Increased Cyber Awareness Must Lead to Equivalent Action

Recent and widely publicized cyber attacks must be the impetus for a renewed and more concerted and coordinated global commitment to strengthen cyber security capabilities.

In May, the WannaCry ransomware attacks struck, underscoring the potentially disastrous consequences for health care facilities and their patients when medical records and medical devices are compromised. June brought yet another major attack in Petya, originally characterized as another widespread ransomware attack, but later revealed to draw upon a form of malware that does not steal data but, in fact, destroys it.

These types of attacks, and those that will follow, accentuate the increasing concerns about the continued escalation of the global cyber security crisis. That crisis is no longer just about stealing money and data; it is now placing human lives at risk. While health care has been a primary target this time around, more threats loom in the potential for breaches or compromised access to industrial control systems, which could mean penetration of critical infrastructure such as electric utilities, oil and gas facilities, or nuclear energy plants. This shines a spotlight on the need for a unified global response now.

Amidst the challenges of the current threat landscape, there are promising signs that an increasing number of enterprise leaders and boards of directors are making the defense of their organization against ransomware and other cyber threats a top priority. ISACA’s State of Cyber Security 2017 research showed the percentage of organizations with Chief Information Security Officers (CISOs) is up to 65 percent, a 15-point rise over the year before. And in a micro-poll of the ISACA professional community in the immediate aftermath of the Petya incident, half of respondents indicated they took action after WannaCry to bolster their defenses – in case something like Petya showed up.

Additionally, half of the post-Petya poll respondents indicated their organizations provide ransomware awareness training to their staff, and more than half of organizations are applying software patches within the first week that they are available. That’s a good start. Promoting cyber security awareness and adhering to basic cyber security fundamentals needs to be as common in the global digital economy as seatbelts are in cars. We have a long way to go to make this the reality.

The past several months have created an aura of inevitability around major attacks, and more than 4 in 5 respondents to our micro-poll expect ransomware attacks to be even more prevalent in the second half of 2017. We cannot accept this level of havoc as a ‘new normal.’ Putting in place a viable incident response plan is critical, but what’s worthy of further investment is protection before an attack happens. Every organization should proactively employ cyber security awareness for all staff, performance-based cyber security skills training, timely hardware and software updates, and the hiring of the most highly skilled staff to ensure preparedness for the next attack, ransomware or otherwise. Start with an assumption that your organization will be the next target of a cyber attack.

Governments need to exhibit bold leadership and do more, too. This includes a commitment from G20 nations to expand cyber security research and training, and standardize some of the measures that individual nations are putting in place. G20 nations also should consider providing cyber security resources and support to nations that are not equipped to invest in themselves, as the connectivity of the global digital economy means all of us are in this together. This can help amplify the reach of encouraging efforts that are unfolding at national levels, such as the UK’s National Cyber Security Strategy and the recent executive order on cyber security in the US. Expanding public-private cyber security partnerships, while leveraging the resources of industry associations and academia, also should be part of the solution.

As a global community, we remain vulnerable to the cyber threats that already are here today, as well as the ones that will surface tomorrow. We cannot fall victim to cyber attack ‘fatigue’; attacks like the WannaCrys and Petyas cannot become “business as usual.” Cyber security is everybody’s business. Cyber security is more than pickpocketing; it’s a matter of public safety. Awareness must translate into resolve, not resignation. Only then will we make even greater leaps toward a more safe and secure future.

Editor’s note: This blog post by ISACA CEO Matt Loeb originally appeared in CSO.

Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA

[ISACA Now Blog]

Security Headlines: Hacking ATMs, HBO and more

ATMs, HBO, democracy … what can’t be hacked? Here are the top security headlines for the week of July 31, 2017:

[(ISC)² Blog]

Five Questions With Jigsaw CEO and CSX North America Keynoter Jared Cohen

Editor’s note: Jared Cohen, CEO of Jigsaw (the successor of Google Ideas), will deliver the opening keynote address at CSX North America 2017, which will take place 2-4 October in Washington D.C. Cohen, co-author of the New York Times best-selling book “The New Digital Age,” recently visited with ISACA Now about the cyber security skills gap, advancements in machine learning and his extensive world travels. The following is an edited transcript:

ISACA Now: How did Jigsaw come to be?
I was hired to Google in 2010 to build out a new division of the company called Google Ideas. I had gotten to know the CEO while I was still advising Hillary Clinton and we took a trip to Iraq together. It was a transformative trip because we both realized that the vast majority of future Internet users still had not yet come online, and companies like Google needed to be better prepared for that ubiquitous moment. I ran it as a think tank for many years and then a product organization. When the company restructured to become Alphabet, Jigsaw became the letter “J” in the Alphabet suite of companies. We are an engineering organization working on the cutting edge of AI, cyber security, and tackling some of the toughest global challenges with technology.

ISACA Now: What type of reaction have you received to The New Digital Age?
The New Digital Age captures the last mile of an access revolution that has been playing out for the past decade and a half. It is a book about the advent of technology and how it will impact war, terrorism, interactions between states, and so many other geopolitical trends. So much of what we wrote about and predicted in that book has happened faster than expected. So, I suppose the most common reaction I get from people is whether or not I’m surprised that the predictions came true as quickly as they did. I am.

ISACA Now: Which emerging technologies do you foresee being most impactful in the next 3-5 years?
This is a clear answer. The advancements in machine learning are going to be the most important innovation that defines the next decade. We are entering a ubiquitous moment where technology is everywhere and we are all mass producing data at record speed and volume. The combination of data and even bigger data, coupled with the ability to process that data through multiple machines and build deep neural nets, means that we will be able to build machine learning models to tackle challenges never before possible. Eventually we will reach something called inventive AI, where we train a machine on a particular type of data that enables it to tackle a broader set of challenges. This will have a profound impact on everything from security to health.

ISACA Now: The cyber security skills gap is well-documented. What are your thoughts on the best ways to influence more young people to pursue careers in cyber security?
Young people are ambitious and often want to work on the next zeitgeist. It doesn’t get more of the next zeitgeist than cyber security. It is a barren field that is ripe for innovation. It is also a field that bridges the technical and non-technical disciplines. It’s a skill set that will be desired by every sector, discipline and company. If every country in the future is also a technology company, then it is only as good as its security.

ISACA Now: You’ve traveled to more than 110 countries in your role advising two US Secretaries of State. How has all that travel influenced your view of the transformative potential of technology, from a global perspective?
I’ve seen first-hand how technology is transforming every society around the world, from the most connected to literally the least connected. What I’ve also learned is that the physical world shapes the digital world and vice versa. Every technology we build today has global implications. It expands the digital topography that complements the physical world we know. If all people are splitting their time between both worlds, it also means that the challenges of the physical world are spilling over online. In order to build technology responsibly and in a way that will have impact, we need to make sure we don’t lose the human intelligence side of things. For me, this means showing up places and asking questions, meeting people, and going to countries and places I haven’t visited.

[ISACA Now Blog]

Is the Cloud Moving Too Fast for Security?

In February 2017, a vulnerability in Slack was discovered which had the potential to expose the data of the company’s reported four million daily active users. Another incident in February, at the content delivery network Cloudflare, leaked sensitive customer data belonging to the millions of websites served by the company. On March 7, the WikiLeaks “Vault 7” release exposed 8,761 documents on alleged CIA hacking operations. On June 19, Deep Root Analytics, a conservative data firm, was found to have a misconfigured Amazon S3 storage bucket that housed information on 198 million U.S. voters. On July 12, Verizon had the same issue and announced a misconfigured Amazon S3 data repository at a third-party vendor that exposed the data of more than 14 million U.S. customers.

That’s at least five major cloud application and infrastructure data exposure incidents for 2017, and we’re only in July. Add in the number of ransomware and other attacks during the first half of this year and it’s clear the cloud has a real security problem.

By now, nearly everyone recognizes the benefits of the cloud: bringing new applications and infrastructure online quickly and scaling them to meet ever-changing business demands. Although highly valuable for the business side, when security teams lose control over how and where new services are implemented, the network is at risk and, subsequently, so is the data on it. Balancing the business’s need to move at the speed of the cloud against the need to maintain security controls is becoming increasingly difficult, and the spike in data exposures and breaches shows that security teams are struggling to secure cloud use.

The Slack vulnerability is a good example at the application level. Slack is simple to use and implement, which has driven the application’s record-breaking growth. Departments, teams, and small groups can easily spin up Slack without IT approval or support, and instances of the application can spread quickly across an organization. Slack patched the vulnerability identified in February before any known exposure occurred; had it been exploited, an attacker could have gained full access to and control over four million user accounts.

In the Verizon situation, a lack of control at the infrastructure level is what caused so many of the company’s customers to be exposed this month. When storage and servers can be brought online so easily and configured remotely by third-party partners, the right security settings can be missed or ignored.
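The Deep Root Analytics and Verizon incidents described above were not exploits of a software flaw; they were storage buckets whose access control let anyone on the internet read them. The following is an added example, not code from the original post and not Vaultive’s product: a small offline audit in Python that applies the two checks a security team would run across every bucket, the bucket ACL (grants to the AllUsers or AuthenticatedUsers groups) and the bucket policy (Allow statements with an anyone principal and a read or list action). In production the ACL and policy inputs would come from boto3’s get_bucket_acl and get_bucket_policy calls; here the bucket names, account ID, canonical user ID and policies are constructed sample data so the check runs without AWS credentials.

```python
"""Offline check for publicly readable S3 buckets (added example, not the post's code)."""
import json
from fnmatch import fnmatchcase

# Canned ACL groups: AllUsers is everyone on the internet, AuthenticatedUsers is
# anyone with any AWS account, which for practical purposes is also everyone.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a caller download or enumerate objects; policy actions are
# matched against these as glob patterns so "s3:Get*", "s3:*" and "*" all count.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def acl_public_grants(acl):
    """Return (group name, permission) for every ACL grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _grants_read(actions):
    actions = [actions] if isinstance(actions, str) else actions
    return any(fnmatchcase(r, a.lower()) for a in actions for r in READ_ACTIONS)


def policy_findings(policy_json):
    """Classify Allow statements that open a bucket to anyone.

    Returns (Sid, verdict) pairs: "public" for an unconditional grant to anyone,
    "review" when a Condition, NotAction or NotPrincipal is present, since a human
    has to judge whether it really limits who can read (aws:SourceIp does,
    aws:Referer is trivially spoofed).
    """
    if not policy_json:
        return []
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append((stmt.get("Sid"), "review"))
            continue
        if not _principal_is_anyone(stmt.get("Principal")) or not _grants_read(stmt.get("Action", [])):
            continue
        findings.append((stmt.get("Sid"), "review" if stmt.get("Condition") else "public"))
    return findings


def audit_bucket(name, acl, policy_json=None):
    """Combine the ACL and policy checks into one verdict per bucket."""
    acl_hits = acl_public_grants(acl)
    pol_hits = policy_findings(policy_json)
    if acl_hits or any(v == "public" for _, v in pol_hits):
        verdict = "public"
    elif pol_hits:
        verdict = "review"
    else:
        verdict = "private"
    return {"bucket": name, "verdict": verdict, "acl": acl_hits, "policy": pol_hits}


# ---- Constructed sample inputs, shaped like boto3 get_bucket_acl / get_bucket_policy output ----
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}  # made-up ID
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}]}
EXPOSED_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-export/*"}]})
ROLE_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EtlRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/etl-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-internal/*", "arn:aws:s3:::example-internal"]}]})
IP_SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:Get*",
     "Resource": "arn:aws:s3:::example-assets/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})

SAMPLE_BUCKETS = [
    ("example-voter-export", EXPOSED_ACL, None),          # public via ACL
    ("example-customer-export", PRIVATE_ACL, OPEN_POLICY),  # public via policy
    ("example-internal", PRIVATE_ACL, ROLE_ONLY_POLICY),    # private
    ("example-assets", PRIVATE_ACL, IP_SCOPED_POLICY),      # needs review
]


def audit_all(buckets=SAMPLE_BUCKETS):
    return {name: audit_bucket(name, acl, pol) for name, acl, pol in buckets}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(f"{name:26s} {result['verdict']:8s} acl={result['acl']} policy={result['policy']}")
```

The check is deliberately conservative: anything with a Condition goes to a reviewer rather than being dismissed, because a condition on a spoofable key is no protection at all. It also covers only the bucket ACL and bucket policy; individual object ACLs can open a single file in an otherwise private bucket, and the account-level public access block that AWS later added should be turned on as a backstop rather than relied on instead of auditing.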

As more businesses move to the cloud and as cloud services continue to grow, organizations must establish a unified set of cloud security and governance controls for business-critical SaaS applications and IaaS resources. In most cases, cloud providers will have stronger security than any individual company can maintain and manage on-premises. However, each new service comes with its own security capabilities, which can increase risk because of feature gaps or human error during configuration. Adding encryption and policy controls independently of the vendor is a proven way for organizations to entrust their data to a cloud provider without giving up control over who can access it, while also making sure employees are compliant when using SaaS applications. These controls allow businesses to move at the speed of the cloud without placing their data at risk.

The reality is that threats are increasing in frequency and severity. The people behind attacks are far more sophisticated and their intentions far more sinister. We, as individuals and businesses, entrust a mind-boggling amount of data to the cloud, but there is no way today to entirely prevent attackers from getting through the door at the service, infrastructure or software provider. Remaining in control of your data as it traverses all the cloud services you use is the safest thing you can do to protect your business. Because, in the end, if they can’t read it or use it, is data really data?

Doug Lane, Vice President/Product Marketing, Vaultive

[Cloud Security Alliance Blog]
