<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>Home</title>
	<atom:link href="http://www.controlpolicy.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.controlpolicy.com</link>
	<description>Independent internal security in Central Europe</description>
	<pubDate>Sun, 07 Sep 2008 10:24:47 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.1</generator>
	<language>en</language>
			<item>
		<title>Operational Risk</title>
		<link>http://www.controlpolicy.com/2008/09/operational-risk/</link>
		<comments>http://www.controlpolicy.com/2008/09/operational-risk/#comments</comments>
		<pubDate>Sun, 07 Sep 2008 09:43:53 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Risk management]]></category>

		<category><![CDATA[&amp; Process Management]]></category>

		<category><![CDATA[Basel II]]></category>

		<category><![CDATA[Damage to Physical Assets]]></category>

		<category><![CDATA[Delivery]]></category>

		<category><![CDATA[Employment practices and Workplace Safety]]></category>

		<category><![CDATA[Execution]]></category>

		<category><![CDATA[External Fraud]]></category>

		<category><![CDATA[Internal Fraud]]></category>

		<category><![CDATA[Systems Failures]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=194</guid>
		<description><![CDATA[The two top categories of operational risk are Internal and External Fraud, but what IS &#8220;operational risk&#8221; exactly?

The best definition of operational risk comes from Basel II, which defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
Although originally designed for the banking [...]]]></description>
			<content:encoded><![CDATA[<h3 class="western">The two top categories of operational risk are Internal and External Fraud, but what IS &#8220;operational risk&#8221; exactly?</h3>
<p>The best definition of operational risk comes from Basel II, which defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.</p>
<p>Although originally designed for the banking system, where regulatory safeguards are meant to protect against large-scale failure of the banking system and the economy, a systematic approach to operational risk management is important for <strong>any</strong> kind of organization.</p>
<p><span id="more-194"></span></p>
<p>Basel II defines 6 categories of operational risk and excludes, for example, strategic risk - the risk of damage to the business from a poor strategic business decision.</p>
<ol>
<li>Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, corruption and bribery</li>
<li>External Fraud - theft of information, hacking damage, third-party theft (including data loss) and forgery</li>
<li>Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety</li>
<li>Clients, Products, &amp; Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning</li>
<li>Damage to Physical Assets - natural disasters, terrorism, vandalism</li>
<li>Business Disruption &amp; Systems Failures - utility disruptions, software failures, hardware failures</li>
<li>Execution, Delivery, &amp; Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets</li>
</ol>
<h3 class="western" style="padding: 0in 0in 0.01in; background: transparent none repeat scroll 0% 0%; margin-right: 0.01in; margin-top: 0in; margin-bottom: 0in; border: medium medium 1px none none solid -moz-use-text-color -moz-use-text-color #000000;"><span><span><span><span><span><span><span style="color: #0f543b;"><span style="font-family: Cortoba;"><span style="font-size: small;">Make no mistake:<br />
</span></span></span></span></span></span></span></span></span></h3>
<ul>
<li><p>Today’s most devastating attacks on a business are launched from inside the organization. Competitors and criminals exploit systems and employees in order to access and manipulate customer data, financials, marketing plans and intellectual property.</p></li>
<li><p>Security focus remains on outsiders, despite the fact that insider fraud and data theft are the leading white-collar crimes worldwide. Most firms lack the capability to detect, monitor, quantify and prevent fraudulent events inside their organization.</p></li>
<li><p>Fraud and data theft can be committed through many methods, including mobile phones and the Internet. The difficulty of validating online identity, the speed with which hackers can exploit IT vulnerabilities, the international dimensions of the Web and the ease with which users can hide their identity all contribute to making the Internet the fastest growing area of fraud and data theft.</p></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/09/operational-risk/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Automate your annual risk and compliance assessment</title>
		<link>http://www.controlpolicy.com/2008/08/making-iso27001-risk-assessment-effective/</link>
		<comments>http://www.controlpolicy.com/2008/08/making-iso27001-risk-assessment-effective/#comments</comments>
		<pubDate>Fri, 29 Aug 2008 13:08:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[information security management]]></category>

		<category><![CDATA[cost effective]]></category>

		<category><![CDATA[credit cards]]></category>

		<category><![CDATA[PTA]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=20</guid>
		<description><![CDATA[Many small to medium-sized enterprises (SME) have risk and privacy compliance issues similar to big companies without the big budgets.
Control Policy Group&#8217;s free risk and compliance automation tool provides an SME with an extremely cost-effective way of collecting data, analyzing risk, meeting compliance requirements and providing effective internal security to the business.
The Control Policy [...]]]></description>
			<content:encoded><![CDATA[<p>Many small to medium-sized enterprises (SME) have risk and privacy compliance issues similar to big companies without the big budgets.</p>
<p>Control Policy Group&#8217;s free risk and compliance automation tool provides an SME with an extremely cost-effective way of collecting data, analyzing risk, meeting compliance requirements and providing effective internal security to the business.</p>
<p><strong>The Control Policy risk and compliance automation tool provides 4 key benefits for an SME (besides being free&#8230;):</strong><span id="more-20"></span></p>
<ol>
<li>It&#8217;s <strong>quantitative</strong>: it enables business decision makers to define the dollar value of assets, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.</li>
<li>It&#8217;s <strong>robust</strong>: it preserves the integrity of the data you collect during the risk assessment; Excel is the wrong tool for maintaining the large, complex, multi-dimensional data models used during a risk assessment.</li>
<li>It&#8217;s <strong>versatile</strong>: it enables a business to reuse existing knowledge in new business situations and perform what-if analysis on control scenarios without jeopardizing the integrity of the data.</li>
<li>It&#8217;s <strong>effective</strong>: it recommends the right security controls and the most effective order of implementation, saving you money.</li>
</ol>
<p>The risk and compliance automation tool is implemented as a plug-in ISO27001 library for PTA Professional. This PTA ISO 27001 library is a full implementation of the ISO 27001 standard and is provided free of charge to any ISO consultant or business wishing to certify to the standard. The user-friendly PTA Professional application for Windows is available as a free download at the <a href="http://www.ptatechnologies.com/">PTA Technologies</a> web site. The <a title="Control Policy ISO27001 automation tool " href="../wp-content/uploads/2008/06/pta_iso27001_library.zip" target="_blank">Control Policy Risk and Compliance Automation tool</a> is provided free of charge to end users and to security and compliance consultants, and is licensed under the Creative Commons Attribution License by the <a href="../">Control Policy Group</a>.</p>
<h4>Compliance is a minimum requirement for risk management, but not a sufficient one.</h4>
<p>What security controls should a firm implement after a risk assessment? All, none, some?</p>
<p>We all know that a business can be compliant with a standard such as PCI DSS 1.1 and still suffer from a data security breach.</p>
<p>There are always many more available security products, services and controls than threats. Many businesses find themselves coping with a long and confusing shopping list of controls specified by standards like PCI DSS and ISO27001. You can implement all the controls in the standard (if you have deep pockets), you can do nothing (ignore the risk assessment), or you can try to get the biggest bang for your dollar by implementing the right security controls at the lowest cost.</p>
<p>It is well known that implementing additional controls does not necessarily reduce risk.</p>
<p>For example, beefing up network security (like firewalls and proxies) and installing advanced application security products is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.</p>
<p>The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.</p>
<h4>Using the risk and compliance automation tool to get  the right security at the right price</h4>
<p>By using the ISO27001 framework with PTA, a business can construct, in business terms, an economically justified set of security controls that reduces risk in its specific business environment. A company can implement security controls consistent with its budget instead of an expensive all-or-nothing checklist of controls.</p>
<p>ISO27001 specifies that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). The ISO27001 automation tool provides a systematic and quantitative approach to risk assessment and adds value with an optimized risk mitigation program. Doing a risk audit process is faster, easier, more robust and a lot more fun than with an Excel spreadsheet.</p>
<h4>An ISO 27001 risk assessment with Control Policy involves a two-stage process:</h4>
<ul>
<li>Stage 1 is a &#8220;first cut&#8221; review of the existence and completeness of key documentation for Security Policy and Information Security Management System (ISMS). This is done by cycling through the threat model, tagging top-level vulnerabilities with a status and storing appropriate documentation in the model, while linking to the appropriate entity.</li>
<li>Stage 2 is a detailed, in-depth audit that tests the existence and effectiveness of control policies as well as their supporting documentation. Controls that already exist are marked as &#8220;Already Implemented&#8221; in the PTA Professional Edition countermeasures detail screen. Controls needing work are tagged with an action-required status (see the tagging option of the PTA tool).</li>
</ul>
<h4>Step by Step with the ISO27001 automation tool</h4>
<p>First download and install the PTA Professional Edition <a href="http://www.ptatechnologies.com/?action=download">free risk assessment software</a> on a Windows XP PC. Then <a title="ISO27001 Automation Tool" href="http://www.controlpolicy.com/wp-content/uploads/2008/06/pta_iso27001_library.zip" target="_blank">download the PTA ISO27001 library</a>.</p>
<ul>
<li>Step 0 - Fire up the program</li>
<li>Step 1 - Load the ISO27001.2.thl library into your own threat model or just open the ISO27001.2.thm data model in its entirety</li>
<li>Step 2 - Create assets with valuations</li>
<li>Step 3 - Enter the costs of countermeasures; the PTA ISO 27001 library that we provide is agnostic, since we understand that each organization has its own estimates of how much a control policy should cost.</li>
<li>Step 4 - Run the <strong>Optimized Countermeasures</strong> report. You have just built a cost-justified plan of controls compliant with ISO 27001.</li>
<li>Step 5 - Refine the model. Don&#8217;t stop here; return to the model periodically and test the effectiveness of your risk mitigation program. For a structured methodology of continuous security assessment see the excellent article on the Software Associates Web site titled <a href="http://www.software.co.il/content/view/195/41/">&#8220;Practical software security assessment&#8221;</a></li>
</ul>
<p>The power of the PTA ISO27001 library is demonstrated by a simple risk assessment with assets and threats that was built in just a few minutes, available online: <a href="http://www.controlpolicy.com/wp-content/uploads/2008/06/pta_iso27001_library.zip">Download now</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/08/making-iso27001-risk-assessment-effective/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Effective security and compliance without political suicide</title>
		<link>http://www.controlpolicy.com/2008/07/organizational-politics-is-not-a-dirty-word/</link>
		<comments>http://www.controlpolicy.com/2008/07/organizational-politics-is-not-a-dirty-word/#comments</comments>
		<pubDate>Mon, 21 Jul 2008 07:37:12 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Risk management]]></category>

		<category><![CDATA[ISO 27005]]></category>

		<category><![CDATA[Organizational politics]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=19</guid>
		<description><![CDATA[Most organizations separate the two functions: security functions typically inside the IT department and compliance usually reports to corporate finance or general management for large companies in a Chief compliance office.
We believe that security and compliance operations in a company are synergistic. Question is - How can you do it without committing political suicide in your [...]]]></description>
			<content:encoded><![CDATA[<p>Most organizations separate the two functions: security typically sits inside the IT department, while compliance usually reports to corporate finance or general management, or in large companies to a Chief Compliance Office.</p>
<p>We believe that security and compliance operations in a company are synergistic. The question is: how can you do it without committing political suicide in your company?</p>
<p><span id="more-19"></span></p>
<p>I saw a good example of this last year in an IT security audit we did for a NASDAQ-traded company as part of their Sarbanes-Oxley annual compliance effort. The VP Global IT was careful to explain to us that our scope of work was the information systems: we needed to look at the three pillars of information security, confidentiality, integrity and availability. When I asked about fraudulent use of the line-of-business applications (they&#8217;re a big Oracle Applications user), he said:</p>
<p>&#8220;Oh no, we&#8217;ve set up a separate fraud committee; if anything bad happens, <strong>it definitely is not my problem</strong>.&#8221; I paused for a moment and thought to myself: this guy is really smart; he doesn&#8217;t have responsibility for financial reporting controls, so why should he have any responsibility for the risk damage?</p>
<p>It&#8217;s like I learned at Intel: organizational politics is not a dirty word, and staking out turf, avoiding turf wars by &#8220;segmentation&#8221; of the risk, is a very good thing.</p>
<p>Segmentation of risk is a central precept in any risk management activity, not just from the political perspective.  Segmentation allows a company to separate functions on the basis of operational responsibility and need to know.</p>
<p>The International Standards Organization (ISO) is going in this direction with a relatively new 55-page standard released in June 2008, ISO 27005. As ISO explains on the <a href="http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42107">ISO 27005 information page</a>:</p>
<p>&#8220;ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization&#8217;s information security.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/07/organizational-politics-is-not-a-dirty-word/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Controlling risk</title>
		<link>http://www.controlpolicy.com/2008/06/controlling-risk/</link>
		<comments>http://www.controlpolicy.com/2008/06/controlling-risk/#comments</comments>
		<pubDate>Tue, 24 Jun 2008 17:13:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Risk management]]></category>

		<category><![CDATA[practical threat analysis]]></category>

		<category><![CDATA[threat modeling]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=17</guid>
		<description><![CDATA[In a recent article published online at the JFK School of Government at Harvard - Malcolm Sparrow talked about how controlling risks, is a central challenge for government regulators charged with the task of reducing societal ills and preventing bad things from happening. Professor Sparrow notes there does not seem to be a well-established language [...]]]></description>
			<content:encoded><![CDATA[<p>In a recent <a title="Controlling risk" href="http://www.hks.harvard.edu/news-events/publications/insight/management/malcolm-sparrow" target="_blank">article</a> published online at the JFK School of Government at Harvard, Malcolm Sparrow talked about how controlling risks is a central challenge for government regulators charged with the task of reducing societal ills and preventing bad things from happening. Professor Sparrow notes that there does not seem to be a well-established language for risk assessment.</p>
<p>We think it is interesting to analyze the causes of this situation.</p>
<p><span id="more-17"></span></p>
<p>1. We believe that US and EU government regulators are responsible for the focus on the compliance process as opposed to a focus on cost-effective risk mitigation (which does have a common language of dollars and Euros). It is ironic that regulation which was primarily created for consumer protection has turned into an onerous corporate audit activity far removed from the original charter of protecting customers.</p>
<p>Regulators generally provide a checklist of things companies must do and, in the case of Sarbox, a general statement of financial reporting guidelines (section 404 of SOX). When government uses a regulatory stick with business organizations, we are essentially telling them that research into understanding the root cause of risk is a non-value-added activity. Ours is not to reason why&#8230;</p>
<p>2. However, an excellent methodology for understanding the root cause of risk already exists, and it is complementary to the compliance process. The methodology is called threat modeling. Threat modeling is a mature methodology with implementations from Microsoft and groups like PTA (Practical Threat Analysis) Technologies.</p>
<p>In threat modeling exercises, analysts and business decision makers use a model of assets, vulnerabilities of assets, threats (that attack by exploiting vulnerabilities) and countermeasures (that mitigate threats). Threat modeling provides a common language that any person working in an organization can understand.</p>
<p>You can download the free risk assessment tool <a title="Practical Threat Analysis" href="http://www.software.co.il/pta" target="_blank">PTA Professional</a> - we&#8217;d be happy to hear if you also think that threat modeling is a useful tool for risk assessment. Please feel free to <a href="http://www.controlpolicy.com/contact-us/">contact</a> us at any time by phone or email.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/06/controlling-risk/feed/</wfw:commentRss>
		</item>
		<item>
		<title>The biggest bugs hide in the cracks left by your system integrator</title>
		<link>http://www.controlpolicy.com/2008/06/the-biggest-bugs-are-hiding-in-the-cracks/</link>
		<comments>http://www.controlpolicy.com/2008/06/the-biggest-bugs-are-hiding-in-the-cracks/#comments</comments>
		<pubDate>Sun, 22 Jun 2008 18:04:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[software security]]></category>

		<category><![CDATA[CIO]]></category>

		<category><![CDATA[CTO]]></category>

		<category><![CDATA[CVSS]]></category>

		<category><![CDATA[IT]]></category>

		<category><![CDATA[risk assessment]]></category>

		<category><![CDATA[systems integration]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=14</guid>
		<description><![CDATA[The biggest bugs are hiding in the system integration interfaces your integration team glued on the day before delivery. They go home, you get fired.

Perhaps you have been in this situation before:
You&#8217;re a CIO/VP IT/IT manager and you&#8217;re preparing to implement a packaged business application - for  example a new CRM system. Something in [...]]]></description>
			<content:encoded><![CDATA[<p>The biggest bugs are hiding in the system integration interfaces your integration team glued on the day before delivery. They go home, you get fired.</p>
<p><span id="more-14"></span></p>
<p>Perhaps you have been in this situation before:</p>
<p>You&#8217;re a CIO/VP IT/IT manager and you&#8217;re preparing to implement a packaged business application - for  example a new CRM system. Something in the back of your mind says that the vendor&#8217;s development organization is probably not a lot different than yours (although you hope they&#8217;ve thought through the security issues first). What should you do?</p>
<ul>
<li>First, inspect and penetration-test the system using black-box testing.</li>
<li>Then, using white-box testing, assess infrastructure components, database interfaces and Web applications for vulnerabilities using our Legacy Risk Analysis Loop technique.</li>
<li>We will help you identify fault-prone modules in your particular operation and evaluate those modules with the most impact on system reliability and downtime.</li>
<li>We can go in and perform an onsite audit of the vendor&#8217;s secure software development practices during your RFP/RFI/pre-purchase stages.</li>
</ul>
<p>This process gives your organization a much better picture of software defects before you send the vendor the purchase order. Our Web collaboration tool supports continuous risk analysis and management with two main applications: a knowledge base and an issue tracker.</p>
<p>The database of standard CVSS scores for components and CLASP problem type classifications is always available to the entire organization. Users can add new entities and modify scores as the business environment changes. By using an issue tracker you get:</p>
<ul>
<li>A consistent thread of requests, changes and open action items during the risk analysis process, and in particular in the Validate Findings step</li>
<li>An updated implementation status of countermeasures</li>
<li>Real-time status tracking where, unlike email, issues cannot get lost or be ignored</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/06/the-biggest-bugs-are-hiding-in-the-cracks/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Why Excel is a bad choice for a security audit</title>
		<link>http://www.controlpolicy.com/2008/06/automating-iso-27001-security-audits-with-pta/</link>
		<comments>http://www.controlpolicy.com/2008/06/automating-iso-27001-security-audits-with-pta/#comments</comments>
		<pubDate>Sun, 22 Jun 2008 15:21:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Security audits]]></category>

		<category><![CDATA[Excel]]></category>

		<category><![CDATA[ISO 27001]]></category>

		<category><![CDATA[practical threat analysis]]></category>

		<category><![CDATA[PTA]]></category>

		<category><![CDATA[risk assessment]]></category>

		<category><![CDATA[security audit]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=6</guid>
		<description><![CDATA[Excel is easy to use, but you can lose or destroy your data pretty easily. Although risk assessment standards such as ISO 27001 or PCI DSS 1.1 have a one dimensional hierarchical structure of controls - you can get into big trouble once you try and link controls to vulnerabilities, assets and threats. The model [...]]]></description>
			<content:encoded><![CDATA[<p>Excel is easy to use, but you can lose or destroy your data pretty easily. Although risk assessment standards such as ISO 27001 or PCI DSS 1.1 have a one dimensional hierarchical structure of controls - you can get into big trouble once you try and link controls to vulnerabilities, assets and threats. The model starts getting multi-dimensional and that&#8217;s where Excel breaks down quickly and you lose data integrity.</p>
<p><span id="more-6"></span></p>
<h2>Problems in a security audit</h2>
<p>The biggest problem is prioritizing your security control implementation. ISO 27001 and PCI DSS 1.1 provide standard or mandatory controls, but the standards lack the functionality to weigh control cost against risk damage cost. In early 2007, after realizing that Excel was basically broken for data collection and analysis in a risk assessment, we started looking for a tool that would help us automate the entire ISO 27001 life cycle: collecting data, performing risk analysis and producing a cost-effective, prioritized control implementation plan. We felt that threat modeling would be a good way to add the additional dimensions of assets, vulnerabilities and threats to the ISO 27001 security control model.</p>
<h3>What is PTA (Practical Threat Analysis)?</h3>
<p>PTA Professional is a free risk assessment application that can be downloaded from the PTA Technologies Web site. The PTA ISO 27001:27005 library is available for free download and distribution, licensed from the Control Policy Group under the Creative Commons Attribution License.</p>
<p>Feel free to download and introduce the <a title="PTA for ISO27001" href="http://www.controlpolicy.com/wp-content/uploads/2008/06/pta_iso27001_library.zip" target="_blank">PTA ISO 27001 library</a> to your colleagues and promote it via postings to security forums and links to our web site. We wish to freely distribute the ISO 27001:27005 library to the security community and hope that its popularity and availability will contribute to your productivity and let you benefit from the experience of security colleagues worldwide. Contact us at any time with questions or suggestions for improvement.</p>
<h2>How PTA helps automate ISO27001</h2>
<p>The PTA data model includes assets, threats, vulnerabilities (which are exploited by threats) and controls (which mitigate vulnerabilities). The PTA threat model entities are measured in dollar values and enable a security analyst to quickly calculate threat impact and an optimal security control plan.</p>
<p>By using PTA in a risk assessment, you get a robust database for the data collection and a user-friendly application that runs on all versions of Windows. PTA Professional helps you understand how threats exploit vulnerabilities to create risk. During an ISO 27001 audit, PTA helps you store your findings, produce reports, prioritize controls and save money on the security control implementation.</p>
<h2>Motivation - ISO Standards</h2>
<p>The ISO standard for information security risk assessments, ISO 27001, continues to gain a reputation for helping organizations improve their business practices and protect information assets. ISO 27001 is both important and increasingly popular for two reasons:</p>
<p>1. Compliance<br />
2. The need to achieve the most effective risk mitigation controls</p>
<p>Perhaps one of the more significant comments underscoring the relevance of ISO 27001 for the industry was made last year by ISO Secretary-General Alan Bryden:</p>
<p>&#8220;SMEs may mistakenly perceive of International Standards as being only for big business and government. In fact, SMEs too can benefit from the state-of-the-art technology and management practices disseminated by International Standards which also open the door to export markets and participation in global supply chains&#8221;.</p>
<h3>Compliance</h3>
<p>Standards and privacy compliance regulations like ISO, SOX and PCI are fueling demand to improve information security practices. It has become a trend trickling up and down the value chain of regulators, customers and suppliers. Customer data breach incidents have steeply increased over the past 3 years, pouring additional fuel on the value chain of compliance. Once the exclusive domain of large institutions, risk assessments are now performed by many SMEs as their customers call on them to manage their data better and prove it by certifying to ISO 27001.</p>
<h3>Attaining effective risk reduction</h3>
<p>The output of an ISO 27001 risk assessment is two fold:</p>
<p>1. Certification<br />
2. Identify appropriate risk reduction controls for the organization</p>
<p>The certification process can be as simple or as involved as an organization wants, but there are always far more available controls than threats, and organizations, large and small, find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing, or you can try to achieve the most effective purchase and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.</p>
<p>It is worth noting at this point that additional security controls do not necessarily reduce risk.</p>
<p>Modifying your existing infrastructure (like firewalls and proxies) and installing more security products is never a free lunch and tends to increase the total system risk and cost of ownership, as a result of the interaction between the elements. Many firms see the information security issue as mainly an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further threat analysis reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.</p>
<p>The result of providing inappropriate countermeasures to threats is that your cost of attacks and cost of ownership go up, instead of your risk going down.</p>
<p>The PTA ISO 27001 library enables a risk analyst to provide a quantitative risk model to her client and construct an economically-justified, cost-effective set of countermeasures that reduces risk in the customer&#8217;s business environment. More importantly, a company can execute a &#8220;gentle&#8221; implementation plan of controls concomitant with its budget instead of taking an all-or-nothing strategy.</p>
<h3>ISO 17799 compared to ISO 27001</h3>
<p>ISO 17799 is Part 1 of BS 7799 (the ISO standard for information security). ISO 17799 is a code of best practice for information security management and provides practical guidance on implementing the security controls selected on the basis of the ISO 27001 risk assessment. ISO 17799 will be renumbered to ISO/IEC 27002 in the course of 2007.</p>
<p>ISO 27001, Part 2 of BS 7799, is the risk assessment standard for certification and sets the requirements that an organization must fulfill in order to establish an information security management system. The PTA ISO 27001:27005 library is a full implementation of the ISO 27001 compliance checklist. If you find that ISO 17799 is more relevant to your practice, please contact us and we may consider developing a PTA library for this standard as well.</p>
<h3>How we created the PTA ISO 27001 library</h3>
<p>ISO 27001 contains 185 items in 11 sections, where each item has a reference number and describes a security policy and a corresponding security control. For example, Item 6.1.5 is a &#8220;Confidentiality agreements&#8221; security policy with the following control: &#8220;Requirements for confidentiality or non-disclosure agreements reflecting the organization&#8217;s needs for the protection of information shall be identified and regularly reviewed&#8221;.</p>
<p>First we needed to map the ISO 27001 data model to the PTA threat model concept, which is composed of threats, vulnerabilities, assets and countermeasures.</p>
<p>Unlike PTA, the ISO data model does not refer to particular threats or assets. We realized that the top level items in each section (number x.y) mapped nicely to PTA vulnerabilities and that the sub-items were controls that translate directly to PTA countermeasures. For example:</p>
<p>06.1 &#8220;Internal organization; information security is lacking or not well-defined&#8221; can be easily defined as a PTA threat model vulnerability mitigated by the following PTA threat model countermeasures:</p>
<p>* 6.1.1 Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.<br />
* 6.1.2 Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.<br />
* 6.1.3 All information security responsibilities shall be clearly defined<br />
* 6.1.4 A management authorization process for new information processing facilities shall be defined and implemented.<br />
* 6.1.5 Requirements for confidentiality or non-disclosure agreements reflecting the organization&#8217;s needs for the protection of information shall be identified and regularly reviewed.<br />
* 6.1.6 Appropriate contacts with relevant authorities shall be maintained.<br />
* 6.1.7 Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.<br />
* 6.1.8 The organization&#8217;s approach to managing information security and its implementation (i.e. control objectives, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.</p>
<p>After the conceptual mapping of the ISO 27001 data model to the PTA threat model, we used the import entities from text file function in the PTA Professional Edition to load an Excel worksheet of the ISO 27001 checklist into a baseline PTA threat model of vulnerabilities and countermeasures, which we packaged as a PTA library.</p>
<h3>How analysts use the PTA ISO 27001 library</h3>
<p>The standard specifies that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). The PTA ISO 27001 library provides not only a systematic, but also a quantitative approach to risk assessment that adds a great deal of value by enabling you to arrive at a set of controls optimized for your business situation.</p>
<p>You will discover that doing a risk audit process with the PTA ISO 27001 library is faster, easier and a lot more robust than with an Excel spreadsheet.</p>
<p>An ISO 27001 risk assessment typically involves a two-stage process:</p>
<p>Stage 1 is a &#8220;table top&#8221; review of the existence and completeness of key documentation for Security Policy and Information Security Management System (ISMS). This would be done by cycling through the PTA threat model, tagging top level vulnerabilities with a status and storing appropriate documentation in the model, while linking to the appropriate entity.</p>
<p>Stage 2 is a detailed, in-depth audit that tests the existence and effectiveness of control policies as well as their supporting documentation. Controls that already exist would be marked as &#8220;Already Implemented&#8221; in the PTA Professional Edition countermeasures detail screen. Other controls needing work would be tagged with an action-required status (see the tagging option of the PTA tool).</p>
<h4>Step by Step with ISO27001 for PTA</h4>
<p>First download and install the PTA Professional Edition <a href="http://www.ptatechnologies.com/?action=download">free risk assessment software</a> on a Windows XP PC. Then <a title="ISO27001 Automation Tool" href="http://www.controlpolicy.com/wp-content/uploads/2008/06/pta_iso27001_library.zip" target="_blank">download the PTA ISO27001 library</a>.</p>
<ul>
<li>Step 0 - Start the PTA program by clicking on the eye icon on your desktop</li>
<li>Step 1 - Load the ISO27001.2.thl library in order to build your own threat model or just open the ISO27001.2.thm data model and start working</li>
<li>Step 2 - Create assets and assign Euro values to them. The asset value might be the replacement value or the equivalent damage to the business if the asset were attacked successfully.</li>
<li>Step 3 - Enter the costs of countermeasures; the PTA ISO 27001 library that we provide is neutral and does not specify countermeasure costs, since each organization has its own estimates of how much a control policy or security product should cost.</li>
<li>Step 4 - Run the <strong>Optimized Countermeasures</strong> report. You have just built a cost-justified plan of controls compliant with ISO 27001.</li>
<li>Step 5 - Refine the model. Don&#8217;t stop here; return to the model periodically and test the effectiveness of your risk mitigation program. For a structured methodology of continuous security assessment see the excellent article on the Software Associates Web site titled <a href="http://www.software.co.il/content/view/195/41/">&#8220;Practical software security assessment&#8221;</a></li>
</ul>
<p>The power of the PTA ISO27001 library is demonstrated by a simple risk assessment with assets and threats that was built in just a few minutes and is available online: <a href="http://www.controlpolicy.com/wp-content/uploads/2008/06/pta_iso27001_library.zip">download now</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/06/automating-iso-27001-security-audits-with-pta/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Best practice controls for preventing data loss</title>
		<link>http://www.controlpolicy.com/2008/06/best-practice-controls-for-data-loss-prevention/</link>
		<comments>http://www.controlpolicy.com/2008/06/best-practice-controls-for-data-loss-prevention/#comments</comments>
		<pubDate>Sun, 22 Jun 2008 12:46:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Risk management]]></category>

		<category><![CDATA[data leakage]]></category>

		<category><![CDATA[Data loss prevention]]></category>

		<category><![CDATA[data security]]></category>

		<category><![CDATA[extrusion prevention]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=3</guid>
		<description><![CDATA[Abstract
This article reviews the main areas of concern for protecting information assets from internal threats and vulnerabilities. It starts with an anecdote from an interview with a senior manager and concludes with a recommendation for implementing an approach to protect data directly (as opposed to commonly-used methods that attempt to protect the network and limit [...]]]></description>
			<content:encoded><![CDATA[<div style="text-align: left;"><strong>Abstract</strong></div>
<p><span style="font-family: verdana;">This article reviews the main areas of concern for protecting information assets from internal threats and vulnerabilities. It starts with an anecdote from an interview with a senior manager and concludes with a recommendation for implementing an approach to protect data directly (as opposed to commonly-used methods that attempt to protect the network and limit user permissions).</span></p>
<p><span id="more-3"></span></p>
<h4><span style="font-family: verdana;">The background to problem </span></h4>
<p><span style="font-family: verdana;">We start by sharing an anecdote taken from an interview with a senior manager at a bank.</span><span style="font-family: verdana;"><br />
</span></p>
<blockquote><p>&#8230;I&#8217;m not concerned about data theft. We&#8217;ve outsourced our entire IT operation to a big bank&#8217;s data center and they&#8217;re up to speed on information security. I can always go back to the logs and figure it out if something happens.<br />
<em><strong>Vice President Internal Audit of a private banking institution with $5BN in assets.</strong></em></p></blockquote>
<p><em><span style="font-family: verdana;">Just 2 months later, the &#8220;big bank&#8221; had a major data theft event. Both banks missed their earnings estimates and took a beating in the market. Today the private institution is trying to break out of its 5 year outsourcing contract.</span></em></p>
<p><span style="font-family: verdana;"><strong>Data Loss</strong> is any unauthorized transfer of valuable information assets - credit cards, customer records, transactional information, source code or other classified information. </span></p>
<p><span style="font-family: verdana;">Data loss is an internal threat with a strange nature that derives from unexpected actions by trusted insiders and systems in an environment assumed to be secure. For this reason, extrusion prevention requires both management <strong>and</strong> technology controls. </span></p>
<h3><span style="font-family: verdana;">Management and technical controls for extrusion prevention<br />
</span></h3>
<h4><span style="font-family: verdana;">Human resources controls</span></h4>
<p><span style="font-family: verdana;">Ensuring employee loyalty and reliability starts with HR, which has responsibility for hiring and guiding the management of employees. High-security organizations such as defense contractors or securities traders add additional screening such as polygraphs and security checks to the hiring process. Over time, organizations may sense personality changes, domestic problems or financial distress that indicate increased extrusion risk for employees in sensitive jobs. </span></p>
<p><span style="font-family: verdana;"><strong><span style="text-decoration: underline;">Disconnect #1:</span></strong> HR isn&#8217;t accountable for the corporate brand and therefore doesn&#8217;t pay the price when trusted employees and contractors steal. </span></p>
<h4><span style="font-family: verdana;">Internal audit</span></h4>
<p><span style="font-family: verdana;">Extrusion prevention needs to be part of an overall internal audit process that helps an organization achieve its objectives in the areas of:</span></p>
<ul>
<li><span style="font-family: verdana;"> Operational effectiveness </span></li>
<li><span style="font-family: verdana;"> Reliability of financial reporting </span></li>
<li><span style="font-family: verdana;"> Compliance with applicable laws and regulations </span></li>
</ul>
<p><span style="font-family: verdana;">Internal auditors in the insurance industry say regulation has been their key driver for risk assessment and implementation of preventive procedures and security tools such as intrusion detection. Born in the 1960s and living on in today&#8217;s Windows and Linux event logs, log analysis is still the mainstay of the EDP (electronic data processing) audit. Over the past 7 years our industry has evolved to client-server computing, XML Web services and converged IP networks. Welcome to stateless HTTP transactions, dynamic IP addressing and Microsoft Active Directory, where your ability to audit network activity depends on which versions of Windows run on your workstations and servers. Offline analysis of logs has fallen behind and yields too little, too late for the EDP auditor! </span></p>
<p><span style="font-family: verdana;"><strong><span style="text-decoration: underline;">Disconnect #2:</span></strong> EDP auditors have the job but they don&#8217;t have the tools. </span></p>
<h4><span style="font-family: verdana;">Physical security</span></h4>
<p><span style="font-family: verdana;">Physical security starts at the parking lot and continues to the office, with tags and access control. Office buildings can program their gates simply to ensure that every tag leaving the building also entered the building. Many companies run employee awareness programs to remind the staff to guard classified information and to look for suspicious behavior. </span></p>
<p><span style="font-family: verdana;"><strong><span style="text-decoration: underline;">Disconnect #3:</span></strong> Perfect physical security will be broken by a Nokia 3650 (a cell-phone with a camera). </span></p>
<h4><span style="font-family: verdana;">Information security</span></h4>
<p><span style="font-family: verdana;">Information security builds layers of firewalls and content-security at the network perimeter, and permissions and identity management that control access by trusted insiders to digital assets, such as business transactions, data warehouses and files. This structure lulls business managers into a false sense of security. Let&#8217;s not forget that firewalls let traffic in and out, and permissions systems grant access to trusted insiders <strong>by definition</strong>. For example, an administrator in the billing group will have permission to log on to the accounting database and extract customer records using SQL commands. He can then zip the data with a password and extrude the file using a private Webmail account. </span></p>
<p><span style="font-family: verdana;">Content-security tools based on http/smtp proxies are used against viruses and spam. These tools weren&#8217;t designed for extrusion prevention; they don&#8217;t inspect internal traffic, they only scan authorized e-mail channels, they rely on file-specific content recognition and have scalability and maintenance issues. When content security tools don&#8217;t fit, we&#8217;ve seen customers roll out home-brewed solutions with open source software such as Snort and Ethereal. A client of ours recently used Snort to nail an employee who was extracting billing records with command line SQL and extruding the results by Web mail. </span></p>
<p><span style="font-family: verdana;"><strong><span style="text-decoration: underline;">Disconnect #4:</span></strong> Relying on permissions and identity management is like running a retail store that screens you coming in but doesn&#8217;t put magnetic tags on the clothes to prevent you from wearing that expensive hat going out. </span></p>
<h3><span style="font-family: verdana;">Implementing the controls<br />
</span></h3>
<p><span style="font-family: verdana;"> To correct the disconnects and protect your digital assets, you need CEO level commitment to management <strong>and</strong> technology controls. Your company&#8217;s management should mandate <strong>direct </strong>protection of digital assets in addition to conventional methods that protect the network, the servers and control access to resources by users.<br />
</span></p>
<ul>
<li><span style="font-family: verdana;"> Soft controls - Training and continuous behavior sensing </span></li>
<li><span style="font-family: verdana;"> Direct controls - Good hiring and physical security </span></li>
<li><span style="font-family: verdana;"> Indirect controls - Internal Audit </span></li>
</ul>
<p><span style="font-family: verdana;">The management controls must be based on classifying your key digital assets in financial terms and estimating the damage and probability of impact of each threat. The <a href="http://pages.google.com/a/www.controlpolicy.com/edit/automatingiso27001implementations">PTA</a> (Practical Threat Analysis) freeware is a great way to do a risk assessment of your digital assets.<br />
<strong>Mandate this direct approach</strong> independently of privileged system managers, permissions and identity management systems and complex perimeter security systems. </span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/06/best-practice-controls-for-data-loss-prevention/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Best practice security controls for IT</title>
		<link>http://www.controlpolicy.com/2008/06/getting-the-most-cost-effective-information-security-controls-in-it-operations/</link>
		<comments>http://www.controlpolicy.com/2008/06/getting-the-most-cost-effective-information-security-controls-in-it-operations/#comments</comments>
		<pubDate>Sun, 01 Jun 2008 17:32:09 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[information security management]]></category>

		<category><![CDATA[data security]]></category>

		<category><![CDATA[IT]]></category>

		<category><![CDATA[software security]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=9</guid>
		<description><![CDATA[One of the most common problems a CIO/VP information technologies has is understanding what are the most effective security products.   The cost of evaluating a new security technology can be very high, and often an IT manager will need to take a decision to implement a particular type of product (for example two-factor authentication) before [...]]]></description>
<content:encoded><![CDATA[<p>One of the most common problems a CIO/VP of information technologies has is understanding which security products are the most effective. The cost of evaluating a new security technology can be very high, and often an IT manager will need to take a decision to implement a particular type of product (for example two-factor authentication) before she knows if the product will be effective.</p>
<p><span id="more-9"></span></p>
<p>If you&#8217;re an IT executive you are probably familiar with this predicament:</p>
<ul>
<li>You need to provide your CEO with financial justifications in Euro, not as &#8220;high&#8221; or &#8220;low&#8221; risk.</li>
<li>You need security controls that don&#8217;t disrupt the business.</li>
</ul>
<p>We recommend employing a 7 step process with the <a title="PTA" href="http://www,software.co.il/pta" target="_blank">Practical Threat Analysis</a> (PTA) free risk assessment software, which will help you generate financial justification in dollar/Euro terms before the evaluation and implementation:</p>
<ul>
<li>Step 1 - Assess your assets and valuate them</li>
<li>Step 2 - Assess and mitigate threats:
<ul>
<li>Data leakage</li>
<li>Data abuse by trusted insiders</li>
<li>Network abuse by trusted insiders</li>
</ul>
</li>
<li>Step 3 - Assess your vulnerabilities</li>
<li>Step 4 - Identify cost-effective security controls</li>
<li>Step 5 - Build the financial justification for the CEO. The output of our practical threat analysis process is a financial justification for an effective risk mitigation plan. The plan includes the most cost-effective countermeasures that reduce the risk level to a minimum at a given capital and variable cost.</li>
<li>Step 6 - Approve implementation plan</li>
<li>Step 7 - Implement the countermeasures</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/06/getting-the-most-cost-effective-information-security-controls-in-it-operations/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Data loss prevention technologies</title>
		<link>http://www.controlpolicy.com/2008/05/data-leakage-prevention-technologies/</link>
		<comments>http://www.controlpolicy.com/2008/05/data-leakage-prevention-technologies/#comments</comments>
		<pubDate>Thu, 15 May 2008 17:38:40 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Network security]]></category>

		<category><![CDATA[Risk management]]></category>

		<category><![CDATA[data leakage]]></category>

		<category><![CDATA[data loss]]></category>

		<category><![CDATA[data security]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=10</guid>
		<description><![CDATA[Abstract
Data loss prevention is a rapidly emerging network security technology area that has matured from simple regex-based Web / email content filtering products into products such as Fidelis Security Systems XPS that perform deep inspection of documents such as Microsoft Word and Adobe PDF with high levels of precision and recall.

Motivation
Network content monitoring is generally [...]]]></description>
			<content:encoded><![CDATA[<h3>Abstract</h3>
<p class="MsoNormal" style="text-align: justify;"><span style="font-family: verdana;">Data loss prevention is a rapidly emerging network security technology area that has matured from simple regex-based Web / email content filtering products into products such as <a title="Fidelis Security Systems" href="http://www.fidelissecurity.com" target="_blank">Fidelis Security Systems</a> XPS that perform deep inspection of documents such as Microsoft Word and Adobe PDF with high levels of precision and recall.</span></p>
<p class="MsoNormal" style="text-align: justify;"><span id="more-10"></span></p>
<h4>Motivation</h4>
<p class="MsoNormal" style="text-align: justify;"><span style="font-size: x-small;">Network content monitoring is generally used for monitoring employees' or students' surfing and filtering out violence, pornography and drug-related content. This sort of Web content filtering became “mainstream” by 2005 with wide-scale deployments in schools and larger businesses by commercial closed source companies such as McAfee and Bluecoat and open source products such as CensorNet and SpamAssassin. Similar signature-based technologies are also used to perform intrusion detection and prevention.</span></p>
<p class="MsoNormal" style="text-align: justify;"><span style="font-size: x-small;">However, a new class of content monitoring products has emerged that is aimed squarely at protecting firms from unauthorized “information leakage”, “data theft” or “extrusion”. The motivation for using these products is economic not behavioral; transfer of digital assets by trusted insiders or trusted systems can cause much more economic damage than viruses to a business. Unlike viruses, once a competitor steals data you cannot reformat the hard disk and restore from backup. Companies often hesitate from publicly reporting extrusion events because it damages their corporate brand, gives competitors an advantage and undermines customer trust.</span></p>
<p class="MsoNormal" style="text-align: justify;"><span style="font-size: x-small;">There are two potential “internal customers” for content monitoring in a company – business management (risk management and/or internal audit) and IT infrastructure management.</span></p>
<p class="MsoNormal" style="text-align: justify; font-family: verdana;"><span style="font-size: x-small;">Senior business management wants to protect their brand by protecting their information assets from criminals, competitors and trusted insiders. There seem to be three schools of thought on this among CxOs: one common approach is to ignore the problem and brush it under the carpet of compliance monitoring. Another approach is to monitor asset flows without telling employees or the whole world. The smart CEO seems to like an extrusion prevention system as a deterrent and as a way of enhancing the brand (“your assets are safer with us”). Passive content monitoring of asset flows in the network that operates independently of existing IT systems can be an effective auditing tool for threats to digital assets in any case. Employees and hackers cannot detect a Layer 2 sniffer device, and a sniffer is immune to configuration and operational problems in the network. If it can’t be detected on the network, then school of thought number 2 has plausible deniability.</span></p>
<h4><span style="font-size: x-small;">Firewalls are not enough </span></h4>
<p class="MsoNormal" style="text-align: justify; font-family: verdana;"><span style="font-size: x-small;">Many firms now realize that a firewall is not enough to protect digital assets <em>inside</em> the network and look towards incoming/outgoing content monitoring. This is because:</span></p>
<ol>
<li class="MsoNormal" style="text-align: justify;"><span style="font-size: x-small;">The firewall might not be properly configured to stop all the suspicious traffic.</span></li>
<li class="MsoNormal" style="text-align: justify;"><span style="font-size: x-small;">The firewall doesn’t have the capability to detect all types of content, especially embedded content in tunneled protocols.</span></li>
<li class="MsoNormal" style="text-align: justify;"><span style="font-size: x-small;">The majority of attacks and extrusions are not on the IT infrastructure but on the data itself.</span></li>
<li class="MsoNormal" style="text-align: justify;"><span style="font-size: x-small;">Most hackers do not expect creative defenses, so they assume that once they are in, nobody is watching their nasty activities.</span></li>
<li class="MsoNormal" style="text-align: justify; font-family: verdana;"><span style="font-size: x-small;">The firewall itself can be compromised. As there are more and more zero-day attacks and trusted insider threats, it is good practice to add additional independent controls.</span></li>
</ol>
<h2>Detection, Prevention and Security Management</h2>
<h4>Detection</h4>
<p style="font-family: verdana;">Sophisticated incoming and outgoing content monitoring technologies basically use three paradigms for detection:</p>
<ol style="font-family: verdana;">
<li style="font-family: verdana;">AD - Anomaly Detection - describes normal network behavior and flags everything else</li>
<li style="font-family: verdana;">MD - Misuse Detection - describes attacks and flags them directly</li>
<li>BA - Burglar Alarm - describes abnormal network behavior (“detection by exception”)</li>
</ol>
<p style="font-family: verdana;">In <strong>anomaly detection</strong>, new traffic that doesn’t match the model of normal behavior is labeled as suspicious or bad and an alert is generated. The <strong>main limitation of anomaly detection</strong> is that if it is too conservative, it will generate too many false positives (false alarms) and over time the analyst will ignore it. On the other hand, if a tool rapidly adapts the model to evolving traffic, too few alerts will be generated and the analyst will again ignore it.</p>
<p><span style="font-family: verdana;"><strong>Misuse detection</strong> describes attacks and flags them directly, using a database of known attack signatures against which the actual traffic is constantly matched. If there is a match, an alert is generated. The database typically contains rules for:</span></p>
<ol style="font-family: verdana;">
<li>Protocol Stack Verification - RFC conformance, ping of death, stealth scanning, etc.</li>
<li>Application Protocol Verification - WinNuke, invalid packets that cause DNS cache corruption, etc.</li>
<li>Application Misuse - misuse that causes applications to crash or enables a user to gain superuser privileges, typically due to buffer overflows or implementation bugs.</li>
<li>Intruder Detection - known attacks can be recognized by the effects caused by the attack itself. For example, Back Orifice 2000 sends traffic on its default port, 31337.</li>
<li>Extrusion Detection - detects unauthorized network transfer of data according to the content itself, for example by file type, compound regular expressions, linguistic and/or statistical content profiling. Extrusion detection functions at a much higher level than an IDS/IPS, since it needs to understand file formats and analyze the actual content, such as Microsoft Office attachments in a Web mail session, as opposed to doing simple pattern matching on an HTTP request string.</li>
</ol>
<p style="font-family: verdana;">Using a burglar alarm model, the analyst must have a deep understanding of her network and what should not happen on it. She builds rules that model how the monitored network <em>should</em> work, in order to generate alerts when traffic that contradicts those rules is detected. The richer the rules database, the more effective the model. The advantage of the burglar alarm model is that a good network administrator can leverage knowledge of servers, segments and clients (for example, a Siebel CRM server which is a client of an Oracle database server) in order to focus in and manage by exception.</p>
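<p>The three detection paradigms contrasted above, as an added example that is not part of the original article: a few constructed flow records are run through a minimal anomaly detector, misuse detector and burglar-alarm rule set. Host names, roles and the baseline period are all made up for the illustration; the only value taken from the article is the Back Orifice 2000 default port. The newly installed workstation trips only anomaly detection, while the workstation reading the database directly is caught only by the burglar alarm model.</p>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed sample data)."""
    src: str
    dst: str
    dport: int


# Constructed baseline period for anomaly detection: what the sensor saw while
# the network was believed to be healthy.
BASELINE = [
    Flow("crm.example", "db.example", 1521),    # Siebel CRM acting as client of Oracle
    Flow("ws01.example", "crm.example", 443),   # workstations using the CRM front end
    Flow("ws02.example", "crm.example", 443),
    Flow("ws01.example", "mail.example", 25),
]

# Constructed traffic to analyse.
OBSERVED = [
    Flow("crm.example", "db.example", 1521),      # expected CRM -> DB
    Flow("ws02.example", "crm.example", 443),     # expected workstation -> CRM
    Flow("ws03.example", "crm.example", 443),     # newly installed workstation, same role
    Flow("ws02.example", "db.example", 1521),     # workstation bypassing the CRM, straight to the DB
    Flow("ws01.example", "evil.example", 31337),  # Back Orifice 2000 default port (from the article)
]


def anomaly_detect(baseline, observed):
    """AD: describe normal behaviour as the set of baseline tuples; flag everything else."""
    seen = {(f.src, f.dst, f.dport) for f in baseline}
    return [f for f in observed if (f.src, f.dst, f.dport) not in seen]


# MD: known-attack signatures. Only the one the article names is used here.
SIGNATURES = {31337: "Back Orifice 2000 default port"}


def misuse_detect(observed):
    """MD: flag flows that match a known-bad signature; anything unknown passes."""
    return [(f, SIGNATURES[f.dport]) for f in observed if f.dport in SIGNATURES]


# BA: the analyst's model of how the network should work, expressed as host roles and
# the client roles permitted to reach each (server role, port). Hosts not listed are "unknown".
ROLES = {
    "crm.example": "crm",
    "db.example": "db",
    "mail.example": "mail",
    "ws01.example": "workstation",
    "ws02.example": "workstation",
    "ws03.example": "workstation",
}
ALLOWED = {
    ("db", 1521): {"crm"},          # only the CRM server may talk to the database
    ("crm", 443): {"workstation"},  # workstations use the CRM over HTTPS
    ("mail", 25): {"workstation"},
}


def burglar_alarm(observed):
    """BA: flag any flow that contradicts the declared model (detection by exception)."""
    hits = []
    for f in observed:
        client = ROLES.get(f.src, "unknown")
        server = ROLES.get(f.dst, "unknown")
        permitted = ALLOWED.get((server, f.dport))
        if permitted is None:
            hits.append((f, f"no rule allows {server} to serve port {f.dport}"))
        elif client not in permitted:
            hits.append((f, f"{client} may not reach {server}:{f.dport}"))
    return hits


if __name__ == "__main__":
    for name, hits in [
        ("anomaly detection", anomaly_detect(BASELINE, OBSERVED)),
        ("misuse detection", [f for f, _ in misuse_detect(OBSERVED)]),
        ("burglar alarm", [f for f, _ in burglar_alarm(OBSERVED)]),
    ]:
        print(f"{name}: {len(hits)} alert(s)")
        for f in hits:
            print(f"  {f.src} -> {f.dst}:{f.dport}")
```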
<h4>Prevention</h4>
<p style="font-family: verdana;">Anomaly detection is an excellent way of identifying network vulnerabilities, but a user cannot prevent data breach events based on general network anomalies such as usage of anonymous FTP. When it comes to prevention there is also a fundamental problem with misuse detection: if misuse is detected, then unless the event can be prevented (either internally with a TCP reset, by blocking inline, or by notifying the router or firewall) the usefulness of the device is limited to forensics collection. An additional hurdle to overcome in the area of prevention of data breach events is performance. The widespread usage of load balancers and multiple IDS servers will not work, since the packets that compose a client-server application session may be spread over multiple servers, and it will be impossible to prevent data leakage since no single server has a complete picture of the entire session.</p>
<h4>Management - event analysis and reporting</h4>
<p style="font-family: verdana;">A <span style="font-family: verdana;">SIM (security information management) system consolidates reporting, analysis, event management and log analysis. There are a number of dedicated tools in this category, Net Forensics being one, but the direction appears to be that the content monitoring system will include its own analytical database of events, due to the specialized nature of content monitoring and filtering. Note that the management sub-system itself does not perform detection or prevention functions; it manages, and receives reports from, the other system components. A typical architecture has a central SIM (management console) and multiple distributed sensors that feed events (not raw traffic) into the SIM.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/05/data-leakage-prevention-technologies/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Network security warfare - offensive security</title>
		<link>http://www.controlpolicy.com/2008/05/network-security-warfare-offensive-security/</link>
		<comments>http://www.controlpolicy.com/2008/05/network-security-warfare-offensive-security/#comments</comments>
		<pubDate>Thu, 01 May 2008 17:44:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Network security]]></category>

		<category><![CDATA[Risk management]]></category>

		<category><![CDATA[extrusion prevention]]></category>

		<category><![CDATA[IDM]]></category>

		<category><![CDATA[Penetration testing]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=11</guid>
<description><![CDATA[Attack the attackers
I believe many people involved with IT security have a feeling of frustration that stems from continuously reacting to external forces: spam attacks, spyware attacks, insider threats, analyst reports and new product announcements. What should you do?
Consider the three basic tenets of IT Security
Network Security is Warfare, if it&#8217;s &#8220;kill or be killed&#8221; [...]]]></description>
			<content:encoded><![CDATA[<p>Attack the attackers</p>
<p>I believe many people involved with IT security have a feeling of frustration that stems from continuously reacting to external forces: spam attacks, spyware attacks, insider threats, analyst reports and new product announcements. What should you do?</p>
<p>Consider the three basic tenets of IT Security</p>
<p><span id="more-11"></span></p>
<ol>
<li>Network security is warfare: if it&#8217;s &#8220;kill or be killed&#8221; in the sales department, then why not in IT security?</li>
<li>Most of your information security strategy is reactive, built on &#8220;penetrate and patch&#8221; methods.</li>
<li>Few implementations address the collection of information about attackers.</li>
</ol>
<p>The key elements of an information security strategy</p>
<p>Stop reacting and go back on the offensive, with a proactive security strategy based on control, collection, capture and change:</p>
<p>Control: Managing the access of information to and from the network and systems.<br />
Collection: Gathering information about user habits and systems behavior.<br />
Capture: The capture of information from anomalous events on the network.<br />
Change: Adapt the security posture to meet new situations.</p>
<p>By basing both defensive and offensive tactics on these four strategic elements, you can proactively control who accesses your network, collect information about abnormal transactions, capture anomalous events, and adapt your security posture to meet changing situations.</p>
<p>Traditional information security tactics are defensive</p>
<ul>
<li>Backups</li>
<li>IDM - Identity Management</li>
<li>Network access control using firewalls/routers</li>
<li>Host access controls</li>
<li>Intrusion prevention systems / intrusion detection systems</li>
<li>Inbound content filtering for abusive/malicious content</li>
</ul>
<p>Offensive information security tactics</p>
<ul>
<li>Attacking and auditing your own systems.</li>
<li>Proactive response to attacks.</li>
<li>Extrusion prevention.</li>
<li>Honey pots and honey nets.</li>
</ul>
<p>I&#8217;d like to thank Chris Neitzert (Chris[at]Neitzert[dot]com) for his ideas on improving IT security with both offensive and defensive tactics. Download Chris&#8217; well-written article at: Guerilla Anti-Penetration Tactics</p>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/05/network-security-warfare-offensive-security/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
