Blog

We have just finished a new punctual monitoring campaign on the perimeter of our clients, this time focused on possible insecure web accesses. And once again the great importance that our customers give to safety is demonstrated.

This process is harmless to the client since it is carried out remotely and non-intrusively, for which we use our own and/or third-party technology.

We wanted to carry out a campaign combining known vulnerabilities, such as insecure web access, with our LEET benchmark. To do this, we have focused on identifying if they have a valid and secure digital certificate.

The objective of this campaign is that all web connections are secure and trustworthy, protecting the confidentiality of data. To this end, we have analyzed 3 parameters: if you have a certificate from a recognized CA (Certificate Authority), if it is valid ...

To continue with the good performance of the year, we have carried out a second punctual monitoring campaign on the perimeter of our clients, this time on connection protocols.

This process is harmless to the client since it is carried out remotely and non-intrusively, using proprietary and/or third-party technology.

For this time, we wanted to carry out a campaign combining known vulnerabilities, such as insecure access, with our LEET benchmark. To do this, we have focused on the TCP ports that support the different protocols considered insecure:

FTP -port 21

Telnet - port 23

SMTPv1 and v2 - port 25

HTTP – port 80

POP3 - port 110

IMAP - port 143

The objective of this campaign is that all services, protocols and ports are secure, and in case of using it, have a record of the business justification. Additionally, additional security features will ...
(Read more)

If you missed the event we did last May, in which our CEO Antonio Ramos outlined the changes to the new National Security Scheme (2022), it is now available on video.

You can watch it in full here to find out what changes and how it affects you, especially if you operate in the Public Sector.

We have also prepared two annexes detailing all the changes in HIGH and MEDIUM. Contact us if you are interested and we will send you the one you need.

All you need is LEET

Suscribe to our newsletter here

The cybersecurity rating is widely used, among other situations, as a tool in third-party risk management processes, coexisting with other mechanisms such as ISO27001 certification and SOC2 audits.

And as it is usual for many doubts to arise regarding the use of one or the other, we thought it would be useful to make this post about it. Let's start by defining both mechanisms:

• ISO27001 is a standard created by the International Organization for Standardization (better known by its acronym in English, ISO) to implement Information Security Management Systems (ISMS) to protect the information assets of organizations. The objective of the standard is to allow the organization to protect three aspects of the information: its confidentiality, integrity and availability.

• SOC2 are a set of reports resulting from an audit carried out by an independent account auditor. It focuses on ...

Or why supplier questionnaires are not enough

The concept of zero trust (zero-trust) was used for the first time by John Kindervag in 2009 (then a Forrester consultant) and is based on the fact that trust can be a vulnerability of the system and, therefore, security must be protected. designed with the "Never trust, always verify" strategy.

Although it sounds excessive, we have to think that it was the height of the robot networks that turned computers into zombies to do with them what they wanted. Kindervag, after all, what it proposed was that, by the mere fact that a connection request came from a computer in which a user had been authenticated, we could not infer that the request had been made by said user and that, therefore, it was legitimate, since it could be the result of some ...

2022 has arrived and with it, a new monitoring campaign by LEET Security that, on this occasion, has focused on the web servers of our clients.

The specific monitoring campaigns are a free complement included in the service that we offer with the qualification. These campaigns, unlike digital monitoring, which are carried out on a regular basis, are carried out only when a vulnerability is published and on a specific technology or system.

A potential vulnerability in Apache web servers was recently published in version 2.4.49 or earlier. This was the trigger this time, only instead of just sticking to Apache servers, we broadened the spectrum to include other widely used servers as well: Nginx servers and Windows Server.

This process is carried out remotely and non-intrusively using proprietary technology. It verifies which server the client is using ...

And as the English saying goes, "put your money where your mouth is"

That is, to celebrate that today, November 30, and for 33 years (since 1988) the day of what we would call cybersecurity has been celebrated internationally. At LEET Security we want to contribute our bit by promoting awareness and improving information security in the business ecosystem.

At LEET Security we are committed to objectivity and transparency as ways for organizations to be motivated to invest in cybersecurity: to the extent that it becomes evident those organizations that are committed to cybersecurity and this improves their strategic and commercial positioning Compared to those that do not, all managers and administrative bodies will undoubtedly drive an improvement in the cybersecurity levels of the organizations for which they are responsible.

This is like vaccination, if we are all vaccinated, we ...

We have attended a forum and found this comment (see picture above) about digital ratings that has led us to reflection.

Recently, at the IT GRC Forum, Chris Poulin, Deputy CTO / Director, Technology & Strategy at Bitsight, proposed the use of questionnaires to supplement the results of their cybersecurity ratings: “Using a security rating system such as Bitsight is not mutually exclusive of sending vendors questionnaires based upon NIST CSF (or any other cybersecurity framework). The two should validate each other, favoring direct observational evidence over self-attestation.”

But even the sum of both is not enough to obtain a reliable result.

Using a digital rating, such as Bitsight, to evaluate a company or service has great shortcomings, even if it is complemented with questionnaires, since they can only be checked from the outside. It is in the very nature of this ...

This post is available only in Spanish.

All you need is LEET

Suscribe to our newsletter here

We propose the most efficient way to comply with your legal obligations.

Since the entry into force of the General Data Protection Regulation (RGPD) and the (Spanish) Organic Law on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), those organizations that collect some type of personal data (responsible) and those that receive entrust or are hired to do some type of treatment with them (processors), they encounter a series of obligations, of which in particular we are going to refer to article 28 of the LOPDGDD:

Article 28. General obligations of the responsible and processor

1. Those responsible and processors, taking into account the elements listed in articles 24 and 25 of Regulation (EU) 2016/679, will determine the appropriate technical and organizational measures that must be applied in order to guarantee and prove that the treatment is ...

Essential controls and capabilities to get out of a cyber attack

We recently had the opportunity to attend a webinar entitled "The Kaseya Attack - What We Know and What We Must Learn", organized by a company that offers digital rating services, under the motto that these make it easy to understand and act on the risks.

It was interesting to learn the history of the incident, which began its path on April 6, with the notification to Kaseya from the DIVD (Dutch Institute for Vulnerability Disclosure) that they had detected 7 vulnerabilities in their VSA remote monitoring and management software. On May 8, Kaseya released the patches for 4 of them, and on June 26 it finalized those of the remaining 3, proceeding to update its SaaS version, and scheduling the update of the on-premise versions for July 7 .

But ...

This post is only available in Spanish.

All you need is LEET

Suscribe to our newsletter here

This content is available only in Spanish.

All you need is LEET

Suscribe to our newsletter here

In previous posts we have already commented on the origin of these reports (in this post) and on their complementarity with the cybersecurity rating that we carry out in LEET Security (in this other post), but we still frequently receive doubts about them and, therefore, we have decided to publish this new entry in which we are going to recap the most frequently asked questions.

WHO CAN ISSUE THIS TYPE OF REPORTS?

This type of work is carried out by audit firms registered in the corresponding national organizations with agreements with AICPA / CICA.

WHY DO CLIENTS REQUEST THIS TYPE OF REPORTS?

For some time now, the need to manage the risk of third parties has led to a search for mechanisms to ensure that third parties that are part of the supply chain do not pose a risk to end ...

This Post is available only in Spanish.

All you need is LEET

Suscribe to our newsletter here

Going to the mine is not what it used to be ... In the digital context, of course, and focused on obtaining cryptocurrencies. Sometimes in a lawful way, through their own means and resources, and sometimes not so much, taking advantage of the resources of others, with the installation of malware on the victims' computers so that they can use their resources, or because whoever does it is free to roam. taking advantage of its status and the resources it manages (which do not belong to it).

In November of last year the Italian authorities discovered at the Lamezia Terme airport, thanks to the alert of the technicians of the IT services provider company, Sacal (a third party), a cryptocurrency mining campaign that affected computer systems From the airport.

The Reggio-Calabria Police investigation showed that a 41-year-old technician, administrator of the ...

We have introduced an enhancement for customers currently with a LEET Rating. And for those arriving.

In order to increase the protection and the feeling of security that LEET Security rating conveys, we have recently included the continuous monitoring service, whose reports we prepare and send every month to those clients who wish to do so.

With this service, for which we use the MrLooquer tool, we observe from outside in a non-intrusive way, without touching, possible modifications that may increase your exposure to the Internet. But we believe that we can improve even more in this direction, so now we have decided to introduce a new enhancement in the service we provide and that is also included in the rating: A specific monitoring of specific vulnerabilities. We have called it ‘specific monitoring campaigns’.

We like to stay informed on ...

If you are a provider of a bank or a credit institution, this event may interest you.

The Interbank Cooperation Center (CCI), with the participation of Leet Security, is going to hold an information session on Pinakes, virtual.

May 5, 2021, from 11:00 a.m. to 1:00 p.m.

During the last five years, the processes of outsourcing services by all companies, and more specifically, in the financial sector have grown significantly, especially in those fields related to digitization, multiplying the efforts necessary to guarantee security, cybersecurity, of those services provided by third parties. Do we have the necessary tools to know and guarantee the cybersecurity conditions of these external providers? How do we comply with the international regulations promulgated for this purpose? Can we reduce the monetary and time costs dedicated to guaranteeing the security of those ...

The Pinakes platform is already up and running and the first company to be certified as a cybersecurity risk auditor has been LEET Security.

In the image, Herminio del Campo, director of the Centro de Cooperación Interbancario, and Antonio Ramos, CEO and founding partner of LEET Security, at the signing of the agreement.

It is the starting signal for the Pinakes service, which thanks to the LEET methodology, allows improving efficiency and simplifying processes in the selection of suppliers and in risk management and cybersecurity, while financial institutions comply with the requirements of the EBA (European Banking Authority)

All you need is LEET

Suscribe to our newsletter here

This content is available only in Spanish.

All you need is LEET

Suscribe to our newsletter here

With the recent launch of the PINAKES service by the CEntro de Cooperación Interbancaria (CCI), doubts may arise about how to register for the service to take advantage of being one of the first providers to use it. So, let's try to shed a little light on the process.

Although the service's website is not yet operational, interested providers can already start the procedures to get the qualification.

1. The first step is to contact the ITC and request the adhesion contract. The easiest thing is to send an email to organizacion@pinakes.es.

2. To register a service, it will be necessary to provide the audit report of one of the approved evaluators, therefore, it would be advisable to also request in the same initial email, the contact details of said evaluators.

3. The relationship between evaluator and service ...

This post is available only in Spanish.

All you need is LEET!

Subscribe to our newsletter here.

This post is available only in Spanish.

All you need is LEET!

Subscribe to our newsletter here.

This post is available only in Spanish.

All you need is LEET!

Subscribe to our newsletter here.

Well yes, oddly enough, it's been 10 years since the birth of this exciting project that is LEET Security.

It was December 2010 and it had been 6 months since I had disassociated myself from my previous project. After declining to accept the offers that had come to me (they only gave me more of the same, at most, and I wanted new challenges) I began to think about the opportunity to create my own project. After 12 years in the world of security, it was in my head to create something aimed at increasing transparency and making insecurity comes at a price. My first idea was to create something like a market similar to the one that exists for pollution rights (yes, a rating agency was not my first choice) so that those who wanted to pollute (aka ...

This content is available only in Spanish.

These are basic questions that will help you decide if your company is safe.

We believe 11 questions are not quite enough, but they are a starting point. So if you want more info, we put at your disposal E-Qualify that, in its Corporate version, which is free, is made up of 39 questions with which 14 cybersecurity domains are evaluated, and in its Premium version it confronts you with 343 issues.

1. On good governance of Information Systems, Do you proactively manage the security operation of your systems? Do you know your weaknesses and strengths?
2. The weakest link is Personnel and Operations. Do you make your employees aware that they should take care of the company?
3. Cloud versus physical systems. Do you have on-site control over the systems that support your services?
4. Do you monitor the supply chain and yourself ...

Would you entrust your savings to a fund that boasts of channeling all its investments exclusively on the basis of press reports?

Credit rating agencies, Moody's, Standard & Poors, Fitch, and others not so well known, are hired by the main public and private organizations in the world to analyze and assess their financial soundness, so that the better the rating obtained in this analysis, it provides investors with more confidence and, consequently, the organization will have more ease in raising capital and better conditions for financing its debt.

To carry out this analysis, companies open their books of accounts to agencies, and for this reason, their ratings are widely accepted - which persists after the blow of the 2008 crisis - as the most reliable method of evaluating financial risk, and it is one of the fundamentals on which the most ...

(This content is available only in Spanish)

All you need is LEET

Suscribe to our newsletter here

I landed on Monday, March 9 from Galicia. It was at night and I was coming back from an audit. The cell phone rang with an email from my boss, Ding! And on Tuesday I already stayed at home. Well, I went one day to the office, almost furtively, to collect some things, not knowing quite well what. do I take everything? Will it be for long? Do I water the plants?… I'm sure it sounds familiar to you.

When the dance began, those first few weeks we were all walking around without believing it too much, like floating, and the audits that we had yet to close were in the air and were not finished. Three weeks later we had the first remote audit and it was difficult, quite a challenge. But I'm getting ahead of myself ...
(Read more)

Take the hint!

On January 31, 2020, the EIOPA (European Insurance and Occupational Pensions Authority), the European regulator of insurers and reinsurers, published document EIOPA-BoS-20-002, which establishes the guidelines for the supervision of cloud service providers that insurers hire to carry out activities considered critical or important to their business.

In addition to the pertinent analysis of the risks related to the outsourcing of these activities, it should be noted that the guidelines provide for an evaluation of potential suppliers prior to their hiring, to ensure that they are appropriate to the risk analysis carried out.

On the other hand, the obligation to carry out active supervision of suppliers is also established, to verify that they comply with the security requirements that entities must have defined, and that this compliance is maintained during the provision of their services.

Consequently, insurance ...
(Read more)

(This content is available only in Spanish)

All you need is LEET

Suscribe to our newsletter here

(This content is available only in Spanish)

All you need is LEET

Suscribe to our newsletter here

Our CEO, Antonio Ramos, has been interviewed in Melodía FM, chatting with Juanma Ortega, in his program 'Despiértame Juanma', about the security of the videconference Apps that we now use a lot (Zoom, Google Meet ...)

Entertaining, interesting and illustrative.

You can find it here

Do not miss it!

All you need is LEET

Suscribe to our newsletter here

This content is only available in Spanish.

This content is only available in Spanish.

LEET Security launches its third Study ‘Business and Cybersecurity’, focused on Security in the Value Chain.

Who owns cybersecurity in organizations? Is it up to the CEO, CIO, CISO, CSO ...?

Can an incident suffered by one of your suppliers harm your business? A new study, the third one being carried out, tries to answer these and other questions, in order to know the importance that Spanish companies, across the board, attach to cybersecurity.

In 2017, we carried out the first edition of the Cybersecurity and Business Study, with the aim of having a perspective on the consideration and importance that organizations give to cybersecurity within their management models, and with a particular focus on the treatment given to the impact that they may have, for the development of their own business, the security employed or the incidents suffered by the ...
(Read more)

In the last 3 years, at least 6 cases of relevant security incidents related to software manipulation have been made public, such as that incident called NotPetya, back in 2017.

These incidents (which seem to be linked to a Chinese group that, depending on the research firm that you ask, is known as Barium, ShadowHammer, ShadowPad or Wicked Panda) have made us realize that, not only should we evaluate the security of the companies that connect to our systems, and of those others that manage our information, but we must also know the security level of the internal systems of those companies that develop the software we use.

Yes, Yes. We have not gone mad. These attacks we mentioned, and we can call attacks on the software supply chain, cannot be easily detected by any other route, since the attackers ...
(Read more)

This post is only available in Spanish

This post is only available in Spanish

This post is only available in Spanish

This post is only available in Spanish

This post is only available in Spanish

This post is only available in Spanish

This post is available only in Spanich

Threats swell and regulations pressure

According to data provided by INCIBE (Spanish Cibersecurity National Institute ), Spain was the third most attacked country in the world in 2017 with 120,000 incidents, only behind the United States and the United Kingdom; and everything seems to indicate that 2018 has exceeded this number, since By the end of August, 88,677 incidents had been managed, of which 83,165 (94%) corresponded to citizens and businesses and 5,512 (the remaining 6%) to the academic network and critical operators.

This increase in threats together with the pressure exerted by  General Data Protection Regulation (GDPR) compliance , in force since May 25, 2018, has forced companies to become aware of the need to manage cybersecurity and define responsibilities regarding it.

In this cyber risk and regulatory compliance scenario, business organizations should appoint new managers such ...
(Read more)

Chronicle of Supply Chain Cybersecurity Summit Barcelona 2019

The title may seem pretentious, but several of the presentations during the 3rd Annual Third Party & Supply Chain Cyber Security Summit, which was held on 7 and 8 February in Barcelona, have shown the motivation that took Antonio Ramos a few years ago to create the referential of controls and methodology of qualification that gave origin to LEET Security.

Still young, this third edition has had more than 75 participants from 15 countries. With the presence of international companies such as Bank of America, BBC, IKEA, Freddie Mac, KPN, Galp or Swisscom, as well as Caixabank, Santander Group, Banco Sabadell or Amadeus; and LEET Security, which has participated as a sponsor, along with Bitsight, NormShield, One Trust and SIMS Recycling Solutions.

We were especially struck by the presentation of Marc van Kasteren ...
(Read more)

Cyberattacks such as NotPetya or WannaCry and individual incidents such as the Equifax data breach in september 2017, or the cyberattack that caused the US pharmaceutical company Merck damages of 260 million dollars, have caused companies of any size to start to consider the option of contracting a cyber-risk insurance as a measure to mitigate the economic losses caused by a information cyber incident.

The need for cyber insurance

The threat involved by a cyber risk is as real as physical threats to a company's tangible assets. This is why it is understandable that companies consider transferring the risk they can´t control; for example by hiring a cyber insurance

Cybernetic and technological risk assessment

The estimation of both, the technological risk, which affects  to the business processes continuity, and the cyber risk related to intangible aspects of the ...
(Read more)

In Spain, as everybody knows, most of the business fabric is made up of SMEs. According to data provided by the Ministry of Employment and Social Security in June 2018 in Spain we have 1,312,813 companies. Of which, 87% turn out to be micro-SMEs (1 to 9 employees), 11% are small companies (10 to 49), 1.9% are medium-sized (50 to 249 employees). And only 4,578 are large companies with more than 250 employees.

Studies by recognized entities in this field, such as the Ponemon Institute, mean SMEs are increasingly vulnerable to cyber attacks. In the report published by this organization in 2017, it is shown that up to 64% of the companies interviewed declared having suffered a cyber attack, of which 54% would have concluded with information leaks. And only 55% of the respondents in the ...
(Read more)

Currently this entry is only available in Spanish

As we discussed in the previous post, the European Banking Authority (EBA) in its report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process, includes a section describing how to inspect technology  risk management  within the framework of global operational risk management.

This assessment will be obtained from different sources, including activities, reports and results of the entity's risk management, risk self-evaluations and ICT controls, periodic reports on ICT risk, specific information on incidents, and results of internal and external audits related to ICT

EBA defines its ICT Risk Assessment method including some controls matching other information security frameworks, but adapting to the financial institutions distinctive features. For which it establishes 4 stages:

1 Review of the entity's ICT risk profile

It obtains a first approach of the impact produced by the ICT risk on ...
(Read more)

The European Banking Authority (EBA) published in May 2017 the guidelines to be followed by the competent authorities (Bank of Spain in the national territory) in the exercise of the supervision of the ICT strategy and government, as well as the evaluation of technological risk exposure.

These Guidelines have been developed by the EBA on its own initiative and in accordance with the provisions of Article 16 of Regulation (EU) No 1093/201. Being mandatory from January 1, 2018 for those competent authorities, such as the Executive Commission of the Bank of Spain, which decided to adopt them on November 7, 2017

In short, we are facing the governance and ICT risk  management rules by which European banks are assessed, including spanish banks. It is important to note that in these Guidelines the proportionality  principle applies to the scope, frequency ...
(Read more)

This content is only available in Spanish.

Sorry, this content is not currently available in English

According to the study "Organizations and Cybersecurity" recently published by LEET Security, 87% of spanish managers are concerned about the cybersecurity of their companies. And they don´t lack reason since almost 60% of these companies claim to know they have suffered a cyberattack.

Until a few years ago, many of these managers were relaxed because they didn't consider their business to be of special interest to cybercriminals. But the exponential cybercrime growth in recent years and its widespread dissemination in the media, together with the growing dependence on business processes regarding technology (digital transformation) have made companies more concerned about the economic losses derived from the services unavailability , and almost 70% of the General Direction is involved in this matter. 

When we observe other studies, like the New Threats, New Mindset: Being Risk Ready in a World ...
(Read more)

I remember that it was to Julio Linares, in a remote Telecommunications Meeting in Santander, the first person to whom I heard the expression "Internet of things", which at that time sounded tremendously shocking to me. Now, IoT is one of the most frequently used acronyms in technological environments. According to the ENISA definition, the Internet of Things is a cyber-physical ecosystem of interconnected sensors and actuators that allow decision-making

Today, The Internet of Things is an intelligent infrastructure enabler that provides advanced functionalities to business processes, and facilitates the provision of higher quality services. In this sense, it is important to understand that the IoT means something more than gather, transport and analyze information. IoT projects have a direct impact on the processes improvement and the decisions that directly affect the business; which results in a obvious improvement in ...
(Read more)

(Read more)

In response to the need of service providers to accredit the security level to their customers, in 2011 the American Institute of Certified Public Accountants (AICPA) created the Service Organization Controls (SOC) framework, which replaced the old SAS 70. Its objective is to help IT service providers to build trust in their processes and in the security assessment controls that they apply.

SOC encompasses three report types, which we referred to in a previous post. The reports are written by independent and external auditors, and their objective is the certification of the quality and effectiveness of the selected and applied controls.

Regardless of its effectiveness as an evaluation mechanism, the SOC 2 Type II report is not easy to read by someone unaffiliated to the service. That is because it requires a thorough knowledge of its internal operation, and always ...
(Read more)

Looking backwards on some of the most notable cyberattacks that have taken place in recent history, we are led to reflect that even today many companies, specially some very relevant ones, still don’t apply efficiently  the minimum security measures, let's say " the basics ", which should be included in any cybersecurity program.

Reviewing the security breaches found in two of the cybersecurity incidents with the most media coverage in recent years, we observe the following:

Panama Papers. April 2016

The Panamanian law firm Mossack Fonseca suffered the exfiltration of 11.5 million internal documents, bringing to light the involvement of a large list of international personalities in opaque company registration, and in tax evasion.

Weaknesses pinpointed in the IT infrastructure were the following:

•    Every firm's services were hosted on the same server: customer documentation access, public website, and ...
(Read more)

Among the actors involved in the new RGPD regulation, the controller and the processor (usually third party suppliers) stand out for having a more active role and for their direct action on personal data.

It is interesting to observe the difference between both figures because, although they have different tasks within the data processing, they are often confused. While the controller is the ultimate responsible for guaranteeing the security and privacy of personal data, the second actor is the one who directly operates the data processing. The processor always acts on behalf of the controller, and must be chosen in such a way that it offers sufficient guarantees to apply appropriate technical and organizational measures.

Service outsourcing is a widespread practice in all kind of organizations. This practice has many well-known advantages, but in the case of the personal data ...
(Read more)

Regulation demands its application, but without defining any

In this second post in our blog about the contribution of LEET Security to the efficient compliance with RGPD, we discuss an aspect that will be of interest to those who must provide security by design (how?) to the data processed.

The Regulation establishes that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate” (Art 32.1). This is a consequence of the accountability principle, which exudes all the regulation. But, unlike the well-known LOPD, it leaves in your hands, and without any reference model, the determination of which are those appropriate measures.

The flexible control framework by LEET Security offers an unbeatable tool for controllers and processors when applying both the organizational measures ...
(Read more)

Published final report with recomedations

Following the European Banking Supervisors guidelines on outsourcing (CEBS directives), and in accordance with Article 16 of Regulation (EU) No 1093/2010, the European Banking Authority (EBA) published on December on 20th 2017 the final report with the recommendations on the outsourcing cloud services. The recommendations will apply from 1 July 2018.

Within the package, security measures constitute a key aspect for risk management. These include the need to identify the appropriate level of protection to ensure confidentiality, integrity, availability, and traceability of data, the right to audit and the development of contingency plans.

Next, see a summary of the recommendations:

 
Another relevant aspect addressed by EBA recommendations is the risk associated with chain outsourcing. In this line, the service provider should only subcontract with a third party that meets all the requirements.

How can ...
(Read more)

Publication on Januray 30th of Commission Implementing Regulation 2018/151 defines the technical and organizational controls that digital services providers (aka. online marketplaces, online search engines and cloud computing services) have to adopt following article 16 of NIS Directive (2016/1148).

Implementing Regulation Analysis

It is a really simple document that only have 5 articles, of which, discounting the objective and the entry into force, we are only left 2 articles settled to evaluate incident impact for notification effects and 1 [yes, one, you are right] for the security measures that digital service providers have to implement (article 2. Security elements); which is the focus of this post.

Obligations that this article defines for this kind of providers in Euroe are the following:

1. Carry out a systematic management of network and information systems, establishing "appropriate" security policies, including risk management ...

(Read more)

Last December, 6th finished the feedback period that European Commission opened on September, 13th to its proposal for regulation about ENISA and ICT cybersecurity certification (reference COM(2017)477). Finally, 32 organizations have given their feedback, as can be consulted in the Cybersecurity Package website. The objective of this post is to share our feedback but, before that, we would like to highlight that, of the 32 opinions submitted, there are 11 submitted from Belgium (since is where many lobbies and european organizations are based), but after those, 5 opinions have been sent from France, 3 from UK, USA and Germany, and only 1 from the rest of countries (Poland, Portugal, The Netherlands, Denmark, Finland, Czech Republic and Spain)... So our first reflection would be, as the opportunity is given to provide feedback about upcoming regulation, why not being more ...
(Read more)

We continue today with the section named #ratingenthusiasts in which we include the opinion of relevant people we have talked to in relation with #securityrating.

In today post, we have Eduardo di Monte. Eduardo is Cybersecurity and Business Continuity Chief of Agbar Group (Suez Spain), for Spain and Chile. Eduardo is Telecommunications Engineer and MBA by EuroMBA Consortium, he is specialist on industrial cybersecurity (IoT) and business continuity. With more than 13 years of experiencie, he has spent the last 8 years working hard on cybersecurity aspects of automatization and industrial control systems, specially on processes soported by critical infrastructures. He has combined this dedication with crisis coordination and implementation of resilience and business continuity models for critical process in industrial environments.

1. Is it typical the outsourcing of services in your organization?

Besides that every IT department has limited ...
(Read more)

(This entry is cross-posted in CERTSI_ blog)

As explained in the first post of this series dedicated to the C4V model, the cyber security level of outsourced services is key to assess the cyber security capabilities of any organisation: It is no use increasing the cyber security levels of an organisation if their suppliers’ levels are not as high, because -it goes without saying that- "security is as strong as its weakest link".

In this sense, the C4V model is based on the same idea as the other ENSI elements: providing CERTSI users with tools to improve the protection level of critical infrastructures.

So, how is C4V used to protect the value chain? As the model itself shows, C4V is expected to be used as part of the risk-supplier management model that the operator has to implement. For those not ...
(Read more)

(This entry is cross-posted in CERTSI_ blog)

The outsourcing of processes is not something we can consider new. In fact, the contrary is true. And in particular, in terms of how it applies to ICT (Information and Communication Technology), it is common for at least part of our systems to be accessed by third parties or managed directly by third parties. The range of options is broad, encompassing maintenance of equipment, remote operation-administration, on-site and remote support, maintenance of applications and all of this without taking into account other types of third parties (whom we could refer to as unrelated) who, without access to our information systems, do store and/or process information on their own systems (consultants, auditors, general consultants etc., etc.).

Even critical operators are not alien to this phenomenon, considering that, moreover, many industrial environments are affected ...
(Read more)

Recently, ENISA has published version 1.0 of a document that seems highly interesting, title "Indispensable baseline security requirements for the procurement of secure ICT products and services" (link).

It is a document elaborated by a group of experts named by different Member States (in particualr, by Austria, France, Germany, Czech Republic, Spain, The Netherlands and Finalnd) that is applicalbe to service providers.

Before mapping security requirements listed in the ENISA document with LEET Security methodology, let us introduce some reflections about it:

1. We completely agree that some minimum security requirements should exist for every kind of component or device, to assure that there is no weakest link.
   Nevetheless it seems to us a bit dared to say that those elements that meet these requirements can be considered "secure" and those that do not, should be considered "insecure", because ...

ENISA has poblished in December 2016 the report "Challenges of Security Certification in emerging ICT environmets" [PDF] in which they analyze certification scenario in five sectors: energy, water transport and rail transport, ICT and health care.

The objectie of this post is comment on some of the conclusions of that report:

"...without an EU approved standrd, harmonised testing and corresponding certification..."

It is clear that the possibility of a certification issued in one Member State can be used in another one should exist. Nevertheless, the approach that we should use is not that all Europeans speak esperanto, but considering that many languages are going to coexist in Europe, we are able to translate French into English, this into Spanish and, then into Italian.

In this way, instead of trying to reach a global agreement -which is going to be really ...
(Read more)

This entry is only available in Spanish

In the past number 4 of ISACA Journal, the article "Managing Cloud Risk. Top Considerations for Business Leaders" written by Phil Zongo was published. Among other references, the article echoes of a document from Australian Prudential and Regulatory Authority (APRA) that raises a concern about the reporting to Board of Directors of cloud risks in regulated entities because it focuses on benefits forgetting about associated risks. For APRA, it is fundammental that BoD analyzes if the risk is alligned with business strategy and risk appetite in the Organization.

This balance between cloud risk and risk appetite needs to take into consideration information like:

• Cloud value proposition
• Main business risks and treatment staregy
• Cloud deployment model
• Cloud service delivery model
• Service provider selection criteria
• Plausible business disruption scenarios
• Service Level Agreements (SLA)
• Third-party assurance, penetration testing, vulnerability assessments and right-to-audit clauses ...

Last 17th of May, we have the opportunity to participate in the cybersecurity event of reference for the governmental administration of Poland, CyberGOV2016. This event brought together almost 340 participants and the keynote speaker was Vladimir Nowak, Plenipotentiary Minister of Ministry of Digitalization that advanced the creation of a national CERT to coordinate the incident response at national level and to coordinate with the rest of Europe (in relation to the NIS Directive). Related with this Directive, also Jakub Boratynski from European Commission also took part in the event (remotely from Brussels) making a summary of the Directive text and its main implications for Member States.

Another moment of great interest was the presentation of the review made during the past year of cybersecurity situation in six public organisms by the Supreme Chamber of Control that shows that Polish State ...
(Read more)

"Not-connected" service providers can also be a risk

Yesterday, April 3rd 2016, a TV station and a digital newspaper brought breaking news with the initial details of what will be a much wider reporting: after almost a year of "investigation" by ICIJ (international Consortium of investigative journalists), brought to light the "Panama Papers", to show the secrets about the creation of companies in tax havens.

We write investigation in quotes, not as a question to all the journalistic work, on the contrary, is is really impressive to read that nearly 400 journalists from a hundred different media have been working together and well synchronized to obtain and publish all the information that they are anticipating now.

What does this have to do with cybersecurity? Of course, journalists are not hackers ... or they are? In this case, they tell us that ...
(Read more)

Those of you that have analyzed ISO/IEC 27017 (or even if you are certified on it) have seen that it is a standard that, based on controls repository on ISO/IEC 27002, adds additional controls specific for cloud computing.

Besides, it has the peculiarity that controls added have into consideration customer and provider roles, in order to provide guidance to one or both of them in how to implement all its controls.

Anyway, we will like to analyze the control 14.1.1 Security requirements analysis and specification. In this control, the standard includes different functions for the previous roles:

• On the one hand, customer should specify security requirements, and, later, analyze and assess if her requirements are correctly implemented in the service.
• And, on the other hand, provider should provide information related to controls implemented for helping customer ...

(Article originally posted at Red Segurid@d - only in Spanish)

That NIS Directive will mean a significative advance in cybersecurity in Member States as it gets past is doubtless. An intengral approach all over EU, the need to report to national authorities (that should be name) the security incidents or the setting-up of a network of Computer Security Incident Response Teams (CSIRT) are its main elements.

But, by contrast, it will only require measures for improving resilience against attacks to organizations providing essential services (essential services operators) -which includes digital services like search engines, online shops or cloud services- and, besides, exclude SMEs, according to definition included in European Commission Recomendation 2003/361/EC, it means, those entities invoicing less than 10 millions euros and up to 50 employees.

This scope definition has a problem: It forgets that small or ...
(Read more)

Uptime Institute Certification for Data Centers are between most recognized in the market, and, often, are exhibited by holders with proud. Who do not have heard something like: "Our DC is Tier III / III+ / IV certified! So it is really secure…”

And, obviously, to this statement, how raise any doubt? Well, at least, we must have one, what type of certification do you hold? In fact, Uptime Institute issues four types of certifications:

• Planning
• Design Documents
• Construction
• Operational Sustainability

Planning certifications take into account availability, reliability, capacity and performance requirements, together with growth horizon, analyzing business drives and, also, location selection, architecture, mechanic and support infrastructures.

Design certifications confirm functionality and capacity identified in engineering and architecture specifications. These certifications assure that plans have been defined to meet availability goals through analysis of mechanic, eletectric, structure and location elements following ...
(Read more)

Sorry!! This post is only in Spanish

A few days ago, our founding partner, Antonio Ramos, visited IDGtv, being interviewed by Marlon Molina, Director of Computerworld University.

This time we will not say anything, but invite you to spare a few minutes to watch the video with quick and easy explanation of LEET Security, and what we bring to market, closer understanding of cybersecurity and facilitating the procurement of services, both for customers and suppliers of the same.

Here is link to the video in IDGtv. We invite you to view and  share.

Thanks to Marlon and IDG for this opportunity to talk about our security rating.

ISACA Madrid Chapter hosts next October, 28th its 38th Technical Event (Hotel EXE Puerta de Castilla from 17:30 to 19:30) about How Minimize Risks in Client/Provider Relationships that will be sponsored by LEET Security and AUDISEC - GlobalSuite.

Antonio Ramos (@antonio_ramosga), founder partner of LEET Security,will open the event introducing attendes the concept of ICT services security rating. Next, José A. Lorenzo, General Manager of IDC España, will explain the market vision of Cyber Analitycs with a specialized talk.

Next, as central part of the event, there will be a Expert Panel about risk reduction between clients and service providers. A real good opportunity to know in first hand the opinion and knowledge from BBVA, Aiuken, BT Global Services, Rural Servicios Informáticos (RSI) and Virtual Care.

Finally, Alejandro Delgado (@aledelgal), COO and partner of Audisec ...
(Read more)

Security rating as a key tool to drive companies to "digital transformation"

Duncan Brown (@duncanwbrown), Director of Cybersecurity Analysis for Europe at IDC, has published a report on how security rating of services builds trust and confidence in the digital transformation era that we are experiencing.

The report has a clear meaning and a message: the information security is an increasingly worrying aspect of our economy, and companies are being forced to undertake a series of processes and activities, which were previously in second plane (if not ignored), in order to control the inherent risks when hiring services with external suppliers.

IDC analysts have repeatedly stressed that uncertainty about aspects of security is the main factor of concern when adopting cloud computing services (although these growth is 27% in 2014 -2018).

As a knowledgeable expert in both product and services ...
(Read more)

IDC and IDG bring the new 2015 edition of the CIO Directions event. It will take place next 29^th september, under the tittle: “The new role of the CIO and the IT Organisation”.

According to IDC, this new role comes from the increasing direct responsibility of the business lines in the technological decisions of the company. According to a recent analysis carried out by IDC, 43% of the business managers being interviewed declared that they feel comfortable with IT projects within technological environments. Thus, Business lines are financing 61% of these projects (in the scope of the survey) – with or without the participation of IT.

We at LEET Security are participating in this edition, with a relevant implication and contribution to facilitate companies in their task to manage information ...
(Read more)

Today we start a new blog section called #ratingenthusiasts for showing the opinion that very important people have aobut #securityrating.

[Interview only available in Spanish]

Llorenç Vives Ramis es Ingeniero Técnico en Informática de Gestión por la Universidad de las Islas Baleares, certificado CISA, CISM y CGEIT por ISACA y CCS-G por la Agencia de Certificaciones de Ciberseguridad. Actualmente desempeña las funciones de dirección del área de Planificación y Control de IT en Meliá Hotels International siendo responsable de la gestión y contratación de servicios IT a nivel global, así como del control y desempeño económico de los servicios IT recibidos y prestados a las unidades de negocio a nivel global. Además ha desarrollado las funciones de IT Security durante 10 años en la compañía, siendo durante ...
(Read more)

The right to complaint is, at the end, what we have after a successful cyberattack (of course, I mean success from the point of view of the hacker that carry out it).

And this what executives of Ashley Madison are doing with their press release published on 18th August, explaining that the data breach they have suffered is not a case of "hacktivism", but a criminal attack. In fact, nobody can doubt that it looks a criminal act, but the result is, spite of them, 10 GB with information of the last 8 years including clients data like telephones, adresses, transactions... including from written off clients (without considering aftermaths, true or not, that multiply this quantity).

Now they claim that there is people that knows the authors and they invite to report them. But, in the end, and independently of ...
(Read more)

Financial sector is one the main investors in cybersecurity without doubt. And this is because, financial sector is one of the main affected by cybercrime. This situation leads to European Central Bank, leaded by Mario Draghi, to be specially worried about the cybersecurity capabilities of european financial entities to fight against cyberthreats.

During last months, european financial entities have had to answer a (quite) long questionnaire sent by ECB about cybersecurity that includes questions related with what mechanisms financial entities have implemented to prevent data theft from malicious (internal or external) users or what controls they have to detect cyberattacks. And even, and this has been what more has call our attention because it is close related with LEET Security activity, what mechanisms are financial entities addopting to assure that third party providers are compliant whit security measures wrote down ...
(Read more)

As stated in the note published by Adif, yesterday at 06:00 there were detected “intermitten failures in traffic management operating processes" that led "delays rail traffic [...] of Barcelona and Girona provinces and part of Tarragona and Lleida. The incidence has affected both main system and two redundants ones that are activated in case of incidents in the main system. This has led to momentary traffic stops, selective suppresion of trains and delays in the service". This incidence has made Adif to open an expedient to company that provides the technology for the Barcelona Centralized Traffic Control, Schneider-Telvent.

We have consider relevant to analyze this piece of news because it shows an issue LEET Security thinks that is essential in client-provider relationships: As service provided is a client responsibility, it is essential that the client has supervision mechanisms that allows ...
(Read more)

Some days ago, a column titled 'Trust in Cloud' was published at Cinco Días [Spanish]. In this column, it is highlighted something we completely agree on: "Cloud service and provider selection is an strategic option that impacts on companies' business".

For this reason, the author suggests considering the following aspects before taking the decission:

• availability,
• security and certification levels as, for example, ISO 27.001
• connectivity
• performance
• service maturity level
• financial estability
• physical location, and
• compliance

Between all of them, a half (availability, security, financial estability and compliance) are elements included in leet security rating and the rest, except physical location, are operational aspects (connectivity, performance and service maturity) that, obviously, have to be considered by the potential cloud customer.

For this reason, we consider that using rating is a tool that simplifies the use of cloud services due ...
(Read more)

Deception. That could be the word that summarize our feelings after having contributed to the Cloud Standards Coordination (CSC) Working Group of ETSI (European Telecommunications Standards Institute) that was launched in December, 2012 in a meeting in Cannes with the objective to help the European Comission to "cut through the jungle of standards" and "to identify a detailed map of the necessary standards".

And why deception?

Basically because of two reasons:

• Firstly, because despite of having the instruction of developing a picture of actual situation, the report that will be published in some days will only include documents issued by Standards Developing Organizations (SDOs), leaving apart organizations like us only because being private organizations. Despite other considerations, private companies have shown being able to develop standards or, haven't you heard about PDF?
  How can you make a diagnostic without ...

It has been some time since the last post and it was time to post again. We have been working hard, so it has been difficult to find the time needed to come back to post. In fact, last weeks we have been contributing to some very interesting initiatives that have keeped us completely busy:

• ETSI Cloud Standards Coordination, that is working in helping the EU in identify future normalization issues and it is ending its report at this time.
• SC38 Study Group on Future Work, that has been created inside ISO SubComittee 38 to work on the same idea (identify future works for this SC).
• ISACA. In particular, in a work related con controls definitions and assurance in cloud that will be published in the following weeks.
• ENISA. As a member of resilience and cloud working group, we have ...

Following our tradition of analyze security documents that could apply to cloud computing, in this post it is the turn of Jericho Forum(R) "Self-Assessment Scheme" (PDF). We find this scheme interesting because it applies a rating system, in this case, with two levels.

This scheme is applicable for evaluating how a system meet Jericho Forum eleven commandments throuhg a self-assessment carried on by the own system provider, without validation for any third party (unlike leet security methodology that implies a validation from the rating agency).

But, conceptually, we applies the same way of evaluating rating levels:

• Providers could use it for answering RPFs and shows the security level they implement.
• Customers coudl evaluate the needs for every product, depending on the requirements.

And we, both, also agree in the way of assigning rating levels:

• To achieve level n, all ...

Following our post about "EU Cyber Security Strategy", we have analyzed the proposed European Directive on Networks and Information Security that was published simultaneously.

Our general conclusion is that, if approved as it is, we will be in front of a qualitative step ahead in the way we understand information security in the EU that will pose us as a reference in this field.

Nevertheless, in our opinion, there is some room for improvement that we would like to highlight in this post.

Scope

Proposed text does not consider organization besides "market operators" and public administrations and, explicitly, microenterprises. In our opinion, in a defense scenario like the one we are trying to improve, this means to leave weak links in the security chain that, could affect the overall level  [security level is not an average, is the minimum of ...
(Read more)

This post is only in Spanish

Sometimes we are asked about the failures of rating agencies and if a rating system could be a good approach for security evaluations. We have posted about it some time ago, but we think it is interesting to comment about the  article titled "How Certification Systems Fail: Lessons from the Ware Report" (pdf), where Steven H. Murdoch, Mike Bond, and Ross Anderson give us a fantastic view of the reasons that make certification systems fail.

This article based on the report, "Security Controls for Computer Systems" (pdf) (commonly known as the Ware Report, after the chair of the task force - Willis H. Ware), summarizes the facts identified in that report from 1970 (!!!!) that explains the failures in certification systems.

Basically, there are three main reasons:

1. Conflict of interest - Testing laboratories are selected and paid by the vendor of the product ...

DG Connect launched some weeks ago a web-based Public Consultation regarding the definition of future research priorities in Cloud Computing, Software and Services, ahead of the H2020 ICT Work Programme. From leet security, as developers of a security labeling system based on rating, we have sent our comment that is attached below:

In addition to technical mechanisms that contribute to reduce lock-in and to improve interoperability, cloud services need a efficient way to negotiate security conditions of services between users and providers.

Traditional ways of audit and certification have shown to be necessary but not sufficient to build trusted relationships (they are expensive, complicated and not compatible between users).

One option could be a security labeling system that helps users to understand the security measures implemented by the providers, and to the providers to show what security measures are they ...

The objective of this post is to think over how the Guideline published byPCI Security Standards Council to clarify the compliance with PCI-DSS when using cloud computing services (" title="pdf del guideline" href="https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf" target="_blank">pdf) affect the ICT services security rating.

First, we would like to remember that actual security rating methodology includes special levels in confidentiality dimension to show compliance with PCI DSS. Those levels can be distinguished by the an asterisk (*), it means, services with a rating C*-- or higher are suitable to store, process or transmit cardholder data according to PCI DSS.

Once said this, we highlight the contributions that rating makes to those that, using cloud services, needs to comply with PCI DSS:

• The guideline indicates the importance to identify all providers that participate in the service ...

Recently, the European Commission has just published the Cybersecurity Strategy of the European Union (pdf) in which, Catherine Ashton, High Representative of Foreign Affairs and Security Policy recognizes how important is this issue.

We bring this document into our blog because it includes a concept that we consider of high importance to the security model we push from leet security as rating agency. We are talking about service labelling.

In particular, the Cybersecurity Strategy of the European Union includes an activity to be developed by public and private stakeholders called "Develop industrial and technological resources for cybersecurity" and more specifically in the chapter devoted to "Promoting a Single Market for cybersecurity products":

Develop industry-led standards for companies' performance on cybersecurity and improve the information available to the public by developing security labels or kite marks helping the consumer navigate the ...

Today is Data Protection Day in Europe and, as security rating agency, we want to contribute to the acts organized, in  Europe but, also in Spain. It is sadly to say that privacy protection and doubts about vendor compliance levels are, evidently, stopping cloud services adoption by the industry. For this reason, we have thought that our contribution to privacy today should be remember how using a security rating servie could help us to solve these doubts. As we have commented before (link), to help potential cloud users to choose the service that better fits their needs, leet has included specific ratings that serve to show data privacy legislation compliance (at present, only with Spanish Law). These ratings can be identified by the '+' character. In this way, services with a rating in confidential security dimension of:

• 'D+' only are suitable ...

In some occasions, specially when the issue we want to analyze or study is complex or very new, it could be useful to use analogies. We say that because, to explain the use of the security rating model we propose, we like to draw upon a very daily analogy: We compare cloud services with an hotel room.

You could tell us that we are crazy and that they do not have anything in common, but if we think again about it, in both cases:

• We are talking about a sharing infrastructure
• There is a huge and diverse offer with great disparity of prices
• A priori, it is really difficult to know (until you arrive the room) the real quality and the environment (above all, if we think in cities we do not know well)
• Once we have chosen one, it ...

This analysis is based on the "User Guide" (only for ISACA members) published by ISACA and AICPA for this type of reports.

For those or you who do not know, we will start explaining what are SOC 2 reports (sucessors to the famous SAS 70 reports). To begin with, SOC means Service Organization Controls and there are three types of them:

• SOC 1 -Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting.
• SOC 2 y SOC 3 - Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy in accordance with AICPA Trust Services Principles Criteria.

The difference between SOC 2 and SOC 3 reports is that, while the former includes a detailed understanding of the design of controls at service organization and tests performed by the service ...
(Read more)

As part of ISACA Series about cloud computing, we find the document "Security Considerations for Cloud Computing"  with the objective of provide a practice guide and facilitate the decision process for IT and business professionals when taking the decision of moving to the cloud.

We have thought that it could be interesting to analyze it because one of the main advantages of rating systems as the one proposed by leet is, precisely, facilitate this decision making. ISACA document is organized in four big chapters that collect, besides the explanation of the own document, a brief summary of what is cloud computing, a general vision of risks and threats related specifically with the cloud and, finally, the guide regarding how to evaluate cloud potential as answer for business needs (providing decision trees and checklists). We agree with ISACA that the key ...
(Read more)

Study results about cloud computing market maturity have been just released thanks to the collaboration between  CSA and ISACA (pdf), and it highlights the 10 issues eroding cloud confidence.

The study collects opinions from 252 organizations of all types (users, service providers, integrators, and consultants) in 48 countries (mainly in North America and Europe), and concludes that, in one side, IaaS and PaaS are in their infancy and that they will need three years to be in the growth stage, while SaaS are almost in growth, where they will arrive in two years.

But, as study states, "users need to be able to trust that services will meet their needs and provide a stable foundation [...] to better serve their stakeholders" and the ten issues that most erode this confidence in participants opinion are the following (from more to less importance ...
(Read more)

Following our tradition of commenting schemes similar to security rating for helping to understand it, we are going to analyze the aforementioned certification scheme developed by EuroCloud Germany (EuroCloud Deutschland_eco e.V.).

We must say in first place that we have carried out this analysis based on documents published in its  web, in particular, "General product information and pricing" (pdf) and "Quick Reference" (pdf) because auditing guides are not public, existing a confidentiality agreement with clients covering audit guide and scope [what surprised us a little] and that is commented through workshops organized by EuroCloud with a price of 600€ (which is deducted from the audit price, if ordered in the following 6 months).

Below we will explain the similarities and differences that have been detected along both documents:

Use of levels

We feel a great success the fact of ...
(Read more)

We have published today a post at INTECO blog (in Spanish) about the certification proposed by Cloud Security Alliance (CSA) together with British Standard Institution (BSI) for cloud services security based on CSA's Open Certification Program. The goal of this post is analyze this certification from our perspective as security rating agency.

Use of levels

We are glad to see that the use of levels as mechanism to provide information is becoming common in the information security field. In this case, the CSA - BSI certification proposal also uses three levels (auto-assessment, third party audit and continuous audit), although levels depend on the evaluation rigor more not on the security controls as we do in security rating.

Approach

Considering CSA mission, proposed certification is focused on cloud services, being the security controls evaluated those included in CSA research material (basically ...
(Read more)

Following our trend, we are going to comment FFIEC (Federal Financial Institutions Examination Council) cloud computing public statement published past July, 10 (pdf). First, we would like to highlight some ideas that we also support:

• FFIEC considers cloud computing as a type of outsourcing.
• The use of third's parties "does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations".
• "It is important to look beyond potential benefits and perform a thorough due diligence and risk assessment of elements specific to that service" (see previous post about Cloud ROI).

And, secondly, we have extracted FFIEC statements and analyzed how security rating addresses them. We have summarize the analysis in the following table with three columns:

• First ...

Some of you have asked us about similarities between the rating scheme and Consensus Assessments Initiative (CAI) launched by Cloud Security Alliance, so we have decided to write down this post to explain similarities and differences between them.

First of all, the Initiative is part of what is called GRC stack that includes other "pieces" like the very famous Cloud Control Matrix  (CCM) or the Cloud Audit Project.

Secondly, we must say that the Initiative has involved the development of a questionnaire (used as base of STAR - Security, Trust and Assurance Register) that we will explain in further posts.

The questionnaire that should be accomplished by vendors is divided into 11 areas that are subdivided in 100 groups of controls and 197 questionas about specific controls traced to very well known standards, and guidelines as CobiT, HIPPA, ISO27001 or FedRamp ...
(Read more)

This is the title of the new ISACA document in relation with cloud computing that has been published last July. It addresses ROI calculating issue in order to evaluate in a right way an investment in this kind of service, considering all the costs and gains involved.

We would like to highlight some aspects of this document from our perspective as  security rating agency that helps to simplify ICT services procurement processes, in general, and cloud computing services, specifically.

• "We must stay within the enterprise's risk tolerance". It means, as defined in the methodology proposal of ISACA, a risk analysis of current service model should be performed for including in the further cost estimation all the investments needed to assure that risk tolerance is the same at the end of the process (this is useful to assure that comparison ...

Last July 1st, Article 29 Working Group published opinion 05/2012 on cloud computing (pdf). We think it was interesting to analyze it in detail from our perspective as rating agency considering the importance of these "opinions" and the relevance of their findings, specially, the undoubtedly support it means for trusted third-party services, such as security rating from leet security.

We have divided the content of opinion document in five parts: 1. Data protection risks Document considers two main types of risks: lack of control over personal data and insufficient information about data processing. Contribution of rating: As we have mentioned before, being rating, basically, a transparency mechanism, it helps with the last identified risk, providing information to clients (data controller) about security measures implemented in provider (data processor) processes. 2. Key drivers Document identifies three key drivers: Security, Transparency ...
(Read more)

Este es el título de un Documento de Opinión (PDF) recientemente publicado por el Instituto Español de Estudios Estratégicos (ieee) realizado por Gregorio Pablo Álvarez Rubial.

Se trata de un documento que recoge de manera bastante sucinta la historia y las particularidades de las agencias de calificación (prefiero esta denominación a la de rating para evitar términos ingleses siempre que sea posible) o ECAI (por su denominación técnica en inglés, External Credit Assessment Institutions).

Como bien recoge el documento, la importancia de estas agencias nace con el requerimiento de la SEC a los bancos en 1936 de invertir en bonos que no sean especulativos según estas agencias y de la utilización de dichas calificaciones a partir de 1975 para calcular los recursos propios de la banca, o que ...
(Read more)

Thanks to INTECO-CERT, we have analyzed the document published by Fraunhofer Institute for Secure Information Technology regarding security in cloud storage services (link).

Basically, the document is a basic analysis of security characteristics of a sample of this kind of services (specifically, CloudMe, CrashPlan, Dropbox, Mozy, TeamDrive, Ubuntu One y Wuala). We consider it a basic analysis because it only analyze aspects related with the registration process,  information transport and encryption, sharing mechanisms, deduplication, legal considerations, and only from the client perspective (without analyzing server security).

Main conclusions of the report are that:

1. Client encryption mechanisms improve, significantly, confidentiality levels.
2. It is worth to consider using more than one service to reduce downtimes.
3. To reduce vendor dependency, users could have a vendor change plan.

Regardless of these conclusions we would like to analyze the document from its methodological perspective:

• Service ...

La pasada semana tuvimos la oportunidad de participar en el II Encuentro del CSA-ES, en concreto, en la mesa redonda que cerraba el encuentro.

Como nos quedamos sin tiempo para clarificar algunos puntos, me gustaría hacer aquí los comentarios que se me quedaron en el tintero:

• Resaltar que el tema de conversación durante todo el encuentro fue la necesaria generación de confianza y el papel que la transparencia tiene en ese proceso.
• Preocupa el hecho de que las PYMEs no tengan los conocimientos y el asesoramiento necesario para hacer un traspaso al cloud computing adecuado (tanto en relación a los procesos que más le convengan, como en la forma más adecuada) como ya han comentado algunos.
• También preocupa que esas PYMEs tienen una capacidad de negociación muy reducida, lo cual, puede hacer ...

La pasada semana se publicó el informe "Cloud Computing. Retos y oportunidades" (enlace) realizado por el Observatorio Nacional de las Telecomunicaciones y de la Sociedad de la Información - ontsi. Es un estudio tremendamente interesante que analiza, por primera vez en España, el impacto de la informática en la nube en las PYMEs.

El objetivo de esta entrada es analizar dicho estudio desde la perspectiva de una agencia de calificación que trabaja en facilitar la contratación de servicios TIC mediante la generación de confianza a través de la transparencia.

Antes de nada, algunas citas del informe:

"La mayoría de las empresas consultadas que son usuarias de cloud (55%) se encuentran preocupadas por la confidencialidad y la seguridad de los datos corporativos gestionados. Este problema es el principal factor que hace que las PYMEs ...

Ayer publicamos en el blog de INTECO una entrada titulada "Gestión de riesgos en la cadena de suministro TIC". En dicha entrada, comentábamos un informe de auditoría del GAO estadounidense sobre los riesgos existentes en la cadena de suministros TIC (tanto software como hardware, como servicios).

Dicho informe pone de relevancia que, si consideramos la provisión de servicios de cualquier organismo como una cadena de valor, existen eslabones que son provistos por empresas TIC externas (proveedores / suministradores) y que, evidentemente, un error o fallo o una actuación malintencionada de éstos puede acabar afectando al outcome del proceso. Es decir, que los riesgos de esos proveedores, pueden llegar a ser nuestros riesgos, si no prevemos esta situación y creamos los cortafuegos adecuados o, si esto no fuera posible, establecemos los mecanismos alternativos necesarios. Estos conceptos ...
(Read more)

Definitivamente, no.

Elegir el servicio con el nivel de calificación más elevado (AAA) es una tentación, sobre todo para los profesionales de la seguridad, que siempre buscan (instintivamente) asumir el menor riesgo posible. Sin embargo, no es, en absoluto, la decisión óptima.

¿Y cuál es entonces la mejor decisión? Pues algo que nos posibilita la calificación: elegir el servicio con las medidas de seguridad (o en otras palabras, con la calificación) que mejor se adecuen a nuestras necesidades. Es decir, deberemos entender para qué queremos usar el servicio TIC que vamos a subcontratar para identificar qué requerimientos de seguridad le son exigibles (en función de las normativas o las políticas internas que le sean de aplicación) y, en consecuencia, qué calificación es la más acorde a nuestras ...
(Read more)

FedRAMP (Federal Risk and Authorization Management Program) es el instrumento creado por el gobierno americano para facilitar la contratación de servicios en la nube por la administración americana. Este programa ha sido promovido por los departamentos con responsabilidad en esta materia: DOD (Defensa), DHS (Interior) y GSA (Administración de Servicios Generales) mediante la creación de un órgano conjunto denominado JAB (Joint Administration Board) que vendría a ser algo similar al Payment Card Industry Security Standard Council ya que ejerce funciones semejantes, es decir, fundamentalmente:

• Estandarizar los requisitos de seguridad (partiendo de la publicación 800-53 del NIST, "Security and Privacy Controls for Federal Information Systems and Organizations")
• Homologar asesores (3PAOs - Third-party assessment organizations)
• Llevar registro de proveedores y asesores homologados (en el caso de PCI SSC solo son los asesores)
• Adicionalmente, FedRAMP incluye modelos de ...

Antonio nos proponía en su blog hace un par de días un ejercicio para definir lo que hacemos de una manera curiosa... mediante un pseudo-haiku con la estructura: ¿A quién ayudamos? / ¿qué hacemos por ellos? / ¿por qué nos necesitan? que proponían originalmente en the [non]billable hour. Nosotros también nos hemos atrevido y aquí va nuestra propuesta:

Ayudamos al mercado de TI a simplificar procesos de contratación de servicios mediante la transparencia que aportamos

¿Qué les parece? ¿Lo hemos conseguido?

La pasada semana, la Agencia Europea para la Seguridad de la Información y las Redes (ENISA) ha publicado este documento que lleva por subtitulo "Una guía para la monitorización de los niveles de seguridad de servicio para contratos en la nube" [pdf] y que, como su propio nombre indica recoge las pautas para ayudar a los que quieran contratar este tipo de servicios a definir la forma en la que se realizará esta supervisión.

El documento identifica ocho grandes capítulos...

Along with exciting new opportunities, cloud computing presents new challenges for both IT professionals and business managers. The former have to change their mindsets from an internally provided service to an outsourced one, and the latter have to consider security issues in their decision about moving to the cloud.

But both parties share one request: due diligence in the process of service selection.

Due diligence will help organizations considering the cloud to clarify their risk posture, choose the cloud service that best meets their needs and avoid surprises down the road.

However, the due-diligence process is not an easy one. We should consider security measures implemented by the vendor, but also service-level agreements, compliance with different regulations, and a host of critical aspects regarding the potential vendor—financial stability, long-term strategy, experience in the field, human-resources policies, guarantees in case ...
(Read more)

En el pasado volumen 6 de 2011 del ISACA Journal aparecía un artículo titulado "Developing a Unified Approach to Information Security in Business Associate relationships" (solo para asociados de ISACA) que nos parece interesante comentar, puesto que analiza en detalle la contratación de servicios TIC. Sus autores Michael R. Overly, Chanley T. Howell y R. Michael Scarano de la firma Foley & Lardner LLP, proponen tres herramientas para reducir las amenazas que pueden suponer los nuevos socios, asegurar una adecuada diligencia (documentada) y proporcionar remedios en caso de compromiso:

1. Un cuestionario de 'due diligence'
2. Protecciones contractuales básicas
3. Un documento de requerimientos de seguridad de la información

Lo que nos gustaría resaltar es que los autores incluyen, entre la información a obtener en el proceso de selección, datos como responsabilidades corporativas, cobertura de seguros ...
(Read more)

Hace unos días, en Seguridad y Gestión, el blog de Joseba Enjuto, compartía una entrada titulada "Ceder la seguridad a la nube" que nos ha parecido muy interesante. En dicha entrada, Joseba plantea las dudas que existen habitualmente en cuanto a la contratación de servicios en la nube y lo que va a pasar con la seguridad de esos servicios.

En nuestra opinión, la opinión de Joseba refleja de manera clara la situación con la que se enfrentan ahora mismo los proveedores de servicios en la nube cuando se acercan a sus clientes. Además, como muy bien dice Joseba (opinión autorizada como experto en seguridad que es), se produce una situación de desconfianza. Desde nuestro punto de vista, esta situación de desconfianza no implica que la seguridad de los ...
(Read more)

Gracias al blog de Infosec Island hemos llegado al "Informe sobre el estado de seguridad en la nube" (pdf) que, recientemente ha publicado Alert Logic y que, según los autores, tendrán un carácter semestral.

En dicho informe, se analizan los datos relativos a 2,200 millones de eventos y más de 62.000 incidentes gestionados por Alert Logic en sus clientes para comparar la situación entre los proveedores de servicios y las instalaciones in-house, todo ello con el objetivo de responder a la pregunta típica de, ¿qué es más seguro, llevar la gestión de los sistemas internamente o en la nube?

Pues bien, las conclusiones de este primer informe son claras: "Los entornos en proveedores de servicios muestran menores tasas de ocurrencia para todas las clases de incidentes analizadas" y eso que ...
(Read more)

Todos aquellos familiarizados con la protección de datos personales, saben que la subcontratación de servicios no es algo trivial. Y es que las tareas se pueden delegar, pero no así la responsabilidad: La responsabilidad no se puede delegar. Y para los que tuvieran alguna duda, el artículo 20.2 del Reglamento de desarrollo de la LOPD (pdf) no deja lugar a dudas:

"Cuando el responsable del tratamiento contrate la prestación de un servicio que comporte un tratamiento de datos personales sometido a lo dispuesto en este capítulo deberá velar por que el encargado del tratamiento reúna las garantías para el cumplimiento de lo dispuesto en este Reglamento"

De esta forma, no queda lugar a dudas de que, en caso de subcontratar, el responsable del tratamiento debe realizar una adecuada selección del proveedor ...
(Read more)

Last week, Amazon announced the Amazon Web Services GovCloud, a new cloud service that steps up "the security and access features of its cloud services in an effort to attract more government agencies as customers". This is a clear example of a tendency that, in our opinion, is going to be the normal evolution of cloud services.

At this moment, clients face a very standard set of cloud services and very few options to adapt the service to their needs (image yourself entering into your car dealership and not having the ability to choose different colors, tires, engines...). In particular, this is very important related to security issues, so we think that rating could be a very useful option for providers willing to segment their offer.

Thanks to rating, a provider could arrange basically the same service but with different ...
(Read more)

ISACA acaba de publicar el libro "IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud" (pdf solo para socios, el resto tendrá que comprarlo) en el que analiza como utilizar los materiales ya publicados previamente (COBIT, RiskIT, ValIT y BMIS) de modo específico a la problemática de la computación en la nube.

Nos gustaría resaltar algunos aspectos del documento que tienen relación con nuestra actividad como agencia de calificación de servicios.

En primer lugar, al analizar los retos de la computación en la nube, se mencionan algunos en los que la utilización de la calificación de los servicios podría tener un efecto muy positivo. Nos referimos concretamente a:

• La transparencia de los procedimientos / políticas de seguridad - La utilización de la calificación es, sobre todo ...

En estos tiempos que corren y después del protagonismo que han tenido las agencias de calificación de riesgo de crédito en la situación financiera actual, muchos se preguntan si la calificación continúa siendo un método adecuado para introducir transparencia en los mercados.

La opinión de leet es que no debemos confundir los errores que se hayan podido producir en la implantación del mecanismo con la validez del propio mecanismo. Digamos que sería como decir que los bancos ya no son una forma adecuada de canalizar las inversiones en el sistema financiero, más bien, habría que decir que hay que cambiar los mecanismos de incentivos y las reglas de los mercados.

En este sentido nos ha parecido interesante recuperar el paper elaborado por los profesores Zach Z. Zhou y ...
(Read more)

Video of talk in the past rooted con where we explained how the rating system can be applied to the acquisition of ICT services: Antonio Ramos - La asimetría en el mercado de la seguridad (Rooted CON 2011)