Welcome to the SecAware blog

I spy with my beady eye ...

29 Apr 2006

A fun information security dictionary

A Portuguese information security community - Communidade ISMS PT - has published an entertaining Security Dictionary based on an article in CSO Magazine, itself derived from The Hackers Dictionary and The Devil's DP Dictionary. I particularly liked their description of a laptop: "a computer designed to allow employees to easily store vast amounts of customer data in the backseat of a taxicab." Too true.
Further general infosec resources

22 Apr 2006

Boeing worker data on stolen laptop

The Seattle Times reports yet another security breach involving the potential compromise of thousands of confidential personal details. "The laptop was grabbed from a Boeing human-resources employee at an airport," said company spokesman Tim Neale. "The laptop was password-protected and was turned off," he said. But the file containing the names, Social Security numbers and in some cases, addresses and phone numbers for 3,600 current and former employees was evidently not encrypted, despite a directive issued five months ago to remove or encrypt all sensitive information on laptops.
Whereas a few years ago it would have been infeasible for anyone to carry 3,600 personnel records without a large trolley for the filing cabinets, all modern laptops have sufficient hard disk space for the data and a whole lot more. They also have the CPU capacity to apply strong encryption. Boeing is certainly not alone in failing to apply suitable security measures to protect sensitive data on vulnerable hardware.
More confidentiality resources.

21 Apr 2006

NB wins TopBlogger award

TopBlogger trophy from www.FileRatings.com

[Cue drum roll] The winner of the trophy for top security blog at FileRatings.com ... is ... [ta-daaaah] NoticeBored! On behalf of the NoticeBored team, IsecT CEO Gary Hinson said "I'd like to thank the nice people at FileRatings for this fabulous award. I must thank my producer, the editorial team, my mum, my dad and everyone else who knows me. Such an honor! You guys are great. Thanks." [leaves podium, blubbing]

20 Apr 2006

The value of security awareness

A new item at Silicon.com included the following quote: "'Companies must make strong and effective security practices part of their culture through awareness, education and accountability,' says Jan Babiak, head of the information security practice at Ernst & Young. 'This needs to be enforced by the CEO and the board, with organisations aspiring to implement well designed controls and fostering a security-conscious culture led from above. Without this top-down endorsement, employees will often ignore controls or worse avoid them, placing the entire enterprise at great risk.'" We'd certainly support the need for senior management's proactive support but there's rather more to the issue than that.
Take security policies for example. Policies without a management mandate are practically worthless. Policies with a clear mandate are fine, but are not in themselves effective. Policies with a clear mandate plus a communications program to make sure people are aware of and understand their obligations towards the policies are an improvement ... but even that is not enough. People need to be led the extra mile to commit to the policies and, in time, adapt their behaviors to fall into line with the policies. Compliance activities can help but (yes, you guessed it) are not necessarily The Answer either - "comply or else" expletives from management can cause enormous damage to the changes necessary to achieve positive cultural shifts.
In a truly security-aware culture, people comply with security policies not so much because someone tells them to do so, but because they genuinely appreciate the need, just like an experienced driver instinctively uses mirror-signal-manoeuvre whereas a learner driver consciously mutters the reminder under their breath. Get the security habit through awareness, training and education - but make sure your management get in the habit too. Awareness really does start at the top.
White paper on the value of security awareness

13 Apr 2006

Security survey backs the value of awareness

In their 4th annual security benchmark study, Committing to Security - A CompTIA Analysis of IT Security and the Workforce, the Computing Technology Industry Association reports that "Security software has become more capable and pervasive, and is able to detect attacks that may have gone unnoticed for long periods in the past. Many seem to believe that these fully automated solutions are able to turn back nearly all attacks. This led to the emergence of a fair degree of complacency in 2005. Unless countered, this complacency could leave significant vulnerabilities open to the twisted innovation that hackers are rightfully notorious for. The fact remains that no software solution or automated response can match the security offered by training and mass awareness of security issues in the workplace."
Just under half the organizations surveyed say they have already implemented, or plan to implement, security awareness training, despite the fact that "there is a widespread recognition (84%) that it has resulted in a lower number of major security breaches".
The full report is available to CompTIA members.
More security awareness links and a white paper on the value of security awareness

12 Apr 2006

Safe browsing at Internet cafes

Microsoft's advice on Strong passwords: How to create and use them recommends "Do not type passwords on computers that you do not control. Computers such as those in Internet cafes, computer labs, shared systems, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Do not use these computers to check online e-mail, chat rooms, bank balances, business mail, or any other account that requires a user name and password. Criminals can purchase keystroke logging devices for very little money and they take only a few moments to install. These devices let malicious users harvest all the information typed on a computer from across the Internet - your passwords and pass phrases are worth as much as the information that they protect."
Sound advice. You need to balance the convenience of web access whilst waiting for your coffee, plane or train, against the inconvenience of having your identity stolen and your bank accounts cleaned out.
More links on keeping secrets

Microsoft exec warns: Beware rootkits

If your system gets infiltrated by a rootkit, you might as well just “waste the system entirely,” said a program manager from Microsoft's security solutions group. The point is that rootkits are deliberately constructed to conceal themselves, making it extremely difficult to (a) detect that your system has been rootkitted (compromised with a rootkit), and then (b) remove said rootkit and revert the system to its uninfected state. An active rootkit has full access to your machine. By taking control of the system hardware before the operating system loads, it has the potential to mediate calls to the network and hard drives, and can intercept keyboard and mouse commands. You have no secrets from a rootkit.
More links on keeping secrets and malware

11 Apr 2006

ISM-cubed, a new infosec management model

Information Security Management Maturity Model (ISM-cubed) is a new method that seeks to apply ISO 9000-style quality management processes to information security management. The method’s description paper naturally mentions ISO 17799, ISO 27001, COBIT, ITIL, CRAMM and other buzzwords. Unfortunately it does not explain how the method was developed (e.g. does it have an academic or pragmatic basis?).

Capability maturity model and metrics are particularly interesting aspects of the method. Standards such as ISO 17799 and COBIT are quite 'flat' with no obvious sequence in which organizations might implement the basics and then progressively improve their security. ISO 27001 does include the classic Deming PDCA continuous quality improvement model but falls short on metrics. ISO 21827 is a security maturity model, again with limited metrics. NIST SP 800-55 includes an enormous list of security metrics but little in the way of practical guidance on selecting or using them to mature an organization's information security management.

More information security management links

10 Apr 2006

Blue Security

*** UPDATE: Please see our May 2nd blog entry ***

A considered and thought-provoking paper from Marcus Ranum reviews the spam response system from Blue Security. The system combines the advantages of a widespread user base monitoring their inboxes for spam (which guards against malicious or inept spam reporting), with automated responses that aim to flood spammers with complaints (in effect, a denial of service attack but with self-imposed ethical limits i.e. one response per complainant). A further key feature is the manual intervention before the multi-barrel bit-guns are unleashed: the Blue Security team contacts the relevant domain admins/users to ask for an explanation, and gives them an opportunity to respond. If the spammer machine is in fact a zombie that has been compromised by a hacker and used by a spammer without the legitimate owner even being aware of the issue, the contact gives them the chance to take their machine off the web and clean it up.

Spammers are cordially invited to cleanse their mailing lists of Blue Security registrants, which unfortunately implies that other email addresses are fair game. The system designers have paid attention to the potential security implications of allowing spammers access to opt-out mailing lists, and use cryptographic techniques to obfuscate the list. However, personally, I would question the need for this function, and hence the associated residual risk, at all. Those spam recipients who do not actively opt-out are clearly disadvantaged. The merest hint of a business model starts to rear its ugly head at this point.

Active response is generally frowned-upon by the professional information security community in principle but it sounds to me as if Blue Security may have invented a workable and ethical scheme.
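As an added illustration (not Blue Security's code and not from the original post), here is a hashed opt-out registry of the kind the paragraph above describes, assuming the "cryptographic obfuscation" is a one-way hash of each normalised address: the mailer can scrub its list without ever receiving plaintext addresses, yet the published hashes still answer "is this address registered?" for any address the list holder cares to test, which is the residual risk questioned above.

```python
"""Hashed opt-out ("do not intrude") registry, modelled on the scheme described
in the Blue Security entry. Constructed illustration: the registry operator
publishes one-way hashes of normalised addresses (an assumption about the
obfuscation technique), and a mailer scrubs its list against those hashes."""
import hashlib


def normalise(address: str) -> str:
    # Case-insensitive and whitespace-trimmed so "Bob@Example.COM" and
    # "bob@example.com" hash to the same registry entry.
    return address.strip().lower()


def registry_hash(address: str) -> str:
    return hashlib.sha256(normalise(address).encode("utf-8")).hexdigest()


def publish_registry(registrants) -> frozenset:
    """Registry operator: publish hashes only, never the plaintext addresses."""
    return frozenset(registry_hash(a) for a in registrants)


def scrub(mailing_list, published: frozenset) -> list:
    """Mailer: drop every address whose hash appears in the published registry."""
    return [a for a in mailing_list if registry_hash(a) not in published]


def is_registered(address: str, published: frozenset) -> bool:
    """Residual risk: a hashed registry still confirms membership of any address
    the holder already has or guesses. Scrubbing cannot work without this
    property, so hashing limits disclosure rather than preventing it."""
    return registry_hash(address) in published


# Constructed sample data (not real addresses or lists).
REGISTRANTS = ["alice@example.org", "Bob@Example.COM"]
MAILING_LIST = ["carol@example.net", "bob@example.com",
                "alice@example.org", "dave@example.net"]

if __name__ == "__main__":
    published = publish_registry(REGISTRANTS)
    print(scrub(MAILING_LIST, published))  # ['carol@example.net', 'dave@example.net']
    print(is_registered("BOB@example.com", published))  # True
```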
More email security resources

54m Americans' privacy breached

A paper from the Privacy Rights Clearinghouse giving A Chronology of Data Breaches Since the ChoicePoint Incident identifies that the privacy of well over 54 million Americans has been compromised since February 2005. The list of more than 150 reported incidents (meaning an average of around three per week) is an eye opener for anyone that thinks this is not a risk.
More confidentiality and privacy resources

8 Apr 2006

Fighting the spamalanche

Abuse is an open source program to respond automatically to spam messages, automatically composing responses to go to the abuse addresses listed for the IPs of the sending machines. As the senders are commonly compromised zombie PCs, informing the owners and getting the machines cleaned up helps fight the avalanche of spam, and has other security advantages.
More email security links

5 Apr 2006

SiteAdvisor for safer browsing

Cool free browser extension (IE and Firefox) that automatically checks websites you visit against its database, and warns you of potentially unsafe sites with a red button. The database has been compiled by automated and manual tests across "sites representing more than 95% of web traffic" looking for dubious practices such as excessive popups, spamming of submitted email addresses, spyware downloads, browser reconfiguration etc. Green/red/grey [untested] buttons magically appear next to each of the search results on Google and Yahoo too, so you get a heads-up before even visiting a site. Isn't the web a wondrous thing?
More Internet security links

4 Apr 2006

Scanning for rogue Wi-Fi

Tools to help the overworked Security Manager identify wireless networks in their premises range from free to $thousands. At the bottom end are Wi-Fi snooping tools such as NetStumbler and kismet, and the cheap-n-nasty wLAN detectors given away as merchandising at computer shows. In the mid range is commercial software that uses standard wireless LAN cards to scan the normal Wi-Fi frequency bands, and wide range UHF/SHF scanners. High end tools use very expensive software to get more information from the wLAN cards, or use dedicated spectrum analyzer hardware to get even more gen, provided the user has the technical skills to control the machine and interpret the output. Read about (some of) the range on Informit's review of Wi-Fi audit tools.
More wireless networking security resources

Phishing Incident Reporting and Termination

CastleCops and Sunbelt Software have launched PIRT (Phishing Incident Reporting and Termination squad), an initiative to receive and analyze phishing reports and to help get the phishing sites taken offline as soon as possible. Whether they can do any better than the professional organizations already doing this (at a cost) remains to be seen.
More authentication resources

Confidential pizzas

If you've ever ordered a pizza online and wondered what happens to all the personal data on the pizza company's telephone ordering database, take a look at this Flash movie. Unfortunately, the scenario is all too believable.
More confidentiality links

2 Apr 2006

Anti-phishing tips

After briefly debunking some dubious advice about how to avoid phishing sites, an article on HexView makes just three recommendations to avoid phishing.
More user authentication links here

Virginia schools to teach Internet security

A new state law forces Virginia schools to teach Internet security and safety skills to schoolchildren. The Washington Post article quotes Del. William H. Fralin Jr.: "We teach our kids not to talk to strangers. We teach our kids not to take candy. But in today's world on the Internet, not only can you be talking to strangers without supervision, but you can be talking to someone you think is not a stranger, but who is one. There needs to be some sort of basic training on that." Absolutely! [We will be encouraging the New Zealand Government to plan along exactly the same lines - the Ministry of Economic Development's discussion paper on information security strategy is open for submissions until April 13th. Have your say too!]
More web security links

Keeping secrets

It's no secret that the latest NoticeBored awareness module covers confidentiality, privacy and related matters. NoticeBored customers receive posters, briefing papers, presentations, mind maps, awareness surveys, puzzles, checklists and newsletters on this important topic: the newsletter is also available separately as a PDF free of charge to anyone who cares about information security.
Sign up for the newsletter.