Building a Security Culture has Its Benefits

Since I created the Security Culture Framework in 2012 and open sourced it in 2013, the interest in security culture has exploded worldwide. When I first started in the industry, security culture professionals were but a small group of specialists in the US and Europe, discussing how we, based on our experience, built functional security cultures in organizations around the world.

Today, only a few years later, the interest in security culture is truly global, with a large number of organizations applying the principles of the framework to build and improve their security culture.

In my opinion it is important to accept the fact that all organizations have a security culture—whether they acknowledge it or not. This means that a poor security culture may have a negative impact on your organization, opening the organization up to external and internal risk and data breaches. A security culture can (and should) be improved, thus making the improvement a potential benefit.

Security culture is defined as the ideas, customs and social behavior of a group (organization) that keeps it secure. To be secure is one clear benefit of a security culture. What being secure really boils down to are the risk assessment, risk acceptance and risk mitigation strategies of the organization. No two organizations are the same in this respect. A risk-focused approach to security culture is a very good idea, as it allows you to direct your efforts to where they will make most sense for the organization.

An organization with a high risk appetite may choose to focus less on security culture than an organization with a low appetite. As long as they understand the short- and long-term outcomes of such a strategy, I have no problem with such a choice being made. The challenge arises when an organization is flying blind: it believes it is doing the right things, then wakes up brutally one morning to find all of its data records leaked to the press, and discovers on closer inspection that its awareness training programs worked very well for checking a box once a year but did very little, if anything, to build and improve its security culture.

Making informed choices is part of a security culture. Understanding the threat landscape, the risk strategy, and then transforming this into a security culture program is the way to build and improve security culture.

I plan to write future blogs that will discuss the principles of the security culture framework and my experiences building security cultures around the world. I will also take questions and provide answers to your security culture questions.

What is your experience building and improving a security culture? Do you see any settings where an organization could accept a lesser security culture? If so, why?

Editor’s note: Roer’s latest book, Build a Security Culture, is available for purchase at ISACA’s Bookstore.

Kai Roer, Security Culture Coach/Author, The Roer Group

[ISACA Now Blog]

Are the Security Issues Facing the Industrial IoT Over-Hyped?

At BlackHat last week, the good folks at CyberTECH invited me to participate in a panel discussion on securing the industrial internet of things, or IIoT. By now, we’ve all heard about the security concerns the manufacturing space has regarding the IIoT: millions of connected devices connecting to a corporate network every day to upload customer data could give cyber adversaries the entry point they need to compromise a network and wreak havoc.

As the panel conversation moved into the audience Q&A, it became apparent to me that most of the security experts in attendance viewed securing the IIoT as the responsibility of the OEMs building IIoT-enabled industrial equipment. This argument was usually followed by a complaint that those same OEMs don’t know anything about cybersecurity, so securing the IoT won’t be possible in the foreseeable future.

This discussion was very spirited. It was also, in my humble opinion, riddled with FUD and assumptions about securing the IIoT that are either inaccurate or simply not true. Securing the IIoT is possible, and it won’t require new gains in security technology to do so. Next-generation security solutions like the Palo Alto Next-Generation Security Platform are perfectly capable of securing the IIoT. The real challenge is getting the security industry to understand that.

Now, the IIoT will enable many devices that have been previously “dumb” to become “smart”; in other words, become equipped with sensors that gather data and connect to the internet so that data can be shared to enable new business models and opportunities. But I think it’s unreasonable to expect the engineers who design those devices to suddenly become experts in cybersecurity. It would be like me expecting my threat research team to become experts in industrial control solutions if they intend to provide threat intelligence to industrial customers.

At the end of the day, data on the IIoT is no different from data on the regular internet; it uses IP packets just like any other internet traffic. And malware delivered via the IIoT doesn’t present any new or unique threat that would require defenses beyond those used to stop malware delivered via more common means, like a spear phishing attack. If your security architecture uses a zero trust model and policy controls that enable the proper use of applications and data, it will still be able to identify malware as it moves through the various steps in the attack lifecycle and stop it.

To sum up, just because an attack on your network is coming from an IIoT-enabled HVAC system, and not a compromised laptop, that doesn’t mean your security architecture can’t stop it, provided it’s a next-generation security architecture designed to combat the methodologies used by today’s more advanced cyberattackers. So the next time the topic of IIoT cybersecurity comes up, everyone just take a deep breath and relax. With the right next-generation security platform in place, embracing the IIoT becomes a much less scary proposition.

[Palo Alto Networks Research Center]

Blockchain, a Technology Innovation That Can Change Everything

Sometimes a technology intended to fill one purpose is found to have much greater potential filling a different purpose; a potential so impactful that it could literally change everything. Blockchain, the underlying technology behind bitcoin, has that potential.

While changing everything is perhaps an overstatement, blockchain is seen as a technological solution to the centuries-old problem of how to create a secure and open ledger system of transactions.

Bitcoin is a cryptocurrency, which means it is a digital currency that uses encryption techniques to regulate the generation of currency units and verify fund transfers, all independent of a central bank. It exists completely outside of the government-controlled global monetary system in the world of bits and bytes, not as a physical entity.

Acceptance Growing
While bitcoin is an intangible that lives in the virtual world of the Internet, bitcoins have value and are used for commercial transactions and as an avenue for currency speculation. Technology giant Microsoft accepts bitcoins for purchases of apps, games and videos from Windows phones and Xbox platforms. Dell, in collaboration with Coinbase, accepts bitcoins, as do merchants such as Overstock.com, TigerDirect and French retailer Monoprix. Bitcoins can even be used to purchase gift cards, and some physical stores are beginning to accept bitcoin as a form of payment.

As of June 4th there were 15,617,825 mined bitcoins with a current value of $581.76 per coin, making the global value of bitcoins worth over $9 billion. Bitcoin represents a value greater than the national domestic product of many countries.

Ledger the Real Innovation
While bitcoin is a potential game changer, the real innovation is the technology behind bitcoin that creates the ledger of all coin transactions from the first coin created to the latest bitcoin transfer.

Blockchain, the technology that forms the basis of bitcoin, is an open, public and secure digital ledger that uses cryptography to create ledger entries unique to each individual and protected from intentional or accidental change. For example, when an individual buys, sells or trades bitcoins, they present ledger entries representing value to complete a transaction, which in turn is recorded as a blockchain entry. The up-to-date, transparent ledger is visible to all parties and shows the most recent transactions as well as the history of transactions.

Though it was first applied to bitcoin trading, blockchain has been found to be an enabling technology that can be used for a variety of applications with a number of advantages. Traditional ledger systems often depend on a third party, such as a clearing corporation, which matches buyers and sellers. Blockchain takes this “middle man” out of the equation, making the transaction more profitable by reducing the cost, while ensuring the transaction is legitimate and accurate.

Blockchain can be used wherever there is a ledger system to track transactions involving anything of value that needs to be traded securely. Applications could range across supply chain management, manufacturing, corporate treasury and trade finance. In the food industry, for example, blockchain could be used to ensure the integrity of the product throughout the supply chain. Banks may even transition to digital currency alone using the technology.
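To make the ledger property described above concrete, here is an added example (not from the original post, and not bitcoin's own implementation) of a minimal hash-chained ledger: every block commits to the hash of the block before it, so editing any historical entry breaks verification for that block and every block after it. The `Block`, `Ledger` and `compute_hash` names and the sample transactions are my own constructions.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Block:
    index: int
    timestamp: float
    entries: list        # transaction records: {"from": ..., "to": ..., "amount": ...}
    prev_hash: str       # hash of the preceding block (the "chain")
    hash: str = ""


def compute_hash(index: int, timestamp: float, entries: list, prev_hash: str) -> str:
    """Canonical SHA-256 over the block contents, including the previous hash."""
    payload = json.dumps(
        {"index": index, "timestamp": timestamp, "entries": entries, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


class Ledger:
    def __init__(self) -> None:
        # Genesis block: no entries, previous hash is all zeros by convention.
        self.chain: List[Block] = [self._make_block(0, [], "0" * 64)]

    def _make_block(self, index: int, entries: list, prev_hash: str) -> Block:
        ts = time.time()
        return Block(index, ts, entries, prev_hash, compute_hash(index, ts, entries, prev_hash))

    def append(self, entries: list) -> Block:
        """Record a batch of transactions as a new block linked to the current tip."""
        prev = self.chain[-1]
        block = self._make_block(prev.index + 1, entries, prev.hash)
        self.chain.append(block)
        return block

    def verify(self) -> Optional[int]:
        """Return None if the whole chain is consistent, else the index of the first bad block."""
        for i, b in enumerate(self.chain):
            if b.hash != compute_hash(b.index, b.timestamp, b.entries, b.prev_hash):
                return i                       # contents no longer match the recorded hash
            if i > 0 and b.prev_hash != self.chain[i - 1].hash:
                return i                       # link to the previous block is broken
        return None

    def balance(self, party: str) -> int:
        """Every party can derive balances from the full visible history."""
        total = 0
        for b in self.chain:
            for e in b.entries:
                total += e["amount"] if e["to"] == party else 0
                total -= e["amount"] if e["from"] == party else 0
        return total


if __name__ == "__main__":
    ledger = Ledger()
    ledger.append([{"from": "alice", "to": "bob", "amount": 5}])   # constructed sample data
    ledger.append([{"from": "bob", "to": "carol", "amount": 2}])
    print("chain ok:", ledger.verify() is None, "bob:", ledger.balance("bob"))
    ledger.chain[1].entries[0]["amount"] = 50                       # tamper with history
    print("first bad block after tampering:", ledger.verify())
```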

Enabling Micropayments
It also has implications for the “unbanked.” By enabling micropayment capabilities (to the millionth of a cent), blockchain can enable people to make transactions that previously were impossible, due to the monetary units involved.

Of all the emerging technologies we’re currently seeing, blockchain has the potential to have the biggest impact on businesses and society at large. Enterprises are increasingly looking at how they can adopt this technology and revolutionize how they deliver products and services. As such, audit and risk professionals need to ensure they can bring knowledge and perspective to that conversation.

Editor’s note: Hale will present a session titled What Is Blockchain and What Are the GRC Implications at the 2016 Governance, Risk and Control Conference 22-24 August in Fort Lauderdale, FL, USA.

Ron Hale Ph.D., CISM, ISACA Chief Knowledge Officer

[ISACA Now Blog]

Traps v3.4: New Features Help Prevent Cyberattacks on Banks

In recent months, reports of several breaches at SWIFT (Society for Worldwide Interbank Financial Telecommunications) member banks have come to light. Across these incidents, local security was compromised, and valid credentials were stolen and used to initiate fraudulent transfers.

These attacks bear the hallmarks of an account takeover (ATO), in which a cybercriminal impersonates a valid customer. Some of the best practices to combat ATO include patching security vulnerabilities, network segmentation, and multi-factor authentication. Among financial institutions, especially the larger ones, timely software patching has been a challenge due to rigorous testing requirements, limited change windows, and the sheer quantity and geographically dispersed nature of the laptops, desktops and servers. Although there is growing interest in network segmentation for cybersecurity, actual implementations are rare as most institutions still have flat networks. Multi-factor authentication is common for remote access to the corporate network but is atypical inside the perimeter.

Combating ATO Attacks

Since some of the best practices to address ATO tactics are not in place at many financial institutions, another approach is to use advanced endpoint protection on the laptops, desktops and servers themselves. These devices are the focus of at least two phases of the typical cyberattack lifecycle. End users and their devices are targeted by spear-phishing, drive-by downloads and social engineering. Exploits and malware are introduced to compromise the endpoint. The cybercriminal then uses this as a beachhead to hunt for valuable information or compromise other vulnerable systems (servers) within the network. In financial institutions, antivirus solutions have been a staple for many years on endpoint devices but have proven to be ineffective in protecting them as security breaches are still on the rise.

Multi-Method Prevention

Thanks to recent enhancements, Traps (version 3.4) now uses a multi-method prevention approach that combines the most effective, purpose-built malware and exploit prevention methods to protect endpoints from known and unknown threats. As financial institutions continue to be a favorite target for cyberattacks, improving advanced endpoint protection is well worthwhile. Traps prevents end users from inadvertently running malware or exploits that compromise their systems.

Traps multi-method prevention for malware includes the following five techniques.

  1. Static Analysis via Machine Learning: This method delivers an instantaneous verdict on any unknown executable file before it is allowed to run. By examining hundreds of the file’s characteristics in a fraction of a second, this method determines if it is likely to be malicious or benign without reliance on signatures, scanning or behavioral analysis.
  2. WildFire Inspection and Analysis: Traps works in concert with WildFire to determine whether an executable file is malicious. WildFire can eliminate the threat of the unknown by transforming it into a known threat in about 5 minutes. The automatic reprogramming of Traps, and the conversion of threat intelligence into prevention, all but eliminates the opportunity for an attacker to use unknown and advanced malware to infect a system.
  3. Trusted Publisher Execution Restrictions: This method allows organizations to identify executable files that are among the “unknown good” because they are published and digitally signed by entities that Palo Alto Networks recognizes as reputable software publishers.
  4. Policy-Based Execution Restrictions: Organizations can easily define policies to restrict specific execution scenarios, thereby reducing the attack surface of any environment. An example would be to prevent the execution of a particular file type directly from a USB drive.
  5. Admin Override Policies: This method allows organizations to define policies, based on the hash of an executable file, to control what is allowed to run in any environment and what is not.

For multi-method exploit prevention, Traps provides the following approaches:

  1. Memory Corruption/Manipulation Prevention: Memory corruption is a category of exploitation techniques where the exploit manipulates the operating system’s normal memory management mechanisms for the application opening the weaponized data file that contains the exploit. This prevention method recognizes and stops these exploitation techniques before they have a chance to subvert the application.
  2. Logic Flaw Prevention: Logic flaw is a category of exploitation techniques that allow the exploit to manipulate the operating system’s normal processes, which are used to support and execute the target application opening the weaponized data file. For example, the exploit may alter the location where dynamic link libraries (DLLs) are loaded from into an application’s execution environment so that the exploit’s malicious DLLs can replace legitimate ones. This prevention method recognizes these exploitation techniques and stops them before they succeed.
  3. Malicious Code Execution Prevention: In most cases, the end goal of an exploit is to execute some arbitrary code — the attacker’s commands that are embedded in the exploit data file. This prevention method recognizes the exploitation techniques that allow the attacker’s malicious code to execute and blocks them before they succeed.

Additionally, Traps is now able to quarantine malicious executable files to stop any further propagation, and allows organizations to prevent non-malicious but otherwise undesirable software (e.g., adware) from executing.

In Lieu of Patch Management

As stated earlier, software patch management of endpoints is an ongoing challenge for financial institutions. This is further exacerbated by the sheer volume of ATMs that also need to be patched. Although efforts were launched to upgrade or replace ATMs based on Windows XP, which has been unsupported since April 2014, it would not be surprising to see some of these ATMs still in service today. (As of April 2015, an estimated 75%, or 2.2 million, of the world’s ATMs still ran Windows XP.) To protect those ATMs that have yet to or won’t be upgraded, Traps can be installed as a compensating control to prevent the exploitation of both known and unknown vulnerabilities. Traps would also provide the same benefit to other systems that are behind in or no longer eligible for software patching.

In Lieu of or Addition to Network Segmentation

In many financial institutions, ATMs are not truly segmented from the rest of the corporate network. As mentioned earlier, many financial institutions still have flat and open internal networks. Network segmentation is highly recommended and would certainly help limit the exposure in the event of a compromise. However, yet another layer of defense is advanced endpoint protection for the laptops, desktops and servers. Traps, with its multi-method prevention approach, stops the techniques at the core of these attacks, instead of focusing on the millions of unique malware and exploit samples themselves. Consequently, Traps prevents sophisticated, targeted and never-before-seen attacks from compromising an endpoint. At the end of the day, the endpoints hold the resources (e.g., confidential data, customer PII, and financial transactions) that are most interesting to the cyber attackers. Protecting the endpoints from compromise is a foundation of a sound cybersecurity policy and a cornerstone of the Palo Alto Networks Next-Generation Security Platform.

Secure Your Endpoints

By bridging the communication gap between the endpoint and the network, and by integrating with the WildFire unknown malware analysis environment to increase visibility, Traps prevents new threats from compromising an endpoint. Traps integration with the Palo Alto Networks Next-Generation Security Platform allows organizations to continuously share the growing threat intelligence gained from thousands of enterprise customers, across both their networks and endpoints, to coordinate prevention and response. So whether your financial institution has implemented one or more of the best practices to address ATO attacks, give some further consideration to the ability of Traps to prevent endpoint cyber breaches by blocking both known and unknown threats.

[Palo Alto Networks Research Center]

Opportunity for Young People

In recent years, many young people have felt disenfranchised and robbed of opportunities to pursue career ambitions. This sits in contrast to the fast-developing field of cybersecurity, where hiring managers regularly report staff shortages and lead times of over six months to fill positions.

Cybersecurity is fundamental to the digital economy, but the (ISC)² Global Information Security Workforce Study forecasts a growing workforce shortage of 1.5 million by 2020. As cybersecurity is a relatively new discipline, most organisations look for a minimum of three to five years’ experience, as well as a good understanding of cybersecurity concepts for the roles they are creating. Newcomers struggle to get these roles as employers find it difficult to judge their instincts. Often only the largest employers can consider entry-level or graduate training, which only goes so far in meeting the needs of a growing digital economy. There are few opportunities for young people or the uninitiated to step into this career opportunity and meet the need.

Directed by our EMEA Advisory Council, we have been working with universities across the United Kingdom to both inspire interest in and improve access to our field. We take, as our model, established professions such as engineering, that support the development of three and four-year university courses. These not only teach fundamentals, but also serve as a filter for people who have the right instincts. Graduates move into a workplace that has a level of confidence in them, whilst the professional community supports their ongoing development. Our aim is to mature cybersecurity in this same manner.

Working with the Council of Professors and Heads of Computing (CPHC), our efforts brought industry, academia, professional bodies and several government departments together to define Principles and Learning Outcomes for undergraduate computing science degrees (published in June 2015). Realising their importance, BCS, the Chartered Institute for IT, a key participant, immediately included the Principles within their degree accreditation guidelines. Cybersecurity is now a mandatory component of most computing science degrees in the U.K., affecting 20,000 new graduates a year.

Publication was followed by a curriculum development roadshow this year supported by the U.K. Office of Cyber Security and Information Assurance (Cabinet Office), where a real will to champion and embed cybersecurity concepts more comprehensively was expressed by 60 of the approximately 100 U.K. universities that teach computing science. Not everyone who pursues a computing science degree will choose a career in cybersecurity. This effort aims to address a breadth of need and motivate the development of a cyber-competent society, including interested and skilled individuals who will be able to secure it. It will also boost employer confidence in graduates with inherent instincts for security as they pursue careers in IT.

The ambition doesn’t stop with computing science: there is now interest in integrating cybersecurity in business degrees. Knowing the fundamentals of our field is becoming critical to nearly every professional vocation.

By Dr. Adrian Davis, CISSP, Managing Director, EMEA, (ISC)²

[(ISC)² Blog]