Security breaches make headline news. Even the most seemingly secure and untouchable organizations are vulnerable as security measures are only as effective as the weakest link. Most recently, Equifax was compromised, potentially exposing vital information of half of all adult Americans.
When it comes to protecting digital identity, there needs to be a more sophisticated way to identify, authenticate, and trust identity information. How does your organization need to change the way it thinks about digital identity? And what measures should you take to better protect your systems and information?
Evolving Threat Landscape Makes Identity Management a Challenge
As hackers employ more sophisticated means to infiltrate an enterprise, organizations need to change the way they prove identity – including moving beyond password security. In Verizon’s 2016 Data Breach Investigations Report, it’s revealed that 63% of confirmed data breaches involve password attacks, including phishing or some other kind of password harvesting technique. (http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf)
Once the initial breach happens, more damage occurs as the hackers harvest additional passwords to explore the enterprise from the inside, working to compromise more systems and access more information.
How this Impacts Your Business
Passwords are not enough to protect important data. The more valuable the data, the more important it is that only the right people have access to it. To keep up with changing technologies, market conditions, and attack methods, NIST updated their Digital Identity Guidelines to provide a more robust way to approach safeguarding identity.
Version 3 of NIST 800-63 (https://pages.nist.gov/800-63-3/) was released in June. The revised guideline helps organizations by outlining methods to evaluate their requirements for authenticating users and to evaluate identity management tools. Where the previous version, NIST 800-63-2, had a single measure of identity effectiveness (the Level of Assurance), the revision defines three separate measures, giving more clarity on how to gauge the trust placed in a digital identity. They are:
- Identity Assurance Level (IAL): How well do you know that the person creating this account is the real person he or she claims to be?
- Authenticator Assurance Level (AAL): How well do you know that the person accessing this service is the same person that created the account?
- Federation Assurance Level (FAL): How well do you trust the identity provided to you by a third party Identity Service?
Creating Your Identity Management Approach
- Determine what types of users interact with your various systems. Typically an enterprise will have employees, customers, vendors, partners, and perhaps other user types.
- Map business case and levels of access for each user type. Define what information each role needs to have access to as well as the level of trust that the person accessing it is the person that should be accessing it. If you are not going to require a user to have a high level of assurance, then you are going to restrict the data he or she has access to.
  - For instance, you trust your employees more than you trust your partners, perhaps your partners more than vendors, and vendors more than customers. A market system would require a different level of trust than your internal development system with all of your intellectual property.
- Determine how you manage access, and how you verify and protect digital identity. Some questions to ask include:
  - Do you need to look at someone’s driver’s license in person before authorizing access to high-value information, or is an email address sufficient for access to lower-value information?
  - Do you need Multi-Factor Authentication (MFA) before allowing access to critical assets, or is password security sufficient for routine access?
  - Important note on MFA: When evaluating MFA vendors, NIST 800-63-3 defines and puts into context the capabilities they need to provide. Some methods of authentication that are in common use today are no longer considered safe – specifically, SMS one-time passwords. If you are currently using SMS or email to send one-time passwords to verify authentication, consider transitioning to push or soft token technologies.
  - Do you need a dedicated on-premises identity management system, or can you rely on a third-party Identity as a Service (IDaaS) provider such as Google, Facebook, or Microsoft?
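The mapping exercise above (user types, the data each may reach, and the assurance level required before they reach it) is easiest to reason about once it is written down as a policy that can be evaluated. The following is an added example, not code from the article or from NIST: the AAL names come from the guideline, but the user types, resources, required levels, the authenticator catalogue and the simplified rule for deriving an achieved AAL from a session's authenticators are assumptions made for this illustration. SMS and email one-time passwords are modelled as "restricted" authenticators that only count toward a level when the policy explicitly accepts that risk, which is how the MFA note above plays out in practice.

```python
"""Added example: a small access-policy check built on the three NIST 800-63-3
assurance levels. The AAL names are from the guideline; the user types,
resources, required levels, authenticator catalogue and the AAL-derivation
rule are simplified assumptions for this example, not normative text."""
from enum import IntEnum


class AAL(IntEnum):
    NONE = 0
    AAL1 = 1   # a single authentication factor
    AAL2 = 2   # two distinct factors (e.g. password + authenticator app)
    AAL3 = 3   # two factors including a hardware-based authenticator (simplified)


# Assumed authenticator catalogue: which factor each supplies, whether it is
# hardware-backed, and whether the policy treats it as restricted (SMS/email OTP).
AUTHENTICATORS = {
    "password":     {"factor": "knowledge",  "hardware": False, "restricted": False},
    "sms_otp":      {"factor": "possession", "hardware": False, "restricted": True},
    "email_otp":    {"factor": "possession", "hardware": False, "restricted": True},
    "totp_app":     {"factor": "possession", "hardware": False, "restricted": False},
    "push_app":     {"factor": "possession", "hardware": False, "restricted": False},
    "hardware_key": {"factor": "possession", "hardware": True,  "restricted": False},
    "fingerprint":  {"factor": "inherence",  "hardware": False, "restricted": False},
}

# Assumed sample policy following the article's ordering of trust:
# employees > partners > vendors > customers.
REQUIRED_AAL = {
    "customer_portal":   AAL.AAL1,
    "vendor_invoicing":  AAL.AAL2,
    "partner_designs":   AAL.AAL2,
    "source_repository": AAL.AAL3,
}
ALLOWED_USER_TYPES = {
    "customer_portal":   {"customer", "employee"},
    "vendor_invoicing":  {"vendor", "employee"},
    "partner_designs":   {"partner", "employee"},
    "source_repository": {"employee"},
}


def achieved_aal(used, allow_restricted=False):
    """Derive the AAL a session reached from the authenticators it used.
    Restricted authenticators are ignored unless the policy accepts the risk,
    so password + SMS collapses to AAL1. Two authenticators of the same
    factor (e.g. two possession-based apps) still count as one factor."""
    counted = [AUTHENTICATORS[a] for a in used
               if allow_restricted or not AUTHENTICATORS[a]["restricted"]]
    factors = {a["factor"] for a in counted}
    if not factors:
        return AAL.NONE
    if len(factors) < 2:
        return AAL.AAL1
    if any(a["hardware"] for a in counted):
        return AAL.AAL3
    return AAL.AAL2


def authorize(user_type, resource, used, allow_restricted=False):
    """Return (allowed, notes). Access requires both a permitted user type and
    the resource's AAL; notes explain denials and flag restricted authenticators."""
    notes = []
    denied = False
    if user_type not in ALLOWED_USER_TYPES[resource]:
        notes.append(f"{user_type} is not permitted to access {resource}")
        denied = True
    reached, needed = achieved_aal(used, allow_restricted), REQUIRED_AAL[resource]
    if reached < needed:
        notes.append(f"reached {reached.name}, {resource} requires {needed.name}")
        denied = True
    restricted = [a for a in used if AUTHENTICATORS[a]["restricted"]]
    if restricted:
        notes.append("restricted authenticator(s) used: " + ", ".join(restricted))
    return (not denied, notes)


if __name__ == "__main__":
    for args in [("employee", "source_repository", ["password", "hardware_key"]),
                 ("partner", "partner_designs", ["password", "sms_otp"]),
                 ("vendor", "source_repository", ["password", "totp_app"])]:
        print(args, "->", authorize(*args))
```

The useful property is that the decision is explainable in the same vocabulary the business already uses (which user type, which data, which level), so an access denial for "password + SMS to partner designs" reads as "reached AAL1, requires AAL2" rather than as a technical detail about carriers.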
Identity Management is a Balancing Act
The onus is on your company to keep information secure – and to make sure those that interact with your systems are protected. It’s also important for identity management systems to enhance – not limit – your enterprise’s productivity. We can help you understand your needs for identity management. Contact us to learn more.
Continuing the topic of my recent blog posts, Government Contractors who store or transmit Covered Defense Information (CDI) are required to comply with the 14 control families of the NIST SP 800-171 by December 2017. The DFARS 252.204-7008 clause dictates the security requirements specified by DFARS 252.204-7012 for Safeguarding Covered Defense Information and Cyber Incident Reporting. The intention of the directive is to ensure the safeguards implemented to protect CDI are consistent across nonfederal information systems as they relate to work contracted by the US government.
While the regulation is not intended to impose a burden by requiring additional systems or incurring additional expenses to acquire government contracts, many contractors will not find this to be the case. Although 800-171 is derived from FIPS 200 and NIST 800-53, the new control set is intended to remove the overhead of the controls specifically geared toward federal agencies. It was expected that most contractors would only need to implement and update policies to comply. While this may be valid for contractors who have a mature security baseline in place that already contains components of the recommendations included in FIPS 200 or NIST 800-53, it may not be true for all. Unfortunately, for those that do not, this regulation may prove to be a challenging and expensive endeavor.
The requirement that I will be focusing on for this post is the need for safeguarding the confidentiality of data at rest. NIST 800-171 requires contractors to protect the confidentiality of data at rest by employing FIPS-validated cryptography and to manage the cryptographic keys used by the cryptography employed in the information system. In general terms, this control requires contractors who have systems which process or store CUI to safeguard that data effectively with an encryption solution.
What is data at rest?
Data at rest means data that is not moving through networks. Therefore, this generally refers to data stored in persistent storage such as hard drives on servers, workstations, and laptops. Additionally, media such as tapes, CDs, USB thumb drives and even smartphones can contain data at rest.
What is encryption?
Encryption is the process by which data is converted from its original form (plaintext) into an unrecognizable, encoded form (ciphertext). After being encrypted, the data is unreadable unless an individual has the necessary key to decrypt it back to its plaintext form.
Why full disk encryption?
Full disk encryption (FDE) is a security safeguard that protects all data stored on a hard drive from unauthorized access using encryption. With FDE all data is encrypted by default, taking the security decision out of the hands of the user.
Why is it important?
Theft continues to be one of the major causes of data breaches. Common use cases for implementing FDE are to protect against data loss due to lost or stolen laptops, smartphones, hard drives or removable media. If a laptop or smartphone falls into the wrong hands, that individual could potentially cause major damage if he or she had access to the CUI contained on that device. However, if the unauthorized user is unable to read the information on the device, then a data breach related to the loss could potentially be avoided.
There are many different encryption methods available. Keeping this in mind, it is important for defense contractors to review their systems to determine what is the best encryption solution to use. Many operating systems include built-in mechanisms for encryption, such as Microsoft’s BitLocker and Macintosh’s FileVault. While these options may work well, they are often difficult to manage in a corporate or enterprise environment. In these instances, it is often best to look to a third-party software solution to ensure you are getting the manageability and features you need.
Consider the following when sourcing a system and planning your deployment:
- Find a solution that is easy to implement and manage to limit the burden on your IT support staff. Systems that utilize centralized administration with automated deployment capabilities can streamline installation and day to day management.
- Attempt to find a solution that is compatible with all the client operating systems in your environment. Having only one solution to manage is a major benefit.
- Carefully plan, test, and pilot the intended solution on a test group of machines and users in your environment before rolling out an FDE solution to the full organization.
- Train your IT staff on the procedures for user management, system recovery in case of failure, and the possible issues related to the encryption process and how to manage them.
- Verify that users are prevented from disabling the encryption on their systems, and have a way to confirm that full disk encryption has not been disabled.
- Do not allow recovery keys to be stored with the client machines and confirm you have a system in place for key management.
- Ensure staff have a general understanding of the solution being deployed to their systems and why it is important. Staff support and acceptance can be beneficial, especially if any issues are encountered during or after the deployment.
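The two checklist items about verifying that encryption stays enabled and that recovery keys are escrowed centrally rather than left on the client are the ones that lend themselves to a repeatable check. The following is an added example written for this post, not code from any FDE vendor: it reads an endpoint inventory in the shape a management console might export (the column names and every sample row are constructed for the illustration) and flags each machine that breaks a rule, including a cipher that is not on an assumed FIPS-validated allow-list, which is the 800-171 point about FIPS-validated cryptography.

```python
"""Added example: a fleet check for the FDE deployment checklist. The CSV
layout, the sample endpoints and the cipher allow-list are assumptions made
for this example; they are not any vendor's real export format."""
import csv
import io

# Constructed sample export: one row per endpoint (not real machines).
SAMPLE_EXPORT = """\
hostname,os,fde_product,encryption_state,cipher,key_escrowed,local_recovery_file
LT-0101,Windows 10,BitLocker,Encrypted,XTS-AES-256,yes,
LT-0102,Windows 10,BitLocker,Decrypted,,no,
LT-0103,macOS 10.13,FileVault,Encrypted,XTS-AES-128,yes,
LT-0104,Windows 10,BitLocker,Encrypted,XTS-AES-256,no,C:\\Users\\jdoe\\Desktop\\BitLocker Recovery Key.txt
LT-0105,Ubuntu 16.04,(none),Decrypted,,no,
LT-0106,Windows 7,BitLocker,EncryptionInProgress,AES-128,yes,
LT-0107,Windows 10,BitLocker,Encrypted,RC4,yes,
"""

# Assumed allow-list of cipher labels the organisation accepts as
# FIPS-validated AES; adjust to what the chosen product actually reports.
FIPS_CIPHERS = {"XTS-AES-128", "XTS-AES-256", "AES-128", "AES-256"}


def check_endpoint(row):
    """Return the list of checklist violations for one exported row."""
    findings = []
    if row["encryption_state"] != "Encrypted":
        # Decrypted, in progress or unknown all mean data at rest is exposed.
        findings.append(f"encryption state is {row['encryption_state'] or 'unknown'}")
    elif row["cipher"] not in FIPS_CIPHERS:
        findings.append(f"cipher {row['cipher']} is not on the FIPS-validated allow-list")
    if row["key_escrowed"].strip().lower() != "yes":
        # Without central escrow a failed machine means lost data, not recovered data.
        findings.append("recovery key not escrowed in the central key store")
    if row["local_recovery_file"]:
        # A recovery key beside the disk it unlocks defeats the encryption.
        findings.append(f"recovery key stored on the client: {row['local_recovery_file']}")
    return findings


def audit(export_text):
    """Evaluate every endpoint; return (findings per host, compliant count, total)."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    report = {r["hostname"]: check_endpoint(r) for r in rows}
    compliant = sum(1 for f in report.values() if not f)
    return report, compliant, len(rows)


if __name__ == "__main__":
    report, ok, total = audit(SAMPLE_EXPORT)
    print(f"{ok}/{total} endpoints compliant")
    for host, findings in report.items():
        for f in findings:
            print(f"  {host}: {f}")
```

Run against the constructed export, only two of the seven endpoints pass; the rest surface exactly the conditions the checklist warns about. The same function can be scheduled against a real export so that a user switching encryption off, or a help-desk technician saving a recovery key to the desktop, shows up the next day rather than after a laptop goes missing.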
While implementing a solution of this magnitude might seem daunting to many IT teams, if it is managed correctly with proper foresight, it can prove to be a smooth and effective implementation.
Does your organization need assistance choosing and implementing the right solutions to become compliant before the December 2017 DFARS compliance deadline? CyberSheath has the expertise to provide you with leading solutions and provide you with the guidance you need. We have a specialized team of Cybersecurity Professionals with proven industry experience to guide and assist your business in achieving compliance.
Security flaws in the current global cellular network have been suspected for several years, but the concerns were mostly disregarded as theoretical. In February 2014, suspicions grew significantly when a phone call by a US Ambassador was mysteriously leaked onto YouTube, believed to have been intercepted by someone in Russia using the suspected flaws. Since then, security research teams have confirmed the flaws are very real and made their findings public, but have gotten relatively little attention, like the study released in February by AdaptiveMobile.
These flaws are now getting more public attention because of a recent 60 Minutes report in which German security researchers used the flaws to spy on US Congressman Ted Lieu, who agreed to help.
In the report, 60 Minutes sent a new phone to Congressman Lieu for him to use for communicating with his staffers, knowing they were participating in the test. They then gave the German hackers nothing but the phone number attached to the phone, challenging them to prove that intercepting SMS messages and phone calls really is that simple. The German hackers were successful.
Because of these security concerns, the US National Institute of Standards and Technology (NIST) has stated in their latest Digital Authentication Guideline that authentication via SMS messages should not be used. According to NIST:
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”
These security concerns apply to all uses of the current global telecom network, so it is important to understand why popular SMS authentication is insecure.
Why SMS Authentication is Insecure
SMS messages (for most carriers, including Verizon and AT&T) are sent over the Signaling System 7 (SS7) global telecom network. The SS7 network helps connect calls, among other functions, and has flaws in its original design that leave the phone calls and texts of the world’s billions of cellular customers vulnerable to being intercepted and redirected.
The flaws in the design make it possible for users of a cellular carrier in one part of the world to access information used by carriers on the same SS7 network anywhere else in the world with relative ease. The system was designed in the 1980s as a global network to be used by only a known few large mobile carriers and is now used by thousands of groups of all sizes and purposes around the world. The current system is known to have been exploited for locating users of the network and intercepting their communications. The system is planned to be replaced over the next decade. Learn more about the flaws with SS7.
These design flaws make it possible for SMS messages containing passcodes to be intercepted, allowing the codes to be used to hijack services that send verification codes via SMS. Today these SMS codes are commonly used to login, reset passwords, and perform other sensitive actions with services like Facebook, Gmail, Twitter, and many others.
SMS messages are also often visible on the screen of mobile devices even when the device is locked, making stolen devices a greater security risk for your accounts. Fortunately, there are many other options available for both authenticating and using the cellular network securely.
In general, these cellular network vulnerabilities apply to communications sent to a phone number, such as traditional phone calls and SMS messages. Communications sent to and from secure accounts, like instant messaging and voice calling with the Facebook Messenger service or FaceTime and iMessage from Apple, allow you to have more secure communication over an insecure cellular network.
The NIST guidelines recommend the use of secure apps or biometrics, like a fingerprint reader or increasingly popular facial recognition, to secure your account.
Many services like Facebook and Google offer secure authenticator apps to generate codes that do not use insecure SMS-based communication. Use of these authentication apps substantially improves the security of your accounts with little extra effort and is highly recommended.
Companies like Apple and Okta offer authentication via push notifications to mobile devices, making securing accounts even easier and faster.
Google also recently released its own push notification authentication called Google Prompt, which is an excellent way to secure Google accounts.
Until a more secure global cellular network is designed and put in place, SMS authentication is not a secure way to authenticate and should be disabled. Authentication that relies on a mobile phone number of any kind should be decommissioned from use immediately and thoughtfully replaced with authentication options that offer better security based on each individual use case.
For help securing your enterprise with the latest innovative and reliable authentication methods, contact us.
This is part three of a continuing series on the Federal Acquisition Register ruling 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. If you haven’t read part one or part two, please take a few minutes to read it before continuing.
The recent FAR ruling, released with input from the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA), has expanded the definitions that affect contractor organizations that process or store Federal contract information on behalf of the federal government in support of government contracts. This post will explore those definitions in an attempt to bring a little clarity to the vague terms that apply to these systems.
Covered contractor information system: This is an umbrella term covering unclassified information systems that are owned or operated by a contractor. A covered contractor information system can be a single system or multiple systems networked together. File servers, data backup systems, desktops, and mobile endpoints can be considered covered contractor information systems if they process, store or transmit Federal contract information.
Federal contract information: This means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. This does not include information provided by the Government to the public (such as that on public web sites) or simple transactional information, such as that necessary to process payments.
Information system: This term as defined by FAR clause 52.204-21, is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The traditional definition of an information system is any organized system for the collection, organization, processing, storage, and communication of information. Organizations and people use information systems to collect, filter, process, create and distribute data often times using networked computers. A typical information system is made up of hardware, software, data, policies and procedures, people, and feedback.
Information: Traditionally, information is defined as facts provided about something or someone or something that is conveyed or represented by a particular arrangement. In the context defined by FAR clause 52.204-21, this term means any communication or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. It is important to note that any medium is covered under this definition, so the focus will not just be electronic systems, but also safeguarding digital and non-digital media.
Whether your organization is just learning about the new FAR ruling for the first time, or you are updating your security controls to be compliant, CyberSheath can help you. Don’t wait to begin your path to compliance.
Earlier this week, the Federal Risk and Authorization Management Program (FedRAMP), released the high-security baseline for cloud services. The release date for the baseline has slipped multiple times over the last few months, due to what sources have said is the result of the Department of Homeland Security’s review process as they made final changes to control features.
The new high-security baseline allows federal agencies to utilize cloud-based services for their most critical data, services like Microsoft Azure, CSRA, and Amazon Web Services (AWS). Federal agencies are currently allowed to use cloud-based service providers at the low and moderate security baselines. The new baseline is mapped to NIST SP800-53 Rev. 4 security controls and requires that cloud-based service providers secure their datacenters per the Federal Information Processing Standard (FIPS) for unclassified data. Once cloud-based service providers get approval from the FedRAMP Authorization Board, federal agencies can begin to use the services for highly sensitive data.
FedRAMP Director Matt Goodrich said that “We addressed about half” of the federal IT market with “low and moderate” security baselines. He believes that the new high-security baseline will address the remaining half. As a result, a surge of privileged account management solutions can be expected as sensitive data including health records and personally identifiable information are moved into the cloud.
The release of NIST SP800-53 Rev. 4 added increased requirements for securing privileged accounts to defend against Advanced Persistent Threats (APTs), in addition to the moderate baselines previously published. If federal agencies begin to move their high-security information into cloud-based services, they’ll need to manage, protect, and monitor privileged accounts just as they would in a traditional datacenter.
Cloud services companies seeking approval from FedRAMP need to address the rigorous identification, authorization, and access control requirements in the baseline, which can be accomplished using a modern Privileged Account Security/Management solution. One such solution is the CyberArk PAM System. CyberArk’s Privileged Account Security solution supports the cloud service providers Microsoft Azure and Amazon Web Services (AWS) out of the box, both as Infrastructure-as-a-Service (running CyberArk in a cloud environment) and Software-as-a-Service (protecting cloud-based privileged accounts). This allows federal agencies to easily protect, manage and monitor these cloud-based privileged accounts, and cloud-based companies to meet the new baseline requirements.
Learn more about how CyberSheath can help secure your cloud-based services by visiting our Privileged Access Management service area.
The financial industry is beginning to recognize that cybersecurity is no longer a part of the information technology department but has greater importance throughout the entire business workflow. As the growing complexity of cyber threats continues to pose serious risks for financial institutions, robust compliance and risk management platforms have become increasingly crucial to the protection of assets. While malware such as worms and viruses still pose an everyday threat to organizations, attacks that compromise Internet-of-Things (IoT) devices and ransomware are considerably larger dangers to critical data and processes.
To better combat and prevent these attacks, banks need to employ GRC platforms such as RSA Archer to assist in identifying critical business processes and the assets that support those processes. Additionally, a successful compliance management solution will enable banks to be able to monitor and assess their control standards and procedures to ensure protections and safeguards are being implemented effectively. GRC tools like Archer also provide banks with a bigger picture of attack activity and tie it to the specific business processes and assets that are being targeted through real-time report metrics.
Financial institutions, as well as organizations across all industries, can no longer rely solely on IT departments to fix any holes in their defenses; they must track the flow of data across the enterprise and track the behavior of all components that interact with that data. CyberSheath employs security experts that are ready to provide you with a comprehensive assessment of your security policies and processes in addition to professional GRC implementation services for private and public corporations alike. We are the one-stop shop for your cybersecurity needs!
The cliché “being compliant doesn’t mean you are secure” is repeated in countless articles, blogs, and interviews but it’s rarely followed by any useful advice. There are tangible benefits to being compliant with relevant cybersecurity requirements like NIST 800-171, PCI-DSS, ISO, HIPAA, and many others. Each one represents an opportunity to do more than just achieving compliance.
Compliance should be at the foundation of your cybersecurity program because it’s easy to explain and measure. The same can’t be said for malware, advanced persistent threats, digital forensics, or how the security information and event management platform works. Too often security teams are mired in explaining the highly technical operational elements of their program to a non-technical audience of executives, and rarely is the audience more enlightened at the end of the briefing. Compliance, on the other hand, can be understood by any business and its executives with little explanation. Leverage that understanding to win support for the program that you are building. Here is how:
Consolidate all of your security compliance requirements into one framework against which you can measure yourself. Avoid one-off conversations with the business around specific compliance requirements and instead create a security program grounded in a framework that allows you to “measure once and comply many”. NIST 800-53 is a great framework for this purpose in that it is broad, granular, and flexible enough to be tailored to your specific needs.
Once you have selected the single framework against which you will assess yourself and report out compliance, it’s time to get your baseline measurement. This is an often overthought step in the process because there is no authoritative source or standard on how to do this. Our advice is to find a vendor you trust, make sure you understand how they will measure you, and the deliverables you will get at the end of the assessment. Avoid complexity and methodologies that seem too precise or mathematically exact when trying to measure something as variable as cyber security.
After your initial assessment, you will have a laundry list of items that require investment and improvement; get started. Explain your efforts to improve incident response, vulnerability management, and anything else in terms of compliance. Map initiatives like privileged account management back to specific business compliance requirements rather than explaining how pass the hash works.
Compliance in cybersecurity is an underutilized tool for getting executive support for your program, and ignoring it is ultimately a missed opportunity. When leveraged appropriately, compliance can produce tangible security benefits.
In August and December 2015, the Defense Federal Acquisition Register Supplement (DFARS) received updates that are crucial for the 10,000-plus defense contractors. If you have been following our blog, we first reported on the changes back in January. It is important to understand these changes and how they will affect your organization. If you haven’t read last week’s post, you can do that here.
This week’s post will discuss what these changes mean for your organization. If you haven’t read the first two posts, do so now, as this will try to un-muddy the waters and bring a little more clarity to the overall process. DFARS compliance is important for contractors, as the federal government requires your organization to safeguard covered defense information. If you missed it, covered defense information is a catch-all term that refers to Controlled Unclassified Information, Controlled technical information, operational support activity and a variety of other informational categories. Contractors must show the government how they are compliant with these safeguard requirements.
What Do These Changes Mean?
If your organization does business and holds contracts with the Department of Defense (DoD), you could be required to meet the DFARS clause 252.204-7012 information security requirements. As long as you process, store and transmit any information that falls under that Covered Defense Information umbrella, you will be required to protect that information. With the most recent changes to the DFARS clause as of August 2015, contractors use NIST 800-171 as a guide to implementing security controls around the following control families:
Contractors who are not currently compliant with these requirements are given time to implement the controls. However, it is a long process, and if an organization has minimal controls in place, it can seem like a daunting task to bring controls into compliance.
With the expanded definitions and the umbrella term Covered Defense Information, your organization will have to have a better understanding of where such information resides within the environment. One potential solution is to protect only the portion of your network that contains the information in question: applying the additional safeguards and controls that meet DFARS clause 252.204-7012 to that segment is a cost-effective way to meet compliance without redesigning your entire security program. Contractors should really look at how they categorize their information. Establishing a categorization scheme will help control access to the information because you can easily define the roles that need access. As you can see in the table above, access control is a control family covered under NIST 800-171.
Flow down to Subcontractors
Another change that needs further explanation is the flow-down requirement. The basic mechanics of the flow-down requirement haven’t changed: the same DFARS requirements that apply to prime contractors apply to subcontractors when, in performance of the subcontract, they handle, process, store, or transmit covered defense information. Additionally, all subcontracts must include DFARS clause 252.204-7012. The only major change that will affect subcontractors is reporting. When reporting a cyber incident as defined in clause 252.204-7012, they must report directly to the DIBnet. In order to report to the DIBnet, subcontractors are required to obtain a Medium Assurance Certificate to access the reporting module on the DIBnet. According to DFARS clause 252.204-7012, all cyber incidents must be reported within 72 hours of discovery. This is a quick response time and, under the new DFARS regulations, is termed “rapid response.” Having a strong security program will help with this requirement, as tools designed to protect the environment.
Alternative Security Measures
Contractors may, upon approval of the DoD CIO, deviate from any of the NIST 800-171 security requirements. The proposed deviation must be submitted in writing and explain one of the following:
- Why a particular security requirement is not applicable; or
- How an alternative but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and to achieve equivalent protection.
Approval of the alternative security measure is granted after a DoD CIO authorized representative provides an assessment of the proposed deviation. While this seems like a lot, it is actually a little more flexible under the new DFARS regime. Flexibility for security is key to success. Organizations might not want to rip out existing security programs to satisfy requirements. Having the option to work with what is currently in place could potentially save a lot of money in the long run.
How Will Your Organization Be Impacted?
If you do business with the Department of Defense, your organization will be impacted in some way: whether you flow down the requirements to your subcontractors or handle covered defense information yourself, both your organization and your subcontractors will have to protect the data. If you are like many organizations and don’t know where you stand on DFARS compliance, there are some things you can do now to prepare to meet the requirements.
First, conduct a compliance assessment. A third party can evaluate your security controls by talking to individuals, observing your security tools at work and analyzing your implementation of the control. Second, prioritize what is important. Meeting compliance should be the priority, but not all security requirements are created equal. Some tools and processes may be able to satisfy multiple controls, while others may take significant investment. A third party can help you prioritize based on industry standards and best practices. Lastly, ensure your management team is well aware of what is at stake. Not being compliant with DFARS means not being able to bid on and win contracts with the DoD. Management should understand this and a compliance assessment will be the roadmap you need to get the security funding necessary to meet compliance requirements.
RSA Charge 2015 is almost here! This exclusive user event brings together industry thought-leaders, experts, and security professionals to share their experiences and lessons-learned. CyberSheath and other RSA Charge speakers will educate attendees on best practices, as well as tips to proactively avoid security threats and safeguard your organization’s digital assets. To help get you started, review the infographic below depicting our 7 step process to transform your organization’s GRC approach from tactical to strategic.
The debate over the placement of the Chief Information Security Officer on the org chart continues. The information security community largely agrees on the premise that separation of duties should allow an information security function to operate autonomously, with a mission separate from that of IT. The opposing argument is also made, since successful information security programs exist today within the ranks of IT. There is little consensus, however, on the common factors that contribute to the success of an information security program as it relates to the organizational location of the CISO. So what might these success factors be?
1: Management Direction and Support
A common concept is a need for management buy-in to an information security program. More than just buying in, the executive team should be thoroughly involved as a stakeholder and a governance participant for an information security program. A CISO must have the autonomy, visibility, and decision-making authority to set strategy, drive change and have influence throughout the business. Reporting through the IT function without these can constrain the abilities of an information security function by forcing alignment with a mission that is narrow and contradictory to that of an information security program, limiting the exposure necessary to articulate information security initiatives upward.
To be fully effective, a CISO must have the means to garner executive support. To accomplish this, a CISO should be in a position to directly engage executive management, by appropriate reporting structure, or through an executive council or committee.
2: Delivering Security Awareness Upward
Beyond end-user awareness initiatives, the CISO should have responsibility for educating the executive team on information security matters that are specifically relevant to executives. This highlights the need for the CISO to have access to and visibility at the highest management levels. Delivery of valuable and informative content via metrics, reports, dashboards and executive presentations should articulate and educate on IT and information security risk, to foster sound business decisions, and gain support for information security initiatives. Ultimately, an upward approach to information security awareness should prevent information security from becoming an afterthought of the executive team by providing relevant, actionable and measurable information on a consistent basis.
Reporting through an IT function has the potential to break or limit these communication channels, which can be compounded by conflict of interest between a CISO and IT management, especially when situations arise where information reported by a CISO has potential to highlight deficiencies in IT processes and capabilities.
The driving force behind information security needs to first come from educated and thoughtful decisions of an executive team that understands the executives themselves are accountable for information security.
As security incidents become increasingly visible to the public, there is a greater tendency for incidents to shift toward crisis management processes for reputational damage control. An unfortunate aspect of a reactionary industry like information security is that it takes an impactful event, like a breach, to drive meaningful change. The reality is that publicized information security events expose the disconnect that often exists between the executive office and an organizationally buried CISO.
Placement, or misplacement, of the CISO role under an IT function, to continue the example, comes from one of two things: intelligent decision-making based on careful assessment, or negligent disregard and a lack of accountability at the executive level for a function that looks more vital with every public breach. It may make sense for the CISO to report through IT operations in some cases, where the IT function leader is well versed in information security and can give the CISO enough executive access, autonomy, and authority to avoid conflicts of interest. However, the executive team must be cognizant of the challenges and risks of remaining disconnected from an information security program for which they are accountable. The success of the CISO deserves the attention and support of the highest organizational levels.
Some may contend that one way is better than another for the organizational placement of the CISO, and in many ways, some concepts can be better than others. There is no definitive right answer, but there are factors that can contribute to a CISO’s success and effectiveness. As breaches continue to make headlines, executives need to consider how their CISO best fits into their business construct, so the role can not only be an effective leader of an information security program but a resource that provides necessary interfacing and awareness to the C-Suite.
That’s an ambitious title so please, stay with me. Yesterday Tom Brady won his court case and effectively had his four-game suspension lifted, at least while the appeals process takes place. Good for him; I’m a Patriots fan so I’m biased, but the whole sordid affair got me thinking about how hard it is to deliver information security when security is usually treated like a practice squad player and not a starting quarterback. And I do mean deliver because almost every company treats it as a service that is to be delivered to the business rather than the team sport that it is.
Tom Brady is an elite athlete who tinkers with mechanics and variables that ultimately make him the elite, once in a lifetime player that he is. In contrast, most security organizations are underfunded, misunderstood, struggling to get the basics right and organizationally buried in the “IT Department.” They aren’t tweaking widely accepted best practices, instead, they are distracted by the CIO’s pet projects and hoping they address fundamentals like Privileged Account Management, Vulnerability Management, and merging compliance with operations. Deflategate was a reminder of just how bad things are and how much better they could be. Security needs to be elevated to a place in every business where they are treated like the mission-critical function and business enabler that they are.
I’ve changed my mind on this over the years: security should not report to the CIO. When I was a global CISO reporting to the CIO I had the benefit of an amazing board that acted aggressively, and I had visibility at the board level that I now realize is uncommon. Years later, having shifted to delivering services for CISOs, I recognize the luxury I enjoyed. Most CISOs fight corporate politics and bureaucracy every single day just to try and get the basics done. Their bosses, usually CIOs, are under immense pressure to deliver availability and affordability, and those always trump decisions around security. Their bonuses are rarely anchored in delivering security initiatives, improvements, or anything that doesn’t reduce cost and increase availability. It’s a conflict that makes “achieving” security highly unlikely. Security needs to report wherever it can deliver an unvarnished view of what needs to be done and avoid the political and bureaucratic obstacles in the way of the mission.
Don’t believe me? Read the Verizon Data Breach Investigations Report, which highlights year over year the fundamental missing security practices that lead to a breach. It’s largely a re-read every year, but instead of tinkering with mechanics and variables to deliver “championship” security, most organizations are chasing new technologies and investing in products rather than people and processes. CyberSheath works with security organizations to establish an effective and formal process to conduct strategic planning. Our operational strategy and budgeting plans aggressively drive security organizations towards higher levels of performance, focused on the areas that matter most to meeting and exceeding your business requirements.
I started running and biking a lot in 2003. I do it to have fun, but also to stay healthy. Back then I worked with some other cyclists, one of whom was an Excel guru that loved collecting workout data. I started tracking my workouts, too, on his amazing spreadsheet with 11 tabs, pivot charts, and macros. Every day I was logging my miles, activities, and other workout information. I even tracked stuff like the weather conditions, what running shoes I wore, and personal bests on a specific route. This data will make me a better runner, I thought, and healthier.
But invariably, I’d miss a day of data entry. Whether I was on vacation and away from my computer, or busy, or lazy, a missed day would turn into two, then five. I’d forget what I did for workouts and not enter data. Over time the data had such holes that it became unreliable and, eventually, meaningless. The manual data collection and entry was painful, and I began to actually dislike working out because I didn’t like entering the data.
In 2011 I bought a FitBit Force (I have a Charge HR now) and my views on workout data tracking changed significantly. No more spreadsheets and keeping track of workout data manually. Everything I do while wearing my FitBit on my wrist is collected automatically and synced to the web and my phone. FitBit tracks my steps, miles, calories, active minutes, and stairs climbed. Those might not be all of the metrics one might need to track their fitness if they were an elite athlete, but they are really good indicators of my activity level for the day, which can help me see a picture of my overall fitness. And the important thing is, it’s effortless to track. No remembering, spreadsheets, or guessing. Automated data collection lets me concentrate on other things like enjoying the ride, and watching my progress over time.
Why the FitBit Technology Makes Sense in Regard to Information Security
The information security metrics we collect first in an organization have to be automated to be effective. The key performance indicators of a security organization flow from the audit logs and events of the critical security functions and can’t rely on manual efforts. The tracking of privileged account usage, vulnerabilities, and malware alerts need to flow automatically without “pulling” information from people. Like my first efforts with the spreadsheet, manual security metric collection of critical baseline data will fail due to our human propensity for error.
Once we reach a level of maturity in which we are reliably collecting our key metrics automatically, we can begin to bring in other data, correlating information that augments our visibility into our security posture and adds new value. I currently sync cycling data from an app on my phone to FitBit to add more detailed context to my bike workouts. I also bring in mapping data from my runs from an app that can show road elevation profiles against my heart rate. Those are also automated, and they help me get more meaning from my base FitBit data. In the realm of information security, we can pull data from our configuration compliance scans to supplement our asset inventory, or associate vulnerability scan results with attack information in our incident response tool and start to see the why of the attacks. We’re using data from multiple automated sources to build the complete sight picture of what’s happening in our environment.
Only the final level of metrics collection might find us bringing in data manually. When we have the resources to collect other sources of data that cannot be automated, and if that data is actionable, it might be worth collecting and adding to our catalog of metrics. Right now I use the MyFitnessPal app to manually track what I eat and it gives me information on my macronutrients and calorie intake. I also manually input my weight and how much water I drink. The key here is that I have time for that data collection, and I find it to be meaningful and actionable. When I stop finding it meaningful, I’ll stop entering it.
Perhaps your security organization is at this level of metrics maturity, polling the security team for performance data on projects and other efforts whose collection can’t be automated. If that data adds to the visibility a CISO needs to evaluate the maturity and performance of the security organization, and you have the people and time to collect it, that’s outstanding.
How the FitBit Analogy Relates to Your Organization
If you have to start somewhere on your security metrics journey, start with what’s already being generated effortlessly. Digest it, learn from it, and use it to drive improvement. Acknowledge that you can’t rely on manual collection at the outset, and work towards bringing in other data to correlate later. It’s an interesting and exciting process that will result in security programs that are healthy and strong.
Now if you will excuse me, I need to go run. I still have 3500 steps to do today.
Note: This is the first in a series of blog posts in which CyberSheath GRC consultants specifically describe how the RSA Archer GRC Solution can assist with the adoption of the Critical Security Controls for Effective Cyber Defense. Each post of this series will focus on one of the 20 Critical Security Controls.
CyberSheath has worked with countless customers who are just beginning their GRC journey. As security consultants first, the initial steps we take when building out GRC efforts for any organization align with the Critical Security Controls for Effective Cyber Defense. These controls, formerly known as the SANS 20 Critical Security Controls, focus on prioritizing actionable and pragmatic security functions that are effective against advanced attacks.
20 Critical Security Controls
Control 1: Inventory of Authorized and Unauthorized Devices
The first Critical Control, Inventory of Authorized and Unauthorized Devices, tells us that organizations should “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.” To accomplish this, companies need to maintain an asset inventory of all systems connected to the network, preferably deploying an automated asset inventory system to gather the data. The idea behind this control is that we can’t protect what we don’t know we have and therefore, having an accurate asset inventory is always the first step in both mature security and GRC projects.
Many organizations today have a CMDB or some other asset inventory method, but it is often a manually maintained spreadsheet, and the information isn’t accessible enough to be actionable. That information is also usually just a list of computer names, IP addresses, and possibly some operating system information, but that’s usually where it ends. Additionally, responsibility for maintaining the repository is often unclear, and the data isn’t tied into any other security process, such as incident response or vulnerability management.
When we use RSA Archer to manage our asset inventory, we can satisfy the security objectives of this control with a best-in-class asset inventory system. Utilizing Archer’s Enterprise Management module, and specifically the “Devices” application, we can import all our known asset information from multiple sources. Archer accepts information from many different databases and other sources of asset data utilizing the data feed capability. Organizations can, for example, import asset information from their CMDB, vulnerability scanners, configuration compliance tools, and any other source. Then use the different feeds to augment, edit, and improve the inventory so that it becomes the “master list” of all devices. No other product collects and rationalizes asset data like Archer.
Managing asset inventory is just the beginning, tying the data into other parts of Archer is where we start to see real GRC context and meaning. Mapping assets to the employees that own them, the facilities they reside in, and the business units they belong to can help us visualize our IT infrastructure like no other tool can. Digging deeper, we can map our servers to applications and those applications to business processes. When we then conduct Business Impact Analyses against those business processes, the criticality of the assets (servers) becomes quantified and all of this is measurable with reports and metrics.
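The reconciliation described here (and the feed correlation described in the FitBit metrics post above) can be shown in code. The following is an added example, not code from the page and not RSA Archer: it merges three constructed feeds (a CMDB export, a vulnerability scanner host list, and a network discovery sweep) into one master inventory keyed on IP address, treats the CMDB as the authorizing source, enriches each asset with owner, business unit and a criticality derived from an assumed business-impact mapping, and then answers the two Control 1 questions a practitioner actually asks: which devices are on the network that nobody authorized, and which authorized devices the scanner has never seen. The CSV columns, the `HOST_TO_PROCESSES` and `PROCESS_CRITICALITY` mappings and all sample values are assumptions made up for the example.

```python
"""Reconcile several asset feeds into one master inventory (added example).

Constructed sample feeds stand in for a CMDB export, a vulnerability scanner's
host list and a network discovery sweep. Assumption: every feed carries at
least an IP address, and the CMDB is the only source that can authorize a host.
"""
from dataclasses import dataclass, field
import csv
import io

# --- constructed sample feeds; column names and values are made up --------
CMDB_CSV = """hostname,ip,os,owner,business_unit
web01,10.0.1.10,Ubuntu 20.04,alice,Retail
db01,10.0.1.20,RHEL 8,bob,Retail
hr-app,10.0.2.5,Windows Server 2019,carol,HR
"""

SCANNER_CSV = """ip,hostname,os_guess,open_ports
10.0.1.10,web01,Linux,22;443
10.0.1.20,db01,Linux,22;5432
10.0.1.77,,Windows,445;3389
"""

DISCOVERY_CSV = """ip,mac,first_seen
10.0.1.10,00:11:22:33:44:01,2015-09-01
10.0.1.20,00:11:22:33:44:02,2015-09-01
10.0.1.77,00:11:22:33:44:99,2015-09-03
10.0.2.5,00:11:22:33:44:03,2015-09-01
"""

# Assumed business-impact-analysis output: process -> criticality tier,
# and host -> processes it supports (what Archer would hold as mappings).
PROCESS_CRITICALITY = {"online-sales": "high", "payroll": "medium"}
HOST_TO_PROCESSES = {"web01": ["online-sales"], "db01": ["online-sales"],
                     "hr-app": ["payroll"]}
TIER_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    ip: str
    hostname: str = ""
    os: str = ""
    owner: str = ""
    business_unit: str = ""
    mac: str = ""
    sources: set = field(default_factory=set)  # which feeds saw this host
    authorized: bool = False                    # True only if the CMDB knows it
    criticality: str = "unknown"


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_inventory(cmdb_csv, scanner_csv, discovery_csv):
    """Merge the feeds keyed on IP; the CMDB wins conflicts, other feeds fill gaps."""
    assets = {}

    def get(ip):
        return assets.setdefault(ip, Asset(ip=ip))

    for r in _rows(cmdb_csv):
        a = get(r["ip"])
        a.hostname, a.os = r["hostname"], r["os"]
        a.owner, a.business_unit = r["owner"], r["business_unit"]
        a.authorized = True
        a.sources.add("cmdb")
    for r in _rows(scanner_csv):
        a = get(r["ip"])
        a.hostname = a.hostname or r["hostname"]
        a.os = a.os or r["os_guess"]  # scanner only fills what the CMDB lacks
        a.sources.add("scanner")
    for r in _rows(discovery_csv):
        a = get(r["ip"])
        a.mac = r["mac"]
        a.sources.add("discovery")
    # Criticality of a host is the highest tier of any process it supports.
    for a in assets.values():
        tiers = [PROCESS_CRITICALITY[p] for p in HOST_TO_PROCESSES.get(a.hostname, [])]
        if tiers:
            a.criticality = max(tiers, key=TIER_RANK.__getitem__)
    return assets


def unauthorized_devices(assets):
    """Control 1: anything seen on the network that the CMDB does not know about."""
    return sorted(ip for ip, a in assets.items() if not a.authorized)


def coverage_gaps(assets):
    """Authorized hosts the scanner never reported: vulnerability coverage is incomplete."""
    return sorted(ip for ip, a in assets.items()
                  if a.authorized and "scanner" not in a.sources)


if __name__ == "__main__":
    inv = build_inventory(CMDB_CSV, SCANNER_CSV, DISCOVERY_CSV)
    print("unauthorized:", unauthorized_devices(inv))
    print("not scanned :", coverage_gaps(inv))
```

Keying on IP is the simplest join and is what most scanner exports give you; in an environment with DHCP churn a practitioner would key on MAC or an agent ID instead. The two report functions are the actionable outputs: the unauthorized list feeds network access control or incident response, and the coverage gap list tells the vulnerability management team which authorized hosts their scans are missing.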
It’s no coincidence that the first step in building a secure organization is also the first step on a GRC journey. When we combine these efforts we accomplish both goals for far less than separate projects would cost, and security organizations are able to show real value from their Archer deployment as they begin to address the Critical Controls and stop attacks. Download our GRC datasheet to learn more about how we can assist your organization on your GRC journey.
Watch for our next post as we discuss how Archer can assist with the second Critical Control, Inventory of Authorized and Unauthorized Software, coming soon.
The Federal Bureau of Investigation recently announced that nine people were charged in the largest known computer hacking in a securities fraud scheme. In this case, more than 150,000 press releases were stolen over a period of five years using malware and phishing attacks to get logon credentials. While any data breach or intellectual property theft is concerning, this breach involved press releases about upcoming announcements by public companies concerning earnings, gross margins, revenues, and other confidential and financial information. The hackers, in conjunction with other traders and known accomplices, traded stocks ahead of more than 800 stolen press releases.
The Significance of this Case
What makes this case different from other data breaches in the past is that it shows that cybercriminals are seeking new avenues of exploitation and becoming more sophisticated. Over the last two years, hackers have targeted major retailers and US government personnel. According to media sources, this criminal case “marks the first US prosecution alleging a securities fraud scheme using hacked inside information.”
Be Proactive: 3 Reasons to have an Information Security Assessment
1: Address Weaknesses Before They Are Exploited
Now is the time for companies that haven’t given information security enough attention to take a proactive stance and improve their cyber defense capabilities, typically by way of an information security assessment that identifies and addresses areas of weakness before they are exploited. A lack of information security or cyber defense resources is no excuse for failing to understand a company’s technology and security risks.
2: Unbiased Assessment
Independent information security consulting firms can serve as a great way to get an unbiased assessment of information security programs maturity and identify gaps that should be addressed by application of security controls. These assessments often provide significant value and can also identify where there is an excess of security tools, or where a company lacks staffing resources to use their tools operationally.
3: Valuable Tool
If you haven’t already, check out this blog post on why security assessments are a valuable tool. Independent information security consulting firms like CyberSheath Services can review your security program, assess the posture of your cyber defense capabilities, and help protect your organization from these kinds of threats.
Last week I had the opportunity to attend the CyberArk 2015 Americas Summit in Boston, Massachusetts, where CyberSheath was recognized as the “2015 Newcomer Partner of the Year”. We were honored by the award and inspired by the event itself, as it was refreshing to be in a venue with nearly five hundred like-minded security professionals focused on one of the most important aspects of security: privileged account management.
Privileged account management is a lot like exercise in that it’s a “pay now” or “pay later” equation. You can enjoy a high carb, low exercise lifestyle right up until you can’t. The can’t, or “pay later”, comes when you’ve been breached and suddenly have to account for a decade of nonexistent or bad privileged account policy. Promiscuously granted admin rights and never changing service account passwords are a treasure trove for advanced attackers and are a common theme in nearly every publicized high profile attack.
Having led an organization that reactively addressed privileged accounts (domain admin, local admin, service accounts, etc.) for more than 40,000 employees in the midst of a breach I’ve lived the “pay later” scenario and I’d encourage you to avoid it at all costs. Privileged accounts should be something that you are executing on now and not on that “to do” list on your whiteboard.
How Can CyberSheath Help Your Organization?
CyberSheath’s engineers are well versed in fine-tuning the configuration of the Privileged Account Management suite, providing automated, monitored, and controlled elevated privileged access. You can learn more about our approach by viewing our Privileged Access Management service area.
In the most recent Verizon Data Breach Investigations Report, they found that “99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.” Let that sink in: nearly all of the exploited vulnerabilities could have been avoided had these organizations maintained a vulnerability management program that remediated known issues within a year of disclosure. If I’m a CISO, those are metrics that matter. Security as a whole is notoriously difficult to measure; VM, however, should be an easy sell.
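The DBIR figure above is a metric any VM program can compute for itself. The following is an added example, not code from the page or from Verizon: it takes a constructed list of scanner findings, each carrying the publication date of the underlying CVE (which in practice you would pull from NVD), the date the scanner first reported it, and a remediation date if it has been closed, and produces the numbers a CISO would want on a dashboard: what fraction of open findings sit on a CVE older than a year, which findings are past their remediation SLA by severity, and mean time to remediate for closed findings. The finding IDs, dates and the `SLA_DAYS` thresholds are assumptions made up for the example, not a standard.

```python
"""Vulnerability management metrics from scanner findings (added example).

Assumptions: each finding records the CVE publication date (from NVD in a real
program), the date the scanner first saw it, and a remediation date once fixed.
The per-severity remediation SLAs below are illustrative values, not a standard.
"""
from datetime import date

SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}  # assumed

# Constructed sample findings; IDs, hosts and dates are made up for illustration.
FINDINGS = [
    {"id": "F-001", "host": "web01", "severity": "critical",
     "cve_published": date(2013, 4, 10), "first_seen": date(2015, 6, 1),
     "remediated": None},
    {"id": "F-002", "host": "web01", "severity": "high",
     "cve_published": date(2015, 7, 20), "first_seen": date(2015, 8, 20),
     "remediated": None},
    {"id": "F-003", "host": "db01", "severity": "medium",
     "cve_published": date(2014, 1, 15), "first_seen": date(2015, 1, 10),
     "remediated": None},
    {"id": "F-004", "host": "db01", "severity": "high",
     "cve_published": date(2012, 5, 1), "first_seen": date(2015, 3, 1),
     "remediated": date(2015, 4, 15)},
    {"id": "F-005", "host": "hr-app", "severity": "low",
     "cve_published": date(2015, 9, 1), "first_seen": date(2015, 9, 10),
     "remediated": None},
]


def open_findings(findings):
    return [f for f in findings if f["remediated"] is None]


def cve_age_days(finding, as_of):
    """How long the public has known about this weakness."""
    return (as_of - finding["cve_published"]).days


def stale_cve_ratio(findings, as_of, threshold_days=365):
    """Fraction of open findings whose CVE is older than the threshold.

    This is the organization's own version of the DBIR 'more than a year'
    figure: every finding counted here is one an attacker has had a year to
    weaponize while it stayed open.
    """
    opened = open_findings(findings)
    if not opened:
        return 0.0
    stale = sum(1 for f in opened if cve_age_days(f, as_of) > threshold_days)
    return stale / len(opened)


def sla_overdue(findings, as_of):
    """Open findings past their per-severity remediation SLA, keyed by severity."""
    overdue = {}
    for f in open_findings(findings):
        days_open = (as_of - f["first_seen"]).days
        if days_open > SLA_DAYS[f["severity"]]:
            overdue.setdefault(f["severity"], []).append(f["id"])
    return overdue


def mean_time_to_remediate(findings):
    """Average days from first detection to fix, over closed findings only."""
    closed = [f for f in findings if f["remediated"] is not None]
    if not closed:
        return None
    total = sum((f["remediated"] - f["first_seen"]).days for f in closed)
    return total / len(closed)


def scorecard(findings, as_of):
    """The handful of numbers worth putting in front of a CISO."""
    return {
        "open_count": len(open_findings(findings)),
        "stale_cve_ratio": stale_cve_ratio(findings, as_of),
        "sla_overdue": sla_overdue(findings, as_of),
        "mttr_days": mean_time_to_remediate(findings),
    }


if __name__ == "__main__":
    for key, value in scorecard(FINDINGS, date(2015, 9, 15)).items():
        print(f"{key}: {value}")
```

The two clocks are deliberately separate: CVE age measures exposure the whole world shares, while days-since-first-seen measures the program's own responsiveness, and a finding can be bad on either axis independently. Reporting the stale ratio alongside the SLA list gives management both the risk picture and the operational picture the post argues for.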
The 3 Entities That Drive Successful VM Programs
Processes aren’t any good if you don’t have the people for implementation and people are useless when they have no direction. Security should work with the business to build a process with realistic expectations and goals. Don’t set yourself up for failure by being overzealous. Establish a process with the organization and work to mature it over time.
That maturity of the organization’s process will take people, dedicated people. Maybe it’s one, or maybe it’s ten. There is no magic number, but I do emphasize the word “dedicated”. The Security Analyst, George, who monitors the SIEM and manages the IDS sensors can’t also be your sole VM resource. You have to staff appropriately.
The technology piece may be the easiest of all three drivers. There is a slew of vendors and tools available; you just have to do the research and pick the one that fits your environment (and budget) best.
How Can CyberSheath Help Your Organization?
Ultimately, these three entities work in unison and fail when any of the three go missing, but VM isn’t a lost cause. While we continuously see organizations that have failed in the past, those same organizations are now asking what they need to do to be successful in the future. While there’s no overnight, turnkey solution that fixes years of neglect, CyberSheath has successfully helped numerous organizations, both large and small, implement a successful VM program that produces meaningful metrics and helps reduce risk within the environment. Whether it’s vendor/tool selection, policy or process, and procedure documentation, or just assistance in providing those dedicated bodies in the form of a managed service, CyberSheath has experience in it all.
News broke recently that an investment advisory firm agreed to pay $75,000 to settle U.S. Securities and Exchange Commission charges that it failed to have a cybersecurity policy in place before a breach compromised 100,000 individuals’ personal information. This is the latest example of regulatory and compliance enforcement by a federal agency, and companies of all sizes should be paying attention. While the amount of the settlement isn’t headline grabbing, the actual enforcement of a standard of care for cybersecurity is.
Regulatory compliance isn’t nearly as appealing as stories about large data breaches or Chinese hackers, but it generally highlights the kinds of fundamental blocking and tackling activities that lay the foundation for better security. Buying tools is easy, creating and implementing the policies and processes that will measure their effectiveness and ensure full deployment and optimization is not. Policy doesn’t stop attacks but it does force an organization to be thoughtful about what they will do and what they won’t do against the reality of their appetite for risk and more importantly their budget.
I recently had dinner with an accomplished CISO leading a multi-national corporation who bemoaned the focus on tool purchases and tactical day to day threats. As a former military officer he inherently knew preparing a concept of operations for the mission is the first step in organizing for victory. This means focusing on the “boring” things like strategy, capability, process, and logistics so that you optimize your chances for winning the war.
It’s hard to focus on policy and process when you’re trying to run a business, but this latest action by the SEC highlights the importance, and the cost, of doing nothing. CyberSheath can provide your organization with an integrated view of all information security activities that enables you to reduce risk, demonstrate business value, and optimize your people, processes, and technology. Our certified consultants are experts in compliance and can arm your organization with the information and guidance needed to avoid an enforcement action like the one described above.
How Can CyberSheath Help Your Organization?
To learn more, visit our Governance, Risk and Compliance service area where you can download a datasheet detailing our unique GRC approach. CyberSheath will also be attending the RSA Charge Conference Oct 21-23, where industry experts will be meeting to discuss the strategies and tools that will armor your organization for the security battle you fight every day. CyberSheath is a proud Gold Sponsor for this event, for more details on how CyberSheath will be contributing click here.