Month: January 2018

The recent Global Risks Report by the World Economic Forum offers the latest evidence that cybersecurity is rising among the top global risks. Cyberattacks are now the global risk of highest concern to business leaders in advanced economies. This reflects the inability of enterprises to keep pace with today’s challenging threat landscape, and points to an urgent need for increased prioritization of and investment in cybersecurity by executive leadership.

While a cyberattack does not qualify as a natural disaster – one of the other top risks identified in the Global Risks Report – large-scale cyberattacks are capable of devastating critical infrastructure in similar fashion. A cyberattack has the potential to disrupt many of the most essential aspects of our lives, from electric, gas and water utilities to banking and cellphone coverage.

It is evident that the status quo will not be sufficient if we are to expect a reasonable level of security in both our personal and professional lives. Society and enterprises will need to focus on resilience, both technological and human. While contending with threats may be inevitable, our ability to recover cannot be undermined. We will need to build real and virtual firebreaks to ensure critical infrastructure elements do not fall due to the domino effect of a potential collapse.

Systemic challenges and threats require systemic solutions. Enterprises must focus not just on providing the next big app or solution to customers, but also on educating customers about potential threats and actions that can be taken to prevent or address them. In this context, it was encouraging to see the World Economic Forum announce plans for a new Global Centre for Cybersecurity. Deeper collaboration between the public and private sectors – while also tapping into the knowledge base of global industry associations such as ISACA – must be part of any substantive solutions going forward.

The increasing cybersecurity challenges that accompany the expanding threat landscape also call for the constant skilling and re-skilling of the technology workforce. Enterprises must be more committed to investing in real-world training for their security teams that takes into account the most up-to-date threats and vulnerabilities. Why is it so necessary to develop a more robust, highly skilled cybersecurity and tech governance workforce? Consider several realistic possibilities that I suspect we could encounter as 2018 progresses:

• At least half the global population could become victims of privacy breaches;
• The Internet of Things will become the Internet of Threats. Smart appliances will be used to take privacy attacks to the next level. Your television, your refrigerator and your connected toothbrush will know more about you than any other human can;
• The rise of superintelligent threats, driven by AI and machine learning;
• The potential for swarm attacks by drones;
• The first bioengineered hack of the human body.

These, and other technology-driven stress points, are unprecedented challenges that demand proactive defense strategies. Disruptive technologies have the potential to power our global economy in many promising and innovative ways, but we must nurture new and more collaborative solutions to ensure these technologies are implemented effectively and securely.

While cybersecurity rising on the list of top global threats can not be construed as good news, at least the global community has begun to recognize the scope of the challenge. Now, it is time to pull together as a global community and meet this challenge together.

R.V. Raghu, CISA, CRISC, ISACA board director and director of Versatilist Consulting India Pvt. Ltd.

[ISACA Now Blog]

The purpose of the General Data Privacy Regulation (GDPR) is to harmonize the data privacy regulations that each European Union member state implemented to comply with GDPR’s predecessor. GDPR provides a single, comprehensive regulation that is compulsory for all organizations processing the personal data of individuals living within the European Union.

The regulation becomes enforceable on 25 May 2018, after a two-year grace period to allow organizations to implement GDPR. GDPR substantially increases data subjects’ rights – and with penalties of up to 4% of gross turnover, the regulation has the potential to fundamentally change the way organizations view and process personal data. That said, the purpose of this blog post is not to tell you what GDPR is, who it will impact, nor to pour more oil on the fear-mongering flames. Over the past two years, most of us have seen more than enough of these types of articles from privacy experts. I am writing today to introduce ISACA’s new GDPR guide.

Six months ago, ISACA brought together a team of information technology, information security, audit and data privacy professionals from around the world to help develop a guide that provides a pragmatic approach to implementing GDPR in organizations large and small. This guide provides a comprehensive introduction to GDPR, along with a plan to help organizations implement a data privacy program that complies with GDPR requirements.

The guide also includes the available information from the Article 29 Data Protection Working Party (WP 29), which provides clarification on various topics covered in the regulation. WP 29 guidance, where available, has been included within ISACA’s GDPR guide. At 100 pages, the guide can be easily read in a weekend. It will serve as a handy guide both during the implementation of your data privacy program, as well as a solid reference during your day-to day-activities.

The guide provides advice on topics such as identifying and classifying personal data, data governance, information security, managing compliance in your supply chain, data breaches, employee awareness and more. The guide also includes several annexes that provide specific recommendations to help practitioners implement an effective and efficient data privacy program. Annex 1 is divided into nine domains that cover 46 processes organizations should implement as part of their GDPR programs. Annex 2 provides guidance on how to set up and manage the Data Privacy Impact Assessment (DPIA) process. Annex 3 provides a sample personal data register that must be created, maintained and readily available in the event of an audit. Throughout the document, we have defined common data privacy terminology and included a glossary of terms that we suggest you ensure are correctly used within your organization to avoid confusion.

The ultimate purpose of the guide is not simply to help organizations become GDPR compliant, but also to ensure the privacy of real people. To this end, we stress that the comprehensiveness of your data privacy program should be based on the risk to the subjects’ data that you hold and not solely on the risk to your organization.

ISACA’s GDPR Working Group believes that implementing GDPR will not only reduce the risks to your organization, partners and customers, but also has the potential to improve the effectiveness of your organization through the implementation of sound policies and processes. Many of us on the working group are privacy practitioners who will use the guide to help implement GDPR in our organizations. This will allow us to see first-hand what worked well and what could be improved. Stay tuned to this space, as we will provide regular updates as we count down to 25 May. Once we’ve received sufficient feedback, we will review and update the guide. In the meantime, we hope this guide is beneficial to you and your organization.

Scott Rosenmeier, CISA, CISM, CRISC, CGEIT, CISSP-ISSMP/ISSAP, TUEV SUED certified DPO (Germany), Senior Manager, Information Security

[ISACA Now Blog]

Account takeover attacks are a nearly invisible tactic for conducting cyber espionage. Because these breaches can take months or years to detect, we are slowly discovering that this attack vector is much more common than we thought. The more we learn about new methodologies, the more we realize just how misunderstood account takeover attacks can be. Many of the common myths about account takeover attacks are making it easier for the attackers to continue undetected, which is why we feel obligated to debunk them.

What Is an Account Takeover Attack?

Account takeover is a strategy used by attackers to silently embed themselves within an organization to slowly gain additional access or infiltrate new organizations. While ransomware and other destructive attacks immediately make the headlines, a compromised account may remain undiscovered for months, years or not at all. (See the Verizon 2017 Data Breach Report graph.)

On average we find at least one compromised account in half of our new installs, oftentimes finding that they have been there for months. We hope this blog can provide a better understanding of how they work and how to defend against them.

Scan your own account for an historical breach.

Myth 1: I’ve installed the latest antivirus software. I’m safe.

Reality: Account takeover attacks seldom use malware or malicious links.

You may have the latest patches. You might have the latest URL filters. You might have installed an MTA mail gateway to scan every message. None of these, however, would have detected the most common attacks of 2017. Few, if any, used an attachment or malicious link. Instead they relied upon convincing a user to authorize an app or share credentials via an otherwise legitimate site. Account takeover attacks do not want to infect a desktop or steal a bank account’s routing number. They seek only to gain access to a legitimate user’s account for as long as possible. Step one in their methodology is to avoid detection by the most common tools.

Myth 2: We’ve all had security training. Attacks are obvious.

Reality: User training is not enough to defend against targeted attacks.

Everyone would like to believe that they are smart enough to notice an attack before they are compromised, but even the most vigilant user would miss the more recent strategies. A CISO once called user training an “attack signature that gets updated once a year.” While you may be able to identify the traits of an older method, new, more sophisticated techniques are developed every day. It is no longer enough to look for misspelled words or bad grammar. They are now highly personalized, well timed and sent in moderation. It is easy to forget that attackers read the same best practice documents you read, and use them as their checklist of things to evade.

Myth 3: An account takeover always starts with an email.

Reality: Attackers are starting to use other collaboration tools.

As organizations are moving away from email to Slack, Teams, and Chatter for internal collaboration, so are the attackers. Your employees are naturally wary of messages that come by email, but they seldom transfer that suspicion to internal messaging tools. While only 12 percent of employees might be likely to click on a malicious email, more than half would click on the same message when it arrives via internal Slack chat from a ‘trusted’ user. While there are dozens of tools to monitor and protect user email, these internal tools typically have no phishing or malware protection at all.

Scan your own account for an historical phishing attack.

Myth 4: Account takeover always starts with a phishing message.

Reality: Hackers can get your credentials without a phishing attack.

Although phishing messages are the most common way for hackers to gain access to an account, they are far from the only method. Large, third-party data leaks like Yahoo and LinkedIn have created a market for hackers to exchange stolen passwords. Even Post-It Notes are not safe from online distribution. A breach might include passwords for one service that employees have re-used on corporate accounts. Even a breach that doesn’t include raw credentials might include the personal information (street address, high school, mother’s maiden name) that make it possible for attackers to gain temporary access by requesting a password change. The Equifax breach probably contains more personal information than the average person even knows about themself. Although anti-phishing security is important, it is only one part of the equation when it comes to defending against account takeover.

Myth 5: I would notice right away if my account was compromised.

Reality: Account takeovers are specifically designed to evade detection.

Although it may seem like you would have to be blind to not notice a second user in your email inbox, hackers have become incredibly adept at navigating and using compromised accounts without detection. Tactics like the alternate inbox method, in which the attacker uses hidden and unchecked trash folders as their inbox, can make even the most active attacker invisible to the account’s rightful owner. When your account is compromised, you will likely never notice anything out of the ordinary.

Myth 6: The hacker will log in from a suspicious location.

Reality: Hackers can appear to log in from anywhere.

If a hacker is regularly logging into your account, wouldn’t their location raise a flag? It is reasonable to assume that to detect a compromised account, you just need to keep an eye out for suspicious locations in your account history. Unfortunately, publicly available VPNS are an easy way to avoid this obvious giveaway. A competent hacker based in North Korea can appear to be from an IP address in your own town, looking as benign as a login from your local CoffeeCafe. If they’ve already compromised another victim, they could even stage their attack from a partner’s network.

Myth 7: Changing my password will get rid of them.

Reality: Hackers can continue to access your account without a password.

Many cyber-security best-practices guides will advise you to change your password if your account is compromised. The first step in most attacks, however, includes creating a secondary back door so they can avoid using the primary login. For example, they may install malicious cloud applications that provide full rights to the account. These API-based connections use their own, permanent tokens that must be individually revoked and often never get logged. Or they may create rules to forward and redirect messages through the account without the need to log in again. Even if you change your password or turn on multi-factor authentication within seconds of a breach, they may no longer have need of your password.

Scan your own account for an historical breach.

Myth 8: I’m not “important” enough to be valuable to an attacker.

Reality: Every employee’s account is useful to a hacker.

It can be comforting to think that cyber security is only a concern for executives or employees with high levels of access to sensitive company data. Typically, however, the initial account takeover breach is imprecise and opportunistic. The initial goal of the hacker is to simply get access to any internal account. Once they have access, they take advantage of internal trust relationships to move from employee to employee until they find the sensitive data they need. A user doesn’t need to be high up or have a high level of access to serve as a hub for a hacker to base their operations. In fact, lower level employees are often under less scrutiny and can serve as a better vessel to use and remain undetected.

Myth 9: Our company is not worth targeting.

Reality: Your company can be used to attack your customers and partners.

If your company has customers, their employees will likely trust yours. If your company has providers, it could serve as the attacker’s way in. Although the hacks of major financial institutions and Fortune 500 companies make the headlines, hundreds of small ‘invisible’ companies in niche industries are attacked every day. Because smaller companies typically do not have the security staff of the larger firms, they can be an easy path into a much more lucrative target.

Dylan Press, Director of Marketing, Avanan

[Cloud Security Alliance Blog]