Two recent events highlighted radically different approaches to information security: the Black Hat Briefings and BS7799 training. The Black Hat Briefings are highly technical - forensic analysis of a hacked server or web exploits via SQL will make most managers' eyes glaze. Naturally, BS7799 is very management-oriented, with no discussions of buffer-overflow techniques.
Black Hat Briefings is a wonderful opportunity for technical staff to improve their skills and gain new perspectives, and this applies not just to security-related staff. Your development team naturally concentrates on getting your applications working and available, but it is their oversights that create the buffer overflow vulnerabilities and insecure configurations that hackers exploit. They could certainly benefit from the paradigm shift of seeing how obvious the flaws are, and how easily hackers exploit them (this is "obvious" as in "why didn't I think of that", but in many cases no tools beyond a browser were required). Some tolerance of eccentric behaviour is required: in Hong Kong the speakers were almost exclusively younger than the business-attired audience, and dressed "casual" (or perhaps "scruffy"). Some took this "information warrior at the edge of civilisation" attitude too far - was it really necessary for Rain Forest Puppy to require the organisers to sign a non-disclosure agreement before he would reveal his real name so that travel arrangements could be made? Do his friends call him Rain, and should we address him as Mr. Puppy? The important point is to see the truth behind the distractions - the vulnerabilities and exploits covered are real, and many sites on the Internet, probably including the sites many of you are responsible for, are at risk.
However, many of the technical experts at Black Hat Briefings have difficulty with the practicalities of security for real organisations. This could be seen in statements like "users should avoid executing ...", or others implying that developers are responsible for buffer overflows, or that systems administrators are to blame for not applying security patches. This is blaming the victim for the crime. The real question for organisations is: given that we have human staff and tight schedules, how do we minimise the cost of incidents? The keynote speaker, Bruce Schneier, addressed this, saying that the way forward is to think "risk management", not "threat avoidance".
Information security is a management problem, and the responsibility of the whole organisation, not just IT. So organisations need both approaches: top-level support for a clearly-defined security policy, and delegation to expertise in specific technical areas so that the details are addressed.
Information Security Management: ISO17799, BS7799
Many people have heard of ISO9000, the International Standard for Quality Management, but soon we will be hearing a lot more about ISO17799, the Information Security Management standard. It was first published in December 2000, and is based on the British Standard BS7799-1. BSI Business Solutions have recently been presenting their courses, introducing BS7799 and preparing organisations to implement it, around the world.
ISO17799 is not a standard that your organisation can be certified against - it contains a Code of Practice, and it is not possible to be certified under a code of practice. However, BS7799-2 is a Specification which organisations can be certified under. Although ISO is also considering adopting BS7799 part 2 as an ISO standard, it is understood that the process will take a minimum of five years.
Like ISO9000, preparing your organisation for BS7799-2 certification is a lot of work, so what are the benefits? It will not guarantee that your organisation will have no security incidents, but it will make sure that you know about the incidents, that there is cost-effective prevention, and that there is effective incident response - in short, that the risks are managed. In the future, BS7799 (or the equivalent ISO standard) may become a requirement for doing business, just as some organisations are demanding or preferring suppliers with an ISO9000 certificate now.
BS7799 certification is not for every organisation; SMEs in particular will find the requirements daunting and the formal assessment costs prohibitive. However, the guidelines are well worth following. Developers of security products naturally emphasise the problems their product addresses. Taking a structured approach to information security, where the controls really address the largest threats, not just the latest hype, is to be recommended.
China Lab Launches Website
The China Accredited Laboratory Anti-Virus Products Testing and Certification Center launched its new website on 15th April, 2001. It is surveying virus prevalence in China through this website. About 4000 people visited the site on the first day.
CSI Sixth Annual "Computer Crime and Security Survey."
The Computer Security Institute published its latest annual survey on 12 March. Based on responses from 538 USA corporations and organisations, it found that the costs of computer crime are still rising. 85% reported having a security breach in the previous 12 months; 186 of those were able to quantify the cost and reported $377,828,700 in financial losses. This was a 42% increase from last year, when 249 respondents reported only $265,589,940 in losses - or, in losses per respondent, a 90% increase.
The most serious losses were from theft of proprietary information (34 respondents reported $151,230,100) and financial fraud (21 respondents reported $92,935,500). 70% reported the Internet as a frequent point of attack, against only 31% reporting internal attacks to be frequent. On a positive note, more were reporting intrusions to the police: 36%, against 25% in 2000 and 16% in 1996.
Many types of attack were on the rise: external penetration, DoS, employee misuse, and virus incidents. Virus incidents rose from 85% in 2000 to 94% in the latest report.
Patrice Rapalus, CSI Director, commented: "The survey results over the years offer compelling evidence that neither technologies nor policies alone really offer an effective defense for your organization. Intrusions take place despite the presence of firewalls. Theft of trade secrets takes place despite the presence of encryption. Net abuse flourishes despite corporate edicts against it. Organizations that want to survive in the coming years need to develop a comprehensive approach to information security, embracing both the human and technical dimensions."
How important is this survey for organisations? On one hand, it is a survey of a small number of organisations (very small, when you consider the size of the USA) in what, for most people, is a foreign country, so the accuracy and applicability of the statistics should be considered cautiously. On the other hand, the Internet knows no borders, and the general trends have been confirmed by local surveys and reports around the world.
The CSI Press Release and an application for a full copy of the survey can be found at the CSI website: http://www.gocsi.com/prelea_000321.htm