The Security Pub

Random Thoughts About Security

Tips For Writing Information Security Policies

I have been involved in the process of writing a number of documents, including corporate security policies, standards and procedures, and below are some of the most common questions that come up during this process.

Yes, it is a process. :)

What should you consider when developing an information security policy?

Decide on the policy's structure before writing it. Policies are ineffective when employees dread reading them, can't understand them, or can't easily reference them. Information security policies by nature require periodic updating as regulatory requirements, technology, and the business environment change. The problem many organizations run into is that their policies evolve over time into complex, disorganized documents.

The structure should let readers find the requirements for a specific subject from the table of contents. Group related policies together so readers don't have to hunt for information. A clear layout also lets the policy administrator modify individual policies accurately without disturbing the rest. The policy's primary goal is to educate staff on the rules you establish; if the document is poorly organized and hard to read, contradictions and confusion result.

What should be included in the policy?

Common policy topics include data classification, roles and responsibilities, acceptable use of the Internet and e-mail, remote access, protection measures, and incident response procedures. Depending on the organization and its business there may be many more security topics to cover. Policies are legal documents, so include nondisclosure rules and an employee acceptance agreement.

Don't write precise rules for every possible scenario. Doing so creates loopholes that can work against your organization: anything not explicitly listed looks permitted. Instead, write policies in a general manner. For example, remote access rules should apply to any form of remote access, which also covers future technology. Once the policy authorizes a type of access, you can define in more detail how that access is controlled.

Boards and management should regularly review policies and procedures to ensure they are complete and effective. Mergers; changes in technology, business models, and staff roles; and new regulations are the key triggers for a review. As these events occur, review the existing policies and make the necessary modifications.

Policies touch compliance, business processes, technology, and employee awareness, so include all managers in policy reviews, and put policy considerations on the agenda of each management meeting. Assign a policy manager to facilitate policy writing, review, approval, and employee awareness. Make policy review a section of your organization's annual third-party security assessment.

How do you monitor compliance?

Monitoring requires periodic testing. If you don't test, there is no way to know whether your policies are being followed. In information technology (IT), seemingly minor procedural mistakes can go undetected until an incident occurs. A basic example is an e-mail policy: it is hard to know whether a user routinely opens unsolicited e-mail attachments until a worm cripples the network.

You can perform testing in creative and educational ways. You could have an outside firm perform a social-engineering-based penetration test, in which a mock attack uses techniques that exploit weaknesses in the existing policy rules or in staff adherence to them. Or you could implement a more direct policy test, using a Q&A exam delivered via e-mail, hard copy, or the intranet. Remember, the intent of testing is to educate staff on their role in security, not to identify a guilty party. Make education fun to maximize retention, and make monitoring of policy compliance an integral part of a broader employee awareness program.

Don't be tricked by this Phishing Scam

We all get tons of spam and phishing emails, some easier to spot than others. Today I saw a phishing email that could be very tricky for most people to identify. It came from "Administrator" and reads:

Attention!

On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

http://updates.[cut for safety]

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

The reason I was able to detect that this was a phishing scam was the URL. The URL clearly is not that domain (but you have to see the entire URL). According to Twitter, this message was generated by a Zbot.
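The check that gave this one away, written out as an added example that is not part of the original post: pull every link out of the message body and compare the registered domain of each link's host with the domain the sender claims to be, rather than trusting the familiar-looking labels at the start of the host name. The host name and file name in the sample below are constructed for this example (the real URL above was cut for safety), and the "last two labels" rule for the registered domain is a stated simplification.

```python
"""
Added example (not from the original post): inspect the *entire* URL of every
link in an e-mail body and report links whose registered domain is not the
domain the message claims to come from.

Assumptions: the sender's legitimate domain is known (here "example.com"),
URLs are plain text, and a registered domain is the last two host labels.
Real code should use the Public Suffix List so "example.co.uk" works.
"""
import re
from urllib.parse import urlsplit

# Simple extractor: http(s):// followed by non-whitespace, non-quote characters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# A mail-server upgrade never requires the recipient to download and run a
# "patch"; a link ending in one of these is a lure on its own.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat",
                       ".cmd", ".js", ".vbs", ".msi")


def registered_domain(hostname: str) -> str:
    """Return the last two labels of a host name, e.g. 'example.com'.
    Assumption: two-label registered domains (see module docstring)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, expected_domain: str) -> dict:
    """Describe one link relative to the domain the message claims to be from."""
    url = url.rstrip(".,;)")          # drop trailing punctuation from the body text
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    reg = registered_domain(host)
    matches = reg == expected
    # The look-alike trick: the real domain appears *inside* the host name
    # ("updates.example.com.attacker.test") but is not the registered domain.
    lookalike = (not matches) and (
        expected in host or expected.replace(".", "-") in host)
    executable = parts.path.lower().endswith(EXECUTABLE_SUFFIXES)
    return {
        "url": url,
        "host": host,
        "registered_domain": reg,
        "matches_expected": matches,
        "lookalike": lookalike,
        "links_to_executable": executable,
        "suspicious": (not matches) or executable,
    }


def analyse_email(body: str, expected_domain: str) -> list:
    """Classify every link found in the body."""
    return [classify_url(u, expected_domain) for u in URL_RE.findall(body)]


# Constructed sample modelled on the lure in the post; the host name is invented.
SAMPLE_EMAIL = """Attention!
On October 22, 2009 server upgrade will take place. ... you should run SSl
certificates update procedure. All you have to do is just to click the link
provided, to save the patch file and then to run it from your computer location.
http://updates.example.com.mail-upgrade.test/ssl/patch.exe
Thank you in advance for your attention to this matter.
System Administrator"""

if __name__ == "__main__":
    for result in analyse_email(SAMPLE_EMAIL, "example.com"):
        print(result)
```

For HTML mail the same comparison has to be made against the `href` attribute, not the visible anchor text, which is exactly why "you have to see the entire URL" before clicking.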


The parallels between Information Security & Sun Tzu's The Art of War – Does your organization know its "Terrain"?

Here is another quote from Sun Tzu's The Art of War.

The experienced soldier, once in motion, is never bewildered; once he has broken camp, he is never at a loss. Hence the saying: If you know your enemy and you know yourself, your victory will not stand in doubt; if you know heaven and know earth, you make your victory complete.

Security attacks are executed across a very broad range of terrain, including hardware platforms, operating systems, networks, communications protocols, and applications. If an organization is not aware of every part of its critical systems, it may be disoriented when responding to security incidents.

Many organizations use outsourcing to manage and run much of their "terrain". Their contractual agreements and service level agreements may not cover each party's roles and responsibilities in dealing with security attacks. For example, some organizations have experienced a situation in which their outsourcing partner had agreed to a set of availability targets and, during a security attack, continually deleted firewall logs to keep the firewalls online and meet the organization's availability target.

The impact of this action was to destroy a critical piece of evidence needed first to identify the attacker and then to prosecute them. An availability target should never be allowed to compete with evidence preservation: forwarding firewall logs to a separate log server as they are written, and spelling out log retention in the contract, removes that conflict. In an increasingly outsourced world, organizations must make special efforts to ensure that they know the full extent of their terrain.

The parallels between Information Security & Sun Tzu's The Art of War – Continued


Here is another quote I liked from Sun Tzu's The Art of War, and just so everyone knows, I'm not posting after every chapter I read :), just the quotes that I think can be applied to information security. My first posting can be found here at Infosec Island.

This quote comes from Chapter 2, "Waging War":

The skilful general does not raise a second levy, neither are his supply wagons loaded more than twice. Once war is declared he will not waste precious time in waiting for reinforcements, nor will he turn his army back for fresh supplies, but crosses the enemy's frontier without delay.

Assuming that organizations have their planning right, they will be prepared for a wide range of attack vectors. However, the attacks will be distributed, unannounced, and rapid, so it is important that organizations balance the effort put into repelling attacks against the outcome the organization actually needs.

Some of the attacks will be unexpected, so organizations must assume that some of their security standards will fail as a result. If the whole premise of survival is defense alone, and the organization therefore relies on the cyber equivalent of holding the proverbial City walls, there are really only two probable outcomes:

  • the walls hold and their position is sustained; or
  • the walls collapse and they are overrun.

Most of the advice I have read on approaches to cyber-security commonly says that, when attacked, organizations should not break the law themselves in responding to the attack. This advice could be construed as only allowing the holding of the City wall. So maybe it is time that organizations actively discuss responses to cyber-attack that are not just defense but are active or offensive.