Cybersecurity and Privacy Certification from the Ground Up

The European Cybersecurity Act, proposed in 2017 by the European Commission, is the most recent of several policy documents adopted and/or proposed by governments around the world, each with the intent (among other objectives) to bring clarity to cybersecurity certifications for various products and services.

The reason why cybersecurity, and most recently privacy, certifications are so important is pretty obvious: They represent a vehicle of trust and serve the purpose of providing assurance about the level of cybersecurity a solution could provide. They represent, at least in theory, a simple mechanism through which organizations and individuals can make quick, risk-based decisions without the need to fully understand the technical specifications of the service or product they are purchasing.

What’s in a certification?

Most of us struggle to keep pace with technological innovations, and so we often find ourselves buying services and products without sufficient levels of education and awareness of the potential side effects these technologies can bring. We don’t fully understand the possible implications of adopting a new service, and sometimes we don’t even ask ourselves the most basic questions about the inherent risks of certain technologies.

In this landscape, certifications, compliance audits, trust marks and seals are mechanisms that help improve market conditions by providing a high-level representation of the level of cybersecurity a solution could offer.

Certifications are typically performed by a trusted third party (an auditor or a lab) who evaluates and assesses a solution against a set of requirements and criteria that are in turn part of a set of standards, best practices, or regulations. In the case of a positive assessment, the evaluator issues a certification or statement of compliance that is typically valid for a set length of time.

One of the problems with certifications under the current market condition is that they have a tendency to proliferate, which is to say that for the same product or service more than one certification exists. The example of cloud services is pretty illustrative of this issue. More than 20 different schemes exist to certify the level of security of cloud services, ranging from international standards to national accreditation systems to sectorial attestation of compliance.

Such a proliferation of certifications can serve to produce the exact opposite result that a certification was built for. Rather than supporting and streamlining the decision-making process, they could create confusion, and rather than increasing trust, they favor uncertainty. It should be noted, however, that such a proliferation isn’t always a bad thing. Sometimes, it’s the result of the need to accommodate important nuances of various security requirements.

Crafting the ideal certification

CSA has been a leader in cloud assurance, transparency and compliance for many years now, supporting the effort to improve the certification landscape. Our goal has been—and still is—to make the cloud and IoT technology environment more secure, transparent, trustworthy, effective and efficient by developing innovative solutions for compliance and certification.

It’s in this context that we are surveying our community and the market at-large to understand what both subject matter experts and laypersons see as the essential features and characteristics of the ideal certification scheme or meta-framework.

Our call to action?

Tell us—in a paragraph, a sentence or a word—what you think a cybersecurity and privacy certification should look like. Tell us what the scope should be (security/privacy, product /processes /people, cloud/IoT, global/regional/national), what’s the level of assurance offered, which guarantees and liabilities are expected, what’s the tradeoff between cost and value, how it should be proposed/communicated to be understood and valuable for the community at large.

Tell us, but do it before July 2 because that’s when the survey closes.

Daniele Catteddu, CTO, Cloud Security Alliance

[Cloud Security Alliance Blog]

Cloud Security Alliance Issues Code of Conduct Self-Assessment and Certification Tools for GDPR Compliance

SEATTLE, WA and LONDON – JUNE 5, 2018 – InfoSecurity Europe Conference – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today released the CSA Code of Conduct (CoC) Self-Assessment. An essential tool for those charged with General Data Protection Regulation (GDPR) compliance, the CSA CoC Self-Assessment provides a transparent means for standardizing compliance initiatives.

“The CSA Code of Conduct for GDPR Compliance is a comprehensive and complete resource for supporting cloud providers’ compliance and fostering accountability and transparency in the market. Today, with the release of the CSA CoC Self Assessment, we are offering cloud service providers the opportunity to openly demonstrate to business partners and regulators evidence of their adherence to the GDPR requirements. The CSA CoC Self Assessment acts as the assurance and transparency component of the STAR Program,” said Daniele Catteddu, CSA Chief Technology Officer, lead outside counsel and Privacy Level Agreement (PLA) Working Group co-chair. “We believe it will go a long way toward providing the industry with a standard for accurate compliance with the GDPR.”

“The release of the CSA CoC Self Assessment serves two purposes,” said Paolo Balboni, European ICT, privacy and data protection lawyer, and co-chair of the PLA Working Group. “First, to afford cloud service providers (CSP) a means to demonstrate, in a structured way, the level of personal data protection they offer, and second, to provide cloud customers and potential customers a tool to evaluate and compare the level of personal data protection offered by various CSPs. And while the CSA CoC Self-Assessment is not verified by a qualified third-party, it does offer transparency regarding the level of protection offered by a cloud service provider.”

CSPs and cloud customers that would like to adhere to the CSA CoC for GDPR should submit the CoC Statement of Adherence and PLA Code of Practice (CoP) Template – Annex 1 using the STAR submission form. CSA will then verify that a “good faith” effort has been made to thoroughly address the entire Code of Conduct and will publish the Self-Assessment on STAR. The applicant receives a self-attestation compliance mark once all the necessary conditions are satisfied.

Those interested in learning more about the CSA Code of Conduct for GDPR Compliance should visit the CSA GDPR Resource Center, a community-driven website with tools and resources to help educate cloud service providers and enterprises on the new European data protection regulation.

The CSA PLA Working Group is comprised of independent privacy and data protection subject matter experts, privacy officers, and representatives from data protection authorities. It was formed in 2012 to help transpose the Article 29 Working Party (Art. 29 WP) and EU national data protection regulators’ recommendations on cloud computing into an easy-to-use outline for CSPs to follow when disclosing personal data-handling practices. The scope and objective of the PLA initiative were previously presented to the European Parliament as part of discussions on the potential effect of the proposed General Data Protection Regulation on cloud computing. Since then, the PLA Working Group has been engaged in defining a structured method for communicating the level of privacy that a CSP agrees to maintain.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

Cyber Threat Landscape: The More Things Change …

Many analyses of cybersecurity include consideration of the field’s constant state of flux and change. As the battlefield of the internet evolves, typically, so do the attack strategies, weapons, defense mechanisms and actors. However, according to ISACA’s 2018 State of Cybersecurity research, two elements that remain relatively constant are the types of attackers and the type of attack leveraged.

Specifically, based upon the input of respondents, the report noted that while attacks are increasing, outside of certain niche variants the types of attacks have remained constant, with monetary theft as the main aim of most attackers. These trends suggest that while certain cybersecurity considerations change, proven attackers, victims and attack processes do not go out of style.

Deeper examination of the report provides a greater understanding of the static trend of attack types by malicious actors. Survey respondents indicate that the three main attack mechanisms leveraged against their organizations are phishing, malware and social engineering. When compared to the 2017 report, this trend remains mostly static, with minimal variation. Additionally, cybercriminals remained the most commonly reported attacker type.

While the main attack vectors and actors remain primarily static, the number of attacks is increasing dramatically, with the majority of respondents indicating that the number of attacks they are experiencing is increasing year over year. This trend could be due to multiple considerations. For example, as artificial intelligence (AI) enables business processes, malicious agents can also leverage AI to streamline attacks. This increase in efficiency allows an attacker to conduct more attacks with less infrastructure. Additionally, greater accessibility to the growing dark web allows attackers to work together more easily than in the past.

Though attackers might leverage certain tools to increase their operational efficiency, and thus their attack capability, others have found themselves largely relegated to the dustbin. Specifically, the report identified a substantial decrease, nearly 20%, in ransomware attacks. This might seem shocking considering high-profile ransomware incidents such as the one that recently hit the city of Atlanta in the United States, wherein many city operations remained crippled for more than a week. However, deeper analysis identifies that most organizations now have a response plan inclusive of a potential ransomware attack and are less willing to pay the ransom requested by attackers.

The decrease in ransomware attacks, coupled with the steady state of phishing, malware and social engineering, hints at one of the basic truisms of cybersecurity: the greatest weakness in an organization is often its people. When considering ransomware response, it is easy to see that proper backup policies and procedures can render an organization relatively ransomware-proof, provided the backups are kept offline or otherwise out of reach of the credentials the ransomware runs with, their integrity is verified before use, and restores are tested regularly. If an attack occurs, response teams can commence mitigation by rolling out the most recent proven backup image to the impacted machines while hardening them against subsequent attack. This action is relatively independent of individual sentiment and discernment. Reimaging does not, however, close the initial access vector, and phishing and social engineering still rely primarily on the discernment of individuals expected to practice proper cybersecurity hygiene in their daily activities.
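What “proven backup image” means in practice is a backup whose contents can be checked before a restore. The following is an added example, not ISACA’s code or anything from the report: it writes a manifest of SHA-256 digests for a backup directory, authenticates the manifest with an HMAC whose key is assumed to be held off the backed-up host (a constant stands in for it here so the block runs), and refuses a restore when the manifest, the files or the backup age do not check out. The ransomware scenario in `demo()` is constructed.

```python
"""Verify a backup set before restoring it.

Added example, not code from ISACA or the State of Cybersecurity report.
Assumption: a backup is a directory of files plus MANIFEST.json, a map of
relative path -> SHA-256, authenticated with an HMAC whose key lives off the
backed-up host so that ransomware that can rewrite the backup store cannot
also rewrite the manifest to match.
"""
import hashlib
import hmac
import json
import os
import tempfile
import time

MANIFEST = "MANIFEST.json"
# Hypothetical key used so the example runs offline; in practice it would be
# fetched from a vault or offline medium, never stored beside the backup.
MANIFEST_KEY = b"example-key-held-offline"


def _digest_tree(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == MANIFEST:
                continue
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def write_manifest(root, key=MANIFEST_KEY):
    """Record digests and creation time, sealed with an HMAC over the body."""
    body = {"created": time.time(), "files": _digest_tree(root)}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    with open(os.path.join(root, MANIFEST), "w") as f:
        json.dump({"body": body, "hmac": tag}, f, sort_keys=True)


def verify_backup(root, key=MANIFEST_KEY, max_age_s=7 * 86400):
    """Return (ok, problems). ok is True only when the set is safe to restore."""
    try:
        with open(os.path.join(root, MANIFEST)) as f:
            m = json.load(f)
    except (OSError, ValueError) as e:
        return False, [f"manifest unreadable: {e}"]
    # Check the seal first: a forged manifest would otherwise vouch for
    # whatever the attacker left behind.
    payload = json.dumps(m["body"], sort_keys=True).encode()
    expect = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, m["hmac"]):
        return False, ["manifest HMAC mismatch: manifest altered or wrong key"]
    problems = []
    if time.time() - m["body"]["created"] > max_age_s:
        problems.append("backup older than the allowed recovery point")
    actual = _digest_tree(root)
    recorded = m["body"]["files"]
    for rel, digest in recorded.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in actual.keys() - recorded.keys():
        problems.append(f"unexpected extra file: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: a clean backup, then one file overwritten."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "ledger.db"), "wb") as f:
        f.write(b"ledger rows")
    with open(os.path.join(root, "config.ini"), "wb") as f:
        f.write(b"[app]\nmode=prod\n")
    write_manifest(root)
    clean = verify_backup(root)
    with open(os.path.join(root, "ledger.db"), "wb") as f:
        f.write(b"\x00ENCRYPTED\x00")  # what ransomware leaves behind
    tampered = verify_backup(root)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result)
```

The point of the HMAC rather than a plain hash list is that an attacker who has already encrypted the backup store can also regenerate a hash list; only a key they do not hold keeps the manifest honest. The age check ties the restore to a recovery point objective instead of silently restoring from whatever is newest.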

Although attacks are on the rise, it is important to remember that efforts to combat them are increasing as well. Indeed, based upon analysis of the report, the defense mechanisms and policies established by organizations can act as indicators as to why ransomware attacks are declining. Yet, while certain niche attacks might change over time, proven attack tools, such as phishing, social engineering, and malware, are here for the long haul. As long as individuals do not practice appropriate cybersecurity hygiene, they will remain the main attack methods for malicious actors who are attempting to defraud organizations.

Frank Downs, Director and SME, Cyber Security Practice, ISACA

[ISACA Now Blog]

When it Comes to ERP, Cybersecurity is a Chief Concern

For businesses that have a lot of resources tied up in logistics and inventory, enterprise resource planning (ERP) systems can be a lifesaver. However, you should never invest in an ERP system blindly. With so much valuable data filtering through such a system, you must pay attention to cybersecurity.

Understanding the Need for ERP Security
The goal of ERP software is to help organizations manage the day-to-day business activities they face – such as project management, manufacturing, and accounting – with minimal friction and seamless oversight. Modern ERP systems truly are remarkable in their functionality and utility.

One of the key principles of ERP is the central collection of data for broad distribution across the organization. Instead of having a bunch of individual databases storing fragmented data, everything is organized into a single data reservoir where the appropriate parties push and pull the information they need to perform their job functions properly.

In nearly all situations, ERP systems improve functionality for businesses and allow them to accomplish tasks more efficiently and effectively. But any time you have so much data funneling through a single system, there is always the risk that it could become compromised – especially in today’s hostile cyber environment.

According to a 2017 report published by Crowd Research Partners, 89 percent of security experts anticipate more attacks against ERP systems in the near future, while 30 percent expect a significant increase in the number of attacks.

How to Enhance ERP Security
If leading security experts are worried about ERP security, you should be too. Without data integrity, ERP systems collapse. The question is, what can be done to improve security and mitigate threats?

  1. Move to the Cloud…Now!
    There’s a common belief that transitioning to a cloud ERP solution takes more time and energy than businesses have, but this is largely a myth, and the transition should happen as soon as practical. Note that moving ERP to a cloud provider shifts responsibility for the underlying platform and its patching to the provider; under the shared-responsibility model the customer still owns identity and access management, data classification, integration credentials and the configuration of the ERP itself.

    “Making critical decisions based on old data and legacy software is like driving a business forward while looking in the rear-view mirror,” ACCEO ERP explains in a recent blog post. “In truth, as your business grows, entering data and synchronizing your systems will consume even more of your time. Contrary to older systems, the modern ERP offers speed and adaptability, with extensive and scalable development applications that can be installed as your business evolves.”

  2. Control Access to Your ERP System
    With each person you give access to your ERP system, you’re opening up another possible entry point for an attack. By controlling access, you reduce risk.

    “One simple tactic to help control access to your ERP system is to make sure that all users have good password management habits,” Thriveon explains in a blog post. “That includes using two factor authentication when possible, [using] strong passwords that are changed regularly, and [avoiding] sharing user names and passwords amongst multiple people.”

    One caveat: current NIST guidance (SP 800-63B) advises against forcing periodic password changes unless there is evidence of compromise, since rotation pushes users toward weak, predictable variants. Long, unique passwords, multi-factor authentication and no shared accounts do more to keep ERP access under control.

  3. Have a Response Plan in Place
    One of the most troubling things about ERP security is that most businesses don’t have any sort of plan in place. In fact, the majority of companies don’t even know who’s in charge. According to research, 43 percent think the CIO is responsible, while 28 percent believe it’s the duty of the CISO.

    If you stand any chance of protecting your data, you need a response plan in place. You can’t afford to be pointing fingers and figuring out duties on the fly.

Protect Your Data and Your Business
It’s impossible to be serious about ERP in 2018 and beyond without prioritizing data integrity and cybersecurity. Cybercriminals see your company’s ERP system as the “Holy Grail” and will come after it with great intensity. Now’s the time to be proactive and defend your data.

Larry Alton, Writer, LarryAlton.com

[ISACA Now Blog]

IoT Audits Loom Large in a Connected World

The proliferation of Internet of Things devices is well-documented, with the potential for more than 20 billion connected things by 2020. Installations of connected devices are spanning virtually all industries and cover just about any use case that can be imagined.

With such an enormous volume of connected devices and minimal regulation, it comes as little surprise that many of them have been programmed incorrectly and are supplying users with false or misleading information.

“So, how do you look at scenarios like that?” said ISACA board director R.V. Raghu during Wednesday’s session on IoT audits at EuroCACS in Edinburgh, Scotland. “It can become very dangerous.”

IoT audits should align with enterprise needs and ensure a compliance approach is factored in from the outset. Auditing IoT can help address a wide array of important questions, including each of the following:

  • How will the device be used from a business perspective, and what business value is expected?
  • What threats are anticipated, and how will they be mitigated?
  • Who will have access to the device, and how will their identities be established and proven?
  • What is the process for updating the device in the event of an attack or vulnerability?
  • Who is responsible for monitoring new attacks or vulnerabilities pertaining to the device?
  • With whom will the data be shared?

In the case of IoT, the answers to these questions can have urgent implications. Raghu used a nuclear plant as an example, saying that the capacity to interpret accurate data in timely fashion can guard against potentially damaging irregularities at the plant.

“We want to be able to pick up the data at the right point and then tell you, this is what we need to do,” Raghu said.

Privacy considerations need to be taken into account by IoT device manufacturers, given the enormous capacity to gather data. Encryption might need to be built into devices to protect potentially sensitive information, such as with medical devices used by hospitals.

“Do we need to get greedy and collect everything that is possible, or do we only collect the data that makes sense to us?” Raghu said. “And, in the post-GDPR world, that is a very important question to ask.”

Raghu also expressed concern that regulation of IoT devices is lagging behind the surging usage, meaning there is little standardization on the IoT landscape.

That puts even more of a premium on strong risk management and robust controls. Among the baseline controls that should be put in place for IoT devices are identity and access management, malware protection, transmission confidentiality and time-stamping. Raghu also highlighted “Level 2” controls, such as patching, vulnerability management and log management, saying many organizations do a subpar job with their log management.

“People don’t want to do the log analysis, and if you don’t do the log analysis, you don’t understand how the device is behaving, and you could have a serious problem on your hands at some point,” Raghu said.
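The log analysis Raghu describes is concrete enough to show. The following is an added example, not code from ISACA or the EuroCACS session: it runs a handful of constructed device log lines (assumed format: ISO timestamp, then `key=value` fields) against a hypothetical per-device baseline that an auditor would derive from the device’s business purpose and change records, and reports deviations in each of the baseline-control areas named above: unexpected destinations (transmission confidentiality), unexpected users (identity and access), unapproved firmware (patching) and timestamp regressions or silences (time-stamping). Device name, addresses and firmware versions are all invented.

```python
"""Baseline-versus-observed check over constructed IoT device logs.

Added example, not ISACA's or the session's code. Log format, device id,
addresses, users and firmware versions are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real device).
SAMPLE_LOGS = """\
2018-06-06T10:00:00Z dev=pump-12 event=telemetry dst=10.0.5.20 fw=2.3.1
2018-06-06T10:00:30Z dev=pump-12 event=telemetry dst=10.0.5.20 fw=2.3.1
2018-06-06T10:01:00Z dev=pump-12 event=login user=svc_monitor result=ok
2018-06-06T10:01:30Z dev=pump-12 event=telemetry dst=203.0.113.7 fw=2.3.1
2018-06-06T10:01:10Z dev=pump-12 event=telemetry dst=10.0.5.20 fw=2.3.1
2018-06-06T10:15:00Z dev=pump-12 event=telemetry dst=10.0.5.20 fw=2.2.0
2018-06-06T10:15:05Z dev=pump-12 event=login user=admin result=ok
"""

# Hypothetical expected behaviour for the device, recorded at audit time:
# where it may send data, who may log in, which firmware is approved, and
# how long it may go silent before that itself is a finding.
BASELINE = {
    "pump-12": {
        "dst": {"10.0.5.20"},
        "users": {"svc_monitor"},
        "fw": "2.3.1",
        "max_gap": timedelta(minutes=5),
    }
}


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def analyse(log_text, baseline=BASELINE):
    """Return a list of (timestamp, device, finding) for every deviation."""
    findings = []
    last_ts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        dev = rec.get("dev")
        expected = baseline.get(dev)
        if expected is None:
            findings.append((rec["ts"], dev, "unknown device"))
            continue
        # Time-stamping: clocks that run backwards or devices that go quiet
        # both mean the data cannot be trusted to reflect current state.
        if dev in last_ts:
            delta = rec["ts"] - last_ts[dev]
            if delta < timedelta(0):
                findings.append((rec["ts"], dev, "timestamp regression"))
            elif delta > expected["max_gap"]:
                findings.append((rec["ts"], dev, f"silent for {delta}"))
        last_ts[dev] = max(last_ts.get(dev, rec["ts"]), rec["ts"])
        # Transmission: data leaving for somewhere not in the baseline.
        if "dst" in rec and rec["dst"] not in expected["dst"]:
            findings.append((rec["ts"], dev, f"unexpected destination {rec['dst']}"))
        # Identity and access: a login by an account not provisioned for it.
        if "user" in rec and rec["user"] not in expected["users"]:
            findings.append((rec["ts"], dev, f"unexpected user {rec['user']}"))
        # Patching: firmware other than the approved version (a downgrade here).
        if "fw" in rec and rec["fw"] != expected["fw"]:
            findings.append((rec["ts"], dev, f"firmware {rec['fw']} != {expected['fw']}"))
    return findings


if __name__ == "__main__":
    for ts, dev, finding in analyse(SAMPLE_LOGS):
        print(ts.isoformat(), dev, finding)
```

Run as-is, the constructed log yields five findings: a telemetry destination outside the baseline, a timestamp that goes backwards, a thirteen-minute silence, a firmware downgrade and an `admin` login. None of them would surface without someone comparing the log to what the device is supposed to do, which is the gap Raghu is pointing at.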

Whether affecting security in homes, in hospitals, in cities’ critical infrastructure or just about any other setting of today’s society, the ramifications of insufficient IoT security can be serious. Raghu said IoT audits should emphasize the importance of continuous monitoring, as prescribing fixes months after the fact can be far too late.

“You don’t have that kind of luxury here,” Raghu said. “You might need to fix it on an ongoing basis, on the fly, so it becomes very important you have a real-time status on this.”

[ISACA Now]
