Welcome to the SecAware blog

I spy with my beady eye ...

28 Jun 2007

Top ten infosec issues with hints as to the solutions

In a previous posting I mentioned that I get value from various online communities of information security professionals.

One I joined recently is ISM Community. I contributed a few odd comments to their list of top ten information security issues and occasionally chip in on discussion threads that interest me and where I feel I can add something worthwhile.

Another similar community is the Security Catalyst - again, I contribute to the forum when I can spare the time, admittedly not as much as I'd like.

There are several others including those run by professional bodies such as ISSA, ISACA and IIA. Some of them are Web-based bulletin board systems, others work as newsgroups or email reflectors.

Last but not least is the young community of practitioners implementing the ISO/IEC 27000-series standards. That one I set up on Google Groups, linked to ISO27001security dotcom.

Which communities and fora would you recommend?

27 Jun 2007

Infosec news sources - a top ten

For anyone else who's keen to keep up with information security and related events as they happen, I thought I'd list the hit parade - my top ten favourite Web resources.

Starting with the chart-toppers, here are the six big hits I use practically every single day:

1. ISN (Information Security News) - a handful of relevant infosec news items to my inbox every day, each one supplied as plain text email with a URL in case I need to reference the original source. Always relevant and on-topic. No wasted bits. Moderator William Knowles does a fantastic job.

2. SANS ISC (Internet Storm Center) - a continuous blog/diary of what's hot from the people who are constantly scanning Internet traffic for new attack vectors. Generally first to identify and publish info on emerging malware and vulnerabilities. Makes a great browser home page. SANS Newsbites is not bad either - twice weekly email digests with informed commentary.

3. CISSPforum - a professional community of over 4,000 CISSPs and SSCPs from around the globe. A virtual locker room, ideal for lonely infosec professionals who don't have several hundred qualified peers in the office with whom to pass the time of day.

4. Gigalaw - similar style to ISN but focuses on legal IT-related news such as IPR issues and new privacy legislation. Supplied as one email per day with about 6 headlines leading to short summaries on the Gigalaw site and URLs to the original sources.

5. Blogs like this one - way too many to list. When I have a quiet moment, I use a blog reader to catch up with what other infosec pros are saying and generally browse through for interesting leads. Good for discovering alternative perspectives on everyday issues and interesting items from obscure places. Bad for time management.

6. Google. 'Nuff said. Well almost: Google's Alerts are a handy way to run those searches that I always run, delivering daily email digests again (yes, you're starting to see a pattern).

Other sources to complete the top ten, used as and when necessary:

7. CERIAS and CERT-CC - a wealth of cool information but you need to set aside time to browse the libraries.

8. ISO, NIST etc. - for security standards

9. ISACA, ISSA, ITGI, CCcure, ITPI and various other professional membership bodies.

10. Selected infosec magazines such as [In]security, CSO/CIO and of course The Register, always good for a laugh.

11 (bonus item). RISKS-List is a long-running source of news and insightful commentary on IT risks.

Conspicuous by their absence from the hitlist are:

- Myriad "portals" that pad out far too many intrusive adverts with "news" (mostly vendor press releases) and "articles" that are also thinly disguised adverts. More biased than a capsizing supertanker.

- Vendor websites and newsletters. At least they admit their bias but I value independence and objectivity over marketing fluff any day. Used selectively to gather information on new and updated infosec products, critical patches etc.

- Podcasts, online seminars, eSymposia and similar. Unless I'm having trouble sleeping, I don't generally have the time to waste listening to some sales machine droning on for hours about how their particular hammer cracks all known nuts, or to waste time listening to cheesy royalty-free muzak from amateur producers who love the sound of their own voices and can't even get the audio levels right [/rant]. The accompanying presentation slides are sometimes worth a quick browse, taking a few minutes to skim not an hour or more. A few online speakers are worth the effort but I'm very choosy. Life's too short.

OK there we are. What about you? What's in your top ten? If there were just one or two resources you'd persuade me to add to my list, what would they be? Please either add a comment here or write your own blog post and send me a link.

Identity cards and all that

Thanks to Paulo, an Italian blogger talking about his attendance at The European e-Identity Conference held in Paris earlier this month, I've been browsing the conference presentations. Many concern ID cards, massive PKI systems plus the national and international interoperability issues arising.

A case study [PowerPoint presentation and PDF paper] on the national ID card scheme in Estonia ("E-stonia") has several lessons for other nations currently planning their own schemes. It is surely one of the most advanced pilots with live applications in banking, eGovernment (including online voting) and of course routine personal authentication. Mind you, I do hope that Mari-Liis Mannik is happy to see her ID card (complete with mugshot, signature, date of birth and personal code number) displayed for all to see on the WWW.

A fascinating paper (for those with an interest in ePassports and PKI anyway) reveals the authentication schemes being implemented in today's electronic passports. I particularly enjoyed the author's description of Terminal Authentication - no, that's not the final check before execution but the mechanism by which an immigration official's system "convinces" the passport to release sensitive biometric data.

Finally, there's a Carnegie Mellon University study into the privacy implications of social networking sites such as FaceBook. The study team successfully downloaded 4½ thousand FaceBook profiles from the CMU community before being locked out by the site administrators, and then proceeded to analyze the profiles. They correlated information posted on the site with that obtainable from other public sources, and interviewed members to reconcile what people say about privacy to what they actually publish. It is clear that a large proportion of individuals are uniquely identifiable through voluntarily disclosing their real names, email addresses, photographs, birthdays, home towns, schools, interests and even phone numbers. Why people choose to disclose so much in this way is not nearly so clear, though.

26 Jun 2007

Advice on preparing training course materials

Sammy Migues offers thoughtful advice to those preparing PowerPoint presentations for training courses, such as the 100 minute rule (i.e. each slide should take you around 100 minutes on average to prepare, including the slide and the accompanying speaker and student notes) and using graphics in place of words where appropriate.

This is the first of three articles. I'm definitely looking forward to the next two ...

24 Jun 2007

EDPACS - The EDP Audit, Control, and Security newsletter

Now in its 35th year, EDPACS is the world's longest running IT audit newsletter. Published monthly, the newsletter supports the audit and control community with highly-regarded guidance in the fields of audit, control, and security. In addition, EDPACS regularly explores current and emerging issues around IT governance.

Unlike most of the glossies in this field, EDPACS is a peer-reviewed professional journal which means high quality articles with next to no marketing spin and fluff. All meat and no fat makes for good brain food.

Disclaimer: my pal Dan Swanson is EDPACS' new Editor in Chief and I'm on the editorial board. I'm just putting the finishing touches to an article on computer auditing for submission to EDPACS shortly and, yes, my piece has been reviewed and improved by Dan and the other editors just like anyone else's.

23 Jun 2007

Data Protection Act requires personal user IDs

DISCLAIMER: I am not a lawyer. This blog piece is based on incomplete information and hence speculation on various assumptions that may or may not be true. Still, it's an interesting case ...

The UK's Information Commissioner (IC) has released details of an undertaking affecting British mobile phone company, Orange (Orange Personal Communications Services). The issue specifically concerns Orange's practice whereby existing employees share their userIDs and passwords with new employees, presumably before their own have been set up, in contravention of principle 7 of the Data Protection Act.

Principle 7, the security principle, reads as follows:
"7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The seventh principle is interpreted further in Part II of the Act:
"9. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to -
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.

10. The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle -
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.

12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless -
(a) the processing is carried out under a contract -
(i) which is made or evidenced in writing, and
(ii) under which the data processor is to act only on instructions from the data controller, and
(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle."

Possibly there was a privacy incident of some kind and the IC was unable to determine which of the several people sharing an ID was actually responsible for it. Equally, this action may have been taken to forestall such a situation in future.

It seems strange to me that the IC would be concerned about the internal operations of a data processor in this level of detail, especially given that neither the principle nor the explanatory notes explicitly ban the sharing of user IDs.

Sharing of user IDs is not uncommon in practice but is normally covered by a corporate policy stating that the legitimate owner of an ID must keep their ID and password private and is personally accountable for whatever happens under that ID. In that way, even if someone shares their ID with a colleague who then causes an incident, the original owner is held to account both for disclosing the password and for the incident that ensued. The underlying point is that a personal ID is what lets the audit trail attribute each action to one individual: once an ID is shared, the logs still say which account acted but no longer say who was at the keyboard. Perhaps Orange did not have such a policy in place, or perhaps it (in effect) forced employees to share their IDs with others? I can only guess. Anyway, Orange has undertaken to cease the practice and is probably busy slicking up its security admin processes to get personal user IDs and passwords to new employees quickly.
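Policy is one half of the answer; the other is noticing when an ID is being shared anyway. The following is an added example, not part of the original post and not code from Orange or the Information Commissioner: a small sliding-window check over logon records that flags an account authenticating from several distinct workstations within a short period. The log format (ISO timestamp, event name, user=, src=), the sample lines, the user names and the workstation names are all constructed for illustration.

```python
"""
Flag user IDs that look shared: one account logging on from several
distinct sources (workstations/addresses) within a short window.

The record format below is an assumption made for this example; adapt
LINE_RE to whatever your authentication logs actually emit.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample records (not real data): one successful logon per line.
SAMPLE_LOG = """\
2007-06-20T08:01:10 LOGON_OK user=jsmith src=ws-0412
2007-06-20T08:03:44 LOGON_OK user=jsmith src=ws-0419
2007-06-20T08:05:02 LOGON_OK user=abrown src=ws-0101
2007-06-20T08:09:51 LOGON_OK user=jsmith src=ws-0420
2007-06-20T11:30:00 LOGON_OK user=abrown src=ws-0101
2007-06-20T17:45:12 LOGON_OK user=cdavis src=ws-0250
2007-06-21T08:02:00 LOGON_OK user=cdavis src=ws-0251
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+LOGON_OK\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, user, source) for each well-formed logon line.

    Malformed lines are skipped rather than raising, so one odd record
    cannot abort a run over a large log.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def find_shared_ids(log_text, window=timedelta(minutes=30), min_sources=2):
    """Return {user: sorted_sources} for every user seen from at least
    min_sources distinct sources inside some window of the given length.

    A sliding window is used rather than a per-day count: one person
    moving between two desks over a working day is plausible, but three
    workstations in ten minutes points to a shared credential.
    """
    by_user = defaultdict(list)
    for ts, user, src in sorted(parse(log_text)):
        by_user[user].append((ts, src))

    flagged = {}
    for user, recs in by_user.items():
        best = set()
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it fits within `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            sources = {src for _, src in recs[start:end + 1]}
            if len(sources) > len(best):
                best = sources
        if len(best) >= min_sources:
            flagged[user] = sorted(best)
    return flagged


if __name__ == "__main__":
    for user, srcs in find_shared_ids(SAMPLE_LOG).items():
        print(f"{user}: {len(srcs)} sources within window -> {srcs}")
```

On the constructed sample only jsmith is flagged (three workstations in under nine minutes); cdavis used two workstations but a day apart, which the default 30-minute window treats as ordinary. Expect false positives from DHCP address churn, VPN concentrators and genuinely shared kiosks, so tune `window` and `min_sources` to the environment and treat a hit as a prompt to check the joiner process, not as proof of misconduct.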

In addition to that made by Orange, undertakings have been made by the following organizations: Littlewoods, Alliance and Leicester, Barclays Bank, Clydesdale Bank, Co-operative Bank plc, Dipesh Limited, HBOS plc, HFC Bank Limited, National Westminster Bank plc, Nationwide Building Society, Phones4U, Post Office Limited, Scarborough Building Society, The Royal Bank of Scotland plc and United National Bank Limited (and presumably others not currently listed on the IC's website).

[The preponderance of banks and financial services companies in this list arises largely from a mass enforcement action in March resulting from the disclosure of bank customers' personal details in the trash.]

22 Jun 2007

Phishing? What's that?

Nearly half the adult population of the UK does not know what phishing is, and relatively few of them understand it well enough to explain it confidently. Despite that headline, the Banking News piece (based on an interview with PayPal's CISO who probably knows a good deal more about phishing than most phishers) ends with a comment that [just] 2% of people fall prey to phishing scams.

Helping that final 2% see the error of their ways is no easy ask of any security awareness program. A proportion of people in any population is naturally resistant to awareness, training and education, for all sorts of reasons: low IQ, dementia, confusion, "cognitive difficulties", perhaps even dyslexia and other recognised communications issues (how many security awareness programs cater specifically for blind IT users, for instance?); short attention span, distractions, no time to focus on the issue; carelessness etc.

Spreading scare stories is one approach, I guess, but that creates a different risk: reducing confidence in the Internet and banking systems is hardly an effective response by the Internet banks.

Our own preferred approach to security awareness is to be creative and engaging in the modes of delivery of information and advice, consistent in the core security messages, and repetitive. Some people just need to be told something more than once. More than once. There may be a fine line between repetition/reinforcement and brainwashing but that fine line is a long way North of once-a-career induction training or once-a-year security awareness sessions. Can you imagine a world in which Coca Cola, for instance, decided only to advertise once a year using just one medium? No point-of-sale displays, no logos on the delivery trucks and product packaging, no more TV and radio advertisements, no competitions, no posters ... no, neither can I.

20 Jun 2007

Tears in the data center

Have you heard people talking about "tier three data centers" etc. and wondered what planet they were from? Well The Uptime Institute has the answer - a short white paper explaining the characteristics of each of the four tiers, handily numbered I (basic) through IV (fault tolerant) for the Romans amongst us.

It's interesting that the top-of-the-range fault tolerant/highly resistant tier IV data center listed in one of the tables achieved 99.995% availability (down for just under half an hour per year, about 26 minutes), still short of the "five nines" (99.999%, roughly five minutes of downtime per year) that people with very deep pockets sometimes insist they need.

US email searches require a search warrant

A ruling by the 6th US Circuit Court of Appeals has confirmed that email users have the same 'reasonable expectation of privacy' as they do in respect of their phone calls. A search warrant is therefore required before the Government (or indeed anyone, I guess) can legitimately access and search emails stored by Internet Service Providers. Furthermore, I understand the owner of the emails must be notified and given the right to object.

"In considering the factors for a preliminary injunction, the district court reasoned that e-mails held by an ISP were roughly analogous to sealed letters, in which the sender maintains an expectation of privacy. This privacy interest requires that law enforcement officials obtain a warrant, based on a showing of probable cause, as a prerequisite to a search of the e-mails."

But remember folks, IANAL. I have no idea whether this ruling is also relevant to companies accessing employees' emails, for example.

Thumbs down for security

A professor on holiday in Madagascar lost a USB drive containing personal data on ~8,000 students, and another one stolen from a Michigan university contained info on ~3,000 students. Both incidents exposed students' names and Social Security Numbers, and could potentially lead to identity theft.

We hear about these kinds of incident because the organizations have to inform the data subjects, and word either leaks out to the media and public or they come clean through press releases.

We don't often hear about such incidents:
- in places where there is no compulsion to inform data subjects about them
- where the loss is unnoticed or goes unreported
- involving loss/disclosure of proprietary or military as opposed to personal information
- on a smaller scale, where it is not considered so newsworthy

... in other words, it's even worse than it seems. USB flash memory drives should be routinely encrypted, so that losing the device does not also mean losing the confidentiality of whatever was on it.

19 Jun 2007

Technology myopia

A white paper, podcast and podcast transcript on insider threats promotes essentially four threat responses: behavioral analysis, integrated security components, automatic response and iterative modeling. All four are technical responses to an essentially human problem. And guess what, the paper is from IBM.

I'm not arguing that expensive technical responses are totally worthless but rather that they need to be supplemented by cheap humanistic responses - policies, procedures, management oversight, awareness/training/education, compliance activities and so forth. I'm sure IBM Consulting would love to sell you those as well.

16 Jun 2007

The difference between black and white

The next DefCon hackers' conference will include a competition to Øwn the box. The idea of the game is for DefCon participants to hack network systems brought along by willing (or is that gullible?) sys admins. If (when) someone successfully compromises (Øwns) a box and finds the hidden random number, they get to keep (own) the box and celebrate their amazing mastery of the black arts.

The white hats who configure and donate the boxes are not allowed to interact with their own boxes (although how the conference organizers will stop them doing so via the network is unclear). The announcement suggests they should 'take the weekend off' and play Vegas (or more likely hack their peers' systems). Meanwhile, the black hats will work around the clock to bust the systems, presumably living on energy drinks, pizzas and party pills.

To the conference organizers and most of the participants - the black hats - this is all just a lark, a bit of fun. To the sys admins and security pros desperately trying to defend their systems against this kind of attack on a daily basis - the white hats - it's rather more than a simple game. The black hats need only find and exploit one serious hole per system, whereas the whities have to plug all the holes simultaneously. It's inherently unfair. Whitie life sucks.

Still, it sounds like fun to me. Am I turning into a black hat? What can the panel advise?

15 Jun 2007

Microsoft beats Google in privacy stakes

Privacy International, a pressure group on privacy issues, recently rated Google as the worst performer in a ranking of major web services companies, worse even than Microsoft. The summary report notes a catalogue of privacy concerns with the way Google operates (some of which have landed it in court facing EU action), and contrasts that with Microsoft's moves to improve its privacy stance in recent years.

The report's conclusion notes that none of the surveyed companies came out smelling of roses.
"Overall, the privacy standard of the key Internet players is appalling, with some companies demonstrating either wilful or a mindless disregard for the privacy rights of their customers. Even the better performing companies create lapses of privacy that are avoidable. With minimal effort most organizations can improve their privacy performance by at least one grade."

What the white hats are up against

In its usual tongue-in-cheek fashion, The Register describes the Black Hat world through ten features:
1. The Black Hats form a well integrated community that shares knowledge effectively
2. Becoming a Black Hat is a career option even for those who are not super geeks.
3. There are even specialist virus tools designed to circumvent specific AV products.
4. There are SDKs for the more advanced hackers.
5. There's a market for your data.
6. There are botnets to rent.
7. Some rogue websites are very subtly managed.
8. Good hackers know how to stay safe (they stay abroad)
9. The banking system has its channels
10. Not all businessmen are entirely averse to the odd hack (on a competitor)

In the sense of "know your enemy", the article presents an interesting perspective.

14 Jun 2007

Pfizer privacy breached by P2P

Compromise of a laptop PC belonging to Pfizer Inc. has exposed personal data belonging to over 15,000 employees. The breach involved unauthorized peer-to-peer software.

Two more privacy resources

Thanks to a reply to a question on the IIA's IT Audit discussion board, I have discovered two useful privacy resources.

Firstly, the IIA's Global Technology Audit Guide (GTAG) number 5 covers Managing and Auditing Privacy Risks which
"is intended to provide the chief audit executive (CAE), internal auditors, and management with insight into privacy risks that the organization should address when it collects, uses, retains, or discloses personal information. This guide provides an overview of key privacy frameworks which help to understand the basic concepts and aid in finding the right sources for more guidance regarding expectations and what works well in a variety of environments. It also covers the details on how internal auditors complete privacy assessments."

Secondly, the American Institute of Certified Public Accountants (AICPA)'s Generally Accepted Privacy Principles (GAPP) cover the following ten key privacy issues:

1. Management: the organization must define, document, communicate and assign accountability for its privacy policies and procedures.

2. Notice: the organization must provide notice about its privacy policies and procedures and identify the purpose for which personal information is collected, used, retained and disclosed.

3. Choice and consent: the organization must describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

4. Collection: the organization must collect personal information only for the purposes identified in the notice.

5. Use and retention: the organization must limit the use of personal information to the purpose identified in the notice and for which the individual has provided implicit or explicit consent.

6. Access: the organization must provide individuals with access to their personal information for review and update.

7. Disclosure to third parties: the organization must disclose personal information to third parties only for the purposes identified in the notice and only with the implicit or explicit consent of the individual.

8. Security for privacy: the organization must protect personal information against unauthorized access (both physical and logical).

9. Quality: the organization must maintain accurate, complete and relevant personal information for the purposes identified in the notice.

10. Monitoring and enforcement: the organization must monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes.

Anyone familiar with the EU's data protection principles will probably recognize the commonality with GAPP.

13 Jun 2007

New privacy book

A draft of a new book on privacy (Engaging Privacy and Information Technology in a Digital Age) is available for free download from the publisher. Its 400+ pages cover everything from conceptual frameworks to privacy and related laws in the US and elsewhere. If privacy is a core topic for your organization, I'd recommend making time to go through this in depth.

10 Jun 2007

Zen and Art of Information Security

We've reviewed Ira Winkler's latest book (read the review). It's a mixed review: the book may be suitable for its intended audience (i.e. non-technical readers new to information security) but we quarreled with some of the simplifications and were left wanting much more.

9 Jun 2007

Privacy and insider threats collide in databases

A Ponemon Institute survey into database security found that:
"- Trusted insiders remain a significant, and largely unmonitored risk
- A majority of organizations do not have the technology or processes required to effectively manage against insider threat
- Due to perceived business value, many large organizations assign lower priority to the protection of customer and employee data versus intellectual property
- The vast majority of data exposed in the past two years has been confidential customer and employee information.
The survey found that “trusted” insiders’ ability to compromise critical data is the most serious concern for respondent organizations. Despite this concern, fifty-seven percent of those surveyed do not believe that their organizations have taken adequate measures to protect against malicious insiders and fifty-five percent do not believe that they have taken adequate measures to protect against “data loss.”
The survey also found that despite being aware of these threats, inadequate protection of corporate databases is the norm rather than the exception. Forty percent of those surveyed do not have the mechanisms in place, or are unaware of whether databases are monitored for suspicious activity. This shortfall can be attributed to the massive scale of corporate data stores and the lack of IT resources. Eighty-eight percent of those surveyed manage greater than one hundred databases and a majority of respondents manage in excess of 500 databases."

Although the survey was sponsored by a company with a vested interest in database security, the survey sample was large enough for the results to be statistically significant. The Ponemon Institute is a respected survey organization that, for instance, notes in the report possible biases in the respondents and responses. To a non-scientist it may seem perverse that pointing out possible weaknesses in the method actually makes it stronger, but better that than to ignore or gloss over them.

As to what needs to be done about database security, the survey commentary merely suggests a few hints e.g.:
"Among core security and IT professionals, operational efficiencies and system optimization are consistently higher priorities than efforts related to Sarbanes-Oxley, PCI, NIST 800-53 or other similar compliance initiatives ... our results show that intellectual property and business confidential information in databases is not generally protected. Even in the face of frequent, expensive, and highly publicized breaches, respondents have not made protecting customer and employee information a high priority."

... so priorities need to be adjusted (but how?).

Perhaps Lloyds TSB has (part of) the answer?

7 Jun 2007

Privacy breach affects 100k Texan police

The personal information of "every police officer in Texas" (nearly 100,000 people) has been compromised by the theft of a laptop from a Houston company that stores sensitive records for the Texas Commission on Law Enforcement.

Well that's one way to raise police awareness about identity theft, I suppose.

6 Jun 2007

VA privacy breach leads to significant security improvements

A decidedly up-beat Computerworld article identifies 5 significant security improvements that were spurred on, if not triggered, by the theft of a U.S. Department of Veterans Affairs laptop and external hard drive containing personal data on 26.5 million vets and active-duty military personnel:

1. A greater focus on data encryption within government
2. Stronger breach notification guidelines within agencies
3. More attention to data retention, classification and minimization
4. Stronger remote access policies
5. More authority for agency CIOs

The piece is so positive in style, it almost smacks of wishful thinking or marketing spin but even if only partly true, these are all indeed worthwhile changes, especially if they are as widespread in US Government circles as the journalist says.

It is a shame, of course, that it took a massive security breach (risk analysis after the fact rather than a priori) to prompt the changes, but nevertheless this is a good example of closing the loop on an incident.

5 Jun 2007

An everyday privacy incident (averted)

Today I was fortunate enough (lucky me! How exciting!) to be invited to participate in an online Technology Management survey, "an opportunity for IT Executives to share their opinions on the evolving role and influence of the CIO in today's corporate enterprise" being conducted by CIO Magazine, apparently. I say apparently because the survey URL in the email took me first to a page on the CXOmedia.com website (which is presumably CIO Mag's publisher) and then auto-redirected me here. That final destination is a third party, and looks like a typical market survey site. Unfortunately, that page also looks a lot like a typical phisher site, displaying exactly the warning signs we tell users to look for: an off-domain redirect, a lifted CIO logo (but none of the other elements of the CIO mag website's standard design) and sloppy copy, i.e. "The drawing is open to legal U.S. and Canadian (expect Puerto Rico and Quebec) residents".

But it's OK because, according to the email, "Your responses are completely confidential and will be used only in combination with other survey responses." So, let's find out what CIO Mag means by 'completely confidential'. One of the links on the survey page points me at CIO's privacy policy which makes fascinating reading for those who take the trouble, like for starters the unfinished sentence at the end of section 1 part 4:
"For more information about our ad-serving company or for your choices about not having this anonymous information used, please visit" [sic]

And wait, it gets worse. I quote for a bit further down section 1:
"Postal addresses, and other personally identifying information and data will be used to promote CIO and other IDG companies ‘ products and services, and may be rented and/or licensed to selected outside firms for promotional purposes. Offers for which the personally identifying information and data are rented and/or licensed for use and the users are required to target their offers carefully.

Telephone numbers of CIO print subscribers are used by CIO to collect re-qualification data and may be used by CIO, IDG and other IDG companies, affiliates and it's advertisers for promotional purposes. CIO may rent and/or license for use phone numbers to selected outside firms for promotional purposes. Offers for which the numbers are rented and/or licensed for use are required to target their offers carefully."

So, by participating in this "survey", I am opening myself up to 'carefully targeted offers' (read spam and junk mail) from third parties. Yippee. Just what I need.

Of course, I need not actually enter the survey to participate in the prize draw. According to the full rules, I can simply ...
"legibly print your name, street address, city, state, zip code, telephone number, complete e-mail address, and your full entry code URL on a 8.5” x 11” piece of paper, and fax to Claudette Sears at IDG Research Services Group, fax # 508-370-0020. Please reference “Sweepstakes Drawing – CIO Technology Management Survey” in your fax."

You know, it hardly seems worth it for the infinitesimal chance of winning a pair of headphones, not least because as an NZ resident I am not even eligible to win them. So much for their oh-so 'carefully targeted' email!

A little something to browse over lunch

"Today’s information systems are incredibly complex assemblages of hardware, software, firmware, and people, all working together to provide organizations with the capability to process, store, and transmit information on a timely basis to support various organizational missions and business functions. The degree to which organizations have come to depend upon these information systems to conduct routine and critical missions and business functions means that the protection of the underlying systems is paramount to the success of the organization. The selection of appropriate security controls for an information system is an important task that can have major implications on the operations and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity (including non-repudiation and authenticity), and availability of the system and its information. Once employed within an information system, security controls are assessed to provide the information necessary to determine their overall effectiveness; that is, the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Understanding the overall effectiveness of the security controls implemented in the information system is essential in determining the risk to the organization’s operations and assets, to individuals, to other organizations, and to the nation resulting from the use of the system."

... so starts the latest and greatest draft of NIST SP 800-53A "Guide for Assessing the Security Controls in Federal Information Systems - Building Effective Security Assessment Plans". What a neat way to sum up the whole of information security in just one paragraph!

The standard essentially comprises a large audit checklist for checking a broad range of information security controls against good practice advice in NIST SP 800-53, FIPS 200 and other standards (including ISO27k), topped-and-tailed with background/context, explanation, glossary and references. Being a typical NIST SP, it is well-written and comprehensive.

NIST is seeking feedback on the draft. I'm currently skimming my copy and scribbling a few notes while eating my lunch 'al desco'. We have until the end of July to respond but I'm sure project leader Ron Ross would appreciate comments sooner rather than later.

Another Google privacy concern erupts

Users of Street View, Google's new facility for getting ground-level views of selected city streets, have noticed that some of the images may not be entirely appropriate for public viewing. Examples quoted in a NY Times piece include bikini-clad women, a man scaling a gate, a man entering a porn shop and readable vehicle number plates. The images were captured by cameras mounted on a car; in other words, anyone who happened to be there at the time would have seen whatever was on show. The privacy issues arise from (a) not asking permission of those photographed to publish their pictures; (b) publishing the captured images on the World Wide Web; and (c) adding Google's legendary search capabilities into the mix.

For its part, Google claims to have considered the privacy implications and evidently made the decision to go ahead with the Street View project, so far at least.

This is just one of many privacy concerns raised by Google's services, and another interesting 'unintended consequence' of modern high tech. Google is at the same time both a wonderful search tool with an impressive lineup of innovative services, and a threat to those who accidentally publish sensitive things on the WWW or now step out in public in selected city streets. Google's desktop search utility was previously slammed for disclosing details of the contents of users' C: drives on the Web and the European Community is currently deeply concerned about Google's privacy policies.

Other search engines raise privacy concerns too, of course, but Google is the biggest and hence is bound to be in the firing line.

More security awareness materials on privacy in this month's NoticeBored module.

4 Jun 2007

Net Crimes & Misdemeanors - book review

Read the review
Net Crimes & Misdemeanors - Outmaneuvering Web spammers, stalkers, and con artists explores the dangers of the online world, covering a broad assortment of Internet security issues with useful descriptions and helpful advice for all Web users. This is a good security awareness book for anyone who is relatively new to the net, combining realistic threat descriptions with pragmatic security advice.

3 Jun 2007

Privacy breach for BoS mortgage customers

The Bank of Scotland has admitted that a computer disk containing personal information (names, addresses, dates of birth and mortgage account numbers) for 62,000 customers has gone missing en route by post to a credit reference agency.

BoS said that "no customer would be left out of pocket in the 'unlikely event of fraudulent activity'." Ah, so that's OK then.

Read about our latest awareness module on privacy and data protection

E&Y European fraud study

Ernst & Young have released a 30 page Survey into Fraud Risk Mitigation in 13 European Countries (it is very slow to download, at least in my case).

The report discusses the need for anti-fraud controls such as a Code of Conduct, a whistleblowers' hotline (plus suitable governance/control structures to protect whistleblowers from reprisals), awareness (going beyond simply signing the Code of Conduct) and others.

How E&Y came up with the list of controls used in the survey is not explained, but presumably reflects their prior experience (and hence potential prejudices) in the field. Section 4 and Figure 8, for example, state that most employees report fraud to their line managers. This in turn implies that managers should be given training and support in how to encourage and handle fraud reports by their staff.

I found the statistics on the incidence of fraud in section 6 very surprising. Only one in five respondents (described as "corporate management") acknowledged fraud in their companies in 2006, whereas I would expect the true incidence to be much closer to 100% ... depending on one's definition of fraud. Perhaps "fiddling" of expense claims and timesheets is not considered fraud by management? Or perhaps respondents were blissfully unaware of the extent of 'minor' fraud in their organizations? A survey of internal auditors would, I'm quite sure, have shown different results in this section.

The report's conclusion introduces a neat diagram summarizing anti-fraud controls:
Diagram from the E&Y report
It's a shame the report did not provide much information on the latter steps, particularly fraud incident response plans. Still, the report is well worth reading.

Awareness survey raises more questions than it answers

An assessment of the state of information security awareness by US Federal agency employees, based on the Federal Information Security Management Act 2002 (FISMA), found that:
"FISMA is not widely known and its mission and purpose are often misunderstood. When known, FISMA is often viewed as a compliance headache rather than a framework for improving information security.
Protecting information assets can only be accomplished if organizations implement a sustainable information security program, of which awareness training is an essential and foundational component. However, implementing awareness training is not enough. [The] results demonstrate that awareness programs must be continually measured for effectiveness."

The report repeatedly links measurement of security awareness with improving its effectiveness, without providing any theoretical or empirical evidence of that link. I would agree that measurement is one important element in the effectiveness of a security awareness program, but it is not the only factor by a long chalk. By analogy, I can measure the height of a tree all I like without making any impact whatsoever on the tree's growth rate. The report is somewhat light on suggestions for how to improve security awareness.
The report also frequently uses the phrase "awareness training" although it does acknowledge (by reference to the definitions in NIST SP 800-50) that awareness and training are different albeit related concepts.
Most damning of all, the survey was based on responses from just 85 people. The report doesn't say how the respondents were selected or surveyed - it is entirely possible, for example, that they self-selected by responding to an online survey having already expressed an interest in information security, awareness and/or training. Questions of this nature on the experimental methods are only partly answered in the report. Speaking as a reformed scientist, I would challenge the validity of the report on this basis alone. The fact that it was released and promoted by a vendor active in the security market ultimately seals its fate for me.

1 Jun 2007

Wi-Fi not entirely vulnerable to jammers

A well-written article discussing the potential threat of wideband noise sources to Wi-Fi networks concludes that it is not as easy as some people assume to jam Wi-Fi. The use of frequency-hopping and spread-spectrum techniques (which are different, by the way) in the microwave bands makes Wi-Fi substantially less vulnerable (though admittedly not totally immune) to interference than it might appear.

The article systematically dismantles naive claims that a "simple 100W broadband noise generator" would knock out Wi-Fi networks within a couple of miles. The main argument is that the 100W of energy would be spread across 0-2.4GHz if the noise generator were truly simple (i.e. presumably untuned), resulting in a low energy density in the Wi-Fi band/s. In practice, I suspect a jammer would probably design his system to produce most of the 100W in the specific microwave frequencies used by Wi-Fi.

A 'proof of concept' noise generator should not be too difficult to construct, although getting 100W at microwave frequencies is a technical challenge unless you have the $$$ to buy commercial microwave amplifiers ... or the technical nous perhaps to adapt a Klystron from, say, a microwave oven.

Don't try this at home folks. High power microwaves are used in ovens because they cook things - your cornea, retina and brain, for example.

Student SSNs exposed at University of Colorado

In yet another SSN-related privacy breach last month, a worm exploited an unpatched bug in Symantec's antivirus software to infect a University of Colorado server, potentially exposing SSNs and other personal information on ~45,000 students.

Privacy breach affects 25,000 DOT employees

A security breach on a server at the end of May created a privacy incident, exposing the names and Social Security Numbers of ~25,000 North Carolina Department of Transportation employees and contractors. Based on information in the press, I presume the server was used to record employee ID badges - most likely a database system used by physical security people I guess.

People who used their employee identification number instead of their Social Security number are not at risk.

Social Security Numbers are convenient personal identifiers for American citizens since, unlike full names, they are unique. However, SSNs are supposedly secret numbers (like credit card numbers), so systems and processes should avoid using them unless it is essential (i.e. for social security-related purposes). Systems that have to use SSNs for some reason need appropriate security measures, including strong system and data access controls with encryption.
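As an added illustration of the point above (my own example, not code from the post or from any of the organizations it mentions), here is how a badge system can key its records off a derived employee token instead of the SSN itself: the badge database holds only HMAC-derived tokens, the token-to-SSN mapping sits in a separate store with its own access controls, and the key, names and SSNs are constructed for the example.

```python
import hashlib
import hmac
import re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def ssn_token(ssn: str, key: bytes) -> str:
    """Keyed pseudonym for an SSN (HMAC-SHA256). Deterministic, so it still
    works as a lookup/join key, but not reversible or guessable without the key."""
    if not SSN_RE.match(ssn):
        raise ValueError("SSN must be in NNN-NN-NNNN form")
    mac = hmac.new(key, ssn.replace("-", "").encode(), hashlib.sha256)
    return "emp-" + mac.hexdigest()[:16]


class BadgeRegistry:
    """Hypothetical badge database: stores tokens and badge details, never SSNs.
    The token-to-SSN vault is modelled as a separate dict here; in practice it
    would be a separate, access-restricted (and encrypted) store with its own key."""

    def __init__(self, key: bytes):
        self._key = key          # constructed key; keep in a KMS/HSM, not beside the data
        self._badges = {}        # token -> badge record (what the badge server holds)
        self._vault = {}         # token -> SSN (restricted store, only where SSN is essential)

    def enroll(self, name: str, ssn: str, badge_no: int) -> dict:
        token = ssn_token(ssn, self._key)
        self._badges[token] = {"name": name, "badge_no": badge_no}
        self._vault[token] = ssn
        return {"employee_id": token, **self._badges[token]}

    def lookup(self, ssn: str):
        """Find a badge by SSN without the badge table ever containing one."""
        return self._badges.get(ssn_token(ssn, self._key))

    def export_badges(self) -> list:
        """What an intruder on the badge server would walk away with."""
        return [{"employee_id": t, **rec} for t, rec in self._badges.items()]


def exposes_ssn(records: list, ssns: list) -> bool:
    """Breach-impact check: do any of the known SSNs (digits only) appear
    anywhere in the exported records?"""
    digits = {s.replace("-", "") for s in ssns}
    blob = " ".join(str(v).replace("-", "") for rec in records for v in rec.values())
    return any(d in blob for d in digits)
```

A compromise of the badge server then yields names, badge numbers and opaque tokens; recovering an SSN additionally requires the vault and the key.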

US public bodies have been known to post official documents containing SSNs online.

It seems to me the real problem with SSNs is their use for authentication as well as identification of individuals. Biometrics would make much better authenticators, and we'll be covering biometrics in next month's NoticeBored security awareness module. Watch this space.

Privacy and data protection awareness

The latest NoticeBored security awareness module is out, covering privacy risks and data protection controls. This is a topic that concerns us all as individuals and affects all organizations, making it a good security awareness topic.

Read all about the latest module on the NoticeBored website.