Lightning may not strike twice, but cybercrime certainly does. The latest example: A year after the major hack of the U.S. Office of Personnel Management (OPM), cyber criminals are again targeting individuals impacted by the OPM breach with ransomware attacks.
In the new attack, a phishing email impersonates an OPM official, warning victims of possible fraud and asking them to review an attached document—which, of course, launches the ransomware.
OPM attack part of bigger trends in ransomware
The new round of attacks could come from two sources—both are part of trends in ransomware.
The long con: The first scenario is that the same individuals that executed the original OPM hack are now launching these ransomware attacks. If this is the case, it at least alleviates some concerns that the OPM hack was state-sponsored cyberterrorism and/or a sign of a new kind of “cold war.” But the trend toward this type of “long con” is scary in its own right. Users are already more likely than ever to “click the link”—now patient cyber criminals are using hacked data to deploy extremely authentic phishing scams.
The “kick ‘em while they’re down” attack: It’s more likely that the OPM ransomware attack is just an example of enterprising cybercriminals seeing vulnerability in the already-victimized. This is another unsettlingly effective trend—like “ambulance chasing” for cybercriminals: Follow the headlines to find organizations that have recently been hit with a cyberattack (of any kind), then swoop in posing as official “help” in investigating or preventing further damage. Clever cybercriminals know they can prey on the anxiety, fear and uncertainty of users in this position.
How can you get ahead of evolving ransomware?
Though we’ve said it a thousand times, it’s more true than ever: Ransomware is evolving at an incredible rate and it is overwhelming traditional data security tools. Paying the ransom becomes an appealing option to unprepared businesses, and this steady cash flow only fuels the problem.
Much of Phillimon Zongo’s youth was spent walking or running great distances barefoot, sometimes en route to school, other times scouring the township for empty cola bottles he could sell for change. Whatever the distance, Zongo was determined to find a way to afford food to fill his belly and knowledge to fill his brain.
Zongo’s first pair of shoes came when he was 12, prompting months of adjusting his steps to acclimate to the new sensation. But with or without footwear, in warm or wintry conditions, traversing the roads of rural Zimbabwe often was preferable to being home, where he and his large family lived in poverty.
His living conditions deteriorated further as a teenager. Needing affordable housing closer to his new school, Zongo moved away from his family at the age of 14 and shared a bleak, squalid structure – lacking water, electricity and with a makeshift door that would not lock – with fellow tenants who often became embroiled in jarring verbal and physical clashes with visitors.
During his youth, Zongo hid his living conditions from friends for fear of being bullied. Now that he has ascended to remarkable heights – personally and professionally – the ISACA member revisits his upbringing with pride.
“It’s not painful at all,” Zongo says. “Like so many kids, we were born into these situations. It was never our choice. My parents were loving and supportive, and I greatly appreciate that. They were also born into poverty, but they did all they could so that we would lead better lives. Would I have loved to get my first pair of shoes much earlier in life? Of course, yes, but that was beyond my control. What matters is I managed to make do with what I had, and I am here now.”
These days, here is Sydney, Australia, where Zongo is a successful cyber security consultant in the financial services industry. In October, Zongo was honored by the ISACA Sydney Chapter as Best Governance Professional of 2016, reflecting recognition from industry peers of the thought leadership he has contributed to the profession. That includes a 2016 ISACA Journal article on managing cloud risk and another ISACA Journal article, on the opportunities and risks of automation, published this January.
“I have accomplished so many other things, but this is close to my heart given the importance of education to my life and how ISACA opened so many doors to me,” Zongo says. “I feel so privileged to be able to give back.”
Zongo’s life story, he says, “is not complete without ISACA.” His successful pursuit of Certified Information Systems Auditor (CISA) certification bolstered Zongo’s qualifications for his first position as an enterprise risk services consultant with Deloitte.
“Pursuing my CISA qualification was one of the most game-changing decisions I ever made,” Zongo says. “It afforded me the opportunity to work for some of the most respected global brands and connected me with a global network of highly accomplished professionals. Most importantly, it instilled in me high ethical standards, essential to retain the high levels of trust and confidence society places on our profession.”
The Deloitte opportunity helped Zongo grow into a polished professional, as he quickly adjusted to corporate dress codes and navigated the etiquette of taking clients out for lunch.
“The problem is that society gives people labels, and these I have had to actively resist,” Zongo says. “If you are from the country they call you unpolished, in a way that suggests you can never attain polish. These, if left unchecked, can precipitate self-hate or undermine your confidence.”
Two years after starting with Deloitte, Zongo accepted a consultant position at PwC Australia in 2007. Zongo arrived in Australia with only $300 Australian in his pocket, but he was unfazed, having known much greater financial hardship throughout his life. The ability to anticipate a reliable paycheck outweighed the intense homesickness that marked his first several months in Australia.
Just as Zongo maintained laser focus on his education during his tumultuous youth, he did not allow his new environs to deter him from his career goals. He joined a prominent Australian financial services company as an IT risk manager in 2011 and now is a security consultant there. In recent years, Zongo has become particularly passionate about raising the profile of cyber risk among business leaders.
The resolve he summoned as a youth continues to serve him well. Zongo emphasizes that no matter how much he struggled during his youth, he never felt alone. While some acquaintances from his childhood were able to rise above their difficult circumstances, many, he says, remain “trapped in despair and hopelessness.” Securing a more fulfilling future required a tenacious desire to break the cycle of poverty that afflicted his family for generations.
“I believe we are all born with innate abilities to persevere and overcome life challenges,” Zongo says. “But passion by itself accomplishes nothing; to succeed you need a great deal of stubbornness. Especially where I grew up, you have to overcome these challenges over a long period of time. Perseverance and courage are virtues you nurture through practice.”
About a year after his move to Australia, Zongo married his fiancée from Zimbabwe. He and his wife, Fadzi, have two children – daughter Nyasha Valerie, 3, and a baby boy, Mukundi Christian. In addition to the joy he finds in his work and family commitments, Zongo likes to play golf – a largely unaffordable pastime in Zimbabwe – both for fun and for networking. He is skilled enough to have won several local club competitions, but is more proud of a golf fundraiser he organizes annually to raise money to repair dilapidated infrastructure at his old high school in Zimbabwe, pay fees for underprivileged kids and meet other special needs.
In addition to having earned the CISA, Zongo has passed the Certified Information Security Manager (CISM) exam, and remains grateful that ISACA “has helped me turn my story into one of determination, hard work and passion.”
“The odds were stacked against me, but if I made any excuses – or felt sorry for myself – I would never be speaking to you today,” Zongo says. “I had clear goals in mind, to eventually be able to live a dignified life and support my family, and nothing mattered more to me. I also was fortunate to have individuals who supported me and advocated for my success, and as I walked through the filthy township streets, I knew one thing for certain: I would never let them down.”
Editor’s note: ISACA’s family of more than 140,000 members and certification holders consists of truly outstanding individuals who are making significant contributions to the profession and the world. Watch for more stories like Phillimon’s coming soon, and contact jschwab@isaca.org if you have a member story you’d like to share. If you are not a member, consider joining our community. View the ISACA Member Advantage here.
In one month, the world will talk security at RSA Conference in San Francisco, CA. The annual information security event will be held at the Moscone Center February 13-17.
(ISC)² team members can be found on the exhibit floor in booth S-342. Stop by to pick up a copy of the March/April issue of InfoSecurity Professional magazine, printed exclusively for RSA Conference. We will also have 2017 member pins, CISSP® t-shirts, lightsabers (yes, that’s right) and more. The times and dates of demonstrations at our booth – including Vulnerability Central sessions – can be viewed online.
(ISC)² members who register for a full-conference pass can save $200 and will gain access to five days of expert-led sessions spanning 22 topics, 550 exhibitors in the Moscone Center, as well as fascinating keynote speakers. Use the code 1U7ISC2XP when registering to receive a free expo pass.
Members who attend RSA Conference can earn up to 35 CPE credits, depending on the pass they register for.
Dan Waddell, (ISC)² regional managing director, North America, will be giving the opening remarks at the CSA Summit on February 13. We are looking forward to hosting a CSA Summit at our next Security Congress in Austin, TX this September, and more details will be announced later this year.
Before the conference kicks off, join us for one of two “2-Day Crash Courses” on either the CCSP® or CISSP. These training courses are fast-paced and in-depth in order to cover all the key domains of each CBK®. Crash course attendees will receive the official (ISC)² student handbook to use during the course and throughout their studies as they prepare for the exams.
The Center for Cyber Safety and Education will also be at RSA Conference. The Center will have a booth in the CyberSafety Village, located in Moscone West, Level 2, adjacent to the classroom session areas. The Center will be hosting an overview of the Safe and Secure Online program, featuring Garfield’s Cyber Safety Adventures, on Wednesday, February 15 from 5:00-6:00 p.m. PST. To register for this session, please send an email with your name and member ID to safeandsecure@isc2.org.
Your executive staff has made a strategic decision to move to the cloud, and your team has the seemingly monumental task of executing on this new direction. The journey to the cloud introduces many unknowns, the least of which is determining the applications and data, including precious customer information, that belong in the cloud. Yet your knowledge is limited, and you have little time to immerse yourself in this vast topic.
Key topics that have been left up to you and your team include: where to start; which applications and data should (or can) be moved to the cloud; what are the risk implications; who can help you make the decision; and, more importantly, how can you make the decision process repeatable.
To help you frame a cloud-first implementation methodology, the Cloud Security Alliance will host the “Cloud First, Now What” webinar on January 17th. This webinar, sponsored by Palo Alto Networks, will walk you through the following critical topics:
Assembling the cloud team: Moving to the cloud may be an edict from the CEO, but there is a team of players who need to make it happen, from risk, compliance and legal, to IT, security and operations, to dev-ops and the business groups.
Picking the first set of applications: Which applications are the first to go? Do you start with easy, low-hanging fruit or move the challenging apps first? Do you “lift and shift,” migrating existing applications, or do you start anew?
Determining what data can move: Regulations, contractual obligations, and legacy formats are just a few of the data considerations that need to be considered when implementing a cloud-first methodology.
After the event, you should have all the data necessary to frame your own cloud-first methodology.
Today’s cyber attackers have proven themselves far more capable and committed, stopping at nothing to access the pools of valuable data that uphold the integrity and reliability of your business. To maintain a strong security posture and prevent cyber breaches, leverage User-ID™, user-based access controls, on your next-generation firewall (NGFW) to safely enable the applications and technologies required to drive your business forward. User-ID significantly improves network visibility by mapping network traffic to specific users, rather than to IP addresses, and offers several features to protect your network and help block potential threats at every stage of the typical attack lifecycle.
Access controls can be applied to ensure that only valid, approved users can access necessary assets and data. Note, however, that legitimate users are not threat free. Threat prevention should also be applied to the network to protect systems and application vulnerabilities from exploitation.
Leverage User-ID controls to identify and block malicious command and control traffic.
In the event of an infection or data breach, control sensitive data exfiltration by ensuring every user, even infected users, can only access a small subset of the network.
Leverage user-based reports and breach forensics for a complete, accurate analysis of the breach to help with future policy implementation.
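The three measures above all rest on the same mechanism: a time-bounded mapping from source IP to user, a set of rules keyed on user group rather than address, and an implicit deny. The following Python script is an added illustration of that mechanism and is not Palo Alto Networks code or PAN-OS configuration. The IP-to-user table, group membership, rule names, application names and flow records are all constructed for the example; in a real deployment the mappings would come from directory logon events, wireless controllers or VPN gateways, as the page describes later.

```python
"""
Toy user-based access policy evaluator (constructed example, not PAN-OS code).

Shows the three effects the text lists: a user-keyed allow rule, a deny of
command-and-control traffic that applies to every user, and a per-user report
that attributes flows to people even when a DHCP address changes hands.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed IP-to-user mappings: (ip, user, valid_from, valid_to).
# A real firewall learns these from AD logon events, WLAN controllers or VPN gateways.
IP_USER_MAP = [
    ("10.1.1.20", "alice", "2017-01-10T08:00", "2017-01-10T12:00"),
    ("10.1.1.20", "bob",   "2017-01-10T12:30", "2017-01-10T18:00"),  # DHCP reassigned the address
    ("10.9.9.5",  "carol", "2017-01-10T07:00", "2017-01-10T19:00"),
]

# Constructed group membership, as a directory server would supply it.
GROUPS = {"finance": {"alice"}, "engineering": {"bob"}, "contractors": {"carol"}}


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset   # user groups the rule applies to; "any" matches every user
    apps: frozenset     # application identifiers the rule matches
    dest_zone: str
    action: str         # "allow" or "deny"


# Rules are evaluated top-down; the first match wins, and nothing matching is denied.
RULES = [
    Rule("block-c2", frozenset({"any"}), frozenset({"known-c2"}), "untrust", "deny"),
    Rule("finance-erp", frozenset({"finance"}), frozenset({"sap"}), "dc-finance", "allow"),
    Rule("eng-git", frozenset({"engineering"}), frozenset({"ssh", "https"}), "dc-eng", "allow"),
    Rule("web-out", frozenset({"finance", "engineering"}), frozenset({"web-browsing"}), "untrust", "allow"),
]


def resolve_user(ip, ts):
    """Return the user mapped to `ip` at time `ts`, or None if no mapping is valid then."""
    t = datetime.fromisoformat(ts)
    for m_ip, user, start, end in IP_USER_MAP:
        if m_ip == ip and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end):
            return user
    return None


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


def evaluate(flow):
    """Return (user, action, matching_rule_name) for one flow record."""
    user = resolve_user(flow["src_ip"], flow["ts"])
    user_groups = groups_of(user)  # an unmapped user belongs to no group
    for rule in RULES:
        group_match = "any" in rule.groups or bool(rule.groups & user_groups)
        if group_match and flow["app"] in rule.apps and flow["dest_zone"] == rule.dest_zone:
            return user, rule.action, rule.name
    return user, "deny", "implicit-deny"


def user_report(flows):
    """Aggregate decisions per user, the basis of a user-based breach report."""
    report = {}
    for f in flows:
        user, action, rule = evaluate(f)
        entry = report.setdefault(user or "unknown", {"allow": 0, "deny": 0, "rules": []})
        entry[action] += 1
        entry["rules"].append(rule)
    return report


# Constructed flow records; the same source IP is used by alice in the morning and bob after lunch.
FLOWS = [
    {"ts": "2017-01-10T09:00", "src_ip": "10.1.1.20", "app": "sap", "dest_zone": "dc-finance"},
    {"ts": "2017-01-10T14:00", "src_ip": "10.1.1.20", "app": "sap", "dest_zone": "dc-finance"},
    {"ts": "2017-01-10T14:05", "src_ip": "10.1.1.20", "app": "ssh", "dest_zone": "dc-eng"},
    {"ts": "2017-01-10T14:10", "src_ip": "10.1.1.20", "app": "known-c2", "dest_zone": "untrust"},
    {"ts": "2017-01-10T10:00", "src_ip": "10.9.9.5", "app": "web-browsing", "dest_zone": "untrust"},
    {"ts": "2017-01-10T20:00", "src_ip": "10.9.9.5", "app": "https", "dest_zone": "dc-eng"},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["ts"], f["src_ip"], f["app"], "->", evaluate(f))
    print(user_report(FLOWS))
```

The second flow is the point of the exercise: an address-based rule that allowed 10.1.1.20 into the finance segment in the morning would still allow it in the afternoon, when bob holds the lease; the user-keyed rule denies it. The C2 rule sits first and uses the "any" group so that an infected host is blocked whoever is logged on, and the report keys on user names, which is what an analyst needs when reconstructing a breach after addresses have been reused.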
User-based access controls are steadily becoming an integral component of the network security infrastructure and of threat prevention measures. However, it’s important to understand that establishing and implementing a user-based security strategy and policy is not a single team’s responsibility, and should be rooted in the business leadership team’s position on cybercrime prevention. Given the recent spate of high-profile cybercrimes, security is now being discussed at the boardroom level. Leverage the heightened security awareness to build a business case for user-based access policy with the leadership team, and work in tandem to create business policies that simplify and reinforce the implementation. The leadership team’s support will be helpful during policy roll-out and when making necessary adjustments, such as denying access to certain websites, or to help ease the minds of less-than-patient users in the face of issues that need to be ironed out.
Beyond the organization’s leadership, User-ID access policy requires coordination and buy-in from several teams to ensure a seamless adoption and execution. Here are a few examples of who should be involved in the planning and implementation of user-based access policy:
IT Architects
The IT architects know the ins and outs of accessibility. They can offer insight regarding which users log in to the network from various office locations, and whether those users require access to resources that may be safeguarded by NGFWs in other locations.
IT & Security Operations
When it’s time to roll out the new user-based access controls and policy created with User-ID, the IT & Security Operations team will be critical to the execution, helping to troubleshoot any issues associated with implementation. Make sure to provide the proper training so that they are equipped to handle the higher-than-average volume of help desk tickets and user accessibility inquiries.
IT Administrators
Administrators are vital in providing the user identity information around which user-based access controls and policy are framed:
Network Admins: As device owners, network admins can provide user identity information from wireless LAN controllers, NAC devices or VPN gateways.
Directory Admins: Work with directory admins to gain valuable user identity information from directory servers, such as Active Directory.
Enterprise Services Admins: To define user-based access requirements for enterprise services, such as SAP, security practitioners must team up with enterprise service admins.
Endpoint Admins: In addition to traditional VPN remote access and secure connectivity, coordination with endpoint admins is necessary to ensure user-based access controls extend to the mobile workforce.
Implementing User-ID access policy on your Palo Alto Networks NGFW, with the participation and buy-in of all appropriate groups, will aid in meeting your organization’s goal of reducing the risk of infection for individual users and for the network as a whole.
To learn more about the benefits of leveraging User-ID, user-based access controls, on your Palo Alto Networks NGFW: