Recently in Audit Category


Money for Data


As Gordon Smith of Canaudit Inc. pointed out this week, "What do hackers want? They want your data." They go to great lengths not only to obtain your data but to correlate it, which makes it even more valuable to their clients.

Last year we posted an article published by the German online news service wiwo.de on a sting operation involving the correlated information of millions of consumers being offered for sale, data that may have come in part from well-known back doors into corporate customer data.

Today it was reported that Deutsche Telekom finds itself in the middle of a scandal, accused of giving the mobile phone retailer The Phone House access to data on 16 million T-Mobile Germany customers, according to the wiwo.de report "Deutsche Telekom: violation of the law, by secret agreements?"

As the recent attacks on Google and Intel have shown, no matter how well your infrastructure is secured you can become the target of an attack that may have been in planning for some time, or of someone waiting for an undisclosed (zero-day) vulnerability that gives them access to trust relationships.


Who has access to your personnel information, and what information is exposed by their browsers and file shares? As Gordon points out in his article, it may be as simple as someone bringing in a laptop that has Internet access, or wireless scans from your lobby or elevators.


According to IT World Canada:
A Microsoft-employed forum moderator had other advice. "For the people who installed [the update but] cannot start the computer normally, it is better to wait for the next stability and reliability update," said Arthur Li on Feb. 1. "Since there are thousands of different hardware and software configurations, it is hard for Microsoft to test the updates on all the different hardware and software configurations."

Microsoft Support


If there is one thing that makes everyone nervous, it is the instability of a new operating system being deployed in the enterprise; with IE having control issues, there is a concern that the OS will also have stability problems.



netForensics will be at HP Universe in Hamburg, Germany this week.

From December 16th through the 18th at HP Universe 2009 we will be showing how our Information Security Management tools integrate with HP uCMDB and HP Operations Center Management. IT enterprise frameworks, including the OGC's ITIL v3 and ISACA's COBIT 4.1, call for Information Security Management, Change Management, and Service Asset and Configuration Management processes to be implemented across the ITIL Service Lifecycle, from Service Strategy through Service Design, Service Transition and Service Operation.

nFX SIM One allows Information Security Management and Operations Management to be closely aligned throughout the Service Lifecycle. By integrating HP uCMDB, HP Operations Manager (OVO) and Information Security Management (SIEM) tools, organizations gain a common view of the relationships between hosts, host resources and applications, together with an automatic change history. This gives organizations a common view of the Service Design and its control environment, allowing Information Security Management to create effective event correlation scenarios based on the enterprise framework and business processes, which in turn provides effective event management and incident management.

HP UNIVERSE HAMBURG GERMANY 2009



The mission and function of the task force will be to advise the Attorney General on the investigation and prosecution of cases of bank, mortgage, loan and lending fraud; securities and commodities fraud; mail and wire fraud; retirement fraud; tax crimes; false claims; unfair competition; discrimination; and other financial crimes and violations.

Federal Register Executive Order 13519--Establishment of the Financial Fraud Enforcement Task Force

Bankinfosecurity.com's article outlines the comments made by the Attorney General's Office:

"That the nation faces unprecedented challenges in responding to the financial crisis that has gripped the economy for the past year. Mortgage, securities and corporate fraud schemes have eroded the public's confidence in the nation's financial markets and have led to a growing sentiment that Wall Street does not play by the same rules as Main Street."

In the recent Brazilian power outage events, even an implied weakness in the controls of critical infrastructure could be used to destabilize the financial markets by subverting the controls involved in financial trading. There have been conflicting reports about whether the outage was caused by an attack on the control systems of its dams. Employees and contractors of the system complained that their pay checks and statements had been modified to include a message from the attackers.

With all of this talk on financial fraud and critical infrastructure vulnerabilities, I could not help but be reminded of the 1983 movie Superman III, where Robert Vaughn's character cites "Computers rule the world today and the fellow that rules the computer, rules the world," and Richard Pryor hacks into secret defense systems to ruin the coffee crop for the next 5 years (Superman III: Tornado Scene).

While it may all seem tongue in cheek and somewhat unrealistic, the simultaneous collapse of the financial markets due to fraudulent transactions, combined with the failure of major SCADA systems, would have a serious effect on a nation's stability. In 2002 the U.S. Naval War College conducted a study that concluded it would probably take about 5 years and cost about 290 million dollars to plan a significant electronic attack.

Digital Steganography: The advantage of steganography over cryptography alone is that messages do not attract attention to themselves.

Infosectoday's article "Digital Steganography: Threat or Hype?" by James E. Wingate, in summary: use of steganography will never be detected if no one ever looks for it.

Oct 24, 2008 - Futures halted as trading enters `panic mode` The Financial Post


Microsoft Baseline Security Analyzer

MBSA 2.1.1 is a minor upgrade adding support for Windows 7 and Windows Server 2008 R2. MBSA can be run locally or used to scan Windows systems remotely.

Some of the advanced options are to use Windows Server Update Services (WSUS) servers only, or to use Microsoft Update only.

It checks systems not only for operating system updates but also for Microsoft Office updates.
Ref:
MBSA 2.1.1 download


May 21st 2009: ICANN published its 2009-2012 Strategic Plan.

"Security, stability and resiliency will remain a top priority and ICANN will work effectively with other Internet stakeholders to enhance and protect the security and stability of the Internet, paying particular attention to ICANN's mission to protect the security, stability and resiliency of the Internet's systems of unique identifiers."

ICANN is moving forward with its commitment to enhance DNS security through DNSSEC, working with Verisign and the NTIA to implement root-level resource public key infrastructure practices in the Top Level Domain (TLD) community. ICANN has been working with the Internet registries using DNSSEC to sign the reverse parts of the Internet tree, in an effort to authenticate IP addressing and border gateway routes through RPKI.

ICANN is investigating implications for the root server system as a whole, with regard to a series of potential changes within the DNS including the implementation of new gTLDs and IDNs, along with possible implementation of DNSSEC signing of the root zone over the following 18 months. Their report on this study is expected September 2009.

ICANN staff plans to work with the Software Engineering Institute (SEI) at Carnegie Mellon University to leverage the SEI Resiliency Engineering Framework (REF) to ensure its security, continuity and risk management programs incorporate best practices, and to measure improvements to maturity over time.

For the complete draft Plan, see:

Security, Stability and Resiliency Program

The international community is calling for more international control of ICANN. I don't know what the international response to ICANN's design plans for 2009-2012 will be. There are a lot of outreach programs listed in this document to international country code top level domain operators and registries, but I don't know if this design will be enough to satisfy the international community's request for more control.


This year's Gartner Risk Management and Compliance Summit track on IT Security stresses the importance of Information Security's ability to relate information security risks to business risk: how does the risk impact the business? Align your information security management program to provide information about the risks to the lines of business, targeting IT processes that are critical to business success. Understanding the roles and responsibilities in each process is critical for success. You need to keep the awareness and expression of risk and compliance to executive management, line of business managers, and end users consistent and simple. Jay Heiser's session "Ending the Culture Wars" calls for the "Criticality" scale to be High, Medium or Low: "Enable the business to understand its own risk, and to accept its own risk."

According to ISACA, the final acceptance of residual risk takes into account the following:

1. Organizational Policy (appetite for risk)
2. Risk Identification and Measurement
3. Uncertainty incorporated in the risk assessment approach
4. Cost and Effectiveness of the Implementation

Understanding the trust relationships and business processes between business units will help determine whether the residual risk accepted by one organization would have a business impact on another.

Paul Proctor's session, "Five Practical Tips to Link IT Risk Management and Compliance to Corporate Performance", outlines how to relate operational risk to executive management by aligning your goals to corporate initiatives: do not use operational language such as "MS08-067 Vulnerability in Server Service Could Allow Remote Code Execution (958644)"; instead use maturity model scale levels 1 - 5 to display the current state, planned state, desired state, and developing project plans.

Mark Nicolett's session on Applying Monitoring, Assessment and Operations Technologies to Reduce Risk and Improve Compliance discusses the integration of SOC (Security Operations Center) and NOC (Network Operations Center) workflows. This allows IT Operations to support 24/7 monitoring with security specialists providing second-level support. As Mark points out, there are some issues around privileged user monitoring and security incident management. Mark outlines the broad scope of SIEM (user access monitoring, real-time event aggregation, correlation, alerts, reporting and historical analysis):

1. To monitor external threats
2. To monitor the activities of privileged users
3. To monitor server and database resource access (NDAM and ADAM)
4. To monitor the activity of a user across multiple systems

The items I have covered above are only a fraction of the sessions available at the IT Risk Summit. Information Security Risk is just one of the Summit's tracks, and I covered a small section of that. Next year's Risk and Compliance Summit will be held in Washington D.C.

I recommend reading "IT Risk: Turning Business Threats into Competitive Advantage" by George Westerman and Richard Hunter, and also "Implementing IT Governance using COBIT and VAL IT", a course offered by ISACA.


netForensics SIEM and RISK Management

nFX SIM One version 4.1 introduces CMDB integration into its SIEM Business Topology framework.

Assets can be imported by their CMDB domain with their associated asset attributes, including quantitative or qualitative asset valuation. CMDB is a fundamental component of the ITIL framework's Configuration Management process.

nFX SIM One assets are grouped by customers, business units and asset groups. This allows the SIM One information security management framework to match the business organizational structure or mission area types, providing a consistent view of the organization to ITIL Operations as well as to SOC and NOC Operations.

Vulnerability Assessment Scans of corresponding assets are automatically linked to CMDB defined assets. CMDB integration and Vulnerability Scan Assessment integration can be defined as automated processes or manual processes.

nFX SIM One reports on synchronization differences between the last and current CMDB state of its asset information, and also reports assets that are defined in nFX SIM One but not seen in the CMDB. Assets can be automatically created and assigned value from vulnerability assessment scans, so it may be that assets were detected by assessment scanners that are not defined in the CMDB.

HP uCMDB asset valuation modifications and other attribute changes are sent to HP OVO, via the nFX HP OVO Connector, as an alarm that the asset valuation has changed for that particular asset.

This allows information security to see which controls are protecting critical business processes, and to assess the effectiveness and efficiency of the controls in place.

nFX SIM One's Vulnerability Correlation Engine correlates threat criticality with vulnerability criticality and the asset's criticality to the business in real time, and can notify ITIL operations, the NOC and the SOC when an attack matches a specific vulnerability.

nFX SIM One's Rules Based Correlation Engine allows information security to build custom rules that help identify trust relationship issues between service providers, business partners, business units, asset groups, assets, applications or users, identifying when threats are moving through layered controls toward critical business assets where they would have a severe business impact.
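The two paragraphs above describe correlation at the level of product features. The following is an added illustration of the same idea in plain Python; it is not nFX SIM One code and does not reflect how that product scores events. The asset records stand in for a CMDB import, the scanner findings stand in for a vulnerability assessment, and the signature table stands in for a sensor's rule set. Every identifier in it (asset names, unit names, `SIG-…` and `VULN-PLACEHOLDER-…`) is constructed for the example. It multiplies threat severity, vulnerability match and asset criticality (each on a 1 to 5 scale) into one score, maps that score onto the High/Medium/Low criticality scale discussed earlier on this page, routes confirmed vulnerability matches to both SOC and NOC, flags destination assets the CMDB does not know about, and applies one trust-relationship rule (a low-trust business unit reaching a critical asset).

```python
from dataclasses import dataclass

# Constructed sample data for illustration only. Asset records stand in for
# what a CMDB import would supply; the vulnerability ids are placeholders,
# not real advisories, and the scanner findings are made up.
ASSETS = {
    "10.0.1.20": {"name": "billing-db-01", "unit": "Finance", "criticality": 5},
    "10.0.2.15": {"name": "lobby-kiosk-07", "unit": "Facilities", "criticality": 1},
}

# Vulnerability assessment results: asset -> set of vulnerability ids found.
SCAN_FINDINGS = {
    "10.0.1.20": {"VULN-PLACEHOLDER-A"},
    "10.0.2.15": set(),
}

# Threat signatures: the vulnerability each one targets and a 1-5 severity.
SIGNATURES = {
    "SIG-1001": {"vuln": "VULN-PLACEHOLDER-A", "severity": 4},
    "SIG-2002": {"vuln": "VULN-PLACEHOLDER-B", "severity": 3},
}

# Business units whose assets are least trusted; traffic from them toward a
# high-criticality asset trips the trust-relationship rule.
LOW_TRUST_UNITS = {"Facilities"}


@dataclass(frozen=True)
class Event:
    src: str        # source IP as seen by the sensor
    dst: str        # destination IP (the asset under attack)
    signature: str  # sensor signature id


def priority_label(score: int) -> str:
    """Map a 1-125 score onto the High/Medium/Low scale used for executives."""
    if score >= 50:
        return "High"
    if score >= 12:
        return "Medium"
    return "Low"


def correlate(event: Event) -> dict:
    """Combine threat, vulnerability and asset criticality for one event."""
    sig = SIGNATURES.get(event.signature, {"vuln": None, "severity": 1})
    asset = ASSETS.get(event.dst)
    unknown_asset = asset is None          # seen by the sensor, absent from the CMDB
    asset_crit = asset["criticality"] if asset else 1

    # The event counts as a vulnerability match only if the scanner actually
    # found the targeted vulnerability on the destination asset.
    vulnerable = sig["vuln"] is not None and sig["vuln"] in SCAN_FINDINGS.get(event.dst, set())
    vuln_crit = 5 if vulnerable else 1

    score = sig["severity"] * vuln_crit * asset_crit   # each factor is 1..5

    # Routing: a confirmed vulnerability match goes to both SOC and NOC so
    # operations can act on the asset; otherwise only the SOC, and only when
    # the score is worth an analyst's time.
    if vulnerable:
        notify = ["SOC", "NOC"]
    elif score >= 12:
        notify = ["SOC"]
    else:
        notify = []

    # Trust-relationship rule: a low-trust unit reaching a critical asset.
    src_asset = ASSETS.get(event.src)
    trust_violation = bool(src_asset and src_asset["unit"] in LOW_TRUST_UNITS and asset_crit >= 4)

    return {
        "asset": asset["name"] if asset else event.dst,
        "unknown_asset": unknown_asset,
        "vulnerable": vulnerable,
        "score": score,
        "priority": priority_label(score),
        "notify": notify,
        "trust_violation": trust_violation,
    }


if __name__ == "__main__":
    for ev in (
        Event("10.0.2.15", "10.0.1.20", "SIG-1001"),    # kiosk attacking the vulnerable billing DB
        Event("203.0.113.5", "10.0.1.20", "SIG-2002"),  # external probe; DB is not vulnerable to it
        Event("203.0.113.5", "10.0.9.9", "SIG-1001"),   # attack on an asset the CMDB does not know
    ):
        print(correlate(ev))
```

The useful property to notice is that the same signature produces very different outcomes depending on context: an exploit attempt against an asset the scanner has confirmed vulnerable and that the CMDB values highly is High and pages both operations centers, while the same signature against an asset the CMDB has never heard of scores Low but is flagged as an unknown asset, which is the synchronization gap the reporting paragraph above describes. The thresholds and weights are arbitrary choices for the example; in a real deployment they would come from the organization's risk appetite.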

nFX SIM One integrates with network and IT operations center monitoring systems: selected events or incidents can be sent to end users for notification and analysis, and helpdesk ticket integration is provided with major help desk vendors.

To provide segregation and integrity of incident management, nFX SIM One provides its own built-in Incident Management Resolution application, where security analysts can work on investigations without other operational users having access to that information. nFX SIM One's incident management system can also integrate two-way with OVO, letting operations staff and IT management know what state an incident is in and to whom it is assigned, at the request of the analyst or incident manager working on the incident.

nFX SIM One allows the CIO, Risk Management and the CISO to jumpstart their information security program, reduce risks, and improve compliance.

NIST FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. NIST SP 800-60 Volumes 1 and 2 provide the guidelines for the classification of mission area types.


A Bill to Amend the Federal Power Act - Critical Electric Infrastructure
With more than a trillion dollars worth of assets, 200,000 miles of transmission lines, and 800,000 megawatts of power serving 300 million people, the electric infrastructure has become increasingly dependent on computer control systems that are now connected directly or indirectly to open systems networks. Legislators are concerned that our electric power grid will come under cyber attack by foreign nations or e-social protests, as well as being exposed to EMP (electromagnetic pulse) events. Legislators and the Department of Homeland Security believe that utilities are reporting only a small percentage of their critical infrastructure assets.

The Bill states that the Secretary of Homeland Security, working with other national security agencies, will identify threats and vulnerabilities that require immediate proactive correction, and that DHS will perform ongoing threat and vulnerability assessments. FERC may issue orders or rules needed to protect the critical electric infrastructure, and may issue an emergency rule without prior notice or review, effective for 90 days.


Under the Radar


In today's business environment of takeovers, acquisitions, and mergers of some of the world's largest financial institutions, banks, and service providers, coupled with the downsizing of IT and Information Security personnel, what is happening with the world's largest and most complicated networks and application services? One can only hope that through these large transitions the internal knowledge of the infrastructure and its controls survives, that it continues to be monitored and audited, and that incidents are managed effectively. This may be an excellent time, before the next boom, to re-evaluate the controls that are currently in place. Are we monitoring all that we should be monitoring? Do we really know all of the interconnections between telephone services, building infrastructure services, remote access, and new or existing service providers?

Although in this age one would believe that dial-in capability is no longer an issue, dial-in access continues to be one of the least monitored access points. How many of us have recently performed phone sweeps of our environments? While trying to get rogue wireless access points under control with corporate policies and implementing best-practice wireless services for our business and engineering users, we may have forgotten about the old-fashioned modems. In our rush to implement VOIP services for telephony cost savings, did we really map out how the VOIP network is integrated with the data networks? Did we really provide enough controls to prevent tampering? In the new merger or acquisition, how will the consolidation of VOIP services be handled? How many of us are actually monitoring and alerting on access attempts or violations on these networks?

How many of us have actually mapped out, or had audited, how the infrastructure of building services is integrated with our networks, and where all the possible interconnections are? Access points in building closets may contain building services switching along with PSDN and data networks; have these been bridged? Where are all the connections to the fire extinguishing systems, air conditioning, elevator services, UPS and power distribution systems or industrial controls? Who has access to our devices: firewalls, IPSs, routers, switches, PSDN, wireless access points, VPN devices, authentication management systems? Is this access monitored? Are there alerts for policy violations, CPU utilization, transaction thresholds, and large data transfers?

Are the internal controls just as efficient as the internet protection controls, and are all transactions being monitored effectively internally? Do we really know what our assets and applications are? Where is personally identifiable customer and employee information stored? What applications need to communicate with what? Which applications and assets provide business critical services? How many databases can employees reach? How many of those databases have default logons and passwords? Have you checked what your network printers are storing or accessing?

We are all trying to do the best we can to put enough controls and monitoring into our ever-changing and expanding technology environments while also keeping up with all the compliance requirements, but today's electronic threat might not be thousands of miles away scanning your Internet firewall; it may be in your elevator or lobby.

A sincere thanks to Gordon Smith of canaudit.com for his discussion at this month's ISACA meeting in Philadelphia and reaffirming the concern for all of us auditors everywhere that hackers don't sleep.

© 2009 netForensics, Inc.