Log inskip to content

Archive for June, 2008

Latest Continuity News

Friday, June 20th, 2008

New standard will help with information security risk management
ISO/IEC 27005:2008 ‘Information technology – Security techniques – Information security risk management’.
http://www.continuitycentral.com/news04003.htm
•Date: 20th June 2008• Region: World

Can your call centre handle a disaster?
Creating business continuity plans for call centres. By Jeff Weil.
http://www.continuitycentral.com/feature0591.htm
•Date: 20th June 2008• Region: UK/World

Developing economies using ‘risk’ to increase competitive advantage
Developing economies have overtaken developed markets when it comes to capitalising on the benefits of risk management, according to a new study from BT Global Services.
http://www.continuitycentral.com/news04005.htm
•Date: 20th June 2008• Region: World

Security management in the supply chain
UKAS looking for feedback.
http://www.continuitycentral.com/news04001.htm
•Date: 19th June 2008• Region: UK/World

Posted in Business Continuity Management | No Comments »

2008 Data Breach Investigations Report

Thursday, June 19th, 2008

 

 

Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place, according to a comprehensive report issued by Verizon Business. The study also provides key recommendations to help businesses protect themselves and urges them to be proactive.

The ‘2008 Data Breach Investigations Report’ spans four years and more than 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. This first-of-its-kind study, conducted by Verizon Business Security Solutions investigative experts, also found that 73 percent of breaches resulted from external sources versus 18 percent from insider threats, and most breaches resulted from a combination of events rather than a single hack or intrusion.

Some of the findings may be contrary to widely held beliefs, such as that insiders are responsible for most breaches. Key findings include:

- Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a
number that rose five-fold during the course of the period studied.

- Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.

- Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.

- Nine of 10 breaches involved some type of ‘unknown’ including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period.

- In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple - if you don’t know where data is, you certainly can’t protect it.

The breaches investigated represent a broad spectrum of industries. The retail and food and beverage industries account for more than half of all cases investigated. By contrast, financial services - an industry with great monetary assets that are also typically well-protected, especially when compared to other sectors - accounted for 14 percent of breaches studied.

The study’s findings show a marked increase in the number and type of international incidents. For example, attacks from Asia, particularly in China and Vietnam, often involve application exploits leading to data compromise, while defacements frequently originate from the Middle East. Internet protocol (IP) addresses from Eastern Europe and Russia are commonly associated with the compromise of point-of-sale systems.

Pointing to the psychology behind breaches, the reports suggests that data compromise is the easiest, safest and most lucrative way to steal the information necessary to commit identity fraud. By breaking into restricted computer systems and compromising sensitive information stored within them, criminals are able to access systems that contain information on tens of thousands of victims versus just a handful through non-electronic means.

Making this crime even more attractive is the lucrative black market for stolen data. This social network enables criminals to work with one another to find vulnerable systems, compromise data and commit large-scale identity fraud. Within this network, the report finds, criminal conglomerates maintain access to hackers, fraudsters and other organized crime groups.

Recommendations for enterprises

Simple actions, when done diligently and continually, can reap big benefits, the study notes. Key recommendations include:

- Align process with policy. In 59 percent of data breaches, the organization had security policies and procedures established for the system, but these measures were never implemented. Implement,
implement, implement.

- Create a data retention plan. With 66 percent of all breaches involving data that a company did not even know was on their system, it’s critical that an organization knows were data flows and where it resides. Identify data and prioritize its risk to the organization.

- Control data with transaction zones. Investigators concluded that network segmentation can help prevent, or at least partially mitigate, an attack. In other words, wall off data when and where appropriate.

- Monitor event logs. Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Data logs should be continually and systemically monitored and responded to when events are discovered.

- Create an incident response plan. If and when a breach is suspected, the organization must be ready to respond, not only to stop the data compromise but to collect evidence that enables the business to pursue prosecution when necessary.

- Increase awareness. Only 14 percent of data breaches were discovered by employees of the victimized organization, even though employees are the first line of defense in safeguarding data. Educate them to be aware.

- Engage in mock-incident testing: Making sure employees are well-trained to respond to a breach. Run drills and test people’s abilities, judgments and actions during a mock crisis.

 

Posted in Compliance Management, Industry News | No Comments »

Learn from NIST: Best practices in security program management

Wednesday, June 18th, 2008

Mike Rothman, Contributor - 06.17.2008

Information security is a hard practice. When nothing happens, it’s a good day. Attackers only have to hit the jackpot once in order to be successful. Security professionals have to be right every time. No wonder most practitioners continue searching for the "silver bullet," which makes all of the angst and risk go away.

A large portion of effective security practice is reaching a common level of proficiency. Since patching systems in a timely fashion and configuring them in a secure manner increases the likelihood that an organization will remain secure, the U.S. government, after a rash of information security issues, decided the best way to make that happen would be for all agencies to adhere to a certain set of standards to protect their information.

This act of legislation, known as FISMA, or the Federal Information Security Management Act of 2002, put the job of defining what is right and what each agency needs to do into the hands of the national standards bearers — namely NIST (the National Institute of Standards and Technology). Thus, NIST has put forth standards and guidelines intended to provide a level of protection for information resources.

Two of NIST’s seminal documents are special publication 800-100, the Information Security Handbook: A Guide for Managers (pdf) and special publication 800-53, Recommended Security Controls for Federal Information Systems (pdf). As every security practitioner looks for a leg up on the bad guys, a great way to do that is to take a look at these two documents and figure out whether the guidelines conflict with what currently exists in your organization. What you discover will help define problems that demand critical attention.

The Information Security Handbook (800-100) attempts to define all of the considerations required to protect information. It treats terms such as governance, systems development life cycles, security assessments, risk management, incident response and many others in detail — in fact, one hundred seventy-six pages of detail. Think of 800-100 as a framework for information security, much like COBIT and/or ISO 27001/2 define the scope of an information security program.

Looking past the dry style and constant references to other NIST documents, the clear message in 800-100 is that security is a broad and complicated discipline that requires a lot of cooperation throughout the entire enterprise. Most already know that, but unfortunately too few organizations practice it.

Practitioners, however, should use some sort of framework to guide their efforts, whether it’s ISO 27001, or 800-100 because of a mandate (for U.S. agencies, for instance). When considering a framework, consider the overarching goals of the security organization. If its goals are more modest, such as simply becoming more relevant to the business, then guidelines like those in The Pragmatic CSO may be appropriate (shameless plug).

There are no wrong (or right) answers. There are no rewards for using one approach or framework over another. The only reward for missing something, which results in a breach or incident, is tossing hard work out the window.

The recommended security controls document, 800-53, takes 800-100 down to a practical level by defining the scope of potential security controls, as well as detailing a process to figure out which ones should be implemented. The document clearly states that controls in the absence of a structured program will not be effective, which is absolutely true.

The controls specified in the appendix of 800-53 are without context, so they aren’t particularly useful aside from providing a laundry list of the many controls that exist. What the appendix doesn’t (and shouldn’t) have is a directive concerning what should be implemented.

The process of defining the control set is simple. It starts by categorizing the data to be protected, then goes through selecting, documenting and implementing the controls. It also presents a closed-loop system of assessing and monitoring the control set to ensure it’s accurate.

Overall, even with all the constant churn and change inherent in protecting information, there is certainly some valuable information in NIST’s special publications. It wouldn’t hurt for most practitioners to go back occasionally and refresh their memories of the theory behind the activities they perform every day.

NIST has a lot of smart people and spends a lot of time trying to figure out what will work for the U.S. Government, so there is bound to be useful information there for enterprises as well. Not everything will be applicable, but a lot will be.

The skilled security professional understands the difference.

About the author:

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com’s expert-in-residence on information security management. Get more information about The Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman@ securityincite.com.

Posted in Business Continuity Management | No Comments »

« Previous Entries

« May iCalendar Jul »
June 2008
M T W T F S S
 1
2345678
9101112131415
16171819202122
23242526272829
30EC

Upcoming Events

  • No events.

Just as with the Y2K crisis of seven years ago, IT workers are being called upon to don superhero suits and save the enterprise from impending technology trouble. But this time, IT will be sifting through the complexities of the federal Sarbanes-Oxley Act of 2002

Public Companies over 75 million already need to comply by 12/15/2007...

Will your SMB be Ready?

Monthly Archives

Google
Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon Sign up for our Email Newsletter