Cyber Tips



Building a security posture to shield from liability

At the November annual conference, one of the break-out sessions focused on the definition of "reasonableness" that has been the foundation of cybersecurity litigation in recent cases. In the aftermath of the Third Circuit Court's ruling in the Wyndham case, organizations are searching for standards or guidelines to follow to make sure they are doing what they can not only to keep their data secure, but to demonstrate it to regulators, should there be an incident.

As of today there is no set of rules from the Attorney General, the SEC or the FTC, the bodies that are monitoring cyber activity and holding firms accountable. But steps can be taken to prove you are making a concerted effort to protect the assets for which you are responsible.

Panelist Deborah Hurley from Harvard University did recommend several items that an organization should review and consider when implementing its cybersecurity plans:

(1) read the FTC best practices entitled "Start with security: a guide for business"

(2) review the ISO standard 27018 and comply with that “code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.”

While there are no laws or regulations, these documents provide a baseline for cybersecurity defense. Whether it is benchmarks for keeping data secure or publishing and practicing an incident response plan, having a strategy that follows these best practices and demonstrates prioritization in these areas can help an organization that may become a victim of cyber crime.



Cyber Exchange Forum Hosted by State Street

At the ACSC CEF this summer, thought leaders convened to discuss national threat intelligence, as cybersecurity has become a national priority. Major breaches that had seemed to be isolated to the private sector (Home Depot, Target, Sony) were now being reported by government offices including the White House and the Office of Personnel Management. These are not simply hackers playing games: alleged state-sponsored threat actors have been increasingly successful in entering networks to extract proprietary information and gain competitive advantage economically and politically. The government response has been swift and well-publicized. From several executive orders to proposed legislation, national leadership is emphasizing the dire need to better fortify defenses against cyber attacks.

When building a next-generation cybersecurity strategy that integrates threat intelligence, keep these evolving principles in mind:

  • knowing how to use intelligence is the value, not just access to it
  • analyzing context of threat intelligence is key
  • compromised systems are inevitable
  • it's important to train employees on baseline cybersecurity strategies
  • cybersecurity is now about response




Ellen Powers, The MITRE Corporation

Ellen Powers from The MITRE Corporation this month presented outcomes from MITRE's systemized efforts to advance human defense. In addition to baseline tips to help employees become champions against cyber crime, she explained how the organization practices procedures to mitigate attacks that originate in employee email. These exercises are designed not as tests but as incentives for employees to learn on their own and engage as frontline defenders. The expectation is that there will be an increased incidence of reporting suspicious activity. By demonstrating positive behaviors and communicating successful outcomes, MITRE has been able to advance its goals. The presentation included some tips for all employees at all organizations to be aware of when using their email. The mission is to eliminate the entry point for cyber attacks and to heighten human defense measures.

What to Look for in Targeted Email:
1. An attachment with a specific name or topic with which you may have an association
2. The sender will not be familiar, or may appear to be from a known organization
3. The message will be invitational in nature, or will request information about the content in question

What to Do:
1. Do not open the attachment
2. Do not reply or respond to the sender
3. Send suspect emails to the proper channels in your organization



Larry Clinton, President and CEO, Internet Security Alliance

On December 11, 2014, the Advanced Cyber Security Center sponsored a roundtable discussion on Risk Management hosted by DLA Piper. The event featured a panel discussion focused on information governance and enterprise risks, including legal risks associated with cybersecurity.

Expert panelist Larry Clinton highlighted five cybersecurity principles for enterprise board members:

  • They need to understand that cybersecurity is an enterprise-wide initiative;
  • They need to recognize the legalities of risk management;
  • They need adequate cybersecurity expertise and it needs to be on the agenda in business discussions parallel to finance and legal;
  • They need to set an expectation that senior management will build an enterprise risk management framework;
  • They need to be deciding segmentation with respect to risk – what risk will we accept or mitigate and how much risk will be bought down.


Lawrence Wilson, Information Security Lead, University of Massachusetts

Cybersecurity is one of the fastest-growing job markets, with a growth rate two times that of all IT jobs. Developing a pipeline of talented cybersecurity professionals with the required skills is the topic of the ACSC's upcoming Cyber Exchange Forum on April 14 at UMASS Lowell. What skills are actually in demand? What curriculum and programs are being developed at the university level? How do you develop the existing workforce? And how are universities and companies collaborating to meet these workforce challenges? UMASS's Information Security Lead Larry Wilson, with ACSC's Charlie Benway, has been participating in discussions with external groups, including media, on defining the ideal skill set for a cybersecurity professional.

Work habits:

  • Ability to analyze technical issues along with strong analytical skills

  • Demonstrated skills in innovation, collaboration, problem solving

  • Maintain awareness of security risks and best practices for security awareness

Soft skills:

  • Excellent presentation, communications, writing skills

  • Listening, influence and negotiation skills with customers and coworkers

Technical skills:

  • Understand architecture, administration, and management of IT Infrastructure (Endpoints, Networks, Servers, databases, Mainframes)

  • General application development, programming, testing concepts and software analytical skills

  • Understanding of Identity Governance and Access Management, security administration, privileged accounts, role-based access control (RBAC)

  • Understanding of Data Governance, information lifecycle management, data at rest, in motion, and in use

Other areas:

  • Understand current and emerging threats and how they exploit known and unknown vulnerabilities

  • Understand risk management principles and practices

  • Understand the audit process, compliance requirements, management responsibilities

  • Understand security policies, procedures, controls frameworks, standards, etc.

  • Understand incident response and computer forensics capabilities


Michael Chertoff, Former Secretary, U.S. Department of Homeland Security, Executive Chairman and Co-Founder, The Chertoff Group

Key steps to developing a resilient organization:

  • Intelligently examine the threats faced by your company
  • Identify, monitor, assess, reduce and – where possible – eliminate security gaps on an ongoing basis
  • Train employees on the consequences management plan through regular exercises
  • Think outside the box in identifying possible future threats



Charlie Benway, Executive Director, Advanced Cyber Security Center

Benway offers security recommendations at the October 8th North Shore Chamber of Commerce Breakfast.



Quinn R. Shamblin, Executive Director of Information Security, Boston University

In the U.S., we have an official process for escalating cyber security incidents from a single organization up through the various levels of an industry’s own Information Sharing and Analysis Center (ISAC), through the National Cybersecurity & Communications Integration Center (NCCIC)—part of the DHS—then through both that industry’s regulation and control groups and, if necessary, up the various levels of national response and policy until—if it is severe enough—it lands in the Situation Room of the White House, in front of the Principals Committee and the President himself. In this way, a cyber attack could potentially escalate to the level capable of authorizing a kinetic response, if appropriate. Understanding this process can help you understand how you and your organization might best integrate with it, to take advantage of the resources available to you and to understand when it is appropriate to ask for the next level of attention.

This process is documented in the DHS National Cyber Incident Response Plan (NCIRP). This video, recorded by Quinn Shamblin for the Global Risk Meeting held in Brazil in 2013, will lead you through the NCIRP using a series of attacks against the finance sector as an example. The presentation explains the various levels of escalation, what kind of activities take place at each level and the value of each, and includes examples and stories provided by Jason Healey from his experience as Director for Cyber Infrastructure Protection at the White House and in his book A Fierce Domain: Conflict in Cyberspace 1986 to 2012, along with anecdotes relayed by Mr. Healey at Black Hat 2013.

Quinn Shamblin is the Executive Director & Information Security Officer for Boston University and holds an MBA, a CISM, CISSP, ITIL and other certifications. Boston University is the 4th largest private university in the United States, ranked in 2013 as 41st in the U.S. by U.S. News & World Report and 50th in the world by the Times of London.



Bob Guay, Manager, Information Security & Governance, Biogen Idec, Inc.

Cloud Vendor Security

When your organization is faced with evaluating a new cloud provider use the following guidelines to help make the process streamlined and secure:

  • Spend some time with the business to determine the requirements (if you have an internal solutions team, or architecture team involve them as well)
  • Have the security or risk team investigate the cloud provider and ask them the following:  
    • Does the cloud provider have any risk assessments, certifications or audits performed by a third party that they can share?
    • If not, create a set of questions based upon NIST 800-53 that relate to your organization (such as access control, auditing, logging, contingency etc.) and create a scorecard for the vendor
    • Engage in conversations with the vendor and ask them about references
  • When completed provide the results to the organization on an easy to access portal (e.g. internal intranet site)
    • Provide the information about what the vendor does
    • Provide details about the risk assessment results and scores of the questionnaire
      • Note: it is important to provide both good and bad scores
      • This prevents duplication of services, and if the vendor is suspect, you certainly do not want to put the company at risk


Jim Terwilliger, Federal Reserve National IT Services

Excerpt from SC Magazine’s Shining A “Spotlight” On: Insider Threats featuring Jim Terwilliger, Technical Manager of Cyber Defense Planning for Federal Reserve National IT Services

Team Effort

Most inside risk is of the unintentional variety. And that means training needs to be part of the solution.

Many employees simply don’t understand that they have a security role. “They may feel that they will be forced to comply with onerous procedures, or that if they do a few things, the security people will take care of the rest,” says Terwilliger. “That can be coupled with laziness on the part of system administrators who fail to follow the best practices of user-access or don’t require complex passwords along with periodic password changes.”


David Humphrey, Harvard Pilgrim Health Care

Preview of Senior Security Architect, David Humphrey's interview with SC Magazine - Evolution of Mobile Device Management (MDM) and Security Control Tips

Never has the traditional Gartner “Hype Cycle” model of analysis so accurately portrayed the evolution of a market as it has for the Mobile Device Management (MDM) technology.  At its height of the development frenzy in 2012, there were in excess of 70 different vendors in the market addressing the market of “how does the enterprise manage data on a mobile device that it does not necessarily own.”

At the time, there were choices to make (as the enterprise consumer), of whether or not to own an employee’s communication device, and therefore the control of it, or to simply support management of the device that the user owned (BYOD), at the expense of total control.  There were choices of data plan costs, of telephone costs, of features from MDM suppliers, and of how to manage communications costs most effectively.  But in the end, as Samsung, Motorola, and other device manufacturers caught up with the functionality of the Apple ‘i’-devices, and far surpassed the functionality of the Blackberry RIM devices, these choices were finally put aside in the face of a growing consumer market.  It was clear that the user demanded the flexibility to decide on their own device, leaving the enterprise to eventually embrace the benefits of “outsourcing” part of their communications infrastructure (and cost) out to their workforce.  To adopt BYOD.

As that answer began gaining acceptance by IT management, this contentious product feature receded to one that uncovered the next solution differentiator: security.  And the real challenge became – what MDM features best delivered corporate control over enterprise data on a device they did not own.  And that challenge is generally addressed by the use of “containers” - encrypted, managed software constructs on the endpoint that are remotely managed by the enterprise MDM server as the device is brought online.  This concept of “containerizing” corporate data began narrowing the vendor field quickly, as the market entered into the “trough of disillusionment” phase of product adoption.  Over the past year or so, IBM bought the MaaS360 Fiberlink solution, VMWare bought AirWatch, and Citrix bought Zenprise.  Four of the largest vendors in the space, Blackberry, Good, MobileIron, and Tangoe, make up the balance of the larger independent MDM vendors.  But there is a noticeable shift: VMWare and Citrix are virtual workspace vendors.  And the Samsung Knox and Blackberry 10 systems are also “workspace” approaches to virtually separating user and corporate data on the device for external administrative control.

In summary, the MDM market is still immature; even fully containerized solutions like Good and AirWatch are likely to be overtaken by transparent workspaces on the handset that perform the same data containerization but use a more native application interface.  Enterprise outsourcing of e-mail and calendaring is pushing MDM management into the cloud, resurrecting the Blackberry market as they reposition to address that environment.  We are in the “slope of enlightenment” phase; look for the security feature-rich solution that threads an enterprise-managed certificate infrastructure into control and encryption of the data on the endpoint.

Security controls should be in place to:

  • Sync e-mail accounts while roaming
  • Encrypt iTunes backups
  • Have logical group control of devices based on A/D grouping
  • Have different profiles for different OU groups in the organization
  • Detect jailbroken/rooted devices
  • Detect iOS version and enforce
  • Detect applications and enforce policies
  • Wipe enterprise data or wipe the entire device
  • Force encryption via ActiveSync
  • Interact with AIM and LDAP?
  • Determine what encryption is supported, how it is activated and any processing requirements on the device
  • How security controls support or interact with existing HPHC Corporate Security Policies and Procedures


Andy Ellis, Akamai Technologies, Inc.

Andy Ellis, Chief Security Officer at Akamai and ACSC member, shares his company's informative video tutorials focused on cyber security. Now found on the Akamai YouTube channel, the videos drill down on important topics in a way that even non-technical audiences can understand, with the help of some clever animations.

Ellis gives an overview of tokenization and why it exists, as well as a brief history of the credit card industry as it exists today.

Ellis gives a brief overview of security and compliance and what they mean to Akamai. Andy's overview includes common terms along with definitions and an overview of common standards and their components.

Ellis gives an overview of the zero-day vulnerability (or negative-day vulnerability).



Kenneth Montgomery, Federal Reserve Bank of Boston

In an era of escalating cyber threats, taking simple measures to manage risk – at home and at work – will help you secure your privacy. At a recent event at the Boston Economic Club, ACSC board member Ken Montgomery outlined the current state of cyber security and stressed that cyber attacks should be a top concern for all industries. He also provided several tips and reminders for everyone who engages in the virtual world.

  1. Don’t open e-mails from people you don’t know (spear phishing)

  2. Be cautious about clicking on embedded links – including on industry or topic-specific sites you trust (watering hole)

  3. Keep all software up to date. Install critical updates immediately

  4. Consider a standalone PC for your financial management practices and limit your access to those specific sites

  5. Use a different log-on ID and a strong password for each account/service


Charlie Benway, Advanced Cyber Security Center

The Paradigm Shift in Cybersecurity

This month Charlie Benway, Executive Director of the Advanced Cyber Security Center, was interviewed by Network World for a profile on the ACSC. Charlie's tip for people managing cybersecurity for their organizations is to recognize that the focus should be on identifying threats – not simply on steps to keep hackers out. They are already in.

Beyond the trust issue, a big obstacle the ACSC has seen is a reluctance to adopt a new mentality regarding cybersecurity, Charlie Benway, the organization’s executive director, says.

“What’s happening from a bigger-picture perspective is there’s a shift in paradigm going on in cybersecurity, and there’s a maturity spectrum here, and some folks are still at the beginning of the maturity curve, where it’s the old philosophy of ‘I have to set up firewalls, I have to keep people out and I’ve got to do my patches, and that’s what I need to do,’” Benway says.

In the past few years, mainstream media has caught on to major cyberattacks. That publicity has led many organizations to accept the fact that they may not be able to prevent every attack, Benway says. This shift in paradigm led many CISOs to acknowledge that they may be better off gaining as much intelligence on the attackers and their methods as possible. Instead of approaching security from the perspective of vulnerabilities, the ACSC advocates focusing on the threats.

While the shift in mindset does explain the value of threat sharing, private organizations still need incentives to share their cyberthreat information. What many have come to realize, however, is that what’s good for the security community as a whole will likely benefit them individually, Benway says.

“If I’m a financial services company and I’m connected to 500 banks, and some of those banks may be small or medium-sized banks and they don’t have the type of resources I have for cybersecurity, I need to help them secure themselves, or I’ve got issues,” Benway says. “And you hear that on a regular basis now.”


Chris Harrington, EMC Corporation

EMC's Chris Harrington (far right) on a Cyber Threat panel at the 2012 ACSC Annual Conference

Back to basics. That is the phrase I have written at the top of my whiteboard. It’s a constant reminder not to lose focus on basic security concepts. Why? Over the years I have observed that many of us get wrapped up in what the latest security buzzword technology can do for us. Network Access Control, Next Generation Firewall, Data Leak Prevention, Big Data analytics... and the list goes on. Why are these so interesting to us? I believe it is because they aren’t what most would consider “basic” security. I think most of us in the security space share a couple of traits. The first is we love technology and shiny new toys. A close second is that we strive to solve more challenging technology problems. Security basics certainly are not new and on the surface not technology challenges either. We tend not to want to work on problems we can’t use our new or advanced tools to solve. Our adversaries know this.

Why do we see Advanced Threat actors routinely using exploits for application vulnerabilities that have been known for years? Many organizations struggle with patching. It’s not sexy, it’s not the latest thing in security and it’s hard to do. Patching isn’t as much a technology problem as it is a people problem. These systems can’t be patched because the software doesn’t support the latest Service Pack. Those systems are in a lab network and there is no system administrator. We can’t be disrupting the users all the time with reboots. I’m sure all three of those will sound familiar. I can’t buy a security widget to address those underlying issues.

Patching is just one example. We can all think of some things in our environments that are considered basic security concepts but are not followed. A good password policy, not giving every user admin rights on their Windows system, making sure your Antivirus is up to date, restricting the use of LanMan hashes, collecting and storing logs from critical systems and not using clear text protocols like Telnet are all arguably considered basic security. Why is this important? Advanced Threat actors won’t burn a 0day exploit if they can guess the password to an external system or hit you with a two-year-old exploit and move laterally. Paying attention to these basic concepts will make their job harder and yours easier in the long run. Following practices like these means making it harder for them and for other less serious threats that eat up your valuable time.


Jim Caulfield, Federal Reserve National IT Services

Sun Tzu said: "If you know your enemy and know yourself you need not fear the results of a hundred battles."  In this, the era of total information awareness, with full time incident responders arrayed in front of real-time security monitoring systems it is reasonable to expect that the blind-spot in this equation is: “knowing the enemy.”  The reality is that true self-knowledge continues to be elusive.  One of the many things that we know about the adversary (and we really do know a fair bit these days) is that they rely on a number of perceived blind-spots in our detective capacities to enable their work.

Security monitoring is a “big data” problem. Firewall and anti-virus systems generate hundreds of thousands, if not millions, of log entries per day. Sifting the wheat from the chaff in data created from those and other related systems is an exercise requiring near constant tuning and adaptation. Threat sharing like that done at the ACSC is a critical input into this work. Understanding what new vectors, behaviors and indicators to be on heightened alert against in your logs is increasingly important in the fight to hold the attackers at bay. Underscoring this, though, is the need to ensure you have the logs and detective capabilities you need to enable this effort. For example: being able to effectively and quickly search through your anti-virus logs and quarantine folders for evidence of a specific attacker activity is important. Being able to search your web-proxy logs to know if anyone in your enterprise has visited a malicious or infected website is critical. Don’t take it for granted that your organization can do these things quickly and conclusively. As you chart your business and security goals for 2013 and beyond, and before you go buy that shiny new next-gen security appliance, make sure you have access to the data that will give you true self-knowledge. It is the foundation upon which your entire information security program relies.
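As an added example (not the author's or the ACSC's code), here is the kind of quick, conclusive web-proxy log search the paragraph says you should be able to run: shared indicator hosts are matched against constructed Squid-style access-log lines, denied connections are reported as attempted contacts, and unparseable lines are counted so you know how much of the log was actually searched. The log format, client addresses and indicator domains are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed indicator hosts, as they might arrive via threat sharing.
# An exact match or any subdomain of these counts as a hit.
BAD_HOSTS = {"malicious.example", "infected.example.net"}

# Constructed Squid-style native access-log lines: timestamp, elapsed ms,
# client, result code, bytes, method, URL, user, hierarchy, content type.
# The last line is deliberately malformed to exercise the parse counter.
SAMPLE_LOG = """\
1357048800.123    120 10.1.2.3 TCP_MISS/200 5120 GET http://news.example.com/story user1 DIRECT/203.0.113.10 text/html
1357048801.456     90 10.1.2.3 TCP_MISS/200 1024 GET http://cdn.malicious.example/x.js user1 DIRECT/203.0.113.20 text/javascript
1357048802.789     45 10.1.2.7 TCP_DENIED/403 0 CONNECT infected.example.net:443 user2 HIER_NONE/- -
1357048803.000     60 10.1.2.9 TCP_MISS/200 2048 GET http://notmalicious.example.org/ user3 DIRECT/203.0.113.30 text/html
this line is not parseable
"""

# Fields are whitespace separated; capture only what the search needs.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)


def host_from_url(url: str, method: str) -> str:
    """Lowercase hostname from the URL field; '' if none is recoverable.

    CONNECT (HTTPS tunnel) requests log host:port with no scheme, so
    urlsplit would misread them; everything else is a full URL.
    """
    if method.upper() == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def is_bad_host(host: str, bad_hosts=BAD_HOSTS) -> bool:
    """True if host equals, or is a subdomain of, any indicator.

    Matching on whole labels keeps 'notmalicious.example.org' from
    matching the indicator 'malicious.example'.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in bad_hosts for i in range(len(labels)))


def find_hits(log_text: str, bad_hosts=BAD_HOSTS):
    """Return ({client: [(ts, host, result)]}, unparsed_line_count).

    Denied requests are reported too: a blocked connection still shows
    which client tried to reach the host. Unparsed lines are counted so
    the analyst knows how much of the log was actually searched.
    """
    hits = defaultdict(list)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        host = host_from_url(m["url"], m["method"])
        if host and is_bad_host(host, bad_hosts):
            hits[m["client"]].append((m["ts"], host, m["result"]))
    return dict(hits), unparsed


if __name__ == "__main__":
    found, skipped = find_hits(SAMPLE_LOG)
    for client, events in sorted(found.items()):
        for ts, host, result in events:
            print(f"{client} contacted {host} ({result}) at {ts}")
    print(f"{skipped} line(s) could not be parsed")
```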


James Waldo, Harvard University

Dr. James Waldo, Gordon McKay Professor of the Practice of Computer Science and Chief Technology Officer at Harvard University presented at the Annual ACSC Conference. During his session “The New England Response to Cybersecurity Grand Challenges,” Dr. Waldo recommended that industry and academia begin to share more data to forward the necessary research that will help solve our cybersecurity challenges.

“There is a different interaction we could have that’s about sharing, as opposed to transactions. The sharing that would be most interesting, I claim, especially in the cybersecurity area, is data. Industry has lots of data… Really serious attacks happen to places that have lots of money… But if as academics we could get access to that sort of data, we could do more relevant research than we can do with the generated data we have now. The problem now is that most companies don’t want to expose that data – either because it is secret or it is embarrassing. A partnership with a group like the ACSC can act as a broker between academia and industry. They could work towards getting the data from industry and making it available to the academics. And there’s already some of that happening. But it should happen more.”



Jay Carter, Harvard University

On September 10th, at the most recent Technical Exchange Meeting - where ACSC members convene to share presentations, analysis and tools that help in combating advanced cyber security threats - Jay Carter, Chief Information Security Officer, Harvard University, provided an overview of Harvard’s IS security services and the organization’s guiding principles. As security practitioners, Jay highlighted the importance of being viewed as partners: “If we continue to trade in fear and doubt we will be extinct in not long."

When asked how Harvard's IS team has become viewed as partners within the institution, Jay provided two pointed examples: "A University Information Security Policy Council was established with representation from each school and several of the larger Central Administration stakeholders.  Working groups were organized by data category type, for example, Research Data, Student Data, High Risk Confidential Information (i.e., PII) and tasked with drafting policy specific to the data category.  The resulting work product reflected input from the entire University community and is a policy that I believe everyone can see themselves in.

To better influence consistency of security practices, a long standing group, the Security Best Practices Group, consisting of school Security Officers and HUIT partners was asked to undertake the challenge to define standards for University wide common security practices.  The result of this effort will be reviewed with the CIO Council for widespread adoption."