Ubuntu Malware Removal Toolkit

Ubuntu Malware Removal Toolkit is an Ubuntu-based LiveCD focused on Windows malicious software removal. The purpose of this distribution is to create a portable environment that will make it easier to remove malware from infected Windows systems. Features Detect and clean Windows malware directly from the LiveCD using the best free tools Easy to use […]

Ubuntu Malware Removal Toolkit is an Ubuntu-based LiveCD focused on Windows malicious software removal. The purpose of this distribution is to create a portable environment that will make it easier to remove malware from infected Windows systems.

Features

Detect and clean Windows malware directly from the LiveCD using the best free tools
Easy to use even for Linux novice users
Custom Nautilus scripts to make easier tasks like scanning or hashing multiple files or folders
Find online informations surfing the web with Firefox directly from the LiveCD
Windows network protocols support: Ubuntu MRT can browse Windows networks, resolve Windows hostnames, mount Windows shared folders and use RDP to remotely control Windows Servers
Easily create an Ubuntu MRT Persistent LiveUSB directly from the LiveCD
Browse and query the Windows registry files, detect NTFS timestamp artifacts and much more…
Easily search online for multiple file hashes with a single mouse clic (Virustotal.com, Team Cymru MHR and others services)
Analyze network traffic using preinstalled tools like ntop and BotHunter

Identificare e rimuovere malware con Ubuntu MRT

Lo scopo di questo articolo è quello di mostrarvi come utilizzare i principali strumenti inclusi in Ubuntu MRT, nello specifico tratterò:

AVG Virus Scanner, aggiornamento via Internet e scansione
Reglookup Common Startup Locations (Script)
MiTec Windows Registry File Viewer
VirusTotal e Simple Malware Check Tool
Hashing con MD5Sum
I preferiti di Firefox
Alcuni dei comandi rapidi inclusi nel file manager “Nautilus”

Il paziente

Il sistema preso come esempio è stato infettato con un Bot-Rootkit che sembra programmato per spedire spam e sottrarre credenziali di accesso a varie tipologie di servizi Internet.
Come potete vedere nella seguente immagine il sistema non mostra particolari segni di infezione, non ci sono processi sospetti in esecuzione o in avvio automatico

looking for all of the executables on a drive

Miss Identify is a program to find Win32 applications. In its default mode it displays the filename of any executable that does not have an executable extension (i.e. exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb). The program can also be run to display all executables encountered, regardless of the extension. This […]

Miss Identify is a program to find Win32 applications. In its default mode it displays the filename of any executable that does not have an executable extension (i.e. exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb). The program can also be run to display all executables encountered, regardless of the extension. This is handy when looking for all of the executables on a drive. Other options allow the user to record the strings found in an executable and to work recursively. See the manual page for more information.

Alternate Operating System Scanner

What is PC Tools’ Alternate Operating System Scanner? Once a system is infected with malware it becomes difficult to remove that malware as it is already embedded in the system and has control over many components which are key to the system’s operations. Malware, like rootkits, use system components to hide themselves and prevent other […]

What is PC Tools’ Alternate Operating System Scanner?

Once a system is infected with malware it becomes difficult to remove that malware as it is already embedded in the system and has control over many components which are key to the system’s operations. Malware, like rootkits, use system components to hide themselves and prevent other software from detecting or removing them. This is often the case of who gets there first; if the malware is able to get control of the system earlier on then it also has control over any software that may be run later. Besides just hiding, malware can also block the execution of other security applications. If you cannot install or run a security application in the first place then you cannot scan and detect the malware. The best time to remove this malware is when it is not running, but malware often starts with the Operating System, so we would have to stop the Operating System to stop the malware. On a shutdown OS nothing is running and malware like rootkits cannot hide themselves and so it would be easy to find and remove them.

REMnux

REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser. John H. Sawyer March 22, 2012 In my last blog about Linux Live Environments, I mentioned REMnux, an environment specifically built for malware analysis. I’d spent a little time […]

REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

John H. Sawyer March 22, 2012

In my last blog about Linux Live Environments, I mentioned REMnux, an environment specifically built for malware analysis. I’d spent a little time with REMnux when it first came out, but decided to take the latest version (3.0) for a test drive.

Since I just received the new “Practical Malware Analysis” book from No Starch Press, the detailed lab exercises seemed like a perfect way to test out the tools included in REMnux. While most of the tools in the book are Windows-based, there are Linux-based equivalents found on REMnux.

The first task was downloading the lab files linked from http://practicalmalwareanalysis.com/labs and extracting them.

If you have issues try https://sourceforge.net/projects/labs-encryptzip/ for an encrypted zip download.

WARNING: The lab binaries contain malicious code and you should not install or run these programs without first setting up a safe environment.

Compatibility: The labs are targeted for the Microsoft Windows XP operating system. Many of the labs work on newer versions of Windows, but some of them will not. The labs are designed to mimic realistic malware. Some of them are well-written code that runs reliable and some of them (just like real malware) are poorly written code that may crash, contain memory leaks, or otherwise behave unexpectedly.

Practical Malware Analysis Labs Web Site

My plan to solely use REMnux was immediately thwarted by the self-extracting Windows executable that contained the lab files. There was a EULA (end user license agreement) wrapper as part of the executable that had to be accepted before the files could be extracted — a problem solved with a quick boot of a Windows XP virtual machine. Ideally, the authors will replace or supplement the self-extracting executable with a standard zip file.

After a quick and easy read through the first few chapters, I started to dig into the lab examples using REMnux’s tools. Chapter 1′s labs want you to upload the example binaries to VirusTotal to see whether any antivirus products detect them as possible malware. While I could have used Firefox to upload the files, I chose to use pyew’s “vt” plugin that searches VirusTotal using the MD5 hash of the file instead of uploading the actual file.

Searching just using the MD5 could have backfired if no one had uploaded the file to VirusTotal yet, but given the popularity of the book, the lab files had already been uploaded many times. It doesn’t appear that REMnux currently comes with a command-line tool to upload files to VirusTotal, so here are a couple of options (#1 and #2) that simply require that you get a free API key from VT first.

A few other tasks in the first few “Practical Malware Analysis” labs include looking at executables’ import/export functions, compile date, and packer identification. Pescanner works pretty well to figuring out those answers, but not all of them. For example, pescanner identifies suspicious import functions but does not list them all, and it incorrectly identified some of the executables as having been packed when they weren’t. Pyew faired better by being able to list all imports and exports and correctly identifying the packer, but it did not have an obvious way to show the compile date. But when used together, you can get the exact answers you need.

The last lab in Chapter 1 asks you to use Resource Hacker to look for resources that are stored in the file. To accomplish the same task on Linux, a command-line tool can be used called hachoir-subfile. Running hachoir-subfile against the Lab 1-4 executable will extract the embedded in PE file.

I’m looking forward to digging into the book more and using REMnux further to see just what I can do without having a Windows virtual machine. It’s not that I have anything against Windows — I just like to find alternative Linux-based tools that do the same thing as Windows-based tools. There’s definitely an advantage to having both platforms available for analysis with the plethora of tools to use.

I highly recommend taking a look at the “Practical Malware Analysis” if you’re interested in the topic, as it is one of the best books I’ve seen on subject and the labs are great. I suspect I’ll have more blogs in the future about the book and tools as I spend more time with it and find alternative tools to use for the analysis.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com and found on Twitter @johnhsawyer.

 

Stuxnet

Israel y Estados Unidos desarrollaron técnicas para atacar sistemas de control industrial con el propósito de fastidiar a Irán,pero el secreto es saber que se puede y ahora el genio se salio de la lampara SAN JOSE, Calif. (AP) — When a computer attack hobbled Iran‘s unfinished nuclear power plant last year, it was assumed to be a military-grade strike, the […]

Israel y Estados Unidos desarrollaron técnicas para atacar sistemas de control industrial con el propósito de fastidiar a Irán,pero el secreto es saber que se puede y ahora el genio se salio de la lampara

SAN JOSE, Calif. (AP) — When a computer attack hobbled Iran‘s unfinished nuclear power plant last year, it was assumed to be a military-grade strike, the handiwork of elite hacking professionals with nation-state backing.
Yet for all its science fiction sophistication, key elements have now been replicated in laboratory settings by security experts with little time, money or specialized skill. It is an alarming development that shows how technical advances are eroding the barrier that has long prevented computer assaults from leaping from the digital to the physical world.
The techniques demonstrated in recent months highlight the danger to operators of power plants, water systems and othercritical infrastructure around the world.
“Things that sounded extremely unlikely a few years ago are now coming along,” said Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit group that helps the U.S. government prepare for future attacks.
While the experiments have been performed in laboratory settings, and the findings presented at security conferences or in technical papers, the danger of another real-world attack such as the one on Iran is profound.
The team behind the so-called Stuxnet worm that was used to attack the Iranian nuclear facility may still be active. New malicious software with some of Stuxnet’s original code and behavior has surfaced, suggesting ongoing reconnaissance against industrial control systems.
And attacks on critical infrastructure are increasing. The Idaho National Laboratory, home to secretive defense labs intended to protect the nation’s power grids, water systems and other critical infrastructure, has responded to triple the number of computer attacks from clients this year over last, the U.S. Department of Homeland Security has revealed.
For years, ill-intentioned hackers have dreamed of plaguing the world’s infrastructure with a brand of sabotage reserved for Hollywood. They’ve mused about wreaking havoc in industrial settings by burning out power plants, bursting oil and gas pipelines, or stalling manufacturing plants.
But a key roadblock has prevented them from causing widespread destruction: they’ve lacked a way to take remote control of the electronic “controller” boxes that serve as the nerve centers for heavy machinery.
The attack on Iran changed all that. Now, security experts — and presumably, malicious hackers — are racing to find weaknesses. They’ve found a slew of vulnerabilities.
Think of the new findings as the hacking equivalent of Moore’s Law, the famous rule about computing power that it roughly doubles every couple of years. Just as better computer chips have accelerated the spread of PCs and consumer electronics over the past 40 years, new hacking techniques are making all kinds of critical infrastructure — even prisons — more vulnerable to attacks.
One thing all of the findings have in common is that mitigating the threat requires organizations to bridge a cultural divide that exists in many facilities. Among other things, separate teams responsible for computer and physical security need to start talking to each other and coordinate efforts.
Many of the threats at these facilities involve electronic equipment known as controllers. These devices take computer commands and send instructions to physical machinery, such as regulating how fast a conveyor belt moves.
They function as bridges between the computer and physical worlds. Computer hackers can exploit them to take over physical infrastructure. Stuxnet, for example, was designed to damage centrifuges in the nuclear plant being built in Iran by affecting how fast the controllers instructed the centrifuges to spin. Iran has blamed the U.S. and Israel for trying to sabotage what it says is a peaceful program.
Security researcher Dillon Beresford said it took him just two months and $20,000 in equipment to find more than a dozen vulnerabilities in the same type of electronic controllers used in Iran. The vulnerabilities, which included weak password protections, allowed him to take remote control of the devices and reprogram them.
“What all this is saying is you don’t have to be a nation-state to do this stuff. That’s very scary,” said Joe Weiss, an industrial control system expert. “There’s a perception barrier, and I think Dillon crashed that barrier.”
One of the biggest makers of industrial controllers is Siemens AG, which made the controllers in question. The company said it has alerted customers, fixed some of the problems and is working closely with CERT, the cybersecurity arm of the U.S. Department of Homeland Security.
Siemens said the issue largely affects older models of controllers. Even with those, the company said, a hacker would have to bypass passwords and other security measures that operators should have in place. Siemens said it knows of no actual break-ins using the techniques identified by Beresford, who works in Austin, Texas, for NSS Labs Inc.,
Yet because the devices are designed to last for decades, replacing or updating them isn’t always easy. And the more research that comes out, the more likely attacks become.
One of the foremost Stuxnet experts, Ralph Langner, a security consultant in Hamburg, Germany, has come up with what he calls a “time bomb” of just four lines of programming code. He called it the most basic copycat attack that a Stuxnet-inspired prankster, criminal or terrorist could come up with.
“As low-level as these results may be, they will spread through the hacker community and will attract others who continue digging,” Langer said in an email.
The threat isn’t limited to power plants. Even prisons and jails are vulnerable.
Another research team, based in Virginia, was allowed to inspect a correctional facility — it won’t say which one — and found vulnerabilities that would allow it to open and close the facility’s doors, suppress alarms and tamper with video surveillance feeds.
During a tour of the facility, the researchers noticed controllers like the ones in Iran. They used knowledge of the facility’s network and that controller to demonstrate weaknesses.
They said it was crucial to isolate critical control systems from the Internet to prevent such attacks.
“People need to deem what’s critical infrastructure in their facilities and who might come in contact with those,” Teague Newman, one of the three behind the research.
Another example involves a Southern California power company that wanted to test the controllers used throughout its substations. It hired Mocana Corp., a San Francisco-based security firm, to do the evaluation.
Kurt Stammberger, a vice president at Mocana, told The Associated Press that his firm found multiple vulnerabilities that would allow a hacker to control any piece of equipment connected to the controllers.
“We’ve never looked at a device like this before, and we were able to find this in the first day,” Stammberger said. “These were big, major problems, and problems frankly that have been known about for at least a year and a half, but the utility had no clue.”
He wouldn’t name the utility or the device maker. But he said it wasn’t a Siemens device, which points to an industrywide problem, not one limited to a single manufacturer.
Mocana is working with the device maker on a fix, Stammberger said. His firm presented its findings at the ICS Cyber Security Conference in September.
Even if a manufacturer fixes the problem in new devices, there’s no easy way to fix it in older units, short of installing new equipment. Industrial facilities are loath to do that because of the costs of even temporarily shutting its operations.
“The situation is not at all as bad as it was five to six years ago, but there’s much that remains to be done,” said Ulf Lindqvist, an expert on industrial control systems with SRI International. “We need to be as innovative and organized on the good-guy side as the bad guys can be.”
___
Jordan Robertson can be reached at jrobertson(at)ap.org

gpg4usb

To say it straight in only one sentence: gpg4usb is a very easy to use portable-application, which combines a simple text-editor with a GnuPG-frontend to write, encrypt and decrypt your text-messages and files. gpg4usb should work on almost any computer you’re working on, should it be a Linux-machine or even one with a Microsoft-OS running. Almost […]

To say it straight in only one sentence: gpg4usb is a very easy to use portable-application, which combines a simple text-editor with a GnuPG-frontend to write, encrypt and decrypt your text-messages and files. gpg4usb should work on almost any computer you’re working on, should it be a Linux-machine or even one with a Microsoft-OS running.

Almost the only thing required is an available usb-port you are allowed to access. With this application you can write safe and encrypted messages anywhere you are: should it be an internet-cafe, at work or somewhere else on holiday… and you always have the encryption-keys available for usage!

The usage of gpg4usb should be highly self-describing, since the user-interface and all the options it offers are clear cut: Simply execute the binary on your usb-pendrive and start typing e.g. the Mailtext you want to be encrypted. If you’re done, choose the right gpg/pgp-key for the person you are writing to and hit the encrypt-icon at the top of the application-window. The resulting encrypted text you can save as a text-file to send it as mail-attachment, or copy it directly into your mail-user-agent or webmail-website. To make sure, you can read this message by yourself afterwards, encrypt it for the recipient and to yourself at the same time – if you want, you can mark as much keys as you want to encrypt for.

You want to add a gpg/pgp-key to your mobile keyring? Nothing’s easier than that: just hit the crypto-menue-entry and choose Import Key from File or Import Key from Editor. This means that it’s possible to import an ascii-armored pubkey via file-dialog, or via copy&paste into your editor-window. If you find a key e.g. on a website, just copy it, paste it into the gpg4usb-editor and hit Import Key from Editor – that’s it, and the key shows up on your keyring!

Pasted from <http://gpg4usb.cpunk.de/about.html>

Download

You can get our latest Release v0.3.2 by clicking the download link below. Since v0.2.4 the included executables are upx-compressed by default.

Filename Size* sha1
gpg4usb-0.3.2-1.zip 14.8MB / 18.6MB efeeaeff2883ded6abfe6378113c219e5e897bb0

* Size zipped / unzipped

Just download the zip-File and unzip it onto your usb-pendrive. Then simply change into the folder gpg4usb at your usb-drive, and execute the binary in there:

start_linux or start_windows.exe – should be easy to determine, which one’s yours ;)

Since gpg4usb is free software, licensed under the GNU General Public License (GPL), you can use it on as many machines as you want. Copy it, modify and redistribute it, give gpg4usb to as many people as possible! 

Pasted from <http://gpg4usb.cpunk.de/download.html>

ISO/IEC 27001

ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements. […]

ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements.

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard (more below).

Most organizations have a number of information security controls. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of IT or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover business continuity planning and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

ISO/IEC 27001 requires that management:

  • Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.

The key benefits of 27001 are:

  • It can act as the extension of the current quality system to include security
  • It provides an opportunity to identify and manage risks to key information and systems assets
  • Provides confidence and assurance to trading partners and clients; acts as a marketing tool
  • Allows an independent review and assurance to you on information security practices

A company may want to adopt ISO 27001 for the following reasons:

  • It is suitable for protecting critical and sensitive information
  • It provides a holistic, risked-based approach to secure information and compliance
  • Demonstrates credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers
  • Demonstrates security status according to internationally accepted criteria
  • Creates a market differentiation due to prestige, image and external goodwill
  • If a company is certified once, it is accepted globally.

While other sets of information security controls may potentially be used within an ISO/IEC 27001 ISMS as well as, or even instead of, ISO/IEC 27002 (the Code of Practice for Information Security Management), these two standards are normally used together in practice. Annex A to ISO/IEC 27001 succinctly lists the information security controls from ISO/IEC 27002, while ISO/IEC 27002 provides additional information and implementation advice on the controls. The domains covered by ISO 27002 include

Organizations that implement a suite of information security controls in accordance with ISO/IEC 27002 are simultaneously likely to meet many of the requirements of ISO/IEC 27001, but may lack some of the overarching management system elements. The converse is also true, in other words, an ISO/IEC 27001 compliance certificate provides assurance that the management system for information security is in place, but says little about the absolute state of information security within the organization. Technical security controls such as antivirus and firewalls are not normally audited in ISO/IEC 27001 certification audits: the organization is essentially presumed to have adopted all necessary information security controls since the overall ISMS is in place and is deemed adequate by satisfying the requirements of ISO/IEC 27001. Furthermore, management determines the scope of the ISMS for certification purposes and may limit it to, say, a single business unit or location. The ISO/IEC 27001 certificate does not necessarily mean the remainder of the organization, outside the scoped area, has an adequate approach to information security management.

Other standards in the ISO/IEC 27000 family of standards provide additional guidance on certain aspects of designing, implementing and operating an ISMS, for example on information security risk management (ISO/IEC 27005).

The ISO 27001 adopts the process model “Plan-Do-Check-Act” (PDCA) which is applied to the structure of all the processes in ISMS.

BS 7799 was a standard originally published by BSI Group[1] in 1995. It was written by the United Kingdom Government’s Department of Trade and Industry (DTI), and consisted of several parts.

The first part, containing the best practices for information security management, was revised in 1998; after a lengthy discussion in the worldwide standards bodies, it was eventually adopted by ISO as ISO/IEC 17799, “Information Technology – Code of practice for information security management.” in 2000. ISO/IEC 17799 was then revised in June 2005 and finally incorporated in the ISO 27000 series of standards as ISO/IEC 27002 in July 2007.

The second part of BS7799 was first published by BSI in 1999, known as BS 7799 Part 2, titled “Information Security Management Systems – Specification with guidance for use.” BS 7799-2 focused on how to implement an Information security management system (ISMS), referring to the information security management structure and controls identified in BS 7799-2. This later became ISO/IEC 27001. The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) cycle (Deming cycle), aligning it with quality standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.

BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.

Plan (establishing the ISMS)
Establish the policy, the ISMS objectives, processes and procedures related to risk management and the improvement of information security to provide results in line with the global policies and objectives of the organization.
Do (implementing and workings of the ISMS)
Implement and exploit the ISMS policy, controls, processes and procedures.
Check (monitoring and review of the ISMS)
Assess and, if applicable, measure the performances of the processes against the policy, objectives and practical experience and report results to management for review.
Act (update and improvement of the ISMS)
Undertake corrective and preventive actions, on the basis of the results of the ISMS internal audit and management review, or other relevant information to continually improve the said system.
An ISMS may be certified compliant with ISO/IEC 27001 by a number of Accredited Registrars worldwide. Certification against any of the recognized national variants of ISO/IEC 27001 (e.g. JIS Q 27001, the Japanese version) by an accredited certification body is functionally equivalent to certification against ISO/IEC 27001 itself.In some countries, the bodies that verify conformity of management systems to specified standards are called “certification bodies”, while in others they are commonly referred to as “registration bodies”, “assessment and registration bodies”, “certification/ registration bodies”, and sometimes “registrars”.The ISO/IEC 27001 certification,[2] like other ISO management system certifications, usually involves a three-stage external audit process:

  • Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization’s information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP). This stage serves to familiarize the auditors with the organization and vice versa.
  • Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.
  • Stage 3 involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.

Asset Management

The asset management domain deals with analyzing and attaining the necessary level of protection of organizational assets. The typical objectives of the asset management domain is to identify and create an inventory of all assets, establish an ownership on all assets identified, establish a set of rules for the acceptable use of assets, establish a framework for classification of assets, establish an asset labeling and handling guideline. Asset management, broadly defined, refers to any system that monitors and maintains things of value to an entity or group. It may apply to both tangible assets such as buildings and to intangible concepts such as intellectual property and goodwill.

An asset is anything that has value to the organization. Assets can include infrastructure (e.g. buildings, store houses, towers etc.), physical assets ( computer equipment, communications, utility equipment, heavy machinery), software assets ( applications, software code, development tools, operational software etc.), information (database information, legal documentation, manuals, policies & procedures, organizational documents etc.), services ( transport, air conditioning, communications, utilities etc.), people (management, skills, experience etc.) and imperceptible (reputation, image etc.).

Asset management is a systematic process of operating, maintaining, upgrading, and disposing of assets cost-effectively. Organizations need to identify all assets and create and maintain security controls around them. For each asset a designated owner needs to be made responsible for implementation of appropriate security controls. When creating an asset management policy the organization needs to define the scope of the policy (which parts of the organization are covered under the policy), responsibility (who is ultimately responsible for the policy), compliance (is compliance mandatory or not, what are the guidelines to follow), wavier criteria (on what basis can someone ask for a waiver) and effective date (from when to when is the policy applicable).

  • Typical policy statements for Asset Management include:
  * All assets shall be clearly identified, documented and regularly updated in an asset register
  * All assets of shall have designated owners and custodians listed in the asset register
  * All assets will have the respective CIA (Confidentiality, Integrity and Availability) rating established in the asset register
  * All employees shall use company assets according to the acceptable use of assets procedures
  * All assets shall be classified according the asset classification guideline of the company

Asset management comprises of all the activities associated with ongoing management and tracking of assets some of which are as follows: asset discovery (physical & logical), create & maintain conclusive software library, create & maintain conclusive hardware stock, configuration management, physical asset tracking, software license management, request & approval process, procurement management, contract management, assessment on ISO 27001 and PCI controls, supplier/ vendor management, re-deployment & movement, retire & disposal Management, compliance to laws if applicable etc.

Asset Register

The asset register documents the assets of the company or scope in question. Typically all business functions are required to maintain an asset register of their business units. The asset register is required to contain, at a minimum, the following information about the assets: the asset identifier, the asset name, the type and location of assets; the name of the function and process that uses this asset, the asset owner, custodian and user and the CIA (Confidentiality, Integrity, Availability) ratings of the asset. Organizations can choose to additional information into the asset register as necessary for example for IT assets can have IP address as part of them etc.

For all asset registers, a primary person responsible for the asset register needs to be identified. Typically the business unit head or director is the owner of the asset register and recognized functional heads identified are asset custodians. The asset owner is accountable for the comprehensive protection of assets owned by him/her. The asset owner may delegate the responsibility of applying the relevant controls for the maintenance of the assets to an individual/ function referred to as the ‘asset custodian’. It is the responsibility of the asset custodian to implement appropriate security controls that are required for the protection of information assets. It is the responsibility of all employees and third party staff to maintain the confidentiality, integrity and availability of the assets that they use.

Asset Classification

Assets need to be classified in order to provide an appropriate level of protection for a certain category of assets. Information assets need to be classified in terms of its value, requirements and criticality to the business operations of the company. Typical company classification guidelines follow restrictive principles. Some of the common classifications criteria which are used by companies are given below:

RESTRICTED: The restricted level of asset information pertains to highly sensitive information to the company; which when disclosed would cause substantial damage to the reputation and competitive position of the company in the market. Its unauthorized disclosure could adversely impact its business, its shareholders, its business partners and/ or its customers, leading to legal and financial repercussions and adverse public opinion. Examples of restricted information are details of major acquisitions, divestments and mergers, business and competition strategy, sensitive customer, competitor, partner or contractor assessments, intellectual property information, law enforcement and government related information.

CONFIDENTIAL: This category refers to asset information that relates to individuals or is otherwise restricted only to authorized users, but if disclosed outside the company would not harm the organization, its customers, or its partners. This classification applies to any sensitive business information which is intended for use within the company. Examples of confidential information include customer information, negotiating positions, marketing strategy, personnel information, internal company memos and presentations.

INTERNAL This classification refers to asset information that is potentially available to all personnel within the company, but is not public. This can also include information that is restricted to a group or project within the company, but is not designated as “Private” or “Restricted.” Examples of internal information include product design information, system documentation, company employee details, company organizational charts, minutes of department meetings.

PUBLIC This classification refers to asset information that has been published or obtainable from a published source, e.g. the Internet. Example of public information include published marketing material, company public statements or announcements, published company performance information, published job vacancies.

Asset Labeling

All important and critical assets to the company shall be labeled physically / electronically as per the information labeling and handling procedures of the company. The asset owners are required to ensure that their assets are appropriately labeled (marked) for ease of identification. This may exclude information classified as ‘public’. For each classification level, the handling procedures should include the assets introduction; secure processing, storage; transmission and destruction. Classification level must be indicted wherever possible for all forms of physical / electronic information that are sensitive in nature. For example: subject of email stamped with “Confidential” etc.


Por empezar fuerte el curso hoy quiero compartir un enlace de gran interes para los dedicados al mundillo de la gestión de la seguridad entorno a la norma ISO 27001.

Dentro de mis protocolos de seguimiento de las normas 27001, 27002 y las publicaciones o comentarios entorno a ella utilizando las alertas de Google, hoy quiero compartir un par de enlaces que proporciona en un documento PDF una traducción no ofical al castellano de las normas ISO 27001 e ISO 27002.

Aunque los enlaces no aparecen refereciados en ninguna página principal de esta Web, Google la enlaza al buscar sobre controles de la ISO 27002.

Dado que puede ser de interés para el público hispanohablante disponer de una versión en nuestro idioma, comparto la url que Google proporciona por si es del interés de todos.
Ambos documentos aclaran que su uso es autorizado sólo para fines didácticos, objetivo que comparte también este blog.
Las urls donde se encuentran son: