NBlog Sept 4 - standardising ISMS data interfaces

NoticeBored - Thu, 09/03/2020 - 10:26pm

We've been chatting on the ISO27k Forum lately about using various IT systems to support ISO27k ISMSs. This morning, in response to someone saying that a particular tool which had been recommended did not work for them, Simon Day made the point that "Each organisation trying to implement an ISMS will find it’s own way based on their requirements."
Having surveyed the market for ISMS products recently, I followed-up with my usual blurb about organisations having different information risks and business situations, hence their requirements in this area are bound to differ, and in fact vary dynamically (in part because organisations mature as they gain experience with their ISMS: their needs change). The need for flexibility is why the ISO27k standards are so vague (essentially: figure out your own requirements by identifying and evaluating your information risks using the defined governance structure - the ISMS itself), rather than explicitly demanding particular security controls (as happens with PCI-DSS). ISO27k is designed to apply to any organisation. 
That thought sparked a creative idea that I've been contemplating ever since: wouldn’t it be wonderful if there was a standard for the data formats allowing us to migrate easily between IT systems supporting ISO27k ISMSs?
I’m idly thinking about a standard file format with which to specify information risks (threats, vulnerabilities, impacts and probabilities), controls, policies, procedures, metrics, objectives etc. - maybe an XML schema with specified field names and (where applicable) enumerated lists of values.
Aside from migrating between ISMS IT support systems and services, standard data formats would facilitate data sharing between application systems, services or sub-functions (e.g. for vulnerability management, incident management and information risk management), and between departments or even organisations (e.g. insurance companies, auditors and advisors and their clients and partners).
Perhaps we should develop an outline specification and propose such a standard to ISO/IEC JTC1 SC 27. A New Work Item Proposal would need sufficient details to be clear about what is being proposed and why, expanding on the requirement. Researching the topic and generating a basic draft as a starting point would ease the process of developing an ISO27k standard, so that's something else to add to my to-do list. I wonder if there are already XML schemas in this general area?
Categories: NoticeBored

NBlog Sept 3 - ISO27001 rocket fuel

NoticeBored - Thu, 09/03/2020 - 12:03am

We're on a mission to convince every organisation that managing information risks properly is more than just a compliance imperative. It's good for business.
Is your organisation looking to raise its security game? Are managers worried about ransomware, privacy breaches and intellectual property theft, especially now with so many of us working from home? 
What about the business continuity risks as supply chains are stressed to breaking point by COVID-19? Are your suppliers cutting corners on privacy and security, hoping nobody will notice? Are desperate competitors taking advantage of the disruption to undermine your cyber-defences?
Worse still, is management blissfully unaware of the issues, with everyone heads-down, rowing hard, too busy to notice the icebergs dead ahead?
... Or is there a strong drive to secure and exploit information as an integral part of operations? Does being trusted by customers and stakeholders equate to brand value, new and repeat business, opening up strategic opportunities?
This is a great opportunity to
take the first step on your mission!

We have developed a modular approach based on ISO/IEC 27001. An Information Security Management System facilitates the management of information risks, information security controls, governance and assurance arrangements and so forth, 'systematically' i.e. in a structured and coherent way.
Despite being standards, ISO27k acknowledges that each organisation needs to adapt the ISMS according to the business situation and the associated information risks. Within the same general governance structure, the specific requirements vary markedly between organisations and industries. With that in mind, we've developed a suite of materials covering the mandatory requirements for every ISMS, plus add-ons for the discretionary parts. In truth, all of them - even the mandatory ones - are templates, designed to be customised ... and we can even help you with that if you like!
Through, we offer several packages:
  • ISMS Launchpad is a minimalist set of templates for the mandatory documentation that certification auditors are likely to insist upon - the ISMS scope, SOA, RTP and others.  Start here! 
  • ISMS Take-off adds a bundle of management-level documents. An ISO27k ISMS is, after all, a management system. There are template policies, procedures, job descriptions and more, designed to inform and engage management in the ISMS. If you don't yet have the go-ahead, build on the business case and strategy papers to convince the boss. 
  • ISMS Orbit, released this week, provides templates aimed at bringing your information security and related professionals/specialists rapidly up to speed with ISO27k. These are lengthier, more detailed documents on the whole, for example an 85-page FAQ about implementing the standards, and a hyperlinked glossary of over 350 pages (basically a book!). 
  • ISMS Mission bundles all of the above, saving you 30%.
Browse the SecAware website for listings of the modules and a few samples. 
I wrote all the materials hence the whole suite is consistent, reflecting my three decades in the field, using and contributing to the ISO27k standards while working/consulting for all manner of organisations around the world. I'm confident you won't find better quality templates anywhere else ... but if you do, or if you see gaps in our coverage, please let me know. This is a new product and we are already looking to enhance it, before the ink is even dry. On the horizon I see the possibility of further templates supporting the security controls in Annex A - more policies, more procedures, more metrics, awareness content, more advice and guidance ... 
Must dash, lots to do!
Categories: NoticeBored

NBlog Aug 28 - NZ Stock Exchange DDoS continues

NoticeBored - Thu, 08/27/2020 - 11:19pm

The New Zealand Stock Exchange is having a rough week.  Under assault from a sustained DDoS attack, its web servers have crumpled and fallen in an untidy heap again today, the fourth day of embarrassing and costly disruption.
DDoS attacks are generally not sophisticated hacks but crude overloads caused by sending vast volumes of data to overwhelm the servers.  
The Host Error message above shows "RedShield" which appears to be a security service remarkably similar to a Web Application Firewall (although the company claims to be producing something far better) ...

If so, RedShield appears to be passing DDoS traffic to the stock exchange web servers which can't cope. Presumably, this particular DDoS attack does not fit the profile of the attacks that RedShield is designed to block, in other words RedShield is patently not preventing the DDoS.

I don't know whether RedShield is supposed to block DDoS traffic and is failing to do so, or if DDoS protection is simply not part of the RedShield service. Either way, it appears a DDoS attack is causing business impacts.
Whether RedShield is still working as designed to block application-level attacks is a moot point if the web servers are down ... but it is possible that the DDOS attack may be an attempt to over-stress the security systems, allowing more sophisticated hacks to leak past the weakened defences.  Hopefully, RedShield is still faithfully blocking all of them.
More likely, I suspect, this is a classic DDoS extortion: the attackers are demonstrating their power to disrupt the Stock Exchange's business, repeatedly, despite the defensive measures in place, as a way to force the Exchange to pay a ransom (probably - they are understandably reluctant to reveal the details with the spooks at GCSB actively investigating the incident).
Defences against DDoS attacks start with the basics such as network and server security, plus the policies and procedures to make sure the controls are effective in practice. Routine security monitoring and incident responses should include characterising the attack in progress, leading to active responses ranging from 'simply' disconnecting the network feeds (perhaps literally pulling the cables out) to filtering, diverting or slowing down the network traffic, ideally blocking the malicious traffic while allowing legitimate traffic to flow as normal. I'm talking about fairly conventional network security controls (mostly firewalls), albeit with sufficient throughput to cope with the onslaught. 
Almost certainly the responses would need to be coordinated with Internet service providers, internal IT service providers, and the authorities. Given the clearly disruptive impacts on the business, a crisis team would be liaising with all involved while keeping senior management and other stakeholders informed. From personal experience, this is an extremely stressful time for all involved, all the more so if there was inadequate preparation i.e. business continuity management, crisis planning, incident management exercises etc. with lashings of security awareness and training.  [If it turns out the Exchange was not, in fact, adequately prepared for this, there are governance and accountability implications for senior management. DDoS is just one of several 'real and present dangers' for any Internet connected business.] 
From there, the sky's the limit in terms of potential investment in increased server and network capacity, resilience, flexibility and redundancy, even cloud-based DDoS mitigation services such as Cloudflare and Akemai and other business continuity arrangements designed to guarantee at least a minimal level of service for essential business activities. Quite possibly these are in effect and working just fine right now, despite the apparent disruption to the Exchange's website: I have no inside track here but I'll be watching the news with interest as the incident unfolds. [Normally, I would be busy preparing a case study for security awareness purposes but since the NoticeBored service has ended, I'm spending my valuable time on Other Stuff, such as writing this very blog.]
Categories: NoticeBored

NBlog Aug 27 - creative teamwork post-lockdown

NoticeBored - Thu, 08/27/2020 - 2:07am

A couple of days ago I blogged about MURAL, just one of many creative tools supporting collaborative working. If you missed it, please catch up and contemplate about how you might use tools such as that right now for teamworking during the COVID19 lockdowns.
Today I've been thinking about 'the new normal' as the world emerges from the pandemic, inspired by the intersection of two threads.
Firstly, thanks to a Zoom session with participants and presenters from Queensland, I've been reading-up on "industry 4.0". I'm not totally au fait with it yet but as I see it the key distinguishing features are:
  • Ever-increasing automation of manufacturing, with smart devices and robotics supplementing the capabilities of both manual and knowledge workers;
  • Industrial IoT, coupling sensors and actuators on the production line with each other, allowing workers to interact with the machinery through screens and keyboards etc. and a growing  layer of automation smarts and networking;
  • Ever-increasing reliance on IT, data, analytics, systems and artificial intelligence (with implications for risk, resilience, reliability and security);
  • New capabilities, particularly in the specification and design areas - such as virtual reality simulations and rapid prototyping of jigs, machines and products by "additive manufacturing" (industrial 3D printers);
  • An increasing focus on adding value through knowledge work in research and development plus product service/support, de-emphasising the manufacturing production core activities (which, I guess, started with the off-shoring of manufacturing to low-wage economies, and is now leading to both on- and off-shore automated manufacturing);  
  • Rapid innovation and change, leading to difficulties in strategic corporate planning (with credible planning horizons falling to just a couple of years!) and personal career planning (e.g. how can workers learn to use tools and techniques that either aren't refined enough to be taught, perhaps not even invented yet?);
  • Shortages of people with the requisite skills, knowledge and adaptability, able to thrive despite the challenges and seize opportunities as they arise.

Secondly, various governance experts have been grappling with changes brought about directly and suddenly by COVID19, and what remains to be done as we collectively recognise that, thanks to dependencies, incidents can spread ripples far and wide through the extended supply networks we've built. For example, through a YouTube session, David Koenig emphasised the governance need for resiliency, implying not just a greater appreciation of supply network risks, but better quality information and stronger control of those risks. David promotes a positive view of risk, in other words boards and senior exec management deliberately taking risks where that best serves the needs of the business and its stakeholders (implying a convergence of their clear rooftop view of the rapidly changing external environment with solid management information about the situation way down in the engine room, driving the corporation towards effective and efficient achievement of its business objectives).
[Aside: where do you stand on this if you are an infosec pro? Do you accept the duality of risk and opportunity, or that the "exploitation" of information can be both illegitimate and legitimate? Do you see information risk as a business and human issue, rather than purely a technology issue? If so, you may be CISO material!]
So, this evening I'm wondering about the governance and enterprise risk management aspects of Industry 4.0. Yes there are all manner of risks associated with automation, industrial IoT, rapid innovation and change ... but at the same time there is significant potential for strong organisations that understand what they are getting into, and are both willing and able to exploit opportunities opened up, in part, by COVID19.
I'm intrigued by the possibility of small, nimbler, innovative organisations collaborating to take down the industry goliaths - the lumbering supertankers. Those creative collaborative teamworking tools I mentioned earlier could be game-changers. Being frank about it, although some SMEs will fail valiantly, they are more expendable than those misguided supertankers heading inexorably for the rocks. 
Now is the time to be bold, SME friends! Watch your ankles, goliaths! 
Categories: NoticeBored

NBlog Aug 26 - ISMS templates

NoticeBored - Tue, 08/25/2020 - 8:38pm
Systematically checking through ISO/IEC 27001:2013 for all the documentation requirements is an interesting exercise. Some documents are identified explicitly in the standard and are clearly mandatory, while many others are only noted in passing, often in ambiguous terms or merely alluded-to ... which can make it tricky to both comply with the standard and persuade the certification auditors of that.
Here's an example, one of the document templates from SecAware ISMS Launchpad:

That succinct one-pager addresses two requirements from the standard:
  • Clause 9.2 (c) says (in part) "The organisation shall plan, establish, implement and maintain an audit programme(s)" - an explicit documentation requirement that the certification auditors will definitely check for compliance;
  • Clause 9.3 says (in part) "Top management shall review the organization's information security management system at planned intervals to ensure its continuity suitability, adequacy and effectiveness." - an implicit documentation requirement that the certification auditors will probably check for compliance, and although the standard doesn't literally demand it, they may well insist on seeing written evidence that management reviews have been planned.
Those clauses lay out fairly succinctly what it means to internally audit or management review the ISMS: I have interpreted the requirements in terms of activities that might be performed quarterly over two years as shown on the schedule, with brief descriptions about the approaches to be taken ... but, as with all the SecAware materials, they are merely generic suggestions that customers are encouraged to adapt. 
Large, mature organisations with Internal Audit functions, for instance, may well engage them to plan and perform the ISMS internal audits using their conventional audit approach and whatever associated documentation they normally produce. They may prefer to audit the ISMS just once during the three year certification cycle, or conversely they may want to focus on a series of specific areas of risk and concern over successive audits, perhaps integrating the ISMS audit work with other IT, risk, cybersecurity or compliance audits.
Small organisations may feel that the absolute minimum of audits and reviews will suffice for them since they are short of resources and are already tackling all the significant issues anyway - but determining 'the absolute minimum' involves interpreting the wording of the standard very carefully, and then hoping the certification auditors accept whatever they do. 
Yesterday I completed a supplementary document template with the scopes and objectives of those audits and reviews. Today I'm developing a fill-in-the-blanks reporting template to be used for both audits and reviews: again, these are simple, generic documents, designed to be customised. Based on my experience in this area, we provide 'typical' generic templates in the hope of inspiring customers to develop whatever they need. 
Imagine yourself implementing clauses 9.2 and 9.3 of the standard in your organisation. Faced with those requirements, would you know what to do - how to go about the audits and reviews? Or would you be scratching your head, staring blankly at the screen wondering where on Earth to start? We can help with that! 
Find out more about the first two packs of SecAware ISMS templates, and keep an eye on this blog for news of the third one, currently in preparation.    
Categories: NoticeBored