Wednesday, August 29, 2007

Defense In Depth Technology Classification

Classification of security controls is always a problem. Here is a quick chart for technology-based safeguards that I came across while browsing risk presentations on the Internet. Credit to Jamie Sharp of Microsoft. Plain and simple:


In-house Security Operation or Managed Security Service Providers?

Q: You are the manager of the IT department of a medium to large sized company. Like any manager, you have a budget. You can never seem to get enough money from the C-level bosses above you, most of whom may not fully understand the importance of information security and compliance. Tough question.... do you hire/train employees to handle your network security, or do you outsource to a third party (not necessarily off-shore)? What are some of the factors you would consider in each avenue? If you have been in this situation before, what are some of the lessons you have taken away?

A:
Hi Martin,
I think the question is twofold... Governing information security and operating information security should be perceived as different topics. I do believe that information security governance should be in-house. Regardless of the resources available, a company should determine what the risks are, and how the risks are addressed. That being said, it is usually a much better choice to outsource information security operations. Here is a quick try to summarize the status:

Cons list for Managed Security Operations (compared with in-house IT operations)


  • It is scary to rely on a 3rd party for all your security... it usually feels like hiring legionnaires. Pro soldiers versus highly taxed IT peasants. Trust is the key word.
  • Communication on the wire is still slower than face to face communication. A local IT team integrates better with the local projects (naturally).
  • As a manager you cannot give orders as you wish to an MSSP. They do not code for your SOA application, or fix your internal routing when you ask them to do so... You cannot allocate their resources to different projects.
  • Usually the MSSP service is customized for a target audience, not exactly for your specific operation... The choice is very much like a tailor-made dress vs. Hugo Boss (and sometimes Banana Republic...).
  • SLA management still requires an internal resource at your organization.
  • If data privacy is your main concern, the procedures may get complicated.
  • Your business advantage of being more secure than your competition may be stolen very easily since MSSPs are not exclusive to your operation.


Pros list for Managed Security Operations (compared with in-house IT operations)


  • All services are guaranteed with an SLA.
  • All services are usually verified by a 3rd party (e.g. SAS-70, ISO 27001).
  • Economies of scale. Even large companies' InfoSec operations are dwarfed by regular MSSP operations.
  • Constant access to trained engineers. A larger pool of information security know-how.
  • Operational excellence. MSSPs are constantly evaluated and audited by 1000s of parties. They have to be better in operations.
  • Certified engineers for specific products. The luxury of accessing subject matter experts of various fields.
  • Better connections with hardware and software vendors.
  • Cookie-cutter compliance solutions.
  • Better visibility of the information security space via hundreds/thousands of different customers.
  • Established procedures for change management, asset management, configuration management, BCP/DR etc.
  • Opportunity to focus on the core business instead of working on security operations.
  • Avoid the fixed infrastructure cost of a highly redundant, high capacity, expensive infrastructure.
  • Shifting the dirty tasks to the MSSP (3am Saturday changes?).
  • Segregation of duties. It is good to have a 3rd party for security.
  • 7x24x365 real-time availability of all security resources.


- yinal

Sunday, August 26, 2007

What do you use for an incident response console?

“Hi ....., We have been building information security management infrastructure for our customers at several sites. Incident response can be a part of several other tasks, so it is hard to have a single console (incident response tasks are listed at http://www.cert.org/csirts/services.html). But in daily operation we do use SEM and ticketing consoles simultaneously. Depending on the reliability of the automatic correlation of events, you may even use a single ticketing console and dig down into the events when needed. For me, the basic IR components are as follows:

1- Process Framework – You need a methodology for building the incident response system... Depending on your requirements and resources you may choose ISO 27001, ISACA or NIST based risk management models, or IETF, CERT, OGSF type CSIRT procedures... Whatever you do, you need to define the incident response process well. There are a lot of resources, books, articles and guides on the technical and operational side. Let me know if you have any questions on that side.

2- Unified Log Collection and Event Correlation – Once you define your processes, it is time to choose the tools. If your infrastructure is not single vendor, you will need a centralized way of collecting and correlating events... There is no silver bullet, but there are a lot of tools. Architecture-wise you need to define agent based or agentless systems, remote log collectors, aggregation points, traffic forecasts, processing requirements etc. You may choose generic network management powerhouses like HP OpenView, CA Unicenter, IBM Tivoli, Micromuse Netcool or specific security SEM players like RSA enVision, ArcSight, netForensics etc. If you have a homogeneous single vendor environment, Cisco MARS, Novell, Check Point Eventia, Symantec type solutions work as well. You do not need to spend big money on SEM if you have a limited budget; there are open source log managers or low cost tools like WhatsUp.

3- Ticket Management/Escalation – For incident response, a solid ticketing system is very useful. Regardless of the SEM and NMC tools deployed, you need a helpdesk system. The gold standard is Remedy, but it is for large enterprises with solid customization capabilities. Once the events are correlated on the SEM and marked as incidents, you can manage the whole escalation in your ticketing system. There are 1000s of alternatives for ticketing systems. You need to integrate the SEM systems with the ticketing systems.

4- 3rd Party Communication and Integration – Messaging with other Computer Security Incident Response Teams (CSIRTs), private vulnerability research centers, managed security services providers and in-the-cloud vulnerability management services requires integration of your escalation procedures and tools during the design phase.

At our own operation, we have built our own log collectors, agents, receivers, correlation engines, agent consoles, and correlation and business rules engines because of the specific requirements of the operation; the main drivers were to have a single console for operators and to increase efficiency, capacity and security. We still utilize Remedy for asset, change and issue management as well as regular escalation. Let me know if you have a specific question. Regards, - yinal ozkan”

When calculating information asset risk, does the formula C x I x A x (T xV) work?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ....., I agree with the previous comments. Quantitative risk calculation can only get serious when you define your input variables in detail. The C x I x A x T x V formula you have mentioned will give you some numbers, like any other combination based on your definitions of availability, vulnerability etc., but I do not recommend using this formula. You need to add the probability and the impact components of vulnerabilities for a better calculation (if they are not a part of your vulnerability definitions). If it is possible, I recommend using a proven risk management framework. Even in this scenario you need to set your definitions and customize the framework.
A good start address: http://wwwt.zhwin.ch/ui/swp/documents/risk_assessment_approaches_f_136894.pdf
Basically, asset risk can be calculated with the answers to the following questions (from the infosec handbook):
  • What could happen? (What is the threat?)
  • How bad could it be? (What is the impact or consequence?)
  • How often might it happen? (What is the frequency?)
  • How certain are the answers to the first three questions? (What is the degree of confidence?)

Here is a more common approach that you can use to formulate your risk calculation at a high level:
  • Asset: Target of protection.
  • Asset Value (AV): Cost or replacement cost of your assets.
  • Exposure Factor (EF): Percentage of asset value that might be lost if things go wrong.
  • Single Loss Expectancy (SLE): Money lost if the risk happens. SLE = Asset Value (AV) x Exposure Factor (EF)
  • Annualized Rate of Occurrence (ARO): This is the frequency element of risk (number of repetitions of a risk factor in a unit of time/year); for example, the probability of a major flood vs. an operator typing a wrong password is different.
  • Annualized Loss Expectancy (ALE): When you multiply your expected loss with the frequency you get the cost of risk on an asset over a one year period. ALE = SLE x ARO

A Google search on these keywords (ale aro sle) brings out several examples. As I have stated above, even the most quantitative method is relative, but the attempt to normalize and measure risk is a very good start. Let me know if you have a specific question. regards, - yinal ozkan”
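The AV/EF/SLE/ARO/ALE calculation from the answer above, carried through as an added worked example (not part of the original answer); the register entries, asset values and frequencies are constructed, and the flood-versus-password pair shows why the frequency term matters.

```python
"""Quantitative asset risk: SLE = AV x EF, ALE = SLE x ARO, then rank.
Constructed example with made-up asset values and annual frequencies."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset: str              # target of protection
    threat: str             # what could happen
    asset_value: float      # AV: cost or replacement cost (currency units)
    exposure_factor: float  # EF: fraction of AV lost if the threat occurs, 0..1
    annual_rate: float      # ARO: expected occurrences per year

    def __post_init__(self):
        # Reject inputs that make the arithmetic meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("AV and ARO must be non-negative")

    def sle(self):
        """Single Loss Expectancy: money lost if the risk happens once."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.annual_rate


def rank_by_ale(scenarios):
    """Scenarios ordered from highest to lowest annualized loss."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def risk_table(scenarios):
    """(asset, threat, SLE, ALE) rows, ranked, rounded to whole units."""
    return [(s.asset, s.threat, round(s.sle()), round(s.ale()))
            for s in rank_by_ale(scenarios)]


# Constructed register: rare-but-severe versus frequent-but-tiny on one asset.
REGISTER = [
    RiskScenario("data center", "major flood", 2_000_000, 0.75, 1 / 50),
    RiskScenario("data center", "operator mistypes password", 2_000_000, 0.0001, 250),
    RiskScenario("customer database", "disclosure via web app flaw", 500_000, 0.4, 0.2),
]

if __name__ == "__main__":
    for row in risk_table(REGISTER):
        print(row)
```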

PKI & SAML / Strong Authentication / SOA?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ...., You have 2 paths to integrate your PKI system with your SOA environment.
Option 1: Get all the RFCs and a cool coder team and implement the security integration solution overlay. It is all RFC based and it is supposed to work.
Option 2: Try one of the XML security gateways and check the built-in PKCS #10, X.509 v3, SAML functionality. This is probably a shorter but more expensive way.
As usual, in-house development will be more customized when compared with a 3rd party gateway. On the other side, XML gateways offer a proven environment with good management options. You probably know the vendors, but let me reiterate for other readers:
  • Datapower (acquired by IBM): http://publibfp.boulder.ibm.com/epubs/pdf/22475620.pdf
  • Reactivity (acquired by Cisco): http://www.cisco.com/cdc_content_elements/acquisitions/reactivity/index2.html
  • Forum Systems: http://forumsystems.com/papers/Sentry_Data_Sheet_Spring_2004.pdf
  • Layer7: http://www.layer7tech.com/products/page.html?id=71
Let me know if you have a specific question, regards, - yinal”

Is it irresponsible for law offices to use hosted email?

Your Public Answer:
“Hi ..., I think it is irresponsible for law offices to use insecure e-mail. Legally, law offices should have secure messaging. The delivery type of the e-mail service, from in-house facilities or from a remote hosted environment, should not be the question. There are several cases where law firms or financial institutions were liable for not maintaining a secure e-mail operation at their own premises. A hosted option might be more secure based on existing security and privacy controls. Ask your hosting provider the following questions:
1- Who can access my data? Do they all have background checks?
2- Do you have 3rd party security certifications/audits? (SAS-70 Type II, ISO 27001 etc.) What was the scope of the audit/certification? What are the audit results?
3- What are the data retention/archiving/backup policies? What are your plans for BCP/DR? When was the last time you performed a test? What are the results? How long do you keep the backup copies?
4- Do you have a privacy policy at your facilities?
5- What are the existing security safeguards for securing my data? (Physical, access control, encryption etc.)
6- How do you segregate my data from your other customers?
7- Where do you store my data? Where are your data centers?
8- Can I see the service level agreement?
9- Does your archiving solution support stringent e-mail regulations, specifically SEC 17a-4 requirements? Can I search my archived messages?
The question list can be extended. If you cannot get satisfactory answers from your hosting provider, it is a better option to have e-mail in-house. Google will not answer most of the questions above, so probably they are not a good enterprise partner at the moment. Expect to have a business level messaging service from Google as a follow-up to their Postini acquisition (2 years?). Let me know if you have a specific question, regards, - yinal ozkan”

Internet based VPN services - what's available ?

Your answer was selected as Best Answer
Your Public Answer:
“Hi J..., Someday (and hopefully soon) several companies will figure out that using Internet based VPNs may solve several problems in a very cost-effective way. Managed services is the logical way to go for small companies, since it does not make sense to keep subject matter VPN experts on board for smaller companies. VPNs are the bloodlines for multi-office, inter-company and partner workflows and they must be managed properly. So I think your idea is a good call and developing an offering in this area does not suck.

That being said, several companies called "Managed Security Services Providers - MSSPs" offer managed VPN services (my current company being one of them). I am not sure about your definition of non-enterprise, but most of the MSSPs have solutions for the SMB market. I have been working in the MSSP market for the last 5 years. The usual suspects for MSSPs are Telcos (e.g. BT, AT&T, Verizon, Orange, T-Systems etc.), Global Outsourcing Providers (Wipro, HCL, Unisys, EDS etc.), Security Vendors (Symantec, ISS/IBM) and Specialists (Verisign, Cybertrust and Integralis).

For a go-to-market strategy you have 2 options in the low cost area. You either go with a vendor solution or develop your own. You have to be careful about the low cost of entry to the market for competitors. With vendor products (like Check Point, Juniper, Cisco, Fortinet, Nokia, Symantec) any company can come up with a solution, but the solution will require a lot of CAPEX budget from the clients. SMBs usually do not like to pay in full in advance, so it may make sense to modify a Linux distro and deliver VPN solutions without paying a vendor; this may work since SMBs will not have ultra complex solutions. When you develop and deliver your own VPN solution you may have high margins. Managed Security Services is not just about products; I have written another long Q&A on LinkedIn which might be helpful to build your service:
http://www.linkedin.com/answers/technology/information-technology/information-security/TCH_ITS_ISC/13800-2070053
I also have several studies on why/when/how VPNs should be preferred over Telco WAN solutions. Let me know if you have any specific questions. Regards, - yinal ozkan”

Managed Security Services Market/Partners/Potential Contacts? (for Asia and Middle East region)

“Hi ..., Here are my comments for your questions:
1- The MSSP market is bullish. There is no way that all companies will have subject matter experts for 3 shifts on all information security domains; even if they do, spending around $40M for the security management infrastructure will not make sense. It makes sense to work with someone who has the expertise, 7x24 operations, and the infrastructure. I have several reports from 3rd parties with the same highlights. Also, having 60% security does not mean any security, so that is more market share for MSSPs. Yes, I do think Asia and the Middle East will be key enlargement areas for MSSPs, where security is a part of daily life. The more operations get online, the more companies will demand certified 3rd parties for security. My company (Integralis), which has been a long time household name in information security, has invested key resources in MSS solutions and we have recently acquired a company in the UAE to expand our MSSP operations in the Middle East. Now we have operations in Dubai. We are actively looking at MSSP operations in the Pacific Rim as well.
2- All the MSSPs should be interested (see my recent LinkedIn answers for active player names). That being said, I do recommend getting in touch with Integralis channel contacts. We do have several system integrators and Telcos co-branding our MSSP offering.
3- Well, I do know hundreds of contacts :) but that is probably related to the position I am in. But we have conducted several market surveys in multiple countries; it looks like 15% of the survey groups are already outsourcing or ready to outsource, and that percentage increases with certain technologies such as IPS and e-mail. I do have a lot of resources, so let me know if you have any specific solutions. Regards, - yinal ozkan”

What is the most important IT Controls of organizations?

Your answer was selected as Best Answer
Your Public Answer:
“Hi ...., For a refined category list of information security controls, I do recommend the ISO 27001 Global Information Security Framework. Here is the list of domains:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
12. Measurement of Metrics
Of course there are more controls under each domain. If you like to have predefined controls instead of risk based ones, the PCI framework offers a good list of security controls as well. And as an answer to your main question, which one is more important... I do believe (like many others posted on this topic) that the importance is directly related to the risks and the business requirements, and there is no single "list". If you define a specific vertical (e.g. health, financial) it might be possible to make some assumptions for a simplified list, but in general it is a very difficult task. Here is a quick methodology to detect which IT controls are more important than the others...
1- Find out what the information assets are, and determine their value.
2- Run a risk assessment with your choice of methodology. Determine threats, vulnerabilities, impact, probability etc., to get the risk.
3- Run a business requirements analysis, and find out what is important for the business, what the shortcomings of the current systems are, compliance requirements, budgets, which systems are desired/in the pipeline etc.
4- Run a gap analysis with the inputs from the risk assessment and the business requirements analysis; this should generate a correct priority list for you.
Let me know if you have any specific questions, Regards, - yinal”

Firewall technical question (SQLNET in Cisco ASA)

“Hi .., Allowing all ports over 1024 is not a good way, as you have described. SQL*NET opens dynamic ports, so it is not nice to open high ports (>1024). The way SQL*NET is written is very similar to FTP and it is not packet filter (ACL) friendly. You need a special handler for this protocol. I didn’t have to use the following in production, but let me know if this works for you:

You can use the “class-map” command to use SQL*Net inspection on a range of port numbers. The good news is that ASA has one. If you have the SQL*Net (formerly OraServ) protocol passing through your ASA system, then only an inbound data connection is permitted through the adaptive security appliance. Cisco ASA supports both versions 1 and 2 of Oracle SQL*NET. ASA is able to perform NAT and look in the packets for all embedded ports to allow the necessary communication for SQL*Net. To enable SQL*Net inspection, use the “inspect sqlnet” command (in the past this command was known as “fixup protocol sqlnet”). The default port assignment for SQL*Net is 1521. This is the value used by Oracle for SQL*Net, but this value does not agree with IANA port assignments for Structured Query Language (SQL). Use the class-map command to apply SQL*Net inspection to a range of port numbers. SQL*Net inspection is enabled by default on ASA.

To enable the SQL*Net inspection engine, check the following example, which creates a class map to match SQL*Net traffic on the default port (1521). The service policy is then applied to the outside interface.

hostname(config)# class-map sqlnet-port
hostname(config-cmap)# match port tcp eq 1521
hostname(config-cmap)# exit
hostname(config)# policy-map sqlnet_policy
hostname(config-pmap)# class sqlnet-port
hostname(config-pmap-c)# inspect sqlnet
hostname(config-pmap-c)# exit
hostname(config)# service-policy sqlnet_policy interface outside

To enable SQL*Net inspection for all interfaces, use the global parameter in place of interface outside. Generic usage is as follows:

….
access-list 100 extended permit tcp host 192.168.1.1 host 172.16.1.1 eq sqlnet
……
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect sqlnet
!
service-policy global_policy global

This is supposed to work, but I personally do not like any dynamic port mapping protocols; starting with RPC, all of them are firewall headaches and vulnerability points:
http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
http://www.cisco.com/en/US/customer/products/ps6120/products_command_reference_chapter09186a008063f0e8.html#wp1667425
I hope this helps, Regards, - yinal”
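A small config check for the two patterns the answer above contrasts: the "permit everything over 1024" ACE versus a bound policy-map with inspect sqlnet. This is an added example, not Cisco's or the original answer's code; it assumes running-config style lines (no CLI prompts) and understands only the command shapes shown above, with constructed, placeholder addresses.

```python
"""Audit an ASA running-config excerpt for wide high-port ACEs and for a
bound SQL*Net inspection policy. Constructed example; not a full ASA parser."""
import re

# Constructed config excerpts (placeholder addresses, not from any real device).
WEAK_CONFIG = """\
access-list outside_in extended permit tcp any host 172.16.1.1 gt 1024
access-group outside_in in interface outside
"""

HARDENED_CONFIG = """\
access-list 100 extended permit tcp host 192.168.1.1 host 172.16.1.1 eq sqlnet
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect sqlnet
!
service-policy global_policy global
"""

# Extended permit-tcp ACE; the trailing destination-port clause is optional.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+tcp\s+.*?"
    r"(?:(?P<op>eq|gt|range)\s+(?P<p1>\S+)(?:\s+(?P<p2>\d+))?)?\s*$"
)
WIDE_PORT_SPAN = 1000  # constructed threshold: more ports than this is "wide"


def permitted_span(op, p1, p2):
    """Number of destination ports a port clause opens (no clause = all)."""
    if op is None:
        return 65536
    if op == "eq":
        return 1
    if op == "gt":
        return 65535 - int(p1) if p1.isdigit() else 0
    return int(p2) - int(p1) + 1  # range p1 p2


def wide_high_port_acls(config):
    """Names of ACLs with a permit-tcp ACE opening a wide port span,
    e.g. 'gt 1024', the pattern the question asked about."""
    flagged = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and permitted_span(m["op"], m["p1"], m["p2"]) > WIDE_PORT_SPAN:
            if m["acl"] not in flagged:
                flagged.append(m["acl"])
    return flagged


def sqlnet_inspection_bound(config):
    """True when 'inspect sqlnet' sits inside a policy-map that some
    service-policy line actually binds (globally or to an interface)."""
    inspecting, bound, current = set(), set(), None
    for raw in config.splitlines():
        stripped = raw.strip()
        if stripped.startswith("policy-map "):
            current = stripped.split()[1]
            continue
        if not raw[:1].isspace():  # a column-0 line ends the policy-map block
            current = None
        if current and stripped == "inspect sqlnet":
            inspecting.add(current)
        if stripped.startswith("service-policy "):
            bound.add(stripped.split()[1])
    return bool(inspecting & bound)


def audit(config):
    """Summarize both findings for one config excerpt."""
    return {
        "wide_high_port_acls": wide_high_port_acls(config),
        "sqlnet_inspection_bound": sqlnet_inspection_bound(config),
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```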

Why do you hire high-tech consultants?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ...., Here are my thoughts on full-time employee vs. consultant decision making:
  • Some of the tasks are temporary, not permanent; it does not make sense to make an investment in a full-time employee for a project that will last only 3 months.
  • Sometimes the resources are not deep enough to cover the costs of an area specialist. Hiring a subject matter expert consultant is the only solution. For example, if our clients have security experts but not ethical hackers on board, it is logical to hire a consultant who is focused on a very specific area. Hiring a full-time ethical hacker would be a waste of time for clients since there aren’t enough tasks or projects to utilize a hacker on board, and it is not a good practice to ask them to work on areas out of their focus.
  • Sometimes there is a deadline. There is no way with the full-time hiring process to get the right team of people. Simply working with a consultant shop that already holds the right resources to complete your project is the only way. Even if you have an unlimited budget, you cannot find a full team of tested, reliable people in a limited timeframe.
  • Sometimes you have to work with a consultant because of a requirement. Some consultancy companies hold certifications that you require (e.g. ISO, clearance etc.). It may not be wise to go through full certification for a couple of projects.
  • In some areas a 3rd party is a must for the segregation of duties... You have to hire a consultant. As in accounting or security, a 3rd party consultant must verify your internal controls. Even if you have better internal resources, you still require a consultant.
  • Consultants are unattached to internal company politics; usually they have no history with the client’s internal politics or history of projects, while new full-time hires will not be able to escape from local drivers. Consultants can act more independently.
  • Sometimes it is not the consultant, but the consultant company’s know-how that matters. So hiring a full-time employee will not bring the value of a large organization’s depth to client operations. Usually consultant companies accumulate a large chunk of intellectual capacity, and the clients can reach those reserves via hiring consultant companies’ resources.
  • Depending on the hiring organization’s structure, contracting somebody would be much faster and easier for the hiring manager when compared with a full-time employee; no benefits, no commission, no career plans etc.
I may increase the number of examples; as you see this is a pro-consultant view. As a consultant I can also write another batch of bullet points on why full-time employees are the right decision, depending on the client’s request :) Let me know if you have any specific questions, cheers, - yinal”

How would you measure security? Is security measurable ?

Your Public Answer:
“Hi ..., I have been answering this question for the last 10 years. Against the public infomercials, security is not priceless and security can be measured. There are several approaches, but I strongly recommend a version that is well defined and quantifiable. This method leads to risk based information security measurement. The idea is very simple: you know your assets and their value for your operation; calculate all threats, vulnerabilities and risks based on your business operations and safeguards. Assigning some metrics to your risk level will help you to measure your security level.

When measuring information security you need solid metrics. Defining metrics is a tricky process. First you need clearly defined processes that can be measured. Then you need to define the method for measurement. Defining the frequency of measurement, data collection, analysis and reporting follow these basic steps.

I do recommend following the ISO 27004 framework for information security measurement and metrics. ISO 27004 is still in draft; you can also use a British Standards Institute (BSI) document, BIP0074. ISO requires well defined processes and an Information Security Management System (ISMS). This duo will ease your job to measure the effectiveness of information security. Each ISMS control comes with an objective, so that you can measure the effectiveness of each objective. If you Google the keywords above, you will get plenty of information. Let me know if you have any specific questions, Regards, - yinal ozkan”

Are CISSP, CISA and CISM credentials necessary?

Your Public Answer:
“Hi ..., Depending on your point of interest, the value you get out of a specific certification varies. Certifications in general do not indicate that an individual carries the necessary skills for a job, but they are a very clear sign that a certain individual has spent plenty of time on a specific topic. I usually say that certifications do not measure what you know, but they do measure what you have studied. That is why I always ask about them during the hiring process. There is no way that a regular network security guy has studied IT governance or audit standards unless he/she is forced to do so via certification. Certifications also point out future willingness to study more difficult topics. For an ambitious governance program, CISSP, CISM and CISA will help you to form a baseline for all team members. Usually engineers do not have time to study for exams during regular business hours; as usual they are busy with something else. The certifications signify the time they have spent for their job with a sacrifice of their personal time. That is dedication. When I ask any of my engineers, “Can you get this certification because I need it in my team” (e.g. for an RFP), the answer usually gives an idea about how well my team is aligned with the short and long term goals. I have seen so many engineers with excellent skills in what they do in daily operations, but most of them lacked a solid grasp of strategic initiatives. Interestingly, I found out that the engineers with several certifications have a tendency to be more efficient on strategic projects. I don’t buy the line “I develop my skills when needed...” Studying for certifications is better than surfing Slashdot.

I do have all of those certifications. I leverage them in several different ways.
a) First of all, everybody speaks the same jargon. I have been working on enterprise security for more than 12 years and it has never been easier to tell an audience about the CIA triad.
b) As Javed put it, certifications allow me to access specific resources through portals, e.g. I really like what I get out of the ISACA portals. Mailing lists are another plus.
c) They help a lot in customer facing engagements. I do have more than 10 of them; when customers notice the work behind those certifications we do pass the initial “Does this guy know anything?” phase.
d) Certifications bring discipline; all of them come with specific experience requirements and continuous learning prerequisites, so it is better than not having them.
e) In many of the contracts, RFPs and assessments these certifications became an individual baseline, like SAS70 and ISO 27001 for organizations; it is useless to get into the “we do not believe in certifications” discussion.

That being said, here is what I think about those specific certifications:
CISSP: As everybody says, the scope is as broad as a sea, but the depth is 2 inches. It is a very useful certification for people who are getting into the information security field from other disciplines. If a regular information security guy has a problem with getting it, that is a red alert. I usually make it a prerequisite for managers, network and system engineers. It even works for sales people if your core practice is security.
CISA: This was a very good exam. The curriculum is good. It gives instant access to years of audit experience. The COBIT framework is nice. I use the information I gained from this certification daily. I recommend it for everyone.
CISM: Another good solution from ISACA. It is a good start for governance, and a basic overhaul of information security for managers. This is recommended if you are getting into information security management.
There are also other frameworks like ISO 27001 and ITIL which are very helpful. For hands-on, GIAC certifications are nice but I still recommend vendor certifications for hands-on, such as Cisco and Check Point... regards, - yinal ozkan”

How can a company measure risk and security levels?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ..., I have just answered a similar question. Every industry has a specific risk level definition. There are several frameworks to manage and measure risk. Once risk is measured, the controls are applied accordingly. It is not like a predefined black book of security levels that dictate security controls in most of the risk systems. These levels are relative, so the safeguards are not expected to be the same. For risk management options check FRAP, FIRM, OCTAVE, DRAM, CRAMM, NIST 800-30, ISO 27005 and ISACA; these are the initial ones that come to mind as a framework. The most suitable ones would be based on your environment, operation and resources. Check the following URL:
http://www-t.zhwin.ch/ui/swp/documents/risk_assessment_approaches_f_136894.pdf
For measurement and metrics: I do recommend following the ISO 27004 framework for information security measurement and metrics. ISO 27004 is still in draft; you can also use a British Standards Institute (BSI) document, BIP0074. ISO requires well defined processes and an Information Security Management System (ISMS). This duo will ease your job to measure the effectiveness of information security. Let me know if you have a specific question, regards, - yinal ozkan”

Does anyone know of a good Unix security auditing tool? (for DoD projects)

“Hi, When you are looking at DoD audits, it is better to follow their documents. The Security Technical Implementation Guides (STIGs) from DISA (the Defense Information Systems Agency) of the DoD list a lot of tools for these audits. For Unix audit, the recommended tool is System iNtrusion Analysis & Reporting Environment (SNARE). This toolset is open source and licensed under the GPL (SNARE: http://sourceforge.net/projects/snare/). The full Unix STIG is at http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf and this guide lists several other security tools recommended by DoD. That being said, I agree with the other comments; there are a lot of low cost tools that you can utilize (starting with syslog parser scripts). Let me know if you have a specific question, cheers, - yinal”

Where does Information Security belong?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ...., In the corporate world there is a discussion about the Information Technology department. I think IT departments will soon become Business Technology Support departments... Information Security has multiple branches. It makes sense to segregate the operations and the security management parts. Information Security Operations definitely belongs to Information Technology. Corporate information security goals must be carried out via information security operations groups. I work with several Fortune 100 companies and this infosec operations organization type looks like the trend. On the other side, I do think that the information security policy/assurance should not be an independent discipline, nor must it be related to information technology: the right place for information security is where it belongs, enterprise risk management, so that all security risks including information security can be analyzed and managed in a holistic way. Today's complex IT infrastructure makes it impossible to segregate information security from the rest of the operational risks. For me it makes sense to have an independent "Risk Management" discipline to oversee all threats. That being said, information security based risks will form one of the core disciplines in risk management. Regards, - yinal”

Information Risk Tools - what do you use?

Your answer was selected as Best Answer
Your Public Answer:
“Hi ...., You may capture vulnerability data with vulnerability assessment scanner tools (network scanners like Foundstone, ISS, eEye, Qualys, Nikto, N-Stalker, LANguard, or application testers like SPI Dynamics WebInspect, AppScan, Cenzic, or database security scanners, code analysis etc. The list goes on; I recommend the following presentation for the taxonomy: http://www.owasp.org/images/f/ff/AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt ) But at the end, the vulnerabilities gathered from scanning make up just one part of the information systems risk picture; you need to add other risks derived from vulnerabilities of policies, people, access control, authorization, audit, physical security, BCP/DR, HR, capacity management, compliance requirements etc. in addition to the risk data you collect from vulnerability scanning tools. These risks should also be scaled in either a quantitative or a qualitative way based on your business requirements (value, business impact). As you have stated, the more important task is prioritization and classification. You need to map the vulnerability data with the asset inventory and the business based risks. For this you need a methodology for risk management. FRAP, FIRM, OCTAVE, DRAM, CRAMM, NIST 800-30, ISO 27005, ISACA are the initial ones that come to mind as a framework. The most suitable ones would be based on your environment, operation and resources. http://www-t.zhwin.ch/ui/swp/documents/risk_assessment_approaches_f_136894.pdf As stated above you can use SkyBoxView (http://www.skyboxsecurity.com) for the analysis of assets and vulnerability scans. We have deployed this tool in several environments and it works great. Skybox is in the Security Risk Management category. Another option is McAfee’s recently acquired Preventsys series. (You may also check Archer, nCircle, Xacta.) For risk assessment only, any ISO 27001 toolkit or Citicus will do the job as well.
I have found the fault-tree based risk assessment tools difficult to use (like SecurITree). Let me know if you have any specific questions, Regards, - yinal ozkan”
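The mapping step that answer calls the more important task (scanner findings joined with the asset inventory and business criticality, then ranked, with non-scanner risks such as policy gaps carried in the same register), as an added example that is not from the answer or any of the named products. Hosts, finding identifiers, criticality values and the weighting are constructed assumptions; the finding IDs are placeholders, not CVE numbers.

```python
"""Added example (not from the original answer): join scanner output with an
asset inventory and rank findings by business risk rather than raw CVSS alone.
Hosts, finding IDs, criticality values and weights are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    criticality: int        # 1 (low) .. 5 (business critical), from the asset register
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    fid: str                # constructed placeholder identifier, not a real CVE
    host: str
    cvss: float             # 0.0 .. 10.0, from the scanner or an assessor's estimate
    source: str = "scanner" # "policy", "physical", "bcp" ... for non-scanner risks
    notes: str = ""


# Assumption: internal-only hosts are reachable by fewer attackers.
EXPOSURE_WEIGHT = {True: 1.0, False: 0.6}


def risk_score(finding, asset):
    """Qualitative 0..100 score: likelihood (CVSS x exposure) times business impact."""
    likelihood = (finding.cvss / 10.0) * EXPOSURE_WEIGHT[asset.internet_facing]
    impact = asset.criticality / 5.0
    return round(100 * likelihood * impact, 1)


def prioritize(findings, assets):
    """Return (ranked, unmapped).

    ranked:   findings with scores, highest business risk first
    unmapped: finding IDs whose host is missing from the inventory; an
              inventory gap is itself a risk and must not be silently dropped
    """
    by_host = {a.host: a for a in assets}
    ranked, unmapped = [], []
    for f in findings:
        asset = by_host.get(f.host)
        if asset is None:
            unmapped.append(f.fid)
            continue
        ranked.append({"fid": f.fid, "host": f.host, "owner": asset.owner,
                       "source": f.source, "score": risk_score(f, asset)})
    ranked.sort(key=lambda r: (-r["score"], r["fid"]))
    return ranked, unmapped


# Constructed sample register.
ASSETS = [
    Asset("web01", "ecommerce", 5, True),
    Asset("hr-db01", "hr", 4, False),
    Asset("kiosk07", "facilities", 1, False),
]
FINDINGS = [
    Finding("FINDING-001", "web01", 7.5),
    Finding("FINDING-002", "kiosk07", 9.8),
    Finding("FINDING-003", "hr-db01", 6.0),
    Finding("FINDING-004", "hr-db01", 8.0, source="policy",
            notes="no separation of duties for the DBA role"),
    Finding("FINDING-005", "oldbox99", 9.0),   # host absent from the inventory
]


if __name__ == "__main__":
    ranked, unmapped = prioritize(FINDINGS, ASSETS)
    for r in ranked:
        print(f'{r["score"]:5.1f}  {r["fid"]}  {r["host"]:8}  {r["owner"]:11}  {r["source"]}')
    print("not in inventory:", unmapped)
```

The highest CVSS finding lands last because it sits on a low-criticality internal kiosk, a policy gap on the HR database outranks a scanner finding on the same host, and the host missing from the inventory is reported separately rather than disappearing from the report.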

Anyone ever do any work or research regarding self-service password reset?

Q:
Hi all,

We are looking to implement a password self-reset service within our organization (for use on internal systems only). The product we are looking at uses a variety of personal questions that need to be answered before resetting the password. I was wondering if any of you have ever done any research in this area as to what would constitute an adequate level of confidence in the identity of the user. For instance, what type of questions should be asked, how many, and what percentage of correct answers are required to identify the user, etc.?

Any help you can provide would be greatly appreciated.


A: Your answer was selected as Best Answer
Your Public Answer:
“Hi ....,
We have had a similar dilemma before.
I recommend segregating initial registration from the password reset. During the initial registration the control should really be tight, since the data required has to be something that the user knows (like employee ID, mother's maiden name, etc.) that you can pull from HR systems.

We allowed only 2 failed login attempts for registration. Actually the authentication data (questions and answers) for most of the similar deployments came with the ESS portal. You may utilize the ESS database links for the initial questions.

During the initial registration end users can define their own question/answer pairs (this is the one I like). I recommend this setting if you have single sign on (where the risks are higher).

For password resets we used 2 random user-defined questions. End users who are trying to see the second question had to pass the first question. We allowed 3 failed attempts at each phase (the 4th one locks the account; the 3rd and 4th trials generate an audit trail – Remedy ticket).

As a second option you can use pre-defined questions and ask end users to fill in their answers during registration. We used predefined questions to accelerate the registration process, but this model has more risk than user defined questions and answers. We used questions like "What was your father's first car?" or "Your primary school teacher's first name". We hope that this will increase the chance of limiting access to answers (just an assumption, no real data). I do not recommend questions that are directly related to the end user's real identity (like birth date/SSN/employee ID) which can be tracked.

If you have an all-Windows environment you can use client certificates in order to build bidirectional transparent authentication before asking questions (easy to deploy on all desktops, will take time for mobile phones/PDAs). Certs will help for audit and quick termination.

Another security measure is a text message (SMS) confirmation to the user's cell phone for each failed attempt, which becomes an out-of-band control.

That being said, the real answer to your question: the numbers (number of attempts before lock) are not set for any deployment. All I can say is to use the risk assessment that you have performed before, and go through it. Let me know if you have any questions. cheers,

- yinal”
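The two-phase flow described in that answer (HR-backed registration with 2 tolerated failures, then 2 random user-defined questions where the second is shown only after the first is passed, 3 failures per phase, lock on the 4th, and an audit record on the 3rd and 4th), as an added example that is neither the product under evaluation nor the answer's own code. The HR records, questions, answers and the PBKDF2 parameters are constructed assumptions; the `seed` argument exists only to make the question choice reproducible.

```python
"""Self-service password reset flow: an added example, not a product's code.
HR records, questions, answers and the PBKDF2 round count are constructed
assumptions; the attempt limits follow the numbers in the answer above."""
import hashlib
import hmac
import os
import random
import secrets

# Constructed HR data; in a deployment this is pulled from the HR/ESS system.
HR_RECORDS = {"jdoe": {"employee_id": "E-10042", "maiden_name": "Kowalski"}}

# Constructed user-defined question/answer pairs set at registration.
SAMPLE_QA = {
    "What was your father's first car?": "Ford Anglia",
    "Your primary school teacher's first name?": "Margaret",
    "Name of your first pet?": "Biscuit",
}


def _normalize(text):
    """Case- and whitespace-insensitive form, so 'ford  anglia' still matches."""
    return " ".join(text.strip().lower().split()).encode()


def hash_answer(answer, salt=None):
    """Salted PBKDF2 so stored answers are not readable if the table leaks."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, 50_000)


class ResetService:
    REG_MAX_FAILS = 2        # only 2 failed registration attempts are tolerated
    RESET_MAX_FAILS = 3      # 3 failures per phase are allowed; the 4th locks the account
    AUDIT_FROM_FAILURE = 3   # the 3rd and 4th failures raise an audit record (ticket)

    def __init__(self, seed=None):
        # A seed makes the question choice reproducible; production uses the CSPRNG.
        self.rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
        self.accounts, self.sessions, self.audit, self.reg_fails = {}, {}, [], {}

    def register(self, user, employee_id, maiden_name, qa_pairs):
        """Tight gate: supplied data must match HR before the user may set own Q/A."""
        if self.reg_fails.get(user, 0) >= self.REG_MAX_FAILS:
            self.audit.append(("registration_blocked", user))
            return False
        rec = HR_RECORDS.get(user)
        ok = rec is not None and all(
            hmac.compare_digest(_normalize(given), _normalize(rec[key]))
            for given, key in ((employee_id, "employee_id"), (maiden_name, "maiden_name"))
        )
        if not ok:
            self.reg_fails[user] = self.reg_fails.get(user, 0) + 1
            return False
        if len(qa_pairs) < 2:
            raise ValueError("need at least two user-defined questions")
        self.accounts[user] = {"questions": [(q, *hash_answer(a)) for q, a in qa_pairs],
                               "locked": False}
        return True

    def start_reset(self, user):
        """Pick 2 of the user's questions; only the first is shown until it is passed."""
        acct = self.accounts[user]
        if acct["locked"]:
            raise PermissionError("account locked, helpdesk ticket required")
        chosen = self.rng.sample(acct["questions"], 2)
        self.sessions[user] = {"questions": chosen, "phase": 0, "fails": [0, 0]}
        return chosen[0][0]

    def answer(self, user, given):
        """Return the question to show next, 'RESET_ALLOWED', or 'LOCKED'."""
        sess, acct = self.sessions[user], self.accounts[user]
        question, salt, digest = sess["questions"][sess["phase"]]
        if hmac.compare_digest(hash_answer(given, salt)[1], digest):
            sess["phase"] += 1
            if sess["phase"] == 2:
                del self.sessions[user]
                return "RESET_ALLOWED"
            return sess["questions"][1][0]          # second question revealed now
        sess["fails"][sess["phase"]] += 1
        n = sess["fails"][sess["phase"]]
        if n >= self.AUDIT_FROM_FAILURE:
            self.audit.append(("reset_failures", user, sess["phase"], n))
        if n > self.RESET_MAX_FAILS:
            acct["locked"] = True
            del self.sessions[user]
            return "LOCKED"
        return question                             # same question asked again


if __name__ == "__main__":
    svc = ResetService(seed=7)
    print(svc.register("jdoe", "E-10042", "Kowalski", list(SAMPLE_QA.items())))
    q = svc.start_reset("jdoe")
    print(q, "->", svc.answer("jdoe", SAMPLE_QA[q]))
```

Answers are stored salted and hashed like passwords because they are reusable secrets; the audit list stands in for the ticketing integration, and an SMS notification on each failure would hang off the same failure branch.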

What logging solution do you think is nr 1?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ..., There are several "commercial" solutions to manage log data from Windows servers, network equipment, Unix servers, security devices etc. Depending on your requirements and event sources, the solutions may vary. I personally work with RSA enVision (formerly Network Intelligence), Cisco MARS, LogLogic, Q1 Labs and eIQnetworks, but there are many other solutions. A good starting point for solution space research might be: http://www.novell.com/products/sentinel/novell2074.pdf Let me know if you have any specific questions, cheers, - yinal”

This one goes to all of you security and IT personnel, what sort of security would you expect to have on a USB drive that employees use in your organi

Your answer was selected as a Good Answer
Your Public Answer:
“Hi Alon, Here are my expectations on a USB drive.
1- Device authentication: It would be nice to authenticate the hardware and the endpoint mutually before attachment. Only authorized drives should connect to authorized endpoints.
2- Policy enforcement: Ability to enforce bidirectional access control lists (ACLs) between the endpoint (e.g. PC) and the USB drive.
3- Enterprise integration: Ability to extend enterprise policies to the USB drive, such as user access management and audit trails.
4- Accountability: Ability to create logs/audit trail on the endpoint or on other central management systems.
5- Integration with other endpoint devices (e.g. central device authentication) such as media & I/O devices, CDs, DVDs, printers, modems, PDAs, scanners, RIM, iPod, Bluetooth, wi-fi security and management products.
6- Transparent encryption and remote data recovery.
7- Theft prevention, dial home and remote data erase.
8- If the USB drive supports applications, then application control is needed; only the signed/approved applications should be allowed to run on the endpoint. Integration with other endpoint security tools may be useful (e.g. desktop firewall).
9- Support for integrity checks. Ability to run AV, malicious code, and content checks before approval of data access.
10- Support for central backup/restore, esp. in transparent mode.
Let me know if you have any questions, cheers, - yinal”

SOA and Enterprise Security ?

Your answer was selected as Best Answer
Your Public Answer:
“Hi ....., I work at several large-scale sites. What I have seen is that the understanding of “SOA security” is poles apart for different groups. They all have their own version/perception of security for SOA. Usually, the project owner teams behind SOA security projects are the Enterprise Application Development groups which lead the SOA projects, and then there are enterprise information security groups which are trying to impose security requirements into the SOA components in development... We see network security groups trying to mimic some parts of the SOA security functionality at network layer appliances (like XML firewalls) instead of the applications. C-level is sometimes interested in SOA security too, usually after security (aka Gartner) conferences :).. And of course the audit groups who are trying to take their piece from the upcoming SOA project.. This heterogeneous interest group audience makes a single unified presentation difficult. As an example, the Network Security team’s understanding of anything that starts with WS-* at Layer 7 will not be very close to the developer team’s messaging standards.. I do recommend targeted discussions prior to a generic discussion so that the whole audience understands the basic requirements with the same jargon. The following Google query brings some presentations to start with: "soa security" filetype:ppt Let me know if you have any questions, Regards, - yinal ozkan”

Security Architecture frameworks?

Your Public Answer:
“Hi ......, I work with several customers regarding the same question. Unfortunately it is not possible to redirect them to a single compliance framework and get all the answers (I usually say that compliance is like religion; they all tell you to be a good person, not to lie, not to cheat, be good to your neighbor etc., but it is not exactly about how to get there). That being said, it will be wrong to accept a generic enterprise architecture framework for security like Zachman; you may get lost within the steps of the steps. Security architectures are risk driven (at least they should be), so most of the blocks in the frameworks might be irrelevant. Instead of a full framework I am following a brief methodology based on security risk management principles:
1- Build asset, documentation, architecture and resource registries.
2- Run business requirements analysis; determine what business, compliance, partners, peers and industry require; determine what is important for the target operation.
3- Run risk analysis (full-cycle: threats, vulnerabilities, safeguards, risks, impacts etc.). Use the data from the 2 previous steps.
4- Run gap analysis and compare requirements vs. risks. That usually tells where the security architecture should be.
To determine the blocks to fill in the gaps, you may use a management framework like ISO 27001, NIST, COBIT or even PCI DSS... Let me know if you have a question regarding actual implementation of the methodology, Regards, - yinal ozkan”

What are the pros and cons (client perspective) of offshore outsourcing, co-shoring and just local outsourcing?

Hi ..........., Here are the generic concerns that I get back from our clients:

Off-shore Cons:
- Lack of existing technical skills (e.g. difficult to find people with a certain skill set like Check Point firewalls, Juniper VPN solutions)
- US Customer dissatisfaction for the accent (for voice ,e.g., telesales, helpdesk)
- Security concerns for the data
- Political instability
- High turnover rate for the employees (in India)
- Poor management skills (problem in China)
- Legal concerns

Off-shore Pros:
- Cost
- Solid technical education (you can hire MS degree engineers out of 1500 applicants per position in India for a call center; in the US the best pool you have is the high school graduates)
- Good practices (most of the outsourcing providers have ISO 27001, CMM L5, ITIL etc) bring good quality
- Ability to scale up easily
- Good execution

Secure FTP, campus and cross border solution ?

Your answer was selected as Best Answer
Your Public Answer:
“Hi ...., When the European Commission Data Protection directives and other regulatory requirements are considered, it becomes a nightmare to transmit even 1 single file (it goes to legal first :) Here is a bad start: http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm Better one @ Crypto Law Survey http://rechten.uvt.nl/koops/cryptolaw/ I personally keep a long list of privacy requirements per country.. On the technical side sftp and scp based solutions work just fine, but what you need is:
1- Policy based file transfers
2- Full/extensive audit trails of transfers
3- Policy based data-leakage management
4- Easy integration with existing user directories
5- Secure data life-cycle management (deleting files after a certain period)
Solutions vary based on your scope; if you will transfer files intra-company, it will be easier to enforce policies on both ends. With 3rd party file transfers, you can only enforce rules on your premises. Keep in mind that a simple SSL based web site can regulate secure file transfers and you can use all the over-the-counter security solutions (like authentication, data leakage, audit, policy etc.). You may check the following vendor web sites to dig through commercial solutions that may help you to accelerate your project: I have seen our customers developing their solution with the PGP Command Line toolset, or using Forum Systems Presidio gateway products for regulatory compliance. There are also products from Accellion and Tumbleweed to control/audit secure file transfers. All these vendors offer several whitepapers. cheers, - yinal”
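The first, second and fifth requirements in that list (policy based transfers, a full audit trail, and deleting files after a period), as an added example that is neither the answer's nor any named vendor's code. It stages files in a temporary directory instead of pushing them over sftp, and the data classifications, destination country codes and the 30-day retention window are constructed assumptions.

```python
"""Added example (not the answer's or a vendor's code): the policy, audit-trail
and retention controls of a file transfer gateway, run against a temporary
directory so it works offline. Classifications, country codes and the
retention window are constructed assumptions."""
import os
import tempfile
import time
from pathlib import Path

# Constructed policy: which data classification may be sent to which country.
# "*" means any destination; personal data is confined to the listed EU destinations.
TRANSFER_POLICY = {
    "public": {"*"},
    "internal": {"DE", "FR", "US"},
    "personal": {"DE", "FR"},
}
RETENTION_DAYS = 30   # assumption: staged copies are deleted after 30 days


class TransferGateway:
    def __init__(self, staging_dir):
        self.staging = Path(staging_dir)
        self.audit = []          # every allowed, denied and purged transfer is recorded

    def _log(self, **event):
        event["ts"] = time.time()
        self.audit.append(event)

    def transfer(self, filename, classification, dest_country, user):
        """Allow or deny one outbound transfer according to TRANSFER_POLICY."""
        allowed = TRANSFER_POLICY.get(classification, set())   # unknown class: deny
        decision = "allowed" if ("*" in allowed or dest_country in allowed) else "denied"
        self._log(action="transfer", result=decision, file=filename,
                  user=user, classification=classification, dest=dest_country)
        if decision == "denied":
            return False
        # Stand-in for the actual sftp/scp push: stage the file locally.
        (self.staging / filename).write_text(f"constructed payload for {filename}\n")
        return True

    def purge_expired(self, now=None):
        """Delete staged files older than RETENTION_DAYS; each deletion is audited."""
        now = time.time() if now is None else now
        removed = []
        for path in self.staging.iterdir():
            age_days = (now - path.stat().st_mtime) / 86400
            if age_days > RETENTION_DAYS:
                path.unlink()
                removed.append(path.name)
                self._log(action="purge", file=path.name, age_days=round(age_days))
        return sorted(removed)


def demo():
    """Run the three controls end to end and return what an auditor would check."""
    with tempfile.TemporaryDirectory() as workdir:
        gw = TransferGateway(workdir)
        results = [
            gw.transfer("payroll.csv", "personal", "US", "alice"),   # cross-border: denied
            gw.transfer("payroll.csv", "personal", "DE", "alice"),   # allowed
            gw.transfer("brochure.pdf", "public", "JP", "bob"),      # public: anywhere
            gw.transfer("notes.txt", "unclassified", "DE", "bob"),   # unknown class: denied
        ]
        # Age the brochure artificially by 45 days, then run the retention job.
        stale = Path(workdir) / "brochure.pdf"
        past = time.time() - 45 * 86400
        os.utime(stale, (past, past))
        removed = gw.purge_expired()
        return {
            "results": results,
            "removed": removed,
            "remaining": sorted(p.name for p in Path(workdir).iterdir()),
            "denied": [e["file"] for e in gw.audit if e.get("result") == "denied"],
            "audit_events": len(gw.audit),
        }


if __name__ == "__main__":
    print(demo())
```

The decision is logged before the file is touched, so a denied transfer leaves a trace even though nothing was sent, and an unknown classification falls through to deny rather than allow.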

A client of mine has asked me to "rightsize" their IT Infrastructure. What SPAM filtering solution do you use and why?

“...., I work with various solutions in the market. Let me try to categorize the e-mail anti-spam solutions by architecture:
1- Gateway level solutions: Usually an inline server catches the spam traffic at your infrastructure before it hits your e-mail servers (in your case MS Exchange). The advantage is that your server resources are not hit by spam processing.
2- Server level solutions: You can deploy the anti-spam solution on your mail gateway. The spam will be filtered before it hits the user mailboxes.
3- Hosted anti-spam services: This is the world of software as a service :). You may simply redirect your mail traffic to a service provider (e.g. Postini, MessageLabs, Frontbridge). This solution filters spam even before it hits your internet pipes. SMTP traffic (so MX records) is redirected to a service provider so all the mail is filtered before it is redirected to your site. These services are managed solutions; you do not need software or a gateway, everything can be handled on the provider side.
4- Client level solutions: Spam is filtered at your e-mail client application (e.g. Outlook, Eudora, Thunderbird). This solution is cost effective for individuals and very small shops, but it is not an infrastructure solution.
That being said, there are several quality factors that you may check to find the right sized solution:
1- Is your operation subject to any compliance requirements?
2- What is the OPEX for the planned anti-spam solution?
3- What are the end-user interface requirements (categorization, white/black lists)? How flexible is the management interface?
4- Do you require anti-virus integration? Do you require encryption support?
5- What kind of notification systems do you need for spam? Reporting requirements?
6- How many messages do you receive per day? Do you have latency requirements? Do you have/require SLAs?
7- Do you have high availability requirements?
And the list goes on.
We work with many of the gateway solutions, and we offer and use a hosted solution, which works for our operation. If you have any questions I would send the names and the resources for your research, let me know. regards, - yinal”

What is your experience with Visa 3DES Compliance?

Your answer was selected as Best Answer
Your Public Answer:
“Hi ...., You mentioned 2 different programs. The first one is the Visa Authenticated Payment Program, the 3-D Secure protocol. 3-D Secure (a.k.a. 3-Domain Secure) is a Visa program for "card not present" internet transactions. In the US a similar program exists under the "Verified by Visa" name. As far as I know there are no compliance requirements for 3-D Secure. The intent is to decrease the fraud rate with extended authentication. More information is available at: http://partnernetwork.visa.com/pf/3dsec/main.jsp On the other side, all payment brands formed an organization called the Payment Card Industry Security Standards Council (PCI SSC) to enforce a higher level of standards for safe handling of sensitive information. The standard is called PCI DSS (Data Security Standard). Any organization that stores, processes, or transmits cardholder data is subject to 12 main requirements in the latest PCI DSS 1.1 standard. Compliance requirements vary by scale, operation type and geographical region. The best starting point is: https://www.pcisecuritystandards.org I have been involved in actual audits, so let me know if you have any specific questions. Regional payment brand web sites are good for getting local requirements (e.g. Visa, Mastercard). cheers, - yinal”

Architecture for Employee & Manager Self-Service Applications?

“Hi .., By all means you have an aggressive project. The scope makes it very difficult to address all questions with a simple architecture/tool set. Of course big "me too" shops (IBM, Microsoft, Oracle, CA etc.) can address all areas when certain consulting hours are included in the scope :) Architecture-wise, data stores, directories, messaging, existing application integration tools, security, content/portal management and HR/Finance back office all matter. As you know, the correct answers lie in your current resources and investment. If you have an all-Microsoft IT/HR shop, you may choose SharePoint with plug-ins and BizTalk for SOA (cost effective). Or if you have SAP for SRM, HR, etc. then SAP is the right path; or if you have TIBCO for SOA there is your integration; same for IBM and the WebSphere family, or the Oracle family. Any radical, from-scratch project will require a detailed requirements analysis to say anything that will make sense... The rest is just an educated guess. That being said, on the ESS/MSS side, it makes sense to check whitepapers from CA and IBM (Tivoli) identity management solutions with HR systems plug-ins. On the integration side TIBCO, webMethods, IBM and Microsoft have good papers. I believe search and navigation can be added to your data/metadata deployment solutions and can be added later (Autonomy, Engenium, Google etc.). On content management the following ppt is a good start: http://media.skybuilders.com/IASummit/CMfIA/Busch.ppt I believe all change/request/KB systems can be integrated as well. The key is to use the shared common datastore (DB). On sales centric organizations I recommend adding CRM data to these solution sets as well. regards, - yinal ozkan”

Is there anyone working on payment security mechanisms (especially in the payment card industry) in India at the moment?

“Hi ..., Visa runs a program called "Payment Application Best Practices" to assist software vendors in creating secure payment applications. The list of global companies and their India branches who are working on payment security algorithms can be a good starting point; the Qualified Payment Application Security Company (QPASC) List is accessible at: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_payment_applications.html In India the following companies might be interesting to check: http://www.technoparkcorp.com/ http://www.epayments.in http://www.transecute.com/ regards, - yinal”

How can I index Words documents like CVs into an Access db to effectively manage thousands of them ?

Your answer was selected as Best Answer
Your Public Answer:
“Hi Massimo, 5 years ago I worked on a similar project (I used RevSolutions Inc.’s ResumeBreaker). The best option for parsing resumes in MS Word or other formats is using XML parsers. There are several tools in the market that extract CV data and convert it to XML. There is actually a standard around it: www.hr-xml.org. Checking tools around this standard will help for specific document types like CVs. You can achieve your goal by using an HR-XML certified tool or a component like REX from Resume Mirror (http://resumemirror.com/downloads/pdfs/Resume%20Mirror%20REX%20Product%20Datasheet.pdf). The following link explains the idea: http://www.cambridgedocs.com/resources/whitepapers/id35.htm You may easily import XML formatted data into Access databases. But if all you want is just indexing, then a simple search engine will do the job (e.g. Google). Complex correlation requests and document types require complex tools; you may check http://www.engenium.com/, http://ixmatch.com/ixfind.html or even http://autonomy.com for requirements like matching job requests with existing resumes. But these tools are really expensive. Other names: http://burning-glass.com/resumeparsing.html http://www.daxtra.com cheers, - yinal”

The ideal managed security service provider?

Your answer was selected as a Good Answer
Your Public Answer:
“The answer has a business and a technical dimension. On the business side, the managed security services provider (a.k.a. MSSP) must determine the target market correctly. Services differ from country to country, from sector to sector. An ideal MSSP should be addressing the target markets’ concerns. I will not elaborate more about it and focus on the technical side. Here are the initial check marks on an ideal MSSP:
1) Information security know-how of existing workforce. People matter; the engineers who will be handling complex operations are a key element. Check retention rate, average years of INFOSEC experience, certifications, network know-how etc.
2) 3rd party security certification. Customers give the keys of all of their assets to the MSSP. MSSPs must be audited and tested by 3rd parties regularly; check for ISO 27001, SAS-70 or similar certifications.
3) Redundancy and resilience. MSSPs must have more than 1 security operation center; all of your data cannot be risked in a single location. Operation of customers' business should not be affected by a failure of any single component on the MSSP side.
4) Privacy concerns. Make sure that the MSSP understands privacy as well as security. Verify regional privacy requirements.
6) Support for a large set of over-the-counter security appliances. Most of the MSSPs can only support a small subset of security devices; this will limit the functionality at the customer side.
7) Event correlation engines and algorithms. Security Event Management is a key feature. Verify that the MSSP can correlate alerts among multiple systems, brands, locations etc. This is a very complex business when billions of alerts are received.
8) Device management capability. It is not just remote monitoring; sometimes MSSPs need local presence at customer premises. Large scale MSSPs do not rely on central management consoles and develop their own customer premises equipment. These devices allow log collection, local alert correlation, backups, out-of-band access, power control, dial-backup, bare metal installs etc. MSSP CPE allows 1 single connection from the MSSP to the customer instead of hundreds of punches on external firewalls.
9) Vendor relationship. If the MSSP is managing an information security appliance, there will be times where strong vendor support is required; make sure that the MSSP has the highest vendor partnerships and the maximum number of product certified engineers.
10) Portal. All customer facing operations should be available on the portal with extensive reporting. Access must be controlled with strong authentication. The portal should have its own application server to increase functionality and speed (instead of a database interface).
11) 7X24X365 multilingual phone support. Ability to create tickets and requests via alternative channels (the portal should not be the only interface).
12) Rock solid Service Level Agreements (SLAs). SLAs must be detail oriented and they should cover all the corners. There must be clear response times, availability promises, escalation procedures. A charge back schema is essential when SLAs are not met.
13) Change Management, Problem Management, Incident Management, Configuration Management and other major tasks must be well documented, and the MSSP must supply these services for the customers.
14) Compliance support. If the target markets require compliance, the MSSP should offer a packaged solution (e.g. PCI).
15) Dedicated technical account manager (TAM). Customers should not be talking with a new face when they have questions. Customers need a technical contact who understands their resources, network, requirements etc.
16) Solid QA process. Quality of the services must be monitored by an independent QA process.
17) Integration with 3rd parties. The MSSP should be able to communicate with customer hosted or internet hosted services, like compliance packages, risk management systems, SMTP security providers, DR services etc. (truncated by LinkedIn)”

Where to start in a BS 7799 certification project?

Your Public Answer:
“Hi ..., I would recommend checking ISO/IEC 27001:2005 since BS 7799 has been superseded by the ISO 27001 series. There are several sources on the Internet for implementing, managing and auditing information security management systems, but the quality varies based on your requirements. I would check Google with the following keywords: "ISMS, Statement of Applicability, PDCA, ISO 27001:2005" As a beginner's guide I liked the content in the following presentation: http://www.fvcme.com/fvc/fvcweb/Files/ISO27001%20Introduction.pdf I have access to several other resources; let me know if you have specific questions.”

How do you feel Mr. IDS ?

Your answer was selected as a Good Answer
Your Public Answer:
“Gartner’s response is a very usual one for an analyst who reads the specifications of the products and then comes up with a "research" conclusion. Well, the reality in the hands-on world is different. If you start shopping today, you will not be able to find an IDS/IPS product effective over 5Gbps. (I should say even 2Gbps, the real full duplex gigabit pipe, is very difficult with mixed traffic types.) Today enterprise deployments move firewall systems closer to the core, next to the server farms. We are looking at multiple aggregated gigabit channels to enforce information security policies. Firewalls by nature look at the headers of the packets, and if they detect a pattern they simply allow traffic; this accelerates the traffic. On the other hand, application level firewalls and IDS/IPS systems need to look at the full payload of the traffic; they need to understand the application and detect threats, and this process is slow. Did you ever see an application in the middle of the core routers? If Gartner is right it will be Gartner’s firewalls. If everybody enables IDS/IPS features on firewalls, they would be either investing 10 fold in infrastructure or they would be slowing their network severely. Dedicated IDS/IPS systems are designed to handle full packet analysis fast; firewalls aren’t. I am working with almost all of the major firewall vendors and if the production environment is mission critical we always recommend dedicated/best of breed IDS/IPS solutions.

On the other hand, if you are looking at a T1/E1 internet pipe, the whole picture changes; it makes sense to use an integrated appliance, not just the firewall and the IDS but maybe URL filtering, AV, QOS etc. in a single device. This category is called unified threat management (UTM) and there are several vendors in this space.

There is another argument in the architectural design of firewalls and IPS systems. Firewalls are the security gateways; they are designed to fail closed upon failure/overload. IPS systems on the other hand are not the security guards, they are the intrusion alarms; they are usually deployed in a fail-open design unless a heavy investment is done in IPS high-availability. Mixing these 2 approaches on a single platform may require revamping of operational procedures. Last but not least, ask Check Point about the NFR acquisition, or ask Nokia why there is a different IPSO platform for Sourcefire, or ask Juniper why there is a dedicated blade for IPS, or ask Cisco why their ASA box cannot run full mode with IPS features, or check with Cisco on how many IPS blades you need on a 6509 to secure 8 gigabit ports, or check with Fortinet about IPS enabled performance numbers, or listen to the sad story of why Microsoft does not have the IPS features on ISA :)”

Which URL Filtering products and configurations have given you the least operational headaches?

Your answer was selected as Best Answer
“If you choose Blue Coat as the base platform you may have flexibility in URL filtering solutions. Websense is the 800-pound gorilla in URL filtering; on the other side, Blue Coat's own Web Filter system works really well (cost effective too). Blue Coat supports ALSI, SmartFilter, Websense, SurfControl, and ISS as 3rd party URL filtering databases.”

Security metrics ?

“Hi ..., We have several customers working on implementing security metrics. Success is relative. Yes, they all see a dashboard of figures but I am not sure if the results are mature enough. The metrics are relative and not global, so they are not comparable as they are in the manufacturing sector (hopefully ISO 27004 will close the gap; it is still in draft, or you can get (BSI) BIP0074; these are the best guidelines). But if you need a quick fix, for the beginning you can use the SEM dashboards integrated with manual data from other systems (such as AV, door access etc.). That is a very quick/practical kickstart. Integrating a basic report into your ISMS will require constant updates. Another option is to use a 3rd party monitoring service like an MSSP. This way you can get your metrics predefined and compared with global trends. This is an easy start as well. I cannot share the specifics of how our customers feel on metrics, but you can use the public domain information about security metrics. I am reading the book from Andrew Jaquith - Security Metrics - 2007 from Addison Wesley. I think it is a good start. I do recommend it. There is also an 800-pager from Auerbach, "Complete Guide to Security and Privacy Metrics", but I did not read it. Let me know if you have a specific question, Regards, - yinal ozkan”

I'm an information security professional in the United States. How do I get involved with reviewing and commenting on draft national and international

“Hi ..., I had the same question a while ago. Here is the answer: In the US, the InterNational Committee for Information Technology Standards has a web site where you can join the working groups, including the U.S. Technical Advisory Group to ISO/IEC JTC 1, SC 27 (SC 27 drafts the ISO 27000 series). The web site address is: http://www.incits.org/”

Where should Information Security report in a modern organization and why?

“Hi ..., This is one of the hot topics we come across at enterprise-level customers. I think IT departments will soon become Business Technology Support departments (after all those "aligning IT with the business" discussions)... Information security has multiple branches. It makes sense to segregate the operations and the management branches for information security. Information security operations definitely belong to the Information Technology (Business Technology Support) groups. In terms of reporting, that goes to the CIO. Corporate information security goals must be carried out (executed) via information security operations groups. I work with several Fortune 100 companies and this "InfoSec Operations" organization type looks like the trend. On the other side, I do think that information security policy/assurance should not be an independent discipline, nor must it be related to information technology: the right place for information security management is where it belongs, enterprise risk management (GRC), so that all security risks, including information security, can be analyzed and managed in a holistic way. Today's complex IT infrastructure makes it impossible to segregate information security from the rest of the operational risks. For me it makes sense to have an independent "Risk Management" discipline to oversee all threats. That being said, information security based risks will form one of the core disciplines in risk management, and security must report to the Chief Risk Officer. Let me know if you need more cases for the options listed above. Regards, - yinal ozkan”

Are you using a security product to manage or block the storage of confidential data on endpoint devices (USB drives, CD burners, etc.)?

“Hi ...., Your question has multiple layers. As you have underlined, the options are:

1- Solutions that block endpoint ports (USB drives, CD, media bays etc.)
2- Solutions that can encrypt removable media
3- Solutions that can enforce policies on endpoint ports
4- Solutions that can tag data as internal only

For questions 1-3, the endpoint security vendors can provide answers for most of the requirements. You are probably familiar with the solutions, but you can crosscheck SafeBoot, Utimaco, Pointsec (Check Point), PGP, Promisec, Centennial, Fiberlink, Safend, SecureWave and Smartline. If you want to tag data, I would recommend the DRM tools. Active DRM deployment for critical data will confine your data to internal systems. In theory, tagged data will be useless on USB or CD when the DRM system is not present. (I haven't deployed a large scale DRM system so far.) We have deployed PGP and Pointsec in several locations (in the thousands on some occasions) as a part of disk encryption initiatives.

My personal belief is to minimize the total number of security clients on endpoints; endpoints are not like enterprise security systems where we can deploy 10 different tools. Patch management, firewall, IPS, VPN client, application control, backup, web filtering, AV, encryption, port control, the list goes on. This (multiple clients) is the biggest reason for a "no go" for an endpoint security solution. Lack of understanding of application deployment on endpoints, compatibility with specific operating systems, and integration with other central management tools were the other problems I have seen. I would check clientless solutions through policy control for USB and CD based device control. Promisec is an interesting approach... Or I would go with a single vendor that can answer many endpoint needs. If you have a specific question, let me know, regards, - yinal ozkan”

How can Risk Management be promoted and highlighted in a company?

“Hi .., This is a tough question... There are multiple facets of a correct approach, and unfortunately there is no silver bullet... First of all, let's underline the options which create a negative opinion of information security in upper management:

1- Many managers assume that security (and the security budget) is overrated. If the information security team is perceived as "exaggerators", all credibility is lost. Being honest and realistic is the best way. Never choose the FUD play. Instead be the down-to-earth, cost-saving person. Tell them how hard you are trying to cut costs, and the risks that you are accepting as a company.
2- As stated in other answers, if the source of the security initiatives is the internal team members, credibility and the adoption of risk management principles are lower. Trusted 3rd parties always work... For example, if you invite a C-level exec to a security workshop or a security conference, the executive will probably be in defensive mode about accepting new ideas, since all events will be considered "brain-wash" sessions. Instead, security information should come from unexpected 3rd parties at an SOA conference, on the golf course, in a Green Data Centers whitepaper, or in the Wall Street Journal... This makes the real effect. Management should feel like they have figured out the importance of security.
3- Security is not a problem, and naturally when you present it as a problem it is not positive. Security is a part of the business process: you have your assets to run your business, and you have some risks that may affect your assets... Security should be presented as a base for running the business. You have a delta between your existing risks and safeguards; how you answer to close the gap between risks and safeguards is a management decision. It is not a problem, but all key stakeholders should understand their responsibilities...
4- Underline the other benefits. Security may certainly be a competitive advantage, as a sales tool. Think about millions of manufacturing companies with ISO 9001 certifications... This is not just because these manufacturing companies believe in quality management... Risk management can certainly be a sales tool when used properly. Any growth-oriented organization will recognize the benefits of a "Risk Aware" certified operation. Or talk about documentation... Verify if you had any documentation before the security initiatives, and the merits of good documentation.
5- Play the ugly side... Ask how much was spent on security and try to measure improvement. If your organization does not have a security management program, they are probably not measuring security; that means they don't know what they are spending money on... Ask the question, why are they spending money? Ask them to stop spending completely because it is nonsense... Or ask them to build a security management program where they can measure and improve security. The moment your organization starts measuring, all parties will understand what is at stake and where the money is going... That is a good highlight...
6- Sometimes it is not all about security, or security risks. Talk about availability... In today's world, we are connected, the security infrastructure is interconnected and it is usually inline... Poor interest in information security not only means breaches but downtime... Downtime is hard cash dollars lost. Underline risks, and underline how these risks can be mitigated.
7- Don't use poster statistics like the FBI survey, or TJ Maxx. They already know about it. As the key information security stakeholder, start sending out managed-risk memorandum of understanding letters to other stakeholders. Tell them that as a cost-cutting feature you are accepting the risk of ..... And ask for a sign-off. Tell upper management that in order to save money tactically, accepting risk is their best option. Also discuss the strategic options like controlling the risk in a structured approach. Compare benefits.”

How do you get your employees to spend less time browsing the web?

“Hi .., Employee internet access control is the keyword. For IT tools, I do recommend a combination of a forward proxy and a URL filter for the beginning. Proxies are big brothers, and they do intercept every internet connection when deployed right. You can control all internet access, and authenticate and log users based on their directory credentials... The best known proxies are Squid as free software, Microsoft ISA as a Windows solution and Blue Coat as an appliance. Of course there are several other variants (esp. for IM control there are specific IM proxies). On the URL filtering side, the idea is to categorize internet addresses by a combination of a database list and dynamic identification methods. For example you may block gambling and web mail sites, but allow shopping sites. SmartFilter, 8e6, Websense, Webwasher, ISS Proventia, Optenet, ALSI Intersafe, and DAJ iFilter are the known vendors. Also many firewall vendors deliver integrated URL filtering solutions (e.g. Fortinet, Juniper, and Cisco). Proxied traffic can be tuned to manage the bandwidth allowed per application/site/user. It is also possible to enforce a mandatory user splash page for every login that explains the policies... Time-based policies are also very useful; on the proxy or the firewall, you can allow internet access rules based on time. I usually allow unlimited access over the weekends and off-hours.

Logging is another key point. If the employees know that all connections are logged they will spend less time on web surfing. First make sure that you have a published monitoring and logging policy and every employee receives a copy. If every internet connection is authenticated then you can get your logs per user (instead of per IP address). Publishing the top users on the intranet is a very effective/harsh way of curbing unnecessary Internet use... Once upon a time, I cut traffic several-fold without applying any filter; the only change was publishing the internet access logs on the intranet.

The options are limitless in logging (from storing every keystroke, to recording full internet sessions for replay). If you do not control endpoints (like group policies on Windows clients), some tech-savvy users will find a way to bypass controls; in these cases, if your budget allows, using an inline SSL decryptor will be very useful. I tried to focus on IT tools, but if you have any specific question on any of the topics, or on governance of employee internet access, please let me know, regards, - yinal ozkan.”
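As an added example (this is not code from the original post or from yinal ozkan), the following Python script shows the two mechanics the answer above leans on: aggregating an authenticated forward proxy's log per directory user rather than per IP address (the "top users" list that would be published on the intranet, plus a check for requests that reached the proxy unauthenticated), and a time-based access policy that denies some categories during working hours but allows them in the evenings and at weekends. It assumes Squid's native access.log format (timestamp, elapsed, client, code/status, bytes, method, URL, user, peer, MIME type). The log lines, the host-to-category table, the working-hours window and the UTC timezone are constructed for the example and stand in for a real URL-filter database and a real policy.

```python
"""Per-user web usage report and time-based policy check over Squid native access.log lines.

Added example, not part of the original post. The sample log, the category table and the
working-hours window below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid native format:
#   <unix_ts> <elapsed_ms> <client_ip> <code>/<status> <bytes> <method> <url> <user> <peer> <mime>
# Timestamps: 1188381600 = Wed 2007-08-29 10:00 UTC, 1188648000 = Sat 2007-09-01 12:00 UTC.
SAMPLE_LOG = """\
1188381600.123    234 10.1.2.3 TCP_MISS/200 51234 GET http://www.example-shop.com/cart alice DIRECT/93.184.216.34 text/html
1188381700.001     87 10.1.2.3 TCP_HIT/200 8120 GET http://news.example.org/ alice NONE/- text/html
1188382000.500   1400 10.1.2.9 TCP_MISS/200 902311 GET http://video.example.net/clip.flv bob DIRECT/203.0.113.7 video/x-flv
1188648000.000    300 10.1.2.9 TCP_MISS/200 40211 GET http://video.example.net/clip2.flv bob DIRECT/203.0.113.7 video/x-flv
1188382100.000     10 10.1.2.44 TCP_DENIED/407 0 GET http://webmail.example.com/ - NONE/- text/html
1188382200.000    120 10.1.2.3 TCP_MISS/200 12000 GET http://www.example-shop.com/checkout alice DIRECT/93.184.216.34 text/html
"""

# Stand-in for a URL-filter category database (assumption for this example).
CATEGORY = {
    "www.example-shop.com": "shopping",
    "news.example.org": "news",
    "video.example.net": "streaming",
    "webmail.example.com": "webmail",
}
BLOCKED_DURING_WORK = {"shopping", "streaming"}   # allowed off-hours and at weekends
ALWAYS_BLOCKED = {"webmail"}


def parse_line(line):
    """Parse one native-format line into a dict; return None for malformed input."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts, size = float(f[0]), int(f[4])
    except ValueError:
        return None
    url = f[6]
    # CONNECT requests log "host:port" without a scheme; everything else is a full URL.
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return {"ts": ts, "client": f[2], "code": f[3], "bytes": size,
            "method": f[5], "url": url, "user": f[7], "host": host or "-"}


def per_user_report(log_text):
    """Aggregate requests and bytes per authenticated user; collect unauthenticated hits separately."""
    users = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set()})
    unauthenticated = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] == "-":
            # With authentication enforced these should only be 407 challenges; anything
            # else here means a client got through without a directory identity.
            unauthenticated.append(rec)
            continue
        u = users[rec["user"]]
        u["requests"] += 1
        u["bytes"] += rec["bytes"]
        u["hosts"].add(rec["host"])
    return users, unauthenticated


def top_users(users, n=10):
    """Rank users by bytes transferred: (user, bytes, requests), largest first."""
    rows = ((name, d["bytes"], d["requests"]) for name, d in users.items())
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:n]


def is_work_hours(ts, tz=timezone.utc):
    """Mon-Fri 09:00-18:00 in the given timezone (constructed policy window)."""
    dt = datetime.fromtimestamp(ts, tz)
    return dt.weekday() < 5 and 9 <= dt.hour < 18


def policy_decision(host, ts):
    """Return 'allow' or 'deny' for a host at a given time under the constructed policy."""
    cat = CATEGORY.get(host, "uncategorized")
    if cat in ALWAYS_BLOCKED:
        return "deny"
    if cat in BLOCKED_DURING_WORK and is_work_hours(ts):
        return "deny"
    return "allow"


def would_be_denied(log_text):
    """Replay the log against the policy: (user, host) pairs the policy would have blocked."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] != "-" and policy_decision(rec["host"], rec["ts"]) == "deny":
            hits.append((rec["user"], rec["host"]))
    return hits


if __name__ == "__main__":
    users, unauth = per_user_report(SAMPLE_LOG)
    for name, nbytes, nreq in top_users(users):
        print(f"{name:10s} {nbytes:>10d} bytes {nreq:>4d} requests {sorted(users[name]['hosts'])}")
    print("unauthenticated requests:", len(unauth))
    print("would be denied under policy:", would_be_denied(SAMPLE_LOG))
```

Run it as-is to see the ranked list and the replay; point `per_user_report` at a real access.log to get the same report for production traffic, and replace `CATEGORY` with a lookup against whichever URL-filter database is in use.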