Month: October 2004

Whether the Security Assessment is driven by an audit requirement, due-diligence or a compelling event, it is highly likely that there will be a requirement for a third party to conduct the work. Furthermore, the findings and advice identified as a result of the work may need to satisfy internal or external auditors, the board or shareholders. As such, it is clearly important that the style and content of the assessment, those performing the work and the deliverables (i.e. the reports) satisfy the technical requirements set down.

Perhaps more importantly, they must also reflect a business understanding within the context of the project, and be able to present and articulate this to technical and non-technical target audiences.

Business demand has grown alongside the proliferation of information regarding vulnerabilities, their exploitation and remediation. Corporate Internet presence has developed from simple, static brochure sites to increasingly complex interactive applications allowing potential customers and partners alike to delve into the data and systems at the heart of the enterprise.

The requirement may be for a security health check of the underlying infrastructure, comprising vulnerability identification and analysis within the publicly available shrink-wrapped devices and software. This could be a full proprietary web-enabled application allowing users to initiate transactions, accessing and modifying back-end data, for example Internet Banking. It may also be a small collection of scripts handling customer contact or queries, or the configuration of a document presentation and content management application. For example, the site could be enabled for mobile access, wireless technology may be deployed, integrated Voice and Data systems; all presenting new security risks.

It’s important to keep sight of what we are trying to achieve and protect through the assessment – generally the objective is to safeguard the core intellectual and electronic assets of the organisation, and to ensure compliance with regional and global, IT and data safeguard laws such as the UK DPA, US HIPAA, ISO17799 etc.

The Security Assessment industry has grown rapidly, and clients are now presented with a bewildering array of vendors offering services. Unfortunately, the development of practical and appropriate standards and accreditations has lagged behind. Because of this it is imperative to consider whether the prevailing standards are suitable or appropriate for your requirements.

Look for
– Methodologies: Compliance with formal methodologies helps ensure that an assessment is both repeatable and of a consistent standard.
– Certifications: Organisational and individual certifications are also useful in gauging whether a supplier is qualified to satisfy the testing requirements. As although some certification schemes apply to the organisation as a whole, they are typically focussed on the individual team members.
– Standards: There are a number of standards and acts relating to general Information Security, including industry specific schemes. These include ISO17799, the UK Data Protection Act, the US Health Insurance Portability and Accountability Act (HIPAA), VISA and MasterCard schemes.

Conclusions
Third party validation of organisations’security is becoming more prevalent (and indeed required), through security assessments. In order to ensure that testing is of the required quality and depth, clients must ensure their suppliers are able and qualified on a number of levels. This can in part be achieved by ensuring the methodologies in use are compliant with, and ideally exceed, those in the public domain.

http://www.ebcvg.com/articles.php?id=273

Offenders who use spyware to commit other crimes such as stealing user’s credit card details, or computer cracking, could be sentenced up to five years of jail.

The legislation authorises the US Department of Justice to spend $10m targeting organisations which sneak rogue programs on users’ PCs without their consent.

As well as spyware, the bill also targets people and organisation responsible for launching “phishing” attacks.

http://www.xatrix.org/article3671.html

The SANS list is compiled from recommendations by leading security researchers and companies around the world, from institutes such as the National Infrastructure Protection Center and the U.K.’s National Infrastructure Security Coordination Centre.

The Top-20 is actually two lists of 10: the 10 most commonly exploited vulnerabilities in Windows, and the 10 most commonly exploited vulnerabilities in Unix and Linux.

Many of the vulnerabilities have made the list before, but there were some surprises this year, according Ross Patel, director of the Top-20 list. As with IM, file-sharing applications are simple and operational in nature, and security concerns are often overlooked, Patel said.

“Hands down, Web browsers for Windows were the topic that caused most of the harm, pain and passionate debate for experts from every continent,” Patel said. With the number of vulnerabilities in Microsoft Corp.’s Internet Explorer browser prompting some security experts to suggest earlier this year that users switch to other browsers, list contributors were left wondering whether they should recommend the same, Patel said. However, they finally decided that the move was too much to ask and that they should endorse securing whichever platform a user chooses.

According to Gerhard Eschelbeck, chief technology officer at network security firm Qualys Inc. and a list contributor, the Top-20 is widely used by organizations as a security benchmark.

http://www.computerworld.com/securitytopics/security/story/0,10801,96516,00.html