Category Archives: compliance

NBlog Dec 14 – choosing ISO27k products


On ISO27k Forum today, a new member asked for advice on whether a 'complete package' would help the organization achieve ISO/IEC 27001 certification.

It's hard to answer without knowing more about the organization and its people (especially the management and specialists), their experience and maturity in respect of information risk and security, and ISO management systems, and the business context. For example:
  • A small engineering company is in a different position to, say, a large charity, a government department or a multinational: its complexity, information risks, information security controls and other factors vary;
  • A company in a heavily-regulated industry such as healthcare, finance or defense is probably more compliance-driven, its management and workforce more comfortable with structured and systematic ways of working than, say, a retailer or farmers' cooperative;
  • An organization that is 'surrounded' or owned by ISO27k-certified organizations may be under more pressure to implement than a pioneer, especially if there are commercial pressures or contractual/regulatory obligations in this area (e.g. for privacy reasons);
  • A patently insecure organization that has suffered one or more serious infosec incidents, breaches, compliance failures etc. is likely to be under more intense pressure to reform and 'get secure' than one which is (or believes itself to be) relatively secure and doing OK at the moment, but perhaps looking into ISO27k as a strategic opportunity that supports other initiatives and complements other management systems;
  • A mature, specialized, narrowly-focused, relatively simple and stable organization (such as a steel mill) probably needs far less flexibility in its ISMS than one which is highly dynamic, growing fast, chasing different markets and proactively innovating (such as a manufacturer of IoT things).

Also, despite the additional wording in the original query, I'm not at all sure what a 'complete package' is. That might mean any of the following, alone or in combination:
  • Documentation e.g.:
    • Sets of ISO27k and possibly other standards (the core set of ISO/IEC 27000, 27001, 27002, 27003 and 27005 is almost universally recommended);
    • Generic template/skeleton ISMS documentation such as scope, SoA, RTP etc.;
    • Generic infosec policies and procedures etc.;
    • Generic project/program plans, frameworks etc.;
    • Generic, structured methods/approaches etc.;
    • Tailored documentation to suit the general type/size of business, industry etc.;
    • Bespoke or heavily customized documentation, competently tailored to suit a particular organization;
  • ISMS-related consultancy-type services of various kinds e.g.:
    • Training and awareness services for individuals, teams or the entire organization;
    • Help with the program and project governance and management aspects e.g. planning, resourcing, metrics, targets, project risk management;
    • Mentoring, guidance and advice for the CISO/ISM, ISMS implementation project manager/team and perhaps others e.g. senior management, risk management, IT audit, IT, Facilities, HR, Operations, Privacy ...;
    • All manner of gap analyses, reviews, audits, benchmarks etc. to assess and report on the current situation and help determine future directions, priorities etc.;
    • Full-time hands-on ISMS project and program management leading to permanent ISM and CISO roles;
    • Part-time local and/or remote support, advice, mentoring etc. for the permanent on-site team - including perhaps assistance with the recruitment and training of such a team;
    • Business development consultancy e.g. help to re-position and market the organization as an ISO27k-certified secure, trustworthy, reliable supplier or whatever;
  • Something else!

Some of those options above are much more valuable than others (note: 'valuable' is not the same as 'expensive': some are free!). Comprehensive materials and support services might suit your organization (if you can afford them, and if they cover all your requirements!), but you might be better off with an appropriate selection and combination of point-solutions addressing more specific weak-points and needs, complementing and reinforcing the organization's existing resources and capabilities.

Lastly, I'll throw in another important factor to consider: the nature, quality and value of the products (both goods and services) depends heavily on the suppliers or sources - their competence, experience, expertise (both depth and breadth), quality assurance, creativity and so forth. Are they new to the market, full of brash enthusiasm and bright ideas but short on history and perhaps credibility? Are they old, established, set-in-their-ways maybe? Are they ISO27k specialists (e.g. they ONLY offer ISO27k training courses), broader ISO27k and infosec suppliers (e.g. they provide training plus consulting plus systems) or generalists (e.g. the auditing/accounting/business consultancies)? Are they well-known and highly respected in the field with glowing customer references, or relatively unknown with dubious credentials? Oh, and are you certain the products on offer are what will actually be delivered (avoiding the old bait-n-switch scam)?

I hope this general advice helps. I appreciate that it raises far more issues than it answers ... but hopefully those questions and considerations are a lot more useful than the alternative "Well, it all depends!"

Overcoming the Cloud Security Compliance Conundrum

The growing demand for increased business agility and cost reductions in relation to IT infrastructure and applications is not a new agenda item for C-level executives. It has, however, remained a priority topic in 2018.

Compliance with various regulations and cloud security requirements has expanded as technology and cloud uptake advance — albeit not at a similar pace, leaving organizations with a challenging conundrum to solve. This is particularly relevant when executives consider cloud security and business transformations.

Balance the Costs and Benefits of Cloud Migration

The partnership between IBM and Red Hat announced earlier this year highlights a strategic vision to deliver transformational change to clients and meet cloud security demand. We’ve also seen record-breaking technological advancements and a growing number of data and application migrations to the cloud.

In general, these migrations follow either a hybrid or multicloud strategy. Hybrid cloud combines private infrastructure (typically on-premises) with public cloud services under common management. Multicloud means using multiple cloud computing service providers across a single heterogeneous environment for applications, software or infrastructure.

Whatever the strategy, cloud migrations involve transitioning and managing extensive processing and workloads outside of traditional IT infrastructure while addressing cloud security and compliance challenges. The main industries that are seeing an increased focus, volume and complexity of regulations are banking and financial services. In these sectors, many are pursuing innovative business strategies that drive requirements for critical infrastructure and applications to the cloud.

The regulatory compliance challenge for such innovation poses both an opportunity and a concern for the C-suite and boardroom. Financial institutions must confront the reality of dramatically increasing costs while also keeping pace with the legislative and regulatory changes arising from numerous regulatory bodies. Global organizations have the added burden of even more international and nation-specific regulations.

The cost of compliance is often high, but any effort to reduce staff without demonstrable and measurable improvements in compliance processes and technology could be viewed negatively by regulatory bodies, investors and shareholders.

Meet Cloud Security Compliance Requirements Head-On

One of the most common misconceptions we hear from clients is that moving to the cloud with data held by multiple third parties on shared systems will be a complex undertaking. Our view is that cloud services can be extremely secure and often a more stable option than utilizing existing internal IT infrastructure. However, there are some activities that need to be considered to meet regulatory compliance requirements, such as:

  • Deploying continuous monitoring of both technical and nontechnical cloud compliance requirements. This should also include corporate governance, cybersecurity and regulatory compliance controls;
  • Maintaining a unified source or framework of governance, risk and compliance information for how cloud services are utilized;
  • Developing executive and operational dashboards to provide visibility into cloud compliance statuses;
  • Implementing real-time alerting mechanisms for control failures with defined playbooks on how to respond to compliance failures from third-party providers; and
  • Ensuring that you can continuously synchronize new cloud services and capabilities with regulatory compliance requirements.

These cloud security to-dos can help your organization take on the seemingly daunting task of cloud migration while remaining secure and compliant.

The post Overcoming the Cloud Security Compliance Conundrum appeared first on Security Intelligence.

SecurityWeek RSS Feed: Rhode Island Sues Alphabet Over Google+ Security Incidents

A government organization in Rhode Island announced on Wednesday that it has filed a lawsuit against Google’s parent company, Alphabet Inc., over the recent security incidents involving the Google+ social network.


Continuous Compliance Eases Cloud Adoption for Financial Services Firms

Last month, I spoke during the Innovation Showcase at the Financial Services Information Sharing and Analysis Center (FS-ISAC) Fall Summit. The goal was to update this group of high-level security professionals on a continuous compliance managed services solution that helps solve the cloud compliance dilemma — and on the solution’s first successful implementation. In a consortium of more than 30 financial services firms building an industry-standard cloud control framework, almost all reported regulatory compliance as a major hurdle to cloud adoption.

Overcome the Challenges of Cloud Compliance

Financial institutions are eager to use the hybrid cloud as a productive workplace to achieve strategic goals. But as reported in our white paper, “Turning Regulatory Challenges of the Cloud Into Competitive Advantage,” firms must overcome three major cloud adoption challenges.

First, companies face different regulatory obligations in various geographies. Multinational organizations must map regulatory obligations to 26 different countries and jurisdictions as far-flung as Singapore, London and New York.

Second, cloud service providers (CSPs) often provide different levels of control in the cloud than in the data center. That leaves financial services firms to build the right controls to address how they store and use data and who can access it — wherever it is. Regulators express concern over the amount of sensitive information CSPs maintain, often without being subject to the stringent regulations that govern banks, according to Business Insider.

Third, financial services firms and CSPs need a common security framework. A major accomplishment was reaching a consensus among the consortium members on the Cloud Security Alliance (CSA) open source framework. Modifications make it possible to build a single framework that is fully integrated with risk management and cybersecurity controls.

Lay the Groundwork for Continuous Compliance

Our managed services solution helps answer these challenges with continuous compliance to meet requirements for workloads running on public clouds — not only for regulations impacting the cloud, but for the General Data Protection Regulation (GDPR), Financial Industry Regulatory Authority (FINRA), U.S. Securities and Exchange Commission (SEC) and other regulatory bodies. The solution was developed in three stages.

1. Build a Regulatory Database for All Geographies

A continuous compliance database maps to every regulatory authority around the world. The database also defines GDPR and other cybersecurity obligations. The service monitors changes and makes timely updates to an industry-standard cloud control framework and regulatory database.

2. Map All of the Regulations and Controls to Each CSP

Mapping to CSPs is critical to achieve a standard level of control and to meet or exceed controls financial services firms might use within their own firewalls. Our solution maps a standard set of controls to every CSP, whether it’s Amazon, Google, Microsoft or IBM.

3. Adapt the Solution to the Individual Financial Services Firm

Each financial services firm already maintains in-house controls. The managed services solution requires an adapter to map the standardized framework to the existing framework for each firm’s individual policies, standards and procedures.

Continuous Compliance in Action

One of the largest investment firms in the world recently implemented the continuous compliance managed services solution with impressive success. A team of back-office personnel previously spent each day combing the internet for new and changing legislation and determining the impacts on current controls. The employees made updates manually.

The work was painstaking, tedious, and labor- and time-intensive, but these compliance employees formed the firm’s frontline defense against regulatory risk. Our managed services solution will help enable the firm to reduce its staff while saving substantially on compliance and reducing the risk of regulatory fines and reputational damage.

Automate Compliance With Cognitive Computing

Compliance is not a one-time event, but rather an ongoing process of monitoring and maintaining. Automation and cognitive computing — including artificial intelligence (AI) and machine learning — are the engines behind better, more efficient cloud governance.

In the future, the continuous compliance service will use Watson for RegTech. Watson will initially ingest existing regulations. Then, Watson will not only identify changes and update regulations, but also revise the controls that correspond with each regulation. Once Watson is fully trained, the time to add a new regulation or update an existing one will shrink dramatically.

Transfer to Other Obligations, Technologies and Domains

Financial services firms ultimately need to be in complete, real-time alignment with their regulatory obligations worldwide. Firms can access the industry-standard database to consume and adapt to updates for policies, requirements and controls while still maintaining their own firm-specific controls and processes. Our managed services solution mainly covers financial services regulations for cloud computing. Going forward, look for the scope to extend to regulations covering myriad technologies and domains to help financial institutions of all stripes overcome their greater cloud adoption challenges.


The post Continuous Compliance Eases Cloud Adoption for Financial Services Firms appeared first on Security Intelligence.

The State of Security: Achieve Security Through Compliance in the Cloud

Digging through my cupboards recently, I came across my old collection of 3½ floppy disks. It’s been quite some time since I’ve had a need to plug in my trusty USB floppy drive, so upon making this great archaeological discovery, I was left simply to ponder about their content and whether I’d really intended to […]

The post Achieve Security Through Compliance in the Cloud appeared first on The State of Security.


Not all data collection is evil: Don’t let privacy scandals stall cybersecurity

Facebook continues to be criticized for its data collection practices. The media is hammering Google over how it handles data. JPMorgan Chase & Company was vilified for using Palantir software to allegedly invade the privacy of employees. This past June marked the five-year anniversary of The Guardian’s first story about NSA mass surveillance operations. These incidents and many others have led to an era where the world is more heavily focused on privacy and trust. […]

The post Not all data collection is evil: Don’t let privacy scandals stall cybersecurity appeared first on Help Net Security.

NBlog Dec 8 – bashing tick-n-bash


Auditing compliance with rules defined in policies, standards, laws and regulations is just one audit approach, commonly and disparagingly known as tick-n-bash auditing.
  

The rule says X
but you do Y
……. BASH!

It is like being rapped over the knuckles as a kid or zapping a trainee sheep dog through its radio-controlled shock collar. It's a technique that may work in the short term but it is crude and simplistic. The trainee/auditee is hurt and ends up resentful. Strong negative emotions persist long after the tears have dried and the bruising has gone down, making it counterproductive. It’s best reserved as a last resort, in my considered opinion.*

Certification audits are ultimately compliance audits but even they can be performed in a more sympathetic manner. The trick is to combine bashing (where justified) with explaining the requirements and encouraging compliance. It means motivating not just dragging people, and a lot more listening and observing to understand why things are the way they are.

Sometimes there are genuine, legitimate reasons for noncompliance, for example finding better ways to do things or competing priorities. Sometimes noncompliance achieves a better outcome for the organization and other stakeholders. Actively looking for and exploring such situations turns the audit into a more positive exercise, even if it turns out that noncompliance was indeed unjustified and problematic: the investigation will often turn up root causes that deserve to be addressed, enabling us to treat the disease, not just ameliorate the symptoms.

Competent, experienced auditors appreciate the value of downgrading relatively minor findings to ‘minor non-conformance’ status, or even on occasions ‘letting things ride’ with informal comments and motivational words of encouragement to the auditees. That then makes any remaining major issues stand out, focusing everyone’s attention on the Stuff That Really Matters – matters to the organization and other stakeholders, for legitimate business reasons. It’s no longer just a matter of “The rule says X”: there are reasons why rule X exists, reasons that deserve attention. Rule X is simply a means to an end, not an end in itself.

From there, it’s but a small step towards effectiveness and efficiency-based auditing, a more sophisticated and intelligent approach than crude compliance auditing. The idea is to identify sub-optimal activities that might usefully be adjusted to improve the outcomes, ultimately achieving business objectives and success. The approach focuses on the positives, on finding creative solutions that most benefit the organization (and, by the way, the individual auditees: more carrot = less stick!). The very premise that some activities might be ‘sub-optimal’ implies a deeper level of understanding about what ‘optimal’ actually means in that context, and a wider appreciation of good practices and alternatives. Being able to recite the rules verbatim, and carry a big stick, is no longer the mark of a good auditor!

In the ISO27k context, the information security controls recommended by ISO/IEC 27002 are intended to address specified control objectives. However, they aren't guaranteed always to achieve those objectives in any given situation, nor are those objectives necessarily relevant and sufficient. Both the control objectives and the controls are generic - general advice intended to suit most organizations. Both need to be interpreted in the specific context of a particular organization. Both may need to be supplemented, extended, modified or ignored in various circumstances. That complexity makes it too tough for straightforward compliance auditors, apparently, demonstrating a fundamental limitation of the tick-n-bash approach. That's why an ISO/IEC 27001 compliance certificate confirms the presence of a 'management system' for information risk and security, rather than a secure organization with all the appropriate information security controls in place.

ISO/IEC 27001 specifies that internal audits must be performed on the Information Security Management System but does a poor job of explaining them. In particular, it uses the word 'conforms', a synonym for 'complies', with the unfortunate implication that auditing is compliance auditing:

Taking my own medicine, I ask myself "Why? Why does the standard equate auditing with compliance auditing?" The answer lies with the experts responsible for the ISO27k standards, in their biases and prejudices about auditing ... which in turn reflects their experience of auditing ... which I presume is largely compliance auditing ... and so the loop continues. 

Breaking the committee out of that vicious cycle is an objective I have thus far failed to achieve but the current round of standards revision presents another opportunity, a chance to explain, persuade and hopefully convince. Not bash, oh no. 

Longer term, I'd like to push ISO27k further into the realms of assurance and accountability, and beef-up its advice on governance, information risk management, business continuity, and business for that matter. The business context and objectives for information security would be fascinating to explore and elaborate further on. One day maybe. I've learnt to pick my battles though: it takes a winning strategy to succeed in war.


* PS I have the same philosophy in security awareness and training. To me, security awareness and training works best as a positive, motivational and inspirational technique. Dire warnings and penalties may be necessary to curb inappropriate behaviors and instill discipline but that's a last resort, best reserved for when other techniques have failed. Clearly, I'm no sadist.

Protect the Keys to Your Kingdom With Privileged Access Management

The importance of implementing privileged access management (PAM) is undeniable. A user with privileged access holds the keys to the kingdom, access to the highly valuable and confidential information that is often targeted by cybercriminals and malicious insiders. In fact, Gartner listed PAM as the No. 1 project for security teams to explore in 2018.

“This project is intended to make it harder for attackers to access privileged accounts and should allow security teams to monitor behaviors for unusual access,” Gartner advises.

PAM tools are critically important and must work together with identity governance, authentication, and application, network and cloud security. But how are organizations doing with actually implementing PAM solutions?

Thycotic, a PAM provider and partner of IBM Security, released its “2018 Global State of Privileged Access Management Risk and Compliance” report earlier this year. The report revealed that privileged credentials are at great risk due to inadequate policies, poorly executed processes and insufficient controls. There are major risk and compliance gaps in how organizations manage and secure their privileged accounts and access to sensitive systems, infrastructure and data. While most organizations acknowledge the important role PAM plays in their cybersecurity posture, a shocking 70 percent of organizations would fail an access controls audit, putting their privileged credentials at high risk.

Establish Consistent Access Control Processes

Organizations must develop consistent processes for granting employees access to privileged accounts and for handling the associated passwords securely, so that privileged access is obtained only through a controlled path. Without consistent, repeatable access control processes, such as rotating credentials, granting and revoking access, and producing risk and compliance reports, privileged access goes unmanaged and the organization is exposed.

As stated in the Thycotic report, 70 percent of organizations fail to fully discover privileged accounts, and 40 percent do nothing at all to discover these accounts. You cannot secure and manage what you do not know you have. Privileged accounts are often unknown, unmanaged and unprotected due to manual processes or error. There must be an established privileged account discovery process in place.

Audit and Track User Behavior

As Gartner noted, security teams should be able to monitor user behavior for unusual access. This is crucial, especially when it comes to privileged access. According to the Thycotic report, 63 percent of organizations do not track and alert on failed login attempts for privileged accounts.

All critical systems should have full audit logs to track logins and activities. Access to audit logs should be restricted, and they should be checked regularly and monitored for changes. Without auditing and tracking, there is no accountability for who is using these accounts and no way to properly analyze an incident and mitigate its damage.
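The two points above, a privileged account discovery process and tracking failed logins against privileged accounts, fit together: you can only alert on the accounts you know about. The following Python is my own added illustration, not code from the original post, Thycotic or IBM. It enumerates privileged accounts from constructed /etc/passwd, /etc/group and sudoers fragments (uid 0, membership of an admin group including primary groups, and direct or %group sudoers entries), then feeds that set into a sliding-window detector run over constructed sshd log lines. The admin group names, the year assumed for the year-less syslog timestamps, the account names and the source addresses are all assumptions, and the sudoers parser handles only plain user and %group specifications, not aliases or include directives.

```python
"""Privileged-account discovery and failed-login alerting.  Added illustration,
not code from the original post, Thycotic or IBM; every input below is constructed
and the account names, groups, sudoers lines and source IPs are hypothetical."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIV_GROUPS = {"root", "wheel", "sudo", "admin"}  # assumption: admin groups on this host
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/sh
svc_backup:x:1002:1002::/var/backups:/bin/sh
"""
GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:bob
"""
SUDOERS = """\
# constructed fragment; aliases and @include directives are not handled
root       ALL=(ALL:ALL) ALL
%wheel     ALL=(ALL) ALL
svc_backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""
AUTH_LOG = """\
Dec  7 09:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Dec  7 09:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Dec  7 09:00:05 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Dec  7 09:00:07 host sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Dec  7 09:01:10 host sshd[1005]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2
Dec  7 09:02:00 host sshd[1006]: Failed password for bob from 198.51.100.9 port 50002 ssh2
Dec  7 10:30:00 host sshd[1007]: Failed password for svc_backup from 203.0.113.9 port 40010 ssh2
"""

def discover_privileged(passwd, group, sudoers):
    """account -> sorted reasons: uid 0, admin-group membership, or a sudoers entry."""
    reasons, gid_to_group, members = defaultdict(set), {}, {}
    for line in group.splitlines():
        if line.strip() and not line.startswith("#"):
            gname, _, gid, mlist = line.split(":")
            gid_to_group[gid] = gname
            members[gname] = {m for m in mlist.split(",") if m}
    for line in passwd.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, gid = line.split(":")[:4]
        if uid == "0":
            reasons[name].add("uid 0")
        if gid in gid_to_group:  # primary-group membership is not listed in /etc/group
            members.setdefault(gid_to_group[gid], set()).add(name)
    for gname in PRIV_GROUPS:
        for m in members.get(gname, ()):
            reasons[m].add(f"member of {gname}")
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        who = line.split()[0]
        if who.startswith("%"):
            for m in members.get(who[1:], ()):
                reasons[m].add(f"sudoers via {who}")
        else:
            reasons[who].add("sudoers entry")
    return {u: sorted(r) for u, r in reasons.items()}

FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def failed_privileged_logins(auth_log, privileged, year=2018):
    """[(timestamp, user, source)] for failed sshd logins against `privileged`;
    syslog lines carry no year, so one is assumed."""
    events = []
    for line in auth_log.splitlines():
        m = FAILED_RE.match(line)
        if m and m["user"] in privileged:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["src"]))
    return events

def alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Per-account sliding window: alert once `threshold` failures fall inside
    `window`, then clear it so a burst yields one alert rather than one per attempt."""
    out, recent = [], defaultdict(list)
    for ts, user, src in sorted(events):
        hist = recent[user]
        hist.append((ts, src))
        while ts - hist[0][0] > window:
            hist.pop(0)
        if len(hist) >= threshold:
            out.append({"user": user, "count": len(hist), "last_seen": ts,
                        "sources": sorted({s for _, s in hist})})
            hist.clear()
    return out

if __name__ == "__main__":
    priv = discover_privileged(PASSWD, GROUP, SUDOERS)
    print(priv, alerts(failed_privileged_logins(AUTH_LOG, set(priv))), sep="\n")
```

Run stand-alone it lists root, toor, alice, bob and svc_backup with the reason each is privileged (toor is the kind of second uid-0 account that manual inventories miss) and raises exactly one alert, for root, after three failures from 203.0.113.5 inside five minutes. The "invalid user admin" line is not counted because admin is not a known privileged account, which is a deliberate choice here; many teams would alert on guessing against non-existent admin names as well. The single failures for bob and svc_backup stay below the threshold. The same window logic translates directly into a SIEM correlation rule, and the discovery set has to be refreshed whenever accounts, groups or sudoers change.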

Take Control of Your Privileged Access Management

Don’t get left in the dust. Build a proactive PAM program that doesn’t fall short on policies, processes and controls. A leading privileged access management solution should protect privileged accounts from cybercriminals and insider threats, help ensure compliance with evolving regulations, and give authorized employees access to the tools and information they need to drive productivity. Lastly, it should protect privileged accounts from misuse and enable organizations to enforce least privilege policies and control applications to reduce their attack surface.


The post Protect the Keys to Your Kingdom With Privileged Access Management appeared first on Security Intelligence.

NBlog Dec 7 – who owns the silos?


Michael Rasmussen has published an interesting, thought-provoking piece about the common ground linking specialist areas such as risk, security and compliance, breaking down the silos.

“Achieving operational resiliency requires a connected view of risk to see the big picture of how risk interconnects and impacts the organization and its processes. A key aspect of this is the close relationship between operational risk management (ORM) and business continuity management (BCM). It baffles me how these two functions operate independently in most organizations when they have so much synergy.”

While Michael’s perspective makes sense, connecting, integrating or simply seeking alignment between diverse specialist functions is, let's say, challenging. Nevertheless, I personally would much rather collaborate with colleagues across the organization to find and jointly achieve shared goals that benefit the business than perpetuate today's blinkered silos and turf wars. At the very least, I'd like to understand what drives and constrains, inspires and concerns the rest of the organization, outside my little silo.

Once you start looking, there are lots of overlaps, common ground, points of mutual interest and concern. Here are a few illustrative examples:
  • Information risk, information security, information technology: the link is glaringly obvious, and yet usually the second words are emphasized leaving the first woefully neglected;
  • Risk and reward, challenge and opportunity: these are flip sides of the same coin that all parts of the business should appreciate. Management is all about both minimizing the former and maximizing the latter. Business is not a zero-sum game: it is meant to achieve objectives, typically profit and other forms of successful outcomes. And yes, that includes information security!
  • Business continuity involves achieving resilience for critical business functions, activities, systems, information flows, supplies, services etc., often by mitigating risks through suitable controls. The overlap between BCM, [information] risk management and [information] security is substantial, starting with the underlying issue of what 'critical' actually means to the organization;
  • Human Resources, Training, Health and Safety and Information Risk and Security are all concerned with people, as indeed is Management. People are tricky to direct and control. People have their own internal drivers and constraints, their biases and prejudices, aims and objectives. Taming the people without destroying the sparks of creativity and innovation that set us apart from the robots is a common challenge ... and, before long, taming those robots will be the next common challenge.

Dig deeper still and you'll also find points of mutual disinterest and conflicts within the organization. Marketing, for instance, yearns to obtain and exploit all the information it can possibly obtain on prospective customers, causing sleepless nights for the Privacy Officer. Operations find it convenient or necessary to use shared accounts on shop-floor IT systems in the interest of speed, efficiency, safety etc. whereas Information Risk and Security point out that they are prohibited under corporate-wide security policies for accountability and control reasons.

You could view the organization as a multi-dimensional framework of interconnections and tensions between its constituent parts, all heading towards roughly the same goal/s (hopefully!) but on occasions pulling any which way at different speeds to get there. To make matters still more complex, the web of influence extends beyond the organization through its proximal contacts to The World At Large. That takes us into the realm of chaos theory, global politics and sociology. 'Nuff said.

All the organization's activities fall under the umbrella of corporate governance, senior managers clarifying the organization's grand objectives and optimizing the organization's overall performance by establishing and monitoring the corporate structures, hierarchies, strategies, policies and other directives, information flows, relationships, systems, management arrangements etc. necessary to achieve them. Driving alignment and reducing conflicts is part of the governance art. Silos are governance failures.

Measuring privacy operations: Use of technology on the rise

Critical privacy program activities such as creating data inventories, conducting data protection impact assessments (DPIA), and managing data subject access rights requests (DSAR) are now well established in large and small organizations in both Europe and the United States, according to TrustArc and the International Association of Privacy Professionals (IAPP). “Among our thousands of members, we know that privacy teams are now reporting on a regular basis to company leadership, and consequently they need to […]

The post Measuring privacy operations: Use of technology on the rise appeared first on Help Net Security.

Researchers: GDPR Already Having Positive Effect on Cybersecurity in EU

The General Data Protection Regulation (GDPR) seems to already be having a positive effect on the state of cybersecurity in Europe less than seven months after it took effect, showing that policy indeed can have a direct effect on organizations' security practices, security researchers said.

The post Researchers: GDPR Already Having Positive Effect...


Advancing Security Operations Through the Power of a SIEM Platform

The 2018 Gartner Magic Quadrant for Security Information and Event Management (SIEM) has recently been published, and in reading it, it seemed like a good time to reflect upon the latest trends in this well-established yet continuously evolving market. In its early days, the SIEM market was primarily driven by audit and compliance needs. But, as the threat landscape evolved and attackers became more sophisticated, SIEM solutions have had to keep up. A technology that was initially meant for compliance evolved into threat detection, and now, in many cases, it sits at the epicenter of the security operations center (SOC).

While not all SIEM providers have survived this decade of transition, the leading vendors have evolved to help security teams keep up with today’s constant barrage of threats, better defend new environments from advanced and targeted attacks, and effectively address threats despite a growing cybersecurity skills shortage. While some SIEMs did die, the old adage of “SIEM is dead” is certainly not true.

Read the full report

3 Key Trends in SIEM Evolution

When I look back at the last 12 to 18 months, three key trends have had a major impact on the next phase of SIEM evolution.

First, adversaries continue to use tactics such as well-crafted spear phishing emails to exploit users, compromise credentials and use insider access to steal critical enterprise data. As these threats increasingly become signature-less, defenders need new ways to identify not just known threats, but also symptoms of unknown threats. As this need has grown, so have technologies such as machine learning and advanced historical analysis, which help detect anomalous behaviors and enable defenders to respond faster so they can stop attackers before damage is done.

Second, the adoption of new technologies, such as cloud infrastructure and the Internet of Things (IoT), has increased the attack surface and, in many cases, created new blind spots. While these new systems and environments can help create new business advantages, they can also create new risks. As a result, more than ever before, security teams are looking to SIEM solutions to gain a comprehensive, centralized view into cloud environments, on-premises environments, and network and user activity to increase their situational awareness and enable them to better manage cybersecurity risks.

Third, thanks to a growing cybersecurity skills shortage, organizations are demanding solutions that are easier to deploy, manage and maintain. Modern threat detection capabilities require an ever-growing number of data sources, and the addition of those data sources can require significant integration and tuning effort. Resource-constrained teams simply don’t have the luxury of allocating this much time or effort to managing a solution. Instead, they demand ongoing assistance to continuously improve detection and investigation processes — without needing to dedicate expensive in-house experts or buy months of professional services.

Security Teams Need a More Advanced SIEM Solution

In the past year, the leading SIEM vendors recognized the above three market trends and invested significant effort into evolving their solutions to address the challenges. Through developing open app-based ecosystems, vendors are now able to easily deliver prebuilt integrations, security use cases and reports that can be easily consumed. As a result, customers are able to address what matters most in their unique environments without introducing unnecessary complexity or requiring major system upgrades.

For example, to address more sophisticated attackers, security teams should be able to leverage prebuilt, fully integrated analytics for targeted use cases, such as detecting endpoint threats, compromised user credentials and data exfiltration over the Domain Name System (DNS). This approach can help security teams leverage their vendor’s expertise to outpace attackers — without having to become experts in each and every technology themselves.

To better address the rapid adoption of new technologies such as infrastructure-as-a-service (IaaS), security teams should be able to easily integrate their SIEM platform with cloud environments such as AWS, Azure and Google Cloud to gain centralized visibility into misconfigurations and emerging threats such as cryptocurrency mining.

Lastly, to help address the challenges associated with the cybersecurity skill shortage, organizations can look to solutions that provide built-in automation and intelligence. Unique offerings such as cognitive assistants are available to provide intelligent insights into the root cause, scope, severity and attack stage of a threat, helping security analysts punch above their cybersecurity weight class. Additional expertise can be provided with built-in guidance to help analysts address new use cases and more easily tune systems. As a result of these innovations, security teams can become more effective despite having limited resources and budgets.

Leading the Way With New SIEM Platform Innovations

As the landscape continues to evolve, cybersecurity teams can no longer rely on closed, complex solutions for threat detection and investigation. Instead, they need to be able to rely on a proven, flexible SIEM platform that offers open ecosystems packed with out-of-the-box integrations, security use cases and reports to address a variety of needs — ranging from compliance to advanced threat detection — across on-premises and cloud-based environments.

This year, we’re proud that IBM was named a Leader in the 2018 Gartner Magic Quadrant for SIEM, marking our 10th consecutive year in the “Leaders” Quadrant. But we’re even prouder that organizations continue to choose IBM QRadar day in and day out because of our demonstrated commitment to their evolving needs.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Advancing Security Operations Through the Power of a SIEM Platform appeared first on Security Intelligence.

A New Privacy Frontier: Protect Your Organization’s Gold With These 5 Data Risk Management Tips

This is the third and final blog in a series about the new digital frontier for data risk management. For the full picture, be sure to read part 1 and part 2.

Mining customer information for valuable nuggets that enable new business opportunities gets riskier by the day — not only because cyberthieves constantly find new ways to steal that gold, but also due to the growing number of privacy regulations for corporations that handle increasingly valuable data.

The enactment of the European Union (EU)’s General Data Protection Regulation (GDPR) in May of this year was just the start. Beginning in early 2020, the California Consumer Privacy Act of 2018 (CCPA) will fundamentally change the way businesses manage the personal information they collect from California residents. Among other changes, organizations will find a much broader definition of personal information in the CCPA compared to other state data breach regulations. Pundits expect this legislation to be followed by a wave of additional data privacy laws aimed at shoring up consumers’ online privacy.

One major factor behind these new regulations is the widely perceived mishandling of personal information, whether intentionally or unintentionally as a result of a serious data breach perpetrated by cybercriminals or malicious insiders.

Taming the Wild West With New Privacy Laws

The first GDPR enforcement action happened in September, when the U.K. Information Commissioner’s Office charged Canadian data analytics firm AggregateIQ with violating the GDPR in its handling of personal data for U.K. political organizations. This action highlights the consequences that come with GDPR enforcement beyond the regulation’s potential penalty of up to 20 million euros, or 4 percent of a company’s annual revenues worldwide, whichever is higher. It can also require the violator to cease processing the personal information of affected EU citizens.

Although the CCPA does not take effect until January 2020, companies that handle the personal information of Californians will need to begin keeping records no later than January 2019 to comply with the new mandate, thanks to a 12-month look-back requirement. The act calls for new transparency and disclosure processes to address consumer rights, including the ability to opt in and out, access and erase personal data, and prevent its sale. It applies to most organizations that handle the data of California residents, even if the business does not reside in the state, and greatly expands the definition of personal information to include IP addresses, geolocation data, internet activity, households, devices and more.

While it’s called the Consumer Privacy Act, it really applies to any resident, whether they are a consumer, employee or business contact. There may still be corrections or clarifications to come for the CCPA — possibly including some exclusions for smaller organizations as well as health and financial information — but the basic tenets are expected to hold.

Watch the on-demand webinar to learn more

Potential Civil Lawsuits and Statutory Penalties

The operational impact of these new regulations will be significant for businesses. For example, unlike other regulations, companies will be required to give consumers a “do not sell” button at the point of collecting personal information. Companies will also be required to include at least two methods to submit requests, including a toll-free number, in their privacy statements.

The cost of failure to comply with data privacy regulations is steep. Organizations could face the prospect of civil penalties levied by the attorney general, from $2,500 for each unintentional violation up to $7,500 for each intentional violation, with no upper limit. Consumers can also sue organizations that fail to implement and maintain reasonable security procedures and practices and receive statutory payments between $100 and $750 per California resident and incident or actual damages, whichever is greater. Because California is one of the most populous states in the nation and represents the fifth-largest economy in the world, a major breach affecting its residents could be disastrous.

5 Tips to Help Protect Your Claim

The need to comply with data privacy regulations has obviously taken on greater urgency. To do it effectively requires a holistic approach, rather than one-off efforts aimed at each specific set of regulations. Organizations need a comprehensive program that spans multiple units, disciplines and departments. Creating such a program can be a daunting, multiyear effort for larger organizations, one that requires leadership from the executive suite to be successful. The following five tips can help guide a coordinated effort to comply with data privacy regulations.

1. Locate All Personal and Sensitive Data

This information is not just locked up in a well-secured, centralized database. It exists in a variety of formats, endpoints and applications as both structured and unstructured data. It is handled in a range of systems, from human resources (HR) to customer relationship management (CRM), and even in transactional systems if they contain personally identifiable data.

Determining where this information exists and its usage, purpose and business context will require the help of the owners or custodians of the sensitive data. This phase can take a significant amount of time to complete, so take advantage of available tools to help discover sensitive data.

2. Assess Your Security Controls

Once personal data is identified, stakeholders involved in creating a risk management program must assess the security controls applied to that data to learn whether they are adequate and up-to-date. As part of this activity, it is crucial to proactively conduct threshold assessments to determine whether the business and operating units are under the purview of the CCPA.

At the same time, it’s important to assess how personal information is handled and by whom to determine whether processes for manipulating the data need to change and whether the access rights of data handlers are appropriate.

3. Collaborate Across the Enterprise

Managing data risk is a team effort that requires collaboration across multiple groups within the organization. The tasks listed here require the involvement of data owners, line-of-business managers, IT operations and security professionals, top executives, legal, HR, marketing, and even finance teams. Coordination is required between data owners and custodians, who must establish appropriate policies for who can access data, how it should be handled, the legal basis for processing, and where it should be stored, and IT security professionals, who are responsible for enforcing those policies.

4. Communicate With Business Leaders

Effectively communicating data risk, including whether existing controls are adequate or require additional resources and how effectively the organization is protecting customer and other sensitive data, requires a common language that can be understood by business executives. Traditional IT security performance metrics, such as block rates, vulnerabilities patched and so on, don’t convey what the real business risks are to C-level executives or board members. It’s critical to use the language of risk and convey data security metrics in the context of the business.

5. Develop a Remediation Plan

Once the business’s compliance posture with the CCPA is assessed, organizations should develop risk remediation plans that account for all the processes that need to change and all the relevant stakeholders involved in executing the plan.

Such a plan should include a map of all relevant personal information that takes into account where the data is stored, how it is used and what controls around that data need to be updated. It should also describe how the organization will safely handle access, deletion and portability requests from California residents, as well as process opt-out requests for sharing their data.

Automate Your Data Risk Management Program

Thankfully, there are tools available to help automate some of the steps required in developing and maintaining a holistic data risk management initiative. Useful data from security information and event management (SIEM), data loss prevention (DLP), application security, and other IT tools can be combined with advanced integration platforms to streamline efforts.

Privacy mandates such as the GDPR and the CCPA are just the start; a California-style gold rush of data privacy regulations is on the horizon. Countries such as Brazil and India are already at work on new data privacy laws. A comprehensive data risk management program established before more regulations go into effect is well worth its weight in gold.


The post A New Privacy Frontier: Protect Your Organization’s Gold With These 5 Data Risk Management Tips appeared first on Security Intelligence.

California IoT Security Law: A Nearsighted, Toothless Guard Dog or a Wolf in Sheep’s Clothing?

With three new sections added to the California Civil Code, California became the first U.S. state with a cybersecurity law specifically for internet-connected devices on September 28, 2018. The new Security of Connected Devices law will take effect on January 1, 2020.

The Basics

The new law requires manufacturers of connected devices to equip the […]

The post California IoT Security Law: A Nearsighted, Toothless Guard Dog or a Wolf in Sheep’s Clothing? appeared first on The State of Security.

SecurityWeek RSS Feed: Kaspersky’s U.S. Government Ban Upheld by Appeals Court

The U.S. government’s ban on software made by Russia-based cybersecurity firm Kaspersky Lab remains in place, a federal appeals court in Washington, DC, ruled on Friday.

The court said Kaspersky had failed to demonstrate that the ban was an unconstitutional legislative punishment.


NBlog Dec 1 – security awareness on ‘oversight’

We bring the year to a close with an awareness and training module on a universal control that is applicable and valuable in virtually all situations in some form or other. Oversight blends monitoring and watching-over with directing, supervising and guiding, a uniquely powerful combination.

The diversity and flexibility of the risk and control principles behind oversight are applied naturally by default, and can be substantially strengthened where appropriate. Understanding the fundamentals is the first step towards making oversight more effective, hence this is a cracker of an awareness topic with broad relevance to information risk and security, compliance, governance, safety and all that jazz.

It’s hard to conceive of a security awareness and training program that would not cover oversight, but for most it is implicit, lurking quietly in the background. NoticeBored draws it out, putting it front and center.

In the most general sense, very few activities would benefit from not being overseen in some fashion, either by the people and machines performing them or by third parties.

To a large extent, management is the practical application of oversight. It’s also fundamental to governance, compliance and many controls, including most of those in information risk and security.

Imagine, if you can, a world without any form of oversight where:
  • People and organizations were free to do exactly as they wish without fear of anyone spotting and reacting to their activities;
  • Machines operated totally autonomously, with nobody monitoring or controlling them;
  • Organizations, groups and individuals acted with impunity, doing whatever they felt like without any guidance, direction or limits, nobody checking up on them or telling them what to do or not to do;
  • Compliance was optional at best, and governance was conspicuously absent.

Such a world may be utopia for anarchists, egocentrics and despots but a nightmare scenario for information risk and security professionals, and for any civilized society!

Read more about December's NoticeBored security awareness and training module then get in touch to subscribe.

Keeping data swamps clean for ongoing GDPR compliance

The increased affordability and accessibility of data storage over recent years can be both a benefit and a challenge for businesses. While the ability to stockpile huge volumes and varieties of data can deliver previously unattainable intelligence and insight, it can also result in ‘data sprawl’, with businesses unclear of exactly what information is being stored, where it’s being held, and how it’s being accessed. The introduction of the General Data Protection Regulation (GDPR) in …

The post Keeping data swamps clean for ongoing GDPR compliance appeared first on Help Net Security.

Serbia Enacts New Data Protection Law

On November 9, 2018, Serbia’s National Assembly enacted a new data protection law. The Personal Data Protection Law, which becomes effective on August 21, 2019, is modeled after the EU General Data Protection Regulation (“GDPR”).

As reported by Karanovic & Partners, key features of the new Serbian law include:

  • Scope – the Personal Data Protection Law applies not only to data controllers and processors in Serbia but also those outside of Serbia who process the personal data of Serbian citizens.
  • Database registration – the Personal Data Protection Law eliminates the previous requirement for data controllers to register personal databases with the Serbian data protection authority (“DPA”), though they will be required to appoint a data protection officer (“DPO”) to communicate with the DPA on data protection issues.
  • Data subject rights – the new law expands the rights of data subjects to access their personal data, gives subjects the right of data portability, and imposes additional burdens on data controllers when a data subject requests the deletion of their personal data.
  • Consent – the Personal Data Protection Law introduces new forms of valid consent for data processing (including oral and electronic) and clarifies that the consent must be unambiguous and informed. The prior Serbian data protection law only recognized handwritten consents as valid.
  • Data security – the new law requires data controllers to implement and maintain safeguards designed to ensure the security of personal data.
  • Privacy by Design – the new law obligates data controllers to implement privacy by design when developing new products and services and to conduct data protection impact assessments for certain types of data processing.
  • Data transfers – the Personal Data Protection Law expands the ways in which personal data may be legally transferred from Serbia. Previously, data controllers were required to obtain the approval of the Serbian DPA for any transfers of personal data to non-EU countries. The new law permits personal data transfers based on standard contractual clauses and binding corporate rules approved by the Serbian DPA. Organizations can also transfer personal data to countries deemed to provide an adequate level of data protection by the EU or the Serbian DPA or when the data subject consents to the transfer.
  • Data breaches – like the GDPR, the new law requires data controllers to notify the Serbian DPA within 72 hours of a data breach and will require them to notify individuals if the data breach is likely to result in a high risk to the rights and freedoms of individuals. Data processors must also notify the relevant data controllers in the event of a data breach.

The new law also imposes penalties for noncompliance, but these are significantly lower than those contained in the GDPR. The maximum fines in the new Serbian law are only 17,000 Euros, while the maximum fines in the GDPR can reach up to 20 million Euros or 4% of an organization’s annual global turnover.

In 2012, Lisa Sotto, partner and chair of the Privacy and Cybersecurity practice at Hunton Andrews Kurth, advised the Serbian government on steps to enhance Serbia’s data protection framework.

Why Is the Retail Industry Still Lacking Security?

As another busy shopping season kicks into high gear, many of us will head to online retail sites and apps to check items off our holiday gift lists. Security leaders should be mindful that if users do their shopping while at work, they are putting sensitive data — and possibly even the corporate network — at risk. That’s because retail industry sites and systems are too often poorly secured.

A recent survey from third-party risk management firm SecurityScorecard found that retail is among the lowest-ranked industries in terms of its security stance. The report looked at 1,444 domains in the industry with an IP footprint of at least 100 and found that retail had the second-lowest app security performance among major sectors, outperforming only the entertainment industry. What are retailers doing wrong?

Why Can’t Retailers Make the Grade?

“This year the retail industry’s security posture fell lower than in years past, both in application security and social engineering,” Fouad Khalil, head of compliance at SecurityScorecard, said in a press release. “To remain competitive, retailers are adopting new payment and digital technologies, exposing them as prime targets for cybercriminals.”

Despite the establishment of the Payment Card Industry Data Security Standard (PCI DSS) in 2004, SecurityScorecard found that many retailers are largely ignoring it. More than 90 percent of the retail domains analyzed indicated noncompliance with the standard. Retailers that suffer a breach while out of PCI compliance face steep financial penalties.

“As organizations assess their compliance with PCI DSS, they must be able to detect, remediate and recover from any threats or vulnerabilities adding risk to unauthorized access to CDE,” said Khalil in response to the findings.

Listen to the podcast: Examining the State of Retail Security

The Customer Experience Trumps Retail Security

Convenience and the user experience have always contributed to poor retail app security, noted Ron Schlecht, managing partner at cybersecurity consulting firm BTB Security.

“The focus is so much on how technology fills or creates business value, that security is oftentimes an afterthought,” he said. “The only true way to get ahead of this issue in this industry and to protect itself from an increasing level of sophistication in attacks is executive buy-in to the issue, as well as a cohesive security strategy at each organization to make this a priority.”

In an extremely competitive sales landscape, retailers still place precedence on what users want, and front-end ease of transaction wins over back-end retail app security. As a result, according to Mike Wilson, chief technology officer (CTO) of PasswordPing, merchants are reluctant to implement security measures that could get in the way of making a sale.

“Any ‘fraud-proof’ e-commerce solution would need to include so many obstacles to block bad actors that real customers would find it practically impossible to complete a transaction,” said Wilson. “Many industries are able to apply security solutions that add some friction to their user experience in exchange for better security, but the retail industry knows that their consumers will go elsewhere if it’s not a seamless experience.”

Attackers Exploit Poor Security Awareness in Retail

Retailers have historically displayed little awareness about security. Despite numerous high-profile breaches over the years that have impacted major merchants, that dearth of understanding continues to cause problems.

The SecurityScorecard report noted that social engineering scams that target retailers are on the rise and ranked the industry last in security against such threats. As retail becomes increasingly digital, this trend could become even worse.

“The way we shop has changed drastically in the last few years,” said Migo Kedem, senior director of product at SentinelOne. “Retail is traditionally a low-tech business. The new technology brings new security challenges, and these ‘digital shoplifters’ can’t be simply scared away using security sensors. The current way of life requires a different security approach that can protect your assets from cyberthreats.”

Scott Swenka, an IT security specialist working for a large grocery chain, believes a lack of security-minded leadership is causing the industry to fall behind others when it comes to risk mitigation.

“They lag behind because most public retail organizations have boards that are built out of retail-based leaders and simply do not have an understanding of technology and how it affects them,” he said.

How Can Retailers Catch Up?

While PCI does not appear to have improved security in retail, regulations that target point-of-sale (POS) systems have the potential to make a measurable impact in the future, said Jim Barkdoll, CEO at security vendor TITUS.

“Regulation will force the necessary cultural shift in how retailers approach security,” he predicted. “Even those that have had a breach tend to relax their focus on security practices after the public attention around their breach wanes, driving long-term security investments lower on their list of priorities. Regulation changes that and will force a continued and consistent adherence to security policies and practices.”

Security leaders at retail organizations can address this problem by practicing secure development and operations (DevSecOps) and monitoring emerging threats in the digital landscape. If developers build retail apps with security baked in from the beginning of the development process, retail systems will gradually become more secure from the ground up.

Data should be encrypted during system communication and storage, and apps should employ authentication between the app and its servers. Apps should also require customer authentication via factors such as one-time passwords (OTP) and biometrics.

As is the case in many industries, most retail organizations prioritize innovation and customer retention before security. But as consumers become more concerned about their own digital security and privacy, retailers must invest in new security technologies and practices and lean on industry experts to help build secure systems.

The post Why Is the Retail Industry Still Lacking Security? appeared first on Security Intelligence.

Why compliance is never enough

Organizations are well aware of the security risks inherent in our hyper-connected world. However, many are making the mistake of focusing their attention on being compliant rather than on ensuring that their security strategy is effective and efficient. As the threat landscape continues to evolve, this type of compliance-driven, checkbox mentality is setting many organizations up for a potentially disastrous fall (or breach). Being in compliance does not guarantee that a company has a comprehensive …

The post Why compliance is never enough appeared first on Help Net Security.

GDPR’s impact: The first six months

GDPR is now six months old – it’s time to take an assessment of the regulation’s impact so far. At first blush it would appear very little has changed. There are no well-publicized actions being taken against offenders. No large fines levied. So does this mean it’s yet another regulation that will be ignored? Actually nothing could be farther from the truth. The day GDPR came into law, complaints were filed by data subjects against …

The post GDPR’s impact: The first six months appeared first on Help Net Security.

NBlog Nov 22 – SEC begets better BEC sec

According to an article on CFO.com by Howard Scheck, a former chief accountant of the US Securities and Exchange Commission’s Division of Enforcement: 
"Public companies must assess and calibrate internal accounting controls for the risk of cyber frauds. Companies are now on notice that they must consider cyber threats when devising and maintaining a system of internal accounting controls."

A series of Business Email Compromise frauds (successful social engineering attacks) against US companies evidently prompted the SEC to act. Specifically, according to Howard:
"The commission made it clear that public companies subject to Section 13(b)(2)(B) of the Securities Exchange Act — the federal securities law provision covering internal controls — have an obligation to assess and calibrate internal accounting controls for the risk of cyber frauds and adjust policies and procedures accordingly."
I wonder how the lawyers will interpret that obligation to 'assess and calibrate' the internal accounting controls? I am not a lawyer but 'assessing' typically involves checking or comparing something against specified requirements or specifications (compliance assessments), while 'calibration' may simply mean measuring the amount of discrepancy. 'Adjusting' accounting-related policies and procedures may help reduce the BEC risk, but what about other policies and procedures? What about the technical and physical controls such as user authentication and access controls on the computer systems? What about awareness and training on the 'adjusted' policies and procedures? Aside from 'adjusting', how about instituting entirely new policies and procedures to plug various gaps in the internal controls framework? Taking that part of the CFO article at face value, the SEC appears (to this non-lawyer) very narrowly focused, perhaps even a little misguided. 

Turns out there's more to this:
"As the report warns, companies should be proactive and take steps to consider cyber scams. Specific measures should include:
  • Identify enterprise-wide cybersecurity policies and how they intersect with federal securities laws compliance
  • Update risk assessments for cyber-breach scenarios
  • Identify key controls designed to prevent illegitimate disbursements, or accounting errors from cyber frauds, and understand how they could be circumvented or overridden. Attention should be given to controls for payment requests, payment authorizations, and disbursements approvals — especially those for purported “time-sensitive” and foreign transactions — and to controls involving changes to vendor disbursement data.
  • Evaluate the design and test the operating effectiveness of these key controls
  • Implement necessary control enhancements, including training of personnel
  • Monitor activities, potentially with data analytic tools, for potential illegitimate disbursements
While it’s not addressed in the report, companies could be at risk for disclosure failures after a cyber incident, and CEOs and CFOs are in the SEC’s cross-hairs due to representations in Section 302 Certifications. Therefore, companies should also consider disclosure controls for cyber-breaches."
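The report's recommendations above (controls on payment requests and vendor disbursement data changes, extra attention to "time-sensitive" and foreign transactions, monitoring with data analytic tools) can be turned into a simple review-queue rule. The following is an added example, not code from the CFO.com article, the SEC report or any accounting system; the record layout, the seven-day look-back, the dual-approval threshold and the home-country value are assumptions, and the payment and vendor-change records are constructed.

```python
"""Flag disbursements that match common Business Email Compromise patterns.

Added illustration of the monitoring controls the SEC report recommends.
Record layouts, thresholds and sample data are assumptions, not taken from
the report or from any real ledger.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

HOME_COUNTRY = "US"                       # assumption: company pays domestically in USD
LOOKBACK = timedelta(days=7)              # assumption: bank-detail change "recent" window
DUAL_APPROVAL_THRESHOLD = 10_000.0        # assumption: amount above which two approvers are required


@dataclass
class VendorChange:
    vendor_id: str
    changed_at: datetime
    field_name: str       # e.g. "bank_account", "address"
    requested_via: str    # channel the change request arrived on: "portal", "email", ...


@dataclass
class Payment:
    payment_id: str
    vendor_id: str
    amount: float
    currency: str
    country: str          # beneficiary bank country
    requested_at: datetime
    urgent: bool          # request marked "time-sensitive"
    approved_by: List[str] = field(default_factory=list)


def flag_payment(payment: Payment, changes: List[VendorChange]) -> List[str]:
    """Return the list of risk signals present on a single payment."""
    reasons: List[str] = []
    recent_bank_changes = [
        c for c in changes
        if c.vendor_id == payment.vendor_id
        and c.field_name == "bank_account"
        and timedelta(0) <= payment.requested_at - c.changed_at <= LOOKBACK
    ]
    if recent_bank_changes:
        reasons.append("bank details changed within 7 days of payment")
        # A bank-detail change requested over e-mail is the classic BEC pre-step.
        if any(c.requested_via == "email" for c in recent_bank_changes):
            reasons.append("bank change requested by email (unverified channel)")
    if payment.urgent:
        reasons.append("marked time-sensitive")
    if payment.country != HOME_COUNTRY:
        reasons.append("foreign beneficiary")
    if payment.amount >= DUAL_APPROVAL_THRESHOLD and len(set(payment.approved_by)) < 2:
        reasons.append("high value without dual approval")
    return reasons


def review_queue(payments: List[Payment], changes: List[VendorChange]) -> Dict[str, List[str]]:
    """Payments needing manual review, mapped to their signals.

    A recent bank-detail change or a missing dual approval is enough on its own;
    weaker signals (urgency, foreign beneficiary) must occur together.
    """
    queue: Dict[str, List[str]] = {}
    for p in payments:
        reasons = flag_payment(p, changes)
        strong = any(r.startswith(("bank details", "high value")) for r in reasons)
        if strong or len(reasons) >= 2:
            queue[p.payment_id] = reasons
    return queue


# Constructed sample data (not real vendors or transactions).
SAMPLE_CHANGES = [
    VendorChange("V100", datetime(2018, 11, 15, 9, 0), "bank_account", "email"),
    VendorChange("V200", datetime(2018, 10, 1, 12, 0), "address", "portal"),
]
SAMPLE_PAYMENTS = [
    Payment("P1", "V100", 48_500.0, "USD", "US", datetime(2018, 11, 19, 16, 30), True, ["cfo.assistant"]),
    Payment("P2", "V200", 2_300.0, "USD", "US", datetime(2018, 11, 19, 10, 0), False, ["ap.clerk"]),
    Payment("P3", "V300", 7_900.0, "EUR", "DE", datetime(2018, 11, 20, 9, 0), False, ["ap.clerk", "controller"]),
    Payment("P4", "V300", 12_000.0, "EUR", "DE", datetime(2018, 11, 20, 9, 5), True, ["ap.clerk", "controller"]),
]

if __name__ == "__main__":
    for pid, why in review_queue(SAMPLE_PAYMENTS, SAMPLE_CHANGES).items():
        print(pid, "->", "; ".join(why))
```

In the sample, P1 (bank details changed by e-mail four days earlier, urgent, single approver) and P4 (urgent and foreign) land in the queue; P3 is foreign but otherwise ordinary and is not held up, which is the trade-off between catching fraud and not stalling legitimate payments that the "calibrate" wording leaves to each company.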
The Securities Exchange Act became law way back in 1934, well before the Internet or email were invented ... although fraud has been around for millennia. In just 31 pages, the Act led to the formation of the SEC itself and remains a foundation for the oversight and control of US stock exchanges, albeit supported and extended by a raft of related laws and regulations. Today's system of controls has come a long way already and is still evolving.

Security vs. Compliance: What’s the Difference?

Security and compliance are often said in the same breath as if they are two sides of the same coin, two members of the same team or two great tastes that go great together. As much as I would like to see auditors and developers (or Security Analysts) living in harmony like a delicious Reese’s […]… Read More

The post Security vs. Compliance: What’s the Difference? appeared first on The State of Security.

Privacy laws do not understand human error

In a world of increasingly punitive regulations like GDPR, the combination of unstructured data and human error represents one of the greatest risks an organization faces. Understanding the differences between unstructured and structured data – and the different approaches needed to secure it – is critical to achieve compliance with the many data privacy regulations that businesses in the U.S. now face. Structured data is comprised of individual elements of information organized to be accessible, … More

The post Privacy laws do not understand human error appeared first on Help Net Security.

NBlog Nov 20 – go ahead, make my day

What can be done about the semi-literate reprobates spewing forth this sort of technobabble nonsense via email? 
"hello, my prey.
I write you since I attached a trojan on the web site with porn which you have visited.My malware captured all your private data and switched on your camera which recorded the act of your wank. Just after that the malware saved your contact list.I will erase the compromising video records and data if you pay me 350 EURO in bitcoin. This is wallet address for payment : [string redacted]
I give you 30h after you view my message for making the transaction.As soon as you read the message I'll know it immediately.It is not necessary to tell me that you have paid to me. This wallet address is connected to you, my system will delete everything automatically after transfer confirmation.If you need 48h just Open the calculator on your desktop and press +++If you don't pay, I'll send dirt to all your contacts.      Let me remind you-I see what you're doing!You can visit the police office but anyone can't help you.
If you try to cheat me , I'll see it immediately!
I don't live in your country. So anyone can not track my location even for 9 months.Goodbye for now. Don't forget about the disgrace and to ignore, Your life can be destroyed."

It's straightforward blackmail - a crime in New Zealand and elsewhere - but the perpetrators are of course lurking in the shadows, hoping to fleece their more naive and vulnerable victims then cash-out anonymously via Bitcoin. Identifying them is hard enough in the first place without the added burden of having to gather sufficient forensic evidence to build a case, then persuade the authorities to prosecute.

So instead I'm fighting back through awareness. If you receive vacuous threats of this nature, simply laugh at their ineptitude and bin them. Go ahead, bin them all. Train your spam filters to bin them automatically. Bin them without hesitation or concern. 

Then, please help me pass the word about these ridiculous scams. Let your friends and family (especially the most vulnerable) know. Share this blog with your classmates and work colleagues. Send journalists and reporters the URL. Hold a bin-the-blackmail party. 

By all means call your national CERT or the authorities if that makes you feel better. Just don't expect much in the way of a response beyond "We're inundated! Sorry, this is not a priority. We simply don't have the resources."

If enough of us call their bluff, these pathetic social engineering attacks will not earn enough to offset the scammers' risks of being caught ... and who knows, we might just draw some of them into the open in the process. Let's find out just how confident they are of their security, their untraceability and invincibility. 

Recite after me: "Go ahead, make my day ..."

OPM Security Improves, But Many Issues Still Unresolved: GAO

The U.S. Office of Personnel Management (OPM) has improved its security posture since the data breaches disclosed in 2015, but many issues are still unresolved, according to a report published this week by the Government Accountability Office (GAO).


What’s keeping Europe’s top infosec pros awake at night?

As the world adapts to GDPR and puts more attention on personal privacy and security, Europe’s top information security professionals still have doubts about the industry’s ability to protect critical infrastructure, corporate networks, and personal information. Black Hat Europe’s new research report entitled, Europe’s Cybersecurity Challenges, details the thoughts that are keeping Europe’s top information security professionals awake at night. The report includes new insights directly from more than 130 survey respondents and spans topics … More

The post What’s keeping Europe’s top infosec pros awake at night? appeared first on Help Net Security.

NBlog Nov 13 – what to ask in a security gap assessment (reprise)

Today on the ISO27k Forum, a newly-appointed Information Security Officer asked us for "a suitable set of questions ... to conduct security reviews internally to departments".

I pointed him at "What to ask in a gap assessment" ... and made the point that if I were him, I wouldn't actually start with ISO/IEC 27002's security controls as he implied. I'd start two steps back from there:
  1. One step back from the information security controls are the information risks. The controls help address the risks by avoiding, reducing or limiting the number and severity of incidents affecting or involving information: but what information needs to be protected, and against what kinds of incident? Without knowing that, I don't see how you can decide which controls are or are not appropriate, nor evaluate the controls in place.
  2. Two steps back takes us to the organizational or business context for information and the associated risks. Contrast, say, a commercial airline company against a government department: some of their information is used for similar purposes (i.e. general business administration and employee comms) but some is quite different (e.g. the airline is heavily reliant on customer and engineering information that few government departments would use if at all). Risks and controls for the latter would obviously differ ... but less obviously there are probably differences even in the former - different business priorities and concerns, different vulnerabilities and threats. The risks, and hence the controls needed, depend on the situation.
I recommend several parallel activities for a new info sec pro, ISO, ISM or CISO – a stack of homework to get started:
  • First, I find it helps to start any new role deliberately and consciously “on receive”, i.e. actively listening for the first few weeks at least, making contacts with your colleagues and sources and finding out what matters to them.  Try not to comment or criticize or commit to anything much at this stage, although that makes it an interesting challenge to get people to open up!  Keep rough notes as things fall into place.  Mind-mapping may help here.
  • Explore the information risks of most obvious concern to your business. Examples:
    • A manufacturing company typically cares most about its manufacturing/factory production processes, systems and data, plus its critical supplies and customers;
    • A services company typically cares most about customer service, plus privacy;
    • A government department typically cares most about ‘not embarrassing the minister’ i.e. compliance with laws, regs and internal policies & procedures;
    • A healthcare company typically cares most about privacy, integrity and availability of patient/client data;
    • Any company cares about strategy, finance, internal comms, HR, supply chains and so on – general business information – as well as compliance with laws, regs and contracts imposed on it - but which ones, specifically, and to what extent?;
    • Any [sensible!] company in a highly competitive field of business cares intensely about protecting its business information from competitors, and most commercial organizations actively gather, assess and exploit information on or from competitors, suppliers, partners and customers, plus industry regulators, owners and authorities;
    • Not-for-profit organizations care about their core missions, of course, plus finances and people and more (they are business-like, albeit often run on a shoestring);
    • A mature organization is likely to have structured and stable processes and systems (which may or may not be secure!) whereas a new greenfield or immature organization is likely to be more fluid, less regimented (and probably insecure!);
  • Keep an eye out for improvement opportunities - a polite way of saying there are information risks of concern, plus ways to increase efficiency and effectiveness – but don’t just assume that you need to fix all the security issues instantly: it’s more a matter of first figuring out you and your organization’s priorities. Being information risk-aligned suits the structured ISO27k approach. It doesn’t hurt to mention them to the relevant people and chat about them, but be clear that you are ‘just exploring options’ not ‘making plans’ at this stage: watch their reactions and body language closely and think on;
  • Consider the broader historical and organizational context, as well as the specifics. For instance:
    • How did things end up the way they are today? What most influenced or determined things? Are there any stand-out issues or incidents, or current and future challenges, that come up often and resonate with people?
    • Where are things headed? Is there an appetite to ‘sort this mess out’ or conversely a reluctance or intense fear of doing anything that might rock the boat? Are there particular drivers or imperatives or opportunities, such as business changes or compliance obligations? Are there any ongoing initiatives that do, could or should have an infosec element to them?
    • Is the organization generally resilient and strong, or fragile and weak? Look for examples of each, comparing and contrasting. A SWOT or PEST analysis generally works for me. This has a bearing on the safe or reckless acceptance of information and other risks;
    • Is information risk and security an alien concept, something best left to the grunts deep within IT, or a broad business issue? Is it an imposed imperative or a business opportunity, a budget black hole (cost centre) or an investment (profit centre)? Does it support and enable the business, or constrain and prevent it?
    • Notice the power and status of managers, departments and functions. Who are the movers and shakers? Who are the blockers and naysayers? Who are the best-connected, the most influential, the bright stars? Who is getting stuff done, and who isn’t? Why is that?
    • How would you characterize and describe the corporate culture? What are its features, its high and low points? What elements or aspects of that might you exploit to further your objectives? What needs to change, and why? (How will come later!)
  • Dig out and study any available risk, security and audit reports, metrics, reviews, consultancy engagements, post-incident reports, strategies, plans (departmental and projects/initiatives), budget requests, project outlines, corporate and departmental mission statements etc. There are lots of data here and plenty of clues that you should find useful in building up a picture of What Needs To Be Done. Competent business continuity planning, for example, is also business-risk-aligned, hence you can’t go far wrong by emphasizing information risks to the identified critical business activities. At the very least, obtaining and discussing the documentation is an excellent excuse to work your way systematically around the business, meeting knowledgeable and influential people, learning and absorbing info like a dry sponge.
  • Build your team. It may seem like you’re a team of 1 but most organizations have other professionals or people with an interest in information risk and security etc. What about IT, HR, legal/compliance, sales & marketing, production/operations, research & development etc.? Risk Management, Business Continuity Management, Privacy and IT Audit pro’s generally share many of your/our objectives, at least there is substantial overlap (they have other priorities too). Look out for opportunities to help each other (give and take). Watch out also for things, people, departments, phrases or whatever to avoid, at least for now.
  • Meanwhile, depending partly on your background, it may help to read up on the ISO27k and other infosec standards plus your corporate strategies, policies, procedures etc., not just infosec. Consider attending an ISO27k lead implementer and/or lead auditor training course, CISM or similar.  There’s also the ISO27k FAQ, ISO27k Toolkit and other info from ISO27001security.com, plus the ISO27k Forum archive (worth searching for guidance on specific issues, or browsing for general advice).  If you are to become the organization’s centre of excellence for information risk and security matters, it’s important that you are well connected externally, a knowledgeable expert in the field. ISSA, InfraGard, ISACA and other such bodies, plus infosec seminars, conferences and social media groups are all potentially useful resources, or a massive waste of time: your call. 
Yes, I know, I know, that’s a ton of work, and I appreciate that it’s not quite what was asked for i.e. questions to ask departments about their infosec controls. My suggestion, though, is to tackle this at a different level: the security controls in place today are less important than the security controls that the organization needs now and tomorrow. Understanding the information risks is key to figuring out the latter.

As a relative newcomer, doing your homework and building the bigger picture will give you an interesting and potentially valuable insight into the organization, not just on the information risk and security stuff … which helps when it comes to proposing and discussing strategies, projects, changes, budgets etc. How you go about doing that is just as important as what it is that you are proposing to do. In some organizations, significant changes happen only by verbal discussion and consensus among a core/clique (possibly just one all-powerful person), whereas in some others nothing gets done without the proper paperwork, in triplicate, signed by all the right people in the correct colours of ink! The nature, significance and rapidity of change all vary, as do the mechanisms or methods.

So, in summary, there's rather more to do than assess the security controls against 27002. 

PS  For the more cynical among us, there’s always the classic three envelope approach.

CNIL Publishes DPIA Guidelines and List of Processing Operations Subject To DPIA

On November 6, 2018, the French Data Protection Authority (the “CNIL”) published its own guidelines on data protection impact assessments (the “Guidelines”) and a list of processing operations that require a data protection impact assessment (“DPIA”). Read the guidelines and list of processing operations (in French).

CNIL’s Guidelines

The Guidelines aim to complement guidelines on DPIA adopted by the Article 29 Working Party on October 4, 2017, and endorsed by the European Data Protection Board (“EDPB”) on May 25, 2018. The CNIL crafted its own Guidelines to specify the following:

  • Scope of the obligation to carry out a DPIA. The Guidelines describe the three examples of processing operations requiring a DPIA  provided by Article 35(3) of the EU General Data Protection Regulation (“GDPR”). The Guidelines also list nine criteria the Article 29 Working Party identified as useful in determining whether a processing operation requires a DPIA, if that processing does not correspond to one of the three examples provided by the GDPR. In the CNIL’s view, as a general rule a processing operation meeting at least two of the nine criteria requires a DPIA. If the data controller considers that processing meeting two criteria is not likely to result in a high risk to the rights and freedoms of individuals, and therefore does not require a DPIA, the data controller should explain and document its decision for not carrying out a DPIA and include in that documentation the views of the data protection officer (“DPO”), if appointed. The Guidelines make clear that a DPIA should be carried out if the data controller is uncertain. The Guidelines also state that processing operations lawfully implemented prior to May 25, 2018 (e.g., processing operations registered with the CNIL, exempt from registration or recorded in the register held by the DPO under the previous regime) do not require a DPIA within a period of 3 years from May 25, 2018, unless there has been a substantial change in the processing since its implementation.
  • Conditions in which a DPIA is to be carried out. The Guidelines state that DPIAs should be reviewed regularly—at minimum, every three years—to ensure that the level of risk to individuals’ rights and freedoms remains acceptable. This corresponds to the three-year period mentioned in the draft guidelines on DPIAs adopted by the Article 29 Working Party on April 4, 2017.
  • Situations in which a DPIA must be provided to the CNIL. The Guidelines specify that data controllers may rely on the CNIL’s sectoral guidelines (“Referentials”) to determine whether the CNIL must be consulted. If the data processing complies with a Referential, the data controller may take the position that there is no high residual risk and no need to seek prior consultation for the processing from the CNIL. If the data processing does not fully comply with the Referential, the data controller should assess the level of residual risk and the need to consult the CNIL. The Guidelines note that the CNIL may request DPIAs in case of inspections.

CNIL’s List of Processing Operations Requiring a DPIA

The CNIL previously submitted a draft list of processing operations requiring a DPIA to the EDPB for its opinion. The CNIL adopted its final list on October 11, 2018, based on that opinion. The final list includes 14 types of processing operations for which a DPIA is mandatory. The CNIL provided concrete examples for each type of processing operation, including:

  • processing operations for the purpose of systematically monitoring the employees’ activities, such as the implementation of data loss prevention tools, CCTV systems recording employees handling money, CCTV systems recording a warehouse stocking valuable items in which handlers are working, digital tachograph installed in road freight transport vehicles, etc.;
  • processing operations for the purpose of reporting professional concerns, such as the implementation of a whistleblowing hotline;
  • processing operations involving profiling of individuals that may lead to their exclusion from the benefit of a contract or to the contract suspension or termination, such as processing to combat fraud of (non-cash) means of payment;
  • profiling that involves data coming from external sources, such as a combination of data operated by data brokers and processing to customize online ads;
  • processing of location data on a large scale, such as a mobile app that collects users’ geolocation data, etc.

The CNIL’s list is non-exhaustive and may be regularly reviewed, depending on the CNIL’s assessment of the “high risks” posed by certain processing operations.

Next steps

The CNIL is expected to soon publish its list of processing operations for which a DPIA is not required.

How Can Companies Move the Needle on Enterprise Cloud Security Risks and Compliance?

More than ever, customers understand their right to data privacy. As major brands continue to lose sensitive data to cybercriminals in high-profile cloud security failures, customer trust in companies across industries is fading. Only 25 percent of consumers believe most companies handle their data responsibly, according to PricewaterhouseCoopers (PwC). As a result, secure, transparent data handling practices are more imperative than ever.

New regulations signal that governing bodies are also taking the enterprise’s responsibility for data privacy very seriously. The Brazil Privacy Act and the California Consumer Privacy Act support the consumer’s right to understand how their data is collected and used, and the New York Department of Financial Services (NYDFS) requirements are among the first regulations to address cloud security risks. Proposed rules require financial institutions to conduct vulnerability assessments and practice data classification and safe data management, whether the data resides on-premises or in the cloud.

Misconfigurations Cause Database Security Mayhem

Despite increased pressure to protect customer data, security teams are still struggling to address database security risks. Misconfigured servers, networked backup incidents and other system misconfigurations resulted in the exposure of 2 billion data records in 2017, according to the “IBM X-Force Threat Intelligence Index 2018” — that’s a 424 percent increase in such data breaches over last year’s total.

Cybercriminals are innovating quickly to take advantage of enterprise cloud security challenges. Many are using and creating open source tools to scan the web for unprotected cloud storage and, in some cases, locking these systems for ransom. Results from a Threat Stack study indicated that the majority of cloud databases are unprotected or otherwise misconfigured. Researchers attributed the prevalence of misconfigurations to employee negligence and insufficient IT policies.

Why the Enterprise Cloud Is Vulnerable

Still, it would be unfair to blame the current state of enterprise cloud security on employee negligence — at least, not entirely. Critical misconfigurations are technically the result of inadvertent insider error, but the reality is a bit more complex. Correcting configurations and compliance risks is difficult because security teams lack actionable visibility into cloud risks. There’s a glut of security risk to deal with, and traditional approaches to assessing risk result in an abundance of data with little actionable intelligence.

The enterprise cloud environment is complex and difficult to capture with vulnerability assessment tools designed for physical network and endpoint risk assessments. The unstructured, NoSQL landscape of the big data on cloud evolves on a near-daily basis to accommodate new forms of unstructured data. It’s no wonder that trying to assess database security risk across heterogeneous environments is often compared to finding a needle in a haystack.

Layered vulnerability assessments are crucial to protect against cloud security and compliance risks. Under some recent regulatory requirements, in fact, vulnerability assessments are mandatory. However, the enterprise needs vulnerability solutions that can support the scale of cloud database-as-a-service (DBaaS), traditional on-premises databases, warehouses and big data environments in a meaningful way.

Advanced analytics are necessary to sort through complex event data to correlate patterns and find true outliers that are associated with meaningful risk of data loss or advanced threats. The sheer volume and variety of data in the enterprise cloud requires proactive vulnerability assessment. A vulnerability assessment solution should automate risk prioritization, recommend remediation and simplify complex compliance requirements.

How to Achieve Real-Time Security and Compliance in Cloud or Hybrid Environments

Reducing risk requires visibility and control with an adaptive, real-time approach to understanding exposure. In a database environment, assessments should actively examine privileges, authentication, configuration, versioning and patching. Finding and remediating advanced threats from insiders, ransomware and data breaches requires advanced analytics. Your vulnerability assessment solution should rank risks based on the importance of data and breach likelihood and recommend remediation actions.
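The ranking described above (risk ordered by the importance of the data and the likelihood of a breach, with a remediation suggestion per finding) can be sketched without any product. The following is an added example, not code from Security Intelligence or from any vulnerability assessment tool; the instance descriptor, the five checks, their weights and the constructed fleet are all assumptions chosen to illustrate the idea.

```python
"""Risk-ranked configuration assessment across a small database fleet.

Added example: the checks (authentication, network exposure, TLS, patch level,
privileged accounts) and the weights are assumptions, as is the rule
risk = data sensitivity x breach likelihood. The fleet below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DbInstance:
    name: str
    engine: str
    publicly_reachable: bool   # endpoint answers from the internet
    auth_required: bool        # anonymous connections rejected
    tls_required: bool         # plaintext client connections rejected
    patched: bool              # on a vendor-supported, current patch level
    privileged_accounts: int   # accounts with admin/superuser role
    data_sensitivity: int      # 1 (public data) .. 5 (regulated personal/financial data)


# (finding text, likelihood weight, remediation)  -- weights are assumptions
REMEDIATION = {
    "authentication disabled": "require authentication for every client role",
    "reachable from the internet": "restrict the endpoint to private networks or an allow-list",
    "clients may connect without TLS": "enforce TLS on all listeners and reject plaintext",
    "unpatched or unsupported version": "upgrade to a supported, patched release",
    "excess privileged accounts": "reduce admin roles to the minimum and review them regularly",
}


def findings(inst: DbInstance) -> List[Tuple[str, int]]:
    """Configuration weaknesses with a weight reflecting how much each raises breach likelihood."""
    out: List[Tuple[str, int]] = []
    if not inst.auth_required:
        out.append(("authentication disabled", 5))
    if inst.publicly_reachable:
        out.append(("reachable from the internet", 4))
    if not inst.tls_required:
        out.append(("clients may connect without TLS", 2))
    if not inst.patched:
        out.append(("unpatched or unsupported version", 3))
    if inst.privileged_accounts > 2:
        out.append(("excess privileged accounts", 2))
    return out


def likelihood(inst: DbInstance) -> int:
    return sum(weight for _, weight in findings(inst))


def risk_score(inst: DbInstance) -> int:
    """Importance of the data times breach likelihood, the ranking the article calls for."""
    return inst.data_sensitivity * likelihood(inst)


def rank(instances: List[DbInstance]) -> List[DbInstance]:
    return sorted(instances, key=risk_score, reverse=True)


def remediation_plan(inst: DbInstance) -> List[str]:
    return [REMEDIATION[name] for name, _ in findings(inst)]


# Constructed fleet (not real systems).
FLEET = [
    DbInstance("orders-prod", "postgres", True, True, False, False, 4, 5),
    DbInstance("analytics-sandbox", "mongodb", True, False, False, True, 1, 1),
    DbInstance("hr-internal", "mysql", False, True, True, True, 1, 4),
    DbInstance("billing-dbaas", "postgres", False, True, True, False, 3, 5),
]

if __name__ == "__main__":
    for inst in rank(FLEET):
        print(f"{risk_score(inst):3d}  {inst.name}")
        for action in remediation_plan(inst):
            print("      -", action)
```

Note the ordering that results: the sandbox with authentication switched off has the same raw likelihood as the production orders database, yet it ranks below the patched-but-privileged billing system because the data it holds matters far less. That is the point of weighting by data importance rather than by count of findings.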

Security and risk are convening in the enterprise, and vulnerability tools should deliver risk intelligence that can be shared with the chief information officer (CIO), chief security officer (CSO) and chief risk officer (CRO). Enterprise cloud environments are complex, but a vulnerability assessment tool can provide a consolidated and actionable view into risk, remediation, compliance and policy. To drive continued value, however, a vulnerability assessment solution must scale to new services as new applications, databases and cloud services are deployed over time.

The cloud has shifted the landscape and created the need for a new approach to assessing risks. If understanding compliance and configurations feels like finding needles in a haystack, it may be time to automate. Data privacy is now a compliance and customer imperative, and understanding the state of your databases is critical, so aim to scale your security assessments with a solution designed for the complexities of the enterprise cloud environment.


The post How Can Companies Move the Needle on Enterprise Cloud Security Risks and Compliance? appeared first on Security Intelligence.

CNIL Details Rules On Audience and Traffic Measuring In Publicly Accessible Areas

On October 17, 2018, the French data protection authority (the “CNIL”) published a press release detailing the rules applicable to devices that compile aggregated and anonymous statistics from personal data—for example, mobile phone identifiers (i.e., media access control or “MAC” address) —for purposes such as measuring advertising audience in a given space and analyzing flow in shopping malls and other public areas. Read the press release (in French).

The CNIL observed that more and more companies use such devices. In shopping malls, these devices can (1) compile traffic statistics and determine how many individuals have visited a shopping mall over a limited time range; (2) model the routes that individuals take through the shopping mall; and/or (3) calculate the rate of repeating visitors. In public areas, they can (1) determine how many individuals walked past an audience measuring device (e.g., an advertising panel); (2) determine the routes taken by these individuals from one advertising panel to another; (3) estimate the amount of time individuals stand in line; (4) assess the number of vehicles driving on a road, etc.

Against that background, the CNIL identified the three following scenarios:

Scenario 1 – When data is anonymized at short notice (i.e., within minutes of collecting the data)

The CNIL defines anonymization as a specific data processing operation which renders individuals no longer identifiable. (Such processing must comply with various criteria set forth in Opinion 05/2014 of the former Article 29 Working Party on anonymization techniques. According to the CNIL, this includes ensuring a high collision rate between several individuals—for instance, in the context of MAC-based audience measurement devices, the processing must allow multiple MAC addresses to match the result of single-identifier processing.)

In this scenario, anonymization must be performed promptly, i.e., within minutes of collecting the data. In the CNIL’s view, this reduces the risk that an individual would be able to access identifying data. To that end, the CNIL recommends anonymizing the data within 5 minutes. After that period, no identifying data should be retained.

The CNIL noted that data controllers may rely on their legitimate interest as a legal basis for the processing under the EU General Data Protection Regulation (“GDPR”). The CNIL recommended, however, that data controllers provide notice to individuals, using a layered approach in accordance with the guidelines of the former Article 29 Working Party on transparency under the GDPR. The CNIL provided an example of a notice that would generally satisfy the first layer of a layered privacy notice, though emphasized that notice should be tailored to the processing—particularly with respect to the individuals’ data protection rights. Since the data is anonymized, individuals cannot exercise their rights of access to and rectification of their personal data, and restriction to the processing of their data. Therefore, the notice does not have to mention these rights. However, individuals must be able to object to the collection of their data, and the notice should refer to that right of (prior) objection.

Scenario 2 – When data is immediately pseudonymized and then anonymized or deleted within 24 hours

In this second scenario, data controllers may rely on their legitimate interest as a legal basis for the processing provided that they:

  • Provide prior notice to individuals;
  • Implement mechanisms to allow individuals to object to the collection of their data (i.e., prior objection to the processing). These mechanisms should be accessible, functional, easy to use and realistic;
  • Set up procedures to allow individuals to exercise their rights of access, rectification and objection after data has been collected; and
  • Implement appropriate technical measures to protect the data, including a reliable pseudonymization process of MAC addresses (with the deletion of the raw data and the use of a salt or key). The pseudonymized data must be anonymized or deleted at the end of the day.

Further, the CNIL recommended using multiple modalities to provide notice to individuals, such as posting a privacy notice at entry and exit points of the shopping mall, on Wi-Fi access points, on every advertising device (e.g., on every advertising panel when the processing is carried out on the street), on the website of the shopping mall, or through a specific marketing campaign.

With respect to the individuals’ data protection rights, the CNIL made it clear that individuals who pass audience measuring devices must be able to object to the collection and further processing of their personal data. Companies wishing to install such a device must implement technical solutions that allow individuals to easily exercise this right of objection both a priori and a posteriori: these solutions must not only allow individuals to obtain the deletion of the data already collected (i.e., to exercise their right of objection a posteriori) but also prevent any further collection of their personal data (prior objection). In the CNIL’s view, the right of objection can be exercised using one of the following means:

  • Through a dedicated website or app on which individuals enter their MAC address to object to the processing. (The data controller is responsible for explaining to individuals how to obtain their MAC address so that they can effectively object to the processing of their data.) If an individual exercises his/her right of objection via this site or app, the data controller must delete all the data already collected and must no longer collect any data associated with that MAC address; or
  • Through a dedicated Wi-Fi network that allows the automatic collection of the devices’ MAC address for the purposes of objecting to the processing. If an individual exercises his/her right of objection via this network, the data controller must delete all the data that has been already pseudonymized and must not further collect the MAC address. The CNIL recommended using a clear and explicit name for that network such as “wifi_tracking_optout”.

According to the CNIL, data controllers should not recommend that individuals turn off the Wi-Fi feature of their phone to avoid being tracked. Such a recommendation is inadequate for purposes of enabling individuals to exercise their right of objection.
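As an added illustration (mine, not code from the CNIL guidance or this post) of the scenario 2 technical conditions and the MAC-based objection mechanism: MAC addresses are pseudonymized with a keyed hash (HMAC) rather than a bare hash, the daily key is discarded at end of day so only aggregate counts survive, and devices in the objection register are dropped before any record is written. The two-key design (a long-lived key for the objection register, a fresh key per day for the counts) and all sample addresses are assumptions of the example.

```python
"""Added example: keyed pseudonymization of MAC addresses with end-of-day
anonymization and an opt-out register, modelled on the CNIL conditions
quoted above. Illustrative design, not CNIL-endorsed code."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Set

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so one device always hashes the same."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def keyed_pseudonym(key: bytes, mac: str) -> str:
    """HMAC-SHA256 of the normalized MAC. An unkeyed hash would be reversible
    by enumerating the ~2^48 address space, hence the secret key (the 'salt
    or key' the CNIL asks for)."""
    return hmac.new(key, normalize_mac(mac).encode(), hashlib.sha256).hexdigest()


class AudienceCounter:
    """Counts device sightings for one day without ever storing a raw MAC."""

    def __init__(self, optout_key: Optional[bytes] = None) -> None:
        # Long-lived key for the objection register (assumption of this
        # example): it must persist across days so that a device that opted
        # out is never collected again.
        self.optout_key = optout_key or secrets.token_bytes(32)
        self.optouts: Set[str] = set()
        self.day_key = b""
        self.sightings: Dict[str, int] = {}   # daily pseudonym -> visits
        self._new_day()

    def _new_day(self) -> None:
        # Fresh daily key: yesterday's pseudonyms cannot be linked to today's.
        self.day_key = secrets.token_bytes(32)
        self.sightings = {}

    def observe(self, mac: str) -> bool:
        """Process one probe-request sighting. Returns False if the device
        has objected (prior objection) and nothing was recorded."""
        if keyed_pseudonym(self.optout_key, mac) in self.optouts:
            return False
        p = keyed_pseudonym(self.day_key, mac)
        self.sightings[p] = self.sightings.get(p, 0) + 1
        return True

    def object(self, mac: str) -> int:
        """Right of objection: delete what was already collected (a posteriori)
        and block further collection (a priori). Returns deleted visit count."""
        self.optouts.add(keyed_pseudonym(self.optout_key, mac))
        return self.sightings.pop(keyed_pseudonym(self.day_key, mac), 0)

    def end_of_day(self) -> Dict[str, int]:
        """Anonymize: keep only aggregate counts, then destroy the per-device
        pseudonyms and the daily key so they cannot be re-identified."""
        report = {
            "unique_devices": len(self.sightings),
            "total_visits": sum(self.sightings.values()),
            "repeat_visitors": sum(1 for v in self.sightings.values() if v > 1),
        }
        self._new_day()
        return report


if __name__ == "__main__":
    # Constructed sightings, not real data.
    counter = AudienceCounter()
    for seen in ["aa:bb:cc:dd:ee:01", "AA-BB-CC-DD-EE-01", "aa:bb:cc:dd:ee:02"]:
        counter.observe(seen)
    print("deleted after objection:", counter.object("aa:bb:cc:dd:ee:01"))
    print("end-of-day report:", counter.end_of_day())
```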

Scenario 3 – All other cases

In the CNIL’s view, if the device implemented by the data controller does not strictly comply with the conditions listed in the two previous scenarios, the processing may only be implemented with the individuals’ consent. The CNIL stated that individuals must be able to withdraw consent, and that withdrawing consent should be as simple as granting consent. Individuals should also be able to exercise all the other GDPR data protection rights. In terms of notice, the CNIL recommended providing notice using multiple modalities (as in the second scenario).

Data Protection Impact Assessment and CNIL’s Authorization

The CNIL also reported that, in all the above scenarios, the processing will require a data protection impact assessment to be carried out prior to the implementation of the audience/traffic measuring devices, in so far as such devices assist in the systematic monitoring of individuals through an innovative technical solution.

Additionally, the CNIL’s prior authorization may be required in certain cases.

NBlog Sept 23 – what’s the best development method for security?

In answer to someone on CISSPforum asking for advice about the impact of various software development lifecycles, methods or (as if we need another ology) methodologies, I asserted that the SDLC method affects the way or the manner in which infosec is achieved (spec'd, built, confirmed, delivered, used, managed, monitored, maintained ...) more than how effective it ends up being.

There are pros and cons to all the methods - different strengths and weaknesses, different purposes, opportunities, risks and constraints. Software or systems development involves a load of trade-offs and compromises. For example, if information risks absolutely must be minimized, formal methods are a good way to achieve that ... at huge cost in terms of both the investment of money and time for the development, and the functionality and rigidity of the developed system. However, an even better way to minimize the risk is to avoid using software, sidestepping the whole issue!

In most circumstances, I would argue that other factors are more significant in relation to the information security achieved in the developed system than the choice of development method, e.g.:
  • Governance, management and compliance arrangements, especially around the extended dev team and the key stakeholders;
  • Strategies (e.g. business drivers for information security), priorities, resources available (including maturity, skills and competence on infosec matters - not just $$$);
  • Policies and standards, especially good security practices embedding sound principles such as:
    • Don't bolt it on - build security in;
    • Be information risk-driven;
    • Address CIA and other security, privacy, compliance and related matters;
    • Secure the whole system, not just the software;
    • Focus on important security requirements and controls, taking additional care, increasing both strength and assurance over those;
    • Layer security, in anticipation of layers being breached: make it harder and more costly for adversaries and incidents to occur;
    • Trust but verify;
    • Accept that perfect or absolute security is literally unachievable, and security maturity is more quest than goal, hence provide for resilience, recovery and contingency as well as incident management and continuous improvement.
  • Well-defined critical decision points, sometimes known as hurdles, stage gates etc., plus the associated criteria and assurance requirements, plus the associated management processes to measure progress, handle issues, re-prioritize ...;
  • Corporate culture, attitudes towards information risk, infosec, cybersec, IT, compliance etc., among management, the intended system users, IT and the dev team, plus awareness and training;
  • Documentation: more than simply red tape, good quality documentation on information risk and security indicates a mature, considered, rational approach, facilitates wider involvement plus review and authorization, captures good practices and helps those not closely involved with the project appreciate what is being developed, how and why;
  • Systems thinking: alongside people, hardware, networks, other systems and dynamics, the software is just part of the bigger thing being developed;
  • Team working: high performance teamwork can achieve more, better security and higher quality products with the same resources, especially if the extended team includes a wide range of experts, users, administrators, managers and more;
  • Suitable metrics, such that 'more, better security and higher quality products' is more than just a hand-waving notion, becoming criteria, measures and drivers;
  • Risk and change management practices and attitudes, maturity, support, drive etc.;
  • Most of all, the deep understanding that underpins sound requirements specs, planning and execution, and leadership: infosec is an integral part not a bolt-on, ideally to the point that it is taken for granted by all concerned that It Will Be Done Properly.
I would love an opportunity to try out dev-races, where two or more development teams set out in parallel to build and deliver whatever it is, in friendly competition with each other.  They will all have the same fixed specs for some aspects of the delivery, but latitude to innovate in other respects e.g. methods/approaches.  At the appropriate points during the project, the 'losers' admit defeat and either depart or join the 'winners', pushing through the final, toughest activities together on the home straight.  At first glance, it sounds like it will double the costs ... but that's only for the early stages, and has the advantages of improving both motivation and the end product.  Personally, from both the security and business perspectives, I see more investment in the early stages as an opportunity more than a cost!

NBlog Sept 8 – chew before swallowing

The Global State of Online Digital Trust is a typical vendor-sponsored piece, a white paper (= marketing promotion in the guise of a 'survey') prepared by Frost & Sullivan for CA Technologies.

I say 'typical' in that they have disclosed hardly any information about the survey method and sample. The press release instructs us to see the report for "Full survey methodology details" but unless I'm blind, it looks to me as if someone either 'forgot' to write the materials-and-methods section or casually neglected to incorporate it in the published report.  Oh dear.

A CA marketing VP called it "a survey of 1,000 consumers, 350 cybersecurity professionals and 325 business executives from all over the world" whereas the press release referred to it as "The global online survey of 990 consumers, 336 security professionals and 324 business executives across 10 countries". 

We can only guess at how they might have assigned respondents between the three categories, e.g. who would not qualify as a 'consumer'? Wouldn't a CISO fall into all three groups? In the report, numbers next to the graphs appear to indicate sample sizes up to about 990.

Last time I checked, there were rather more than 10 countries in the world aside from USA BRA UK FRA GER ITA AUS IND JPN and CHN as listed in the report. If I'm interpreting those abbreviations correctly, that's well short of "all over the world".

If indeed the survey was online, that rather suggests the sample only consisted of people from the ten countries who were happy to answer an online survey - which itself implies a degree of trust in online security as well as a willingness to respond to a vendor-sponsored survey. 

It is unclear whether or how the report's conclusions relate to the survey findings ... and they are somewhat predictable given the report sponsor's commercial interests:
"CULTIVATE A CULTURE OF SECURITY Implement data protection policies that are in accordance with the world’s strictest data privacy regulations. Ensure company-wide familiarity with security policies, including among non-technical staff to reduce the risk of data breaches. 
START AT THE TOP Too many business executives see security initiatives as a negative return on investment. Alert the C-Suite to the tangible business impacts of a breach and a loss of consumer trust. 
COVER YOUR BASES Consumers consider both social and technical factors when determining whether to trust an organization; be sure that your organization has the technical foundation in place to mitigate attacks and have a response team ready to minimize damage to consumer trust in the event of a breach. 
KEEP IT SIMPLE Clear communication from organizations around policies and data handling practices is critical for building trust. Far too many organizations overestimate the degree to which consumers can easily manage their personal data online. Present your policies in simple language, and provide important details without overwhelming the consumer."
So they evidently equate "a culture of security" with data protection, data privacy and data breaches. Spot the common factor. A similar bias towards privacy law compliance and the protection of "customer data" is evident in all four paragraphs. That is an important issue, I agree, along with "cybersecurity" (an undefined term ... but I guess they mean IT security) but what about all the rest of information security: trade secrets, intellectual property, business continuity, physical and procedural security, information integrity, blah blah blah?

I freely admit to being heavily prejudiced in favour of both cultural development and management-level security awareness but their emphasis on breach impacts and consumer trust once again betrays a myopic focus on privacy breach incidents, while the conclusion about return on investment seems very suspect to me. I wonder if the survey question/s in that area were unambiguous enough to be interpreted in the same way by all the respondents? Or are the reported differences between the groups of respondents merely indicative of their distinct perspectives and assumptions? Did they even face the same questions? We can't tell since they choose not to disclose the survey questions.

The report introduces the term "Digital trust index". Sounds great, right? A metric concerning trust in, errr, digits? A percentage value relative to, um, what exactly? Oh let me guess, relative to the score conjured out of the air for this, the first report. And unfortunately for the sponsors, the term "Digital Trust Index" is already in use elsewhere.

Overall, a disappointing and essentially pointless read, like most other commercially-sponsored and heavily-promoted "surveys" I have read in my career, with few exceptions.

Clearly, I'm a slow learner, stubborn as an old boot. Venting my spleen through this blog is immensely helpful though, along with the vain hope that you might perhaps be persuaded to take a more critical look at the next "survey" that plops onto your screen. Chew it over rather than swallowing whole.

Information Security and the Zero-Sum Game

A zero-sum game is a mathematical representation of a situation in which each participant’s gain or loss is exactly balanced by the losses or gains of the other participant. In Information Security a zero-sum game usually references the trade-off between being secure and having privacy. However, there is another zero-sum game often played with Information […]

Measure Security Performance, Not Policy Compliance

I started my security (post-sysadmin) career heavily focused on security policy frameworks. It took me down many roads, but everything always came back to a few simple notions, such as that policies were a means of articulating security direction, that you had to prescriptively articulate desired behaviors, and that the more detail you could put into the guidance (such as in standards, baselines, and guidelines), the better off the organization would be. Except, of course, that in the real world nobody ever took time to read the more detailed documents, Ops and Dev teams really didn't like being told how to do their jobs, and, at the end of the day, I was frequently reminded that publishing a policy document didn't translate to implementation.

Subsequently, I've spent the past 10+ years thinking about better ways to tackle policies, eventually reaching the point where I believe "less is more" and that anything written and published in a place and format that isn't "work as usual" will rarely, if ever, get implemented without a lot of downward force applied. I've seen both good and bad policy frameworks within organizations. Often they cycle around between good and bad. Someone will build a nice policy framework, it'll get implemented in a number of key places, and then it will languish from neglect and inadequate upkeep until it's irrelevant and ignored. This is not a recipe for lasting success.

Thinking about it further this week, it occurred to me that part of the problem is thinking in the old "compliance" mindset. Policies are really to blame for driving us down the checkbox-compliance path. Sure, we can easily stand back and try to dictate rules, but without the adequate authority to enforce them, and without the resources needed to continually update them, they're doomed to obsolescence. Instead, we need to move to that "security as code" mentality and find ways to directly codify requirements in ways that are naturally adapted and maintained.

End Dusty Tomes and (most) Out-of-Band Guidance

The first daunting challenge of security policy framework reform is to throw away the old, broken approach with as much gusto and finality as possible. Yes, there will always be a need for certain formally documented policies, but overall an organization Does. Not. Need. large amounts of dusty tomes providing out-of-band guidance to a non-existent audience.

Now, note a couple things here. First, there is a time and a place for providing out-of-band guidance, such as via direct training programs. However, it should be the minority of guidance, and wherever possible you should seek to codify security requirements directly into systems, applications, and environments. For a significant subset of security practices, it turns out we do not need to repeatedly consider whether or not something should be done, but can instead make the decision once and then roll it out everywhere as necessary and appropriate.

Second, we have to realize and accept that traditional policy (and related) documents only serve a formal purpose, not a practical or pragmatic purpose. Essentially, the reason you put something into writing is because a) you're required to do so (such as by regulations), or b) you're driven to do so due to ongoing infractions or the inability to directly codify requirements (for example, requirements on human behavior). What this leaves you with are requirements that can be directly implemented and that are thus easily measurable.

KPIs as Policies (et al.)

If the old ways aren't working, then it's time to take a step back and think about why that might be and what might be better going forward. I'm convinced the answer to this query lies in stretching the "security as code" notion a step further by focusing on security performance metrics for everything and everyone instead of security policies. Specifically, if you think of policies as requirements, then you should be able to recast those as metrics and key performance indicators (KPIs) that are easily measured, and in turn are easily integrated into dashboards. Moreover, going down this path takes us into a much healthier sense of quantitative reasoning, which can pay dividends for improved information risk awareness, measurement, and management.

Applied, this approach scales very nicely across the organization. Businesses already operate on a KPI model, and converting security requirements (née policies) into specific measurables at various levels of the organization means ditching the ineffective, out-of-band approach previously favored for directly specifying, measuring, and achieving desired performance objectives. Simply put, we no longer have to go out of our way to argue for people to conform to policies, but instead simply start measuring their performance and incentivize them to improve to meet performance objectives. It's then a short step to integrating security KPIs into all roles, even going so far as to establish departmental, if not whole-business, security performance objectives that are then factored into overall performance evaluations.

Examples of security policies-become-KPIs might include metrics around vulnerability and patch management, code defect reduction and remediation, and possibly even phishing-related metrics that are rolled up to the department or enterprise level. When creating security KPIs, think about the policy requirements as they're written and take time to truly understand the objectives they're trying to achieve. Convert those objectives into measurable items, and there you are on the path to KPIs as policies. For more on thoughts on security metrics, I recommend checking out the CIS Benchmarks as a starting point.
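As an added example (mine, not the author's) of recasting one written requirement as a KPI, the patch-management case from the paragraph above: a remediation SLA ("critical findings closed within 7 days, high within 30, medium within 90") computed per team and rolled up to the enterprise from constructed findings. The SLA days, the 95% target and the sample findings are assumptions, not any organization's real figures.

```python
"""Added example (not from the original post): a patch-remediation policy
requirement recast as a computed KPI, per team and rolled up."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Tuple

# The measurable parameters of the policy sentence being recast.
# Constructed for this example; not a real organization's targets.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
TARGET_PCT = 95.0   # KPI target: share of findings remediated within SLA


@dataclass
class Finding:
    team: str
    severity: str
    opened: date
    closed: Optional[date]   # None while still open


def within_sla(f: Finding, today: date) -> Optional[bool]:
    """True/False once the SLA outcome is decided; None while the finding is
    open but not yet overdue. Open findings past their deadline count as
    misses, so a team cannot improve the KPI by never closing tickets."""
    deadline_days = SLA_DAYS[f.severity]
    if f.closed is not None:
        return (f.closed - f.opened).days <= deadline_days
    if (today - f.opened).days > deadline_days:
        return False
    return None


def patch_kpi(findings: Iterable[Finding], today: date) -> Dict[str, Tuple[int, int, Optional[float]]]:
    """Returns {team: (met, decided, pct_within_sla)} plus an 'enterprise'
    roll-up; pct is None for a team with no decided findings."""
    tallies: Dict[str, Tuple[int, int]] = {}
    for f in findings:
        verdict = within_sla(f, today)
        if verdict is None:
            continue                      # undecided: excluded from the ratio
        met, total = tallies.get(f.team, (0, 0))
        tallies[f.team] = (met + int(verdict), total + 1)
    met_all = sum(m for m, _ in tallies.values())
    tot_all = sum(t for _, t in tallies.values())
    tallies["enterprise"] = (met_all, tot_all)
    return {
        team: (m, t, round(100.0 * m / t, 1) if t else None)
        for team, (m, t) in tallies.items()
    }


def meets_target(pct: Optional[float]) -> bool:
    """The dashboard colour: green only when the measured share reaches target."""
    return pct is not None and pct >= TARGET_PCT


# Constructed sample findings (not real data).
SAMPLE = [
    Finding("payments", "critical", date(2018, 9, 1), date(2018, 9, 5)),   # 4 days: met
    Finding("payments", "high", date(2018, 8, 1), date(2018, 9, 10)),      # 40 days: missed
    Finding("payments", "medium", date(2018, 9, 10), None),                # open, not overdue
    Finding("web", "critical", date(2018, 9, 1), None),                    # open, overdue: missed
    Finding("web", "high", date(2018, 8, 20), date(2018, 9, 1)),           # 12 days: met
    Finding("web", "medium", date(2018, 7, 1), date(2018, 9, 1)),          # 62 days: met
]
TODAY = date(2018, 9, 20)

if __name__ == "__main__":
    for team, (met, total, pct) in patch_kpi(SAMPLE, TODAY).items():
        status = "on target" if meets_target(pct) else "below target"
        print(f"{team:10s} {met}/{total} within SLA = {pct}% ({status})")
```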

Better Reporting and the Path to Accountability

Converting policies into KPIs means that nearly everything is natively built for reporting, which in turn enables executives to have better insight into the security and information risk of the organization. Moreover, shifting the focus to specific measurables means that we get away from the out-of-band dusty tomes, instead moving toward achieving actual results. We can now look at how different teams, projects, applications, platforms, etc., are performing and make better-informed decisions about where to focus investments for improvements.

This notion also potentially sparks an interesting future for current GRC-ish products. If policies go away (mostly), then we don't really need repositories for them. Instead, GRC products can shift to being true performance monitoring dashboards, allowing those products to broaden their scope while continuing to adapt other capabilities, such as those related to the so-called "SOAR" market (Security Orchestration, Automation, and Response). If GRC products are to survive, I suspect it will be by either heading further down the information risk management path, pulling in security KPIs in lieu of traditional policies and compliance, or it will drive more toward SOAR+dashboards with a more tactical performance focus (or some combination of the two). Suffice to say, I think GRC as it was once known and defined is in its final days of usefulness.

There's one other potentially interesting tie-in here, and that's to overall data analytics, which I've noticed slowly creeping into organizations. A lot of the focus has been on using data lakes, mining, and analytics in lieu of traditional SIEM and log management, but I think there's also a potentially interesting confluence with security KPIs, too. In fact, thinking about pulling in SOAR capabilities and other monitoring and assessment capabilities and data, it's not unreasonable to think that KPIs become the tweakable dials CISOs (and up) use to balance out risk vs reward in helping provide strategic guidance for address information risk within the enterprise. At any rate, this is all very speculative and unclear right now, but something to nonetheless watch. But I have digressed...

---
The bottom line here is this: traditional policy frameworks have generally outlived their usefulness. We cannot afford to continue writing and publishing security requirements in a format that isn't easily accessible in a "work as usual" format. In an Agile/DevOps world, "security as code" is imperative, and that includes converting security requirements into KPIs.

Compliance and Security Seals from a Different Perspective


Compliance attestations. Quality seals like “Hacker Safe!” All of these things bother most security people I know because to us, these provide very little insight into the security of anything in a tangible way. Or do they? I saw this reply to my blog post on compliance vs. security which made an interesting point. A point, I dare say, I had not really put front-of-mind but probably should have.

Ron Parker was of course correct…and he touched on a much bigger point that this comment was a part of. Much of the time compliance and 'security badges', aka "security seals", on websites aren't done for the sake of making the website or product actually more secure … they're done to assure the customer that the site or entity is worthy of their trust and business. This is contrary to conventional thinking in the security community.

Think about that for a second.

With that frame of reference, all the push to compliance and all the silly little “Hacker Safe!” security seals on websites make sense. Maybe they’re not secure, or maybe they are, but the point isn’t to demonstrate some level of absolute security. The point is to reassure you, the user, that you are doing business with someone who thought about your interests. Well…at least they pretended to. Whether it’s privacy, security, or both… the proprietors of this website or that store want to give you some way to feel safe doing business with them.

All this starts to bend the brain a bit, around the idea of why we really do security things. We need to earn someone's business, through his or her trust. The risks we take on the road to earn their business …well that's up to us to worry about. Who do you suppose is more qualified to make the assessment of 'appropriate risk level' – you or your customers? With some notable exceptions the answer won't be your customers.

Realistically you don’t want your customers trying to decide for themselves what is or isn’t appropriate levels of security. Frankly, I wouldn’t be comfortable with this either. The reality behind this thinking is that the customer simply doesn’t know any better, typically, and would likely make the wrong decision given the chance. So it’s up to you to decide, and that’s fair. Of course, this makes the assumption that you as the proprietor have the customer’s interests in mind, and have some clue on how to do risk assessments and balance risk/reward. Lots to assume, I know. Also, you know what happens when you ass-u-me, right?

So let's wind back to my point now. Compliance and security seals are a good thing. Before you pick up that rock to throw at me, think about this again. The problem isn't that compliance and "security seals" exist but that I think we're misunderstanding their utility. The answer isn't to throw these tools away and create something else, because that something else will likely be just as complicated (or useless) and needlessly waste resources on solving a problem that already is somewhat on its way. Instead, let's look to make compliance and security seals more useful to the end customer so you can focus on making that risk equation balance in your favor. I don't quite know what that solution would look like, yet, but I'm going to investigate it with some smart people. I think ultimately there needs to be some way to convey the level of security 'effort' by the proprietor, which becomes binding so that the owner can be held liable for providing false information, or stretching the truth.

With this perspective I think we could take these various compliance regulations and align them with expectations that customers have, while tying them to some security and risk goals. This makes more sense than what I see being adopted today. The goal isn’t to be compliant, well, I mean, it is … but it’s not to be compliant and call that security. It’s to be compliant as a result of being more secure. Remembering that the compliance thing and security seal is for your customers is liberating and lets you focus on the bigger picture of balancing risk/reward for your business.


What do you think? Am I totally off my rocker?

Harmonizing Compliance and Security for the Enterprise – The Introduction

Pursuit of compliance in the enterprise is proving to be a staggeringly bad security investment, if you ask nearly any enterprise security professional. And yet, we continue to see companies who get breached fall back on the same press releases: "We were PCI-DSS compliant! It's not our fault we were breached!"

I ask myself why, every time it happens. I still don't have a good answer.


Sure, "management just doesn't get it" sounds right but it's getting old and tired. At some point, complaining about management becomes old hat, and you have to start asking yourself whether this is somehow your fault. Breaches are becoming a fact of life in the enterprise, whether you like it or not - whether your board and CEO like it or not - so it's just time to deal with it.


Compliance ~ Security

The truth is good security leads to good compliance. The converse is absolutely not true. Good compliance is just ... compliance and speaks very little about actual security. So again, why is it so many enterprise security programs base their models around compliance goals? I'll try and answer that in just a minute...

If strong security and business-relevant security drives good behaviors which naturally lead to more ready compliance - why aren't we following this path? I think there is some magic here still, which is why this isn't an openly and easily adopted technique. I think it's still difficult to produce legitimate data (ultimately everything else is black magic and voodoo) which proves that because of security measure A costing you $100,000 you filled compliance regulations B, C, and D which each would have independently cost the organization $80,000 - thus saving your enterprise $140,000.

There is much to this, of course. You have to be able to demonstrate first and foremost that security measure A actually accomplishes some goal (beyond saving you on compliance) - which requires you to be able to measure the positive impact of your security investment ...again largely black magic in any enterprise I've had personal experience with. Then you have to successfully draw linkage between security measure A and compliance regulation B, C and D - again largely black magic out there.

What I'm saying is that it's a completely do-able thing: doing security right, by aligning it to the business and then letting compliance regulations naturally follow as side-effects. The reason we are not seeing this is that it's not something many people are good at. What we are good at is hearing "APT" and immediately thinking "Ooh, my sales rep says FireEye solves that problem, I must buy it". FUD sells. You know it. I know it. Marketing departments at every security product vendor out there know it. (I can speak from experience here...)


My Guess

The fact of the matter is, I think, that organizations feel that the risk of being non-compliant in some manner is higher than being breached. This is the only thing that makes sense to me. If I had a finite pool of capital, say, $250,000 for a round number, and I had to either meet as many compliance regulations as I could or implement security protocols in accordance with our security strategy - it might make sense to pursue the compliance stuff. What could possibly make me think this insane way? Lawyers.

People like to sue, this is America after all. If you as the corporate victim of a successful breach give even the slightest hint that you didn't do all the stuff some regulatory body set aside for you - it's like a papercut in a shark tank. You're about to be torn to pieces and devoured.

Tell me I'm wrong... lawsuits by individuals, class-action suits and the like are gaining ground and while they haven't broadly been successful yet it only takes one to set that crazy precedent we all fear. It takes just one company to successfully be sued for being non-PCI-DSS compliant when they experienced their massive credit-card-stealing breach for the FTC or some regulatory body to admonish them publicly. Now we have our blood in the water and lawyers start foaming at the mouth... you're toast.


Now What?

So. Now what? I hate articles which lay out problems and don't offer any meaningful crack at a solution. So here goes... I'll offer my suggestions in a convenient 5-step program. It doesn't come in a rack-mountable 2U chassis, and it doesn't have a compliance guarantee... and you may not even be comfortable with this. I don't blame you, it's not easy stepping away from the mainstream herd mentality.

  1. Draw it out - Step 1 is to take a giant whiteboard (or an equivalent) and draw out your security program goals on one side of a whiteboard. (I'm assuming you have program goals... if you don't, stop now, make some, and then have your business approve them.) On the other, draw up the compliance requirements. In the middle write down the business goals for your enterprise/organization/whatever. Now map the relationships between them... this is going to be harder than you think.
  2. Discard the junk - Now that you've got things nice and neat, look for obvious patterns. Some security initiatives will have many lines coming from them to something in the middle (the business goals). Same goes for the compliance side to business goals. The items with the highest levels of connectedness (most lines connected to them) are your highest priorities from the right and left sides. If anything has no connected lines, throw it away. Now re-order the items in order of connected importance and throw away things that appear to be insignificant. You're going to have to let go of things that you think are important when your objective data analysis is telling you otherwise. Yes this will sting a bit, potentially.
  3. Make the case - Now that you know what security measures serve the most business goals, and which of those meet the most amount of compliance regulations make a business case for this approach. I think you can handle writing up a business case based on this approach, so I'll leave you to it.
  4. Define measurements - Now that you've written your business case, and the business has overwhelmingly shown you support (well, maybe not quite that dramatically), you need to define how you're going to define and measure success. What does success look like? How does the stuff on the far left (the security measures) look when it's going well? Hint: start with operational metrics around detection and response... prevention is a fool's errand. Then demonstrate that your security measures really are creating a better climate of compliance - generally this means that there is less time wasted when the auditors announce their imminent arrival.
  5. Execute - Now that you know what security measures impact the most business goals, and turn the crank on the most compliance requirements - get it done. Execute with great care, making sure to measure as you go so you have a baseline from where you started, and then incrementally measure gains and losses because let's face it no one gets it right every time, all the time.
Now you'll hopefully have a data-backed (evidence is so compelling when it's real) strategy that's either working, or it's not. Either way you can adjust. You're doing things to improve security, and you're making compliance less of a headache.

I call that a win.

Virtual Directory as Database Security

I've written plenty of posts about the various use-cases for virtual directory technology over the years. But, I came across another today that I thought was pretty interesting.

Think about enterprise security from the viewpoint of the CISO. There are numerous layers of overlapping security technologies that work together to reduce risk to a point that's comfortable. Network security, endpoint security, identity management, encryption, DLP, SIEM, etc. But even when these solutions are implemented according to plan, I still see two common gaps that need to be taken more seriously.

One is control over unstructured data (file systems, SharePoint, etc.). The other is back-door access to application databases. There is a ton of sensitive information exposed through those two avenues that isn't protected by the likes of SIEM solutions or IAM suites. Even DLP solutions tend to focus on perimeter defense rather than on who has access. STEALTHbits has solutions to fill the gaps for unstructured data and for Microsoft SQL Server, so I spend a fair amount of time talking to CISOs and their teams about these issues.

While reading through some IAM industry materials today, I found an interesting write-up on how Oracle is using its virtual directory technology to solve the problem for Oracle database customers. Oracle's IAM suite leverages Oracle Virtual Directory (OVD) as an integration point with an Oracle database feature called Enterprise User Security (EUS). EUS enables database access management through an enterprise LDAP directory (as opposed to managing a spaghetti mapping of users to database accounts and the associated permissions).

By placing OVD in front of EUS, you get instant LDAP-style management (and IAM integration) without a long, complicated migration process. Pretty compelling use-case. If you can't control direct database permissions, your application-side access controls matter a lot less. Essentially, you've locked the front door but left the back window wide open. Something to think about.
