Recently in Compliance Category

This morning I posted a link on our twitter site about an article from Ross Anderson and Shailendra Fuloria on issues concerning the Governance and Security of Smart Meters.
"Who controls the off switch?" This article was referenced in one of the major Scada Security List Services.

The article does point out the concerns about Cyber attacks by international criminal organizations, military initiatives of foreign nations causing massive black outs and some ways of mitigating those risks.

The article does point out another interesting point about the use of cryptography and key management. How will the keys be managed in Smart Meter technology on hundreds of millions of smart meters with pre-shared secrets or PKI infrastucture?
How will new keys be added for new energy companies? How will the keys be changed?

There is some new work being done by the Oasis Group on key management
The OASIS KMIP Key Management project may be one of the center pieces for offering interoperability across a "Trans-Smart Grid". A 2009 presentation by the University of Colorado also lists KMIP as key to interoperability. The Colorado University presentation by Dr. Edward Chow goes on to show the complexity in monitoring attacks from the trust relationships of various parts of the infrastructure including "Fake ID Hijack Station","Jamming Wormhole Attacks", "Meter Database Tampering" from Insider Attacks to External Attacks and the correlation of events moving through these trust relationships.

The Second paper from Ross Anderson and Shailendra Fuloria also referenced in the
paper Who controls the off switch is On the security economics of electricity metering .
This is an excellent paper that not only provides insight to the history of distributed power but also points out the complexities in providing modern day Smart Grid technologies not only from a technological perspective but from competitive analysis on the struggle for dominance within the distribution system both nationally and internationally and a warning on the comparisons of what happened with Enron when governance is not properly applied.

Not so long ago, I remember that talking about information security management brought a lot of eyebrowse up, something of a black art, kind of like UNIX Administration.
But in today's world, Cyber Security has gotten enough attention recently from the White House, Congress, Military, and Law Enforcement not only in the U.S. but across the globe that discussing the need for Cyber Security and Information Security Management in the public and private sectors is no longer considered a foreign topic or a dark black art. The discussion of Risk Management and Information Security Management are now an interwoven fabric within IT Frameworks for COBIT and ITIL.

At the NJTC meeting yesterday at the Forsgate Country Club, we had a diverse number of parties interested in our solutions to support their Information Security Management Program - from Audit and Financial executives to IT Management. Our solutions will provide a means to help IT and Data Owners identify the threats, and risks to their business processes in these times of round-the-clock international electronic business transactions. Situational awareness of today's highly complex distributed IT Service environments is no longer simply a nice to have but a necessity to survival of digital business transactions against a world of distributed Botnets and pre-zero day vulnerabilities.

I would like to thank the NJTC for giving us the ability to reach out to so many different businesses operating in across the State of New Jersey and those that stopped by to simply hear what our solutions have to offer to their Business Services.

Developing an Information Security Privacy Schedule for Service Provider Transactions by David Navetta.

This article points out the need for customers to develop Information Security and Privacy Schedules as part of their Service Provider agreements. As more and more of our Information Technology and Information Security moves to out sourced technologies, customers need to be aware that not only are they still responsible for the privacy and security of their data, but may be undertaking the risks involved with utilizing the service providers information security environment.

"The Customer should think of the Service Provider's security as an extension of their own internal security." IT Services and Information Security Management must undertake the security of how the trust relationships with their Service Providers are handled and how those relationships may impact the business, should the Service Provider be compromised or suffer a breach.

In David Navetta's closing statement, he mentions the impact of incidents, not from the initial impact of the exploitation of an exposure but the after effects concerning liability and reputation damage. "First, it is not unusual for a security incident to yield "consequential damages" in addition to "direct damages," including loss of profits, lost customers, attorney fees, breach notice costs and other similar costs. If the overall contract contains a consequential damages disclaimer, the Customer should endeavor to get an exception for consequential damages arising out of a security incident and/or breach of the Schedule."

The credibility and reliability of your information security program is now an integral part of stability and reputation of the business along with how well you are maintaining the trust relationships with your business partners and service providers which are now part of your extended business and control environment. The days of IT involving a few core services are gone and now have been replaced by data moving in and out of the environment for outside processing and storage, site to site vpns, international privacy and security laws of internal, external data and the rise of "Cyber insurance". David's article covers a wide variety of suggestions of what can be included in the Security /Privacy Schedule in contractual agreements with Service Providers.

Related articles by Zemanta

• Cloud Security and Privacy (oreilly.com)
• National Survey Reveals Privacy Breach Notification and Reputational Damage among Top Concerns with Regards to New Privacy Rules (eon.businesswire.com)
• Why "Verified By Visa" System Is Insecure (news.slashdot.org)

Yesterday at the Security Awareness for 2010 ISACA meeting in Philadelphia John Raezer delivered a welcomed presentation on Risk Management Effectiveness.

How Information Technology and Information Security Management must understand the Business Model. What are the key assets, what are their exposures and vulnerabilities,
and from the peril of a threat what would be the outcome. It is not only the identification or the recognition of a incident but what was the root cause and contributing factors, how does this information get included or relayed back to Business Intelligence information. What are the distribution of events not only in near real-time
but historically their severity, impacts, risk response, what policy and procedures were used in containment, mitigation, follow up step and what was the contributing factors,
who owns the Risk Relationships.

In his example on why Frameworks such as BASEL, COSO, COBIT, are so important was the highest thing that affected corporate reputation to it's business partners, customers, and suppliers was accounting irregularities. By far accounting irregularities had the highest corporate reputation risk of affecting your business with suppliers, business partners, and customers, he sited some recent banking incidents as an example of customer and partner distrust.

The need to study and understand what disruptive technologies will have an impact on business processes how many industries are using chaos theory for risk assessment, black swan events the unexpected, unexpected and how we must understand the Language of Risk, not only in the physical world but in the virtual world and that eventually he believed there will be Risk Management Accounting.

If you get a chance to read his presentation or see him speak on the values of risk management in the enterprise it is well worth the time.

Related articles by Zemanta

• Are You Ready to Implement a Supply Risk Solution? (spendmatters.com)
• ISA chairman assures nation: Your data is safe (go.theregister.com)

Jason Ross's presentation at the Blackhat DC conference related the issues about checkbox compliance, that companies are using checkbox compliance as a means to indicate whether they are secure. When in fact it should be deemed as the lowest possible level of acceptance a baseline of acceptance and he points out as others have that some of the largest privacy compromises of personal information were done at companies that had past their external PCI audits. Compliance is absolutely wonderful it enforces at least a baseline of requirements but it should not be used as a means that you have a seal that protects you from exploits and non-publicized
holes in the grid.

Jason points out the difficulties of detecting Malware in enterprise environments, that by the time the antivirus sends off an alert about a malware or virus being seen it's usually too late you have already been owned, as Dan Geer pointed out a few years ago at the Gartner Risk Conference it's hard to get exact metrics on what is happening because by the time that alert kicks off 6 other events have already happened that were not detected.

For IT and Security administrators that have been through some of these malware wars with Downloaders and Polymorphic attacks know that just because the antivirus says it's cleaning up there are way too many other things happening. I once saw some thing interesting it was a Polymorphic virus that was loaded on a system that had Microsoft's development studio on it, that we could watch as the polymorphic virus recompiled other malware from it's code that would attempt many ways to infect the machine and other machines quickly and one time there was a downloader. Even Microsoft writes about recovering the operating system and files from a known state from before this activity started unfortunately with out historical view of activity on this node and user that information and the correlation of events will be difficult.

Jason Ross points out the goals of malware now is to have Business support models. Their objective is not to be noisy but to be very quietly performing their tasks of infecting other hosts and using a network of hosts to make money and the use of malware like URL Zone and Monkif

In the presentation he talks about Spider Monkey - By Didier Stevens a tool for helping to analyze malcode. The use of SAN NETS to isolate malcode in action so that it can be analyzed to determine what it wants to connect with or what services or files it wants to abuse with Polymorphic viruses that constantly change it's usually interesting to observe them in action in a closed environment.

Years ago I can't remember the movie name, but the analyst in the movie were collecting them and keeping the code and binaries for sale and redistribution or modifying them in some way not to be detected.

Another point from the presentation is that Malcode writers are now writing them so they can not be easily detected by signatures by using multicode that each binary performs a small function of the code.

via this Black Hat briefing

• Internet Explorer could turn your Windows XP machine into a web server, Microsoft warns (guardian.co.uk)

• Massive blackhat SEO of 200K sites (ecombizcenter.blogspot.com)

HP Software Universe 2009

Last day here at HP Universe in Hamburg, talking about integrating Information Security Management more closely into the enterprise architecture and the system development life cycle. Enterprise Frameworks including the new NIST guideline for Special Publication 800-37 Rev. 1 and six step Risk Management Framework, highlights ITIL V3 and COBIT 4.1 frameworks call for information security to be closely aligned with the enterprise for effective Risk Management.

We have been talking about the new Standards and Guidelines concerning the harmonization of IT and Information Security Governance. With netForensics Sim One, information security management enterprise software, HP uCMDB, and HP Operations Manager Software integration, we can provide the proof that IT Operations Management and Information Security Management are working on the same vision of Domain Services for continual monitoring of enterprise services providing IT Operations and Information Security the ability to monitor the effectiveness of the control environment, promoting near real-time risk management.

If your looking for solutions to help you manage risk-based decisions with regard to the organizational information systems supporting their core missions and business functions, we already have it.

netForensics will be at HP Universe in Hamburg Germany this week.

On December 16th through the 18th at HP Universe 2009 we will be featuring how our Information Security Management tools integrate with HP uCMDB and HP Operation Center Management. IT Enterprise frame works including the OCG's ITIL v3 and the ISACA's COBIT 4.1 call for Information Security Management, Change management. Service Asset and Configuration Management processes to be implemented across the ITIL Service Lifecycle from the Service Strategy, Service Design, Service Transition and Service Operation.

nFX SimOne provides the ability for Information Security Management and Operations Management to be closely aligned throughout the Service Life Cycle, by integrating with HP uCMDB, HP Operations Manager (OVO) and Information Security Management ( SIEM tools ), organizations will have common view of the relationships of host and host resources and applications and automatic change history. This provides organizations a common view of the Service Design and it's control environment allowing Information Security management to create effective correlation event scenarios based on the enterprise framework and business processes, providing effective event management and incident management.

HP UNIVERSE HAMBURG GERMANY 2009

MBSA 2.1.1 is a minor upgrade to add support for Windows 7 and Windows Server 2008 R2. MBSA can be used locally or can be used to look at Windows Systems remotely.

Some of the advanced options are use with Windows Update Services (WSUS) servers ony or use Microsoft Update Sevice only.

Checks system not only for Operating System Updates but for Microsoft Office Updates
Ref:
MSBA 2.1.1 download

It is amazing and rather disturbing that a US federal judge has recently ordered Google to lock a gmail user out his own account despite the fact that he has done nothing wrong.

It seems that a bank accidentally sent this user a file containing sensitive information. They asked the user to destroy it without reading it, but didn't receive an answer. At that point the bank sought legal action.

Again, I am left with questions and thoughts:

- How did this happen? Did someone intend to send this sensitive file via email to a different address and simply mistyped? If so, was the sender not aware of the inherent risks in sending unencrypted email?

- Does the bank have a policy regarding sending unencrypted sensitive information over the Internet using an insecure protocol like SMTP? If so, do they have any tools to enforce it?

- How did the bank discover this mistake? Did the sender realize his or her mistake and informed the compliance / security group, or was some automated detection system in place?

- What legal responsibility does the innocent email recipient have? Sure the data is sensitive, but it was freely given to him. Can't he do what he pleases with it (short of committing crime, such as theft)?

- As much as I would like to see the prevention of information leakage, I am still disturbed by the legal precedent set here. What if they send it to a corporate email system next time? Does the government have similar authority to disrupt the business of a private organization by forcing a shut down of their Internet connection?

The onus of correcting this problem should fall 100% on the bank. They should have to compensate the affected customers. They should have to compensate the email recipient for any harm they cause him. And most importantly, they should learn their lesson and prevent this type of leak from happening again.

Here's an interesting story making the rounds today about an Ohio man who used a commercial spyware program on an (ex?) girlfriend. He expected it to track her activities on her home computer, but instead ended up getting an ongoing screenshot feed from a computer in a hospital pediatric cardiac surgery department, where she works. He sent the file to her Yahoo! Mail account. She opened it and unknowingly installed the software on a work computer.

Needless to say, instead of getting juicy details on her online activities a la Joey Greco, he ended up with a feed of sensitive data, including PII and ePHI. While this was indeed an unintended result, he is still on the hook for big fines and possible jail time.

There is a lot of blame to spread around here for sure. There are also many questions (some rhetorical) that popped into my head as I read this:

- How did he convince her to run the installer and infect the PC? Obviously, he had an advantage over a random malware spreader since she knew the sender. Still, it must have required at least a small amount of social engineering skill. She didn't even know she had infected the system (or didn't think it wise to tell anyone).

- Does the hospital have a webmail policy? Do they have the tools to enforce it? Blocking access to Yahoo! Mail at the gateway would have nipped this problem in the bud, at least for the hospital.

- Did the PC in question have adequate anti-malware protection? By the looks of things, whatever they were using was insufficient.

- What else could the hospital have done to prevent the leak of ePHI in accordance with HIPAA regulations? Of course SIM comes to my mind, but SIM would need to rely on feeds from web gateways, AV servers, DLP systems, firewalls, etc.

- The hospital is actually lucky here in that the person who stole the sensitive information had no nefarious plans for it. They were shown the weakness of their defenses without having to pay for an audit and without the need to pay ransom or experience worse consequences. They should view this incident as a gift and use it to improve their security stance.

- The stalker / boyfriend was clearly in the wrong no matter how you slice things. I imagine it's just as illegal to spy on a private citizen this way as it is to do it to a hospital. To borrow from an old saying: Spyware doesn't steal information - people do.