Forum for Information Security

Assurance & Compliance, Information Security, Information Security Training - April 19, 2006 7:22 am

Well, for those of you who’ve been living on the ‘other side’ - i.e. those who don’t really have an interest in all things information technology, I’ve got some news for you.

You need to be scared. Very, very scared.

Unbeknownst to you, someone is probably using your computing resources, your personal information, your email addresses, your address books, your credit card numbers... get it?

Conventional anti-virus solutions DON’T work.

Why?

Because they look at signatures (bits of code, strings or any other personal identifiers) and decide to ‘allow’ or disallow data to interact with your PC.

But of course, if they don’t recognize a known pattern, then they will, by default, allow, say, some code to enter and reside on your system when you download a program, visit a website, open an attachment, click on a link, etc.

You won’t know about it.

The AV companies won’t know about it.

But someone will.

And if the person / individual / entity has malicious intent, then you’re done for.

Rootkit technology depends on stealth - and is designed to cover its tracks.

The only way to trace rootkits is to figure out, from their behaviour, whether there are anomalies compared with legitimate program behaviour.

See more on this topic at: http://news.com.com/Rootkit+numbers+rocketing+up,+McAfee+says/2100-7349_3-6061878.html

I’ll post some more interesting (or scary, depending on how you look at it) stuff on rootkits later…

Cheers

oRiOn

Assurance & Compliance, Information Security, Information Security Training - 7:02 am

Folks, we are going to Infosec Europe as participants for the first time. It should be a great gig, with more than 15,000 visitors (11,000 attended in ’05).

MIEL have a keynote speaker in Avinash Kadam, who will be providing information on what organizations should be looking for when hiring security professionals.

He is the only speaker from Asia - and we have a stand (G909) at the gallery level, where senior management will interact with the ‘crowd’…

Grand Olympia, Kensington - Apr 25th - 27th, 2006.

See you there!

oRiOn

Assurance & Compliance, Information Security - November 16, 2005 8:01 am

In the aftermath of Choicepoint and several other high profile incidents, where customer information was compromised, the US Congress issued some strong statements and passed a series of bills aimed at strict disclosures. In short, disclosures are no longer going to be voluntary and part of good governance and transparency - they’re going to be necessary and required by law.

Nothing has yet emerged from all this, but the consensus is that there will be Federal legislation in place which will provide at least a universal approach towards disclosures. Most of the states (at last count, there were 13 states which had moved to enact laws on data protection and privacy) have taken the California SB1386 law as the baseline, but some like NY have taken it further - in an attempt to show business that they are serious about forcing companies to implement adequate safeguards which go beyond a simple firewall and intrusion prevention system. In NY, the smallest breach now needs to be reported to an industry watchdog - and this covers encrypted and unencrypted data in any form which is not or cannot be accounted for.

While on the topic of encryption, the National Institute for Standards and Technology (NIST) in the US advocates 256-bit data encryption, which by their reckoning is commercially unviable to break and compromise.

However, this author believes that no matter what the level of encryption, there will always remain the possibility that the encryption key is stolen. This is a very likely scenario in the case of internal breaches where an employee runs off with copied data and then decrypts it using a stolen key.

Which again raises the issue of how we protect keys - do we buy expensive devices like Hardware Key Managers? It’s a process which can go on and on, with no real end in sight.

Meanwhile, the debate in the US rages on about what regulations and compliance requirements businesses should be subject to, whenever they are ‘handling’ customer information.

There is an interesting article on CSO Online which summarizes these points.

http://www2.csoonline.com/blog_view.html?CID=14426

Post your comments or write to me at rdutta@mielesecurity.com

Cheers

Rion

Assurance & Compliance, Information Security - November 9, 2005 10:06 am

Banks worldwide have been scrambling to assess Basel II requirements, which come into effect in 2006. At the moment, most banks are identifying what they need to do to reduce their risk exposure and also testing solutions and processes to ensure that they are in line with their overall compliance objectives.

What has been missing though is insight into what banks can actually gain from the exercise. Basel II actually brings about a radical change in statutory capital reserves needed to meet operational, credit and commercial risk.

How?

First, Basel II empowers banks to choose their own risk management approach, rather than laying down a standardized procedure and policies.
The different categories of approaches are: Basic Indicator Approach (not much has changed since Basel I, 1998), Standardized Approach and Advanced Measurement Approach. However, there are very clear incentives to move from one approach to another.

Second, by choosing to ‘upgrade’ to Standard and Advanced Approach, banks will see tangible benefits in terms of capital that they need to set aside to meet their risk exposures - i.e. the benefits are actually monetized and will show up on their balance sheets. This means that, unlike other regulations like SOX, banks will find it comparatively easier to justify cost of compliance, and indeed, upgrades from one approach to another.

Third, Information Security Management is outlined as an operational risk management tool - which, when factored into the bank’s overall risk management strategy, provides a safe, secure and trustworthy operating framework for banks to do business. Basel II takes good practice and good governance a step further, and actually provides banks with a competitive advantage if they review and improve their risk management strategies.

Here is a summary of the three approaches, provided by Symantec Enterprise Security Services:

“Basel II defines operational risk as ‘the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events.’ One need look no further than recent virus/worm infections to see examples of the operational impacts of failed or insufficient information security controls. And those impacts were relatively mild compared to what they could have been. This positions information security controls as one of the foundation stones of operational risk management.

Basel II proposes three techniques for calculating the amount of capital that a bank must place in reserve as a buffer against operational risk:

Basic Indicator Approach. Like the earlier Basel I Accord of 1988, Basel II allows a bank to use a single indicator (such as 20 percent of its average annual gross income) to determine its capital charge. There are no qualifying criteria associated with this approach, and little change to current practices is called for. In general, only small banks are expected to use this basic approach.

Standardized Approach - A bank that follows this approach must calculate a capital requirement using a risk indicator (such as annual average assets or gross income) for each one of its business lines. The savings in reserve charges, compared with the Basic Indicator Approach’s across-the-board 20 percent figure, could be large. (And the incentive for banks to move from the Basic Indicator Approach to the Standardized Approach couldn’t be clearer.) As a condition for using this approach, banks must meet the following criteria:

• demonstrate that an operational risk management system is in place
• systematically track relevant operational risk data including material losses by business line
• regularly report operational risk exposures, including material operational losses, to business unit management, senior management, and the board of directors
• have a process in place for ensuring compliance with a documented set of internal policies, controls, and procedures concerning the operational risk management system
• subject their operational risk management processes and assessment systems to validation and regular independent review.

Advanced Measurement Approaches (AMA) - Of the three approaches available for calculating operational risk, the AMA is likely to have the most appeal because of its flexibility and the amount of self-discipline it provides. In the words of the Basel Committee, ‘in the AMA, banks may use their own method for assessing their exposure to operational risk, so long as it is sufficiently comprehensive and systematic.’ As Aberdeen Group has observed, ‘Moving beyond the averaging of the other methods, the bank is allowed to collect the history of its losses, analyze it, and use multiple risk factors to derive a probability of loss.’

Use of the AMA is subject to supervisory approval, and banks need to classify transaction incidents according to their impact on business. Recognizing the rapid evolution in operational risk management practices, however, the Basel Committee has stated it ‘is prepared to provide banks with an unprecedented amount of flexibility to develop an approach to calculate operational risk capital that they believe is consistent with their mix of activities and underlying risks.’

In general, banks must first integrate an internal risk measurement methodology directly into their day-to-day operational procedures and major decision-making processes. But the bottom line here is clear: With the AMA, banks can use their own internal loss data to demonstrate to regulators that they should qualify for reduced capital reserves. While many of the details surrounding the AMA are still being worked out, you can count on this to be an area of paramount interest to upper management.

Information security and operational risk:

It is my conviction that information security is underappreciated as an operational risk management tool. At the same time, I believe that Basel II represents a real opportunity for information security to help financial institutions reduce their operational risk – and thereby positively impact their bottom line.

Information is critical to the operation of every financial institution:

• If the confidentiality of sensitive or private information is compromised, lawsuits or regulatory sanctions may result in penalties, and violated trust may result in customer flight.
• If the integrity of critical information is corrupted, errors in processing may occur with similar negative consequences.
• If critical information is not available where and when it is needed, important processes may fail completely with similar results.

In all three of the above areas of compromise, recovery costs alone can be major, while the business impacts can range from the annoying to the catastrophic. Managing the security of financial information, particularly when it’s in electronic form, must therefore be a central goal in the management of operational risk.

In the context of the Standardized Approach for calculating capital requirements, the bar is set high with respect to the information security program. As we have seen, the bank must demonstrate that a system of information protection controls is in place; systematically track operational losses by business line (and presumably by root cause); and have a process in place for ensuring compliance with a documented set of internal policies, controls, and procedures concerning intended information security controls.

While these are non-trivial challenges for any institution not already doing them, the degree of risk mitigation (and therefore loss reduction) from such a formal, well-organized information security program will be significant.

Arguably the biggest challenge to the information security profession comes under the banner of the AMA. Quantifying all the important dimensions of information risk management is today a largely unsolved problem. But if it can be done, then such a quantitative model will form the basis for highly confident prioritization of security spending on a risk-adjusted basis. Further, it will support very systematic and precise information risk management, which is exactly what Basel II seeks to reward with the lowest capital reserve requirements. That’s strong motivation, indeed, to develop such a model.”

The full article is found at:

http://ses.symantec.com/Industry/Regulations/article.cfm?articleid=3270&EID=0

Basel II, in the Indian banking scenario, represents a lot more than purchasing and implementing an Anti Money Laundering (AML) Solution.

More information on Basel II is also available through International Banking Systems (IBS), www.ibspublishing.com

As usual, post your comments or email me at rdutta@mielesecurity.com

oRiOn

Assurance & Compliance, Information Security - November 7, 2005 7:33 am

The folks at Purdue Uni along with the National Science Foundation are conducting a survey on Privacy - should take 5 - 15 minutes of your time and the results should provide some insight into how Privacy Compliance is being achieved and the comfort that an individual feels today with sharing his / her personal information knowing that the law is backing him / her.

The site is http://survey.theprivacyplace.org/

Happy Diwali to all the readers,

Rion

Assurance & Compliance, Information Security - September 29, 2005 7:41 am

SOX compliance continues to be a pain area for many smaller companies seeking guidance on how not to run afoul of the regulators.

There is a lot of debate on the approach and methodology in discussion forums, in consulting company newsletters and in boardrooms.

It’s a good idea to start with the basics, and work top down, rather than bottom up. So if you’re scratching your head wondering what to do with your emails, voice mails and telephone records, it’s best to take a step back and look at things in perspective.

SOX can be broken up into 3 areas:

1. Financial Controls
2. Executive Liability
3. IT Controls (General and IT Security)

The objective is to demonstrate that your company has SOME SORT OF CONTROLS - i.e. adequate or inadequate (as the case may be) checks and balances in the financial reporting systems and conduct independent (read: external) risk assessments of the effectiveness of the controls and the reporting systems. Then you get the executive officers to sign a statement saying that all this has been done.

Where IT fits in is where financial reporting systems or business systems sit on technology platforms - this needs to be looked at objectively and a macro / micro level view taken on what Information Security controls can be built in to the IT function to support the compliance effort.

The internal team should comprise: legal (in house or external), corporate (company secretary or appropriate nominee of the board and executive), external auditors who know your business and have a relationship with you and are reasonably competent in the area of establishing controls, and finally the IT team led or supported by someone who understands business controls, operational risk and can implement IT solutions and IT strategies.

Tip: Don’t get confused by the myriad of IT point solutions which say they’re SOX compliant. They won’t help you achieve compliance, no matter what area they specifically address - for example: an access control solution may claim to be SOX compliant, but it won’t help you unless authorization and access controls are part of the company infosec policy and then implemented with adequate management and reporting support to ensure that the infosec policies are complied with. Only then will you be okay from a SOX perspective. Same thing with Intrusion Prevention Systems (IPS) - the point is to demonstrate that you have done all you can through policies and then solutions to ensure that your financial data has not been tampered with, or at least that you have systems in place to demonstrate that the integrity of the financial systems is preserved, including change management tools. So, coming back to IT solutions and vendors, an IPS by itself isn’t going to get you anywhere.

More on this subject later - I will post details on the COSO and COBIT frameworks and controls, and how they can be tweaked to address the needs of a specific company in a case study.

The message we’re getting is that people are confused and don’t know how to approach the whole effort.

It’s not that complicated really if you look into the spirit of SOX: to put the onus squarely on the executive for financial mismanagement, and to make sure that they can’t say in their defense that they didn’t know what transpired in their businesses.

Simple, ain’t it?

Rion

Assurance & Compliance - August 25, 2005 4:20 am

California was the first state to come out with comprehensive legislation that required companies to implement adequate safeguards to protect privacy and security of information collected for business purposes. Termed SB1386, it heralded a new era in compliance and assurance legislation - and today, 18 US states have passed privacy and security laws in some form or the other.

The Personal Data Privacy and Security (PDPSA) bill applies to any business “engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of personally identifiable information in electronic or digital form on 10,000 or more U.S. persons.”

It is really aimed at codifying a federal bill in response to over 18 state data protection laws incorporating breach notification, many of which are modeled after California’s SB 1386.

A 91-page bi-partisan bill “The Personal Data Privacy and Security Act of 2005” (PDPSA), cosponsored by senators Patrick Leahy and Arlen Specter is currently in front of congress designed “to prevent and mitigate identity theft; to ensure privacy; and to enhance criminal penalties, law enforcement assistance, and other protections.”

Watch this space for further details.

Certainly seems like things are tightening up as awareness of privacy and security grows at the consumer level.

Expect companies to face stiff penalties for non compliance and executive officers to be held individually and severally liable - this will force most medium to large companies in the B2C space to take proactive measures to secure their databases, internet facing applications and consumer interfaces.

Do send us your comments,

RiOn

Information Security - August 6, 2005 10:21 am

There is some talk in companies about creating a new position to ensure regulatory compliance across the enterprise.

The term being used for the moment is Chief Compliance Officer.

According to Tech Target, this is a basic job description:

Staying current with new and updated regulations. These may include state and federal laws, as well as industry-based accreditation requirements.

Developing and maintaining a repository of regulations and the organization’s compliance status. This provides a quick snapshot and a valuable reference document. When new regulations emerge, this tool can identify any overlap with pre-existing regulations.

Understanding how each regulation affects the organization and explaining the impact of non-compliance to leadership.

Developing cooperative relationships with those charged with implementation, such as the ISO and the Privacy Officer.

Developing documented and repeatable evaluation processes to verify that underlying controls are adequate to meet requirements.

Periodically performing evaluations and reporting outcomes to senior management.

Developing processes for the workforce to report non-compliance issues to the CCO and how the CCO will respond to those issues.

Reporting compliance deficits and lapses to senior management and ensuring they are remedied.

Tech Target goes on to say:

‘An effective CCO is a great asset to the CISO and the information security program. The CISO can make a case for this position as an added layer of protection for the organization. The CCO brings a fresh perspective to security and other regulatory controls and may spot program opportunities or weaknesses that the CISO is too close to see. …’

See the entire article on:
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1111697,00.html

In my view, while it is okay to appoint someone as CCO, the position should be defined and structured in such a way to avoid duplication with other job functions - especially those in legal, risk management, operations and of course security departments.

How do companies ensure internal ‘buy-in’ so a candidate is able to discharge his responsibilities? How is the position structured so that he can get the necessary cooperation from various other sections of the enterprise? As we all know, large corporations have power centres which may not necessarily reflect the organizational structure.

So I think that before businesses rush to employ a CCO, a lot of consideration should be given to what value someone will bring to the organization and how the individual can deliver clear, measurable results on an ongoing basis.

Broadly, the way that companies work these days is that they engage an external consultant to scope the work required to achieve compliance and also to conduct ongoing compliance audits to verify that they aren’t breaking any rules which may land them in trouble with the regulator or law making bodies.

This effort is largely coordinated by a few top level internal executives - since compliance is a complicated field which requires in depth domain and technical knowledge, legal expertise and also practical hands on industry experience.

Is it possible to find such skillsets? Will the results be better than hiring outside consultants, who bring specialization and experience with their services? And, if the CCO fails in his / her duty, what is the backup procedure or verification process to ensure compliance? Another guard to watch the guard.

Time will tell. In my experience, a lot of Information Security Officers or Privacy Officers are stunted by internal obstacles, lack of planning and budgetary support, lack of clear direction given from the board, etc. Additionally, they are simply bestowed with the title in addition to their existing job responsibilities - like a Company Secretary may be the Privacy Officer, etc.

Comments? Let me know.

RiOn

Information Security Training - August 3, 2005 9:48 am

Dear Folks -

We would like to extend a warm welcome to all the infosec professionals who use this forum on behalf of MIEL’s Information Security Training Institute.

From hereon, we will be posting topics relevant to infosec training here.

Feel free to post your comments and feedback.

Happy blogging!

Abigail and RiOn

Assurance & Compliance - 8:21 am

In an earlier post, I have outlined a basic 3 step approach to Implementing HIPAA within your organization.

http://mielesecurity.blogsome.com/2005/07/02/hipaa-compliance-a-basic-3-step-approach/

This information is provided for an audience seeking an overview of the Information Security requirements, as outlined in HIPAA. I hope this will be useful as a starting point towards compliance, particularly if you are in the healthcare outsourcing business (claims processing, clinical records management and analysis, customer service, helpdesk, etc).

The Act:

The Health Insurance Portability and Accountability Act (HIPAA), signed into law by President Clinton on August 21, 1996, was established to improve the overall efficiency and effectiveness of the healthcare system by ensuring continued healthcare coverage for individual workers and their families in the event that they change employment. The law includes additional provisions for healthcare systems which address the management of health information, the simplification of administrative aspects of healthcare, as well as rulings which address the privacy and the security of health information.

Key Sections That Pertain to System Security

HIPAA security regulations are intentionally vendor and technology neutral, and consequently are both broad and open to interpretation based on the individual circumstances of the healthcare entity. The Security Rule contains three measures that must be addressed in order to protect and assure the confidentiality of electronic protected health information:

• Administrative Safeguards: Implement and maintain policies and procedures to prevent, detect, contain and correct security violations.
• Physical Safeguards: Implement and maintain policies and procedures to limit physical access to computer systems and their facilities, while ensuring that properly authorized access is allowed.
• Technical Safeguards: Implement and maintain policies and procedures that protect and monitor information access and prevent unauthorized access to data transmitted over a network.

Technical Safeguards: These standards describe the technical processes of the systems which will be used to enforce the administrative standards. Stated differently, how will you execute your security plan, including the electronic creation, updating, managing and transmittal of the data? At a minimum, each of the following must be addressed:

• Access Controls: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
• Privacy Controls: Ensure that confidential data is secured in transit.
• Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
• Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
• Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Best Practices Approach

The following is a “best practices” approach to securing the “inner” network from internal threats, thereby achieving regulatory compliance. These steps, coupled with an adequate external perimeter defense, will establish and maintain a secure “trusted” internal network environment.

• Define which security relationships are needed.
• Segregate the network into security zones to facilitate easier management.
• Enforce the established security relationships within and across the security zones.
• Perform regular network audits to ensure security relationships are enforced.
• Update security relationships as business needs or compliance issues dictate.
• Provide an audit trail and reporting to satisfy regulatory compliance audits.

If anyone has questions / comments, do post them here.

RiOn