WindowSecurity.com Newsletter of August 2011 Sponsored by: ManageEngine

Welcome to the WindowsSecurity.com newsletter by George Chetcuti, BSc in Computing & IS (Honors), CISA, MCP, HP Certified. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: gchetcuti@windowsecurity.com

1. Building a security entity within your organization

Internet access is a necessary evil simply because any organization would not survive without it. The very moment you connect your assets, whether they are mobile devices, desktop computers or whole setups to the Internet, you inherit a threat which needs to be mitigated. Organizations may end up with out-of-the-box setups that were overlooked or ignored during routine security checks but these low priority assets may expose the organization's other critical resources. For instance, an unprotected and unpatched Windows server or client has backdoors and can be scanned within a few hours or minutes if it is connected to the Internet. Even well planned and secure assets can pose a risk to an organization.

In an environment where security is dealt with due diligence, risks are minimized but still present. We all know that you can never achieve a 100% secure environment. Assume that your IT infrastructure is not likely to suffer from data theft, break-ins or loss of data but what if it is taken offline due to some DoS attacks or unplanned service provider  downtime? Downtime costs big money and organizations in some business sectors (such as, selling low cost items) consider availability of their online shops more vital than top-notch security!

What further steps do we need to take after securing our IT environment?

In large organizations a Computer Security Incident Response Team (CSIRT) is responsible for receiving, reviewing and responding to computer security incidents. They are full time security experts handling security incidents but in order to be proactive they need to perform additional duties such as continuous examination of incident reports for possible future threats, research studies, and implement monitoring tools. While a large organization may afford the budget to maintain a security team (or may be obliged to maintain one due to regulatory compliance), a smaller organization can either implement a cut-down version of a CSIRT with reduced functionality or outsource these services. What are the basic elements you need in place to implement such an entity?

• A clear mission statement - in large entities this would take the form of a security strategy developed with the participation of all stakeholders, however, in smaller setups the support and commitment of senior management is crucial to the success of this vision. Security operations in an organization with blurred or weak organizational structures may fail due to lack of authority. Therefore, a mission statement or declaration of intent issued by senior management is an excellent starter.
• Define a basic framework - apart from the definition of elements that make up the framework, such as policies, security classification, process flows, etc., it should include properties that allow the framework to be updated from time to time. In other words, you should build a dynamic framework that caters for changes in threat vectors and business objectives. It is a common mistake that people build a set of rules without updating them over time as new challenges emerge.
• Perform a risk assessment - analyze your environment carefully and make sure that you involve all stakeholders. A common mistake is to assess risks from the technology point of view. In many cases, systems' vulnerabilities may pose the greatest threats; however, criticality of assets should be viewed from the business point of view. Get senior management to sign-off this exercise. Remember to update your framework according to the risk assessment results!
• Implement an incident handling mechanism - whether you implement a fully fledged system or a documented manual process, the success factor is always how much users are willing to do and follow it! You should focus on a user friendly mechanism that captures the most important information artifacts. Another important process element in an incident handling system is the information manipulation capabilities such as, reporting and trend analysis.

Building a security response entity and achieving results depends on the reputation such an entity acquires as it goes along. Putting in place practical security polices, having an excellent incident handling management system and clear strategy in place does not guarantee success. The ultimate goal has to be the effective resolution of security incidents and the greatest asset in all this is training. Make sure that any security staff delegated with incidents is well trained and is able to get help from other experts. In fact, a recommended additional requisite for effective CSIRTs is to establish contacts with other teams. Support from security experts would give your entity a broader knowledge and will keep you updated with the latest trends. I suggest looking for any national entity such as, national CSIRTs that may exist in your country. Surely, the added benefits are many as such teams can provide you with the required expertise and current threats from the data collected throughout their region.

Training does not end with the security experts. End users must have their fair share as well. Security awareness programs reduce the number of incidents--and remember that small things often prevent great disasters. Security awareness programs for end users should be seen as a preventive tool, however, the end users' cooperation is a big asset when it comes to collecting evidence.

To conclude this month's newsletter I would like to recap, mentioning the most important objectives of an organization's security entity. A security entity, whether it is a formalized team such as, CSIRT or an ad hoc team such as individuals from an IT department, must be based on both reactive and proactive services. The reactive services include vulnerability handling alerts, incident and artifacts handling while the proactive include security audits and announcements, secure configurations and routine maintenance, amongst others. Additionally, if enough funds are available, I would suggest security tools such as intrusion detection, supervisory control, and data acquisition tools that would make your proactive service more complete. Security quality can be enhanced further by adding other layers to the reactive and the proactive services. These are continuous risk analysis and disaster recovery plans. When an incident scenario has a devastating effect and is considered as a major crisis then your life saver would be a well-thought BCP (Business Continuity Plan).

Should you have any ideas for content in future editions of the WindowSecurity.com newsletter or would like to ask questions, you're more than welcome to e-mail me at gchetcuti@windowsecurity.com.

See you next month! - George

2. WindowSecurity.com Articles of Interest 

• Hunt Down and Kill Malware with Sysinternals Tools (Part 1)
  
• Building a Malware Analysis Lab
  
• Applocker: Scenarios for Use and Deployment
  
• Security Issues when Connecting Computers to Cellular Networks
  
• Disk Encryption - The Next Generation (Bitlocker Administration and Monitoring)
  
  

3. Tip of the Month

Check this additional information about Security Emergency Response Teams:

• CSIRT FAQ
• FIRST Community
  

4. Latest Security Exploits and Concerns

• Social Engineering
  
• The risks and benefits of shortened URLs
  
• Password Reset Disks
  
• Spear-phish cyber attacks
  
• Monitoring Files and Folders
  
• The Rustock Botnet
  
• Cyber-war test lab!
  
  

5. Ask George a question

QUESTION:

What is a National CSIRT?

ANSWER:

As nations get more and more dependent on IT systems, the underlying technology infrastructure has become vital to the economy. Fraud may be the major cyber threat; however, there are other possible disruptions such as, organized attacks on a country's IT infrastructure, as we have seen couple of years ago! To ensure security and economic vitality, governments are legislating frameworks that manage cyber security and a National CSIRTs is one element of that framework.

A National Computer Security Incident Response Team (National CSIRT) coordinates incident management and facilitates an understanding of cyber security issues for the national community. It also provides the specific technical competence to respond to cyber incidents of national interest. An important function within a national CSIRT is the dissemination of information throughout the country's industries and other entities. They become a focal point for a national discussion on cyber security.