<?xml version="1.0" encoding="UTF-8"?> <rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" ><channel><title></title> <atom:link href="http://www.jurinnov.com/feed" rel="self" type="application/rss+xml" /><link>http://www.jurinnov.com</link> <description></description> <lastBuildDate>Mon, 07 May 2012 07:30:24 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <item><title>Public Cloud Security Concerns Remain after Recent Study</title><link>http://www.jurinnov.com/cloud-security</link> <comments>http://www.jurinnov.com/cloud-security#comments</comments> <pubDate>Thu, 03 May 2012 09:50:13 +0000</pubDate> <dc:creator>JurInnov</dc:creator> <category><![CDATA[InfoSec Blog]]></category> <category><![CDATA[Cloud Computing]]></category> <category><![CDATA[information security]]></category> <category><![CDATA[malware]]></category> <category><![CDATA[Public Cloud]]></category> <category><![CDATA[Security Audit]]></category><guid isPermaLink="false">http://www.jurinnov.com/?p=3558</guid> <description><![CDATA[Eric Vanderburg Public clouds have been greatly promoted as an approach for organizations to reduce information technology (IT) costs and increase technology flexibility and scalability.  Cloud computing allows smaller organizations to employ IT services that would previously have been too expensive to implement due to high up-front infrastructure costs.  
Companies can implement IT solutions faster [...]]]></description> <content:encoded><![CDATA[<p><a title="Eric Vanderburg" href="http://www.jurinnov.com/leadership/eric-vanderburg" target="_blank">Eric Vanderburg</a></p><p>Public clouds have been greatly promoted as an approach for organizations to reduce information technology (IT) costs and increase technology flexibility and scalability.  Cloud <a class="lightbox" title="Cloud-Computing-Security" href="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2012/05/Cloud-Computing-Security.jpg"><img class="alignright size-medium wp-image-3561" title="Cloud-Computing-Security" src="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2012/05/Cloud-Computing-Security-300x300.jpg" alt="" width="300" height="300" /></a>computing allows smaller organizations to employ IT services that would previously have been too expensive to implement due to high up-front infrastructure costs.  Companies can implement IT solutions faster in a public cloud because they do not have to spend time creating and configuring the technology environment.   Larger organizations, already familiar with remote computing operations, gain flexibility and scalability by utilizing cloud services or implementing private clouds to consolidate IT resources.</p><p><span id="more-3558"></span></p><p>A public cloud, sometimes known as Infrastructure as a Service (IaaS), provides computing resources such as processing power, memory and storage to clients in the form of a virtual machine.  The details on the infrastructure hosting this virtual machine may be a “black box” to the customer similar to the Internet.  When you sign up for Internet access, you are provided with a line and bandwidth but you do not know how that service is provided to you, what route your data may take, and so forth.  
Similarly, when renting public cloud space, you are provided with a virtual machine but you do not know the specifics of what is involved in providing it to you.</p><p>It may be difficult and somewhat unsettling to provide one organization with control over data and systems that are critical to another organization’s success.  Nonetheless, there is constant pressure to reduce IT costs by moving to public cloud services while still exercising due diligence in selecting a secure and reliable cloud provider. With the emergence of large companies like Microsoft and Amazon entering the public cloud marketplace, many major companies have felt more comfortable moving to the cloud.</p><p>However, the security of the public cloud is still passionately debated.  Recently, concerns of public cloud security arose with the release of <a title="Assessing Cloud Node Security Whitepaper" href="http://www.contextis.com/research/white-papers/assessing-cloud-node-security/Context-Assessing_Cloud_Node_Security-Whitepaper.pdf">findings </a>from an investigation into four cloud service providers, Amazon, Gigenet, Rackspace and VPS.  Revelations of the above findings have focused on the following issues.</p><p><strong>Intra-server security and vulnerabilities</strong></p><p>Cloud computing offers customers computing resources generally in the form of virtual machines for rent at generally lower costs than the organization would incur by hosting the servers in-house.  Companies can achieve considerable savings through economies of scale.  The rented computing resources are just a portion of the available resources hosted by the provider as much of the infrastructure is shared between clients of the provider.  This model presents potential security risks to cloud computing clients if the rented space is not adequately separated from other customers.  Inadequate separation could give an attacker, who has compromised one client in the cloud, access to other clients.  
Attackers could also rent space in the cloud and then use that space as a base of attack on neighboring clients.</p><p><strong>Location concerns</strong></p><p>Another risk of sharing cloud space is that the actions of shared clients on a public cloud could indirectly impact fellow users if servers that host multiple clients are blacklisted, thus, causing unavailability to multiple clients due to the actions of one in the cloud. In addition to this potential problem are the concerns about where the servers are actually located geographically.  The laws in one country may differ greatly and the cloud network may be subject to international laws.   There may be limitations on whether data can or should cross international boundaries and contract terms may be less enforceable in another country.</p><p><strong>Data backups, restoration, and portability</strong></p><p>Backup protocols may also present challenges to businesses moving their IT structure to a public cloud.  Backup sets, rotations and off-site storage are all managed by the cloud provider. Thus it becomes important to understand how the backups work, how reliable the service is, and how long restores are expected to take.  Recovery time is extremely important when essential data is missing from a production system.  It is also important to understand whether backup sets can be moved to another provider or to in-house operations if the contract with the cloud provider is terminated.  Backup operations are often conducted across many clients at once so it may not be possible to extract historical backup data for a specific client from the cloud.</p><p>The report found intra-server vulnerabilities &#8211; that data on other clients’ storage was accessible through shared disks and networks. The study was able to access other clients’ virtual disk drives which should have been inaccessible as well as access data from other client systems on the network.  
These providers did not adequately secure the storage of data and networking resources offered to their clients, thus, leaving them open to a data breach or attack.   The virtual machines were housed on systems running outdated <a title="Critical Security Considerations for Server Virtualization" href="http://www.jurinnov.com/critical-security-considerations-for-server-virtualization">hypervisor </a>software that was vulnerable to attack.</p><p><strong>Evaluating a Public Cloud Provider</strong></p><p>When evaluating a public cloud provider, consideration of the following security concerns may be utilized to determine if a potential vendor has the essential cloud security measures in place.</p><ul><li>How soon are patches applied to hypervisors after they are released?</li><li>How often are vulnerability scans initiated on cloud equipment?  What is the average <a title="Leveraging Vulnerability Scoring in Prioritizing Remediation" href="http://www.jurinnov.com/leveraging-vulnerability-scoring-in-prioritizing-remediation">vulnerability remediation</a> time frame?</li><li>Are systems periodically audited?  
What were the results of the last audit report?</li><li>Is an intrusion prevention system in place?</li><li>Has an incident response plan been created and are response team members familiar with incident response procedures?</li><li>Are access requests to resources logged and monitored?</li><li>How are <a title="Teaching Users to Spot Malicious Programs" href="http://www.jurinnov.com/teaching-users-to-spot-malicious-programs">viruses and malware</a> prevented?</li><li>Is server hardening performed on virtual servers before being issued to customers?</li><li>Are firewalls implemented between customers?</li><li>Is hard drive encryption available?</li><li>With which security standards such as <a title="Information Security Compliance: ISO 27000" href="http://www.jurinnov.com/iso-27000-certification-history-overview">ISO27000</a>, <a title="Information Security Compliance: PCI-DSS" href="http://www.jurinnov.com/information-security-compliance-pci-dss">PCI </a>or <a title="Information Security Compliance: HIPAA" href="http://www.jurinnov.com/information-security-compliance-hipaa">HIPAA </a>does the potential vendor comply?</li><li>What <a title="JurInnov eDiscovery Services" href="http://www.jurinnov.com/solutions/ediscovery-services-electronic-discovery-cleveland-ohio">data recovery procedures</a> are in place for client systems and what is the recovery time objective?</li><li>What method is provided for client management of servers?  How is access to the management interface authenticated and controlled?</li></ul><p>In addition to the above questions, consider running a <a title="JurInnov Security Audit Information Security Consulting" href="http://www.jurinnov.com/solutions/information-security-consulting-cleveland-ohio-information-security">security audit</a> on the virtual node prior to using it to verify that the above questions are sufficiently answered.  
The selection of a cloud provider should be based on the security parameters that are provided and the implementation of necessary security controls.  The recent study demonstrated that security cannot be assumed even when large, reputable companies are involved.  Therefore, it is important to ensure that a cloud provider has these security controls in place by asking questions such as the ones in this article.</p><p><strong>For further reading</strong></p><p><a href="http://www.contextis.com/research/white-papers/assessing-cloud-node-security/Context-Assessing_Cloud_Node_Security-Whitepaper.pdf">Assessing Cloud Node Security White Paper</a></p><p>&nbsp;</p> ]]></content:encoded> <wfw:commentRss>http://www.jurinnov.com/cloud-security/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Environmentally Conscious Security: Painting Information Security Green</title><link>http://www.jurinnov.com/environmentally-conscious-security-painting-information-security-green</link> <comments>http://www.jurinnov.com/environmentally-conscious-security-painting-information-security-green#comments</comments> <pubDate>Thu, 16 Feb 2012 10:29:30 +0000</pubDate> <dc:creator>JurInnov</dc:creator> <category><![CDATA[InfoSec Blog]]></category> <category><![CDATA[Security Architecture]]></category> <category><![CDATA[Security Awareness]]></category> <category><![CDATA[Virtualization]]></category><guid isPermaLink="false">http://www.jurinnov.com/?p=3024</guid> <description><![CDATA[Eric Vanderburg Historically, ecological concerns have been significant drivers for change.  Topics ranging from global warming to protecting various species carry a strong emotional appeal, thus, motivating business and personal change with the ultimate goal of protecting the environment.  
These environmental initiatives have been termed “green initiatives” and they impact IT in the form of [...]]]></description> <content:encoded><![CDATA[<p><a title="Eric Vanderburg" href="http://www.jurinnov.com/leadership/eric-vanderburg" target="_blank">Eric Vanderburg</a></p><link href="https://plus.google.com/108334547066666118131" rel="author" /><p><strong><a href="http://www.jurinnov.com/environmentally-conscious-security-painting-information-security-green"><img class="alignright size-medium wp-image-3025" src="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2012/02/InfoSecurityGreen-221x300.jpg" alt="Information Security Green" width="221" height="300" /></a></strong></p><p style="text-align: left;">Historically, ecological concerns have been significant drivers for change.  Topics ranging from global warming to protecting various species carry a strong emotional appeal, thus, motivating business and personal change with the ultimate goal of protecting the environment.  These environmental initiatives have been termed “green initiatives” and they impact IT in the form of “green computing.”  The popularity of the green computing initiatives stems not only from environmental concerns but also from a financial concern. A primary goal of many green computing initiatives is to reduce power consumption as this has a direct impact on the bottom line.</p><p><span id="more-3024"></span><br /> This article addresses three green computing initiatives and identifies information security action items associated with each initiative. Information security is a concern when programs such as these are implemented.   These initiatives are important because information security is easier to sell if it’s green.</p><p><strong>Setting</strong></p><p>Green computing is not necessarily new.  
In the early 1990’s, the Environmental Protection Agency (EPA) and the Department of Energy created the Energy Star program that defined, among other things, efficiency requirements for computers.  Restrictions have also been placed on how computing equipment, such as monitors and uninterruptible power supplies, can be disposed of.</p><p>Recently, a great deal of government spending has been focused on green initiatives.  In 2009, the American Recovery and Reinvestment Act (ARRA) provided $70 billion towards green initiatives including developing more efficient energy use for equipment and software and creating more effective IT cooling solutions. $47 million of that money was allocated to the datacenter energy consumption and efficiency programs.</p><p>You might be thinking, “the environment is great and all but my company doesn’t really care about that.”  It is of little consequence if your company is concerned with the environment or not because it has been proven that green computing saves money.  Power is expensive and these costs continue to rise, thus, making green computing an easy sell.</p><p><strong>Is it Green?</strong></p><p><strong>Software Efficiency and Green Computing</strong></p><p>Software efficiency is important to green computing because as equipment consumes less power, machines can be configured to go into a power saving mode resulting in less power being required to perform the same operations.  This initiative saves fossil fuels through the conservation of energy.</p><p>Information security practitioners are also concerned with software efficiency because the possible outcome of combining resources provides hackers with fewer options for malicious use. 
Advocates of consolidation and reduction efforts can claim that these are not only information security initiatives but also green initiatives.</p><p><strong>Virtualization and Green Computing</strong></p><p>Virtualization, in computing, is the creation of a virtual (rather than actual) version of a device, such as a hardware platform, operating system, a storage device or network resources which makes it possible to consolidate many machines onto fewer platforms.   This is especially advantageous when legacy systems can be consolidated onto newer hardware platforms.  Legacy systems often do not incorporate the latest advances in power technology and thus, are less efficient to maintain.  If these systems are virtualized, fossil fuels can be saved through more efficient power management on the newer hardware.</p><p>For information security practitioners, virtualization brings an array of advantages and disadvantages.  It can be a great option for improving security, especially availability and business continuity.  However, unless information security personnel are involved in the process and proper controls are tailored to the virtual environment, it may create more security risks than benefits.</p><p><strong>Terminal Based Computing (Thin Computing) and Green Computing</strong></p><p>Terminal based computing is another technology that can reduce the amount of energy consumed by workstations.  Because most of the processing power is consumed on the server side where the terminal sessions are managed, the workstations can be very basic machines that require little power to operate.</p><p>Terminal based computing provides advantages to the security architecture of a company because more control can be applied over the actions taken on the terminal based environment than in decentralized client server models.  The disadvantage to information security is that the terminal environment can introduce a centralized point of attack and point of failure for an environment. 
Thus, additional controls may be needed to ensure availability of the terminal servers and confidentiality and integrity of the information contained on such systems.</p><p><strong>Summary</strong></p><p>This article looked at software efficiency, virtualization and terminal based computing to emphasize their inherent green computing advantage, allowing information security professionals to present the additional value of these initiatives to decision makers.  These options are not just a safe choice; they are a green choice too.</p> ]]></content:encoded> <wfw:commentRss>http://www.jurinnov.com/environmentally-conscious-security-painting-information-security-green/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>A Certified Lack of Confidence: The Threat of Rogue Certificate Authorities</title><link>http://www.jurinnov.com/the-threat-of-rogue-certificate-authorities</link> <comments>http://www.jurinnov.com/the-threat-of-rogue-certificate-authorities#comments</comments> <pubDate>Thu, 09 Feb 2012 11:40:00 +0000</pubDate> <dc:creator>Eric Vanderburg</dc:creator> <category><![CDATA[InfoSec Blog]]></category> <category><![CDATA[Access Controls]]></category> <category><![CDATA[Configuration Management]]></category> <category><![CDATA[Phishing]]></category> <category><![CDATA[Security Awareness]]></category><guid isPermaLink="false">http://www.jurinnov.com/?p=3007</guid> <description><![CDATA[Eric Vanderburg For more than a decade, computer generated digital certificates have made it possible to authenticate the identity of computer systems, data, and web sites by connecting a public key with an identity such as an owner’s name.  The process relies on trust.  “Secure” websites utilize such a certificate to validate their identity.  
This [...]]]></description> <content:encoded><![CDATA[<p><a title="Eric Vanderburg" href="http://www.jurinnov.com/leadership/eric-vanderburg" target="_blank">Eric Vanderburg</a></p><link href="https://plus.google.com/108334547066666118131" rel="author" /> <a href="http://www.jurinnov.com/the-threat-of-rogue-certificate-authorities"><img class="alignright size-medium wp-image-3009" title="Threat of rogue certificate authorities" src="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2012/02/Threat-of-rogue-certficate-authorities-300x198.jpg" alt="Threat of rogue certificate authorities" width="300" height="198" /></a></p><p>For more than a decade, computer generated digital certificates have made it possible to authenticate the identity of computer systems, data, and web sites by connecting a public key with an identity such as an owner’s name.  The process relies on trust.  “Secure” websites utilize such a certificate to validate their identity.  This digital certificate is usually procured from a company that will verify the identity of the company administrating the site.  The digital certificate issued to them will be validated by a trusted root certificate authority or by a server that is trusted by the trusted root.  This chain of certificates is called a certificate hierarchy.  A small group of trusted certificate authorities is installed on computers within the operating system.  These authorities include such names as Equifax, VeriSign and Thawte.  So what happens when the system breaks down?</p><p><span id="more-3007"></span></p><p>Last year a series of attacks took place against certificate authorities resulting in the issuance of many rogue certificates. These attacks began with a SQL injection attack against Comodo’s GlobalTrust and InstantSSL databases resulting in the issuance of rogue certificates for addons.mozilla.org, login.skype.com, login.live.com, mail.google.com, google.com, and login.yahoo.com.  
This was followed by an attack on DigiNotar where over 500 rogue certificates were issued including some wildcard certificates such as *.google.com which allowed the certificate to be used for any google.com site.  In response, DigiNotar was removed from the trusted list so that all the certificates it had issued were no longer valid.</p><p>Rogue certificates allow attackers to create illegitimate sites that are indistinguishable from real sites like eBay, Google or PNC because their certificate hierarchy can be validated.  Users then will be redirected to such sites through phishing or “man in the middle” attacks where a compromised host in-between the user and a legitimate site sends traffic to an illegitimate site instead.</p><p>Some viruses have used rogue certificates to make their content seem legitimate.  For example, fake AV, some Zeus variants, Conficker and more recently, Stuxnet and Duqu have used rogue certificates.  The threat of rogue certificates is so crucial that McAfee lists rogue certificates as one of their 10 <a href="http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2012.pdf">threat predictions for 2012</a>.</p><p>In the wake of attacks on certificate authorities, security professionals are speculating whether there are other certificate authorities that are compromised but do not yet know it.  The containment action against DigiNotar was extreme but necessary given the scope of the compromised certificates.  A significant disruption of e-commerce could result if other root certificate authorities need to be similarly revoked.</p><p>There are several ways companies can protect their users from the damage caused by the use of rogue certificates.  The most important action that can be taken is to install browser patches as soon as they are released because updates to root certificate authorities will be distributed through these patches.  
In order to do this, revisit your <a href="http://www.jurinnov.com/solutions/information-security-consulting-cleveland-ohio-information-security" target="_blank">patch management policy</a> to determine optimal patch deployment intervals and minimize the amount of time machines are vulnerable to attacks.</p><p>Similar to server hardening and other security techniques that <a href="http://www.jurinnov.com/solutions/information-security-consulting-cleveland-ohio-information-security" target="_blank">limit asset exposure</a>, an examination and subsequent reduction of the number of trusted certificate authorities is important in assuring safe computer usage.  Some certificate authorities are region specific, thus, they can be removed if sites in those countries are not utilized.</p><p>It is important to configure the Internet browser to check for certificate revocations.  Certificate revocation lists are maintained by certificate authorities who list the certificates that should not be trusted anymore.  Depending on the browser’s settings, it may be accepting revoked certificates.  Make sure the browser is set to treat certificates as invalid if the <a href="http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol" target="_blank">Online Certificate Status Protocol (OCSP)</a> connection fails.</p><p>Firefox addons such as <a href="https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/">CertPatrol</a>, <a href="http://convergence.io/">Convergence</a> or <a href="https://addons.mozilla.org/en-US/firefox/addon/perspectives/">Perspectives</a> routinely check certificates against a collection of network notaries or against a locally stored database of certificates to further  validate certificate credibility.  These add-ons warn users when the certificates are different from those recorded elsewhere.  
A change in a certificate is no guarantee that the certificate is a rogue certificate but it is a warning sign that the certificate is potentially rogue.</p><p>Attacks in recent years have shown that the certificate trust relationship can be exploited to be used to impersonate legitimate sites and services.  The best way to assure actual service is to maintain current computer browser and operating system patches.  In addition to keeping patches current, reduce your potential exposure to rogue certificates by limiting the number of certificate authorities you trust and enforce certificate revocation checking.</p><p>For more information:</p><p><a href="http://www.securelist.com/en/blog/208193111/Why_Diginotar_may_turn_out_more_important_than_Stuxnet">Why Diginotar may turn out more important than Stuxnet</a></p><p><a href="http://www.networkcomputing.com/security/231600852">Certificate authority hack points to bigger problems</a></p><p><a href="http://www.techrepublic.com/blog/security/compromised-certificate-authorities-how-to-protect-yourself/6521">Compromised certificate authorities: How to protect yourself</a></p><p><a href="http://www.networking4all.com/en/ssl+certificates/ssl+news/time-line+for+the+diginotar+hack/">Timeline for the DigiNotar hack</a></p> ]]></content:encoded> <wfw:commentRss>http://www.jurinnov.com/the-threat-of-rogue-certificate-authorities/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Risk Homeostasis: Is Risk Reduction a Pipe Dream?</title><link>http://www.jurinnov.com/risk-homeostasis-information-security</link> <comments>http://www.jurinnov.com/risk-homeostasis-information-security#comments</comments> <pubDate>Fri, 03 Feb 2012 10:57:24 +0000</pubDate> <dc:creator>JurInnov</dc:creator> <category><![CDATA[InfoSec Blog]]></category> <category><![CDATA[information security]]></category> <category><![CDATA[Policy]]></category> <category><![CDATA[Risk Management]]></category> 
<category><![CDATA[Security Awareness]]></category> <category><![CDATA[Security Management]]></category><guid isPermaLink="false">http://www.jurinnov.com/?p=2993</guid> <description><![CDATA[Eric Vanderburg How often do you speed?  What is your investment strategy?  Answers to questions like these could provide insight into an individual&#8217;s level of acceptable risk.  We embrace or avoid risk, consciously and unconsciously, based on the level of risk someone is willing to accept.  This level of risk acceptance is applicable to the use of [...]]]></description> <content:encoded><![CDATA[<p><a href="http://www.jurinnov.com/risk-homeostasis-information-security"><img class="alignright size-medium wp-image-2995" title="Risk_Homeostatis_Information_Securityl" src="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2012/02/Risk_Homeostatis_Information_Securityl-300x145.jpg" alt="" width="300" height="145" /></a></p><p><a title="Eric Vanderburg" href="http://www.jurinnov.com/leadership/eric-vanderburg" target="_blank">Eric Vanderburg</a></p><link href="https://plus.google.com/108334547066666118131" rel="author" /><p>How often do you speed?  What is your investment strategy?  Answers to questions like these could provide insight into an individual&#8217;s level of acceptable risk.  We embrace or avoid risk, consciously and unconsciously, based on the level of risk someone is willing to accept.  This level of risk acceptance is applicable to the use of computers as well.  With the constant influx of new threats and the implementation of security controls, the level of risk felt by employees can fluctuate causing an increase or decrease in risk-taking behavior.</p><p><span id="more-2993"></span></p><p>The following example provides insight into risk behavior.  A new policy takes effect and all laptops are to be encrypted.  Now, it doesn’t seem like such a big security risk to leave a laptop lying around anymore since the drive is encrypted.  
After all, if someone was to take it, they wouldn’t be able to read the data, right?  However, leaving a computer unattended could result in other risks to the data, especially if the computer is left unlocked.  Common scenarios such as this undermine the overall goal of security initiatives and inhibit the reduction of expected risk.</p><p>By examining similar scenarios, Gerald Wilde postulated an interesting theory called “risk homeostasis.”  Homeostasis is the tendency toward a relatively stable state of equilibrium between interdependent elements. Risk homeostasis states that all people have a level of acceptable risk.  When risk in one area decreases to a level below their acceptable level, the individual will take riskier actions in an act of risk compensation to bring the overall risk back to their acceptable level.  This theory is by no means without its flaws and opponents.  However, some evidence for risk homeostasis can be seen in human behavior in the above scenario.  Awareness of risk homeostasis can impact a decision maker’s selection of security controls and evaluation of risk reduction.</p><p>Consider the above scenario in the light of risk homeostasis.  Employees originally were careful not to leave their laptops unattended for fear that the data on them could be lost or compromised.  This fear was diminished once encryption was added to the laptop, thus decreasing the level of vigilance.  Wilde would call this “risk compensation” and because of it, the addition of the encryption security control would not achieve the desired reduction in risk.  Few laptops were stolen before the encryption was enabled but those that were stolen often resulted in data loss.  After the encryption was enabled, a greater number of laptops were stolen but fewer resulted in data loss.</p><p>It is human nature to do only what one thinks is necessary to keep risk at an acceptable level. However, acceptable levels are not the same for everyone.  
Organizations that implement security controls do so in order to reduce risk that they see as unacceptable.  This action is an essential part of the risk management role but risk managers must also understand risk homeostasis and the impact of risk compensation in the decisions people make.</p><p>The effect of risk homeostasis may not be immediately noticeable.  Risk homeostasis is a process and thus compensating actions are gradually introduced as the value of the security control is intrinsically accepted.  Thus, it is important to <a href="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2011/12/Snapshot-Handout-P2.pdf">measure the effectiveness of controls</a> over time.  Awareness of the risk can also aid in adjusting personal risk acceptance levels to bring them more in line with organizational risk levels.  However, this can be difficult in areas where risk apathy has set in as a result of continual high levels of risk.  This scenario can be compared to the airport security alert status  in which individuals become desensitized to the risk since airport risk status is routinely at a high level.</p><p>Review the security controls implemented last year and consider these questions.  Do you feel safer or more comfortable with those controls in place?  Have you relaxed your vigilance in another area due to this feeling?  Do others in your organization feel the same way?</p><p>After planning  and implementing  security controls and spending valuable time and effort on the project, incorporate a metric to assure that these controls meet  expectations.  Address risk homeostasis by <a href="http://www.jurinnov.com/solutions/information-security-consulting-cleveland-ohio-information-security">educating employees</a> of the risks both before and after the implementation of a security control.  Reinforce this by explaining the value of existing controls and how they are needed in conjunction with newer controls.  
Lastly, measure effectiveness of overall security over time with the knowledge that security in one area may drop when another rises.</p><p><strong>For further reading:</strong></p><p><a href="http://psyc.queensu.ca/target/index.html">Target Risk: A new psychology of safety and health</a></p><p><a href="http://www.ncbi.nlm.nih.gov/pmc/articles/PMC1730348/pdf/v004p00089.pdf">Risk homeostasis theory: an overview</a></p><p><a href="http://superconductor.voltage.com/2009/01/is-risk-homeost.html">Is risk homeostasis real?</a></p> ]]></content:encoded> <wfw:commentRss>http://www.jurinnov.com/risk-homeostasis-information-security/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Is Your TV a Security Risk?  Embedded Devices May be the Next Target.</title><link>http://www.jurinnov.com/tv-security-blue-ray-internet-security</link> <comments>http://www.jurinnov.com/tv-security-blue-ray-internet-security#comments</comments> <pubDate>Thu, 26 Jan 2012 08:14:10 +0000</pubDate> <dc:creator>JurInnov</dc:creator> <category><![CDATA[InfoSec Blog]]></category> <category><![CDATA[hacking]]></category> <category><![CDATA[information security]]></category> <category><![CDATA[Patch Management]]></category> <category><![CDATA[Risk Management]]></category> <category><![CDATA[Security Awareness]]></category><guid isPermaLink="false">http://www.jurinnov.com/?p=2900</guid> <description><![CDATA[Eric Vanderburg The latest televisions and Blu-ray players are being shipped with more than high definition video and audio.  Internet access and a host of new applications are being built in to run directly on these devices.  A popular built-in feature is wireless access which enables the user to avoid plugging in an  Ethernet cable. 
[...]]]></description> <content:encoded><![CDATA[<p><a title="Eric Vanderburg" href="http://www.jurinnov.com/leadership/eric-vanderburg" target="_blank">Eric Vanderburg</a></p><link href="https://plus.google.com/108334547066666118131" rel="author" /><p><a href="http://www.jurinnov.com/tv-security-blue-ray-internet-security"><img class="alignright size-medium wp-image-2895" title="internet_tv_Blu_Ray_Security" src="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2012/01/internet_tv_Blu_Ray_Security-300x181.jpg" alt="Internet TV Blu Ray Security" width="300" height="181" /></a></p><p>The latest televisions and Blu-ray players are being shipped with more than high definition video and audio.  Internet access and a host of new applications are being built in to run directly on these devices.  A popular built-in feature is wireless access which enables the user to avoid plugging in an Ethernet cable.  Accessing the internet and your favorite apps directly from your TV is convenient.  However, what security risk does this pose?</p><p><span id="more-2900"></span></p><p><strong>Are TVs and Blu-ray Players a Security Risk?</strong></p><p>The primary question is, “Are these devices a security risk?” Examining the features of these systems and comparing them to existing systems that already have a risk profile will help answer this question.</p><p>In order to access the Internet, a device needs a browser. Currently, manufacturers have decided not to develop their own browsers but to use existing products that have proven effective on other platforms.  Some devices come equipped with a version of Opera while others utilize Google’s Chrome browser. 
Both browsers have been reasonably responsive in addressing security vulnerabilities and supporting the latest security standards.</p><p>Another feature offered by some devices is the ability to retrieve pictures, movies and music from networked computers by using Microsoft’s Windows “media extender technology.”  The default installation of the media center extender provides full access to most of the shared media on the network. This access could give a compromised television or Blu-ray player access to files on the home or office network.</p><p>Yet another consideration is the type of content that will be available on these devices.  In the past year, a large number of <a href="http://threatpost.com/en_us/blogs/new-java-vulnerability-coming-bundled-exploit-kits-112811">exploits</a> focused on Adobe Flash or Java.  Blu-ray players currently support Java in order to display content often included on Blu-ray disks, while some of the TV browsers support <a href="http://www.pcworld.com/article/215915/whats_new_with_samsungs_smart_tv.html">Flash</a> content.  Additionally, many of the applications available for these devices (like Hulu Plus) use Flash.</p><p>Internet-capable televisions or Blu-ray players are typically connected to the network for extended periods of time. This long-term connection poses another risk. These devices may be configured to automatically download or index programs for future use. Since these devices are rarely monitored and typically used throughout the day, a security breach may go unnoticed for a long period of time.</p><p>Although there have not been any reported vulnerabilities for televisions and Blu-ray players yet, do not expect it to remain this way for long.  It did not take long for cell phones to be exploited after internet access and applications were ported to them. 
Similarly, as internet-capable televisions and Blu-ray players grow in popularity, they will become a more sought-after target of hackers.</p><p><strong>So What Can You Do?</strong></p><p>Since no vulnerabilities have been published, companies have not developed security patches to prevent unwanted breaches. In reviewing recent firmware update release notes from mainstream television and Blu-ray manufacturers, none of the release notes documented fixes for security vulnerabilities.  These updates only enhanced functionality, not security.</p><p>Companies that have adopted Internet-capable devices should consider keeping them on a separate network segment.  Both home and business users can disconnect devices from the network if internet features are not needed.  By staying <a href="http://www.jurinnov.com/security-spotlight">up to date</a> on new vulnerabilities, corrective action can be taken when needed.</p><p>For added security, also consider turning off features that automatically index or download content.  This, combined with setting the device to turn fully off, will reduce the amount of time the device is potentially vulnerable each day.  When using the media center extender, consider reducing access from the default of full access to read only.  See this <a href="http://experts.windows.com/w/experts_wiki/optimizing-security-for-windows-media-center-extenders.aspx">article</a> for details on configuring tightened security for media center extenders (please be aware the article is rather technical).  Eventually, security patches for these internet-capable devices will be released just like security patches are released for software applications and operating systems.  However, unlike with computers, users are not familiar with the firmware update process and not all companies make it easy to upgrade their products. 
In the future, companies will need to develop procedures for regularly updating devices.</p><p>In conclusion, an Internet TV or Blu-ray player could be vulnerable once exploits are developed for these devices.  As the consumer usage for these devices increases, the likelihood of malicious code being developed will likewise increase.  The firmware on these devices can be upgraded but manufacturers have not released any security updates for their devices. Until manufacturers address these intrusions as they occur, the three best ways to protect a device from undisclosed vulnerabilities are:</p><ol><li>Disconnect it from the network unless it is needed to use specific Internet features</li><li>Allow the device to turn off and not download content automatically</li><li>Configure tighter security on Windows media extenders</li></ol> ]]></content:encoded> <wfw:commentRss>http://www.jurinnov.com/tv-security-blue-ray-internet-security/feed</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Stop Hoarding!  Improve Security, Efficiency and the Bottom Line through an Effective Data Retention Policy</title><link>http://www.jurinnov.com/data-retention-policy-to-stop-hoarding-data</link> <comments>http://www.jurinnov.com/data-retention-policy-to-stop-hoarding-data#comments</comments> <pubDate>Thu, 19 Jan 2012 10:27:08 +0000</pubDate> <dc:creator>JurInnov</dc:creator> <category><![CDATA[InfoSec Blog]]></category> <category><![CDATA[compliance]]></category> <category><![CDATA[eDiscovery]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[information security]]></category> <category><![CDATA[Risk Management]]></category><guid isPermaLink="false">http://www.jurinnov.com/?p=2877</guid> <description><![CDATA[Eric Vanderburg Organizations are accumulating data at a pace that would cause a hoarder to blush.  
Just like that old bicycle seat stored in the attic, data is often kept “just in case it may be needed someday.”  This practice, however, comes at a cost. Some organizations think that it is inexpensive to store data, especially [...]]]></description> <content:encoded><![CDATA[<p><a href="http://www.jurinnov.com/data-retention-policy-to-stop-hoarding-data"><img class="alignright size-full wp-image-2889" title="Data_Retention_Policy_eDiscovery_electronic_discovery" src="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2012/01/Data_Retention_Policy_eDiscovery_electronic_discovery2.jpg" alt="" width="247" height="195" /></a></p><p><a title="Eric Vanderburg" href="http://www.jurinnov.com/leadership/eric-vanderburg" target="_blank">Eric Vanderburg</a></p><link href="https://plus.google.com/108334547066666118131" rel="author" /><p>Organizations are accumulating data at a pace that would cause a hoarder to blush.  Just like that old bicycle seat stored in the attic, data is often kept “just in case it may be needed someday.”  This practice, however, comes at a cost.</p><p>Some organizations think that it is inexpensive to store data, especially with the steady decline in hard drive prices.  The fact is, however, data is expensive to keep.  Organizations spend a significant portion of time managing, archiving and securing data.  Data is housed on servers, each of which must be maintained.  Data is also archived regularly according to the organization’s backup schedule and it is audited and secured against loss.  Each of these activities consumes the time (i.e. increases the cost) for those in information management.</p><p><span id="more-2877"></span></p><p>Excessive data retention can also pose a risk to an organization in regard to compliance and electronic discovery requirements.  Personally identifiable information that is lost could result in significant fines.  
In addition, old document drafts that may not provide organizational value could still damage the organization if disclosed.  Data related to litigation is costly to obtain, organize, and produce.  Searching through an organization’s legacy data adds further complexity and cost.</p><p>For the reasons stated above, it is important to remove unnecessary data.  A structured approach is necessary to avoid the loss of important data and to provide consistency throughout an organization.  Structure can be accomplished through a data retention policy.  A data retention policy should specify how long certain types of data such as emails, documents, drafts, instant message conversations, or even voice mails should be kept and how the data will be properly disposed of.</p><p><strong>Contents</strong></p><p>At a minimum, a data retention policy should contain a scope section that outlines the types of data covered.  Examples would be tax records, personal information, business records and legal documents. In addition, the policy will need to spell out how long and in what form each type of document will be retained.  Some policies may include guidelines on removal of data &#8211; or this may be left to a data destruction policy.</p><p><strong>Retention Term</strong></p><p>One of the most difficult parts of defining a data retention policy is specifying the length of time to retain certain types of documents.  Compliance requirements may determine the minimum or maximum length of time while business requirements may stipulate other terms.  Both the compliance and business requirements will need to be considered in defining the duration. The following are some best practices and can be used as a starting point in the formation of a data retention policy:</p><ul><li>Audit documentation and associated financial documents will need to be kept for at least 7 years if there is a SOX requirement. 
The IRS requires that tax documents be retained for at least 4 years after they were due.</li><li>The list of hazardous chemicals provided by OSHA contains many substances common in the workplace and data retention policies should define how long documentation of hazardous chemical exposure data will be kept.  OSHA requires that such documents be retained for 30 years.</li><li>The Health Insurance Portability and Accountability Act (HIPAA) requires that information disclosure authorizations, patient requests, business associate contracts and other such covered documents be retained for at least 6 years from the last transaction or 2 years following the patient’s death.</li><li>Exceptions may be made to these recommendations when pending litigation or audits require an information freeze or legal hold for specific data.  In these instances, organizations will need to show that they have made reasonable efforts to prevent the destruction of discoverable information.</li></ul><p>This article discussed the need for data retention policies and outlined some regulatory requirements that should be included in business retention requirements.  An effective data retention policy can go a long way in reducing data clutter, improving organizational efficiency and reducing risk.  However, defining the policy will not be enough.  Employees will need to be aware of the policy and motivated to follow it.</p><p>For additional information on data retention as it pertains to eDiscovery, visit <a href="http://www.esibytes.com/">ESIBytes for free podcasts</a>.  
Select episodes include:</p><ul><li><a href="http://www.esibytes.com/?p=1522">Dealing with Legacy Data – What to do About ESI Messes Today</a></li><li><a href="http://www.esibytes.com/?p=1535">Records Management – An Insider’s Perspective and its Impact on eDiscovery</a></li><li><a href="http://www.esibytes.com/?p=1601">Legacy Data Issues and eDiscovery Pain</a></li><li><a href="http://www.esibytes.com/?p=2098">The 12 Days of Remediation – A Holiday Classic</a></li><li><a href="http://www.esibytes.com/?p=564">Electronic Discovery and Medical Records</a></li><li><a href="http://www.esibytes.com/?p=1068">Should we be Scared of Backup Tapes in eDiscovery?</a></li></ul> ]]></content:encoded> <wfw:commentRss>http://www.jurinnov.com/data-retention-policy-to-stop-hoarding-data/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Measuring Success with Security Metrics</title><link>http://www.jurinnov.com/measuring-success-with-information-security-metrics</link> <comments>http://www.jurinnov.com/measuring-success-with-information-security-metrics#comments</comments> <pubDate>Wed, 14 Dec 2011 12:36:19 +0000</pubDate> <dc:creator>Eric Vanderburg</dc:creator> <category><![CDATA[InfoSec Blog]]></category> <category><![CDATA[Access Controls]]></category> <category><![CDATA[Business Continuity]]></category> <category><![CDATA[Incident Response]]></category> <category><![CDATA[information security]]></category> <category><![CDATA[Information Security Metrics]]></category> <category><![CDATA[Metrics]]></category><guid isPermaLink="false">http://www.jurinnov.com/?p=2848</guid> <description><![CDATA[Eric Vanderburg Try to imagine a world without metrics.  The temperature would only be “hot” instead of 95° or a project would be “in progress” instead of 75% complete.  Metrics provide an effective way to keep track of vital information.  They are particularly useful for identifying trends and measuring the progress of activities.  
When used [...]]]></description> <content:encoded><![CDATA[<p><a title="Eric Vanderburg" href="http://www.jurinnov.com/leadership/eric-vanderburg" target="_blank">Eric Vanderburg</a></p><link href="https://plus.google.com/108334547066666118131" rel="author" /><p><a href="http://www.jurinnov.com/measuring-success-with-information-security-metrics"><img class="alignright size-medium wp-image-2849" title="Security-Metrics" src="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2011/12/Security-Metrics-300x197.jpg" alt="" width="240" height="158" /></a></p><p>Try to imagine a world without metrics.  The temperature would only be “hot” instead of 95° or a project would be “in progress” instead of 75% complete.  Metrics provide an effective way to keep track of vital information.  They are particularly useful for identifying trends and measuring the progress of activities.  When used effectively, security metrics provide a uniform way to make decisions and to measure progress in information security.</p><p><span id="more-2848"></span></p><p>The first step in implementing effective information security metrics is to choose a meaningful set of metrics.  Meaningful metrics are relevant to the organization and associated with its goals.  If the business contends that it will protect customer data, then significant metrics may include the number of days since a data breach or average time to resolve incidents.</p><p><strong>Sample information security metrics</strong></p><p>The National Institute of Standards and Technology (NIST) and The SANS Institute have both defined sample metrics that give an idea of different items that may be used to measure the status of an organization’s security structure.  
Similar to the <a href="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2011/12/Snapshot-Handout-P2.pdf" target="_blank">security snapshot</a>, which measures 25 metrics in 5 categories, the NIST and SANS metrics provided here are divided into six categories with select metrics provided as samples.</p><p><strong><em>Access Control</em></strong></p><p>Access control metrics measure the efficiency and effectiveness of methods used to grant and restrict usage of information.  Some Access Control metrics include:</p><ul><li>Percentage of remote access points used to obtain unauthorized access</li><li>Percentage of false positive access rejections</li></ul><p><em><strong>Awareness and Training</strong></em></p><p>Security awareness and training metrics measure the level of investment given to furthering and solidifying skills in information security for both information security practitioners and employees. Some Awareness and Training metrics include:</p><ul><li>Percentage of information security personnel who have received training this year</li><li>Average number of security awareness training sessions given this year</li></ul><p><em><strong>Contingency Planning</strong></em></p><p>Contingency planning metrics measure the level of planning for, and the efficiency and effectiveness of the response to, emergencies in which critical systems become unavailable, as well as the effectiveness of backup operations and recovery for critical information systems.  Some Contingency Planning metrics include:</p><ul><li>Number of days since the last system failure</li><li>Availability percentage of key information systems</li></ul><p><em><strong>Incident Response</strong></em></p><p>Incident response metrics are concerned with the effectiveness of activities taken to detect and correct information security incidents.  Incidents are defined as situations where information security controls are compromised, subverted or circumvented.  
Incidents may or may not result in loss of data confidentiality, integrity or availability.  Some Incident Response metrics include:</p><ul><li>Average number of hours needed to recover from a system failure</li><li>Percentage of incidents that were reported within the organization during a specified period of time</li></ul><p><em><strong>Media Protection</strong></em></p><p>Media protection metrics track how well the organization protects the media on which important data resides.  Media types include hard drives, flash drives, data tapes and optical media such as compact disks and DVDs.  Some Media Protection metrics include:</p><ul><li>Number of flash drives containing sensitive data</li><li>Percentage of decommissioned hard drives that were forensically wiped and/or destroyed</li></ul><p><em><strong>Risk Assessment</strong></em></p><p>Risk assessment metrics show the effectiveness of risk management activities within the organization.  Some Risk Assessment metrics include:</p><ul><li>Percentage of risks identified requiring mitigation that were successfully mitigated within specified time frames</li><li>A bar chart showing the number of critical, high, medium and low level risks identified</li></ul><p>Security metrics are necessary to understand and interpret various data points and measurements.  Once these points are collected, they can provide an organization with an easy way to measure the efficiency and effectiveness of its information security activities.  The most useful metrics are those tailored to the company’s individual needs and requirements as reflected in the company’s values and goals.  
Metrics provide the ability to monitor and control specific, measurable information security activities in a logical and easily understood manner.</p><p>Further Reading:</p><p><a href="http://www.itl.nist.gov/lab/bulletns/bltnaug03.htm" target="_blank">http://www.itl.nist.gov/lab/bulletns/bltnaug03.htm</a></p><p><a href="http://www.sans.org/reading_room/whitepapers/auditing/guide-security-metrics_55" target="_blank">http://www.sans.org/reading_room/whitepapers/auditing/guide-security-metrics_55</a></p><p><a href="http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf" target="_blank">http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf</a></p> ]]></content:encoded> <wfw:commentRss>http://www.jurinnov.com/measuring-success-with-information-security-metrics/feed</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Information Security Compliance: ISO 27000</title><link>http://www.jurinnov.com/iso-27000-certification-history-overview</link> <comments>http://www.jurinnov.com/iso-27000-certification-history-overview#comments</comments> <pubDate>Wed, 07 Dec 2011 11:46:43 +0000</pubDate> <dc:creator>Eric Vanderburg</dc:creator> <category><![CDATA[InfoSec Blog]]></category> <category><![CDATA[compliance]]></category> <category><![CDATA[information security]]></category> <category><![CDATA[Security Management]]></category><guid isPermaLink="false">http://www.jurinnov.com/?p=2813</guid> <description><![CDATA[Eric Vanderburg The last two articles on compliance have covered the Health Insurance Portability and Accountability Act (HIPAA) and the ramifications of that bill on healthcare providers and business associates and the Payment Card Industry Data Security Standard (PCI-DSS) which provides guidelines for securely handling credit card and related personal data.  
This article outlines the [...]]]></description> <content:encoded><![CDATA[<p><a title="Eric Vanderburg" href="http://www.jurinnov.com/leadership/eric-vanderburg" target="_blank">Eric Vanderburg</a></p><link href="https://plus.google.com/108334547066666118131" rel="author" /><p><a href="http://www.jurinnov.com/iso-27000-certification-history-overview"><img class="alignright size-full wp-image-2812" title="ISO_27000_9000_Cleveland_Ohio_information_security" src="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2011/12/ISO_27000_9000_Cleveland_Ohio_information_security.jpg" alt="" width="172" height="158" /></a></p><p>The last two articles on compliance have covered the <a href="http://www.jurinnov.com/information-security-compliance-hipaa">Health Insurance Portability and Accountability Act (HIPAA)</a> and the ramifications of that bill on healthcare providers and business associates and the <a href="http://www.jurinnov.com/information-security-compliance-pci-dss">Payment Card Industry Data Security Standard (PCI-DSS)</a> which provides guidelines for securely handling credit card and related personal data.  This article outlines the ISO (International Organization for Standardization) 27000 series and its benefits for organizations.</p><p><span id="more-2813"></span></p><p><strong>History</strong></p><p>ISO 27000 came out of the BS (British Standard) 7799, originally published in 1995 in three parts.  The first part of BS 7799, dealing with the best practices of information security, was incorporated in ISO 17799 and made part of the ISO 27000 series in 2000.  Part two, titled “Information Security Management Systems &#8211; Specification with Guidance for Use” became ISO 27001 and dealt with the implementation of an information security management system.  The third part was not incorporated into the ISO 27000 series.  
Similar to ISO’s 9000 series, which focuses on quality, ISO 27000 is an optional accreditation that can be used to show that an organization meets a certain level of information security maturity.</p><p><strong>Overview of the ISO 27000 sections</strong></p><p>The six parts to the 27000 series each deal with a different area of an Information Security Management System (ISMS).  This document will briefly outline each section and then concentrate on ISO 27001, the section that details the requirements for an ISMS.  An overview of what the series deals with can be found in the table below.</p><table border="1" cellspacing="0" cellpadding="0"><tbody><tr><td colspan="2" valign="top" width="463"><p align="center"><strong>ISO 27000 Series</strong></p></td></tr><tr><td valign="top" width="127">ISO 27001</td><td valign="top" width="336">ISMS requirements</td></tr><tr><td valign="top" width="127">ISO 27002</td><td valign="top" width="336">ISMS controls</td></tr><tr><td valign="top" width="127">ISO 27003</td><td valign="top" width="336">ISMS implementation guidelines</td></tr><tr><td valign="top" width="127">ISO 27004</td><td valign="top" width="336">ISMS measurements</td></tr><tr><td valign="top" width="127">ISO 27005</td><td valign="top" width="336">Risk management</td></tr><tr><td valign="top" width="127">ISO 27006</td><td valign="top" width="336">Guidelines for ISO 27000 accreditation bodies</td></tr></tbody></table><p>As can be seen in the table above, ISO 27001 details the actual requirements for businesses to comply with the ISO 27000 standard.  ISO 27002 builds on ISO 27001 by providing a description of the various controls that can be utilized to meet the requirements of ISO 27001.  ISO 27003 provides details on the implementation of the standard including project approval, scope, analysis, risk assessment, and ISMS design.  ISO 27004 outlines how an organization can monitor and measure security in relation to the ISO 27000 standards with metrics.  
ISO 27005 defines the high-level risk management approach recommended by ISO and ISO 27006 outlines the requirements for organizations that will measure ISO 27000 compliance for certification.</p><p><strong>Series contents</strong></p><p>The ISO 27000 series provides recommendations for “establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System” (<a href="http://www.27000.org/">http://www.27000.org</a>).  The standard can be broken down into the following sections:</p><ul><li><em>Risk assessment</em> – a <a href="http://www.jurinnov.com/criteria-for-selecting-an-information-security-risk-assessment-methodology-qualitative-quantitative-or-mixed">quantitative</a> or <a href="http://www.jurinnov.com/criteria-for-selecting-an-information-security-risk-assessment-methodology-qualitative-quantitative-or-mixed">qualitative</a> approach to determining the risks to organizational assets. The degree of risk is based on the impact to the asset and the likelihood of occurrence.</li><li><em>Security policy</em> – formal statements defining the organization’s security expectations.</li><li><em>Asset management</em> &#8211; inventory and classification of information assets.</li><li><em>Human resources security</em> &#8211; security aspects for employees joining, moving within or leaving an organization.</li><li><em>Physical and environmental security</em> – physical/tangible systems used to protect systems and data such as alarm systems, guards, office layout, locked doors, keypads, cameras, etc.</li><li><em>Communications and operations management</em> &#8211; management of technical security controls in systems and networks.</li><li><em>Access control</em> &#8211; restriction of access rights to networks, systems, applications, functions and data; maintaining the confidentiality of <a href="http://www.jurinnov.com/guidelines-for-username-and-password-risk-management">access credentials</a> and 
the integrity of access control systems.</li><li><em>Information systems acquisition, development and maintenance</em> &#8211; building security into applications when they are designed or purchased.</li><li><em>Information security incident management</em> – planning and responding appropriately to information security breaches.</li><li><em>Business continuity management</em> &#8211; protecting, maintaining and recovering business-critical processes and systems when they become unavailable.</li></ul><p><strong>Certification process</strong></p><p>Within the ISO 27001 document there are specifications against which a company’s ISMS can be submitted for potential certification.  The certification process begins when an accredited organization assesses the company’s ISMS against the requirements outlined in ISO 27001.  Once this organization determines that the company has met the requirements of ISO 27001, the certification is granted.  Certification must be renewed every three years and is subject to audits.</p><p><strong>Benefit to business</strong></p><p>Compliance with the ISO standards provides companies with a credential which demonstrates that the company is in compliance with the requirements of this well-recognized standard.  It also gives employees and clients more assurance that their data is safe with the company.  In some cases, companies may require ISO certification in order to do business.  The ISO 27000 standard contains many useful recommendations and companies are encouraged to familiarize themselves with the recommendations, even if they do not plan on becoming certified.  
The standard itself costs money to obtain; however, qualified <a href="http://www.jurinnov.com/solutions/information-security-consulting-cleveland-ohio-information-security">compliance practitioners</a> can assist with the preparation for the compliance effort.</p><p><strong>Summary</strong></p><p>ISO 27000 comprises six parts outlining the requirements for certification, guidelines for achieving the requirements, and guidelines for accrediting organizations. The standard provides many useful recommendations for companies seeking certification as well as those merely interested in improving their security.  Similar to the ISO 9000 quality standard, ISO 27000 is optional but it may soon be a business requirement.</p> ]]></content:encoded> <wfw:commentRss>http://www.jurinnov.com/iso-27000-certification-history-overview/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Defending Against DDOS (Distributed Denial-of-Service)</title><link>http://www.jurinnov.com/defending-against-ddos-distributed-denial-of-service</link> <comments>http://www.jurinnov.com/defending-against-ddos-distributed-denial-of-service#comments</comments> <pubDate>Thu, 01 Dec 2011 14:58:42 +0000</pubDate> <dc:creator>JurInnov</dc:creator> <category><![CDATA[InfoSec Blog]]></category> <category><![CDATA[hacking]]></category> <category><![CDATA[information security]]></category> <category><![CDATA[SIEM]]></category> <category><![CDATA[vulnerability management]]></category><guid isPermaLink="false">http://www.jurinnov.com/?p=2741</guid> <description><![CDATA[Eric Vanderburg The site is down!  These are haunting words for most businesses, and today’s topic: the DDoS (Distributed Denial-of-Service) attack. This particularly nasty type of attack attempts to disrupt the availability of systems by overwhelming servers, saturating bandwidth or through other techniques.  
Your business is most likely heavily reliant upon specific systems and this [...]]]></description> <content:encoded><![CDATA[<p><a title="Eric Vanderburg" href="http://www.jurinnov.com/leadership/eric-vanderburg" target="_blank">Eric Vanderburg</a></p><link href="https://plus.google.com/108334547066666118131" rel="author" /><p><a href="http://www.jurinnov.com/defending-against-ddos-distributed-denial-of-service"><img class="alignright size-medium wp-image-2742" title="Website_Hackl" src="http://jurinnovzone.jurinnovltd.netdna-cdn.com/wp-content/uploads/2011/12/Website_Hackl-300x225.jpg" alt="" width="200" height="162" /></a></p><p>The site is down!  These are haunting words for most businesses, and today’s topic: the DDoS (Distributed Denial-of-Service) attack. This particularly nasty type of attack attempts to disrupt the availability of systems by overwhelming servers, saturating bandwidth or through other techniques.  Your business is most likely heavily reliant upon specific systems and this article provides an overview of the DDoS attack that could potentially take these key systems down and techniques for combating the DDoS.</p><p><span id="more-2741"></span></p><div>It is best to understand what the DoS and DDoS attacks are and how they work before discussing how to combat them.  DoS (Denial of Service) attacks disrupt the availability of key information systems so that legitimate users cannot access these resources.  The DDoS attack accomplishes the same thing by using a distributed set of computers or “bots” or “zombies” and it is extremely powerful because it is using the power of thousands of computers and the bandwidth of many networks to perform the attack.  Both the DoS and DDoS result in lost sales, lost customer confidence, reduced productivity or increased work for support staff.  
So how does the DDoS attack work?</div><p><strong>Understanding the DDoS</strong></p><p>DDoS attacks rely on the power of many distributed machines so the first part of a DDoS attack is assembling an army of bots.  Using automated tools, attackers scour the Internet in search of vulnerable machines that are exploited and turned into bots by installing software on them that waits for commands from a <a href="../new-hacking-evidence-fresh-from-the-source">command and control server</a>.  These bots are used to enslave other bots until a sufficient army is assembled for the attack.</p><p>The attacker is now ready to initiate an attack with their bot army.  Attacks are initiated automatically or semi-automatically.  Automatic attacks already have the target programmed into them by the attacker so the attack takes place as soon as the bot army is assembled.  This minimizes interaction the attacker has with the bot army and makes it more difficult for him or her to be identified.  In semi-automatic attacks, instructions are sent to the bot army by the attacker through command and control servers once the bot army is assembled.</p><p>Some DDoS attacks called protocol attacks target a specific protocol or vulnerability and others use brute-force.  Protocol attacks take advantage of a bug in the software or a feature of the communication to tie up resources of the target so that legitimate traffic cannot be serviced.  Brute-force attacks bombard the system with otherwise seemingly legitimate transactions.   Protocol attacks would seem like the more advanced method but they can be stopped by altering the system to remove the bug or changing the way the system operates so that the feature cannot be exploited.  The brute-force attack is no different from legitimate traffic except for its increased volume so it is more difficult to combat.</p><p>So what can you do to prevent or mitigate DDoS?  
We have selected five practical things you can do to protect against a DDoS attack.</p><p><strong>Infrastructure Improvements</strong></p><p>First, consider increasing bandwidth and server performance.  DDoS attacks attempt to overwhelm available resources so additional resources will allow you to withstand greater attacks.  This involves having more server space or bandwidth than necessary.  Such over-provisioning addresses the number one problem brought on by a DDoS attack, link and equipment saturation.  Unfortunately, it can be difficult to determine how much extra hardware and bandwidth is necessary to sustain an attack as even some of the largest companies have succumbed to DDoS attacks.  When attacks fail, attackers often gather a larger bot army and try again.</p><p><strong>Traffic Filtering</strong></p><p>Consider configuring your firewall or IDS (Intrusion Detection System) to filter DDoS traffic, if the functionality is available, or consider upgrading to a system that does.  DDoS traffic filtering devices prevent SYN, TCP Flooding and other types of DDoS attacks.  Such devices typically analyze TCP flow control, conduct packet filtering and utilize blacklists and whitelists.</p><p><strong>Real Time Monitoring</strong></p><p>Another way to protect your data against a DDoS attack is through real-time monitoring.  Real-time monitoring can identify a DDoS attack early.  Such a system must be actively monitored so that action can be taken quickly to resolve the situation.  DDoS attacks can ramp up quickly so administrators might not have much time to respond once an alert comes in.  Integration of site and device monitoring with SIEM can leverage existing technology to protect against this attack.</p><p>It should be noted that not all DDoS attacks happen immediately.  Some attacks develop slowly so that they will not be noticed as easily.  They gradually increase the number of requests made to resources until the resources become unavailable.  
It is important to have baselines of system performance and expected use so that these can be compared to active data in order to classify traffic as legitimate or a potential DDoS attack.</p><p>Consider monitoring log file sizes and growth rates.  Some monitoring tools will create a more critical event and alert when a large number of informational events are generated so that administrators can stay on top of problem areas.  Informational events might not appear in reports and individually they would not indicate a problem but collectively they could indicate a DDoS attempt or some other hacking activity.</p><p><strong>Log Maintenance  </strong></p><p>Genuine users and DDoS attacks both log server events and this can cause some services to reject connections if the log fills up.   As mentioned earlier, log file growth rates and sizes could indicate an attack but in order to prevent a full log from making a system unavailable you can either increase log file sizes, archive logs, or roll the logs over.  If systems are set to refuse connections when the log is full you should not implement log rollover because the refusal is a security mechanism meant to prevent unauthorized access.  In this case you should either use archiving or larger log files to keep servers available.</p><p><strong>Community</strong></p><p>Finally, information security departments can work closely with the botnet hunter community.  DDoS attacks rely on bots to perform their work, but if the bots are known about, control of the bots can potentially be wrested out of the attacker’s hands. Knowing who to call that can nip the attack in the bud rather than allow it to get too big can save valuable time and effort.  Know who to call at your upstream service provider to help filter attacks.  
Your Internet provider might have specialized equipment to help reduce DDoS attacks, so put a plan in place to work with them to stop the attack.</p><p>The DDoS is an outside invasion, but not one that looks to install or plant something within the company in order to gain information.  Instead, this type of attack constantly hits the server with so many requests that business is halted.  DDoS can cause a lot of damage to organizations that rely on the availability of key information systems. That is why we have outlined the above five activities that can mitigate the effects of an attack.</p><p>Sources and Further Reading</p><p><a href="http://www.securityweek.com/content/how-defend-against-ddos-attacks">http://www.securityweek.com/content/how-defend-against-ddos-attacks</a></p><p><a href="http://www.computerworld.com/s/article/94014/How_to_defend_against_DDoS_attacks?taxonomyId=17&amp;pageNumber=1">http://www.computerworld.com/s/article/94014/How_to_defend_against_DDoS_attacks?taxonomyId=17&amp;pageNumber=1</a></p><p><a href="http://www.fortguard.com/DDOS/ucla_tech_report_020018.pdf">http://www.fortguard.com/DDOS/ucla_tech_report_020018.pdf</a></p> ]]></content:encoded> <wfw:commentRss>http://www.jurinnov.com/defending-against-ddos-distributed-denial-of-service/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
