<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:iweb="http://www.apple.com/iweb" version="2.0">
  <channel>
    <title>NOUVEL Research</title>
    <link>http://NouvelStrategies.com/E/Research/Research.html</link>
    <description>NOUVEL participates in research projects and makes presentations at academic and professional events in Europe and the US.</description>
    <generator>iWeb 3.0.4</generator>
    <image>
      <url>http://NouvelStrategies.com/E/Research/Research_files/NOUVEL.Research.jpg</url>
      <title>NOUVEL Research</title>
      <link>http://NouvelStrategies.com/E/Research/Research.html</link>
    </image>
    <item>
      <title>iPhone Insecurity: 2011 Update</title>
      <link>http://NouvelStrategies.com/E/Research/Entries/2011/4/19_iPhone_Insecurity__2011_Update.html</link>
      <guid isPermaLink="false">89faea4f-06b5-4790-9ed4-a764068b5740</guid>
      <pubDate>Tue, 19 Apr 2011 14:14:43 +0200</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/Research/Entries/2011/4/19_iPhone_Insecurity__2011_Update_files/WM.Old-phone-user-2.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/Research/Media/object001_2.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:131px;&quot;/&gt;&lt;/a&gt;UPDATE &gt; Apr 18, 2011: the SANS Information Security Webcast is scheduled for 3pm CEST (Central European Summer Time), 2pm BST (British Summer Time), 9am EDT (Eastern Daylight Time), Tuesday, Apr 19, 2011.&lt;br/&gt;NOUVEL Strategies partner Jim Herbeck will be the featured speaker at a SANS Information Security Webcast on Apr 19, 3pm CET (9am EST). The topic will be “iPhone Insecurity: 2011 Update”:&lt;br/&gt;Last year was the first SANS iPhone Insecurity webcast. This year, the presentation has been updated to include a review of security problems with the iPhone in the past year, information about security enhancements with iOS 4, and a comparison of security features with other major smartphone operating systems. (The original SANS iPhone Insecurity webcast is available online at &lt;a href=&quot;https://www.sans.org/webcasts/iphone-insecurity-93463&quot;&gt;https://www.sans.org/webcasts/iphone-insecurity-93463&lt;/a&gt;.)&lt;br/&gt;SANS Information Security Webcasts are web broadcasts, including live audio while viewing presentation slides downloaded in advance. Participation is free, though registration is required. Details can be found at the &lt;a href=&quot;https://www.sans.org/webcasts/&quot;&gt;SANS website&lt;/a&gt;. 
&lt;br/&gt;SANS Webcast archive: &lt;a href=&quot;https://www.sans.org/webcasts/iphone-insecurities-2011-update-94443&quot;&gt;https://www.sans.org/webcasts/iphone-insecurities-2011-update-94443&lt;/a&gt;&lt;br/&gt;Webcast handout: PDF file (&lt;a href=&quot;http://nouvelstrategies.com/E/Downloads_files/iPhone-Insecurity-2011-Update.Handout.pdf&quot;&gt;English&lt;/a&gt;)&lt;br/&gt;Research Resources&lt;br/&gt;(available soon)&lt;br/&gt;</description>
      <enclosure url="http://NouvelStrategies.com/E/Research/Entries/2011/4/19_iPhone_Insecurity__2011_Update_files/WM.Old-phone-user-2.jpg" length="126713" type="image/jpeg"/>
    </item>
    <item>
      <title>CPI-RISC: Continuous Process Improvement–Risk, Information Security, and Compliance</title>
      <link>http://NouvelStrategies.com/E/Research/Entries/2010/9/1_CPI-RISC__Continuous_Process_Improvement_-_Risk,_Information_Security,_and_Compliance.html</link>
      <guid isPermaLink="false">8e20ee6c-b6ac-4495-9709-b92f433fc781</guid>
      <pubDate>Wed, 1 Sep 2010 11:33:37 +0200</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/Research/Entries/2010/9/1_CPI-RISC__Continuous_Process_Improvement_-_Risk,_Information_Security,_and_Compliance_files/2010-09.CPIRisc.175x130.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/Research/Media/object001_2.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:131px;&quot;/&gt;&lt;/a&gt;In cooperation with the Business Information Security Competency Center, NOUVEL has released the CPI-RISC White Paper. &lt;br/&gt;The Continuous Process Improvement–Risk, Information Security, and Compliance (CPI-RISC) methodology is a pragmatic, standards-based, business-oriented approach to information security. NOUVEL developed CPI-RISC to help organizations create sustainable information security programs and demonstrate measurable improvement over time. &lt;br/&gt;CPI-RISC uses a continuous process improvement cycle, adapted for information security. The three steps are:&lt;br/&gt;&lt;br/&gt;The first step is to Assess Risk. Risks are assessed in the context of the business environment, organized by business function, and prioritized based upon their impact to critical business processes. &lt;br/&gt;The second step, Implement Information Security, takes the risks identified in the first step, and addresses them using an ISO 27001-like Information Security Management System (ISMS). 
&lt;br/&gt;The third step, Verify Compliance, provides assurance to the organization that the information security program is effectively managing IT- and information-related risk.&lt;br/&gt;The methodology is based on well-known industry standards: ISO 27001, ISO 27002, ISO 27005, the SANS Institute 20 Critical Security Controls, and the Software Engineering Institute Capability Maturity Model.&lt;br/&gt;In addition to the White Paper, an Information Risk Framework and Implementation Guide are also available for download.&lt;br/&gt;—Jim Herbeck&lt;br/&gt;CPI-RISC White Paper: PDF file (available mid-Jun)&lt;br/&gt;CPI-RISC Information Risk Framework: PDF file (&lt;a href=&quot;http://nouvelstrategies.com/E/Downloads_files/CPI-RISC.Info-Risk-Framework.en.pdf&quot;&gt;English&lt;/a&gt;)</description>
      <enclosure url="http://NouvelStrategies.com/E/Research/Entries/2010/9/1_CPI-RISC__Continuous_Process_Improvement_-_Risk,_Information_Security,_and_Compliance_files/2010-09.CPIRisc.175x130.jpg" length="7209" type="image/jpeg"/>
    </item>
    <item>
      <title>iPhone Insecurity</title>
      <link>http://NouvelStrategies.com/E/Research/Entries/2010/5/18_iPhone_Insecurity.html</link>
      <guid isPermaLink="false">6adc5b51-790b-446a-9788-65963a0258ec</guid>
      <pubDate>Tue, 18 May 2010 16:48:39 +0200</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/Research/Entries/2010/5/18_iPhone_Insecurity_files/WM.Old-phone-user.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/Research/Media/object003_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:131px;&quot;/&gt;&lt;/a&gt;UPDATE &gt; Jun 21: Apple announced the new iPhone 4 and iPhone OS 4 (renamed iOS 4) on Jun 7. iOS 4 was released today. The presentation will be updated to reference Apple’s new iPhone hardware and software.&lt;br/&gt;This presentation on “iPhone Insecurity” was given for a &lt;a href=&quot;http://www.sans.org/webcasts&quot;&gt;SANS Information Security Webcast&lt;/a&gt; on May 18:&lt;br/&gt;The Apple iPhone is rapidly becoming the most popular smartphone in the world. Despite concerns over the security features—or rather, lack of security features—the iPhone has been sold in large quantities to Fortune 100 corporations and government agencies. This webcast discusses the information risks associated with using the iPhone, security features that are available, and why everyone is excited to see the new security features to be released this summer with the next version of iPhone OS.&lt;br/&gt;A recording of the webcast (slides + audio) can be found in the SANS Webcast Archives: &lt;a href=&quot;https://www.sans.org/webcasts/iphone-insecurity-93463&quot;&gt;https://www.sans.org/webcasts/iphone-insecurity-93463&lt;/a&gt;. 
The slides are available below.&lt;br/&gt;—Jim Herbeck&lt;br/&gt;Webcast handout: PDF file (&lt;a href=&quot;http://nouvelstrategies.com/E/Downloads_files/iPhone-Insecurity.Handout.pdf&quot;&gt;English&lt;/a&gt;)&lt;br/&gt;&lt;br/&gt;Research Resources&lt;br/&gt;Here are some web links I found valuable while researching the topic:&lt;br/&gt;&lt;br/&gt;Apple Computer, “iPhone Configuration Utility” download page.&lt;br/&gt;&lt;a href=&quot;http://www.apple.com/support/iphone/enterprise/&quot;&gt;http://www.apple.com/support/iphone/enterprise/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;Apple Computer, “New enterprise features in iPhone OS 4” page; “Enterprise features” is Apple’s code phrase for “security features.”&lt;br/&gt;&lt;a href=&quot;http://www.apple.com/iphone/business/preview-iphone-os/&quot;&gt;http://www.apple.com/iphone/business/preview-iphone-os/&lt;/a&gt; &lt;br/&gt;&lt;br/&gt;iPhone Insecurity website, Jonathan Zdziarski’s iPhone Forensic research site;&lt;br/&gt;(I had already picked and published the name for the talk before I discovered that a website existed with the same name.)&lt;br/&gt;&lt;a href=&quot;http://iphoneinsecurity.com/&quot;&gt;http://iphoneinsecurity.com/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;Bernd Marienfeldt, “iPhone business security framework” blog, Mar 22, 2010; includes May 17, 2010 update for iPhone/Linux data protection vulnerability.&lt;br/&gt;&lt;a href=&quot;http://marienfeldt.wordpress.com/2010/03/22/iphone-business-security-framework/&quot;&gt;http://marienfeldt.wordpress.com/2010/03/22/iphone-business-security-framework/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;Nicolas Seriot, “iPhone Privacy” presentation, Black Hat DC, Feb 3, 2010.&lt;br/&gt;&lt;a href=&quot;http://seriot.ch/blog.php?article=20100203&quot;&gt;http://seriot.ch/blog.php?article=20100203&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;Jonathan Zdziarski, “iPhone Forensic Method FAQ” blog, Sep 17, 2009.&lt;br/&gt;&lt;a 
href=&quot;http://www.zdziarski.com/blog/?p=524&quot;&gt;http://www.zdziarski.com/blog/?p=524&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;Jonathan Zdziarski, “Bypassing iPhone 3G[S] Encryption” blog, Jul 24, 2009; includes links for YouTube demos of bypassing the iPhone passcode and removing data from an iPhone.&lt;br/&gt;&lt;a href=&quot;http://www.zdziarski.com/blog/?p=516&quot;&gt;http://www.zdziarski.com/blog/?p=516&lt;/a&gt;</description>
      <enclosure url="http://NouvelStrategies.com/E/Research/Entries/2010/5/18_iPhone_Insecurity_files/WM.Old-phone-user.jpg" length="132062" type="image/jpeg"/>
    </item>
    <item>
      <title>ISO Soup: A Brief History of ISO 17799/27002</title>
      <link>http://NouvelStrategies.com/E/Research/Entries/2009/9/1_ISO_Soup__A_Brief_History_of_ISO_17799_27002_2.html</link>
      <guid isPermaLink="false">4078d9ae-ee8f-4205-92d7-858b71f7f5de</guid>
      <pubDate>Tue, 1 Sep 2009 12:05:12 +0200</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/Research/Entries/2009/9/1_ISO_Soup__A_Brief_History_of_ISO_17799_27002_2_files/ISO.Soup.v2.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/Research/Media/object044.png&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:130px;&quot;/&gt;&lt;/a&gt;It is ironic that the most important Information Security standard in the world today, ISO 27002, has also had the most convoluted and confused naming history. On numerous occasions when I have been speaking about ISO 27002, “A Code of Practice for Information Security,” someone will ask, “But what about ISO 17799,” or “We’re committed to implementing BS 7799–we’re not interested in any ISO standard.” Of course these are different names for the same standard. As a result, I now begin presentations about ISO 27002 with a brief history to avoid the confusion before it occurs. A client asked me to turn this introduction into a separate presentation, which I thought was a good idea. So, here is a brief history of ISO 27002 (including its predecessors ISO 17799, BS 7799 Part 1, and BS 7799) and the closely related ISO 27001 (including its predecessor BS 7799 Part 2). —Jim Herbeck&lt;br/&gt;PDF file (English)</description>
      <enclosure url="http://NouvelStrategies.com/E/Research/Entries/2009/9/1_ISO_Soup__A_Brief_History_of_ISO_17799_27002_2_files/ISO.Soup.v2.jpg" length="47345" type="image/jpeg"/>
    </item>
    <item>
      <title>The New C-Words for InfoSec: Continuity and Compliance</title>
      <link>http://NouvelStrategies.com/E/Research/Entries/2008/7/8_The_New_C-Words_for_InfoSec__Continuity_and_Compliance.html</link>
      <guid isPermaLink="false">11a3e9f8-d69e-43cb-9fdb-9d7c14d53076</guid>
      <pubDate>Tue, 8 Jul 2008 16:34:07 +0200</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/Research/Entries/2008/7/8_The_New_C-Words_for_InfoSec__Continuity_and_Compliance_files/Cover.New-C-words.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/Research/Media/object045_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:131px;&quot;/&gt;&lt;/a&gt;In July, 2008, I participated in the Workshop on Interdisciplinary Studies in Information Security at Monte Verita in Ascona, Switzerland. The conference was organized by Arjen Lenstra’s Center for Interdisciplinary Studies in Information Security at the École Polytechnique Fédérale de Lausanne (EPFL). I gave a presentation about how two c–words, “continuity” and “compliance” have made it radically easier to talk to business organizations about information security. &lt;br/&gt;—Jim Herbeck&lt;br/&gt;PDF file (&lt;a href=&quot;http://nouvelstrategies.com/E/Downloads_files/2008-07-08.New-C-words-for-InfoSec.v3c.pdf&quot;&gt;English&lt;/a&gt;)</description>
      <enclosure url="http://NouvelStrategies.com/E/Research/Entries/2008/7/8_The_New_C-Words_for_InfoSec__Continuity_and_Compliance_files/Cover.New-C-words.jpg" length="55148" type="image/jpeg"/>
    </item>
  </channel>
</rss>

