Policy Q&A: The Basics of the NIS Directive

In this Q&A, Danielle Kriz, senior director of Global Policy, and Fred Streefland, senior manager of Product Marketing for EMEA, cover the basics of the EU’s Network and Information Security Directive and what it might mean for organizations.

Fred: Let’s talk about a new cybersecurity law in the European Union, the Network and Information Security (NIS) Directive. What is it, who does it apply to, and what do they need to do?

Danielle: It’s the EU’s first law specifically focused on cybersecurity, which I blogged about in May. Through transposition into national laws, it applies in all 28 EU member states.

The NIS Directive aims to improve the cybersecurity capabilities of the EU’s critical infrastructure by setting security and incident notification obligations across many types of organizations offering essential and digital services. The NIS Directive also requires member states to enact national cybersecurity strategies and engage in EU cross-border cooperation, among other measures.

The requirements on industry outlined in the NIS Directive are applicable to two categories of entities: operators of essential services and digital service providers. Although the directive outlines generally what is in these categories, each member state is responsible for identifying the OES established in their territories that are in scope.

  • Operator of Essential Services (OES): Sectors covered include energy (e.g., electricity, oil and gas companies), transportation (including air, rail, water and roads), healthcare (like hospitals and clinics), certain banking and finance (such as credit) institutions, suppliers and distributors of drinking water, and digital infrastructure (like internet exchange points).
  • Digital Service Provider (DSP): There are three categories: online marketplaces, online search engines and cloud computing services. The Directive has some small company exceptions for DSPs.

The directive sets security and incident notification obligations on these organizations. They must:

  • Take appropriate and proportionate technical and organizational measures to manage risks to the security of their network and information systems, and these measures must “have regard to the state of the art.”
  • Take appropriate measures to prevent incidents affecting the security of their network and information systems.
  • Notify competent national authorities of security incidents of particular magnitudes.

These requirements are related to the networks and information systems used to provide the covered essential or digital services. The requirements also apply whether the OES or DSP manages its own network and information systems or outsources them.

The EU’s Agency for Network and Information Security (ENISA) has details on the directive.

Fred: How is the NIS Directive rolling out? 

Danielle: The NIS Directive sets out objectives and policies to be attained through legislation at an EU member state level. All 28 EU countries were required to put the directive into national law by May 2018 (although the reality is that as of August 2018, some still were behind).

The impact will vary based on how each country previously regulated companies for cybersecurity. Some member states will make big changes and introduce new laws. Other member states might have existing laws into which they will need to integrate NIS requirements.

ENISA has issued non-binding guidelines for NIS so companies may want to look there. But many member states are expected to issue their own requirements. The European Commission has published a useful “state-of-play” of member states’ implementation of the NIS Directive.

Fred: Do non-EU headquartered companies need to worry about NIS?

Danielle: Yes, if they offer any of the covered essential or digital services in one or more EU countries. Regardless of whether a company is headquartered in the EU or not, companies covered under NIS must follow the law in the EU country where they have their main establishment. In fact, even companies providing digital services in the EU with no physical presence in the EU at all may be affected by the NIS Directive.

Therefore, we recommend that organizations operating in EU countries should do research and obtain legal advice on whether NIS applies to them and the exact details of what they must do.

Danielle: Now, let me ask you some questions, Fred. Assuming you are responsible for the security of an organization that needs to comply with the EU Network and Information Security Directive, what does this mean to you and the organization? As a former CISO, what would you do and how would you approach this?

Fred: Every operator of essential services or digital service provider in the EU needs to comply with this NIS Directive (with some small company DSP exceptions). You mentioned the requirements: they need to take measures that have regard to state-of-the-art technologies to manage the risks of their network and information systems. They must take appropriate security measures to prevent and minimize the impact of security incidents. Besides this, they also have the obligation to report security incidents of a certain magnitude to their national authority.

As the person responsible for information security, you need to be “in control” of the risks to your network and information systems. So, I would focus on what matters and start with getting visibility into the security of your network and information systems.

This means understanding:

  • Which networks and information systems support the covered services and how they are currently secured.
  • Whether the products and services you use to protect those networks and systems account for the state of the art.
  • What measures you are taking to prevent and minimize the impact of incidents on those networks and systems.
  • Whether you are able to track and identify the impact of incidents that may occur, so that you can notify authorities as needed.

I also recommend reading a recent blog by Greg Day, our CSO for EMEA, that explains how CISOs can view the NIS Directive as a positive opportunity for change.

Danielle: Again, from the CISO perspective, what is the final takeaway you’d like to share?

Fred: It is imperative to get proper visibility into your networks, information systems and data. In my opinion, that’s a prerequisite for effective security and compliance.

Palo Alto Networks is committed to assisting our customers on their road towards NIS Directive compliance. If you want to know how we can help, please attend our upcoming EU NISD webinar.

For more information on the NIS Directive, download our paper What Is the NIS Directive?

The information provided in this blog, concerning technical legal or professional subject matters, is for general awareness only, may be subject to change, and does not constitute legal or professional advice, nor warranty of fitness for a particular purpose or compliance with applicable laws. Always consult a qualified lawyer on any specific legal problem or matter.

[Palo Alto Networks Research Center]

Five Keys for Adaptive IT Compliance

The fluid technology and regulatory landscape calls on IT compliance professionals to be more flexible and proactive than in the past to remain effective, according to Ralph Villanueva’s session on “How to Design and Implement an Adaptive IT Compliance Function,” Monday at the 2018 GRC Conference in Nashville, Tennessee, USA.

The IT compliance function serves as an important bridge between the audit and IT departments, in addition to articulating business-related IT and security initiatives to management, and recommending and implementing appropriate compliance frameworks.

Business model changes, legal considerations, government requirements and evolving industry regulations are among the common reasons that organizations may need to more frequently explore switching their frameworks than in the past. Villanueva, IT security and compliance analyst with Diamond Resorts, referenced the General Data Protection Regulation (GDPR), which became enforceable in May, as an example of a recent regulatory shift that could have significant compliance ramifications. Additionally, he cited industries such as banking, healthcare and gaming as having special requirements calling for the use of compliance frameworks.

While acknowledging that the need to explore new or additional frameworks can cause “compliance anxiety” and organizational resistance, considering the corresponding investments in time and resources, Villanueva said effective use of people, processes and technology can make the process worthwhile in the long-run. Given the increasing need to implement different frameworks to deal with a growing set of compliance complexities, Villanueva laid out five steps to be actively compliant across several frameworks while remaining in line with budget realities:

  1. Understanding beats memorizing. Compliance professionals who truly understand the intent of the framework are best positioned to adapt them to their organizations.
  2. Know your organization. Having a clear handle on the organization’s business model, mission and array of information and technology resources allows for more strategic compliance.
  3. Anticipate how today’s trends will influence what you do tomorrow. Variables such as the need to incorporate more mobile device security and use of emerging technologies such as artificial intelligence (AI) and machine learning may call for recalibrating compliance processes.
  4. Know that some fundamentals never change. Despite the volatile landscape, Villanueva said there still needs to be focus on established compliance priorities such as application controls and segregation of duties.
  5. Keep learning. Investing in personal development and prioritizing networking are some of the best ways to keep current and “future-proof” career paths.

Villanueva cited COBIT 5, NIST 800-53, ISO 27001:2013 and PCI-DSS 3.2 as examples of useful frameworks for compliance professionals, and said identifying commonalities among different frameworks can make for a more efficient approach. Villanueva recommended IT compliance frameworks because they:

  • Simplify compliance;
  • Reduce the likelihood of missing compliance requirements;
  • Maximize everyone’s time;
  • Allow for clearly understood expectations;
  • Are commonly accepted by control stakeholders.

The importance of compliance professionals should not be overlooked. Aside from potential legal ramifications resulting from inadequate compliance, Villanueva said having strong compliance programs in place is critical to deter corruption and costly illegalities.

“We’re here to make sure that crime doesn’t pay,” Villanueva said.

[ISACA Now Blog]

An Overlooked Upside to Cybersecurity Roles – They’re Fun!

Recent surveys and studies have emerged that show interest in cybersecurity as a potential career field at uncomfortable lows. In fact, a recent ProtectWise report showed that only 9 percent of millennials indicate cybersecurity is a career they are interested in pursuing at some point in their lives. This disturbing finding has far-reaching potential consequences in a field that desperately needs a stronger workforce.

To understand these findings, the study posits several factors that could be to blame for the low level of interest, from lack of exposure to cybersecurity in school curricula, to lack of personal connections, such as relatives, in the relatively new field of cybersecurity. However, another element, often hushed, and rarely acknowledged, lurks throughout the field’s perception – lack of fun. Sadly, many people don’t consider cybersecurity as a “fun” field – and that’s a false assumption, as there are multiple elements that make cybersecurity an enjoyable career path. Considering the level of engagement cybersecurity professionals enjoy, the evolving nature of the profession, its constant relevance, growth rate, and pay, cybersecurity can be a fun field, as long as individuals give it a chance.

One of the most enjoyable aspects of cybersecurity is the level of engagement it requires of an individual. Many jobs are comprised of the day-to-day grind of waking up, performing the same task several times, eating lunch, performing the same task, and going home. Little-to-no engagement occurs in these job roles, resulting in a bored and ineffective workforce. However, cybersecurity is quite the opposite. As seen in several reports, including ISACA’s 2018 State of Cybersecurity research, cyber-attacks are constant and growing in frequency. As a result, many incident responders and cyber teams find themselves immersed in their job, engaged in the dissection, analysis, and evaluation of attacks to better protect their organization. Oftentimes, this takes the full attention of these individuals, who lose track of time and realize they’ve been actively engaged in their work all day, resulting in very little boredom.

These growing attacks also are constantly evolving. Many of the day-to-day attacks against an organization vary in shape, size, and composition, and require an engaged workforce to actively combat them. These individuals act as live guardians in a digital world, identifying each potential attacker and assailant by cross-referencing them against previous attacks and exploitation. Oftentimes, this can be the hardest part of the job, as attack mechanisms such as worms and viruses are like hydras, with two different variants appearing once one variant is killed. In fact, one such type of attack, a polymorphic virus, makes slightly different copies of itself each time it infects a system in an effort to throw scanners off its trail. Hunting these changing malicious codes and actors often brings a smile to the face of cyber professionals, as each time an attack changes and the responder stops it, the responder becomes that much stronger and more experienced.

These constant attacks also contribute to another element that makes cybersecurity fun: its relevance.  Since new attacks and attack vectors are always emerging, cybersecurity professionals must stay up to date on all the potential exploitations that are discovered to meet their responsibilities of protecting the business operations of an organization. This, in turn, makes cybersecurity professionals incredibly relevant to the business and the field overall. Relevance in an organization oftentimes translates to respect and recognition. This is reinforced by the rise of the CISO and CIO roles in Fortune 500 companies. No longer are these individuals relegated to the back row by other executives; instead, they are more commonly brought to board of directors meetings to discuss the organization’s security stance.

While the relevance of the cybersecurity field is important, it does not amount to much if there is nobody to staff the workforce. As seen in the 2018 State of Cybersecurity research, there are not nearly enough cybersecurity professionals in the field to keep up with the explosive growth and need. As a result, cybersecurity professionals are valuable diamonds to be cherished and cultivated within the organization. Thanks to this growth, cybersecurity professionals enjoy the fruits of a seller’s market – and that can be pretty fun.

Finally, something which all millennials should consider as they chart their future careers: pay.  Everybody wants a career that will pay well, and cybersecurity offers that opportunity. The Robert Walters Salary Survey of 2018 indicated that cybersecurity pay will rise by an additional 7 percent around the world in 2018, outpacing all information technology roles, which on average will see about a 2 percent increase. Although having an engaging, evolving, relevant job in a growing field is fun, knowing that it pays well is another cause to smile.

Everyone is different and defines job fulfillment through their own personal lens. However, if finding a job enjoyable, engaging, and fun is a top priority, it’s worth considering cybersecurity as a potential career. On the outside, it may seem bland, but taking a closer look reveals that working in cybersecurity can be much more fun than most people think.

Editor’s note: For more of Frank Downs’ thoughts on the fun side of cybersecurity and relevant industry trends, listen to the recent ISACA Podcast, The State of Cybersecurity.

Frank Downs, Director and SME, ISACA Cyber Security Practice

[ISACA Now Blog]

Tech Docs: Five New Features in the Traps Management Service

That’s right! The August release of the Traps management service introduces five new features designed to simplify endpoint management and security event investigation:

1. Clickable Dashboard—From the Dashboard you can now jump to a filtered list of endpoints that share any of the following characteristics:

  • Platform operating system
  • License status (to view a list of all licensed endpoints)
  • Content update status (latest or outdated)

For security events, you can also jump to filtered lists of unresolved events by severity. The Dashboard quick links enable you to quickly identify endpoints for which administrative action may be required.

2. Enhanced Endpoint Filters—To refine the number of endpoints on the Endpoints page, you can now apply new endpoint search filters:

  • Agent Version—Filters all endpoints for specific agent versions. Using this filter you can quickly identify all endpoints running older Traps versions and upgrade them to the latest Traps version, ensuring the endpoint takes advantage of the latest security policy and Traps features.
  • Content Version—Filters all endpoints for specific content update versions. This filter provides visibility into which endpoints are using older content versions.

3. Security Event Search by Event ID—If you already know the unique event ID for a security event, you can now use that ID to quickly locate a security event. To filter security events for an Event ID you must enter the complete ID value.

4. Hash Exceptions Search—To quickly locate a hash exception, you can now search hash exceptions using the complete SHA256 value.

5. Process Exceptions Assignment Enhancement—To quickly configure process exceptions for select endpoints, you can now assign process exceptions to endpoint groups, AD groups, and AD organizational units (OU). Process exceptions will apply only to the platform type specified in the exception. In addition, in the case of AD objects that specify users and endpoints, a process exception will apply only on endpoints.

For more details on the new features, please refer to the following resources:

Happy reading!
Your friendly Technical Documentation team

Have questions? Contact us at documentation@paloaltonetworks.com.

[Palo Alto Networks Research Center]

Lessons from the Reddit Breach

In June 2018 an attacker gained access to an old backup of Reddit’s database containing user data from 2005 through 2007: usernames, salted and hashed passwords, email addresses and private messages. The attacker also obtained more recent data, including logs of email digests sent in June 2018 that pair current usernames with email addresses.

This data lets attackers try the recovered credentials against other sites where users may still be reusing the same password (credential stuffing). Although the compromised passwords were stored as salted hashes rather than in the clear, a salt only defeats precomputed tables; decade-old hashes are likely crackable by per-account dictionary attacks with today’s tools.

Because the June 2018 email digest logs pair current usernames with email addresses, this linkage could let attackers tie a pseudonymous account to a real identity. If those users have received content or engaged in posts that could be embarrassing, this may lead to blackmail: attackers might threaten to make private messages public or share them with family or friends.

Reddit users should ensure that, across all sites, they are no longer using any password from the breached timeframe. Users should also choose passwords in line with NIST’s recent guidance (SP 800-63B).
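To make the “salted but still crackable” point concrete, here is an added example (mine, not part of the original post and not Reddit’s code) that runs the same small dictionary attack against one record protected by a fast salted hash (salted SHA-1, typical of the era) and one protected by an iterated key-derivation function. The salt, wordlist, hashes and password are all constructed for the illustration; the only thing that differs between the two runs is the cost of each guess.

```python
import hashlib
import time

# Constructed data for this illustration only; nothing here comes from the
# Reddit dataset. A realistic attack would use a wordlist of many millions.
WORDLIST = ["password", "123456", "letmein", "qwerty", "reddit2007", "dragon"]


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Fast salted hash of the kind common a decade ago (salted SHA-1).
    The salt defeats precomputed rainbow tables, but every guess is a single
    SHA-1 call, so a per-account dictionary attack runs at millions of
    guesses per second on commodity hardware."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Iterated KDF (PBKDF2-HMAC-SHA256). Same salt, same password, but each
    guess now costs 200,000 HMAC calls, which is the whole point."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack(target: bytes, salt: bytes, hash_fn, wordlist=WORDLIST):
    """Dictionary attack against one leaked (salt, hash) pair.
    Returns (password_or_None, guesses_tried, seconds_elapsed)."""
    start = time.perf_counter()
    for tried, candidate in enumerate(wordlist, 1):
        if hash_fn(candidate, salt) == target:
            return candidate, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


# One "leaked" record per scheme, built with a fixed salt so the run is reproducible.
LEAKED_SALT = bytes(range(8))
LEAKED_LEGACY = legacy_hash("letmein", LEAKED_SALT)
LEAKED_SLOW = slow_hash("letmein", LEAKED_SALT)

if __name__ == "__main__":
    for name, target, fn in (("salted SHA-1", LEAKED_LEGACY, legacy_hash),
                             ("PBKDF2-SHA256", LEAKED_SLOW, slow_hash)):
        pw, tried, secs = crack(target, LEAKED_SALT, fn)
        print(f"{name:14s} recovered={pw!r} after {tried} guesses "
              f"({secs / tried * 1e3:.3f} ms per guess)")
```

Both runs recover the weak password after three guesses; the difference is that the legacy scheme costs microseconds per guess while the KDF costs tens of milliseconds, which is the factor that turns a multi-million-entry wordlist from seconds into years. Salting is necessary but not sufficient: the defense is a deliberately slow, salted KDF (PBKDF2, bcrypt, scrypt or Argon2) with a work factor tuned to current hardware.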

What your organization can do to prevent a similar breach
Retiring any password that may have been exposed, and choosing strong, unique passwords, are good practices for Reddit users and non-users alike (NIST SP 800-63B advises against forcing routine periodic changes; the change that matters is the one made when there is evidence of compromise, as here). Additionally, there are system-wide changes that organizations can make to protect against breaches.

Employees with access to sensitive systems or with powerful privileges, like admin accounts, represent a high-value target for attackers, so organizations should pay particular attention to the security of such accounts.

One way to improve account security is strong multifactor authentication. SMS codes are widely used as a second factor for consumer accounts, but they can be intercepted with some effort (for example through SIM swapping or attacks on the carrier network), and Reddit attributed the compromise of its employees’ accounts in this breach to an SMS intercept.

A cryptographic token system is a more secure alternative to the SMS second factor that was compromised in the Reddit breach. Tokens take more effort to deploy than SMS codes, but they are also far harder to intercept or spoof, because the code is computed locally and never transits the phone network. Authentication codes are derived cryptographically from a secret shared with the server (or a key held on a hardware device) and have short lifetimes: time-based one-time passwords (TOTP) typically change every 30 seconds, and the server accepts a code only within a small window around the current time step.

Many organizations have been using strong authentication based on physical or software tokens for decades. For particularly sensitive accounts like admin accounts, this has long made sense and is hardly a new idea.

Other detection tools your organization should use for breach prevention
Organizations should also use auditing and intrusion detection tools to quickly alert them to a situation when such an account is engaged in abnormal behavior.

Since admin accounts are so powerful, the information security team and IT auditors should carefully review the protection for these accounts, including the use of multifactor authentication, and determine whether audit trails and intrusion detection can be turned off or tampered with by the admin accounts in question. Otherwise, attackers who compromise such accounts can simply bypass the monitoring. In many cases the underlying operating system or application does not provide tamper-evident audit trails or intrusion detection, so third-party tools, or at minimum a separate log collector that the admin accounts cannot write to, will need to be implemented.
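One building block such tools rely on is a hash-chained audit log, where each entry commits to the hash of the one before it and the latest hash is anchored somewhere the admin cannot reach. The example below (added here; it is not from the original post or any vendor) builds such a chain over a few constructed events and shows that modifying, removing or truncating entries is detected. The events, actor names and addresses are invented for the illustration.

```python
import hashlib
import json

# Constructed sample events for this illustration; they are not real logs.
SAMPLE_EVENTS = [
    {"ts": "2018-06-14T10:00:00Z", "actor": "admin1", "action": "login", "src": "203.0.113.5"},
    {"ts": "2018-06-14T10:02:13Z", "actor": "admin1", "action": "read", "object": "db-backup-2007.sql"},
    {"ts": "2018-06-14T10:05:40Z", "actor": "admin1", "action": "logout"},
]

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one


def _entry_hash(seq: int, prev: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal events hash equally.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{seq}|{prev}|{body}".encode()).hexdigest()


def append_event(chain: list, event: dict) -> dict:
    """Append one event; its hash commits to the previous entry's hash."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event,
             "hash": _entry_hash(seq, prev, event)}
    chain.append(entry)
    return entry


def build_chain(events) -> list:
    chain = []
    for event in events:
        append_event(chain, event)
    return chain


def verify_chain(chain: list, anchored_head: str):
    """Recompute every link and compare the final hash with a head value kept
    outside the admin's reach (e.g. on the log collector or a write-once
    store). Returns (ok, detail) so the auditor knows where the chain broke."""
    prev = GENESIS
    for seq, entry in enumerate(chain):
        if entry["seq"] != seq or entry["prev"] != prev:
            return False, f"entry {seq}: broken link (entry removed or reordered)"
        if _entry_hash(seq, prev, entry["event"]) != entry["hash"]:
            return False, f"entry {seq}: contents do not match hash (modified)"
        prev = entry["hash"]
    if prev != anchored_head:
        return False, "head mismatch: entries appended, truncated or rewritten after the anchor"
    return True, "chain intact"


def tampered_copy(chain: list, seq: int, field: str, value) -> list:
    """Deep-copy the chain and alter one event field, as an intruder with the
    admin's rights might do to hide the backup read."""
    copy = json.loads(json.dumps(chain))
    copy[seq]["event"][field] = value
    return copy


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]          # anchor this on a system the admin cannot write to
    print(verify_chain(chain, head))
    print(verify_chain(tampered_copy(chain, 1, "action", "noop"), head))
    print(verify_chain(chain[:-1], head))
```

The chain alone is only tamper-evident against an attacker who cannot recompute every later hash; an admin with write access to the whole file could rewrite entry 1 and all the hashes after it. That is why the head must be anchored externally (shipped to the collector as each entry is written, or signed with a key the admin does not hold): the rewritten chain will be internally consistent but will no longer match the anchored head.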

Organizations should also discover old files that contain personally identifiable information, such as email addresses, usernames or password hashes, and securely delete or protect them. Often it is older files, copied and then forgotten (frequently because of employee turnover) and never well protected, that pose regulatory compliance risks; the decade-old database backup taken in the Reddit breach is exactly that kind of file.

Proactive data governance measures are more important than ever in today’s landscape, as the Reddit breach and countless others attest.

Rob Clyde, ISACA board chair, executive chair of the board of directors for White Cloud Security and independent board director for Titus

[ISACA Now Blog]
