Cloud Security Solutions With BYOD

For most organizations, bring your own device (BYOD) is a fact of life or soon becoming one. People want to use the same mobile device(s) for both their work and personal lives and have some freedom of choice as to the devices they use. The more competition an organization faces in recruiting and retaining employees, the more likely a company is to allow some form of BYOD. It can also increase productivity and communication for employees, since they are likely to be always connected.

However, BYOD also brings some interesting security challenges. Most of the challenges arise from the potential of sensitive information being stored on mobile devices. ISACA has a set of guidelines that can be helpful for securing mobile devices. Organizations could require that BYOD users follow suchguidelines. In addition, BYOD users frequently connect to the cloud as a way to get their work email or share files and this poses some specific challenges.

For example, consider BYOD and the use of Dropbox or similar cloud file-sharing services for business purposes. Many organizations use Dropbox as a way to easily share files, even sensitive files, between users. The files are stored in Dropbox’s cloud and are encrypted using 256-bit AES encryption (both at rest and in transit), which is decent enough encryption for most corporate use. Generally, the files are also automatically synced with the mobile device. This may not be a concern for devices owned by the organization, but with BYOD, the employee now has a copy of a potentially sensitive file on his or her own device. If the device was then lost or stolen, it is possible that the sensitive data could be compromised, resulting in a data breach.

If this is a concern, organizations can mandate by policy that BYOD users only access the shared files on demand and not download local copies. This is fairly straightforward with Dropbox. Similar policies could be enabled for email use when the organization is using a cloud-based email service, such as Gmail. For example, the policy might only allow the use of email from a browser or app, rather than allowing local copies of messages and attachments to be stored on the device.

If local storage of potentially sensitive files and email is allowed, there are additional precautions that could be taken. Local data encryption, particularly on notebooks, is an option. Smartphones, tablets and, with additional software, even notebooks often have a remote-wipe capability that can be triggered if the device is lost. Ideally, this remote wipe should be something that not only the BYOD users but also their IT departments can trigger on the device. In addition, PINs, passwords, two-step verification or biometrics must always be used to protect access to the device. Devices that do not have such authentication should be prohibited from accessing the company network or cloud.

Of course, the security policy should also mandate that the sharing of personal work files should be kept separate. In the case of Dropbox, use a separate Dropbox for each one. Otherwise, an employee wanting to share sensitive information may inadvertently share work information with friends and family.

Since BYOD is a fact of life and is likely being used in conjunction with work in the cloud, organizations need to review and update their security policies and security awareness training to ensure that sensitive data remains secure.

Rob Clyde, CISM
CEO of Adaptive Computing
ISACA International Vice President

[Source: ISACA]

Industrial Cybersecurity in Our Society

Information technology (IT) has a main role in our society and economy. It is known that most of the essential services, public and private, mass media, security forces and, of course, enterprises, depend on IT for the normal, everyday activities. But, it is not so widely known that every one of those essential services and IT assets depend more and more on industrial control systems (ICSs). ICSs are responsible for the control and management of physical security systems in data centers, as well as refrigeration towers and electric generators providing energy to the fire extinguish systems, among many other aspects.

ICSs are the bases of the main critical infrastructures and essential services in our nations and, therefore, their security and protection rests in them. This has made ICSs a target for cyberterrorism, advanced persistent threat attacks and cyberwar.

This fact, besides a lack of security requirements in their design, deployment and operation, has allowed the development of real cyberweapons whose objective is to exploit the existing vulnerabilities in these systems.

Therefore, our society and economy are vulnerable. Stuxnet, Duqu, Anonymous, Flame, Shamoo, Careto, botnets or denial of service attacks are words and concepts appearing more and more in the media, trying to explain information leaks, service outages, electrical blackouts and other incidents that affect our essential services.

In a global market with more competitiveness and complex and growing threats, this situation is unsustainable. It is necessary to employ large amounts of work, develop plans, implement measures and, of course, provide important economic resources to decrease the gap of vulnerability to the attackers, and increase the level of protection of our industrial and critical infrastructures.

This new area, called industrial cybersecurity, addresses these issues. It is the set of practices, processes and technologies designed to manage the risk of cyberspace when using, processing, storing and transmitting information in industrial infrastructures and organizations, and focuses on the people, processes and technologies involved. In this increasingly complex world, many disciplines need to team up to reduce the risks related to cyberterrorism and protect our critical assets.

Samuel Linares
Director, Industrial Cybersecurity Center (CCI)

[Source: ISACA]

Next-gen Cybersecurity Means Anticipating Threats

The recent announcement of a forward-looking cyberthreat tool from the Georgia Tech Research Institute (GTRI) is an example of a developing trend in security of using broad-based data that bad guys themselves put out to try and get ahead of threats. It’s also a tacit admission that security solely based on reacting to threats is not, and will not, work.

The GTRI tool, called BlackForest, collects information from the public Internet such as hacker forums and other places those said bad guys gather to swap information and details about the malware they write and sell. It then relates that information to past activities, and uses all of that collated intelligence to warn organizations of potential threats against them – and once attacks have happened, how to make their security better.

Ryan Spanier, the head of GTRI’s Threat Intelligence Branch, said the intention is give organizations some kind of predictive ability so that, if they see certain things happening, they’ll know they may need to take action to protect their networks.

These and similar tools are badly needed. The CyberEdge Group, in its 2014 Cyberthreat Defense Report, found that more than a quarter of the organizations it surveyed had no effective foundation for threat defense. Overall, investment in those next-generation tools that could be most effective against advanced threats is still “fairly low.”

In addition, it said, because of the speed at which threats are deployed these days, the relative security and confidence of today can be gone tomorrow, and IT security teams can only make educated guesses at what attackers will try next, and where they will try it. The bottom line, it said, is that maintaining effective cyberthreat defenses not only requires constant vigilance, “but also an eye on the road ahead.”

It’s something both government and industry organizations are starting to push with more urgency. Greg Garcia, the former head of cybersecurity and communications at the Department of Homeland Security, recently said he expects to see more investment in tools that will help banks and financial institutions anticipate emerging risks. As the new executive director at the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, he knows how important that will be for an industry that is a primary target for cyberattacks.

The National Institute of Standards and Technology is also trying to push government agencies in that direction. In the first iteration of a cybersecurity framework it published in February this year, NIST listed four levels at which the framework could be implemented and which would “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.”

The highest level, Tier 4, is labeled Adaptive and describes an organization that “actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner” and has “continuous awareness of activities on their systems and networks.” Though NIST takes pains to say that the tiers don’t represent actually maturity of cybersecurity defenses, it also says agencies should be “encouraged” to move to higher levels.

The methodology GTRI uses for BlackForest is not that new to the security field, at least in broad terms. Security companies have for years trawled global networks to identify threats and develop defenses against them, and that’s the basis for the regular update of antivirus signatures they send to their customers. As CyberEye recently pointed out, however, those techniques are become less effective and are all but useless against the most sophisticated, and most damaging, kinds of malware.

Success for organizations in the future will not be based on how many attackers it can keep out of their networks and systems, but how fast and how effectively they can detect and respond to attacks that are already on the inside. That’s the understanding for a rush to big data analytics, which organizations are betting on will enable that kind of timely response. Gartner believes that, by 2016, fully 25 percent of large companies around the world will have adopted big data analytics for that purpose.

Whether or not BlackForest and similar tools provide the level of security their developers say they will is still to be seen. After all, the attackers have proven they are just as intelligent and creative as defenders. But these tools merely indicate the direction security needs to go, because the regular way of doing things just ain’t working.

[Source: GCN]

Global ISACA study: Organizations not prepared for advanced cyberthreats

Only 15 percent of organizations worldwide believe their enterprise is very prepared for an advanced persistent threat (APT) attack, and big gaps in employee education and mobile security remain. These findings come from ISACA’s new 2014 Advanced Persistent Threat Awareness Study, which published today.

The study also found that one in 5 organizations (21 percent) have experienced an APT attack, and 66 percent believe it’s only a matter of time before their enterprise is hit by an APT. Among the companies that have been attacked, only one in three could determine the source.

APTs are stealthy, relentless and single-minded, and their aim is to take information such as valuable research, intellectual property or government data. In other words, enterprises cannot afford to be anything less than very prepared—and that preparation requires more than just the traditional technical controls.

However, the majority of responding organizations still say their primary APT defense is technical controls such as firewalls, access lists and anti-virus, which are critical for defending against traditional treats, but not sufficient for preventing APT attacks. Nearly 40 percent of enterprises report that they are not using user security training and controls to defend against APTs—a critical component of a successful cybersecurity plan. Worse yet, more than 70 percent are not using mobile controls, even though 88 percent of respondents recognize that employees’ mobile devices are often the gateway to an APT attack.

While more enterprises report that they are adjusting vendor management practices (23 percent) and incident response plans (56 percent) to address APTs this year, the numbers still need significant improvement.

The good news is that more enterprises are attempting to better prepare for APTs this year. The bad news is that there is still a big knowledge gap regarding APTs and how to defend against them—and more security training is critically needed.

As part of our new Cybersecurity Nexus (CSX) program, we will offer some of that training through events such as free webinars. We recently kicked off a six-part cybersecurity webinar series, and the third webinar will be all about APTs. I encourage you to attend and learn more about this important topic.

And tell me—do any of these survey findings surprise you? Are they in line with what’s happening at your organization? Respond below or tweet me at @RobertEStroud or @ISACANews.

 

Robert E Stroud, CGEIT, CRISC

ISACA International President

[Source: ISACA]

How the Role of the CSO is Fundamentally Changing, Part 3

In part 1 and part 2 of this series, we examined the history of the CSO and various arguments as to where the CSO role should sit in the organization. Now let’s talk about how the “new” CSO plays a much bigger role in the overall C-suite and what skills a CSO requires.

Is the C-suite ready to welcome a CSO?

Some large companies have the CSO listed as part of the company’s leadership team (Cisco and Oracle to name two) but this is not the norm in most organizations. To me, that implies that the company does not consider security essential to the business and the C-level governance of that business. Legal is essential. HR is essential. Finance, Marketing, and Sales are all essential. So why isn’t security?

It is interesting to note that business leaders run out as fast as they can to hire a CSO/CISO as soon as they get hit by a significant breach: RSA, Sony, Adobe and Target all followed this pattern. Obviously, this is a little backwards. But these kinds of events are causing business leaders to rethink how important security is to their business. I predict that they will eventually lead to the elevation of the CSO to the leadership team as a best practice.

What every CSO should have

I still believe the CSO should come up from the technical ranks. Today’s world is so complicated technically that if you do not have that background, you can be completely overwhelmed by the latest security trend. The true CSO skill that has to be learned, though, is how to translate that technical knowledge into something that a business leader will understand or care about.

Let’s look at the Heartbleed incident as an example. That vulnerability exposed many companies to a non-traditional hack-attack pattern. Without an understanding of the potential risk to that attack pattern, security people could not possibly translate the business risk to the company leadership.

In other words, the CEO does not care about how many machines have to be patched with the latest Microsoft Patch Tuesday release. He does care if the Microsoft Patch Tuesday release affects a key revenue-generating component to his business and should consider re-directing resources to this component in order to reduce the risk sooner than later. This business translation is often hard for techies. But it can and it must be done, and the CSO is the ideal person to do it.

Evangelizing Security

In any organization, the security state evolves over time. There are security controls already in place that mitigate certain threats and there is a plan to implement other security controls to mitigate other threats.

For internal evangelism, I have found that it makes sense to explain the controls to the average employee at a very high level, explain what could happen if the control was not in place and demonstrate where the control was successful in preventing that scenario. That discussion makes it real and is not some abstract idea where the security guys make the employees do stuff for no apparent reason

For external evangelism, it behooves all security practitioners to participate in the community sharing best practices that work and even things that have been tried but failed to produce the desired result. When you are trying to break new ground on a new security idea in your organization, it helps very much to say that other folks in the security community have also tried it with some success.

What should be required of a CSO in 2014 and over the next few years? Leave a comment below and let me know what you think. 

English
Exit mobile version