Wednesday, November 7, 2007

Business of Information Security

Information Security, whenever it is mentioned, rings bells in everyone's mind. It is often taken in a negative sense and is seen as a Show Stopper. But is it so?


Why can't we take a step forward, understand the term Information Security, and create a business-friendly definition of it?


What I opine and openly state is that though Information Security is not a Revenue Earner, it certainly adds to the Profits of the organization. Well, it is interesting how a Cost Centre can add to the Profits. Now here, the first thing I would like to correct is that the Information Security Team is not a Cost Centre, rather it is a Profit Centre. The reason I call it a Profit Centre is the fact that it is the Information Security Team that works in real time to patch the vulnerabilities and keep the Risk Spectrum more or less in check and under the acceptable limits. This certainly lessens the overall impact of the Risks that materialize and thus reduces the Financial Losses that the Organization might incur. So, when the Information Security efforts lead to fewer losses, the bottom line is higher, that is, the profits DO surge.


I guess I have clearly made my point from the way I look at things. Anyone there to discuss this further?


Mayank


Sunday, August 26, 2007

Addressing Information Security - Tips for Home Machines

Personal computers used at home are the worst affected machines when there is a virus or worm outbreak. These machines are not the actual targets. In fact, these machines are the scapegoats that malicious users employ for a bigger and more severe attack on the real target. The malicious users, or Hackers as we commonly know them, find Home machines to be the easier victims from which to launch their attack on target networks: they convert vulnerable home machines into Zombie machines and use them remotely to carry out their attack strategy.

The reasons that leave Home machines highly vulnerable are many; the following are a few that may be listed –

1. Home machines are often left unpatched, missing the latest service packs and hot fixes

2. Home machines often lack updated virus signatures. In many cases the antivirus installed is not capable of countering the latest worms/viruses/malicious code

3. Home machines often have unrequired services running

4. Home users often install freeware and shareware without knowing its functionality completely; these also at times open more avenues for weaknesses

5. Home users often do not think before clicking on the various links forwarded in junk/spam mails. This makes it easier for hackers to carry out phishing attacks, or attacks that might lead to the disclosure of vital information such as surfing patterns.

6. Home users often open attachments even from untrusted sources; these attachments, specifically if they are .scr, .pif or, as very recently, .pdf, can carry malicious code.

Though there is no single best way to defeat malicious intent, we can all certainly be more aware of the odds before we actually carry out certain activities. As it is said, it is better to be safe than sorry. I would suggest the following steps be taken at the minimum to safeguard a Home Machine from being used as a Zombie by a hacker –

1. Use licensed software so that the patches and latest security service packs can be downloaded and installed on the machine. Though it might cost dear to purchase the license, it is better than paying a much higher price should your machine get compromised.

2. Use a standard antivirus solution; there are quite a number of good ones available. Weighing money against safety will never get you the best in the longer run, as safety comes first and money can be earned if you are safe.

3. Ask your technical helpdesk/service person to help you stop all the unrequired services on the machine you have purchased. For instance, one can always stop services like Alerter and Messenger. One should also disable autoplay for plug and play devices, as at times they might be the source of malicious code.

4. Do not install any shareware and/or freeware unless you are well aware of the functionality it is going to add to your machine. Also, Beta Software is meant for highly skilled professionals and not for simple end users. Beta Software is not a final product and might have more than the expected number of vulnerable points.

5. Ensure that the attachment you are opening is a valid attachment that you are expecting from a reliable source. It is always better to verify the mail sender's address before opening any attachment.

6. Ensure that the link you are clicking on is the right link and would take you to the source it claims to. Also ensure that the sender of the link is the authentic sender and that it is coming from a legitimate email address.

Though these are just a few of the basic steps, home users might also consider and evaluate installing a personal firewall on their machines; but again they need to be sure of the genuineness of the source from which the personal firewall is being downloaded and installed. It is always advisable to use the best, though it might cost a little over a month's supply of cigars.

Mayank Trivedi


Tuesday, August 21, 2007

Information Security and Governing Structures

Information Security today is Governed by Regulations, Standards, Guidelines and Industry Best Practices. They provide frameworks, methodologies and approaches to attain Information Security baselines. Compliance with any of them is just meeting these baselines, but there is more to be done over and above compliance. Achieving compliance is something that holds importance with the industry, but more important is the Management of Sustenance, with increasing maturity of the Information Security Program and the overall Information Security Posture. A Security Program aimed only at Compliance does not deliver the organizational effectiveness of a program that is driven by Top Management and percolates down to the Grass Root Level.


An efficient Information Security Program brings in a paradigm shift in organizational work culture, infusing Business Process Reengineering to embed Security Practice as the Core of Business Operations.


Mayank Trivedi


Wednesday, August 1, 2007

PCI-DSS - Simplified Approach

PCI-DSS compliance can be achieved by effective and efficient mapping of its control requirements onto either the ISO 27001 or the COBIT framework, both already established and accepted across the world and across industry segments.

But whatever framework we follow for PCI-DSS Compliance, the following steps must be followed in order to ensure that compliance is being targeted under the right Category, viz. Merchant / Service Provider, and for the right level (Level 4 through 1 for Merchants and Level 3 through 1 for Service Providers).

1. Identify the category - Payment Gateways, Processors and Call Centers/BPOs fall under the Service Provider category, whereas the Merchant category, as the name clearly sets out, covers the endpoints where the customer transactions take place.

2. Identify the level applicable for the organization -

· For Merchants - Level 4 to Level 1.

§ Level 4 is for any merchant processing less than 20,000 e-commerce transactions per year, and all other merchants processing up to 1,000,000 transactions per year.

§ Level 3 is for the merchants processing 20,000 to 1,000,000 e-commerce transactions per year.

§ Level 2 is for the merchants processing 1,000,000 to 6,000,000 transactions per year.

§ Level 1 is for the merchants, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
(There is one catch for merchants in selecting the level, irrespective of the size of operations - any merchant that has suffered a breach that resulted in an account data compromise would also be treated as Level 1. Moreover, for Level 1, the transaction limit as defined could be a composite count of transactions for all the brands of Credit/Debit cards forming the PCI Council, or could be for a single brand.)

· For Service Providers – Level 3 to Level 1

§ Level 3 is for any service provider that stores, processes, or transmits less than 1,000,000 accounts/transactions annually.

§ Level 2 is for any service provider that stores, processes, or transmits more than 1,000,000 accounts/transactions annually.

§ Level 1 is for all payment gateways and processors (Member/non-member of any of the credit/debit card networks).

3. Establish the Validation Action required for each level –

Level | Validation Action (For Merchants)           | Validated By
------+---------------------------------------------+--------------------------------------------
1     | Annual On-site PCI Data Security Assessment | Qualified Security Assessor, or Internal Audit if signed by an Officer of the company
      | Quarterly Network Scan                      | Approved Scanning Vendor
2     | Annual PCI Self-Assessment Questionnaire    | Merchant
      | Quarterly Network Scan                      | Approved Scanning Vendor
3     | Annual PCI Self-Assessment Questionnaire    | Merchant
      | Quarterly Network Scan                      | Approved Scanning Vendor
4*    | Annual PCI Self-Assessment Questionnaire    | Merchant
      | Quarterly Network Scan                      | Approved Scanning Vendor

*The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.

Level | Validation Action (For Service Providers)   | Validated By
------+---------------------------------------------+--------------------------------------------
1     | Annual On-Site PCI Data Security Assessment | Qualified Security Assessor
      | Quarterly Network Scan                      | Approved Scanning Vendor
2     | Annual On-Site PCI Data Security Assessment | Qualified Security Assessor
      | Quarterly Network Scan                      | Approved Scanning Vendor
3     | Annual PCI Self-Assessment Questionnaire    | Service Provider
      | Quarterly Network Scan                      | Approved Scanning Vendor

4. Download the Self-Assessment Questionnaire from https://www.pcisecuritystandards.org/tech/supporting_documents.htm for a quick self-assessment of the current scenario; alternatively, the organization may hire a Service Provider / Consultant for the same. Other self-audit resources are available from SANS, IT Security Magazine, and individual bloggers.

5. Identify the approach to take in order to fix the issues identified on the first run of the Self-Assessment Questionnaire. One thing that needs to be made clear is that the steps taken from here onwards must also be compliant with the other certifications relevant to the merchant/service provider. It is hence recommended to use either ISO 27001 or COBIT as the base framework.

6. Have all the relevant documentation in place, including the Information Security Policy, Procedures, Processes and the respective records as evidence of compliance.

7. Select the QSA/ASV from the approved list available at https://www.pcisecuritystandards.org/resources/index.htm

Once the Audit is conducted by the QSA/ASV, the report is submitted to the PCI Council along with the required recommendations, but that is not the end of the road. The journey of Compliance to PCI-DSS has just begun, and it is a never-ending journey. There may be road-blocks, but there is NO Dead End :)
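The level selection of step 2 and the validation tables of step 3, encoded as an added worked example (this is not code from the original post): it picks the level for a merchant or service provider from the figures quoted above and returns the validation actions and validators for that level. Handling of exact boundary values (for example a merchant at exactly 1,000,000 transactions, treated here as "up to 1,000,000") is an assumption made in this example, as the post does not spell it out.

```python
"""Worked example of steps 2 and 3 of the PCI-DSS approach above:
pick the PCI-DSS level for a merchant or service provider and list the
validation actions required for it. Thresholds are the 2007 figures quoted
in the post; boundary handling (>= / >) is this example's assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

QSA = "Qualified Security Assessor"
ASV = "Approved Scanning Vendor"
ONSITE = "Annual On-site PCI Data Security Assessment"
SAQ = "Annual PCI Self-Assessment Questionnaire"
SCAN = "Quarterly Network Scan"

# (validation action, validated by) per level, as in the two tables above.
MERCHANT_VALIDATION: Dict[int, List[Tuple[str, str]]] = {
    1: [(ONSITE, QSA + ", or Internal Audit if signed by an Officer of the company"),
        (SCAN, ASV)],
    2: [(SAQ, "Merchant"), (SCAN, ASV)],
    3: [(SAQ, "Merchant"), (SCAN, ASV)],
    4: [(SAQ, "Merchant"), (SCAN, ASV)],   # scans still required for Level 4
}
SERVICE_PROVIDER_VALIDATION: Dict[int, List[Tuple[str, str]]] = {
    1: [(ONSITE, QSA), (SCAN, ASV)],
    2: [(ONSITE, QSA), (SCAN, ASV)],
    3: [(SAQ, "Service Provider"), (SCAN, ASV)],
}


@dataclass
class Merchant:
    ecommerce_txn_per_year: int   # e-commerce transactions only
    total_txn_per_year: int       # all acceptance channels combined
    breached: bool = False        # suffered an account data compromise


def merchant_level(m: Merchant) -> int:
    """Merchant Level 4 (lowest) to 1 (highest), per the criteria in step 2."""
    if m.ecommerce_txn_per_year < 0 or m.total_txn_per_year < m.ecommerce_txn_per_year:
        raise ValueError("e-commerce count must be >= 0 and <= total count")
    if m.breached:
        return 1                 # the "catch": a compromise forces Level 1
    if m.total_txn_per_year > 6_000_000:
        return 1                 # over 6,000,000, regardless of channel
    if m.total_txn_per_year > 1_000_000:
        return 2                 # 1,000,000 to 6,000,000, any channel
    if m.ecommerce_txn_per_year >= 20_000:
        return 3                 # 20,000 to 1,000,000 e-commerce
    return 4                     # < 20,000 e-commerce, up to 1,000,000 in all


def service_provider_level(gateway_or_processor: bool, accounts_per_year: int) -> int:
    """Service Provider Level 3 (lowest) to 1 (highest)."""
    if gateway_or_processor:
        return 1                 # all payment gateways and processors
    if accounts_per_year > 1_000_000:
        return 2
    return 3


def validation_plan(category: str, level: int) -> List[Tuple[str, str]]:
    """Return the (action, validated-by) pairs required for a category/level."""
    table = {"merchant": MERCHANT_VALIDATION,
             "service provider": SERVICE_PROVIDER_VALIDATION}[category.lower()]
    if level not in table:
        raise ValueError(f"no level {level} for a {category}")
    return table[level]


if __name__ == "__main__":
    # Constructed sample: an online retailer with 50,000 web orders out of
    # 400,000 transactions a year and no breach history -> Level 3.
    shop = Merchant(ecommerce_txn_per_year=50_000, total_txn_per_year=400_000)
    lvl = merchant_level(shop)
    print("merchant level", lvl)
    for action, who in validation_plan("merchant", lvl):
        print(f"  {action}: validated by {who}")
```

Changing only the `breached` flag on the sample merchant moves it from Level 3 to Level 1, which is the "catch" the post warns about.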

Mayank Trivedi

PCI-DSS Challenges and Considerations

With the PCI-DSS compliance deadline fast approaching, most organizations are getting their act together to meet the compliance requirements. But there lies a challenge in finding the right approach. Consultants/implementers/maintainers are often dithering about what approach to take in this area. Various vendors are pitching their products and many claim to achieve compliance through technical deployments alone. But the following questions remain with us -

  • Will technological deployment alone achieve the results required and desired?
  • Will it not be a piecemeal approach to plug the issues, taking what we see as the right requirement for each of the areas as stated above?
  • Will we be able to integrate these distinct products and technologies to achieve the required output?
  • What effect would changes in the architecture and infrastructure have on other Compliances such as ISO 27001, SOX etc.?

There are many other such questions that will always be hovering in our minds for us to answer and act upon. However, whatever the approach, the steps to PCI-DSS compliance must focus on the following –

  • Highly Sensitive Payment Card Information stored in business databases
  • Identification of all systems within the organization where Payment Card Information is stored
  • Legacy systems not supporting the PCI DSS requirements for encryption
  • Access to payment card information by a large number of business users
  • Log Management and Monitoring
  • Data Classification and Handling
  • Access Management on various systems and devices
  • Information Security Policies and Procedures
  • Periodic vulnerability assessment and penetration testing
  • Segregation of Duties among Production, Development and Testing Teams

Mayank Trivedi

Thursday, June 14, 2007

IT Security Outsourcing Decisions - Considerations

Having raised the bar of suspicion in the previous two articles, the thing to
think about now is - what needs to be done to clear the air of suspicion?
What is the possible way out to clear the ambiguity in the process of
Outsourcing? Well, though there are various ways to deal with the situation,
and one can do what seems appropriate, the steps that need to be
considered are -

* Think as a Hacker

* Decide on Accessibility?

* Control Data Usage and Handling

* Protect the Information

* Maintain Confidentiality

* Apply the Sixth Sense / Instinct

* Deploy Vigilance for Incident Reporting


Think as a Hacker


There are a few things to be considered and understood before finally
handing over the reins to a stranger. One needs to view the IT issues from a
hacker's perspective, take good note of the situation, and look for the
answers to these questions -

* What if my confidential information gets into the wrong hands?

* Do I have IT assets worth an abuse?

* What negative consequences would occur if they were abused?

* Is my job going to be on the line if my organization makes the
headlines?


Decide on Accessibility?


Most outsourced IT services require one person or another to have full
access to the whole or a part of the organization's IT assets. For instance,
IT Helpdesk support professionals will most likely need administrative
rights to the client machines and probably the respective servers also. This
effectively translates into full access to corporate data stored on the
local drives and, potentially, network shares. Consider what an IT auditor
or security consultant may gather during the days, weeks or months spent
working onsite at an organization's IT facility. At times it might amount to
more than what even the best people in the organization know. The exposure
is certainly limitless, and it only takes one miscreant to cause the damage.


Control Data Usage and Handling


The outsourced IT service provider might have access to the data, as
highlighted in the previous point. But that is just one of the points
identifying the risks associated with Outsourcing. What is more important to
establish is what the various outsourced personnel are doing with the data.
Data handling by the outsourced agency is another aspect to be understood.
If we look into the matter we might find that the outsourced agency's
personnel could be storing the data on their servers, laptops, CDs or USB
drives, or might even be printing hard copies. Clients should expect to turn
at least some of their information over, and need to be informed of why it
is needed and how it is going to be used.


Protect the Information


IT Systems deal with, process and store vital data and information that is
sensitive, crucial and confidential for the business. When outsourcing the
security of the IT establishment and the organization-wide information
security process, one has to consider how the data and information is being
protected -- if at all. What are they doing with the data and/or
information? Are they sharing it with colleagues or competitors? Keeping it
to sell on eBay in a few years? Even if the people you're outsourcing your
IT services to are bound by contract to protect your information, they may
not have your best interests in mind, or they may be just plain sloppy.
Consider what a person has to lose if he ends up leaving the company or
getting out of the IT business altogether. The probability of sales data,
source code or patient information being used for ill-gotten gains is pretty
low, but it can happen.


Maintain Confidentiality


Call me a pessimist, but I've seen too many digital goods mishandled by
careless IT experts with a general disregard for other people's property.
The root of a lot of this -- which continues to amaze me -- is when
organizations outsource IT support, but never consider the basics such as
running background checks and examining references on the people they're
placing trust in. Confidentiality agreements are being used more and more,
but arguably not enough.


Apply the Sixth Sense / Instinct


Strong contracts and clean criminal records are not a perfect indicator of
safe and sound IT services, so don't rely solely on them. It's also
unrealistic to attempt to completely control where your sensitive data is
housed and what a third party does with it. Whether you're for or against
outsourcing IT services, you'll have to do it eventually. Do your best to
find good people to do business with - preferably through referrals - and
trust your instincts.


Deploy Vigilance for Incident Reporting


Don't stop there though. It's not a matter of just having the proper
security controls and paperwork in place to take the risk out of outsourcing
IT services. It's just as important to have watchful employees who can tell
when something's not right and management that's willing to listen, support
their employees and create an overall sense of security vigilance in the
organization.

Saturday, June 9, 2007

IT Outsourcing Decision Concerns -II

Loss of Control

By far the foremost inherent risk of outsourcing is the "Loss of Control" over the outsourced process. While outsourcing IT Security processes, this at times can prove to be the worst nightmare for the organization's management.

The most common of the concerns triggered by the decision to outsource is that it overrides the sense of relief about day-to-day operations. This may actually be a trend stemming from the difference in perception between internal and external personnel towards service orientation. Whatever the case, at the end of the day it boils down to commitment and dedication to the work and the organizational goals.

It is certainly great to do everything IT related in-house. You control access and you control how and when things get done. On the other hand, any smart businessperson knows it is practically impossible for one department or person to do everything and do it well. This certainly makes Outsourcing a trend and a Business Practice involving the transfer of control to an Outsourced Company specializing in the job being outsourced. But while doing this, does the organization also realise that control is being transferred to a complete stranger? This question needs to be answered thoroughly for the outsourced model to be a success.

It is a fact that an employee aligns more to the vision, mission, goals and culture of the organization as compared to the third party or the outsourced staff.

Whatever the case, the outsourcing decision can't be negatively affected by this factor alone. In a scenario where the Internal staff may compromise and go along with a business decision that might have an adverse impact over a period of time, stricter SLAs would always force the outsourced service provider to stick to its guns and make the organization's management understand the inevitable.

But still, this is a concern that always poses a risk, and it would always give rise to a debate of what to outsource and why.

Availability v/s Quality

This is another concern that hounds the decision to outsource. For a large organization with huge operations it is not of much significance, but for medium and small-sized businesses this is quite a concern to be addressed.

After dealing with the question of losing control and deciding to go ahead with the decision of outsourcing, the organization faces this challenge of availability of quality service.

For medium and small-sized organizations, outsourcing might be a concern as, from the vendor's viewpoint, they may be one of many serviced by the vendor and in many cases may account for a small percentage of the total workload and income. This certainly affects the availability and quality of the desired services at the time they are required. In most cases the smaller organizations may suffer, as the service provider may address the concerns of the larger customers first and make the smaller customers wait until the support staff get free.

For a large customer it is easier to assert dominance and dictate terms by the sheer size of its order value, but for the smaller organization it becomes an issue. Moreover, if the smaller customer is in contention with a larger client, the issue is complicated further. In such a competitive battle for preferential availability and quality service, even a smaller customer can gain priority by making the most noise and escalating the issue to the upper management at the service provider, but a word of caution: this may not always be fruitful.

To deal with such scenarios, smaller organizations mostly resort to escalations, stricter time-based SLAs, and special relationships and rapport with the senior management.

Smaller organizations making the hue and cry should also understand that at times the larger organizations might even be subsidizing the services availed by them. At the same time, with the same staff servicing the larger and smaller organizations, the smaller organizations tend to benefit from the knowledge and expertise of support staff who have worked at the larger organization.

Mutual Trust

Mutual trust is yet another aspect that needs to be considered when outsourcing IT Security Processes. It has become very important to ensure that third parties who have access to personal and confidential information are protecting that information from inappropriate disclosure and from misuse.

With ever-increasing responsibility for security breaches being placed on the senior executives of organizations by law and regulatory enforcement bodies, this issue has taken a giant leap from being just another issue. With more and more compliance-related concerns, organizations have to be more alert on the trust aspect, from the viewpoint that the vendor might also be providing services to their competitors, and any leakage of business-sensitive and crucial information would prove detrimental and loss-making.

The complication here is multi-fold, with the cost of satisfying the regulators and the board of directors that due care has been taken, and the differences in regulations and laws that might exist due to the different geographical locations of the organization and the service providers.

It is however a good practice to test whether the vendor’s stated policy and procedures are enforced and implemented. Either the customer organization or the service provider may hire third-party auditors or security assessment consultants to perform security and control assessments. Such specialty assessment firms are likely to do a more orderly, structured, and complete evaluation than an in-house staff might achieve, because they perform so many more assessments over a period of time than an in-house group.

Costs – Real and Uncertain

This is an area that is mostly untouched or overlooked during the due-diligence exercise. This could be attributed to the fact that at times it is just difficult to quantify certain costs or to ascertain the probability of their occurrence.

Some of the hidden or uncertain costs may relate to the vendor's financial viability and sustainability, or to the presence of adequate infrastructure to survive and sustain the business in case operations at its primary facility are adversely affected for one reason or another.

There might be cases where the vendor faces a financial crunch and this might lead to it being merged with some other larger organization, or even with a competitor. In such cases, though most of the vendor's business gets transferred to the acquiring party, this is not the right approach to follow; for this, the agreements should take a stricter approach and include a clause for termination of services in any such case with 'No Liability' for the outsourcing organization.

On the availability of infrastructure and continued support, the outsourcing organization must conduct due diligence at the vendor to assure the management and the regulators that the selected vendor has adequate infrastructure for continued service and support even in adverse situations such as war and terrorist attacks.

But there is a word of caution - even during analysis, some costs might be hidden or excluded altogether, either unintentionally or through the analyst's ignorance or inexperience.

Knowledge Transfer

This is one of the key aspects of outsourcing and needs considerable attention from the management and the decision makers. The issue here is that the more functions and roles are outsourced, the lesser the chances that the internal staff would be able to address them should they be moved back in-house.

To address this issue, SLAs are drafted such that the vendor would conduct trainings and would be liable to keep the internal staff up-to-date, but does this actually happen? If yes, then in how many cases and to what extent?

The cost of not maintaining an up-to-date and knowledgeable internal staff might prove high and can add to the hidden and uncertain costs of outsourcing. The impact can include loss of negotiating power or of the ability to move to an alternative service provider.

Shared v/s Dedicated Operations

One decision of prime importance is to select the right option: a dedicated facility at the outsourced agency, or shared operations. Certainly the cost of dedicated operations at the vendor facility is higher, and most MSSPs charge a premium for such service, but the overall security is better and the risk of exposure of confidential business information is relatively lower.

But with tighter budgets for IT Security operations, and Security operations still being seen as a Cost Centre, most organizations opt for Shared Operations. This certainly increases the exposure of information and can add to the hidden costs.

Legal and regulatory Compliance

Compliance, to what? To their regulatory and statutory requirements, the likes of Banking Regulations, SOX and HIPAA, and international standards like COBIT and ISO 17799 etc. The more we drill down, the more we identify the likes of FISMA, GLBA, CASPR etc. Why are they doing this, and what is the need for it?

The requirements are not set by the organizations themselves; rather they are imposed upon them by the concerns of cyber crimes that are increasing day by day, and by the extending regulatory periphery of the respective authorities, be it the Government or the Regulatory Bodies for the industry verticals.


IT Outsourcing Decisions - Concerns

Outsourcing of IT Services is the trend of today, and why not? It helps an organization focus on its core business, where its strength lies. Why should an organization spend time, effort and other resources where it does not specialize and which is not its core area of operations?

The first and foremost thing considered while taking the step of outsourcing is the selection of the right company. Yes, it is very important to select the right company to execute the outsourced job, in the manner and with the effect that the outsourcing organization would prefer. But is it the only requirement in an outsourcing scenario? Maybe most out there would say 'Yes', but there is a difference somewhere; somewhere we are lagging. Why should we focus only on the efficiency of the outsourced Company's delivery mechanism and not address some other issues? Other than the effective and efficient delivery mechanism followed by the Outsourced Company, there are other areas that are more important, and rather critical, to the success of the Outsourcing Model being followed. These issues relate to the mechanism followed by the Outsourced Company to address the security risks involved in the overall outsourcing model.

For instance, let's have a look at the US market, one of the biggest markets for the Outsourced Business Process concept. Organizations there are increasingly outsourcing their IT divisions, including their IT Security set-up, certainly to manage the growing cost of running the IT establishment and at the same time to focus on the more profitable Business Divisions/Processes.

But then there is a flip side to the decision, and it might have more impact than the benefits. The flip side is the obvious risks associated with outsourcing the IT function; the function that deals with the processing and storage of information, including critical and business-sensitive information.

Now, coming from an Outsourcee background and being one of the Lead Consultants on the Outsourced jobs for my company, I would be one of those on the bandwagon supporting the Outsourcing trend. Why should I not, and why should I ever oppose it? After all, I get my bread and butter from outsourced jobs.

But just because I am an Outsourcee, should I deny the fact that there is risk in the Outsourcing models and approach being followed? Should I just try to conceal the fact that when an Organization outsources a process to a third party, be it for desktop support, security testing or network monitoring, the more accessible the electronic assets are, the greater is the risk of something bad happening? The potential for loss always increases given the seemingly endless amount of data stored, processed and transmitted through so many different devices.

Though it might seem so, it would not be a wild statement to say, "While most IT consultants are trustworthy and responsible, some might not be. Seemingly not-so-bad people are doing bad things on computers all the time – and often the company that hired them doesn't even realize it."

Let us examine the various risks that are associated with the outsourcing decision and then we can look into the aspects or steps that would help us in making the appropriate decision on outsourcing and what to outsource.

Concerns of Outsourcing

As every aspect of business has inherent concerns and related risks, so does the decision to outsource. Making a decision with knowledge of these inherent risks makes life easier, as we would be ready to take steps to avoid the materialization of these risks and any adverse impact on business profitability.

So what are the risks, and where do they exist? These are the main questions to be answered. Let’s have a closer look at the risks that exist with the decision to outsource –

- Loss of Control
- Availability v/s Quality
- Mutual Trust
- Costs – Real and Uncertain
- Knowledge Transfer
- Shared v/s Dedicated Operations
- Legal and Regulatory Compliance

Different views - Skype Detection - It's a Reality

I had written this article in November 2005, when an article on VoIP software by Jim Wagner was published. The summary of the same is –

"Researchers: Skype, VoIP Are Hot And Risky" by Jim Wagner. As per this article, "the research firm noted in a recent advisory, Skype doesn't leave an audit trail and could get companies into trouble on the compliance front; there's also the question of whether VoIP calls in general constitute a business record" are the words from a senior research analyst at Info-Tech.

But my team and I were already identifying and blocking Skype usage in the corporate network from June 2005. Following is the article that I had written then –

Peer-to-peer voice services are the talk of Internet users. Why not, as they provide inter-computer calling for free. So if you have a machine with a sound card and an Internet connection, you can connect to other users running the same peer-to-peer voice service software, and it's absolutely free.

Skype is one such software that has become quite popular. The developers of Skype have gone a step further in providing a service they call SkypeOut. Though it is a subscription-based service, it provides users with a facility to call landlines and cellphones for a fee.

With the increased usage of Skype and other such Peer to Peer voice services, the IT Security experts started throwing up warning flags about VoIP on the corporate network and pointing to one provider in particular. Research from VeriSign and Info-Tech Research Group said security risks surrounding increasingly-popular Internet phone software could put networks at risk and should be addressed.

Quoting from the article "Researchers: Skype, VoIP Are Hot And Risky" by Jim Wagner – "As it stands, the research firm noted in a recent advisory, Skype doesn't leave an audit trail and could get companies into trouble on the compliance front; there's also the question of whether VoIP calls in general constitute a business record" are the words from a senior research analyst at Info-Tech.

Somehow I disagree with the point that Skype does not leave any audit trail of its usage. At least we have successfully tested, and are using, the detection method in a live environment. The test that was conducted to detect the presence and usage of Skype in the network had two instances –

1. Port based detection

For port-based detection we derived that Skype tries to contact peers using the fixed TCP port 54045 when a conversation starts. If it fails on that port, it falls back to random TCP or UDP ports.

2. Signature based detection

For signature-based detection, packet analyzers can be used to analyze the Skype traffic, but this is slightly difficult due to encryption. Still, the conversation can be detected using custom signatures that look for certain patterns in the packets flowing through the network gateway. Thus an alarm can be raised whenever a matching event is found.

In either case, TCP reset (RST) responses could be configured on the IDS and Skype could be blocked. Additionally, Websense could be configured in Network Sensor mode and the traffic could be blocked.
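The two detection instances described above, fixed-port and signature-based, as an added example that is not the post's or the author's deployment: a small Python inspector run over constructed flow records. The only value taken from the post is TCP port 54045; the byte signature, the rule names and the sample flows are placeholders constructed for the demo, not real Skype patterns. The signature stage is deliberately aimed at the connection set-up bytes, since the media stream itself is encrypted and matching on it would not work.

```python
"""Two-stage detector: port-based and signature-based, over flow records.

Added example, not from the original post.  Port 54045/TCP is the value the
post reports; SIGNATURES and SAMPLE_FLOWS are constructed placeholders.
"""
import re
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    dport: int
    payload: bytes  # first bytes of the flow, as an IDS would see them


# Stage 1: port-based rule.  The post states Skype first tries fixed TCP 54045.
WATCH_PORTS = {("TCP", 54045)}

# Stage 2: signature-based rule.  Hypothetical handshake pattern: a 3-byte
# header, a 2-byte length, then a marker string.  Real signatures have to be
# derived from captures of the product's connection set-up.
SIGNATURES = {
    "demo-p2p-voice-handshake": re.compile(rb"\x17\x03\x01.{2}P2PVOICE", re.DOTALL),
}


def match_port(flow: Flow) -> bool:
    """Fixed-port check: cheap, but misses the random-port fallback."""
    return (flow.proto, flow.dport) in WATCH_PORTS


def match_signature(flow: Flow):
    """Pattern check on the payload; catches flows on any port."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(flow.payload):
            return name
    return None


def inspect(flows):
    """Return one alert per flow that trips at least one rule, with the
    reasons listed so an analyst can see which stage fired."""
    alerts = []
    for f in flows:
        reasons = []
        if match_port(f):
            reasons.append(f"port-based: {f.proto}/{f.dport}")
        sig = match_signature(f)
        if sig:
            reasons.append(f"signature-based: {sig}")
        if reasons:
            alerts.append({"src": f.src, "dst": f.dst, "reasons": reasons})
    return alerts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # fixed port, no recognisable payload: port rule only
    Flow("10.0.0.5", "203.0.113.10", "TCP", 54045, b"\x00\x01hello"),
    # random UDP port but matching handshake: signature rule only
    Flow("10.0.0.7", "203.0.113.11", "UDP", 41233, b"\x17\x03\x01\x00\x20P2PVOICE...."),
    # ordinary TLS ClientHello on 443: nothing fires
    Flow("10.0.0.8", "198.51.100.2", "TCP", 443, b"\x16\x03\x01\x00\x9c\x01\x00"),
    # fixed port and handshake together: both rules fire
    Flow("10.0.0.5", "203.0.113.12", "TCP", 54045, b"\x17\x03\x01\x00\x10P2PVOICE"),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_FLOWS):
        print(alert)
```

The separate reasons per alert are what lets you tune each stage independently: a noisy port rule can be tightened without touching the signature, and a flow that only tripped the signature on a random port is exactly the fallback case the post describes.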

Tuesday, June 5, 2007

Driving Factors for Information Security

Information Security has become a need for the survival of business today. Irrespective of geographic location or industry sector, the following can be identified as the common driving factors for Information Security -

Information Security Threats and Risks

Any information system usage or implementation may be a target for a range of serious threats, including computer-based fraud, espionage, sabotage, vandalism and other forms of system failure or disaster. This may result in the risk of data loss from accidental or mala fide unauthorized access, use, misappropriation, modification or destruction of information and information systems.

Moreover, sharing information for business reasons using new applications and inter-connected resources increases the threat of information pilferage. Ensuring the security of business-critical information is important for an Organization to maintain competitive advantage in the marketplace. In the course of conducting business, such information must be shared hundreds, even thousands, of times each day. Designing, building, marketing and selling products requires discussing, faxing, e-mailing or otherwise sharing sensitive, proprietary information. Each time such information is shared, it is further exposed to the risk of being lost or compromised, and each conduit for information sharing presents an opportunity for unauthorized persons to attempt to acquire it.

Inconsistent policies for assigning system usage may also result in access rights to information and information systems exceeding the needs of employees’ job responsibilities. While the number of users accessing information systems is increasing, the control exercised by the system owners or providers is being dissipated.

While technological advancement has provided significant benefits, it has also equipped malicious users with more advanced means and tools to obtain unauthorized access to data and information. With the availability of the Internet, the risk increases further, as these tools are freely available.

Legal and Statutory Requirements

Security requirements also arise from, and are subject to, the statutory and contractual requirements of the Organization, its service providers and third parties. The Information Security Department will also ensure that the security policies take account of these requirements.

(The U.S. government has created new laws that specifically address Information Age misconduct; the Sarbanes-Oxley Act, GLBA and HIPAA are the names worth mentioning in this respect. In India too, initiatives have been taken in this regard and the “Indian Information Technology Act 2000” has been rolled out. More is expected to fall in place as the Government and industry consortia work in unison to create the much-awaited infrastructure for secure organizational practices.)

Apart from the laws, there are the internationally acclaimed best practices and standards that have evolved. ISO/IEC 27001, ISO/IEC 17799, ISO/IEC 21827 and ISO/IEC 15408 from ISO, along with COBIT, COSO and SAS 70, are a few of the standards against which organizations are seeking compliance for their Security Practices and Operations.

But beyond these laws, best practices and standards, organizations need to know how to create a system and a culture that will not be susceptible to this type of illegal behavior. It’s good practice to put some basic policies and guidelines in place and share them with associates, consultants, customers and vendors.

Gaining User Support

It is also necessary to ensure an adequate IT control environment to minimize the risk of any negative incidents involving computers. This assumes significance in view of the rapid strides the Organization has made in adopting newer technologies. End-user confidence and support is one of the fundamental building blocks for deriving the full benefits of IT resources.

Building Customer Confidence

Customers must have confidence that information systems will operate as intended without unanticipated failures or problems. Otherwise, the systems and their underlying technologies may not be utilized to their optimum level, and further growth and innovation may be inhibited.

Any views?

Sunday, May 27, 2007

Principles of Information Security

Information Security has three basic principles commonly referred to as the CIA Triad of Information Security (i.e. Confidentiality, Integrity and Availability). These principles include standards, conventions and mechanisms that form the basis for defining and implementing security controls and practices.

In addition to the base principles (i.e. confidentiality, integrity and availability), there are a few additional principles that relate more to the technological and process controls that could be deployed to achieve the desired level of Information Security. The following paragraphs detail the base as well as the additional principles that assist in the effective management of Information Security:

Confidentiality

Providing the framework to restrict access to data and information, Confidentiality refers to the protection of information from disclosure to, or interception by, unauthorized individuals. The concept of Data / Information Privacy stems from the Confidentiality principle.

The simple question to be answered for the Confidentiality part is - "Is the person accessing the Data / Information the right person to do so?"

Integrity

Providing the framework for Data / Information accuracy and completeness, Integrity refers to the quality of Data / Information. Integrity ensures that information, once recorded and approved, cannot be modified in an unauthorized manner through improper channels.

The focus is on accuracy and completeness, as the consequences of using inaccurate information could be inaccurate or inadequate inputs for decision-making purposes.

Availability

Providing the framework for the timeliness and extent of Data / Information availability to users, Availability refers to the continuity of services and the controls that keep the required Data / Information reachable by its users.

Availability also encompasses the technical deployment, i.e. networked machines and the other aspects of the technology infrastructure.

Authentication

Authentication refers to the mechanism deployed to ensure that the person trying to access the Data / Information is the right person to do so. It involves the Identification step and can be called the Gate Keeper stage for Data / Information access.

Authorization

Authorization refers to the mechanism deployed to control the kind of access a user gets to the Data / Information and to the systems deployed to store, process and transmit it. It is usual practice to define the Authorization levels as per the roles and responsibilities of the authenticated user.

Accountability

Accountability refers to the mechanism deployed to ensure that the ownership of actions carried out by a user while dealing with Data / Information can be ascertained, and that users are made responsible for the overall security of the Data / Information.

Auditability

Auditability refers to the system controls that ensure the system has a mechanism to record user actions and assist in establishing the accountability of the user. The Auditability feature is vital during troubleshooting exercises.
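The four mechanism-level principles above (Authentication, Authorization, Accountability and Auditability) map onto four distinct stages that a single access request passes through. As an added example, not from the original post, here is that pipeline in Python: the identity is established first (the gate keeper), the role is then checked against a permission matrix, and every decision, including refusals, is written to an audit trail so that ownership of the action can later be ascertained. The user names, passwords, roles and the resource name are all constructed for the demonstration.

```python
"""One access request through Authentication -> Authorization -> Audit trail.

Added example, not from the original post.  All accounts, roles and the
resource name are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time

# --- Authentication: the gate keeper stage ---------------------------------
# Credentials are kept as salted PBKDF2 hashes, never as clear-text passwords.
USERS = {}  # username -> (salt, password_hash, role)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt), role)


def authenticate(username: str, password: str):
    """Return the caller's role if the credentials are right, else None.
    This stage only establishes WHO is asking, not WHAT they may do."""
    record = USERS.get(username)
    if record is None:
        # Still spend a hash so an unknown account is not distinguishable
        # from a wrong password by response time.
        hash_password(password, b"\x00" * 16)
        return None
    salt, stored, role = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return role if hmac.compare_digest(hash_password(password, salt), stored) else None


# --- Authorization: access defined per role, as the post recommends --------
PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


def authorized(role: str, action: str) -> bool:
    return action in PERMISSIONS.get(role, set())


# --- Accountability and Auditability: every decision leaves a record -------
AUDIT_LOG = []


def audit(username: str, action: str, resource: str, outcome: str) -> None:
    """Append one record per decision.  Denials are recorded too: a trail
    of only successes cannot support troubleshooting or accountability."""
    AUDIT_LOG.append({"ts": time.time(), "user": username, "action": action,
                      "resource": resource, "outcome": outcome})


def access(username: str, password: str, action: str, resource: str) -> bool:
    role = authenticate(username, password)
    if role is None:
        audit(username, action, resource, "AUTHN_FAIL")
        return False
    if not authorized(role, action):
        audit(username, action, resource, "AUTHZ_DENY")
        return False
    audit(username, action, resource, "ALLOW")
    return True


def demo():
    """Run a handful of constructed requests and return the decisions
    alongside the outcomes recorded in the audit trail."""
    USERS.clear()
    AUDIT_LOG.clear()
    register("alice", "correct horse", "analyst")   # constructed account
    register("bob", "battery staple", "admin")      # constructed account
    decisions = [
        access("alice", "correct horse", "read", "ledger.xls"),    # allowed
        access("alice", "correct horse", "delete", "ledger.xls"),  # role lacks delete
        access("alice", "wrong", "read", "ledger.xls"),            # bad password
        access("bob", "battery staple", "delete", "ledger.xls"),   # admin may delete
        access("mallory", "x", "read", "ledger.xls"),              # unknown account
    ]
    return decisions, [entry["outcome"] for entry in AUDIT_LOG]


if __name__ == "__main__":
    for decision, outcome in zip(*demo()):
        print(decision, outcome)
```

Keeping the three checks in separate functions is the practical point: the audit record says which stage refused the request, so a failed login and a permission shortfall are never confused with each other when the trail is reviewed.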

Assurance

Assurance highlights the need to ensure that the interests of the various parties involved are safeguarded. Assurance of Data / Information Security is required from the perspective of the various stakeholders, including Governmental / Law Enforcement Agencies, Investors, Management, Employees etc.

Awareness

Last but not least, Awareness is still not a much-stressed principle. Awareness of the Policies, Procedures, Processes, Guidelines, Organizational Operating Procedures etc. provides the mechanism for trained and efficient users who can support effective Processes and Procedures.

IT Security V/S Information Security

IT Security and Information Security are two different domains often misunderstood as one. Though both have some common areas to be dealt with, by and large IT Security is a subset of Information Security.

IT Security deals with the technical set of controls and revolves more around the technological deployments across the Business to store, process, generate or transmit Information. Information Security, on the other hand, also covers additional functions such as Business Operations, Legal, Human Resources, Facility Management etc., i.e. it also encompasses the various departments that deal with data and information in other than electronic format.

If we talk of the controls that form part of IT Security, then we would have controls revolving around the following heads -
  1. IT Risk Assessment
  2. IT Asset Classification and Management
  3. Logical Access Control
    1. User Management
    2. Password Guidelines
    3. Access Rights and Permissions
    4. Login Restrictions
  4. Physical Access Control
    1. To the Data Center / Server Room
    2. To End User Terminal
  5. Emanation Security - dealing with Cabling security etc
  6. Communication Security - dealing with security during electronic transmission
  7. Systems Development, Acquisition and Management
    1. In-house Development
    2. Out-Sourced Development
    3. Off the Shelf Purchase
    4. System Change Management
  8. End User Computing
    1. Access to End User Development - Usage of Scripts and Macros in documents and spreadsheets
    2. Access to Install Custom Programs and Free-wares
    3. File Sharing through Local Shares
    4. Email and Internet Usage
    5. Acceptable usage of IT Resources
  9. Disaster Recovery Planning
    1. Backup and Archiving
    2. DR Site Planning
    3. Fault Tolerance and Site Redundancy Planning
  10. Network and Operations Management
    1. Network Documentation
    2. Network Controls
    3. IP Addressing and Network Zoning
    4. Network Performance Monitoring and Capacity Management
    5. Remote Connectivity and Remote Access Management
    6. Usage of Cryptographic Techniques
    7. Operations Management
    8. Malicious Content Management
    9. Incident Monitoring and Management
    10. Media Handling and Storage
    11. Audit Logging and Log Retention
    12. Segregation of Development, Test and Production Environment
The additional control areas that would form part of Information Security can be listed as -
  1. Physical and Environmental Security - Encompasses Emanation and Cabling Security along with deployment of Human Personnel, CCTV Monitoring mechanism etc.
  2. Third Party Operations
  3. Business Continuity Management
  4. Compliance Audit and Management
  5. Human Resource Security - Identifying Human resource involved in operations as a source of threat
  6. Business Threat and Risk Assessment including Business Impact Analysis
References -

ISO/IEC 17799, ISO/IEC 27001, COBIT