No End in Sight for Impact of Equifax Breach

It is a terrible time for privacy in the United States. There are very few institutions that we entrust to hold nearly all our financial records, and one of them, Equifax, admits to losing them.

The full impact of the breach will be felt over time, and right now nothing has changed in our lives besides a new worry and uncertainty. Perhaps, as with other breaches such as Anthem and Yahoo, we will live with that fear for decades without ever feeling the direct impact.

However, I would argue that Equifax has the potential to be the most impactful breach to its victims. The repositories of data that include personal, financial and confidential information will not dissipate easily over time. Unlike a medical condition that heals or a stolen password that can be reset, financial and personal information cannot be replaced, so victims of its theft do not get better. We can't escape our credit history and financial situation, so the abusers of the stolen data will be able to pursue us through the years.

How did it happen? We do not have all the details, but one may argue that an organization charged with holding this type of data should not fall to an attack vector that had been a known problem for half a year prior. Even with that vulnerability, a breach of a single website should not lead to any stolen data. There must be safeguards.

Let's say a web server was not patched; it is still the job of intrusion prevention systems to detect the exploit. When hackers were roaming freely within a compromised server and its databases, where were the security safeguards identifying the abuse? Further, consider that hackers reportedly stole gigabytes, if not terabytes, of data. Unusual activity of that volume should be noticed by network traffic monitors and other defensive tools.
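The last point, that a multi-gigabyte outbound transfer from a database server should stand out against that host's normal traffic, is the kind of check a network monitor can make from flow records alone. The following is an added example written for this page, not code from the original post or from Equifax; it runs over constructed flow records (source, destination, bytes, hour) and flags any internal host whose outbound volume in one hour is both above an absolute floor and many times its own median hourly volume. The internal address ranges, the ratio and the floor are assumptions and would be tuned per environment.

```python
"""Per-host outbound volume baseline over flow records (added example).

Each record is (src_ip, dst_ip, bytes, hour). Only internal -> external
flows count as outbound. A host is flagged for an hour when that hour's
outbound bytes exceed an absolute floor AND a multiple of the host's own
median hourly volume, so a backup server that always sends a lot is not
flagged, while a database server that suddenly sends gigabytes is.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: these are the organisation's internal ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_per_hour(flows):
    """Return {src: {hour: bytes}} for internal -> external flows only."""
    totals = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes, hour in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][hour] += nbytes
    return totals


def find_exfil_candidates(flows, ratio=10.0, floor_bytes=500_000_000, min_hours=3):
    """Return [(src, hour, bytes, baseline)] for hours that look like bulk
    exfiltration. baseline is the host's median hourly outbound volume;
    hosts with fewer than min_hours of history are skipped (no baseline)."""
    findings = []
    for src, hours in outbound_per_hour(flows).items():
        volumes = list(hours.values())
        if len(volumes) < min_hours:
            continue
        baseline = median(volumes)
        for hour, nbytes in sorted(hours.items()):
            if nbytes >= floor_bytes and nbytes >= ratio * max(baseline, 1):
                findings.append((src, hour, nbytes, baseline))
    return findings


def constructed_flows():
    """Constructed sample traffic (documentation address ranges), not real data."""
    flows = []
    for h in range(1, 9):
        # Workstation browsing: tens of megabytes per hour.
        flows.append(("10.0.1.15", "203.0.113.10", 50_000_000 + h * 1_000_000, h))
        # Backup server: a steady 800 MB to an offsite host every hour.
        flows.append(("10.0.7.5", "203.0.113.8", 800_000_000, h))
        # Database server: normally only a couple of megabytes out per hour.
        flows.append(("10.0.5.20", "198.51.100.7", 2_000_000, h))
        # Inbound traffic to the database server is ignored by the check.
        flows.append(("198.51.100.7", "10.0.5.20", 10_000_000, h))
    # Hour 8: the database server pushes 3 GB to an external address.
    flows.append(("10.0.5.20", "198.51.100.9", 3_000_000_000, 8))
    return flows


SAMPLE_FLOWS = constructed_flows()

if __name__ == "__main__":
    for src, hour, nbytes, base in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"{src}: hour {hour} sent {nbytes / 1e9:.2f} GB, "
              f"baseline {base / 1e6:.1f} MB/hour")
```

The backup server is never flagged even though every hour of its traffic is above the floor, because the comparison is against its own median; the workstation is never flagged because it stays under the floor. Only the database server's hour 8 trips both conditions.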

Yet Equifax's infrastructure allowed the data theft without much of an alert. And for us, the victims, what's the recourse? One year of free credit protection from the TrustedID service, owned by Equifax? There is something to be said about a company offering protection against identity theft that could not protect its own data. And what happens after one year? Would hackers delete the stolen data, or would they keep abusing the accounts while the victims resort to paying Equifax for protection from the loss that it caused?

There is a lot of angst, and confusion, and too many questions that we do not know how to answer. The scariest thing is that we do not know what is coming and how badly this will impact the victims.

The big question still remains: who do we trust with our data? Do we, the consumers, have any say or choice? Should there be government sanctions for these types of events?

As a security professional, I see another lesson in not-so-good security practice. What could have been done to prevent this? What could have been done during the incident response and investigation?

Time will tell if this is the most impactful breach for us, or if this is a scary event from which the stolen data never sees large-scale abuse. Stay tuned.

Editor’s note: Alex Holden will be presenting on optimizing defenses against invisible threats at CSX North America, to be held 2-4 October in Washington, D.C.

Alex Holden, President and CISO, Hold Security, LLC

[ISACA Now Blog]

When It Comes to Crypto, What You Don’t Know Can Hurt You

Most of us have heard the phrase “What you don’t know can’t hurt you.” While this may hold true for some circumstances, in the case of an audit, the opposite is true.

A large part of an auditor’s job is to discover and know about exposures and gaps that could hurt the organizations for which they work. An auditor’s remit includes finding, analyzing and documenting an ever-increasing list of things that organizations don’t know about but have the potential to cause damage.

This task can be harder than it sounds, particularly when it comes to an organization's use of technology. Why? One reason is that auditors need to be alert to the specific risks, threats, issues and other problem areas that can arise related to the specific technologies in use. One area that is particularly challenging is the assessment of cryptographic systems: modules, software, and application components that employ cryptography, and the use of cryptography generally throughout the organization.

Several factors make assessing cryptographic systems more difficult than other technologies. First, cryptography is ubiquitous: almost every organization (whether it knows it or not) makes extensive use of cryptography to secure everything from data transmissions to employee remote access. Cryptography is used for authentication, to securely store data, and to prove the integrity of that stored data. But despite its ubiquity, it's a little like the plumbing in our homes: there when we need it, but not something we stop to think about unless something goes terribly, terribly wrong.

Second, cryptographic assessment is not a skill set in which all auditors have extensive experience. Many seasoned auditors know the fundamentals of how cryptography works, but implementation details, i.e., the mathematics underpinning its operation and the engineering aspects of authoring a library, toolkit, or component, aren't generally at the top of an auditor's tool box.

Because many auditors aren’t deep crypto experts and there are few general assessment guides for audit of these systems, cryptographic assessment may get short shrift during audits. This is a potential security concern, because poorly implemented, ill-used, broken, insufficient, or other operationally deficient use of cryptography can represent significant risk to an organization.

Now, this doesn’t mean that every auditor needs to be the next Alan Turing – just like they don’t need to be Brian Kernighan to assess a business application written in C! But many could benefit from having a guide that explains the basics of cryptographic system assessment to help them find and identify potential risk areas; for example, potential implementation issues, best practices, known weak configurations, etc.
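To make "poorly implemented" and "known weak configurations" concrete, here is an added example written for this page (it is not from ISACA's guide or the sample policy) showing one of the most common findings in a cryptographic assessment: password storage with an unsalted fast hash and a non-constant-time comparison, beside a hardened version using salted PBKDF2-HMAC-SHA256 and `hmac.compare_digest`. It also includes the check an assessor can run without cracking anything: with no salt, two users who share a password produce the same stored digest. The user list is constructed, and the iteration count is an assumption to be set per deployment.

```python
"""Weak vs. hardened password storage, plus an assessor's duplicate-digest
check (added example, not code from the ISACA guide).

Only the standard library is used so the block runs anywhere.
"""
import hashlib
import hmac
import secrets

# ---- Weak scheme: what an assessment should flag -------------------------

def weak_store(password: str) -> str:
    """Unsalted MD5. Fast to brute-force, precomputable, and identical
    passwords collide, so the store itself leaks which users share one."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    # Plain string equality short-circuits on the first differing byte,
    # which is the timing side channel compare_digest exists to remove.
    return weak_store(password) == stored


# ---- Hardened scheme -------------------------------------------------------

ITERATIONS = 600_000  # assumption; tune to the deployment's CPU budget


def strong_store(password: str, salt: bytes = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing record:
    algorithm$iterations$salt_hex$digest_hex. A fresh 16-byte salt per user
    means equal passwords no longer produce equal records."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    alg, iters, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# ---- The assessor's check ---------------------------------------------------

# Constructed sample accounts; two of them share a password.
CONSTRUCTED_USERS = [
    ("alice", "hunter2"),
    ("bob", "hunter2"),
    ("carol", "Tr0ub4dor&3"),
]


def has_duplicate_digests(store_fn, users) -> bool:
    """True when two users' stored values are identical: with a correctly
    salted scheme this cannot happen, so it is direct evidence of no salt."""
    digests = [store_fn(pw) for _, pw in users]
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    print("weak scheme leaks shared passwords:",
          has_duplicate_digests(weak_store, CONSTRUCTED_USERS))
    print("hardened scheme leaks shared passwords:",
          has_duplicate_digests(strong_store, CONSTRUCTED_USERS))
```

On a real engagement the same observation is made against the exported credential table rather than by calling the hashing function: any repeated digest column value is a finding, and the absence of a per-record salt field usually confirms it.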

To help address this, ISACA has authored Assessing Cryptographic Systems. This free resource provides information to the IT audit community about commonly occurring issues in cryptographic systems as well as one possible methodology to assess the use of cryptography in an organization. As a companion piece, ISACA released a sample security policy, “Sample Policy on the Use of Cryptographic Controls,” that can be adapted by an organization to supplement or refine its existing policy on this important topic.

Please take a look at these resources, and let us know if they helped you with your audit work by leaving a comment on this post.

Diana Kelley, Chief Security Advisor, SecurityCurve

[ISACA Now Blog]

The Farmer and the Equifax

In the wake of major disasters, companies often retrench to their board rooms and ask questions about the state of their own resilience. These questions follow one of two tracks: First is a retrospective post-mortem of their own company, or preferably an affected competitor. It starts with a question like, “How would we be affected or react if this happened to us?”

In the wake of the Equifax consumer data breach, many of the stories in the past days share well-articulated insights that are nonetheless written with full 20/20 hindsight in play. There is even evidence that Equifax itself took this path two years ago, in the wake of the Experian data breach. While well-intentioned, this hindsight-driven approach is fundamentally flawed.

When penning an article or responding to a board question post-mortem, we are afforded luxuries that our disaster-distressed selves would not be afforded in a real scenario. For example, compare your mental state now versus in a true disaster – the shock and suddenness (then) vs. the quiet reflectiveness (now). One of the greatest underestimations of post-mortems is the effect of imperfect and often conflicting information during a live, unfolding crisis. To illustrate this, consider the following three fictitiously timed statements:

If your blood pressure progressively elevated from “slight nuisance” to “we may lose our company,” then you’re likely in good company with Equifax’s executives as they gleaned more information about the incident from the initial discovery until today. It is much easier to think about your actions for Day 0 when you know what Day 20 looks like, but we almost never do.

Anyone who has read a post-mortem report, though, will attest that it is unlikely that the report captures the nuances of timing and progressive urgency. Instead, the report highlights the diseased final state and what the company should have done to protect itself in the first place, often forgetting about all the other possible infections that could be acquired.

So, if studying Equifax and gleaning lessons learned, even in light of the little we know, is an easy but relatively unproductive sport for our own resilience, what is the alternative?

The second track is the one that we advocate for in our trainings with executives and boards. This track makes a much more natural supposition about the state of risk in cyber security. Instead of assuming perfect hindsight about random one-off events, let’s instead suppose that Equifax treated cyber risk much the way weather risk is accounted for by a large farming cooperative. Our assumptions regarding cyber threats would instantly shift from being unknown and one-off to mitigatable risks.

Figure 1—Cyber risk is an influencer to traditional enterprise risk categories

Farmers understand that crops are their most important assets. They understand and monitor any threats, from weather to insects to hungry predators that might affect those crop assets. They also know the vulnerabilities that their particular crops, in their particular locations, have compared to those of other farmers in other locations, and they have people at the ready to mitigate the impact to their farms, should disaster strike.

The Equifax breach will likely change many upcoming boardroom agendas and spur more communications about cyber breaches among senior executives. Executives, security professionals, and the public at large should then take this opportunity to think about what their most important crops are, what true vulnerabilities exist in them, and learn better how to mitigate against those risks.

Amjed Saffarini, CEO of CyberVista

[ISACA Now Blog]

TOP 10 (ISC)² WEBCASTS OF 2017

(ISC)² webcasts are a great source for insight into all areas of security. From the Internet of Things to malware and compliance, the topics vary. Here are the top 10 (ISC)² webcasts for 2017 so far as ranked by cybersecurity professionals:

  1. Part 1: Future of SIEM – Why Static Correlation Fails Insider Threat Detection
    Hackers stealing credentials and operating in your corporate network…disgruntled employees collecting customer lists and design materials for a competitor…malware sending identity information back to random domains…these common threats have been with us for years and are only getting worse. Most organizations have invested large amounts in security intelligence, yet these solutions have fallen short. Simply put, security intelligence and management, in the form of legacy SIEM technologies, have failed to keep up with complex threats. Sponsored by Exabeam.
  2. Visibility and Security – Two sides of the Same Coin
    You can’t secure what you can’t see and not knowing what’s on your network can be damaging. While security is about proactively detecting and mitigating threats before they cause damage, it is also about gaining deep visibility into today’s complex networks, which may include diverse platforms and architectures. A truly enterprise grade DNS, DHCP and IPAM (DDI) platform can provide that visibility because of where it sits in networks. On the downside, DNS is a top threat vector, but can be used as strategic control points to block malicious activity and data exfiltration. Sponsored by Infoblox.
  3. Scaling Up Network Security: Shifting Control Back to the Defenders
    Network threats and data breaches continue to grow in number, sophistication and speed, overwhelming current defensive capabilities. Security teams, limited in staff, resources and time, suffer from diminished effectiveness and enterprise protection. To stay ahead, organizations must create an adaptive ecosystem of network defenses; much like the body leverages its immune system. A Defense Lifecycle Model speeds threat identification and mitigation by incorporating machine learning and artificial intelligence into these security processes. Sponsored by Gigamon.
  4. GDPR – Now’s the Time to Plan for Compliance
    The EU’s new General Data Protection Regulation (GDPR) is around the corner, and it’s time to prepare for it. The GDPR, specified in an 88-page document, can be confusing and tedious to put into practice. Understanding and complying is critically important, however, as non-compliance carries significant risk, with stipulated penalties exceeding $20M. This webcast will examine why the GDPR should be a priority – now; discuss the global and technological implications of GDPR, and review how technology can address some of the GDPR data security requirements. Sponsored by Imperva.
  5. Cross Talk: How Network & Security Tools Can Communicate for Better Security
    Working in silos, while never a good idea, is a reality in many organizations today. Security and network operations teams have different priorities, processes and systems. Security teams use various controls and tools to mitigate different kinds of threats which provides them with thousands of alerts on a daily basis. They often find it difficult to prioritize the threats to address first. What they may not know is that there is a whole piece of the puzzle they could be missing – core network services like DNS, DHCP and IPAM. These can provide a wealth of information and context on threats, which can help prioritize response based on actual risk and ease compliance. Sponsored by Infoblox.
  6. Future of SIEM – Remediate Malware & Spear Phishing w/Automated Playbooks
    It’s not uncommon for security teams to see upwards of 17,000 malware alerts per week and only investigate a third of them. Each incident detected requires investigation and eventually remediation before it can be laid to rest. Unfortunately, the security talent capable of performing these tasks is scarce, which leaves most security operations teams spread thin, a symptom of sparse coverage compounded by the drain of low fidelity security alerts and false positives. Sponsored by Exabeam.
  7. CA Briefings Part 5 – Trends and Predictions
    2016 was a blockbuster year for cybersecurity – from a hacker influenced national election to a landmark breach into the Internet of Things that caused the largest botnet attacks in history. What’s in store for 2017? Join CA Technologies’ Nick Nickols, Security CTO, as he examines what you can expect in 2017. In this webcast, Nick will discuss: key areas to focus your attention and investment – from access governance to threat analytics to IDaaS; the changing landscape of regulations and consumer behavior; technology transformations and new innovations that will influence the way you prepare for 2017. Sponsored by CA Technologies.
  8. Briefing on Demand – Getting it Right – Security & the Internet of Things
    The Internet of Things (IoT) is the interconnection of uniquely identifiable embedded computing devices within an existing internet infrastructure. However, securing it can be difficult. Join Gemalto and (ISC)² for a discussion on the Internet of Things and how it will play a role in your future and what changes will be happening in security. Sponsored by Gemalto.
  9. Building a Blueprint for an Insider Threat Program
    While infosecurity teams are playing defense against external threats, they cannot lose sight of the threat that insiders at their organization pose. Employees, contractors and business associates can all have accounts which provide them legitimate access to systems within the enterprise, but that access can carry significant risk. Detecting, monitoring and preventing such unauthorized access and exfiltration is critical. Building an insider threat program to manage such functions can help an organization get visibility into the problem and streamline these efforts. But where does an organization start when building such a program? What underpinnings need to be in place in order to have success with a program? Get the inside scoop on what it is really like to build and run these types of programs; what are insiders really doing and what are they stealing. Join Code42 and (ISC)² for a discussion on how to construct an effective insider threat program. Sponsored by Code42.
  10. Reimagine Your Identity Strategy
    First offered at the RSA Conference this past February, RSA and (ISC)² offer our members an exclusive opportunity to hear from the identity and access assurance experts at RSA to learn what it takes to manage identity at the speed of business and deliver convenient and secure access. In this webcast, we'll examine how to deliver access to the modern workforce, addressing the identity risk factor and future-proofing your identity and access management program. Sponsored by Sophos.

Sign up for more (ISC)² webcasts by visiting https://www.isc2.org/News-and-Events/Webinars/ThinkTank. What topics would you like to learn more about on the (ISC)² Blog? Let us know!

[(ISC)² Blog]
