________________________________________________

THE ISO17799 NEWSLETTER - EDITION 10

__________________________________________________

Welcome to the tenth issue of ISO 17799 News, designed to keep you abreast of developments and news with respect to ISO17799 and information security. The information within the newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents. Included in this edition are the following topics:  

2)  Implementing ISO17799 in Your Organization

3)  Security Awareness: ISO17799 Section 4

5)  Introducing an Effective Email Security Policy

6)  Hacked Websites

7)  Security News

9)  ISO17799: a World Wide Phenomenon

10)  Introducing a Disaster Recovery Team Into Your Organization

12) Preparing for an Information Security Audit

15) It Couldn't Happen Here.... Could It?

16) Contributions

17) Subscription Information

IMPLEMENTING ISO 17799

=====================

It is becoming increasingly critical that information security is given the attention and level of importance it deserves. Most organizations are now totally dependent upon their information and business systems, so much so that serious disruption to those systems and the business information they contain can mean disaster or critical loss.

ISO17799 is the only internationally accepted worldwide standard/code dealing comprehensively with these issues.  Purchasing this standard is a good first step, but as the standard is by necessity a comprehensive and therefore a fairly complex document, guidance is often necessary to help organizations decide where to start and what priorities should be applied to the implementation process.

The ISO17799 Toolkit was of course introduced to solve many of these issues in one step.  As well as containing both parts of the standard, it also includes a full set of compliant policies ready for implementation, a road map for potential certification of the organization, an audit kit for network based systems, a business impact analysis questionnaire together with many other supportive items (eg: a disaster recovery kit, a management presentation and an IS glossary).  This toolkit represents extremely good value as it can enable organizations to commence work with the introduction of vital security aids without reference to expensive external consulting resources.

However, even armed with a support kit like this, it is important to understand that the key to the standard is PROCESS... the creation and maintenance of a robust ISMS. This is occasionally overlooked, as some organizations simply adopt a tick list from the first part of the standard (ISO 17799). This is certainly a good stride forward, but is by no means the end of the journey.

When first considering the standard, therefore, it should be understood that the path forward will certainly include enhancement and improvement of security, but it will largely be driven via the creation and maintenance of information security management systems and supporting procedures.

SECURITY AWARENESS: ISO17799 SECTION 4

====================================

Most security breaches occur at ground level, through employees making mistakes or inadvertently revealing information. It is ironic therefore that so many organizations do not have a comprehensive awareness program in place, perhaps missing the obvious and focusing upon the more stimulating high-tech threat instead.

Security should ideally be part and parcel of company culture. To meet this objective however requires determination, support from the top, and a properly planned and comprehensive awareness program. 

This program should include a range of different aspects. To assist, we list some of the most common below:

- A Security Newsletter. This is an important vehicle and can include both news and information in a topical context. Please feel free to extract from this newsletter for inclusion.

- A 'Roadshow'. Security personnel regularly give presentations to senior management and staff on current threats and issues.

- The Screen Saver. Why not use it for security related messages?

- Posters. Use them and replace them often.

- Hijacking Training. If your organization produces internal courses for staff on other topics, make sure that the security angle is covered.

- Video/DVD. If you have the budget, produce and distribute.

- Cheap gifts. Pens, key fobs, and coffee mugs bearing a security message may seem tacky, but they work.

- Competitions. Security crosswords, puzzles and problems, with a suitable prize for the winner.

Some of these may well be seen as mundane. But in the final analysis, threats are usually far more likely to materialize through lack of awareness than through complex cyber crime.

INTRODUCING AN EFFECTIVE EMAIL SECURITY POLICY

==========================================

Email security breach is becoming an increasingly significant threat to organizations around the world. To counter this, most organizations will already have a firewall and anti-virus software in place. Hopefully, as new viruses are found daily, they have made sure that their virus protection is also updated on a daily basis.

Viruses, of course, can sometimes penetrate the firewall by hiding within emails. Once opened, the virus can spread and cause significant damage to internal systems. The virus may not always be serious enough to cause permanent damage but, even with moribund viruses, the disruption may well take time and money to rectify.

Despite these risks, there is no escaping the fact that e-mail is rapidly becoming the principal means of business communication. Draconian restrictions on use are therefore not tenable. However, rigid application of stringent security policy certainly is.

The following high level best practice statements should be adhered to as a basic minimum

• Personnel should understand the rights granted to them by the organization in respect of privacy in personal e-mail transmitted across the organization’s systems and networks. Human Resources Department should incorporate a suitable wording into employee contracts to ensure that this privacy issue is fully understood.

• Confidential and sensitive information should not be transmitted by e-mail - unless it is secured through encryption or other secure means.

• Personnel should not open emails or attached files without ensuring that the content appears to be genuine. If you are not expecting to receive the message or are not absolutely certain about its source, do not open it.

• Personnel should be familiar with general e-mail good practice e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organizational value should on the other hand be regularly purged or deleted from your system.

From these, it is recommended that more specific corporate requirements are produced and implemented.

HACKED WEBSITES

================

Fact: Every day of every week dozens of corporate websites are hacked and defaced. This statement may surprise some people, but it does illustrate that this problem is extremely large scale and the threat is very significant. Even on the very day this item is being written, well known sites owned by Lycos and the European Union have been defaced.

A future edition of this newsletter will therefore investigate this issue in some depth. We will explore some of the more high profile attacks, and offer advice on what to do to minimize risks... and recover should you become a victim.

In the meantime, if you ever wondered what drives these people, Zone-H  reports the following (from a substantial sample):

Heh...just for fun!   35%                      

No reason specified   19.2%                            

I just want to be the best defacer 12.5%                      

As a challenge        11.7%                   

Patriotism            10.5%                      

Political reasons      9.2%                     

Revenge against that website    1.9%

They also report that over half of successful hacks exploit either configuration errors, or un-patched systems: which are very basic security issues!

SECURITY NEWS

=============

-  Security Focus reports that charges have been filed against a Florida man known as 'The-Rev', for his alleged role in the high profile 'Deceptive Duo' hacking team. The 'Deceptive Duo' are responsible for defacing a significant number of government and corporate websites.

- Currently, of course, we have ISO17799 and BS7799-2. However, efforts are currently on-going to convert BS7799-2 to an ISO document as well (ISO17799-2). We hope to provide an update on this in the next issue.

- At time of publication a security alert has been issued regarding a new fast spreading worm, the 'Sasser' worm. This already has several variants and threatens to achieve similar notoriety to previous attacks last year (eg: Blaster). Now seems a pretty good time to update those anti-virus definition files.

ISO17799: THE WORLD WIDE PHENOMINON

===================================

Our source list for recent purchases of the ISO17799 standard always proves to be a popular talking point. The up to date version of the most recent thousand or so is as follows:

Argentina 3

Australia 18

Austria 9

Barbados 2

Belgium 14

Bermuda 3

 Brasil 11

Brunei 1

Canada 101

Chile 7

China 5

Colombia 6

Costa Rica 1

Croatia 2

Cyprus 3

Denmark 16

Egypt 5

Estonia 1

Faroe Islands 1

France 19

Germany 55

Gibraltar 1

Greece 5

Guatemala 1

Hong Kong 12

Hungary 4

Iceland 1

India 12

Indonesia 5

Ireland 27

Isle of Man 1

Israel 2

Italy 36

Jamaica 2

Japan 10

Jordan 2

Korea 1

Lebanon 2

Luxembourg 2

Malaysia 8

Malta 1

México 22

Netherlands 39

New Zealand 5

Norway 19

Peru 1

Philippines 2

Poland 3

Portugal 6

ROMANIA 2

Russia 4

Saudi Arabia 9

Singapore 15

Slovak Republic 1

Slovenia 3

South Africa 11

Spain 23

Sweden 11

Switzerland 48

Taiwan 5

Thailand 2

Tunisia 1

Turkey 3

UK   379

United Arab Emirates 5

USA 588

Venezuela 2

The same health warnings apply as usual: these are online credit card sales from a single source. As a consequence, those cultures that are less familiar with this form of commerce will be under represented.

INTRODUCING A DISASTER RECOVERY TEAM

========================================

Even for small enterprises, it is often necessary to establish a Disaster Recovery Team to handle the initial stages of an emergency situation. Certainly, it is essential for larger corporations.

The Disaster Recovery Team should be made up of a group of specialists who have previously been nominated as being able to assist in dealing with the initial emergency.  These will not necessarily be the same persons who are members of the Business Recovery Team.  Although the configuration of the DRT will depend upon the type and severity level of the emergency, and the nature of the organization itself, the following personnel may need to be involved depending upon the circumstances:

•           Key members of Senior Management

•           Personnel Manager

•           Premises of Facilities Manager

•           Fire and Safety Officer

•           Premises Maintenance Staff

•           IT technicians

•           Communication technicians

•           Security staff

•           Information Security Officer

The Disaster Recovery Team (DRT) is responsible for working with the emergency services to clear the initial emergency crisis situation, in order that the Business Recovery Team is able to start their activities.  The DRT itself will only be able to start their own recovery activities once the emergency services have given permission for these duties to commence.  During the initial emergency, the DRT will normally make themselves available to provide assistance to the emergency services, as appropriate.

Nominated members from the DRT should actually be ‘on-call’ or available at all times, and should ensure that their contact details are known. All members of the DRT should maintain an up-to-date copy of the BCP in a secure location off-site, and each member should also be issued with special equipment such as torches, hard hats, gloves, overalls, hand held dicta-phones and mobile phones to use in such emergencies.

These initial preparations can of course make all the difference to the outcome of the disaster situation, and at the very least, will create a sound platform for the Business Recovery Team.

PREPARING FOR AN INFORMATION SECURITY AUDIT

===========================================

For an Information Security audit to be effective it must be planned and have adequate preparation. A common purpose of conducting the audit is to enable the Information Security Officer (or the person who is responsible for the security of information) to measure the level of compliance with the organization’s Information Security Policies and associated procedures.

At the highest level, the Information Security Officer should initially prepare an audit program which ensures that all key risk areas are audited and reviewed on a regular basis. The greater the threats, and the higher the risk or probability of an Information Security incident, the more often the audit should be conducted.

Once the risk area to be audited has been selected, the Information Security Officer should prepare a list of the INFORMATION that needs to be collected to carry out the audit.

As an example, if the audit chosen is regarding the Portable Computing Facilities, the documents to be considered for review are:

• Insurance documents.

• Hardware register.

• Software register.

• User Profile.

• Network Profile.

• Issue form.

• General terms of use.

• Removal of equipment authorization.

The Information Security Officer will also decide on which PERSONNEL need to be audited and arrange an interview schedule. In the same example, the following personnel would be audited:

• The issuers of portable computers.

• A sample of the user population who use portable computers.

• Ancillary staff.

As with many tasks, pre-planning is sometimes seen as a necessary evil, and there is temptation to shortcut. However, in most cases, there is little doubt that the quality of the planning is likely to go a long way in determining the quality of the audit.

IT COULDN'T HAPPEN HERE....OR COULD IT?

=======================================

Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences. This issue considers genuine cases illustrating different threats from WITHIN the organization:

1) The Disgruntled Employee

An organization in the US fired an employee who had been known to be less than happy in his work and had been causing problems for management through a variety of activities.  Unbeknown to the organization, this employee had made a copy of the main client database for himself and therefore had access to sensitive information.

Shortly after the employee was dismissed, major customers started receiving offensive material purportedly being sent by the organization itself. The ex-employee used a simple open SMTP server to simulate the organization's email addresses. Customers immediately started to move away from the organization and even when they were informed that this material had been maliciously sent to them by a previous employee, they remained unimpressed with a company that had so little security in place. 

The organization quickly went out of business, paying a heavy price for not having sufficient control over employee access to sensitive information.

2) Intellectual Property Rights

A firm in London developed a range of new products mainly by utilizing the services of one of its employees who was particularly skilled at these activities.  Once these products had been developed, they were successfully marketed by the firm and a good revenue stream emanated from this new business area.

Unfortunately, the firm had not considered protecting the intellectual property rights of work undertaken during the employee’s time with them and it was subsequently successfully sued by the employee who had authored the products, and who then claimed ownership over the intellectual property rights contained within them.

The lesson to be learned here is that employees' contracts should clearly state the ownership of any work developed for the company during his/her employment.  This agreement should be signed by the employee to signify acceptance of these terms and conditions prior to undertaking this type of work.

3) Who Audits the Auditor?

A large financial company thought they had security in the bag. Their security department was active, and involved in most activities of the Group. It had a reputation for being on top of new technology, and had an aggressive audit schedule, with all sensitive applications and projects being regularly audited.

What a pity they got a fundamental principle so badly wrong! As the Group's security area they had full access to security settings, and administered access control for key applications. As auditors they audited the same. That was the crunch.

The same individuals who set security levels and granted access to information resources, also audited them. A classic case of insufficient segregation of duties.

In one sense they were lucky. The incident which brought this to light was petty. The individual in question could not resist the temptation to adjust his overtime figures on the payment database. He inflated the figures by several hundred dollars, each month, for several months. He was caught because someone else on his team spotted his payslip (which he had left inside his briefcase, which he left open!) and knew instinctively that he had not been working long hours in recent weeks and therefore that the salary figure was far too high.

It could, however, just as easily been an accounting database he adjusted, or a number of financial databases, and the company could have been facing a substantial and embarrassing loss.

The golden rule of course is that auditors usually need only read access to audit, and not update.