Five Ways Firewalls Keep Getting Better

Firewalls have been a mainstay for cybersecurity for many years, but they aren’t perfect tools. Despite advances in internet and device technology, basic firewalls haven’t changed much since their inception. But researchers and IT experts are working tirelessly to improve the foundational model and provide a better layer of protection for firewall users.

The firewall basics
Firewalls aren’t especially complicated, but they can work in a few different ways. All firewalls can be customized with specific criteria, allowing certain types of data to pass through while stopping others from passing into the network. Packet-based firewalls allow or deny specific packets entry to the network based on those protocols. Other types of firewalls retrieve the packets themselves as a kind of poison tester, before passing them onto the network. Most firewalls exist as an appliance or application, used in conjunction with your network.

How firewalls are evolving
So, how is this basic model starting to evolve?

  1. FWaaS. One major development in the firewall space has been the popularization of firewall as a service (FWaaS). FWaaS is cloud-based.Working much like a cloud storage system or similar cloud platform, FWaaS provides a layer of firewall protection to your network, no matter how remotely located it is or how many new links you add to the network. According to Cato Networks, this is advantageous because it means the firewall is more reliable, and covers a wider distance. In most cases, it’s more cost-effective as well. Plus, cloud-based firewalls are often updated automatically by providers, allowing for a mode of constant improvement.
  2. Lower costs. Firewalls are also getting less expensive. The tools necessary to create and maintain firewalls are becoming open-source and more available, and firewall management is becoming more intuitive thanks to better user interfaces. Overall, this means companies have to spend less time managing firewalls and less money getting the physical accessories necessary to maintain it.
  3. Higher throughput speeds. Throughput speeds are getting faster, which is good, because internet speeds are getting faster, and users won’t tolerate a slowdown just because the firewall needs extra time to kick in. Because the firewall takes action on data packets before passing them along (no matter what type of firewall is in effect), the time between requesting and receiving data is increased significantly under normal circumstances. Modern firewalls are becoming more advanced, enabling them to complete this process faster, and reduce lag in retrieving information.
  4. Awareness of users and applications. Traditional firewalls operate almost exclusively in layers 2 and 3 of the OSI model, in the network and data link, dealing with packets and frames. But modern firewalls are taking things a step further, according to findings by NSS Labs, improving awareness of applications and users. This gives firewalls more options in terms of blocking and allowing access to data, and gives organizations a wider berth of coverage to protect their systems. For organizations with hundreds of users and dozens of core applications, this functionality is indispensable.
  5. Third-party and multi-factor authentication systems. Authentication is a pivotal step for most firewalls, verifying that data has come from a trusted source and that the users attempting to access that data have the authorization to do so. Newer firewalls have more advanced means of authenticating; for example, they might partner with third-party authentication systems to define and/or allow certain groups of users access to specific information, while denying others. Multi-factor authentication can also use multiple protocols to ensure the validity of a given user (or packet of information).

Your cybersecurity should be one of your biggest priorities, so your firewall demands your attention and investment. Despite advances in other areas of cybersecurity, your firewall is still the first line of defense you have against the cybercriminals who would compromise your data, and the malware that could otherwise infiltrate your systems. Pay attention to these keystone developments, and make sure your firewall is upgraded enough to provide the best protection.

Anna Johannson, Writer

[ISACA Now Blog]

CSA Summit Returns to Infosecurity Europe 2018

Seattle, WA – May 9, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the agenda for the second annual CSA Summit at Infosecurity Europe 2018. The full-day event will be held Tuesday, June 5, as part of Infosecurity Europe 2018 (London, June 5-7).

The event will bring together leading security experts and cloud providers from around the world to discuss global governance, the latest trends in technology, the threat landscape, security innovations, and best practices, in order to help organizations fully understand the capabilities of cloud and how to properly protect themselves from its potential risks. Attendees will also have the opportunity to take advantage of Certificate of Cloud Security Knowledge (CCSK) exam training and a workshop – Achieving General Data Protection Regulations (GDPR) Compliance with the CSA Code of Conduct.

“Today, cloud adoption encompasses a wide range of mission-critical business functions. Some organizations, such as those in the financial and government sectors, have made significant steps thanks to regulatory mandates, requiring a change in technology security as well as the mindset of security professionals,” said Jim Reavis, CEO of the Cloud Security Alliance. “This year’s Summit will examine these advancements and others as we look to provide companies with actionable advice on how they can best apply these technologies to their unique business needs.”

The CSA Summit at Infosecurity Europe 2018 will feature keynote presentations from some of the industry’s most notable thought leaders in cloud, who will speak on such topics as:

  • Security as a Service: Work Where Your Engineers Live. Julia Knecht, Adobe Experience Cloud’s manager of Security & Privacy Architecture, will explain how Adobe leveraged existing software development processes to enable their engineers to get security work done when and where it needs to get done —without the overhead of constantly trying to reinforce security-specific processes.
  • Confessions of a Cloud Security Convert. In this talk, Michael Farnum, solutions architect manager/South Texas for Set Solutions, Inc., will share what he has learned as he transitioned from a career in network and application security to one in cloud security and take attendees through his journey of converting to the cloud.
  • Quantum-Safe Cloud Security. ID Quantique’s Quantum Safe Product Manager Bruno Huttner will discuss quantum-safe security and the recent work of the CSA Quantum-Safe Security Working Group.
  • Threat Modeling: The Ultimate DevSecOps. Learn how to take DevSecOps to the next level using threat modeling in this session from Fraser Scott, senior cloud security & DevSecOps engineer, with Capital One. He will walk the audience through a threat model of a cloud-based service using the Open Web Application Security Project (OWASP) Cloud Security project, looking at it from the perspective of development, operations and security. Attendees will walk away with an understanding of how threat modeling can dramatically improve the security of services by identifying and addressing threats, and will have the basic tools and techniques they need to get started threat modeling their own cloud services.
  • Secure by Design IoT. In this session, Matthew Theobald, a Cloud Security Architect with Schneider Electric, will show how to significantly reduce an Internet of Things (IoT) device’s attack surface using an alternative approach for bi-directional data flows to arrive at an IoT solution that is secure by design. The session will include a demonstration of an IoT device which sends telemetry to the cloud and responds to commands from a web application to perform actions on the board. The demonstration will include a network scan to show the device does not have an addressable server endpoint.

Also on the agenda is the EMEA Chapters Panel, during which time attendees will have the chance to provide feedback on cloud issues that are specific to Europe, as well as:

  • Discover what is going on in their country;
  • Understand what research is being undertaken within Europe; and
  • Learn of various projects’ progress and how they can contribute to areas of their own areas of interest.

Additional Training

CCSK v4 at Infosecurity Europe 2018. Attendees who are thinking of taking the CCSK exam or who simply want to deepen their knowledge of cloud security controls and implementation will want to register for this 1-day training workshop on June 7. Taught by Peter HJ van Eijk, an authorized CSA training partner and noted cloud computing expert, the provides students a comprehensive 1- day review of cloud security fundamentals and prepares them to take the CSA CCSK certificate exam.

Starting with a detailed description of cloud computing, the course covers all major domains in the Guidance document from the Cloud Security Alliance, the CSA Cloud Control Matrix (CCM), and the recommendations from the European Network and Information Security Agency (ENISA). Participants are encouraged to take advantage of some of the online training that is provided in advance of the course in ordered to maximize the training’s benefit. Students receive an exam token as part of the course fee.

Achieving GDPR Compliance with the CSA Code of ConductThis workshop on June 7 (10 a.m. – 1 p.m.) provides a brief overview of the European General Data Protection Regulations (GDPR) requirements. It explains the key role of the principles of accountability and transparency within the scope of the law and finally introduces the CSA Code of Conduct for GDPR compliance. During the workshop, representatives from CSA, the auditing community (ICT Legal and EY Certify Point) and a cloud service provider will walk-through a real-world scenario of how they can adopt the Code of Conduct for their organizations. Attendees of this workshop will walk away understanding:
which are the GDPR requirements for data controller and processors in the cloud.
what the CSA Code of Conduct for GDPR compliance is and how to integrate the CSA Code within their existing security program.

the importance of transparency and accountability from both the cloud service providers and customer perspective.
Presenters include Daniele Catteddu, CTO, Cloud Security Alliance; Paolo Balboni, founder of ICT Legal Consulting and chair of the CSA Privacy Level Agreement Working Group; Mayank Joshi, Manager, Ernst & Young Certify Point; and a representative from a cloud service provider.

To register or learn more, visit csacongress.org.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact


Kari Walker for the CSA 
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

The Importance of Securing Your Cloud

One of the biggest misconceptions regarding the cloud is that you can rely on the cloud provider service to protect your business, your data and everything else your firm holds dear.

Take a minute to think about your own home security system. Do you just lock the doors with the key and head off to work, fully secure that your valuables will still be there when you get back? Not likely. Many of us have at least a simple alarm system in place on doors and windows. More and more people are heading toward the latest trends in home security: motion sensors, 24-hour video cameras, remote door answering, etc.

Why does securing your cloud matter? Three enormous reasons:

  • Your cloud provider is only managing part of your security.
  • Cloud security lowers the risk of data breaches.
  • The minimum level of security compliance should never be enough.

Your security vs. cloud security
Let’s talk about your security against the cloud service provider’s security. The provider has specific language in any contract it signs with you concerning what it is and isn’t responsible for if there is a security breach. In its 2016 “Cloud Adoption & Risk Report,” SkyHigh Networks reported that the average user in an organization employed 36 different cloud services at work. That’s 36 potential security breach points into your cloud and 36 ways for information to leak out. By introducing all of the apps you need to make your business run to your cloud environment, you must take on the responsibility of ensuring that they are only serving their necessary capacity when analyzing and manipulating the data stored in your cloud.

It is integral that you manage all of your cloud-based applications and treat them all as security risks until the day you can scratch them off that list. The old days of hiring a third-party app to plug-and-play into your network are long gone. Your best way forward should be with a Security-as-a-Service (SECaaS) solution. Just like your infrastructure, software and your share of the cloud itself, SECaaS is the scalable solution that can handle your growth but also downgrade in the event your business shrinks. Even an in-person, onsite IT expert is not available 24 hours a day, 7 days a week, but a SECaaS is. The service can deploy solutions instantaneously when problems or suspicious activities arise, unlike in a traditional setting where everyone is waiting around for the IT professional to respond to a call for help.

The high price of data breaches
As for breaches, a 2016 study showed that the estimated cost of a data breach for a company is US $4 million. If your company has an extra $4 million lying around, by all means don’t fret about your cloud security. That figure might seem high at first glance, but there’s far more at work here than merely a loss of data or intellectual property. When you take a public data breach, word travels fast. Your best employees will be more receptive to offers from competitors. Your recruitment will suffer as those entering the workforce and those seeking to switch employers will take a lot harder look at what sort of company gets breached and what kind of company they’re looking to work for. And last but not least is the impact your data breach will have on your company’s public perception. The public has an incredibly long memory when it comes to embarrassing incidents for public companies. Don’t believe it? Fast-food giant Jack in the Box had a scare with mislabeled meat in 1981, and 37 years later, it’s still one of the top Google results for the restaurant chain.

Nobody wants the minimum
You didn’t get into business to do the bare minimum when it comes to protecting your assets and your customers’ information. No salesman has ever told a customer that he’d do the absolute least amount of work he could to get the customer’s business. The same excellence you strive for in taking command of your market and maximizing your profits should be applied to keeping your cloud secure.

To ensure the security of your cloud, consider adding dimensions such as multifactor security, where even if an employee’s login name and password are stolen or compromised, the party that took it still cannot access your cloud without an additional layer of security. Simple steps like this can be the difference between a secure cloud system and one just waiting to be picked apart by hackers.

Marty Puranik, CEO, Atlantic.Net

[ISACA Now Blog]

What the Skills Shortage Means for Existing Cybersecurity Practitioners

By now, most practitioners have heard (probably from a few different sources) that organizations struggle when it comes to finding, hiring and retaining the right resources for information security and/or cybersecurity professionals. There has been quite a bit written about this trend: the impact that it has on security efforts within enterprise, advice and guidance about how to staff and manage your security team in light of the talent challenges, strategies for working around it, etc. However, there is another potential angle that is comparatively less analyzed: the impact to existing practitioners – both in the short and long term – in light of the shortage.

Understanding this is important for practitioners as preparation now translates directly to continued success down the road. In knowing what we do about the workforce dynamics, we can make sure that we’re optimally positioned when the time comes for us to change jobs and continue to be in demand down the line.

Skills gap characteristics
The first thing to note is that the skills gap has characteristics that can be measured. We know that it exists from numerous research reports and surveys, specifically findings citing the lengths of time required to fill open positions, perceived difficulty in finding qualified candidates and challenges in retaining existing staff. ISACA’s 2018 State of Cybersecurity research was no exception in pointing this out. Findings from previous years of ISACA research, as well as studies from other organizations, suggest that these challenges are persistent.

However, the actual areas of need have been comparatively less thoroughly analyzed, including which positions are most problematic to staff and retain, which skills are in more demand, where the most hiring activity occurs, etc. Much like the skills gap itself can be measured, so, too, can these other characteristics. This year, we attempted to gather more information about these secondary characteristics of the skills gap.

What we learned was that individual contributors are in higher demand than managers. We also learned that there is a higher demand for technical resources, relative to non-technical ones. While that may not be a complete surprise to anyone who has tried to staff a security team, it is an interesting data point because it informs organizational staffing and retention strategies. The report data can also be useful for practitioners – i.e., those on the other end of the staffing equation. Meaning, individuals wishing to position themselves optimally for their future career growth can use this information as part of the “career strategy.”

Career “Future Proofing”
We as practitioners can maximize our competitiveness in the short term and ensure that we continue to be marketable over the long term by taking this information into account. For example, the information indicating that technical resources are harder to find relative to non-technical ones can help motivate us to stand out in the workforce by taking active measures to invest in our personal technical acumen. There are a number of ways to do this, of course, but ensuring that we remain abreast of new technologies, that we diversify the set of technologies with which we are conversant and keeping abreast of new attack methods is a good way to start.

In fact, there are many resources available to ISACA members to assist; for example, our partnership with Wapack Labs can help ensure that members stay abreast of attacker tradecraft; ISACA webinars (particularly those of a technical nature) and publications like the ISACA Journal can keep technical skills honed; and chapter activities can provide opportunities to learn new technical skills. This is potentially advantageous even for those that are more senior in their careers. For example, if a hiring decision came down to two resources – if all other things are equal, but one is more “current” in their technical understanding – who would you hire? See what I mean?

Over the long term, this information about the skills gap is likewise important for practitioners as it can inform their future career planning. Why? Because logic dictates that the dynamics will change over time in a few specific ways. For those with a decade or more before retirement, planning accordingly is valuable.

First, current challenges in obtaining qualified technical staff mean that it is most likely that organizations (and, in fact, the market at large) are likely to innovate toward automation strategies for technical work being done by human analysts today. Will this mean the existing workforce will be left high and dry? Not necessarily …  but it does mean that technical acumen, while useful to help differentiate you among candidates in the short to intermediate term, isn’t a guaranteed way to future-proof your career over the long haul. This in turn means that establishing a diverse set of skills – as well as building a strong professional network – are important in the long term, in addition to building technical skills.

Second, the fact that there is increased demand for individual contributors relative to managers means that (again, thinking long-term), those who desire to move into manager positions should be looking to differentiate themselves as well from a competitive point of view. They might, for example, consider taking on management responsibilities now to give them skills that, down the road, will be important to their overall competitiveness.

As with most things, there’s no “one-size-fits-all” advice – there are as many viable career tracks as there are practitioners themselves. That said, one thing that’s probably universally true is that having a “career plan” that accounts for both near-term and longer-term changes is a good idea. The findings from this research can help accomplish that.

Ed Moyle, Director of Thought Leadership and Research, ISACA

[ISACA Now Blog]

Two Steps to a Robust Security Culture

By Kwinton Scarbrough, CISSP

In the midst of the business and technology merge, organizations of all industries have started their journey into the cognitive era of cybersecurity. In this era, it is essential for a business to have an IT security strategy to govern how the organization will protect itself from internal and external cyber threats. However, what commonly fails to align to IT security strategy is the organization’s overall security culture. IT security strategy can only be effective if there is a strong security culture embedded into the very fabric of the company’s operations. Today, I will cover the two core components for building a robust security culture, to maximize the effectiveness of the IT security strategy.

An organization’s security culture is comprised of the mindset and habits of employees, as it relates to IT security. Habits that are intended to prevent and protect against internal and external threats are, unfortunately, not always unified for the greater good of the organization. Many times, different siloed habits are formed within individual business units based on the easiest route to achieve the task at hand (e.g.: using shared accounts, instead of unique individual accounts or using privileged accounts to perform simplistic tasks). Within an organization that lacks a mature IT security strategy, employees are more likely to naturally learn and follow what is perceived to be the path of least resistance to accomplish a task. They then continue to pass these learned, non-compliant, methods on to other employees within that business unit. Eventually, it becomes the mindset of that business unit as the only way to accomplish that task because – as I’m sure you’ve heard before – “ that’s the way we’ve always done it.” Building a strong security culture will encourage employees to question the norm if something doesn’t seem quite right.

Every organization is unique and will have its own security culture. Throughout my consulting experience I’ve come to find the state of the security culture depends on two factors: (1) well defined security policies, processes and procedures; and (2) exceptional communication about the adoption of those security policies, processes and procedures. To have a strong security culture, these two factors must be coordinated and implemented together as one has little to no lasting effect without the other.

Define a Security Policy

A security culture begins with a well-defined and properly enforced security policy. The development and enforcement of a security policy starts at the very top of the leadership pyramid and reflects down to the junior level employee. In defining a security policy, the first step is to understand the business environment and its threat landscape. An organization’s security policy should

  • Define the baseline security requirements
  • Define the requirements that meet or exceed the industry and regulations requirements
  • Align to the risk appetite of the organization

While a well-defined security policy should be clear and strictly enforced, it should not, however, dictate how each business unit must operate to comply with the requirements. Meaning the policy should be separate from the procedures. While the security requirements should be clearly defined, a strong security culture will allow for each individual business unit to determine an optimal method for incorporating these requirements into their own business operations. The ideal security policy should be seamlessly integrated into employee day-to-day thinking and decision making to ensure a secure mode of operations for all business units. The security culture should unify the organization by allowing all business units to work together, while operating in loosely-coupled coordination to provide an optimal level of protection against internal and external threats. For an organization as a whole, the goal is to create centralized policies that can be incorporated into the daily process and procedures for all business units within an organization. An organization with a strong security culture has employees that understand cybersecurity and the importance of making the necessary operation adjustments to comply with defined security requirements.

Communicate and Train Secure Habits

The communication of security requirements and security awareness go hand and hand in building a strong security culture. More communication brings more awareness and with more security awareness, individual employees are more likely to incorporate security into their day-to-day thinking and decision making. As a result, security becomes thoroughly embedded into the mindset and work habits of each employee therefore creating a strong security culture.

However, communicating the security requirement is not as straightforward as defining the security policy. To effectively communicate security policies, the communication tactics should be tailored to the target audience based on analyzed behavior, their current security understanding and preferred communication style. The goal is to effectively communicate, to each business unit, why it is necessary to follow the organization’s security policies. Better communication of the purpose and reasoning for security policies, will help to build a strong security culture through the elimination of decentralized execution of centralized policies. To take security maturity one step further, organization should also provide security awareness training. This training should serve the purpose of eliminating nonconformist habits, by bringing awareness and competence to better, more secure habits.

Conclusion

Clearly defined and communicated centralized security policies will allow an organization to enforce organization-wide security requirements. Each business unit will understand the importance of security, while having the freedom to create and establish optimal operations within well-defined boundaries.

[(ISC)² Blog]

English
Exit mobile version