2018 Predictions & Recommendations: Cyber Hygiene for Financial Institutions Found Non-Compliant with SWIFT Mandatory Security Controls

This post is part of an ongoing blog series examining predictions and recommendations for cybersecurity in 2018.

After a series of high-profile attacks against its members in 2016, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) established a Customer Security Controls Framework that includes a set of 16 mandatory controls. SWIFT requires self-attestations to be completed by the end of 2017. These will be made available to SWIFT counterparties in support of the transparent exchange of security status information. Without going out on a limb, my prediction is that some SWIFT members will not be able to comply with all mandatory controls by that deadline.

That being said, my recommendation for financial institutions is to incorporate the best practices for cyber hygiene found in the SWIFT mandatory controls into your overarching security program. Avoid the temptation to treat the SWIFT controls as “one-offs” to be addressed separately. Integrating them into your cybersecurity program will provide a more holistic approach and enable you to ensure ongoing compliance.

The SWIFT mandatory security controls can be viewed as measures of good cyber hygiene for their members. I won’t cover all 16 here, but I will highlight a few to provide some flavor for the controls.

  • SWIFT Environment Protection (1.1): Network segmentation of the local SWIFT infrastructure from the rest of the IT environment would be a major first step. This would limit access to and from the local SWIFT elements by attackers on potentially compromised endpoints and even by malicious insiders.
  • Operating System Privileged Account Control (1.2) and Multi-Factor Authentication (4.2): In addition to the policy of least privileges, administrator-level accounts should be protected with multi-factor authentication (MFA). Of course, MFA should also be in place for access to critical systems, such as SWIFT. This limits the value of any credentials stolen by an attacker.
  • Internal Data Flow Security (2.1) and Logical Access Control (5.1): To ensure the integrity of communications between SWIFT-related components, obtain visibility into and control the traffic flow based on applications, users, and content. Security policies may then be defined with the context of actual application and user identity to safely enable authorized access to the data.
  • Security Updates (2.2), Malware Protection (6.1), and Software Integrity (6.2): Patching software for security vulnerabilities in a timely fashion is clearly a necessity. However, in instances where this is not possible due to software past end-of-support or other extenuating circumstances, advanced endpoint protection from both malware and exploits is an alternative to maintain the integrity of the production environment. In general, advanced endpoint protection is superior to legacy antivirus and anti-malware solutions.
  • Logging and Monitoring (6.4): With the local SWIFT infrastructure protected by network segmentation, those firewalls will have significant information on both normal and unexpected data flows into and out of the environment. Those firewall logs should be reviewed for anomalies in traffic patterns as these may signal undesired activity.
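The firewall-log review that control 6.4 calls for, as an added Python example that is not part of the original post: it parses constructed key=value firewall log lines and flags any flow crossing the SWIFT segment boundary that is not on a small allow list of expected flows. The zone ranges, allowed flows and log format are assumptions made for the example.

```python
"""Review firewall logs at the SWIFT segment boundary for unexpected flows.

Added illustration for control 6.4: once the local SWIFT infrastructure is
segmented behind a firewall, every flow crossing that boundary is logged, and
anything outside the small set of expected flows deserves a second look.
The log format, address ranges and allow list below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed: the segmented SWIFT zone and the networks it may talk to.
SWIFT_ZONE = ipaddress.ip_network("10.50.0.0/24")
JUMP_HOSTS = ipaddress.ip_network("10.10.5.0/28")        # MFA-protected admin jump hosts
SWIFT_LINK = ipaddress.ip_network("198.51.100.0/24")     # stand-in for the SWIFT network link
BACKOFFICE = ipaddress.ip_network("10.20.7.0/24")        # back-office database segment

# Expected boundary flows: (source net, destination net, protocol, destination port).
ALLOWED_FLOWS = [
    (JUMP_HOSTS, SWIFT_ZONE, "tcp", 22),
    (SWIFT_ZONE, SWIFT_LINK, "tcp", 443),
    (SWIFT_ZONE, BACKOFFICE, "tcp", 1433),
]


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    action: str


def parse_line(line: str) -> Flow:
    """Parse one key=value firewall log line (constructed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["ts"], ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]), fields["proto"].lower(),
                int(fields["dport"]), fields["action"].lower())


def crosses_boundary(flow: Flow) -> bool:
    """True when exactly one endpoint is inside the SWIFT zone."""
    return (flow.src in SWIFT_ZONE) != (flow.dst in SWIFT_ZONE)


def is_expected(flow: Flow) -> bool:
    """True when the flow matches an entry on the allow list."""
    return any(flow.src in s and flow.dst in d and flow.proto == p and flow.dport == port
               for s, d, p, port in ALLOWED_FLOWS)


def find_anomalies(lines: List[str]) -> List[str]:
    """Return findings for boundary flows outside the allow list.

    An expected flow that the firewall denied is also reported, since that
    usually points at a rule or host misconfiguration rather than an attack.
    Flows that stay inside the zone are out of scope for this boundary review.
    """
    findings = []
    for line in lines:
        flow = parse_line(line)
        if not crosses_boundary(flow):
            continue
        if is_expected(flow):
            if flow.action == "deny":
                findings.append(f"{flow.ts} expected flow denied: "
                                f"{flow.src}->{flow.dst} {flow.proto}/{flow.dport}")
            continue
        direction = "outbound from" if flow.src in SWIFT_ZONE else "inbound to"
        findings.append(f"{flow.ts} unexpected {direction} SWIFT zone: "
                        f"{flow.src}->{flow.dst} {flow.proto}/{flow.dport} ({flow.action})")
    return findings


# Constructed sample log: two normal flows, one intra-zone flow, three anomalies.
SAMPLE_LOG = [
    "ts=2017-11-02T09:01:03Z src=10.10.5.4 dst=10.50.0.10 proto=TCP dport=22 action=allow",
    "ts=2017-11-02T09:02:11Z src=10.50.0.10 dst=198.51.100.25 proto=TCP dport=443 action=allow",
    "ts=2017-11-02T09:03:40Z src=10.20.7.15 dst=10.50.0.10 proto=TCP dport=3389 action=allow",
    "ts=2017-11-02T09:04:02Z src=10.50.0.12 dst=203.0.113.9 proto=TCP dport=443 action=allow",
    "ts=2017-11-02T09:05:17Z src=10.50.0.10 dst=10.50.0.11 proto=TCP dport=445 action=allow",
    "ts=2017-11-02T09:06:30Z src=10.10.5.4 dst=10.50.0.10 proto=TCP dport=22 action=deny",
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```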

The two most recently publicized attacks on SWIFT members occurred in October 2017 (Taiwan and Nepal). Prior to these, there was an attack in December 2016 (Turkey). Although one could say the pace of attacks against SWIFT members has slowed from the peak seen in mid-2016, it would not be prudent to ignore the recommended security controls. Whether or not you are a SWIFT customer, ensuring that basic cyber hygiene is part of your overall security program is well worth the time and effort.

[Palo Alto Networks Research Center]

Five Areas to Consider When Testing Cyber Threat Intelligence Effectiveness

According to the ISACA State of Cyber Security 2017 research, 80% of respondents believe “it is either ‘likely’ or ‘very likely’ that they will be attacked in 2017.” In 2018 and beyond, based on current risk trends to organizations from their infrastructure, employees, supply chain and external threat actors, this figure is unlikely to drop.

Cyber threat intelligence (CTI) plays an important role in an organization’s defense-in-depth strategy and is often leveraged by other cyber security functions, such as security event monitoring, incident response and forensic investigations.

To derive value from CTI, raw or processed data feeds must be analyzed and applied within the context of the organization to improve, among other capabilities, the ability to detect threats and respond to incidents.

Visibility into the design and operating effectiveness of CTI processes can provide some assurance to management and potentially support funding requests for further investment in this area. Based on that premise, below are five areas to consider when conducting a review of your organization’s CTI capabilities.

Alignment with your organization’s threat model
Commonalities exist in the threats to organizations operating in the same industry sector. However, because no two businesses are exactly alike, there is a high likelihood that each one will have a slightly different threat model.

Threat modeling is a necessary risk management step to ensure that resources are directed at controls that address the real threats to the organization. Therefore, to ensure that CTI sourced by an organization is effective, it must support an existing threat model.

A key initial part of your review should involve checking whether your organization maintains a threat model, whether the CTI sourcing strategy adds more visibility to that model and whether the combination of both supports effective decision-making when managing risk.

Quality of threat intelligence
Threat and vulnerability information originates from a variety of internal and external sources and is often ingested manually or through automation by the user organization.

Externally, sources include commercial CTI vendors, industry/community collaboration forums, and security product/vendor intelligence feeds. Internal sources include proactive vulnerability scanning, network monitoring and behavioral analysis tools.

Whether derived internally or externally, the quality of CTI is critical for it to effectively contribute toward improving an organization’s cyber security posture.

According to leading threat intelligence expert Sergio Caltagirone, the quality of threat intelligence is determined by four factors: completeness, accuracy, relevance and timeliness. Each of these factors is described briefly below:

  • Completeness – Visibility of the organization’s threat model could provide a view on the completeness of CTI. Threat models will help the organization to ask the right questions of CTI data.
  • Accuracy – A high number of false positives in an intelligence report implies poor-quality CTI. A consistent trend of false positives may require further investigation.
  • Relevance – The more organizational and industry context that is available within CTI, the more useful it is. More weight should be given to internally sourced CTI which reflects the nuances of an organization over externally sourced CTI which may be generic and may lack context.
  • Timeliness – CTI is only effective if it can be applied in an operational context to address current threats facing an organization.

Start by obtaining a list of your organization’s internal and external sources and reviewing them against each of these factors.

Integration with security monitoring
There are many use cases for CTI. According to the 2017 SANS Institute Cyber Threat Intelligence report, the top use case for CTI was in security operations, as 72% of respondents say they use CTI information when detecting potential cyber security events and locating sources and/or blocking malicious activities or threats.

An effective security monitoring strategy is one which correlates and analyzes data from multiple sources to detect threats before they can cause harm to the organization. Leveraging available CTI is one way to ensure the optimal use of security operations resources by focusing monitoring efforts on indicators of compromise that pose the highest risk.

Conduct a review of security monitoring procedures to determine how much CTI influences monitoring strategies.

Integration with incident response
Improving visibility into threats and attack methodologies is vital to an organization’s ability to respond to incidents. Effective CTI provides insight into the intent, opportunity and capability of a cyber-attacker. It is this insight which gives an organization some assurance that it can deploy appropriate defense mechanisms to prevent a successful attack.

As part of your review, assess the degree to which CTI is integrated with the steps in your organization’s incident response approach, including preparation, detection, analysis, containment, eradication and recovery.

Measuring the impact of incidents
A post-mortem review of security incidents could give an organization insight into what worked well (and what did not) during incident detection and response and help to identify improvement opportunities.

It is worth reviewing security incidents to determine whether the use of CTI in security monitoring and incident response played a significant role in areas such as detecting unknown threats, reducing time to identify and respond to threats, and preventing significant damage to systems and data.

An assessment of the relevance of CTI to reducing the impact of security incidents could provide a view on which intelligence sources provide the best value to the organization and deserve continued investment.

Summary
The value of CTI to any organization is in its ability to support timely decision-making by stakeholders including executive management, corporate security, security operations and risk teams.

Regardless of which cyber security functions it is applied to, this is the key consideration to remember when conducting a review of the design and operating effectiveness of CTI processes.

Editor’s note: For more insights on threat intelligence, download ISACA’s threat intelligence tech brief.

Omo Osagiede, Director, Borderless-I Consulting

[ISACA Now Blog]

Five Mistakes to Avoid When Deploying Emerging Technology

When I finished my proof-of-concept presentation to the CIO of a prospective client at a recent meeting, he was more than surprised – he was upset. He almost yelled at me: “How did you do it?”

For my demo, my client had to complete a paper application form used by his company’s sales force. He needed to do this by hand, as would any customer, but using a digital pen equipped not only with an ordinary ink cartridge, but also with a micro-camera that captured each trace of the pen on the paper. When he had finished the application, he checked one box at the end of it that read “Transmit.” While explaining the features of the digital pen, I opened my laptop and remotely connected to our demo server. From there, just a few seconds after he had completed the application, I could show to him not only a high-quality scan of the completed application, but also all the data already translated into usable fields: numbers, dates, addresses, ready for ERP integration. He stood up in astonishment and asked: “How did you do it? How??”

This appears to be a nice example of a presentation that went so well that I took my audience completely by surprise with an emerging, unexpectedly beautiful technology. But the truth is, less than two years after launching our work with digital writing, we had to completely write off two years of work and investment put in an offering that appeared to be “The Next Big Thing.”

Talking about our digital transformation successes is always nice, but I would like to share these five innovation facts that, from my experience, should be understood to avoid failing in this era where all of us are at the brink of launching The Next Big Thing, whether on top of blockchain or IoT or AI or machine learning technologies.

1. “Innovation Chasm” does exist. I am sure that many of you have seen the Technology Adoption Lifecycle graph that describes the Innovators, Early Adopters, etc. Well, in that graph, there is a chasm between being loved by technology fans and getting a growing majority of users that will make your product the next iPhone. In the case I described, we could not convince owners of the intellectual property in a timely fashion to simplify the pricing model to accelerate the creation of a minimum user base. Check your business model for scenarios where the chasm is bigger than anticipated.

2. Platforms and ecosystems matter. The possibilities of emerging technologies are immense but decisions need to be made in relation to the platform or ecosystem you want to belong to or create for others. No one cares for a solution that cannot integrate and evolve for future needs. Our digital writing offering did use industry standards like XML or GMS but relied heavily on proprietary technology within the core product.

3. The “Innovator’s Dilemma” is real. Professor Clayton Christensen has said that companies are designed for the status quo and innovation efforts are killed by design. That is, although companies may not say it, they do not really want to disrupt themselves. So, your presentation to whoever approves your innovation effort needs to avoid a collision trajectory and instead explain the complementary nature of the business and customer bases that you are bringing to the table.

4. Being a maverick is cool, but … In the end, a successful launch of an emerging technology needs to be on good terms with the leading powers that will put your product in front of users. It needs to integrate seamlessly with dominant social platforms as well as with online and app stores, and be designed to quickly open its features to the newcomers that will play a dominant role in your marketplace. That is why you see such collaboration among companies that otherwise would be rivals to create the future ecosystems for blockchain, machine learning, etc.

5. ITBMS! I have a blog post called It’s the Business Model, Stupid. We have seen for several years that, in the end, all successful technology companies have managed to build a credible business model that will turn around years of losses (sorry, capital investments) by creating value for an ever-growing number of users. So, be bold in pursuing your dreams for a better world, but keep close your friends that can make sense of it in terms of a sustainable, long-term business model.

Author’s note: Jose Angel Arias has started and led several technology and business consulting companies over his 30-year career. In addition to having been an angel investor himself, as head of Grupo Consult, he participated in TechBA’s business acceleration programs in Austin and Madrid. He transitioned his career to lead the Global Innovation Group in Softtek for four years. He is currently technology audit director with a global financial services company. He has been a member of ISACA and a Certified Information Systems Auditor (CISA) since 2003.

Jose Angel Arias, CISA, Technology Audit Director

[ISACA Now Blog]

Cybersecurity and Human Factors: Why Cybersecurity Is a Human Issue Rather Than a Technical Problem

I recently had a discussion with Japanese business executives on cybersecurity challenges during which one of them asked me about the biggest difference between Japan and other countries regarding their approach to cybersecurity. I answered, “Each country and sector is different; but if I compare Japan and the United States, the Japanese tend to think cybersecurity is a technical problem, whereas the Americans tend to believe cybersecurity is a human issue, based on previous interactions and feedback from my peers and industry experts in the United States.”

This answer surprised him and brought home the point that cybersecurity touches upon various aspects of human nature and activities, rather than just technical problems. Only humans can do the cybersecurity risk assessment and management because this requires decision-making and resource allocation. People are essential for solving challenges around cybersecurity.

The IBM Security Services 2014 – Cyber Security Intelligence Index shows that more than 95 percent of the cyber incidents that IBM investigated occurred due to human errors, such as system misconfiguration and poor patch management. People are the weakest link in cybersecurity because every single person makes mistakes. That is why social engineering works to trick people into doing something they are not supposed to do, and employers encourage their employees not to open suspicious attachments or click URLs from unsolicited senders.

Of course, cybersecurity includes technical elements. Technology is crucial to address cybersecurity challenges because offerings like firewalls and endpoint protection are needed to prevent malicious actors from achieving their goals by cyber means. Technical knowledge is required to innovate, choose and use those products, as well as to analyze malware.

However, it is equally important to analyze and understand human factors behind cyberattacks and risks because these are the biggest trigger of cybersecurity incidents. Since today’s business environment cannot survive without IT, both IT and cybersecurity should be regarded as business enablers rather than cost centers. That is why the Japanese Ministry of Economy, Trade and Industry (METI) and Information-Technology Promotion Agency (IPA) pointed out in their Cybersecurity Guidelines for Business Leadership Ver 1.1 in December 2016, cyberattacks are an unavoidable business risk in today’s business environment, where IT is part of the infrastructure.

To manage a risk, it must be accepted, avoided, mitigated, or transferred. If a cybersecurity risk is low or moderate, an organization can decide to accept it and not take any cybersecurity action to mitigate it. If a potential cybersecurity risk seems to be unacceptable, the organization may decide to take action to eliminate the basis of the risk, such as a specific activity or technology. If the organization has the resources to shift risk liabilities and responsibilities to others who have better expertise, the organization can transfer the risk, for example through cyber insurance. If the risk is not acceptable, avoidable, or transferable, the organization should take cybersecurity approaches to reduce the risk, such as authentication, encryption, or firewall installation.

Investment in risk management is also needed. Yet, information technology (IT) was introduced to business operations mainly to cut costs. Because cybersecurity has traditionally been considered part of IT, it is challenging for companies to realize that it is an area to invest in as a business enabler.

In fact, IPA’s Survey of cyber risk management in companies in 2015 (June 2015) showed that less than 50 percent of even major Japanese companies assess their business risks. Only 49.2 percent of the business leadership of even major companies (those with annual sales over 1 billion yen) answered that they do business risk assessment. The ratio is 28.2 percent at medium-sized companies (annual sales between 100 million and 1 billion yen) and 14.9 percent at small companies (annual sales under 100 million yen).

Japanese companies are behind American and European companies in this regard. According to IPA’s survey about Chief Information Officers (CIO) and Chief Information Security Officers (CISO) in companies in 2017, 34.6 percent of Japanese companies said that risk visualization is challenging or insufficient. The ratio is higher in Japanese companies than in American (32.4%) or European companies (27.9%). Unless business risks are assessed or visualized, it is impossible for business leadership to determine how many resources to invest in accepting, avoiding, mitigating, or transferring each of their business risks. Resources, which are limited in quantity, will be wasted.

An Indian folk tale about six blind men and an elephant is applicable to cybersecurity and business risk management. The six men touched different parts of an elephant and each pictured the elephant as a wall, a snake, a spear, a huge fan, a cow, or a rope. None of them obtained a whole picture of the huge animal because they did not have complete information about it. Luckily, the animal they were touching was a gentle elephant. Were it a lion, touching would not have been a good idea.

What actions, then, should business executives, especially in Japan, take now?

  • Review your business risks and understand what kinds of risks your organization currently faces.
  • Talk to your CISO and his or her team to share cyber risk findings and decide on which actions to take, whether from the stance of acceptance, avoidance, mitigation, or transfer.
  • Prioritize business risks that require immediate action to avoid, transfer, or mitigate them and decide on how much in the way of resources should be spent on each risk.
  • Since C-suites need to balance usability, security, and budgets, consider applying automation, such as automated defenses and the integration of cyberthreat intelligence, to maximize efficiency and effectiveness.
  • Review your business strategy and revise it to reflect the cyber risk findings to maximize business value for your organization, customers, and partners.

It is indispensable to have a whole picture of business risks to optimize the use of limited resources to manage them. Every organization needs to have good decision-making on business risk management, and only people can do it. This step is a great opportunity to increase your business value.

[Palo Alto Networks Research Center]

Enterprise Leaders Should Steer Organizations on Path to Digital Transformation

Employees are at their best when they are encouraged to take calculated risks, rather than becoming complacent with what they know and what has become comfortable. The same holds true for enterprises.

Some of the best risks enterprises can take in our technology-driven business landscape involve deploying transformative technologies that allow them to connect with customers in new and innovative ways. Yet, in many cases, organizations are failing to capitalize on the widening array of opportunities.

ISACA’s new Digital Transformation Barometer research shows that only 31% of organizations frequently evaluate opportunities arising from emerging technology. Given the swift pace with which technology is introduced and refined, this shows that most enterprises are undercutting their ability to seize marketplace opportunities and better serve their customers.

Boards of directors and the C-suite should be challenging their operational teams to research, pilot and ultimately become experts in emerging technologies capable of transforming their enterprises. Big data, artificial intelligence, Internet of Things devices and blockchain are just a few examples of technologies capable of delivering transformational change. To lead effectively, senior leaders have to be able to articulate the future vision for their companies in the context of the technologies that will get them there.

There isn’t a board chair or CEO on the planet who would not be thrilled to open new revenue streams or reach new customers – some of the top motivators for pursuing digital transformation. So, what is holding so many organizations back? A shortage of digitally fluent leaders is one impediment. Only a little more than half of survey respondents expressed confidence that their organizations’ leaders have a solid understanding of technology and its related benefits and risks. ISACA’s research shows that those organizations lacking digitally fluent leadership are less likely to evaluate technology opportunities.

Even those organizations that perform their due diligence in vetting new technologies often develop reservations once more is learned about the associated risks. A whopping 96% of survey respondents believe there is high or medium risk in deploying IoT devices, and more than 9 in 10 respondents also categorized public cloud and AI/machine learning/cognitive technology as posing medium to high risk.

The reality is every new technology introduced expands the attack surfaces and presents new risks. Organizations must move beyond that inherent discomfort and devote the necessary resources to mitigate risk to acceptable levels. Enterprises with effective information and technology governance programs can deliver better customer experiences, innovate more, and improve their business performance and profitability. Investing in well-trained, highly skilled professionals in areas such as audit, risk, governance and cyber security can provide enterprises the confidence they need to effectively and securely leverage their technology. Organizations should also resist the urge to take shortcuts in pilot testing or research and development when evaluating new technologies.

It’s important to have realistic expectations about digital transformation. Not every turn of the wheel on an enterprise’s journey can be a smashing success, and organizational leaders must give their team members the freedom to take a well-reasoned risk that may – or may not – yield the anticipated results. Those failures can provide unparalleled learning opportunities.

Organizations that remain committed to digital transformation can reap great rewards. From telecommunications giant Sprint tapping into big data, to a town in North Carolina, USA, shedding the yoke of legacy applications, there is no shortage of examples of enterprises large and small successfully harnessing digital transformation.

As the Latin proverb goes, fortune favors the bold. Enterprise leaders should embrace that mindset and make digital transformation a centerpiece of their organizations’ roadmaps toward a prosperous future.

Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA

[ISACA Now Blog]
