Tuesday, November 30, 2010

Some Basics on Data Protection

Verizon recently released a report in which it concluded that data security has not improved since it began its current series of surveys in 2008. It's a short time, but nevertheless, one would hope that there would have been some improvement, especially in view of the widely reported data breaches that have occurred during that period.

Even more surprising is the series of recommendations they put forward. These are recommendations that IT auditors and security experts have been making for many years. A panel from Computerworld put together four basic points:

1. Don't just log, monitor - Logging by itself accomplishes nothing; the results need to be monitored.
2. Tweak your network configuration - The constant addition of new applications and upgrades can change the system by adding in unexpected defaults. These need to be reviewed and perhaps changed.
3. Educate your users - User understanding of the system and its security routines is critical, as is the development of a strong security culture.
4. Document and monitor access privileges - So fundamental. Security management needs a record of which users have access to sensitive data or functionality, and those users need to be monitored. The current Wikileaks case, where a soldier in a remote base downloaded confidential documents to CDs, is a case in point.

The Verizon report said that 64% of the data breaches could have been prevented with the use of these simple procedures. When will we ever learn? Click this link for a report on these four security measures.
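As an added illustration of points 1 and 4 (this is not code from the Computerworld panel or the Verizon report), the following Python script reads a constructed access-privilege register and a few constructed access-log lines in a made-up format, and raises alerts for access by users who are not on the register and for repeated exports of a sensitive dataset, the pattern in the Wikileaks case mentioned above. The register, the log format and the export threshold are all assumptions.

```python
# Added example: monitor access logs against a documented privilege register.
# The register, log format and threshold are constructed for illustration.
from collections import Counter
import re

# Constructed register: which users are entitled to which sensitive dataset.
ACCESS_REGISTER = {
    "cardholder_db": {"alice", "bob"},
    "hr_records": {"carol"},
}

# Constructed log lines in a made-up format: timestamp user action dataset
SAMPLE_LOG = """\
2010-11-30T09:01:12 alice READ cardholder_db
2010-11-30T09:02:40 dave READ cardholder_db
2010-11-30T09:03:05 bob EXPORT cardholder_db
2010-11-30T09:03:06 bob EXPORT cardholder_db
2010-11-30T09:03:07 bob EXPORT cardholder_db
2010-11-30T09:10:00 carol READ hr_records
2010-11-30T09:11:00 alice READ hr_records
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|EXPORT) (\S+)$")
EXPORT_THRESHOLD = 3  # exports per user per dataset before an alert is raised

def parse_log(text):
    """Yield (timestamp, user, action, dataset) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def monitor(log_text, register, export_threshold=EXPORT_THRESHOLD):
    """Return alert strings: access outside the register, and bulk exports."""
    alerts = []
    exports = Counter()
    for ts, user, action, dataset in parse_log(log_text):
        # An unknown dataset has no entitled users, so any access is flagged.
        if user not in register.get(dataset, set()):
            alerts.append(f"{ts} UNAUTHORIZED {user} {action} {dataset}")
        if action == "EXPORT":
            exports[(user, dataset)] += 1
            if exports[(user, dataset)] == export_threshold:
                alerts.append(f"{ts} BULK_EXPORT {user} {dataset} x{export_threshold}")
    return alerts

if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG, ACCESS_REGISTER):
        print(alert)
```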

Monday, November 29, 2010

Security Holding up Cloud Adoption

The recently announced second annual Mimecast Cloud Barometer Survey, conducted by Loudhouse Research, finds that 74 percent of IT departments surveyed point to the trade-off between cost and IT security, and 62 percent see a risk in storing data on servers outside the business. For Canadian companies, the situation is complicated by the US Patriot Act. Most cloud providers are US based, and many hold their data on servers in the US, which gives the authorities access to it under that act. There are concerns that this violates the provisions of the Canadian Privacy Act (PIPEDA). In any event it adds to the risk for Canadian companies and has contributed to slow cloud adoption, particularly in the BI area.

Thursday, November 25, 2010

COSO Announces Project to Modernize Internal Control - Integrated Framework

Last week, the COSO committee announced that it would be updating the COSO framework. "The Committee of Sponsoring Organizations of the Treadway Commission (COSO) today (sic) announced a project to review and update the COSO Internal Control - Integrated Framework (Framework). This initiative is expected to make the existing Framework and related evaluation tools more relevant in the increasingly complex business environment so that organizations worldwide can better design, implement, and assess internal control."

The intention is to update the guidance to reflect changes in the environment, such as technological changes and regulatory expectations, but not to change the fundamental principles of the framework. PwC has been hired to support the update, which is expected to be released in 2012. For the announcement, click this link.

Wednesday, November 24, 2010

Honeypots

Honeypots, often a very useful and efficient intrusion detection device, have been around for a long time, but are now getting more sophisticated and complex. Honeypots are devices (often just an old PC), connected to the internet or a network, which contain features designed to lure hackers. For example, they might contain fake bank login information or credit card information resident in places where hackers might look.

Software is available for honeypots, which not only sets up the lures, but also detects and records the activities of intruders. Since a honeypot has no legitimate users, any activity on it is deemed to be suspicious.

Most systems connected to the internet should have honeypots. They are simple to install and cost effective to run, having virtually no maintenance cost.

For a series of excellent articles on honeypots as well as some reviews of current honeypot software, check out this link.

Sunday, November 21, 2010

Virtualization and the Cloud

The spread of cloud computing, particularly in the form of Infrastructure as a Service (IAAS), has been accompanied by a growth in virtualization. There has been a great deal written about the security implications of each, but not so much on the implications of both taken together, yet this is a common occurrence.

CA has released a white paper that addresses this area. The white paper suggests the following:

"A comprehensive solution for privileged access management is required in order to mitigate the risks associated with the new breed of security considerations and satisfy auditors. Service providers delivering Infrastructure-as-a-Service will need to provide premium visibility and control features to their customers if they want to attract the enterprise market.

An effective solution must ensure limitations on privileged users performing authorized operations on the virtualization infrastructure. This reduces the risk associated with over-privileged accounts or external intrusions which may compromise the gateway to guest images. Machine-to-machine protection through network isolation should be supplemented by access enforcement amongst them."

A copy is available from this link. (Free registration required)

Monday, November 15, 2010

5 tips for effective cloud security

Security in the cloud remains a serious concern for many companies, particularly those who have private or sensitive information on their systems about customers. Overcoming that concern takes some foresight and planning. This article points out the following considerations:

1. Find out as much as you can about a software-as-a-service provider's security measures and infrastructure. If you are going with an infrastructure-as-a-service provider, ask what tools it can provide you to protect your virtual environment.
2. Encrypt data at rest and in transit; otherwise, don't put sensitive information in the cloud.
3. Divvy up responsibilities between your administrators and the service provider's administrators, so no one has free access across all security layers.
4. Check whether a vendor has been accredited as meeting SAS 70 Type 2 and ISO 27001 security standards. If you are an international company, check for European Safe Harbor accreditation as well.
5. Go with a high-end service provider with an established security record. "You get what you pay for," says Gartner analyst Jay Heiser.

For the article, click this link.

Friday, November 12, 2010

IT Internal Audit Effectiveness

An IT Internal Audit department always has the risk of becoming mired in routine computer control functions, which don't change very much and are generally quite controllable anyway. Auditing conventional computer controls by rote can lead to a very ineffective IT audit function.

What is more important is to align the audits with the overall risk assessments of the enterprise. The IT audit function has a lot to offer in this area. It is an interactive process, with the auditors using the risk assessment as a guide and also providing input on areas where it can be improved.

Deloitte has published a series of CEO reports, one of which deals with the effectiveness of an IT Internal Audit (IT IA) function. The booklet provides numerous examples of risk areas that should be considered for inclusion in the audits. They include contract compliance, green IT, adaptability readiness, and readiness for upcoming regulatory changes. The guide also suggests strategies for using continuous monitoring techniques to improve the audits.

It is an excellent guide and is available on the Deloitte website for free download.

Thursday, November 11, 2010

Personal Use of Enterprise Related Mobile Devices

The use of mobile devices has proliferated in organizations, with some of them being owned by the enterprise and others owned by the individual employees. Either way, many of them are being used for personal purposes in addition to enterprise work. This is a matter of concern to organizations, partly because of the time that can be consumed through such activities on the job and partly because of the increased risk of phishing attacks on the organization that such activities pose, which carries the risk of loss of sensitive data.

A recent ISACA survey - 2010 Shopping on the Job - showed that 26% of companies surveyed in Canada believe that employees will use their work-related mobile devices for shopping to the tune of 1 - 2 hours during the coming Christmas season. The cost of this in lost time is perhaps $1500 - $2000, according to the survey.

A majority of companies have a policy with regard to personal use of such devices, but very few prohibit it, probably in recognition of the unenforceability of such a rule.

Mobile devices are common now, and growing in their use. Every company should at least have in its risk assessment a consideration of the risks related to mobile devices and specifically, personal use of them. Then appropriate policies can be developed. The results of the ISACA survey and the related white papers can be downloaded from the ISACA site.

Wednesday, November 10, 2010

The Importance of Logs

Most auditors are well aware of the importance of logs. However, many of their clients are not, and usually need to be reminded periodically.

Much of the literature on security breaches deals with prevention. And prevention is important, no question about that. However, breaches cannot always be prevented, and when they do occur, logs are critical to determine what happened, what vulnerabilities led to the success of the attack, and what can be done to prevent another one.

Logs often present an issue to system operators or management because they can slow down a system, and response time is even more important than it used to be, since users have little or no patience with slow responses. The issue, therefore, is to balance the security needs of the company with system performance.

When logs are turned on, they need to be configured to identify the systems for which data is to be gathered, specify the level of security to be used for key components of the system and establish the level of detail to be recorded for events.

The level of security and the level of detail gathered are crucial to the potential drag on system performance. They therefore need to be set according to the security strategy of the company and so as not to gather unnecessary data. So well-planned configuration is the key. This article discusses this issue and provides some useful guidance.

Tuesday, November 9, 2010

Cloud Security

Security in the cloud has been a hot topic ever since that regime began. Many feel that cloud security can be good. However, the mere fact that the question is being asked can, in certain circumstances, be a business problem in itself. For example,

"I believe if you set it up correctly, the cloud can be as secure as anything else," says the CTO of a financial services startup. "But we don't want to have to waste time communicating to potential customers that the public cloud is secure. It's a conversation you don't want to have."

As a result of this concern, the company opted out of the cloud and went with a private co-location facility. While they felt that the Amazon service they were using could be configured to be as secure as anything else, they feared the questions in customers' minds could cost them business, and made their decision accordingly. For the full story, please see this article.

Thursday, November 4, 2010

The Responsibility is Yours

A new section of the Homeland Security Department in the US has launched a public campaign stressing that internet security begins with you - the user. The campaign is part of the President's efforts to improve on internet security, which increasingly is being regarded as a matter of national security.

The trouble is, telling people that they have some responsibility, in an age when people refuse to accept responsibility for almost everything, is a tough message to get out. However, there is a lot of validity to it. Just yesterday, there was another report of data being found in a dumpster. There have been several others this year, for example, medical records and some information from Macy's. How many times does this need to happen before companies implement and enforce proper data disposal procedures? It is one of the oldest problems in the age of computers (and even pre-computers), and yet it has still not been solved. Is there hope? Here's an article about the Homeland Security campaign.

Monday, November 1, 2010

Social Networking and Security - Are they compatible?

The question of the compatibility of good IT security and social networking has been extensively discussed over the past couple of years, and recently it was a big issue at the Interop NY 2010 Convention in New York City. Some of the sessions are quite instructive about the do's and don'ts of security in the social networking environment. In one of them, Ben Rothke, Senior Security Consultant at British Telecom, began with the observation that the issue cannot be avoided because social networking has now gone mainstream.

He presented six steps to mitigate the risks. Of course, they include proper organization for social networking security, including setting up a specific security team, and planning for and identifying the risks inherent in the particular social networking systems being used. Good common sense. There is a report on these ideas at this link.