Recently in SOX Compliance Category



Developing an Information Security Privacy Schedule for Service Provider Transactions by David Navetta.

This article points out the need for customers to develop Information Security and Privacy Schedules as part of their Service Provider agreements. As more and more of our Information Technology and Information Security moves to outsourced technologies, customers need to be aware that not only are they still responsible for the privacy and security of their data, but they may also be taking on the risks that come with relying on the service provider's information security environment.


"The Customer should think of the Service Provider's security as an extension of their own internal security." IT Services and Information Security Management must take ownership of how the trust relationships with their Service Providers are handled, and of how those relationships may impact the business should the Service Provider be compromised or suffer a breach.

In David Navetta's closing statement, he mentions the impact of incidents, not the initial impact of the exploitation of an exposure but the after-effects concerning liability and reputation damage. "First, it is not unusual for a security incident to yield "consequential damages" in addition to "direct damages," including loss of profits, lost customers, attorney fees, breach notice costs and other similar costs. If the overall contract contains a consequential damages disclaimer, the Customer should endeavor to get an exception for consequential damages arising out of a security incident and/or breach of the Schedule."

The credibility and reliability of your information security program is now an integral part of the stability and reputation of the business, along with how well you maintain the trust relationships with your business partners and service providers, which are now part of your extended business and control environment. The days of IT involving a few core services are gone; they have been replaced by data moving in and out of the environment for outside processing and storage, site-to-site VPNs, international privacy and security laws covering internal and external data, and the rise of "cyber insurance". David's article covers a wide variety of suggestions for what can be included in the Security/Privacy Schedule in contractual agreements with Service Providers.




Yesterday at the Security Awareness for 2010 ISACA meeting in Philadelphia, John Raezer delivered a welcome presentation on Risk Management Effectiveness.

He stressed that Information Technology and Information Security Management must understand the business model: what the key assets are, what their exposures and vulnerabilities are, and what the outcome would be if a threat materialized. It is not only the identification or recognition of an incident that matters, but what its root cause and contributing factors were, and how that information gets included in or relayed back to Business Intelligence. What is the distribution of events, not only in near real time but historically: their severity, impacts and risk response, what policies and procedures were used in containment, mitigation and follow-up, what the contributing factors were, and who owns the risk relationships?

In his example of why frameworks such as BASEL, COSO and COBIT are so important, the single factor with the greatest effect on corporate reputation among business partners, customers and suppliers was accounting irregularities. By far, accounting irregularities carried the highest corporate reputation risk with suppliers, business partners and customers; he cited some recent banking incidents as examples of customer and partner distrust.

He also covered the need to study and understand which disruptive technologies will have an impact on business processes, how many industries are using chaos theory for risk assessment, black swan events (the unexpected unexpected), and how we must understand the language of risk, not only in the physical world but in the virtual world. Eventually, he believes, there will be Risk Management Accounting.

If you get a chance to read his presentation or see him speak on the values of risk management in the enterprise it is well worth the time.


Jason Ross's presentation at the Black Hat DC conference addressed the issue of checkbox compliance: companies are using checkbox compliance as a means of indicating that they are secure, when in fact it should be regarded as the lowest possible level of acceptance, a baseline. He points out, as others have, that some of the largest compromises of personal information occurred at companies that had passed their external PCI audits. Compliance is absolutely wonderful, since it enforces at least a baseline of requirements, but it should not be treated as a seal that protects you from exploits and non-publicized holes in the grid.

Jason points out the difficulties of detecting malware in enterprise environments: by the time the antivirus sends off an alert about malware or a virus being seen, it is usually too late and you have already been owned. As Dan Geer pointed out a few years ago at the Gartner Risk Conference, it is hard to get exact metrics on what is happening, because by the time that alert kicks off, six other events have already happened that were not detected.

IT and Security administrators who have been through some of these malware wars with downloaders and polymorphic attacks know that, just because the antivirus says it is cleaning up, there are far too many other things happening. I once saw something interesting: a polymorphic virus was loaded on a system that had Microsoft's development studio on it, and we could watch as the polymorphic virus recompiled other malware from its code that would attempt many ways to infect the machine and other machines quickly, and at one point there was a downloader. Even Microsoft writes about recovering the operating system and files from a known state from before this activity started; unfortunately, without a historical view of activity on this node and user, that information and the correlation of events will be difficult.

Jason Ross points out that the goal of malware now is to have business support models. The objective is not to be noisy but to very quietly perform the tasks of infecting other hosts and using a network of hosts to make money, and he mentions the use of malware like URL Zone and Monkif.

In the presentation he talks about Spider Monkey by Didier Stevens, a tool for helping to analyze malcode, and the use of sandnets to isolate malcode in action so that it can be analyzed to determine what it wants to connect to or what services or files it wants to abuse. With polymorphic viruses that constantly change, it is usually interesting to observe them in action in a closed environment.

Years ago, in a movie whose name I can't remember, the analysts were collecting them and keeping the code and binaries for sale and redistribution, or modifying them in some way so as not to be detected.

Another point from the presentation is that malcode writers are now writing malware so that it cannot be easily detected by signatures, splitting it into multiple pieces of code so that each binary performs only a small function of the whole.

via this Black Hat briefing



netForensics will be at HP Universe in Hamburg Germany this week.

On December 16th through the 18th at HP Universe 2009, we will be featuring how our Information Security Management tools integrate with HP uCMDB and HP Operations Center Management. IT enterprise frameworks, including the OGC's ITIL v3 and ISACA's COBIT 4.1, call for Information Security Management, Change Management, and Service Asset and Configuration Management processes to be implemented across the ITIL Service Lifecycle: Service Strategy, Service Design, Service Transition and Service Operation.

nFX SimOne allows Information Security Management and Operations Management to be closely aligned throughout the Service Lifecycle. By integrating HP uCMDB, HP Operations Manager (OVO) and Information Security Management (SIEM) tools, organizations gain a common view of the relationships between hosts, host resources and applications, together with an automatic change history. This gives organizations a common view of the Service Design and its control environment, allowing Information Security Management to create effective event correlation scenarios based on the enterprise framework and business processes, and providing effective event management and incident management.



The mission and function of the task force will be to provide advice to the Attorney General for the investigation and prosecution of cases of bank, mortgage, loan and lending fraud; securities and commodities fraud; mail and wire fraud; retirement fraud; tax crimes; false claims; unfair competition; discrimination; and other financial crimes and violations.

Federal Register Executive Order 13519--Establishment of the Financial Fraud Enforcement Task Force

Bankinfosecurity.com's article outlines the comments made by the Attorney General's Office:

"That the nation faces unprecedented challenges in responding to the financial crisis that has gripped the economy for the past year. Mortgage, securities and corporate fraud schemes have eroded the public's confidence in the nation's financial markets and have led to a growing sentiment that Wall Street does not play by the same rules as Main Street."

Recently, in the Brazilian power outage events, even an implied weakness in the controls of critical infrastructure could be used to destabilize financial markets by subverting the controls involved in financial trading. There have been conflicting reports about whether the outage was caused by an attack on the dam's control systems. Employees and contractors of the system complained that their paychecks and statements had been modified to include a message from the attackers.

With all of this talk of financial fraud and critical infrastructure vulnerabilities, I could not help but be reminded of the 1983 movie Superman III, where Robert Vaughn's character says, "Computers rule the world today and the fellow that rules the computer, rules the world," and Richard Pryor hacks into secret defense systems to ruin the coffee crop for the next 5 years (Superman III: Tornado Scene).

While it may all seem very tongue-in-cheek and somewhat unrealistic, the simultaneous collapse of the financial markets due to fraudulent transactions, combined with the failure of major SCADA systems, would have a serious effect on a nation's stability. In 2002 the U.S. Naval War College conducted a study that concluded it would probably take about 5 years and cost about 290 million dollars to plan a significant electronic attack.

Digital Steganography: the advantage of steganography over cryptography alone is that messages do not attract attention to themselves.

Infosectoday's article, "Digital Steganography: Threat or Hype" by James E. Wingate, in summary: use of steganography will never be detected if no one ever looks for it.

Oct 24, 2008 - Futures halted as trading enters `panic mode` The Financial Post



MBSA 2.1.1 is a minor upgrade to add support for Windows 7 and Windows Server 2008 R2. MBSA can be used locally or can be used to look at Windows Systems remotely.

Some of the advanced options are to use Windows Server Update Services (WSUS) servers only, or to use the Microsoft Update service only.

It checks the system not only for operating system updates but also for Microsoft Office updates.
Ref:
MBSA 2.1.1 download


Neil deGrasse Tyson once said, "To a discoverer all data is valuable, even bad data." When looking at data individually, you may believe that it is not valuable and does not tell you anything. But when it is combined with other types of information within a relevant time frame, the information becomes very valuable, and the more layers of information that are presented, the more useful it becomes.

Some of the most valuable data you get does not even come within the realm of logical data gathering. It is information from outside the logical analysis of data, which brings to mind Sam Walton's expression, "I know what I know, but tell me what you know." According to Kevin Mitnick, the most effective approach is to exploit the weakest link: not operating systems, firewalls or encryption algorithms, but people. In information security, knowing what is of value, where it is located, who has access to it, and what trust zones and controls allow access to it is core to aligning information security with business goals.

Monitoring perimeter scans for known intruders and bogons is information we all need, but knowing how a trust zone can be compromised to gain access to valuable or confidential data is critical. It is the continual discovery process, and breaking through the silos of knowledge and control, that will help provide the additional layers needed in developing an effective information security program.

Why is my executive office printer sending HTTPS and FTP traffic outbound to a home ISP DHCP range, or using GoToMyPC?
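One way to turn that question into a repeatable check is an egress rule keyed on trust zone: each zone has an expected set of destinations and ports, and any flow outside that set is a finding. The example below is added here and is not from the original post; the host inventory, zone names, ports and flow records are constructed, and 203.0.113.0/24 stands in for a home ISP DHCP range.

```python
"""Zone-aware egress check over flow records (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Address space this organization treats as internal (RFC 1918; an assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Trust-zone membership of known hosts (constructed inventory).
ZONES = {
    "10.10.5.20": "exec_office_printers",   # hypothetical executive printer
    "10.10.7.15": "user_workstations",
}

# Per-zone egress policy: a printer is only expected to reach internal hosts
# on print/update ports; workstations may browse the web and print.
EGRESS_POLICY = {
    "exec_office_printers": {"internet": False, "ports": {9100, 631, 443}},
    "user_workstations":    {"internet": True,  "ports": {80, 443, 9100}},
}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding if the flow breaks its source zone's policy, else None."""
    zone = ZONES.get(flow.src)
    if zone is None:
        # A host with no zone is itself a finding: it is not in the inventory.
        return f"{flow.src}: source not in any trust zone (unknown asset)"
    policy = EGRESS_POLICY[zone]
    if not is_internal(flow.dst) and not policy["internet"]:
        return (f"{flow.src} ({zone}): unexpected internet egress to "
                f"{flow.dst}:{flow.dport}, {flow.bytes_out} bytes")
    if flow.dport not in policy["ports"]:
        return f"{flow.src} ({zone}): port {flow.dport} not allowed for this zone"
    return None

def findings(flows: List[Flow]) -> List[str]:
    return [f for f in (check_flow(fl) for fl in flows) if f]

# Constructed flow records (src, dst, dst port, bytes sent).
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.10.1.5", 9100, 120_000),        # normal print job
    Flow("10.10.5.20", "203.0.113.77", 443, 50_000_000),   # printer HTTPS to ISP range
    Flow("10.10.5.20", "203.0.113.77", 21, 3_000),         # printer FTP to ISP range
    Flow("10.10.7.15", "198.51.100.9", 443, 8_000),        # workstation web browsing
    Flow("10.10.7.15", "10.10.1.5", 9100, 40_000),         # workstation printing
]

if __name__ == "__main__":
    for line in findings(SAMPLE_FLOWS):
        print(line)
```

Only the two printer flows to the ISP range are reported; the large byte count on the HTTPS flow is carried into the finding because volume is what distinguishes a firmware check from data leaving the building.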


This year's Gartner Risk Management and Compliance Summit track on IT Security stresses the importance of Information Security's ability to relate information security risks to business risk. How does the risk impact the business? Align your information security management program to provide information about the risks to the lines of business, targeting the IT processes that are critical to business success. Understanding the roles and responsibilities in each process is critical for success. You need to keep the awareness and expression of risk and compliance to executive management, line of business managers and end users consistent and simple. Jay Heiser's session on "Ending the Culture Wars" calls for the "Criticality" scale to be High, Medium or Low: "Enable the business to understand its own risk, and to accept its own risk."

According to ISACA the Final Acceptance of Residual Risk takes into account the following:

1. Organizational Policy (appetite for risk)
2. Risk Identification and Measurement
3. Uncertainty incorporated in the risk assessment approach
4. Cost and Effectiveness of the Implementation

Understanding the trust relationships and business processes between business units will help determine whether the residual risk accepted by one organization would have a business impact on another.

Paul Proctor's session, "Five Practical Tips to Link IT Risk Management and Compliance to Corporate Performance", outlines how to relate your operational risk to executive management by aligning your goals to corporate initiatives. Do not use operational language such as "MS08-067 Vulnerability in Server Service Could Allow Remote Code Execution (958644)"; instead use Maturity Model scale levels 1 to 5 to display the status of the Current State, Planned State and Desired State, and to develop project plans.

Mark Nicolett's session, Applying Monitoring, Assessment and Operations Technologies to Reduce Risk and Improve Compliance, discusses the integration of SOC (Security Operations Center) and NOC (Network Operations Center) workflows. This allows IT Operations to support 24/7 monitoring with security specialists providing second-level support. There are some issues, though, as Mark points out, around privileged user monitoring and security incident management. Mark outlines the broad scope of SIEM, user access monitoring, real-time event aggregation, correlation, alerts, reporting and historical analysis:

1. Monitor external threats
2. Monitor the activities of privileged users
3. Monitor server and database resource access (NDAM and ADAM)
4. Monitor the activity of a user across multiple systems

The items I have covered above are only a fraction of the sessions available at the IT Risk Summit. Information Security Risk is just one of the Summit's tracks, and I covered a small section of that. Next year's Risk and Compliance Summit will be held in Washington D.C.

I recommend reading "IT Risk: Turning Business Threats into Competitive Advantage" by George Westerman and Richard Hunter, and also "Implementing IT Governance using COBIT and VAL IT", a course offered by ISACA.


netForensics SIEM and RISK Management

nFX SIM One version 4.1 introduces CMDB integration into its SIEM Business Topology Framework.

Assets can be imported by their CMDB domain with their associated asset attributes, including quantitative or qualitative asset valuation. CMDB is a fundamental component of the ITIL framework's Configuration Management process.

nFX SIM One assets are grouped by Customers, Business Units and Asset groups. This allows the SIM One information security management framework to match the Business Organizational structure or Mission Area Types providing a consistent view of the organization to ITIL Operations, as well as to SOC and NOC Operations.

Vulnerability Assessment Scans of corresponding assets are automatically linked to CMDB defined assets. CMDB integration and Vulnerability Scan Assessment integration can be defined as automated processes or manual processes.

nFX SIM One reports on synchronization differences between the last and current CMDB state of its asset information, and also reports on assets that are defined in nFX SIM One but not seen in the CMDB. Because assets can be automatically created and assigned value from Vulnerability Assessment Scans, it can happen that assets detected by assessment scanners are not defined in the CMDB.

HP uCMDB asset valuation modifications and other attribute changes are sent to HP OVO, via the nFX HP OVO Connector, as an alarm that the asset valuation has changed for that particular asset.

This allows information security to view what controls are protecting critical business processes, and to view the effectiveness and efficiency of the controls in place.

nFX SIM One's Vulnerability Correlation Engine correlates threat criticality with vulnerability criticality and the asset's criticality to the business in real time, and can notify ITIL operations, the NOC and the SOC when an attack matches a specific vulnerability.

nFX SIM One's Rules Based Correlation Engine allows information security to build custom rules that help identify trust relationship issues between service providers, business partners, business units, asset groups, assets, applications or users, and to identify when threats are getting closer, through the layered controls, to critical business assets where they would have a severe business impact.
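The two mechanisms described above, reconciling scanner-discovered assets against the CMDB and scoring an attack by threat, vulnerability and asset criticality, are small enough to show end to end. The example below is added here and is not nFX SIM One's own code; the CMDB export, scan results, IDS events, field names and the product-of-criticalities scoring formula are all constructed assumptions.

```python
"""CMDB reconciliation and threat/vuln/asset correlation (added example)."""
from typing import Dict, List, Set, Tuple

# CMDB export: asset address -> (name, business criticality 1..5). Constructed.
CMDB: Dict[str, Tuple[str, int]] = {
    "10.20.1.10": ("erp-db-01", 5),       # supports a critical business process
    "10.20.1.11": ("erp-app-01", 4),
    "10.20.3.50": ("print-srv-01", 1),
}

# Vulnerability scan results: address -> {(vuln id, severity 1..5)}. Constructed.
SCAN: Dict[str, Set[Tuple[str, int]]] = {
    "10.20.1.10": {("VULN-A", 5), ("VULN-C", 2)},
    "10.20.1.11": {("VULN-B", 3)},
    "10.20.9.99": {("VULN-A", 5)},        # seen by the scanner, absent from CMDB
}

def unreconciled_assets(cmdb: Dict, scan: Dict) -> List[str]:
    """Assets the scanner found that the CMDB does not define, and vice versa."""
    only_scan = sorted(set(scan) - set(cmdb))
    only_cmdb = sorted(set(cmdb) - set(scan))
    return ([f"scanned-not-in-cmdb:{a}" for a in only_scan]
            + [f"cmdb-not-scanned:{a}" for a in only_cmdb])

def correlate(event: Dict, cmdb: Dict, scan: Dict) -> Dict:
    """Score one IDS event as threat x vulnerability x asset criticality.

    event = {"dst": target address, "vuln": vuln id the signature targets,
             "threat": 1..5}.  The product scale (max 125) is an assumed,
    illustrative scheme, not a vendor formula.
    """
    name, asset_crit = cmdb.get(event["dst"], ("unknown-asset", 1))
    vulns = {vid: sev for vid, sev in scan.get(event["dst"], set())}
    vuln_sev = vulns.get(event["vuln"])
    matched = vuln_sev is not None          # target really has this hole?
    score = event["threat"] * (vuln_sev if matched else 1) * asset_crit
    if matched and asset_crit >= 4:
        route = ["SOC", "NOC", "ITIL-ops"]   # matched vuln on a key asset
    elif matched:
        route = ["SOC"]
    else:
        route = []                            # not vulnerable: informational
    return {"asset": name, "matched_vuln": matched, "score": score, "notify": route}

EVENTS = [  # constructed IDS alerts
    {"dst": "10.20.1.10", "vuln": "VULN-A", "threat": 4},
    {"dst": "10.20.1.10", "vuln": "VULN-B", "threat": 5},   # asset not vulnerable
    {"dst": "10.20.3.50", "vuln": "VULN-A", "threat": 4},   # low-value, unscanned
]

def prioritized(events: List[Dict], cmdb: Dict = CMDB, scan: Dict = SCAN) -> List[Dict]:
    """Correlate every event and order by score, highest first."""
    return sorted((correlate(e, cmdb, scan) for e in events),
                  key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for gap in unreconciled_assets(CMDB, SCAN):
        print("reconcile:", gap)
    for row in prioritized(EVENTS):
        print(row)
```

The unscanned print server in the sample shows the reconciliation gap feeding the correlation gap: an asset missing from the scan can never produce a matched-vulnerability alert, so the reconciliation report is what keeps the scoring honest.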

nFX SIM One integrates with Network and IT Operations Center monitoring systems: selected events or incidents can be sent to end users for notification and analysis, and helpdesk ticket integration is provided with the major help desk vendors.

To provide segregation and integrity of incident management, nFX SIM One provides its own built-in Incident Management Resolution application, where security analysts can work on investigations without other operational users being able to access that information. nFX SIM One's incident management system can also be integrated two-way with OVO, letting operations staff and IT management know what state an incident is in and to whom it is assigned, at the request of the analyst or incident manager working on the incident at the time.

nFX SIM One allows the CIO, Risk Management, and the CISO the ability to jumpstart their information security program, reduce risks, and improve compliance.

NIST FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact or high-impact for the security objectives of confidentiality, integrity and availability. NIST SP 800-60 Volumes 1 and 2 provide the guidelines for the classification of mission area types.


The technology journalist John C. Dvorak is generally worth reading, whether or not you agree with his frequent, sweeping pronouncements and hyperbole. He wrote a recent column, "Why Tech Today is Boring." He makes a pretty good, if overstated, point about one of the rarely considered side effects of the knee-jerk Sarbanes-Oxley Act of 2002: that it killed the technology IPO, and with it, innovation:

The law killed the IPO market that innovative small companies used to get funding for continued growth. The only thing a small company could hope for was to be bought by Google or Microsoft.

This one law, which should be completely repealed, is responsible for everything bad that has happened in the technology world. The irony is that while decimating the scene to protect the public from corporate wrongdoing, it did nothing at all to protect the public or shareholders during the current financial worldwide collapse.

While I agree with his primary points, that SOX was the death knell of dotcom-era IPOs, that it has done little to protect us from anything, and that it has done more harm overall than good, I doubt SOX is truly responsible for "everything bad that has happened in the technology world."

One point we often make around here is that compliance should follow from security, but security does not automatically follow from compliance. In light of that, the one good thing I have seen from companies considering SIM and other security technology to achieve compliance (SOX, PCI, HIPAA, FISMA or any other acronym) is that some of the more forward-thinking ones use these systems to actually improve their security posture. It isn't innovative, and it isn't exciting, but it is a proper step for companies entrusted with our private data.

© 2010 netForensics, Inc