Guideline on Effectively Managing Security Service in the Cloud

The cloud computing market is growing ever so rapidly. Affordable, efficient, and scalable, cloud computing remains the best solution for most businesses, and it is heartening to see the number of customers deploying cloud services continue to grow.

From the beginning of cloud’s existence, cloud service security has been among the top concerns of deployment. To address this, various organizations have invested heavily in cloud service security standards and in the development and enforcement of best practices. Thanks to the efforts of cloud service providers (CSPs), cloud service security has reached an acceptable level. From the cloud customers’ perspective, however, best practices on how to secure their own cloud services are still somewhat lacking. Such guidelines can be especially helpful for small and medium enterprises (SMEs) that constantly face shortages of professional security manpower. With this in mind, the Cloud Security Services Management (CSSM) Working Group developed the “Guideline on Effectively Managing Security Service in the Cloud,” which applies to the various cloud deployment models, from private, public, and hybrid to community cloud.

The shared security responsibility model is no stranger to the cloud security community. Every leading CSP has published whitepapers or statements on shared security responsibility, explaining their roles and responsibilities in cloud provisioning. In other words, there are certain security responsibilities that are left to the cloud customers and are written down in cloud service agreements. The complexity is that in reality, given the same concept of shared responsibility, there are different interpretations and implementations among different CSPs. In many cases, it is challenging for cloud customers to clearly understand and bear their responsibilities in practice.

Cloud service security: A how-to

The Guideline provides easy-to-understand guidance to cloud customers on how to design, deploy, and operate a secure cloud service under the different cloud service models, namely IaaS, PaaS, and SaaS, helping them ensure the secure running of their service systems. With a distinct separation of responsibilities, cloud customers can clearly understand their own security responsibilities and those of the CSP, which security assurance features should be provided to meet these responsibilities, where the gaps are, and how to develop the capabilities needed to close them.

Additionally, the Guideline provides guidance for CSPs in building cloud platform security assurance systems which can also be used by cloud service security integrators.

Third-party security service providers also play an important role in securing cloud services. Although, under the shared security responsibility model, they carry no responsibilities in the cloud themselves, these providers can use the Guideline to better fit their services to CSPs and/or cloud customers.

The CSSM WG hopes that this effort allows for better understanding of cloud security responsibilities from both customers and CSPs, and through this create a more immaculate cloud security ecosystem.

Download the Guideline on Effectively Managing Security Service in the Cloud now.

Dr. Kai Chen, Director of Cybersecurity Technology, Huawei Technologies Co. Ltd.

Source: https://blog.cloudsecurityalliance.org/2018/10/16/guideline-managing-cloud-security-service/

[Cloud Security Alliance Blog]

CCSK in the Wild: Survey of 2018 Certificate Holders

Even as more organizations migrate to the cloud, there’s still a concern as to how well those cloud services are being secured. According to an article by Forbes “66% of IT professionals say security is their greatest concern in adopting a cloud computing strategy.”

As you embark on your quest to fill this skills gap, you may benefit from learning how other professionals have used certificates to expand and validate their cloud knowledge. In this blog we are going to explore how Certificate of Cloud Security Knowledge (CCSK) is being used in the wild. As the first step into this exploration we surveyed current holders to ask them how their certificate impacted their job, career and overall professional development. A summary of findings from the survey, job board postings and testimonials is shared below.

Topics we’ll discuss in this blog:

  • Survey Findings
  • CCSK in Job Postings
  • Overview of Testimonials

Survey Findings

Of the individuals who had successfully passed the exam, over 40 percent reported that the CCSK helped directly progress their career, either via a salary increase, a promotion, or a new job/role.

In some cases CCSK holders were given new responsibilities and moved from a more generic security role into a cloud-focused position. Specialization is key, whether it be through a certification or another learning program. Mike Rosa, Sr. Director Public Sector Security at Salesforce, affirmed this, saying, “The CCSK sets me apart as an expert in Cloud Security, not a security generalist. The world is moving to cloud, and my resume should reflect this change.”

Another common way the certificate helped was building credibility with clients, and helping individuals work within more specialized roles. Since it offered proof of knowledge and established trust, respondents reported being able to better serve their clients’ needs.

One of the more tangible benefits of a certificate is the possibility of a salary increase. Taking a look at those who reported a salary increase, we saw that 15.61 percent saw an increase between 8 percent to 10 percent. Below you can see the distribution of individuals who received an increase in salary of some kind.

Types of Jobs

What types of jobs do CCSK holders have? We found that 22 percent of the people who received a promotion were promoted into a managerial, VP/Director, or Executive role. Titles varied, but the graphic below lists the top keywords found in respondents’ job titles.

Complementary Certifications

What types of complementary certificates did they hold or pursue? Of the people who took our survey, 52.46 percent also have their CISSP. Certificates and certifications focus on a select area of knowledge, and earning complementary certificates can be valuable. Below are some of the other certifications commonly held.

The flipside of this question also yielded interesting results. When asked which other certifications people intend to pursue, we received mixed results. The percentage interested in earning their CCSP was over 30 percent, compared to the 15 percent who already held their CCSP when they took the exam.

As you may already be aware, one year of experience for the CCSP is covered by earning your CCSK, since the two certificates complement each other. Whereas the CCSK is more tactical, the CCSP has more of a strategic focus. You’re free to draw your own conclusions, but if you’re interested in learning more about the differences between the two, you can read CCSK vs CCSP: An Unbiased Comparison.

Job Board Searches

A question we often get is whether or not employers are looking for the CCSK and how frequently it shows up on job boards. HPE recently conducted a search of job postings listing cloud certifications as a credential. They searched for the CCSS, CCSP, PCSM and several other cloud certifications on the market. Below is a summary of the results they gleaned for the CCSK.

February 2018 Job Search

Certificate   SimplyHired   Indeed   LinkedIn   LinkUp   Total
CCSK                  180      224        145      132     681

These results vary depending on location and time of year; however, they give a good estimate of what to expect. In an informal search during October, we found the following results for the United States.

October 2018 Job Search

Certificate   SimplyHired   Indeed   LinkedIn   LinkUp   Total
CCSK                   89      321        231      258     899

The number of postings went up, but the actual number of listings varies throughout the year. As with all things, it is best to do your own research before determining whether the CCSK is right for you. Job titles listed included: Network Security Engineer, Security Consultant, Information Security Cloud Governance Engineer, Cloud Security Architect and Sr. Security Engineer, to name a few.

Overview of Testimonials

Last but not least, we collected written feedback on how earning the cloud certificate specifically helped in people’s jobs or careers. To make it easier to follow, we grouped the responses into the following categories.

Survey Testimonials Revealed

  • How their career progressed
  • How CCSK helped build credibility with clients
  • What makes the CCSK unique from other certificates.
  • How it helped them on the job
  • Benefits of a vendor-neutral certificate

In following blog posts we will explore some of these topics in more depth. For now, we’ve listed snippets from the testimonials we received to give you an idea of what people said.

How has the CCSK helped progress your career?

Whether or not you opt for a cloud certification, there are plenty of ways to learn more about cloud security. A couple of free resources that CSA makes available for you include: CloudBytes webinars, research artifacts and the CCSK Prep-Kit.

Interested in going deeper? Learn how to earn your Certificate in Cloud Security Knowledge by visiting our website.

[Cloud Security Alliance Blog]

Shedding Light on the Dark Web

The Dark Web is the part of the internet that is inaccessible by conventional search engines and requires special anonymizing software to access.

In colloquial terms, these are the darkest corners of the internet, where a wide span of nefarious activity takes place, as highlighted in the graphic below.

The Dark Web raises many questions, even among security professionals. Here are some answers to some of the questions that surface most frequently:

How can I check to see if my information has been stolen?

You can check to see if your email address has been compromised by using https://haveibeenpwned.com. If your information is present there, it is likely available on the Dark Web as well.

What are some examples of Dark Web, or The Onion Router (TOR), sites?

The Dark Web features marketplaces, forums, search engines, paste sites, social media sites, and chat rooms.

What actors use the Dark Web?

Six categories of threat actors exist on the Dark Web:

  1. Nation-states that utilize Advanced Persistent Threat (APT) tactics use the Dark Web for reconnaissance and espionage purposes.
  2. Cybercriminals often use marketplaces in order to achieve monetary benefit.
  3. Hacktivists attempt to establish a social or political cause across all different types of platforms.
  4. Terrorists seek to spread propaganda and recruitment.
  5. Insiders are motivated by a variety of factors, but oftentimes leak sensitive data onto the Dark Web for reprisal against their employer or for financial gain.
  6. Lastly, there are curious threat intelligence analysts who want to learn more from the Dark Web, assist in bug bounty programs, or enhance their technical skillsets.

What are some case studies of Dark Web sites?

Various data is stolen and sold on the Dark Web. Below are just a few examples:

  • Financial information: Credit and debit cards are sold across many forums and marketplaces. Stolen cards come from all countries and data breaches. Oftentimes, they are sold for as little as $1. Tax data, including W-2 forms, are also popularly sold on the Dark Web. Please see the image below of the popular “carding” forum, Joker’s Stash.
  • Personal Information: Everything from names, addresses, Social Security Numbers (SSN), dates of birth, and even an associated Starbucks account, is sold on the Dark Web. When this information is compiled together and sold in a transaction, these data dumps are called “fullz” because they contain all of a person’s identifiable information.
  • Health records: Although health records are harder to find, they are becoming more available by the day. This is a growing concern and a vulnerability for the future.
  • Miscellaneous: Drugs are everywhere on the Dark Web – you can purchase virtually any prohibited item imaginable. Moreover, you can purchase or simply download information that can be damaging to an individual – such as stolen information from the extramarital dating website Ashley Madison. You can also purchase a hacker or exploit to carry out an attack against an organization of your choosing. The possibilities are limitless.

Anything else you would like to add about the Dark Web?

I want to note that the underground criminal community has expanded to encompass anything you can imagine – goods, hitmen, even “hacker clothes.” Most of the websites have an Amazon-type feel to them, in which buyers provide seller feedback and note the authenticity of the stolen goods/services/information. The majority of transactions are handled in cryptocurrency (usually bitcoin), mail forwards, and electronic gift cards. I don’t encourage anyone to do their Christmas shopping here, though.

About the author: Wanda Archy is a cyber threat intelligence specialist focused on Dark Web investigations. Currently, Wanda is a Supervisor in RSM’s Security, Privacy, and Risk services. She received her Master’s degree in Security Studies and Bachelor’s degree in Science, Technology, and International Affairs from Georgetown University. Wanda has her CISSP, CEH, and Security+ certifications, and speaks Russian.

[ISACA Now Blog]

CVE and Cloud Services, Part 2: Impacts on Cloud Vulnerability and Risk Management

This is the second post in a series, where we’ll discuss cloud service vulnerability and risk management trends in relation to the Common Vulnerability and Exposures (CVE) system. In the first blog post, we wrote about the Inclusion Rule 3 (INC3) and how it affects the counting of cloud service vulnerabilities. Here, we will delve deeper into how the exclusion of cloud service vulnerabilities impacts enterprise vulnerability and risk management.


Traditional vulnerability and risk management

CVE identifiers are the linchpin of traditional vulnerability management processes. Besides being an identifier for vulnerabilities, the CVE system allows different services and business processes to interoperate, making enterprise IT environments more secure. For example, a network vulnerability scanner can identify whether a vulnerability (e.g. CVE-2018-1234) is present in a deployed system by querying said system.

The queries can be conducted in many ways, such as via a banner grab, querying the system for what software is installed, or even via proof of concept exploits that have been de-weaponized. Such queries confirm the existence of the vulnerability, after which risk management and vulnerability remediation can take place.

Once the existence of the vulnerability is confirmed, enterprises must conduct risk management activities. Enterprises might first prioritize vulnerability remediation according to the criticality of the vulnerabilities. The Common Vulnerability Scoring System (CVSS) is one basis on which vulnerabilities are triaged. The system gives each vulnerability a score according to how critical it is, and from there enterprises can prioritize and remediate the more critical ones. Like other vulnerability information, CVSS scores are normally associated with CVE IDs.

Next, mitigating actions can be taken to remediate the vulnerabilities. This could mean implementing patches or workarounds, or applying security controls. How the organization chooses to address the vulnerability is an exercise in risk management: it has to carefully balance its resources against its risk appetite. Generally, organizations choose risk avoidance/rejection, risk acceptance, or risk mitigation.

Risk avoidance and rejection is fairly straightforward. Here, the organization doesn’t want to mitigate the vulnerability; based on the information available, it determines that the risk the vulnerability poses is above its risk threshold, and it stops using the vulnerable software.

Risk acceptance refers to when the organization, based on information available, determines that the risk posed is below their risk threshold and decides to accept the risk.

Lastly, in risk mitigation, the organization chooses to take mitigating actions and implement security controls that will reduce the risk. In traditional environments, such mitigating actions are possible because the organization generally owns and controls the infrastructure that provisions the IT service. For example, to mitigate a vulnerability, organizations are able to implement firewalls, intrusion detection systems, conduct system hardening activities, deactivate a service, change the configuration of a service, and many other options.

Thus, in traditional IT environments, organizations are able to take many mitigating actions because they own and control the stack. Furthermore, organizations have access to vulnerability information with which to make informed risk management decisions.

Cloud service customer challenges

Compared to traditional IT environments, the situation is markedly different for external cloud environments. The differences all stem from organizations not owning and controlling the infrastructure that provisions the cloud service, as well as not having access to vulnerability data of cloud native services.

Enterprise users don’t have ready access to cloud native vulnerability data because there is no official way to associate such data with cloud native vulnerabilities, as CVE IDs are not generally assigned to them. Consequently, it’s difficult for enterprises to make an informed, risk-based decision regarding a vulnerable cloud service. For example, when should an enterprise customer reject the risk and stop using the service, or accept the risk and continue using the service?

Furthermore, even if CVE IDs are assigned to cloud native vulnerabilities, the differences between traditional and cloud environments are so vast that the vulnerability data normally associated with a CVE in a traditional environment is inadequate when dealing with cloud service vulnerabilities. For example, in a traditional IT environment, CVEs are linked to a software version. An enterprise customer can verify that a vulnerable version of the software is running by checking the installed version. In cloud services, the versioning of the software (if there is one!) is usually known only to the cloud service provider and is not made public. Additionally, the enterprise user is unable to apply security controls or other mitigations to address the risk of a vulnerability.
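The contrast the post draws between the traditional scanner workflow (banner grab, version check against a CVE, CVSS-based triage, then avoid/accept/mitigate) and a cloud service whose version is never published can be made concrete in code. The following Python script is an added example, not part of the original post or of any CSA tool. All assets, banners and advisories are constructed: CVE-2018-1234 is the identifier the post itself uses as an illustration, the other CVE strings are obvious placeholders, and the product names and the 4.0 acceptance threshold are assumptions for the demo.

```python
"""Version-based CVE matching and CVSS triage, with the cloud-service case
where no version is observable. Constructed data throughout."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    product: str
    fixed_in: Optional[str]  # versions below this are affected; None when the
                             # provider publishes no version at all (cloud service)
    cvss: float


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: Optional[str]   # None when the version cannot be observed


# Matches a banner such as "Server: exampled/2.4.1" (constructed format).
BANNER_RE = re.compile(r"^Server:\s*([A-Za-z0-9_-]+)/(\d+(?:\.\d+)*)\s*$")


def asset_from_banner(name: str, banner: str) -> Asset:
    """Build an Asset from a banner-grab line; a banner with no version
    yields version=None, which is the cloud-service situation."""
    m = BANNER_RE.match(banner.strip())
    if m:
        return Asset(name, m.group(1), m.group(2))
    product = banner.split(":", 1)[1].strip().split("/")[0] if ":" in banner else banner.strip()
    return Asset(name, product, None)


def parse_version(v: str) -> tuple:
    # Dotted numeric versions compare correctly as integer tuples (1.10 > 1.9).
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> Optional[bool]:
    """True/False when the version comparison can be made; None when it
    cannot (no observable version, or the advisory names no fixed version)."""
    if asset.product != adv.product:
        return False
    if asset.version is None or adv.fixed_in is None:
        return None
    return parse_version(asset.version) < parse_version(adv.fixed_in)


def triage(assets: List[Asset], advisories: List[Advisory], accept_below: float = 4.0) -> List[dict]:
    """Map each confirmed or undeterminable finding to a risk decision:
    'mitigate' at or above the CVSS threshold, 'accept' below it, and
    'undetermined' when the version check is impossible (the customer can
    only avoid or accept on trust). Sorted by CVSS, highest first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            hit = is_affected(asset, adv)
            if hit is False:
                continue
            if hit is None:
                decision = "undetermined"
            elif adv.cvss >= accept_below:
                decision = "mitigate"
            else:
                decision = "accept"
            findings.append({"asset": asset.name, "cve": adv.cve_id,
                             "cvss": adv.cvss, "decision": decision})
    findings.sort(key=lambda f: -f["cvss"])
    return findings


def run_demo() -> List[dict]:
    # Constructed banner-grab results; "saas-crm" is a cloud service that
    # exposes no version string.
    assets = [
        asset_from_banner("web-01", "Server: exampled/2.4.1"),
        asset_from_banner("web-02", "Server: exampled/2.6.0"),
        asset_from_banner("web-03", "Server: exampled/2.3.0"),
        asset_from_banner("saas-crm", "Server: cloud-crm"),
    ]
    # Constructed advisories; only CVE-2018-1234 appears in the post, as an example.
    advisories = [
        Advisory("CVE-2018-1234", "exampled", "2.5.0", 7.5),
        Advisory("CVE-PLACEHOLDER-A", "exampled", "2.4.0", 3.1),
        Advisory("CVE-PLACEHOLDER-B", "cloud-crm", None, 8.8),  # no version to check
    ]
    return triage(assets, advisories)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['asset']:10} {f['cve']:20} CVSS {f['cvss']:<4} -> {f['decision']}")
```

The on-premises hosts resolve to a definite decision because the scanner can read a version and compare it with the advisory's fixed version; the cloud entry carries the highest score yet comes back as "undetermined", which is exactly the gap the post describes: without a published version there is nothing for the customer to verify, and no control they can apply themselves.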

This is not saying that CVEs and the associated vulnerability data are useless for cloud services. Instead, we should consider including vulnerability data that is useful in the context of a cloud service. In particular, cloud service vulnerability data should help enterprise cloud customers make the important risk-based decision of when to continue or stop using the service.

Thus, just as enterprise customers must trust cloud service providers with their sensitive data, they must also trust, blindly, that the cloud service providers are properly remediating the vulnerabilities in their environment in a timely manner.

The CVE gap

With the increasing global adoption and proliferation of cloud services, the exclusion of service vulnerabilities from the CVE system and the impacts of said exclusion have left a growing gap that the cloud services industry should address. This gap not only impacts enterprise vulnerability and risk management but also other key stakeholders in the cloud services industry.

In the next post, we’ll explore how other key stakeholders are affected by the shortcomings of cloud service vulnerability management.

Please let us know what you think about the INC3’s impacts on cloud service vulnerability and risk management in the comment section below, or you can also email us.

Victor Chin, Research Analyst, Cloud Security Alliance, and Kurt Seifried, Director of IT, Cloud Security Alliance

[Cloud Security Alliance Blog]

New Strategic Vision Needed to Thrive As a Digital Enterprise

Stakes are increasing when it comes to leveraging technology to define and deliver new value. The CEO and the executive team leaders are reeling with the challenges of identifying and implementing new digital business models while also wrestling with making smart capital investments to develop and mature organizational capabilities that enable agility and rapid response to new market opportunities. At the same time, board directors are in a quandary, attempting to make sense of the digital landscape, and to obtain assurance that their CEO and executive team leaders are enabling the right culture, acquiring and nurturing the right talent, validating that the technology investments are prudent and reasonable, and effectively capitalizing on business opportunities while mitigating security concerns that pose significant risks to the company’s financial position and reputation.

Many refer to this point in time as the era of “digital disruption” or “digital transformation.” For me, these phrases seem somewhat of a misnomer. Taking a more macro and holistic look at this period, and reflecting on past history as a means to understand where we are and where we are headed, perhaps what we’re really witnessing is a revival of classic laissez faire economics. Market forces are being reshaped by technology in ways never previously imaginable. The pace of technology-driven innovation is far exceeding the ability of government and regulatory entities to put corresponding consumer protections in place, even as organizations struggle to recalibrate their information and technology governance and security to adjust to business opportunities appearing and vanishing in much shorter cycles. What’s really at stake today is the longer-term survivability of enterprises as we know them, coupled with the coming of inconceivable shifts in jobs and how people will work. And we find ourselves merely at the tip of the digital economy iceberg.

Dr. Peter Weill, director of MIT’s Center for Information Systems Research in Cambridge, Mass., says that, “in a digital economy, the whole company is responsible for generating value from digital investments.” To address this challenge, his research identified three key components on which enterprises must focus. First, there is the strategic, which is envisioning how the company will operate in the future. Second, there is oversight, which is making sure the major investments and organizational change is on track. Third, and of critical importance, is the defensive, which is effectively meeting the challenges of security, privacy, and compliance on an ongoing basis.

Key to meeting the aforementioned challenges? People, of course. No wonder that in Gartner’s recently released list of barriers to becoming a successful digital business, talent emerges as among the most significant. Not surprisingly, many organizations still follow the same hiring protocols they did 10 years ago. While arguably some criteria for new hires haven’t changed, such as having a strong work ethic, a knack for problem-solving, good time management skills, and a thirst for continuous learning, there needs to be increased focus on recruiting those who demonstrate that they are digitally savvy or are grasping the need to prioritize growing their skills in this area. This means understanding how new and emerging technologies can be deployed, how to harness big data and statistical analysis to shape new approaches to product development and deployment, and applied knowledge of technologies that are or will shape the future of business, including the likes of cloud computing, AI and machine learning, blockchain, augmented reality, and perhaps even the promise of quantum computing. These attributes, along with a propensity to be comfortable with risk and uncertainty, should most importantly enable hiring managers to see whether candidates exhibit the right chemistry to fit into the corporate culture. Simply stated, traditional organizational hiring practices must be modernized to cultivate the right talent in order to successfully meet the challenges of the digital economy.

So, let’s not be fooled into thinking we’re okay because our company ship has yet to hit that digital economy iceberg. This iceberg runs long and spikes just beneath the surface. Navigating around it calls for “all hands on deck.” Traversing these choppy seas without incident means establishing and maturing the capabilities our organizations will need to turn on a dime when things matter most. The only way the CEO and executive teams can become confident is if the right talent is in place. Similarly, the only way for boards to obtain the assurance that the corporate ships are in good hands is to be convinced that the CEO and executive teams have established the right culture with the right people, and that they are effectively addressing the strategic, oversight and defensive components necessary to generate value from digital investments. As Peter Weill notes, “How good are you at each of these will predict your likely success in the digital economy.” I could not agree more. We find ourselves in exciting times, perhaps just as exciting as those who were paving the way of laissez faire economics back in the 18th century.

Editor’s note: This article was originally published in CSO.

Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1069
