Ten 2015 Security Risk Lessons from 2014 Breaches

During this time of year, we start to see the lists of top 10 breaches and predictions for the next year. How accurate are these predictions anyway? Did anyone predict that we would have a social media breach (Snapchat) the first week of 2014? Or that the string of breaches at major retailers such as Michaels, P.F. Changs, Urban Outfitters, Jimmy Johns, Ebay, Home Depot and others would have happened so soon after the prominent late 2013 Target breach exposed information on 110 million individuals? Or that one of the largest healthcare breaches involving 4.5 million patients across 206 hospitals would be compromised due to one of the media-highlighted vulnerabilities (Heartbleed, Bashbug, Poodle, etc.)?

As if these breaches were not enough, information stored in faraway online cloud places, such as Apple iCloud, made us pause and wonder where the right places were to store our personal data. Banking organizations are continually attacked, but who would have predicted that JP Morgan Chase, an organization that invests US $250 million annually on security and employs 1,000 security professionals, would have been breached?

Target hired a new CEO, CIO and CISO, each from outside of the company, as a result of the headline-grabbing breach. While there have been multiple retailers coming clean with announcing breaches in the aftermath, Target has been the unfortunate 2014 security-investment-conversation-starter for many organizations at the board of directors level. Target must be breathing a sigh of relief these days with the recent press surrounding the Sony Pictures breach. The focus has now shifted from a retailer attack that was compromised through a third party to nation state breaches and their prevention and/or risk reduction, freedom of speech and appropriate government response.

And let’s not forget that there were many news articles expressing concern about the February Sochi Olympics in Russia. Either we had great defenses and cyber intelligence that made this a non-event, or it was just thata non-event. Will we ever really know? The FBI regularly notifies companies of breaches. There were more than 3,000 in 2013a number that we could have predicted would increase in 2014. Did it?

Would we have predicted that, according to the Identity Theft Resource Center (ITRC), approximately 750 breaches exposing more than 81 million records (56 million attributed to Home Depot) would be reported by mid-December 2014? And what about the breaches that are not required to be reported by legislation or the cases where breaches were reported, but the numbers exposed were simply unknown? Should we expect more or less next year?

Lessons learned
While some of these questions are difficult to answer, there are some clear takeaways for CISOs, auditors and information security professionals:

  1. Information security will remain in the news as a frequent event. The breach of Sony Pictures has implications for how companies should respond to the breach (such as Sony’s pulling the release of the Interview due to the threats received), and how governments should respond to breaches. Expect political posturing and rhetoric within the US and between the US and North Korea for at least the first half of 2015. Discussions will shift to how nation state attacks should be dealt with by private enterprises and what is the cybersecurity responsibility of government.
  2. There should be an increased push for NIST Cybersecurity Framework adoption. While released in early 2014 in response to the President’s executive directive, this voluntary framework could receive an increased government desire to move the framework beyond voluntary. ISACA’s COBIT is a key information reference in this framework, and a guide existsto help you implement the NIST framework using COBIT.
  3. Vendor risk management should increase. The Target breach highlighted the importance of appropriately segregating networks and understanding vendor security practices. More attention will be placed on vendors, particularly cloud providers, with requests for SSAE16 SOC2, ISO27001 certification, or other independent assurance.
  4. Incident response is as important as prevention. While the details of how the JP Morgan Chase breach occurred are still being investigated, it is clear that significant spending goes so far, and that every organization needs to ensure that they can adequately respond to a breach in a timely manner.
  5. Public relations departments will continue to minimize the events. Unless the breach is in tens of millions of records or individuals, they will not be sustained by the news media. Expect to see these “small” breaches in the single-digit millions minimized by their respective organizations.
  6. Encrypt external storage and hold the keys. With cloud providers maintaining the data, expect to see more attacks focused on these organizations. Small Software as a Service (SaaS) providers may be particularly vulnerable.
  7. Data location will remain a top privacy issue. As countries do not trust each other with obtaining access to data without going through a lawful process, the preference for countries will be to have the data stored regionally (e.g., Canada, USA, European Union, Asia Pacific) and privacy laws will be promoted to retain information within country.
  8. Security professionals will need to embrace mobile technology. With smartphone availability becoming ubiquitous concentrated with several top players, tablet shipments surpassing desktops, and an appetite for BYOD, actions must shift from BYOD avoidance to mobile embracement and ensuring secure mobile code development and administration.
  9. Blocking and tackling has never been more important. Organizations must up the internal bar before the breach happens and invest in technologies that support COBIT 5 for security, NIST Cybersecurity Framework, ISO27001 Certification, SANS Top 20 Critical Controls, OWASP Top 10 and others. Running large organizations with one to two full-time security professionals (outside of identity and access management staff) can no longer be the model. A surprising number of large organizations run very lean with security leadership staffing. End-user behavior must be elevated with security awareness training and phishing simulations, as many of the breaches today start with malware introduced by phishing an end user.
  10. Security skills shortage will continue and recruiters will need to be creative. Some accounts have indicated a near-zero information security professional unemployment rate. Organizations may need to turn to managed security service providers and developing interested internal professionals in security practices to provide assistance. Breaches have heightened awareness of the need, which in turn reduced the supply of available talent. This is one key area that ISACA’sCybersecurity Nexus (CSX) is addressing. Through CSX, ISACA aims to help companies develop their security workforces and help individuals develop or advance a career in cybersecurity.

Next year, we will have a new list of companies that have experienced major breaches. Odds are, one or more of the top 10 takeaways listed above will be involved. As we move into 2015, each of us needs to decide for our organizations which areas we will focus on most. To reduce the risk that we will not be the result of the latest comedy of errors, in the modified words of well-known comedian Larry the Cable Guy, we need to just “Git-R-Done.” I don’t care who you are, having a breach is not funny.

Todd Fitzgerald, CISA, CISM, CRISC, CISSP, CIPP/US, CIPP/E, PMP
Global Director Information Security, Grant Thornton International, Ltd.

[ISACA]

The Coolest Hacks Of 2014

TSA baggage scanners, evil USB sticks, and smart homes were among the targets in some of the most creative — and yes, scary — hacks this year by security researchers.

It’s easy to forget some of the more innovative and eye-popping hacks by the good guys in 2014 amid the painful and unprecedented wave of cybercrime, cyber espionage, and cyber mayhem that the world has witnessed the past 12 months.

But the lessons learned from the epidemic of retailer hacks this year starting with Target, and the unprecedented destructive breach and doxing of Sony that to date has come as close to an international incident as any cyberattack, serve as a chilling reminder that any organization’s computing infrastructure is breakable by bad hackers. And that raises the stakes in the race to find new security weaknesses before the bad guys do.

The epidemic of real-world breaches this year has lent some blatant and highly tangible credence to the dangers of malicious hacking that white hat hackers for years have been warning about and demonstrating in their own research.

So yes, our annual lighthearted look back at the year’s coolest hacks by the good guys has a more profound feel to it now. Even so, kick back with some holiday cheer and have a look at some of the more memorable and creative hacks this year:

A weaponized PLC
Programmable logic controllers (PLCs), the systems that run machinery in power plants and manufacturing sites, are traditionally the target of attackers looking to disrupt or sabotage critical systems. But Digital Bond researcher Stephen Hilt earlier this year decided to rig a PLC with a low-cost hacking tool that would allow the system to shut down a process control network via a text message.

The so-called “PLCpwn” hacking tool cost Hilt about $400 and a couple of weeks to build, and lets an attacker bypass perimeter security and air gaps to wreak havoc on the plant floor. “It can cause a large disruption with a single text message,” Hilt said. “It will sweep an entire subnet with STOP CPU,” and is capable of data exfiltration and injection-style attacks, he said.

Hilt’s weaponized PLC uses attack modules previously written by Digital Bond, and is based on a 5-volt Raspberry Pi board with DualComm Tap and a DroneCell card for communications.

Cheating TSA’s carry-on baggage scanners
Turns out you can easily sneak a weapon or a banned substance past US airport security by exploiting “lame bugs” in a pervasive X-ray scanner for carryon baggage at TSA checkpoints.

That’s how renowned researcher Billy Rios described the flaws in the Rapiscan 522 B x-ray system used by the TSA at some major airports. Rios and his colleague Terry McCorkle discovered some painfully wide open holesin the scanners, including user credentials stored in plain text, the outdated Windows 98 as the underling operating system, as well as a training feature for screeners that injects .bmp images of contraband, such as a gun or knife, into a passenger carry-on in order to test the screener’s reaction during training sessions. The researchers say the weak logins could allow a bad guy to project phony images on the X-ray display.

They were able to easily bypass the login screen and see the stored user credentials sitting the database store. “These bugs are actually embarrassing. It was embarrassing to report them to DHS — the ability to bypass the login screen. These are really lame bugs,” Rios said.

Hacking satellite ground terminals by air, sea, land
Ruben Santamarta found critical design flaws in the firmware of popular satellite land equipment that could allow attackers to hijack and disrupt communications links to ships, airplanes, military operations, industrial facilities, and emergency services.

An attacker could install malicious firmware or even send an SMS text message to spoof communication to a ship, for example. Another even scarier possibility: he could wrest control over the Satellite Data Unit or SwiftBroadband Unit interface in the satellite terminals sitting on an airplane’s in-flight WiFi network via its weak password reset feature, hardcoded credentials or the insecure protocols that support the so-called AVIATOR 700 satellite terminal, as well as compromise control of the satellite link communications channel used by the pilot.

“We’re not crashing planes here,” Santamarta said of the potential danger, but some of the vulnerabilities could pose a safety risk, he said.

In many cases the attacker would need physical access to the ground equipment, as well as knowledge of the firmware and its security weaknesses.

Smart home devices not so savvy
If an attacker has physical access to your Nest Learning Thermostat or your DropCam camera, bad things can happen easily — and fast. Two groups of researchers this summer demonstrated the ease with which an attacker can turn the devices against their owners to spy on them, attack other devices on the network, or spoof their activities.

University of Central Florida researchers Grant Hernandez and Yier Jin and independent researcher Daniel Buentello showed at Black Hat USA how in less than 15 seconds a bad guy can rig a Nest with a micro USB cable and backdoor to spy on the owner, capture wireless credentials, as well as attack other home network devices. Another risk would be Nests backdoored and then returned to a store or resold on Craigslist to target a neighborhood, for example.

DropCam, the plug-and-play webcam-based video monitoring system used for watching over your house while on vacation or the on the kids at daycare, can be similarly abused. Synack researchers Patrick Wardle and Colby Moore at DEF CON this summer demonstrated holes in the WiFi security cameras, such as intercepting video and hot-miking audio for spying purposes. Wardle and Moore inserted a malware “implant” that can infect computers used to configure a DropCam camera.

“Don’t trust a camera from strangers,” Wardle said, a theme echoed by the Nest hackers on the potential for rigged smart thermostats.

Meanwhile, security researcher David Jacoby of Kaspersky Lab recently put his own smart home to the test. That’s right — he hacked his own home, specifically his smart TV, satellite receiver, DVD/Blu-ray player, network storage devices, and gaming consoles. “Before I started, I was pretty sure that my home was pretty secure. I mean, I’ve been working in the security industry for over 15 years, and I’m quite paranoid when it comes to such things as security patches,” Jacoby wrote in a blog post on Dark Reading sharing his findings.

But Jacoby quickly found flaws in his network-attached storage systems, smart TV, and in his home router, including weak default passwords, incorrect permissions in configuration files, and plain text passwords. “The DSL router used to provide wireless Internet access for all other home devices contained several hidden dangerous features that could potentially provide the Internet service provider remote access to any device in my private network. The results were shocking, to say the least,” Jacoby said.

Crashing the vehicle traffic control system
Outfitted with a backpack carrying his prototype access point to passively test access to the vehicle traffic control systems in major cities including Washington and New York, researcher Cesar Cerrudo was able to reach from a few hundred yards away traffic control equipment and access points supporting them.

Cerrudo found that hundreds of thousands of road traffic sensors and repeater equipment are at risk of attackers wreaking havoc that could result in traffic jams or even vehicle crashes. In his experiment, Cerrudo discovered the devices communicate traffic information in clear text and don’t authenticate the data, opening the door for possible sabotage.

The Sensys Networks sensors he tested detect vehicles and use that data to determine the timing of traffic lights and for issuing electronic alerts of events on the highway. “You can sniff the wireless data, learn how the system was configured, how it was working, and then just launch an attack with fake data,” Cerrudo said. The access point will accept the phony traffic data, but an attacker would need to know the where the AP, repeaters and sensors are located at an intersection he or she targets.

Sensys Networks recently updated its software, but Cerrudo said it’s difficult to confirm whether the updates fix the security flaws because the nature of the patches wasn’t public.

One bad-ass USB
Don’t trust that USB stick. Researchers Karsten Nohl and Jakob Lell created “BadUSB,” a weaponized USB stick that once plugged into a machine can wage attacks on the network. The pair basically reverse-engineered and retooled its firmware to become an attack tool that among other things steals information or installs malware.

An Android plugged into a computer could intercept all network traffic to and from that machine, for instance, and Nohl said there isn’t much you can do to prevent BadUSB attacks. Anti-malware software only scans the data on an USB stick, not the firmware, for example, he noted.

BadUSB can’t be cleaned up by reinstalling the operating system, and it can replace the computer’s BIOS by posing as a keyboard and unlocking a hidden file on the stick.

A worm in your NAS
Jacob Holcomb this fall constructed a proof-of-concept, self-replicating wormthat scans for vulnerable services running on network-attached storage devices and identifies the NAS device. If a NAS is vulnerable, the worm launches an exploit to take over the device and then spread to other NAS devices.

“I wanted to actually develop a POC myself and present it so people can understand the ramifications as my findings are being demonstrated and publicly disclosed, versus six months later when adversarial attackers are trying to exploit it for profit,” Holcomb said.

Holcomb, a security analyst at Independent Security Evaluators, has been studying flaws in NAS devices for the past year or so, and the list of vulnerable products is a who’s who of the storage market Seagate, D-Link, Lenovo, Buffalo, QNAP, Western Digital, Netgear, ZyXEL, Asustor, TRENDnet, HP, and Synology. “Pretty much everything we do relies on some form of backend storage for access,” he said of the problem.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, CommunicationsWeek, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at The College of William & Mary. Follow her on Twitter @kjhiggins.

[DarkReading]

A Forecast of the Cyberthreat Landscape in 2015


Ryan Olson, Intelligence Director, Palo Alto Networks

As I look back over the cyberthreat landscape in 2014, I’m amazed by the volume of activity handled by our community this year. From Heartbleed toWireLurker, we certainly had our hands full.

Sophisticated, targeted attacks will be the new normal in 2015 and I expect to see at least one new report each week. Here are some other trends from 2014 and predictions for the coming year that I think are significant.

Longstanding vulnerabilities revealed
In 2014 we learned about multiple major vulnerabilities in code, which in some cases had been in place for more than a decade. Heartbleed, ShellShock,POODLE and SChannel all existed in source code for years, but weren’t publicly disclosed until 2014. It’s possible that these vulnerabilities had been independently discovered by attackers who exploited them unnoticed for years. 

The discovery of these vulnerabilities started reviews of major open source repositories the community had assumed were rock solid. Those reviews are likely to bear fruit in 2015, resulting in the disclosure of more long-standing vulnerabilities.

Continued success of ransomware
Ransomware, a class of malware that extorts users into paying an attacker, has existed in various forms for years, but 2014 was when the “Locker” malware really took off. Lockers work by infecting a system, quickly finding important files on the hard drive, encrypting them and telling the user they can recover the files if they pay a ransom, normally a few hundred dollars. Lockers are distributed through many mechanisms (spam email, for example) and are often installed by other botnets as secondary payloads.

The best-known locker variant, “CryptoLocker,” was detected in late 2013. One of the reasons for this malware’s success was that its operators actually decrypted files once the ransom was paid. If word got out that victims who paid the ransom never recovered their files, nobody would pay up. But infected users trusted CryptoLocker and were willing to pay the ransom to retrieve their stolen files. Other variants of lockers discovered in 2014 included CryptoWall and CryptoDefense.

The massive success of these in 2014 impacted companies large and small and the revenue streams generated by ransom payments are unlikely to be disrupted any time soon.

Ongoing PoS attacks
Starting at the end of 2013, organizations began reporting a series of attacks on retail point-of-sale (POS) systems, which impacted tens of millions of users. These attacks used malware that infected Windows systems attached to credit card readers, and searched those systems’ memory for credit card data.

In August, the U.S. Secret Service released an advisory about one of those malware tools, known asBackOff. The advisory estimated that more than one thousand businesses were affected by BackOff. While many organizations reported PoS breaches this year, the total of publicly announced breaches was well under a thousand, indicating that many breaches may have gone unreported.

The U.S. credit card payment system is moving away from legacy magnetic stripe technologies toward chip-and- PIN systems, which are less vulnerable to these attacks. Apple released its own payment system (ApplePay) in October, which uses near field communication (NFC) for contactless payments, in part to help make in-store payments more secure.

POS attacks and new malware are likely to extend well into 2015 and beyond – depending on how quickly new security measures are adopted.

Mobile is a valuable target
In 2014 we saw multiple new attacks on Android and iOS devices, most significantly WireLurker, which attacked non-jailbroken iOS devices. As more data moves onto these devices they are becoming a valuable target for all types of attackers.

Mobile devices are ripe for attack for many reasons: They often hold user credentials for applications and websites, they’re used for out-of-band authentication, they are almost constantly connected to the internet and they have audio and video recording capabilities

For high-profile targets, these devices are a treasure-trove of information. Mobile platforms often do not receive the same level of monitoring (anti-virus, IPS, etc.) that desktop systems do. An infected phone could go unnoticed for months or longer while monitoring the user and stealing their data.

In 2015 I expect to see the discovery of significant targeted attacks against mobile devices designed to steal data.

[SC Magazine]

Why Am I a Huge Fan of COBIT?

If you’ve been thinking about looking into COBIT, but haven’t because you are not quite sure what it can do for your enterprise, now is the time to get started. As an IT professional who has used COBIT for several years, I can say without hesitation that it has more to offer than you might imagine. COBIT can help you look at your organization from the governance and management standpoints, and expands the view beyond just processes through the use of enablers. This framework is not an academic reference that grew out of the audit, risk and security areas. It is a flexible, useable tool that has completely won me over, and here are five reasons I’m a big fan:

  1. COBIT is relevant—the goal is to deliver value.
    The enterprise exists to create value for its stakeholders. This is simple in theory, but tough in real life. COBIT was created from the top down, meaning that the entire model focuses on the primary facets of providing value by realizing benefits while optimizing risks and resources. From the goals cascade to the enablers, COBIT helps you focus on value.
  2. COBIT still focuses on information.
    If an enterprise does not manage its information, it will no longer exist. COBIT focuses on the information first, and that is the right way to look at it. Without information, there is no need for the technology.
  3. COBIT is not just for the big companies.
    COBIT has escaped the “for big companies only” misconception. Whether you have a small IT organization or several hundred resources, COBIT fits any size; you just need to identify your business goals, objectives and mission to operate as a going concern. I have seen an organization with two IT staff members leverage COBIT.
  4. COBIT is a framework that looks beyond just processes.
    COBIT’s seven enablers are designed to help you get beyond just looking at processes. These enablers include 1) Principles, Polices and Frameworks, 2) Processes, 3) Organizational Structures, 4) Culture, Ethics and Behavior, 5) Information, 6) Services, Infrastructure and Applications, and 7) People, Skills and Competencies. These provide a more holistic approach to governance where changes in one enabler must be adequately assessed across all enablers.
  5. COBIT is a great reference for process owners.
    All processes should have owners. I will even take that a step further and say that all processes should have assigned roles. Within COBIT 5 there is a wealth of information regarding processes. There are 37 processes organized into five domains (one governance domain and four management domains). Within this process reference model, the biggest hitters for me include: process description and purpose, practices and activities, inputs and outputs, RACI charts, goals, and related industry standards and frameworks.

And the benefits don’t end there. See five additional reasons here.

Whether you are a board member, executive, auditor or IT operator, do yourself a favor and learn more about COBIT. Admittedly, many people find it difficult to simply thumb through the various publications and experience the “ah, I get it now” feeling. My advice to anyone who wants to learn more about it is to go to the ISACA site and download some of the key publications, or visit COBIT online. And consider joining me at the first-ever COBIT Conference, taking place in March 2015 in Orlando, Florida, USA.

Adopting a framework does not guarantee your governance success, but it sure does offer a great starting point. COBIT offers a common language that can be shared across the enterprise, but real adoption requires executive support, a desire to improve and a strong desire to achieve the governance of enterprise IT.

Mark Thomas, CGEIT, CRISC, ITIL, MOF
President of Escoute

To learn more about the COBIT Conference, visit www.isaca.org/cobitconference.

[ISACA]

Cybersecurity: No Cease Fire, Who Will Win? – Insights from North America ISRM 2014

In the cybersecurity industry, you will never feel bored due to the enormous amount of buzz words and headlines—the good, the bad and the ugly. High profile data breaches have been exposed to the public one after another. Nations escalated cybersecurity to their highest priority. New regulations and standards were developed to catch up to the trend.

ISACA’s 2014 North America Information Security and Risk Management (ISRM) conference, which will be transformed into CSX 2015 next year, provided a great platform for cybersecurity professionals to share and learn in this big context. I appreciated the opportunity to attend the conference, and especially it was my privilege to interview several conference speakers.
Here are some thoughts as I look back at ISRM 2014.

The fear of cybersecurity
It was not a surprise to me that quite a few speakers started their presentations by illustrating the current threat landscape. Enough evidence justified why everyone should consider cybersecurity a serious concern.

During his “2014 Top Security & Privacy Bloopers” presentation, Todd Fitzgerald skillfully summarized and analyzed data breaches from Target to Sochi Olympics and from EBay to JP Morgan. The number of companies notified by the US Federal Bureau of Investigation (FBI) in 2013 of breaches alarmed and reminded us that there is no place to hide in cyberspace. Regardless of the industry, the size and the type of your organization, it seems that cyberattacks can happen at any time. It brings further complexity to the table when your organization is leveraging new technology forces such as cloud, software defined networking (SDN), big data or the Internet of Things (IoT). Another critical aspect, proposed by Tim Mather, is to be aware of application programming interface ( API) , which will most likely be the next hacker target.

Joseph Ingemi’s presentation provided us a new angle: to consider cybersecurity from geographic and political views. Although Ingemi took the stance mainly from Western countries’ points of view, he proposed a valuable approach to evaluate the intention and similarities of the cyberattackers. I was also impressed by his deep analysis on the correlation of cybersecurity with recent economic and political events and efforts such as Trans-Pacific Partnership ( TPP ) and Group of Twenty ( G20).

We must accept that at some level, a cyberattack is unavoidable. We are at war, said Curtis K. S. Levinson; the cybercriminals are targeting financial gains but the cyberterrorists are targeting generating fear. The big question is: There is no cease fire in cyberspace, so who will win the battle? I think the following three themes discussed throughout the conference can help us fight against the adversaries.

New developments in regulations and standards
Based on recent developments, privacy has become the highest priority for nations across the world. According to Fitzgerald, EU parliament approved the amended EU Data Protection Legislative Framework Proposal (the “Draft Regulation”), which was intended to replace Directive 95/46/EC. The right to erase data, increased penalties, DPA approval of transfer to non-EU countries and data portability were the four major areas EU wants to improve. Canada’s Anti-Spam Legislation (CASL) became effective on 1 July 2014. Deloitte called CASL one of the toughest laws of its kind in the world. Australia’s privacy amendment with 13 privacy principles came into force. South Korea amended its Personal Information Protection Act. Brazil, Mexico and South Africa had also initiated privacy and security regulation efforts.

In terms of standards and best practices, ISO/IEC 27001:2013 and PCI DSS 3.0 became effective in January 2014. The new ISO standard focuses more on leadership and has greater emphasis on setting objectives, monitoring, performance and metrics. ISACA and National Institute of Standards and Technology (NIST) both initiated a cybersecurity program. NIST released a cybersecurity framework in February 2014 based on Executive Order 13636. ISACA launched the Cybersecurity Nexus (CSX), which offers thought leadership, certification, training and networking for all levels of the cybersecurity profession, explained ISACA International President Robert E Stroud, CGEIT, CRISC.

Practical security strategies
During his “Cybersecurity: Engaging with the Board” presentation, Adel Melek illustrated an actionable approach to transform an organization’s cyberdefense to be more secure, vigilant and resilient. The 10 key considerations for board and senior management proposed by Melek, especially the 10 questions the board should ask to evaluate the overall security maturity level, were truly insightful.

One interesting topic around privacy is how to balance employees’ privacy versus organizations’ security protection. It makes the global debate worse if the organization is an international company with employees throughout the world with various definitions of privacy. According to presenter David Melnick, cyberthreats and liability drive investment in employee control. Despite increasing risks and strong policies, organizations fail to regulate employee personal web use. At the same time, regulatory environment trends increase employee privacy rights. Melnick proposed the approach of separating personal web use and professional web use to strengthen security and reduce risk by providing employee privacy.

Dr. Lance Hayden demonstrated how the Goal, Question, Metric (GQM) framework, which I think is one of the most practical approaches so far, works well for strategic metrics.

Educated and experienced security professionals
According to Cisco, there still is a significant need for skilled professionals who can protect and defend enterprises worldwide. Obviously, experienced security professionals are key to the success of fighting against cyberadversaries. The panel from Cybersecurity Credentials Collaborative (C3), including CompTIA, GIAC, ISACA, (ISC) 2, and ISSA, discussed what organizations need from cybersecurity professionals and how to develop candidates to effectively fulfill these roles.

lso, Robin “Montana” Williams introduced the US National Initiative for Cybersecurity Education (NICE), which aims to raise national cybersecurity awareness, broaden the pool of cyberworkers through strong education programs and seeks to build a globally competitive cybersecurity workforce.

We are in era of cybersecurity, and security is everyone’s responsibility. The only way to win the battle is to inspire the whole society to work together and get things done effectively.

Alan Tang, CISA, CGEIT, CBCI, CIPP/IT, CISSP, ISO20K, ISO27K, PCIDSS, PMP, TOGAF
Director of Research – Security & Risk
Info-Tech Research Group

[ISACA]

English
Exit mobile version