Archive for the ‘PCI DSS’ Category

ITG 5 (IT Governance: a Manager’s Guide – 5th Edition) completed!

Friday, November 11th, 2011

At the end of October, we submitted the manuscript of the 5th Edition of our best-selling book on implementing an ISO27001 Information Security Management System (ISMS) to our external publisher, Kogan Page. It should be in bookshops across the world in Spring 2012.

This 5th Edition is completely updated and combines the content of International IT Governance, the version of the book that we produced for the North American market, with that of IT Governance. This means that there will now be a single edition, with coverage of IT governance, legal, security and compliance issues in the UK and in North America, as well as in Europe and elsewhere across the world.

We’ve obviously also updated all the technology content of the book, and have included the most recent information about Advanced Persistent Threats, attack vectors, cyber crime standards, the cyber resilience agenda, social media governance, PCI DSS and, of course, cloud computing.

While the core standards, ISO/IEC 27001 and ISO/IEC 27002, have not yet been updated from the versions published in 2005, a whole family of ISO27000 standards has been created and is being published with great regularity. Our new book incorporates material from a number of these standards and places them in their broader implementation context.

While working on the book, I came across a growing number of surveys and reports in which the link between increased expenditure on information security and a reduced incidence of cyber breaches (and, therefore, reduced financial and business impairment) is clear. It has always been obvious to us that, in an insecure neighbourhood – and the Internet is a deeply insecure environment – it is simply good sense to lock the doors, alarm the house and secure one’s valuable assets.

The growing number of organisations certificated to ISO27001 (many of whom have taken advantage of our range of certificated ISO27001 training courses to prepare themselves) all contribute to greater information security awareness amongst users of digital assets. We hope that the 5th edition of IT Governance: a Manager’s Guide will help many more organisations around the world make the first step toward better digital self-preservation.

And how secure are you?

Monday, June 20th, 2011

Do you imagine that your website and network are as safe and secure against external cyber attack as those of the IMF, the CIA and the US Senate? Are you likely to have spent as much on cyber security as Sony, Nintendo, Sega, Fox, PBS and the rest? And do you think that, because you’re not a high profile organisation, you are immune to cyber attack?

If your answer to the first two questions is ‘No’ but you’ve answered ‘yes’ to the third, then I have to tell you that you are deluding yourself: all organizations, irrespective of size or sector, are at risk of cyber attack. The organisations that make the headlines are those with a high media profile – the multitudes of smaller hacked organisations do not make interesting front-page news and therefore get to suffer in silence. Absence of press coverage does not mean absence of cyber attack.

The first part of a cyber attack is usually automated: a free-standing, web-based ‘sniffer’ programme seeks out web security vulnerabilities (remember, security vulnerabilities are all publicly listed) and, in many instances, the subsequent attack – aimed at stealing information or simply taking over computers to use as part of a zombie botnet – is also automated.
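As an added illustration, not part of the original post, of what that automated first stage looks like from the defender’s side: the Python below runs over constructed Apache/nginx-style access-log lines and flags any client that, within a short window, requests many different paths and mostly receives 404 responses, the typical footprint of a tool probing for files and applications the site does not have. The log lines, IP addresses (taken from the documentation ranges), user-agent strings and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines in "combined" log format; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jun/2011:09:00:01 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jun/2011:09:00:04 +0100] "GET /products.html HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jun/2011:09:00:09 +0100] "GET /contact.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Jun/2011:09:00:10 +0100] "GET /old-page.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Jun/2011:09:00:12 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Jun/2011:09:01:00 +0100] "GET / HTTP/1.1" 200 5120 "-" "probe/0.1"
198.51.100.23 - - [20/Jun/2011:09:01:00 +0100] "GET /admin/ HTTP/1.1" 404 210 "-" "probe/0.1"
198.51.100.23 - - [20/Jun/2011:09:01:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "probe/0.1"
198.51.100.23 - - [20/Jun/2011:09:01:01 +0100] "GET /backup.zip HTTP/1.1" 404 210 "-" "probe/0.1"
198.51.100.23 - - [20/Jun/2011:09:01:02 +0100] "GET /.env HTTP/1.1" 404 210 "-" "probe/0.1"
198.51.100.23 - - [20/Jun/2011:09:01:02 +0100] "GET /wp-login.php HTTP/1.1" 404 210 "-" "probe/0.1"
198.51.100.23 - - [20/Jun/2011:09:01:03 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "probe/0.1"
198.51.100.23 - - [20/Jun/2011:09:01:03 +0100] "GET /config.php.bak HTTP/1.1" 404 210 "-" "probe/0.1"
198.51.100.23 - - [20/Jun/2011:09:01:04 +0100] "GET /manager/html HTTP/1.1" 404 210 "-" "probe/0.1"
198.51.100.23 - - [20/Jun/2011:09:01:05 +0100] "GET /setup.php HTTP/1.1" 404 210 "-" "probe/0.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text: str) -> List[dict]:
    """Parse combined-format lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    return events


def find_scanners(events, window_seconds=60, min_requests=8, min_404_ratio=0.6) -> Dict[str, dict]:
    """Flag each client that, inside one sliding window of window_seconds, made at least
    min_requests requests of which at least min_404_ratio were 404s: a browser following
    links rarely produces a run of misses, an automated probe almost always does."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the slice never spans more than window_seconds.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            current = evs[start:end + 1]
            if len(current) < min_requests:
                continue
            not_found = sum(1 for e in current if e["status"] == 404)
            if not_found / len(current) >= min_404_ratio:
                # Later windows overwrite earlier ones, so the stats describe the widest burst.
                flagged[ip] = {
                    "requests": len(current),
                    "not_found": not_found,
                    "distinct_paths": len({e["path"] for e in current}),
                    "user_agents": sorted({e["ua"] for e in current}),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The single legitimate 404 from 192.0.2.9 (a stale bookmark) is not flagged because it never reaches the request threshold, while the burst from 198.51.100.23 is. In practice the thresholds need tuning per site, and the output is a prompt to check those paths against your own vulnerability-scan results rather than a verdict on its own.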

Sometimes the attack comes by means of an increasingly carefully crafted ‘spear-phishing’ email and, increasingly, the attack is made possible when a member of staff downloads malware from an infected site – malware disguised as something important.

Every organisation has to take adequate steps to protect itself against external cyber attack. There are two practical ways of doing this. The first is to have quarterly ‘hackerguardian’ vulnerability scans run to check the security of your websites and externally facing IP addresses. PCI-compliant organisations already do this, but this is a basic security step that all organisations should take. The second is to have six-monthly penetration tests carried out. Pen tests look for opportunities to exploit vulnerabilities and security weaknesses that might have been missed. Sensible organisations will do both of these things, and will also take steps to ensure that they have a tried and tested incident response procedure to deal with those instances where front line defence fails.

Unless you take action today, you may be tomorrow’s cyber victim.

Pentest or Pull the Plug?

Monday, June 13th, 2011

Codemasters have just demonstrated the weakness of a fallback strategy, when attacked by hackers, of taking your website offline: the hackers will already have got away with a whole lot of valuable information. So Codemasters appear now to be in a position where their website is offline, their customers are upset – and a lot of their customers’ data is in the hands of those not entitled to have it. It’s not really a good way to run an Internet business, is it?

Sensible online organisations will usually do one – or both – of two things. The first is to run quarterly vulnerability scans across all websites that collect customer information – and one of the best tools for doing this is the HackerGuardian Scan service. It is PCI DSS compliant, which means that it meets requirements for e-commerce sites as well as scanning for all other website vulnerabilities.

The second thing to do is to have a detailed external penetration test carried out at least once per year and, ideally, on a quarterly basis – to make sure that your website and network access are both secured against attack. Pen testing is not expensive, and is not complicated – particularly when you purchase a pentesting package.

For most organisations, spending less than £10k per annum on Internet and network security testing must be a more sensible, more cost-effective option than hoping that hackers won’t strike you – because they will.

“Out of an abundance of caution…”

Wednesday, April 27th, 2011

“Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained,” Sony is reported to have said to the 77 million customers whose personal data was compromised between 17 and 19 April 2011.

Why? Why was Sony storing credit card numbers? It’s a PCI DSS requirement that payment card numbers are never stored or, if there is a clear business reason why they must be stored, then they must be hashed in the database so that they are unreadable. Clearly not something Sony did, or it wouldn’t need to warn customers that this data may have been compromised. Does PCI DSS not apply to Sony, or what? Every day, we see small e-commerce businesses being hounded into PCI compliance by their acquiring banks, often at expense far greater than the immediate value to their business – but apparently not Sony. Is Sony too big to comply?
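As an added example, not code from the original post, here is what the handling described above looks like in Python when it is done properly: the card number is Luhn-checked, truncated to the first six and last four digits for display, and kept only as a keyed one-way reference (HMAC-SHA256), while the security code is discarded rather than written anywhere. The key, the function names and the test card number are constructed assumptions. A keyed hash is used rather than a plain hash because a record that carries both the masked number and a plain hash of the full number leaves only six digits unknown, which is a trivially small space to enumerate.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed placeholder key for illustration only. In a real system the key lives in an
# HSM or key-management service, never in source code or in the database alongside the data.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def luhn_valid(pan: str) -> bool:
    """Return True if pan is a 12-19 digit string that passes the Luhn check digit test."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the most that may be shown in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes = DEMO_KEY) -> str:
    """Keyed one-way reference for the full number; without the key it cannot be enumerated."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(pan: str, expiry: str, cvv: Optional[str] = None, key: bytes = DEMO_KEY) -> dict:
    """Build the record that goes into the database.

    The cvv parameter exists only to show it being dropped: the security code is
    sensitive authentication data and must never be retained after authorisation.
    """
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    return {
        "pan_masked": mask_pan(pan),
        "pan_ref": pan_reference(pan, key),
        "expiry": expiry,
    }


def matches_stored(pan: str, record: dict, key: bytes = DEMO_KEY) -> bool:
    """Check a freshly presented number against a stored record without ever storing it."""
    return hmac.compare_digest(pan_reference(pan, key), record["pan_ref"])


if __name__ == "__main__":
    # 4111111111111111 is a constructed, Luhn-valid test number, not a real account.
    rec = store_card("4111111111111111", "12/14", cvv="123")
    print(rec)
    print(matches_stored("4111111111111111", rec))
```

The stored record can be used for repeat-customer matching and chargeback lookups (the reference is stable for the same number under the same key), but it cannot be turned back into a card number, which is the property the paragraph above is asking for.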

And what exactly does Sony mean when they talk about ‘an abundance of caution’? They weren’t cautious enough to protect card holder data in the first place and, as Michael Paller was reported by Reuters to have said, Sony may also have a tendency to throw up unreviewed, insecure code in a rush to get products to market – so, overall, not very cautious at all. Negligent, in fact, you might think.

PCI DSS Gathering Momentum…

Monday, July 13th, 2009

Some UK acquiring banks have a determined campaign in place right now to get all level 2, 3 and 4 merchants to PCI DSS compliance by October. Larger merchants should all now be compliant, which means that hackers and fraudsters will logically turn their attention to smaller companies that may still be vulnerable. So, while PCI compliance for smaller businesses will certainly create a resources challenge for them, it is one to which they are simply going to have to rise – or face fines and penalties from the payment brands.

In Nevada, PCI compliance for all merchants who accept a Nevadan citizen’s payment card has now been made law with effect from 2010 – this is a major step forward in terms of bringing this compliance regime onto a statutory footing, and we should expect to see the process gather pace.

In the UK, it’s National Identity Fraud Prevention Week!

Tuesday, October 7th, 2008

Apparently, we’re today kicking off the UK National Identity Fraud Prevention Week – and research for RSA reveals widespread disbelief (as in, 90% of Britons) that their personal data are safe with banks and retailers, and half the people think that not enough is done to protect these personal details.

That’s better than I thought! Let me explain: in today’s insecure world, everyone has to be concerned about his or her own personal data – this is a critical personal asset that needs safeguarding. And, for far too long, people have simply not been adequately concerned about this issue. Clearly, this is changing – let’s hope that, as more people learn about the poor care exercised by data controllers in the UK, they get better at insisting that adequate steps are taken - and voting with their feet where they are dissatisfied with the standard of care. 

From an organisational point of view, of course, it’s not hard to respond to the findings of this research – take adequate steps, today, to comply with the Data Protection Act in the UK, or whatever data protection legislation applies in your business jurisdiction. If you accept payment cards, PCI DSS compliance should be a given. And, for every organisation, ISO27001 is the best practice standard for securing information – and this week would be a good week to get started on an ISO27001 project!

New UK Computer Crime Unit

Friday, October 3rd, 2008

Well, that’s a relief – the UK government has caught up with the fact that there are criminals on the Internet. The government has said that it will spend £7 million to establish the Police Central E-crime Unit (PceU) in London, which will be run by London’s Metropolitan Police and will be more than half-funded by the Met.

I’m not going to waste time talking about the fantastic stupidity of creating and then, after three years, disbanding the High-Tech Crime Unit (creating SOCA, the Serious and Organised Crime Agency, whose priorities were drugs, people smuggling and similar more ‘traditional’ crimes) just as serious criminals migrated to the Internet. I am, though, going to make the obvious point that, even if the PceU does get going fairly early in 2009, it will still be something like two years before it will start being effective – it just takes a long time to get a new organisation (particularly a publicly-funded one) working, to get objectives and modi operandi and personnel and media and all those things properly sorted. And, in that time, cybercrime will become more sophisticated and the challenge of controlling it even more complex.

Let me put it another way: establishment of the PceU will be no panacea, anytime soon, for cyberthreats. Sensible organisations are just going to have to keep on doing their own risk management around this issue.

How do customers know which suppliers are compliant with the PCI DSS? And shouldn’t they be told?

Thursday, August 7th, 2008

Lots of organisations think they don’t need to worry about theft of credit card data. I don’t know why. Payment card data theft is now big business – the level of professionalism available in this industry includes the development of bespoke software supported by an extremely efficient helpdesk and you don’t usually get this level of specialization until the industry is starting to mature.

Apart from the interesting fact that darkside helpdesks appear to be more efficient than many over on this side, you have to wonder why every organisation that accepts payment card data isn’t already at least PCI DSS compliant? Why hasn’t the PCI Security Council already come up with some form of ‘PCI DSS Compliant’ badge and certification scheme so that paying customers can concentrate all their business on the websites and businesses of those organisations that have actually bothered to do what it takes to protect their card holder data?

The ICO needs to act

Tuesday, January 22nd, 2008

The private sector needs to take data privacy more seriously if it is to stop the Information Commissioner’s Office getting the power to audit their information security systems without warning. According to ComputerWeekly, this is the warning from James Alexander, technology security partner at management consulting firm Deloitte.

His comments followed Deloitte’s finding that only 54% of technology, media and telecommunications (TMT) firms will tell customers if their data privacy is breached.

Well, I take the contrary view here. What we NEED is for the ICO to take some action, because the voluntary approach doesn’t work – just look at how organizations in both the private and public sectors are dragging their feet over PCI DSS compliance! The privacy of individual data requires more stick.

As ample proof, one need only look to the latest cases of lost MoD laptops and Carphone Warehouse’s recent misdeeds.

I rest my case!

BS25999 and ISO27001

Tuesday, October 16th, 2007

Once upon a time, there was only BS7799 for information security – now there are three parts to it, two of which have become internationalised (ISO27001) and are part of a series which has something like 20 numbers reserved for future use – and we also have the PCI DSS to provide a more prescriptive approach to protecting commercially important card holder data. You would have thought that, with all these standards, business would have become more secure.

Perhaps – but, clearly, continuity needs have not been adequately recognized. The first part of BS25999 (already published) was just a code of practice – but the arrival of part 2, the management system specification, will make it possible for organizations to get a BS25999 certificate – to go alongside their ISO27001 and ISO20000 certificates, no doubt.

Or will the proliferation of certificates simply lead to confusion in the minds of stakeholders as well as managers and customers?