Thanksgiving Day is almost here and with it, our focus turns to our family, friends, food, and most importantly, football. As we celebrate one of our country’s most cherished traditions, we give thanks to health, wealth, good company, and of course, turkeys. However, this holiday season, we should recognize our nation’s involvement in cybersecurity and how much we’ve grown with it! Whether it be booking your flight home online, posting a picture of your Thanksgiving feast to Instagram or Facebook, streaming the big game, or FaceTiming your relatives that can’t be there in person, being online is a huge part of this and every day. I’d like to take a moment to share with you some news within our industry that we should be thankful for this year.
Automatic Threat Analysis and Response with New Technologies such as IBM’s Watson:
- Watson, an artificially intelligent computer system capable of answering questions posed in natural language, was developed by a research team working on IBM’s DeepQA (QA stands for question answering) project. It was named after IBM’s first CEO, Thomas J. Watson. Although it was initially designed to answer questions on the popular game show, Jeopardy, its development has opened several doors for cognitive computing. Cognitive security will change the game entirely for both federal and commercial organizations. Built upon existing security intelligence, it will help accelerate responses to threat and reduce the cost and complexity of managing cybercrime. Watson will help analysts find new, more efficient ways of managing security events and building your defenses by searching for solutions in a vast, ever-growing database of software vulnerabilities, countless research articles, and blogs. Cognitive systems bring the ability to spot anomalies and flawed logic and provide evidence-based reasoning — enabling analysts to weigh alternative outcomes and improve decision making. “Analysts will call on cognitive systems to augment or even automate their understanding of a threat — at depth, and with speed and scale, like never before” (IBM). Cognitive security is a tool that will continue to develop as it learns how the human brain functions and thus, security teams will be able to get better at preemptively protecting their networks from the threat with each new interaction.
Politically Driven Security:
- It’s been a tough election season and it was frustrating for all citizens to see the country so divided over the two main candidates. One beneficial result from the media frenzy of the presidential election was the increase in visibility of issues within our nation’s cybersecurity. Members of both major political parties on Capitol Hill have emphasized the importance of building a forum for legislation change regarding cybersecurity. Senator Mark Warner (D-Va) and founder of Nextel, established the Senate Cybersecurity Caucus, which launched just this past summer. The caucus aims to educate lawmakers by introducing them to cybersecurity experts and providing a means of studying cybersecurity’s effect on not only our national security but our economy as well. Warner said that he would work with the president-elect to continue efforts on legislation that would strengthen an organization’s data breach reporting as there is currently no federal legislation in place requiring data breach notification.
Building the Security Workforce:
- National Science Foundation is funding programs like CyberCorps: Scholarship for Service, a “unique program designed to increase and strengthen the cadre of federal information assurance professionals that protect the government’s critical information infrastructure. This program provides scholarships that may fully fund the typical costs incurred by full-time students while attending a participating institution, including tuition and education and related fees. Additionally, participants receive stipends of $22,500 for undergraduate students and $34,000 for graduate students” (OPM). These programs are being used by over 65 large accredited universities across the United States and are helping to increase the visibility of the ever-expanding career field and build the federal workforce.
- Mogul technology conglomerate Cisco Systems, Inc is also investing in cybersecurity centered educations, funding approximately $10 million into their Global Cybersecurity Scholarship program which hopes to increase the talent pool through services like free training, mentoring, and testing designed to aid students to achieve certifications and degrees.
These are just a few topics that are new to our ever-evolving industry. If you’d like to hear more about some of the latest and greatest in cybersecurity, our expert consultants at Cybersheath would love to hear from you. We leverage our security product experience, cutting-edge technology knowledge, and industry best practices to guide your organization through the complexities of cybersecurity implementation.
Hacking into a locked Windows or Mac computer should not be this simple, and yet it is. A security design flaw was recently exposed that shows a PC or Mac that is logged in but locked can have the login credentials stolen. The hack takes an average of 13 seconds and the credentials can then be used to compromise all other accounts sharing those credentials. Here’s how it works and what it means for your enterprise.
What Systems are Vulnerable
Security researcher Rob Fuller recently exposed the vulnerability which has already made headlines around the world. The simplicity and speed of this attack, along with the sheer number of computers that can be compromised by it, makes this attack especially dangerous.
The attack works on computers that are logged in but locked and requires a USB device to be plugged into the system.
Fuller has confirmed the current version of this attack worked on these systems:
- Windows 98 SE
- Windows 2000 SP4
- Windows XP SP3
- Windows 7 SP1
- Windows 10 Enterprise and Home
- OS X El Capitan
- OS X Mavericks
More potential methods and systems are still being tested, including versions of Linux.
How the Attack Works
Fuller explains in his blog post that a USB dongle can be modified and plugged into an Ethernet adapter, essentially creating simple plug-and-play credentials stealing the device.
The attack is possible because most systems automatically install Plug-and-Play USB devices, so “even if a system is locked out, the device [USB dongle] still gets installed,” Fuller explained. There are restrictions on what types of devices are allowed to be installed on a locked system, as you might assume, but an Ethernet device is currently not restricted.
After the USB plug-and-play device installs itself, it then acts as the network gateway, DNS server, and Web Proxy Autodiscovery Protocol (WPAD) server for the victim’s system. The login credentials are then automatically and quickly transferred to the USB device because of the default behavior of network name resolution services, which can be exploited to compromise authentication credentials.
An application on the USB dongle, in this case, a free application called Responder, spoofs the network, intercepts hashed credentials, and stores them in a database.
The hashed credentials can then be easily decrypted later, giving the hacker the passwords in cleartext.
This is what the entire attack could look like: someone connects a USB device to a locked system, removes the device without a trace, and walks away with the stolen credentials – all in an average of 13 seconds per system.
See a video of Fuller performing the attack on a Windows 10 system here.
How to Secure Your Organization
New vulnerabilities like this one in systems we depend on will continue to be discovered, often after the damage is already done, but the critical resources and information in your organization do not have to also be exposed.
Strong privileged access management practices should be the primary solution for eliminating risks from this vulnerability and many others like it. Credentials will be compromised. Instead of focusing on merely preventing credentials from being stolen, it is extremely important to also focus on reducing the risk posed by those stolen credentials.
A single captured credential can be used to compromise sensitive information and resources, other exposed credentials, and then more sensitive information and resources. Stolen credentials are extremely difficult to detect and are a key part of virtually every major breach today.
Organizations should be fervent and disciplined in ensuring that every credential, or “key”, unlocks as little of the organization as possible to reduce and eliminate exposure if that credential is stolen. Every credential needs to be evaluated for its potential risk to the organization and least privilege principles should be practiced until they become ingrained as a habit.
Requiring two-factor authentication for sensitive assets is another highly effective way to reduce and eliminate the risk of stolen credentials. By requiring two “keys” to authenticate, with one key that is constantly changing, you can eliminate the risk posed by just one of those keys being stolen.
For help preventing risks posed by vulnerabilities like this one in your organization, click below to schedule a risk assessment with CyberSheath privileged access management specialists to get an invaluable report on the risks posed by specific privileged accounts in your enterprise.
Many of us travel for work, and as such, we must connect to a number of untrusted networks in order to stay on top of things. These public networks, while seemingly non-threatening, can be a hostile environment with malicious users seeking to extract any sensitive data they can, such as credit card information, personal information, and passwords. Some may say that this is unlikely and that if there was a malicious user on a public network, they would be protected with the use of encrypted services. However, I would argue that this is not the case at all. Often adverse agents will use “passive” monitoring techniques to intercept data being sent over the network. This can be accomplished with any packet sniffing tool but will only allow an attacker to see traffic that is “in the clear” or unencrypted. If an attacker intends to intercept data transported via TLS, SSL, HTTPS, or from encrypted services like Gmail, Slack, or Dropbox, they need a way to subvert the in-transport data protection mechanisms.
One of the most common methods an attacker can utilize to defeat transport encryption is a Man-in-the-Middle (MIM) attack. At a high level, an attacker can sit in-between a target user and the secure service they are communicating with, break the established secure connection between the user and the service, and force unencrypted clear-text communication of information back to the victim – data that can be easily captured by the attacker. This all happens in the background, almost seamless to the user. In such an attack, the only noticeable difference is likely to be the use of “http” vs. “https” in the address bar of a browser or a missing lock icon, which is likely not enough of a warning to alert the user to what is happening unless they have been trained to detect such an event.
If users do not understand basic attacks that can deceive them into letting attackers through the front door, it is bound to happen and remains a legitimate concern for their organization. Human risk is difficult to mitigate, even though it is one of the easiest and most common weaknesses for an attacker to exploit. Organizations are realizing this, and rethinking how they provide security awareness training to their employees. Security Awareness has long been a compliance-based necessity, but more and more organizations are reaching beyond compliance and trying to achieve best practice standards.
Educating your employees on common cyber threats like SSL spoofing, phishing attacks, and social engineering can reduce your organization’s human risk level. According to Forbes magazine, in 2015, companies spent $1 billion annually on security awareness training in attempts to reduce human risk. When combined with testing procedures to collect relevant metrics, a security awareness program can have very real, tangible effects on your organization’s overall risk. However, building out an effective, mature, security awareness program is not a small undertaking. Understanding what training to provide to particular employees, and how to then test them to ensure they are able to apply the information can be difficult and time-consuming. As organizations begin to recognize the value in addressing human risk, the need to implement security awareness capabilities programmatically and strategically becomes ever more necessary. Approximately 70% of cyber attacks use a combination of phishing and hacking techniques, with the increase in technical security and hardened defenses, end users are proving to be easy targets for attackers.
If your organization is struggling with controlling human risk and implementing an effective security awareness program to do so, CyberSheath can assist you in constructing a program to train your employees on a variety of security topics in order to enable a broad security mindset, and address behavioral risks as they relate to security and ultimately reduce the number of security events due to human risk. We provide services that assist clients in building and maintaining security awareness programs that not only meet compliance requirements but go above and beyond to impact an organization’s human risk level through effective policy/program design, implementation and a proven metrics framework.
Cybersecurity researchers are increasingly concerned with Internet-connected vehicles. Vehicles nowadays are connected to owners’ homes, traffic signals, insurance companies, and more and are just as vulnerable as corporate networks. Security analysts and researchers have demonstrated ways to remotely manipulate a car’s system that controls braking, accelerating, steering, and other critical functions. Furthermore, these vulnerable systems were not limited to one brand or model of car. As such, the FBI and National Highway Traffic Safety Administration (NHTSA) issued a public service announcement in March warning of the potential cyber threats.
According to the public service bulletin, researchers could gain control over these critical safety functions by exploiting wireless communications vulnerabilities. According to the bulletin, despite remediating the wireless vulnerabilities, third party and aftermarket equipment and devices with the Internet or cellular access plugged into diagnostic ports could also introduce additional wireless vulnerabilities. By exploiting weaknesses in vehicles’ wireless communication and entertainment functions and connected to the controller area network (CAN), researchers were able to accomplish the following:
Target vehicle at 5-10 MPH
- Engine shutdown
- Break disablement
Target vehicle at any speed:
- Door locks
- Turn signals
While it is important to note that there have not been any reported incidents involving vehicles being hacked, manufacturers did issue a recall notice (NHTSA Recall Campaign Number: 15V461000) in order to remediate the vulnerabilities. The NHTSA and FBI provide additional tips and security awareness here.
According to Deloitte, the vast amount of software running in cars raises many concerns about the quality and security of the vehicle and everything connected to it. Manufacturers and suppliers will need to address these issues including cyber risk, building cybersecurity into software and component design lifecycles, monitoring the threat actors, and collect and share cyber threat intelligence.
Regardless if you are a vehicle manufacturer, Fortune 500 organization, or a small business, security is everyone’s responsibility. CyberSheath can help you on the path towards security maturity.
ARS Technica recently published an article on the security of inflight Wi-Fi. Providers like GoGo Wireless and Global Eagle Entertainment offer passengers to pay for use of Wi-Fi services. While customers may think their communications and activities are secure, think again, says USA Today columnist Steve Petrow. Mr. Petrow was “hacked” while on an American Airlines flight – a man claimed to have been able to read his email communication with a source for a story. Given the overall Wi-Fi security lapses, as addressed in this post from ComputerWorld, it is easy to begin to understand how this can happen. But what can be done about it?
First, Wi-Fi on an airplane operates similar to public Wi-Fi networks. Access is granted through a “captive portal” where you have to provide login details and/or payment info and accept the terms of service. Once that is done – the user is granted access to the web. There is no password protection on the connection, which means the traffic that is carried on the Wi-Fi network’s packets is being transmitted in the clear. This means anyone listening can grab the data that passes through the access point.
Second, inflight wireless networks have taken a further step that affects the privacy of the network by blocking basic network security tools such as secure HTTP and some virtual private networks. Without these basic building blocks of security, it becomes clear how Mr. Petrow was “hacked.” When you are on a public Wi-Fi your device becomes visible to other people on the network. Unencrypted traffic is visible and in cases where the user is using POP/SMTP, that traffic is also readily visible.
While it appears that blocking basic security measures appears to be an oversight, it is indeed intentional. Gogo and Global Eagle Entertainment block some commercial VPN networks and GoGo was issuing its own certificates for secure websites such as Google. By stripping away SSL encryption this allows Gogo to prevent passengers from accessing sites with inappropriate content and gives law enforcement more visibility into the browsing and search habits of GoGo customers. ARS Technica reported that GoGo works closely with law enforcement and designed their inflight network with law enforcement in mind:
“In designing its existing network, Gogo worked closely with law enforcement to incorporate the functionalities and protections that would serve public safety and national security interests…”
While the jury is still out as to whether or not Wi-Fi networks do not pose a threat to airplane communications or functionality, the passengers using the service should be aware of what they are signing up for. Attackers sitting on flights wishing to hack into a passenger’s device can easily set up a fake access point, rerouting legitimate traffic to their laptop with two Wi-Fi signals. While SSL would still protect passengers from accessing other user sessions, a determined attacker can overcome this with tools like SSL Strip.
To protect your session, ARS technica recommends using a VPN connection (if it will work), and ensure that sharing has been disabled. Also, pay attention to the certificate warnings. If chrome or firefox warns of a bad or unknown certificate, don’t proceed – wait until you are on the ground with a better network to connect to. Of course, the best defense is to turn off your Wi-Fi and work offline.
What does this mean for your organization? As your organization sends workers around the globe, it is important to develop good security habits. Start with security awareness training. Ensure devices are protected. An employee who travels a lot is likely to introduce something back into the network when she connects with the “mothership” so it is imperative that devices are routinely patched and monitored for vulnerabilities.
Whether or not you send your employees on the road frequently, CyberSheath can help you build your security program to make informed and secure travelers.
With 2016 underway, and CIO’s taking a more critical eye at cybersecurity costs, and boards having a better-informed definition of information risk, security organizations will be forced to evolve from past practices that were once seen as appropriate. With today’s advanced threats weighed against business priorities, CISO’s may need to abandon some assumptions and methodologies that are no longer acceptable.
3 Security Myths that Will No Longer Fly in 2016
1: A Products vendor can drive the organization’s entire security strategy
Security product salespeople will tell you that simply buying their expensive software will “address all your PCI compliance needs” or “cover 14 of the 20 critical security controls.” But the truth is that these tools neither solely ensure compliance nor fully meet the security needs of the business. Information security is about people and processes. Spending an entire year’s security budget on security software will leave an organization without the appropriate amount of staff to run the tools, and lacking in the maturity that only documented procedures can provide.
2: Vendor Security isn’t necessary (or isn’t the responsibility of the CISO)
For years the capability for a security organization to identify and assess the risk associated with third parties have been put on the back burner or left to other parts of the company. The efforts expended to protect data on internal networks are shockingly unequal to that being used to protect data of the same criticality handed without any consideration to vendors. With the criticality of data entrusted to cloud providers and application hosts and the large percentage of high profile data breaches coming from vendor relationships in 2016, vendor security management needs to be #1 on the list of gaps to close for a CISO.
3: You won’t have any security staff turnover
It’s estimated that there will be one million unfilled cyber security jobs in 2016. Organizations invest a lot to develop security professionals internally, and the projects and initiatives of the company can often be built on the skills of these employees. However, even employees who are highly engaged and seemingly well-compensated will experience salary and opportunity temptations this year that will pull a good percentage of the workforce away into new jobs. Without properly documented processes, a security organization can expect to lose a significant amount of knowledge when key employees leave for new challenges.
So What’s the Answer?
The common thread in each of these soon-to-be abandoned myths is that organizations need documented processes to address cyber risk. Set out on a plan this year to document and put in place the most critical and common security procedures that your security organization can use to enable the business and reduce threats. Having well-documented processes will lessen your dependence on tools, address third-party risks, and reduce the impact of staff turnover. By discarding these out-of-date myths, you aren’t really losing anything, but rather gaining capabilities that move you towards a more sustainable and mature security organization.
Did You Like This Post?
Subscribe to CyberSheath’s blog today to receive email updates as new posts become published.
In the years before business leaders truly understood cyber risk, requested budgets for cybersecurity departments were often approved without thoughtful consideration or review. There was a day when CISO’s could basically say to a CIO, “I can’t tell you how much safer this will make us, and I can’t say we absolutely won’t have a data breach, but I need 3.5 million dollars.” Most of those inflated numbers were driven by the desire to buy the latest security tools that vendors promised would solve all security problems. The funds were to be spent, generally, on products and the staff to support them.
CISO’s can no longer expect to have large annual budgets approved without tangible, quantified data to back up the necessity. The days have passed when budgets were built on fear, uncertainty, and doubt (FUD), empire-building, or opportunities to buy the trending tools. Security funding needs to produce measurable results, or at a minimum, be supported by credible metrics that validate the business needs.
Two Components of a Successful Budget Request
1: Funds to Close Compliance Gaps
Businesses understand the language of compliance. Regulatory gaps and deficiencies can prevent companies from entering markets, and have a real impact on the organization’s ability to win and retain contracts. By tying budget line items to specific compliance gaps, CISO’s can implement short and long-term projects to remediate the deficiencies and show actual value through compliance achievements. If in addition to compliance gains, those funds also help grow the maturity of the security organization as a whole, great. Use compliance requirements to make smart budgeting requests that both close gaps and advances the security mission.
2: Operational Metrics and Staff Utilization
You cannot request additional funds to hire more full-time security employees without data to substantiate them. Imagine a CIO replying to your ambiguous request for staff with, “You already have 6 people, why should I give you money to hire 4 more?” Smart CISO’s measure the workload of their employees through metrics and reporting to justify the need for more support. By tracking the number of incidents an analyst investigates daily, hours supporting business initiatives, or vulnerability tickets closed per month, a security organization can prove, empirically, that they are understaffed for the processes they need to support. By measuring full-time employees vs. the tools and tasks they are assigned to daily, the conversation now changes to, “We have requirements and tasks for a staff of 10, and I only have 6.”
The data that you are collecting this year will support your budget request in the upcoming fiscal year. Security budget requests demand a level of rigor and proof commensurate with other parts of the business. Security assessments and security program development help you obtain and understand your compliance gaps as well as your staffing utilization and operational needs. Take the time this year to independently assess your organization against industry standards and submit a security budget next year based on facts.
Don’t Know Where To Start?
CyberSheath’s Strategic Security Planning service offering can help you plan, build, and manage a strategic information security organization that enables your business. Our operational strategy and budgeting plans aggressively drive security organizations towards pursuing higher levels of performance. Our Strategic Security Planning service will enable you to successfully create a security budget that directly matches your business needs and goals.
Modern Healthcare recently reported that “Health insurer Centene Corp. is hunting for six computer hard drives containing the personally identifiable health records of about 950,000 individuals…” While this potential data loss doesn’t come close to the monumental data breaches suffered by Anthem, Blue Cross and Blue Shield and others in 2015; it highlights 5 actions that companies of any size in the healthcare space should be taking now to optimize security.
5 Actions You Should Take to Improve Security
1: Manage and Encrypt Assets
Know what you own, who it’s assigned to and if it’s mobile encrypt it. Wrap these efforts into your existing Governance, Risk, and Compliance efforts for HIPAA Hitech, PCI DSS and any other relevant business requirements around compliance. As a goal measure once, comply many but whatever you do encrypt and track your endpoints.
2: Manage Your Vulnerabilities
Establish a capability to assess the risk of systems, applications, and IT services by evaluating the prevalence of vulnerabilities in your environment. You won’t ever be able to remediate them all but you don’t have to. Focus on the high risk/high probability first and establish a documented, repeatable program to continually address this basic requirement for IT security.
3: Privileged Access Management
Monitor and manage your privileged accounts as these will be the accounts likely exploited in a successful breach. Ignoring this accepted minimum standard of care for information security is akin to not encrypting laptops, it’s a necessity, not a luxury. For further explanation, we discuss privileged account exploitation more in-depth in our white paper, CyberSheath APT Privileged Exploitation.
4: Protect the Network
Provide protection for your network environment with a set of network security tools to detect, alert, and automatically respond to malicious activities targeting your environment. Prioritize requirements here to fit your budget and make tradeoffs were required to include protection for internally and externally available systems, email platforms, and internet use via browser.
5: Incident Response, Logging, and Monitoring
Build a capability to monitor critical systems, applications, and IT services as well as to detect and respond to incidents and/or breaches when information is improperly handled, accessed, or transmitted as it inevitably will be at some point. Do what you can with what you have as not everyone can afford 24/7 monitoring. Outsource where necessary but do not get caught with no plan or capability or you will spend exponentially more being reactive.
How Can CyberSheath Help Your Organization?
All of these efforts can and should be integrated with the day-to-day delivery of IT operations to maximize your efficiency and effectiveness. CyberSheath will work with your organization, large or small, to help secure your valuable assets. CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand in regards to industry standards and regulations.
The FDA recently issued draft guidance entitled “Postmarket Management of Cybersecurity in Medical Devices” and once again NIST is setting the standard as a recommended framework, specifically the NIST “Framework for Improving Critical Infrastructure Cybersecurity.” The draft guidance issuance date is January 22, 2016, CyberSheath has expanded on what this guidance means for medical device manufacturers in a recent blog post, below you can review the FDA press release and draft guidance.
Cybersecurity Recommendations for Medical Device Manufacturers:
Submit Comments and Suggestions on Draft Guidance
Interested parties should “submit comments and suggestions regarding the draft document within 90 days of publication in the Federal Register of the notice announcing the availability of the draft guidance. Submit written comments to the Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852 or submit electronic comments. Identify all comments with the docket number listed in the notice of availability that publishes in the Federal Register.”
How Can CyberSheath Help Your Organization?
The FDA guidance continues a trend where the government is using its ability to influence industry and improve cybersecurity across every critical infrastructure sector. CyberSheath will work with your organization, large or small, to understand the NIST framework recommended within the FDA draft guidance. CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand in regards to industry standards and regulations.
Bring your own device (BYOD) is the use of an employee’s personal mobile device, e.g., smartphone, tablet and/or laptop, to access a company’s data or network. Once a trend, BYOD has gained wide acceptance across businesses succeeding in today’s markets. Findings from Tech Pro Research in early 2015 indicated “74 percent of organizations [are] either already using or planning to allow employees to bring their own devices to work.” What is the main motivator for this movement? A study conducted by IBM found the main advantages of the BYOD environment were a rise in employee productivity and satisfaction as well as overall financial savings for the business. The benefits of BYOD are great, but what does it mean for the overworked IT environment already combating constant attacks on their network?
Ultimately, allowing employees to use personal devices to access company proprietary information opens the business to potential cybersecurity risks. The risk of a non-company owned device being lost or stolen, lacking necessary anti-virus software, or accessing data that is not encrypted, all leave an organization’s data vulnerable and can lead to a data breach resulting in significant financial loss. As 2016 gets underway, the discussion on the protection of organization-controlled data becomes even more relevant. With the growth of BYOD in 2015, it is not a question of how an organization can avoid the adoption of this movement, but rather how can a business mitigate the risks associated with it? To address some of these concerns, CyberSheath has outlined 3 common industry best practices to begin the process of ensuring your data is secure within a BYOD environment.
3 Tips to Secure Data in a BYOD Environment
1: BYOD Policy
For starters, employees must have permission to use their personally owned devices for business purposes. A good place to begin is with a strong BYOD policy. The policy must clearly define the organization’s expectations of its employees when using their personal devices to conduct company business. Requirements for employees, such as requiring anti-virus software on non-company devices, enforcing a two-step authentication or putting company proprietary information into secure content lockers, are guiding principles that offer increased security to an organization. Industry educational institutions, such as the SANS Institute, encourage the use of policy development and describe them as the “practical steps necessary for defending systems and networks.” Policies enable organizations to hold employees accountable for their actions.
While policies provide guidance and permission to employees, policies in of themselves do not secure the data. Encryption is one of many ways to secure data on a personally owned device. In 2015 the Office of Personnel Management (OPM) learned the hard way the importance of encryption when discovered in hearings held by the House Committee on Oversight and Government Reform that “the data stolen in the massive OPM breach was not protected by practices like data masking, redaction, and encryption.” Encryption is an excepted best practice to meet compliance regulations that require the protection of data, and as expressed in hindsight by Rep. Elijah Cummings, D-Md. at the OPM hearing, “should become the norm.”
The third most important tip for the BYOD environment is training. While having a good policy in combination with strong encryption can protect the data, training brings it all together for the employees. Training employees on policies, how and when to use encryption and secure content lockers, go a long way in the fight against data breaches. Training enforces acceptance of the BYOD policy and employees can no longer use the reason “I didn’t know how” to secure my [data/mobile device/email/document]. While the above suggestions can be implemented relatively easily properly training employees on the policy and technology to support the policy is far more cost-effective than dealing with a data breach due to an uninformed employee.
How CyberSheath Can Assist Your Organization Mitigate the Risk of the BYOD Environment?
To start, as part of our Staffing and Residency service offering CyberSheath can provide the experts necessary, whether transitioning or reevaluating your current BYOD environment, to create the policies and procedures critical to securing your digital assets.
Security Operations Centers (SOC) provide businesses with the ability to see what’s going on in order to respond accordingly. SOC teams rely on the ability to learn skills and processes on-the-fly to meet expectations from stakeholders across the business and combat an ever-evolving persistent cyber threat. One of the critical contributors to any SOC’s success is skill availability. While technical experts and vendors have done great work building cybersecurity solutions, a SOC is nothing without the right people.
The majority of SOCs today struggle to justify their value to the business. Cybersecurity represents a vague and fairly intangible field of work that cannot be quantified through profit margins and in the absence of compromise or breach businesses are prone to undervaluing a SOC’s criticality to the business. This business reality coupled with the inherent challenge associated with safeguarding businesses physical and logical assets makes running a SOC an incredibly daunting task. And so it should come as no surprise that the most challenging and critical roles for a SOC to staff are its leaders.
SOC leadership (director, manager, shift leads, senior analysts, etc.) must be able to understand the larger cybersecurity picture, translate security into the language of the business, and hold some degree of deep technical knowledge matured over a long cybersecurity career. The wrong leadership in a SOC can lead to over-promising, under-delivering which effectively defeats a SOC from within especially if they have yet to develop a track record of success. Throughout my career, I have witnessed SOC leadership either succeed or fail based on how they navigate through three very common pitfalls found within a SOC.
Here are the three most common pitfalls SOC leaders should avoid:
1. Negative Reinforcement
The SOC leadership team has a responsibility to ensure they are providing the appropriate level of training and mentoring to the younger and less experienced security analysts. They must be sensitive and actively aware when they reward, discipline, or punish any individual on the team. For a SOC that’s ever-evolving, discipline and punishment tend to reduce the free thinking successful SOC’s depend on. Disciplining or punishing a security analyst that took liberties with data to improve their work efficiency could decrease the likelihood that they would innovate or improve upon operation processes in the future, even if it represents a positive step forward in operational maturity. It is imperative that a SOC’s leadership team be cognizant of how they apply positive and negative reinforcement as to not steer an individual away from innovating on security tools and processes, which may result in better operational practices and instead explore methods that provide constructive reinforcement and help analysts learn how to make better decisions.
2. Muddled Communication
A very simple and quick win for any SOC leader is to apply simple communication practices into their daily activities. For instance, if a leader is making a decision on behalf of a security analyst then it is very important that the leader communicates their intent and thought processes to the security analyst. Little things like data normalization and timestamp assumptions can make a world of difference. Maintaining a transparent level of communication with your team will help them understand their role in the larger picture and enable them to better position themselves for success. Time is extremely valuable in a SOC and less abstraction from data is critical to understanding the intricacies of complex systems and improving response times.
3. Unrealistic Expectations
The phrase “real-time detection” has become commonplace marketing lingo for cybersecurity tools but it has also created a new paradigm that puts the quality and accuracy of analysis at risk. While systems and tools may provide real-time detection and analysis over data, human interpretation operates at a slower speed. Most SOC leaders today believe that if an analyst receives an alert and is presented with some degree of data that they will then be able to make a rapid decision on whether or not a breach has occurred, and to what extent. This places immense pressure on the SOC team and the mandate for a quick and final decision is not grounded in the needs of the situation at hand, but rather, the unrealistic expectation placed on the team. It is logically unreasonable to expect to detect and ascertain all of the pertinent details of a potential compromise in any kind of manner that resembles real-time or near real-time. Even if a security analyst is able to determine that malware has been installed and C2 communication is present, they still don’t know how the attacker got in, what other machines they are interacting with, the nature of the attacker (structured or unstructured), or if an attack if ongoing. The average statistics on real-world cyber attacks illustrates that attackers will often persist within a network for up to a year before executing the attack. As a SOC leader, it is critical that you consider the sheer volume of planning and preparation that the attacker is bringing to the table and that you respond calmly and ensure analysis quality, efficiency, and consistency across the team.
The last week or so marks what I would describe as an unprecedented shift in the impact of cyber attacks with the Sony breach. I run from the constant fear, uncertainty, and doubt (FUD) that gets circulated and recirculated by vendors and media outlets but I see this attack and more specifically the impact as different for several reasons. The Sony attack is also a call to action for the government of the United States to get their act together on cybersecurity and DO something to help American businesses large and small better defend themselves.
So what was different about the Sony attack?
Scope and impact. The scope of the attack as we know it so far is different from anything I can ever have remembered seeing before. Instead of a massive attack targeting specific information like large volumes of credit card or social security numbers, this attack stole intellectual property, HR records and caused disruption to “the network”. That’s malice and the intent to do measurable harm to a specific company rather than gain financially, the scale and scope of which we have never seen before.
The impacts of this attack were swift and far-reaching. Intellectual property in the form of five or more movies from Sony Pictures was stolen and are being shared illegally around the web. Salaries, home address and other Human Resources related data of 6,000 Sony Pictures employees were stolen and shared and posted in one form or another across the web. Finally, the company was reportedly shut down and held hostage to ransom demands that left many computers unresponsive.
All of these details in both and scope and impact represent an unprecedented attack on a US-based company (Sony Pictures Studios is located in Culver City, CA). Our government has fiddled while Rome burns and it’s time that the government step in and partner with industry to find a way to stop the bleeding. I’ve had the pleasure to be part of a measurably productive government/industry partnership in cybersecurity with the Defense Industrial Base (DIB) program and I testified before the House Armed Services Committee (HASC) Subcommittee on Emerging Threats and Capabilities extolling the incredible value of the DIB program and how it could and should be meaningfully expanded. So I know we have the talent, both in government and industry to address (not solve) this issue.
We have all the right people to deal with this in a meaningful way that can improve the current situation. I’m the last person to ever ask the government to lead anything but in this case, I really do think it’s their job and I know firsthand that they have a template for doing it.
When I was a CISO for a global defense company, I realized that a company of any significant size or complexity could never “do” security for themselves. Why can’t big companies go it alone? Partly because of specific resources and expertise that is not resident in-house and partly because of all the things that compete with delivering security, namely projects, politics, personalities, egos and all the other fun stuff that comes with being in a big company. Political correctness and all of the other impediments of a big company naturally get in the way of delivering actual security. Executives have pet projects that compete with core mission requirements and day to day security falls behind.
Couple that with an executive audience that didn’t grow up with and therefore can’t understand the threat, at least not in a way they can quantify like other business issues, and you have a recipe for excess spending on underperforming solutions. This article makes the point. It’s not the sexiest breach to be reported but I’d argue it’s the kind that most likely applies to the majority of companies. Said another way, this was work that probably could and should have been done by internal resources but there are no villains in the story. Security and IT were probably overworked and delivering some IT projects rather than actually delivering security.
I don’t think this is going to change anytime soon which is why I think deliverables-based engagements with trusted partners are here to stay.
Day 1 at RSA wrapped up yesterday evening when the vendor expo opened and conference attendees had an opportunity to visit vendors and check out the latest and greatest products. The vendors are primarily products vendors which reminded me how important it is for a CISO to have a services partner to help cut through the FUD and deliver value.
CISO’s are inundated with point solutions, some of them excellent, but many of them duplicative of existing investments. I’ve found that in selecting products the process/project often ends with “100% deployment” leaving security organizations unable to measure the return on their investment. A simplified view of the process goes something like this:
- Identify a need
- Hold a “bake-off” and select a product
- Set deployment objectives (entire enterprise, all Windows desktops, etc…)
- Achieve deployment objectives
- Declare victory with reports showing deployment saturation metrics
It’s a missed opportunity for security to instead align with the business and demonstrate quantifiable value by defining the project in the context of the business problem that is being solved. Security organizations can get myopic in viewing risk and laser-focused on point solutions that address specific security requirements missing the opportunity to tell the story of the business issue they are addressing as a part of the bigger picture.
100% deployment isn’t the goal, that’s just your day job. Enabling the business to engage customers, capture sales and recognize revenue is the goal. When you are in the trenches every day it’s difficult, sometimes impossible, to address the bigger picture but in my experience, the organizations that do are the most effective.
All checked in @RSA 2013 here in San Francisco!
It’s interesting to me the difference in perspective in attending one of these industry conferences as the CEO of a security services company rather than a CISO. When you are a CISO for a Fortune 500 company EVERY vendor wants your time and you can be sure you will meet for as long as you want with whomever you want. As the CEO of a services company you’re competing for time with all of the big vendors and had better have something important to say as you vie for precious the precious time of oversubscribed CISO’s.
It’s a great reminder for me of how important the work we do is. C level executives are inundated with competing demands on their time and what they need most is someone to solve real-world problems for them. They need a vendor, individual, product or service that literally takes something off of their plate so that they can move on to other priorities. Adding value in the security space is about delivering real-world pragmatic solutions that improve security posture.
Do you need that kind of a partner for your company? Let’s talk; I’ll be here all week, firstname.lastname@example.org.
Siobhan Gorman of the Wall Street Journal wrote yesterday that “Fortune 500 companies in a range of industries back a system of voluntary cybersecurity standards”. The topic of cybersecurity standards being voluntary or mandatory often sparks lively debate, but unfortunately, it’s the wrong discussion.
As a knowledge-based economy, intellectual property is the lifeblood of many businesses in America today and ultimately protecting it, collectively, is a matter of national security. The government has an appropriate role, indeed a responsibility, to regulate how that is done and they have done a tremendous amount of good work in defining recommended controls with the National Institute of Standards and Technology Special Publication 800-53. So I write this as a believer that the government has an important role to play in defining and implementing cybersecurity standards given the national security implications.
Compliance to standards and regulations like PCI DSS, HIPAA and others, voluntary or not, should be outcomes of an effective security program and not separate objectives divorced from day to day operations. When viewed in a vacuum, compliance to standards can be bureaucratic, costly and not materially effective in reducing actual risk. Fortunately, there is an efficient and effective way to deal with compliance and that’s the discussion we should be having.
The work being done in security operations centers and IT delivery organizations to secure a company’s assets and information should be documented, measurable and process-driven. If your security program meets these criteria then the outcomes and effectiveness of your efforts can be easily measured against compliance to standards, often in an automated fashion. If your security program isn’t documented, can’t be consistently measured for effectiveness, and is not process-driven then compliance to standards is a paperwork exercise that adds little or no value. Security programs like this often struggle to demonstrate their relevance to the underlying business, as well, because the business isn’t sure what they should be getting for their security dollar.
If compliance to prescribed standards is a drain on your resources and you can’t see the value that could be a red flag that your overall security program isn’t meeting its objectives. Seize the opportunity to develop a strategy for your security organization, set success criteria, define metrics and articulate your value to the business. If you’re doing that, compliance will be easy.