Bay Computing Newsletter, 4th Issue (BayNewsletter_4)
Bay Newsletter new1.pmd, 11/9/2551, 21:01


EDITOR'S NOTE & NEWS UPDATE

Hello there. Nowadays many organizations are increasingly interested in risk management so that the business can keep running in the event of an attack or other disruption. This issue of Bay Newsletter covers Business Continuity Management (BCM), part 1. We hope you gain useful knowledge from it, and we welcome any suggestions you have for us.

Nida Tangwongsiri, General Manager

Bay Computing Conducted RSA enVision Technical Training

Last July, the Bay Computing technical team conducted a full-day technical training session for partners on RSA enVision appliances. The sessions were intensive and covered all the required material. The event was also a good opportunity to get together and share experience of running proofs of concept (POCs) on the enVision platform for compliance and security information management. By the end of the day our partners had gained a deeper understanding of our log management solution, and the knowledge and skills to support their customers.

Seminar News: Best Practices for Optimizing and Protecting Your Web Application - a Joint Seminar brought to you by Bay Computing & Citrix Systems

You are cordially invited to the seminar "Optimize and Protect Your Web Application by Citrix" on September 26th, 2008. The seminar will take place at the Arnoma Hotel, Ratchadamri Road, starting at 9:30 a.m. It is also an opportunity to hear "What hackers are thinking" and see a hacking demo from the Citrix team.

Please RSVP at Tel: 0-2962-2223 or email matina@baycoms.com. Don't miss the chance!

Bay Computing and Technology Partners Joined TOT IT Security Day

Bay Computing took part in TOT IT Security Day, which is held annually. With log management as its main theme, Bay Computing and its supporting technology partners (RSA enVision, IPScan and Citrix) gave participants useful information on log management for compliance with the Computer Crime Act and other regulations.

Citrix Appointed Bay Computing a Citrix Value-Added Reseller

Citrix has recently appointed Bay Computing an official Value-Added Reseller (VAR) for its Citrix NetScaler solution, which accelerates customers' web applications by at least five times, protects against threats at the application layer, and reduces the cost of management and operation.



COVER STORY

Business Continuity Technology, Part I

By Avirut Liangsiri, Enterprise Solution Manager, Bay Computing Co., Ltd.

"93% of all companies that experience a major loss of data are out of business within five years," Gartner says.

Data protection and business continuity are technologies that protect data and keep business operations running without interruption. They have become necessary tools for organizations because a stoppage of the business can have a severe impact in several dimensions:

Productivity loss, determined by the number of employees affected, the business processes affected, the drop in productivity, and the duration of the outage.

Reputation loss, which raises concerns among customers, partners, the financial market and society.

Revenue loss, resulting from compensation payments, lost future income, loss of financial records, and inability to collect debts.

It cannot be denied that the 9/11 terrorist attacks on the World Trade Center buildings, a catastrophe that changed security concerns worldwide, together with today's increasingly severe natural disasters, have pushed IT people to put Business Continuity and High Availability on the agenda. It is something every CIO has to consider, whether in an SME or a large enterprise.



Figure 1: Downtime causes (source: IEEE)
- 40% Software
- 30% Planned downtime
- 15% Human error
- 10% Defects and hardware errors
- 5% Natural phenomena
- 1% Devices and network

Research on system downtime conducted by IEEE indicates that software contributes 40 percent, planned downtime 30 percent and human error 15 percent. Defects and hardware errors cause 10 percent, natural phenomena 5 percent, and devices and networks 1 percent of the overall problem. From these statistics we can see that the largest causes, software, planned downtime and human error, can be prevented by employing appropriate processes and technologies.

Table 1: Availability levels

Availability

Availability is a frequently used term that has gained popularity through IT best practices such as CobiT and ITIL, as well as IT standards such as the ISO 20000 and ISO 27000 series. These standards and regulations emphasize the importance of information security management and business continuity planning. Each organization decides what level of availability is acceptable to it. For example, some organizations may target 99.9% uptime, while others target 99.999%, known as "five nines", which means that over the course of one year the IT systems may be down for only about five minutes in total (5.26 minutes); the corresponding values are given in Table 1. Gartner classifies availability into five levels (AL0 to AL4), from least to most available, as follows:

AL0: Unprotected Server is a server that has no redundant components and no protection whatsoever for its operating system, programs and data.



AL1: Conventional with RAID is a server or system that uses RAID and a log-based or journaling file system to detect and correct errors.

AL2: Basic High-Availability Cluster is a system that, when a node stops normal operation, moves users to a substitute machine. Several systems are connected to the same disk, such as a SAN. The downside of this method is the interruption of user sessions, because such systems normally do not implement session synchronization.

AL3: Advanced High-Availability Cluster is a system with automatic failover that moves both user sessions and workload to the backup components. Like AL2, several systems are connected to the same disk, such as a SAN.

AL4: Continuous Availability is a system that achieves 100% availability of components and functions, with full redundancy, no transaction loss, and no effect on users.

Figure 2: High Availability technology market diagram

Current High Availability technology market

The High Availability (HA) market can be depicted as in Figure 2. From the diagram, the solutions divide into two main groups. The first group consists of backup and replication/failover solutions; both aim to prevent data loss and damage and to recover lost data. The second group is availability centric: it tries to keep the system available at all times and consists of clustering and continuous availability. The diagram also shows that each solution focuses on a different target: backup and replication solutions aim to protect data, while clustering solutions focus on



application availability, and continuous availability solutions aim to preserve the business processes themselves so that business needs are always met. To evaluate or select a proper solution, an organization must first classify its data. It should then conduct a risk analysis and a business impact analysis for the case where a problem or error occurs on an information asset, which includes information on paper as well as information processed in systems.

Once the data has been prioritized and its scope defined, the organization can determine its RTO and RPO values:

RPO (Recovery Point Objective) is the point in time on the timeline to which the system must be rolled back to recover the data; in other words, the maximum amount of data, measured in time, that may be lost. For example, if the data is backed up every hour, then after an outage the data can be restored to within the last hour.

RTO (Recovery Time Objective) is the longest time that may elapse before the data is recovered and available again. It matters most for important data that must be available at all times and can tolerate very little downtime, even if it is not updated frequently. For example, all data must be restored within 15 minutes.

In the next issue we will discuss the details of these solutions, their differences, the applications they best suit, as well as their benefits, downsides and decision factors.
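As an added example (not from the newsletter or from Gartner), the following Python checks an availability target and the RTO/RPO definitions above against a constructed record of outages and backup times. The incidents, the hourly backup schedule that stalls after noon, and the 15-minute RTO and 60-minute RPO targets are assumptions chosen to show one incident that meets both objectives and one that misses both.

```python
"""Availability target and RTO/RPO check over a constructed incident record.

Added example, not from the newsletter. The incident times, backup schedule
and objectives below are constructed for illustration.
"""
from datetime import datetime, timedelta

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600; leap years ignored


def allowed_downtime_minutes(availability_pct, period_minutes=MINUTES_PER_YEAR):
    """Maximum downtime per period permitted by an availability percentage.
    99.999% ('five nines') over one year allows about 5.26 minutes."""
    return (1 - availability_pct / 100.0) * period_minutes


def achieved_availability(incidents, period_minutes=MINUTES_PER_YEAR):
    """Availability actually delivered, given (start, end) outage tuples."""
    down = sum((end - start).total_seconds() / 60 for start, end in incidents)
    return 100.0 * (1 - down / period_minutes)


def data_loss_minutes(outage_start, backups):
    """RPO actually experienced: age of the newest backup taken before the outage."""
    before = [b for b in backups if b <= outage_start]
    if not before:
        raise ValueError("no backup precedes the outage; data loss is unbounded")
    return (outage_start - max(before)).total_seconds() / 60


def check_incident(incident, backups, rto_minutes, rpo_minutes):
    """Compare one outage against the RTO (time to restore) and RPO (data lost)."""
    start, end = incident
    recovery = (end - start).total_seconds() / 60
    loss = data_loss_minutes(start, backups)
    return {
        "recovery_minutes": recovery,
        "rto_met": recovery <= rto_minutes,
        "data_loss_minutes": loss,
        "rpo_met": loss <= rpo_minutes,
    }


# Constructed scenario: hourly backups 00:00-12:00, then the backup job stalls.
DAY = datetime(2008, 9, 10)
BACKUPS = [DAY + timedelta(hours=h) for h in range(0, 13)]
INCIDENTS = [
    (DAY + timedelta(hours=10, minutes=40), DAY + timedelta(hours=10, minutes=52)),  # 12 min outage
    (DAY + timedelta(hours=14, minutes=20), DAY + timedelta(hours=14, minutes=50)),  # 30 min outage
]
RTO_MINUTES, RPO_MINUTES = 15, 60   # assumed objectives


def assess(incidents=INCIDENTS, backups=BACKUPS, target_pct=99.9):
    """Annual availability budget, availability achieved, and per-incident RTO/RPO results."""
    return {
        "allowed_minutes": allowed_downtime_minutes(target_pct),
        "achieved_pct": achieved_availability(incidents),
        "incidents": [check_incident(i, backups, RTO_MINUTES, RPO_MINUTES) for i in incidents],
    }


if __name__ == "__main__":
    result = assess()
    print("downtime budget at 99.9%%: %.1f min/year" % result["allowed_minutes"])
    print("achieved: %.4f%%" % result["achieved_pct"])
    for n, r in enumerate(result["incidents"], 1):
        print("incident %d: %s" % (n, r))
```

The second incident fails both objectives for different reasons: the 30-minute repair exceeds the RTO on its own, and because the last good backup was taken at 12:00 the data loss is 140 minutes, far beyond the 60-minute RPO. A backup schedule only delivers the RPO if it actually keeps running, which is why the check is driven by real backup timestamps rather than the intended interval.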



SOLUTION UPDATE

Log Management Best Practice, Part II: Infrastructure Requirements

To build an infrastructure for log (event) management that will lay the foundation for comprehensive security information and event management, organizations should consider the following categories of requirements:

- General requirements
- Log generation and capture
- Log retention and storage
- Log analysis
- Log security and protection



I. General Requirements

1. Provides high and consistent performance

A platform for log management must be able to sustain a high volume of data collection, a high rate of writing to storage without data loss or corruption, fast responses when retrieving data, and a high rate of data processing for analysis and reporting. Building a high-performance infrastructure from the start avoids the prohibitive cost of having to re-architect for performance later.

Performance requirements are determined from parameters such as:

- The typical and peak volume of log data to be collected per second (usually measured in events per second, EPS)
- The typical and peak number of users requiring analysis and report generation per hour and per day
- The typical and peak volume of data to be processed for analysis per hour and per day
- The typical and peak volume of reports to be generated per hour and per day
- The typical and peak usage of network bandwidth
- The typical and peak usage of data storage resources
- The security needs for the log data. For example, if log data must be encrypted in transit between systems, this requires more processing on those systems and more network bandwidth.

2. Enables a distributed deployment

Many enterprises and government agencies today are large, geographically dispersed and dynamic organizations. They are best served by a centrally managed yet distributed infrastructure that can keep up with a dispersed and constantly changing organization. With a distributed infrastructure, raw log data is collected and stored locally on networked storage systems and then rapidly retrieved and aggregated for analysis and reporting by authorized users. The flexibility of a distributed solution means the infrastructure can be mapped onto any kind of organizational structure, and that the organization can quickly adapt as systems or groups of users are added or moved. Another important benefit of a distributed deployment is that it helps ensure no data is lost or corrupted, since localized collection and storage is faster and more reliable. It also helps in complying with laws that prohibit data from being physically moved to another country for processing. While the data is stored locally, specific records can still be selectively accessed by authorized users based on content and context.

3. Easily integrates with existing infrastructure

An infrastructure for log management must integrate easily with existing systems, becoming part of the enterprise's overall IT infrastructure and manageable within the context of existing operations. The organization should be able to leverage existing systems; for example, the SIEM technology should integrate easily with the existing storage system. If new storage systems are required, deploying them should neither degrade the performance of other systems nor cause major disruption to operations.

4. Ensures parallel analysis and storage

An organization should be able to act on the analysis of correlated events while those same events are being written to storage. In other words, the platform should support real-time alerts and at the same time reliably retain all of the log data as it is collected, so that the data is available later for audits or forensic analysis.

5. Offers scalability to meet not only current needs but also future needs

A platform for log management must be able to handle both average and peak loads. The organization should plan for surges in the volume of log or event data due to increased activity. The infrastructure also needs to handle increased overall volumes of log or event data as more data sources are added. Over time, regulations or security requirements may call for more logs to be collected, and the organization's IT systems will almost certainly grow and more devices will be added. The system should be able to handle increased streams of log data without affecting application performance.

6. Provides a low total cost of ownership (TCO)

A low total cost of ownership (TCO) comes from a number of factors. First, it requires minimizing the impact on IT systems, not only during deployment but over time. The time, skill and effort required of IT staff to deploy, maintain, upgrade and manage the infrastructure should be minimized, as should the number of full-time equivalent (FTE) staff required to run the systems. The infrastructure should not require specialized staff such as database or network administrators.

Since a platform for log management can consume massive amounts of storage, a low TCO also calls for a solution that not only avoids generating undue amounts of log data but also optimizes the use of storage. SIEM technology based on a traditional relational database system (RDBS) can generate extraneous data; in fact, an RDBS has the potential to create a data explosion (DE), for example requiring 12K to 15K of storage for every 1K of raw log data because of table construction and other overhead. SIEM technology that is not based on a relational database therefore generates less data to store. And if the SIEM technology uses efficient compression, unnecessary purchases of additional storage capacity can be avoided.

An infrastructure that uses tiered storage also helps optimize the use of storage resources. With tiered storage, log data that is infrequently accessed does not occupy capacity on primary storage but is stored on lower-cost tiers. This reduces the overall cost per MB of storage and puts off the need to acquire additional primary storage. Administrative costs are also reduced, since data archived to lower tiers typically requires less management. Freeing up resources on the primary storage systems lets read and write requests be processed much more quickly, which improves overall performance.

7. Supports the retention and retrieval of "evidence-grade" log data

At some point an organization may need to produce log records to be used as legal evidence or to meet a regulatory request for information. To be usable as evidence, the logs must be in their original, unaltered form. When called upon for evidence, the organization must be able to produce the log data as part of a discovery process in a reasonable fashion. Likewise, to provide a digital chain of custody for forensic analysis, you must be able to demonstrate that the data has not been altered and that it can, for example, document network usage in an indisputable manner. The infrastructure should therefore capture and store logs in their original format, allowing retrieval of evidence-grade log data for legal, regulatory or forensic purposes.

In the next issue we will cover Log Generation and Log Retention, the second and third categories of requirements for building an infrastructure for log (event) management.
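Requirements 4 (parallel analysis and storage) and 7 (evidence-grade retention) above are easiest to see together in code. The following Python is an added example, not code from the newsletter or from RSA enVision or any other product it mentions. Each incoming line is appended verbatim to an append-only store whose records are linked by a SHA-256 hash chain, so that any later edit, deletion or reordering of an earlier record can be demonstrated, and the same line is fed in the same pass to a correlation rule that raises a real-time alert. The syslog lines, host names, addresses, the 4-failures-in-5-minutes threshold and the 2008 year assumed for the timestamps are all constructed.

```python
"""Parallel real-time alerting and hash-chained evidence retention.

Added example, not from the newsletter or from any product it mentions.
The log lines below are constructed; the source addresses are RFC 5737
documentation ranges.
"""
import hashlib
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: sshd lines as a syslog relay would receive them.
SAMPLE_LOGS = """\
Sep 10 09:12:01 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 10 09:12:03 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 10 09:12:04 web01 sshd[4123]: Accepted publickey for deploy from 198.51.100.4 port 40110 ssh2
Sep 10 09:12:06 web01 sshd[4125]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Sep 10 09:12:09 web01 sshd[4127]: Failed password for admin from 203.0.113.7 port 51031 ssh2
Sep 10 09:12:11 web01 sshd[4129]: Failed password for oracle from 203.0.113.7 port 51033 ssh2
Sep 10 09:20:30 web01 sshd[4200]: Failed password for root from 192.0.2.9 port 60001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port")
SYSLOG_TS_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) ")
MONTHS = {"Sep": 9}   # the constructed sample only uses September


def parse_timestamp(line, year=2008):
    """Classic syslog timestamps carry no year; the year is an assumption here."""
    mon, day, hh, mm, ss = SYSLOG_TS_RE.match(line).groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))


class EvidenceStore:
    """Append-only store. Each record keeps the raw line verbatim plus
    SHA-256(previous_hash || raw line). Changing, dropping or reordering an
    earlier record invalidates every later hash, which verify() detects."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, raw_line):
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        digest = hashlib.sha256((prev + raw_line).encode("utf-8")).hexdigest()
        self.records.append({"seq": len(self.records), "raw": raw_line,
                             "prev": prev, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain from the genesis value.
        Returns (True, None) or (False, seq_of_first_bad_record)."""
        prev = self.GENESIS
        for rec in self.records:
            expected = hashlib.sha256((prev + rec["raw"]).encode("utf-8")).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False, rec["seq"]
            prev = expected
        return True, None


class BruteForceRule:
    """Real-time correlation: alert once when a source IP produces
    threshold or more failed logins inside a sliding window."""

    def __init__(self, threshold=4, window=timedelta(minutes=5)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)   # source ip -> recent timestamps
        self.alerted = set()

    def feed(self, line):
        m = FAILED_RE.search(line)
        if not m:
            return None
        user, src = m.groups()
        ts = parse_timestamp(line)
        q = self.failures[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire old failures
            q.popleft()
        if len(q) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return {"rule": "ssh_bruteforce", "src": src, "count": len(q),
                    "last_user": user, "at": ts.isoformat()}
        return None


def ingest(lines, store=None, rule=None):
    """Requirement 4: every line goes to storage and to the rule engine in the
    same pass; alerting never delays or skips retention."""
    store = store if store is not None else EvidenceStore()
    rule = rule if rule is not None else BruteForceRule()
    alerts = []
    for line in lines:
        store.append(line)           # retained verbatim first
        alert = rule.feed(line)      # then analysed
        if alert:
            alerts.append(alert)
    return store, alerts


if __name__ == "__main__":
    store, alerts = ingest(SAMPLE_LOGS.splitlines())
    print(json.dumps(alerts, indent=1))
    print("chain intact:", store.verify())
    # Someone "cleans up" a failed login in place; the chain exposes it.
    store.records[1]["raw"] = store.records[1]["raw"].replace("Failed", "Accepted")
    print("after tampering:", store.verify())
```

The hash chain shows that the stored records are the same bytes that were chained at ingest time; it does not by itself prove who wrote them or when. For a chain of custody that holds up outside the organization, the head hash has to be committed periodically to something the log administrators cannot rewrite, such as a signed record on a separate system or a timestamp from an external authority, so that the verification in the example can be anchored to that commitment.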



SOLUTION UPDATE

ISO 27001:2005, Part II

By Phakkhanat Phothongborwonphak, Senior Network and Security Engineer, Bay Computing Co., Ltd.

Welcome back to the second part of our series on ISO 27001:2005. First, let me thank all of you who have shown interest in our coverage of ISO 27001:2005, the information security management standard. In the last issue we covered the introduction and the benefits of the standard; in this issue we look at security threats, their impact, and how ISO 27001:2005 can help protect us.

Information Security Threats of 2008

ISO 27001:2005 implementers and volunteers holding the CISSP certificate have listed the top information security threats of 2008, which include:



- Imposition of legal and regulatory obligations: legal and financial fraud
- Cyber criminals: people who commit crimes on the Internet
- Malware, Trojans: attacks by viruses, spyware, Trojans and other malicious software that take control of computers and steal personal data
- Phishers: groups who build websites that trick legitimate users into handing over their login credentials, for example stealing e-banking login accounts
- Spammers: self-serving marketers who harass people and sell things by e-mail, whether targeted or random
- Negligent staff: users who neglect to comply with company policies
- Storms, tornados, floods (acts of God): natural events that may disrupt, damage or destroy company services
- Hackers: people who attack in order to destroy information assets or to gain financial benefit
- Unethical employees who misuse or misconfigure system security functions, and who ignore security policies
- Unauthorized access, modification or disclosure of information assets: accessing systems, modifying data or disclosing information assets without authorization
- Nations attacking critical information infrastructures to cause disruption
- Technical advances that can render encryption algorithms obsolete

Information Security Impact

Information security impacts are the consequences of security incidents and can be classified as follows:

- Disruption to organizational routines and processes
- Direct financial losses through information theft and fraud
- Decrease in shareholder value
- Loss of privacy
- Reputation damage causing brand devaluation
- Loss of confidence in IT
- Expenditure on information security assets and on data damaged, stolen, corrupted or lost in incidents
- Loss of competitive advantage
- Reduced profitability
- Impaired growth due to inflexible infrastructure, system or application environments
- Injury or loss of life if safety-critical systems fail

The attacks and possible impacts listed above arise where information security, or an information security management standard, is absent. In the following section we explore the information security management system standard, ISO 27001:2005, and see how it can help us protect information assets. We introduced the components of the ISO 27001:2005 standard earlier and now provide some of the terms and definitions used in it. For the full and complete text of ISO 27001:2005, please order it through the ISO website or authorized distributors.

Terms and Definitions

To understand ISO 27001:2005 correctly, let me explain the terms and definitions that are used frequently in the standard. First, ISO 27001:2005 consists of the following components:

- Foreword
- Introduction
- Scope
- Normative References
- Terms and Definitions
- Information Security Management System
- Management Review of the ISMS
- ISMS Improvement
- Annex A (Normative): Control Objectives and Controls
- Annex B (Informative): OECD Principles and This International Standard
- Annex C (Informative): Correspondence between ISO 9001:2000, ISO 14001:2004 and This International Standard
- Bibliography

Asset: In the context of ISO 27001 and ISO 27002, an asset is any tangible or intangible thing that has value to the organization. In ISO 27001 practice the term covers information, systems, facilities, networks and computers.

Availability: Information is only useful if it is there when it is needed, so the availability of information is what lets the organization obtain value from its assets. An asset should be available and accessible whenever it is needed by an authorized entity.



Confidentiality: When security is taken into account, confidentiality is the key property for managing sensitive information. Protecting and preserving confidentiality means ensuring that information is not disclosed to unauthorized entities; "entities" here covers both people and processes.

Control: A control is a means of managing risk. It can be administrative, technical, managerial or legal in nature, and an administrator, a manager, a technical advisor or even a legal advisor may be the one managing the risk. The word control is also used as a synonym for safeguard or countermeasure. Controls include practices, policies, procedures, programs, techniques, technologies, guidelines and organizational structures.

Corrective Actions: Corrective actions are steps taken to address existing nonconformities and make improvements.

Document: A document is not limited to the written documents we are usually familiar with; it can take any form and use any type of medium. The extent of your ISMS documentation will depend on the scope of your ISMS, the complexity of your security requirements, the size of your organization, and the type of activities the organization performs.

Information Processing Facility: An information processing facility is any information processing system, service or infrastructure, or the physical location housing it. A facility can therefore be an activity or a place, tangible or intangible.

Information Security: Information security is concerned with protecting and preserving information, specifically its confidentiality, integrity, authenticity, availability and reliability.

Last but not least, with the essential information and definitions provided above, I hope you have gained a useful understanding of the ISO 27001:2005 standard. The final part of the details on ISO 27001:2005 will appear in our next issue. See you next time!
