Ten things you should know about ISO/IEC 27001


By Shannon Lane

1.    What it ISO 27001

ISO 27001 is an international standard for information security management.

2.    Why is ISO 27001 important to me?

Information is the lifeblood of most contemporary organisations’. It provides intelligence, commercial advantage and future plans that drive success. Most Organisation store these highly prized information assets  electronically. Therefore, protection of these assets from either deliberate or accidental loss, compromise or destruction is increasingly important. ISO 27001 is a risk-based compliance framework designed to help organisations effectively manage information security.

3.    Why are international standards like ISO 27001 important?

Many Industries and many Governments have adopted ISO 27001 as the de facto standard for information security management practices. ISO is particularly popular at the State Government level within Australia where it is often mandated, and in industries such as ICT and data centre hosting.International Standards provide significant benefits overall to the domestic and global economy.

For Consumers
Proof of conformity to International Standards helps reassure consumers that products, systems and organisations are safe, reliable and good for the environment.

For Business
International Standards can be a strategic tool to help businesses tackle challenges and compete on a global stage.
Adoption can: open up new markets, improve competitiveness through greater customer satisfaction, reduce costs, streamline systems and processes, and increase productivity.

For Society
Standards improve safety, quality and environmental outcomes as well as encouraging international trade.

4.    Why is ISO 27001 important?

Having an international standard for information security allows a common framework for managing security across business and across borders. With an ever more connected world, the security of information is increasing in importance.

Data and information needs to be safe, secure, and accessible. The security of information is important for personal privacy, confidentiality of financial and health information and the smooth functioning of systems and supply chains that we rely on in today’s interconnected world.

ISO 27001 provides the framework for you to effectively manage risk, select security controls and most importantly, a process to achieve, maintain and prove compliance with the standard.
Adoption of ISO 27001 provides real credibility that you understand security and take security seriously.

5.    What are the elements of ISO 27001?

ISO 27001 is made up of a number of short clauses, and a much longer annexe listing 14 security domains and 114 controls. The most important of the short clauses relate to:

  • The organisational context and stakeholders
  • Information security leadership and high-level support
  • Planning of an Information Security Management System (ISMS), including risk assessment; risk treatment
  • Supporting an ISMS
  • Making an ISMS operational
  • Reviewing the system’s performance
  • Adopting an approach for corrective actions

Based on the risk profile of the organisation, controls may be selected to manage identified risks. Within the Annex, the 114 listed controls are broken down into 14 key domains which are listed below:

  • Information security policies
  • Organisation of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

6.    How does it work? – What is a Risk-Based Approach to Compliance?

Unlike other security standards, for example, the Payment Card Industry – Data Security Standard (PCI-DSS) and Sarbanes-Oxley (SOX), which are highly prescriptive and control driven, ISO takes a risk-based approach to security compliance. In other words, there are no defined set of security controls that must be implemented regardless of the type of business operation, as is the case with PCI-DSS. Controls are selected based on their ability to mitigate risks to the organisation

ISO 27001 is concerned with the process of continual improvement and a demonstrated commitment to managing information security based on risks to the organisation’s information assets.
A risk-based approach to managing information security ensures that security risks are appropriately prioritised, cost effectively managed as well as ensuring that only those controls that are necessary to manage these risks are implemented. It is a comply or explain approach. Based on your organisations’ risk, you can comply with the controls that help manage risk, or simply explain why they aren’t relevant and why you don’t need them. There is no compliance for the sake of compliance with ISO.

7.    Where should I start?

Before starting out on the path to certification, it may be worthwhile understanding if certification is required, or if compliance will suffice. For many organisations, certification is not a requirement.

For those industries where certification is a requirement, the path to achieving certification should not be treated as a one-off project. Firms that successfully maintain certification over multiple years, treat information security as a critical business process and invest time, resources and effort into ongoing compliance. Certification is the logical consequence of compliance, and should be relatively easy if a solid compliance regime is established and maintained.

For most organisations, the logical place to start is to conduct a gap analysis against the requirements of ISO 27001.

8.    The Audit Process

External certification can only be conducted by an Accredited Certification Body (CB). In Australia, Shearwater recommends certification services from reputable CB’s only, such as BSI and SAI Global.

The initial audit process is undertaken in two stages:

  • Stage 1 – A Documentation Review that focuses on a desktop review of available ISMS documentation and processes. Sufficient evidence of a functioning ISMS is required in order to progress to the Stage 2 audit.
  • Stage 2 – Focuses on evaluating the implementation and effectiveness of the management system. The audit will assess evidence and will typically require the ISMS to have been running for a period of at least three months.

The certification cycle also requires regular external surveillance audits to be performed and evidence that the management system is being actively maintained. Surveillance audits for ISO 27001 are typically performed every six months, however, mature systems in low-risk industries can be extended to an annual audit cycle in consultation with the certification body. ISMS re-certification occurs every 3 years.

9.    Who wrote ISO 27001? – History

ISO (International Organization for Standardization) is the world’s largest developer of voluntary International Standards. Many Countries have their own national standards governing everything from railway gauges, electrical power point specifications, building materials, personal protective equipment and children’s toys, to name just a few. When a standard reaches maturity and has widespread application in more than one jurisdiction, ISO forms a working group and works towards publishing an International Standard.
The original forerunner of ISO 27001 was written by the UK Government’s Department of Trade and Industry (DTI), and then published by the British Standards Institute (BSI) as BS 7799 in 1995.

10.    Tips, trick and pitfall avoidance

Before Certification
Don’t underestimate the number of stakeholders you will need to consult. In large organisations, stakeholder management can be a large undertaking and key requirement for a successful compliance activity.

Partner with experienced information security providers who know the implication of advice, in particular with respect to the selection of information security controls. Many controls sound like a good idea, but the implementation can be much more challenging.
Start with an understanding of risks and development of a management system before jumping into controls and technology. Investing time up front to understand your risk posture will pay long-term benefits.

During Certification

Avoid anybody who guarantees certification within 1 month. They can’t! Certification Bodies require at least 3 months of evidence at the stage 2 Audit to make a recommendation for certification to the Accreditation Body.

Certification Bodies are prevented under another ISO standard (19011) and scheme rules from performing certification and consulting/advisory services due to conflict of interest issues. Some get around this by offering extended pre-assessments of gap analysis. Whilst these may appear cheap, there are limits to the amount of actionable recommendations that can be provided.

After Certification
You will be entitled to display an ISO 27001 certification mark. The certification mark is tangible proof that you take care of information, are committed to protecting data entrusted to you, and are fulfilling your commercial, contractual and legal responsibilities with respect to information security. A great idea would be to promote this certification on your marketing collateral and website as a source of differentiation from your competitors.

MS15-034 – HTTP.sys Advisory


By Mark Hofman, Terry Darling, and Simon Treadaway


1- Background on Microsoft Security Bulletin MS15-034 (CVE CVE-2015-1635)

Microsoft earlier this week released a patch for both servers and workstations, MS15-034. This patch addresses an issue in the file http.sys. The http.sys file is used by the operating system to accept and process HTTP and HTTPS requests. At the time of release the information provided by Microsoft was that remote code exploitation may have been possible. Since its release on Tuesday Proof Of Concept (PoC) code has been published on the Internet. The initial versions would only check for a particular response from the server. However these have now morphed into simple requests that will cause a Denial of Service (DoS) and cause the Windows system to blue screen.

The vulnerability may result in a complete takeover or disruption of systems and services through a successful DoS attack. Microsoft states it has not received any information to indicate that this vulnerability has yet been publicly used in attacks, however since its release PoC code has emerged, and multiple threat intelligence honeypots are detecting scans for this vulnerability utilising the strings that result in a DoS.

Mass scale exploitation of Internet-facing web-servers having the vulnerability is expected.

As exploitation does not require authentication or an indicator of compromise the most effective response is to implement remediation measures as soon as reasonably possible.


2- How does it work

The vulnerability is in the main component of the Windows HTTP protocol stack known as http.sys and is caused when http.sys improperly parses what Microsoft describes as “specially crafted HTTP requests”. The specially crafted packet is a header request sent to the server with a RANGE parameter and some values.

 

GET / HTTP/1.1 Host: MS15034 Range: bytes=0-18446744073709551615

 

Successful exploitation of the vulnerability could allow an attacker to remotely execute arbitrary code in the context of the IIS account being used (the default IIS user account is SYSTEM) and to thereby gain full remote access to the affected Windows system. It is however more likely that the DoS version of the code will be used to disrupt services.

Further technical details can be found at:


3- Who is affected

Any Microsoft server or workstation that accepts HTTP/HTTPS traffic is likely to be affected by this issue. Whilst most of the information available focuses on IIS, as this is the main application that utilises this particular file, it is not the only product running in Windows environment that will be vulnerable.

Microsoft states the following versions of their operating system is vulnerable:

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation option)
  • Windows Server 2012 R2 (Server Core installation option)


4- How can you identify if you are vulnerable

The mainstream testing tools such as Nessus, Nexpose and nmap have updated scripts and signatures to perform checks.

The simplest method to test if your machine is vulnerable is to perform the following check from either a linux system or windows system (that has curl):

$ curl -v [ipaddress]/ -H “Host: test” -H “Range: bytes=0-18446744073709551615”


if the response includes “Requested Header Range Not Satisfiable” the server is likely vulnerable.

 

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML
4.01//EN””http://www.w3.org/TR/html4/strict.dtd”>
<HTML><HEAD><TITLE>Requested Range Not Satisfiable</TITLE>
<META HTTP-EQUIV=”Content-Type” Content=”text/html; charset=us-ascii”></HEAD>
<BODY><h2>Requested Range Not Satisfiable</h2>
<hr><p>HTTP Error 416. The requested range is not satisfiable.</p>
</BODY></HTML>


Some PowerShell alternatives are available but testing suggests these scripts may not be reliable.


5- How can you remediate

To fix the issue the only approach at this time is to patch and apply the fix released earlier this week (i.e. MS15-034). Priorities:

  1. Internet facing Microsoft web servers should receive first priority, especially those utilising IIS as the web server.
  2. As a second priority any remaining internet facing Windows systems should be patched.
  3. Internal servers utilising IIS
  4. Remaining internal servers
  5. Workstations (unless these are running IIS in which case they should be treated as a level 3 priority)

Alternate options:

  • Disable IIS caching (IIS 7 upwards) – This will prevent the attack from being successful however will have significant impact on the performance of the server and is not a first choice.
  • Intrusion Prevention Signatures – The main Intrusion Detection vendors as well as those with Next Generation firewalls will already have signatures for this attack. Please be aware that effectiveness depends on the signature.
    • The more effective signatures will target the RANGE request as that means it will identify and drop all requests. It is not a parameter that is regularly passed in a normal application.

Given the criticality of the vulnerability Shearwater’s recommendation is to patch in accordance with the priorities outlined above.


6- How can we help

If required there are several ways in which we can assist. These include:

  • Identifying vulnerable services
  • Prioritising patch deployment
  • Assisting with risk management

Shearwater is dedicated to its customers’ security, and are always happy to provide advice. If any assistance is required please contact us via email to: seh@shearwater.com.au or via phone on: 1300 228 872