WindowSecurity.com Newsletter of June 2011 Sponsored by: Entrust
Welcome to the WindowsSecurity.com newsletter by George Chetcuti, BSc in Computing & IS (Honors), CISA, MCP, HP Certified. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: email@example.com
1. The Pitfalls of Security Risk Assessments
Security Risk Assessments help organizations identify and manage risks, however, continuous risk assessments help organizations establish the correct methodology for identifying and managing risks. Risks are dependent on events, specific setups and other organizational explicit elements. Apart from the legal and regulatory requirements, organizations need to make sure that their security and control infrastructure is in place and operating effectively as an added value to the services they provide. These assessments necessitate three main requirements to be successful. They need the commitment and support of senior management, the use of a holistic approach with the involvement of all stakeholders and they must be addressed from an attacker's perspective.
Who owns the assessment?
Normally, security governance is confined within the IT department and only IT staff deal with it. It is incorrectly understood that since the IT staff have the expertise and control of the business IT systems, security risk assessments involve just IT personnel and focus just on what the IT staff are or aren't doing! This may not be the case with large organizations where separate security entities exist but with SMBs we find risk assessments performed by the IT staff with no or little feedback from other departments.
The recent trends in technology have made IT systems linked, in terms of logical and physical means, to more systems than ever before and to an increasingly complex overall infrastructure. Therefore, the business data may have no boundaries and the need of a wider perspective of the business function is required. There may be valuable company assets that IT staff are not aware of but still host sensitive data. To meet today's complex requirements all stakeholders have to have an active part in security risk assessment to ensure that all aspects of the business are addressed. With the participation of all stakeholders, each and every entity within an organization can be held responsible and accountable for the data/processes they manage and own. IT staff are responsible for implementing the specific security requirements for IT systems. HR is responsible for employee security awareness training, operations for business processes while senior management must be responsible for making decisions based on accurate and combined information.
During the assessment process, technical documents are presented to the team but some members may lack an adequate level of IT knowledge. Therefore, network diagrams, systems architectures, and infrastructure layouts should have a basic version which are understandable by non-technical people. An overview picture which explains all components and interconnections will help senior management relate control mechanisms with business needs. They can identify the desired level of security protection without hindering business processes. The task of assessing vulnerabilities and control mechanisms for systems is something that IT staff would normally perform and which definitely require more detailed documentation.
One key weakness is making assumptions about where all the risks lie. To minimize this danger include a wider selection of stakeholders and enlist an external entity to help you with the exercise. Outsiders tend to the see the whole picture as they need to understand how the business operates and they will verify how each unit connects with the others. While, technical staff would normally come up with the most valid concerns they tend to miss or ignore some of the more simple issues. In addition, IT staff may have a biased opinion about the systems they manage and develop. A good practice to overcome this problem is to use checklists as a guideline.
A security risk assessment may be a yearly event but the policy should be dynamic and adaptable to the changing requirements. Threats and vulnerabilities would not wait for next year's assessment and as such the policy framework should cater for the possibility of new risks. It should allow for changes in the set procedures and controls with the approval of senior management. It should include a control flag that notifies a responsible person when business requirements change and there is a need to review some mechanisms. In summary, the goal is to achieve a framework that supports continuous auditing of all critical assets and their respective security measures.
Security Risk Assessments require a collective effort from all stakeholders and this translates to finding the right time to get them around the same table. A senior executive has to take responsibility for announcing the importance of a risk assessment and for requesting the participation of all stakeholders.
Should you have any ideas for content in future editions of the WindowSecurity.com newsletter or would like to ask questions, you're more than welcome to e-mail me at firstname.lastname@example.org.
See you next month! - George
2. WindowSecurity.com Articles of Interest
3. Tip of the Month
Five simple steps to remind you how to secure your computer system
4. Latest Security Exploits and Concerns
5. Ask George a question
This month, I would like to share with you a typical email scam based on the Nigerian chain letter, see below:
SouthEast Asia Regional Headquarters,
I am Abdul Rahim Bin Ibrahim. I am auditor General of Western Union, Malaysia. I have only been recently appointed and transferred from Brunei. On commencement of my duties here, I discovered a pending transfer of US$698,000.00 (Six Hundred and Ninety-Eight Thousand United States Dollars) in the system.
I promptly informed the Malaysian Government and it was agreed that the funds be refunded to either the Sender or the initial Receiver. I intend to input your name as the initial Receiver.
I am contacting you to come across with names which you could use to receive $9,820 daily/ weekly until money is cleared from the system. It is very important that you respond urgently. In case you are wondering, I got your email off an internet index.
I have the M.T.C.N numbers on my desk right now as I send this mail, the government has permitted me to ensure that all the money must be transferred as soon as possible to the receiver.
Please send me the following information;
This scam was received on the 14th of June 2011and was emailed from a fake source - Western Union Pay-Out Office email@example.com to a group address firstname.lastname@example.org which includes my WindowSecurity.com email address. Actually, I am part of the target audience as this email address is publicly available. There are so many eye-opener elements in this scam and I hope that most of you are aware of them but I would like to point out that the message starts by asking basic not-so-confidential information about you so that you may be tempted to reply; simply don't!