Recently in Information Security Governance Category


This morning I posted a link on our Twitter site to an article by Ross Anderson and Shailendra Fuloria, "Who controls the off switch?", on issues concerning the governance and security of smart meters. The article was referenced on one of the major SCADA security mailing lists.

The article points out concerns about cyber attacks by international criminal organizations and military initiatives of foreign nations causing massive blackouts, and describes some ways of mitigating those risks.

The article raises another interesting point about the use of cryptography and key management: how will keys be managed on hundreds of millions of smart meters, whether with pre-shared secrets or a PKI infrastructure? How will new keys be added for new energy companies? How will the keys be changed?

There is some new work being done by the OASIS group on key management. The OASIS KMIP Key Management project may be one of the centerpieces for offering interoperability across a "Trans-Smart Grid". A 2009 presentation by the University of Colorado also lists KMIP as key to interoperability. The Colorado University presentation by Dr. Edward Chow goes on to show the complexity of monitoring attacks across the trust relationships of the various parts of the infrastructure, including "Fake ID Hijack Station", "Jamming Wormhole Attacks" and "Meter Database Tampering", from insider attacks to external attacks, and the correlation of events moving through these trust relationships.
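As an added illustration of the key-management questions raised above (this is not code from the Anderson and Fuloria paper, from OASIS KMIP, or from the Colorado presentation), the Python below sketches one way a utility head-end could derive a distinct key for each of millions of meters from a versioned master key, authenticate an off-switch command so that only the addressed meter under the current key version will act on it, and rotate keys with a one-version overlap so that a new key version can be rolled out without reprovisioning every meter at the same instant. The HeadEnd and Meter classes, the HKDF-style derivation, the command names and the meter IDs are all constructed assumptions for the example.

```python
"""Per-meter key derivation, command authentication and key rotation (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def derive_meter_key(master_key: bytes, key_version: int, meter_id: str) -> bytes:
    """Derive a per-meter key from a utility master key (HKDF-style extract/expand
    built on HMAC-SHA256). The meter never holds the master key, so compromising
    one meter does not expose the keys of any other meter. Assumption: meter IDs
    are unique within the utility."""
    prk = hmac.new(b"meter-key-derivation", master_key, hashlib.sha256).digest()
    info = f"smart-meter-v{key_version}:{meter_id}".encode()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def sign_command(key: bytes, key_version: int, meter_id: str, command: bytes) -> bytes:
    """MAC over meter ID, key version and command: a tag captured for one meter
    or key version does not verify for another meter or version."""
    msg = meter_id.encode() + b"|" + key_version.to_bytes(2, "big") + b"|" + command
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class HeadEnd:
    """Utility head-end (constructed): master keys stored by version."""
    master_keys: dict = field(default_factory=dict)
    current_version: int = 0

    def rotate(self) -> int:
        """Create a new master key version; older versions stay available for provisioning."""
        self.current_version += 1
        self.master_keys[self.current_version] = os.urandom(32)
        return self.current_version

    def provision(self, meter: "Meter") -> None:
        """Push the meter's key for the current version (assumed to ride on a channel
        authenticated under the meter's previous key, which is not modelled here)."""
        v = self.current_version
        meter.install_key(v, derive_meter_key(self.master_keys[v], v, meter.meter_id))

    def command(self, meter_id: str, command: bytes) -> tuple:
        """Build (version, command, tag) for one meter under the current version."""
        v = self.current_version
        key = derive_meter_key(self.master_keys[v], v, meter_id)
        return v, command, sign_command(key, v, meter_id, command)


@dataclass
class Meter:
    """Meter side (constructed): keys by version, rejecting retired versions."""
    meter_id: str
    keys: dict = field(default_factory=dict)
    min_version: int = 0
    state: str = "on"

    def install_key(self, version: int, key: bytes) -> None:
        self.keys[version] = key
        # Keep exactly one older version during the rotation overlap, drop the rest.
        self.min_version = max(self.min_version, version - 1)
        for old in [v for v in self.keys if v < self.min_version]:
            del self.keys[old]

    def handle(self, version: int, command: bytes, tag: bytes) -> bool:
        """Verify the tag before acting; return False on unknown/retired version or bad MAC."""
        key = self.keys.get(version)
        if key is None or version < self.min_version:
            return False
        expected = sign_command(key, version, self.meter_id, command)
        if not hmac.compare_digest(expected, tag):
            return False
        if command == b"DISCONNECT":
            self.state = "off"
        elif command == b"CONNECT":
            self.state = "on"
        return True


if __name__ == "__main__":
    head = HeadEnd()
    head.rotate()
    meter = Meter("M-0001")
    head.provision(meter)
    off = head.command("M-0001", b"DISCONNECT")
    print("disconnect accepted:", meter.handle(*off), "state:", meter.state)
    print("tampered command accepted:", meter.handle(off[0], b"CONNECT", off[2]))
    head.rotate(); head.provision(meter)   # v2: v1 still accepted during overlap
    head.rotate(); head.provision(meter)   # v3: v1 retired
    print("stale v1 command accepted after two rotations:", meter.handle(*off))
```

The overlap window is what lets a fleet of meters be rotated in batches: a meter that has not yet received version N+1 still accepts version N, while a command signed under a version two rotations old is refused even if its tag is valid.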

The second paper from Ross Anderson and Shailendra Fuloria, also referenced in "Who controls the off switch?", is "On the security economics of electricity metering". This is an excellent paper that not only provides insight into the history of distributed power but also points out the complexities of providing modern-day Smart Grid technologies, not only from a technological perspective but also from a competitive analysis of the struggle for dominance within the distribution system, both nationally and internationally, together with a warning, by comparison with what happened at Enron, about what follows when governance is not properly applied.


Not so long ago, I remember that talking about information security management raised a lot of eyebrows; it was something of a black art, kind of like UNIX administration.
But in today's world, cyber security has recently received enough attention from the White House, Congress, the military and law enforcement, not only in the U.S. but across the globe, that discussing the need for cyber security and information security management in the public and private sectors is no longer considered a foreign topic or a dark black art. The discussions of Risk Management and Information Security Management are now an interwoven fabric within IT frameworks such as COBIT and ITIL.

At the NJTC meeting yesterday at the Forsgate Country Club, we had a diverse group of parties interested in our solutions to support their Information Security Management Program, from audit and financial executives to IT management. Our solutions provide a means to help IT and data owners identify the threats and risks to their business processes in these times of round-the-clock international electronic business transactions. Situational awareness of today's highly complex distributed IT service environments is no longer simply a nice-to-have but a necessity for the survival of digital business transactions against a world of distributed botnets and pre-zero-day vulnerabilities.

I would like to thank the NJTC for giving us the ability to reach out to so many different businesses operating across the State of New Jersey, and those who stopped by simply to hear what our solutions have to offer their business services.



netForensics CEO Dale Cline Named to Rutgers University's CEO Roundtable

President and CEO Dale Cline has been named to Rutgers University's CEO Roundtable. Cline, one of just a handful of technology leaders selected to the roundtable, joins forty other CEOs and corporate leaders throughout the tri-state area. "We are very excited that Dale Cline has decided to participate in this roundtable," said Michael Pazzani, Vice President of Research for Rutgers University. "Dale's impressive experience in the technology industry and as a leader of one of the foremost security information management companies in the world is of great value to our community and to our students. We look forward to his feedback and expertise."




In the article below, Microsoft reviews the Waledac botnet takedown and mentions a number of botnet shutdowns that have recently taken place. The article also mentions sudosecure.net, a Waledac tracking site.

The article goes on to talk about Operation 49, a botnet takedown task force, described as an "innovative application of a tried and true legal strategy".

"On February 22, in response to a complaint filed by Microsoft ("Microsoft Corporation v. John Does 1-27, et. al.", Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot."

"This legal and industry operation against Waledac is the first of its kind, but it won't be the last."


Microsoft TechNet on the Waledac takedown




The overall theme this year at the RSA 2010 Conference in San Francisco was information security in cloud technologies: how to keep the cloud from raining on everyone's parade. The article I am highlighting in this blog, "Research Challenges in Enterprise Cloud Computing", puts it this way: "It is important to highlight cloud computing research challenges from an enterprise perspective because cloud computing is not simply about technological improvement of data centers but a fundamental change in how IT is provisioned and used."

Another interesting insight in this article is its inclusion of Nicholas Carr's book "The Big Switch: Rewiring the World, from Edison to Google", noting that in the early 1900s companies maintained their own power plants even though that was not their main expertise, and that companies today maintain their own data centers even though that is not their primary expertise. It is interesting, though, that last week's CBS 60 Minutes broadcast covered how cloud computing providers are leading the way in building their own green-technology power plants.

The effects on IT and security roles, in their relationships with the user community and service providers, will continue to evolve. IT departments must make sure their cloud services can be migrated or failed over between service providers should one cloud service provider go out of business, and must address certification, interoperability and APIs between cloud vendors, as well as SLA management, privacy rights protection and intellectual property protection. It is not clear "whether a cloud will be considered to legally be in one designated location [...] or in every location that has a data center that is part of the cloud".

These research challenges are interdisciplinary in nature, and there is a need for more co-operation between researchers, cloud users, and service providers.


REF:

Research Challenges in Enterprise Cloud Computing




According to the New York Times Bits section, Intel and Google were under "sophisticated" cyber attacks in around the same time frame. Intel reports that although the events were close in time, they were unrelated. The cyber attacks against Intel were reported in its annual report to the Securities and Exchange Commission. Intel reported that it did not suffer a widespread attack and that no intellectual property was exposed.

On 2/20 the New York Times reported that two Chinese universities were involved in the attacks against Google and other corporations; since then the universities have denied any involvement in the attacks. "It was not until 2006 that our graduates began to join the army. So far, 38 students have been recruited by the military for their talent in auto repair, cooking and electric welding," said Zhou Hui, director of Lanxiang school's general office. He disputed claims in the New York Times article, which cited anonymous officials from the US National Security Agency, that there was a link to a computer science class taught at the school by a Ukrainian professor.

In other news, Telegraph.co.uk reported that cyber attacks in 2009 cost on average 1.2 pounds a year.


Last October we published information regarding a report by Northrop Grumman, a study done for the U.S.-China Economic and Security Review Commission, that describes similar tactics. (Thank you, Niels Groeneveld of "Operation Aurora", for reminding me about the relationship.) If you have not read the Northrop Grumman report, it is an interesting read on the social and economic effects of this type of behavior.


Developing an Information Security Privacy Schedule for Service Provider Transactions by David Navetta.

This article points out the need for customers to develop Information Security and Privacy Schedules as part of their service provider agreements. As more and more of our information technology and information security moves to outsourced technologies, customers need to be aware that not only are they still responsible for the privacy and security of their data, but they may also be taking on the risks that come with relying on the service provider's information security environment.


"The Customer should think of the Service Provider's security as an extension of their own internal security." IT Services and Information Security Management must take ownership of how the trust relationships with their service providers are handled and how those relationships may impact the business should the service provider be compromised or suffer a breach.

In David Navetta's closing statement, he mentions the impact of incidents, not from the initial impact of the exploitation of an exposure but from the after-effects concerning liability and reputation damage: "First, it is not unusual for a security incident to yield "consequential damages" in addition to "direct damages," including loss of profits, lost customers, attorney fees, breach notice costs and other similar costs. If the overall contract contains a consequential damages disclaimer, the Customer should endeavor to get an exception for consequential damages arising out of a security incident and/or breach of the Schedule."

The credibility and reliability of your information security program is now an integral part of the stability and reputation of the business, along with how well you maintain the trust relationships with your business partners and service providers, which are now part of your extended business and control environment. The days of IT involving a few core services are gone; they have been replaced by data moving in and out of the environment for outside processing and storage, site-to-site VPNs, international privacy and security laws covering internal and external data, and the rise of "cyber insurance". David's article covers a wide variety of suggestions for what can be included in the Security/Privacy Schedule in contractual agreements with service providers.



Yesterday at the Security Awareness for 2010 ISACA meeting in Philadelphia, John Raezer delivered a welcome presentation on Risk Management Effectiveness.

Information Technology and Information Security Management must understand the business model: what are the key assets, what are their exposures and vulnerabilities, and, should a threat materialize, what would the outcome be? It is not only the identification or recognition of an incident that matters, but its root cause and contributing factors, and how that information gets included in or relayed back to business intelligence. What is the distribution of events, not only in near real-time but historically: their severity, impacts and risk response, what policies and procedures were used in containment, mitigation and follow-up, what the contributing factors were, and who owns the risk relationships?

In his example of why frameworks such as Basel, COSO and COBIT are so important, the factor with the greatest effect on corporate reputation with business partners, customers and suppliers was accounting irregularities. By far, accounting irregularities carried the highest corporate reputation risk of affecting your business with suppliers, business partners and customers; he cited some recent banking incidents as examples of customer and partner distrust.

He also spoke of the need to study and understand which disruptive technologies will have an impact on business processes, how many industries are using chaos theory for risk assessment, black swan events (the unexpected unexpected), and how we must understand the language of risk, not only in the physical world but in the virtual world; he believed that eventually there will be Risk Management Accounting.

If you get a chance to read his presentation or see him speak on the value of risk management in the enterprise, it is well worth the time.


netForensics will be at HP Universe in Hamburg, Germany this week.

From December 16th through the 18th at HP Universe 2009 we will be featuring how our Information Security Management tools integrate with HP uCMDB and HP Operations Center Management. IT enterprise frameworks, including the OGC's ITIL v3 and ISACA's COBIT 4.1, call for Information Security Management, Change Management, and Service Asset and Configuration Management processes to be implemented across the ITIL Service Lifecycle: Service Strategy, Service Design, Service Transition and Service Operation.

nFX SimOne allows Information Security Management and Operations Management to be closely aligned throughout the Service Lifecycle. By integrating HP uCMDB, HP Operations Manager (OVO) and Information Security Management (SIEM) tools, organizations gain a common view of the relationships among hosts, host resources and applications, together with an automatic change history. This common view of the Service Design and its control environment allows Information Security Management to create effective event correlation scenarios based on the enterprise framework and business processes, providing effective event management and incident management.

HP UNIVERSE HAMBURG GERMANY 2009


The mission and function of the task force will be to provide advice to the Attorney General for the investigation and prosecution of cases of bank, mortgage, loan and lending fraud; securities and commodities fraud; mail and wire fraud; retirement fraud; tax crimes; false claims; unfair competition; discrimination; and other financial crimes and violations.

Federal Register Executive Order 13519--Establishment of the Financial Fraud Enforcement Task Force

Bankinfosecurity.com's article outlines the comments made by the Attorney General's Office:

"That the nation faces unprecedented challenges in responding to the financial crisis that has gripped the economy for the past year. Mortgage, securities and corporate fraud schemes have eroded the public's confidence in the nation's financial markets and have led to a growing sentiment that Wall Street does not play by the same rules as Main Street."

The recent Brazilian power outage events show that even an implied weakness in the controls of critical infrastructure could be used to destabilize financial markets, subverting the controls that are involved in financial trading. There have been conflicting reports about whether the outage was caused by an attack on the controls of its dam systems. Employees and contractors of the system complained that their paychecks and statements had been modified to include a message from the attackers.

With all of this talk of financial fraud and critical infrastructure vulnerabilities, I could not help but be reminded of the 1983 movie Superman III, in which Robert Vaughn's character says, "Computers rule the world today and the fellow that rules the computer, rules the world," and Richard Pryor hacks into secret defense systems to ruin the coffee crop for the next 5 years (Superman III: Tornado Scene).

While it all may seem very tongue in cheek and somewhat unrealistic, the simultaneous collapse of the financial markets due to fraudulent transactions, combined with the failure of major SCADA systems, would have a serious effect on a nation's stability. In 2002 the U.S. Naval War College conducted a study that concluded it would probably take about 5 years and cost about 290 million dollars to plan a significant electronic attack.

Digital Steganography: The advantage of steganography over cryptography alone is that messages do not attract attention to themselves.

Infosectoday's article "Digital Steganography: Threat or Hype?" by James E. Wingate, in summary: use of steganography will never be detected if no one ever looks for it.

Oct 24, 2008 - "Futures halted as trading enters 'panic mode'", The Financial Post

© 2010 netForensics, Inc