Examining E-Commerce, Governance and Applied Certifications

ISACA hosted a free live webinar on how certifications and education get applied to real world e-commerce and governance cybersecurity issues titled “Cybersecurity: e-Commerce, Governance and Applied Certifications” on Tuesday, 15 December 2015. We recently spoke with presenters Michelle Mikka-Van Der Stuyf, president and CEO of BizStrat Technology Corporation, Sally Smoczynski, CISSP, managing partner of Radian Compliance, and Diana Salazar, CISM, CISA, CRISC, CGEIT, executive security advisor (ESA) of Magellan Group, about cybersecurity: e-commerce, governance and applied certifications. Read the interview below.

Q: These are some big topics. How are they impacting organizations today, and what do companies need to know?

Michelle Mikka-Van Der Stuyf (MMV): We shared real-experience information on how we practically apply cybersecurity solutions in business and government. To help attendees focus, we started off with some shocking cybersecurity stats. We also provided insight into just how encompassing cybersecurity is, how you can get a more strategic view of your greatest risks, and where companies should apply their security resources.

Sally Smoczynski (SS): I reviewed the root causes of cybersecurity incidents—why did they happen and what could have been done to prevent or mitigate the impact? I’ll explore why information security governance outside of IT is essential for strong policy and procedures management. I also discussed making sense of regulatory frameworks. Which ones do you use, and how can they be better managed? Finally, I discussed the value of a management system.

Diana Salazar (DS): Regulations may fall behind as people continue toward bring your own devices (BYOD) and bring your own cloud (BYOC); therefore, organizations need to use a continuous assessment process of controls and a framework for information sharing, data movement and greater interoperability among legal and privacy bodies. They should review technology challenges (application, profiling, digital education and web tracking), remove data for right to be forgotten requirements, and increase transparency on the data organizations are collecting and required controls using comprehensive frameworks.

Q: How do you apply those points to your organization?

MMV: Cybersecurity is as much about practice as it is solutions. Our business/technology solutions always integrate risk and risk mitigation to deliver a sound, safe and secure result. Often companies want to push security to the side to save time or cost, but we believe security is a must-have and won’t break those standards to deliver a solution that is not in the best interest of our client or their industry.

Education and certifications are keys to maintaining cybersecurity. Cybersecurity information is constantly changing, so it’s critical to stay current with industry news by following breach intelligence, attending conferences and other industry events, and collaborating with CISOs and other security professionals. We apply certifications and education in every solution. By being educated on risks and solutions, including practices that give you a leg up against the inevitable breach, you’ll be serving your customers’ cybersecurity needs well.

SS: You have to practice what you preach. In Radian’s case we’re applying a strong security awareness program and practicing good data protection habits. We are an implementer of ISO 27001, so we focus on best practices and relevant risk mitigation to support our clients’ programs. We perform internal audits to many ISO standards and identify areas of improvement to reduce the threat of cybersecurity incidents and information security incidents.

Internally, we strengthened our security posture based on what we learn in the field. Organizations need to take a holistic governance structure to protect their information assets. Tools can help detect incoming threats, but people are the biggest threat, including their social media habits.

Information security governance outside of IT is essential for strong management of policy and procedures. Governance needs to include HR, physical security, training, marketing, legal and other departments. IT plays a very important role, but not the core.

DS: Using a continuous assessment process, organizations enable defensibility and resilience. Generally, review controls fit into three categories: protective/preventative controls, which enforce acceptable behaviors; detective/audit controls, which perform a monitoring activity; and reactive controls, which respond to a detective control providing an alert or correct an unacceptable situation. When there is a breach, one of these simple categories (preventative, detective or reactive control) is missing. Applying these categories with a framework enables an organization to reduce an adversary’s ability to do harm. Frameworks provide the ability to determine which controls apply to the organization.

[ISACA Now Blog]

Palo Alto Networks Honors Our Wounded Warriors at Army-Navy Football Game

The Wounded Warrior Project’s purpose is to “raise awareness and enlist the public’s aid for the needs of injured service members” in our country. This past weekend, the nation watched the 116th edition of the massive football rivalry between the Cadets of the United States Military Academy and the Midshipmen of the United States Naval Academy. To celebrate that, and to support the Wounded Warrior Project, Palo Alto Networks hosted several injured veterans, and their families, in a luxury suite at the game.

Our Federal Chief Security Officer, U.S. Army Major General John Davis (Retired), and I had the opportunity to thank the brave men and women before the game; and host these Wounded Warriors, their families, and, yes, one good-looking support dog in the suite for the day. We were honored, but humbled, to have the chance to support the Wounded Warrior Project’s critical mission and ongoing work.

These injured veterans and their families have borne the burden of our past wars. They have stood up to fight for the things they believe. Army Chaplain Matthew Pawlikowski, in his opening prayer before the game, said it best:

“Gathered on this gridiron, we are grateful for such rough and rugged souls as these cadets and midshipmen, strong in spirit and in sinew. We are especially mindful of our first-class cadets and midshipmen, bristling on the brink of becoming soldiers, sailors, marines, ready today to happily visit violence on each other, and if need be, some day, sometime soon, on the enemies of the world, so that our citizens, our ally citizens, indeed the same citizens of all countries, can sleep safe and sound in peace.

For those of us who have fought, who can fight, who will fight, our country’s wars pray for peace more than those who have never served can ever know, for we willingly face the horrors from which others are thankfully spared.

But if peace on earth be not granted us in this season of our lives,
then we pray, almighty god, that on these fields of friendly strife,
be sown the seeds that on other fields on other days will bear the fruits of victory.

Amen.”

Our injured veterans know this story all too well. You can support them and the Wounded Warrior Project by getting involved. Learn how by visiting the Wounded Warrior Project website.

[Palo Alto Networks Blog]

2016 Prediction #10: Cyberthreat Intelligence Sharing Goes Mainstream

This is the tenth in our series of cybersecurity predictions for 2016. Stay tuned for more through the end of the year.

There are few areas of cybersecurity that present more promise than the concept of sharing threat intelligence to make online communities, and the Internet as a whole, a safer place.

No single organization is capable of achieving complete visibility into the threat landscape. But by joining together and sharing threat intelligence across the industry, we can enhance our collective immune system. The challenge, as is often the case, has been around putting that into practice.

There have been pockets of innovation, such as the Information Sharing and Analysis Centers (ISACs) or security vendors sharing intelligence between their customers. But as attackers continue to conduct successful cyberattacks around the world, this is clearly not enough. Current efforts provide value, but they are often cumbersome and only accessible to larger and more sophisticated security operations teams. There is essentially a high “barrier to entry,” with manual analysis required to consume, verify, analyze and implement any changes to an organization’s policy, even with adequately shared intelligence.

This requirement has limited the number of organizations who share intelligence, meaning we have less of it available than we should. Now, imagine a world where every security team can turn their network into a sensor and automatically implement protections for new attacks as they happen. This puts malicious actors at a disadvantage, requiring them to spend immense resources to discover new exploits, construct new malware, and employ new techniques.

The past year has shown us early indicators that 2016 will be the year organizations truly embrace – and reap the benefits of – shared threat intelligence. We will see this change the way both security vendors and the security community at large operate. I anticipate three specific changes:

1. Threat intelligence is not intellectual property

Organizations have historically been hesitant to share data on threats. From a security vendor side, this stems from a common belief that their product differentiation is dependent on keeping this intelligence a closely guarded secret.

From a user perspective, many organizations have also operated under the assumption that sharing intelligence with their competitors could expose sensitive information or put them at a competitive disadvantage. But, in 2016, we will see more vendors come to the realization that their users, and the community, have come to expect more from them. In order to offer the best protections possible, vendors will begin to share intelligence with each other on a wider scale.

2. Public and private data sharing

There has never been more focus from the United States government on the sharing of threat intelligence, with President Obama directing the Department of Homeland Security (DHS) to lead the charge to enable public and private entities to share intelligence with each other in Executive Order 13691.

This coming year will see the result of these efforts formalized and put into practice, with Information Sharing and Analysis Organizations (ISAOs) being established and intelligence shared across private, non-profit and government agencies. Spurred by this innovation, we will see governments beyond the U.S. adopt similar policies.

3. Campaigns, not samples

We will see an evolution in what is being shared, with a move toward more adversary- and campaign-oriented intelligence. Traditional efforts have been focused on indicators such as hash values, which provide minimal actionable value to the organizations receiving them. Instead, we will see more effort around malware family and adversary attribution, which provide the context needed to understand the threat and develop relevant protections against them. Simply sharing data will no longer be good enough; we have to share the right intelligence, with actionable recommendations.

The coming year represents the fruition of the great promise in threat intelligence sharing. The world is changing, and both vendors and users must adopt a more proactive stance to sharing, lest they risk being left in the dust by those who do.

We have a responsibility as a security community to do everything in our power to prevent cyberattacks, which includes sharing as much intelligence as possible. While there is a great deal of momentum in 2016, we can do more to reap the benefits of this trend. Ask yourself how your organization can integrate and contribute to keeping our community safe online.

Want to explore more of our top 2016 cybersecurity predictions? Register now for Ignite 2016.

[Palo Alto Networks Blog]
