Category Archives: Risk Management

Workplace Expectations and Personal Exceptions: The Social Flaws of Email Security

Even though they’ve been around for quite some time, phishing attacks continue to climb. According to Proofpoint’s 2019 “State of the Phish Report,” 83 percent of businesses experienced a phishing attack and 64 percent of security professionals encountered spear phishing threats in 2018. New vectors are also emerging: As noted by Forbes, software-as-a-service (SaaS) credential theft, messaging app attacks and malicious link embedding within shared files are all on the horizon for 2019.

The data begs the question: What’s wrong with email security? For years, thought leadership articles and information security experts alike have been recommending commonsense best practices that should curtail email attack efforts. Don’t click on unknown links. Don’t open unsolicited attachments. Use automated detection tools. And yet phishers are hauling in bigger catches than ever before, expanding their operations to include new threats and grab more data.

I believe the problem is tied to phishing’s fundamental premise: Social barriers are far easier to break than their technological counterparts. By exploiting critical social flaws — specifically, workplace expectations and personal exceptions — attackers can gain the upper hand.

Email Still Reigns Supreme

Despite recent challenges from up-and-comers such as social messaging apps and unified collaboration tools, email still reigns supreme in the workplace. As noted by CMS Wire, “There appears to be a general consensus that while social networks are useful to achieve work-related goals, email remains the undisputed communications tool in the enterprise.”

Email is timely and transparent — users can quickly send and receive information while creating a digital paper trail. Unlike some messaging apps, users can include attachments and draft longer responses and, since email exists outside of most collaboration continuums, employees can temporarily take a break from their inbox.

But that’s not the whole story. For better or worse, corporate email itself is a kind of social network. As Nathan Schneider, a professor of media studies at the University of Colorado, told The New York Times, “Email is the most resilient social network on the internet.” While it lacks the bells and whistles of social media platforms and the intimacy of face-to-face communication, email has evolved its own set of social rules around usage, etiquette and response times. For example, users are expected to create clear subject lines, reply to all emails (even if received in error), limit the amount of humor and restrict the use of punctuation such as exclamation marks, as noted by Inc.

The rise of interactive business email compromise (BEC) attacks also speaks to the social nature of email. New BECs don’t start with malicious payloads, but instead leverage short social messages to compel employee replies and create a compelling, albeit fake, interactive dialogue before dropping infected documents.

Simply put, email is the biggest, most used social network in the enterprise — and that’s not changing anytime soon.

The Psychology of Urgent Requests

The fundamentally social nature of email leads us to our first security issue: expectations.

Consider common phishing security advice that warns against emails marked “urgent” or “DO NOW.” Why the focus? Because humans are naturally conditioned to meet social norms and feel substantial pressure to conform. According to the Harvard Business Review, “Throughout our careers, we are taught to conform — to the status quo, to the opinions and behaviors of others, and to information that supports our views.” What’s more, as noted by Psychology Today, this conformity is accelerated in a small group setting — such as a corporate team or enterprise department — and further enhanced, according to Psych Central, by neurotransmitters such as dopamine that are produced when humans are part of a social group.

As a result, when it comes to well-written phishing emails that are purportedly coming from CEOs or HR managers, staff are preconditioned to reply ASAP with requested information — even if they’ve had previous security training. Social pressure almost invariably trumps learned email security.

It Won’t Happen to Me!

While socially driven email networks increase the likelihood of faux-insider messages getting through the security chain, what about outside attacks? Much time and attention has been devoted to educating employees about the telltale signs of external phishing attempts, such as emails purportedly from financial institutions, government agencies or new business contacts.

Here, another facet of human social interaction is at work: Our natural disposition to believe we’re better than everyone else. It’s called the superiority illusion and, as noted by Scientific American, causes most people to think they’re better than average at most things, such as the ability to spot and prevent phishing attacks.

Since it’s impossible for the majority of people to be above average, the result is that advanced spam and phishing campaigns that make it past initial defenses may get overlooked by overconfident employees who assume they would recognize any sign of these attacks. It’s the old “it won’t happen to me” argument: Users presume they’ve got all the knowledge they need to spot attacks, and if they’re victimized, there’s no way anyone could have seen it coming.

Evolve Your Email Security Strategy

What does this mean for companies looking to prevent phishing attacks?

First, there’s no need to ditch current security training. But, as CSO Online pointed out, it’s also a good idea to educate users on how not to craft an email. Don’t be your own worst enemy by sending unexpected, hastily typed emails with “URGENT” in the subject line.

Fundamental shifts in email security, however, require a rethinking of current best practices. To handle social expectation issues, companies must adopt top-down cultural change that prioritizes safety over speed. This is easier said than done when CEOs need hard data for stakeholders or chief financial officers (CFOs) are handling financial fluctuations in real-time, but giving staff time to double-check message origins and intentions before replying goes a long way toward reducing the number of reeled-in employees.

For security professionals, this means developing the ability to present potential phishing losses as line-of-business issues. In practice, this requires leading with context: How are current security issues impacting strategic objectives such as cost savings, customer confidence and regional performance? This can help shore up the notion that time lost to double-checking email requests via phone calls, face-to-face meetings or other methods is preferable to the monetary loss associated with successful attack campaigns.

Dealing with exceptional behavior, meanwhile, starts with a layered email security approach that eliminates obvious phishing attempts before they hit inboxes. Another key component of this defensive strategy is artificial intelligence (AI). AI-based tools capable of analyzing enterprise communication patterns and spotting inconsistencies already exist. Making them applicable to “above-average” phishing finders means leveraging a kind of low-key notification process, in turn aligning with user beliefs about their own ability to recognize phishing attempts.

Address the Human Components of Phishing

Email remains the top enterprise communication method and the obvious choice for attackers looking to compromise business networks. While current email security solutions can help mitigate phishing impacts, companies must recognize the role of corporate email as a social network to address the critical human components of this risk: social expectation and the superiority exception.

The post Workplace Expectations and Personal Exceptions: The Social Flaws of Email Security appeared first on Security Intelligence.

Are You Really Covered by Your Cyber Insurance?

The whole point of IT security is to minimize risk, and risk is, ultimately, a financial reality. A well-run organization practices risk mitigation by not only using the best tools, services and methods for maximizing data security, but also increasingly by augmenting great security with the right cyber insurance.

As we know, the cyberthreat landscape is in a constant state of change. It’s a contest between evolving threats on the one side, and the security knowledge, options, resources, products and services on the other. The insurance landscape is also in a constant state of change. Yet too many organizations treat this kind of insurance either as unnecessary or as a necessary but generic, turnkey, set-it-and-forget-it checkbox item. In fact, it’s an important, complicated and necessary financial service that needs to be frequently reviewed, reconsidered and updated.

With new and evolving threats to your organization’s financial well-being, it’s time to rethink what you know about cyber insurance.

Why Most Companies Aren’t Covered

Cyber insurance is a relatively new phenomenon for most companies. Only 38 percent of organizations are covered by data insurance, according to Spiceworks, a social exchange for IT services. Of those covered, around 45 percent have had coverage for less than two years and only 24 percent have been covered for more than five years. Furthermore, only 11 percent of those without insurance plan to buy a policy within the next two years.

That means knowledge about and experience with insurance is understandably incomplete at most organizations. As a result, corporate leadership is often unsure about its value or about the specifics of coverage.

Unfamiliarity with the finer points of insurance is also evident in the Spiceworks survey. Of the organizations not covered, the top reasons for not yet purchasing cyber insurance are that it just isn’t a priority at the organization (41 percent), a lack of budget (40 percent), a lack of knowledge about insurance (36 percent), and it’s simply not required by regulations at the organization (34 percent).

This lack of understanding is very troublesome given the average total cost of a data breach ranges from $2.2 million to $6.9 million, according to the “2018 Cost of a Data Breach Study” from the Ponemon Institute and IBM Security. For bigger breaches at larger companies, the cost can soar into the hundreds of millions of dollars.

A wide gap exists between the actual need for insurance and the perceived need. It’s time to change that.

Insurance Against Hacks? You Don’t Know the Half of It

Most people in the industry would say that the point of cyber insurance is to protect against the financial hit from an attack, right? This may be true, but not always.

Verizon’s “2018 Data Breach Investigations Report” investigated more than 53,000 incidents and more than 2,000 confirmed breaches. They found that around 73 percent of data breaches took place because of external attackers, while 28 percent involved employees and other insiders.

Unfortunately, insurance coverage sometimes focuses on external hacks to the exclusion of “inside jobs,” accidents, service provider errors and other non-hacking causes.

Going back to the Spiceworks report, policies can vary greatly: Liability is covered by 78 percent of cyber insurance policies, electronic data by 75 percent and legal or investigative fees by 69 percent. But only around 52 percent of those policies cover loss of income or cyber extortion losses, and only 35 percent cover damage to reputation.

In addition, according to U.K. insurance governance company Mactavish, many insurance policies contain eight major flaws:

  1. They cover attacks or hacks, but may not cover accidents and errors;
  2. They cover only costs required by law, but may not cover the total incident costs;
  3. Coverage is limited to the time of the network interruption, but may not cover business disruption;
  4. They may limit or exclude systems delivered by outsourced service providers;
  5. They may exclude software or systems in development or beta;
  6. They may not cover incidents caused by contractors;
  7. Notification requirements may be too complicated; and
  8. They may only cover insurer-appointed advisers and specialists.

When considering your options for cyber insurance, keep an eye out for these common exceptions to ensure you’re picking the plan that best fits your business needs.

How Compliance Complicates Coverage

In addition to focusing on data breaches, organizations must pay attention to a complex and evolving regulatory environment. Enterprises now face a new world of regulatory compliance around privacy, from the General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA), which will go into effect on Jan. 1, 2020.

It’s tempting to respond to this by saying, “We’ll just comply, of course, and all will be well.” But it’s not that simple. Fines for noncompliance could be enormous, and companies can be fined for not only violations or potential violations of user privacy, but also for how personal data is collected, stored, processed and even how the collection is communicated to the public.

All this is new, and it’s likely that in the coming years, many organizations will be slapped with hefty fines for misunderstanding the laws’ fine print, how they express and organize their privacy policies, how user data is processed, and other peripheral or secondary matters.

Bringing it back to cyber insurance, many policies will not cover fines or other costs if the violation is around the processing of data or communication of policy. Some U.S. states even ban insurance coverage for regulatory fines of any kind, and insurance companies strike that coverage in those states. Compliance is becoming an increasingly relevant aspect of insurance, but many insurance policies just don’t fully cover it.

It’s Often a Matter of Interpretation

One problem with an unsophisticated approach to insurance is that organizations can accept policies that don’t cover them. Another problem is having a different interpretation of those policies than the provider, which can be a costly misunderstanding.

One interesting example is what I call the “act of war” clause: Many policies will cover a breach, unless that breach is the result of an “act of war” by a nation state.

That sounds reasonable. The trouble is, some of the most sophisticated and damaging exploits are developed by these threat actors. Some are created by one government, modified by another, then deployed by who-knows. This could provide a loophole for insurance providers that don’t want to pay up. They can argue that a hack enabled by malware developed by a foreign government means the attack was an “act of war,” and therefore not covered under the policy.

How to Find Cyber Insurance Coverage That Fits

The important takeaway here is to not make assumptions about coverage. Read the fine print. Pay special attention to liabilities around compliance, including fines.

Ideally, the right insurance offers cyber risk mitigation that offsets some or all of the costs when recovering from a breach or other security event. The right policy will compensate for not only lost business during business or network interruption, but also lawsuits and even extortion costs.

It’s also important to understand that insurance won’t cover you if you’re not protecting yourself with great security software, systems and policies. If your company is negligent with security, the insurance companies won’t pay.

First, make sure you’ve got strong cybersecurity systems, tools and procedures in place. Then, shop around for the cyber insurance plan that works best for you — and read the fine print. Negotiate for a policy that truly and fully covers all possible financial loss for everything having to do with data — from attacks to accidents to compliance. Lastly, review your coverage regularly as cyber risks evolve.

Cybersecurity Leaders From Maersk and Westfield Insurance Discuss Digital Transformation at Major Industry Event

In June 2017, the cybersecurity world changed. As soon as NotPetya began infecting systems in Ukraine and spreading across Europe and beyond, it became clear that the intent of this worm wasn’t espionage, distributing malware or holding data for ransom. Rather, it was designed to destroy data, shut down systems and create havoc.

One of the most severely impacted organizations was global shipping giant Maersk, which transports 20 percent of the world’s trade goods. When Maersk’s systems went down, it sent shockwaves around the world and caused security observers to shudder. NotPetya was apparently a cyberweapon launched against Ukraine, but a far greater number of countries and organizations became collateral damage.

It was a wake-up call for Maersk, according to Andy Powell, who joined the company as its new chief information security officer (CISO) in June 2018, a year after the NotPetya attack.

“What Maersk was very strong at was our ability to recover,” Powell said in a fireside chat with IBM Security General Manager Mary O’Brien on Tuesday, the opening night of the 2019 IBM Think conference. “Balancing business resilience with preventative measures means that any company can address some of these high-end attacks, but you’ve got to accept that some of them are going to get through. And therefore, you need to be able to recover your business.”

While cybersecurity inevitably changed in the wake of NotPetya, it’s continuing a rapid transformation as businesses digitize and create ever more data. O’Brien and Powell discussed these profound shifts during their chat, along with Kevin Baker, CISO of Westfield Insurance, who underscored the impacts of digital transformation on data security, risk and compliance.

Lessons in Resiliency and Agile Security

In the age of cloud and connected everything, the volume of data being produced has exploded, along with opportunities for greater insights, innovation and new business models. This digital transformation has broad implications for security.

“Our clients want to know where their containers are, they want to know what part of the process is involved, they want to know information around what they’re moving,” Powell said. “We can provide that as part of the transformation.”

To secure digital innovation for clients, alongside its legacy systems, Maersk’s security team has taken an agile approach. Security is frequently seen as a roadblock to innovation, Powell said. Bringing together project teams and the security organization helps speed innovations to market by building security into the process from the beginning.

“The reality is the security people need to be working with them in those teams to actually integrate security from day one, and that’s starting to really pay off, because we’re no longer seen as the outsiders,” Powell said. “We’re seen as somebody who is prepared to adopt the culture and work with them. That teamed approach is very important.”

Focus on Data Security, Risk and Compliance

Ohio-based Westfield Insurance, with $4.9 billion in assets, has been in business since 1848. That means “a lot of data,” Baker said during the Think fireside chat.

“Because of digitization, it’s a veritable explosion of data. Our job is to know what data we have, where it is, how many copies of it we have, where it’s moving, who can access it and what the criticality of that data is so we can focus on data that has a regulatory import,” Baker said.

Baker’s team focuses on governance and risk, monitoring existing regulations like the New York Department of Financial Services (NYDFS) cybersecurity regulation. And they look to the horizon for emerging compliance risks, such as California’s data privacy law, which will take effect in January 2020.

The California Consumer Privacy Act (CCPA) follows in the footsteps of the European Union (EU)’s General Data Protection Regulation (GDPR) with strict data privacy mandates, including a “right to be forgotten,” whereby companies will be required to destroy certain types of customer data.

“‘Forget me’ is a new capability that we have to solve for,” Baker said. “So we’re looking for ways that we can tag the data, move the security control down at the data element, and use the same tagging and process in multiple ways. It’s more than data classification, but it starts there.”

How Can Digital Transformation Help Reduce Complexity?

Digital transformation in business — through the adoption of technologies such as the cloud, artificial intelligence, and mobile and smart devices — has had major implications for the security industry as well. Although security products have made strides in protecting businesses beyond the traditional firewall, complexity is a hidden cost of innovation.

“We believe the No. 1 challenge is the complexity that we — the vendors and our clients — have jointly created,” O’Brien said during her chat at the IBM Think conference, her first as IBM Security general manager. “We got here because we let the latest threat of the day or requirement drive our technology and our strategy. So every time there was a new attack, a new merger, a new regulation, we created a new tool.”

The second problem of security innovation, O’Brien added, is that these products are created, purchased and deployed in silos. They are not integrated and don’t naturally talk to each other. According to O’Brien, it’s time to eliminate this complexity to enable business innovation and transformation.

This past October, IBM Security launched IBM Security Connect, a simple, open and connected cloud platform that can automatically access security data no matter where it resides. This enables security teams to take advantage of existing investments, from IBM or other vendors, without compromising effectiveness.

“You have insights today, but not total insights,” O’Brien said. “But because Connect can tap into your existing data wherever it is, you will see the full picture of your security situation without having to migrate your data or manually integrate it.”

For his part, Baker said limiting the number of tools but integrating them across multiple vendor systems is key to making strides toward his team’s data security goals.

“We elected to use not more security tools, but fewer security tools. We chose tools that were on their own pretty powerful, things like IBM’s QRadar and Guardium. Then we integrated that with other vendors,” Baker explained. “We use these tools to create our own link and do our own analysis. Not just the net-new data, but even the legacy data, and then to analyze that data as a single unit, to track the most critical data. We know that we can’t track it all. We need to zero in on what’s important.”

What Have We Learned About Data Protection After Another Year of Breaches?

There was no shortage of talking points on data protection in 2018, from concerns over data risk and compliance requirements to the challenges of operational complexities. When we surveyed some of the most prominent trends and themes from the last year, three topics stood out among the many facets of these core cybersecurity challenges: regulatory compliance, data breach protection and risk management.

As we settle into 2019, let’s take a closer look at what we learned in the past year and explore how organizations around the world can improve their data security posture in the long term.

Navigating Your GDPR Compliance Journey

When the General Data Protection Regulation (GDPR) took effect last May, companies were seeking guidance and best practices to address their compliance challenges. Although this sense of urgency is beginning to diminish, the demand for data privacy controls will only increase as organizations across industries and geographies adjust to the post-GDPR world.

In January 2020, the California Consumer Privacy Act (CCPA) will go into effect, and Brazil’s data protection law, Lei Geral de Proteção de Dados Pessoais (LGPDP), will kick in the following month. Many of the processes and requirements — not to mention the benefits — associated with GDPR compliance will be highly relevant to organizations’ preparations for these new regulations. In the year ahead, security teams should continue to focus on:

  • GDPR readiness: Complying with GDPR can require changes across nearly every aspect of your business, from customer communications to social media interactions and data protection processes for handling and storing personal and financial information. Analyze your GDPR readiness and kick-start compliance with this five-phase GDPR action plan.
  • How to report a breach: The GDPR requires companies to report a breach within 72 hours of their becoming aware of it, where feasible — an unprecedented timeline. Be sure to understand the requirements for reporting a breach, from the root cause to the assessment of the scope and the mitigation action plan.
  • GDPR and business success: Beyond the challenges and demands of compliance, the GDPR can be good for your business. When managed appropriately, compliance can help drive the organization to a more robust and future-proof security posture.

Data Protection Is a Hot Topic as Breaches Soar

Given that 27 percent of organizations will experience a recurring material breach in the next two years — coupled with the rapid proliferation of attack vectors such as the internet of things (IoT) — it’s no surprise that data security was top of mind for security professionals in 2018. Below are some of the salient themes:

  • Avoiding breaches: Data breaches are on the rise, due in part to an increase in the number of attack vectors created by complex IT environments. Yet many of these breaches are preventable. While every organization’s challenges are different, some of the most common data security mistakes can put enterprise and customer data at serious risk.
  • Responsibility: Who is responsible for data risk management? Blamestorming — the unpleasant, often futile process of pointing fingers — often follows a breach. By determining who is ultimately accountable before a breach, the C-suite can help prevent a breach in the first place and avoid the blamestorming.
  • Maintaining control over data: With the increasing number of ransomware variants, it’s critical to augment ongoing user education with technical controls and processes for optimal protection. Yet these measures can only do so much; technologies and processes that deliver preventive protection and instant remediation can help you maintain control of your data in the face of an attack.

Gain the Upper Hand Through Risk Management

Hand in hand with concerns about breaches, organizations are proactively seeking ways to understand, reduce and mitigate the risks that lead to these breaches. The third most popular topic covered a variety of risk mitigation and management themes that can help organizations on their journey toward smarter data protection, including:

  • Formalizing processes: Proactively finding and protecting the crown jewels is the only pre-emptive advantage organizations have in the battle of the breach. Creating and deploying formal risk management processes can help organizations evaluate information assets and the vulnerabilities that threaten to compromise them.
  • Structured versus unstructured data: Both structured and unstructured data are core business assets. That’s why it’s important to understand the differences between them and key considerations for assessing the risk levels for both structured and unstructured data when building a data protection strategy.

As you grapple with today’s data privacy, protection and risk management challenges — and prepare for tomorrow’s — these lessons, best practices and expert opinions from 2018 can help guide your security strategy and improve your data protection posture in 2019 and beyond.

Intel SGX Can Be Abused to Hide Advanced Malware: Researchers

A team of researchers has demonstrated that Intel’s SGX technology can be abused to hide an advanced and stealthy piece of malware that could allow attackers to steal data and conduct activities on the victim’s behalf. Intel says its technology works as intended and it’s not designed to block these types of attacks.

Are Applications of AI in Cybersecurity Delivering What They Promised?

Many enterprises are using artificial intelligence (AI) technologies as part of their overall security strategy, but results are mixed on the post-deployment usefulness of AI in cybersecurity settings.

This trend is supported by a new white paper from Osterman Research titled “The State of AI in Cybersecurity: The Benefits, Limitations and Evolving Questions.” According to the study, which included responses from 400 organizations with more than 1,000 employees, 73 percent of organizations have implemented security products that incorporate at least some level of AI.

However, 46 percent agree that rules creation and implementation are burdensome, and 25 percent said they do not plan to implement additional AI-enabled security solutions in the future. These findings may indicate that AI is still in the early stages of practical use and its true potential is still to come.

How Effective Is AI in Cybersecurity?

“Any ITDM should approach AI for security very cautiously,” said Steve Tcherchian, chief information security officer (CISO) and director of product at XYPRO Technology. “There are a multitude of security vendors who tout AI capabilities. These make for great presentations, marketing materials and conversations filled with buzz words, but when the rubber meets the road, the advancement in technology just isn’t there in 2019 yet.”

The marketing Tcherchian refers to has certainly drummed up considerable attention, but AI may not yet be delivering enough when it comes to measurable results for security. Respondents to the Osterman Research study noted that the AI technologies they have in place do not help mitigate many of the threats faced by enterprise security teams, including zero-day and advanced threats.

Still Work to Do, but Promise for the Future

While applications of artificial intelligence must still mature for businesses to realize their full benefits, many in the industry still feel the technology offers promise for a variety of applications, such as improving the speed of processing alerts.

“AI has a great potential because security is a moving target, and fixed rule set models will always be evaded as hackers are modifying their attacks,” said Marty Puranik, CEO of Atlantic.Net. “If you have a device that can learn and adapt to new forms of attacks, it will be able to at least keep up with newer types of threats.”

Research from the Ponemon Institute predicted several benefits of AI use, including cost-savings, lower likelihood of data breaches and productivity enhancements. The research found that businesses spent on average around $3 million fighting exploits without AI in place. Those who have AI technology deployed spent an average of $814,873 on the same threats, a savings of more than $2 million.

Help for Overextended Security Teams

AI is also being considered as a potential point of relief for the cybersecurity skills shortage. Many organizations are pinched to find the help they need in security, with Cybersecurity Ventures predicting the skills shortage will increase to 3.5 million unfilled cybersecurity positions by 2021.

AI can help security teams increase efficiency by quickly making sense of all the noise from alerts. This could prove to be invaluable because at least 64 percent of alerts per day are not investigated, according to Enterprise Management Associates (EMA). AI, in tandem with meaningful analytics, can help determine which alerts analysts should investigate and discern valuable information about what is worth prioritizing, freeing security staff to focus on other, more critical tasks.

“It promises great improvements in cybersecurity-related operations, as AI releases security engineers from the necessity to perform repetitive manual processes and provides them with an opportunity and time to improve their skills, learn how to use new tools, technologies,” said Uladzislau Murashka, a certified ethical hacker (CEH) at ScienceSoft.

Note that while AI offers the potential for quicker, more efficient handling of alerts, human intervention will continue to be critical. Applications of artificial intelligence will not replace humans on the security team anytime soon.

Paving an Intelligent Path Forward

It’s important to consider another group that is investing in AI technology and using it for financial gain: cybercriminals. Along with enterprise security managers, those who make a living by exploiting sensitive data also understand the potential AI has for the future. It will be interesting to see how these capabilities play out in the future cat-and-mouse game of cybersecurity.

AI in cybersecurity is still in the early stages of its evolution, and its potential has yet to be fully realized. As security teams continue to invest in and develop AI technologies, these capabilities will someday be an integral part of cyberdefense.

The post Are Applications of AI in Cybersecurity Delivering What They Promised? appeared first on Security Intelligence.

Security roundup: February 2019

We round up interesting research and reporting about security and privacy from around the web. This month: security as a global business risk, insured vs protected, a 12-step programme, subject access requests made real, French fine for Google, and an imperfect getaway.

Risks getting riskier

Some top ten lists are not the kind you want to appear on. Data theft and cyber attacks both featured in the World Economic Forum’s Global Risks Report 2019. Only threats relating to extreme weather, climate change and natural disasters ranked above both security risks.

The report is based on a survey which asked 1,000 decision makers to rate global risks by likelihood over a 10-year horizon. As ZDNet reports, 82 per cent of those surveyed believe there’s an increased risk of cyberattacks leading to the theft of money and data. Some 80 per cent believe there’s a greater risk of cyberattacks disrupting operations.

The report also refers to the increased risk of cyberattacks against critical infrastructure, along with concerns about identity theft and decreasing privacy. The WEF’s overview includes a video of a panel discussing the risks, and the report itself is free to download.

Insuring against cyber attacks

Thinking of buying cyber risk insurance in the near future? The legal spat between Mondelez and Zurich might give pause to reconsider. The US food company sued its insurer for refusing to pay a $100 million claim for ransomware damages. NotPetya left Mondelez with 1,700 unusable servers and 24,000 permanently broken laptops. Zurich called this “a hostile or warlike action” by a government or foreign power which therefore excluded it from cover.

As InfoSecurity’s story suggests, Zurich might have been on safer ground by invoking a gross negligence clause instead, since Mondelez got hit not once but twice. And where does this leave victims? “Just because you have car insurance does not mean you won’t have a car crash. Just because you have cyber insurance does not mean you won’t have a breach,” said Brian Honan.

Lesley Carhart of Dragos Security said the case would have implications for cyber insurance sales and where CISOs spend money. “Not only is Zurich’s claim apparently that nation state adversaries can’t be insured against, but it adds the ever tenuous question of attribution to insurance claims,” she wrote.

The 12 steps to better cybersecurity

Somewhat under the radar, but no less welcome for that, Ireland’s National Cyber Security Centre has published guidance on cybersecurity for Irish businesses. It’s a high-level document that takes the form of a 12-step guide. It’s written in non-technical language, clearly intended for a wide audience. The steps include tips like getting senior management support for a cybersecurity strategy. The full report is free to download from here. We’ve taken a deep dive into the contents and you can read our thoughts here.

Fight for your right to part…ake of your data

GDPR obliges companies to cough up the personal data they hold about us on request, but what does that mean in practice? Journalist Jon Porter exercised his right to a subject access request with Apple, Amazon, Facebook, and Google. Just under 138GB of raw data later, he discovered that little of the information was in a format he could easily understand. If some of the world’s biggest tech companies are struggling with this challenge, what does that say for everyone else? It’s a fascinating story, available here.

Google grapples French fine

And speaking of all things GDPR-related, France’s data protection regulator CNIL has hit Google with a €50 million fine for violating the regulation. The CNIL claims Google didn’t make its data collection policies transparent enough and didn’t obtain sufficient, specific consent for personalising ads.

As Brian Honan wrote in the SANS Institute newsletter: “While the €50 million fine is the item grabbing the headlines, the key issue here is the finding by CNIL of the unlawfulness of Google’s approach to gathering people’s personal data. This will have bigger implications for Google, and many other organisations, in how they ensure they legally gather and use people’s personal data in line with the GDPR.”

You can run, but you can’t hide

Here’s a cautionary tale about the dangers of oversharing personal data on smart devices. UK police collared a hitman for an unsolved murder after data from his GPS watch linked him to scouting expeditions of the crime scene. Runners World covered the story and the Liverpool Echo published CCTV footage of an alleged recon trip near the victim’s home.

It’s an extreme example maybe, but the story shows how heavy our digital footprints can be (running shoes or not). Social media sharing can also be a security risk for a company’s remote workers. Trend Micro’s Bob McArdle outlined this very subject in his excellent Irisscon 2018 presentation. Social engineering expert Lisa Forte tweeted that she can gather intel about target companies from what their employees post online.

Things we liked

Protector, puzzle master, moral crusader, change agent: the many faces of a CISO. MORE

And another thing: want to be a good security leader? Learn to tell a good story first. MORE

Making the contentious case that breaches can be a good thing, and aren’t automatically bad for business. MORE

Google Chrome, used by almost two-thirds of web browsers, has a new plugin that warns users when entering a username/password combination that’s been detected in a data breach. MORE

An offer you couldn’t retweet: meeting the godfather of fake news. MORE

The Council to Secure the Digital Economy (CSDE) has published a guide to help protect the Internet from botnets. The International Anti-Botnet Guide will be updated every year. MORE

ENISA has released a study of CSIRTs and incident response capabilities in Europe to 2025. MORE

The post Security roundup: February 2019 appeared first on BH Consulting.

Supply Chain Security – Sex Appeal, Pain Avoidance and Allies

Every security professional and every privacy professional understands that supply chain security is as important as in-house security. (If you don’t understand this, stop and read Maria Korolov’s January 25, 2019 article in CSO, What is a supply chain attack? Why you should be wary of third-party providers.) So how do you marshal the resources […]

The post Supply Chain Security – Sex Appeal, Pain Avoidance and Allies appeared first on The State of Security.

Ireland’s cybersecurity watchdog publishes new guidance for businesses

Ireland’s National Cyber Security Centre has published guidance on cybersecurity for Irish businesses. It’s a welcome addition to the roster of material available to help organisations to develop or refine their security strategy. The team at BH Consulting has picked out key points from the guide, and added some more context and analysis.

The report’s non-technical language shows that it’s clearly intended for a wide audience. In a move that’s doubtless designed to help spread the message widely, the document presents its 12 steps in three formats: as an infographic (see below), on a single page of text, and then as longer descriptions for each step.

Preparing for ‘when’, not ‘if’

Reading through the guide, it’s striking how it starts from the premise that attacks are already going on. As the introduction makes clear:

“Cyberattacks make headlines on a daily basis. It’s no longer a question of if your company will be breached, or even when, it’s likely to have happened already. The real question is whether you will know and are you prepared?”

This language echoes the Central Bank of Ireland’s 2016 guidance which warned about this risk in similarly stark terms. “Firms should assume that they will be subject to a successful cyber-attack or business interruption”, the bank said.

A resilient approach to security

The NCSC’s high-level document aims to make businesses more resilient to security incidents. That’s an approach we can all get behind. In several blogs from last year, we looked at this very issue through a business and risk lens. In one post, Brian Honan suggested a four-step process to improving resilience:

  • Identify key systems and services for your business
  • Look at the key risks and threats to those services
  • Based on that risk analysis, identify the key areas to address such as single points of failure, inter-reliance of systems and interdependency of systems
  • Engineer ways to mitigate the impact of any potential failure, either through cybercrime or other means.

Looking back, it’s interesting how many of the themes overlap with the NCSC guidance. As we noted at the time, this is about thinking of security as a business problem, not a technological one.

Obviously, businesses still need to put effort into preventing certain types of attacks and security incidents. But it’s arguably even more important to put measures in place to keep the business running no matter what. Resilience takes many forms: after attackers defaced the website for the Luas, the tram service kept running but it took nearly a month for the site to reopen.

The Irish National Cyber Security Centre’s 12-step activity plan.

Rather than advising a ‘big bang’ culture change to embrace security, the guide suggests using the steps as an activity plan to undertake over a 12-month period. The report spends a lot of time at a high level before getting into specific actions to take, or naming particular tools to use. In fact, the first five steps don’t look in-depth at technology. Instead, they’re about orienting a business to think about security in a systematic way.

Steps 1-4

The guide is free to download from here. Step one covers governance and organisation: that means getting senior management support for a cybersecurity plan. Next comes the step of identifying the assets that matter most. (This is a broad list, covering everything from business goals, products and services through to the people, processes, technology and data infrastructure underpinning them.) The steps then follow through to identifying threats and defining risk appetite.

Steps 5-6

Interestingly, the document advises focusing on education and awareness before it covers basic technical protections. These include secure configuration, patch management, firewalls, anti-malware, removable media controls, remote access controls, and encryption.

(For organisations that prefer to skip directly to this step, the guide offers a ‘minimum baseline’ of essential protections that includes boundary firewalls, secure configuration, patch management, malware protection, encryption and access controls.)

Steps 7-11

Step seven involves setting up the ability to monitor for suspicious activity. In another nod to the broad mix of businesses this advice applies to, the guide notes that security monitoring can range from a basic alerting system through to a more sophisticated security operations centre.

The subsequent steps cover putting in place post-incident measures. They include having a formal cyber incident management team, establishing recovery plans, and implementing extra protections to supplement the basic controls. Step 11 advises running a mocked-up exercise to test how the management would react to a security breach.

Step 12 and context

The plan finishes with creating an ongoing cyber risk management lifecycle. This twelfth and final action needs to be part of ‘business as usual’, the NCSC advises. The guide strikes a fair balance between useful advice and appealing to the broadest possible audience. The ‘practical considerations’ page, which isn’t part of the 12 steps, lays out the message in simple terms. A company’s level of security will vary depending on many factors, such as the potential threats that affect it the most, the level of risk it’s prepared to accept, and the amount of budgetary and people resources it can afford to allocate.

Valerie Lyons, chief operations officer with BH Consulting, says the guide provides a really good grouping of the various areas in which to approach cyber resilience. However, she feels some areas need clarification. For example, using months as a measure could be misleading. “Identifying what matters most can take a day in a small accounting office, and take a year in a large hospital. If we take May for instance, ‘focus on education and awareness’, this should in fact be a throughout-the-year activity engrained throughout every step. However, the steps by virtue of their month-by-month presentation allow a plan to be developed,” Valerie says.

Beyond the guide: extra steps

It’s arguable that the step of creating a cyber risk management lifecycle, which the guide puts in December, should in fact be in January. “We should determine up front what the regulatory landscape looks like and the resources required to achieve it,” Valerie says.

The guide would also benefit from clear definitions of cyber resilience, and what cyber risk means to the organisation. Instead of only focusing on the threat of external attacks, businesses should weigh up the risk from their own users’ accidental or deliberate actions.

As well as the practical steps in the guide, Valerie says organisations can also run tests, red teaming exercises, and table-top scenarios to test their security. Lastly, she recommends that businesses should manage cyber risk like all other risks, and it should be led by the chief risk officer, or risk unit.

The Irish NCSC report is a welcome addition to a growing crop of business-focused security advice from trusted, independent sources. There’s a wealth of free material for businesses of all sizes that are only starting to get the security message. ENISA, the European Union agency for network and information security, regularly publishes advice which you can find here. Similarly, the UK National Cyber Security Centre also publishes excellent, easy-to-read advice. Think of it as a form of public immunisation. The more organisations are vaccinated against the most common security risks, the safer we’ll all be.

The post Ireland’s cybersecurity watchdog publishes new guidance for businesses appeared first on BH Consulting.

Cyber risk management: There’s a disconnect between business and security teams

Business managers want real-time cyber risk management metrics, but cybersecurity teams can only deliver technical data and periodic reports. That gap needs to close. A few years ago, cybersecurity professionals often

The post Cyber risk management: There’s a disconnect between business and security teams appeared first on The Cyber Security Place.

6 Steps Every New CISO Should Take to Set Their Organization Up for Success

Congrats! You’ve landed a new job as a chief information security officer (CISO). Now where do you start?

With some figures putting the typical CISO tenure at just around two years, it’s clear turnover in this role is high. According to a Ponemon Institute study sponsored by Opus, 44 percent of CISOs surveyed said they plan to make a lateral move in their organization outside of IT security, and 40 percent said they expect to change careers. All of this considered, the window of time to make a mark as an effective security leader is short — and, in turn, stressful.

What are some best practices for getting started on the path to success in a new security management position? What do you need to do, who do you need to talk to, and what are the first actions you need to take to make an immediate impact and set yourself up for future wins?

Here are six steps to help you get started in a new security executive role.

1. Take Stock of Technology

One of the most important steps you will take in the first few days is reviewing the IT infrastructure of your new company. How are firewalls and servers configured? How many different endpoints connect to the network? What other technology is in place?

According to CSO, you should start by taking stock of which incident prevention security controls are preventing and reporting on malicious activity. You should also determine which security control management consoles, security information and event management (SIEM) tools, and log management solutions are collecting logs and alerts.

Understanding your systems and defenses is priority No. 1 because knowing what your new organization has in place — and where you may need to make additions and changes — will inform the next steps in your first few months in the CISO role.

2. Assess Your Processes

After gaining a comprehensive view into the technology that is in place, it is time to review and evaluate the processes in place for security. Is there an incident response (IR) plan in place? For 77 percent of organizations, the answer is no. Is the IR plan written and tested? What about awareness training? Is it done monthly? Annually? This information will give you a clearer picture of how the company has prioritized security in the past — and an idea of where it needs to go in the future.

This is also the time to poke holes in policies and standards that do not have formal processes attached, and develop and define them to be more effective. Clear, well-defined processes minimize confusion and chaos, and ensure your organization can comply with the policies you want to enforce.

3. Build Out Your Team

Whether you are utilizing existing employees or hiring new team members, building your security team is an immediate priority for a new security leader, according to Dan Lohrmann, former CISO for the state of Michigan and current chief security officer and chief strategist at Security Mentor.

“Focus on talent and relationships,” Lohrmann wrote in an article for Government Technology. “Surround yourself with security pros that work well together and cover skill set weaknesses.”

Direct reports that you will be managing are the first employees you need to get to know. Have one-on-one meetings with each team member if time allows to understand their strengths, weaknesses and insights on where security strategy stands in the organization. These employees have the institutional knowledge you don’t yet have and have dealt with issues and problems already. This time can also be an opportunity to build a relationship of trust so that your direct reports know they can come to you with concerns and feedback going forward.

If you have the luxury of hiring, after getting to know the existing security team, now is the time to assess whether you are lacking certain skills and talent on your team and look to the external talent pool to add to your ranks. This may be easier said than done, since the cybersecurity skills gap has made hiring challenging in recent years.

4. Talk to Key Internal Stakeholders

You want to gain a deeper understanding of the business, its mission, its immediate priorities and its long-term goals as soon as you get in the door. The CISO role is about security and business enablement. You will be expected to protect the organization and contribute to strategic goals.

Start by meeting with executive management when possible, as well as heads of business units. Understand their goals, visions, pain points and objectives. Ask how security management can assist with all of these. Getting to know these stakeholders will be the start of what should be an ongoing relationship and conversation that will give security a strong voice in the organization.

5. Get to Know Customers

Equally important to understanding the executive vision of the company is having a solid comprehension of the people the company serves. Getting to know key customers and clients on the front lines will give you the advantage of grasping how the enterprise is viewed from the outside. The customer lens of the organization will be invaluable in positioning security as a business driver instead of a hindrance.

6. Start Thinking About Your Budget

Gartner predicted that companies would spend around $96 billion on security products and services in 2018. But how can CISOs prove their investments had a measurable impact on corporate risk? It is no longer enough to simply deliver security to an organization; CISOs are also expected to demonstrate return on investment (ROI) and find ways to deliver direct business benefits.

Collecting data, evidence and metrics to demonstrate the need for security investments, why they are necessary in the near future and the proof of corporate payoff is another essential step for new security management. Additionally, this needs to be positioned in a way that business leaders understand, which takes us back to the importance of the prior steps. Without investing time in getting to know executive management and understanding customers, you will be less equipped to make the case for budgetary dollars for security priorities down the road.

Start Your CISO Tenure Off on the Right Foot

Starting a new job in the CISO role can feel overwhelming. But the time for security to be seen as a key player — and to have a major business impact — has never been better. While there may be multiple challenges to address right out of the gate in a new organization, heed these suggestions to start making a positive impact on day one.

The post 6 Steps Every New CISO Should Take to Set Their Organization Up for Success appeared first on Security Intelligence.

Manage Emerging Cybersecurity Risks by Rallying Around Mutual Concerns

Global risks are intensifying but the collective will to tackle them appears to be lacking. — The World Economic Forum’s “Global Risks Report 2019”

With the start of a new calendar year, chief information security officers (CISOs) are looking for ways to set the tone for the year and have more engaged conversations with top leadership regarding cybersecurity risks. The good news is January provided such an opportunity, but it’s not what you might expect.

Every year, the world’s elite descends on Davos, Switzerland, as part of the global gathering known as the World Economic Forum (WEF). A few weeks before they hold this event, the WEF releases its “Global Risks Report,” and this year, once again, cyber risks figured prominently. The report was based on survey responses from nearly 1,000 decision-makers from the business and government sectors, academia, nongovernmental organizations (NGOs), and other international organizations.

Cybersecurity Risks Once Again in the Top 5

The report opens with its distinctive global risks landscape diagram, and cyber-related risks fall in the top-right quadrant of global risks, both in terms of likelihood and impact. When it comes to likelihood, data fraud or theft came in fourth place after three environmental risks, with cyberattacks rounding out the top five.

When ranked by impact, cyberattacks still made it into the top 10, in seventh place, followed immediately by critical information infrastructure breakdown. The fact that data fraud or theft wasn’t in the top 10 risks by impact might indicate that markets and business leaders are more confident about the global economy’s ability to detect and respond to such an event.

This is by no means the first time that technology-related risks made it to the top of the list: Cyberattacks have appeared four times in the top five risks by likelihood since 2010 (in 2012, 2014, 2018 and 2019). However, in terms of impact, the only technology-related risk to make the top five was critical information infrastructure breakdown in 2014.

Is it symptomatic of a larger disconnect that, in the last decade, global leaders only once perceived a technology-related risk as a top-five risk in terms of impact? Do top leadership and board directors at your organization share this attitude?

A Conversation Starter for CISOs and Top Leadership

Of course, the WEF report is aimed at a global audience of business and government executives, so it might not be immediately apparent how CISOs could benefit from grabbing a copy and leafing through it. However, because technology-based risks — and more specifically, cyber-related risks — feature so prominently in the report, there is a unique opportunity to engage or re-engage top leadership and boards to discuss these issues and re-evaluate the organization’s current risk appetite. Among the topics covered in the report are many areas that CISOs should be ready to engage on, including:

  • Machine learning and artificial intelligence (AI) — How, if at all, is your organization leveraging these technologies? Is the security function engaged at the earliest part of the process to implement them?
  • Regulatory changes, such as the General Data Protection Regulation (GDPR) — Is your organization now fully compliant with the GDPR? Are there other GDPR-like regulations on the horizon that need to be on your radar?
  • Interconnectedness of cybersecurity risks — Is your organization on its way to becoming cyber resilient? How often is your organization’s resilience put to the test?
  • Quantum computing and cryptography — Who, if anyone, is keeping track of developments in quantum computing? How often is this disruptive technology being discussed, both in terms of the opportunities it presents and the risks it poses to traditional cryptographic methods of protecting company secrets?

Interconnectedness Versus Resilience

If there’s one section of the report that CISOs should share with top leadership, it is the portion titled “Managing in the Age of Meltdowns” (just three pages long). As the interconnectedness of technology increases the potential for cascading failures, this section reminds us of the stakes: “When something goes wrong in a complex system, problems start popping up everywhere, and it is hard to figure out what’s happening. And tight coupling means that the emerging problems quickly spiral out of control and even small errors can cascade into massive meltdowns.”

The section covers different strategies to help deal with complex, dynamic systems and provides guidance for CISOs to review and improve the effectiveness of existing processes. Strategies include encouraging healthy skepticism and recognizing the value of clear and honest lines of reporting. CISOs should also try to “imagine failure” or, better yet, simulate a breach to practice their response. The report also reminds security leaders to perform thorough root-cause analysis, as “too often, we base decisions on predictions that are overly simplistic, missing important possible outcomes.”

Find a Rallying Point

Most CISOs know they’re more likely to be heard when aligning their messages and efforts with the concerns of top leadership. In a world of increasing global risks, security leaders must engage with all levels of the organization to truly understand what cybersecurity risks are top of mind, from the board and C-suite all the way down to entry-level analysts. Organizing around mutual concerns will help maximize security at the enterprise.

The post Manage Emerging Cybersecurity Risks by Rallying Around Mutual Concerns appeared first on Security Intelligence.

How to Build a System Hardening Program From the Ground Up

Commercial and open-source system configurations such as Windows, Linux and Oracle do not always have all the necessary security measures in place to be deployed immediately into production. These configurations often have features and functionalities enabled by default, which can make them less secure, especially given the sophistication and resourcefulness of today’s cybercriminals.

A system hardening program can help address this issue by disabling or removing unnecessary features and functionalities. This enables security teams to proactively minimize vulnerabilities, enhance system maintenance, support compliance and, ultimately, reduce the system’s overall attack surface.

Unfortunately, many companies lack a formal system hardening program because they have neither an accurate IT asset inventory nor the resources to holistically maintain or even begin a program. An ideal system hardening program can successfully track, inventory and manage the various platforms and assets deployed within an IT environment throughout their life cycles. Without this information, it is nearly impossible to fully secure configurations and verify that they are hardened.

Planning and Implementing Your System Hardening Program

System hardening is more than just creating configuration standards; it also involves identifying and tracking assets in an environment, establishing a robust configuration management methodology, and configuring and maintaining system parameters to expected values. To manage and promote system hardening throughout your organization, start by initiating an enterprisewide program plan. Most companies are engaged in various stages of a plan, but suffer from inconsistent approaches and execution.

A plan builds on the premise that hardening standards will address the most common platforms, such as Windows, Linux and Oracle, and IT asset classes, such as servers, databases, network devices and workstations. These standards will generally address approximately 80 percent of the platforms and IT asset classes deployed in an environment; the remaining 20 percent may be unique and require additional research or effort to validate the most appropriate hardening standard and implementation approach. By adopting the 80/20 rule, hardening will become more consistent, provide better coverage and increase the likelihood of continued success.

Let’s take a closer look at the components of a system hardening program plan and outline the steps you can take to get started on your hardening journey, gain companywide support of your strategy and see the plan through to completion.

1. Confirm Platforms and IT Asset Classes

First things first: Determine the types of platforms and IT asset classes deployed within your environment. For example, list and document the types of server versions, such as Windows 2016, Windows 2012 R2, Red Hat Enterprise Linux or Ubuntu, and the types of desktop versions, such as Windows 7 and Apple iOS. Then, list the types of database versions, such as MySQL, Oracle 12c and MongoDB. The IT asset inventory should be able to report on the data needed to create the platform and IT asset class list. However, some companies struggle to maintain an IT asset inventory that accurately accounts for, locates and tracks the IT assets in their environment.

If there isn’t an up-to-date IT asset inventory to report from, review network vulnerability scan reports to create a list of platforms and asset classes. The scan reports will help verify and validate existing platforms and IT asset classes in your environment, as well as devices that may be unique to your company or industry. Interviewing IT tower leads can also support this information-gathering exercise, as can general institutional knowledge about what is deployed.
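The step above is usually a spreadsheet exercise, but the same reconciliation can be scripted so it is repeatable each scan cycle. The following is an added example, not code from the article or from any scanner vendor: it takes a scanner export, normalizes the operating-system fingerprints into the platform / asset-class pairs the plan needs, and lists the hosts the scanner sees that the asset inventory does not. The CSV text and inventory list are constructed sample data, and the column names (ip, hostname, os_fingerprint) and fingerprint wording are assumptions about an export format rather than any product's actual output.

```powershell
# Added example (not from the article): build the step 1 platform / asset-class list from a
# vulnerability scanner export and reconcile it against the IT asset inventory.
# The CSV below is constructed sample data; its column names (ip, hostname, os_fingerprint)
# and the fingerprint wording are assumptions about a scanner's export, not any vendor's format.

$ScanExport = @'
ip,hostname,os_fingerprint
10.0.1.10,srv-dc01,Microsoft Windows Server 2016 Standard 14393
10.0.1.11,srv-app02,Microsoft Windows Server 2012 R2 Standard 6.3
10.0.1.20,db-ora01,Oracle Linux Server release 7.6
10.0.1.21,db-mysql01,Ubuntu 18.04.1 LTS
10.0.2.5,ws-finance07,Microsoft Windows 7 Professional 7601 Service Pack 1
10.0.2.6,ws-design02,Mac OS X 10.14.2
10.0.3.1,core-sw01,Cisco IOS 15.2(4)E
10.0.3.2,,Generic embedded device (unknown)
'@

# Hostnames the (assumed) asset inventory knows about. In practice this is the CMDB export.
$AssetInventory = @('srv-dc01', 'srv-app02', 'db-ora01', 'ws-finance07', 'core-sw01')

# Ordered rules: the first regex that matches wins. Platform is a format string that receives
# the first capture group. Fingerprints matching no rule land in the "needs research" bucket
# that the 80/20 rule sets aside for later.
$PlatformRules = @(
    @{ Pattern = 'Windows Server (\d{4}(?: R2)?)'; Platform = 'Windows Server {0}'; Class = 'Server' }
    @{ Pattern = 'Windows (7|8\.1|10)\b';          Platform = 'Windows {0}';        Class = 'Workstation' }
    @{ Pattern = 'Mac OS X|macOS';                 Platform = 'macOS';              Class = 'Workstation' }
    @{ Pattern = 'Red Hat|Oracle Linux|CentOS';    Platform = 'RHEL-family Linux';  Class = 'Server' }
    @{ Pattern = 'Ubuntu (\d+\.\d+)';              Platform = 'Ubuntu {0}';         Class = 'Server' }
    @{ Pattern = 'Cisco IOS';                      Platform = 'Cisco IOS';          Class = 'Network device' }
)

function Get-PlatformClass {
    param([string]$Fingerprint)
    foreach ($rule in $PlatformRules) {
        $m = [regex]::Match($Fingerprint, $rule.Pattern)
        if ($m.Success) {
            # Groups[1].Value is an empty string when the pattern has no capture group
            return [pscustomobject]@{
                Platform = ($rule.Platform -f $m.Groups[1].Value)
                Class    = $rule.Class
            }
        }
    }
    [pscustomobject]@{ Platform = "UNCLASSIFIED: $Fingerprint"; Class = 'Needs research' }
}

$hosts = $ScanExport | ConvertFrom-Csv | ForEach-Object {
    $pc = Get-PlatformClass -Fingerprint $_.os_fingerprint
    [pscustomobject]@{
        IP          = $_.ip
        Hostname    = $_.hostname
        Platform    = $pc.Platform
        Class       = $pc.Class
        InInventory = [bool]($_.hostname -and ($AssetInventory -contains $_.hostname))
    }
}

# The platform / asset-class list with host counts: this becomes the in-scope list for step 2.
$hosts | Group-Object Class, Platform | Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'Class';    Expression = { $_.Values[0] } },
        @{ Name = 'Platform'; Expression = { $_.Values[1] } } |
    Format-Table -AutoSize

# Inventory gaps: hosts the scanner sees but the asset inventory does not. Nobody owns these,
# so nobody will harden them until they are added to the inventory and assigned to a team.
$hosts | Where-Object { -not $_.InInventory } | Format-Table IP, Hostname, Platform -AutoSize
```

With the sample data the "UNCLASSIFIED" embedded device and the unowned Ubuntu and macOS hosts surface in the gap list; those are exactly the entries that need an owner and a scope decision before step 2.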

2. Determine the Scope of Your Project

Once you’ve documented the platforms and IT asset classes, you can determine the full scope of the system hardening program. From a security perspective, all identified platforms and IT asset classes should be in scope, but if any platform or IT asset class is excluded, document a formalized rationale or justification for the exception.

Any platform or IT asset class not included in the hardening scope will likely increase the level of risk within the environment unless compensating controls or countermeasures are implemented.

3. Establish Configuration Standards

Next, develop new hardening builds or confirm existing builds for all in-scope platforms and IT asset classes. Create this documentation initially from industry-recognized, authoritative sources. The Center for Internet Security (CIS), for example, publishes hardening guides for configuring more than 140 systems, and the Security Technical Implementation Guides (STIGs) — the configuration standards for U.S. Department of Defense systems — can be universally applied. Both of these sources are free to the public. It is generally best to apply one set of hardening standards from an industry-recognized authority across all applicable platforms and IT asset classes whenever possible.

This is the step in the plan where you’ll reference the in-scope listing of all platforms and IT asset classes. For each line item on the list, there should be a corresponding hardening standard document. Start with the industry-recognized source hardening standards and customize them as necessary with the requisite stakeholders.

As an example, let’s say the Microsoft Windows Server 2008 platform needs a hardening standard and you’ve decided to leverage the CIS guides. First, download the Microsoft Windows Server 2008 guide from the CIS website. After orienting the Windows Server team to the overall program plan objectives, send the hardening guide for review in advance of scheduled meetings. Then, walk through the hardening guide with the Windows Server team to determine whether the configuration settings are appropriate.

During these discussions, the team should be able to verify which configuration settings are currently in place, what is not in place, and what may violate company policy for pre- and postproduction server images. If there are hardening guide configuration settings that are not already in place, conduct formal testing to ensure that these changes will not degrade performance, lead to outages or cause other problems within the production environment.

Let’s take the configuration setting “Cryptographic Services to Automatic,” a Microsoft Windows Server 2008 hardening standard from the CIS guide, for example. If this configuration setting is not already in place, can it be implemented? If it cannot be implemented, document the reason why it causes problems as determined through testing, whether it violates company policy or anything else that’s applicable. Note this particular configuration setting as an exception in the overall hardening standard documentation for future reference.

4. Implement Your System Hardening Standards

After you’ve established the hardening build and maintenance documentation and conducted any necessary configuration testing, implement the hardening standards accordingly. Harden the preproduction “golden,” or base, images first so that unnecessary features are disabled or removed before anything is deployed to production. Starting with the preproduction images is usually less time- and labor-intensive: only one image per platform typically needs to be hardened, and changing an image does not require scheduled downtime for systems already in production. The image change should still go through the normal change management process so that the hardened build becomes the recorded, approved baseline.

Once a particular platform image is hardened, that image can be used to re-image the postproduction systems already deployed in the environment, or the same configuration changes can be pushed with configuration management tools, depending on the platform. For example, the Windows team can apply a vast array of configuration settings across the systems it manages with Group Policy. Where automated, global changes are not possible for some or all platforms, you’ll need to log on to (or physically visit) each system and apply the configuration changes manually.

5. Monitor and Maintain Your Program

An effective system hardening program requires the support of all IT and security teams throughout the company. The success of such a program has as much to do with people and processes as it does with technology. Since system hardening is inherently interdisciplinary and interdepartmental, a variety of skill sets are needed to carry it out. Hardening is a team effort that requires extensive coordination.

It’s important to appoint a hardening lead to ensure accountability and responsibility for the management and oversight of the program. This individual should possess the drive to achieve results, a knack for problem-solving, and the ability to direct others in collaboration and teamwork. The system hardening lead is ultimately responsible for the success of the program and should provide the focus, support and momentum necessary to achieve its objectives.

Still, accountability for hardening-related activities should be formally assigned to the teams best suited to ensure their completion and maintenance. The information security team should help facilitate improvements when gaps are identified and serve in a governance role by monitoring the hardening practices of all teams, challenging poor processes and approaches, and verifying compliance against hardening standards. If configuration management tools are not available, verify compliance using vulnerability scans.
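Two pieces of the plan above lend themselves to a script: recording the documented exceptions from step 3 (the “Cryptographic Services to Automatic” walkthrough) and the step 5 compliance verification. The following is an added example, not code from the article or from CIS: it audits a Windows host against a small baseline, reports each line item as Pass, Fail or Exception, and counts only undocumented drift as a finding. The four baseline entries are illustrative picks with assumed Ids, not an extract of any CIS benchmark, and the exception rationale is invented for the example. It assumes an elevated PowerShell 5.1 or later session on the host being checked.

```powershell
# Added example (not from the article or the CIS guides): audit a host against a hardening
# baseline, treat documented exceptions as such rather than as failures, and report per item.
# Baseline entries are illustrative, with assumed Ids; they are not a CIS benchmark extract,
# and the exception rationale is invented. Run elevated, PowerShell 5.1+ (needs Get-Service's
# StartType property), on the Windows host being checked.

# One entry per line item of the hardening standard document (step 3). 'Exception' carries the
# rationale recorded when testing or policy ruled a setting out; $null means it must be applied.
$Baseline = @(
    @{ Id = 'SVC-01'; Type = 'Service'; Name = 'CryptSvc';       Expected = 'Automatic'; Exception = $null }
    @{ Id = 'SVC-02'; Type = 'Service'; Name = 'RemoteRegistry'; Expected = 'Disabled'
       Exception = 'Needed by the backup agent; compensating control: host firewall limits TCP/445 to the management subnet' }
    @{ Id = 'REG-01'; Type = 'Registry'; Expected = 0; Exception = $null
       Name = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value = 'SMB1' }
    @{ Id = 'REG-02'; Type = 'Registry'; Expected = 5; Exception = $null
       Name = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'LmCompatibilityLevel' }
)

function Get-ActualValue {
    param([hashtable]$Item)
    switch ($Item.Type) {
        'Service' {
            $svc = Get-Service -Name $Item.Name -ErrorAction SilentlyContinue
            if ($null -eq $svc) { return 'NotInstalled' }
            return $svc.StartType.ToString()          # Automatic / Manual / Disabled
        }
        'Registry' {
            $prop = Get-ItemProperty -Path $Item.Name -Name $Item.Value -ErrorAction SilentlyContinue
            if ($null -eq $prop) { return 'NotSet' }  # key or value absent
            return $prop.($Item.Value)
        }
    }
}

function Test-Baseline {
    param([array]$Items)
    foreach ($item in $Items) {
        $actual = Get-ActualValue -Item $item
        # Compare as strings so a registry DWORD 0 and the expected 0 line up
        $status = if ("$actual" -eq "$($item.Expected)") { 'Pass' }
                  elseif ($item.Exception)               { 'Exception' }   # documented, not a finding
                  else                                   { 'Fail' }
        $target = if ($item.Value) { "$($item.Name)\$($item.Value)" } else { $item.Name }
        [pscustomobject]@{
            Id        = $item.Id
            Target    = $target
            Expected  = $item.Expected
            Actual    = $actual
            Status    = $status
            Rationale = $item.Exception
        }
    }
}

$results = Test-Baseline -Items $Baseline
$results | Format-Table Id, Status, Expected, Actual, Target -AutoSize

# Only undocumented drift is a finding; an exception with a recorded rationale is expected state.
$findings = @($results | Where-Object Status -eq 'Fail')
"{0} line items checked, {1} findings, {2} documented exceptions" -f $results.Count, $findings.Count,
    @($results | Where-Object Status -eq 'Exception').Count
```

Keeping the exception rationale inside the baseline data, rather than in a separate document, means the next person who runs the audit sees why RemoteRegistry is still enabled instead of re-opening the finding; the same baseline file can be run against the golden image before it is released and against production hosts on a schedule.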

All this complexity demands a great deal of synchronization. The roles and responsibilities must be clearly delineated so teams can focus their efforts on activities that truly advance the hardening program plan.

System Hardening Has Never Been So Crucial

Implementing and managing an effective system hardening program requires leadership, security knowledge and execution. Obtaining executive commitment, management support and sufficient investment for the program is also crucial. If you carefully choose a combination of easy-to-implement platforms and IT asset classes and more challenging, longer-term hardening efforts, you’ll see incremental improvements in program execution and support.

Companies everywhere and across industries face an ever-accelerating rate of change in both the threat and technology landscapes, making system hardening more crucial than ever. A hardening program isn’t built in a day, but an effective, thoughtfully constructed plan can significantly lower your company’s risk posture.

The post How to Build a System Hardening Program From the Ground Up appeared first on Security Intelligence.

More Money, More Worries About Cyber Risk

Executives at financial services companies are increasingly concerned about risks, but as technology becomes more integrated in managing financials, more executives say that cybersecurity is increasingly becoming the most important

The post More Money, More Worries About Cyber Risk appeared first on The Cyber Security Place.

Maximize Your Defenses by Fine-Tuning the Oscillation of Cybersecurity Incidents

Information security is an interesting field — or, perhaps more accurately, a constant practice. After all, we’re always practicing finding vulnerabilities, keeping threats at bay, responding to cybersecurity incidents and minimizing long-term business risks.

The thing is, it’s not an exact science. Some people believe that’s the case, but they are only fooling themselves. Some security professionals strive for perfection in terms of their documentation. Others want their users to make good decisions all the time. I’ve even had people ask if I could do my best to provide a clean vulnerability and penetration testing report when doing work for them. Scary stuff.

I believe we’ve reached this point of striving for perfection largely due to compliance. Rather than truly addressing security gaps, we’re stuck in the mindset of checking boxes so that someone, somewhere can get the impression that work is being done and all is well in IT. Striving for perfection only serves to skew expectations and set everyone involved up for failure. The reality is you’re never going to have a perfect state of security, but you can have reasonable security if you take the proper steps.

Ready, Set, Practice

To improve enterprise security, organizations must do what I refer to as fine-tuning the oscillation of their security program. What do I mean by that? Let me give you a car racing analogy.

I compete in the Spec Miata class with the Sports Car Club of America (SCCA). It’s a super-competitive class with very little room for mistakes. Everything that we do as Spec Miata racers has to be fine-tuned — that is, if we’re going to win. Everything matters, from how hard we get on the brakes to how quickly we turn the steering wheel to how we get on and off the throttle. Even the turn-in points and apexes of corners are extremely important. Each little thing we do either works in our favor or works against us.

In car racing, fine-tuning the oscillation means getting better and better at the little things over time. In other words, we minimize atypical events — the mistakes that would show up as spikes on a graph — and get more consistent the more we race. You can certainly make improvements throughout a single race, but most fine-tuning comes with experience and years of seat time.

Make Small Adjustments Over Time

Information security is no different. In the context of your overall security program, threats, vulnerabilities and subsequent cybersecurity incidents represent the oscillation. If you’re looking for a visual, fine-tuning the oscillation means minimizing the amplitude and maximizing the frequency of a sine wave to the point where you have a tiny squiggly line that represents your security events. It’s almost a straight line, but as I said before, there’s no such thing as perfection in security.

Instead of having low-hanging fruit such as missing patches and weak passwords, you’re staying on top of patch management and password policy enforcement. Instead of a lack of network visibility, you have systems and technologies in place that allow you to see things happening in real time. Instead of experiencing a security incident, you’re able to prevent or mitigate the threat. Instead of a breach, you have business as usual.

Rather than playing by the terms of malicious actors seeking to bring down your business, you are the one in control. This is all done through acknowledging your weaknesses and blind spots and making small adjustments over time.

Minimize the Impact of Cybersecurity Incidents

Start viewing your security program from this perspective by asking a few simple questions. What areas need the most attention? Do you have some quick wins that you could start with to get your momentum going? Most organizations have a handful of areas with known security gaps that are creating big exposures — things like third-party patching, unstructured (and unprotected) information scattered about networks, and user security awareness and training. Aim to quickly close the gaps that create the greatest risk so you can spend more focused time on the smaller, but more difficult, problems.

Stretching out that sine wave and fine-tuning the oscillation of impactful cybersecurity incidents should be your ultimate goal. Be it racing cars or running a security department, time, money and effort are the essential elements. If you’re going to do either one well, it’s going to require good information, solid decision-making, and intentional and disciplined practice over and over again. That’s the only way you’ll get better.

The post Maximize Your Defenses by Fine-Tuning the Oscillation of Cybersecurity Incidents appeared first on Security Intelligence.

83% of global respondents experienced phishing attacks in 2018

Proofpoint analyzed data from tens of millions of simulated phishing attacks sent over a one-year period, along with nearly 15,000 cybersecurity professional survey responses, to provide an in-depth look at the state of global phishing attacks. Overall, 83 percent of global infosecurity respondents experienced phishing attacks in 2018, up from 76 percent in 2017, and nearly 60 percent saw an increase in employee detection following security awareness training. In addition, more organizations were affected by all … More

The post 83% of global respondents experienced phishing attacks in 2018 appeared first on Help Net Security.

How Secure Are Medical IoT Devices? Catherine Norcom Has Her Finger on the Pulse of the Industry

At the IBM Security Summit in 2018, X-Force Red Global Head Charles Henderson told a memorable story. A colleague frantically reached out one Friday afternoon asking him to test five medical internet of things (IoT) devices. One of the devices was to be implanted in the colleague’s body, and he wanted to make sure he chose the most secure model. Charles immediately called his hacker friends, who happily agreed to help him with the research. Within a couple of days, Charles recommended a specific model to his colleague, confident the model was the least hackable.

Unlike Charles’ colleague, most patients do not have someone on hand to test their medical IoT devices prior to implantation, which is why it’s critical for device manufacturers to build security into the devices from the earliest stages of development. Patients should be able to trust that the devices in their bodies have no critical vulnerabilities that criminals could potentially exploit.

A Q and A With ‘Q’: Reviewing the FDA’s Guidance on Medical IoT Devices

On Jan. 29–30, 2019, the Food and Drug Administration (FDA) will host a public workshop to discuss medical IoT security. The discussion will focus on the recently drafted guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which aims to help strengthen cybersecurity across medical IoT devices.

Catherine Norcom, X-Force Red’s resident hardware hacker, specializes in building and testing IoT devices in the medical field. Catherine, also known as “Q,” recently joined the team after serving 10 years in the U.S. Air Force.

I chatted with Catherine about the FDA’s guidance, the top risks related to medical IoT devices and how to minimize those risks.

Question: Thank you for taking the time to chat today, Catherine. Which parts of the FDA’s guidance do you think may be most effective?

Catherine: I like the objective of the guidance. Manufacturers of medical IoT devices should be prioritizing security, especially considering the potential detrimental consequences of a breach. Specifically, I like the clause about logging people out after a period of inactivity. I also like the clause that discusses the need for rapid deployment of patches and updates.

However, that clause actually contradicts another clause in the guidance that recommends users approve any product updates before they are installed. That being said, in November 2018, the FDA provided more details on this topic, saying critical patches can and should be applied without user approval. I also think that’s an important update. After all, patient safety should not vary from user to user, simply based on whether they have the resources to process and deploy critical patches in a timely fashion. The FDA should include those details in the guidance.

I also like that the guidance promotes encrypting any information stored on devices and requires authentication of some kind before the user accesses medical information coming from the device. That way, if a user left a device on a bus, for example, someone else could not access the user’s private medical information.


Where do you think the guidance could be improved?

There are some parts that seemed like they could vary in meaning. For example, the guidance recommends assessing risk and mitigation throughout a product’s life cycle. However, manufacturers and end users can have different interpretations of what constitutes the life cycle of a product. Obviously, manufacturers will release newer versions of products, whether it’s because of their own innovations or due to external factors such as a pending update to a third-party operating system or plug-in that makes the existing product design a challenge to maintain.

When a manufacturer releases a new version of a product, they cannot continue to support all older versions of that product in the same manner they did before. But even after the manufacturer needs to end its support, the product may still work fine for some period. And even if it doesn’t work as well as it once did without manufacturer support, the user may choose to continue using and servicing it themselves. Although this is a difficult subject to address, it could be valuable if the guidance is able to spell out in more detail what the expectations are for manufacturers and users at different stages of a normal product life cycle. There are other FDA documents that include more details about this matter, but it should be spelled out in this guidance as well.

The guidance also uses buzzwords like “holistic.” Many manufacturers — and, frankly, people in general — do not know what that term means or else they could interpret it differently. Also, a part of the guidance recommends manufacturers identify vulnerabilities up front. This is both exceedingly nuanced and complex. For example, even if a manufacturer identified a vulnerability in the Wi-Fi connection, they may not know the USB port is also vulnerable. In this case, you need penetration testers to assess risk throughout the process – whether that’s hiring outside specialists or someone in-house. Penetration testers, who are hackers, understand the many different ways criminals may exploit individual vulnerabilities or chain them together to compromise a device. As such, testers can identify how criminals may exploit vulnerabilities – whether it’s one or many chained together – exposing a device and connected ecosystem.

Since X-Force Red specializes in cybersecurity, let’s pivot the conversation and discuss security risks that come with medical IoT devices.

Medical IoT devices are a top target of cybercriminals, so even if a manufacturer thinks it has developed a device with reasonable security, criminals may still find vulnerabilities. I recently read a Ponemon Institute study that said 67 percent of medical device makers believe an attack on one or more medical devices they have built is likely.

One of the most obvious points of vulnerability is if the user loses the device or the device is stolen. If criminals get physical access to the hardware, they may be able to access all of the medical data in that device. They could also potentially reverse engineer the device and in this way gain access to even more information that is stored on underlying servers. That information could aid in planning a larger attack against the device manufacturer or help criminals use patient identity in insurance fraud or other schemes.

Yes, physically stealing a device would provide the easiest pathway to compromising it. What about the risks related to the Wi-Fi connection used by most IoT devices?

Obviously, anything connected to Wi-Fi can potentially be compromised. A brute force attack is one of the more popular attack methods. The service set identifier (SSID) is the Wi-Fi network name you see when you try to connect. If a device broadcasts its SSID, for example, a criminal would see the device on the Wi-Fi network and may try every password under the sun until one grants him access. These attacks are typically automated by computers and it can take mere seconds to brute force a weak password.

Also, if the Wi-Fi connection from the device is not secured and the data stored on the device is not encrypted, a criminal could intercept the packets and access medical data as it moves from the device to the router. Essentially, a criminal could grab the device’s stored medical data as it moves through the air.

What about USB ports? Many medical IoT devices contain USB ports similar to those we use to charge our cellphones.

Yes, USB ports on medical IoT devices can be used to transfer data. If someone plugs into the device’s USB port and the stored data is unencrypted, the person could potentially access the data. It’s similar to your cellphone: If you plug a USB cable into your phone and connect it to a laptop, you can see the data on your phone and move it to your laptop.

As a rule, people should avoid connecting to any USB port they do not control. That means avoiding those in airports, airplanes, public places, etc. Behind every USB port, there can be a device reading data without explicit permission.


So, what can IoT medical device manufacturers do to strengthen the security of their products as they’re being developed?

First, developers should make sure the device’s SSID is hidden so it doesn’t show up on Wi-Fi networks. Also, IoT manufacturers will oftentimes give all their devices the same SSID. For example, devices that are meant for the kitchen will have the SSID “kitchen.” If devices have the same SSID, then a criminal can connect to them even if they are hidden. It’s crucial that devices have unique SSIDs and preferably let their owners name them to create random names that attackers won’t be able to readily look up.

Good security practices for an application programming interface (API)-enabled device include making sure a criminal doesn’t have access to the API key — which is like a password — so that he or she can’t read the private medical data that the medical device is logging.

An easy and obvious recommendation is to use encryption. Any data on the device and the connection to the wireless hotspot or cell phone should be encrypted. Encryption will disable criminals’ ability to read private data whether they steal packets or plug into a USB port. Manufacturers can also make proprietary software that only talks to the specific IoT device and enables it to securely decrypt the data on it.

It’s also critical to have a secure connection between the device and Wi-Fi access point you are using. The device should not connect to anything that doesn’t require authentication.

Finally, manufacturers must test their hardware and software as the device is being developed. Manual penetration testing can uncover unknown vulnerabilities that automated tools may not find. For example, testers can determine whether the software was programmed in a way that makes files difficult to read. As they are writing and developing the device and its software, manufacturers should consult a security expert at every step, from selecting products to testing during development, and test after the device is built.

Any last words or recommendations for the FDA as it works to finalize the guidance?

Unfortunately, hacking an IoT device, medical and nonmedical, is oftentimes not that difficult. At the DEF CON hacker conference, people with little experience were hacking IoT coffee pots and voting booths in minutes. When you allow an IoT device on your network, if the device has a vulnerability, a criminal can easily compromise your entire network. That’s why it’s critical for all IoT manufacturers to prioritize security when developing their products.

This guidance is a step in the right direction to achieving that goal. It gives some really strong recommendations and places a focus on the subject of IoT security. The FDA is inviting comments from medical device and component manufacturers, independent researchers and security firms, which will be extremely beneficial in shaping the final draft. It’s always encouraging to see the security world’s perspective being brought into the development of this kind of guidance.


The post How Secure Are Medical IoT Devices? Catherine Norcom Has Her Finger on the Pulse of the Industry appeared first on Security Intelligence.

Security for startups: why early-stage businesses can’t neglect this risk

In the early days of a startup, it’s easy to get caught up in the buzz of building a new business. Keeping so many plates spinning – from fundraising and hiring to shipping product – can mean security sometimes falls off the priority list. But in the face of ever-rising volumes of data breaches and security incidents, it’s a subject that early-stage companies can’t afford to ignore.

That was one of the key themes from a wide-ranging discussion at Dogpatch Labs, the tech incubator in Dublin’s docklands. The speaker was Todd Fitzgerald, an information security expert and Dogpatch member. His ‘fireside chat’, as the event organisers dubbed it, looked at why no company is too small to develop a cybersecurity strategy.

Pragmatic approach

Todd shared insights into a pragmatic approach to cybersecurity strategy and the implications of recent security and privacy breaches. “Any company that doesn’t have cybersecurity as one of their top five risks is really not addressing cybersecurity,” he said.

Recent ransomware outbreaks have shown cybercrime’s huge impact, no matter the size of the victim. FedEx and Maersk each suffered $300 million in damages from the NotPetya ransomware. Data breaches are a growing risk. In 2005, there were an estimated 55 million reported breaches in the US. Now, that figure is somewhere close to 1.4 billion. As Todd pointed out, those are only the ones we know about because victims have reported them.

Startups, in tech especially, often rely heavily on data but that brings added responsibility. “If you don’t know where your data is and you don’t know the privacy laws around it, how can you give any kind of assurance [to customers] that you’re protecting that?” asked Todd.

Strategy vs execution

The moderator asked the obvious question: why should startups care about cybersecurity when they’re concerned about getting product out the door? Financial loss due to ransomware is one reason, and there are many other common security issues a startup needs to think about. Protecting valuable intellectual property is critical. If a startup’s bright idea falls into the wrong hands, a competitor could reverse engineer the code and bring out a copycat product in another market. “It’s the same issues, just the scale is different,” Todd said.

Startup teams can change quickly while the business is still evolving, so another risk to watch is staff turnover. Without a process for revoking access when people leave, ex-employees could still reach confidential files after they have left the company. Simple carelessness is another potential threat: someone might accidentally delete important code from a server. Startups need to put incident response processes in place in case the worst happens. “There is business benefit to having good security,” Todd said.

For founders with no infosecurity experience, Todd also offered advice on protecting an early-stage company on a shoestring budget. He recommended speaking to an independent consultant who can advise on a cybersecurity strategic plan that reflects the business priorities.

Starting on security

Startup founders can start to familiarise themselves with the subject by reading cybersecurity frameworks like ISO 27001. The information security standard costs around €150 to buy, is easy to read and is suitable for companies of any size. “Walk through it and ask yourself: ‘would I be protected against these cybersecurity threats?’ That will probably prompt you to do a vulnerability assessment against your environment,” he said.

Todd Fitzgerald has more than 20 years’ experience in building, leading and advising information security programmes for several Fortune 500 companies. He has contributed to security standards and regularly presents at major industry conferences. A published author, he wrote parts of his fourth and most recent book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, in Dublin.

The post Security for startups: why early-stage businesses can’t neglect this risk appeared first on BH Consulting.

Reimagining risk management to mitigate looming economic dangers

In a volatile market environment and with the edict to “do more with less,” many financial institutions are beginning efforts to reengineer their risk management programs, according to a new survey by Deloitte Global, with emerging technologies in the driver’s seat. Seventy percent of the financial services executives surveyed said their institutions have either recently completed an update of their risk management program or have one in progress, while an additional 12 percent said they … More

The post Reimagining risk management to mitigate looming economic dangers appeared first on Help Net Security.

Recorded Future Adds Third-Party Risk to Threat Intelligence Platform

Over the last few years, the supply chain has emerged as a primary attack vector for both criminal gangs and nation-state groups. Attackers are compromising often smaller and less well-defended suppliers in order to gain access to larger primary targets. This problem is getting worse with the increasing digital transformation of business around the world -- more companies are dealing electronically with each other than ever before.


The Devil You Know – How Idioms Can Relate to Information Security

The Merriam-Webster dictionary defines the idiom “better the devil you know than the devil you don't” as “it is better to deal with a difficult person or situation one knows than with a new person or situation that could be worse.” I’d like to examine this particular idiom, investigate its meaning more deeply, and understand how it relates to information security.


DHS Warns Federal Agencies of DNS Hijacking Attacks

The U.S. Department of Homeland Security (DHS) on Tuesday issued an emergency directive instructing federal agencies to prevent and respond to DNS hijacking attacks.


What Does Healthcare Cybersecurity Look Like in a Future of Connected Medical Devices?

As technology continues to transform the way healthcare is delivered, the industry is burdened by the growing cybersecurity risks inherent in the expansion of connected devices. Understanding that each connected device opens another pathway for threat actors, it’s incumbent upon device manufacturers to keep security foremost throughout the development life cycle.

The question is, how can manufacturers ensure the security of the devices they create? Furthermore, what can healthcare companies do to mitigate the risks inherent in the future of healthcare cybersecurity?

Taking the Pulse of Health Care Cybersecurity Today

Because they are so often the target of cyberattacks, healthcare organizations took a beating once again in 2018. We saw some significant data breaches last year, such as the attack on Med Associates where more than 270,000 patient records were breached.

New research from Clearwater found that the three most common vulnerabilities in healthcare cybersecurity are user authentication deficiencies, endpoint leakage and excessive user permissions — which, combined, account for nearly 37 percent of all critical risk scenarios. Credential misuse continues to threaten enterprise security across all sectors, including healthcare.

“When malicious actors gain access to accounts — whether by weak passwords or phishing attacks — they are given the literal keys to the kingdom,” said Justin Jett, director of audit and compliance for Plixer.

When it comes to medical devices, however, cybersecurity is making progress. According to Leon Lerman, CEO of Cynerio, “We are currently in the increased awareness state where healthcare providers, the Food and Drug Administration (FDA), the Department of Health and Human Services (HHS) and device manufacturers are starting to be more active in the space.”

Moving Toward a More Secure Future

The good news is that healthcare providers at hospitals are starting to include cybersecurity requirements in their procurement process. In fact, some are no longer depending on the medical device manufacturers and instead actively looking for dedicated device security solutions.

According to Lerman, the FDA and Department of Homeland Security (DHS) recently launched a joint initiative to “increase coordination in dealing with threats related to medical devices.” In addition, HHS released cybersecurity best practices to help healthcare organizations manage threats and protect patients from internet of things (IoT)-based attacks and other threats.

Manufacturers have not progressed alongside hospitals, though there are more conversations about strengthening the security of their devices, taking part in cybersecurity testing and streamlining the patching process. In reality, though, it’s only been within the last decade that these conversations have been taking place, and according to Anura Fernando, chief innovation architect at UL, medical devices can take at least that long to develop and get into the market.

“If you couple that with the fact that many devices are used by hospitals for 20–25 years, you can see that there is a major legacy systems issue, with many devices lacking security controls at the device level. Based on that timing offset, it could easily be five to 10 years before we see the complete turnover of equipment in use by hospitals that didn’t even have cybersecurity considered during design,” Fernando explained.

The Challenges of Securing Connected Devices

Legacy systems present myriad cybersecurity challenges, but there are other obstacles to securing medical devices. One that is closely related to legacy equipment is that of component obsolescence.

“When you consider the lengthy development timelines associated with most devices, it can easily be the case that security-related components such as operating systems and microcontrollers cease to be supported by the component vendor soon after a medical device reaches the market,” Fernando said.

As a result, maintenance activities such as security patches are no longer feasible for hospitals. Let’s say that security patches are released by the vendors, however. The time and cost it takes to validate these updates to devices is onerous.

“Even once this validation process is complete, it can be a daunting task to manage the deployment of a patch into the highly dynamic operational life cycle phase of a device, which may be in process of performing critical functions like life support,” said Fernando.

How Health Care Organizations Can Mitigate Security Risks

You can’t protect what you can’t see, so proper visibility into connected devices and their ecosystem is critical. Once you have visibility, understand the risk that each of these devices poses and take necessary proactive measures to minimize this risk, such as network segmentation, patching and removing devices from networks.

By monitoring device behavior and understanding what devices do in the context of medical workflows, you can detect anomalies when devices behave suspiciously. And, of course, early detection enables quicker response.

Strengthening password requirements can help you reduce risk, but when malicious actors gain a foothold, organizations need network traffic analytics to understand where the attack started and determine whether it has spread.

“By looking at how credentials are used throughout the network and creating a baseline of normal usage, network and security teams can be alerted to anomalous credential use and stop attacks as they happen,” Jett said.

Furthermore, all of the different stakeholders in the healthcare value chain need to be invested in securing the future of connected healthcare. Since this is a widespread effort across the healthcare environment, industry leaders should develop guidelines and standards to evaluate whether products and devices meet cybersecurity standards.

The post What Does Healthcare Cybersecurity Look Like in a Future of Connected Medical Devices? appeared first on Security Intelligence.

Why CISOs and Boards Should Work Together to Improve Cybersecurity Disclosure

Just how well are organizations informing stakeholders about cyber risks? As 2018 drew to a close, that was the question that EY sought to answer in its “Cybersecurity Disclosure Benchmarking” report. EY looked at how Fortune 100 organizations are sharing information related to cybersecurity in their proxy statements and 10-K filings, specifically analyzing these documents for the following:

  • Information related to how the organization manages cybersecurity and security awareness and training — and whether those are part of a wider enterprise risk management (ERM) program.
  • Whether or not public filings contained statements about the importance of cybersecurity risks as strategic risks, or their potential impact on business objectives.
  • How the board is discharging its responsibility to oversee risks, focusing specifically on cybersecurity risks, including board member qualifications regarding cybersecurity as well as the structure and frequency of cyber reports from management.

Before we look at what EY’s analysis revealed, let’s take a step back and look at the environment that got us here.

Businesses Are Under Pressure to Disclose Cyber Risks

It’s no secret that cybersecurity has become a regular topic of discussion for boards and top leadership. But just because something is discussed every once in a while doesn’t mean that organizations are taking effective steps to deal with it. As the events of the past two years have shown, cybersecurity risks are real, and publicly traded organizations that experience a cyber incident — be it a breach, ransomware attack, denial-of-service (DoS) or other digital disruption — will quickly find themselves in the spotlight with ample, but unwanted, news coverage.

The problem for many of these companies isn’t the spotlight from the press or the immediate drop in stock value — it’s the secondary but very significant impacts coming from class-action lawsuits, fines and other regulatory enforcements, and long-lasting scrutiny from regulators such as the U.S. Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC).

The SEC’s 2011 guidance reminded board directors that cybersecurity — at the time a relatively new issue rising to the board’s level — was a material issue to be addressed. The 2011 guidance specifically mentioned the need “to disclose conclusions on the effectiveness of disclosure controls and procedures,” especially since a cyber incident could impact many of the other areas in which organizations are normally required to disclose information (e.g., financial and operational risks).

However, in 2018, the SEC released updated guidance for cyber-related disclosures to not only remind organizations of their duty to have controls in place to deal with insider trading, but to, in the words of SEC Chairman Jay Clayton, “promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” Clayton went on to say he had requested that the SEC division of corporation finance continue to carefully monitor cybersecurity disclosures.

For those wishing to learn from the mistakes of others, the SEC maintains a list of cyber enforcement actions that includes cybersecurity-related matters.

Top Findings From EY’s Cybersecurity Disclosure Study

EY’s analysis of 10-K filings and proxy statements from Fortune 100 firms found that all organizations — yes, 100 percent — included cybersecurity as a risk factor consideration. Furthermore, 84 percent mentioned cybersecurity in the risk oversight section, and nearly 7 in 8 organizations had charged at least one committee with oversight of cyber risks (though, in 70 percent of those organizations, that committee was the audit committee, whose agenda is already bursting with challenging issues).

In terms of board qualifications, 41 percent of companies reported highlighting cybersecurity expertise as an area of focus for new board directors. But when it came to interactions with management, only 34 percent of organizations mentioned the frequency of board reports, with just 11 percent reporting briefing the board annually or quarterly.

Finally, in terms of risk management, 70 percent of organizations mentioned their cybersecurity efforts and activities, such as training, personnel, refining of processes and monitoring. However, only 30 percent made any reference to incident response planning, disaster recovery or business continuity, and a tiny fraction, just 3 percent, indicated that their preparations included items such as tabletop exercises or simulations.

An Opportunity for CISOs to Play a Larger Role

As companies increasingly acknowledge cybersecurity risks as strategic risks, chief information security officers (CISOs) have an opportunity to play a larger role in the organization’s plans, investments and overall digital strategy. Instead of representing the camp of “security-as-an-IT-issue” — and with this, the simplistic view of security as an impediment to business — the CISO can help drive better conversations around cyber risks and educate top leadership and the board on emerging cybersecurity and privacy issues, including those that aren’t directly connected to cybersecurity such as artificial intelligence (AI), robotics and blockchain.

CISOs can drive progress by engaging with top leadership and the board to provide broader awareness, education and participation in matters that organizations should be more transparent about. Those cyber-related matters include incident response and emerging threats as well as gauging the organization’s readiness (e.g., tabletop exercises, simulations) and the effectiveness of its cyber risk management program.

Recommendations for Board Directors

The EY report provides several recommendations in the form of questions for boards to improve their engagement regarding cybersecurity risks. It’s worth asking the following questions of your organization:

  • Has responsibility for cybersecurity been formally assigned at management level (e.g., CISO) and on the board itself (e.g., audit committee)?
  • Is the board getting regular briefings on the organization’s strategy regarding cybersecurity risks and cyber resilience? How engaged is the board in reviewing the organization’s cyber risk management program, and security-related investments?
  • How has the organization (i.e., management) fared in recent tabletop exercises or simulations? Are directors taking part in such activities?

The report also mentioned the benefits of contracting with external advisers to provide board directors the opportunity to have a “dialogue with third-party experts whose views are independent of management.”

In 2019, it is imperative that enterprises take action to inform investors about cybersecurity risks and incidents in a timely manner — even enterprises that are subject to risks but have not yet been the target of a cyberattack. In this light, board directors, top leadership and CISOs should take another look at how well their 10-K and proxy statements satisfy the requirement to disclose material information regarding cybersecurity risks.

The post Why CISOs and Boards Should Work Together to Improve Cybersecurity Disclosure appeared first on Security Intelligence.

What Can Consumers and IT Decision-Makers Do About the Threat of Malvertising?

If you haven’t already heard of malvertising, it’s one of the latest portmanteaus you’ll hear more about in 2019. Malvertising, or malicious advertising, is a type of online attack in which threat actors hide malicious code within an advertisement as a means to infect systems with malware. It works like any other type of malware, but can be found in ads across the internet — even legitimate websites such as The New York Times and BBC.

While these attacks have been around for several years, the rate at which they’re increasing is escalating, and the threat to the enterprise is getting more challenging to diagnose.

Frank Downs, director of cybersecurity practices at the Information Systems Audit and Control Association (ISACA), recognizes malvertising as the natural evolution of malware in today’s world of higher security.

“Leveraging traditional advertising capabilities, it makes it much easier for a malicious actor to seem legitimate,” he said.

Whether you’re at home, on a mobile device or sitting at your desktop at work, discerning which ads contain malware is difficult — especially compared to attacks such as phishing, where malicious messaging may be easier to detect.

So what can be done to educate both end users and IT decision-makers? Do workable strategies to defend against malvertising exist?

Ad-Blocking Software: The Ups and Downs of the Tried and True

While it’s easy to become discouraged given the perniciously stealthy nature of malvertising, it’s important to remember that ad-blocking software can handle a great deal of these threats by ensuring that most ads are never even presented to the user.

“Solutions exist which range from simple browser plugins, such as AdBlock Plus, to advanced traffic filtering tools,” said Downs.

He went on to single out an open-source, community-led initiative that’s gained some traction among cyber enthusiasts: Pi-hole.

“These devices are cheap, easily configured, community-developed systems which run on small Raspberry Pi devices. They block over 100,000 advertising domains and have gained an avid following online, making them more effective every day,” Downs explained.

However, Pi-hole isn’t for everyone. Most enterprises only need to deploy ad-blocking software and stop users from disabling it. If a valid use case requires a user to access a specific website, the security team should be alerted so they can determine the next course of action. The downside with this option is that it’s cumbersome and not user-friendly, resulting in users calling support teams to complain about how their workflow is negatively impacted.

“The reality is, no amount of user training is going to stop the problem. Enterprise CXOs have enough to concern themselves with,” said Sherban Naum, senior vice president of corporate strategy and technology for Bromium. “Malvertising is a pain that can be easily remedied by isolating the entire session, allowing a user the freedom to surf the web without the risk of compromise.”

Naum said he is seeing more customers taking the isolation route to remove the user from the decision tree when it comes to real-time runtime security.

Where Does the Buck Stop?

This is all practical for the well-informed enterprise, but end-user awareness is critical as malvertising proliferates. As it stands, users generally lack understanding of how ads and malware work together.

While it’s easy to place the onus on ad-blocking software providers, the issue is surrounded by complexity and extends beyond ad blockers. Because legitimate webpages benefit financially from ads, they’re asking users to disable ad blockers to access their site.

“The practice of asking users to disable a security product for their own benefit is troubling,” said Naum. “Ad blocker companies are doing the right thing to block ads, but users are left with making a decision to either maintain the ad blocker or disable it, as most see legitimate, well-known categorized websites as safe.”

What users may not be aware of is that these large sites are fed by hundreds of random servers that aren’t under the control of the top-level domain provider. This leaves users, employees and consumers as the final security decision-makers, which is anything but optimal.

“What would help is if large sites didn’t prompt users to disable security tools but rather let the visitor access the site and focus more on delivering their service than earning revenue on ads,” Naum said.

Return to Security Best Practices to Deal With Malvertising

That’s obviously easier said than done. If the threat of malvertising shows no signs of slowing down, sites that run ads may face the unfortunate dilemma of having to choose between revenue or keeping visitors safe. Until that happens, it’s our responsibility to be informed and do what we can.

To accomplish this, we must come to terms with the fact that we can’t stop the unknown or trust systems that are entirely out of our control. Further, enterprises must stop relying on legacy architectures and systems to identify attacks.

“Once you have accepted that you need to isolate the untrusted, then happy clicking on malware isn’t an issue and cybercrime is less effective,” said Naum. “However, perhaps the best way of looking at this holistically is that there will always be cybercrime and the enterprise needs to focus on what they are doing to ensure their users are not a victim.”

Malvertising is one more threat that will keep your IT decision-makers up at night, but any company with a protection-first mindset should be able to remain ahead of the curve. Security awareness training for the user may yield limited results in stopping this threat, but in cases like this, a security-minded C-suite will always be ahead of the game.

The post What Can Consumers and IT Decision-Makers Do About the Threat of Malvertising? appeared first on Security Intelligence.

10 Cybersecurity Conference Trips You Should Make Time for This Year

Cybersecurity remains a top priority for chief information security officers (CISOs) worldwide, but it’s easy to get out of touch as the industry evolves at breakneck speed and attackers discover new and innovative ways to compromise corporate networks. That’s why it’s worth investing in cybersecurity conference trips to help IT professionals stay up-to-date by networking with vendors, thought leaders and colleagues.

Top Cybersecurity Conference Trips You Should Book in 2019

Not sure where to distribute your IT budgets for ideal returns? Here’s a roundup of some of the top cybersecurity conferences happening this year.

Cybertech Israel

Cybertech Israel will once again descend on Tel Aviv from Jan. 28-30. One of the premier B2B networking conferences for security professionals, Cybertech offers both a major exhibition and full conference schedule over the course of three days. This year, speakers will include Prime Minister of Israel Benjamin Netanyahu, Professor Dieter Kempf, president of the Federation of German Industries, and Dr. Sridhar Muppidi, IBM fellow and chief technology officer at IBM Security.

HIMSS 2019

Up next for the new year is HIMSS19, which will take place from Feb. 11–15 in Orlando, Florida. This year’s theme, “Champions of Health Unite,” will bring together insights from trailblazers, game-changers and strategizers to help health IT professionals set the stage for a secure and successful 2019. Topics will range from privacy and telehealth to care culture and clinician engagement. Given the critical role of technology in delivering and empowering health services, HIMSS19 promises to be a great starting point for this year’s conference lineup in the U.S.

Think 2019

IBM Think 2019, happening Feb. 12–15, is making the move this year to San Francisco. With more than 160 security-focused sessions across the conference’s dedicated Security and Resiliency Campus, there’s something for everyone. Key offerings include sessions on making security relevant to the C-suite, understanding the value of collaborative defense and transforming the role of incident response (IR) with new technologies such as IBM’s Watson.


RSA Conference

One of the industry’s biggest annual conferences, RSAC is also held in San Francisco and will run from March 4–8. This year’s theme is “Better” — building better solutions, creating better connections and developing better responses. From securing robot-designed code to measuring data breach impacts and examining the value of human risk management, this massive conference (40,000+ attendees) always delivers value.

Cyphercon 4.0

Demonstrating that bigger isn’t always better, Cyphercon 4.0 will be held in Milwaukee from April 11–12. This cryptography and information security-focused offering strives to create an informal, welcoming environment that offers benefits for experts and beginners alike. All session abstracts are reviewed without speaker names attached, ensuring that only high-quality (not merely high-profile) presentations make the cut.

40th IEEE Symposium on Security and Privacy

With the General Data Protection Regulation (GDPR) now in full effect and privacy legislation a top priority for many countries, enterprises would be well served by any cybersecurity conference that tackles this increasingly complex field. The Institute of Electrical and Electronics Engineers (IEEE)’s 40th symposium will take place in San Francisco from May 20–22 and will bring together some of the industry’s leading researchers and practitioners to help organizations evaluate their current privacy policies and prepare for the next generation of personal data defense.

Gartner Security and Risk Management Summit

Happening in National Harbor, Maryland, from June 17–20, Gartner’s yearly conference includes sessions about emerging information security priorities such as machine learning, analytics and blockchain. More generally, the conference tackles the critical need to make security and risk top organizational priorities by offering a combination of meaningful networks, expert guidance and real-world scenarios.

Black Hat

One of two premier hacker conferences taking place in Las Vegas each summer — DEF CON is the other — Black Hat is more formal and also one of the most popular conferences every year. This year, the conference will be held from Aug. 3–8. Topics are wide-ranging; last year’s event examined the potential of voting machine compromise, and in 2015, researchers hacked a moving Jeep.

BSides

BSides, scheduled for Aug. 6–7 in Las Vegas, is a free conference that will celebrate its 10th year in 2019 and offers the benefit of small-group participation for all attendees. Walk-in passes are snapped up quickly, so if you’re in town for Black Hat or DEF CON, make sure to stop by the Tuscany Suites; this year, BSides has the entire hotel booked.

GrrCon

Rounding out the year is the more informal GrrCon, scheduled for Oct. 24–25 in Grand Rapids, Michigan. This conference is small — just 1,500 attendees — and focuses on creating a fun atmosphere where executives, security professionals, students and hackers can exchange ideas and uncover new insights.

Start the Year Off Strong

Less than 24 hours after the ball dropped in Times Square, this year saw its first data breach: As reported by CBR Online, more than 30,000 Australian civil servants had their data stolen. It’s a bellwether for 2019 — a not-so-subtle sign that threat actors will continue to compromise corporate data to leverage or generate profit. More importantly, it’s a reminder to start the year off strong — to revisit existing security policies, design more holistic defenses and make time for the best cybersecurity conference offerings of 2019.

The post 10 Cybersecurity Conference Trips You Should Make Time for This Year appeared first on Security Intelligence.

Risk managers see cybersecurity as the biggest threat to business

Sword GRC canvassed almost 150 risk managers from highly risk-aware organizations worldwide for their opinions. Overall, cybersecurity was seen as the biggest risk to business by a quarter of organizations.

The post Risk managers see cybersecurity as the biggest threat to business appeared first on The Cyber Security Place.

Board Directors Can’t Afford to Ignore Cybersecurity Risk

As organizations rush to adopt new digital channels, big data, advanced analytics, and emerging technologies such as blockchain, artificial intelligence (AI) and quantum computing, they face new risks that may be difficult to quantify today.

The obvious challenge with emerging risk is the lack of historical perspective and measurement. Position credit risk against cyber, for example, and you’ll realize that credit professionals have the benefit of leveraging time-tested practices and numerous economic cycles as a basis for understanding risk quantification in familiar metrics. Credits that score a 6.2 (expected frequency of default) will, on average, lose a greater percentage of principal balance as compared to credits scoring 3.2, and this is a known quantity.

Now consider cyber risk in light of the imperative to embrace new technologies to remain competitive and the gradual emergence of risk mitigation strategies to match new technologies. Put simply, the unmanaged cybersecurity risk of tomorrow is the unintended consequence of today’s revolution.

Weighing the Benefits of Technology Against Cybersecurity Risk

New technology enables value creation, generates process efficiencies, and allows companies to assimilate and analyze information at an unprecedented speed. This creates numerous opportunities to drive substantive improvement for the public good. For instance, AI tools enable health care professionals to quickly and accurately assist doctors in their diagnosis and treatment of serious illnesses. Similarly, AI applications in the financial industry help mitigate bank fraud and other financial crimes and combat cyber risk.

However, cybercriminals have access to this same technology, which they use to launch attacks and breach corporate networks to steal or damage information. This, combined with the mass digitization of data, growth of internet of things (IoT) deployments and widespread adoption of AI, is straining security resources like nothing we’ve ever seen. Juniper Research forecast the number of records stolen by cybercriminals to reach 5 billion in 2020, and Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.

Continuous improvement has never been more crucial to cybersecurity risk management. The worst thing you can do is remain static or get comfortable with the status quo. The failure to reassess and invest in your strategy, evolve your practices, educate leaders and employees, and advance risk technology in lockstep with new business applications puts companies and even national economies at risk.

Cybercrime has evolved into a well-organized, well-funded industry that focuses all its attention on penetrating enterprise networks to disrupt, steal, extort and exploit sensitive data. That said, many of the incidents that have made the news have nothing to do with threat actors; instead, they are the result of human error or malicious insiders, which presents a unique type of risk management challenge.

Either way, a reactive and siloed approach to cyber risk management limits effectiveness. The increasing volume and spectrum of threats necessitates detection, management and mitigation strategies that are proactive, adaptable and offensive in nature. Most importantly, these strategies must engage all elements of senior leadership.

Part of the problem is that technology has advanced faster than risk mitigation practices and investments. In many instances, cyber risk management is compartmentalized with technology functions, not widely understood by senior leadership or overtly linked to business strategy. Confronting this new risk means that every member of the senior leadership team, board of directors and company staff must make an investment in understanding and managing cyber risk.

Do You Understand the Risks Facing Your Business?

The more aggressive a firm’s digital and data-driven business strategies are, the greater the need to ensure that cyber risk is understood at the senior executive and board levels. This is the only way to facilitate a healthy and informed dialogue about business strategies and technology deployments with the appropriate risk appetite, safety considerations and governance. Of course, this task becomes more complicated as more technologies are adopted and integrated into the IT environment.

The widespread adoption of big data and advanced analytics will make it increasingly difficult for companies to manage or govern the volume of data they are trying to utilize. This is already a problem for some regulated financial market data providers; datasets and the products derived from them have outrun firms’ ability to map, manage and quality-control the data.

Cloud is another notable example. Many firms are rushing to move workloads to a hybrid cloud environment, which introduces new risks in multiple forms and raises myriad questions, including:

  • Where is the data?
  • What controls will be provided by each cloud service provider (CSP) and what must be provided by the firm?
  • How can the firm risk-assess and performance-manage each CSP?
  • How can the firm implement an effective risk dashboard across data types and providers, both on and off premises?
  • How can the firm demonstrate regulatory compliance effectively amid rapid change in the industry?

In addition, digital channels, bots and robo-advisors are being used at an accelerating pace. Like other emerging technologies, these expose consumers to new risks, and providers face scrutiny for poor outcomes. Understandably, consumers are not ready for these risks, and they simply do not know how to protect themselves in a world of connected devices, smart appliances and mobile banking. In response to this demand for open banking, and to stimulate competition in payments, the European Union (EU) issued a new Payment Service Directive (PSD2), which requires all financial institutions to share their customer and payment data in a standardized format. This open banking era introduces new obstacles to effective implementation and meeting both regulators’ and customers’ expectations of availability and ease of use.

Finally, the IoT brings countless new endpoints — and countless new microvulnerabilities — to the enterprise. It also exponentially multiplies the volume of data to be handled, complicates operating models, and makes it hard to map concerning data and risks. Consider technologies such as smart homes, connected cars and power grids; attacks on these systems could have physical, even life-threatening consequences that go far beyond the cost of noncompliance and disruption.

The New Regulatory Landscape Demands More of Leadership

The level of regulatory scrutiny and public awareness of cyber risk is rising and, along with it, expectations that companies will appropriately address these risks. Consider the General Data Protection Regulation (GDPR), which gives consumers more control over their personal data, mandates that vendors build data protection safeguards into products and services, and places strict requirements on companies that manage EU citizens’ personal data. Failure to comply could carry fines up to 20 million euros or 4 percent of total worldwide turnover.

Another example is the New York State Department of Financial Services (NYDFS) regulation 23 NYCRR Part 500, which holds the board responsible for overseeing and certifying compliance with appropriate security standards. As mentioned above, PSD2 addressed payment systems and their security requirements for registration under a new set of conditions and other criteria enacted by member states on Jan. 13, 2018. Finally, the California Legislature recently approved the California Consumer Privacy Act (CCPA), which will take effect in 2020. This new legislation, the strictest in the U.S., gives consumers rights related to how their data is managed and sold and imposes obligations on the holders of this data.

As you can see, cybersecurity risk is a real business risk and must be managed holistically as enterprise risk rather than delegated to technical functions. Chief information security officers (CISOs), risk and compliance officers, technology managers and line-of-business leaders must own risk collectively, and it must be built into and considered a crucial component of the business strategy.

To accomplish this, top management and the board must engage in regular dialogue around cyber risks and business strategy and recognize them as inextricably linked. Investment in one necessitates investment in the other. This approach enables business and security leaders to replace defensive strategies with offensive capabilities and maintain an open, honest and direct dialogue about risk. Most importantly, it helps these leaders coordinate and prepare to play their roles when a security incident strikes.

The post Board Directors Can’t Afford to Ignore Cybersecurity Risk appeared first on Security Intelligence.

Pessimism Pervades World Economic Forum Annual Survey

The annual World Economic Forum (WEF) Global Risks Perception Survey this year again includes two cybersecurity risks in the top five perceived long-term (10-year) risks. It is the same five as last year, although the order has changed. 'Data fraud or theft' is still considered the fourth risk, but 'cyber-attacks' have dropped from third to fifth.


Cyber risk management and return on deception investment

This article is fifth in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of

The post Cyber risk management and return on deception investment appeared first on The Cyber Security Place.

Cyber Security Predictions for 2019

A guest article authored by Jim Ducharme, Vice President of Engineering and Product Management at RSA

1. Prepare for IOT, the “Identity of Things”
From personal assistants, to wearables, smartphones, tablets and more, there is no shortage of connected devices. The explosion of IOT has finally reached a tipping point where the conversation of identity will start to take on a whole new meaning. The billions of new digital identities being created don’t come without risk – including new privacy and cybersecurity vulnerabilities. With businesses and consumers all in on IOT, how do we protect and securely manage the “identity” of the things?

2. Biometrics vs. the Four-Digit PIN
Biometrics are under a lot of pressure these days to be the silver bullet of authentication. So how could a simple 4-digit PIN, which has at most 10,000 possible combinations, give biometrics like FaceID with a 1 in 50 million entropy a run for its money? The industry will come to realize that when a 4-digit PIN is combined with AI and machine learning, the PIN, similar to what has been used for decades to protect access to our bank accounts, can provide a very high level of security. The ultimate goal for identity and access management is not to find the unbreakable or “unhackable” code for authentication, but rather to layer security to create a much stronger identity assurance posture. AI and machine learning will be a game changer, allowing for intelligence-driven authentication that will open up additional options of security layers for organizations.

3. Death of the Password?
We have long seen predictions that passwords are in their final days. But it’s time to come to grips with the fact that passwords will be here for a long time. Perhaps there is still hope that while we may be living with passwords for generations to come, they may be a lot less scary than the monster we have created. It’s time to reverse the trend of how complex passwords have become (MyKitsH8Me!) and how hard they are to manage (having to change them every 60 days) in an attempt to improve password strength. We can uncomplicate the password and unburden it from having the ultimate responsibility for security. A much simpler password coupled with additional layers of risk-based authentication, especially those factors invisible to the user like behavioral, location and device context, and even transparent biometrics, can help businesses better secure access to critical resources.

4. A New Generation of Risk-based Authentication
With a seemingly endless stream of high-profile data breaches and malicious cyberattacks, the need to ramp up security and manage identities is evident. 2019 will see the beginning of a new generation of risk-based authentication, powered by machine learning and user behavior analytics. Organizations will start to uncover their own unique context and identity insights to gain a more comprehensive view of user identities, including locations, behavior patterns, frequency of use and more. This new generation of risk-based authentication will allow organizations to reduce the friction on end users when accessing applications and information while strengthening the assurance that the user is who they claim to be.

Jim Ducharme, Vice President of Engineering and Product Management at RSA

All I want for Christmas: A CISO’s Wishlist!

As Christmas fast approaches, CISOs and cyber security experts around the world are busy putting plans in place for 2019 and reflecting on what could have been done differently this year. The high-profile data breaches have been no secret - from British Airways to Dixons Carphone to Ticketmaster - and the introduction of GDPR in May 2018 sent many IT professionals into a frenzy to ensure practices and procedures were in place to become compliant with the new regulation.

What the introduction of GDPR did demonstrate was that organisations should no longer focus on security strategies which protect the organisation’s network, but instead focus on Information Assurance (IA), which protects an organisation’s data. After all - if an organisation’s data is breached, not only will it face huge fallouts of reputational damage, hits to the organisation’s bottom line and future prospecting difficulties, but it will also be held accountable to regulatory fines - up to as much as €20 million, or 4% of annual global turnover under GDPR. Stolen or compromised data is, therefore, an enormous risk to an organisation.

So, with the festivities upon us and many longing to see gifts under the tree, CISOs may be thinking about what they want for Christmas this year to make sure their organisation is kept secure into the new year and beyond. Paul German, CEO, Certes Networks, outlines three things that should be at the top of the list.

1. Backing from the Board
Every CISO wants buy-in from the Board; and there’s no escaping from the fact that cyber security must become a Board-level priority. However, whilst the correct security mindset must start at the top, in reality it also needs to be embedded across all practices within an organisation, extending beyond the security team to legal, finance and even marketing. The responsibility of securing the entirety of the organisation’s data sits with the CISO, but the catastrophic risks of a cybersecurity failure mean that it must be given consideration by the entire Board and become a top priority in meeting business objectives. Quite simply, a Board that acknowledges the importance of having a robust, innovative and comprehensive strategy in place is a CISO’s dream come true.

2. A Simple Approach
A complicated security strategy is the last thing any CISO wants to manage. The industry has over-complicated network security for too long and has fundamentally failed. As organisations have layered technology on top of technology, not only has the technology stack itself become complex, but the amount of resources and operational overhead needed to manage it has contributed to mounting costs. A much simpler approach is needed, which involves starting with a security overlay which will cover the networks, independent of the infrastructure, rather than taking the narrow approach of building the strategy around the infrastructure. From a data security perspective, the network must become irrelevant, and with this flows a natural simplicity in approach.

3. A Future-Proof Solution
The cyber landscape is constantly evolving, with new threats introduced and technology appearing that just adds to the sophisticated tools that hackers have at their disposal. What a CISO longs for is a solution that keeps the organisation’s data secure, irrespective of new users or applications added, and regardless of location or device. By adopting a software-defined approach to data security, which centrally enforces capabilities such as software-defined application access control, data-in-motion privacy, cryptographic segmentation and a software-defined perimeter, CISOs can ensure that data is protected in its entirety on its journey across whatever network it traverses, while hackers are restricted from moving laterally across the network once a breach has occurred. Furthermore, the solution can protect an organisation’s data not only in its present state, but into the future. By enforcing a solution that is software-defined, a CISO can centrally orchestrate the security policy without impacting network performance, and changes can be made to the policy without pausing the protection in place.

Three Simple Wishes
High-profile data breaches won’t go away any time soon, so it is the organisations that have the correct mindset, with Board-level buy-in and a unified approach to securing data, that will see the long-term advantages. Complicated, static and siloed approaches to securing an organisation’s data should be a thing of the past, so the good news is that, in reality, everything on a CISO’s Christmas wish list is attainable (although not able to be wrapped), and should become a reality in the new year.

Paul German, CEO, Certes Networks

Nine for 2019: New Year tips for cybersecurity and privacy professionals

A new year is almost upon us, and that means one thing: resolutions. Easily made, even more easily broken, they’re nevertheless a useful way of setting goals for the next 12 months. We asked Brian Honan, Tracy Elliott, Sarah Clarke, Valerie Lyons and David Prendergast to share their tips for information security practitioners and privacy professionals. Here’s what you can do differently or better to protect your organisation and its critical data in 2019.

1 Attend security conferences

The first resolution is to attend at least two cybersecurity conferences this coming year. Choose the events well, and they can be a great source of knowledge and learning to apply in the daily security role. “It’s important to pick conferences that you feel will help you learn, not a vendor event that’s about how great their products are. Look for conferences that provide independent speakers, or topics on areas of interest to you,” says Brian.

Another reason to go to more conferences is the valuable opportunity to network with peers. “Sometimes we learn more from talking to others than from training courses or reading articles,” adds Brian.

2 Collaborate more with your peers

Resolve to take key business leaders in your organisation out to lunch, to discuss the challenges they face and understand how security can help them to address those challenges. Those lunchtime conversations can uncover important business needs. For example, HR might have difficulty retaining staff. Devising a secure way to let certain employees work remotely, or from home, could help employee retention rates without putting sensitive data at risk. Similarly, the marketing department might need a way of exchanging large documents and files with external design houses or ad agencies. But how is this possible if the company restricts mailbox sizes and blocks file sharing platforms like Dropbox?

These lunches can help to position the security function as a business enabler, not an obstacle to getting things done. It’s about finding workable solutions that maintain security because otherwise, people will find their own workarounds – and that introduces risk. “When you meet with your business peers, you can better understand their challenges. It becomes about how I as a security professional support that business objective while protecting the company’s key assets. Rather than ‘no’, the security practitioner says ‘yes, but’. Or better still, ‘yes, and this is how we recommend you do it’,” says Brian.

3 Rest up

Brian’s third tip for security practitioners is to try and sleep more. By his own admission, it’s slightly tongue-in-cheek but there’s a serious point behind it. There’s a growing conversation around the high levels of fatigue and stress in the profession, leading to burnout. “To be effective, we need to look after our own personal health. It’s important to take steps to ensure we can keep ourselves in the best condition to do our jobs. It’s trying to make sure you’re compliant as well as your security programme,” Brian advises.

4 Get Detailed on Privacy Regulations [GDPR]

Turning to privacy, Tracy Elliott predicts 2019 will see activity around the General Data Protection Regulation [GDPR] move from theory to practice. “A lot of 2018 was about writing data protection policies and putting governance structures in place. The next 12 months will focus on training people in specific jobs in what they need to know about data protection,” she says.

The responsibility for training and awareness falls to an organisation’s designated data protection officer (DPO). That ranges from simple things like posters in staff canteens to help refresh people’s memory about, and awareness of, GDPR. Then DPOs should identify key roles in an organisation who need tailored data protection training that reflects their specific job. For example, a nursing home healthcare assistant needs to know about speech privacy as part of protecting sensitive patient information.

5 Batten down for Brexit

Even as confusion surrounds Brexit, it’s time to plan for whatever the outcome might be. (Insert your own joke about seeing the words ‘Brexit’ and ‘plan’ in the same postcode, let alone the same sentence.)

Sarah Clarke points out that a future adequacy agreement is not certain between the UK and the EU. It’s possible that in the event of a no-deal Brexit, the UK will become a third country outside of the EEA. That would mean all transfer of data between Ireland and the UK will be considered as international transfers.

With this in mind, Tracy Elliott says data protection officers should review their organisation’s processing activities. They should identify what data they are transferring to the UK, and whether that includes data about EU citizens. “Consider your options of using a contract or possibly changing that supplier. If your data is hosted on servers in the UK, contact your hosting partner and find out what options are available,” she says.

Larger international companies may already have data sharing frameworks in place, but SMEs that routinely deal with the UK, or that have subsidiaries in the UK, might not have considered this issue yet. All communication between them, even if they’re part of the same group structure, will need to be covered contractually for data sharing. “There are five mechanisms for doing this, but the simplest and quickest way to do this is to roll out model contract clauses [MCCs]. They are a set of guidelines issued by the EU,” Tracy advises.

6 Plan for all outcomes

Here’s where contingency planning is vital. “Use of MCCs has its own risks as they are due an update to bring them into line with GDPR, and Privacy Shield [the EU-US data transfer mechanism] is still on trial,” Sarah warns. However, in the short term, MCCs fit the bill both for international transfers between legal entities in one organisation, and for transfers between different organisations. “For intra-group transfers, binding corporate rules are too burdensome to implement ‘just in case’. You can switch if the risk justifies it when there is more certainty,” she adds.

Sarah points out that regulators won’t tolerate inactivity. That said, they may grant some leeway if an organisation decides on a particular approach and documents its reason for doing so – even if that approach needs to change later. In other words, doing nothing is not an option – a bit like the best New Year’s resolutions.

7 Prepare beyond regulations

Valerie Lyons writes: “If we look to the US patents office, we see the top patents of 2017 fell into cloud, AI, machine learning and big data. Privacy regulation alone will not be able to address the challenges associated with many of these technologies. Gartner agrees, highlighting Digital Ethics and Privacy as one of its top trends of 2019. Privacy practitioners should familiarise themselves with digital ethics frameworks and look not just at privacy governance but information strategy and data management.”

8 Complete one thing

Sometimes, working as a security or privacy professional can feel like the circus act who keeps plates spinning. There are so many things to do, and so many places in the organisation to start mitigating risks. All the time, there’s an audience of compliance officers, auditors, regulators and bosses, waiting to see if one of the plates will drop. “Stop prevaricating. Pick one initiative and get it done, rather than starting three things and finishing none. That way, you’ve achieved something tangible you can point to. And it’s one less task on the list,” says David Prendergast.

9 Just do it

When it comes to security awareness strategy, as a certain sportswear company might say, just do it. “Don’t wait for a big budget. You don’t need huge sacks of money to explain to people what the risks are, and why they need to change behaviour,” says David. “Security professionals can often be quite shy of talking to IT people because we think they want us to fail. They don’t. They read different press, and if you just tell them the basics, you might just win some allies.” David also agrees with Brian’s point about collaborating more during 2019. “Talk to your colleagues and talk to your peers; they’re probably struggling with the same issues you are. The only daft question is the one you didn’t ask,” he says.

What resolutions have you made for 2019? Let us know in the comments below.

The post Nine for 2019: New Year tips for cybersecurity and privacy professionals appeared first on BH Consulting.

Point of View Matters

Just a quick thought this morning as I'm reading the news on the attack against Italian oil services firm Saipem across Twitter and other news outlets. It struck me fairly quickly that much of what my security industry peers read is very one-sided, and perspective matters.

Allow me to illustrate.

This article shows up on most of the business wires; it's from Reuters:
It's short and gets to the point quickly.

• the attack on the firm will have no impact on the group's revenues
• a cyber attack crippled over 300 computers and servers in the Middle East
Short. To the point. Leads with the big story first (no revenue impact).

This article was retweeted a bunch on the Twitter hacker and information security feeds:
It paints a different story.
• uses words like "notorious", and highlights an outage
• it focuses on the negative impact (technologically) of the attack
• likens it to the Saudi Aramco attack, and "one of the most destructive cyberattacks in history"

Saipem's own website has this to say, and is much more frank and simple in its explanation.

Now, let's get perspective.

Corporate leadership likely reads the short version, on Reuters, which basically says "No financial impact, some computers got broken, move on." On the security side, we see a different, more in-depth (obviously) story develop. Now when you go to your CEO or CFO and say "We need to do more to protect ourselves so we're not the next Saipem", your CFO/CEO will likely look back at you and ask why. There was no revenue impact; the risk seems to have been appropriately handled.

Think about this as you look at security risks to your organization.

Beyond governance, risk and compliance: privacy, ethics and trust

We are currently experiencing the fourth industrial revolution (FIR), characterised by a blurred fusion of all things physical, digital and genomic. Each revolution has been accompanied by a privacy legislation wave, linking its governance to the accelerating pace of change. So we find ourselves in the fourth privacy wave, where technological changes outpace regulation – causing consumer fear and digital distrust, and resulting in strong ethical arguments for aggressive improvements in organisations’ privacy practices.

One of those arguments is consumer trust. The 2017 Edelman Trust Barometer reveals that trust is in crisis around the world. To rebuild trust, Edelman argues that organisations must step outside their traditional roles and work towards a new, more integrated operating model that positions consumers and their trust concerns at the centre of the organisation’s activities. Organisations should address data protection not just because legislation mandates it, but because empowering customers to control their data engenders trust, creates shared ‘value’, and wins consumer loyalty.

“The trust dynamic between consumers and organisations is on a knife’s edge, with consumers reporting that the values of honesty and integrity have been eroded when it comes to personal data – leaving them feeling cynical and increasingly unwilling to share their data at all” – Whose Data Is It Anyway? CIM Survey 2016

Although many FIR technologies are positively transforming consumer lives, they still depend hugely on large quantities of consumer data, giving rise to increased personal data sharing. A recent study by Columbia Business School found that 75% of consumers are willing to share their data if they trust the brand and are more willing to do so in exchange for benefits, such as reward points and personalisation – but only if it’s on ethical, fair and transparent terms.

Big data = big ethics?

The more data consumers share, the more an organisation can leverage that data for personalisation and innovation, which leads to increased share value. However, according to Gartner, in 2018 half of business ethics violations will occur through improper use of big data analytics. The exponential growth in adblocking over recent years shows how consumers feel about improper use of their data (with Irish and Greek consumers topping the European average, at over 50%).

Just as consumers are known to share more information when they trust an organisation, the opposite is true with distrust. Boston Consulting Group has found that consumers radically reduce data sharing when they distrust an organisation.

Digital ethics and privacy is one of Gartner’s top ten strategic technology trends for 2019. It writes: “any discussion on privacy must be grounded in the broader topic of digital ethics and the trust of consumers, constituents and employees. Ultimately an organisation’s position on privacy must be driven by its broader position on ethics and trust”.

Doing rights vs doing right

Shifting from privacy to ethics moves the conversation beyond ‘doing rights’ toward ‘doing right’. This ethical approach to data privacy recognises that feasible, useful or profitable does not equal sustainable, and emphasises accountability over compliance with the letter of the law. In the digital economy, the existence of, and compliance with, regulation will no longer be enough to engender consumer trust.

Organisations need to find ways to let their consumers know that they use consumer data in a law-abiding and ethical manner. Organisations that ethically manage data and solve the consumer-privacy-trust equation are more likely to win loyal consumers who pay a premium for their products and services. For example, Lego has placed the protection of children’s data at the heart of its information protection strategy. It limits integration with social media, shows strong corporate responsibility regarding use of customer data by suppliers and partners, and it forbids third-party cookies on websites aimed at children under 13. Apple, too, mandates that any new use of its customer data requires sign-off from a committee of three “privacy czars” and a C-suite executive.

Sustaining trust

As data stewards, organisations should understand the dynamics and profile of their consumers and the factors that lead to their trust. Organisations can then communicate their compliance initiatives in a way that can more openly nurture and sustain the trust relationship with the consumer.

This in turn will enable them to better design how and where they should communicate their data protection activities to maximum effect. It also results in a more socially responsible and sustainable privacy protection regime for the fourth privacy legislation wave.

Valerie Lyons is chief operations officer at BH Consulting and IRC PhD Scholar at DCU Business School

The post Beyond governance, risk and compliance: privacy, ethics and trust appeared first on BH Consulting.

Forget C-I-A, Availability Is King – The Falcon’s View

In the traditional parlance of infosec, we've been taught repeatedly that the C-I-A triad (confidentiality, integrity, availability) must be balanced in accordance with the needs of the business. This concept is foundational to all of infosec, ensconced in standards and certification exams and policies. Yet, today, it's essentially wrong, and moreover isn't a helpful starting point for a security discussion.

The simple fact is this: availability is king, while confidentiality and integrity are secondary considerations that rarely have a default predisposition. We've reached this point thanks in large part to the cloud and the advent of utility computing. That is, we've reached a point where we assume uptime and availability will always be optimal, and thus we don't need to think about it much, if at all. And, when we do think about it, it falls under the domain of site reliability engineering (SRE) rather than being a security function. And that's a good thing!

If you remove availability from the C-I-A triad, you're then left with confidentiality and integrity, which can be boiled down to two main questions:
1) What are the data protection requirements for each dataset?
2) What are the anti-corruption requirements for each dataset and environment?

In the first case you quickly go down the data governance path (inclusive of data security), which must factor in requirements for control, retention, protection (including encryption), and masking/redaction, to name a few things. From an overall "big picture" perspective, we can then more clearly view data protection from an inforisk perspective, and interestingly enough it now makes it much easier to drill down in a quantitative risk analysis process to evaluate the overall exposure to the business.

As for anti-corruption (integrity) requirements, this is where we can see traditional security practices entering the picture, such as through ensuring systems are reasonably hardened against compromise, as well as appsec testing (to protect the app), but then also dovetailing back into data governance considerations to determine the potential impact of data corruption on the business (whether that be fraudulent orders/transactions; or, tampering with data, like a student changing grades or an employee changing pay rates; or, even data corruption in the form of injection attacks).

What's particularly interesting about integrity is applying it to cloud-based systems and viewing it through a cost control lens. Consider, if you will, a cloud resource being compromised in order to run cryptocurrency mining. That's a violation of system integrity, which in turn may translate into sizable opex burn due to unexpected resource utilization. This example, of course, once again highlights how you can view things through a quantitative risk assessment perspective, too.

At the end of the day, C-I-A are still useful concepts, but we're beyond the point of thinking about them in balance. In a utility compute model, availability is assumed to approach 100%, which means it can largely be left to operations teams to own and manage. Even considerations like DDoS mitigations frequently fall to ops teams these days, rather than security. Making the shift here then allows one to more easily talk about inforisk assessment and management within each particular vertical (confidentiality and integrity), and in so doing makes it much easier to apply quantitative risk analysis, which in turn makes it much easier to articulate business exposure to executives in order to more clearly manage the risk portfolio.

(PS: Yes, I realize business continuity is often lumped under infosec, but I would challenge people to think about this differently. In many cases, business continuity is a standalone entity that blends together a number of different areas. The overarching point here is that the traditional status quo is a failed model. We must start doing things differently, which means flipping things around to identify better approaches. SRE is a perfect example of what happens when you move to a utility computing model and then apply systems and software engineering principles. We should be looking at other ways to change our perspective rather than continuing to do the same old broken things.)

Ground Control to Major Thom

I recently finished a book called “Into the Black” by Roland White, charting the birth of the space shuttle from the beginnings of the space race through to its untimely retirement. It is a fascinating account of why “space is hard” and exemplifies the need for compromise and balance of risks in even the harshest …

Security is Not, and Should not be Treated as, a Special Flower

My normal Wednesday lunch yesterday was rudely interrupted by my adequate friend and reasonable security advocate Javvad calling me to ask my opinion on something. This in itself was surprising enough, but the fact that I immediately gave a strong and impassioned response told me this might be something I needed to explore further… The UK …