Containerization: Why You Should Prepare Now

There are some technologies that seem to have their own “gravitational pull.” By this, I don’t just mean technologies that are interesting, compelling to the business, or likely to be considered by businesses. Instead, I’m referring to those technologies that exert a steady, near-continuous and (one might argue) irresistible pressure across multiple areas of the organization to adopt.

Cloud, mobile, and social media are all examples of technologies like this. Say “no” to the sales team’s request to use a Software as a Service (SaaS) tool today, and chances are you’ll be talking to the marketing team about a similar tool next week. These technologies, when they arise, are usually highly advantageous to the business, have a diverse potential user base, low barriers to adoption and a high degree of awareness among end-user customers.

It’s important to pay attention when new technologies like this land on the scene for a few reasons.

First, the potential for shadow adoption is high. Compelling usage, coupled with low barriers gating that usage, mean that individual business units (or individual employees) might take it upon themselves to employ it without thinking to inform or engage with technology (let alone security or assurance) teams. As a consequence, a given assurance, security or risk practitioner might not know the usage is there until after it is entrenched.

Second, adoption changes the risk dynamics of the organization. New risks are potentially introduced while old ones are potentially reduced and business value potentially increases. From a holistic risk perspective, therefore, it is imperative that practitioners evaluate these technologies and understand their risk impact even though they may have limited time to do so in light of shadow adoption.

While still relatively new, application containerization is demonstrating many of the above properties.

Application containerization packages an application, together with the configuration and supporting software it needs to run, into a modular, self-contained unit. Because containers are small and componentized, they are portable between environments; they rely on the isolation features of the host operating system (on Linux, kernel namespaces, control groups and related mechanisms) to keep containers on the same OS instance separated from one another. That portability helps development, while the comparative efficiency relative to OS virtualization (containers share the host kernel instead of each carrying its own) allows a higher density of applications per physical device. The shared kernel is also the caveat a practitioner should keep in mind: the separation between containers is only as strong as the OS features that enforce it, and a container launched with those features switched off is, for practical purposes, running on the host.
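One concrete way to apply that caveat is to check whether a running container actually has the OS-level segmentation the paragraph describes. The script below is an added example (not ISACA guidance and not Docker's own tooling): it reads the JSON that `docker inspect <container>` prints and flags settings that bypass isolation. The sample document at the bottom is constructed for the example; the HostConfig field names are the ones Docker emits, while the lists of sensitive paths and capabilities are this example's own choices.

```python
"""Check a container's isolation settings from `docker inspect` output.

Added example: not ISACA's guidance nor Docker's own tooling. It reads the
JSON array that `docker inspect <container>` prints and flags settings that
give the container a way around OS-level segmentation. SAMPLE_INSPECT is
constructed for this example; the HostConfig keys are the real ones.
"""
import json

# Host paths that, bind-mounted into a container, let it act on the host:
# the Docker socket is equivalent to root on the host; /proc, /sys, /dev and
# /etc expose the host's kernel interfaces and configuration. "/" is handled
# separately in _is_sensitive_mount.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/proc", "/sys", "/dev", "/etc")

# Capabilities that confer host-level power regardless of namespaces
# (an illustrative list, not an exhaustive one).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "SYS_RAWIO"}


def _is_sensitive_mount(host_path: str) -> bool:
    """True if the bind source is the host root or lies under a sensitive path."""
    if host_path == "/":
        return True
    return any(host_path == p or host_path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS)


def audit_container(inspect_doc: dict) -> list:
    """Return findings (strings) for one element of the `docker inspect` array."""
    hc = inspect_doc.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and host devices exposed")
    # --pid=host, --net=host, --ipc=host or --uts=host share that namespace
    # with the host, so the container is not segmented for it at all.
    for key, ns in (("PidMode", "pid"), ("NetworkMode", "net"),
                    ("IpcMode", "ipc"), ("UTSMode", "uts")):
        if hc.get(key) == "host":
            findings.append(f"shares host {ns} namespace")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in DANGEROUS_CAPS:
            findings.append(f"adds capability {cap}")
    for bind in hc.get("Binds") or []:
        host_path = bind.split(":", 1)[0]      # "host:container[:options]"
        if _is_sensitive_mount(host_path):
            findings.append(f"bind-mounts sensitive host path {host_path}")
    return findings


def audit_all(inspect_json: str) -> dict:
    """Map each container name to its findings; an empty list means no concerns."""
    return {doc["Name"]: audit_container(doc) for doc in json.loads(inspect_json)}


# Constructed sample: one hardened container and one that runs privileged,
# shares the host's pid and net namespaces and mounts the Docker socket.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-frontend",
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "IpcMode": "private", "UTSMode": "", "CapAdd": None,
                    "Binds": ["/srv/web/config:/etc/nginx/conf.d:ro"]}},
    {"Name": "/ci-runner",
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host",
                    "IpcMode": "", "UTSMode": "", "CapAdd": ["SYS_ADMIN"],
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                              "/data:/data"]}},
])

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no findings")
```

Run it against real output with `docker inspect $(docker ps -q) > inspect.json` and pass the file contents to `audit_all`. A container that shows up with findings here has opted out of the segmentation the host would otherwise provide and should be treated, for risk purposes, like a process on the host rather than an isolated workload.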

In light of these factors, ISACA has issued a pair of white papers on application containerization. The first volume outlines what application containerization is: the business drivers causing its popularity, the value proposition for developers and datacenter managers, and a description of what the technology offers, and how it works. The second volume outlines the practitioner impact: why the security, assurance, risk, or governance practitioner should care and what they can do to help prepare for risk and control decisions that involve application containers.

It is our hope that this guidance will assist practitioners as they approach risk decisions relative to containers within their environments and assist them in evaluating usage scenarios as containers and micro-services rise in prominence. By laying out the value proposition to the business and providing a working understanding of its technical operation, as well as outlining some of the risk considerations, we hope to arm practitioners with the information they need to approach these decisions with confidence.

Ed Moyle, Director of Thought Leadership and Research, ISACA

[ISACA Now Blog]

Ransomware Q&A With Garry Barnes

ISACA Now recently had the opportunity for a Q&A with Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD and ISACA International Vice President. Barnes is practice lead, Governance Advisory at Vital Interacts (Australia). He has more than 20 years of experience in information and IT security, IT audit and risk management, and governance, having worked in a number of New South Wales (NSW) public sector agencies and in banking and consulting.

Who is deploying ransomware?
Ransomware is developed and deployed by cybercriminals looking primarily to gain financial rewards. Some ransomware will encrypt your files, preventing you from gaining access, while earlier types locked your computer by displaying pornography or other images. The ransomware contains a demand for payment to obtain the key to unlock your system. These payments are routed through untraceable digital currencies, via SMS, or simply using cash transfer systems.

In its Q1 2015 Threat Report, McAfee cited a new family of ransomware, CTB-Locker, leading to a rise in attacks. This malware is distributed in numerous ways, and its payload is hidden in layered zip files. According to McAfee, it was supported by an “affiliate” program, enabling it to be easily added to phishing campaigns.

Who are they targeting?
Ransomware developers are targeting the desktop and Android phone devices of both individuals and organizations in North America and Europe, where there is a higher likelihood of the ransom being paid. They use a variety of techniques to deliver their payload, including email and web pop-ups. Recently ransomware has been detected in content management systems such as Joomla! and WordPress. The SynoLocker strain of ransomware targets network storage devices.

What is an organization’s chance of suffering this type of attack?
The odds are pretty high that a ransomware attack will occur. ISACA identified ransomware as one of the Five Cyber Risk Trends for 2016, noting that the instance of victimized enterprises—most of them small businesses—agreeing to make ransomware payments increased from 2.9 percent in 2012 to 41 percent in 2015.

What can be done to prevent it?
There are a number of steps you can take to minimize your risk. Technical controls are important, and security awareness is also key. Users need to be vigilant not to click on links, remain cautious with links and attachments in unsolicited emails, avoid clicking on pop-ups on web sites, and have up-to-date antivirus software.

Desktop architecture should include:

  • Reputable A/V to scan for malicious payloads
  • Firewalls to prevent unwanted services including blocking Tor
  • Periodic back up of both data and software
  • Disconnection of the backup storage device after successful backup
  • Patching of operating systems and applications
  • Use of a web pop-up blocker to prevent clicking on infected ads
  • Use of cloud backup may also help

What should be done once your organization has been hit?
A quick response by the affected user is needed, hence the value of security awareness training. Once hit, an organization should activate its incident response process. This would include alerting the service desk so they can contain the impact and prevent others in your business from falling victim. They will need to initiate recovery of data from backup and restoration of the operating system and applications from a reliable copy.

Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD, past ISACA Board director

[ISACA Now Blog]
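The Q&A above stresses quick detection and containment but does not say what the service desk would actually key on. The script below is an added example (not part of the Q&A and not ISACA material) of one detection that fits: a process renaming many files to a new extension, across several directories, inside a short window, which is the on-disk signature of the file-encrypting ransomware described. The log format (one key=value event per line, as an EDR agent or file-audit daemon might emit) is hypothetical, and the sample lines are constructed so the script runs offline.

```python
"""Flag ransomware-like bursts of file renames in a file-activity log.

Added example, not part of the Q&A above nor of any ISACA material. The log
format is hypothetical: one event per line, fields as key=value, with
op=rename events carrying the old path in `path` and the new one in `new`.
SAMPLE_LOG at the bottom is constructed so the script runs offline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn 'ts=... pid=... user=... op=... path=... [new=...]' into a dict."""
    ev = dict(KV_RE.findall(line))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_rename_bursts(lines, window_s=60, min_files=20, min_dirs=2) -> list:
    """Return one alert per process whose extension-changing renames reach
    min_files across at least min_dirs directories within any window_s seconds."""
    per_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("op") != "rename":
            continue
        old, new = PurePosixPath(ev["path"]), PurePosixPath(ev["new"])
        if old.suffix == new.suffix:          # ordinary rename, extension kept
            continue
        per_proc[(ev["pid"], ev["user"])].append(
            (ev["ts"], str(old.parent), new.suffix))

    alerts = []
    for (pid, user), events in per_proc.items():
        events.sort()
        start = 0
        for end in range(len(events)):       # sliding window over sorted events
            while events[end][0] - events[start][0] > timedelta(seconds=window_s):
                start += 1
            span = events[start:end + 1]
            dirs = {d for _, d, _ in span}
            if len(span) >= min_files and len(dirs) >= min_dirs:
                alerts.append({"pid": pid, "user": user, "files": len(span),
                               "dirs": len(dirs), "new_ext": span[-1][2],
                               "window_start": span[0][0].isoformat()})
                break                        # one alert per process is enough
    return alerts


# Constructed sample: a benign rename by bob, an unrelated write by alice's
# process, then that process renaming 25 files to .locked across three
# directories in 25 seconds.
_T0 = datetime(2016, 3, 1, 10, 0, 0)
_DIRS = ("docs", "pictures", "finance")
SAMPLE_LOG = [
    "ts=2016-03-01T09:59:58 pid=100 user=bob op=rename "
    "path=/home/bob/report.tmp new=/home/bob/report.docx",
    "ts=2016-03-01T09:59:59 pid=4242 user=alice op=write "
    "path=/home/alice/docs/notes.txt",
] + [
    f"ts={(_T0 + timedelta(seconds=i)).isoformat()} pid=4242 user=alice op=rename "
    f"path=/home/alice/{_DIRS[i % 3]}/file{i}.xlsx "
    f"new=/home/alice/{_DIRS[i % 3]}/file{i}.xlsx.locked"
    for i in range(25)
]

if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately conservative so that a user tidying one folder does not trigger an alert; tune `min_files` and `window_s` to the file-activity baseline of your own estate. When the alert fires, the `pid` and `user` give the service desk exactly what the answer above asks for: who to contact, which process to stop, and which host to isolate before restoring from the disconnected backup.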

Exploit Kits Exposed: Automated Attacks at Scale

Put yourself in the shoes of an attacker: Your objective is to infiltrate an organization, deploy ransomware and get paid. It is your job to launch the most effective, lowest cost attack possible, which also delivers the highest return. When adversaries balance the equation of effort versus potential reward, they are increasingly turning toward automated tools, like exploit kits (EKs), to help them achieve their malicious goals at massive scale. In short, EKs allow a malicious actor to silently exploit vulnerabilities in a web browser or its plug-ins, deliver a malware payload, and operationalize the attack using rented EK infrastructure.

Before we look forward, it is important to understand the history of exploit kits and how they’ve become one of the most prevalent and effective methods of breaching an organization today. The popularity of EKs dates back to 2006, when the first documented case appeared; but it really took off in 2010 with the introduction of the Blackhole EK and its associated software-as-a-service (SaaS) based business model. Now, instead of setting up malicious infrastructure, compromising websites, identifying vulnerability exploits, and delivering malware, malicious actors could outsource nearly the entire attack flow to an expert. This is cyberattacking for the masses, with a modern and simple-to-use interface to match.

Over time, network defenders identify and take down prevalent exploit kits, as we saw with the disappearance of Blackhole after the arrest of its author; but there is always another one ready to take over the mantle and reap the profits. In recent years, we have seen an explosion in the scale of EK usage against organizations, especially as they have been increasingly used to deliver ransomware payloads. In fact, according to research by the Palo Alto Networks Unit 42 threat intelligence team, “Exploit kits are now, on average, about twice as expensive as they were two years ago.” We expect this trend to continue, with malicious actors continuing to leverage the automation, scale and silent malware delivery offered by exploit kits.

As organizations build their prevention infrastructure, they should consider how their security controls can identify and prevent this significant threat across the network, cloud and endpoint. Learn more about the past, present and future of exploit kits, and how to prevent them:

[Palo Alto Networks Research Center]

Setting Expectations for Prevention Readiness: The Prevention-Posture Assessment

Our commitment to making prevention a core component of architecture is real. As such, we created a standard assessment methodology to help set expectations about prevention and create a prevention-based architecture strategy that builds alliances between IT and security professionals. Let’s talk about how to assess prevention readiness using that methodology.

The basis of our prevention posture assessment comes from two things:

  1. The cybersecurity community continues to amass a significant amount of intelligence and information about attackers. We know the tools, techniques, indicators of compromise, and vectors attackers use to successfully attack organizations. However, IT and security professionals lack the ability to actively defeat many of those things we know about the attackers and their techniques.
  2. IT and security leaders tell us they’re not confident they know everything that is happening in their network.

General Sun Tzu, in 500 B.C., said the following:

“Know the enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.”

The General’s words are as true today as they were in his time. In addition, they are extremely relevant in the cyber domain. You must know the enemy and yourself to prevent successful attacks. We want to work with you in a way that allows you to know yourself so you can use what we know about the enemy to prevent successful attacks.

The figure below provides a visual about how we use the prevention-posture assessment to set expectations about prevention and create a prevention based architecture strategy with customers.

Figure 1: Prevention posture assessment

First, we separate architecture into three different areas, as shown on the left-hand side of Figure 1.

  • Enterprise, mobility and SaaS
  • Data center, cloud and SaaS
  • Endpoint

In this way, we ensure the “know yourself” aspect of our methodology is consistent across all architecture. The separation of architecture is a deliberate action that ensures we distribute prevention capabilities across all architecture. In addition, the separation of architecture helps make the point that we need to work directly with both the IT architects and the security architects of an organization.

Second, we align the three different architecture areas with specific stages of the attack lifecycle. As Figure 1 shows, the colors in each area of the architecture align directly with specific stages of the attack:

Aligning the areas of architecture with stages of the attack lifecycle creates a compelling discussion about the difference a modern extensible approach to prevention makes for protecting organizations. In our approach, we drive home the need to position prevention capabilities across all three areas of architecture. In this way, we can actively defend ourselves by preventing what we know about attackers. At the same time, we maintain positive control that the enterprise is operating as intended, and we know everything happening in controlled environments.

Figure 2: Prevention posture assessment capabilities

In Figure 2, we provide a list of the prevention capabilities assessed as part of the prevention posture assessment. As you read through the list, there are interesting items to note:

  1. The capabilities are redundant across areas of the architecture and stages of the attack. This is important because we must deliver prevention capabilities from the inside out rather than the way the status-quo hardens perimeters today.
  2. We don’t assess detect/respond capabilities, like IDS, because they are not prevention-focused. This is intentional. Frankly, we shouldn’t get “prevention readiness” credit for capabilities that don’t prevent.
  3. The prevention capabilities are all part of the “system-of-systems” Palo Alto Networks platform approach that is fully integrated. We set the expectation for all customers that they need to field all these capabilities to get the full value of their investment.
  4. The prevention capabilities are as relevant for IT infrastructure professionals as they are for security infrastructure professionals. For this reason, we always perform the assessment jointly with the IT and security architects.

In practice, we typically find that existing customers continue working to improve capabilities covering the Delivery and Command and Control stages of the attack. This makes sense given that the status-quo approaches emphasize hardening the perimeter. One exception, within the Delivery and Command and Control stages, is that very few customers adequately inspect SSL/TLS traffic. Today, it is common knowledge that threat actors take advantage of encrypted application traffic to deliver malware and control their attack. Since the amount of encrypted traffic continues to grow in enterprises, customers must move deliberately to decrypt and inspect that traffic and extend protection capabilities to eliminate blind spots.

In addition, we consistently see customers with immature or non-existent prevention capabilities covering the internal stages of the attack lifecycle. The lack of extensible prevention capabilities across an architecture leaves us all at risk, and allows known attackers to move unmitigated throughout an enterprise.

Ultimately, it is your decision. A known attack methodology or technique is not advanced, and should be defeated using modern prevention capabilities. In this section, we discussed the capabilities we assess to prevent successful attacks. In the next section, we will discuss how we measure prevention capability readiness and our ability to build confidence that we know everything happening in a controlled enterprise.

Have you received your prevention posture assessment yet? If you’re an existing customer, contact your partner or local representative to request an assessment. If you’re a potential customer, do the assessment with one of our representatives soon. The only cost is some time for your team, but it will be time well spent, as a leader.


[Palo Alto Networks Research Center]

Cultivating and Retaining IT Audit Talent

People with deep technical skills are in high demand, so internal audit needs to take extra care to ensure the profession is attracting and retaining the right people. According to PricewaterhouseCoopers’ 19th annual global CEO survey released earlier this year, 72 percent of CEOs consider the availability of key skills a threat to their organization’s growth prospects.

As we discussed in New Orleans at the IT Audit Director Forum—part of ISACA’s North America CACS conference—there are steps companies can take to ensure IT audit develops the quality workforce needed to thrive amid this evolving landscape.

Work With Universities to Strengthen Workforce
The nature of audit is becoming more real-time and continuous, and less forensic. A number of factors have impacted the speed at which universities have been able to prepare their students for the effects of technology and automation on the IT audit profession.

That is problematic as the day is fast-approaching when professionals who lack broad, technical knowledge and skills around data analysis will be unable to successfully function in the field. This is especially true because the more organizations rely upon technology, the more necessary it becomes to tap into technology when auditing them.

Universities might be receptive to weaving more data analysis, cybersecurity and technical prep into their curriculums—they may just need some additional support and guidance from alumni and business leaders to keep pace with the changing demands of the profession.

Take Compensation Seriously—and Not Just the Dollars
Organizations cannot take a knife to a gunfight when it comes to offering the competitive compensation packages needed to land talented technology professionals. As organizations seek skilled IT auditors equipped for the modern landscape—and greater demands are placed on IT audit professionals—compensation must reflect the reality that talented candidates will have plenty of options.

Additionally, HR departments need to place an emphasis on going beyond salary when attracting talent. Particularly among millennials, other perks such as flexible work schedules, the ability to work remotely and even casual workplace attire are becoming increasingly meaningful.

At PwC, a flexible dress policy was recently implemented, allowing employees to wear jeans at the office when they are not meeting with clients. In the traditionally buttoned-up world of public accounting, that’s practically a tidal wave of workplace progress, and it’s a sea change many welcome.

Find Sensible Enticements to Encourage Progress
The perception is that internal audit lacks the glamour of other fields tied to emerging technologies. Internal audit needs to overcome that stigma to pull in the tech talent needed to perform at a high level.

Internal audit affords professionals rapid and exciting opportunities to tackle major projects involving high-level influencers. Being open to the idea of quickly giving employees such major responsibilities is worth considering.

Those who enter the job with high technical IQs might soon be ready to take on more senior tasks than was the norm in the past, and recognizing that potential quickly will not go unappreciated by employees. A word of caution, though—the potential downside of giving somebody a task beyond his or her ability is substantial. These judgments are about being open-minded and require a measured, case-by-case approach.

Working across departments to identify quicker paths to promotion as circumstances justify can be another worthwhile way for your organization to retain top talent.

There never has been a more exciting time to be in IT audit. Nothing is becoming less automated or less reliant on technology, so this is a career path with permanence. Still, challenges remain in attracting and retaining quality professionals. Organizations that take inventory of the evolving state of IT audit and are responsive to the priorities of prospective employees will be best positioned to assemble the high-caliber workforces that they need.

A. Michael Smith, Partner, PricewaterhouseCoopers LLP, and Khalid Wasti, Partner,
PricewaterhouseCoopers LLP

[ISACA Now Blog]
