Penetration Testing Part of an Effective Cyber Defense

With countless organizations falling victim to cyber breaches, it seems that security groups are often unprepared to defend against attacks. Being prepared means understanding which types of attacks to expect and being able to detect and withstand an attack.

Many organizations have implemented cyber controls, but they lack evidence that their controls work. Implementing controls does not assure that network or security operations can detect malicious attempts as they are launched, or that the controls can effectively block those attempts. Penetration testing, or pen testing, is an effective way to determine whether cyberattacks can be detected, malicious activities stopped and response activities initiated as soon as possible.

Pen Testing is Offensive
Pen testers mimic cyber attackers in a controlled manner, using commonly available tools to gain information about networks, systems and applications. The tools provide a launching pad to circumvent controls or exploit vulnerabilities. The objective of pen testing—whether technical or social engineering—is to demonstrate that systems can be compromised and sensitive, confidential resources are at risk. While it provides information on the effectiveness of cyber defenses, pen testing is offensive.

Pen testing should be part of every cyber defense program because it demonstrates that system defenses can be defeated. It shows what effort is required to complete an attack, the attacker’s level of sophistication, the complexity of methods needed and the time required. Pen testing helps enterprises understand if security or network operations personnel are able to detect attacks and the level of noise required before an attack is evident.

These tests provide teachable moments when reviewing the techniques used in a simulated attack. System administrators who believe their protection mechanisms cannot be breached are often surprised when the mechanics of an attack are laid out to show how intruders moved from system to system, exploiting permissions on each hop, until they essentially owned the network.

Snapshots of Defenses
Pen testing, however, does not address the full range of activities required for an effective cyber defense. It provides useful, but limited, insights and should be considered within the context of a holistic approach to cyber defense. Like any testing, pen tests are snapshots of defenses that are limited by the tester’s capability, tools, methods and time. An ineffective attack method today may be more effective on another system or at another time. Effective defenses today may be ineffective tomorrow because of administrative errors or other factors.

Unlike attackers, pen testers work within the confines of an agreed-to scope, client budget, laws and ethics. Persistent, advanced attacks by nation-states, organized criminal bands and hacktivists don’t have those limitations. Effective cybersecurity programs must be able to identify the environment being protected, protect assets, detect anomalies and threatening events, respond to incidents as soon as possible, and finally recover.

Essential to Cyber Security
Pen testing—while still an essential part of an effective cybersecurity program—identifies the environment from a technical perspective only within the scope of the examination. It tests the ability to protect a system but does not determine the root causes of security failures. Operations and system administrators may learn from the tests what should have been detected, but this is not often part of the scope.

It also does not address cyber incident response or recovery. Attackers have the time and opportunity to plan and launch multi-element attacks, and they only have to find one method that works. Cyber defenders must be prepared for all attacks, all the time, and have 100 percent effective detection and deterrence mechanisms.

The NIST Cybersecurity Framework, however, does offer a holistic protection program that includes identification, protection, detection, response and recovery. As part of creating a cyber program, CISOs need to ensure those who build, deploy and manage technical infrastructure have the knowledge and tools to be part of this holistic, effective defense solution.

If there are sufficient resources, pen testers can be part of the security staff providing ongoing assurance of technical controls. Where resources are more limited, pen testing can still be part of an ongoing cyber-assurance program. All organizations should recognize that while pen testing has value, they must embrace the more holistic model of defense. This provides the stable, attack-resistant infrastructures the digital age demands.

Hale will present Blockchain: Ensuring Confidence in Digital Transactions at the EuroCACS Conference 30 May-1 June 2016 in Dublin.

Ron Hale Ph.D., CISM, ISACA, Chief Knowledge Officer

[ISACA Now Blog]

WIRED Editor David Rowan Predicts Future of Audit, Governance, Risk Management

ISACA Now recently interviewed David Rowan, editor of WIRED magazine and keynote speaker at EuroCACS 2016. He discussed the future of audit, governance and risk management, as well as what can be done to stop cybercriminals once and for all.

ISACA Now: What are some of the changes/innovations audit, governance and risk management professionals should expect in the next 5-10 years?
Rowan: We are in a networked world of ever increasing transparency, as well as increasing vulnerability to data breaches. Starting with transparency, the recent breaches of client confidentiality over Panamanian accounts, and the Snowden disclosures before that, are a stark reminder that every professional’s decisions could tomorrow be scrutinized on the front page of the New York Times. If you’re an auditor or a risk management professional, are you comfortable with your advice, your private emails, your entire work life being exposed to the twittersphere? I hope so. At the same time, we’ll find foreign states and criminal gangs investing ever greater efforts in breaching supposedly secure corporate networks to transfer funds or steal proprietary data. How well defended are you against these real and growing risks? Is your CEO taking personal responsibility?

ISACA Now: Will the technology of cybersecurity ever catch up to or surpass the technology used by cybercriminals?
Rowan: The single biggest worry I have today is our growing reliance on networked connections to keep our economy moving—the satellites empowering communications, the servers running our utilities, the corporate decisions being made on supposedly safe internal networks. The bad guys are terrific innovators; they understand psychology as well as technology, so whether they’re spoofing the GPS signal of a satellite to put it out of orbit or hijacking your home computer with ransomware, they’re delivering nicely rising profits at our expense. I’m not sure we’ve seen the political will or the corporate education to confront these criminals with well-resourced defense systems that can scale and can keep up with the bad guys’ rate of innovation. They, after all, have a great incentive: you used to rob a bank because that was where the money was; today the money is all over the network.

ISACA Now: You’ve interviewed many global influencers over the years. What key characteristics have allowed them to be so influential? Any examples?
Rowan: When it comes to entrepreneurs who really build something huge—the Facebooks, the WhatsApps, the Kickstarters—there tend to be a few common characteristics in many cases. Often they are motivated to solve a big problem, something that really makes a difference and not simply make money. That motivation keeps them going through the tough bits. They’re often very resilient personalities who don’t take it personally when things go wrong, so they can get up and push past the problem. They’re often outsiders in some way who don’t see the rules other people rely on: maybe they had dyslexia at school, or were immigrants who didn’t easily fit in, or were misfits in some other way. They have tremendous self-belief, which lets them motivate their teams as well as attract investors and the media. And often I’ve found they had difficult relationships with their father—I can’t prove this scientifically, but perhaps it’s something that leads them to be driven beyond reason to prove themselves…

ISACA Now: You will be speaking at the EuroCACS conference 30 May-1 June 2016 in Dublin. Give us a brief preview of what you’ll discuss and what attendees will take away.
Rowan: My life is spent travelling to meet the start-ups transforming industries and the investors betting big on them, as well as the research labs designing the way we will interact in the future with technology. So I’ll translate what I’m seeing in real fast-growth businesses to how it will impact successful existing businesses in the next five years—and how consumer behavior is being transformed by everything from mobile screens to virtual-reality headsets. The bottom line is the world will never move this slowly again, as exponential technologies create massive new opportunities to build businesses that could never have existed a couple of years ago. So there’s a risk that delegates will go back to the office with a rather big to-do list of urgent things they need to do to become as innovative as the start-ups…

David Rowan, Editor, WIRED

[ISACA Now Blog]

Five Endpoint Backup Features That Help Drive Adoption

If you’re among the 28 percent of enterprises that still haven’t implemented a planned endpoint backup system, here are 5 key attributes to look for in a system, to help drive adoption and success. These recommendations are courtesy of Laura DuBois, program vice president at IDC, a global market intelligence provider with 1,500 highly mobile, knowledge-driven employees:

1. Supports Productivity
Look for a lightweight system that doesn’t put a drag on memory, so employees can access data and collaborate quickly. If the system slows people down, they won’t use it.

2. Increases Security
While some people think of endpoint backup primarily for disaster recovery, you should think of it as a data loss prevention tool, too. A good endpoint backup system offers a multi-layered security model that includes transmission security, account security, password security, encryption security (both in transit and at rest) and secure messaging.

3. Offers Intuitive Self-Service
Employees don’t want to wait for IT to recapture lost data. Having an easy-to-use, self-service interface allows employees to locate and retrieve their own data. Not only does this help increase adoption, it also cuts down on calls to the IT Help Desk to save administrative time and money. A survey of Code42 customers found that 36 percent had fewer restore support tickets after installing the CrashPlan endpoint backup system, and 49 percent reduced IT hours spent on data restores.

In fact, for CISOs looking to make the case for an endpoint backup system, DuBois suggests compiling Help Desk volume data and the productivity associated with it.

4. Supports Heterogeneity
DuBois’ research showed that the average corporate employee uses 2.5 devices for work, some company issued and some not. Your endpoint backup system has to accommodate today’s diversity in devices, platforms and network connectivity.

5. Handles the Added Traffic
Some endpoint backup systems can get bogged down when there are many users and not enough network bandwidth. Look for a system that backs up almost continuously, so the processing is spread out rather than taxing the system all at once and slowing it down.

To learn more, see DuBois’ webinar, “5 Expert Tips to Drive User Adoption in Endpoint Backup Deployments.”

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Research News]

Next-Gen Drive: Rob Megennis Roars Back at the Grand Prix of Alabama!

Robert Megennis is a 16-year-old racing prodigy. Palo Alto Networks is proud to be an ongoing sponsor of Rob’s races for the 2016 Mazda Road to Indy racing season. We’ll be checking in to chronicle his adventures as a true next-generation competitor!

Rob’s road to the Indy 500 continues, including his recent stop at the Grand Prix of Alabama.

Rob came from 10th on the grid to the podium, and his pass for third place was called the “overtake of the weekend.” Rob is the highest placed rookie in the championship standings and the only American in the top ten.

If you’re in the Indianapolis area, be sure to plan for the Grand Prix of Indianapolis, held May 12-14, 2016!


[Palo Alto Networks Research Center]

The Benefits of Effective SIEM Policy Development

There is an imbalance between the technical issues and the process aspects of security information and event management (SIEM). This gap is the root cause of much of the skepticism about, and disappointment in, SIEM.

Be aware that before implementing SIEM, it is necessary to establish the basis of the information security management system (ISMS), which includes considering the global management commitment, asset inventory and categorization, and risk assessment.

The SIEM process consists of the following five-step cycle:

  • SIEM policy establishment
  • SIEM infrastructure provision
  • Event treatment
  • Checking
  • Correction

This SIEM approach is based on the plan-do-check-act (PDCA) cycle. Consider the first step, “SIEM Policy Establishment.” Upper management should demonstrate a commitment to the ISMS, including SIEM, by ensuring the SIEM policy is established and is compatible with the business direction, context and risk approach. Usually, the chief information security officer (CISO) prepares this internal policy and obtains the approval of all stakeholders. This policy should be mapped to existing internal policies, for example by defining detailed event lists in the standards and baselines for servers and network devices.

The SIEM policy should contain these basic components:

  • Purpose of the policy
  • Scope of the SIEM infrastructure
  • Responsibilities of involved individuals
  • Compliance

SIEM has become the core of an ISMS and of security operations centers (SOCs), but it is unwise to rely on just the technical aspects of SIEM. The SIEM policy is essential for ensuring effective SIEM within an ISMS. The time spent on SIEM policy development is worthwhile; it will save effort in the later steps.

Read Aleksandr Kuznetcov’s recent Journal article:
“Security Information and Event Management Policy,” ISACA Journal, volume 3, 2016.

Aleksandr Kuznetcov, CISM

[ISACA Journal Author Blog]
