Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in the IT/cybersecurity industry across various sectors and positions.
The number and severity of cyber threats in the United States are on the rise, and a new voluntary program aims to increase cooperation among government entities and private-sector organizations looking to reduce these damaging cyber events.
New US legislation promotes and encourages the private sector and the US government to exchange cyber threat information. The legislation also authorizes the information to be shared amongst several US federal agencies, including the Department of Commerce, the Department of Defense, the Department of Energy, the Department of Homeland Security, the Department of Justice, the Department of the Treasury, and the Office of the Director of National Intelligence.
The legislation had a long incubation period, and similar bills were introduced in previous sessions of Congress. The idea was jumpstarted again about a year ago when US President Barack Obama called for cybersecurity legislation in his 2015 State of the Union address. In late April 2015, the House of Representatives passed two separate versions of the legislation, and in October 2015, the Senate followed suit by passing its own version of the bill. A conference committee was convened to hammer out a compromise version, and the bill was tacked onto a large omnibus spending bill in order to make it to the respective chambers for a vote. President Obama signed the measure into law on 18 December 2015.
Under the new law, the sharing of information is completely voluntary on the part of private entities. Shared information must not include personally identifiable information unless that information is directly related to the threat being reported. For those that do share information, legal liability protections are provided so long as the information shared is in accordance with the procedures outlined in the Act.
Most of the specific rules are not initially detailed in the Act. Instead, the Secretary of Homeland Security and the US Attorney General will develop and issue regulations for the requirements and procedures to be followed. Thus, much of the practical effect of the legislation is still unclear.
What is also unclear is how forthcoming the private sector will be in sharing cyber threat information. Prior to the enactment of the legislation, many companies stated that liability protections were a minimum necessary requirement before they would consider sharing information.
Reaction to the legislation was mixed. Some industry leaders welcomed the measure. Several high-profile tech companies along with privacy advocates, however, are not in favor of the legislation, with some worrying that it is a “surveillance act” disguised as a cybersecurity act.
Read a Special Report on the legislation from ISACA’s Cybersecurity Nexus (CSX) for background on the act, as well as survey results on opinions about the Act and whether companies are likely to voluntarily share information.
Montana Williams, Senior Manager of Cybersecurity Practices, ISACA
Managers are obsolete. Mentors are a thing – or should be!
Fortune magazine suggests that companies retire the term “manager.” It is there in black and white on page 52 of a recent issue, in the Growth Guru article titled, “5 Key Trends to Master in 2016.”
According to Fortune, Zappos CEO Tony Hsieh eliminated all of his company’s managers. The author of the article notes that most people are better supervised by their phones than by bosses (something to ponder) and goes on to say that by morphing managers into coaches and having them spend an hour of individual quality time each week with up to 40 employees, companies will get better overall performance than they will from teams with a manager and eight to 10 employees.
Cool idea. The sticking point: Converting managers into mentors and coaches. That is potentially a tough sell to professionals who have fought hard to become a “manager” and for younger professionals who are striving for that first manager title.
Rewarding Achievement
Management gurus and innovative companies suggest that growth and innovation come from developing leadership at all levels and flattening hierarchies. You reward achievement, in contrast to the traditional career trajectory that rewards advancement. With the advancement model, companies overtly or indirectly push people to aim for roles that may not suit their passion or skills because that is the only way to earn more and be recognized. When you flatten organizations and reward achievement, achievers thrive, as does innovation.
Mentors and coaches are critical in achievement-driven companies because they assist employees in developing the skill sets that allow them to achieve, inspire and lead others. The essential knowledge being transmitted by the mentor is the understanding of the enterprise, culture, protocol, perspective of senior management, strategy vs. tactics, and the synthesis of all those elements, which can take years of work and experience with a company to digest, assimilate and fully understand. Not that mentors are spoon-feeding mentees, but the best of them offer the boiled-down essence of what one needs to know to progress. The information empowers mentees to be more creative, think outside the box and take more (and appropriate) risks. These actions benefit the enterprise and accelerate careers in a positive direction.
Everyone Benefits from Mentoring Process
The exciting thing about mentoring is that it works well in both directions: experienced people mentoring more junior staff and more junior staff offering their expertise (particularly with IT) to senior professionals. The concept of “reverse mentoring,” pioneered at GE, has been driving knowledge transfer and improved collaboration across companies large and small.
As we start thinking about career and life goals for 2016, put mentoring on your personal development agenda. Have two goals:
Find a mentor who will help you further develop your institutional and business savvy.
Look for someone junior who you can mentor.
Research has shown that those who receive mentoring build their careers faster and are more satisfied with the direction their career is going. Research also shows that those who mentor others are recognized as leaders and are more positively perceived within their organizations. This is a win-win no matter what kind of company you work for, and you will find yourself ahead of the curve as the mentor/coach leader paradigm (gradually) becomes a dominant business model—which it will.
Resolve to Get Involved in 2016
Finally, you have to know the power of mentoring. Social scientists at Harvard, UC Berkeley, Stanford and other major research universities are finding important links between happiness and gratitude. Mentoring is a dynamic process that engages us in receiving a gift of wisdom from another, for which we feel grateful and happy. When we mentor, we pay it forward and help someone who will benefit from our knowledge. This is a powerful cycle that generates happiness, effectiveness and job satisfaction. If you make only one career resolution in 2016, make it this one: get involved in mentoring.
For more about mentoring—the process, how to find a mentor, how to be a good mentee, how to mentor effectively, and more—join us for ISACA’s webinar on mentoring, 12PM (EST) / 17:00 (UTC), Wednesday, 20 January 2016. Click here for more details.
As 2015 draws to a close, I want to share with you some reflections on what has been a busy and engaging first full year for me as your CEO. I am inspired by what I have observed, the conversations I have had and, most importantly, the warm welcome from the many of you whom I have been fortunate enough to meet.
I have traveled extensively this year to meet with ISACA members, certification holders, volunteers, chapter leaders, and business and government leaders from around the globe. No matter where I was—from the European Parliament and the White House Summit on Cybersecurity, to meetings with government leaders in Africa, India, Israel and elsewhere—one theme was constant: ISACA has growing visibility, influence and impact, and is increasingly being recognized for the role we play as a professional community in supporting and enabling global economic prosperity.
With insights obtained from these meetings, as well as our investment in environmental scanning and market research, the ISACA Board of Directors, under the leadership of International President Christos Dimitriadis, is placing its finishing touches on a refined strategy that will be shared with our chapter leaders at the Global Leadership Summit in April 2016. This strategy will focus on increasing ISACA’s reach, relevance and advocacy to make us a stronger voice for our professions. We will develop new robust products and services for all of our core technical areas—assurance, cybersecurity, risk, governance and more. There will be further investment in extending our global reach by engaging with you locally in more areas of the world than ever before (for example, the first Africa CACS will take place in 2016).
As business enablers, your roles are being shaped by changes in technology. With technology now the lynchpin of innovation and economic value, ISACA professionals have both the opportunity and the responsibility to use your technology-based knowledge and expertise to help transform your organizations. This includes playing a leadership role in keeping your organizations and its people safe from the increasing pressures of cyberattacks. Cybersecurity continues to grow as a matter of global economic security and a public safety issue. To support your efforts, we continue the build-out of ISACA’s Cybersecurity Nexus (CSX), having launched our inaugural CSX conference and our first performance-based CSX Practitioner certification during the second half of 2015.
You are an important part of ISACA’s global community of over 140,000 professionals. As we transition into the new year, I encourage you to leverage both ISACA’s products/services and the power of our community on a local, national and global level to reinforce the value that you deliver to your organization. May 2016 be your most successful year yet!
On behalf of the ISACA Board of Directors and its employees, it has been a privilege to serve you this past year. We all wish you a very happy, healthy, prosperous and safe new year.
Palo Alto Networks was recently credited with discovery of two new vulnerabilities affecting Adobe Flash Player.
Researcher Hui Gao discovered critical vulnerabilities CVE-2015-8443 and CVE-2015-8444. Descriptions of each, as well as details on affected versions and products, are included in an Adobe Security Bulletin dated December 8, 2015. Adobe has released security updates for Adobe Flash Player.
Palo Alto Networks is an active contributor to vulnerability research, including regular discoveries of critical vulnerabilities affecting Adobe Flash, Adobe Shockwave and Microsoft Internet Explorer. By proactively identifying vulnerabilities, developing protections for our customers, and sharing them with Adobe, Microsoft and others for patching, we are removing weapons used by attackers to compromise enterprise, government and service provider networks.
App-ID is a critical feature of our next-generation firewall. It’s one of the features, in fact, that led to the market’s acceptance of next-generation firewalls and established Palo Alto Networks as a clear leader. This post will provide a few use cases to highlight App-ID’s purpose and power and why it’s foundational to our prevention-based approach to security.
Single Pass Parallel Processing is what allows Palo Alto Networks to maintain performance while using all of the firewall’s available features. User-ID integrates identities into the platform giving administrators the ability to create security policies with a source attribute of users and groups in addition to the typical IP address. User-ID also enables administrators to quickly identify who is doing what in an environment during an investigation. Many other features, including Content-ID and SSL Decryption, help make Palo Alto Networks the next-generation security platform that it is.
App-ID provides visibility into the applications being used in the environment regardless of the port. Once visibility is available, control can be achieved. App-ID uses all of the information provided by a stream of network traffic and uses a combination of IP addresses, ports, transaction characteristics, protocol decoders, heuristics, decryption, and more to identify the application.
Safe Application Enablement
Today’s widespread acceptance of SaaS applications is a challenge for IT because those applications are managed by a third party and the data is being stored in that third party’s data center.
One way to manage this type of SaaS while still providing users with the flexibility they want is to choose a cloud-based file collaboration solution that allows for identity directory integration. Microsoft OneDrive, Google Drive, and several other solutions offer identity integration.
Take Box.com as the example. When a user is added to the directory server they are also enabled with a Box.com account. When a user leaves an organization for whatever reason and directory accounts are disabled, so is the user’s access to all of those files in the Box.com cloud. Furthermore the IT administrator can change the password and gain access to the files.
The residual challenge is that even though the organization has standardized on Box.com there is nothing preventing users from uploading corporate data to other SaaS solutions.
This is one of many places where App-ID can help. A security policy can be implemented to allow access to Box.com with the source of all authenticated users. In the same policy we will then decrypt the SSL traffic. We can see whether people are uploading, downloading or both, as well as determine if known or unknown threats are being transmitted, and block them. This is all configured in a single policy.
People also use cloud-based file collaboration tools for personal data. We don’t want to stop them from listening to their music or sharing pictures of their family vacation – we want to safely enable them to do those things. As a second security policy we would permit all users to the application sub-category filesharing. However, we will decrypt the SSL traffic to gain visibility into what is happening in the sessions. If they are downloading non-malicious files, we are OK with that. If they download something malicious it will be blocked. And we can add a File Blocking profile that only permits downloads and not uploads.
The result? People can use the applications they have become accustomed to, and the organization prevents malware from getting into the network and data from going to unmanaged and undesirable destinations.
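The two policies just described (a sanctioned file-collaboration service with full access for authenticated users, and every other file-sharing application in download-only mode with threat blocking) can be modelled as a small first-match rulebase. The following is an added example written for this post, not Palo Alto Networks code or PAN-OS configuration: the application names, the sub-category label and the session records are constructed, and the threat verdict is assumed to come from a separate inspection step after decryption.

```python
"""Toy first-match rulebase modelling the two App-ID style policies above.

Added example, not PAN-OS configuration.  Application names ("box",
"google-drive"), the sub-category label "filesharing" and all session
records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    user: Optional[str]        # None = no authenticated user mapped to this source
    app: str                   # application identified after SSL decryption
    subcategory: str           # application sub-category
    direction: str             # "upload" or "download"
    threat_verdict: str        # "benign", "known-malicious" or "unknown-malicious"


@dataclass(frozen=True)
class Rule:
    name: str
    require_auth: bool                 # source = all authenticated users
    app: Optional[str]                 # exact application, or None to match by sub-category
    subcategory: Optional[str]
    allowed_directions: FrozenSet[str] # what the attached file blocking profile permits


# Policy 1: sanctioned service, authenticated users, uploads and downloads.
# Policy 2: any file-sharing application, anyone, downloads only.
POLICY: List[Rule] = [
    Rule("allow-box-authenticated", True, "box", None, frozenset({"upload", "download"})),
    Rule("allow-filesharing-download-only", False, None, "filesharing", frozenset({"download"})),
]


def evaluate(session: Session, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (verdict, reason).  The first rule whose match criteria fit wins,
    and only that rule's profiles (threat prevention, file blocking) apply."""
    for rule in policy:
        if rule.require_auth and session.user is None:
            continue
        if rule.app is not None and session.app != rule.app:
            continue
        if rule.subcategory is not None and session.subcategory != rule.subcategory:
            continue
        # Rule matched: profiles are evaluated on the decrypted session content.
        if session.threat_verdict != "benign":
            return "block", f"{rule.name}: threat profile blocked {session.threat_verdict} content"
        if session.direction not in rule.allowed_directions:
            return "block", f"{rule.name}: file blocking profile denies {session.direction}"
        return "allow", rule.name
    return "block", "no matching rule (implicit deny)"


# Constructed sessions covering the cases discussed above.
SESSIONS: Dict[str, Session] = {
    "alice-box-upload":           Session("alice", "box", "filesharing", "upload", "benign"),
    "alice-gdrive-download":      Session("alice", "google-drive", "filesharing", "download", "benign"),
    "alice-gdrive-upload":        Session("alice", "google-drive", "filesharing", "upload", "benign"),
    "alice-gdrive-malware":       Session("alice", "google-drive", "filesharing", "download", "known-malicious"),
    # Unauthenticated source using the sanctioned app: policy 1 does not match,
    # so the session falls through to the download-only rule.
    "unmapped-box-upload":        Session(None, "box", "filesharing", "upload", "benign"),
}


def verdicts() -> Dict[str, str]:
    """Verdict per constructed session, in rulebase order of evaluation."""
    return {name: evaluate(s)[0] for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, session in SESSIONS.items():
        verdict, reason = evaluate(session)
        print(f"{name:26s} {verdict:5s}  {reason}")
```

The last session is the one worth noticing: a source with no User-ID mapping never matches the sanctioned-service rule, so it is handled by the download-only rule even though the application is the corporate one. That is the intended behaviour, and it is why the authenticated-users source on the first policy matters.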
Operational Efficiency
Compared to the way traditional firewalls work, App-ID can drastically reduce the amount of security policies needed.
Most routers, switches, SANs and network security, among other network infrastructure technologies, have dedicated management interfaces. These products run a standard service like a web server but do so on various ports: 80, 8080, 8888, 7000, the list goes on.
With a legacy firewall a security policy will need to be implemented with both a source network of the LAN and the destination network of the management network. Each of the ports would then need to be configured as a custom object and added to the destination services to permit the traffic. This is a cumbersome and outdated way of doing things. And it could also lead to undesirable traffic.
Because App-ID doesn’t rely exclusively on ports, this rule could be consolidated to include just a single application — web browsing — rather than each of those ports individually. When permitting the application web browsing from the LAN into the management network you have the option to use the default port (80) or any port. By using any port the Palo Alto Networks appliance will determine if this really is regular web-browsing to a web server and if so permit the traffic. As in the previous example, you could also decrypt the SSL if it is enabled, prevent anything known to be malicious, and control uploads and downloads.
Preventing Malicious Activity
Users and malicious actors misuse or exploit regular TCP and UDP services to bypass security controls.
For example, regular users may want to get to a website that is prohibited by the security infrastructure. They will find or set up an HTTP proxy server of their own outside of the firewall. They configure their browser to point to their HTTP proxy server so that all requests will be sent over HTTP to that proxy server. The security infrastructure will simply see HTTP requests to some random destination on the Internet (the proxy server) and permit them. The proxy server then makes the connection to the desired website and responds to the user with that data. The security infrastructure typically only sees HTTP requests.
A malicious user or malicious piece of software will eventually want to exfiltrate data. In many cases attackers will have an FTP server in the attacker’s network to which they dump data. If the FTP protocol is not permitted out of the compromised network, the attacker will find a service that is permitted, such as DNS, HTTP, or SSL. From there, attackers can easily change the port number on their FTP server to something that is allowed out of the compromised network, and the data can be transferred.
Using App-ID prevents both of these issues. When the application web-browsing is permitted, App-ID can tell the difference between visiting a normal website and HTTP being used to wrap and proxy traffic to a different destination. There is an http-proxy application that could be used if there is a legitimate proxy server in the environment. Likewise, when an attacker attempts to use DNS (UDP/TCP port 53) to disguise FTP traffic, App-ID will identify this and the traffic will not be permitted unless it is actual DNS.
Application firewalling is a critical component of any network infrastructure today, but it’s just one piece of the puzzle. User-based security policies, visibility into encrypted traffic, prevention of known and unknown malicious behavior, and the ability to architect the same solution everywhere are also part of what makes Palo Alto Networks a true platform that can go well beyond the outmoded approaches provided by stateful inspection firewalls, endpoint products and UTM appliances.
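To make the difference between the two rule styles concrete, here is an added example covering both the Operational Efficiency section (one application rule instead of one service object per management port) and the Preventing Malicious Activity section (HTTP proxying and non-DNS traffic on port 53). It is a toy classifier written for this post, not App-ID itself: it looks only at the first client bytes of a session and uses three simple signatures, whereas App-ID combines many more signals. The flows are constructed, and the allowed-port and allowed-application sets are assumptions.

```python
"""Port-based rule vs. application-based rule over the same constructed flows.

Added example, not Palo Alto Networks code.  identify() is a deliberately
small stand-in for App-ID: it classifies a session from its first
client-to-server bytes, regardless of destination port.
"""
import re
import struct
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes   # first client-to-server bytes of the session


_HTTP_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
_FTP_CLIENT_COMMAND = re.compile(rb"^(USER|PASS|STOR|RETR|PASV|PORT|TYPE) ")


def _looks_like_dns_query(p: bytes) -> bool:
    """Header with QR=0, opcode 0, exactly one question whose name parses
    cleanly and whose QCLASS is IN.  Anything else on port 53 is not DNS."""
    if len(p) < 12 + 1 + 4:
        return False
    _id, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!6H", p[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1 or ancount or nscount:
        return False
    i = 12
    while True:                      # walk the QNAME labels
        if i >= len(p):
            return False
        n = p[i]
        if n == 0:
            i += 1
            break
        if n > 63:                   # compression pointers do not appear in a query name
            return False
        i += 1 + n
    # QTYPE + QCLASS(IN) must close the question section exactly.
    return len(p) == i + 4 and p[i + 2:i + 4] == b"\x00\x01"


def identify(flow: Flow) -> str:
    """Return an application name derived from payload only (port is ignored)."""
    p = flow.payload
    m = _HTTP_REQUEST_LINE.match(p)
    if m:
        method, target = m.group(1), m.group(2)
        # A browser talking to an HTTP proxy sends an absolute URI (or CONNECT),
        # not the origin-form path a normal web server receives.
        if method == b"CONNECT" or re.match(rb"^[a-z][a-z0-9+.-]*://", target):
            return "http-proxy"
        return "web-browsing"
    if _FTP_CLIENT_COMMAND.match(p):
        return "ftp"
    if _looks_like_dns_query(p):
        return "dns"
    return "unknown"


# Legacy style: permit by destination port (assumed allowed set).
ALLOWED_PORTS = frozenset({53, 80, 443})
# Application style: permit by identified application, any port (assumed allowed set).
ALLOWED_APPS = frozenset({"web-browsing", "dns"})


def port_rule_allows(flow: Flow) -> bool:
    return flow.dst_port in ALLOWED_PORTS


def app_rule_allows(flow: Flow) -> bool:
    return identify(flow) in ALLOWED_APPS


def _dns_query(name: str) -> bytes:
    """Constructed DNS A query for `name` (header + question section)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + b"\x00\x01\x00\x01"


# Constructed flows: normal browsing, a management UI on a non-standard port,
# browser-to-proxy requests on port 80, real DNS, and FTP commands sent to port 53.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "web-80":         Flow(80,   b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "mgmt-web-8080":  Flow(8080, b"GET /login HTTP/1.1\r\nHost: switch01.mgmt.example\r\n\r\n"),
    "proxied-web":    Flow(80,   b"GET http://site.example/ HTTP/1.1\r\nHost: site.example\r\n\r\n"),
    "proxied-tls":    Flow(80,   b"CONNECT site.example:443 HTTP/1.1\r\nHost: site.example:443\r\n\r\n"),
    "dns-53":         Flow(53,   _dns_query("www.example")),
    "ftp-on-53":      Flow(53,   b"USER anonymous\r\n"),
}


def verdicts() -> Dict[str, Tuple[str, bool, bool]]:
    """Per flow: (identified application, port rule allows?, app rule allows?)."""
    return {n: (identify(f), port_rule_allows(f), app_rule_allows(f)) for n, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (app, by_port, by_app) in verdicts().items():
        print(f"{name:14s} app={app:12s} port-rule={'allow' if by_port else 'deny':5s} app-rule={'allow' if by_app else 'deny'}")
```

The two rows to compare are mgmt-web-8080 (denied by the port rule until someone adds another service object, allowed by the application rule because it really is web browsing) and ftp-on-53 together with the two proxied flows (allowed by the port rule, denied by the application rule because the bytes are not DNS and not origin-form HTTP). Real App-ID uses decoders and heuristics well beyond these three signatures, so treat identify() as an illustration of the principle, not as a detection signature to deploy.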
Look out for future posts where we take a deeper dive and provide examples of how other components support the platform.