Saturday, November 17, 2007

Using TrueCrypt to encrypt your data

Being a consultant, I work with clients, and with that comes the creation of documents which need to be protected by all means from unauthorized users.
Laptop theft is quite common these days, and with no protection such as encryption in place, it's just a question of time before your data is exposed to the many prying eyes around.
It's always been my concern to somehow protect these documents in the eventuality that my laptop gets stolen.
A couple of commercial products are available in the market; PointSec is one of them. But my instinct was not in favour of paid software, and I was keen to try a free product which came close to the commercial ones.

The one I chose and currently use is TrueCrypt.

TrueCrypt is free, open-source disk encryption software for Windows Vista/XP/2000 and Linux.

Some of the main features of the software, as listed on its website, include:

1. Creates a virtual encrypted disk within a file and mounts it as a real disk.

2. Encrypts an entire hard disk partition or a storage device such as a USB flash drive.

3. Encryption is automatic, real-time (on-the-fly) and transparent.

4. Encryption algorithms supported: AES-256, Serpent, and Twofish.

More information on the software can be found at http://www.truecrypt.org/

Monday, October 15, 2007

Mapping Router Audits to ISO 27001

I recently wrote an article for the ISO 27001 forum on Google Groups.

The idea was to arrive at a Cisco router audit checklist and map it to the applicable ISO 27001 controls.

Here is the link to the article.
http://www.iso27001security.com/ISO27k_router_security_audit_checklist.rtf

Sunday, September 16, 2007

A.11.4.3 explained with Cisco Switches

In the ISO 27001 standard, A.11.4.3 talks about the identification of equipment in networks. Taken from the standard itself, A.11.4.3 states that "Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment."

Identification has traditionally been associated with usernames. If I log in as "aaron", it is assumed that aaron has logged into the system (unless I share my password with someone else). When it comes to networks and network equipment, identification can take place at the data link and network layers.

The scope of this article is restricted to the use of identification to meet A.11.4.3 on a layer 2 switch.

Access switches work at layer 2 of the OSI stack, where devices are addressed by MAC address. Because each MAC address is intended to be globally unique, it gives administrators a simple handle for identification. On Cisco switches this is used by a feature known as port security: the administrator controls which MAC addresses, and therefore which machines, are allowed to appear on a particular port. Say you have a 12-port switch with 12 users connected to it, and you are concerned that an unauthorized person or machine could get onto your network by plugging into any one of those ports. Port security addresses this: you bind the legitimate MAC address of each machine to its respective port, so that any other machine connected to that port is refused access to the network.
To enable this feature on a Catalyst switch running CatOS, use the following command (IOS-based switches use the switchport port-security commands instead, with the same effect):
Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08
Port security has other options, such as setting the maximum number of MAC addresses allowed on a port and the action to be taken in case of a violation. Further information on these can be found at the following link:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/5.x/configuration/guide/sec_port.html
(One caveat with this solution: a motivated attacker can spoof an allowed MAC address in software and get access to your network, so port security identifies equipment but does not strongly authenticate it.)

Management access to the switch can also be restricted through the use of ACLs, which is the other case the control refers to: an administrator can decide which management stations may initiate connections to the switch over telnet or any other management protocol.

Use the following commands (Cisco IOS) to restrict telnet access to the switch to certain IPs only. Access list 10 ends with an implicit deny, so every station not listed is refused.

Switch(config)#access-list 10 permit 10.20.1.5
Switch(config)#line vty 0 4
Switch(config-line)#access-class 10 in

where 10.20.1.5 is the machine which should be given access to the switch.
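To show the two steps of this post together in current Cisco IOS syntax (the port security command above is CatOS, while the vty commands are IOS), here is an added example that is not part of the original post. The interface names, VLAN 10, the ACL name MGMT-HOSTS, the second management station 10.20.1.6 and the err-disable recovery settings are assumptions; 10.20.1.5 and the MAC address 00-90-2b-03-34-08 (written 0090.2b03.3408 in IOS) come from the post.

```cisco
! Added example, not from the original post: port security plus a
! management ACL on a Cisco IOS access switch.
!
! --- Layer 2: bind a port to the machine that may use it (A.11.4.3) ---
! Interface names and VLAN number are assumed.
interface FastEthernet0/1
 description User workstation, statically bound MAC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0090.2b03.3408
!
! A port with an IP phone and a PC behind it: learn the first two MACs
! and write them into the running config (sticky), drop anything else
! without shutting the port.
interface FastEthernet0/2
 description Phone and PC, sticky learning
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! Optional (assumed): bring a shutdown-on-violation port back after
! 5 minutes instead of waiting for a manual shut / no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Management plane: only named stations may open a session ---
! 10.20.1.5 is the station from the post; 10.20.1.6 is an assumed
! second admin workstation. The explicit deny with "log" records
! refused attempts; the implicit deny would drop them silently.
ip access-list standard MGMT-HOSTS
 permit 10.20.1.5
 permit 10.20.1.6
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! --- Verification ---
! show port-security interface FastEthernet0/1
! show port-security address
! show errdisable recovery
! show access-lists MGMT-HOSTS
! show running-config | section line vty
```

"transport input ssh" assumes SSH has already been enabled on the switch (hostname, ip domain-name and crypto key generate rsa); if only telnet is available, keep the access-class and leave transport input as it was. After applying the configuration, "show port-security interface FastEthernet0/1" should report the port as secure-up with one configured address, and the match counter on the deny line of MGMT-HOSTS will grow with each refused connection attempt, which is a useful thing to watch during an audit.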

The two steps above are one way in which network devices can work towards compliance with A.11.4.3.

Thursday, September 13, 2007

Upper Management Support

My first blog post on information security is about the importance of having upper management be part of the kick-off meeting of an ISO 27001 security project. This idea comes from what I learnt on the Project+ course together with my experience of dealing with information security for my clients.

I was recently part of an assignment where we consultants were given the objective of setting up an ISMS for the organization. The scope of the assignment was the setting up of the ISMS for the entire organization (oh boy!). So we started off by meeting the IT team and their various function heads: the network department, the software development team, etc. We soon felt that, with the ease with which we were getting information, we would have covered the business processes of the entire organization within a week. Little did we know that it was not meant to be. After IT, we decided to meet the other departments, only to be told that we could not be given confirmed dates for the meetings. This went on for quite some time, and even the few people we did meet looked at us with suspicion; they were not open enough to discuss the issues they faced. With hindsight, we realised that we had missed one crucial element in the entire process: an initial upper management meeting.

Information security is generally sold to the IT department of an organization. What I mean by sold is that consulting companies generally approach the IT department to sell a particular service such as a vulnerability assessment, a technical audit or, for that matter, even an ISO 27001 implementation.

Although the first two services (and the findings from those activities) are to a great extent the responsibility of the IT department, with probably no involvement of the other business heads, the last one is not. An ISO 27001 exercise is not an IT project alone. It demands strong management support and direction even before the start of the project, as well as an understanding of how the business functions in order to get a realistic picture of the business risks.

I believe this issue can be overcome by adopting the steps mentioned below.
a) At the time of the tendering process, the IT department should attempt to obtain buy-in from upper management for the ISO 27001 exercise. ISO 27001 exercises for the entire organization, or for that matter even for certain departments, are possible only if upper management (which should also include the CEO or directors of the company) gives whole-hearted support to the process. By whole-hearted I mean that they should not just pay lip service to their support but be part of, and implement, the ISMS itself.
b) During the kick-off meeting, the CEO or an equally senior member of management should be requested to be present to give a brief talk about how management sees information security and how important the project is to them. (This is obviously possible only if step one is done right.)

I believe that if the CEO of a company is able to convey to his people the message that "security is important to us and our business", there will be more whole-hearted support from the various business leaders in the organization. The ISMS is then implemented in the right spirit (and we consultants can breathe easy :)