Information Security Management Principles in a Nutshell

  • Security is an emergent property of people using information and information systems. Therefore, security is inherently dependent on this context.
  • It is possible to determine what people expect from information and information systems.
  • It is possible to increase the likelihood that security expectations are met by using appropriate tools and processes.
  • An incident, by definition, is any instance in which a user's security expectation is not met.
  • Lessons learnt from incidents must be used to improve tools and processes. The same type of incident should never happen twice.
  • The cost of tools and processes must be proportionate to the cost of the incidents they protect against.
  • Incidents should be prevented using two or more complementary tools and processes. This should eliminate single points of failure.
  • Protection and monitoring should be performed at the highest abstraction level possible, thus protecting against business-significant incidents. (Protect the pound, not the byte.)

Download the new O-ISM3 v2.0 today!

O-ISM3 is a Standard method published by The Open Group. It is the only Standard that introduces the use of short cycle continuous improvement in information security.

The main improvements are:

  • Improved definition of types of metrics and added guidance on how to use metrics.
  • Improved definition of maturity levels.
  • Improved definition of management practices.

Future ransomware will attack Trust in your Data, not Access

The road ahead

I knew it. It is too late to say it now, but I knew a ransomware worm attack was going to happen. Really. And I feel so bad about not writing about it that I need to make a forecast of other things to come in the world of malware attacks. I am sure I was not the only one who knew.

No, the recent WannaCry attack was not the largest infection in history. Conficker, Slammer and ILoveYou infected more computers and perhaps created more damage. Why did WannaCry have to happen? Because it could.

We have seen for the last few years ransomware distributed using phishing and drive-by downloads. It was only a matter of time before someone connected the dots and thought of creating a ransomware worm.

Many have now learnt something that had been forgotten: vulnerabilities need to be patched. As the consequences of not patching are not immediately apparent, and the consequences of not testing the restore of backed-up data are not immediately apparent either, for many IT teams it became acceptable not to patch and not to test. For the next few months, this will no longer be the case. After that, managers will have new worries or will follow new fads, IT personnel will move on to new jobs, and in two or three years a new worm will shake the world.

Just as IT learns how to prevent worm attacks, attackers will learn from their mistakes. The WannaCry writers made several mistakes:

  • The infection spread to companies that were not the original target.
  • The infection spread too fast: This attracted attention and the response was relatively fast and effective.
  • There was a bug in the code that was supposed to prevent the malware from being sandboxed and analyzed. It was used, albeit unintentionally, as a kill switch for further infections.
  • The number of bitcoin accounts was too low to track who made an individual payment. This clearly indicates that they were not aiming at multiple targets.

The interest of the ransomware attackers is that the infection is discovered quickly after some useful data has been encrypted, but not before. It is in their best interest that the ransom claimed is low enough to entice payment, and to create a sense of urgency by adding a time limit for the payment. It is in their interest that antivirus measures do not detect them, and that whether a system is patched or not does not stop the attack. How will they achieve their goals?

  • Future ransomware attacks will trigger out of business hours instead of upon infection. As the data is not being actively used, the amount of data encrypted will be larger.
  • Future ransomware worms will spread using multiple channels: Mail, Bluetooth, LAN, drive-by downloads, social networks.
  • Future ransomware will target narrower and narrower targets more and more accurately, exploiting known vulnerabilities that have not been patched according to information collected by "malware scouts".
  • Future ransomware will stop encrypting data. Instead, file names and contents, and especially database contents, will be subtly changed over several days. This will render backup copies useless, and will diminish trust in the information so much that payment will be inevitable. Remember that data encryption is only used in order to prevent access to the data. Destroying the TRUST in the data will be even more damaging.

I would not be surprised if the change log is recorded encrypted in a blockchain-based ledger.

What gives data value is the cost of data acquisition, storage and processing, and the quality of the data (to what degree can you trust it?). Young data is of relatively little value if it can be acquired again. Very old data may have become obsolete. Business-quality data can be very expensive to replicate or validate. This is where the future ransomware will hit. Among all data types, dates are particularly vulnerable, as you can change them without losing credibility. Think of the damage of not knowing whether the contract renewals of your clients are correct or not. What about the appointments of all your patients?

Inevitably, when this attack becomes common, companies will get ransom claims when no data has been changed. Will this be called bluffware?

And finally, attackers may stop using bitcoin. They may move on to the stock market and demand that the attack be published, trusting to profit from the predictable changes in the stock value caused by the company being in the news.

What can you do to prevent being a victim of this future ransomware?

  • Implement highly mature security processes that stay in place after changes in management or personnel.
  • Educate your users.
  • Keep backup copies. Check periodically that restores work.
  • Keep your systems up to date with security patches.
  • Keep your systems protected with updated antivirus.
  • Ensure that all changes to your business-grade data are monitored and logged.
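As an added example (not code from the original post), here is a small Python script that puts the last two recommendations into practice from a defender's point of view: a per-record hash baseline taken when a verified backup is made, a hash-chained log of approved changes (a plain-file stand-in for the "blockchain-based ledger" idea mentioned above), and an audit that flags any record that changed without a matching ledger entry, which is exactly the kind of silent date change the post warns about. The record layout, the field names and the sample contract rows are constructed for this demo and are not from the post.

```python
import hashlib
import json


def canonical_digest(record):
    """SHA-256 over a canonical JSON form, so key order never affects the hash."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def build_baseline(records, key="id"):
    """Map record id -> digest. This is the trusted snapshot taken at a known-good time,
    for example right after a restore test has succeeded."""
    return {str(r[key]): canonical_digest(r) for r in records}


def field_changes(old, new):
    """Field-level diff between two versions of the same record: {field: (old, new)}."""
    fields = sorted(set(old) | set(new))
    return {f: (old.get(f), new.get(f)) for f in fields if old.get(f) != new.get(f)}


class ChangeLedger:
    """Append-only, hash-chained log of approved changes. Each entry commits to the
    previous entry's hash, so altering, reordering or dropping an entry is detectable."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, record_id, changes, actor, ts):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "record_id": str(record_id),
                 "changes": changes, "actor": actor, "ts": ts, "prev": prev}
        entry["hash"] = canonical_digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True if no entry was altered, reordered or removed since it was written."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or canonical_digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def logged_ids(self):
        return {e["record_id"] for e in self.entries}


def audit(baseline_records, current_records, ledger, key="id"):
    """Compare current data against the baseline and the ledger. Reports which records
    changed, which of those changes have no ledger entry (silent modifications),
    and which records vanished or appeared."""
    base = {str(r[key]): r for r in baseline_records}
    now = {str(r[key]): r for r in current_records}
    base_digest = build_baseline(baseline_records, key)
    now_digest = build_baseline(current_records, key)
    changed = {rid: field_changes(base[rid], now[rid])
               for rid in base_digest.keys() & now_digest.keys()
               if base_digest[rid] != now_digest[rid]}
    return {
        "ledger_intact": ledger.verify(),
        "changed": changed,
        "unexplained": sorted(rid for rid in changed if rid not in ledger.logged_ids()),
        "missing": sorted(base_digest.keys() - now_digest.keys()),
        "new": sorted(now_digest.keys() - base_digest.keys()),
    }


# Constructed sample data (hypothetical contracts table): the rows at backup time and now.
CONTRACTS_BASELINE = [
    {"id": 101, "client": "Acme Ltd", "renewal_date": "2018-03-01", "value": 12000},
    {"id": 102, "client": "Globex", "renewal_date": "2018-06-15", "value": 8000},
    {"id": 103, "client": "Initech", "renewal_date": "2018-09-30", "value": 4500},
]
CONTRACTS_NOW = [
    {"id": 101, "client": "Acme Ltd", "renewal_date": "2018-03-10", "value": 12000},  # date nudged, nobody logged it
    {"id": 102, "client": "Globex", "renewal_date": "2018-06-15", "value": 9000},     # approved change, logged below
    {"id": 103, "client": "Initech", "renewal_date": "2018-09-30", "value": 4500},
]


def demo():
    ledger = ChangeLedger()
    ledger.append(102, {"value": (8000, 9000)}, actor="sales-ops", ts="2017-06-01T09:12:00Z")
    return audit(CONTRACTS_BASELINE, CONTRACTS_NOW, ledger)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit reports contract 101 as an unexplained change (its renewal date moved nine days with no ledger entry), while the logged price change on 102 is accounted for. In practice the baseline digests and the ledger must live somewhere the production database cannot write to, otherwise the same intruder who edits the data can edit the evidence.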

I sincerely think that this is the future of ransomware, but as a professional, I hope this time I am wrong.
