Posts Tagged ‘Regulations’
The Open Group Security Practitioners Conference Day 1
The Open Group Security Practitioners Conference opened with Allen Brown and Jim Hietala of The Open Group welcoming the community, followed by a presentation by Murray Rosenthal of the City of Toronto.
Murray says security is not just integration with the system development life cycle; it also has to deal with industry sectors and the legal framework, and should be based on established standards. The intent behind having security should marry with the reality.
Domain architecture should supplement solution architecture. He says that if you don’t have a security architecture, you end up with trial-and-error methods and reverse engineering of the existing enterprise, which can let the enterprise go out of business. The same applies to projects.
Manu Namboodiri of BitArmor presented a different perspective on securing virtualized environments. He suggests avoiding the legacy way of thinking about and approaching security – think out of the box.
In a virtualized environment, everything except data is virtualized. Data is tangible and traverses between environments. It can be duplicated and may remain as remnants forever unless disposed of securely. Data is the lifeblood of the business and is what the business is primarily concerned about; infrastructure and the rest come second. Data has a larger threat surface than any other component in the virtualized world, so it requires higher and stronger security controls there.
Alex Woda of Avient Solutions Group, Steve Whitlock of Boeing, Predrag Zivic and Bob Steadman of Loblaw presented their thoughts on Security Architecture and how it should be developed.
The second half of the day concentrated on Cloud Computing and how to secure the various types of clouds. Tim Brown of CA presented the concept of Cloud Computing, followed by Views of Cloud Computing Architecture and Security by Chris Hoff of Cisco. Chris Hoff introduced the Cloud Security Alliance to the community and encouraged everyone to be part of its efforts. Steve Whitlock provided a short illustration of how the Cloud Security Alliance aligns with the Jericho Forum Cloud Architectural Views.
Internet Traffic Shaping in Canada
A recent Canadian Press Harris-Decima poll on internet traffic management in Canada suggests that one in five of those surveyed supports the idea as long as all users are treated fairly.
From the Internet Service Provider’s (ISP) point of view, they are doing the right thing by reducing congestion during peak-use times caused by peer-to-peer file sharing services. However, I believe that type of service comes at a cost to regular subscribers. In order to carry out such monitoring, the ISP needs to know the activities of each and every subscriber, which breaches their privacy. The Privacy Commissioner of Canada should be involved in the discussions the Canadian Radio-television and Telecommunications Commission (CRTC) is currently holding, to ensure the privacy of Canadians.
With regard to the Canadian Press Harris-Decima survey, I am curious whether the survey ever educated the respondents on the details, especially the ramifications for the regular ISP subscriber if the ISP is allowed to shape internet traffic. According to the Canadian Press report, 54 per cent of the respondents did not know whether traffic management affects them personally.
Couple this with two recent bills – the Investigative Powers for the 21st Century Act and the Technical Assistance for Law Enforcement in the 21st Century Act – just introduced in the House of Commons, which would allow police to collect information about Canadian Internet users without a warrant and to activate tracking devices in their mobile devices and cars; wouldn’t that be a free pass on the privacy of every Canadian internet user?
Critical Security Controls
Critical Security Controls (CSC) are a baseline of information security measures and controls agreed on by US federal CIOs and CISOs, based on the tenet “offensive must inform defense”. These measures and controls should be continuously monitored through automated mechanisms. Even though the primary reason for developing this framework was to address US federal organizations, it can be adopted by both commercial and non-commercial institutions to secure their environments.
It identifies 20 crucial controls that can be used to prepare a roadmap for securing an enterprise. Each control comes with sub-controls grouped into Quick Wins (QW), Improved Visibility and Attribution (Vis/Attrib), Hardened Configuration and Improved Information Security Hygiene (Config/Hygiene) and Advanced (Advanced), which help in preparing the roadmap.
Critical Controls Subject to Automated Collection, Measurement, and Validation:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps
According to the document, the first fifteen controls in the list can be monitored automatically and continuously. The controls not only block the initial compromise of systems, but also address detecting already-compromised ones and preventing or disrupting an attacker’s session. It recommends periodic and continual testing of the controls to protect IT systems as well as personally identifiable information.
It would help to prepare a spreadsheet identifying the QW, Vis/Attrib, Config/Hygiene and Advanced sub-controls for each control; the spreadsheet will help prioritize the controls for the roadmap.
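As an added illustration (not from the CSC document or this blog), the prioritization spreadsheet above can be generated from an assessment inventory: each sub-control is tagged with its control number and tier, gaps are ordered Quick Wins first, and controls 1–15 are flagged as supporting automated measurement. The sample inventory and its sub-control descriptions are constructed placeholders, not the wording of the actual CSC sub-controls.

```python
from collections import defaultdict
from dataclasses import dataclass

# Sub-control groups in roadmap order: Quick Wins first, Advanced last.
TIER_ORDER = ["QW", "Vis/Attrib", "Config/Hygiene", "Advanced"]
# Controls 1-15 are subject to automated measurement; 16-20 are not.
AUTOMATED_CONTROLS = frozenset(range(1, 16))

@dataclass(frozen=True)
class SubControl:
    control: int        # CSC number, 1..20
    tier: str           # one of TIER_ORDER
    description: str    # constructed wording, not the CSC document's text
    implemented: bool   # current status from the assessment

# Constructed sample inventory with placeholder descriptions.
SAMPLE_INVENTORY = [
    SubControl(1, "QW", "Maintain an inventory of all devices", True),
    SubControl(1, "Vis/Attrib", "Alert on unknown devices joining the network", False),
    SubControl(2, "QW", "Maintain a list of authorized software", False),
    SubControl(8, "QW", "Use separate accounts for administrative work", True),
    SubControl(8, "Advanced", "Alert on admin privilege use outside change windows", False),
    SubControl(17, "Config/Hygiene", "Run an annual red team exercise", False),
]

def build_roadmap(inventory):
    """Unimplemented sub-controls in roadmap order: by tier, then control."""
    gaps = [s for s in inventory if not s.implemented]
    return sorted(gaps, key=lambda s: (TIER_ORDER.index(s.tier), s.control))

def coverage(inventory):
    """Map control number -> (implemented, total) sub-control counts."""
    done, total = defaultdict(int), defaultdict(int)
    for s in inventory:
        total[s.control] += 1
        done[s.control] += int(s.implemented)
    return {c: (done[c], total[c]) for c in sorted(total)}

def spreadsheet_rows(inventory):
    """CSV rows for the prioritization spreadsheet, gaps first in roadmap order."""
    rows = ["control,tier,automated,implemented,description"]
    ordered = build_roadmap(inventory) + [s for s in inventory if s.implemented]
    for s in ordered:
        auto = "yes" if s.control in AUTOMATED_CONTROLS else "no"
        done = "yes" if s.implemented else "no"
        rows.append(f"{s.control},{s.tier},{auto},{done},{s.description}")
    return rows

if __name__ == "__main__":
    print("\n".join(spreadsheet_rows(SAMPLE_INVENTORY)))
```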
CSC is available at http://sans.org/cag/