Issue 18 of The ISO 27000 Newsletter Released

Discussion in 'Computer Security' started by Sue Thomas, May 15, 2008.


    Welcome to Issue 18 of The ISO 27000 Newsletter, designed to provide
    news and background with respect to the ISO security standards. The
    information provided is totally free to our subscribers and offers
    guidance on practical issues and commentary on recent developments.

    Covered in this issue are the following topics:

    1) Obtaining the ISO 27001 and ISO 27002 Standards
    2) Security Awareness Programs (ISO27002 8.2.2)
    3) Website Hackers: Why?
    4) Third Party Service Delivery Management
    5) More ISO 17799/27001 Frequently Asked Questions
    6) Trials and Tribulations of an Information Security Officer Part 2
    7) Information Security News
    8) Critical Success Factors (ISO 27002)
    9) Disposing of Equipment (ISO 27002 Section 9)
    10) Implementing A COBIT Compliance Initiative
    11) ISO 27000: The World Wide Phenomenon
    12) ISO 27001/2: Common Mistakes Part 2
    13) ISO 27000 Related Definitions and Terms
    14) It Couldn't Happen Here, Could It?

    Appendix: Subscription Information


    Obtaining ISO 27001 And ISO 27002
    =================================

    The most frequent question we receive is "Where can I obtain a copy of
    the standards?" The standards themselves are available from:

    http://17799.cryptovb.com
    This is the web site for the ISO 27000 Toolkit. This download support
    package includes both ISO 27001 and ISO 27002, and was created to help
    those taking the first steps towards addressing the standards. It
    includes both of the standards, audit checklists, a roadmap, a set of
    ISO compliant security policies, and a range of other materials.

    http://17799.standardsdirect.org
    This is the BSI Online Standards Shop, a vending site for instant
    downloadable copies.


    Security Awareness Programs
    ===========================

    The importance of awareness (ISO 27002 8.2.2) is not something that
    can be over-emphasized. It is a critical component of your
    organization's security. However, it is also an area which is often
    taken for granted, or simply not given anything like appropriate
    emphasis.

    Often, serious breaches can be traced back to sheer ignorance, or lack
    of understanding, by one or more internal personnel. This picture
    emerges time and time again, yet time and time again little or no
    thought is given to improving awareness through training or other
    initiatives.

    The most effective programs involve both short formal training
    sessions, and an ongoing plan. The following list of possible
    initiatives should hopefully stimulate some ideas on how to approach
    this essential topic within your own organization:

    - A Security Newsletter, which can include both news and information
    in a topical context (please feel free to extract from this
    publication).
    - Cheap gifts, such as pens, key fobs, and coffee mugs bearing a
    security message (this is actually quite effective).
    - A 'Roadshow' in which security personnel regularly give
    presentations to senior management and staff on current issues.
    - A security DVD (assuming adequate budget).
    - A Screen Saver bearing security related messages.
    - If your organization produces internal courses on other topics, make
    sure that the security angle is covered.
    - Posters should be used and replaced often.
    - Competitions are often effective, for example, security crosswords,
    puzzles and problems.

    Whichever route you take, building security awareness into your
    organization's culture is a must.


    Website Hackers: Why?
    =====================

    Defacement of company websites by 'hackers' and others is a constant
    threat. Even the largest and most security conscious of organizations
    have experienced problems in this respect. But why do they do it?
    What is the most common motive?

    The Zone-H monitoring portal performed some research on this via what
    is probably the largest poll ever undertaken. They reported the
    following as the major motives:

    Just for fun: 35%
    No reason specified: 19.2%
    Pride: quest to be the "best defacer": 12.5%
    For a challenge: 11.7%
    Patriotism: 10.5%
    Other political reasons: 9.2%
    Revenge against the particular website: 1.9%

    The other disturbing aspect is the numeric dimension: this is not just
    a handful of individuals, but many thousands across the world.

    If your corporate website is therefore of significant importance to
    the organization, defending it is not something that can just be left
    to a hosting provider. It should be treated as any other security
    sensitive production system, with protection commensurate with risk
    and potential business impact.


    Third Party Service Delivery Management
    =======================================

    ISO/IEC 27002 provides specific guidance on the implementation and
    maintenance of information security for organizations who receive
    third party service delivery. It stipulates that third party service
    agreements should be regularly checked, and compliance monitored.

    Agreed security levels must be maintained by the third party covering
    specific service definitions and all critical aspects of the service
    managed. Where there are outsourcing arrangements, within periods of
    service interruption, the organization should ensure that security is
    maintained throughout this period. The organization should also
    ensure that the third party has suitable business continuity and
    disaster recovery procedures in place to meet agreed levels of
    continuity of service delivery.

    There should be regular formal monitoring of services delivered and
    delivery performance. Reports and records provided by the third party
    should be regularly reviewed, and audited. These procedures should
    ensure that the information security terms and conditions of the
    agreements are being adhered to in practice.

    Specifically, it is important to create a regime which includes the
    following:

    • service performance levels regularly monitored to check compliance
    with the agreements;
    • service reports discussed at regular progress meetings as dictated
    by the agreements;
    • information security incidents fully recorded and actions taken
    included in a subsequent report;
    • regular scanning and checking of audit trails, records of incidents,
    operational problems, performance deficiencies, and fault
    resolutions.

    In summary, the old adage "You can outsource services, but you can't
    outsource responsibility" applies to most third party service
    situations. It is an important message, particularly with respect to
    information security.


    More ISO 17799/27001 Frequently Asked Questions
    ===============================================

    1) How Does Risk Analysis/Assessment Relate to the Standards?
    The next issue of this newsletter will focus primarily on risk issues.
    Don't miss it!

    2) What is ISO 27799?
    This is a version of ISO 27002 (formerly known as ISO 17799) created
    specifically for the health sector.

    3) What is the Certification Process for ISO 27001?
    As might be expected, it isn't trivial. The most straightforward
    certification route map we have found is the diagram on the following
    web page:
    http://www.27000.org/ismsprocess.htm

    4) Can I republish articles from the ISO27000 Newsletter (internally
    or externally)?
    Yes, subject to a link to our website (www.molemag.net).

    5) Where Do Security Policies Fit Into The Equation?
    Security policies are a critical part of your organization's security
    profile, and are often the major interface between staff and security
    matters. It is essential that they exist and are up to date.

    Regarding ISO 27002, some organizations view them as the bridge
    between this standard and employees: in some respects, a partial
    interpretation of the standard, customized and in plain English. This
    is why the policies included in the ISO 27000 Toolkit (see above)
    contain a tag aligning them with the appropriate part of the standard
    itself.

    6) How many organizations are now Certified?
    These numbers are always approximate, as the certification bodies are
    diverse, but the latest estimates are that over 4,000 certificates
    have been issued.



    Trials and Tribulations of a Part-Time Information Security Officer –
    Part 2
    =====================================================================

    After the embarrassing incident last week in which a confidential
    management document was accessed on the network by employees who
    unfortunately (for the personnel department management that is)
    learned prematurely about their own impending redundancies, the
    Whithertech management have decided to start an information
    classification project urgently. As the part-time Information
    Security Officer the organization of this task apparently falls to
    me. Fortunately, my Information Security Manual contains some useful
    suggestions on how to proceed with this project, together with a
    number of templates that we can adapt for our use.

    The first part of the project involves setting up some suitable
    classification levels for confidentiality and ownership and then
    applying them to the documents that are produced throughout the
    organization. I have learnt recently that this is an important part
    of information security as it supports the control over sensitive data
    and helps to prevent unauthorized access to key information. My first
    task was to call a meeting of all the department heads to thrash out
    how it was going to work.

    The meeting was pretty well attended considering it was being held on
    a Friday evening. I suppose that was probably a reaction to the CEO’s
    undisguised anger. Some of those present at the meeting felt that the
    significant levels of additional work were unnecessary and that it was
    all a bit of a knee-jerk reaction, but I think most saw immediately
    the benefits of getting better control over sensitive information. I
    presented an overview of what the project would entail and we got down
    to a detailed discussion on the classification levels that would be
    adopted. We eventually decided that the following five levels would be
    suitable for Whithertech:

    1. Top Secret: Highly sensitive internal documents.
    2. Highly Confidential: Information which is considered critical to
    the organization's ongoing operations and could seriously impede them
    if made public or shared internally.
    3. Proprietary: Information that is normally for proprietary use by
    authorized personnel only.
    4. Internal Use Only: Information not approved for general circulation
    outside the organization where its disclosure would inconvenience the
    organization or management, but is unlikely to result in financial
    loss or serious damage to credibility.
    5. Public Documents: Information in the public domain.

    This was considered to be a good first step for the project and I was
    charged with the task of providing a proper description for each
    proposed classification level. The next meeting will be on Wednesday
    morning and I was also asked to come up with some suggestions for
    establishing information ownership criteria and for labeling of
    information in time for this meeting. This was not actually too
    onerous a set of tasks as I already have some boilerplate texts.

    I will let you know how the project progresses in due course.


    Related Information: The Security Officer’s Manual http://www.security-manual.com


    Information Security News
    =========================

    1) 2008 On Track For Security Breach Record
    The Identity Theft Resource Center (http://www.idtheftcenter.org)
    reports that in the first three months of 2008, the number of data
    breaches more than doubled over the same period in 2007. A rise in
    insider thefts, particularly within the business community, is also
    reported.

    2) Internet Crime Rises Too
    In a similar vein, IC3 (http://www.ic3.gov/media/annualreports.aspx)
    reports that internet-related criminal activities resulted in nearly
    $240 million in reported losses last year, up $40 million from 2006.
    Auction fraud was the most widely reported criminal activity referred
    to law enforcement agencies.

    3) FTC Settles With Reed Elsevier and Seisint
    The US Federal Trade Commission (http://www.ftc.gov) has announced a
    settlement with data brokers Reed Elsevier and Seisint on charges that
    they failed to provide 'reasonable and appropriate security' for
    sensitive consumer information. The FTC alleged that Reed Elsevier,
    through its LexisNexis data broker business, and Seisint allowed
    customers to use easy-to-guess passwords to access Seisint's Accurint
    databases, which contained sensitive consumer information. The FTC
    stated that identity thieves exploited these security failures to
    access the information of at least 316,000 consumers.

    4) 4.2 million Card Numbers Stolen
    The Hannaford Bros grocery store chain has disclosed that hackers have
    stolen 4.2 million debit and credit card numbers from its computer
    systems. The thefts occurred whilst the cards were being verified for
    purchase.

    5) Smart Phone Attack (WinCE/InfoJack Trojan)
    Researchers at Sophos (http://www.sophos.com) and McAfee
    (http://www.mcafee.com) have discovered a trojan that attacks the
    Windows Mobile smartphone platform. The devices become infected with
    the trojan, which is bundled in an apparently legitimate package of
    applications, when a user visits one of several websites in China. It
    then lowers the security settings on the device so that it accepts
    unsigned programs.

    6) 419 Scammers Plead Guilty
    Three men have pleaded guilty in New York to running 419 spam schemes
    via email. A fourth defendant fled to Nigeria, where he is being held
    pending extradition to the US. They are understood to have made more
    than $1.2 million, according to the Justice Department (DOJ).
    Sentencing is pending.

    7) More Website Breaches
    Two of the most popular websites (Expedia.com and Rhapsody.com) have
    recently been compromised by malicious banner advertisements designed
    to deliver malware. According to Trend Micro
    (http://www.trendmicro.com), the adverts utilized Flash software.


    Critical Success Factors
    ========================

    The question of which factors are considered most critical when
    implementing the ISO 27001 standard, particularly with respect to ISO
    27002 (ex-17799), is one which is raised frequently. However, guidance
    on this is actually provided within the standard itself, which
    indicates that these are:

    - security policy, objectives and activities that properly reflect
    business objectives
    - clear management commitment and support
    - proper distribution and guidance on security policy to all employees
    and contractors
    - effective 'marketing' of security to employees (including managers)
    - provision of adequate education and training
    - a sound understanding of security risk analysis, risk management and
    security requirements
    - an approach to security implementation which is consistent with the
    organization's own culture
    - a balanced and comprehensive measurement system to evaluate
    performance in IS management and feedback suggestions for improvement

    These of course are all basic and very sensible measures... but it is
    amazing how many organizations fall short on many of them.

    How do you measure up?


    Disposing of Equipment
    ======================

    Disposing of unwanted equipment brings with it a number of potential
    security issues:

    - Legacy data from old systems can still remain accessible and thus
    compromise the confidentiality of information.
    - Old media can still have data in situ unless degaussed or securely
    erased.
    - The disposal of old equipment can prevent the restoration of its
    associated data files on which you may be relying.
    - Inadequate planning for the disposal and upgrade of entire systems
    can threaten business continuity and result in severe loss.
    - Equipment used periodically but infrequently may be disposed of
    accidentally.
    - During the legitimate disposal of unwanted equipment other items can
    be 'lost' or stolen.

    Why are we highlighting this issue again at this point? Because we
    have just heard of a significant breach disclosing sensitive data at a
    major international corporation. It DOES happen, more frequently than
    most realize.

    If you haven't got one in place, a high level policy might be
    something along the lines of: "Equipment owned and/or used by the
    organization should only be disposed of in accordance with approved
    procedures including independent verification that the relevant
    security risks have been mitigated".

    The topic is dealt with largely in ISO 27002 Section 9.


    Implementing A COBIT Compliance Initiative
    ==========================================

    Through its COBIT framework, ISACA is one of the leading
    internationally accepted producers of guidance materials for IT
    governance. COBIT provides comprehensive controls and guidance
    covering each key stage of the IT process, with the Control-IT Toolkit
    (CITT) providing invaluable implementation support for these controls
    as well as simplifying the process.

    The first stage in checking compliance is "scoring" your existing IT
    control processes to see how closely they comply with the guidelines
    and standards. The Audit Compliance module of the CITT assists with
    this task by providing a list of COBIT based control areas which must
    be measured for compliance. Each topic can be weighted according to
    your management’s views on the relative importance of a particular
    control point to your organization's security and overall well being.
    As well as providing a "scoring" method for measuring compliance with
    each control policy, the module also provides information and
    calculations on each control domain and the overall compliance level
    for the organization.

    The second task is to set a target for the required level of
    compliance to be achieved in the future, and consider the resources,
    timeframe and costs of achieving that level of compliance. It is not
    feasible for all organizations to achieve overall compliance levels of
    5 (in a 0 – 5 measurement) as the costs and resources required would
    very likely be prohibitive. It is for management to decide on an
    acceptable level of security and control commensurate with the risks
    and costs of providing additional safeguards.

    Each topic is to be "scored" within a range of "0 to 5" to reflect the
    level of assessed compliance of the topic and this "scoring" will
    result in each section automatically calculating a "score" for that
    section including use of the weighting factor for that topic. In
    addition, the "score" for each Domain will be automatically updated
    using the weighted "scores" for each section. Although implementation
    of full COBIT compliance is a fairly complex process, use of the CITT
    Templates will make the task significantly more manageable.
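    The weighted 0 to 5 scoring scheme described above, worked through as
    an added example (this is illustrative code written for this article,
    not part of the CITT or any ISACA material; the topic names, weights
    and scores are constructed sample data, and the domain-level gap and
    priority functions are assumptions about how one might use the
    scores to plan towards a target level):

```python
"""Hierarchical weighted compliance scoring in the style described above.

Each topic is scored 0..5 and carries a management-assigned weight.
A section's score is the weighted mean of its topics, a domain's score
the weighted mean of its sections, and the overall score the weighted
mean of the domains. All names, weights and scores below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


def weighted_mean(pairs: list[tuple[float, float]]) -> float:
    """Weighted mean of (value, weight) pairs; weights must sum to > 0."""
    total_weight = sum(w for _, w in pairs)
    if total_weight <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(v * w for v, w in pairs) / total_weight


@dataclass
class Topic:
    name: str
    score: int     # assessed compliance level: 0 (none) .. 5 (optimised)
    weight: float  # relative importance assigned by management, > 0

    def __post_init__(self) -> None:
        if not 0 <= self.score <= 5:
            raise ValueError(f"{self.name}: score must be 0..5, got {self.score}")
        if self.weight <= 0:
            raise ValueError(f"{self.name}: weight must be positive")


@dataclass
class Section:
    name: str
    topics: list[Topic]
    weight: float = 1.0  # weight of this section within its domain

    def score(self) -> float:
        return weighted_mean([(t.score, t.weight) for t in self.topics])


@dataclass
class Domain:
    name: str
    sections: list[Section]
    weight: float = 1.0  # weight of this domain in the overall score

    def score(self) -> float:
        return weighted_mean([(s.score(), s.weight) for s in self.sections])


def overall_score(domains: list[Domain]) -> float:
    return weighted_mean([(d.score(), d.weight) for d in domains])


def domain_gaps(domains: list[Domain], target: float) -> list[tuple[str, float, float]]:
    """(domain, current score, shortfall against the target level) per domain."""
    return [(d.name, d.score(), max(0.0, target - d.score())) for d in domains]


def priorities(domains: list[Domain], target: float) -> list[tuple[str, float]]:
    """Topics below target, ranked by weight x shortfall (largest first).

    Hypothetical helper: a simple way to decide where remediation effort
    buys the most weighted compliance.
    """
    ranked = []
    for d in domains:
        for s in d.sections:
            for t in s.topics:
                if t.score < target:
                    ranked.append((t.name, t.weight * (target - t.score)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample assessment (not real COBIT control text).
SAMPLE_DOMAINS = [
    Domain("Plan and Organise", [
        Section("IT strategy", [Topic("Strategic IT plan", 3, 2.0),
                                Topic("Risk assessment", 1, 3.0)]),
        Section("Policies", [Topic("Security policy", 4, 1.0)]),
    ]),
    Domain("Deliver and Support", [
        Section("Access control", [Topic("Access management", 2, 2.0),
                                   Topic("Physical security", 5, 1.0)], weight=2.0),
        Section("Continuity", [Topic("Disaster recovery plan", 0, 2.0)], weight=1.0),
    ], weight=1.5),
]

if __name__ == "__main__":
    for name, score, gap in domain_gaps(SAMPLE_DOMAINS, target=4):
        print(f"{name:20s} score={score:.2f} gap={gap:.2f}")
    print(f"overall: {overall_score(SAMPLE_DOMAINS):.2f}")
    for name, impact in priorities(SAMPLE_DOMAINS, target=4):
        print(f"  fix first: {name} (weighted shortfall {impact:.1f})")
```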

    More Information:
    COBIT CITT - http://citt.privacyresources.org
    ISACA - http://www.isaca.org


    ISO 27000: The World Wide Phenomenon
    ====================================

    Our source list for recent purchases of the standards always proves to
    be a popular talking point. The most recent thousand or two is as
    follows:

    Argentina 6
    Australia 27
    Austria 7
    Barbados 2
    Belgium 16
    Bermuda 1
    Bosnia and Herzegovina 1
    Brasil 29
    Canada 144
    Cayman Islands 1
    Chile 4
    China 25
    Colombia 11
    Costa Rica 1
    Croatia 2
    Cyprus 1
    Denmark 17
    Egypt 1
    Estonia 1
    France 22
    Germany 75
    Gibraltar 1
    Greece 6
    Hong Kong 15
    Hungary 4
    Iceland 1
    India 56
    Indonesia 5
    Ireland 21
    Israel 1
    Italy 33
    Jamaica 1
    Japan 39
    Jordan 1
    Korea 3
    Lebanon 1
    Luxembourg 1
    Malaysia 27
    Malta 1
    México 26
    Netherlands 63
    New Zealand 9
    Norway 7
    Panama 1
    Peru 1
    Philippines 11
    Poland 10
    Portugal 7
    R.O.C. 1
    Romania 3
    Russia 15
    Saudi Arabia 22
    Singapore 23
    Slovak Republic 1
    Slovenia 1
    South Africa 33
    Spain 33
    Sultanate of Oman 1
    Sweden 19
    Switzerland 71
    Taiwan 3
    Thailand 1
    Tunisia 1
    Turkey 12
    UK 394
    United Arab Emirates 21
    USA 618
    Venezuela 1

    The normal health warnings apply: these are sales through an online
    credit card store, so those cultures that are less familiar with this
    type of commerce will be under represented.


    ISO 27001/2: Common Mistakes Part 2
    ===================================

    David Watson was one of the earliest exponents of the standards, and
    is one of the most well known industry figures. In the second of this
    series of articles for the ISO 27000 Newsletter he outlines some of
    the most common errors and mistakes he has encountered over the years:

    PERSONNEL SECURITY

    - There are rarely up to date job descriptions. If they do exist, they
    seldom have any information security requirements in them for all
    staff;

    - Generally, little advice exists on reporting security incidents;

    - Rarely are references checked properly - including for ‘sensitive’
    positions;

    - I have yet to see a Contractor's or a Consultant's references checked
    to prove that they actually hold the qualifications claimed. This can
    allow all sorts of charlatans and criminals into your organization.
    Lying on your CV in the UK is a criminal offence [e.g. Shrewsbury and
    Telford Hospitals NHS Trust case (up to 5 years in jail for 'Pecuniary
    Advantage by Deception'). S16 of the Theft Act 1968 defines this as
    'Being given an opportunity to earn remuneration or greater
    remuneration in an office or employment (e.g. where D lies about his
    qualifications and secures a job as a result, the job is the pecuniary
    advantage obtained by deception)'];

    - There is frequently no process for HR checking of Third Parties or
    Contractors;

    - Contracts often do not afford adequate protection for the
    organization;

    - Confidentiality agreements are rarely used by the organization and
    are not centrally recorded. Staff signing Confidentiality Agreements
    or Non Disclosure Agreements (NDAs) often do not understand what they
    are signing.


    SECURITY ORGANIZATION

    - Often, no-one is tasked with the job of monitoring security
    regularly. This is frequently a part-time job for someone in IT who
    gets pulled off it to do project work elsewhere;

    - Sometimes no security awareness or training is undertaken for staff
    or third parties working for the organization. Some HR departments
    will not touch anything to do with Consultants, Contractors or other
    third parties;

    - Too often the Information Security Manager is an IT person who
    reports to the IT Department with no ability to go direct to the
    board. In effect, they are reporting on the people they are reporting
    to. The chances of serious issues getting escalated in this setup are
    slim, to say the least, unless it is so catastrophic it cannot be
    hidden;

    - Outsource the problem – often with disastrous consequences. There
    are numerous scare stories in the press about outsourcing, but few
    organizations either monitor or manage outsourced contracts
    appropriately. There are some good contractual and outsourcing
    controls in A.4.2.2 and A.4.3.1 - even if I say so myself – these were
    carried forward from the 1999 version;

    - Too little outside contact with similar minded professionals or
    exchange of views with other security professionals is enabled;

    - I sometimes encounter a wholly ineffectual Information Security
    Forum that either rarely meets, has the wrong level of staff attending,
    has whole business areas that do not/will not get involved, does not
    have the authority to alert the Board, and maintains no minutes of
    meetings to show issues carried forward and resolved.


    SYSTEM DEVELOPMENT AND MAINTENANCE

    - There is often claimed to be no development or maintenance – but on
    researching this it is often found not to be the case;

    - Few standards are made available and implemented for development or
    change management;

    - Testing is often omitted – there is sometimes a ‘fix on fail’
    mentality as someone in Marketing (for example) has promised the
    delivery without consulting the Development Team. Some cynics would
    say that this is why Microsoft has a beta testing program, but I could
    not possibly comment;

    - Source code is sometimes accessible from live systems;

    - Little segregation of duties or development/testing/production
    environment;

    - Often ‘real’ data is used for testing that could divulge either
    recent corporate data or personal data in breach of Data Protection
    legislation. This is often not properly protected during use or at
    disposal. Typically access control is less well implemented on
    development or test systems than it is on ‘live’ or ‘production’
    systems;

    - On projects I sometimes find little (or out of date) documentation
    and that none of the current staff were present when the project
    started. This makes it impossible to determine how security was to be
    addressed in the project, if at all.




    ISO 27000 Related Definitions and Terms
    =======================================

    In this edition of the ISO 27000 Newsletter we look at further
    definitions and terms related to ISO 27001 and ISO 27002 that commence
    with the letter “B”.

    Bespoke
    In the same way as this term means ‘made to measure’ in clothing, it
    is used generally to describe software which has been written/
    developed specifically for one organization. Bespoke differs from
    customized in that customization usually refers to modification of
    existing software rather than starting from scratch.

    Beta Software
    Term used to describe software which is almost fully developed but not
    yet quite ready for release to the market, or internal users. The
    Beta version of the software is preceded by the alpha version. Beta
    versions of commercial programs are often made available to consumers
    at attractive prices on the basis that there are numerous bugs still
    to be sorted out, and the first batches of users to install the
    product are, effectively, taking part in an enormous acceptance
    testing program. The developer will take note of the findings and
    comments made by Beta users to incorporate modifications, fixes,
    patches, etc., in the version which is finally released. Beta versions
    of software, whether purchased or developed in-house, should not be
    installed on live systems and should never be used for mission
    critical processes.

    Binders
    Binders are programs that allow hackers to ‘bind’ two or more programs
    together to result in a single .EXE file. These may be useful tools
    but they easily allow a hacker with malicious intent to insert Trojan
    executables into harmless .EXE animations, e-greetings and other .EXEs
    that are commonly passed around as e-mail attachments. The only way
    to stop an executable from harming your PC is to run it in a proactive
    ‘sandbox’ environment and monitor its behavior for malicious activity
    in real-time.

    Biometric Access Controls
    Security Access control systems which authenticate (verify the
    identity of) users by means of physical characteristics (e.g. face,
    fingerprints, voice, or retina pattern.).

    BIOS
    BIOS is the Basic Input/Output System of a personal computer. The BIOS
    contains the code which results in the loading (booting) of a
    computer’s operating system, e.g. Microsoft Windows®. The BIOS also
    controls the flow of data to/from the operating system and peripheral
    devices, such as printer, hard disk, keyboard and mouse.

    Bitloss
    Loss of data bits during a transmission. Such losses are usually self
    evident when the incoming file is reviewed, but, occasionally the loss
    is such that it goes unnoticed. Bit loss can be counteracted by use
    of control totals.

    BMUS
    Beam Me Up, Scotty. From the original Star Trek series, now used as a
    plea for help by any techie in a tight spot. Also the source of the
    term ‘Beam’.



    It Couldn't Happen Here, Could It? True Stories:
    ===============================================

    THE SLOPPY SECURITY OFFICER

    A security Officer working for one of the biggest corporations in the
    world was slightly concerned when he noticed that from time to time
    the "Time of last login" to the mainframe system did not always
    correlate with his last activity. He was not, however, concerned
    enough to do anything about it... until on one day, he could not login
    because he was apparently already logged in. Panic ensued. Full
    paranoia mode quickly followed.

    The last activity warnings suddenly fell into place. He reasoned that
    he was being monitored by someone, and working in security, that
    'someone' must be a person perpetrating an attack, and making sure
    that they were not being detected by him. He had been working on
    several sensitive cases recently... this must be serious!

    He escalated instantly, to try to catch the perpetrator whilst still
    logged in. The management bought his assumptions and invoked emergency
    procedures, closing non-critical systems (at cost) and creating a
    'bridge' to investigate the actions and location of the perpetrator
    'live' (Operations, Security and Audit management were paged to
    attend).

    They traced the perpetrator's precise location: internal... Database
    Administration... Terminal c25k2. This was a team with live database
    access, and there had been some costly database issues recently. So
    off they went, mob handed, to c25k2.

    The 'perpetrator' was taken completely by surprise, to say the least.
    He did a great job in protesting his bewilderment, claiming he was
    logged on as HIMSELF and had no idea what was going on. But looking at
    the terminal, he was clearly logged in as the Security Officer.

    Then, suddenly, the Auditor spotted his name on the ID block on his
    desk. He had the same initials as the Security Officer. It surely
    couldn't be... could it?

    He asked him for his username and password. Username = cmmjs2, CMM was
    the project code, with JS being his initials. The last character was
    #2 because on this system JS1 had already been taken (by the Security
    Officer of course).

    Password? "October2006".

    Auditor to Security Officer: "And your password is October2006 too,
    isn't it?".

    Bingo - case solved. The Database Administrator usually used cmmjs1,
    but couldn't on this system, and so used cmmjs2 instead. However, he
    sometimes forgot and went into auto-pilot during login, thus finding
    himself logging in to someone else's account. When he noticed, he just
    logged off.

    Apart from everyone's time, the losses from this incident stemmed from
    closure of some production systems for a couple of hours. Another loss
    was the total loss of credibility of the specific Security Officer in
    question, who was also "spoken to by senior management".

    The incident did also demonstrate starkly:
    - appalling security awareness by staff with respect to password
    constructs
    - a lack of proper procedures for emergency management and escalation
    - a culture of "rules only apply to them" within the security area,
    and a general sloppiness within.

    They were lucky. It could have been much much worse.




    CONTRIBUTIONS
    =============
    Have you got something to say on the standards, or a fresh insight or
    some information which might benefit others? If so, please feel free
    to submit your contribution to us. Sponsors are also welcome.


    NEWSLETTER REMINDER
    ===================

    We hope that you have found this issue to be informative and useful.
    Subscription is entirely free (although 'opt-in' only). Please feel
    free to pass this copy on to your friends and colleagues. If your
    friends or colleagues wish to receive the newsletter directly, they
    should simply send an email to: with a title of
    'subscribe'.



    Finally, the publishers accept no liability or responsibility for
    errors or omissions in this newsletter. This also applies to any loss
    or damage caused, arising directly or indirectly, by the use of or
    reliance on the information contained within.


    ISO 27001 and 27002 Newsletter
    http://www.molemag.net