Information Security Q&A

Security awareness - what worked for you

noreply@blogger.com (Yinal Ozkan) — Mon, 08 Feb 2010 13:42:00 +0000

Question:

I am interested to know from you guys what methods you have used to prick the consciousness of your end users - from the standard policy delivery & enforcement tools (e.g. neupart, policy matter, netconsent, et al), through posters & startup screens, right through to "guerilla tactics" rather like Chris Nickerson & hisd guys who did the job on the car dealer.

I had thought of gearing ideas around end user pain points - e.g. post-it notes with a PIN on a dummy credit card, etc. Interested in what low-cost ways others have used.

Thanks in advance guys

Answer:

........,

I have gone through several iterations of awareness initiatives. Web based, class based, print media based, campaign based you name it…

Information Security Practitioners usually skip a very important part of awareness programs, these programs are not security projects where you deliver a technical solution; awareness programs depend on the training component…

Here is the most important thing I learned: Adult psychology is different, you cannot train adults as you train kids.. When you put kids a in a class they simply listen and they learn. Adults never do, they keep questioning: “ Why I am here? Is this good for me? What will I lose if I do not listen? What is in it for me? etc” The questions above must be answered within security awareness initiative since they will keep occupying the short focus of the of the adult minds during training..

So the important structural shift of awareness program initiative is that this is not a project, this not about a portal with multiple choice questions with diagrams, this is not about an application that pops-up, this is about training, and the adult training rules apply.

Years ago, I was in charge of security awareness training of a large trading house.. Participation of all employees was mandatory. Everybody in the class (pre WebEx days) thought this was yet another training, and the eyes were focused on the clock.. I started the conversation with, “I am reading all your e-mail” Well, I got the attention. The whole class got mad . But we had established the training rationale, everybody wanted to how and why I was able to read their e-mail , they were questioning on who else can read their e-mail. Until that moment most of them thought the problems were someone else’s.

In order to share create the personal interest, the best way is to demonstrate vulnerability in day to day applications with live demonstrations (not the checklists, and the pop-quizzes) that employees can associate themselves individually. The demo should not be about the millions that a distant company lost (yes we all heard about TJ Max) or powerpointing defaced web sites to death to bore sales team away. There must be personal interest in security awareness program. Unfortunately not too many people care about the greater good of their employers or the security teams…A salesperson will be more interested so see his CRM database being stolen using his own small blackberry. Or displaying chain of evidence for intellectual property for design engineers, more examples can be given but I think everybody who has managed to read until this paragraph gets the idea; unless there is personal interest there won’t be success.

That being said classical program components like continuous improvement, cyclic approach, audit, measurement/metrics etc will help. ISO programs or the programs like neupart can be used as a good base program management.

-Regards,

- Yinal Ozkan

Using Certificates for Authentication ? Where to store them ?

noreply@blogger.com (Yinal Ozkan) — Sun, 06 Dec 2009 18:57:00 +0000

Question:

Has anyone deployed a VPN solution that leverages user certificates for authentication?

We are considering the possibility of leveraging digital certificates as an authentication factor for VPN. Has anyone implemented this or looked at solutions that do this? We are not comfortable with solely relying on a certificate and the security/integrity of the PC as an authentication mechanism. If you are currently using certificates, I would be interested in hearing how you are deploying this.

Answer:

.....,

The short answer is yes. We did deploy several off-the-shelf certificate based authentication solutions for remote access VPN systems such as Cisco, Check Point, Juniper, Citrix, Nortel.. It is again very possible to deploy similar solutions over SSL VPN solutions (This time easier since browser is the client). I worked with Entrust as the PKI integration provider. When using certs, most of the questions/problems are generic PKI related questions (CRLs, OCSP, identity management etc)

9 out of 10, enterprise shops store the certs on PC or mobile devices since they want to avoid using tokens/smart cards. Using a 3^rd party storage is ideal but to be honest smart cards share the fate of PKI for complexity so many solution sets avoid tokens/smart cards, unless the policies mandate certificates.

When smart cards are more expensive/complex (readers, personalization etc) enterprises use USB tokens to store certificates. (Several companies provide tokens with certificate support, ActivIdentity, Aladdin, Authenex, Entrust, SafeNet (merged with Aladdin) , RSA (RSA has a hybrid token for OTP + certs)).

If you would like to use smart cards as the certificate container, or use the same certs for physical security simultaneously, you can simple take one of the ready to use HSPD-12 Personal Identity Verification (PIV) Card solutions (http://fips201ep.cio.gov/apl.php) so that you can avoid designing all components architecture yourself.

Of course do it yourself path is more fun, technically it is straightforward to integrate certs with any 802.1x based authentication server but as you know it usually gets more complex. We have deployed a complete system for enrollment, biometrics, cards, CMS etc, (took 3+ years)

cheers,

- - yinal ozkan

Best way to stop malware from spreading in a large secure network

noreply@blogger.com (Yinal Ozkan) — Mon, 16 Nov 2009 12:14:00 +0000

Question :What's the best way to stop malware from spreading in a large secure network with no internet connectivity and a multi-platform environment?

Even though the secure environment has no internet access and is on a controlled environment, external USB devices have been added to the network and viruses have been introduced. I'm trying to think of the best ways to stop such external threats being added to a secure closed network. I've got a few ideas bouncing around my head as I believe Antivirus software should be deployed on the workstations in case additional methods of malware introduction are given other that USB. The USB ports could be disabled on all workstations and then the external devices could be scanned before adding to the network. But I'm sure there could be other ideas so can someone offer some suggestions?

Answer:There are multiple approaches, but “the” best way will depend on the mix of your devices in your multi-platform environment (if you still have NT4s and ancient slackware linux copies the solutions you are looking at will be different) and your network status. If there is no internet connectivity naturally you should focus more on entry points (intranets, USB, CD, Floppy, Bluetooth, IR, Wi-Fi)

If you want to classify approaches, your solutions can be at 3 levels, host based, network based and hybrid.

1- Host Based:

a. Use a comprehensive “endpoint security” solution that will have

i. Port Control (USB, CD, Floppy, Bluetooth, IR, Wi-Fi, Ethernet etc)

ii. Encryption (file, disk, mail), key/cert management

iii. Firewall

iv. IPS

v. Antivirus (http and SMTP)

vi. Antispam, Phishing, Malware control (http, SMTP, SMS)

vii. URL filtering

viii. Application control

ix. File integrity Monitoring

x. Remote device management (in a secure manner :)

xi. Biometrics/TPM/SSO/802.1x support

b. Lock down the environment. Do not allow end users to modify any system settings. (e.g. use group policies on windows environment, security blanket on Linux etc)

c. Use point solutions start with port control, anti malware, AV, IPS, firewall . Monitor system resource utilization you may kill endpoints by multiple clients

d. Get physical; super glue all USB ports, remove the CD Drives, break IR sensors, turn off the radios.

e. For old unsupported platforms, deploy file integrity monitoring on critical areas (e.g. tripwire)

f. Use a big brother monitoring tool like Raytheon Oakley’s SureView (check with legal first : )

2- Network Based:

a. Use IPS on the network. IPS will alert you on suspicious traffic you that you can take action faster. If the network traffic is encrypted, IPS will not be very helpful. You may consider decrypting traffic but the solution is a topic for another post

b. Use anomaly detection tools. I really like using these tools; they are my most favorite malware detection solutions. They can either sniff traffic over taps or get flow data. Good solutions are Q1 Labs, Mazu (now Riverbed Cascade).. But any netflow tool will help

c. Segment your network with firewalls

d. Do not allow all protocols (who needs IPX, NetBeui, AppleTalk, SNA anyway : )

e. Use ACLs on network devices. Only allow known ports, lock down network for SRC/DST APP based access rules

f. Monitor Airspace… Make sure that nothing flies out /comes in via wi-fi/Bluetooth et al. I can recommend several tools.

3- Hybrid

a. Use Network access control (NAC). You can have all the security in the world until the cable guy plugs-in his laptop to the Ethernet port in the cafeteria.

b. Use an agent-less scanning tool. Compare all hosts, applications vs your approved gold copies. Monitor all malware constantly from remote. My favorite is Promisec. But you can even use Microsoft SMS

c. Never forget the phones, the smartphones, VOIP phones are the new hosts for the virulent outbreaks/pandemic

If you have a specific question please let me know.

Regards,

- Yinal Ozkan

The "Cyber" Word

noreply@blogger.com (Yinal Ozkan) — Sat, 17 Oct 2009 00:11:00 +0000

I got the following e-mail from one of my peers.
==================
From: Chris Camejo
Sent: Sunday, October 04, 2009 2:19 PM
To: ---------------------
Subject: Cyberwords
I saw this “Cybersecurity” article on CNN and the ridiculous overuse of cyberwords is good for a chuckle:
http://www.cnn.com/2009/POLITICS/10/02/dhs.cybersecurity.jobs/index.html
Apparently the government wants a “cyberczar” and more “cyberexperts” to work as “cyberanalysts” to protect “cybernetworks” from “cyberthreats” and engage in “cyberwarfare” so they can be a an effective “cyberorganization”. Yes, all of those words were really used in the article.
It scares me that there are people making decisions in government who write stuff like that.
-Chris
=====================
I could not agree more.

Every time I see an acronym or a government program that starts with “cyber” prefix I get irritated. I quickly associate the misapplication of the “cyber” prefix with ill-thought, wrong- footed, erroneous information security initiatives – cybersecurity, cyberczar, cybercop, cyberspace and the list goes on…Even my MS Word spell check doesn’t like them. This (using cyber prefix) simply takes the meaning of many serious topics that we are working on by diluting the significance, to the point of serious confusion to everyone except the small number of cyber experts : )

It is also very interesting that only state and federal agencies use “cyber”

The word cyber entered English language in 1991 as “of, relating to, or involving computers or computer networks” according to Merriam-Webster.

The reason I cannot associate cyber is that etymologically it is wrong. Cyber prefix is derived from cybernetics. Cybernetics as a concept in society has been around at least since Plato used it to refer to government. Maybe that is why the government today likes to use it. In modern times, the term became widespread because Norbert Wiener wrote a book called "Cybernetics" in 1948. The study is described as the science of communication and control theory that is concerned especially with the comparative study of automatic control systems (as the nervous system and brain and mechanical-electrical communication systems) Cybernetics is an established interdisciplinary science not a sci-fi flick or an internet buzz word (http://en.wikipedia.org/wiki/Cybernetics) ) The word comes from Greek “kybernetes” pilot, governor (from kybernan to steer, govern) + English –ics.

So what is the relationship between Internet and Cyber? I do not see a real one ..Maybe it is the cyborgs which is a combination of cybernetic + organism.

-yinal

Web Application Security Tools

noreply@blogger.com (Yinal Ozkan) — Tue, 15 Sep 2009 15:49:00 +0000

I have been checking tools for a while for web application security engagements. Here is my list for web application scanners, test tools, proxies, source code analyzers, web application firewalls, XML SOA gateways (I will crosscheck methodologies in another post)

Remote Web App Test Tools and test proxies
1- SPI Dynamics WebInspect - Now HP Webinspect - https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__
2- Sanctum then Watchfire AppScan - Now IBM Rational AppScan - http://www-01.ibm.com/software/awdtools/appscan/
3- Kavado Scando - Now Protegrity - http://www.protegrity.com/DefianceSecuritySuite
4- AppSecInc AppDetective Pro - http://www.appsecinc.com/products/appdetective/index.shtml
5- Cenzic Hailstorm - http://www.cenzic.com/products/software/overview/
6- NT Objectives NTOSpider http://www.ntobjectives.com/products/ntospider.php
7- Acunetix Web Vulnerability Scanner http://www.acunetix.com/vulnerability-scanner/
8- Burp Suite -proxy- http://www.portswigger.net/
9- Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/about.html
10- Positive Technologies MaxPatrol 7 - http://www.ptsecurity.com/mp_eval.asp
11- NGS Typhon III - http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
12- Parasoft http://www.parasoft.com/jsp/solutions/soa_solution.jsp?itemId=319#web_iface_penetration
13- Hyperscan -Art of Defense - http://www.artofdefence.com/en/hyperscan/hyperscan.html
14- HP Assessment Management Platform software - https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9580_4000_100__
15- nCircle - http://www.ncircle.com/index.php?s=products_webapp360
16- Qualys - Web Application Scanning - http://www.qualys.com/solutions/web_application_scanning/
17- Foundstone - Now McAfee Vulnerability Manager - http://www.mcafee.com/us/enterprise/products/risk_and_vulnerablity_management/vulnerability_manager.html
18- Nessus - Tenable Security - http://www.tenablesecurity.com/nessus/
19- Syhunt SandCat http://www.syhunt.com/
20- Saint - No Web App Customization - http://www.saintcorporation.com/products/vulnerability_scan/saint/saint_scanner.html
21- MileSCAN Web Security Auditor (WSA) - Paros Proxy - http://www.milescan.com/hk/ , http://www.parosproxy.org/index.shtml
22- N-Stalker Web Application Security Scanner http://www.nstalker.com/products
23- Nikto - Open Source (GPL) web server scanner http://www.cirt.net/nikto2
24- Canvas (formerly SpikeSecurity) - http://www.immunitysec.com/products-canvas.shtml
25- WebScarab -proxy- http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
26- Odysseus - proxy- http://www.bindshell.net/tools/odysseus
27- CoreImpact - http://www.coresecurity.com/content/core-impact-overview
28- Metasploit - http://www.metasploit.com/
29- Wikto - http://www.sensepost.com/research/wikto/
30- Proventia Scanner (formerly ISS) -http://www-935.ibm.com/services/us , http://www-935.ibm.com/services2
31- e-Eye Retina Web Scanner http://www.eeye.com/html/products/RetinaWebScanner/index.html
32- SQL Power Injector http://www.sqlpowerinjector.com/
33- Sensepost BiDiBLAH - Security Assessment Power Tools (not sure for Web App features) http://www.sensepost.com/research/bidiblah/
34- The Security Auditor's Research Assistant (SARA) - http://www-arc.com/sara/
35- Founstone Tools - http://www.foundstone.com/us/resources/freetools.asp
36- Wapiti Web application vulnerability scanner / security auditor - http://wapiti.sourceforge.net/
37- Curl - httptools, not a scanner - http://curl.haxx.se/
38- Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/
39- Fiddler Proxy - http://www.fiddler2.com/fiddler2/
40- Pantera - another spikeproxy- http://www.owasp.org/index.php/Pantera
41- Suru - proxy from sensepost - http://www.sensepost.com/research/suru/
42- Charles Proxy - http://www.charlesproxy.com/
43- Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/
44- RatPrxoy from Google http://code.google.com/p/ratproxy/
45- JS Proxy - for javascript - http://jscmd.rubyforge.org/
46- OWASP Phoenix Chapter - Another List of Tools : http://www.owasp.org/index.php/Phoenix/Tools

Source Code Analysis
1.Coverity Integrity Server / Prevent -http://www.coverity.com/products/coverity-prevent.html
2.Escher Technologies Eschertech - http://eschertech.com/
3.Fortify Software Suite (analysis, workbench, metrics & trending console, customization module) http://www.fortify.com/products/fortify-360/vulnerability-detection.jsp
4.Gimple PC and Flexe-Lint C/C++ -http://www.gimpel.com/html/products.htm
5.Grammatech CodeSurfer C/C++ - http://www.grammatech.com/products/codesurfer/overview.html
6.Ounce Labs - Now IBM - http://www.ouncelabs.com/application_security/
7.Parasoft JTest Parasoft Application Security- Java Static Code Analysis - http://www.parasoft.com/jsp/products/home.jsp?product=Jtest
8.Secure Software CodeAssure Workbench C/C++, Java (Now Fortify)
9.Veracode - http://www.veracode.com/solutions
10.Armorize Codesecure - http://www.armorize.com/?link_id=codesecure
11.Klocwork Insight/Solo http://www.klocwork.com/products/product-comparison-matrix/
12.Hypersource - Art of Defense - http://www.artofdefence.com/en/hypersource/hypersource.html
13. PHP Pixy - http://pixybox.seclab.tuwien.ac.at/pixy/
14. BFBTester: Brute Force Binary Tester - http://bfbtester.sourceforge.net/
15. CROSS (Codenomicon Robust Open Source Software) -http://www.codenomicon.com/solutions/cross.shtml
16. Flawfinder - C/C++ source code - http://www.dwheeler.com/flawfinder/
17. Gendarme -.NET applications and libraries - http://www.mono-project.com/Gendarme
18. Stanford SecuriBench -open source - http://suif.stanford.edu/~livshits/securibench/
19. OWASP Phoenix Chapter - Another List of Tools : http://www.owasp.org/index.php/Phoenix/Tools

Web Application Firewalls:
I am excluding network firewalls with deep inspection features such as Cisco, Juniper, Check Point, Fortinet

F5- ASM -Application Security Manager - http://www.f5.com/products/big-ip/product-modules/application-security-manager.html
Breach Security - http://www.breach.com/products/
Imperva - SecureSphere -http://www.imperva.com/solutions/web-application-security.html
Cisco ACE Web Application Firewall http://www.cisco.com/en/US/products/ps9586/index.html
White Hat Sentinel (add-on for F5, Imperva, Breach) - http://www.whitehatsec.com/home/services/waf.html
Citrix NetScaler http://www.citrix.com/English/ps2/products/product.asp?contentID=25636
Protegrity WAF - http://www.protegrity.com/WebApplicationFirewall
Fortify Real Time Analyzer RTA - http://www.fortify.com/products/detect/
AQtronix for IIS - http://www.aqtronix.com/?PageID=99
DenyAll rWeb - http://www.denyall.com/products/rweb_en.html
Applicure DotDefender - http://www.applicure.com/About_dotDefender
Armorlogic Profense - http://www.armorlogic.com/
Bee Ware i-Sentry http://www.bee-ware.net/en/product/i-sentry/
BinarySec (French) http://www.binarysec.com/cms/docs/products/products.html
BugSec WebSniper http://www.bugsec.com/index.php?q=WebSniper
e-Eye SecureIIS http://www.eeye.com/html/products/secureiis/index.html
webscurity web.AppSecure http://www.webscurity.com/products.htm
Phion Airlock http://www.phion.com/INT/products/websecurity/Pages/default.aspx
Radware AppWall http://www.radware.com/Products/ApplicationDelivery/AppWall/default.aspx
Hyperguard - Art of Defense : http://www.artofdefence.com/en/hyperguard/hyperguard.html
Barracuda Web Application Firewall - http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php

XML Firewalls
Radware AppXML http://www.radware.com/Products/ApplicationDelivery/AppXML/default.aspx
DataPower (now owned by IBM) - WebSphere DataPower SOA Appliances -http://www-01.ibm.com/software/integration/datapower/
Reactivity, Inc. (acquired by CISCO), The Cisco ACE XML Gateway - http://www.cisco.com/en/US/products/ps7314/index.html
Forum Sentry XML Gateway - http://www.forumsys.com/products/index.php
Layer 7 Technologies' SecureSpan XML Firewall - http://www.layer7tech.com/main/solutions/firewalling.html
Vordel XML Gateway - http://www.vordel.com/products/vx_gateway/
Dajeil - http://www.dajeil.com/Products.asp
Sarvega (now owned by Intel) Intel SOA Expressway - http://www.intel.com/cd/software/products/asmo-na/eng/373233.htm
Bloombase Spitfire Security Server - http://www.bloombase.com/products/spitfire/index.html
Sonoa http://www.sonoasystems.com/product-matrix#anc-security
inferno - opensource - http://ixmlfirewall.sourceforge.net/
DAXFi - Dynamic XML Firewal - Opensource - http://sourceforge.net/projects/daxfi/

open for feedback,
- yinal ozkan

RSA Conference Notes (US 2009)

noreply@blogger.com (Yinal Ozkan) — Sun, 13 Sep 2009 02:28:00 +0000

Better late than never...

During the RSA conference (April 2009) organizers had flip cameras for us (where they announced over twitter)
Instead of typing/blogging my notes, I experienced the "vlogging" which was easy. Here are RSA edited notes from RSA Conference web site:

Part I
Part II
Part III

Sometimes it is positive to see and hear the author, sometimes it is not. But as far as I see we should better not hide behind anonymous posts. I think that we can communicate better with the new gadgets offered us literally at no cost.

cheers,
- yinal

IT Governance, Risk and Compliance (ITGRC) Tools August 2009

noreply@blogger.com (Yinal Ozkan) — Sun, 16 Aug 2009 19:26:00 +0000

Here are the updated links for the IT-GRC vendors, IT-GRC wanna be GRC vendors, and some IT based risk management tool/software providers.

There is still a thin line between IT, Financial and ERP GRC solution providers.

I have noticed that SAP has created its own GRC context where GRC means a lot of other things... SoD- Segregation of Duties, entitlements management, users access/authorization for applications/transactions, audit managment, role management etc.Basically a dull extention of IT audit controls. SAP's Virsa and SUN's Vaau acqusitions are good examples of this trend. That is not GRC -- that is mediocre IT controls audit. The term GRC is used without any consideration. This statement is also valid for the other usual suspects l(Oracle, PeopleSoft, Hyperion, JD Edwards,)

Here is a quick M&A update from last post:
Brabeion is acquired by Archer (Big News)
Controlpath is acquired by Trustwave.
Paisley is acquired by ThomsonReuters
Iconium is acquired by Logicalis
IBM dropped their own suite and working with Modulo
Favored GRC has a new name Highpoint GRC
Achiever is gone
I looked at ACL, Approva,Aveksa,Opentext,SecurityWeaver, Xpandion, Spatiq solutions,, I will be checking these vendors in the future, these solutins tend to manage ERP security only)..

IT-GRC solution Providers:

Agiliance
http://www.agiliance.com/
Archer ( acquired Brabeion)
http://www.archer-tech.com/solutions/index.html
Trustwave GRC
https://www.trustwave.com/GRC.php
Symantec (Control Compliance Suite)
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-datasheet_control_compliance_suite_9.0-11_2008_14121573.en-us.pdf
Compliance Spectrum
http://www.compliancespectrum.com/
Modulo
http://www.modulo.com/home.jsp
NeIQ
http://www.netiq.com/solutions/scm/default.asp
eIQ Networks SecureVue
http://www.eiqnetworks.com/products/SecureVue/SecureVue_Technology.shtml
CA GRC
http://www.ca-grc.com/
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Logicalis grace (acquired Iconium Assets)
http://www.uk.logicalis.com/business_issues/governance_grace.asp
Lumension (acquired Security-Works)
http://www.lumension.com/landing.spring?contentId=154643
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/it-grc-management.html
Proteus
http://www.infogov.co.uk/proteus_enterprise/index.php
BPS
http://www.bpsinc.com/
Avedos
http://www.avedos.com/257-Home-EN.html
BWise
http://www.bwise.com/
Neupart
http://www.neupart.com/
Metric Stream
http://www.metricstream.com/
Nemea
http://www.nemea.us/
Highpoint
http://www.highpointgrc.com/
Paisley (now Thomson Reuters)
http://www.paisley.com/
OpenPages
http://www.openpages.com/Solutions/Technology_17.asp
Qumas
http://www.qumas.com/products/index.asp
IDS Scheer
http://www.ids-scheer.com/us/en/ARIS/ARIS_Solutions/Governance_Risk__Compliance_Management/139893.html Axentis
http://www.axentis.com/offerings/solutions/itgovernance
Methodware
http://www.methodware.com/it-security/
Protiviti
http://www.protiviti.com/grc-software/Pages/default.aspx
Cura Software
http://www.curasoftware.com/pages/content.asp?SectionId=7&SubSectionID=48
Mega
http://www.mega.com/index.asp/l/en/c/grc
ControlCase
http://controlcase.com/it-grc.htm
McAfee Risk and Compliance Manager (formerly McAfee Preventsys),
http://www.mcafee.com/us/local_content/white_papers/dashboard_reporting_it_grc.pdf
Greenlightcorp (SAP GRC)
http://www.greenlightcorp.net/sap_grc_cross_platform.html
Trintech -Financial GRC only
http://www.trintech.com/
SAI global
http://www.saiglobal.com/compliance/grc-software/
SAP
http://www.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx
eFortresses
http://www.efortresses.com/Compliantz.htm
Simeio Solutions GRCAXS (IT GRC module)
http://www.simeiosolutions.com/
Compliance 360 ( eGRC )
http://www.compliance360.com/news.asp

There are also dedicated Risk Management Tools which will soon identify themselves (maybe they already do) for IT GRC marketspace
Callio
http://www.callio.com/
Casis
http://www.clearpriority.com/ (clearpriority)
Strategic Thought Active Risk Manager
http://www.strategicthought.com/riskmanagement.html
Cobra
http://www.riskworld.net/
Citicus
http://www.citicus.com/oursoftware.asp
Alion – Countermeasures (makers of Buddy System)
http://www.countermeasures.com/
Siemens – CRAMM
http://www.cramm.com/
Acuity Stream
http://www.acuityrm.com/
EAR/Pilar
http://www.ar-tools.com/en/index.html
GStool (mainly German)
https://www.bsi.bund.de/cln_136/EN/topics/ITGrundschutz/ITGrundschutzGSTOOL/itgrundschutzgstool_node.html Sigea GxSGSI (this site is in Spanish only)
http://www.gxsgsi.es/
RA2
http://www.aexis.de/index.php?site=static&staticID=4
RiskPAC
http://www.cpacsweb.com/riskpac.html
Risicare (French)
http://www.risicare.fr/
Riskwatch
http://www.riskwatch.com/
ISmart
http://www.biznet.com.tr/english/ismart_info.htm
Resolver
http://www.resolver.ca/
RMStudio
http://www.riskmanagementstudio.com/
RiskConnect
http://www.riskonnect.com/riskonnect_products.html
PTA Risk Assessment Tools and Technology
http://www.ptatechnologies.com/
Avedos Risk2Value
http://www.avedos.com/111-Short-Facts.html
Non-IT Risk Software
http://www.riskworld.com/SOFTWARE/sw5sw001.htm

I still need time to add URL links for the well known risk assessment methodologies. A little bit googling will take you to the right resources if you want to build your won system using a methodology or a framework.
Methodologies for Risk Assessment and Management listed below can be used at IT operations... Endless discussion for quantifying the risks... I like ISO 27000 series to lead, but each case is different.

ISO 14971 – Risk Management for Medical Technologies
NIST 800-30 Risk Management Guide for IT Systems - National Institute of Standards and Technology
OCTAVE (Carnegie Mellon)
The Institute of Risk management (IRM) The Risk Management Standard
ISO 13335-2 Information Security Risk Management, To be replaced by ISO/IEC IS 27005
BS 7799-3:2006 Information security management systems. Guidelines for information security risk management
BSI Grundschutz Handbuch
ENISA Regulation (2004)
PARA - Practical application of risk analysis
PTA - Practical Threat Analysis for Securing Computerized Systems
Austrian IT Security Handbook
Federal Financial Institutions Examination Council’s (FFIEC) IT handbook covers information security risk assessment
Threat and Risk Assessment Working Guide from The Government of Canada Security Policy
CRAMM - British Office of Government Commerce or The CCTA's (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
Afhankelijkheids- en Kwetsbaarheidsanalyse (Dutch A&K)
EBIOS (French Government)
FRAP: Facilitated Risk Assessment Process
ISF –IRAM : Information Security Forum Ltd. Information Risk Analysis Methodologies . Also check FIRM (Fundamental Information Risk Management), SARA (Simple to Apply Risk Analysis) , SPRINT (Simplified Process for Risk Identification)
CLUSIF MEHARI - Club de la Sécurité de l'Information Français
Calpana CRISAM
Securitree from Ameneza
OSSTMM RAV (RAV stands for Risk Assessment Values)
SOMAP - Security Officers Management and Analysis Project
FAIR Factor Analysis of Information Risk
DRAM Delphic Risk Assessment Method
Buddy System
AS/NZS 4360 (2004) Risk Management. Australia/New Zealand standard for risk management

There are also Compliance Management/SIM/SIEM solutions which partially present GRC.
Here are a few links:

Tivoli Security Compliance Manager
http://www-01.ibm.com/software/tivoli/products/security-compliance-mgr/
Novell Compliance Management Platform
http://www.novell.com/products/compliancemanagementplatform/
Easy2comply (formerly Dynasec)
http://www.easy2comply.com/
AlertLogic
http://www.alertlogic.com/
NetForensics
http://www.netforensics.com/compliance/
Arcsight
http://www.arcsight.com/solutions/solutions-compliance/
RSA enVision
http://www.rsa.com/solutions/compliance/datasheets/9373_ISOENV_DS_0408-lowres.pdf
Intellitactics
http://www.intellitactics.com/int/solutions/compliance.asp

Actually all SIM SIEM vendors have a compliance management solution. For their list you can check the following post:
http://security.24kasim.org/2008/12/differentiation-of-log-management.html

PCI Reporting Requirements for Merchants

noreply@blogger.com (Yinal Ozkan) — Fri, 31 Jul 2009 16:00:00 +0000

Facts:
- Check your PCI Merchant levels and validation requirements from the following post: http://security.24kasim.org/2009/06/pci-levels-for-merchants-2009.html

Amex

Level 1-
If compliant, Attestation of Compliance –AOC- (recommended) or exec summary of onsite security assessment report (QSA/internal) annually and quarterly network scan
If not compliant, AOC (recommended) or exec summary of onsite security assessment report and Remediation Plan annually and quarterly network scan and Remediation Plan

Level 2-
Quarterly Network Scans (and Remediation Plan if not compliant)
AOC (Recommended) or Executive Summary
In EU: PCI SAQ

Level 3- Level 4 -
No reporting Required for Amex at L3 and L4

Discover

Level 1 –
Network Merchants:
If compliant Appendix D of PCI DSS requirements and Security Assessment Procedures v1.2 - Attestation of Compliance –AOC-
If not fully compliant must also complete the Action Plan for Nono-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 2:
Network Merchants:
If compliant Attestation of Compliance –AOC- from applicable SAQ
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 3:
Network Merchants:
If compliant Attestation of Compliance –AOC- from applicable SAQ
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 4:
Network Merchants
If compliant Attestation of Compliance –AOC- from applicable SAQ maybe required
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form or Level 4 Merchant Action Plan to Discover twice a year

JCB

JCB has no reporting requirements at this time

MasterCard

Level 1-
Acquirers register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 2-
Acquirers annually register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 3 –
Acquirers register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 4-
No requirements

Visa Inc

Level 1-
At least a twice a year , a statement of merchant compliance / non-compliance
Annual AOC form
Upon request a copy of Report on Compliance (ROC)

Level 2-
At least a twice a year , a statement of merchant compliance / non-compliance
Annual AOC form
Upon request a copy of Report on Compliance (ROC)

Level 3-
At least a twice a year , a statement of merchant compliance / non-compliance

Level 4-
Set by the acquirer

Visa Europe
Level 1-
Annual statement of merchant compliance
For merchants in progress, quarterly update until compliance confirmed
Upon request a copy of Report on Compliance (ROC) including indication of scan completion

Level 2-
Annual Statement of compliance / non-compliance
For merchants in progress, quarterly update until compliance confirmed

Level 3-
Quarterly statement of compliance / non-compliance for merchants above 20000 transactions/year. Annual statement for merchant below 20000 transactions/year

Level 4:
Annual statement of compliance / non-compliance for merchants processing < 1 million Visa transactions/year.

Service Providers are not merchants so if you are providing card processing for 3rd parties (Payment Service Provider) PSP or if you are a TPP (Third Party Processor) PCI levels, validation and reporting requirements are different. The charts above are for merchants only.

Clouds and the VPN

noreply@blogger.com (Yinal Ozkan) — Sun, 28 Jun 2009 21:04:00 +0000

Question:
Do I need VPNs in the cloud?

Answer:
There are several questions regarding the necessity of VPNs in the cloud.

I think the first step is to clear the concept of cloud. Currently the word “cloud” is used interchangeably for TelCo service provider transport clouds (Network Clouds) (e.g.MPLS) and Cloud computing web services that provide resizable compute capacity as a cloud (like Amazon EC2).. We can also define private service providers like SaaS providers, managed service providers MSPs) as cloud/utility providers (like force.com from salesforce.com, webroot SaaS). Here are some articles defining cloud and transport options.
http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf
http://mediaproducts.gartner.com/reprints/f5networks/vol3/article4/article4.html

When the necessity of VPNs in the clouds are analyzed, it is obvious that encryption is indeed one of the key pillars of modern information security. And VPNs do provide confidentiality and integrity for data at transit. When cloud networks do transport the data they should provide integrity and confidentiality of data. That being said this does not have to be at layer 3 (IPSEC) or layer 6 (SSL). So focusing on an IPSEC client does not help to address the issue. Confidentiality and integrity services can also be provided via applications themselves. When data is critical you may certainly encrypt data at application layer. (e.g. rights management solutions)

Here is the high level satus for VPNs in the cloud

1- TelCo Network Clouds (Service Provider) – This is the most interesting part. TelCos claim that their shared infrastructure and MPLS VPNs are secure. This is questionable (see article below) but the answer depends on the security needed.
If service provider cloud is not trusted enough you always encrypt at another layer (usually with the application).I personally believe that cloud service provider (TelCos) must be subject to heavier inspection when they are transporting almost all of the intersite traffic. Here are some articles discussing the issue
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Rey-up.pdf
http://www.techworld.com/networking/features/index.cfm?featureid=3360

I also do not understand why TelCos are exempt from security regulations. (PCI is a good example) TelCos (and their admins, applications, helpdesk people, servers, cable guys…) do have access to almost all interoffice data traffic when MPLS type of TelCo backbone is used. And when the MPLS cloud is compromised, all clear text (yes even the tunneled ones) will be compromised. Real encryption is rarely used. TelCos have been promoting themselves as secure service providers while promoting layered tunnels as segmentation, but I believe they must seal these claims with 3rd party certifications and allowing encryption friendly (where keys are held by the data custodians) clouds.

2- Cloud Computing providers: These providers addressed encryption at their inception thanks to their security aware generation. Before encryption there are several other questions. Here is my post on generic cloud computing security issues: http://security.24kasim.org/2009/02/cloud-computing-security.html

3- SaaS providers. SSL looks like the king at these providers. Segregation of customer data, and customer driven/controlled encrpytion for data at rest and data at transit is required. For data at transit, SSL is secure enough when proper authentication/cert management is provided.

I am still following the following basic principles when I evaluate a platform. Regardless of the nature of technology, all platforms (clouds and others) should answer properly to following areas of information security:
1- Authentication
2- Authorization
3- Confidentiality
4- Integrity
5- Non-Repudiation

cheers,
- yinal

PCI Levels and Validation Requirements for Merchants 2009

noreply@blogger.com (Yinal Ozkan) — Mon, 01 Jun 2009 04:04:00 +0000

This topic is always in the air so here are the official numbers for 2009 from PCI Security Standards Council the official governing body on the PCI requirements for merchants:

Facts:

- Payment Brands determine Merchant PCI levels. Payment Brands are Visa, Mastercard, Discover , Amex etc. They do have the last word on this topic

- Transaction volume is determined by Acquirer

- Transaction volume is aggregate number of transactions (chain stores do count if cards are processed centrally)

Amex

Level 1- Over 2.5 Million Amex card transactions/year, or any merchant who is Level 1 according to another Payment Brand

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 50000-2.5Million Amex transactions/year, or any merchant who is Level 2 according to another Payment Brand

Action: EU only annual SAQ, Quarterly ASV scans

Level 3- Less than 50000 AMEX transactions/year

Action Quarterly ASV scans (recommended) , EU only SQA (recommended)

Level 4- N/A

Action: None

Discover

Level 1 - Over 6 Million Discover card transactions/year, anybody who Discover thinks that they level 1 (discretionary) or any merchant who is validated/reported as Level-1 to another Payment Brand

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 1-6 Million Discover transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand

Action: Annual SAQ, Quarterly ASV scans

Level 3- 20000-1 Million Discover transactions/year, or any merchant who is validated/reported as Level-3 to another Payment Brand

Action: Annual SAQ, Quarterly ASV

Level 4- Everybody else with Discover card processing

Action: Determined by Acquirer, Annual SAQ, Quarterly ASV recommended

JCB

Level 1 - Over 1 Million JCB card transactions/year or anybody who is compromised

Action: Annual Onsite QSA audit, Quarterly ASV scans

Level 2- Less than 1 Million JCB transactions/year

Action: Annual SAQ, Quarterly ASV scans

Level 3- N/A

Action: none

Level 4- N/A

Action: None

MasterCard

Level 1- Over 6 Million Mastercard card transactions/year, or any merchant who is Level 1 according to another Payment Brand or anybody who is compromised

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 1-6 Million Mastercard transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand

Action: Annual SAQ, Quarterly ASV scans

Level 3- 20000-1 Million Mastercard “e-commerce” transactions/year, or any merchant who is validated/reported as Level-3 to another Payment Brand

Action: Annual SAQ, Quarterly ASV

Level 4- All other Mastercard merchants

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Visa Inc

Level 1- Over 6 Million Visa card transactions/year (all transactions not just e-commerce), or any global merchant who is identified as Level 1 by Visa by any Visa Region

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form

Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions not just e-commerce),

Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form

Level 3- 20000-1 Million Visa “e-commerce” transactions/year

Action: Action: Annual SAQ (In Canada SAQs require QSA reviews), Quarterly ASV

Level 4- Merchants processing less than 20000 e-commerce transactions/year or merchants processing up to 1M any channel Visa transactions/year

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Visa Europe

Level 1- Over 6 Million Visa card transactions/year (all transactions not just e-commerce), or compromised merchants

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form

Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions not just e-commerce),

Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form

Level 3- 1 (one) to 1 Million Visa “e-commerce” transactions/year

Action: Annual SAQ, Quarterly ASV or use PCI DSS certified processor for all transactions

Level 4- Merchants processing up to 1 Million any channel Visa transactions/year

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Of course all parties who process store or transmit credit cards must follow PCI requirements (PCI-DSS) regardless of their levels.

I will cover reporting requirements for merchants in another post.

Securing Legacy Windows Applications

noreply@blogger.com (Yinal Ozkan) — Sun, 05 Apr 2009 16:52:00 +0000

Question:

What are some techniques for securing legacy Windows server applications using virtualization and/or sandboxing?

Answer:

……,

I do come across these legacy applications everyday and you are right they are not going away and we have to deal with them.

VMware and the other virtualization solutions will not make legacy windows applications more secure (or less secure) . They will just virtualize legacy host systems and fill the need for multiple hardware hosts. You may certainly choose to segment hosts via virtualization, if you believe that it is easier to apply high end IPS/FW/Content security systems inline. This is technically possible in several ways,

1- Deploying hypervisor behind security controls

2- Deploying virtualized security appliances in between vm images.

Your options are not that much different on non-vm deployments. Legacy windows systems are tough to secure for the following reasons:

1- They are usually deployed on vulnerable operating systems, the patches are not available for the operating systems.

2- Host based security controls are usually not compatible (HIPS, AV, FW, Logging, Identity Management etc)

3- Ancient communication protocols are used (RPC, older network stacks, clear text non authenticated file transfers etc)

4- Don’t have the developers of the apps at reach, it is not easy to patch application vulnerabilities…

And the list goes on for the reasons that you already know.. Here are practical solutions: 1- Deploy file integrity monitors, registry monitors. These MD5/SHA1 based tools are independent of the OS, they bring some security. You need to identify critical files/filesystems yourself.

2- Migrate user management to new systems if possible (this is usually not possible but try – avoid NT4 domains, allow local admin users only). Migrate old databases/database connectors to new ones if possible (applications stays intact /data moves to a new home, technically to a more secure one)

3- Segment these servers, they will be compromised since they cannot be properly secured. Do not keep them in the same segment with other “decently” secured hosts/applications. If possible use 1 new segment per host. Usually it is difficult to change IP settings so you can use transparent firewalls/IPS at Layer2

4- After segmenting , assume that these legacy segments are untrusted, apply the security controls that you apply to untrusted segments.

5- Run vulnerability assessments continuously, and know your vulnerabilities. Run your action plan based on the findings…Pen test if the stakes are higher.

6- You will probably see buffer overflows, monitor uptime and get curious after unplanned reboots ,systems halts

7- Log everything at network level (not on host or at application level). Allow access at need to know level. Restrict access by any means (IP, client etc).. Make sure that you have audit trail.

8- Have a migration plan, if not make sure that your risk statement includes the risks associated with these hosts.

Good luck, cross your fingers,

cheers,

- yinal ozkan

Productivity Metrics

noreply@blogger.com (Yinal Ozkan) — Sun, 05 Apr 2009 16:50:00 +0000

Question:

What do you think are key productivity metrics for an infrastructure operations group? What according to you are key productivity metrics for running an infrastructure operations group.

Answer:

That is a tough question. I would start with definition of productivity since it is not a generic metric like uptime measurement…

Productivity is a simple measurement of input vs. output. There are several mathematical models but I would recommend staying simple.

The inputs are usual suspects; they are the resources you have: time, people, and money… You may turn each input into another but I would recommend staying with three.

In productivity metrics, my approach is to compare the delta in output for a fixed input. That is why it is slightly different than regular metrics such as plain uptime, or MTTRs.

I like the COBIT classification for the metrics:

Quality Principles: Cost, quality and delivery fulfillment.

Fiduciary Principles: Effectiveness and efficiency of operations, reliability of information, regulatory compliance.

Security requirements: Confidentiality, Integrity, and availability

But it is easy to classify in different ways, the idea is to measure productivity metrics instead of raw metrics (build a baseline for an input and start comparing a baseline of metrics and get an idea on the productivity for certain input)

For the key metrics representation I would go with %#$” (percentage, number, dollar and time,)

The outputs at infrastructure operations to build comparative productivity metrics can be (but not limited to):

Per Role Outputs:

# Last year Level 1 Engineer was closing 8 priority-1 tickets a day this year 20

# Last quarter Level III engineers were completing 2 projects/month, this quarter 1

% Percentage of positive feedbacks per role

Time Based Outputs: Our “Mean Engineering Fix Hours” time was 2 hours now it is 90 minutes..

Time: MTTR/MTBFs baselines

Time: Unplanned downtime baselines

Time: Cycle time provisioning a new infrastructure component was 1 week now it is 3 days

Money based:

$ Per ticket cost was $100 now it is $20

% Percentage of infrastructure costs charged back to business was 50% now 80%

$ Cost of running my team was $x now $y

$ Unplanned downtime impact in $ terms was $x now $y

Quality Based

% Percentage of planned/on time completed change requests – over time/cost

% Percentage of systems compliant with policy requirements – over time/cost

% Percentage of systems with the required OS/patch levels – over time/cost

e.g. Last month our team had 3000 hours 90% of changes were within planned range.

It is easy to deploy custom metrics based on your environment as long as you stay with the productivity focus. You can also build your metrics from the frameworks you are following (PCI, FFIEC, COBIT etc)

Also in reporting you need to explain surges, drops and trend changes that effect productivity metrics.

Yes, it is not an exact science but as it is said “you cannot improve what you cannot measure” . I also recommend Andrew Jaquith’s “Security Metrics” book even if it is security focused.

regards,

- yinal ozkan

Information Security Career Advise

noreply@blogger.com (Yinal Ozkan) — Tue, 24 Mar 2009 03:57:00 +0000

Question:

I have a masters in Network security and working as a Information security and network analyst. I also have a CCNA and trying to figure out if i should head the cisco way to get ccsp/ccnp or get into the ISC2 arena. How are Infosec jobs in the North west region? What are the exact skill set companies are expecting for entry,mid level positions in information security and network administration ?

Answer:

xxxxx,

As usual getting them all is the best but we all know that you need to prioritize. I think with a grad degree you have already made a good investment.

On the policy/information security/risk side CISSP and CISM best practices certifications do help you to speak the same jargon with the industry. When you get these certs, you will naturally acquire the jargon and you may also become a member of ISSA, ISC2 or ISACA to join the social networks that come with these certifications. I also like the CISA certification where you get an official auditor title. These certifications will play nice with your Masters Degree in Network Security. The member websites also provide plenty of frameworks, tools and methodologies to begin with.

Product vendor certifications are different. These certifications usually open the door for entry level positions. For example if you have CCSP, and the position you are applying to is a Cisco shop, you have a higher chance. There is a big gap when you compare vendor certifications with generic security best practice certifications though; vendor certifications are usually very hands on and they do require day to day sharpening of skills- and you cannot do this alone, yourself, away from the vendor, try this path only if

- you like operations and hands-on troubleshooting

- you have a change to use these products in your daily life

- you have a chance to work on complex requirements (for example if you have never worked on a complex dynamic routing environment, your Cisco routing cert is valueless)

Once you become a subject matter expert on a vendor product you may command a higher income, but that is not a work from home and then get certification process.

Your main question is about the jobs. In small shops information security and network management are usually merged in 1 group/role... In SoHo operation this is 1 person…. Getting skills in both (best practices and vendor space) will help you to find something faster in SME space. But for the larger >Fortune 1000 shops, usually information security and network operations are segregated, so focusing on one side pays better on larger companies. It is always better to know both, but I rarely seen experts of both sides...

Again, certifications are just 1 component of the hiring decision matrix; experience, work ethic, income expectations, work authorizations, people skills usually play a larger role in hiring decision, but it is correct that certifications may help you to pass the non-IT recruiter screenings.

You should choose the path that makes you happy to work. That will make you successful regardless of the path you choose. If you will enjoy working on security policies at 11pm, if you won’t see the work as “pays the bill” thing, that is the right path for you. If you are ambitious, and you believe you have the bandwidth to get both vendor and best practice certifications just go for them, it is not tough.

The trick is that “job market” can drive you only to a certain point, the rest is dependant on your personal interest and you enthusiasm for the path you choose.

Let me know if you have a specific question,

Regards,

- yinal ozkan

p.s. you may check my previous posts related with this topic:

http://security.24kasim.org/2008/10/it-security-consultant-jr.html

http://security.24kasim.org/2007/08/are-cissp-cisa-and-cism-credentials.html

Cloud Computing Security

noreply@blogger.com (Yinal Ozkan) — Sat, 28 Feb 2009 23:06:00 +0000

Question:

What are your concerns about cloud computing security?

Answer:

I am not concerned. What we expect from any solution provider is no more different than what we expect from a cloud computing service/infrastructure provider. Can they deliver it? Well,, I do not think they (cloud computing providers) are worse than incumbent corporate IT security teams in charge today. At the end of the day , cloud computing is going through a similar security management path that private networks had followed for years (on a different scale :)

In the last month, I have seen several posts on several platforms regarding “Cloud Computing Security”. Without getting into the context so many experts delivered whitepapers, articles posts. Here are the concerns in simple English:

1- Who reaches to my data? Any privacy?

2- Where is my data?

3- Can they control outbreaks in a distributed environment?

4- Can I get through compliance?

5- Can I or can my peers audit security?

On the western front security requirements are same. Cloud computing does not change the requirements of information security, so to simplify the concept, we may claim that the what we expect from cloud computing provider is no more different than what we expect from corporate IT.

Who reaches your data in the cloud? – Well that is a question that you must ask before signing the contract, technically it is not worse than what your TelCo providing MPLS; did you ever wonder who taps your data over the WAN? Make sure that the contract terms are in favor of PII and relevant compliance requirements that you are subject to. And do not be contained with sales material from Cloud Computing provider, audit it, (I actually know ways to bypass queries, so hire a good auditor who can accredit cloud computing provider’s claims – e.g. they can say access to data is subject to need to know, but it is usually not the case)

Where is my data? – Your data is factually in the cloud, you cannot know; it can be everywhere, but as long as it is secure, your BCP/DR plans are in place, and you are not breaking the law by sending data overseas you should be fine, why do you care, do you see your money when it is in the bank, you worry because it is not in your home safe? (I think this is a bad allegory for today:) Again, audit the claims, put it in the contract.

Can they control the outbreaks? Is it a controlled environment? – I can make a bold claim that the cloud computing services have a higher availability than corporate IT services. They are usually redundant in gigantic terms, and they do hire brilliant engineers in bulk (see the providers, google, microsoft, amazon, salesforce ? ).. Things go wrong everywhere, so make sure that you always have an isolated plan b in the cloud, and again put it in the contract and test it, make sure BCP/DR works

Can I get through compliance? - Easily, if it is included in the contract , passing compliance will be easier than ever, my cloud computing provider goes through PCI, HIPAA, SoX, ISO 27001 et al, they pass , I pass, what a wonderful feeling.. Well, if your provider does not offer compliance services, then ask for it, at the end of the day you may not be able to dispatch auditors to 500 data centers (big 4 dream)

Can we/peers audit it? – You must, the cloud computing provider must open like an encryption algorithm, remember the old basics security thorugh obscurity is no security at all..Again put it in the contract, do the sampling right (you cannot audit it all, be a pramatist) and audit it.

If you have a specific question, I can write the specifics and play the devils advocate,

Regards,

- yinal ozkan

Differentiation of Log Management Solutions

noreply@blogger.com (Yinal Ozkan) — Sat, 27 Dec 2008 04:09:00 +0000

Question:
Centralized Log Management
I'm look for an enterprise log management solution, which can collect log of various network devices, servers(primarily windows servers). The purpose of the same is primarily for complaince. eg:- detecting security issues, troubleshooting etc. I have read lot of articles, but haven't found a good document containing technical differentiation of the various Log Management products on offer. I require your professional suggestion on the subject.
Rgds
xxxxxx

Answer:
xxxxxx,
Here is a good start if you are looking for high level documents:
http://www.securitynews.cz/secnews/security.nsf/0/D328A8B95CC377A2C12572EF0069DF63/$file/Gartner_MQ.pdf

http://www.sans.org/score/esa_current.doc

On the technical site I would check the following areas with the solution provider:
1- Compatibility (which products are officially supported as the log source)
2- What are the event aggregation/consolidation/normalization and correlation options
3- What if the log source is not supported? How easy is it to integrate?
4- How is licensing? When the deployment is distributed, and you have remote event collectors how does it work? (per event, per core, per site etc)
5- What are the out of the box reports? (Ask for actual reports, do not just say yes to report names, do not just buy in ISO 27001 or PCI report are ready sales pitch)
6- How do you configure custom reports? Easy?
7- Do you have role-based management? Integration with LDAP, AD et al?
8- How do you integrate with other enterprise tools? Ticketing? GRC? Workflow etc? Easy?
9- Do you baseline data for anomaly detection? Do you support flow data analysis?
10- Can you get the solution in SaaS or fully managed MSSP format?
11- How do you scale?
12- How do you integrate with 3rd party storage solutions?
13- Is it more difficult than Google when you run a search?
14- How many people are required to run the operations? How many people are required to deploy it? Do you have formal training classes?
15- How do you maintain high availability? (Esp when you have multiple levels of agregation
16- Is it possible to store/analyze raw network traffic?

As discussed above and in other previous posts there are several "commercial" solutions to manage log data win servers, network equipment, UNIX servers, security devices etc. Depending on your requirements and event sources, the solutions may vary. I personally work with RSA Envision (formerly Network Intelligence), Cisco MARS, Loglogic, Q1 Labs and eIQ Networks but there are many other solutions. (e.g. IBM, CA, Novell, Arcsight, Intellitactics, NetForensics, TriGeo, Symantec, Quest, Consul, SenSage, and OpenService) In the meantime Nortel, Juniper and Enterasys have Q1 based offerings as well.
If you look at just the logging manager, you can extend solution set with LogRhythm, Splunk, Snare and Kiwi Syslog Daemon.

If you have a specific question let me know,
cheers,
- yinal

Why GRC does not stick?

noreply@blogger.com (Yinal Ozkan) — Sat, 27 Dec 2008 02:17:00 +0000

GRC in IT field is supposed to be next best thing. But why is it not here yet? IT-GRC is not a fabricated solution set, it is a real world response to a present need which has evolved in many directions… At the beginning there were only simple logs and policies, then came the tools, methodologies, and integrated solutions. Even that wasn’t enough we needed a solution set for governance risk and compliance all together and then we had the IT GRC.

All the good signs of the next killer solution, but why IT GRC is not mainstream? Many people including myself ask the same questions..

I would like to use the analogy in a very popular business book “Made to Stick” by Chip and Dan Heath.

Here is the book’s outline: The acronym "SUCCES" (with the last s omitted) forms the correct components of an offering that stick to the minds... Each letter refers to a characteristic that can help make an idea "sticky":

Simple — find the core of any idea … First of all GRC has 3 cores like the new processors, and they all point at different directions and groups in IT organizations. Just explaining the core values of one them (Governance Risk or Compliance) is complex enough where GRC solution providers are struggling to bring out the synergy of those 3 cores all together.

Unexpected — grab people's attention by surprising them. GRC is not surprising. We have been waiting for such a solution for years, there was simply not enough drivers for a commercial one. Within the name of toolkits, methodologies everybody had a hodgepodge workflow, at the end who beats a nice combination of excel, word and lately sharepoint documents :) . An organized solution that can tie into the governance of IT processes risk and compliance was always a project in progress. Luckily some vendor delivered much better organized solutions. But at the end of the day it was not surprising.. When I make a presentation on GRC, the first question that I get it (Can I buy a tool that delivers what you telling about?) The question is wrong of course but it steals all the “unexpected beauty of the solutions sets

Concrete — make sure an idea can be grasped and remembered later. No it won’t be remembered easily even if Gartner says so. GRC covers a broad area, and it is not easy to find individuals who carry the responsibility and the attention span for all the GRC solutions.

Credibility — give an idea believability. GRC is too good to be true. Since it is new in the IT field, credibility is not easy. Many of the vendors will oppose to this statement, but it is difficult to give credibility to a toolset where the implementation and the operational details of specific customers carry a higher role. Like ERP deployments, IT GRC deployments have to be unique for every operation. Toolsets require deployment and they need to be supported by management and operation teams. Credibility will eventually show up with the maturity of the solutions. There are some vendors out there with great customer names, which may form a good start.

Emotion — help people see the importance of an idea. The emotion was lost for most of the IT with the departure of the dot-com companies. But it is not difficult to create the emotion where governance can positively change the bottomline of the operations. I think this is a matter of time

Stories — empower people to use an idea through narrative. I can tell stories about the firewalls we built in 1994. GRC needs more stories. IT GRC is new, and our stories are limited, a search on Amazon ends up with SAP Oracle and the business side of old world GRC. IT GRC stories are not fully published yet.

It will stick at some point, but hopefully no too late.
cheers,
- yinal

What is 201 CMR 17:00?

noreply@blogger.com (Yinal Ozkan) — Tue, 18 Nov 2008 04:33:00 +0000

Question:
What is 201 CMR 17:00?

Answer:

201 CMR 17:00 is yet another bigger brother telling us to the right thing…

The requirements simply enforce security of state of Mass residents’personal information… You may presume that the data is already secure. Well, that is wrong, just listen to the complaints for the requirements,
If you have a business and you do carry “personal information” about a Massachusetts resident then you must take care of the requirements listed in 201 CMR 17:00

The Office of Consumer Affairs and Business Regulation (OCABR) issued a comprehensive set of final (yes it is always final :) regulations establishing standards for how businesses protect and store consumers’ personal information as of September 22 2008. There is an executive order signed by Mass governor Deval L, Patrick related with this regulation., the irony is that it ends with “God Save the Commonwealth of Massachusetts”

The 201 CMR 17:00 standard is related with the M.G.L c. 93H because with the "general law chapter 93H –security breaches" there comes the enforcement leg of the regulation.

Implementation deadline is January 1, 2009 but an extension to May 2009 is hughly expected. Companies will be required to conduct internal and external security reviews and complete employee training

Of course most the technology associations, CPAs oppose to the regulation. They all have their reasons (not enough time, slow investment , harsh economic times etc). Mass CPA web site states that the compliance deadlines have been extended to May 1, 2009 (Jan 1, 2010 for 3rs party verifications and encryption). It is scary to know that the personal information is staying “clear” until then.

So what is it? “Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information”

Personal information is defined with the following:Resident’s first name and last name or first initial and last name in combination of the one or more of the following data elements:
1. Social Security number
2. Driver's License number
3. Financial Account number (credit card, debit card)
4. Any means of access information for personal financial information

After a quick read, I came up with the following short/dirty to-do list for the 201 CMR 17:00 requirements:

1. Verification of current information security management system or framework
2. Assessment of current asset inventory for customer owned systems
3. Assessment of current information security roles and workflow
4. Assessment of policy enforcement for existing policies.
5. Verification of an information security risk management framework. Review of internal and external risk assessments.
6. Assessment of risk mitigation plan
7. Assessment of options for employee awareness programs for information security
8. Delivery of required policies matrix
9. Assessment of current employee termination procedures. Verification of enforcement
10. Assessment 3rd party business partners’ access to customer owned personal information. Cross-verification of 3rd party privacy policies
11. Assessment of workflow for personal information data collection. Verification of need-to-know principle
12. Assessment of access to personal information at customer facilities. Verification of need-to-know principle
13. Assessment of data classification for personal information at customer facilities.
14. Assessment of access logging for personal information
15. Verification of annual audit plan for personal information
16. Assessment of incident management
17. Assessment of patch management
18. Assessment of desktop/server firewall agent management, and enforcement
19. Assessment of encryption for all transmitted records and files containing personal information
20. Assessment authentication and authorization controls for personal information
21. Assessment of unique identifiers for personal information access (e.g. usernames)
22. Assessment account (password) management policy
23. Assessment of antivirus and malware policies, controls and enforcement.

My recommendation is the follow a larger framework such as ISO 27001 since there will be more compliance requirements in the future. ISO 27001 covers almost all requirements of 201 CMR 17:00

let me know if you have any questions,
- yinal

Security in outsourcing deals: problem or solution?

noreply@blogger.com (Yinal Ozkan) — Tue, 14 Oct 2008 03:26:00 +0000

Question:
Security in outsourcig deals: problem or solution?
It seems to be somekind of paradox. Outsourcing could lead to efficiency if processes are standardized. So implementing security as a part of standard governance should be part of some solution. At the same time every customer demands their own security standards implemented which often differ in approach and/or weight. Each line of industry (ofcourse) have their own standard. This makes it next to impossible to deliver according all those standards at the same time (according contract) and still reach efficiency goals. Or is the whole community silently agreeying to deliver uncompliant? Anyone have any thoughts about this matter which they would like to share with me in Dutch or in English?

Answer:
.......,
I have been evaluating/auditing security aspect of outsourcing operations for a while.

It is actually possible to find efficiency in delivering security requirements for outsourcing providers.

Security has a universal interpretation, regardless of the languages that it is spoken.

You are right that every customer/ every industry/ every information security framework brings some new obligations to the solution providers, and it is not possible to offer a standard cookie-cutter solution set for a broad customer base.

Here are the tested approaches to ease the pressure of never-ending customer security requirement on outsourcing providers:

1)- Map it : When analyzed thoroughly, you will find more common requirements than the exclusive ones. In my own projects I can tell that more than 80% of the security requirements are common. The first step is to form cross-industry requirement matrixes. Several organizations deliver these mapping matrixes (e.g. ISACA) Customer has requirement A, which matches your solution B. You can find mapping matrixes for COBIT, ITIL, ISO27001, PCI, etc. For example if you have an ISO 27001 compliant service and your customer is asking for HIPAA you may easily map your existing ISO controls to HIPAA.

2)- Offer Self-Service: Flexibility of the delivery infrastructure is the most effective answer for the diverse customer requirements: When we initially developed a reporting portal, we thought that having 100 reports would be sufficient for our customer base. It wasn’t. As you have indicated, it never ends, every day there is a new requirement. We ended up building a reporting engine so that the customers can build their own reports . Today if a customer has a new security report requirement, we tell them to go to the portal and build one. For the workflow we took the same approach. We could not enforce our own workflow for escalation to all customers so we ended up developing a business rules engine. Now incidents are escalated according to customer requirements on the backoffice system. If a customer requires sophisticated flow, they choose to pay for developing their own business rules on our rules engine. It is possible to increase the number of example but I assume the idea is clear

3- Get Modular: Even the mighty outsourcing providers are brought to their knees by weird customer requirements. Make sure that the operational flow and the compliance of the outsourcing operations can interface with 3rd party specialists. That is the beauty of multi-sourcing under single contract. I was working with a large TelCo where outsourcing provider had everything but the DNS appliances, introducing a 3rd party specialist under outsourcer’s umbrella fixed the problem. If the interface agreements are done, and if there is a structured framework for auditing outsourcing service partners this is a way to grow healthy operations (low on cost side as well).

4-Focus on Service Management: Usually service/outsourcing companies rely on generic service managers who are afraid to go outside the contract terms. That does not work well in information security world. If the service managers can understand customer requirements properly and relate to outsourcing backoffice operations, many of the problems can be fixed before escalation. I like to see all customer facing members of the team working at the delivery side in the operations for a while. It is the only way to learn to flip the burger before selling it.

At the end of the day, the whole community is silently following a darwinist path, the ones who are adapting the requirements intelligently without hurting the operations and the budgets survive… The old way of my way or the highway approach just hurts the whole service industry.

I would have written more since the topic requires more attention, but please let me know if you have a specific question.

regards,
- yinal ozkan

IT Security Consultant Jr.

noreply@blogger.com (Yinal Ozkan) — Sun, 12 Oct 2008 04:09:00 +0000

Question: How can I train myself in IT Security?
I've been a technical consultant, developer and other various SDLC-related roles for quite a while now. My goal is to move into IT Security, so how do I jump-start? What should I read, or do?
I would very much appreciate if anyone can clarify what skillsets an IT Security Consultant should/must have

Answer:......,
As discussed above you have the right foundation to kick-start an IT security career.
IT Security career is a broad term and it can be defined by the combination of several practice areas, and you need the fundamental skills to take the first step. Specializations like Network Security, Application Security, Penetration Testing, Database Security, Cryptology, Audit will come later with specific skill-set requirements.
First fundamental skills:
1- Have a solid understanding of TCP/IP for today’s interconnected world of digital assets.(if any other network technologies are used you need to understand them as well) You may either read one of the good books in the market, (e.g. TCP/IP Illustrated) or write a small socket application from the scratch. You should be able to pass Cisco CCNA cert with your development background without any detailed help/courses, just a few books... When you read a network capture file you must be confident.
2- Have solid understanding of the basic pillars of information security; authentication, authorization, integrity, encryption and non-repudiation. You should be able to relate all the applications you use, in a security perspective. Try evaluating the applications that you use daily in terms of the pillars I mentioned above. Understand approaches, methodologies and solution sets.
3- Have a solid understanding of risk. Make sure that you understand the full risk life-cycle. Assets, Threat, Vulnerabilities, Safeguards, Gaps etc. Once you understand the threats and the safeguards, your vision gets clearer. You can study risk management frameworks that are available publicly.
4- Have solid understanding of IT security specific initiatives like COBIT, ISO27001, NIST, PCI NSA, CERT, CVE etc...
If you want to be a consultant then you need some more basics:
1- Understand market requirements, trend, and solutions sets. Start reading. Start following the top 10 blogs, other interesting blogs for information security, set up your google alerts, subscribe to the mailing lists, start checking security research sites daily
2- Build up your jargon, study CISSP, GIAC, CISM, CISA etc… these certifications help you to speak the same jargon with the rest (the CIA triad, role-based management etc…) When you say web access blocking instead of URL filtering your interviews will be short.
3- Get familiar with common solution sets, vendors, methodologies. Name 3 alternative solutions for each security requirement.
Another shortcut is to focus on 1 area only, if you like any of the areas above (Network Security, Application Security, Penetration Testing, Database Security, Cryptology, Audit) I can provide different paths. You may also try getting a vendor certification first and then start practicing security (Check Point, Cisco etc) as a shortcut.
Again, these are basics, these things will open the door for you, and they will make you book smart... Being a consultant requires active projects and hands-on expertise. On the job training is priceless if you can get an opportunity. If you do not have a project, then you may join to one of the community projects like OWASP, Snort, OSSTMM et al.
I have seen many self starters choosing the security management path. Without genuine information security experience, security management claim will be fun material for the veterans. Baby steps recommended.
I think this is a good start but let me know if have any specific questions.
Cheers,
- yinal ozkan

WAF over SSL VPN?

noreply@blogger.com (Yinal Ozkan) — Sat, 27 Sep 2008 19:53:00 +0000

Question: When is it a good idea to add a Web Application Firewall (WAF) to an existing VPN/SSL connection ? Is it even necessary at all
Approximately 100 End-Users
Medium Security (No Cash Transactions)
Web Server IIS based
scalability

Answer:
The answer depends on your security requirements.

If you have a assessed requirement (e.g. PCI) to secure your applications with a front-end like a web application firewall (WAF), then you should have a web application firewall in front of your web applications.

In general SSL VPN adds the following features to the shops that require layer 7 web application firewalls (when configured properly):
1 - All users accessing your web applications using SSL VPN are authenticated when it is enforced. If authenticated users are considered trusted, then you do not need an extra WAF protection.
2- SSL VPN systems can bring pre-authentication posture checks like malicious software scans. If you consider scanned clean systems trusted then you do not need a web application firewall
3- Some SSL systems come with integrated security features like content security, layer 7 security, protocol checks, firewalls etc. If the security level offered by the SSL VPN vendor is good enough for your web application security requirements you do not need an additional layer for WAF.

Let me know if you have any specific questions,
Regards,
- yinal ozkan

Web Filtering for ISP's, who would you recommend?

noreply@blogger.com (Yinal Ozkan) — Sat, 27 Sep 2008 19:37:00 +0000

Question: I'm working on a Regulation to allow the content Regulator to issue website blocking requests to ISP's in ......... Blocking of a few websites is not a problem, but blocking an entire category of websites on the other hand (such as "pornography", for example) should be made possible.

The regulation will specify technical solutions (whether software or hardware based) that are acceptable and recognized of being capable of complying with individual, and blanket, blocking requests. Most of the solutions I've found online are tailored towards enterprises for managing employee access to websites; what I'm looking for, however, must be capable of handling access requests from all users of a given ISP. Given the fact that a single URL could have multiple IP addresses, the recommended solution should robust enough to deal with such complexities.

What would you recommend? How was your experience with it? A brief summary would do just fine, there's no need to take a lot of your time in answering this question.

Answer: We have been deploying web filtering solutions for TELCOs for a while. In the TelCo world the requirements are different from the enterprise:
1- No authentication is required
2- Performance and scalability is a major decision criteria
3- Pricing is important when the userbase is over 100K.
4- URL categories must fit your requirements, when needed you should be able to apply more than 1 filter database.
5- Management should not require an army of engineers.
6- Not too many pie charts are required for reporting

http://mediaproducts.gartner.com/reprints/securecomputing/160130.html
Is a good start for checking vendors

Big enterprise appliance based solutions usually have a custom ISP product.
Blue Coat, Ironport, SecureComputing (Now McAfee) , MI5 Networks and Optenet are used commonly at TelCos.

I do work with Blue Coat appliances since it is stable, scaleable and it does support 3rd party URL databases like Websense. But this combination can burn your budget. Blue Coat is in use at several neighboring states for you. Blue Coat also offers its own URL database:
http://www.bluecoat.com/

I have seen large ISP deployments with Optenet (the pricing options were good)
http://www.optenet.com/en-us/ispproducts.asp

Load balancing is a key issue, I am not sure how these ISPs are interconnected to Internet backbone but you will need to load balance content filters. You can check F5, Cisco, Citrix, Radware etc for L4-7 load balancing switches.

And a few recommendations: Do not get ambitious stay away from content AV. It does not scale at ISP level.
DNS poisoning , TCP resets are not very effective go with the content gateway.
Because of you specific requirements, in the cloud services like webroot and Scansafe may not be the best option.
This is a commodity market you have so many alternatives like 8e6, Barracuda, Clearswift et al.

If you have a specific vendor or design question, please let me know,
Regards,
- yinal ozkan

IT-GRC and GRCM tools revisited

noreply@blogger.com (Yinal Ozkan) — Fri, 19 Sep 2008 14:05:00 +0000

The line between IT-GRC and the old world GRC are getting thinner everyday. So I updated my list with old world GRC players.. As you can tell they all have IT-GRC solutions

It is difficult to say which sets of tools are exactly for IT-GRC, or GRC Management (GRCM) or enterprise governance, risk and compliance (EGRC).

IT controls are everywhere when you check the 4 pillars of GRCM:
1- Audit management
2- Compliance management
3- Risk management
4- Policy management

Tools do not fix the governance problem but they do help in shaping your project with fewer bodies (and probably for an exchange for good hard cash)

The new era of tools have a better message than the previous "We fix your compliance problems" motto. We all knew that compliance was just another step to achieve governance on Information Security. The new tools have better connections with legacy information security and risk management tools, they also come with several predefined policy frameworks like ISO 27001, COSO, COBIT, PCI etc..

Not there yet, but if you are interested here is a good start list of lists for googling and reading:

Governance, Risk and Compliance (GRC) Tools with IT Controls (IT-GRC)

Agiliance
http://www.agiliance.com/
Brabeion
http://www.brabeion.com/
Archer
http://www.archer-tech.com/solutions/index.html
Control Path
http://www.controlpath.com/solutions_advantage.php
Symantec (Control Compliance Suite)
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/ent-datasheet_control_compliance_suite_05-2007.en-us.pdf
Compliance Spectrum -Spectra (Command Center)
http://www.compliancespectrum.com/
Modulo
http://www.modulo.com/
NeIQ Vigelent Policy center and other NetIQ tools
http://download.netiq.com/CMS/WHITEPAPER/NetIQ_CRM_Methodology_Feb_2007.pdf
eIQ Networks SecureVue
http://www.eiqnetworks.com/products/SecureVue.shtml
CA clarity (formerly NIKU)
http://www.niku.com/it-governance-47.html
IBM Tivoli Series
http://www-306.ibm.com/software/uk/itsolutions/governance/?ca=grm_Lnav&me=w
SAP
http://www.sap.com/solutions/grc/index.epx
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Iconium
http://www.iconium.co.uk/Solutions/overview.htm
Security Works - Visible Security
http://security-works.com/?page_id=27
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/governance-risk-compliance-manager.html
Proteus
http://www.infogov.co.uk/proteus_enterprise/index.php
Avedos
http://www.avedos.com/257-Home-EN.html
BWise
http://www.bwise.com/
Neupart
http://www.neupart.com/
Metric Stream
http://www.metricstream.com/
Nemea
http://www.nemea.us/
Favored Solutions
http://www.favoredsolutions.net/
Paisley
http://www.paisley.com/
OpenPages
http://www.openpages.com/Solutions/Technology_17.asp
Qumas
http://www.qumas.com/products/index.asp
IDS Scheer
http://www.ids-scheer.com/en/ARIS/ARIS_Solutions/Governance_Risk__Compliance_Management/88815.html
Axentis
http://www.axentis.com/axentis_solutions_5.aspx
Achiever
http://www.goachiever.com/ACHIEVERPLUS/aweb2.nsf
Methodware
http://www.methodware.com/products/oprisk/idx-oprisk.shtml
Protiviti
http://www.protiviti.com/portal/site/pro-us/menuitem.32f530ef9aa26f4acd230ef2f5ffbfa0/
Cura Software
http://www.curasoftware.com/pages/content.asp?SectionId=7&SubSectionID=48
Mega
http://www.mega.com/index.asp/l

The Frequency for Security Report Reviews

noreply@blogger.com (Yinal Ozkan) — Thu, 24 Jul 2008 22:18:00 +0000

Q: How often do you review your security reports? Often, sometimes or never?
Security requires a hands on aproach, monitoring, reviewing and patching. In the case where there is no dedicated security personal onsite, are you reviewing the reports on a weekly basis, (often), monthly, (sometimes), or never? If sometimes or never, why not?

A: ....,
As you know, on a broader picture security reports must be managed.

The frequency for the review (which is a part of security management) can be determined by the security management approach of the operation. The frequency of reviews depends on the risk level of the protected assets.

Calculation of the review frequency can be based on a simple logic: The cost of the review (people/time/other resources etc) should be justified by the cost of risk avoided.
If the cost is right, then perform the reviews as often as possible.

As an example real-time log monitoring, on-site information security team and daily security review of reports make sense for a financial or healthcare operation where lives, hard cash figures determine the risk. On the other side it might be ok to batch process logs and review the reports weekly for a mom & pop hardware store based on the information risk appetite taken.

Other management concerns for security report reviews (besides frequency) are:
1- Who reviews the reports
2- Who approves/signs-off the reviews
3- How is the review process documented
4- How are the reviews’ effectiveness measured
5- How are the reviews are improved

Let me know if you have a specific question.
regards,
- yinal ozkan

Managed CPE Services and Green Data Center

noreply@blogger.com (Yinal Ozkan) — Tue, 01 Jul 2008 03:06:00 +0000

Data Center Energy Efficiency is the new buzz word. There are several creative solutions on the market from controlling HVAC to virtualizing physical servers.

One of the data center energy savings methods is very simple. Find the clusters that are not fully utilized (e.g proxy cluster) and then shutdown the idle servers in the cluster farm, monitor utilization on active servers and boot spares to join cluster when needed. You do not have to have hot cluster members in cluster where more than 2 members exist.(unless this is required by utilization)… Batch task servers can be shutdown as well.

This action requires 7x24 careful monitoring and usually a service solution that can pass turing test. Managed Service Providers and managed security services providers do carry the know-how to monitor every cluster member and interfere full device boot cycle as of today. That is why we are not far away from “energy saving” offerings from Managed CPE providers.

On the operational level, simple SNMP monitoring of cluster members or monitoring the monitor (F5 LTM / Citrix Netscaler) systems will do the gratious shutdowns and joins for the unused cluseter members at no cost.

Let’s wait and see more creative offerings from MSPs and MSSPs. On the other hand, I personally believe that the data centers are cutting the emissions regardless of their green image. Data centers deliver massive automation and they do eliminate the traditional emission sources such are vehicles. (and unfortunately sometimes people)

Firewall best practices

noreply@blogger.com (Yinal Ozkan) — Sun, 25 May 2008 20:27:00 +0000

Q: Checkpoint firewall R62 & Nokia IP 560 Hardware based appliance best practices
We have Checkpoint firewall R62 & Nokia I 560 Hardware based appliance , we do audit of rules on quarterly basis but still i feel that lot of tuning to be done on Nokia IP 560 and Checkpoint .Can some one please help me in getting best practices for firewall.

A: Hi ...,
Best practices can be classified in 2 main areas:
1- Information Security
2- Operational

For information security, make sure that you follow a higher level information security framework with integrated risk management. Firewalls must be a part of the bigger picture, not standalone devices.
ISO 27001, NIST, COBIT or FFIEC can be a good start.
There are several guidelines by FFIEC if you are operating at financial services industry.
http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

You can also check firewall specific guidelines from NIST
http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

Once you make sure that you address governance, risk and compliance (GRC) related concerns you can dive into operational issues such as reliability, high availability, performance, scalability, manageability.

We have been managing thousands of Check Point systems under Nokia platform. It is difficult to cover best practices in single post (from change management to patching, from backup policy to cluster optimization) There are several good recommendations in other posts as well; here is a quick view from my side.

1- Optimize rulebase (most used rules at the top, use logging intelligently, avoid duplicate objects, check unused objects rules, make sure that overlaps do no exist, use network object, decrease NAT usage etc)
2- Upgrade to R65 for Check Point. It is more stable and you will get all the new fixes faster.(when compared with R62)
3- IPSO 4.2 will bring you more features with SecureXL, QOS etc. but go over the release notes carefully. Make sure that SecureXL is enabled within the current deployment.
4- If you have performance issues and you are not planning to upgrade platform check the new ADP cards from Nokia.
5- Architecture-wise avoid running non-firewall features such as SmartCenter, AV, filtering on your Nokia unless you need them.
6- If you have site-to-site VPNs check the route based VPN feature with dynamic routing for better redundancy

I also recommend using 3rd party test services which include DDOS.

For automation, you can use firewall audit, change management tools such as Tufin, Algosec and Firemon (we work with Tufin). These tools will give you a lot of input on audit. On the security risk management side if you have budget, you can check SkyboxSecurity and RedSeal. They will be really helpful.

If you have any specific questions please let me know,

cheers,
- yinal