Wednesday 9 May 2012

Informaton Security Magazine

I am loving seczine.com an <a href="http://seczine.com">Informaton Security Magazine</a>, it is a crowd sourced security, hacker and risk focused magazine. 

I have published a couple of articles here, but it is great to read the others, as it gives you a perspective that is differnet than traditional media.

Risk Assessment

A risk assessment is a vital element of protecting your employees along with your enterprise, together with complying with the law. It helps you focus on the risks that actually matter in your workplace - those with the possibility to do harm. In many cases, very simple methods can easily control risks, such as, making sure spillages are cleared up quickly so folks don't slip or filing cabinet drawers kept closed to make sure that people do not fall. For almost all, this means very simple, low cost and highly effective measures to ensure your most valuable asset - your employees - is protected.

A risk assessment is simply a cautious study of what, in your work, might cause injury to people, to enable you to weigh up if you have taken sufficient safeguards or ought to do more in order to avoid harm. Workers among others have a right to be protected from harm caused by a failure to consider sensible control measures.

The law doesn't require that you remove all risk, however you are recommended to protect individuals so far as is ‘reasonably practicable’. This article tells you how to reach that goal with minimum difficulty.

This is not the only way to perform a risk assessment, there are more methods that work well, specifically for more complicated . risks and circumstances. Having said that, we believe this approach is the most straightforward for the majority of businesses.

Easy methods to assess the risks inside your place of work

Follow the five stages in stated below. Five steps to risk assessment .

1. Identify the dangers
2. Decide who can be injured and exactly how
3. Assess the risks and choose preventative measure
4. Record your conclusions and implement them
5. Review your assessment and revise if necessary

Don’t overcomplicate the process. In lots of organizations, the risks are well understood and the essential control measures are really easy to apply. You most likely already know whether, as an example, you have staff members who shift heavy loads therefore could hurt their backs, or where individuals are more than likely to slip or trip. If so, make sure that you take sensible safeguards in order to avoid harm.

For those who run a small organisation and you are confident you understand what’s required, you can do the assessment by yourself. You don’t really need to be a health and safety expert.

If you are employed in a more substantial organisation, you might ask a health and safety professional to assist you. If you're not assured, get the aid of someone that is experienced. In every case, you should ensure that you involve your staff or their representatives in the operation. They will have practical information about how exactly the work is done that can make your assessment of the risk more detailed and effective. But remember, you're responsible for seeing that the assessment is carried out adequately.

When considering your risk assessment, remember:

a hazard is anything that could cause harm, such as chemical compounds, electricity, working from ladders, an open cabinet.
the risk is the chance, high or low, that somebody could be harmed by these and other hazards, together with an indication of how serious the harm could be.

SIEM

Security Information Event Management is normally termed as SIEM and is usually a selection of two solutions, Security Information Management (SIM) and Security Event Management (SEM).

Security Information Management is normally sometimes referred to as Log Management, with Security Event Management often referred to as the Correlation Engine part of SIEM.

The Log Management layer should be able to collect audit logs in large quantities, while the Correlation Engine should be able to analysis the accounting and auditing logs, discovering significant behaviours and flagging them for assessment via alerts.

It is unusual, however, not exceptional for vendors to merely provide one of the solutions, either SIM or SEM, for the industry, as an example, Splunk and LogLogic are known as having robust SIM functionality but poor SEM capabilities and NetiQ and RSA have strong SEM capabilities but weak SIM capability. Every one of security vendors added in extra capabilities so that they can address their weak spot. It will be worthwhile picking a product that includes potent abilities spanning both SIM and SEM, for instance Tripwire, Nitro (now McAfee) or Q1 Labs (now IBM).

The challenge with any SIEM solution is that it will capture audit logs from throughout the enterprise, millions of them! For everybody who is amassing these audit logs, you are likely to need to have a look at them, that is certainly where the problem lies.

It is obvious event log analysis boosts your risk profile. In fact the Data Breach Report from Verizon clearly suggests in over 90% of the instances they researched over the last 5 years, proof of your breach is in the log data file. If somebody was conducting a extensive research into the audit logs during the time of the violation the breach would have been identified and might have been completely shut down.

The problem is that to conduct the desired level of assessment mandates dealing with millions or billions of accounting and auditing logs. You could endeavor to perform this manually, in reality that will be your only option if you have gone for a SIM only solution, however a much better choice is to use the intelligence of your SEM solution to examine questionable behaviors.

The key term here is "behaviours", it is generally unproductive for you to search for a single event, such as a new user created, as in large enterprises this event can be quite widespread. However if you could look for a mixture of events, for example a new user created, outside business hours, coming from a non authorised IP number, added to a privilege group, such as Administrators, this would be a behaviour you will be concerned with and really should react to.

It is therefore essential that any SIEM solution your are looking for possesses the capacity to identify "behaviours", rather than singular events and just as essential that creating the behavioural rules is straightforward and intuitive, not demanding vendor support to accomplish this, as your team shall be building a variety of them on an continuing basis.

Once behaviors of interest have been discovered somebody will need to respond. In large enterprises this might be a dedicated Security Operations Centre (SOC) or a Network Operations Centre (NOC), in smaller sized enterprises it is likely to be platform owners.

Standards such as PCI DSS, ISO27001 and GPG 13 require SIEM to meet your compliance obligations.

Tuesday 8 May 2012

Risk Types

There are a variety of different ERM frameworks that summarize a method for determining, analysing, addressing, and tracking risks and opportunities, among the many inner and external ecosystem facing the business enterprise. Management would normally choose a risk response strategy for particular risks identified and analysed, that could include:

Avoidance - Stop the activity which is raising the risk profile

Reduction - Apply measures to lessen the likelihood or effect linked to the risk

Alternative Actions - Identify alternate measures and assessing the actual outcome towards present risk profiles.

Insure or Distribute Risk - As risk can not be averted you could insure against the risk transpiring or disperse the risk using a partner or partners willing to onboard some of the risk.

Accept Risk - Consider no response and accept the outcome of the risk

It's expected that management would probably implement a program of constant observing along with a feed-back system to make sure they have an understanding of their risk profiles at any stage in time, this might include conduction a Risk Assessment. This includes meetings with domain experts, recognition of current risk state along with the state of response or backup plans.

There are numerous definitions of Risk, one of the most preferred is the Casualty Actuarial Society model which conceptualised ERM as continuing across the two dimensions of Risk Type and Enterprise Risk Management Processes.

The most frequent described Risk Types are:

Financial Risk - That would include Currency Risk, Counter Party Risk, Pricing Risk, Asset Risk, Liquidity Risk

Operational Risk - Which would include Reputational Risk, Customer satisfaction, Product failure, Supply Chain Risk

Hazard Risk - Which includes Disasters, Hazardous Materials, Liability Torts, Property Injury

Strategic Risks - Which includes Social Trends, Competitive Responses, Investment capital Availability,
Market Analysis

Sunday 6 May 2012

GPG 13 Protective Monitoring



What on earth is GPG 13 and how do people get GPG13 compliance? Protective Monitoring, otherwise known as Good Practice Guide 13, or GPG13, is a UK central government highly recommended set of people and business functions and IT Solutions to greatly enhance enterprise risk profiles.


Fundamentally, a Protective Monitoring solution will give you awareness and an knowledge of who is obtaining access to the companies sensitive data.


Execution of protective monitoring solutions are endorsed in many regulatory and industry best practices, such as PCI DSS , Cyber Security and SOX. Even though it is not compulsory for private sector organizations to implement a Protective Monitoring solution, most businesses could well be remiss in their care of duty if you're not executing a solution, in relation to security controls required to defend third party data within their enterprises. It thus remains most likely that Protective Monitoring will make up a percentage of the IT Security and risk controls in most, if not all, enterprises.


Implementation of Good Practice Guide 13 is a strong recommendation for any HMG ICT Systems, and is in essence mandatory for systems that store high impact level data.The aim of a Protective Monitoring strategy is to insure that there is a a higher level operational insight, to confirm that organisations fully understand how their IT systems are used or abused by internal or external agents.


You'll find significant proof points that demonstrate organisations without having a monitoring system will take a significant time frame to uncover that the internal or external violation has occured. In fact, for almost all enterprises, an average of, it could be months following a breach has transpired before it would be observed. It is additionally likely, in 86% of cases, that the actual discovery will be uncovered by an external party, that would then advise the breached enterprise.

Obviously that is a tremendous risk to the companies reputation, in addition to a considerable financial threat if the organisation is under an obligation to employ effective controls.Enterprises without Protective Monitoring are likely to impact the IT systems confidentiality, integrity and availability (CIA), further impacting business sustainability and reputation.

The
Security Policy Framework , published by the UK Cabinet Office, sets out compulsory standards and offers guidance on risk management, compliance and assurance programs.

The Security Policy Framework is a publically
obtainable guide that replenishes the much less distributed Manual of Protective Security and the Counter-Terrorist Protective Security Manual.

Good Practice Guide 13, Protective Monitoring, is
compelled by the Security Policy Framework on businesses that process or stores high impact data.

Additionally, execution of GPG 13 will support HMG IA Standard No.1; which is a collection of guidelines to complete Technical Risk Assessment. 
GPG 13 is made up of twelve Protective Monitoring Controls (PMC), each of which is designed to make improvements to a companies risk profile.

Enterprise Risk Management


Enterprise Risk Management, often labelled as ERM is a group of processes and methods utilised by organizations to control risks and make the most of opportunities associated with the achievement of their specific goals. 

ERM offers a structure for Risk Management, which often involves analyzing specific events or conditions highly relevant to the organisation's objectives (risks verse opportunities), assessing the probability and degree of effect, selecting a response strategy, and monitoring progress. 

Risks can crop up after a while, especially if motivated by cultural trends, to give an example public attitude to the following have noticeably altered throughout the decades, Slavery, Tobacco smoking, Real furs, Spanking, Banking Bonus deals and Nuclear Power Generation.

By identifying and preparing for risks and opportunities, business enterprises protect the organisations valuation for their stakeholders. Stakeholders could range from stockholders, employees, authorities, customers, banking institutions, regulators, and the general population. 

ERM is often identified as a risk-based technique to managing an organization, integrating ideas of management and the workforce. ERM has developed to handle the desires of varied stakeholders, who required to be of aware of the broad array of risks facing sophisticated organisations to ensure that they are appropriately managed. Government bodies, counter parties and financial debt rating agencies have raised their scrutiny on the risk management processes of businesses.