Cloud Security Solutions With BYOD

For most organizations, bring your own device (BYOD) is a fact of life or soon becoming one. People want to use the same mobile device(s) for both their work and personal lives and have some freedom of choice as to the devices they use. The more competition an organization faces in recruiting and retaining employees, the more likely a company is to allow some form of BYOD. It can also increase productivity and communication for employees, since they are likely to be always connected.

However, BYOD also brings some interesting security challenges. Most of the challenges arise from the potential of sensitive information being stored on mobile devices. ISACA has a set of guidelines that can be helpful for securing mobile devices. Organizations could require that BYOD users follow such guidelines. In addition, BYOD users frequently connect to the cloud as a way to get their work email or share files, and this poses some specific challenges.

For example, consider BYOD and the use of Dropbox or similar cloud file-sharing services for business purposes. Many organizations use Dropbox as a way to easily share files, even sensitive files, between users. The files are stored in Dropbox’s cloud and are encrypted using 256-bit AES encryption (both at rest and in transit), which is decent enough encryption for most corporate use. Generally, the files are also automatically synced with the mobile device. This may not be a concern for devices owned by the organization, but with BYOD, the employee now has a copy of a potentially sensitive file on his or her own device. If the device is then lost or stolen, the sensitive data could be compromised, resulting in a data breach.

If this is a concern, organizations can mandate by policy that BYOD users only access the shared files on demand and not download local copies. This is fairly straightforward with Dropbox. Similar policies could be enabled for email use when the organization is using a cloud-based email service, such as Gmail. For example, the policy might only allow the use of email from a browser or app, rather than allowing local copies of messages and attachments to be stored on the device.

If local storage of potentially sensitive files and email is allowed, there are additional precautions that could be taken. Local data encryption, particularly on notebooks, is an option. Smartphones, tablets and, with additional software, even notebooks often have a remote-wipe capability that can be triggered if the device is lost. Ideally, this remote wipe should be something that not only the BYOD users but also their IT departments can trigger on the device. In addition, PINs, passwords, two-step verification or biometrics must always be used to protect access to the device. Devices that do not have such authentication should be prohibited from accessing the company network or cloud.

Of course, the security policy should also mandate that personal and work file sharing be kept separate. In the case of Dropbox, use a separate Dropbox account for each. Otherwise, an employee intending to share personal files may inadvertently share sensitive work information with friends and family.

Since BYOD is a fact of life and is likely being used in conjunction with work in the cloud, organizations need to review and update their security policies and security awareness training to ensure that sensitive data remains secure.

Rob Clyde, CISM
CEO of Adaptive Computing
ISACA International Vice President

[Source: ISACA]

Industrial Cybersecurity in Our Society

Information technology (IT) plays a central role in our society and economy. It is well known that most essential services, public and private, the mass media, the security forces and, of course, enterprises depend on IT for their normal, everyday activities. It is not so widely known, however, that every one of those essential services and IT assets depends more and more on industrial control systems (ICSs). ICSs are responsible for the control and management of physical security systems in data centers, as well as of cooling towers and the electric generators that power fire suppression systems, among many other functions.

ICSs underpin the main critical infrastructures and essential services of our nations and, therefore, the security and protection of those services rests on them. This has made ICSs a target for cyberterrorism, advanced persistent threat attacks and cyberwar.

This, together with a lack of security requirements in their design, deployment and operation, has enabled the development of real cyberweapons whose objective is to exploit the existing vulnerabilities in these systems.

Therefore, our society and economy are vulnerable. Stuxnet, Duqu, Anonymous, Flame, Shamoon, Careto, botnets and denial of service attacks are words and concepts appearing more and more in the media, trying to explain information leaks, service outages, electrical blackouts and other incidents that affect our essential services.

In an increasingly competitive global market facing complex and growing threats, this situation is unsustainable. It is necessary to invest substantial effort, develop plans, implement measures and, of course, commit significant economic resources to narrow the vulnerability gap exploited by attackers and to raise the level of protection of our industrial and critical infrastructures.

This new area, called industrial cybersecurity, addresses these issues. It is the set of practices, processes and technologies designed to manage the risks arising from cyberspace when using, processing, storing and transmitting information in industrial infrastructures and organizations, and it focuses on the people, processes and technologies involved. In this increasingly complex world, many disciplines need to team up to reduce the risks related to cyberterrorism and protect our critical assets.

Samuel Linares
Director, Industrial Cybersecurity Center (CCI)

[Source: ISACA]

Next-gen Cybersecurity Means Anticipating Threats

The recent announcement of a forward-looking cyberthreat tool from the Georgia Tech Research Institute (GTRI) is an example of a developing trend in security: using the broad-based data that the bad guys themselves put out in an effort to get ahead of threats. It’s also a tacit admission that security based solely on reacting to threats does not, and will not, work.

The GTRI tool, called BlackForest, collects information from the public Internet, such as hacker forums and other places where those same bad guys gather to swap information and details about the malware they write and sell. It then relates that information to past activities, and uses all of that collated intelligence to warn organizations of potential threats against them – and, once attacks have happened, to show how to make their security better.

Ryan Spanier, the head of GTRI’s Threat Intelligence Branch, said the intention is to give organizations some kind of predictive ability so that, if they see certain things happening, they’ll know they may need to take action to protect their networks.

These and similar tools are badly needed. The CyberEdge Group, in its 2014 Cyberthreat Defense Report, found that more than a quarter of the organizations it surveyed had no effective foundation for threat defense. Overall, investment in those next-generation tools that could be most effective against advanced threats is still “fairly low.”

In addition, it said, because of the speed at which threats are deployed these days, the relative security and confidence of today can be gone tomorrow, and IT security teams can only make educated guesses at what attackers will try next, and where they will try it. The bottom line, it said, is that maintaining effective cyberthreat defenses not only requires constant vigilance, “but also an eye on the road ahead.”

It’s something both government and industry organizations are starting to push with more urgency. Greg Garcia, the former head of cybersecurity and communications at the Department of Homeland Security, recently said he expects to see more investment in tools that will help banks and financial institutions anticipate emerging risks. As the new executive director at the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, he knows how important that will be for an industry that is a primary target for cyberattacks.

The National Institute of Standards and Technology is also trying to push government agencies in that direction. In the first iteration of a cybersecurity framework it published in February this year, NIST listed four levels at which the framework could be implemented and which would “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.”

The highest level, Tier 4, is labeled Adaptive and describes an organization that “actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner” and has “continuous awareness of activities on their systems and networks.” Though NIST takes pains to say that the tiers don’t actually represent the maturity of cybersecurity defenses, it also says agencies should be “encouraged” to move to higher levels.

The methodology GTRI uses for BlackForest is not that new to the security field, at least in broad terms. Security companies have for years trawled global networks to identify threats and develop defenses against them, and that’s the basis for the regular antivirus signature updates they send to their customers. As CyberEye recently pointed out, however, those techniques are becoming less effective and are all but useless against the most sophisticated, and most damaging, kinds of malware.

Success for organizations in the future will not be based on how many attackers they can keep out of their networks and systems, but on how fast and how effectively they can detect and respond to attacks that are already on the inside. That understanding is behind the rush to big data analytics, which organizations are betting will enable that kind of timely response. Gartner believes that, by 2016, fully 25 percent of large companies around the world will have adopted big data analytics for that purpose.

Whether or not BlackForest and similar tools provide the level of security their developers say they will is still to be seen. After all, the attackers have proven they are just as intelligent and creative as defenders. But these tools merely indicate the direction security needs to go, because the regular way of doing things just ain’t working.

[Source: GCN]

2014 Gartner Magic Quadrant for Security Information and Event Management

Broad adoption of SIEM technology is being driven by the need to detect threats and breaches, as well as by compliance needs. Early breach discovery requires effective user activity, data access and application activity monitoring. Vendors are improving threat intelligence and security analytics.

Market Definition/Description

This document was revised on 1 July 2014. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

The security information and event management (SIEM) market is defined by the customer’s need to analyze security event data in real time for internal and external threat management, and to collect, store, analyze and report on log data for incident response, forensics and regulatory compliance. The vendors included in our Magic Quadrant analysis have technologies that have been designed for this purpose, and they actively market and sell these technologies to the security buying center.

SIEM technology aggregates event data produced by security devices, network infrastructures, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data, such as NetFlow and packet capture. Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time security monitoring, historical analysis and other support for incident investigation and compliance reporting.
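The pipeline the definition describes (collect log data from disparate sources, normalize it to one schema, enrich it with asset context, then correlate and report) is easier to see on concrete input. The following Python is an added example written for this page; it is not code from the Gartner report or from any SIEM vendor. The two log formats (a syslog-style sshd line and a semicolon-delimited VPN appliance record), the asset table, and the brute-force rule are all constructed for illustration, as is the threshold of three failures in five minutes. The point it adds beyond the prose is why normalization matters: neither source alone reaches the alert threshold, but the correlated view across both does.

```python
"""Illustrative SIEM pipeline: collect -> normalize -> enrich -> correlate -> report.

Added example for this page, not the Gartner report's or any vendor's code.
Log formats, asset table and detection rule are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two disparate sources. The formats below are
# invented for this example and do not reproduce any real product's log layout.
SSHD_LOGS = [
    "2014-07-01T09:00:01 bastion sshd[2101]: Failed password for alice from 203.0.113.7 port 51000 ssh2",
    "2014-07-01T09:00:04 bastion sshd[2101]: Failed password for alice from 203.0.113.7 port 51001 ssh2",
    "2014-07-01T09:00:09 bastion sshd[2101]: Accepted password for alice from 203.0.113.7 port 51002 ssh2",
    "2014-07-01T09:30:00 bastion sshd[2200]: Accepted publickey for bob from 192.0.2.10 port 40000 ssh2",
]
VPN_LOGS = [
    "2014-07-01T09:00:06;vpn-gw;LOGIN_FAIL;user=alice;src=203.0.113.7",
    "2014-07-01T10:15:00;vpn-gw;LOGIN_OK;user=carol;src=198.51.100.5",
]

# Constructed asset context used for the enrichment step.
ASSETS = {
    "bastion": {"owner": "infra-team", "criticality": "high"},
    "vpn-gw": {"owner": "network-team", "criticality": "high"},
}

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


def normalize_sshd(line):
    """Map one sshd syslog line onto the common event schema (None if unparsable)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"], "user": m["user"], "src": m["src"],
        "outcome": "success" if m["result"] == "Accepted" else "failure",
        "source": "sshd",
    }


def normalize_vpn(line):
    """Map one semicolon-delimited VPN record onto the same schema."""
    parts = line.split(";")
    if len(parts) != 5:
        return None
    ts, host, result, user_kv, src_kv = parts
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host, "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1],
        "outcome": "success" if result == "LOGIN_OK" else "failure",
        "source": "vpn",
    }


def enrich(event):
    """Attach asset context; unknown hosts are flagged rather than dropped."""
    ctx = ASSETS.get(event["host"], {"owner": "unknown", "criticality": "unknown"})
    return {**event, **ctx}


def collect_events():
    """Normalize both feeds, enrich, and order by timestamp for correlation."""
    raw = [normalize_sshd(l) for l in SSHD_LOGS] + [normalize_vpn(l) for l in VPN_LOGS]
    return sorted((enrich(e) for e in raw if e), key=lambda e: e["ts"])


def correlate_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failures for one (user, src) pair, counted across
    all sources, are followed by a success within the window."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> [(ts, source), ...]
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "failure":
            failures[key].append((ev["ts"], ev["source"]))
            continue
        recent = [(t, s) for t, s in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "user": ev["user"], "src": ev["src"], "host": ev["host"],
                "failures": len(recent), "sources": sorted({s for _, s in recent}),
                "criticality": ev["criticality"],
            })
        failures[key].clear()  # a success closes the sequence either way
    return alerts


def login_report(events):
    """Compliance-style summary: event counts per (source, outcome)."""
    return Counter((e["source"], e["outcome"]) for e in events)


if __name__ == "__main__":
    evs = collect_events()
    for a in correlate_brute_force(evs):
        print("ALERT:", a)
    print("REPORT:", dict(login_report(evs)))
```

Run stand-alone, the block raises one alert for `alice` from `203.0.113.7` with three failures spanning both the `sshd` and `vpn` sources, and prints the per-source outcome counts. Two failures on sshd or one on the VPN would each be below threshold on their own; the shared schema is what lets the rule count them together.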
