Welcome to the SecAware blog

I spy with my beady eye ...

21 Nov 2007

One in two Brits at risk of identity theft, admits HM Government

After two CD-ROMs containing personal data on 25 million Brits from Her Majesty's Revenue and Customs office failed to arrive at the National Audit Office, questions were asked in Parliament. Yes, AFTER the event.

Both the BBC and the Grauniad report on the "gasps of astonishment" from MPs when told of the incident. Given the British tendency for understatement, this is about as close as you'll get to a public expression of outrage.

The officials who posted the CD-ROMs evidently did not "follow procedures". If the data hadn't been going to the auditors, there is a very good chance we would never have heard about this incident ... but I can't help asking whether the NAO would have created a stink if the CDs had simply turned up in the ordinary post, instead of being sent by a secure courier. I'd be willing to bet that all sorts of juicy stuff turns up in their mail and email every day, but I can't recall seeing them jumping up and down about the risk.

Whether Chancellor Alistair Darling swings for this is presumably in Her Majesty's hands. I believe the death sentence is still on the cards for treason in the UK. Now that's what I call accountability.

20 Nov 2007

Password video

Watchfire's latest awareness video offers advice on choosing a strong password, in the style of a 1950s public service announcement (but with modern-day video effects: look out for the steaming hot coffee and more).
Watch as hapless Bud makes every password mistake in the book! Shudder as he blunders through one near calamity after another. Chuckle at the painful familiarity of his plight. Will Bud ever succeed in his quest to LOG IN?

Short videos like this are good to break up security awareness/training presentations.

19 Nov 2007

Singapore sling

Here's a sad tale of woe. A good friend of mine in Singapore is suddenly facing redundancy through absolutely no fault of her own. Her employer is simply cutting costs, slashing the workforce it seems without considering their employees' net value (i.e. business benefits created less salary and other expenses). What makes this really sad is that the organization in question is a bank that really ought to have a better idea of basic economics.

So, if anyone out there in Blogoland knows of Singapore-based/regional openings for a highly qualified and experienced IT auditor cum information security manager cum IT governance expert, and understands that value equation, do please get in touch with me (email Gary@isect.com). My friend has a CISSP (with the ISSMP concentration), CISM, CISA and 2 decades in the field with globally-renowned financial services companies. She is also one of the most gracious, friendly and genuinely committed individuals I know. It's hard to think of a better definition of "asset".

ISSA eSymposium on PCI compliance

ISSA has a “PCI Compliance” webcast on December 6th 2007. Speakers will present "live and online" giving you the opportunity to interact in real-time from the convenience of your desk. Register for this free event.

9 Nov 2007

Attention fellow CISSPs, SSCPs and CAPs - a call to action

Voting for the ISC2 Board elections will start in just a few days (Nov 16th). If you have the slightest interest in ISC2, your qualifications and your future career in information security, this is important.

The ISC2 bylaws allow the sitting Board to nominate a bunch of candidates for the election without reference to the membership. Naturally, they tend to put themselves forward for re-election and/or propose their colleagues who, generally speaking, are similar to themselves in background and outlook. In practice, this means the Board is very conservative and favours the status quo. I personally have no issue with stability and continuity unless it prevents ISC2 from responding appropriately to changes in the environment. There comes a point when stability becomes inertia that stifles all innovation and creativity.

If you are entirely happy with the way ISC2 is run right now, if you feel you are getting the best possible value from your membership dollars, and if you see no need to change the way ISC2 is operated and managed, then go back to sleep: you need do nothing at all. Like a giant supertanker, ISC2 will continue indefinitely in the same direction without you doing anything.

However, if you want ISC2 to change for the better, then you have to do something about it, now.

In addition to the Board-nominated candidates, members can stand for election provided they gain sufficient support from the membership (meaning at least 1% must sign their petitions to stand). For obvious reasons, the sitting Board doesn't exactly go out of its way to help independent candidates contact the membership or canvass for the necessary level of support and votes. Electioneering is explicitly banned on CISSPforum, for example, and there have even been accusations of bias in the way candidate profiles/manifestos are presented on the ISC2 website. Nevertheless, a few valiant membership-supported candidates (precisely three out of the 12 on offer) have made it onto the slate and they need our votes to make a difference to ISC2.

Turnout for the ISC2 elections is traditionally extremely poor (though it's hard even to squeeze this little piece of information from ISC2 management). What this means is that your vote counts more than ever.

I'm not going to recommend any particular candidates at this point (maybe later!) but encourage you to do the following:

1. Sign in to the ISC2 website. Please note: without informing the membership, ISC2 management has recently implemented some significant changes to the website, including a new login process - you should be able to log in with your original password but using "the primary email address on file with ISC2" instead of your member/certificate number. Several members have had difficulties with this process (e.g. forgetting which email address they originally nominated), requiring support calls to ISC2 that can take days or weeks to resolve. DO THIS NOW to avoid delays that might prevent you from voting when the poll opens.

2. Once logged-in, visit the page listing the 12 candidates and read their submissions. Think very carefully about what they are proposing to do for ISC2 and the certifications in the future. Look for clues as to whether they merely support the status quo (same old same old) or want to do something new and worthwhile for the members. If you agree with the general thrust of what they are proposing, make a note of the candidates' names.

3. If you are interested enough to want to discuss the elections, interact with the candidates and clarify what they really stand for, join the discussion at cissp elections, a mailing list established specifically for that purpose (simply email a polite request to cissp-elections-subscribe@yahoogroups.com). Perhaps you might like to explore issues such as:
- Why the current management recently changed the rules for CPEs, requiring a minimum number of CPEs in every year instead of over a 3-year period;
- Whether the candidates are happy with the way ISC2 communicates important changes (such as the above) to members, if not actually involving them in the decision-making process;
- Relaxing the tight control over CISSP training courses and the confidentiality of the CBK, which limits the opportunities for other/non-ISC2 training providers and for exams in other locations;
- How come volunteers for ISC2 duties such as exam proctoring, and the speakers' bureau, never seem to get anywhere?;
- Membership meetings - ways for CISSPs and others to meet face-to-face in Real Life;
- Other things that concern you about ISC2, the profession and your career.

ISC2 belongs to its members. Its future is in our hands. Don't let this chance to make things better just slip by without raising a finger.

8 Nov 2007

Who's responsible for security awareness?

A blogger bemoaning the effect of inadequate awareness and training on mobile computing and wireless networking security asks who should be responsible for it. Why do so few organizations run comprehensive security awareness and training? The blogger seems to think the CIO, or possibly HR, should be responsible, but I'm not sure about either of those suggestions. Most CIOs naturally focus on IT - as in technical - security, if indeed they take any interest in security. Relatively few HR people I've worked with have had much interest in IT, let alone information security.

No, it seems to me the blogger has created a false dichotomy, offering a choice of two inappropriate owners. The more appropriate home for security awareness is surely the Information Security Manager, especially if management are open-minded enough to ensure that the ISM role has influence right across the enterprise, rather than being buried out of sight in the depths of IT. The ISM should be working hand-in-hand with IT, HR, Legal, Risk, Compliance, R&D, Ops ... in fact I can't think of anyone the ISM can safely ignore (is there any department that doesn't rely on information?).

To have any real effect on the organization's security stance and culture, the ISM needs the full support of executive management. My reasoning goes like this:
- Security awareness is part of information security.
- Information security is part of IT governance.
- IT governance is part of corporate governance.
- Corporate governance applies across the whole organization, and is a matter for senior management collectively.
- Ultimately the CEO and the Board are accountable for information security. They have the power to prioritize it, allocate sufficient funding, mandate security policies, standards etc. The CIO is much too far down the food-chain to have teeth.

7 Nov 2007

New PCI security standard

The Payment Cards Industry (PCI) Security Standards Council (SSC) is adopting Visa's Payment Application Best Practices (PABP) standard as the Payment Application Data Security Standard (PA-DSS). It is due to be finalized and released early in 2008. Anyone wishing to access and contribute to the draft standard must join the PCI SSC (i.e. this is not an open standard).

PA-DSS will presumably be implemented by mandating it on those developing commercial credit card applications (not those developed and used internally) and checking their compliance through a network of Qualified Security Assessors (QSAs), accredited by PCI SSC.

It will complement the existing PCI Data Security Standard (PCI DSS).

6 Nov 2007

Chicago data center robbed, again

A Chicago shared data center (a "co-location facility") has been broken into and robbed for the fourth time in two years, despite claiming physical security measures that would put some data centres to shame.

Masked robbers allegedly broke in through a wall using a power saw (although this is disputed by customers who visited the site), tasered and hit the center manager, and made off with a hoard of servers worth at least $20k (presumably that's just the hardware cost: the data content could be worth rather more, and CI Host customers whose websites are down are fast losing their own customers). The following physical security controls are mentioned in the Register piece and on CI Host's website, although the existence of some is doubted by slashdotters:
- Multiple layers of 24x7 security cameras with 360-degree perimeter and roof surveillance and Facilities 24 hour DVR systems with 14 day video storage (foiled by masks and by allegedly stealing the CCTV equipment)
- Proximity card readers plus biometric access controls and key pads, with double-locking mantraps at data center entrance (bypassed by using a convenient hole in the wall instead of the doors)
- Reinforced walls (vulnerable to a power saw, so "reinforced" seems a bit of artistic license)
- On-site personnel 24x7 (perhaps only one person? It's not entirely clear whether he was already there or responded to an alarm. There's no mention of security guards or alarms being sounded, as far as I've read so far)
- Non-customers enter equipment area by escort only (presumably not the robbers!)
- All cabinets, cages, and suites have locking mechanisms (a.k.a. "locks") and security upgrades are available (padlocks? Cages? Bullet-proof Kevlar vests?)
- Physical audit trails on all entry points (visitor logs?)
- Anti-pass back and tail gating systems (passback is permitted through holes in the wall)
- 24x7 intruder, smoke, heat and fire alarms monitored by police and fire departments for instant reaction (for large values of "instant")
- No signage, nondescript building (the building's street address - 900 North Franklin, 3rd Floor, Chicago, IL 60610 - and photo is provided on CI Host's website, and of course the robberies make the news. Hardly what one would call discreet!).

Banks know a thing or two about physical security, yet bank robberies do still occur. Robbers naturally avoid the strongest controls but exploit the weakest, which often includes the employees. Bank employees are not, as a rule, expected to fight to the death to defend their employer's and customers' assets. Automated security controls such as time-locked vaults and silent intruder/hold-up alarms are designed to at least delay if not foil the robbers while the cavalry trot along. On top of that, many of the security controls in a bank are designed to protect the employees. Maybe CI Host should consider taking advice from local bank security people ... or moving out of Chicago?

3 Nov 2007

IT audit checklist on privacy/data protection

A new checklist from the IT Compliance Institute on privacy and data protection suggests some 270 items to check, and offers advice and tips on the associated controls. It also gives hints on what the auditors do/don't expect to see, good for getting your house in order before they call.

National paranoia index

Unisys is using market survey techniques to assess public perceptions of the state of security in various nations. I'm not entirely clear quite what the survey tells us (other than the general state of paranoia in the countries surveyed), or what use it is (apart from the pharmaceuticals companies selling brain-calming drugs), but no doubt selected numbers will magically appear in assorted PowerPoint slide decks in due course supporting all sorts of hypotheses.

New US infosec laws

SecurityCatalyst blogs on two new US information security laws. Minnesota's Plastic Card Security Act adds a legal mandate to PCI DSS. The Identity Theft Enforcement and Restitution Act gives victims of identity theft compensation rights. I'm hunting for more information on both of these and will provide an update if I have anything to add to SecurityCatalyst's post.