ISO 27000 Newsletter
United States
2007-08-03 05:23:48

ISO 17799 BECOMES ISO 27002
===========================

Following the decision taken by ISO last year, ISO 17799 has finally
been renamed to ISO 27002. The change of name is simply that: a change
of name.

Logic Bomb Dangers Highlighted
==============================

The recent case of a former US Government contractor pleading guilty
to sabotaging Navy computers highlighted the need for constant
vigilance with respect to so-called 'logic bombs'.

Also known as 'slag code' and commonly associated with 'disgruntled
employee syndrome', a logic bomb is a piece of program code buried
within another program, designed to perform some malicious act. Such
devices tend to be within the province of technical staff
(non-technical staff rarely have the access rights and even more
rarely the programming skills required) and operate in two ways:-

1. 'Triggered Event' - for example, the program will review the
payroll records each day to ensure that the programmer responsible is
still employed. If the programmer's name is suddenly removed (by
virtue of having been fired) the Logic Bomb will activate another
piece of code to slag (destroy) vital files on the organization's
system. Smarter programmers will build in a suitable delay between
these two events (say 2-3 months) so that investigators do not
immediately recognize cause and effect.

2. 'Still Here' - in these cases the programmer buries coding similar
to the Triggered Event type but in this instance the program will run
unless it is deactivated by the programmer (effectively telling the
program - "I am still here - do not run") at regular intervals,
typically once each quarter. If the programmer's employment is
terminated unexpectedly, the program will not be deactivated and will
attack the system at the next due date. This type of Logic Bomb is
much more dangerous, since it will run even if the programmer is only
temporarily absent (eg through sickness, injury or other unforeseen
circumstances) at the deactivation point. The fact that it wasn't
meant to happen just then is of little comfort to an organization with a
bombed system.

Logic bombs demonstrate clearly the critical need for audit trails of
activity on the system, as well as strict segregation of duties and
access rights between those staff who create systems (analysts,
developers, programmers) and the operations staff who actually run the
system on a day-to-day basis.

The History of The Information Security Standards
=================================================

Examination of the past often illuminates the present. This is
certainly the case in terms of untangling the different acronyms and
numbers associated with the information security standards.

The embryo of the security standards was actually a document published
by the UK Government's DTI in 1992. This was the 'Code of Practice'
for Information Security Management. This was subsequently upgraded by
BSI (the British Standards Institute) who published 'BS 7799-1 - Code
of Practice for Information Security' in 1995. BSI enhanced this
document, and also published a second part: BS7799-2, which was a
specification for security management, in the late nineties.

In 2000 ISO finally appeared on the scene, adopting BS 7799-1 and
renaming it to ISO 17799:2000. However, it wasn't until 2005 that they
eventually adopted BS7799-2, which became ISO 27001:2005. ISO 17799
was re-published in the same year, and as explained above, was renamed
to ISO 27002 in July 2007.

Also in 2005 BSI published BS7799-3. This is 'Guidelines for
information security risk management'. Again, the chances are that
this will eventually evolve into an ISO standard (possibly ISO 27005).

So we thus have:
ISO 27002:2005 - Code of Practice
ISO 27001:2005 - Specification for an ISMS
BS7799-3 - Risk Management.

It is not actually quite this simple though... because ISO are
attempting to 'normalize' their entire numbering system. They want all
their information security standards to be similarly numbered. That is
reasonable of course, but many would argue what is not reasonable is
simply to rename documents at a random point in time, rather than on
the next upgrade.

The full numbering intention is documented on the ISO 27000 Directory
(http://www.27000.org)

Information Ownership Issues
============================

It is essential that the ownership of information systems, data and
files is formally established within the organization. This formal
assignment invariably brings with it a more serious approach, 'top
down', to the whole issue of information security.

Historically, all electronic systems and data files were considered to
be "owned" by the IT department, but over recent years ownership has
correctly moved towards the areas or individuals who actually create
the information, or who are ultimately responsible for the data and
systems output.

Usually, the person who creates, or initiates the creation or storage
of the information, is the designated owner. In an organization,
possibly with divisions, departments and sections, the owner becomes
the unit itself with the person responsible being the designated
'head' of that unit.

The Information owner is normally responsible for ensuring:-

- that an agreed classification hierarchy is put in place and that
this is appropriate for the types of information processed for that
business / unit;
- that all information is classified and stored into the agreed types,
and that an inventory (listing) is created;
- that each document or file within each of the classification
categories has its agreed (confidentiality) classification appended
to it;
- that for each classification type, the appropriate level of
information security safeguards are available (e.g. the logon controls
and access permissions applied by the Information Custodian provide
the required levels of confidentiality);
- that periodically there is a check to ensure that information
continues to be classified appropriately and that the safeguards
remain valid and operative.

If a designated owner of information leaves the organization, it is
important to ensure that a new owner or custodian is immediately
appointed to protect the approved levels of confidentiality and
approve or decline access requests.

Many organizations have seen a demonstrable improvement in the
cultural approach to security as a result of ownership clarification.
It is a move certainly long overdue for those whose IT departments are
still seen as data owners.

More ISO 17799/27001 Frequently Asked Questions
===============================================

1) Where Do I Start with an ISMS?
The start point most often recommended for the implementation of a
formal Information Security Management System (ref: 27001) is a
definition of scope. This is in fact pure logic. Unless you define
your boundaries you are unlikely to get too far without encountering
significant difficulties. The scoping exercise itself is often quite
illuminating.

2) Where Do I Find a List of Certified Companies?
There is no global list, as companies tend to be certified via
national accredited bodies. However, there is an international
voluntary register hosted by the ISO 27001 Open Guide:
http://iso-17799.safemode.org/index.php?page=ISO_27001_Certifications

3) How many companies are now certified?
At the last count this was well in excess of 2,000.

4) What is ISO Guide 62?
This guide contains the requirements applicable to an Accreditation
Body (which subsequently bestows authority to issue certificates).

Information Security News
=========================

1) Sophos (http://www.sophos.com) reports that malware is
increasingly being spread via web pages, rather than via email, with
sites in China and Hong Kong accounting for more than half the total.
Most affected sites are victims themselves, having been compromised by
hackers. In a separate report, Pandalabs
(http://www.pandasoftware.com/virus_info/pandalabs) report that malware
detections increased by over 170% last year.
Trojans now represent more than half of such attacks, with Bots on 14
percent and backdoors on 13.

2) A recent survey by Network
Box (http://www.network-box.co.uk) of 250 small businesses
demonstrated an alarming indifference
to security. 62 per cent had no system in place to protect against
phishing, whilst a staggering 99% did not know how often their
anti-virus software was updated.

3) The University of Missouri became the latest in a string of
universities to suffer a serious security breach when hackers obtained
more than 20,000 Social Security numbers (SSNs). Using IP addresses
from China and Australia, the hackers made thousands of queries over a
span of hours, obtaining one SSN at a time.

4) According to Symantec (http://www.symantec.com), Image
Spam still accounts for more than 25% of all spam. This is essentially
a technique which uses embedded images to bypass phishing filters.
Whilst this is down from earlier in the year, the daily rates indicate
a high level of variance. Spam itself accounts for 65 percent of all
email at the SMTP layer.

5) A video clip was recently posted on YouTube showing union
protestors examining trash awaiting collection outside Chase Bank in
New York. The video (http://www.youtube.com/watch?v=G_8xRnzQqME) shows
loan application forms and other sensitive data being examined by the
Service Employees International Union supporters. The clip again
illustrates that low tech security issues remain a constant threat.

6) An audit has revealed that the IRS (The US Internal Revenue
Service) lost almost 500 PCs in the 3 year period to the middle of
2006. It is believed that the personal information of at least 2,000
taxpayers could have been compromised as a result. The IRS have
subsequently stated that they are "taking aggressive steps to further
secure government equipment and protect sensitive data to mitigate the
risk of potential identity theft or other fraudulent activity."

The SLA: Prioritization
=======================

As previous editions of the newsletter have demonstrated, the SLA can
prove to be an important tool with respect to information security,
particularly regarding service availability. One such aspect pertains
to prioritization.

The purpose of defining and prioritizing problems within service level
agreements is to ensure that resources are concentrated on resolving
the most critical incidents, ensuring that these are resolved on a
basis reflecting their seriousness with respect to impact on the
Client. It enables the Client to understand how the incident
management process will be operated and the Supplier to concentrate
scarce resources towards resolution of the incidents themselves.

To this end, it is important that the potential impact of the incident
on the Client's business is properly defined.

The SLA should thus contain a suggested structure for classifying
problems, and the supplier and client should both ensure that this
structure meets their requirements. A suggested simplified structure
is given below:

Problem Priority   Status              Impact
Priority 1         Mission critical    Serious financial impact
Priority 2         Extremely urgent    Significant financial impact
Priority 3         Urgent              Medium financial impact
Priority 4         Medium priority     Minimal financial impact
Priority 5         Low Priority        No financial impact

Information Source: The SLA Toolkit
(http://www.service-level-agreement.net)

ISO 27002 Related Definitions and Terms
========================================

In each ISO 27000 Newsletter we include a selection of terms and
definitions to unravel and explain some of the jargon and strange
language used by IT and Information Security professionals. In this
edition, we provide a further selection of terms that all start with
the letter 'F'.

Finagle's Law
The 'folk' version of Murphy's Law, fully named 'Finagle's Law of
Dynamic Negatives' and usually rendered 'Anything that can go wrong,
will.'. One variant favored among hackers is 'The perversity of the
Universe tends towards a maximum.'. The label 'Finagle's Law' was
popularized by SF author Larry Niven in several stories depicting a
frontier culture of asteroid belt miners. This 'Belter' culture
professed a religion and/or running joke involving the worship of the
dreaded god Finagle and his mad prophet Murphy.

Fit for Purpose
Fit for Purpose is a general expression which can be useful to ensure
that Information Security solutions are appropriate for your
organization. Vendors will sometimes attempt to 'fit' their solution
to your problem. Fit for Purpose is an expression which, when used
within the solution negotiation context, places an onus of
responsibility upon the vendor to ensure that its solution is (indeed)
fit for the purpose which their client expects.
Example : a well known systems company contracted for the sale of
their system. Inclusive in the price was one week of training in the
system. During implementation it became apparent that one week for
training was totally inadequate. The customer successfully claimed
(prior to legal action) that the supplier's solution was inadequate
and hence not fit for purpose. When considering Information Security
solutions, it is good practice to remind any potential suppliers in
your requirement that the solution must be fit for purpose.

Flag
A message indication, sometimes, but not always, a warning to a user,
which appears when a certain event takes place. For example, an
inventory monitoring program may well 'flag' certain products when
stocks fall below a predetermined level, to alert the user to
re-order. An alternative use is to warn of an event which will take
place in the future, but has not yet occurred, for example, a
financial institution aware of a large check-based transaction on a
customer's account may 'flag' the account to avoid an unauthorized
overdraft.
Flags may be generated manually or automatically, depending on
circumstances. In the case of the stock monitoring this would be
automatic, while the check transaction example would be processed
manually. Automatic flags serve a useful purpose in drawing users'
attention to situations which otherwise may be overlooked.

Flame
'Flame' is abusive communication by E-mail or posting to a newsgroup,
which attacks an individual or organization for some real or imagined
grievance. The real problem is broader than that of a few rude
e-mails: flame represents the anarchistic side of the Internet. The
flame may start with only one abusive message, but it is broadcast so
widely that large numbers of unconnected browsers join in - often on
both sides of the argument. This can lead to 'Flame Wars', where the
traffic load becomes so high that communications network performance
degrades, and E-mail boxes become blocked - as is the case with
bottlenecking and mail bombing. Problems for companies may arise if a
member of staff has used an organization's e-mail address to start the
flame - another reason to monitor staff activities. Flame has some
redeeming features. Deeply unpleasant (or disturbed) individuals who
posted lengthy racist (or sexist, or some other -ist) diatribes have
found themselves flamed off the Net....

Freeware
Literally, software provided for free - no charge. This is not as
uncommon as might be expected. Major software developers often give
away old versions of their products to allow users to try them at no
charge and, hopefully, succeed in tempting them to purchase the
current release. Independent developers may give away small programs
to establish a reputation for useful software, which then enables them
to charge. Cover disks attached to a computer magazine often contain
Freeware. As with Shareware, Freeware should be approached with
caution, and staff dissuaded from trying out their new Freeware on
organization equipment.

IT COULDN'T HAPPEN HERE COULD IT?
================================

Most editions of The ISO 27000 Newsletter feature at least one TRUE
story of an information security related incident or its consequences:

1) In case you ever wondered why the term 'dumb users' emerged:

Login: yes
Password: i dont have one
password is incorrect

Login: yes
Password: incorrect

2) A genuine quote: "Morons. These people who live in my apartment
complex are connected to my wireless. They must think they're
super-cool hackers by breaking into my completely insecure network.
Unfortunately, the connection works both ways. Long story short, they
now have loads of (censored) on their computer."

3) Finally, not a true story (or is it?), but funny regardless.

The six phases of an ISO 17799 implementation (adapted):
Enthusiasm
Disillusionment
Panic
Search for the guilty
Punishment of the innocent
Praise for the non-participants


Re: ISO 27000 standards
Canada
2007-08-05 11:11:14

Date sent: Sun, 5 Aug 2007 11:43:35 +0100 (BST)
From: vijay tikkoo <vijay.tikkoo@yahoo.co.in>

> Can any one help me in getting 27002 standards

They are available on the ISO website at
http://www.iso.org/iso/en/ISOOnline.frontpage
and probably also on the British Standard Institute site as well. Your national
member standards organization probably has them, and they may be cheaper that
way.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The name is Geek, Bona Fide Geek. I like my milk with chocolate,
neither shaken or stirred. - Vern Crouch
http://victoria.tc.ca/techrev/rms.htm

ISO 27000 standards
India
2007-08-05 05:43:35

Hi All
 
Can any one help me in getting 27002 standards
 
Thanks and Regards

Vijay Tikkoo
Vijay.tikkoo@yahoo.co.in
 
0091-9871427069
