ISO27000 Newsletter - Issue 13

Welcome to the latest issue of the ISO 27000 newsletter, designed to provide news and updates regarding the ISO information security standards.

Included in this edition are the following topics:
1) ISO 17799 Becomes ISO 27002
2) Logic Bomb Dangers Highlighted
3) The History of The Information Security Standards
4) Information Ownership Issues
5) More ISO 17799/27001 Frequently Asked Questions
6) Information Security News
7) ISO 27000 Related Definitions and Terms


ISO 17799 Becomes ISO 27002

Following the decision taken by ISO last year, ISO 17799 has finally been renamed to ISO 27002. The change of name is simply that: a change of name. The purpose is to align it more closely to ISO 27001 in terms of perception.

Of course, the name change could be misleading, as some people my erroneously believe that other changes have been applied. They haven't. We therefore issue two clear recommendations:

1) If you already have a copy of ISO 17799:2005, you do not need to replace it with ISO 27002. The documents are identical except for references to the name.

2) On their website, ISO simply put up ISO 17799:2005, without even a new cover or any changes within. A single sheet accompanied it with the words "Replace '17799' with '27002'". However, the full replacement, with name changes applied to the document itself, can be obtained from Standards Direct (see left hand panel).

THE ISO 27000 TOOLKIT
To accommodate the change of name, the supporting 'ISO 17799 Toolkit' has also been renamed. It has also been updated, notably the policies, the roadmap and the presentation. It is documented on the toolkit website (see left hand panel).


Logic Bomb Dangers Highlighted
The recent case of a former US Government contractor pleading guilty to sabotaging Navy computers highlighted the need for constant vigilance with respect to so-called 'logic bombs'.

Also known as 'slag code' and commonly associated with 'disgruntled employee syndrome', a logic bomb is a piece of program code buried within another program, designed to perform some malicious act. Such devices tend to be within the province of technical staff (non-technical staff rarely have the access rights and even more rarely the programming skills required) and operate in two ways:-

1. 'Triggered Event' - for example, the program will review the payroll records each day to ensure that the programmer responsible is still employed. If the programmer's name is suddenly removed (by virtue of having been fired) the Logic Bomb will activate another piece of code to slag (destroy) vital files on the organization's system. Smarter programmers will build in a suitable delay between these two events (say 2-3 months) so that investigators do not immediately recognize cause and effect.

2. 'Still Here' - in these cases the programmer buries coding similar to the Triggered Event type but in this instance the program will run unless it is deactivated by the programmer (effectively telling the program - "I am still here - do not run") at regular intervals, typically once each quarter. If the programmer's employment is terminated unexpectedly, the program will not be deactivated and will attack the system at the next due date. This type of Logic Bomb is much more dangerous, since it will run even if the programmer is only temporarily absent (eg through sickness, injury or other unforeseen circumstances) at the deactivation point. The fact that it wasn't meant to happen just then is of little comfort to organization with a bombed system.

Logic bombs demonstrate clearly the critical need for audit trails of activity on the system, as well as strict segregation of duties and access rights between those staff who create systems (analysts, developers, programmers) and the operations staff who actually run the system on a day-to-day basis.


The History of The Information Security Standards
Examination of the past often illuminates the present. This is certainly the case in terms of untangling the different acronyms and numbers associated with the information security standards.

The embryo of the security standards was actually a document published by the UK Government's DTI in 1992. The was the 'Code of Practice', for Information Security Management. This was subsequently upgraded by BSI (the British Standards Institute) who published 'BS 7799-1 - Code of Practice for Information Security' in 1995. BSI enhanced this document, and also published a second part: BS7799-2, which was a specification for security management, in the late nineties.

In 2000 ISO finally appeared on the scene, adopting BS 7799-1 and renaming it to ISO 17799:2000. However, it wasn't until 2005 that they eventually adopted BS7799-2, which became ISO 27001:2005. ISO 17799 was re-published in the same year, and as explained above, was renamed to ISO 27002 in July 2007.

Also in 2005 BSI published BS7799-3. This is 'Guidelines for information security risk management'. Again, the chances are that this will eventually evolve into an ISO standard (possibly ISO 27005).

So we thus have:
ISO 27002:2005 - Code of Practice
ISO 27001:2005 - Specification for an ISMS
BS7799-3 - Risk Management.

It is not actually quite this simple though... because ISO are attempting to 'normalize' their entire numbering system. They want all their information security standards to be similarly numbered. That is reasonable of course, but many would argue what is not reasonable is simply to rename documents at a random point in time, rather than on the next upgrade.


Information Ownership Issues
It is essential that the ownership of information systems, data and files is formally established within the organization. This formal assignment invariably brings with it a more serious approach, 'top down', to the whole issue of information security.

Historically, all electronic systems and data files were considered to be “owned” by the IT department, but over recent years ownership has correctly moved towards the areas or individuals who actually create the information, or who are ultimately responsible for the data and systems output.

Usually, the person who creates, or initiates the creation or storage of the information, is the designated owner. In an organization, possibly with divisions, departments and sections, the owner becomes the unit itself with the person responsible being the designated 'head' of that unit.

The Information owner is normally responsible for ensuring:-

• that an agreed classification hierarchy is put in place and that this is appropriate for the types of information processed for that business / unit;
• that all information is classified and stored into the agreed types, and that an inventory (listing) is created;
• that each document or file within each of the classification categories, has its agreed (confidentiality) classification appended to it;
• that for each classification type, the appropriate level of information security safeguards are available (e.g. the logon controls and access permissions applied by the Information Custodian provide the required levels of confidentiality);
• that periodically there is a check to ensure that information continues to be classified appropriately and that the safeguards remain valid and operative.

If a designated owner of information leaves the organization, it is important to ensure that a new owner or custodian is immediately appointed to protect the approved levels of confidentiality and approve or decline access requests.

Many organizations have seen a demonstrable improvement in the cultural approach to security as a result of ownership clarification. It is a move certainly long overdue for those whose IT departments are still seen as data owners.


More ISO 17799/27001 Frequently Asked Questions

1) Where Do I Start with an ISMS?
The start point most often recommended for the implementation of a formal Information Security Management System (ref: 27001) is a definition of scope. This is in fact pure logic. Unless you define your boundaries you are unlikely to get too far without encountering significant difficulties. The scoping exercise itself is often quite illuminating.

2) How many companies are now certified?
At the last count this was well in excess of 2,000.

3) What is ISO Guide 62?
This guide contains the requirements applicable to an Accreditation Body (which subsequently bestows authority to issue certificates).


Information Security News
1) Sophos reports that malware is increasingly being spread via web pages, rather than via email, with sites in China and Hong Kong accounting for more than half the total. Most affected sites are victims themselves, having been compromised by hackers. In a separate report, Pandalabs report that malware detections increased by over 170% last year. Trojans now represent more than half of such attacks, with Bots on 14 percent and backdoors on 13.

2) A recent survey by Network Box of 250 small businesses demonstrated an alarming indifference to security. 62 per cent had no system in place to protect against phishing, whilst a staggering 99% did not know how often their anti-virus software was updated.

3) The University of Missouri became the latest in a string of universities to suffer a serious security breach when hackers obtained more than 20,000 Social Security numbers (SSNs). Using IP addresses from China and Australia, the hackers made thousands of queries over a span of hours, obtaining one SSN at a time.

4) According to Symantec, Image Spam still accounts for more than 25% of all spam. This is essentially a technique which uses embedded images to bypass phishing filters. Whilst this is down from earlier in the year, the daily rates indicate a high level of variance. Spam itself accounts for 65 percent of all email at the SMTP layer.

5) A video clip was recently posted on YouTube showing union protestors examining trash awaiting collection outside Chase Bank in New York. The video shows loan application forms and other sensitive data being examined by the Service Employees International Union supporters. The clip again illustrates that low tech security issues remain a constant threat.

6) An audit has revealed that the IRS (The US Internal Revenue Service) lost almost 500 PCs in the 3 year period to the middle of 2006.It is believed that the personal information of at least 2,000 taxpayers could have been compromised as a result. The IRS have subsequently stated that they are "taking aggressive steps to further secure government equipment and protect sensitive data to mitigate the risk of potential identity theft or other fraudulent activity."


ISO 27002 Related Definitions and Terms

In each ISO 27000 Newsletter we include a selection of terms and definitions to unravel and explain some of the jargon and strange language used by IT and Information Security professionals. In this edition, we provide a further selection of terms that all start with the letter ‘F’.

Finagle's Law
The 'folk' version of Murphy's Law, fully named 'Finagle's Law of Dynamic Negatives' and usually rendered 'Anything that can go wrong, will.'. One variant favored among hackers is 'The perversity of the Universe tends towards a maximum.'. The label 'Finagle's Law' was popularized by SF author Larry Niven in several stories depicting a frontier culture of asteroid belt miners. This 'Belter' culture professed a religion and/or running joke involving the worship of the dreaded god Finagle and his mad prophet Murphy.

Fit for Purpose
Fit for Purpose is a general expression which can be useful to ensure that Information Security solutions are appropriate for your organization. Vendors will sometimes attempt to 'fit' their solution to your problem. Fit for Purpose is an expression which, when used within the solution negotiation context, places an onus of responsibility upon the vendor to ensure that its solution is (indeed) fit for the purpose which their client expects. Example : a well known systems company contracted for the sale of their system. Inclusive in the price was one of week training in the system. During implementation it became apparent that one week for training was totally inadequate. The customer successfully claimed (prior to legal action) that the supplier's solution was inadequate and hence not fit for purpose. When considering Information Security solutions, it is good practice to remind any potential suppliers in your requirement that the solution must be fit for purpose.

Flag
A message indication, sometimes, but not always, a warning to a user, which appears when a certain event takes place. For example, an inventory monitoring program may well 'flag' certain products when stocks fall below a predetermined level, to alert the user to re-order. An alternative use is to warn of an event which will take place in the future, but has not yet occurred, for example, a financial institution aware of large check-based transaction on a customer's account may 'flag' the account to avoid an unauthorized overdraft. Flags may be generated manually or automatically, depending on circumstances. In the case of the stock monitoring this would be automatic, while the check transaction example would be processed manually. Automatic flags serve a useful purpose in drawing users' attention to situations which otherwise may be overlooked.

Flame
'Flame' is abusive communication by E-mail or posting to a newsgroup, which attacks an individual or organization for some real or imagined grievance. The real problem is broader than that of a few rude e-mails: flame represents the anarchistic side of the Internet. The flame may start with only one abusive message, but it is broadcast so widely that large numbers of unconnected browsers join in - often on both sides of the argument. This can lead to 'Flame Wars', where the traffic load becomes so high that communications network performance degrades, and E-mail boxes become blocked - as is the case with bottlenecking and mail bombing. Problems for companies may arise if a member of staff has used an organization's e-mail address to start the flame - another reason to monitor staff activities. Flame has some redeeming features. Deeply unpleasant (or disturbed) individuals who posted lengthy racist (or sexist, or some other -ist) diatribes have found themselves flamed off the Net....

Freeware
Literally, software provided for free - no charge. This is not as uncommon as might be expected. Major software developers often give away old versions of their products to allow users to try them at no charge and, hopefully, succeed in tempting them to purchase the current release. Independent developers may give away small programs to establish a reputation for useful software, which then enables them to charge. Cover disks attached to a computer magazine often contain Freeware. As with Shareware, Freeware should be approached with caution, and staff dissuaded from trying out their new Freeware on organization equipment.