Tag Archives: ISO 27001

Top secret information about Australia’s military hacked – SMEs overstretched with Cyber Security Frameworks

15 October 2017

Lisa Martin’s report ‘Top secret information about Australia’s military hacked’, published on October 12th, 2017 at news.com.au, about a one-year-old attack on an Australian defense contractor, is another example of how small businesses are technically and organizationally overstretched by the challenges of cyber security.

The best approach for SMEs would be to set up a cyber security framework like the NIST Cyber Security Framework or an ISO 27001 based framework. But for small businesses the effort to do this is just too high.

For SMEs to stay ahead of the cyber security curve, a light version of such frameworks is required, with the focus on actively managing risk.

The Strategies to Mitigate Cyber Security Incidents of the Australian Signals Directorate (ASD) put the focus on the basics. If carefully implemented and regularly assessed, the security level goes up and this kind of attack is no longer possible. Even large businesses can raise their security level by implementing the ASD’s recommendations.

But when it comes to critical infrastructure, a full implementation of a cyber security framework is the only way to survive in the long term. By the way, the first task in the NIST CSF core is asset management…

Have a great week.

New York’s Cybersecurity Requirements for Financial Service Companies are a real game changer

1 November 2016

In the post ‘Learn How the NYDFS Cybersecurity Regulations Will Impact Your Company’, Shawn E. Tuma talks about the impact of the New York Department of Financial Services Cybersecurity Regulation on daily business.

Negotiating service contracts and working with third parties will require considerably more effort once the regulation enters into force. But a regulation has long been overdue, at least since the details of the Target data breach of December 2013 became known.

From a security point of view, the Cybersecurity Regulation is a real game-changer. Some concepts are borrowed from ISO 27001, but in some areas the NYDFS Cybersecurity Regulation goes much further than the ISO requirements.

The scope of the regulation, Nonpublic Information, is clearly and sufficiently broadly defined in the Definitions section (500.01). In my opinion, the focus on Nonpublic Information might create blind spots, because significant damage can be caused by compromised Public Information as well.

Section 500.02 demands the implementation of a Cybersecurity Program. The program shall be designed to

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

The requirement to ‘mitigate any negative effects’ is new, and will have a major impact on IT security operations.

Section Audit Trail (500.06) requires the implementation of a Privileged Account Management (PAM) solution.

Section Multi-Factor Authentication (500.12) states where Multi-Factor Authentication (MFA) is required. Unfortunately, MFA is not mandatory for access to non-web applications. I would prefer to secure all applications with MFA.

The strict application of the Principle of Least Privilege, which is demanded in section Access Privileges (500.07), for access to Nonpublic Information is a big step forward.

All in all, the Cybersecurity Requirements for Financial Service Companies are a big step forward towards increased cyber security. If implemented well, the likelihood of data breaches will decrease dramatically.

If your company is currently implementing a cyber security program, it definitely makes sense to take a closer look at this regulation. It can easily be adapted to any type of business.

Have a good day.

Patient privacy: Can past lessons prevent future failures?

7 May 2016

Niam Yaraghi’s post ‘Patient privacy: Can past lessons prevent future failures?’, published May 5, 2016 on the Brookings Techtank Blog, is absolutely worth reading. The post is a summary of the research report ‘Hackers, phishers, and disappearing thumb drives: Lessons learned from major health care data breaches’. In this report Niam Yaraghi provides a superb root cause analysis of the data breaches in the U.S. health care industry of recent years, and some recommendations for getting a grip on the problem.

A big issue comes from HIPAA itself. HIPAA came into force in 1996. As a result, it falls short of addressing modern cyber security challenges. The statements of a CIO on page 18 of the report make this impressively clear:

“HIPAA reflects how nerds thought about security 20 years ago.”

“HIPAA is in complete disconnect with the realities of today’s digital technology and we cannot expect a national standard to be agile enough and be in pace with cyber technology. For example, HIPAA has nothing about malware and ransomware, intrusion detection, specific cyber incident responses, or multifactor authentications.”

It is the same old story with standards. Without regular review and adaptation, the effectiveness of standards decreases dramatically. For that reason, ISO 27001 demands the implementation of a risk management process according to ISO 27005. This ensures that changes in external conditions, e.g. new cyber security challenges, are considered during risk assessment even if internal conditions have not changed.

The report lays out some recommendations on how to mitigate the problem.

  • The health care sector should embrace cyber insurance

This is a really interesting idea. Cyber insurance has the potential to become a game-changer, because organizations will have a direct economic incentive to cut insurance costs.

  • OCR should establish a universal HIPAA certification system

To me, this sounds like reinventing the wheel. HIPAA should be developed further to meet today’s cyber security challenges. But this need not lead to a new umbrella standard.

I would propose to develop a smart HIPAA standard on top of an ISO 27001 ISMS. This has the big advantage that it can be quickly adapted to meet new cybersecurity challenges. In addition, health care businesses can start managing risks immediately by implementing an ISMS according to ISO 27001.

Have a good weekend.

To be successful a SIEM implementation should follow the ISO 27001 approach

20 July 2015

Last Wednesday I participated in a workshop on Production IT Security in Frankfurt. The presentations about Security Assessments, SIEM solutions, Next Generation Firewalls and Threat Intelligence were very interesting, but, as always, I got the most valuable information from the discussions with the other attendees during coffee break. It was really amazing to hear that the attendees, although they came from different companies, talked about the same mostly negative experiences in their SIEM projects.

During my ride back to Leverkusen I had time to think about this. Expectation management was a big issue in the discussions. The PowerPoints of the vendors suggest a quick and easy installation and start-up, and with some days training in Big Data methods the SIEM operator can set up dashboards which show the current security status of your company. Far from it!

The key capabilities of a SIEM solution are:

(1) Data aggregation and correlation: Collect event data from various sources, correlate them, and integrate them with other information sources to turn the data into useful information.

(2) Compliance: Gather compliance data to support security, governance and auditing processes.

(3) Retention and Forensic analysis: Long term storage of historical event data for correlation over time and forensic analysis in the case of a security incident.

(4) Dashboard: Turn aggregated and correlated data into informational charts to aid security staff in identifying abnormal usage patterns.

(5) Alerting: Automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.

The implementation of each function requires a big effort in preparation and operation. Let me show this by means of two examples:

(4) Dashboard. In order to find abnormal usage patterns you have to define normal usage patterns first. This takes not only time: it is really hard to find relevant patterns in the ocean of events that systems create during normal operation. To ensure a fast start-up you have to clean up your systems, e.g. remove the event errors created by mis-configured services, before you start operation.

(5) Alerting is probably the most interesting capability of a SIEM system. It allows you to act directly upon security incidents. To get the most out of alerting you have to set up an incident response process, ideally depending on the classification of the information assets, to prevent wasting time and effort.

This requires that all assets are listed in an asset repository, classified, and assigned an asset owner before your SIEM solution goes into production.

In addition, your SIEM operations group must be sufficiently staffed, and the operators well-trained and empowered to take proper action on an incident, e.g. alerting your server operators or shutting down a server to prevent larger damage.

This sounds like the preparations required for the implementation of an Information Security Management System according to ISO 27001.

So my advice is: for a successful and quick SIEM implementation, follow the major steps of an ISMS implementation.

Bonne semaine!

HTTPS encryption for all federal websites requires new endpoint protection concepts

13 June 2015

Starting in 2017, all federal websites that are publicly accessible in the US should have HTTPS encryption as the standard secure communication protocol.

This directive, issued by The White House Office of Management and Budget (OMB), is a real game-changer because it makes it harder for attackers to intercept sensitive communications or to steal personal data that is entered on federal websites.

I had just finished my preparations for my ISO 27001 Information Security Officer exam when I read the announcement in a LIFARS post. ISO 27001 deals with cryptographic controls in Annex 10.1. In the related chapter A.10.1 of ISO 27002 you learn:

When developing a cryptographic policy the following should be considered:

g. the impact of using encrypted information on controls that rely on content inspection (e.g. malware detection).

Encryption means death for all traditional malware protection systems. Traditional malware detection tries to match patterns in a data stream against patterns stored in the pattern database of the anti-malware system. Since the patterns in the data stream are encrypted, matches are no longer found. Game over!

This has only a minor impact on enterprises. They can use already available technology that breaks the SSL encryption for inspection, but this is too expensive for end users.

Vendors of endpoint protection systems have to develop new concepts to protect consumers from unknown malware hidden in the encrypted data stream. And federal agencies have to increase their efforts to make sure that data exchanged through their websites does not contain malware.

‘HTTPS everywhere’ is indeed a real game-changer. Hopefully someone in the OMB has thought of the impact on endpoint protection.

Don’t panic… and have a good weekend.

An ISO 27001 Certification is worth every dollar

15 May 2015

Some weeks ago I took part in an ISO 27001 Foundation training. The students were all IT professionals, some of them involved in certification projects. Many of them complained about the high effort in getting certified.

Certification is often seen as a pure cost factor, in particular information asset classification. But once you have identified and classified the information assets, the entire organization can start working smarter. Let me show this by means of two examples.

Since you know exactly who is responsible for an information asset, you know the information owner and who can grant access to an asset if required. The onboarding process for employees is simplified because, based on the job description, access to the relevant information assets can be granted much more easily. The same is true for the offboarding process or the transfer of employees.

Your IT organization knows exactly which information assets are stored and processed on which IT systems. In the case of a new vulnerability you know exactly which systems have to be patched first. Thus IT organizations can focus again on their primary role as business enabler.
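Both the SIEM post above (alerting driven by the classification and owner of the affected asset) and the patching point made here rest on the same classified asset repository. As an added example that is not the author's code, the Python below triages a SIEM alert and orders patching from one constructed inventory; the hosts, owners, classifications, version numbers and priority thresholds are assumptions, and a host missing from the repository is treated as a finding of its own.

```python
from typing import Dict, List

# Constructed sample asset repository: hostname -> classification, owner, installed software.
# In a real ISMS this comes from the asset inventory, not from a literal in a script.
ASSETS: Dict[str, dict] = {
    "erp-db01":  {"class": "confidential", "owner": "finance-it", "software": {"openssl": "1.0.1f"}},
    "web-pub02": {"class": "public",       "owner": "web-team",   "software": {"openssl": "1.0.1g"}},
    "hr-app01":  {"class": "restricted",   "owner": "hr-it",      "software": {"openssl": "1.0.1e"}},
}
CLASS_RANK = {"restricted": 3, "confidential": 2, "internal": 1, "public": 0}   # assumed scheme
SEVERITY_RANK = {"high": 2, "medium": 1, "low": 0}


def triage_alert(host: str, severity: str) -> dict:
    """Turn a SIEM alert into a priority, a response action and the owner to notify.
    A host missing from the repository is escalated: an unclassified asset is itself a finding."""
    asset = ASSETS.get(host)
    if asset is None:
        return {"priority": "P1", "owner": "security-ops",
                "action": "escalate: asset not in repository, classify before responding"}
    score = CLASS_RANK[asset["class"]] + SEVERITY_RANK[severity]
    priority = "P1" if score >= 4 else "P2" if score >= 2 else "P3"   # assumed thresholds
    action = {"P1": "isolate host and page owner",
              "P2": "open ticket for owner, respond within 4h",
              "P3": "review in daily triage"}[priority]
    return {"priority": priority, "owner": asset["owner"], "action": action}


def parse_version(v: str) -> tuple:
    """Split a version like '1.0.1f' into ((1, ''), (0, ''), (1, 'f')) so tuples compare naturally."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits or 0), piece[len(digits):]))
    return tuple(parts)


def patch_order(product: str, fixed_in: str) -> List[dict]:
    """List systems running a version of `product` below `fixed_in`, most sensitive class first."""
    affected = [
        {"host": h, "class": a["class"], "owner": a["owner"], "version": a["software"][product]}
        for h, a in ASSETS.items()
        if product in a["software"] and parse_version(a["software"][product]) < parse_version(fixed_in)
    ]
    return sorted(affected, key=lambda r: -CLASS_RANK[r["class"]])


if __name__ == "__main__":
    print(triage_alert("hr-app01", "high"))       # P1: restricted asset, high severity
    print(triage_alert("unknown-host", "low"))    # P1: not in the repository
    for r in patch_order("openssl", "1.0.1g"):    # hr-app01 first, then erp-db01
        print(r["host"], r["class"], r["owner"], r["version"])
```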

From my point of view an ISO 27001 certification is worth every dollar. It’s just a question of the right marketing…

Have a good day.