Storage Security Governance
Storage Security Governance - My article in ISSA December 2012 Issue
Transcript of "Storage Security Governance"

December 2012
Volume 10 Issue 12
Storage Security Governance: A Case Study
Structured Risk Analysis Offers Rich Rewards
Network Device Forensics
Table of Contents

Feature

12 Network Device Forensics
By Didier Stevens – ISSA member, Belgian Chapter
The goal of this article is to raise awareness about the measures you can take to improve the success of network forensics.

Articles

16 Storage Security Governance: A Case Study
By Vinoth Sivasubramanian – ISSA member, UK Chapter
The author describes the experiences and results of an assignment that brought about a marked improvement in storage security for a commodity trading organization. The practical steps suggested will aim to answer some of the core challenges surrounding storage and bring about a continual-improvement storage security program.

24 Structured Risk Analysis Offers Rich Rewards
By Greg Jones
Risk analysis is a far from exact science with assessments continuing to vary in scope. This article discusses the emergence of context-aware classification systems and methods that can guide you through the process with pre-categorized risk information and could be the key to effective risk and threat analysis.

Also in this issue
3 From the President
4 editor@issa.org
5 Sabett’s Brief: Holiday Shopping with My Smartphone
6 Herding Cats: Pocket Storage for All
7 Security Awareness: Security Awareness Training Feedback Surveys
8 Association News
30 Risk Radar: YARA Signatures
32 toolsmith: ModSecurity for IIS
36 Conferences

©2012 Information Systems Security Association, Inc. (ISSA). The ISSA Journal (1949-0550) is published monthly by the Information Systems Security Association, 9220 SW Barbur Blvd. #119-333, Portland, Oregon 97219.
2 – ISSA Journal | December 2012
©2012 ISSA • www.issa.org • editor@issa.org • All rights reserved.
From the President

International Board Officers
President: Ira Winkler, CISSP, Distinguished Fellow
Vice President: Andrea C. Hoy, CISM, CISSP, MBA
Secretary/Director of Operations: Bill Danigelis, CISSP, Senior Member
Treasurer/Chief Financial Officer: Kevin D. Spease, CISSP-ISSEP, MBA

Board of Director Members
Frances “Candy” Alexander, CISSP, CISM, Distinguished Fellow
Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS
Pete Lindstrom, CISSP
George J. Proeller, CISSP, CISM, ISSAP, ISSMP, D.CS, Distinguished Fellow
Nils Puhlmann, CISSP-ISSMP, CISM
Brian Schultz, CISSP, ISSMP, ISSAP, CISM, CISA, Fellow
Stefano Zanero, Ph.D., Senior Member

DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government. The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community.

Hello ISSA members
Ira Winkler, International President
The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.

Today, I reviewed the schedule for the upcoming RSA Conference in February, and I am looking forward to the ISSA Member Reception that will be held on Tuesday of the conference. While the whole conference is generally a great opportunity to get together with other security professionals, our reception is an opportunity to recognize the accomplishments of our peers.

This reminds me that the nomination process for the ISSA Fellow Program is currently open until December 5. This program acknowledges sustained membership and contribution to the ISSA, as well as the information security community in general. So, let me take this opportunity to remind everyone that you should look to yourselves and fellow members to consider people to nominate.

There are several levels in the Fellow Program. The first is Senior Member, which acknowledges sustained membership within ISSA. Specifically, after five years of membership you are eligible for the Senior Member designation. To apply, you need to complete the online application on the ISSA website and have your local chapter complete the endorsement form. There are other requirements, but this is the basic flow.

Yes, it is the intent of the ISSA to engage members with their local chapters. The chapters will support the applicants; the applicants will see the benefits of interacting with other members and take advantage of the networking opportunities. Hopefully, most applicants have already been participating within their chapters, and this engagement increases the strength of the chapters as well.
The Fellow and Distinguished Fellow designations are reserved for members who have not only sustained long-term membership, but have also served in leadership positions within the ISSA as well as serving the information security community as a whole. There are a number of qualifications that applicants must meet. I recommend that you check the ISSA website (=> Advance) to determine the specific requirements, and seek out a party who can nominate you or another deserving member.

Before being elected president, I was responsible for overseeing the Fellow Program, and it was actually the most rewarding aspect of serving on the ISSA International Board. Specifically, I was the person responsible for acknowledging members’ accomplishments. It was a pleasure to personally congratulate these people in front of their peers and large audiences. Rarely is there such an opportunity to acknowledge people in our profession. I have also received messages expressing appreciation from the people who have been accepted into the varying levels of the program. We all appreciate the rare recognition of our professional accomplishments. It encourages us to serve the ISSA as well as the larger information security community.

So, please consider reviewing the requirements of the three levels of the Fellow Program, and consider people to nominate. They and the ISSA will thank you.

Ira Winkler
editor@issa.org

Welcome to the December Journal
Thom Barrie – Editor, the ISSA Journal

The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader. Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry and/or changes or enhancements to hardware or software components. The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories and articles become the property of ISSA and may be distributed to, and used by, all of its members. ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org. All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.

Another year is drawing to a close.

Thank you, authors, most of whom are ISSA members, for sharing your insights, experiences, and expertise – and I certainly encourage others to submit as well.

Thank you, advisory board members, for your efforts to keep the Journal relevant and informative – we’ve developed next year’s editorial calendar and it looks like another great year ahead. Visit the ISSA website => Learn => ISSA Journal => 2013 Calendar to see where you might be able to contribute. Of course, if you think a topic has been overlooked, let us know, or better yet, submit an article to close the gap.

And thank you, readers – the why we do what we do. I encourage you to let us know how we are doing; offer up some comments and considerations on an article you’ve read; send in a letter to the editor, agreeing or disagreeing – let’s keep the dialog going.

And I wish you all Happy Holidays and a safe, prosperous, and secure New Year.

– Thom

ISSA Journal
Editor: Thom Barrie, editor@issa.org
Advertising: advertising@issa.org, 866 349 5818, +1 206 388 4584 x101

Editorial Advisory Board
Mike Ahmadi
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Fellow

Services Directory
Website: webmaster@issa.org, 866 349 5818, +1 206 388 4584
Chapter Relations: chapter@issa.org, 866 349 5818, +1 206 388 4584 x103
Member Relations: member@issa.org, 866 349 5818, +1 206 388 4584 x103
Executive Director: execdir@issa.org, 866 349 5818, +1 206 388 4584 x102
Vendor Relations: vendor@issa.org, 866 349 5818, +1 206 388 4584 x101
Headquarters: ISSA Inc., 9220 SW Barbur Blvd. #119-333, Portland, OR 97219 • www.issa.org
Toll-free: 866 349 5818 (USA only) • +1 206 388 4584 • Fax: +1 206 299 3366
Sabett’s Brief
Holiday Shopping with My Smartphone
By Randy V. Sabett – ISSA member, Northern Virginia, USA Chapter

So, how many of you would trust your mobile device to securely handle a high or very high value mobile transaction? After all, security and trust serve as two of the building blocks upon which decisions about risk in the mobile environment can be made. From a corporate perspective, such decisions ultimately can affect the liability that an organization will face as a result of how its employees use mobile technology. Today’s mobile technology, unfortunately, often has weak (or even nonexistent) security and trust. To address this shortcoming, NIST recently released another draft in their 800-series of Special Publication documents.1 Entitled “Guidelines on Hardware-Rooted Security in Mobile Devices,” Draft SP 800-164 introduces a security framework for mobile devices.

Draft SP 800-164 establishes up front that various overlapping roles exist related to mobile devices, with the main use case focused on enterprise deployments of technology and, specifically, “bring your own device” (or BYOD). For example, the roles of Device Owner and Information Owner can be played by either the company or the employee, depending on the particular arrangement between the two. Interestingly, Draft SP 800-164 does not mention the role of the government or regulators. It also does not talk about the liability that a stakeholder might have as a result of taking on a particular role. Each of the entities that it does discuss, however, has a particular set of interests and identifiable activities within the mobile environment. The resulting liability concerns necessitate a deeper inquiry into the security components and hardware features available (or that should be available) on the particular devices.

From a security perspective, various Roots of Trust exist that provide varying degrees of protection to the mobile environment. A future BYOD approach may no longer be limited to a binary “yes, you may bring your device” or “no, you may not bring your own device.” Instead, depending on how much or how little liability exposure an organization may decide to take on, it may want to examine both the security components and the security capabilities in the devices it will be deploying.

Draft SP 800-164 states that three security components are required within mobile devices. First, the Roots of Trust (RoTs) mentioned above must be implemented as “security primitives composed of hardware, firmware, and/or software that provide a set of trusted, security-critical functions.” Second, an Application Programming Interface (API) must be implemented that exposes the RoTs to the device and the OS so that those RoTs can be used to provide a chain of trust. Third, a Policy Enforcement Engine must exist to enable the use of policies on the mobile device. These security components must further be used to implement the three mobile security capabilities of device integrity, isolation, and protected storage.

The guidance goes on to describe a number of different contexts in a “notional architecture” of a typical mobile device. Within those contexts, the components above should be used to provide the capabilities of (a) device integrity (defined as “the absence of corruption in the hardware, firmware, and software of a device”), (b) isolation (defined as “the capability to keep different data components and processes separate from one another”), and (c) protected storage (a fairly well-understood concept that “depends heavily on encryption and integrity protection”). Again, these can combine to provide some level of protection for the organization.

Overall, the Draft SP 800-164 does a reasonable job of introducing the issues of trust and security in a mobile environment, then providing a conceptual approach for addressing and improving those issues. Future drafts could go further by addressing three critical things: (1) providing practical guidance on how companies can apply the concepts in the document, (2) the role of the government in the mobile deployment environment, and (3) how the various technical and policy concepts in the framework can be used to limit the liability of an organization looking to roll out or improve their mobile deployment.

Now, I’m headed off to do all of my shopping…using my Android phone. Have a wonderful and safe holiday season!

1 See http://csrc.nist.gov/publications/PubsSPs.html.

About the Author
Randy V. Sabett, J.D., CISSP, is Counsel at ZwillGen PLLC (www.zwillgen.com), an adjunct professor at George Washington University, and a member of the ISSA NOVA Board of Directors. He was a member of the Commission on Cybersecurity for the 44th Presidency and can be reached at randy@zwillgen.com. The views expressed herein are those of the author and do not necessarily reflect the positions of any current or former clients of ZwillGen or Mr. Sabett.
Herding Cats
Pocket Storage for All
By Branden R. Williams – ISSA Fellow and member, North Texas, USA Chapter

I can hear the friendly ribbing now. “Oh GEE Brando, an issue dedicated to storage? I am sure you will have fun toeing the company line on that one! After all, you joke about how storage is cheaper for you than others when you talk about collection without limitations.” Sure, generic security guy, I do joke about that. But I wanted to take this month’s column in a different direction. It does deal a little bit with storage, but it’s the storage we carry with us every day. Yep, the old smartphone problem, and what the heck is that thing doing?

I’m presently writing this column about three weeks before you will read it. It’s the week following BSidesDFW, which was a great success thanks to the fantastic organizers and community surrounding them. One session in particular that I really enjoyed was with Francisco Artes live, and hilarity from Gal Shpantzer via Skype, where they discussed how smartphone storage worked and the security features of both the Android and iPhone platforms. I’ve written and blogged about the super forensic-friendly nature of these devices, but it wasn’t until this session that I really began to understand the nature of what is left around on these devices. I’ve been very interested in doing forensic analyses of the phones in my house, but I’ve not had the time or networking abilities to get into the right crowds to both gain the knowledge and equipment required.

Here’s the good news. If you have an iPhone, you probably have pretty seamless upgrades into newer versions of iOS and the adoption rate is insane (over 61% at the end of October). If you have an Android, you may be frustrated with your ability to upgrade depending on the carrier or handset.

So let’s talk bad news for iPhone users now, because I was certainly enlightened to learn how the underlying storage and the security models work. Everything on your iPhone is essentially stored in a database. Great for quick access and organization, and it allows for some containerization such that application data doesn’t commingle. Sounds great so far, right? But what happens if you delete a text message or something from an application? Since you deleted it, it must be gone, right? Nope. The database entry is marked in a way that allows it to eventually be overwritten, but it still is on the phone. So a forensic analysis will show all those texts that you thought you deleted.

But wait, because it gets SO much worse. Every time you back up your iPhone, all of those entries that you have marked as deleted are backed up right with all the good stuff that you want to see. This means that it becomes insanely hard to remove them from your device because they now are in your backups. If you grab the newest iPhone and restore from your old backup, all of those deleted texts now make their way onto your new phone! According to Francisco and Gal, the only way to prevent this is to set up your iPhone as a NEW device, not restoring from backup. That is, start all over.

Now let’s put on our tin foil hats and get really suspicious of everything with a battery. Maybe you are one of the many iPhone users who doesn’t have a (working) home computer. Or maybe you want to take advantage of Apple’s generous offer to back up your phone for you via iCloud so that no matter where you are, you can restore your phone if you have a problem. Do you see where I am going? All of those deleted texts are now up in the cloud and out of your control. If you were thinking of doing something illegal and coordinating it from your iPhone, your backups could be subpoenaed without your knowledge and all of those deleted texts might be in the hands of the Feds. Yikes!

The point of Francisco and Gal’s presentation wasn’t necessarily to make everyone run from the room screaming in fear, but to uncover some of the good security-related things that mobile devices can do while highlighting the snakes in the grass that we all need to be aware of – especially corporate security folks who are charged with keeping information secure on those devices. It might be time to re-think about how information moves throughout your company and see how bad a lost cell phone might actually be.

About the Author
Branden R. Williams, CISSP, CISM, is a CTO at RSA, the Security Division of EMC, ISSA Fellow, and regularly assists top global retailers, financial institutions, and multinationals with their information security initiatives. Read his blog, buy his book, or reach him directly at http://www.brandenwilliams.com/.
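The column's point about deleted texts (the entry is only marked as reusable space, stays in the file, and is carried along by any backup that copies the file) can be reproduced against a small SQLite database. The code below is an added example, not code from the column or from the presentation it reports on; it assumes a message table of its own construction rather than any real phone schema, and the secure_delete pragma and VACUUM it contrasts are SQLite's own mechanisms, which the column does not discuss.

```python
"""
Added example: a deleted SQLite row is only marked as free space, so its
text survives in the database file, and in any byte-for-byte copy of it
(as a backup would make), until the space is reused, zeroed, or the file
is rebuilt. The message table here is constructed for the demo, not a
real phone schema.
"""
import os
import shutil
import sqlite3
import tempfile

# Constructed sample message text; a distinctive tracer to scan for.
TRACER = "constructed-sample-message-7f3a9c"


def _file_contains(path: str, needle: bytes) -> bool:
    """Scan the raw file bytes, as a carving tool would, ignoring the schema."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def deleted_row_residue(mode: str = "plain") -> dict:
    """
    Insert one message, delete it, then report whether its text is still
    present in the raw database file and in a file-level copy of it.

    mode:
      "plain"         - secure_delete off: freed cell bytes are left in place
      "secure_delete" - PRAGMA secure_delete=ON zeroes freed bytes on delete
      "vacuum"        - VACUUM after the delete rebuilds the file from live data
    """
    if mode not in ("plain", "secure_delete", "vacuum"):
        raise ValueError("unknown mode: %r" % mode)
    workdir = tempfile.mkdtemp(prefix="sms_residue_")
    db_path = os.path.join(workdir, "messages.db")
    backup_path = os.path.join(workdir, "messages.db.backup")
    try:
        con = sqlite3.connect(db_path)
        # Rollback journal rather than WAL, so no -wal file holds a second copy.
        con.execute("PRAGMA journal_mode=DELETE")
        # Set explicitly: some library builds turn secure_delete on by default.
        con.execute("PRAGMA secure_delete=%s"
                    % ("ON" if mode == "secure_delete" else "OFF"))
        con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO message (body) VALUES (?)", (TRACER,))
        con.commit()

        # The "delete a text" step: the row disappears from query results...
        con.execute("DELETE FROM message WHERE id = 1")
        con.commit()
        if mode == "vacuum":
            con.execute("VACUUM")  # rewrites the file without the freed space
        live_rows = con.execute("SELECT COUNT(*) FROM message").fetchone()[0]
        con.close()

        # ...but a backup that copies the file copies the freed bytes with it.
        shutil.copyfile(db_path, backup_path)
        needle = TRACER.encode()
        return {
            "live_rows": live_rows,
            "residue_in_db": _file_contains(db_path, needle),
            "residue_in_backup": _file_contains(backup_path, needle),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for m in ("plain", "secure_delete", "vacuum"):
        print(m, deleted_row_residue(m))
```

In "plain" mode the query reports zero rows while the tracer is still present in both files; the other two modes show what actually removes it from the file, which is the distinction a forensic examiner or a data-retention reviewer needs to make.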
Security Awareness
Security Awareness Training Feedback Surveys
By Geordie Stewart – ISSA member, UK Chapter

Whoever said that there’s no such thing as a stupid question, only a stupid answer, has probably never seen a feedback survey for security awareness training sessions. Questions such as “Did you learn anything?” and “Do you feel more secure?” are as common as they are idiotic. I guess it’s largely shaped by the motives of who is asking the question. The trainers involved are primarily interested in demonstrating that they are good trainers and questions are designed to elicit complimentary feedback. Feedback surveys are a great chance to obtain valuable feedback, but only if we’re asking the right questions. In this column we’re going to look at training feedback surveys in more detail.

Getting useful feedback from training sessions is challenging, but not impossible. For a start, you need to be aware of people’s biases. Surveys measure “declared preferences” since they rely on people expressing their views. While easier to gather, declared preferences have inherent biases that need to be acknowledged and allowed for when interpreting the results. “Revealed preferences” are what people actually do, but measuring what people do accurately and efficiently can be difficult, especially if people know they’re being observed. Here are some suggestions for allowing for people’s biases while obtaining reliable survey data.

Selection Bias. By definition, the population available to fill out training awareness feedback forms are usually those who actually attended. Therefore, the results do not include those who chose not to attend. Consider carefully what the people who didn’t attend might say. That the training was too long? Too basic? Too boring? If people have perceptions that are holding them back from attending, it’s important to find out why. It’s not necessarily about the session; it’s about people’s perceptions of the session which also need to be managed. You may want to consider a survey targeted at people who didn’t attend to ask them why.

Confirmation Bias. When we signal the desired answer in the phrasing of the question, we deserve the answers we get. It’s human nature to avoid confrontation or disappointing people, and there is a tendency for people to tell us what we want to hear. To counter this bias, try to avoid questions which are phrased in moral terms. Look out for the word good as it normally signals a moral norm and therefore an expected answer.

Intention Bias. People have all sorts of good intentions. Go to the gym. Lose weight. Stop smoking. However, there is a big gap between intent at a point in time and what people actually do in the following days and months. It’s all very well people declaring their intention to take security more seriously, but you should have a glance at your own 2012 New Year’s resolutions for a reality check. If you’re going to bother asking people about their intentions after training, then you should have a way of measuring later how many people followed through.

Phrasing. Questions should be as short as you can make them without becoming vague, and you should only ask one question at a time. For example, “Was the training clear and easy to follow?” actually has mixed up two different concepts, which mean different things - training clarity and training pace. Where questions are unclear or confusing, the temptation will be to abandon the survey (which reduces completion rates) or skip through (which reduces data quality).

Be Specific. Avoid subjective words that are going to have different interpretations. For example, the word often will mean different things to different people. Instead of a word like often, try setting out a specific time frame such as “at least once a week.”

Vocabularies. The use of obtuse linguistic structures (complex sentences) and TLA (vague acronyms) will cause problems by impacting both completion rates and data quality. Consider trying out your test questions on some volunteers and ask them to repeat back to you in their own words what your question is asking. You may be surprised in how your questions were interpreted. When you reliably get people repeating back your questions as you intended, then you’re ready to go.

Designing effective surveys does take time and effort, but is worth it in order to obtain valuable feedback. It is important to allow for people’s biases and tendencies when designing a survey. If you’re judging the “success” of your security awareness training by feedback from slackers who hang around to gossip after training sessions and tell you what you want to hear, you’re probably wasting your time.

About the Author
Geordie Stewart, MSc, CISSP, is the Principal Security Consultant at Risk Intelligence and is a regular speaker and writer on the topic of security awareness. His blog is available at http://www.risk-intelligence.co.uk/blog, and he may be reached at geordie@risk-intelligence.co.uk.
Association News

Connect with Us
Do you tweet? ISSA now has a Twitter page! Don’t forget to like us on Facebook! You can also find us on LinkedIn! When it comes to cybersecurity, being out of the loop is a dangerous place. Keep informed with ISSA social media connections – just click the icons.

FEBRUARY 5, 2013 • LONDON, ENGLAND
Announcing the 2013 ISSA European Conference. This event will focus on some key challenges we all face: Cyber Crime, Cyber Conflict, and Cyber Espionage. At this conference attendees will hear from leading European and international speakers that will inform and set our future direction in Information Security. A great value, ISSA members can attend for just $35 USD. Visit www.issaconference.org to register today. Space is limited.

Keynote Presentations Now Online!
Click here to view video recordings of the 2012 International Conference Keynote Presentations. Additional recordings will be available in the months following the conference. Please look for announcements in member communications and on ISSA’s social media sites.

The ISSA Web Conferences bring together ISSA members from around the world to share leading industry presentations and answer members’ questions. Each event is designed to address the timely needs of our members through a live online event and a subsequent recorded version for on-demand viewing. All content is developed by the ISSA Web Conference Committee. CPE Credit Available: ISSA members will be eligible for a certificate of attendance, after successful completion of a post-event quiz, to submit CPE credits for various certifications.

Predictions for the New Year
Date: January 22, 2013
Start Time: 9:00 a.m. US Pacific / 12:00 p.m. US Eastern / 5:00 p.m. London
Once again some brave (or foolish?) folks volunteer some insights and predictions into where infosec challenges will come from in 2013 and beyond. To a degree, changes in legislation and technology are easy meat to predict in a 12-month time frame. But what about environmental impacts such as cyberattacks and cyberwarfare trends? Will the cold wind of social media exploits bring infosec into focus for the ignorant end user? What is likely to be the next big hurricane of “wikileaks-type” exposure to rock the industry? Where will the wind of change blow security in the “cloud?” Will the heat be turned up further on compliance requirements? Will there be a drought of funds making everything we want to do harder to achieve? Join us, make notes, and then check back in a year to see how we did! Click here for more information on our 2013 schedule.

International Director Pete Lindstrom’s fireside chat with former US Cybersecurity Coordinator and former ISSA International President, Howard Schmidt.

Comments on Howard Schmidt Keynote
Hearing the interview with Howard Schmidt after his time serving in the US White House was one of the conference highlights for me. ISSA is so fortunate in having a previous ISSA president serving as a special advisor to President Obama. Howard's views on security threats to small-medium-sized businesses were particularly interesting.1 This is an area that the ISSA UK Chapter has focussed on for the last two years with the ISSA5173 standard,2 which was presented at the conference by ISSA UK Board member, Gabe Chomic (Critically Unprotected Infrastructure: Information Security and Small Business).
Geoff Harris – ISSA International Director and member, UK Chapter

1 http://www.scpr.org/news/2012/10/29/34760/anaheim-ex-cyber-security-czar-warns-threat-smalle/.
2 http://issa5173.com/.

Embracing Change Keynote Panel
NEW!
Association News

My First Experience at an ISSA International Conference
Being able to attend the ISSA International Conference was like opening a treasure chest and finding all kinds of jewels and valuable objects to enjoy: the speakers, the exhibitors, and the time for networking and conversations with people – including those who had only been voices on the telephone.

Our keynote and featured speakers were marvelous in their perspectives of information security and how we can embrace a changing world – and the surprising key to our success is communication and building relationships, not the deployment of new technology (although that has its place). Be ready to explain new technologies to the C-suite and show how they relate to business success; they won't fund what they don't understand.

Day 1
Jay Leek (Taking Your US-Focused Risk Management and Security Program International) had great advice: keep it simple, do not confuse email with communication, pick up the phone and call, and lead by example.

Christofer Hoff (Stuff My Cloud Evangelist Says: Just Not to the CSO) discussed the 7 dirty words for security. He said we can't afford a turf battle; this isn't West Side Story.

Rafal Los (House of Cards – How Not to Collapse When Bad Things Happen) presented an effective perspective for responding to new "challenges" – resilience. Bad things are going to happen, but how are you going to respond and "get back to business"? Be pragmatic, create staged attacks, assess your response, and update your response; do it until it is "muscle memory."

Day 2
Howard Schmidt (morning keynote) reminded us that we have to be able to listen and to negotiate; we need to get personal relationships going with key persons in our organization. He quoted Althea Gibson: "We can't accomplish anything without others."

Stephen Northcutt (Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge) focused on leading in a time of change and having situational awareness; be alert for what you can measure and know what is "evergreen." Consider giving up a low-value task to pursue a high-value task; decide what you want to accomplish, make a plan, and you will achieve great things.

Andy Ellis (Social Engineering the Risk Hindbrain: How to Avoid Security Subsistence Syndrome) had a captivating presentation topic of "Herding Lizards"; lizards know fear, they run away! People consider risk differently; "safe" means different things to different roles: CEO, Sales, Product Development, CFO, Employees, and Security. Train people to get used to fixing risks; make them less afraid of it. If you try for "perfect," you won't get to "good." So, as an individual, get better at what you do now; do three things well and then pick up something else.

Next year the conference is in Tennessee, a very hospitable location that is reachable from any port. If you didn't get to attend this year's conference – or even if you did – definitely consider attending in 2013; it will be a wonderful and enlightening experience (y'all).

Conference Recap from Mollie Krehnke, ISSA Fellow and member, Raleigh, USA Chapter
[Note: Mollie received her ISSA Fellow award at the conference.]
[Photo captions: Christofer Hoff; Rafal Los]
Association News

Survey Results on Cyber Terrorism from the International Conference
At ISSA International this year, exhibitor and sponsor Ixia interviewed security professionals to gain insight into their thoughts on cyber terrorism. And here's what they found:

1. Do you anticipate a major cyber terrorism event to occur in the next year?
79% responded yes to this question. In our discussions with these security experts, many of them said "It's already happening!"

2. Which industry do you feel is the strongest target for cyber terrorism?
• Oil & Gas 12.3%
• Finance 22.8%
• High Tech 0%
• Government 17.1%
• Power grid 35.2%
• Utilities (water, etc.) 12.4%

The respondents viewed the financial industry as the most tempting target, with profit as a chief motivation. However, many acknowledged that the finance industry was better protected than some other industries, such as power grid and utilities, which received a combined 48% of the vote. Utilities and the power grid were called out as being wired-in to the Internet and under-protected, AND a target that would cripple the nation if the attack was successful. Also, several respondents requested a Select All option as they viewed all options as vulnerabilities. It's interesting to note that there were no votes for High Tech as a top target for cyber terrorism. Though High Tech is clearly an Advanced Persistent Threat (APT) target, it was not regarded as a cyber terrorism target.

3. Do you believe it's the responsibility of the US Government to protect you from cyber terrorism?
People really had to think about this question. The majority of respondents – 59% – believed it is the US Government's responsibility to protect us. The remaining 41% disagreed, with many of them lacking faith and trust in the government's ability to move quickly enough to be effective. Worth noting is the fact that respondents who worked for the government universally felt it was a responsibility of the government. Many respondents who answered positively likened the situation to the expectation that the government is responsible for preventing physical terrorism, and that the parallel should hold for cyber terrorism. On the other side of the coin, shared responsibility was a common theme. Several respondents used the example of protecting your house – the government is expected to provide protection, but in the end homeowners are responsible for protecting themselves with appropriate security measures.

The fight against cyber terrorism continues...
It was interesting to pick the brains of the security pros attending ISSA International this year, since these are the men and women on the front lines of the fight against cyber terrorism. While they may have disagreed on the top target for cyber terrorism and whose responsibility it is to stop it, there was no question among our respondents that it's a growing threat that requires constant vigilance.

Conference Recap from Kate Brew – ISSA member, Capitol of Texas Chapter
ISSA London 2013 • February 5, 2013
Deloitte Offices, 2 New Street Square, London, UK
Presented by ISSA International & Generously Hosted by Deloitte

The 2013 ISSA London Conference will focus on some key challenges we all face: Cyber Crime, Cyber Conflict, and Cyber Espionage.

Opening Keynote: Digital Identity, State Protective Monitoring, and Civil Liabilities – Right Honourable David Davis MP, House of Commons, UK Parliament
Cooperation in Securing National Critical Infrastructure – Dr. Steve Purser, Head of Technical Competence Department, European Network & Information Security Agency (ENISA)
Cyber Crime Challenges for Europe – Dr. Victoria Bains, Europol Cyber Crime Centre
Establishing Trust Across International Communities – Patrick Curry OBE, Director, British Business Federation Authority
Insider Attacks: Lessons Learned – Dr. Thiébaut Devergranne, Docteur en droit/Doctor of Law in France
Eddie Schwartz, VP & Chief Information Security Officer, RSA, The Security Division of EMC
Closing Keynote: Red Dragon Rising Across Europe – Lt Col William Hagestad II USMCR

ISSA will be hosting two satellite events in conjunction with ISSA London 2013:
February 4 – This peer-only event will feature executive briefings from Lt Col William Hagestad II USMCR, a leading authority on Chinese Cyber & Information Warfare, and Eddie Schwartz, VP & Chief Information Security Officer, RSA, The Security Division of EMC. Attendance at this event is by invitation only.
February 6 – Join ISSA's European leaders for an event focused on growing and supporting chapters in the region. The Chapter Leaders Summit is open to Chapter Board Members and Officers.

A great value! ISSA members can attend for $35 USD, non-members for $105 USD.
Register Today • Space is limited. www.issaconference.org
Network Device Forensics
By Didier Stevens – ISSA member, Belgian Chapter

The goal of this article is to raise awareness about the measures you can take to improve the success of network forensics.

Imagine that a rogue laptop connects to your corporate WiFi and is able to access the Internet via your corporate proxy server. Let us assume that your WiFi is protected by a pre-shared key, but that this rogue laptop is owned by a former employee. Will you detect this? And will you be able to trace it back to the former employee?

A foreign competitor hires a tech-savvy criminal to install a trojaned operating system on your edge router. This trojan facilitates access to your corporate network for unauthorized persons by tampering with the authentication control logic. Will you detect the trojaned router?

These two examples represent two common classes of forensic investigations where forensic evidence needs to be collected from network devices. In the first example, network devices contain evidence of the network traffic that flowed through them. In the second example, network devices have been compromised and forensic evidence needs to be lifted from them.

Forensic evidence gathered by network devices
To operate properly, network devices need to maintain information about the network traffic they process. Since network devices have limited amounts of memory compared to general purpose computers, they tend to collect only the bare essential information for their processes, and this information is discarded rather quickly when it is no longer needed.

There is often a significant delay between the time a security incident occurs and the time the forensic investigation starts. And as a switch or router discards obsolete metadata quickly, you will not find forensic evidence if you react too late. But you can improve the success rate of your forensic evidence gathering by configuring your switches and routers to collect additional data and to persist this data.

All professional network devices allow for the logging of events. But the internal event log of network devices is rather small because of the memory constraints. Old events get discarded at a fast rate to make room for new events.

Centralized logging
Here is an important first opportunity for you to improve the evidence collection phase of your forensic investigations. Install one or more machines as a central log repository and configure all your network devices to forward events to this central log repository. Dimension your central log repository so that it can hold several months' worth of events. The syslog standard is often used to centralize events.

The second opportunity you have to improve the evidence collection phase of your forensic investigations is by increasing the types of events that are logged, for example DHCP events. Professional network devices classify events by type and by alert level. Not all event types are logged by default, and only events with important alert levels are logged. Increase the types of events, and lower the alert level for event logging. Watch out: you will need to strike a balance between resource usage and log level, because increasing the number of log events has an impact on CPU usage and can thus negatively impact the performance of your network devices.

Utilize on-board security features
Make sure to research security features available in your network devices that can help you indirectly with your forensic investigations. Enable them if necessary. For example, Cisco switches have a DHCP snooping feature. Enabling this feature instructs the switch to build and maintain a table of all successful DHCP transactions it sees passing through its interfaces. This table lists IP addresses, corresponding MAC addresses, and the interfaces serving these clients.

Imagine a contractor connects his laptop to your wired network without authorization. You would notice this by monitoring your DHCP logs for rogue machine names. But this will only give you a machine name and a MAC address. This is often not enough to trace back to the contractor. But with the DHCP snooping binding table, you will be able to correlate the IP address and MAC address with a switch interface. This will allow you to find the physical location of the Ethernet connector used by the contractor. Reviewing physical security evidence like access control logs or CCTV images should be enough to identify the contractor. Or you could just ask your employees working near the network access point who used this connection.

In the case of the former employee using your corporate WiFi infrastructure, you would notice this too by monitoring your DHCP logs for rogue machine names. Additional logs from WiFi access points and wireless LAN controllers should enable you to pinpoint the access point used by the former employee. But since WiFi access points do not need a physical connection, you will find it harder to identify the culprit.

Forensic artifacts found in network devices
Network devices can become compromised because their configuration gets modified or because their operating system gets trojanized. Finding forensic evidence for these incidents can become much harder. A secure, centralized log repository is vital so that perpetrators cannot erase logs to cover their tracks.

To detect unauthorized configuration modifications, a release management and version control process is necessary. The release management process will make sure that only approved modifications are applied to your network devices, and the version control process will make sure that these modifications are documented. Periodic review of your network device configurations will allow you to detect unauthorized configuration modifications by comparing them with the configurations kept in the version control system. This review process can be automated.

If your network devices support scripting and you have custom scripts, like Cisco IOS Tcl scripts, make sure to include these in your release management and version control process.

Trojanized devices
The operating system of your network devices can be trojanized in two ways: by trojanizing the operating system files (like Cisco's IOS image files) and booting from them, or by exploiting a vulnerability in the operating system and trojanizing it in memory.

A release management process for network device image files allows you to know whether a network device is running an authorized operating system or not. But an unauthorized operating system image is not necessarily a trojanized operating system image. Your success in identifying trojanized operating system images will depend on your network device vendor. For example, Cisco provides lists with cryptographic hashes of all images they release. If the cryptographic hash of the unauthorized operating system image matches a hash in this list, you can be sure that it is a legitimate operating system image and that it is not trojanized, provided that you obtained the hash list from the vendor over a channel you trust and computed the hash on a copy of the image taken from the device rather than trusting a hash reported by the device itself. Some high-end network devices can operate with digitally signed operating system images. Periodic review of the digital signature of these operating system images will detect trojanized operating system images.

RAM trojans
But the hardest forensic case to crack is an operating system trojanized in memory. Many professional network devices operate like this: the operating system is stored in a file which is stored on non-volatile, solid-state memory, like flash memory. When the network device is powered on, a very small program stored in ROM will load the operating system from flash into RAM, where it is executed by the CPU. With an operating system trojanized in memory, the image file in flash is intact, but the modifications are made in RAM, where the image file is loaded to be executed. One way to make these modifications in RAM is by targeting the network device with an exploit for a vulnerability.1 This exploit contains code to modify the operating system in RAM and trojanize it, for example by adding backdoor functionality.

To investigate such a compromise, you need to be able to access and analyze RAM. Cisco IOS has features to access RAM: their routers and switches have a command that allows you to write the content of RAM to a core dump file. This solves the "access" phase of your forensic investigation, but not the "analysis" phase. The structure of the file containing the core dump is not documented. Only Cisco knows the complete details, and you will need their cooperation if you need a full analysis. The Cisco Technical Assistance Center (TAC) will sometimes ask clients to provide them with a core dump to help with the analysis of their support cases. And since the RAM core contains everything that was in RAM, it contains a lot of forensic evidence.

But you are not completely dependent on Cisco's TAC for core dump analysis. There are two open source tools that can partially analyze core dumps. The first tool is Cisco Incident Response (CIR) from Recurity Labs GmbH,2 an open source tool that attempts to detect trojanized core dumps by detecting memory and process anomalies. CIR has been successful in detecting proof-of-concept trojanized IOS images presented at the Black Hat security conference.3

The second tool is the Network Appliance Forensic Toolkit (NAFT),4 released by me. It is able to analyze the basic structure of memory and processes, but it is not yet able to automatically detect memory and process anomalies. NAFT is a set of Python programs, and it can run on many operating systems. You instruct your IOS device to produce a core dump and transfer it to a TFTP server, and then you can analyze this dump with NAFT. For example, the command naft-icd.py processes r870-core will dump all processes it finds in core dump r870-core (figure 1).

Figure 1 — Core dump: process listing produced by naft-icd.py processes r870-core. The columns follow the layout of the IOS show processes output: PID, queue/type, PC, runtime, invoked, uSecs, stack usage, TTY, process name.
1 Cwe 80049B5C 0 3 0 5552/6000 0 Chunk Manager
2 Csp 80371B90 8 341 23 2640/3000 0 Load Meter
3 Mwe 8118AB24 4 1725 2 5300/6000 0 Spanning Tree
4 Lst 80046D90 14780 841 17574 5484/6000 0 Check heaps
5 Cwe 8004F930 0 1 0 5672/6000 0 Pool Manager
6 Mst 808278AC 0 2 0 5596/6000 0 Timers

Pay attention to the fact that although operating systems trojanized in RAM are not persistent (i.e., rebooting the network device removes the trojan), network devices are not often rebooted, and the trojan can easily be present for months if not years. And if a trojan runs in RAM with full system access, there is nothing to prevent it from modifying the image in flash to achieve persistence.

Conclusion
There are several preventive steps that you can take to facilitate a forensic investigation of network devices. You can improve the logging of your devices and enable extra information gathering features on your devices. This will help you gather more forensic evidence. Network devices can also become compromised. You can find forensic artifacts in flash and in RAM. There are tools to help you analyze these artifacts. I hope this article will inspire you to take measures that will facilitate forensic investigations of network devices.

1 Felix Lindner, "Burning the bridge: Cisco IOS exploits," http://www.phrack.com/issues.html?issue=60&id=7.
2 http://cir.recurity.com/.
3 http://blog.recurity-labs.com/archives/2008/05/27/on_ios_rootkits/index.html.
4 http://blog.didierstevens.com/programs/network-appliance-forensic-toolkit/.

References
— Dale Liu, Cisco Router and Switch Forensics, ISBN 978-1597494182.
— Felix Lindner, The Shellcoder's Handbook, 2nd Edition, Chapter 13: Cisco IOS Exploitation, ISBN 978-0470080238.
— Felix Lindner, "Developments in Cisco IOS Forensics," Black Hat, http://www.blackhat.com/presentations/bh-usa-08/Lindner/BH_US_08_Lindner_Developments_in_IOS_Forensics.pdf.
— Felix Lindner, "Router Exploitation," Black Hat, http://www.blackhat.com/presentations/bh-usa-09/LINDNER/BHUSA09-Lindner-RouterExploit-SLIDES.pdf.
— Sebastian 'topo' Muñiz, "Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootKit)," http://www.coresecurity.com/files/attachments/Killing_the_myth_of_Cisco_IOS_rootkits.pdf.
— Andrew Vladimirov, Konstantin Gavrilenko, Andrei Mikhailovsky, Hacking Exposed Cisco Networks, ISBN 978-0072259179.

About the Author
Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) is a member of the Belgian ISSA chapter and an IT Security Consultant currently working at a large Belgian financial corporation. Didier started his own company in 2012 to provide IT security training services (http://DidierStevensLabs.com). You can find his open source security tools on his IT security related blog at http://blog.DidierStevens.com. He may be contacted at didier.stevens@gmail.com.
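The contractor scenario under "Utilize on-board security features" above boils down to a join between two records: the DHCP server's log (hostname and MAC address) and the switch's DHCP snooping binding table (MAC address, IP address, VLAN and interface). The script below is an added example and is not part of Didier Stevens' article or of his tools. It assumes ISC dhcpd-style DHCPACK log lines forwarded to the central syslog server and a binding table in the layout of the IOS command show ip dhcp snooping binding; the log lines, the binding table, the corporate hostname naming convention and the choice of GigabitEthernet1/0/48 as the uplink to the wireless LAN controller are all constructed for the example.

```python
import re

# Constructed sample input, not real captures: DHCP server log lines in
# ISC dhcpd style (hostname in parentheses), as forwarded to central syslog.
DHCP_LOG = """\
Dec  3 09:12:41 dhcp01 dhcpd: DHCPACK on 10.1.20.31 to 00:1b:21:aa:bb:01 (CORP-LT-0412) via eth0
Dec  3 09:15:02 dhcp01 dhcpd: DHCPACK on 10.1.20.77 to 00:26:b9:cc:dd:02 (bobs-macbook) via eth0
Dec  3 09:20:55 dhcp01 dhcpd: DHCPACK on 10.1.30.15 to 00:26:08:ee:ff:03 (android-9f3c1) via eth0
Dec  3 09:21:10 dhcp01 dhcpd: DHCPREQUEST for 10.1.20.31 from 00:1b:21:aa:bb:01 via eth0
"""

# Constructed sample in the layout of Cisco IOS "show ip dhcp snooping binding".
SNOOPING_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1B:21:AA:BB:01   10.1.20.31       86400       dhcp-snooping   20   GigabitEthernet1/0/3
00:26:B9:CC:DD:02   10.1.20.77       86400       dhcp-snooping   20   GigabitEthernet1/0/17
00:26:08:EE:FF:03   10.1.30.15       86400       dhcp-snooping   30   GigabitEthernet1/0/48
"""

# Assumptions for the example: corporate hosts follow the naming convention
# CORP-XX-NNNN, and Gi1/0/48 is the uplink to the wireless LAN controller, so a
# binding on that port only tells you the client came in over WiFi.
CORP_HOSTNAME = re.compile(r"^CORP-[A-Z]{2}-\d{4}$")
WIRELESS_UPLINKS = {"GigabitEthernet1/0/48"}

ACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17}) \((?P<host>[^)]*)\)"
)


def parse_snooping_table(text):
    """Map lower-case MAC -> (ip, vlan, interface) from the binding table text."""
    bindings = {}
    for line in text.splitlines():
        parts = line.split()
        # Header and separator lines also have six fields; the MAC pattern skips them.
        if len(parts) == 6 and re.match(r"^[0-9A-Fa-f:]{17}$", parts[0]):
            bindings[parts[0].lower()] = (parts[1], parts[4], parts[5])
    return bindings


def find_rogue_hosts(dhcp_log, snooping_table):
    """One record per DHCPACK whose hostname breaks the naming convention,
    enriched with the switch port taken from the snooping binding table."""
    bindings = parse_snooping_table(snooping_table)
    rogues = []
    for line in dhcp_log.splitlines():
        m = ACK_RE.search(line)
        if not m or CORP_HOSTNAME.match(m["host"]):
            continue  # not an ACK, or an approved corporate host
        mac = m["mac"].lower()
        ip, vlan, iface = bindings.get(mac, (m["ip"], None, None))
        if iface is None:
            location = "no snooping binding: lease expired or traffic not seen by this switch"
        elif iface in WIRELESS_UPLINKS:
            location = "wireless client behind WLC uplink %s; consult WLC/AP logs" % iface
        else:
            location = "wired port %s (VLAN %s)" % (iface, vlan)
        rogues.append({"host": m["host"], "mac": mac, "ip": ip, "location": location})
    return rogues


if __name__ == "__main__":
    for r in find_rogue_hosts(DHCP_LOG, SNOOPING_TABLE):
        print("%(host)s %(mac)s %(ip)s -> %(location)s" % r)
```

Running it prints one line per rogue host with either the wired port to go and inspect or, for the WiFi case the article describes, a pointer to the controller and access point logs, because the binding table only shows the port facing the controller. Two caveats matter in practice: the binding table lives in the switch's RAM, so unless you configure the snooping database agent to persist it (ip dhcp snooping database on IOS) it is one more artifact that disappears on reboot, and a host that sets a plausible corporate-looking name will pass a naming-convention filter, so pair the hostname check with a MAC inventory where you have one.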
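The two checks described under "Forensic artifacts found in network devices" and "Trojanized devices" above, comparing a device's running configuration with the version-controlled baseline and checking an image's hash against the vendor's published list and against the release-management approved list, have the same shape: hash or diff an artifact taken from the device against a reference you control. The following Python is an added example, not code from the article; the image blobs, hash lists and configurations are constructed stand-ins. It uses MD5 because that is what vendor image hash lists of the period were published in; for anything you build today, prefer SHA-256 or, where the platform supports it, signature verification of the image.

```python
import difflib
import hashlib

# Constructed sample data, not real Cisco artifacts. The byte strings stand in
# for image files; the names mimic IOS image naming only for readability.
IMAGES = {
    "c2960-lanbasek9-mz.150-2.SE.bin": b"release-build-of-the-switch-image",
    "c2960-lanbasek9-mz.150-2.SE4.bin": b"newer-release-build-of-the-switch-image",
    "c2960-lanbasek9-mz.150-2.SE.bin.modified": b"release-build-with-a-patched-login-routine",
}
# Vendor hash list: every image the vendor ever released (the article's Cisco list).
VENDOR_MD5 = {hashlib.md5(IMAGES[n]).hexdigest() for n in
              ("c2960-lanbasek9-mz.150-2.SE.bin", "c2960-lanbasek9-mz.150-2.SE4.bin")}
# Release management: the single image approved for deployment on this platform.
APPROVED_MD5 = {hashlib.md5(IMAGES["c2960-lanbasek9-mz.150-2.SE.bin"]).hexdigest()}


def classify_image(image_bytes, vendor_hashes=VENDOR_MD5, approved_hashes=APPROVED_MD5):
    """Three outcomes, as in the article: the approved release, a genuine vendor
    image that release management never approved, or an image the vendor never shipped."""
    digest = hashlib.md5(image_bytes).hexdigest()
    if digest in approved_hashes:
        return "approved"
    if digest in vendor_hashes:
        return "unapproved-but-vendor-released"
    return "unknown-possibly-trojanized"


# Constructed running-config excerpt and its version-controlled baseline.
BASELINE_CONFIG = """\
! Last configuration change at 10:02:11 UTC Mon Nov 5 2012 by netops
hostname edge-rtr-1
aaa new-model
aaa authentication login default group tacacs+ local
username netops privilege 15 secret 5 $1$baseline$placeholderhash
ip dhcp snooping
ntp clock-period 17179869
logging host 10.1.5.10
line vty 0 4
 transport input ssh
"""
RUNNING_CONFIG = """\
! Last configuration change at 03:41:07 UTC Sat Dec 1 2012 by support
hostname edge-rtr-1
aaa new-model
aaa authentication login default group tacacs+ local
username netops privilege 15 secret 5 $1$baseline$placeholderhash
username support privilege 15 password 7 0822455D0A16
ip dhcp snooping
ntp clock-period 17179870
logging host 10.1.5.10
line vty 0 4
 transport input ssh telnet
"""

# IOS rewrites these lines on its own; diffing them would report false drift.
VOLATILE_PREFIXES = ("! Last configuration change", "ntp clock-period")


def normalize(config):
    """Drop blank and volatile lines so only operator-controlled lines are compared."""
    return [ln for ln in config.splitlines()
            if ln.strip() and not ln.startswith(VOLATILE_PREFIXES)]


def config_drift(baseline, running):
    """Lines that differ between the version-controlled baseline and the device,
    as unified-diff '+'/'-' lines; an empty list means no drift."""
    diff = difflib.unified_diff(normalize(baseline), normalize(running),
                                fromfile="baseline", tofile="running", lineterm="", n=0)
    return [ln for ln in diff
            if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]


if __name__ == "__main__":
    for name, blob in IMAGES.items():
        print("%-45s %s" % (name, classify_image(blob)))
    for ln in config_drift(BASELINE_CONFIG, RUNNING_CONFIG):
        print(ln)
```

The drift report for the constructed configs is exactly the kind of change the article's second scenario produces: a new privilege-15 local account and telnet re-enabled on the VTY lines, with the two volatile lines correctly ignored. Pull the image and the configuration off the device (for example with copy to a TFTP server, as the article does for core dumps) and hash them on the analysis host; IOS can compute a digest on-box with verify /md5, but a digest reported by a possibly trojanized operating system is the one thing you should not rely on.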
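Once you have a process listing out of a core dump, the analysis step the article says NAFT does not yet automate, flagging anomalies, can be started with a baseline comparison. The following is an added example and is not part of the article, of NAFT or of CIR: it parses lines in the Figure 1 layout, compares the set of process names with a baseline taken from a known-good device running the same image, and flags processes whose program counter lies outside the image's text segment, which is where injected code in a process list shows up. The text segment bounds are an assumption for the sample (on a real device take them from show region); the input is the six lines of Figure 1 plus one constructed anomalous line.

```python
import re

# Six lines from Figure 1 plus one constructed anomalous line (PID 42): a process
# whose PC points well outside the image text segment, into memory where only
# data should live. Everything about PID 42 is invented for the example.
CORE_PROCESSES = """\
1 Cwe 80049B5C 0 3 0 5552/6000 0 Chunk Manager
2 Csp 80371B90 8 341 23 2640/3000 0 Load Meter
3 Mwe 8118AB24 4 1725 2 5300/6000 0 Spanning Tree
4 Lst 80046D90 14780 841 17574 5484/6000 0 Check heaps
5 Cwe 8004F930 0 1 0 5672/6000 0 Pool Manager
6 Mst 808278AC 0 2 0 5596/6000 0 Timers
42 Mwe 83A1C010 0 1 0 5400/6000 0 Virtual Exec
"""

# Baseline process names captured from a known-good device running the same
# image (constructed here). Names are compared, not PIDs: PIDs are assigned at boot.
BASELINE_PROCESSES = {"Chunk Manager", "Load Meter", "Spanning Tree",
                      "Check heaps", "Pool Manager", "Timers"}

# Assumed bounds of the image text segment for the sample device; on a real
# device read them from "show region". The Figure 1 PCs all fall inside this range.
TEXT_START, TEXT_END = 0x80000000, 0x81FFFFFF

LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<qty>\S+)\s+(?P<pc>[0-9A-Fa-f]{8})\s+(?P<runtime>\d+)\s+"
    r"(?P<invoked>\d+)\s+(?P<usecs>\d+)\s+(?P<stack_low>\d+)/(?P<stack_size>\d+)\s+"
    r"(?P<tty>\d+)\s+(?P<name>.+?)\s*$"
)


def parse_processes(listing):
    """Parse a process listing in the Figure 1 layout into one dict per process."""
    procs = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers or blank lines
        d = m.groupdict()
        for k in ("pid", "runtime", "invoked", "usecs", "stack_low", "stack_size", "tty"):
            d[k] = int(d[k])
        d["pc"] = int(d["pc"], 16)
        procs.append(d)
    return procs


def find_anomalies(listing, baseline=BASELINE_PROCESSES, text_range=(TEXT_START, TEXT_END)):
    """Return (pid, name, reason) for every process that is not in the baseline
    set or whose PC lies outside the image text segment."""
    lo, hi = text_range
    findings = []
    for p in parse_processes(listing):
        if p["name"] not in baseline:
            findings.append((p["pid"], p["name"], "not in baseline process set"))
        if not lo <= p["pc"] <= hi:
            findings.append((p["pid"], p["name"], "PC 0x%08X outside text segment" % p["pc"]))
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_anomalies(CORE_PROCESSES):
        print("PID %d %-15s %s" % (pid, name, reason))
```

Treat a clean result as the absence of one particular symptom, not as proof of a clean device: a trojan that hooks an existing process or patches code inside the text segment never appears as a new process, which is why CIR also checks the image text in the dump against the known-good image. The baseline must come from the same model and image version, otherwise every legitimately new process in a newer release shows up as a finding.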
Black Hat Europe 2013
Briefings: March 12-13, 2013 • Trainings: March 14-15, 2013 • www.blackhat.com
Black Hat Europe 2013, the premier conference on information security, returns to Amsterdam on March 12-15, 2013. This year will feature two days of hands-on training courses followed by two days of Briefings comprising over 50 presentations covering the most relevant topics in security today.
Storage Security Governance: A Case Study
By Vinoth Sivasubramanian – ISSA member, UK Chapter

Storage security has always been one aspect of IT management that never seems to get the attention it deserves, regardless of legal, regulatory, and business risks. Storage security should be a concern for any organization irrespective of size and number, due to the multitude of challenges surrounding it. For example, one recent survey conducted by PwC [1] stated that 29 percent of organizations still find locating their data a big challenge; however, going by experience at the ground level, there are even more challenges, such as the following:
• There are just not enough eyes on the problem!
• Where is the data residing?
• Increased regulatory audits
• How do we align with the existing standards and regulations?
• How do we handle advances in technology such as the increased use of mobile devices, consumerization, etc.?

This paper describes the experiences and results of an assignment that brought about a marked improvement in storage security for a commodity trading organization. The practical steps suggested aim to answer some of the core challenges surrounding storage and bring about a continual-improvement storage security program.

Organizational background
Phoenix Consulting (The Firm), based in India, is a boutique IT audit and consulting firm helping clients meet their compliance requirements and achieve their security objectives. The Company (name withheld for security purposes) is a commodity trading organization that aims to reduce the gap between customers and farmers, has a 1000+ client base, and is fitted with state-of-the-art routers, switches, firewalls, Windows servers, and storage area network (SAN) storage architectures and devices that store customer information, IDs, and bank account details. Though the organization is ISO 27001:2005 certified and had a structured Information Security Management System (ISMS), they had recently faced issues with sensitive data:
1. The Company was not aware of where the data was located: the storage devices were left out of the purview of the ISO 27001 scope due to an ongoing implementation.
2. Bringing it under the purview of the ISO 27001 governance program: the scope was extended to cover storage devices and the data that needed to be protected. As an added advantage, increasing the scope also satisfied guidelines on storage security imposed by the local authorities, aligned with ISO 27001, gave the organization better control and governance, and helped them optimize their resources (time and manpower) on areas that required attention.

That is when The Firm was called, as we had helped them achieve ISO 27001 certification. The impediments that would arise during the implementation of this project were very well known to us, as we had both the expertise and the experience of implementing projects of a similar nature. The critical steps for the success of this program are the following:
1. Gain management support
2. Perform gap analysis
3. Identify assets
4. Perform risk assessment
5. Implement security controls
6. Perform an audit and improve

Gain management support
Getting management support in our case was quite easy, as the organization had recently faced a regulatory issue. Management was briefed about the challenges involved in storage security, the time it would take to implement this program, and our approach to bringing it to completion. In circumstances where there are no legal or regulatory issues, get management support by briefing them on the possible business risks, rewards, and efforts involved. As per ISO 27001, record the minutes of these meetings as per the record control procedure1 and the management review requirement.2 Unless there are regulatory, contractual, or legal obligations or compulsions, ensure that the cost of protecting the information is less than the value of the information being protected. A sample template that was used to capture and record the most important information is shown below.

Description: Storage security risk
Risks: Legal, financial, regulatory, and business risks
Rewards: Elevated customer confidence
Effort: High
Cost estimation: $600,000 USD
Time span: 6 months
Approach: ISO 27001 approach
Cost of damages: $10 million USD annually in the event of a breach
Cost of protection: $2 million for the first year, less than $1 million from the next year onwards
Return on investment: Roughly $5 million per year
ISO clause: Mandatory clause 5 of ISO 27001:2005 – Management Review of ISMS

Gap analysis
Since management expectations were very clear and they were already aware of some of the existing gaps, a gap analysis exercise was carried out which detailed the current scenario. After a detailed gap analysis, the following area emerged as the single stumbling block to achieving the management objectives and meeting compliance requirements: where is the data located?

Lessons learned: Conduct a gap analysis, irrespective of the compliance level of the organization – keeping in mind management expectations and objectives – and then chart out the stumbling blocks. Form a focus group and engage all the information users, as you will get to know the security posture of the organization in reference to storage security better, which will help improve the initiative.

Solving the data location challenge
To solve the challenge of data location, we used a two-pronged approach. The first part was using an automated tool – ManageEngine3 asset manager in this case – to capture all the IP devices located in the enterprise. Next we listed the non-IP devices, namely USB and mobile devices. The organization had provided only organization-approved USB devices to be used by their employees, and these were given only to senior management. Since mobile applications were also used, mobile devices were listed in the asset register. After comprehensive discussions with the asset custodians and stakeholders, we had gathered enough information on the locations of the most critical data.

Lessons learned: Capture IP and non-IP devices within the enterprise and list them in the asset register. Capture the information residing on these devices through multiple iterations with the asset users and custodians (to increase the accuracy of the information collected, it is necessary to perform at least two iterations to eliminate the errors and miscommunications that you will encounter when capturing the information residing on devices). Validate the output of information discovery and classification technologies rather than taking it on trust.

Identify assets – knowing what to protect
After getting to know the devices and the information residing on these devices, validate the automatically generated data using a comprehensive sampling methodology: we did a 98 percent sample to provide comprehensive assurance to management that the data collected was authentic. This also enabled management to make better decisions. In our case this sampling provided a better insight into what needed to be protected. Using the data on hand, management determined which information was very critical to the organization; incidentally, this was also in line with local laws and regulations. Management identified this information, classified it as highly confidential, and provided directives for storing, accessing, processing, and disposing of it. A sample data record is given below.

Data description: ID details of customer
Data type: Highly confidential, irrespective of the location of the data
Access: No write access to anyone; read access to a select few
Security type: Least exposure to business, legal, or financial risks

After getting a clear and comprehensive mandate on the data that needed to be protected as part of this storage security governance program, we laid out the next course of our plan to implement these programs. The first step was to form a focus group, identifying members across the enterprise who would help propel the program forward.

Lessons learned: Take time to accurately sample the data using automated and manual methodologies. Get management expectations clear on the data that needs to be protected as top priority. This will help the organization prioritize risk and allocate resources wherever needed. Remember this is a program to improve storage security practices and is not a one-time solution.

Risk assessment
The challenge we encountered in doing a risk assessment for this organization was that an ongoing ISO 27001:2005 risk assessment was already being performed, and we were told specifically not to disturb the assessment or change the methodology. So, in line with the expectations and directives of senior management, a linked risk assessment approach was carried out, wherein the information that needed to be protected was treated as an individual asset, and the various threats, vulnerabilities, and controls in place were listed out.

Lessons learned: Perform the risk assessment exercise with the assistance of the focus groups; this provides them insight into these activities, and also provides the much needed additional controls which are required at the ground level.

We shall now look at how the storage security program initiative was carried out with the right mix of people, processes, and technology.

Implement controls
Based on the results obtained from the risk assessment and inputs from legislative guidelines and various other best practices [2][3][4][5], the controls outlined below were implemented, in no particular order.

Review of security policies
Armed with the results from the risk assessment exercise, information security policies were reviewed [4] where needed and new ones written where found missing. In our case we tweaked the configuration management policy to include the storage devices, and wrote fresh policies in relation to Bring Your Own Device (BYOD) and Use Your Own Applications for the organization in regards to storage security.

1 Mandatory clause 4.3.2 of ISO 27001.
2 Mandatory clause 5 of ISO 27001:2005.
3 http://www.manageengine.com/products/desktop-central/software-hardware-inventory.html.
  19. 19. Fortified cloud Security to the cloud. Security for the cloud. Security from the cloud. Our solutions do more than bring you to the cloud, they keep your business secure when you get there. + FIND OUT how CA Technologies can help you accelerate, transform and secure your IT by visiting ca.com/secure-IT and learn more by reading our cloud strategy and vision white paper at ca.com/IAMfortheCloud Copyright © 2012 CA. All rights reserved. Join us at Gartner IAM Visit us at Booth S19 December 3-5, 2012 Las Vegas, NV
  20. 20. (UYOA). The table describes in short the policies that we had tweaked and the ones that were newly written. POLICY DESCRIPTION 1. Access control policy Tweaked,to support the management directives 2. BringYour Own Device and Use Your Own Applications Newly drafted 3. Configuration management Tweaked,brought SAN under the configuration management database (CMDB) 4. Patch management policy Tweaked,to include upgrading of SAN storage devices 5. Incident management Tweaked,to include storage security issues to be reported through the inci- dent management system 6. Information control policy Newly written,to provide greater clarity to management and stakeholders in identifying the most critical informa- tion and how it must be controlled Lessons learned: Always earmark the policy effective data in concurrence with management before going ahead in draft- ing the procedures that are required to support these poli- cies. Since in most organizations procedures, meaning the steps that are required to support the high-level statements of management, are generally driven bottom up, earmark- ing a policy effective date will bring in greater commitment amongst middle management, thereby helping the initiative propel fast forward. Review of Procedures With management’s directives being very clear, we now re- viewed the procedures that were directly related to storage security. The procedures that we had reviewed in line with the task on hand were backup, asset management, internal audit, media disposal, legal, and compliance. The table below describes some of the tweaks performed on the procedures and their cross references to the ISO 27001:2005 standard. PROCEDURE DESCRIPTION ISO CLAUSES Asset management procedure Asset management procedure was tweaked to include automated scan- ning of all the IP devices and verifying information on all non-IP devices on a fortnightly basis. 
Mandatory Clause 4.2.1d and Control A.7 Asset Manage- ment Backup procedure Back up procedure was spruced up to include correct identifiers and method of storage and disposal, which are often missing factors in backup procedures.Technologies to eliminate manual tapes were also charted out. A.10.5.1 Informa- tion Back-up Internal audit procedure The internal audit procedure was enhanced to include audit of storage devices and the allied storage houses of information. Mandatory Clause 6 (Internal Audit), A.15.3.Informa- tion Systems Audit Legal and compliance procedure Resources were allocated to manage the agile compliance landscape;the procedures to report the changes were documented. A.15.1.1 – A.15.1.5 Compli- ance with legal requirements Media disposal procedure How to dispose of the media,contain- ing the information that needs to be protected,in the event of a total failure of the device.Incorporating authorized agents to carry data off site for disposal. A.10.7 Media Handling and A.10.8 Exchange of Information Lessons learned: While doing a review of the various pro- cedures, make time to discuss the technological investments that need to be made in this regard. Knowledge of these in- vestments will help in procuring the technology while the process is still in place. This will help save a lot of time, and help move things at a quicker pace. Technological perspective With knowledge of the information that needs to be protect- ed being clear, the first step we took was to reinspect the ap- plication architecture and redesign the business processes to meet the organization’s expectations. Business process re-engineering With the very critical organization assets lying scattered across various applications and reports, the business pro- cesses were re-engineered, wherein multiple processes of cap- turing user information and completing the sale processes were integrated into one simple application and screen. 
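As an added example (not code from the case study, and not the output format of the asset manager tool it used), the Python below reconciles an automated IP-device scan with custodian-reported IP and non-IP devices over the two iterations recommended in the data-location lessons above, and then answers the identify-assets question of where a given class of protected information lives. Every hostname, serial number, custodian and data label is constructed for the example.

```python
"""Asset register reconciliation across custodian iterations.

Added example; not the case study's code and not the output format of the
asset manager it used. Hostnames, serial numbers, custodians and data labels
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Records returned by the automated IP discovery scan (constructed sample).
SCAN_RESULTS = [
    {"ip": "10.1.0.10", "mac": "AA:BB:CC:00:00:10", "hostname": "DB-PROD-01"},
    {"ip": "10.1.0.11", "mac": "AA:BB:CC:00:00:11", "hostname": "san-mgmt"},
    {"ip": "10.1.0.12", "mac": "AA:BB:CC:00:00:12", "hostname": "HR-LAPTOP-07"},
]

# First round of custodian answers (constructed). Non-IP devices such as USB
# sticks and mobiles never appear in a scan, so they are keyed by serial number.
CUSTODIAN_ROUND_1 = [
    {"id": "db-prod-01", "type": "ip", "custodian": "dba-team", "data": "customer ID details"},
    {"id": "san-mgmt", "type": "ip", "custodian": "storage-team", "data": "none"},
    {"id": "USB-SN-0001", "type": "usb", "custodian": "cfo", "data": "customer ID details"},
    {"id": "old-file-srv", "type": "ip", "custodian": "it-ops", "data": "unknown"},
]

# Second round: custodians answer the open items from round one (constructed).
CUSTODIAN_ROUND_2 = [
    {"id": "hr-laptop-07", "type": "ip", "custodian": "hr-team", "data": "customer ID details"},
    {"id": "old-file-srv", "type": "retired", "custodian": "it-ops", "data": "none"},
]


@dataclass
class Asset:
    key: str
    kind: str                 # "ip", a non-IP kind such as "usb"/"mobile", or "retired"
    custodian: str = ""
    data: str = "unknown"     # information the custodian says resides on the device
    discovered: bool = False  # seen by the automated scan
    declared: bool = False    # reported by a custodian
    status: str = "open"


def normalize(name: str) -> str:
    """Hostnames and serials arrive in mixed case from different sources."""
    return name.strip().lower()


def reconcile(scan: List[dict], declared: List[dict]) -> Dict[str, Asset]:
    """Merge scan output with custodian records and classify every asset."""
    register: Dict[str, Asset] = {}
    for row in scan:
        key = normalize(row["hostname"])
        register[key] = Asset(key=key, kind="ip", discovered=True)
    for row in declared:                      # later records override earlier ones
        key = normalize(row["id"])
        asset = register.setdefault(key, Asset(key=key, kind=row["type"]))
        asset.declared, asset.kind = True, row["type"]
        asset.custodian, asset.data = row["custodian"], row["data"]
    for asset in register.values():
        if asset.discovered and asset.declared:
            asset.status = "confirmed"
        elif asset.discovered:
            asset.status = "undeclared"   # on the network but nobody has claimed it
        elif asset.kind == "ip":
            asset.status = "not-found"    # custodian lists it, the scan cannot see it
        elif asset.kind == "retired":
            asset.status = "retired"
        else:
            asset.status = "non-ip"       # USB/mobile: inventoried from custodians only
    return register


def open_items(register: Dict[str, Asset]) -> List[str]:
    """Assets that still need a custodian answer before the register is trusted."""
    return sorted(k for k, a in register.items() if a.status in ("undeclared", "not-found"))


def run_iterations(scan, rounds, min_rounds: int = 2):
    """Feed custodian answers round by round; the page advises at least two rounds."""
    declared: List[dict] = []
    history: List[List[str]] = []
    register: Dict[str, Asset] = {}
    for answers in rounds:
        declared = declared + answers
        register = reconcile(scan, declared)
        history.append(open_items(register))
    if len(rounds) < min_rounds:
        raise ValueError(f"at least {min_rounds} custodian iterations are required")
    return register, history


def assets_holding(register: Dict[str, Asset], data_label: str) -> List[str]:
    """Where a given class of protected information lives, retired devices excluded."""
    return sorted(k for k, a in register.items()
                  if a.data == data_label and a.status != "retired")


if __name__ == "__main__":
    reg, hist = run_iterations(SCAN_RESULTS, [CUSTODIAN_ROUND_1, CUSTODIAN_ROUND_2])
    for rnd, items in enumerate(hist, 1):
        print(f"open after round {rnd}: {items}")
    print("holds customer ID details:", assets_holding(reg, "customer ID details"))
```

After round one the register still carries an undeclared laptop found by the scan and a file server that a custodian listed but the scan could not see; only the second round, in which the custodians answer those two items, leaves no open entries, which is the point of the "at least two iterations" advice.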
In a similar manner the reports that were associated with this information were also confined to one single area. This helped control access to the information and the related aspects of storage, retention, and disposal of the storehouses of the most vital assets of the organization.

Lessons learned: A very important aspect in redesigning business processes is to never lose sight of the task in hand; in this case we redesigned the process keeping in mind customer ID and bank account details and confining them to a centralized location. Very often people lose sight of the specific goal and go into complete process re-engineering.

Application architecture inspection

The application architecture was also inspected, incorporating secure-by-design and privacy-by-design principles wherein privacy and data protection guidelines were integrated within the entire life cycle of the code, starting from requirements gathering to implementation of the code, which was not the case earlier. An important concept implemented after this inspection was that the customer information capturing screen did not use cookies or store any kind of information at all. The information that was captured was stored in the database in an encrypted format. To minimize cost we chose column-level encryption for storing the information in the database. Apply the same principles to database backups – this is often overlooked and forgotten. Access to this encrypted data was made available only to a select few.

Information integrity monitoring software

The next technology that we implemented was to invest in information integrity monitoring software, wherein any change in the access or availability or the information entity itself was allowed only after approval from the entire management. This software used an all-approvers hierarchy, in which each member of management undertook the responsibility of approving changes to the confidentiality matrix.

Server and media encryption

Since the physical server housing the database and the critical information needed to be adequately protected, we looked at the various encryption solutions available on the market and finally decided on an encryption solution that suited the budgetary requirements, ease of operability, and service delivery capabilities of the vendor. Similarly, endpoint encryption was performed on endpoint devices using appropriate tools to protect the media that might be used to contain the protected information. Since the organization had a zero-tolerance policy towards using unapproved USB devices, controlling them through the media encryption and endpoint software also provided the required protection.
The following best practices were used:
• Aligned encryption technology with existing cryptographic standards and controls [4]
• Selected location-at-rest encryption to minimize user impact to server availability
• Implemented in-flight and at-rest encryption mechanisms

Lessons learned: There were challenges involving encryption; the lessons learned are the following tips:
• If undecided between two potential points of encryption, pick the one closest to the application generating the data
• Ensure deduplication is performed before encryption to minimize data duplication
• Ensure encryption creates adequate log entries in line with business, legal, regulatory, and compliance requirements [3][4]

Third-party agreements

Third-party agreements were spruced up to incorporate secure working practices of the service providers, in the event of maintenance of the storage devices. In particular we made them agree to let us audit their work and working practices, thereby ensuring good security practices.

Lessons learned: As part of regulatory compliance, third-party service providers and consultants are also required to adhere to the practices adopted by the organization. However, many organizations miss out on auditing their service providers. Initially service providers may be a bit apprehensive of this, but informing them of the long-term benefits and how it could work in their favor will make them oblige. As a reward, act as a brand ambassador by giving a good recommendation for them, allowing them to include your name on their website, etc. In short, have a reward mechanism with penalties for missing out on security practices.

System controls

Even though confidential information was accessible only to a select few with clearly defined roles, we made the system even stronger by mapping their access to the MAC addresses of the users' systems. Integrated with a log management system, any deviations were recorded, tagged as incidents, and closed through the corrective and preventive action processes.

Network-level controls

We used VPN-anywhere software [9] (software used to ensure only authorized users access resources) to identify and authenticate user access to the application's front end for internal users who had access to the privileged information. Rules on firewalls were adequately created to check for leakage of the protected information.

Fibre channel security

Secure fibre channel storage networks were used in this organization, which are basically SAN devices. A storage area network is an architecture to attach remote computer storage devices such as disk arrays, tape libraries, and optical jukeboxes to servers in such a way that to the operating system the devices appear locally attached. These SANs were on a fibre channel topology that utilized the fibre channel protocol. Storage area network best practices (configuration management database) [2]:
• Restricted switch interconnections
• Disabled unused ports
• Hard zoning was used as the management wanted strict controls in relation to the movement of the data
• Implemented LUN masking

Audit

After having implemented various controls, we conducted a detailed audit to check the effectiveness and efficiency of the controls. Specific audits conducted by us are described below.

Vulnerability assessment and penetration testing

As the final stage before signing off this project, a penetration testing and vulnerability analysis exercise was carried out on the servers, SAN storage, media, desktops, laptops, network devices, and the members of the organization. This also included conducting configuration review assessments of the networks, servers, database, SAN storage, desktops, company-owned mobiles, and social engineering tests. The tools used to conduct these assessments are listed below. All tools were selected based on budgets, ease of operability, and service delivery capability of the vendor.

DESCRIPTION                      NAME OF THE TOOL
Desktops and server assessment   MS Baseline [6]
Networks                         OpenVAS [7]
SAN storage devices              SNIA Standards [2]
Database                         AppDetective Pro [8]
Social engineering               Manual

Source code review

Source code review is one area generally missed and is really the Achilles heel in storage security. It is here that data is generated. So as part of the audit stage, the source code of the application was checked thoroughly using static testing methodologies, wherein the entire code was tested manually to identify vulnerabilities in the code, and dynamic analysis to uncover potential leakage points on the system. The source code was also audited from a process perspective as to how the organization went about freezing the code before it was developed. An end-to-end, development-to-release management audit was also carried out to identify any process-related gaps.

Log management

Logging is an essential part of storage security. Log all storage devices, with clear markup of the data to be protected as well as the storehouses. We used benchmark logging, wherein the current configuration snapshot was benchmarked and stored within the log management solution; any change to the configuration parameters of any asset was recorded, and deviations were set to be categorized as incidents and closed off through a proper root cause analysis (RCA) using a corrective action/preventive action (CAPA) form.

Training and retraining

One of the biggest challenges towards storage security is that storage admins are not aware of security, and security personnel are not aware of the storage challenges. To fill this gap the services of the SAN provider were utilized effectively to teach security principles and practices to storage admins and to teach storage principles and practices to security personnel. A reverse knowledge transfer was employed wherein security professionals authenticated the knowledge of the storage admins and storage admins authenticated the storage knowledge of security personnel within the enterprise. This ensured the challenges were clearly understood and solved amongst them.

Improve

You cannot improve what you cannot measure. Therefore, based on some simple metrics satisfying compliance and legislative requirements, a simple measurement exercise was conducted. One of the measurement exercises with a template is described below.

Measurement

After completion of the above activities, an improvement measurement exercise was carried out. The result clocked a 90 percent improvement in information visibility, which was in line with the regulations of the local government. A sample result is tabulated as an example (table 1).

Table 1 – Improvement measurement exercise
  Description: What needs to be stored more carefully
  Before the initiative: No data available
  After the initiative: Available
  Improvement: 100 percent
  Benefit: Minimization of regulatory fines, enhanced customer confidence
  Effort: High

Lessons learned: Always ensure you earmark a follow-up audit on the measurement results. Check for improvements and sustained results. This way you build up a long-term relationship, providing greater value to your projects.

Overview summary

With storage security seriously impacting business, we present a brief overview of the process before (figure 1) and after (figure 2) implementation of the storage security program pictorially for better understanding.

Figure 1 – The process during ISO 27001:2005 certification. Flow boxes: ISO 27001:2005 – Management Determines the Scope of ISO 27001:2005; Identify the Assets under the Identified Scope; Perform Risk Assessment on the Identified Controls; Treat the Identified Risks through Implementation of Various Controls; Audit, Measure & Improve the Controls Implemented.

Figure 2 – ISO 27001:2005 linked storage security implementation. Flow boxes: ISO 27001:2005 Scope Directed by Legislative Guidelines in Combination with Management Directives; Risk Assessment on the Data Reservoirs; Information to Be Protected Was Identified; Information Storage Devices Were Captured and Listed; Business Process Walkthrough to Identify Data Flows and Storage Reservoirs; Audit, Measure & Improve the Controls Implemented.

Conclusion

Even though The Company was already ISO 27001:2005 certified, the concept of storage security was something new to the management and business heads. Getting the message across at all levels and emphasizing the importance of storage security and its long-term benefits was the most challenging. Once we had the support of management, others followed suit and it was then easy for us to help the organization achieve its security objectives. The guidelines laid out above are the experiences learned from implementing a storage security program and are meant only to act as a guide to propel storage security in the right direction. Overall, organizations that are certified against standards such as ISO 27001 and COBIT can find the going a bit easier because of the many cross references.

References

[1] http://www.idgconnect.com/view_abstract/7945/global-state-information-security-survey-2012.
[2] https://www.snia.org/forums/ssif/programs/best_practices.
[3] http://deity.gov.in.
[4] http://www.iso27001security.com.
[5] http://searchstorage.techtarget.com/definition/storage-security.
[6] http://www.microsoft.com/en-us/download/details.aspx?id=7558.
[7] www.openvas.org.
[8] www.appsecinc.com/products/appdetective.
[9] www.vpnanywhere.com.

About the Author

Vinoth Sivasubramanian is a passionate information security professional with more than eight years of experience in various domains such as telecom, consulting, and finance. In addition to volunteering time for security associations such as ISACA and ISSA, he dedicates time to sustainable living by investing time and money in organic farming activities through local volunteers with a vision to lead people to a stable and balanced living. He can be reached at Vinoth.sivasubramanian@gmail.com.
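The benchmark logging in the Log management section and the MAC-mapped access check in System controls reduce to one pattern: a stored benchmark, a comparison against what is currently observed, and an incident that is closed only after root cause analysis and a completed CAPA form. The Python below is an added example of that pattern written for this page; it is not the log management or integrity monitoring product the organization used, and the asset names, parameters, MAC addresses and log lines are constructed.

```python
"""Benchmark logging and deviation-to-incident handling.

Added example illustrating the Log management and System controls sections;
it is not the log management product or integrity software used in the case
study. Asset names, parameters, MAC addresses and log lines are constructed.
"""
import hashlib
import json
import re
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Dict[str, str]]
Deviation = Tuple[str, str, Optional[str], Optional[str]]  # asset, parameter, expected, observed

# Configuration snapshot stored as the benchmark (constructed).
BASELINE: Snapshot = {
    "san-switch-01": {"zoning": "hard", "unused_ports": "disabled", "isl_peers": "sw02"},
    "db-prod-01": {"column_encryption": "on", "backup_encrypted": "on",
                   "allowed_mac": "aa:bb:cc:00:00:10"},
}

# Snapshot collected at the next scheduled check (constructed): two parameters
# drifted on the switch and an undocumented parameter appeared on the database.
OBSERVED: Snapshot = {
    "san-switch-01": {"zoning": "soft", "unused_ports": "disabled", "isl_peers": "sw02,sw09"},
    "db-prod-01": {"column_encryption": "on", "backup_encrypted": "on",
                   "allowed_mac": "aa:bb:cc:00:00:10", "debug_dump": "on"},
}

# Access log lines as forwarded to the log management system (constructed format).
ACCESS_LOG = [
    "2012-11-02T09:14:03Z user=alice host=db-prod-01 mac=aa:bb:cc:00:00:10 action=read",
    "2012-11-02T09:20:41Z user=alice host=db-prod-01 mac=DE:AD:BE:EF:00:01 action=read",
    "2012-11-02T09:25:00Z user=bob host=san-switch-01 mac=aa:bb:cc:00:00:22 action=login",
]

# Parameters whose change is treated as high severity because they protect the data.
PROTECTIVE = {"zoning", "column_encryption", "backup_encrypted", "allowed_mac", "unused_ports"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) mac=(?P<mac>\S+) action=(?P<action>\S+)$"
)


def fingerprint(snapshot: Snapshot) -> str:
    """Stable hash of a snapshot, so the stored benchmark itself can be checked for tampering."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def config_deviations(baseline: Snapshot, observed: Snapshot) -> List[Deviation]:
    """Every changed, added or removed parameter, in a stable order."""
    out: List[Deviation] = []
    for asset in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(asset, {}), observed.get(asset, {})
        for param in sorted(set(before) | set(after)):
            if before.get(param) != after.get(param):
                out.append((asset, param, before.get(param), after.get(param)))
    return out


def access_deviations(lines: List[str], baseline: Snapshot) -> List[Deviation]:
    """Access to a MAC-mapped host from any other MAC is a deviation."""
    out: List[Deviation] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are left to the log parser's own error queue
        host, mac = m["host"], m["mac"].lower()
        expected = baseline.get(host, {}).get("allowed_mac")
        if expected is not None and mac != expected:
            out.append((host, "allowed_mac", expected, f"{mac} by {m['user']} at {m['ts']}"))
    return out


def raise_incidents(deviations: List[Deviation], start: int = 1) -> List[dict]:
    """Each deviation becomes an open incident carrying an empty RCA/CAPA record."""
    incidents = []
    for n, (asset, param, expected, observed) in enumerate(deviations, start):
        incidents.append({
            "id": f"INC-{n:04d}", "asset": asset, "parameter": param,
            "expected": expected, "observed": observed,
            "severity": "high" if param in PROTECTIVE else "medium",
            "status": "open", "rca": None, "corrective": None, "preventive": None,
        })
    return incidents


def close_incident(incident: dict, rca: str, corrective: str, preventive: str) -> bool:
    """An incident closes only with a root cause and both halves of the CAPA form filled in."""
    if not (rca and corrective and preventive):
        return False
    incident.update(rca=rca, corrective=corrective, preventive=preventive, status="closed")
    return True


if __name__ == "__main__":
    found = config_deviations(BASELINE, OBSERVED) + access_deviations(ACCESS_LOG, BASELINE)
    for inc in raise_incidents(found):
        print(inc["id"], inc["severity"], inc["asset"], inc["parameter"], inc["expected"], "->", inc["observed"])
```

Two design points worth noting: the benchmark is hashed canonically so that a tampered stored snapshot is detectable independently of the drift check, and `close_incident` refuses a partial CAPA record, which is what keeps the "closed off through a proper root cause analysis" requirement from becoming a checkbox.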
  24. 24. Structured Risk Analysis Offers Rich Rewards By Greg Jones Risk analysis is a far from exact science with assessments continuing to vary in scope. This article discusses the emergence of context-aware classification systems and methods that can guide you through the process with pre-categorized risk information and could be the key to effective risk and threat analysis. tively tackle threat elements, from data leakage or theft to malicious attacks. However, if limited to the requirements of many standards, it can be highly subjective and limited in scope, looking only for risk within a given context with little consideration given to the wider picture such as user buy-in, emerging threat vectors, and industry-specific threats. With- out these factors, any threat assessment can quickly lose its relevance and its value. Risk management needs to a measured but continual process, because its true value lies in being able to alert the organiza- tion to an issue before it is realized and manage it into reso- lution. However, the overall management process can only be successful if it contains accurate methods for the evalu- ation of risks and threats. Many of the common approaches currently used fail to provide sufficient guidance and fail to capture knowledge from the early adopters of either business or technology. Furthermore, early adopters will need support from more technical frameworks as they “forge a path” for the rest of us. Prescriptive measures Of course, we have come a long way in the development of risk analysis. In the mid 1990s, technical computer security was embryonic. The implementation of even the most basic security control would often result in executive foot stamp- ing, as a result of which few had installed antivirus (AV), fire- walls, or passwords. When it came to designing and testing the first Internet banks, risk analysis was often a good way of ensuring executive buy-in and of protecting investment. 
Abstract Risk analysis is a far from exact science with assessments con- tinuing to vary in scope. But the emergence of context-aware classification systems could be about to change that. Meth- ods that guide you through the process with pre-categorized risk information could be the key to effective risk and threat analysis. R isk analysis is now an integral part of any business decision and essentially involves playing Devil’s Ad- vocate in a commercial context, looking for potential issues, their impact, and the time and cost involved in reme- diation. It’s a far-from-exact science precisely because it deals in “what if” scenarios and the “cause and consequences” of them. Today’s regulation and security frameworks go some way to providing consistent risk analysis with processes and proce- dures that can be used to systematically evaluate risk. These provide a valuable starting point, but the danger is that orga- nizations embark upon a risk analysis assessment as a box- ticking exercise and mistakenly believe they have covered all the angles. In reality, implementing a risk analysis has to be a more methodical, context-based process which seeks to ex- plore elements of risk and the fallout involved beyond that stipulated by regulations, not least because security stan- dards are prone to date and become out of step with the ever changing threat spectrum. Whenever an enterprise embarks on a new venture or change in strategy, there will inevitably be some element of risk analysis to protect the existing business. Risk assessment is invaluable in enabling the business to identify and then ac- 24 – ISSA Journal | December 2012 ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY ©2012 ISSA • www.issa.org • editor@issa.org • All rights reserved.
  25. 25. we would now consider essential requirements: recommend- ing AV on servers, the installation of a firewall on Internet connections, that users have unique userIDs each with pass- words, and that data was routinely backed-up. The antipathetic reaction was mainly due to the security com- munity’s discomfort concerning the gap between the actual controls and those specified by the standard. Most medium- sized organizations would receive an unfavorable benchmark if their security was compared to the standard (and would do for many years). Correspondingly, later versions of the stan- dard and its successor ISO2700x, selected controls via a free- form risk analysis where threats were not pre-calculated and impacts not pre-described, as this drove the whole security process and was ultimately used to select the organization’s security controls when they were codified into a risk treat- ment plan. In reviewing this risk treatment plan, key con- trols were often missing. Sometimes these errors happened because of a lack of a solid framework for the risk assessment. However, many skilled security officers could play the system to “risk assess” away essential controls for reasons of budget- ary success or political expediency. Until recently, it was very common to find that controls in the areas of segregation of duties, monitoring of administrative users, and network sep- aration were de-selected supposedly because of the low risk.3 3 Michael Cobb,“Segregation of Duties: Small business best practices,” Application Security, 11 December 2011, Searchsecurity.com - http://searchsecurity.techtarget. co.uk/tip/Segregation-of-duties-Small-business-best-practices. In 1995 the British Standards Institute published BS77991 (later to become ISO17799 and) as a “prescriptive” security standard. 
This was great for organizations that needed guid- ance in implementing tangible security measures in com- mercial environments, which at that time could mainly be described as “security greenfields” – at the time many orga- nizations didn’t have systemic security environments. The standard had ten simple “key controls” which all organiza- tions should maintain. It seems quite incredible now but the most essential of con- trols (such as firewalls and AV) were not installed as a matter of course. To do so, the security practitioner needed to justify them. But it was a different time. I remember giving a pre- sentation at the time for ISACA on the differences between circuit-level, proxy, and state-full inspection firewalls to a security interest group, when a representative from a large US telco who was sharing the stage, turned into a unfriendly combatant fighting for a “firewall-free world.” Not a cause that many would rally to defend these days. There was a surprisingly negative reaction to this prescrip- tive standard. Many CISOs and security consultants claimed2 that it did not take into account risk or different organiza- tions security requirements. Yet the standard only had what 1 “ISO/IEC 27002,” ISO 27001 security, http://www.iso27001security.com/html/27002. html. 2 “Alan Calder on IT Governance, information security and ISO 27001,” BS 779, 16 October, 2007, http://www.alancalderitgovernanceblog.com/tag/bs-7799/. PROTECT, DETECT & DEFEND AGAINST CYBER CRIME Build specialized career-advancing strengths in fighting cyber crime with these online degree programs: M.S. in Cybersecurity with Specializations in: • Intelligence • Forensics B.S. in Cybersecurity with Concentrations in: • Cybercrime Investigations and Forensics • Information Assurance CALL: 315.732.2640 VISIT: www.onlineuticacollege.com/ECJS December 2012 | ISSA Journal – 25 Structured Risk Analysis Offers Rich Rewards | Greg Jones ©2012 ISSA • www.issa.org • editor@issa.org • All rights reserved.
  26. 26. There is no “one-size-fits-all” standard, and risk will vary for each business and fluctuate over time. But nearly all orga- nizations use the Internet, use PCs, and comprise of people, thereby sharing common threats. Modern methods need to embrace the benefits and efficiency of standard controls and common threats in the same way as organizations buy stan- dard application systems rather than building from scratch. Selective security Of course, the development of ISO27005 in 2008 formalized the approach to risk, but this still focused on the process of risk identification and estimation, thereby failing to close the gap between actual and perceived risk. And therein lies the crux of the matter, for although risk assessment is a very valu- able tool, a skilled and forceful security officer will always be able to “risk-assess away” the need for essential controls if the methodology being used for the assessment is unbound- ed and not parameterized. For example, until recently it was very common to hear from online businesses that the risk of DDoS was invented mainly because the cost of mitigation was high, even when the list of victims of such attacks was growing. These days, information security has become more methodi- cal and science based. Newer standards have adjusted to be- come more sophisticated. A baseline level of security is re- quired to which additional controls can be added as required for increased threat/impact but not reduced as the underlin- ing threats are ubiquitous and so the control is mandatory. Many standards now include predefined and codified impact tables and threat categorization, and generic risk categories help focus the risk analysis. These are described below. The Payment Card Industry Data Security Standard (PCI- DSS) is an example of one of these standards with predefined technical controls. It mandates computer security controls which are routinely deployed. 
The card issuers who imposed the standard believe that the risk associated with processing customers’ data warrants the minimum acceptable security requirements laid out by PCI-DSS. However, it too has been criticized. At recent industry conferences, many organizations subject to PCI-DSS have been lobbying for a reduction in the requirements, favoring instead the introduction of a risk-based approach. Interestingly, a review of PCI-DSS [4] shows more than a passing relation to the controls annex of ISO27001, which is notable given that many of the organizations struggling to meet the requirements of the DSS are also ISO27001 certified. Surely the similarity between the controls annex and PCI-DSS means that most of the technical controls should already be in place in an ISO27001-certified organization.

Baselines and impact tables

Most organizations (at least within a peer-group sector) share a risk profile, so there will always be common ground. The industry is beginning to embrace this through benchmarking and risk-score analysis. An example of an approach that provides a structured application of security controls based on different risk profiles is the combination of FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. These are “amplified” (a word used throughout the documents) in the US National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems and Organizations (SP 800-53) [5]. The idea is that an organization determines the risk associated with computer security failures from a series of impact tables. The resulting categorization of Low, Moderate or High is then used to select a tailored control baseline that accounts for this risk. The key fact here is that the control specification can always be made more stringent, but not reduced, through the standard assessment process. PCI-DSS and SP 800-53 alike do allow for the modification of controls in a “compensating controls” section, and any entry there receives suitable scrutiny. The process always results in a “good” control environment that covers the commonplace risks, because it mandates specific necessary controls and leaves little room for omitting particular sections. Detractors claim that this method does not cover organizations exposed to unique risks, but as these are the exception rather than the rule, such regulations remain highly relevant in tackling the most frequent, likely and destructive threats in the most common business environments.

What is really impressive about this scheme is the “science” that has gone into it. Not only is the security content good, but each control is assigned to a control family and systematically coded within that family. Where a control is amplified based on risk, the amplification is named by an indexed scheme: for example, the identifier AU-5 (1) (2) denotes control number 5 of the Audit and Accountability (AU) family with the predefined control enhancements (1) and (2) added. This allows for extreme rigor in quality control and supports future initiatives such as determining the impact and likelihood of various vulnerabilities.

Similarly, in the UK the HMG Information Assurance Standard No. 1 (IS1) [6] risk calculations classify assets and the potential impact of security events, breaking them down into Confidentiality, Integrity and Availability (CIA) in predefined tables called Business Impact Levels. This allows a consultant to engage with key directors to determine the likely impact of a breach of confidentiality, integrity or availability. Furthermore, IS1 also incorporates a structured assessment of the capability of threat agents or actors.

In our experience of working with other firms, we have noted that consultants sometimes use a very similar approach in their proprietary “low-touch” security architecture framework services. Although there are more comprehensive architecture design methods, they often engage with senior management with a clean sheet of paper, and at a technical rather than a business level. Often this approach is used because previous assessments have been conducted incorrectly, or the results have not been understood or were not available to the assessor. This is usually such a laborious approach that it quickly loses management commitment.

These standards and the development of impact tables have greatly enhanced the risk management process, enabling the security practitioner to hone assessments to business need and to communicate risk more effectively to management, but they are far from infallible. If the risk assessment doesn’t place the business within a real-world context, for example, it cannot accommodate emerging risks that are sector specific.

Skewed judgements

Upon engagement, most practitioners seek to capture information on customer sensitivity, contract type, customer
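The FIPS 199 categorization and the SP 800-53 control indexing described above lend themselves to a small worked example. The Python below is an added illustration for this page, not code from the article, from NIST or from any assessment tool. It computes a system's security category as the high-water mark over the information types it holds, parses indexed control identifiers such as AU-5 (1) (2), and checks a tailored control set against a baseline under the rule that the baseline may be raised but never reduced, with any shortfall having to be covered by a documented compensating-control entry that is reported separately for scrutiny. The baseline table inside it is a constructed handful of identifiers for illustration only, not the published allocation tables.

```python
"""FIPS 199 categorization and SP 800-53 style baseline tailoring check.

Added example for this article; not code from the article or from NIST.
The BASELINES table is a constructed illustration, not the published
SP 800-53 allocation tables.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")  # FIPS 199 impact levels, lowest first
OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water_mark(*levels: str) -> str:
    """Highest impact level among those given (the FIPS 199 'high water mark')."""
    if not levels:
        raise ValueError("at least one impact level is required")
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level {lvl!r}")
    return max(levels, key=LEVELS.index)


def categorize_system(info_types: dict[str, dict[str, str]]) -> dict[str, str]:
    """Security category of a system hosting several information types.

    Each information type carries its own C/I/A ratings from the impact tables;
    the system takes, per objective, the highest rating over all types it holds.
    """
    return {
        obj: high_water_mark(*(ratings[obj] for ratings in info_types.values()))
        for obj in OBJECTIVES
    }


def overall_impact(system_category: dict[str, str]) -> str:
    """Overall system level: high-water mark across C, I and A. This is what
    selects the Low, Moderate or High control baseline."""
    return high_water_mark(*(system_category[o] for o in OBJECTIVES))


_CONTROL_RE = re.compile(r"^\s*([A-Z]{2})-(\d+)((?:\s*\(\d+\))*)\s*$")


@dataclass(frozen=True)
class Control:
    family: str                      # e.g. "AU" (Audit and Accountability)
    number: int                      # e.g. 5
    enhancements: frozenset[int] = frozenset()  # e.g. {1, 2} for "(1) (2)"


def parse_control(text: str) -> Control:
    """Parse an indexed identifier such as 'AU-5 (1) (2)' into its parts."""
    m = _CONTROL_RE.match(text)
    if not m:
        raise ValueError(f"malformed control identifier {text!r}")
    enh = frozenset(int(n) for n in re.findall(r"\((\d+)\)", m.group(3)))
    return Control(m.group(1), int(m.group(2)), enh)


def expand(control: Control) -> set[str]:
    """A control with enhancements implies the base control plus each
    enhancement; represent them as atomic requirement ids like 'AU-5(1)'."""
    base = f"{control.family}-{control.number}"
    return {base} | {f"{base}({n})" for n in sorted(control.enhancements)}


# Constructed illustrative baselines (a few ids per level), assumed for this
# example only; the real allocations live in the SP 800-53 appendices.
BASELINES = {
    "LOW": ["AC-2", "AU-2", "AU-5", "IA-2 (1)"],
    "MODERATE": ["AC-2 (1) (2) (3) (4)", "AU-2 (4)", "AU-5", "IA-2 (1) (2) (3) (8)"],
    "HIGH": ["AC-2 (1) (2) (3) (4)", "AU-2 (4)", "AU-5 (1) (2)",
             "IA-2 (1) (2) (3) (4) (8) (9)"],
}


def baseline_requirements(level: str) -> set[str]:
    """All atomic requirement ids in the baseline for `level`."""
    reqs: set[str] = set()
    for ident in BASELINES[level]:
        reqs |= expand(parse_control(ident))
    return reqs


@dataclass
class TailoringResult:
    ok: bool
    missing: list[str]      # baseline items neither implemented nor compensated
    compensated: list[str]  # baseline items covered only by a compensating entry


def check_tailoring(level: str, implemented: list[str],
                    compensating: list[str] = ()) -> TailoringResult:
    """Validate a tailored control set against the baseline for `level`.

    The baseline may be raised (extra controls are fine) but not reduced: every
    baseline item must be implemented, or else appear in the documented
    compensating-controls list, which is reported back for scrutiny.
    """
    required = baseline_requirements(level)
    have: set[str] = set()
    for ident in implemented:
        have |= expand(parse_control(ident))
    documented: set[str] = set()
    for ident in compensating:
        documented |= expand(parse_control(ident))
    shortfall = required - have
    missing = sorted(shortfall - documented)
    return TailoringResult(not missing, missing, sorted(shortfall & documented))


if __name__ == "__main__":
    # Constructed sample: two information types on one system.
    types = {
        "cardholder data": {"confidentiality": "HIGH", "integrity": "MODERATE",
                            "availability": "MODERATE"},
        "marketing content": {"confidentiality": "LOW", "integrity": "LOW",
                              "availability": "MODERATE"},
    }
    cat = categorize_system(types)
    level = overall_impact(cat)
    print(cat, "->", level)
    print(check_tailoring(level, ["AC-2 (1) (2) (3) (4)", "AU-2 (4)", "AU-5 (1)",
                                  "IA-2 (1) (2) (3) (4) (8) (9)"]))
```

Run against the constructed sample, the system categorizes as High on confidentiality and Moderate on the other two objectives, so the High baseline applies; the tailored set is then rejected because AU-5 (2) is absent, and it only passes once AU-5 (2) is listed as a compensating control, where it is reported separately so a reviewer can give it the scrutiny the article mentions.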
Notes

4. “PCI vs ISO,” Focus on PCI, 12 October 2012, http://www.focusonpci.com/site/index.php/Articles/pci-vs-iso.html.
5. “Recommended Security Controls for Federal Information Systems and Organizations,” NIST Special Publication 800-53 Revision 3, August 2009 (updated May 2010), http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.
6. “HMG IA Standard No. 1, Technical Risk Assessment,” Issue No. 3.51, CESG and Cabinet Office, October 2009, http://www.cesg.gov.uk/publications/Documents/is1_risk_assessment.pdf.

Structured Risk Analysis Offers Rich Rewards | Greg Jones – ISSA Journal, December 2012 – ©2012 ISSA • www.issa.org • editor@issa.org • All rights reserved.