<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Pondurance</title>
	<atom:link href="http://www.pondurance.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.pondurance.com</link>
	<description>Security.Continuity.Compliance</description>
	<lastBuildDate>Thu, 25 Apr 2013 12:38:13 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Build and Implement an ISMS &#8211; Part 2 How to Build It</title>
		<link>http://www.pondurance.com/blog/build-and-implement-an-isms-part-2/</link>
		<comments>http://www.pondurance.com/blog/build-and-implement-an-isms-part-2/#comments</comments>
		<pubDate>Mon, 18 Mar 2013 14:08:02 +0000</pubDate>
		<dc:creator>Haley Williams</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[continuity]]></category>
		<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">http://www.pondurance.com/?p=1599</guid>
		<description><![CDATA[<p>Here at Pondurance, we advocate a “Plan, Do, Check, Act” approach to building and implementing an Information Security Management System (ISMS). Last week in Part 1 we talked about why you need an ISMS. Now we’re going to tell you how to build one. Building an effective ISMS (based on ISO 27001/27002) is a continuous [...]</p><p>The post <a href="http://www.pondurance.com/blog/build-and-implement-an-isms-part-2/">Build and Implement an ISMS &#8211; Part 2 How to Build It</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Here at Pondurance, we advocate a “Plan, Do, Check, Act” approach to building and implementing an Information Security Management System (ISMS). Last week in <a href="http://www.pondurance.com/blog/building-and-implementing-an-information-security-management-system-part-1/">Part 1</a> we talked about why you need an ISMS. Now we’re going to tell you how to build one. Building an effective ISMS (based on ISO 27001/27002) is a continuous process, not a singular event.</p>
<p><span id="more-1599"></span></p>
<p>The <b>Plan</b> phase is about designing the ISMS, assessing information security risks and selecting the appropriate controls. The Plan phase can be broken down into the following steps:</p>
<ol>
<li>Determine the scope of the ISMS.</li>
<li>Write the ISMS policy.</li>
<li>Define the risk assessment methodology and the criteria for accepting risk.</li>
<li>Identify the assets, vulnerabilities and threats.</li>
<li>Evaluate the size of the risks, then identify and assess the risk treatment options.</li>
<li>Select controls for the chosen risk treatment options.</li>
<li>Obtain management’s approval of the residual risks and authorization to implement the ISMS.</li>
<li>Write a Statement of Applicability that lists every control that applies, notes which of them are already implemented, and records the controls that do not apply and why they were excluded.</li>
</ol>
<p>The <b>Do</b> phase involves actually implementing and operating the information security controls. In order to correctly build your ISMS, you need to understand the different types of security controls. Physical controls are actual objects such as fences, doors, locks, alarms and cameras. Procedural controls are the methods in place such as incident response processes, management oversights and security training and awareness. Items such as user authentication, logical access controls, antivirus software and firewalls fall under technical controls.</p>
<p>What are some of the activities in the <b>Do</b> phase? Write a risk treatment plan that describes who will implement the applicable controls, how, when and with what budget. Implement the risk treatment plan and the applicable security controls. Define how the effectiveness of the controls will be measured. Carry out awareness programs and training for employees. Put in place a management system for the normal operation of the ISMS and its resources, and implement procedures for detecting and managing security incidents.</p>
<p>The objective of the <b>Check</b> phase is to review and evaluate the performance, efficiency and effectiveness of the ISMS. The <b>Check</b> phase includes tasks such as the following. Implement procedures and other controls for monitoring and reviewing data, so that violations, incorrect data processing and security activities that are not being carried out as expected are detected. Review the effectiveness of the ISMS, its controls and the risk assessments at regular intervals. Conduct internal audits at planned intervals, and management reviews that look for opportunities to improve. Update security plans to take account of the findings of the other monitoring and reviewing activities. Keep records of activities and incidents that may affect the effectiveness of the ISMS.</p>
<p>The last phase in the cycle is the <b>Act</b> phase, in which controls are monitored and changes are made where necessary to sustain the ISMS and bring it back to peak performance. The <b>Act</b> phase includes implementing improvements to the ISMS once the needed changes have been identified. Take corrective and preventive action, applying lessons from your own security experience as well as others’. Make sure your stakeholders are aware of all activities and improvements, and verify that the improvements achieve the desired results.</p>
<p>Assess, build and sustain. These three words are the key to building and implementing a successful Information Security Management System.</p>
<p>The post <a href="http://www.pondurance.com/blog/build-and-implement-an-isms-part-2/">Build and Implement an ISMS &#8211; Part 2 How to Build It</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.pondurance.com/blog/build-and-implement-an-isms-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Building and Implementing an Information Security Management System – Part 1</title>
		<link>http://www.pondurance.com/blog/building-and-implementing-an-information-security-management-system-part-1/</link>
		<comments>http://www.pondurance.com/blog/building-and-implementing-an-information-security-management-system-part-1/#comments</comments>
		<pubDate>Wed, 06 Mar 2013 18:16:15 +0000</pubDate>
		<dc:creator>Haley Williams</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[continuity]]></category>
		<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">http://www.pondurance.com/?p=1581</guid>
		<description><![CDATA[<p>Why You Need It A recent New York Times article by Nicole Perlroth referenced these words from an investigative report by security researchers at McAfee into a vast online espionage campaign called Operation Shady RAT. “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets [...]</p><p>The post <a href="http://www.pondurance.com/blog/building-and-implementing-an-information-security-management-system-part-1/">Building and Implementing an Information Security Management System – Part 1</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></description>
				<content:encoded><![CDATA[<div>
<p><strong>Why You Need It</strong></p>
<p>A recent <a href="http://www.nytimes.com/2013/02/21/technology/hacking-victims-edge-into-light.html?pagewanted=all&amp;_r=0">New York Times article</a> by Nicole Perlroth referenced these words from an investigative report by security researchers at McAfee into a vast online espionage campaign called <a href="http://www.allthingsd.com/20110803/operation-shady-rat-the-biggest-hacking-attack-ever">Operation Shady RAT</a>.</p>
<p><b>“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact,” Dmitri Alperovitch, then McAfee’s vice president for threat research, wrote in his findings.</b></p>
<p><b>“In fact,” said Mr. Alperovitch, now the chief technology officer at Crowdstrike, a security start-up, “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”</b></p>
<p><b>Lessons from the past</b></p>
<p>Verizon’s RISK Team found that external agents initiated 98% of all data breaches, 81% of all attacks utilized some form of hacking, and 69% incorporated malware. <a href="http://www.verizonenterprise.com/DBIR/2012/">The 2012 Data Breach Investigations Report</a> went on to say that incidents involving hacking and malware were both up considerably last year, with hacking linked to almost all compromised records. This makes sense, as these threat actions remain the favored tools of external agents, who, as stated previously, were behind most breaches. Many attacks continue to thwart or circumvent authentication by combining stolen or guessed credentials (to gain access) with backdoors (to retain access). Given the drop in internal agents, the misuse category had no choice but to go down as well. Social tactics fell a little, but were responsible for a large amount of data loss.</p>
<p>Cause for even greater concern among information security professionals and business executives is that 79% of the victims were targets of opportunity and that 96% of the attacks were not highly difficult and could have been avoided through simple or intermediate controls. The fact that so many data breaches were executed easily and most likely could have been avoided is primarily due to the lack of financial commitment to information security. This may result not only in a significant financial loss in the event of a data breach but also, for publicly traded companies, the potential for charges of negligence.</p>
</div>
<p><b>So…what is the cost of doing nothing?</b></p>
<p>What are the costs of a data breach? This varies based on the individual components of each company. Most companies are so focused on defending against an attack that keeping track of the different costs associated with the breach is usually of secondary concern. And many organizations simply aren’t motivated, for whatever reason, to collect data on their financial losses after an incident. There are, however, a number of studies that attempt to quantify these costs. The studies consider not only the hard costs of incident response but also the potential, and likely, loss of customers. Legal costs and regulatory fines are also a consideration. A <a href="http://www.ponemon.org/library/2012-cost-of-cyber-crime-study">recent study</a> from the Ponemon Institute puts the average annualized cost of cyber crime for the US companies it studied at $8.9 million in 2012.</p>
<p><b>Most Likely Threats – 2013</b></p>
<p>Many security experts believe that the primary threats to information security in 2013 will be exploits of cloud-based applications, mobile device attacks, and all-out cyber warfare. The RISK Team at Verizon takes a different view, one with which we agree:</p>
<p>The threats most likely to occur in 2013 will involve authentication attacks and failures, web application exploits and social engineering, according to Verizon’s Wade Baker in this <a href="http://www.gov.aol.com/2013/01/07/security-breaches-what-to-watch-for-in-2013/">AOL Government article</a>. Larger enterprises and governments must also remain on high alert for adversaries motivated by espionage and hacktivism. Hacktivism, breaking into a computer system for a politically or socially motivated purpose, will grow in frequency and sophistication.</p>
<p>Now that you know why you need an Information Security Management system, how do you go about building one? We’ll be discussing that next week in Part 2.</p>
<p>What are your reactions to some of the statistics we’ve presented here? Please share in the comments.</p>
<p>The post <a href="http://www.pondurance.com/blog/building-and-implementing-an-information-security-management-system-part-1/">Building and Implementing an Information Security Management System – Part 1</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.pondurance.com/blog/building-and-implementing-an-information-security-management-system-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Privacy Day is January 28</title>
		<link>http://www.pondurance.com/blog/security-program/data-privacy-day-is-january-28/</link>
		<comments>http://www.pondurance.com/blog/security-program/data-privacy-day-is-january-28/#comments</comments>
		<pubDate>Mon, 28 Jan 2013 15:55:33 +0000</pubDate>
		<dc:creator>Mike Childs</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[Data privacy day]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security deficiencies]]></category>

		<guid isPermaLink="false">http://www.pondurance.com/?p=1576</guid>
		<description><![CDATA[<p>How much information about you is freely available to strangers? How much access do you allow by means of Web sites and social networks to your interests and personal information? These are the types of questions Data Privacy Day encourages people to ask, as well as to value and take an active interest in protecting [...]</p><p>The post <a href="http://www.pondurance.com/blog/security-program/data-privacy-day-is-january-28/">Data Privacy Day is January 28</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>How much information about you is freely available to strangers? How much access do you allow by means of Web sites and social networks to your interests and personal information? These are the types of questions Data Privacy Day encourages people to ask, as well as to value and take an active interest in protecting their privacy.</p>
<p><span id="more-1576"></span>The annual event is an effort to empower people to protect their privacy and control their digital footprint and to draw attention to the protection of privacy and data as a priority for everyone. The Day began in the United States and Canada in January 2008, but has its roots in the Data Protection Day celebration in Europe, commemorating the signing in 1981 of Convention 108, the first legally binding international treaty that speaks to privacy and data protection. Today, with the far-reaching influence of the Internet, the issues that surround data privacy are more pervasive than ever before.</p>
<p>If you’ve ever had the uneasy feeling of being spied upon as you browse the Internet, if you’ve ever been bombarded with unsolicited emails or other advertisements, or if you have been the victim of identity theft, you already know some of the potential consequences of privacy infringements. From online threats such as spyware, viruses, and other forms of malware to the outright physical theft of personal data devices that can contain all manner of personal information, protecting your data privacy means being vigilant with both your virtual and your real valuables.</p>
<p>According to the recently released results of a survey of 1,000 U.S. adults commissioned by Microsoft, many people believe they have little to no control about how their data may be collected by online companies.</p>
<p>Some of the points gleaned from the study include:</p>
<p>• Forty-five percent said they feel they have little or no control over the personal information companies gather about them while they are browsing the Web or using online services, such as photo-sharing, travel or gaming.</p>
<p>• Four in 10 said they feel they totally or mostly understand how to protect their online privacy.</p>
<p>• An equal number of people (39 percent) said they are turning to friends and family, as well as company privacy statements, as their top source for privacy information.</p>
<p>• A third of those surveyed (32 percent) said they are paying attention to companies’ privacy reputations, track records and policies when choosing which websites to visit or services to use.</p>
<p>(Source: http://www.microsoft.com/en-us/news/press/2013/jan13/01-23DPDPR.aspx)</p>
<p>Fortunately, there is much that can be done to protect one’s personal data privacy.</p>
<p>Some tips from StaySafeOnline.org include:</p>
<ul>
<li>Keeping security software current: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.</li>
<li>Automating software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if the option is available.</li>
<li>Protecting all devices that connect to the Internet: Along with computers, smart phones, gaming systems, and other web-enabled devices also need protection from viruses and malware.</li>
<li>Securing your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site.</li>
<li>Making passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.</li>
<li>Having unique accounts and unique passwords: Separate passwords for every account helps to thwart cybercriminals.</li>
<li>Storing passwords and logins in a safe, secure place away from your computer.</li>
<li>Owning your online presence: When available, set the privacy and security settings on websites to your comfort level for information sharing.</li>
<li>Getting savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.</li>
<li>Protecting your money: When banking and shopping, check that the site uses an encrypted connection. Look for web addresses that begin with “https://”, which means the traffic between you and the site is encrypted; a plain “http://” address is not. Encryption only protects the connection, so still make sure you are on the site you intend to use.</li>
<li>Staying current: Keep pace with new ways to stay safe online. Check trusted websites for the latest information, share it with friends, family, and colleagues, and encourage them to be web wise.</li>
<li>Thinking before you act: Be wary of communications that urge you to act immediately, offer something that sounds too good to be true, or ask for personal information.</li>
<li>Backing up data: Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely.</li>
</ul>
<p>While Data Privacy Day aims to draw attention to the issues of information privacy and cyber security by means of a single day’s event, the real takeaway message is for data privacy to be an everyday concern that we all share. Pondurance is proud to be a StaySafeOnline.org Champion of Data Privacy Day.</p>
<p>The post <a href="http://www.pondurance.com/blog/security-program/data-privacy-day-is-january-28/">Data Privacy Day is January 28</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.pondurance.com/blog/security-program/data-privacy-day-is-january-28/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WCIT-12: What’s it to you?</title>
		<link>http://www.pondurance.com/blog/security-program/wcit-12-whats-it-to-you/</link>
		<comments>http://www.pondurance.com/blog/security-program/wcit-12-whats-it-to-you/#comments</comments>
		<pubDate>Tue, 22 Jan 2013 10:30:10 +0000</pubDate>
		<dc:creator>Mike Childs</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[International telecommunications]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security deficiencies]]></category>
		<category><![CDATA[WCIT-12]]></category>

		<guid isPermaLink="false">http://www.pondurance.com/?p=1571</guid>
		<description><![CDATA[<p>Whether it was the practical matter of addressing 24-year old international telecommunications policies or the highly publicized clash of the forces of Big Government against the proponents of a free and open Internet, it was to be a landmark event. As a practical matter, the purpose of the World Conference on International Telecommunications (WCIT-12) last [...]</p><p>The post <a href="http://www.pondurance.com/blog/security-program/wcit-12-whats-it-to-you/">WCIT-12: What’s it to you?</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Whether it was the practical matter of addressing 24-year old international telecommunications policies or the highly publicized clash of the forces of Big Government against the proponents of a free and open Internet, it was to be a landmark event. As a practical matter, the purpose of the World Conference on International Telecommunications (WCIT-12) last month was for the 193 member states of the International Telecommunication Union (ITU), a body of the United Nations, to review and perhaps modify the International Telecommunication Regulations (ITRs), which define the general principles for providing and operating international telecommunications.</p>
<p>The ITRs are part of a worldwide treaty, which while agreed upon initially in 1988, had not been revisited since. At that time, the treaty set principles for international telecommunications services, emergency calls, and charges across national borders. To say that things in the industry have changed a bit since then is to put it mildly. To put things in perspective, the last time the ITU put together a document on the world regulation of communications, mobile phones were the latest thing and the Internet was still waiting in the wings of the world stage.</p>
<p>So it was that December&#8217;s conference, which centered largely on governmental regulation of the Internet&#8217;s functions, its financial models, and its availability, caused quite a stir, particularly among advocates of online free speech. In light of recent world events in which electronic telecommunications were used to disseminate controversial messages, a basic question hung in the air: Are national governments that restrict freedom of the press trying to restrict freedom of speech on the Internet, too? On the subject of regulation of email, for example, representatives from several countries, including the United States, suggested that if governments are given the power to approve or reject email, they may in effect choose to curtail or prohibit forms of free speech, such as political messages.</p>
<p>For its part, before and during the conference, the U.S. championed a so-called multistakeholder approach to the Internet. In this model, governments, private companies, and independent organizations are all involved voluntarily, and independent from any new law, treaty, or international regulatory body. The U.S., along with Australia, Canada, the Czech Republic, Denmark, Sweden, and the United Kingdom, openly opposed several proposed revisions to the ITRs throughout the course of the two-week long conference.</p>
<p>In the end, the delegation from the United States decided to reject the treaty, largely due to language related to &#8220;internet governance&#8221;, specifically, to a section of a separate, legally nonbinding resolution stating that &#8220;all governments should have an equal role and responsibility for international internet governance and for ensuring the stability, security, and continuity of the existing internet and its future development and of the future internet and that the need for development of public policy by governments in consultation with all stakeholders is also recognized.&#8221;</p>
<p>In the end, 89 countries, including Russia, China, and a number of developing nations, did sign the treaty. But not all was bleak and divisive: On the subject of availability, governments did agree to a provision to extend Internet access to disabled persons, one of the fundamental tenets of equal access to the World Wide Web.</p>
<p>The treaty signed in the United Arab Emirates was hardly the last word, however. It&#8217;s clear from the schedule of similar ITU meetings this year and the next that the subject of government involvement in the Internet is an ongoing conversation, and one with much at stake.</p>
<p>The post <a href="http://www.pondurance.com/blog/security-program/wcit-12-whats-it-to-you/">WCIT-12: What’s it to you?</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.pondurance.com/blog/security-program/wcit-12-whats-it-to-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Creating a Successful Information Security Process – Part 2</title>
		<link>http://www.pondurance.com/blog/security-program/creating-a-successful-information-security-process-part-two/</link>
		<comments>http://www.pondurance.com/blog/security-program/creating-a-successful-information-security-process-part-two/#comments</comments>
		<pubDate>Tue, 15 Jan 2013 10:30:25 +0000</pubDate>
		<dc:creator>Mike Childs</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[continuity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security deficiencies]]></category>

		<guid isPermaLink="false">http://www.pondurance.com/?p=1564</guid>
		<description><![CDATA[<p>Last week, we discussed three of our thought processes when thinking about creating a successful information security process. Here are four more ideas that come to mind. The User-Centered Approach No matter how much they identify with the “team”, people still want to know &#8220;what&#8217;s in it for them.” And people, being people, often take [...]</p><p>The post <a href="http://www.pondurance.com/blog/security-program/creating-a-successful-information-security-process-part-two/">Creating a Successful Information Security Process – Part 2</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Last week, we discussed three of our thought processes when thinking about creating a successful information security process. Here are four more ideas that come to mind.</p>
<p><b>The User-Centered Approach</b></p>
<p>No matter how much they identify with the “team”, people still want to know &#8220;what&#8217;s in it for them.” And people, being people, often take better to something novel if they understand the goal or underlying principle(s) at work. For many, nothing is more off-putting than the phrase &#8220;It&#8217;s technical, you wouldn&#8217;t understand.&#8221;</p>
<p><span id="more-1564"></span>Here, looking at users&#8217; needs can increase buy-in for a new security process. This is often termed the “user-centered approach” in technical communication. No matter the security goal, people need to understand why new security measures are important to the organization, and that often starts at the individual level.</p>
<p><b>Look for Common Ground</b></p>
<p>Claudia Girrbach, CISSP, offers these five tips for creating a new security process:</p>
<ul>
<li>Focus on users&#8217; needs</li>
<li>Make the message memorable</li>
<li>Recruit opinion leaders to show them</li>
<li>Guide them on information security processes</li>
<li>Ensure compliance</li>
</ul>
<p>Girrbach uses confidential information as one form of common ground within an organization as a way of focusing on users’ needs. Many, if not all, employees in an organization have some access to confidential information that could be misused to the detriment of co-workers, customers, and business partners.  A company’s competitors, for instance, would relish the prospect of a well-publicized security breach to shake customer confidence, while criminals would like nothing more than to gain access to employee and customer data for their own purposes.</p>
<p><b>Choose the Messengers</b></p>
<p>Rather than rely strictly on a hierarchical, bureaucratic announcement of a new system, Girrbach suggests recruiting opinion leaders to help deliver and reinforce key messages. Employing a broad range of opinion leaders as messengers can help draw attention to the importance of security goals, since these leaders tend to inspire respect from colleagues in the various groups from which they are chosen.</p>
<p>Positive reinforcement yields better results, to say nothing of better morale, than negative reinforcement.  So it’s important to be ready to recognize and show appreciation for good security behavior as it occurs.</p>
<p><b>Be Ready to Measure Success</b></p>
<p>Of course, success should be measurable, so plans should include a metric that shows users&#8217; acceptance of a new measure. For a new authentication process, for example, track what share of passwords meet the new strength policy at the moment they are set; a metric built that way needs only the pass/fail outcome, never the passwords themselves.</p>
<p>Due diligence and due care should apply just as much to the human element as to the technical. Researching the tools and processes different departments use on a regular basis can help any new security process yield results that are relevant, memorable, and ultimately, successful.</p>
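<p>As an added example (not part of the original post, and not Pondurance&#8217;s or Girrbach&#8217;s code), here is one way to produce that metric for a new password policy. It also covers the “long and strong” and “unique passwords” tips in the Data Privacy Day post above: the check runs when a user submits a new password, compares it against the account&#8217;s stored salted hashes so reuse is caught without keeping any old password in the clear, and keeps only the pass/fail outcome and the reasons for the report. The thresholds, the blocklist and the sample accounts are assumptions constructed for the example.</p>

```python
"""Password-policy check at change time plus an aggregate compliance metric.

Added example, not code from the original post. Thresholds, the blocklist
and the sample accounts in demo() are constructed assumptions.
"""
import hashlib
import os
import re
from collections import Counter

MIN_LENGTH = 12        # assumed policy: at least 12 characters
MIN_CLASSES = 3        # assumed policy: at least 3 of the 4 classes below
HISTORY_DEPTH = 5      # assumed policy: may not match the last 5 passwords
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Constructed blocklist; a real deployment would load a breached-password list.
BLOCKLIST = {"password", "welcome", "letmein", "qwerty", "pondurance"}


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Only this (salt, digest) pair is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)
    return salt, digest


def policy_failures(pw, history=()):
    """Return the list of policy violations for a candidate password.

    history holds the account's previous (salt, digest) pairs, newest last.
    An empty list means the password is accepted.
    """
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    present = sum(1 for rx in CLASSES.values() if rx.search(pw))
    if present < MIN_CLASSES:
        failures.append("too few character classes")
    lowered = pw.lower()
    if any(word in lowered for word in BLOCKLIST):
        failures.append("contains blocklisted word")
    if re.search(r"(.)\1{3,}", pw):      # same character four or more times in a row
        failures.append("repeated character run")
    recent = list(history)[-HISTORY_DEPTH:]
    # Re-derive the digest with each stored salt; a match means the password is being reused.
    if any(hash_password(pw, salt)[1] == digest for salt, digest in recent):
        failures.append("reused from history")
    return failures


def compliance_report(outcomes):
    """Aggregate (account, failures) pairs into the metric reported to management.

    Only counts leave this function: no passwords and no per-account detail.
    """
    outcomes = list(outcomes)
    total = len(outcomes)
    compliant = sum(1 for _, failures in outcomes if not failures)
    reasons = Counter(r for _, failures in outcomes for r in failures)
    return {
        "total": total,
        "compliant": compliant,
        "rate": round(compliant / total, 2) if total else 0.0,
        "top_failures": reasons.most_common(3),
    }


def demo():
    """Run the check over a constructed batch of password-change attempts."""
    # alice tries to set the same password she already has on file
    alice_history = [hash_password("Correct-Horse-Battery-9")]
    attempts = [
        ("alice", "Correct-Horse-Battery-9", alice_history),
        ("bob", "Welcome2013!", []),
        ("carol", "aaaa1111BBBB!!!!", []),
        ("dave", "p3rl-Grimace&Tundra-41", []),
    ]
    per_account = {acct: policy_failures(pw, hist) for acct, pw, hist in attempts}
    return compliance_report(per_account.items()), per_account


if __name__ == "__main__":
    report, detail = demo()
    for account, failures in detail.items():
        print(f"{account}: {'OK' if not failures else ', '.join(failures)}")
    print(report)
```

<p>Running the file prints one line per constructed account and the aggregate report (4 attempts, 1 compliant, a 25% rate, and the three failure reasons). In the sample, three of four submissions fail for different reasons, which is exactly the breakdown a metric owner wants: it tells you whether the next round of awareness material should target length, dictionary words, or reuse. Because the check uses the stored salt and digest rather than a cleartext history, the metric can be collected without creating a new store of secrets.</p>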
<p>The post <a href="http://www.pondurance.com/blog/security-program/creating-a-successful-information-security-process-part-two/">Creating a Successful Information Security Process – Part 2</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.pondurance.com/blog/security-program/creating-a-successful-information-security-process-part-two/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Creating a Successful Information Security Process – Part 1</title>
		<link>http://www.pondurance.com/blog/security-program/creating-a-successful-information-security-process-part-1/</link>
		<comments>http://www.pondurance.com/blog/security-program/creating-a-successful-information-security-process-part-1/#comments</comments>
		<pubDate>Mon, 07 Jan 2013 15:05:25 +0000</pubDate>
		<dc:creator>Mike Childs</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[continuity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security deficiencies]]></category>

		<guid isPermaLink="false">http://www.pondurance.com/?p=1560</guid>
		<description><![CDATA[<p>When you think about a successful information security process, a few thoughts may come up. For the next two posts, here are some of our contemplations: Prevention, detection, response Are these security processes really addressing risks, or are they simply quashing productivity for no other reason than &#8216;this is the procedure we have always had [...]</p><p>The post <a href="http://www.pondurance.com/blog/security-program/creating-a-successful-information-security-process-part-1/">Creating a Successful Information Security Process – Part 1</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>When you think about a successful information security process, a few thoughts may come up. For the next two posts, here are some of our contemplations:</p>
<p><b>Prevention, detection, response</b></p>
<p>Are these security processes really addressing risks, or are they simply quashing productivity for no other reason than &#8216;this is the procedure we have always had in place&#8217;, or more colloquially, ‘if it isn&#8217;t broken, don&#8217;t fix it’? Do we require more consistent security processes and, if so, how do we go about defining, justifying and implementing them?</p>
<p><b><span id="more-1560"></span>Due Care, Due Diligence</b></p>
<p>We would be remiss if we ignored the concepts of due diligence and due care in a discussion about creating a successful security process.</p>
<p>Due care must be documented and verifiable, and due diligence implies ongoing activities. According to Shon Harris, author of <i>All-In-One CISSP Certification Exam Guide</i>, &#8220;Due care are steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees.&#8221; And, [Due diligence includes the] &#8220;continual activities that make sure the protection mechanisms are continually maintained and operational.&#8221;</p>
<p><b>‘Selling’ a New Security Process</b></p>
<p>As security professionals, it is part of our job to introduce better processes to improve security. But some of the greatest challenges we face are the human factors at work within our own organizations: apathy, or even hostility, toward new initiatives (or any change to daily work routines) can often stand in the way of successful implementation.</p>
<p>People are often regarded as the weakest link in any IT security operation, yet without well-informed employees, any enterprise languishes. Therefore, security professionals should make an effort to plan for both the technical and the human aspects when developing any new security processes.</p>
<p>Fortunately, it’s not necessary to reinvent the wheel. Many social engineering techniques used in other fields, such as psychology, marketing, and technical communication, can be used to help develop new security processes, from the planning stages to the rollout.</p>
<p>Next week’s post will cover four more ideas to keep in mind.</p>
<p>The post <a href="http://www.pondurance.com/blog/security-program/creating-a-successful-information-security-process-part-1/">Creating a Successful Information Security Process – Part 1</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.pondurance.com/blog/security-program/creating-a-successful-information-security-process-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Article Review: Addressing the Top 4 Cyber Risks for 2013</title>
		<link>http://www.pondurance.com/blog/security-program/article-review-addressing-the-top-4-cyber-risks-for-2013/</link>
		<comments>http://www.pondurance.com/blog/security-program/article-review-addressing-the-top-4-cyber-risks-for-2013/#comments</comments>
		<pubDate>Tue, 01 Jan 2013 10:30:10 +0000</pubDate>
		<dc:creator>Mike Childs</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[Cyber risks]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security deficiencies]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.pondurance.com/?p=1542</guid>
		<description><![CDATA[<p>Georgia Tech recently published its Emerging Cyber Threats Report, identifying therein botnets, mobile vulnerabilities and search engine poisoning at the top of the heap of concerns for organizations. &#8220;Organizations, with respect to the mobile threat landscape, need to understand that the notion of an organizational perimeter is quickly disintegrating,&#8221; said Paul Royal, associate director of [...]</p><p>The post <a href="http://www.pondurance.com/blog/security-program/article-review-addressing-the-top-4-cyber-risks-for-2013/">Article Review: Addressing the Top 4 Cyber Risks for 2013</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Georgia Tech recently published its <em>Emerging Cyber Threats Report</em>, identifying therein botnets, mobile vulnerabilities and search engine poisoning at the top of the heap of concerns for organizations.</p>
<p>&#8220;Organizations, with respect to the mobile threat landscape, need to understand that the notion of an organizational perimeter is quickly disintegrating,&#8221; said Paul Royal, associate director of Georgia Tech&#8217;s Information Security Center, in an interview published in <em>Healthcare Info Security</em> magazine.</p>
<p><span id="more-1542"></span>In the interview, Royal discusses:</p>
<ul>
<li>The four top emerging threats to organizations;</li>
<li>How organizations and information security pros can counter these threats;</li>
<li>New training techniques to improve threat awareness and response.</li>
</ul>
<p><a title="Top 4 Cyber Risks of 2013" href="http://www.healthcareinfosecurity.com/addressing-2013s-top-4-cyber-risks-a-5334" target="_blank">Read entire article</a></p>
<p>The post <a href="http://www.pondurance.com/blog/security-program/article-review-addressing-the-top-4-cyber-risks-for-2013/">Article Review: Addressing the Top 4 Cyber Risks for 2013</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.pondurance.com/blog/security-program/article-review-addressing-the-top-4-cyber-risks-for-2013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Article Review: December Is Infrastructure Protection &amp; Resilience Month</title>
		<link>http://www.pondurance.com/blog/security-program/december-is-infrastructure-protection-resilience-month/</link>
		<comments>http://www.pondurance.com/blog/security-program/december-is-infrastructure-protection-resilience-month/#comments</comments>
		<pubDate>Tue, 25 Dec 2012 10:30:10 +0000</pubDate>
		<dc:creator>Mike Childs</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[security deficiencies]]></category>

		<guid isPermaLink="false">http://www.pondurance.com/?p=1548</guid>
		<description><![CDATA[<p>President Obama has proclaimed December as Critical Infrastructure Protection and Resilience Month, and is using that declaration to continue his campaign to get Congress to enact comprehensive cybersecurity legislation. In his proclamation, the president notes that the nation&#8217;s critical infrastructure is complex and interconnected, and that it is vulnerable to emerging threats from cyberspace despite [...]</p><p>The post <a href="http://www.pondurance.com/blog/security-program/december-is-infrastructure-protection-resilience-month/">Article Review: December Is Infrastructure Protection &#038; Resilience Month</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>President Obama has proclaimed December as Critical Infrastructure Protection and Resilience Month, and is using that declaration to continue his campaign to get Congress to enact comprehensive cybersecurity legislation.</p>
<p>In his proclamation, the president notes that the nation&#8217;s critical infrastructure is complex and interconnected, and that it is vulnerable to emerging threats from cyberspace despite its strengths.</p>
<p><a href="http://www.healthcareinfosecurity.com/blogs/obamas-security-campaign-continues-p-1389" target="_blank">Read entire article</a></p>
<p>The post <a href="http://www.pondurance.com/blog/security-program/december-is-infrastructure-protection-resilience-month/">Article Review: December Is Infrastructure Protection &#038; Resilience Month</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.pondurance.com/blog/security-program/december-is-infrastructure-protection-resilience-month/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>End of the Year Review: Your Information Security Checklist</title>
		<link>http://www.pondurance.com/blog/security-program/%ef%bb%bfend-of-the-year-review-your-information-security-checklist/</link>
		<comments>http://www.pondurance.com/blog/security-program/%ef%bb%bfend-of-the-year-review-your-information-security-checklist/#comments</comments>
		<pubDate>Tue, 18 Dec 2012 10:30:25 +0000</pubDate>
		<dc:creator>Mike Childs</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security deficiencies]]></category>

		<guid isPermaLink="false">http://www.pondurance.com/?p=1540</guid>
		<description><![CDATA[<p>Does it seem as if 2012 just started last week? Well, December is now upon us and it is time to look back on what we hoped to accomplish over the last eleven months (you do know nothing is getting done during the holidays, right?). It’s likely you started the year with a checklist that [...]</p><p>The post <a href="http://www.pondurance.com/blog/security-program/%ef%bb%bfend-of-the-year-review-your-information-security-checklist/">End of the Year Review: Your Information Security Checklist</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Does it seem as if 2012 just started last week? Well, December is now upon us and it is time to look back on what we hoped to accomplish over the last eleven months (you do know nothing is getting done during the holidays, right?). It’s likely you started the year with a checklist that looked something like this:</p>
<ol>
<li><span id="more-1540"></span>Designate and train someone to be responsible for managing the protection of critical information assets.</li>
<li>Establish an annual board or executive review of your information security posture.</li>
<li>Create and/or update documented information security policies consistent with your company’s business requirements, organizational structure, legal obligations, insurance policies, and risk management processes.</li>
<li>Discover, map, and classify your data. Restrict access according to business need.</li>
<li>Implement an ongoing information security awareness training program for all employees and contractors.</li>
<li>Document your recovery procedures in the event that a break-in, virus infestation or other security event occurs.</li>
<li>Maintain weekly back-ups for all workstations and servers and test monthly to ensure the ability to restore data.</li>
<li>Review your system architecture and configuration standards to ensure that they are in accordance with network security principles and practices.</li>
<li>Make sure that the virus protection software on all servers and workstations is monitored for alerts and that virus protection is up-to-date.</li>
<li>Proactively monitor security patches and alerts and ensure that hardware and software systems are up-to-date and properly protected.</li>
<li>Have an independent third-party information security vulnerability assessment or penetration test executed.</li>
<li>Conduct the annual compliance-mandated risk assessment (HIPAA, PCI DSS, FFIEC, etc.).</li>
</ol>
<p>If you are like 99% of the InfoSec professionals out there, you didn’t get everything done this past year. So now is the time to finish your 2013 plan, build a business case around the importance to your organization’s continued success, get executive sponsorship and, most importantly, get the budget approved!</p>
<p>The post <a href="http://www.pondurance.com/blog/security-program/%ef%bb%bfend-of-the-year-review-your-information-security-checklist/">End of the Year Review: Your Information Security Checklist</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.pondurance.com/blog/security-program/%ef%bb%bfend-of-the-year-review-your-information-security-checklist/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Information Security &#8211; Looking Back to Look Ahead</title>
		<link>http://www.pondurance.com/blog/security-program/looking-back-to-look-ahead/</link>
		<comments>http://www.pondurance.com/blog/security-program/looking-back-to-look-ahead/#comments</comments>
		<pubDate>Tue, 11 Dec 2012 10:30:21 +0000</pubDate>
		<dc:creator>Mike Childs</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[security deficiencies]]></category>

		<guid isPermaLink="false">http://www.pondurance.com/?p=1534</guid>
		<description><![CDATA[<p>As 2012 draws to a close, it can be useful to look at how some events that shaped the past year might continue to shape the future. One standout over the past year was the number of ways information security and government crossed paths in the news. In February, a group of hacktivists temporarily took [...]</p><p>The post <a href="http://www.pondurance.com/blog/security-program/looking-back-to-look-ahead/">Information Security &#8211; Looking Back to Look Ahead</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>As 2012 draws to a close, it can be useful to look at how some events that shaped the past year might continue to shape the future. One standout over the past year was the number of ways information security and government crossed paths in the news.</p>
<p><span id="more-1534"></span>In February, a group of hacktivists temporarily took down the CIA Website. The attack, one in a series for which the group took credit, was soon followed by an uploaded video from an alleged hacktivist group member on why the CIA should have been better prepared.</p>
<p>At a security conference in July, National Security Agency Director Gen. Keith Alexander told audience members that since 2009 there had been a 17-fold increase in the number of attempted cyber attacks on the country&#8217;s infrastructure systems. Alexander said that on a scale of 1 to 10, the United States sits at a 3 in terms of preparedness to handle a cyber attack. He said he was most concerned about disruptions to services provided by water treatment facilities and power plants.</p>
<p>Also in July, the &#8220;Black Monday&#8221; expected after the FBI pulled the plug on the servers that supported millions of users around the country infected by the DNSChanger malware turned out to be less drastic than many had predicted. After months of warnings, the FBI finally cut off the safety net that had allowed as many as 4 million virus-infected computers to continue to safely access the Internet over the first half of 2012. It was widely believed that various outreach efforts helped avert the all-out &#8220;Internet Doomsday&#8221; some had predicted.</p>
<p>August saw the defeat in the Senate of the Cybersecurity Act, a bill aimed at putting teeth into government involvement in information security to protect the nation&#8217;s critical infrastructure. The bill was an outgrowth of congressional committee meetings on cybersecurity held since the late 1990s. While giving the government more power over the sharing of security information, the act also would have given the public the right to sue the government if it intentionally or willfully violated the law. Some critics of the bill, including a number of legislators and business organizations, warned that creating another government bureaucracy would do more harm than good by saddling organizations with increased costs of doing business. Another commonly voiced criticism was that it was not clear just what incentives would be offered to private companies for compliance.</p>
<p>So what will the year ahead bring? Rather than dust off our crystal ball, we would be better served by looking at information security trends that ran through 2012 and will likely continue into 2013.</p>
<p>Malware will become increasingly sophisticated and will be a fixture on the information security scene for the foreseeable future. Hacktivism, a startling phenomenon to many in 2011, appears here to stay, as well.</p>
<p>As mobile, social media and BYOD use continues to pick up pace, so will interest by cybercriminals, who will continue to look for ways to exploit the sheer number of data sources and additional points of entry these trends make possible.</p>
<p>And compliance-related information security activities will continue to grow with the expanded enforcement of HIPAA/HITECH standards and the increased attention on PCI DSS compliance. Vulnerability management programs are a critical component of compliance, and few organizations have a plan in place to address this key aspect.</p>
<p>Yes, it does sound like more of the same for 2013. But hackers, social engineers, and identity thieves will continue to take advantage of these weaknesses until they are eliminated or at least substantially mitigated.</p>
<p>The post <a href="http://www.pondurance.com/blog/security-program/looking-back-to-look-ahead/">Information Security &#8211; Looking Back to Look Ahead</a> appeared first on <a href="http://www.pondurance.com">Pondurance</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.pondurance.com/blog/security-program/looking-back-to-look-ahead/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
