
Wednesday, August 01, 2007

The ISO 27001 and ISO 17799 Newsletter

______________________________________________________

THE ISO 27001 and ISO 17799 NEWSLETTER - EDITION 15
______________________________________________________


Welcome to Issue 15 of The ISO 27000 Newsletter, designed to provide news and background with respect to the ISO security standards. The information provided is absolutely free to our subscribers and offers guidance on practical issues and commentary on recent incidents.

Covered in this issue are the following topics:

1)  ISO 17799 Becomes ISO 27002
2)  Logic Bomb Dangers Highlighted
3)  The History of The Information Security Standards
4)  Information Ownership Issues
5)  More ISO 17799/27001 Frequently Asked Questions
6)  Information Security News
7)  ISO 27000: The World Wide Phenomenon
8)  The SLA: Prioritization
9)  ISO 27000 Related Definitions and Terms
10) It Couldn't Happen Here, Could It?
11) Contributions

Appendix: Subscription Information

 
ISO 17799 Becomes ISO 27002
=======================
 
Following the decision taken by ISO last year, ISO 17799 has finally been renamed to ISO 27002. The change of name is simply that: a change of name. The purpose is to align it more closely to ISO 27001 in terms of perception.

Of course, the name change could be misleading, as some people may erroneously believe that other changes have been applied. They haven't. We therefore issue two recommendations:

1) If you already have a copy of ISO 17799:2005, you do not need to replace it with ISO 27002. The documents are identical except for references to the name.

2) On their website, ISO simply put up ISO 17799:2005, without even a new cover or any changes within. A single sheet accompanied it with the words "Replace '17799' with '27002'". However, the full replacement, with the name changes applied to the document itself, can be obtained from Standards Direct.


THE ISO 27000 TOOLKIT

To accommodate the change of name, the supporting 'ISO 17799 Toolkit' has also been renamed. It has also been updated, notably the policies, the roadmap and the presentation.

It is documented on the following website: The ISO 27000 Toolkit

 

Logic Bomb Dangers Highlighted
=========================

The recent case of a former US Government contractor pleading guilty to sabotaging Navy computers highlighted the need for constant vigilance with respect to so-called 'logic bombs'.

Also known as 'slag code' and commonly associated with 'disgruntled employee syndrome', a logic bomb is a piece of program code buried within another program, designed to perform some malicious act. Such devices tend to be within the province of technical staff (non-technical staff rarely have the access rights and even more rarely the programming skills required) and operate in two ways:-

1.    'Triggered Event' - for example, the program will review the payroll records each day to ensure that the programmer responsible is still employed. If the programmer's name is suddenly removed (by virtue of having been fired) the Logic Bomb will activate another piece of code to slag (destroy) vital files on the organization's system. Smarter programmers will build in a suitable delay between these two events (say 2-3 months) so that investigators do not immediately recognize cause and effect.

2.    'Still Here' - in these cases the programmer buries code similar to the Triggered Event type, but in this instance the program will run unless it is deactivated by the programmer (effectively telling the program "I am still here - do not run") at regular intervals, typically once each quarter. If the programmer's employment is terminated unexpectedly, the program will not be deactivated and will attack the system at the next due date. This type of Logic Bomb is much more dangerous, since it will run even if the programmer is only temporarily absent (e.g. through sickness, injury or other unforeseen circumstances) at the deactivation point. The fact that it wasn't meant to happen just then is of little comfort to an organization with a bombed system.

Logic bombs demonstrate clearly the critical need for audit trails of activity on the system, as well as strict segregation of duties and access rights between those staff who create systems (analysts, developers, programmers) and the operations staff who actually run the system on a day-to-day basis. Independent review of code before it is released to production, and change control that records who changed what and when, give those audit trails something to bite on: a production job that needs a recurring human 'keep-alive', or one that reads personnel records for no business reason, should stand out.
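The following is an added example, not code from the newsletter, that models the two trigger patterns described above and then runs the kind of audit check the closing paragraph argues for over a constructed scheduled-job inventory. The job records, account names, dates and the four audit rules are all assumptions made for illustration; the point is that the 'Still Here' switch cannot distinguish dismissal from sick leave, and that an inventory cross-checked against HR records and deployment history surfaces both patterns before they fire.

```python
"""Added example (not from the newsletter): a model of the two logic-bomb
trigger patterns, plus an audit routine over a constructed job inventory."""
from datetime import date, timedelta

CHECKIN_DAYS = 90  # the quarterly 'I am still here' interval from the text


def triggered_event_fires(payroll, author, today, delay_days=0):
    """Pattern 1, 'Triggered Event'.
    payroll maps employee name -> termination date (None while employed).
    The bomb stays dormant while the author is on payroll and, once the
    name is gone, waits delay_days so that cause and effect are separated."""
    removed_on = payroll.get(author)
    if removed_on is None:
        return False
    return today >= removed_on + timedelta(days=delay_days)


def still_here_fires(last_checkin, today, interval_days=CHECKIN_DAYS):
    """Pattern 2, 'Still Here' (a dead-man's switch).
    Fires whenever the author has NOT reset it within the interval.  It has
    no way to tell dismissal from sick leave, which is why the text calls
    this variant the more dangerous of the two."""
    return today > last_checkin + timedelta(days=interval_days)


# Constructed scheduled-job inventory, as an audit trail might expose it.
# Field names and values are assumptions for this example only.
JOBS = [
    {"name": "nightly-backup", "owner": "ops-svc", "team": "ops",
     "author": "dev-a", "deployed_by": "ops-b",
     "reads": ["filestore"], "keepalive_days": 0, "last_keepalive": None},
    {"name": "report-gen", "owner": "jsmith", "team": "finance",
     "author": "jsmith", "deployed_by": "jsmith",
     "reads": ["ledger", "payroll"], "keepalive_days": CHECKIN_DAYS,
     "last_keepalive": date(2007, 3, 1)},
]
OFFBOARDED = {"jsmith"}  # accounts HR has terminated (constructed)


def audit_jobs(jobs, offboarded, today):
    """Return (job, finding) pairs for four checks that surface the patterns:
    a job still scheduled under an off-boarded account, a job that needs a
    recurring human keep-alive, a non-HR job reading personnel records, and
    a job written and deployed by the same person (no segregation of duties)."""
    findings = []
    for job in jobs:
        if job["owner"] in offboarded:
            findings.append((job["name"], "owner account is off-boarded"))
        if job["keepalive_days"]:
            silent = today - job["last_keepalive"]
            state = "overdue" if silent.days > job["keepalive_days"] else "current"
            findings.append((job["name"], f"requires manual keep-alive ({state})"))
        if "payroll" in job["reads"] and job["team"] != "hr":
            findings.append((job["name"], "non-HR job reads payroll records"))
        if job["author"] == job["deployed_by"]:
            findings.append((job["name"], "author also deployed it to production"))
    return findings


if __name__ == "__main__":
    for job_name, finding in audit_jobs(JOBS, OFFBOARDED, date(2007, 7, 1)):
        print(f"{job_name}: {finding}")
```

Run against the constructed inventory, 'nightly-backup' is clean and 'report-gen' trips all four rules, including an overdue keep-alive: the audit does not need to know the bomb exists, only that a production job depends on a named person staying around.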


The History of The Information Security Standards
======================================

Examination of the past often illuminates the present. This is certainly the case in terms of untangling the different acronyms and numbers associated with the information security standards.

The embryo of the security standards was actually a document published by the UK Government's DTI in 1992. This was the 'Code of Practice for Information Security Management'. It was subsequently upgraded by BSI (the British Standards Institution), who published 'BS 7799-1 - Code of Practice for Information Security' in 1995. BSI enhanced this document, and also published a second part, BS7799-2, which was a specification for security management, in the late nineties.

In 2000 ISO finally appeared on the scene, adopting BS 7799-1 and renaming it to ISO 17799:2000. However, it wasn't until 2005 that they eventually adopted BS7799-2, which became ISO 27001:2005. ISO 17799 was re-published in the same year, and as explained above, was renamed to ISO 27002 in July 2007.

In 2006 BSI published BS7799-3, 'Guidelines for information security risk management'. Again, the chances are that this will eventually evolve into an ISO standard (possibly ISO 27005).

So we thus have:
ISO 27002:2005 - Code of Practice
ISO 27001:2005 - Specification for an ISMS
BS7799-3 - Risk Management.

It is not actually quite this simple though... because ISO are attempting to 'normalize' their entire numbering system. They want all their information security standards to be similarly numbered. That is reasonable of course, but many would argue what is not reasonable is simply to rename documents at a random point in time, rather than on the next upgrade.

The full numbering intention is documented on the ISO 27000 Directory website.
 

Information Ownership Issues
=======================

It is essential that the ownership of information systems, data and files is formally established within the organization. This formal assignment invariably brings with it a more serious approach, 'top down', to the whole issue of information security.

Historically, all electronic systems and data files were considered to be "owned" by the IT department, but over recent years ownership has correctly moved towards the areas or individuals who actually create the information, or who are ultimately responsible for the data and systems output.
 
Usually, the person who creates, or initiates the creation or storage of the information, is the designated owner. In an organization, possibly with divisions, departments and sections, the owner becomes the unit itself with the person responsible being the designated 'head' of that unit.

The Information owner is normally responsible for ensuring:-

•    that an agreed classification hierarchy is put in place and that this is appropriate for the types of information processed for that business / unit;
•    that all information is classified and stored into the agreed types, and that an inventory (listing) is created;
•    that each document or file within each of the classification categories has its agreed (confidentiality) classification appended to it;
•    that for each classification type, the appropriate level of information security safeguards is available (e.g. the logon controls and access permissions applied by the Information Custodian provide the required levels of confidentiality);
•    that periodically there is a check to ensure that information continues to be classified appropriately and that the safeguards remain valid and operative.

If a designated owner of information leaves the organization, it is important to ensure that a new owner or custodian is immediately appointed to protect the approved levels of confidentiality and approve or decline access requests.

Many organizations have seen a demonstrable improvement in the cultural approach to security as a result of ownership clarification. It is a move certainly long overdue for those whose IT departments are still seen as data owners.
 

More ISO 17799/27001 Frequently Asked Questions
=======================================

1) Where Do I Start with an ISMS?
The start point most often recommended for the implementation of a formal Information Security Management System (ref: 27001) is a definition of scope. This is in fact pure logic. Unless you define your boundaries you are unlikely to get too far without encountering significant difficulties. The scoping exercise itself is often quite illuminating.

2) Is there a Forum Dedicated To the Standards?
Yes. The biggest forms part of the ISO 27001 and ISO 27002 User Group

3) Where Do I Find a List of Certified Companies?
There is no global list, as companies tend to be certified via national accredited bodies. However, there is an international voluntary register hosted by the ISO 27001 Open Guide.

4) How many companies are now certified?
At the last count this was well in excess of 2,000.

5) What is ISO Guide 62?
This guide contains the requirements applicable to a certification body (the body that actually issues certificates). Accreditation bodies assess certification bodies against it before authorizing them to certify.


Information Security News
====================

1) Sophos reports that malware is increasingly being spread via web pages, rather than via email, with sites in China and Hong Kong accounting for more than half the total. Most affected sites are victims themselves, having been compromised by hackers. In a separate report, PandaLabs reports that malware detections increased by over 170% last year. Trojans now represent more than half of such attacks, with bots at 14 percent and backdoors at 13 percent.

2) A recent survey by Network Box of 250 small businesses demonstrated an alarming indifference to security. 62 per cent had no system in place to protect against phishing, whilst a staggering 99% did not know how often their anti-virus software was updated.

3) The University of Missouri became the latest in a string of universities to suffer a serious security breach when hackers obtained more than 20,000 Social Security numbers (SSNs). Using IP addresses from China and Australia, the hackers made thousands of queries over a span of hours, obtaining one SSN at a time.

4) According to Symantec, Image Spam still accounts for more than 25% of all spam. This is essentially a technique which puts the message text inside an embedded image so that text-based spam filters have nothing to match. Whilst this is down from earlier in the year, the daily rates indicate a high level of variance. Spam itself accounts for 65 percent of all email at the SMTP layer.

5) A video clip was recently posted on YouTube showing union protestors examining trash awaiting collection outside Chase Bank in New York. The video (http://www.youtube.com/watch?v=G_8xRnzQqME) shows loan application forms and other sensitive data being examined by the Service Employees International Union supporters. The clip again illustrates that low tech security issues remain a constant threat.   

6) An audit has revealed that the IRS (the US Internal Revenue Service) lost almost 500 PCs in the 3 year period to the middle of 2006. It is believed that the personal information of at least 2,000 taxpayers could have been compromised as a result. The IRS has subsequently stated that it is "taking aggressive steps to further secure government equipment and protect sensitive data to mitigate the risk of potential identity theft or other fraudulent activity."
 
 
ISO 27000: The World Wide Phenomenon
===============================
 
Our source list for recent purchases of the standard always proves to be a popular talking point. The most recent thousand or so is as follows:

Argentina 6
Australia 25
Austria 10
Barbados 1
Belgium 12
Bermuda 1
Bosnia and Herzegovina 2
Brasil 16
Canada 122
Cayman Islands 1
Chile 7
China 18
Colombia 14
Costa Rica 1
Croatia 2
Cyprus 2
Denmark 12
Egypt 4
Estonia 1
France 10
Germany 65
Gibraltar 1
Greece 7
Hong Kong 16
Hungary 9
Iceland 1
India 29
Indonesia 5
Ireland 24
Israel 1
Italy 37
Jamaica 1
Japan 25
Jordan 1
Korea 2
Lebanon 1
Luxembourg 1
Malaysia 18
Malta 2
México 28
Netherlands 52
New Zealand 15
Norway 17
Panama 1
Peru 1
Philippines 10
Poland 11
Portugal 7
R.O.C. 2
Romania 5
Russia 10
Saudi Arabia 14
Singapore 19
Slovak Republic 1
Slovenia 1
South Africa 19
Spain 27
Sultanate of Oman 1
Sweden 16
Switzerland 59
Taiwan 4
Thailand 1
Tunisia 1
Turkey 11
UK  371
United Arab Emirates 16
USA 542
Venezuela 1

The usual health warnings apply: these sales are through an online credit card outlet, so those cultures that are less familiar with ecommerce will be under represented.
 
 
The SLA: Prioritization
=================
As previous editions of the newsletter have demonstrated, the SLA can prove to be an important tool with respect to information security, particularly regarding service availability. One such aspect pertains to prioritization.

The purpose of defining and prioritizing problems within service level agreements is to ensure that resources are concentrated on resolving the most critical incidents, ensuring that these are resolved on a basis reflecting their seriousness with respect to impact on the Client. It enables the Client to understand how the incident management process will be operated and the Supplier to concentrate scarce resources towards resolution of the incidents themselves.

To this end, it is important that the potential impact of the incident on the Client's business is properly defined.

The SLA should thus contain a suggested structure for classifying problems, and the supplier and client should both ensure that this structure meets their requirements.  A suggested simplified structure is given below:

Problem       Priority Status       Impact
Priority 1    Mission critical      Serious financial impact
Priority 2    Extremely urgent      Significant financial impact
Priority 3    Urgent                Medium financial impact
Priority 4    Medium priority       Minimal financial impact
Priority 5    Low priority          No financial impact

Information Source: The SLA Toolkit.


ISO 27002 Related Definitions and Terms
===============================
In each ISO 27000 Newsletter we include a selection of terms and definitions to unravel and explain some of the jargon and strange language used by IT and Information Security professionals. In this edition, we provide a further selection of terms that all start with the letter 'F'.

Finagle's Law
The 'folk' version of Murphy's Law, fully named 'Finagle's Law of Dynamic Negatives' and usually rendered 'Anything that can go wrong, will.'. One variant favored among hackers is 'The perversity of the Universe tends towards a maximum.'. The label 'Finagle's Law' was popularized by SF author Larry Niven in several stories depicting a frontier culture of asteroid belt miners. This 'Belter' culture professed a religion and/or running joke involving the worship of the dreaded god Finagle and his mad prophet Murphy.

Fit for Purpose
Fit for Purpose is a general expression which can be useful to ensure that Information Security solutions are appropriate for your organization. Vendors will sometimes attempt to 'fit' their solution to your problem. Fit for Purpose is an expression which, when used within the solution negotiation context, places an onus of responsibility upon the vendor to ensure that its solution is (indeed) fit for the purpose which their client expects.
Example: a well known systems company contracted for the sale of their system. Included in the price was one week of training in the system. During implementation it became apparent that one week of training was totally inadequate. The customer successfully claimed (prior to legal action) that the supplier's solution was inadequate and hence not fit for purpose. When considering Information Security solutions, it is good practice to remind any potential suppliers in your requirement that the solution must be fit for purpose.

Flag
A message indication, sometimes, but not always, a warning to a user, which appears when a certain event takes place. For example, an inventory monitoring program may well 'flag' certain products when stocks fall below a predetermined level, to alert the user to re-order. An alternative use is to warn of an event which will take place in the future, but has not yet occurred, for example, a financial institution aware of large check-based transaction on a customer's account may 'flag' the account to avoid an unauthorized overdraft.
Flags may be generated manually or automatically, depending on circumstances. In the case of the stock monitoring this would be automatic, while the check transaction example would be processed manually. Automatic flags serve a useful purpose in drawing users' attention to situations which otherwise may be overlooked.

Flame
'Flame' is abusive communication by E-mail or posting to a newsgroup, which attacks an individual or organization for some real or imagined grievance. The real problem is broader than that of a few rude e-mails: flame represents the anarchistic side of the Internet. The flame may start with only one abusive message, but it is broadcast so widely that large numbers of unconnected browsers join in - often on both sides of the argument. This can lead to 'Flame Wars', where the traffic load becomes so high that communications network performance degrades, and E-mail boxes become blocked - as is the case with bottlenecking and mail bombing. Problems for companies may arise if a member of staff has used an organization's e-mail address to start the flame - another reason to monitor staff activities. Flame has some redeeming features. Deeply unpleasant (or disturbed) individuals who posted lengthy racist (or sexist, or some other -ist) diatribes have found themselves flamed off the Net....

Freeware
Literally, software provided for free - no charge. This is not as uncommon as might be expected. Major software developers often give away old versions of their products to allow users to try them at no charge and, hopefully, succeed in tempting them to purchase the current release.  Independent developers may give away small programs to establish a reputation for useful software, which then enables them to charge. Cover disks attached to a computer magazine often contain Freeware. As with Shareware, Freeware should be approached with caution, and staff dissuaded from trying out their new Freeware on organization equipment.


It Couldn't Happen Here - Could It?
===========================

Most editions of The ISO 27000 Newsletter feature at least one TRUE story of an information security related incident or its consequences:

1) In case you ever wondered why the term 'dumb users' emerged:

Login: yes
Password: i dont have one
password is incorrect

Login: yes
Password: incorrect

2) A genuine quote: "Morons. These people who live in my apartment complex are connected to my wireless. They must think they're super-cool hackers by breaking into my completely insecure network. Unfortunately, the connection works both ways. Long story short, they now have loads of (censored) on their computer."  

3) Finally, not a true story (or is it?), but funny regardless.

The six phases of an ISO 17799 implementation (adapted):
Enthusiasm
Disillusionment
Panic
Search for the guilty
Punishment of the innocent
Praise for the non-participants 
 

 
Contributions
==========
Have you got something to say on the standards, or a fresh insight or some information which might benefit others?  If so, please feel free to submit your contribution to us. Sponsors are also welcome.

 

Newsletter Reminder
================

We hope that you have found this issue to be informative and useful. Subscription is entirely free (although 'opt-in' only). Please feel free to pass this copy on to your friends and colleagues. If you do not wish to receive further copies, simply email us at the address below with a title of 'Un-subscribe'. 

If your friends or colleagues wish to receive the newsletter directly, they should simply send an email to: news@27005.com with a title of 'subscribe'.

 

Finally, the publishers accept no liability or responsibility for errors or omissions in this newsletter. This also applies to any loss or damage caused, arising directly or indirectly, by the use of or reliance on the information contained within. 

 

The ISO 27000 Newsletter 



This message was sent from The ISO 27000 Newsletter to security.world@gmail.com. It was sent from: TKL, Whitby Road, Manchester, Manchester M14 6QL, United Kingdom.

2 comments:

Fábio Ramos, CISSP, CISM, CIFI said...

Hello Aamir,

I am here to tell you we have launched a full solution for ISO 27001. It's Axur ISMS and you can try it at http://isms.axur.net

Regards :-)

forfin said...

Hello Aamir,

If you are looking for information on ISMS and the ISO 27000 family, you can try the ISMS Guide Blog

Regards