Category: Uncategorized

Chris Farrow, director of the center for policy and compliance for Configuresoft, says the creation of a security benchmark for virtual machines began last year.

Some large financial firms were retooling their data centers with virtualization, and they urged CIS to consider addressing virtual machine security as well.

“We found that no one was building a best-practices [model] for securing the virtual infrastructure,” says Farrow, who works with the CIS, which is made up of vendors, universities, consultants, government agencies, and enterprises.

Configuresoft is among the organizations working on the security benchmark, which will include benchmarks for specific virtualization software, including VMware’s ESX Server, Microsoft’s Virtual Server, and Xen Virtual Machine. To prevent malicious activity from a “guest” virtual operating system, for instance, the benchmark recommends disabling the copy-and-paste operations between the guest OS and the remote console, says Joel Kirch, information assurance programs manager for WBB Consulting and a member of the CIS team working on the virtualization benchmark.

http://www.darkreading.com/document.asp?doc_id=130189&WT.svl=news2_1

When asked this, many independent observers – former CSOs or consultants working with CSOs – offer a different perspective. They think security pros need to worry more about retaining the best staff and should be careful not to become too consumed with regulatory compliance.

What has security pros worried?Michael Barrett, CISO at eBay money-transfer service PayPal, says there is always an undercurrent of panic in the event that something blows up. “Most datacenters are held together by sheer heroic effort,” he says. Because PayPal is a global company, Barrett says he worries whether the company has the right interpretation on legislation and regulation related to data privacy around the world and the right controls in place. His long-range concerns have him asking questions such as: In terms of stopping criminals and attackers, do we have the right investment mix and the right set of projects?

Adam Hansen, the IT security chief at Sonnenschein Nath & Rosenthal in Chicago, says his main worry is data privacy and the possibility of a data breach. The creative content, whether pre- or post-production, is held in film canisters and digitally on servers, and Technicolor guards it through tight physical and IT security.

Risk management can sound like a “Mission: Impossible” episode in large organizations with many lines of business, tens of thousands of employees, and lots of applications and networks to keep an eye on.

“I’m always on call,” says Jalal Zamanali, senior vice president of IT and CISO at Temple-Inland in Austin, Texas, and its subsidiary Guaranty Financial Services, with combined interests in corrugated packaging, forestry, real estate, and financial services. Although he has a security staff of 17 to stay abreast of IT projects, Zamanali says his top concern is making sure security controls are on track in terms of regulatory compliance rules related to the SOX (Sarbanes-Oxley) and Gramm-Leach-Bliley laws. “The chief audit officer has to translate these laws into control points,” Zamanali explains. Consequently, Zamanali – who reports to the chief risk officer – makes sure he meets with the chief audit officer about once a week to discuss compliance issues.

Beth Cannon, CSO at merchant bank Thomas Weisel Partners in San Francisco, says audits to provide evidence that security policies are enforced in IT systems and processes are her main worry.

What CSOs should be worrying aboutConsultants and other industry experts don’t dismiss the issues that CSOs and CISOs are worrying about, though they recommend a host of things that might warrant even more of security professionals’ attention. CSOs should worry about losing their jobs because all too often their stance on security is seen by upper management as overly technical or a bad fit, says Jon Gossels, president and CEO of consultancy SystemExperts in Boston.

Brad Johnson, vice president at SystemExperts, say one key worry that CSOs should have is where and how they’re going to find and retain the best security-savvy employees.

Zeitler, whose 30-year career included positions as CISO at Volkswagen Credit and head of security at Charles Schwab and Fidelity Investments, says a top concern for CSOs should be whether they can find personnel with the right skills at the right price. He points to computer forensics, which requires people trained in procedures to capture potential evidence and preserve it appropriately, as an example.

What to do about compliance Howard Schmidt, the former security chief at eBay and Microsoft and former White House cybersecurity advisor, says there’s no doubt that regulatory-compliance issues are going to be a top worry for the CSO or CISO.

http://www.infoworld.com/article/07/07/24/security-standard-01_1.html

While many criticize FISMA for being all documentation and no action, the law simply emphasizes the need for each federal agency to develop, document and implement an organizationwide program to secure the information systems that support its operations and assets. NIST SP 800-53, Recommended Security Controls for Federal Information Systems, describes log management controls including the generation, review, protection and retention of audit records, plus steps to take in the event of audit failure. It describes the need for log management in federal agencies and ways to establish and maintain successful and efficient log management infrastructures — including log generation, analysis, storage and monitoring.

NIST 800-92 discusses the importance of analyzing different kinds of logs from different sources and of clearly defining specific roles and responsibilities of those teams and individuals involved in log management.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security standards for health information.

NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule, details log management requirements for the securing of electronic protected health information.

The Payment Card Industry Data Security Standard (PCI-DSS), which applies to organizations that handle credit card transactions, mandates logging specific details and log review procedures to prevent credit card fraud, hacking and other related problems in companies that store, process or transmit credit card data.

Logs, which by nature allow for tracking IT infrastructure activity, are the best way to assess if, how, when and where a data breach has occurred. The major effect the age of compliance has had on log management is to turn it into a requirement rather than just a recommendation, and this change is certainly to the advantage of any organization subject to these regulations. It is easy to see why log collection and management is important, and the explicit inclusion of log management activities in major regulations like FISMA, HIPAA and PCI-DSS highlights how key it truly is to enterprise security as well as broader risk management needs.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027080

The problem, Oltsik says, is that although enterprises are mostly satisfied that they are keeping their IP safe, they are mostly dissatisfied with the amount of time and effort they have to expend to do it. “The bad guys want to steal what they can sell, and often, that’s a company’s IP.”

As a result, upcoming spending on intellectual property security will probably be geared toward automating the IP discovery, classification, and protection processes, Oltsik suggests.

http://www.darkreading.com/document.asp?doc_id=127306&WT.svl=news1_4

Lost data includes customer, financial, corporate, employee, and IT security data that is stolen, leaked or destroyed. Loss of sensitive, confidential corporate data can also give a rival company a competitive advantage. It might, for example, include results of market research, competitive intelligence analysis of another company, research and development results, financial information, or a list of possible staff redundancies.

“In most organisations, the most sensitive information is in emails,” says Milton Baar, the director of IT Security consultants Swoose Partnership, and committee member of the ISO 27001 international security standard for information management. Mr Baar says three factors should be considered in assessing data loss: confidentiality, integrity, and availability. The integrity of data is maintained by ensuring that information is changed only by those allowed to do so, but organisations also need to make sure that data can be accessed when it is required. Confidentiality is often breached when emails are sent, accidentally or intentionally, to people who should not be seeing them, or when emails are sent before information should be made public.

Mr Baar says staff should be trained in the use of email, helping them understand what information is sensitive. “Have black and white lists, where the server stops sending out and/or receiving emails to or from certain places,” he says. “Have word searches in outbound emails to ensure that sensitive information isn’t disclosed, accidentally or intentionally. Mark the information physically or electronically with its security classification.” Attachments could be protected from email disclosure by having Access Control List entries that allowed them to be sent or blocked depending on the classification and destination of the information, he says.

Cybertrust security consultant Andrew Walls says that the “number one issue” for organisations is classification of their data. Is it important that some data remains confidential no matter whether its integrity is critical or how important it is to have the information readily accessible.

“The critical thing is for business to say what is important, then apply security controls. What role does the data play in an organisation’s plans, including its profitability? At a simple level decide what is a secret, and what is not. If it is a secret, talk to us before accessing it or publishing it,” Mr Walls says. “Don’t expect the IT security people to make these decisions; classifying the data is a business decision.”

Mr Walls says the Australian Government has five tiers of classification: public data, internal use only, confidential, protected and highly protected. At each tier a decision is made on how important are confidentiality, integrity and availability. Mr Baar says the proper use of information standards, such as AS/NZS4360, a risk management standard, would provide a much better basis for decision making. “Poor risk analysis means that the real risks, likelihoods and consequences are not known in detail, therefore the real losses are also unknown,” he says.

Symantec systems engineering manager Paul Lancaster agrees that compliance is not just about the data, but its integrity and availability. Compliance means adhering to regulations that affect a business and what that means for its data storage systems. “Data loss occurs when it can’t be accessed,” says Mr Lancaster. “Organisations have their own products and services they deliver as a business and the data behind that is key. Not having the ability to obtain data to show the public that their data is intact, with no integrity loss, can be detrimental to a business.”

Backing up is one obvious strategy, but how many organisations do this critical task properly? MR BAAR says most hospitals in NSW have multiple secure systems, with servers in two locations to keep patient records secure.

For example, witness protection program lists are closely guarded, and kept on a computer system accessible to only a few, not including the systems administrator. It has Defence Signals Directorate (DSD) certification for its internet gateway service for Australian Commonwealth customers.

Pharmaceutical companies have high security networks, cut off from all other networks. They encrypt their entire networks, “down to the hardware,” Mr Walls says.

Identity theft is a more common problem in Australia, Mr Lancaster says, with fraudsters trying to access laptops and servers to get credit card details or personal information. Employees may have ASIO checks and security clearances for their staff but what about the cleaning staff?

http://www.theage.com.au/news/security/plug-the-holes-in-your-cone-of-silence/2007/05/28/1180205158743.html

Most recently updated in September, the PCI standard requires, among other things, firewalls, the encryption of cardholder and other sensitive data sent across public networks, and restrictions on physical access to cardholder data.

Still, he estimates 70% of companies who are obligated by compliance regulations to have PCI — and who would face fines and cur penalties for non-compliance — have PCI in some form today, and are heading toward full implementation.

To counteract such attitudes, Visa, one of the backers of the PCI standard, has embarked on a carrot-and-stick approach with merchants, rewarding those who comply, and threatening financial penalties and other consequences to those who don’t.

http://www.darkreading.com/document.asp?doc_id=124780&f_src=darkreading_section_318