Month: March 2016

Not many organizations are using their often substantial marketing budgets to protect their brands.  Brand protection must include the protection of corporate web sites, as the incidence of watering hole attacks continues to climb thus compromising web sites and leveraging brands against the very constituencies of enterprises.

Last year we saw a 148 percent increase in watering hole attacks, according to a Trend Micro report. They have become more common as the cyber world is inundated with the Big Five exploit kits, including Sweet Orange, Angler, Magnitude, Rig and Nuclear. Here is how ISACA defines watering hole attacks:

The term “watering hole” denotes a technique whereby end users visiting a certain web site are covertly redirected to another web site that will deliver malware to the user IT environment. First identified in 2012 by RSA, a watering hole attack typically requires considerable effort in intelligence gathering and preparation.

Given the amount of preparation required to deploy a successful attack, watering holes are often directed against larger organizations and their end users, with the intent of luring as many users as possible to the watering hole. Their comparatively expensive preparation phase means that watering holes are not normally directed against individuals or the general public.
From ISACA’s Threats and Controls Tool

When a web site is compromised it hurts the brand. No longer is the issue simply about security; it is about brand protection. To protect the brand, work must be done to insulate it from watering hole attacks. That means investing the time and money required before a web site goes live to ensure the brand is protected. This can be a spendy proposition, though it pales in comparison to many marketing department budgets. The cost is substantially lower, however, than the bill to repair a damaged brand and corporate reputation.

Unfortunately, not many companies are allocating marketing dollars toward cybersecurity with the goal of protecting their brands and web sites. What has to happen—at every enterprise—is the chief marketing officer (CMO) needs to have a conversation with the chief information security officer (CISO) about what they both will do to maintain and secure their web site to keep it from becoming a watering hole.

Both need to understand critical details around protecting the web site and the brand. Who owns the web pages? Who owns any WordPress pages? Is a contractor involved in creating or maintaining the pages? Are patches being installed? Are we instituting regular updates? Have we tested for the top OWASP vulnerabilities before the site has gone live? Do we have an incident response plan for when it turns into a watering hole? Will we need to take down part or all of our web site after an attack?

These are important questions that will require contributions from CMOs and CISOs working together to address this potentially catastrophic issue. The CMO brings substantial financial resources, along with in depth knowledge of brand management, the company’s brand and its web pages. The CISO, of course, brings IT and cybersecurity knowledge.

Timely software updates, web application testing, network traffic detection and using big data analytics to correlate well-known advanced persistent threat (APT) activities can help prevent or limit watering hole attacks, but ultimately what needs to happen in organizations around the world is CMOs need to wake up to reality and collaborate with their CISOs.

Note: ISACA Now is running a series of blogs on the 10 threats covered in ISACA’s Cybersecurity Nexus (CSX) Threats & Controls tool. The threats include APT, cybercrime, DDoS, insider threats, malware, mobile malware, ransomware, social engineering, unpatched systems and watering hole. To learn more about the controls for cybercrime, as well as recent examples and references, typical patterns of cybercrime and more, visit the tool here.

Tom Kellermann, CISM, CEO, Strategic Cyber Ventures

[ISACA Now Blog]

Who is winning the cyber war—the criminals and hackers or network and system defenders?  ISACA and RSA Conference wanted to answer this question so we conducted the second annual State of Cybersecurity study, which was released today at the RSA Conference.

The data shows us that the answer is a bit unclear. Cyber attacks are still pervasive. We are still experiencing many of the same attack types that have plagued organizations for years. And it is increasingly difficult to hire fully capable cyber-practitioners and others who are part of the enterprise assurance and risk management network. The good news is that executives and board members are very concerned. They recognize that cyber threats are harming the bottom line and that—if they want to deploy leading-edge technologies and offer new technology-based services and products—they need to ensure that security is designed in and that personal information is protected.

One-third of the 461 cyber and information security specialists who participated in the study reported that their organization was a cyber-victim in 2016. While this is a high number in itself, an additional 20 percent did not know if their organization had been a victim. When asked about the frequency of attacks, the largest number (23 percent) reported experiencing cyber-attacks at least quarterly. The most frequent attacks were phishing, malicious code incidents, physical loss of computing or mobile devices, and hacking. As you might expect, the experience of attacks on a daily, weekly or monthly basis were reported less frequently. An alarming trend is that 54 percent of study participants did not know how frequently they experience cyber-incidents. While 73 percent believed they were able to detect and to respond to incidents, 42 percent felt they could only do so for simple attacks. In an era of increasingly sophisticated and persistent attacks, being able to identify and respond to attacks is imperative.

Board and executive concern and support for cyber activities are increasing. Eighty-two percent of security executives and practitioners participating reported that boards are concerned or very concerned about cybersecurity. This is not surprising given the higher level of awareness about cyber in general and the number of high profile attacks that we have recently seen. Executive support for cyber is essential. We find that executive support for enforcing security policy (66 percent) and providing needed funding (63 percent). The challenge is that less than half of executives follow good security practices themselves (43 percent) or mandate cyber awareness (59 percent). Cyber is not only a technical problem. Many attacks target the weakest link, executives who do not follow good practices, and employees who are security unaware.

Technical solutions to address cyber threats are getting better. We have all witnessed how technology vendors are enhancing current products. New startup companies are bringing very exciting products to the market. These however will not solve the problem alone. More important is the need to address the critical shortage of skilled cyber practitioners. Security executives are finding this difficult. The majority (54 percent) reported that it takes from three to six months to find a candidate. Less than half of these candidates (59 percent) are fully qualified on hire. Slightly more than 60 percent lack the required technical skills. Three quarters do not have the necessary understanding of the business to be effective. Slightly more than 60 percent do not have needed communication skills. Security will never be effective if new practitioners don’t have a strong technical understanding, the ability to address cyber-risks in business language, and if they cannot clearly and concisely communicate security issues.

While technology will help us meet cyber-challenges, it is also creating new opportunities for compromise. Cyber specialists are concerned about the rapid development of artificial intelligence products as well as the Internet of Things (IoT). We have all seen reports of advanced technologies, including medical devices and self-driving cars being hacked. More than half of those participating in the study are concerned or very concerned about the risk associated with the IoT. Forty-two percent believe that cyber risk associated with artificial intelligence will increase in the short term and 62 percent believe that risk will increase in the long term.

So, are we winning the cyber war? Not yet. We win some battles, but we are still plagued by attack types that have been long standing problems. We may not always be aware that we are being attacked, so we are too often late in responding. We are building our capabilities by deploying good technologies, but we don’t have sufficient skilled staff to bring to the battle. We still have too many leaders who say they support cybersecurity but do not consistently follow best practices or encourage cyber awareness in the enterprise.

To further complicate things, advanced technologies are expected to gain wide acceptance when we are still unsure about the risk they represent. The good news is that the challenges we are experiencing can be solved. We see increased attention to cyber by governments, research institutes and enterprise decision makers. Public awareness is increasing. Programs are being offered to solve the skill shortage. With skills-based training and performance-based testing, we are building the front line defenders and responders capable of engineering strong defenses and aggressive response plans.

Note: For the full survey report and related graphic, visit www.isaca.org/state-of-cybersecurity-2016. Hale will present a webinar on the study results and their implications on 8 March. Registration is open here.

[ISACA Now Blog]

The current stand-off between Apple and the FBI highlights a growing problem: How do we balance privacy rights with the current patchwork of legislation that has failed to keep pace with the technological advances changing business and society?

For anyone following current events, the ongoing debate displays the need for comprehensive legislation.  Will Apple continue to defy the court order and, in essence, prevent the government from gaining information from a corporate owned device used by a dead terrorist? Is the government prepared to set a precedent and force Apple and other companies to knowingly provide code to make it easier for both US and foreign governments to gain access to corporate or personal data?  The answers to these questions are vitally important to the future of encryption.  As a U.S. citizen, I respect the loss of life and the need to hold those responsible for such horrific acts.  However, as general counsel for an international company, the implications of punching holes in encryption, even to help law enforcement, would be precedent setting.

Now more than ever, consumers are concerned with how their information may be used and collected.  Smartphones carry more information about a person’s life than ever before.  It may contain private conversations, financial accounts, credit cards, health data and even the location of your friends and family.  Smartphones have made it easy to access information quickly and consumers want to ensure that this information is properly protected from unwanted eyes.

Consumers need to have trust in the public and private sectors.  The private sector recognized this need and in response created an ecosystem where individuals hold the key to their data.  This helped reestablish trust that businesses were not collecting and gathering information without their knowledge.   However, governments have been slow to modernize legislation, and now face the question on how to gather information from these encrypted devices when it satisfies certain legal requirements.

We cannot fall back to a time without encryption.  Recent data breaches demonstrate the need to secure information.  Encryption helps businesses secure their data on-site or in the cloud, and it protects the public utility infrastructure we use every day.  Private and public sector entities need the technology to protect data against bad actors.

As technology advances, there will be increased public discussion around privacy, encryption and the state’s right to access information.  Both the public and private sector need to further this dialogue to find a middle ground that provides everyone the necessary protection and ability to gather information when needed.  Without this agreement, and proper legislation, the questions being debated will only become more complex.

As a leader in certifying cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes comprehensive legislation is needed to help educate and certify the next generation of security professionals.  This is a real opportunity to learn, and build laws and regulations for the future.  We call on legislators to work with industry, professional bodies, interested parties and law enforcement to define these processes and frameworks so that no organization, individual or law enforcement agency has to repeat this in the future. — Graham Jackson, (ISC)² General Counsel

[(ISC)² Blog]