InfoSec News

Hack in the Box will host its 10th security conference this week in Kuala Lumpur featuring an all-star cast of hacking luminaries and a cutting-edge program.
The ISO27000 series consists of a number of standards that apply to information security. The main standard that you can actually certify against is ISO 27001. The remaining standards are mainly supporting standards that help you address specific areas of information security.
ISO27001 is an information security management standard. The main objective of which is to make sure that an organisation has the processes in place to manage information security within the organisation. Unlike the Payment card Industry Data Security Standard (PCIDSS, more on that in a later diary) ISO 27001 is not prescriptive. It doesn't tell you exactly what to do, it provides high level guidance and you have to work the rest out yourself. This is where the supporting standards come into play. ISO27002 for example provides more information on implementing specific controls and provides examples. If you are stuck on how you should be assessing risk, then you need to take a look at ISO27005 (ISO31000 is also excellent it is the old AS/NZS 4360).
One of the main difficulties of complying with the standard is the first realisation that you are complying with sections 4 through to 8 whereas many people concentrate on the controls in annex A (Annex A BTW is 27002 with less detail provided). Sections 4 through to 8 outline the system that needs to be in place. The Plan, Do Check, Act cycle. The standard is risk based, the idea being that you identify your assets, assess the risk, based on those risks select controls that you are going to implement, monitor how it is all going and then rinse lather and repeat the cycle. The other key idea is that it is a system for the security of information. So not specifically computer systems, but the information it manages and holds as well as the information used to manage the environment. Many ISO27001 systems initially concentrate on the technical aspects of ITsecurity, do Ihave a firewall, do Ihave AV, do Ihave processes to manage it, etc. As the system matures the system tends to go up a level and looks at the processes that are being performed by a group or division and the information they need to successfully do this. For Example, the CISOneeds to report on the status of information security in the organisation. What information is needed? They might need stats from various systems, pentest results, vulnerability analysis results, risk assessments, and so on. All are information assets that the CISOneeds to do their job. How is that information generated, by whom? How reliable is it? So in ISO 27001 world there are a number of different levels that your system can work at.
Just going back to sections 4 through to 8 for a little bit. One of the first things you will be doing is to define the scope of the system you are about to implement. Typically this will be phrased along the lines of management of information security for system/group/division/product/application/service by responsible group. Usually it will be a little bit prettier than that, but you get the general idea. Like a quality system (ISO9000 series) you define the scope of the environment. If you have a scope that doesn't include a HRfunction, then the HRfunction will become an input into your system, but not part of it. CYou may have to request them to do certain check prior to hiring, but in my experience those types of processes are usually mature. Good scoping can be your saviour if you are going for certification.
So certify or just comply? That is one of the main questions we get when talking about 27001. The choice is quite simple. If you are going to use it as a marketing tool to improve confidence in your organisation's ability to manage information security, then certify. If you just want to make sure that you are covering the bases that should be covered, then complying but not certifying may be the right choice for you.
Where to start. Well after you have bought your copy of the standard you could perform a gap analysis on what you currently do and what the standard expects to be done. Be brutally honest. You can use this mechanism to monitor your progress and show improvement as thing change. Expect to fail miserably and make sure that management understands this before you start. You haven't needed to comply with the standard before, therefore there are going to be gaps. If you've never run a 5km race previously, the chances of you finishing it on your first go are pretty slim. Once you have your gaps you will have a starting place and you can start working on progressing and improving security.
In order to certify you must have what are called the documented processes in place (Sorry Ican't really list them as without the standard to provide context they won't make sense). Without these processes, written down, being followed and maintained, you cannot pass a certification audit. Likewise it will be difficult to pass a certification audit if you do not have an information security policy, change control, Business Continuity Plan, Incident response plan, Acceptable usage policy and more. However what you do or don't have will come out in the gap analysis.
As a management system ISO27001 is quite reasonable. If you do it correctly the overhead on your scarce resources won't be too bad. It makes you document those processes that are actually important to the organisation, which is never a bad idea. It forces you to think about issues that you may not have thought about previously. In fact that probably goes for most standards.The standard forces the engagement of management in information security matters and this often results in better understanding of what you really do and possibly even more funding. The main thing to remember is don't work for the standard, make the standard work for you. If you are doing it to tick a box, you will likely fail
It is a brief overview of ISO27001. If you have anything specific, let us know via the comments, or contact form.
Mark H (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

From £35000 to £45000 per year + £35k - £45k
Career Engineer
Senior Infosec Engineer : International Defence Organisation based in Bristol is currently looking to recruit a Senior Infosec Engineer. Please Note: you must be eligible for SC (Secret Level) Security Clearance. The salary on offer is 35k - 45k and ...

and more »
Dr. J started the week with commentary on what we will be attempting to write this month. One of the things we hope to accomplish this month with our focus on standards is awareness of their existence and how they can assist in solving some of the information security challenges we are faced in our everyday work. Dr. J also mentioned guest diaries, but as of this writing I am not aware of any guest diaries that have been accepted, so if youre interested, please drop us a note.

For CSAM day 4 Dr. J wrote about crypto standards, due to the announcement of the winner for the competition for the new SHA-3. One key point Dr. J mentions in his article is the discussion of performance. The application of cryptography should always be weighed against the risk of exposure and impact to performance.

For CSAM Day 5 Richard Porter wrote on the different groups that publish standards that may be of interest. The Handler group is a very diverse group of individuals, some who have actually written some of the standards we use today, with much experience implementing these standards. The task of implementing one of these standards can be daunting, so let us know what we can do to help. There is tons of great information at each of the links, for example the NIST publications include the 800- series of Special Publications, which covers Computer Security.

For CSAM Day 6 Manuel discussed the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. NERC CIP is an excellent example of a set of non-government standards that are fairly easy to interpret. NERC is a non-government organization which has statutory responsibility to regulate bulk power system users, owners, and operators through the adoption and enforcement of standards Granted we all are not bulk power system users, owners, etc. however the approach is based on solid practices that can be adapted to many environments, regardless of mission.

The challenge with standards has often been trying to interpret or understand the intent, and fit that material to the world we work in. The Handlers here at the Internet Storm Center have a very diverse set of experiences, so if you have questions about where to start, what does it mean, etc., we can certainly assist. Feel free to ask, thats why we are here :)

tony d0t carothers -gmail (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Gitex to feature 25 French digital firms [TradeArabia]
Infosec Communication designs, manufactures and sells a comprehensive range of UPSs and surge protectors adapted to market needs. Infosec UPS System offers electrical protection systems. HR Access designs, develops, implements and delivers a ...

and more »

InfoSec Skills Acquires Online Information Security Resources Site, InfoSec ...
PR.com (press release)
UK–based information security training company, InfoSec Skills has today announced the acquisition of Information Security resources company, InfoSec Reviews, which is now fully assimilated into the InfoSec Skills website. London, United Kingdom ...

Internet Storm Center Infocon Status