<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Darren Death, Author at Security Current</title>
	<atom:link href="/author/darren-death/feed/" rel="self" type="application/rss+xml" />
	<link>/author/darren-death/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Fri, 17 May 2019 16:58:31 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Darren Death, Author at Security Current</title>
	<link>/author/darren-death/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Conducting Organizational Information Security Assessments</title>
		<link>/conducting-organizational-information-security-assessments/</link>
		
		<dc:creator><![CDATA[Darren Death]]></dc:creator>
		<pubDate>Wed, 15 May 2019 10:48:44 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">/?p=20635</guid>

					<description><![CDATA[<p>The first step that self-help books suggest when a person wants to change is to perform a self-assessment. By honestly looking at yourself – the good, the bad, and&#8230;</p>
<p>The post <a href="/conducting-organizational-information-security-assessments/">Conducting Organizational Information Security Assessments</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>The first step that self-help books suggest when a person wants to change is to perform a self-assessment. By honestly looking at yourself – the good, the bad, and the ugly – you gain the knowledge of what direction you need to travel as you attempt to maximize the program you wish to pursue. Self-knowledge is a tool to aid you in focusing on exactly what needs to be changed and, ultimately, in being effective in your efforts.</p>
<p>Improving an organization’s information security posture requires a similar self-assessment approach. An appraisal of the existing situation allows for the development or improvement of the enterprise information security program so that the ensuing security controls can be implemented to meet the following goals:</p>
<ol>
<li>Ensure fiscal responsibility, that is, only spend on what is absolutely necessary</li>
<li>Provide value to the business through the ability to support needed business innovation</li>
<li>Address organizational risk</li>
</ol>
<p>There are some rules that should be followed when beginning the process of assessing your organization’s information security practices. The foremost is not to start conversations by criticizing people and telling them where they have done things wrong. Just as a counselor would do when helping you begin a journey of self-discovery, you need to take the time to understand and listen. Talk to your business and technical leaders. In most cases they can explain the business case behind a decision. It is imperative that the needs of the business be taken into consideration where possible. It is important to understand the decisions and their reasoning if you are to bring change to the organization’s information security posture. When you take this approach it will be easier to approach senior leadership should high-risk issues be uncovered that require immediate attention.</p>
<p><strong>Go it Alone or Solicit Help?</strong></p>
<p>When conducting an assessment there are two paths to follow.&nbsp; The first is to bring in a third party to accomplish this activity and the second is to perform the task with an internal team.</p>
<p>Third Party Assessments:</p>
<ul>
<li>Third-party assessments allow for an outside, and therefore objective, view into your organization’s business and technical processes.</li>
<li>It is hoped that the third-party assessor will be well versed in the assessment methodology, thus being able to conduct the review in a timely manner, have a deep understanding of the most recent policies and security issues facing companies, and build off of their experience in offering suggestions for improvements.</li>
<li>By bringing in a third party you are attempting to bring in an unbiased observer with the goal of reducing organizational infighting and discovering missed organizational deficiencies. This type of assessment can also be used to moderate differences in opinion between internal organizations, such as between IT operations and the information security group.</li>
</ul>
<p>Internal Assessments:</p>
<p>An internal assessment’s focus can vary based on the needs of the organization:</p>
<ul>
<li>If an organization is conducting its first assessment, the primary goal of the review is to determine the scope of needed change within the organization and to ascertain the potential need to bring in a third party for a deeper follow-up assessment.</li>
<li>If an organization does not require a third-party assessment, and if it has the skills to complete an information security assessment, the organization can choose to execute its own assessment activities.</li>
</ul>
<p><strong>My Experience – The Hybrid Approach</strong></p>
<p>Based on my experience it is best to combine the concepts of external and internal assessments into a hybrid assessment approach. Below are the high-level activities you would implement to achieve a hybrid information security assessment.</p>
<p>A. Conduct an Initial Internal Assessment</p>
<p>1. This assessment should address issues not just in the IT organization but also the larger organization’s business scope.</p>
<p style="padding-left: 40px;">i. Interview IT and Business leaders</p>
<p style="padding-left: 40px;">ii. Interview Subject Matter experts</p>
<p style="padding-left: 40px;">iii. Conduct necessary technical testing and document reviews.</p>
<p style="padding-left: 40px;">iv. Document findings</p>
<p style="padding-left: 40px;">v. Brief leadership on both deficiencies and organizational successes</p>
<p>2. Based on the outcome of the initial assessment, conduct a third-party assessment to dig deeper and remove bias.</p>
<p>B. Conduct a Third-Party Assessment</p>
<p>1. Work with subject matter experts, business, and IT leaders to discuss the goals of the assessment. Ensure that the team understands</p>
<p style="padding-left: 40px;">i. The purpose of the assessment is to build a risk based, prioritized roadmap and plan.</p>
<p style="padding-left: 40px;">ii. The purpose of this assessment is not to find fault and affix blame for issues that will be discovered.</p>
<p>2. Work with senior leadership to get their agreement and buy-in for the assessment. This will help to ensure that the assessment will be given priority and support.</p>
<p>3. Ensure that the assessment is well planned and that the required resources are available for interviews, testing, or review.</p>
<p>4. Execute the assessment and deliver the findings to the organization.</p>
<p>5. Triage and resolve the identified deficiencies.</p>
<p><strong>Continuous Process</strong></p>
<p>Developing an assessment strategy does not end once you have initially assessed your organization and have executed a plan to close discovered deficiencies. As part of continuous monitoring it is recommended that you continue the hybrid approach mentioned above. In operation this approach looks a little different than when you are in the process of initially triaging an organization.</p>
<p>From an internal assessment perspective, you will want to continuously monitor your environment to ensure that implemented security controls stay implemented and that new vulnerabilities are not introduced into the environment. You will want to have a third-party assessor examine your environment at least annually to ensure that you are not overlooking deficiencies and that implemented controls provide the desired security functionality.</p>
<p>Having a good approach to security assessments, both initially in your security program development and throughout your organization’s lifecycle, helps ensure that you are engaging in the activities necessary to properly safeguard and foster a resilient organization.</p>


]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Must-Have Skills for CISOs: A CISOs Connect Report</title>
		<link>/must-have-skills-for-cisos-a-cisos-connect-report/</link>
		
		<dc:creator><![CDATA[Darren Death]]></dc:creator>
		<pubDate>Mon, 18 Feb 2019 20:45:15 +0000</pubDate>
				<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=20226</guid>

					<description><![CDATA[<p>While cybersecurity is dynamic, there are things that are constant. These are the skills that every CISO must have to be successful, whatever the organization and industry, today and in&#8230;</p>
<p>The post <a href="/must-have-skills-for-cisos-a-cisos-connect-report/">Must-Have Skills for CISOs: A CISOs Connect Report</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[
<div class="wp-block-file"><a href="/wp-content/uploads/2019/02/Must-have-skills-for-CISOs-CISOs-Connect-2.pdf">Must-have skills for CISOs CISOs Connect</a><a href="/wp-content/uploads/2019/02/Must-have-skills-for-CISOs-CISOs-Connect-2.pdf" class="wp-block-file__button" download>Download</a></div>


<p>While cybersecurity is dynamic, there are things that are constant. These are the skills that every CISO must have to be successful, whatever the organization and industry, today and in the foreseeable future.</p>
<p>In this latest Security Current/CISOs Connect report, ASRC Federal’s CISO Darren Death combines previous research and his own findings to provide practical advice on how CISOs can use ten must-have skills in daily corporate settings to do their jobs better and secure their environments.</p>
<p>The skills range from communication and presentation, policy development and administration, political skills, knowledge and understanding of the business and its mission, collaboration and conflict management, planning and strategic management, supervisory skills, incident management, knowledge of regulation and compliance with standards, to risk assessment and management.</p>
<p>Implementation will differ based on the CISO’s background and personality, and on the needs and appetites of the organization and its leaders. Still, these ten top skills ensure a high likelihood of achieving security goals.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The costs of deferring important cyber decisions</title>
		<link>/the-costs-of-deferring-important-cyber-decisions/</link>
		
		<dc:creator><![CDATA[Darren Death]]></dc:creator>
		<pubDate>Mon, 22 Oct 2018 16:59:10 +0000</pubDate>
				<category><![CDATA[Articles]]></category>
		<guid isPermaLink="false">/?p=19881</guid>

					<description><![CDATA[<p>I was part of a conversation recently where someone stated that they were tired of all this cyber $%^t. It wasn&#8217;t the first time I heard such a sentiment expressed. It&#8217;s&#8230;</p>
]]></description>
					<content:encoded><![CDATA[<p>I was part of a conversation recently where someone stated that they were tired of all this cyber $%^t. It wasn&#8217;t the first time I heard such a sentiment expressed. It&#8217;s quite common to hear complaints about the importance placed on cybersecurity today.</p>
<p>Unfortunately, those views ignore the rapid changes occurring in our society, which are being supported through the adoption of digital technologies. The reality is that most critical/sensitive information held by organizations is digital. The sad fact is that information has never been so readily accessible by criminals while being so incredibly unprotected.</p>
<p>There was a time when the things you really cared about were not on the network. Then, it was easier to argue that you did not need cyber protection.</p>
<p>But recent developments have highlighted the need for change related to organizations’ cyber practices. We have seen many large and small breaches in the public and private sector lately. These breaches are a symptom of under-planning/under-costing of the actual scope of a system.</p>
<p><strong>IT Modernization and Cybersecurity</strong></p>
<p>IT modernization and cybersecurity are absolutely tied together. Do not make the mistake of taking on technical debt during this crucial stage in your organization’s development. Modernize your expensive legacy infrastructures while ensuring resilience and security for your organization.</p>
<p>The reality is that an information system costs more in many cases than those who want the system are willing to accept. The cost of properly securing a system is the cost of building a system in our modern era.</p>
<p>As a leader, when you defer important decisions related to your program or information system, you incur technical debt in your environment. Saving money now through inaction or poor decision-making will result in increased costs with interest in the future – when the results of those poor decisions or inaction become a reality.</p>
<p><strong>Cyber Requirements Do Not Exist.</strong></p>
<p>What? Cyber requirements are simply functional requirements that need to be integrated into information systems, tested for effectiveness, and managed throughout the system’s life cycle.</p>
<p>As a result, funds must be planned and secured to build your information systems. Since the security of your system is a foundational/functional requirement, the cost of cyber should be built into the system.</p>
<p>When cyber is not accounted for in the planning of an information system, then you have not fully planned for the system.</p>
<p>The reality is that most of the cyber activities you are dealing with are foundational ones, and not the “gold-plated” add-ons that your information security professionals would like to implement.</p>
<p>If you have authority in your organization (Director+, GS15+, etc.), the concepts of cyber are there to protect you and your organization. Use cybersecurity as a tool to improve your organization and ensure that it has resilience.</p>
<p><strong>We Are All in This Together</strong></p>
<p>National security is a shared responsibility. Most of us look at this as something that “they” in government do to protect “us” the citizens.</p>
<p>While that statement is certainly true, we must shift our mindset to see national security as something where we are all doing our part to support the mission of keeping our country strong and reducing the number of weak links in the chain.</p>
<p>We all must insist on secure coding practices, well-patched systems, strong security baselines and so on.</p>
<p>Remember: We have very real and present problems, from the home PC to the largest public or private information systems. The focus on cyber is a response to the incredible and rapid changes that are going on around us every day.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Darren Death: Developing a business continuity plan – and sticking to it</title>
		<link>/developing-a-business-continuity-plan-and-sticking-to-it/</link>
		
		<dc:creator><![CDATA[Darren Death]]></dc:creator>
		<pubDate>Mon, 01 Oct 2018 01:42:11 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">/?p=19686</guid>

					<description><![CDATA[<p>It is standard business practice for organizations to have a contingency plan after acknowledging the various threats and risks that it faces. Having a plan in place, however, is not&#8230;</p>
]]></description>
					<content:encoded><![CDATA[<p>It is standard business practice for organizations to have a contingency plan after acknowledging the various threats and risks that they face.</p>
<p>Having a plan in place, however, is not enough. The organization must periodically update the plan, test how well it works, communicate it to stakeholders, and ensure that people have the capability to implement it in the event it needs to be set in motion.</p>
<p><strong>The risks</strong></p>
<p>The common first step is to identify potential risks. A typical manufacturing company, for instance, likely faces the following risks:</p>
<ul>
<li><em>Information systems vulnerabilities.</em> Hackers will use vulnerabilities in enterprise information systems to gain unauthorized access to the system. A manufacturing company’s crown jewel in terms of data, for instance, would likely be in the form of design specifications, product pricing information, customer data and employee data.</li>
<li><em>Malware.</em> Viruses, Trojans and worms can cause information system destruction, data exfiltration and extortion. Hackers use custom-developed software that exploits vulnerabilities and misconfigurations.</li>
<li><em>Legal risks.</em> Does the company do considerable business in other places – in the EU, for instance, with stringent rules? The likelihood and severity of the risk are high, especially since fines and other sanctions for violators could be damaging to the firm’s ability to conduct business in a certain area.</li>
<li><em>Natural disasters.</em> Data stored on enterprise information systems is always at risk in the event of earthquakes, wildfires, tornadoes and flooding. Likelihood of occurrence may be low, but the impact, should it happen, is severe and potentially life changing.</li>
<li><em>Manufacturing uncertainties.</em> There are times when raw materials needed for the manufacture of equipment are not available. This adversely affects assembly line operations.</li>
<li><em>Power loss.</em> Power loss may come from scheduled outages, accidental damage or force of nature. Do the company’s data centers have reliable access to power?</li>
<li><em>Cloud services misconfigurations.</em> This is a risk that is dependent on the human factor – specifically, internal technical staff members and external contractors tasked with configuring the company’s cloud resources.</li>
<li><em>Equipment loss/theft.</em> Loss or theft can result in the exposure of sensitive business intellectual property. Employees and contractors may lose resources, and criminals may target such assets. IT equipment is always an attractive target. And should the sensitive intellectual property be exposed, the company stands to be less competitive.</li>
</ul>
<p><strong>The BCP</strong></p>
<p>Notwithstanding the safeguards that have been put in anticipation of these risks, the possibility of a disaster cannot be fully discounted. A BCP Team – a composite of the business’ stakeholders – has the primary responsibility of putting in place a business continuity plan so that the company could continue to function after a contingency event, and revert to normal operations at the soonest possible time.</p>
<p>The BCP should:</p>
<ul>
<li>Support the current risk decisions of the company;</li>
<li>Not introduce new risks;</li>
<li>Provide options for relocation or telework in the event of disasters;</li>
<li>Establish a succession plan such that there is no confusion on who takes key executive leadership roles if team members or leaders become unavailable or incapacitated;</li>
<li>Identify the source of funds with which to execute contingency measures;</li>
<li>Determine the roles and hierarchy for the implementation of the plan, from a technical (not organizational) perspective.</li>
</ul>
<p><strong>A living document</strong></p>
<p>While the BCP is developed prior to any contingency event and lays down who will do what in such situations, it is never a static document that is bound and kept in a drawer, only to be pulled out in the case of a contingency event.</p>
<p>Instead, the BCP must contain guidelines on its own periodic update, based on changes due to deficiencies discovered or to newly implemented technology.</p>
<p>The plan should be periodically tested to ensure it takes necessary and current business concerns into account. Along with the testing come fault discovery and mitigation. A repeatable change control process ensures that BCP errors are corrected and new system changes are properly documented.</p>
<p>Finally, the plan should also establish how it will be communicated among various stakeholders so that everyone knows his or her role.</p>
<p><strong>The crafting process</strong></p>
<p>The most important thing in developing a BCP is involving the stakeholders in determining the kind of plan you want to develop. Is it something at the enterprise level, or something at the level of an individual information system? If it is the former, then it is absolutely necessary to involve your senior leaders for their perspective on what would spell disaster for the business, and what is critical to keep it running in the event of disaster.</p>
<p>Once senior leadership has defined what it means to keep the organization running, the plans for each business unit should also be developed.</p>
<p>You go through tabletop exercises when validating the steps in the plan you are making with the various units, until you get a functioning continuity program. Once you have that, you make sure that everyone who has a role in the plan understands his role. You give proper training so everyone has the tools he needs to carry out the plan in appropriate places.</p>
<p>Just as important is working with your finance units so you can make sure that in the aftermath of a disaster, there will be funds available. If there is something you need to buy, or to keep the business running, contingency funds would be there. You have to have a figure – with X number of dollars, the company would still continue to function.</p>
<p>For the information side, you have to determine support, restoration, evaluation and testing to ensure that your plan would be workable even if one of your locations becomes non-functional.</p>
<p><strong>Your worst enemy</strong></p>
<p>Still, a plan is just that – a plan, and the challenge is making it work in the unfortunate event that a disaster actually strikes.</p>
<p>In the course of my career I have been involved in implementing continuity plans, and what I have learned to be universally true is that problems arise when people panic and end up not following the plan altogether.</p>
<p>Remember, if you think you have done a good job at having a sound business continuity plan, then your best bet is to follow the steps you developed when you were not panicking. Bear in mind that the plan you now have was well thought out and was successfully tested and verified. You know that it works.</p>
<p>The worst I have seen is when people panicked, didn’t follow the plan they worked so hard at developing, and believed they could just sort of wing it. So my advice is, don’t even think you can wing it – stick to the plan, and you should be fine.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Attacks of the Future</title>
		<link>/the-attacks-of-the-future/</link>
		
		<dc:creator><![CDATA[Darren Death]]></dc:creator>
		<pubDate>Wed, 25 Jul 2018 03:55:16 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">/?p=19596</guid>

					<description><![CDATA[<p>What might the most damaging attacks of the future look like? The answer to the question may lie somewhere between the known patterns that attackers have established over the years,&#8230;</p>
]]></description>
					<content:encoded><![CDATA[<p>What might the most damaging attacks of the future look like? The answer to the question may lie somewhere between the known patterns that attackers have established over the years, and signs that we are starting to see today.</p>
<p><strong>A look back</strong></p>
<p>It started with the sun and the moon.</p>
<p>Solar Sunrise was discovered in February 1998 as part of a detected compromise of a US military computer at Andrews Air Force Base in Maryland. It was found that it had also infiltrated many other military installations in the US. Initially the Computer Emergency Response Team believed that the attacks came from US and Israel universities, but they eventually determined that these were just being used as pivot points and that the attackers were in other locations.</p>
<p>The culprit? Two teenage boys in California who were being mentored by Ehud Tenenbaum, an experienced hacker. Tenenbaum was sentenced to eight years in prison.</p>
<p>Just a month after Solar Sunrise, Moonlight Maze was carried out against US cyber infrastructure. The attack, detected a year later, spread its footprint across government systems, universities and research laboratories. The goal appeared to be exfiltration of data from unprotected computer systems.</p>
<p>Authorities suspected the Russian government even though full responsibility was not established. Two key lessons were learned from this episode:</p>
<ul>
<li>Strong encryption could have saved the day. If this were in place, the stolen data would have been useless to the attackers.</li>
<li>Attribution of the attack to a single actor can be difficult.</li>
</ul>
<p>The Code Red worm came in 2001. In a very short period, this worm infected 350,000 web servers – at that time, a high number. The worm took advantage of vulnerabilities in Microsoft Internet Information Services (IIS). From Day 1 to Day 19, infected systems performed network scanning to spread the worm further. From Day 20 to Day 27, these infected systems performed denial of service attacks against other Internet services and government agencies.</p>
<p>Nine years later, a more aggressive worm surfaced – the Stuxnet worm. This worm targeted Siemens industrial control software and eventually destroyed Iran’s uranium-enrichment capability. It caused the centrifuges to accelerate and decelerate at a rapid and unsupported speed, causing the centrifuges to fail.</p>
<p>The worm reached the facility physically – not through the Internet. This was social engineering at work – an unsuspecting employee introduced the worm, carried on a USB drive, into the Iranian facility. This was the first time a cybersecurity attack crossed over to the physical world to create real and significant damage.</p>
<p>The Stuxnet worm destroyed a military target, a feat on par with a conventional bombing attack. It was determined that this level of engineering could only have been carried out by nation state actors.</p>
<p>Finally, in December 2015, hackers massively disrupted the Ukrainian power supply by deploying a trojan that allowed attackers to gain command of the organization’s industrial control systems. The attack resulted in widespread blackouts in Ukraine.</p>
<p>This was the first known example of cyberwarfare against civilian infrastructure.</p>
<p><strong>Not your usual malware</strong></p>
<p>From these examples we know that advanced persistent threats (APTs) differ from typical malware in five ways:</p>
<p>1. They use advanced technical tools that are not available to the public. This includes sophisticated zero-day vulnerabilities that require significant resources to discover.</p>
<p>2. They exploit social engineering. Humans are said to be the weakest link in cybersecurity. APTs use humans to embed technical tools, as shown in the Stuxnet worm example.</p>
<p>3. They have clearly-defined objectives. They know what they want to achieve and how they can achieve it.</p>
<p>4. They have solid funding. APTs are supported by nation states. They can pay talented cybersecurity experts to render their expertise.</p>
<p>5. They have a high level of organization. APTs are resource intensive and highly disciplined.</p>
<p><strong>Looking ahead</strong></p>
<p>Successful attacks in the future will likely take advantage of the Internet and manipulate human resources in targeting an organization or facility. No one is better placed than a nation state to combine these two vectors in an attack on critical infrastructure.</p>
<p>Nation states will have access to the hardware and software needed to test their attack tools. They can afford to hire skilled researchers who are capable of reverse engineering. They have intelligence apparatuses to target the right technology and people, and they have the high degree of organization needed to put together multiple attacks using physical and logical access to systems.</p>
<p>Why the Internet? Vulnerable information systems on the public Internet are the ideal initial modes of entry.</p>
<p>And why human resources? More and more, advanced social engineering techniques allow attackers to reach organizations’ internal networks. Carefully crafted emails sent to selected employees will try to get those employees to launch the malware unknowingly.</p>
<p>Moreover, it appears that attackers of the future will continue to use the same methods and patterns, but at an exponentially faster pace through the help of artificial intelligence.</p>
<p>They will be able to work at high speed in attacking information systems and exploit the information brought back from vulnerability scanners and network scanners. Humans simply cannot do this – at least not at this rate. It is machines that will be running these attacks.</p>
<p>As a result, defenders will also have to rely on machine learning to counter and prevent these attacks. This is where analytics comes in.</p>
<p>Soon we will see AI analytics integrated into everything – for example, endpoint solutions. Over the next five years, we will see SIEM software move toward providing an AI analytics component rather than relying on rule sets and basic machine learning.</p>
<p>The challenge for us CISOs is how to elevate this conversation to business leaders and show them that these are business risks rather than just cybersecurity problems. This is best done through showing evidence of how cybersecurity breaches have affected other organizations and what could have been done to prevent these.</p>
<p>From a training perspective, cybersecurity professionals should focus on educating the user population about phishing attacks, and on conducting testing that is in no way punitive.</p>
<p>Elevating, teaching and testing – these three are components of a strong cybersecurity program.</p>
<p>The post <a href="/the-attacks-of-the-future/">The Attacks of the Future</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>RSA Conference 2016 Highlights – IT Security as a True Part of the Business</title>
		<link>/rsa-conference-2016-highlights-it-security-as-a-true-part-of-the-business/</link>
					<comments>/rsa-conference-2016-highlights-it-security-as-a-true-part-of-the-business/#respond</comments>
		
		<dc:creator><![CDATA[Darren Death]]></dc:creator>
		<pubDate>Wed, 09 Mar 2016 15:36:23 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16405</guid>

					<description><![CDATA[<p>RSA provides great opportunities for the CISO to learn in a compressed and diverse way to help further the implementation and management of their IT Security Programs. My goal this year was to look for guidance that didn&#8217;t focus&#8230;</p>
<p>The post <a href="/rsa-conference-2016-highlights-it-security-as-a-true-part-of-the-business/">RSA Conference 2016 Highlights – IT Security as a True Part of the Business</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>RSA provides great opportunities for the CISO to learn in a compressed and diverse way to help further the implementation and management of their IT Security Programs.</p>
<p>My goal this year was to look for guidance that didn&#8217;t focus on the old view of aligning the IT Security Program with the business.</p>
<p>Mostly this message had the IT Security Program engaging in technical security with a goal of not upsetting business leaders. I was looking for sessions that focused on the IT Security Program as a true part of the business.</p>
<p>By this I mean that the IT Security Program is part of delivering on the goals of the company. In this way, the IT Security Program would provide enterprise services that support and enhance the company’s ability to meet its mission and remain profitable.</p>
<p>Two great examples were the tracks below:</p>
<ul>
<li><a href="https://www.rsaconference.com/events/us15/agenda/sessions/1507/information-security-leadership-development">SEM-M02 Surviving as a Security Leader </a></li>
<li><a href="https://www.rsaconference.com/events/us15/agenda/sessions/1508/advancing-information-risk-practices-seminar">SEM-M03 Advancing Information Risk Practices Seminar </a></li>
</ul>
<p>These two sessions consumed most of the day on Monday and were worth the time. The presenters provided real world and highly actionable security program guidance. They had knowledge to impart about technical security; however, that was not their focus.</p>
<p>Most of the instruction given had to do with understanding your company’s goals, making sure that your IT Security Program is delivering on these goals, and ensuring that the listener had examples of accurately articulating the IT Security Program’s success to the business.</p>
<p><strong>My advice to CISOs attending in the future: </strong></p>
<p>Take advantage of one-on-one meeting opportunities with vendors that align with your mission. Vendors send large portions of their management and technical leadership to RSA. This allows you to have the people you really need in the room to get questions answered. Also, if a vendor wants you to meet their CISO or CIO, take advantage of it. This gives you an opportunity to ask the &#8220;what worked for you?&#8221; questions.</p>
<p>Take advantage of the CISO roundtable sessions when they become available. I participated in two separate after-hour sessions: one covered endpoint protection and the other addressed third party risk management.</p>
<p>Both sessions were delivered in a very professional manner, and the content came from the interaction with other CISOs rather than from speakers at the front of a room. This was valuable due to the diversity of the industries that were in attendance.</p>
<p>It is also valuable to hit the expo floor and visit the vendors. RSA gives a great opportunity to visit vendor booths and hear about new technologies. You could easily spend all week on the expo floor if you are not careful.</p>
<p>Make sure you have a plan and know where the vendors you want to visit are located. This will enable you to make the most of your vendor engagement while still taking advantage of the rest of the conference.</p>
<p>The post <a href="/rsa-conference-2016-highlights-it-security-as-a-true-part-of-the-business/">RSA Conference 2016 Highlights – IT Security as a True Part of the Business</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/rsa-conference-2016-highlights-it-security-as-a-true-part-of-the-business/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
