To (ISC)² Global Academic Program (GAP) Instructor John Sands, the Next Generation is Everything

To GAP instructor John Sands, the next generation is everything. He has dedicated his career to teaching and creating programs that fill the cybersecurity education gap that persists today. His work has propelled the cybersecurity field forward by decades.

In addition to his role as GAP instructor, Sands is also the department chair for Computer Integrated Technologies at Moraine Valley Community College and co-founder of the National Center for Systems Security and Information Assurance (CSSIA), a GAP member since 2014. Early in his career, he recognized that schools and universities lacked cybersecurity programs altogether, let alone programs that could produce students equipped to meet the dynamic cybersecurity needs of the real world.

Nearly 20 years ago, Sands and his colleagues conducted studies to find out what was preventing schools from adopting security programs. They applied those findings to the curriculum at CSSIA and implemented hands-on labs throughout the program, and today, over 250 schools have duplicated their model. “To see the impact of our program is profound,” he reflects.

Despite all his impressive strategic work at the program level, he still loves teaching. “I love watching the first time students recognize what can be done with the tools (such as penetration testing) to their systems. Most people have no idea as to the level of risk we’re actually at. To take over a machine and interpret the data and do forensics helps students appreciate the seriousness of the situation. Once students grasp that, their whole approach to the class changes.”

A vocal ambassador for experiential learning, Sands has made it a priority to incorporate this element into his programs. He is a believer in the blended education-certification approach and talks to students constantly about the benefits of this holistic view. He is also a big advocate of outside measures that validate skills and of common benchmarks that students must live up to. He feels these things better prepare students for real jobs and give them an advantage in the workplace.

Regarding advice for the next generation, Sands teaches an orientation course in which he exposes students to all of the kinds of jobs that exist and the requirements for each, and he believes this kind of introduction to the field is essential. Most organizations want practitioners who can hit the ground running, so he counsels students to get experience in their classes. He says, “You need to be able to do things – not just talk about them. You also need to be able to demonstrate your knowledge.”

At CSSIA, they conduct a third-year student survey, and many students report that the key to their success is the amount of hands-on experience they leave the program with.

Sands asserts, “This is an extremely important field to get into. This is an important message to get out, especially to high school students. The opportunities in this field are just as good as in the medical and legal fields, and while there are many more lawyers than jobs, information security is suffering from a dire shortage of qualified professionals. We need bright minds to help protect our critical assets.”

So, what’s left for someone so driven and accomplished to do? A member of the U.S. Navy for six years, John is passionate about reaching out to underrepresented groups in the industry, especially veterans. He has created a one-year intensive program for veterans returning from Iraq and Afghanistan. They work with local companies, such as Cisco and Linux, who offer free vouchers for exams and guarantee jobs after veterans complete the program.

Sands comments, “If we just invest in veterans, the profession will benefit immensely. They bring so much to the table. I am amazed by how quickly we’ve been able to bring them through advanced training. We work closely with the Illinois Department of Veterans Affairs, which provides additional services to help veterans transition to a civilian career. It’s my favorite project.”

Through the Global Academic Program (GAP), (ISC)²® collaborates with an ever-expanding network of university partners to establish a joint framework for delivering essential skills to support the growth of a qualified information security workforce. For more information on the (ISC)² Global Academic Program, please visit https://www.isc2.org/global-academic-program/default.aspx.

(ISC)² Management

[(ISC)² Blog]

Tip of the Iceberg: FDA’s Alert to Unplug Hospira’s Drug Infusion Pumps from Clinical Networks

On July 31, the FDA issued an alert advising healthcare facilities to stop using Hospira’s Symbiq drug infusion pump due to a security vulnerability. Infusion pumps are used by medical facilities to automatically administer doses of medication to patients based on the amount specified by the caretaker. The vulnerability allows an attacker to change the doses of prescribed medicine and impact patient safety.

Multiple Hospira products have been in the hot seat this year due to similar security vulnerabilities. The US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued four different alerts for Hospira products this year, covering the Symbiq, MedNet, LifeCare PCA and Plum A+ devices.

According to Billy Rios, the security researcher who discovered the vulnerability in one of Hospira’s devices, the pumps connect to the hospital network to download drug libraries used to control the upper and lower limits that the machine can safely deliver. The design flaw is rooted in the fact that the pump does not authenticate communications sent to it. This means that anyone with access to the same hospital network could potentially change the libraries and change the effective doses of medicine administered to the patient.

The ICS-CERT team has advised facilities to perform a risk assessment to determine the impact, and then mitigate the issue either by unplugging the impacted devices or, if they are absolutely necessary, by changing the default passwords on the devices and using a firewall to selectively monitor and/or block access.

Discoveries like these raise the question of what other medical devices that connect to hospital networks — and patients — are vulnerable to similar attacks. Is the firmware on all those devices up to date? Often medical devices are delivered to hospitals with accompanying vendor-provided Windows machines. Are those all up to date with security patches? Who is managing them? Many hospitals have thousands of medical devices and are now realizing that no one is keeping them up to date.

C-level leadership at healthcare organizations should ask their teams to develop shorter-term tactical and longer-term strategic plans to address the cybersecurity risks that medical devices present. Strong patch management processes that include medical devices, and network segmentation, are the two core elements of the solution. A network segment dedicated specifically to medical devices can mitigate the risk of vulnerabilities and zero-days that have not been discovered yet.

Healthcare providers should focus on the following steps to address the cybersecurity risks that medical devices present:

  1. Inventory all medical devices
    • Build an inventory of all medical devices
    • Determine which medical devices connect to the network (wired or wirelessly)
    • Determine the business and IT owners for each medical device, and if they’re “unowned,” assign owners
  2. Determine the patch management plan for medical devices
    • Decide which team is on point to update the medical devices (internal IT vs. a vendor)
  3. Assess network architecture for medical devices
    • Create a dedicated medical device segment
    • Ensure the medical device segment is configured to block both inbound and outbound connections (unless specifically allowed)
  4. Develop a plan to migrate medical devices to the medical device segment
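As an added illustration of step 3 (this is not configuration from the original post or from any vendor), the ruleset below shows what “block both inbound and outbound unless specifically allowed” looks like on an nftables firewall sitting between a dedicated medical-device VLAN and the rest of the hospital network, with the permissive setting it replaces shown in comments. The interface name, subnets, the drug-library server address and the ports are assumptions chosen for the example.

```nftables
# Added example: filtering between the medical-device segment and the hospital LAN.
# Interface names, subnets, server address and ports below are assumptions.
define med_if   = "vlan50"          # medical-device segment interface
define med_net  = 10.50.0.0/24      # pumps and other devices live here
define lib_srv  = 10.10.5.20        # drug-library server the pumps download from (assumed)
define mgmt_net = 10.10.9.0/24      # clinical-engineering admin hosts (assumed)

# Weak setting: a forward chain that accepts by default. Any host on the hospital
# network can talk to a pump, and a pump can reach anything, so an unauthenticated
# library update can come from anywhere.
# table inet medseg_weak {
#     chain forward { type filter hook forward priority 0; policy accept; }
# }

# Corrected setting: deny by default in both directions, allow only named flows.
table inet medseg {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept     # replies to allowed flows
        ct state invalid drop

        # Outbound from the segment: only library downloads to the approved server
        iifname $med_if ip saddr $med_net ip daddr $lib_srv tcp dport 443 accept

        # Inbound to the segment: only the admin subnet, only the needed ports
        iifname != $med_if ip saddr $mgmt_net ip daddr $med_net tcp dport { 22, 443 } accept

        # Everything else is logged (rate-limited) and then dropped by the chain policy
        log prefix "medseg-drop: " limit rate 10/second
    }
}
```

Load it with `nft -f <file>` and watch the `medseg-drop:` log lines for a few days before migrating devices; flows that legitimately need to cross the boundary show up there and get explicit rules rather than a looser policy.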

This four-step plan could take months to execute, given the size and breadth of many healthcare organizations that have thousands of medical devices across many departments. But the most dangerous risks are those that we don’t yet know about or understand.

Healthcare providers: Assign some staff to wrap their heads around the security risks of medical devices in your environment and develop a plan to mitigate. Your patients will thank you.

Read more about how Palo Alto Networks can help protect healthcare organizations.

[Palo Alto Networks Blog]

Stay Up-to-Date with the Cybersecurity Canon

Want to keep up with the latest details of the Cybersecurity Canon? Follow @CyberSecCanon on Twitter and “like” the Canon Facebook page to read book reviews, find out what books are nominated, see what our committee members are up to, and more!

Also, don’t forget, we want to hear from you. Click here for more information on how you can be involved with the Canon and nominate your favorite cybersecurity book for inclusion in the candidate list.

Questions about the Canon? Read the full set of blog posts to learn more, and check out the committee members for 2016.

[Palo Alto Networks Blog]

Securely Enabling Business in the Cloud

Most security vendors talk about how their products are “business enablers,” rather than simply a line item in the budget. This is an admirable goal, but making claims is easy – delivering on them is what counts. The Palo Alto Networks customer count continues to soar to a large extent because of the business value that our solution delivers. Many customers prefer not to publicly discuss which products and services they deploy, and that is sometimes the case with cloud providers as well. One such example of how the Palo Alto Networks Security Platform truly serves as a business enabler is worth noting because it is such a great illustration of the value we bring to the cloud.

A regional service provider in Asia Pacific asked for help enabling a new cloud services business they were launching. They had been providing traditional premises-based services, network connectivity, unified communications and hosting to their mid-market customer base. They had a strategic goal to become a cloud-based integrator. This would make their customers’ networks and operations more effective, improve performance, lower costs, and decrease the time to market for more products and services. In short, it would drive new revenue streams by improving business efficiencies for their customers. It would keep them competitive.

Security was a critical success factor for the initiative. Customers are understandably cautious about moving business-critical functions to a cloud service because of security concerns. They have plenty of questions and need lots of assurance. One of the main differentiators that our platform offered was the in-depth visibility and control the provider could offer their customers. This became a big selling point – customers would actually get a higher level of security by moving over to the cloud than they had with their legacy premises-based products.

The other key differentiator, which was a huge business benefit to both the service provider and their customers, was the ability to offer complete security services (e.g., URL filtering, threat prevention, and remote access VPN), and the ability to use Panorama to onboard customers quickly and efficiently. Time to revenue is key in this business, and our platform and management framework excelled in that respect.

The Bottom Line

Palo Alto Networks delivered everything the customer had hoped for when it made us a key element of their cloud business. In the words of the customer, “We got a complete platform in Palo Alto Networks, which is strategically very important to us, and it’s delivered in all the areas needed. We’ve gotten visibility into threats at the app level, and to see what users are doing. The fact that everything is integrated into one platform with one reporting interface – and that we can scale and onboard customers without any impact on performance, or the need for more overhead – is simply fantastic.”

That says it all.

[Palo Alto Networks Blog]

Guiding Auditors in an SAP Environment

Enterprise resource planning (ERP) systems automate and integrate the majority of a company’s business processes, producing consistency. They do this by sharing common data and practices across an organization, leveraging one-time data entry, and providing access to information in real time. To help in this working environment, ISACA recently released a go-to reference book for auditors that they can dog-ear with sticky note flags sticking out of the top and return to year after year.

Since the 1990s, businesses have been managing their operations with ERPs, which have enabled centralized control over operations by implementing a common data model and integrated business processes. SAP has been a leader in ERP systems from the beginning and uses a process-driven approach to match business processes with application processes.

SAP’s core product is SAP ERP (also called Enterprise Core Component [ECC] 6.0). SAP ERP is configurable and integrated across modules. This creates a system that is flexible but also complex. Because of the complexity and variability of configuration across industries, many companies are starting to use automated tools to assist in tracking and monitoring compliance. Systems such as SAP Governance, Risk, and Compliance (GRC) are common in large organizations to monitor and manage ongoing compliance. Information technology auditors are also finding that it takes an SAP-specific skillset to audit these systems. This knowledge is required to understand the risks and the controls that mitigate those risks.

The ISACA Security, Audit and Controls Features of SAP ERP 4th Edition brings together detailed information related to SAP ERP-specific risks, controls, and testing procedures. The handbook is separated into modules that cover the risk and controls, followed by testing procedures for both configuration and security. The book was designed as a long-term reference guide for auditors working in an SAP environment—a handbook written by auditors for auditors.

The 4th Edition provides an update of previous sections and adds sections for Finance, Controlling, Human Resources, and Security with a focus on SAP ECC 6.0. The handbook walks through each of these new sections in detail with the same methodology used to cover the other areas (risk, mitigating controls, and testing procedures). In addition, this latest version also comes with downloadable audit plans that are COBIT 5 compliant. It is nearly a completely new book!

The 4th edition was a great opportunity for Deloitte Advisory and ISACA to work jointly to rewrite and build upon a great foundation, producing a new edition that refreshes and expands the scope of the original book.

Ben Fitts
Deloitte Advisory

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP.
Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

[ISACA]
