In News: Australia replaces outdated security manual

Australia introduces new Protective Security Policy Framework (PSPF)

Come August 1, 2013, Australia is all set to introduce the new Protective Security Policy Framework, known as the PSPF, replacing the old Commonwealth Government Protective Security Manual (PSM), reports Mike Rothery, First Assistant Secretary at the Attorney General’s Department’s National Security Resilience Policy Division. The policy provides guidance on securing information, physical assets and people.

Protective security is a key enabler for government business. Whether it is protecting the privacy of citizens, preventing the theft of assets, ensuring the safety of workers or making sure critical data is available when it is needed, the new PSPF aims to help agencies get their job done. A key driver for the change was a review of the old PSM by the Attorney-General’s Department, which found that the PSM was ‘compliance driven’ and lacked flexibility, impeding the ability of many agencies to effectively conduct daily business and deliver services.

Whilst effective in protecting national security information, the old PSM did not allow for sufficient flexibility in handling unclassified but sensitive material, such as commercial and personal information.

The new PSPF seeks to deal with these limitations, as well as new challenges posed by information technology. The new policy considers the additional risks from the aggregation of data, in addition to the classification of the individual pieces of information. An aggregation of information may require a higher level of protection than its component parts.
For example, where the harm caused by the unauthorised access of an individual piece of unclassified information might be minor, the harm caused by the unauthorised access to a complete library of information at that same classification level may be significantly higher. This consideration is particularly important given developments in technology enabling vast amounts of information to be stored in the one place. 

Consider the huge amounts of data that can be stored on small devices such as USB sticks, for example.
For this reason, the PSPF includes the Australian Government information security management guideline on aggregated information. In keeping with the move from hard copy to electronic storage, the guideline relates specifically to the security of electronic aggregations of Australian Government information.

One of the most noticeable changes to the policy is a new security classification system. The old systems of separate classifications for national security and non-national security information have been replaced; the new policy has a simplified single classification structure.

The classifications of Restricted and Highly Protected have been abolished to leave a single structure of Protected, Confidential, Secret and Top Secret. This change will assist agencies in conducting their day-to-day business by allowing greater interoperability across government and facilitating both information sharing and information protection.

In place of the term ‘in-confidence’, new dissemination limiting markers have been introduced for use by agencies to restrict the availability of official information where disclosure is limited or prohibited by legislation, or requires special handling. This is particularly useful for information covered by the privacy principles.

In addition to changes to information security, the PSPF initiates important broader changes to protective security, including reforms to personnel security, physical security and governance arrangements.
The biggest change in policy is the move from a compliance based approach to one that is risk-based. This marks a significant departure from the ‘one size fits all’ nature of the PSM, and allows agencies the latitude to find the most efficient controls that suit their business.

While the PSPF specifies controls for the handling of classified information, it recognises that the bulk of sensitive information held by government relates to the private sector and the personal information of citizens. With a growing demand for the online delivery of government services, the new policy allows agencies to determine their own controls for the unclassified information they hold, including when using the Internet for service delivery.

The PSPF is engineered to be flexible, so that individual agencies can use it to develop and implement policies and practices that suit their needs while maintaining minimum requirements to protect their most sensitive information.

By actively managing risk, agencies will be able to use the Internet to engage directly with clients, while at the same time protecting their networks and preventing unauthorised access to data libraries.
In addition to the intrinsic sensitivity of information, agencies are now required to consider the full range of negative consequences from a security breach.

These are described in new Business Impact Levels or BILs. These cover such issues as damage to reputation, risk of litigation and the loss of trust with customers or partners. The BILs have been established to guide agencies in the development of their own risk management policies and procedures.

As security vetting assessments of staff are a snapshot in time, the new policy for personnel security emphasises the importance of ‘aftercare’ or whole of career considerations. The policy also supports the centralisation of the security clearance process in the Australian Government Security Vetting Agency.
The physical security policy remains largely unchanged as a result of the PSPF, with the exception of new advice on protecting culturally significant and valuable assets, achieving security for diverse worksites and incorporating physical security into disaster management.

The PSPF includes core public sector governance principles to support a proactive security culture across agencies. Governance arrangements aim to ensure that agencies adhere to applicable protective security standards, have clear roles and responsibilities for protective security functions and decision making, and make the best use of limited protective security resources.

Executive level leadership is integral to achieving agency-wide commitment to good protective security performance. An important element is the new requirement for agency heads to make an annual statement of compliance against the core security requirements to the relevant portfolio Minister.

Some State and Territory governments have expressed interest in applying selected parts of the PSPF in their jurisdictions. Discussions between the Commonwealth and State and Territory governments on these opportunities are continuing.

To assist agencies in implementing the new policy, the PSPF and its supporting guidelines are now publicly available on a dedicated protective security policy website at www.protectivesecurity.gov.au. Here you will find all the necessary guidance material required to implement the PSPF at agency level. The Protective Security Policy team at the Attorney-General’s Department is also available to assist with protective security policy advice and can be contacted at pspf@ag.gov.au.

Coming into force in August, agencies are now in the transition stage, leading to full implementation by 31 July 2013.

10 Biggest Information Security Stories of 2012

I recently visited an interesting post on InformationWeek.com that is worth sharing. Read on for the repost.

10 Biggest Information Security Stories of 2012

From John McAfee’s escape from Belize to the privacy debacle that compromised CIA director Petraeus’ career, 2012 had no shortage of security shockers.

On the information security front, 2012 has featured nonstop takedowns and arrests, breaches and data dumps, and hacktivist-launched distributed denial-of-service (DDoS) attacks.

Early in the year, notably, hackers breached Stratfor, while the FBI arrested alleged Anonymous and LulzSec ringleaders. By year’s end, hacktivists were still out in force — this time supporting Syrian rebels and targeting picket-happy Westboro Baptist Church. In between, there were a plethora of hacks, defacements, leaks, arrests, mass surveillance, privacy violations and numerous other high-profile information security happenings. Here are the highlights from 2012:

1. Feds Bust Alleged LulzSec, Anonymous Ringleaders.
Hacktivist group LulzSec dominated headlines in 2011 for its 50-day hacking and defacement spree, as well as witty press releases. After those attacks, U.S. and U.K. law enforcement officials began arresting alleged LulzSec participants, many of whom were also accused of participating in attacks launched under the banners of Anonymous and AntiSec. But LulzSec leader Sabu appeared to elude the authorities.
That turned out to not be the case, when in March 2012 the FBI arrested a handful of alleged LulzSec and Anonymous leaders — accused of launching attacks against PBS, Sony, Stratfor and more. Court documents unsealed after those arrests revealed a stunning turn of events, and what many hacktivists would soon label as betrayal. In fact, Sabu — real name Hector Xavier Monsegur — had been cooperating with the FBI since being secretly arrested in June 2011. In short order, the former LulzSec leader apparently had helped the bureau identify his alleged former comrades, leading to their arrests.
2. DDoS Attackers Reach New Heights With Bank Attacks.
How do you define a DDoS attack? Many hacktivists label it as a form of online protest, while law enforcement agencies say disrupting websites remains a punishable offense, and have the arrests and convictions to prove it. Regardless, attackers have continued to push DDoS attacks to new levels of packet-overwhelming power, leading security experts to warn that so-called Armageddon attacks — which disrupt not only a targeted site, but every service provider in between — might soon become reality.
A glimpse of that new reality has been seen in the DDoS attacks launched by Muslim hacktivists against U.S. banks. After compromising numerous servers with DDoS toolkits, the attackers have been able to overwhelm leading Wall Street firms’ websites, despite the attackers revealing in advance which sites they’ll target, and when. The bank attacks reveal that with advance planning and a good DDoS toolkit, attackers might soon be able to disrupt any website they choose.
3. Escape From Belize: AV Founder John McAfee Turns Fugitive.
The security-related world turned surreal in November, when eccentric security expert John McAfee, who’d founded and later sold the McAfee antivirus firm, announced that he was on the run from authorities in Belize. McAfee claimed the government was trying to frame him for a murder after he refused to honor its shakedown request.
McAfee’s freedom proved short-lived when his location was revealed through an information security error: Journalists traveling with him posted an iPhone snap with McAfee, but failed to remove the GPS coordinates that had been automatically included in the image. Soon, the dual American and British citizen was arrested by Guatemalan authorities, requested asylum, faked a heart attack, had his asylum request refused, and was deported to Miami, where he’s now reportedly lying low.
4. Espionage Malware Is All Around.
What do Stuxnet, Duqu, Flame, Gauss and Mini-Flame all have in common? They’re all examples of espionage malware, and they were all designed at least in part by the United States. That conclusion can be drawn because unnamed U.S. government officials this year confirmed that Stuxnet was the product of a U.S. cyber-weapons program.
Because security researchers who studied Stuxnet have found evidence that it’s related to Duqu, as well as to Flame and Gauss, it’s clear that the United States hasn’t shied away from using malware to spy on its opponents. Which means that the opposite, of course, is also likely to be true.
5. Attackers Turn To Wire Transfers.
Malware also has long been a favorite tool of criminals, because they can use it to make money, most often by stealing people’s bank credentials and transferring money to dummy accounts, from which money mules withdraw the funds via ATMs. Although such attacks aren’t new, the sophistication and success rate of the related malware appears to be on the increase. In September, notably, the FBI, Financial Services Information Sharing and Analysis Center, and the Internet Crime Complaint Center released a joint warning that criminals have been targeting bank account information using “spam and phishing e-mails, keystroke loggers, and remote access trojans (RATs),” as well as variants of the Zeus financial malware. Individual heists have bagged up to $900,000 in one go. U.S. officials have claimed that the Iranian government is sponsoring the attacks.

6. Privacy Bill Of Rights Lacks Force Of Law.
Earlier this year, the White House unveiled a pioneering Consumer Privacy Bill of Rights, building on FTC recommendations for increasing the transparency of how businesses use people’s personal information. Unfortunately, because the bill of rights hasn’t been passed by Congress and become law, the White House has to encourage businesses to say they’ll voluntarily abide by the recommendations.
Also this year, California’s attorney general began requiring that all mobile apps distributed to its residents — and thus, really, any U.S. resident — would need to contain clear privacy policies, or be in breach of California law. Later in the year, California carried through by warning and then suing Delta Airlines for failing to offer a privacy policy for its mobile apps.
Beyond the White House and California, however, the body that’s most notably been absent from advancing consumer privacy protections has been Congress, which has so far failed to pass any laws aimed at protecting people’s online privacy.
7. How Girlfriends Stop Hackers.
What stops hackers from hacking? Simple: Jobs, relationships, children and other adult responsibilities. Some readers, perhaps not making it past the related story headline —“One Secret That Stops Hackers: Girlfriends” — took offense at the suggestion that more hackers need girlfriends. Others suggested that the actual cost of procuring girlfriends for hackers might prove exorbitant, while other respondents reported that yes, in fact they’d dropped hacking because they’d gotten a girlfriend.
Based on research conducted by online psychology expert Grainne Kirwan, who lectures at Ireland’s Dun Laoghaire Institute of Art, Design and Technology, most law-breaking hackers, as do other criminals, simply “age out” of their life of crime after getting more responsibilities. But even with that knowledge, the next step toward preventing more teenagers from breaking the law by hacking remains an open question.
8. Revealed: Outsourced Brokerage Firm IT Meltdown.
Although the downfall of brokerage firm GunnAllen occurred in 2010, its demise arguably began a decade before, when one broker began running Ponzi schemes, followed by another concocting a “trade allocation scheme” that routed profits from profitable picks to his wife. But the firm’s demise could also be glimpsed by the manner in which the firm’s executives outsourced all IT responsibilities for at least several years to the Revere Group, and never looked back.
But former Revere employees revealed this year that numerous IT errors had remained unreported to regulators, and perhaps even GunnAllen management. Among other incidents, network traffic-handling trades were routed through a home network; unencrypted lost laptops remained unreported to regulators; and a rogue engineer apparently was sabotaging equipment and playing hero by fixing it. Also notable was the fact that the missteps remained undetected by regulators.
9. Designerware PC Rental Surveillance Tool Revealed.
Consumers who buy rent-to-own PCs, beware: A judge has ruled that it’s okay to spy on you and your children. That fact emerged during a court case against software developer Designerware, as well as multiple rent-to-own businesses that used the company’s software for “loss prevention” purposes. Although many of the businesses claimed they only used the software to recover laptops from people who missed payments, former employees told a court that rent-to-own managers and employees regularly used the software to remotely activate webcams and spy on people’s “intimate activities.”
Those revelations led to FTC charges, which in September both DesignerWare and seven rent-to-own businesses agreed to settle, although Florida’s attorney general launched her own investigation. Meanwhile, Designerware’s two principals declared bankruptcy after seeing their court costs mount — so some related privacy justice, while delayed, does seem to finally have been served.
10. FBI Investigation Snares CIA Director Petraeus.
Consumer advocates have long maintained that the privacy protections afforded to Americans, and their personal data, remain sorely lacking. Perhaps the best illustration to date of people’s poor privacy rights arrived in November via an FBI agent outing an affair between the director of the CIA, David Petraeus, and his biographer, Paula Broadwell.
Petraeus’ career was undone by Broadwell sending anonymous emails of an allegedly threatening nature to Jill Kelly, a friend of Petraeus whom Broadwell viewed as a rival. Kelly showed the emails to an FBI agent, who alerted the bureau’s cybercrime investigators, who traced them back to the sender, in part via a Gmail account Broadwell shared with Petraeus to coordinate their affair.
After the bureau found no evidence of wrongdoing that it wished to prosecute, the FBI agent friend of Kelly suspected that the White House was covering up the incident, and so leaked details to Rep. Dave Reichert (R-Wash.), who took it to Rep. Eric Cantor, the GOP majority leader, who — not knowing that the FBI had dropped the investigation — took the information to Petraeus’ boss, James Clapper, the director of national intelligence. Clapper told Petraeus to resign. One upside from the case is that the ease with which Petraeus’ affair was discovered and his career apparently wrecked has finally driven more members of Congress to weigh better consumer privacy protections for all.

IaaS Security Challenges: New Draft Guidance from NIST

The National Institute of Standards and Technology has come out with a publication explaining selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. The publication, titled “TRUSTED GEOLOCATION IN THE CLOUD: PROOF OF CONCEPT IMPLEMENTATION (DRAFT)” (NIST Interagency Report 7904, or simply IR 7904), describes a proof of concept implementation that was designed to address those challenges. The publication is intended to be a blueprint or template that can be used by the general security community to validate and implement the described proof of concept implementation. IR 7904 provides sufficient details about the proof of concept implementation so that organizations can reproduce it if desired.
From the publication, here’s how NIST explains the problems the draft guidance addresses:

    Shared cloud computing technologies are designed to be very agile and flexible, transparently using whatever resources are available to process workloads for their customers. But there are security and privacy concerns with allowing unrestricted workload migration.

    Whenever multiple workloads are present on a single cloud server, there is a need to segregate those workloads from each other so that they do not interfere with each other, gain access to each other’s sensitive data, or otherwise compromise the security or privacy of the workloads. Imagine two rival companies with workloads on the same server; each company would want to ensure that the server can be trusted to protect their information from the other company.

    Another concern with shared cloud computing is that workloads could move from cloud servers located in one country to servers located in another country. Each country has its own laws for data security, privacy and other aspects of information technology. Because the requirements of these laws may conflict with an organization’s policies or mandates – for instance, laws, regulations – an organization may decide that it needs to restrict which cloud servers it uses based on their location.

    A common desire is to only use cloud servers physically located within the same country as the organization. Determining the approximate physical location of an object, such as a cloud computing server, is known as geolocation. Geolocation can be accomplished in many ways, with varying degrees of accuracy, but traditional geolocation methods are not secured and they are enforced through management and operational controls that cannot be automated and scaled, and therefore traditional geolocation methods cannot be trusted to meet cloud security needs.

    The motivation behind this use case is to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated hardware root of trust method for enforcing and monitoring geolocation restrictions for cloud servers. A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and the platform. The hardware root of trust is seeded by the organization, with the host’s unique identifier and platform metadata stored in tamperproof hardware. This information is accessed using secure protocols to assert the integrity of the platform and confirm the location of the host.

    NIST requests comments on Draft IR 7904 by Jan. 31. Comments should be sent to ir7904-comments@nist.gov, with “IR 7904 comments” in the subject line.
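The attestation flow the quoted passage describes (a root of trust seeded with the host’s identifier, platform metadata and location; a signed assertion of platform integrity and location; and a placement decision that enforces a geolocation restriction), as an added Python simulation. This is example code, not NIST’s proof-of-concept implementation: it assumes an HMAC key as a stand-in for a hardware attestation key, and the host records, geotags and policy are constructed for the example.

```python
import hashlib
import hmac
import json
import os

class HardwareRootOfTrust:
    """Stand-in for tamper-resistant hardware seeded with host id, platform data and geotag."""

    def __init__(self, host_id, platform, geotag):
        self._store = {"host_id": host_id, "platform": platform, "geotag": geotag}
        # An HMAC key shared with the verifier stands in for the asymmetric
        # attestation key real hardware would sign with (assumption).
        self.key = os.urandom(32)

    def measurement(self):
        # Integrity digest over everything the root of trust protects.
        blob = json.dumps(self._store, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def quote(self, nonce):
        # Signed assertion binding host id, geotag and measurement to a fresh nonce.
        body = {"host_id": self._store["host_id"], "geotag": self._store["geotag"],
                "measurement": self.measurement(), "nonce": nonce.hex()}
        sig = hmac.new(self.key, json.dumps(body, sort_keys=True).encode(),
                       hashlib.sha256).hexdigest()
        return {**body, "sig": sig}

def verify_quote(quote, key, nonce, golden):
    """Return (ok, reason); golden maps host_id to the measurement taken at seeding."""
    body = {k: v for k, v in quote.items() if k != "sig"}
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False, "signature mismatch: quote altered or not from this root of trust"
    if quote["nonce"] != nonce.hex():
        return False, "stale quote: nonce mismatch"
    if golden.get(quote["host_id"]) != quote["measurement"]:
        return False, "platform metadata or geotag changed since seeding"
    return True, "attested"

def placement_allowed(quote, key, nonce, golden, allowed_geotags):
    """Scheduler policy: migrate only to an attested host in a permitted location."""
    ok, reason = verify_quote(quote, key, nonce, golden)
    if not ok:
        return False, reason
    if quote["geotag"] not in allowed_geotags:
        return False, "geolocation %s not permitted by policy" % quote["geotag"]
    return True, "placement permitted on " + quote["host_id"]

def demo():
    # Constructed sample hosts; geotags are country codes chosen for the example.
    au = HardwareRootOfTrust("host-au-01", {"bios": "1.2", "hv": "kvm"}, "AU")
    us = HardwareRootOfTrust("host-us-07", {"bios": "1.2", "hv": "kvm"}, "US")
    golden = {"host-au-01": au.measurement(), "host-us-07": us.measurement()}
    policy, nonce = {"AU"}, os.urandom(16)
    return {
        "au": placement_allowed(au.quote(nonce), au.key, nonce, golden, policy)[0],
        "us": placement_allowed(us.quote(nonce), us.key, nonce, golden, policy)[0],
        # Editing the geotag in transit invalidates the signature over the quote.
        "forged": placement_allowed(dict(us.quote(nonce), geotag="AU"), us.key, nonce, golden, policy)[0],
        # A quote captured for an earlier nonce cannot satisfy this request.
        "replay": placement_allowed(au.quote(os.urandom(16)), au.key, nonce, golden, policy)[0],
    }
```

Only the host whose quote verifies and whose attested geotag is on the allow-list is accepted; a tampered geotag, a replayed quote or a changed platform measurement is refused with the reason recorded.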