Monday, July 30, 2007

Information Security Policy 101 – Virus Protection Policy



Part 18 in the Information Security Policy 101 Series

For many organizations the threats posed by viruses are manageable given appropriate controls. A Virus Protection Policy is the first step towards ensuring that appropriate controls are in place on workstations, laptops, email gateways, servers, etc.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Virus Protection Policy is to describe the
requirements for dealing with computer virus, worm and Trojan horse infection,
prevention, detection and cleanup.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Virus Protection Policy applies to all persons with any type of access to an %ORGANIZATION% information resource.

SAMPLE:
Audience
The %ORGANIZATION% Virus Protection Policy applies equally to all individuals
that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Virus Protection Policy
The Virus Protection Policy is a simple policy, and you may find that it overlaps with other information security policies. One additional benefit of having a separate Virus Protection Policy is the ease of reference for users and support personnel. Be careful to write statements that do not contradict those in another policy, however rare such contradictions may be.

SAMPLE VIRUS PROTECTION POLICY STATEMENTS:

- All %ORGANIZATION% owned and/or managed workstations, including laptops whether connected to the %ORGANIZATION% network, or standalone, must use the %ORGANIZATION% IT management approved virus protection software and configuration.
- All non-%ORGANIZATION% owned and/or managed workstations, including laptops, must use %ORGANIZATION% IT management approved virus protection software and configuration prior to any connection to an %ORGANIZATION% Information Resource.

Conclusion
The draft, approval, implementation, and enforcement of a Virus Protection Policy can decrease the amount of risk to an organization’s information resources as a result of malware (virus and/or spyware).

Download the SAMPLE VIRUS PROTECTION POLICY.

Next in the series: “Information Security Policy 101 – Policy Approval”

Previous: “Information Security Policy 101 – Vendor/Third-Party Access Policy”

Information Security Policy 101 – Vendor/Third-Party Access Policy



Part 17 in the Information Security Policy 101 Series

Some organizations call on the support of a third-party and/or vendor rarely. Other organizations have third-party support personnel in and out of various areas all day, every day. Most organizations fall somewhere in the middle. I cannot think of a single organization that has not allowed a third-party and/or vendor at least physical access to restricted areas to conduct seemingly innocent tasks.

Question: What governs a vendor and/or other third party's access?

Answer: Vendor/Third-Party Access Policy.

NOTE: Some organizations have already negotiated detailed contracts with vendors and other third-party entities. In some instances an existing contract may need to be appended, a new contract drawn up, or a waiver request approved.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Vendor Access Policy is to establish the
rules for vendor access to %ORGANIZATION% Information Resources and support
services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and
protection of %ORGANIZATION% information. Vendor access to
%ORGANIZATION% Information Resources is granted solely for the work
contracted and for no other purposes.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Third-Party/Vendor Access Policy typically applies to those persons involved in contracting third-party/vendor support and representatives of the third-party/vendor itself.

SAMPLE:
Audience
The %ORGANIZATION% Vendor Access Policy applies to all individuals that are
responsible for the installation of new %ORGANIZATION% Information Resource
assets, and the operations and maintenance of existing %ORGANIZATION%
Information Resources, and who do or may allow vendor access for support,
maintenance, monitoring and/or troubleshooting purposes.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Vendor/Third-Party Access Policy
The Vendor/Third-Party Access Policy is longer and more in-depth than some of the policies we have covered most recently. Use the information gleaned from your business assessment to determine to what extent your policy should be detailed towards the information resources you are trying to protect.

TIP: Have your legal department (or whoever is in charge of negotiating contracts) review the policy in detail. You may also choose to have your legal department assist you in drafting this policy.

SAMPLE THIRD-PARTY/VENDOR ACCESS POLICY STATEMENTS:

- Vendors must comply with all applicable %ORGANIZATION% policies, practice standards and agreements, including, but not limited to:
  - Safety Policies
  - Privacy Policies
  - Security Policies
  - Auditing Policies
  - Software Licensing Policies
  - Acceptable Use Policies
- Vendor agreements and contracts must specify:
  - The %ORGANIZATION% information the vendor should have access to
  - How %ORGANIZATION% information is to be protected by the vendor
  - Acceptable methods for the return, destruction or disposal of %ORGANIZATION% information in the vendor’s possession at the end of the contract
  - The Vendor must only use %ORGANIZATION% information and Information Resources for the purpose of the business agreement
  - Any other %ORGANIZATION% information acquired by the vendor in the course of the contract cannot be used for the vendor’s own purposes or divulged to others

Conclusion
The draft, approval, and implementation of a Vendor/Third-Party Access Policy will assist in ensuring that information security is forethought in contract negotiations and no longer an afterthought. Seasoned information security personnel understand the benefit of information security applied early on vs. retrofitting an existing solution with security after the fact.

Download the SAMPLE VENDOR/THIRD-PARTY ACCESS POLICY.

Next in the series: “Information Security Policy 101 – Virus Protection Policy”

Previous: “Information Security Policy 101 – Software Licensing Policy”

Information Security Policy 101 – Software Licensing Policy



Part 16 in the Information Security Policy 101 Series

“The Business Software Alliance (BSA) is gearing up for a final push to convince companies to fill in their voluntary audit forms.” – VNUNet.com UK

“Thirty-five percent of the world's software is pirated. Software piracy is not only a crime, but it can destroy computers and data.” – Business Software Alliance

There is little doubt that the use of unlicensed and/or pirated software can pose significant risk to an organization’s information resources and assets. Risks can range from malware installation to significant fines. You may notice that there is some slight overlap between the Software Licensing Policy and our Acceptable Use Policy. If you remember, there was mention of using “unauthorized” software in our Acceptable Use Policy.

NOTE: A well-written software licensing policy can limit the amount of time required to satisfy BSA requests for information because it demonstrates proactive action on the part of the organization.

TIP: Many Windows-based organizations grant their users local administrator rights to their workstations. Disallowing this practice can significantly reduce the risk of users installing unauthorized and/or unlicensed software.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Software Licensing Policy is to establish
the rules for licensed software use on %ORGANIZATION% Information Resources.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Software Licensing Policy applies to all of an organization’s information resource users.

SAMPLE:
Audience
The %ORGANIZATION% Software Licensing Policy applies equally to all
individuals that use any %ORGANIZATION% Information Resources.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Software Licensing Policy
Like many of the policies already covered in this series, the Software Licensing Policy is short and simple. The policy makes management’s views regarding software licensing “official”.

SAMPLE SOFTWARE LICENSING POLICY STATEMENTS:

- %ORGANIZATION% provides a sufficient number of licensed copies of software such that workers can get their work done in an expedient and effective manner. Management must make appropriate arrangements with the involved vendor(s) for additional licensed copies if and when additional copies are needed for business activities.
- Users must refrain from knowingly violating license agreements and/or requirements.
- Third party copyrighted information or software, that %ORGANIZATION% does not have specific approval to store and/or use, must not be stored on %ORGANIZATION% systems or networks. Systems administrators reserve the right to remove such information and software unless the involved users can provide proof of authorization from the rightful owner(s).

Conclusion
A well-written Software Licensing Policy can save an organization a considerable amount of time and effort, especially given how easy it is to write and get approved. A subject of much debate is the BSA’s million dollar reward for turning in software pirates:

BSA Rewards Page:
https://reporting.bsa.org/usa/rewardsconditions.aspx

A twist:

Would You Rat Out Your Boss for $1 Million?: http://blogs.pcworld.com/staffblog/archives/004849.html

Wouldn’t it be nice to take out the drama by using a simple policy and enforcement?

Download the SAMPLE SOFTWARE LICENSING POLICY.

Next in the series: “Information Security Policy 101 – Vendor/Third-Party Access Policy”

Previous: “Information Security Policy 101 – Security Training and Awareness Policy”

Information Security Policy 101 – Security Training and Awareness Policy



OK, we're back!

Part 15 in the Information Security Policy 101 Series

“there is a substantial increase in the respondents’ perception of the importance of security awareness training. On average, respondents from most sectors do not believe their organization invests enough in this area.” - 2006 CSI/FBI Computer Crime and Security Survey. If I were going to overspend on any one area of my information security program, it would be for information security training and awareness.

Information security personnel can write whatever they want in their policies, but if nobody is aware of the policies or trained on how they can comply with them then what good are they?

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Information Security Training and Awareness
Policy is to describe the requirements that must be met in order to ensure that each user of
%ORGANIZATION% Information Resources receives adequate training on information
security issues.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Security Training and Awareness Policy applies to all of an organization’s information resource users.

SAMPLE:
Audience
The %ORGANIZATION% Information Security Training and Awareness Policy applies
equally to all individuals that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Security Training and Awareness Policy
The Security Training and Awareness Policy is a simple policy that states what management expects and gives authority to information security personnel. The policy should state general rules that the audience must comply with and lay the groundwork for the training program.

SAMPLE SECURITY TRAINING AND AWARENESS POLICY STATEMENTS:

- All new users must complete an approved Security Awareness training class prior to, or at least within 30 days of, being granted access to any %ORGANIZATION% Information Resources.
- All users must acknowledge that they have read and understand the %ORGANIZATION% Corporate Information Security Policy.
- All users (employees, consultants, contractors, temporaries, etc.) must be provided with this policy to allow them to properly protect %ORGANIZATION% Information Resources.

Conclusion
Do not underestimate the importance of a formal information security training and awareness program. Understand that many people do not understand their critical role in keeping organization assets secure.

TIP: Find things that you can use to prove an ROI in your training and awareness program. I have used help desk staff in the past for this. We took a one month time frame before information security training, where we tracked the number of laptops that came in for service from field staff with passwords on Post-it notes before training. We tracked the same afterwards, then calculated a percentage and extrapolated the number over a one year period. The change was dramatic.

Download the SAMPLE SECURITY TRAINING AND AWARENESS POLICY.

Next in the series: “Information Security Policy 101 – Software Licensing Policy”

Previous: “Information Security Policy 101 – Privacy Policy”

Thursday, July 26, 2007

Update

To The Trusted Toolkit Blog Readers:

I have been caught up this week with a pretty serious investigation which I cannot detail publicly, so I have fallen behind on my schedule of delivering information security policies.

Stay tuned. I will be publishing the "catch-up" postings soon. In the meantime, I suggest shoring up your incident response policy and procedures if you have not done so already. Mine are saving me a bunch of time and embarrassment this week!

Thanks for reading!

Tuesday, July 24, 2007

Information Security Policy 101 – Privacy Policy



Part 14 in the Information Security Policy 101 Series

Writing an organization's privacy policy is not as clear-cut as it may seem. An entire book could easily be written around privacy in the workplace. What an organization states, what it actually does, and what an employee reasonably expects are all critical to privacy/employment matters. To make things worse, privacy rights are not entirely clear under the law.

Two rules of privacy rights (although you could probably come up with more):

One: Write a policy that is focused. Do NOT write “you have no expectation of privacy” as a blanket statement. Privacy is not “all or nothing”.

Two: Do what you say you are going to do, consistently. Do NOT follow your policy only when there is an enforcement action. As the US Supreme Court has noted, "[W]hile police, and even administrative enforcement personnel, conduct searches for the primary purpose of obtaining evidence for use in criminal or other enforcement proceedings, employers most frequently need to enter the offices and desks of their employees for legitimate work-related reasons wholly unrelated to illegal conduct."

TIP: A Privacy Policy should be reviewed by a legal counselor who is familiar with privacy rights and law. Many corporate counselors are not experts in this area.


General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Privacy Policy is to clearly communicate
the %ORGANIZATION% privacy expectations to Information Resource users.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Privacy Policy should apply to all personnel, and in some cases (depending on your organization) contractors, vendors, and other third-parties.

SAMPLE:
Audience
The %ORGANIZATION% Privacy Policy applies equally to all individuals who use
any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Privacy Policy
The Privacy Policy is a critical policy in most organizations and needs to clearly communicate how much privacy a user should expect when using the organization’s information assets.

NOTE: A very good article on this subject was written by Mark Rasch: “Employee Privacy, Employer Policy”.

SAMPLE PRIVACY POLICY STATEMENTS:

- Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of %ORGANIZATION% are not private and may be accessed by %ORGANIZATION% Information Security employees at any time, under the direction of %ORGANIZATION% executive management and/or Human Resources, without knowledge of the Information Resource user or owner.
- To manage systems and enforce security, %ORGANIZATION% may log, review, and otherwise utilize any information stored on or passing through its Information Resource systems in accordance with the provisions and safeguards provided in %ORGANIZATION% Information Resource standards. For these same purposes, %ORGANIZATION% may also capture user activity such as telephone numbers dialed and web sites visited.

Conclusion
Be careful in using a sample Privacy Policy. Be sure that it fits your organization and internal processes. A poorly written or implemented Privacy Policy can leave your organization open to a legal quagmire. Most of the investigation and forensic work I have done in the past has been governed by what the organization’s Privacy Policy stated.

Download the SAMPLE PRIVACY POLICY.

Next in the series: “Information Security Policy 101 – Security Training and Awareness Policy”

Previous: “Information Security Policy 101 – Mobile Computing Policy”

Monday, July 23, 2007

Information Security Policy 101 – Mobile Computing Policy



Part 13 in the Information Security Policy 101 Series

Few things in my profession give me more shivers than the amount and sensitivity of data that is carried outside the corporate boundary every day on mobile devices such as PDAs, laptops, and Smartphones. Without effective controls, mobile devices are easily lost or stolen, data transmissions are easily intercepted, and shoulder-surfing is commonplace. Nearly every week a company is forced to publicly disclose a lost or stolen laptop that contained personally identifiable information (PII).

See: http://attrition.org/dataloss/, http://breachalerts.trustedid.com/, http://doj.nh.gov/consumer/breaches.html, http://www.privacyrights.org/ar/ChronDataBreaches.htm


Information security is a discipline that constantly attempts to balance the risk of using a technology against the business benefits gained as a result of such use. How can an information security professional effectively balance the risks inherent in using mobile devices while still allowing the business to benefit from their use?

In order to provide protection to the data that may be contained on a mobile device, organizations must extend protections and controls to such devices. Protection starts with policy.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Mobile Computing Security Policy is to
establish the rules for the use of mobile computing devices and their connection to the
network. These rules are necessary to preserve the Integrity, Availability, and
Confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Mobile Security Policy applies to all individuals in the organization that use, possess, manage, secure, and/or approve the use of mobile devices.

SAMPLE:
Audience
The %ORGANIZATION% Mobile Computing Security Policy applies equally to all
individuals that utilize mobile computing devices and access %ORGANIZATION%
Information Resources.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Mobile Computing Policy
If an organization does not use or allow the use of mobile devices, then a simple statement in an Acceptable Use Policy may be all that is needed. If the organization does allow the use of mobile computing devices, general rules around this usage need to be communicated to all relevant personnel. As with all policies, the Mobile Computing Policy should state general rules, leaving room for supporting documentation (procedures, standards, and guidelines) to define the specifics.

NOTE: At least 35 states have laws regarding security breach notification and most have safe harbor provisions around data that has been encrypted.

SAMPLE MOBILE COMPUTING POLICY STATEMENTS:

- Only %ORGANIZATION% approved portable computing devices may be used to access %ORGANIZATION% Information Resources.
- Portable computing devices must, at a minimum, be password protected in accordance with the %ORGANIZATION% Password Policy.
- %ORGANIZATION% Confidential data should not be stored on portable computing devices. However, in the event that there is no alternative to local storage, all Confidential %ORGANIZATION% data must be encrypted using approved encryption techniques, wherever possible.

Conclusion
Due to the increased risks that mobile computing devices pose to many organizations and the increased reliance on these devices to complete “business critical” tasks, it is recommended that a stand-alone Mobile Computing Policy be developed.

Download the SAMPLE MOBILE COMPUTING POLICY.

Next in the series: “Information Security Policy 101 – Privacy Policy”

Previous: “Information Security Policy 101 – Physical Security Policy”

Information Security Policy 101 – Physical Security Policy



Part 12 in the Information Security Policy 101 Series

In some organizations “physical” security and “information” security are separated into different groups or teams. Whether this is a good idea or not has been the subject of some debate over the years. One issue that should not be debated is the tight interdependence between the two.

Information security is a balance of physical, logical, and administrative controls. Every control must have its roots somewhere in policy.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Physical Security Policy is to establish the
rules for the granting, control, monitoring, and removal of physical access to
Information Resource facilities.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Physical Security Policy applies to any person or entity that has the potential to physically interact with information resources, or with facilities that house information resources, under the control of an organization. The policy is specifically written to provide direction to those individuals who are charged with maintaining physical security.

SAMPLE:
Audience
The %ORGANIZATION% Physical Security Policy applies to all
%ORGANIZATION% individuals who install and support Information Resources, who are
charged with Information Resource security, and to data owners.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Physical Security Policy
The form that a Physical Security Policy takes is dependent on many factors. This article is written with small to medium sized organizations in mind. These organizations do not typically have the staff to support a separate physical security group and/or opt to integrate physical security into a single information security program. In order to determine where a physical security policy fits best in an organization, the earlier business assessment should be used.

NOTE: Physical security policy is a must in almost all organizations. If physical security is not adequately defined and applied, all other controls could be easily defeated.

SAMPLE PHYSICAL SECURITY POLICY STATEMENTS:

- Physical security systems must comply with all applicable regulations including but not limited to building codes and fire prevention codes.
- Physical access to all %ORGANIZATION% restricted facilities must be documented and managed.
- All Information Resource facilities must be physically protected in proportion to the criticality or importance of their function at %ORGANIZATION%.

Conclusion
The science involved with physical security is often specialized, and there seems to be a limitless supply of available technologies and controls that can be applied. The Physical Security Policy should be written in broad enough terms so as not to restrict the use of any one specific control. The policy does not usually require an in-depth knowledge of all the available controls, whereas the application and implementation typically do. In most cases, I write the policy then call upon physical security consultants to design effective controls.

NOTE: If you have a keen interest in the physical nature of information security and would like to demonstrate your mastery, check out the Physical Security Professional (PSP) certification from ASIS International.

Download the SAMPLE PHYSICAL SECURITY POLICY.

Next in the series: “Information Security Policy 101 – Mobile Computing Policy”

Previous: “Information Security Policy 101 – Password Policy”

Thursday, July 19, 2007

Information Security Policy 101 – Password Policy



Part 11 in the Information Security Policy 101 Series

Passwords get a bad rap. Nobody likes them: users, administrators, and information security personnel alike. Users don’t like passwords because we “information security police” make them so complex and hard to remember, administrators don’t like them because they have so many to remember, and information security personnel don’t like them because they are arguably the most insecure means of authentication.

All the more reason and justification for a Password Policy.

A Password Policy should be required in all organizations that rely on passwords as a source of authentication.

Let’s get to it.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Password Policy is to establish the rules for the creation, distribution, safeguarding, termination, and reclamation of %ORGANIZATION% user authentication mechanisms.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Password Policy aptly applies to any person or entity that uses a password.

SAMPLE:
Audience
The %ORGANIZATION% Password Policy applies equally to all individuals who use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Password Policy
The Password Policy should communicate the general rules for password creation, use, storage, transmission and destruction (the “lifecycle”). Most likely the policy will state many general security “best practices” of password management along with some home grown statements based on the business assessment.

NOTE: People will inevitably break some rules in a password policy. It is proven that the number and severity of incidents can be reduced by training and awareness. Give users a better way to do things rather than only telling them what they cannot do.

SAMPLE PASSWORD POLICY STATEMENTS:

- Password history must be kept to prevent the reuse of passwords
- Stored passwords are classified as Confidential Data and must be encrypted

Conclusion
A Password Policy is not just an efficient method of communicating good password management practices, but it is also an implement for enforcement. A well-written and implemented Password Policy can significantly reduce the amount of risk to the organization’s information.

Download the SAMPLE PASSWORD POLICY.

Next in the series: “Information Security Policy 101 – Physical Security Policy”

Previous: “Information Security Policy 101 – Network Access Policy”

Wednesday, July 18, 2007

107,000 More Records Compromised



This time it's 27,000 names, addresses, and credit card numbers lost by Kingston Technology Company and 80,000 names, addresses, and social security numbers lost by the Louisiana Board of Regents.

Kingston Technology (27,000)
Wouldn't you know it, there is no mention of this breach anywhere on Kingston's homepage.

Apparently the data was taken through unauthorized access of purchase information made at www.shop.kingston.com. What makes this interesting is that this breach supposedly happened in September, 2005 but went undetected until "recently".

Who is the victim?
"After confirming what data was accessed and who was affected, Kingston had to gather the appropriate contact information and arrange for consumer protection services and materials to notify the impacted consumers," the spokesman said.

Sound Familiar?
"The note added that, for the moment at least, there is no evidence that the illegally accessed data has been misused"

Kingston has an impressive track record of protecting information, and I get the feeling that they will only improve.

News: Computerworld
Letter to the New Hampshire Attorney General

Louisiana Board of Regents (80,000)
The Louisiana Board of Regents has a link on their homepage to some additional details.

I have to admit, this one has me a little miffed! I do not like how the data was compromised, how long it took to detect it, or the official Board of Regents (BOR) response.

The Compromise
A student found/stumbled on the data using Google. The student found a database of student names and 150 other files that he claimed contain up to 75,000 more names of students and employees. This information was accessible from the Internet without any protection whatsoever. According to BOR:

Groups Potentially Affected

- Any student who was enrolled in the 10th grade at a Louisiana public high school and took the EPAS (Educational Planning and Assessment) Plan test between 2001 and 2003.
- Any Louisiana public college or university faculty or staff member who was employed in either 2000 or 2001.

It is unclear how long the data may have been exposed, but it may have been "as long as two years".

The Response
The official response leaves something to be desired, for sure! Basically, all the BOR seems to have done is make the data inaccessible and offer some tips for those who may have been affected. How about STOP USING SOCIAL SECURITY NUMBERS AS IDENTIFICATION!!!

While researching this incident, I found a document titled "File Layout STS Student Transcript System". Data Element Name: State Identification Number --> Social Security Number, if available. Otherwise, a temporary number assigned according to LDE guidelines.

News: WDSU News Channel 6

Information Security Policy 101 – Network Access Policy



Part 10 in the Information Security Policy 101 Series

This is now the 10th entry into the “Information Security Policy 101” series. Are these policies starting to blur at all? Are they all starting to look the same? Believe it or not, the policies look similar on purpose and there are statements in one that may be found in another (also on purpose). The repetition can make things a little boring for the information security personnel, but it really does help “normal” people retain the information.

The Network Access Policy is found in many organizations, or at least the language of the policy statements. Often I will find Network Access Policy statements included in an Acceptable Use Policy instead. Tomayto tomahto.

As always…

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Network Access Policy is to establish the rules for the access and use of the %ORGANIZATION% network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Network Access Policy aptly applies to any person or entity that accesses the organization’s network either locally or through a WAN, VPN, modem, wireless, etc.

SAMPLE:
Audience
The %ORGANIZATION% Network Access Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Network Access Policy
The Network Access Policy is a simple policy that should outline some basic ground rules that people need to follow when using the organization’s network.

NOTE: Although the statements in a policy may seem basic and common sense to the author, don’t assume that they are for everyone.

STORY: I once had a user complain to me that a policy I wrote for a client company was too simple and common sense.

SAMPLE NETWORK ACCESS POLICY STATEMENTS:

- Remote users may connect to the %ORGANIZATION% corporate networks only after formal approval;
- Remote users may connect to %ORGANIZATION% Information Resources using only the protocols approved by %ORGANIZATION% IT;

Conclusion
The Network Access Policy is simple and you may be able to get away with ditching it in favor of adding the required statements to your Acceptable Use Policy. This decision is up to you. The business assessment exercise could help you in this decision. I almost always separate the policy statements for ease of reference, simplified reviews and changes, and reinforcement through repetition.

Download the SAMPLE NETWORK ACCESS POLICY.

Next in the series: “Information Security Policy 101 – Password Policy”

Previous: “Information Security Policy 101 – Network Configuration Policy”

Use Firefox? Upgrade to 2.0.0.5 Now

The Mozilla Foundation, makers of the popular Firefox Web browser, announced the release of version 2.0.0.5 yesterday (7/17) and all users are strongly encouraged to upgrade.

There are three "Critical", two "High", one "Moderate", and two "Low" risk vulnerabilities addressed in this upgrade.

To upgrade:

1. Open Firefox
2. Click Help
3. Click Check for Updates
4. Click "Download & Install Now"
5. Click "Restart Firefox Now"



For more information:
http://www.mozilla.org/projects/security/known-vulnerabilities.html
http://secunia.com/advisories/26095/


Tuesday, July 17, 2007

Western Union Breach



Western Union admitted that personal data on as many as 20,000 customers was compromised due to a poorly secured database accessed by “hackers”. Names, addresses, phone numbers, and credit card information are all among the data stolen in the heist.

I looked around the Internet for an official response from Western Union and found nothing. I did notice something ironic on their homepage, http://www.westerunion.com/ though.



The section labeled “Protect Yourself from Fraud” immediately caught my eye. I guess one thing you could do is not do business with Western Union, but this won’t help you much if you are already one of the unfortunate victims!

The “Standard” Response
There seem to be some “standard” responses amongst companies that are losing data belonging to their customers. Mind you, it is easy to play “Monday morning quarterback” with security breaches, but honest public disclosure, tangible assurance and change, and open communication with my customers would be near the top of my response list.

Standard Response #1:
“We are not aware of any ID theft or any kind of fraudulent use that was made from this information.” This sounds eerily familiar. Certegy responded to their recent 2.3 million record breach with “No Fraudulent Activity or Identity Theft Detected” in their press release. To be honest this means nothing to me. Just because the company has not detected any fraudulent activity does not mean that none has occurred or that none will in the future as a result of the disclosure.

Standard Response #2:
“It (Western Union) also offered to pay for one year of credit monitoring to affected customers.” From the letter sent to the victims of the Pfizer breach (17,000 victims) “support and protection package includes a credit monitoring program for one year.” I do like how Pfizer has responded although there are rumblings that they took too long to notify victims.

Western Union Breach
As I stated earlier, I still cannot find any “official” response from Western Union so it is hard to comment on their response. Among the things I would like to know are how the vulnerable database was accessed, what Western Union is doing to prevent future breaches, and any other information that can help me as a consumer feel confident that they take the security of my data seriously. The Certegy breach was a case of a criminal DBA; is this a case of a DBA with poor skills?

Content for this article refers to information originally reported by the New York Post, here.
Western Union has been in the news for a security breach before.


Feel free to comment!


Information Security Policy 101 – Network Configuration Policy



Part 9 in the Information Security Policy 101 Series

Most network configuration policies are fairly straightforward.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Network Configuration Policy is to establish the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the Integrity, Availability, and Confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically a Network Configuration Policy applies to all individuals in an organization.

SAMPLE:
Audience
The %ORGANIZATION% Network Configuration Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Network Configuration Policy
Although many organizations do not have a separate Network Configuration Policy, many of the statements are important enough to communicate in one form or another. Some organizations will include these statements in other information security policies. I prefer to keep them separate.

SAMPLE NETWORK CONFIGURATION POLICY STATEMENTS:

- %ORGANIZATION% IT owns and is responsible for the %ORGANIZATION% network infrastructure and will continue to manage further developments and enhancements to this infrastructure.
- To provide a consistent %ORGANIZATION% network infrastructure capable of leveraging new networking developments, all cabling must be installed by %ORGANIZATION% IT or an approved contractor.

Conclusion
Read through the sample policy, and together with the business assessment, determine if a Network Configuration Policy makes sense in your organization.

Download the SAMPLE NETWORK CONFIGURATION POLICY.

Next in the series: “Information Security Policy 101 – Network Access Policy”

Previous: “Information Security Policy 101 – Incident Management Policy”

Monday, July 16, 2007

Information Security Policy 101 – Incident Management Policy



Part 8 in the Information Security Policy 101 Series

Let’s start off with a scenario. Bill Johnson works as the Information Security Officer of a medium-sized regional bank and it’s Monday morning. Bill receives a phone call from the bank service desk reporting that a laptop was lost or stolen over the weekend. Uh oh, Bill doesn’t have an incident response policy or procedures.

Try to put yourself in Bill’s shoes for a moment. What risk does this incident pose? Does the laptop contain regulated data, i.e. social security numbers, credit card numbers, other personally identifiable information (PII), etc.? Does the laptop contain usernames and passwords? Will this incident make the evening news? Who should Bill notify? Should Bill contact the authorities, i.e. local police, Secret Service, FBI, etc.? Panic might begin to set in for Bill. Maybe Bill should just drop everything, run, and find a new profession.

Bill shouldn’t have to worry about how to respond to such an incident.

All companies large and small should have an incident management program. What the program looks like and how it is run will differ from company to company as expected, but they all start with policy.

NOTE: The first actions taken following an incident are often critical and could dictate the entire course of an investigation. If an incident is handled incorrectly, cause identification and eventual prosecution could be impossible.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Incident Management Policy is to describe the requirements for dealing with computer security incidents. Security incidents include but are not limited to: virus, worm, and Trojan horse detection, unauthorized use of computer accounts and computer systems, as well as complaints of improper use of Information Resources as outlined in the Acceptable Use Policy.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically an Incident Management Policy applies to all individuals in an organization. The policy is meant to be referred to by personnel charged with incident response.

SAMPLE:
Audience
The %ORGANIZATION% Incident Management Policy applies equally to all individuals that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Incident Management Policy
The Incident Management Policy is intended to communicate what is expected of personnel when confronted with an incident pertaining to information resource confidentiality, integrity, and/or availability. The policy provides the vital framework necessary to develop detailed incident response procedures.

NOTE: Incident response procedures will detail (preferably step-by-step) how personnel are expected to respond to an incident. Incident response procedures should be tested on a regular basis (quarterly, semi-annually, or yearly).

SAMPLE INCIDENT MANAGEMENT POLICY STATEMENTS:

- %ORGANIZATION% management will establish and provide overall direction to an %ORGANIZATION% Incident Response Team (IRT).
- %ORGANIZATION% IRT members have pre-defined roles and responsibilities which can take priority over normal duties.

Conclusion
Do yourself a favor and create an incident management program. The incident management program does not need to be complicated and account for every possible scenario that could occur. Supporting procedures can be written in such a manner to be flexible enough to apply to most conceivable incidents. Incidents WILL occur, so be prepared!

Download the SAMPLE INCIDENT MANAGEMENT POLICY.

Next in the series: “Information Security Policy 101 – Network Configuration Policy”

Previous: “Information Security Policy 101 – Data Classification Policy”

Thursday, July 12, 2007

Information Security Policy 101 – Data Classification Policy



I will forewarn you, data classification can be a real doozy. The policy is simple enough to write and the concepts are simple enough to sell, but adoption and implementation is usually a whole different story. If done well, the benefits can far outweigh the risks.

The purpose for most data classification projects (yours may differ) is to identify the data that is sensitive to an organization, classify (or label) this data, and apply appropriate controls based on the sensitivity-label pair.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Data Classification Policy is to provide a system for protecting information that is critical to the organization, and its customers. In order to provide more appropriate levels of protection to the information assets entrusted to %ORGANIZATION%, data must be classified according to the risks associated with its storage, processing, and transmission. Consistent use of this data classification policy will facilitate more efficient business activities and lower the costs of ensuring adequate information security.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Data Classification Policy applies to all entities that interact with data in any tangible manner.

SAMPLE:
Audience
The %ORGANIZATION% Data Classification Policy applies equally to any individual, or process that interacts with %ORGANIZATION% Information Resources in any tangible manner. All personnel who may come in contact with Confidential information are expected to familiarize themselves with this Data Classification Policy and consistently use it.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Data Classification Policy
The Data Classification Policy differs from most other information security policies due to the additional information required. The Data Classification Policy will introduce new concepts, roles, and responsibilities.

Roles and Responsibilities:
The following are typical roles and responsibilities defined in the Data Classification policy:

Data Owner
The Data Owner is normally the person responsible for, or dependent upon the business process associated with an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.

- The Data Owner determines the appropriate value and classification of information generated by the owner or department;
- The Data Owner must communicate the information classification when the information is released outside of the department and/or the organization;
- The Data Owner controls access to his/her information and must be consulted when access is extended or modified; and
- The Data Owner must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.

Data Custodian
- The Data Custodian maintains the protection of data according to the information classification associated to it by the Data Owner.
- The Data Custodian role is delegated by the Data Owner and is usually Information Technology personnel.

Data User
The Data User is a person, organization or entity that interacts with data for the purpose of performing an authorized task. A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.

Data Classifications
Confidential
Confidential Data is information protected by statutes, regulations, organizational policies or contractual language. Managers may also designate data as Confidential.

Confidential Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.

Disclosure to parties outside of the organization must be authorized by executive management, approved by a Vice President and General Counsel, or covered by a binding confidentiality agreement.

Examples of Confidential Data include:

- Medical records
- Clinical trial data
- Credit card numbers
- Social Security Numbers
- Personnel and/or payroll records
- Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction
- Any data belonging to an %ORGANIZATION% customer that may contain personally identifiable information
- Patent information
- Regulatory filings

Internal
Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel designated by %ORGANIZATION%, who have a legitimate business purpose for accessing such data.

Examples of Internal Data include:
- Employment data
- Business partner information where no more restrictive confidentiality agreement exists
- Internal directories and organization charts
- Planning documents
- Contracts

Public
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to organizational disclosure rules, is available to all %ORGANIZATION% employees and all individuals or entities external to the corporation.

Examples of Public Data include:
- Publicly posted press releases
- Publicly available marketing materials
- Publicly posted job announcements

Disclosure of public data must not violate any pre-existing, signed non-disclosure agreements.

NOTE: The policy MUST NOT define HOW data will be classified (or tagged); instead, use standards, guidelines and/or procedures to communicate how the different types of data should be appropriately labeled.

SOME SAMPLE Classification Protections
Confidential
- When stored in an electronic format must be protected with a minimum level of authentication to include strong passwords, wherever possible.
- When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by %ORGANIZATION% IT Management must be employed.

Internal
- Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure
- Must be protected by a confidentiality agreement before access is allowed

Conclusion
In my experience, the Data Classification Policy has been the most difficult policy to create and receive approval on. The most common and valid question I receive is “How will we ever comply?” Compliance with a Data Classification Policy has proven to be extremely difficult in most organizations due to a number of primary factors:

- People do not want to assume the responsibilities that come with their role, primarily the data owner
- Labeling standards are sometimes extensive and time consuming to write
- Data is strewn throughout the organization without centralized management
- Classifications assigned will vary from data owner to data owner and management is not “cut and dry”

Understand that information security is a science of evolution and it will take time to get data classification properly implemented. This is expected and accepted. All things in information security should start in policy and data classification is no exception. Approval of a policy does not mean formal adoption and compliance (we will cover post-approval of policy in “Information Security Policy 101 – Policy Approval” due on 7/30).

Download the SAMPLE DATA CLASSIFICATION POLICY.

TIP: Write your Data Classification Policy without worrying about the details of implementation, but at the same time make sure you will be able to implement each statement through the use of additional supporting documentation.

Next in the series: “Information Security Policy 101 – Incident Management Policy”

Previous: “Information Security Policy 101 – Backup Policy”


Wednesday, July 11, 2007

Information Security Policy 101 – Backup Policy



On the surface it may seem that data backups are mundane and simple tasks to carry out. Backups are often repetitive and change infrequently. Don’t believe it! Although there are SOME tasks that a backup administrator does that are simple and mundane, anyone who has spent any amount of time with or as a backup administrator knows how complex the job can be. There are a vast number of options and methods available to conduct and manage backups. Of these options and methods, some are more secure than others.

The Backup Policy is meant to address some of the grey area and provide direction to the development of more detailed procedural and standardization documentation.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Backup Policy is to establish the rules for the backup and storage of electronic %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically a Backup Policy applies to IT administrative personnel and those persons responsible for data backups specifically.

SAMPLE:
Audience
The %ORGANIZATION% Backup Policy applies to all individuals within the enterprise who are responsible for the installation and support of %ORGANIZATION% Information Resources, individuals charged with %ORGANIZATION% Information Resource backups, security and data owners.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Backup Policy

A Backup Policy is written to provide rules and expectations around the treatment and management of data backups. It is a simple policy that rarely exceeds a page in length, but should/could be viewed as important in many organizations.

NOTE: A Backup Policy should not state backup settings requirements except in a general sense. The Backup Policy should not be confused with a Disaster Recovery Plan (DRP) which is much more extensive and outside of the scope of this article.


SAMPLE BACKUP POLICY STATEMENTS:
- The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.
- The %ORGANIZATION% Information Resource backup and recovery process for each system must be documented and periodically reviewed.

Conclusion
Do not assume that backups are simple tasks with limited options and flexibility. Backups are often a critical process for many organizations so it would only make sense to develop some policy around them.

Download the SAMPLE BACKUP POLICY.

Next in the series: “Information Security Policy 101 – Data Classification Policy”

Previous: “Information Security Policy 101 – Administrative and Special Access Policy”


Tuesday, July 10, 2007

Information Security Policy 101 – Administrator and Special Access Policy



And now I present to you the Administrative and Special Access Policy! OK, I admit it isn’t all that exciting, but it is a policy that provides value in many organizations. In many instances users of administrative accounts have the ability to do just about anything in a corporate server and/or network environment. Administrators can often create accounts, change passwords, change access rights, delete audit logs, etc. Without proper control, the risk of inadvertent errors and malicious abuse of rights is unacceptable.

All information security controls must have their roots in policy, and those meant to limit the risk inherent in the use of administrative access accounts are no different.

NOTE: This has been stated before, but I state it again in order to drive the point home. Supporting standards, guidelines, and/or procedures will need to be created in support of the policy after the policy has been formally approved and adopted by management.

General Policy Format

All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Administrative and Special Access Policy is to establish the rules for the creation, use, monitoring, control and removal of accounts with special access privilege.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically an Administrative and Special Access Policy applies to IT administrative personnel or persons authorized and responsible for information resource management.

SAMPLE:
Audience
The %ORGANIZATION% Administrative and Special Access Policy applies equally to all individuals that have, or may require, special access privilege to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Administrative and Special Access Policy
The Administrative and Special Access Policy is written to communicate the general rules and guidance to those persons in an organization with authorized access to administrative accounts. The policy also applies to users of accounts that have access rights that exceed those of "general" user accounts.

As with all information security policies, the Administrative and Special Access Policy should be general in nature and not detail specific settings requirements. The Administrative and Special Access Policy should adequately address all areas of administrative access that reflect expected and acceptable use.

SAMPLE POLICY STATEMENTS:

- All users of Administrative and Special access accounts must have account management instructions, documentation, and authorization.

- Each individual that uses Administrative and Special access accounts must refrain from abuse of privilege and must only perform the tasks required to complete his/her job function.

Conclusion
Remember that a policy is a series of statements that accurately reflect management’s expectations with respect to information security in the organization. It is easy to forget about those users in an organization that have “special” rights and privileges. This is a mistake. Users with these rights and privileges, if not properly informed and trained, can pose one of the most significant threats to the confidentiality, integrity and/or availability of organizational information.

Download the SAMPLE ADMINISTRATIVE AND SPECIAL ACCESS POLICY.

TIP: The use of administrative and special access accounts needs to be strictly monitored and reviewed. Include regular monitoring and auditing in supporting procedures.

Next in the series: “Information Security Policy 101 – Backup Policy”

Previous: “Information Security Policy 101 – Account Management Policy”


Monday, July 9, 2007

Buy your exploits here?



Are you in the market for a previously undisclosed exploit and/or vulnerability? If so, maybe you should check out the WabiSabiLabi MarketPlace, an online exploit auction site (or not).

So far, I have only seen four exploits listed for sale with only two receiving bids. Supposedly, I can become the high-bidder on a Yahoo! Messenger 8.1 remote buffer overflow exploit for only 2000 Euro (~$2720 US).

Let’s take a look at this.

The Site



If you have used eBay or U-Bid before, you already understand how online auctions work so I won’t explain any of that.

What sets this online auction site apart from others is the commerce, previously undisclosed exploits. Upon first examination of the site it appears to be legitimate, but due to my nature I want to dig a little more.

Call me naïve, but I gotta tell ya I am a bit suspicious.

First off, I had not heard of “WabiSabiLabi Ltd.” before this encounter. Before I do business with anyone, I certainly want to know who they are and rarely will I take their word for it.

There is little or no history of the company presumably because they are a startup. DNS provides little information as it is a GoDaddy private registration. The site itself (http://www.wslabi.com/) is hosted through California Regional Intranet, Inc. (cari.net).

Let’s say for a second that I have a “zero-day” exploit that I would like to profit from, and let’s say that I am a good guy (I am!). Should I sell my work through WabiSabiLabi and trust that they will make sure it is sold to another good guy?

WabiSabiLabi FAQ:
Q: Can everybody purchase vulnerabilities from the market place?

A: No, all purchasers will be carefully evaluated before granting them access to the market platform to minimize the risk of selling the right stuff to the wrong people.

Personally, I would like a little more disclosure on “how” WabiSabiLabi will evaluate a purchaser.

Now let’s say that I am a bad guy with a zero-day exploit to sell. Should I sell my work through WabiSabiLabi and risk disclosure of my identity or should I sell it to the highest bidder within “my network”? This is a simple question to answer!

Hey, maybe I am a bad guy with money to buy a zero-day exploit. Will the exploit be worth squat after the extensive “hinting” that takes place by disclosing even trivial details on http://www.wslabi.com/?

And lastly, let’s say I am a good guy again (following me?) and I work for one of the vendors mentioned with an exploit on http://www.wslabi.com/. Would I buy? What happens if I don't buy the exploit when I could have and it turns out to be a good one that causes harm to my customers? This scenario could hurt. Tough decision, but almost sounds like blackmail by WSLabi.

There is just not enough information on http://www.wslabi.com/ for me to make the decision to disclose anything, i.e. to submit any zero-day information I had on hand. I agree that security researchers need to get paid for their work, as I know the work can be extremely detailed, time-consuming, and stressful. I am just not convinced that this is the place to do it. I will take a wait-and-see approach to this one.

You will have to make your own decision.

WabiSabiLabi Information, according to the site:
“WSLabi laboratory in Switzerland covers a large quantity of high-severity ITSEC issues through its global research network of independent security researchers and third party organizations”

Their motto: “The art of continuous improvement of imperfect security”

Their Blog: http://wabisabilabi.blogspot.com/


Sunday, July 8, 2007

Information Security Policy 101 – Account Management Policy



The Account Management Policy is next in the alphabetical list of information security policies that I will be covering as part of the Information Security Policy 101 series. Typically an Account Management Policy is most useful in organizations with a group of individuals who are authorized to create, monitor, control, and/or remove user accounts.

The business assessment process that we covered in “Information Security Policy 101 – Assess the Business” should give information security personnel the information needed to determine if an Account Management Policy will provide value to the organization.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %Organization% Account Management Policy is to establish the rules for the creation, monitoring, control, and removal of user accounts.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically an Account Management Policy applies to persons authorized and responsible for account management.

SAMPLE:
Audience
The %Organization% Account Management Policy applies equally to all individuals whose authorized business duties include account management pertaining to any %Organization% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Account Management Policy
The Account Management Policy is written to communicate the general rules and guidance to those persons in an organization with account management responsibilities. As with all information security policies, the Account Management Policy should be general in nature and not dictate specific configuration settings. The Account Management Policy should adequately address account creation, monitoring, control, expiration, disablement, and deletion.

SAMPLE POLICY STATEMENTS:

  • All accounts created must have an associated and documented request and approval
  • All accounts must be uniquely identifiable using the user name assigned by MGI IT

Conclusion
Of the companies that I have had the opportunity to assess, many did not include an Account Management Policy in their greater global information security policy, although most of them could benefit from having one. The Account Management Policy is a very simple policy to write due to its limited scope, and in most cases its creation, approval, and adoption is well worth the investment.

Download the SAMPLE ACCOUNT MANAGEMENT POLICY.

TIP: Be sure that each account in your organization corresponds to a single entity (person, service, application, etc.) whenever possible.

Next in the series: “Information Security Policy 101 – Administrator/Special Access Policy”

Previous:
Information Security Policy 101 – Acceptable Use Policy


Friday, July 6, 2007

When a DBA goes bad



What happens when a DBA goes bad? In the recent case involving Certegy Check Services (a Fidelity National Information Services division), the confidentiality of 2.3 million consumer records containing credit card, bank account, and other personal information was compromised.

From the July 3rd press release:

“Fidelity National Information Services Announces Misappropriation of Consumer Data by Employee of Certegy Check Services Division

Data sold to Marketing Solicitation Companies;
No Fraudulent Activity of Identity Theft Detected”

The data was stolen and subsequently sold to data brokers by a high-level DBA at Certegy who was entrusted with defining and enforcing data-access rights. The DBA, a man named William Sullivan, also allegedly owns a side business named S&S Computer Services in Largo, Florida. Allegedly, Mr. Sullivan took the data out of the building "via physical processes", not by transmission.

How does a business protect itself (and its customers)?
I can think of two things right off the bat: extensive screening of employees with access to sensitive information, and segregation of duty.

Employee Screening
Obviously employee screening does very little to protect against someone who has never been caught, or someone who goes bad after being hired, but it is a good precaution nonetheless. I would be surprised if this was the first thing that Mr. Sullivan had ever stolen, or the first time he had done something unethical if not illegal. Perhaps he would have been screened out, perhaps not. Screening is only one layer of defense.

Segregation of Duty
DBAs are very powerful people in most companies. A DBA typically has access to vast amounts of very sensitive data, defines who else can access the data, and also audits who has accessed the data! Bad news. As security professionals, we should never accept a single entity holding all three of these rights. There are good products in the marketplace to audit what DBAs do. Any company storing sensitive (and/or regulated) data would do well to have its security personnel look into these products.

Certegy
Although Certegy assures the public that no fraudulent activity has been detected with any of the personal information that was disclosed, there is essentially no effective way to prevent such things. Once confidential data is disclosed to unauthorized individuals, confidentiality can no longer be assured in any tangible manner. The best thing Certegy can do is take steps to ensure that this will not happen again and disclose to its customers what these steps are.

Certegy's Actions (thus far)
Certegy has filed suit against Mr. Sullivan in the case of Certegy Check Services Inc. v. William Sullivan, No. 076271CI13, Circuit Court, Pinellas County, Florida (St. Petersburg).

NOTE: This really does nothing to protect the victims (consumers) and will do little to remedy the situation, other than making people feel better that someone pays a price.

Certegy is implementing a fraud watch associated with the stolen records, and has notified credit-reporting agencies TransUnion, Equifax and Experian of the incident.

NOTE: TransUnion, Equifax, and Experian are three of the BIGGEST data brokers in the world! I would not trust them to do too much other than alert after the fact.

From Renz Nichols, president of Certegy Check Services: "It's a reminder that the best security systems are not immune to rogue employees." I agree with Mr. Nichols in the respect that you cannot stop all rogue employees, but I think you can certainly do more to detect them.


Information Security Policy 101 – Acceptable Use Policy


Finally, our first policy! If we have done this right, we have already done much of the legwork. So far we have defined what a policy is and obtained management’s endorsement. We have also identified what information our organization uses, how our organization uses the information it possesses, and the laws that pertain to the security of that information. We should be in a good position to write policy according to what our organization needs.

As stated in the first Information Security Policy 101 post, I will cover some of the more common policies found in organizations. I will cover them in alphabetical order, NOT in order of importance. The first policy is Acceptable Use.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
This policy is established to achieve the following:

  • To ensure compliance with applicable statutes, regulations, and mandates regarding the management of Information Resources.
  • To establish prudent and acceptable practices regarding the use of %Organization% Information Resources.
  • To educate individuals who may use %Organization% Information Resources with respect to their responsibilities associated with such use.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically an Acceptable Use Policy applies to all persons.

SAMPLE:
Audience
The %Organization% Acceptable Use Policy applies equally to all individuals granted access privileges to any %Organization% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Acceptable Use Policy
An Acceptable Use Policy is written to communicate what practices are prudent and acceptable to management regarding the use of the organization’s information resources. An Acceptable Use Policy should address:

General Information Resource Use

SAMPLE “General Information Resource Use” POLICY STATEMENTS:

  • Users must not attempt to access any data or programs contained on %Organization% systems for which they do not have authorization or explicit consent
  • Users must not intentionally access, create, store or transmit material which %Organization% may deem to be offensive, indecent or obscene

Email Access and Use

SAMPLE “Email Access and Use” POLICY STATEMENTS:

  • Auto-forwarding electronic messages to e-mail addresses other than those within the %Organization% internal e-mail system is prohibited
  • An employee’s personal e-mail account may not be used to send or receive %Organization% Confidential Information

Internet Access and Use

SAMPLE “Internet Access and Use” POLICY STATEMENTS:

  • Use of the Internet with %Organization% networking or computing resources for recreational games, or for obtaining or distributing pornographic or sexually oriented materials, is prohibited
  • Using %Organization% networking and computing resources to make or attempt unauthorized entry to any network or computer accessible via the Internet is prohibited

Voicemail Access and Use

SAMPLE “Voicemail Access and Use” POLICY STATEMENTS:

  • Use of the %Organization% voice mail system to defame, harass, intimidate or threaten any other person(s), or to send unnecessarily repetitive messages (i.e. chain mail) is prohibited
  • Users must refrain from disclosing any Confidential data in voice mail greetings

Incidental Use

SAMPLE “Incidental Use” POLICY STATEMENTS:

  • Incidental personal use of electronic mail, Internet access, fax machines, printers, copiers, and so on, is restricted to %Organization% approved users; it does not extend to family members or other acquaintances
  • Incidental use must not interfere with the normal performance of an employee’s work duties

Often there are statements in an Acceptable Use Policy that overlap with statements in other policies.

Conclusion
An Acceptable Use Policy is a necessary policy in many organizations. It is important to keep the communication as clear as possible and to encourage constant reference to it.

Download the SAMPLE ACCEPTABLE USE POLICY.

TIP: When all policies are written, combine them together as a global %Organization% Information Security Policy.

Next in the series – “Information Security Policy 101 – Account Management Policy”

Previous: “Information Security Policy 101 – Assess the Business”
