The overall theme this year at the RSA 2010 Conference in San Francisco that surrounded the conference was Information Security in Cloud Technologies how to prevent the Cloud Technologies from raining on everyone's parade. The article that I am highlighting in this blog "Research Challenges in Enterprise Cloud Computing: It is important to highlight cloud computing research challenges from an enterprise perspective because cloud computing is not simply about technological improvement of data centers but a fundamental change in how IT is provisioned and used."
Another interesting insight about this article is the inclusion of Nichols Carr's book "The Big Switch: Rewiring the World, from Edison to Google" noting that in the earily 1900's companies maintained their own power plants even though it was not their main expertise and how companies are maintaining their own Data Centers even though it is not their primary expertise. It is interesting though that last week on CBS 60 minutes broadcast the topic was how Cloud Computing providers are leading the way to provide their own green technology power plants.
The effects on IT and Security roles in their relationships with the user community and service providers will continue to evolve, as IT departments must make sure their cloud services can be migrated or failed over between service providers should one cloud service provider go out of business, as well as issues concerning certification, interoperability, API's between cloud vendors as well as SLA management, Privacy Rights Protection, and Intellectual Property Protection. "It it not clear "whether a cloud will be considered to legally be in one designated location [...] or in every location that has a data center that is part of the cloud"
These research challenges are interdisciplinary in nature, and there is a need for more co-operation between researchers, cloud users, and service providers.
According to the New York Times Bits Section Intel and Google were under "sophisticated" Cyber Attacks in around the time frame. Intel reports that although the events were close in time that they were unrelated.
The cyber-attacks against Intel was reported in it's annual report to the Security Exchange Commission. Intel reported that it did not suffer a wide spread attack and no intellectual property was exposed.
On 2/20 the New York times reported that two Chinese Universities were involved in the attacks against Google and other corporations since then the Universities have denied any involvement in the attacks. "It was not until 2006 that our graduates began to join the army. So far, 38 students have been recruited by the military for their talent in auto repair, cooking and electric welding," said Zhou Hui, director of Lanxiang school's general office. He disputed claims in the New York Times article, which cited anonymous officials from the US National Security Agency, that there was a link to a computer science class taught at the school by a Ukrainian professor.
in other news the Telegraph.co.uk published that Cyber attacks in 2009 cost on average 1.2 Pounds a year.
Last October we published information regarding published report by Northrop Grumman a study done for the U.S.-China Economic and Security Review Commission
that describes similar tactics. ( Thank you Niels Groeneveld of "Operation Aurora" for reminding me about the relationship. If you have not read the Northrop Grumman report it is an interesting read on social and economic effects of this type of behavior.
This article points out the need for customers to develop Information Security and Privacy Schedules as part of their Service Provider agreements. As more and more of our Information Technology and Information Security moves to out sourced technologies, customers need to be aware that not only are they still responsible for the privacy and security of their data, but may be undertaking the risks involved with utilizing the service providers information security environment.
"The Customer should think of the Service Provider's security as an extension of their own internal security." IT Services and Information Security Management must undertake the security of how the trust relationships with their Service Providers are handled and how those relationships may impact the business, should the Service Provider be compromised or suffer a breach.
In David Navetta's closing statement, he mentions the impact of incidents, not from the initial impact of the exploitation of an exposure but the after effects concerning liability and reputation damage. "First, it is not unusual for a security incident to yield "consequential damages" in addition to "direct damages," including loss of profits, lost customers, attorney fees, breach notice costs and other similar costs. If the overall contract contains a consequential damages disclaimer, the Customer should endeavor to get an exception for consequential damages arising out of a security incident and/or breach of the Schedule."
The credibility and reliability of your information security program is now an integral part of stability and reputation of the business along with how well you are maintaining the trust relationships with your business partners and service providers which are now part of your extended business and control environment. The days of IT involving a few core services are gone and now have been replaced by data moving in and out of the environment for outside processing and storage, site to site vpns, international privacy and security laws of internal, external data and the rise of "Cyber insurance". David's article covers a wide variety of suggestions of what can be included in the Security /Privacy Schedule in contractual agreements with Service Providers.
Yesterday at the Security Awareness for 2010 ISACA meeting in Philadelphia John Raezer delivered a welcomed presentation on Risk Management Effectiveness.
How Information Technology and Information Security Management must understand the Business Model. What are the key assets, what are their exposures and vulnerabilities,
and from the peril of a threat what would be the outcome. It is not only the identification or the recognition of a incident but what was the root cause and contributing factors, how does this information get included or relayed back to Business Intelligence information. What are the distribution of events not only in near real-time
but historically their severity, impacts, risk response, what policy and procedures were used in containment, mitigation, follow up step and what was the contributing factors,
who owns the Risk Relationships.
In his example on why Frameworks such as BASEL, COSO, COBIT, are so important was the highest thing that affected corporate reputation to it's business partners, customers, and suppliers was accounting irregularities. By far accounting irregularities had the highest corporate reputation risk of affecting your business with suppliers, business partners, and customers, he sited some recent banking incidents as an example of customer and partner distrust.
The need to study and understand what disruptive technologies will have an impact on business processes how many industries are using chaos theory for risk assessment, black swan events the unexpected, unexpected and how we must understand the Language of Risk, not only in the physical world but in the virtual world and that eventually he believed there will be Risk Management Accounting.
If you get a chance to read his presentation or see him speak on the values of risk management in the enterprise it is well worth the time.
netForensics will be at HP Universe in Hamburg Germany this week.
On December 16th through the 18th at HP Universe 2009 we will be featuring how our Information Security Management tools integrate with HP uCMDB and HP Operation Center Management. IT Enterprise frame works including the OCG's ITIL v3 and the ISACA's COBIT 4.1 call for Information Security Management, Change management. Service Asset and Configuration Management processes to be implemented across the ITIL Service Lifecycle from the Service Strategy, Service Design, Service Transition and Service Operation.
nFX SimOne provides the ability for Information Security Management and Operations Management to be closely aligned throughout the Service Life Cycle, by integrating with HP uCMDB, HP Operations Manager (OVO) and Information Security Management ( SIEM tools ), organizations will have common view of the relationships of host and host resources and applications and automatic change history. This provides organizations a common view of the Service Design and it's control environment allowing Information Security management to create effective correlation event scenarios based on the enterprise framework and business processes, providing effective event management and incident management.
The mission and function of the task force will be to provide advice to the Attorney General for the investigation and prosecution of cases of banks, mortgage, loan, lending fraud; securities and commodities fraud, mail and wire fraud, retirement fraud, tax crimes, false claims, unfair competition, discrimination, and other financial crimes and violations.
Federal Register Executive Order 13519--Establishment of the Financial Fraud Enforcement Task
Force
"That the nation faces unprecedented challenges in responding to the financial crisis that has gripped the economy for the past year. Mortgage, securities and corporate fraud schemes have eroded the public's confidence in the nation's financial markets and have led to a growing sentiment that Wall Street does not play by the same rules as Main Street."
Recently in the Brazilian Power outage events, even an implied weakness in the controls of Critical Infrastructure could be used to destabilize the financial stability in markets, subverting the controls that are involved in financial trading. There have been conflicting reports about whether the attack was caused by an attack on the controls of its Dam's systems. Employees and Contractors of the system complained that their pay checks and statements had been modified to include a message from the attackers.
With all of this talk on financial fraud and critical infrastructure vulnerabilities, I could not help but be reminded of the 1983 movie Superman III where Robert Vaughn's character sites "Computers rule the world today and the fellow that rules the computer, rules the world." and Richard Pryor hacking into secret defense systems to ruin the coffee crop for the next 5 years, Superman III: Tornado Scene.
While it all may seem very tongue and cheek and some what unrealistic, the simultaneous collapse of the financial markets due to fraudulent transactions combined with the failure of major Scada Systems would have a serious effect on a nation's stability. In 2002 the U.S. Naval War College conducted a study that concluded it would probably take about 5 years to plan and cost about 290 million dollars to plan a significant electronic attack.
Digital Stenography: The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves.
Infosectoday's article: Digital Steganography Threat or Hype: by James E. Wingate - Summary:
Use of steganography will never be detected if no one ever looks for it.
The National Interest online's article by Richard Clarke outlines the difficulties in of countries in protecting their economies from disruption of processing data that manages the controls of the nations power grid, fuel supply, or food supply chains, etc... or the ability for private commerce to perform business.
Although the article concentrates on the United Stateseconomy, it is a concern world wide that the electronic infrastructure that controls physical and logical stability of nations is fragile and vulnerable and that our systems are complex and perhaps too overly complex.
There is real concern that between nations that having the superiority to disable the other nations ability to perform commerce or defend it's controls on infrastructure that supplies services to it's citizens in times of political or resource conflict is way too much of an advantage, and then there is as Richard Clarke points out the "who dun it" piece.
Although I don't necessarily think that this is limited to cyber warfare, certainly in conventional warfare through covert activities groups have tried to blame conflicts on others not involved to escalate hostility between factions already at odds with each other.
As in the recent denial of service attacks in July, was it really who we thought it was or was it some one else trying to make it look like that. It is always not the recent notification or alert that may allow you to traverse an incident but being able to perform historical correlation on transactions that were allowed through trust environments.
The other point is although not discussed, usually, where are all the electronics made? Who makes all the components inside the equipment?
Richard Clarke -
"The major differences between cyber war and conventional war--one that makes the battlefield more perilous--is what cyber warriors call "the attribution problem." Put more simply, it is a matter of whodunit. In cyberspace, attackers can hide their identity, cover their tracks. Worse, they may be able to mislead, placing blame on others by spoofing the source."
"The "critical infrastructure" of the transportation, finance, energy and communications sectors are owned and operated by nongovernmental entities, corporations that have proven highly resistant to regulation. The Federal Energy Regulatory Commission (FERC) issued new cybersecurity guidelines to U.S. power companies in January 2008, requiring greater separation of the operations systems from the public Internet."
Richard Clarke was special adviser to the president for cybersecurity in the George W. Bushadministration. He is now chairman of Good Harbor Consulting. His book Cyber War, coauthored with Robert Knake, will be published by HarperCollins in the spring.
Neil deGasse Tyson once said, "To a discoverer all data is valuable even bad data." When looking at data individually, you may believe that the data is not valuable and does not tell you anything. But, when combined with other types of information that are within a relevant time frame, the information becomes very valuablle and the more layers of information being presented more useful.
Some of the most valuable data that you get does not even come within the realm of logical data gathering. It is the information from outside of logical analysis of data which brings to mind Sam Walton's expression "I know what I know but tell me what you know." According to Kevin Mitnick, the most effective approach is to try to exploit the weakest link -- not operating systems, firewalls or encryption algorithms -- but people. In information security, knowing what is of value, where is it located, who has access to it, and what are the trust zones and controls that allow access to it is core to aligning information security with business goals.
Monitoring perimeter scans for known intruders and bogons is information that we all need, but knowing how trust zone can be compromised to gain access to valuable or confidential data is critical. It's the continual discovery process and breaking through the silos of knowledge and control that will help provide additional layers needed in developing an effective information security program.
Why is my executive office printer using https and ftp outbound traffic to a Home ISP DHCP range or using Goto My PC?
The Food and Drug Administration recently announced that the Office of the National Coordinator for Health Information Technology is launching the Sentinel Initiative with the ultimate goal of creating and implementing the Sentinel System - a national, integrated, electronic system for monitoring medical product safety.
The Sentinel System, which will be developed and implemented in stages will ultimately enable us to access the capabilities of multiple, existing data systems (e.g., electronic health record systems, medical claims databases) to augment the agency's current capability.
The goal is an understanding of adverse events resulting from treatment creating new methods of signal detection, data mining, and analysis, enabling researchers to generate hypotheses about, and confirm the existence and causal factors, of safety problems in the populations using the products.
Currently the focus has been to integrate data from various large populated databases, from MedSun ( Medical Product Product Safety Network), KIDnet (a postmarket database of pediatric ICU's and Neonatal ICU's), Heartnet (data gathered from electrophysiology laboratories), Labnet (data collected from hospital laboratories), SightNet (a collection of data from the use of ophthalmic devices), and HomeNet (a collection of data from home use devices). The FDA signed agreements with the Veterans Health Administration ( VHA) to build tools and infrastructures for evaluating the safety of drugs, biologics, and medical devices as well as the Department of Defense (DoD) for automated signal generation and data mining tools with the DoD's ALTHA electronic medical record system as well as identify influenza vaccine safety.
The Nationalwide Health Information Network (HHIN) is being developed to provide a national, secure and interoperable network. The network of networks will connect diverse entities at the state and regional (HIE's) that need to exchange health care information. The FDA is planning on using the HHIN existing framework to provide Sentinel access to diverse networks to retrieve data from a number of healthcare resources.
Healthcare IT services now interconnect patient health care medical devices that are local and remote to the health facility to Medical Device Data Systems (MDSS) that collect and store status and performance data from medical devices. The MDSS systems interconnect with EHR systems that connect to the Healthcare network (HIE) and the (HHIN) "network of networks" grid. The Holland & Hart Healthcare Law Blog article on Internet Medicine points out the challenges to the interoperability of medical devices to electronic health record systems and the proliferation of internet worms (Conflicker). Robert Nadler's article from RDN Consulting on Medical Devices provides a diagram and shows protocols used for the interoperability of connecting Medical Devices to the Health Care Network.
In another article from Ph.D. Rex Gantenbein from the University of Wyoming displays the Federated model of the HIE and its advantages.
Monitoring the efficiency and effectiveness of the control environment of HIE connections as well as the back end infrastructure to EHR systems and their trust relationships with medical data systems and connections to patient medical devices will require a strong information security program that is integrated within the IT Medical framework and the Medical Business supply chain. Prevention of Intrusions and Data Breaches will be an on-going lesson learned as data is liberated from applications and becomes more liquid and data silos are taken down. Medical data is valuable information for those that depend on it for survival. Imagine botnets that are able to infiltrate healthcare medical devices or has the ability to turn off medical monitoring equipment.
Today Canada's Public Safety Minister Peter Van Loan said, Cyber Security is like the new arms race. He said there is not one minute of the day that someone somewhere is trying to break-in to our information systems.
Everyone knows information security and information services in this global economy
of interconnected services, that what he said is correct - that every minute of every day, someone or something launched by someone is analyzing what it can do to break-through a trust zone. Chances are your business supply chain is online 24/7 and if your really analyzing your data and doing your research you know these attacks do not stop. In a matter of minutes what you once thought was at least up to date, could now be openly attacked by new discovered flaws and it becomes a race of what is the grace period before applying new security updates and the testing of implementing the new updates and when there will be a massive outbreak. And then, there are the flaws have not been made public that you need to convince the LOB managers that these outstanding exposures should be mitigated before the next security update.
Peter Van Loan's comments go along to point out that executive governance on information security practices and procedures are not just coming in the government sector but in the private and public sectors as well.
In the U.S. we have seen mandates from states on the protection of privacy information and new bills introduced for the forth coming legislation on Information Security. PCI Security Standards for the way that your information security architecture needs to be structured for Payment Card applications and the new Red Flag Law for Identity Theft.
At the same time the U.S and Canada met to discuss a new partnership to protect against trans-border theats: UPI.com . They discussed:
-- Developing joint threat and risk assessments.
-- Advancing initiatives that manage risk while facilitating movement of legitimate goods and people.
-- Working to ensure that separate systems prevent entry of dangerous goods or people to either country when national laws bar sharing managed risk initiatives.
-- Expanding integrated law enforcement operations along the border and waterways to prevent criminals and terrorists terrorists from evading enforcement or harming the two countries.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=500f41f9-76be-4338-a0ce-b69405cf5c7c)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=9d33d275-2e19-4064-bda4-0ebe34d87e71)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=f2179a52-acbb-40c8-ae84-f7648a59b885)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=4011c3f1-5552-4ee7-9262-2c11a7a6670f)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=a62363bc-497f-4d21-a8bc-d8da436859ff)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=23c7882d-6721-446e-87a3-7071bed41284)
