Customer Spotlight: Law Firm Thwarts Ransomware with Traps Advanced Endpoint Protection

Pérez-Llorca, one of the premier law firms in Spain, needed a solution that prevents the loss of sensitive client information, blocks ransomware and other cyberthreats, and avoids the cost of remediating successful attacks. On several occasions, ransomware had successfully infected the firm’s computers. A robust backup system allowed each infected machine to be rebuilt without paying the ransom, and no data was lost to encryption, but every successful attack was costly in lost lawyer productivity and drained IT time.

It was in light of these costly incidents that Aitor Lasala, Chief Technology Officer at Pérez-Llorca, decided that the antivirus solution currently deployed on the firm’s endpoints was no longer adequate. Lasala consulted with Palo Alto Networks partner Grupo Antea, a firm Pérez-Llorca often relied on to assist in technology matters, for their opinion. After assessing Pérez-Llorca’s needs, Grupo Antea recommended Palo Alto Networks Traps advanced endpoint protection.

“The POC test convinced us that the Palo Alto Networks solution met all of our needs. Traps stopped every piece of known and unknown malware that had previously infected our endpoints. At the same time, Traps recognized our critical applications and allowed them to execute unimpeded.”

– Aitor Lasala, Chief Technology Officer at Pérez-Llorca

Find out how the firm was able to prevent successful ransomware attacks by deploying Palo Alto Networks Traps advanced endpoint protection by reading the Pérez-Llorca Customer Case Study.

[Palo Alto Networks Research Center]

Talking it Out: Millennials, Certifications and Careers

Editor’s note: ISACA Now recently moderated a conversation among a trio of millennials to discuss topics including professional development, networking, certification and how their generation differs from others when it comes to career priorities and workplace dynamics. The following is the first installment of the two-part conversation – edited for length and clarity – between Ashley Spangler, CISA, CISM, CRISC, SunTrust Banks, Inc., AVP Information Security; Leigh Ann Montgomery, CISA, Solutions Architect, and Mick Gomm, CISA, GWEB, PMP, Sr. Information Security Engineer and Board Member, ISACA Utah Chapter.

ISACA Now: Why did you decide to pursue certification at a relatively young age?
AS: Both of my degrees are in accounting and information systems. The firm I started to work for was creating this information security and assurance services group. I originally applied for a financial audit position and was not picked. However, they liked my background in information systems so they were like ‘Hey, why don’t you come join our team?’ Of course, I was completely green and didn’t really know what I was getting into. When I first got there, they said ‘You need to start working on certifications.’ I met an individual through ISACA, which is how I got intertwined with being a volunteer board member for the Nashville location, and I just started to learn more about the different certifications which were available in the information security industry. … I didn’t like being the only person that didn’t have a certification and especially when my name and bio would be listed on a statement of qualifications for bidding on work. CISA was most prominent in the information security assurance world that I was in at that point, so I made that my target for my first certification. So, I really looked at it, one, as validation for myself and what I was doing, and secondly for helping our group’s chances of winning engagements.

LAM: I was mentored by the president at the time of the North Texas ISACA chapter … He invited me to a meeting and talked about the different certifications, and mentored me through taking the CISA certification. Through that process, I really got to know my internal audit team of my company at the time. I took the test both to grow my knowledge of that type of audit and really understand what the terms were, and how to best get the information and pull evidence. It helped me in my day-to-day job and definitely added an acronym after my name, and got me exposed to a lot of really great people and networking in the process.

MG: I started out in audit consulting, and kind of the baseline or the bar to working in that space is an audit certification, and CISA is the most recognizable and known. I think the IT audit and information security industries really just look for that, especially in the past few years. Having multiple certifications is almost a barrier to entry. That’s why I got my third certification, the CISA, because starting in consulting, they were like ‘Alright, the first thing you need to work on is getting your CISA.’ Certifications like CISA are important, but I also think the industry is headed toward requiring additional specialization in specific technologies and spaces.

ISACA Now: How does your certification help you most on a daily basis?
LAM: On a day-to-day basis, part of my job is to build security programs and security awareness programs for other companies, and I always try to do that with audit principles in mind. Make a program metrics-driven, and seeing how we can improve year over year and clearly think about how, from an auditor’s perspective, I can make my suggestions for other companies with those basic audit recommendation principles in mind. So, I go back to what I learned during my CISA certification studying. A lot of the language that I use for these types of recommendations is very similar to what I learned, so it definitely helps me communicate not only with security professionals, but audit professionals, and executives from both of those sides.

AS: It seems like there are so many moving pieces and parts within our enterprise, constantly dealing with different lines of business and their needs. I think having the CISA, CRISC and the CISM may have been most helpful in giving me those multi-faceted knowledge bases which I can leverage to solve problems for the various lines of business and segments of our bank. Overall, from a career perspective it helps solidify the knowledge that I use in solving those problems. I think people see my work in combination with the certifications as a justification of my value that I bring to the table, especially being a millennial.

ISACA Now: Can you elaborate on that?
AS: I don’t know if you’ve ever heard this, but the way I’ve heard it and thought about it is a lot of Baby Boomers and Gen Xers, they kind of have a strange feeling regarding millennials and how we impact the workforce. We’re essentially change agents and we’re ambitious and we want to impact our organizations in a positive way, and ultimately some of us want to be able to change the world. We don’t necessarily climb that ‘career ladder’ that older employees or Gen Xers climb; we essentially just take the elevator. We don’t like the red tape. We don’t like the bureaucratic processes. We’re always looking for bigger and better ways to do things. In my situation, being as young as I am and having the certifications but not necessarily having extensive experience, it helps stabilize my footing when I’m interacting with more seasoned professionals.

LAM: I would absolutely agree with you, Ashley. Often I’m looked at as very young in the field and therefore very inexperienced. I think having the CISA and serving on my local ISACA board have really helped to get my name out there.

MG: I totally agree. When you meet face-to-face and people realize how young you are, they’re like ‘Oh, you’re not qualified.’ But when you have certifications, people pay attention more. You have more clout in those situations, especially when you’re interacting with other companies or vendors and you introduce yourself on a phone call, and somebody asks that question ‘What credentials do you have?’, it’s always nice to be able to respond that you have multiple certifications because people in the industry know what the certifications are and what they mean. I also think the industry is leaning toward the certifications being less book knowledge and more hands-on technical knowledge, which I think is really good.

AS: I can’t agree with you more about those times where, working in a larger organization, we have a little over 33,000 employees, and I speak with a lot of people on the phone, and when I meet them in person, they always say ‘Don’t take this wrong, but you sound so old’ or ‘I can’t believe how young you are.’ I’ve had that happen quite a bit.

LAM: My company works with many global organizations and currently we’re expanding into the Asia Pacific region. Especially with my age and length of experience, I find that when I speak to audit members or different security team members in that region about having CISA certification, they’re very impressed and willing to work with me when before they might not have been as willing. So, it definitely has helped me prove myself as a consultant trying to get into those types of deals. Despite any cultural differences, I have found that having a particular certification and serving on [an ISACA chapter board] has opened up a lot of communication with people who are very different from me. Being able to gain that common ground has been really interesting and has really opened a lot of doors.

[ISACA Now Blog]

People Are Not IP Addresses…So Why Do Security Solutions Think They Are?

Attackers are erasing the contents of Internet-exposed MongoDB databases and replacing them with a note demanding a Bitcoin ransom for restoration. It also appears that victims who pay often do not get their data back, and that multiple attackers are overwriting each other’s ransom demands. These databases are of course important to their owners, and the attacks are clearly a headache for them. Hopefully they have backups.

Let’s explore this situation a bit more, and then step back for some analysis.

Here’s What We Know

There is no indication of a vulnerability in MongoDB itself; rather, these systems accept administrative connections from any IP address and are (mis)configured with either no authentication or default credentials. There are a large number of such systems: Internet service search engines show approximately 100,000 exposed instances, and several independent security researchers had identified over 27,000 hijacked instances as of January 8, a number that is growing daily.

Putting aside the mistaken configuration that allowed access with no or weak authentication, let’s look at this from a user access and network perspective. At the risk of stating the obvious, these systems are Internet-facing either intentionally or unintentionally. If intentionally, their admins clearly require remote access, and therefore these systems must expose some network service.

“People are not IP addresses!”
— Jason Garbis, Vice President of Products at Cryptzone

The problem comes down to how access is restricted, and the realization that relying solely on authentication is not enough. Too many systems are either misconfigured (as appears to be the case with these MongoDB instances) or subject to vulnerabilities, so enterprises need to limit access at the network level as well. The issue is that network security tools are built around controlling access by IP address, yet the problem we need to solve is how people (identities) access these systems. And people are not IP addresses!

If these databases were unintentionally exposed to the Internet, then no remote access over the Internet is required: either admins have local system access, or they rely on another mechanism such as being on a LAN or reaching the network through a VPN. Yet these systems are exposed directly to the Internet, and therefore are not likely to be on an internal corporate network. Looking at the discovered instances on Shodan, many of them have IP addresses associated with cloud or hosting providers!

This is an interesting pattern. Because cloud network access is managed by IP address, users may simply be setting their cloud security groups to permit inbound connections to the MongoDB port (27017 by default) from anyone on the Internet, much to their detriment, as this attack shows.

Clearly, configuring a database not to require authentication is a problem, but vulnerabilities are regularly found even in properly secured and properly configured systems. It’s time to realize that the bigger problem is allowing unauthorized users network access to these systems in the first place. Why are 100,000 instances of MongoDB reachable by a public scan? I suggest that most of them were never intended for public access.
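The exposure pattern described above comes down to three settings: what interfaces mongod binds to, whether authorization is enabled, and what the cloud security group admits. As an added example (not code from the original post or from MongoDB), the following Python audits those three settings and shows the weak configuration beside a hardened one. The config dictionaries mirror the `net` and `security` sections of `mongod.conf`; the security-group rule shape and all addresses are constructed for illustration.

```python
# Added example, not part of the original post: audit the mongod settings and the
# cloud security-group rules behind the "open MongoDB" pattern, weak vs. hardened.
from dataclasses import dataclass

MONGO_PORT = 27017  # MongoDB's default listening port


@dataclass
class SecurityGroupRule:
    """One inbound security-group rule (constructed shape for this example)."""
    protocol: str    # "tcp", "udp" or "-1" meaning all traffic
    from_port: int
    to_port: int
    cidr: str


def rule_reaches_mongo(rule):
    """True if the rule admits traffic to the MongoDB port."""
    if rule.protocol == "-1":          # all-traffic rule covers every port
        return True
    return rule.protocol == "tcp" and rule.from_port <= MONGO_PORT <= rule.to_port


def audit_mongod(net, security, rules):
    """Return a list of findings; an empty list means the obvious holes are closed.

    net and security mirror the 'net' and 'security' sections of mongod.conf;
    rules are the inbound security-group rules in front of the host.
    """
    findings = []
    bind_ip = net.get("bindIp")
    if net.get("bindIpAll") or bind_ip in ("0.0.0.0", "::"):
        findings.append("net.bindIp: mongod listens on all interfaces")
    elif bind_ip is None:
        findings.append("net.bindIp not set (mongod before 3.6 listened on all interfaces by default)")
    if security.get("authorization") != "enabled":
        findings.append("security.authorization not enabled: anyone who can connect has admin access")
    for rule in rules:
        if rule_reaches_mongo(rule) and rule.cidr in ("0.0.0.0/0", "::/0"):
            findings.append(f"security group admits {rule.cidr} to port {MONGO_PORT}")
    return findings


# Constructed: the configuration the post describes (all interfaces, no auth, open to the world)
WEAK_NET = {"bindIp": "0.0.0.0", "port": MONGO_PORT}
WEAK_SECURITY = {}
WEAK_RULES = [SecurityGroupRule("tcp", MONGO_PORT, MONGO_PORT, "0.0.0.0/0")]

# Constructed: hardened equivalent (loopback plus one private address, auth on, app subnet only)
HARDENED_NET = {"bindIp": "127.0.0.1,10.0.1.5", "port": MONGO_PORT}
HARDENED_SECURITY = {"authorization": "enabled"}
HARDENED_RULES = [SecurityGroupRule("tcp", MONGO_PORT, MONGO_PORT, "10.0.1.0/24")]

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_NET, WEAK_SECURITY, WEAK_RULES)),
                        ("hardened", (HARDENED_NET, HARDENED_SECURITY, HARDENED_RULES))):
        print(label, audit_mongod(*args) or ["no findings"])
```

The audit treats a missing `bindIp` as a finding rather than assuming a safe default, because the safe default only arrived later; the hardened set closes the host-level hole and the network-level hole independently, which is the layered point the post is making.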

The ability to access a service on the network is a privilege, and it must be treated as such. The principle of least privilege demands that we prevent unauthorized users from scanning, connecting to, or accessing our services. Following this principle will dramatically reduce the ability of attackers to exploit misconfigurations or vulnerabilities.

But there’s a problem. There is a disconnect between how we need to model users – as people – and our network security systems, which are centered on IP addresses. And, to repeat myself, people are not IP addresses.

Let’s Bring This Together

Organizations need to secure network access in an identity-centric way, and in a way that’s driven by automated policies so that users – who are people – get appropriate access. Network security systems must be able to do this, and allow us to easily limit user access to the minimum necessary.

The good news is that this is achievable today. The Software-Defined Perimeter (SDP) – an open specification published by the Cloud Security Alliance – defines a model where network access is controlled in an identity-centric way. Every user obtains a dynamically adjusted network perimeter that’s individualized based on their specific requirements and entitlements. The Software-Defined Perimeter is well-suited to cloud environments; network services such as MongoDB can be easily protected by SDP network gateways.

With SDP, organizations can easily define policies that control which users get access to these database instances, and prevent all unauthorized users from scanning or accessing these services – even if they’re misconfigured and don’t require authentication. And, because this access is built around users, not IP addresses, authorized users can securely access these systems from anywhere, with strong authentication enforced at the network level.
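To make the identity-centric model concrete, here is an added example (not code from Cryptzone or from the CSA specification) of the decision an SDP gateway makes in front of a service: the per-user perimeter is computed from the authenticated identity and its entitlements, the source IP is recorded but never consulted, and an unauthenticated connection gets an empty perimeter, so a scanner finds nothing to talk to even when the database behind the gateway requires no authentication. Users, groups, services, addresses and the policy table are all constructed for illustration.

```python
# Added example, not part of the original post: an identity-centric access decision
# in the Software-Defined Perimeter spirit. Policy, identities and addresses are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """An authenticated person. mfa_verified reflects strong authentication at the gateway."""
    user: str
    groups: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Service:
    name: str
    host: str
    port: int


# Constructed entitlement policy: which groups may reach which service, and whether
# strong (MFA) authentication is required for it.
POLICY = {
    "mongo-prod":    {"groups": {"dba"},        "require_mfa": True},
    "mongo-staging": {"groups": {"dba", "dev"}, "require_mfa": False},
}
SERVICES = {
    "mongo-prod":    Service("mongo-prod", "10.0.1.5", 27017),
    "mongo-staging": Service("mongo-staging", "10.0.2.5", 27017),
}


def perimeter_for(identity):
    """The individualized perimeter: the set of service names this identity may reach.

    None (no authenticated identity) yields an empty set, so unauthenticated traffic,
    including scans, is dropped before it ever reaches a service.
    """
    if identity is None:
        return set()
    allowed = set()
    for name, rule in POLICY.items():
        in_group = bool(identity.groups & rule["groups"])
        strong_enough = identity.mfa_verified or not rule["require_mfa"]
        if in_group and strong_enough:
            allowed.add(name)
    return allowed


def gateway_decision(identity, service_name, source_ip):
    """Allow/deny for one connection attempt.

    source_ip is kept for the audit record only; the decision depends on who the
    person is and what they are entitled to, so the same user is admitted from any address.
    """
    allow = service_name in perimeter_for(identity) and service_name in SERVICES
    target = SERVICES.get(service_name)
    return {
        "user": identity.user if identity else "<unauthenticated>",
        "service": service_name,
        "target": f"{target.host}:{target.port}" if target else None,
        "source_ip": source_ip,
        "allow": allow,
    }


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"dba"}), mfa_verified=True)
    print(gateway_decision(alice, "mongo-prod", "203.0.113.7"))   # allowed, from a coffee shop
    print(gateway_decision(None, "mongo-prod", "198.51.100.9"))   # denied: nobody to authorize
```

Note that the policy table references people and groups, never CIDR blocks; moving a user between offices, VPNs or cloud regions changes nothing in the policy, which is the practical meaning of "people are not IP addresses".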

We’ll never be completely safe in our hyper-connected world, but we’re unnecessarily making things harder for ourselves, as this latest attack shows. We need to take a new, identity-centric approach to network security, and the Software-Defined Perimeter model provides exactly this. Putting this in place will go a long way towards making our systems more secure while keeping our users productive.

Jason Garbis, Vice President of Products, Cryptzone

[Cloud Security Alliance Blog]

(ISC)² Board of Directors Elect 2017 Officers


International team of security professionals elected to lead governing body;
Wim Remes elected chair for third time in four years

Clearwater, FL, January 18, 2017 — (ISC)²® today announced the newly elected officers for its board of directors. The 13-member board provides governance and oversight for the organization, grants certifications to qualifying candidates, and enforces adherence to the (ISC)² Code of Ethics.

Effective January 14, 2017, the following individuals assumed board officer positions:

  • Chairperson:  Wim Remes, CISSP (Belgium)
  • Vice Chairperson:  Jennifer Minella, CISSP (USA)
  • Treasurer:  Allison Miller, CISSP (USA)
  • Secretary:  Dr. Kevin Charest, CISSP, HCISPP (USA)

“I would like to express my sincere gratitude to the outgoing board officers for all of their efforts to strengthen (ISC)² and for their ongoing commitment to advancing the profession,” said (ISC)² CEO David Shearer. “I also thank Greg Mazzone, Richard Nealon, Howard Schmidt and Freddy Tan, whose board terms ended in December, for their many contributions. I look forward to working with the new officers over the next year as they help us advance the organization.”

Members of the (ISC)² Board of Directors are elected each year from among the organization’s global membership. The board is comprised of (ISC)²-certified volunteers who are industry leaders from around the globe representing business, government and academia. Visit the (ISC)² website for a complete list of current board members.

###

About (ISC)²

(ISC)²® is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, programmatic approach to security. Our membership, over 123,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the public through our charitable foundation, The Center for Cyber Safety and Education™. For more information about (ISC)² visit www.isc2.org, follow us on Twitter or connect with us on Facebook.


© 2017 (ISC)² Inc., (ISC)², CISSP, SSCP, CCSP, CAP, CSSLP, HCISPP, CCFP, ISSAP, ISSEP, ISSP and CBK are registered marks of (ISC)², Inc.

Media Contact

Maria Forrest
Senior Manager, Corporate Communications
(ISC)²
mforrest@isc2.org

(727) 201-5759

[(ISC)² Press Release]

Work Hard, Have Fun and Learn with New CISA Online Review Course

At the very end of his 2010 speech at the iPad’s debut, Steve Jobs mused on the secret to Apple’s success: “It’s in Apple’s DNA that technology alone is not enough. It’s technology married with liberal arts, married with the humanities, that yields the results that make our hearts sing.” [1]

Now I’m not foolish enough to even begin to compare myself to Steve Jobs, but I do know a thing or two about technology, and I have updated the CISA Review Manual for the new 2016 job practices. I also was part of a team brought together to work on the new CISA Online Review Course. Individually, we may not be Steve Jobs, but together we hoped to be inspired by his vision.

The CISA Online Review Course, which will be available later this month, prepares learners to pass the CISA exam using proven instructional design techniques and interactive activities. The online, self-paced course allows learners to prepare for the exam at a time and location that suits their needs. The course keeps track of where learners last left off, and includes a video, interactive content, downloadable workbooks and job aids, case study activities and a practice exam.

We began working on the course in April 2016. I still had my day job, so it involved some long nights and some even longer weekends. My email seemed to be constantly pinging, and once a week, I gave up my lunch break to participate in conference calls with ISACA HQ. It was hard work! But you know what? It also was great fun!

Several of the conference calls resulted in some great ideas that came about due to the intersection of our different strengths. Further, a few times, I would develop something and go to bed tired but thinking “I’ve really nailed that,” only for it to somehow inspire the more creative people in the team, who would suggest changes that only served to further enhance the course.

Becoming a Certified Information Systems Auditor is by no means easy. When studying for your CISA, it will be your turn to work late nights and weekends. It will be your turn to work hard, to learn and (hopefully) have fun. I believe the new CISA Online Review Course will help.

When you read some of the case studies, smile and remember that you read this blog. More than that, remember what you just learned while you smiled, and smile again when that question comes up in your CISA examination. Good luck in your studies!

Editor’s note: The new CISA Online Review Course will be available later this month at www.isaca.org/Education/on-demand-learning/Pages/default.aspx.

Registration is open for the first testing window of 2017 for ISACA’s core certifications. Exams for CISA, CISM, CGEIT and CRISC will be offered in 2017 at PSI testing locations worldwide during three, eight-week testing windows. The first testing window will be 1 May-30 June, with 28 February marking the early registration deadline. Exam registration via the ISACA website is available at www.isaca.org/examreg.

[1] www.wsj.com/articles/SB10001424053111904875404576532342684923826

Ian Cooke, CISA, CGEIT, CRISC, COBIT Foundation, CFE, CPTS, DipFM, ITIL Foundation, Six Sigma Green Belt, Group IT Audit Manager

[ISACA Now Blog]
