Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
Editor’s note: Vicki Gavin, CRISC, MBCI, is compliance director, and head of business continuity, cyber security and data privacy for The Economist. Gavin, based in London, recently visited with ISACA Now to discuss how her areas of expertise are being affected by the fast-changing technology and regulatory landscape. The following is an edited transcript.
ISACA Now: At InfoSec Europe last month, you were part of a panel that discussed building an agile team for the future. What were the major takeaways for you?
For me, the most significant takeaway was the need to do things differently. Current hiring processes are designed to exclude candidates. We need to get smarter about including candidates from a variety of backgrounds by systematically removing bias from role profiles, job descriptions and advertisements, screening and interviewing.
ISACA Now: How critical is it for organizations to have tech-savvy boards in terms of fostering strong governance?
I do not think the board needs to be tech-savvy. Tech awareness is sufficient. Security professionals need to become more business aware to communicate effectively with the board.
ISACA Now: What are some shortcuts that organizations tend to take in their governance that often come back to haunt them?
I think one of the biggest IT governance mistakes made by technology professionals is the assumption that risk is to be eliminated. Risk is to be managed; the key is to determine what level of risk your organization is willing to accept.
ISACA Now: What are the biggest keys to successful business continuity planning? The value in planning is the process, not the plan. As Mike Tyson said, “Everybody has a plan until they get punched in the face.” The same is true for BCPs. The process, on the other hand, done properly, ensures a common risk appetite and approach to recovery when the time comes.
ISACA Now: Which emerging technologies present the greatest challenges from a compliance standpoint?
All of them. All change is disruptive. The challenge is to balance the risks and benefits of compliance.
ISACA Now: As we move closer to GDPR taking effect next year, are you sensing a greater sense of calm or of anxiety from your peers?
From my peers, anxiety. From my business, calm. We started on our GDPR journey about a year ago and will be ready by November 2017, giving us plenty of time to bed in new processes.
In today’s competitive environment, enterprises are under enormous pressure to focus valuable resources on initiatives that provide value. The inherent issue with most approaches is that the methods used to determine organizational priorities are often flawed by focusing on compliance as a primary navigation aid. A “compliance only” focused program can have a huge effect on performance. Of course, compliance is crucial for business survival, but it’s not always the only guidance system to use for value creation.
A solution to this narrow approach is to prioritize efforts using multiple perspectives to offer a balanced approach to determining priorities, allocating resources and, ultimately, providing value. As in travel, you need to have a good fix on your coordinates – location, altitude, heading and speed – before determining future moves. Where most companies go wrong is in choosing only one of these perspectives. Just like using a GPS to help you navigate, you should use more than one guidance system to help you focus efforts.
Having tools available that offer pinpoint accuracy to where you need to focus efforts in an organization is crucial – hence, the GPS analogy. GPS satellites help locate a position on the ground based on their time and position. The GPS receiver communicates with multiple satellites, and therefore determines a precise location on the ground. Decisions around funding, assurance, improvements and compliance are all areas in an enterprise that require resources, and should not be determined with only one signal. The more ‘GPS’ signals you have looking into your ecosystem, the more accurate you can be at focusing your efforts.
Using these multiple guidance systems will drastically improve your chances of success. These four GPS signals can include: 1) Goals cascading, 2) risk scenarios, 3) pain points, and 4) regulatory and compliance (see figure 1).
Figure 1—Using Multiple Perspectives to Prioritize Efforts
Guidance System 1: Cascading goals
I believe that one of the best-kept secrets in our industry today is the goals cascade. The model begins with stakeholder drivers that influence stakeholder needs. Stakeholder needs can be literally mapped to enterprise goals, IT-related goals and enabler goals. The enabler level is a more holistic view of the ingredients required to govern and manage enterprise IT. For example, if you know that a particular enterprise goal is the most important goal for the next year, then you can map that goal through the cascade and determine which processes are critical to its success. The model is already done for you in COBIT, where there is a set of tables that map each of these levels.
Guidance System 2: Risk scenarios
An IT risk scenario describes IT-related events that could lead to a business impact. COBIT 5 for Risk contains a set of generic IT risk scenarios and can serve as inputs to risk analysis activities and their effects on overall business objectives. This process results in the risk register and provides valuable information for informed decision-making. Use the results of this “GPS signal” to come up with the most critical risk scenarios that could hinder enterprise objectives, determine pain points or guide mitigation responses.
Guidance System 3: Pain points
Pain points are those areas that need little effort to identify. Use pain points as perspectives from which efforts toward the governance of enterprise IT initiatives are chartered. This can have a positive effect on the buy-in of your business case and create a sense of urgency and support. The COBIT 5 Implementation Guide identifies some common pain points associated with enterprise IT and maps these pain points to specific processes in COBIT.
Guidance System 4: Legal/regulatory/compliance requirements
No organization can be 100 percent compliant with everything. Synchronize this with your risk management process to determine the right response to each requirement. Some requirements are legally required and must be adhered to, but what level of adherence is the most appropriate?
Aligning your satellites
Each of these guidance systems should result in a very clear list of high-interest areas. Devise a prioritization scheme for each of these lists and normalize them into a single list. Now that the most important areas have been identified, compared and analyzed, more focused efforts can be identified. These results can assist in scoping assurance activities, allocating and prioritizing resources, and ensuring business/IT alignment.
The enterprise exists to create value for its stakeholders. Realizing benefits while optimizing risks and resources requires more than one perspective, or ‘guidance system,’ to fully understand what is required. This post has identified four potential perspectives that worked for one organization. Yours might have more, but should never have less.
One of the most common cyber security questions I get is: How do attackers plan/carry out their attacks? I thought this would be a great topic to address since we are always asked to explain the risk of any audit observation we make. So, what is risk anyway? In a cyber security context, think of risk as the overall probability of our systems or data being compromised by a malicious individual.
Attackers (which could be insiders) make up one piece of our risk equation, the other piece being vulnerabilities. If one piece of the risk equation does not exist (attackers or vulnerabilities), then there would be no risk to our systems and/or data. Why? Because if the world was full of attackers, but our systems/data were not vulnerable to any attack, then the attackers could not steal our data. In a similar way, if we ran a system full of vulnerabilities (think Windows XP, which is no longer supported by Microsoft), but attackers simply did not exist, then there would not be a risk of our systems or data being compromised.
So, how do attackers operate? Here are some common techniques:
1. Attackers perform reconnaissance activities on the targeted organization and can gather data from the following:
Websites
Forums
Job boards
Social networking sites, such as LinkedIn, Facebook, Twitter, Google+
Employees (e.g., sales, human resources, executives)
2. The data uncovered during reconnaissance allows the attacker to identify who/what to target within your organization. Next, the attacker prepares and delivers the exploit to your organization. The following are common methods of delivery:
Watering hole attacks are used to infect websites that your users/members of your group are known to visit.
Spear phishing attacks are used to trick specific users into infecting their system.
3. Once on your network, the attacker will attempt to compromise additional systems and exfiltrate your data. They do this by exploiting known/unknown system vulnerabilities via command and control.
There you have it – those are the basic steps of an attack. I recommend you watch this video produced by Cisco that illustrates an attack better than I can. Here are some recommendations that can be acted upon:
Ensure your organization has an adequate cyber security awareness program in place.
Ensure your organization conducts spear phishing exercises on all employees.
Work with human resources to avoid including too much detail in job ads.
Monitor social media use/review public posts made about your company.
Educate your employees on what information should not be disclosed to anyone in normal day-to-day conversations.
Ensure adequate malware prevention capabilities are in place.
Ensure adequate intrusion detection/incident-handling capabilities are in place.
Editor’s note: Jesse Fernandez presented on auditing cyber security at North America CACS 2017. For highlights and key takeaways from the North America CACS and EuroCACS conferences, read the CACS 2017 Conference Report.
Astrum is a relatively old exploit kit (EK) that is also known as Stegano EK. We noted in January 2017 how Stegano/Astrum had reappeared in recent months and talked about how Traps protects against it.
Since then, researchers have seen Astrum updated with new specific countermeasures that target security products and seek to evade detection, making it one of the most evolved threats out there today.
How Does It Work?
Astrum is currently being used as part of the AdGholas malvertising campaign. The AdGholas campaign uses malicious scripts in banner ads on legitimate websites. The malicious scripts direct users to an Astrum exploit kit server behind the scenes which then attacks the user’s system.
Astrum uses malicious Adobe Flash files that attempt to exploit vulnerabilities in Adobe Flash Player (CVE-2015-8651, CVE-2016-1019 and CVE-2016-4117) and Microsoft Internet Explorer (CVE‑2016‑0189). While these vulnerabilities have been patched, users with older versions of Flash and missing Microsoft patches are still at risk of successful attacks against them.
If the malicious Flash file is successful, it will download the payload onto the victim’s machine. Astrum has been known to deliver banking Trojans, including Ursnif. However, recent payloads include ransomware and other malware. Most recently, researchers have seen Astrum spreading the Mole ransomware.
Why Is It Unique?
Since March 2017, researchers have seen Astrum updated with tactics that specifically target detection and analysis.
Astrum exploits an information disclosure vulnerability (CVE-2017-0022) to identify and evade antivirus products. Astrum also utilizes Diffie-Hellman key exchange to incorporate an anti-replay feature to prevent security researchers from reviewing and diverting malicious network activity. Further adding to the challenge of detecting and analyzing Astrum is its use of HTTPS to encrypt its traffic.
And finally, Astrum encrypts the malicious Flash file so that the bulk of the malicious content is encrypted and only a small decryption stub is unencrypted. Astrum takes additional steps to defeat decryption in a sandbox environment by making the ability to decrypt the malicious Flash file machine-specific: the file cannot be decrypted anywhere but on the targeted system.
How Do You Stop It?
Taken all together, these recent updates to Astrum result in it thwarting most security protections. Its use of HTTPS challenges firewall-based protections. Its use of encryption for the malicious payload bypasses most traditional signature-based antivirus solutions. And the machine-specific decryption countermeasure thwarts the sandboxing found on many more advanced security products.
With the advanced evasion techniques Astrum utilizes, endpoint security needs real-time protections to stop Astrum on the target system after the malicious Flash file is decrypted but before it successfully executes.
Palo Alto Networks Traps advanced endpoint protection offers DLL security to prevent access to crucial DLL metadata from untrusted code locations. Traps also offers JIT mitigation to prevent JIT code from calling out-of-the-norm operating system functions. Traps offers unique protections against advanced exploitation capabilities, successfully preventing Astrum and exploit kits of its like.
Attackers will try to evade sandboxes and traditional signature-based antivirus in many unique ways, one of which is described above. However, the attacker cannot disguise the actual malicious activity he is trying to deploy. Traps is anti-evasive and not based on signatures and stops the malicious activity itself, which cannot be hidden or replaced.