Welcome to this, the sixth edition of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to the ISO 17799 information security standard.
The information contained is free to our subscribers and provides guidance on a range of practical issues, plus commentary on recent Information Security incidents.
THIRD PARTY CYBER CRIME ATTACKS
This critical topic is covered in ISO/IEC 17799 under Section 9.4 "Network Access Controls".
Where network security is inadequate there is, of course, a high risk of an external security breach. It is extremely important to have an effective policy statement covering this risk area, for the following reasons:
· Criminals may target your organization's information systems, resulting in serious financial loss and damage to your business operations and reputation.
· Cyber crime is an ever-increasing area of concern, and suitable training must be given to those persons responsible for network security to minimize such risks.
A suitable high level policy statement covering this could be as follows:
"Security on the network is to be maintained at the highest level. Those responsible for the network and external communications are to receive proper training in risk assessment and how to build secure systems which minimize the threats from cyber crime."
It is necessary to build adequate defences against such attacks. The following areas are among those that should be considered:
· Verify that the primary safeguards of your network and those of your individual systems are in place.
  - Identify the access points of your network layout, and verify that the current safeguards are operational.
· Consider the following network protection facilities, some of which offer multiple features:
  - Intrusion detection software that records attempted and successful access to your systems.
  - Address and URL blockers (e.g. your firewall or web proxy) that can prevent connections to or from specific, untrustworthy web sites and / or other computers.
  - Access control lists and related facilities, which permit or deny specific operations on particular files (read, write, execute, delete) and can log attempts to perform them.
  - System-based accounting (audit) records.
  - Pattern (usage) analysis, which identifies changes in on-line activity that may indicate a criminal attack.
  - Network usage analysis, which identifies which applications are being accessed and reports on user authorization levels.
  - Network packet capture ("sniffing") software to determine the origin and nature of an attack.
  - Word pattern (content) analysis that can help e-mail system administrators track down breaches of e-mail policy.
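The first and fifth facilities above, a record of attempted and successful access and a usage-pattern rule run over it, are easiest to see in working code. The following is an added example written for this newsletter item; it is not code from the original page or from the RUSecure system. It parses a constructed sample of OpenSSH authentication log lines (addresses taken from the RFC 5737 documentation ranges), keeps a per-source tally of attempted and successful access, and applies a simple pattern rule that flags a source which guesses many usernames or which succeeds only after a run of failures. The log format, the thresholds and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of sshd syslog lines for illustration only; the addresses
# are RFC 5737 documentation ranges and nothing here comes from a real system.
SAMPLE_LOG = """\
Jan 10 08:01:02 gw sshd[2201]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Jan 10 08:03:15 gw sshd[2204]: Failed password for bob from 198.51.100.9 port 50140 ssh2
Jan 10 08:03:40 gw sshd[2205]: Accepted password for bob from 198.51.100.9 port 50141 ssh2
Jan 10 08:10:01 gw sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jan 10 08:10:03 gw sshd[2211]: Failed password for invalid user root from 203.0.113.5 port 4243 ssh2
Jan 10 08:10:05 gw sshd[2212]: Failed password for invalid user test from 203.0.113.5 port 4244 ssh2
Jan 10 08:10:07 gw sshd[2213]: Failed password for invalid user oracle from 203.0.113.5 port 4245 ssh2
Jan 10 08:10:09 gw sshd[2214]: Failed password for alice from 203.0.113.5 port 4246 ssh2
Jan 10 08:10:12 gw sshd[2215]: Accepted password for alice from 203.0.113.5 port 4247 ssh2
"""

# Matches the OpenSSH "Accepted ..." / "Failed ..." authentication lines shown above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?P<invalid>invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)\sport\s\d+"
)


def parse_events(log_text):
    """Turn raw log lines into structured access events; lines that do not
    match the authentication format are skipped rather than guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "success": m.group("result") == "Accepted",
            "method": m.group("method"),
            "user": m.group("user"),
            "invalid_user": m.group("invalid") is not None,
            "src": m.group("src"),
        })
    return events


def access_record(events):
    """Per-source tally of attempted and successful access: the record an
    intrusion detection facility keeps, here as a plain dict."""
    rec = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for e in events:
        r = rec[e["src"]]
        r["attempts"] += 1
        r["successes"] += int(e["success"])
        r["users"].add(e["user"])
    return dict(rec)


def flag_sources(events, max_failures=3):
    """Pattern (usage) analysis over the event stream. Two patterns are flagged
    per source address (threshold is an assumed value, tune it to your site):
    - 'spray': at least max_failures failures spread over more than one
      username, i.e. password guessing rather than one user mistyping;
    - 'success_after_failures': a successful login from a source that had
      already accumulated max_failures or more failures, the usual sign that
      a guess landed.
    Returns a sorted list of (source, pattern) tuples."""
    failures = defaultdict(int)
    failed_users = defaultdict(set)
    alerts = set()
    for e in events:  # events are in log order, so state builds up over time
        src = e["src"]
        if e["success"]:
            if failures[src] >= max_failures:
                alerts.add((src, "success_after_failures"))
        else:
            failures[src] += 1
            failed_users[src].add(e["user"])
            if failures[src] >= max_failures and len(failed_users[src]) > 1:
                alerts.add((src, "spray"))
    return sorted(alerts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, r in sorted(access_record(evs).items()):
        print(f"{src:15} attempts={r['attempts']} successes={r['successes']} "
              f"users={sorted(r['users'])}")
    for src, pattern in flag_sources(evs):
        print(f"ALERT {src}: {pattern}")
```

Run against the sample, the record shows 203.0.113.5 making six attempts against five different usernames before one succeeds, and both pattern rules fire for it, while bob's single mistyped password from 198.51.100.9 is recorded but not flagged. In a real deployment the tally would be kept per time window and the thresholds set from observed baseline activity, which is the "change in on-line activity" the list item refers to.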
Further advice on this risk area and all others covered within ISO/IEC 17799 can be obtained from the RUSecure Security On-line System at: http://www.yourwindow.to/security-policies/