Forum for Information Security

Assurance & Compliance, Information Security, Information Security Training - April 19, 2006 7:22 am

Well, for those of you who’ve been living on the ‘other side’ - i.e. those who don’t really have an interest in all things information technology, I’ve got some news for you.

You need to be scared. Very, very scared.

Unbeknownst to you, someone is probably using your computing resources, your personal information, your email addresses, your address books, your credit card numbers….get it?

Conventional anti-virus solutions DON’T work.

Why?

Because they look at signatures (bits of code, strings or any other personal identifiers) and decide to ‘allow’ or disallow data to interact with your PC.

But of course, if they don’t recognize a known pattern, then they will, by default, allow, say, some code to enter and reside on your system when you download a program, visit a website, open an attachment, click on a link, etc.

You won’t know about it.

The AV companies won’t know about it.

But someone will.

And if the person / individual / entity has malicious intent, then you’re done for.

Rootkit technology depends on stealth - and is designed to cover its tracks.

The only way to trace a rootkit is to look at its behaviour and work out whether it deviates from the behaviour of legitimate programs.
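One concrete form of the behavioural check described above is a cross-view comparison: a process that hides itself from a directory listing of /proc still has to exist for the kernel, so asking the kernel about every PID one by one and diffing the two answers exposes the discrepancy. The following is an added example written for this post, not code from the original author; the PID range, the constructed views used in the test, and the /proc path are assumptions.

```python
import os

PROC = "/proc"  # assumption: a Linux-style procfs; the scan degrades gracefully without it


def listed_pids(proc=PROC):
    """View 1: PIDs that appear when /proc is enumerated with readdir().
    Process-hiding rootkits typically filter exactly this listing."""
    if not os.path.isdir(proc):
        return set()
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(max_pid=32768):
    """View 2: PIDs the kernel admits exist when asked individually.
    kill(pid, 0) delivers no signal; EPERM still means 'this PID exists'."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def thread_group_id(pid, proc=PROC):
    """Tgid from /proc/<pid>/status, or None if the entry cannot be read.
    Thread IDs answer kill(tid, 0) but are never listed at the top of /proc,
    so without this lookup every multi-threaded program looks 'hidden'."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def cross_view_diff(listed, probed, tgid_lookup=thread_group_id):
    """PIDs visible to the probe but absent from the listing, minus threads
    that belong to some other PID. An unreadable status file is kept: it is
    either a race with a process that just exited, or something hiding."""
    suspicious = []
    for pid in sorted(probed - listed):
        tgid = tgid_lookup(pid)
        if tgid is not None and tgid != pid:
            continue  # a thread of another process, not a hidden process
        suspicious.append(pid)
    return suspicious


def scan():
    """Take the listing before and after the probe so that processes which
    start or exit during the probe are not reported as hidden."""
    before = listed_pids()
    probed = probed_pids()
    after = listed_pids()
    return cross_view_diff(before | after, probed)


if __name__ == "__main__":
    hidden = scan()
    print("hidden PIDs:", hidden if hidden else "none")
```

A non-empty result is a lead, not a verdict: confirm it against a second independent view (for example a `ps` from a boot medium) before acting, and expect the remaining false positives to be short-lived PIDs that exited between the probe and the second listing.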

See more on this topic at: http://news.com.com/Rootkit+numbers+rocketing+up,+McAfee+says/2100-7349_3-6061878.html

I’ll post some more interesting (or scary, depending on how you look at it) stuff on rootkits later…

Cheers

oRiOn

Assurance & Compliance, Information Security, Information Security Training 7:02 am

Folks, we are going to Infosec Europe as participants for the first time. It should be a great gig, with more than 15,000 visitors (11,000 attended in ‘05).

MIEL have a keynote speaker in Avinash Kadam, who will be providing information on what organizations should be looking for when hiring security professionals.

He is the only speaker from Asia - and we have a stand (G909) at the gallery level, where senior management will interact with the ‘crowd’…

Grand Olympia, Kensington - Apr 25th - 27th, 2006.

See you there!

oRiOn

Assurance & Compliance, Information Security - November 16, 2005 8:01 am

In the aftermath of Choicepoint and several other high profile incidents where customer information was compromised, the US Congress issued some strong statements and passed a series of bills aimed at strict disclosures. In short, disclosures are no longer going to be voluntary and a matter of good governance and transparency - they’re going to be required by law.

Nothing has yet emerged from all this, but the consensus is that there will be Federal legislation in place which will provide at least a universal approach towards disclosures. Most of the states (at last count, there were 13 states which had moved to enact laws on data protection and privacy) have taken the California SB1386 law as the baseline, but some like NY have taken it further - in an attempt to show business that they are serious about forcing companies to implement adequate safeguards which go beyond a simple firewall and intrusion prevention system. In NY, the smallest breach now needs to be reported to an industry watchdog - and this covers encrypted and unencrypted data in any form which is not or cannot be accounted for.

While on the topic of encryption, the National Institute of Standards and Technology (NIST) in the US advocates 256-bit data encryption, which by their reckoning is commercially unviable to break.

However, this author believes that no matter what the level of encryption, there will always remain the possibility that the encryption key is stolen. This is a very likely scenario in the case of internal breaches where an employee runs off with copied data and then decrypts it using a stolen key.

Which again raises the issue of how we protect keys - do we buy expensive devices like hardware key managers? It’s a process which can go on and on, with no real end in sight.

Meanwhile, the debate in the US rages on about what regulations and compliance requirements businesses should be subject to, whenever they are ‘handling’ customer information.

There is an interesting article on CSO Online which summarizes these points.

http://www2.csoonline.com/blog_view.html?CID=14426

Post your comments or write to me at rdutta@mielesecurity.com

Cheers

Rion

Assurance & Compliance, Information Security - November 9, 2005 10:06 am

Banks worldwide have been scrambling to assess Basel II requirements, which come into effect in 2006. At the moment, most banks are identifying what they need to do to reduce their risk exposure and also testing solutions and processes to ensure that they are in line with their overall compliance objectives.

What has been missing though is insight into what banks can actually gain from the exercise. Basel II actually brings about a radical change in the statutory capital reserves needed to meet operational, credit and commercial risk.

How?

First, Basel II empowers banks to choose their own risk management approach, rather than laying down standardized procedures and policies. The different categories of approaches are: Basic Indicator Approach (not much has changed since Basel I, 1998), Standardized Approach and Advanced Measurement Approach. However, there are very clear incentives to move from one approach to another.

Second, by choosing to ‘upgrade’ to Standard and Advanced Approach, banks will see tangible benefits in terms of capital that they need to set aside to meet their risk exposures - i.e. the benefits are actually monetized and will show up on their balance sheets. This means that, unlike other regulations like SOX, banks will find it comparatively easier to justify cost of compliance, and indeed, upgrades from one approach to another.

Third, Information Security Management is outlined as an operational risk management tool - which, when factored into the bank’s overall risk management strategy, provides a safe, secure and trustworthy operating framework for banks to do business. Basel II takes good practice and good governance a step further, and actually provides banks with a competitive advantage if they review and improve their risk management strategies.

Here is a summary of the three approaches, provided by Symantec Enterprise Security Services:

“Basel II defines operational risk as ‘the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events.’ One need look no further than recent virus/worm infections to see examples of the operational impacts of failed or insufficient information security controls. And those impacts were relatively mild compared to what they could have been. This positions information security controls as one of the foundation stones of operational risk management.

Basel II proposes three techniques for calculating the amount of capital that a bank must place in reserve as a buffer against operational risk:

Basic Indicator Approach. Like the earlier Basel I Accord of 1988, Basel II allows a bank to use a single indicator (such as 20 percent of its average annual gross income) to determine its capital charge. There are no qualifying criteria associated with this approach, and little change to current practices is called for. In general, only small banks are expected to use this basic approach.

Standardized Approach - A bank that follows this approach must calculate a capital requirement using a risk indicator (such as annual average assets or gross income) for each one of its business lines. The savings in reserve charges, compared with the Basic Indicator Approach’s across-the-board 20 percent figure, could be large. (And the incentive for banks to move from the Basic Indicator Approach to the Standardized Approach couldn’t be clearer.) As a condition for using this approach, banks must meet the following criteria:

• demonstrate that an operational risk management system is in place
• systematically track relevant operational risk data including material losses by business line
• regularly report operational risk exposures, including material operational losses, to business unit management, senior management, and the board of directors
• have a process in place for ensuring compliance with a documented set of internal policies, controls, and procedures concerning the operational risk management system
• subject their operational risk management processes and assessment systems to validation and regular independent review.

Advanced Measurement Approaches (AMA) - Of the three approaches available for calculating operational risk, the AMA is likely to have the most appeal because of its flexibility and the amount of self-discipline it provides. In the words of the Basel Committee, ‘in the AMA, banks may use their own method for assessing their exposure to operational risk, so long as it is sufficiently comprehensive and systematic.’ As Aberdeen Group has observed, ‘Moving beyond the averaging of the other methods, the bank is allowed to collect the history of its losses, analyze it, and use multiple risk factors to derive a probability of loss.’

Use of the AMA is subject to supervisory approval, and banks need to classify transaction incidents according to their impact on business. Recognizing the rapid evolution in operational risk management practices, however, the Basel Committee has stated it ‘is prepared to provide banks with an unprecedented amount of flexibility to develop an approach to calculate operational risk capital that they believe is consistent with their mix of activities and underlying risks.’

In general, banks must first integrate an internal risk measurement methodology directly into their day-to-day operational procedures and major decision-making processes. But the bottom line here is clear: With the AMA, banks can use their own internal loss data to demonstrate to regulators that they should qualify for reduced capital reserves. While many of the details surrounding the AMA are still being worked out, you can count on this to be an area of paramount interest to upper management.

Information security and operational risk:

It is my conviction that information security is underappreciated as an operational risk management tool. At the same time, I believe that Basel II represents a real opportunity for information security to help financial institutions reduce their operational risk – and thereby positively impact their bottom line.

Information is critical to the operation of every financial institution -

• If the confidentiality of sensitive or private information is compromised, lawsuits or regulatory sanctions may result in penalties, and violated trust may result in customer flight.
• If the integrity of critical information is corrupted, errors in processing may occur with similar negative consequences.
• If critical information is not available where and when it is needed, important processes may fail completely with similar results.

In all three of the above areas of compromise, recovery costs alone can be major, while the business impacts can range from the annoying to the catastrophic. Managing the security of financial information, particularly when it’s in electronic form, must therefore be a central goal in the management of operational risk.

In the context of the Standardized Approach for calculating capital requirements, the bar is set high with respect to the information security program. As we have seen, the bank must demonstrate that a system of information protection controls is in place; systematically track operational losses by business line (and presumably by root cause); and have a process in place for ensuring compliance with a documented set of internal policies, controls, and procedures concerning intended information security controls.

While these are non-trivial challenges for any institution not already doing them, the degree of risk mitigation (and therefore loss reduction) from such a formal, well-organized information security program will be significant.

Arguably the biggest challenge to the information security profession comes under the banner of the AMA. Quantifying all the important dimensions of information risk management is today a largely unsolved problem. But if it can be done, then such a quantitative model will form the basis for highly confident prioritization of security spending on a risk-adjusted basis. Further, it will support very systematic and precise information risk management, which is exactly what Basel II seeks to reward with the lowest capital reserve requirements. That’s strong motivation, indeed, to develop such a model.”

The full article is found at:

http://ses.symantec.com/Industry/Regulations/article.cfm?articleid=3270&EID=0

Basel II, in the Indian banking scenario, represents a lot more than purchasing and implementing an Anti Money Laundering (AML) Solution.

More information on Basel II is also available through International Banking Systems (IBS), www.ibspublishing.com

As usual, post your comments or email me at rdutta@mielesecurity.com

oRiOn

Assurance & Compliance, Information Security - November 7, 2005 7:33 am

The folks at Purdue University along with the National Science Foundation are conducting a survey on Privacy - it should take 5 - 15 minutes of your time, and the results should provide some insight into how Privacy Compliance is being achieved and how comfortable an individual feels today with sharing his / her personal information knowing that the law is backing him / her.

The site is http://survey.theprivacyplace.org/

Happy Diwali to all the readers,

Rion

Assurance & Compliance, Information Security - September 29, 2005 7:41 am

SOX compliance continues to be a pain area for many smaller companies seeking guidance on how not to run afoul of the regulators.

There are a lot of debates in discussion forums, in consulting company newsletters and in boardrooms about the approach and methodology.

It’s a good idea to start with the basics, and work top down, rather than bottom up. So if you’re scratching your head wondering what to do with your emails, voice mails and telephone records, it’s best to take a step back and look at things in perspective.

SOX can be broken up into 3 areas:

1. Financial Controls
2. Executive Liability
3. IT Controls (General and IT Security)

The objective is to demonstrate that your company has SOME SORT OF CONTROLS - i.e. adequate or inadequate (as the case may be) checks and balances in the financial reporting systems and conduct independent (read: external) risk assessments of the effectiveness of the controls and the reporting systems. Then you get the executive officers to sign a statement saying that all this has been done.

Where IT fits in is where financial reporting systems or business systems sit on technology platforms - this needs to be looked at objectively and a macro / micro level view taken on what Information Security controls can be built in to the IT function to support the compliance effort.

The internal team should comprise legal (in house or external), corporate (company secretary or appropriate nominee of the board and executive), external auditors who know your business, have a relationship with you and are reasonably competent in the area of establishing controls, and finally the IT team, led or supported by someone who understands business controls and operational risk and can implement IT solutions and IT strategies.

Tip: Don’t get confused by the myriad of IT point solutions which say they’re SOX compliant. They won’t help you achieve compliance, no matter what area they specifically address - for example: an access control solution may claim to be SOX compliant, but it won’t help you unless authorization and access controls are part of the company infosec policy and are then implemented with adequate management and reporting support to ensure that the infosec policies are complied with. Only then will you be okay from a SOX perspective. Same thing with Intrusion Prevention Systems (IPS) - the point is to demonstrate that you have done all you can, through policies first and then solutions, to ensure that your financial data has not been tampered with, or at least that you have systems in place (including change management tools) to demonstrate that the integrity of the financial systems is preserved. So, coming back to IT solutions and vendors, an IPS by itself isn’t going to get you anywhere.

More on this subject later - I will post details on the COSO and COBIT frameworks and controls, and how they can be tweaked to address the needs of a specific company in a case study.

The message we’re getting is that people are confused and don’t know how to approach the whole effort.

It’s not that complicated really if you look into the spirit of SOX: to put the onus squarely on the executive for financial mismanagement, and to make sure that they can’t say in their defense that they didn’t know what transpired in their businesses.

Simple, ain’t it?

Rion

Assurance & Compliance - August 25, 2005 4:20 am

California was the first state to come out with comprehensive legislation that required companies to implement adequate safeguards to protect privacy and security of information collected for business purposes. Termed SB1386, it heralded a new era in compliance and assurance legislation - and today, 18 US states have passed privacy and security laws in some form or the other.

The Personal Data Privacy and Security (PDPSA) bill applies to any business “engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of personally identifiable information in electronic or digital form on 10,000 or more U.S. persons.”

It is really aimed at codifying a federal bill in response to over 18 state data protection laws incorporating breach notification, many of which are modeled after California’s SB 1386.

A 91-page bi-partisan bill, “The Personal Data Privacy and Security Act of 2005” (PDPSA), cosponsored by Senators Patrick Leahy and Arlen Specter, is currently before Congress and is designed “to prevent and mitigate identity theft; to ensure privacy; and to enhance criminal penalties, law enforcement assistance, and other protections.”

Watch this space for further details.

Certainly seems like things are tightening up as awareness of privacy and security grows at the consumer level.

Expect companies to face stiff penalties for non compliance and executive officers to be held individually and severally liable - this will force most medium to large companies in the B2C space to take proactive measures to secure their databases, internet facing applications and consumer interfaces.

Do send us your comments,

RiOn

Assurance & Compliance - August 3, 2005 8:21 am

In an earlier post, I outlined a basic 3-step approach to implementing HIPAA within your organization.

http://mielesecurity.blogsome.com/2005/07/02/hipaa-compliance-a-basic-3-step-approach/

This information is provided for an audience seeking an overview of the Information Security requirements, as outlined in HIPAA. I hope this will be useful as a starting point towards compliance, particularly if you are in the healthcare outsourcing business (claims processing, clinical records management and analysis, customer service, helpdesk, etc).

The Act:

The Health Insurance Portability and Accountability Act (HIPAA), signed into law by President Clinton on August 21, 1996, was established to improve the overall efficiency and effectiveness of the healthcare system by ensuring continued healthcare coverage for individual workers and their families in the event that they change employment. The law includes additional provisions for healthcare systems which address the management of health information, the simplification of administrative aspects of healthcare, as well as rulings which address the privacy and the security of health information.

Key Sections That Pertain to System Security

HIPAA security regulations are intentionally vendor and technology neutral, and consequently are both broad and open to interpretation based on the individual circumstances of the healthcare entity. The Security Rule contains three measures that must be addressed in order to protect and assure the confidentiality of electronic protected health information:

• Administrative Safeguards: Implement and maintain policies and procedures to prevent, detect, contain and correct security violations.
• Physical Safeguards: Implement and maintain policies and procedures to limit physical access to computer systems and their facilities, while ensuring that properly authorized access is allowed.
• Technical Safeguards: Implement and maintain policies and procedures that protect and monitor information access and prevent unauthorized access to data transmitted over a network.

Technical Safeguards: These standards describe the technical processes of the systems which will be used to enforce the administrative standards. Stated differently, how will you execute your security plan, including the electronic creation, updating, managing and transmittal of the data? At a minimum, each of the following must be addressed:

• Access Controls: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
• Privacy Controls: Ensure that confidential data is secured in transit.
• Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
• Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
• Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Best Practices Approach

The following is a “best practices” approach to securing the “inner” network from internal threats, thereby achieving regulatory compliance. These steps, coupled with an adequate external perimeter defense, will establish and maintain a secure “trusted” internal network environment.

• Define which security relationships are needed.
• Segregate the network into security zones to facilitate easier management.
• Enforce the established security relationships within and across the security zones.
• Perform regular network audits to ensure security relationships are enforced.
• Update security relationships as business needs or compliance issues dictate.
• Provide an audit trail and reporting to satisfy regulatory compliance audits.

If anyone has questions / comments, do post them here.

RiOn

Assurance & Compliance - August 2, 2005 7:41 am

For folks in the pharmaceutical business, and operating in North American markets, there are regulatory standards that need to be complied with. These are summarized in the FDA 21 Code of Federal Regulations Part 11 (FDA 21 CFR) - this is particularly relevant to Indian companies who have acquired US pharma companies, are present in generics or bulk drugs formulations, and even extends to biotech companies and other companies who undertake contract manufacturing for US pharmaceutical companies.

FDA 21 CFR Part 11 became effective in August, 1997, and affects companies in all FDA-regulated industries, including, but not limited to, Bio-Pharmaceutical (Human and Veterinary), Personal Care Products, Medical Devices and Food and Beverage. The regulation specifies the FDA requirements for accepting electronic records in lieu of paper records. So far, FDA auditing efforts have mostly focused on manufacturing, clinical trials and drug development.

FDA 21 CFR PART 11 key requirements:

FDA 21 CFR Part 11 outlines procedures and controls for ensuring the authenticity, integrity, non-repudiation and confidentiality of electronic records and signatures. The controls themselves differentiate between “closed systems” and “open systems”. An example of a closed system would be an information system that is contained within an organization’s local area network or Intranet, while an open system would be one that uses the Internet.

The controls essentially state that “Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and confidentiality of electronic records from the point of their creation to the point of receipt, and as appropriate, additional measures such as encryption and digital signature standards”.

Key IT Security Requirements of FDA 21 CFR Part 11

1. Manage access rights in distributed and networked environments.
2. Confirm only authorized users have access to sensitive information and systems.
3. Prevent unauthorized access to computer system resources.
4. Prevent unauthorized access to information held in application systems.
5. If digital signatures are utilized within the organization then the controls require that the system be effectively managed, secured and kept up to date.
6. Put procedures, processes and systems in place to ensure system integrity.
7. Enforce data integrity and privacy while in transit.
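Both the HIPAA Audit Controls and Integrity standards above and Part 11’s authenticity, integrity and non-repudiation requirements come down to the same engineering question: can anyone tell, after the fact, whether an electronic record or its audit trail was altered or trimmed? The following is an added example written for this post, not code from the original author or from either regulation. It keeps an audit trail as a hash chain in which every entry is keyed with an HMAC and carries the MAC of its predecessor, so an edit, a deletion in the middle, or a re-ordering breaks the chain; the key, actors, record identifiers and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # predecessor value for the very first entry


def _canonical(entry):
    """Stable byte serialization of the fields covered by the MAC, so that
    every verifier computes the MAC over exactly the same bytes."""
    body = {k: entry[k] for k in ("seq", "timestamp", "actor", "action", "record_id", "prev")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain, key, actor, action, record_id, timestamp):
    """Append one audit event. 'prev' binds it to the previous entry's MAC,
    and the MAC binds the event content to a key the record-keepers hold."""
    entry = {
        "seq": len(chain),
        "timestamp": timestamp,
        "actor": actor,
        "action": action,
        "record_id": record_id,
        "prev": chain[-1]["mac"] if chain else GENESIS,
    }
    entry["mac"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain, key, expected_head=None):
    """Return (True, None) if the trail is intact, else (False, seq) naming
    the first entry that fails. Supplying expected_head (the last MAC, stored
    somewhere the trail's writers cannot reach) also catches truncation,
    which the chain alone cannot see because dropping the tail leaves a
    perfectly consistent shorter chain."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != expected_prev:
            return False, i  # reordered, deleted or inserted entry
        mac = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, entry.get("mac", "")):
            return False, i  # content of this entry was altered
        expected_prev = entry["mac"]
    if expected_head is not None and expected_prev != expected_head:
        return False, len(chain)  # entries missing from the end
    return True, None


def demo():
    """Constructed walk-through: build a trail, then tamper with copies of it."""
    key = b"constructed-demo-key-not-for-production"
    chain = []
    append_event(chain, key, "jdoe", "view", "PHI-0001", "2005-08-02T07:41:00Z")
    append_event(chain, key, "asmith", "update", "PHI-0001", "2005-08-02T07:42:10Z")
    append_event(chain, key, "jdoe", "export", "PHI-0002", "2005-08-02T07:45:33Z")
    head = chain[-1]["mac"]  # would be stored off-system after each append

    edited = [dict(e) for e in chain]
    edited[1]["actor"] = "nobody"  # rewrite who made the change

    deleted = [dict(e) for e in chain]
    del deleted[1]  # remove an inconvenient entry from the middle

    return {
        "intact": verify_chain(chain, key, head),
        "edited": verify_chain(edited, key, head),
        "deleted": verify_chain(deleted, key, head),
        "truncated_unanchored": verify_chain(chain[:-1], key),
        "truncated_anchored": verify_chain(chain[:-1], key, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

The key should live with the audit function rather than with the application that writes the records, otherwise an insider who can alter records can also re-MAC the trail; the stored head value is what turns the trail from tamper-evident-in-the-middle into tamper-evident-overall.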

Best Practices Approach

The following is a “best practices” approach to securing the “inner” network from internal threats, thereby achieving regulatory compliance. These steps, coupled with an adequate external perimeter defense, will establish and maintain a secure “trusted” internal network environment.

1. Define which security relationships are needed.
2. Segregate the network into security zones to facilitate easier management.
3. Enforce the established security relationships within and across the security zones.
4. Perform regular network audits to ensure security relationships are enforced.
5. Update security relationships as business needs or compliance issues dictate.
6. Provide an audit trail and reporting to satisfy regulatory compliance audits.
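The zoning steps above (the same six appear in the HIPAA post) become auditable once the “security relationships” are written down as data rather than kept in someone’s head. The following is an added example written for this post, not code from the original author: zones are defined as address ranges, the permitted cross-zone relationships as (source zone, destination zone, protocol, port) tuples, and observed flows are checked against them so that every flow the policy does not allow is reported for the audit trail. The zone addressing, the allowed relationships and the sample flow records are all constructed for the demonstration.

```python
from ipaddress import ip_address, ip_network

# Constructed zones (example addressing, not taken from the original post).
ZONES = {
    "workstations": [ip_network("10.10.0.0/16")],
    "app": [ip_network("10.20.0.0/24")],
    "phi_db": [ip_network("10.30.0.0/24")],   # systems holding protected records
    "mgmt": [ip_network("10.99.0.0/24")],
}

# The defined security relationships: (src_zone, dst_zone, proto, dst_port).
# Anything crossing a zone boundary that is not listed here is a violation.
ALLOWED = {
    ("workstations", "app", "tcp", 443),   # users reach the application tier only
    ("app", "phi_db", "tcp", 5432),        # only the application tier reaches the data
    ("mgmt", "app", "tcp", 22),
    ("mgmt", "phi_db", "tcp", 22),
}


def zone_of(addr):
    """Map an address to its zone; anything outside the defined zones is 'unknown'."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def parse_flow(line):
    """Constructed flow-record format: '<timestamp> <src> <dst> <proto> <dst_port>'."""
    ts, src, dst, proto, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(), "port": int(port)}


def audit_flows(lines):
    """Return every cross-zone flow that is not an allowed relationship.
    Traffic that stays inside one zone is governed by that zone's own
    controls and is not judged here."""
    violations = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, flow["proto"], flow["port"]) not in ALLOWED:
            violations.append({**flow, "src_zone": src_zone, "dst_zone": dst_zone})
    return violations


# Constructed sample flow records for the demonstration.
SAMPLE_FLOWS = """\
# timestamp             src         dst        proto port
2005-08-02T07:41:00Z 10.10.4.17  10.20.0.8  tcp  443
2005-08-02T07:41:03Z 10.20.0.8   10.30.0.5  tcp  5432
2005-08-02T07:41:09Z 10.10.4.17  10.30.0.5  tcp  5432
2005-08-02T07:41:12Z 10.99.0.2   10.30.0.5  tcp  22
2005-08-02T07:41:20Z 10.20.0.8   10.10.4.17 tcp  445
2005-08-02T07:41:31Z 192.0.2.44  10.20.0.8  tcp  443
"""


if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS.splitlines()):
        print(f"{v['ts']} VIOLATION {v['src_zone']}->{v['dst_zone']} "
              f"{v['src']} -> {v['dst']}:{v['port']}/{v['proto']}")
```

Run against real flow records, the three findings in the sample are the ones an auditor would want explained: a workstation talking straight to the record store, the application tier initiating connections back to a workstation, and an address from no defined zone reaching the application tier. Step 5 of the list (updating relationships) is then a change to `ALLOWED` with its own audit entry, rather than an undocumented firewall edit.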

For more information, visit the FDA’s CFR database section’s Part 11, which deals with electronic records and electronic signatures.

http://www.fda.gov/ora/compliance_ref/part11/

Hope this information is useful,

oRiOn

Assurance & Compliance - July 30, 2005 8:59 am

By the way, it’s worth mentioning that the cost and effort of SOX compliance is driving many smaller businesses up the wall. See what a small community bank had to say about SOX:

http://www.sec.gov/news/press/4-497/rouchi031405.pdf

Not surprising really, when you consider that compliance costs run into millions of dollars and smaller companies JUST don’t have the internal resources, and external consultants are very expensive.

I don’t hear any comments from the consulting chaps.

They must be wishing that there’s a new SOX passed by Congress every year.

Comments?

RiOn