[SecurityRatty] tag: first-chance

What is a Wise Risk Decision Worth? or ISO 27001 KPIs Follow Up

Wed, 03 Dec 2008 12:47:11 +0000

So yesterday I asked readers to comment on thoughts I had that came from a question asked on the ISO 27001 Google Group:

“How I can communicate the value of an ISO implementation to non-security management?”

This question came to me after one of the posters on the ISO Google Group asked about KPIs for ISO implementation. Got great responses in email, blog comments, and on Twitter from current/former CISO folks and consultants and analysts. Some really great thought and effort, by the way - thank you. It’s really great to be able to have these sorts of conversations online.

First, I have to point out some resources Brian Honan linked to from Gary Hinson, just because they’re so cool. Gary has invested gobs of time and effort to become one of the defacto resources on the ISO (you might also want to read or re-read Gary’s web post on the 7 myths of metrics). Brian links to an implementation guidance document(pdf) and a metrics example(pdf) document.

As full of awesomeness as they are, though, these are simply metrics “mapped” to the ISO (i.e. the ISO isn’t a pre-requisite for generating this information). They are not KPI’s that express the value of ISO implementation. Problem is the metrics created here still require some level of “translation” in order to create some value statement that data owners can understand. As Myrcurial twittered me “27001 is orthoganal to process” meaning (I hope) that metrics have their foundation in events that are generated by processes. 27001 by itself was never meant to create metrics (see above), and so we’re asking a question the ISO can’t answer. But the desire, the need to measure still exists. To that extent we can google “ISO compliance” (whatever that means) and if something can be certifiable or deemed “compliant” we can and are “measuring”. But does that have value? Rybolov (my favorite Guerilla CISO) wrote:

“Whatever you do, don’t start measuring percentage of compliance. Eventually, that’s what all metrics efforts around a framework devolve into.”

I have to agree. Being ISO “compliant/certified” has little expressive business value prima facia. I find that one KPI that absolutely asserts value when expressed properly is risk - and similarly Shrdlu wrote:

“I really have no idea. I personally wouldn’t try to justify an ISO implementation by itself. If I could show traceability on how it affected our overall security risk, then that’s what I’d do.”

And that’s a delightful answer. That “traceability” (geeze-louise Shrdlu - what a word!) is absolutely what I’m after here. How do I get that?

If you’re going to do something with corporate budget (time, money - and goodness knows an ISO implementation is time & money) you better be able to communicate the value. And while the zealotry for ISO implementation differs from person to person, I have yet to come across someone who says that ISO adoption is totally without value. It’s just not apparent what that value of adoption is and how we can measure (metrics) and express it (KPIs).

Jenean Paschalidis wrote what he thought that value was in a very nice email in which he puts a qualitative name on the value of adoption:

“Transparency and accountability-this is what all executive/senior management (the company) is on the hook for. ISO provides that. If you want to understand and have confidence in your operations as supported by security (because you will know the who, what, where, when, why and how of a system (human, technical etc.) and you want to be able to trace back why a decision (risk-vetted) had been made - then adoption of this best international practice will assist in providing these answers.”

So working with our above thoughts a little here - if we agree with Shrdlu that the only value of an ISO implementation can only be expressed if we can say how said implementation affected our overall security risk - and we agree with Jenean that the primary benefit is an ability to have confidence in operations as supported by security, then….

The value of the ISO should be expressed as a KPI or set of KPIs that cleary explain how the confidence it generates helps us understand (and then reduce) our risk.

If risk is a probability issue, ISO adoption helps generate confidence in our predictive analytics. The dollar value the ISO generates (the ultimate KPI) is part of the cost of being able to make wise risk decisions.

So what is that (making wise risk decisions) worth to you?

SOME CONCLUDING THOUGHTS

First, it occurs to me that this is a real shame. In a sense, an inability to generate a quantitative value statement for ISO use is simply more witch-doctory (“use it because we, the wise men of the tribe say you should”). In some future version, the ISO should include some mechanism for measuring and expressing the worth of adoption to the organization (a better reason to use the ISO than “because we said so”).

Second, It should be noted that of Jack Jones’ 3 true value statements from which all metrics/KPIs should point to - we’re only talking about one of those value statements - the ability to reduce risk. Using the ISO in an organization most certainly could create operational efficiencies (help us do more with less) - but the ISO isn’t a standard that creates operational efficiencies as a primary goal, nor does it give implicit direction on how to create operational efficincies. The ISO folks do, however, play fast and loose with the idea of “risk” and “risk management” so it’s within this context that I interpreted our conversation.

Finally if you’re going to hire someone to help you with ISO adoption in your organization, the deliverables you ask for in your RFP/SOW/what-have-you should include quantitative (probability) statments about risk reduction and the creation of operational efficiencies. If the firms answering can’t tell you what value their work will be to your company, then drop me a note and I’ll gladly point you to some friends of RMI’s that know FAIR & all our Risk Management frameworks and also do great ISO work.

One More Bit On "Compliance First"

Wed, 03 Dec 2008 11:25:00 +0000

I did say that I am writing a longer blog post on that ("Scary Tales from 'Compliance First' World"), but I just can't resist.

Yes!, Yes!!, Yes!!! - everybody smart and security-savvy KNOWS: focus on security, risk management first AND whatever compliance du jour will come. "Security first" mantra works, it just works.

But you know what? I am constantly SHOCKED since I notice a volume of people who INSIST on "compliance first" AND in silo'ed, regulation by regulation way. OMFG!

Be Wary of Adele Services Small Charges in Your Bank Account

Wed, 03 Dec 2008 08:21:48 +0000

Check your account balances carefully to make sure this isn’t happening to you–

According to Ars Technica, there are a wave of fraudsters right now who are taking small amounts out of consumer bank accounts. They do this to test whether the account is good and verify it. First, they take somewhere between 19-29 cents. Then, when they’ve verified the account, they make as many charges as possible before they get noticed:

Beginning on or about November 20, various card holders began complaining online about unauthorized microtransactions that were suddenly showing up on their accounts. The charges fit the model described above, and were labeled as coming from Adele Services. Adele Services appears to be a dummy corporation; the 1-800 number listed as the customer contact point is disconnected and there’s no official website.

The company may not officially exist, but that hasn’t stopped it from continuing to test accounts. It’s impossible to state how many card holders have been pinged in this manner, but the number of online reports is growing steadily. Theories on which company’s security was breached abound, although the mob of sages has collectively ruled out PayPal, given the number of non-PayPal users affected.

Be careful shopping online this holiday season, and don’t ignore little changes in your account, and hopefully you’ll have a safe secure shopping season.

Online Finance Flaw: TIAA-CREF XSS & Potential CSRF

Wed, 03 Dec 2008 06:42:00 +0000

Before discussing a TIAA-CREF security flaw, allow me to clarify my "terms of engagement".
Prior to offering analysis of any security flaws in online financial services, be assured I have engaged the service provider and offered what I believe to a reasonable amount of time to remedy this issue. Specifically, a minimum of two weeks and three unique contact attempts are made. Should the vendor offer a timeline in which the issue will be resolved, so long as it is not months or years, I will wait until they are ready to deploy the fix, then discuss the vulnerability. If I am not in receipt of a reply other than generic customer service replies, I will follow the two week standard, then discuss the issue.

TIAA-CREF, or the Teachers Insurance and Annuity Association - College Retirement Equities Fund, is a respected, widely utilized provider of numerous financial products and services. The TIAA-CREF site is ranked 26,148 on Alexa.com at the time of this writing.

I'll first direct you to the TIAA-CREF Security page, where they discuss the expected elements like identity theft, spoofing, tips, and my favorite, phishing.
Here's where the trouble begins. Obviously, most phishing occurs when some miscreant creates a fake page and attempts to lure victims via email.
The severity of phishing risks are greatly increased by the introduction of a cross-site scripting (XSS) vulnerability in a site that is of high value to phishing attackers.
With such a vulnerability available, the prospect of success for a phisher are much higher given that the malicious URL they would craft could include the actual target domain, rather than a faked misrepresentation. A simple script insertion at the vulnerable variable would then allow the attacker to redirect victims to a maliciously crafted logon page in the context of the vulnerable site.
Sad side note: when you search security at the TIAA-CREF site, the above mentioned Security page is not returned in the results as I write this.
However, the resulting search URL serves as the starting point for our discussion of the flaw:
http://www.tiaa-cref.org/explore/portlets/search.jsp?query=security&strtfrm=1&totpresults=75&srchtype=4&sc=1&frmsite=0
The vast majority of non-search input variables on the TIAA-CREF site offer reasonable XSS protections, likely a blacklist method that redirects you to the following language when common XSS strings are noted, particularly where it counts at logon pages.
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
Unfortunately, this methodology was not deployed globally, and thus the following online finance flaw.
All input variables used in TIAA-CREF's search.jsp script are vulnerable to XSS.
Utilized by an attacker, this could have a much more significant impact on TIAA-CREF customers who fall victim to a now more convincing social engineering effort.
Here's the site before script insertion:

Here's the site after script insertion:

Further, certain parts of the site, including the Trust Company logon page, show potential signs of cross-site request forgery (CSRF) in that they accept updates via GET or allow submittal with the referrer stripped.

Lessons learned:
1) Don't assume all is well even though a site may offer examples of how attentive they are to security.
2) Never log on to an online financial service offering (or anything else for that matter) via a link sent to you in an email. Period.
3) Take all steps at your disposal to ensure you are logging in to and transacting with the actual site you intended to utilize. Don't depend on security badges and SSL certificates as your sole means of confirmation.
4) If you note something of concern at a site you utilize, advise them immediately and demand repair or clarification until you're satisfied.

Please feel free to send feedback to TIAA-CREF as I have per my "terms of engagement" above. Hopefully they'll resolve this issue soon, on behalf of customers in their care.

Up next in our series, two of the top five banks mentioned in Javelin Strategy & Research's Banking Identity Safety Scorecard are vulnerable to similar issues.

del.icio.us | digg | Submit to Slashdot

Online safety is a science, dont get infected!

Tue, 02 Dec 2008 13:17:11 +0000

Ran across this great article, its written with a touch of science applied to the threats that are out there online.
A must read.

clipped from www.sciencenewslive.com

Antispyware Software Helps Stop Cyber Intruders

One of the key weapons effective in fighting the battle against these despicable internet threat security trends that are so widespread these days is to have a robust and dependable antispyware software package installed on your system. But, it must be noted that installing internet security software is simply the first step, since it must be actively used and continually updated.

Links for 2008-12-01 [del.icio.us]

Mon, 01 Dec 2008 21:00:00 +0000

Last In - First Out: Janke’s Official 2009 Technology Predictions
Prediction 6: There will be a major security panic over some widely used but inherently insecure Internet protocol. The problem will not get resolved. Prediction 9: Web Apps will continue to be deployed with a 1:1 ratio of new web applications to applications that are vulnerable to SQL injection, XSS or XSRF. A few new applications will not be vulnerable. The rest will make up for those few with multiple vulnerabilities, keeping the overall ratio constant.

ISP's secret opt-in advertising test draws the UK's ire

Mon, 01 Dec 2008 15:50:02 +0000

It's no surprise that ISPs are aggressively pursuing new revenue streams, but UK ISP BT may have crossed the line. Two years ago it retained search records and information on some 18,000 users, without informing them first.

Sun Gives Advance Notice of Java Update

Mon, 01 Dec 2008 14:52:01 +0000

Tomorrow, Dec. 2, 2008, Sun will release updates for various versions of Java. This is the first example, to my knowledge, of an advance notification of an update by Sun Microsystems. In fact, it's the first advance notification I know of except for those from Microsoft, which started the practice to accommodate planning by IT departments. Microsoft's advance notifications come four days in advance of the actual update release. Sun's is one day in advance, and contains only minimal information. It says the following updates will be released:

JDK and JRE 6 Update 11
JDK and JRE 5.0 Update 17
SDK and JRE 1.4.2_19
SDK and JRE 1.3.1_24

It also lists Sun alert numbers for the updates, but there are no links or indications of what the alerts mean. I tried to search for the numbers but had no luck. Still, advance notification is a good thing and this is a step in the right direction. I hope it's a trend.

BlueHat SDL Sessions Wrap-up

Mon, 01 Dec 2008 14:51:00 +0000

Hi everyone, Bryan here. The debut BlueHat SDL Sessions are over, and they were a resounding success: 96% of attendees completing evaluation surveys reported that they will be able to apply knowledge that they learned in the SDL sessions to make their products more secure. This is a great score and I’d like to thank all of our speakers and the BlueHat planning team for their hard work. As for the other 4% of attendees, we’ll just have to work that much harder next year to bring them actionable guidance for dealing with new vulnerabilities.

As promised, we recorded all of the day’s presentations and we’ve published them on TechNet:

Keynote Address by Scott Charney, Corporate VP, Microsoft Trustworthy Computing

Threat Modeling at EMC and Microsoft by Danny Dhillon of EMC and Adam Shostack of the Microsoft SDL team (of course)

Mitigations Unplugged by Matt Miller, Microsoft Security Science team

Concurrency Attacks on Web Applications by Scott Stender and Alex Vidergar of iSEC Partners

Fuzzed Enough? When it’s OK to Put the Shears Down by Jason Shirk, Dave Weinstein and Lars Opstad, Microsoft Security Science team

Real World Code Review – Using the Right Tools in the Right Place at the Right Time by Vinnie Liu of Stach & Liu

In addition to the presentations, we also recorded some short interviews (about 10 minutes long) with each of the speakers. If you’re just looking for a quick summary of a particular talk, these interviews are the place to start:

Threat Modeling at EMC, Danny Dhillon

Threat Modeling at Microsoft, Adam Shostack

Mitigations Unplugged, Matt Miller

Concurrency Attacks on Web Applications, Scott Stender and Alex Vidergar

Fuzzed Enough? Jason Shirk and Dave Weinstein

Real World Code Review, Vinnie Liu

I hope at least 96% of online readers will be able to directly apply this material to their products, just like the show attendees. Please post back and let us know, either way. And let us know what you’d like to see for next year. We have big plans to build on our success and make SDL Sessions 2.0 even bigger and better than the first.

Communications During Terrorist Attacks are Not Bad

Mon, 01 Dec 2008 09:02:50 +0000

Twitter was a vital source of information in Mumbai:

News on the Bombay attacks is breaking fast on Twitter with hundreds of people using the site to update others with first-hand accounts of the carnage.
The website has a stream of comments on the attacks which is being updated by the second, often by eye-witnesses and people in the city. Although the chatter cannot be verified immediately and often reflects the chaos on the streets, it is becoming the fastest source of information for those seeking unfiltered news from the scene.

But we simply have to be smarter than this:

In the past hour, people using Twitter reported that bombings and attacks were continuing, but none of these could be confirmed. Others gave details on different locations in which hostages were being held.
And this morning, Twitter users said that Indian authorities was asking users to stop updating the site for security reasons.

One person wrote: "Police reckon tweeters giving away strategic info to terrorists via Twitter".

Another link:

I can't stress enough: people can and will use these devices and apps in a terrorist attack, so it is imperative that officials start telling us what kind of information would be relevant from Twitter, Flickr, etc. (and, BTW, what shouldn't be spread: one Twitter user in Mumbai tweeted me that people were sending the exact location of people still in the hotels, and could tip off the terrorists) and that they begin to monitor these networks in disasters, terrorist attacks, etc.

This fear is exactly backwards. During a terrorist attack -- during any crisis situation, actually -- the one thing people can do is exchange information. It helps people, calms people, and actually reduces the thing the terrorists are trying to achieve: terror. Yes, there are specific movie-plot scenarios where certain public pronouncements might help the terrorists, but those are rare. I would much rather err on the side of more information, more openness, and more communication.