Information Security Group www.isg.rhul.ac.uk

p.stoner@rhul.ac.uk z.ciechanowicz@rhul.ac.uk

T: 01784 443101

We have extended the way in which Royal Holloway’s internationally recognised MSc is offered.• CPD/CPE Modules: Most MSc modules are now available as stand-alone courses of one week’s duration

(Block Mode). These modules may be taken with or without an examination.

As a result the MSc now has the following traditional delivery modes:Full-time, one year, on campus; Part-time, two years, on campus; Block Mode, two years, on or off campus; Distance Learning, up to four years via the Virtual Learning Environment.

The introduction of CPD modules has enabled us to introduce even more fl exibility into our methods of delivery.• Latest innovation – ‘Mix and Match’ degree programmes. It is now possible to obtain the MSc by

accumulating modules by any delivery method listed above (maximum period seven years).• Postgraduate Diploma – each module is also available in condensed mode and taught as a one, two or three-

day training course offered by QCC Training Ltd. Students may follow a structured programme of these courses and then undertake an MSc level project to obtain the Postgraduate Diploma in Information Security.

Information Security MScFlexible learning for everyone

5273 Info Security BCS AD.indd 1 18/9/08 13:27:36

Gareth Niblett, chairman of the ISSG, says thatnow is the time to make software secure.

Secure, stable and reliable software is a rare commodity,and one that most can’t actually buy. Although we mayfeel that those who profit from selling us software not upto the task should be held liable and sued, doing so couldalso expose open source developers to unacceptable riskswhen giving us their software.

Unreliable and insecure software is due to a variety of factors, from the lack ofacademic focus within software engineering and computer science courses, to thedevelopment approach that our IT professionals are expected to adopt whenprogramming in-house systems or commercial applications.

Even the formal accreditation of systems, e.g. common criteria, may not detect orprevent software vulnerabilities from arising; it can even compound the issue byforcing a decision to be made between operating a vulnerable but accredited systemand an upgraded but unaccredited system.

SANS and CWE have listed the top 25 most dangerous programming errors(www.sans.org/top25errors), which cover the actual programming errors made bydevelopers that lead to the vulnerabilities that software may be susceptib le to, andprovides useful and authoritative information on mitigation.

Security software even provides ready examples of how to not do it and the f ormalmethods of safety critical systems may be overkill for most commercial offerings.Something needs to be done to improve the security, stability and reliability ofsoftware where more features are delivered ever more rapidly.

We need a ‘secure by design’ approach, where we seek to minimise the existenceand impact of vulnerabilities and other bugs. Secure applications can only come froma top-down design and development ethos, integrated with a robust softwaredevelopment life cycle (SDLC) that includes structured testing.

03Spring 2009 ISNOW

04 Shut that door

06 To encrypt or not to encrypt

08 Securing information systems

10 Software assurance with SAMM

12 Sniffing out the crooks

14 Secure software development

16 Crashing cars and firewall management

18 Control or manage

ISNOW is the quarterly magazine of the BCS Security Forum, incorporating theInformation Security Specialist Group. It can also be viewed online at:www.bcs.org/security/isnow

EDITORIAL TEAM

Henry Tucker EditorBrian Runciman Managing Editor

DESIGN TEAM

Marc Arbuckle Art EditorDavid Williams Graphic Assistant

Registered Charity No 292786The opinions expressed herein are notnecessarily those of BCS or theorganisations employing the authors.© 2009 The British Computer Society.

Copying: Permission to copy foreducational purposes only without fee all or part of this material is grantedprovided that the copies are not mad e or distributed for direct commercialadvantage; the BCS copyright notice and the title of the pub lication and itsdate appear; and notice is given thatcopying is by permission of BCS. To copy otherwise, or to republish,requires specific permission from thepublications manager at the addressbelow and may require a fee.

Printed in Great Britain by: Inter Print, Swindon, Wiltshire.ISSN 1752-2455. Volume 3, number 3.

The British Computer Society First Floor, Block D, North Star House,North Star Avenue, Swindon SN2 1FA, UKtel +44 (0)1793 417 417; fax +44 (0)1793 417 444; www.bcs.orgIncorporated by Royal Charter 1984.

I S N O W I S S G P E R S P E C T I V E

Information Security Specialist Group: www.bcs-issg.org.ukInformation Risk Management and Assurance Specialist Group:www.bcs.org/groups/irma BCS Security Portal: www.bcs.org/securityISNOW online: www.bcs.org/forum/isnow

F U R T H E R I N F O R M A T I O N

I S N O W C O N T E N T S

ISNOW Spring 200904

more pressing than ever. At the same time, applications have

become a target-rich environment forthose seeking monetary gain through themisuse of personal information. Thesetrends have increased the occurrence ofbackdoors being inserted into applications.

Binary-level application testing orcompiled-code analysis makes it possibleto examine the entire application in itsfinal delivered form. It enables the mostcomplete detection of backdoors thatmost often can only be found inapplication binaries.

An application backdoor is a segment

of code that provides an alternative, non-standard entry into an applicationand can permit functionality not intendedby the application's designers. Applicationbackdoors can be inserted unintentionally,intentionally for good reasons, or intentionally for malicious reasons. A common characteristic of backdoors isthat they are often planted into an application with the intent that they willbe exploited at a later point in time.

While backdoors are becoming morecommon, their origins are varied.Backdoors are not always introduced withmalicious intent. For example,conscientious programmers may build abackdoor into an application for thepurpose of remote troubleshooting, anactivity that is more common in today'sdispersed, interconnected applicationenvironments. Less-careful programmerscan unintentionally introduce backdoorsby re-using code that has not beenchecked, or simply by being unaware ofthe backdoor exploitability factor incertain types of code.

Undetected backdoors, regardless oftheir origin or intent, can give attackersaccess to data, including customer andcompany data, and allow them to steal or manipulate that data. This obviouslyexposes the application developers andtheir companies to potentially serious risks.

In the past, manual code reviews orautomated reviews of source code wereused in an effort to detect backdoors.However, these efforts have resulted inlimited success due to both the h igh costof manual reviews and the high falsenegative rate of source code analysistools. Source code analysis tools misssignificant portions of the software suchas third-party libraries, API calls andcode injected via the tool chain duringcompile time, making the techniqueunreliable at best.

Recently, new technology has enabledorganisations to overcome the limitationsof source code testing, by using staticbinary analysis to provide a complete wayto cover application security. Static binaryanalysis of applications represents asuperset of source code analysis.

Three types of backdoors

System backdoors allow access to dataand processes at the operating system root

Unintentional backdoors are either introduced due to programming errors oran unawareness of the threat that backdoors present. For example, programmers routinely and purposefullyinsert a backdoor into an application, inorder to access that application later for remote troubleshooting.

As the complexity of modern softwareapplications increases, along with the useof components assembled from reusablebinary components, backdoors can easilycircumvent even the best of QA cycles. Theneed for an accurate and completeapproach to software security testing is

Malicious backdoors are designed by attackers to avoid detectionby traditional security tools such as firewalls, intrusion detectionsystems (IDS), and anti-virus software. To these security tools,backdoor traffic looks identical to typical application traffic. MikePuglia from Veracode explains why you need to shut the backdoor.

F O C U S S O F T W A R E S E C U R I T Y

Shut that door

Spring 2009 ISNOW 05

level. They are typically created by anattacker who has compromised a systemin order to retain access to the sys temlater on. Examples of system backdoorsinclude rootkits, remote access software,malware such as Trojans or bots and deliberate system misconfiguration.

Crypto backdoors are intentionallydesigned weaknesses in a cryptosubsystemfor particular keys or messages that willallow the attacker to gain access to clear-text messages. Applicationbackdoors are sections of legitimatesoftware modified to bypass securitymechanisms under certain conditions.

Application backdoors are sections of legitimate software modified to bypasssecurity mechanisms under certainconditions. These legitimate programs aremeant to be installed and running on asystem with the full knowledge andapproval of the system operator.

Application backdoors can result in thecompromise of the data and transactionsperformed by an application and may also result in a compromise of thecomplete system.

Special credentials

In these cases, the attacker inserts logicand special access credentials into theprogram code, typically in the form of aspecial user name, password, and password hash or key. One company hadsuch vulnerability in its popular commercial database program; it wentundetected for seven years. This vulnerability could have been successfullydetected using a combination of staticdetection strategies, including analysis ofvariables that look like usernames or passwords, identifying static variables thatlook like hashes, and identifying staticvariables that look like cryptographic keys.

Hidden functionality

Attackers use these methods to issue commands or authenticate without needing to perform the designed authentication procedure. More advancedattackers even include a special check sothat there is some protection from anyoneusing the backdoor. In 2007, this type ofbackdoor was inserted in a popular blogpublishing program, WordPress, which ledto a recall of an entire ve rsion of the software. Techniques for identifying this vulnerability should include inspecting theapplication for command injection vulnerabilities, recognising patterns inscripting languages, comparing server-side

code with client-side code, identifyingpotential operating system commandinjection vectors, and identifying static variables that look like application commands.

Unintended network activity

The attacker can exploit networks by listening on undocumented ports, makingoutbound connections to establish a command/control channel, or leaking sensitive information over the network. In many cases, these backdoors arestrengthened with rootkits, which are offurther concern.

In 2002, a backdoor of this type wasinserted in the source code distribution ofa popular network sniffer. It established aconnection to an IP address and l istenedfor commands.

It is possible to detect this type ofactivity using dynamic network utilitytesting, but only if the specific runconditions, under which the program willactivate, are duplicated. A number ofstatic analysis techniques can be used todetect this code, including identifyinginbound and outbound connections,analysing network activity that referencesa hard-coded IP address or por t,identifying potential information leaks,analysing data flows, examining importtables, and more. The goal is to identifyanomalies, then analyse the binary code inmore depth.

Parameters that assign certainprivileges to a process, influence taskscheduling, or restrict operations onmemory pages represent a higher securityrisk. In 2003, an attacker attempted toinsert a backdoor into the Linux kernel.Fortunately, the backdoor was noticed andremoved before users were affected. Themethod the attacker used wasn’tsuccessful in this case, but it revealed avery subtle technique involving just acouple of lines of code that were activatedwhen a particular process was initiated.The technique used by this attacker couldbe mistaken for a common, usually benign,programming flaw - using assign insteadof compare. Static analysis could be usedto identify all instances of this particularbehaviour, taking into account theinstances where this string of code is intentional.

Automated source code analysis.

Several tools are now commercially available to review large and complexapplications without manually going

through the code line-by-line. These toolsare good at finding secure coding flaws,such as memory usage errors, input validation errors, or mishandled error conditions that an attacker can use tocompromise the software.

However, they require access to sourcecode, which many not always be feasibleand doesn’t take into considerationbackdoors that may be injected duringcompile time, via APIs or hidden in thirdparty libraries. Additionally, this methoddoes not detect most types of applicationbackdoors, precisely because they aredesigned to be hidden in the source codeand only become exploitable after compiletime. Static binary, byte-code or compiledanalysis examines a compiled form of anapplication or component to create acomplete picture of real-worldvulnerabilities. It is important tounderstand how its two main aspects:binary and static separate it fromalternative methods.

Commercial off-the-shelf (COTS)programs can be a problem. Anapplication security expert recentlyanalyzed 100 programs. He randomlyselected 100 COTS and open sourceapplication packages, analyzing thoseusing reverse-engineering tools. Upontabulating the results, he found that:

79 packages had dead code;23 packages had unwanted code;89 packages had suspicious behaviours;76 packages had possible maliciou code.

Of these:

21 packages had known worms, Trojans,rootkits, etc.69 packages had possible worms,Trojans, rootkits, etc.

Whether intentional or not, security vulnerabilities present in an applicationcan leave an enterprise or government organisation open to serious legal or commercial risk. Given the complexity,age, and varied pedigree of code that characterises the typical application,source code analysis is incomplete. Oncebackdoors and malicious code are inserted, they are impossible to detectwithout binary application testing analysis. On-demand, static binary application testing for backdoors givesdevelopers and enterprises a completesolution to testing their applications forcritical security vulnerabilities.

ISNOW Spring 200906

I S N O W L E G A L

should be used. There was little guidanceexpressly addressing this point. However,there have been a number of high profilecompanies who have received enforcementnotices which specifically detail a failureto encrypt as being a breach of the DPAand DP principles. Data protection law is therefore, largelyby way of enforcement notices and guidance (issued on security and encryp-tion both in 2007 and 2008), beginning toimpose certain specific obligations andrecommendations on companies, in relation to encryption.

Although these are not definitivelystated, it seems pretty clear that wherepersonal data (data which can identify aliving individual which can include name,HR records etc.) is placed on mobi ledevices, encryption must now be used.

Otherwise, there is currently no strict legalobligation to encrypt personal data,although it may be helpful in some casesto do so voluntarily, for example wheresuch data has to be emai led to a higherrisk country or is particularly sensitive orpotentially valuable or damaging. There isno specific legislation imposing obligationsto encrypt confidential information notcontaining personal data in the UK.

However, you should consider usingencryption in relation to relevanttechnology to protect important businessinformation. This is likely to includecertain HR information (which also getssquarely caught by the DPA), plus boardinformation, certain financial informationsuch as pricing, confidential informationon customers and other importantconfidential information.

So, outside of mobile devices, youshould be making judgments around thetypes of data that should be encrypted aswell as keeping an eye on ICO and othersecurity guidelines on this area.

With newly granted powers given tothe Information Commissioner now is agood time to undertake a review of thesecurity applied to personal data beingprocessed within your organisation andhow this is treated in your contracts, forexample with service providers, includingyour encryption obligations. This will assistin guarding against a security breach andthe resultant adverse publicity,reputational damage and loss of customer confidence which flows from such incidents.

In addition, buoyed by a plethora ofrecent data loss incidents and new powersrecently introduced, such as the ability tolevy fines for serious breaches, it is clearthat the Information Commissioner will belooking to flex his new found muscles.

© Copyright 2009 EvershedsPlease note that the informationprovided above is for general information purposes only andshould not be relied upon as adetailed legal source.

More than 8,500 laptops are left i n UKairports and over 10,000 are left inLondon taxis every year. Human error andthe increasing adoption of portable technology inevitably means these figuresare unlikely to decrease. The InformationCommissioner’s Office (ICO) is starting toget tough, giving clear messages that datacontrollers (in this context employers)must encrypt certain personal data.

It had previously been a question forconsideration as to whether, under the 7thPrinciple of the Data Protection Act1998, which requires data controllers totake ‘appropriate technical andorganisational measures againstunauthorised or unlawful processing ofpersonal data and against accidental lossor destruction of, or damage to, personaldata’ meant that encryption technology

Charlotte Walker-Osborn, technology partner, and Aonghus

Martin, technology solicitor, from Eversheds LLP, discuss the

English legal position in relation to encryption.

To encrypt, or not to encrypt: that is the question...

Part of

Stay connected at the UK’s leading event for Public Sector ICT

GC Live is your best opportunity this year to discover the latest solutions that are driving efficiency and reducing costs across the public sector.

→ Connect to over 100 innovative ICT suppliers in just two

days, including; BT, Canon UK, Corporate Document Services,

Hays IT, ntl Telewest Business, Siemens Plc and many more.

→ Connect to the hottest debates and the most important

issues affecting the future of public sector ICT in the

Public Sector Talks.

→ Connect to a wealth of hands on ICT solutions

which will immediately benefit your day to day role

in the Government Computing Talks.

Register today at gc-live.com

Does your procurement colleague know about Procurement Solutions Live? It is the UK’s official government procurement event. Over 100 approved buying solutions suppliers will be showcasing their products and services. Visit procurementsolutions.gov.uk

FREE

ENTR

Y

In association withOfficial media partner Supported by Organised by

ISNOW Spring 200908

Closer to home we witnessed theBuncefield oil explosion and subsequentfires in 2005. What was perceived as anenvironmental peril soon became an ITinformation problem. The fires causeddamage to IT data s torage companyNorthgate Information Systems’equipment. The knock-on effect led toAddenbrooke’s Hospital IT-centred patientadmission system failing, causing major disruption.

Safeguarding our complex

information systems

To counteract these security fears, weneed innovative and technical solutions toenable systems to be managed – to mitigate risk. These systems will get evenmore complex in the future, so there is anelement of the unknown. We need expertise today to start predicting futuresecurity problems. We need to start takinga prevention approach, not cure.

We need collaborations across diverseindustry sectors such as transport,healthcare, engineering and finance - allunderpinned by IT expertise. We’re facinga massive societal and business challenge,but we believe the UK has the expertise totackle this challenge – and the TechnologyStrategy Board is at the forefront of thissocietal problem.

We are working with the Centre for theProtection of National Infrastructure andthe Engineering and Physical SciencesResearch Council to allocate £6m inresearch funding to secure our businessinformation systems.

During this funding period, we wantorganisations with the necessary skills todevelop tools, techniques and services totackle the ever-increasing threat to ourinformation systems. This investment willdirectly target the complexity anddependency challenges associated withintricate information systems that UKgovernment and businesses use daily.

This funding competition will addressinnovative solutions for making ourinformation infrastructure more robust.

Picture the scene: it’s a typical day inyour business or private life. You’ve wokenup, checked the television or radio newsfor transport updates, read emails on yourBlackBerry, tweaked your SatNav system on the way to school, work, or the supermarket.

You’re barely an hour into your day,and yet, you’ve become reliant on complexsystems underpinned by IT. We’re at thestage in modern society where you simplycan’t go back to paper information. Whata wonderful technology-inspired world welive in. But wait, these systems cannot fail,can they?

The answer, of course, is yes they can.As our dependence on information systemsincreases, so does the risk of thesecomplicated tools failing through capacityoverload, human intervention, or naturaldisaster. In fact, not only do we depend onthese systems, but the systems themselvesare also heavily reliant on each other. Inthe home we are running multiple internetconnections, home entertainment systems,digital televisions and telephone lines thatconverge into a single set top box, dealingwith more complex information year uponyear. As an information system matures, itconverges with many other technologiesdue to the demand for increased agility,virtualisation and interconnection. The endresult is an unplanned ‘system of systems’where functionality overrides resilience,leading to security concerns. If this fails, itcan take out many systems at once.

For example, a significant systemsfailure was the electrical blackout of theeastern seaboard of the United States inAugust 2003. This breakdown in continuitylasted for more than 48 hours andaffected more than 50 million people. Itwas suggested that the initial event, whichlead to a chain reaction, started at apower plant in Ohio. A breakdown in thecomputer control system failed to detect asmall electrical problem and rectify it.This small scale local event cascad ed intoa major outage for a large population ofeastern United States and Canada.

This could include the development ofreal-time predictive models withparticular emphasis on interdependencyanalysis and supply chains.

No ‘silver bullet’ solution

We don’t see there being a ‘one size fitsall’ solution, but we welcome innovativeideas that will address high level challenges that include:

increasing understanding and management of complex interdependentIT infrastructures and systems;development of models focusing on real-world practical applications to enable SMEs and large companies to secure their information systems; producing systems with better scope fordata capture, security and data segregation across industries such as healthcare, assisted living, intelligent transport; bringing together diverse groups such as IT professionals, academics, health professionals, economists, transport planners and insurance professionals toshare knowledge and ideas;making software more secure, and therefore less susceptible to security vulnerabilities and attacks.

We see these challenges being met by pioneering thinkers within the informationsecurity and IT community. We understandthat staff from SMEs are very busy, oftenworking on their own, which is why theTechnology Strategy Board is offering itsfull support to the SME community toencourage individuals to form collaborations and apply for this funding.SMEs who successfully apply for competition funding will be able to keepand exploit the intellectual property theydevelop from their work. This will befinancially beneficial, especially if anentrant’s work is produced for a new burgeoning commercial market.

We want to make it clear that this competition is not about funding research

The IT industry is at the heart of developing future resilient information systems says Andrew Tyrer from the Technology Strategy Board.

F O C U S S O F T W A R E S E C U R I T Y

Securing information systems

Spring 2009 ISNOW 09

that won’t produce tangible results. Thecompetition offers the only UK publicmoney currently available to address thesecurity of society’s complex informationsystems, so naturally we want to see areturn from our investment.

It’s vital that research proposalsclearly demonstrate positive economic and business impact, coupled withenvironmental and social sustainability.We strongly encourage projects that candemonstrate tangible benefits acrossbusiness sectors. It’s essential that theresearch outputs could, for example,benefit the banking industry as well as transport planning and healthcare systems.

The solutions

We are not going to pretend that solvingsystem security weaknesses will be easy,but we are confident we have the expertiseto benefit services that make our lives easier to live, in the home, in the work-place and on roads we travel upon.

In the home, we see this researchmaking our internet connections safer.Also, as our population ages, we could seethe funding design a safer home wheretechnology can support our wellbeing. Theresearch funding could enable systems toremain robust, avoiding downtime,allowing constant monitoring of a person’shealth and activities.

In the workplace research has manypotentially successful and beneficialapplications. The banking industry couldbenefit from better software that predictsrisks from cyber attacks. In healthcareindustries, better information systems toensure patient’s records are maintainedsecurely can be designed andimplemented. Transport systems couldbenefit from more robust IT systems.

These are possible solutions toimproving our complex informationsystems. We know there are many others.We’re challenging industry to play a major part in making our business andprivate lives more efficient through secure systems.

We have become a digitally-dependentsociety; the days of paper systems are welland truly a thing of the past, so we needto collaborate, to strengthen ourinformation-based society, for the now and in the future.

Further information

www.networksecurityip.org

ISNOW Spring 200910

procedures for their software modifications as bestpractice items under a few of the requirements. Incontrast, the latest version of the standard (v1.2)dedicates the majority of one of its 12 requirementareas (requirement 6) to the s ecurity of softwareapplications.

Software security issues

As an application security consultancy, a questionwe get asked a lot is what issues are you seeing yourclients? What do you help them with? Organisationshave differing drivers for security such as compli-ance (DPA, SOX, PCI-DSS), governance, protectionagainst crime, brand reputation, etc, but the primaryissue our clients face is figuring out how to manageand operate information security processes effectively within their organisation. Due to the pervasive nature of information security controls,they must be embedded within business and IT processes.

Information security within softwaredevelopment is a prime example of this.

Many organisations struggle with how to

Within the security industry, a recent trend is afocus around considering security from the startduring the development of applications. This is by nomeans a new concept; it simply was not a focus inthe industry as vulnerabilities within infrastructure(network, operating systems, and databases) werewhat were being exploited at the time.

However, as these vulnerabilities were remediatedand defence mechanisms at those levels improved,attackers shifted their focus to other avenues suchas phishing and application level vulnerabilities. Inaddition, as we are more connec ted to the internetvia high speed connections, more and more organisations have migrated their software applications to the internet for wider accessibility.As a result, focus within the security industry has shifted to software security.

An example of this shift in focus can be seen inthe evolution of the payment card industry datasecurity standard (PCI-DSS). The earlier version ofthis standard (when it was called Visa CardholderInformation Security Program) mentions thatorganisations should follow change control

When it comesto creating software itneeds to be donewith a securebase. MattBartoldus fromGotham DigitalScience has theassurance.

F O C U S S O F T W A R E S E C U R I T Y

Software assurance with SAMM

Spring 2009 ISNOW 11

incorporate information security into theirsoftware development projects effectively,largely due to time and budgetconstraints. Some of the more commonquestions we get asked include:

What does ‘it’ look like?How can we understand and manage ‘this’?Do we have enough resources / skills to do ‘this’?How does ‘this’ fit in with the security function, shouldn’t they do ‘it’?We are used to security projects that implement tools or systems but now weneed to change our processes?Isn’t there an established method ormodel for all ‘this’?

You may have noticed that I have refe rredto information security within the softwaredevelopment process as either ‘this’ or ‘it’.Currently, information security within thesoftware development process is still adiscipline in definition. There have beenmany guides and methodologies publishedin recent years by both public and privatesector organisations. While many of thesediffer in naming conventions and presentation, they are all very similar innature. While there are many definitionsand acronyms for this discipline, it is commonly referred to as software assurance.

OpenSAMM

Recently, an attempt has been mad e tocapture the elements of the discipline ofsoftware assurance within a frameworkthat varying organisations can use aseither reference, to assess where they arein terms of software assurance maturity,or to build a roadmap to implement security into their software developmentprocess. My company has adopted thesoftware assurance maturity model(SAMM) in order to put all of ‘this’ into aframework that the business can understand. It has been released under anopen license, the creative commons attribution-share alike license, and is setto be an official project within the openweb application security project(OWASP). As such, it is also commonlyreferred to as OpenSAMM or simplySAMM. This body of work was writtenand edited by a group of software securityexperts within the industry under the sup-port and funding of Fortify Software, Inc.,a leading provider of application lifecyclesecurity and source code analysis tools. Itcan be downloaded from

www.opensamm.org Here I will discuss some of the core

activities within SAMM but firstly, Iwould like to mention what SAMM is not.SAMM is not a prescriptive ‘how to’document for software assurance; nor is ita ‘one size fits all’ methodology; nor is itan audit checklist around secure softwaredevelopment.

Core activities of OpenSAMM

As mentioned before, there have beenmany guides and methodologies publishedaround software assurance over the yearswith common areas addressed. The following are some of the key core activities within SAMM in which we work with our clients to achieve software assurance:

Education and guidance - EG. This includes focusing on the right security training for the right personnel involvedwithin all stages of the software development process. SAMM goes as far as suggesting information security related certifications in areas of software development which can be a good motivator for technical staff.Security requirements – SR. In order to plan for information security to be built in to software, it has to be detailed as requirements so they can bedeveloped and tested in the same way as other functional or non-functional requirements. SAMM recognises that not all software development projects are the same. Security requirements need to be tailored based on several risk factors such as the type of software being developed, data that willbe processed or who will have access. Threat modelling – TM. Threat modelling is an activity performed in order to focus on what the threats are to an application and likely attacks it may face once developed and deployed.Information security requirements are then matched up against the identified threats in order to determine whether the security requirements have addressed all identified threats appropriately. This is done early in the software development process usually prior to when functional and technical specifications have been finalised.Architecture review – AR. The architecture review activity is focused on the review of software designs and architecture models for potential security related deficiencies. This allows

an organisation to detect architecture-level issues early in software development to avoid potentially large costs from refactoringdown the road. The security requirements developed for the project as well as either the organisation’s security architecture or best practices are used as the basis for the review.Standards and compliance – SC. In order to meet the information security requirements of the organisation (both internal and external), software development projects need to have an understanding of such requirements as well as have periodic compliance reviews at the appropriate project gateways.Security testing – ST. This activity is the one that is mos t recognisable in theindustry as it has been performed for many years. This includes traditional penetration testing such as black-box and white-box testing. SAMM also suggests performing more tailored testing based on test cases derived from the security requirements as well as source code analysis for informationsecurity related issues using automated tools.

Within this article through the introduction of OpenSAMM, I have highlighted the core areas in which wework with organisations as they addresstheir issues around how to implement andoperate information security into theirsoftware development processes. As software assurance is still a young discipline within a young industry such as information security, we believe thatorganisations can benefit greatly inembracing a framework such asOpenSAMM. This is in much of the samemanner as how the BS7799 standard wasembraced by organisations over the past10 years to incorporate the fundamentalsof information security into their business.

Matt Bartoldus is an informationrisk management professional withover 10 years of experience managing and delivering informationsecurity projects. Service deliveryexperience spans the scope of ITaudit; security penetration and vulnerability assessments; regulatorycompliance and information securitygovernance consulting; policy andstandard development; as well assecurity business transformation.

ISNOW Spring 200912

Having left Egg, Tom said that Garlik’s founderswanted to build another large-scale consumer-focused technology business and looked at twothings: what was happening to consumers in the digital world, and what would be the interestingtrends over the next few years? The main thing thatstruck them as interesting, he said, was the sheeramount of personal information that was appearingin the digital world about consumers.

What Garlik does is to look around the digitalworld, particularly focusing on those areas that areconsidered to be high risk - sites that trade personalinformation - scanning for personal informationabout the person who has commissioned the search,to see if it turns up in there.

Having done this they go back to the user andadvise them of the information they’ve found andwhat they should do about it. The next step is oftento get the data removed, but this isn't alwayspossible. However, there may be other possible steps.

‘One example I like to give is that banks oftenask you for your mother’s maiden name as asecurity word,’ said Tom. ‘You will discover that yourmother's maiden name is publicly available on theinternet along with everyone else’s because thebirths, marriages and deaths records have been published.

‘The bank doesn’t care after all. So why givethem the precise word that's on that l ist that anyonecan see? So even when you can’t get the sourceinformation removed, sometimes there are smartthings that you can do.’

Having discovered data that's out there,sometimes Garlik can trace how it was compromised

as it’s obvious. However, often they can’t do so at anindividual level, but because they have seen so muchinformation from so many similar sources, they cantell that various people are in the same situation.

‘For example there was one case we came acrosswhere someone had used an online retailer to buysomething and that site had par ted company withits system administrator. It turned out that onleaving, he made a couple of changes that alteredall of the details that were held in secure form ontheir server into open text and made them publicly available.

‘Now this system administrator clearly didsomething wrong. Whether he committed a crime isnot clear; he didn't use the information for personalgain, he was just really irritated at the way thatthings had come to an end and so pu t a tick boxthere where there wasn't one before.’

According to Tom, the problem now is companiesdon’t appreciate just how valuable the personalinformation they hold is and that they are hol dingthe information on trust for the people.

‘The mindset in the bank traditionally has beenthat it is looking after the money but it’s not theirmoney. Companies though don’t have the same sor tof mindset when it comes to personal information.They feel that people have given them their personalinformation and they can use it to run theirbusiness. They just have the view that “we'veharvested Tom’s information, that's mine now and Ican do whatever I like with it.” Fundamentallythough it still belongs to the individual and thecompany has a duty of care to look after it in thesame way as if it were something else of value.’

I N T E R V I E W T O M I I U B E

Tom Ilube is CEO

of Garlik, the

online identity

company which

he helped to

found in 2005.

He is also former

CIO of the

internet bank

Egg, and he

spoke to Henry

Tucker about

identity theft,

professionalism

and building

secure software.

SNIFFING OUT THE CROOKS

Spring 2009 ISNOW 13

Tom feels that if companies adoptedthe above mindset, the controls thatcompanies would put around their use andtheir management of that personalinformation would get a whole lot tighter.

To back up this theory, Garlik did someresearch into the government, issuing 30freedom of information requests acrossalmost every major governmentdepartment. It asked a series of questionsabout how they handle their information.Garlik asked if departments had ever beenindependently audited to see whether theycomply with the Data Protection Act?None have.

‘They are not required to have aud its,but if they did and they don’t cost a hugeamount, but just said once a year: “Wewant our existing auditors to also checkthat we are compliant”, you would just seepeople reacting,’ said Tom. ‘People wouldsay: “The auditors are coming, let’s have alook at our processes and procedures andso forth.” And they don't do that at the moment.’

Another question they asked was to seeif the information held by the organisationwas correct. This is very importantbecause if the information is wrong anddecisions are being made about anindividual based on it, how can they put itright? Garlik asked what policies andprocedures these departments had in placeto check that the information that theyhold is correct and how a person cancorrect it if something goes wrong.

Garlik soon found out that hardly anyof them have got these basic procedures inplace. None of them keep statistics on theerror rates in their information, none ofthem have budgets put aside for error correction.

Duty of care

‘I think it comes back to the issue of companies and government and owners ofbig databases not treating these databasesas things that they have a du ty of care tolook after. If the systems administrator inthat company really felt “I've got a dutyof care to look after this information” itwould have some double checks in placeand procedures when people leave so thatsomeone else checks things. If data is los t,the organisation still has it, unlike whenmoney is stolen, so they don't feel a senseof loss.'

When asked if embracingprofessionalism would help improve thissituation Tom agreed.

‘I think professionalism within IT

security is really important. One of thechallenges for us in the IT industry is tobuild systems that are secure by design.What often happens is the emphasis is onthe facing functionality and at the end ofthe cycle the security guys get involvedand have to almost patch up the securityas best they can, given that it has alreadybeen built and you have business guysstanding there saying: “Put it live, put it live.”

He feels that if you can get securitypeople involved in the design process rightfrom the start and if you can get softwareengineers educated in how to build securesystems, it just becomes a part of what they do.

With this in place you would end upwith the whole industry building muchmore secure systems and that feedsthrough into trust in an age when themainstream consumer uses the systems.It’s not just the professionals using thesystem, it’s also about our parents and theman on the street, and so forth, who willbe attracted to things that they can trustand trust comes through security, sosecurity gives a competitive edge as well.

Systems built securely will avoid databreaches too. If breaches happen and acompany deals with them veryprofessionally, it has an impact on thebusiness. People see security and theprofessional approach to developingsoftware that results in secure systems asa constraint on a business, the speed atwhich they can move and get things done.

‘What I say to people is look at it l ikethe brakes on a Formula One car,’ saidTom. ‘The reason why Lewis Hamilton cango faster is because he knows that he is incontrol with those brakes, he canaccelerate because he knows he can tweakthose brakes and come round the corner.So those controls aren’t stopping him,they are enabling him to go that fast.

‘In Egg one of the things I did as CIOwas to introduce an agile programmingapproach and agile development.Sometimes people can misunderstand thatagile approach and say either you canhave a professional waterfall approach oryou can throw caution to the wind and go agile.

‘But actually an agile approach isextremely professional as you get all ofthose people involved right from the startbefore anything has been created. I thinkwe need to think broader about what isprofessionalism and not get s tuck onprofessionalism always looks like this. The

idea that we as an industry need to getmore professional in what we do – Idefinitely agree with that.’

Tom also feels that a way to d eal withthe increasing amount of data loss is toimplement laws similar to the data breachnotification legislation in place in the US.

He believes that the UK and the EUwill end up with similar data breach lawsto the USA. He thinks, that part of thechallenge is that, even in the US, in somestates individuals are getting quite used tobeing told that their data has beenbreached and sometimes they start to tune out.

‘I think what we don’t appreciate withall these stories is that the informationbeing lost is very useful to these sorts ofpeople. If it goes missing today it’s goingto come back and bite the people andwe’re not really feeling the effects of it atthe moment.’

What he thinks is going to happen ifyou project forward two or three years isthat the amount of information about allof us will continue to grow. If you’re onFacebook or LinkedIn, Google and all ofthese places where the information doesn’tgo away, then there will be times whenpeople have talked about you or taggedyou in photos, as well as information thatthe government has put out there aboutus, and documents that we have f illed inthat the local authority has put on itswebsite. The information keeps flowing.

With this information, identity thieveshave worked out that it’s can be easier tohit individuals with a fraud than to hit anorganisation. The only reason that theydon’t do it in a big way at the moment isthat if you hit an organisation with afraud and it works, you make more than ifthey hit individuals. But if they can hit athousand individuals at the same time andobtain money from everyone, maybe that’sa lower risk, easier way to do it, ratherthan via one big organisation.

This doesn't mean that all is alread ylost though. Tom feels that currently wehave a window where we can recognisethat personal identity is important andneeds to be looked after and get that intoindividuals’ mindsets, governments’mindsets and use some of the technologiesthat can help us in this area.

‘If you leave it then I th ink it could getvery difficult,’ said Tom ‘It’s like Spam, ifthere were no spam filters then emailwould be unusable. Why we don’t see it isbecause there is a whole industry battlingthat problem.’

ISNOW Spring 200914

1: Protect the brand your

customers trust

As cybercriminals evolve, so must thedefenders. It’s the defenders and theirorganisations that need to s tay a stepahead of the cybercriminals as they will be held responsible for security breaches.Breaches leading to disclosure of customer information, denial of service,and threats to the continuity of businessoperations can have dire financial consequences. Yet the real cost to theorganisation will be the loss of cus tomertrust and confidence in the brand. Such aloss may be irreparable and impossible toquantify in mere monetary terms.Fundamentally, the recognition that theorganisation is obligated to protect the

customers should powerfully motivate the organisation in creating more secure software.

2: Know your business and support

it with secure solutions

The answer to the question – ‘Why werebrakes invented?’ could be answered intwo ways, ‘To prevent the vehicle from anaccident’ or ‘To allow the vehicle to gofaster’. Similarly, security can prevent thebusiness from a crash or allow the business to go faster. One must work witha thorough understanding of the business,to help in the identification of regulatoryand compliance requirements, applicablerisk, architectures to be used, technicalcontrols to be incorporated, and the users

The infamous release-and-patch cycle ofsoftware security management can nolonger be the modus operandi or tolerated.A growing community of professionals,supported by the global information security professional certification body(ISC)2®, understand that escaping this vicious cycle requires a systemic approach.

Given below is a compilation of tenbest practices for secure softwaredevelopment that reflect the experienceand expertise of several stakeholders ofthe software development lifecycle(SDLC). These stakeholders include analysts, architects, coders, testers, auditors, operational personnel and management.

Security attacks are moving from today’s well-protected IT network infrastructure to the softwarethat everyone uses – increasing the attack surface to any company, organisation or individual.Paradoxically, productivity-enhancing software that is embraced often invariably houses largeamounts of sensitive data, both personal and corporate writes Mano Paul of (ISC)2.

F O C U S S O F T W A R E S E C U R I T Y

Best Practices for SecureSoftware Development

Spring 2009 ISNOW 15

to be trained or educated.

3: Understand the technology

of the software

A thorough understanding of the existinginfrastructural components such as:network segregation, hardened hosts, public key infrastructure, to name a few, isnecessary to ensure that the introductionof the software, when deployed, will atfirst be operationally functional and thennot weaken the security of the existing computing environment. Understandingthe interplay of technological componentswith the software is essential to determinethe impact on overall security and supportdecisions that improve security of the software. Further, when procuring software, it is vital to recognise vendorclaims on the ‘security’ features, and alsoverify implementation feasibility withinyour organisation.

4: Ensure compliance to governance,

regulations and privacy

An industry that is not regulated is todayan exception to the norm. Governance, riskand compliance (GRC) is a means tomeeting the regulatory and privacyrequirements. One must understand theinternal and external policies that governthe business, its mapping to necessarysecurity controls, the residual risk postimplementation of security controls in thesoftware, and the compliance aspects toregulations and privacy requirements.

5: Know the basic tenets

of software security

When it comes to secure software, thereare some tenets with which one must befamiliar: protection from disclosure (confidentiality), protection from alteration (integrity), protection fromdestruction (availability), who is makingthe request (authentication), what rightsand privileges does the requestor have(authorisation), the ability to build historical evidence (auditing) and management of configuration, sessions and exceptions. Knowledge of these basictenets and how they can be implementedin software is a mus t have while they offera contextual understanding of the mechanisms in place to support them.Some of these mechanisms includeencryption, hashing, load balancing andmonitoring, password, token or biometricfeatures, logging, configuration and auditcontrols, and the like.

6: Ensure the protection of

sensitive information

Any information upon which the organisation places a measurable value,which by implication is not in the publicdomain, and would result in loss, damageor even business collapse, should the information be compromised in any way,could be considered sensitive. While it maybe easy to identify the sensitivity of certain data elements like health recordsand credit card information, others maynot be that evident.

One must consider data classificationand protection mechanisms againstdisclosure, alteration or destruction. Dataclassification is the conscious decision toassign a level of sensitivity to data as it isbeing created, amended, stored,transmitted, or enhanced, and willdetermine the extent to which the dataneeds to be secured. Software that eithertransports, processes or stores sensitiveinformation must build in necessarysecurity controls.

7: Design software with

secure features

When someone is exclusively focused onfinding security issues in code, they run therisk of missing out on entire classes of vulnerabilities. Security issues in designand other concerns, such as business logicflaws need to be inspected by performingthreat models and abuse cases modelingduring the design stage of the softwaredevelopment lifecycle. Threat modeling, aniterative structured technique is used toidentify the threats by identifying thesecurity objectives of the software andprofiling it. Attack surface analysis, a subset of threat modeling can be performed by exposing software tountrusted users.

8: Develop software with

secure features

It is imperative that secure features not beignored when design artifacts are converted into syntax constructs that acompiler or interpreter can understand.Once developed, controls that essentiallyaddress the basic tenets of software security must be validated to be in placeand effective by security code reviews andsecurity testing. This should complementand be performed at the same time asfunctionality testing. Definition of thescope of what is being reviewed, the extentof the review, coding standards, securecoding requirements, code review process

with roles and responsibilities and enforcement mechanisms must be pre-defined for a security code review tobe effective, while tests should be conducted in testing environments thatemulate the configuration of the production environment to mitigate configuration issues that weaken the security of the software.

9: Deploy software with

secure features

Secure deployment ensures that the software is functionally operational andsecure at the same time. It means thatsoftware is deployed with defence-in-depth, and attack surface area is notincreased by improper release, change, orconfiguration management. It also meansthat assessment from an attacker’s pointof view is conducted prior to or immediately upon deployment. Softwarethat works without any issues in development and test environments, whendeployed into a more hardened productionenvironment often experiences hiccups.Post mortem analyses in a majority ofthese cases reveal that the developmentand test environments do not simulate theproduction environment. Changes thereforemade to the production environmentshould be retrofitted to the developmentand test environments through properchange management processes. Release management should also includeproper source code control and versioningto avoid a phenomenon one might refer toas “regenerative bugs”, whereby softwaredefects reappear in subsequent releases.The coding defect (bug) is detected andfixed in the testing environment and thesoftware is promoted to production without retrofitting it into the development environment. Further, vulnerability assessment and penetrationtesting should be conducted in a stagingpre-production environment and if need bein the production environment with tight control.

10: Educate yourself and others on

how to build secure software

As Charles Dickens once eloquently said:‘Change begets change.’ When one who iseducated in turn educates others, therewill be a compound effec t on creating thesecurity culture that is much need ed—tocreate a culture that fac tors in softwaresecurity by default through education thatchanges attitudes. IT security is everyone’s job.

ISNOW Spring 200916

With all the doom and g loom of the pastfew months and billions of whatever currency you like being poured into theeconomy I have to repor t on a ray ofhope. I think my son may have h it on thesolution completely inadvertently. He’s nota renowned economist, just an honest,hard working car mechanic.

However, having written off the fifthcar in the last three years, although credit

where it’s due, this time it was his fiancéethat managed it, not only is he trying tosave the motor industry single handedlybut at the same time his insurancepremiums have reached a level where hemay be also saving the financial sector.

Not only that, but out of sympathy I’vehad to break open the res erves and helpfinance number six, which of coursemeans that what money I had left is

now circulating.But what, may you ask, does this have

to do with IT and s ecurity come to that?Actually quite a lot because his latestaccident triggered a chain reaction thatwe’re all too familiar with.

First, a lack of risk assessmentresulted when according to his fiancée ‘awoman driver decided to stop on orange’with the result that she ploughed i nto theback of the car. Mind you had themechanic bothered fixing his brakes, aseveryone was telling him to do, it all mighthave been avoided. And as is so often thecase in IT security, improper risk

The similarity between the two might not be obvious but theycan set off a chain reaction according to Calum Macleod, regionalmanager, Tufin Technologies.

F O C U S S E C U R I T Y B E S T P R A C T I C E

Crashing cars and firewall management

Spring 2009 ISNOW 17

assessment can have disastrousconsequences.

Not enforcing information securitypolicies or firewall policies can very oftenresult in failed audits, network breachesand other such things.

Firewall rules

Second, it had major business continuityimpact. Having no car meant having toborrow somebody else’s car. Everybodywas impacted. A very common problem inmany organisations is the impact on dayto day business because of errors beingmade in translating service requests into

structured firewall changes, or failing toadhere to information security policy, orplacing firewall rules where they shouldnot be, brings everything to a grindinghalt. Third, the failure to deal with therisk resulted in a problem, with the resultthat the financial impact on the familyorganisation was significant.

I’m not saying the accident would nothave happened but had the brakes beenworking it might have resulted in whatbecame a ‘right-off’ being no more than asmall dent.

Bottom line failure to deal with therisk in order to save money eventuallyended up costing a lot more than it shoul dhave. So what should you do? Useautomated risk assessment tools – fix the brakes.

Risk assessment

One of the key reasons why risk assessment is not done is simply that it isextremely time consuming if it is donemanually. When I ask companies the question, the responses vary from ‘we havenever done’ a risk assessment to ‘so farwe’ve got away with it because the auditors have never asked.’

Additionally it is surprising evenamong financial institutions that auditorsare not addressing this problem. This islikely to be due to the fac t that they donot know what to look for. Relying onspecialist consultancy companies to dothis job for you can also be a very hit andmiss affair because you are at the mercyof a consultant who may or may not havethe necessary skills to do this. And in anycase if they haven’t got the right tools thechances are they’re no better than anyone else.

Best practice

The only effective way to really assess ifyour firewalls are protected is to use toolsthat are able to examine your firewall configuration based on known best practices. Additionally, the better toolsallow the firewall administrator to addressnew vulnerabilities in real time. Since thisprocess is fully automated it takes themanual, subjective approach away fromthis task and it ensures that you can analyse in minutes what would normallytake weeks or months to do manuall y. Andthis has to be a continuing process.

Communicate with the business andknow what are your business criticalapplications. It won’t be a big surprise butmany IT administrators and firewall

administrators do not know whichapplications are business critical. Theresult frequently is that either rules areleft in firewalls because no one darestouch them, which in turn results in poorfirewall performance. The other situationthat often occurs is that rules or servicesare removed because they do not appearto be used. Again the problem isfrequently due to the fac t that manualprocesses are used to examine usage andvery often services can be unused formonths simply because the applicationsthat use them are not run on a regularbasis but may be business critical.

Policy management

Again the only effective way to ensure youavoid these mishaps is to use technology.Firewall policy management (FPM) technology enables an organisation todefine business critical applications sothat any changes which impact theseapplications can be identified quickly. Infact some tools enable you to model scenarios before making changes. Themodeling allows you to identify if achange will impact business continuity sothat you can avoid making the errors inthe first place.

Another key use of FPM tools is beingable to translate business requests intoactual changes. In a recent meeting acustomer told me that they spent two daystrying to activate a service for a clientbecause they were not able to identify thatchanges were required on two firewalls toenable the service. An FPM tool thatprovides ‘What If’ capability will ensurethat all necessary changes are shownbefore implementation is necessary.

Rule usage analysis is also a majorproblem without the proper tools.Administrators can very often take days toanalyse a single rule because as rulesmove in the rule base, without automatedtracking tools it is virtually impossible tofollow the rules and their contents in alarge rule base.

Fix the brakes

Choosing to deal with the risk or leaving itin the hope that it doesn’ t happen to youis a choice you make. Not dealing with itis hoping that your colleagues don’t makemistakes. So like my son, if you’re going tolet somebody else ‘drive’ your firewall,you’d better be sure that the ‘brakes’ are working.

www.tufin.com

I S N O W O P I N I O N

(HMRC). I use this software to completemy tax declaration to HMRC and as theyprovide it I expect it to be suitable for itsintended purpose. Not so. This year Idetected three quite significant errors inthe software. Initially it did not take anynotice of any declared foreign income,which was quite surprising in view of thegovernment’s publicity campaign topersuade us to declare such income. Thiswas, however, quite swiftly rectified. Next,the PDF copy of what I was submittingdid not agree with what I had input. Thisis quite serious as it means that I do nothave a true record of what I havesubmitted. I have received a fulsomeapology from HMRC for this, but the faultstill remains un-rectified since I firstreported it last September. Third, theactual tax year for payments made onaccount is incorrect. I have reported this too, but still have not received anacknowledgement despite sending three reminders.

I used the Freedom of Information Actto ask how many software errors had been

detected in the previous twelve monthsand how many remained outstanding? Acommendably swift response revealed that70 software errors had been reported ofwhich 25 were still outstanding.Remember, this is live software being usedby citizens to declare their earnings.During my correspondence with the helpdesk I asked that as I could not be certainthat what I had entered was what theyreceived, did they have a ‘work around’ forme. Yes, they responded, I could submit apaper return.

I pointed out that the deadline forpaper submissions had past. Never mind,they responded, just attach a noteexplaining things and perhaps my local taxoffice would look kindly on me. Thisaltruism was somewhat tarnished by thereminder that a late submission made meliable to a £100 fine, but it was unlikelythat I would be charged interest on anylate tax that I owed! So this is how itgoes. You use software provided by thegovernment at your peril. It may containknown errors, but you will not be informedyou of these.

Their testing process is so poor thatthe software enters production withnumerous errors. You have a duty tosubmit an accurate and timely tax return,but cannot be sure of w hat you aresubmitting as the PDF copy provided bytheir software does not agree with whatyou have entered.

When you raise issues you are told todrop the technology and revert to pen andpaper, but what if you cannot drop thetechnology? If your company submitsPAYE information to the government thenthere is no option other than to use thetechnology as paper returns are no longerpermitted. One hopes that the PAYEtesting and change managementprocedures are more robust than thoseused by their self assessment colleagues.

My letter to the chancellor on theseissues remains unanswered, but I suspectthat he has more pressing concerns at themoment than the integrity of his taxcalculation software.

John Mitchell is Managing Directorof LHS Business Control,a corporate governance consultancy. He is currently a member of the BCS Specialist Groups Executive Committee.

This difference between control and management needs to be understood whenbalancing the absolute against the discretionary in any security structure,process, or mechanism. People are boththe strongest and weakest components inthe security paradigm in that they havethe ability to both detect security weaknesses and also to create them.

Technology does not deliberatelyattempt to manipulate a process, althoughit may sometimes feel like that. People onthe other hand have the ability to makepoor systems work and good systems fail.So if security is only as strong as itsweakest link, then once the securityprocess is in place it is only likely to varyat the behest of a person. Technology mayfail but it is not manipulative, so if I findan error in some software I know with agreat degree of certainty that the error isthere as a result of either human failureor deliberate manipulation.

Which brings me neatly to the selfassessment income tax software suppliedby Her Majesty’s Revenue and Customs

The four pillars of information security are: confidentiality,

integrity, availability and compliance. A good security manager

will ensure a balance of these components across the enterprise,

based on materiality and risk. The IT side of information security

can be controlled pretty absolutely, but the people side can only

be managed because people have free will and can choose whether,

or not, to follow a particular policy, standard, or procedure.

Control or manage?

ISNOW Spring 2009 18

IMAGE GENERATED USING SOURCE CODE F

ROM EMAIL VIRUS NETSKY

>INTRODUCING EMAIL VIRUS NETSKY>IT PROPAGATES THROUGH EMAIL TO INFECT HOST FILES

>WE ELIMINATED IT >AND IT FELT GOOD

>WE DISCOVER & DESTROY THOUSANDS OF UNIQUE VIRUSES EACH MONTH>THE ANTI-VIRUS COMMUNITY RELIES ON OUR ADVANCED INTELLIGENCE>WE HAVE A 100% GUARANTEE AGAINST ALL VIRUSES>VISIT MESSAGELABS.COM/THREATS FOR A FREE TRIAL

Now part of Symantec