Reflections on Risk

My previous research work with Annie Searle & Associates has been compiled into an e-book named “Reflections on Risk”. The notes I wrote consolidated research done by several authors and organizations that gather disaster information in the industry. Here’s the Amazon link.

Operation Shady RAT

A private organization might not consider organized state-sponsored attacks in its risk management plan, but this operation may emerge as a severe threat to multinational companies in the near future.

Operation SHADY RAT (Remote Access Tool), named by McAfee’s senior threat researcher Dmitri Alperovitch, is a hacking campaign against several government bodies, private companies and defense organizations. I found some interesting articles (posted below) about this operation, how it was discovered, which companies were compromised and who might be responsible for such attacks. The increasing technical adeptness of cybercriminals and the hostile motives of countries that attack government systems have created a sense of insecurity and exposed a lack of security knowledge in the IT industry. Some companies are not even aware that such a threat to their intellectual property exists. Operation Shady RAT is the kind of campaign that might grow in intensity in the near future and therefore needs immediate attention from government and critical organizations.

Here are some articles that talk about Operation Shady RAT:

Information Assurance Assessment for a Financial Firm – A Case Study I worked on independently during my Master’s

This case was part of my independent research work in the field of Information Security. The aim of this study was to develop a complex case scenario and understand the different facets of assessing an organizational Information Assurance program. The later part of the case covers risk assessment and remediation.

Case Background

SHMF Financial Services*, headquartered in New York City, is a start-up financial firm that has begun to provide services such as property and asset management, underwriting, securities handling and tax consulting to its clients, which include private organizations, government and individuals. SHMF Financial Services grew quickly in the last year, with its number of customers increasing from 15 to 80.

Since SHMF Financial Services has a large client base across several domains, including some reputed organizations, its security strategies and controls need to be well established and audited regularly, both internally and by its clients. SHMF Financial Services had a small security team to ensure compliance with several local laws and regulations (mainly SOX, GLBA, ISO 27002 and PCI DSS). Some of its important controls included role-based access controls, segregation of critical data, source code version control and physical security controls for protecting customer data and complying with local regulations.

After the drastic increase in the number of clients, the company’s security and IT support need to be re-evaluated. This case analyzes the key considerations to be assessed, identifies the current business and technical risks of SHMF Financial Services and provides contingency and mitigation actions.

Risk Identification and Assessment

Risk Statement 1:

Inability to provide fraud intelligence and forensic support, which might lead to hefty legal fines and other legal complications.

Risk Drivers:

  • Being a start-up, SHMF does not have enough IT experts to prepare the company for disaster management, covering events such as a cyber-attack, earthquake, flood or any other unexpected event.
  • Lack of knowledge in the IT security team, and lack of collaboration between the IT security team and the legal team.

Risk Statement 2:

Inability to maintain client satisfaction, prevent corporate reporting errors and potential fraud, and ensure regulatory compliance for clients, due to a lack of effective SOD (Segregation of Duties) policies.

Risk Drivers:

  • Ineffective access management policies at SHMF: earlier, SHMF had few clients and no proper access management policies in place. With the increasing volume of data, SHMF’s accountability for maintaining the system has increased.
  • SHMF currently uses the same administrative accounts for privileged as well as non-privileged activities. Furthermore, the internal software development team has no software version control or change management procedures, allowing anyone to make changes to the software code.

Risk Statement 3:

Inability to prevent unauthorized access to the internal IT systems, leading to a data breach which might be accompanied by legal fines, customer loss and loss of market reputation.

Risk Drivers:

  • Ineffective security controls, such as insufficient firewalls to monitor incoming and outgoing traffic, use of insecure channels for data transmission, and use of e-mail to transfer critical financial data.
  • SHMF currently uses the same administrative accounts for privileged as well as non-privileged activities. Furthermore, the software developers have no software version control or change management procedures, allowing anyone to make changes to the software code.


Risk Statement 4:

Inability to limit the collection and use of customer information to what SHMF believes is useful to service their financial accounts, administer its business or tell them about its services, and to protect their privacy, might lead to loss of customer trust and market credibility.

Risk Drivers:

  • System weaknesses might mean that customer information is not stored in encrypted form.
  • Poorly developed internal software for managing customer information, with no regard for the handling of personal information.

Risk Statement 5:

Inability to adapt to any newly introduced U.S. governmental policies for financial auditing and transactions.

Risk Drivers:

  • Lack of knowledge in the IT and legal teams, and inability to stay current with the laws.
  • Because of a rigid business model, it might not be possible for SHMF Financial Services to adapt quickly to a changing environment. The absence of a change management process is a further risk driver.

Risk Remediation

Remediation of the above-mentioned risks is critical to the successful operation of SHMF Financial Services. The three pillars of security, Confidentiality, Integrity and Availability, have to be maintained in order to keep the balance between risks and costs. “Physical security measures, software password protection, and user access profiles are all basic tenets of confidentiality in the security framework. Access to information is not only limited to authorized personnel but is further restricted to use only for authorized purposes by authorized personnel.” (White, 2011)

Another pillar of an Information Assurance program is maintaining integrity for the organization. The basic idea of system integrity is to preserve the form of data both at rest and throughout its transmission from one place to another. The need to preserve data integrity rises sharply when handling personally identifiable information or other high-risk data (e.g. PHI). Therefore, having secure communication channels within SHMF is essential.

Maintaining availability of data is a foremost goal of an Information Assurance program. This facet of the program is managed by ensuring timely availability of stored data through the security controls and hardware/software in place. “Availability is compromised when a malicious “denial of service” attack prevents customers or users from accessing a website or computer network.” (White, 2011)

There are several other controls that are essential for the mitigation of the risks mentioned above:

  • An in-depth assessment of SHMF’s existing internal controls for segregation of user roles can provide insight into how they identify and manage financial risk, reflect the knowledge of the current security team, and provide valuable information on management’s views of the importance of documented procedures and compliance.
  • The in-depth assessment can help the team to identify access controls for accountability and authorization of developers, administrators and other users.
  • As mentioned above, the three pillars of information security should be protected by the information security team. This includes preventing access of outsiders to the internal systems, using secure communication channels within and outside the organization and providing appropriate authentication and user-access controls.
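The segregation-of-duties and access-control review described above can be made concrete as a small automated check over an access listing. The following program is an added example written for this post, not part of the original case study or of any SHMF system: the account model, the toxic duty pairs, the set of entitlements treated as privileged and the sample listing are all constructed assumptions. It surfaces the three problems the risk drivers name: one person holding conflicting duties (even across separate logins), privileged rights on an account that is also used for daily work, and a privileged login with no accountable owner.

```go
package main

import (
	"fmt"
	"sort"
)

// Account is one login together with the entitlements granted to it.
// This data model is an assumption made for the example, not SHMF's real system.
type Account struct {
	Owner        string   // person behind the login ("" if nobody is accountable)
	Login        string   // login name
	Entitlements []string // roles or permissions granted to this login
	DailyUse     bool     // also used for e-mail, browsing and ordinary work
}

// Finding is one control violation surfaced by the review.
type Finding struct {
	Subject string // person or login the finding applies to
	Rule    string // which control was violated
	Detail  string
}

// toxicPairs are duty combinations one person must not hold at the same time
// (hypothetical segregation-of-duties rules chosen for the scenario).
var toxicPairs = [][2]string{
	{"initiate_payment", "approve_payment"},
	{"commit_code", "deploy_production"},
	{"create_vendor", "approve_payment"},
}

// privileged lists entitlements that belong only on a dedicated admin login.
var privileged = map[string]bool{
	"sysadmin":          true,
	"deploy_production": true,
	"db_admin":          true,
}

// ReviewAccounts applies three controls and returns the findings sorted by
// subject and rule so the output is stable:
//  1. SoD:     no person holds both halves of a toxic pair, even across logins;
//  2. PrivSep: privileged entitlements never sit on a daily-use login;
//  3. Owner:   every login carrying a privileged entitlement has a named owner.
func ReviewAccounts(accounts []Account) []Finding {
	var findings []Finding
	perPerson := map[string]map[string]bool{} // owner -> union of entitlements

	for _, a := range accounts {
		hasPriv := false
		for _, e := range a.Entitlements {
			if privileged[e] {
				hasPriv = true
			}
			if a.Owner != "" {
				if perPerson[a.Owner] == nil {
					perPerson[a.Owner] = map[string]bool{}
				}
				perPerson[a.Owner][e] = true
			}
		}
		if hasPriv && a.DailyUse {
			findings = append(findings, Finding{Subject: a.Login, Rule: "PrivSep",
				Detail: "privileged entitlement on a login also used for daily work"})
		}
		if hasPriv && a.Owner == "" {
			findings = append(findings, Finding{Subject: a.Login, Rule: "Owner",
				Detail: "privileged login with no accountable owner"})
		}
	}

	// SoD is checked per person, so splitting duties over two logins does not hide a conflict.
	for person, ents := range perPerson {
		for _, p := range toxicPairs {
			if ents[p[0]] && ents[p[1]] {
				findings = append(findings, Finding{Subject: person, Rule: "SoD",
					Detail: "holds both " + p[0] + " and " + p[1]})
			}
		}
	}

	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Subject != findings[j].Subject {
			return findings[i].Subject < findings[j].Subject
		}
		return findings[i].Rule < findings[j].Rule
	})
	return findings
}

// SampleAccounts is a constructed access listing for the SHMF scenario.
func SampleAccounts() []Account {
	return []Account{
		{Owner: "alice", Login: "alice", Entitlements: []string{"commit_code"}, DailyUse: true},
		{Owner: "alice", Login: "alice-adm", Entitlements: []string{"deploy_production"}},
		{Owner: "bob", Login: "bob", Entitlements: []string{"sysadmin", "initiate_payment"}, DailyUse: true},
		{Owner: "carol", Login: "carol", Entitlements: []string{"initiate_payment"}, DailyUse: true},
		{Owner: "", Login: "svc-backup", Entitlements: []string{"db_admin"}},
	}
}

func main() {
	for _, f := range ReviewAccounts(SampleAccounts()) {
		fmt.Printf("%-11s %-8s %s\n", f.Subject, f.Rule, f.Detail)
	}
}
```

Running it on the sample listing reports three findings: alice has a separate admin login (good) but still holds both commit_code and deploy_production, bob does admin work from his daily account, and the svc-backup login has database admin rights with nobody accountable for it. A real review would load the listing from the identity system rather than a constructed slice, but the rules are the same.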

Through the steps mentioned above, and by protecting the IT infrastructure through a thorough security assessment, SHMF Financial Services can expand its business. A safe and secure environment can reassure management and provide better support to the other divisions of SHMF Financial Services.

Bibliography

White, Terro. (2011, May 13). What You Need To Know About Information Assurance These Days. Retrieved June 09, 2011, from Finance Article Directory: http://financearticledirectory.com/accounting/what-need-know-about-information-assurance-these-days.html

* All details (company name, setting, location etc.) used in this case study are purely fictitious and any resemblance to any company, business or person is purely coincidental.

The key to best defense is good offense

I have read this statement in several cyber security news articles and books that talk about securing information assets. Intruders often explore gaps in a secure system and exploit those gaps again and again. Understanding the threats and vulnerabilities of previously compromised systems and maintaining a database of those T&Vs is essential to exploring attack trends. This enables an organization to develop a baseline of all the risks associated with the organization and to develop and prioritize security controls to mitigate those risks. In other words, staying current is an offensive technique for defending against intruders and preventing direct damage.

Information Security Dashboard

Staying current with Information Security trends and emerging security risks is very important. The Internet provides access to a wide variety of news articles, publications, white papers and insights from leading IT professionals to help understand and manage the emerging changes in the IT security world.

Here are a few links that I use to stay current:

http://www.us-cert.gov/

http://www.infosecurity-us.com/

http://www.securityfocus.com

http://www.csoonline.com/ (My favorite)

http://www.cio.com/

http://www.zdnet.com

www.itsecurity.com

PWC Publications on Security: http://www.pwc.com/us/en/it-risk-security/publications.jhtml

www.computerworld.com

Symantec Security Response: http://www.symantec.com/business/security_response/index.jsp

NIST News: http://www.nist.org/news.php

Identity Management specific, http://www.computerweekly.com/Home/research/tech-topics/233016/identity-management.htm

http://www.continuitycentral.com/

I will add more as I come across some new news sources for Information Security.

Shirish

Compliance Motivated Organizational Change

In this hyper-competitive, dynamic world of technological advancement, major tech firms are striving to keep their firms compliant with IT regulations. To achieve compliance, organizations need to move from their current state to a desired state that fulfills the regulatory requirements. With changing compliance requirements such as PCI DSS and HIPAA, not only the healthcare and consumer industries but every firm that provides IT services needs a compliance-motivated organizational change. Organizations often worry about low-level privacy and data security issues while ignoring the major regulations.

The first step towards an effective organizational change is to assess the current condition of the organization. For an effective approach, executives need to be an integral part of the change and drive the changes in Information Security. A team of security experts, security consultants, internal auditors and upper management should collectively build the IT strategy for complying with the regulations.

Once the assessment of the current state is complete, the team should define a target state for the organization. Compliance principles should be assigned to the different departments within the company.

The last step is to fill the gap between the current state and the target state.

Prof. Dr. Roland Gabriel’s model for compliance-motivated change uses the RACI (Responsible, Accountable, Consulted, Informed) model to assess the current state of the organization. In his paper “improve security compliance: A process-based approach for organizational change”, he gives detailed examples of using ITIL and COBIT to drive organizational change for IT compliance.

Business Continuity or Data Breaches: What’s a major concern?

On one hand, business continuity is important for an organization to keep everything running in the event of a disaster such as a hurricane, earthquake or terrorist attack. On the other hand, the increasing number of data breaches and attacks by intruders has become a major concern for CSOs and security experts across the globe. But which of these risks is the major concern for the technology giants?

Here’s a survey by BDO, published in CSO magazine, which reports that business continuity is increasingly seen as the major risk:

Data security and breach prevention ranks low as a risk factor for most big technical companies, according to new research that identifies the most widespread concerns among the 100 largest U.S. public technology companies. The research, released by BDO, a professional services firm, examines the risk factors listed in the fiscal year 2009 10-K SEC filings of the companies; the factors were analyzed and ranked in order by frequency cited.

Among security risks, natural disasters, wars, conflicts and terrorist attacks were cited by 55 percent of respondents as a risk concern and was 16th on the list, much higher than breaches of technology security, privacy and theft, which was mentioned by 44 percent of the companies, putting it at 23rd on the list. Aftab Jamil, leader of the Technology Practice at BDO, said he thought business continuity was driving worries about risks like natural disasters and conflicts.

Read more: Business Continuity, not data breaches, a major concern for top firms


PCI Group talks about Point-2-Point Encryption

“Network World — The organization in charge of defining security for the payment-card industry’s merchants and service providers Tuesday issued two guidance papers, the first on end-to-end encryption and the second on payment card technology used more commonly in Europe than the United States.” – CIO Magazine, October 5, 2010.

My main thoughts are on the point-to-point encryption and validation guidance provided by PCI. The first paper provides an initial roadmap for point-to-point encryption and adherence to PCI DSS compliance. The document is not an exhaustive analysis of P2P encryption; it gives a perspective from the merchant’s point of view, for merchants who may be considering improving their security posture and reducing their compliance effort.

The main goal of P2P encryption is that the data remains encrypted both where it is stored and during transmission from source to destination, with no decryption possible at any point between the source and the destination.

The document discusses considerations for compliance and answers key questions that might come up in a merchant’s mind when implementing P2P encryption to improve security.
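To show what “no decryption possible at any point between the source and destination” means in practice, here is an added example, written for this post and not taken from the PCI guidance or any vendor product. It models a payment terminal that seals the card number with AES-256-GCM under a key shared only with the processor, a merchant-side hop that can only forward bytes, and the processor that opens the message. The key, the card number and the choice of AES-GCM are assumptions for the example (the PCI document does not prescribe an algorithm); in a real deployment the key would be held in secure cryptographic hardware, not in source code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// terminalKey is a constructed 256-bit key known only to the terminal and the
// processor's decryption environment. Never embed a real key like this.
var terminalKey = []byte("0123456789abcdef0123456789abcdef")

// SamplePAN is a constructed test card number, not a real account.
var SamplePAN = []byte("4111111111111111")

// newGCM builds an AES-GCM AEAD for the given key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtTerminal seals the PAN at the point of capture.
// Output layout: nonce || ciphertext || authentication tag.
func EncryptAtTerminal(key, pan []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pan, nil), nil
}

// DecryptAtProcessor opens the blob at the destination. It fails if the key is
// wrong or if any byte was altered on the way, because GCM authenticates the data.
func DecryptAtProcessor(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// MerchantHop models every system between terminal and processor (store LAN,
// back office, merchant network). It holds no key and can only forward bytes.
func MerchantHop(blob []byte) []byte {
	out := make([]byte, len(blob))
	copy(out, blob)
	return out
}

// HopCanReadPAN reports whether the PAN is visible in clear to the hop.
func HopCanReadPAN(blob, pan []byte) bool {
	return bytes.Contains(blob, pan)
}

func main() {
	sealed, err := EncryptAtTerminal(terminalKey, SamplePAN)
	if err != nil {
		panic(err)
	}
	relayed := MerchantHop(sealed)
	fmt.Println("hop can read PAN:", HopCanReadPAN(relayed, SamplePAN))

	pan, err := DecryptAtProcessor(terminalKey, relayed)
	fmt.Printf("processor recovered %q (err=%v)\n", pan, err)

	// A hop that flips even one bit cannot produce something the processor accepts.
	tampered := MerchantHop(sealed)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptAtProcessor(terminalKey, tampered)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The point of the example is the division of trust: only the two endpoints hold the key, so the intermediate systems are out of scope for cardholder-data handling, and any modification in transit is detected rather than silently accepted.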

You can read more about the document here: https://www.pcisecuritystandards.org/pdfs/pci_ptp_encryption.pdf

News Source: http://www.cio.com/article/622017/PCI_Security_Group_Speaks_Out_on_Encryption?taxonomyId=3089


Small & Mid-Size Organizations: The Need of Business Continuity & Disaster Recovery Plan (incomplete)

Bigger companies like IBM and HP have a business continuity plan. Small and mid-sized companies often know that they need to protect their company from day-to-day disasters as well as major disasters like earthquakes or hurricanes. They might have a plan on paper or an idea in mind, but they do not know what to do next.

How do you go about creating a business continuity plan for your company? I will list a few simple steps:

Writing more…

Source:

http://www.ecommercetimes.com/story/70034.html?wlc=1284504144

The Blur Line Between Security and Compliance

The article, The Security-Compliance Divide That Can Threaten Your Business, by Ron Hovsepian, talks about the need for the security and compliance departments in an organization to work together to face various critical challenges.

It often happens in companies that employees have access to information they are not supposed to see. This increases the vulnerabilities and the risk of a data breach. Moreover, companies assume that increasing IT security would ensure compliance with regulations such as SOX, or vice versa.

The article highlights the key issues organizations face when moving IT infrastructure to the cloud and introducing enterprise mobility. To ensure proper compliance and security simultaneously, identity management rules have to be enforced. As Ron mentions, “Without a strong identity management infrastructure, it’s nearly impossible for a business to comply with today’s complex security and compliance requirements.” The CSO and CCO must work closely together to control who has access to the IT assets and how those assets are managed and handled. An effective risk and vulnerability management plan can prove efficient for the CSO and CCO.

Therefore, thinking from both the compliance and the security standpoint, C-level executives should work towards identifying and mitigating key risks and moving ahead towards common goals.

Source:

http://www.forbes.com/2010/09/14/security-compliance-it-leadership-governance-hovsepian.html
