Apr 28 2009

PCI DSS Misconceptions and Facts

Category: pci dss | DISC @ 7:13 pm


M1 – We are a relatively small company, so we don’t have to worry about PCI compliance
F1 – PCI DSS applies to every organization that stores, processes or transmits payment card data, regardless of its size.

M2 – PCI DSS is a government regulation
F2 – It is not. PCI DSS is an industry standard enforced by contract: the card brands, the acquiring (merchant) banks and the merchants are bound to it through their agreements with one another.

M3 – We don’t understand PCI and have no in-house expertise to address compliance
F3 – The PCI documents explain most requirements in business terms; get outside help for the technical questions. Due care means understanding what you must do to comply and to protect your data.

M4 – PCI has no ROI and is simply too much for a small business
F4 – PCI DSS establishes a security baseline for the payment card infrastructure. Its return is measured as total cost of ownership, the breaches, fines and clean-up avoided for the money spent.

M5 – Why bother, when some companies get breached even though they were compliant
F5 – PCI DSS compliance is not a one-time event; it must be maintained continuously. A company that passed an assessment may no longer have been compliant at the moment it was breached.

M6 – PCI compliance cannot be that hard; all we have to do is fill out the questionnaire
F6 – No. The questionnaire answers must be validated, including by vulnerability scans, and any vulnerabilities found must be resolved before the report is submitted to the merchant bank.

M7 – My application and POS equipment are PCI compliant, so I am compliant
F7 – PCI DSS compliance applies to an organization, not to an application or a piece of equipment. Validated products help, but how you deploy and operate them decides whether you comply.

M8 – PCI compliance addresses the security of the whole organization
F8 – PCI DSS does not address the confidentiality, integrity and availability of the whole organization, only the security of cardholder data and of the systems that touch it.

M9 – A data breach will not affect business revenue
F9 – A breached merchant can be reclassified as Level 1 (with the monitoring and validation costs that come with it), lose the ability to accept cards, and face forensic investigation charges and fines.

M10 – We don’t need to scan PCI assets
F10 – Quarterly scanning is mandatory for all merchants (Levels 1 to 4).

M11 – Merchants can use any application to transmit, process and store cardholder data
F11 – Not really. Beginning in 2010, merchants may only use payment applications validated under the Payment Application Data Security Standard (PA-DSS).

M12 – We have compensating controls in place, so we are covered
F12 – You still have to demonstrate how well each compensating control meets the intent of the PCI requirement it replaces. Compensating controls are harder to justify and usually cost more in the long run than meeting the requirement directly.

Tags: Company, Financial services, Merchant Services, Payment card industry, pci dss, Security


Apr 22 2009

RSA and cybersecurity

Category: Information Security | DISC @ 6:52 pm

This week I attended the RSA Conference at the Moscone Center in San Francisco, along with thousands of people from around the globe. The conference offers a variety of tracks, and this year added two new ones: physical security, and governance, risk and compliance. Since the Novell CNE was one of my first professional certifications, I was glad to see Novell making headway in the information security arena, especially with Deloitte promoting Novell's identity management solution at the conference.

Cloud computing is the buzzword of this year's conference. It is hard to say where the boundaries of a virtual environment start and end, which complicates matters; the complexity of the cloud will introduce new threats and risks. With that in mind, cyber security looks to be in worse shape than last year. Attendance may be a bit lower this year because of budget cuts, but the floor was packed with vendors and an enthusiastic audience.

Most security experts understand that companies are cutting budgets and may reduce their investment in security. A proactive security strategy and spending security dollars wisely are key to a business surviving this downturn. One thing to understand about information security: there is no conventional ROI (return on investment) in security. The return is measured as total cost of ownership, the losses avoided for the money spent.

Another concern raised at the conference is that threats and fraud rise during a downturn. Companies should have comprehensive policies for the insider threat from disgruntled employees who may be on the verge of being laid off, to keep them from walking out with intellectual property.

There is an outstanding line-up of keynote speakers, including Melissa Hathaway, the federal acting senior director for cyberspace, who advises the current (Obama) administration. She will discuss questions such as how involved the federal government should be in protecting critical assets like the power grid. A conference like RSA helps security professionals sharpen their skills and work collaboratively to defend their organizations against attackers.

RSA Conference 2009 Highlights
Video: https://www.youtube.com/watch?v=BAxAagvmu6w

Tags: Cloud computing, Consultants, Information Security, Melissa Hathaway, Moscone Center, Obama, RSA Conference, San Francisco, Security


Apr 09 2009

Social networks and revealing anonymous

Category: Information Privacy | DISC @ 3:02 am

Privacy is a fundamental human right and, in the US, a constitutional one. Advances in technology are breaking down every barrier to our privacy; at this rate individuals will be stripped of it unless we enact policy protections. We need to define what reasonable privacy means for society in general, while treating threats and public safety as a separate question. Social networks are becoming a repository of sensitive information, and their data is usually "anonymized" by stripping names and addresses. Users also create fake profiles to stay anonymous, and a single user may keep several profiles with contradictory or false information.

Arvind Narayanan and Dr. Vitaly Shmatikov of the University of Texas at Austin developed an algorithm that turns such anonymized data back into names.

The algorithm looks at the relationships an individual has established with other members of the social network, not at profile attributes. The more heavily an anonymous individual participates in social media, the easier it is for the algorithm to determine who that person is.

One third of the users who are on both Flickr and Twitter can be identified from the completely anonymized Twitter graph, which shows that stripping identifiers is not enough to preserve privacy on a social network. The idea of "de-anonymizing" social networks extends beyond Twitter and Flickr; it applies equally to other networks where confidential data, such as medical records in healthcare, could be exposed.
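To make the mechanism concrete, here is an added example (not code from Narayanan and Shmatikov, and a deliberate simplification of their algorithm) that runs the seed-and-extend idea on two small constructed graphs: an auxiliary graph with real names and an "anonymized" copy with opaque IDs and one missing edge. The names, IDs, edges and seeds are all invented for the illustration, and the paper's eccentricity test is reduced here to a plain score margin.

```python
"""Seed-and-extend de-anonymization of a social graph (simplified).

Added example, not the authors' code. Two constructed graphs:
  AUX  - an auxiliary graph with real names (say, a public Flickr contact list)
  ANON - the same people with opaque IDs and one edge missing (say, a Twitter
         follower graph with the names stripped)
Start from a few known correspondences (seeds) and extend the mapping by
structural similarity, round after round, until nothing more can be matched.
"""
from collections import defaultdict


def build_graph(edges):
    """Undirected adjacency sets from an edge list."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return dict(adj)


# Constructed auxiliary graph (real names).
AUX_EDGES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"), ("alice", "erin"),
    ("bob", "carol"), ("bob", "frank"), ("carol", "grace"), ("dave", "erin"),
    ("dave", "heidi"), ("erin", "frank"), ("frank", "grace"), ("grace", "heidi"),
]

# Ground truth for the constructed "anonymized" graph. The attacker does not
# know this; it is only used to check the result.
TRUE_IDENTITY = {"n3": "alice", "n7": "bob", "n1": "carol", "n5": "dave",
                 "n2": "erin", "n8": "frank", "n4": "grace", "n6": "heidi"}

# Same edges under the relabelling, except erin-frank (n2-n8) is missing to
# simulate the two sites overlapping imperfectly.
ANON_EDGES = [
    ("n3", "n7"), ("n3", "n1"), ("n3", "n5"), ("n3", "n2"),
    ("n7", "n1"), ("n7", "n8"), ("n1", "n4"), ("n5", "n2"),
    ("n5", "n6"), ("n8", "n4"), ("n4", "n6"),
]


def best_match(node, g_from, g_to, fwd, used):
    """Best unused node of g_to for `node`, plus its score margin over the runner-up.

    Score = how many of `node`'s already-mapped neighbours have their
    counterpart adjacent to the candidate. `fwd` maps g_from nodes to g_to
    nodes; `used` is the set of g_to nodes already claimed by the mapping.
    """
    images = {fwd[n] for n in g_from[node] if n in fwd}
    if not images:
        return None, 0
    scores = {c: len(images & g_to[c]) for c in g_to if c not in used}
    if not scores:
        return None, 0
    ranked = sorted(scores.values(), reverse=True)
    runner_up = ranked[1] if len(ranked) > 1 else 0
    return max(scores, key=scores.get), ranked[0] - runner_up


def propagate(anon, aux, seeds, theta=1):
    """Extend the seed mapping (anon id -> aux name) until no node can be added."""
    mapping = dict(seeds)
    changed = True
    while changed:
        changed = False
        for a in sorted(anon):
            if a in mapping:
                continue
            cand, margin = best_match(a, anon, aux, mapping, set(mapping.values()))
            if cand is None or margin < theta:
                continue  # no clear winner yet: wait for more mapped neighbours
            # Reverse check: matched from the aux side, the candidate must pick `a`.
            inverse = {v: k for k, v in mapping.items()}
            back, _ = best_match(cand, aux, anon, inverse, set(mapping))
            if back != a:
                continue
            mapping[a] = cand
            changed = True
    return mapping


def deanonymize(seeds=None):
    """Run the attack on the constructed graphs, from two seeds by default."""
    seeds = seeds or {"n3": "alice", "n7": "bob"}
    return propagate(build_graph(ANON_EDGES), build_graph(AUX_EDGES), seeds)


if __name__ == "__main__":
    result = deanonymize()
    hits = sum(result.get(k) == v for k, v in TRUE_IDENTITY.items())
    print(f"recovered {hits}/{len(TRUE_IDENTITY)} identities from 2 seeds")
    for anon_id in sorted(result):
        print(f"  {anon_id} -> {result[anon_id]}")
```

Two seeds are enough to recover all eight identities here; the missing edge only delays the last two matches by a round or two, because the nodes they depend on get resolved first. The reverse check (the candidate must pick the same node when matched from the other side) is what keeps the propagation from locking in a wrong match and compounding it in later rounds.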

“If an unethical company were able to de-anonymize the graph using publicly available data, it could engage in abusive marketing aimed at specific individuals. Phishing and spamming also gain from social-network de-anonymization. Using detailed information about the victim gleaned from his or her de-anonymized social-network profile, a phisher or a spammer will be able to craft a highly individualized, believable message”

Now, is it reasonable to say that the social network wears no clothes?

Personally identifiable information
California Senate Bill 1386 defines "personal information" as an individual's name in combination with any of the following:
• Social security number.
• Driver's license number or California Identification Card number.
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

On their own, names, addresses, e-mail addresses and telephone numbers do not fall under the scope of SB 1386; it is the combination of a name with one of the elements above that triggers the statute.

HIPAA Privacy defines "individually identifiable health information" as health information:
1. that identifies the individual; or
2. with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
The term "reasonable basis" leaves the dividing line open to interpretation by case law.

Narayanan and Shmatikov's paper

Social network privacy video
Video: https://www.youtube.com/watch?v=X7gWEgHeXcA

Tags: Anonymity, Flickr, Personally identifiable information, privacy, Security, Social network, Twitter, Vitaly Shmatikov


Apr 02 2009

Cloud computing and security

Category: Cloud computing | DISC @ 5:55 pm
Image: https://commons.wikimedia.org/wiki/File:Cloud_comp_architettura.png

Cloud computing provides common business applications online, run from a web browser on virtual servers located somewhere on the internet. The main security and privacy concern for users is who has access to their data at the various locations where it is held, and what happens if that data is exposed to an unauthorized party. Perhaps the bigger question is whether the end user can trust the service provider with confidential and private data at all.

“Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.”

Three categories of cloud computing technologies:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

Cloud computing offers many new services, which increases exposure and adds new risk factors. Much depends on application vulnerabilities that end up exposing data, and on whether the provider publishes transparent policies spelling out who is responsible for what; the latter is what builds end-user trust. Criminals will eventually use cloud computing for their own ends as well. Transparent policies help sort out legal and compliance questions and decide whether responsibility for a breach lies with the end user or with the service provider.

The complexity of cloud computing introduces new risks, and complexity is the enemy of security. Organizations and end users should keep this principle in mind before introducing a new variable into their risk equation. As a consumer, research your potential risks before buying the service, and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

Possible risks (and design principles to check for) in cloud computing:
• Complete data segregation
• Complete mediation
• Separation of duties
• Regulatory compliance (SOX, HIPAA, NIST, PCI)
• User access
• Physical location of data
• Availability of data
• Recovery of data
• Investigative and forensic support
• Viability and longevity of the provider
• Economy of mechanism

Tags: Cloud computing, cloudcomputing, compliance, Computer security, iaas, IBM, Information Privacy, Infrastructure as a service, paas, Platform as a service, Policy, privacy, saas, Security, security assessment, Security Breach, Services


Mar 26 2009

Conficker C worm and April fool

Category: Malware | DISC @ 3:24 pm

A worm like Conficker is a digital time bomb, hard-coded to trigger on April 1 (April Fool's Day). Antivirus companies are doing their best to minimize its impact. The first Conficker variant appeared a few months ago and has already caused a significant amount of damage to businesses. Conficker uses the MD6 hash algorithm, the first known case of this new algorithm being used in malware. Across the globe, about 15 million computers are infected with the worm.

"In computing, a worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself."

This is the third Conficker variant in the wild, named "Conficker C", and it poses a significant threat to businesses; security experts are still trying to work out its potential impact. The new variant can morph into something else, which makes it harder for antivirus software to detect. What is known so far is that at a predefined time on April 1st the infected machines will activate new code, after which the worm's originator can control them, and it is anybody's guess right now what commands these zombies will be given. It could be to steal private and personal information, send spam, launch DDoS attacks, or simply wipe the infected machine's hard drive. The bad guys also don't have to issue commands on April 1st; it can be any time afterwards.

Possible countermeasures:
• Keep patches up to date (in particular the Microsoft MS08-067 security update)
• Keep antivirus signature files up to date (latest DAT)
• Disable AutoRun
• Verify with a second product: McAfee's free online scan, or the free Sophos Conficker clean-up tool
• Confirm now that your machines are not infected with Conficker C; a clean machine has nothing to fear on April 1st

Microsoft is offering a $250,000 reward for information that leads to the arrest and conviction of the Conficker worm's makers.

Video: https://www.youtube.com/watch?v=YqMt7aNBTq8

Tags: Antivirus software, April Fools Day, conficker, Malicious Software, McAfee, Microsoft, Security, Viruses


Mar 20 2009

Web 2.0 and social media business risks

Category: Web 2.0 | DISC @ 3:01 am

Web 2.0 is a major force with numerous business benefits, but it also exposes companies to new risks.
Social networking sites such as Facebook, LinkedIn and Twitter have become the preferred method of communication for a whole generation, and the ability to post "status updates" is fast becoming the new e-mail. LinkedIn is adding one user per second, and Facebook has reached 150 million users in just five years.

The associated risks organizations face include phishing, harvesting of employee e-mail addresses, and relatively simple social engineering through these networks: not only an attacker using them to get into the employee's current organization, but also the organization losing an employee and all their leads when clients follow "their man or woman" to a new job after tracing them through a site such as LinkedIn. Attackers can follow conversations on social media to identify a user's problem or pain point and then offer a "solution" that is in fact malware built to steal private and confidential data.

And then of course there is the downside of staff using bandwidth and working time for purposes other than those they are employed for, possibly preventing others (because of bandwidth or processing limits) from doing what they should. Many of these sites openly encourage people to download video clips.

The solution?
Usually the controls in the ISO 27002 code of practice can be selected and applied, through a combination of management and technical policies, to address the associated risks; but this should be the result of a risk assessment and should balance the three attributes of confidentiality, integrity and availability.

For clear best-practice guidance on how to tackle "Threat 2.0", download
Web 2.0: Trends, benefits and risks!

This 112-page best-practice report from IT Governance separates the hype from the tangible reality and provides:

1. A workable description of what "Web 2.0" is and what it means within the business environment, complete with a glossary of Web 2.0 terms.
2. A description of the business benefits to be derived from Web 2.0 technologies, with examples taken from real-life case studies.
3. An identification and discussion of "Threat 2.0", the information security risks inherent in Web 2.0 technologies, together with the latest best-practice recommendations for mitigation.

During a financial crisis companies cut budgets, and information security will inevitably absorb some of the cut; but a drastic cut is unwise, since a major breach could put the organization in an unrecoverable position. In this tough economy security professionals have to do an extraordinary job of selling security to management and showing how security due diligence keeps the business safe, successful and compliant.

Do you think the advantages of social media outweigh the potential risks?

Tags: facebook, iso 27002, linkedin, Security, Social network, Social network service, Twitter, Video clip, Web 2.0


Mar 17 2009

Congressional data mining and security

Category: Information Security | DISC @ 12:42 am

“By slipping a simple, three-sentence provision into the gargantuan spending bill passed by the House of Representatives last week, a congressman from Silicon Valley is trying to nudge Congress into the 21st Century. Rep. Mike Honda (D-Calif.) placed a measure in the bill directing Congress and its affiliated organs — including the Library of Congress and the Government Printing Office — to make its data available to the public in raw form. This will enable members of the public and watchdog groups to craft websites and databases showcasing government data that are more user-friendly than the government’s own.”

It would be great if this passes, but the government would need security provisions so that attackers could not manipulate the raw data or the databases behind it. Without proper controls, databases can be modified or stolen, so before making the raw data available to the public, Congress may need comprehensive legislation to protect the confidentiality, integrity and availability of the data.

Security principles and controls that should be considered in such database legislation:
• Principle of least privilege
• Separation of duties
• Defense in depth at every level
• Strong auditing and monitoring controls
• Security risk assessment based on ISO 27002 and NIST SP 800-53
• A comprehensive risk management program to manage the identified risks

Congressional Data Mining: Coming Soon? (Mother Jones)

Video: https://www.youtube.com/watch?v=wqpMyQMi0to

Tags: Business, Data mining, database, defense in depth, iso 27002, Mike Honda, National Institute of Standards and Technology, Risk Assessment, Risk management, Security, separation of duities, Silicon Valley


Mar 12 2009

Cybersecurity and congressional hearing

Category: Information Warfare | DISC @ 2:02 am

Cybersecurity experts were before Congress this week to discuss security strategy and the threats to federal government infrastructure that stem from not having an appropriate strategy and funding.

“Where are we today in cyber security? From one perspective, we are in remarkably bad shape. In the last year, we have seen the networks of the two Presidential campaigns, secure networks at the U.S. Central Command and computer networks in Congress and other Federal agencies penetrated by outsiders.” Dr. Jim Lewis, Center for Strategic and International Studies

“But in our rush to network everything, few stopped to consider the security ramifications of this new world we were creating. And so we find ourselves in an extremely dangerous situation today – too many vulnerabilities exist on too many critical networks which are exposed to too many skilled attackers who can inflict too many damages to our systems. Unfortunately, to this day, too few people are even aware of these dangers, and fewer still are doing anything about it.” Rep. Yvette Clarke, D-N.Y., who chairs the subcommittee

Amit Yoran said that research and development must be bolstered, standards for securing systems must be reformed, and a legal analysis of governance, authority and privacy requirements is needed. Cybersecurity focuses on monitoring adversaries, determining their methods and techniques, tracking their activities to a point of origin, and determining the scope, intent and objective of a compromise.

Copies of the written testimony from the 3/10 proceedings are available on the Committee on Homeland Security site.

Detection of cyber attacks and an emergency response plan are paramount to defending against them. I think the federal government needs a new, proactive paradigm for cybersecurity: inspect the packets (deep packet inspection) to distinguish malicious traffic from normal traffic, so that malicious packets can be dealt with at the perimeter before they create havoc inside the network or on end-user desktops.

Video: https://www.youtube.com/watch?v=5rDEw3uSK54

Tags: Amit Yoran, Barack Obama, Center for Strategic and International Studies, Computer security, Congress, Federal government of the United States, Security, United States


Mar 04 2009

HIPAA accountability and security program

Category: hipaa, Security Risk Assessment | DISC @ 7:34 pm

Last year the Department of Health and Human Services (HHS) started penalizing healthcare organizations for security breaches and for lacking a security program, and the healthcare stimulus bill says HHS will post breaches by healthcare organizations on its website. In both cases the intent is clear: HHS wants to hold healthcare organizations accountable for security lapses.

The World Privacy Forum (WPF) states in a recent report that medical identity theft is on the rise, and that it leaves false information in medical records that can torment victims' medical lives for years. Medical identity theft is mostly carried out by insiders with legitimate access to medical and insurance billing records. Patient files and addresses can be altered to reflect phony medical care, and insurance payments forwarded to a different address.

HHS has given healthcare organizations ample warning and time to get their houses in order. The healthcare stimulus bill, which requires digitizing healthcare records, will demand an even more stringent security program from them. Time is of the essence: healthcare organizations should start their security strategy planning now and implement a security program before HHS comes knocking at the door.

Risk Management Process:

Like other compliance initiatives, HIPAA requires organizations to build a security risk management program to manage their day-to-day risks. The risk management process consists of risk assessment (analyzing the risks), designing or selecting controls, implementing them, testing them, and maintaining and monitoring them. At a high level, risk management balances risk exposure against the cost of mitigation and implements the appropriate countermeasures and controls.

Diagram: risk management process

A risk assessment states the security posture of an organization at a given point in time, so organizations should assess the risks to their assets on a regular basis. The assessment looks at each threat/vulnerability pair and rates its likelihood and its impact: how likely is it that the threat exploits the given vulnerability, and what would the impact be if it did. Risk is the product of the two, so a low likelihood or a low impact drives the rating down; a threat with catastrophic impact still deserves attention even when it is unlikely.

Performing a vulnerability assessment of critical assets on a monthly basis is highly recommended, both to find new vulnerabilities and to make sure the hardened system configurations have not changed. Any change introduced to a system should likewise be followed by a check that the required configuration settings are still intact.
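As an added illustration of the configuration check described above (example code, not from the post or from any HHS guidance), the script below records a baseline of SHA-256 hashes and permission bits for every file under a directory, then reports what was added, removed or changed on the next run. The directory layout and file contents in `demo()` are constructed for the illustration; in practice you point `snapshot()` at the directories your hardening standard covers (for instance /etc on Linux) and run the check on a schedule and after every change.

```python
"""Configuration drift check against a hardened baseline.

Added example, not from the original post. Record a baseline of file hashes
and permission bits once the system is hardened; on each periodic check, or
after any change, compare the live state against the baseline and report
what differs. demo() builds a throwaway directory with constructed files so
the check can be exercised without touching a real host.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under `root` (POSIX-style relative path) to hash and mode."""
    root = Path(root)
    state = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        state[path.relative_to(root).as_posix()] = {
            "sha256": file_digest(path),
            "mode": oct(path.stat().st_mode & 0o7777),  # permission bits only
        }
    return state


def compare(baseline, current):
    """Classify drift: paths added, removed, or changed in content or permissions."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(state, path):
    Path(path).write_text(json.dumps(state, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def check(root, baseline_path):
    """Drift report for `root` against the stored baseline."""
    return compare(load_baseline(baseline_path), snapshot(root))


def demo():
    """Run the whole cycle on a temporary directory with constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)
        # Simulated drift: a hardening setting flipped, a file added, one removed.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "rc.local").write_text("/usr/bin/nc -l 4444 &\n")
        (root / "hosts").unlink()
        return check(root, baseline_file)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        root, baseline_path = sys.argv[1], sys.argv[2]
        if not Path(baseline_path).exists():
            save_baseline(snapshot(root), baseline_path)
            print(f"baseline written to {baseline_path}")
        else:
            report = check(root, baseline_path)
            print(json.dumps(report, indent=2))
            sys.exit(1 if any(report.values()) else 0)
    else:
        print(json.dumps(demo(), indent=2))
```

Run it once with a directory and a baseline path to write the baseline, and again with the same arguments to get the report; a non-zero exit on drift makes it usable from cron or a change-management pipeline. Keep the baseline file somewhere the monitored host cannot modify, otherwise an intruder who changes a file can simply re-baseline it.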

A Five-step Roadmap to HIPAA Security Compliance

Related video
Video: https://www.youtube.com/watch?v=3Srhrow67f8

Tags: Health care, Health Insurance Portability and Accountability Act, Identity Theft, Risk management, Security, Security Risk Assessment, United States Department of Health and Human Services


Feb 25 2009

Small business and assessment of IT risks

Category: Security Risk Assessment | DISC @ 5:02 pm

According to a study released by the European Network and Information Security Agency (ENISA), small and medium-sized enterprises (SMEs) need extra guidance in assessing the IT security risks to their assets.

The agency also found that, on a first implementation, it is improbable that an SME can use a risk assessment and risk management approach without external assistance, and that a simplified information security approach was extremely useful in raising security awareness within the business and improving its information security management. One of the main drivers that pushed ENISA towards a simplified risk assessment and management approach was the idea that SMEs need simple, flexible, efficient and cost-effective security solutions.

For the life cycle of the simplified approach, ENISA applied the Plan-Do-Check-Act model:
o PLAN: create a simplified risk assessment and risk management approach for SMEs
o DO: run pilots in different contexts inside the EU
o CHECK: collect feedback from the pilots, aggregate and analyze it
o ACT: review and improve the simplified approach based on the feedback
Through repetition of this cycle the simplified ENISA method is expected to reach maturity.

Diagram: Overview of the phases of the ENISA simplified approach

ENISA's simplified and standardized approach to risk assessment for SMEs is designed for untrained users and organizations with a small IT infrastructure. The security of SMEs is crucial for the European economy, since they represent 99% of all enterprises in the EU and around 65 million jobs, ENISA said.

ENISA report and findings

With an economic slowdown looming in the US, it makes sense to adopt a similarly simplified, standardized life-cycle approach to managing and securing SME data. SMEs are the core engine of the US economy as well; taking a standards-based approach to data protection will not only increase awareness and secure the business but will also satisfy various compliance needs. Complexity is the enemy of security, and SMEs most of the time lack the in-house expertise to tackle their information security needs. The main idea is a simple, flexible and cost-efficient risk assessment and risk management program for non-expert users and managers with a relatively uncomplicated IT infrastructure, which fits the needs of most SMEs. Such a program serves as an IT risk assessment tool, fulfills the needs of several regulations, and doubles as a security awareness tool. As business needs change, the risk assessment and risk management process can be improved using the Deming PDCA model: start with a base program and tailor it to your business over time.

Another methodology worth mentioning for simplified risk assessment in SMEs is the Facilitated Risk Analysis and Assessment Process (FRAAP) created by Tom Peltier, which can be used to identify and quantify threats to IT infrastructure. Tom also teaches a class on completing a risk assessment in five days or less using FRAAP, and explains the methodology in his book "Information Security Risk Analysis".

Computer Security
Video: https://www.youtube.com/watch?v=MUQzEJ82TrQ

Tags: Business, Computer security, Consultants, European Network and Information Security Agency, European Union, information security risk analysis, Risk management, Security, Security Risk Assessment, Small and medium enterprises, SME


Feb 13 2009

Global economic insecurity and rise of insider threats

Category: Insider Threat | DISC @ 6:04 pm

According to a BBC News article by Maggie Shiels (Feb 11, 2009), the world's biggest software maker has warned companies to expect an increase in "insider" security attacks by disgruntled, laid-off workers. Microsoft said so-called "malicious insider" breaches were on the rise and would worsen in the present downturn.

Below are the high points:
• With 1.5 million predicted job losses in the US alone, there is increased risk of and exposure to these attacks

• "Insider threat is one of the most significant threats companies face," said Microsoft's Doug Leland

• The malicious insider is classed as the greatest security concern because they have access, and relatively easy access, to corporate assets

• During economic insecurity people are motivated by revenge, fear or greed

• 88% of data breaches were caused by simple negligence on the part of staff

• Employees steal information to sell to a third party, to get back at a company for being laid off or demoted, or to try to get a job at another company

• Insider attacks are fewer in number but can be more devastating, because the employee knows where "the crown jewels" are kept, unlike a hacker who has to go on something of a "fishing expedition" to find a company's valuable assets

• The outstanding, unsolved, unaddressed risk management problem that has existed for years is that everyone is focusing on the hacker

• Data loss prevention systems specialize in the detection of precisely these events

Here is the article: Malicious insider attacks to rise

To find the correct balance between data security and data availability, organizations are urged to buy a copy of Data Breaches: Trends, costs and best practices.

Even in good times, management focuses on driving shareholder value by increasing revenue and profits. I think that during this downturn information security will be the last thing on their minds, which not only compounds the problem but hands an edge to the attacker; simply a bad business decision considering the circumstances. It is time to start paying attention to regulatory compliance for the sake of securing the organization's assets. A good place to start is a baseline against an information security framework, followed by a strategy to improve on it. An ISO-based assessment can be used to baseline the organization's security posture and is a great first step towards ISO 27002 compliance, or for that matter any compliance audit.

Do you think boardrooms are appropriately prepared to tackle, or at least slow down, the wave of data breaches coming our way?

Related articles
Unstable Economy and Insider Threats
Economic Crisis Tops Security Threats to U.S.

Detecting Insider Threats
Video: https://www.youtube.com/watch?v=2Ce3S6DkvwY

Tags: BBC, Consultants, Data loss prevention products, Information Security, International Organization for Standardization, iso 27002, Microsoft, Risk management, Security


Feb 10 2009

Defense in depth and network segmentation

Category: Information Security, Network security | DISC @ 2:17 am

Traditional security schemes are incapable of meeting the security challenges of today's business requirements. Most security architectures are perimeter-centric and lack comprehensive internal controls. Organizations that depend on the firewall for their security may be overtaxing it (asking one mechanism to do more than it can handle). Some old firewall rule sets stay in place for years, which becomes a liability when the rules neither represent current business requirements nor protect critical assets appropriately.

“Firewalls are typically managed by a succession of administrators who create their own rules, which then accumulate over a period of years. This creates rule duplication, which can impinge on performance, but also brings risks such as the use default or open passwords.”

The first step in defense in depth is designing a corporate network segmentation policy that describes which departments, applications, services and assets should reside on separate networks. Network segmentation ensures that threats are localized, with minimal impact on the rest of the organization. NIST, ISO 27002 and PCI DSS emphasize the importance of network segmentation but do not mandate it. At the same time, the PCI Security Standards Council points out in its newer guidance that the scope of compliance can be significantly reduced by placing all the related assets in their own segment. Network segmentation is not only common sense in today's market but also one of the most effective and economical controls to implement; simply a great return on investment.

Network segmentation benefits:
o Improves network performance and reduces congestion
o Contains attacks (viruses, worms, trojans, spam, adware) so they do not spill over into other networks
o Improves security by ensuring that nodes are not visible from unauthorized networks, and reduces the size of broadcast domains

The basic idea behind defense in depth is to protect your crown jewels with multiple layers of defense: should one fail, another still provides crucial protection. Another important thing to remember is that we cannot defend everything, so the defense in depth approach should be asset-centric rather than perimeter- or technology-centric. Perform a thorough risk assessment to identify your most important assets and apply defense in depth to protect the confidentiality, integrity and availability of those critical assets. One example of network segmentation is a wireless network, where wireless users are placed in their own segment behind a firewall with its own rule set. This rule set helps contain the wireless users, and any attack launched from the wireless segment, within that segment. To reach the content of another segment, wireless users have to pass through every layer of protection in between.

Defense in depth diagram
Different attacks are handled by different layers. The outer layer (layer 1) handles most network-level attacks, while layer 2 handles most script-based attacks that target the operating system. Layer 3 handles most application attacks, which are more complex and used mainly by skilled attackers. Layer 4 is the final frontier, where you protect the crown jewels by moving many of the tools and techniques used at the perimeter closer to the critical assets.
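To make the rule-set hygiene and segmentation points concrete, here is an added example (not code from the original post): a small Python audit that takes a firewall rule set and a segmentation policy, reports exact duplicates, rules shadowed by earlier rules, and allow rules that open a path the policy does not permit, such as the wireless segment reaching the crown jewels directly. The segments, addresses and rules are constructed for illustration.

```python
"""Audit a firewall rule set against a network segmentation policy.

Added example for the segmentation discussion above; it is not code from the
original post. The segments, addresses and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Hypothetical segments (constructed addressing)
SEGMENTS = {
    "wireless": ip_network("10.10.0.0/16"),
    "corp": ip_network("10.20.0.0/16"),
    "dmz": ip_network("10.30.0.0/24"),
    "crown_jewels": ip_network("10.40.0.0/24"),
}

# Segmentation policy: (source, destination) pairs allowed to talk directly.
# Wireless users must go through the DMZ; nothing from "any" reaches the crown jewels.
ALLOWED_PATHS = {
    ("wireless", "dmz"),
    ("corp", "dmz"),
    ("corp", "crown_jewels"),
    ("dmz", "crown_jewels"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    port: Optional[int]   # None means any destination port
    action: str           # "allow" or "deny"


def segment_of(cidr: str) -> str:
    """Name the segment a CIDR belongs to; 'any' for 0.0.0.0/0, 'unknown' otherwise."""
    net = ip_network(cidr)
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name
    return "any" if net.prefixlen == 0 else "unknown"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (
        ip_network(inner.src).subnet_of(ip_network(outer.src))
        and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
        and (outer.port is None or outer.port == inner.port)
    )


def find_duplicates(rules: List[Rule]) -> List[int]:
    """Indices of rules identical to an earlier rule (the accumulation problem quoted above)."""
    seen, dups = set(), []
    for i, rule in enumerate(rules):
        if rule in seen:
            dups.append(i)
        seen.add(rule)
    return dups


def find_shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already covers
    them (first-match semantics). Exact duplicates are shadowed too."""
    return [i for i, rule in enumerate(rules) if any(covers(e, rule) for e in rules[:i])]


def policy_violations(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Allow rules that open a path the segmentation policy does not permit."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src, dst = segment_of(rule.src), segment_of(rule.dst)
        if src != dst and (src, dst) not in ALLOWED_PATHS:
            findings.append((i, src, dst))
    return findings


def audit(rules: List[Rule]) -> dict:
    return {
        "duplicates": find_duplicates(rules),
        "shadowed": find_shadowed(rules),
        "violations": policy_violations(rules),
    }


# Constructed rule set: the kind that accumulates over years of administrators.
RULES = [
    Rule("10.10.0.0/16", "10.30.0.0/24", 443, "allow"),   # 0: wireless -> DMZ web
    Rule("10.10.0.0/16", "10.30.0.0/24", 443, "allow"),   # 1: exact duplicate of 0
    Rule("10.10.5.0/24", "10.30.0.0/24", 443, "allow"),   # 2: subset of 0, never reached
    Rule("10.10.0.0/16", "10.40.0.0/24", 22, "allow"),    # 3: stale: wireless straight to crown jewels
    Rule("10.20.0.0/16", "10.40.0.0/24", 1433, "allow"),  # 4: corp -> crown jewels, permitted
    Rule("0.0.0.0/0", "10.40.0.0/24", 3389, "allow"),     # 5: RDP from anywhere to crown jewels
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),         # 6: default deny
]

if __name__ == "__main__":
    for kind, hits in audit(RULES).items():
        print(f"{kind}: {hits}")
```

Run it as is and the three findings are exactly the ones the text warns about: the duplicate of rule 0, the subset rule that nobody will ever hit, and two allow rules (3 and 5) that let traffic bypass the layers between the wireless segment and the crown jewels. Feeding it a real rule set means exporting the rules into the same (src, dst, port, action) shape.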



Related article
Network segmentation is a common sense





Defense in depth
httpv://www.youtube.com/watch?v=zTJSMjYd9c4&feature=related


Tags: Consultants, Firewall, ISO/IEC 27002, National Institute of Standards and Technology, Products, Rate of return, Security, Wireless network


Jan 30 2009

ISO 27k and CMMI

Category: Information Security, ISO 27k | DISC @ 2:00 am

To succeed in today's market, optimized information security controls may be the answer to unmet security needs. One way to achieve optimized controls is to perform an ISO assessment: assess the organization's security posture against the ISO 27002 code of practice and map each control to the Capability Maturity Model Integration (CMMI) to find the current maturity level of each control. The goal is to address the organization's security needs as a whole and to assess how different departments and business functions are meeting current business security requirements. CMMI has five levels and evaluates controls by level, not by specific objective. Each level builds on the previous one, so it is not possible to reach the next level without satisfying the previous level. ISO 27002 is a comprehensive framework that can be used to obtain the baseline on which each level is built. For each control in ISO 27002, maturity levels are defined using the maturity definitions found in CMMI, and the assessment report rates the maturity level of each control. Using the color-coded scheme of the CMMI model, create a one-page ISO control summary for executives that not only helps them understand the current security posture but also serves as a tool for measuring progress and allocating resources.

The scope of the ISO 27k standards covers far more than IT. The introduction to ISO 27002 states clearly: “Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected.”

Benefits of the ISO 27k framework:
o Addresses the security issues of the whole organization and limits data breaches
o Addresses compliance with various regulations (SOX, HIPAA and PCI DSS) without creating silos
o Reduces the total cost of security by decreasing the total number of controls required
o Signals to your business partners that you are serious about information security, not just compliance
o Enhances partners' and vendors' confidence in doing business with your organization
o Is likely to become a deciding factor for national, and especially international, partners awarding more business
o Is an internationally recognized standard that addresses security awareness for the whole organization

ISO 27002 to CMMI mapping diagram

The assessment gives an organization a high-level view of its current security posture and a road map for its security strategy: what needs to be addressed first, using a risk-based approach. It is also a good start if your organization is interested in an Information Security Management System (ISMS) or ISO 27001 certification. ISO 27001 is the certifiable standard that contains the requirements for an ISMS. Justifiable scoping is the key to a quick and successful certification; an organization may extend its scope at re-certification. In the first attempt you may need to include just one web portal in your scope, together with the entire infrastructure supporting that portal. Once the ISMS project scope is determined, here are some steps you can follow to prepare for the ISO 27001 auditors.

1. Based on your scope, create an asset list
2. Identify each asset's threats and vulnerabilities and classify the asset on a CIA scale
3. Build a risk matrix based on the impact and likelihood of each risk
4. Prioritize the risks based on impact and likelihood
5. Based on those priorities, implement appropriate controls for the risks that need to be addressed
6. Repeat the risk assessment and improve the ISMS through the PDCA cycle
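The six steps above, carried through once as an added example (not from the original post): assets classified on a CIA scale, a risk register scored by likelihood times impact, a priority band, controls applied to the high band, and the reassessment of step 6. The assets, threats, scores, thresholds and control catalogue are constructed assumptions.

```python
"""Risk matrix for the six ISMS preparation steps above.

Added example, not from the original post. Assets, threats, scores and the
control catalogue are constructed; the 1-5 scales and priority bands are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


# Steps 1 and 2: assets in scope, classified on a CIA scale (1 low .. 3 high)
@dataclass
class Asset:
    name: str
    c: int
    i: int
    a: int


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    affects: str            # which CIA property the threat hits: "c", "i" or "a"
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    controls: List[Tuple[str, int]] = field(default_factory=list)  # (control, likelihood reduction)

    @property
    def impact(self) -> int:
        """Impact derives from the classification of the affected property (1..3 -> 1, 3, 5)."""
        return {1: 1, 2: 3, 3: 5}[getattr(self.asset, self.affects)]

    def residual_likelihood(self) -> int:
        return max(1, self.likelihood - sum(cut for _, cut in self.controls))

    def score(self) -> int:
        return self.residual_likelihood() * self.impact


def priority(score: int) -> str:
    """Step 4: band the score. Thresholds are an assumption; tune them to your risk appetite."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def risk_matrix(risks: List[Risk]) -> List[Tuple[int, str, str, str]]:
    """Step 3: the register sorted highest score first: (score, priority, asset, threat)."""
    rows = [(r.score(), priority(r.score()), r.asset.name, r.threat) for r in risks]
    return sorted(rows, key=lambda row: row[0], reverse=True)


def apply_controls(risks: List[Risk], catalogue: dict, band: str = "high") -> List[str]:
    """Step 5: attach the catalogued control to every risk currently in `band`."""
    applied = []
    for r in risks:
        if priority(r.score()) == band and r.threat in catalogue:
            r.controls.append(catalogue[r.threat])
            applied.append(f"{r.asset.name}: {catalogue[r.threat][0]}")
    return applied


def build_register() -> List[Risk]:
    """Constructed assets and risks for a scope of 'one web portal and its infrastructure'."""
    portal = Asset("web portal", c=3, i=3, a=2)
    db = Asset("customer database", c=3, i=3, a=3)
    logs = Asset("log server", c=1, i=2, a=2)
    return [
        Risk(portal, "SQL injection", "unvalidated input", "c", likelihood=4),
        Risk(db, "ransomware", "unpatched host", "a", likelihood=3),
        Risk(portal, "DDoS", "no rate limiting", "a", likelihood=3),
        Risk(logs, "disk failure", "no redundancy", "a", likelihood=2),
    ]


# Constructed control catalogue: control name and how far it cuts likelihood
CONTROLS = {
    "SQL injection": ("parameterized queries and input validation", 3),
    "ransomware": ("patch management and offline backups", 2),
}


def pdca_cycle(catalogue: dict = CONTROLS):
    """Steps 3 to 6 once through: matrix before controls, controls applied, matrix after."""
    risks = build_register()
    before = risk_matrix(risks)
    applied = apply_controls(risks, catalogue)
    after = risk_matrix(risks)  # step 6: reassess with the controls in place
    return before, applied, after


if __name__ == "__main__":
    before, applied, after = pdca_cycle()
    print("before:", before)
    print("applied:", applied)
    print("after:", after)
```

The second matrix is the point of step 6: once the two high risks are treated, the DDoS risk on the portal moves to the top of the list and becomes the next thing to address in the following cycle.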

“ISO27001 is a structured, technology-neutral, vendor-agnostic specification and code of practice for information security management in organizations of all sizes that should be adopted as part of an organization’s overall risk management strategy.”

This should give you a jump start on certification. In fact you have already started the process, because most of the documentation from the risk assessment becomes part of the certification later and leads you into the 12 steps that make up the PDCA cycle. The ISMS certification process uses the Plan-Do-Check-Act (PDCA) cycle to continually improve the information security management system and to meet the contractual, legal and regulatory requirements for information security.

An ISO assessment is used to analyze the current security posture of an organization, with each control rated and color coded using the base definitions found in CMMI. An ISO assessment is therefore a great first step towards the final ISO 27001 certification audit, or for that matter any compliance audit.


ISO 27k framework for today’s security challenges
httpv://www.youtube.com/watch?v=yRFMfiLbNj8

Three useful titles on ISO 27k by Alan Calder

Tags: Capability Maturity Model Integration, CIA scale, Information Security, Information Security Management System, International Organization for Standardization, isms, iso 27001, iso 27002, ISO/IEC 27001, PCI, PDCA, Risk Assessment, Risk management, Security, SOX HIPAA, vsrisk


Jan 22 2009

Web 2.0 and malware 2.0

Category: Malware, Web 2.0 | DISC @ 5:43 pm

A new position paper from ENISA describes the risks associated with Web 2.0 and "malware 2.0". Web 2.0 includes social networking, photo sharing, wikis and social bookmarking sites; malware 2.0 is defined as web-based infection in which a user can be entrapped simply by visiting a website.

Web 2.0 applications are thriving because of their dynamic content, to which users contribute and through which they interact with each other. This dynamic interaction comes with the new threat of malware 2.0: in a Web 2.0 environment users trust information without knowing anything about the author or the integrity of the source, and that is precisely why criminals are attacking these applications and using them to circulate malware.

The ENISA survey also evaluates the methods people use to judge whether a web page is phony. People are suspicious of a source if it appears only once on the web, but start trusting it (and its integrity) if it appears more than once. The assumption is that somebody down the chain must have validated the source, so as content spreads across the web people somehow start believing in its authenticity.

“Misinformation is easily propagated through syndicated news stories, blog posts, and social data, which provides few trust cues to users. This has very serious consequences such as stock price manipulation and control of botnet via RSS feeds”

There is a need for an independent third party on the web that can validate the source of content. The availability of Web 2.0 content has to be balanced with a fitting dose of confidentiality and integrity.

Survey results


Related article
25 Most Shocking Crimes in Social Media History

The Machine is Us/ing Us

httpv://www.youtube.com/watch?v=NLlGopyXT_g

Tags: availability, confidentiality, integrity, malware 2.0, On the Web, Photo sharing, risks, RSS, Security, Social bookmarking, Social network service, threats, Web 2.0, Web page, Website


Jan 14 2009

Cyber warfare and possibility of cybergeddon

Category: Information Warfare | DISC @ 1:56 am
Cyber warfare poses a serious threat to a country's critical infrastructure. It has been a major challenge for DoD officials; cyber attackers have already stolen terabytes of data from their infrastructure.
Most security experts and the FBI agree that cyber attacks pose the biggest threat to vital US infrastructure. "Cybergeddon" is the scenario in which our daily economy, which depends on interconnected vital network infrastructure, is taken down by cyber attackers.

SCADA (Supervisory Control and Data Acquisition) systems control the power grids in all utilities; such “systems are used in industry to monitor and control plant status and provide logging facilities and are highly configurable“. A SCADA system is the connection between the control systems and the physical switches.

Cyber attackers have already caused multi-city power outages outside the US. Recent attacks show that attackers are becoming more knowledgeable about SCADA systems. In the past SCADA was an isolated, proprietary system, but it is now slowly being integrated with the rest of the infrastructure and using IP addressing. Both trends introduce new threats and raise the risk of cyber attack.

Utilities are the most critical infrastructure in the sense that every other vital infrastructure depends on the power supply. A cyber attack on SCADA systems has the potential for cybergeddon, so they should be protected as very critical assets by both the public and private sectors. Security through obscurity is no longer an answer for SCADA.
For SCADA systems, reasonable security can be achieved by adopting the ISO 27k standards as policy and eventually obtaining ISO 27001 (ISMS) certification. Organizations may start the certification process with a limited scope (the most critical processes) and extend the scope at each recertification based on the resources available and management's risk appetite. An Information Security Management System (ISMS) can add great value as a process for the ongoing monitoring, maintenance and process improvement of SCADA. An ISMS in place provides a reasonable, ongoing safeguard, including a defined process for responding to zero-day attacks.
How do I prepare for a power outage?
“SCADA system has been poorly managed for decades”

Tags: Cyber-warfare, cybergeddon, Information Security Management System, Information Warfare, International Organization for Standardization, ira winkler, iso 27001, SCADA, Security


Dec 29 2008

Network Access Control and Security

Category: Access Control | DISC @ 4:24 am


The purpose of network access control is to protect and safeguard the assets attached to a network from the threat of unauthorized users gaining access to the organization's assets.

Network Access Control (NAC) authenticates users to make sure they are authorized to log in and are following the login policies and procedures before they are allowed to use the organization's assets. Some of the threats to those assets are insider fraud, identity theft and botnet infestation, where the botnet can be used as a launching pad for attacks on other organizations.

Various laws and regulations have been introduced across industries to protect organizational data, and an organization can be held liable if it does not practice due diligence or provide adequate protection for its assets. Before putting a policy in place to protect these assets it helps to know the specific threats to your environment. Today's threats come from well-organized criminals who take advantage of unprotected assets, and most cyber crimes are now international. Even though most countries have cyber crime laws, the legal system varies from country to country, which slows cooperation between them. Technology is changing fast, but the legal system is not changing fast enough to keep up with new cyber crimes. There is still no comprehensive international law covering cyber crime under which to prosecute these criminals; most cyber crimes are committed from a country whose law enforcement agency either lacks the time and training to pursue them vigorously or has no jurisdiction in the country where the damage is done. Sometimes law enforcement agencies get help from Interpol to prosecute these individuals, but most of the time the agencies in the affected countries are helpless because the criminals are outside their jurisdiction. In some cases the criminals use state-of-the-art tools to cover their tracks.

Some considerations for tackling NAC: adopt the ISO 27002 domain 11 (access control), section 11.4 (network access control) controls as a policy suited to your organization.

1. Create a network access control policy: a policy on the use of network services
2. User authentication for internal and external connections
3. Enforce the access control policy
3a. Up-to-date signature files (anti-virus, anti-worm, anti-trojan, anti-adware)
3b. Up-to-date patches
3c. Equipment identification on the network
3d. Back up access control logs remotely and review them regularly
3e. A multi-homed firewall that segregates networks
3f. Hardened system configurations
3g. Network connection control
3h. Network routing control
4. Assess the posture of your network regularly and refine the policies
5. Gartner MarketScope for Network Access Control, 2008
6. The Forrester Wave™: Network Access Control, Q3 2008
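An added example of the enforcement items 3a to 3c and the logging item 3d, not code from the post or from any NAC product: a device presenting for admission is identified against an inventory, its user authentication is checked, and its posture (signature age, missing critical patches, hardening) decides between admit and quarantine. The inventory, thresholds and VLAN numbers are constructed.

```python
"""Admission decision for a device joining the network, along the lines of
items 3a to 3d above.

Added example, not from the post or any NAC product. The endpoint records,
policy thresholds and VLAN numbers are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Equipment identification (3c): devices the organization knows, keyed by MAC address.
INVENTORY = {"00:11:22:33:44:55": "laptop-0042", "00:11:22:33:44:66": "laptop-0043"}

# Enforcement thresholds (assumptions)
POLICY = {"max_signature_age_days": 3, "max_missing_critical_patches": 0}

# The quarantine VLAN only reaches the remediation servers (assumption)
VLAN = {"admit": 100, "quarantine": 999}


@dataclass
class Endpoint:
    mac: str
    user: str
    authenticated: bool            # user authentication succeeded (item 2)
    signature_date: date           # anti-malware signature file date (3a)
    missing_critical_patches: int  # 3b
    hardened: bool                 # baseline configuration applied (3f)


def evaluate(ep: Endpoint, today: date) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Identity failures deny outright; posture
    failures quarantine so the device can be remediated and re-checked."""
    if not ep.authenticated:
        return "deny", ["user authentication failed"]
    if ep.mac not in INVENTORY:
        return "deny", ["unknown equipment"]
    reasons = []
    age = (today - ep.signature_date).days
    if age > POLICY["max_signature_age_days"]:
        reasons.append(f"signatures {age} days old")
    if ep.missing_critical_patches > POLICY["max_missing_critical_patches"]:
        reasons.append(f"{ep.missing_critical_patches} critical patches missing")
    if not ep.hardened:
        reasons.append("hardening baseline not applied")
    return ("quarantine" if reasons else "admit"), reasons


def admit_all(endpoints: List[Endpoint], today: date) -> List[dict]:
    """Decide for each endpoint and build the access control log records (3d)."""
    records = []
    for ep in endpoints:
        decision, reasons = evaluate(ep, today)
        records.append({
            "date": today.isoformat(),
            "user": ep.user,
            "device": INVENTORY.get(ep.mac, ep.mac),
            "decision": decision,
            "vlan": VLAN.get(decision),  # None: no network at all
            "reasons": reasons,
        })
    return records


# Constructed endpoints presenting on one day
TODAY = date(2008, 12, 29)
ENDPOINTS = [
    Endpoint("00:11:22:33:44:55", "alice", True, date(2008, 12, 28), 0, True),   # clean
    Endpoint("00:11:22:33:44:66", "bob", True, date(2008, 12, 10), 2, True),     # stale, unpatched
    Endpoint("de:ad:be:ef:00:01", "mallory", True, date(2008, 12, 28), 0, True), # not in inventory
    Endpoint("00:11:22:33:44:55", "eve", False, date(2008, 12, 28), 0, True),    # bad credentials
]

if __name__ == "__main__":
    for rec in admit_all(ENDPOINTS, TODAY):
        print(rec)
```

The split between deny and quarantine is the design choice worth keeping: a device that cannot prove who it is gets nothing, while a known, authenticated device with stale signatures is parked on a VLAN where the only reachable hosts are the update servers, so it can fix itself and come back through the same check.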

“In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.”

Nortel Secure Network Access and Microsoft NAP integration
httpv://www.youtube.com/watch?v=rqu88yx4FGc





Tags: Cisco Systems, Forrester, Gartner, iso 27002, Juniper Networks, jurisdiction, Law, Law enforcement agency, Microsoft, Microsoft Windows, NAC Policy, Network Access Control, Police, Security


Dec 16 2008

Unstable economy and insider threats

Category: Information Security, Insider Threat | DISC @ 2:42 am

During the current unstable economy, organizations face increased threats from insiders, and the tough economic years ahead will make it worse. In hard times organizations not only have to worry about outsider threats but also face an increased threat from disgruntled employees who see no future with the organization. In these circumstances, when new jobs are hard to come by, revenge or financial need can become the motivation for a disgruntled employee.

In July 2008, San Francisco city network administrator Terry Childs was arrested and charged with locking his own bosses and colleagues out of the city network, which he had effectively hijacked. His bosses were caught sleeping on the job because nobody was monitoring the one person who held the keys to their kingdom. The San Francisco city network carries data for the police, courts, jails, payroll and health services. After 8 days in jail, Terry Childs finally handed over the password to Mayor Gavin Newsom, who visited him in his cell. Why San Francisco’s network admin went rogue

Here are some considerations to tackle insider threats

Manage and monitor access
Manage your users through a single sign-on source such as Windows Active Directory or Sun's directory server, which not only lets you control access to sensitive data but also lets you disable access to all resources from a single place when an employee leaves the company. A single sign-on solution also provides a comprehensive audit trail that can serve as forensic evidence during incident handling.

Limit data leakage
Intellectual property (designs, patents, formulas) should be guarded with the utmost vigilance. Access to IP should be limited to a few authorized users, and controls should be in place to limit data leakage outside the organization. Protect your online assets, and disable removable media to prevent classified data from being copied to USB drives, CDs and mobile phones.

Principle of least privilege
The principle of least privilege requires that a user be able to access classified information only when the user has a legitimate business need and management's permission. Sensitive data should be distributed on a need-to-know basis, with system logging and auditing turned on so you can verify that access is limited to those who are authorized. Proactively review the logs for suspicious activity; when suspicious activity is detected, increase the audit and monitoring frequency on that user to track their day-to-day activity. Limit remote access to critical resources.
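An added example of the three considerations above (central directory, need to know with management approval, and log review), not code from the original post: access is granted only when the account is enabled in a central directory, the user belongs to the group with a need to know, and a current management approval exists; every decision is written to an audit trail, and repeated denials mark a user for closer monitoring. The directory, groups, records and approvals are constructed stand-ins for Active Directory or a similar directory.

```python
"""Least-privilege access decision with an audit trail, for the three
considerations above (central directory, need to know, log review).

Added example, not from the original post. The directory, groups, records
and approvals are constructed stand-ins for Active Directory or similar.
"""
from collections import Counter
from datetime import datetime
from typing import List

# Central directory: one place to manage and, on departure, disable an account.
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"engineering", "formula-readers"}},
    "bob": {"enabled": True, "groups": {"engineering"}},
    "carol": {"enabled": True, "groups": {"finance", "formula-readers"}},
}

# Classified records and the group with a need to know for each
RECORDS = {
    "formula-x": {"classification": "secret", "group": "formula-readers"},
    "payroll-2008": {"classification": "confidential", "group": "finance"},
}

# Management permission: (user, record) -> approval expiry
APPROVALS = {
    ("alice", "formula-x"): datetime(2009, 1, 31),
    ("carol", "payroll-2008"): datetime(2009, 6, 30),
}

AUDIT_LOG: List[dict] = []


def offboard(user: str) -> None:
    """Employee leaves: one change in the directory revokes everything."""
    DIRECTORY[user]["enabled"] = False


def authorize(user: str, record: str, now: datetime) -> bool:
    """Grant only if the account is live, the user is in the need-to-know group
    and management approval exists and has not expired. Every decision is logged."""
    reason = "ok"
    account = DIRECTORY.get(user)
    rec = RECORDS.get(record)
    if account is None or not account["enabled"]:
        reason = "account disabled or unknown"
    elif rec is None:
        reason = "no such record"
    elif rec["group"] not in account["groups"]:
        reason = "no need to know"
    elif APPROVALS.get((user, record), datetime.min) < now:
        reason = "no current management approval"
    granted = reason == "ok"
    AUDIT_LOG.append({"ts": now.isoformat(), "user": user, "record": record,
                      "granted": granted, "reason": reason})
    return granted


def users_to_watch(log: List[dict], threshold: int = 2) -> List[str]:
    """Log review: users with `threshold` or more denied attempts get closer monitoring."""
    denied = Counter(e["user"] for e in log if not e["granted"])
    return sorted(u for u, n in denied.items() if n >= threshold)


def demo() -> List[str]:
    """Constructed sequence of access attempts; returns the users to watch."""
    AUDIT_LOG.clear()
    authorize("alice", "formula-x", datetime(2009, 1, 15))     # granted
    authorize("bob", "formula-x", datetime(2009, 1, 15))       # denied: not in group
    authorize("bob", "formula-x", datetime(2009, 1, 16))       # denied again
    offboard("carol")
    authorize("carol", "payroll-2008", datetime(2009, 1, 20))  # denied: account disabled
    authorize("alice", "formula-x", datetime(2009, 2, 1))      # denied: approval expired
    return users_to_watch(AUDIT_LOG)


if __name__ == "__main__":
    print("watch:", demo())
    for entry in AUDIT_LOG:
        print(entry)
```

Two details carry the weight here: the approval has an expiry, so "management permission" granted once does not become permanent, and the denial for a disabled account is logged with the same shape as every other decision, so a departed employee's credentials being tried is visible in the same review.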

Conduct background check
Conduct background checks on all new employees and on employees whose behavior raises concern. All employees who handle sensitive data must go through a background check. HR should conduct background verification, reference checks and a criminal history check covering at least the last 5 years. The type of check conducted on an individual will depend on their access to classified information.

Risk assessment
Conduct a risk analysis of your data on a regular basis to determine what data you have, how sensitive it is, where it resides and who its business owner is. The risk analysis should determine the appropriate data classification based on sensitivity and the risks to the data. Regular reassessment is necessary because, with the passage of time, the classification may change based on new threats and changes in the sensitivity of the data.

Digital Armageddon – The Insider Threat
httpv://www.youtube.com/watch?v=FQ4bvCPwFMY





Tags: Background Check, Detect activity, Gavin Newsom, Intellectual Property, Manage access, Monitor access, Online assets, risk analysis, San Francisco, Security, Tough Economy


Dec 05 2008

Telcos and information privacy

Category: Information Privacy | DISC @ 2:26 pm


With the economy in the tank, breach of privacy is not going to be a priority on the Obama administration's to-do list. It will be quite difficult to make it a priority when Obama voted for a bill indemnifying telcos from suits over privacy breaches.

During the presidential election campaign, Verizon employees gained unauthorized access to President-elect Obama's mobile phone records. If telcos have a hard time protecting the privacy of high-profile individuals, how should that make you feel as an ordinary cell phone owner? And don't you wonder why the mainstream media did not publicize this high-profile privacy breach more widely?

Basically, telcos have been immunized from privacy lawsuits so that big brother can snoop around our private phone records as he pleases. The law makes it illegal for people to snoop on each other, but telecom entities have been granted an exception by Congress. Legal rulings require law enforcement to meet the high "probable cause" standard before acquiring cell phone records. A recent report, based on documents obtained by a civil liberties group under a FOIA request, suggests that "triggerfish" technology can be used to pinpoint a cell phone without involving the cell phone provider and without the user knowing about it.

Organizations should implement directive, preventive and detective controls to protect the privacy of information. Directive controls include policies, procedures and training. Preventive controls deal with separation of duties, the principle of least privilege, and network, application and data controls. Detective controls involve auditing, logging and monitoring.

The Verizon case shows a lack of detective controls. An organization should have a clearly defined privacy policy stating that access to private information is logged, monitored and audited. High-profile individuals should be identified and documented, and audit logs should be reviewed to identify inappropriate access to their information. The authorized people with access to private information should be audited regularly to confirm that they follow the company's privacy policies and procedures. For private information, log who accessed which data, for whom and when. Managers should train and monitor their subordinates to help protect private information, which not only educates the subordinates but also serves as a major deterrent. Privacy is an essential ingredient of liberty and must be guarded with the utmost due diligence.
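An added example of the detective control described above, not code from the original post or from any carrier: a review of an access log that records who accessed which subscriber record, for whom (the ticket) and when, flags lookups of documented high-profile subscribers that carry no ticket, and counts lookups per employee. The log format, names and account identifiers are constructed.

```python
"""Detective control for the privacy policy above: review who accessed which
subscriber record, for whom and when, and flag lookups of high-profile
subscribers that carry no documented purpose.

Added example, not from the original post. The log format, user names,
account identifiers and ticket references are constructed.
"""
import re
from collections import Counter
from typing import Dict, List

# One line per access: timestamp, employee, action, subscriber record, and the
# ticket (the "for whom") that justifies it. Constructed sample; the last line
# is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
2008-11-20T14:02:11 user=jdoe action=view subject=acct-0042 for=ticket-4821
2008-11-20T14:03:40 user=jdoe action=view subject=acct-0001 for=
2008-11-20T14:05:02 user=msmith action=view subject=acct-0001 for=ticket-4830
2008-11-20T14:05:59 user=jdoe action=export subject=acct-0001 for=
2008-11-20T16:10:00 user=rlee action=view subject=acct-0077 for=ticket-4850
this line is garbage and must be skipped
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"subject=(?P<subject>\S+) for=(?P<ticket>\S*)$"
)

# Subscribers identified and documented as high profile (assumption)
HIGH_PROFILE = {"acct-0001"}


def parse(text: str) -> List[Dict[str, str]]:
    """Turn log lines into events; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def unjustified_high_profile_access(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Access to a high-profile record with no ticket: review with the employee."""
    return [e for e in events if e["subject"] in HIGH_PROFILE and not e["ticket"]]


def lookups_per_user(events: List[Dict[str, str]]) -> Counter:
    """Volume per employee; an outlier here is the next thing to look at."""
    return Counter(e["user"] for e in events)


def review(text: str) -> dict:
    events = parse(text)
    flagged = unjustified_high_profile_access(events)
    return {
        "events": len(events),
        "flagged": [(e["ts"], e["user"], e["action"], e["subject"]) for e in flagged],
        "by_user": lookups_per_user(events).most_common(),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(f"{result['events']} events parsed")
    for ts, user, action, subject in result["flagged"]:
        print(f"REVIEW {ts} {user} {action} {subject}: high-profile record, no ticket")
    print("lookups per user:", result["by_user"])
```

In the sample, msmith's view of the same high-profile account is not flagged because it carries a ticket; jdoe's view and export of it are, and jdoe also tops the per-user count. That is the review an auditor would take to the manager, and the "for whom" field is what makes it possible.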

“Those who give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety” Benjamin Franklin

Presidential Phone Compromised

Privacy Debate: Shouldn’t Public Demand High Threshold?
httpv://www.youtube.com/watch?v=HR6IEz4T7Yw





Tags: auditing, Barack Obama, breach of privacy, Civil liberties, detective, directive, Lawsuit, logging, mobile phone, monitoring, preventive, privacy, Security, triggerfish, Verizon


Nov 26 2008

Cyber threats and overall security assessment

Category: Information Warfare, Risk Assessment | DISC @ 3:13 am


In the past, when senior management (execs) needed to understand the financial implications of cyber threats and their exposure, they turned their questionnaires toward IT for the answers; in other words, an IT risk assessment was the answer to understanding the financial implications of cyber threats. But an IT risk assessment is not a comprehensive or overall assessment of the company and cannot capture the total implications of cyber threats. An overall assessment includes not only IT but also other departments such as HR and legal. Basically, cyber threats are no longer an IT issue, a legal issue or an HR issue; they are simply an enterprise management issue.

In the old days the firewall was the major defense against cyber threats. Today's cyber threats are sophisticated enough to demand a better defense. New threats (viruses, adware, worms, trojans, spyware, spam, phishing) use modern techniques to bypass perimeter defenses. The potential risk from these threats demands the immediate attention of the CFO or higher, and approval of the resources needed to protect against them. To make a solid business case for security ROI, senior execs need to know the overall risk they are reducing and where their highest priority lies.


ANSI and the Internet Security Alliance (ISA) have jointly released a guide to help senior management prepare for the financial implications of cyber threats. The essence of the guide is to give execs a tool for understanding the financial implications of potential cyber threats to their organizations.

“The 40-page guide was put together by a task force of risk management execs from more than two dozen organizations. The new guide offered by ANSI and the ISA recommends that CFOs ask their various teams questions about the biggest threats to data confidentiality, integrity and availability,” to learn what controls are in place and what mitigation plans exist. Risk analysis of this information helps execs map cyber threat risks into financial terms and allocate resources better.
Senior execs who want to implement information security as a process in their organization should consider ISO 27001 (ISMS) as best practice; it provides reasonable, ongoing due diligence to protect and safeguard the organization's data.





Tags: availability, Business, Chief financial officer, cyber threats, data confidentiality, exposure, Financial services, Human resources, Insurance, integrity, isms, ISO/IEC 27001, Management, overall assessment, risk analysis, Risk Assessment, Risk management, roi, Security


Nov 17 2008

Harmful Spyware and their stealthier means

Category: Information Security, Malware | DISC @ 2:55 pm


Spyware is used to gather information about a person with or without their consent; it intercepts or records personal and financial information. Some spyware sends the information back to another computer (the originator of the spyware).

Characteristics of spyware

• Compromises the user's machine without their knowledge
• Uses vulnerabilities in software to push spyware code onto the machine
• Installs trojans to gather data
• Gathers personal and financial information and sends it to attackers

Spyware is used to gather different kinds of information for purposes that include, but are not limited to, advertising, corporate monitoring, child monitoring and governmental monitoring. Besides its legal use, which is based on company policy or regulation, monitoring spyware can be used to spy on a person without their consent. The more common types of spyware are adware (serves advertising) and keyloggers (record keystrokes).

How you can get spyware on your machine: spyware can be installed in many ways.

Below are some of the common ways spyware is delivered.
• Spyware can be installed on a computer by a virus or an e-mail trojan.
• Spyware can be installed on a computer by exploiting security flaws in Internet Explorer.
• Spyware is sometimes bundled with shareware programs. The shareware's user agreement may contain a clause granting permission to record your internet use.
• Pop-up downloads are becoming a preferred method of installing spyware and adware. A pop-up window asks the user to download a program to their computer.
• Another popular way to distribute spyware is the drive-by download, which installs itself without the user's knowledge simply when the user visits a website.

Windows Defender is software that helps protect your computer against pop-ups and security threats caused by spyware and other unwanted software, by detecting and removing known spyware from your computer. Most popular antivirus products now include adware and spyware scanning. You can find more adware and spyware removal tools in the Spyware Protection and Removal guide, a web page that includes links to popular spyware removal programs as well as a number of useful articles. In Internet Explorer 7 (IE7) you can also turn the pop-up blocker on or off under Tools -> Pop-Up Blocker. The pop-up blocker settings let you allow exceptions for some sites and set the filter level to high, medium or low.


Computer users particularly need to watch out for bogus spyware removal programs. They are dangerous because they punish the user for doing something right: victims think the program will remove the spyware, but in some cases they are actually paying to install spyware.
Check out the Rogue Anti-Spyware Products table

How to Protect from Spyware
httpv://www.youtube.com/watch?v=_w-DZNbq66I&feature=PlayList&p=18F23434175F964D&playnext=1&index=26





Tags: adware, bogus spyware, drive-by download, financial information, Internet Explorer, keylogger, Pop-up ad, rogue anti-spyware, Security, shareware, Spyware, trojan, virus, Windows Defender, World Wide Web

