Saturday, 9 February 2008

Compliance project

There is a need for a resource that can be used to list and summarise all of the MANY separate IT governance and IT regulatory requirements. Andrew has pointed out a site that starts to list these (but it is expensive and misses many requirements).

What is needed is a simple web-driven site where a selection of systems and needs may be matched. I would think that selecting a list of descriptors (such as: the server is in an Internet-connected DMZ, the system is a web server, the system processes payment card information, ...)

I have all of the data in one form or another from research I have completed in academic study and book writing. I am happy to lead this effort. What I think is needed is more than I alone can do.

So consider this a call for interested parties. The idea is to make this an open source effort.
I would like to start a consensus compliance effort. Something like what the Center for Internet Security (CIS) and OWASP do for their areas, but covering the controls that are required: somewhere people can go to find out what types of controls they need to implement.

So who is up for starting an interactive controls checklist project?

The idea is that you will be able to enter details system by system or for a site. Answer a set of questions and get a list of the requirements and controls that are needed. So as an example I could go through something like:
- DMZ web server
- Located in the US
- Processes credit card information
- 20,000 transactions per month
- Non-listed private company
- Banking and finance industry
- GLBA requirements
- BASEL II requirements
- Dealings with the EU

And the result will be a set of necessary controls and links to how to achieve these (e.g. the CIS and OWASP frameworks etc.):
- Security policy ... (e.g. the SANS Policy project) and details of this and the processes that are necessary
- Change management needs ...
- Protocol justification (PCI-DSS 1.1.6)
- Firewall (PCI ...)
- System standards (e.g. see the CIS IIS baselines); aim for a min. score of 85% on test xxx
- Etc.

So this is a preliminary call for interest to see what type of support I can get in the industry for this. As stated, this would be a GPL'd effort, designed as a resource that will aid both vendors and end users and make all of our lives easier.

Please let me know if you are interested and let us see if we can start to align security and compliance and thus make the effort worthwhile.

I plan to map all relevant security controls and the consequences, both civil (tort or contract) and criminal (regulatory etc.). The idea being that there will be a simple resource to see what could occur if you miss something.

Friday, 8 February 2008

Generic Unix Log Parsing Tools

There are a number of requirements defined in the PCI-DSS for logging. These include:

5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs

Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).


The following section of this post lists some of the MANY log parsing tools that are available. (Expect this to grow as I enter them one by one; that is, this is an organic, living post.)

ACID (Analysis Console for Intrusion Detection) and BASE
A PHP-based analysis engine that searches and processes a database of incidents generated by security-related software such as intrusion detection systems and firewalls.

awk (and maybe sed)
A tool to really show your Unix prowess, or how difficult you can make things. From the author: "It is not a complete toolkit, but rather an approach that can be adapted for a variety of log analysis tasks."

checksyslog
http://www.jammed.com/~jwa/hacks/security/checksyslog/checksyslog-doc.html

colorlogs
http://www.resentment.org/projects/colorlogs/
Colorlogs basically color-codes logfiles for easier reading.

CyberSafe Log Analyst (CLA)
The Windows Server Resource Kit includes CyberSafe Log Analyst (CLA), a Microsoft Management Console (MMC) snap-in that lets you analyse the Security logs of the systems in a domain. CLA has prebuilt reports that provide useful views of security activity and allows you to design custom reports.

GeekTool
A generic Mac OS X log display utility/parser.

Scansyslog
Uses code to search for a large number of semi-static patterns in system logs returning only the lines that are not matched.

SL2
A Perl tool that can identify single-line log anomalies.

SLCT (Simple Log Clustering Tool)
Code designed to identify patterns occurring in a logfile more frequently than a given threshold.

swatch
See "Installing, configuring and using swatch 2.2 to analyze log messages on systems running Solaris 2.x" and "Setting up automatic alerting in your UNIX environment".

syslogScan
A SyslogScan::Summary object will 'register' a series of SyslogScan::Delivery objects. All registered deliveries are grouped by sender and receiver e-mail addresses and then added up. Three sums are kept: Total Bytes Received, Total Bytes Sent, and Total Bytes Broadcast.


syslog-summary
A Python script that summarises the contents of a syslog output file by displaying each unique line once (timestamps are not included in the determination of line uniqueness). The script also gives the number of times each unique line appeared in the given file. Lines are displayed in the order they occur in the input file. The code is GPL'd; it is written and maintained by Lars Wirzenius.

tklogger
Monitors any plain text log file and identifies user-configurable events (not limited to syslog data). The application is well documented and includes a sample startup script as well as a sample rule configuration file.

xlogmaster
A system monitoring tool that allows administrators to monitor everything that is happening on a system in a very quick and comfortable way. It allows reading logfiles, checking devices or running status-gathering programs, translating all available data, and displaying the results with filters and associated actions (including highlighting or lowlighting lines, hiding data, or taking actions on user-defined events).
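Two of the entries above describe the same daily-review workflow from opposite ends: Scansyslog drops lines that match a list of known, semi-static patterns and returns only the remainder, while syslog-summary collapses whatever is left into one line per unique message (timestamps ignored) with a count. The script below is an added example written for this post, not code from either project. It applies the ignore list first, then summarises; the sample log lines, the ignore pattern and the blanking of PIDs and port numbers (a step syslog-summary does not take) are my own constructions for the illustration.

```python
import re
from typing import List, Tuple

# Constructed sample input (not a real log): classic BSD syslog lines plus
# one RFC 3339 timestamped line, as a mixed syslog-ng/rsyslog setup might emit.
SAMPLE_LOG = """\
Feb  8 10:15:01 dmz-web1 CRON[2231]: (root) CMD (run-parts /etc/cron.hourly)
Feb  8 10:15:07 dmz-web1 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Feb  8 10:15:09 dmz-web1 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Feb  8 10:15:12 dmz-web1 sshd[2244]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Feb  8 10:16:01 dmz-web1 CRON[2251]: (root) CMD (run-parts /etc/cron.hourly)
Feb  8 10:16:30 dmz-web1 sshd[2260]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Feb  8 10:17:02 dmz-web1 kernel: [ 8812.001] nf_conntrack: table full, dropping packet
2008-02-08T10:17:05+11:00 dmz-web1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
"""

# Leading timestamp shapes: "Mon DD HH:MM:SS " and "YYYY-MM-DDTHH:MM:SS[.frac](Z|+HH:MM) ".
BSD_TS = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s")
ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})\s")

# Scansyslog-style ignore list: specific, anchored patterns for lines that are
# known noise on this host. Constructed for the example; a real list is
# site-specific and should be reviewed as carefully as a firewall rule base.
IGNORE_PATTERNS = [
    re.compile(r"CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$"),
]


def strip_timestamp(line: str) -> str:
    """Remove a leading BSD or RFC 3339 timestamp so that otherwise identical
    messages compare equal, which is what syslog-summary does for uniqueness."""
    for ts in (BSD_TS, ISO_TS):
        m = ts.match(line)
        if m:
            return line[m.end():]
    return line


def normalise(line: str) -> str:
    """Timestamp off, then PIDs ("[2240]:") and "port NNNN" blanked so that
    repeats of one event from different processes or connections collapse."""
    line = strip_timestamp(line.rstrip("\n"))
    line = re.sub(r"\[\d+\]:", "[PID]:", line)
    line = re.sub(r" port \d+", " port N", line)
    return line


def is_noise(line: str) -> bool:
    """True when the raw line matches any entry of the ignore list."""
    return any(p.search(line) for p in IGNORE_PATTERNS)


def summarise(text: str) -> List[Tuple[int, str]]:
    """Return (count, normalised line) for every unique non-noise line, in
    order of first appearance, exactly as a reviewer would want to read them."""
    counts = {}  # insertion-ordered in Python 3.7+
    for raw in text.splitlines():
        if not raw.strip() or is_noise(raw):
            continue
        key = normalise(raw)
        counts[key] = counts.get(key, 0) + 1
    return [(n, line) for line, n in counts.items()]


if __name__ == "__main__":
    for n, line in summarise(SAMPLE_LOG):
        print(f"{n:5d}  {line}")
```

On the sample input this yields four lines: the three failed-password attempts from one source collapse into a single entry with a count of 3, the cron lines never reach the summary, and the single sudo-to-root and conntrack-table-full lines stand out on their own. Run it over the previous day's log as part of the daily review procedure (PCI-DSS 12.2); a message that survives the ignore list with an unexpectedly high count, or one that has never been seen before, is where to start. Keep the ignore patterns narrow and anchored: an over-broad pattern silently drops the very lines a review exists to surface.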

PCI requires more than an external scan...

Section 11.3 of the PCI-DSS states:

Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests


To do this requires testing on both the DMZ and the internal segments, and it covers both ingress and egress. The typical scan from an Internet scanning vendor is not adequate and will not make you compliant!

Sweet relief

And I finally have a net connection (other than the phone) outside of work. Well, 4 days for a 24-hour response...

I finally have a connection to the Internet again (using the phone for e-mail outside of work is not fun).

Wednesday, 6 February 2008

APRA and protecting financial records

APRA in 2004 stated:
"19. The technical resources that a [licensed superannuation fund trustee] is required to maintain, or have access to, at an adequate level include, but are not limited to: …
(b) adequate systems and resources to ensure protection, security and privacy of confidential, personal and sensitive material; and …
(d) evidence of the inclusion in the risk management framework of processes to ensure security of records and compliance with statutory privacy laws." (pp. 8-9)
APRA Guidance Notes and Circulars, July 2004, Superannuation guidance note SGN 140.1 - http://www.apra.gov.au/Superannuation/upload/SGN-140-1-Adequacy-of-resources.pdf

APRA also advises that security should be specifically addressed in any 'outsourcing' contract:
APRA Guidance Notes and Circulars, July 2004, Superannuation guidance note SGN 130.1 - http://www.apra.gov.au/Superannuation/upload/SGN-130-1-Outsourcing.pdf, and Prudential Standard APS 231- Outsourcing - http://www.apra.gov.au/policy/final_adi_standards/APS231.pdf

So what does this mean? If you are running a licensed superannuation fund, you do not get to hand the responsibility for securing your systems to somebody else.

Tuesday, 5 February 2008

Vicarious Liability

Civil Liability
The conduct of both agents and employees can result in situations where liability is imposed vicariously on an organisation, through both the common law[i] and statute.[ii] The test for vicarious liability for an employee requires that the act of the employee was committed in the course and capacity of their employment, under the doctrine of respondeat superior. A principal's liability arises when a 'principal-agent' relationship exists. Dal Pont[iii] recognises three possible categories of agents:

(a) those that can create legal relations on behalf of a principal with a third party;
(b) those that can affect legal relations on behalf of a principal with a third party; and
(c) a person who has authority to act on behalf of a principal.

Although, where a party is in an agency relationship, the principal is liable directly as principal rather than vicariously, "this distinction has been treated as of little practical significance by the case law, being evident from judges' reference to principals as vicariously liable for their agents' acts"[iv]. The consequence is that an agency arrangement leaves the principal directly liable rather than vicariously liable.

The requirement that an employee act "within the scope of employment" is a broad term without a definitive definition in the law, but its principles have been set through case law and include:
- where an employer authorises an act but it is performed using an inappropriate or unauthorised approach, the employer remains liable[v];
- the fact that an employee is not permitted to execute an action is not a defence[vi]; and
- the mere fact that an act is illegal does not exclude it from the scope of employment[vii].
Unauthorised access violations or computer fraud by an employee or agent may appear remote from the employee's scope of employment or the agent's duty. This alone does not absolve the employer or the principal from the effects of vicarious liability[viii]. Similarly, it is no answer to a claim against an employer to assert that the wrong committed by the employee was for the employee's own benefit. This matter was authoritatively settled in Lloyd v Grace, Smith and Co.[ix], in which a solicitor was held liable for the fraud of his clerk, albeit the fraud was exclusively for the clerk's individual advantage. It was declared that "the loss occasioned by the fault of a third person in such circumstances ought to fall upon the one of the two parties who clothed that third person as agent with the authority by which he was enabled to commit the fraud"[x]. Lloyd v Grace, Smith and Co.[xi] was also referred to by Dixon J in the leading Australian High Court case, Deatons Pty Ltd v Flew[xii]. The case concerned an assault by the appellant's barmaid, who hurled a beer glass at a patron. Dixon J stated that a servant's deliberate unlawful act may attract liability for their master in situations where "they are acts to which the ostensible performance of his master's work gives occasion or which are committed under cover of the authority the servant is held out as possessing or of the position in which he is placed as a representative of his master"[xiii].

Through this authority, it is generally accepted that if an employee commits fraud or misuses a computer system to conduct an illicit action that results in damage to a third party, the employer may be held liable for that conduct. In the case of a principal's agent, the principal is deemed to be directly liable.

In the context of the Internet, the scope in which a party may be liable is wide indeed. A staff member, or even a consultant (as an agent), who publishes prohibited or proscribed material on websites and blogs, changes systems or even data, attacks the site of another party, or takes many other actions could leave an organisation liable. Stevenson Jordan Harrison v McDonnell Evans (1952)[xiv] provides an example of this type of action. The case hinged on whether the defendant (the employer) could be held liable under the principles of vicarious liability for the publication of assorted "trade secrets" by one of its employees, which was an infringement of copyright. The employee did not work solely for the employer. Consequently, the question arose as to whether the "master-servant" relationship between the parties was sufficient for the conditions of vicarious liability to be met. The conventional "control test" (whether the worker was engaged under a "contract for services" as against a "contract of service") was replaced in these circumstances with a test of whether the tortfeasor was performing functions that were an "integral part of the business" or "merely ancillary to the business". In the former case, vicarious liability extends to the employer. Similarly, a contract worker acting as web master for an organisation who loads trade-protected material onto their own blog without authority is likely to leave the organisation they work for liable for their actions.

In Meridian Global Funds Management Asia Limited v Securities Commission[xv], a pair of employees of MGFMA acted without the knowledge of the company directors but within the extent of their authority and purchased shares with company funds. The issue turned on whether the company knew, or should have known, that it had purchased the shares. The Privy Council held that, whether by virtue of the employees' actual or ostensible authority as agents acting within their authority[xvi] or alternatively as employees acting in the course of their employment[xvii], the actions, omissions and knowledge of the employees may be attributed to the company. Consequently, this can introduce the possibility of liability as joint tortfeasors where directors have, on their own behalf, also accepted a level of responsibility[xviii]: if a director or officer is explicitly authorised to issue particular classes of representations for their company, and deceptively issues a representation of that class to another resulting in a loss, the company will be liable even if the particular representation was made in an inappropriate manner to achieve what was in effect authorised.

The degree of authority is a question of fact and turns on appreciably more than the fact that employment provided the occasion for the employee to commit the fraud. Panorama Developments (Guildford) Limited v Fidelis Furnishing Fabrics Limited[xix] involved a company secretary deceitfully hiring vehicles for personal use without the managing director's knowledge. As a company secretary will customarily authorise contracts for the company and would appear to have ostensible authority to hire a vehicle, the company was held liable for the employee's actions.

Criminal Liability
Employers can be held to be either directly or vicariously liable for the criminal behaviour of their employees.

Direct liability for organisations or companies refers to the class of liability that arises when the company itself permits the employee's action. Lord Reid in Tesco Supermarkets Limited v Nattrass[xx] held that this occurs when someone is "not acting as a servant, representative, agent or delegate" of the company, but as "an embodiment of the company"[xxi]. When a company is involved in an action, this principle usually relates to the conduct of directors and company officers when those individuals are acting for or "as the company". Since directors can delegate their responsibilities, direct liability may extend to those employees who act under that delegated authority. The employer may be directly liable for the crime where it can be demonstrated that a direct act or omission of the company caused or permitted the employee's commission of the crime.

Where prosecution of the crime requires proof of mens rea[xxii], the company cannot be found vicariously liable for the act of an employee. The company may still be found vicariously liable for an offence committed by an employee if the offence does not require mens rea[xxiii] for its prosecution, or where vicarious liability arises, expressly or by implication, under statute. Strict liability offences fall into this category. In strict liability offences, and in those that statute establishes as applying to companies, the conduct or mental state of an employee is attributed to the company so long as the employee is acting within their authority.

The willingness of the courts to attribute criminal liability to a company for the actions of its employees seems to be increasing, as demonstrated by the Privy Council decision in Meridian Global Funds Management Asia Ltd v Securities Commission[xxiv] mentioned above. This type of fraudulent activity is only expected to become easier as companies adopt new technologies, and the attribution of criminal liability to an organisation in this manner may broaden to include the actions of employees in abusing those technologies.

It is worth noting that both the Data Protection Act 1998[xxv] and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000[xxvi] make it illegal to use equipment connected to a telecommunications network for the commission of an offence. The Protection of Children Act 1978[xxvii] and the Criminal Justice Act 1988[xxviii] make it a criminal offence to distribute or possess scanned, digital or computer-generated facsimile photographs of a child under 16 that are indecent. Further, the Obscene Publications Act 1959[xxix] extends to all computer material, making it a criminal offence to publish an article whose effect, taken as a whole, would tend to deprave and corrupt those likely to read, see or hear it. While these Acts do not of themselves create vicarious liability, they increase the penalties to which a company can be exposed if it is liable for the acts of an employee committing offences using the Internet.

[i] Broom v Morgan [1953] 1 QB 597.
[ii] Employees Liability Act 1991 (NSW).
[iii] G E Dal Pont, Law of Agency (Butterworths, 2001) [1.2].
[iv] Ibid [22.4].
[v] Singapore Broadcasting Association, SBA's Approach to the Internet; see Century Insurance Co Limited v Northern Ireland Road Transport Board [1942] 1 All ER 491; and Tiger Nominees Pty Limited v State Pollution Control Commission (1992) 25 NSWLR 715, at 721 per Gleeson CJ.
[vi] Tiger Nominees Pty Limited v State Pollution Control Commission (1992) 25 NSWLR 715.
[vii] Bugge v Brown (1919) 26 CLR 110, at 117 per Isaacs J.
[viii] Unreported decision in Warne and Others v Genex Corporation Pty Ltd and Others, BC9603040, 4 July 1996.
[ix] [1912] AC 716.
[x] [1912] AC 716, at 739 per Lord Shaw of Dunfermline.
[xi] [1912] AC 716.
[xii] (1949) 79 CLR 370, at 381.
[xiii] Ibid.
[xiv] [1952] 1 TLR 101 (CA).
[xv] [1995] 2 AC 500.
[xvi] See Lloyd v Grace, Smith & Co. [1912] AC 716.
[xvii] See Armagas Limited v Mundogas S.A. [1986] 1 AC 717.
[xviii] Demott, Deborah A. (2003) "When is a Principal Charged with an Agent's Knowledge?" 13 Duke Journal of Comparative & International Law 291.
[xix] [1971] 2 QB 711.
[xx] [1972] AC 153.
[xxi] Ibid, at 170 per Lord Reid.
[xxii] See Pearks, Gunston & Tee Limited v Ward [1902] 2 KB 1, at 11 per Channell J, and Mousell Bros Limited v London and North-Western Railway Company [1917] 2 KB 836, at 843 per Viscount Reading CJ.
[xxiii] See Mousell Bros Limited v London and North-Western Railway Company [1917] 2 KB 836, at 845 per Atkin J.
[xxiv] [1995] 2 AC 500.
[xxv] Data Protection Act 1998 [UK].
[xxvi] Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 [UK].
[xxvii] Protection of Children Act 1978 [UK].
[xxviii] Criminal Justice Act 1988 [UK].
[xxix] Obscene Publications Act 1959 [UK].

Monday, 4 February 2008

The fun of Telstra

Owning all the copper has advantages. You can make life difficult for people who do not exclusively use your service.

SDSL with an ADSL tail seems to provide some redundancy, but for the fact that both (as did ISDN when I had it) use the same exchange. No exchange, no Internet link.

So things are going to be a little slow while I wait for Telstra to check, within 48 hours, a service that is guaranteed a 24-hour turnaround under legislation. The fun of monopoly...