Current high focus area for CISOs should be APT

These APTs has been getting lot of attention recently and reasons why CISOs should focus on this threat now are:

a)      These are essentially a type of targeted attack

b)      And if they miss they reload and fire again till they hit the target

c)       These are “Advanced” meaning  they use publicly available exploits as well as develop custom ones

Draw up action items like; more focus on log analysis and checking out the reason behind the traffic to that  xyz country IP(s) where your company has no business, more aggressive SPAM filtering, etc... And it helps to do things like network pruning and review of your IT policies & procedures

Posted via email from Ramki's posterous

Automated tool assisted vulnerability assessments

ISO27001 requirements 15.2.2: Technical compliance checking Control states - "Information systems shall be regularly checked for compliance with security implementation standards"

Code of practice ISO27002 states "Technical compliance checking should be performed either manually (supported by appropriate software tools, if necessary) by an experienced system engineer, and/or with the assistance of automated tools, which generate a technical report for subsequent interpretation by a technical specialist"

ISO27k certified companies need to conduct periodic vulnerability assessment and hence employ consultants for this. Mostly the scope is to run a series of predominantly automated tests using vulnerability scanners and provide a report & recommendations.

This makes them comply but Is this enough? NO

This post was triggered by thoughts after

> Reading  Information Escapology, part five – Careful with That Proxy, Eugene... Will a standard vulnerability assessment address this? i guess no. It depends on who is doing? depth? methodology? etc.

> After hearing this from a consultant (someone i trust). It seems after a capability presentation session to a large company, the company's CISO asked him if they were the Authorized Scanning Vendor for the scanning tools & was the consulting company PCI DSS compliant... these were the only questions he had on the vulnerability assessment service process; nothing on things like what is the typical approach, methodology, depth, etc. Is it enough if your consultant is an ASV for a tool? Do you need to be PCI DSS compliant to do a vulnerability scan?

Conclusion: For most of them it looks like only compliance matters (or) they want a testing service that is so cookie cutter that the scope will be automatically limited to the basic scan-and-patch kind of findings

Posted via email from Ramki's posterous

CISO and/with IT roles; few thoughts...

CISO reporting to board of directors: Myth or for real? Has some quite interesting views on the role of CISO; certainly worth reading and discussing.

“… four aspects to be kept in mind, while deciding a CISO's reporting pattern:
(a) The CISO should be seen as a strategic role.
(b) He must be at a leadership level.
(c) The CISO should be independent of IT
(d) He should report to a very senior person in the organization, who has strong hold within the organization”

While the points above are good in general; I believe point “c” is too idealistic and actually depends on the organization dynamics. The IT & CISO roles can conflict in certain scenarios but certainly not impossible to manage.

“When a CISO becomes independent of IT, he comes out of his shell. According to the CISO of a leading Indian BPO, this widens the CISO's ability to think about security from an organizational perspective than just IT.”

One cannot presume that IT roles (I am talking about leadership roles) will so severely constrain views to the extent of being considered to be in a shell; any experienced IT pro will have the capability to avoid this state.

“if a CISO is expected to limit himself only to day-to-day operational tasks, instead of assuming a larger responsibility for enterprise-wide coordination of security and risk management, he will not be able to usher in improvement”

I disagree on this; an organization having a CISO role in the ORG chart will have a reasonably mature management systems where roles are clearly defined. If a person here is doubling up for CISO role he/she will be at a level on which their involvement in the execution of day-to-day operational tasks/transactions will be nil or at the most minimal. Of course I am in agreement with the CISO being responsible for risk management and improvements.

I play multiple roles; project management, service delivery, information security, etc… though I face tough conflicting situations regularly they are being managed effectively. 

Finally it all depends on the organization dynamics no standardizations can be applied.

Well… though off-topic this article Let a Hundred Flowers Blossom has made me re-think about standardization. Right now I am thinking about the various standardizations present on our management systems.

Posted via email from Ramki's posterous