With exploit kits readily available to attackers, even ‘good’ applications can go ‘bad.’ Many endpoint security approaches begin by trusting everything and monitoring for patterns or malicious behaviors, while others attempt to whitelist trusted applications and block the rest. The “Zero Trust model” of information security, coined by Forrester, has traditionally been applied to network communications, but today’s advanced cyber threats warrant a new approach in which the Zero Trust model is extended to endpoints: on the OS, on connected devices, and in memory.
This is particularly important as most resources an attacker might be interested in – data and applications – will live on the endpoint. This webinar, hosted by Sebastian Goodwin, examines how an organization can, and why they should, extend a “never trust, always verify” philosophy to their endpoint security.
The CISM examination is difficult. Not only is there a lot of material to know and revise, but the exam is long—at four hours, it is much longer than many of us will have experienced during our formal education. Here are some tips from my own experience to help you through the ISACA exam process for all certifications.
Revision
Start with the practice exam in the CISM review book. You will find it to be hard work. I had to force myself to read each question carefully towards the end. Self-marking this exam identifies the areas for improvement in revision. Going through these questions will help you to understand the question format on the exam. These questions are not actual or even retired questions from an exam.
Revising effectively consists of three stages:
Reviewing the practice exam—was that wrong answer a careless mistake or a lack of knowledge?
Tailoring the revision—ISACA’s resources and other security publications are extremely useful. Make sure you learn ISACA’s preferred terminology.
The questions in the review book explain the correct answer and why the other options are false. This ensures both your knowledge and reasoning are sound. In hindsight, this was the most valuable part of my revision programme.
With the real exam nearing, re-take the practice test. I felt less tired and more in control this time around. I improved my score significantly, with consistent results across all the knowledge domains. Make sure to review incorrect answers and learn from them. However, do not be overconfident if you pass these practice exams. They are used for review and are not reflective of the questions being tested on the exam.
The Exam
Read all the provided information about the exam administration—specifically the Candidates Guide, and take everything you need (particularly suitable ID) with you!
Most people will need to travel to the exam venue. Try to stay in a local hotel the night before as stress from delays or traffic will not help your chances of success. A good night’s rest is an excellent investment.
Once you arrive for the exam, after registration you will enter the exam room itself (often it will be rows of school desks). Relax. If you suffer from pre-exam nerves, try to delay your registration a little to minimise the time you spend waiting at your desk.
With a few hundred people in the room, it is quiet, but not silent. There will be a background of rustling paper, coughing and creaking chairs. Earplugs are provided, but you are not allowed to bring your own or noise-cancelling headphones.
A good exam technique is the method I was taught many years ago:
Answer quick wins on a first pass.
Spend longer on more difficult questions, but do not be afraid to move on.
Revisit remaining questions, using reasonable methods to find an answer.
What’s Reasonable? You could:
Identify wrong answers. This is why it is important to know not only why an answer is correct, but also why the other three are false.
Use facts from other questions. If you are stuck on “What type of control is a firewall?” another question might ask “Preventive controls such as firewalls are useful in which scenarios?” You’ve been given the answer—thanks ISACA!
Finally, copy your answers to the answer sheet. Having learnt from previous mistakes, I now use this method:
Copy the question book answers onto the answer sheet
Ensure the correct dots are filled for each question
Ensure exactly 200 dots are filled (as a final check)
If you have finished early, you can put your hand up and you can leave once an invigilator has collected your papers. You will be tired afterwards, so plan to relax, get some fresh air, some lunch and move about a bit. Nobody wants to finish their exam day with an accident caused through tiredness.
Now, wait a few weeks for your results email… Good luck!
Darren Hampton, CISM
Head of Information Security at the University of Southampton
It’s no secret that attackers use trusted applications to stealthily launch threats into organizations.
A recent example is the November 2014 attack on Forbes.com where the attacker used two chained zero-day Adobe Flash and Internet Explorer (IE) vulnerabilities hosted on the Forbes.com website to create a watering hole targeting users in financial services industries. Visitors to the exploited page using IE 9+ browsers with the Flash plugin enabled inadvertently downloaded a malicious .SWF file, which allowed attackers to gain control over the victim’s machine. The attack was discovered by Invincea’s threat research team.
Another example, discovered by AlienVault Labs, occurred in August 2014. Attackers used what was likely a cross-site scripting (XSS) vulnerability on an industrial company’s web site to load Scanbox onto victims’ machines, collect information about what software the machines were running, and send that information back to the attacker.
In the examples above, three different applications were leveraged: Adobe Flash, Internet Explorer, and a web application (web page). These aren’t just occasional occurrences, either. Sujata Ramamoorthy, Cisco’s Director of Information Security, estimated that more than 70 percent of attacks leverage application vulnerabilities.
Thought Experiment: An App-Perfect World
For a second let’s imagine a world where all applications were 100 percent secure all of the time. What would this mean for the world of cybercrime? For starters, it would mean that cybercriminals would be much harder pressed to find ways to attack users and organizations, drastically decreasing not only the ways in which a profit could be earned through cybercrime, but also the amount of profit gained from a successful attack. The extra work involved in finding a way to compromise the application would have a negative impact on the criminal organization’s bottom line, which could lead to cuts in funding for attack research and staff.
Making it more difficult (and thus more expensive) to launch a successful attack means fewer attackers and fewer attacks. At the end of the day, hackers have to pay the bills, too. Sure, there would still be armies of nation-state hackers and guys who won’t accept defeat and opt to spend their free time hammering out new attack methods, but the threat landscape would change — drastically, and for the better.
Back to Reality
Of course, I know a world with totally secure applications is just a fantasy. However, that doesn’t mean we are helpless to better protect ourselves against application-borne threats. So, how do you make the applications you’re using or creating more secure and resilient?
Use secure coding practices and stringent security testing procedures throughout the software development lifecycle to ensure that your application cannot be used maliciously…
This means making sure applications are architected with security as a priority, right next to functionality, and testing every version or iteration of the software during development, QA, staging, and production. It sounds exhausting, but it’s less exhausting than having to scramble after hemorrhaging customers due to an unpatched production vulnerability that led to a security incident or data breach.
…and taking additional precautions even after the code goes live through patching and tools like web application firewalls and intrusion prevention systems.
Even after thorough testing procedures, a web application firewall or intrusion prevention system can help to block potential evil-doers from combing through applications for attack vectors by alerting on or blocking host sweeps and port scans. In addition to ensuring that your applications aren’t serving up easily-exploited vulnerabilities, these tools also help identify and thwart internal and external users who attempt to access restricted resources or search for potential vulnerabilities.
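As an added illustration of the “alerting on host sweeps and port scans” point, and not code from the original post or from any vendor product, the following script runs simple sweep and scan detection over a handful of constructed firewall log lines. The log format (`<ISO timestamp> src=… dst=… dport=… action=…`), the 60-second window and the thresholds are all assumptions chosen for the example; the source addresses are documentation ranges, not real hosts. It also shows the caveat a practitioner should know: a fixed short window misses a slow scan unless the window is widened.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for the example (tune to your environment).
WINDOW_SECONDS = 60        # sliding window over which distinct targets are counted
PORT_SCAN_THRESHOLD = 10   # distinct ports hit on one host by one source
HOST_SWEEP_THRESHOLD = 8   # distinct hosts hit on one port by one source


def _build_sample_log():
    """Constructed sample log lines (not captured from any real device)."""
    base = datetime(2015, 3, 30, 10, 0, 0)
    lines = []
    # Vertical port scan: one source probing 12 ports on one host in 22 seconds.
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} src=203.0.113.7 dst=198.51.100.10 dport={port} action=deny")
    # Horizontal host sweep: one source probing port 445 on 10 hosts in 18 seconds.
    for i in range(10):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} src=203.0.113.9 dst=198.51.100.{20 + i} dport=445 action=deny")
    # Benign traffic: one user repeatedly reaching the web server on a single port.
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} src=192.0.2.5 dst=198.51.100.10 dport=443 action=allow")
    # Slow scan: 12 ports on one host, 100 seconds apart (never 10 within 60 s).
    for i, port in enumerate([8080, 8443, 3306, 5432, 6379, 27017, 9200, 2375, 5900, 3389, 1433, 111]):
        ts = (base + timedelta(seconds=100 * i)).isoformat()
        lines.append(f"{ts} src=203.0.113.11 dst=198.51.100.30 dport={port} action=deny")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Parse one assumed-format log line into a dict; raises on malformed input."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": kv["src"],
        "dst": kv["dst"],
        "dport": int(kv["dport"]),
        "action": kv["action"],
    }


def _check(window_dq, ts, value, window, threshold, alert_key, alerts, alerted):
    """Append to the per-key sliding window, expire old entries, count distinct targets."""
    window_dq.append((ts, value))
    while ts - window_dq[0][0] > window:
        window_dq.popleft()
    distinct = {v for _, v in window_dq}
    if len(distinct) >= threshold and alert_key not in alerted:
        alerted.add(alert_key)  # one alert per (type, source, target) to avoid flooding
        alerts.append({"type": alert_key[0], "src": alert_key[1],
                       "target": alert_key[2], "distinct": len(distinct), "at": ts})


def detect_scans(log_lines, window_seconds=WINDOW_SECONDS,
                 port_threshold=PORT_SCAN_THRESHOLD, host_threshold=HOST_SWEEP_THRESHOLD):
    """Return alerts for port scans (many ports, one host) and host sweeps (one port, many hosts).

    Both allowed and denied connections count: a scan that finds open ports is still a scan.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted((parse_line(l) for l in log_lines if l.strip()), key=lambda e: e["ts"])
    recent_ports = defaultdict(deque)   # (src, dst)   -> deque of (ts, dport)
    recent_hosts = defaultdict(deque)   # (src, dport) -> deque of (ts, dst)
    alerts, alerted = [], set()
    for e in events:
        _check(recent_ports[(e["src"], e["dst"])], e["ts"], e["dport"], window,
               port_threshold, ("port_scan", e["src"], e["dst"]), alerts, alerted)
        _check(recent_hosts[(e["src"], e["dport"])], e["ts"], e["dst"], window,
               host_threshold, ("host_sweep", e["src"], e["dport"]), alerts, alerted)
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"{a['at']} {a['type']} src={a['src']} target={a['target']} distinct={a['distinct']}")
    print("with a 30-minute window:", len(detect_scans(SAMPLE_LOG, window_seconds=1800)), "alerts")
```

With the default 60-second window the script reports the fast port scan and the host sweep but not the slow scan; widening the window to 30 minutes catches the slow scan too, at the cost of more state per source. The benign user, who touches one port on one host, never crosses either threshold.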
Architect your network so that all traffic and applications on all ports and protocols — including those that use SSL encryption — are visible and void of threats, and data remains secure.
This has more to do with the Zero Trust methodology. Make it incredibly time-consuming and expensive for cybercriminals to target you. Know which applications are being used and what kinds of risks they introduce, and then try to reduce the impact of those risks by limiting the use of unsecured features within those applications, controlling which of your users have access to those application features, and segmenting and securing the data to which those applications have access.
Gaining complete visibility into the applications traversing your network and controlling the way users are able to interact with them is paramount to preventing threats that leverage them to access the network. This is a large part of the premise behind the multitude of “next-generation” security products currently on the market: that they can identify traffic and classify it within the context of applications. If you can tie traffic to applications and allow only certain applications onto the network, then you’ve reduced your security risk. If you can then focus on securing potential attack vectors within those applications, real prevention becomes possible.
Companies pay a high price for assuming existing safeguards will prevent a data breach. According to a CB Insights article, Cybersecurity Startups Have Raised $7.3 Billion Over 1,028 Deals, a litany of high-profile security breaches impacting both the private and public sector have made cybersecurity start-ups an increasingly hot area for investment. Since 2010, deals and dollars have increased steadily, growing by more than 100 percent in both areas. Funding in 2014 broke the US $2 billion barrier for the first time, while deals continued their steady ascent, growing 4.3 percent from 2013 to 269 deals.
The importance of online security and the need for companies and individuals to avoid business practices that leave their information vulnerable are in the news several times a week, if not daily. Apple’s Tim Cook, the CEO of the first US company in the world to reach a market capitalization of US $700 billion, spoke recently at the White House Summit on Cybersecurity and Consumer Protection at Stanford University, highlighting that this problem is a concern for even some of the largest players in the market.
The rise of the mobile workforce and the movement to cloud technologies open up more opportunities than ever for hackers, competitors and other potential criminals to access sensitive data surreptitiously. In 2013, more than 13 million Americans were victims of identity theft, now one of America’s fastest growing crimes. The average annualized cost of cybercrime for U.S. companies was US $12.7 million in 2014, up from US $11.6 million the year before, according to the Ponemon Institute.
What should be of particular concern to company CFOs is that the hackers are becoming as skilled as the employees whose job it is to safeguard precious information. They are doing everything they can to breach the virtual protections in place and use the gathered data for illegal gains. Cyberattacks happen across all industries and to companies of all sizes, making it important for every organization to create and implement an effective risk strategy.
CFOs can apply a simple yet effective, three-step approach to digital risk mitigation, as noted in Armanino’s recent article. By creating strong internal controls, maintaining open communication across departments and investing in cyberinsurance, CFOs will be well-positioned to adapt to new threats and reduce their company’s digital risk on an ongoing basis.
It is the CFO’s responsibility to keep cybersecurity issues top-of-mind for the executive team, which is always dealing with several priorities vying for the same resources. It is imperative to ensure your company does not lose sight of the fact that digital risk needs to be addressed on an ongoing basis, lest it become part of the growing cost of managing the unfortunate outcome. Keeping in mind hackers’ growing sophistication, the key to warding off their unwelcome infiltration is to create a culture where cybersecurity is a consistent part of the boardroom discussion.
Jeremy Sucharski, CISA, CRISC
Partner-in-Charge of Armanino’s Governance, Risk and Compliance (GRC) Practice
Thanks for following along during an action-packed opening day at Ignite 2015!
Today’s kickoff general session featured members of our executive team discussing the importance of an enterprise security platform and many of the ways we’re expanding and enhancing what Palo Alto Networks can offer. Watch below to hear from our executives and Ignite attendees about today’s announcements and what they mean for our partners and customers:
Advanced threats are prevalent, growing in volume and sophistication. And cyber criminals have easier, cheaper access to the tools of the cyber crime trade. That means legacy security technologies can no longer keep up, and that organizations need to think beyond detection and remediation to a security posture focused on prevention.
“We need to increase the cost of an attack to the point where an attack can only be successful once,” said Mark McLaughlin, Palo Alto Networks President and CEO. “It is impossible to keep up with the threat if the only answer is to clean up after the fact.”
Here’s a look at today’s announcements:
AutoFocus: Actionable Cyber Threat Intelligence Like You’ve Never Seen Before
There’s much more to come as we head into the final day of Ignite. Watch this space and keep track of our social channels for real-time updates and scenes from the session rooms and exhibit halls. We will also continue to add to our official Ignite 2015 Facebook gallery, which you can view here. And if you haven’t had a chance, check out our official contests and get in the game!
Below are more scenes and social discussion from the scene here in Las Vegas, including Mark McLaughlin, Palo Alto Networks founder and CTO Nir Zuk, and Palo Alto Networks CSO Rick Howard, who presented Cybersecurity Canon honors to Brian Krebs, Kim Zetter and Rich Baich.