Friday, 29 February 2008

Current Statistics on InSecurity - The REAL Issue!

The numbers for each class, and their descriptors, are in the previous posts. The three system classes are:

  • Financial Systems Databases,
  • User Management Systems (Including Active Directory Domain server),
  • Key Critical System (this is the system with the highest loss or damage value for the organisation).
In this post I am detailing the very basics of system security on these hosts. I have set a VERY poor security standard as the baseline for this post: compliance with the "Level 1" system configuration benchmarks from the Center for Internet Security (http://www.cisecurity.org/). To pass and be listed in the "ok" class for these statistics, an organisation needs to reach at least 50% compliance with the CIS Level 1 baseline.

By the way, to most security people 50% on the CIS Level 1 benchmarks is a fail. A system at that level only survives because it sits behind a firewall; exposed on the Internet, it would last hours. I would have used at least 80% on Level 1, but I have seen only three organisations that have met that level, so using it as the baseline would just produce a line of zeros.

Financial Systems Databases
Working for an audit firm, I find these are the systems that are generally of most concern. They hold user data, client data, confidential trade secrets, personally identifiable information on staff and the finances of the organisation.
In Australia, it is a criminal offence not to protect an employee's tax file number. I would point the reader to: http://www.privacy.gov.au/act/tfn/ and the guidelines at http://www.privacy.gov.au/publications/tfngls.pdf.

Forgetting even the provisions of the Corporations Act and the requirements to protect and ensure the integrity of financial data, "Unauthorised use or disclosure of tax file numbers is also an offence under the Taxation Administration Act 1953 with a penalty of up to $10,000 fine, two years imprisonment, or both". The Privacy Commissioner has the power to conduct audits of TFN recipients pursuant to section 28(1)(e) of the Act. What a pity more do not occur.

The Commissioner notes that "tax file number information handling procedures and safeguards should anticipate all reasonably foreseeable risks to security."

With Basel II, the financial sector has cleaned up its act in the last couple of years. It is a shame about the rest. Shareholders should be hitting retail with a barrage of requests for explanations. In one case, a firm I audited was losing over $1,500,000 to fraud across the POS system alone. That does not even count the identity theft that was (and is) likely occurring. The fix: a project of about $200,000 to $300,000 taking 12 months. It would have paid for itself in months.

Why did this project NOT occur (or occur only as a highly cut-down version that is not effective and will not comply with PCI DSS)? Because it would mean disclosure to shareholders. Something I believe is legally required.

User Management Systems (Including Active Directory Domain server)
In this class I have included domain controllers, Active Directory servers and the like.

Again, there is a move towards improvement in some sectors, but it is by no means good.

Key Critical System (this is the system with the highest loss or damage value for the organisation).

This is THE system that the organisation needs the most, the one it has defined as its core system. In a newspaper firm, this is the system that runs the press and which, if it were to crash, would mean no papers in the morning. In the case of a stock exchange, this is the trading platform.

This gives an idea of how bad things really are.

Finance seems to care more: they understand money, so they at least protect some systems.

Go Retail! Forget PCI. Forget the criminal provisions; all these get in the way of losing money! If you want to ensure that you do not have your credit card stolen, use cash rather than handing it to a store.

2 comments:

Mark Palmer said...

Craig-

Out of curiosity, where are you pulling information for these groups of companies? Are these folks you directly (or indirectly) work with?

You present some good statistics to represent where folks should focus their attention.

Peace and Cheers,
Mark Palmer

Craig S Wright said...

Hi Mark,
Working with a chartered firm, we get to see a large number of clients. At the least there is a requirement for "information gathering". This is where we are engaged on a financial audit, but need to do a quick and nasty risk assessment of the financial systems for the client.

I run the team, so I (much to the disdain of many others) get to spend a little more time than is billed and have a lower productivity to offer a better result.

There are over 500 clients, but we see some of these only every 2-3 years. So any of this type are excluded.

I will add the full description as a blog.