructure.

    In de-perimeterized environment, security attributes shall follow the data, wherever the data may go or reside.

In a security architecture where the firewall was considered a very effective perimeter defense, that defense has been weakened by virtualization and cloud computing. In the early days of firewall defense, an organization only needed to open a few necessary protocols and ports to do business. Internet-accessible systems were located in the DMZ and communication was initiated from the corporate network to the internet. Now there is a whole slew of protocols and ports which need to be open to communicate with applications in the cloud. As corporate applications move out of the organization’s network into the cloud, the effectiveness of the firewall diminishes.

Defense in depth is required for additional protection of data because, as new threats emerge, the firewall cannot be used as the only layer of security. The key to securing a de-perimeterized environment is to push security into each layer of the infrastructure, including the application and the data. Data is protected at every layer to ensure confidentiality, integrity and availability (CIA). Various techniques can be used for safeguarding data, including data-level authentication. The idea of data-level authentication is that data is encrypted with specific privileges, and when the data moves, those privileges move with it.


Endpoint security is relevant in today’s business environment, especially for laptops and mobile devices. Agents on laptops and mobile devices use pull/push techniques to enforce the relevant security policies. Different policies are applied depending on the location of the laptop: the security policy determines which resources are available and what data needs to be encrypted depending on the location of the device.
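The two ideas above, privileges that travel with the data and a policy that depends on the device’s location, combined in one self-protecting data envelope, as an added example that is not part of the original post. The policy (who may read, from which locations) is stored next to the ciphertext and bound to it by an HMAC, so it cannot be stripped or widened without invalidating the envelope; decryption happens only after the policy check passes. The stream cipher is a SHA-256 counter-mode toy standing in for a real AEAD such as AES-GCM so that the example runs on the standard library alone, and the design assumes the key is held by the enforcement point (an endpoint agent or data service), since anyone holding the key could skip the check.

```python
# Added example (not from the original post): a self-protecting data envelope.
# The access policy travels with the ciphertext and is bound to it by an HMAC;
# decryption happens only after the policy check passes for the requesting
# principal and device location. Key, data and policy are constructed.
import hashlib
import hmac
import json
import os


class AccessDenied(Exception):
    pass


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode. A stand-in for a real AEAD
    # (AES-GCM) so this runs on the standard library alone; not for production.
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def _tag(key: bytes, env: dict) -> bytes:
    # The tag covers nonce, policy and ciphertext together: changing any one
    # of them (e.g. widening the policy) invalidates the envelope.
    msg = env["nonce"] + env["policy"] + env["ciphertext"]
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key: bytes, plaintext: bytes, policy: dict) -> dict:
    """Encrypt plaintext and bind the policy (readers, locations) to it."""
    nonce = os.urandom(16)
    env = {
        "nonce": nonce,
        "policy": json.dumps(policy, sort_keys=True).encode(),
        "ciphertext": _keystream_xor(key, nonce, plaintext),
    }
    env["tag"] = _tag(key, env)
    return env


def open_envelope(key: bytes, env: dict, principal: str, location: str) -> bytes:
    """Verify integrity, evaluate the embedded policy, then decrypt.

    Assumption: this runs inside the enforcement point that holds the key
    (endpoint agent or data service), so callers cannot bypass the check.
    """
    if not hmac.compare_digest(_tag(key, env), env["tag"]):
        raise AccessDenied("envelope or its policy has been tampered with")
    policy = json.loads(env["policy"])
    if principal not in policy["readers"]:
        raise AccessDenied("%s is not an authorised reader" % principal)
    if location not in policy["locations"]:
        raise AccessDenied("access from %s is not permitted by the data's policy" % location)
    return _keystream_xor(key, env["nonce"], env["ciphertext"])


if __name__ == "__main__":
    key = os.urandom(32)                      # constructed key for the demo
    env = seal(key, b"Q3 forecast (constructed sample)",
               {"readers": ["alice"], "locations": ["office", "vpn"]})
    print(open_envelope(key, env, "alice", "vpn"))
    for who, where in (("bob", "vpn"), ("alice", "cafe_wifi")):
        try:
            open_envelope(key, env, who, where)
        except AccessDenied as e:
            print("denied:", e)
```

The policy is checked after the tag, never before: a forged or edited policy is rejected as tampering before its contents are even parsed, which is what lets the privileges follow the data to a laptop in an untrusted location without the laptop being able to rewrite them.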

When corporate applications and important data reside in the cloud, the SLA should be written to protect the availability of the application and the confidentiality of the data. Organizations should do their own business continuity planning so they are not totally dependent on the cloud service provider; for example, back up your important data or use remote backup services where all stored data is encrypted.







    Tags: business continuity, Cloud computing, cloud computing article, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing security, cloud computing services, cloud security, cloud services, de-perimeterizations, DMZ, iso assessment


    Sep 01 2009

    Audit of security control and scoping

Category: Risk Assessment, Security Compliance | DISC @ 3:53 pm


The audit is used as a tool to check compliance controls against standards such as ISO 27002 or NIST 800-53. Other terms used for assessing controls, which are not always as rigorous as an audit, are gap analysis, benchmarking and control review.

    Scoping sets the boundaries of the audit, where dependencies are marked and exclusions are sorted out.

    The consultant/team lead that has a thorough understanding of security risk management ought to carry out these reviews. The quality of the work depends on correct scoping, fieldwork assignment, and appropriately reporting the findings to management.

The team lead should have a clear understanding of the audit scope before the initial briefing to the client: basically, what exactly the client wants and who the target audiences of the final report and presentation are. A clear understanding of the scope includes knowing whether the whole organization is included in the audit or just part of it. Before starting an audit, the auditor should have a complete list of the assets included in the scope. Sort the asset list into different infrastructure groups which can be handed over to the technical consultant for validation of the controls. At this point the team lead should point out to the technical consultant the minimum number of assets which are required to be validated to satisfy the sampling requirement.

The scope of the final report/presentation should be clear regarding the list of non-compliances and the prioritized recommendations or action plans which need to be included in the report. When presenting the findings, and to keep C-level folks interested in the presentation, the presenter needs to relate the findings to business risk and avoid using security acronyms.

Scoping will take into account the length of time available for field work, analysis and reporting, and the size and competence of the team, to perform a successful audit. Especially if limited time is available for field work, the competence of the team matters in order to cover the various infrastructure and to validate and document the controls effectively.


    Tags: assessment profile, assessment scope, iso 27002, NIST 800-53, security audit, security control, security review, Security Risk Assessment


    Aug 24 2009

    Vulnerability management and regulatory compliance

Category: Security Compliance | DISC @ 8:09 pm


    Information security requirements are growing for the financial, healthcare and government sectors. In particular, the new ARRA and HITECH provisions for HIPAA mandate compliance for business providers and vendors.
    Business owners have seen a growing number of government and industry-specific regulations for protecting the confidentiality, integrity and availability of data from an ever-growing threat landscape. Most regulatory compliance now has some teeth: organizations that do not fully comply face serious penalties, which include but are not limited to fines and civil and criminal penalties.

    The days when manual vulnerability management sufficed to satisfy the auditors are gone. Vulnerability management can assist management in operational compliance. Most vulnerability management organizes vulnerabilities by severity level. The severity level is determined by the business impact and by how easily an attacker can exploit the vulnerability. Remediation can then be prioritized based on asset categorization. Asset categorization is based on a company scale (L, M, H) that reflects the overall business impact of an asset on the company.
    The best way to automate vulnerability management is to use software as a service (SaaS). The SaaS vendor runs its application on secured servers (web, database), which users operate through a web browser over an SSL connection. The SaaS provider handles all the maintenance of the SaaS infrastructure. The organization's security staff can spend most of their time on remediation rather than on running manual vulnerability management. Automated vulnerability management shows ongoing compliance with standards and regulations and provides documentation for audits.
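    As an added example (not from the original post), the following Python models the prioritization scheme described above: a severity level derived from business impact and ease of exploitation, combined with the L/M/H asset categorization to order remediation. The scales, SLA days and sample findings are constructed for illustration, and the vulnerability ids are placeholders, not real CVEs.

```python
from dataclasses import dataclass

# Constructed ordinal scales; a real programme would define its own.
IMPACT = {"low": 1, "medium": 2, "high": 3}
EXPLOITABILITY = {"hard": 1, "moderate": 2, "easy": 3}
ASSET_CATEGORY = {"L": 1, "M": 2, "H": 3}   # company scale from the post


@dataclass(frozen=True)
class Finding:
    asset: str
    asset_category: str   # "L", "M" or "H"
    vuln_id: str          # placeholder id, not a real CVE
    impact: str           # key of IMPACT
    exploitability: str   # key of EXPLOITABILITY


def severity(impact: str, exploitability: str) -> int:
    """Severity level (1..9): business impact times how easily it can be exploited."""
    return IMPACT[impact] * EXPLOITABILITY[exploitability]


def priority(finding: Finding) -> int:
    """Remediation priority (1..27): severity weighted by asset categorization."""
    return severity(finding.impact, finding.exploitability) * ASSET_CATEGORY[finding.asset_category]


def remediation_sla_days(finding: Finding) -> int:
    """Constructed SLA table: how many days the owner has to remediate."""
    p = priority(finding)
    if p >= 18:
        return 7
    if p >= 9:
        return 30
    if p >= 4:
        return 90
    return 180


def remediation_order(findings):
    """Findings sorted highest priority first; ties go to the more critical asset,
    then to the lexically smaller id so the order is deterministic."""
    return sorted(
        findings,
        key=lambda f: (-priority(f), -ASSET_CATEGORY[f.asset_category], f.vuln_id),
    )


# Constructed sample scan results: the same flaw appears on an H and an L asset.
FINDINGS = [
    Finding("payroll-db", "H", "VULN-001", "high", "easy"),
    Finding("lobby-kiosk", "L", "VULN-002", "high", "easy"),
    Finding("intranet-wiki", "M", "VULN-003", "medium", "moderate"),
    Finding("payroll-db", "H", "VULN-004", "low", "hard"),
    Finding("hr-portal", "H", "VULN-005", "medium", "easy"),
]

if __name__ == "__main__":
    for f in remediation_order(FINDINGS):
        print(f"{f.vuln_id} on {f.asset} [{f.asset_category}] "
              f"severity={severity(f.impact, f.exploitability)} "
              f"priority={priority(f)} fix within {remediation_sla_days(f)} days")
```

    Note how VULN-002, identical in severity to VULN-001, drops to a 30-day SLA purely because of the asset category, while the low-severity VULN-004 on the crown-jewel database still ranks last.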



    Tags: Security, Security Scanners, vulnerability


    Aug 18 2009

    Control selection and cost savings

    Category: Security Risk Assessment
    DISC @ 3:53 pm


    Information Security Risk Analysis

    In risk management, the risk treatment process begins after completion of a comprehensive risk assessment.
    Once risks have been assessed, the risk manager uses the following techniques to manage them:

    • Avoidance (eliminate)
    • Reduction (mitigate)
    • Transfer (outsource or insure)
    • Retention (accept and budget)

    Now the question is how to select an appropriate control to avoid or reduce risk. While selecting appropriate controls to mitigate or avoid risk, we need to consider compensating controls to cut cost and supplemental controls to increase protection for sensitive or classified assets.

    A compensating control is a safeguard or countermeasure employed by an organization in lieu of a security control recommended by standards such as ISO 27002 or NIST 800-53. A compensating control provides protection for the information system equivalent or comparable to the original control requirement from the standard. For example, although most standards recommend separation of duties, for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case the system owner can utilize compensating controls such as strengthening audit and personnel security.

    With a supplemental control, on the other hand, the system owner may decide to supplement a control to achieve more protection for sensitive and classified assets. If the likelihood is high, or the magnitude of impact is high should a threat exploit a given vulnerability, you might want to consider a supplemental control because the overall risk is high. For example, you might want to apply a defense in depth approach to safeguard your crown jewels.

    Implementing and monitoring security controls can be expensive, and system owners are pressured by management to look for cost savings without any reduction in the security posture of the organization. The system owner can either inherit common controls or segment the system exposure to reduce cost and risk.
    Common controls are security controls that have been implemented by another information system and that your system can utilize. Basically, this means working with another system owner who has already implemented some of the security controls that need to be implemented in your system. For example, utilize the corporate office baseline hardening configuration for Windows and Unix systems instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.

    The best and cheapest method of cost reduction is to segment the information system into multiple systems, which adds different layers and levels of security to each system. Basically, you put your crown jewels behind multiple layers of security, so that if one control breaks there is another control in place to monitor and protect your assets. This allows the system owner to focus on implementing higher security controls for the segment with the most sensitive or classified information instead of the entire system.



    Tags: common control, iso 27002, iso assessment, ISO audit, NIST 800-53, NIST audit, risk analysis, Risk Assessment, Risk management


    Aug 10 2009

    Managing Risks and NIST 800-53

    Category: Security Risk Assessment
    DISC @ 5:48 pm


    FISMA Certification & Accreditation Handbook

    Organizations need to establish a security program to manage their day-to-day risks. Before selecting controls from standards such as NIST 800-53 or ISO 27002, organizations need a complete inventory of the assets in scope. The assets in scope require a comprehensive risk assessment to determine their sensitivity and criticality. The categorization of these assets determines the appropriate control from the standard to mitigate the relevant risk. In some cases supplemental controls may be required.

    Management of risk addresses the risks to the organization arising from the operation of an information system or information security management system. Risk management is an effective framework for selecting appropriate security controls for an information system and assists in selecting the appropriate security controls to protect assets.

    Both the ISO and NIST standards follow a similar path in control selection. NIST 800-53 has 163 high-level controls and 154 medium-level controls, which have around 95% mapping to ISO 27002, which has 133 controls. While NIST SP 800-53 is required for federal (unclassified) information systems, NIST encourages its use in the commercial space. Commercial organizations can utilize the NIST standard to create their security program, which will provide a road map for their security strategy and assist in making informed decisions for securing their information assets.

    The management of day-to-day risks is a key element of an organization's information security program, and both NIST and ISO provide an effective framework for selecting and managing the appropriate security controls for an information system. ISO utilizes the PDCA (Plan, Do, Check, Act) Deming model for selecting the appropriate security controls and managing the information security management system. NIST, on the other hand, utilizes a similar framework for selecting and managing appropriate controls for an information system, called the risk management framework security life cycle. A copy of the NIST risk management framework security life cycle is shown below; it bears an eerie resemblance to the PDCA model.

    [Figure: NIST risk management framework security life cycle]

    Around 80% of critical infrastructure resides in the private sector, which is required to be protected by various regulations. Both NIST and ISO can be utilized to protect assets; however, in some cases one standard might fit your environment better than the other, or perhaps you are able to manage one standard better than the other. Both standards require the information system to be audited or reviewed by authorized organizations to achieve the appropriate certifications.


    Tags: iso 27001, iso 27002, NIST 800-53, PDCA, Risk management


    Jul 28 2009

    PCI DSS Law and State of Nevada

    Category: Information Security, pci dss
    DISC @ 12:09 am


    45 states followed California when it introduced SB1386, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.

    Similarly to the SB1386 law, California, Massachusetts and Texas are already looking at making PCI DSS law, and history tells us that when California moves, everyone else follows!

    From 1 January 2010, ALL businesses that collect or transmit payment card information will be legally obliged, by Nevada law, to comply with PCI DSS.

    Not only does this affect Nevada-based organisations, it affects EVERY organisation that collects or transmits payment card information about any person who lives in Nevada.

    Where One leads – others WILL follow!



    Tags: california, Credit card, Nevada, Payment card, pci dss, privacy, Security, Texas


    Jul 16 2009

    Common Information Security lapses

    Category: Information Security
    DISC @ 4:36 pm

    User Security

  • Opening email attachments with integrated email clients
  • Not updating client software
  • Downloading untrusted software
  • Not creating or testing backups
  • Using a wireless router connected inside the LAN

    Strategic Security

  • Not providing training to security personnel
  • Only addressing physical security, neglecting data security
  • Not validating security fixes
  • Relying on the firewall for all security needs
  • Not evaluating the impact of a security breach on reputation and data
  • Not implementing long-term security decisions, relying on hot fixes to put out fires
  • Not addressing issues, neglecting security as policy

    Operational Security

  • Not hardening internet-connected hosts
  • Connecting test systems to the internet
  • Not updating systems on a regular and emergency basis
  • Using unencrypted protocols for management and reporting
  • Choosing bad default user passwords, changing passwords in an insecure manner, or notifying users in insecure manners
  • Not testing or maintaining backups, not understanding the intricacies of backup software and procedures

    Tags: Backup, Information Security, poor security, Security, security mistakes


    Jul 08 2009

    Cyber attacks on US Government websites

    Category: Cybercrime
    DISC @ 4:51 pm

    The Associated Press (Hyung-jin Kim) reported on Wed Jul 8: “South Korean intelligence officials believe North Korea or pro-Pyongyang forces committed cyber attacks that paralyzed major South Korean and U.S. government Web sites, aides to two lawmakers said Wednesday.”

    See the details at the link below:
    Cyber attacks on South Korean and U.S. government Web sites

    Information Warfare: How to Survive Cyber Attacks

    Cyber Threat

    Cyber Security


    Tags: cyber attack, cyber attacks, cyber crime, cyber criminals, cyber security, cyber terrorism, cyber threats, Cyber-warfare, cybergeddon


    Jul 07 2009

    Cloud Computing Pros and Cons

    Category: Cloud computing
    DISC @ 6:19 pm

    Cloud Application Architectures: Building Applications and Infrastructure in the Cloud

    Cloud computing is the future of computing: it provides common business applications online that run from a web browser and is comprised of virtual servers located across the internet. The basic idea behind cloud computing is accessibility of applications and data from any location as long as you are connected to the internet. Cloud computing makes the laptop the most essential tool to get the job done.

    For example, hosted email (SaaS) security provides safeguards at the Internet level, eliminating spam and malware before they reach your internal network infrastructure. Hosted email provides centralized security with built-in redundancy, failover and business continuity, while easing network and security administration. In hosted email software as a service, the security controls are at work at the internet level. It's about time to expand the corporate perimeter beyond the firewall, and one of the major benefits of cloud computing is to give organizations the capability to implement security controls at the internet level and eliminate threats before they reach the internal network.

    An online backup service is another example of software as a service (SaaS) which provides users with an online system for backing up and storing computer files.

    Cloud computing incorporates several different types of computing, including:

  • software as a service (SaaS)
  • platform as a service (PaaS)
  • infrastructure as a service (IaaS)

    It is a range of technologies that have come together to deliver scalable, tailored and virtualized IT resources and applications over the Internet.

    Cloud computing has several benefits and potential risks which you may want to know about before signing a contract with a cloud vendor.



    Cloud Computing benefits

  • Users can avoid capital expenditure on hardware, software, and other peripheral services, when they only pay a provider for those utilities they use;
  • Consumption is billed as a utility or subscription with little or no upfront cost;
  • Immediate access to a broad range of applications, that may otherwise be out of reach, due to:
      • The lowering barriers to entry;
      • Shared infrastructure, and therefore lower costs;
      • Lower management overhead.
  • Users will have the option to terminate a contract at any time, avoiding return on investment risk and uncertainty.
  • Greater flexibility and availability of ‘shared’ information, enabling collaboration from anywhere in the world with an internet connection.


    Cloud computing associated risks

  • Cloud computing does not allow users to physically possess the storage of their data, which leaves responsibility for data storage and control in the hands of their provider;
  • Cloud computing could limit the freedom of users and make them dependent on the cloud computing provider;
  • Privileged user access: how do you control who has access to what information?
  • Security of sensitive and personal information lies with the vendor. How do you explain this to your customers when their data is compromised without sounding like you’re ‘passing the buck’?
  • From a business continuity standpoint, can you rely on each vendor to have adequate resilience arrangements in place?
  • Long-term viability: ask what will happen to data if the company goes out of business; how will data be returned and in what format?

    The complexities of cloud computing will introduce new risks, and complexity is the enemy of security. Organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service, and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

    Recommended books on cloud computing


    Tags: Cloud computing, cloud computing article, cloud computing benefits, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing network, cloud computing platform, cloud computing risks, cloud computing security, cloud computing services, cloud computing solutions, cloud security, cloud services, Infrastructure as a service, Platform as a service



    Jun 30 2009

    Security controls and ISO 27002

    Category: Information Security, ISO 27k
    DISC @ 1:56 pm

    Usually a security breach occurs due to a lack of basic security controls, or because a control is no longer effective or relevant over time. Security controls also disintegrate over time due to lack of maintenance and monitoring.
    According to a Privacy Rights Clearinghouse survey, the top three breach causes were laptop theft, software or human error, and hackers. Most of these breaches could have been prevented by procedural, management and technical security controls. Most security breaches happen during a state of non-compliance. The most famous, the TJX security breach, happened in 2007; at the time of the breach TJX complied with only 3 out of 12 PCI DSS requirements.

    Small organizations sometimes don’t have enough resources to comply with all the requirements of regulations and standards like HIPAA and PCI. But that is not an excuse for not understanding which regulations and standards are relevant to your business, and for not having a clear security strategy that explains how to achieve compliance down the road. Your security strategy will also be evidence of your due diligence in securing your critical assets. Large organizations, on the other hand, have enough resources to implement security controls, but for whatever reason they often do not have a clear strategy for how to establish them.

    Information security is not a one-time static process but an ongoing assessment of the risks in your business, where you need to understand your critical assets, the classification of those assets based on CIA, sensitive data and its access, policies, standards, procedures, training, security reviews and continuous monitoring.

    One of the most popular baselines for security controls is the international standard ISO 27002, Code of Practice for Information Security Management. ISO 27002 has 11 security clauses and 133 high-level security controls, which provide reasonable guidance for implementing an Information Security Management System (ISMS). Due to its broad scope, ISO 27002 is relevant to every industry and size of business.

    An organization should have a baseline of security controls before setting out to comply with PCI or HIPAA regulation. An ISO assessment will help you understand what controls are in place, assist you with your security strategy, and later become a measuring stick for your ISMS.

    Ongoing compliance is achieved by monitoring the relevant controls, and it will depend on the quality of your information security management system (ISMS). The ISMS would include thorough monitoring, logging and reviewing of controls to maintain and improve system security over time. You can develop an automated monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. An ISMS (based on ISO 27001) can certainly be of great value in managing the ongoing monitoring, maintenance and improvement cycle.
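    As an added example (not the post's own code), the following Python sketches the automated monitoring process described above: each baseline control carries a check that is evaluated against collected system state, and a control for which no evidence was collected is reported as a monitoring gap rather than silently treated as compliant, which is how controls disintegrate unnoticed. The control ids, checks, report date and system state are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable

# Constructed report date so the example is reproducible offline.
REPORT_DATE = date(2009, 6, 30)

# Constructed system state standing in for what a real collector would gather.
# Note that no "last_control_review" evidence was collected at all.
SYSTEM_STATE = {
    "ssh_password_auth": "no",
    "patch_age_days": 45,
    "last_backup_restore_test": date(2009, 5, 15),
    "log_forwarding": True,
}


@dataclass(frozen=True)
class Control:
    control_id: str                 # placeholder id, not an ISO 27002 clause number
    name: str
    check: Callable[[dict], bool]   # raises KeyError when evidence is missing


def days_since(d: date) -> int:
    return (REPORT_DATE - d).days


# Constructed baseline: one simple check per control.
CONTROLS = [
    Control("RA-01", "Remote admin uses key-based SSH only",
            lambda s: s["ssh_password_auth"] == "no"),
    Control("PATCH-01", "Hosts patched within 30 days",
            lambda s: s["patch_age_days"] <= 30),
    Control("BKP-01", "Backup restore tested within 90 days",
            lambda s: days_since(s["last_backup_restore_test"]) <= 90),
    Control("LOG-01", "Logs forwarded to central collector",
            lambda s: s["log_forwarding"] is True),
    Control("REV-01", "Controls reviewed within 180 days",
            lambda s: days_since(s["last_control_review"]) <= 180),
]


def evaluate(controls, state: dict) -> dict:
    """Return {control_id: 'compliant' | 'failed' | 'no_evidence'}."""
    statuses = {}
    for c in controls:
        try:
            statuses[c.control_id] = "compliant" if c.check(state) else "failed"
        except KeyError:
            # Nothing collected for this control: a monitoring gap is itself
            # a finding and must never be reported as compliant.
            statuses[c.control_id] = "no_evidence"
    return statuses


def non_compliant(statuses: dict) -> list:
    """Sorted ids of every control that is not demonstrably compliant."""
    return sorted(cid for cid, s in statuses.items() if s != "compliant")


if __name__ == "__main__":
    result = evaluate(CONTROLS, SYSTEM_STATE)
    for cid, status in result.items():
        print(f"{cid}: {status}")
    print("non-compliant:", non_compliant(result))
```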




    Tags: Computer security, Health Insurance Portability and Accountability Act, Information Security, Information Security Management System, ISO/IEC 27001, pci dss, Privacy Rights Clearinghouse

