Improve Your Team’s Productivity

Today’s security professionals must know how to design and implement security transformation programmes on an enterprise-wide scale. In order to be successful at this, not only must they be technically savvy, but they should know how to build, lead and manage a team effectively for this purpose.

When dealing with teams, many people mistakenly assume that some team roles are more important than others, when in reality, all participants are equally essential. The diversity of skills makes a team versatile and is reinforced by the active involvement from all parties. Each role, trade or character type has its own strengths and weaknesses, which should be identified, harnessed and optimized (or reduced, in the latter case) in order to enhance the team’s overall performance. There are several existing resources for thoroughly exploring these complex human dynamics. One of the strongest ones available is the Belbin Model.

Dr. Meredith Belbin designed a personality test, known as the Belbin Team Inventory, in which he defines nine team roles that are necessary for a team’s optimal performance.

Through a 360-degree feedback mechanism (which includes the individual’s as well as the observers’ evaluation, mutually contrasted with one another), this test is designed to identify an individual’s personal behavioural traits and interpersonal strengths. It is not uncommon to see, however, that many people score strong tendencies towards multiple roles.

Based on the assessment of the individual’s behaviour within a team environment, Belbin sorted these nine roles into three main categories which include the action oriented roles, the people oriented roles and the thought oriented roles.

The action oriented roles and their strengths are the following:

  • Shaper: outgoing and dynamic people who help the team improve by finding the best problem-solving methodologies. The Shaper is responsible for keeping track of all the possibilities while avoiding the team’s complacency. Shapers usually welcome complications and unexpected outcomes as challenging opportunities that could lead to great outcomes: they have the courage to take them on when others feel like quitting.
  • Implementer: assumes the role that translates the team’s concepts and ideas into practical action plans. Implementers are very disciplined, well-organized and work systematically and efficiently: they are the team members everyone counts on to get the job done.
  • Completer-Finisher: makes sure that deadlines are met and checks for omissions and errors. Because they tend to be orderly, conscientious perfectionists, they will pay attention to every single detail and ensure the job is completed on time.

The people oriented roles and their assets comprise:

  • Coordinator: who usually assumes the role of the chairman or traditional team-leader. Because they tend to be excellent listeners, they intuitively recognise the intrinsic value each team member can contribute to the group. With this personal strength, along with their calm and good nature, they are able to delegate tasks efficiently and guide the team to what they observe are the main objectives.
  • Team Worker: is the member who takes over the role of the negotiator within the team while providing support and ensuring a productive environment in which everybody may work together effectively. Team workers tend to be charismatic and therefore popular and outgoing, which makes them very capable in facilitating team cohesion while encouraging people to get along.
  • Resource Investigator: assumes the role of identifying and working with external stakeholders in order to enable the team to accomplish its objectives. Resource investigators are typically enthusiastic, extroverted and outgoing, which makes others receptive to their ideas. Because they tend to be curious and innovative, they can easily establish contacts, explore available options and negotiate for resources on behalf of the team.

Finally, the thought oriented roles and their potency characteristics include:

  • Plant: the person who comes up with innovative ideas and methodologies. He/she is usually introverted and might prefer to work in a separate environment from the rest of the team. Plants do, however, thrive on praise and find difficulties in dealing with criticism.
  • Monitor-Evaluator: is the objective member every team needs for analysing and evaluating the ideas that other people (usually Plants) come up with. They can easily weigh the pros and cons of all the available options before arriving at a decision.
  • Specialist: these are the individuals who possess the specialised knowledge and experience required to get the job done. Their contribution to the team is that of the expert in the field, and they are usually fully committed to their area of expertise. Their priority lies in maintaining their professional status, and they take great pride in their abilities and skills.

One of the core foundations of the Belbin Team Inventory is that a team can be considered well-balanced when all nine roles are present and participate actively. When we recognise our individual role within a given team, we can further develop our strengths and manage our weaknesses in order to improve our contribution to the team.

If several members within a given team have similar behavioural styles or team roles, the team becomes unbalanced and doesn’t function up to its full potential. The underlying cause is that similar behaviours imply overlapping strengths, which can foster interpersonal competition rather than cohesion or mutual collaboration. Additionally, similar behaviours mean similar weaknesses, which can become a general weakness of the entire team. Belbin’s nine-role definition also identifies the characteristic weaknesses that tend to accompany each team role. These “allowable” weaknesses should be recognised in order to allow for improvement.

The weaknesses of action oriented roles typically include:

  • Shaper: might not always be considerate of other people’s feelings and be argumentative.
  • Implementer: could be rigid and have a hard time changing.
  • Completer-Finisher: might have difficulties in delegating and suffer from unnecessary worry and anxiety.

The weaknesses associated to the people oriented roles are usually the following:

  • Coordinator: may tend to be manipulative in nature and might delegate too much of his/her personal responsibilities away.
  • Team Worker: might struggle to maintain uncommitted positions during decision-making processes or discussions, and have a tendency to be indecisive.
  • Resource Investigator: might be overly optimistic and can quickly lose enthusiasm.

The drawbacks of the thought oriented roles include:

  • Plant: because of their unconventional ideas and suggestions, they may be seen by the rest of the team as impractical. The introverted nature of Plants can make them poor communicators, and they might tend to overlook given constraints or parameters.
  • Monitor-Evaluator: because they are strategic in their methodologies, as well as critical thinkers, they are usually regarded as unemotional or detached. They might be poor motivators who react to a given circumstance instead of instigating it.
  • Specialist: because their contribution is limited to the field of their expertise, their participation is restricted, which may lead to technicalities and concerns at the expense of a wider scope.

After many years of studying teamwork, Belbin broadly defined a team role as “a tendency to behave, contribute and interrelate with others in a particular way”: a tendency that people normally adopt when they assume a particular team-role. The individual and interpersonal behaviours might, however, depend to some extent on the situation, since it is not only related to one’s own natural style of working, but to the interaction with others and the actual work itself. This means that each one of us may behave and interact quite differently according to the nature of the team members and/or the work we are exposed to.

How to use the Belbin Team Inventory as a tool

The Belbin Team Inventory is a rather handy tool and can be used in different ways: for managing interpersonal differences within a given team, for considering how to construct a balanced team properly before a project starts, or for developing oneself as a team member.

The Belbin model can be used to analyse an existing team, as well as a helpful guide to develop the team’s strengths, and manage its weaknesses. The following tool can be very helpful in analysing team membership, checking for potential strengths and weaknesses within the team:

1. Observe the individual members of your team over a period of time, to see how they perform individually, how they contribute and how they conduct themselves within the team.

2. Make a list of the team members which includes their observable characteristics: both key strengths and weaknesses.

3. Compare each team member’s strengths and weaknesses with the descriptions provided by the Belbin Model. Which team role best describes each person?

4. Once you feel you have identified each individual’s corresponding role, answer the following questions:

  • Are there any roles missing from the team? If so, which ones, and which strengths are therefore most likely to be missing from the team overall?

  • Is there a prevalent team role that many of the team members share?

When there are teams of people who perform the same job, there will be specific predominant team roles. In a team of business consultants, for example, there might be numerous Shapers and Team Workers, as opposed to a research department which will mainly consist of Plants and Specialists. These are perfect examples of unbalanced teams, which might be lacking key approaches and outlooks.

If the team is considered to be unbalanced, the first step is to identify the overall weakness that results from the team. The following step would be to recognise areas of potential conflict. An example would be an excess of Shapers that might weaken a team if each one wishes to drive the team in different directions.

5. Once potential weaknesses, areas of conflict and missing strengths have been identified, identify the options you have to improve and change this. Consider:

  • Whether one or more team members could develop or adapt how they work together and with others in order to avoid potential conflict between their natural styles.

  • Whether an existing team member could compensate by adopting a different team role. Through awareness and intention, this is sometimes possible.

  • Whether new skills need to be brought onto the team to compensate for the weaknesses.

The Belbin Team Roles model may introduce more coherence into the team.

It is important to mention, however, that although the Belbin model can be very useful, it should mainly be regarded as a good guide for building a team. One shouldn’t mistake this for depending too heavily on it in order to strive for perfection, which might restrict other potential strengths a team and its members may have. It is basically up to the team leader’s professional intuition to evaluate and decide for him/herself what would be the greatest overall benefit. Perhaps the main concept to learn here today is that in order to have a very high performing team, “the key is BALANCE”.

Resources:

http://www.belbin.com/

http://www.mindtools.com/pages/article/newLDR_83.htm

Images courtesy of digitalart and jannoon028 / FreeDigitalPhotos.net

An Introduction to Industrial Control Systems Security Part III: Auditing the Environment

Sometimes, in order to ensure the security of a system, it is not enough to follow the general advice outlined in the Overview of Protection Strategies, and one may choose to perform a penetration test.

Security assessments of this highly sensitive environment should be conducted with extreme care. They require not only basic network security skills but also knowledge of the equipment, SCADA-specific protocols and vulnerabilities.

In the photo you can see different types of PLC and RTU devices, discussed in the Overview of Industrial Control Systems:

  • Modicon Momentum PLC
  • Rockwell Automation MicroLogix 1100 PLC
  • Siemens S7 1200 PLC
  • Small embedded RTU device

The original SCADA protocols (vendor-specific protocols include Modbus RTU, DF1, Conitel and Profibus) were serial-based, with the master station initiating communication with the controllers. Nowadays, almost all SCADA protocols are encapsulated in TCP/IP and can be operated over Ethernet.

To get a better understanding, one can use Modscan32 to connect to the PLC and view register data by entering the IP address and TCP port number in the tool.

If there is no live PLC available to work with, one can always use a Modbus/TCP simulator to practise capturing traffic with Wireshark, configuring the OPC server and building human-machine interfaces.
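The register data that Modscan32 displays travels in Modbus/TCP frames: a 7-byte MBAP header (transaction id, protocol id, length, unit id) followed by the PDU (function code and data). The decoder below, an added example that is not a tool from this post, parses the common read and write function codes from a Wireshark-style capture and reports writes issued by any host other than the allow-listed master/HMI, plus exception replies; the frames, IP addresses and allow-list are constructed.

```python
"""Decode Modbus/TCP frames and flag writes from hosts that are not the
master station.  Added example for this post, not a tool from the page;
the frames, addresses and allow-list below are constructed."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}          # function codes that change PLC state
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Slave Device Failure"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    is_exception: bool = False
    exception_code: Optional[int] = None
    address: Optional[int] = None
    quantity: Optional[int] = None
    registers: List[int] = field(default_factory=list)

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS


def parse_frame(raw: bytes, request: bool) -> ModbusFrame:
    """Split the 7-byte MBAP header from the PDU and decode the common
    read/write function codes.  `request` says which side sent the frame,
    because e.g. FC3 requests and responses have different layouts."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if len(raw) != 6 + length:          # length counts unit id + PDU
        raise ValueError(f"length field {length} disagrees with frame size")
    fc, data = raw[7], raw[8:]
    if fc & 0x80:                       # exception response: FC | 0x80, then code
        return ModbusFrame(tid, unit, fc & 0x7F, True, data[0] if data else None)
    f = ModbusFrame(tid, unit, fc)
    if fc in (1, 2, 3, 4):
        if request:
            f.address, f.quantity = struct.unpack(">HH", data[:4])
        elif fc in (3, 4):              # response: byte count, then 16-bit registers
            n = data[0]
            f.registers = list(struct.unpack(f">{n // 2}H", data[1:1 + n]))
    elif fc in (5, 6):                  # request and response share one layout
        f.address, value = struct.unpack(">HH", data[:4])
        f.registers = [value]
    elif fc == 16:
        f.address, f.quantity = struct.unpack(">HH", data[:4])
        if request:
            n = data[4]
            f.registers = list(struct.unpack(f">{n // 2}H", data[5:5 + n]))
    return f


def audit_session(session, allowed_masters):
    """session: (src_ip, dst_ip, raw_frame, is_request) tuples.  Report writes
    issued by anything other than the allow-listed master/HMI hosts, and
    exception replies, which usually mean a register-map mismatch."""
    findings = []
    for src, dst, raw, is_request in session:
        f = parse_frame(raw, is_request)
        if f.is_exception:
            findings.append(f"{src}->{dst} FC{f.function} exception: "
                            f"{EXCEPTION_NAMES.get(f.exception_code, f.exception_code)}")
        elif is_request and f.is_write and src not in allowed_masters:
            findings.append(f"{src}->{dst} unit {f.unit_id} {FUNCTION_NAMES[f.function]} "
                            f"addr {f.address} values {f.registers} from non-master host")
    return findings


# Constructed capture: the HMI polls three holding registers, then a host
# outside the allow-list writes register 5, which the PLC rejects.
HMI, PLC, ROGUE = "192.0.2.10", "192.0.2.50", "198.51.100.7"
SESSION = [
    (HMI, PLC, bytes.fromhex("000100000006" "01" "03" "0000" "0003"), True),
    (PLC, HMI, bytes.fromhex("000100000009" "01" "03" "06" "0064" "00c8" "012c"), False),
    (ROGUE, PLC, bytes.fromhex("000200000006" "01" "06" "0005" "002a"), True),
    (PLC, ROGUE, bytes.fromhex("000200000003" "01" "86" "02"), False),
]

if __name__ == "__main__":
    for line in audit_session(SESSION, {HMI}):
        print(line)
```

Feeding real captures means extracting the TCP payload of each port 502 packet and passing it with the request/response direction; the parser only covers the function codes listed, so extend it for vendor-specific ones.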

An Introduction to Industrial Control Systems Security Part II: An Overview of Protection Strategies

Initially, since most of the ICS components were physically found in secured areas, and were not connected to IT systems or networks, local threats were the only security concern. Because merging ICS systems and IT networks has become increasingly prevalent, the former have become significantly less isolated from the outside world, thus requiring security measures to protect them from external and remote threats.

Additionally, the implementation of wireless networking makes the ICS vulnerable to adversaries in physical proximity who do not have direct access to the equipment. The endless list of possible adversaries or threats to an ICS might include discontented employees, hostile governments, malicious intruders, terrorist groups, natural disasters, accidents and system complexity, as well as accidental or malicious actions by insiders. Therefore, the security objectives for any ICS must follow the priority of availability, integrity and confidentiality, in that order.

An ICS may face the following possible scenarios:

  • A modification to the ICS software or configuration settings, or ICS software infection with malware.
  • ICS operation disruption due to delayed or blocked traffic through the ICS network.
  • Interference with the operation of safety systems, which could endanger human life.
  • Unauthorised changes to commands, instructions, or alarm thresholds, which could disable, damage or shut down equipment, create environmental impacts and risk human life.
  • Inaccurate information sent to system operators, either to disguise unauthorised changes, or to cause the operators to initiate inappropriate actions.

An ICS implementation should include the following main security objectives:

  • Physical access restrictions to the ICS network and devices. A combination of card readers, locks, and/or security guards could be used as physical access controls to protect the ICS’s components from functionality disruptions.
  • Individual ICS component protection from exploitation. Security patches should be deployed as quickly as possible once they have been tested under field conditions. All unused ports and services should be disabled, ICS user privileges should be restricted to only those that are required for each individual role, audit trails should be tracked and monitored, and security controls such as antivirus software and file integrity checking software should be used whenever it is technically feasible to prevent, detect, deter and mitigate malware.
  • Logical access restrictions to the ICS network and network activity. In order to prevent information flow from travelling directly between the ICS and the corporate networks, a demilitarized zone (DMZ) network architecture with firewalls can be used, along with separate authentication mechanisms and credentials for the ICS and corporate network users. Additionally, a network topology with multiple layers can be implemented, keeping the ICS’s most critical communications in the most reliable and secure layer.
  • Maintenance of functionality during adverse conditions. In order to do so, the ICS must be designed so that each critical component has a redundant counterpart. If and when a component fails, it should do so in a way that avoids generating unnecessary traffic on the ICS and other networks, and that does not trigger a cascading event or other problems elsewhere.
  • System restoration after an incident. Because incidents are inevitable, it is essential to have an incident response program. The mark of an effective security plan is how quickly a system can be restored after an incident has disrupted it. It is thus vital for a cross-functional cyber security team from various domains to share their experience and knowledge and to work together in evaluating and reducing the possible risk to the ICS. This team must at the very least include a member of the company’s IT staff, a control system operator, a control engineer, a network and system security expert, a member of the management staff, and a member of the physical security department. Additionally, for consistency, this cyber security team must consult with the control system vendor and system integrator. They should report to the organisation’s CIO/CSO or the site management, who must take full responsibility and assume complete accountability for the ICS’s cyber security. An effective ICS cyber security program must focus on a “defense-in-depth” strategy which layers the security mechanisms to minimise the impact of a failure in any one of said mechanisms.

CSSP recommended defence-in-depth architecture (NIST 800-82)

A defense-in-depth strategy in any typical ICS therefore requires:

  • Physical access restrictions to the ICS network and devices.
  • Modern technology, such as smart cards, for Personal Identity Verification (PIV).
  • The application of an ICS layered network topology, with the most critical communications occurring in the most reliable and secure layer.
  • The implementation of a DMZ network architecture to prevent traffic between the ICS and corporate networks.
  • The establishment of a logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks).
  • The implementation of separate authentication mechanisms and credentials for users of the corporate network and the ICS network.
  • The application of role-based access control and the configuration of each individual role based on the principle of least privilege, which means restricting ICS user privileges to those required for each job.
  • The employment of security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
  • The implementation of security techniques such as cryptographic hashes and/or encryption to ICS data storage and communications where appropriate.
  • The rapid deployment of security patches after testing all patches under field conditions before installation on the ICS.
  • The disablement of unused ports and services on ICS devices, after testing to ensure this will not impact ICS operation.
  • Tracking and monitoring audit trails on critical areas of the ICS.
  • Ensuring that critical components are redundant and are on redundant networks.
  • The design of critical systems for graceful degradation (fault tolerance) to prevent catastrophic cascading events.
  • Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.
  • The development of security policies, procedures, training and educational material that are specifically applicable to the ICS.
  • Taking into account the ICS security policies and procedures following the Homeland Security Advisory System Threat Level, and employing progressively amplified security measures as the Threat Level increases.
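The DMZ, layered-topology and logical-separation items above can be expressed as a rule that traffic may only cross one layer at a time, so corporate and ICS traffic always meets in the DMZ. The script below, an added example rather than anything from NIST 800-82 or a firewall product, audits a constructed firewall rule set against that rule; the zone names, rule format, ports and the assumption that Modbus/TCP is only initiated from within the control layer are my own.

```python
"""Audit a firewall rule set against the layered ICS topology: corporate
and ICS traffic must meet in the DMZ, never flow directly.  Added example
for this post; zone names, rule format and ports are assumptions."""
from dataclasses import dataclass
from typing import List, Union

# Layered topology, ordered from the field devices up to the corporate side.
# Allowed traffic may cross at most one layer, so anything reachable from
# the corporate zone has to terminate in the DMZ.
ZONE_LEVEL = {"field": 0, "control": 1, "dmz": 2, "corporate": 3}
MODBUS_TCP = 502   # assumption: polling PLCs is only done from the control layer


@dataclass(frozen=True)
class Rule:
    src: str                  # zone name, or "any"
    dst: str
    port: Union[int, str]     # TCP port number or "any"
    action: str               # "allow" or "deny"


def check_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per violation of the DMZ design.  Rules are
    first-match, so the set must end in an explicit deny any->any."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src not in ZONE_LEVEL or r.dst not in ZONE_LEVEL:
            findings.append(f"{r.src}->{r.dst} port {r.port}: allow rule with unknown zone")
            continue
        hop = abs(ZONE_LEVEL[r.src] - ZONE_LEVEL[r.dst])
        if hop > 1:
            findings.append(f"{r.src}->{r.dst} port {r.port}: skips a layer, bypasses the DMZ")
        if r.port == "any" and hop > 0:
            findings.append(f"{r.src}->{r.dst}: 'any' port across a zone boundary")
        if r.port == MODBUS_TCP and ZONE_LEVEL[r.src] > ZONE_LEVEL["control"]:
            findings.append(f"{r.src}->{r.dst}: Modbus/TCP initiated from above the control layer")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == last.dst == "any"):
        findings.append("rule set does not end with an explicit deny any->any")
    return findings


# Constructed rule set with two rules that break the design.
SAMPLE_RULES = [
    Rule("corporate", "dmz", 443, "allow"),              # users read the historian web view
    Rule("control", "dmz", 1433, "allow"),               # control zone pushes data to the historian
    Rule("corporate", "control", MODBUS_TCP, "allow"),   # violation: corporate host polls PLCs directly
    Rule("dmz", "field", "any", "allow"),                # violation: skips the control layer, any port
    Rule("any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES):
        print(finding)
```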

Resources:
Guide to Industrial Control Systems (ICS) Security by NIST

An Introduction to Industrial Control Systems Security Part I: An Overview of Industrial Control Systems

Today’s major industries rely on highly automated industrial processes operated by critical infrastructures of highly interconnected and mutually dependent systems known as industrial control systems (ICS). These are predominantly found in industries such as transportation, electric, oil and natural gas, utility power, pulp and paper, mining, discrete manufacturing (i.e. durable goods, automotive, aerospace, etc.), chemical, metals, food and beverage, water and wastewater, and pharmaceutical.

The term ICS comprises three main types of systems which include distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, along with the incorporation of smaller controller hardware components such as the skid-mounted Programmable Logic Controllers (PLC).

DCS are usually found within a localized area, such as an industrial process plant or a factory, as a specific functional distributed control system design that relies on supervisory and regulatory control. DCS emerged as a tool for controlling the systems involved beyond a small cell area, while collecting data in real time on high-bandwidth/low-latency data networks. Because everything operates in real time, loop control will commonly extend up to the DCS top level controllers. Such systems can be found in refineries and chemical plants, among others.

SCADA systems were designed to cater to distribution applications where remote data must be gathered through more unreliable data networks, such as those with low-bandwidth/high-latency links. These systems are implemented in widely separated geographical sites (often scattered over thousands of square kilometers) using an open-loop control, through centralized data acquisition and supervisory control. Supervisory data is typically sent back to a control center through remote terminal units (RTUs), which tend to be restricted to a limited capacity for handling local controls whenever the master station is not available. With technological advances, however, the capability of these RTU systems continues to grow, allowing for better performance. SCADA systems are normally used in water pipelines and natural gas industries, to name a few.

PLCs are computer-based devices and are the result of the technological replacement of relay racks in ladder form. They are the primary components in small control system configurations and are used in almost all discrete industrial processes. PLCs are commonly integrated into DCS architectures as key components that provide feedback or feed-forward control loops which automatically maintain the desired conditions of a process around a specific set point. Here, the PLC settings are specified to determine the desired tolerance and provide the rate of self-regulation and self-correction whenever there is a system upset.

Today, the boundaries are blurring between these three system definitions as current ICS architectures are evolving into hybrids that integrate features of both SCADA systems and DCS.

The key components for the operation of an ICS include: a control loop, Human-Machine Interface (HMI) and Remote Diagnostics and Maintenance Utilities (see glossary).

The main control components of an ICS encompass: a control server, a SCADA Server or Master Terminal Unit (MTU), Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), Intelligent Electronic Devices (IEDs), a Human-Machine Interface (HMI), a Data Historian and an Input/Output (IO) Server (see glossary).

SCADA system general layout (NIST 800-82)

Control networks have merged with corporate networks in order to facilitate monitoring and controlling systems from the outside, which allows decision-makers at an enterprise level to have access to process data. Network topologies can vary greatly from one ICS to another, with different characteristics for each layer within a control system hierarchy, but the most important components they must include are: a fieldbus network, a control network, communications routers, a firewall, modems, and remote access points.

Originally, ICS used specialized hardware and software to run proprietary control protocols, making them completely isolated systems with little resemblance to traditional information technology (IT) systems. However, in order to facilitate remote access capabilities and corporate connectivity, IT solutions are being designed and implemented into ICS. The use of standard computers, operating systems (OS) and network protocols, along with low-cost Internet Protocol (IP) devices to replace proprietary solutions, provides new IT capabilities, but reduces the ICS isolation from the outside world, thus increasing the possibility of cyber security vulnerabilities and incidents. Despite the availability of solutions to deal with these security issues in typical IT systems, special considerations and precautions must be tailored to secure the ICS. Additionally, efficiency and safety goals can sometimes conflict with security in the design and operation of control systems. Because each one of these ICS is unique in its performance and reliability, each one requires its own unique, and sometimes unconventional, operating system and applications which might be regarded as odd or challenging by typical IT personnel.

The implementation of an ICS always involves some form of impact, which is complex and can go far beyond the immediate processes at hand. Some of the ICS characteristics differ from traditional information processing systems because they affect the physical world directly. Failures might risk human and environmental health and safety, cause financial losses related to lost production, compromise proprietary information and even have a negative impact on a country’s economy.

Glossary

Control loop – contains measurement sensors, controller hardware (such as a PLC), and actuators (such as motors, switches, control valves and breakers), all interconnected, which share the communication of variables. The sensors transmit controlled variables to the controller, which then interprets the signals it receives and, based on the set points, manipulates this information to generate new variables. It sends this new information to the actuators, which act accordingly to adjust the system involved into a state within the set points. Whenever the system or the process is disturbed, the sensors will send new signals to the controller, in order for there to be a readjustment.

Control network – an interconnection between the lower-level control modules and the supervisory control level.

Control server – a host to the supervisory control software of a PLC or DCS that communicates with lower-level control devices. It has access to subordinate control modules within an ICS network.

Data Historian – a centralized database for storing all the ICS process information. This information can be accessed to support statistical process control.

Fieldbus network – a network that connects sensors and other components to a PLC or other controller. Using fieldbus technology eliminates the need for point-to-point wiring between the controller and each device. Communication between the fieldbus controller and the devices is through a variety of protocols. The messages sent between the controller and the sensors identify each of the sensors uniquely.

Human-Machine Interface (HMI) – these are used by engineers and operators to monitor and configure set points, control algorithms, and establish and regulate parameters in the controller. This interface also displays information on the status of the process, reports, historical information, and other information to administrators, business partners, operators and other authorized users. The platform, interface and location may vary greatly.

Intelligent Electronic Devices (IED) – “smart” devices that combine both sensor/actuator attributes which, when used in SCADA and DCS systems, allow for automatic control at a localized level. They can gather data, communicate with other devices, and perform local processing and control.

Input/Output (IO) Server – a control component that collects, buffers and provides access to process information from control sub-components such as RTUs, IEDs and PLCs. It can be found on the control server or on an independent computer platform. These servers can also be used for interfacing third-party control components such as a control server and an HMI.

Modem – a device that enables communication between components by converting between serial digital data and a signal suitable for transmission over a telephone line. Modems are used in SCADA systems to allow long-distance serial communication between remote field devices and MTUs. They are also used for gaining remote access to operational and maintenance functions in DCS and SCADA systems.

Remote Diagnostics and Maintenance Utilities – are used to identify, prevent and recover from abnormal operation, disruptions or failure.

Remote Terminal Unit (RTU) – (also known as remote telemetry unit) is a control unit for special-purpose data acquisition in SCADA remote stations. These field devices support traffic to and from remote sites where wire-based communications are unavailable, since they are equipped with wireless radio interfaces.

SCADA Server or Master Terminal Unit (MTU) – this device performs as the master in a SCADA system, in which PLCs and remote terminal units which are located in remote sites act as slaves.

Resources:
Guide to Industrial Control Systems (ICS) Security by NIST

Image courtesy of hin255 / FreeDigitalPhotos.net

NextSec: Junior Professionals Network


I’ve recently joined the NextSec committee to help deliver opportunities to young professionals, so that they can meet and support each other through the first years of their career. We aim to bridge the gap between employers and students, and offer insight to inspire the next generation to join our profession.

NextSec is a networking group for junior professionals working in Information Security and students aspiring to begin a career in this industry.

NextSec’s Aims and Objectives

  • Networking and Collaboration. We aim to enable networking, drive active participation and collaboration of junior professionals in cyber security coming from a vast range of industry sectors.
  • Education. Facilitate educational events, seminars and workshops delivered at parent organisations by industry experts and leaders, passionate in preparing today’s “next generation” to be tomorrow’s information security workforce.
  • Inspiration. Mentor students by providing them with networking opportunities, career advice, job fairs and real insight into the industry to enable them to make informed decisions about their career aspirations.

I’m going to help organise the next event in the first quarter of 2014. The conference would be hosted by KPMG and be dedicated to information security trends in the oil and gas industry.

The dates and speakers would be confirmed in the near future.
Meanwhile, please feel free to check out the website and join the LinkedIn group.

Playing Information Security

Conducting awareness training or explaining complex information security concepts can be simplified and made fun through gamification. It is possible to learn more about information security simply by playing card games. Please see below for three games you can download for free, print and start playing today.

1. Playing with application vulnerabilities


OWASP Cornucopia is a card game that helps software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

Download for free

2. Playing with threat modelling
Elevation of Privilege (EoP) is an easy way to get started with threat modelling, which is a core component of the design phase of the Microsoft Security Development Lifecycle (SDL).

The EoP card game helps clarify the details of threat modelling and examines possible threats to software and computer systems.
The game focuses on the following threats (the STRIDE categories, one per suit):

  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege

An academic-style paper explains the rules, the motivation and the lessons learned in creating the game.

Download for free

3. Playing with privacy

The VOME project created a card game to support the discussion and teaching of issues of online privacy and consent. Players make decisions about what information characters might reveal to others and what they keep to themselves.

According to the authors, the main idea behind the game is to use its rules to model the way information flows around the online environment. In real life, these flows are complex and often hidden. In the game it is possible to simplify the relationships and decisions, and to provide immediate feedback on the effects of those decisions.

Download for free

Thoughts on Voice Biometric Authentication

Requirement: Strong user authentication when accessing an application.

Risk: Users write passwords down or use weak passwords.
Possible solution: Authentication by voice recognition.

This approach has several advantages. The cost of implementation is low, because no special hardware is required: a simple microphone is all that is needed to capture the user’s voice. Voice authentication is also generally easy to use and well accepted by users.

It could also be used for self-service password reset: the system asks the user questions, verifies their voice and allows them to reset the password. This could result in significant time and cost savings for a company.

However, appropriate user training should be provided before voice authentication is introduced. Alternative forms of authentication should also be available to address the following problems:

  • The human voice changes over time.
  • Background noise degrades recognition.
  • Colds and other illnesses alter the voice.

Moreover, to prevent an attacker from gaining unauthorised access by playing back a pre-recorded voice sample of an authorised user, a challenge-response mechanism should be used: for example, the system asks the user to repeat a random set of words or phrases in a specified order, so that a recording captured during an earlier session no longer matches the current challenge.
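As an added illustration of that challenge-response approach (example code, not from the original post): a small Python model in which the server issues a one-time, short-lived random phrase and accepts a sample only if it matches both the phrase and the enrolled speaker. The VoiceSample class and the speaker_matches function are constructed stand-ins for the speech recogniser and the voiceprint engine, which are assumed rather than implemented; the word list is likewise constructed and far too small for real use.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed vocabulary for challenge phrases. Twelve words is enough for a
# demonstration only: 12**4 possible phrases is trivially small, and a real
# deployment needs a much larger, phonetically diverse list.
WORDLIST = ["amber", "copper", "delta", "falcon", "granite", "harbour",
            "iris", "juniper", "kestrel", "lantern", "marble", "nectar"]
CHALLENGE_WORDS = 4
CHALLENGE_TTL_SECONDS = 30


@dataclass
class VoiceSample:
    """Constructed stand-in for a recording: the words the speech recogniser
    transcribed, and the enrolled user the voiceprint engine attributes it to."""
    transcript: list
    speaker_id: str


@dataclass
class Challenge:
    user: str
    words: list
    issued_at: float


def speaker_matches(sample, user):
    """Hypothetical voiceprint comparison; in reality this is the biometric engine."""
    return sample.speaker_id == user


class VoiceAuthServer:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised
        self._pending = {}         # challenge_id -> Challenge, each usable once
        self._last_phrase = {}     # user -> words of that user's previous challenge

    def issue_challenge(self, user):
        """Return (challenge_id, words): the user must say exactly these words, in order."""
        words = [secrets.choice(WORDLIST) for _ in range(CHALLENGE_WORDS)]
        while words == self._last_phrase.get(user):   # never repeat the previous phrase
            words = [secrets.choice(WORDLIST) for _ in range(CHALLENGE_WORDS)]
        self._last_phrase[user] = words
        challenge_id = secrets.token_hex(16)
        self._pending[challenge_id] = Challenge(user, words, self._now())
        return challenge_id, words

    def verify(self, challenge_id, user, sample):
        """Consume the challenge, then check freshness, phrase and speaker. Returns (ok, reason)."""
        challenge = self._pending.get(challenge_id)
        if challenge is None or challenge.user != user:
            return False, "unknown or already-used challenge"
        del self._pending[challenge_id]   # one-time use: consumed even if the attempt fails
        if self._now() - challenge.issued_at > CHALLENGE_TTL_SECONDS:
            return False, "challenge expired"
        if sample.transcript != challenge.words:
            return False, "spoken phrase does not match the challenge"
        if not speaker_matches(sample, user):
            return False, "voiceprint mismatch"
        return True, "ok"


def demo():
    """Genuine login, then the attacks the text warns about; returns which ones succeeded."""
    clock = [1_000.0]
    server = VoiceAuthServer(now=lambda: clock[0])
    results = {}

    cid, words = server.issue_challenge("alice")
    genuine = VoiceSample(list(words), "alice")           # alice reads the phrase back
    results["genuine"] = server.verify(cid, "alice", genuine)[0]

    # Replaying the recording against the challenge it was made for: already consumed.
    results["replay_same_challenge"] = server.verify(cid, "alice", genuine)[0]

    # Replaying it against a fresh session: the phrase no longer matches.
    cid2, _ = server.issue_challenge("alice")
    results["replay_new_challenge"] = server.verify(cid2, "alice", genuine)[0]

    # Right phrase, wrong speaker (an impostor reading the challenge aloud).
    cid3, words3 = server.issue_challenge("alice")
    results["impostor"] = server.verify(cid3, "alice", VoiceSample(list(words3), "mallory"))[0]

    # Right phrase and speaker, but the response arrives after the TTL.
    cid4, words4 = server.issue_challenge("alice")
    clock[0] += CHALLENGE_TTL_SECONDS + 1
    results["expired"] = server.verify(cid4, "alice", VoiceSample(list(words4), "alice"))[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The three properties that defeat replay are the random phrase (a recording from one session cannot match the next), the short TTL and the single-use challenge identifier; the speaker check is the biometric itself, which the challenge cannot replace.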

To achieve maximum security, voice authentication should be used in conjunction with another form of authentication, such as a password.

Legal and privacy issues should be considered, since biometric data has to be stored.
Further analysis should be carried out to decide between the commercial software packages available and in-house development.

Penetration Testing: Questions answered


1. Why perform penetration testing?

Penetration testing is an instrument for obtaining additional information about a system’s state of security. A penetration test shows where attackers may breach the system; this information can then be used to support decision-making when implementing protection mechanisms.

In a nutshell, penetration testing would help with:

  • Vulnerability analysis of the target system,
  • Assessment of the losses due to a potential breach,
  • Gaining an unbiased view of the state of the system and its protection mechanisms,
  • Gaining insight into the competence of the internal security staff.

2. Who should perform penetration testing?

To get an unbiased view, penetration testing should be performed by independent third-party professionals.

You should also consider the ethical aspect, and only hire teams with a proven reputation in the field. Otherwise, information about the company’s critical vulnerabilities may be leaked to competitors.

3. When is the best time to perform penetration testing?

The best time to perform penetration testing is after a new system has been implemented and configured. You should apply all security mechanisms according to good practice and legal and regulatory requirements before undergoing a penetration test; otherwise the value of the exercise is questionable, since it would mostly confirm gaps you already know about.

4. Who would benefit from penetration testing?

Organizations that realise the importance of information security and protection of information assets would highly benefit from penetration testing.

Banks and insurance companies are not the only ones on this list. There is nothing more valuable than human life, which is why penetration testing can also be valuable for transport and energy companies.

But what if a company is not large enough for a system breach to cause a crisis or substantial financial losses? Even in these cases, penetration testing may prove useful. Small and medium-sized enterprises are likely to have a website that helps them sell goods or services. Losses due to a breach could substantially harm their reputation and competitive advantage.

5. What penetration testing approaches are there?

White box: the penetration testing team is given initial information on the system, such as the range of IP addresses, open ports, source code, and hardware and software components.

Black box: the penetration testing team has no information on the system at all and has to model a potential attacker’s actions from the ground up. In doing so, they might, for example, use social networks to identify targets for social engineering. This approach is usually more expensive and takes more time.

6. Penetration testing: only a set of tools?

One may think that penetration testing is limited to running vulnerability scanners, password cracking utilities, traffic sniffing tools and the like, which are, no doubt, the main tools used by penetration testing professionals. These tools, however, only aid the expert in finding weaknesses. A comprehensive and robust penetration test relies mainly on the expert’s skills and experience.

7. Can a penetration test discover vulnerabilities that don’t lead to significant financial losses?

An attacker might not be motivated by financial gain but can still cause harm. For example, a company might use network printers. Each printer has its own IP address and typically listens on TCP port 9100 for raw print jobs, without any authentication. An attacker might:

  • discover the printers’ addresses by scanning the network for port 9100,
  • connect to a printer with the command ‘telnet <printer’s IP address> 9100’,
  • print messages of his or her own choice.
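The three steps above as an added example (example code, not from the original post): a Python script that probes a list of host/port pairs for an open raw-print port and sends an unauthenticated text job to each one it finds. So that it runs offline, it talks to a constructed stand-in printer (FakePrinter) bound to an ephemeral localhost port; the printed message is constructed too. Against real hardware, run this only with written authorisation.

```python
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

RAW_PRINT_PORT = 9100   # "raw"/JetDirect printing: whatever arrives is printed, no authentication


def find_raw_print_listeners(targets, timeout=0.5):
    """TCP-connect probe: return the (host, port) pairs that accept a connection."""
    def probe(target):
        try:
            with socket.create_connection(target, timeout=timeout):
                return target
        except OSError:
            return None
    with ThreadPoolExecutor(max_workers=32) as pool:
        return [t for t in pool.map(probe, targets) if t is not None]


def send_raw_job(host, port, text):
    """Equivalent of `telnet <ip> 9100`, typing text and disconnecting. Returns bytes sent."""
    payload = text.encode("ascii") + b"\f"      # form feed: eject the page
    with socket.create_connection((host, port), timeout=2) as sock:
        sock.sendall(payload)
    return len(payload)


class FakePrinter:
    """Constructed stand-in for a printer's raw port, bound to an ephemeral
    localhost port so the example runs offline. It records each job it receives."""

    def __init__(self):
        self.jobs = []
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen()
        self.host, self.port = self._srv.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:               # listening socket shut down by close()
                return
            with conn:
                data = b""
                while chunk := conn.recv(4096):
                    data += chunk
            if data:                      # a bare port probe sends nothing and is ignored
                self.jobs.append(data)

    def wait_for_jobs(self, count, timeout=5.0):
        deadline = time.monotonic() + timeout
        while len(self.jobs) < count and time.monotonic() < deadline:
            time.sleep(0.01)
        return list(self.jobs)

    def close(self):
        try:
            self._srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
        except OSError:
            pass
        self._srv.close()


def demo():
    """Scan two localhost targets (one listening, one closed) and print to the open one."""
    printer = FakePrinter()
    spare = socket.socket()                       # grab a free port and release it, so it is closed
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    targets = [(printer.host, printer.port), ("127.0.0.1", closed_port)]
    found = find_raw_print_listeners(targets)
    for host, port in found:
        send_raw_job(host, port, "Printed by the penetration test team.\n")
    jobs = printer.wait_for_jobs(len(found))
    printer.close()
    return {"found": found, "jobs": jobs}


if __name__ == "__main__":
    print(demo())
```

The point for the defender is that the printer accepted the job on the strength of network reachability alone; the fix is to restrict port 9100 (and the other printer management ports) to the print servers that need it, by ACL or VLAN, rather than to rely on the absence of a financial motive.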

8. What should one expect as a result of the penetration test?

The company that commissions a penetration test normally receives a report with a full description of:

  • the penetration testing activity and its stages,
  • the tools used,
  • the vulnerabilities discovered,
  • the vulnerabilities that were exploited,
  • the likelihood and risk of the identified vulnerabilities and their potential impact,
  • recommendations on how to mitigate the outlined risks.

Image courtesy of hywards/ FreeDigitalPhotos.net

Information security policy compliance, business processes and human behaviour

This article reviews the literature on information security policy compliance and its relation to core business processes and users’ behaviour. It also provides insight into particular implementations of the ISO 27001 standard, and into methods for analysing the effectiveness of such implementations.

Information security

Information security issues in organisations were raised long before the rapid development of technology. Companies have always been concerned with protecting their confidential information, including their intellectual property and trade secrets. There are many possible approaches to addressing information security. Wood [30] points out that security is a broad subject including financial controls, human resource policies, physical protection and safety measures. However, Ruighaver et al. [23] state that information security is usually viewed as a purely technical concern and is expected to have a purely technical solution. On the other hand, Schneier [25], Lampson [17], and Sasse and Flechais [24] emphasise the people aspect of security, since people play a crucial role in using and implementing security controls.

As stated by Anderson [3], it is essential to properly define information security in order to do justice to all these aspects.

The information security management standard ISO 27001 [32] defines information security as “the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximise return on investments and business opportunities”.

Dhillon [10] states that security issues in organisations can arise from the absence of an information security policy. One way to implement such a policy is to use the ISO 27001 standard as a framework.

ISO 27001 Standard

The ISO 27001 standard, a member of the ISO 27000 family of standards, evolved from the British national standard BS 7799 [31]. It aims to provide guidance on managing the risk associated with threats to the confidentiality, integrity and availability of an organisation’s assets. Such assets, as defined in ISO 27001 [32], include people, software, hardware, services, etc.

Doherty and Fulford [11], von Solms [28], and Canavan [8] all conclude that well-established standards such as ISO 27001 can be a stepping-stone to implementing good information security programmes in organisations.

However, Anttila and Kajava [4] identify the following issues with the ISO 27001 standard:

  • The standard is high-level, and basic concepts are not presented consistently.
  • It is hard to measure the business benefits of implementing the standard.
  • The process management it presents does not fully support current business practices.
  • The standard struggles to recommend solutions for contemporary business environments.

Neubauer et al. [19] state that the main problem with security standards, including ISO 27001, is their “abstract control definition, which leaves space for interpretation”. Furthermore, the authors suggest that companies focus on obtaining formal certification and often do not assess and put in place adequate security controls according to their main business goals. Ittner and Larcker [14] support this point, adding that organisations also fail to estimate the effectiveness of their investments in such initiatives.

According to Sharma and Dash [26], ISO 27001 does not provide detailed guidance and requires a substantial level of expertise to implement. Moreover, the authors claim that “If risk assessment is flawed, don’t have sufficient security and risk assessment expertise, or do not have the management and organizational commitment to implement security then it is perfectly possible to be fully compliant with the standard, but be insecure.” The results of their study suggest that the organisations that participated implemented information security mainly to comply with legal and regulatory requirements, with low cost-effectiveness as the consequence. However, the researchers do not analyse the level of users’ acceptance of the implemented controls, nor do they recommend an approach that would support the security manager’s decision-making when implementing ISO 27001 controls.

Karabacak and Sogukpinar [16] present a flexible and low-cost ISO 17799 compliance check tool. The authors use qualitative techniques to collect and analyse data and state that “the success of our method depends on the answers of surveyors. Accurately answered questions lead to accurate compliance results.” However, the researchers stop short of analysing the impact of compliance with the security policy on users’ behaviour. They do not consider that a security manager’s decisions regarding a particular implementation of the security policy affect the organisation as a whole and may impose additional cognitive burdens on users. In extreme cases (e.g. when core business processes are obstructed) this may result in non-compliance, as users prioritise their primary task.

Vuppala et al. [29] discuss their experience of implementing an ISO 27001 information security management system. One of the most important lessons learnt was an understanding of the role of users’ behaviour in this process. The authors recommend to “not make drastic changes to the current processes; this will only infuriate the users. Remember, users are an important, if not the most important, part of the overall security system.”

Human behaviour

Johnson and Goetz [15] conducted a series of interviews with security managers to identify the main challenges of influencing employees’ behaviour. The results revealed that security managers rely extensively on information security policies, not only as a means of ensuring compliance with legal and regulatory requirements, but also to guide and direct users’ behaviour.

To explore the impact of security policies on users’ behaviour, the following theories were reviewed:

1. Theory of Rational Choice – a framework that provides insight into social and economic behaviour. It implies that users tend to maximise their personal benefits [13]. Beautement et al. [6] use this theory to build a foundation for explaining how people decide whether or not to comply with a particular information security policy.

Herley [12] suggests that it is rational for users not to comply with security policy when the perceived risk reduction is smaller than the effort required.

2. Protection Motivation Theory – a theory that describes four factors individuals weigh when deciding whether to protect themselves [22]:

  • perceived severity of the threat
  • perceived probability of the adverse event
  • effectiveness of the protective behaviour (response efficacy)
  • self-efficacy (the individual’s belief that they can carry out that behaviour)

Siponen and colleagues build on this theory to understand individuals’ attitudes towards compliance with security policies, and use it to study the impact of punishment on actual compliance and on the intention to comply [27], [20].

3. General Deterrence Theory – this suggests that users will not comply with the rules if they are not concerned about punishment [1].

4. Theory of Planned Behaviour – this suggests that subjective norms and perceived behavioural control influence individuals’ behaviour [2]. Siponen et al. [27] and Pahnila et al. [20] found that social norms play a significant role in users’ intention to comply.

These theories suggest that, to effectively protect a company’s assets, the security manager should develop and implement security policies not only to ensure formal compliance with legal and regulatory requirements, but also to make sure that users are treated as part of the system. Policies should be designed in a way that reduces the mental and physical workload of users [1], [6].

Business process visualisation and compliance

It is important to consider information security compliance and users’ behaviour in the context of the company. Users in organisations are involved in activities that can be represented as business processes.

A business process is defined as a set of logically related tasks (or activities) performed to achieve a defined business outcome [9].

Continuous monitoring of business processes is essential for any organisation, and can be supported by visualising them [21]. Such visualisations, however, are usually complex, owing to the number of different users and user roles in large companies [7]. Barrett [5] also argues that it is essential to create a “vision of the process” in order to successfully re-engineer it.

Namiri and Stojanovic [18] present a scenario demonstrating a particular business process and implement the controls necessary to achieve compliance with regulatory requirements. The authors separate business and control objectives by introducing two roles: a business process expert, motivated solely by business objectives, and a compliance expert, concerned with ensuring the compliance of a given business process.

References

[1] Adams, A. and Sasse, M.A. 1999. Users are not the enemy. Communications of the ACM. 42, 12 (Dec. 1999).

[2] Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes. 50, 2 (Dec. 1991).

[3] Anderson, J.M. 2003. Why we need a new definition of information security. Computers & Security. 22, 4 (May 2003).

[4] Anttila, J. and Kajava, J. 2010. Challenging IS and ISM Standardization for Business Benefits. ARES ’10 International Conference on Availability, Reliability, and Security (2010).

[5] Barrett, J.L. 1994. Process Visualisation: Getting the Vision Right Is Key. Information Systems Management. 11, 2 (1994).

[6] Beautement, A. et al. 2008. The compliance budget: managing security behaviour in organisations. Proceedings of the 2008 New Security Paradigms Workshop (New York, NY, USA, 2008).

[7] Bobrik, R. et al. 2005. Requirements for the visualization of system-spanning business processes. Sixteenth International Workshop on Database and Expert Systems Applications, Proceedings (2005), 948–954.

[8] Canavan, S. 2003. An information security policy development guide for large companies. SANS Institute (2003).

[9] Davenport, T.H. and Short, J.E. 2003. Information technology and business process redesign. Operations Management: Critical Perspectives on Business and Management. 1 (2003), 1–27.

[10] Dhillon, G. 2007. Principles of Information Systems Security: Text and Cases. John Wiley & Sons.

[11] Doherty, N.F. and Fulford, H. 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal. 18, 4 (2005).

[12] Herley, C. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. Proceedings of the 2009 New Security Paradigms Workshop (New York, NY, USA, 2009).

[13] Herrnstein, R.J. 1990. Rational choice theory: Necessary but not sufficient. American Psychologist. 45, 3 (1990).

[14] Ittner, C.D. and Larcker, D.F. 2003. Coming up short on nonfinancial performance measurement. Harvard Business Review. 81, 11 (2003), 88–95.

[15] Johnson, M.E. and Goetz, E. 2007. Embedding Information Security into the Organization. IEEE Security & Privacy. 5, 3 (2007).

[16] Karabacak, B. and Sogukpinar, I. 2006. A quantitative method for ISO 17799 gap analysis. Computers & Security. 25, 6 (Sep. 2006).

[17] Lampson, B.W. 2004. Computer security in the real world. Computer. 37, 6 (2004), 37–46.

[18] Namiri, K. and Stojanovic, N. 2007. Pattern-based design and validation of business process compliance. On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS. Springer. 59–76.

[19] Neubauer, T. et al. 2008. Interactive Selection of ISO 27001 Controls under Multiple Objectives. Proceedings of the IFIP TC 11 23rd International Information Security Conference. S. Jajodia et al., eds. Springer US. 477–492.

[20] Pahnila, S. et al. 2007. Employees’ Behavior towards IS Security Policy Compliance. 40th Annual Hawaii International Conference on System Sciences (HICSS 2007).

[21] Rinderle, S.B. et al. 2006. Business process visualization – use cases, challenges, solutions (2006).

[22] Rogers, R.W. 1975. A Protection Motivation Theory of Fear Appeals and Attitude Change. The Journal of Psychology. 91, 1 (1975).

[23] Ruighaver, A.B. et al. 2007. Organisational security culture: Extending the end-user perspective. Computers & Security. 26, 1 (Feb. 2007).

[24] Sasse, M.A. and Flechais, I. 2005. Usable Security: Why Do We Need It? How Do We Get It? Security and Usability: Designing Secure Systems That People Can Use. L.F. Cranor and S. Garfinkel, eds. O’Reilly.

[25] Schneier, B. 2003. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Springer.

[26] Sharma, D.N. and Dash, P.K. 2012. Effectiveness of ISO 27001 as an Information Security Management System: An Analytical Study of Financial Aspects. Far East Journal of Psychology and Business. 9, 5 (2012), 57–71.

[27] Siponen, M. et al. 2010. Compliance with Information Security Policies: An Empirical Investigation. Computer. 43, 2 (2010).

[28] von Solms, R. 1999. Information security management: why standards are important. Information Management & Computer Security. 7, 1 (Mar. 1999).

[29] Vuppala, V. et al. Securing a Control System: Experiences from ISO 27001 Implementation.

[30] Wood, M.B. 1982. Introducing Computer Security. National Computing Centre.

[31] BSI. 1995. BS 7799 – Information technology – Code of practice for information security management. London: BSI.

[32] ISO/IEC. 2005. ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements. Geneva: ISO/IEC; and the draft of the new revision, ISO/IEC JTC 1/SC 27 N10641 (2011).