10.16.07

Security Spending - How Much of IT Budget

Posted in Security Awareness, Security Governance, Security Program Development, Security Staffing at 10:24 pm by jtbevis

There is an article on The Register web site claiming security spending has soared to 20% of the IT budget.  This is based on a poll of 1070 organizations.

http://www.theregister.co.uk/2007/10/11/comptia_security_survey/

It is a shame the article doesn’t provide more detail.  It would be nice to know the industries surveyed, the size of the organizations, and all of the categories assessed.  Does this review include staffing, business continuity, disaster recovery, application security, etc.?

My experience shows that most organizations can’t account for the actual security dollars spent.  When evaluating IT security within an organization, excluding physical security and business continuity, most organizations I review are in the 1% to 5% range of the IT budget, with the exception of the major financial firms and a few others.  These numbers are also pretty much in line with the annual CSI/FBI surveys.

  • What is your experience? 
  • Can you account for your total security budget? 
  • What does that budget include?

Unfortunately this area of security is still lacking in the amount of free information available to the public, and many of the assessments are limited to fewer than 1000 respondents.  I would be happy to post some links on this site if anyone has some good free resources or whitepapers.

09.27.07

PHIN 2.0 Requirements

Posted in Policy and Compliance at 5:28 pm by jtbevis

There are updated guides for anyone who does security compliance assessments of, or works with, the Public Health Information Network (PHIN).  These were updated in June of 2007.  There are many changes from the previous 1.0 version guides.  For the new requirements guide see below.

PHIN Requirements 2.0

09.21.07

Extreme Social Engineering Paper

Posted in Risk Assessment, Security Awareness, Security Governance, Security Program Development, Social Engineering at 4:34 pm by jtbevis

The PhishMe blog entry on building employee awareness of social engineering tactics was inspiring, so I finally decided to put up a paper on this site covering similar subject matter.

Extreme Social Engineering

Combating the Insider Security Threat - A Security Awareness Exercise

This paper has been developed to address the human factor of security and the apparent weaknesses within organizations due to employees’ lack of security awareness.  The purpose is to provide organizations a simple solution for increasing security awareness and combating other malicious insider security threats through a series of social engineering exercises. The document is available by clicking the name above or by accessing the “Papers” section of the site.  

PhishMe Blog Entry:

http://blog.phishme.com/2007/09/time-to-phish-your-customers/

09.19.07

Data Leak! What Not to Do!

Posted in Passwords, Threats, What doesn't work at 1:11 pm by jtbevis

The other day I performed an external penetration test and obtained access using a default password that had not been changed (which is common).  Afterwards I began looking up statistics on passwords, and here is one of the links that was listed in a regular Google search.

http://staff.washington.edu/krl/stats/pwc/

Amazing that someone would, to this day, post such information on a public website.  Nice to know if this were my next external penetration target.  Wait, it gets better!  Looking at the URL it was obvious there had to be more, so instead of going to the /pwc directory I modified the URL to go back one level, which led me to these:

http://staff.washington.edu/krl/stats/ 

http://depts.washington.edu/ast/projects.old/

http://depts.washington.edu/ast/projects.old/pwedit.html

Thanks, Ken, for showing us all a perfect example of “What NOT to Do”! I especially enjoyed the following:

  • Home directories /rc, /cg, /mailer

  • The mail server statistics that show me what appear to be system names and the number of entries in the /etc/passwd file.

  • The large directory listing with a plethora of information

  • The nice picture of your license

  • A password hash U:4001     A:2B314469   N:noyd       P:MWlJQdaJvoxaE    G:15       C:6

Ken

So why did I post this?

Two reasons.  One, I have a blog.  Two, because sometimes the best lesson you can learn is by seeing the mistakes of others.  Of course I plan to send an email to Ken and show him this blog entry.  If there is any follow-up to the story I will post another message.
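As an added example (not part of this blog post or Ken’s site), here is a small pre-publication check a webmaster could run over a document root to catch the two mistakes called out above: directories that would render a listing because they carry no index file, and files that contain crypt(3)-style password hashes, either as a classic passwd line or in a `P:` record field like the one shown. The sample tree and hash are constructed; the set of index file names and the 13-character DES crypt format are assumptions about the server.

```python
import os
import re
import tempfile

# Index files that stop a web server from rendering a directory listing (assumed set).
INDEX_FILES = {"index.html", "index.htm", "index.php"}

# Traditional crypt(3) DES hash: 2-char salt + 11 chars, all from the crypt alphabet.
CRYPT = r"[A-Za-z0-9./]{13}"
# "P:<hash>" field, the record layout seen in the exposed page.
RECORD_FIELD = re.compile(rf"\bP:{CRYPT}(?![A-Za-z0-9./])")
# Classic /etc/passwd line carrying the hash in the second field.
PASSWD_LINE = re.compile(rf"^[a-z_][a-z0-9_-]*:{CRYPT}:\d+:\d+:")

def file_leaks_hash(path):
    """True if any line of the file carries a crypt-style password hash."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return any(RECORD_FIELD.search(ln) or PASSWD_LINE.match(ln) for ln in fh)

def scan_webroot(root):
    """Walk a document root; return (relative path, kind) findings with kind in
    {"no-index", "crypt-hash"}. Paths always use '/' as the separator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if not INDEX_FILES & set(files):
            findings.append((rel, "no-index"))  # listing is served if indexing is on
        for name in files:
            if file_leaks_hash(os.path.join(dirpath, name)):
                findings.append((name if rel == "." else f"{rel}/{name}", "crypt-hash"))
    return findings

def build_sample_tree():
    """Constructed sample document root (not real data): a clean landing page, a
    'stats' directory with no index file that also holds a leaked account record,
    and a 'stats/pwc' directory that is properly covered by an index file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "stats", "pwc"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>home</html>\n")
    with open(os.path.join(root, "stats", "pwc", "index.html"), "w") as fh:
        fh.write("<html>password change statistics</html>\n")
    with open(os.path.join(root, "stats", "notes.txt"), "w") as fh:
        fh.write("U:4001 A:2B314469 N:sample P:xxSAMPLEhash1 G:15 C:6\n")  # constructed hash
        fh.write("sample:xxSAMPLEhash1:4001:15:Sample User:/home/sample:/bin/sh\n")
    return root

if __name__ == "__main__":
    for rel, kind in scan_webroot(build_sample_tree()):
        print(f"{kind:11} {rel}")
```

The "no-index" finding is a heuristic: it only matters where the server has directory indexing enabled, so the fix is to disable indexing server-wide and treat the file-content findings as the hard failures.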

08.03.07

BS 31100 Code of Practice for Risk Management

Posted in Policy and Compliance, Risk Assessment, Security Program Development at 9:02 pm by jtbevis

The BS 31100 Code of practice for risk management is also out in draft form, free to download and review.  This document has the same review deadline as the BCM draft below.

http://www.bsi-global.com/en/Standards-and-Publications/Industry-Sectors/All-Standards/BS/BS-31100-Draft-for-Public-Comment-DPC-/

BS 25999-2 Business Continuity Management

Posted in Business Continuity, Policy and Compliance, Security Program Development at 8:37 pm by jtbevis

The BS 25999-2 Specification for business continuity management is out in draft form, free to download and review.  My apologies for sitting on this so long and not getting it out earlier; the review deadline is today.  Anyway, it’s still good to download while you can.

http://www.bsi-global.com/en/Standards-and-Publications/Industry-Sectors/All-Standards/BS/BS-25999-2-Draft-for-Public-Comment-DPC-/

07.26.07

Broken Links

Posted in What doesn't work at 1:56 pm by jtbevis

If at any time while browsing this blog you notice a link is not working, please leave a comment or send an email.  Yesterday I noticed the policy whitepaper link at Foundstone is not working.  I am currently working with McAfee to figure out where the document moved, or to get it uploaded back onto the site.  My apologies, but in the future if you notice a problem with a link please point it out and I will update the site ASAP.  There is nothing more frustrating than broken links on a website or blog.

07.19.07

MTA NYC Explosion: Poor Business Continuity

Posted in Business Continuity, Security Governance, Security Program Development, What doesn't work at 2:06 am by jtbevis

It’s amazing that after so many disasters and crises in NYC, the MTA (Metropolitan Transportation Authority) still can’t seem to get it right.  The link below has a summary of the disaster scenario.

NYC Steam Blast Explosion  

Anyway, so NYC is falling apart and all the people who live in Connecticut and upstate New York require transportation out of the city.  Usually the commuters take the Metro North trains.  Unfortunately the explosion was located outside Grand Central Station, where the Metro North trains depart NYC, so access to trains was limited.

Problem

More than 45 minutes after the disaster occurred, MTA still did not have its continuity plan in full action.  If you dialed the MTA-Info number listed on their web site you were out of luck.  Response: all lines are busy.  The website did not have a service alert message for commuters.

http://www.mta.info/ 

OK, phones being out of service is expected, except that only MTA’s phones were the issue.  Next step: call 311 (the NYC information hotline); maybe the NYC main government information center could help figure out how to get out of the city.  311 staff didn’t know the status of the MTA trains.  311 staff also couldn’t contact MTA because the phones were still out of service at MTA.  Out on the street it was worse.  The police were controlling the area, so they were the only government staff a person could ask a question.  The answer the police responded with was “you have to wait around”.

I can’t recall whether it was the news or 311 that mentioned going to 125th Street, which is one of the locations the Metro North trains pass while heading north.  The only problem is that the train stops were not modified, so, sad to say, many commuters watched trains drive right past.

Improvement

This is basic, but many companies fail at crisis management, business continuity, and disaster recovery on some of the simplest items, like phone hotlines.  MTA needs to update its current plan to include:

  • A phone hotline that is immediately updated with the current crisis status and directions for customers (this should not be the normal MTA line; it should be a dedicated crisis information hotline, or make more effective use of the existing 311 system).

  • Faster updating of the website in emergency situations.

  • Identified key contacts to improve downstream communications to the police on the street.

  • Re-evaluation of train stops, by communicating with employees in the field to identify over-capacity issues at particular stops, such as the 125th Street location.

Good Practice

What did MTA do right?  They finally got the information out to the news channels and onto the website, but I’m sure it was hard for people standing on the street to get that information.

More on Emergency Management and Business Continuity

FEMA has a great deal of information on emergency management.

http://www.training.fema.gov/EMICourses/EMICourse.asp

DRJ has a good deal of information on business continuity and disaster recovery.

http://www.drj.com/new2dr/model/bcmodel.htm

07.12.07

Security Threat Statistics - Resources

Posted in Risk Assessment, Threats at 9:38 pm by jtbevis

Where do you get statistics and probabilities on threats?  It seems organizations always ask for hard facts on threat statistics, but the research doesn’t appear to be very mature.  Creating a good threat library and making a best-guess effort seems to be common practice in the security industry.  A few good sources for this information exist, such as:

  • CERT’s E-Crime Surveys

http://www.cert.org/archive/pdf/ecrimesurvey06.pdf

  • The National Counter Terrorism Center

http://www.fas.org/irp/threat/nctc2005.pdf

  • FEMA

http://www.fema.gov/hazard/

  • Workshare Reports

http://www.workshare.com/go/research/07aprilthreats.pdf

And then there are all kinds of sites that can help you build a threat library but lack statistics, such as:

  • Georgia Institute of Technology

http://www.oit.gatech.edu/information_security/architecture/threat.html

Some of these sources were used to start the ISM’s list, but my involvement has slipped; time and time again, however, there is a need for this information.  If anyone has other good resources let me know and I will add them to the links page and see about getting some of this information into the ISM community threat library.

06.20.07

Good HIPAA Risk Assessment Topics

Posted in Risk Assessment, Security Program Development at 4:25 pm by jtbevis

I came across a pretty good list of topics that auditors ask for in a HIPAA audit.  This is usually the same material looked at during a HIPAA risk assessment.  If you haven’t incorporated all of these topics in your risk assessment, now is a good time to go through the list and update your approach.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253&pageNumber=1
