ISO17799 Newsletter - Issue 5

Welcome to this, the fifth edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to ISO 17799 and information security.

The information contained is free to our subscribers and provides guidance on a range of practical issues, plus commentary on recent Information Security incidents.

In this issue we focus specifically on the dangers of security complacency with everyday devices and technology. Included are the following topics:

1) ISO 17799 or BS7799?
2) The First Steps
3) Mobile Phone Security
4) ISO17799: A World Wide Phenomena
5) E-mail: Virus Control
6) ISO17799: More Frequently Asked Questions
7) Safeguard Your Laptop
8) Specialist ISO17799 Consultancy Division Created
9) COMPSEC - ISO17799 Content
10) Exposures? It's the People!
11) BSI Certifications
12) ISO 17799 Section 4 - Service Level Agreements
13) It Couldn't Happen Here.... Could It?

ISO17799 OR BS7799?
We still receive questions from people asking what the differences between BS7799 and ISO 17799 actually are. Hopefully we can clear this up.

BS 7799 Part 1 (BS7799-1:1999) and ISO17799 (ISO/IEC 17799) are essentially the same. With one or two minor modifications, BS7799-1 was published as ISO/IEC 17799 in December 2000.

Perhaps the confusion arises from the fact that there is a second part to BS 7799. This is a discrete publication and covers information security management systems. It is not an ISO document at this stage.

THE FIRST STEPS
The first steps are usually to obtain the standard itself, perhaps with some of the fundamentals.

The highly acclaimed 'ISO 17799 Toolkit' includes both parts of the standard: ISO17799 and BS 7799-2. Alternatively, both parts can be purchased together or separately from the electronic shop. The URLs for these resources are as follows:

ISO17799 Made Easy: www.27000-toolkit.com
This is the home page for the toolkit. This package was put together to help those taking the first steps towards addressing ISO17799. It includes audit checklists, a roadmap, ISO17799 compliant security policies, both parts of the standard, and a range of other items.

ISO17799 Electronic Shop: www.iso17799.net
This is the ISO17799 / BS7799 Electronic Shop. Essentially it is an online vending site for downloadable copies of the standard.

MOBILE PHONE SECURITY
The Theft of mobile phones continues at an alarming rate. Many users however continue to keep their phones in a "ready to use" state which means that the phone can be used immediately, thereby potentially incurring costs for the user that may not be recoverable. Perhaps more importantly, many phones are used to store confidential data and information.

The following common-sense advice is provided to enhance the security of mobile phones:

Do not openly display a mobile - keep it out of sight in a pocket or handbag
Do not leave a mobile in view in an unattended vehicle
Always use your phone's security lock code or pin number
If possible, avoid using it in crowded areas
Be aware of your surroundings and the people near to you
Do not leave it unattended - keep it with you at all times
Make a note of your phone's IMEI number
Properly mark your phone with your zipcode/postcode
If the phone is lost or stolen, report it straight away to the police and to your service provider

Perhaps more than any other device, the mobile phone is often too familiar to its user to be viewed from a security perspective. If this continues, how long before a mobile phone related incident appears in our "It Couldn't Happen Here, Could It?" section (see later)?

ISO17799 - A WORLD WIDE PHENOMINA
Our source list for purchases of ISO17799 proved to be a popular talking point in the last edition of ISO 17799 News, so here is the up to date version of the most recent 500 or so:

Argentina 1
Australia 6
Austria 6
Barbados 2
Belgium 6
Bermuda 1
Bosnia and Herzegovina 1
Brazil 6
Canada 61
Cayman Islands 1
Chile 4
China 3
Colombia 5
Costa Rica 1
Croatia 1
Cyprus 1
Denmark 6
Egypt 4
France 3
Germany 27
Gibraltar 1
Greece 3
Guatemala 1
Hong Kong 9
Hungary 1
India 3
Indonesia 3
Ireland 12
Isle of Man 1
Israel 1
Italy 22
Japan 4
Malaysia 5
Mexico 11
Netherlands 13
New Zealand 3
Norway 10
Panama 1
Portugal 1
Russia 3
Saudi Arabia 2
Singapore 9
Slovak Republic 1
Slovenia 1
South Africa 5
Spain 11
Sultanate of Oman 1
Sweden 5
Switzerland 17
Taiwan 3
Thailand 2
Tunisia 1
UAE 4
UK 121
USA 237
Venezuela 2

The same health warnings apply as did last time: these are online credit card sales. As a consequence, those cultures that are less familiar with this form of commerce will be under represented in the figures.

SAFEGUARD YOUR LAPTOP
Our final item considering the security of everyday items pertains to the ever popular (for security exposure!) laptop.

Although the laptop is a powerful tool in today's flexible working environment, it is also a magnet for thieves and crooks. Securing proprietary information when traveling or working away from the office is an important issue, which is often not given the priority it deserves. During 1999, Fortune 1000 companies experienced total losses of over $45 billion following the theft of proprietary information, according to the American Society for Industrial Security. A sizable percentage of this actually resulted from laptop exposure!

Although various security devices and products are available to protect laptops, the best defense against theft is still the use of common sense. The following guidelines should be considered:

In public places, keep your laptop close at hand, and be particularly vigilant when passing through airport security
Carry your laptop in a non-descript case, rather than a purpose-made case
Ensure that important data is backed up on to suitable storage media, and always carry floppy-disks/CDs/media separately from your laptop
Change access passwords on a regular basis, and never use the default "save password" options
Engrave a suitable identification reference on a conspicuous place on the laptop
Disconnect any Internet connection when not in use, and ensure a firewall is used when connecting from a home DSL or other broadband connection
Strictly confidential data should be encrypted using a strong recognized algorithm.

ISO17799 - MORE FREQUENTLY ASKED QUESTIONS

1) What is risk assessment?
A classical definition of Risk Analysis is one which describes it as a process to ensure that the security controls for a system are fully commensurate with its risks. This embraces the study of relevant threats, vulnerabilities, controls in place and of course potential impacts.

2) What has this got risk got to do with ISO17799?
It is an integral part. It should not only be used for the selection of controls from part 1, but is a mandatory element of part 2, which covers process and IS systems.

3) Where can I learn about risk analysis?
More detail on this topic can be found at: www.security-risk-analysis.com

4) What is the difference between accreditation and certification?
Essentially an accreditation body is an organization (usually national) that grants third parties the authority to issue certificates (to certify). It is the latter, therefore, that issues certificates (certifies) against standards/etc. The former confers the right to do this on the certification company.

5) Is ISO 9000 Involved?
The new release of BS7799 Part 2 has been 'harmonized' with other management standards such as ISO 14001 and ISO 9001. This latest released was issued on Sept 5th 2002 and is available from both of the sources described in Section 2 of this newsletter.

6) How Global is It?
It is indeed a global standard. Quite apart from sales of the standard itself, certification is equally widespread, with certificates being issued in many countries. Amongst these are: Australia, China, Japan, Italy, Egypt, Holland, Norway, Korea, United States, United Kingdom, Germany, Hong Kong, Sweden, UAE, India and many others.

E-MAIL: VIRUS CONTROL
In today's business environment, it is almost obligatory for companies to be easily accessible via e-mail communication. However, our familiarity with this method of communication and the speed with which we can both send and receive messages means that it is all too easy to be caught off guard by e-mails containing destructive viruses.

A recent survey by anti-virus specialists MessageLabs indicated that although the use of e-mail continues to flourish and there is an increased awareness of the possibility of virus attacks, it is still not being matched by a proportional rise in effective virus protection.

We therefore offer the following guidelines, which stress the need for an adequate information security policy, not only in terms of maintaining up-to-date virus protection, but also ensuring that staff remain constantly vigilant in their use of e-mail:
Purchase suitable anti-virus software from a well-established vendor, ensuring that the license is sufficient for all your organization's computers, including laptops. For optimum deployment, install on both servers and workstations.
Ensure that your anti-virus protection is updated regularly, preferably on a weekly basis, or possibly even a daily basis for critical systems. Updates can usually be downloaded from your chosen supplier via the Internet.
Staff awareness of Information Security issues can fade unless continually reinforced. Ensure that all staff, whether permanent or temporary, are fully aware of the risks involved in opening unsolicited e-mails, and provide regular, on-going Information Security awareness training/messages to reinforce key messages.
If you do not have an Information Security Officer, consider appointing a a person to take responsibility for Virus Control, and to ensure that if a virus incident should occur, it is rapidly dealt with to minimize any impact.
Assess the e-mail security awareness of all new staff, and provide any necessary induction training before they are given access to systems.

Useful Resources:
RUsecure Information Security Policies: rusecure.toolkitshop.com
E-Aware Email Security Awareness: www.induction.to/email-security/

A SPECIALIST ISO 17799 CONSULTANCY DIVISION IS CREATED
The advent of ISO17799 has had a dramatic impact on the way consultancy firms offer their security services. Not only is it a benchmark for security itself, but from a deliverable point of view it can provide a benchmark on the quality of the security service actually delivered.... simply by virtue of the fact that something measurable IS delivered. The latter of course could be a compliance level against the standard, or perhaps certification.

One of the first firms to re-act to this is 7safe Ltd. 7safe is a recognized consultancy firm for a range of information security services, but recently re-organized to address the growing demand for ISO17799 related services. Alan Philips, the company's Managing Director told us: "The majority of our customers are now aware of ISO17799 and the number of inquiries we receive on this is growing rapidly. It made sense to address this demand by creating a specialist unit within 7Safe. It is obvious that ISO17799 is here to stay, and that it will continue to grow".

The company offer a range of services designed to support those embracing the standard to different degrees, including training and consultancy. They can be contacted via the following email address: iso17799@7safe.com

COMPSEC 2002
As conference season looms, security professionals consider the best spend options for their training budgets. This is not always an easy choice, with sometimes diverse requirements in play.

To address this, COMPSEC, one of the worlds most established and highly regarded conferences, offers four simultaneous security streams: Management, Technical, Case Studies and Infrastructure, Legal & Ethics. Between them, these embrace dozens of sessions, presented by some of the biggest names in the information security industry. The scope of the conference covers a significant number ISO17799 relevant issues.

COMPSEC runs for three days, from 30th October to 1st November inclusive. It is hosted at the QEII Conference Centre in London. For more information, see the COMPSEC 2002 web site at: www.compsec2002.com

EXPOSURES? IT'S THE PEOPLE!
It was recently disclosed by one of Microsoft's executives how the company's top secret source code was accessed last year by a hacker. This particular incident resulted in worldwide concern about the security of networks.

Although Microsoft's security system is considered to be one of the best in the industry, hackers often target it. On this occasion, access was gained by the hacker because a member of staff, when configuring a server, left a password field blank.

Bob Herbold, Microsoft's retiring Executive VP said, "It's not the technology, folks, it's the people. When we trace them (the errors) back, it's always human error". This attack shows again how important basic protective features such as passwords are and that awareness education in respect of security procedures should be given to all users.

BSI - CERTIFICATIONS
We are pleased to add the following to the list produced in Issue 4 of those who have been certified by BSI with respect to BS7799 Part2 for at least one system in at least one location:

Eastlands Benefits Administration; Glaxo Wellcome; HackersLab Taiwan Co Ltd; Hanwha Solutions & Consulting Korea; International Integrated Systems Inc; The Dacom Corporation; Data Centres, Networks and Internet Managed Services; Dental Practice Board; JMC Co Ltd; Kensington Mortgage Co; Legal Document Management; NTT Data ITSC Group Japan; Prism Communications Corp ; TQM Consultants Ltd.

Congratulations to all these organizations.

We intend to produce a more complete list in a future newsletter. This will also include certificates issued by some of the growing number of other certification bodies across the world.

ISO17799 SECTION 4: SERVICE LEVEL AGREEMENTS - THE SLA
Service Level Agreements (SLAs) are actually relevant to several sections in the standard. However, section 4, focusing on security organization, gives perhaps the most focused coverage of agreements and contracts.

The SLA is actually an extremely important document. It defines the parameters of your service - whatever that service may be. It is the common basis of understanding between the parties involved.

Part of the definition of course should be focused upon security. Expectations and requirements should be fully embraced by this. However, it should also go much further, describing what actions are required in the event of problems, what happens if one party breaks the agreement, and so on.

Unfortunately, SLAs tend to be viewed in a similar way to business continuity plans: essential to have but a painful exercise! Well: that need not be the case. It is not actually necessary to re-invent the wheel.

EasyTec have recently released 'The SLA Toolkit'. The comprises a full SLA Template (MS-Word) and an interactive guide to take you through it. It also includes an audit checklist to review existing agreements and a training presentation to explain SLA's more fully and in some detail.

For information on this kit see: www.service-level-agreement.net Whichever approach you adopt, if you do not yet have an SLA for critical services, it is certainly time to address this.

IT COULDN'T HAPPEN HERE....COULD IT?
Every issue of the newsletter features at least one TRUE story of an information security breach and its consequences:

1) The Old Duplication Trick
Two friends, one an employee of an international oil company, created a new company between them. The purpose of the company was entirely to receive payments fraudulently from the oil company.

Their first step in the saga was to gain access to the oil company's London offices out of hours. This was achieved by hiding an electronic micro-transmitter behind the wiring of the magnetic card junction box outside the office entrance. This was placed at a time when the employee had legitimate access to the building. A small room was hired near to the building to receive the actual transmissions.

The employee could now leave the company's employment. Before doing so, however, he had established that the account payment system was split into two discrete suites... one for services, the other for goods. There was no cross checking at all between them.

Over 18 months, the ex-employee entered the building at night, took advantage the feeble terminal access controls, and activated step two.

He essentially gained access to the above payment system and entered invoices and payment orders to his newly created company. All these invoices were duplicates of existing legitimate orders, but were made on the other suite. They were all of approximately 10,000 UKP in value.

Over 18 months the company lost 318,000 UKP. The incident only came to light during a manual audit when an auditor spotted that an invoice for a product had been placed in the service suite. When it was moved across, it was then spotted that two companies were seemingly supplying exactly the same product, which was highly suspicious and merited the full investigation which revealed the fraud.

2) Confidential Litter?
When an explosion occurred at the head office of a major bank, the surrounding streets were littered with thousands of papers containing confidential customer information.

As well as recovery from the physical incident itself, which happened on a non-working day, the bank therefore had to contend with a serious issue of breach of confidentiality, and the resultant (significant) bad publicity which followed.

This was possibly the one area they had not covered properly in what was otherwise an exemplary disaster recovery plan!