Page 38 of 40

Tis the Season to be Jolly

IT administrators can guarantee one thing after Christmas. Employees will be coming back from their Christmas breaks talking about their holidays, showing off photos of their kids and Santa….and showing off their new toys: Android phones, iPhone 5s, iPads, Galaxy tabs, Kindles and even some Windows Phone here and there.

Apparently device activations went up 332% on Christmas day. Apps download hit 20 million apps per HOUR. That’s a big wow for everyone, because it shows that Santa is a tech geek, and a LOT of people are getting tech gadgets for their presents. I mean, they just don’t wrap a book anymore do they?

As an aside, I wonder why on earth didn’t Blackberry cash in on the Christmas spirit?

Back to our faithful IT admins, the new devices brings in an old headache. How will we control these new, shiny timebombs in the hands of executives, who, through simple carelessness or plain ignorance could send data and information into public domain hell…data that the company has spent millions trying to protect?

We believe in 2013, MDM (mobile device management) will take a firmer hold in the collective consciousness of IT managers. These devices, in essence has taken over the netbooks and ultrabooks out there and should be treated as a device itself in an enterprise. Voice is no longer the primary function of these phones, as users spend less time talking and more time texting, facebooking, googling, youtubing, twittering and all sorts of new verbs invented to describe the new generation of communicating.

While we’re not a system integrator in a strict sense of the word, we do have obligations to get up to speed with new technologies and where we predict that the industry would be heading. We’ve got a few MDMs solutions being tested in our lab, as well as to see how they impact organisations. We don’t need it, yet. Our clients might. We tend to try to bust past the brochure knowledge of products and try them out in behalf of our clients even when there’s no demand yet…in that way, when we talk about technology, we talk about things we’ve experienced, not read about.

We’ll keep up the MDM subject as we enter 2013, and update on the progress on some of the solutions being tested.

IDS: A Technical Understanding

With the rapid advancement in information technology, businesses are moving to an intensive IT-integrated model. By utilizing the features of information technology, businesses are able to reach out to more audiences, regardless of geographical aspects and language barriers. This provides an advantage to business; higher audience in a relative lower costs. However, the utilization of information technology is a double-edge blade, as confidential information are stored as data in servers available in the internet, as compared to printed hard copies of documents kept and locked in cabinets.

To ensure continuous availability of information, the network the server resides is connected to an untrusted network, namely the Internet. In order to protect unauthorised access to the information, security measures are needed to be implemented. In this article, we will discuss about the firewalls and intrusion detection systems.

Difference between Firewall and Intrusion detection system

A firewall is a device or group of devices that enforces an access control policy among networks.” Its main function is to control incoming and outgoing traffic, between two networks by allowing and denying such traffic depending on pre-determined rule sets. Therefore, a firewall is a preventive control acting as keys and locks between the networks, as shown in figure 1 below:

An Intrusion detection system (IDS) on another hand, is a device or application that monitors network activities and attempts to detect suspicious activities going through the network. Consider IDS as a burglar alarm for your office; when they enter your office (i.e. unauthorised access), the alarm will alert you. Therefore, IDS is a detective control; its main function is to warn you of suspicious activity taking place ? not prevent them (Refer to figure 2):

Reason for IDS

A firewall is a crucial component of securing your network. The predefined rule set within the firewall provides protection that any traffic going through the closed ports are denied but also allows some of these through the network as well. However this means that the access allowed is just let through, and firewalls have no clever way of telling whether that traffic is legit and normal. This is where IDS comes into play.

Placed between the firewall and the system being secured, a network based IDS can provide an extra layer of protection to that system. For example, monitoring access from the internet to the sensitive data ports of the secured system can determine whether the firewall has perhaps been compromised, or whether an unknown mechanism has been used to bypass the security mechanisms of the firewall to access the network being protected.

Let’s take a look at an example by referring firewalls to locked doors (key and locks) and IDS to alarm systems (as mentioned above). Let’s say that you have lots of confidential documents stored in a filing room within your office: The locked doors will stop unauthorized individuals from entering the filing room. By themselves, they do nothing to alert you of an intrusion, but they deter unauthorized access. The alarm system will alert you in case an intruder tries to get into the filing room. By itself, it does nothing to prevent an intrusion, but it alerts you to the potential of an intrusion. As you can see, both security mechanisms complement each other, providing better overall security towards the access of such confidential documents.

It should be noted that IDS should not be employed as a single security mechanism. By using a layered approach, or defence in depth, a network should have multiple layers of security, each with its own function, to complement the overall security strategy of the organization.

Conclusion

Before implementing security controls within the organisation, it is crucial to conduct a risk analysis based on the confidentiality, integrity and availability of the data. As there are almost no servers that are immune to penetration/intrusion, it is recommended that the security mechanism implemented are capable of minimizing the risk.

In the next article, we will talk about Intrusion Prevention System and the reason for having one within an organisation.

CyberInsurance: The New Frontier

I recall back in 2009, I gave a presentation on the importance of risk management in IT, and how having strong technical controls such as proxy gateways will help alleviate network security risks. At that time, I was the head of APAC Services for BlueCoat Systems, a Silicon Valley company specialising in proxy and WAN optimisation technologies.

Someone then asked me, “Why not we just transfer all our cyber risks to someone else?”

I was pitching a sale, but I was a terrible salesman. So we engaged in an interesting discussion on the case for “cyberinsurance”. Back in 2009, my argument was pretty simple: there were limited ways to measure  cyber risks. Unlike life insurance or health, where you had historical records, I can safely say, a majority of cyber breach will go either unreported or unknown. Would anyone insure a company when they did not know if that company was currently hacked, has been hacked, or has been compromised without knowing? Or how would they cover if the company purposely gets hackers to hack their system to claim their insurance? There were too many variables.

Fast forward 4 years and cyberinsurance is still met with a mixture of disdain, disbelief and skepticism. But the numbers show that in the past 4 years, the alarming increase of cyber threat incidents gives the thought of cyberinsurance new legs to run on.

In our Twitter, we list out security issues in the wild wild Cyberspace. Over the years, we’ve seen behemoths like Facebook, Google, NASA, BoA, Sony, Samsung, Amazon, Yahoo, Microsoft…you know what, just throw in Lockheed, RSA, the government of the United States and every big company you can think of…all have their own variance of security incidents, either dealing with data confidentiality breach, integrity compromise or availability issues. According to the article on Wall Street Journal, most of the data breach occurs at SMBs.Those are reported cases. God knows how many dormant trojans, worms and hidden malware were there, systematically sucking information from insecure devices in small businesses or gearing up for a massive zombie DDOS attack on large companies on New Year’s Eve.

Perhaps it’s time to rethink the need for Cyberinsurance.

In PKF Avant Edge, we’ve been engaged on a number of data forensics projects. All these happened after a data breach or suspected fraud in the company. One of the questions we get asked is: “How much does it cost?”

Getting IT forensics experts is not cheap, although we’re quite certain we offer the lowest and most cost effective, qualified consultation in the market. But we’re still more expensive than the Low Yat guy that runs a freeware data recovery tool. Low Yat is this huge computer selling mall in Kuala Lumpur. The problem with these attempts (and boy, have we seen these so many times), is that it’s a hack job that doesn’t hold up in court. Anti-forensics dictate that qualifications, tools and methodologies must be in place. Tell that to Mr Low Yat.

But instead of bearing the cost of after-breach investigation, why not have cyberinsurance to cover instead?

Of course, the golden question here is, what should cyberinsurance at least cover? Followed by equally important and mind stumping questions like: How much premium to charge? What should NOT be covered?

One way to demystify the technical jargons from IT is to look at cyberinsurance as…an Insurance. Before approving a policy, what does a policy cover? Based on that individual, how much premium to charge?

Cyberinsurance should at least cover the following:

1) Data confidentiality and Integrity Risks – regulatory fines such as PDPA, PCI-DSS; forensic costs and investigation costs; PR costs and summonses, consequent security audits; third party claims and expenses. It’s pretty hard to cover the actual data loss since quantifying it to a dollar value is so subjective, but there could be a possibility, for instance the intellectual property of Apple was quantified to a billion. Ask Samsung.

2) Availability Risks – loss of business based on website downtime; DDOS incidents and virus attacks; incident response costs; IT specialists cost for post-attack cleanup and monitoring; PR costs. This should be focused on companies that depend a lot on their websites for their business. If hacked, what is the loss to the business?

Cyberinsurance is still at a very, very young stage. However, we’re going to see an exponential progress in technology in the next 3 years, faster than the last 10 years. Big Data, Virtualisation, Cloud technology. IT will be so soaked into every business that companies will have no choice but to leverage on IT to not just differentiate, but to basically survive. And with IT adoption comes the risks of running IT. Like in nature, the conditions of the environment are just about right for cyberinsurance to become the next step in the evolution of the insurance industry.

 

PCI-DSS, ISO27001, COBIT and a Partridge in a Pear Tree

We just secured another PCI-DSS deal today, and once the customary celebration has died down, we will set aside time to start planning for the project. For this project, PKF works with our QSA (Qualified Security Assessor) vendor, Control Case, to ensure that our clients get the best consultation and services possible, and to almost guarantee a certification in PCI-DSS. I say almost guarantee, because there are no such thing as 100% in this world. For instance, what if a meteor crashes on earth just as the PCI-DSS audit was about to start? Sure, we’ll all go the way of the dinosaurs, but was our client certified? No!

Anyway, jokes aside, we’re gearing up for the new year, with PCI-DSS, some ISO27001 and our normal COBIT assurances in the pipeline. The reason why we focus so much on these 3 standards and framework (COBIT is NOT a standard!) is because they are inter-related. ISACA and other groups have mapped all three to each other in a sort of matrix fashion, so that sitting down with a PCI-DSS guy and talking about the 12 requirements, you inherently can map COBIT controls on those 12 requirements, and hey, presto, to the 11 domains of ISO27001. PCI-DSS can be mapped against ISO27001 as well, especially to the holy Annex A controls of the ISO standard. The fact is, anyone that has ISO 27001 experience will be interlaced with PCI-DSS and COBIT as well. They are all siblings of the same mother, IT governance and audit.

Of the 3, both PCI-DSS and COBIT has taken major steps forward. PCI-DSS 2.0 came out 2 years back and added in virtualisation and a lot more clarifications on testing procedures. The big step forward was that now risk assessment documentation must be verified against accepted risk management methodology. Before this, there wasn’t such a need. In doing so, PCI-DSS is moving closer to his bigger brother, ISO27001, which is risk-based.

COBIT has always been risk based. Anyone that comes at you with a COBIT checklist should be questioned. We’re not saying checklist is wrong, but there must be a context of that checklist. We see a lot of “checklist based on industry benchmarks.” That’s one way. But each business is different. Not every IT division needs a IT strategic roadmap with a 5 year plan on IT investments. I know one of my client whose IT guy is basically the guy from Low Yat, doesn’t. That client needs more controls on information leakage and policies governing that Low Yat guy. Fix what’s priority. Fix what is highest risk. And in order to do that, you need to know, interact, interview with the client.

COBIT 5 takes this literally. For too many years, practitioners has been throwing COBIT controls like fireworks on Chinese New Year Eve. Comply to this, else we will give you a big fat zero! We’ve been using COBIT 4.1 for a long time now, and it still remains an ‘auditor’s framework’. With COBIT 5, we move up the ranks to IT governance. It’s a different way to audit. Here we look at the causal relationships of IT and business. The controls tie to the governance of IT within the context of the organisation, hence putting practitioners with risk experience to the forefront. Unlike the haphazard way of trying to tie RISK IT, VAL IT and COBIT together, COBIT 5 hopes to bring in a more uniform approach to IT auditing, one that will hopefully transpose the audit from the realm of the IT techies to the board.

With COBIT 5, the checklist wielding junior internal auditor whose knowledge of IT consist of facebook and farmville will, hopefully, go the way of the dinosaur, and be replaced by practitioners who has real world experience, management insights and the technical-business acumen to bridge technology into corporate relevance.

Web Trawling: Your life is on the Net

I remember, almost 20 years ago, a movie called “The Net” came out, starring Sandra Bullock. It was one of the first few movies dealing with information security and theft, and invalidation back in the heydays, when we thought the internet was a new brand of spandex.

Fast forward 20 years and here we are. The information highway was incorrectly named. It wasn’t a high way, or even a super highway. It is now an intergalactic, hyperspeed wormhole that every single imaginable information is being collected and stored, and waiting to be trawled.

Trawling is a term we often use when we want to find out more about certain people or things on the internet. We use specialised tools to help us create informational relationships, connecting the dots.

In Avant Edge, we do quite a bit of forensics work. Part of forensics is actually forming the context. If it is an individual, we’d like to know not just what’s in his laptop, but his online habits, the forums he has posted, whether he is active in the social network, who has he been in frequent touch with; and whether he eats green or red apples. So it has to be the CIA or FBI then, right?

Nope, because most information can be obtained freely on the net. It’s scary. You can basically vanity search your own name and you’ll be surprise what’s out there. Private investigators can now conjure up scenarios based on bits and pieces found on the internet.

Web Trawling could be another branch of information audit we will be including for 2013. With some customised tools, we can basically craft relationships of an entity as we trawl entirely through the internet.

Here’s a very scary proposition, illustrating our idea:

 

 

« Older posts Newer posts »

© 2024 PKF AvantEdge

Up ↑