ERE Information Security Auditors

Archive for March, 2010

Beware of the photocopier as an Information Thief

Wednesday, March 31st, 2010


“High-tech copy machines a gold mine for data thieves” was a story printed on March 18, 2010 in the Toronto Star, and it should give pause to every one of us. That is, to everybody who uses a smart photocopier or who provides access to one for others.

You may think this is overreaction, but is it?

By smart photocopier, I mean one with a computer inside that provides all the great features. The computer also has a disk, which indiscriminately retains an image of every document scanned, including sensitive personal ones like tax returns (social insurance numbers), job applications, and legal documents.

It just as readily retains images of critical corporate information: executive summaries of corporate plans, new business strategies, and unpublished quarterly financial reports.

So everybody using a smart photocopier really needs to give some thought to the consequences of their confidential material falling into the hands of those who would benefit from its unauthorized use. How could this happen, you ask? In lots of ways.

Someone such as a photocopier service technician could simply copy the disk data, and so could anyone with unauthorized access to the machine at night. If the copier has a data access port, anyone familiar with that port's communications capabilities could walk by with a smartphone and download the stored images.

Twenty years ago I remember watching a news documentary describing a similar but lower-tech use of photocopiers to steal sensitive and critical information. Apparently during the Cold War, spies would insert a camera into a photocopier destined for the opposition's embassy. Then the "copier tech" would surreptitiously remove the film from the hidden camera in the photocopier and, of course, replace it with more unused film.

So, without becoming paranoid about photocopiers, how can you get them to do your bidding with confidence that your sensitive and critical information will not fall into the hands of others?

Some simple things you can do are:

1. Always do your own photocopying whenever possible.

2. If you must use a copy service, then keep your eyes on your original documents and all copies of them, just as diligently as you would keep an eye on your credit/debit card during a purchase.

3. Don’t use smart photocopiers unless you are sure of the security policy by which they are managed.

As the custodian of a smart photocopier, ensure your telecommunications and security people have:

a. Configured it to communicate only as mandated by your corporate security policy.

b. Implemented an ongoing process to regularly scrub the disk (overwrite the stored images) rather than merely "delete" them, since a delete leaves the image data on the disk.

c. Implemented an ongoing process to monitor the copier's event logs and alert on suspicious activity such as unauthorized attempts to connect it to a telecommunications network, unauthorized attempts to communicate with its data port in order to retrieve data, and unauthorized attempts to open or tamper with the machine.

Prior to sending the copier off premises for service or for disposal, ensure the disk is either removed and destroyed, or that all data on it is scrubbed completely. Otherwise you could face the same consequences as when confidential data on a used and resold workstation or laptop is retrieved by its new owner.
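Why item (b) says scrub rather than delete, and why the disposal step says the disk itself must be wiped, is easiest to see in code. The following is an added example, not code from the original post or from any copier vendor. It models the copier's disk as a flat byte array with a directory (the `ToyCopierDisk` class and its method names are invented for the demonstration), assumes, as with most file systems, that "delete" only drops the directory entry, and then does what a thief holding the raw disk does: ignore the directory and carve images by file signature. The file names and page contents are constructed samples; only the JPEG start-of-image marker is real.

```python
import os

# Start-of-image marker followed by a JFIF APP0 segment: the first bytes of a
# typical JPEG, and therefore what a file-carving tool scans a raw disk for.
JPEG_SOI = b"\xff\xd8\xff\xe0"


class ToyCopierDisk:
    """A copier disk reduced to its essentials: a flat byte array plus a
    directory mapping file name -> (offset, length).  Assumption (constructed
    model, not a real MFP file system): 'delete' drops the directory entry and
    leaves the sectors untouched until reused, as most file systems do."""

    def __init__(self, size):
        self.blocks = bytearray(size)
        self.directory = {}
        self._next_free = 0

    def store(self, name, data):
        off = self._next_free
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next_free += len(data)

    def delete(self, name):
        """Ordinary delete: forget where the file was; its bytes stay on disk."""
        self.directory.pop(name)

    def scrub(self, name):
        """Overwrite the file's sectors (random pass, then zeros) before
        releasing them, so nothing is left to carve."""
        off, length = self.directory.pop(name)
        self.blocks[off:off + length] = os.urandom(length)
        self.blocks[off:off + length] = bytes(length)

    def wipe_whole_disk(self):
        """Pre-disposal step: overwrite every sector, live or free, so images
        that were merely 'deleted' earlier are destroyed as well."""
        size = len(self.blocks)
        self.blocks[:] = os.urandom(size)
        self.blocks[:] = bytes(size)
        self.directory.clear()


def carve_jpegs(image):
    """What a thief with the raw disk does: ignore the directory entirely and
    scan for file signatures, returning each candidate image's bytes."""
    image = bytes(image)
    starts, pos = [], image.find(JPEG_SOI)
    while pos != -1:
        starts.append(pos)
        pos = image.find(JPEG_SOI, pos + 1)
    ends = starts[1:] + [len(image)]
    return [image[s:e].rstrip(b"\x00") for s, e in zip(starts, ends)]


def make_fake_scan(label):
    # Constructed sample: a JPEG header followed by ASCII text standing in for
    # the scanned page, so the recovered content is readable in the output.
    return JPEG_SOI + b"\x00\x10JFIF\x00" + label


def recoverable_after(action):
    """Store two 'scans', apply the per-file action ('delete' or 'scrub') to
    both, then carve the raw disk."""
    disk = ToyCopierDisk(4096)
    disk.store("tax_return.jpg", make_fake_scan(b"tax return, SIN 000 000 000"))
    disk.store("q3_results.jpg", make_fake_scan(b"unpublished Q3 financials"))
    for name in list(disk.directory):
        getattr(disk, action)(name)
    return carve_jpegs(disk.blocks)


def recoverable_after_disposal_wipe():
    """An image that was only ever 'deleted', before and after the whole-disk
    wipe that should happen before the copier leaves the premises."""
    disk = ToyCopierDisk(4096)
    disk.store("tax_return.jpg", make_fake_scan(b"tax return, SIN 000 000 000"))
    disk.delete("tax_return.jpg")
    before = carve_jpegs(disk.blocks)
    disk.wipe_whole_disk()
    return before, carve_jpegs(disk.blocks)


if __name__ == "__main__":
    for action in ("delete", "scrub"):
        found = recoverable_after(action)
        print(f"after {action}: {len(found)} image(s) carved", [f[11:] for f in found])
    before, after = recoverable_after_disposal_wipe()
    print(f"before disposal wipe: {len(before)} carved; after wipe: {len(after)}")
```

Run it and both "deleted" scans come back intact from the carve, the scrubbed ones do not, and the disposal wipe removes even the image nobody had scrubbed. The same holds on a real drive: a carver such as the ones used in forensic work reads sectors, not directories, so a copier's "delete" or even a reformat is no protection once the disk leaves your control.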

Of course we all know that there are dumb users even for smart photocopiers. How many times have we all found original documents left behind by a previous user of the copy machine? So it's probably a good practice to count your original documents before and after using a photocopier.

Have a secure week.

Ron Lepofsky, B.A.SC. (Mech Eng), CISSP

President

ERE Information Security Auditors

www.ere-security.ca

www.ere-security.com

E-Banking: Watch out!

Tuesday, March 23rd, 2010

Great article this week by Brian Krebs about the risks and liabilities of online banking for businesses, on Brian's blog: http://www.krebsonsecurity.com/2010/03/ebanking-victim-take-a-number/

But there is no need to take only Brian's word for it; every month there are news articles about security and privacy breaches at the information handlers and service providers for banks and credit card companies, as well as at the banks and credit card companies themselves.

My opinion on IT security and privacy with regard to online banking is: caveat emptor, buyer beware! There are several sources of security threats, with corresponding vulnerabilities, beyond the control of most consumers of online services. So I strongly advise online users to weigh the potential cost of a security breach against the time savings of online banking.

If the potential losses are large, say $25,000 for a small business, compared with 2 hours per week of time saved at $75/hour, which equates to $7,800 annually, then it may be advisable to take another step in evaluating the risks involved.

Let's say the user is not technically strong in IT security and therefore needs to make some qualitative, anecdotal assumptions about the risk of online banking. The user may consider the following risk factors:

  1. Banks make errors.
  2. Users make errors in all sorts of ways, such as not keeping their anti-virus signatures updated, not applying security and operating system patches/updates in a timely manner, visiting web sites that may inject malware into their systems, opening email attachments, opening email from unknown individuals, etc.
  3. Banks may not fully refund losses caused by a security breach during an online transaction.
  4. Banks may refund the funds, but not in a timely fashion.
  5. Do you want to do battle with a bank?

Based upon these and other risks, a user can decide whether their risk is high, medium, or low. They could then go a step further and assign a probability: 70% – 100% for high risk, 40% – 69% for medium risk, and 0% – 39% for low risk.

As a sanity check, they can estimate the expected cost of a loss as (% chance of loss) × (possible cost of loss). So a user who estimates that they face a medium risk of 50%, and who has at most $50,000 in their online account at any time, faces an expected cost of breach of 50% × $50,000, or $25,000.

Compared with $7,800 in annual savings, it may then be a good idea to consider other options, such as:

  1. Doing only online bank enquiries, ensuring there are no transaction (change) privileges attached to the online account.
  2. Asking to see the bank’s written policy about how they deal with clients who suffer losses due to a security breach.
  3. Purchasing insurance for losses caused by an online banking error or security breach.
  4. Dramatically improving the security procedures they follow for protecting the computer(s) used for e-banking, and the network on which they reside.

What do you think?

Regards, Ron Lepofsky, CISSP

www.ere-security.ca

Quantifying Risk and Cost of IT Security Compliance: Part 5

Thursday, March 18th, 2010

This week's blog is Part 5 of a 5-part series.

You may not have heard of the IT security term ROSI; it stands for return on security investment. It's really the same as ROI, but it helps to convey to executives that a business case is being built according to security best practices.

Determining if ROSI Objectives are Met

The rubber meets the road when it is time to determine whether or not the ROSI objectives for security/policy/compliance have been met. Conveying this determination is essential to building (or destroying) the credibility of the group that made the mitigation recommendations in the first place.

Determining ROSI is quite simple. The actual costs resulting from events are compared with the costs projected after mitigation. If mitigation was successful, then the actual costs should be near or below the projected costs. This information can be presented as an updated version of Exhibit 3, shown as Exhibit 5 – Projected vs. Actual Cost of Losses. For accuracy, new trends that developed in the security environment over the period of study should be considered. If new trends increased the cost of losses, and the effect can be quantified, then the results should be reported accordingly.

Exhibit 5 – Projected vs. Actual Cost of Losses. This exhibit can't be shown in the blog, but you can see it in a whitepaper on the ERE web site, www.ere-security.ca.

Summary

The task of getting approval for a sufficient budget for IT security, privacy compliance, and IT regulatory compliance is usually frustrating and arduous. It can be made easier by presenting the IT security governance body with simple-to-understand graphics rather than complex business plans. The graphs should depict the relationship between the cost of risk and the cost of mitigation. The presentation should occur both at budget request time, to show the intended plan, and after the budget cycle, to show the actual results. Hopefully the results trump the plan.

Sources of Information

(1) AS/NZS 4360:2004 Risk Management Standard http://www.ncsi.com.au/as4360.html

(2) Calculations of ALE are based upon The Official CISSP CBK, 2009, published by ISC2 www.isc2.org

(3) NIST SP 800 series http://csrc.nist.gov/publications/PubsSPs.html

(4) ISACA: CISM Review Manual 2010 www.isaca.org

(5) PCI Security Standards – PCI https://www.pcisecuritystandards.org/index.shtml

(6) NERC – CIP 02 – 09 www.nerc.com

(7) ROSI: Calculating Security Return on Investment, Don O'Neill, Software Engineering Institute / CERT, 2007 https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/677-BSI.html

(8) Gartner whitepaper: "Incorporating Security into the Enterprise Architecture Process", Jan 2006 www.gartner.com

(9) EISA: http://en.wikipedia.org/wiki/Enterprise_information_security_architecture

(10) The U.S. Department of Defense (DoD) Architecture Framework (DoDAF) http://www.architectureframework.com/dodaf/

(11) Extended Enterprise Architecture Framework (E2AF) from the Institute For Enterprise Architecture Developments. http://www.enterprise-architecture.info/

(12) Federal Enterprise Architecture of the United States Government (FEA) http://www.whitehouse.gov/omb/e-gov/fea/

(13) Capgemini's Integrated Architecture Framework http://www.capgemini.com/services-and-solutions/technology/soa/overview/ent_architecture/iaf/

(14) NIH Enterprise Architecture Framework http://enterprisearchitecture.nih.gov/About/Approach/Framework.htm

(15) Open Security Architecture http://www.opensecurityarchitecture.org/cms/index.php

(16) The Open Group Architecture Framework (TOGAF) http://www.opengroup.org/architecture/togaf8-doc/arch/

(17) Zachman Framework http://www.zifa.com/

(18) Control points from the COBIT framework.  http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security and Privacy Compliance Auditor

www.ere-security.ca

What about Smartphone Security Threats?

Monday, March 1st, 2010

In an article today entitled "Researchers Warn Of SmartPhone Security Threats", conveniently located in the RSS feed on our web site www.ere-security.ca (no self-serving here), the researchers in question discuss rootkit threats to smartphone operating systems.

From the article, it appears that some people may be surprised by rootkits turning up in smart devices. Why would anybody be surprised?

Please don't get me started about rootkits. For those of you not too familiar with these insidious creations of devious minds, rootkits are nasty programs designed to do whatever their author intends, including but not limited to providing administrative privileges to the author, stealing information, damaging the host system, and migrating to other neighbouring devices on a network. They are proficient at hiding themselves, using very sophisticated techniques that subvert the operating system's own view of its files, processes and registry entries, and in turn they may hide other malware from anti-virus technology. A very clear summary of the hows/whys/wheres of rootkits may be found at: http://en.wikipedia.org/wiki/Rootkit

I'd like to hear from those of you who:

  1. Found rootkits on your own or your clients' devices.
  2. Were asked by clients not to bother identifying the vector the rootkit used to insert itself.
  3. How you found them; by forensic audit processes, for instance?
  4. Found any software that is supposed to reside on workstations or servers and identify rootkits.
    1. Any rootkit software I've tested finds .dll files which appear as unidentified.
    2. I know there are lots of claims about tools that find/remove rootkits. My question is: has anyone found/built one that conclusively works without creating too many false positives?
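On point 4, the technique most rootkit detectors rely on is cross-view comparison: enumerate the same objects through the high-level path the rootkit is likely to have hooked and through a lower-level path it may have missed, and report the difference. The following is an added example, not code from the original post or from any detection product. It does the comparison for processes on a Linux host, reading /proc (what ps shows) against a brute-force kill(pid, 0) probe of every PID, and it re-checks each candidate because a process that exits or starts mid-scan looks exactly like a hidden one; that race is the usual source of the false positives the post asks about. The function names are this example's own; only os.kill, /proc and /proc/sys/kernel/pid_max are real.

```python
import os

FALLBACK_PID_MAX = 32768  # used when /proc/sys/kernel/pid_max is unreadable


def procfs_pids():
    """High-level view: the PIDs /proc lists, which is where ps and top look.
    A rootkit that filters directory listings hides a process here."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """Ask the kernel directly.  kill(pid, 0) delivers no signal: ESRCH means no
    such process, EPERM means it exists but belongs to someone else."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probe_pids(max_pid):
    """Low-level view: brute-force every possible PID through kill(pid, 0).
    Slow, but independent of the directory-listing path a rootkit usually hooks."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def still_hidden(pid):
    """Second look at a candidate: it must still exist *and* still be absent
    from /proc.  Drops processes that exited or were spawned mid-scan."""
    return pid_exists(pid) and str(pid) not in os.listdir("/proc")


def cross_view_diff(api_view, raw_view, recheck=still_hidden):
    """PIDs the kernel acknowledges but /proc does not list, after re-checking
    each one.  recheck is injectable so the logic can be exercised on
    constructed views without touching the live system."""
    candidates = raw_view - api_view
    return sorted(pid for pid in candidates if recheck(pid))


def read_pid_max():
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return FALLBACK_PID_MAX


if __name__ == "__main__":
    # Live run (Linux only): cheap view first, then the slow probe, then the
    # re-check so short-lived processes are not reported as hidden.
    hidden = cross_view_diff(procfs_pids(), probe_pids(read_pid_max()))
    print("hidden PIDs:", hidden or "none")
```

Two caveats a practitioner would add. This only finds processes hidden from the /proc path but not from the signal path; a kernel rootkit that hooks both, or one that lives below the kernel, passes the check, so an empty result is evidence, not proof of absence. And the same cross-view idea applies to files, sockets and, on Windows, registry keys, which is where the "unidentified .dll" reports from scanners come from: the scanner sees an object through one path that the other path does not account for.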

We all know the usual ways to guard against malware.  The questions are:

  1. Why would anybody be surprised when rootkits invade the domain of intelligent portable devices?
  2. Why do some users of said devices treat security with complete abandon, like the “wild west”?

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security and Privacy Compliance Auditors

www.ere-security.ca


Copyright © 2007-2008. All rights reserved.