Tag Archives: separation

[ISN] What every utility should know about the new physical security standard

http://www.intelligentutility.com/article/15/01/what-every-utility-should-know-about-new-physical-security-standard By William E. Reiter intelligentutility.com Jan 29, 2015 On April 16, 2013, an incident in San Jose, California, led to development of a new physical security standard for owners and operators of transmission stations and substations. In the 2013 incident, a sniper attack on a Pacific Gas & Electric transmission substation knocked out 17 large transformers that powered Silicon Valley. The sniper attack served as a dramatic wake-up call for the industry and raised fears regarding the vulnerability of the nation’s power grid to terrorist attack. The more than 160,000 transmission line miles that comprise the U.S. power grid are designed to handle natural and man-made disasters, as well as fluctuations in demand; but what about physical attack? As a result of the San Jose assault, the Federal Energy Regulatory Commission (FERC) in April 2014 required the North America Energy Reliability Corporation (NERC) to establish Critical Infrastructure Protection (CIP) standards to “address physical security risks and vulnerabilities related to the reliable operation” of the bulk power system. NERC developed and issued what is now commonly referred to as CIP-014-1. This is a physical security standard that has a stated purpose to identify and protect transmissions stations and transmission substations and their associated primary control centers that—if rendered inoperable or damaged as a result of a physical attack—could result in uncontrolled separation or cascading within an interconnection. […]


[ISN] Google offers “leet” cash prizes for updates to Linux and other OS software

http://arstechnica.com/security/2013/10/google-offers-leet-cash-prizes-for-updates-to-linux-and-other-os-software/ By Dan Goodin Ars Technica Oct 9 2013 Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google’s current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company’s software and Web properties. Security researchers inside the company considered modifying the program to reward bug reports in open-source software, but eventually decided against that approach. The reason: bug bounty programs often invite a flood of reports of varying quality that can overwhelm the finite resources of open-source developers. What’s more, it’s frequently much harder to patch a vulnerability than merely to find it. “So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug,” Michael Zalewski, a member of the Google security team, wrote in a blog post. “Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just enable ASLR—we want to help.” Beginning immediately, the program will offer rewards between $500 and $3,133.70 for security improvements to core infrastructure network services such as OpenSSH, BIND, and ISC DHCP; image parsers such as libjpeg and libjpeg-turbo; the open-source foundations of Google Chrome; the high impact code libraries OpenSSL and zlib; and security-critical, commonly used components of the Linux operating system kernel. Eventually, Google will pay for fixes to other open-source programs, including the Apache Web server, Sendmail e-mail service, and the OpenVPN virtual private networking app. […]


What is a “Separation of Duties”?

Often, I find in my job as a security professional that I must explain what a separation of duties is and why it is necessary in an organization. The term “separation of duties” seems a little nebulous for many but it is the act of separating a business process into several distinct parts. These distinct parts of a business process that are normally separated are the execution, approval and audit functions of the process.

Examples of Separation of Duties:

1. Security incident investigation – Typically, an investigation is initiated by a security operations function (CSIRT) and then after an investigation is completed the assessment of the incident response process is performed by IT Audit or an Internal Audit department to ensure the process is being executed based on the documented procedure.

2. Payroll – Typically, payroll departments are responsible for the distribution of checks, the manager of the employee being paid approves the hours worked and then an Internal Audit function may check to ensure all the processes are being followed and the appropriate payment amounts are being completed.

3. Vulnerability Management – Security operations or engineering functions typically use a scanning application such as a Rapid7, McAfee Vulnerability Manager or QualysGuard scanning engine to scan devices on the network for security vulnerabilities, once a scan is completed tickets may be created to address these vulnerabilities. An IT Audit department may come in and request a “sample” of the tickets to ensure that proper remediation is being performed and that tickets are not being closed without an actual remediation of the vulnerabilities.

The Goal:

The primary goal for implementing proper separation of duties should always be the prevention of fraud. By separating business processes into these segments, we can ensure that a business process is efficiently executed and checked by an independent party that can assure the execution is appropriately. Implementation of a separation of duties prevents a single business process to be completely managed by a single individual and thus requires collusion to occur before fraud can take place. In most cases, it is more difficult (however not impossible) to enlist the help of others to perform fraud. The primary goal is to reduce the risk of fraud, not to completely prevent it.


The great debate: Is compliance security?

Recently I made the statement to a colleague that compliance is not security and he got all up tight and disagreed with me. But even after our little debate it’s still truely my belief that although security and compliance are intertwined and compliance has driven companies to do much more security than they would have without it, compliance does not equal security. Here is how I explain the separation and what I would encourage you do at your own company.

How do we define security?
Security is an ever changing and unattainable goal that probably began when humans first battled for the availability to keep and retain life supporting resources such as food and water. Back then I imagine a big hairy man and woman guarding over the food they gathered the day before or the land with water on it. Today what we protect is more complex and consist of such things as money, intellectual property, goods, services etc. One thing that many of us tend to forget is that things we do in our lives and the jobs we have still equate to protecting our basic staples from the threat of having them taken away.

What is Compliance?
Compliance in the past was a simple process of checking that a family member were stationed appropriately to keep watch over our valuable goods. They would simply ensure that the person had the right amount of sleep, coffee or tea to keep them up if they had night duty, or the family would ensure they had something to wake them in the event one of the barn doors were to open or a host of other small things done to ensure we’d trigger a response. Compliance is basically a process of “checking” to see that we are doing what we know we ought to do.

Why is security not compliance?
The fact is the family could ensure that all the protections were in place and that the right person were out guarding the fort but meanwhile someone could be digging under the ground right past the guard or hiding behind a bush and moving it closer to the food each time the guard looked away. Compliance sets the BASIC known mechanisms of protection, what compliance does not do is protect against the unknown or the “being discovered” through active research. So my advice to all the security practitioners out there is sure comply…. but then focus on security and create for yourself what I call “natural compliance”, the act of being ahead of the game. Cutting edge security requires that you go beyond the known and invest in technologies that will protect you even if not required by a law or regulation or policy. That my friends is how I make the distinction between security and compliance.