Category: Uncategorized

“Regulations recognize you can’t protect yourself from everything,” Proctor told delegates at Thursday’s Information Security Decisions conference.

But, he acknowledged, their built-in flexibility also can work against an organization if controls aren’t mapped to a proactive, process-oriented security program based on an ongoing risk assessment.

Corporate governance-oriented SOX, which holds public companies’ top executives accountable for internal data controls, is especially vague on security.

The real deal with Sarbanes-Oxley: Perspectives for the security manager Delve below the surface and examine how SOX applies to the work done by the security manager.

Companies that must meet multiple regulatory laws should find common denominators and then roll out a security program based on the general legal requirements, such as record-keeping, incident reporting and following best practices.

Build a defensible case for anyone likely to challenge those controls, such as data owners and both internal and external auditors who ultimately decide who is and isn’t meeting security and privacy guidelines.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1013875,00.html

PLCs are microprocessor-based systems programmed to make the timing and control decisions in machine automation that once required arrays of electromechanical relays.

On older systems, PLCs communicated over RS-232 serial lines — slow going, but relatively secure. But modern PLCs can plug right into a plant’s Ethernet, exposing them to whatever threats lurk therein.

Coming from an IT environment, Cupps hoped to find that the control systems at his company’s plants were protected by at least as much security as a Windows desktop. The controls systems at Cupps’ company are made by Rockwell Automation, but Cupps hastens to point out that the absence of authentication on PLCs is an industrywide problem, and not at all limited to one particular vendor.

Other experts agree, and say the root cause is historical: the control systems rely on protocols and industry standards that were built for dedicated serial lines – not shared TCP/IP networks.

“It’s script kiddy material to control PLCs,” says Eric Byres, a researcher and critical infrastructure security specialist at the British Columbia Institute of Technology (BCIT).

The implications are disturbing to Byres and Cupps; in factories across the globe PLCs control pumps, conveyer belts, paint sprayer booths, welding machines, motors and other equipment. “We found numerous ways to perform single-packet denial of service attacks against PLCs,” says Byres.

The 13 cyber security incidents logged between the years 1982 and 2000 were almost all attributable to accidents, inappropriate employee behaviour, or sabotage by disgruntled employees.

Processer Power Issues In a lot of those external attacks, control systems were merely collateral damage from IT issues like worms, “because we have Windows running all over the plant floor,” says Byres. Michael Bush, security program manager at Rockwell Automation, acknowledges that Ethernet-enabled control systems “change the rules significantly” from the days of dedicated serial lines.

For his part, Cupps says he took emergency measure to shore up the control systems at his company, then committed to a massive reorganization of its networks, putting the factory floors on their own subnets, adding firewalls between them, and installing intrusion prevention systems, among other things.

http://www.securityfocus.com/news/9671

Rather than thinking about the value of their mobile or laptop, employees need to be trained about the value of information to their company,” said Perry.

Esther George, policy advisor for the Criminal Prosecution Service (CPS), said that the authorities are limited in what they can do when it comes to prosecuting criminals by a general reluctance on the part of companies to admit to hack attacks.

During the debate, some criticism was made of the lack of new legislation to tackle hacking but George argued that despite the lack of new laws, older ones were wide enough in scope to be applied to modern Internet crimes.

Martin Jordan, a senior manager from KPMG, said that despite the best efforts of the security community, end users would always be playing catch-up to hackers and criminals — what companies need to decide is how far they are want to lag behind.

During the debate, some criticism was made of the lack of new legislation to tackle hacking but George argued that despite the lack of new laws, older ones were wide enough in scope to be applied to modern Internet crimes.

Computer Associates’ Perry said that another key factor in combating hacking is for home users to take security as seriously as business users, because many new viruses and spyware are propagated on personal machines.

http://news.zdnet.co.uk/internet/security/0,39020375,39168216,00.htm

An emerging class of security compliance gateways can scan networks to ensure that any new machines being hooked onto the network comply with an organization?s security policies and are configured properly, said Alan Paller, research director at the SANS Institute, a security training and education organization.

The four essential items are:
1. Vulnerability Management
2. Automated Patch Management
3. Enterprise firewalls and intrusion prevention
4. Token Based Identity Management

http://www.fcw.com/fcw/articles/2004/0920/tec-4sec-09-20-04.asp

If you want your security organization to be supported (or at least tolerated) by management, the department must become a communication station. Avoid subjective interpretations or even anecdotal information; instead, focus on metrics that are objective and indisputable.

As an example, to calculate the impact of spam filtering, the team began counting e-mails the filter rejected. Despite a few user complaints, the metrics showed these were isolated incidents and proved that a great majority of legitimate mail was getting through. This correlation of traffic to outbreaks would later help the IT staff react faster to outbreaks, because they could see worm signs before it spread.

Most infrastructure metrics are designed for gearheads, and the data is not useful to business managers.

Start with the message you want to communicate to management, then figure out which metrics would support that point. A mix of good news and bad news is to be expected–any manager knows that an employee who communicates only great news is probably a liar. If your security reports are always full of sunshine, expect management to become suspicious–and with good reason.

For instance, clients who use desktop-management and antivirus software appreciate being able to perform a “check-in”–that is, every workstation on the network “phones home” to the master console, ensuring each is in compliance with policies, such as pattern updates. This type of report is a good indicator that (a) your software investment is functioning; (b) the majority of users haven’t cleverly disabled the agent so they can download porn and install cute screensavers; and (c) you can, if necessary, invoke additional software functionality.

Indeed, any process you monitor will show that you’re on top of things–particularly if the process is new to your organization, such as vulnerability remediation, server- configuration compliance, unsuccessful login monitoring or log-exception monitoring.

When you must express dollar figures, try to associate some measure of probability with them–IT security is equivalent to risk management, after all.

Ultimately, use caution and be conservative when estimating dollar payback or you risk damaging your credibility.

Finally, in security and in business, timing is everything.

http://www.securitypipeline.com/46200070

USB flash drives, MP3 players and the like are everywhere nowadays. Giving your staff free rein to use them at work could lead to breaches of security and loss of data.

Businesses are increasingly putting themselves at risk by allowing the unauthorized and uncontrolled use of portable storage devices. The use of unauthorized portable storage devices poses many dangers, not least for the malicious code that they can introduce. High data capacity and transfer rates, and broad platform support mean that a Universal Serial Bus (USB) or FireWire (IEEE 1394) device has the capacity to quickly download much valuable corporate information, which can be easily leaked to the outside world.

Portable devices include any kind of pocket-sized portable FireWire hard drive, like those from LaCie or Toshiba, or USB hard drive or keychain drive, such as M-Systems’ DiskOnKey. They also include disk-based MP3 players, such as Apple’s iPod, and digital cameras with smart media cards, memory sticks, compact flash and other memory media.

The devices pose two kinds of threat. Intentionally or unintentionally, users can bypass perimeter defenses like firewalls and antivirus at mailserver, and introduce malware such as Trojan Horses or viruses that, if not discovered, can cause serious damage. Also, companies are at risk of losing intellectual property and other critical corporate data.

The impact of the latter goes beyond the commercial value of the data for two reasons. There are different privacy laws in different countries. This means there is more risk of legal action if personal information – belonging to corporate clients or employees – ends up in the hands of an unauthorized third party. Companies’ reputations may be damaged as a consequence of information leaks. This is particularly the case for those operating in areas where client privacy must be preserved, such as the financial market.

Managers should advise on the main procedures to be followed for the eventual use of such devices; for instance, to confirm the need for password and security protection (encryption) of stored corporate data.

Adopt personal firewalls to limit what can be done on USB ports. Leading products to consider are from vendors like Sygate Technologies, Zone Labs and Symantec. Vendors like Pointsec Mobile Technologies, Information Security Corporation and PC Guardian Technologies offer alternative specialist solutions.

On a broader level, and especially for those industries where intellectual property is of critical importance, the use of digital rights management software ensures the persistent protection of digital assets by maintaining constant control over their use and distribution.

http://www.csoonline.com/analyst/report2714.html