BestInternetSecurity.net

Information Security Resources


Archive for the 'Security Management' Category



Aligning Employee Attitudes with Security Policies

Monday 3 November 2008 @ 1:18 pm

Don’t overlook your employees’ rejection of your security policies. Without their understanding and acceptance, your company’s information security is at stake.

Here is a very good article on why we should, and how we can, enforce security policies in a corporate environment:

http://www.cw.com.hk/article.php?type=article&id_article=2588

As we have discussed before in this blog, the point is that you need to let employees know why there are security policies and how the policies are benefiting them. And let them know the consequences of violating the policies.

Cisco has recently released a study showing that many employees do not follow security policies in the work environment. The reason is that they think the policy is unfair to them and not aligned with the reality of their daily work.

http://www.cw.com.hk/article.php?type=article&id_article=2591

The article states:

“The study found that the majority of employees believe their companies’ IT security policies are unfair. Indeed, surveyed employees said the top reason for non-compliance is the belief that policies do not align with the reality of what they need to do their jobs, according to Cisco.”

This reconfirms that the human factor in Information Security is still the primary issue we need to deal with in our day-to-day security management.

Tags: Information Security Policy, Information Security Policy Management, Employee Attitude to Security Policy, Security Policy, Security Policy Management





Security Policy: Summary of Experts’ Opinion

Thursday 4 September 2008 @ 7:05 am

Let’s begin by looking at the meaning of the word “policy”. Walt, C. (2001a) defines a policy in practical security terms as “a published document (or set of documents) in which the organization’s philosophy, strategy, policies, and practices with regard to confidentiality, integrity and availability of information.”

In other words, it’s actually management’s intention for how various stakeholders, especially employees, should uphold and follow the required security standards in operating the company’s activities.

Policies should:

  • state reasons why the policy is needed
  • describe what is covered by the policy - whom, what, and where
  • define contacts and responsibilities to outside agencies
  • discuss how violations will be handled

A recent journal by James and Coldwell (2007) states that corporate policies should consider security and ethics issues. Management should include explicit statements about the following:

  • An organization’s method of handling the security of its system and information;
  • Privacy and security issues of information;
  • Informational assets complying with the impact of ethical behavior and conflict.

Users should be educated to recognize the value of assets, risks, and costs of compromise, as the human being is always the weakest link in security management. Therefore, when designing a security policy, human factors should be closely examined and reviewed. This view is supported by a white paper from British Telecommunication plc (BT White Paper 2004).

If you take a look at most security life cycle models, you will notice that a security policy is at the center of security processes, as shown in some typical models below:

http://www.sans.org/reading_room/whitepapers/testing/260.php (SANS Institute)

http://www.bradreese.com/andrew-r-reese.htm (BradReese.com)

http://www.audisec.com/html/philosophy.html

You should not overlook this important security tool in your organization, should you?

Reference:

BT White Paper (2004), ‘Why Security Policies Fail’, http://www.mis.uwec.edu/keys/Teaching/is365/208770-BT%20Why%20Security%20Policies%20Fail%20-20000718.pdf Accessed 08/08/08

James, H. and Coldwell, R.A. (1993), ‘Corporate Security: An Australian Ostrich’, Information Management & Computer Security, Vol 1, (Issue 4), 10-12

Walt, C. (2001a), ‘Introduction to Security Policies, Part One: An Overview of Policies’, SecurityFocus, August 27, 2001, http://www.securityfocus.com/print/infocus/1193 Accessed 08/08/08

Walt, C. (2001b), ‘Introduction to Security Policies, Part Three: Structuring Security Policies’, SecurityFocus, October 9, 2001, http://www.securityfocus.com/infocus/1487 Accessed 08/08/08

Weil, S. (2004), ‘How ITIL Can Improve Information Security’, SecurityFocus, December 22, 2004, http://www.securityfocus.com/infocus/1815 Accessed 08/08/08

Tags: Security Life Cycle Model





What are Risk, Vulnerabilities, Threats, and Countermeasures? Risk Management Lesson 101 for Information Security

Monday 11 August 2008 @ 4:01 am

In this article, I will use layman’s terms and descriptions to help you understand the various fundamental concepts of Risk Management in Information Security.

To illustrate those concepts, I like to use a popular diagram [1] from Common Criteria, shown below:

In the center of this diagram you’ll find the term vulnerabilities. Vulnerabilities are any weaknesses of a system. A system always contains vulnerabilities. You cannot build a 100% perfect system with no vulnerabilities, even if you have unlimited power, money, and time to build such a system. All systems contain imperfect components, and the integration of imperfect components produces an imperfect system that always possesses certain vulnerabilities.

Threats are elements from various sources that can exploit vulnerabilities and that increase risk. Risk is the probability that the system’s asset will be damaged/abused by the threats that exploit the vulnerabilities. Assets can be tangible (such as hardware/software) or intangible (such as good will and customers’ confidence).

Threats can be initiated by threat agents. A common threat agent for IT systems is people. They can accidentally or intentionally exploit vulnerabilities of a system to impact an IT system.

In order to manage risk, we deploy countermeasures (controls) to a system to reduce its vulnerabilities. The decision to deploy certain countermeasures to reduce the vulnerabilities, and hence reduce risk, lies solely with the information owner, who bears all consequences arising from the risk.

In a formal risk management exercise, an organization should undergo an intense brainstorming session to discover all possible threats that can exploit the vulnerabilities of a system. The difficult part of this step is not determining whether a certain threat will cause risk to a system, but the effort required to locate all possible threats to a system. Anything overlooked could lead to possible serious exposure to risks that have not been identified.

It is of the utmost importance for the owner (the “Owners” in the diagram) of an organization to identify all possible threats to its information system to the very best of his/her effort and knowledge, in order to fulfill fiduciary duties to customers and other stakeholders. Without knowing what the risks are, it’s impossible to implement suitable countermeasures to contain and mitigate those risks.

Reference:

[1] Picture from Common Criteria, http://www.commoncriteria.org/docs/PDF/CCPART1V21.PDF, p. 14

Tags: Vulnerability, Countermeasure, Security Controls, Risk mitigation, Information Security Management, Information Risk Management





How Does a Password Cracker Work? And how to avoid your password being cracked by a password cracker

Friday 25 July 2008 @ 6:38 pm

A Password Cracker is a piece of software that attempts to break into a system by trying many different user names and passwords.

To break a password, a Password Cracker uses one of two methods of attack.

The first method is the Brute Force Attack. In this type of attack, the software generates every possible combination of letters, digits, and even symbols to try to break into your account. The longer the password, the longer it takes to break into the system. However, since computers get faster every year (according to Moore’s law, computer speed doubles every 18 months), the time to break a password of any given length falls by 50% every 1.5 years.

The second method is the Dictionary Attack. This is a more clever method in which the attacker uses a pool of words such as names, common vocabulary, etc., and tries various combinations of them to crack the system. The pool of candidates to try is much smaller than in a Brute Force Attack because the choices of letters and numbers to combine are far more confined. It is very easy to get a word list: a Google search for “word list” turns up many databases available on the web.
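To make the two attack models concrete from the defender’s side, here is an added example (not part of the original post) that estimates how much search space each model leaves an attacker: a keyspace calculation for brute force, a simple wordlist-plus-mangling check for dictionary attacks, and the post’s Moore’s-law assumption projected forward. The wordlist, the leet-substitution table, the 1e9 guesses/s rate and the assess() helper are all constructed for this example.

```python
# Constructed sample wordlist: a stand-in for the large "word list" files the
# post refers to, so the example runs offline.
WORDLIST = {"password", "summer", "dragon", "letmein", "welcome", "monkey"}
# Character substitutions a dictionary attack tries alongside the plain word.
LEET = str.maketrans("@431$0!", "aaeisoi")
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def brute_force_keyspace(password: str) -> int:
    """Candidates a brute-force attack must cover: alphabet ** length, where the
    alphabet is the union of the character classes the password actually uses."""
    classes = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),  # printable ASCII symbols
    ]
    alphabet = sum(size for used, size in classes if used)
    return alphabet ** len(password)

def dictionary_guessable(password: str, wordlist=WORDLIST) -> bool:
    """Dictionary-attack model: a wordlist entry with case/leet variation, optionally
    followed by up to four digits. True means the effective search space is tiny
    no matter how large brute_force_keyspace() says it is."""
    core = password.rstrip("0123456789")
    if len(password) - len(core) > 4:
        return False
    return core.translate(LEET).lower() in wordlist

def years_to_crack(password: str, guesses_per_second: float = 1e9) -> float:
    """Expected brute-force time, assuming half the keyspace is searched on average."""
    return brute_force_keyspace(password) / 2 / guesses_per_second / SECONDS_PER_YEAR

def years_to_crack_in(password: str, future_year: int, base_year: int = 2008,
                      base_rate: float = 1e9) -> float:
    """The post's Moore's-law assumption (speed doubles every 18 months) applied:
    the same password takes half as long to brute-force every 1.5 years."""
    doublings = (future_year - base_year) / 1.5
    return years_to_crack(password, base_rate * 2 ** doublings)

def assess(password: str) -> str:
    """One-line verdict combining both attack models (hypothetical helper)."""
    if dictionary_guessable(password):
        return "weak: dictionary word with predictable mangling"
    return f"~{years_to_crack(password):.3g} years brute force at 1e9 guesses/s"

if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "summer2008", "T7#kq2!Lm9", "abcdefghijkl"]:
        print(pw, "->", assess(pw))
```

The point the numbers make is the one the post makes in words: a password such as “P@ssw0rd1” has a large brute-force keyspace yet falls to the dictionary model immediately, so length and character mix only help when the password is not a mangled dictionary word.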

Originally, I’d planned to write a summary of tactics you can use to choose passwords that are easy to memorize but difficult to crack. But then I accidentally stumbled upon a page that does this nicely. In the interest of not reinventing the wheel, here is the link to that page:

http://www.wikihow.com/Remember-Your-Password

Enjoy, and if you have other innovative ways to remember difficult passwords, let me know.

Tags: password management, password generation methods, how to craft a password





Re-Conceptualizing Security

Thursday 22 May 2008 @ 6:54 pm

Yesterday morning, I managed to find some time to attend the 9th INFOSECURITY CONFERENCE in Hong Kong. One of the keynote speakers was Bruce Schneier, a security guru and founder and CTO of BT Counterpane – an information security firm offering managed security services. Bruce, the author of several best-selling books on the subject, presented an excellent talk on his views about security concepts. Some of his books that I have on my shelf are: Applied Cryptography, Secrets and Lies, and the recently published Beyond Fear.

Bruce began the discussion by stating the difference between two types of security in our lives. One type has to do with how you feel about security, and the other type is about the reality of security.

These are two separate things. You can feel secure yet not actually be secure. On the other hand, you can have real security but not feel it. The two tend to diverge. What is surprising is that, linguistically, we do not have two different words to describe these two types of security. We have only one word in English, and it seems the situation is quite similar in other languages.

Perhaps the reason for this is that in the ancient world, while our languages were being developed, these two types always went together. You could observe the physical environment with your five senses and judge whether it was secure or not. So essentially you felt secure when you really did have physical security.

But today in the information world, these two types of security do not go together all the time. We have security measures installed in our information systems that “safeguard” our information assets, even when we do not actually “see” or “feel” them.

What is worrisome is that most of the time we may not actually “feel” the lack of security in our systems when in fact they do contain serious security flaws.

So the first thing we need to do in regard to security is educate people to be more aware of the need for security. Educate them so they have the knowledge necessary to “see” the security measures installed in their systems.

What helps us do this, according to Schneier’s idea, is to use “systems” to explain the security implementations in our society. A system here is a simplification of a real-world situation into a model, to help people understand in a simpler way how something works. For example, we can explain the mechanism of a camera surveillance system in a way that helps people understand its value not only in monitoring a crime taking place, but also in helping to deter the crime from happening, since criminals know that its presence increases the risk of being caught.

By helping people understand the working mechanism behind a camera surveillance system, they are more likely to support its implementation and less likely to object over the privacy concerns involved with a surveillance system.

As I have always emphasized, successful security management has to be built first on the trust, support, and understanding of people. After all, obtaining security is always a tradeoff. You need to forgo first convenience, and second, the time and money invested in the security system, in exchange for something you cannot really “feel,” even when it has been properly put into place.

So security is kind of a “second thought” in many people’s minds. People tend to think of many excuses not to commit to the best security practices simply because they don’t really feel insecure, even when they do not have proper security measures in place.

All in all, I think Bruce used a very good approach to present this idea at the conference. If you want to know more about Bruce Schneier, visit his personal website here: http://www.schneier.com/.

For details of the conference, please visit: http://www.infosecurityproject.com/

Tags: Information Security Awareness

Technorati Tags: Applied Cryptography, Secrets and Lies, Beyond Fear