Month: August 2005
Gartner’s latest on tablet PCs, social tagging, and other emerging technologies
First a good analogy: “In the history of business and consumer use of the Internet, the vast majority of security approaches have relied on customer premises equipment — security hardware and software at the edge of every business or on the PC of every consumer. This is the equivalent of the water company telling you to put water purifiers onto the water pipe into your house because it is sending you many poisonous substances mixed into your water.”
Despite usability and liability obstacles, few would argue that “immunizing” the network for cyber threats this way doesn’t make sense.
New security breaches disclosure law
It also helps protect consumers by giving them the information they need to head off possible identity theft when sensitive details such as Social Security, driver’s license and credit card numbers become exposed.
The Information Security Breach and Notification Act in New York is broadly similar to security breaches laws enacted in California more than two years ago.
Legislation requiring consumer notification of data security breaches has been approved in at least 15 states since then.
New York’s decision to go ahead with its legislation follows a series of high profile consumer data security breaches involving US firms including data mining firm ChoicePoint, payment processing firm CardSystems Solutions and others.
New law may tighten power plant security
Part of the 1,724-page energy bill that President Bush signed last week calls for federal bureaucrats to create an “electric reliability organization” that would draft mandatory standards–including cybersecurity guidelines–for electric power system operations.
The Federal Energy Regulatory Commission, or FERC, would be tasked with setting standards to prevent system instability or failures that can be tied to a “sudden disturbance, including a cybersecurity incident.”
FERC may impose penalties for violations and has 180 days to begin the process of certifying the reliability organization.
The new regulations come about three months after a Government Accountability Office report cited “a general consensus–and increasing concern” among officials that systems controlling utility infrastructures face real threats of attack.
A visit from the Slammer worm, for instance, may have been in part to blame for failures at a nuclear power plant in 2003, the report said.
And in March, electric industry security consultants reported numerous intrusions into control systems.
No serious damage was done, they said, but the activity “heightened concerns” about future foul play.
One of the reasons why the control systems are so vulnerable is that they’re increasingly being connected to private networks that use the Internet, so that they can be managed remotely, the GAO report said.
The current computer system used by utilities and public transportation facilities was not designed with the Internet in mind, said Clarence Morey, senior manager for product strategy at Internet Security Systems, a company that counts public utilities among its clients.
“As companies connect these systems to the Net to allow remote access or drive efficiency, they’re opening themselves up to risk,” Morey said.
Morey said his company supported the new legislation, adding that a “three-legged stool” composed of technology, legislation and good policy is the way to fend off attacks.
Right now, no mandatory cybersecurity standards exist for power grid operators, but many of them adhere to voluntary ones set by the North American Electric Reliability Council, said council spokeswoman Ellen Vancko.
The council, which first adopted 24 pages of cybersecurity guidelines in 2003, is on its third draft of permanent, “more defined” standards, she said.
Vancko said she expects that FERC will certify the council as its official Electric Reliability Organization.
The U.S. Department of Energy has already designated the council as coordinator of infrastructure protection for the electric sector, and the council works closely with Homeland Security.
FERC did not return calls for comment on Tuesday.
“We pushed the legislation through, and we’re the only entity out there developing reliability standards,” Vancko said.
“So we’re really the only entity out there qualified to perform such a role.”
US-Cert report on spyware
Starting on page 10 defensive measures are outlined, emphasizing education and awareness.
It notes that social engineering is a major means of distributing spyware by tricking users into downloading and installing malware.
If I had to pick the single most important recommendation in the list, it would be to keep your operating system and software patched, including updating Windows XP to Service Pack 2.
A lot of spyware and malware is being spread through exploits.
Much of this can be prevented by keeping Windows updated and avoiding high risk sources, as stated in the first recommendation.
Porn sites and sites with illegal content, cracks, hacks and warez, are usually the worst offenders.
Lyrics and wrestling sites are also known offenders.
The report includes references that are also excellent sources of more information.
Repositioning the CISO
Problem: Organizational Roadblocks Most organizations view the CISO not as a security and risk manager, but as a manager of security assets, like firewalls, intrusion detection/prevention systems, and incident response capabilities.
According to the 2004 CSO Security Sensor Survey, 38% of respondents place the CISO in the IT chain of command, reporting to the CIO, whose primary responsibility is to maintain the availability of information systems. This placement hinders the CISO’s effectiveness and limits his or her ability to implement change, for a couple of reasons. Security’s message doesn’t reach senior business leadership.
When the CISO reports to the CIO, a primacy is established. Operational responsibilities take priority over strategic planning. Particularly when threats may cause business disruption, tactical issues take precedence over longer-term planning. It is easier to buy and implement firewalls and intrusion detection systems than to develop security policies and implement a sound awareness program.
Without long-term planning, the organization will remain trapped in the patch-and-pray scenario.
“Ideally, the institution should separate the information security program management from the daily security duties required in IT operations. The senior information security officer should be an ‘enterprise’ risk manager rather than a production resource devoted to IT operations. To ensure independence, the information security officer should report directly to the board or senior management rather than through the IT department” (FFIEC Information Technology Examination Handbook).
Firms who take this approach will realize new benefits from their CISOs. IT-independent CISOs can frame security in terms of business issues rather than IT projects.
A traditional security manager’s explanation of the recent ChoicePoint fraud case might sound like this: “The server’s verification and authentication processes for the client Web portal were ineffective, thereby facilitating fraudulent access to sensitive back-end systems and personally identifiable data.” When framed in terms of business issues: “The trust model used by ChoicePoint failed in such a way as to compromise the company’s most vital assets.”
A trust model establishes the standards by which an organization determines who to trust with its assets.
Organizations have several options as to how to reposition the CISO. They can combine information security with physical security and elevate the senior security officer to CSO, reporting directly to the CEO. The CSO Security Sensor Survey indicates that 34% of its respondents have implemented this change, up 15% from the previous year. By combining physical and cyber security under one executive, the organization gains a holistic view of potential threats and the associated vulnerabilities.
Elevating the chief security executive to CRO-chief risk officer-makes sense in medium to small enterprises where key executives often assume multiple roles. The benefit in this approach is that the CRO considers areas of risk beyond those dealt with by a CSO or CISO.
A second compelling reason for many CISOs’ lack of success is their inability to establish a credible economic basis for security investments and to assess information security relative to business initiatives. Much has been said about return on security investment (ROSI) and security metrics. At first glance, metrics seem to be the Yellow Brick Road to the boardroom. However, the CSO Security Sensor Survey reported that 34% of respondents did not use ROSI and had no intention to do so. The problem with ROSI is that its components are too subjective. Right now, there is no standard, statistically valid method of measuring ROSI. Some CISOs are using “homemade” formulas to calculate ROSI, but without sound standards and appropriate rigor, these calculations are not worth the time it takes to create them.
Solution: Use a Standard, Valid, Reliable Metric Be cautious of traditional security metrics, such as “total number of incidents reported.” When you add more firewalls, the number of incidents reported goes up, not down. Associative-Based upon a best practice or security model that enables comparison within the organization, within the industry, or across industries. One way to achieve an associative metric is to use ISO-17799 as the template for your security program. ISO-17799 is a comprehensive set of controls utilizing the best practices in information security.
http://www.securityinfowatch.com/print/Security-Technology-and-Design/Homeland-Security/Repositioning-the-CISO/4789SIW2