Improving Metrics in Cyber Resiliency: A Study from CSA

With the growth in cloud computing, businesses rely on the network to access information about operational assets being stored away from the local server. Decoupling information assets from other operational assets could result in poor operational resiliency if the cloud is compromised. Therefore, to keep the operational resiliency unaffected, it is essential to bolster information asset resiliency in the cloud.

To study the resiliency of cloud computing, the CSA formed a research team consisting of members from both private and public sectors within the Incident Management and Forensics Working Group and the Cloud Cyber Incident Sharing Center.

To measure cyber resiliency, the team leveraged a model developed to measure the resiliency of a community after an earthquake. Expanding this model to cybersecurity introduced two new variables that could be used to improve cyber resiliency.

  • Elapsed Time to Identify Failure (ETIF)
  • Elapsed Time to Identify Threat (ETIT)

Measuring these and developing processes to lower the values of ETIF and ETIT can improve the resiliency of an information system.

The study also looked at recent cyberattacks and measured ETIF for each of the attacks. The result showed that the forensic analysis process is not standard across all industries and, as such, the data in the public domain are not comparable. Therefore, to improve cyber resiliency, the team recommends that the calculation and publication of ETIF be transferred to an independent body (such as companies in IDS space) from the companies that experienced cyberattacks. A technical framework and appropriate regulatory framework need to be created to enable the measurement and reporting of ETIF and ETIT.

Download the full study.

Dr. Senthil Arul, Lead Author, Improving Metrics in Cyber Resiliency

[Cloud Security Alliance Blog]

Spending Analysis Reflects Information Security’s Rising Profile

Analyst firm Gartner projects that worldwide spending on IT security products and services will grow 7 percent, year over year, to reach a total of US $86.4 billion in 2017.

Historically, organizations have had a tough time allocating security expense budgets because:

  • The concept of security was vague and unclear
  • There is no methodology to assess the exact requirement and the resultant benefits, thus creating difficulty in establishing a sound business case
  • No regulatory compulsion
  • The evolution of technology, and its associated threats and digital perils, were slower.

In addition, in the absence of established norms on security spending metrics, many organizations adopted a magical figure of 4% of the total IT budget as the acceptable to spend on information.

Later, in line with the changing times, ISACA rightly clarified that security is a business enabler, and any spend on it needs to be monitored as an investment in line with the tenets of IT governance.

Now, with the current technological tsunami and the accelerated business initiatives struggling to keep pace, on top of regulatory pressure, information security – unsurprisingly – has become the number one priority. Gartner analysis further substantiates this by emphasizing the facts and figures through its analysis. The firm’s significant points include:

  • More opportunity for security startups for offering specialist B2B services
  • Growing demand for application security testing
  • Growth in interactive application security testing projected through 2021
  • The fastest-growing segment will be security services, especially IT outsourcing, consulting and implementation services
  • The European Union’s General Data Protection Regulation, which is due to come into force in May 2018, projected to drive 65 percent of data loss prevention buying decisions through 2018
  • A big rise in the bundling of security services and broader IT outsourcing (ITO) projects, with managed security service (MSS), to rise from 20 percent currently to 40 percent by 2020
  • Organizations should be doubling down on “basic security and risk-related hygiene elements,” such as threat-centric vulnerability management, centralized log management, internal network segmentation, backups and system hardening.

All in all, this is a great news for the security profession. However, why should any organization spend millions of dollars on anything without a solid cost justification? Security costs, like any other costs, should be justified, for after all, more funding does not necessarily mean better security.

Investments in security controls do not directly contribute to revenue, but they prevent losses and safeguard reputation. Hence, security professionals should be able to help their organizations by using suitable security ROI metrics to choose the most economical and technically acceptable solution.

This will surely set in motion a strong, win-win relationship between the security profession and business leaders for the coming years, and establish security practitioners as a trustworthy partner to clients worldwide.

Ravikumar Ramachandran, CISA, CISM, CGEIT, CRISC, CISSP-ISSAP, SSCP, CAP, PMP, CIA, CRMA, CFE, FCMA, CFA, CEH, ECSA, CHFI, COBIT-5 Implementer, Certified COBIT Assessor,  ITIL-Expert, Account Security Officer, DXC Technology, India

[ISACA Now Blog]

Privacy Has Had Its Chernobyl Moment

Privacy has had its Chernobyl moment.

Maybe it was when a foreign power stole everything every American had submitted for a clearance form from the Office of Personnel Management. Maybe it was when an insurer lost control of the health records of millions of Americans. Maybe it was when the United Kingdom spilled its child benefit data. Maybe it was when India created a biometric ID system and sort of forgot about controls.

However you want to define a privacy Chernobyl, it, or something like it, has happened.

We exist in a world where our expectation of privacy has been shattered, diminished and demeaned, and yet privacy invasions still outrage us. What we haven’t done is built a cap, and certainly not a sarcophagus that’s designed to protect the radioactive slag for an appropriately long time.

Privacy failures still make the news. Failures on the part of firms who have promised to take it seriously still result in 20-year consent decrees. (Recall that 20 years ago, in 1997, Alta Vista was still the dominant search engine, the Motorola flip phone was dominant amongst those weirdos who bothered with a cellphone, and 56k was pretty good internet connectivity through your phone line. Will word choices that seem agreeable today be sensible after 20 more years of technological acceleration?)

I want to encourage you to use Implementing a Privacy Protection Program: Using COBIT 5 Enablers With the ISACA Privacy Principles as a way for you to realize that personal data is radioactive, and you want to start treating it as such. If you accumulate too much, you risk a meltdown, but even when you have it in small doses, you want to be intentional about it.  You want to know why it’s here, how you’re protecting it, and how to get rid of it when the risk exceeds the reward.

You should be thinking of ISACA’s new privacy protection guidance as an important move forward in your privacy journey. It’s a necessary step, and going through the steps will help you understand if there’s more that you need to do.

Editor’s note: Additional privacy-related guidance can be found in ISACA’s new white paper, Adopting GDPR Using COBIT 5.

About Adam Shostack: Adam is a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board, and helped found the CVE and many other things. He’s currently helping a variety of organizations improve their security, and advising and mentoring startups as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the “Elevation of Privilege” game. Adam is the author of “Threat Modeling: Designing for Security,” and the co-author of “The New School of Information Security.”

Adam Shostack, Consultant and Author

[ISACA Now Blog]

NIST Password Guidance Should Be Well-Received

Many of us are creatures of habit, and changing our ways can be difficult. It is much easier to do so, however, when the new way is more convenient – not to mention more secure – than the old method.

That’s just the case with the new password guidance from NIST, released in June. The guidance calls for longer phrases that are easier to remember, as opposed to use of special characters, blends of uppercase and lowercase letters, and frequent password resets – all hallmarks of NIST’s previous, well-entrenched password guidance.

This move toward improved usability was not done at the cost of sound security. In fact, the creator of NIST’s previous direction on passwords, Bill Burr, acknowledged to The Wall Street Journal that the older guidance was “barking up the wrong tree,” and not based on the caliber of data that he would have preferred. The new password guidance will make for passwords that are actually more difficult to hack.

While NIST’s new guidance figures to be well-received, raising awareness is the short-term challenge.

An ISACA micro-poll, conducted just after NIST’s announcement, showed that the majority of the respondents – audit and security professionals at organizations with more than 5,000 employees – were unaware of the new guidance, and consequently unsure how quickly it could be implemented. While those results are no surprise given how fresh the guidance is, it reinforces that there is much awareness-spreading to be done – including at ISACA. We have a range of opportunities to support NIST’s guidance by updating the training and education materials we offer our professional community, as well as reinforcing the change at ISACA conferences and through our exam procedures.

At the enterprise level, changing password policies is a necessary first step before implementation. Otherwise, enterprises will be implementing password procedures that may contradict existing policies, which could cause headaches when external auditors flag the disconnect.

Emphasizing multifactor authentication is another important piece of the puzzle. The majority of respondents to ISACA’s poll indicated that less than half of their applications require two or multifactor authentication – a practice that should be adopted more widely and is strongly advocated by NIST. Multifactor authentication should be more accessible than ever given the advancement of fingerprint and facial recognition technology. Even when multifactor authentication is in use, NIST’s new password guidance remains relevant, since passwords often are among the factors being used.

We are in the early stages of what will be a major course correction on passwords. NIST’s previous guidance is heavily entrenched, with 95% of respondents to ISACA’s poll indicating their enterprise adheres to practices such as frequently causing passwords to expire and requiring passwords to contain lower and uppercase letters, numbers or special symbols. Users on the other hand, have frequently complained about the difficulty of remembering complex passwords and having to cope with expired passwords. Chances are they will welcome this more user-friendly NIST guidance.

The level of buy-in for the previous NIST password guidance did not happen overnight, and it will not be the case this time, either. But given the opportunity to simultaneously improve security and alleviate password frustrations of the status quo, it only is a matter of time before NIST’s new guidance gains widespread momentum.

Editor’s note: For additional ISACA resources related to NIST’s new password guidance, see our analysis brief and a related PowerPoint deck.

Robert Clyde, CISM, Vice-Chair of ISACA’s Board of Directors, Managing Director of Clyde Consulting LLC

[ISACA Now Blog]

Cybersecurity Workforce Development: Takeaways From a NIST Workshop

I had the opportunity to serve as a panelist at the NIST Workshop on Cybersecurity Workforce Development held in Chicago earlier this month. Based on the day’s conversations, there is still much work to be done.

Representatives from academia, associations, private industry and government converged for discussions on this critical topic, and there remains broad consensus that several steps are critical to make progress on narrowing the cyber skills gap:

  1. A shift to skills-based training. Much of the conversation at the NIST workshop addressed the need for hands-on training that demonstrates real skill. ISACA has committed to helping enterprises, academia and individuals through its skills-based training courses and the CSX Practitioner (CSXP) credential.
  2. Retraining programs to make more progress in the near term. Look to programs like one in the UK, in which people from a number of fields (bartenders, morticians, barbers) were trained in cyber security positions. About half of the trainees now work in cyber security jobs.
  3. Inspiring an interest in tech among K-12 students to help solve the problem in the long term (with solutions on how to reach all schools, including rural schools that may not have the equipment they need to run strong technology programs). Engage mentors from the tech industry to teach courses that teachers may not have the necessary skill sets to teach.
  4. Creating a culture that increases cyber awareness and encourages diversity of those choosing to pursue cyber security professionally.
  5. More public-private partnerships. Too many organizations are operating in silos. Partnerships and strategic investment will make efforts more scalable and effective.

The good news is that discussions are taking place; the not-so-good news is that the required actions are not happening fast enough.

Government, nonprofits and industry need to make significant strategic investments to ensure scalable programs that begin to make a measurable difference in closing the skills gap.

ISACA looks forward to being an enabler of solutions. Over the next year, you’ll see us make significant progress in the following areas:

  1. Helping organizations assess and advance their cyber capabilities
  2. Bringing skills-based training to academic settings
  3. Equipping enterprises with on-demand, constantly updated skills-based cyber security training
  4. Building relationships with government institutions and industry partners to reach a wide audience with our cyber security training and guidance
  5. Building public will to invest in other worthwhile programs

The only solution is to work collaboratively and collectively for impact.

Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA

[ISACA Now Blog]

English
Exit mobile version