So, for instance, it’s hard to say exactly how much the HR database is worth, but it’s a fair bet that it is less valuable to the organization than the Sales and Marketing database containing commercial details on customers and prospects. Therefore, it probably makes commercial sense to put more effort and resources into securing the S&M database against disclosure incidents, than for the HR database.
While Gary is ‘classically’ right, there’s a hidden gotcha in all that.
On the ISO2700 forum one user gave a long description of his information gathering process but expressed frustration over what to do with it all all, the assets, the threats and so forth, and trying to make it into a risk assessment.
It was easy for the more experienced of us to see what he was missing.
He was missing something very important — a RISK MODEL
The model determines what you look for and how it is relevant.
Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
It’s a perfectly valid question we all have faced, along with the “where do I begin” class of questions.
The ISO-27001 standard lays down some necessities, such as your asset register, but it doesn’t tell you the detail necessary. You can choose to say “desktop PCs” as a class without addressing each one, or even addressing the different model. You can say “data centre” without having to enumerate every single component therein.
How do you know WHAT assets are to be included in the ISO-27K Asset Inventory?
This question and variants of the “What are assets [for ISO27K]?” comes up often and has seen much discussion on the various InfoSec forums I subscribe to.
Perhaps some ITIL influence is need. Or perhaps not since that might be too reductionist.
The important thing to note here is that the POV of the accountants/book-keepers is not the same as the ISO27K one. To them, an asset is something that was purchased and either depreciates in value, according to the rules of the tax authority you operate under, or appreciates in value (perhaps) according to the market, such as land and buildings.
Here in Canada, computer hardware and software depreciates PDQ under this scheme, so that the essential software on which you company depends is deemed worthless by the accountants. Their view is that depreciable assets should be replaced when they reach the end of their accounting-life. Your departmental budget may say different.
“Once the hacker gained access to Honan’s iCloud account, he or she
wasable to reset his password, before sending the confirmation email
to thetrash. Since Honan’s Gmail is linked to his .mac email address,
thehacker was also able to reset his Gmail password by sending a
passwordrecovery email to his .mac address.
Minutes later, the hacker used iCloud to wipe Honan’s iPhone, iPad
andMacbook Air remotely. Since the hacker had access to his email
accounts,it was effortless to access Honan’s other online accounts
such as Twitter.”
Every new technology has people, the pioneers, who buy into the vendors hype … and pay a price for that.
From the left hand doesn’t know what the right hands is doing department:
Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be “hard-pressed” to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.
Well, lets leave the vested interests of security sales aside for a moment.
I read recently an article about the “IT Doesn’t matter” thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don’t fully utilise their resources, don’t fully understand the capabilities of the technology they have, don’t follow good practices (never mind good security), this is all a moot point. Continue reading Tight budgets no excuse for SMBs’ poor security readiness
Let us leave aside the poor blog layout, Dejan’s picture ‘above the fold’ taking up to much screen real estate. In actuality he’s not that ego-driven.
What’s important in this article is the issue of making OBJECTIVES clear and and communicating (i.e. putting them in your Statement of Objective, what ISO27K calls the SoA) and keeping them up to date.
Dejan Kosutic uses ISO27K to make the point that there are high level objectives, what might be called strategy, and the low level objectives. Call that the tactical or the operational level. Differentiating between the two is important. They should not be confused. The high level, the POLICY OBJECTIVES should be the driver.
There are many holes in this, but I think they miss some important points.
First is setting IT HR to look for Infosec.
That is because many people think InfoSec is a IT function as opposed to an organizational function. This goes in cycles: 20 years ago there was the debate: “Should Infosec report to IT?” The overall decision was no;. Infosec might need to ‘pull the plug’ on IT to protect the organization.
Second there is the vast amount of technology claiming to do InfoSec.
It is all network (and hence IT) as opposed to business fulfilment. This has now spread to “Governance”. You can buy governance software. What does this do for the ethical outlook of the executive, the board and management? How is Governance tied to risk management and accountability and visibility by this software?
Technology won’t solve your problems when technology *is* your problem.
InfoSec is about protecting the organization’s information assets: those assets can be people, processes or information. Yes technology may support that just as technology puts a roof over your head (physical security) and somewhere to store the information. Once this was typewriters, and hand-cranked calculators and filing cabinets, and copying was with carbon paper. The technology may have changed but most of the fundamental principles have not. In particular the ones to do with attitudes and people are the same now as they were 50 or 100 years ago.
I often get hit on by wannabes who want to – as they put it – “break into security” and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a lot of study and self-discipline. The most often question is about which certification they should get first in order to get a job. Some people seem to view certification as a job ticket because so many job postings have various certifications as a requirement.
What these people are forgetting is that a certification is there to certify you have the experience; you need the experience to get the certification.
But this goes one step beyond that. This person got a job in security though faking an complete ID with all the supporting documentation:
Bimbo Olumuyiwa Oyewole, known to his fellow workers as “Jerry Thomas,” obtained his job as a security guard supervisor at the Newark Liberty International Airport with credentials he’d allegedly stolen in 1992 from a petty criminal who was shot and killed in New York that year, according to CBS.
Authorities say Oyewole, who entered the U.S. illegally in 1989, began using Thomas’ birth certificate and Social Security number three weeks before he was murdered, though there’s no immediate evidence that he was involved in Thomas’ death. He used these documents to obtain a New Jersey driver’s license in Thomas’ name, as well as a state security guard license, airport identification and credit cards.
He used the fraudulent documents to gain employment with several contractors at the Newark airport, most recently with FJC Security Services.
That really inspires confidence in the system, doesn’t it?
So what careful vetting and though investigation by the FBI and others uncovered this threat, a threat that could have been practised by a ‘sleeper’ for a terrorist organization?
Authorities discovered Oyewole wasn’t the man he said he was only after an anonymous letter was sent to the Port Authority of New York, which oversees the region’s main airports, and to the New Jersey’s inspector general’s office. The letter indicated that “Jerry Thomas” was known by other names.
Might we suspect a disgruntled ex-lover?
Good policing that, eh? It makes you wonder how many other TSA operatives and supervisors are using fake ID or whose backgrounds and origins have not been adequately investigated.
Oh, right, there are so many of them, that level of investigation is impractical.
Last month, this question came up in a discussion forum I’m involved with:
Another challenge to which i want to get an answer to is, do developers
always need Admin rights to perform their testing? Is there not a way to
give them privilege access and yet have them get their work done. I am
afraid that if Admin rights are given, they would download software’s at
the free will and introduce malicious code in the organization.
The short answer is “no”.
The long answer leads to “no” in a roundabout manner.
This kind of question keeps coming up, many people are unclear about the Statement of Applicability on ISO-27000.
The SoA should outline the measures to be taken in order to reduce risks such as those mentioned in Annex A of the standard. These are based on ‘Controls’.
But if you are using closed-source products such as those from Microsoft, are you giving up control? Things like validation checks and integrity controls are are ‘internal’.
Well, its a bit of a word-play.
SoA contains exclusions on controls that are not applicable because the organization doesn’t deal with these problems (ie ecommerce)
SoA contains exclusions on controls that pose a threat (and risks arise) but cannot be helped (ie A.12.2 Correct processing in applications) and no measures can be taken to reduce these risks.
With this, a record must be present in risk assessments, stating that the risk (even if it is above minimum accepted risk level) is accepted
If you have a good information security awareness amongst
the employees then it should not a problem what kind of attempts
are made by the social engineers and to glean information from
Yes but as RSA demonstrated, it is a moving target.
An interesting list, since it covers issues of public structural security.
I recall reading that the greatest contribution to the health of individuals came about from good public sanitation and clean water, that is civic changes (presumably enabled by legislation) that affected the public in a structural manner.
The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at “service” when it came to view tapes and DVDs, how they objected even those turned out to be immensely profitable. We all know that and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc seem to want to shut it down.
Well if they did there would be outcries not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were loosing customers, not just from direct action but from the word-of-mouth style propagation, reviews, snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Laws of Unintended Consequences doing what it always does, biting in the ass.
Yes, if the media industry provided the service that customers want piracy wouldn’t be an issue. As the article says, look at the economics.
It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.
There’s a corollary to that: if the media companies were selling on the net their cost of reproduction is zero. They can sell the same movie hundreds of times over and it doesn’t cost them any more.
With VHS and DVD there is the cost of production, shipping and retail mark-up. There’s that for every sale. And those are costs that are going up year by year. And if there’s a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.
But with a ‘Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.
Its as if the RIAA have it exactly backwards.
So it costs, what, lets say $20 to buy a movie as a DVD.
That’s my budget. If I got to the store and found the movie I wanted was $5, then I’d be inclined to buy some more. Maybe at $5 a shot I’d spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn’t have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the ‘Net, mail buyers about new releases and packages the way Amazon does and there will be more impulse buying. See low-res, high-res and super-high res/HD, alternate endings, have consumers write reviews … you know how it goes, Amazon does it well.
Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.
The RIAA are not just stupid, they are extremely stupid.
If we can learn from the mistakes of others, if they will freely disclose that they have been breached, the how and why and openly discuss remediation and prevention, they yes, this would be of value to the community as a whole.
But does that mean we mus NOT notify those affected by the breach? I don’t see why they have to be exclusive.
As to free and open disclosure: I suspect there may be issues of legal liability and shareholder/stock-price value to consider.