Technology has evolved and is evolving faster than ever before.
My enterprise is facing unknown competitive threats.
After considering these statements, how would you answer the question of whether your business will be competitive in 10 years?
With the countless factors that exist across every sector, the question is very difficult to answer. The pace of positive, negative and unclassified technological advancements is exponentially greater than ever before. How will your enterprise and IT governance structure survive these exciting times?
Consider Your Enterprise’s Risk Appetite
Information technology is now a core component in achieving business objectives. So if we look at it from a business growth point of view while anticipating current trends, your strategy may have to shift to focus on digital channels. What this means for your business is that you need a digital footprint that is both secure and user-friendly. With every new strategy you may have new risks, so your company’s risk appetite has to be considered.
What type of IT service and infrastructure would you need to deal with multiple types of digital connections that deliver standard functionality across these channels? How would this impact your resources and IT management options? Do you need to move to the cloud? Broadening the enterprise’s digital footprint can create the possibility of multiple connections to your services via numerous known hardware (e.g., tablet, watches, laptops, cell phones), along with anything that can be digitized. Your traditional business structures are now expanded with newer delivery options, so supporting demand now requires a rethinking of traditional network structure to handle the new scales. This can become an issue for many enterprises.
The security aspect of the future cannot be overlooked because you now have a wider attack surface and crippling ransomware to deal with. If your security fails, this affects customer perception, and you will not be able to honor the confidentiality and integrity of the user experience. Ransomware is quite destructive because not only does it affect the availability of the infected data, you also have to pay hefty sums to get back access to your data if there is no mitigation plan in place. Can your enterprise continue to meet the current industry regulations and maintain a secure infrastructure into the future?
GEIT Can Get You There
Within the next 10 years your enterprise will face the growing Internet of Things (IoT) landscape, with faster, more convenient delivery methods, harboring both increased risk and lucrative opportunities.
With a flexible governance of enterprise IT (GEIT) model, you could construct a relevant framework that looks at how the enterprise’s strategic plans and IT work together. You could look at continuous improvement actions and keep this alive within the enterprise. You could ensure IT risk management is aligned with the enterprise’s risk appetite and that security is considered at all points. You could consider various means to optimize your IT resources and capabilities required, as all these are key to helping your enterprise adapt and remain relevant in the future landscape.
Ammett Williams CCIE, CGEIT, Telecommunication Team Leader – First Citizens, TT
Why would an employer pay its tech workers extra cash for a skill or certification if they’re already getting a salary and annual bonus?
There are a dozen good reasons why, and they all share one thing in common: None would be necessary if the company’s compensation structure and pay practices were agile enough to successfully compete for talent in volatile labor markets. The nature of the tech labor marketplace is exactly that, where the market value of a job or skill can move like a roller coaster depending on what’s hot and what’s not at any given moment. If your employer doesn’t have built-in flexibility to react quickly and correctly, it will struggle to find and keep people to execute tech-enabled business strategies.
Who Needs Skills Pay and Why How do you know if your employer is a victim? Say, for instance, your company doesn’t normally have trouble retaining tech talent and suddenly the best people start walking out the door. Most likely your company wasn’t able to match competing salary offers. Then to make matters worse, it’s soon discovered that the competing offers were actually realistic average local market salaries for these positions – so your employer was underpaying these people from the start. It’s called ‘salary compression,’ when market-driven pay for talent is growing at a faster rate than the annual salary increases employers are able to offer their workers.
Compression is a widespread systemic reality that tends to be much worse in the tech workforce because of the rapid evolution of technology, skills and jobs. Every employer must decide whether to fix it permanently (very difficult) or patch it occasionally (less difficult and more practical).
If there is little leeway in the incumbent’s salary range to sweeten the pot on a counter-offer, and a promotion is not a viable option, paying workers extra cash for critical skills and certifications can be the perfect solution. That is especially true when workers possess the very hot certified or noncertified tech skills that other employers are aggressively targeting. The trick is to tie this extra cash directly to current market value for the hot skill or certification and guarantee that premium for some period of time, usually one year or more. When time’s up, the employer can check whether market value has changed and decide if it makes sense to continue to pay the skills premium and how much to pay, or to switch it out for another hot skill that has become more valuable to the organization.
What is the current cash market value for certifications? Extra pay awarded to 69,900 U.S. and Canadian IT professionals for 880 certified and noncertified IT and business skills – also known as skills pay premiums – has been tracked and updated quarterly since 1999 in the IT Skills and Certifications Pay Index™(ITSCPI). About 3,000 private and public sector employers currently provide this data to Foote Partners, covering a total of 255,600 IT professionals at these companies.
ISACA certifications are doing extremely well. As a group they’ve gained 15.3 percent in cash market value in the last six months compared to nearly 8 percent growth in pay across all 80 security-related certifications in the ITSCPI. The Certified in Risk and Information Systems Control (CRISC) and Certified in the Governance of Enterprise IT (CGEIT) are the top gainers. The CSX Practitioner (CSXP) certification appeared for the first time in the latest ITSCPI, earning an average pay premium equivalent to 12 percent of base salary – a very strong number for a new certification.
The following security certifications are earning the highest pay premiums right now. They’re paying median cash premiums equivalent to 13 percent to 19 percent of base salary, typically paid out each pay period as a cash bonus in addition to salary, and are shown below in descending rank order of market value including ties, arranged alphabetically within each rank.
(Tie) Certified Information Security Manager (CISM)
Certified Information Systems Security Professional Certified in Risk and Information Systems Control (CRISC)
EC-Council Licensed Penetration Tester
InfoSys Security Engineering Professional (ISSEP/CISSP)
Market values for 412 tech certifications in the most recent ITSCPI data update are averaging the equivalent of a 7.7 percent of base salary and as a group recorded gains in 14 consecutive calendar quarters, unprecedented in the 18 years Foote Partners has been tracking and reporting compensation for certifications. Figuring prominently in this growth has been info/cyber security certifications.
Market values for 80 info/cyber security certifications have been on a slow and steady upward path for four years, up 10.7 percent in average cash value as a group in just the past 12 months and 15 percent during the past two years – the largest gain among all certification categories reported. Strong performing security certifications so far in 2016 cut a wide swath: cybersecurity, forensics, penetration testing, perimeter protection and enterprise defense, security analysis, risk and security software programming.
Editor’s note: Registration is open for the first testing window of 2017 for ISACA’s core certifications.
Exams for CISA, CISM, CGEIT and CRISC will be offered in 2017 at PSI testing locations worldwide during three, eight-week testing windows. The first testing window will be 1 May-30 June, with 28 February marking the early registration deadline. Exam registration via the ISACA website is available at www.isaca.org/examreg.
David Foote, Chief Analyst and co-founder, Foote Partners, LLC
Taiwan has been a regular target of cyber espionage threat actors for a number of years. Reasons for Taiwan being targeted range from being one of the sovereign states of the disputed South China Sea region to its emerging economy and growth with Taiwan being one of the most innovative countries in the High-Tech industry in Asia.
In early August, Unit 42 identified two attacks using similar techniques. The more interesting one was a targeted attack towards the Secretary General of Taiwan’s Government office – Executive Yuan. The Executive Yuan has several individual boards which are formed to enforce different executing functions of the government. The Executive Yuan Council evaluates statutory and budgetary bills and bills concerning martial law, amnesty, declaration of war, conclusion of peace and treaties, and other important affairs. Given the important functions undertaken by the Executive Yuan office, it is not a surprise that they were targeted. The second attack was against an energy sector company also located in Taiwan.
The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware, but the other attack deployed the widely available Poison Ivy RAT. This confirms the actors are using Poison Ivy as part of their toolkit, something speculated in the original Trend Micro report but not confirmed by them. Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family, which has not been previously tied to the group.
Figure 1 shows the spear phishing email which was sent to the Secretary General of Executive Yuan. The email is spoofed so that it appears as though it was sent from a staff member at the Democratic Progressive Party (DPP).
Figure 1. Spear-phishing email with malicious attachment.
The document attached to this e-mail exploits CVE-2012-0158, a Microsoft Office vulnerability. This process is described in the Malware Analysis section later in this report, but one interesting aspect of this malicious was the decoy document the attacker chose to deploy.
Decoy Document
As we have noted in many earlier reports, attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate. After infecting the computer, the display a clean document to the victim that contains content that is relevant to them.
The decoy document used in this case is a spreadsheet with four tabs, respectively titled “example,” “0720,” “0721,” and “1041109 full update”. All of the text uses Traditional Chinese, in contrast to Simplified Chinese, which is the official written language of the People’s Republic of China. Traditional Chinese is used in Taiwan, Hong Kong, Macau, and many overseas Chinese communities. The overarching theme of the spreadsheet is documenting protestor activity and/or progressive reform attempts in progress across Taiwan and the tone of the spreadsheet suggests it was compiled by progressive supporters. Because we were unable to find the spreadsheet online, and there is specific persona data included related to these movements and protests, we are not including any screen shots except for the one below.
Figure 2. The four tabs in the decoy spreadsheet.
The “example” spreadsheet tab is exactly as described – it contains the headers and suggested information within two of the remaining three tabs. The headers themselves translate, from left to right, to “responsible department,” “issue,” “developments this week,” “political situation judgment,” and “related information.” The tab labeled 0721 only has the matching headers and no additional information. None of the information in the spreadsheet relates to activities past 2015, and there are references made to the then upcoming January 16, 2016 elections in Taiwan. In that election the DPP won, displacing the Chinese Nationalist Party (KMT) for only the second time in history, and with Taiwan’s first female President.
The spreadsheet labeled 0720 refers to the Anti-Black Box Movement, which was a protest by Taiwanese high school students against certain proposed curriculum changes. The use of “black box” by the protestors is in reference to former Taiwanese President Ma Ying-Jeou’s government and its lack of transparency concerning government decisions. Protestors occupied Taiwan’s Ministry of Education last July. A resolution passed by Taiwan’s legislature and approved by the Executive Yuan in May of this year delayed implementing that curriculum until 2020 to allow time for the act to be amended.
The Anti-Black Box Movement is related to the Sunflower Student Movement, a coalition of both student groups and other civic organizations that protested the Cross-Strait Trade Agreement between Taiwan and the PRC, feeling it would hurt Taiwan’s economy and increase the PRC’s sway over the island. On March 17 2014, the KMT, the ruling party at the time, tried to force a vote without a previously agreed clause by clause review with the DPP. The following evening protesters occupied the Legislative Yuan, the first time that had occurred Taiwan’s history. On March 23 of the same year, after then President Ma re-affirmed he supported the pact and would not alter or drop it, protestors occupied the Executive Yuan where over 150 were injured and 61 arrested.
The final tab contains the most information of the three and has different headers. From left to right, the headers are titled “responsible person(s),” “summary of issues and major groups,” “crisis simulation, political judgment, and recommendations,” “degree of tension,” and “participating members.”
Information related to the November 2015 “Autumn Struggle” protest, which is an annual protest first done in 2013.
Information on a Taichung City government development proposal being protested largely on environmental impact grounds, and protestor demands.
Army 1st Special Forces veterans attempt to receive compensation for alleged illegal extension of forced military service
The recently settled case where toll workers forced into unemployment by the Taiwanese government’s agreement with the Far Eastern Electronic Toll Collection Company to create a national electronic toll collection system ended up resulting in the 2013 layoffs of hundreds, who have since protested for new jobs as well as lost severance and pension.
Kaohsiung refinery closing and protestor demands, also largely related to environmental effects and necessary cleanup; the refinery officially closed at the end of December 2015
Closely watching any trade agreements between the Malaysian government and Taiwan
Potential environmental and current residential issues related to the development of the Aerotropolis around Taoyuan International Airport, which is intended to create a major transportation hub and industry center for Asia with infrastructure for corporate research and development, conference centers, and other facilities.
The Puyu Development Plan, which is part of Taiwan’s Knowledge-based Economy plan
Taiwan’s 12-year compulsory education plan
Anti-Black Box Movement demands and recent activity
Improving working conditions for Taiwanese firefighters
Pension reforms
The Nest Movement, which started in 2014 and is related to the older “Shell-less Snail Movement,” focused on affordable housing, neighborhood and urban development, ending forced demolition and relocation, property tax reform, and related housing issues
The Environmental Impact Assessment (EIA) voted on by the Environmental Protection Bureau (EPB) for the Dongshi-Fengyuan Expressway, part of the National Highway #4 Project and anti-eviction efforts
Kaohsiung water quality issues and related projects
Same sex marriage legalization
Protecting old trees in Kaohsiung amidst construction for a new “green” library; most of the designated “precious trees” are rare exotic species
Indigenous peoples in Kaohsiung land return
Activities against the Miramar Resort Village, including the revocation of the EIA, forcing development to halt
Lowering the voting age in Taiwan from 20 to 18
Malware Analysis
The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158, which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors. This matches with known Tactics, Techniques, and Procedures (TTPs) for Tropic Trooper, targeting both government institutions and also the energy industry in Taiwan.
The delivery document uses the XLSX extension typically used by OpenXML documents, but the file itself is actually an OLE (XLS) document. The file extension to file type discrepancy was caused by the actor using Excel’s built-in encryption capability, which stores XLSX ciphertext and the information needed for decryption in an OLE document.
Filename: 進步議題工作圈議題控管表.xlsx
MD5: a89b1ce793f41f3c35396b054dbdb749
SHA1: f45e2342e40100b770d73dd06f5d9b79bfce4a72
SHA256: 2baa76c9aa3834548d82a36e150d329e3268417b3f12b8f72d209d51bbacf671
Type: CDF V2 Document, No summary info
Size: 327128 bytes
Table 1. Details of the malicious document attached to the e-mail.
The embedded shellcode enumerates open handles for a file with a size greater than 0xa6f0 (Decimal – 42736) bytes. It will then set the file pointer to 0xa6e8 (Decimal – 42728) and starts looking for the following delimiter:
GfCv\xef\xfe\xec\xce
If it finds this delimiter, the shellcode knows it is working with the correct file and continues by reading 0x600 (decimal 1536) bytes following this delimiter. The shellcode then decrypts the first 0xc0 (decimal 192) DWORDs of the data read from the file using an XOR algorithm that decrypts one DWORD of ciphertext at a time with 0x29f7c592. The resulting cleartext is a second piece of shellcode that continues carrying out further functionality.
The secondary shellcode starts by resolving the following API functions using a ROT13 hashing algorithm:
Immediately following these API functions there are three DWORDS; one used to locate the payload embedded within the exploit file, one for the size of the payload, and one for the size of decoy document. The two size values are added together to get the length of the ciphertext that the shellcode will decrypt. In the sample we analyzed, the following values were present, showing that the payload is at offset 0xabc0 and has a size of 0x45218:
The shellcode then creates a string that it uses to create a registry key to automatically run the final payload each time the system starts. It then opens the registry key ‘Software\Microsoft\Windows NT\CurrentVersion\Winlogon’ and sets the value to the “Shell” subkey to the previously created string. Ultimately, the following registry key is created for persistence:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell:
“explorer.exe,rundll32.exe “C:\Documents and Settings\Administrator\Application
Data\Identities\Identities.ocx” SSSS”
It then uses the “offset_toPayload” value as an offset that it will read 283160 (45218h) bytes from the XLS file. The shellcode then enters a decryption loop to convert the embedded payload from ciphertext to cleartext. The algorithm uses the length of the ciphertext negated as the initial encryption key, which it bit rotates right by 1 to adjust the key for each of decryption. It will use this key to decrypt four bytes of the ciphertext with the XOR operation until all the ciphertext is decrypted. During each iteration of the decryption process, the algorithm will check to make sure the four bytes of ciphertext are not equal to the key or equal to zero before decrypting the ciphertext. The following table contains the first five rounds of the algorithm to explain the decryption process:
Key
Ciphertext
Cleartext
0
~0x45218 = 0xFFFBADE8 >> 1 = 0x7FFDD6F4
0x7F6D8CB9
0x00905a4d = MZ\x90\x00
1
0x7FFDD6F4 >> 1 = 0x3FFEEB7A
0x3FFEEB79
0x03 = \x03\x00\x00\x00
2
0x3FFEEB7A >> 1 = 0x1FFF75BD
0x1FFF75B9
0x04 = \x04\x00\x00\x00
3
0x1FFF75BD >> 1 = 0x8FFFBADE
0x8FFF4521
0xFFFF = \xff\xff\x00\x00
4
0x8FFFBADE >> 1 = 0x47FFDD6F
0x47FFDDD7
0xB8 = \xb8\x00\x00\x00
5
0x47FFDD6F >> 1 = 0xA3FFEEB7
0x00000000
0x00000000 = \x00\x00\x00\x00
6
0xA3FFEEB7 >> 1 = 0xD1FFF75B
0xD1FFF71B
0x40 = \x40\x00\x00\x00
7
0xD1FFF75B >> 1 = 0xE8FFFBAD
0x00000000
0x00000000 = \x00\x00\x00\x00
8
0xE8FFFBAD >> 1 = 0xF47FFDD6
0x00000000
0x00000000 = \x00\x00\x00\x00
9
0xF47FFDD6 >> 1 = 0x7A3FFEEB
0x00000000
0x00000000 = \x00\x00\x00\x00
10
0x7A3FFEEB >> 1 = 0xBD1FFF75
0x00000000
0x00000000 = \x00\x00\x00\x00
11
0xBD1FFF75 >> 1 = 0xDE8FFFBA
0x00000000
0x00000000 = \x00\x00\x00\x00
12
0xDE8FFFBA >> 1 = 0x6F47FFDD
0x00000000
0x00000000 = \x00\x00\x00\x00
13
0x6F47FFDD >> 1 = 0xB7A3FFEE
0x00000000
0x00000000 = \x00\x00\x00\x00
14
0xB7A3FFEE >> 1 = 0x5BD1FFF7
0x00000000
0x00000000 = \x00\x00\x00\x00
15
0x5BD1FFF7 >> 1 = 0xADE8FFFB
0xADE8FEF3
0x108 = \x08\x01\x00\x00
16
0xADE8FFFB >> 1 = 0xD6F47FFD
0xD84E60F3
0xEBA1F0E = \x0e\x1f\xba\x0e
17
0xD6F47FFD >> 1 = 0xEB7A3FFE
0x26738BFE
0xCD09B400 = \x00\xb4\x09\xcd
18
0xEB7A3FFE >> 1 = 0x75BD1FFF
0x39BCA7DE
0x4C01B821 = \x21\xb8\x01\x4c
19
0x75BD1FFF >> 1 = 0xBADE8FFF
0xD28AAE32
0x685421CD = \xcd!Th
20
0xBADE8FFF >> 1 = 0xDD6F47FF
0xAD4F3496
0x70207369 = is p
21
0xDD6F47FF >> 1 = 0xEEB7A3FF
0x9CD0CC8D
0x72676F72 = rogr
22
0xEEB7A3FF >> 1 = 0xF75BD1FF
0x947BBC9E
0x63206D61 = am c
23
0xF75BD1FF >> 1 = 0xFBADE8FF
0x94C3869E
0x6F6E6E61 = anno
24
0xFBADE8FF >> 1 = 0xFDD6F47F
0x98B4D40B
0x65622074 = t be
25
0xFDD6F47F >> 1 = 0xFEEB7A3F
0x909E081F
0x6E757220 = run
Table 2. Decrypting the payload
As you can see from the table above, the algorithm decrypts what is an embedded portable executable that acts as the payload in this attack. The embedded payload is written to %APPDATA\Identities\Identities.ocx and has the following attributes:
The shellcode will move the decoy document to the location of the originally executed XLSX file and will create the following command:
cmd /c start excel /e “<path to original XLSX file, now decoy
document>”
Before running the above command to open the decoy document, the shellcode enumerates the running processes on the system, specifically looking for processes created for an executable with a filename that starts with “avp.”, presumably in an attempt to find Kaspersky’s antivirus process. If the process is found, the shellcode will not open the decoy document and exits.
The shellcode does not launch the payload, rather it relies on the registry key it created for persistence to execute the payload when the user reboots the system, meaning during dynamic analysis the execution of the payload may be missed.
Delivered Payload – Poison Ivy
When the system starts up, the persistence registry key will launch the Identities.ocx payload and call its “SSSS” exported function. The “SSSS” function checks to make sure that the DLL is running within the context of a “rundll32.exe” process and then begins piecing 0x141B bytes of data together in the correct order to build the shellcode of the Poison Ivy Trojan.
We found and parsed the following configuration from the Poison Ivy shellcode:
Active Key registry key:Software\Microsoft\Active Setup\Installed Components\
Looking for more samples which exhibited the same file structure, encryption and obfuscation to deliver the above Poison Ivy sample yielded only two additional samples. In the other two instances the delivered payloads were respectively PCShare and Yahoyah. PCShare has not been previously associated with Tropic Trooper, but in addition to the aforementioned overlaps, the two samples have passive DNS overlap with some known Tropic Trooper infrastructure. For those reasons, we assess with limited confidence the group is also using this malware family.
Figure 3. The limited ties between C2 infrastructure used by Yahoyah samples (top) and PCShare malware samples (bottom).
The below table shows the details of the documents, payload delivered and the C2 servers used for communications.
It is interesting to see that the exploit documents we found had either low or no detections on most popular antivirus engines, showing that the threat actors behind this campaign have been having considerable success in bypassing static analysis undertaken by traditional antivirus solutions with this technique.
We further expanded our search using the AutoFocus Threat Intelligence platform on the IOCs extracted from the PIVY, PCShare and Yahoyah payloads and found 42 samples which either matched unique behaviors, the unique PIVY mutex or had common C2 infrastructure. The hashes of all the samples found are given in the appendix section at the end of this blog.
Figure 4 below shows the compilation timestamps of the payload samples found using AutoFocus. Given some of the payloads that were used in recent attacks, which were compiled months before, it shows that the threat actor group continues to reuse the payload within their exploit documents.
Figure 4. Payload Compilation Timelines
The below Maltego graph shows some of the shared infrastructure which have been used by Tropic Trooper. The complete list of indicators on the graph can also be found in the appendix section of this report.
Figure 5 Maltego graph of Tropic Trooper infrastructure
Conclusion
The Tropic Trooper threat actor group has been known to target governments and organizations in the Asia Pacific region for at least six years. In addition to using Yahoyah malware, we were able to confirm they are also using Poison Ivy and possibly PCShare malware families. They are also still exploiting CVE 2012-0158, as are many threat actors. Palo Alto Networks customers are protected from Tropic Trooper’s malicious activities by:
WildFire correctly identifies all related malware as malicious
The C2 infrastructure are classified as malicious in PAN-DB
Traps prevents exploitation of CVE-2012-0158
Autofocus customers can discover additional information on Tropic Trooper via the following AutoFocus tags:
I have just finished reading the CSX Fundamentals Study Guide, which ISACA provides for the CSX Fundamentals exam. I am impressed. When I hire entry level individuals to work for my company, I look for someone who has familiarity with the topics outlined in the guide. I don’t expect them to be an expert, but when we are tackling a subject as a team, I expect my employees to know the topic being discussed.
Over the years, my employees have been exposed to many cyber security issues, and for the most part, they understand the new ideas and are able to conduct research on them. This helps improve our company’s awareness of critical cyber security issues and what we can expect with the next issue we will have to evaluate or the next solution that we will have to implement. What I like about the CSX Fundamentals Study Guide is that it outlines those very key topics we are in the throes of working on every day.
Everything changes rapidly in technology; however, companies are not always on the cutting edge, and the subjects covered in the guide are works in progress. That means the guide and courses are preparing someone who is entertaining a cyber security career so that they can be versed in what is currently going on. I appreciate that as a hiring manager. I don’t expect an entry-level person to be certified with high-end skills or have extensive experience in a particular area. I do expect them to come on board and be able to acclimate to our environment and be part of the team working on such things as data loss prevention (DLP), mobile technologies and their use within the corporation.
I have expertise in forensics and encryption on my team; however, I need new hires to know the basics of why and how to use these technologies. The guide provides a good base of knowledge for these and other technologies where the expectation that an entry-level hire would be able to work with another team member and provide value in taking over some of the tasks.
Naturally, a new hire would need further training, that goes without saying, but the CSX Fundamentals Study Guide helps to put that person on the same page as the rest of a team in the cyber security community. I would also recommend using the guide in preparing for the exam. After instructing CISA and CISM courses for years, this guide seems to hit the fundamentals right on and would benefit the exam taker.
The CSX program is very meaningful to the cyber security field and I expect the courses ISACA is creating will boost the numbers in the profession.
The intent to enforce… something quite significant actually.
A first read and review of the news coverage around the United Kingdom’s (U.K.) new Cybersecurity Strategy earlier this month left many believing that there is little to report on cybersecurity from their new government. The initiatives articulated and the funding levels had already been publically discussed throughout the year, while any new intentions expressed in the strategy lacked detail.
My initial reaction was disappointment that Teresa May’s government did not see fit to add new funds to the £1.9 billion committed by the previous Chancellor in November last year. Given that Ms. May had been Home Secretary and her new Chancellor, Philip Hammond, Secretary of State for Defence, they clearly bring an informed view of how threats are evolving. Mr. Hammond even highlighted the elevated level of threats coming from state actors and terrorism in particular in his speech.
I have since had the chance to spend time absorbing the new strategy, and looking back to what was said in the original five-year plan, the difference is astonishing. Today, we have a narrative that reflects a much clearer understanding of the scope of the task ahead, something (ISC)² as a professional body has been working to articulate for some time. The government has also clearly laid out what it believes its job should be, and what it expects of the rest of us as professionals, businesses, innovators, and individual citizens. It is interesting that Hammond chose a technology innovation event – Microsoft’s Future Decoded conference – to announce the strategy, clearly working to reach an audience that is to be held accountable.
“Technology companies – many of whom are represented here today – must take responsibility for incorporating the best possible security measures into the design of their products.
Getting this right will be crucial to keeping Britain at the forefront of digital technology security – itself a growing business sector,” he said on the day.
The report itself details far more and specific expectations:
“Organisations and company boards are responsible for ensuring their networks are secure. They must identify critical systems and regularly assess their vulnerability against an evolving technological landscape and threat. They must invest in technology and their staff to reduce vulnerabilities in current and future systems, and in their supply chain, to maintain a level of cybersecurity proportionate to the risk. They must also have tested capabilities in place to respond if an attack happens.”
With reference to incident response, expectation is repeated again:
“It is the responsibility of organisation and company management, in both the public and private sector, to ensure their networks are secure and to exercise incident response plans.”
And again with reference to skills:
“…. employers also have a significant responsibility to clearly articulate their needs, as well as train and develop employees and young people entering the profession.”
Perhaps most crucially, the government laid out an intent to enforce what is expected. The document states unequivocally that market forces have not been and will not be enough to ensure the action required, and that government will work “in partnership with departments and regulators, who will assure whether cyber risk is being managed in their sectors to the level demanded by the national interest.” Further, the EU General Data Protection Regulation (GDPR) to be in force by May 2018 is cited as an effective lever to drive up standards and there is an intent to ensure that the industry acts and becomes “outcome” rather than “compliance” focused.
Cyber and information security professionals have been asking organisations for such a mandate for over two decades. The U.K. government has now given it to us. I encourage our membership and the cybersecurity community in general, whether they are working within the U.K. or not, to take the time to read the new U.K. Strategy; understand its intent, and take on an active role in assuring their organisations can do their part.
As I read through the document, I stopped wondering whether the Government thinks their budget commitments to cybersecurity are adequate. I don’t believe that they do. I suspect we didn’t see more funding because the government doesn’t yet know how much it will cost; because much of what they are doing should come with the evolution of the economy in a digital age; and because we need to see greater value from what has been committed to date to justify any increases in budget: There seems little justification to add to the public investment before the private sector begins to assume its role more definitively. I suspect we will see more public funds to committed this strategy, but not before fines for lack of action fuel public coffers.
By Adrian Davis, CISSP, Managing Director EMEA, (ISC)²
