As someone who has been particularly concerned with the cyber security of our critical infrastructure, I couldn’t help thinking how much worse it would have been if there had been a simultaneous cyber attack bringing down our financial market systems, payment systems and e-commerce in general. In that regard, we can consider ourselves most fortunate. We may not be so lucky the next time.

While I have no specific evidence that the disruptions taking place throughout the economy have lead to security compromises, I would be really surprised if they had not. It’s just that with so much focus on the crises themselves, everyone is distracted from basic day-to-day security issues. Such compromises, if they are happening, are likely to be well hidden below the high levels of noise. We may never know their full extent.

My presumption of security compromises is based on prior experience of situations that were not nearly as devastating. Consider that we have a huge cadre of disaffected, disgruntled individuals who have been laid off or are at risk of being so and who had, and may still have, access to critical computer systems. Include the fact that major financial institutions are being taken over, forced together and eliminated. Combine that with the emergency reactions of individuals as they seek safe havens for their assets. And add to that the corporate reaction of freezing expenditures, including those for security.

(...)
Read the rest of Security in Times of Crisis (684 words)

© C. Warren Axelrod for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under CSO/CISO Perspectives, Contingency Planning.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

The paper analyzed trends associated with stock prices of several prominent retail and financial services corporations that had experienced well publicized data breaches.  Ken concluded that, for these organizations, the announcement of a breach was usually followed by a brief dip in the closing price of a company’s stock, quickly followed by a sustained rise.  Ken interpreted this counterintuitive finding as evidence that a data breach does not necessarily pose a reputational risk to an organization, as long as (1) there is no sustained pattern of similar breaches experienced by the company and (2) the organization’s primary business does not involve providing a service where information security is an integral element.  Polo Ralph Lauren and Citigroup-two of the companies discussed in Ken’s study-are not selling security as a major service; ChoicePoint, however, offers security controls as an essential feature of its product.

Ken’s thesis was validated when, in January 2007, TJX (the parent company for Marshall’s, TJ Maxx, and other retail establishments) announced the unauthorized disclosure of credit card data concerning millions of customers.  The breach was announced on January 17.  That day, TJX closed at $29.63, down .22 from the previous day.  On the next day, the stock fell an additional .13.  However, two days following the breach announcement, TJX shares closed at $30.03, a .40 rise since the announcement.

(...)
Read the rest of The Status of Recent Research Concerning Data Breaches and Reputational Risk (1,263 words)

© Sam Dekay for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under General.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

In the newly published anthology, CISO Leadership: Essential Principles for Success [Auerbach Publications, New York, 2008], Robert Coles and Rolf Moulton explore governance as it relates to information security. In chapter 13, entitled “Extending the Enterprise’s Governance Program to Information Risks” the authors provide an eye-opening and somewhat threatening stance:  ”In this litigious age, governance failures could result in damaged careers, shareholder lawsuits or corporate collapse.”

However, because the focus is on compliance with Sarbanes Oxley, Basel II and other knee-jerk regulations, it may be worthwhile to put corporate governance into perspective. The authors position is that it can be leveraged to strengthen information security. Further, since governance is amorphous at best, the authors declare their stance as “Our definition of information security governance is the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems.”

(...)
Read the rest of Corporate Governance: A Dirty Word or a Dirty Job? (335 words)

© Micki Krause for BlogInfoSec.com, 2008. | Permalink | One comment
Want more on these topics ? Browse the archive of posts filed under CSO/CISO Perspectives.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

Step 1: Define the functions and purposes of your network perimeter.
Step 2: Assess the technology used along the perimeter of your network.
Step 3: Assess the Processes used to support your network perimeter.
Step 4: Assess the People that support your network perimeter.
Step 5: Review all the information gathered in steps 1- 4 and establish conclusions and findings.
Step 6: Report conclusions and findings and determine action plans.

In Part I we reviewed tips and tricks for Step 1 “Define the functions and purposes of your network perimeter” and started a spreadsheet.

In Part II we looked at tips and tricks for Step 2: “Assess the technology used along the perimeter of your network.”

In Part III we looked at tips and tricks for Step 3 “Assess the Processes used to support your network perimeter.”

In Part IV we will be looking at tips and tricks for Step 4 “Assess the People that support your network perimeter.”

(...)
Read the rest of It’s All About the People: Assessing Your Organization’s Network Perimeter (pt. 4) (734 words)

© Frank Cassano for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under Human Elements.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

I had said to Jim that I thought GRC was the buzzword du jour and that, in my opinion, each of the three areas were different in form and intent and therefore were not readily combined in a meaningful way. I told Jim that I thought that governance and compliance should fall under the risk management function rather than being co-equals.

Well, as so often happens, we live to regret our more dogmatic statements. And retribution wasn’t far behind. A few days later, I was asked to run a workshop on GRC at the FST Summit, which was held on June 3-5 in New York City, before a group of high level IT officers from the financial services industry. So now I was put in the position to defend my beliefs, which this auspicious group would surely roundly attack.

Coincidentally, Michael Rasmussen, who happened to write the foreword to my book Outsourcing Information Security, has become a leading guru in the GRC space. I looked up various sources and found that Mike’s definitions and thoughts on the subject are prominently displayed on Wikipedia.

Having acquired a somewhat better understanding of the topic, would I find myself retracting my prior position at the workshop? The answer was “no.” Now that I had done a little more research, I recognized that substantial effort is being put into integrating and automating procedures and processes required to establish and run good governance, manage risk, and comply with laws, regulations and audit findings. But there still seemed to be problems where well-run institutions continued to stub their toes, as in the case of the sub-prime mortgage mess. So I examined the question: “Is this an example of form over content?”

(...)
Read the rest of Governance, Risk Management, Compliance (pt. 1): Form over Content? (490 words)

© C. Warren Axelrod for BlogInfoSec.com, 2008. | Permalink | One comment
Want more on these topics ? Browse the archive of posts filed under CSO/CISO Perspectives, Compliance and Laws, Risk Analysis.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

Definition of Terms

Risk Analysis (RA) is the identification and estimation of risks. Risk identification is the process whereby one identifies the sources of risk. (In an information security risk analysis, risk identification is the identification of hazards.) Risk estimation is the process whereby one estimates the probability and utility of prospective risks. In an information security risk analysis, the probabilities of threats are often measured conditionally-conditional upon the vulnerabilities present in the asset.

In other words, risk analysis answers three questions:

(1) What can happen? (In information security risk analysis, this could be reworded as, “What can go wrong?”, since information security risks are usually associated with negative outcomes.)
(2) How likely is it?
(3) What are the consequences? (Again, since information security only recognizes risks with negative outcomes, this question could be reworded as, “How bad could it be?)

In addition to the above standard three questions, Steven Long has convinced me that a fourth question should be added to the list:

(4) How much uncertainty is present in the analysis? (In other words, how reliable are the answers to questions 1-3?)

(...)
Read the rest of The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 1) (774 words)

© Jeff Lowder for BlogInfoSec.com, 2008. | Permalink | One comment
Want more on these topics ? Browse the archive of posts filed under Risk Analysis.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

I got into Information Security less than 10 years ago when my current boss (bless his technology-driven heart) thought I had an interesting background and hired me to deliver a global identity management program for a not-to-be-named (think Boston-based, highly secretive, fiercely private – don’t worry, it will come to you) financial services company. I was a stranger in a strange land where everyone seemed related – well their last names were all CISSP, except for a few CISM or CISA cousins. Over time, I absorbed the culture, but like the mutt that I am, could never become a “made man”. In fact, even today, when the talk turns to the OSI stack or syslog, I generally remember I have a blog article to write or some personal dental surgery to perform.

But as a person who has filled a variety of roles in academic, military, athletic, non-profit, private, and public entities, I look with tremendous respect at those who have built a career in information security and wonder what they would do if organizations reengineered security. I have led many teams over the years and have always tried to focus on achieving the goals that ensures the organization’s success (no job if they go out of business!), but, more important, have tried to nurture in each team member a sense of ownership of their role and their future.

(...)
Read the rest of So Why Do We Need Security Professionals, Anyway? (507 words)

© Patrick Foley for BlogInfoSec.com, 2008. | Permalink | One comment
Want more on these topics ? Browse the archive of posts filed under Human Elements.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

The first tool that we will employ to help create the first visualization is GraphViz (http://www.graphviz.org/). GraphViz uses a relationship language called DOT, whose grammar is easy to understand and interpret by two easy steps: define a graph and create relationships. For our purpose, we want to create a flow graph that helps us visualize attackers, and possibly further define attack types. To do so, we simple write a script that will parse the net-flow data from our network, and query those IP addresses against our SIEM’s threat database. If there is a match on the IP address, we can change the context of the relationship in the visualization. For instance, if the source is an internal IP address going out, we can color the bubble red based on the assumption that it is infected. The lines that radiate from that host can have two relationships, a solid for TCP protocols and dotted for UDP with a label on the line for the communicating port. If there is a virus infection running amok in the network, you can then imagine the visualization that is rendered, and further more if there is a Command and Control in use it may become more easily identifiable. With the discussion above, you would have the following DOT syntax, and once rendered the following graph snippet that shows a spoofed UDP communication going to my DNS server, along with hosts attacking it.

The second tool we will use is Google Earth. The technique used above to extract the information will be slightly modified; we wont use source or destination ports, and we also wont be as fancy with our line classifications. What we will add to the information is a Geo Location database so that we can lookup the IP address and get a latitude and longitude, and we’ll only consider three forms of communications: clean (green), hostile (red), and live hostile (purple).

(...)
Read the rest of Attack Visualizations Using GraphViz and Google Earth (178 words)

© Russell Handorf for BlogInfoSec.com, 2008. | Permalink | 2 comments
Want more on these topics ? Browse the archive of posts filed under Technical.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

My friend is 55, and has been employed in the field of Information Security for more than two decades.  Until a few days before the phone call, he had served as CSO at a major manufacturing company.

I asked him how the function of CSO would be replaced by his former employer.  He said that the job would be delegated to another senior executive in IT.  “And the other security roles will also be reassigned-network security will be moved to Telecommunications; policy and procedures will transfer to Communications.”  In other words, the central Information Security unit would be dissolved and its functions incorporated into several existing operational, technical, and other areas.  “But how,” I wondered aloud, “will all these areas work together to create something resembling a consistent information security program?  Where’s the managerial glue to hold it together?  Who’s in charge?”  My friend replied, quite simply, “I don’t know.”

This single telephone conversation is one among many indicators that, to an increasing extent, the problem of governance continues to haunt the field of information security.

(...)
Read the rest of Who’s In Charge Here? The Problem of Information Security Governance (1,794 words)

© Sam Dekay for BlogInfoSec.com, 2008. | Permalink | 2 comments
Want more on these topics ? Browse the archive of posts filed under Compliance and Laws.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

As a reminder the identified steps were:

• Step 1: Define the functions and purposes of your network perimeter.
• Step 2: Assess the technology used along the perimeter of your network.
• Step 3: Assess the Processes used to support your network perimeter.
• Step 4: Assess the People that support your network perimeter.
• Step 5: Review all the information gathered in steps 1- 4 and establish conclusions and findings.
• Step 6: Report conclusions and findings and determine action plans.

In Part I we reviewed tips and tricks for step 1 “Define the functions and purposes of your network perimeter” and started a spreadsheet.

In Part II we looked at tips and tricks for Step 2: “Assess the technology used along the perimeter of your network.”

In Part III we will be looking at tips and tricks for step 3 “Assess the Processes used to support your network perimeter.”

Processes are an important element of any program and provide the overall framework and ongoing guidance to ensure the program operates as prescribed, and effectively. Formal processes to specifically support the network perimeter are often integrated with other processes and almost never centralized to ensure that there is a cohesive flow. Since the network perimeter is often the most vulnerable point of an organization’s operating environment it is important that the processes that support its operation and security are developed with a focus to ensure that they are comprehensive and performed effectively. When doing a review of processes it is important to speak to the key personnel that either own or support the network perimeter and ask them what they do to support the network perimeter. During the conversations you should ask them

(...)
Read the rest of Assessing your Organization’s Network Perimeter (pt. 3) (1,220 words)

© Frank Cassano for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under General.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!