The InfoSec Blog

About ISO 27001 Risk Statement and Controls

Posted by Anton Aylward

On the ISO27000 Forum list, someone asked:

I'm looking for Risk statement for each ISO 27k control; meaning
"what is the risk of not implementing a control".

That's a very ingenious way of looking at it!

One way of formulating the risk statement is from the control
objective mentioned in the standard.
Is there any other way out ?

Ingenious aside, I'd be very careful with an approach like this.

Risks and controls are not, and should not be, 1:1.

On the HP Printer Hack

Posted by antonaylward

The hack to make HP printers burn was interesting, but let's face it, a printer today is a special-purpose computer, and a computer almost always has a flaw which can be exploited.
In his book on UI design, "The Inmates are Running the Asylum", Alan Cooper makes the point that just about everything these days (cameras, cars, phones, hearing aids, pacemakers, aircraft, traffic lights ...) has a computer running it, so what we interface with is the computer, not the natural mechanics of the device, any more.

Applying this observation makes this a very scary world. More like Skynet in the Terminator movies now that cars have Navi*Star and that in some countries the SmartStreets traffic systems have the traffic lights telling each other about their traffic flow. Cameras already have wifi so they can upload to the 'Net-of-a-Thousand-Lies.

Some printers have many more functions: fax, repro and scanning as well as printing a document. And look at firewalls. Look at all the additional functions being poured into them because of the "excess computing facility": DNS, Squid-like caching, authentication ...

I recently bought a LinkSys for VoIP, and got the simplest one I could find. I saw models that were also wifi routers, printer servers and more all bundled onto the "gateway" with the "firewall" function. And the firewall was a lot less capable than in my old SMC Barricade-9 home router.

I'm dreading what the home market will have come IPv6.

I recall the Chinese curse: yes we live in "interesting security issue" times!

But in the long run of things the HP Printer Hack isn't that serious. After all, how many printers are exposed to the Internet? We have to ask "how likely is that?".
Too many places (and people) put undue emphasis on Risk Analysis and ask "show me the numbers" questions, as if everyone who has been hacked (a) even knows about it and (b) is willing to admit to the details.

No, I agree with Donn Parker; there are many things we can do that are in the realm of "common sense" once you stop and think about it. Many protective controls are "umbrellas": it's about how you configure your already paid-for-and-installed (you did install it, didn't you? it's not sitting in the box in the wiring closet) firewall, or about spending the money you would have spent anyway on the model that has better control/protection -- you do this with your car (air-bags, ABS and so on), so why not with IT equipment? The "Baseline" is more often about proper decisions and proper configuration than about "throwing money at it" the way governments and government agencies do.

Requirements for conducting VA & PT – Take 2

Posted by Anton Aylward

Some people are under the mistaken impression that a Pen Test simulates a hacker's actions. We get ridiculous statements in RFPs such as:

The tests shall be conducted in a broader way like a hacker will do.

LOL! If a real hacker is doing it then it's not a test 🙂

Seriously: what a hacker does might involve a lot more, a lot more background research, some social engineering and other things. It might involve "borrowing" the laptop or smartphone from one of your salesmen or executives.

Further, a real hacker is not going to be polite, is not going to care about what collateral damage he does while penetrating your system, what lives he may harm in any number of ways.

And a real hacker is not going to record the results and present them in a nicely formatted Powerpoint presentation to management along with recommendations for remediation.

IT AUDIT VS Risk Assessment – 2

Posted by Anton Aylward

We were discussing which should be done first and someone said:

The first has to be risk assessment as it is the foundation of information
security. You first need to know where the risk is before putting up
any controls to mitigate that risk. Putting up ad hoc controls will not
make the controls effective nor will it protect the organization
against the risk.

While I understand the intent, I think that is very prejudicial language.

Donn Parker makes a very good case that we have the cultural context - read that: sophistication and awareness of the baseline risks - to see that there should be a set of baseline controls: IAM, firewall, AV, backups and so forth. We don't need to leave the assets exposed to threats while we wait around for a Risk Analysis to tell us that these baseline protective controls are needed.


You don't need to know the specific risks to justify these, any more than you need to know the specific risks to have a lock on the front door of your house and to close your windows.

I certainly wouldn't call this approach "ad-hoc".

What drives the RA? Need or Fashion?

Posted by Anton Aylward

A colleague in InfoSec made the following observation:

My point - RA is a nice to have, but it is superfluous. It looks nice
but does NOTHING without the bases being covered. What we need
is a baseline that everyone accepts as necessary (call it the house
odds if you like...)

Most of us in the profession have met the case where a Risk Analysis would be nice to have but is superfluous because the baseline controls that were needed were obvious and 'generally accepted', which makes me wonder why any of us support the fallacy of RA.

It gets back to the thing about the Hollywood effect that is Pen Testing. Quite apart from the many downsides it has from a business POV it is non-logical in the same way that RA is non-logical.

All Threats? All Vulnerabilities? All Assets?

Posted by Anton Aylward

On one list I subscribe to, I saw this outrageous statement:

ISO 27001 requires that you take account of all the relevant threats
(and vulnerabilities) to every asset - that means that you have to
consider whether every threat from your list is related to each of
your assets.

"All"? "Every"?
I certainly hope not!
Unless you have a rule as to where to stop, those lists - the vectors that you are going to multiply - are going to become indefinitely large if not infinite. It's a problem in set theory to do with enumerability.

See
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/
for a more complete discussion of this aspect of 'risk'.

See
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
in which Jeff Lowder has a discussion of the "utility value" approach to controls.

Because it's the controls and their effectiveness that really count.

Admin username/password clouds

Posted by Anton Aylward

That's a very interesting and pertinent presentation by a guy named Grubb from RedHat:
http://www.redhat.com/promo/summit/2008/downloads/pdf/hardening-rhel5.pdf

A few items caught my eye:

Slide 7 points out that the CERTs really don't do a good job, comparatively speaking, of detecting vulnerabilities. It seems that the "million eyes" of other FOSS parties, developers, other distributors & packagers and individuals are much more effective than companies and organizations targeted at such things.

Slide 15 addresses partitioning. I'm amazed at the number of people I hear on the *IX forums I subscribe to and the web sites I read who fail to partition and protect their disks. It's as if they think the way Microsoft's OEM/consumer systems ship, with everything under C:, is the way to go with Linux as well. Oh, I do see some separate /home, but it seems only a few of the corporate admins have noted the security bugs possible if /tmp is on the root partition. The advantages of further partitioning I have found to be immense - compartmentalization prevents so many minor problems from becoming major ones. The designers of the Titanic should have realised.
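As an added illustration of the partitioning point (this is not from the RedHat slides or from the blog), here is a small POSIX shell check that reads a /proc/mounts-style table, reports whether /tmp is its own mount, and whether that mount carries the nodev, nosuid and noexec options that a separate /tmp lets you apply. The function name, its output strings and the three mount tables are my own constructed examples, not taken from any real host.

```shell
#!/bin/sh
# Added example: is /tmp a separate mount, and does it carry nodev,nosuid,noexec?
# Takes the text of a /proc/mounts-style table as its first argument so it can
# be run against a constructed fixture offline as well as against the live table.
# Prints one line; returns 0 when hardened, 1 when a finding is reported.
check_tmp_mount() {
    mounts="$1"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    line=$(printf '%s\n' "$mounts" | awk '$2 == "/tmp" { print; exit }')
    if [ -z "$line" ]; then
        echo "FINDING: /tmp is not a separate mount (it lives on the root filesystem)"
        return 1
    fi
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "FINDING: /tmp is mounted but lacks:$missing"
        return 1
    fi
    echo "OK: /tmp is a separate mount with nodev,nosuid,noexec"
    return 0
}

# Constructed fixtures (not captured from any real machine).
TMP_ON_ROOT='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0'

TMP_WEAK='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,relatime 0 0'

TMP_HARDENED='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# Demo: run against the fixtures, then against the live table if there is one.
for fixture in "$TMP_ON_ROOT" "$TMP_WEAK" "$TMP_HARDENED"; do
    check_tmp_mount "$fixture" || true
done
if [ -r /proc/mounts ]; then
    check_tmp_mount "$(cat /proc/mounts)" || true
fi
```

Run it as `sh check_tmp.sh`; the three fixtures show the root-partition case, a separate /tmp that has not been given restrictive options, and the hardened layout. The option check is string-based on the fourth field, so it works on the output of `cat /proc/mounts` and on a saved copy from another host.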

There's so much more good stuff in that deck about specifics of configuration. My advice to many less security-experienced sysadmins is "just do it". Why? In my database of quotes I have:

Bullet proof vest vendors do not need to demonstrate that naked
people are vulnerable to gunfire. Similarly, a security
consultant does not need to demonstrate an actual vulnerability
in order to claim there is a valid risk.
The lack of a live exploit does not mean there is no risk.
- Crispin Cowan, 23 Aug 2002

That *I* can't demonstrate or document an exploit is no reason for the
sysadmin to fail to apply a well known baseline control such as those documented in this slideshow and many other books and articles. Yes, I know that I sound like Donn Parker when I say that, but this is sensible prudence.

"Just Do It"

Throwing in the towel

Posted by Anton Aylward

I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work:

After two years of dealing with such nonsense, I was forced to resign
within two months of discovering a serious security issue which possibly
jeopardized overseas operations. I have since found out that they are
selling the company and didn't want any who knew the problems around.

Hmm.
Thank you.
Speaking as an auditor who occasionally does "due diligence" with respect to take-overs, you've just shown another use for LinkedIn - contacting ex-employees to find out about such problems.

Certainly a lot of employees leaving or being fired in the couple of years before a pending acquisition is a red flag, eh?

Encyclopedia of IT terms

Posted by Anton Aylward

CMP ChannelWeb have an on-line encyclopaedia of IT terms. This is a useful addition to my toolbar for composition, along with a more conventional dictionary.


The definition of 'information security' seems limited to access control, which is very disappointing. The definition for 'computer security' is more comprehensive. Nevertheless, to a security professional both these definitions are lacking.

What screams out to me, and this is very obviously my bias, is the lack of any mention of INTEGRITY in these definitions. As I keep pointing out, if you don't have integrity, any other efforts at security, be it information security, or "Gates, Guards, Guns and Dogs" physical security, be it backup and disaster recovery, be it access control, be it 1024-bit SSL, are all going to be pointless.

It's not until we follow a few links at the Encyclopaedia and come to Donn Parker's six fundamental and orthogonal attributes of security that there is any mention of 'integrity'. Even so, that definition has only a link to 'data integrity'. There is a separate definition for 'message integrity'. While these specific items are important, they are details. What is lacking is a general definition of "Integrity". Once again, Fred Cohen's seminal 1997 article on the importance of Integrity comes to mind.

No, a much better reference is Rob Slade's "Dictionary of Information Security", which, of necessity, encompasses many IT terms.
