Side-step Shellshocks the “5+2” Way—3 Lessons for You

Security professionals were largely blindsided by Shellshock. Was there a process by which it could have been more easily found? Yes, 3 lessons can help business and IT leaders help their security teams get ahead—and protect the public from the attack of the high tech toaster oven.

Shellshock is the popular name for a vulnerability (not, strictly, an exploit) in the UNIX Bash shell, first released in 1989. “Bash” stands for “Bourne-again shell,” where “Bourne” refers to the shell Stephen Bourne wrote at Bell Labs in 1977 to replace an earlier shell. A “shell” provides a way, originally a command line, for a person to access operating system functions.

Lesson #1: Be “old school,” use what you know to ask “how?” and “why?”

Tech-savvy business and even IT leaders can feel intimidated by new tech. Yet old school often helps. Shellshock exploits a bug in code that is about 25 years old, dating back to Bash’s earliest releases. Further, many people forgot that a key feature of the Bourne shell was scripting, similar to the macros that automate simple tasks in word processing and spreadsheet documents.

Scripting should ring a bell as one of the first tools used by hackers; black hat newbies are called “script kiddies” because they run attack scripts written by others. A script kiddie who knows another scripting language will easily find this family of shell scripting tools, even in dusty IT books.

The black hat systematic search for knowledge must be answered by your systematic race to find that knowledge first. Controls are the wrong tool for the job.

Lesson #2: Shell games and war games

“Shall we play a game?” You might have been puzzled by this question from Black Widow to Captain America in Captain America: The Winter Soldier (2014). If you are a film buff, you would remember the question posed in WarGames (1983) by the military computer WOPR to a young gamer played by Matthew Broderick.

The world was saved because Broderick’s character grasped how the system worked. This reminds us to know “how it works,” confirm old code is good code, and war game our way to prevention with the systems-aware 5+2 Risk Management Cycle. For more film lessons, see Managing Risk in Reel Time.

Lesson #3: Evaluate your environment and capabilities

Step 1 in the 5+2 Risk Management Cycle is “Evaluating Environment and Enterprise Capabilities.” Business leaders often say “Know your business!” For IT pros, it is “know your code,” including the environment variables that code consumes.

Shellshock gets its power from how Bash handles environment variables. Bash exports shell functions to child processes as environment variables whose values begin with “() {”, and a vulnerable Bash kept parsing past the function body and executed whatever commands followed it. Any service that copies attacker-controlled input into the environment of a Bash process, such as a web server handing HTTP headers to a CGI script, therefore gives the attacker remote command execution with a one-line script. The black hats knew the system better than the white hats.
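The two checks below are an added example and are not part of the ISACA article. The first runs the widely used harmless probe against a Bash binary: an exported function definition followed by a trailing command, which a vulnerable Bash executes and a patched Bash ignores. The second applies the same “() {” marker as a detection rule to a set of constructed HTTP request headers, on the assumption that a CGI front end copies every header into the environment (HTTP_USER_AGENT, HTTP_REFERER, and so on). Header values and the `SAMPLE_HEADERS` block are constructed for illustration; the payloads only echo a marker.

```shell
#!/bin/sh
# Added example (not from the ISACA article). Bash passes shell functions to
# child processes as environment variables whose value starts with "() {".
# A vulnerable Bash kept parsing after the function body and executed the
# text that followed it, so any attacker-controlled string that reaches a
# Bash process's environment becomes a command.

# probe_bash [bash-binary]
# Prints "vulnerable" if the trailing command in the exported function runs,
# "patched" if Bash ignores it, or "no-bash" if the binary is not found.
# The payload only echoes a marker; nothing on the host is modified.
probe_bash() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # x is a function definition followed by a trailing command. A patched
    # Bash warns on stderr ("ignoring function definition attempt") and runs
    # only the -c command; a vulnerable one also runs the trailing echo.
    out=$(env x='() { :;}; echo marker-executed' "$bash_bin" -c 'echo body-ran' 2>/dev/null)
    case "$out" in
        *marker-executed*) echo "vulnerable" ;;
        *)                 echo "patched" ;;
    esac
}

# flag_shellshock_headers
# Reads "Header: value" lines on stdin and prints the names of headers whose
# value begins with the function-definition marker "() {" (spaces optional).
# This is the signature most IDS/WAF rules keyed on in September 2014.
flag_shellshock_headers() {
    grep -E '^[^:]+:[[:space:]]*[(][)][[:space:]]*[{]' | sed 's/:.*//'
}

# Constructed sample request headers (assumption: a CGI front end copies each
# header into the environment). The payloads are illustrative and only echo.
SAMPLE_HEADERS='Host: www.example.com
User-Agent: () { :;}; echo probe
Accept: */*
Referer: () { ignored;}; echo probe
Cookie: session=abc123'

# flagged_in_sample: space-separated names of the flagged headers in the sample.
flagged_in_sample() {
    printf '%s\n' "$SAMPLE_HEADERS" | flag_shellshock_headers | tr '\n' ' ' | sed 's/ $//'
}

echo "bash probe: $(probe_bash)"
echo "headers carrying a function-definition marker: $(flagged_in_sample)"
```

The probe covers only the original parser bug; the first Bash patch was incomplete and related parser bugs were fixed in later releases, so a “patched” result here is not a substitute for confirming the vendor’s latest Bash package is installed. The header check is a triage aid for logs and inline inspection, not a fix: the fix is patching Bash and not passing untrusted input through a shell at all.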

The error in so many risk management processes is they skip steps—failing to use the 5+2 Risk Management Cycle to be systematic. This was a key point in the recent workshop at the ISACA San Francisco Chapter.

The 5 continual steps of the 5+2 Risk Management Cycle are:

  1. Evaluate the environment and enterprise capabilities—“Know the business.”
  2. Seek scenarios—rigorously ask, “What if?”—the heart of managing risk
  3. Watch for warnings
  4. Prioritize
  5. Improve position in environment and/or capabilities

The “+2” are about reacting to warning signs and recovering.

The 5+2 Risk Management Cycle applies to business strategy and product management as well as cyber war. Thus, business leaders can use a familiar approach to guide their IT teams.

We’ll be discussing this at the New York Metro Joint Cybersecurity Conference (7 October) and ISACA Curacao Chapter Conference (15-17 October). Join us. Together, we can make a difference.

Brian Barnier, ValueBridge Advisors, has served ISACA in a range of roles. He is the author of The Operational Risk Handbook, at the ISACA Bookstore. Brian@valuebridgeadvisors.com

[Source: ISACA]

Palo Alto Networks Again Revolutionizes Enterprise Security with the Introduction of Advanced Endpoint Protection Offering

Offers Preventative Approach to Stop Cyber Threats at the Endpoint

Palo Alto Networks, Santa Clara, CA, Sep 30, 2014 at 5:00:00 AM
Santa Clara, Calif., September 30, 2014 – Palo Alto Networks® (NYSE: PANW), the leader in enterprise security, today announced the availability of Traps, a revolutionary and unique Advanced Endpoint Protection offering designed to prevent sophisticated cyber attacks on endpoints, sparing IT security teams from cumbersome remediation, patching, and often futile recovery scrambles.

Despite major advances in network security, endpoints remain vulnerable to many advanced attacks, especially as increasingly mobile workforces move outside protected enterprise networks.  Legacy endpoint security products require prior knowledge of a threat in order to prevent it, or worse, use an approach that only identifies a new threat after it has compromised the endpoint.

This reactive model results in a never-ending chase after the thousands of new malware attacks that emerge each day, as well as the expanding number of software vulnerabilities that can be used to exploit an endpoint.  These approaches offer little hope or possibility of recovering data that has already been hijacked by an attacker.  Putting an end to the reactive run around, Traps proactively prevents attacks on the endpoint, including unknown malware and zero-day exploits, before they do any damage.

QUOTES

  • “The key differentiator with Traps is its ability to automate the process of protecting the endpoint. Most of the products in the industry today largely deal with informing us that there’s a problem and little more; that leaves us to manually deal with the effort of remediating the endpoint, takes time and leaves us vulnerable.  With Traps, that is done automatically and it is done nearly instantaneously, which is a major win.”

— Golan Ben-Oni, CSO and SVP Network Architecture, IDT

  • “The proven effectiveness of the Traps endpoint capability over other heuristic and signature-based approaches, together with Palo Alto Networks WildFire and next-generation firewall, makes the secure enablement of our entire business possible.”

— Dr. Andres Rohr of RWE Supply & Trading

  • “With the introduction of Traps, we are redefining the endpoint security market much like we did the network security market with our next-generation firewall.  Traps and our platform as a whole are designed to revolutionize enterprise security by putting prevention front and center, closing the door on cyber threats before they can get in and cause damage.”

— Lee Klarich, senior vice president of Product Management at Palo Alto Networks

Since the acquisition of Cyvera and the technology behind Traps, Palo Alto Networks has expanded global support and services operations to meet enterprise customer needs, and completed several key enhancements, including:

  • Integration with Palo Alto Networks WildFire – Traps blocks malware by leveraging the full knowledge of Palo Alto Networks Threat Intelligence Cloud;
  • Added exploitation and malware prevention modules – extends Traps support to include the latest attack techniques; and
  • Enhanced forensics – provides a rich set of reporting for better visibility and understanding of attacks that were prevented.

Natively Integrated Platform Extends Protection Enterprise-wide

The integration of Traps with the Palo Alto Networks Threat Intelligence Cloud brings security of the network and endpoint together under a single common architecture, known as the Palo Alto Networks enterprise security platform, and delivers unparalleled enterprise-wide security and automated threat prevention capabilities, reducing risk across an organization at every stage in the attack kill chain.  It also eliminates management complexity and myopic point product-related security silos that can leave gaping holes in an organization’s security posture.

Availability 

Traps Advanced Endpoint Protection, offered as a subscription service, is available now from authorized Palo Alto Networks channel partners.  The offering is inclusive of all functionality including exploit prevention, malware prevention through WildFire integration, forensics, and premium support.

To learn more about Traps Advanced Endpoint Protection from Palo Alto Networks, visit:

About Palo Alto Networks

Palo Alto Networks is leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats.  Unlike fragmented legacy products, our security platform safely enables business operations and delivers protection based on what matters most in today’s dynamic computing environments: applications, users, and content.  Find out more at www.paloaltonetworks.com.

Palo Alto Networks and the Palo Alto Networks Logo are trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.

Media Contacts:
Jennifer Jasper Smith
Head of Corporate Communications
Palo Alto Networks
408-638-3280
jjsmith@paloaltonetworks.com

Bob Nelson
Voce Communications
408-201-2402
bnelson@vocecomm.com

The Time Has Come: Advanced Endpoint Protection is Here!

POSTED BY: on September 30, 2014 5:15 AM

FILED IN: Announcement, Cybersecurity, Endpoint, Mobility

It’s not often a company has an opportunity to disrupt an entire industry…. twice.  When we introduced the first next-generation firewall back in 2007 we set out on a path to redefine the network security market.  Today, over 19,000 organizations rely on Palo Alto Networks to protect their networks against the most sophisticated, targeted attacks.

We take our responsibility to those organizations very seriously, and today we’re announcing an important next step: Advanced Endpoint Protection.  If we’ve learned anything from the recent round of breaches, it’s that endpoints remain highly vulnerable to attacks.  Even the most advanced network security architectures can’t protect against every threat vector.  And legacy endpoint security approaches that rely on prior knowledge of the threat, or active scanning, are simply ill equipped to protect organizations from this new era of attacks.

Today marks the official launch of Traps, an Advanced Endpoint Protection solution that truly tears the covers off traditional approaches and exposes them for what they are: misguided attempts at addressing a very real problem.  This isn’t just a product launch. This is the beginning of a new market: a market defined by its ability to turn the tides and rebuild lost confidence, and a market grounded on the principle that attacks can be prevented.

This new Advanced Endpoint Protection market will be defined by solutions that can deliver on the following:

  • Must be able to prevent all exploits, including those utilizing unknown zero-day vulnerabilities
  • Must be able to prevent all malware, without requiring any prior knowledge
  • Must provide detailed forensics against prevented attacks to strengthen all areas of the organization by pinpointing the target and techniques used
  • Must be highly scalable and lightweight to seamlessly integrate into existing operations with minimal to no disruption
  • Must integrate closely with network and cloud security for quick data exchange and cross-organization protection

Carry this list in your back pocket.  As you consider the different approaches to endpoint security we hope you evaluate the underlying technology against these five criteria.  And of course we hope you take the time to evaluate Traps and see for yourself how we’ve delivered not only one of the most advanced approaches in the market, but also one that integrates natively into our Enterprise Security Platform.


[Source: Palo Alto Networks]

ISACA International President: Ongoing Diligence is Key to Address Vulnerabilities Such as the One in Bash

Diligence may not be the most exciting item on our to-do lists, but it is a time-honored practice and should be a staple. This thought rises to the top as we read news reports about the security vulnerability in the Bourne Again Shell (Bash), which is now being referred to by many as Shellshock.

Some experts counsel that the impact of this vulnerability will only be moderate and that patches will be applied appropriately. At the same time, the potential severity of this vulnerability is high: it could allow hackers to take control of affected systems, enabling unauthorized disclosure of information, unauthorized modification and disruption. In addition, its CVSS base score is 10, the maximum, while its access complexity is rated low, which might not make it a “perfect” storm but at least a “close-to-perfect” storm.

I think we all agree that our future will contain many more vulnerabilities, bugs and other incidents with varying repercussions. Human error, changing times and needs, updates to technology and the ever-present desire in some people to cause havoc will ensure that we are all kept on our toes. A combination of planning, reviewing, monitoring and ongoing diligence is needed so we can be both proactive and prepared for rapid response when needed.

Diligence includes frequently reinforcing that processes and techniques must be in place to ensure that systems are appropriately patched and upgraded. This needs to be extended to the supply chain, including vendors and partners. We need to monitor complex interconnected environments to ensure that devices in manufacturing lines and elsewhere are maintained. Penetration testing is critical and should be regularly undertaken to ensure entry points to the organization are secure and monitored. Security awareness programs should be reviewed to ensure they are thorough, updated and—even more important—exist.

The fact remains that we will never be able to entirely prevent cyber incidents. The only secure machine is the one in the box not yet connected to a network. And even then it is subject to physical theft. If steps aren’t taken, though, the impact is potentially catastrophic—harm to people, compromised systems, lost data/intellectual property/revenue and perhaps even an end to the business. This is one reason ISACA offers the Cybersecurity Nexus (CSX), which provides cybersecurity guidance, career development, education and community for professionals at every stage of their careers.

There was a time, not that many years ago, when security was not a primary issue. Many programs and systems were vulnerable to hacking, and it was assumed that they were still safe. We now know better.

Robert E Stroud, CGEIT, CRISC
International President of ISACA

[Source: ISACA]

ISACA: Investing in Privacy Training

Ever since Snowden made his first revelations over a year ago, ‘privacy’ has become a bit of a buzzword. Once the prerogative of royals and stars (whose computers and online accounts continue to be among hackers’ favourite targets), in the information age the average consumer struggles to reconcile the benefits of personalised services and tailored advertising with the apprehension of not knowing what personal information about them is held by whom, where it is stored, and how it is used. Forrester calls this the ‘privacy-personalisation paradox’.

Equally, companies and public bodies face a difficult challenge: to paraphrase Voltaire, with big data must come big responsibilities. Get privacy right, and you have gained a competitive advantage. Get it wrong and—well, you’re in trouble. Target’s former CEO and its board of directors know this well. At stake: financial and reputational damages.

Add to the picture the fact that one of the global pillars of privacy legislation, the European Union’s Data Protection Directive 1995, is currently undergoing a substantial overhaul, and recent developments such as the May ruling of the Court of Justice of the EU on the so-called ‘right to be forgotten’, and the scenario becomes even more complicated.

So where to start? Many companies have appointed chief privacy officers (CPOs)—in Europe, data protection officers (DPOs)—whose focus is solely on privacy and data protection. In 2006, Harriet Pearson, then-CPO for IBM, said: ‘A good CPO must do more than just ensure that companies comply with the present-day law. They must also attempt to second-guess future innovation and design company security policies and procedures accordingly’.

Her words are still very contemporary and, as technology and innovation have evolved over the past eight years, so has the role of CPOs and DPOs, who went from almost invisible magicians behind the curtains of compliance to highly sophisticated professionals whose function has consistently been climbing up corporate hierarchies.

In Europe, the current draft of the General Data Protection Regulation, which will replace the outdated 1995 Data Protection Directive, requires the mandatory appointment of DPOs for public-sector entities processing personal data and for private-sector enterprises processing the data of more than 5,000 data subjects in a year. By the way, you may be interested to know that the draft Regulation also introduces fines of up to 1 million euro or 2 percent of a company’s global annual turnover, and stipulates that personal data breaches should be notified ‘without undue delay’ to the relevant supervisory authority and, if the breach ‘is likely to adversely affect’ them, also to the data subjects.

Mind you, the Regulation is not yet law, and its text is likely to undergo some changes before it is finalised, but European leaders have made no secret of their intention to make the data protection rights of their citizens a top priority.

Now, if the major data breaches that dominated the headlines in the past years have taught us anything, it is that you can have the best policies and the tightest security measures in place, but nothing can be done against human error. Or can it?

The UK Information Commissioner’s Office released some statistics on data breaches in August 2013 and the data is unequivocal: ‘More than half of the 335 data breach incidents we looked at in the first quarter [of 2013] fall into the ‘disclosed in error’ category’, read an ICO blog post. ‘That covers everything from emails being sent to the wrong people to information erroneously included in freedom of information responses, but invariably they can be described as careless’.

Let’s face it: at any point in time, in any given organisation or public office, data is processed (accessed, shared, managed and transformed) by hundreds or even thousands of employees. These employees can be sitting in any department, and at any point in their career: they can be product developers designing a new product, sales and marketing managers trying to sell it, or human resources professionals handling employee data.

Clearly, the need for privacy training and awareness extends beyond the ‘core’ privacy team (the office of the CPO or DPO) to the entire office or corporation. Investing in privacy training for employees is a fundamental component when managing the risks associated to our data-driven economy. Marketing professionals look at privacy training and awareness through the lens of transparency: ensuring openness and customer control of their own data. Information security professionals, CTOs and CIOs know too well what a difference a robust data governance strategy that aligns security and privacy can make.

Any employee touching data in a significant way poses a risk; yet your biggest assets are your employees. How can you afford not to invest in privacy training?

Rita Di Antonio
Managing Director IAPP Europe

Rita will discuss this concept at ISACA’s European Computer Audit, Control and Security (EuroCACS/ISRM) Conference this September, in her presentation titled, “EU Privacy: Past, Present and Future.”

[Source: ISACA]

The Open Group Architecture Framework (TOGAF®) – Vietnamese Walk of Fame


Last Updated: 30-APR-2017

All statistics are based on personal verification. Use them at your own risk, for reference only. The total may differ from The Open Group’s public list, since this list includes active, inactive and suspended certifications, and certification holders who are local or overseas Vietnamese. If you are a Vietnamese (local or overseas) TOGAF certification holder and your name is not in this list, or you believe an entry is wrong, please contact me. Thank you so much.

ID | Name | Current position | Date certified
#TOGAF-8 | NGUYEN ANH DUNG (NGUYỄN ANH DŨNG) | IT Specialist at IBM Vietnam (Hanoi, Vietnam) | 27-MAY-2009
#TOGAF-9.1 | NGUYEN TIEN DUONG (NGUYỄN TIẾN DƯƠNG) | (not listed) | MAY-2012
#TOGAF-9.1 | NGUYEN MANH CUONG (NGUYỄN MẠNH CƯỜNG) | Managed Service Division Director at FPT Information System Services (Hanoi, Vietnam) | 03-OCT-2012
#TOGAF-9.1 #108552 | NGUYEN TRONG CONG (NGUYỄN TRỌNG CÔNG) | Network Security Consultant at FPT Information System Services (Hanoi, Vietnam) | 2016

©2014-2017 Philip Cao. All rights reserved. Please cite the source when you copy or reuse information from this website.
