I suppose you could track mean time between failures as a metric to determine when it would next be likely you would petition the money masters at your organization in supplication. Of course this approach reminds me of the old comic strip where the boy, while riding in the family car, asks his father how the load limit on bridges is determined. The response is that they drive bigger and bigger trucks over the bridge until it collapses. The truck is then weighed and the bridge rebuilt exactly as it was before. The mom of course comments to the dad that he should just admit he doesn’t know - an admission many of us would hesitate to make when confronted with a question about how secure is our organization.

I hail from the school that you can measure most anything; unfortunately you may not always do it well. Once, when trying to impress his boss, my boss told him about the X million hits our firewall had taken that month. The boss’s response – so is that good? With that simple question he described the challenge we face with trying to provide metrics the business understands and can use to further strategic or tactical decision-making.

(...)
Read the rest of Crossing the Metrics Rubicon: Quest for the Perfect Measurement (339 words)

© Patrick Foley for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under Technical.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

First, a disclaimer. The writer is not an attorney and is not qualified nor is attempting to give legal advice.

So what is the issue here? Simply it is the Federal Rules of Civil Procedure which were revised in December 2006. In essence they require three things:

1. Plaintiff’s lawyers can request any / all information you have in electronic form that may relate to the case.
2. You could suffer significant financial losses if you can’t produce the requested items.
3. Once you are notified of the pending lawsuit, you must retain information that could relevant to the case and can suffer dire consequences if the information is destroyed. after you are notified of the pending suit. Further, you may be required not only to produce the documents but also to prove that they haven’t been altered.

So how has industry responded so far?

(...)
Read the rest of E-Discovery: Stick ‘em Up (328 words)

© Allan Pomerantz for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under General.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

This scenario occurred to me after I received SPAM with the following headlines:

McCain suffers heart attack
Obama suffers setback in polls due to sex secrets

The process to create disinformation would be fairly easy. First, create a fake news website. The goal is to mix a small amount of fake news with a large amount of legitimate news. On the fake news website, the real news stories should come directly from the AP wires as the primary source. The fake news would be properly embedded in the site to make it seem legitimate. Next, the site should also be branded with a local small town flavor so as not to arouse suspicion. Finally, the disinformation (i.e., the fake news story buried in the AP stories) is SPAMmed to millions of people.

This process would continue unabated until the election ends. It would be a genuine disinformation campaign aimed at the opposite party. If one of these stories was accidentally picked up by the mainstream media and reported as accurate, it would multiply the effect.

One assumes that the US presidential candidates would be the most likely to be engaged in this sort of activity: one may also include foreign governments or rogue groups as people who may engage in this behavior as well. It would be easy to do for any organized group with a vested political interest and small amount of capital.

To be fair to the skeptics: it’s a question of numbers. How many people would these stories reach? How may people would be duped? And, would it be enough to significantly change the outcome of the election? While I cannot definitively answer these questions, it’s an interesting scenario.

© Kenneth F. Belva for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under General.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

One buzzword that has yet to be stricken from my list as of late is TJ MAX. Out of all of the security and technology buzzwords (NBA, NAC, DLP, AES, etc), TJ MAX seems to be the biggest reoccurring and cited incident ever. Why is it that marketing department’s just love citing them as an example of what not to do? Why are they saying their product line will prevent you from being the next TJ MAX? Is there still an ongoing problem at TJ MAX that is relevant to the security industry as a whole? Is it that there simply isn’t anything else to talk about? Or is there another problem? Maybe the companies are providing the wrong solutions, and in order to create more confusion they are stuck citing the industries scapegoat.

Here’s what I mean. DLP currently means two things right now: data leakage protection and data leakage prevention. Which one is it? Protection implies that you protect the data even if the horse has

(...)
Read the rest of Security Buzzword Bingo (219 words)

© Russell Handorf for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under Technical.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

Several years ago, while working in financial services, we were under strict internal and regulatory duress to ensure segregation of duties and least privilege access for all associates who had exposure to investment data (about 4000 people). Unfortunately, the manual processes then in place required not only significant administrative overhead from the access administration team but, more distressingly from management’s perspective, from senior staff who were constantly barraged with access approval requests from a global user community. Needless to say, these manual processes were as ineffective as they were burdensome an almost constant stream of audit findings indicated.

As with many organizations, both the overhead and ineffectiveness of the access approval process became accepted enterprise costs and there was no organizational mandate to address the challenges strategically. However, one tactical approach after another failed to provide any lasting solution, and served only to increase stress on access administrators and approvers alike.

Security’s requests to initiate a strategic solution fell on deaf ears until we were able use some previous lessons learned to make our case financially. While working a few years earlier in the corporate security function, we had sought to quantify the cost in terms of lost productivity of provisioning delays caused by not having a single user identifier and central identity store. While our methodology was pretty raw and

(...)
Read the rest of Provisioning: Security’s First Step to Measuring Organizational Impact (288 words)

© Patrick Foley for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under Technical.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

There is an analogy with IT and information security outsourcing. The rationale is not based upon transportation - indeed the cost of electronic message transmissions is going down, not up. No, it is the high inflation, particularly in the compensation of technical and operational staff in countries such as India, which is beginning to shift the balance. But if the economics tips in favor of bringing back IT and business processes and their commensurate security onshore, would we be as fortunate as the manufacturer in still having individuals with the requisite skills and experience to do the task? Or have we already rid ourselves of these former albatrosses.

There are several issues in this regard, many of which I address in my book Outsourcing Information Security. Let me repeat some of them here. They are:

• Retaining the appropriate staff to oversee the outsourcing relationship
• Including an exit (or extrication) strategy in the service agreement, and
• Having in place a dynamic examination process, which regularly evaluates all outsourcing arrangements from a cost-benefit perspective

I also discuss risks related to planned changes, which include outsourcing and insourcing, in an earlier column, Security and Change (pt. 3) - White Knights.

You can overcome aspects of the above areas after the fact, but it can be considerably less expensive if you anticipate the ending of relationships and potential insourcing when you are negotiating the service agreement.

Let’s look at each of these factors in more detail.

(...)
Read the rest of IT and Infosec Insourcing: Could You Do It If You Wanted To? (588 words)

© C. Warren Axelrod for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under CSO/CISO Perspectives.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

1.  Educational institutions reported the majority of data breaches, followed by (in order of breach frequency) offices and agencies of local, state, and federal governments; private businesses (such as retail establishments); health-related organizations; and financial services.

2.  Data breaches were caused by the following factors, arranged in order of frequency of causation:  Lost/stolen equipment (44%); Inappropriate access to data via the Internet (17%); Hackers (15%); Careless disposal of paper records (12%); Accidental disclosure of data (7%)

3.  Of the 330 data breaches reported in 2007, only 7 (2%) resulted in actual incidents of identity theft or other fraudulent activity.

4.  Four of the 7 (57%) actual incidents of identity theft or fraud were perpetrated by “malicious insiders.”

The purpose of this article is to examine the significance of these findings for risk assessment, security policy, priorities for security controls to reduce the likelihood of breaches, and the role of information security in the breach prevention process.

Validity of the Data
To what extent can we trust the data provided by the Clearinghouse-or, for that matter, any organization that collates and reports breach incidents?  The accuracy of our knowledge concerning the frequency and causes of breaches is dependent upon the thoroughness and validity of the reporting authority.  A recent and thoughtful article, “Can we make any sense out of breach reports?”, maintains that existing statistical data are insufficiently trustworthy to permit the drawing of inferences.  This lack of validity is based upon (1) the fact that different sectors (e.g., education, health, financial services) have different reporting requirements; (2) some states are still in the process of implementing mandatory reporting laws; and (3) inspection of state-sponsored listings of reported notifications reveals that not all breaches reported by states are reflected in national databases, such as the Privacy Rights Clearinghouse “Chronology of Data Breaches.”  In addition, we are not aware of the extent to which sectors underreport the frequency of data breaches.

(...)
Read the rest of An Analysis of the Privacy Rights Clearinghouse “Chronology of Data Breaches” and Implications for Information Security Professionals (pt. 2) (1,147 words)

© Sam Dekay for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under Compliance and Laws.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

They posit that, as with any other business, a security program must have all of the following parts and pieces:

• Planning
• Sales
• Marketing
• Production aka build
• Operations aka delivery
• Financial
• Program management
• Control components

Makes perfect sense, doesn’t it?  Haven’t we said all along that security is an enabler? After all, what is the mission of the information security program if not to serve as a facilitator for the development and delivery of the organization’s products and services?

Remember in one of my earlier columns in this blog, I referenced Chapter 10, entitled “Why and How Assessment of an Organization’s Culture Should Shape Security Strategies.” Once again, in Chapter 5, the authors begin with the assertion that ‘the first task in developing or reviewing a security function is to assess and understand the organization’s culture.’  Working within the organization’s culture is critical. If your job is to develop, approve and implement policies and standards, you need to know how things get done in your company. Is it a top-down patriarchy, where support from executive management ensures complete success? Is it a bottoms-up, consensus-driver organization, where buy-in and concurrence are key? Different cultures demand different perspectives and totally different approaches.

Although a cultural assessment can be extensive, some key questions to ask are:

• What will the enterprise-wide security governance process look like?
• Will the security organization be centralized, decentralized or a combination of the two?
• What is the level of management commitment and budget oversight?
• What is the balance and organizational relationship between the policy functions and the operational aspects of security?
• How and where does the security organization fit in the organizational structure?

There’s an ongoing debate about the last question above. Some say security should report to the CEO. Others say it should report anywhere but under IT. Regardless, it should fit where it has the best chance of succeeding. In any event, leadership of the function is essential; as the authors claim, “… a successful business function is led by a person who can effectively communicate and collaborate with other executives, managers and staff.

So, how does one go about it? The authors of Chapter 5 lead us step by step, in a plan, build, run model

• Plan: Clearly stated goals, vision and mission of the information security function. It includes the business plan, objectives, timeline to implement desired projects and ongoing tasks, performance metrics and budget requirements.

• Build: focuses on the policy and standards framework, the processes to be put in place, the tools to make or buy, and the metrics to assess risk and security.

• Run: Based on the scope of the information security function, the functional roles of the CISO organization may include:  assessing security, acting as an internal consultant, operations, marketing / selling security to the rest of the organization.

In summary, business requirements drive the information security function. Running information security as a business is key to keeping the function relevant and successful.

© Micki Krause for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under General.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

Analysts said that as-Sahab is outfitted with some of the best technology available. Editors and producers use ultralight Sony Vaio laptops and top-end video cameras. Files are protected using PGP, or Pretty Good Privacy, a virtually unbreakable form of encryption software that is also used by intelligence agencies around the world.

I’m always fascinated when something in one field impacts another in a non-obvious way. In this case it’s global warming and national security.

“The conditions exacerbated by the effects of climate change could increase the pool of potential recruits into terrorist activity ,” he said.

The MoD faults the recent information security security lapses on the fact that the value of security not translated to younger generation:

[T]oday’s Facebook generation failed to understand the culture of security which was ingrained during the Cold War.

“These well-developed processes and procedures have not been translated effectively into the information age,” he wrote.

Identity theft the traditional way: raiding the physical mailbox.

Brown says the two women stole the identities of the married couple by asking the postal service to forward the couple’s mail back to their old address in Rego Park, Queens. The DA says they then opened numerous credit card accounts in the couple’s name between January 2008 and June 2008.

© Kenneth F. Belva for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under General.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

How much better is it to have a world-class patching process compared to an average one? Could it ever be detrimental to patch too fast?

The idea that “patching too fast” could be “detrimental” is clearly related to this column’s focus on the concept of “agile security,” so this immediately caught my attention. Verizon sums up the answers to their own questions nicely:

The recently published “Verizon Business 2008 Data Breach Investigations Report” describes characteristics of more than 500 computer crime investigations performed over the past four years. Our data shows that in only 18% of cases in the hacking category (see Figure 11) did the attack have anything to do with a “patchable” vulnerability. Further analysis in the study (Figure 12) showed that 90% of those attacks would have been prevented had patches been applied that were six months in age or older! Significantly, patching more frequently than monthly would have mitigated no additional cases.

Patching more frequently than monthly was not only unnecessary to prevent the vast majority of compromises included in their research, but there is evidence that in at least some cases the focus on frequent patching caused more harm than good.

In summary, the Sasser worm study analysis found that companies who had succeeded at “patching fast” were significantly worse off than “average” companies in the same study. This seemed to be because, as a group, these companies tended toward less use of broad, generic countermeasures. They also thought they had patched everyone, when in reality they hadn’t. You might say they spent more of their energy and money on patching and less on routing, ACLs, standard configurations, user response training, and similar “broad and fundamental” controls.

And the above quotation only considers the impact of “patching fast” from a security effectiveness perspective. It says nothing about the potential for other negative impacts of “patching fast” on an organization’s agility.

Compare the results of Verizon’s research with an industry benchmark, the very well-intentioned Payment

(...)
Read the rest of PCI DSS Position on Patching May Be Unjustified (443 words)

© Jeff Lowder for BlogInfoSec.com, 2008. | Permalink | 2 comments
Want more on these topics ? Browse the archive of posts filed under Compliance and Laws, Risk Analysis, Security Metrics.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!