December 2012
Volume 10 Issue 12
Storage Security Governance: A Case Study
Structured Risk Analysis Offers Rich Rewards
Network Device Forensics
Table of Contents
Feature
12	Network Device Forensics
By Didier Stevens – ISSA member, Belgian Chapter
The goal of this article is to raise awareness about the measures you can take to improve the success of network forensics.
16	Storage Security Governance: A Case Study
By Vinoth Sivasubramanian – ISSA member, UK Chapter
The author describes the experiences and results of an assignment that brought about a marked improvement in storage security for a commodity trading organization. The practical steps suggested aim to answer some of the core challenges surrounding storage and bring about a continual-improvement storage security program.
24	Structured Risk Analysis Offers Rich Rewards
By Greg Jones
Risk analysis is a far from exact science, with assessments continuing to vary in scope. This article discusses the emergence of context-aware classification systems and methods that can guide you through the process with pre-categorized risk information and could be the key to effective risk and threat analysis.
©2012 Information Systems Security Association, Inc. (ISSA)
The ISSA Journal (1949-0550) is published monthly by the Information Systems
Security Association, 9220 SW Barbur Blvd. #119-333, Portland, Oregon 97219.
Articles
Also in this issue
3	 From the President
4	 editor@issa.org
5	 Sabett’s Brief
Holiday Shopping with My Smartphone
6	 Herding Cats
Pocket Storage for All
7	 Security Awareness
Security Awareness Training Feedback Surveys
8	 Association News
30	 Risk Radar
YARA Signatures
32	 toolsmith
ModSecurity for IIS:
36	 Conferences
2 – ISSA Journal | December 2012 ©2012 ISSA • www.issa.org • editor@issa.org • All rights reserved.
From the President
International Board Officers
President
Ira Winkler, CISSP, Distinguished Fellow
Vice President
Andrea C. Hoy, CISM, CISSP, MBA
Secretary/Director of Operations
Bill Danigelis, CISSP,
Senior Member
Treasurer/Chief Financial Officer
Kevin D. Spease, CISSP-ISSEP, MBA
Board of Director Members
Frances “Candy” Alexander, CISSP,
CISM, Distinguished Fellow
Debbie Christofferson, CISM, CISSP,
CIPP/IT, Distinguished Fellow
Mary Ann Davidson
Distinguished Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE,
CEng, CLAS
Pete Lindstrom, CISSP
George J. Proeller, CISSP, CISM, ISSAP,
ISSMP, D.CS, Distinguished Fellow
Nils Puhlmann, CISSP-ISSMP, CISM
Brian Schultz, CISSP, ISSMP, ISSAP,
CISM, CISA, Fellow
Stefano Zanero, Ph.D., Senior Member
DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY
Hello ISSA members
Ira Winkler, International President
The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.

With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government.

The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.
Today, I reviewed the schedule for the upcoming RSA Conference in February, and I am looking forward to the ISSA Member Reception that will be held on Tuesday of the conference. While the whole conference is generally a great opportunity to get together with other security professionals, our reception is an opportunity to recognize the accomplishments of our peers.

This reminds me that the nomination process for the ISSA Fellow Program is currently open until December 5. This program acknowledges sustained membership and contribution to the ISSA, as well as the information security community in general. So, let me take this opportunity to remind everyone that you should look to yourselves and fellow members to consider people to nominate.

There are several levels in the Fellow Program. The first is Senior Member, which acknowledges sustained membership within ISSA. Specifically, after five years of membership you are eligible for the Senior Member designation. To apply, you need to complete the online application on the ISSA website and have your local chapter complete the endorsement form. There are other requirements, but this is the basic flow.

Yes, it is the intent of the ISSA to engage members with their local chapters. The chapters will support the applicants; the applicants will see the benefits of interacting with other members and take advantage of the networking opportunities. Hopefully, most applicants have already been participating within their chapters, and this engagement increases the strength of the chapters as well.

The Fellow and Distinguished Fellow designations are reserved for members who have not only sustained long-term membership, but have also served in leadership positions within the ISSA as well as serving the information security community as a whole. There are a number of qualifications that applicants must meet. I recommend that you check the ISSA website (=> Advance) to determine the specific requirements, and seek out a party who can nominate you or another deserving member.

Before being elected president, I was responsible for overseeing the Fellow Program, and it was actually the most rewarding aspect of serving on the ISSA International Board. Specifically, I was the person responsible for acknowledging members’ accomplishments. It was a pleasure to personally congratulate these people in front of their peers and large audiences. Rarely is there such an opportunity to acknowledge people in our profession.

I have also received messages expressing appreciation from the people who have been accepted into the varying levels of the program. We all appreciate the rare recognition of our professional accomplishments. It encourages us to serve the ISSA as well as the larger information security community.

So, please consider reviewing the requirements of the three levels of the Fellow Program, and consider people to nominate. They and the ISSA will thank you.

Ira Winkler
The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader.

Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry and/or changes or enhancements to hardware or software components.

The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org.

All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.
editor@issa.org
Welcome to the December Journal
Thom Barrie – Editor, the ISSA Journal

Another year is drawing to a close.

Thank you, authors, most of whom are ISSA members, for sharing your insights, experiences, and expertise – and I certainly encourage others to submit as well.

Thank you, advisory board members, for your efforts to keep the Journal relevant and informative – we’ve developed next year’s editorial calendar and it looks like another great year ahead. Visit the ISSA website => Learn => ISSA Journal => 2013 Calendar to see where you might be able to contribute. Of course, if you think a topic has been overlooked, let us know, or better yet, submit an article to close the gap.

And thank you, readers – the why we do what we do. I encourage you to let us know how we are doing; offer up some comments and considerations on an article you’ve read; send in a letter to the editor, agreeing or disagreeing – let’s keep the dialog going.

And I wish you all Happy Holidays and a safe, prosperous, and secure New Year.

– Thom

ISSA Journal
Editor: Thom Barrie, editor@issa.org
Advertising: advertising@issa.org, 866 349 5818, +1 206 388 4584 x101

Editorial Advisory Board
Mike Ahmadi
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Fellow

Services Directory
Website: webmaster@issa.org, 866 349 5818, +1 206 388 4584
Chapter Relations: chapter@issa.org, 866 349 5818, +1 206 388 4584 x103
Member Relations: member@issa.org, 866 349 5818, +1 206 388 4584 x103
Executive Director: execdir@issa.org, 866 349 5818, +1 206 388 4584 x102
Vendor Relations: vendor@issa.org, 866 349 5818, +1 206 388 4584 x101

Headquarters ISSA Inc.
9220 SW Barbur Blvd. #119-333, Portland, OR 97219  •  www.issa.org
Toll-free: 866 349 5818 (USA only)  •  +1 206 388 4584  •  Fax: +1 206 299 3366
Sabett’s Brief
Holiday Shopping with My Smartphone
By Randy V. Sabett – ISSA member, Northern Virginia, USA Chapter

So, how many of you would trust your mobile device to securely handle a high or very high value mobile transaction? After all, security and trust serve as two of the building blocks upon which decisions about risk in the mobile environment can be made. From a corporate perspective, such decisions ultimately can affect the liability that an organization will face as a result of how its employees use mobile technology. Today’s mobile technology, unfortunately, often has weak (or even nonexistent) security and trust. To address this shortcoming, NIST recently released another draft in its 800-series of Special Publications.1 Entitled “Guidelines on Hardware-Rooted Security in Mobile Devices,” Draft SP 800-164 introduces a security framework for mobile devices.

Draft SP 800-164 establishes up front that various overlapping roles exist related to mobile devices, with the main use case focused on enterprise deployments of technology and, specifically, “bring your own device” (BYOD). For example, the roles of Device Owner and Information Owner can be played by either the company or the employee, depending on the particular arrangement between the two. Interestingly, Draft SP 800-164 does not mention the role of the government or regulators. It also does not talk about the liability that a stakeholder might have as a result of taking on a particular role. Each of the entities that it does discuss, however, has a particular set of interests and identifiable activities within the mobile environment. The resulting liability concerns necessitate a deeper inquiry into the security components and hardware features available (or that should be available) on the particular devices.

From a security perspective, various Roots of Trust exist that provide varying degrees of protection to the mobile environment. A future BYOD approach may no longer be limited to a binary “yes, you may bring your device” or “no, you may not bring your own device.” Instead, depending on how much or how little liability exposure an organization may decide to take on, it may want to examine both the security components and the security capabilities in the devices it will be deploying.

Draft SP 800-164 states that three security components are required within mobile devices. First, the Roots of Trust (RoTs) mentioned above must be implemented as “security primitives composed of hardware, firmware, and/or software that provide a set of trusted, security-critical functions.” Second, an Application Programming Interface (API) must be implemented that exposes the RoTs to the device and the OS so that those RoTs can be used to provide a chain of trust. Third, a Policy Enforcement Engine must exist to enable the use of policies on the mobile device. These security components must further be used to implement the three mobile security capabilities of device integrity, isolation, and protected storage.

The guidance goes on to describe a number of different contexts in a “notional architecture” of a typical mobile device. Within those contexts, the components above should be used to provide the capabilities of (a) device integrity (defined as “the absence of corruption in the hardware, firmware, and software of a device”), (b) isolation (defined as “the capability to keep different data components and processes separate from one another”), and (c) protected storage (a fairly well-understood concept that “depends heavily on encryption and integrity protection”). Again, these can combine to provide some level of protection for the organization.

Overall, the Draft SP 800-164 does a reasonable job of introducing the issues of trust and security in a mobile environment, then providing a conceptual approach for addressing and improving those issues. Future drafts could go further by addressing three critical things: (1) providing practical guidance on how companies can apply the concepts in the document, (2) the role of the government in the mobile deployment environment, and (3) how the various technical and policy concepts in the framework can be used to limit the liability of an organization looking to roll out or improve its mobile deployment. Now, I’m headed off to do all of my shopping…using my Android phone. Have a wonderful and safe holiday season!

1	See http://csrc.nist.gov/publications/PubsSPs.html.

About the Author
Randy V. Sabett, J.D., CISSP, is Counsel at ZwillGen PLLC (www.zwillgen.com), an adjunct professor at George Washington University, and a member of the ISSA NOVA Board of Directors. He was a member of the Commission on Cybersecurity for the 44th Presidency and can be reached at randy@zwillgen.com. The views expressed herein are those of the author and do not necessarily reflect the positions of any current or former clients of ZwillGen or Mr. Sabett.
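To make the division of labour among the three components in Sabett’s column concrete, here is a small Python model added for this issue. It is not NIST text or reference code, and the column does not supply it. A Root of Trust measures each boot component into a running hash (the extend-style chaining used by TPM platform configuration registers, assumed here as the chain-of-trust mechanism; the column does not name TPM), the API exposes only measure and seal/unseal, and the policy check releases a protected-storage key only if the current device-integrity measurement equals the one the key was sealed to. The component names, the RoT secret, the sealed-blob layout and the XOR-with-HMAC wrapping are constructed for illustration; a real RoT would use an authenticated cipher or a hardware seal operation, and would be the only party able to extend the measurement.

```python
"""Constructed model of SP 800-164's three components working together:
a Root of Trust that measures a boot chain, a minimal API over it, and a
policy check that releases a protected-storage key only on a matching
device-integrity measurement.  Added example, not NIST text or code."""
import hashlib
import hmac

# Constructed boot chain the organisation approved...
TRUSTED_CHAIN = [b"boot-rom 1.0", b"bootloader 2.3",
                 b"kernel 3.4-hardened", b"policy-engine 1.1"]
# ...and the same device with a modified bootloader.
TAMPERED_CHAIN = [b"boot-rom 1.0", b"bootloader 2.3 (patched)",
                  b"kernel 3.4-hardened", b"policy-engine 1.1"]

# Secret held inside the Root of Trust; never returned through the API (constructed).
ROT_SECRET = b"constructed-rot-secret-do-not-reuse"


def extend(measurement: bytes, component: bytes) -> bytes:
    """One link of the chain of trust: new = H(old || H(component)).

    Each stage measures the next before handing control to it, so the final
    value depends on every component and on their order; one changed byte
    anywhere yields a different measurement."""
    return hashlib.sha256(measurement + hashlib.sha256(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Device-integrity measurement for a boot sequence, starting from zeros."""
    measurement = bytes(32)
    for component in components:
        measurement = extend(measurement, component)
    return measurement


def seal(storage_key: bytes, expected: bytes, rot_secret: bytes = ROT_SECRET) -> tuple:
    """Protected storage: bind a 32-byte key to an expected measurement.

    The wrap key is derived from the RoT secret and the measurement, and a MAC
    covers measurement and ciphertext so neither can be altered unnoticed.
    Toy construction chosen to show the binding, not a production primitive."""
    assert len(storage_key) == 32
    wrap = hmac.new(rot_secret, b"wrap" + expected, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(storage_key, wrap))
    tag = hmac.new(rot_secret, b"tag" + expected + ciphertext, hashlib.sha256).digest()
    return expected, ciphertext, tag


def unseal(blob: tuple, current: bytes, rot_secret: bytes = ROT_SECRET):
    """Policy enforcement: release the key only if the blob is intact and the
    device's current measurement equals the one it was sealed to."""
    expected, ciphertext, tag = blob
    check = hmac.new(rot_secret, b"tag" + expected + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(check, tag):
        return None  # blob altered: integrity protection failed
    if not hmac.compare_digest(current, expected):
        return None  # device integrity changed: policy refuses release
    wrap = hmac.new(rot_secret, b"wrap" + expected, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, wrap))


def demo() -> dict:
    """Trusted boot releases the key; a tampered boot or a forged blob does not."""
    storage_key = bytes(range(32))  # constructed 32-byte data-protection key
    good = measure_chain(TRUSTED_CHAIN)
    bad = measure_chain(TAMPERED_CHAIN)
    blob = seal(storage_key, good)
    forged = (bad, blob[1], blob[2])  # attacker swaps in the tampered measurement
    return {
        "released_on_trusted_boot": unseal(blob, good) == storage_key,
        "released_on_tampered_boot": unseal(blob, bad) is not None,
        "released_with_forged_blob": unseal(forged, bad) is not None,
    }


if __name__ == "__main__":
    for outcome, released in demo().items():
        print(f"{outcome}: {released}")
```

The two refusals are the point: device integrity (the measurement) gates protected storage, and the integrity tag stops anyone from simply rewriting the expected value, which is what the column means when it says protected storage “depends heavily on encryption and integrity protection.”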
Herding Cats
Pocket Storage for All
By Branden R. Williams – ISSA Fellow and member, North Texas, USA Chapter

I can hear the friendly ribbing now.

“Oh GEE Brando, an issue dedicated to storage? I am sure you will have fun toeing the company line on that one! After all, you joke about how storage is cheaper for you than others when you talk about collection without limitations.”

Sure, generic security guy, I do joke about that. But I wanted to take this month’s column in a different direction. It does deal a little bit with storage, but it’s the storage we carry with us every day. Yep, the old smartphone problem, and what the heck is that thing doing?

I’m presently writing this column about three weeks before you will read it. It’s the week following BSidesDFW, which was a great success thanks to the fantastic organizers and community surrounding them. One session in particular that I really enjoyed was with Francisco Artes live, and hilarity from Gal Shpantzer via Skype, where they discussed how smartphone storage worked and the security features of both the Android and iPhone platforms. I’ve written and blogged about the super forensic-friendly nature of these devices, but it wasn’t until this session that I really began to understand the nature of what is left around on these devices.

I’ve been very interested in doing forensic analyses of the phones in my house, but I’ve not had the time or networking abilities to get into the right crowds to both gain the knowledge and equipment required. Here’s the good news. If you have an iPhone, you probably have pretty seamless upgrades into newer versions of iOS and the adoption rate is insane (over 61% at the end of October). If you have an Android, you may be frustrated with your ability to upgrade depending on the carrier or handset. So let’s talk bad news for iPhone users now, because I was certainly enlightened to learn how the underlying storage and the security models work.

Everything on your iPhone is essentially stored in a database. Great for quick access and organization, and it allows for some containerization such that application data doesn’t commingle. Sounds great so far, right? But what happens if you delete a text message or something from an application? Since you deleted it, it must be gone, right?

Nope.

The database entry is only marked as free space that may eventually be overwritten; its bytes are still on the phone until something actually reuses or rewrites that space. So a forensic analysis of the database file will show all those texts that you thought you deleted. But wait, because it gets SO much worse.

Every time you back up your iPhone, the backup copies the database files as they are, so all of those entries that you have marked as deleted are backed up right with all the good stuff that you want to see. This means that it becomes insanely hard to remove them from your device because they now are in your backups. If you grab the newest iPhone and restore from your old backup, all of those deleted texts now make their way onto your new phone! According to Francisco and Gal, the only way to prevent this is to set up your iPhone as a NEW device, not restoring from backup. That is, start all over.

Now let’s put on our tin foil hats and get really suspicious of everything with a battery. Maybe you are one of the many iPhone users who doesn’t have a (working) home computer. Or maybe you want to take advantage of Apple’s generous offer to back up your phone for you via iCloud so that no matter where you are, you can restore your phone if you have a problem. Do you see where I am going? All of those deleted texts are now up in the cloud and out of your control. If you were thinking of doing something illegal and coordinating it from your iPhone, your backups could be subpoenaed without your knowledge and all of those deleted texts might be in the hands of the Feds. Yikes!

The point of Francisco and Gal’s presentation wasn’t necessarily to make everyone run from the room screaming in fear, but to uncover some of the good security-related things that mobile devices can do while highlighting the snakes in the grass that we all need to be aware of – especially corporate security folks who are charged with keeping information secure on those devices. It might be time to re-think how information moves throughout your company and see how bad a lost cell phone might actually be.

About the Author
Branden R. Williams, CISSP, CISM, is a CTO at RSA, the Security Division of EMC, an ISSA Fellow, and regularly assists top global retailers, financial institutions, and multinationals with their information security initiatives. Read his blog, buy his book, or reach him directly at http://www.brandenwilliams.com/.
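The mechanism the column describes can be checked on a workstation with SQLite, the embedded database engine behind stores such as the iPhone’s sms.db. The following Python script is an added example for this issue, not code from the column or from the BSidesDFW talk; the table layout, the sample messages and the file names are constructed. It deletes one row, shows that its text still sits in the freed space of the file (SQLite’s default secure_delete=OFF behaviour), shows that a byte-for-byte backup copy carries it along, and then shows the two things that actually remove it: rebuilding the file with VACUUM, or turning secure_delete on before the delete.

```python
"""Constructed demonstration: a deleted SQLite row survives in the file, and in
any byte-for-byte backup of it, until the file is rebuilt.  Added example for
this issue; table, messages and file names are made up for illustration."""
import os
import shutil
import sqlite3
import tempfile

# Constructed sample messages; the one we delete is distinctive enough to grep for.
MESSAGES = [
    ("+15550100", "running late, order without me"),
    ("+15550199", "meet at the dock at midnight, bring the cash"),
    ("+15550100", "ok see you there"),
]
SECRET = MESSAGES[1][1]


def build_message_db(path: str, secure_delete: bool) -> None:
    """Create a small message store, then delete the sensitive row.

    secure_delete=False is what a stock SQLite build does by default: the row's
    bytes are marked free but left in place.  secure_delete=True makes SQLite
    overwrite freed content with zeros as part of the delete."""
    conn = sqlite3.connect(path)
    conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, handle TEXT, text TEXT)")
    conn.executemany("INSERT INTO message (handle, text) VALUES (?, ?)", MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM message WHERE text = ?", (SECRET,))
    conn.commit()
    conn.close()


def raw_file_contains(path: str, needle: str) -> bool:
    """The forensic check: look for the text in the raw bytes, bypassing SQL."""
    with open(path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def live_row_count(path: str) -> int:
    """What the application (or a naive SQL query) sees."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    finally:
        conn.close()


def rebuild(path: str) -> None:
    """VACUUM rewrites the file from the live rows only, dropping freed content."""
    conn = sqlite3.connect(path)
    conn.execute("VACUUM")
    conn.close()


def demo() -> dict:
    """Run the whole sequence in a scratch directory and report each check."""
    with tempfile.TemporaryDirectory() as workdir:
        db = os.path.join(workdir, "sms.db")
        build_message_db(db, secure_delete=False)

        # A backup that copies the file verbatim carries the freed bytes with it.
        backup = os.path.join(workdir, "sms.db.backup")
        shutil.copyfile(db, backup)

        result = {
            "live_rows": live_row_count(db),
            "deleted_text_in_file": raw_file_contains(db, SECRET),
            "deleted_text_in_backup": raw_file_contains(backup, SECRET),
        }
        rebuild(db)
        result["deleted_text_after_vacuum"] = raw_file_contains(db, SECRET)

        secure_db = os.path.join(workdir, "sms_secure.db")
        build_message_db(secure_db, secure_delete=True)
        result["deleted_text_with_secure_delete"] = raw_file_contains(secure_db, SECRET)
        return result


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

An examiner does the raw_file_contains step with a hex editor or a carving tool rather than Python, but the principle is the same: what the SQL layer no longer returns is still in the pages, and in every copy of them. The backup copy here stands in for the column’s iTunes or iCloud backup, and the VACUUM result is why “set it up as a new device” works where restoring does not.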
Security Awareness
Security Awareness Training Feedback Surveys
By Geordie Stewart – ISSA member, UK Chapter

Whoever said that there’s no such thing as a stupid question, only a stupid answer, has probably never seen a feedback survey for security awareness training sessions. Questions such as “Did you learn anything?” and “Do you feel more secure?” are as common as they are idiotic. I guess it’s largely shaped by the motives of who is asking the question. The trainers involved are primarily interested in demonstrating that they are good trainers, and questions are designed to elicit complimentary feedback. Feedback surveys are a great chance to obtain valuable feedback, but only if we’re asking the right questions.

In this column we’re going to look at training feedback surveys in more detail. Getting useful feedback from training sessions is challenging, but not impossible. For a start, you need to be aware of people’s biases. Surveys measure “declared preferences” since they rely on people expressing their views. While easier to gather, declared preferences have inherent biases that need to be acknowledged and allowed for when interpreting the results. “Revealed preferences” are what people actually do, but measuring what people do accurately and efficiently can be difficult, especially if people know they’re being observed. Here are some suggestions for allowing for people’s biases while obtaining reliable survey data.

Selection Bias. By definition, the population available to fill out training awareness feedback forms is usually those who actually attended. Therefore, the results do not include those who chose not to attend. Consider carefully what the people who didn’t attend might say. That the training was too long? Too basic? Too boring? If people have perceptions that are holding them back from attending, it’s important to find out why. It’s not necessarily about the session; it’s about people’s perceptions of the session, which also need to be managed. You may want to consider a survey targeted at people who didn’t attend to ask them why.

Confirmation Bias. When we signal the desired answer in the phrasing of the question, we deserve the answers we get. It’s human nature to avoid confrontation or disappointing people, and there is a tendency for people to tell us what we want to hear. To counter this bias, try to avoid questions which are phrased in moral terms. Look out for the word good, as it normally signals a moral norm and therefore an expected answer.

Intention Bias. People have all sorts of good intentions. Go to the gym. Lose weight. Stop smoking. However, there is a big gap between intent at a point in time and what people actually do in the following days and months. It’s all very well people declaring their intention to take security more seriously, but you should have a glance at your own 2012 New Year’s resolutions for a reality check. If you’re going to bother asking people about their intentions after training, then you should have a way of measuring later how many people followed through.

Phrasing. Questions should be as short as you can make them without becoming vague, and you should only ask one question at a time. For example, “Was the training clear and easy to follow?” actually mixes up two different concepts, which mean different things: training clarity and training pace. Where questions are unclear or confusing, the temptation will be to abandon the survey (which reduces completion rates) or skip through (which reduces data quality).

Be Specific. Avoid subjective words that are going to have different interpretations. For example, the word often will mean different things to different people. Instead of a word like often, try setting out a specific time frame such as “at least once a week.”

Vocabularies. The use of obtuse linguistic structures (complex sentences) and TLAs (vague acronyms) will cause problems by impacting both completion rates and data quality. Consider trying out your test questions on some volunteers and ask them to repeat back to you in their own words what your question is asking. You may be surprised at how your questions were interpreted. When you reliably get people repeating back your questions as you intended, then you’re ready to go.

Designing effective surveys does take time and effort, but is worth it in order to obtain valuable feedback. It is important to allow for people’s biases and tendencies when designing a survey. If you’re judging the “success” of your security awareness training by feedback from slackers who hang around to gossip after training sessions and tell you what you want to hear, you’re probably wasting your time.

About the Author
Geordie Stewart, MSc, CISSP, is the Principal Security Consultant at Risk Intelligence and is a regular speaker and writer on the topic of security awareness. His blog is available at http://www.risk-intelligence.co.uk/blog, and he may be reached at geordie@risk-intelligence.co.uk.
Association News

Connect with Us
Do you tweet? ISSA now has a Twitter page! Don’t forget to like us on Facebook! You can also find us on LinkedIn! When it comes to cybersecurity, being out of the loop is a dangerous place. Keep informed through ISSA’s social media connections.

2013 ISSA European Conference
February 5, 2013 • London, England
Announcing the 2013 ISSA European Conference. This event will focus on some key challenges we all face: Cyber Crime, Cyber Conflict, and Cyber Espionage. At this conference attendees will hear from leading European and international speakers who will inform and set our future direction in Information Security. A great value: ISSA members can attend for just $35 USD. Visit www.issaconference.org to register today. Space is limited.

Keynote Presentations Now Online!
Video recordings of the 2012 International Conference Keynote Presentations are now available. Additional recordings will be available in the months following the conference. Please look for announcements in member communications and on ISSA’s social media sites.

ISSA Web Conferences
The ISSA Web Conferences bring together ISSA members from around the world to share leading industry presentations and answer members’ questions. Each event is designed to address the timely needs of our members through a live online event and a subsequent recorded version for on-demand viewing. All content is developed by the ISSA Web Conference Committee.

CPE Credit Available: ISSA members will be eligible for a certificate of attendance, after successful completion of a post-event quiz, to submit CPE credits for various certifications.

Predictions for the New Year
Date: January 22, 2013
Start Time: 9:00 a.m. US Pacific / 12:00 p.m. US Eastern / 5:00 p.m. London
Once again some brave (or foolish?) folks volunteer some insights and predictions into where infosec challenges will come from in 2013 and beyond. To a degree, changes in legislation and technology are easy meat to predict in a 12-month time frame. But what about environmental impacts such as cyberattacks and cyberwarfare trends? Will the cold wind of social media exploits bring infosec into focus for the ignorant end user? What is likely to be the next big hurricane of “wikileaks-type” exposure to rock the industry? Where will the wind of change blow security in the “cloud?” Will the heat be turned up further on compliance requirements? Will there be a drought of funds making everything we want to do harder to achieve? Join us, make notes, and then check back in a year to see how we did!

More information on the 2013 web conference schedule is available from ISSA.

Photo: Embracing Change Keynote Panel
Photo: International Director Pete Lindstrom’s fireside chat with former US Cybersecurity Coordinator and former ISSA International President, Howard Schmidt.

Comments on Howard Schmidt Keynote
Hearing the interview with Howard Schmidt after his time serving in the US White House was one of the conference highlights for me. ISSA is so fortunate in having a previous ISSA president serving as a special advisor to President Obama. Howard’s views on security threats to small-medium-sized businesses were particularly interesting.1 This is an area that the ISSA UK Chapter has focussed on for the last two years with the ISSA5173 standard,2 which was presented at the conference by ISSA UK Board member Gabe Chomic (Critically Unprotected Infrastructure: Information Security and Small Business).

Geoff Harris – ISSA International Director and member, UK Chapter

1	http://www.scpr.org/news/2012/10/29/34760/anaheim-ex-cyber-security-czar-warns-threat-smalle/.
2	http://issa5173.com/.
Association News
My First Experience at an ISSA
International Conference
B
eing able to attend the ISSA International Conference
was like opening a treasure chest and finding all kinds
of jewels and valuable objects to enjoy: the speakers,
the exhibitors, and the time for networking and conversations with people – including those who had only been voices on the telephone.
Our keynote and featured speakers were marvelous in their perspectives of information security and how we can embrace a changing world – and the surprising key to our success is communication and building relationships, not the deployment of new technology (although that has its place). Be ready to explain new technologies to the C-suite and show how they relate to business success; they won’t fund what they don’t understand.
Day 1
Jay Leek (Taking Your US-Focused Risk Management and Security Program International) had great advice: keep it simple, do not confuse email with communication, pick up the phone and call, and lead by example. Christofer Hoff (Stuff My Cloud Evangelist Says: Just Not to the CSO) discussed the 7 dirty words for security. He said we can’t afford a turf battle; this isn’t West Side Story. Rafal Los (House of Cards - How Not to Collapse When Bad Things Happen) presented an effective perspective for responding to new “challenges” – resilience. Bad things are going to happen, but how are you going to respond and “get back to business.” Be pragmatic, create staged attacks, assess your response, and update your response; do it until it is “muscle memory.”
On Day 2
Howard Schmidt (morning keynote) reminded us that we have to be able to listen and to negotiate; we need to get personal relationships going with key persons in our organization. He quoted Althea Gibson: “We can’t accomplish anything without others.” Stephen Northcutt (Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge) focused on leading in a time of change and having situational awareness; be alert for what you can measure and know what is “ever green.” Consider giving up a low-value task to pursue a high-value task; decide what you want to accomplish, make a plan, and you will achieve great things.
Andy Ellis (Social Engineering the Risk Hindbrain: How to Avoid Security Subsistence Syndrome) had a captivating presentation topic of “Herding Lizards”; lizards know fear, they run away! People consider risk differently; “safe” means different things to different roles: CEO, Sales, Product Development, CFO, Employees, and Security. Train people to get used to fixing risks; make them less afraid of it. If you try for “perfect,” you won’t get to “good.” So, as an individual, get better at what you do now; do three things well and then pick up something else.
Next year the conference is in Tennessee, a very hospitable location that is reachable from any port. If you didn’t get to attend this year’s conference – or even if you did – definitely consider attending in 2013; it will be a wonderful and enlightening experience (y’all).
Conference Recap from Mollie Krehnke, ISSA Fellow and member, Raleigh, USA Chapter
[Note: Mollie received her ISSA Fellow award at the conference.]
Association News
Survey Results on Cyber Terrorism from the International Conference
At ISSA International this year, exhibitor and sponsor Ixia interviewed security professionals to gain insight into their thoughts on cyber terrorism. And here’s what they found:
1. Do you anticipate a major cyber terrorism event to occur in the next year?
79% responded yes to this question. In our discussions with these security experts, many of them said “It’s already happening!”
2. Which industry do you feel is the strongest target for cyber terrorism?
• Oil & Gas 12.3%
• Finance 22.8%
• High Tech 0%
• Government 17.1%
• Power grid 35.2%
• Utilities (water, etc.) 12.4%
The respondents viewed the financial industry as the most tempting target, with profit as a chief motivation. However, many acknowledged that the finance industry was better protected than some other industries, such as power grid and utilities, which received a combined 48% of the vote. Utilities and the power grid were called out as being wired-in to the Internet and under-protected, AND a target that would cripple the nation if the attack was successful. Also, several respondents requested a Select All option as they viewed all options as vulnerabilities. It’s interesting to note that there were no votes for High Tech as a top target for cyber terrorism. Though High Tech is clearly an Advanced Persistent Threat (APT) target, it was not regarded as a cyber terrorism target.
3. Do you believe it’s the responsibility of the US Government to protect you from cyber terrorism?
People really had to think about this question. The majority of respondents – 59% – believed it is the US Government’s responsibility to protect us. The remaining 41% disagreed, with many of them lacking faith and trust in the government’s ability to move quickly enough to be effective. Worth noting is the fact that respondents who worked for the government universally felt it was a responsibility of the government.
Many respondents who answered positively likened the situation to the expectation that the government is responsible for preventing physical terrorism, and that the parallel should hold for cyber terrorism. On the other side of the coin, shared responsibility was a common theme. Several respondents used the example of protecting your house – the government is expected to provide protection, but in the end homeowners are responsible for protecting themselves with appropriate security measures.
The fight against cyber terrorism continues…
It was interesting to pick the brains of the security pros attending ISSA International this year, since these are the men and women on the front lines of the fight against cyber terrorism. While they may have disagreed on the top target for cyber terrorism and whose responsibility it is to stop it, there was no question among our respondents that it’s a growing threat that requires constant vigilance.
Conference Recap from Kate Brew – ISSA member, Capitol of Texas Chapter
ISSA London 2013 • February 5, 2013
Deloitte Offices, 2 New Street Square, London, UK
Presented by ISSA International & Generously Hosted by Deloitte
The 2013 ISSA London Conference will focus on some key challenges we all face: Cyber Crime, Cyber Conflict, and Cyber Espionage.
A great value! ISSA members can attend for $35 USD, non-members for $105 USD.
Register Today • Space is limited. www.issaconference.org
Opening Keynote: Digital Identity, State Protective Monitoring, and Civil Liabilities – Right Honourable David Davis MP, House of Commons, UK Parliament
Cooperation in Securing National Critical Infrastructure – Dr. Steve Purser, Head of Technical Competence Department, European Network & Information Security Agency (ENISA)
Cyber Crime Challenges for Europe – Dr. Victoria Bains, Europol Cyber Crime Centre
Establishing Trust Across International Communities – Patrick Curry OBE, Director, British Business Federation Authority
Insider Attacks: Lessons Learned – Dr. Thiébaut Devergranne, Docteur en droit/Doctor of Law in France
Eddie Schwartz, VP & Chief Information Security Officer, RSA, The Security Division of EMC
Closing Keynote: Red Dragon Rising Across Europe – Lt Col William Hagestad II, USMCR
ISSA will be hosting two satellite events in conjunction with ISSA London 2013:
February 4: This peer-only event will feature executive briefings from Lt Col William Hagestad II USMCR, a leading authority on Chinese Cyber & Information Warfare, and Eddie Schwartz, VP & Chief Information Security Officer, RSA, The Security Division of EMC. Attendance at this event is by invitation only.
February 6: Join ISSA’s European leaders for an event focused on growing and supporting chapters in the region. The Chapter Leaders Summit is open to Chapter Board Members and Officers.
Network Device Forensics
By Didier Stevens – ISSA member, Belgian Chapter
The goal of this article is to raise awareness about the measures you can take to improve the success of network forensics.
Imagine that a rogue laptop connects to your corporate WiFi and is able to access the Internet via your corporate proxy server. Let us assume that your WiFi is protected by a pre-shared key, but that this rogue laptop is owned by a former employee. Will you detect this? And will you be able to trace back to the former employee?
A foreign competitor hires a tech-savvy criminal to install a trojaned operating system on your edge router. This trojan facilitates access to your corporate network for unauthorized persons by tampering with the authentication control logic. Will you detect the trojaned router?
These two examples represent two common classes of forensic investigations where forensic evidence needs to be collected from network devices. In the first example, network devices contain evidence of the network traffic that flowed through them. In the second example, network devices have been compromised and forensic evidence needs to be lifted from them.
Forensic evidence gathered by network devices
To operate properly, network devices need to maintain information about the network traffic they process. Since network devices have limited amounts of memory compared to general purpose computers, they tend to collect only the bare essential information for their processes, and this information is discarded rather quickly when it is no longer needed.
There is often a significant delay between the time a security incident occurs and the time the forensic investigation starts. And as a switch or router discards obsolete metadata quickly, you will not find forensic evidence if you react too late.
But you can improve the success rate of your forensic evidence gathering by configuring your switches and routers to collect additional data and persist this data. All professional network devices allow for the logging of events. But the internal event log of network devices is rather small because of the memory constraints. Old events get discarded at a fast rate to make place for new events.
Centralized logging
Here is an important first opportunity for you to improve the evidence collection phase of your forensic investigations. Install one or more machines as a central log repository and configure all your network devices to forward events to this central log repository. Dimension your central log repository so that it can hold several months’ worth of events. The syslog standard is often used to centralize events.
The second opportunity you have to improve the evidence collection phase of your forensic investigations is by increasing the types of events that are logged, for example DHCP events. Professional network devices classify events by types and by alert level. Not all event types are logged by default, and only events with important alert levels are logged. Increase the types of events, and lower the alert level for event logging. Watch out; you will need to strike a balance between resource usage and log level, because increasing the number of log events has an impact on CPU usage and can thus negatively impact the performance of your network devices.
Trojanized devices
The operating system of your network devices can be trojanized in two ways: by trojanizing the operating system files (like Cisco’s IOS image files) and booting from them, or by exploiting a vulnerability in the operating system and trojanizing it in memory.
A release management process for network device image files allows you to know if a network device is running an authorized operating system or not. But an unauthorized operating system image is not necessarily a trojanized operating system image. Your success in identifying trojanized operating system images will depend on your network device vendor. For example, Cisco provides lists with cryptographic hashes of all images they release. If the cryptographic hash of the unauthorized operating system image matches a hash in this list, you can be sure that it is a legitimate operating system image and that it is not trojanized. Some high-end network devices can operate with digitally signed operating system images. Periodic review of the digital signature of these operating system images will detect trojanized operating system images.
RAM trojans
But the hardest forensic case to crack is an operating system trojanized in memory. Many professional network devices operate like this: the operating system is stored in a file which is stored on non-volatile, solid-state memory, like flash memory. When the network device is powered on, a very small
Utilize on board security features
Make sure to research security features available in your network devices that can help you indirectly with your forensic investigations. Enable them if necessary. For example, Cisco switches have a DHCP snooping feature. Enabling this feature instructs the switch to build and maintain a table of all successful DHCP transactions it sees passing through its interfaces. This table lists IP addresses, corresponding MAC addresses, and the interfaces serving these clients.
Imagine a contractor connects his laptop to your wired network without authorization. You would notice this by monitoring your DHCP logs for rogue machine names. But this will only give you a machine name and a MAC address. This is often not enough to trace back to the contractor. But with the DHCP snooping binding table, you will be able to correlate the IP address and MAC address with a switch interface. This will allow you to find the physical location of the Ethernet connector used by the contractor. Reviewing physical security evidence like access control logs or CCTV images should be enough to identify the contractor. Or you could just ask your employees working near the network access point who used this connection.
In the case of the former employee using your corporate WiFi infrastructure, you would notice this too by monitoring your DHCP logs for rogue machine names. Additional logs from WiFi access points and wireless LAN controllers should enable you to pinpoint the access point used by the former employee. But since WiFi access points do not need a physical connection, you will find it harder to identify the culprit.
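The correlation described above, as an added example that is not code from the article or from NAFT: a constructed DHCP server log (ISC dhcpd style DHCPACK lines) is searched for hostnames outside the organization’s naming convention, and each rogue MAC address is looked up in a constructed `show ip dhcp snooping binding` table to recover the switch port. The naming convention, addresses, VLANs and interface names are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show ip dhcp snooping binding` output from a Cisco
# switch (MAC addresses, IPs, VLANs and interfaces are made up for this example).
SNOOPING_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:5E   10.0.20.17       86120       dhcp-snooping  20    GigabitEthernet1/0/7
00:50:56:AA:BB:CC   10.0.20.31       85900       dhcp-snooping  20    GigabitEthernet1/0/12
D4:BE:D9:11:22:33   10.0.30.5        86399       dhcp-snooping  30    GigabitEthernet2/0/3
"""

# Constructed DHCP server log lines in ISC dhcpd style:
# "DHCPACK on <ip> to <mac> (<hostname>) via <interface>".
DHCP_LOG = """\
Nov 14 09:12:44 dhcp1 dhcpd: DHCPACK on 10.0.20.31 to 00:50:56:aa:bb:cc (ws-fin-041) via eth0
Nov 14 09:13:02 dhcp1 dhcpd: DHCPACK on 10.0.20.17 to 00:1a:2b:3c:4d:5e (contractor-laptop) via eth0
Nov 14 09:13:40 dhcp1 dhcpd: DHCPACK on 10.0.30.5 to d4:be:d9:11:22:33 (ws-ops-007) via eth0
Nov 14 09:14:11 dhcp1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
"""

# Assumed corporate naming convention for issued machines: ws-<dept>-<nnn>.
APPROVED_HOST_RE = re.compile(r"^ws-[a-z]+-\d{3}$")

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: str
    interface: str

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str

def normalize_mac(mac):
    """Canonical lower-case colon form, so switch and server formats compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_snooping_bindings(text):
    """Return {mac: Binding} from the switch's binding table output."""
    bindings = {}
    for line in text.splitlines():
        fields = line.split()
        # Header and separator lines also have six fields; the IP column tells them apart.
        if len(fields) != 6 or not re.match(r"^\d+\.\d+\.\d+\.\d+$", fields[1]):
            continue
        mac = normalize_mac(fields[0])
        bindings[mac] = Binding(mac, fields[1], fields[4], fields[5])
    return bindings

ACK_RE = re.compile(r"DHCPACK on (\S+) to (\S+) \((\S+)\) via")

def parse_dhcp_acks(text):
    """Return the leases actually granted (DHCPACK lines) in a dhcpd log."""
    leases = []
    for line in text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m.group(1), normalize_mac(m.group(2)), m.group(3)))
    return leases

def locate_rogue_clients(dhcp_log, snooping_text, approved=APPROVED_HOST_RE):
    """Map every lease with an unapproved hostname to its switch port.

    Returns a list of (hostname, mac, ip, vlan, interface). vlan and interface
    are None when this switch holds no binding for the MAC (client is elsewhere).
    """
    bindings = parse_snooping_bindings(snooping_text)
    located, seen = [], set()
    for lease in parse_dhcp_acks(dhcp_log):
        if approved.match(lease.hostname) or lease.mac in seen:
            continue
        seen.add(lease.mac)
        b = bindings.get(lease.mac)
        located.append((lease.hostname, lease.mac, lease.ip,
                        b.vlan if b else None, b.interface if b else None))
    return located

if __name__ == "__main__":
    for host, mac, ip, vlan, iface in locate_rogue_clients(DHCP_LOG, SNOOPING_BINDINGS):
        print("rogue host %s mac=%s ip=%s vlan=%s port=%s" % (host, mac, ip, vlan, iface))
```

The DHCPDISCOVER line is deliberately ignored: only a completed DHCPACK ties a hostname to an address the switch will also have recorded.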
Forensic artifacts found in network devices
Network devices can become compromised because their configuration gets modified or because their operating system gets trojanized. Finding forensic evidence for these incidents can become much harder. A secure, centralized log repository is vital so that perpetrators cannot erase logs to cover their tracks.
To detect unauthorized configuration modifications, a release management and version control process is necessary. The release management process will make sure that only approved modifications are applied to your network devices, and the version control process will make sure that these modifications are documented. Periodic review of your network device configurations will allow you to detect unauthorized configuration modifications by comparing them with the configurations kept in the version control system. This review process can be automated.
If your network devices support scripting and you have custom scripts like Cisco IOS Tcl, make sure to include these in your release management and version control process.
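An added example (not the article’s or any vendor’s code) of automating the two release management checks the article recommends: comparing a device’s running configuration with the baseline kept in version control, ignoring lines that legitimately change between pulls, and checking an image file’s digest against the vendor’s published hash list. The configurations, the image bytes and the hash list are constructed, and the volatile-line patterns are an assumption to adjust per platform.

```python
import difflib
import hashlib
import re

# Constructed baseline from version control and a constructed running config
# pulled from a device (hostnames, addresses and the unexpected lines are made up).
BASELINE_CONFIG = """\
! Last configuration change at 10:02:11 UTC Mon Nov 5 2012
version 15.1
hostname edge-rtr-01
!
username netops privilege 15 secret 5 $1$example$baselinehash
!
ip access-list extended MGMT-IN
 permit tcp 10.0.50.0 0.0.0.255 any eq 22
 deny ip any any log
!
ntp clock-period 17179869
logging host 10.0.50.20
end
"""

RUNNING_CONFIG = """\
! Last configuration change at 03:41:56 UTC Sat Dec 1 2012
version 15.1
hostname edge-rtr-01
!
username netops privilege 15 secret 5 $1$example$baselinehash
username svc-backup privilege 15 secret 5 $1$example$unknownhash
!
ip access-list extended MGMT-IN
 permit tcp 10.0.50.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
 deny ip any any log
!
ntp clock-period 17179911
end
"""

# Lines that change on every pull without anyone touching the device (assumed set).
VOLATILE_LINE_RE = re.compile(r"^(! Last configuration change|! No configuration change|ntp clock-period)")

def normalize_config(text):
    """Drop blank and volatile lines; keep indentation, which carries ACL structure."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or VOLATILE_LINE_RE.match(line):
            continue
        lines.append(line)
    return lines

def config_drift(baseline_text, running_text):
    """Return (added, removed): lines only in the running config and lines only
    in the version-controlled baseline, in the order they appear."""
    base, run = normalize_config(baseline_text), normalize_config(running_text)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(a=base, b=run, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(base[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(run[j1:j2])
    return added, removed

def image_digest(image_bytes, algorithm="sha256"):
    """Hex digest of an OS image, using whichever algorithm the vendor list publishes."""
    h = hashlib.new(algorithm)
    h.update(image_bytes)
    return h.hexdigest()

def image_is_published(image_bytes, vendor_hashes, algorithm="sha256"):
    """True when the image's digest appears in the vendor's published hash list.
    A match shows the image is a genuine release, not that it is the approved one;
    an image with no match is unauthorized and must be treated as suspect."""
    return image_digest(image_bytes, algorithm) in {h.lower() for h in vendor_hashes}

# Constructed stand-ins for an image file and for the vendor's hash list.
SAMPLE_IMAGE = b"constructed-ios-image-bytes\x00\x01\x02"
VENDOR_HASH_LIST = {image_digest(SAMPLE_IMAGE)}  # as if copied from the vendor site
TAMPERED_IMAGE = SAMPLE_IMAGE + b"\x90"

if __name__ == "__main__":
    added, removed = config_drift(BASELINE_CONFIG, RUNNING_CONFIG)
    for line in added:
        print("not in baseline: %s" % line)
    for line in removed:
        print("missing from device: %s" % line)
    print("image in vendor list:", image_is_published(SAMPLE_IMAGE, VENDOR_HASH_LIST))
```

Both lists that come back are review items: an added local account and a widened management ACL are exactly the modifications the article says a perpetrator would make, and a dropped `logging host` line means events stopped reaching the central repository.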
program stored in ROM will load the operating system from flash into RAM, where it is executed by the CPU. With an operating system trojanized in memory, the image file in flash is intact, but the modifications are made in RAM, where the image file is loaded to be executed. One way to make these modifications in RAM is by targeting the network device with an exploit for a vulnerability.¹ This exploit contains code to modify the operating system in RAM and trojanize it, for example by adding a backdoor functionality.
To investigate such a compromise, you need to be able to access and analyze RAM. Cisco IOS has features to access RAM: their routers and switches have a command that allows you to write the content of RAM to a core dump file. This solves the “access” phase of your forensic investigation, but not the “analysis” phase. The structure of the file containing the core dump is not documented. Only Cisco knows the complete details and you will need their cooperation if you need a full analysis. The Cisco Technical Assistance Center (TAC) will sometimes ask clients to provide them with a core dump to help with the analysis of their support cases. But since the RAM core contains everything that was in RAM, it contains a lot of forensic evidence.
But you are not completely dependent on Cisco’s TAC for core dump analysis. There are two open source tools that can partially analyze core dumps. The first tool is Cisco Incident Response (CIR) from Recurity Labs GmbH,² an open source tool that attempts to detect trojanized core dumps by detecting memory and process anomalies. CIR has been successful in detecting proof-of-concept trojanized IOS images presented at the Black Hat Security conference.³
The second tool is the Network Appliance Forensic Toolkit (NAFT)⁴ released by me. It is able to analyze the basic structure of memory and processes, but it is not yet able to automatically detect memory and process anomalies. NAFT is a set of Python programs, and it can run on many operating systems. You instruct your IOS device to produce a core dump and transfer it to a tftp server, and then you can analyze this dump with NAFT. For example, the command naft-icd.py processes r870-core will dump all processes it finds in core dump r870-core (figure 1).
¹ Felix Lindner, “Burning the bridge: Cisco IOS exploits,” http://www.phrack.com/issues.html?issue=60&id=7.
² http://cir.recurity.com/.
³ http://blog.recurity-labs.com/archives/2008/05/27/on_ios_rootkits/index.html.
⁴ http://blog.didierstevens.com/programs/network-appliance-forensic-toolkit/.
Figure 1 — Core dump
1  Cwe  80049B5C  0      3     0      5552/6000  0  Chunk Manager
2  Csp  80371B90  8      341   23     2640/3000  0  Load Meter
3  Mwe  8118AB24  4      1725  2      5300/6000  0  Spanning Tree
4  Lst  80046D90  14780  841   17574  5484/6000  0  Check heaps
5  Cwe  8004F930  0      1     0      5672/6000  0  Pool Manager
6  Mst  808278AC  0      2     0      5596/6000  0  Timers
Pay attention to the fact that although operating systems trojanized in RAM are not persistent (i.e., rebooting the network device removes the trojan), network devices are not often rebooted and the trojan can easily be present for months if not years. And if a trojan runs in RAM with full system access, there is nothing to prevent it from modifying the image in flash to achieve persistence.
Conclusion
There are several preventive steps that you can take to facilitate a forensic investigation of network devices. You can improve the logging of your devices and enable extra information gathering features on your devices. This will help you gather more forensic evidence. Network devices can also become compromised. You can find forensic artifacts in flash and in RAM. There are tools to help you analyze these artifacts.
I hope this article will inspire you to take measures that will facilitate forensic investigations of network devices.
References
—Dale Liu, Cisco Router and Switch Forensics, ISBN 978-1597494182.
—Felix Lindner, The Shellcoder’s Handbook, 2nd Edition, Chapter 13: Cisco IOS Exploitation, ISBN 978-0470080238.
—Felix Lindner, “Developments in Cisco IOS Forensics” - Black Hat, http://www.blackhat.com/presentations/bh-usa-08/Lindner/BH_US_08_Lindner_Developments_in_IOS_Forensics.pdf.
—Felix Lindner, “Router Exploitation” - Black Hat, http://www.blackhat.com/presentations/bh-usa-09/LINDNER/BHUSA09-Lindner-RouterExploit-SLIDES.pdf.
—Sebastian ‘topo’ Muñiz, Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootKit), http://www.coresecurity.com/files/attachments/Killing_the_myth_of_Cisco_IOS_rootkits.pdf.
—Andrew Vladimirov, Konstantin Gavrilenko, Andrei Mikhailovsky, Hacking Exposed Cisco Networks, ISBN 978-0072259179.
About the Author
Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) is a member of the Belgian ISSA chapter and an IT Security Consultant currently working at a large Belgian financial corporation. Didier started his own company in 2012 to provide IT security training services (http://DidierStevensLabs.com). You can find his open source security tools on his IT security related blog at http://blog.DidierStevens.com. He may be contacted at didier.stevens@gmail.com.
Storage Security Governance: A Case Study
By Vinoth Sivasubramanian – ISSA member, UK Chapter
The author describes the experiences and results of an assignment that brought about a marked improvement in storage security for a commodity trading organization. The practical steps suggested will aim to answer some of the core challenges surrounding storage and bring about a continual-improvement storage security program.
Storage security has always been one aspect of IT management that never seems to get the attention it deserves, regardless of legal, regulatory, and business risks. Storage security should be a concern for any organization irrespective of size and number due to the multitudes of challenges surrounding it. For example, one recent survey conducted by PWC [1] stated that 29 percent of the organizations still find locating their data as a big challenge; however, going by experiences at the ground level, there are even more challenges such as the following:
• There are just not enough eyes on the problem!
• Where is the data residing?
• Increased regulatory audits
• How do we align with the existing standards and regulations?
• How do we handle the advances in technology such as increased use of mobile devices, consumerization, etc.?
This paper describes the experiences and results of an assignment that brought about a marked improvement in storage security for a commodity trading organization. The practical steps suggested will aim to answer some of the core challenges surrounding storage and bring about a continual-improvement storage security program.
Organizational background
Phoenix Consulting (The Firm), based in India, is a boutique IT audit and consulting firm helping clients meet their compliance requirements and achieve their security objectives. The Company (name withheld for security purpose) is a commodity trading organization that aims to reduce the gap between customers and farmers, has a 1000+ client base, and is fitted with state-of-the-art routers, switches, firewalls, Windows servers, and storage area network (SAN) storage architectures and devices that store customer information, IDs, and bank account details. Though the organization is ISO 27001:2005 certified and had a structured Information Security Management System (ISMS), they had recently faced issues with sensitive data:
1. The Company was not aware of where the data was located: The storage devices were left out of the purview of the ISO 27001 scope due to an ongoing implementation.
2. Bringing it under the purview of the ISO 27001 governance program: The scope was extended to cover storage devices and the data that needed to be protected. As an added advantage, increasing the scope also satisfied guidelines on storage security imposed by the local authorities, aligned with ISO 27001, gave the organization better control and governance, and helped them optimize their resources (time and manpower) on areas that required attention.
That is when The Firm was called, as we had helped them achieve ISO 27001 certification. The impediments that would arise during the implementation of this project were very well known to us as we had both the expertise and experience in implementing projects of a similar nature. Here are the steps involved in making the storage security program a success.
The critical steps for the success of this program are the following:
1. Gain management support
2. Perform gap analysis
3. Identify assets
4. Perform risk assessment
5. Implement security controls
6. Perform an audit and improve
Gain management support
Getting management support in our case was quite easy as the organization had recently faced a regulatory issue. Management was briefed about the challenges involved in storage security, the time it would take to implement this program, and our approach to bringing it to completion. In circumstances where there are no legal or regulatory issues, get management support by briefing them on the possible business risks, rewards, and efforts involved. As per ISO 27001, record the minutes of these meetings as per the record control procedure¹ and management review requirement.² Unless there are regulatory, contractual, or legal obligations or compulsions, ensure that the cost of protecting the information is less than the value of the information being protected. A sample template that was used to capture and record the most important information is shown below.
DESCRIPTION – STORAGE SECURITY RISK
Risks – Legal, financial, regulatory, and business risks
Rewards – Elevated customer confidence
Effort – High
Cost Estimation – $600,000 USD
Time Span – 6 Months
Approach – ISO 27001 approach
Cost of damages – $10 million USD annually in the event of a breach
Cost of protection – $2 million for the first year, less than 1 million from next year onwards
Return on Investment – Roughly $5 million per year
ISO Clause – Mandatory clause 5 of ISO 27001:2005 – Management Review of ISMS
¹ Mandatory clause 4.3.2 of ISO 27001.
² Mandatory clause 5 of ISO 27001:2005.
Gap analysis
Since management expectations were very clear and they were already aware of some of the existing gaps, a gap analysis exercise was carried out which detailed the current scenario of the organization in regards to storage security. After a detailed gap analysis, the following area emerged as the single stumbling block to achieving the management objectives and meeting compliance requirements: where is the data located?
Lessons learned: Conduct a gap analysis, irrespective of the compliance level of the organization – keeping in mind management expectations and objectives – and then chart out the stumbling blocks. Form a focus group and engage all the information users, as you will get to know the security posture of the organization in reference to storage security better, which will help improve the initiative.
Solving data location challenge
To solve the challenge of data location, we used a two-pronged approach. The first part was using an automated tool – ManageEngine³ asset manager in this case – to capture all the IP devices located in the enterprise. Next we listed the non-IP devices, namely USB and mobile devices. The organization had provided only organization-approved USBs to be used by their employees, and these were given only to the senior management. Since mobile applications were also used, mobile devices were listed in the asset register. After comprehensive discussions with the asset custodians and stakeholders, we had gathered enough information on the locations of the most critical data.
Lessons learned: Capture IP and non-IP devices within the enterprise and list them in the asset register. Capture the information residing on these devices through multiple iterations with the asset users and custodians (to increase the accuracy of the information collected, it is necessary to perform at least two iterations to eliminate the errors and miscommunications which we will encounter when we go about capturing the information residing on devices). Authenticate information discovery/classification technologies.
³ http://www.manageengine.com/products/desktop-central/software-hardware-inventory.html.
Identify assets – knowing what to protect
After getting to know the devices and the information residing on these devices, authenticate the automated data generated using a comprehensive sampling methodology: we did a 98 percent sample to provide comprehensive assurance to management that the data collected was authentic. This also enabled management to make better decisions. In our case this sampling provided a better insight into what needed to be protected. Using the data on hand, management determined which information was very critical to the organization; incidentally, these were also in line with local laws and regulations. Management identified this information, classified it as highly confidential, and provided directives for storing, accessing, processing, and disposing of it. A sample data record is given below.
Data Description – ID details of customer
Data Type – Highly confidential, irrespective of location of the data
Access – No write access to anyone; read access to select few
Security type – Least exposure to business, legal, or financial risks
After getting a clear and comprehensive mandate on the data that needed to be protected as part of this storage security governance program, we laid out the next course of our plan to implement these programs. The first was to form a focus group, identifying members across the enterprise who would help propel the program forward.
Lessons learned: Take time to accurately sample the data using automated and manual methodologies. Get management expectations clear on the data that needs to be protected as top priority. This will help the organization prioritize risk and allocate resources wherever needed. Remember this is a program to improve storage security practices and is a one-time solution.
Risk assessment
The challenge we encountered in doing a risk assessment for this organization was that an ongoing ISO 27001:2005 risk assessment was already being performed, and we were told specifically not to disturb the assessment or change the methodology. So in line with the expectations and directives of senior management, a linked risk assessment approach was carried out, wherein the information that needed to be protected was treated as an individual asset, and the various threats, vulnerabilities, and controls in place were listed out.
Lessons learned: Perform the risk assessment exercise with the assistance of the focus groups; this provides them insight into these activities, and also provides the much needed additional controls which are required at the ground level.
We shall now look at how the storage security program initiative was carried out with the right mix of people, processes, and technology.
Implement Controls
Based on the results obtained from the risk assessment and inputs from legislative guidelines and various other best practices [2][3][4][5], the controls outlined below were implemented, in no particular order.
Review of security policies
Armed with the results from the risk assessment exercise, information security policies were reviewed [4] where needed and new ones written where found missing. In our case we tweaked the configuration management policy to include the storage devices, and wrote fresh policies in relation to Bring Your Own Device (BYOD) and Use Your Own Applications
(UYOA). The table describes in short the policies that we had tweaked and the ones that were newly written.
POLICY – DESCRIPTION
1. Access control policy – Tweaked, to support the management directives
2. Bring Your Own Device and Use Your Own Applications – Newly drafted
3. Configuration management – Tweaked, to bring the SAN under the configuration management database (CMDB)
4. Patch management policy – Tweaked, to include upgrading of SAN storage devices
5. Incident management – Tweaked, so that storage security issues are reported through the incident management system
6. Information control policy – Newly written, to give management and stakeholders greater clarity in identifying the most critical information and how it must be controlled
Lessons learned: Always agree the policy effective date with management before drafting the procedures that support the policies. In most organizations procedures (the steps required to support management's high-level statements) are driven bottom up, so a fixed effective date brings greater commitment from middle management and keeps the initiative moving.
Review of Procedures
With management's directives now clear, we reviewed the procedures directly related to storage security: backup, asset management, internal audit, media disposal, and legal and compliance. The table below describes some of the changes made to the procedures and their cross references to ISO 27001:2005.
PROCEDURE – DESCRIPTION – ISO 27001:2005 CLAUSES
Asset management procedure – Tweaked to include automated scanning of all IP devices and verification of the information on all non-IP devices on a fortnightly basis. – Mandatory clause 4.2.1d; control A.7 Asset management
Backup procedure – Spruced up to include correct identifiers and the method of storage and disposal, which are often missing from backup procedures. Technologies to eliminate manual tapes were also charted out. – A.10.5.1 Information back-up
Internal audit procedure – Enhanced to include audit of the storage devices and the allied storehouses of information. – Mandatory clause 6 (Internal ISMS audits); A.15.3 Information systems audit considerations
Legal and compliance procedure – Resources were allocated to track the fast-changing compliance landscape, and the procedure for reporting changes was documented. – A.15.1.1 to A.15.1.5 Compliance with legal requirements
Media disposal procedure – How to dispose of media containing the information that needs to be protected, including in the event of a total failure of the device; incorporating authorized agents to carry data off site for disposal. – A.10.7 Media handling; A.10.8 Exchange of information
Lessons learned: While reviewing the procedures, make time to discuss the technology investments they will require. Knowing these investments early lets you start procurement while the procedure review is still underway, which saves a lot of time and keeps things moving.
Technological perspective
With the information that needs to be protected now clear, the first step on the technology side was to re-inspect the application architecture and redesign the business processes to meet the organization's expectations.
Business process re-engineering
With the organization's most critical assets scattered across various applications and reports, the business processes were re-engineered: the multiple processes for capturing customer information and completing a sale were integrated into one application and one screen. The reports containing this information were likewise confined to one area. This made it far easier to control access to the information, and the related storage, retention, and disposal of the storehouses holding the organization's most vital assets.
Lessons learned: A very important aspect of redesigning business processes is never to lose sight of the task in hand; in this case we redesigned the process with customer ID and bank account details in mind, confining them to a centralized location. Very often people lose sight of the specific goal and drift into wholesale process re-engineering.
Application architecture inspection
The application architecture was also inspected, and secure-by-design and privacy-by-design principles were incorporated: privacy and data protection guidelines were integrated into the entire life cycle of the code, from requirements gathering to implementation, which had not been the case before. One important change made after this inspection was that the customer information capture screen did not use cookies or store any information on the client at all. The captured information was stored in the database in encrypted form. To minimize cost we chose column-level encryption for storing the information in the database, so that only the classified columns carry the cost of encryption. Apply the same principles to database backups, which are often overlooked and forgotten: a backup of a column-encrypted table contains only ciphertext for those columns, but only if the encryption is applied above the database and the key is held by the application or a key manager rather than inside the database that is being backed up. Access to this encrypted data was made available only to a select few.
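As an added illustration of the point above (example code written for this edit, not the case study's own implementation; the "customers" table, the "bank_account" column and the "A. Trader" row are constructed), the Go program below shows application-side column-level encryption: the classified column is encrypted with AES-256-GCM before the row reaches the database, the table, column and row identity are bound into the authenticated data so a ciphertext cannot be moved to another row, and a logical dump of the table, standing in for the backup, therefore contains ciphertext only. The key is held by the application; in production it would come from a key manager or HSM, never from the database being backed up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"sort"
	"strings"
)

// ColumnCipher encrypts one classified column of one table. The key lives with
// the application (environment, KMS or HSM): it is never written to the database.
type ColumnCipher struct {
	aead          cipher.AEAD
	table, column string
}

// NewColumnCipher wraps a 32-byte key in AES-256-GCM for the named column.
func NewColumnCipher(key []byte, table, column string) (*ColumnCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("column key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnCipher{aead: aead, table: table, column: column}, nil
}

// aad binds a ciphertext to its table, column and row: a value copied into
// another row or column fails authentication when decrypted.
func (c *ColumnCipher) aad(rowID int) []byte {
	return []byte(fmt.Sprintf("%s.%s:%d", c.table, c.column, rowID))
}

// Encrypt returns base64(nonce || ciphertext || tag), which fits a text column.
func (c *ColumnCipher) Encrypt(rowID int, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nonce, nonce, []byte(plaintext), c.aad(rowID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt for the same row; a wrong row ID or a flipped bit fails.
func (c *ColumnCipher) Decrypt(rowID int, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	ns := c.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return "", errors.New("malformed stored value")
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], c.aad(rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreRecord is the application write path for the constructed "customers" table
// (a map standing in for the database): the bank account is encrypted before the
// row is handed over; the name is an unclassified column and is stored in clear.
func StoreRecord(c *ColumnCipher, table map[int][]string, id int, name, bankAccount string) error {
	enc, err := c.Encrypt(id, bankAccount)
	if err != nil {
		return err
	}
	table[id] = []string{fmt.Sprint(id), name, enc}
	return nil
}

// DumpBackup imitates a logical database dump. Because encryption happened above
// the database, the dump, and any tape made from it, holds ciphertext only.
func DumpBackup(table map[int][]string) string {
	ids := make([]int, 0, len(table))
	for id := range table {
		ids = append(ids, id)
	}
	sort.Ints(ids)
	var b strings.Builder
	for _, id := range ids {
		b.WriteString(strings.Join(table[id], ",") + "\n")
	}
	return b.String()
}

func main() {
	key := make([]byte, 32) // demo only: a real deployment fetches the key from a key manager
	io.ReadFull(rand.Reader, key)
	c, _ := NewColumnCipher(key, "customers", "bank_account")
	db := map[int][]string{}
	_ = StoreRecord(c, db, 1, "A. Trader", "GB29NWBK60161331926819") // constructed sample row
	fmt.Print(DumpBackup(db)) // the account number appears only as base64 ciphertext
}
```

Running it prints the dump with the name in clear and the bank account as base64 ciphertext. Decrypting a stored value under a different row ID fails authentication, which is what stops a copied ciphertext from being silently reattached to another customer; the same GCM tag also detects any modification of the ciphertext in the backup.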
Information integrity monitoring software
Next we invested in information integrity monitoring software, in which any change to the access rights, the availability, or the content of a protected information entity was allowed only after approval from the whole of management. The software used an all-approvers hierarchy: each member of management took responsibility for approving changes to the confidentiality matrix.
Server and media encryption
Since the physical server housing the database and the critical information needed to be adequately protected, we looked at the encryption solutions available on the market and settled on one that suited the budget, was easy to operate, and came from a vendor with adequate service delivery capability. Similarly, endpoint encryption was deployed on the endpoint devices with appropriate tools to protect any media that might come to hold the protected information. Since the organization had a zero-tolerance policy towards unapproved USB devices, controlling them through the media encryption and endpoint software also provided the required protection. The following best practices were used:
• Aligned the encryption technology with existing cryptographic standards and controls [4]
• Placed the at-rest encryption where it minimized impact on users and on server availability
• Implemented both in-flight (in transit) and at-rest encryption mechanisms
Lessons learned: Encryption brought its own challenges; the tips that came out of them are:
• If undecided between two potential points of encryption, pick the one closest to the application generating the data: the earlier data is encrypted, the fewer layers below hold it in clear
• Perform deduplication before encryption; encrypted data does not deduplicate, so encrypting first inflates storage
• Ensure that encryption and key-management operations create adequate log entries in line with business, legal, regulatory, and compliance requirements [3][4]
Third-party agreements
Third-party agreements were tightened to cover the secure working practices of the service providers when they maintain the storage devices. In particular we made them agree to let us audit their work and working practices, giving us assurance of good security practice.
Lessons learned: Regulatory compliance requires third-party service providers and consultants to adhere to the practices adopted by the organization, yet many organizations never audit their service providers. Providers may initially be apprehensive, but explaining the long-term benefits and how it can work in their favor will bring them round. As a reward, act as a brand ambassador: give them a good recommendation, allow them to list your name on their website, and so on. In short, have a reward mechanism, with penalties for lapses in security practice.
System controls
Even though confidential information was accessible only to a select few with clearly defined roles, we tightened the system further by tying their access to the MAC addresses of their workstations. Integrated with the log management system, any deviation was recorded, tagged as an incident, and closed through the corrective and preventive action process. Note that a MAC address is trivially spoofed by anyone on the same network segment, so this binding is an additional signal and a source of alerts rather than an authentication control in its own right: the user still has to authenticate, and the value of the binding lies in the deviations it surfaces in the logs.
Network-level controls
We used VPN-anywhere software [9] (software used to ensure that only authorized users reach a resource) to identify and authenticate the internal users who had access to the privileged information before they reached the application's front end. Firewall rules were written to detect leakage of the protected information.
Fibre Channel security
The organization's storage was a Fibre Channel storage area network (SAN). A SAN is an architecture that attaches remote storage devices such as disk arrays, tape libraries, and optical jukeboxes to servers in such a way that, to the operating system, the devices appear locally attached. These SANs used a Fibre Channel topology and the Fibre Channel protocol.
Storage area network best practices [2], with the resulting configuration recorded in the configuration management database:
• Restricted switch interconnections (inter-switch links)
• Disabled unused ports
• Used hard zoning, which the switch enforces on every frame rather than merely filtering name-server responses as soft zoning does, because management wanted strict control over the movement of data
• Implemented LUN masking on the arrays, so that a host which can reach an array port still sees only the LUNs assigned to it
Zoning and LUN masking are complementary: zoning limits which ports may talk to each other, masking limits which LUNs a permitted initiator may see. Neither is a substitute for the other.
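The Go program below is an added example (not from the case study; the WWNs, zone names and fabric layout are constructed) of the kind of automated check a practitioner would run against the zoning best practices above, and of the baseline-against-current comparison that the Log management section below applies to configuration snapshots. The active zone set is compared member-for-member with the approved baseline held in the CMDB and any drift is reported as an incident; each zone is then checked for single-initiator zoning; and enabled ports that belong to no zone are flagged so they can be disabled. LUN masking is enforced on the array and is not covered here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Zone is one Fibre Channel zone: its name and the WWNs allowed to talk to each other.
type Zone struct {
	Name    string
	Members []string
}

// Port is a switch port: the WWN logged in, its role ("initiator" for an HBA,
// "target" for an array port, "" if nothing is logged in) and its admin state.
type Port struct {
	WWN, Role string
	Enabled   bool
}

// Finding is one audit result: "incident" goes to incident management, "advisory" to a config ticket.
type Finding struct{ Severity, Message string }

// zoneIndex renders each zone's sorted membership as one string so two zone
// sets compare member-for-member regardless of listing order.
func zoneIndex(zones []Zone) map[string]string {
	idx := make(map[string]string, len(zones))
	for _, z := range zones {
		m := append([]string(nil), z.Members...)
		sort.Strings(m)
		idx[z.Name] = strings.Join(m, ",")
	}
	return idx
}

// AuditZoning compares the active zone set with the CMDB baseline (drift is an
// incident, because zoning changes must come through change management) and
// checks single-initiator zoning and enabled-but-unzoned ports (advisories).
func AuditZoning(baseline, active []Zone, ports []Port) []Finding {
	var out []Finding
	base, act := zoneIndex(baseline), zoneIndex(active)
	for name, want := range base {
		if got, ok := act[name]; !ok {
			out = append(out, Finding{"incident", "zone " + name + " missing from active zone set"})
		} else if got != want {
			out = append(out, Finding{"incident", fmt.Sprintf("zone %s changed: baseline [%s] active [%s]", name, want, got)})
		}
	}
	for name := range act {
		if _, ok := base[name]; !ok {
			out = append(out, Finding{"incident", "zone " + name + " active but absent from baseline"})
		}
	}
	role := make(map[string]string, len(ports))
	for _, p := range ports {
		role[p.WWN] = p.Role
	}
	zoned := map[string]bool{}
	for _, z := range active {
		initiators := 0
		for _, m := range z.Members {
			zoned[m] = true
			if role[m] == "initiator" {
				initiators++
			}
		}
		if initiators > 1 { // two HBAs in one zone can see and disturb each other
			out = append(out, Finding{"advisory", fmt.Sprintf("zone %s has %d initiators; split into single-initiator zones", z.Name, initiators)})
		}
	}
	for _, p := range ports {
		if p.Enabled && !zoned[p.WWN] { // an unused port should be disabled, a used one zoned
			out = append(out, Finding{"advisory", fmt.Sprintf("port %s (%q) enabled but in no zone; disable or zone it", p.WWN, p.Role)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Message < out[j].Message })
	return out
}

// SampleFabric is a constructed two-host, one-array fabric whose active zone
// set has drifted from the approved baseline.
func SampleFabric() (baseline, active []Zone, ports []Port) {
	const hba1, hba2, arr1, spare = "10:00:00:90:fa:00:00:01", "10:00:00:90:fa:00:00:02", "50:06:01:60:00:00:00:aa", "10:00:00:90:fa:00:00:03"
	ports = []Port{{hba1, "initiator", true}, {hba2, "initiator", true}, {arr1, "target", true}, {spare, "", true}}
	baseline = []Zone{{"z_host1_arr1", []string{hba1, arr1}}, {"z_host2_arr1", []string{hba2, arr1}}}
	active = []Zone{{"z_host1_arr1", []string{hba1, arr1, hba2}}, {"z_host2_arr1", []string{hba2, arr1}}} // host2 added without approval
	return baseline, active, ports
}

func main() {
	for _, f := range AuditZoning(SampleFabric()) {
		fmt.Printf("%-9s %s\n", f.Severity, f.Message)
	}
}
```

On the sample fabric the run reports one incident (the unapproved membership change to z_host1_arr1) and two advisories (that zone now holds two initiators, and the spare port is enabled but unzoned). The baseline must be re-approved through change management whenever a legitimate zoning change goes live, otherwise every approved change shows up as an incident.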
Audit
Having implemented the various controls, we conducted a detailed audit to check their effectiveness and efficiency. The specific audits we conducted are described below.
Vulnerability assessment and penetration testing
As the final stage before signing off the project, a penetration testing and vulnerability analysis exercise was carried out on the servers, SAN storage, media, desktops, laptops, network devices, and the members of the organization. This also included configuration review assessments of the networks, servers, database, SAN storage, desktops, and company-owned mobiles, as well as social engineering tests. The tools used to conduct these assessments are listed below; all were selected on budget, ease of operation, and the service delivery capability of the vendor.
DESCRIPTION – NAME OF THE TOOL
Desktops and server assessment – MS Baseline (Microsoft Baseline Security Analyzer) [6]
Networks – OpenVAS [7]
SAN storage devices – SNIA best practices checklist [2]
Database – AppDetective Pro [8]
Social engineering – Manual
Source code review
Source code review is an area generally missed, and it is really the Achilles heel of storage security: the code is where the data is generated. So as part of the audit stage the application's source code was checked thoroughly, using static analysis and a full manual review to identify vulnerabilities in the code, and dynamic analysis to uncover potential leakage points on the running system. The source code was also audited from a process perspective, looking at how the organization froze code before release. An end-to-end, development-to-release management audit was also carried out to identify any process-related gaps.
Log management
Logging is an essential part of storage security. Log all storage devices, with clear mark-up of the data to be protected and of the storehouses that hold it. We used benchmark logging: a snapshot of each asset's current configuration was taken as the benchmark and stored in the log management solution; any change to the configuration parameters of any asset was recorded, and deviations were categorized as incidents and closed through a proper root cause analysis (RCA) using the corrective action/preventive action (CAPA) form. The benchmark has to be re-taken whenever an approved change goes through; otherwise every legitimate change raises a false incident and the alerts soon get ignored.
Training and retraining
One of the biggest challenges in storage security is that storage admins are not aware of security, and security personnel are not aware of the storage challenges. To fill this gap the services of the SAN provider were used to teach security principles and practices to the storage admins and storage principles and practices to the security personnel. A reverse knowledge transfer was then employed, in which the security professionals tested the knowledge of the storage admins and the storage admins tested the storage knowledge of the security personnel. This ensured the challenges were clearly understood and solved between them.
Improve
You cannot improve what you cannot measure. Therefore, based on a few simple metrics satisfying compliance and legislative requirements, a simple measurement exercise was conducted. One of the measurement exercises, with its template, is described below.
Measurement
After completion of the above activities, an improvement measurement exercise was carried out. The result was a 90 percent improvement in information visibility, which was in line with the regulations of the local government. A sample result is tabulated as an example (table 1).
Table 1 – Improvement measurement exercise (sample row)
Description: What needs to be stored more carefully
Before the initiative: No data available
After the initiative: Available
Improvement: 100 percent
Benefit: Minimization of regulatory fines, enhanced customer confidence
Effort: High
Lessons learned: Always earmark a follow-up audit of the measurement results. Check for improvements and for sustained results. This way you build a long-term relationship and provide greater value from your projects.
Overview summary
With storage security seriously impacting business, we present a brief pictorial overview of the process before (figure 1) and after (figure 2) implementation of the storage security program.
Figure 1 – The process during ISO 27001:2005 certification: management determines the scope of ISO 27001:2005; identify the assets under the identified scope; perform risk assessment on the identified controls; treat the identified risks through implementation of various controls; audit, measure and improve the controls implemented.
Conclusion
Even though The Company was already ISO 27001:2005 certified, the concept of storage security was something new to the management and business heads. Getting the message across at all levels and emphasizing the importance of storage security and its long-term benefits was the most challenging part. Once we had the support of management, others followed suit and it was then easy for us to help the organization achieve its security objectives. The guidelines laid out above are the experiences of implementing a storage security program and are meant only as a guide to propel storage security in the right direction. Overall, organizations that already work to frameworks such as ISO 27001 and COBIT will find the going a bit easier because of the many cross references.
References
[1] http://www.idgconnect.com/view_abstract/7945/global-state-information-security-survey-2012
[2] https://www.snia.org/forums/ssif/programs/best_practices
[3] http://deity.gov.in
[4] http://www.iso27001security.com
[5] http://searchstorage.techtarget.com/definition/storage-security
[6] http://www.microsoft.com/en-us/download/details.aspx?id=7558
[7] http://www.openvas.org
[8] http://www.appsecinc.com/products/appdetective
[9] http://www.vpnanywhere.com
About the Author
Vinoth Sivasubramanian is a passionate information security professional with more than eight years of experience in domains such as telecom, consulting, and finance. In addition to volunteering his time for security associations such as ISACA and ISSA, he dedicates time to sustainable living, investing time and money in organic farming activities through local volunteers with a vision to lead people to a stable and balanced life. He can be reached at Vinoth.sivasubramanian@gmail.com.
Figure 2 – ISO 27001:2005 linked storage security implementation. Elements of the diagram: scope directed by legislative guidelines in combination with management directives; business process walkthrough to identify data flows and storage reservoirs; information storage devices captured and listed; information to be protected identified; risk assessment on the data reservoirs; audit, measure and improve the controls implemented.
Structured Risk Analysis
Offers Rich Rewards
By Greg Jones
Risk analysis is a far from exact science with assessments continuing to vary in scope. This article
discusses the emergence of context-aware classification systems and methods that can guide you
through the process with pre-categorized risk information and could be the key to effective risk
and threat analysis.
Abstract
Risk analysis is a far from exact science, with assessments continuing to vary in scope. But the emergence of context-aware classification systems could be about to change that. Methods that guide you through the process with pre-categorized risk information could be the key to effective risk and threat analysis.
Risk analysis is now an integral part of any business decision and essentially involves playing Devil's Advocate in a commercial context, looking for potential issues, their impact, and the time and cost involved in remediation. It is a far-from-exact science precisely because it deals in "what if" scenarios and their causes and consequences.
Today's regulation and security frameworks go some way to providing consistent risk analysis, with processes and procedures that can be used to evaluate risk systematically. These provide a valuable starting point, but the danger is that organizations embark on a risk analysis as a box-ticking exercise and mistakenly believe they have covered all the angles. In reality, a risk analysis has to be a more methodical, context-based process which explores the elements of risk and the fallout involved beyond what the regulations stipulate, not least because security standards are prone to date and fall out of step with the ever changing threat spectrum.
Whenever an enterprise embarks on a new venture or change in strategy, there will inevitably be some element of risk analysis to protect the existing business. Risk assessment is invaluable in enabling the business to identify and then actively tackle threat elements, from data leakage or theft to malicious attacks. However, if limited to the requirements of many standards, it can be highly subjective and limited in scope, looking only for risk within a given context with little consideration given to the wider picture, such as user buy-in, emerging threat vectors, and industry-specific threats. Without these factors, any threat assessment quickly loses its relevance and its value.
Risk management needs to be a measured but continual process, because its true value lies in being able to alert the organization to an issue before it is realized and to manage it to resolution. However, the overall management process can only succeed if it contains accurate methods for evaluating risks and threats. Many of the common approaches currently used fail to provide sufficient guidance and fail to capture knowledge from the early adopters of either business or technology. Furthermore, early adopters need support from more technical frameworks as they "forge a path" for the rest of us.
Prescriptive measures
Of course, we have come a long way in the development of risk analysis. In the mid 1990s, technical computer security was embryonic. Implementing even the most basic security control would often result in executive foot stamping, as a result of which few had installed antivirus (AV), firewalls, or passwords. When it came to designing and testing the first Internet banks, risk analysis was often a good way of ensuring executive buy-in and of protecting investment.
In 1995 the British Standards Institute published BS 7799[1] (later ISO 17799 and then ISO/IEC 27002) as a "prescriptive" security standard. This was great for organizations that needed guidance in implementing tangible security measures in commercial environments, which at that time could mainly be described as "security greenfields": many organizations did not have systematic security environments. The standard had ten simple "key controls" which all organizations should maintain.
It seems quite incredible now, but the most essential of controls (such as firewalls and AV) were not installed as a matter of course. To do so, the security practitioner needed to justify them. But it was a different time. I remember giving a presentation at the time for ISACA on the differences between circuit-level, proxy, and stateful inspection firewalls to a security interest group, when a representative from a large US telco who was sharing the stage turned into an unfriendly combatant fighting for a "firewall-free world." Not a cause that many would rally to defend these days.
There was a surprisingly negative reaction to this prescriptive standard. Many CISOs and security consultants claimed[2] that it did not take into account risk or the differing security requirements of organizations. Yet the standard only had what we would now consider essential requirements: recommending AV on servers, the installation of a firewall on Internet connections, that users have unique user IDs each with a password, and that data is routinely backed up.
The antipathetic reaction was mainly due to the security community's discomfort about the gap between the actual controls and those specified by the standard. Most medium-sized organizations would have received an unfavorable benchmark if their security had been compared to the standard (and would for many years). Correspondingly, later versions of the standard and its successor ISO 2700x selected controls via a free-form risk analysis, where threats were not pre-calculated and impacts not pre-described; this drove the whole security process and was ultimately used to select the organization's security controls when they were codified into a risk treatment plan. In reviewing such risk treatment plans, key controls were often missing. Sometimes these errors happened because of the lack of a solid framework for the risk assessment. However, many skilled security officers could play the system to "risk assess" away essential controls for reasons of budgetary success or political expediency. Until recently, it was very common to find that controls in the areas of segregation of duties, monitoring of administrative users, and network separation were de-selected supposedly because of the low risk.[3]
1 "ISO/IEC 27002," ISO 27001 security, http://www.iso27001security.com/html/27002.html.
2 "Alan Calder on IT Governance, information security and ISO 27001," BS 7799, 16 October 2007, http://www.alancalderitgovernanceblog.com/tag/bs-7799/.
3 Michael Cobb, "Segregation of Duties: Small business best practices," Application Security, 11 December 2011, Searchsecurity.com, http://searchsecurity.techtarget.co.uk/tip/Segregation-of-duties-Small-business-best-practices.
There is no "one-size-fits-all" standard, and risk will vary for each business and fluctuate over time. But nearly all organizations use the Internet, use PCs, and are made up of people, and so share common threats. Modern methods need to embrace the benefits and efficiency of standard controls and common threats in the same way that organizations buy standard application systems rather than building from scratch.
Selective security
Of course, the development of ISO 27005 in 2008 formalized the approach to risk, but it still focused on the process of risk identification and estimation, and so failed to close the gap between actual and perceived risk. And therein lies the crux of the matter: although risk assessment is a very valuable tool, a skilled and forceful security officer will always be able to "risk-assess away" the need for essential controls if the methodology used for the assessment is unbounded and not parameterized. For example, until recently it was very common to hear from online businesses that the risk of DDoS was invented, mainly because the cost of mitigation was high, even as the list of victims of such attacks was growing.
These days, information security has become more methodical and science based. Newer standards have become more sophisticated. A baseline level of security is required, to which additional controls can be added for increased threat or impact but from which controls cannot be removed, because the underlying threats are ubiquitous and so the control is mandatory. Many standards now include predefined and codified impact tables and threat categorization, and generic risk categories help focus the risk analysis. These are described below.
The Payment Card Industry Data Security Standard (PCI DSS) is an example of a standard with predefined technical controls. It mandates computer security controls which are routinely deployed. The card brands that impose the standard believe that the risk associated with processing cardholder data warrants the minimum acceptable security requirement laid out in PCI DSS. However, it too has been criticized. At recent industry conferences, many organizations subject to PCI DSS have been lobbying for a reduction in the requirements, favoring instead the introduction of a risk-based approach. Interestingly, a review of PCI DSS[4] shows more than a passing relation to the controls annex of ISO 27001, which is notable given that many of the organizations struggling to meet the requirements of the DSS are also ISO 27001 certified. Surely the similarity between the controls annex and PCI DSS means most of the technical controls should already be in place in an ISO 27001-certified organization.
4 "PCI vs ISO," 12 October 2012, Focus on PCI, http://www.focusonpci.com/site/index.php/Articles/pci-vs-iso.html.
Baselines and impact tables
Most organizations (at least within a peer group sector) share a risk profile, so there will always be common ground. The industry is beginning to embrace this through benchmarking and risk score analysis. An example of an approach which provides a structured application of security controls based on different risk profiles is the combination of FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. These are "amplified" (a word used throughout the documents) into the US National Institute of Standards and Technology (NIST) "Recommended Security Controls for Federal
This is usually such a laborious approach that it quickly loses
management commitment.
These standards and the development of impact tables have
greatly enhanced the risk management process, enabling the
security practitioner to hone assessments to business need
and to communicate risk more effectively to management,
but they are far from infallible. If the risk assessment doesn’t
place the business within a real-world context, for example, it
cannot accommodate emerging risks that are sector specific.
Skewed judgements
Upon engagement, most practitioners seek to capture in-
formation on customer sensitivity, contract type, customer
Information Systems and Organizations” (SP800-53).5 The idea is that an organization determines the risk associated with computer security failures based on a series of impact tables. The categorization of High, Medium or Low is then used to produce a tailored control baseline that accounts for this risk.
The key fact here is that the control specification can always be set as more stringent but not reduced through a standard assessment process. PCI-DSS and SP800-53 alike do allow for the modification of controls in a “compensating controls” section; any entry here will receive suitable scrutiny. The process will always result in a “good” control environment which covers the commonplace risks because it mandates specific necessary controls and leaves little room for omitting particular sections. Detractors claim that this method does not cover any organization exposed to unique risks, but as they are the exception rather than the rule, these regulations are still highly relevant in tackling the most frequent, likely, and destructive threats in the most common business environments.
What is really impressive about this scheme is the “science” that has gone into it. Not only is the security content good, but each control is codified into a control category and each control within that control category is systematically coded. Where a control is amplified based on risk, the control is named after an indexed scheme. For example, the identifier AU-5 (1) (2) denotes one specific control within the standard (Audit Control Number 5), amplified or extended by the pre-defined control extension (1) and control extension (2). This allows for extreme rigor in quality control and supports future initiatives such as determining the impact and likelihood of various vulnerabilities.
Similarly, in the UK, the HMG InfoSecurity Standard No. 1 (IS1)6 risk calculations classify assets and the potential impact of security events, breaking them down into Confidentiality, Integrity, and Availability (CIA) in pre-defined tables called the Business Impact Level. This allows a consultant to engage with key directors to determine the likely impact of a breach in Confidentiality, Integrity, and Availability. Furthermore, IS1 also incorporates a structured assessment of the capability of threat agents or actors.
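The two schemes just described share a mechanical core: per-CIA impact levels roll up into one categorization, that categorization selects a baseline of indexed controls, and tailoring may tighten the baseline but may only loosen it through a scrutinized compensating-controls entry. The following Python model is an added example written for this article, not code from the ISSA Journal or from NIST or CESG. It parses control identifiers of the form the text cites (AU-5 (1) (2)), rolls up C/I/A levels with the high-water-mark rule that FIPS 199 prescribes for SP 800-53 baseline selection, and enforces the "more stringent but not reduced" property. The baselines, enhancement assignments and compensating-control text are constructed sample data; AC-2, AU-5, IR-4 and SI-4 are real SP 800-53 control numbers, but their placement here is illustrative only.

```python
"""Constructed model of impact-table control baselines (added example)."""
import re
from dataclasses import dataclass

# Impact levels in the order the text uses. The overall categorization is the
# highest level across Confidentiality, Integrity and Availability (the
# FIPS 199 "high-water mark" used to pick an SP 800-53 baseline).
LEVELS = ("Low", "Medium", "High")

# One indexed control identifier: family, control number, enhancement list.
# "AU-5 (1) (2)" -> family AU, control 5, enhancements (1) and (2).
_CONTROL_RE = re.compile(r"^([A-Z]{2})-(\d+)((?:\s*\(\d+\))*)$")


@dataclass(frozen=True, order=True)
class ControlRef:
    family: str
    number: int
    enhancements: tuple = ()

    @classmethod
    def parse(cls, text: str) -> "ControlRef":
        m = _CONTROL_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a control identifier: {text!r}")
        enh = tuple(int(e) for e in re.findall(r"\((\d+)\)", m.group(3)))
        return cls(m.group(1), int(m.group(2)), enh)

    def covers(self, other: "ControlRef") -> bool:
        """True if this entry is at least as stringent as `other`:
        same base control and a superset of its enhancements."""
        return (self.family, self.number) == (other.family, other.number) \
            and set(self.enhancements) >= set(other.enhancements)

    def __str__(self) -> str:
        return f"{self.family}-{self.number}" + "".join(
            f" ({e})" for e in self.enhancements)


# CONSTRUCTED baselines (not the real SP 800-53 tables): each higher level
# amplifies controls by adding indexed enhancements, never by dropping any.
SAMPLE_BASELINES = {
    "Low":    ["AC-2", "AU-5"],
    "Medium": ["AC-2 (1)", "AU-5", "IR-4"],
    "High":   ["AC-2 (1) (2)", "AU-5 (1) (2)", "IR-4 (1)"],
}


def categorize(impact: dict) -> str:
    """Overall categorization from per-CIA impact levels (high-water mark)."""
    for key in ("C", "I", "A"):
        if impact.get(key) not in LEVELS:
            raise ValueError(f"missing or unknown impact level for {key}")
    return max((impact[k] for k in ("C", "I", "A")), key=LEVELS.index)


def baseline_for(impact: dict) -> list:
    """Baseline control set selected by the overall categorization."""
    return [ControlRef.parse(c) for c in SAMPLE_BASELINES[categorize(impact)]]


def tailor(baseline, add=(), remove=(), compensating=None):
    """Apply tailoring. Additions are always accepted. A removal is accepted
    only when a compensating-control justification is supplied, and every
    accepted removal is returned separately so that it receives scrutiny."""
    compensating = compensating or {}
    result = set(baseline)
    for text in add:
        result.add(ControlRef.parse(text))
    flagged = []
    for text in remove:
        ref = ControlRef.parse(text)
        if text not in compensating:
            raise ValueError(f"cannot reduce {ref} without a compensating control")
        if ref not in result:
            raise ValueError(f"{ref} is not in the baseline")
        result.discard(ref)
        flagged.append((str(ref), compensating[text]))
    return sorted(result), flagged


def is_at_least(controls, required) -> bool:
    """Check that every required identifier is covered by some entry."""
    return all(any(c.covers(ControlRef.parse(r)) for c in controls)
               for r in required)


if __name__ == "__main__":
    impact = {"C": "Medium", "I": "Low", "A": "High"}   # constructed input
    base = baseline_for(impact)
    print(categorize(impact), [str(c) for c in base])
    tailored, flagged = tailor(
        base, add=["SI-4"], remove=["IR-4 (1)"],
        compensating={"IR-4 (1)": "constructed: outsourced incident handling"})
    print([str(c) for c in tailored], flagged)
```

The `covers` check is what lets an assessor verify that a tailored set is still at least as stringent as the baseline for a lower category, and the `flagged` list is the compensating-controls section the text says will receive scrutiny.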
In our experience of working with other firms, we have noted that consultants sometimes use a very similar approach in their proprietary “low-touch” security architecture framework service. Although there are more comprehensive architecture design methods, they often engage with senior management with a clean sheet of paper, and at a technical rather than a business level. Often this approach is used because previous assessments have been conducted incorrectly or the results have not been understood or available to the assessor.
5 “Recommended Security Controls for Federal Information Systems and Organizations,” August 2009 (updated May 2012), NIST Special Publication 800-53 Revision 3, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.
6 “HMG IA Standard No.1, Technical Risk Assessment,” Issue No 3.51, October 2009, CESG and Cabinet Office, http://www.cesg.gov.uk/publications/Documents/is1_risk_assessment.pdf.
Storage Security Governance
Storage Security Governance
Storage Security Governance
Storage Security Governance
Storage Security Governance
Storage Security Governance
Storage Security Governance
Storage Security Governance
Storage Security Governance
Storage Security Governance
Storage Security Governance

Weitere ähnliche Inhalte

Ähnlich wie Storage Security Governance

Call for Personalized Learning
Call for Personalized LearningCall for Personalized Learning
Call for Personalized LearningTom McDonald
 
Assignment 2Reflecting on Your Writing Paraphrasing and Academi.docx
Assignment 2Reflecting on Your Writing Paraphrasing and Academi.docxAssignment 2Reflecting on Your Writing Paraphrasing and Academi.docx
Assignment 2Reflecting on Your Writing Paraphrasing and Academi.docxrock73
 
Security advisor alliance primer
Security advisor alliance   primerSecurity advisor alliance   primer
Security advisor alliance primerJason Clark
 
Better Collaboration, Bigger Impact: How to Manage Work From Anywhere with Asana
Better Collaboration, Bigger Impact: How to Manage Work From Anywhere with AsanaBetter Collaboration, Bigger Impact: How to Manage Work From Anywhere with Asana
Better Collaboration, Bigger Impact: How to Manage Work From Anywhere with AsanaTechSoup
 
How Do You Create A Successful Information Security Program Hire A Great Iso!!
How Do You Create A Successful Information Security Program  Hire A Great Iso!!How Do You Create A Successful Information Security Program  Hire A Great Iso!!
How Do You Create A Successful Information Security Program Hire A Great Iso!!Tammy Clark
 
Welcome to OWASP World
Welcome to OWASP WorldWelcome to OWASP World
Welcome to OWASP WorldOWASP Khartoum
 
Welcome to OWASP Khartoum
Welcome to OWASP Khartoum Welcome to OWASP Khartoum
Welcome to OWASP Khartoum Obay Albadri
 
香港六合彩
香港六合彩香港六合彩
香港六合彩weige
 
IEEE Compute Edition-2
IEEE Compute Edition-2IEEE Compute Edition-2
IEEE Compute Edition-2Maitri Vaghela
 
Cybersecurity in Shared Services Organizations
Cybersecurity in Shared Services OrganizationsCybersecurity in Shared Services Organizations
Cybersecurity in Shared Services OrganizationsScottMadden, Inc.
 
Enabling fact based governance with analytics external
Enabling fact based governance with analytics externalEnabling fact based governance with analytics external
Enabling fact based governance with analytics externalSarabjeet Singh
 
Issip intro for picmet july 29 2013
Issip intro for picmet  july 29 2013Issip intro for picmet  july 29 2013
Issip intro for picmet july 29 2013Yassi Moghaddam
 
Coit20263 information security management assignment 2
Coit20263 information security management assignment 2Coit20263 information security management assignment 2
Coit20263 information security management assignment 2Sandeep Ratnam
 
Work Sample_Safety Congress Charter
Work Sample_Safety Congress CharterWork Sample_Safety Congress Charter
Work Sample_Safety Congress CharterEBONYE KAUFMAN
 
CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?
CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?
CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?CloudIDSummit
 

Ähnlich wie Storage Security Governance (20)

Call for Personalized Learning
Call for Personalized LearningCall for Personalized Learning
Call for Personalized Learning
 
Assignment 2Reflecting on Your Writing Paraphrasing and Academi.docx
Assignment 2Reflecting on Your Writing Paraphrasing and Academi.docxAssignment 2Reflecting on Your Writing Paraphrasing and Academi.docx
Assignment 2Reflecting on Your Writing Paraphrasing and Academi.docx
 
Security advisor alliance primer
Security advisor alliance   primerSecurity advisor alliance   primer
Security advisor alliance primer
 
Effective + Safe Club Data Management | Demosphere
Effective + Safe Club Data Management | DemosphereEffective + Safe Club Data Management | Demosphere
Effective + Safe Club Data Management | Demosphere
 
Safety and Reliability Society 'Get a colleague to join' campaign
Safety and Reliability Society 'Get a colleague to join' campaignSafety and Reliability Society 'Get a colleague to join' campaign
Safety and Reliability Society 'Get a colleague to join' campaign
 
IISE Letter
IISE LetterIISE Letter
IISE Letter
 
Better Collaboration, Bigger Impact: How to Manage Work From Anywhere with Asana
Better Collaboration, Bigger Impact: How to Manage Work From Anywhere with AsanaBetter Collaboration, Bigger Impact: How to Manage Work From Anywhere with Asana
Better Collaboration, Bigger Impact: How to Manage Work From Anywhere with Asana
 
How Do You Create A Successful Information Security Program Hire A Great Iso!!
How Do You Create A Successful Information Security Program  Hire A Great Iso!!How Do You Create A Successful Information Security Program  Hire A Great Iso!!
How Do You Create A Successful Information Security Program Hire A Great Iso!!
 
Welcome to OWASP World
Welcome to OWASP WorldWelcome to OWASP World
Welcome to OWASP World
 
Welcome to OWASP Khartoum
Welcome to OWASP Khartoum Welcome to OWASP Khartoum
Welcome to OWASP Khartoum
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
IEEE Compute Edition-2
IEEE Compute Edition-2IEEE Compute Edition-2
IEEE Compute Edition-2
 
Cybersecurity in Shared Services Organizations
Cybersecurity in Shared Services OrganizationsCybersecurity in Shared Services Organizations
Cybersecurity in Shared Services Organizations
 
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
 
Enabling fact based governance with analytics external
Enabling fact based governance with analytics externalEnabling fact based governance with analytics external
Enabling fact based governance with analytics external
 
Issip intro for picmet july 29 2013
Issip intro for picmet  july 29 2013Issip intro for picmet  july 29 2013
Issip intro for picmet july 29 2013
 
Need for Data Protection Training - How E-learning Can Help?
Need for Data Protection Training - How E-learning Can Help?Need for Data Protection Training - How E-learning Can Help?
Need for Data Protection Training - How E-learning Can Help?
 
Coit20263 information security management assignment 2
Coit20263 information security management assignment 2Coit20263 information security management assignment 2
Coit20263 information security management assignment 2
 
Work Sample_Safety Congress Charter
Work Sample_Safety Congress CharterWork Sample_Safety Congress Charter
Work Sample_Safety Congress Charter
 
CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?
CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?
CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?
 

Mehr von Vinoth Sivasubramanan

Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationVinoth Sivasubramanan
 
Business Continuity Management - Best Practice Across Industries
Business Continuity Management - Best Practice Across IndustriesBusiness Continuity Management - Best Practice Across Industries
Business Continuity Management - Best Practice Across IndustriesVinoth Sivasubramanan
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk  Management In The  Web 2.0  EnvironmentSivasubramanian Risk  Management In The  Web 2.0  Environment
Sivasubramanian Risk Management In The Web 2.0 EnvironmentVinoth Sivasubramanan
 
4th Annual Corporate Governance Congress
4th Annual Corporate Governance Congress4th Annual Corporate Governance Congress
4th Annual Corporate Governance CongressVinoth Sivasubramanan
 

Mehr von Vinoth Sivasubramanan (8)

Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai Presentation
 
Business Continuity Management - Best Practice Across Industries
Business Continuity Management - Best Practice Across IndustriesBusiness Continuity Management - Best Practice Across Industries
Business Continuity Management - Best Practice Across Industries
 
Security kaizen cloud security
Security kaizen   cloud securitySecurity kaizen   cloud security
Security kaizen cloud security
 
Security kaizen consumerization
Security kaizen   consumerizationSecurity kaizen   consumerization
Security kaizen consumerization
 
DDOS Audit
DDOS AuditDDOS Audit
DDOS Audit
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk  Management In The  Web 2.0  EnvironmentSivasubramanian Risk  Management In The  Web 2.0  Environment
Sivasubramanian Risk Management In The Web 2.0 Environment
 
3rd Annual CISO Round Table
3rd Annual CISO Round Table3rd Annual CISO Round Table
3rd Annual CISO Round Table
 
4th Annual Corporate Governance Congress
4th Annual Corporate Governance Congress4th Annual Corporate Governance Congress
4th Annual Corporate Governance Congress
 

Kürzlich hochgeladen

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 

Kürzlich hochgeladen (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 

Storage Security Governance

  • 1. December 2012 Volume 10 Issue 12 Storage Security Governance: A Case Study Structured Risk Analysis Offers Rich Rewards Network Device Forensics Network Device Forensics
  • 2. Table of Contents Feature 12 Network Device Forensics By Didier Stevens – ISSA member, Belgian Chapter The goal of this article is to raise awareness about the measures you can take to improve the success of network forensics. 16 Storage Security Governance: A Case Study By Vinoth Sivasubramanian – ISSA member, UK Chapter The author describes the experiences and results of an assignment that brought about a marked improvement in storage security for a commodity trading organization. The practical steps suggested will aim to answer some of the core challenges surrounding storage and bring about a continual-improvement storage security program. 24 Structured Risk Analysis Offers Rich Rewards By Greg Jones Risk analysis is a far from exact science with assessments continuing to vary in scope. This article discusses the emergence of context-aware classification systems and methods that can guide you through the process with pre-categorized risk information and could be the key to effective risk and threat analysis. ©2012 Information Systems Security Association, Inc. (ISSA) The ISSA Journal (1949-0550) is published monthly by the Information Systems Security Association, 9220 SW Barbur Blvd. #119-333, Portland, Oregon 97219. Articles Also in this issue 3 From the President 4 editor@issa.org 5 Sabett’s Brief Holiday Shopping with My Smartphone 6 Herding Cats Pocket Storage for All 7 Security Awareness Security Awareness Training Feedback Surveys 8 Association News 30 Risk Radar YARA Signatures 32 toolsmith ModSecurity for IIS: 36 Conferences 2 – ISSA Journal | December 2012 ©2012 ISSA • www.issa.org • editor@issa.org • All rights reserved.
  • 3. From the President International Board Officers President Ira Winkler, CISSP, Distinguished Fellow Vice President Andrea C. Hoy, CISM, CISSP, MBA Secretary/Director of Operations Bill Danigelis, CISSP, Senior Member Treasurer/Chief Financial Officer Kevin D. Spease, CISSP-ISSEP, MBA Board of Director Members Frances “Candy” Alexander, CISSP, CISM, Distinguished Fellow Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow Mary Ann Davidson Distinguished Fellow Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS Pete Lindstrom, CISSP George J. Proeller, CISSP, CISM, ISSAP, ISSMP, D.CS, Distinguished Fellow Nils Puhlmann, CISSP-ISSMP, CISM Brian Schultz, CISSP, ISSMP, ISSAP, CISM, CISA, Fellow Stefano Zanero, Ph.D., Senior Member DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY Hello ISSA members Ira Winkler, International President The Information Systems Security Asso- ciation, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publica- tions and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individu- als and chapters all over the world, the ISSA is the largest international, not-for- profit association specifically for security professionals. Members include practitio- ners at all levels of the security field in a broad range of industries, such as com- munications, education, healthcare, man- ufacturing, financial, and government. The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is fo- cused on maintaining its position as the preeminent trusted global information security community. 
The primary goal of the ISSA is to pro- mote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. T oday, I reviewed the schedule for the upcoming RSA Conference in February, and I am looking forward to the ISSA Member Recep- tion that will be held on Tuesday of the conference. While the whole conference is generally a great opportunity to get together with other security profession- als, our reception is an opportunity to recognize the accomplishments of our peers. This reminds me that the nomination process for the ISSA Fellow Program is currently open until December 5. This program acknowledges sustained mem- bership and contribution to the ISSA, as well as the information security com- munity in general. So, let me take this opportunity to remind everyone that you should look to yourselves and fellow members to consider people to nomi- nate. There are several levels in the Fellow Pro- gram. The first is Senior Member, which acknowledges sustained membership within ISSA. Specifically, after five years of membership you are eligible for the Senior Member designation. To apply, you need to complete the online applica- tion on the ISSA website and have your local chapter complete the endorsement form. There are other requirements, but this is the basic flow. Yes, it is the intent of the ISSA to engage members with their local chapters. The chapters will support the applicants; the applicants will see the benefits of in- teracting with other members and take advantage of the networking opportu- nities. Hopefully, most applicants have already been participating within their chapters, and this engagement increases the strength of the chapters as well. 
The Fellow and Dis- tinguished Fellow designations are reserved for members who have not only sustained long-term membership, but have also served in leadership positions within the ISSA as well as serving the information secu- rity community as a whole. There are a number of qualifications that applicants must meet. I recommend that you check the ISSA website (=> Advance) to de- termine the specific requirements, and seek out a party who can nominate you or another deserving member. Before being elected president, I was responsible for overseeing the Fellow Program, and it was actually the most rewarding aspect of serving on the ISSA International Board. Specifically, I was the person responsible for acknowledg- ing members’ accomplishments. It was a pleasure to personally congratulate these people in front of their peers and large audiences. Rarely is there such an opportunity to acknowledge people in our profession. I have also received messages expressing appreciation from the people who have been accepted into the varying levels of the program. We all appreciate the rare recognition of our professional accom- plishments. It encourages us to serve the ISSA as well as the larger information security community. So, please consider reviewing the re- quirements of the three levels of the Fellow Program, and consider people to nominate. They and the ISSA will thank you. Ira Winkler December 2012 | ISSA Journal – 3©2012 ISSA • www.issa.org • editor@issa.org • All rights reserved.
  • 4. The information and articles in this magazine have not been subjected to any formal test- ing by Information Systems Security Association, Inc. The implementation, use and/or se- lection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the respon- sibility of the reader. Articles and information will be presented as technically correct as possible, to the best knowl- edge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Techni- cal inaccuracies may arise from printing errors, new develop- ments in the industry and/or changes or enhancements to hardware or software compo- nents. The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the mem- bers and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories and articles become the prop- erty of ISSA and may be distrib- uted to, and used by, all of its members. ISSA is a not-for-profit, inde- pendent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate in- formation security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org. All product names and visual representations published in this magazine are the trade- marks/registered trademarks of their respective manufacturers. editor@issa.org Another year is drawing to a close. T hank you, authors, most of whom are ISSA members, for sharing your insights, experiences, and expertise – and I certainly encourage others to submit as well. 
Thank you, advisory board members, for your efforts to keep the Journal relevant and informative – we’ve developed next year’s editorial calendar and it looks like another great year ahead. Visit the ISSA website => Learn => ISSA Journal => 2013 Calendar to see where you might be able to contribute. Of course, if you think a topic has been over- looked, let us know, or better yet, submit an article to close the gap. And thank you, readers – the why we do what we do. I encourage you to let us know how we are doing; offer up some comments and considerations on an article you’ve read; send in a letter to the editor, agreeing or disagreeing – let’s keep the dialog going. And I wish you all Happy Holidays and a safe, prosperous, and secure New Year. – Thom ISSA Journal Editor: Thom Barrie editor@issa.org Advertising: advertising@issa.org 866 349 5818 +1 206 388 4584 x101 Editorial Advisory Board Mike Ahmadi Michael Grimaila, Fellow John Jordan, Senior Member Mollie Krehnke, Fellow Joe Malec, Fellow Donn Parker, Distinguished Fellow Joel Weise – Chairman, Distinguished Fellow Branden Williams, Fellow Services Directory Website webmaster@issa.org 866 349 5818 +1 206 388 4584 Chapter Relations chapter@issa.org 866 3495818 +1 206 388 4584 x103 Member Relations member@issa.org 866 349 5818 +1 206 388 4584 x103 Executive Director execdir@issa.org 866 349 5818 +1 206 388 4584 x102 Vendor Relations vendor@issa.org 866 349 5818 +1 206 388 4584 x101 Headquarters ISSA Inc. 9220 SW Barbur Blvd. #119-333, Portland, OR 97219  •  www.issa.org Toll-free: 866 349 5818 (USA only)  •  +1 206 388 4584  •  Fax: +1 206 299 3366 Welcome to the December Journal Thom Barrie – Editor, the ISSA Journal 4 – ISSA Journal | December 2012 ©2012 ISSA • www.issa.org • editor@issa.org • All rights reserved.
Sabett’s Brief
Holiday Shopping with My Smartphone
By Randy V. Sabett – ISSA member, Northern Virginia, USA Chapter

So, how many of you would trust your mobile device to securely handle a high or very high value mobile transaction? After all, security and trust serve as two of the building blocks upon which decisions about risk in the mobile environment can be made. From a corporate perspective, such decisions ultimately can affect the liability that an organization will face as a result of how its employees use mobile technology. Today’s mobile technology, unfortunately, often has weak (or even nonexistent) security and trust. To address this shortcoming, NIST recently released another draft in their 800-series of Special Publication documents.[1] Entitled “Guidelines on Hardware-Rooted Security in Mobile Devices,” Draft SP 800-164 introduces a security framework for mobile devices.

Draft SP 800-164 establishes up front that various overlapping roles exist related to mobile devices, with the main use case focused on enterprise deployments of technology and, specifically, “bring your own device” (or BYOD). For example, the roles of Device Owner and Information Owner can be played by either the company or the employee, depending on the particular arrangement between the two. Interestingly, Draft SP 800-164 does not mention the role of the government or regulators. It also does not talk about the liability that a stakeholder might have as a result of taking on a particular role. Each of the entities that it does discuss, however, has a particular set of interests and identifiable activities within the mobile environment. The resulting liability concerns necessitate a deeper inquiry into the security components and hardware features available (or that should be available) on the particular devices.

From a security perspective, various Roots of Trust exist that provide varying degrees of protection to the mobile environment. A future BYOD approach may no longer be limited to a binary “yes, you may bring your device” or “no, you may not bring your own device.” Instead, depending on how much or how little liability exposure an organization may decide to take on, it may want to examine both the security components and the security capabilities in the devices it will be deploying.

Draft SP 800-164 states that three security components are required within mobile devices. First, the Roots of Trust (RoTs) mentioned above must be implemented as “security primitives composed of hardware, firmware, and/or software that provide a set of trusted, security-critical functions.” Second, an Application Programming Interface (API) must be implemented that exposes the RoTs to the device and the OS so that those RoTs can be used to provide a chain of trust. Third, a Policy Enforcement Engine must exist to enable the use of policies on the mobile device. These security components must further be used to implement the three mobile security capabilities of device integrity, isolation, and protected storage.

The guidance goes on to describe a number of different contexts in a “notional architecture” of a typical mobile device. Within those contexts, the components above should be used to provide the capabilities of (a) device integrity (defined as “the absence of corruption in the hardware, firmware, and software of a device”), (b) isolation (defined as “the capability to keep different data components and processes separate from one another”), and (c) protected storage (a fairly well-understood concept that “depends heavily on encryption and integrity protection”). Again, these can combine to provide some level of protection for the organization.

Overall, the Draft SP 800-164 does a reasonable job of introducing the issues of trust and security in a mobile environment, then providing a conceptual approach for addressing and improving those issues. Future drafts could go further by addressing three critical things: (1) providing practical guidance on how companies can apply the concepts in the document, (2) the role of the government in the mobile deployment environment, and (3) how the various technical and policy concepts in the framework can be used to limit the liability of an organization looking to roll out or improve their mobile deployment.

Now, I’m headed off to do all of my shopping…using my Android phone. Have a wonderful and safe holiday season!

[1] See http://csrc.nist.gov/publications/PubsSPs.html.

About the Author
Randy V. Sabett, J.D., CISSP, is Counsel at ZwillGen PLLC (www.zwillgen.com), an adjunct professor at George Washington University, and a member of the ISSA NOVA Board of Directors. He was a member of the Commission on Cybersecurity for the 44th Presidency and can be reached at randy@zwillgen.com. The views expressed herein are those of the author and do not necessarily reflect the positions of any current or former clients of ZwillGen or Mr. Sabett.
Herding Cats
Pocket Storage for All
By Branden R. Williams – ISSA Fellow and member, North Texas, USA Chapter

I can hear the friendly ribbing now. “Oh GEE Brando, an issue dedicated to storage? I am sure you will have fun towing the company line on that one! After all, you joke about how storage is cheaper for you than others when you talk about collection without limitations.” Sure, generic security guy, I do joke about that. But I wanted to take this month’s column in a different direction. It does deal a little bit with storage, but it’s the storage we carry with us every day. Yep, the old smartphone problem, and what the heck is that thing doing?

I’m presently writing this column about three weeks before you will read it. It’s the week following BSidesDFW, which was a great success thanks to the fantastic organizers and community surrounding them. One session in particular that I really enjoyed was with Francisco Artes live, and hilarity from Gal Shpantzer via Skype, where they discussed how smartphone storage worked and the security features of both the Android and iPhone platforms. I’ve written and blogged about the super forensic-friendly nature of these devices, but it wasn’t until this session that I really began to understand the nature of what is left around on these devices. I’ve been very interested in doing forensic analyses of the phones in my house, but I’ve not had the time or networking abilities to get into the right crowds to both gain the knowledge and equipment required.

Here’s the good news. If you have an iPhone, you probably have pretty seamless upgrades into newer versions of iOS and the adoption rate is insane (over 61% at the end of October). If you have an Android, you may be frustrated with your ability to upgrade depending on the carrier or handset.

So let’s talk bad news for iPhone users now, because I was certainly enlightened to learn how the underlying storage and the security models work. Everything on your iPhone is essentially stored in a database. Great for quick access and organization, and it allows for some containerization such that application data doesn’t commingle. Sounds great so far, right? But what happens if you delete a text message or something from an application? Since you deleted it, it must be gone, right? Nope. The database entry is marked in a way that allows it to eventually be overwritten, but it still is on the phone. So a forensic analysis will show all those texts that you thought you deleted.

But wait, because it gets SO much worse. Every time you back up your iPhone, all of those entries that you have marked as deleted are backed up right with all the good stuff that you want to see. This means that it becomes insanely hard to remove them from your device because they now are in your backups. If you grab the newest iPhone and restore from your old backup, all of those deleted texts now make their way onto your new phone! According to Francisco and Gal, the only way to prevent this is to set up your iPhone as a NEW device, not restoring from backup. That is, start all over.

Now let’s put on our tin foil hats and get really suspicious of everything with a battery. Maybe you are one of the many iPhone users who doesn’t have a (working) home computer. Or maybe you want to take advantage of Apple’s generous offer to back up your phone for you via iCloud so that no matter where you are, you can restore your phone if you have a problem. Do you see where I am going? All of those deleted texts are now up in the cloud and out of your control. If you were thinking of doing something illegal and coordinating it from your iPhone, your backups could be subpoenaed without your knowledge and all of those deleted texts might be in the hands of the Feds. Yikes!

The point of Francisco and Gal’s presentation wasn’t necessarily to make everyone run from the room screaming in fear, but to uncover some of the good security-related things that mobile devices can do while highlighting the snakes in the grass that we all need to be aware of – especially corporate security folks who are charged with keeping information secure on those devices. It might be time to re-think about how information moves throughout your company and see how bad a lost cell phone might actually be.

About the Author
Branden R. Williams, CISSP, CISM, is a CTO at RSA, the Security Division of EMC, ISSA Fellow, and regularly assists top global retailers, financial institutions, and multinationals with their information security initiatives. Read his blog, buy his book, or reach him directly at http://www.brandenwilliams.com/.
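The effect the column describes, reproduced as an added example that is not part of Branden Williams’s column and not Apple code: it assumes the store is an SQLite database (the column only says “a database”; SQLite is what most mobile apps embed) and shows that a deleted row’s text stays in the database file, that a file-level backup carries it along, and that two controls actually remove the bytes: the secure_delete pragma and VACUUM. The message text is a constructed sample.

```python
"""Why a "deleted" message can survive in a database file and in its backups.

Added illustration (not from the column or from Apple). Uses SQLite, an
assumption about the storage engine, to reproduce the behaviour described.
"""
import os
import shutil
import sqlite3
import tempfile

# Constructed sample message; any distinctive text works.
SECRET = "the text I thought I had deleted"


def residue_present(path):
    """True if the raw bytes of the file still contain the message text."""
    with open(path, "rb") as f:
        return SECRET.encode() in f.read()


def delete_and_check(secure_delete=False, vacuum=False):
    """Store SECRET, delete it the way an app would, then inspect the file.

    Returns (database_has_residue, backup_has_residue)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "messages.db")
    try:
        conn = sqlite3.connect(path, isolation_level=None)  # autocommit each statement
        conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO message (body) VALUES (?)", (SECRET,))
        # Explicitly set the pragma: some SQLite builds default it ON, others OFF.
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        conn.execute("DELETE FROM message")  # the row is only marked as free space
        if vacuum:
            conn.execute("VACUUM")  # rebuilds the file, dropping freed space
        conn.close()
        backup = path + ".backup"
        shutil.copyfile(path, backup)  # a file-level backup copies the residue too
        return residue_present(path), residue_present(backup)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print("plain delete     :", delete_and_check())
    print("secure_delete ON :", delete_and_check(secure_delete=True))
    print("delete + VACUUM  :", delete_and_check(vacuum=True))
```

The plain delete leaves the text recoverable from both the database and its copy; secure_delete zeroes the freed cell at deletion time, and VACUUM rewrites the file without the free space, which is the kind of cleanup a backup process would have to do before the deleted entries stop travelling with it.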
Security Awareness
Security Awareness Training Feedback Surveys
By Geordie Stewart – ISSA member, UK Chapter

Whoever said that there’s no such thing as a stupid question, only a stupid answer, has probably never seen a feedback survey for security awareness training sessions. Questions such as “Did you learn anything?” and “Do you feel more secure?” are as common as they are idiotic. I guess it’s largely shaped by the motives of who is asking the question. The trainers involved are primarily interested in demonstrating that they are good trainers and questions are designed to elicit complimentary feedback. Feedback surveys are a great chance to obtain valuable feedback, but only if we’re asking the right questions.

In this column we’re going to look at training feedback surveys in more detail. Getting useful feedback from training sessions is challenging, but not impossible. For a start, you need to be aware of people’s biases. Surveys measure “declared preferences” since they rely on people expressing their views. While easier to gather, declared preferences have inherent biases that need to be acknowledged and allowed for when interpreting the results. “Revealed preferences” are what people actually do, but measuring what people do accurately and efficiently can be difficult, especially if people know they’re being observed. Here are some suggestions for allowing for people’s biases while obtaining reliable survey data.

Selection Bias. By definition, the population available to fill out training awareness feedback forms are usually those who actually attended. Therefore, the results do not include those who chose not to attend. Consider carefully what the people who didn’t attend might say. That the training was too long? Too basic? Too boring? If people have perceptions that are holding them back from attending, it’s important to find out why. It’s not necessarily about the session; it’s about people’s perceptions of the session which also need to be managed. You may want to consider a survey targeted at people who didn’t attend to ask them why.

Confirmation Bias. When we signal the desired answer in the phrasing of the question, we deserve the answers we get. It’s human nature to avoid confrontation or disappointing people, and there is a tendency for people to tell us what we want to hear. To counter this bias, try to avoid questions which are phrased in moral terms. Look out for the word good as it normally signals a moral norm and therefore an expected answer.

Intention Bias. People have all sorts of good intentions. Go to the gym. Lose weight. Stop smoking. However, there is a big gap between intent at a point in time and what people actually do in the following days and months. It’s all very well people declaring their intention to take security more seriously, but you should have a glance at your own 2012 New Year’s resolutions for a reality check. If you’re going to bother asking people about their intentions after training, then you should have a way of measuring later how many people followed through.

Phrasing. Questions should be as short as you can make them without becoming vague, and you should only ask one question at a time. For example, “Was the training clear and easy to follow?” actually mixes up two different concepts, which mean different things – training clarity and training pace. Where questions are unclear or confusing, the temptation will be to abandon the survey (which reduces completion rates) or skip through (which reduces data quality).

Be Specific. Avoid subjective words that are going to have different interpretations. For example, the word often will mean different things to different people. Instead of a word like often, try setting out a specific time frame such as “at least once a week.”

Vocabularies. The use of obtuse linguistic structures (complex sentences) and TLAs (vague acronyms) will cause problems by impacting both completion rates and data quality. Consider trying out your test questions on some volunteers and ask them to repeat back to you in their own words what your question is asking. You may be surprised at how your questions were interpreted. When you reliably get people repeating back your questions as you intended, then you’re ready to go.

Designing effective surveys does take time and effort, but is worth it in order to obtain valuable feedback. It is important to allow for people’s biases and tendencies when designing a survey. If you’re judging the “success” of your security awareness training by feedback from slackers who hang around to gossip after training sessions and tell you what you want to hear, you’re probably wasting your time.

About the Author
Geordie Stewart, MSc, CISSP, is the Principle Security Consultant at Risk Intelligence and is a regular speaker and writer on the topic of security awareness. His blog is available at http://www.risk-intelligence.co.uk/blog, and he may be reached at geordie@risk-intelligence.co.uk.
Association News

Connect with Us
Do you tweet? ISSA now has a Twitter page! Don’t forget to like us on Facebook! You can also find us on LinkedIn! When it comes to cybersecurity, being out of the loop is a dangerous place. Keep informed with ISSA social media connections – just click the icons.

FEBRUARY 5, 2013 • LONDON, ENGLAND
Announcing the 2013 ISSA European Conference. This event will focus on some key challenges we all face: Cyber Crime, Cyber Conflict, and Cyber Espionage. At this conference attendees will hear from leading European and international speakers that will inform and set our future direction in Information Security. A great value, ISSA members can attend for just $35 USD. Visit www.issaconference.org to register today. Space is limited.

Keynote Presentations Now Online!
Click here to view video recordings of the 2012 International Conference Keynote Presentations. Additional recordings will be available in the months following the conference. Please look for announcements in member communications and on ISSA’s social media sites.

The ISSA Web Conferences bring together ISSA members from around the world to share leading industry presentations and answer members’ questions. Each event is designed to address the timely needs of our members through a live online event and a subsequent recorded version for on-demand viewing. All content is developed by the ISSA Web Conference Committee.

CPE Credit Available: ISSA members will be eligible for a certificate of attendance, after successful completion of a post-event quiz, to submit CPE credits for various certifications.

Predictions for the New Year
Date: January 22, 2013
Start Time: 9:00 a.m. US Pacific / 12:00 p.m. US Eastern / 5:00 p.m. London
Once again some brave (or foolish?) folks volunteer some insights and predictions into where infosec challenges will come from in 2013 and beyond. To a degree, changes in legislation and technology are easy meat to predict in a 12-month time frame. But what about environmental impacts such as cyberattacks and cyberwarfare trends? Will the cold wind of social media exploits bring infosec into focus for the ignorant end user? What is likely to be the next big hurricane of “wikileaks-type” exposure to rock the industry? Where will the wind of change blow security in the “cloud?” Will the heat be turned up further on compliance requirements? Will there be a drought of funds making everything we want to do harder to achieve? Join us, make notes, and then check back in a year to see how we did!
Click here for more information on our 2013 schedule.

Comments on Howard Schmidt Keynote
Hearing the interview with Howard Schmidt after his time serving in the US Whitehouse was one of the conference highlights for me. ISSA is so fortunate in having a previous ISSA president serving as a special advisor to President Obama. Howard’s views on security threats to small-medium-sized businesses were particularly interesting.[1] This is an area that the ISSA UK Chapter has focussed on for the last two years with the ISSA5173 standard,[2] which was presented at the conference by ISSA UK Board member, Gabe Chomic (Critically Unprotected Infrastructure: Information Security and Small Business).
Geoff Harris – ISSA International Director and member, UK Chapter
[1] http://www.scpr.org/news/2012/10/29/34760/anaheim-ex-cyber-security-czar-warns-threat-smalle/.
[2] http://issa5173.com/.

(Photo captions: International Director Pete Lindstom’s fireside chat with former US Cybersecurity Coordinator and former ISSA International President, Howard Schmidt; Embracing Change Keynote Panel.)
Association News

My First Experience at an ISSA International Conference

Being able to attend the ISSA International Conference was like opening a treasure chest and finding all kinds of jewels and valuable objects to enjoy: the speakers, the exhibitors, and the time for networking and conversations with people – including those who had only been voices on the telephone. Our keynote and featured speakers were marvelous in their perspectives of information security and how we can embrace a changing world – and the surprising key to our success is communication and building relationships, not the deployment of new technology (although that has its place). Be ready to explain new technologies to the C-suite and show how they relate to business success; they won’t fund what they don’t understand.

Day 1
Jay Leek (Taking Your US-Focused Risk Management and Security Program International) had great advice: keep it simple, do not confuse email with communication, pick up the phone and call, and lead by example. Christofer Hoff (Stuff My Cloud Evangelist Says: Just Not to the CSO) discussed the 7 dirty words for security. He said we can’t afford a turf battle; this isn’t West Side Story. Rafal Los (House of Cards - How Not to Collapse When Bad Things Happen) presented an effective perspective for responding to new “challenges” – resilience. Bad things are going to happen, but how are you going to respond and “get back to business.” Be pragmatic, create staged attacks, assess your response, and update your response; do it until it is “muscle memory.”

On Day 2
Howard Schmidt (morning keynote) reminded us that we have to be able to listen and to negotiate; we need to get personal relationships going with key persons in our organization. He quoted Althea Gibson: “We can’t accomplish anything without others.” Stephen Northcutt (Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge) focused on leading in a time of change and having situational awareness; be alert for what you can measure and know what is “ever green.” Consider giving up a low-value task to pursue a high-value task; decide what you want to accomplish, make a plan, and you will achieve great things.

Andy Ellis (Social Engineering the Risk Hindbrain: How to Avoid Security Subsistence Syndrome) had a captivating presentation topic of “Herding Lizards”; lizards know fear, they run away! People consider risk differently; “safe” means different things to different roles: CEO, Sales, Product Development, CFO, Employees, and Security. Train people to get used to fixing risks; make them less afraid of it. If you try for “perfect,” you won’t get to “good.” So, as an individual, get better at what you do now; do three things well and then pick up something else.

Next year the conference is in Tennessee, a very hospitable location that is reachable from any port. If you didn’t get to attend this year’s conference – or even if you did – definitely consider attending in 2013; it will be a wonderful and enlightening experience (y’all).

Conference Recap from Mollie Krehnke, ISSA Fellow and member, Raleigh, USA Chapter
[Note: Mollie received her ISSA Fellow award at the conference.]
(Photos: Christofer Hoff; Rafal Los)
Association News

Survey Results on Cyber Terrorism from the International Conference

At ISSA International this year, exhibitor and sponsor Ixia interviewed security professionals to gain insight into their thoughts on cyber terrorism. And here’s what they found:

1. Do you anticipate a major cyber terrorism event to occur in the next year?
79% responded yes to this question. In our discussions with these security experts, many of them said “It’s already happening!”

2. Which industry do you feel is the strongest target for cyber terrorism?
• Oil & Gas 12.3%
• Finance 22.8%
• High Tech 0%
• Government 17.1%
• Power grid 35.2%
• Utilities (water, etc.) 12.4%

The respondents viewed the financial industry as the most tempting target, with profit as a chief motivation. However, many acknowledged that the finance industry was better protected than some other industries, such as power grid and utilities, which received a combined 48% of the vote. Utilities and the power grid were called out as being wired-in to the Internet and under-protected, AND a target that would cripple the nation if the attack was successful. Also, several respondents requested a Select All option as they viewed all options as vulnerabilities. It’s interesting to note that there were no votes for High Tech as a top target for cyber terrorism. Though High Tech is clearly an Advanced Persistent Threat (APT) target, it was not regarded as a cyber terrorism target.

3. Do you believe it’s the responsibility of the US Government to protect you from cyber terrorism?
People really had to think about this question. The majority of respondents – 59% – believed it is the US Government’s responsibility to protect us. The remaining 41% disagreed, with many of them lacking faith and trust in the government’s ability to move quickly enough to be effective. Worth noting is the fact that respondents who worked for the government universally felt it was a responsibility of the government. Many respondents who answered positively likened the situation to the expectation that the government is responsible for preventing physical terrorism, and that the parallel should hold for cyber terrorism. On the other side of the coin, shared responsibility was a common theme. Several respondents used the example of protecting your house – the government is expected to provide protection, but in the end homeowners are responsible for protecting themselves with appropriate security measures.

The fight against cyber terrorism continues…
It was interesting to pick the brains of the security pros attending ISSA International this year, since these are the men and women on the front lines of the fight against cyber terrorism. While they may have disagreed on the top target for cyber terrorism and whose responsibility it is to stop it, there was no question among our respondents that it’s a growing threat that requires constant vigilance.

Conference Recap from Kate Brew – ISSA member, Capitol of Texas Chapter
ISSA London 2013 • February 5, 2013
Deloitte Offices, 2 New Street Square, London, UK
Presented by ISSA International & Generously Hosted by Deloitte

The 2013 ISSA London Conference will focus on some key challenges we all face: Cyber Crime, Cyber Conflict, and Cyber Espionage.

Opening Keynote: Digital Identity, State Protective Monitoring, and Civil Liabilities – Right Honourable David Davis MP, House of Commons, UK Parliament
Cooperation in Securing National Critical Infrastructure – Dr. Steve Purser, Head of Technical Competence Department, European Network & Information Security Agency (ENISA)
Cyber Crime Challenges for Europe – Dr. Victoria Bains, Europol Cyber Crime Centre
Establishing Trust Across International Communities – Patrick Curry OBE, Director, British Business Federation Authority
Insider Attacks: Lessons Learned – Dr. Thiébaut Devergranne, Docteur en droit/Doctor of Law in France
Eddie Schwartz, VP & Chief Information Security Officer, RSA, The Security Division of EMC
Closing Keynote: Red Dragon Rising Across Europe – Lt Col William Hagestad II USMCR

A great value! ISSA members can attend for $35 USD, non-members for $105 USD.
Register Today • Space is limited. www.issaconference.org

ISSA will be hosting two satellite events in conjunction with ISSA London 2013:
February 4: This peer-only event will feature executive briefings from Lt Col William Hagestad II USMCR, a leading authority on Chinese Cyber & Information Warfare, and Eddie Schwartz, VP & Chief Information Security Officer, RSA, The Security Division of EMC. Attendance at this event is by invitation only.
February 6: Join ISSA’s European leaders for an event focused on growing and supporting chapters in the region. The Chapter Leaders Summit is open to Chapter Board Members and Officers.
Network Device Forensics
By Didier Stevens – ISSA member, Belgian Chapter

The goal of this article is to raise awareness about the measures you can take to improve the success of network forensics.

Imagine that a rogue laptop connects to your corporate WiFi and is able to access the Internet via your corporate proxy server. Let us assume that your WiFi is protected by a pre-shared key, but that this rogue laptop is owned by a former employee. Will you detect this? And will you be able to trace back to the former employee?

A foreign competitor hires a tech-savvy criminal to install a trojaned operating system on your edge router. This trojan facilitates access to your corporate network for unauthorized persons by tampering with the authentication control logic. Will you detect the trojaned router?

These two examples represent two common classes of forensic investigations where forensic evidence needs to be collected from network devices. In the first example, network devices contain evidence of the network traffic that flowed through them. In the second example, network devices have been compromised and forensic evidence needs to be lifted from them.

Forensic evidence gathered by network devices

To operate properly, network devices need to maintain information about the network traffic they process. Since network devices have limited amounts of memory compared to general purpose computers, they tend to collect only the bare essential information for their processes, and this information is discarded rather quickly when it is no longer needed. There is often a significant delay between the time a security incident occurs and the time the forensic investigation starts. And as a switch or router discards obsolete metadata quickly, you will not find forensic evidence if you react too late. But you can improve the success rate of your forensic evidence gathering by configuring your switches and routers to collect additional data and persist this data.
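What that persisted data buys you in the first scenario above (the rogue laptop), shown as an added example that is not code from the article or from any vendor: it assumes the DHCP server’s lease events are forwarded to a central syslog repository in ISC dhcpd’s “DHCPACK on <ip> to <mac> (<hostname>) via <interface>” form, that the switch’s DHCP snooping binding table (a Cisco feature the article covers later) has been exported as text in the column layout of a “show ip dhcp snooping binding” listing, and that managed corporate machines follow a “corp-” hostname convention. Every log line, address, MAC and hostname below is a constructed sample.

```python
"""Trace a rogue DHCP client back to the switch port that served it.

Added example (not the article's code). Inputs, all constructed samples:
  - syslog lines forwarded by the DHCP server (ISC dhcpd DHCPACK form),
  - the switch's DHCP snooping binding table, exported as text,
  - a hostname convention that identifies managed corporate machines.
"""
import re

# --- constructed samples ------------------------------------------------------
SAMPLE_SYSLOG = """\
Dec  3 09:14:02 dhcp1 dhcpd: DHCPACK on 10.1.20.31 to 00:50:56:a1:22:33 (corp-lt-0421) via eth0
Dec  3 09:15:47 dhcp1 dhcpd: DHCPACK on 10.1.20.57 to 00:1a:2b:3c:4d:5e (contractor-pc) via eth0
Dec  3 09:16:10 dhcp1 dhcpd: DHCPACK on 10.1.20.58 to 00:1a:2b:3c:4d:77 via eth0
Dec  3 09:16:12 sw-floor2 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to up
"""

SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:56:A1:22:33   10.1.20.31       86400       dhcp-snooping  20    GigabitEthernet1/0/3
00:1A:2B:3C:4D:5E   10.1.20.57       86400       dhcp-snooping  20    GigabitEthernet1/0/7
Total number of bindings: 2
"""

# Hostname convention for managed corporate machines (assumption).
CORPORATE_HOST = re.compile(r"^corp-[a-z]+-\d{4}$")

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via "
)
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


def norm_mac(mac):
    """Canonical MAC: 12 lowercase hex digits, whatever separator the source used."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_dhcpacks(syslog_text):
    """Yield (ip, mac, hostname) per DHCPACK; hostname is '' when the client sent none."""
    for line in syslog_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            yield m.group("ip"), norm_mac(m.group("mac")), (m.group("host") or "")


def parse_binding_table(text):
    """Map normalised MAC -> {'ip', 'vlan', 'interface'}; header/footer lines are skipped."""
    bindings = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and MAC_RE.match(cols[0]):
            bindings[norm_mac(cols[0])] = {"ip": cols[1], "vlan": cols[4], "interface": cols[5]}
    return bindings


def find_rogue_clients(syslog_text, bindings_text, approved=CORPORATE_HOST):
    """One record per lease whose hostname does not match the convention, enriched
    with the serving switch interface from the snooping table (None if unknown)."""
    bindings = parse_binding_table(bindings_text)
    rogues = []
    for ip, mac, host in parse_dhcpacks(syslog_text):
        if approved.match(host):
            continue                       # a managed machine; nothing to trace
        binding = bindings.get(mac, {})    # empty when no switch recorded this lease
        rogues.append({
            "hostname": host or "<none>",  # a missing hostname is itself suspicious
            "ip": ip,
            "mac": mac,
            "vlan": binding.get("vlan"),
            "interface": binding.get("interface"),
        })
    return rogues


if __name__ == "__main__":
    for r in find_rogue_clients(SAMPLE_SYSLOG, SAMPLE_BINDINGS):
        where = r["interface"] or "no snooping binding: check WLC/AP logs"
        print("%-14s %-11s %s -> %s" % (r["hostname"], r["ip"], r["mac"], where))
```

The third lease, with no hostname and no binding, is the WiFi case: the DHCP log still gives you the MAC and time, but the physical location has to come from the wireless controller or access point logs rather than from a switch port. MACs are normalised because the DHCP server and the switch print them in different formats.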
All professional network devices allow for the logging of events. But the internal event log of network devices is rather small because of the memory constraints. Old events get discarded at a fast rate to make room for new events.

Centralized logging

Here is an important first opportunity for you to improve the evidence collection phase of your forensic investigations. Install one or more machines as a central log repository and configure all your network devices to forward events to this central log repository. Dimension your central log repository so that it can hold several months’ worth of events. The syslog standard is often used to centralize events.

The second opportunity you have to improve the evidence collection phase of your forensic investigations is by increasing the types of events that are logged, for example DHCP events. Professional network devices classify events by type and by alert level. Not all event types are logged by default, and only events with important alert levels are logged. Increase the types of events, and lower the alert level for event logging. Watch out; you will need to strike a balance between resource usage and log level, because increasing the number of log events has an impact on CPU usage and can thus negatively impact the performance of your network devices.

Utilize on-board security features

Make sure to research security features available in your network devices that can help you indirectly with your forensic investigations. Enable them if necessary. For example, Cisco switches have a DHCP snooping feature. Enabling this feature instructs the switch to build and maintain a table of all successful DHCP transactions it sees passing through its interfaces. This table lists IP addresses, corresponding MAC addresses, and the interfaces serving these clients.

Imagine a contractor connects his laptop to your wired network without authorization. You would notice this by monitoring your DHCP logs for rogue machine names. But this will only give you a machine name and a MAC address. This is often not enough to trace back to the contractor. But with the DHCP snooping binding table, you will be able to correlate the IP address and MAC address with a switch interface. This will allow you to find the physical location of the Ethernet connector used by the contractor. Reviewing physical security evidence like access control logs or CCTV images should be enough to identify the contractor. Or you could just ask your employees working near the network access point who used this connection.

In the case of the former employee using your corporate WiFi infrastructure, you would notice this too by monitoring your DHCP logs for rogue machine names. Additional logs from WiFi access points and wireless LAN controllers should enable you to pinpoint the access point used by the former employee. But since WiFi access points do not need a physical connection, you will find it harder to identify the culprit.

Forensic artifacts found in network devices

Network devices can become compromised because their configuration gets modified or because their operating system gets trojanized. Finding forensic evidence for these incidents can become much harder. A secure, centralized log repository is vital so that perpetrators cannot erase logs to cover their tracks.

To detect unauthorized configuration modifications, a release management and version control process is necessary. The release management process will make sure that only approved modifications are applied to your network devices, and the version control process will make sure that these modifications are documented. Periodic review of your network device configurations will allow you to detect unauthorized configuration modifications by comparing them with the configurations kept in the version control system. This review process can be automated.

If your network devices support scripting and you have custom scripts like Cisco IOS Tcl, make sure to include these in your release management and version control process.

Trojanized devices

The operating system of your network devices can be trojanized in two ways: by trojanizing the operating system files (like Cisco’s IOS image files) and booting from them, or by exploiting a vulnerability in the operating system and trojanizing it in memory.

A release management process for network device image files allows you to know if a network device is running an authorized operating system or not. But an unauthorized operating system image is not necessarily a trojanized operating system image. Your success in identifying trojanized operating system images will depend on your network device vendor. For example, Cisco provides lists with cryptographic hashes of all images they release. If the cryptographic hash of the unauthorized operating system image matches a hash in this list, you can be sure that it is a legitimate operating system image and that it is not trojanized. Some high-end network devices can operate with digitally signed operating system images. Periodic review of the digital signature of these operating system images will detect trojanized operating system images.

RAM trojans

But the hardest forensic case to crack is an operating system trojanized in memory. Many professional network devices operate like this: the operating system is stored in a file which is stored on non-volatile, solid-state memory, like flash memory. When the network device is powered on, a very small
  • 14. Pay attention to the fact that al- though operating systems tro- janized in RAM are not persistent (i.e., that rebooting the network de- vices removes the trojan), network devices are not often rebooted and the trojan can easily be present for months if not years. And if a trojan runs in RAM with full system ac- cess, there is nothing to prevent it from modifying the image in flash to achieve persistence. Conclusion There are several preventive steps that you can take to facili- tate a forensic investigation of network devices. You can im- prove the logging of your devices and enable extra informa- tion gathering features on your devices. This will help you gather more forensic evidence. Network devices can also be- come compromised. You can find forensic artifacts in flash and in RAM. There are tools to help you analyze these arti- facts. I hope this article will inspire you to take measures that will facilitate forensic investigations of network devices. References —Dale Liu, Cisco Router and Switch Forensics, ISBN 978- 1597494182. —Felix Lindner, The Shellcoder’s Handbook, 2nd Edition Chapter 13: Cisco IOS Exploitation, ISBN 978-0470080238. —Felix Lindner, “Developments in Cisco IOS Forensics” - Black Hat, http://www.blackhat.com/presentations/bh-usa-08/Lind- ner/BH_US_08_Lindner_Developments_in_IOS_Forensics. pdf. —Felix Lindner, “Router Exploitation” - Black Hat, http://www. blackhat.com/presentations/bh-usa-09/LINDNER/BHUSA09- Lindner-RouterExploit-SLIDES.pdf. —Sebastian ‘topo’ Muñiz, Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootKit), http://www.coresecurity.com/files/at- tachments/Killing_the_myth_of_Cisco_IOS_rootkits.pdf. —Andrew Vladimirov, Konstantin Gavrilenko, Andrei Mikhailovsky, Hacking Exposed Cisco Networks, ISBN 978- 0072259179. 
About the Author Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) is a member of the Belgian ISSA chapter and an IT Security Consultant currently work- ing at a large Belgian financial corporation. Didier started his own company in 2012 to provide IT security training services (http://DidierStevensLabs. com). You can find his open source security tools on his IT se- curity related blog at http://blog.DidierStevens.com. He may be contacted at didier.stevens@gmail.com. program stored in ROM will load the operating system from flash into RAM, where it is executed by the CPU. With an op- erating system trojanized in memory, the image file in flash is intact, but the modifications are made in RAM, where the image file is loaded to be executed. One way to make these modifications in RAM is by targeting the network device with an exploit for a vulnerability.1 This exploit contains code to modify the operating system in RAM and trojanize it, for example by adding a backdoor functionality. To investigate such compromise, you need to be able to access and analyze RAM. Cisco IOS has features to access RAM: their routers and switches have a command that allows you to write the content of RAM to a core dump file. This solves the “access” phase of your forensic investigation, but not the “analysis” phase. The structure of the file containing the core dump is not documented. Only Cisco knows the complete details and you will need their cooperation if you need a full analysis. The Cisco Technical Assistance Center (TAC) will sometimes ask clients to provide them with a core dump to help with the analysis of their support cases. But since the RAM core contains everything that was in RAM, it contains a lot of forensic evidence. But you are not completely dependent on Cisco’s TAC for core dump analysis. There are two open source tools that can partially analyze core dumps. 
The first tool is Cisco Incident Response (CIR) from Recurity Labs GmbH,2 an open source tool that attempts to detect trojanized core dumps by detect- ing memory and process anomalies. CIR has been successful in detecting proof-of-concept trojanized IOS images present- ed at the Black Hat Security conference.3 The second tool is the Network Appliance Forensic Toolkit (NAFT)4 released by me. It is able to analyze the basic struc- ture of memory and processes, but it is not yet able to au- tomatically detect memory and process anomalies. NAFT is a set of Python programs, and it can run on many operat- ing systems. You instruct your IOS device to produce a core dump and transfer it to a tftp server, and then you can ana- lyze this dump with NAFT. For example, command naft- icd.py processes r870-core will dump all processes it finds in core dump r870-core (figure 1). 1 Felix Lindner,“Burning the bridge: Cisco IOS exploits,” http://www.phrack.com/ issues.html?issue=60&id=.7. 2 http://cir.recurity.com/. 3 http://blog.recurity-labs.com/archives/2008/05/27/on_ios_rootkits/index.html. 4 http://blog.didierstevens.com/programs/network-appliance-forensic-toolkit/. Figure 1 — Core dump 1 Cwe 80049B5C 0 3 0 5552/6000 0 Chunk Manager 2 Csp 80371B90 8 341 23 2640/3000 0 Load Meter 3 Mwe 8118AB24 4 1725 2 5300/6000 0 Spanning Tree 4 Lst 80046D90 14780 841 17574 5484/6000 0 Check heaps 5 Cwe 8004F930 0 1 0 5672/6000 0 Pool Manager 6 Mst 808278AC 0 2 0 5596/6000 0 Timers 14 – ISSA Journal | December 2012 Network Device Forensics | Didier Stevens ©2012 ISSA • www.issa.org • editor@issa.org • All rights reserved.
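The contractor scenario above (rogue machine name in the DHCP log, then the DHCP snooping binding table to reach a switch port) can be scripted for the evidence collection phase. The following is an added example and not code from the article or from NAFT: it parses constructed, syslog-style DHCPACK lines and a constructed binding table laid out like a switch's "show ip dhcp snooping binding" output (column layout and the ENG-LT-nnnn naming convention are assumptions), flags hosts whose names fall outside the naming convention, and joins them to the interface that served them. A rogue without a binding, such as a wireless client, comes back with no interface, which mirrors the article's point that WiFi culprits are harder to place.

```python
import re

# Constructed sample DHCP server log lines (syslog style, not real data).
DHCP_LOG = """
Dec  3 08:14:02 dhcp1 dhcpd: DHCPACK on 10.1.20.57 to 00:1b:21:3c:9d:5e (ENG-LT-0412) via eth0
Dec  3 08:15:40 dhcp1 dhcpd: DHCPACK on 10.1.20.58 to 3c:5a:b4:77:12:f0 (contractor-laptop) via eth0
Dec  3 08:16:11 dhcp1 dhcpd: DHCPACK on 10.1.20.59 to 00:1b:21:44:a0:01 (ENG-LT-0419) via eth0
Dec  3 08:21:57 dhcp1 dhcpd: DHCPACK on 10.1.30.12 to a4:5e:60:01:02:03 (johns-macbook) via eth1
""".strip().splitlines()

# Constructed DHCP snooping binding table, laid out like a switch's
# "show ip dhcp snooping binding" output (column layout assumed).
BINDING_TABLE = """
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1B:21:3C:9D:5E   10.1.20.57       86400       dhcp-snooping  20    GigabitEthernet1/0/7
3C:5A:B4:77:12:F0   10.1.20.58       86400       dhcp-snooping  20    GigabitEthernet1/0/23
00:1B:21:44:A0:01   10.1.20.59       86400       dhcp-snooping  20    GigabitEthernet1/0/9
""".strip().splitlines()

# Assumed corporate naming convention; any other machine name is treated as rogue.
APPROVED_HOST = re.compile(r"^ENG-LT-\d{4}$")

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \((?P<host>[^)]*)\)",
    re.IGNORECASE,
)
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_leases(lines):
    """Extract ip, mac and hostname from DHCPACK log lines; other lines are ignored."""
    leases = []
    for line in lines:
        m = LEASE_RE.search(line)
        if m:
            leases.append({"ip": m["ip"], "mac": m["mac"].lower(), "host": m["host"]})
    return leases


def parse_bindings(lines):
    """Index the snooping table by MAC address, skipping the header and separator rows."""
    bindings = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 6 and MAC_RE.match(parts[0]):
            bindings[parts[0].lower()] = {"ip": parts[1], "vlan": parts[4], "interface": parts[5]}
    return bindings


def find_rogue_hosts(log_lines, binding_lines, approved=APPROVED_HOST):
    """Return rogue DHCP clients joined to the switch interface that served them.

    'interface' is None when no binding exists, for example a wireless client
    or a binding that has already aged out; those need other evidence sources.
    """
    bindings = parse_bindings(binding_lines)
    findings = []
    for lease in parse_leases(log_lines):
        if approved.match(lease["host"]):
            continue
        binding = bindings.get(lease["mac"])
        findings.append({
            "host": lease["host"],
            "mac": lease["mac"],
            "ip": lease["ip"],
            "vlan": binding["vlan"] if binding else None,
            "interface": binding["interface"] if binding else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_rogue_hosts(DHCP_LOG, BINDING_TABLE):
        where = f["interface"] or "no snooping binding (wireless or aged out?)"
        print(f"rogue host {f['host']} {f['mac']} {f['ip']} -> {where}")
```

Because bindings age out with the lease, the snooping table should itself be exported to the central log repository on a schedule; otherwise the correlation only works while the lease is still active.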
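The "Trojanized devices" section separates three outcomes for an image found in flash: approved by your own release management, not approved but matching a hash the vendor published (a process violation, not a trojan), and matching nothing (treat as suspect). The following is an added example, not the article's code and not a Cisco tool: it parses a vendor hash list in the two-column layout used by sha256sum output (digest, filename; the vendor's real format may differ), keeps a separate register of images your release process approved, and classifies an inventory of constructed stand-in images accordingly.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash the image bytes exactly as stored in flash; digests are compared as hex strings."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for image files (real images are tens of megabytes).
GENUINE_RELEASE_A = b"constructed image: vendor release A"
GENUINE_RELEASE_B = b"constructed image: vendor release B"
TAMPERED_IMAGE = GENUINE_RELEASE_A + b" + constructed appended modification"

# Constructed vendor hash list in "digest  filename" layout (sha256sum style).
# In practice this list is obtained out of band from the vendor, never from the device.
VENDOR_HASH_LIST = f"""
{sha256_hex(GENUINE_RELEASE_A)}  release-A.bin
{sha256_hex(GENUINE_RELEASE_B)}  release-B.bin
""".strip().splitlines()

# Digests of the images our release management process approved for deployment.
RELEASE_REGISTER = {sha256_hex(GENUINE_RELEASE_A)}

AUTHORIZED = "authorized"
UNAUTHORIZED_GENUINE = "unauthorized-but-genuine"
UNKNOWN = "unknown-investigate"


def parse_hash_list(lines):
    """Parse 'digest  filename' lines into {digest: filename}; malformed lines are skipped."""
    table = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            table[parts[0].lower()] = parts[1]
    return table


def classify_image(image: bytes, release_register, vendor_hashes):
    """Return (verdict, vendor filename or None) for one image found on a device."""
    digest = sha256_hex(image)
    if digest in release_register:
        return AUTHORIZED, vendor_hashes.get(digest)
    if digest in vendor_hashes:
        # Genuine vendor image that bypassed release management: a process
        # finding, not evidence of a trojanized image.
        return UNAUTHORIZED_GENUINE, vendor_hashes[digest]
    # No vendor hash matches: preserve the device state and investigate.
    return UNKNOWN, None


def review_inventory(inventory, release_register=RELEASE_REGISTER, hash_list=VENDOR_HASH_LIST):
    """inventory: {device: image bytes} -> {device: (verdict, vendor filename)}."""
    vendor_hashes = parse_hash_list(hash_list)
    return {name: classify_image(img, release_register, vendor_hashes) for name, img in inventory.items()}


# Constructed inventory of images pulled from three devices.
INVENTORY = {
    "core-rtr-01": GENUINE_RELEASE_A,
    "branch-rtr-07": GENUINE_RELEASE_B,
    "dmz-sw-03": TAMPERED_IMAGE,
}

if __name__ == "__main__":
    for device, (verdict, name) in review_inventory(INVENTORY).items():
        print(f"{device}: {verdict} ({name or 'no vendor match'})")
```

The check only covers the file in flash; as the "RAM trojans" section explains, an intact flash image says nothing about what is running in memory, so this review complements rather than replaces a core dump analysis.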
Storage Security Governance: A Case Study

By Vinoth Sivasubramanian – ISSA member, UK Chapter

The author describes the experiences and results of an assignment that brought about a marked improvement in storage security for a commodity trading organization. The practical steps suggested will aim to answer some of the core challenges surrounding storage and bring about a continual-improvement storage security program.

Storage security has always been one aspect of IT management that never seems to get the attention it deserves, regardless of legal, regulatory, and business risks. Storage security should be a concern for any organization irrespective of size and number due to the multitude of challenges surrounding it. For example, one recent survey conducted by PWC [1] stated that 29 percent of organizations still find locating their data a big challenge; however, going by experiences at the ground level, there are even more challenges, such as the following:

• There are just not enough eyes on the problem!
• Where is the data residing?
• Increased regulatory audits
• How do we align with the existing standards and regulations?
• How do we handle the advances in technology such as increased use of mobile devices, consumerization, etc.?

This paper describes the experiences and results of an assignment that brought about a marked improvement in storage security for a commodity trading organization. The practical steps suggested will aim to answer some of the core challenges surrounding storage and bring about a continual-improvement storage security program.

Organizational background

Phoenix Consulting (The Firm), based in India, is a boutique IT audit and consulting firm helping clients meet their compliance requirements and achieve their security objectives. The Company (name withheld for security purposes) is a commodity trading organization that aims to reduce the gap between customers and farmers, has a 1000+ client base, and is fitted with state-of-the-art routers, switches, firewalls, Windows servers, and storage area network (SAN) storage architectures and devices that store customer information, IDs, and bank account details. Though the organization is ISO 27001:2005 certified and had a structured Information Security Management System (ISMS), they had recently faced issues with sensitive data:

1. The Company was not aware of where the data was located: the storage devices were left out of the purview of the ISO 27001 scope due to an ongoing implementation.
2. Bringing it under the purview of the ISO 27001 governance program: the scope was extended to cover storage devices and the data that needed to be protected. As an added advantage, increasing the scope also satisfied guidelines on storage security imposed by the local authorities, aligned with ISO 27001, gave the organization better control and governance, and helped them optimize their resources (time and manpower) on areas that required attention.

That is when The Firm was called, as we had helped them achieve ISO 27001 certification. The impediments that would arise during the implementation of this project were very well known to us, as we had both the expertise and the experience of implementing projects of a similar nature. The critical steps for the success of this program are the following:
1. Gain management support
2. Perform gap analysis
3. Identify assets
4. Perform risk assessment
5. Implement security controls
6. Perform an audit and improve

Gain management support

Getting management support in our case was quite easy as the organization had recently faced a regulatory issue. Management was briefed about the challenges involved in storage security, the time it would take to implement this program, and our approach to bringing it to completion. In circumstances where there are no legal or regulatory issues, get management support by briefing them on the possible business risks, rewards, and efforts involved. As per ISO 27001, record the minutes of these meetings as per the record control procedure (mandatory clause 4.3.2 of ISO 27001) and the management review requirement (mandatory clause 5 of ISO 27001:2005). Unless there are regulatory, contractual, or legal obligations or compulsions, ensure that the cost of protecting the information is less than the value of the information being protected. A sample template that was used to capture and record the most important information is shown below.

Storage security risk – sample template
Risks: Legal, financial, regulatory, and business risks
Rewards: Elevated customer confidence
Effort: High
Cost estimation: $600,000 USD
Time span: 6 months
Approach: ISO 27001 approach
Cost of damages: $10 million USD annually in the event of a breach
Cost of protection: $2 million for the first year, less than $1 million from the next year onwards
Return on investment: Roughly $5 million per year
ISO clause: Mandatory clause 5 of ISO 27001:2005 – Management Review of ISMS

Gap analysis

Since management expectations were very clear and they were already aware of some of the existing gaps, a gap analysis exercise was carried out which detailed the current scenario. After a detailed gap analysis, the following area emerged as the single stumbling block to achieving the management objectives and meeting compliance requirements: where is the data located?

Lessons learned: Conduct a gap analysis, irrespective of the compliance level of the organization – keeping in mind management expectations and objectives – and then chart out the stumbling blocks. Form a focus group and engage all the information users, as you will get to know the security posture of the organization in reference to storage security better, which will help improve the initiative.

Solving the data location challenge

To solve the challenge of data location, we used a two-pronged approach. The first part was using an automated tool – ManageEngine asset manager in this case (http://www.manageengine.com/products/desktop-central/software-hardware-inventory.html) – to capture all the IP devices located in the enterprise. Next we listed the non-IP devices, namely USB and mobile devices. The organization had provided only organization-approved USBs to be used by their employees, and these were given only to senior management. Since mobile applications were also used, mobile devices were listed in the asset register. After comprehensive discussions with the asset custodians and stakeholders, we had gathered enough information on the locations of the most critical data.

Lessons learned: Capture IP and non-IP devices within the enterprise and list them in the asset register. Capture the information residing on these devices through multiple iterations with the asset users and custodians (to increase the accuracy of the information collected, it is necessary to perform at least two iterations to eliminate the errors and miscommunications which we will encounter when we go about capturing the information residing on devices). Authenticate information discovery/classification technologies.

Identify assets – knowing what to protect

After getting to know the devices and the information residing on these devices, authenticate the automated data generated using a comprehensive sampling methodology: we did a 98 percent sample to provide comprehensive assurance to management that the data collected was authentic. This also enabled management to make better decisions. In our case this sampling provided a better insight into what needed to be protected. Using the data on hand, management determined which information was very critical to the organization; incidentally, these were also in line with local laws and regulations. Management identified this information, classified it as highly confidential, and provided directives for storing, accessing, processing, and disposing of it. A sample data record is given below.

Data description: ID details of customer
Data type: Highly confidential, irrespective of location of the data
Access: No write access to anyone; read access to select few
Security type: Least exposure to business, legal, or financial risks

After getting a clear and comprehensive mandate on the data that needed to be protected as part of this storage security governance program, we laid out the next course of our plan to implement these programs. The first step was to form a focus group, identifying members across the enterprise who would help propel the program forward.

Lessons learned: Take time to accurately sample the data using automated and manual methodologies. Get management expectations clear on the data that needs to be protected as top priority. This will help the organization prioritize risk and allocate resources wherever needed. Remember this is a program to improve storage security practices and is a one-time solution.

Risk assessment

The challenge we encountered in doing a risk assessment for this organization was that an ongoing ISO 27001:2005 risk assessment was already being performed, and we were told specifically not to disturb the assessment or change the methodology. So in line with the expectations and directives of senior management, a linked risk assessment approach was carried out, wherein the information that needed to be protected was treated as an individual asset, and the various threats, vulnerabilities, and controls in place were listed out.

Lessons learned: Perform the risk assessment exercise with the assistance of the focus groups; this provides them insight into these activities, and also provides the much needed additional controls which are required at the ground level.

We shall now look at how the storage security program initiative was carried out with the right mix of people, processes, and technology.

Implement controls

Based on the results obtained from the risk assessment and inputs from legislative guidelines and various other best practices [2][3][4][5], the controls outlined below were implemented, in no particular order.

Review of security policies

Armed with the results from the risk assessment exercise, information security policies were reviewed [4] where needed and new ones written where found missing. In our case we tweaked the configuration management policy to include the storage devices, and wrote fresh policies in relation to Bring Your Own Device (BYOD) and Use Your Own Applications
(UYOA). The table below describes in short the policies that we had tweaked and the ones that were newly written.

Policy | Description
1. Access control policy | Tweaked, to support the management directives
2. Bring Your Own Device and Use Your Own Applications | Newly drafted
3. Configuration management | Tweaked, brought SAN under the configuration management database (CMDB)
4. Patch management policy | Tweaked, to include upgrading of SAN storage devices
5. Incident management | Tweaked, to include storage security issues to be reported through the incident management system
6. Information control policy | Newly written, to provide greater clarity to management and stakeholders in identifying the most critical information and how it must be controlled

Lessons learned: Always earmark the policy effective date in concurrence with management before going ahead in drafting the procedures that are required to support these policies. Since in most organizations procedures, meaning the steps that are required to support the high-level statements of management, are generally driven bottom up, earmarking a policy effective date will bring in greater commitment amongst middle management, thereby helping the initiative propel fast forward.

Review of procedures

With management's directives being very clear, we now reviewed the procedures that were directly related to storage security. The procedures that we reviewed in line with the task on hand were backup, asset management, internal audit, media disposal, legal, and compliance. The table below describes some of the tweaks performed on the procedures and their cross references to the ISO 27001:2005 standard.

Procedure | Description | ISO clauses
Asset management procedure | The asset management procedure was tweaked to include automated scanning of all the IP devices and verifying information on all non-IP devices on a fortnightly basis. | Mandatory clause 4.2.1d and control A.7 Asset Management
Backup procedure | The backup procedure was spruced up to include correct identifiers and the method of storage and disposal, which are often missing factors in backup procedures. Technologies to eliminate manual tapes were also charted out. | A.10.5.1 Information Back-up
Internal audit procedure | The internal audit procedure was enhanced to include audit of storage devices and the allied storehouses of information. | Mandatory clause 6 (Internal Audit), A.15.3 Information Systems Audit
Legal and compliance procedure | Resources were allocated to manage the agile compliance landscape; the procedures to report the changes were documented. | A.15.1.1 – A.15.1.5 Compliance with legal requirements
Media disposal procedure | How to dispose of the media containing the information that needs to be protected, in the event of a total failure of the device. Incorporating authorized agents to carry data off site for disposal. | A.10.7 Media Handling and A.10.8 Exchange of Information

Lessons learned: While doing a review of the various procedures, make time to discuss the technological investments that need to be made in this regard. Knowledge of these investments will help in procuring the technology while the process is still in place. This will help save a lot of time and help move things at a quicker pace.

Technological perspective

With knowledge of the information that needs to be protected being clear, the first step we took was to reinspect the application architecture and redesign the business processes to meet the organization's expectations.

Business process re-engineering

With the very critical organization assets lying scattered across various applications and reports, the business processes were re-engineered, wherein multiple processes of capturing user information and completing the sale processes were integrated into one simple application and screen.
In a similar manner the reports that were associated with this information were also confined to one single area. This helped control access to the information and the related aspects of storage, retention, and disposal of the storehouses of the most vital assets of the organization.

Lessons learned: A very important aspect in redesigning business processes is to never lose sight of the task in hand; in this case we redesigned the process keeping in mind customer ID and bank account details and confining them to a centralized location. Very often people lose sight of the specific goal and go into complete process re-engineering.

Application architecture inspection

The application architecture was also inspected, incorporating secure and privacy-by-design principles wherein privacy and data protection guidelines were integrated within the entire life cycle of the code, starting from requirements gathering to implementation of the code, which was not the case earlier. An important concept implemented after this inspection was that the customer information capturing screen did not use cookies or store any kind of information at all. The information that was captured was stored in the database in an encrypted format. To minimize cost we chose column-level encryption for storing the information in the database. Apply the same principles to database backups – this is often overlooked and forgotten. Access to this encrypted data was made available only to a select few.

Information integrity monitoring software

The next technology that we implemented was to invest in information integrity monitoring software, wherein any change in the access or availability or the information entity itself was allowed only after approvals from the entire management. This software used an all-approvers hierarchy, in which each member of management undertook the responsibility of approving changes to the confidentiality matrix.

Server and media encryption

Since the physical server housing the database and the critical information needed to be adequately protected, we looked at the various encryption solutions available on the market and finally decided on an encryption solution that suited the budgetary requirements, ease of operability, and service delivery capabilities of the vendor. Similarly, endpoint encryption was performed on endpoint devices using appropriate tools to protect the media that might be used to contain the protected information. Since the organization had a zero-tolerance policy towards using unapproved USB devices, controlling them through the media encryption and endpoint software also provided the required protection. The following best practices were used:

• Aligned encryption technology with existing cryptographic standards and controls [4]
• Selected location-at-rest encryption to minimize user impact on server availability
• Implemented in-flight and at-rest encryption mechanisms

Lessons learned: There were challenges involving encryption; the lessons learned are the following tips:

• If undecided between two potential points of encryption, pick the one closest to the application generating the data
• Ensure deduplication is performed before encryption to minimize data duplication
• Ensure encryption creates adequate log entries in line with business, legal, regulatory, and compliance requirements [3][4]

Third-party agreements

Third-party agreements were spruced up to incorporate secure working practices of the service providers in the event of maintenance of the storage devices. In particular we made them agree to let us audit their work and working practices, thereby ensuring good security practices.

Lessons learned: As part of regulatory compliance, third-party service providers and consultants are also required to adhere to the practices adopted by the organization. However, many organizations miss out on auditing their service providers. Initially service providers may be a bit apprehensive of this, but informing them of the long-term benefits and how it could work in their favor will make them oblige. As a reward, act as a brand ambassador by giving a good recommendation for them, allowing them to include your name on their website, etc. In short, have a reward mechanism with penalties for missing out on security practices.

System controls

Even though confidential information was accessible only to a select few with clearly defined roles, we made the system even stronger by mapping their access to the MAC addresses of the users' systems. Integrated with a log management system, any deviations were recorded, tagged as incidents, and closed through the corrective and preventive action processes.

Network-level controls

We used VPN-anywhere software [9] (software used to ensure only authorized users access resources) to identify and authenticate user access to the application's front end for internal users who had access to the privileged information. Rules on firewalls were adequately created to check for leakage of the protected information.

Fibre channel security

Secure fibre channel storage networks were used in this organization, which are basically SAN devices. A storage area network is an architecture to attach remote computer storage devices such as disk arrays, tape libraries, and optical jukeboxes to servers in such a way that to the operating system the devices appear locally attached. These SANs were on a fibre channel topology that utilized the fibre channel protocol. Storage area network best practices (configuration management database) [2]:

• Restricted switch interconnections
• Disabled unused ports
• Hard zoning was used as management wanted strict controls in relation to the movement of the data
• Implemented LUN masking

Audit

After having implemented various controls, we conducted a detailed audit to check the effectiveness and efficiency of the controls. Specific audits conducted by us are described below.

Vulnerability assessment and penetration testing

As the final stage before signing off this project, a penetration testing and vulnerability analysis exercise was carried out on the servers, SAN storage, media, desktops, laptops,
network devices, and the members of the organization. This also included conducting configuration review assessments of the networks, servers, database, SAN storage, desktops, company-owned mobiles, and social engineering tests. The tools used to conduct these assessments are listed below. All tools were selected based on budgets, ease of operability, and service delivery capability of the vendor.

Description | Name of the tool
Desktops and server assessment | MS Baseline [6]
Networks | OpenVAS [7]
SAN storage devices | SNIA Standards [2]
Database | AppDetective Pro [9]
Social engineering | Manual

Source code review

Source code review is one area generally missed and is really the Achilles' heel in storage security. It is here that data is generated. So as part of the audit stage, the source code of the application was checked thoroughly using static testing methodologies, wherein the entire code was tested manually to identify vulnerabilities in the code, and dynamic analysis to uncover potential leakage points on the system. The source code was also audited from a process perspective as to how the organization went about freezing the code before being developed. An end-to-end, development-to-release management audit was also carried out to identify any process-related gaps.

Log management

Logging is an essential part of storage security. Log all storage devices with clear markup on the data to be protected as well as the storehouses. We used benchmark logging, wherein the current configuration snapshot was benchmarked and stored within the log management solution; any change to the configuration parameters of any asset is recorded, and deviations were set to be categorized as incidents and closed off through a proper root cause analysis (RCA) using the corrective action/preventive action (CAPA) form.

Training and retraining

One of the biggest challenges to storage security is that storage admins are not aware of security, and security personnel are not aware of the storage challenges. To fill this gap, the services of the SAN provider were utilized effectively to teach security principles and practices to storage admins and to teach storage principles and practices to security personnel. A reverse knowledge transfer was employed wherein security professionals authenticated the knowledge of the storage admins and storage admins authenticated the storage knowledge of the security personnel within the enterprise. This ensured the challenges were clearly understood and solved amongst them.

Improve

You cannot improve what you cannot measure. Therefore, based on some simple metrics satisfying compliance and legislative requirements, a simple measurement exercise was conducted. One of the measurement exercises with a template is described below.

Measurement

After completion of the above activities, an improvement measurement exercise was carried out. The result clocked a 90 percent improvement in information visibility, which was in line with the regulations of the local government. A sample result is tabulated as an example (table 1).

Lessons learned: Always ensure you earmark a follow-up audit on the measurement results. Check for improvements and sustained results. This way you build up a long-term relationship, providing greater value to your projects.

Overview summary

With storage security seriously impacting business, we present a brief overview of the process before (figure 1) and after (figure 2) implementation of the storage security program pictorially for better understanding.

Conclusion

Even though The Company was already ISO 27001:2005 certified, the concept of storage security was something new to

Table 1 – Improvement measurement exercise
Description | Before the initiative | After the initiative | Improvement | Benefit | Effort
What needs to be stored more carefully | No data available | Available | 100 percent | Minimization of regulatory fines, enhanced customer confidence | High

Figure 1 – The process during ISO 27001:2005 certification: Management determines the scope of ISO 27001:2005 → Identify the assets under the identified scope → Perform risk assessment on the identified controls → Treat the identified risks through implementation of various controls → Audit, measure and improve the controls implemented.
  • 23. the management and business heads. Getting the message across at all levels and emphasizing the importance of stor- age security and its long-term benefits was the most chal- lenging. Once we had the support of management, others fol- lowed suit and it was then easy for us to help the organization achieve its security objectives. The guidelines laid out above are the experiences learned from implementing a storage se- curity program and are meant only to act as a guide to propel storage security in the right direction. Overall, organizations that are certified against standards such as ISO 27001 and COBIT can find the going a bit easier because of the many cross references. References [1] http://www.idgconnect.com/view_abstract/7945/global-state- information-security-survey-2012. [2] https://www.snia.org/forums/ssif/programs/best_practices. [3] http://deity.gov.in. [4] http://www.iso27001security.com. [5] http://searchstorage.techtarget.com/definition/storage-securi- ty. [6] http://www.microsoft.com/en-us/download/details. aspx?id=7558. [7] www.openvas.org. [8] www.appsecinc.com/products/appdetective. [9] www.vpnanywhere.com. About the Author Vinoth Sivasubramanian is a passion- ate information security professional with more than eight years of experience in various domains such as telecomm, con- sulting, and finance. In addition to volun- teering time for security associations such as ISACA and ISSA, he dedicates time to sustainable living by investing time and money in organic farming activities through local volunteers with a vision to lead people to a stable and balanced living. He can be reached at Vinoth.sivasubramanian@gmail.com. 
JANUARY 2013 Risk Analysis / Risk Management Editorial Deadline 12/1/12 FEBRUARY Emerging Threats Editorial Deadline 1/1/13 MARCH Legal, Regulatory, Privacy, and Compliance Editorial Deadline 2/1/13 APRIL Selling to the C-Suite and the Changing Roles of InfoSec Professionals Editorial Deadline 3/1/13 MAY Education, Academia, and What’s Happening in Research Editorial Deadline 4/1/13 JUNE The Cloud and Virtualization Editorial Deadline 5/1/13 JULY Identity Management Editorial Deadline 6/1/13 AUGUST Convergence of Technologies Editorial Deadline 7/1/13 SEPTEMBER Mobile Security / BYOD – Technology/Business/ Policy/Law Editorial Deadline 8/1/13 OCTOBER Big Data and the Use of Security Controls Editorial Deadline 9/1/13 NOVEMBER Forensics and Analysis Editorial Deadline 10/1/13 DECEMBER Disaster Recovery / Disaster Planning Editorial Deadline 11/1/13 EDITOR@ISSA.ORG • WWW.ISSA.ORG For theme descriptions,visit www.issa.org/?CallforArticles ISSA Journal 2013 Calendar Past Issues – www.issa.org/?page=ISSAJournal Figure 2 – ISO 27001:2005 Linked Storage Security Implementation ISO 27001:2005 Scope Directed by Legislative Guidelines in Combination with Management Directives Risk Assessment on the Data Reservoirs Information to Be Protected Was Identified Information Storage Devices Were Captured and Listed Business Process Walkthrough to Identify Data Flows and Storage Reservoirs Audit, Measure & Improve the Controls Implemented December 2012 | ISSA Journal – 23 Storage Security Governance: A Case Study | Vinoth Sivasubramanian ©2012 ISSA • www.issa.org • editor@issa.org • All rights reserved.
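The following Python script is an added example, not code from the case study or from any SAN vendor. It shows how the "benchmark logging" idea from the Log management section and the SAN best practices listed under Fiber channel security fit together in practice: a known-good configuration snapshot is stored, the observed configuration is compared against it, static checks cover the three practices a script can verify (unused ports disabled, hard zoning, LUN masking), and every finding is emitted as an incident record for the RCA/CAPA process. The fabric data model, switch port names, WWNs and both snapshots are constructed for this example; real switch and array exports look different and would need a parser in front of this logic.

```python
"""Benchmark-style drift and policy checks for a SAN fabric configuration.

Added example, not code from the article or any vendor tool. A known-good
snapshot of the fabric configuration is stored; the observed configuration
is compared against it and every deviation becomes an incident record
(the article's "benchmark logging"). The static checks mirror the SAN best
practices the case study lists: unused ports disabled, hard (port-based)
zoning, LUN masking. The data model, port names, WWNs and both snapshots
are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Zone:
    kind: str            # "hard" = port-based zone, "soft" = WWN-based zone
    members: List[str]   # switch ports for hard zones, WWNs for soft zones


@dataclass
class FabricConfig:
    ports: Dict[str, bool]            # switch port -> administratively enabled?
    cabled: Dict[str, bool]           # switch port -> a device is attached?
    zones: Dict[str, Zone]            # zone name -> zone definition
    lun_masks: Dict[str, List[str]]   # LUN -> host WWNs allowed to see it


@dataclass
class Incident:
    severity: str
    asset: str
    finding: str


def policy_violations(cfg: FabricConfig) -> List[Incident]:
    """Static checks against the best practices, independent of any baseline."""
    found = []
    for port, enabled in cfg.ports.items():
        if enabled and not cfg.cabled.get(port, False):
            found.append(Incident("medium", port, "unused port is enabled"))
    for name, zone in cfg.zones.items():
        if zone.kind != "hard":
            found.append(Incident("medium", name, "zone is WWN-based, not hard zoning"))
    for lun, hosts in cfg.lun_masks.items():
        if not hosts:
            found.append(Incident("high", lun, "LUN has an empty mask (visible to any host)"))
    return found


def drift(baseline: FabricConfig, observed: FabricConfig) -> List[Incident]:
    """Benchmark comparison: any difference from the stored snapshot is an incident."""
    found = []
    for port in sorted(set(baseline.ports) | set(observed.ports)):
        before, after = baseline.ports.get(port), observed.ports.get(port)
        if before != after:
            found.append(Incident("high", port, f"port state changed: {before} -> {after}"))
    for name in sorted(set(baseline.zones) | set(observed.zones)):
        if baseline.zones.get(name) != observed.zones.get(name):
            found.append(Incident("high", name, "zone definition changed"))
    for lun in sorted(set(baseline.lun_masks) | set(observed.lun_masks)):
        before, after = baseline.lun_masks.get(lun), observed.lun_masks.get(lun)
        if before is None or after is None:
            found.append(Incident("high", lun, "LUN added or removed since benchmark"))
        elif sorted(before) != sorted(after):
            found.append(Incident("high", lun, "LUN mask changed"))
    return found


# Constructed sample: the benchmarked snapshot and a later observation.
BASELINE = FabricConfig(
    ports={"sw1/1": True, "sw1/2": True, "sw1/3": False},
    cabled={"sw1/1": True, "sw1/2": True, "sw1/3": False},
    zones={"trading_db": Zone("hard", ["sw1/1", "sw1/2"])},
    lun_masks={"LUN0": ["50:06:01:60:aa:bb:cc:01"]},
)
OBSERVED = FabricConfig(
    ports={"sw1/1": True, "sw1/2": True, "sw1/3": True},       # spare port re-enabled
    cabled={"sw1/1": True, "sw1/2": True, "sw1/3": False},
    zones={"trading_db": Zone("soft", ["50:06:01:60:aa:bb:cc:01",
                                       "50:06:01:60:aa:bb:cc:02"])},  # hard -> soft zoning
    lun_masks={"LUN0": ["50:06:01:60:aa:bb:cc:01"], "LUN1": []},     # new, unmasked LUN
)


def review(baseline: FabricConfig, observed: FabricConfig) -> List[Incident]:
    """Everything the log management system would raise for CAPA handling."""
    return drift(baseline, observed) + policy_violations(observed)


if __name__ == "__main__":
    for inc in review(BASELINE, OBSERVED):
        print(f"[{inc.severity}] {inc.asset}: {inc.finding}")
```

The two checks are deliberately separate: drift catches any change from the benchmark, including ones no policy anticipated, while the policy checks catch a configuration that was never compliant in the first place (a baseline captured with a soft zone would otherwise be accepted forever). Running the sample raises six incidents: three deviations from the benchmark and three policy violations in the observed state.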
Structured Risk Analysis Offers Rich Rewards
By Greg Jones

Risk analysis is a far from exact science with assessments continuing to vary in scope. This article discusses the emergence of context-aware classification systems and methods that can guide you through the process with pre-categorized risk information and could be the key to effective risk and threat analysis.

Abstract

Risk analysis is a far from exact science with assessments continuing to vary in scope. But the emergence of context-aware classification systems could be about to change that. Methods that guide you through the process with pre-categorized risk information could be the key to effective risk and threat analysis.

Risk analysis is now an integral part of any business decision and essentially involves playing Devil’s Advocate in a commercial context, looking for potential issues, their impact, and the time and cost involved in remediation. It’s a far-from-exact science precisely because it deals in “what if” scenarios and the “cause and consequences” of them.

Today’s regulation and security frameworks go some way to providing consistent risk analysis with processes and procedures that can be used to systematically evaluate risk. These provide a valuable starting point, but the danger is that organizations embark upon a risk analysis assessment as a box-ticking exercise and mistakenly believe they have covered all the angles. In reality, implementing a risk analysis has to be a more methodical, context-based process which seeks to explore elements of risk and the fallout involved beyond that stipulated by regulations, not least because security standards are prone to date and become out of step with the ever changing threat spectrum.

Whenever an enterprise embarks on a new venture or change in strategy, there will inevitably be some element of risk analysis to protect the existing business. Risk assessment is invaluable in enabling the business to identify and then actively tackle threat elements, from data leakage or theft to malicious attacks. However, if limited to the requirements of many standards, it can be highly subjective and limited in scope, looking only for risk within a given context with little consideration given to the wider picture such as user buy-in, emerging threat vectors, and industry-specific threats. Without these factors, any threat assessment can quickly lose its relevance and its value.

Risk management needs to be a measured but continual process, because its true value lies in being able to alert the organization to an issue before it is realized and manage it into resolution. However, the overall management process can only be successful if it contains accurate methods for the evaluation of risks and threats. Many of the common approaches currently used fail to provide sufficient guidance and fail to capture knowledge from the early adopters of either business or technology. Furthermore, early adopters will need support from more technical frameworks as they “forge a path” for the rest of us.

Prescriptive measures

Of course, we have come a long way in the development of risk analysis. In the mid 1990s, technical computer security was embryonic. The implementation of even the most basic security control would often result in executive foot stamping, as a result of which few had installed antivirus (AV), firewalls, or passwords. When it came to designing and testing the first Internet banks, risk analysis was often a good way of ensuring executive buy-in and of protecting investment.

In 1995 the British Standards Institute published BS7799¹ (later to become ISO17799 and) as a “prescriptive” security standard. This was great for organizations that needed guidance in implementing tangible security measures in commercial environments, which at that time could mainly be described as “security greenfields” – at the time many organizations didn’t have systemic security environments. The standard had ten simple “key controls” which all organizations should maintain.

It seems quite incredible now but the most essential of controls (such as firewalls and AV) were not installed as a matter of course. To do so, the security practitioner needed to justify them. But it was a different time. I remember giving a presentation at the time for ISACA on the differences between circuit-level, proxy, and stateful inspection firewalls to a security interest group, when a representative from a large US telco who was sharing the stage turned into an unfriendly combatant fighting for a “firewall-free world.” Not a cause that many would rally to defend these days.

There was a surprisingly negative reaction to this prescriptive standard. Many CISOs and security consultants claimed² that it did not take into account risk or different organizations’ security requirements. Yet the standard only had what we would now consider essential requirements: recommending AV on servers, the installation of a firewall on Internet connections, that users have unique userIDs each with passwords, and that data was routinely backed up.

The antipathetic reaction was mainly due to the security community’s discomfort concerning the gap between the actual controls and those specified by the standard. Most medium-sized organizations would receive an unfavorable benchmark if their security was compared to the standard (and would do for many years). Correspondingly, later versions of the standard and its successor ISO2700x selected controls via a free-form risk analysis where threats were not pre-calculated and impacts not pre-described, as this drove the whole security process and was ultimately used to select the organization’s security controls when they were codified into a risk treatment plan. In reviewing this risk treatment plan, key controls were often missing. Sometimes these errors happened because of a lack of a solid framework for the risk assessment. However, many skilled security officers could play the system to “risk assess” away essential controls for reasons of budgetary success or political expediency. Until recently, it was very common to find that controls in the areas of segregation of duties, monitoring of administrative users, and network separation were de-selected supposedly because of the low risk.³

There is no “one-size-fits-all” standard, and risk will vary for each business and fluctuate over time. But nearly all organizations use the Internet, use PCs, and comprise people, thereby sharing common threats. Modern methods need to embrace the benefits and efficiency of standard controls and common threats in the same way as organizations buy standard application systems rather than building from scratch.

Selective security

Of course, the development of ISO27005 in 2008 formalized the approach to risk, but this still focused on the process of risk identification and estimation, thereby failing to close the gap between actual and perceived risk. And therein lies the crux of the matter, for although risk assessment is a very valuable tool, a skilled and forceful security officer will always be able to “risk-assess away” the need for essential controls if the methodology being used for the assessment is unbounded and not parameterized. For example, until recently it was very common to hear from online businesses that the risk of DDoS was invented mainly because the cost of mitigation was high, even when the list of victims of such attacks was growing.

These days, information security has become more methodical and science based. Newer standards have adjusted to become more sophisticated. A baseline level of security is required to which additional controls can be added as required for increased threat/impact but not reduced, as the underlying threats are ubiquitous and so the control is mandatory. Many standards now include predefined and codified impact tables and threat categorization, and generic risk categories help focus the risk analysis. These are described below.

The Payment Card Industry Data Security Standard (PCI-DSS) is an example of one of these standards with predefined technical controls. It mandates computer security controls which are routinely deployed. The card issuers who have imposed the standard believe that the risk associated with processing customers’ data warrants the minimum acceptable security requirement laid out by the PCI-DSS. However, it too has been criticized. In recent industry conferences, many organizations subject to PCI-DSS have been lobbying for a reduction in the requirements, favoring instead the introduction of a risk-based approach. Interestingly, a review of PCI-DSS⁴ will show more than a passing relation to the controls annex of ISO27001 (given that many of the organizations struggling to meet the requirements of DSS are also ISO27001 certified). Surely the similarity between the controls annex and PCI-DSS means most of the technical controls should already be in place in an ISO27001-certified organization.

Baselines and impact tables

Most organizations (at least within a peer group sector) share a risk profile, so there will always be common ground. The industry is beginning to embrace this through benchmarking and risk score analysis. An example of an approach which provides a structured application of security controls based on different risk profiles is the combination of Standards for Security Categorization of Federal Information and Information Systems (FIPS 199) and Minimum Security Requirements for Federal Information and Information Systems (FIPS 200). These are “amplified” (a word used throughout the documents) into the US National Institute of Standards and Technology (NIST) “Recommended Security Controls for Federal Information Systems and Organizations” (SP800-53).⁵ The idea is that an organization determines the risk associated with computer security failures based on a series of impact tables. The categorization of High, Medium or Low is then used to produce a tailored control baseline that accounts for this risk. The key fact here is that the control specification can always be set as more stringent but not reduced through a standard assessment process. PCI-DSS and SP800-53 alike do allow for the modification of controls in a “compensating controls” section; any entry here will receive suitable scrutiny. The process will always result in a “good” control environment which covers the commonplace risks because it mandates specific necessary controls and leaves little room for omitting particular sections. Detractors claim that this method does not cover any organization exposed to unique risks, but as they are the exception rather than the rule, these regulations are still highly relevant in tackling the most frequent, likely, and destructive threats in the most common business environments.

What is really impressive about this scheme is the “science” that has gone into it. Not only is the security content good but each control is codified into a control category and each control within that control category is systematically coded. Where a control is amplified based on risk, the control is named after an indexed scheme. For example, if we review one specific control within the standard named AU-5 (1) (2) (Audit Control Number 5) with the control amplified or extended, add the pre-defined control extension (1) and control extension (2). This allows for extreme rigor in quality control and supports future initiatives such as determining the impact and likelihood of various vulnerabilities.

Similarly, in the UK the HMG InfoSecurity Standard No. 1 (IS1)⁶ risk calculations classify assets and the potential impact of security events, breaking them down into Confidentiality, Integrity, and Availability (CIA) in pre-defined tables called the Business Impact Level. This allows a consultant to engage with key directors to determine the likely impact of a breach in Confidentiality, Integrity, and Availability. Furthermore, IS1 also incorporates a structured assessment of the capability of threat agents or actors.

In our experience of working with other firms, we have noted that consultants sometimes use a very similar approach in their proprietary “low-touch” security architecture framework service. Although there are more comprehensive architecture design methods, they often engage with senior management with a clean sheet of paper, and at a technical rather than a business level. Often this approach is used because previous assessments have been conducted incorrectly or the results have not been understood or available to the assessor. This is usually such a laborious approach that it quickly loses management commitment.

These standards and the development of impact tables have greatly enhanced the risk management process, enabling the security practitioner to hone assessments to business need and to communicate risk more effectively to management, but they are far from infallible. If the risk assessment doesn’t place the business within a real-world context, for example, it cannot accommodate emerging risks that are sector specific.

Skewed judgements

Upon engagement, most practitioners seek to capture information on customer sensitivity, contract type, customer

1 “ISO/IEC 27002,” ISO 27001 security, http://www.iso27001security.com/html/27002.html.
2 “Alan Calder on IT Governance, information security and ISO 27001,” BS 7799, 16 October 2007, http://www.alancalderitgovernanceblog.com/tag/bs-7799/.
3 Michael Cobb, “Segregation of Duties: Small business best practices,” Application Security, 11 December 2011, Searchsecurity.com, http://searchsecurity.techtarget.co.uk/tip/Segregation-of-duties-Small-business-best-practices.
4 “PCI vs ISO,” 12 October 2012, Focus on PCI, http://www.focusonpci.com/site/index.php/Articles/pci-vs-iso.html.
5 “Recommended Security Controls for Federal Information Systems and Organizations,” August 2009 (updated May 2012), NIST Special Publication 800-53 Revision 3, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.
6 “HMG IA Standard No.1, Technical Risk Assessment,” Issue No 3.51, October 2009, CESG and Cabinet Office, http://www.cesg.gov.uk/publications/Documents/is1_risk_assessment.pdf.
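The structured scheme described under "Baselines and impact tables" can be made concrete in a few functions. The Python below is an added example, not code from the article or from NIST: it encodes the rules the section states (impact rated per security objective, the rating selecting a baseline, a baseline that may be made more stringent but never reduced through the standard process, and the indexed control naming such as AU-5 (1) (2)) and it reports anything a proposed risk treatment plan drops from the baseline, which is exactly what would have to appear in a compensating-controls section for scrutiny. The baseline contents in the BASELINES table are a constructed illustration, not the real SP 800-53 baselines, and the level names follow FIPS 199 (Low/Moderate/High) where the article writes "High, Medium or Low".

```python
"""Impact categorization and baseline tailoring in the FIPS 199 / SP 800-53 style.

Added example, not code from the article or from NIST. It encodes the rules
the article describes: impact is rated for confidentiality, integrity and
availability, the rating selects a control baseline, a baseline may be made
more stringent but never reduced through the standard process (anything
missing belongs in a compensating-controls section for scrutiny), and
controls are named by an indexed scheme such as "AU-5 (1) (2)", i.e. base
control plus numbered enhancements. The baseline contents below are a
constructed illustration, not the real SP 800-53 tables.
"""
import re
from typing import Dict, List, Set, Tuple

LEVELS = ["LOW", "MODERATE", "HIGH"]   # FIPS 199 names; the article says "High, Medium or Low"


def categorize(confidentiality: str, integrity: str, availability: str) -> str:
    """High-water mark: the system's category is the highest of the three impacts."""
    ratings = [confidentiality.upper(), integrity.upper(), availability.upper()]
    unknown = [r for r in ratings if r not in LEVELS]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(ratings, key=LEVELS.index)


CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)((?:\s*\(\d+\))*)$")


def parse_control(text: str) -> Tuple[str, Set[int]]:
    """'AU-5 (1) (2)' -> ('AU-5', {1, 2}); 'AC-2' -> ('AC-2', set())."""
    m = CONTROL_ID.match(text.strip())
    if not m:
        raise ValueError(f"not a control identifier: {text!r}")
    base = f"{m.group(1)}-{m.group(2)}"
    enhancements = {int(n) for n in re.findall(r"\((\d+)\)", m.group(3))}
    return base, enhancements


def format_control(base: str, enhancements: Set[int]) -> str:
    """Render back into the indexed naming scheme, e.g. 'AU-5 (1) (2)'."""
    return base + "".join(f" ({n})" for n in sorted(enhancements))


Plan = Dict[str, Set[int]]   # base control -> required enhancement numbers

# Constructed illustration: which enhancements of two controls each baseline requires.
BASELINES: Dict[str, Plan] = {
    "LOW":      {"AU-5": set(),  "AC-2": set()},
    "MODERATE": {"AU-5": {1},    "AC-2": {1}},
    "HIGH":     {"AU-5": {1, 2}, "AC-2": {1, 2}},
}


def tailor(level: str, additions: List[str]) -> Plan:
    """Start from the baseline for `level` and add controls or enhancements.

    There is deliberately no way to remove anything here: the standard
    process only ever makes the baseline more stringent.
    """
    plan = {base: set(enh) for base, enh in BASELINES[level].items()}
    for item in additions:
        base, enh = parse_control(item)
        plan.setdefault(base, set()).update(enh)
    return plan


def deviations(level: str, proposed: Plan) -> List[str]:
    """Baseline items a proposed risk treatment plan drops.

    Each entry returned is what would need a compensating-control
    justification; an empty list means nothing was risk-assessed away.
    """
    missing = []
    for base, enh in sorted(BASELINES[level].items()):
        if base not in proposed:
            missing.append(base)
            continue
        missing.extend(format_control(base, {n}) for n in sorted(enh - proposed[base]))
    return missing


if __name__ == "__main__":
    level = categorize("moderate", "low", "high")
    plan = tailor(level, ["AU-5 (1) (2)"])
    print(level, {b: format_control(b, e) for b, e in plan.items()})
    print("dropped:", deviations(level, {"AU-5": {1}}))
```

The point of the structure is visible in `deviations`: a treatment plan that silently omits AC-2 or the second enhancement of AU-5 at the High level is reported item by item, so the omission has to be argued in the open rather than disappearing inside a free-form risk assessment.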