Security Awareness Programs

Security Awareness Programs
======================

The importance of awareness (ISO 27002 8.2.2) is not an issue that be over-exaggerated. It is a critical component of your organization’s security. However, it is also an area which is often taken for granted, or simply not given anything like appropriate emphasis.

Often, serious breaches can be traced back to sheer ignorance, or lack of understanding, by one or more internal personnel. This picture emerges time and time again, yet time and time again little or no thought is given to improving awareness through training or other initiatives.

The most effective programs involve both short formal training sessions, and an ongoing plan. The following list of possible initiatives should hopefully stimulate some ideas on how to approach this essential topic within your own organization:

– A Security Newsletter, which can include both news and information in a topical context (please feel free to extract from this publication).
– Cheap gifts, such as pens, key fobs, and coffee mugs bearing a security message (this is actually quite effective).
– A ‘Roadshow’ in which security personnel regularly give presentations to senior management and staff on current issues.
– A security DVD (assuming adequate budget).
– A Screen Saver bearing security related messages
– If your organization produces internal courses on other topics, make sure that the security angle is covered.
– Posters should be used and replaced often.
– Competitions are often effective, for example, security crosswords, puzzles and problems.

Whichever route you take, building security awareness into your organization’s culture is a must.

Website Hackers: Why?
==================

Defacement of company websites by ‘hackers’ and others is a constant threat. Even the largest and most security conscious of organizations have experienced problems with respect to this But why do they do it? What is the most common motive?

The Zone-H monitoring portal performed some research on this via what is probably the largest poll ever undertaken. They reported the following as the major motives:

Just for fun: 35%
No reason specified: 19.2%
Pride: quest to be the “best defacer”: 12.5%
For a challenge: 11.7%
Patriotism: 10.5%
Other political reasons: 9.2%
Revenge against the particular website: 1.9%

The other disturbing aspect is the numeric dimension: this is not just a handful of individuals, but many thousand across the world.

If your corporate website is therefore of significant importance to the organization, defending it is not something that can just be left to a hosting provider. It should be treated as any other security sensitive production system, with protection commensurate with risk and potential business impact.

Third Party Service Delivery Management
================================

ISO/IEC 27002 provides specific guidance on the implementation and maintenance of information security for organizations who receive third party service delivery. It stipulates that third party service agreements should be regularly checked, and compliance monitored.

Agreed security levels must be maintained by the third party covering specific service definitions and all critical aspects of the service managed. Where there are outsourcing arrangements, within periods of service interruption, the organization should ensure that security is maintained throughout this period. The organization should also ensure that the third party has suitable business continuity and disaster recovery procedures in place to meet agreed levels of continuity of service delivery.

There should be regular formal monitoring of services delivered and delivery performance. Reports and records provided by the third party should be regularly reviewed, and audited. These procedures should ensure that the information security terms and conditions of the agreements are being adhered to in practice.

Specifically, it is important to create a regime which includes the following:
• service performance levels regularly monitored to check compliance with the agreements;
• service reports discussed at regular progress meetings as dictated by the agreements;
• information security incidents fully recorded and actions taken included in a subsequent report;
• regular scanning and checking of audit trails, records of incidents, operational problems, performance deficiencies, and fault resolutions;

In summary, the old adage “You can outsource services, but you can’t outsource responsibility” applies to most third party service situations. It is an important message, particularly with respect to information security.

More ISO 17799/27001 Frequently Asked Questions
=======================================

1) How Does Risk Analysis/Assessment Relate to the Standards?
The next issue of this newsletter will focus primarily on risk issues. Don’t miss it!

2) What is ISO 27799?
This is a version of ISO 27002 (formerly known as ISO 17799) created specifically for the health sector.

3) What is the Certification Process for ISO 27001?
As might be expected, it isn’t trivial. The most straight forward certification route map we have found is the diagram on the following web page:
http://www.27000.org/ismsprocess.htm

4) Can I republish articles from the ISO27000 Newsletter (internally or externally)?
Yes, subject to a link to our website (www.molemag.net).

5) Where Do Security Policies Fit Into The Equation?
Security policies are a critical part of your organization’s security profile, and are often the major interface between staff and security matters. It is essential that they exist and are up to date.

Regarding ISO 27002, some organizations view them as the bridge between this standard and employees: in some respects, a partial interpretation of the standard, customized and in plain English. This is why the policies included in the ISO 27000 Toolkit (see above) contain a tag aligning them with the appropriate part of the standard itself.

6) How many organizations are now Certified?
These numbers are always approximates, as the certification bodies are diverse, but the latest estimates are that over 4,000 certificates have been issued.

Trials and Tribulations of a Part-Time Information Security Officer – Part 2
========================================================

After the embarrassing incident last week in which a confidential management document was accessed on the network by employees who unfortunately (for the personnel department management that is) learned prematurely about their own impending redundancies, the Whithertech management have decided to start an information classification project urgently. As the part-time Information Security Officer the organization of this task apparently falls to me. Fortunately, my Information Security Manual contains some useful suggestions on how to proceed with this for this project together with a number of templates that we can adapt for our use.

The first part of the project involves setting up some suitable classification levels for confidentiality and ownership and then applying them to the documents that are produced throughout the organization. I have learnt recently that this is an important part of information security as it supports the control over sensitive data and helps to prevent unauthorized access to key information. My first task was to call a meeting of the all the department heads to thrash out how it was going to work.

The meeting was pretty well attended considering it was being held on a Friday evening. I suppose that was probably a reaction to the CEO’s undisguised anger. Some of those present at the meeting felt that the significant levels of additional work were unnecessary and that it was all a bit of a knee-jerk reaction, but I think most saw immediately the benefits of getting better control over sensitive information. I presented an overview of what the project would entail and we got down to a detailed discussion on the classification levels that would be adopted. We eventually decided that the following five levels would be suitable for Whitertech:

1. Top Secret: Highly sensitive internal documents.
2. Highly Confidential: Information which is considered critical to the organization’s ongoing operations and could seriously impede them if made public or shared internally.
3. Proprietary: Information that is normally for proprietary use by authorized personnel only.
4. Internal Use Only: Information not approved for general circulation outside the organization where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility.
5. Public Documents : Information in the public domain.

This was considered to be a good first step for the project and I was charged with the task of providing a proper description for each proposed classification level. The next meeting will be on Wednesday morning and I was also asked to come up with some suggestions for establishing information ownership criteria and for labeling of information in time for this meeting. This was not actually too onerous a set of tasks as I already have some boilerplate texts.

I will let you know how the project progresses in due course.

Related Information: The Security Officer’s Manual

Information Security News
====================

1) 2008 On Track For Security Breach Record
The Identity Theft Resource Center reports that in the first three months of 2008, the number of data breaches more than doubled over the same period in 2007. A rise in insider thefts, particularly within the business community, is also reported.

2) Internet Crime Rises Too
In a similar vein, IC3 reports that internet-related criminal activities resulted in nearly $240 million in reported losses last year, up $40 million from 2006, Auction fraud was the most widely reported criminal activity referred to law enforcement agencies.

3) FTC Settle With Reed Elsevier and Seisint
The US Federal Trade Commission has announced a settlement with data brokers Reed Elsevier and Seisint on charges that they failed to provide ‘reasonable and appropriate security’ for sensitive consumer information. The FTC alleged that Reed Elsevier, through its LexisNexis data broker business, and Seisint allowed customers to use easy-to-guess passwords to access Seisint’s Accurint databases, which contained sensitive consumer information. The FTC stated that identity thieves exploited these security failures accessing the information of about at least 316,000 consumers.

4) 4.2 million Card Numbers Stolen
The Hannaford Bros grocery store chain has disclosed that hackers have stolen 4.2 million debit and credit card numbers from its computer systems. The thefts occurred whilst the cards were being verified for purchase.
5) Smart Phone Attack (winCE//infojack Trojan)

Researchers at Sophos and McAfee have discovered a trojan that attacks the Windows Mobile smartphone platform. The devices become infected with the trojan when a user visits one of several websites in China, which is bundled in an apparently legitimate package of applications. It then lowers the security settings on the device so it accepts unsigned programs.

6) 419 Scammers Plead Guilty
Three men pleaded have guilty in New York to running 419 spam schemes via email. A fourth defendant fled to Nigeria where he is being held pending extradition to the US. They are understood to have made more than $1.2 million, according to the Justice Department (DOJ). Sentencing is pending.

7) More Website Breaches
Two of the most popular websites (Expedia.Com and Rhapsody.com) have recently been compromised by malicious banner advertisements, designed to deliver malware. According to Trend Micro the adverts utilized Flash software.

Critical Success Factors
==================

The question of which factors are considered most critical when implementing the ISO 27001 standard, particularly with respect to ISO 27002 (ex-17799), is one which is raised frequently. However, guidance on this actually provided within the standard itself, which indicates that these are:

– security policy, objectives and activities that properly reflect business objectives
– clear management commitment and support
– proper distribution and guidance on security policy to all employees and contractors
– effective ‘marketing’ of security to employees (including managers)
– provision of adequate education and training
– a sound understanding of security risk analysis, risk management and security requirements
– an approach to security implementation which is consistent with the organization’s own culture
– a balanced and comprehensive measurement system to evaluate performance in IS management and feedback suggestions for improvement

These of course are all basic and very sensible measures… but it is amazing how many organizations fall short on many of them.

How do you measure up?

Disposing of Equipment
==================

Disposing of unwanted equipment brings with it a number of potential security issues:

– Legacy data from old systems can still remain accessible and thus compromise the confidentiality of information.
– Old media can still have data in situ unless de-guaged or securely erased.
– The disposal of old equipment can prevent the restoration of its associated data files on which you may be relying.
– Inadequate planning for the disposal and upgrade of entire systems can threaten business continuity and result in severe loss.
– Equipment used periodically but infrequently may be disposed of accidentally.
– During the legitimate disposal of unwanted equipment other items can be ‘lost’ or stolen.

Why are we highlighting this issue again at this point? Because we have just heard of a significant disclosure of sensitive data breach at a major international corporation. It DOES happen, more frequently than most realize.

If you haven’t got one in place, a high level policy might be something along the lines of: “Equipment owned and/or used by the organization should only be disposed of in accordance with approved procedures including independent verification that the relevant security risks have been mitigated”.

The topic is dealt with largely with ISO 27002 Section 9.

Implementing A COBIT Compliance Initiative
==================================

Through its COBIT framework, ISACA is one of the leading internationally accepted producers of guidance materials for IT governance. COBIT provides comprehensive controls and guidance covering each key stage of the IT process, with the Control-IT Toolkit (CITT) providing invaluable implementation support for these controls as well as simplifying the process.

The first stage in checking compliance is “scoring” your existing IT control processes to see how closely they comply with the guidelines and standards. The Audit Compliance module of the CITT assists with this task by providing a list of COBIT based control areas which must be measured for compliance. Each topic can be weighted according to your management’s views on the relative importance of a particular control point to your organization’s security and overall well being. As well as providing a “scoring” method for measuring compliance with each control policy, the module also provides information and calculations on each control domain and the overall compliance level for the organization.

The second task is to set a target for the required level of compliance to be achieved in the future, and consider the resources, timeframe and costs of achieving that level of compliance. It is not feasible for all organizations to achieve overall compliance levels of 5 (in a 0 – 5 measurement) as the costs and resources required would very likely be prohibitive. It is for management to decide on an acceptable level of security and control commensurate with the risks and costs of providing additional safeguards.

Each topic is to be “scored” within a range of “0 to 5” to reflect the level of assessed compliance of the topic and this “scoring” will result in each section automatically calculating a “score” for that section including use of the weighting factor for that topic. In addition, the “score” for each Domain will be automatically updated using the weighted “scores” for each section. Although implementation of full COBIT compliance is a fairly complex process, use of the CITT Templates will make the task significantly more manageable.

More Information:
COBIT CITT
ISACA

ISO 27001/2: Common Mistakes Part 2
=============================

David Watson was one of the earliest exponents of the standards, and is one of the most well known industry figures. In the second of this series of articles for the ISO 27000 Newsletter he outlines some of the most common errors and mistakes he has encountered over the years:

PERSONNEL SECURITY
– There are rarely up to date job descriptions. If they do exist, they seldom have any information security requirements in them for all staff;
– Generally, little advice exists on reporting security incidents;
– Rarely are references checked properly – including for ‘sensitive’ positions;
– I have yet to see a Contractor or a Consultants references checked to prove that they actually hold qualifications claimed. This can allow all sorts of charlatans and criminals into your organization. Lying on your CV in the UK is a criminal offence [eg: Shrewsbury and Telford Hospitals NHS Trust case (up to 5 years in Jail for ‘Pecuniary Advantage by Deception). S16 of the Theft Act 1968 defines this as ‘Being given an opportunity to earn remuneration or greater remuneration in an office or employment (e.g. where D lies about his qualifications and secures a job as a result, the job is the pecuniary advantage obtained by deception’)]
– There is frequently no process for HR checking of Third Parties or Contractors;
– Contracts often do not afford adequate protection for the organization;
– Confidentiality agreements are rarely used by the organization and are not centrally recorded. Staff signing Confidentiality Agreements or Non Disclosure Agreements (NDAs) often do not understand what they are signing.

SECURITY ORGANIZATION
– Often, no-one is tasked with the job of monitoring security regularly. This is frequently a part-time job for someone in IT who gets pulled off it to do project work elsewhere;
– Sometimes no security awareness or training is undertaken for staff or third parties working for the organisation. Some HR departments will not touch anything to do with Consultants, Contractors or other third parties;
– Too often the Information Security Manager is an IT person who reports to the IT Department with no ability to go direct to the board. In effect, they are reporting on the people they are reporting to. The chances of serious issues getting escalated in this setup are slim, to say the least, unless it is so catastrophic it cannot be hidden;
– Outsource the problem – often with disastrous consequences. There are numerous scare stories in the press about outsourcing, but few organizations either monitor or manage outsourced contracts appropriately. There are some good contractual and outsourcing controls in A4.2.2 andA.4.3.1. – even if I say so myself – these were carried forward from the 1999 version;
– Too little outside contact with similar minded professionals or exchange of views with other security processionals is enabled;
– I sometimes encounter a wholly ineffectual Information Security Forum that either rarely meets, has the wrong level staff attending, has whole business areas that do not/will not get involved, does not have the authority to alert the Board, and maintain no minutes for meetings to show issues carried forward and resolved.

SYSTEM DEVELOPMENT AND MAINTENANCE
– There is often claimed to be no development or maintenance – but on research this it is often found not to be the case;
– Few standards are made available and implemented for development or change management;
– Testing is often omitted – there is sometimes a ‘fix on fail’ mentality as someone in Marketing (for example) has promised the delivery without consulting the Development Team. Some cynics would say that this is why Microsoft has a beta testing program, but I could not possibly comment;
– Source code is sometimes accessible from live systems;
– Little segregation of duties or development/testing/production environment;
– Often ‘real’ data is used for testing that could divulge either recent corporate data or personal data in breach of Data Protection legislation. This is often not properly protected during use or at disposal. Typically access control is less well implemented on development or test systems than it is on ‘live’ or ‘production’ systems;
– On projects I sometimes find little (or out of date) documentation and that none of the current staff were present when the project started. This makes it impossible to determine how security was to be addressed in the project, if at all.

ISO 27000 Related Definitions and Terms
===============================

In this edition of the ISO 27000 Newsletter we look at further definitions and terms related to ISO 27001 and ISO 27002 that commence with the letter “B”.

Bespoke
In the same way as this term means ‘made to measure’ in clothing, it is used generally to describe software which has been written/developed specifically for one organization. Bespoke differs from customized in that customization usually refers to modification of existing software rather than starting from scratch.

Beta Software
Term used to describe software which is almost fully developed but not yet quite ready for release to the market, or internal users. The Beta version of the software is preceded by the alpha version. Beta versions of commercial programs are often made available to consumers at attractive prices on the basis that there are numerous bugs still to be sorted out, and the first batches of users to install the product are, effectively, taking part in an enormous acceptance testing program. The developer will take note of the findings and comments made by Beta users to incorporate modifications, fixes, patches, etc., in the version which is finally released. Beta versions of software, whether purchased or developed in-house, should not be installed on live systems and should never be used for mission critical processes.

Binders
Binders are programs that allow hackers to ‘bind’ two or more programs together to result in a single .EXE file. These may be useful tools but they easily allow a hacker with malicious intent to insert Trojan executables into harmless .EXE animations, e-greetings and other .EXEs that are commonly passed around as e-mail attachments. The only way to stop an executable from harming your PC is to run it in a proactive ‘sandbox’ environment and monitor its behavior for malicious activity in real-time.

Biometric Access Controls
Security Access control systems which authenticate (verify the identity of) users by means of physical characteristics (e.g. face, fingerprints, voice, or retina pattern.).

BIOS
BIOS is the Basic input system of a personal computer. The BIOS contains the code which results in the loading (booting) of a computer’s operating system e.g. Microsoft Windows®. The BIOS also controls the flow of data to/from the operating system and peripheral devices, such as printer, hard disk, keyboard and mouse.

Bitloss
Loss of data bits during a transmission. Such losses are usually self evident when the incoming file is reviewed, but, occasionally the loss is such that it goes unnoticed. Bit loss can be counteracted by use of control totals.

BMUS
Beam Me Up, Scotty. From the original Star Trek series, now used as a plea for help by any techie in a tight spot. Also the source of the term ‘Beam’.

It Couldn’t Happen Here, Could It? More True Stories:
=========================================

THE SLOPPY SECURITY OFFICER

A security Officer working for one of the biggest corporations in the world was slightly concerned when he noticed that from time to time the “Time of last login” to the mainframe system did not always correlate with his last activity. He was not, however, concerned enough to do anything about it… until on one day, he could not login because he was apparently already logged in. Panic ensued. Full paranoia mode quickly followed.

The last activity warnings suddenly fell into place. He reasoned that he was being monitored by someone, and working in security, that ‘someone’ must be a person perpetrating an attack, and making sure that they were not being detected by him. He had been working on several sensitive cases recently… this must be serious!

He escalated instantly, to try to catch the perpetrator whilst still logged in. The management bought his assumptions and invoked emergency procedures, closing non-critical systems (at cost) and creating a ‘bridge’ to investigate the actions and location of the perpetrator ‘live’ (Operations, Security and Audit management were paged to attend).

They traced the perpetrator’s precise location: internal… Database Administration… Terminal c25k2. This was a team with live database access, and there had been some costly database issues recently. So off they went, mob handed, to c25k2.

The ‘perpetrator’ was taken completely by surprise, to say the least. He did a great job in protesting his bewilderment, claiming he was logged on as HIMSELF and had no idea what was going on. But looking at the terminal, he was clearly logged in as the Security Officer.

Then, suddenly, the Auditor spotted his name on the ID block on his desk. He had the same initials as the Security Officer. It surely couldn’t be… could it?

He asked him for his username and password. Username = cmmjs2, CMM was the project code, with JS being his initials. The last character was #2 because on this system JS1 had already been taken (by the Security Officer of course).

Password? “October2006”.

Auditor to Security Officer: “And your password is October2006 too, isn’t it?”.

Bingo – case solved. The Database Administrator usually used cmmjs1, but couldn’t on this system, and so used cmmjs2 instead. However, he sometimes forgot and went into auto-pilot during login, thus finding himself logging in to someone else’s account. When he noticed, he just logged off.

Apart from everyone’s time, the losses from this incident stemmed from closure of some production systems for a couple of hours. Another loss was the total loss of credibility of the specific Security Officer in question, who was also “spoken to by senior management”.

The incident did also demonstrate starkly:
– appalling security awareness by staff with respect to password constructs
– a lack of proper procedures for emergency management and escalation
– a culture of “rules only apply to them” within the security area, and a general sloppiness within.

Posted in Third Party.