A privacy and information security blog with rambling thoughts from my feeble mind, that may or may not be of any service to anyone at any time.
Wednesday, February 25, 2009
Information Security and Privacy class
Chris
Class Notes
Monday, February 23, 2009
Outsourcing Risk Management
You’ve heard it before: “you can outsource the business process, but you can’t outsource the risk.” SaaS, cloud computing, BPO, or simply external hosting of an internally developed application can expose an organization to far more risk than it would face if the data and solutions remained in-house. Of course, if an organization’s own policies, procedures, and standards are bad enough, outsourcing could also reduce the risk. Either way, organizations must manage that risk and determine whether there are significant changes that need to be addressed. COBIT, ISO 27K, PCI, and most other standards and many regulations call for the proper management and oversight of outsourced providers, so this should be no surprise to organizations or to the companies that provide these types of services.
The first place to start is contract negotiation with the external party. It should be clear what the organization expects and which standards, policies, and procedures must be met. There should be penalties and consequences if these are not met, and audit rights should always be present in any obligations. The FFIEC guidance on this is entitled Risk Management of Outsourced Technology Services.
The following is a good baseline of items that should be included.
Service Level Agreements with penalties of 10% of the yearly expenditures for each breach of the SLA.
The service provider and its agents are prohibited from using or disclosing the institution’s information, except as necessary to or consistent with providing the contracted services, and to protect against unauthorized use (e.g., disclosure of information to institution competitors).
All third-party or sub-contractors who will be storing or processing data must be approved.
Provider must disclose any known, suspected or future security issues or incidents
Any BITS FISAP, SAS 70 Type II, or other external third party audits
Qualified information security management must be in place in the organization
Regularly scheduled reviews of the third-party’s policies
Monday, December 1, 2008
Protecting our most valuable gifts
Various Internet Safety links for parents and children
http://www.netsmartz.org/
http://www.ConnectSafely.org
http://www.safekids.com
http://www.safeteens.com
http://www.kidswatch.com/
Wireless routers with filtering software built-in
http://www.pcmag.com/article2/0,1759,1619375,00.asp
http://tech.yahoo.com/blogs/devlin/5684
http://www.netgear.com/Products/RoutersandGateways/SuperGWirelessRouters/WGT624SC.aspx
Fire Safety for the home
http://www.firstalert.com/tundra_fire_extinguishing_spray.php
http://www.usfa.dhs.gov/kids/flash.shtm
Great sites about auto safety, and other safety items for kids
http://www.kidshealth.org/kid/watch/out/car_safety.html
http://www.aap.org/healthtopics/carseatsafety.cfm
http://www.nhtsa.dot.gov/portal/site/nhtsa/menuitem.9f8c7d6359e0e9bbbf30811060008a0c
Teen Driving
http://www.nsc.org/issues/teendriving/guide.htm
http://www.skipbarber.com/driving_school/mazda/new_driver.aspx
Monday, November 3, 2008
Encryption and Security Awareness – it’s the law!
Several states are jumping on the information security and privacy legislation train, and it is leaving the station at full speed. Just as data breach notification laws are now in place in 44 states, we can expect a similar rush by states to enact laws calling for specific security measures to protect personal information, and liability for companies that suffer breaches.
Massachusetts for example passed the following legislation, which calls for some very specific controls and measures to be enacted to comply with the state law.
This regulation is applicable for entities who “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts”.
According to the regulation personal information and records are defined as such:
"Personal information," a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
“Record” or “Records,” any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
Two of the more interesting and detailed requirements are:
“The encryption of all personal information stored on laptops or other portable devices,” and “to the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.”
“Each covered entity must train employees on the proper use of the computer security system and the importance of personal information security.”
Nevada has similar legislation that went into effect on October 1, 2008, which prohibits businesses from transmitting unencrypted personal information on consumers on external networks.
So how can your organization begin to comply with this type of legislation?
- Consult internal and external counsel on these matters and ensure you have someone specialized in privacy & data security law.
- Ensure you have a written information security plan that uses a published industry standard to use as a guideline (ISO, PCI, etc.). Most of the legislation is based on using “reasonable” security measures that cover (and this is the de facto language) administrative, technical, and physical safeguards.
- Once your standard is in place in your program – work to achieve that standard, by performing a risk assessment against the organization so you know where to start, and where to properly spend money and resources.
- Know where your important and confidential data is within the organization, and how people are using it. Get line managers that are responsible for this type of data together and ask them in a very non-accusatory manner how the organization is using and protecting this type of data.
- Exercise control over service providers and require them to contractually protect your data and follow your standards, as well as auditing them to ensure they are doing so.
- Have a plan ready in case none of this works and you have to report a breach.
Obviously, these are all very high-level requirements and are by no means an exhaustive list. Every organization is different and requires different controls and processes. The more you understand the data flows, and the risks to the organization the better you will be when the worst happens.
One quick note - in the definition of person, the commonwealth intentionally left any of their agencies out of this definition so they wouldn't have to abide by this legislation - NICE!
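The regulation’s definition of “personal information” (a name plus an SSN, driver’s license number, or financial account or card number) is concrete enough to turn into a check, which is what the “know where your important and confidential data is” step above needs when sweeping file shares and spreadsheet exports. The following is an added example written for this post, not code from the original or from any state agency; the column names, the constructed sample rows, and the `public_record` flag standing in for the regulation’s public-information exclusion are all assumptions. It validates the SSN against the Social Security Administration’s never-issued ranges and runs a Luhn check on card numbers so that placeholders and test data are not counted as regulated records.

```python
import re

# Data elements named in the regulation quoted in the post, keyed by the
# (assumed) column names of an exported data-inventory record.
SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def plausible_ssn(value: str) -> bool:
    """Format check plus the SSA's never-issued ranges (area 000, 666, 900-999;
    group 00; serial 0000), so a placeholder like 000-12-3456 is not counted."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(part) for part in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def luhn_valid(value: str) -> bool:
    """Luhn checksum for a credit or debit card number (spaces/dashes allowed)."""
    digits = re.sub(r"[\s-]", "", value)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Assumed column names -> validity check for each data element in the definition.
# Driver's license formats vary by state, so only a non-empty presence check is used.
ELEMENT_CHECKS = {
    "ssn": plausible_ssn,
    "drivers_license": lambda v: bool(v.strip()),
    "account_number": lambda v: v.strip().isdigit(),
    "card_number": luhn_valid,
}


def classify_record(record: dict) -> dict:
    """Apply the definition: (first name or initial + last name) AND one valid element."""
    first = str(record.get("first_name", "")).strip()
    last = str(record.get("last_name", "")).strip()
    name_present = bool(first) and bool(last)  # a single initial counts as a first name
    elements = [field for field, check in ELEMENT_CHECKS.items()
                if field in record and check(str(record[field]))]
    # Exclusion in the definition: lawfully obtained public information. Only the
    # data owner can assert that, so it is read from an assumed flag on the record.
    public = bool(record.get("public_record", False))
    return {
        "name_present": name_present,
        "elements": elements,
        "is_personal_information": name_present and bool(elements) and not public,
    }


def scan_records(records):
    return [classify_record(r) for r in records]


# Constructed sample rows standing in for a spreadsheet export found on a file share.
SAMPLE_RECORDS = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789"},
    {"first_name": "J", "last_name": "Smith", "card_number": "4111 1111 1111 1111"},
    {"first_name": "Bob", "last_name": "Lee", "card_number": "4111 1111 1111 1112"},
    {"last_name": "Jones", "ssn": "321-54-0987"},
    {"first_name": "Ann", "last_name": "Park", "email": "ann@example.com"},
    {"first_name": "Sam", "last_name": "Wu", "ssn": "000-12-3456"},
    {"first_name": "Pat", "last_name": "Ray", "account_number": "55501234", "public_record": True},
]

if __name__ == "__main__":
    for row, result in zip(SAMPLE_RECORDS, scan_records(SAMPLE_RECORDS)):
        flag = "PI" if result["is_personal_information"] else "--"
        print(flag, row.get("first_name", "?"), row.get("last_name", "?"), result["elements"])
```

Rows two and three show why the checksum matters: both carry a sixteen-digit number, but only the Luhn-valid one is treated as a card number. Row four has a valid SSN with no first name or initial, so it falls outside the definition as written, even though most organizations would still want to protect it.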
Friday, October 10, 2008
Spotting bogus e-mails using grammar checking
isc.sans.org and several other sites are reporting a bogus e-mail purporting to be from Microsoft and carrying malicious code; an example is below. In addition to the technical measures that can be taken, such as blocking executables in e-mail, effective spam filtering, A/V protection, and endpoint protections, users should also be reminded to be on alert for these types of messages. Besides telling them never to click on these types of items, and not giving them the local rights to do so, I believe we can go further in order to promote more security-conscious habits at home, and hopefully reduce the number of zombied systems available for bot herders. In this example the poor grammar in the e-mail is easy to spot and is a sure giveaway that it is bogus. OK, my grammar is not exactly perfect either, but that is not the point. Microsoft or any other company would most likely never distribute updates in this manner, but any valid communication from a company of this size would certainly not contain as many errors as I have illustrated below in bold, and that is exactly one of the items I point out to end users in the classes I teach. My guess is that someone for whom English is not his or her native language wrote this – a former or current Russian state would be my guess.
Dear Microsoft Customer,Please notice that Microsoft company has recently issued a Security Update for OSMicrosoft Windows. The update applies to the following OS versions: MicrosoftWindows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft WindowsXP, Microsoft Windows Vista.Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.Since public distribution of this Update through the official websitehttp://www.microsoft.com/ would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users. As your computer is set to receive notifications when new updates are available, [how do they know that?] youhave received this notice. In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine.
In that case,at this point the upgrade of your OS will be finished.We apologize for any inconvenience this back order may be causing you.
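The giveaways the post points to (missing spaces after punctuation, words run together, the misspelled “Millenium”, non-native phrasing, and the instruction to run an attached file) can be scored automatically as a first-pass triage for a mail gateway or a user-reporting mailbox. The following is an added example written for this post, not code from isc.sans.org or the original author; the indicator lists, weights, and threshold are assumptions chosen for illustration, and the bogus sample is an abridged, constructed copy of the e-mail quoted above with its errors left intact, alongside a constructed ordinary notice for comparison.

```python
import re

# Constructed sample: an abridged copy of the bogus "Security Update" e-mail
# quoted in the post, with its spacing and wording errors left exactly as sent.
BOGUS_EMAIL = (
    "Dear Microsoft Customer,Please notice that Microsoft company has recently "
    "issued a Security Update for OSMicrosoft Windows. The update applies to the "
    "following OS versions: MicrosoftWindows 98, Microsoft Windows 2000, Microsoft "
    "Windows Millenium, Microsoft WindowsXP, Microsoft Windows Vista.Please notice, "
    "that present update applies to high-priority updates category. In order to "
    "help protect your computer against security threats and performance problems, "
    "we strongly recommend you to install this update.Since public distribution of "
    "this Update through the official websitehttp://www.microsoft.com/ would have "
    "result in efficient creation of a malicious software, we made a decision to "
    "issue an experimental private version of an update for all Microsoft Windows "
    "OS users. 1. Run the file, that you have received along with this message."
)

# Constructed sample of an unremarkable notice, for comparison.
LEGIT_NOTICE = (
    "Hello Alice, this is a reminder that your monthly statement for the account "
    "ending in 1234 is now available. You can view it by signing in at the usual "
    "address. Regards, The Billing Team"
)

URL_RE = re.compile(r"https?://\S+")                    # URLs contain dots; drop them first
MISSING_SPACE_RE = re.compile(r"[,.!?;:](?=[A-Za-z])")  # "Customer,Please", "Vista.Please"
RUN_ON_RE = re.compile(r"[a-z][A-Z]")                   # "MicrosoftWindows", "WindowsXP"
GENERIC_GREETING_RE = re.compile(r"\bdear\b[^,\n]*\b(customer|user|member|client)\b")

# Assumed indicator lists; extend them from the mail you actually see reported.
MISSPELLINGS = ("millenium", "recieve", "occured", "seperate")
ODD_PHRASING = ("please notice", "recommend you to", "would have result",
                "a malicious software", "informations")
ACTION_LURES = ("run the file", "open the attachment", "along with this message",
                "install this update")

# Assumed weights: instructions to run something weigh more than a typo.
WEIGHTS = {"missing_space": 1, "run_on_word": 1, "misspelling": 2,
           "odd_phrasing": 2, "action_lure": 3, "generic_greeting": 2}
THRESHOLD = 8


def count_phrases(text: str, phrases) -> int:
    return sum(text.count(p) for p in phrases)


def score_email(body: str) -> dict:
    """Count each indicator in the body and return the counts, a weighted score
    and whether the score crosses the review threshold."""
    stripped = URL_RE.sub("", body)
    lower = stripped.lower()
    indicators = {
        "missing_space": len(MISSING_SPACE_RE.findall(stripped)),
        "run_on_word": len(RUN_ON_RE.findall(stripped)),
        "misspelling": count_phrases(lower, MISSPELLINGS),
        "odd_phrasing": count_phrases(lower, ODD_PHRASING),
        "action_lure": count_phrases(lower, ACTION_LURES),
        "generic_greeting": 1 if GENERIC_GREETING_RE.search(lower) else 0,
    }
    score = sum(WEIGHTS[name] * count for name, count in indicators.items())
    return {"indicators": indicators, "score": score, "suspicious": score >= THRESHOLD}


if __name__ == "__main__":
    for label, body in (("bogus", BOGUS_EMAIL), ("legit", LEGIT_NOTICE)):
        report = score_email(body)
        print(label, report["score"], report["suspicious"], report["indicators"])
```

The point of separating the counts from the score is that a reviewer can see which indicators fired; a single run-on word in a legitimate message is noise, whereas several spacing errors plus an instruction to run an attached file is the pattern the post describes.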
Friday, October 3, 2008
Travelers Privacy Protection Act of 2008
I still don’t believe you can legally be compelled to reveal your password, and the cases that have been tried have had so many other circumstances that, had the person simply refused to divulge their password, they would probably have prevailed. There is no judicial precedent on this matter, but it seems to be ill conceived on so many levels, not the least of which is the Fifth Amendment. Laptop computers and other electronic devices contain too much personal or corporate confidential information to simply let a government employee have complete access to and copies of that data. Strong encryption and just one judicial precedent will hopefully end this matter for most of us law-abiding citizens, and I’m sure the law breakers would never think to store this information in e-mail, or in some other Internet storage application they can send back and forth across most borders without any checks.
But perhaps that is the government's next priority into our lack of privacy – let’s hope not.
Wednesday, September 24, 2008
Information Security and Privacy Class
Chris
Class Notes