Mark E.S. Bernard Cloud Computing and Associated Risks based on ISO 27001 ISMS
Compiled by Mark E.S. Bernard, CRISC, CGEIT, CISM, CISA, CISSP, PM, PA, CNA, ITIL, ISO27k Lead Auditor, SABSA F2, Information Security, Privacy & Governance Consultant, Mobile: 250-812-7060 or email: [email protected]

Upload: mark-edward-stirling-bernard

Posted on 22-Jan-2015


DESCRIPTION

In early 2010 I facilitated a Cloud Computing Risk Assessment for presentation at the ISACA Victoria Chapter based on my own 22 years of experience as both a customer and as a service provider. Over the course of the last 7 years I have been working almost exclusively with Cloud Computing Vendors, Suppliers and Cloud Computing Service Providers to adopt ISO 27001 – Information Security Management System (ISMS). The adoption of ISO 27001 ISMS has been very badly communicated because it is so new and so many consultants are jumping on the bandwagon, so I felt that this would be useful. In 2010 I had no idea that ISO 27001 would become the de facto security standard for Cloud Computing that it has. Since that time I have added additional SlideShare presentations to review what a typical statement of work and the Human Resource Allocation might look like, in an attempt to raise awareness and knowledge of this rapidly growing profession. If you have any questions or require some of my expertise please contact me at [email protected] or 250-812-7060. These days I have been traveling around the globe helping corporations and I know that I can help you too.

TRANSCRIPT

Page 1: Mark E.S. Bernard Cloud Computing and Associated Risks based on ISO 27001 ISMS


Page 2:

• Cloud Predictions
• eCommerce Evolution
• Cloud Analysis
• Risk Management
• Terms

Page 3:

Mark E.S. Bernard, CPA/PA, PM, ISO27k Lead Auditor, CISSP, CISA, CISM, CGEIT

Contact phone: 250-812-7060; e-Mail: [email protected]

EXPERIENCE: Mark has twenty years of proven experience within the domain of Information Security, Privacy & Compliance within a broad range of industries including: Government, Financial Services, Credit Unions, Charter Banking, Insurance, Pharmaceutical, Telecommunications, Technology, Manufacturing and Academia.

• In 2009 Mark led the Canadian Financial Services ISO/IEC 27001 Registration/Certification of the 1st Public Sector organization for the Ministry of Labour, Citizen Service, Common Business Service and more specifically Corporate Accounting Services.
• In 2009 Mark led the Transition-In Project of the new Core Services Contractor to Corporate Accounting Services on behalf of the Province.
• In 2009 Mark led the Technology and Operations workstream during the Negotiated Request for Proposal for Corporate Accounting Services on behalf of the Province.
• In 2008 Mark led the Canadian Financial Services ISO/IEC 27001 Registration/Certification of the 1st online banking system for Credit Union Central of British Columbia, now Central1.
• Mark led the Canadian Financial Services Privacy, Security, and Compliance Office work-stream during the outsourcing of the Ministry of Small Business and Revenue and the contract refresh on behalf of EDS Advanced Solutions.
• Mark led International Food Manufacturer Information Security Program development and implementation of the Information Security Management System on behalf of McCain Foods Limited, a 6.7 billion-dollar global business.
• Mark led the International Technology Services Independent System Assurance Review against international financial systems located in Trinidad, Barbados, Nassau, Jamaica and Antigua and financial systems managed in Canada, running on behalf of IBM Global Services.
• Mark led the Canadian Insurance HRIS Business Unit for Zurich Insurance for 7 years as Manager of HRIS, including in-house payroll systems.
• Mark led the Canadian Financial Systems Project to upgrade IBM iSeries servers supporting the Toronto Stock Exchange and TD Bank Wealth Management Services.
• Mark led the International Pharmaceutical Manufacturer Project to centralize Enterprise Resource Planning systems and the ISO 9001 and 9002 re-certification of lab systems in compliance with FDA and Health Canada regulations for Taro Pharmaceuticals.

VOLUNTEER: Mark has volunteered his time to participate and actively contribute to the local Information Systems Audit and Control Association chapter and the High Technology Crime Investigation Association chapter. Mark was the founder of New Brunswick’s HTCIA chapter.

MEDIA: Mark has published articles in magazines and contributed to the CISM Common Body of Knowledge, in addition to appearing as an expert source on Information Security and Privacy topics at local conferences and in newspapers, on CBC Radio and Rogers Cable Television.

Page 7:

• Order Series (ORD)
• Materials Handling Series (MAT)
• Tax Services Series (TAX)
• Warehousing Series (WAR)
• Financial Series (FIN)
• Government Series (GOV)
• Manufacturing Series (MAN)
• Delivery Series (DEL)
• Engineering Management & Contract Series (ENG)
• Insurance/Health Series (INS)
• Miscellaneous ANSI X12 Transactions Series (MIS)
• Mortgage Series (MOR)
• Product Services Series (PSS)
• Quality and Safety Series (QSS)
• Student Information Series (STU)
• Transportation:
  - Air and Motor Series (TAM)
  - Ocean Series (TOS)
  - Rail Series (TRS)
  - Automotive Series (TAS)

Page 8:

CICA is a new approach to message design aimed at resolving the costly proliferation of differing (and often incompatible) XML messages used for business-to-business data exchange. CICA gives developers access to reusable components that can be used to construct interface standards to satisfy common business requirements as well as industry-specific needs.

CICA is a syntax-neutral architecture that supports both business content and implementation information. CICA messages ("documents") can currently be expressed as XML schemata.

Page 9:

[Diagram: a Value Added Network linking Government Ministries and Suppliers over an Intranet Cloud and an Internet Cloud, with Citizens reached over a further Internet Cloud]

Page 15:

• Quality of Service standards?
• Service Level Agreement?
• Eliminating capital expenditures on hardware and software.
• Transferring Service Management to the Service Provider.
• Access to broader ranges of applications at lower costs?
• More functionality through their service offerings?
• More flexibility with capital budget vs operating budget?
• Improve the efficiency of their data center by transferring inefficient processes.
• Who will champion the adoption of Cloud Computing?
• Open standards that fuelled the rapid growth of Cloud Computing?

Page 17:

• Clouds are complex, comprising highly specialized applications made up of even more granular, yet simple, application procedures replicated thousands of times
• Clouds can generate both security benefits and risks
• How can we establish and maintain trust?
• How can the virtualization of servers and systems maintain acceptable levels of security?
• How can encryption be successfully deployed and managed over millions and maybe billions of extremely complex, unique data streams and business channels?
• How can we even hope to achieve mandatory compliance with statutes, regulations and contractual obligations?

Page 18:

• Tactically, “Virtualization” is about saving money
• Strategically, “Virtualization” leads to flexible resourcing

1) Enables economies of scale: Cloud providers maximize the usage of their resources to make money.
2) Decouples users from implementation: Virtualization forces the relationship to change from implementation to service level agreements.
3) Speed, flexibility, agility: Early adopters of cloud computing talk about how quickly they can get new servers online. Compared to the 4-6 weeks it takes an average IT shop to deploy a server, just about anything is faster. However, virtual machines can be deployed roughly 30 times faster.
4) Breaks software pricing and licensing: Software manufacturers can’t charge users for physical capacity when only a small portion of it is used. It’s also impossible to charge for every potential server the software might be running on.
5) Enables and motivates chargeback: When servers can be delivered in minutes rather than weeks, IT users ask for more – roughly two times as much. IT needs to focus more on usage accounting and chargeback.

Page 20:

The term "Web 2.0" (2004–present) is commonly associated with web applications that facilitate interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web. Examples of Web 2.0 include web-based communities, hosted services, web applications, social-networking sites, video-sharing sites, wikis, blogs, mashups and folksonomies.

A Web 2.0 site allows its users to interact with other users or to change website content, in contrast to non-interactive websites where users are limited to the passive viewing of information that is provided to them.

Page 23:

• Authority Attack (with or without artefact): using fake identification or badge, utility service, or law enforcement uniform, to gain access or identify a key individual by name/title as a supposed friend or acquaintance, or claiming authority such as a lawyer or auditor and demanding information (impersonation).
• Zero-Sum Knowledge Attack: Baiting someone to add, deny or clarify pieces of information or incorrect information, claiming to know more than they actually do, to solicit more information.
• Persistent Attack: Continuous harassment using guilt, intimidation and other negative ways to reveal information. This could take place over days, weeks, months.
• Stake-Out Attack: Analyze operational activity over a period of time including people, regular mail, or special courier, and/or supply deliveries, the patrol patterns of guards, location of CCTV, off-hours activity.
• “The boy who cried wolf” Attack: Setting off a series of false alarms, either physical or digital, until someone gets tired of responding and disables the alarm system.
• Help Desk Attack: Impersonating a current or new end-user needing help with access to a network or server.
• Fake Survey/Questionnaire Attack: Win a free trip to Hawaii, or somewhere special, in exchange for completing a survey and answering questions about work or your network.

Page 25:

• Quality of Service Standards
• Open Standards
• Ajax (asynchronous JavaScript and XML)
• Java
• Delphi
• Product Realization
• Software Development Life Cycle
• Acceptance Criteria
• Quality Management – ISO 9001:2008
• 7 Product realization
• 7.1 Planning of product realization
• 7.2 Customer-related processes
• 7.3 Design and development
• 7.4 Purchasing
• 7.5 Production and service provision
• 7.6 Control of monitoring and measuring equipment

Page 26:

• Distributed background worker pool
• Load-balanced, edge-service processes handling user requests (often virtualized)
• Distributed caches (like memcached)
• CDN (content delivery network like Akamai)
• Distributed blob storage (like S3)
• Asynchronous, durable message queues (like SQS)
• Non-relational/non-transactional databases (like SimpleDB, Google BigTable, Azure SQL Services)

Page 29:

• Kiosk Mode
• Unauthenticated Access
• (Un)Hidden Hotkeys
• Restricted Desktop Access
• Attack Microsoft Office

Page 34:

SCOPE: Review and assess proposed Cloud services for Software as a Service, Platform as a Service and Infrastructure as a Service.

RATIONALE: Consideration was given to the fact that Cloud services are a new service delivery approach that has not been fully implemented. There is more emphasis on partnering with service providers and dependency on managing necessary controls through collaborative partnerships and/or transferring risk completely to the service providers. Transparency of processes, consistency of outcomes, and quality of service and deliverables will become more and more important, and thus understanding the potential issues is important to its success.

The threat-risk assessment was facilitated against existing best practices for information security management systems, ISO/IEC 27001:2005. These controls are based on industry best practice for information handling, based on known vulnerabilities and risks associated with most businesses; however, this standard was initially developed by and for government in the UK.

Page 38:

• Unauthorized and/or uncoordinated and unplanned changes
• Ineffective acceptance criteria
• Ineffective application tests for malicious code
• Broken or ineffective cryptographic controls
• Unchecked technical vulnerabilities
• Missing security requirements
• Noncompliance with legal obligations
• Missing audit requirements
• Ineffective security in development and support processes
• Missing confidentiality agreements
• Ineffective or broken network access control
• Unknown users accessing the network
• Ineffective privilege management
• Incomplete removal of access rights upon exits
• Ineffective or missing fault logging
• Weak external party service delivery management

Page 39:

• Missing or weak governance of external party services
• Missing capacity management
• Lack of information handling procedures
• Missing or weak information exchange policies and procedures
• No exchange agreements
• Below-standard network controls
• Weak security of network services
• No independent reviews of information security
• Unchecked risks related to external parties
• No flow-down of security and privacy obligations in external party agreements
• Weak application and information access controls
• No corrective and/or preventive actions for errors in processing of applications
• Broken or weak electronic commerce services
• Ineffective audit logging
• No security of log information
• Inability to collect evidence
• Ineffective Business Continuity planning

Page 40:

• Weak or ineffective control of secure areas
• Weak operating system access control
• Unprotected system files
• No reporting of information security incidents
• No reporting of security weaknesses
• Ineffective compliance with security policies and standards
• Missing authorization process for information processing facilities
• No communication concerning acceptable use of assets
• Noncompliance with classification guidelines
• Missing information labelling and handling
• Ineffective employee/contractor security screening
• Missing or ineffective information security awareness, education and training
• No disciplinary process for employees or contractors

Page 43:

• Reduce risk by transferring it to the Cloud Service Provider
• Security auditing and testing could be simplified
• Streamline the automation of security management
• Built-in redundancy will improve disaster recovery and business continuity
• Lower Total Cost of Ownership
• Lower costs of services
• Reduce the need for capital by as much as 40%
• Provide a broader range of services
• Provide an agile response to increases and decreases in service demands

Page 44:

• Establishing Trust?
• Suppliers’ response to audit findings
• Support for investigations and evidence gathering
• System administrator accountability
• Drawing the line between proprietary and nonproprietary for examination
• Virtualized servers and applications
• Physical control of the data
• Mandatory compliance with statutes, regulations and contractual obligations

Page 49:

Security Posture:

• Equilibrium State (EQ): In this state the threats are identified and the appropriate safeguards are deemed to be in place.
• Vulnerable State (VU): In this state the threats far outweigh the safeguards.
• Excessive State (EX): In this state the safeguards far outweigh the threats. This can result in overspending in the area of security measures.

Information Classification:

• Low Sensitivity (L): a) limited financial losses, b) limited impact in service level, or c) performance, embarrassment and inconvenience.
• Medium Sensitivity (M): a) loss of competitive advantage, b) loss of confidence in the government program, c) significant financial loss, d) legal action, or e) damage to partnerships, relationships and reputations.
• High Sensitivity (H): a) extremely significant financial loss, b) loss of life or public safety, c) loss of confidence in the government, d) social hardship, or e) major political or economic impact.
• Unclassified (U): a) information of public knowledge that can be found on most government web sites and would include such information as the government telephone books, advertisements for job opportunities in the various ministries, government-wide initiatives such as Government-On-Line, public health information, job classification level and range of pay scale.
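As an added example (not part of the original slides), a small Python helper that applies the posture states (EQ/VU/EX) and classification levels (U/L/M/H) above to a list of assessment findings, using gap items from the deck's risk lists as the threats. The coverage thresholds per classification, the rule for the Excessive state, and the sample assets and control mappings are all assumptions made here, not the author's scoring method.

```python
# Added example, not from the original slides: a threat-risk assessment helper
# that applies the slide's Security Posture states (EQ / VU / EX) and
# Information Classification levels (U / L / M / H) to a list of findings.
# The coverage thresholds, the EX rule and the sample assets are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum share of identified threats that must have a safeguard in place
# before the posture counts as Equilibrium (assumed values; the slide defines
# the states but not how to score them).
REQUIRED_COVERAGE = {"U": 0.0, "L": 0.5, "M": 0.75, "H": 1.0}
POSTURE_NAMES = {"EQ": "Equilibrium", "VU": "Vulnerable", "EX": "Excessive"}


@dataclass
class Threat:
    description: str                 # e.g. an item from the Page 38-40 gap lists
    safeguard: Optional[str] = None  # control deemed in place, None if missing


@dataclass
class Asset:
    name: str
    classification: str              # "U", "L", "M" or "H"
    threats: List[Threat]
    extra_safeguards: List[str]      # controls in place that map to no threat


def posture(asset: Asset) -> str:
    """Return the asset's posture code: "EQ", "VU" or "EX"."""
    if asset.classification not in REQUIRED_COVERAGE:
        raise ValueError(f"unknown classification {asset.classification!r}")
    total = len(asset.threats)
    covered = sum(1 for t in asset.threats if t.safeguard)
    coverage = covered / total if total else 1.0
    if coverage < REQUIRED_COVERAGE[asset.classification]:
        return "VU"  # threats far outweigh the safeguards
    # Assumed EX rule: every threat is covered and the controls that address
    # no identified threat outnumber the threats themselves (likely overspend).
    if coverage == 1.0 and len(asset.extra_safeguards) > total:
        return "EX"
    return "EQ"


def gaps(asset: Asset) -> List[str]:
    """Threats with no safeguard in place, i.e. what the assessment must fix."""
    return [t.description for t in asset.threats if not t.safeguard]


# Constructed sample: two proposed cloud services assessed against items taken
# from the deck's gap lists. Asset names and control mappings are made up.
SAMPLE_ASSETS = [
    Asset("Online banking SaaS", "H", [
        Threat("Unknown users accessing the network", "network access control"),
        Threat("Incomplete removal of access rights upon exits"),
        Threat("No security of log information", "protected central log store"),
    ], []),
    Asset("Public job-posting site", "U", [
        Threat("Ineffective audit logging", "web server audit logging"),
    ], ["encryption at rest", "confidentiality agreements"]),
]


def report(assets: List[Asset] = SAMPLE_ASSETS) -> Dict[str, str]:
    """Map each asset name to its posture code."""
    return {a.name: posture(a) for a in assets}
```

With the sample data the banking service lands in VU because one High-sensitivity threat has no safeguard, while the Unclassified site lands in EX because it carries more unrelated controls than identified threats.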
