SecureWorks - On the Radar Newsletter - September 2008

Regulatory Roundup: Updates in IT Security Compliance

2008 has been a busy year in the IT Security regulatory landscape. PCI DSS has undergone major changes, the ID Theft Red Flags Rule has gone into effect, HIPAA has seen increased enforcement and NERC CIP expanded its reach. In this Regulatory Roundup, we will review the changes that have taken place in the regulatory landscape as well as any updates to regulations expected by the end of the year.

Payment Card Industry Data Security Standard (PCI DSS)
2008 has brought several changes to the PCI DSS:

  • In February, the PCI Security Standards Council revised the Self-Assessment Questionnaire (SAQ) format by creating 4 new SAQ variations to be used by different merchant types with the intent to "simplify and streamline" the self-assessment process. Since April 30, all SAQ submissions have used the new format.
  • In April, the Security Standards Council issued a supplemental document (PDF) for Requirement 6.6 which focuses on web application security. It clarified the options merchants have for application code reviews and/or application firewalls.
  • At the same time in April, they also released a supplemental document (PDF) for Requirement 11.3 to provide clarification on penetration testing regarding scope, frequency, preparation, methodology and also whether it should be performed by an external party.
  • On October 1, the PCI Security Standards Council publicly released version 1.2 of the PCI DSS. Previously, the Council released a Summary of Changes between versions 1.1 and 1.2 that details each of the changes and explains why they were made. 


Identity Theft Red Flags Rule
With the compliance deadline set for November 1, the ID Theft Red Flags Rule (PDF) has been top of mind for financial institutions and other companies that arrange for "the extension, renewal, or continuation of credit." After the Final Rule (PDF) was issued on November 8, 2007, there was little official activity from regulators until the OTS released its examination procedures (PDF) for assessing Red Flags compliance. The remaining FFIEC agencies (FDIC, OCC, FRB and NCUA) have agreed to these high-level procedures and are expected to announce their own versions through their usual channels in the coming weeks.


Gramm-Leach-Bliley Act (GLBA) and Federal Financial Institution Examination Council (FFIEC)
With ongoing turmoil in the financial sector and the new ID Theft Red Flag rules going into effect, there have not been any recent official changes in GLBA / FFIEC compliance. However, some new areas of focus have emerged. In December 2007, the FDIC issued a new IT Officer’s Questionnaire (FIL-105-2007) to be completed by FDIC-regulated banks prior to their next on-site examination. Vendor Management has also become a huge focus for the FFIEC member agencies, with the FDIC issuing guidance and the NCUA confirming that third-party risk is currently a concern for examiners. Application Security has also been under increased scrutiny, with the OCC releasing a bulletin providing guidance to OCC-regulated banks on how to manage application security risks.


Health Insurance Portability and Accountability Act (HIPAA)
While there have been no changes to the Act itself, there has been an increased focus on HIPAA enforcement. In July, Providence Health & Services became the first organization fined for violating HIPAA's Privacy Rule: after investigating potential violations, the U.S. Department of Health & Human Services levied a $100,000 penalty on Providence and required it to implement a Corrective Action Plan.


North American Electric Reliability Corporation Critical Infrastructure Protection Standard (NERC CIP)
2008 has been an eventful year for the NERC CIP Reliability Standards. In January, FERC approved (PDF) 8 of the CIP standards and a timeline for their implementation. In approving the CIP standards, FERC directed NERC to:

  • Make modifications to tighten the standards and reduce variable implementation.
  • Provide additional guidance on risk assessment and audit procedures to reduce ambiguity for regulated utilities.
  • Use NIST Standards where applicable for future development of revisions to the CIP Reliability Standards.

In July, NERC responded (PDF) to Congressional pressure by establishing a Chief Security Officer and committing to make CIP a higher priority. Also, the compliance milestones set forth in the Revised Implementation Plan (PDF) for CIP continue their 3 year progression towards all responsible entities being Auditably Compliant with CIP-002-1 through CIP-009-1 by the end of 2010.


CTU™ Research: Top 10 Attacking Countries

Leveraging data from our client networks and Internet monitoring in addition to an extensive network of industry contacts and underground intelligence sources, the SecureWorks Counter Threat Unit (CTU) analyzes emerging threats and develops measures to counter them before they impact our clients. Based on their research, here are the Top 10 Attacking Countries based on attacks blocked by SecureWorks’ iSensor Network Intrusion Prevention Service since January 2008.

Attacks by Country (blocked by iSensor since January 2008)

Country         Attacks
USA          20,621,039
China         7,688,823
Brazil          166,987
South Korea     162,289
Poland          153,205
Japan           142,346
Russia          130,572
Taiwan          124,997
Germany         110,493
Canada          107,483

With more than 20 million blocked attacks originating from computers located in the USA, the United States clearly hosts the largest number of attack sources, which in practice means the largest number of compromised computers. China is second, with over 7 million attacks originating from computers located there.

It is important to note that although most attacks come from computers located in the USA, CTU research and tracking of individuals and groups involved in cybercrime activities indicates that the most prevalent regions for cybercrime still include Eastern Europe, Russia and China. The majority of today’s attacks are being launched by attackers located in these and other regions using compromised computers or "bots" that can be located anywhere with internet access. For example, in the recent Russia/Georgia conflict Russian hackers used command and control servers located in Turkey to direct attacks from bots that were located mostly in the United States.

This information reinforces the fact that once a computer is compromised, the damage is not limited to that system and its data. It also affects the global community because each compromised system provides attackers with additional resources they have available for cyber attacks. Reducing the number of vulnerable computers that cybercriminals have access to will have a significant impact on the number of cyber attacks against organizations and personal computers.
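The table above gives one view of the same data: events grouped by the country of the source address. The paragraph before it makes the more useful point, that the source address locates the bot, not the operator. As an added example (not SecureWorks or iSensor code), the Python below tallies blocked events by source country the way the table does, and then pivots the same events by signature to show one campaign being launched from bots in several countries. The "timestamp src_ip signature" line layout, the CIDR-to-country table and the events themselves are constructed for illustration; a real deployment would read its IPS export and a maintained GeoIP database instead.

```python
"""Tally blocked-attack events by source country, then pivot by signature.

Added example, not SecureWorks or iSensor code. The log layout
("timestamp src_ip signature"), the CIDR-to-country table and the events
below are all constructed for illustration.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed stand-in for a GeoIP database. The prefixes are private/test
# ranges picked for the example and do not reflect real allocations.
GEO_TABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "US"),
    (ipaddress.ip_network("172.16.0.0/12"), "CN"),
    (ipaddress.ip_network("192.168.0.0/16"), "BR"),
    (ipaddress.ip_network("100.64.0.0/10"), "TR"),
]
UNKNOWN = "unknown"

# Constructed events in the assumed "timestamp src_ip signature" layout.
SAMPLE_EVENTS = """\
2008-09-01T00:00:01Z 10.1.2.3 SMB_Overflow_Attempt
2008-09-01T00:00:02Z 10.9.8.7 SMB_Overflow_Attempt
2008-09-01T00:00:03Z 172.20.1.1 SMB_Overflow_Attempt
2008-09-01T00:00:04Z 192.168.5.5 SMB_Overflow_Attempt
2008-09-01T00:00:05Z 10.4.4.4 SSH_Brute_Force
2008-09-01T00:00:06Z 172.31.0.9 SSH_Brute_Force
2008-09-01T00:00:07Z 100.64.1.1 IRC_C2_Beacon
2008-09-01T00:00:08Z 203.0.113.9 SSH_Brute_Force
"""


def country_for(ip_text):
    """Longest-prefix match of an address against GEO_TABLE."""
    addr = ipaddress.ip_address(ip_text)
    best = None
    for net, cc in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else UNKNOWN


def parse_events(text):
    """Return a list of (timestamp, src_ip, signature); skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # not a usable source address
        events.append((parts[0], parts[1], parts[2]))
    return events


def attacks_by_country(events, top_n=10):
    """Top-N (country, count) pairs: the view the newsletter's table gives."""
    counts = Counter(country_for(src) for _, src, _ in events)
    return counts.most_common(top_n)


def countries_per_signature(events):
    """Countries each signature was seen from: one campaign, bots anywhere."""
    seen = defaultdict(set)
    for _, src, sig in events:
        seen[sig].add(country_for(src))
    return {sig: sorted(ccs) for sig, ccs in seen.items()}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for cc, n in attacks_by_country(evts):
        print(f"{cc:8} {n}")
    for sig, ccs in countries_per_signature(evts).items():
        print(f"{sig}: {', '.join(ccs)}")
```

The per-country tally ranks the constructed "US" range first, exactly as the table ranks the USA, while the per-signature pivot shows the same SMB overflow signature arriving from three countries at once. That second view is the one to use when deciding whether a spike is a new campaign or the same botnet seen through a different set of infected hosts.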

Best Practices for Security Awareness Training

Often referred to as "Strengthening the Human Firewall," Security Awareness Training is essential to protecting against attacks that seek to exploit our natural tendencies to trust and help others. If done well, Security Awareness Training can significantly reduce the risk presented by attacks that rely on social engineering to penetrate your defenses. Unfortunately, not all training methods are equal in their effectiveness. But by following some simple guidelines, you can improve your Security Awareness Training Program and make the most of your "human firewall."

Work within the organization, don’t fight it
Every organization is unique. From people to processes, businesses are individually tailored for maximum effectiveness and efficiency. Following this concept, Security Awareness Training should also be customized to fit your organization and its culture. Use training methods and mediums that employees are familiar with and understand. Leverage programs and activities that are already institutionalized (like regular "lunch and learn" meetings or "training days") to bring Security Awareness Training to your employees, instead of disrupting their regular activities or requiring people to go out of their way. This will not only improve attendance – your employees will also be more receptive and willing to learn.

Teach concepts, but make it real
Explain the risks in language that is meaningful for your audience. Use real-life examples pulled from the headlines and go a step further by illustrating how the training concepts help to stop similar incidents from happening to individuals and the organization. Provide insight into how good personal security habits benefit the company AND the individual. Limit the amount of FUD (Fear, Uncertainty and Doubt) you use. It may have a positive short term impact, but ultimately it will reduce your credibility. Once employees recognize the underlying reasons behind security precautions, they will begin to appreciate the procedures - significantly increasing the likelihood of their compliance.

One idea often used for this is to conduct a basic social engineering exercise prior to an upcoming Security Awareness Training session. Then, during the training, use good AND bad examples from the exercise to illustrate concepts and highlight their importance.

Encourage discussion and questions
Make training interactive. Being involved keeps individuals interested and improves retention of security awareness concepts. Ask questions frequently and encourage employees to ask questions at any time. If you get questions in the middle of a presentation, keep track of them on a whiteboard. Follow key topics immediately with 5-10 minutes of "Q&A time" instead of waiting until the end of the entire session, when many people are ready to leave and reluctant to prolong it. Also, create scenarios that foster discussion of "What should I do if…" situations between employees and act as a moderator. The more interactive your Security Awareness Training is, the better.

Test, measure and improve
Testing your employees is essential. It helps you measure your training's effectiveness and identify areas in need of improvement. Regular tests reinforce the rules discussed during training and keep your staff alert. Eventually, not knowing whether a situation is a test or 'the real thing' leads employees to do the right thing either way. Show that complying with security procedures has a positive impact, not a negative one, even when it adds 30 seconds to completing a task.

Use carrots, not sticks
After testing employees, whether it's a formal exercise or simply a spot check, you must follow up on testing results. Rewarding good security awareness positively reinforces the likelihood that the employee continues to exhibit that good behavior in the future. And the more visible to others the reinforcement is, the more likely it is that other employees will seek positive reinforcement as well through good security awareness. Punishing poor performance in awareness tests or exercises is not recommended, especially if your Security Awareness Training program has not been in place for a long time or if you are dealing with a relatively new employee. But you should review with them what they did wrong, what could have happened were it real and not a test situation, and what they should do in similar situations in the future.

Maintain "Mindshare" with frequent touches
Keep it fresh and top of mind. Regulations often require Security Awareness Training to be conducted yearly. However, quarterly sessions are highly recommended and are more effective at raising the overall security of an organization. Awareness diminishes over time, so breaking training up into 1-2 hour sessions spread across multiple days throughout the year, instead of trying to fit it all into one long day, will help you maintain a higher level of security awareness. If possible, hold the sessions over a lunch sponsored by your security team to encourage high attendance and have employees looking forward to the training instead of wishing they didn't have to do it. Other light touches like well-placed awareness posters, company-wide emails and other forms of communication that catch attention are also good ways to promote ongoing awareness between training sessions.

Conclusion
It has long been understood in the security community that people are one of the weakest links when it comes to preventing data breaches and securing systems. In fact, many of today's attackers rely on exploiting the people in your organization to slip past your defenses. But with effective Security Awareness Training that follows the guidelines above to strengthen your "human firewall," your people can become an asset to your organization's security program instead of a liability.

SecureFacts

20,621,039 attacks from U.S.-based computers blocked by iSensor since January 2008. Source: Counter Threat Unit™.

 
