CIO’s Security and Roadblocks

If you’re a CIO and you’re not reporting the state of risk and security on a regular basis to your CEO and/or Board, you are not only putting your organisation at greater risk but, looking at the bigger picture, also business partners, shareholders and everyone else associated with that business. We’re in 2012 now, not 1999, when ignorance of basic security could still be forgiven (somewhat).

Read more in Drazen Drazic’s latest contribution to the CSO Online CSO Bloggers.

http://www.cso.com.au/blog/cso-bloggers/2012/05/30/get-cio-out-reporting-line-security/

Security Management Frameworks

In case you have not seen them, other CSO Online Posts from Drazen Drazic are:


Movements in the PCI DSS – Helen Teixeira and Steve Surdich (Compliance Team)

As a Qualified Security Assessor (QSA) company, we are engaged by many organisations to assist them with obtaining PCI DSS compliance, as well as performing the formal annual audits.
We have noticed an increase in activity in the PCI DSS compliance space in the first half of this year, with many companies ramping up their compliance activities and some returning to resume archived PCI projects. This leads us to think that there may be a more concerted push by the Banks (and other financial institutions) to have their merchants – and service providers – achieve compliance.
We would be interested in hearing from other organisations about their first-hand experience. Has the external pressure to achieve compliance gone up a few notches, or are organisations simply reaching a level of maturity where they feel it is ‘time’ to take the next step? What are you seeing?

The 7 reasons why businesses (still) struggle with Information Security in 2012 – Drazen Drazic

In 2007, we published an article, The 7 Reasons Why Businesses are Insecure!

We decided to revisit the topic and not surprisingly, little has changed.

We’ve not seen a need to change the framework components (and in some cases we’ve left the original text). If anything, the relevance, structure (its order and definitions) and importance of the framework have grown. But as technology has evolved and the way we use it has grown, basic failures in effectively managing business risks have slipped further behind.

1. Management and Governance – From our 2007 article: “If the CEO and Senior Officers of the business do not ultimately own the responsibility and accountability for the security of the business, then it just does not get the appropriate attention”.

In an upcoming article, we’re going to be expanding on this topic and looking at how IT risk must and will become a part of a Board’s overall risk management governance and oversight responsibility. (Few Boards do it now, and even fewer to levels that align with the governance and oversight they provide to other, equally important business risks.)

PCI compliance needs highlighted by international operation

Two years of joint operations involving a number of national and international agencies has resulted in the closure of 36 websites suspected to be operating illegal card sales.

Operatives from the Australian Federal Police worked alongside members of the US Federal Bureau of Investigation (FBI), the UK’s Serious Organised Crime Agency (SOCA) and a number of official European departments to investigate allegations of sites using sales platforms to trade stolen credit card details.

According to reports, SOCA and the FBI were able to obtain nearly 2.5 million items from these criminal activities – including stolen personal and financial details potentially gained through fraudulent activities.

The authorities believe that they will be able to prevent the loss of around $780 million to the payment card industry (PCI) by passing the recovered information along to the card vendors to allow them to block future transactions and track down potential breaches.

Commercial operators who accept card payments must adhere to the PCI DSS requirements set out by the PCI Security Standards Council in order to keep their clients’ information safe from exploitation.

The size and scale of this official operation goes to show the importance of getting these procedures right – and the costly outcomes should there be a breach due to negligence.

Ethical hacking helps advanced security planning

Being aware of the strengths and weaknesses of a firm’s security protocols is an integral piece of a diligent manager’s duties – it comes with the territory.

Part of protecting a business’ digital assets is knowing how external parties may attempt to access a particular information stockpile.

While managers can often point to specific areas that would be the most valuable to malicious parties, the problem is that it can be difficult to know exactly how they would execute a breach attempt.

An ethical hacking session performed by accredited professionals can help to give an insight into this pressing security issue – without the danger of actually losing proprietary information in the process.

The expert team can be provided with a brief background on their ‘target’ as well as directions on the avenues of concern to management.

Alternatively they can be given the specific target – perhaps a set of dummy information or a server loaded with outdated files – and directed to access it using any means at their disposal.

Should they be successful, a full report can be provided to the organisation detailing areas of concern, along with a list of recommended actions to help close the gaps.

If I had a Dollar – penetration testing and security myths from Steve Darrall, Securus Global Practice Manager

If I had a dollar…..part 1 of (well, who knows?)

This post will be the first in a series from Securus Global where we dispel a few information security myths that we hear on an all too regular basis, to the point that if we were paid every time we heard them we’d be sunning ourselves on a quiet Pacific island. 🙂

No doubt, you’ve heard most of these yourselves and may wonder if you’re alone. You’re not.

So without further ado, here’s our first installment…

“Once security testing is complete, we’ll put it into production”. In our experience this isn’t the best project management approach to take. Any project should allow time for remediation and retesting to take place. Security testing shouldn’t be seen as a tick in the box on your project schedule.

Penetration testing can give a clear picture of the security puzzle

From within a business or organisation, the task of providing an objective review of any feature, project or asset can be difficult to manage without it being clouded by certain factors.

In some cases the points under consideration are the results of the efforts of the reviewer, while in others the person in charge is highly likely to know the staff members concerned.

As professional as these individuals may be, it still remains in the best interests of the organisation as a whole to consider the possibility of bias affecting the outcome of a review.

Rather than place the onus on internal stakeholders to prove their detachment from projects that may be very close to their heart, it may be more productive in the long run to simply avoid this scenario entirely.

This is where the value of ethical penetration testing services comes to the fore – with dedicated professionals performing external evaluations in order to determine the most likely avenue of entry for a malicious party.

The main advantage is that a firm will be able to gain an insight into where its coverage may be lacking – with gaps that are obvious to those outside the firm that might not be considered by the professionals immediately responsible for the everyday operations.

IT developments to factor in security audits

A new survey from Gartner has shown that 2012 may be set to become the year of cautious IT behaviour, as companies face economically turbulent market conditions.

For many chief executive officers (CEO), the uncertain financial situation presented by their competitors and stakeholders presents a powerful argument towards investing in new developments.

Gartner’s survey of over 220 CEOs published on April 16 found that – while fiscal responsibility and cost control had grown in priority – IT investment was to grow over the remainder of the year.

Vice president at Gartner Jorge Lopez explained that the drive to produce additional value from technology investment was “comparatively healthy”.

Mr Lopez asserted: “The newer trends, such as mobile and cloud, are rising to the foreground of CEOs attention.

“However, CRM remains CEOs’ favourite IT capability because marketing is a never-ending competitive quest for customer retention.”

While effective use of data mining and long-term relationship management activities generates value, due diligence demands that the level of online security reflect the value represented by the material kept on hand.

Ideally, vulnerability management measures should be an integral part of the planning process – with the costs and benefits factored into additional IT project planning.

At what point in your systems development and implementation life cycle do security risk and vulnerability management begin?


Well informed staff members assist vulnerability management

Forward thinking employers take the security of information assets as seriously as they do the protection of their commercial property and their staff members.

This is because – like other more tangible resources – the data collected and stored by a firm offers a range of value-adding opportunities that are unique to the business concerned.

Understandably this makes the collection and analysis of information from a range of sources a sound investment in future development – allowing managers to gain insight into market patterns and buyer behaviour that might otherwise slip by unnoticed.

Anonymous trend data in itself can seem fairly innocuous – after all, there are no names attached and the details used will be of little use to anyone outside the industry.

However, the proprietary nature of this information – or rather the planning resources it can provide – means that it can be a target for malicious parties looking to disrupt the organisation’s developmental capacities.

When these resources are combined with client details, account numbers or contact channels, the threat posed by the loss or misappropriation of these data stores grows even more.

This is because such attentions hurt not only the planning activities normally undertaken by managers but also have the power to damage the company’s hard won reputation.

Moreover, should the details be made freely available there is a very real chance that valued customers and clients could become the unwilling targets of endless spam campaigns and social engineering attempts.

This is why it is a good idea for managers to ensure that staff members are well informed of the role they play in actively enforcing vulnerability management.

Professional security audits can go a long way towards ensuring that employees are aware of how their behaviour and routines can be tightened to ensure that breaches are less likely to occur.

In addition these professional teams are able to offer sound advice on measures that can be used to restrict unauthorised access should a gap in the defences become known – reducing the potential for damage to brand image.

When combined with other strategic moves – such as training sessions and proactive feedback initiatives – businesses are able to keep staff members informed of the role they play in managing data security while also allowing workers to contribute to the safety of proprietary information.

This engagement is perhaps the greatest measure of employee commitment – as they feel like a valuable part of a team that is working together, rather than viewing due diligence as a chore to be avoided.

What is the situation in your organisation? Have social engineering assessments, vulnerability assessments and security audits identified issues that enabled you to address risk proactively? Or has something happened that illustrated that something could have been done better?

Australian government looking for a security vote

The Australian government is considering its options in relation to the communications monitoring powers held by the Australian Security Intelligence Organisation (ASIO).

In particular, the federal body is reviewing public sentiment on a number of proposals that could force internet service providers (ISPs) to retain user details for up to two years. However, it has been decided that the data retention scheme will be put forward for public debate before it is entered into legislation. According to Chris Owen – spokesman for the federal attorney-general Nicola Roxon – a review will be held by a parliamentary joint committee to determine how the laws will be put into effect.

Mr Owen told SC Magazine on May 4: “We haven’t drafted legislation yet and we are seeking a wide view of opinion before we consider the reforms in detail.”

This move is being made nearly two years after discussions between intelligence authorities and ISPs regarding data retention, vulnerability management and the use of federal warrants.

Current plans will see the number of agencies that are able to access potentially sensitive user information reduced over time. However, greater information-sharing protocols will see information exchanged between authorities more freely than in previous years – enabling a single warrant to be used across multiple organisations.