ISACA International President: Introducing Cybersecurity Nexus

Today marks one of the most meaningful milestones of my tenure as ISACA international president. Today ISACA introduces Cybersecurity Nexus.

Developed in collaboration with chief information security officers and cybersecurity experts from leading companies around the world, Cybersecurity Nexus—CSX—fills an unmet need for a single, central location where security professionals and their enterprises can find cybersecurity research, guidance, certificates and certifications, education, mentoring and community.

This is a groundbreaking program. This is a critical time.

Several universities have good cybersecurity programs in place, but even these are not enough. With every employee and endpoint at risk of being exploited by cybercriminals, security is everyone’s business. At the root of ISACA’s new, comprehensive CSX program is the knowledge that there is a great need to make cybersecurity education and ongoing training as accessible as possible to the next generation of defenders and those already in the field.

Student interest in cybersecurity careers is strong. A recent global poll of ISACA student members found that 88 percent plan to work in a position that requires some level of cybersecurity knowledge. However, fewer than half say they will have the adequate skills and knowledge they need to do the job when they graduate. CSX aims to help address this imbalance.

CSX marks the first time in ISACA’s 45-year history that the association will offer a security-related certificate. The association’sfour certifications—including the Certified Information Security Manager (CISM) credential—require both an exam and proof of work experience. The Cybersecurity Fundamentals Certificate is different. It is ideal for recent university graduates and IT professionals seeking to change fields because it requires applicants to pass a knowledge-based exam that provides objective proof of subject mastery to potential employers. This certificate will empower young professionals while providing assurance to employers that they are hiring knowledgeable individuals.

In addition to the Cybersecurity Fundamentals Certificate, CSX includes career-development resources, frameworks, community and research guidance such as Responding to Targeted Cyberattacks and Transforming Cybersecurity Using COBIT 5. There is guidance for cybersecurity professionals at all stages of their careers.

And there are exciting offerings in the near future, including a mentoring program, a practitioner-level cybersecurity certification, SCADA guidance, training courses, implementation guidance related to the US Cybersecurity Framework developed by NIST and the EU Cybersecurity Strategy, and teaching materials for professors.

This is a comprehensive program and I am excited to be involved with it. I invite you to explore the many facets of CSX, consider ways that you can take advantage of offerings within, view related news and graphics, and share your thoughts with me in this space.

Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute

[Source: ISACA]

Information Security as a Business Enabler

The business landscape has changed beyond recognition since I started working, way back in 1969. Every business is now reliant on IT systems and the Internet in order to function. (Just see what happens if your email systems are unavailable for an hour!) New technologies and working practices are introduced at a prodigious rate, as globalisation and consumerisation drive transformation and innovation.

As a result of our dependence on IT systems and connectivity, information and cybersecurity are being pushed up the corporate agenda. This is a good thing. However, information security and its practitioners are still seen as risk-averse business inhibitors who stifle innovation, limit agility and slow efficiency with their strict controls and policies.

Meanwhile, information security teams grapple with the challenges of securing increasingly complex and ever-changing threat landscapes, while attempting to secure increasingly diverse and poorly-understood sets of technologies.

With heightened attention at the board-level, information security professionals have an opportunity to reimagine information security as an enabling function, supporting and adding value to the business as it transforms and innovates. The challenge for many security people is that their passion and enthusiasm can be difficult to communicate to the senior level. We are asked to present arguments in a language business leaders can understand—to remove technobabble from our presentations. Oftentimes we struggle to properly express our concerns and we fail to engage these audiences.

Our information security functions must evolve to become business-led. We must bring business knowledge to security teams and educate security practitioners about the implications of threats. The perception of risk within information security must be changed. Information security must get management/stakeholder buy-in and become fundamental to enterprises, rather than a mere compliance issue. And the language used in this process must improve to ensure effective communication of risk intelligence without instilling fear, uncertainty and doubt.

My keynote panel session at next week’s Infosecurity Europe will explore how information security practitioners can position security as an enabling function and truly support the business. We will consider:

  • How to integrate security into agile business practices
  • New strategies to enable security teams to understand enterprise objectives and speak the language of business
  • How security can help the business collaborate internally, with suppliers and with customers
  • How the security function can inform and contribute to business decision-making
  • What skills are required for an effective security professional and what this all means for the role of the CISO

Peter Wood
Chief executive officer, First Base Technologies, LLP
Member—ISACA London Chapter Security Advisory Group

[Source: ISACA]

More Than A Half-Million Servers Exposed To Heartbleed Flaw

What the newly exposed SSL/TLS threat really means for enterprises and end-users.

The newly exposed Heartbleed bug plaguing some 17 percent of SSL-secured websites as well as various VPN products has caused a massive case of Internet heartburn over the past 48 hours as companies rushed to confirm their exposure and lock down their SSL/TLS software. But just how bad is it?

Errata Security CEO Robert Graham scanned the Net for machines vulnerable to the implementation flaw in the so-called Heartbeat function of TLS, and discovered some 600,000 affected out of 28 million SSL machines. He estimates that some one-third of SSL machines had been patched with the update to the buggy OpenSSL library. Netcraft, meanwhile, says the buggy Heartbeat extension is enabled on 17.5 percent of SSL sites, which include close to a half-million digital certificates at risk of theft and spoofing from the attack.

Heartbleed may be one of the biggest Internet security events since security expert Dan Kaminsky found and helped coordinate a fix for the massive Domain Name Service (DNS) caching vulnerability in 2008. Bruce Schneiergives Heartbleed an 11 rating on an ascending scale of 1 to 10, and security companies and experts are issuing warnings of the severity of the bug. The flaw, a two-year old implementation bug in the open-source OpenSSL, has been fixed with the new OpenSSL 1.0.1g, but experts say to assume it’s already been abused by nation-states or cyber criminals given the two years it wasn’t publicly known.

Fixing Heartbleed isn’t cheap. The estimated cost to remedy the flaw is hundreds or thousands of dollars per server or application, according to Tatu Ylonen, inventor of the SSH protocol and CEO and founder of SSH Communications Security. That adds up to more than a billion dollars in overall labor and certificate renewal costs worldwide, Ylonen says.

The bug, in Versions 1.0.1 and 1.0.2 beta, leaks the contents of the memory from the server to the client and vice versa, potentially exposing passwords and other sensitive data and the SSL server’s private key. While there have been reports of Yahoo passwords exposed by the bug and massive nefarious scanning for the flaw on the Net and signs of attacks since Heartbleed was revealed late Monday, there’s still debate over just how easily exploitable the bug really is.

“Certainly, nation-states will have the best capability to quickly weaponize this vulnerability for large-scale exploitation,” Schneier says.

Carrying out an attack using this flaw is not for script kiddies, experts say.  It would take a nation-state or organized crime organization. “There are not enough skilled attackers with non-attributable networks to safely carry out large-scale collection efforts using this vulnerability,” says security expert Ralph Logan, CEO of Kiku Software, a large data analytics software firm. For example, “In order to collect mail.yahoo.com uid:pass pairs using this vulnerability, you would need a giant non-attributable network larger than TOR, but TOR won’t work in this case because we all know that it’s attributable.

“Joe Hacker/single actor in the .ru still has to have a non-attributable network to infiltrate and exfiltrate large amounts of data across the web.”

But the bad news now that the cat’s out of the bag is that proofs-of-concept are out — and some attacks are under way. Jaime Blasco, director of AlienVault Labs, says his firm has spotted scans for the flaw as well as brute-force attack attempts on some of its customers. “We have seen active attacks” in the past 48 hours, Blasco says.

Mozilla’s former director of security assurance Michael Coates, now director of product security for Shape Security and chairman of OWASP, points out that the attacker must have access to network devices “along the communication” path of a user and a website. “In order to decrypt data exchanged between a user and a website, the attacker must have access to network devices along the communication path. This attack could most easily be launched by state actors, intelligence agencies, or criminal enterprises operating with collusion from network operators,” Coates said today in a blog post.

An individual attacker could also target users on a shared WiFi hotspot with Heartbleed, he says.

As for concerns about attackers stealing a website’s digital certificate via a Heartbleed attack, Errata’s Graham contends that panic over private keys leaking is somewhat overblown. “In most [packaged] software, this cannot happen. That’s because memory containing the private key is never freed, and hence allocated heartbleed buffers can never contain it,” Graham said in a blog post today:

The upshot is this. What you can eavesdrop on with heartbleed hacks is dynamic stuff, stuff that was allocated only moments ago. What you probably can’t get is static information. Certainly, you can’t get any static information that hasn’t been freed, and you probably can’t get static information that was freed long ago, such as program startup. It’s a great way to steal passwords from recent logins, but it’s unlikely to give private keys. Certainly, there is some poorly written software that when it validates the SSL connection, copies the private key into a buffer, uses it, then frees the buffer. Thus, there certainly exists some software that reliably leaks the private key, it’s just that on most software it’s not possible.

Intranet Heartbleed
Not all SSL servers are public Internet-facing, of course: Also at risk are internal intranet SSL servers that run internal corporate applications. And VPN software such as the open-source OpenVPN software was exposed but has since been patched.

“You need to change all certificates and keys,” says Kevin Bocek, vice president, security strategy and threat intelligence, at Venafi. “What’s inside the firewall is a lot more” lucrative to an attacker, he says.

“If I’m an advanced attacker, this is just a heyday. Now I can easily punch a server. I can get the keys and certs that allow me to [move] internally, which before would have taken a lot more effort. [Heartbleed] is also an internal concern.”

Enterprises should confirm whether their servers and VPN products are vulnerable if they have not done so already, and if they are, update them and obtain new digital certificates to be safe. Once they’ve cleaned that up, then they should institute end-user password changes, experts say.

End users should change their passwords on websites that were vulnerable, but not until after they’ve been patched. “This particular vulnerability still exists in many locations, so changing your password may just mean that the new password is vulnerable,” says Matt Willems, an engineer for LogRhythm Labs. “The best advice is to follow normal best-practices for online identity information. Change your passwords regularly, and if an online service says your information may be at risk, follow their directions.”

Meanwhile, SANS Internet Storm Center is tracking software vendors that have updated their products here. And several free online scanning tools are available for testing SSL servers for the flaw, such as this and this.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, CommunicationsWeek, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at The College of William & Mary. Follow her on Twitter @kjhiggins.

[Source: DarkReading]

Heartbleed and the Internet of Things implications

Chances are good you have already seen news about the OpenSSL Heartbleed vulnerability (i.e., CVE-2014-0160). It’s a pretty significant bug, particularly since it impacts popular open-source web servers such as Apache (the most popular web server) and Nginx. This means that a combined population of up to 66 percent of the Internet is potentially impacted (based on data from Netcraft).

One significant area that has been covered less in the industry press is the impact this issue could have outside of the population of vulnerable web servers. Now clearly, the impact to web servers is a big deal. But consider for a moment what else might be impacted by this. Here’s a hint: it’s Internet of Things Day today. In other words, consider the impact on embedded systems and “special purpose” systems (like biomed or ICS).

OpenSSL has a very developer-friendly license, requiring only attribution for it to be linked against, copied/pasted or otherwise incorporated into a derivative software product. It is also free. This makes it compelling for developers to incorporate it into anything they’re building that requires SSL functionality: everything from toasters to ICS systems, medical equipment, smoke detectors, remote cameras, consumer-oriented cable routers and wireless access points. It’s literally the path of least resistance as a supporting library/toolkit when developing new software that requires SSL.

We’ve seen an analogue of this in the past. Remember the fallout from the string of ASN1 parsing vulnerabilities a few years ago (e.g., CVE-2003-0543 and CVE-2003-0544)?  Take a look at the long list of products and vendors affected by that bug in the link above. The underlying reason for the wide reach of that problem is that the code for ASN1 parsing was reused and recycled so extensively in other products. Because ASN1 parsing is hard to do, finding code that does it already and incorporating it into derivate software is a huge timesaver. Likewise, SSL functionality is complicated to write—it is advantageous to incorporate something that is already written (like OpenSSL), particularly when doing so doesn’t incur additional cost to you or lock you in to a particular operating system platform, such as with OS-specific proprietary libraries.

From a practical standpoint, there are a few ramifications to this. While a webserver can be upgraded (relatively) easily to use the fixed OpenSSL code, an embedded system is quite a bit more challenging to upgrade. Upgrading a biomedical system, for example, without careful coordination with the vendor who supplies it can (quite literally) have a life and safety impact to patients. Upgrading an ICS system, likewise, requires careful coordination and specialized testing.

Given these facts (and not to be hyperbolic about it), recovering from this issue could literally take years.

So what can organizations do about it? Patching webservers is obviously a good idea. Folks who run websites might also wish to consider getting a new certificate since it’s possible private key data might have been exposed. Everyday users might consider changing their passwords since they could have been exposed.

For the longer-term issue that could be lurking in embedded devices or specialized systems? That’s a thornier issue. One thing that could be helpful is encouraging vendors of those systems to confirm explicitly (and in writing) that they are not vulnerable to this if they provide SSL functionality (or to provide instructions on remediation if they are). By doing this, organizations with a population of these devices can get an assurance that someone at the vendor has at least evaluated the issue and how it might impact production deployments.

Ed Moyle
Director of Emerging Business and Technology, ISACA

[Source: ISACA]

Can government’s cyber defense withstand a market-driven offense?

Cybersecurity more and more resembles nothing less than old-fashioned warcraft, with both sides confident in the weaponry they have and in their ability to either penetrate or defend borders. As the threat of cyberconflicts ratchets up, the two modes of warfare seem at times to be getting chillingly similar.

The latest expression of confidence came from Defense Secretary Chuck Hagel, who on March 28 spoke to an audience at the National Security Agency headquarters to mark the retirement of Gen. Keith Alexander, the head of both the NSA and the U.S. Cyber Command.

The Pentagon is well on its way to building a modern cyberforce, he said, which will be 6,000 strong by 2016.

The force will improve the U.S. ability to “deter aggression in cyberspace, deny adversaries their objectives,” and defend the country from cyberattacks. At the same time, however, he pointed out the “proliferation of destructive malware” that is being used to constantly, and aggressively, probe and disrupt networks.

More confidence shone through in a recent report that surveyed IT and security professionals in both the military and civilian agencies. Nearly all of them, some 94 percent, rated their own agency’s cybersecurity readiness as either good or excellent, saying they feel they have the right tools, processes and policies in place.

(Well, OK the survey also found 9 percent of the respondents were unsure if there even were cyberthreats that affected their agency).

Perhaps of most interest, though, was what kinds of threats they considered the most serious. Insider threats, which until relatively recently were seen as the greatest, have fallen behind those from “external hacking,” even in the age of Wikileaks and Edward Snowden.

In fact, of the six top threats, insiders come in fifth, behind external hacking, malware, social engineering and SPAM, and just ahead of distributed denial of service.

Where do the bad guys come out in all of this? It’s no secret they’ve become much more sophisticated in their ability to get on the inside of networks, but a report from the RAND Corp., Markets for Cybercrime Tools and Stolen Data, shows also just how professionalized and extensive their ability has become.

The black and gray markets for hacking tools and services, and for the ill-gotten gains they produce, are expanding and growing in complexity, the RAND report said. What was once a varied landscape of discrete, ad hoc networks of individuals motivated by little more than ego and notoriety, it said, “has emerged as a playground of financially driven, highly organized, and sophisticated groups.”

Adding to the complexity for government defenders are the rapidly emerging and highly secretive markets for zero-day vulnerabilities, RAND said, which are available in both licit and illicit markets.

The potential impact of these market-driven tools was seen in the 2013 attack on Target stores, which were confirmed earlier this year. The malware used for that was a tailored version of the “BlackPOS” malware, which according to writer Brian Krebs was available on the black market for the low, low price of $1,800 to $2,300.

Of course, Target seems to have screwed up in so many ways in its own security. A reportfrom the Senate Committee on Commerce, Science and Transportation lays it  out in excruciating detail.

Nevertheless, it all makes a point. The business of creating malware and other tools to attack US networks and infrastructure now really is a business, with all of the profit-based energy and innovation that brings with it. Add the even more focused abilities of nation states, and the threat industry is vibrant.

Hagel and others are confident that government has the ability to withstand it. Are they right?

[Source: GCN]

English
Exit mobile version