Don’t Put Off Till Tomorrow What You Should Start Today (Part 1)

For some, the upcoming EU legislative changes (the General Data Protection Regulation, referred to as GDPR, and the Network and Information Security Directive, referred to as the NIS Directive) may have seemed like they are a long time in coming, since early discussions started back in 2013. Yet as is often the case with such processes, it becomes all too easy to keep holding off from preparing, especially when details are still to be finalized. From current speculation, it seems that both will be documented in the Official Journal of the EU shortly, at which point implementation will officially start; for those who haven’t already started preparing, that should be the final call to action.

The question for many now becomes: Are they at the right place on the journey? Human nature drives us to want to compare ourselves with our neighbors to ensure we are doing the right things, and where there are time deadlines, that we are on track to achieve them.

From a recent webinar run with the industry group ISACA, I took the chance to poll the attendees to gather more insight on organizations’ state of preparation in terms of their cyber security strategies.

With any legislative requirements, the first objective is to be clear on what needs to be done. In this instance both pieces of legislation use the term “State of the Art”, which aligns to the requirement to have security by design and default. Specifically with the GDPR, that requires regard for this to be relevant to the risk.

In the last 12 months, exactly what “State of the Art” means has seemed to be one of the most common questions, as many security practitioners and leaders are typically more confident with granular requirements. But in polling the 1400+ people who registered for the recent webinar, it was found that 64 percent of those who responded now claimed to know what “State of the Art” is. Unlike some other industry regulatory requirements, GDPR and the NIS Directive will likely remain in force for a while. As such, it would be virtually impossible to define detailed requirements; the term is more a placeholder requiring organizations to ensure they keep educated on cutting-edge cybersecurity capabilities and processes.

I have found myself having numerous discussions with other industry experts around how we would be sure that each of our interpretations of “State of the Art” would stand up to an auditor or another company. As such, my guidance would be that whilst we often look at the technical aspects of legislation, it’s important to engage with the business and legal teams in your company to ensure there is consensus on your interpretation of the requirement. Whether we like it or not, we should be prepared to qualify our adherence, be that to an auditor or to an authority, when responding to an incident.

Although it’s great to see that many are comfortable with the concept, there are others who are still getting their heads around the additional responsibility. I suspect more broadly that while the first goal will be to validate and achieve the relevant regard for “State of the Art”, very quickly cyber security leaders will also need to qualify just how long the current interpretation remains the case, as it’s not a one-off goal but an iterative requirement. As such, processes that continue to validate and subsequently apply “State of the Art” must become part of the normal cyber strategy.

The challenge for many is that while we look to prepare for these legislative changes, we still have a day job. Therefore the question becomes: Where does it sit in the priority stack? Here the poll showed that there was a split in views. Thirty-six percent had this in their top 10, and an additional 21 percent had it in their top three. Yet 20 percent were only planning to look at these legislative requirements in 2017, and a further 16 percent were planning to wait until the requirements come into effect in 2018. It would be interesting to see the industry breakdowns here, as I could speculate that those that are already more heavily regulated may be more proactive, as they are used to the process. But from my own experiences, I also have seen regional perceptions of legislation enforcements, especially when the historical variance in enforcement of data protection requirements could be a factor. The goal of harmonization, which was one of the key drivers of GDPR reform, aims to ensure we all abide by the same rules and enforcement guidelines.

My personal guidance here would be that if you haven’t already started to prepare, you should do so now. It takes time to validate the gap analysis (again for those that are already heavily regulated, this may be much smaller than those that are not today), but agreeing on a budget, validating solutions and deploying and testing capabilities all take time.

At an executive level, the natural first question when discussing the proposed new legislation is: What impact does that have on our business? Here the replies to the poll were very broad. Many were still unclear, while others focused on either the brand damage concerns that would likely come from public disclosure of an incident, or concerns around the new penalties for data breaches that have been defined in the GDPR. The very broad scope of responses, I would suggest, should be our biggest concern. If the impact to businesses cannot be clearly defined, how can they be expected to support their cybersecurity teams in investing time and resources to achieve compliance? As such, while it seems confidence is growing when it comes to some of the terminology, such as “State of the Art”, there is still a need to be clearer on the impact of these new regulations. For me this highlights why many are still holding off in terms of making it a priority for 2016.

[Palo Alto Networks Research Center]

DoD Updates Government Security Requirements for Cloud, But What Does That Really Mean?

IT officials from the Department of Defense (DoD) have released an update to the Cloud Computing Security Requirements Guide (CC SRG), which establishes security requirements and other criteria for commercial and non-Defense Department cloud providers to operate within DoD. These kinds of updates are not uncommon. In fact, they are encouraged through an interesting use of a DevOps type methodology – as the DoD explains:

DoD Cloud computing policy and the CC SRG is constantly evolving based on lessons learned with respect to the authorization of Cloud Service Offerings and their use by DoD Components. As such the CC SRG is following an “Agile Policy Development” strategy and will be updated quickly when necessary.

The DoD offers a continuous public review option and accepts comments on the current version of the CC SRG at all times, moving to update the document quickly and regularly to address the constantly changing concerns of an evolving technology like public and private cloud infrastructure. The most recent update includes administrative changes and corrections and some expanded guidance on previously instated requirements, with the main focus on the updates being to clarify standards set in version one and alleviate confusion and any potential inaccuracy.

If you are interested, you can read through the entire CC SRG revision history online.

What is particularly interesting here is the DoD’s acknowledgment that management of cloud environments is constantly evolving, security requirements and best practices need to be iterative, and updates need to be made regularly to ensure relevancy. It’s also important to note that the CC SRG is only one of many government policies put in place to help government agencies securely and effectively implement cloud infrastructures. There are also guidelines like NIST SP 800-37 Risk Management, NIST 800-53, FISMA and FedRAMP to consider. All of these provide a knowledge base for cloud computing security authorization processes and security requirements for government agencies.

What the DoD’s updates to the CC SRG should reinforce for agencies is that they need to have a clear cloud strategy in place in order to ensure compliance and success in the cloud. Determining the best implementation of these guidelines for your needs is difficult in and of itself. Add to that the ongoing management and updates required to keep up with ever-evolving guidelines and an IT team can find itself struggling.

By partnering with systems integrators and software vendors, or working directly with a managed service provider, like Datapipe, government agencies can more easily develop a long-term cloud strategy to architect, deploy, and manage high-security and high-performance cloud and hosted solutions, and stay on top of evolving government policies and guidelines.

For example, Microsoft Azure recently announced new accreditation for their Government Cloud, Amazon AWS has an isolated AWS region designed to host sensitive data and regulated workloads called AWS GovCloud, and you can learn more about our new Federal Community Cloud Platform (FCCP), which meets all FISMA controls and FedRAMP requirements, and all of our specific government cloud solutions on the Datapipe Government Solutions section of our site.

Brian Burns, Bid Response Manager/Government Affairs, Datapipe

[Cloud Security Alliance Blog]

Bucbi Ransomware Is Back With a Ukrainian Makeover

The Bucbi ransomware family, which dates back to early 2014, has received a significant update. In a recently observed attack, we also noted new tactics used to infect systems. The malware has historically been delivered via an HTTP download, most likely via an exploit kit or phishing email. However, in recent weeks, Palo Alto Networks researchers have observed attackers brute-forcing RDP accounts on Internet-facing Windows servers to deliver their malware. Additionally, the malware itself has been modified to no longer require an Internet connection.

Recent ransom notes left on infected systems identify the malware as belonging to the “Ukrainian Right Sector,” a far-right Ukrainian nationalist political party with paramilitary operations that opposes Russia but operates outside of the Ukrainian government’s authority. However, there are a number of Russian identifiers in the recent attacks. Consequently, it is unclear whether the claims of responsibility by the “Ukrainian Right Sector” are accurate and, if so, what the reason behind, and the significance of, the Russian identifiers is.

Infiltration

Unlike many other ransomware families, this particular variant of Bucbi was delivered via an RDP brute force attack. The following five IP addresses (listed again in the Indicators of Compromise section below) were observed attacking the victim machine starting in late March 2016:

  • 31.184.197.69
  • 31.44.191.251
  • 79.117.151.236
  • 46.161.40.11
  • 191.101.31.126

Many common usernames were used in attempted logins in this brute force attack, including a number of point of sale (PoS) specific usernames. It is likely that this attack originally began with the attackers seeking out PoS devices, and after a successful compromise, changed their tactics once they discovered that the compromised device did not process financial transactions. A truncated list of the usernames used in attempted logins can be found below.

  • Administrator
  • Aloha
  • Admin
  • BPOS
  • FuturePos
  • HelpAssistant
  • KahalaPOS
  • Oracle
  • POS
  • SALES
  • SERVER
  • Sqladmin
  • Staff
  • Администратор [‘Administrator’ in Russian]
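The pattern described above (a burst of failed RDP logons from one source, cycling through administrative and point-of-sale usernames) is straightforward to surface from Windows Security event 4625 records. The following is an added example of such detection logic; it is not Palo Alto Networks' code. The event records are constructed for the example, and only the usernames and the attacker IP addresses are taken from this write-up. The threshold, window and the use of logon type 10 to isolate RDP sessions are my choices.

```python
"""RDP brute-force detection over Windows Security event 4625 (logon failure) records.

Added example: the detection logic is the editor's, not Palo Alto Networks' code.
The event records below are constructed; only the usernames and attacker IPs
come from the write-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Point-of-sale usernames from the attempted-login list (lower-cased for matching).
POS_WATCHLIST = {"aloha", "bpos", "futurepos", "kahalapos", "pos"}

# Attacker IPs published in the indicators section of the write-up.
KNOWN_ATTACKER_IPS = {"31.184.197.69", "31.44.191.251", "79.117.151.236",
                      "46.161.40.11", "191.101.31.126"}

# Constructed 4625 records: (timestamp, source IP, target username, logon type).
# Logon type 10 is RemoteInteractive, i.e. an RDP session; type 2 is a console logon.
SAMPLE_EVENTS = [
    ("2016-03-28 02:14:05", "31.184.197.69", "Administrator", 10),
    ("2016-03-28 02:14:06", "31.184.197.69", "Aloha", 10),
    ("2016-03-28 02:14:07", "31.184.197.69", "Admin", 10),
    ("2016-03-28 02:14:08", "31.184.197.69", "KahalaPOS", 10),
    ("2016-03-28 02:14:09", "31.184.197.69", "POS", 10),
    ("2016-03-28 02:14:11", "31.184.197.69", "Администратор", 10),
    ("2016-03-28 03:02:00", "198.51.100.23", "SERVER", 10),   # slow, below threshold
    ("2016-03-28 03:40:00", "198.51.100.23", "Sqladmin", 10),
    ("2016-03-28 09:30:00", "10.0.0.7", "jsmith", 10),        # a real user's typo
    ("2016-03-28 09:30:40", "10.0.0.7", "jsmith", 2),         # console failure, ignored
]


def parse_event(record):
    """Split a constructed record into typed fields."""
    ts, src, user, logon_type = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, user, logon_type


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` RDP logon failures inside any `window`.

    Returns one finding per flagged IP, largest burst first. Each finding records
    how many distinct usernames were tried, which of them are PoS-specific, and
    whether the IP is already a published indicator.
    """
    by_ip = defaultdict(list)
    for record in events:
        ts, src, user, logon_type = parse_event(record)
        if logon_type != 10:          # keep only RDP (RemoteInteractive) failures
            continue
        by_ip[src].append((ts, user))

    findings = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        # Sliding window over sorted timestamps: size of the largest burst within `window`.
        burst, start = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst < threshold:
            continue
        users = {user for _, user in attempts}
        findings.append({
            "source_ip": ip,
            "attempts_in_window": burst,
            "distinct_users": len(users),
            "pos_usernames": sorted(u for u in users if u.lower() in POS_WATCHLIST),
            "known_ioc": ip in KNOWN_ATTACKER_IPS,
        })
    return sorted(findings, key=lambda f: -f["attempts_in_window"])


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

The sliding window matters more than the raw count: two failures 38 minutes apart from the second constructed source stay below the bar, while the six-in-seven-seconds burst from the first source is flagged even though a real user's pair of typos is not. Matching the username list against a PoS watchlist is what turns a generic brute-force alert into the specific "PoS-hunting turned ransomware" signal this write-up describes.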

Once the attackers successfully compromised this specific machine, they dropped an executable file that contains the following PDB string:

C:\inetpub\restartprm\Present\Перед запуском софта\dotNetFx45_Full_setup.exe

The Russian string above roughly translates to ‘Before running software’. Researching the filename above leads us to a number of Russian language forums that are discussing an RDP brute force utility named ‘RDP Brute (Coded by z668)’. While not confirmed, there is a possibility that this tool was used to gain access to the victim machine originally. A screenshot of this utility can be found below:

Figure 1 RDP brute force utility

Malware Analysis

The following sample was discovered on an attempted breach in early April 2016:

MD5: 410E395600C291C59D8C9B93FA82A7F3
SHA1: 2E385E8B8CEB01C9E638F8A95889B571D31AEF41
SHA256: 26F2BF1FC3EE321D48DCE649FAE9951220F0F640C69D5433850B469115C144FE
Timestamp: 2016-04-02 16:40:13 UTC

This particular sample is configured to take one of the following two command-line (CLI) arguments. Should no argument be provided, it will attempt to start a service it expects to exist, named ‘FileService’.

  • /install
  • /uninstall

When provided a CLI argument of ‘/install’, the malware will proceed to create a service with the following properties.

Service Name: FileService
Display Name: File Service
Startup: Auto
Path: [path of malware]

After the service has been successfully created, the malware outputs a printf statement of ‘Installation OK’.

When given a CLI argument of ‘/uninstall’, the malware will remove the previously created service and output a printf statement of ‘Uninstallation OK’.

When the service is run, the malware will generate a number of debugging statements that are written to a randomly named file with an extension of ‘.log’ in the %ALLUSERSPROFILE% directory. An example of this log file is below.

Figure 2 Log file written by malware

The malware begins by seeking out a file in the victim’s %ALLUSERSPROFILE% directory. The filename is generated by a unique algorithm that uses the victim’s volume serial number in conjunction with two 4-byte seeds provided to generate a unique 8-byte sequence. This sequence then has a search/replace performed on it in order to convert it into an alphabetic string. This function is represented below.

The algorithm above makes use of the GOST block cipher to generate a unique filename. GOST is fairly obscure, as it was developed in the 1970s by the Soviet government. It was declassified to the public in 1994. This particular technique for generating a unique filename looks to be specific to Bucbi, as no other malware families have been discovered using it.

The algorithm is used to determine if a key file is present on the victim. If this particular file is not present, the malware proceeds to generate one. Two files are created—one 580 bytes in size, and one 1060 bytes in size. Both files begin with a DWORD of 0x60000, as shown in the screenshot below.

Figure 3 Example key file written by malware
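The two key-file properties stated above (sizes of 580 and 1060 bytes, a leading DWORD of 0x60000) plus the randomly named ‘.log’ file in %ALLUSERSPROFILE% are cheap host-triage checks, and the key files matter doubly because the write-up notes they are never removed after encryption. The following is an added triage script, not Palo Alto Networks' code; the sample directory it builds is constructed with filler bytes, not real key material, and the filenames in it are invented.

```python
"""Host triage for the Bucbi key-file artifact described above.

Added example, not Palo Alto Networks' code. The only facts taken from the
write-up are the two observed key-file sizes (580 and 1060 bytes), the leading
DWORD of 0x60000 and the randomly named .log file in %ALLUSERSPROFILE%; the
sample directory built below is constructed, with filler bytes, not real keys.
"""
import os
import struct
import tempfile

KEY_FILE_SIZES = {580, 1060}
KEY_FILE_MAGIC = struct.pack("<I", 0x60000)   # little-endian DWORD: 00 00 06 00


def is_bucbi_key_file(path):
    """True only if both observed properties hold: exact size and leading DWORD."""
    try:
        size = os.path.getsize(path)
    except OSError:
        return False
    if size not in KEY_FILE_SIZES:
        return False
    with open(path, "rb") as fh:
        return fh.read(4) == KEY_FILE_MAGIC


def scan_profile_dir(profile_dir):
    """Walk a directory (intended: %ALLUSERSPROFILE%) and report candidate artifacts.

    Paths are returned relative to `profile_dir`. The .log files are listed
    separately because a name-only match is weaker evidence than the key-file check.
    """
    key_files, log_files, checked = [], [], 0
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            checked += 1
            rel = os.path.relpath(path, profile_dir)
            if is_bucbi_key_file(path):
                key_files.append(rel)
            elif name.lower().endswith(".log"):
                log_files.append(rel)
    return {"key_files": sorted(key_files), "log_files": sorted(log_files), "checked": checked}


def build_sample_profile():
    """Constructed stand-in for %ALLUSERSPROFILE% containing hits and near-miss decoys."""
    d = tempfile.mkdtemp(prefix="bucbi_triage_")

    def write(name, data):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)

    write("qwvlsk", KEY_FILE_MAGIC + b"\x00" * (580 - 4))      # matches: size + DWORD
    write("pwerqa", KEY_FILE_MAGIC + b"\x00" * (1060 - 4))     # matches: size + DWORD
    write("notes.bin", b"\xff\xff\xff\xff" + b"\x00" * 576)    # right size, wrong DWORD
    write("other.dat", KEY_FILE_MAGIC + b"\x00" * 100)         # right DWORD, wrong size
    write("x7fq2.log", b"constructed debug line\n")            # randomly named .log
    return d


if __name__ == "__main__":
    print(scan_profile_dir(build_sample_profile()))
```

Requiring both the size and the leading DWORD keeps the check specific: the two decoys each satisfy one property and are rejected. On a real host, point `scan_profile_dir` at the value of `%ALLUSERSPROFILE%` and treat a size-and-magic hit alongside a stray ‘.log’ file as a strong indicator that the service described above has run; because the key files survive encryption, they are also the first thing to preserve if recovery via the dormant decryption routine is attempted.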

The cryptography used by Bucbi is still being researched by Palo Alto Networks. After the key files are generated, the malware will spawn a new thread that is responsible for encrypting network resources.

A call to WNetOpenEnum is made to enumerate all network disk resources available. Should a network disk be identified, the encryption routine will be run against this resource. The malware will ignore the following directories, but otherwise will encrypt every file it encounters.

  • C:\WINDOWS
  • C:\Windows
  • C:\Program Files
  • C:\Program Files (x86)

The absence of any file type blacklisting makes this particular malware very inefficient, often taking several minutes before encryption is complete.

Files are overwritten, leaving them with the same filename that was originally present. Unlike other more popular ransomware families, Bucbi does not use a specific file extension for files that are encrypted.

It’s also important to note that the key files that were originally created are not removed. Additionally, the malware includes a decryption routine, which, while never called by the malware, exists and can be used with a simple binary modification to the sample. This would allow victims to recover their files without resorting to paying the ransom.

Once encryption completes, a README.txt file is placed on the victim’s desktop. This file contains the following information:

Figure 4 Ransom message dropped by malware

The BitCoin address mentioned in the above screenshot had received a single payment of 0.00896 BTC at the time of writing. This payment, being so low in value, was likely a test transaction. The email address of ‘dopomoga.rs@gmail.com’ has ties with the Ukrainian Right Sector in a number of external publications, as noted in the following examples.

Figure 5 Facebook post from November 4, 2015

Figure 6 Translated post from sectorpravdy.com

However, as mentioned earlier, there are a number of indications that the actor is of Russian origin or speaks the Russian language, such as the existence of Russian PE resources within the malware executable, as well as the Russian-related files discovered in the attack.

Similarities and Differences With Older Versions of Bucbi

As mentioned earlier, the Bucbi malware family is quite old, dating back to January 2014. Very little public information about Bucbi is available, other than an entry by Microsoft in mid-2014.

When comparing the newly discovered Ukrainian variant of Bucbi to an older sample, we see a number of similarities. Certainly one of the most noticeable similarities comes in the form of a debug string present in both samples:

Ukrainian Variant: C:\Users\admin\Desktop\FileService\FileCrypt\Release\payload.pdb
Older Bucbi Sample: C:\FileCrypt\Release\FileCrypt.pdb

The original filename of ‘FileCrypt’ is present in all observed Bucbi samples. Another glaring similarity comes in the form of how filenames are generated. All samples observed use the same GOST block cipher function mentioned in the malware analysis section. This function has only been observed in Bucbi samples to date.

Additionally, the key files used across samples are consistent, in both size and the leading 0x60000 DWORD value. Coding style is consistent as well across all observed instances of Bucbi.

While these similarities are present, a number of changes have been observed as well. Most notable is the service installation method, as well as the command-line arguments of ‘/install’ and ‘/uninstall’. While the older Bucbi sample also took a command-line argument, it instead searched for the existence of the ‘-e’ parameter.

The implementation of a network-resource encrypt function looks to be new in the Ukrainian variant of Bucbi. Conversely, the use of an HTTP command and control (C2) channel looks to have been removed from this variant. Previous versions of Bucbi, seen as recently as June 2015, made use of a remote server, where victim information and the generated key information was uploaded.

Finally, we also observe a change in ransom notes. The following ransom page is presented to the victim in this older version of Bucbi:

Figure 7 Original Bucbi ransom page

Conclusion

Overall, this proved to be a curious attack, as the attackers originally gained access using techniques common to those of attacks seen against point of sale devices. It appears that once access was acquired, the attackers shifted gears to deploy a new variant of the fairly old Bucbi ransomware family. This particular variant purports to belong to the ‘Ukrainian Right Sector’, a far-right Ukrainian national political party. If true, this would indicate that this particular national political party has entered the ransomware space, potentially to fund their cause. However, various Russian-related strings and references leave doubt as to who exactly is behind this attack. Attribution of this particular attack is difficult, as there simply isn’t enough evidence to conclusively determine who is behind it; the conflicting evidence makes it impossible to say for sure. However, what is clear is that attackers are shifting tactics in how ransomware is deployed, and ensuring their malware is constantly being updated to deter defenders.

Palo Alto Networks customers are protected against this threat in the following ways:

  • WildFire correctly identifies all Bucbi samples as malicious.
  • A Bucbi AutoFocus tag has been created in order to track this malware family.
  • All domains/IPs used in this attack have been flagged as malicious.

Indicators of Compromise

SHA256 Hashes – Ukrainian Variant

26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe
4c698f5a005a74570a10a69a82317b0c87207934fe82907ee7df3348096cd66c

SHA256 Hashes – Original Bucbi

Command and Control Servers – Original Bucbi

bbb.bth.in[.]ua
shalunishka12[.]org
ceckiforeftukreksyxomoa[.]org
87.249.215[.]196
chultolsylrytseewooketh[.]biz

Attacker IP Addresses

31.184.197.69
31.44.191.251
79.117.151.236
46.161.40.11
191.101.31.126

[Palo Alto Networks Research Center]

State and Local Government: 3 Network Security Priorities That Are Getting Lots of Buzz (and 3 More That Should)

I’ve been traveling a lot this spring and talking to provincial and state government leaders both in the United States and abroad about the priorities they have for network security in the next year. We’ve all heard about a number of recent high-profile public sector security breaches. The U.S. National Association of State Chief Information Officers (NASCIO) announced in January that cybersecurity is their #1 priority for the second year in a row. There’s a growing consensus that governments of all sizes are being targeted. State and municipal governments are increasingly concerned about their lack of visibility into zero-day attacks. As they move more services online, governments are investing in cybersecurity efforts to protect citizen information and provide continuous access to services.

While different agencies have many different projects underway, there are several trends that keep coming up in conversation. Here are the top six security priorities I hear from provincial and state governments: three that are generating lots of press, and three more that are flying under the radar.

1. Securing the cloud.

With both the UK and US federal governments adopting a cloud-first strategy, other governments are exploring how they can use the cloud to be more responsive to citizens while reducing overhead. Offloading backups and storage, websites and other citizen-facing applications seem to be common starting points. Many cities are exploring hybrid cloud architectures. However, these convenient services bring with them a host of security questions, by far the largest concern for state and local governments moving to cloud solutions. And although the cloud provider shoulders the responsibility for securing the data at rest, data in transit is often at risk. Encryption is one answer, but there’s concern that encryption could be used to hide data exfiltration or targeted attacks from security sniffers. A good plan for SSL decryption is necessary.

2. Securing SaaS applications.

SaaS is getting a lot of buzz, and government security and IT teams are nervous about the security of these environments. They have no visibility into sanctioned applications, such as Office 365, or unsanctioned SaaS applications, such as Dropbox, that are now commonly used by their employees. Malicious insiders or careless employees can easily use unsanctioned SaaS applications to exfiltrate sensitive data or introduce threats. Often we find malware located within the SaaS environment.

SaaS is a major focus, but it’s also important to note that data center applications are not going away. State and local governments invest in special-purpose legacy applications, and their HR and accounting software still needs protection from zero-day threats and other cybersecurity risks. Many commercial organizations are using virtual segmentation to protect data in their data centers, but governments seem behind in this effort.

3. Harnessing security analytics to prevent successful breaches.

It seems every day more security functions are added to networks, which generates more and more data. What to do with the volumes of data and how best to act on it is a key area of focus for 2016. Many provincial and state governments have network security groups with multi-jurisdictional authority; these groups are looking at how to harness analytics to aggregate security event management, intrusion prevention, and threat intelligence across agencies to improve their overall posture. Smaller municipal governments are looking to outsource these functions to Managed Security Service Providers (MSSPs).

The irony is that many government security organizations feel overworked and understaffed, yet their threat intelligence solutions require precious staff resources to analyze data that does not ultimately prevent threats. The number one objective of threat intelligence—and the best use of talented people—is to prevent attacks on your network immediately, not 24-48 hours after analysis. When we analyze zero-day attacks, our sensors prevent further attacks from that malware within 5 minutes. So the technology is there – it’s important to harness it.

In addition to the three priorities above, public sector leaders are also diligently working on solving some large issues that do not get as much attention or ink:

4. Protecting against incidents caused by insiders.

While outsider attacks get all the press, it’s a poorly kept secret that most public sector security incidents stem from errors or deliberate or unintentional misuse of information by employees or contractors. According to the Verizon 2015 Data Breach Investigations Report, Public Sector, actions by staff were responsible for the majority (63%) of security incidents. But the public sector is not alone, as the 2015 Information Security Breaches Survey commissioned by the UK government revealed that 75% of large organizations—with 500 employees or more—suffered staff-related security breaches in the last year.

5. Securing SCADA.

Teams are rightfully concerned about securing their SCADA infrastructure—especially as they move to more sensors and interoperability across IT and OT. Utilities, traffic controls, emergency services, rail/transportation, and more have operational networks that must be secured. These networks are often running older operating systems that cannot be patched. Virtually segmenting these networks and using anti-exploit technology on the unpatched systems is critical. Some governments are further ahead on this front than others. Relationships between IT and OT teams have improved since I first started engaging the OT side of critical infrastructure, with many teams reporting into the same organization, which improves communication and cooperation. Others have put in place formal communication plans and share a sense of responsibility to the security of the organization’s networks.

6. Fractured Outsourcing.

When teams have limited resources, it makes sense to outsource to a trusted provider, with the emphasis on ‘a’. Government security teams despair over the alphabet soup of providers that own this or that piece of the network. The teams lack visibility and control, and often feel that their leaders don’t understand the grave risk this creates for their networks. Fractured outsourcing also means they cannot take advantage of today’s security technology. Modern security technology helps protect networks by sharing insights across security functions, providing vast improvements to an organization’s threat profile and swifter time to prevention.

If you’re concerned about these or other security concerns, I recommend immediate action on two fronts:

  • Get visibility to what applications are being used on your network, and by what users. With better visibility comes better insight into where you may be vulnerable. Remember, attackers are going to use the path of least resistance and look for your weakest links. This is an important starting point before embracing public or hybrid clouds, SaaS applications, virtualizing your data centers, or other technology initiatives that will impact how you secure your network.
  • Use the Lockheed Martin Cyber Kill Chain® or the Gartner Cyber Attack Chain to evaluate where else you may be vulnerable. These frameworks can help an organization understand their risk profile relative to each step attackers use to get into and move across networks today. With this view, you can make senior leaders aware of gaps in security and begin improving your risk posture.

Palo Alto Networks can help with both of these steps. We recommend a zero-trust approach to your networks that focuses on safely enabling key business functions, such as limiting certain SaaS applications to certain users or departments. With a solid security foundation to build upon, you can confidently embrace today’s newest technologies—such as SaaS, mobility, and even public clouds—to improve citizen services and increase operational efficiency.

Learn more about what we’re doing for governments by visiting the Palo Alto Networks Government resources page.

[Palo Alto Networks Research Center]

Corporate Governance: Evaluating and Directing Value Creation

Organizations are contending with increasingly dynamic and demanding external and internal environments by making good corporate governance accessible and fit for application through the adoption of governance practices that sustain value creation. Governance and management systems are being designed to reinforce and govern a holistic, interrelated set of arrangements that can be understood and implemented in an integrated manner using organizational structures, processes, practices and ethical, conscious behavior.

Governance and Management
Corporate governance is the system through which a governing body exercises ethical and effective leadership to establish:

  1. An ethical culture
  2. Sustainable performance and value creation
  3. Adequate and effective control by the governing body
  4. Trust in the organization, its reputation and its legitimacy

Putting corporate governance into practice requires a holistic and integrated set of arrangements that can be evaluated and directed to create the value stakeholders expect.

Organizations often use a wide variety of resources and governance mechanisms to achieve their purpose, strategic goals and to fulfill stakeholder needs. Leveraging resources requires the establishment of accountability, assignment of responsibility, and transparency and fairness in how work gets done.

The implementation of corporate governance starts with an examination of the roles and responsibilities for decision-making processes, specifically those that impact the achievement of strategic goals. This will reveal who is accountable and who is responsible for the practices and governance mechanisms required to achieve governance outcomes. A governance and management system institutionalizes the organizational structures, processes and ethical, conscious behavior.

Technology and Information Governance
While governing bodies are expected to be proactive in ensuring that information assets are leveraged for growth, there are few tools actually available that provide governing bodies with sufficient oversight. A governance and management system provides an integrated solution that brings the governors and the managers together and provides a holistic approach for them to effectively govern and manage the current and future use of technology and information.

Such a system provides the means to institutionalize the enablers of good corporate governance. People, process, technology and information come together in an integrated governance and management system that enables value creation and supports the achievement of strategic goals.

An organization’s capability to govern and manage is developed within a governance and management system and enhanced through the use of a suitable mix of enablers:

  • Principles, policies and frameworks
  • Processes, practices and activities
  • Organizational structures, roles and responsibilities
  • Skills and competencies
  • Culture and behavior
  • Service delivery components
  • Information management

Orchestration and Choreographing the Practices
Corporate governance is not accessible or actionable if the application of the underlying practices cannot be influenced. To achieve the organization’s purpose and strategic goals and deliver value to the stakeholders, the governing body and executive managers must evaluate and direct the regular and ad hoc daily activities of internal and external parties.

Leadership and organizational structures are of little benefit if they cannot influence the organization’s processes and practices, direct the alignment and prioritization of value delivery, govern risk management, optimize resource usage and track performance.

A governance and management system provides the functionality required to orchestrate those responsible and to choreograph the implemented practices in the way the governing body and management want to direct operations, effectively manage risk, consume resources and comply with regulatory obligations.

Being fit for purpose is paramount. Every governance and management system should be crafted in accordance with size, available resources, and complexity of strategic objectives and operations so that it suits the organization and sustains value creation.

Maintaining a Framework for Governance
Regardless of any technical and organizational arrangements deployed by management, these arrangements will be fundamentally undermined if operated outside an effective risk management and governance regime. It is essential that the implemented corporate governance framework ensures that procedures, personnel, and physical, technical and organizational arrangements and controls:

  • Remain effective throughout the lifetime of service delivery and value creation
  • Are responsive to changes in the services and value delivery propositions, and
  • Change in accordance with threat and technology developments

A documented governance and management system ensures that corporate governance is understood and communicates which practices are required to support service delivery, performance standards, value creation, regulatory compliance and internal controls. Records of assigned responsibilities, current status, analysis, evaluation and completion demonstrate compliance with the selected principles, policies, frameworks, standards, and legal and regulatory requirements applicable to the practices assigned.

The governance and management system incorporates the priority, status, sequence and timing of actions; enables the monitoring of capability, progress and outcomes achieved; and coordinates continuous improvement.

Peter Hill will speak on Governance & Management at EuroCACS in Dublin, 30 May-1 June 2016.

Peter Hill, CISA, CISM, CGEIT, IT Governance Network

[ISACA Now Blog]