William Saito: Industry 4.0, IoT and Security By Design

During the World Economic Forum’s Annual Meeting of the New Champions, taking place this week in Tianjin, China, about 1,500 policy makers and experts from more than 90 countries are gathering to discuss Industry 4.0.

William Saito, Vice Chairman, Japan, for Palo Alto Networks, explains in his latest column for the World Economic Forum that the potential for Industry 4.0 — specifically how technologies such as cloud computing and big data join with the Internet of Things and algorithms from machine learning to govern new processes — requires preventive security by design, not as an add-on. 

“It’s worth remembering,” notes William, “that cloud services, big data, IoT, block chain, AI, fin tech and all the other buzzwords are possible not only because of the Internet, but because of security.”

Read the full article for William’s thoughts and check out more of his regular contributions to the World Economic Forum and Forbes.

[Palo Alto Networks Research Center]

June’s COBIT 5 Poster Details Process Capability

The June edition of the monthly COBIT 5 poster series features a graphic summary of the six levels of process capability and their related attributes. These capability level attributes are aligned with ISO/IEC 15504.

The poster charts the six levels of capability that a process can achieve, from an incomplete process that is not implemented or fails, to an optimized process.

Each capability level can only be achieved after the previous level has been fully met. For example, before assessing a process as an established process (process capability level 3), the attributes of a managed process (level 2) must first be fully achieved.

Achieving level 1 differs from higher capability levels in that it is at least partially achieved once there is evidence that the process simply exists and has only one process capability attribute to assess. Each higher level adds different attributes so enterprises can choose a target level based on cost-benefit and feasibility. Rarely will enterprises choose the highest process level (level 5), which is a predictable process that is continuously improved to meet current and projected business goals.

The six process capability levels include:

  • 0 Incomplete
  • 1 Performed
  • 2 Managed
  • 3 Established
  • 4 Predictable
  • 5 Optimizing

Previous COBIT 5 posters of the month include:

May 2016: COBIT 5—Process Reference Model
April 2016: COBIT 5—Governance and Management Key Areas
March 2016: COBIT 5—Enterprise Enablers
February 2016: Roles, Activities and Relationships
January 2016: Goals Cascade
December 2015: Governance Objective: Value Creation
November 2015: COBIT 5 Principles

For more information on COBIT 5 click here, and to see/download all of the COBIT 5 posters, click here.

Peter Tessin, Technical Research Manager, ISACA

[ISACA Now Blog]

In Cybersecurity, Professional Practice Transcends Politics

As Europe absorbs the news that the United Kingdom (UK) has voted to leave the European Union (EU), questions inevitably rise around the impact this decision will have on our profession. During the campaign running up to the vote, I fielded several queries from journalists on the relevance of pending European regulation, and whether the UK would undermine its ability to face cyber threat if voters chose to leave.

In or out, I believed, our professional challenges would be unaffected by the result. Earlier this month, as the referendum debates headed into the final weeks, these thoughts were reinforced as London played host to Infosecurity Europe, our region’s largest information security event. This year, the show attracted nearly 14,000 delegates from 80 different countries.

On the (ISC)2 stand, we heard from (ISC)2 members and other delegates alike that it seemed particularly vibrant this year, with many of the largest stands on the exhibition floor having been the start-ups featured in the innovators section not so long ago. The sessions reflected very current concerns that were being debated around the world. The many sessions that were focussed on European issues were very well attended, including one on the last day presented by the president of our (ISC)2 Germany Chapter Rainer Rehm.

Now that the referendum results are in, I believe the Brexit vote will serve to highlight our profession’s value as that vibrant international community. Our challenges and (therefore) inherent instincts have motivated levels of co-operation that already transcend national boundaries and politics. There is no reason to believe that this will come to an end, or even be significantly interrupted by the UK’s political decision to leave the European Union.

Practicing professionals in the UK and across Europe have at least two years ahead of them to understand the practicalities that will affect their day-to-day job. Also, there’s a good chance that quite a lot of what was anticipated over this time will not change. The need in the UK to comply with the EU’s General Data Protection Regulation (GDPR), for example, will remain the same, as we can expect UK businesses to continue handling EU citizen data. The march of technical innovation will continue to shape the challenges we face on the front lines. Indeed, we all understand that threats and attacks are international. We as a community have evolved to become incredibly influential in raising the profile of key developments and risks, the shaping of standards, and organizing events and forums that bring this community together at national, regional and international levels.

Looking again to Infosecurity Europe, we have observed that this show has become an important forum for our members to meet. We know of nearly 1,000 who made themselves known at registration and anticipate there were many, many more.

Day two, referred to as ‘Member Day’ by the (ISC)2 EMEA team, played host to a meeting of chapter leaders and our EMEA Advisory Council members, who had travelled from Switzerland, Algeria, Kuwait, France, Croatia, Germany and various corners of the UK. The discussions covered our members’ readiness to manage GDPR, gaps in the existing security discussion around IoT and proposals to enhance our ability to share experience across our region’s network of 32 chapters. Our member reception later that day featured an interactive Town Hall discussion with about 200 attendees where our CEO David Shearer discussed new tools, programmes and benefits to help our global membership develop their skills, elevate the discussions we have with business, and serve as ambassadors to society.

Information security is appreciated as an international concern. The way we behave and the work we do as a profession already ensures that the standards and practices required to face these concerns account for differences in markets and regulatory expectations. I’m confident that, as a community, information security professionals right across Europe will continue to work together.

–Dr. Adrian Davis, CISSP, managing director, EMEA, (ISC)²

[(ISC)² Blog]

Do ISACA Certifications Benefit Employers, Professionals?

ISACA’s website states that “membership sets you apart from other IT professionals by signifying that you are:

  1. Dedicated to best practices and successful results
  2. Committed to professional growth and advancement
  3. Helping to advance your profession
  4. A seeker of professional knowledge and a problem solver
  5. Serious about continuing education
  6. Connected with a highly regarded organization
  7. Part of a global network of peers”

I wanted to see if this was true in the UK.

My reason is that CISA and CISM are widely known—more so than ISACA itself. Many organizations know COBIT and many additional firms use the framework but may not know it comes from ISACA. CGEIT and CRISC are not quite as well known, in comparison, but as a professional organization we have an opportunity to promote these as a substantial solution to better manage cyber-security threats, which have finally hit the board agenda.

ISACA certifications provide a virtuous circle. By getting the governance framework right, it is easier to identify the risks to implement solutions, many based on security controls, and provide value-added assurance from executives and auditors.

The ISACA London Chapter works with Hays, a recruiting firm, to connect professionals and employers. Their UK IT job website shows CISA, CISM and ITIL are ‘must haves.’

This means ISACA reason #3 is true, but do employers recognize the rest?

I asked Hays staff what they thought. They see the expectation for IT audit and security employees at all levels to possess relevant certification. The weighting of certifications depends on several factors:

  • Internal audit divisions expect CISA or CISM of their IT auditors to ensure teams have sufficient IT-related knowledge to hold useful conversations with auditees.
  • More stress is placed on certifications if the team is lean, but…
  • … less if the role is senior management, where others skills and experiences come into play.
  • The certifications requested often reflect those held by the hiring manager.
  • CRISC is becoming important for second line of defense roles, but…
  • CSX is not as well known yet, since it is early days.

It also seems that, in the UK, salaries are related to the role, not the certification. Certifications provide opportunities to obtain roles rather than salary increases. A variation on this is that a strong candidate for a junior role, without certification, may be encouraged to study for one through company sponsorship in lieu of a lower salary. A lapsed certification counts for nothing and is seen as not being committed to the industry. It is worse than not having had it.

An interesting UK trend is an increasing demand for focused, technical knowledge mixed with interpersonal and business knowledge. A range of certifications help here, as IT auditors grapple with complex security controls, for example, or go beyond efficiency in ‘value-for-money’ reviews, such as safety, quality and relevance. In banking, this trend happens at a junior level because the regulatory environment demands assurance and compliance. Outside that industry, a mix of management, professional and business skills happens at a more senior level.

COBIT is well-loved but sometimes treated as a teddy bear—there when you need it and tragic if lost. Thus, the explicit need to show COBIT qualifications is rarely part of the job spec. But it turns out that COBIT is the de facto standard, so deeply entrenched in corporate assurance that there is no need to shout about it. That means experienced IT auditors are expected to be well-versed in COBIT.

Globally, recognition and employer demand for globally recognized certifications seems greater than in the UK. This may be cultural or due to regulatory requirements. In some cases, if opportunities to gain relevant experience are limited, certification is proof of knowledge not obtainable elsewhere.

All well and good, but this is a recruiter’s view. I wanted the employer’s view, which I found at a CISO meeting in London. They said that having no certifications would not automatically exclude a candidate. The choice of certification, and how many, came down to the individual, their aspirations and complementary skillsets.

Slightly contradictory was the expectation that staff with four years’ experience have certifications. They expected less experienced staff not to have them – no time or experience to obtain them – but expected junior staff to study for certifications. More senior roles required broader and/or deeper skillsets. For management, MBAs and professional management programs can help broaden skillsets. The issue was those remaining in technical roles – what professional qualifications were there outside a master’s or doctorate? There seemed to be a gap in the ‘professional training’ market for experienced staff.

The CISOs said the gap between IT and non-IT activity has narrowed through increasing integration, so most IT professionals need to understand the business and develop interpersonal and communication skills. Knowing how the business runs—being able to hold conversations between IT and non-IT—helps get IT right.

It comes down to keeping up to date with trends. Employers look for knowledgeable, experienced professionals who keep abreast of daily organizational IT changes and challenges. Continuing professional education, which is demanded of certification holders, provides comfort to employers. Their staff not only stays up to date, but also have many resources to apply within the organization. ISACA membership benefits support this. We should take full advantage of them.

Editor’s note:  As part of ISACA’s celebration of Women in Technology Month this June ISACA is seeking women in tech to guest blog on the subject of their choice. If you are interested in learning more, please contact news@isaca.org.

Sue Milton, Managing Director, SSM Governance Associates, and Past President, ISACA London Chapter

[ISACA Now Blog]

Tracking Elirks Variants in Japan: Similarities to Previous Attacks

A recent, well-publicized attack on a Japanese business involved two malware families, PlugX and Elirks, that were found during the investigation. PlugX has been used in a number of attacks since first being discovered in 2012, and we have published several articles related to its use, including an analysis of an attack campaign targeting Japanese companies.

Elirks, less widely known than PlugX, is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems. We mostly observe attacks using Elirks occurring in East Asia. One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS. Attackers create accounts on those services and post encoded IP addresses or the domain names of the real C2 servers in advance of distributing the backdoor. We have seen multiple Elirks variants using Japanese blog services over the last couple of years. Figure 1 shows the embedded URLs in an Elirks sample found in early 2016.

Figure 1 Embedded URLs in Elirks variant
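The dead-drop resolver behaviour described above (fetch a blog page, decode the C2 address, connect) leaves a correlatable trace in proxy logs. The Python below is an added example, not code from Unit 42 or the original article: it flags, per internal host, a request to a watched blog service followed shortly by a connection to a bare IP address, over constructed sample log lines; the log format, the watch list of blog hosts and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (sample data, not from the incident):
# timestamp, internal host, destination, method, URL ("-" for CONNECT).
SAMPLE_LOG = """\
2016-06-20T09:15:02 ws-0142 blog.example.jp GET http://blog.example.jp/user/abc123/entry/20160519
2016-06-20T09:15:04 ws-0142 203.0.113.77 CONNECT -
2016-06-20T09:16:30 ws-0077 blog.example.jp GET http://blog.example.jp/user/news/entry/1
2016-06-20T09:25:30 ws-0077 www.example.com GET http://www.example.com/
2016-06-20T10:00:00 ws-0142 blog.example.jp GET http://blog.example.jp/user/abc123/entry/20160519
2016-06-20T10:00:01 ws-0142 203.0.113.77 CONNECT -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Hypothetical watch list of blog/SNS hosts an organization chooses to monitor.
WATCHED_BLOG_HOSTS = {"blog.example.jp"}


def parse_log(text):
    """Parse log lines into (timestamp, host, destination, url) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(5)))
    return events


def find_dead_drop_candidates(text, window_seconds=30, min_repeats=2):
    """Flag hosts that fetch a watched blog page and, within window_seconds,
    open a connection straight to a bare IPv4 address. Requiring the pattern
    to repeat (min_repeats) separates a beacon from a browsing coincidence.
    Returns {(host, blog_url, ip): occurrence_count}."""
    by_host = defaultdict(list)
    for ts, host, dest, url in sorted(parse_log(text)):
        by_host[host].append((ts, dest, url))
    hits = defaultdict(int)
    for host, evs in by_host.items():
        for i, (ts, dest, url) in enumerate(evs):
            if dest not in WATCHED_BLOG_HOSTS:
                continue
            for ts2, dest2, _ in evs[i + 1:]:
                if ts2 - ts > timedelta(seconds=window_seconds):
                    break  # events are time-sorted, so nothing later can match
                if IPV4_RE.match(dest2):
                    hits[(host, url, dest2)] += 1
    return {key: n for key, n in hits.items() if n >= min_repeats}
```

Hosts that legitimately read the same blog will also appear once, which is why the repeat threshold matters; tune the window to the beacon interval you expect.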

In another sample found in 2014, an attacker used a Japanese blog service. The relevant account still exists at the time of writing this article (Figure 2).

Figure 2 Blog account created by the attacker in 2014

Link to previous attack campaign

Unit 42 previously identified an Elirks variant during our analysis of the attack campaign called Scarlet Mimic. It is a years-long campaign targeting minority rights activists and governments. The malware primarily used in this series of attacks was FakeM. Our researchers described the threat’s shared infrastructure with Elirks in the report.

As of this writing, we can note similarities between previously seen Elirks attacks and this recent case in Japan.

Spear Phishing Email with PDF attachment

Figure 3 shows an email which was sent to a ministry of Taiwan in May 2012.

Figure 3 Spear Phishing Email sent to a ministry of Taiwan

The email characteristics were somewhat similar to the recent case (Table 1).

Email Sender
  2012: Masquerades as an existing bank in Taiwan
  2016: Masquerades as an existing aviation company in Japan
Email Recipient
  2012: Representative email address of a ministry of Taiwan, which is publicly available
  2016: Representative email address of a subsidiary company, which is publicly available
Subject
  2012: “Bank credit card statement” in Chinese
  2016: “Airline E-Ticket” in Japanese
Attachment
  2012: PDF file named “Electronic Billing1015” in Chinese
  2016: File named “E-TKT” in Japanese with a PDF icon

Table 1 Email characteristics

When a user opens the attached PDF file, the following message is displayed. The PDF exploits a vulnerability in Adobe Flash, CVE-2011-0611, via Flash content embedded in the PDF, and installs the Elirks malware on the system.

Figure 4 opening malicious PDF attachment

Airline E-Ticket

Attackers choose a suitable file name to lure the targeted individual or organization. In the recent case, the malicious attachment name in the email was reported as “E-TKT”. We found a similar file name in the previous attack in Taiwan in August 2012 (Figure 5).

Figure 5 Elirks executable file masquerading as an E-Ticket folder

When opening the file, Elirks executes itself on the computer and creates ticket.doc to deceive users (Figure 6).

Figure 6 doc file created by Elirks

We’ve also seen another file name related to aviation in Taiwan in March 2012. Figure 7 shows a PDF file named “Airline Reservation Numbers (updated version).pdf”. When the PDF file is opened, it displays exactly the same message as Figure 4, exploits CVE-2011-0611 and installs Elirks.

Figure 7 PDF named “Airline Reservation Number”

Conclusion

Currently, we have found no reliable evidence to indicate the same adversary attacked a company in Japan in 2016 and multiple organizations in Taiwan in 2012. However, we can see some resemblances between the two attacks. In both cases, attackers used the same malware family, crafted spear phishing emails in a similar manner, and seem to be interested in some areas related to aviation. We have been seeing multiple Elirks variants targeting Japan in the last few years, potentially indicating an ongoing cyber espionage campaign. We will keep an eye on the threat actors.

Palo Alto Networks customers are protected from Elirks variants and can gather additional information using the following tools:

  • WildFire detects all known Elirks samples as malicious
  • All known C2s are classified as malicious in PAN-DB
  • AutoFocus tags have been created: Elirks

Indicators:


[Palo Alto Networks Research Center]
