20 Critical Security Controls by SANS

The most trusted and largest source of information security training and security certification in the world, the SANS Institute, publishes guidelines on 20 Critical Security Controls for Effective Cyber Defense. For those who don’t know, the SANS Institute was established in 1989 as a cooperative research and education organization. It also develops and maintains the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system, the ISC (Internet Storm Center). The ISC is a SANS program which monitors the level of malicious activity on the Internet. You can read more about it here.

These Top 20 Controls were agreed upon by a powerful consortium including the NSA, US-CERT, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, the Department of State and the DoD Cyber Crime Center, plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities. Well, all of them are in the USA, but that does not mean that you can’t use it.

As stated on the SANS page, automating these Top 20 Controls will radically lower the cost of security while improving its effectiveness.

You may ask what’s in it for you: well, if you are concerned about security and want to assess and implement security procedures in your organization, you may follow these up-to-date guidelines. The page also explains quite well how hackers exploit the lack of these controls, and how to implement and automate them.

Reference: http://www.sans.org/critical-security-controls/

Posted in IT Security, Week 36

Risk Assessment Plan (Data Security)

I have read an interesting article about creating a risk assessment plan in relation to data security. It covers a 5-step plan for developing a solid foundation for a security strategy. It requires a team to be assembled to get started with the process.

1. Identify information assets
   Consider the important information and create a priority list of what needs to be protected.
   Examples: social security numbers, designs, human resources data, etc.

2. Locate information assets
   Identify and list where each item on the information asset list resides within the organization.
   Examples: file servers, workstations, phones, databases, etc.

3. Classify information assets
   Assign a rating to each item on the information asset list; consider using a 1 to 5 scale with the following categories:
   public information, internal information, sensitive internal information, compartmentalized internal information, regulated information.

   Read more about the examples within each classification scheme in the article.

4. Conduct a threat-modeling exercise
   Rate the threats facing the top-rated information assets; one option is Microsoft’s STRIDE method:
   (Spoofing of Identity, Tampering with Data, Repudiation of Transactions, Information Disclosure, Denial of Service, Elevation of Privilege)

5. Finalize data and start planning
   Multiply all the cells in each worksheet by the classification rating assigned to the asset in step 3. This refers to the worksheet that needs to be created.
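The five steps above form one worksheet procedure, so here is an added worked example of it in Python (my own illustration, not code from the article). It builds the asset list of steps 1 and 2, uses the 1-to-5 classification scale of step 3, records a STRIDE rating per threat for step 4, and performs the step 5 multiplication to rank assets and individual threats. The sample assets, their locations and all ratings are constructed; the 1-to-5 scale for the STRIDE threat ratings is an assumption, since the article only says to rate the threats.

```python
from dataclasses import dataclass

# The six STRIDE categories named in the article (Microsoft's threat-modeling method).
STRIDE = (
    "Spoofing of Identity",
    "Tampering with Data",
    "Repudiation of Transactions",
    "Information Disclosure",
    "Denial of Service",
    "Elevation of Privilege",
)

# Step 3 classification scheme on the 1-to-5 scale listed in the article.
CLASSIFICATION_RATING = {
    "public": 1,
    "internal": 2,
    "sensitive internal": 3,
    "compartmentalized internal": 4,
    "regulated": 5,
}


@dataclass(frozen=True)
class Asset:
    name: str                    # step 1: what needs protecting
    locations: tuple[str, ...]   # step 2: where it resides
    classification: str          # step 3: key into CLASSIFICATION_RATING
    threats: dict[str, int]      # step 4: STRIDE category -> 1..5 rating (scale is an assumption)


def validate(asset: Asset) -> None:
    """Reject rows with an unknown classification, a wrong set of STRIDE
    categories or a rating outside 1..5 before any arithmetic is done."""
    if asset.classification not in CLASSIFICATION_RATING:
        raise ValueError(f"{asset.name}: unknown classification {asset.classification!r}")
    if set(asset.threats) != set(STRIDE):
        raise ValueError(f"{asset.name}: threat ratings must cover exactly the six STRIDE categories")
    for category, rating in asset.threats.items():
        if not 1 <= rating <= 5:
            raise ValueError(f"{asset.name}: rating for {category} must be 1..5, got {rating}")


def weighted_row(asset: Asset) -> dict[str, int]:
    """Step 5: multiply every STRIDE cell of the asset's row by its classification rating."""
    validate(asset)
    weight = CLASSIFICATION_RATING[asset.classification]
    return {category: asset.threats[category] * weight for category in STRIDE}


def asset_score(asset: Asset) -> int:
    """Total weighted risk for one asset: the sum of its weighted row."""
    return sum(weighted_row(asset).values())


def prioritize(assets: list[Asset]) -> list[tuple[str, int]]:
    """Assets ordered by total weighted risk, highest first; the planning
    phase works down this list."""
    return sorted(((a.name, asset_score(a)) for a in assets), key=lambda t: (-t[1], t[0]))


def top_cells(assets: list[Asset], n: int = 3) -> list[tuple[str, str, int]]:
    """The n highest individual (asset, threat) cells across the whole worksheet,
    i.e. the specific threats to address first."""
    cells = [(a.name, cat, score) for a in assets for cat, score in weighted_row(a).items()]
    return sorted(cells, key=lambda t: (-t[2], t[0], t[1]))[:n]


# Constructed sample inventory: names, locations and ratings are made up for illustration.
ASSETS = [
    Asset("Customer SSNs", ("payroll database", "HR file server"), "regulated",
          {"Spoofing of Identity": 4, "Tampering with Data": 3, "Repudiation of Transactions": 2,
           "Information Disclosure": 5, "Denial of Service": 2, "Elevation of Privilege": 4}),
    Asset("Product designs", ("engineering workstations", "source repository"), "compartmentalized internal",
          {"Spoofing of Identity": 3, "Tampering with Data": 4, "Repudiation of Transactions": 1,
           "Information Disclosure": 5, "Denial of Service": 1, "Elevation of Privilege": 3}),
    Asset("Cafeteria menu", ("intranet web server",), "public",
          {"Spoofing of Identity": 1, "Tampering with Data": 2, "Repudiation of Transactions": 1,
           "Information Disclosure": 1, "Denial of Service": 3, "Elevation of Privilege": 1}),
]

if __name__ == "__main__":
    for name, score in prioritize(ASSETS):
        print(f"{score:4d}  {name}")
    for name, category, score in top_cells(ASSETS):
        print(f"  {score:3d}  {name}: {category}")
```

With these constructed numbers the regulated asset scores 100, the compartmentalized one 68 and the public one 9, and the three highest cells all belong to the SSN row, which is exactly the effect of the step 5 multiplication: a public asset with a high denial-of-service rating still ranks below a regulated asset with a lower one.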

Read the article in order to understand the aspects of this approach. It also includes a STRIDE method chart.

The fact that this approach is considerable and useful when considering data security would definitely be something I would experiment with and use in greater depth.

The article is available at the following link, LOOK INTO IT!

Posted in IT Security, Week 36

Security Frameworks


A lot of IT security frameworks exist at the moment that can be used for company security. Below is a simple comparison of each.

ISO Family (27001, 17799, 20000) (International Organization for Standardization’s security management standards)

A framework of standards that provides best practices for information security management.


ITIL (IT Infrastructure Library)

ITIL is a cohesive best-practices framework drawn from the public and private sectors internationally. It describes the organization of IT resources to deliver business value, and documents processes, functions, and roles in IT Service Management.


COSO (Committee of Sponsoring Organizations of the Treadway Commission)

A voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.


COBIT (Control Objectives for Information and related Technology)

An IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks.


FISMA (Federal Information Security Management Act of 2002)

FISMA imposes a mandatory set of processes that must follow a combination of Federal Information Processing Standards (FIPS) documents, the SP 800 series of special publications issued by NIST, and other legislation pertinent to federal information systems.


OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

A risk-based strategic assessment and planning technique for security.


CMMI (Capability Maturity Model Integration)

A process improvement approach that provides organizations with the essential elements of effective processes.

Read more:

Posted in IT Security, Week 35

NIST 800-53

I have read about the NIST (National Institute of Standards and Technology) information security standard, which is recommended for federal information systems and organizations. It covers providing security controls for information based on three important aspects: confidentiality, integrity and availability.
Security controls are split into three different classes, management, operational and technical safeguards, in order to protect the above aspects.
I find this standard very relevant in relation to security and risks in general, which kind of reflect each other nowadays: more risks means more security implemented.

Beneath is an example of the format for expressing the security category of an information system. In my opinion, a very important point of view when considering an information system.

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},

where the acceptable values for potential impact are low, moderate, or high.
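As an added worked example of the security category format above (my own Python, not from the NIST document or the post), the block builds the SC triple for each information type a system handles, rejects impact values outside low/moderate/high, and rolls the information types up into the system’s own SC. The roll-up takes the highest impact per objective across information types, and the single overall level is the highest of the three objectives; both rules come from NIST FIPS 199 and FIPS 200 respectively, which the post does not discuss. The HR system and its three information types are constructed for illustration.

```python
IMPACT_LEVELS = ("low", "moderate", "high")   # the acceptable impact values named on the page
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _rank(level: str) -> int:
    """Position of an impact level in the low < moderate < high ordering; rejects anything else."""
    level = level.lower()
    if level not in IMPACT_LEVELS:
        raise ValueError(f"impact must be one of {IMPACT_LEVELS}, got {level!r}")
    return IMPACT_LEVELS.index(level)


def security_category(confidentiality: str, integrity: str, availability: str) -> dict[str, str]:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}
    for one information type or one system, validated against the allowed values."""
    sc = dict(zip(OBJECTIVES, (confidentiality, integrity, availability)))
    for objective, level in sc.items():
        _rank(level)                      # raises on an invalid value
        sc[objective] = level.lower()
    return sc


def format_sc(label: str, sc: dict[str, str]) -> str:
    """Render in the page's notation, e.g. SC payroll = {(confidentiality, MODERATE), ...}."""
    inner = ", ".join(f"({objective}, {sc[objective].upper()})" for objective in OBJECTIVES)
    return f"SC {label} = {{{inner}}}"


def system_category(info_types: dict[str, dict[str, str]]) -> dict[str, str]:
    """Roll the information types a system processes up into the system's SC by
    taking, per objective, the highest impact any of them carries (FIPS 199 rule)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {objective: max((sc[objective] for sc in info_types.values()), key=_rank)
            for objective in OBJECTIVES}


def overall_impact(sc: dict[str, str]) -> str:
    """Single impact level for the system: the highest of its three objectives
    (the 'high water mark' used to pick a control baseline, FIPS 200)."""
    return max((sc[objective] for objective in OBJECTIVES), key=_rank)


# Constructed example: three information types handled by one HR system (values made up).
HR_SYSTEM = {
    "payroll records":     security_category("moderate", "moderate", "low"),
    "benefits enrollment": security_category("moderate", "low", "low"),
    "public job postings": security_category("low", "moderate", "high"),
}

if __name__ == "__main__":
    for name, sc in HR_SYSTEM.items():
        print(format_sc(name, sc))
    system_sc = system_category(HR_SYSTEM)
    print(format_sc("HR information system", system_sc))
    print("overall impact level:", overall_impact(system_sc))
```

Note what the constructed data shows: the only information type with a high value is the public one (job postings must stay available), yet it alone drives the whole system to a high overall level, so the low-confidentiality label of public data says nothing about the controls the system will need.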

The standard also defines a “Risk Management Strategy”, which in my opinion might be worth looking into in order to get a clear understanding of the approach.
Read more about the strategy and the target audience of the standard in the document at the link below.

*p. 14 covers the target audience, pp. 27-28 cover the strategy


Posted in IT Security, Week 35

ISO 27001 + 2 Review

ISO 27001 and 27002 Review

The ISO (International Organization for Standardization) 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard.

Information security management systems — Requirements = ISO 27001

It is the specification for an ISMS, an Information Security Management System.

The objective of the standard itself is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System.”

It employs the PDCA, Plan-Do-Check-Act model to structure the processes.

Code of practice for information security management = ISO 27002

The ISO 27002 standard is the renamed ISO 17799 standard, and is a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001.



Posted in IT Security, Week 35


If you ever wondered what a standard is, well, the answer can be tricky and the explanation can become pretty hard. To clarify it I will quote standards.gov: a standard means “Common and repeated use of rules, conditions, guidelines or characteristics for products or related processes and production methods, and related management systems practices”. By classifying standards into prescriptive and performance ones the term may become more understandable. The prescriptive standard comes into play when you start working on something and do it in a known way that has been done before and was defined somewhere, to make it easier for you to follow the correct steps.

The performance standard defines requirements in terms of reaching a required result. It also states ways of verification, but it won’t include steps for getting to the desired result.

Standards can also be differentiated by purpose and classified by the intended user group.

To find out more go to the source link.

Source: http://standards.gov/standards.cfm

Posted in IT Security, Uncategorized, Week 35

New statistical study of hacking

Ponemon Research has made a study for Juniper Networks. The study (pdf) reports the numbers and types of security incidents among US-based companies. The study is based on interviews with the CTOs, CSOs and CIOs of 583 North American companies of varying sizes.

The study shows that 90 percent had been hacked within the last year, and that 60 percent had been hacked more than once, also within the last 12 months. Continue reading

Posted in IT Security, Week 25