Monday, March 26, 2012

How to Develop an Effective Information Security Awareness Program?

Security Awareness Training Topics

Security awareness is a key challenge in implementing information security. Many organizations find it difficult to provide the right information security awareness to their staff and thus get less support from staff in implementing information security measures.

It is important to tailor the security awareness program to cover the potential threats and risks of the organization.

The first item in the security awareness program should be password security. Password security awareness should cover topics such as:
  • What is the password policy of the organization

  • How to build secure but easy-to-remember passwords in compliance with the password policy

  • Possible tools for password storage and how to use them securely

  • Not writing down passwords in Excel, on paper or on stickies

  • How password sharing is dangerous to the staff in particular and the organization in general

Keeping the workplace clean, or Clean Desk Policy. This should include topics like:
  • Importance of having a clean workplace from a security perspective

  • Potential confidentiality issues when the critical documents are in the eyes of those who are not supposed to have access

  • Importance of shredding documents when they are no longer required

  • Keeping the printer and fax trays empty all the time

Information Handling and Classification

Classification guidelines and information on how to handle the information should be part of this discussion. This should cover topics such as:
  • Classification labels and when and how to use them

  • Precautions to take when sending or receiving such information

Physical Security

Visitor control is another area which can be part of information security awareness. Check out this cartoon on Physical & Information Security Awareness; it can be part of the security awareness materials.

Key things include (1) questioning visitors who have no badge or who look suspicious, (2) accompanying visitors to confidential areas such as the datacentre, and (3) piggybacking etc.

Another physical security control is the protection of laptops and other mobile computing devices. It is often the laptops, smartphones, or removable devices which get lost. Protection of these devices is critical in information security. Many times we have heard about data leakage through lost or stolen devices.

Another key area to include is Incident Reporting and Management. This should cover the types of incidents to be reported, to whom they should be reported, the means of reporting etc.

Phishing & Social Engineering is another key topic which can be included. This will help staff avoid becoming victims of such attacks by malicious internal or external entities. Cover the possibility of email and phone channels for social engineering.

Social networking and its threats are another set of topics which can be covered within the security awareness session. Topics like what to post on social media and what not, who represents the company on social media and things like that.

Bring Your Own Device, or BYOD, and the use of personal devices within the organization. What are the restrictions related to BYOD, including removable media?

Acceptable use of the IT environment such as Internet and Email, Desktop systems etc…

Desktop security, including the use of antivirus and locking or logging off the system when not in use.

Importance of data backups. Corporate process on backups. Is it allowed to back up only to the file servers? Or can the user back up to a USB or CD?

Critical Success Factors of an Information Security Awareness session
  • Engaging with the staff interactively

  • Quoting real life examples. It would be helpful to include News items on related contents

  • Having good humour included in the topics

  • References to the corporate security policies are a key item to be included in the related topics

  • Choose the right topics for the right group of audience. Social engineering, desktop security etc. might be a topic for all groups.

    Your board members or senior management may not want to undergo one-hour awareness sessions, and thus the topics should be carefully chosen when designing the materials for them

  • Have a test or a quiz at the end of the session. It will give an opportunity to understand the effectiveness of the awareness sessions

The above list gives a number of topics useful for a typical information security awareness session.

Saturday, March 24, 2012

6 Principles for Effective Cloud Computing

ISACA Guide Aims to Minimize Cloud Computing Risks

The cloud, in the long run, should make enterprise computing more efficient and, yes, more secure. In the meantime, those charged with executing their organization's cloud services face a series of tough decisions.

Among the latest experts to offer advice are those from ISACA, the professional association focused on IT governance. ISACA counsels that organizations adopting cloud computing should adhere to six principles. Doing so will help enterprises avoid the perils of transferring IT decision making away from technology specialists to business unit leaders.

The six principles - detailed in the recently published ISACA publication Guiding Principles for Cloud Computing Adoption and Use - include enablement, cost/benefit, enterprise risk, capability, accountability and trust. Here's how ISACA defines each of those principles:
  1. Enablement: Plan for cloud computing as a strategic enabler, rather than as an outsourcing arrangement or technical platform.

  2. Cost/benefit: Evaluate the benefits of cloud acquisition based on a full understanding of the costs of cloud compared with the costs of other technology platform business solutions.

  3. Enterprise risk: Take an enterprise risk management perspective to manage the adoption and use of cloud.

  4. Capability: Integrate the full extent of capabilities that cloud providers offer with internal resources to provide a comprehensive technical support and delivery solution.

  5. Accountability: Manage accountabilities by clearly defining internal and provider responsibilities.

  6. Trust: Make trust an essential part of cloud solutions, building trust into all business processes that depend on cloud computing.

Thursday, March 22, 2012

15 minute Video: Stuxnet: Computer worm opens new era of warfare

Stuxnet took the world by storm two years ago

Computer virus's evident success in damaging Iran's nuclear facility has officials asking if our own infrastructure is safe.

The worm was different from previous viruses: it wasn't designed to steal money, identities, or passwords. Instead, the malware targeted the controls at industrial facilities such as power plants, inspiring talk of a top secret, government-sponsored cyberwar.

At the time of its discovery in June 2010, the assumption was that espionage lay behind the effort, but subsequent analysis uncovered the ability of the malware to control plant operations outright--specifically an Iranian nuclear facility.

In addition to showing that a cyberattack could cause significant physical damage to a facility, it also raised concerns that future malware, modeled after Stuxnet, could target critical infrastructure, such as power and water-treatment plants in the United States.


Monday, March 19, 2012

NIST Issues Security Guidance on Wireless Local Area Networks

6 Tips to Secure WLANs

Wireless Local Area Networks often have weaker configurations and authentication processes, which leave them vulnerable to attackers who penetrate them and gain access to sensitive information, according to the National Institute of Standards and Technology. New guidance from NIST is aimed at helping organizations meet security challenges.

NIST has released Special Publication 800-153, Guidelines for Securing Local Area Networks, that provides step-by-step recommendations from initiation to maintenance to disposal on securing WLANs. WLANs are wireless network devices within a limited geographic area, such as an office building, that exchange data through radio communications.

"Employees can use mobile devices, including laptops and smart phones, connected to the WLAN to perform tasks that could be done on desktops, but with the freedom to work anywhere in the covered area," NIST says in announcing the guidance.

While WLANs can improve productivity, they also add a security challenge. WLANs often have weaker configurations and authentication processes, which leave them vulnerable to attackers who penetrate them and gain access to sensitive information.

NIST says WLAN security depends upon how well all of its components, including client devices and wireless switches, are secured. The new guide provides recommendations to improve security on such topics as standardizing WLAN security configurations, including configuration design, implementation, evaluation and maintenance.

The guide also furnishes guidelines concerning the selection of monitoring tools and the frequency of security monitoring. According to the guidance, organizations should:
  1. Have standardized security configurations for common WLAN components, such as client devices and access points.

  2. Consider the security not only of the WLAN itself, but also how it may affect the security of other networks when planning WLAN security.

  3. Have policies that clearly state which forms of dual connections are permitted or prohibited for WLAN client devices, and enforce these policies through the appropriate security controls.

  4. Ensure that the organization's WLAN client devices and APs have configurations at all times that are compliant with the organization's WLAN policies.

  5. Perform both attack monitoring and vulnerability monitoring to support WLAN security.

  6. Conduct regular periodic technical security assessments for the organization's WLANs.

SP 800-153 supplements other NIST publications on WLAN security and points readers to other NIST publications on system planning, development and security activities. NIST said recommendations included in SP 800-153 are applicable to the protection of unclassified wireless networks and of unclassified facilities that are within range of unclassified wireless networks.

Friday, March 16, 2012

Smartphone Security

5 Tips To Secure Your Smart Phone!

Smartphones are wonderful, yet rife with privacy pitfalls. Here are five quick tips for making your device less prone to a hacker attack.
  1. Do not download apps from unknown sources. Only download those from the official app stores sponsored by the smartphone manufacturers, as they are typically more secure.

  2. Control your location settings. To make your location as protected as possible, turn off all location assessment options.

  3. Before installing an app, be sure to read the Permissions screen. Note where your data is going to be stored. The most secure apps are those that only store data on your device, or store a minimal amount on the vendor systems, and those from vendors that do not share your app data with third parties.

  4. When you no longer use an app, remove it from your phone. An app-happy friend recently realized she had more than 185 unused apps on her device - many of which were tracking her whereabouts.

  5. Encrypt your smartphone data. Many apps inspect your smartphone data storage areas, and the unscrupulous ones will copy what they find interesting and/or valuable.

Wednesday, March 14, 2012

McAfee Report Exposes Contradictions in Security Perception vs. Reality

Organizations Recognize Pervasiveness and Resiliency of Cyber Criminals - "Yet 79 Percent Experienced a Significant Incident in Past 12 Months"

McAfee announced the State of Security report showing how IT decision-makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It also reveals companies’ IT security priorities around processes, practices and technology for 2012.

As the corporate data environment expands, effective information security is possible only by creating a Strategic Security Plan (SSP) which incorporates a comprehensive threat analysis and an in-depth, layered security risk mitigation approach. The survey looked to identify some of the key trends facing enterprises in developing their SSPs.

Security Maturity

The survey respondents categorized themselves into various states of security maturity. These categorizations help to understand the mindset of the companies as they view enterprise information security. The terms below are used to describe the level of security maturity of participating organizations:
  • Reactive – uses an ad hoc approach to defining security processes and is event driven. 9 percent of the surveyed companies claim to be at this stage.

  • Compliant – has some policies in place, but has no real standardization across security policies. The organization adheres to some security standards or the minimum required. 32 percent of the surveyed companies claim to be at this stage.

  • Proactive – follows standardized policies, has centralized governance, and has a degree of integration across some security solutions. 43 percent of the surveyed companies claim to be at this stage.

  • Optimized – follows security industry best practices and maintains strict adherence to corporate policy. The organization utilizes automated security solutions which are highly integrated across the enterprise. 16 percent of the surveyed companies claim to be at this stage.

The key findings included:

Organizations are confident about identifying the most critical threats to their environments and knowing where their critical data resides. However, most companies are not confident about quantifying the potential financial impact of a breach should one occur.

Organizational awareness and protection against information security risks is very important. However, one-third of the “Optimized” companies are uncertain about their IT security posture in terms of awareness and protection. Despite having formal strategic plans, 34 percent of the companies believe they are not adequately protected against information security risks which could impact their business.

A majority of the respondents say that as they develop Strategic Security Plans, they include consideration of potential threats and the associated risk to business and financial analysis. Yet, four out of five of the companies experienced a significant security incident in the past 12 months.

Almost a third of organizations surveyed have either not purchased or not yet implemented many of the next-generation security technologies that are designed to address current-day threats, despite more than 80 percent of the organizations identifying malware, spyware and viruses as major security threats.

Two out of every five organizations have either an informal or ad hoc plan or no security strategic plan in place. The size of the organization matters when it comes to having a formal SSP. Six of every ten large enterprises have a formal SSP, two out of every three mid-size enterprises have a formal SSP, while this ratio dips to only one in two small enterprises.

Organizations in North America and Germany are more likely to have a formal SSP than those organizations in other regions of the world. This may be attributed to the regulatory environments in those countries.

Top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. The lowest priority is to reduce capital and operating expenditures for security infrastructure, which in turn indicates that organizations are willing to spend on the right kind of security solutions.

Conclusions

While organizations are working on their strategic security plans and putting in their best efforts toward protecting business systems and critical data, there is much room for improvement all the way around.

  • Step up to a higher security maturity level. Only 16 percent of the survey respondents classify their organizations as being at the “Optimized” level. Worse, however, is the fact that 9 percent of the organizations are “Reactive” in their approach to IT security.

  • Executive involvement is crucial. While IT and security personnel may take the lead in developing the plan, it’s important to have insight from those who best understand the business systems and the data they use. Moreover, executive involvement is critical to set the tone for the importance of security throughout the organization.

  • Test early, test often, and make adjustments as needed. What good is a plan if it is developed and put on a shelf? If it is never tested? Unfortunately we learned that 29 percent of “Compliant” companies never test how they would respond to an incident. What’s more, the fact that 79 percent of the surveyed companies had security incidents in the past year indicates that there are gaps in the security plans that must be addressed.

  • Use budget allocations wisely. Though every manager would like to have a bigger budget to be able to apply more safeguards, the “Optimized” companies have found ways to reach the highest level of performance with the same level of funding (percentage-wise) as the companies who are less prudent with their budgets.

  • Use the right tools for the current threats. The survey shows that 45 percent of the companies haven’t deployed next-generation firewalls. Mobile security is another area that should not be ignored, yet 25 percent of the organizations have not purchased any tools for this purpose.

  • Focus on protecting the lifeblood of the company - the sensitive corporate data. The top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity.

Additional high-priority activities are all meant to improve each organization’s overall security posture. This is encouraging because without timely recognition and mitigation of security threats, an organization may be the next news headline—and nobody wants that dubious distinction.

About the Survey

The survey was conducted by Evalueserve and included responses from 495 organizations. Countries included in the survey were: United States, Canada, United Kingdom, Germany, France, Brazil, Australia, Singapore, and New Zealand. The organizations range in size from a minimum of 1,000 employees to more than 50,000 employees. The report is available at: www.mcafee.com/ssp

Sunday, March 11, 2012

Organizations Often Fail to Fend Off the Obvious Risks

10 Tips to Fight Insider Fraud

Regardless of industry, insiders always pose the greatest threat to an organization's security. Insiders are risky, especially ones with axes to grind.

Researchers within CERT's Software Engineering Institute at Carnegie Mellon have reviewed internal threats for the last decade, examining the threats posed by so-called malicious insiders. Now CERT offers some new insights about the threats posed by unintentional breaches - those that happen by accident.

"About 50 percent of all companies out there experience at least one malicious insider attack," said Cappelli, who co-authored The CERT Guide to Insider Threats with two other CERT researchers. "And an internal attack has more of an impact than an external attack."

When companies break down breaches, about one-third are directly linked to insiders, and more probably have some link to an insider that the organization simply has not identified. "A lot of the attacks we've seen this year, with cyberattacks, were unintentional," Cappelli says.

CERT is focused on helping companies and organizations with what it calls pattern analysis, which ultimately provides a more scientific way of identifying potential threats before they lead to breaches.

Top 10 Tips

Here are the top 10 tips for fighting the insider threat:
  1. Repeat Offenders and Offenses: Learn from past incidents. Most organizations get hit more than once because they fail to address their weaknesses.

  2. Focus on the Crown Jewels: You can't protect everything, so identify what information is most important and focus on protecting and securing that information first.

  3. Use Existing Technology: Don't rush out to buy new systems; just learn to use your existing technologies differently. The same fraud-detection systems used to detect and prevent external attacks can be used to monitor internal behavior.

  4. Mitigate Threats from Business Partners: Anyone with access to your systems and databases poses risk.

  5. Recognize Concerning Behavior or Patterns: Incidents don't happen in isolation. If you pay attention to the signs, you can often prevent a breach.

  6. Recruited Employees: Many internal threats are posed by employees who have either been planted or those who are disgruntled and have been recruited to commit fraud.

  7. Watch Behaviour During Resignation or Termination: How much access and information does the individual have, and what can you do to secure it?

  8. Be Mindful of Employee Privacy Concerns: Bring your general counsel in to the discussion. You want to monitor behavior, but you don't want to violate employee privacy policies and laws.

  9. Cross-Department Involvement: Make the fight against internal fraud an organizational initiative. Create an insider threat program. It's a very complex issue. It involves management and HR, and even the janitor, who could plant malicious code on your network.

  10. Get Buy-In from the Top: Executives have to understand the threats, so then they can support your initiatives to mitigate the risks.

Friday, March 9, 2012

NIST Releases Final Smart Grid 'Framework 2.0' Document

Framework will provide an expanded view of the architecture of the Smart Grid

An updated roadmap for the Smart Grid is now available from the National Institute of Standards and Technology (NIST), which recently finished reviewing and incorporating public comments into the NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0.

The 2.0 Framework lays out a plan for transforming the nation's aging electric power system into an interoperable Smart Grid—a network that will integrate information and communication technologies with the power-delivery infrastructure, enabling two-way flows of energy and communications.

The final version reflects input from a wide range of stakeholder groups, including representatives from trade associations, standards organizations, utilities and industries associated with the power grid.

Refer here to read further details or here to download the document.

Tuesday, March 6, 2012

Applying An Ancient Chinese Lesson: Know Your Enemies

7 Levels of Hackers

Terms used in information technology and IT security often are vague. Take, for instance, cloud computing. Some might think of the public cloud; others, the private, hybrid or community cloud. Or, the term could mean software as a service, platform as a service and so on.

The same can be said of the word hacker. Not all hackers are the same, and that presents problems in defending against them. The catch-all media description of a hacker is one who accesses a computer system by circumventing its security system.

But contrary to popular belief, not all are motivated by the prospect of obtaining credit-card details or personal data that they can sell for cash. Not all that fall into the hacker category are cybercriminals. Not all are human.

There are seven levels of hackers; the higher the number, the greater the danger they pose:
  1. Script Kiddies: Essentially bored teens with some programming skills who hack for fun and recognition. They're thrill seekers.

  2. The Hacking Group: A loose collection of script kiddies who wield more power as a collective than as individuals, and can cause serious disruption to business. Think LulzSec, known for attacks last year on Sony, CIA and the U.S. Senate, among others.

  3. Hacktivists: Collectives that often act with a political or social motivation. Anonymous is the best known hacktivist group that has been credited - or blamed - with attacks against child-porn sites, Koch Industries, Bank of America, NATO and various government websites.

  4. Black Hat Professionals: Using their expert coding skills and determination, these hackers generally neither destroy nor seek publicity but figure out new ways to infiltrate impenetrable targets, developing avenues of attacks that could prove costly for governments and businesses.

  5. Organized Criminal Gangs: Led by professional criminals, these serious hackers function within a sophisticated structure, guided by strict rules to ensure their crimes go undetected by law enforcement.

  6. Nation States: With massive computing power at their disposal, they target critical infrastructure, military, utilities or financial sectors.

  7. The Automated Tool: Fundamentally, it's a piece of software that acts like a worm virus and tries to affect as much as possible to give itself the largest possible framework. A well-crafted tool could be utilized by any one of the other six criminal types.

Sunday, March 4, 2012

Intrusion Detection System in Plain English?

Intrusion detection aids in reacting to network infrastructure incursions

IT decentralization clearly has increased the need for effective network security. In response, entities typically deploy several layers of information security technologies. Furthermore, due to technological and operational diversity, it is critical to have standard processes to control access that will permit economies of scale.

Network monitoring of packets to identify malformed packets and known attacks should be an entity’s Threat Management control objective. Unauthorized access incidents are often preceded by reconnaissance activity to map hosts and services and to identify vulnerabilities.

Precursor exploits may include port scans, host scans, vulnerability scans, pings, trace-routes, DNS zone transfers, Operating System fingerprinting, and banner grabbing. Such unethical, if not unlawful, activities are discovered primarily through Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) software and secondarily through log analysis.

Intrusion detection aids in reacting to network infrastructure incursions. Derivatively, the main value of intrusion detection is early incident or event awareness and subsequent, timely intervention resulting in a loss experience that is less than what might otherwise ensue from a security breach.

After all of the access control rules are implemented and the software is updated and patched, an IDS should provide the ability to determine if and when security controls have been bypassed. Consequently, the primary IDS purpose is to provide the ability to view IT activity in real time and to identify unauthorized IT activity.
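The log-analysis side of the reconnaissance detection described above, as an added example that is not part of the original post: it flags a source that touches many ports on one host (port scan) or the same port on many hosts (host scan) inside a sliding time window. The log format, addresses and thresholds are constructed assumptions, not any product's defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real product's output):
#   2012-03-04T10:00:01 DENY TCP 203.0.113.7:40112 -> 10.0.0.5:22
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:ALLOW|DENY) (?:TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Yield (timestamp, src, dst, dport); skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        yield (ts, m["src"], m["dst"], int(m["dport"]))


def detect_recon(lines, window=timedelta(seconds=60),
                 port_threshold=10, host_threshold=10):
    """Return sorted alerts: (kind, source, target) tuples."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(parse(lines)):
        by_src[src].append((ts, dst, dport))

    alerts = set()
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for _, dst, dport in events[start:end + 1]:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    alerts.add(("port_scan", src, dst))
            for dport, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    alerts.add(("host_scan", src, str(dport)))
    return sorted(alerts)


def sample_log():
    """Constructed sample traffic using documentation address ranges."""
    t0 = datetime(2012, 3, 4, 10, 0, 0)

    def line(offset_s, src, dst, dport, action="DENY"):
        ts = (t0 + timedelta(seconds=offset_s)).isoformat()
        return f"{ts} {action} TCP {src}:40000 -> {dst}:{dport}"

    log = ["corrupted line that the parser must ignore"]
    # Many ports on one host within 12 seconds.
    log += [line(i, "203.0.113.7", "10.0.0.5", 20 + i) for i in range(12)]
    # One port across many hosts within 12 seconds.
    log += [line(i, "198.51.100.9", f"10.0.0.{i + 1}", 445) for i in range(12)]
    # Ordinary client: many connections, one host, one port.
    log += [line(i, "10.0.0.20", "10.0.0.5", 443, "ALLOW") for i in range(30)]
    # Same port sweep spread over 11 minutes: missed by a 60 s window,
    # caught when the window is widened.
    log += [line(60 * i, "192.0.2.4", "10.0.0.5", 20 + i) for i in range(12)]
    return log


if __name__ == "__main__":
    for alert in detect_recon(sample_log()):
        print(alert)
```

The window length is the tuning knob: a short window keeps false positives low on busy clients, while a second pass with a longer window covers low-rate activity.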

Friday, March 2, 2012

SCADA Security System protects industrial infrastructure

Norman Announces New SCADA Security System to Protect Industrial Infrastructure

With recent Stuxnet malware attacks on industrial software and systems, manufacturers, utilities and industries are seeking sophisticated security solutions to protect SCADA systems used for monitoring and control of industrial infrastructure.

To meet the challenge against advanced persistent threats like Stuxnet, Norman ASA - www.norman.com, has developed the Norman SCADA Protection (NSP) system to protect against cyber attacks from malware such as trojans, worms and viruses that can cause millions of dollars of damage and disruption to production and services delivery.

SCADA (supervisory control and data acquisition) describes computerized industrial control systems (ICS) that monitor and control industrial and infrastructure processes. SCADA systems can be found in manufacturing environments, public transportation systems, power generation and distribution, nuclear plants, pipelines, in oil and gas industries and in maritime environments.

According to government studies, SCADA networks have been designed to maximize functionality - and are engineered for performance, reliability, flexibility and safety, while security has been weak to non-existent.

"SCADA environments are without a doubt one of the biggest challenges in security today. Many industries are poorly protected against cyber threats to their infrastructure," said Audun Lodemel, vice president, Marketing. "Norman's NSP solution is the industry's most comprehensive solution focused on the advanced persistent threats targeting SCADA networks."

NSP is a part of the Norman Network Protection (NNP) product family, which is a high performance anti-malware protection system, designed to provide security to corporate and industrial networks.

Easy to install and easy to use, NNP family solutions are engineered to protect manufacturers, SMB, financial institutions, health care and government agencies seeking the strongest malware protection.

More information about Norman SCADA Protection can be found at www.norman.com.

Thursday, March 1, 2012

SNC Client Encryption Now Available Free of Charge for SAP NetWeaver Customers

Secure Network Communication Client Encryption

SNC (Secure Network Communication) Client Encryption is an optional feature for SAP GUI and the SAP NetWeaver technology platform. This software component enables users to protect communications between SAP GUI and the SAP Application Server ABAP using symmetric encryption algorithms.

It also offers encryption of business data for RFC (Remote Function Call) clients, such as the BEx Query Designer. SNC Client Encryption is based on Microsoft Kerberos technology; it does not offer single sign-on capabilities.

For detailed information, please refer to SAP Note 1643878. The software is available for download on the SAP Service Marketplace (login required): https://service.sap.com/swdc, then select Installations and Upgrades.