Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
Earlier this week more than 100 participants gathered at the Copenhagen Marriott in Denmark for an emergency meeting on Cyber Crime, coordinated through AmCham Denmark in cooperation with the Overseas Security Advisory Council and partners Deloitte, Palo Alto Networks and Symantec.
We’re pleased to have been part of this important event, titled “Align Business and Security Now” and focused on how to move discussions of security beyond the IT department and into the board room. Along with presentations from the Danish Center for Cyber Security, the U.S. Federal Bureau of Investigation, Deloitte and Symantec, our own Stijn Rommens, systems engineering manager for Northern Europe, discussed why aligning all processes, technology and people — not just perimeter protection — is crucial to an effective security posture.
From left to right: Lars Bennetzen (moderator), Stijn Rommens (Palo Alto Networks), Janus Friis Bindslev (Deloitte), James Hanlon (Symantec), Sigurd Hellums (Palo Alto Networks) and Morten Efferbach (Symantec).
We’re pleased to announce that the PA-7050 Series was named a winner in the Enterprise Firewall category of the Information Security™ magazine and SearchSecurity.com™ 2014 Readers’ Choice Awards, presented by the editors of the two publications.
As noted in Information Security magazine and on SearchSecurity.com, “The Palo Alto Networks PA-7050 received top scores from Readers’ Choice voters for its ability to identify users via directory integration and for the company’s service and support. The firewall’s ability to block intrusions, attacks and unauthorized network traffic; its logging, monitoring and reporting capabilities – and the overall return on investment – impressed Information Security readers.” Read more on why the PA-7050 was a 2014 Readers’ Choice Award recipient.
The 2014 Readers’ Choice Award winners were selected based on an extensive, in-depth survey of Information Security magazine and SearchSecurity.com readers that included over 1,700 information security executives and managers, who were asked to assess and rate products deployed within their organizations from a listing of more than 400 products spanning 22 product categories.
Palo Alto Networks recently announced availability of PAN-OS 6.1, the newest version of our operating system. As with all our operating system releases, there is an amazing list of new features to help our customers better secure their networks, respond more quickly to incidents and reduce operational overhead. Given my focus on cybersecurity for Industrial Control Systems, the one feature I am particularly excited about is the capability of the WildFire appliance, the WF-500, to generate threat prevention signatures on premises.
WildFire is of course a service available in our security platform that isolates suspicious payloads (e.g. executables, MS-Office documents) at the network level, detonates them in our Threat Intelligence Cloud, then sends a report back to the user about the nature of the payload. Not only that, if the payload is malicious, the cloud sends threat prevention signatures (anti-virus, malicious URL, malicious DNS) back to the firewall, essentially converting the unknown threat into a known, stoppable threat.
Many of the critical infrastructure and manufacturing asset owners I work with have told me they like the idea of WildFire and the threat intelligence cloud, but faced constraints in sending files out to the public cloud. Many have general privacy concerns, some have regulatory constraints, and on occasion, they cite the unavailability of an internet connection (airgap).
We are excited to announce that with the release of PAN-OS 6.1 we can now address these concerns via the WF-500’s ability to generate on-premises malware signatures in as little as 5 minutes. This update will come in very handy in securing several perimeters and even internal zone traffic within the automation environment (assuming you have proper segmentation!), and here’s how:
Corporate-to-SCADA perimeter: Some of the traffic which you may be allowing on a limited basis from the Enterprise IT side may be file-bearing. Use the WF-500 to inspect this for malicious content.
Vendor/Partner-to-SCADA: Just because you are using a secure VPN to let your partner or vendor into your SCADA system doesn’t mean the content is secure. Implement a zero-trust model and inspect all traffic.
Operator/Engineering to Server: Files may be introduced by removable media at HMIs and Engineering workstations or via mobile laptops connected in the LAN. Use the WF-500 to detect and block zero days that originate from within.
Inter-plant traffic: Yes, other plants are behind the IT-OT firewall and considered trusted, but again, don’t assume anything and be vigilant of malware that may come from other sites within the organization.
Remember: one WF-500 supports multiple next-generation firewalls, essentially transforming each firewall into a sensor for detecting unknown threats in hundreds of file-bearing applications across standard and non-standard ports, with the ability to automatically prevent them as well. This is a fundamental difference from other detection-only, point solutions which require one or more application-specific sandboxing appliances at each point of inspection in the network, resulting in partial, open-loop security at high costs to you.
WildFire is of course one element of our entire solution. For more details on our complete security platform which spans network security (Next-Generation Firewall), endpoint (Traps Advanced Endpoint Protection) and the cloud (Threat Intelligence Cloud), please feel free to read our brief whitepaper on protecting critical infrastructure.
Like many people, my office tends to be airports and wherever in the world I have traveled. The advent of connected devices, wearable tech and the Internet of Things enables me to be more productive and have more contact with colleagues and friends. This is a good thing.
But at the same time, these amazing advancements are also causing disruption in our lives and workplaces. We don’t always know who has use of or control over our sensitive personal and corporate information. And since new developments are always making their way into the workplace, it is critical that we understand attitudes and actions of consumers as well as the professionals and executives on the front lines of enterprise technology.
ISACA helps build this understanding with its annual IT Risk/Reward Barometer, and the 2014 survey results show some interesting trends with significant implications. For example, 68 percent of US consumers plan to use wearable tech or connected devices at work. But despite the surge in wearable tech at work, only 11 percent of enterprises have a policy that addresses it.
Enterprises need to be aggressively proactive here, and start educating staff on the risks and the opportunities of wearable tech. Devices such as smart watches and glasses collect and transmit information that provides great value. But if this information gets into the wrong hands or is mishandled, it can be used to damage a company’s reputation, financial position, compliance activities and even its existence.
According to the latest IT Risk/Reward Barometer, “increased security threats” and “data privacy issues” are two of the biggest challenges that ISACA members list regarding the Internet of Things.
But along with the inherent risk in the Internet of Things, enterprises are also reaping benefits, such as the 29 percent that have achieved greater accessibility to information and the 26 percent that have used it to improve services. Also, 22 percent have gained efficiencies and improved employee productivity. With new technology there is always the need to balance risks and rewards—and there are plenty of both in the case of the Internet of Things.
To keep tabs on evolving perceptions and trends, ISACA has fielded the IT Risk/Reward Barometer for five years. This survey is unique in that it has two components—a consumer survey and an ISACA-member survey. Globally, more than 4,200 consumers and more than 1,600 ISACA members responded this year, giving us an excellent pool of responses.
Wearable tech, connected devices and other cool advancements in the Internet of Things are making their way into every aspect of our lives. The gates are open and the tide is flowing, and we encourage you to take an “embrace and educate” approach. Having an informed and alert customer/employee/stakeholder base is a key aspect of making connected devices work for you and your enterprise.
I invite you to review the full report, infographic and news announcement for the 2014 IT Risk/Reward Barometer. I need to take off now. My smart refrigerator just told my smart watch that I need to pick up some bread on the way home from the airport.
Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President
Usually attributed to the ancient treatise The Art of War by Sun Tzu, the phrase “Know your enemy” is often repeated in military and security environments and is given as guidance to junior level staff in these environments. While it is good guidance, this article will explore why it is incomplete and why this is important. One reference gives the full quotation, rendered in modern Chinese script as “故曰:知彼知己,百戰不殆;不知彼而知己,一勝一負;不知彼,不知己,每戰必殆” complete with the English translation:
“So it is said that if you know your enemies and know yourself,
you can win a hundred battles without a single loss.
If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself.”
The full quotation provides much fuller and richer guidance and it is important to consider the meaning and impact of the full text. Below I will examine each sentence from the English translation.
“If you know neither yourself nor your enemy, you will always endanger yourself.”
The third sentence reminds us that lack of knowledge is dangerous. If you do not know your own capabilities, structures, processes, strengths and weaknesses it is unlikely that you will be able to use your resources effectively, or be able to resist your own weaknesses being exploited. A lack of knowledge about your enemy could lead you into a false sense of security—or to overestimate the abilities of your enemy—perhaps leading you to direct defences where the attacker is weakest and the attack least likely to succeed even without your efforts. For example, you would not want to concentrate all your defences on a Windows exploit being run against a Linux server. In short, you are totally unprepared for the battle and you may well contribute to your own defeat by making incorrect decisions!
“If you only know yourself, but not your opponent, you may win or may lose.”
The second sentence reminds us that it is only slightly better to know your own strengths and weaknesses. While you will know what you have to work with, and how best to engage your resources, you will not be prepared for the actions of your opponent so it is unlikely that you will be able to effectively direct them to the best effect against the threat. Your opponent will be able to surprise you and you will thus battle to take the initiative. As you will be unlikely to be able to anticipate the actions of your enemy they will find it easier to exploit your weaknesses. Put another way, you will likely be ‘behind the game’ for much of the time and the enemy will dictate the battle.
“…know your enemies and know yourself…”
The first sentence brings this together and essentially advises that you must know yourself and your enemy. This allows you to predict the strategy and attacks of your enemy and counter them with your defences quickly and effectively. While doing this you should also be able to start active defences. For example, you can implement a honeypot to direct them away from your real assets. You may even be able to counter-attack, directing your strengths at the weak areas of your attacker. For example, you can initiate civil action against the ISP that your attacker is using to launch the attack. At the very least you will keep them guessing and they will have to divert resources from attacking you to try to predict or interpret your actions. At its most effective, this will allow you to deflect or counter most attacks quickly and effectively.
Many organisations expend time and effort conducting threat identification and analysis. This is important but only helps you understand your enemies. Technical vulnerability analysis is slightly better in that it helps you understand your weaknesses. It is equally important but less common for organisations to spend time studying themselves. Your own strengths, weaknesses and vulnerabilities contribute as much to the outcome of any battle as do those of your enemy—but you have far greater ability to know yourself—use the opportunity before an attacker does!
To help you start your journey of discovery, I have listed some recommended activities to help you “Know your enemy” and “Know yourself”:
Know your enemy
Threat identification and analysis
Future threats and trends intelligence gathering
Research hacking and attack tools
Install detection and warning systems (e.g., intrusion detection/prevention systems)
Consider implementing honeypots or honeynets
Know yourself
Conduct vulnerability scans and penetration tests.
Review and test incident process, including staff contact details.
Ensure that the asset register and Configuration Management Database (CMDB) are current and complete.
Create baselines for normal conditions (e.g. network utilisation, normal traffic flows).
Review patching and anti-malware update process to identify any weaknesses.
Engage specialist incident management/forensic support (on retainer or pre-paid to ensure quick response when needed).
Richard Norman, CGEIT, CISA, CISM, CRISC
Head of Information Security, Risk and Compliance for the British Council
London, England