Friday, December 21, 2007

How to separate critical application network from network connected to the Internet within a company?

Q: How to separate critical application network from network connected to the Internet within a company?
In many companies users have to access the Internet and also some corporate applications from the same computer. But in some cases these applications are very critical, so we can't accept that a computer can connect to the Internet and to the critical network at the same time; in fact this computer can be a gateway for threats coming from the Internet to the internal network (Trojan horse, virus, intruder, ...). That's why we think about separation. The best separation is the physical one, but here we face a problem of duplication (cable, computer, NIC), and users can't easily accept it.
Are there solutions for this problem, and how can we separate networks in the same company at lower cost? And if we choose physical separation, what's the best way to do it?

For example, in a bank network, users connect to the bank's critical application through their computers, and we want to provide them an Internet connection from the same computers without taking risks.
How can we implement a secure solution?

Regards
…..

A: Hi ….,
As you have stated, it is close to impossible to guarantee that a client that is connected to the Internet is 100% secure.
Here is the basic action list that we see in high-risk environments:
1- Make sure that the servers are in a different segment, where access to local servers is regulated with strong security controls; start with firewalls/ACLs and you may deploy all the way up: IPS, anomaly detection, content control, stronger auditing, strong auth etc. Most of the banks are deploying internal server segments at the moment.
2- If segmentation is not enough, you can virtualize server access, such as terminal access, SSL-VPN, Citrix etc., so that the server environment is different from the client environment. Split tunneling from Internet-surfing clients to critical servers gets really difficult with terminal access.
3- Another option is to virtualize clients so that you can use another client when connecting to high-risk servers. This is still difficult, but this option makes split tunneling difficult.

After segmentation (when it is not enough), we usually recommend an SSL VPN type of control, since the SSL VPN intermediates all requests, so the end user is never in direct contact with the server resource. We can enforce application-layer visibility and granular authorization to the URL, file, and server level. SSL VPN solutions usually offer detailed auditing records including user, application, resource, time and event details. You can add factored authentication so that malicious applications cannot reach the server environment without the physical factor (such as tokens).

Another interesting solution is from Blue Coat. I have not personally tried it, but their RA client encrypts all information stored by the browser, including cache, temp files and cookies, and clears all session information at the end of the SSL VPN session using DoD 5220.22-spec file deletion. Their pre-authentication and continuous spyware scan that leverages AMP (Adaptive Malware Protection) technology may provide a pre-login scan for framegrabbers and keyloggers and continues to scan for the duration of the user session. Configurable split tunneling to block or enforce split tunneling is a good feature.

I can give you more insight about the high-low-medium cost options if you need.
Let me know if you have any questions,
Regards,
- yinal
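The segmentation design in the answer above (desktops reach the critical servers only through the intermediating gateway, never directly, and never from the Internet) can be checked mechanically against a rule base. The following is an added example, not code from the original post; the segment addresses, the ACL model and the rule sets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical segment addressing, constructed for this example.
CLIENTS = "10.10.0.0/16"      # user desktops that also browse the Internet
CRITICAL = "10.200.0.0/24"    # critical application servers (e.g. the bank's core apps)
GATEWAY = "10.50.0.10/32"     # SSL VPN / terminal gateway that intermediates access
INTERNET = "0.0.0.0/0"


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    port: Optional[int]   # TCP port, None = any


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation with an implicit deny, like a typical ACL."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"


# Flows the design requires (must be permitted) and flows it forbids (must be denied).
# One sample host per segment; 203.0.113.9 stands in for an arbitrary Internet host.
REQUIRED = [
    ("client -> gateway (443)", "10.10.4.7", "10.50.0.10", 443),
    ("gateway -> critical app (1521)", "10.50.0.10", "10.200.0.25", 1521),
    ("client -> Internet (443)", "10.10.4.7", "203.0.113.9", 443),
]
FORBIDDEN = [
    ("client -> critical app (1521)", "10.10.4.7", "10.200.0.25", 1521),
    ("client -> critical app (22)", "10.10.4.7", "10.200.0.25", 22),
    ("Internet -> critical app (1521)", "203.0.113.9", "10.200.0.25", 1521),
    ("critical app -> Internet (80)", "10.200.0.25", "203.0.113.9", 80),
]


def segmentation_findings(rules: List[Rule]) -> List[str]:
    """Report every required flow that is blocked and every forbidden flow that is open."""
    findings = []
    for name, s, d, p in REQUIRED:
        if evaluate(rules, s, d, p) != "permit":
            findings.append(f"required flow blocked: {name}")
    for name, s, d, p in FORBIDDEN:
        if evaluate(rules, s, d, p) == "permit":
            findings.append(f"forbidden flow permitted: {name}")
    return findings


# Intended rule base: clients only reach the gateway; only the gateway reaches the servers.
GOOD_RULES = [
    Rule("permit", CLIENTS, GATEWAY, 443),
    Rule("permit", GATEWAY, CRITICAL, 1521),
    Rule("deny", CLIENTS, CRITICAL, None),
    Rule("deny", INTERNET, CRITICAL, None),
    Rule("deny", CRITICAL, INTERNET, None),
    Rule("permit", CLIENTS, INTERNET, None),
]

# The same rule base with a "temporary" shortcut inserted on top: this is the change that
# silently turns an Internet-browsing desktop into a bridge to the critical segment.
BAD_RULES = [Rule("permit", CLIENTS, CRITICAL, None)] + GOOD_RULES

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, segmentation_findings(rules) or ["no findings"])
```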

Sunday, December 9, 2007

PGP or S/MIME?

Q: Which one do you prefer?

A: Hi ...,
As discussed above, the right solution depends on the requirements.

Attached below are the areas that I usually check when I need to compare implementation options:

I assume that your question is for messaging (e-mail and IM).

1- Interoperability: For enterprise projects my first priority is interoperability.
Whichever you choose, there will always be 3rd parties using the other method. I test interoperability before making any other decisions. Even a single protocol like S/MIME can have problems when communicating with different implementations. I always check if the preferred solution can switch from PGP to S/MIME, S/MIME to OpenPGP, OpenPGP to TLS etc. If you will deploy in-house only, the interoperability problem goes away, but in that case you can easily claim that the Exchange or Lotus Notes built-in features are good enough.
2- Key Management: Encryption/signing is not the problem; key management makes it tough. Keys/certs have to be transparent; they should easily be reset/revoked/changed. If you have an enterprise PKI deployment, S/MIME makes sense. PGP works great if you work with PGP Corp's commercial deployment, which makes the key management easy.
3- Use S/MIME v3 only; the other version (v2) may create security problems due to 40-bit keys. Also check for IETF RFC compatibility in both implementations.
4- I would prefer S/MIME under perfect conditions, where most of the messaging clients have built-in support.
S/MIME RFCs are more up to date as well. But again, have you ever seen a full/successful PKI deployment? S/MIME will bring all the cert problems (managing certs?) back. Expired certs and the messages signed with these certs are a problem.
5- PGP Corporation's PGP solutions are preferred where you need to have it running tomorrow, and where you integrate disk encryption, transparent gateway, application encryption etc.
6- OpenPGP is a good idea (for home), but check the enterprise key management/interoperability/support issues at your operation.
7- I always verify if I have an answer for the delivery of encrypted e-mails to users who do not have encryption capabilities. There are a lot of transparent web-based solutions.
8- I do check in-the-cloud service providers like Google/Postini, Microsoft/FrontBridge, Zix and my current employer.
9- I always check turnkey solutions from PGP, IronPort, Tumbleweed, CipherTrust, Zix, PostX and Voltage with in-house and co-managed options.

Let me know if this list helps. I may elaborate more based on your feedback,

cheers,
- yinal
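Items 1 and 3 above (finding out which formats your correspondents actually use, and spotting old-version weak algorithms) can be answered from the MIME structure of the mail alone, before any cryptographic verification. Below is an added example that is not part of the original post: a classifier for PGP/MIME, S/MIME and inline PGP messages built on Python's standard email module; the sample messages are constructed and carry placeholder signature/ciphertext bodies.

```python
import email
from collections import Counter
from typing import Dict, Iterable, List


def classify_message(raw: str) -> Dict[str, object]:
    """Identify the protection format of one RFC 822 message from its Content-Type alone."""
    msg = email.message_from_string(raw)
    ctype = msg.get_content_type()                      # normalized to lower case
    proto = str(msg.get_param("protocol", "")).lower()
    notes: List[str] = []
    fmt, op = "none", "none"

    if ctype == "multipart/signed":                     # RFC 1847 clear-signing wrapper
        if proto == "application/pgp-signature":        # PGP/MIME, RFC 3156
            fmt, op = "PGP/MIME", "signed"
        elif proto in ("application/pkcs7-signature", "application/x-pkcs7-signature"):
            fmt, op = "S/MIME", "signed"                # S/MIME, RFC 3851
        else:
            notes.append(f"unknown signature protocol: {proto or '(missing)'}")
        # micalg names the digest; MD5 points at an old implementation (S/MIME v2 era)
        micalg = str(msg.get_param("micalg", "")).lower()
        if micalg.endswith("md5"):
            notes.append("weak digest algorithm (MD5)")
    elif ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        fmt, op = "PGP/MIME", "encrypted"
    elif ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = str(msg.get_param("smime-type", "")).lower()
        fmt = "S/MIME"
        op = {"enveloped-data": "encrypted", "signed-data": "signed"}.get(smime_type, "unknown")
    elif not msg.is_multipart():
        # Inline (non-MIME) PGP: armored block inside an ordinary text body
        body = msg.get_payload(decode=True) or b""
        if b"-----BEGIN PGP MESSAGE-----" in body:
            fmt, op = "inline PGP", "encrypted"
            notes.append("inline PGP; S/MIME-only clients cannot process this")
        elif b"-----BEGIN PGP SIGNED MESSAGE-----" in body:
            fmt, op = "inline PGP", "signed"
            notes.append("inline PGP; S/MIME-only clients cannot process this")
    return {"format": fmt, "operation": op, "notes": notes}


def inventory(messages: Iterable[str]) -> Counter:
    """Count (format, operation) pairs across a mail sample: the interoperability picture."""
    return Counter((r["format"], r["operation"]) for r in map(classify_message, messages))


# Constructed sample messages; "(sample)" stands in for real signature/ciphertext data.
SAMPLES = [
    'Content-Type: multipart/signed; protocol="application/pgp-signature"; '
    'micalg=pgp-sha1; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\nhello\n'
    '--b1\nContent-Type: application/pgp-signature\n\n-----BEGIN PGP SIGNATURE-----\n'
    '(sample)\n-----END PGP SIGNATURE-----\n--b1--\n',
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
    'micalg=md5; boundary="b2"\n\n--b2\nContent-Type: text/plain\n\nhello\n'
    '--b2\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n\n(sample)\n--b2--\n',
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    '\n(sample)\n',
    'Content-Type: text/plain\n\n-----BEGIN PGP MESSAGE-----\n(sample)\n-----END PGP MESSAGE-----\n',
    'Content-Type: text/plain\n\nplain text, nothing protected\n',
]

if __name__ == "__main__":
    for (fmt, op), n in sorted(inventory(SAMPLES).items()):
        print(f"{fmt:10} {op:10} {n}")
```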

Thursday, December 6, 2007

Monitor instant messaging in a regulated industry?

Q:
What are people doing to secure / monitor instant messaging in a regulated industry (healthcare to be specific)?


A:
Hi ....,

As you have stated, corporate IM is now recognized as an official productivity/collaboration tool, so it is not possible to “ban” IM traffic as it used to be in the past. This is no different from “don’t use e-mail”. IM needs to be “controlled”. For healthcare, public IM is no different from public web-based e-mail services like Gmail/Yahoo/Hotmail. IM can be allowed like e-mail, and I think it is pretty straightforward to adapt the policies...

That being said, I think P2P applications should be banned unless stated otherwise or allowed by corporate policies. For HIPAA, here are some links:
http://www.akonix.com/assets/pdf/HIPAA_support_by_Akonix.pdf
http://www.facetime.com/solutions/regulatoryrequirements.aspx

The problem is with the way that public IM works. Public IM networks and their clients transmit all critical information, including EPHI, PII, SSNs etc., on the public network, as their name makes clear, usually in cleartext. So instead of banning the usage, IT departments (including the healthcare ones) enable IM while applying appropriate controls...

As long as IM is controlled, it is no more dangerous than e-mail.


Here is a classic workflow:
1) Build a corporate (internal) IM environment. Corporate IM servers usually support all public network IM clients like MSN, Yahoo, GTalk, AIM, Jabber etc., with a great add-on: corporate IM servers
i. Enforce your policies on IM traffic
ii. Log all communication for regulatory/audit reasons
iii. Encrypt corporate IM traffic
iv. Enforce authentication (usually integration with local user repositories like LDAP, AD etc.)
v. Generate reports for metrics, security, audit and regulatory reasons
vi. Keep local traffic local. This is very helpful because public IM clients offer none of this; even the data from one cubicle to another traverses the Internet on most public IM networks. Big players are IBM Lotus Sametime, Microsoft Live Communications Server, Jabber XCP, and Novell GroupWise...

2) When the corporate IM infrastructure is built, then it is possible to “ban” the public IM traffic. Users can still message to all IM networks; they will be visible to their peers on AIM, MSN, ICQ etc., but they will be using the corporate IM client. All business IM traffic can be encrypted/logged etc. This requires banning of illegitimate IM traffic, uninstalling public IM clients, and dropping the packets at network enforcement points. It is very difficult to stop all IM traffic, but it is possible. I may give more detailed information on blocking IM on http/https connections if that is required.

3) Build an IM policy; make it public what is allowed and what is not. Are attachments allowed? Is content control enforced? Data leakage checks? Keyword rewrites? Make sure that your IM use policy is managed like any other security policy. For healthcare, follow the data classification policies on what can/cannot be transferred over IM networks.

4) With your policy and infrastructure in place, you can start shopping... There are a lot of vendors as indicated above. The most well-known ones are FaceTime and Akonix, but there are at least 20 vendors out there to enforce controls either over the network or on the desktop. Make sure that you address encrypted traffic and VoIP clients (Skype?) on network-based control options.

If you have a specific question please let me know,
cheers,
- yinal
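Steps 1 and 3 of the workflow above (log everything on the corporate IM server, then apply data-leakage checks and keyword rewrites from a written policy) are easiest to see against actual log lines. The following is an added example, not code from the original post or any vendor product: a small policy engine that inspects a constructed corporate IM log for SSNs in message text and for file transfers to external peers, and rewrites rather than blocks when the policy allows it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed log format for this example (not any vendor's format): one event per line,
# space-separated key=value fields, with the message text or file name double-quoted.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<src>\S+) to=(?P<dst>\S+) type=(?P<kind>msg|file) text="(?P<text>[^"]*)"$'
)
# US SSN shape AAA-GG-SSSS; area 000/666/9xx, group 00 and serial 0000 are never issued,
# which keeps most phone-number and ticket-number look-alikes out.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Policy:
    internal_domain: str = "corp.example"       # the corporate IM domain (assumed)
    allow_external_file_transfer: bool = False  # attachments towards public networks?
    redact_ssn: bool = True                     # keyword rewrite for internal chat instead of block


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external(address: str, policy: Policy) -> bool:
    return address.rsplit("@", 1)[-1].lower() != policy.internal_domain


def redact_ssn(text: str) -> str:
    """Keyword rewrite: keep the last four digits so the conversation still makes sense."""
    return SSN_RE.sub(lambda m: "XXX-XX-" + m.group(0)[-4:], text)


def inspect_line(line: str, policy: Policy) -> Tuple[str, List[str]]:
    """Return (action, findings) for one event; action is 'allow', 'rewrite' or 'block'."""
    rec = parse_line(line)
    if rec is None:
        return "block", ["unparsable event (fail closed)"]
    findings: List[str] = []
    action = "allow"
    external = is_external(rec["dst"], policy)
    if rec["kind"] == "file" and external and not policy.allow_external_file_transfer:
        findings.append(f"file transfer to external peer {rec['dst']}")
        action = "block"
    if SSN_RE.search(rec["text"]):
        findings.append("SSN pattern in message text")
        if external:
            action = "block"          # PII/EPHI must not leave over a public IM network
        elif policy.redact_ssn and action == "allow":
            action = "rewrite"        # internal chat: mask and deliver, keep the audit record
    return action, findings


def inspect_log(log: str, policy: Policy) -> List[Tuple[str, List[str]]]:
    return [inspect_line(line, policy) for line in log.splitlines() if line.strip()]


# Constructed sample log: internal chat, internal chat with an SSN, external chat,
# external file transfer whose name carries an SSN, and a line the parser cannot read.
SAMPLE_LOG = """\
2007-12-06T10:15:02 from=alice@corp.example to=bob@corp.example type=msg text="patient callback at 2pm"
2007-12-06T10:16:40 from=alice@corp.example to=bob@corp.example type=msg text="his SSN is 123-45-6789, update the chart"
2007-12-06T10:17:05 from=carol@corp.example to=dave@aim.example type=msg text="lunch?"
2007-12-06T10:18:22 from=carol@corp.example to=dave@aim.example type=file text="labs 321-54-9876.pdf"
2007-12-06T10:19:00 garbage line that the parser does not understand
"""

if __name__ == "__main__":
    for action, findings in inspect_log(SAMPLE_LOG, Policy()):
        print(f"{action:8} {findings}")
```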

Sunday, December 2, 2007

IT Governance, Risk and Compliance (ITGRC) Tools

Lately I found myself in several interlinked IT GRC projects.

Tools do not fix the governance problem, but they do help in shaping your project with fewer bodies (and probably in exchange for good hard cash).

The new era of tools has a better message than the previous "We fix your compliance problems" motto. We all knew that compliance was just another step to achieve governance of information security. The new tools have better connections with legacy information security products like patch managers, SIEM tools etc.; they also come with several predefined policy frameworks like ISO 27001.

Not there yet, but if you are interested, here is a good starting list of lists for googling and reading:

IT Governance, Risk and Compliance (ITGRC) Tools


Agiliance
http://www.agiliance.com/
Brabeion
http://www.brabeion.com/
Archer
http://www.archer-tech.com/solutions/index.html
Control Path
http://www.controlpath.com/solutions_advantage.php
Symantec (Control Compliance Suite)
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/ent-datasheet_control_compliance_suite_05-2007.en-us.pdf
Compliance Spectrum -Spectra (Command Center)
http://www.compliancespectrum.com/spectra.pdf
Modulo
http://www.modulo.com/
NetIQ VigilEnt Policy Center and other NetIQ tools
http://download.netiq.com/CMS/WHITEPAPER/NetIQ_CRM_Methodology_Feb_2007.pdf
eIQ Networks SecureVue
http://www.eiqnetworks.com/products/SecureVue.shtml
CA clarity (formerly NIKU)
http://www.niku.com/it-governance-47.html
IBM Tivoli Series
http://www-306.ibm.com/software/uk/itsolutions/governance/?ca=grm_Lnav&me=w
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Iconium
http://www.iconium.co.uk/Solutions/overview.htm
Security Works - Visible Security
http://security-works.com/?page_id=27
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/governance-risk-compliance-manager.html
Proteus
http://www.infogov.co.uk/proteus_enterprise/index.php

There are also dedicated risk management tools which will soon identify themselves (maybe they already do) for the IT GRC marketspace:
Callio
http://www.callio.com/
Octave
http://oattool.aticorp.org/Tool_Info.html
Casis
http://www.aprico-consult.com/ (clearpriority)
Cobra
http://www.riskworld.net/
Citicus
http://www.citicus.com/oursoftware.asp
Alion – Countermeasures (makers of Buddy System)
http://www.countermeasures.com/
Siemens – CRAMM
http://www.cramm.com/
Ebios
http://www.ssi.gouv.fr/en/confidence/ebiospresentation.html
GStool
http://www.bsi.bund.de/english/gstool/
RA2
http://www.aexis.de/RA2ToolPage.htm
RiskPAC
http://www.cpacsweb.com/riskpac.html
Risicare (French)
http://www.risicare.fr/
Riskwatch
http://www.riskwatch.com/

Methodologies for risk assessment and management that can be used in IT operations... Endless discussion for quantifying the risks... My prayers are with the ISO, but let’s see which method(s) will prevail:

ISO 14971 – Risk Management for Medical Technologies
NIST 800-30 Risk Management Guide for IT Systems - National Institute of Standards and Technology
OCTAVE (Carnegie Mellon)
The Institute of Risk Management (IRM) - The Risk Management Standard
ISO 13335-2 Information Security Risk Management, To be replaced by ISO/IEC IS 27005
BS 7799-3:2006 Information security management systems. Guidelines for information security risk management
BSI Grundschutz Handbuch
ENISA Regulation (2004)
PARA - Practical application of risk analysis
PTA - Practical Threat Analysis for Securing Computerized Systems
Austrian IT Security Handbook
Federal Financial Institutions Examination Council’s (FFIEC) IT handbook covers information security risk assessment
Threat and Risk Assessment Working Guide from The Government of Canada Security Policy
CRAMM - British Office of Government Commerce or The CCTA's (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
Afhankelijkheids- en Kwetsbaarheidsanalyse (Dutch A&K)
EBIOS (French Government)
FRAP: Facilitated Risk Assessment Process
ISF - IRAM: Information Security Forum Ltd. Information Risk Analysis Methodologies. Also check FIRM (Fundamental Information Risk Management), SARA (Simple to Apply Risk Analysis), SPRINT (Simplified Process for Risk Identification)
CLUSIF MEHARI - Club de la Sécurité de l'Information Français
Calpana CRISAM
SecurITree from Amenaza
OSSTMM RAV (RAV stands for Risk Assessment Values)
SOMAP - Security Officers Management and Analysis Project
FAIR Factor Analysis of Information Risk
DRAM Delphic Risk Assessment Method
Buddy System
AS/NZS 4360 (2004) Risk Management. Australia/New Zealand standard for risk management

What hardware firewall are you using? And why?

Q: What hardware firewall are you using? And why?

Cisco, Sonicwall, Watchguard? What model?

If Cisco, do you like it, is it easy to admin?

Any thoughts appreciated.


A:
Hi ...,

Let's begin with a classification:
By hardware firewall we mean that the firewall software is running on a unified platform where hardware and software are purpose-built.

Models do vary. In order to recommend a model, you need to define your requirements. Here is a high-level list of inputs that you may provide for a better recommendation:
1- Aggregated throughput
2- UTM features that will be enabled (deep packet inspection, AV , content filter etc)
3- Dynamic routing requirements
4- Failover , HA, load balancing requirements
5- Total number of physical segments needed, interface types, link aggregation requirements
6- SOHO features like dial-back, wireless, ADSL, WAN interface support
7- VPN requirements, remote access VPN required?
8- Integration requirements (SEM/SIM, Backup, Network monitoring, MSS, desktop security IPS)
9- Your existing environment (all Cisco, all Check Point etc.., routing)
10- Primary function (e.g. Web Farm Protection, Internet Access, VPN, Server Farm Protection etc)

If you send more data on your planned firewall deployments with the hints for the questions above, I can be more specific on the comparison.

SonicWall and WatchGuard fit the bill when all you need is a security appliance. They offer not only firewall functionality but several other network security features like content filtering, deep packet inspection or AV. They are more often called UTM (unified threat management) instead of a firewall. Management is rather easy since the interface is unified, and central management servers do exist. Model selection is usually based on performance and interface requirements.

I would prefer SonicWall on the enterprise (high-traffic) side if you have a demanding infrastructure; performance-wise, multi-core parallel processing will help you a lot...

In the Cisco world you have options for models... You can go with the ISR series, ASA appliances, good old PIX boxes and the 6509 blades. Performance-wise you can never get close to the core, since multi-gig performance is limited unless you choose FWSM (more blades maybe, but not the ASAs, ISRs etc.).
I have managed several Cisco systems in the past. Administration is not miraculous when you compare with other systems; there are local GUIs, central management systems, 3rd parties, network management tools... Cisco is actually trying to unify the management piece: CiscoWorks VPN/Security Management Solution (big bundle), CiscoWorks Management Center for Firewalls (VMS), Cisco Security Manager (this is the new one), Cisco Router and Security Device Manager (SDM), Cisco Adaptive Security Device Manager (ASDM), PIX Device Manager (PDM) and the command-line interface (CLI) are just a few names in the Cisco firewall management space. Overall the GUI is not miraculous, but it works. If you are a CLI guy you will be happy. Managing a Cisco firewall on any of the models is no more difficult than managing routers. If you like scripting, you can automate 90% of the tasks. Cisco is already integrated with all network management products, so you won’t have problems. The base code is stable lately and it does support enterprise features like VoIP or multicast up to a level... New additions to transport mode VPNs will help a lot. Upgrades/downgrades are usually easy; backup is simple. The downside with Cisco is the segregation of duties: if your entire infrastructure is Cisco, it won’t help a lot to add one more layer of Cisco for firewalling, esp. on the perimeter.

I can give more details on ISRs , ASAs, FWSM and PIX based on your specific questions.

If you are looking at hardware-only firewalls, you should also be looking at Juniper and Fortinet. Check Point/Nokia, Check Point/Crossbeam, Check Point UTM-1, Stonesoft, Secure Computing, Palo Alto Networks and Symantec are other players in the firewall space.

Let me know if you have any questions,
cheers,
- yinal ozkan

Thursday, November 8, 2007

What is the best single sign-on solution?

Q: What is the best single sign-on solution?
We have a few website products that use different sign-on applications with different requirements (account# versus username).

Single sign-on definitely looks like the way to go. What are some of the solutions we should be looking at? I've seen OpenID, and it looks very promising (http://openid.net/).

Thanks
...............


A: Hi ......,
As you already know, the best single sign-on (SSO) solution is the one that fits best with your existing infrastructure.

There are 2 main SSO approaches: SSO at the back office and SSO managed by the end-user.

So if you are in charge of multiple systems that utilize different authentication systems (user silos) and you want to integrate the sign-on process to all these systems, you need SSO at the back office. Users authenticate to one system and then all systems are synchronized on the credentials…

If you are an end user and you'd like to use your stored identity with different systems, you are looking at user-centric digital identities. If you are looking at OpenID, I assume that you want a user-centric SSO architecture. You can get more information on cross-domain identity management by searching for “identity federation”. With OpenID, you can look at personal identity providers (IdP) and relevant initiatives such as Liberty Alliance, WS-Federation, IGF, LID, SXIP, i-names, Yadis, Higgins, Bandit, Shibboleth etc... If you need more information on this area please let me know.

But, if you are looking at implementing SSO at your back office for your systems, a good start would be looking at your:
- Existing application types/development environments (web-based, Java-based, client/server, .NET vs. J2EE, Ajax, LAMP, MS vs. *nix etc.),
- Application architecture (server platform, application servers, XML gateways...etc)
- User repositories (Internal proprietary, Active Directory, Radius, LDAP, Novell, Mainframe etc),
- Back office Integration (SAP, Siebel, Oracle etc)...
- End user type (technical/non-technical, internal/external, public/controlled etc)
- End user platform (mixed browsers, mobile browsers, PDAs, IE only, VB client, Java Client etc)

I do recommend that you set the scope first before choosing the platform. That way, you will have a better decision tree. Sometimes a structured password synchronization policy delivers partial SSO functionality.

Single sign-on usually integrates with entitlement management and so with identity management (IdM) systems. I do recommend checking the SSO subsets of existing identity management systems.

You will notice a lot of “product” solutions in the SSO/IdM area. All of them are nice and they serve a specific niche. If you need a larger solution set where you may extend the SSO functionality in the future, the solution provider list is narrower (not the price tag). I have worked with CA; the CA family includes all single sign-on solutions integrated with other pieces of identity management. Esp. the Netegrity family integration with policy-based management is a well-established solution. But I see good solutions from all major identity management providers (CA, IBM Tivoli, BMC, Novell, EMC (RSA), Sun, Oracle and Microsoft)... You can also check other SSO solution providers if they have not been acquired by one of the big shops named above (Ping Identity, Imprivata, Passlogix, Courion etc.)

Let me know if you have a specific question,
- yinal

Saturday, October 27, 2007

Where can I get consolidated list of IT best practices for Finance industry?

Q: Where can I get consolidated list of IT best practices for Finance industry?

A: In the US, the best path is to go with FFIEC. The FFIEC IT Examination Handbook is the source for technology-related risk management considerations for financial institutions. You can get a lot of documentation from the following URL:
http://www.ffiec.gov/ffiecinfobase/index.html

In some countries the banking regulation and supervision agencies enforce Control Objectives for Information and related Technology (COBIT), which is developed by the IT Governance Institute (ITGI). You can find more information at the following URL:
http://www.isaca.org/cobit/

As discussed above, ISO forms the standards and best practices in information security. There are several standards. The following URL will be very helpful to understand what is out there from ISO. It also discusses SSE-CMM and ITIL in security:
http://www.unob.cz/spi/2007/presentace/2007-May-02/01-Novak-Standards.ppt

That being said, Basel II will be a global requirement for risk management in financial services. Basel II encourages banks to identify the risks, and to develop or improve their ability to manage those risks. You should check that one.

SOX and J-SOX still apply to publicly traded companies in the US and Japan. COBIT is the framework.

PCI DSS is the framework where credit card data is stored, transmitted and processed.

US government entities use NIST best practices. Check the following link for references:
http://csrc.nist.gov/publications/CSD_DocsGuide.pdf

Let me know if you have any specific questions,
regards,
- yinal ozkan

Sunday, October 14, 2007

Functionality or ROI?

Q: When you look at new IT projects what do you consider first: Functionality or ROI? eWeek just published an article stating that in 2008, CIOs would be looking at functionality and strategic purpose and downplaying extensive ROI calculations. What do you as an IT professional think about that?

A: Hi ..,
I think ROI calculations are just a part of the full governance of IT projects, and CIOs must govern the projects. I simply do not recommend going with ROI alone; the terms of return must be defined in advance. It is not feasible to compare functionality vs. ROI, since both of them may include each other. The full life cycle of the solution should be incorporated into the evaluation for CIOs. When you look at all IT projects, you may classify them in 4 main categories or a mix of these 4:
1- Projects that increase efficiency
2- Projects that reduce cost
3- Projects that reduce risk
4- Projects that increase competitiveness

A CIO must have a grand plan with targets (tactical/strategic), and this plan must be carried out with a structured program. Any new project should be weighed against the program, where ROI is just an initial evaluation item. The programs are not static, and the governance of the program itself should be structured as well.

Let me know if you have a specific question,
regards,
- yinal

Security Consultant: How do you define your scope?

Q: Security Consultant: How do you define your scope?
As I make my foray into the security consulting world of side work, I am wondering how other security consultants out there have defined their scope as to what services they offer and where they know to draw the line and/or keep a client within the bounds of what the scope actually is. I know it has a lot to do with your areas of expertise, but what helps you (anyone who might wish to answer) make this definition?

A: Hi ....,
This is a good question. And there is no silver bullet.

I have been managing hundreds of information security SOWs (statement of work documents) every month for the last 5 years. This is a lot about security, but it is more about the delivery. Here are a few things that we learned by tough experience (in no particular order):

1- Do not make it one security consultant's job to define the scope and the deliverables of the SOW. Build a workflow with multiple checkpoints for peer review. If one consultant defines the scope, make sure that others review it. Peer review is the harshest part of every security project. I think that it is easier to criticize than to do the actual job, so you can get a good reality check prior to sharing your draft scope with the client. Engineers/consultants have a tendency to omit their own mistakes. Shortcuts are always favored by engineers (by nature). Use different teams, e.g. security consultants define the scope, the delivery team verifies it...

2- Always share draft versions of the scope with the client. Verbally communicate deliverables. Give the client a chance to review the draft SOW and allow changes. Use change control on the SOW documents (make sure all revisions are recorded).

3- Create an internal risk document where you internally discuss possible risks about the project in advance. Make sure that risks are addressed prior to final approval.

4- Keep all parties involved. Make sure that your process is transparent to all key stakeholders including project management, client, account management, finance, legal, consultants, engineering, support, vendors etc.

5- You may try using pre-defined scopes with predefined deliverables. Even if this is the ideal, it rarely works; every client is unique. You may better have standard methodology documents and customized deliverables based on a top-level methodology document. I may elaborate more on à la carte scoping with prebuilt blocks for security, based on the security project type (e.g. policy/compliance consulting is different from hardware/software deployment, or deployment is different from assessments etc.)

6- Put everything in writing. No verbal communication will help when there is a dispute. All deliverables should be clearly defined. I like the following clause from our SOWs: "The scope of this project excludes all services and related issues that are not mentioned in this SOW and any additions or changes will be done as set forth in the change control procedures contained herein. Any services not part of this SOW are considered Out of Scope and additional charges may apply"

7- Make the security consultants responsible for the delivery. They should understand what is easy and what is not in the field. They should be able to perform the actual deliverables on time, and they should be liable when their scope does not match reality. Continuous audit of deliverables and improvement is a must. Make sure that you have post-mortems on failures and that all of the failures are addressed.

8- Share your internal workflow with the client; make sure that the client understands how you work. Share service descriptions, SLAs and professional service agreements in advance. Make sure that your security consultants relay this information properly. Clients will understand whatever they would like to hear, so you need to cover all bases for confidentiality, deliverables, lead times, cutover times, success criteria, privacy, change management, costs, points of contact, project management, test plans etc. If they are not written down, the client's expectations may certainly be different from your consultants’...

Well I think we have a limit on the answers page, but let me know if you have a specific question.

regards,
- yinal ozkan

Thursday, October 11, 2007

BPO market

When I was managing an FWTK firewall in 1994, I was pretty sure that the firewall market would be larger than anything... Every office would need 1 firewall when it was connected to the Internet. And every firewall required 1 administrator…

The server installation, configuration, maintenance, administration, everything was complex with the Slackware-based firewall. It required dedicated, highly educated manpower for the management.

1 security engineer per firewall seemed pretty reasonable in 1994.

Today, when I look at the BPO industry and the projections for growth such as “McKinsey Report Predicts Robust Growth For Indian IT Services and IT Enabled Services Industry”, I have some sort of déjà vu… There is a belief that more jobs will be created linearly with the market growth, that the BPO cities will be big job markets, and that the countries with access to larger human capital will be more successful. That is a dangerous assumption. Job markets will not grow with the market, especially the low-end/low-cost BPO market. Job markets will shrink with the advancement of technology; there will be need for fewer people, even the highly trained ones.

My “1 firewall, 1 administrator” idea was not realistic, and neither are the job market projections for BPO. From 1994 to 2000, we really worked hard to centralize management, automate operation and improve efficiency with a tremendous investment in high-technology services and products. The things done were unbelievable for the firewall market: all software moved to appliances, virtual inline firewalls were invented, every type of high availability solution was integrated, log management became easy with high-end event management tools, software got more stable, people needed less support, self-service systems were delivered etc… And the result was the elimination of the workforce component. Today 1 group of firewall administrators (e.g. 2 per shift) can manage hundreds/thousands of sites. We do not need a dedicated firewall wizard per site, which was expected. I do expect similar results in BPO markets: the more technology is available, the more low-cost routine BPO jobs will be out of the picture.

BPO industry will continue to grow regardless of the access to low-cost human capital. The need for massive numbers of workers in the industry will shrink regardless.

Creative/well-educated minds will always be in demand, but that will take away the advantage of having hundreds of thousands of poorly educated engineers. I strongly support the initiatives in India and China on increasing the technical quality of the delivery and powering creativity, instead of increasing the low-cost human capital based offerings... In the meantime we may see more of Ukraine, Hungary or Egypt as competitive outsourcing centers.

Wednesday, October 10, 2007

What are your thoughts on Key Performance Indicators or Criteria for Information Security?

Q: What are your thoughts on Key Performance Indicators or Criteria for Information Security?

A: Hi ...,
I strongly believe that key performance indicators for information security have 2 major categories:

1- Risk Related
2- Business Related

There are several readers on this page who can elaborate more about the risk related KPIs. A security KPI can only indicate something relevant if it is tied to a risk measurement framework. You can measure any metric delta in any of the systems that you can get data from (viruses blocked, attacks succeeded, malware identified etc.), but only the metrics that create risk visibility, and naturally business impact, will give you the right measurement. Long story short, good KPIs are the ones that show the delta in your risk status. A change in the number of spam e-mails received on a certain domain may mean nothing if it is hosted and filtered at a remote provider and the domain is not in use by your operation.

The second, and equally important, category is naturally your business. There are times when your security initiatives are driven by tactical and strategic business needs. I can list hundreds of them, but if you want to categorize, here are the main business drivers:

1- Reducing cost
2- Increasing efficiency
3- Competitive Advantage

You may try to map the 3 items into a risk framework but I would rather not. You need to share the same goals with the business (the old problem of aligning IT/security with the business). And if your security related activities can create qualitative/quantitative metrics on how you reduce cost, increase efficiency and create competitive advantage, there you have the good KPIs. e.g. “We moved our e-mail cleansing to a 3rd party; now our cost is lower, we have more resources to focus on core projects, we have due diligence with e-discovery requirements, and now we have a greener data center :) here are the KPIs….”
Let me know if you have a specific question,
regards,
- yinal ozkan

Wednesday, October 3, 2007

EMC should buy Check Point - How to Secure Virtual Machines ?

Virtualization security is an interesting topic. For years many security vendors tried to focus on hardware security, assuming that the whole network world would soon be appliance-only (it is a small Cisco world after all). Now the times are changing; there is a new phenomenon on the market which pushes all software platforms into a single virtual platform...

In the old world of 1-server-per-blade designs, many enterprise shops have done the right segmentation by building multiple server farms segregated by beefy firewalls. Server-to-server communication control was always a challenge. Only a few enterprise shops were lucky enough to deploy firewall appliances and blades between servers, and even fewer could find a way to deploy a multi-gigabit IPS. Playing with switch ACLs, VLANs and inline firewalls were the instant remedies, but they didn't really answer the real security question.

Nowadays, 1 server per blade racks are out. It is a green world (and a datacenter) where we have multiple virtual systems (VMs) on 1 box. Segmenting these servers, checking the traffic flow and detecting/blocking malicious activity in between VMs is close to impossible. The nice chic ASIC appliances do not fit there. There are solutions like Bluelane, but there are problems...
- The security solution should be on the vmkernel…
- The security solution must cover CPU virtualization, and memory virtualization issues.
- The security solution should not be another VM (that acts like a virtual switch/router) where the server-to-server communication is filtered. Too much overhead, too many VMs
- The security solution must be trusted, tested, approved, and must have certifications from 3rd parties.
- Existing legacy security licenses should be portable (firewall to virtual firewall, IPS to virtual IPS).
- Security solution should cover virtualized crypto devices (hardware accelerators, host security modules)
- Security solution should be managed by a different console and access right system, probably a different company for risk management and segregation of duties purposes etc... Basically VMware is not the right solution developer (integrating Determina VIPS was a good idea though)
- …..and the list goes on.

EMC may certainly develop a new security solution for the VMware spin-off using parent company links, or acquire another security company after RSA and Network Intelligence.

But there is another company that sticks to software-only security with a full portfolio of security products... I think it is a good match. Being an IT security professional (M&A is not my main area of expertise) and knowing Gil Shwed’s expansion plans (I do not own any stocks), the "EMC should buy Check Point" idea may not fly. But Check Point would be a good and quick response to address VMware security concerns, with lots of new expansion possibilities for both operations.

Disclaimer: Blog postings on this site are my own and don't necessarily represent my employers' positions, strategies, or opinions.

Friday, September 28, 2007

Is Two Factor Authentication for internet banking a flop or success?

Q: Is Two Factor Authentication for internet banking a flop or success? I read around some articles regarding two factor authentication; studies have shown that two factor authentication does not address some present issues, and with the man in the browser attack shown and also recent cases like ABN AMRO, one may wonder is two factor authentication that safe. Would like to hear your views on this, guys.

A: Hi …,
I agree with the previous answers.
2-factor authentication is more secure than password-only single factor authentication.
• Does it answer some security problems? Yes.
• Does it answer all security problems? No.
This is the fact. I do recommend increasing security levels to mitigate the risk (You can go up several factors but you cannot eliminate the risk)

If you have the second factor on hardware (token, smart card etc.) or biometrics it is even more secure. It is like the ATM card... You lose your PIN, no problem; you still have the card in your pocket. You lose your ATM card, no problem; because you still keep the PIN. If you lose both of them, yes, you have a problem.

Having 2nd factor on the same media (e.g. on your computer, or 2 passwords) is not as safe as tokens, smart cards etc.

During online transactions, man-in-the-middle and man-in-the-browser threats can bypass 2-factor authentication, but this does not mean that financial institutions should rely on static passwords only.

There are also a lot of creative “virtual” 2-factor authentication systems like Tricipher (more links in the DHS link below).

FFIEC: “Single factor authentication methodologies may not provide sufficient protection for internet-based financial services.” Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, according to regulators with the Federal Financial Institutions Examination Council.

In the financial sector, after the FFIEC requirements above, many banks implemented cheaper pseudo 2-factor systems (SiteKey, CAPTCHA type). Tokens/cards are better, but when cost is the important factor, SiteKey-type systems increase security relatively. Mutual authentication systems are better but very difficult to manage (e.g. PKI). I like out-of-band authentication a lot. When I try a high-risk transaction my bank sends a one-time password to my cell phone.


Here are some links that may help:
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
http://www.forrester.com/Events/Content/0,5180,1429,00.ppt#418,1,Slide 1
http://www.cyber.st.dhs.gov/phishing-dhs-report.pdf


Let me know if you have a specific question,
Cheers,
- yinal
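As an added illustration of the replay point in this answer (this is example code written for this page, not code from the post or from any vendor product), here is a counter-based one-time password (HOTP, RFC 4226) together with the server-side bookkeeping that makes a captured code worthless the second time it is presented. The secret is the RFC's published test key, not a real credential, and the look-ahead window size is an assumption.

```python
import hashlib
import hmac

# Constructed demo secret: the RFC 4226 test-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to 31 bits, then reduction to the requested number of digits."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled token.

    The server never accepts a counter value it has already consumed, so a code
    captured on the wire cannot be replayed; a small look-ahead window (assumed
    size) tolerates codes the user generated but never submitted.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self._secret = secret
        self._digits = digits
        self._look_ahead = look_ahead
        self._next_counter = 0  # lowest counter value still acceptable

    def verify(self, code: str) -> bool:
        for c in range(self._next_counter, self._next_counter + self._look_ahead + 1):
            expected = hotp(self._secret, c, self._digits)
            if hmac.compare_digest(expected, code):
                self._next_counter = c + 1  # consume this counter and every earlier one
                return True
        return False


def replay_demo() -> dict:
    """Walk through the checks a practitioner cares about and return the outcomes."""
    server = HotpVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    return {
        "fresh_code_accepted": server.verify(first),
        "same_code_replayed": server.verify(first),                      # captured code is useless
        "skipped_ahead_accepted": server.verify(hotp(DEMO_SECRET, 2)),   # inside the look-ahead
        "stale_code_rejected": server.verify(hotp(DEMO_SECRET, 1)),      # now behind the counter
    }


if __name__ == "__main__":
    for check, outcome in replay_demo().items():
        print(f"{check}: {outcome}")
```

A relay that sits inside the live browser session still gets to use one fresh code, which is the man-in-the-browser gap the answer describes; what the counter removes is the replay of a code captured earlier, the weakness of a static password.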

Routing protocol in IPSEC tunnel mode?

Q: Why can't you run a routing protocol in IPSEC tunnel mode? Why do you need GRE to run a routing protocol?

A: Hi …,
You can run routing protocols in IPSEC tunnel mode. You don't have to have GRE all the time.

In the past we could not do this due to limitations of the IPSEC termination gateways: the gateways could not participate in routing, and tunnel mode simply encapsulated traffic based on its IP headers. To get around the problem we tunneled the traffic in GRE.

Today many of the modern IPSEC gateways (e.g. Check Point, Juniper, Cisco etc.) support route-based VPNs via virtual tunnel interfaces (VTI). The implementation is not standardized (most functions are proprietary), so cross-vendor (e.g. Check Point to Juniper) route-based VPNs are very difficult. But if you have a single brand of gateways, you can route in VPN tunnels easily. We have migrated proprietary TELCO MPLS networks to IPSEC VPNs while keeping the redundancy with dynamic route-based VPNs.

On the other side, Cisco is trying to reinvent the wheel by bringing back the 10-year-old transport mode VPNs (encrypting only the payload, not the IP header) in order to make MPLS networks more secure and scalable. This Cisco Group Encrypted Transport VPN (GET VPN) promises to address multicast VPN problems as well.

All vendors have several solutions for several scenarios so it would be best to run proof of concept before production deployment.

cheers,
- yinal
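To make the three designs in this answer concrete, here is an added example (written for this page, not code from the post or from any vendor) that models only the forwarding decision of each one: a policy-based gateway whose security policy database (SPD) of selectors decides what is encrypted, the GRE-over-IPsec workaround, and a route-based gateway with a virtual tunnel interface. The addresses, interface names and the /32 gateway-to-gateway selector are assumptions, and no actual encryption takes place.

```python
from ipaddress import ip_address, ip_network


def lookup_route(routes, dst):
    """Longest-prefix match over [(network, iface)]; None when nothing matches."""
    best = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def spd_match(spd, src, dst):
    """Does any (local, remote) selector in the security policy database cover this flow?"""
    return any(src in local and dst in remote for local, remote in spd)


class PolicyBasedGateway:
    """Classic tunnel-mode IPsec: selectors decide what is encrypted. There is no
    tunnel interface, so a routing process has nothing to send its hellos on."""

    def __init__(self, selectors):
        self.spd = [(ip_network(a), ip_network(b)) for a, b in selectors]

    def forward(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        if spd_match(self.spd, src, dst):
            return "esp-tunnel"
        return "dropped" if dst.is_multicast else "cleartext"

    def send_routing_hello(self, iface):
        return "no-such-interface"


class GreOverIpsecGateway:
    """The old workaround: a GRE tunnel interface between the gateway addresses gives
    routing a point-to-point link; the resulting GRE unicast packet (IP proto 47)
    then matches a gateway-to-gateway selector in the SPD and is ESP-protected."""

    def __init__(self, local_gw, remote_gw, routes):
        self.local_gw, self.remote_gw = ip_address(local_gw), ip_address(remote_gw)
        self.routes = [(ip_network(p), i) for p, i in routes]
        self.spd = [(ip_network(local_gw + "/32"), ip_network(remote_gw + "/32"))]

    def _via_gre(self):
        return "gre+esp-tunnel" if spd_match(self.spd, self.local_gw, self.remote_gw) else "gre+cleartext"

    def forward(self, src, dst):
        iface = lookup_route(self.routes, ip_address(dst))
        return self._via_gre() if iface == "tunnel0" else "cleartext"

    def send_routing_hello(self, iface):
        return self._via_gre() if iface == "tunnel0" else "no-such-interface"


class RouteBasedGateway:
    """VTI design: the IPsec SA is bound to a virtual tunnel interface and the
    routing table decides what enters it, so OSPF/BGP can simply run on the VTI."""

    def __init__(self, routes, tunnel_ifaces):
        self.routes = [(ip_network(p), i) for p, i in routes]
        self.tunnels = set(tunnel_ifaces)

    def forward(self, src, dst):
        iface = lookup_route(self.routes, ip_address(dst))
        if iface is None:
            return "dropped"
        return "esp-tunnel" if iface in self.tunnels else "cleartext"

    def send_routing_hello(self, iface):
        return "esp-tunnel" if iface in self.tunnels else "no-such-interface"


def compare_designs():
    """Ask each design the same questions (constructed addresses and interface names)."""
    host_a, host_b = "10.1.5.20", "10.2.7.30"          # site A host talking to site B host
    routes = [("10.2.0.0/16", "tunnel0"), ("0.0.0.0/0", "eth0")]
    policy = PolicyBasedGateway([("10.1.0.0/16", "10.2.0.0/16")])
    gre = GreOverIpsecGateway("198.51.100.1", "203.0.113.1", routes)
    vti = RouteBasedGateway([("10.2.0.0/16", "vti0"), ("0.0.0.0/0", "eth0")], ["vti0"])
    return {
        "policy": (policy.forward(host_a, host_b), policy.send_routing_hello("tunnel0")),
        "policy_hello_as_packet": policy.forward(host_a, "224.0.0.5"),  # OSPF AllSPFRouters group
        "gre": (gre.forward(host_a, host_b), gre.send_routing_hello("tunnel0")),
        "vti": (vti.forward(host_a, host_b), vti.send_routing_hello("vti0")),
        "vti_internet_bound": vti.forward(host_a, "192.0.2.9"),
    }


if __name__ == "__main__":
    for design, outcome in compare_designs().items():
        print(f"{design}: {outcome}")
```

The VTI case is the one the answer recommends for a single-vendor deployment; because each vendor binds SAs to its tunnel interfaces in its own way, the same model does not tell you whether two different brands will negotiate a working route-based tunnel, which is why the answer suggests a proof of concept first.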

Wednesday, September 26, 2007

Do you consider web scraping a threat to your organization?

Q: Do you consider web scraping a threat to your organization?
We have a client whose physician finder page was being scraped. A competitor was regularly sucking all of the doctors out of it and probably importing them as leads right into their own CRM database. We found a good solution but I also found out there are many software tools and service companies now who claim to be able to "collect data from the competition and track their behavior over time". I wondered how widespread this might be and how much people were concerned about it in general. Any war stories or thoughts on web scraping? Thank you!

A: Hi ...,
The Internet domain is named "public" for a reason. In the long term no protection (applets, images, scripts etc.) holds if the information is on the Internet. There is a very common principle in information security: security through obscurity is not real security.

The only information you may protect on an online directory system may be the phone numbers and e-mail addresses (by not using them). You can proxy them via some web applications, but even if you do this, it is not very difficult to figure out all e-mail addresses if the names of the doctors are displayed on the pages (assuming that you follow a standard naming convention).

I have been working with enterprise security and web development teams for years and I remember stories from 1996. After the search engines (which are another kind of scraper) the web/screen scraping industry was legitimized.

Scraping technology is relatively simple (programming 101) and in the long run there is no permanent fix. Yes, you can slow them down (no queries in 10 minutes from the same IP address?) but that is not the solution.

I do recommend having very strict data classification and privacy policies that identify, for your operation:
• classified/sensitive/unclassified etc. data
• personally identifiable information
• business and legal requirements (e.g. compliance)
• internal policies
and then design your Internet-facing content according to those requirements. On public pages, classification is quite straightforward, so label all Internet-facing non-authenticated pages “public/unclassified”.

You can protect your private/high security demanding competitive data inside the perimeter, and protect your sensitive information with several DRM solutions.

If you have any question I would be happy to elaborate more.

cheers,
- yinal
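To put the "slow them down" remark into practice, here is an added example (written for this page, not part of the post) that parses a constructed combined-format web log, flags clients that paged through a directory faster than a person browses, and applies a per-IP sliding-window limit. The thresholds, paths, user agents and addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(lines):
    """Parse combined-format lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
                           "path": m["path"], "ua": m["ua"]})
    return sorted(events, key=lambda e: e["ts"])


def flag_harvesters(events, path_prefix, window_seconds=60, threshold=20):
    """Return {ip: peak} for clients that fetched more than `threshold` pages under
    `path_prefix` inside any sliding window: a bulk export, not a person browsing."""
    window = timedelta(seconds=window_seconds)
    times = defaultdict(list)
    for e in events:
        if e["path"].startswith(path_prefix):
            times[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, ts in times.items():
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


class SlidingWindowLimiter:
    """Per-client throttle: at most `max_requests` in any `window_seconds`
    (the "no queries in 10 minutes from the same IP address" idea in the answer)."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = timedelta(seconds=window_seconds)
        self._hits = defaultdict(deque)

    def allow(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def throttled_counts(events, limiter):
    """Replay the log through the limiter; {ip: requests that would have been refused}."""
    denied = defaultdict(int)
    for e in events:
        if not limiter.allow(e["ip"], e["ts"]):
            denied[e["ip"]] += 1
    return dict(denied)


def constructed_log():
    """Constructed sample: one client paging through the whole directory at one
    request per second, and one human browsing a few pages."""
    t0 = datetime(2007, 9, 26, 14, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts, path, ua):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'

    lines = [line("203.0.113.7", t0 + timedelta(seconds=i), f"/physicians?page={i + 1}",
                  "python-urllib/2.5") for i in range(30)]
    lines += [line("198.51.100.23", t0 + timedelta(seconds=s), p, "Mozilla/5.0")
              for s, p in [(3, "/"), (25, "/physicians?specialty=cardiology"), (70, "/physicians/1234")]]
    return lines


def demo():
    events = parse_log(constructed_log())
    return {
        "events": len(events),
        "flagged": flag_harvesters(events, "/physicians"),
        "throttled": throttled_counts(events, SlidingWindowLimiter(20, 60)),
    }


if __name__ == "__main__":
    print(demo())
```

Both functions key on the source address, which is exactly why the answer calls this a slow-down rather than a fix: the detection gives you visibility and the limiter protects the server, but neither changes the fact that the directory itself is public.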

Sunday, September 23, 2007

Commercial products for "breakglass" account control

Q: Commercial products for "breakglass" account control
Has anyone reviewed commercially available "breakglass" tools for account control of privileged system and application accounts? If so, please advise.

A: Hi ......,
There are several ways to achieve your goals. Entitlement and Privilege Management (Authorization Management) is a very active topic and there are several creative approaches to deliver the solution. You can control privilege at the client level, network level and application level.

I will skip the client level applications (yes, there is plenty of VB magic out there) and discuss the network and agent based policy/audit/privilege control tools for centralized management.

The idea is very simple: target systems lack the required native controls, the native controls are not centrally manageable, or the granularity of the controls is not deep enough for security/compliance requirements, so you need to proxy the authentication requests and authorize privileged access based on your policy.

Basically all “identity management” shops (IAM, SSO, Entitlements) offer some sort of privilege control (CA, IBM Tivoli, BMC, Novell, EMC (RSA), SUN, Oracle and Microsoft - http://static7.userland.com/oracle/gems/nishantKaushik/gartnerUPQ07.jpg). But the solutions may require some tweaking and coding.

But if all you need is “break-glass” control, you can use some specific applications/appliances like CA’s Access Control, Symark PowerBroker, Cyber-Ark, Securent, Password Auto Repository or Bayshore Networks etc. These solutions also integrate closely with the applications for entitlements management.

If you need a quick and dirty solution, build an SSH proxy server (public domain) with strong authentication, and authorize all system management access via the SSH proxy. But that won’t be a complete solution like runas or sudo variants.

In the past I worked with CA, they have an extensible solution.

cheers,
- yinal
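As an added example of the control those products package (written for this page, not code from any of the vendors named above), here is a small break-glass model: one holder per privileged account at a time, a mandatory stated reason, rotation of the secret on check-in or expiry, and an audit trail of every event. The account name, ticket references, TTL and password alphabet are constructed assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Lease:
    user: str
    expires: datetime


class BreakGlassVault:
    """Model of a privileged-account break-glass store (constructed for this page):
    one holder per account at a time, a mandatory reason, rotation of the secret
    on check-in or expiry, and an append-only audit trail of every event."""

    ALPHABET = string.ascii_letters + string.digits  # assumed password alphabet

    def __init__(self, ttl=timedelta(minutes=30)):
        self.ttl = ttl
        self._passwords = {}  # account -> current secret (a real vault encrypts these at rest)
        self._leases = {}     # account -> Lease
        self.audit = []       # (event, user, account, detail, when)

    def _rotate(self, account):
        self._passwords[account] = "".join(secrets.choice(self.ALPHABET) for _ in range(24))

    def enroll(self, account):
        self._rotate(account)

    def check_out(self, user, account, reason, now):
        """Hand the current secret to `user` for at most `ttl`; refuses if someone else holds it."""
        if account not in self._passwords:
            raise KeyError(f"unknown account {account}")
        if not reason.strip():
            raise ValueError("break-glass access needs a stated reason")
        self.expire_leases(now)
        if account in self._leases:
            raise PermissionError(f"{account} is already checked out by {self._leases[account].user}")
        self._leases[account] = Lease(user, now + self.ttl)
        self.audit.append(("CHECKOUT", user, account, reason, now))
        return self._passwords[account]

    def check_in(self, user, account, now):
        lease = self._leases.get(account)
        if lease is None or lease.user != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._leases[account]
        self._rotate(account)  # the disclosed secret is never valid again
        self.audit.append(("CHECKIN", user, account, "rotated", now))

    def expire_leases(self, now):
        """Revoke leases past their TTL and rotate their secrets; returns the accounts touched."""
        expired = [a for a, lease in self._leases.items() if lease.expires <= now]
        for account in expired:
            user = self._leases.pop(account).user
            self._rotate(account)
            self.audit.append(("EXPIRED", user, account, "rotated", now))
        return expired

    def is_checked_out(self, account):
        return account in self._leases


def demo():
    """Walk one account through the lifecycle; all names, tickets and times are constructed."""
    vault = BreakGlassVault(ttl=timedelta(minutes=30))
    vault.enroll("root@db01")
    t0 = datetime(2007, 9, 23, 3, 0, tzinfo=timezone.utc)
    pw_alice = vault.check_out("alice", "root@db01", "INC-0042: replication stalled", t0)
    try:
        vault.check_out("bob", "root@db01", "just curious", t0 + timedelta(minutes=5))
        second_holder_blocked = False
    except PermissionError:
        second_holder_blocked = True
    vault.check_in("alice", "root@db01", t0 + timedelta(minutes=10))
    pw_bob = vault.check_out("bob", "root@db01", "INC-0043: disk full", t0 + timedelta(minutes=11))
    expired = vault.expire_leases(t0 + timedelta(minutes=50))  # bob never checked in
    return {
        "second_holder_blocked": second_holder_blocked,
        "rotated_after_checkin": pw_alice != pw_bob,
        "expired_accounts": expired,
        "still_checked_out": vault.is_checked_out("root@db01"),
        "audit_events": [e[0] for e in vault.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rotation on check-in is what turns a shared root password into a one-use credential; the audit list is what lets the "break-glass" event be reviewed afterwards, which the answer's sudo/runas comparison does not give you on its own.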

Sunday, September 16, 2007

Defining the Endpoint Security UTM

Endpoint security is getting more complex... At the end of the day we have only 1 endpoint to integrate all those glorious safeguards. The target (laptop, desktop, pda, Smartphone, blackberry) has limited resources.

This makes the perfect case for the endpoint unified threat management (UTM) concept. Clientless control is golden, so OS specific safeguards such as GPO or remote enforcement tools such as Promisec would be great. Or the utility based offerings such as Postini and ScanSafe will decrease the load/tax on the client.

Here is my list of endpoint security functionality for the UTM (a single executable or everything in the cloud are the golden wishes):

- Port Control (USB, CD, Floppy, Bluetooth, IR, Wi-Fi, Ethernet etc)
- Location awareness
- Encryption (file, disk, mail), key/cert management
- Firewall
- IPS
- Antivirus (http and SMTP)
- Antispam, Phishing, Malware control (http, SMTP, SMS)
- URL filtering
- Application control, and tripwire type change control
- Remote device management (in a secure manner :)
- Biometrics/TPM/SSO/802.1x support
- Easy to scale on multiplatform esp. on mobile

Of course all should be managed centrally.

Do I ask for too much? I already see several initiatives before Microsoft, Nokia, and RIM wake up.

Deployment is a topic for another post.

cheers,
- yinal

Running a Security Operations Centre

Q: Running a Security Operations Centre
Can anyone tell me if they have had any success in setting up an internal SOC (security operations centre) compared with outsourcing / smartsourcing it to a third party to manage or partially manage?

A: Hi ......,
We have set up several SOCs for ourselves (us being MSSP) and for our clients.

I assume you are interested in a SOC type that our clients use for internal security operations.

Yes, an internal SOC is very tricky and can be very expensive based upon the initial scope.

Here are the initial problems that we faced for internal SOC initiatives

1) Developing the redundant infrastructure. Real time active-active SOCs are recommended, which makes the infrastructure complex.
2) Finding the right people: It is tough to find people who can work a 7x24x365 schedule with a lot of stress. It is tough to keep trained security experts in-house. It is tough to run follow-the-sun or 3-shift teams. If this is the first time for the client, expect major problems for the first year.
3) Developing operational procedures: Unless you mimic a working operation, starting from scratch will not be easy. Security monitoring and management procedures are dependent on the toolsets, resources and the architecture. Internal SOCs require a long learn-by-mistake period.
4) Integration with internal workflow. All internal IT procedures must be updated to work with the new SOC
5) Integration with existing IT infrastructure. All existing systems and policy should work together.
6) Achieving the certification and compliance for the new SOC (SAS 70 type II, ISO 27001, PCI etc)

If you have any specific questions I might give more definite details. I think the link below will help you for the SOC operation scoping on the technical side:

http://infosecforum.blogspot.com/2007/08/ideal-managed-security-service-provider.html

regards,
- yinal ozkan

Thursday, September 13, 2007

Classification of Information Security Products

We usually use 4 main solution categories... Perimeter, Threat and Vulnerability, Content, and IAM... But if you want to look at the solutions with product categories, here is my high level view:

Security Product Areas
• Firewall
• IPS IDS
• Antivirus, Antispam, Malware (email)
• Encryption
• URL Filtering (and AV AS Malware)
• Proxy-Cache-WAN Acceleration
• Web/XML gateway frontend security
• VPN management
• Remote Access (SSL ,client)
• DRM
• Authentication
• NAC, 802.1x
• Wireless
• UTM
• Endpoint UTM
• DDOS
• NBAD
• SIM
• Risk Management
• BCP/DR
• Vulnerability Management
• Patch Management
• Virtual Machine - VMware
• Compliance / Policy management
• Identity / Provisioning Management
• Incident management
• Secure Application Development
• Platform Security (e.g. SAP, Mainframe)
• Database

There are also generic areas, and a detailed endpoint products area which I will discuss in another post.

Wednesday, September 12, 2007

What benefits have you received from ISO 17799 certification?

Q: What benefits have you received from ISO 17799 certification?
Other than the usual (managerial and legal) benefits of getting standards compliant, what exactly have you gained from doing 17799? Would it really improve security for small organizations, or those with distributed working environments?


A: Hi ...,
ISO 27001 certification is very useful for any company whose business requires information security.

What I see in thousands of organizations is the unstructured security practice. Or the malpractice.

This (information security) discipline requires maturity like any other, and ISO 27001 is one nice way of getting maturity in practice.

Here are the characteristics of information security operations that we see every day:
• The information security operation does not have a clearly defined scope (e.g. is accounting in your scope?)
• It does not have a well defined process/lifecycle model
• It does not have a risk management model and risk analysis
• It does not have document management
• It does not enforce regular audits
• It does not have metrics and measurement in place


ISO 27001, like many other security frameworks, promotes one main idea: a more secure operation. You may individually apply one or two of the missing components, but having everything organized under one framework, and having this certified by a 3rd party, has a different value.

Your organization gains a very important thing for information security operation: Governance.
With the certification you and the rest of the world will know the scope, processes, policies, documentation, risk management, audit plans, metrics and measurement, so that you can continuously improve your security level. As you know, according to the very basics of information security principles, you cannot improve a system where you do not have a well defined scope, where you do not know the assets and risks, and where you cannot measure the metrics.

ISO 27001 actually delivers a security program to address your organization’s information security requirements. You can check CMM offerings to measure the changes in information security with ISO 27001.

My organization gained a lot from the certification and we still do, because every year we go through it again. The certification is not for compliance; we actually improve our security posture and this progress is verified/certified by 3rd party accreditors.

Let me know if you have a specific problem
cheers,
- yinal

Tuesday, September 4, 2007

Web Application Testing

Q: I am a performance tester. Can you suggest a third party tool for network monitoring? Our application is web based and my client's requirement is to find latency and bandwidth.

A: Hi …
To find real latency and bandwidth requirements of your web applications a dedicated performance measurement tool would be more helpful than a network monitor.

For network monitoring, you can use a public domain or commercial packet sniffer with analysis capability. Check the utilities that use PCAP, or simply tcpdump, snoop, Kismet or Wireshark (a.k.a. Ethereal). But seeing all network data and analyzing raw data for application-level latency and bandwidth problems will require a lot of additional time from you. There are also professional network monitoring tools but I will skip that part. You can monitor all traffic via taps and traffic replicators or simply use NetFlow, sFlow or cflow data from routers. There are many tools to analyze network capture and flow data.

For your web applications what you need is a web performance test tool. A long list of test tools is available at the URL below:
http://www.softwareqatest.com/qatweb1.html

Your options are
1- Use a public domain tool from the list above
2- Use a web based performance measurement service. To use this kind of in-the-cloud service, your application must have public IP addresses (Internet facing). Gomez, Keynote and AlertSite are a couple of examples. Network Computing ran a test long ago: http://www.networkcomputing.com/showitem.jhtml?docid=1423f4
3- You can use a professional load generator. All these appliances have a web testing feature. Web testing is not their strongest point (they are really good at generating IP traffic of all sizes, which helps to measure performance). These tools are for deep-pocket projects. Spirent Avalanche / Reflector and IXIA IxChariot are the first names.
4- For web application testing, there are complete toolsets (big ticket items again). You can get much more than latency and server response time data. These tools come with ready-to-use test scripts and scripting environments. The big players are the usual suspects:
a. Mercury interactive tools (Acquired by HP) : http://www.mercury.com/us/
b. BMC Performance Management: http://www.bmc.com/products/products_services_detail/0,,0_0_0_2001,00.html
c. CA Wily : http://www.wilytech.com/solutions/products/BRTAdapter.html
d. Compuware: http://www.compuware.com/products/vantage/464_ENG_HTML.htm . You can also get good network analysis tools from Compuware
e. NetIQ's AppManager: http://www.netiq.com/products/am/default.asp
f. IBM (which is a mix of Rational, Candle and Micromuse): http://www-306.ibm.com/software/tivoli/products/composite-application-mgr-rtt/
g. Quest: http://www.quest.com/performance-management/
h. Veritas (now Symantec) http://www.symantec.com/enterprise/products/overview.jsp?pcid=2246&pvid=1861_1

Monday, September 3, 2007

Security of MVNO and MVNE

Q: I'm interested in digging deeper into the threats and risks connected to the deployment of MVNEs (Mobile Virtual Network Enablers) in an MNO (Mobile Network Operator) environment. If you have concrete experience in this area, I ask you to share the most important aspects an MNO should consider for the deployment of MVNEs.

A: A very important question. I am not from the TelCo world but here is my view as an information security professional.
The answer depends on the deployment type. If the MNO keeps existing services in house but offers MVNE services to MVNOs, proper segmentation and segregation of roles are the key points.

If the MNO replaces existing internal operations or acquires new functionality with MVNE based offerings, that is a more complex security status. I will not discuss the specifics for that scenario since it is specific to the MNO infrastructure.

For security controls on MVNE services for MVNOs, I do not think that any MNO has the means to differentiate the virtual service provider's traffic at the field (base station) level. Base stations are trusted by authentication stations and service gateways. I think it is okay to assume native GSM security is sufficient. Basically MVNO and MNO users will have the same level of security experience. This will be the least expensive way for the MNO as well.

Here are the possible problem points for MNO/MVNO/MVNE type of deployment security:

User Space:
1- Any existing application/feature that is based on handsets’ properties will not be valid for MVNO users (SIM based applications, Java applications such as payment/banking, or client based applications such as content players). Handsets will basically be out of control; it is good practice for the MNO to have a solid disclaimer at the initiation of the project.

2- The MNO will still be able to identify/authenticate and authorize all end users by SIM. I will not discuss how secure this is, but MVNO users will be as secure as MNO users. The MVNE will not utilize any new services but will need to access MNO resources. This communication must be managed.

Backoffice:
3- As stated above, the biggest concern will be the provisioning, performance and utilization of infrastructure (basically how to share it). The links between MNO and MVNE systems, esp. messaging/data access, must be regulated. Physical segmentation with proper audit trails would be nice. The MNO must have very clear visibility into MVNE operations, and the MNO infrastructure should support multiple MVNEs for business and technical reasons. Capacity planning will be very complex. QoS, VoIP and RSVP will be the tough words. But it is more of a deployment question than a security one.

4- Backoffice service gateways, esp. IP security systems (e.g. proxies, LDAP, GPRS firewalls, URL filters, spam gateways, email/SMS gateways) are capable of supporting multiple providers. This won't be a main security issue. Check support for virtual systems on these gateways (e.g. virtual firewalls). MNOs can cross-sell their existing gateways to MVNEs or buy services from MVNEs for their own users. Security deployment should be structured. I do recommend following a framework like ISO 27001 to verify that all controls are in place.

If the architecture and the scope of the services are listed it is possible to elaborate more on the specific controls.

cheers,
- yinal

MSSP History and Company Names

Since I started working actively in the MSSP field, I have heard hundreds of stories about how lucrative the market is and why everybody should be in this business. There aren't so many pure play managed security services providers, but all companies are offering something: integrators, TelCos, product vendors, ASPs and ISPs keep offering managed security services. Of course this makes the market complex after several M&As, bankruptcies, takeovers, name changes and spin offs. Here is a draft map that I had scratched in my notes. Again, this is a draft and open for corrections. Let me know what is missing in the picture.

MSSP Market - http://istanbul.tc/blog/MSSPhistory.pdf

Here is the list of companies in the map:

Charted:
AT&T, Ameritech, Pacific Telesis, Southwestern Bell, Bellsouth, Us West, QWest, Nynex, Bell Atlantic GTE, BBN Planet, Verizon Communications, SBC, SNET, Nap Net, Intermedi Network, Genuity, Fiberlink, Sprint, Verizon, Level 3, Nextlink, Concentric, XO, Allegiance, Exodus, Cable & Wireless, SIT Europe Aethis, Netvision, Global Sign, Network Exchange, ubizen, Baltimore PKI, Be Trusted, Three Pillars, Digital Mojo, TruSecure, Defcom, Cybertrust, Verizon Business, MCI, NetSec, KSR, Virtela, Aptegrity, Globix, Postini, Google, Unisys, Altoria, PresiNet, Neon, RCN, Quality Tech, E^Deltacom, Verio, NTT Bangalore Labs, Net ProActive, Planet One, UUNET, worldCom, OneSecure, RipTech, iDefense, Telenisus, DefendNet, Guardent, Symantec, Verisign, Farm9, Mailmax, SecurePipe, Alasson, Articon, Content Technologies, Articon-Integralis, Atlantic, Axipe, NetSecure, Abax Partners, ComCad, Tercom, Centaur, MessageNet, Guarded, Cybergnostic, MessageSecure, USNetworks, Permiter, RedCliff, Breakwater, Global One, Equant, Orange, Infonet, BT, Counterpane, T-Manage, Netrex, ISS, IBM, Verisect, Secure 360, RedSiren, SecureWorks, Lurgh, Boxing Orange, Megapath, Netifice, Solicium, Start Technology, Omnipod, MessageLabs, Vistorm, Netstore, Securalis, Thales, Telindus, Belgacom, Espria, Vigiland Minds, Solutionary, Diebolt, ExpertCity, Citrix, NetSolve, Cisco, MessageRite, Frontbridge, Microsoft, SiegeWorks, TrueNorth, FishNet

Not Charted:
Alliant Technologies, Altoria, Anchor Technologies, asiGuardian, BigCity Networks, CNS, CSC, Cyberklix, Generis Technologies, HostMySite.com, indevis, Lightedge, McKesson, Nexum, Positive Networks, QuoVadis, RKON, SADA Systems, Secure Network Technologies, Signify, VanguardMS, Wipro, BTI Net, Armadillo, NETBENEFIT, Zen Internet, Mistral Internet, DXI Networks, Atos Origin, Damavo, aimNet Solutions, iOmega, Netboundary, NUSpire, Rackspace, sureSec, Global Crossing, Open Systems, Netsieben, Above Security, Elefire Limited, Wavenet, Illumen, eSentire, HarrierZeuros, EXL, Koc Net, VeroTek, Sirocom, VPN Solutions, Coalfire Systems, Total Sentry, Isblanket, Sentry Metrics, VPNet, Earthwave, Ambersail, NABLA, FrontGate Systems, Backbone Security, NetworkCloaking, Secure Crossing, Exceed Security, Lazarus Alliance, Intrusion Protection, Oxstrad

Wednesday, August 29, 2007

Defense In Depth Technology Classification

Classification of security controls is always a problem. Here is a quick chart for technology based safeguards that I came across while browsing risk presentations on the Internet. Credit to Jamie Sharp of Microsoft. Plain and simple:


In-house Security Operation or Managed Security Service Providers?

Q: You are the manager of the IT department of a medium to large sized company. Like any manager, you have a budget. You can never seem to get enough money from the C-level bosses above you, most of whom may not fully understand the importance of information security and compliance. Tough question.... do you hire/train employees to handle your network security, or do you outsource to a third party (not necessarily off-shore)? What are some of the factors you would consider in each avenue? If you have been in this situation before, what are some of the lessons you have taken away?

A:
Hi Martin,
I think the question is twofold... Governing information security and operating information security should be perceived as different topics. I do believe that information security governance should be in-house. Regardless of the resources available, a company should determine what the risks are and how the risks are addressed. That being said, it is usually a much better choice to outsource information security operations. Here is a quick try at summarizing the status:

Cons list for managed security operations (compared with in-house IT operations)


  • It is scary to rely on a 3rd party for all your security... it usually feels like hiring legionnaires: pro soldiers versus highly taxed IT peasants. Trust is the key word.
  • Communication on the wire is still slower than face to face communication. A local IT team integrates better with local projects (naturally).
  • As a manager you cannot order an MSSP around as you wish. They do not code for your SOA application, or fix your internal routing when you ask them to do so... You cannot allocate their resources to a different project.
  • Usually the MSSP service is customized for a target audience, not exactly for your specific operation... The choice is very much like a tailor made dress vs. Hugo Boss (and sometimes Banana Republic...).
  • SLA management still requires an internal resource at your organization.
  • If data privacy is your main concern, the procedures may get complicated.
  • Your business advantage of being more secure than your competition may be stolen very easily since MSSPs are not exclusive to your operation.


Pros list for Managed Security Operations (compared with in-house IT operations)

  • All services are guaranteed with an SLA.
  • All services are usually verified by a 3rd party (e.g. SAS 70, ISO 27001).
  • Economies of scale. Even large-company InfoSec operations are dwarfed by regular MSSP operations.
  • Constant access to trained engineers. A larger pool of information security know-how.
  • Operational excellence. MSSPs are constantly evaluated and audited by thousands of parties. They have to be better in operations.
  • Certified engineers for specific products. The luxury of accessing subject matter experts in various fields.
  • Better connections with hardware and software vendors.
  • Cookie-cutter compliance solutions.
  • Better visibility of the information security space via hundreds/thousands of different customers.
  • Established procedures for change management, asset management, configuration management, BCP/DR etc.
  • Opportunity to focus on the core business instead of working on security operations.
  • Avoid the fixed infrastructure cost of a highly redundant, high capacity, expensive infrastructure.
  • Shifting the dirty tasks to the MSSP (3am Saturday changes?).
  • Segregation of duties. It is good to have a 3rd party for security.
  • 7x24x365 real-time availability of all security resources.


- yinal

Sunday, August 26, 2007

What do you use for an incident response console?

“Hi ....., We have been building information security management infrastructure for our customers at several sites. Incident response can be a part of several other tasks, so it is hard to have a single console (incident response tasks are listed at http://www.cert.org/csirts/services.html). But in daily operation we do use SEM and ticketing consoles simultaneously. Depending on the reliability of the automatic correlation of events, you may even use a single ticketing console and dig down into the events when needed. For me, the basic IR components are as follows:

1- Process Framework: You need a methodology for building the incident response system... Depending on your requirements and resources you may choose ISO 27001, ISACA, NIST based risk management models, or IETF, CERT, OGSF type CSIRT procedures... Whatever you do, you need to define the incident response process well. There are a lot of resources, books, articles and guides on the technical and operational side. Let me know if you have any questions on that side.

2- Unified Log Collection and Event Correlation: Once you define your processes, it is time to choose the tools. If your infrastructure is not single vendor, you will need a centralized way of collecting and correlating events... There is no silver bullet, but there are a lot of tools. Architecture-wise you need to define agent based or agentless systems, remote log collectors, aggregation points, traffic forecasts, processing requirements etc. You may choose generic network management powerhouses like HP OpenView, CA Unicenter, IBM Tivoli, Micromuse Netcool or specific security SEM players like RSA enVision, ArcSight, netForensics etc. If you have a homogeneous single vendor environment, Cisco MARS, Novell, Check Point Eventia, Symantec type solutions work as well. You do not need to spend big money on SEM if you have a limited budget; there are open source log managers or low cost tools like WhatsUp.

3- Ticket Management/Escalation: For incident response, a solid ticketing system is very useful. Regardless of the SEM and NMC tools deployed, you need a helpdesk system. The gold standard is Remedy, but it is for large enterprises with solid customization capabilities. Once the events are correlated on the SEM and marked as incidents, you can manage the whole escalation in your ticketing system. There are thousands of alternatives for ticketing systems. You need to integrate the SEM systems with the ticketing systems.

4- 3rd Party Communication and Integration: Messaging with other Computer Security Incident Response Teams (CSIRTs), private vulnerability research centers, managed security services providers and in-the-cloud vulnerability management services requires integration of your escalation procedures and tools during the design phase.

At our own operation, we have built our own log collectors, agents, receivers, correlation engines, agent consoles, and correlation and business rules engines because of the specific requirements of the operation; the main drivers were to have a single console for operators and to increase efficiency, capacity and security. We still utilize Remedy for asset, change and issue management as well as regular escalation. Let me know if you have a specific question. Regards, - yinal ozkan”
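Added example (mine, not from the original answer or from any of the products named in it): the SEM-to-ticketing step from items 2 and 3 above, reduced to a single correlation rule in Python. It parses constructed sshd log lines, fires when at least five failed logins from one source against one host are followed by an accepted login from the same source within ten minutes, and shapes the result as a ticket for the escalation queue. The log lines, the threshold and window, and the ticket field names are all assumptions.

```python
"""Added example (not from the original post): one SEM-style correlation rule
that turns raw auth log events into an escalation ticket.

Assumptions (not from the page): syslog-style lines from a Linux sshd, a
brute-force rule of >= 5 failures then a success from one source within
10 minutes, and a ticket dict shaped for a generic ticketing API.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Aug 26 02:14:01 db01 sshd[1201]: Failed password for oracle from 10.9.8.7 port 50111 ssh2
Aug 26 02:14:03 db01 sshd[1201]: Failed password for oracle from 10.9.8.7 port 50112 ssh2
Aug 26 02:14:05 db01 sshd[1201]: Failed password for oracle from 10.9.8.7 port 50113 ssh2
Aug 26 02:14:07 db01 sshd[1201]: Failed password for oracle from 10.9.8.7 port 50114 ssh2
Aug 26 02:14:09 db01 sshd[1201]: Failed password for oracle from 10.9.8.7 port 50115 ssh2
Aug 26 02:14:40 db01 sshd[1209]: Accepted password for oracle from 10.9.8.7 port 50120 ssh2
Aug 26 02:15:00 web01 sshd[777]: Failed password for root from 192.0.2.5 port 40001 ssh2
Aug 26 03:30:00 web01 sshd[778]: Accepted publickey for deploy from 192.0.2.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_events(text, year=2007):
    """Normalise raw lines into event dicts; lines the pattern does not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "result": m["result"]})
    return events

def correlate_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Rule: >= threshold failures from one src against one host, then a success
    from the same src inside the window -> one incident per (src, host) burst."""
    failures = defaultdict(list)   # (src, host) -> timestamps of recent failures
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["host"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            # keep only the failures still inside the sliding window
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        elif ev["result"] == "Accepted":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                incidents.append({
                    "src": ev["src"], "host": ev["host"], "user": ev["user"],
                    "failures": len(recent), "first_seen": recent[0],
                    "success_at": ev["ts"],
                })
                failures[key] = []   # do not fire twice for the same burst
    return incidents

def to_ticket(incident):
    """Shape an incident as a ticket for the escalation queue (hypothetical field names)."""
    return {
        "queue": "SOC-IR",
        "priority": "P1" if incident["user"] in ("root", "oracle") else "P2",
        "title": f"Possible brute-force success on {incident['host']} from {incident['src']}",
        "description": (f"{incident['failures']} failed logins for {incident['user']} between "
                        f"{incident['first_seen']:%H:%M:%S} and {incident['success_at']:%H:%M:%S}, "
                        f"then an accepted login from the same source."),
        "source": "SEM correlation rule bruteforce-then-success",
    }

def run(text=SAMPLE_LOG):
    """Full pipeline: raw log text -> parsed events -> incidents -> tickets."""
    return [to_ticket(i) for i in correlate_bruteforce(parse_events(text))]

if __name__ == "__main__":
    for t in run():
        print(t["priority"], t["title"])
```

On the constructed sample the rule opens one P1 ticket for db01 and stays quiet for web01, where the single failure and the later key-based login come from different sources. In a real deployment the ticket dict would be posted to the helpdesk API and the rule would run over a stream rather than a string, but the correlation logic is the same.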

When calculating information asset risk, does the formula C x I x A x (T xV) work?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ....., I agree with the previous comments. Quantitative risk calculation can only get serious when you define your input variables in detail. The C x I x A x T x V formula you have mentioned will give you some numbers, like any other combination based on your definitions of availability, vulnerability etc., but I do not recommend using this formula. You need to add the probability and the impact components of vulnerabilities for a better calculation (if they are not already a part of your vulnerability definitions). If it is possible, I recommend using a proven risk management framework. Even in this scenario you need to set your definitions and customize the framework.
A good starting address: http://wwwt.zhwin.ch/ui/swp/documents/risk_assessment_approaches_f_136894.pdf
Basically, asset risk can be calculated with the answers to the following questions (from the infosec handbook):
  • What could happen? (What is the threat?)
  • How bad could it be? (What is the impact or consequence?)
  • How often might it happen? (What is the frequency?)
  • How certain are the answers to the first three questions? (What is the degree of confidence?)

Here is a more common approach with which you can formulize your risk calculation at a high level:
  • Asset: Target of protection
  • Asset Value (AV): Cost or replacement cost of your assets
  • Exposure Factor (EF): Percentage of asset value that might be lost if things go wrong
  • Single Loss Expectancy (SLE): Money lost if the risk happens, SLE = Asset Value (AV) x Exposure Factor (EF)
  • Annualized Rate of Occurrence (ARO): This is the frequency element of risk (number of repetitions of a risk factor in a unit of time/year); for example the probability of a major flood vs. an operator typing a wrong password is different.
  • Annualized Loss Expectancy (ALE): When you multiply your expected loss with the frequency you get the cost of risk on an asset over a one year period, ALE = SLE x ARO

A Google search on these keywords (ale aro sle) brings out several examples. As I have stated above, even the most quantitative method is relative, but the attempt to normalize and measure risk is a very good start. Let me know if you have a specific question. regards, - yinal ozkan”
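Added example (not from the original answer): the AV, EF, SLE, ARO and ALE chain above carried through in Python for three constructed scenarios and ranked by annualized loss. It goes one step beyond the answer by also comparing the ALE reduction a safeguard buys against the safeguard's yearly cost; the asset values, exposure factors and rates of occurrence are illustrative assumptions, not figures from the page.

```python
"""Added example (not from the original answer): AV/EF/SLE/ARO/ALE worked
through for constructed scenarios, plus a safeguard cost/benefit check.
All figures are illustrative assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float      # AV: replacement or business value, in currency units
    exposure_factor: float  # EF: fraction of AV lost if the threat materialises (0..1)
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

def sle(s: Scenario) -> float:
    """Single Loss Expectancy = AV x EF."""
    return s.asset_value * s.exposure_factor

def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(s) * s.aro

def rank_by_ale(scenarios):
    """Highest annualized loss first. This ordering is what a frequency-free
    product such as C x I x A x T x V cannot produce."""
    return sorted(scenarios, key=ale, reverse=True)

def safeguard_is_justified(s: Scenario, annual_cost: float, aro_after: float) -> bool:
    """A control pays for itself when the ALE reduction it buys exceeds its yearly
    cost. aro_after is the assumed occurrence rate once the control is in place."""
    reduced = Scenario(s.asset, s.threat, s.asset_value, s.exposure_factor, aro_after)
    return (ale(s) - ale(reduced)) > annual_cost

# Constructed scenarios (illustrative numbers, not from the page).
SCENARIOS = [
    Scenario("core banking DB", "major flood", 2_000_000, 0.60, 0.02),
    Scenario("core banking DB", "operator mistypes and locks account", 2_000_000, 0.001, 50.0),
    Scenario("public web server", "defacement via unpatched app", 150_000, 0.40, 2.0),
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.asset:20s} {s.threat:38s} SLE={sle(s):>12,.0f} ALE={ale(s):>12,.0f}")
```

With these assumed numbers the flood has by far the largest single loss (SLE 1,200,000) but the smallest yearly cost (ALE 24,000), while the frequent, low-impact operator error (ALE 100,000) and the web defacement (ALE 120,000) rank above it; that inversion is the frequency term at work, and the safeguard check shows the same arithmetic applied to deciding whether a control is worth its budget.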

PKI & SAML / Strong Authentication / SOA?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ...., You have 2 paths to integrate your PKI system with your SOA environment.
Option 1: Get all the RFCs and a cool coder team and implement the security integration solution overlay. It is all RFC based and it is supposed to work.
Option 2: Try one of the XML security gateways and check the built-in PKCS #10, X.509 v3 and SAML functionality. This is probably a shorter but more expensive way.
As usual, in-house development will be more customized when compared with a 3rd party gateway. On the other side, XML gateways offer a proven environment with good management options. You probably know the vendors, but let me reiterate for other readers:
DataPower (acquired by IBM): http://publibfp.boulder.ibm.com/epubs/pdf/22475620.pdf
Reactivity (acquired by Cisco): http://www.cisco.com/cdc_content_elements/acquisitions/reactivity/index2.html
Forum Systems: http://forumsystems.com/papers/Sentry_Data_Sheet_Spring_2004.pdf
Layer 7: http://www.layer7tech.com/products/page.html?id=71
Let me know if you have a specific question, regards, - yinal”

Is it irresponsible for law offices to use hosted email?

Your Public Answer:
“Hi ..., I think it is irresponsible for law offices to use insecure e-mail. Legally, law offices should have secure messaging. The delivery type of the e-mail service, from in-house facilities or from a remote hosted environment, should not be the question. There are several cases where law firms or financial institutions were liable for not maintaining a secure e-mail operation at their own premises. A hosted option might be more secure based on the existing security and privacy controls. Ask your hosting provider the following questions:
1- Who can access my data? Do they all have background checks?
2- Do you have 3rd party security certifications/audits (SAS 70 Type II, ISO 27001 etc.)? What was the scope of the audit/certification? What are the audit results?
3- What are the data retention/archiving/backup policies? What are your plans for BCP/DR? When was the last time you performed a test? What are the results? How long do you keep the backup copies?
4- Do you have a privacy policy at your facilities?
5- What are the existing security safeguards for securing my data (physical, access control, encryption etc.)?
6- How do you segregate my data from your other customers?
7- Where do you store my data? Where are your data centers?
8- Can I see the service level agreement?
9- Does your archiving solution support stringent e-mail regulations, specifically SEC 17a-4 requirements? Can I search my archived messages?
The question list can be extended. If you cannot get satisfactory answers from your hosting provider, it is a better option to have e-mail in-house. Google will not answer most of the questions above, so probably they are not a good enterprise partner at the moment. Expect to have a business level messaging service from Google as a follow-up to their Postini acquisition (2 years?). Let me know if you have a specific question, regards, - yinal ozkan”

Internet based VPN services - what's available ?

Your answer was selected as Best Answer
Your Public Answer:
“Hi J..., Someday (and hopefully soon) several companies will figure out that using Internet based VPNs may solve several problems in a very cost-effective way. Managed services is the logical way to go for small companies, since it does not make sense to keep subject matter VPN experts on board at smaller companies. VPNs are the bloodlines for multi-office, inter-company and partner workflows, and they must be managed properly. So I think your idea is a good call and developing an offering in this area does not suck.
That being said, several companies called "Managed Security Services Providers" (MSSPs) offer managed VPN services (my current company being one of them). I am not sure about your definition of non-enterprise, but most of the MSSPs have solutions for the SMB market. I have been working in the MSSP market for the last 5 years. The usual suspects for MSSPs are Telcos (e.g. BT, AT&T, Verizon, Orange, T-Systems etc.), Global Outsourcing Providers (Wipro, HCL, Unisys, EDS etc.), Security Vendors (Symantec, ISS/IBM) and Specialists (Verisign, Cybertrust and Integralis).
For a go-to-market strategy you have 2 options in the low cost area. You either go with a vendor solution or develop your own. You have to be careful about the low cost of entry to the market for competitors. With vendor products (like Check Point, Juniper, Cisco, Fortinet, Nokia, Symantec) any company can come up with a solution, but the solution will require a lot of CAPEX budget from the clients. SMBs usually do not like to pay in full in advance, so it may make sense to modify a Linux distro and deliver VPN solutions without paying a vendor; this may work since SMBs will not have ultra complex solutions. When you develop and deliver your own VPN solution you may have high margins. Managed Security Services is not just about products; I have written another long Q&A on LinkedIn which might be helpful to build your service:
http://www.linkedin.com/answers/technology/information-technology/information-security/TCH_ITS_ISC/13800-2070053
I also have several studies on why/when/how VPNs should be preferred over Telco WAN solutions. Let me know if you have any specific questions. Regards, - yinal ozkan”

Managed Security Services Market/Partners/Potential Contacts? (for Asia and Middle East region)

“Hi ... Here are my comments for your questions:
1- The MSSP market is bullish. There is no way that all companies will have subject matter experts for 3 shifts on all information security domains; even if they do, spending around $40M for the security management infrastructure will not make sense. It makes sense to work with someone who has the expertise, 7x24 operations, and the infrastructure. I have several reports from 3rd parties with the same highlights. Also, having 60% security does not mean any security, so that is more market share for MSSPs. Yes, I do think Asia and the Middle East will be key enlargement areas for MSSPs, where security is a part of daily life. The more operations get online, the more companies will demand certified 3rd parties for security. My company (Integralis) has been a long time household name in information security, has invested key resources in MSS solutions and has recently acquired a company in the UAE to expand our MSSP operations in the Middle East. Now we have operations in Dubai. We are actively looking at MSSP operations in the Pacific Rim as well.
2- All the MSSPs should be interested (see my recent LinkedIn answers for active player names). That being said, I do recommend getting in touch with Integralis channel contacts. We do have several system integrators and Telcos co-branding our MSSP offering.
3- Well, I do know hundreds of contacts :) but that is probably related to the position I am in. But we have conducted several market surveys in multiple countries, and it looks like 15% of the survey groups are already outsourcing or ready to outsource; that percentage increases with certain technologies such as IPS and e-mail. I do have a lot of resources, so let me know if you have any specific questions. Regards, - yinal ozkan”

What is the most important IT Controls of organizations?

Your answer was selected as Best Answer
Your Public Answer:
“Hi ...., For a refined category list of information security controls, I do recommend the ISO 27001 Global Information Security Framework. Here is the list of domains:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
12. Measurement of Metrics
Of course there are more controls under each domain. If you would like to have predefined controls instead of risk based ones, the PCI framework offers a good list of security controls as well. And as an answer to your main question, which one is more important... I do believe (like many others who posted on this topic) that the importance is directly related to the risks and the business requirements, and there is no single "list". If you define a specific vertical (e.g. health, financial) it might be possible to make some assumptions for a simplified list, but in general it is a very difficult task. Here is a quick methodology to detect which IT controls are more important than the others...
1- Find out what the information assets are, and determine their value.
2- Run a risk assessment with your choice of methodology. Determine threats, vulnerabilities, impact, probability etc., so get the risk.
3- Run a business requirements analysis, and find out what is important for the business, what the shortcomings of the current systems are, compliance requirements, budgets, which systems are desired/in the pipeline etc.
4- Run a gap analysis with the inputs from the risk assessment and the business requirements analysis; this should generate a correct priority list for you.
Let me know if you have any specific questions, Regards, - yinal”

Firewall technical question (SQLNET in Cisco ASA)

“Hi .., Allowing all ports over 1024 is not a good way. As you have described, SQL*Net opens dynamic ports, so it is not nice to open high ports (>1024). The way SQL*Net is written is very similar to FTP and it is not packet filter (ACL) friendly. You need a special handler for this protocol. I didn’t have to use the following in production, but let me know if this works for you:
You can use the “class-map” command to apply SQL*Net inspection to a range of port numbers. The good news is that ASA has one. If you have the SQL*Net (formerly OraServ) protocol passing through your ASA, then only an inbound data connection is permitted through the adaptive security appliance. Cisco ASA supports both versions 1 and 2 of Oracle SQL*Net. ASA is able to perform NAT and look in the packets for all embedded ports to allow the necessary communication for SQL*Net. To enable SQL*Net inspection, use the “inspect sqlnet” command (in the past this command was known as “fixup protocol sqlnet”). The default port assignment for SQL*Net is 1521. This is the value used by Oracle for SQL*Net, but this value does not agree with IANA port assignments for Structured Query Language (SQL). Use the class-map command to apply SQL*Net inspection to a range of port numbers. SQL*Net inspection is enabled by default on ASA. To enable the SQL*Net inspection engine, check the following example, which creates a class map to match SQL*Net traffic on the default port (1521). The service policy is then applied to the outside interface.

    hostname(config)# class-map sqlnet-port
    hostname(config-cmap)# match port tcp eq 1521
    hostname(config-cmap)# exit
    hostname(config)# policy-map sqlnet_policy
    hostname(config-pmap)# class sqlnet-port
    hostname(config-pmap-c)# inspect sqlnet
    hostname(config-pmap-c)# exit
    hostname(config)# service-policy sqlnet_policy interface outside

To enable SQL*Net inspection for all interfaces, use the global parameter in place of interface outside. Generic usage is as follows:

    ….
    access-list 100 extended permit tcp host 192.168.1.1 host 172.16.1.1 eq sqlnet
    ……
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      inspect sqlnet
    !
    service-policy global_policy global

This is supposed to work, but I personally do not like any dynamic port mapping protocols, starting with RPC; all of them are firewall headaches and vulnerability points:
http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
http://www.cisco.com/en/US/customer/products/ps6120/products_command_reference_chapter09186a008063f0e8.html#wp1667425
I hope this helps, Regards, - yinal”

Why do you hire high-tech consultants?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ...., Here are my thoughts on full-time employee vs. consultant decision making:
  • Some of the tasks are temporary, not permanent; it does not make sense to invest in a full-time employee for a project that will last only 3 months.
  • Sometimes the resources are not deep enough to cover the costs of an area specialist. Hiring a subject matter expert consultant is the only solution. For example, if our clients have security experts but no ethical hackers on board, it is logical to hire a consultant who is focused on a very specific area. Hiring a full-time ethical hacker would be a waste of time for clients, since there aren’t enough tasks or projects to utilize a hacker on board, and it is not good practice to ask them to work on areas outside their focus.
  • Sometimes there is a deadline. There is no way to get the right team of people with a full-time hiring process. Simply working with a consultant shop that already holds the right resources to complete your project is the only way. Even if you have an unlimited budget you cannot find a full team of tested, reliable people in a limited timeframe.
  • Sometimes you have to work with a consultant because of a requirement. Some consultancy companies hold certifications that you require (e.g. ISO, clearance etc.). It may not be wise to go through full certification for a couple of projects.
  • In some areas a 3rd party is a must for segregation of duties... You have to hire a consultant. As in accounting or security, a 3rd party consultant must verify your internal controls. Even if you have better internal resources, you still require a consultant.
  • Consultants are unattached to internal company politics; usually they have no history with the client’s internal politics or history of projects, whereas new full-time hires will not be able to escape from local drivers. Consultants can act more independently.
  • Sometimes it is not the consultant, but the consultant company’s know-how that matters. So hiring a full-time employee will not bring the value of a large organization’s depth to client operations. Usually consultant companies accumulate a large chunk of intellectual capacity, and clients can reach those reserves by hiring the consultant companies’ resources.
  • Depending on the hiring organization’s structure, contracting somebody would be much faster and easier for the hiring manager when compared with a full-time employee; no benefits, no commission, no career plans etc.
I could add more examples; as you see, this is a pro-consultant view. As a consultant I can also write another batch of bullet points on why full-time employees are the right decision, depending on the client’s request :) Let me know if you have any specific questions, cheers, - yinal”

How would you measure security? Is security measurable ?

Your Public Answer:
“Hi ..., I have been answering this question for the last 10 years. Contrary to the public infomercials, security is not priceless and security can be measured. There are several approaches, but I strongly recommend a version that is well defined and quantifiable. This method leads to risk based information security measurement. The idea is very simple: you know your assets and their value for your operation; calculate all threats, vulnerabilities and risks based on your business operations and safeguards. Assigning some metrics to your risk level will help you to measure your security level.
When measuring information security you need solid metrics. Defining metrics is a tricky process. First you need clearly defined processes that can be measured. Then you need to define the method for measurement. Defining the frequency of measurement, data collection, analysis and reporting follow these basic steps.
I do recommend following the ISO 27004 framework for information security measurement and metrics. ISO 27004 is still in draft; you can also use a British Standards Institution (BSI) document, BIP 0074. ISO requires well-defined processes and an Information Security Management System (ISMS). This duo will ease your job of measuring the effectiveness of information security. Each ISMS control comes with an objective, so that you can measure the effectiveness of each objective. If you Google the keywords above, you will get plenty of information. Let me know if you have any specific questions, Regards, - yinal ozkan”

Are CISSP, CISA and CISM credentials necessary?

Your Public Answer:
“Hi ..., Depending on your point of interest, the value you get out of a specific certification varies. Certifications in general do not indicate that an individual carries the necessary skills for a job, but they are a very clear sign that a certain individual has spent plenty of time on a specific topic. I usually say that certifications do not measure what you know, but they do measure what you have studied. That is why I always ask about them during the hiring process. There is no way that a regular network security guy has studied IT governance or audit standards unless he/she is forced to do so via certification. Certifications also point out future willingness to study more difficult topics. For an ambitious governance program CISSP, CISM and CISA will help you to form a baseline for all team members.
Usually engineers do not have time to study for exams during regular business hours; as usual they are busy with something else. The certifications signify the time they have spent for their job with a sacrifice of their personal time. That is dedication. When I ask any of my engineers, “Can you get this certification because I need it in my team?” (e.g. for an RFP), the answer usually gives an idea about how well my team is aligned with the short and long term goals. I have seen so many engineers with excellent skills in what they do in daily operations, but most of them lacked a solid grasp of strategic initiatives. Interestingly, I found out that the engineers with several certifications have a tendency to be more efficient on strategic projects. I don’t buy the line “I develop my skills when needed...” Studying for certifications is better than surfing Slashdot.
I do have all of those certifications. I leverage them in several different ways.
a) First of all, everybody speaks the same jargon. I have been working on enterprise security for more than 12 years and it has never been easier to tell an audience about the CIA triad.
b) As Javed put it, certifications allow me to access specific resources through portals, e.g. I really like what I get out of the ISACA portals. Mailing lists are another plus.
c) They help a lot in customer facing engagements. I do have more than 10 of them; when customers notice the work behind those certifications we pass the initial “Does this guy know anything?” phase.
d) Certifications bring discipline; all of them come with specific experience requirements and continuous learning prerequisites, so it is better than not having them.
e) In many of the contracts, RFPs and assessments these certifications became an individual baseline, like SAS 70 and ISO 27001 for organizations; it is useless to get into the “we do not believe in certifications” discussion.
That being said, here is what I think about those specific certifications:
CISSP: As everybody says, the scope is as broad as a sea, but the depth is 2 inches. It is a very useful certification for people who are getting into the information security field from other disciplines. If a regular information security guy has a problem getting it, that is a red alert. I usually make it a prerequisite for managers, network and system engineers. It even works for sales people if your core practice is security.
CISA: This was a very good exam. The curriculum is good. It gives instant access to years of audit experience. The COBIT framework is nice. I use the information I gained from this certification daily. I recommend it for everyone.
CISM: Another good solution from ISACA. It is a good start for governance, and a basic overhaul of information security for managers. This is recommended if you are getting into information security management.
There are also other frameworks like ISO 27001 and ITIL which are very helpful. For hands-on, GIAC certifications are nice, but I still recommend vendor certifications for hands-on work, such as Cisco and Check Point... regards, - yinal ozkan”

How can a company measure risk and security levels?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ..., I have just answered a similar question. Every industry has a specific risk level definition. There are several frameworks to manage and measure risk. Once risk is measured, the controls are applied accordingly. In most risk systems it is not like a predefined black book of security levels that dictates security controls. These levels are relative, so the safeguards are not expected to be the same. For risk management options check FRAP, FIRM, OCTAVE, DRAM, CRAMM, NIST 800-30, ISO 27005 and ISACA; these are the initial ones that come to mind as frameworks. The most suitable ones would depend on your environment, operation and resources. Check the following URL: http://www-t.zhwin.ch/ui/swp/documents/risk_assessment_approaches_f_136894.pdf
For measurement and metrics: I do recommend following the ISO 27004 framework for information security measurement and metrics. ISO 27004 is still in draft; you can also use a British Standards Institution (BSI) document, BIP 0074. ISO requires well-defined processes and an Information Security Management System (ISMS). This duo will ease your job of measuring the effectiveness of information security. Let me know if you have a specific question, regards, - yinal ozkan”

Does anyone know of a good Unix security auditing tool? (for DoD projects)

“Hi, When you are looking at DoD audits, it is better to follow their documents. The Security Technical Implementation Guides (STIGs) from DISA (the Defense Information Systems Agency) of the DoD list a lot of tools for these audits. For Unix audit, the recommended tool is the System iNtrusion Analysis & Reporting Environment (SNARE). This toolset is open source and licensed under the GPL (SNARE: http://sourceforge.net/projects/snare/). The full Unix STIG is at http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf and this guide lists several other security tools recommended by the DoD. That being said, I agree with the other comments; there are a lot of low cost tools that you can utilize (starting with syslog parser scripts). Let me know if you have a specific question, cheers, - yinal”

Where does Information Security belong?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ...., In the corporate world there is a discussion about the Information Technology department. I think IT departments will soon become Business Technology Support departments... Information security has multiple branches. It makes sense to segregate the operations and the security management parts. Information security operations definitely belong to Information Technology. Corporate information security goals must be carried out via information security operations groups. I work with several Fortune 100 companies and this infosec operations organization type looks like the trend. On the other side, I do think that information security policy/assurance should neither be an independent discipline nor be tied to information technology: the right place for information security is where it belongs, enterprise risk management, so that all security risks including information security can be analyzed and managed in a holistic way. Today’s complex IT infrastructure makes it impossible to segregate information security from the rest of the operational risks. For me it makes sense to have an independent "Risk Management" discipline to oversee all threats. That being said, information security based risks will form one of the core disciplines in risk management. Regards, - yinal”

Information Risk Tools - what do you use?

Your answer was selected as Best Answer
Your Public Answer:
“Hi ...., You may capture vulnerability data with vulnerability assessment scanner tools (network scanners like Foundstone, ISS, eEye, Qualys, Nikto, N-Stalker, LANguard, or application testers like SPI Dynamics WebInspect, AppScan, Cenzic, or database security scanners, code analysis etc. The list goes on; I recommend the following presentation for the taxonomy: http://www.owasp.org/images/f/ff/AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt ). But at the end the vulnerabilities gathered from scanning make up just one part of the information systems risk picture; you need to add other risks derived from vulnerabilities of policies, people, access control, authorization, audit, physical security, BCP/DR, HR, capacity management, compliance requirements etc. in addition to the risk data you collect from vulnerability scanning tools. These risks should also be scaled in either a quantitative or a qualitative way based on your business requirements (value, business impact).
As you have stated, the more important task is prioritization and classification. You need to map the vulnerability data with the asset inventory and the business based risks. For this you need a methodology for risk management. FRAP, FIRM, OCTAVE, DRAM, CRAMM, NIST 800-30, ISO 27005 and ISACA are the initial ones that come to mind as frameworks. The most suitable ones would depend on your environment, operation and resources. http://www-t.zhwin.ch/ui/swp/documents/risk_assessment_approaches_f_136894.pdf
As stated above, you can use Skybox View (http://www.skyboxsecurity.com) for the analysis of assets and vulnerability scans. We have deployed this tool in several environments and it works great. Skybox is in the Security Risk Management category. Another option is McAfee’s recently acquired Preventsys series (you may also check Archer, nCircle, Xacta). For risk assessment only, any ISO 27001 toolkit or Citicus will do the job as well. I have found the fault-tree based risk assessment tools difficult to use (like SecurITree). Let me know if you have any specific questions, Regards, - yinal ozkan”
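Added example (not from the original answer or from any vendor's tool): the mapping step described above, joining scanner findings to an asset inventory in Python so that findings are ranked by business risk rather than by scanner severity alone. The CSV shape, the inventory fields and the value and exposure weights are assumptions. Hosts missing from the inventory are reported separately instead of being dropped, because an incomplete asset register is itself a risk finding.

```python
"""Added example (not from the original answer): join scanner output with an
asset inventory and rank findings by business risk. Formats and weights are
assumptions; the data is constructed."""
import csv
import io

# Constructed scanner export (hypothetical CSV shape, not any vendor's format).
SCAN_CSV = """\
host,plugin_id,title,cvss
10.1.1.10,1001,OpenSSL outdated,7.5
10.1.1.10,1002,Weak SSH ciphers,4.3
10.1.1.20,1001,OpenSSL outdated,7.5
10.1.1.30,1003,Anonymous FTP enabled,5.0
10.1.1.99,1004,Telnet service,9.0
"""

# Constructed asset inventory: business value class (1..5) and exposure,
# the kind of data that comes from a CMDB or asset register.
INVENTORY = {
    "10.1.1.10": {"name": "core-db",   "owner": "payments",  "value": 5, "internet_facing": False},
    "10.1.1.20": {"name": "www-prod",  "owner": "ecommerce", "value": 4, "internet_facing": True},
    "10.1.1.30": {"name": "build-box", "owner": "devops",    "value": 2, "internet_facing": False},
}

def load_findings(text):
    """Parse the scanner CSV into dicts with a numeric CVSS score."""
    return [dict(row, cvss=float(row["cvss"])) for row in csv.DictReader(io.StringIO(text))]

def business_risk(finding, asset):
    """Scanner severity x asset value x exposure. The exposure multiplier is an
    assumption standing in for a real likelihood model."""
    exposure = 2.0 if asset["internet_facing"] else 1.0
    return finding["cvss"] * asset["value"] * exposure

def prioritise(findings, inventory):
    """Return (ranked findings, hosts not in the inventory).

    Unknown hosts are surfaced rather than silently skipped: a high-severity
    finding on an asset nobody has registered is a gap in the risk picture."""
    ranked, unknown = [], set()
    for f in findings:
        asset = inventory.get(f["host"])
        if asset is None:
            unknown.add(f["host"])
            continue
        ranked.append({**f, "asset": asset["name"], "owner": asset["owner"],
                       "risk": business_risk(f, asset)})
    # highest business risk first; ties broken by raw CVSS, then host for stability
    ranked.sort(key=lambda r: (-r["risk"], -r["cvss"], r["host"]))
    return ranked, sorted(unknown)

if __name__ == "__main__":
    ranked, unknown = prioritise(load_findings(SCAN_CSV), INVENTORY)
    for r in ranked:
        print(f"{r['risk']:6.1f}  {r['asset']:10s} {r['owner']:10s} {r['title']}")
    if unknown:
        print("not in asset inventory:", ", ".join(unknown))
```

On the constructed data the same OpenSSL finding ranks higher on the Internet-facing web server than on the more valuable but internal database, and the single highest CVSS score (9.0) belongs to a host nobody has registered, which is exactly the case an asset-inventory join exists to catch.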