At the November annual conference, one of the break-out sessions focused on the definition of "reasonableness" that has been the foundation of cybersecurity litigation in recent cases. In the aftermath of the Third Circuit's ruling in the Wyndham case, organizations are searching for standards or guidelines to follow to make sure they are doing what they can not only to keep their data secure, but to demonstrate it to regulators should there be an incident.
As of today there is no set of rules from the Attorney General, the SEC or the FTC, who are monitoring cyber activity and holding firms accountable. But steps can be taken to prove you are making a concerted effort to protect the assets for which you are responsible.
Panelist Deborah Hurley from Harvard University recommended several items that an organization should review and consider when implementing its cybersecurity plan:
(1) read the FTC best practices entitled "Start with security: a guide for business"
(2) review ISO standard 27018 and comply with that "code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors."
While there are no laws or regulations, these documents provide a baseline for cybersecurity defense. Whether it be benchmarks for keeping data secure or publishing and practicing an incident response plan, having a strategy that follows these best practices and demonstrates prioritization in these areas can help an organization that becomes a victim of cyber crime.
At the ACSC CEF this summer, thought leaders convened to discuss national threat intelligence, as cybersecurity has become a national priority. Major breaches that had seemed to be isolated to the private sector (Home Depot, Target, Sony) were now being reported by government offices, including the White House and the Office of Personnel Management. These are not simply hackers playing games: alleged state-sponsored threat actors have been increasingly successful in entering networks to extract proprietary information in order to gain competitive advantage, economically and politically. The government's response has been swift and well-publicized. From several executive orders to proposed legislation, national leadership is emphasizing the dire need to better fortify defenses against cyber attacks.
When building a next-generation cybersecurity strategy that integrates threat intelligence, keep these evolving principles in mind:
Ellen Powers from The MITRE Corporation this month presented outcomes from MITRE's systematic efforts to advance human defense. In addition to baseline tips to help employees become champions against cyber crime, she explained how the organization practices procedures to mitigate attacks that arrive through employee email. These exercises are designed not as tests but to encourage employees to learn on their own and engage as frontline defenders; the expectation is an increased incidence of reporting suspicious activity. By demonstrating positive behaviors and communicating successful outcomes, MITRE has been able to advance its goals. The presentation included some tips for employees at all organizations to be aware of when using email. The mission is to eliminate the entry point for cyber attacks and to heighten human defense measures.
What to Look for in Targeted Email:
1. An attachment with a specific name or topic with which you may have an association
2. A sender who is unfamiliar, or who appears to be from a known organization
3. A message that is invitational in nature, or requests information about the content in question
What to Do:
1. Do not open the attachment
2. Do not reply or respond to the sender
3. Send suspect emails to the proper channels in your organization
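The three indicators above can also be checked mechanically at a mail gateway or by the help desk that receives reported messages. The Python script below is an added example, not code from the MITRE presentation or the ACSC; the sample messages, the known-organization table and the keyword lists in it are all constructed.

```python
"""Triage a suspect email against the three indicators listed above.
Added example, not from the MITRE presentation or the ACSC; the sample
messages, organization table and keyword lists are all constructed."""
import email
from email import policy

# Constructed: an organization whose name is commonly borrowed in lures,
# mapped to the domains that legitimately send on its behalf.
KNOWN_ORGS = {"example bank": {"example-bank.com"}}
# Attachment types that can run code or carry macros.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".zip", ".docm", ".xlsm"}
# Wording that invites action or asks for information (indicator 3).
INVITATION_WORDS = ("invited", "invitation", "rsvp", "please review", "confirm", "verify")


def triage(raw: bytes) -> list:
    """Return human-readable flags; empty means no indicator fired.
    Flagged mail goes to the security channel, unopened and unanswered."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    # Indicator 1: an attachment, worse if it is an executable or macro type.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        verdict = "has a risky extension" if ext in RISKY_EXTENSIONS else "present"
        flags.append(f"attachment '{name}' {verdict}")
    # Indicator 2: display name borrows a known organization but the
    # sending domain is not one of that organization's.
    for addr in (msg["From"].addresses if msg["From"] else ()):
        for org, domains in KNOWN_ORGS.items():
            if org in addr.display_name.lower() and addr.domain.lower() not in domains:
                flags.append(f"display name claims '{org}' but sender domain is {addr.domain}")
    # Indicator 3: invitational or information-requesting wording in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(w in text for w in INVITATION_WORDS):
        flags.append("message invites action or requests information")
    return flags


# Constructed sample: a lure carrying a macro-enabled attachment.
SUSPECT = b"""From: "Example Bank Security" <alerts@mail-example.net>
To: staff@corp.example
Subject: Invitation: account review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="utf-8"

You are invited to review the attached statement. Please confirm your details.
--XX
Content-Type: application/octet-stream; name="Q3_Statement_Review.docm"
Content-Disposition: attachment; filename="Q3_Statement_Review.docm"
Content-Transfer-Encoding: base64

QUJD
--XX--
"""
# Constructed sample: routine mail from the organization's real domain.
CLEAN = b"""From: "Example Bank" <notices@example-bank.com>
To: staff@corp.example
Subject: Monthly statement available
Content-Type: text/plain; charset="utf-8"

Your monthly statement is available in the portal.
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, triage(sample))
```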
On December 11, 2014 the Advanced Cyber Security Center sponsored a roundtable discussion on Risk Management hosted by DLA Piper. The event featured a panel discussion focused on information governance and enterprise risks including legal risks associated with cybersecurity.
Expert panelist Larry Clinton highlighted five cybersecurity principles for enterprise board members:
Cybersecurity includes one of the fastest growing job markets, with a growth rate twice that of IT jobs as a whole. Developing a pipeline of talented cybersecurity professionals with the required skills is the topic of the ACSC's upcoming Cyber Exchange Forum on April 14 at UMASS Lowell. What skills are actually in demand? What curriculum and programs are being developed at the university level? How do you develop the existing workforce? And how are universities and companies collaborating to meet these workforce challenges? UMASS's Information Security Lead Larry Wilson, with ACSC's Charlie Benway, has been participating in discussions with external groups, including the media, on defining the ideal skill set for a cybersecurity professional.
Ability to analyze technical issues along with strong analytical skills
Demonstrated skills in innovation, collaboration, problem solving
Maintain awareness of security risks and of best practices for security awareness
Excellent presentation, communications, writing skills
Listening, influence and negotiation skills with customers and coworkers
Understand architecture, administration, and management of IT Infrastructure (Endpoints, Networks, Servers, databases, Mainframes)
General application development, programming, testing concepts and software analytical skills
Understanding of Identity Governance and Access Management, security administration, privileged accounts, role-based access control (RBAC)
Understanding of Data Governance, information lifecycle management, data at rest, in motion, and in use
Understand current and emerging threats and how they exploit known and unknown vulnerabilities
Understand risk management principles and practices
Understand the audit process, compliance requirements, management responsibilities
Understand security policies, procedures, controls frameworks, standards, etc.
Understand Incident response and computer forensics capabilities
Key steps to developing a resilient organization:
Benway offers security recommendations at October 8th North Shore Chamber of Commerce Breakfast.
In the U.S., we have an official process for escalating cyber security incidents from a single organization up through the various levels of an industry's own Information Sharing and Analysis Center (ISAC), through the National Cybersecurity & Communications Integration Center (NCCIC), part of the DHS, then through both that industry's regulation and control groups and, if necessary, up the various levels of national response and policy until, if it is severe enough, it lands in the Situation Room of the White House, in front of the Principals Committee and the President himself. In this way, a cyber attack could potentially escalate to the level capable of authorizing a kinetic response, if appropriate. Understanding this process can help you understand how you and your organization might best integrate with it, take advantage of the resources available to you, and recognize when it is appropriate to ask for the next level of attention.
This process is documented in the DHS National Cyber Incident Response Plan (NCIRP). This video, recorded by Quinn Shamblin for the Global Risk Meeting held in Brazil in 2013, will lead you through the NCIRP using a series of attacks against the finance sector as an example. The presentation explains the various levels of escalation, what kind of activities take place at each level and the value of each, and includes examples and stories provided by Jason Healey from his experience as Director for Cyber Infrastructure Protection at the White House, from his book A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, and from anecdotes he relayed at Black Hat 2013.
Quinn Shamblin is the Executive Director & Information Security Officer for Boston University and holds an MBA, a CISM, CISSP, ITIL and other certifications. Boston University is the 4th largest private university in the United States, ranked in 2013 as 41st in the U.S. by U.S. News & World Report and 50th in the world by the Times of London.
Cloud Vendor Security
When your organization is faced with evaluating a new cloud provider, use the following guidelines to help make the process streamlined and secure:
Excerpt from SC Magazine’s Shining A “Spotlight” On: Insider Threats featuring Jim Terwilliger, Technical Manager of Cyber Defense Planning for Federal Reserve National IT Services
Most inside risk is of the unintentional variety. And that means training needs to be part of the solution.
Many employees simply don’t understand that they have a security role. “They may feel that they will be forced to comply with onerous procedures, or that if they do a few things, the security people will take care of the rest,” says Terwilliger. “That can be coupled with laziness on the part of system administrators who fail to follow the best practices of user-access or don’t require complex passwords along with periodic password changes.”
Preview of Senior Security Architect David Humphrey's interview with SC Magazine: Evolution of Mobile Device Management (MDM) and Security Control Tips
Never has the traditional Gartner "Hype Cycle" model of analysis so accurately portrayed the evolution of a market as it has for Mobile Device Management (MDM) technology. At the height of the development frenzy in 2012, there were in excess of 70 different vendors in the market addressing the question of "how does the enterprise manage data on a mobile device that it does not necessarily own."
At the time, there were choices to make (as the enterprise consumer) of whether or not to own an employee's communication device, and therefore the control of it, or to simply support management of the device that the user owned (BYOD), at the expense of total control. There were choices of data plan costs, of telephone costs, of features from MDM suppliers, and of how to manage communications costs most effectively. But in the end, as Samsung, Motorola, and other device manufacturers caught up with the functionality of the Apple 'i'-devices, and far surpassed the functionality of the Blackberry RIM devices, these choices were finally put aside in the face of a growing consumer market. It was clear that users demanded the flexibility to decide on their own device, leaving the enterprise to eventually embrace the benefits of "outsourcing" part of its communications infrastructure (and cost) to its workforce: to adopt BYOD.
As that answer gained acceptance by IT management, this contentious product feature receded and uncovered the next solution differentiator: security. The real challenge became which MDM features best delivered corporate control over enterprise data on a device the enterprise did not own. That challenge is generally addressed by the use of "containers": encrypted, managed software constructs on the endpoint that are remotely managed by the enterprise MDM server as the device is brought online. This concept of "containerizing" corporate data began narrowing the vendor field quickly, as the market entered the "trough of disillusionment" phase of product adoption. Over the past year or so, IBM bought the MaaS360 Fiberlink solution, VMware bought AirWatch, and Citrix bought Zenprise. Four of the largest vendors in the space, Blackberry, Good, MobileIron, and Tangoe, make up the balance of the larger independent MDM vendors. But there is a noticeable shift: VMware and Citrix are virtual workspace vendors, and the Samsung Knox and Blackberry 10 systems are also "workspace" approaches to virtually separating user and corporate data on the device for external administrative control.
In summary, the MDM market is still immature; even fully containerized solutions like Good and AirWatch are likely to be overtaken by transparent workspaces on the handset that perform the same data containerization but use a more native application interface. Enterprise outsourcing of e-mail and calendaring is pushing MDM management into the cloud, resurrecting the Blackberry market as they reposition to address that environment. We are in the "slope of enlightenment" phase; look for the security feature-rich solution that threads an enterprise-managed certificate infrastructure into control and encryption of the data on the endpoint.
Security controls should be in place to:
Andy Ellis, Chief Security Officer at Akamai and ACSC member, shares his company's informative video tutorials focused on cyber security. Now found on the Akamai YouTube channel, the videos drill down on important topics in a way that even non-technical audiences can understand, with the help of some clever animations.
Ellis gives an overview of tokenization and why it exists, as well as a brief history of the credit card industry as it exists today.
Ellis gives a brief overview of security and compliance and what they mean to Akamai. Andy's overview includes common terms along with definitions and an overview of common standards and their components.
Ellis gives an overview of zero-day (or negative-day) vulnerabilities.
In an era of escalating cyber threats, taking simple measures to manage risk – at home and at work – will help you secure your privacy. At a recent event at the Boston Economic Club, ACSC board member Ken Montgomery outlined the current state of cyber security and stressed that cyber attacks should be a top concern for all industries. He also provided several tips and reminders for everyone who engages in the virtual world.
Don't open e-mails from people you don't know (spear phishing)
Be cautious about clicking on embedded links, including on industry- or topic-specific sites you trust (watering hole)
Keep all software up to date. Install critical updates immediately
Consider a standalone PC for your financial management practices and limit your access to those specific sites
The Paradigm Shift in Cybersecurity
This month Charlie Benway, Executive Director of the Advanced Cyber Security Center, was interviewed by Network World for a profile on the ACSC. Charlie's tip for people managing cybersecurity for their organizations is to recognize that the focus should be on identifying threats, not simply on steps to keep hackers out. They are already in.
Beyond the trust issue, a big obstacle the ACSC has seen is a reluctance to adopt a new mentality regarding cybersecurity, Charlie Benway, the organization’s executive director, says.
“What’s happening from a bigger-picture perspective is there’s a shift in paradigm going on in cybersecurity, and there’s a maturity spectrum here, and some folks are still at the beginning of the maturity curve, where it’s the old philosophy of ‘I have to set up firewalls, I have to keep people out and I’ve got to do my patches, and that’s what I need to do,’” Benway says.
In the past few years, mainstream media has caught on to major cyberattacks. That publicity has led many organizations to accept the fact that they may not be able to prevent every attack, Benway says. This shift in paradigm led many CISOs to acknowledge that they may be better off gaining as much intelligence on the attackers and their methods as possible. Instead of approaching security from the perspective of vulnerabilities, the ACSC advocates focusing on the threats.
While the shift in mindset does explain the value of threat sharing, private organizations still need incentives to share their cyberthreat information. What many have come to realize, however, is that what’s good for the security community as a whole will likely benefit them individually, Benway says.
“If I’m a financial services company and I’m connected to 500 banks, and some of those banks may be small or medium-sized banks and they don’t have the type of resources I have for cybersecurity, I need to help them secure themselves, or I’ve got issues,” Benway says. “And you hear that on a regular basis now.”
EMC's Chris Harrington (far right) on a Cyber Threat panel at the 2012 ACSC Annual Conference
Back to basics. That is the phrase I have written at the top of my whiteboard. It's a constant reminder not to lose focus on basic security concepts. Why? Over the years I have observed that many of us get wrapped up in what the latest security buzzword technology can do for us. Network Access Control, Next Generation Firewall, Data Leak Prevention, Big Data analytics... and the list goes on. Why are these so interesting to us? I believe it is because they aren't what most would consider "basic" security. I think most of us in the security space share a couple of traits. The first is we love technology and shiny new toys. A close second is that we strive to solve more challenging technology problems. Security basics certainly are not new and on the surface not technology challenges either. We tend not to want to work on problems we can't use our new or advanced tools to solve. Our adversaries know this.
Why do we see Advanced Threat actors routinely using exploits for application vulnerabilities that have been known for years? Many organizations struggle with patching. It’s not sexy, it’s not the latest thing in security and it’s hard to do. Patching isn’t as much a technology problem as it is a people problem. These systems can’t be patched because the software doesn’t support the latest Service Pack. Those systems are in a lab network and there is no system administrator. We can’t be disrupting the users all the time with reboots. I’m sure all three of those will sound familiar. I can’t buy a security widget to address those underlying issues.
Patching is just one example. We can all think of some things in our environments that are considered basic security concepts but are not followed. A good password policy, not giving every user admin rights on their Windows system, making sure your antivirus is up to date, restricting the use of LanMan hashes, collecting and storing logs from critical systems and not using clear text protocols like Telnet are all arguably considered basic security. Why is this important? Advanced Threat actors won't burn a 0day exploit if they can guess the password to an external system or hit you with a 2-year-old exploit and move laterally. Paying attention to these basic concepts will make their job harder and yours easier in the long run. Following practices like these means making it harder for them and for other less serious threats that eat up your valuable time.
Sun Tzu said: "If you know your enemy and know yourself you need not fear the results of a hundred battles." In this, the era of total information awareness, with full time incident responders arrayed in front of real-time security monitoring systems it is reasonable to expect that the blind-spot in this equation is: “knowing the enemy.” The reality is that true self-knowledge continues to be elusive. One of the many things that we know about the adversary (and we really do know a fair bit these days) is that they rely on a number of perceived blind-spots in our detective capacities to enable their work.
Security monitoring is a "big data" problem. Firewall and anti-virus systems generate hundreds of thousands, if not millions, of log entries per day. Sifting the wheat from the chaff in data created from those and other related systems is an exercise requiring near constant tuning and adaptation. Threat sharing like that done at the ACSC is a critical input into this work. Understanding what new vectors, behaviors and indicators to be on heightened alert against in your logs is increasingly important in the fight to hold the attackers at bay. Underscoring this, though, is the need to ensure you have the logs and detective capabilities you need to enable this effort. For example: being able to effectively and quickly search through your anti-virus logs and quarantine folders for evidence of a specific attacker activity is important. Being able to search your web-proxy logs to know if anyone in your enterprise has visited a malicious or infected website is critical. Don't take it for granted that your organization can do these things quickly and conclusively. As you chart your business and security goals for 2013 and beyond, and before you go buy that shiny new next-gen security appliance, make sure you have access to the data that will give you true self-knowledge. It is the foundation upon which your entire information security program relies.
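As an added example of the proxy-log search described above (not ACSC code), the Python script below matches a shared indicator list against constructed proxy log lines and reports which internal clients reached, or tried to reach, a listed host. The log format (timestamp, client, method, target, status), the indicator values and the client addresses are all assumptions made for the example.

```python
"""Search web-proxy logs for visits to shared threat indicators.
Added example, not ACSC code; the log lines, the indicator list and the
log format (timestamp client method target status) are all constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed indicator list of the kind exchanged through threat sharing.
INDICATORS = {"bad-example.net", "c2.example-malware.org"}

# Constructed proxy log: note the blocked (403) request and the look-alike
# host that must NOT match, plus a malformed line that must not abort the run.
PROXY_LOG = """\
2013-01-07T09:12:01Z 10.1.4.22 GET http://www.intranet.example/home 200
2013-01-07T09:12:05Z 10.1.4.22 GET http://update.bad-example.net/payload.bin 200
2013-01-07T09:13:44Z 10.1.7.9 CONNECT c2.example-malware.org:443 200
2013-01-07T09:14:02Z 10.1.7.9 GET http://notbad-example.net/index.html 200
2013-01-07T09:15:30Z 10.1.4.22 GET http://bad-example.net/ 403
malformed line without enough fields
"""


def host_of(target: str) -> str:
    """Hostname from a full URL or from a CONNECT host:port target."""
    if "://" not in target:
        target = "//" + target          # let urlsplit see it as a netloc
    host = urlsplit(target).hostname
    return host.lower() if host else ""


def matches_indicator(host: str, indicators: set):
    """Return the indicator that host equals or is a subdomain of, else None.
    Comparing whole DNS labels avoids substring false positives such as
    'notbad-example.net' matching 'bad-example.net'."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def search(log_text: str, indicators: set) -> dict:
    """Map each client address to its (timestamp, indicator, target, status)
    hits. Blocked requests are kept: the attempt itself is the signal."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                    # skip rather than abort on bad lines
        ts, client, _method, target, status = fields[:5]
        ioc = matches_indicator(host_of(target), indicators)
        if ioc:
            hits[client].append((ts, ioc, target, status))
    return dict(hits)


if __name__ == "__main__":
    for client, events in search(PROXY_LOG, INDICATORS).items():
        print(f"{client}: {len(events)} hit(s)")
        for ts, ioc, target, status in events:
            print(f"  {ts} {ioc} {target} status={status}")
```

A real deployment would read the proxy's own log format and pull the indicator set from the sharing feed; the matching and reporting logic stays the same.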
Dr. James Waldo, Gordon McKay Professor of the Practice of Computer Science and Chief Technology Officer at Harvard University presented at the Annual ACSC Conference. During his session “The New England Response to Cybersecurity Grand Challenges,” Dr. Waldo recommended that industry and academia begin to share more data to forward the necessary research that will help solve our cybersecurity challenges.
“There is a different interaction we could have that’s about sharing, as opposed to transactions. The sharing that would be most interesting, I claim, especially in the cybersecurity area, is data. Industry has lots of data… Really serious attacks happen to places that have lots of money… But if as academics we could get access to that sort of data, we could do more relevant research than we can do with the generated data we have now. The problem now is that most companies don’t want to expose that data – either because it is secret or it is embarrassing. A partnership with a group like the ACSC can act as a broker between academia and industry. They could work towards getting the data from industry and making it available to the academics. And there’s already some of that happening. But it should happen more.”
On September 10th, at the most recent Technical Exchange Meeting, where ACSC members convene to share presentations, analysis and tools that help in combating advanced cyber security threats, Jay Carter, Chief Information Security Officer, Harvard University, provided an overview of Harvard's IS security services and the organization's guiding principles. As security practitioners, Jay highlighted the importance of being viewed as partners: "If we continue to trade in fear and doubt we will be extinct in not long."
When asked how Harvard's IS team has become viewed as partners within the institution, Jay provided two pointed examples: "A University Information Security Policy Council was established with representation from each school and several of the larger Central Administration stakeholders. Working groups were organized by data category type, for example, Research Data, Student Data, High Risk Confidential Information (i.e., PII) and tasked with drafting policy specific to the data category. The resulting work product reflected input from the entire University community and is a policy that I believe everyone can see themselves in.
To better influence consistency of security practices, a long standing group, the Security Best Practices Group, consisting of school Security Officers and HUIT partners was asked to undertake the challenge to define standards for University wide common security practices. The result of this effort will be reviewed with the CIO Council for widespread adoption."