The Necessity of SoD

Segregation of duties (SoD) has long been a source of guidance for audit and accounting systems; nevertheless, many of the IT security controls imposed by recent trends and regulations can be viewed through its lens.

Privacy by design and privacy by default, for example, as required by the new EU General Data Protection Regulation (GDPR) recently approved by the European Parliament, require that duties are well separated and roles are well defined from the beginning.

Privacy by design must be introduced in the design of processes and in the design of systems and tools. For example, a client recently asked for a solution that would let service desk personnel reset user passwords without learning the user’s new password and without resorting to self-service password reset. This requires not only a supporting tool but also a sound access management process in which SoD is the central issue: the person who triggers the reset must never be in a position to use the resulting credential.
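As an added illustration of the reset flow just described (example code, not the client’s tool or any product), the Python class below lets a helpdesk operator open a reset ticket while the one-time token travels only to the user, through a delivery callback that stands in for an out-of-band channel such as a registered phone number. The operator’s console view never contains the token, an operator cannot open a ticket for their own account, and every step is written to an audit list. All names, the in-memory stores and the delivery callback are assumptions.

```python
"""Helpdesk-initiated password reset in which the operator never sees the secret.

Added example, not the tool the post refers to. Names, the in-memory stores and
the delivery callback are assumptions standing in for a directory service and
an out-of-band channel (SMS, registered e-mail, ...).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable

TOKEN_TTL_SECONDS = 15 * 60   # one-time reset token lifetime
PBKDF2_ROUNDS = 200_000       # for the user's new password, not for the token


def _sha256(value: str) -> str:
    # Reset tokens are 192-bit random strings, so a plain hash is enough to
    # keep them out of the ticket store; the operator only ever sees the hash.
    return hashlib.sha256(value.encode()).hexdigest()


def _pbkdf2(password: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), PBKDF2_ROUNDS).hex()


@dataclass
class ResetTicket:
    ticket_id: str
    user: str
    requested_by: str
    token_hash: str
    expires_at: float
    used: bool = False


class ResetService:
    def __init__(self, deliver: Callable[[str, str], None], helpdesk: set[str]):
        self._deliver = deliver        # sends the token to the USER, never to the operator
        self._helpdesk = helpdesk      # role membership: who may open reset tickets
        self._passwords: dict[str, tuple[str, str]] = {}   # user -> (salt, pbkdf2 hash)
        self._tickets: dict[str, ResetTicket] = {}
        self.audit: list[tuple] = []

    def request_reset(self, operator: str, user: str) -> str:
        """Operator opens a ticket; the only thing returned to them is the ticket id."""
        if operator not in self._helpdesk:
            raise PermissionError("only helpdesk staff may open reset tickets")
        if operator == user:
            # SoD: the requester of a reset must not be its beneficiary
            raise PermissionError("operators may not reset their own account")
        token = secrets.token_urlsafe(24)
        ticket_id = secrets.token_hex(4)
        self._tickets[ticket_id] = ResetTicket(
            ticket_id, user, operator, _sha256(token), time.time() + TOKEN_TTL_SECONDS)
        self.audit.append(("reset_requested", operator, user, ticket_id))
        self._deliver(user, token)     # the plaintext token leaves only through this call
        return ticket_id

    def complete_reset(self, ticket_id: str, token: str, new_password: str) -> bool:
        """The user redeems the token and chooses a password nobody else has seen."""
        t = self._tickets.get(ticket_id)
        if t is None or t.used or time.time() > t.expires_at:
            return False
        if not hmac.compare_digest(_sha256(token), t.token_hash):
            self.audit.append(("reset_token_mismatch", t.user, ticket_id))
            return False
        t.used = True                  # one-time: a replayed token is rejected
        salt = secrets.token_hex(8)
        self._passwords[t.user] = (salt, _pbkdf2(new_password, salt))
        self.audit.append(("reset_completed", t.user, ticket_id))
        return True

    def verify_password(self, user: str, password: str) -> bool:
        rec = self._passwords.get(user)
        return rec is not None and hmac.compare_digest(_pbkdf2(password, rec[0]), rec[1])

    def operator_view(self, ticket_id: str) -> dict:
        """What the service desk console shows: status and accountability, never the token."""
        t = self._tickets[ticket_id]
        return {"ticket": t.ticket_id, "user": t.user,
                "requested_by": t.requested_by, "used": t.used}


if __name__ == "__main__":
    inbox = {}   # stands in for the user's phone / mailbox
    svc = ResetService(deliver=lambda user, token: inbox.__setitem__(user, token),
                       helpdesk={"helpdesk.ann"})
    ticket = svc.request_reset("helpdesk.ann", "alice")
    print("operator sees:", svc.operator_view(ticket))
    print("user completes:", svc.complete_reset(ticket, inbox["alice"], "correct horse battery"))
    print("audit:", svc.audit)
```

The separation is enforced in three places: the role check on who may open a ticket, the rule that requester and beneficiary differ, and the fact that the ticket store holds only a hash of the token, so even a database read by the operator yields nothing usable.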

On the market side, the boundary between development and operations functions blurs with the widespread adoption of movements such as Development and Operations (DevOps), but SoD must still be achieved. It can be obtained by differentiating duties along other lines, for example by assigning responsibility for the different environments (development, test, production) to different people.

Enforcing controls by means of the appropriate tools is an important issue, and it may lead to higher levels of segregation. For example, for a long time the common practice has been to use (masked) data from the production databases in the test environment; now, some tools are available that synthesize artificial test data for use in the test environments. Such tools offer better coverage, enhanced privacy and effective segregation between environments. This keeps test data and production data separate, and keeps the responsibilities of the test and operations teams separate as well. In this case, segregation encompasses data in addition to duties.

New technologies, new regulations (e.g., the EU’s data protection regulation, the ISO/IEC 25000 family of standards on data quality) and new trends such as DevOps introduce new requirements and new risks.

SoD can be used within a consistent risk assessment framework, e.g., COBIT® 5 for Risk, both as a security control and as a magnifying lens that can help spot IT risk.

Read Stefano Ferroni’s recent Journal article:
“Implementing Segregation of Duties,” ISACA Journal, volume 3, 2016.

Stefano Ferroni, CISM, ISO 27001 LA, ITIL Expert

[ISACA Journal Author Blog]

Malware: A Complex Threat Calls for Complex Controls

Malware can be challenging to remediate because it comes in an endless number of varieties and spans a wide range of threats, from low-end scareware through mid-level ransomware to high-level advanced volatile threats (AVTs) and advanced persistent threats (APTs).

Ransomware made the news recently and has become a concern. This sort of infection often starts on a single user’s machine and then spreads to every drive that user has access to. Once a machine is infected, ransomware can end up encrypting, and thereby overwriting, very important files, especially if the user has write access to a company shared drive; least-privilege permissions on shares and offline backups limit the damage.

For retail organizations, point of sale malware has also been very common in recent years. We have seen breaches at many major retailers and will likely continue to see them in the future. This sort of malware scrapes the memory of the point of sale systems looking for data that matches the pattern of credit card numbers. The credit card data is then extracted from these systems and sold or used in fraud.
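The memory-scraping step described above is, on the defensive side, the same test a forensic analyst runs over a memory dump of a point of sale process to confirm whether cardholder data was exposed. The Python below is an added example, not code from this post or from any POS malware: it finds 13- to 19-digit runs in a raw buffer, drops the ones that fail the Luhn checksum or are obvious filler, notes whether the number sits in track 1 or track 2 layout, and reports only a masked PAN. The buffer is constructed; the card numbers in it are the public test numbers.

```python
"""Find payment-card numbers in a raw memory buffer.

Added example, not code from the post or from any named malware: the same
pattern-plus-Luhn test a memory scraper relies on, written for the defensive
case (checking a memory dump for cardholder data that should not be there).
SAMPLE_DUMP is constructed; the card numbers in it are public test numbers.
"""
import re

# A PAN is 13-19 digits; the look-arounds stop a longer digit run from
# yielding several overlapping "cards".
PAN_RE = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")

# Magnetic-stripe context: track 1 puts a '^' after the PAN, track 2 a '='.
TRACK_MARKERS = {b"^": "track1", b"=": "track2"}


def luhn_ok(digits: str) -> bool:
    """Luhn check: from the right, double every second digit, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_pan(digits: str) -> bool:
    # Luhn alone passes "0000000000000000" and similar filler, so reject runs
    # made of a single repeated digit before consulting the checksum.
    return len(set(digits)) > 1 and luhn_ok(digits)


def mask(pan: str) -> str:
    """First six and last four digits are all an alert should ever carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return masked PAN hits with their offset and stripe context."""
    hits = []
    for m in PAN_RE.finditer(buf):
        digits = m.group().decode("ascii")
        if not plausible_pan(digits):
            continue
        following = buf[m.end():m.end() + 1]
        hits.append({
            "offset": m.start(),
            "pan": mask(digits),
            "context": TRACK_MARKERS.get(following, "pan"),
        })
    return hits


# Constructed buffer: two real-looking stripe records among digit runs that
# look like card numbers but are not.
SAMPLE_DUMP = (
    b"\x00\x00ts=1464307200000\x00"                 # epoch milliseconds, fails Luhn
    b"order#1234567890123456\x00"                   # 16 digits, fails Luhn
    b"%B4111111111111111^DOE/JOHN^2412101?\x00"      # track 1 with a Visa test PAN
    b";5555555555554444=2412101?\x00"               # track 2 with a Mastercard test PAN
    b"balance=0000000000000000\x00"                 # Luhn-valid filler, rejected
)


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_DUMP):
        print("offset %(offset)d %(context)s %(pan)s" % hit)
```

Two hits come back, at offsets 44 and 80, while the timestamp, the order number and the zero-filled balance are ignored. On a real dump the scan is the easy part; the important result is which process image the hit came from, since a PAN that is legitimately in the payment application’s memory for the duration of an authorization is a different finding from one sitting in a process that should never handle card data.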

Sophisticated APT attacks are conducted by stealthy, well-resourced, well-researched, dogged adversaries intent on gaining a foothold into an organization’s IT infrastructure.

AVTs More Potent Than APTs
Then there are AVTs, which are malware that are never written to disk. Very sophisticated attackers exploit a process or service, carry out their malicious actions in the memory space of the exploited process, and then delete themselves, leaving no forensic evidence on the hard disk. AVTs do not have to reach the victim’s hard drive to deliver their payload. Traditional antivirus solutions depend on the presence of a file on the hard drive to scan, so the absence of any file makes AVT attacks harder to detect and, in that sense, more potent than the related APTs.

Malware is a business, though, and most malware authors would rather stay on your computer for an extended period of time. This means that malicious programs generally save a copy of themselves to disk so that they start running again when the computer is rebooted. There is, however, an interesting category of AVT called memory-only malware, which resides solely in memory and thereby evades the aforementioned traditional antivirus products, which scan files on disk.

Creative methods have been found to achieve persistence (restarting after reboot) in memory-only malware. The best-known member of the memory-only family was Poweliks. This malware stored itself in the Windows registry, together with a small amount of code that re-read and executed that registry entry at each reboot. Other pieces of malware, such as Linux/Cdorked, featured a modified Apache binary but kept most of their code in shared memory. Since most of its logic lived solely in memory, Cdorked was a challenge to analyze.
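The registry-resident persistence just described is easiest to catch at the autorun keys themselves. The Python script below is an added example, not code from this post or from any of the malware families it names: it parses a Windows registry export (.reg) of the Run and RunOnce keys, the form in which such entries are usually collected from a host, and flags values that start a script host or carry an inline payload instead of pointing at a program file. The key list, the launcher heuristics and the sample export are my assumptions; a real export would come from `reg export` on the host under investigation.

```python
"""Triage autorun registry values for script-host launchers and inline payloads.

Added example, not code from the post or from any named malware family. It
reads the text of a .reg export of the Run/RunOnce keys and flags values that
run code without a program file of their own on disk. SAMPLE_REG is constructed.
"""
import re

AUTORUN_KEYS = tuple(k.lower() for k in (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
))

# launcher -> extra condition the value must also satisfy (None = launcher alone is enough)
LAUNCHERS = {
    "mshta": None,
    "wscript": None,
    "cscript": None,
    "rundll32": re.compile(r"\b(javascript|vbscript):", re.I),
    "regsvr32": re.compile(r"/i:\s*https?://", re.I),
    "powershell": re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.I),
}
LAUNCHER_RE = {name: re.compile(r"\b%s(\.exe)?\b" % name, re.I) for name in LAUNCHERS}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> list:
    """Return (key, value name, value data) for every value under an autorun key."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        if key is None or not key.lower().endswith(AUTORUN_KEYS):
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name = "(Default)" if vm.group(1) == "@" else _unescape(vm.group(1)[1:-1])
        data = vm.group(2)
        if data.startswith('"') and data.endswith('"'):
            entries.append((key, name, _unescape(data[1:-1])))
        else:
            # hex(2): / hex(7): / hex: values carry UTF-16 or binary; mark rather than guess
            entries.append((key, name, "<non-string value: %s>" % data[:12]))
    return entries


def triage(entries: list) -> list:
    """Attach a reason to every autorun value worth a closer look."""
    findings = []
    for key, name, data in entries:
        reasons = []
        for launcher, extra in LAUNCHERS.items():
            if LAUNCHER_RE[launcher].search(data) and (extra is None or extra.search(data)):
                reasons.append("launches " + launcher)
        if len(data) > 512:
            reasons.append("oversized value (%d chars): payload kept in the registry" % len(data))
        if name == "" or not name.isprintable():
            reasons.append("empty or unprintable value name")
        if data.startswith("<non-string"):
            reasons.append("non-string value: decode the hex and inspect")
        if reasons:
            findings.append({"key": key, "name": name, "reasons": reasons})
    return findings


# Constructed export: two benign entries and four that deserve a look.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    r'"Updater"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(1)"',
    r'"Sync"="powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="',
    '"\u0001"="mshta.exe javascript:close()"',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]",
    r'"ShellState"=hex:24,00,00,00',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"',
    r'"Loader"=hex(2):72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,00,00',
])


if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE_REG)):
        print("%s\\%r: %s" % (f["key"], f["name"], "; ".join(f["reasons"])))
```

The heuristics are deliberately narrow (a script host, an encoded PowerShell command, a scriptlet fetched over HTTP, a value name that cannot be displayed, a value that is not a plain string) so that a clean machine produces no output; anything flagged still needs a human to look at the value and at what the referenced launcher actually executes.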

Controlling Malware Threats
A defense-in-depth security policy is your best defense: protected network and endpoints, proper access controls and network segmentation. With all of that in place, one major aspect that is often overlooked is user education. Skeptical users can save organizations a lot of money. This covers everything from browsing habits and being wary of advertisements all the way to suspicion of unexpected emails and phone calls. We have seen many phishing and social engineering attacks that impersonate executives and trick employees into revealing banking details or transferring money to a fraudster. A well-educated user will think twice before clicking a link in an email or giving away information on a phone call.

Evolution of Threats and Controls
Organizations are plugging more and more devices in and hooking them up to the Internet. From security systems to ovens, everything is “smart” and connected now. This interconnectedness brings complexity and risk. One improperly configured device or incorrect line of code can have disastrous effects. It would not be the end of the world if someone exploited your refrigerator and mined Bitcoins on it, but when organizations start hooking up medical devices and vehicles to the Internet, careful consideration needs to be given to the implications of doing so. Organizations need to ensure that the systems being built are secure.

Note:  ISACA Now is running a series of blogs on the 10 threats covered in ISACA’s Cybersecurity Nexus (CSX) Threats & Controls tool. The threats include APT, cybercrime, DDoS, insider threats, malware, mobile malware, ransomware, social engineering, unpatched systems and watering hole. To learn more about the controls for cybercrime, as well as recent examples and references, typical patterns of cybercrime and more, visit the tool here.

Douglas Goddard, Analyst, Independent Security Evaluators

[ISACA Now Blog]

Which Security Topics Are AWS Users Most Interested In?

We hope this blog provides an insightful dive into topics like cloud computing, managed services, products, and ways to improve your business strategy. Of course, our partners have great things to say, as well. One of those partners is AWS, and they’ve been kind enough to highlight the most popular security posts on their blog from the past year. There is some great info here; below is our take on just a few of these posts.

Privacy and Data Security
Security has always been a concern for the enterprise. Initially, it was a major barrier to entry for migrating to the cloud, but over the past few years, a greater number of businesses have realized that, like us, AWS takes security very seriously. This post talks about some of the best practices of the company.

Perhaps the biggest is protecting the privacy of its customers. AWS doesn’t disclose customer information unless required to do so to comply with a legally valid and binding order, and if it does have to disclose information, it notifies customers beforehand where it is permitted to. AWS also offers strong encryption as one of many standard security features, and gives organizations the option of managing their own encryption keys. That is one of the driving forces behind our Datapipe Access Control Model for AWS (DACMA) offering: you hang on to the keys to your system and keep complete control of your virtual infrastructure and your data. What’s more, DACMA requires two-factor authentication, and all system access and activity is tied back to unique user names without the hassle of managing an exhaustive list of AWS users. This added layer of security and accountability helps your business stay protected and meet compliance requirements.

Receiving Alerts
It’s never a bad idea to have an extra layer of security within your infrastructure. As an AWS administrator, you can be notified of any security configuration change. Changes are to be expected, but you can make sure that no change to your AWS Identity and Access Management (IAM) configuration is made without you being made aware of it, so that anything out of the norm gets investigated.

This post from AWS goes into detail on the steps you can take to keep track of what is going on within your AWS environment: using CloudWatch Logs filter patterns over your CloudTrail events, monitoring changes to IAM, and turning matches into metrics and alarms, all of which are necessary to ensure nothing gets by your watchful eye. Once everything is set up, the alarm publishes to an Amazon SNS topic, which can deliver the alert by email. The original post includes a diagram of this flow.
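To make the filter-pattern step concrete, here is an added Python example (not the AWS post’s own code). It assumes CloudTrail already delivers to a CloudWatch Logs group and that an SNS topic exists for notifications; the event-name list is the one the CIS AWS Foundations benchmark uses for its IAM policy change alarm, extended here with a few user and credential lifecycle calls. The same predicate is also written as a plain Python function so the list can be checked against sample CloudTrail records before anything is deployed; `SAMPLE_EVENTS` are constructed, and `deploy()` needs boto3 and AWS credentials.

```python
"""CloudWatch Logs metric filter and alarm for IAM configuration changes.

Added example, not the AWS post's code. Assumes CloudTrail -> CloudWatch Logs
delivery is already in place and an SNS topic exists. Event names follow the
CIS AWS Foundations benchmark's IAM policy change filter, plus a few additions
(marked below). SAMPLE_EVENTS are constructed CloudTrail records.
"""

IAM_CHANGE_EVENTS = (
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
    # additions beyond the CIS list: account and credential lifecycle (assumption)
    "CreateUser", "DeleteUser", "CreateAccessKey", "CreateLoginProfile",
    "UpdateAssumeRolePolicy", "AddUserToGroup",
)
FILTER_NAME = "IAMConfigurationChanges"
METRIC_NS = "CloudTrailMetrics"
METRIC_NAME = "IAMChangeCount"
ALARM_NAME = "IAMConfigurationChanges"


def filter_pattern() -> str:
    """CloudWatch Logs JSON filter pattern: one OR-ed clause per event name."""
    clauses = " || ".join('($.eventName = "%s")' % name for name in IAM_CHANGE_EVENTS)
    return "{ %s }" % clauses


def is_iam_change(event: dict) -> bool:
    """The same predicate evaluated locally, for checking records before deployment."""
    return event.get("eventName") in IAM_CHANGE_EVENTS


def describe(event: dict) -> str:
    """The one line worth putting in the alert: who did what, to what, from where."""
    who = event.get("userIdentity", {}).get("arn", "?")
    params = event.get("requestParameters") or {}
    subject = params.get("userName") or params.get("roleName") or params.get("policyArn") or "-"
    return "%s %s %s from %s" % (who, event.get("eventName"), subject,
                                 event.get("sourceIPAddress", "?"))


def deploy(log_group: str, topic_arn: str, region: str = "us-east-1") -> None:
    """Create the metric filter and the alarm that notifies the SNS topic.

    Requires boto3 and AWS credentials; not exercised offline.
    """
    import boto3  # local import: everything above works without AWS access

    logs = boto3.client("logs", region_name=region)
    logs.put_metric_filter(
        logGroupName=log_group,
        filterName=FILTER_NAME,
        filterPattern=filter_pattern(),
        metricTransformations=[{"metricName": METRIC_NAME,
                                "metricNamespace": METRIC_NS,
                                "metricValue": "1"}],
    )
    cloudwatch = boto3.client("cloudwatch", region_name=region)
    cloudwatch.put_metric_alarm(
        AlarmName=ALARM_NAME,
        MetricName=METRIC_NAME,
        Namespace=METRIC_NS,
        Statistic="Sum",
        Period=300,                 # five-minute window
        EvaluationPeriods=1,
        Threshold=1,                # a single matching event is enough
        ComparisonOperator="GreaterThanOrEqualToThreshold",
        TreatMissingData="notBreaching",
        AlarmActions=[topic_arn],
    )


# Constructed CloudTrail records: one change, one read-only call.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jdoe"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "svc-deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/auditor"},
     "sourceIPAddress": "203.0.113.8"},
]


if __name__ == "__main__":
    print(filter_pattern())
    for ev in SAMPLE_EVENTS:
        if is_iam_change(ev):
            print("ALERT:", describe(ev))
```

Two practical notes: the pattern matches on event name only, as the CIS filter does, so a consumer of the alert (for example a Lambda function subscribed to the topic) should confirm `eventSource` is `iam.amazonaws.com` before paging anyone, and the `Threshold=1` over a five-minute window means a batch of changes made by an automated deployment produces one alarm transition rather than one per call; if you want a count per change, subscribe the Logs group to a Lambda function instead of relying on the alarm alone.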


PCI Compliance in the AWS Cloud
Payment Card Industry (PCI) compliance is important for just about any business that handles card data. However, one of the more complex aspects of cloud hosting is deciding which party is responsible for each PCI requirement. The PCI Compliance workbook provides a guide to where AWS covers compliance requirements and which areas a business must cover itself.

There are twelve top-level PCI DSS requirements in all, and they are quite complex. It is easy to miss certain requirements or fall behind on audits. It is important to note that you cannot arbitrarily ignore a PCI requirement: all of them must be met. Not every requirement may apply to your business, so a PCI assessor is helpful for clarifying which do and do not apply. We were one of the first hosting providers in the world to achieve PCI DSS Level 1 service provider status, the highest and most rigorous status in the industry, and are happy to work with enterprises to ensure they set up and maintain their AWS environment in compliance.

As a business, it’s refreshing to know your provider has your best interests in mind. For more information, check out our previous posts on AWS security.

David Lucky, Director of Product Management, Datapipe

[Cloud Security Alliance Blog]

The Best Security KPIs Are the Ones That Matter to Your C-Suite

What information security KPIs are you tracking? Are they tied specifically to your organization’s business goals? If not, consider that using predictive business performance metrics could help increase your organization’s profitability—by as much as 20% over three years, according to one Gartner study.

To help you develop more relevant security performance indicators, here are some suggestions from the experts:

Make them meaningful to executives
Start by considering what matters most to executives:

  • Meeting organizational goals
  • Maintaining efficient, uninterrupted operational processes
  • Fostering a positive public image
  • Complying with regulations and contractual obligations
  • Managing risks

Don’t focus on cost metrics
“Security guys are always talking about cost,” said Steve Durbin, managing director of the Information Security Forum (ISF), in a CIO magazine interview. “If we realign this, the security guys can now go to the business and say, ‘Look, if this is what is important to you, this is the role I can play in helping you protect that, but I don’t have the funding for a variety of reasons.’ The business can then make the call as to whether to find the funding for that problem. It’s no longer the security guy’s problem, it’s the business’s problem.”

Use leading vs. lagging metrics
A lagging indicator measures actual results, or outputs, so by the time it moves it is too late to make corrections or improvements. A leading indicator looks at the activities necessary to achieve your goals; these are essentially inputs that provide the information needed to intervene and change course for the better. For example, the number of virus infections reported after a new software implementation is a lagging indicator, whereas the number of antivirus updates applied prior to implementation shows action taken to drive launch success and improve user productivity.

Evaluate the effectiveness of your proposed metrics
Thankfully, there’s a tool for that. The ASIS Foundation sponsored a major security metrics research project, and one of the outcomes was a Security Metrics Evaluation Tool that security managers can use to assess the quality of specific security metrics. The written tool helps you analyze the effectiveness of a metric against nine criteria, including its relevance to the organization’s strategic mission, how easily it can be communicated and its reliability. The tool is in the Appendix of the research report, “Persuading Senior Management with Effective, Evaluated Security Metrics.”

Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

In 2016, G7 Makes Cybersecurity a Priority and Paves the Way for Track 1.5 Multi-Stakeholder Discussions

Leaders from Japan, Canada, France, Germany, Italy, the UK, and the US, as well as representatives of the European Union, gathered for the G7 Ise-Shima Summit in Japan May 26-27 to address major global economic and political challenges. Notably, for the first time at a G7 Summit, their discussions included cybersecurity. In fact, the “G7 Ise-Shima Leaders’ Declaration” released May 27 contains several consensus items regarding cybersecurity, captured as a standalone topic, reflecting the critical importance and geopolitical consequences of this issue in today’s world.

Among other things, the Leaders’ Declaration endorses the G7 Principles and Actions on Cyber, which promote security and stability in cyberspace as well as the digital economy, and commits the leaders “to take decisive action” regarding those Principles. Cybersecurity came up not only at this Summit but also in an array of related G7 meetings leading up to it this spring: the G7 Foreign Ministers’ Meeting April 10-11, the G7 ICT Ministers’ Meeting April 29-30, the G7 Energy Ministerial Meeting May 1-2, and the G7 Finance Ministers and Central Bank Governors Meeting May 20-21. This consistent discussion reflects governments’ growing concerns over the malicious use of cyberspace by hackers, criminals, state actors, and terrorists, as well as emerging global trends that challenge an open and interoperable cyberspace, all of which threaten critical infrastructure, the digital economy and economic growth.

Given growing concerns over the current economic downturn in many countries, it makes sense that the Leaders focused on the economic contribution of cyberspace, and confirmed that “an accessible, open, interoperable, reliable and secure cyberspace” is an “essential foundation for economic growth and prosperity.” Indeed, cyberspace is a fundamental enabler of our digital lifestyle, although malicious actors can use it to threaten our daily lives, economies, and national or international security.

This vision of cyberspace as a foundation for progress is shared by the G7 host country, Japan, whose Cybersecurity Strategy 2015 was the first Japanese national information security strategy to recognize that cyberspace is also a frontier for innovation and sustainable economic growth.

We welcome the G7 Leaders’ decision to launch a new G7 working group on cyber to enhance policy coordination and practical cooperation to promote security and stability in cyberspace. The Declaration does not say who will populate the working group. While we expect the core members to be government officials, it is crucial to adopt a multi-stakeholder or “Track 1.5” approach to incorporate industry input. Governments and the private sector alike seek greater cybersecurity and resilience, and it is necessary to combine government insights about policy and national strategy with industry knowledge about technical innovation for cyber threat prevention and defense. All players must participate to ensure that the envisioned coordination and cooperation is practical and feasible.

It also is commendable that the G7 is focusing on cybersecurity in critical industry sectors dependent on cyber infrastructure, namely finance and energy. The Declaration highlights the work of the G7 Cyber Experts Group in the financial area to foster cybersecurity and enhance cooperation among G7 countries in this arena. This is important, given the ongoing trend of cybercrimes targeting the financial sector, such as the theft of $81 million from Bangladesh’s central bank in February 2016.

In the Joint Statement from the G7 Energy Ministerial Meeting earlier in May, the Ministers committed to advancing resilient energy systems including electricity, gas and oil, in order to respond effectively to emerging cyber threats and to maintain critical functions. The usefulness of this commitment is evidenced by the power outage, caused by cyber-attacks, which affected 225,000 people in Ukraine in December 2015. Such cyber sabotage against critical infrastructure can potentially disrupt medical services and other key social services, leading to the loss of lives. These areas of focus demonstrate the G7 countries’ concern about the potential damages to these sectors of critical infrastructure, which can sap competitiveness, cause a loss in business and consumer confidence, and dampen the countries’ economic strength and security.

Finally, it is meaningful that this heavy emphasis on cybersecurity was made at the series of G7 meetings hosted by Japan. We are sure that Japan played an important role in ensuring this emphasis. Japan has its own internal interests, including the security of the electric power industry in the wake of the Great East Japan Earthquake in 2011 (which led to catastrophic consequences with the cascading impacts from the Fukushima Daiichi nuclear power plant accident). As the host of the G7 Summit 2016 and the upcoming Tokyo Summer Olympic Games in 2020, Japan is expected to set an example of cybersecurity and the protection of critical infrastructure. Best practices and new partnerships will be born from the lessons.

The next steps for the G7 leaders and the new G7 cyber working group are to figure out how to overcome silos and facilitate smooth communication across borders, among key players in government and industry. While bureaucratic stove piping is not unique to cybersecurity, the repercussions can be more problematic when cyber attacks or threats affect multiple sectors, governmental agencies, and countries. Given that attackers will always try to exploit the weakest link, the scale of global Internet interconnectivity means that one country’s robust cyber defenses – or economic prosperity – may be weakened if its counterparts fail to protect themselves. This could lead to information breaches and compromised systems or networks globally.

The call for a multi-stakeholder approach to cybersecurity across borders is not new, but has been slow to gain solid footing. It could be that we have lacked clear goals or deadlines. The Tokyo Olympic Games 2020 would be a golden opportunity to create a prototype of a Track 1.5 cybersecurity dialogue and information-sharing framework. Only four years away, the event has a wide variety of stakeholders, including the G7 countries. Such a prototype can help pave the way to more efficient global cooperation on cybercrime and critical infrastructure protection.

This is the second in a series of blogs co-authored by Mihoko Matsubara and Danielle Kriz aimed at introducing Japan’s cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover additional thoughts on the METI/IPA Cybersecurity Guidelines, Japan’s role in global cybersecurity capacity-building, cyber threat information-sharing and prospects for Japan, the cybersecurity ramifications of planning for the Tokyo Olympic Games 2020, and other topics.

Mihoko Matsubara and Danielle Kriz

[Palo Alto Networks Research Center]
