Call for Participation: Contribute to CSA Security Guidance V.4 Peer Review

Closing Date: Jan 13th, 2017

The Cloud Security Alliance would like to invite you to review and comment on 12 Domains of the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing. This document acts as a practical, actionable roadmap to individuals looking to safely and securely adopt the cloud paradigm. This is your opportunity to provide feedback and identify any critical areas that we might be missing in the document’s focus.

The Domains that are going for peer review are:

To participate, please identify the specific Domains in which you have expertise and follow the link to the Google Docs. You should be able to provide your comments in the document. Please do not provide editorial comments (e.g., grammar or formatting); focus instead on the content of the document.

The peer review for the 12 Domains starts today and ends one month from now, on the 13th of January. We appreciate your assistance. Thank you in advance for your time and contribution.

CSA Research Team

research@cloudsecurityalliance.org

[Cloud Security Alliance Research News]

Three Lessons From the San Francisco Muni Ransomware Attack

On Black Friday, a hacker hit San Francisco’s light rail agency with a ransomware attack. Fortunately, this story has a happy ending: the attack ended in failure. So why did it raise the hairs on the back of our collective neck? Because we fear that next time a critical infrastructure system is attacked, it could just as easily end in tragedy. But it doesn’t have to if organizations with Industrial Control Systems (ICS) heed three key lessons from San Francisco’s ordeal.

First, let’s look at what happened: On Friday, Nov. 25, a hacker infected the San Francisco Municipal Transportation Agency’s (SFMTA) network with ransomware that encrypted data on 900 office computers, spreading through the system’s Windows operating system. As a precautionary measure, the third party that operates SFMTA’s ticketing system shut down payment kiosks to prevent the malware from spreading. Rather than stop service, SFMTA opened the gates and offered free rides for much of the weekend. The attacker demanded a 100 Bitcoin ransom, or around $73,000, to unlock the affected files. SFMTA refused to pay since it has a backup system. By Monday, most of the agency’s computers and systems were back up and running.

Here are three key lessons other ICS organizations should learn from the event, so they’re prepared to derail similar ransomware attacks as deftly:

  1. Recognize you are increasingly in cybercriminals’ cross hairs. Cyberattacks on ICS systems, which control public and private infrastructure such as electrical grids, oil pipelines and water systems, are on the rise. In 2015, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 20% more cyber incidents than in 2014. And for the first time since the agency started tracking reported incidents in 2009, the critical manufacturing sector experienced more incidents than the energy sector. Critical manufacturing organizations produce products like turbines, generators, primary metals, commercial ships and rail equipment that are essential to other critical infrastructure sectors.
  2. Keep your IT and OT separate. Thankfully, the San Fran Muni ransomware attack never went beyond SFMTA’s front-office systems. But, increasingly, cyber criminals are penetrating control systems through enterprise networks. An ICS-CERT report noted that while the 2015 penetration of OT systems via IT systems was low at 12 percent of reported incidents, it represented a 33 percent increase from 2014. Experts say the solution is to adopt the Purdue Model, a segmented network architecture with separate zones for enterprise, manufacturing and control systems.
  3. Invest in off-site, real-time backup. SFMTA was able to recover the encrypted data without paying the ransom because it had a good backup system. That wasn’t the case with the Lansing (Michigan) Board of Water & Light. When its corporate network suffered a ransomware attack in April, the municipal utility agency paid $25,000 in ransom to unlock its accounting system, email service and phone lines.

If San Francisco’s example isn’t enough to motivate ICS organizations to take cybersecurity seriously, then Booz Allen Hamilton’s 2016 Industrial CyberSecurity Threat Briefing should do the trick. It includes dozens of cyber threats to ICS organizations.

By Laurie Kumerow, Consultant, Code42

[Cloud Security Alliance Blog]

Telecom Organizations’ Strategy to Generate Revenue from Security Services

In this digital age, with telecom service providers’ revenue per bit falling every year, network operators are clearly being forced to consider expanding their catalogue of services to something beyond basic voice connectivity. Providers need some way to unlock the full value of their investment in the network and to expand into new and profitable applications and services.

For a decade or more, Western European and North American telecommunication companies have focused on capturing growth in the consumer market, as mobile phone usage became nearly universal and telcos sold broadband, TV and other data services to users at home and on the go.

The challenge for many telecom executives is how to identify the opportunity that lies beyond the market that historically fueled their profit pool and reshape their companies and priorities to capitalize on the situation.

To win in the expanding market for business telecom and IT services, telcos will need to prioritize the B2B opportunity and embrace newer capabilities.

Cybersecurity Ventures projects $1 trillion will be spent globally on cyber security from 2017 to 2021. Cybercrime is predicted to cost the world $6 trillion annually by 2021.

Traditionally, operators had security services in B2B such as managed firewalls, intrusion and prevention systems, email security, web gateway, security information and event management, vulnerability and penetration testing solutions, risk assessment and end-point protection.

But the digital business needs something unique that can protect their organizations from cyber-attack and data breaches.

The important areas that operators need to focus on in order to generate revenue are:

  1. Internet of Things
  2. Software-defined networking
  3. Big data and analytics
  4. Cloud
  5. Intelligent breach response management

A dozen cyber security startups have each raised $100 million or more in funding since 2014, according to Dow Jones VentureSource – a database that reports on companies globally that receive venture capital and private equity funding.

Hundreds of billions will be spent on securing PCs, mobile and IoT devices, corporate networks, and the cloud over the next five years.

The time has come for operators to generate revenue from these cyber security offerings, and it is up to the service provider to define strategy in developing the capabilities and targeting the market.

References

  1. http://cybersecurityventures.com/
  2. http://www.csoonline.com/
  3. http://bcg.com

Rasool Kareem Irfan, CISM, CEH, ISO/IEC 27001, Senior Manager – Security Practice, Tata Communications Transformation Services

[ISACA Now Blog]
