Day: March 25, 2016

During this exciting time of technological advancements, when there is an app for every facet of our lives, from letting you know the right time to take a bathroom break during a movie to how to build a space shuttle, why am I continually disappointed?  We have become a generation addicted to our apps and having the latest and greatest technologies, but that comes with a steep price. We have to continually ask ourselves with every purchase and click, what is my data and privacy worth if and when it is leaked, breached or stolen?

George Santayana wrote: “Those who cannot remember the past are condemned to repeat it.”  (The Life of Reason, 1905)

With all the massive security breaches that happen daily around the globe, why are we not learning from them and from each other? Why are we not taking the necessary precautionary steps as consumers and manufacturers? Maybe a better term for “Internet of Things” should be “Anyone Can Control my Things?”

Just because it is convenient to connect all your devices doesn’t mean you should.  The price for convenience can cost our privacy, our reputation, our livelihood, and even our lives. To the average user, a connected smart thermostat is just a thermostat. We would never imagine that it could be a fully equipped, connected and functioning computer that is able to influence the physical world. Through these in-home devices, an entry point is established to enter your home, access all of your connected devices, and ultimately your entire digital DNA. Over 70% of these devices are vulnerable to cyber-attacks, due to loopholes and backdoors that were left in the hardware and software and being exploited daily by anyone.

We, the consumers, need to band together to push these security threats back onto the responsibility of the companies that create them.  The best way to do that is by voting with our feet, our wallets and through legislation. We need to demand that companies build in security.  Not just in the beginning with the initial discovery phase when they are researching new products and services, but also carry it out all through the software/hardware development life cycle (SDLC) to include support and maintenance.

What can I do as a consumer?

1. Research before you buy, and vote with your wallets. Read the EULA, security features and the privacy policies. Install patches, software updates and product upgrades when available.
2. Don’t buy the first or beta version of the product. Let someone else test it out and wait for the manufacturer to rev the product.
3. Become active with legislation to help create or change privacy laws for public and private companies to become more accountable for their products and services they bring to the market.
4. Stop connecting everything. Don’t give up security for convenience.
5. Use strong passwords and two factor authentication.

What can I do as an employee/manufacturer?

1. Adopt a security focused approach, build and design security in, create use cases and test cases, write security related requirements through out every iteration. Develop threat models, pen testing and offensive security plans to test potential attacks. Ensure your Business Analysts, Project Managers, QA Engineers, Developers, Architects and Managers are measured on quality and security. Don’t be afraid to speak up if the product does not use proper encryption or privacy controls to secure user data and network services properly.
2. Stop collecting so much user data, provide consumers with more choices to opt-out of data collection.
3. Build in a line item into your budget just for security, and that does not mean buy more hardware and software. Invest in your employees, get them trained, cross trained or certified.
4. Purchase and partner with key manufacturers for the memory, chips, sensors and processors who you trust, don’t pass the buck onto the consumers to pay for your laziness or cheapness.
5. Don’t create backdoors or leave them open. Harden and secure endpoints.
6. Listen to your customers, put quality first. Take the lead on creating a secure product line.
7. Invest in systems that automate the detection of malicious activity so that it can be contained and remediated before data is lost or damage is done. Your network has to be configured to automatically prevent or detect these nefarious behaviors.
8. Secure the data. Most data is unprotected in the cloud; personally identifiable information (PII) is open to anyone who wants it. The protection needs to start from the sensors and go all the way up to where the data is stored to cover data at rest and data in transit. Companies need to have and enforce a strict data retention policy and make sure they maintain a high level of security compliance.

I often get asked by friends and family, whose responsibility is security, isn’t it the companies that make it? The answer is a resounding, “no,” it is ours. It is our data, we own it and we should protect it. We need to become educated and aware of all the risks that come with surrounding ourselves with IoT connected devices. Companies are not good at securing their products or even their own infrastructures. They are starting to see and feel the effects of these poor decisions and security breaches by firing C-level executives or paying out millions in fines for lost consumer data. Security is every human’s responsibility to ensure that they are taking the necessary precautions to protect their own data. Do not rely on companies to do this on your behalf. As long as being first to market (quickly and cheaply) is their main driver, then security will most likely continue to be an afterthought and a reactionary gesture.

There is good news through all these breaches; the knowledge, experience and awareness is already here, we just need to learn from it. Listen and adapt to fit the constraints of IoT devices into our lives properly. Technology will continue to advance at a rapid pace and get better over time, but so will the bad actors.

Change your passwords frequently, install anti-malware, set up firewalls for your home networks, and most of all, never stop learning and educating yourself on security. Take control of your data and your lives, it is your responsibility. – – Wesley Simpson, COO, (ISC)²

[(ISC)² Blog]

Editor’s note: ISACA Now recently sat down with Frank Downs, ISACA’s senior manager cyber/information security, to discuss CyberSecurity Nexus’ (CSX) new CSX Practitioner Boot Camp.

What is CSX Practitioner Boot Camp?
CSX Practitioner Boot Camp is a great opportunity for cybersecurity professionals looking for a more thorough mastery of the hands-on, complex and advanced technical skills they need to protect and defend their enterprises and advance their careers.

The five-day, intensive cybersecurity course will help attendees make significant gains in their training and prepare them for the CSX Practitioner (CSXP) certification exam. It provides an environment to discuss and practice methods implemented by cybersecurity professionals in key areas aligned with global cybersecurity frameworks. The CSXP was recently named Best Professional Certification Program by the 2016 SC Magazine Awards. Becoming CSXP certified is a testament to an individual’s real-life skills and shows employers that he or she has the knowledge and technical ability to walk into an organization and do the job from day one. CSXP Boot Camp is also a great opportunity for organizations that want to develop their cyber workforces.The immersive training will prepare students for five key cybersecurity responsibilities:

• Identify:  Identification, assessment and remediation of threats and vulnerabilities in internal and external frameworks
• Protect:  Implementation of cybersecurity controls to protect a system for identified threats
• Detect:  Detection of network and system incidents, events and compromise indicators and assessment of potential damage
• Respond:  Execution of comprehensive incident response plans and mitigation of cyber incidents
• Recover:  Recovery from incidents and disasters, including post-incident response documentation and implementation of continuity plans

What sets it apart from other cybersecurity training?
What really sets CSXP Boot Camp apart—and what makes it so exciting and innovative—is that it is conducted in an adaptive, live, hands-on cyber lab environment, which enables students to build their critical technical skills by learning complex concepts and applying industry-leading methods. Participants will use the latest open-source tools on actual, real-world scenarios. Attendees receive a complimentary 6-month subscription to the virtual cyber lab environment where they can continue practicing and building technical skills.

Another differentiating factor is the use of PerformanScore^®, a learning and development tool that measures a professional’s ability to perform specific cybersecurity job tasks. PerformanScore recognizes that there are multiple ways to respond to cybersecurity threats, so it measures performance skills across the entire solution set of possibilities. It compares a professional’s actions to grading criteria, and then references those actions against an adaptive scoring rubric in real-time, allowing instructors to give immediate feedback and helping professionals to better learn and understand more efficient cybersecurity techniques.

Why should a cybersecurity professional make the investment in CSXP Boot Camp training?
Eighty-one percent of respondents to ISACA’s 2016 Cybersecurity Snapshot survey said they would be more likely to hire a candidate with a performance-based certification, so obviously a cybersecurity certification is critical to anyone interested in a cybersecurity career. The Boot Camp positions cybersecurity professionals very well for the CSXP certification exam, which is exactly what cybersecurity hiring managers are looking for. Upon completion of the course students will be prepared to serve as workforce-ready cybersecurity professionals.

Who should attend the Boot Camp?
It is for professionals with up to five years of experience in a cybersecurity role and an intermediate technical skill set. If you are interested in registering for CSXP Boot Camp, you should already demonstrate proficiency in the following areas:

• Network scanning
• Specialized port scans
• Network topologies
• Network log analysis
• Centralized monitoring
• Hotfix distribution
• Vulnerability scanning
• Traffic monitoring
• Compromise indicators
• False positive identification
• Packet analysis

When/where does the Boot Camp take place?
The expert-led Boot Camp courses will be offered at five US locations in 2016:

• Chicago, Illinois (4-8 April)
• Washington, D.C. (11-15 April)
• New York, New York (16-20 May)
• Denver, Colorado (13-17 June)
• San Francisco, California (20-24 June)

How Do I Register?
To register for the CSXP Boot Camp, please click here.

Frank Downs, Senior Manager Cyber/Information Security, ISACA

[ISACA Now Blog]