ISO17799 Newsletter - Issue 8

Welcome to the eighth issue of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to ISO17799 and information security.

The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents. In view of recent events, this issue focuses particularly upon business continuity and disaster recovery.

Included in this issue are the following topics:
1) Obtaining ISO17799
2) Recent Internet Attacks
3) ISO17799 CSFs (Critical Success Factors)
4) Main Control Types
5) ISO17799 Section 11 - The North American Blackout
6) ISO17799: a World Wide Phenomenon
7) Potential Emergency Types for BCP
8) Back-Up and Recovery Strategy
9) More Frequently Asked ISO17799 Questions
10) Service Availability and the SLA
11) ISO 17799 Related Definitions
12) It Couldn't Happen Here.... Could It?

OBTAINING THE ISO 17799 AND ISO27001 STANDARDS
The first question we usually receive is "Where can I get hold of a copy of the standard?" The standard itself is available from:

ISO17799 STARTER KIT: http://www.27000-toolkit.com
This is the web site for the ISO17799 Toolkit. This downloadable package was created to help those taking the first steps towards addressing ISO17799. It includes both parts of the standard, audit checklists, a roadmap, a set of ISO17799 compliant security policies, and a range of other items and materials.

BSI ELECTRONIC SHOP: http://www.standardsdirect.org/iso17799.htm
This is the ISO17799/ISO27001 Electronic Shop. Essentially it is an online vending site for downloadable copies of the standard.

RECENT INTERNET ATTACKS: BLASTER
Virus attacks remain the most common form of security breach.

One virus-like worm called "Blaster" has recently infected over 300,000 computers. It is also known as LovSan as it leaves a love note to 'San' on infected PCs. Although it does not destroy files, it continually shuts down the computer and restarts it. Microsoft actually posted a fix for this virus as early as 16 July but many organizations and home users have not installed it, so the vulnerability still remains and infection continues.

The lesson from this: monitor and maintain your operating system and other software with security fixes and upgrades as they are released.

Many organizations typically have a firewall that can repulse such attacks. However, weaknesses in the use of firewalls, including through laptops or home computing equipment, can sometimes allow a breach if the software is not kept up to date. Again, PRO-ACTIVE management is required: organizations should introduce and enforce policies and procedures to ensure that firewalls are kept up to date on all equipment that is used by their employees for the organization's business.

Generally therefore, many businesses are often slow to update their files and software with the latest fixes and only respond when a problem occurs. This is a dangerous path.

In accordance with the requirements of ISO17799, all organizations should have clear enforceable policies and procedures that ensure at least firewalls and virus software are kept fully up to date. This requirement should be supported through regular audit and internal control checks.

ISO17799 Reference: Protection against malicious software is covered in Section 8.3

Other References:
www.security-manual.com (security management)
www.zonelabs.com (firewall supplier)
www.symantec.com (AV supplier)

CSFs: ISO17799 CRITICAL SUCCESS FACTORS
We are sometimes asked which factors are most important for the successful implementation of information security. ISO 17799 itself states these as:

- security policy, objectives and activities that properly reflect business objectives
- a sound understanding of security risk analysis, risk management and security requirements
- an approach to security implementation which is consistent with the organization's own culture
- clear management commitment and support
- effective 'marketing' of security to employees (including managers)
- proper distribution and guidance on security policy to all employees and contractors
- provision of adequate education and training
- a balanced and comprehensive measurement system to evaluate performance in IS management and feedback suggestions for improvement

MAIN CONTROL TYPES
Access to information should be controlled through a combination of electronic methods and 'process controls'. These process controls include applying a classification code and assigning ownership to each piece of information within the organization. Once the control process has been applied to each type of information, it is possible to establish access rights and formally authorize these rights in respect of each employee or user. The desired Information Security controls can then be achieved by restricting access to specific information through password controls or other similar access control methodologies.

Many business software packages, of course, have integral security features that support the protection and disclosure of information. Microsoft Office 2000®, for example, has a wide range of document protection and on-line tracking features, which can simplify the process controls applicable to access authorization and restriction (Note: these features are located within 'File', 'Properties', 'Tools', 'Track Changes' and 'Tools', 'Protect Document'). We recommend that such features should be evaluated with your own business software packages and, if found appropriate, incorporated in the organization's information security processes.

The key to remember however is that protection should embrace BOTH electronic and process controls. Weakness in either is weakness of the whole.

NOTE: Additional details on controlling access to information can be found in a number of publications. A good example is the Interactive Information Security Officer's Manual referenced above (www.security-manual.com)

ISO17799 Reference: Asset classification and control is covered in Section 5.2

ISO17799 SECTION 11: THE NORTH AMERICAN POWER BLACKOUT
The sudden loss of the North American grid on 14 August 2003 caused severe outages that affected electricity supplies, water supplies, air conditioning, transportation, sanitation, traffic lights and much more. It is estimated that over 50 million people and many thousands of businesses were impacted directly.

It was also reported that large numbers of people were trapped for hours in subway trains and in pitch black elevators in temperatures of more than 90 degrees. All airports in the region were reported to be immediately closed as security equipment would not operate.

The relief that this did not appear to have been caused by terrorism was tempered by the realization that despite the corrective activities following 911, most organizations located in the region were not adequately prepared for such unexpected catastrophes. This event is likely to intensify efforts around the world to speed up business continuity planning and contingency planning projects. Although this particular emergency is not believed to be related to terrorism, it is fairly easy to envisage how terrorist actions could result in similar catastrophes both in the US and the rest of the world.

But how difficult is it for your organization to quickly prepare base level plans to meet the most serious eventualities?

Actually this is a relatively simple process when using a template process, such as the widely acclaimed BCP Generator. This user friendly business continuity support product supplies the outline plan structure, all necessary templates, and project management assistance together with interactive comprehensive advice and guidance on how to develop the plans.

To develop a business continuity plan, in simple terms:
- The first task is to appoint a member of senior management to oversee the process and be responsible for the development of suitable continuity plans.
- The organization's critical business activities need to be reviewed to determine what types of disaster would have a serious impact on the business
- Concentrate initial efforts on the most critical business system functions and do NOT restrict the plan to cover only information technology systems
- The potential financial impact of such disasters on the organization's bottom line needs to be assessed
- Alternative strategies and procedures need to be identified that would enable critical business activities to continue or recover in the shortest possible time.
- Prepare a plan allocating responsibilities and required actions
- Review and test the plan under realistic conditions
- Train the staff and prepare alternative procedures to be used in emergencies - ensure everyone knows exactly what is expected of them in a particular emergency
- Identify and train a core team to look after the initial organization and emergency handling
- Keep the plan current with regular reviews of critical functions

All these issues and many more are comprehensively covered by tools like the above.
Further information is available from:
www.disaster-recovery-plan.com
www.time.com/time/powergrid/
www.ksg.harvard.edu/hepg/Blackout.htm

ISO17799 and ISO27001: A WORLD WIDE PHENOMENON
Our source list for purchases of ISO17799 always proves to be a popular talking point, so here is the up to date version of the most recent thousand or so:

Argentina 2
Australia 9
Austria 8
Bahrain 1
Barbados 2
Belgium 11
Bermuda 2
Bosnia and Herzegovina 1
Brasil 7
Brunei 1
Canada 87
Cayman Islands 1
Chile 5
China 3
Colombia 6
Costa Rica 1
Croatia 2
Cyprus 1
Denmark 12
Egypt 4
Estonia 1
Faroe Islands 1
France 10
Germany 42
Gibraltar 1
Greece 4
Guatemala 1
Hong Kong 9
Hungary 3
India 7
Indonesia 5
Ireland 18
Isle of Man 1
Israel 2
Italy 28
Jamaica 2
Japan 7
Malaysia 6
México 2
Netherlands 23
New Zealand 5
Norway 14
Panama 1
Philippines 1
Poland 1
Portugal 5
R.O.C. 1
Romania 2
Russia 4
Saudi Arabia 4
Singapore 11
Slovak Republic 1
Slovenia 3
South Africa 6
Spain 17
Sultanate of Oman 1
Sweden 9
Switzerland 32
Taiwan 5
Thailand 2
Tunisia 1
Turkey 3
UK 277
United Arab Emirates 5
USA 432

The same health warnings apply as usual: these are online credit card sales from one source. As a consequence, those cultures that are less familiar with this form of commerce will be under represented.

POTENTIAL EMERGENCY TYPES FOR BUSINESS CONTINUITY PLANNING:
PART 1

A key part of the business continuity planning process is to examine what types of potential disaster or emergency situations will need to be catered for. The focus here should be on the level of business disruption likely from each serious incident. One category of potential emergencies to be considered comprises those caused by one or more of the following Information Security incidents:

a) Loss of records or data
The loss of records or data can be particularly disruptive where poor back up and recovery procedures result in the need to re-input and re-compile the records (if possible). This is normally a slow process and is particularly labour intensive. This can result in an increase in costs through additional working hours and a great deal of embarrassment and potential direct loss where information is unexpectedly not available.

b) Cyber crime
Cyber crime is a major area of information security risk. It includes attacks by hackers, denial of service attacks, virus attacks, hoax virus warnings and premeditated internal attacks. All cyber crime attacks can have an immediate and devastating effect on the organization's normal business processes. The average cost of an information security incident has been estimated at US$30,000 and over 60% of organizations are reported to experience one or more incidents every year.

c) Disclosure of sensitive information
Not necessarily an availability issue, but nonetheless a serious information security incident which can result in severe embarrassment, financial loss, and even litigation where damage has been caused to someone's reputation or financial standing. Further types of serious disclosure involve secret patent information, plans and strategic directions, secret recipes or ingredients, information disclosed to legal representatives etc. Deliberate unauthorized disclosure of sensitive information is also referred to as espionage.

d) IT system failure
With the almost total level of dependence on IT systems within many businesses, a failure of these systems can be particularly devastating. The types of threats to computer systems are many and varied, including hardware failure, damage to cables, water leaks and fires, air conditioning system failures, network failures, application system failures, telecommunications equipment failures etc.

Each of the above scenarios needs to be developed and examined in detail, and an analysis prepared of the potential consequences. Each scenario should also be assessed for possibility of occurrence (probability rating) and possible impact (impact rating). A suggested rating structure for probability and impact assessment is given in the table below:

PROBABILITY   RATING LEVEL   IMPACT SCORE   RATING LEVEL
1             VERY HIGH      1              TERMINAL
2             HIGH           2              DEVASTATING
3             MEDIUM         3              CRITICAL
4             LOW            4              CONTROLLABLE
5             VERY LOW       5              IRRITATING

Again, this sort of approach is covered by a tool such as the BCP Generator (www.bcpgenerator.com) as described above, or by an automated system like COBRA. The key, however, is the process: rationalizing issues which superficially do not seem to lend themselves easily to analysis.

BACK-UP AND RECOVERY STRATEGY
One of the most important aspects of Business Continuity Planning for the majority of organizations is in choosing an appropriate strategy for the back-up and recovery of the IT based systems.

In this phase, the key business processes are matched against the IT system and an appropriate speed of recovery strategy is chosen. This may require some in-depth research to determine the relevant costs of each strategy. For large systems, it may also be necessary to prepare a detailed Request for Proposal for vendors to establish the viability and cost of the preferred strategic approach.

Consideration should also be given to the impact of potential severe damage to both premises and communication systems which could, of course, also have a significant impact on the organization's IT services and systems.

There are a number of strategic options to be investigated when considering IT systems back up and recovery processes. The two most important factors to be considered are the criticality of the IT systems to the business processes (the speed of recovery needed), and the amount of money available for IT back up and recovery strategies. The options, in order of cost, are as follows:

a) A Fully Mirrored Recovery Site
This strategy entails the maintenance of a fully mirrored duplicate site which would enable instantaneous switching between the live site and the back up site. This is normally the most expensive option.

b) A Switchable Hot Site
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain an identical site with communications to enable you to switch your IT operations to his site within an agreed time period, usually less than one to two hours.

c) A Hot Site
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain a compatible site to enable you to switch your IT operations to his site within an agreed time period, usually less than six to twelve hours.

d) A Cold Site
This strategy involves the setting up of an emergency site once the crisis has occurred and has a standby arrangement with a vendor to deliver the minimum configuration urgently. This option usually enables the organization to be operational within two to three days.

e) Relocate and Restore Option
This strategy involves the identification of a suitable location, hardware and peripherals and re-installing the systems and backed up software and data after an emergency has occurred. This strategy is usually considered to be inadequate for the needs of today's business.

f) No Strategy At All
This is the cheapest strategy. This also carries the highest risk and will involve no off-site back up of system or data. This option often ends up with the organization going out of business.

ISO17799: MORE FREQUENTLY ASKED QUESTIONS (FAQ)
1) What is Security Risk Analysis?

A classical definition of Risk Analysis is one which describes it as a process to ensure that the security controls for a system are fully commensurate with its risks. This 'process', however, can be complex in itself. Most methods though employ the following interrelated elements:

THREATS
These are things that can go wrong or that can 'attack' the system or business. Examples might include fraud or fire. Threats are ever present for every business and information system.

VULNERABILITIES
These make a system more prone to attack by a threat, or make an attack more likely to have some 'success' or undesired impact. For example, for fire a vulnerability would be the presence of inflammable materials (e.g. paper).

CONTROLS
These are the countermeasures for vulnerabilities. There are basically four types:

Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact
Corrective controls reduce the effect of an attack
Deterrent controls reduce the likelihood of a deliberate attack
Detective controls discover attacks and trigger preventative or corrective controls.

It is common for all these to be weighed against each other (manually or automatically) to produce a set of metrics, which enable business decisions regarding security to be more easily taken. Hence references to 'risk level', 'risk score' and so on.

The above information was derived from: www.security-risk-analysis.com

2) What has this to do with ISO 17799?
Risk analysis is actually an integral part of the standard. It is a mandatory element of BS7799-2 (process and IS systems) and should be used for the selection of controls from part 1.

3) Can I republish articles from ISO17799 News internally, on our company intranet, or even on our external internet site?
Yes, subject to a reference (a link) to the newsletters archive web site (http://www.molemag.net).

4) What is accreditation and certification?
This question keeps cropping up. An accreditation body is an organization (usually national) that grants third parties the authority to issue 'certificates' (to certify) against standards. This third party is the certification company.

5) Where can I discuss ISO17799 with other people online?
A Yahoo forum exists at: http://groups.yahoo.com/group/iso17799security/ with a similar resource at: http://www.17799.com

SERVICE AVAILABILITY AND THE SLA
Service availability can be described in terms of the time that a specific service will be made available by the supplier to the client, or perhaps stated as a percentage of an elapsed period of time.

For critical services, it is essential to describe the time period in which a specified service is expected to be available, and specifically the minimum percentage amount of time that that service has to be available to satisfy the Client's minimum level requirements. This is normally achieved through a Service Level Agreement (SLA).

In order to keep the structure of the SLA simple, the information for Service Availability for both Standard and Non-Standard Services is normally included in a separate Schedule Agreement. Within the main body of the SLA the following suggested basic wording or similar is normally used to state that the information is held in the separate Schedule: "The availability, operational reliability and response times of the Services to be delivered under this Agreement are as specified in Schedule C to this Agreement."

Should this wording not be suitable for either the Supplier or the Client and a decision is taken not to use a separate Schedule for this purpose, then the two parties should obviously agree on an alternative wording and the new wording inserted into the SLA accordingly.

Wherever it is described, however, the availability section is critical. It defines the client's requirements and expectations, and the supplier's obligations. Clearly these are vital issues in a business continuity context.

Useful Resources:
General information: www.sla-zone.co.uk
A comprehensive SLA template: www.service-level-agreement.net

ISO 17799 RELATED DEFINITIONS AND TERMS
In each ISO17799 Newsletter we will include a selection of terms and definitions to unravel and explain some of the jargon and strange language used by IT and information security professionals. In this edition we have provided a selection of terms that all start with the letter "S".

Super User
The term 'Super User', is one that denotes the highest level of user privilege and can allow unlimited access to a system's file and set-up. Usually, Super User is the highest level of privilege for applications, as opposed to operating or network systems. Notwithstanding the possible semantics, the use of Super User should be under dual control as such a user could, if they so wished, destroy the organization's systems maliciously or simply by accident; neither is acceptable!

Software Licensing
The use of unlicensed software is illegal, and whilst the majority of organizations would not condone it, the vast majority are believed to be using unlicensed software to some extent or another. In many cases, software piracy occurs totally unintentionally; perhaps where a genuinely licensed program is copied for use on multiple workstations. It is common practice for software vendors to permit customers to 'try before they buy'. In this case, they offer the software as 'shareware' and propose a trial of say, 30 days. At the expiration of the 30 day period, and depending upon the ingenuity of the developer, the software can refuse to load without the input of a valid license key; or it can continue to run as normal or can require the continued depression of a button to signify your understanding of the terms of the license. Unlicensed software is a major threat to an organization's Information Security because, not only does this jeopardize the legal position, it also threatens the data held on such systems as no support will be provided. The End User License Agreement is normally seen during the install process of the software.

Stripping
Deliberately deleting files, records, or data, from a system. This can be an authorized activity when, for example, duplicate files are identified and removed from the system to reclaim the disk storage space they occupy. More often, however, stripping is associated with the removal of records which evidence some fraudulent or other criminal activity. It is not unusual for Auditors, or Law Enforcement officers to find that the records they need for their investigations are not there. Deleted records can be recovered if the storage media is secured quickly enough, but a skilled stripper can usually remove all trace of them before such action can be taken. The only recourse then is to backup files where (hopefully) copies can be obtained.

Shoulder Surfing
Looking over a user's shoulder as they enter a password. This is one of the easiest ways of obtaining a password to breach system security. The practice is not restricted to office computers; it is used wherever passwords, PINs, or other ID codes are used. Could the person behind you at the bank ATM be a shoulder surfer?

IT COULDN'T HAPPEN HERE....COULD IT?
Every issue of The ISO17799 Newsletter features at least one TRUE story of an Information security breach and its consequences:

1) When is Disposal Not Disposal?
Secure disposal of computer media is by now a fairly well known requirement. It is widely, although not universally practiced.

The history of information security, however, is littered with examples of disclosure through uncontrolled disposal. Stories of competitors, or their agents, retrieving old diskettes/CDs/listings/etc from garbage bins are rife. However, there are plenty of other routes:

a) Not too many years ago a network was uncovered which specialized in the recovery and sale of corporate data. One of their methods was to purchase old tapes and diskettes from large companies and then restore the data using their own recovery software. This was then discreetly offered for sale to selected competitors!

b) A more recent example along the same lines: On this occasion the perpetrators tracked the disposal route of a computer engineering firm. This firm was responsible for the maintenance of peripherals and routinely replaced the faulty media of their clients. Sadly the hardware fault was not always terminal for the data stored.

Although many of the customers had excellent disposal procedures in place, they had not covered this eventuality. Their data was exposed as a result.

2) Confidential User-Ids?
Organizations rightly stress the importance of password confidentiality. Some also urge staff to select sensible passwords, which cannot be easily guessed or calculated.

Sometimes this is not taken as seriously as it should be, as individuals believe that, for example, a password of Sept2003 simply isn't going to be guessed by a perpetrator within the maximum number of input attempts allowed.

However, exposure doesn't always work like this. One breach occurred because the perpetrator discovered the format of a firm's user-ids (company code followed by 3 initials and a single digit number). He then reverse engineered the process: He selected a password similar to the above (eg: June2003) and then tried this password once against hundreds of combinations of user-id initials. The net result was that the accounts were not closed because each only had one invalid attempt. Eventually he hit a user with that password. He wreaked havoc.
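
The control gap in this story can be shown from the defender's side. The following is an added example, not part of the original newsletter: it runs a per-account lockout counter and a per-source check over the same authentication log, and only the second notices one failed attempt against many different user-ids. The log format, the source address field, the thresholds and every sample value are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <OK|FAIL> user=<id> src=<address>"
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

# Constructed sample log; user-ids follow the shape described in the story
# (company code, three initials, one digit). All values are made up.
SAMPLE_LOG = """\
2003-09-01T08:55:10 FAIL user=ACMEJQS1 src=10.0.0.12
2003-09-01T08:55:25 OK user=ACMEJQS1 src=10.0.0.12
2003-09-01T09:00:01 FAIL user=ACMEAAB1 src=10.0.0.99
2003-09-01T09:00:03 FAIL user=ACMEAAC1 src=10.0.0.99
2003-09-01T09:00:05 FAIL user=ACMEAAD1 src=10.0.0.99
2003-09-01T09:00:07 FAIL user=ACMEAAE1 src=10.0.0.99
2003-09-01T09:00:09 FAIL user=ACMEAAF1 src=10.0.0.99
2003-09-01T09:00:11 FAIL user=ACMEAAG1 src=10.0.0.99
2003-09-01T09:00:13 OK user=ACMEAAH1 src=10.0.0.99
2003-09-01T09:10:00 FAIL user=ACMEXYZ2 src=10.0.0.20
2003-09-01T09:10:05 FAIL user=ACMEXYZ2 src=10.0.0.20
2003-09-01T09:10:09 FAIL user=ACMEXYZ2 src=10.0.0.20
"""


def parse(lines):
    """Return (timestamp, result, user, src) tuples in time order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that do not match the assumed format
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events)


def locked_accounts(events, threshold=3):
    """Classic per-account control: lock after `threshold` failures in a row."""
    streak, locked = Counter(), set()
    for _, result, user, _ in events:
        if result == "OK":
            streak[user] = 0
        else:
            streak[user] += 1
            if streak[user] >= threshold:
                locked.add(user)
    return locked


def spray_sources(events, window=timedelta(minutes=30),
                  min_accounts=5, threshold=3):
    """Flag sources failing against many distinct accounts inside one window
    while staying under the lockout threshold on each account.
    Returns {source: largest number of distinct accounts seen in a window}."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    findings = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            per_user = Counter(user for _, user in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) < threshold:
                findings[src] = max(findings.get(src, 0), len(per_user))
    return findings


if __name__ == "__main__":
    events = parse(SAMPLE_LOG.splitlines())
    print("locked by per-account counter:", locked_accounts(events))
    print("flagged by per-source check:  ", spray_sources(events))
```

On the constructed log, the lockout counter reacts only to the account that received three failures in a row, while the per-source check reports the address that touched six accounts once each.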