Recently in FISMA Compliance Category

Yesterday at the Security Awareness for 2010 ISACA meeting in Philadelphia John Raezer delivered a welcomed presentation on Risk Management Effectiveness.

How Information Technology and Information Security Management must understand the Business Model. What are the key assets, what are their exposures and vulnerabilities,
and from the peril of a threat what would be the outcome. It is not only the identification or the recognition of a incident but what was the root cause and contributing factors, how does this information get included or relayed back to Business Intelligence information. What are the distribution of events not only in near real-time
but historically their severity, impacts, risk response, what policy and procedures were used in containment, mitigation, follow up step and what was the contributing factors,
who owns the Risk Relationships.

In his example on why Frameworks such as BASEL, COSO, COBIT, are so important was the highest thing that affected corporate reputation to it's business partners, customers, and suppliers was accounting irregularities. By far accounting irregularities had the highest corporate reputation risk of affecting your business with suppliers, business partners, and customers, he sited some recent banking incidents as an example of customer and partner distrust.

The need to study and understand what disruptive technologies will have an impact on business processes how many industries are using chaos theory for risk assessment, black swan events the unexpected, unexpected and how we must understand the Language of Risk, not only in the physical world but in the virtual world and that eventually he believed there will be Risk Management Accounting.

If you get a chance to read his presentation or see him speak on the values of risk management in the enterprise it is well worth the time.

Related articles by Zemanta

• Are You Ready to Implement a Supply Risk Solution? (spendmatters.com)
• ISA chairman assures nation: Your data is safe (go.theregister.com)

Jason Ross's presentation at the Blackhat DC conference related the issues about checkbox compliance, that companies are using checkbox compliance as a means to indicate whether they are secure. When in fact it should be deemed as the lowest possible level of acceptance a baseline of acceptance and he points out as others have that some of the largest privacy compromises of personal information were done at companies that had past their external PCI audits. Compliance is absolutely wonderful it enforces at least a baseline of requirements but it should not be used as a means that you have a seal that protects you from exploits and non-publicized
holes in the grid.

Jason points out the difficulties of detecting Malware in enterprise environments, that by the time the antivirus sends off an alert about a malware or virus being seen it's usually too late you have already been owned, as Dan Geer pointed out a few years ago at the Gartner Risk Conference it's hard to get exact metrics on what is happening because by the time that alert kicks off 6 other events have already happened that were not detected.

For IT and Security administrators that have been through some of these malware wars with Downloaders and Polymorphic attacks know that just because the antivirus says it's cleaning up there are way too many other things happening. I once saw some thing interesting it was a Polymorphic virus that was loaded on a system that had Microsoft's development studio on it, that we could watch as the polymorphic virus recompiled other malware from it's code that would attempt many ways to infect the machine and other machines quickly and one time there was a downloader. Even Microsoft writes about recovering the operating system and files from a known state from before this activity started unfortunately with out historical view of activity on this node and user that information and the correlation of events will be difficult.

Jason Ross points out the goals of malware now is to have Business support models. Their objective is not to be noisy but to be very quietly performing their tasks of infecting other hosts and using a network of hosts to make money and the use of malware like URL Zone and Monkif

In the presentation he talks about Spider Monkey - By Didier Stevens a tool for helping to analyze malcode. The use of SAN NETS to isolate malcode in action so that it can be analyzed to determine what it wants to connect with or what services or files it wants to abuse with Polymorphic viruses that constantly change it's usually interesting to observe them in action in a closed environment.

Years ago I can't remember the movie name, but the analyst in the movie were collecting them and keeping the code and binaries for sale and redistribution or modifying them in some way not to be detected.

Another point from the presentation is that Malcode writers are now writing them so they can not be easily detected by signatures by using multicode that each binary performs a small function of the code.

via this Black Hat briefing

• Internet Explorer could turn your Windows XP machine into a web server, Microsoft warns (guardian.co.uk)

• Massive blackhat SEO of 200K sites (ecombizcenter.blogspot.com)

netForensics will be at HP Universe in Hamburg Germany this week.

On December 16th through the 18th at HP Universe 2009 we will be featuring how our Information Security Management tools integrate with HP uCMDB and HP Operation Center Management. IT Enterprise frame works including the OCG's ITIL v3 and the ISACA's COBIT 4.1 call for Information Security Management, Change management. Service Asset and Configuration Management processes to be implemented across the ITIL Service Lifecycle from the Service Strategy, Service Design, Service Transition and Service Operation.

nFX SimOne provides the ability for Information Security Management and Operations Management to be closely aligned throughout the Service Life Cycle, by integrating with HP uCMDB, HP Operations Manager (OVO) and Information Security Management ( SIEM tools ), organizations will have common view of the relationships of host and host resources and applications and automatic change history. This provides organizations a common view of the Service Design and it's control environment allowing Information Security management to create effective correlation event scenarios based on the enterprise framework and business processes, providing effective event management and incident management.

HP UNIVERSE HAMBURG GERMANY 2009

MBSA 2.1.1 is a minor upgrade to add support for Windows 7 and Windows Server 2008 R2. MBSA can be used locally or can be used to look at Windows Systems remotely.

Some of the advanced options are use with Windows Update Services (WSUS) servers ony or use Microsoft Update Sevice only.

Checks system not only for Operating System Updates but for Microsoft Office Updates
Ref:
MSBA 2.1.1 download

Neil deGasse Tyson once said, "To a discoverer all data is valuable even bad data." When looking at data individually, you may believe that the data is not valuable and does not tell you anything. But, when combined with other types of information that are within a relevant time frame, the information becomes very valuablle and the more layers of information being presented more useful.

Some of the most valuable data that you get does not even come within the realm of logical data gathering. It is the information from outside of logical analysis of data which brings to mind Sam Walton's expression "I know what I know but tell me what you know." According to Kevin Mitnick, the most effective approach is to try to exploit the weakest link -- not operating systems, firewalls or encryption algorithms -- but people. In information security, knowing what is of value, where is it located, who has access to it, and what are the trust zones and controls that allow access to it is core to aligning information security with business goals.

Monitoring perimeter scans for known intruders and bogons is information that we all need, but knowing how trust zone can be compromised to gain access to valuable or confidential data is critical. It's the continual discovery process and breaking through the silos of knowledge and control that will help provide additional layers needed in developing an effective information security program.

Why is my executive office printer using https and ftp outbound traffic to a Home ISP DHCP range or using Goto My PC?

Andreas Wuchner of IT RISK Space writes about the difficulties in the adherence to Privacy Laws while doing business internationally. In it, he describes some general definitions which I have listed below verbatum:

Personal Data
Means any information relating to an identified or identifiable natural person (name, birthday, etc.) or material information (income etc.) of a natural person

Special Categories of Personal Data (Sensitive Data)
EU: e.g. data concerning health or sex life, ...
US: e.g. Social Security Number or credit card data

Key-coded Data (Pseudonymized Data)
Identify a person indirectly by references to an identification number (e.g. Patient Identifier in clinical trials)

De-identified Data (Anonymized Data) is not covered by privacy laws

Full Article: IT Risk Space

The Food and Drug Administration recently announced that the Office of the National Coordinator for Health Information Technology is launching the Sentinel Initiative with the ultimate goal of creating and implementing the Sentinel System - a national, integrated, electronic system for monitoring medical product safety.

The Sentinel System, which will be developed and implemented in stages will ultimately enable us to access the capabilities of multiple, existing data systems (e.g., electronic health record systems, medical claims databases) to augment the agency's current capability.

The goal is an understanding of adverse events resulting from treatment creating new methods of signal detection, data mining, and analysis, enabling researchers to generate hypotheses about, and confirm the existence and causal factors, of safety problems in the populations using the products.

Currently the focus has been to integrate data from various large populated databases, from MedSun ( Medical Product Product Safety Network), KIDnet (a postmarket database of pediatric ICU's and Neonatal ICU's), Heartnet (data gathered from electrophysiology laboratories), Labnet (data collected from hospital laboratories), SightNet (a collection of data from the use of ophthalmic devices), and HomeNet (a collection of data from home use devices). The FDA signed agreements with the Veterans Health Administration ( VHA) to build tools and infrastructures for evaluating the safety of drugs, biologics, and medical devices as well as the Department of Defense (DoD) for automated signal generation and data mining tools with the DoD's ALTHA electronic medical record system as well as identify influenza vaccine safety.

At the core of this collaboration is Information Technology, the (CCHIT) The Certification Commission for Healthcare Information Technology provides processes that provide interoperability for Electronic Healthcare Records (EHR). The Healthcare Information Technology Standards Panel (HITSP) provides interoperability specifications (HITSP C 32, 35, 36) to exchange patient data between Community Heath Centers they share ( HIE's or Health Care Information Exchange).

The Nationalwide Health Information Network (HHIN) is being developed to provide a national, secure and interoperable network. The network of networks will connect diverse entities at the state and regional (HIE's) that need to exchange health care information. The FDA is planning on using the HHIN existing framework to provide Sentinel access to diverse networks to retrieve data from a number of healthcare resources.

Healthcare IT services now interconnect patient health care medical devices that are local and remote to the health facility to Medical Device Data Systems (MDSS) that collect and store status and performance data from medical devices. The MDSS systems interconnect with EHR systems that connect to the Healthcare network (HIE) and the (HHIN) "network of networks" grid. The Holland & Hart Healthcare Law Blog article on Internet Medicine points out the challenges to the interoperability of medical devices to electronic health record systems and the proliferation of internet worms (Conflicker). Robert Nadler's article from RDN Consulting on Medical Devices provides a diagram and shows protocols used for the interoperability of connecting Medical Devices to the Health Care Network.

In another article from Ph.D. Rex Gantenbein from the University of Wyoming displays the Federated model of the HIE and its advantages.

Monitoring the efficiency and effectiveness of the control environment of HIE connections as well as the back end infrastructure to EHR systems and their trust relationships with medical data systems and connections to patient medical devices will require a strong information security program that is integrated within the IT Medical framework and the Medical Business supply chain. Prevention of Intrusions and Data Breaches will be an on-going lesson learned as data is liberated from applications and becomes more liquid and data silos are taken down. Medical data is valuable information for those that depend on it for survival. Imagine botnets that are able to infiltrate healthcare medical devices or has the ability to turn off medical monitoring equipment.

Links:
Health Information Technology (HealthIT).
Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information
The FDA Sentinel Initiative.
Common Framework for Networked Personal Health Information

This year's Gartner Risk Management and Compliance Summit track on IT Security stresses the importance of Information Security's ability to relate the information security risks to business risk. How does the risk impact the business? Aligning your information security management program to provide information about the risks to the Lines of Business, targeting IT processes that are critical to business success. Understanding the Roles and Responsibilities in each process is critical for success. You need to keep the awareness and expression of risk and compliance to executive management, line of business managers, and end users consistent and simple. Jay Heisner's session on "Ending the Culture Wars" calls for the "Criticality" scale to be High, Medium or Low. "Enable the business to understand its own risk, and to accept its own risk."

According to ISACA the Final Acceptance of Residual Risk takes into account the following:

1. Organizational Policy (appetite for risk)
2. Risk Identification and Measurement
3. Uncertainty incorporated in the risk assessment approach
4. Cost and Effectiveness of the Implementation

By understanding the Trust Relationships and Business Processes between Business Units will help determine whether the Residual Risk accepted by one organization would have a business impact on another organization.

Paul Proctor's Session - "Five Practical Tips to Link IT Risk Management and Compliance to Corporate Performance" outlines how to relate your operational risk to executive management aligning your goals to corporate initiatives. Not to use Operational Language: MS08-67 Vulnerability in Server Service Could Allow Remote Code Execution (958644), but use Maturity Model Scales levels 1 - 5 display the status of the Current State, Planned State, Desired State, Developing Project Plans.

Mark Nicolett's session on Applying Monitoring, Assessment and Operations Technologies to Reduce Risk and Improve Compliance - discusses the SOC (Security Operation Center) and NOC (Network Operation Center) integration of work flows. This allows IT Operations to support 24/7 monitoring with security specialists providing 2nd level support. There are some issues though as Mark points out on Privilege User Monitoring and Security Incident Management. Mark outlines the broad scope of SIEM, user access monitoring, real time event aggregation, correlation, alerts, reporting and historical analysis:

1. To Monitor external threats
2. To Monitor the activities of privileged users
3. To Monitor server and database resource access (NDAM and ADAM)
4. To Monitor the activity of a user across multiple systems.

The items above that I have covered only cover a fraction of the sessions available at the IT RISK Summit. INFORMATION SECURITY RISK is just one of the Summit's Tracks and I covered a small section of that. Next Year's RISK and Compliance Summit will be held in Washington D.C.

I recommend reading "IT RISK turning business threats into competitive advantage"
by George Westerman and Richard Hunter and also "Implementing IT Governance using COBIT and VAL IT" a course offered by ISACA.

netForensics SIEM and RISK Management

nFX SIM One version 4.1 introduces CMDB integration into its SIEM Business Topology Frame Work.

Assets can be imported by their CMDB domain with their associated asset attributes, including quantitative or qualitative asset valuation. CMDB is a fundamental component of the ITIL framework's Configuration Management process.

nFX SIM One assets are grouped by Customers, Business Units and Asset groups. This allows the SIM One information security management framework to match the Business Organizational structure or Mission Area Types providing a consistent view of the organization to ITIL Operations, as well as to SOC and NOC Operations.

Vulnerability Assessment Scans of corresponding assets are automatically linked to CMDB defined assets. CMDB integration and Vulnerability Scan Assessment integration can be defined as automated processes or manual processes.

nFX SIM One reports on synchronization differences between the last and current CMDB state of its asset information and also reports on assets that are defined in nFX SIM One to those not seen in CMDB. Assets can be automatically created and assigned value from Vulnerability Assessment Scans, so it could be that assets were detected by Assessment Scanners that are not defined in CMDB.

HP UCMDB asset valuation modifications and other attribute changes are sent to HP OVO as an alarm that the asset valuation has changed for this particular asset,
with the nFX HP OVO Connector.

This allows information security to view what controls are protecting critical business processes and allows information security to view the effectiveness and efficiency
of the controls in place.

nFX SIM One's Vulnerability Correlation Engine correlates the threat criticality with the vulnerability criticality and the asset criticality to the business in real-time and offers the ability to notify ITIL operations, NOC and SOC when the attack matched a specific vulnerability.

nFX SIM One's Rules Based Correlation Engine allows information security to build custom rules that will help identify trust relationship issues between service providers, business partners, business units, asset groups, assets, applications or users. Identifying when threats are getting closer through layered controls to critical business assets and that have a severe business impact.

nFX SIM One provides integration with Network and IT Operations Center monitoring systems, selected events or incidents can be sent to end users for notification and analysis, provides Helpdesk ticket integration with major help desk vendors.

To provide segregation and integrity of incident management, nFX Sim One provides it's own Incident Management Resolution Built-in Application where security analysts can work on various Investigations without having other operational users be able have access to that information. nFX SIM One also has the ability to allow its incident management system to have two way integration with OVO letting the operations staff and IT management know what state a incident is being worked on and to whom it is assigned by the request of the analyst or incident manager working on the incident status at the time.

nFX SIM One allows the CIO, Risk Management, and the CISO the ability to jumpstart their information security program, reduce risks, and improve compliance.

NIST FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. NIST SP800-60 1 and 2 provides the guidelines for the classification of Mission Area types.

Most folks in the security business realize that peer-to-peer (P2P) file sharing exposes organizations to certain risks. Because P2P applications are often used to share pirated media such as music and movies, it is all too easy to underestimate the nature of those risks. The impact of P2P file sharing can easily extend beyond resource consumption, viruses, and threat of litigation from the entertainment industry.

Two examples of serious information breaches through P2P file sharing have recently been publicized. In the first case, blueprints of the presidential helicopter Marine One were accessible through P2P file sharing on the computer of a defense contractor. Other sources indicate that this data had been shared as far as Iran and other hostile nations. This is particularly surprising not only due to the highly sensitive nature of the information but also due to the fact that defense contractors are typically required to adhere to stringent security policies.

The second case involves a Dartmouth College finding that turned up a treasure trove of health related information from many sources over a handful of popular P2P sharing networks. This information included highly sensitive patient records, pre-signed prescription forms, social security numbers, and patient billing information. The impact to HIPAA compliance is obvious, but real world exploitation of this data is potentially even more serious.

It goes without saying that sensitive information must be secured. We often focus on outsider threats, but peer-to-peer file sharing can be a trojan horse that can originate with a non-malicious insider. The implications of this vulnerability can be much greater than might seem obvious.