Tuesday, 17 May 2016

CSIRT: Classifying the Severity of a Breach

We are all aware of the need and value of Classifying our Corporate Data. We all have embedded Information Classification into our Security Policy Framework, and many of us have even gone through the exercise of tagging and classifying our data.  (Read that last sentence as "a vast majority of us have either not started or not completed this daunting exercise").

One tangible outcome of performing an Information Classification exercise is being able to effectively communicate the impact of a potential Information Security Breach.  

I was asked recently to provide guidance to the Executive and Audit team of one of my clients to help identify and classify severity levels related to Breach Communication. They wanted a system to "value" the outcome of any potential Data Breach, should one happen.

I was told to constrain my scope to a High, Medium, Low classification model.

Using their own Information Classification Policy, I was able to quickly provide the following model, and thought it a valuable lesson for others in this situation.

Please feel free to use this or any portion thereof to assist in your own CSIRT exercises.

Information Security Breach Impact Classification

This document, based upon  's Information Classification Policy, provides a basic model to identify and classify the potential impact of a loss of data in the event of an Information Security Breach. This information can provide guidance in Communicating your Breach, as well as in determining requirements and constraints for acquiring CyberSecurity Insurance. 

Significance of Breach:
  • High Level Breaches
  • Medium Level Breaches
  • Low Level Breaches

A High level Breach would be considered any breach that exposed PII, PCI, PHI, or Corporate Restricted Information pertaining to either  or its Partners/Clients/Vendors.

The ‘RESTRICTED’ classification is assigned to data that, if corrupted, disclosed without authority or lost, might result in a critical loss to .
‘RESTRICTED’ information includes but is not limited to personal identifiable information (PII), employees’ medical history, Credit Card information, Bank account information, and encryption keys and passwords.

A Medium level Breach would be considered any breach that exposed Corporate Confidential Information, but not PII, PCI, PHI, or Corporate Restricted Information pertaining to either  or its Partners/Clients/Vendors.

The ‘CONFIDENTIAL’ classification for information is assigned to data that, if corrupted, lost or disclosed without authority, might result in important or significant loss to  .
‘CONFIDENTIAL’ information includes confidential business proposals, customer information, HR information such as employment contracts and compensation, and general financial data.

A Low level Breach would be considered any breach that either exposes no data, or only Corporate Internal Information. A Low Level Breach does not expose Corporate Restricted or Confidential Information, PII, PCI, or PHI Information pertaining to either  or its Partners/Clients/Vendors.

The ‘INTERNAL’ classification is used to denote information that may be shared within   but is restricted from general release to the public.
Examples include training manuals, procedures and communications to all employees.

Personally Identifiable Information (PII), or Sensitive Personal Information (SPI), as used in Canadian, US, and European privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
The Payment Card Industry (PCI) Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

Protected Health Information (PHI) generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.


SANS: Information Classification - Who, Why and How
CSO Online: What security leaders need to know about breach communication
Classification Policy template
Carnegie Mellon: Guidelines for Data Classification
FIRST: CSIRT Case Classification (Example for Enterprise CSIRT)
Carnegie Mellon: Handbook for CSIRTs.
GIAC: An Introduction to the Computer Security Incident Response Team
CERT: CSIRT Frequently Asked Questions (FAQ)
IAPP: Communicating a Breach: Best Practices and Examples
Your Guide for Data Breach Crisis Communication
Computer Weekly: Lack of data classification very costly to firms, says survey
DHS: Cyber Risk Management and Cybersecurity Insurance

Monday, 7 March 2016

Selling Myself - Michael Ball Consulting Inc.

As of July 2015, I have been providing Information Security Consulting Services on a contract basis.
If interested in hiring me for consulting or a speaking engagement, please contact me at the following:
Michael Ball Consulting Inc. 
61 Baxter St. Bowmanville Ontario, L1C 5P8 Cell: (647) 458-5064
Email: unix_guru at Hotmail dot com or @unix_guru on Twitter

Information Security Consulting and Architecture

Over 25 years Information Security Operations and Governance in the Finance and Insurance Sectors.

Finance Sector:

  • AGF Mutual Funds, Toronto (Jan 2016 – Present), Acting CISO
  • CIBC, Toronto (Feb 2016), Application Threat/Risk Analysis –Mobile Money Manager App.
  • Dundee Capital Markets, Toronto (Oct  2015), Information Security Maturity Model (Cobit / ISO 27001 based)
  • Dundee Capital Markets, Toronto (Nov  2015), Information Security Architectural gap analysis and Roadmap
  • HPE/TD, Toronto (Mar 2016) PCI QSA Self Assessment assistance

Health Sector:

  • William Osler Health Institute, Brampton (Aug 2015), Privacy Impact Assessment for Patient Record Viewing Application.
  • William Osler Health Institute, Brampton (Sept 2015), Information Security Threat/Risk Analysis for Patient Record Viewing Application.
  • Trillium Health, Toronto (Mar 2016), SIEM Infrastructure Migration and Governance Review

Transportation Sector:

  • Air Canada, Montreal (Nov 2015), Privileged Password Management Architectural Review (CyberArk).
  • Metrolinx, Toronto (Feb 2016), Privileged Password Management Architectural Design (CyberArk).  

Industrial Supply:

  • Wajax, Mississauga (Sept 2015), Information Security Maturity Model (Cobit / ISO 27001 based)
  • Wajax, Mississauga (Oct 2015), Information Security Threat/Risk Assessment (ISO 27002 based)

 Speaking Engagements:

  • SecTor 2015 – Cloud Security Access Brokers
  • DCD Converged Canada (Nov 2015)  - Cloud Security
  • SC Congress 2015 – Cloud Access Security Brokers
  • SC Congress 2015 – The Role of the CISO
  • CIO Innovation Summit 2015 – Identifying Corporate IS Risk
  • SC Congress 2014 – Privileged Identity Access
  • CyberArk Customer Event 2014 – Corporate Use Cases
  • CIO Innovation Summit 2014 – Cloud Security
  • Symantec Vision 2014 – Enterprise Single Sign-On
  • Symantec Vision 2014 – Enterprise Host Based Security


  • Privacy Impact Assessment.
  • Information Security Program Threat/Risk Assessment.
  • Information Security Governance Maturity Model Assessment.
  • Application Threat/Risk Assessment.
  • Network Vulnerability Assessment.
  • Cloud Security Consultation and Architecture.
  • Cloud Provider Access Review.
  • SIEM Governance Review.
  • Perimeter Security Review and Architecture.
  • Network Security Zoning Review and Architecture.


Thursday, 12 November 2015

Toronto's 2015 SecTor Conference.

I feel utterly privileged to have attended this year's SecTor Conference at the Metro Toronto Convention Center a few weeks ago now.

For those of you unaware of what SecTor is, it is Toronto's pre-eminent Information Security Conference.  Anybody and everybody associated with IT Security is here. SecTor is not only an educational event, but a social one as well.  It is one of the annual events where Security Professionals congregate from around the province and indeed across the country.

The schedule is hectic, with multiple tracks of discussion panels suited to a variety of current topics. 
Although the main conference is two days in length, there is a third day just before the conference for those who wish to participate in various Infosec educational courses. 

This years daily Infosec sessions can be found here:

Over the two days, there were four Keynotes:
All four of these speakers bring with them a wealth of experience and skill.  I was riveted to my seat the entire time.  

As for the actual Infosec discussions themselves, they were very wisely organized into a Technology track, a Management track, a Security Fundamentals track, and a Sponsor track.  Again, see  for a drill down on the actual discussion topics for each. 

I wish I could tell you I saw them all. I *had* planned on jumping between several presentations, but each one I attended had me fully engaged. I can honestly say that SecTor went out of its way to select exceptional topics and speakers for this event.
Part of the problem with committing to a track as an attendee is that the CSO Summit is co-hosted alongside SecTor!  The CSO Summit is co-sponsored by KPMG, and this year featured discussions by Kris Lovejoy, the former Global CISO of IBM, and Tim Rains, Chief Security Advisor, Microsoft.

The Expo Hall itself was huge, with a broad cross section of Infosec vendors from Educational Institutions, Compliance and Governance bodies, to Appliance and Software Vendors.  Securesense and Fortinet showed off their "Forti-Express", a state-of-the-art rolling Briefing and Demo center.

Two things that grabbed my attention among all of the commotion in the Expo Hall were the "Lockpick Village" and the "Internet of Things Hack Lab".

The Lockpick Village has been a mainstay of SecTor for the past several years now. It's a free, full-participation workshop in using the standard tools of the trade to learn how to pick physical locks! Attendee times are recorded, with a prize at the end for the quickest time. The people sitting at these seats are among the happiest at the entire event.


This year Tripwire introduced the Internet of Things Hack Lab. Employees from Tripwire, as well as one of their previous hackathon winners, were onsite to guide attendees into the world of IoT hacking. They brought samples of common IoT devices with them, and were willing to educate anyone who wanted to sit for a while and get an understanding of the security (or specifically lack thereof) of the Internet of Things.

SecTor was an overall success in my books.  They brought the right people to discuss relevant topics, the vendor space was very well represented, and the social quality was outstanding.  Thank you SecTor for once again putting on a remarkable event.



Wednesday, 14 October 2015

What is a Security Governance Review, and why do I need one?

Regardless of what service or product your company produces, Information is your most critical asset. The organization, management, and protection of that data could make or break your ability to stay operational in today's corporate environment.

Many high-profile organizational failures over the past several years have driven home the requirement to adopt appropriate Information Systems policies, processes, and standards.

Privacy requirements, regulatory compliance, shareholder and customer transparency are all mandating a more mature approach to Information Security.

Your corporate reputation and well being depend on your ability to manage, organize, and protect your Information Assets.

This article, and the next few, will try at a high level to explain the various tools we can use to assess and document your roadmap to Information Security Maturity.

Let's start with the definition of an Information Security Governance Maturity Model:
An Information Security Governance Maturity Model is a representation of how well your company understands, organizes, manages, and maintains security controls and processes specific to your Corporate Information assets.

There are a few models to choose from, but the Industry accepted standard is the 6-level COBIT maturity model, which is based on work pioneered at the Software Engineering Institute at Carnegie Mellon, used to evaluate each of the ISO 27002:2013 security control groups.

That said, the ISO 27002:2013 security control groups, in and of themselves are the Industry Standard set of controls - based on 18 specific sections - that provide guidance in protecting your corporate assets.

The COBIT definitions for the 6 levels of maturity are:

0 – Non-existent – Management processes are nonexistent or not applied
  • Complete lack of any recognizable processes. The organization has not even recognized that there is an issue to be addressed.

1 – Initial – Processes are ad hoc and disorganized
  • There is evidence that the organization has recognized that the issues exist and need to be addressed. There are, however, no standardized processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganized.

2 – Repeatable – Processes follow a regular pattern
  • Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.

3 – Defined – Processes are documented and communicated
  • Procedures have been standardized and documented, and communicated through training. However, it is left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 – Managed – Processes are monitored and measured
  • It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 – Optimized – Best practices are followed and automated
  • Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other organizations. Information technology is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

To understand where your company sits with respect to each of the ISO 27002:2013 security control groups, you would engage a non-biased 3rd party to conduct a Security Governance Review. This review would be an immersive engagement between the Security Assessors and members from across your organization: Human Resources, Privacy, IT administrators, Network Administrators, Database Administrators, Software Developers, Project and Change Managers, Internal Auditors, and Corporate Executives.

A Security Governance Review  (SGR) provides guidance for Corporate Executives and Board of Directors in establishing and maintaining an appropriate Information Security programme within your company.

A Security Governance Review provides critical feedback regarding the adequacy of existing controls and safeguards in maintaining your security posture.  This feedback can provide guidance in the reduction and/or mitigation of Information Security risks within the company.

Typically, this report would consist of a high level executive summary of your organization's maturity levels across the ISO security domains, compared to peers in your particular industry.  Remediation recommendations and a roadmap to completion would usually be included.  Most Security assessors would also deliver the detailed ISO 27002:2013 working sheets with which the domains have been assessed.

The Radar Map to the right represents a sample posture map compared to a baseline of your industry.

This chart illustrates, by ISO 27002:2013 control area, the areas in which Acme Widgets Inc. is evaluated as performing at the level of its industry peers (yellow within the red boundary), the areas in which Acme Widgets Inc. is evaluated as performing below its industry peers (yellow outside the red boundary), and the relative degree of effort required to accomplish improvements (more yellow exposed = more effort).

You will want to periodically (annually?) review this maturity model to ensure that you are on track as things change both outside and within your organization. This periodic review will allow you to show metrics regarding your security governance programme growth.

In future posts, we will be discussing the following:
  • What is a Threat Risk Assessment?
  • What is a Privacy Impact Assessment?
  • What is a Vulnerability Assessment?
  • What is a Penetration Test?

Sections of the ISO27002:2013 
 5. Security Policy Management
 6. Corporate Security Management
 7. Personnel Security Management
 8. Organizational Asset Management
 9. Information Access Management
10. Cryptography Policy Management
11. Physical Security Management
12. Operational Security Management
13. Network Security Management
14. System Security Management
15. Supplier Relationship Management
16. Security Incident Management
17. Security Continuity Management
18. Security Compliance Management


ISACA: Information Security Governance Guidance for Boards of Directors and Executive Management
Comparing different information security standards: COBIT vs. ISO 27001  
ISACA: Assessing IT Security Governance Through a Maturity Model and the Definition of a Governance Profile 
ISO 27002:2013 in plain English.
ISO/IEC 27002:2013 Information technology — Security techniques -Code of practice for information security controls 
Wikipedia: ISO27002 technology-cobit 

Friday, 25 September 2015

From Blueline to BlueZone - PCI Tokenization Matures

Last year, I wrote about a new Canadian company that had entered the Compliance Appliance market space.  Blueline Data had developed a tokenization gateway that would help you define and isolate your PCI compliance scope boundary.  This isolation was not only for Point Of Sale and Web Merchant portals (Shopping portal), but for Telephony and Unified Communications traffic as well!  This was a revolutionary step in this industry. Several other companies had tokenization systems available for structured and/or unstructured data, however no one had a viable solution that would also cover voice and unified communications. 

A lot has gone on in the past year, and I decided to revisit them, to see where their technology has progressed...


Last year, Forrester issued a paper defining the requirements necessary to secure data into the future, and discussing the technologies that will get us there. The Document titled "TechRadar™: Data Security, Q2 2014", states clearly that you need to:

  • Restrict and strictly enforce access control to data. This includes denying access to unauthorized persons or blocking their attempts to gain access.
  • Monitor and identify abnormal patterns of network or user behavior. This includes tools that analyze traffic patterns and/or monitor user behavior to detect suspicious anomalies (e.g., improper or excessive use of entitlements such as bulk downloads of sensitive customer information).
  • Block exfiltration of sensitive data. These are tools or features of tools that detect, and optionally prevent, violations to policies regarding the use, storage, and transmission of sensitive data.
  • Render successful theft of data harmless. Once you’ve identified your most sensitive data, the best way to protect it is to “kill” it. “Killing” data through encryption, tokenization, and other means renders the data unreadable and useless to would-be cybercriminals who want to sell it on the underground market.

The first three have been the bread and butter of the Information Security industry for the past 20 years or so.  From firewalls and both signature and heuristics based Intrusion Detection/Prevention, to Data Loss Prevention systems, the industry has been diligently protecting our perimeters.

It's that fourth one that I'm interested in here.  "Render successful theft of data harmless."  In other words, replace any valuable data such as Payment Card Info, Personal Health Info, Social Insurance Numbers, etc... with a "token" that has no value to would-be thieves. These tokens can be made to preserve the format requirements of the original data, so as not to break backend processing, as well as including search/index criteria.

To properly provide security through tokenization, one must be able to implement it not only on the server side for data at rest, but also for data in transit, as well as at the client side, such that the relevant sensitive data never even leaves the client's network.

What if there was a service... APIs that could provide tokenization either at the client browser, or as data is passed to cloud apps?

I know that I'm not new to this train-of-thought, but the cost of non-compliance is growing exponentially. 
Financial Damage can be insured against... Reputational damage cannot.

As I said... a lot has gone on in the past year.  Blueline has matured from just providing on-premise gateway appliances, to hosting Compliance Services in the cloud.  

Blueline is about to introduce several hosting options.  You can still get on-premise control if that is what you desire, but that has been augmented with  co-located gateway services as well as true Cloud based "Compliance as a Service"  Tokenization/Encryption through APIs. 

Another move that Blueline has made is to provide "Diskless Tokenization".  Typically, tokenization services keep a very secure database in a cryptographic vault.  This database would include a table of sensitive data to token pairs that are used to index and manage the tokens.  Across the industry, customers have expressed concern over having this database, even though it is protected in a vault.  Complaints ranging from too much residual risk to database latency in very large token pair tables (tens or hundreds of millions of pairs) have driven out an alternate solution.

Blueline has introduced a diskless solution that creates a "derived" token using a one time pad, without the need for the data/token pairs to be stored. These derived tokens can be recalculated from a secret value that does not need to be stored in a database.
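The two designs contrasted above, a vault that stores PAN/token pairs and a diskless token recomputed from a secret, side by side as an added example in Python; this is not Blueline's code or algorithm (the derived token here is an HMAC-SHA256 under a key, one common vaultless construction), and the key and sample PAN are constructed.

```python
"""Vault-based vs. diskless ("derived") tokenization of a card number (PAN).

Added example, not Blueline's code: the derived token is an HMAC-SHA256
over the PAN under a secret key. DEMO_KEY and the sample PAN are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed demo key; in production this would live in an HSM / key manager.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class VaultTokenizer:
    """Classic design: random token, PAN<->token pairs kept in a vault table."""

    def __init__(self) -> None:
        self._pan_to_token: dict = {}
        self._token_to_pan: dict = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # Reject collisions and tokens that could pass for a real PAN.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan      # the table the page's customers worry about
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]

    def stored_pairs(self) -> int:
        return len(self._pan_to_token)


def derived_token(pan: str, key: bytes = DEMO_KEY) -> str:
    """Diskless design: the token is recomputed from the PAN and a secret key,
    so no pair table exists and every holder of the key gets the same token
    for matching/indexing. Format is preserved: same length, all digits,
    first 6 and last 4 kept (PCI DSS permits first six / last four in clear).
    """
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    mac = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    middle_len = len(pan) - 10
    # Take the low `middle_len` decimal digits of the MAC as the replacement digits.
    middle = str(int.from_bytes(mac, "big") % (10 ** middle_len)).zfill(middle_len)
    token = pan[:6] + middle + pan[-4:]
    # A token that passes Luhn could be mistaken for a real PAN downstream;
    # bumping one derived digit always changes the Luhn sum, so it fails.
    if luhn_valid(token):
        token = token[:6] + str((int(token[6]) + 1) % 10) + token[7:]
    return token


if __name__ == "__main__":
    sample_pan = "4111111111111111"          # constructed test card number
    vault = VaultTokenizer()
    print("vault token  :", vault.tokenize(sample_pan), "pairs stored:", vault.stored_pairs())
    print("derived token:", derived_token(sample_pan), "(recomputed, nothing stored)")
```

A keyed derivation like this gives a consistent, format-preserving token for matching and indexing without a pair table, but it is one-way: recovering the original PAN from a diskless token needs a reversible scheme such as format-preserving encryption, which this example does not show.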

Blueline has created two new offerings:

bluegrid™ is a turnkey solution for "Compliance in a Box".  It is a standard 19" cabinet, consisting of a series of redundant "bluenodes™" that provide the various security and compliance services required for a self contained Compliance DMZ. It can be installed in your own data center, or hosted externally for you.  Applying the "Zero Trust" model, bluegrid™ encapsulates your sensitive application environment and provides a full security stack to protect that environment: firewall, IPS, authentication store, tokenization, encryption, logging and storage.

A standard bluegrid™ rack would consist of a mix of the following bluenode™ appliances:

bluenode tx - Traffic Manager (zero-impact deployment)
bluenode dx - Data Gateway (financial network integration)
bluenode cx - Cyber Vault (diskless tokenization, encryption)
bluenode ix - Identity Manager (device and service access)
bluenode ex - Event Manager (logging and event analytics)
bluenode sx - Storage Block (low-latency shared storage)

bluegrid™ can centralize and limit most of your PCI compliance scope to a single rack in the data center. (Point-of-Sale systems excluded)

bluezone™ takes this one step further, providing a Cloud based Security Infrastructure - leveraging APIs to isolate the sensitive data outside of your IT environment and enabling secure financial or other confidential data processing and exposing the following security services: 
  • Tokenization–replacement of the original sensitive data with a risk-free replica for secure transmission, processing or storage
  • Encryption–military-grade cryptographic protection of digital content
  • Key Management–cryptographic key storage and lifecycle control
  • Payment Gateway–secure real-time and offline merchant acquirer processing of tokenized e-commerce and m-commerce transactions
  • Credit Scoring–secure personal or commercial credit check against a credit bureau, reference agency or central bank
  • Address Verification–secure cardholder address validation
  • Issuer Reconciliation–transaction batch transfer to issuer bank
  • Digital Wallet–secure checkout for merchant commerce sites and mobile applications with the e-wallet payment method
bluezone™ can effectively remove most of your PCI compliance scope from your environment altogether. (Point-of-Sale systems excluded)

Forrester TechRadar report on Data Security Q2 2014 clearly shows Tokenization having "Significant Success" in securing sensitive data.


Friday, 8 May 2015

Test Driving The Aegis Secure Key 3.0

I just received a new item across my desk, and was so excited I had to share!

The Apricorn Aegis Secure Key 3.0 is a high capacity hardware encrypted USB 3.0 flash drive with up to 240GB in Storage Capacity.

The one I received, an ASK-30GB is.. well.. 30GB capacity. 
The first thing I noticed in this impressive device, is the crush resistant black aluminum extruded case.  Rubber seals provide dust and water resistance. The buttons on the front present a very good high quality tactile feel. A comfortable aluminum case closes over the keypad with the aforementioned rubber seals. There is also a nice comfortable weight to it.  Not too heavy... 
More like "This feels like a tool, not a toy" heavy.

Now, there *is* a very slight learning curve to getting it up and running, as you have to train two separate 7-16 digit PINs: one Administrator and one User PIN. As a corporate tool, this is very much a requirement.  If the user loses/forgets their PIN, we can still retrieve the secured contents. Once completed, daily use just requires your User PIN.
This is a true hardware encryption (256-Bit AES XTS Hardware Encryption) based USB media key.  What this means is that there are no specific drivers required for your Operating System to share encrypted files. Aegis are currently awaiting FIPS 140-2 Level 3 certification, expected Q2 this year.

Once unlocked via the keypad, the device shows up as a standard USB media drive.   I was able to read/write files easily between Windows 7, my Ubuntu Laptop, my OSX machine, as well as a Raspberry Pi, and an embedded microcontroller board I'm working on.  Serious compatibility across the board. 

Data transfer was fast.  I did not measure it, but it was quicker than many of the "normal" USB 3.0 flash drives I have on hand.  The documentation put it capable of

Specifications according to Apricorn:

• 256-Bit AES XTS Hardware Encryption
• Software-Free Design
• Cross-Platform Compatible
• Embedded Authentication
• No Authentication Info Shared with Host
• Two Read-Only Modes
• Programmable Brute Force Protection
• Separate Admin and User Modes
• Lock-Override Option
• Forced Enrollment
• 3-Year Limited Warranty
• FIPS 140-2 Level 3 (Pending Q2)
• IP-58 Certified: Dust and Water Resistant

Having come from using a few other software based "Secure Flash" Keys, this device is a godsend. The software keys typically have to store multiple binaries on an application partition in support of the popular Operating Systems. (Windows and OSX are usually included, and more frequently, Linux binaries are available.)  Running the appropriate binary unlocks the remainder of the drive once authenticated. 

I highly recommend this Aegis Secure Key 3.0 anywhere you require sensitive data to be securely stored and transferred between machines. 
