IT Governance (part3)

20 nov. 2012

E-commerce (ch16)
Services and business transactions done electronically, like web, storage, software, content. Paying via "physical electronic money" like Bitcoin, centrally controlled systems like PayPal, and normal transactions via credit/debit cards. Specific web-related dangers are user-submitted content, user separation and all sorts of authentication and non-repudiation (sent, received); a notary service is an independent third party able to verify what is true. Timing is important in stock market trading. SSL/TLS and bad configuration of it. IPsec and S/MIME. Certificates and qualified certificates are described in law (EU). Protection of web servers that are becoming virtual in the cloud. Don't wait too long testing security patches before they are applied. Penetration testing from internal resources, or combined with them (developers), to be efficient.

Authentication --> Access Control --> (Confidentiality and integrity) --> Non-repudiation

E-mail and the Internet (ch17)
This control should be integrated, as e-mail and the Internet are an integral part of any business nowadays (funny disclaimers aside); we rely on Internet connectivity. Privacy vs. the company's reputation. Norwegian law allows a business to read employees' e-mail (only for mail accounts issued by the employer). Involve the necessary personnel and tell the person involved.

Access control (ch18)
Internal (employees) and external ("hackers") threats. Mandatory vs discretionary. Need to know, and layered security for more sensitive information.

External --> Firewall --> DMZ --> Internal router --> internal firewalls with protected servers and clients

User management (access control) (ch19)
Two-factor (strong authentication) like biometrics and cryptographic gadgets, single sign-on, unique IDs, no group IDs (shared user IDs), no recycling of user IDs, disabling vs. deleting user accounts, personal delivery of passwords, password change, help desk reset of passwords, unattended workstation --> screen saver locks or smart cards.

create --> operate --> temp block --> disable

Network access (ch20)
Wireless issues caused by bad implementation of security. Bluetooth, infrared, 3G/4G, smaller wireless networks with limited reach, firewalls, NATs, IDSs. Document routers and switches. Avoid single sign-on on servers and monitoring equipment. External connections (partners, and internal via VPN), session timeout for network connections (like when logged in to a banking website), working-hours restrictions. Smartphones and PDAs when travelling or working from home.

System life-cycle
Development process, waterfall vs iterative. Iterative might have trouble with implementing security.

Security in development
Security of system files and security in development/testing. Testing: code analysis (automated and manual), stress test. Factory (FAT) and System (SAT) acceptance tests. Source code: version control/change control, ownership of code (intellectual property).

Moving from "Planning" to "Do"

Monitoring, reporting and management. Keep logs and audits for a long enough period (archiving), often required by law; does this conflict with data protection laws? Not only storing logs, but using them. Protecting logs against tampering. Forensics work to figure out what happened, but requires "evidence soundness". Logging of administrator actions, fault logging, and maintaining synchronized clocks. Manual log book. Security metrics, anomaly detection (determine what is normal and detect unusual activity) and adaptive security. Reporting: events (relevant - reported) vs. incidents (immediate action - managed).
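The "protecting logs against tampering" and "evidence soundness" points above can be made concrete with a hash-chained, keyed audit log. This is an added illustration, not from the course material: each entry carries an HMAC over its own content plus the previous entry's tag, so editing, deleting or reordering an administrator-action record is detected on verification. The key, timestamps and actions are constructed placeholders.

```python
import hashlib
import hmac
import json

# Assumption: KEY is held by the log collector, not by the hosts that emit
# entries, so a compromised host cannot re-sign history. Placeholder value.
KEY = b"placeholder-log-key"
GENESIS = "0" * 64  # tag that the first entry chains to


def _tag(prev_tag: str, record: dict) -> str:
    """HMAC over the previous tag and a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append(log: list, ts: str, actor: str, action: str) -> dict:
    """Add one entry; ts is expected to come from a synchronized clock."""
    prev = log[-1]["tag"] if log else GENESIS
    record = {"seq": len(log), "ts": ts, "actor": actor, "action": action}
    entry = dict(record, tag=_tag(prev, record))
    log.append(entry)
    return entry


def verify(log: list):
    """Return (True, n) if all n entries chain correctly, else (False, index
    of the first entry whose sequence number or tag does not match)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if record.get("seq") != i or not hmac.compare_digest(entry["tag"], _tag(prev, record)):
            return (False, i)
        prev = entry["tag"]
    return (True, len(log))


def demo():
    """Constructed admin-action log; the second entry is then altered."""
    log = []
    append(log, "2012-11-20T09:00:00Z", "admin", "user.create bob")
    append(log, "2012-11-20T09:05:00Z", "admin", "group.add bob sysadmin")
    append(log, "2012-11-20T09:07:00Z", "admin", "user.disable alice")
    before = verify(log)
    log[1]["action"] = "group.add bob staff"  # after-the-fact edit of a record
    after = verify(log)
    return before, after
```

Note that truncating the log's tail is not caught by the chain alone; the latest tag must also be recorded out of band (for example sent to a separate collector) for verification to notice missing trailing entries.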

4 kinds of security events
* security breach
* security threat
* weakness
* malfunction

The ISMS forum, 1-2 times a year, analyses how reporting is working. Business continuity management (BCM) --> survive major disasters: document, train, evaluate. How and when to escalate a situation, mobilization of internal and external resources. Backup of hardware, and where backups are stored. Simulation and walk-through of redundancy and contingency plans.

Audit
An auditor from the same "domain" and language is preferable; there are similarities with Quality Assurance systems. Two stages: document audit and compliance audit. The auditor is supposed to "help" the organisation. Non-conformance: major or minor.
There must be at least one cycle of Check-Act before the first audit attempt. There must be evidence of all processes in the ISMS. Carefully review the Statement of Applicability (SoA).


Ongoing research: Non-repudiation, anomaly detection, adaptive security