ISO27000 Newsletter - Issue 15

Welcome to the latest issue of the ISO 27000 newsletter, designed to provide news and updates regarding the ISO information security standards.

Included in this edition are the following topics:
1) Cell Phone / Mobile Phone Security
2) Trials and Tribulations of an Information Security Officer
3) Using COBIT: The Acquisition Process
4) Information Security News
5) Business Continuity Management: Preparation and Risk
6) ISO 27001 / 2: Common Mistakes Part 1


Cell Phone / Mobile Phone Security
The wide scale use of cell / mobile phones for business purposes has brought with it a raft of new risks and potential exposures. These devices can not only store voice messages (information), but text messages, and often complex data, particularly with the advent of internet browsable smartphones.

It is hardly surprising therefore that there has been a gradual increase in the number of security breaches and consequential losses resulting from phone theft or unauthorized phone access.

These issues are covered in a number of sections within ISO 27002. These include Section 9.2.5 (Security of Equipment Off Premises) and 10.8.1 (Information Exchange Policies and Procedures). However, most focus is applied within section 11.7.1: Mobile Computing and Communication.

The general objective of this section states: "The protection required should be commensurate with the risks these specific ways of working cause. When using mobile computing the risks of working in an unprotected environment should be considered and appropriate protection applied."

The section offers specific guidance with respect to the physical protection of the device itself, cryptography of the data held, backups of the data/information, and of course virus protection (particularly relevant to smart phones).

We would argue that awareness is also a major factor with respect to phone security. This type of device can very easily be taken for granted, and the security aspects overlooked. The following is perhaps a start point for a list to include in an awareness campaign for your employees:
- Do not openly display a phone: keep it out of sight in a pocket or handbag
- If possible, avoid using it in crowded areas
- Make a note of your phone's IMEI number
- Properly mark your phone with your zipcode/postcode
- If the phone is lost, report it straight away (police, service provider, security officer)
- Be aware of your surroundings and the people near to you
- Do not leave it unattended: keep it with you at all times
- Always use your phone's security lock code or pin number

Now is an excellent time to review this section (11.7.1) with respect to the Cell Phones / Mobile Phones within your own organization. Our crystal ball tells us that losses due to security exposure in this area are going to increase significantly over the coming months and years. Hopefully, our subscribers will be sufficiently prepared to avoid being one of the major victims.


Trials and Tribulations of a Part-Time Information Security Officer
Thursday was certainly a challenging day. As the newly appointed part-time Information Security Officer for Whithertech Associates I now have responsibility for trying to hold together the Information Security process. This is naturally in addition to all my normal duties.

On Friday I was a little late and was greeted in the corridor by my Director shouting that our network was down and our website had been hacked and defaced. He said I should get downstairs and help June to sort it out and, by the way, I should make more effort to get to work on time. I mumbled an apology and dashed off to see June, the acting network administrator and webmaster, to try to find out what was happening.

She was looking more than a little flustered when I arrived and said that all hell seemed to be breaking loose. She had only been doing the job for two weeks since our usual network administrator/webmaster Jack had gone off on long term sick leave, and although she understood most the technical aspects of the job, a lot of it was still new to her. Jack was good at controlling the network but never wrote anything down, so there were few procedures to follow.

We decided that the network was the priority so we put up a temporary holding page on the website and then got hold of the network logs and started to work through them. It was a lengthy process as Wednesday night included the month-end processing and there were literally thousands of entries. With few written procedures to explain the complexities of the coding it took over an hour to identify a couple of unusual log events affecting the network access. It also took some while to track down the cause, but with some additional technical support, and to cut a long story short, it was eventually identified that an IT operator who left the company last week had “allegedly” left some malicious code in the network control system, which had partially wiped out the network access directories. I went to advise my Director that the network should be back up running shortly while June called up the back-up access directories and restored them. I left my director fuming, having told me to make sure we collected good admissible evidence to support a possible legal case.

We then got on with sorting out the website problem. We had thought that the website was pretty secure but someone had managed to place some pretty heavy “Triple-X” links onto our “Welcome” page. The first task was to change the passwords and get the website up and running again, which we did from the back-ups that had now arrived from our off-site storage. We then looked at the logs for the FTP server and found that during the night the welcome page had been downloaded, the additional content added, and then re-uploaded to the server. Investigations into all this spurious activity are now ongoing involving some of our auditing staff, but I have my own suspicions that the same disgruntled IT operator may be involved.

Having lost most of Thursday on these incidents I needed to work pretty late that night to catch up on my main job. I was also left wondering if we could have managed the incidents better and got the systems up and running more quickly than we did.

The main lessons I learned that day –
1) In future we must change all our passwords immediately when staff with access permissions leave;
2) We must make sure we have MUCH better written procedures for critical processes;
3) We need to consider purchasing some scanning software to help detect malicious software and prevent it from causing future denial of service incidents;
4) I will have to spend more time learning about my new duties from my security manual; and finally,
5) I must go out and purchase a louder alarm clock before I end up losing my job!


Using COBIT: The Acquisition Process
ISO 27001/2 are of course the major international standards for information security. However, several wide spectrum governance frameworks exist which compliment these, the most well known being COBIT. This widely used framework provides comprehensive controls and guidance covering each key stage of the IT process.

The supporting 'Control-IT COBIT Toolkit' (http://citt.privacyresources.org) provides valuable implementation support for the framework and simplifies the implementation process. The following snapshot, which is based on the toolkit guidance, covers the IT SYSTEM ACQUISITION PROCESS.

HIGH LEVEL POLICY FOR IT SYSTEM ACQUISITION
Procurement procedures in respect of the purchase, lease or rental of all technology based products and services need to be developed. Internal control procedures covering these processes are to be developed and approved incorporating these requirements and providing the means to verify that these procurement control policies are being complied with on an ongoing basis.

The Key Performance Indicators are:
• Lower delays in meeting requests for new systems or IT equipment
• Higher percentage of procurement requests met on time
• Higher availability of comprehensive user and operations documentation

The Process Critical Success Factors are:
• Lower number of problems caused through poor acquisition procedures
• Lower cost of maintaining systems
• Lower cost of procuring systems

The IT Key Goal Indicator is:
• Higher level of business system owner satisfaction with systems and equipment

The compliance level measurement criteria are as follows:
• NIL - No procedures exist to manage IT systems acquisition. The only procedures available relate to general purchases or goods and services
• POOR - Although the management is aware that IT systems acquisition controls should be effectively controlled, there is no real implementation of these ideals. There is very little integration or liaison between business activities and systems acquisition
• INADEQUATE - There is recognition that IT systems acquisition controls should be in place and some efforts have been made to identify some basic level rules. The quality of the procedures remains fairly poor
• BASIC - There is a defined process for controlling IT system purchases but use of these procedures is inconsistent. Actual procedural content lacks conformity with agreed standards and these deficiencies are not addressed satisfactorily
• ACCEPTABLE - There is a reasonable degree of compliance with approved IT system acquisition procedures and a defined framework for review and approval. The approach covers all systems and applications. Strategic management of the purchasing processes is evolving and performance measurement and management is being integrated into these processes
• FULL - A formalized and comprehensive process for purchasing new systems and equipment is in place and is followed in all cases. The organization has a high level of technical awareness and can relate system acquisition requirements and system quality criteria to improving business performance levels

Overall, the above outlines a robust, consistent, and proven framework within which to operate a sound system acquisition process. It is a very good example of the COBIT approach, in that it illustrates the provision of measures and indicators, which are outside the scope of ISO 27001/2.


Information Security News
1) Lottery Scams Are Latest Spam Fad
According to Microsoft (http://www.microsoft.com), 50% of spam emails are currently lottery scams (usually inviting the victim to claim their "winnings" or similar). Surprisingly, their poll also revealed that 16% of recipients actually opened them, indicating an almost complete lack of security awareness.

2) University Fined For Security Breach
The University of California has agreed to pay the U.S. DoE a $2.8 million fine as a result of a security breach at its Los Alamos National Laboratory. The fine stems from an incident in which a subcontractor's employee stole classified documents and stored others on a USB drive in 2006.

3) Anti-botnet Charges
The FBI has announced that it has charged eight men with using internet 'botnets' to perform fraud and to launch other malicious attacks. The men are alleged to have profited by lifting sensitive credentials off their victims' computers, releasing DDoS attacks and leasing 'zombie computers' to other parties.

4) Vista Security Fixes
Microsoft has released a detailed list of more than 300 security patches within the upcoming initial service pack (SP1) for its Windows Vista operating system. The complete list of SP1 service pack items is posted on Microsoft's website

5) Security Gap
Gap, the clothing retail outlet, have admitted that the unencrypted Social Security numbers of 800,000 job applicants was stolen from a third-party vendor. The vendor contacted law enforcement authorities about the breach.

6) Software Piracy Settlement
6 US based companies have recently settle claims with the Business Software Alliance (http://www.bsa.org) over use of unlicensed software following self audits. The total settlement was for almost $700k.


Business Continuity Management: Preparation and Risk
ISO27001 places a great deal of emphasis on the business continuity management regime (in fact it devotes a whole chapter to this topic). The BCM objectives as defined within the standard are “to counteract interruptions to business activities and to protect processes from the effects of major failures of information systems or disasters and to ensure timely resumption”.

Usually, the better prepared you are, the more likely you will be to meet this objective, and the more effective will be your recovery. Unfortunately, many organizations do not properly embrace risk assessment, and often start their business continuity project ill prepared.

PREPARATION
It is important at the outset to have the full commitment of the Board or Governing Body of the organization. Without this, problems downstream are inevitable. An awareness campaign should follow, to ensure that all staff are notified of that commitment.

The business continuity project can then be initiated (central to which is the delivery of a business continuity plan). It is essential, however, that this project is formal and structured.

Initial steps for the project itself will include defining scope, and obtaining copies of all appropriate documents and information. A formal risk assessment exercise must follow.

RISK ASSESSMENT
Initial emphasis on effective risk assessment will enable you to predict different types of incidents with more accuracy. It will help ensure that focus is applied to those areas to which it is most needed.

This aspect of BCM involves analyzing the business processes and identifying vulnerabilities through risk assessment and probability analysis. It includes the establishment of critical business timeframes including recovery time objectives (RTO) and maximum tolerable period of disruption (MTPD). The RTO will represent the time interval between the incident occurring and the time when a measurable negative impact will result on the business whereas the MTPD will represent the time interval between the incident occurring and the time when the impact from the incident will become extremely serious for the business.

Following a detailed risk analysis of the business and its processes, suitable levels of safeguards and controls should be implemented that will protect the business processes and product delivery

It is important to understand that none of the above tasks can be short cut. Proper planning and preparation may seem to be a burden, but the pay back could well be the survival of the organization itself.


ISO 27001 / ISO 27002: Common Mistakes Part 1
David Watson was one of the earliest exponents of the standards, and is one of the most well known industry figures. In this series of articles for the ISO 27000 Newsletter he outlines some of the most common errors and mistakes he has encountered over recent years:

COMMUNICATIONS AND OPERATIONS MANAGEMENT (Section 10)
There are often no standards and little or no documentation of the Corporate Systems;

Rarely is there an effective and properly implemented change management process. There are sometimes no formal change management processes or records of change meetings available. Change management meetings often have the wrong level staff attending, have whole business areas that do not/will not get involved, and no minutes for meetings to show changes successfully and unsuccessfully implemented;

There is often no management software for the network, or any form of planning for the IT systems or capacity;

Rarely are Service Level Agreements in place and if they are they are rarely monitored and used effectively. Sometimes the business has unrealistic ideas of IT Service availability and the IT Department cannot meet the requirements without serious investment, which the business may not be willing to provide. This can lead to a breakdown in relationships between business units and IT;

Often the Information Security Manager is not advised of new projects or is so stretched that he cannot make the time to provide assistance;

I often find a backup process that does not provide full backup integrity or recovery capability.

SECURITY POLICY (Section 5)
This can be an enormous can of worms, as policies are:
- Often missing (Some companies do not even have a set of policies!);
- Frequently out of date;
- Often unknown by staff especially third parties and most especially IT Contractors and Consultants;
- Not enforced;

There are often no ecords to show who has received the policy with supporting training, and there is rarely evidence of policy review.