Saturday, 30 December 2017

Has Science Fiction Become Reality?

I’m one of those speakers that every year presents a topic that has the same title. I wonder if people at some point ask themselves ‘Is she presenting this topic again?!’. I started this in 2010 and have been repeating it every year since then. What’s this miraculous topic that never gets old you wonder? The topic is Security Trends and Threats in the Middle East.

Now, as you can imagine (if you work in security or even if you’re remotely aware of security), although the title is the same the content never is. We live in a world where the security realm changes so fast and so frequently that a slide deck I have prepared in March, would be obsolete by June. For me to keep the content updated, I have to read all the latest security research documents (or at least as many as is humanly possible to read and ingest) and summarize the interesting and relevant information into a 30-minute presentation deck.

This year it was different. Once I started researching about the latest security threats, I had to go into strategic and tactical threat intelligence topics which naturally took me into Security Artificial Intelligence, Machine Learning, Security Analytics, Cognitive Security Operations - to name a few of the terms that just a few years ago sounded like science fiction, but right now they’ve arrived to our daily conversations. All of this gave me pause. I wondered if next year, instead of me standing up to present the latest security threats, there would be a computer doing it. Looking at the solutions available in the market today, Watson Security Advisor, Project Havyn, Einstein, and others, I wondered if next year, someone from the audience would ask ’Watson, what are the latest security threats in the Middle East?’ and Watson would be presenting in my stead. As AI and Cognitive solutions come into our daily security operations, I wonder whether humans are set to become obsolete or will they have more time to concentrate on more advanced decision taking activities? Will I still be presenting with a richer content because of AI input or will I myself become obsolete?

I don’t want to go into theories of Rise of the Machines and I seriously doubt that it would come to that. I think that the more realistic prediction of the future would be that humans would reach to a degree where they can differentiate and understand what AI would be best in and what humans would be best in and find that balance.

One thing is for sure, we (in security) need all the help we can get to stay ahead of these threats that seem to be coming at us with higher velocity and causing larger impacts. Who would refuse a smart and structured partner such as AI) to help forge the path forward towards a more secure world?

Friday, 29 December 2017

The Accidental Security Threat: Insiders

Security Threat, ISC2 Guides, ISC2 Tutorials and Materials, ISC2 Learning

Insider threats can be malicious; but more commonly, they are accidental.  The weakest point in any security program is people.  They can have ill intent, they can also be manipulated or exploited, and they can simply make a mistake and email a spreadsheet full of client information to the wrong email address.  These types of incidents are real and happen every day.  They can lead to disastrous results on par with any major external cyberattack.   Traditionally, these threats are overlooked by most businesses as they are more concerned with the unknown malicious actor than the known staff member or business partner.  Organizations are sometimes reluctant to take the steps necessary to mitigate these threats and share important data through a trusted relationship, with little else as a security control.

Let’s look at what defines an “insider.”  An insider is any individual who has authorized access to corporate networks, systems or data.  This may include employees, contractors, business partners, auditors or other personnel with a valid reason to access these systems.  Since we are increasingly operating in a connected fashion, businesses are more susceptible to insider threats than ever before.  The volume of critical data in organizations is exploding, causing more information to be available to more staff.  While this can boost productivity and help to get work done, it comes with inherent risks that need to be considered and mitigated, lest that privileged access be used against the organization.

There are a number of ways that insiders can cause damage.  In some cases, they are coerced by an outsider to extract data.  This is common when organized crime is involved.  In other cases, legitimate user access is used to extract data, but the user’s credentials are compromised through other means such as a phishing attack.

Security Threat, ISC2 Guides, ISC2 Tutorials and Materials, ISC2 Learning
The good news is that organizations can do more now than ever before.  Providers are responding with solutions that monitor email traffic, web usage, network traffic and behavior-based pattern recognition to help detect who in the organization is trustworthy and who may be a risk.  While this is all a little big brother sounding in nature, some organizations may find this to be an appropriate way to mitigate the risks that come from insiders.  Organizations without big security budgets still have some old-school mitigations available to them such as employee awareness programs, employee background and reference checks, and exit interviews to gather information about attitude toward the company and insight into working conditions.  All of these programs help to give teams a sense of what is happening in an organization that may prevent incidents from occurring.

Tuesday, 26 December 2017

4 Things You Need to Know about the (ISC)² CISSP CAT Exam

ISC2 Guides, ISC2 Tutorials and Materials, ISC2 CISSP, CISSP Exam

Starting December 18, 2017 all English CISSP exams will be administered in a Computer Adaptive Testing (CAT) format. But what does this actually mean for those preparing for the exam? Let’s look at 4 things to expect when you sit for the CISSP CAT exam:

1. The passing score is the same.


You still need to score 700 out of 1000 to pass the CISSP exam. The content is exactly the same as the “old” (linear-based) exam format. The questions come from the same bank, and the pass rate will be unchanged by this format update.

2. You can still take breaks.


An exam like the CISSP can be mentally exhausting, regardless of format. We understand that you may need to step away from the computer, stretch your legs and clear your mind before returning to the questions. However, it is important to understand that any amount of time spent on breaks is part of the total testing time.

3. The CISSP exam takes half the time.


You’ll need to manage your time wisely – just as before – as the time limit for the CAT format is three hours, as opposed to six with the linear exam. But don’t panic! Instead of 250 items, the CAT format is down to 150 – at the most. And if you really know your stuff, you could pass the exam in as little as 100 questions. . Hopefully, cutting down the exam length means you’ll be celebrating earlier!

4. Take it one question at a time.


CISSP CAT is a more precise and efficient evaluation of your competency. Following your response to an item, the CAT scoring algorithm will re-estimate your ability based on the difficulty of all items presented to you and all the previous answers provided for those items. Because the CISSP CAT exam is a variable-length computerized adaptive examination and the difficulty of items presented to you is based on your previous responses, item review is not permitted. Once you finalize an answer, it may not be reviewed or changed.

So why did (ISC)² make the change from linear to CISSP CAT? The CAT format is a more precise way of measuring whether you will pass the exam. After each answer, an algorithm for scoring re-estimates your ability, based on the difficulty and accuracy of previous answers. Everyone’s path through the exam – from question 1 to 100 (or 150) – will be slightly different. We know how busy you are, and we hope this change puts you on the path to certification just a little bit quicker.

Thursday, 21 December 2017

IT Security essentials for small and medium enterprises

IT Security, ISC2 Tutorials and Materials, ISC2 Certifications, ISC2 Learning

Since I first published the free eBook "Improve your security" dedicated to end users, I've been asked many times to give advises for small and medium enterprises. At first, I thought that this is a very different topic than what I wrote before. However, after some thinking, I realized, that difference between the behavior of end-users at home and in the office of a small to medium companies, doesn't differ that much.

After all, it is no secret that the cyber criminals are where the money are. If the targets are easy to breach, it is even better since this improves the ratio effort/outcome for them. Usually, small to medium size companies are preferred targets because they fit in this category: they do have money, more than the private users, and are very easy to infiltrate. The tips below help these companies not only to survive in the cyber world, but also keep the attackers away.

1. Make the employees understand and care about security. Teach them how to act and react.

There are multiple aspects to the people problem: attitude and usability of security.

First, is that the common attitude in companies: „security is IT department's business“. IT tries to do their best, but there is no security solution that can fully protect you against what is happening in the wild. End users are easy targets; attackers are compromising their systems and gaining access to corporate networks and digital assets using techniques like:

◉ Malvertising attacks which infect victims in the course of their normal Internet browsing, without even clicking on the advertisement
◉ Spam and phishing emails incorporating social-engineering techniques so that they appear to be sent by well-known companies or other ‘trusted’ sources but contain links to malicious sites
◉ Third-party applications that are malicious or good and bundled with malware and downloaded from popular online marketplaces. We have here all kind of marketplaces, targeting all possible platforms and devices:

– Mobile appstores like Apple's, Microsoft's, Google's, Amazon’s, etc.

– Browser Extensions for popular browsers like Chrome, IE, Firefox, Opera

◉ “Watering hole” attacks targeting specific industry-related websites to deliver malware

While new technologies are created constantly, all security solutions are at least one step behind the threats out there, simply because there is no usable way to completely protect people against threats such as those mentioned above.

Second, people just want to have their jobs done. This is the reason why they see security as something that comes in their way and slows them down to have their job done.To have their job done faster, they are willing to stop or deactivate security programs (and infecting their computer), use different Internet connections that go around the company's defenses (and infecting their computer), take documents so that they can work at home (and lose them on the way), bring devices in the company (and infecting everyone else).

If companies invest more in making people understand what the risks and consequences are, they will see this problem differently. But this is a long topic which will be addressed in details in another article.

2. Install security software on all devices


Security software is not the solutions to all problems, as no software is able to 100% protect users against everything. But, in this case also 90% or more is better than nothing. The most attacked operating system is Windows, no question about that. But even if you are a Mac user, you should not think that you are safe. Also on Mac there is plenty of malicious software(especially trojans) and the amount of malware and exploitable vulnerabilities is increasing. With the increase of the attacks on mobile platforms and with the adoption of the browser as the new „operating system“, there are specific threats that apply to these platforms. As mentioned above, there are threats for smartphones and tablets running iOS and Android and malicious browser extensions everywhere. Fortunately, there are also plenty of security solutions to protect against these threats and the good news is that the majority of them are completely free. So, there is no excuse to let your device and browser unprotected.

3. Keep all programs up to date


Vulnerable programs are these days the most common place to attack victims and steal personal data. Mass media is doing a great job in disclosing any vulnerability found (sometimes even only assumed vulnerability) in the most used software around. All known cyber weapons like Uroburos, Stuxnet, Duqu and Flame have used known exploits in software. Also, major vulnerabilities in server software such as Poodle (in SSL) and Hearbleed (in OpenSSL) have been exploited and in these cases it is not even known how long they were used and how much private information has been stolen. The most vulnerable products are those that are considered system utilities, even though they are nothing else than commodities: Adobe Shockwave and Flash Player, Apple iTunes and QuickTime and Oracle Java. Yes, it is possible to live without them, but it is not always easy. The best thing is to deactivate them if you don't need them - especially Java but also Shockwave and Flash.

4. Filter the web traffic, block suspicious websites 


Filtering means not only restricting access to various websites, but especially making sure that the traffic if cleaned up before it reaches the users. An important factor which shows the importance of web filtering is the fact that the websites that the users are visiting might be of a very good reputation and still infecting their visitors. This can happen by showing 3rd party advertisements which can exploit vulnerabilities in browsers or, most common, in Flash Player, Silverlight and other web technologies. Other attack vectors with websites as delivery mechanism are drive-by downloads and malicious javascript injection, iframes , phishing websites and, most dangerous, spear-phishing websites. The web filtering solution should ideally be installed on the gateway. If your company is too small for this, then install a security suite on each computer connected to the internet. Note that all computers should have a security solution installed (with a real-time scanner), but depending on their purpose, the coverage of the security solution can include a web filter, mail filter, firewall and so on.

5. Make backups the right way and keep them secure 


There are only few things in life that we can be sure that they will happen: one of them is that hard drives fail. It is just a matter of time until a catastrophic hard drive failure happens. Drives have a  mean time of good functioning and they are statistically known for each type of drive. So, better be prepared for this unpleasant event.  The biggest mistake that many companies do is to keep backups on the same machine (on another hard drive) and in the same room/data center. This approach is definitely better than no backup at all, but it doesn't help in case of electric surges or spikes (the entire computer gets damaged, including all components inside), fire, flood or theft in the data center. The backups are to be stored always in another place than the data backedup. Always store the data encrypted because you never know who gets access to the drives or tapes in future. Using a cloud based backup service is another possibility to mitigate these risks. The most important thing to do before using such a service is to encrypt the data. Never forget that in the moment data is leaving the computer, it is no longer belonging to those who created it. It belongs to all those entities that are traversed between computer and storage server. This means that anyone can intercept the data in transit (even if it is transferred over SSL) and while it resides on storage. The biggest problem is that most online backup services do not easily support encrypting data on the client side (before upload). If you read in the SLA (Service Level Agreement) or EULA of the provider that they encrypt data, it means that they keep the data encrypted on storage. While this mitigates the situation when a hardware gets stolen from the datacenter of the company, it doesn't mitigate the risk when an insider (employee or hacker) gets access to the private key used by the company to encrypt the data on storage. The best thing is to send the data already encrypted to the online storage.

6. Protect and encrypt devices and storage


The biggest data leakages happen for two reasons:

– careless employee take with them confidential data on devices which they lose

– hackers obtain access to company's infrastructure.

While the second is a very complex topic to address, the first one has simple solutions. First of all, no confidential data and especially PII (Personally Identifiable Information) should leave the company. Even in the company, there should be defenses in place in order to not allow just anyone to access it. But, this is in theory. In real like, employees want to optimize things and take work at home. Yes, even if this contains sensitive data. Since this happens anyway, better be prepared for the inevitable: laptops, memory sticks and smartphones get lost or stolen. In these cases, the value of the device is not even comparable with the value of the data on it. In order to make it impossible to the one that gets the device to access the data, the storage or the data must be encrypted. The user-friendlies solution is to encrypt the entire storage with special software like Bitkeeper and alike.

Laptops should have ideally a power-on password and a user to login in the operating system. The BIOS of the computer should be password protected in order to prevent attackers to overwrite security measures and disable TPM chips. Here you can find tips how to create good passwords. Smartphones are nowadays powerful computers with quad-core processors and a lot of gigabytes of storage. Without password/PIN protection and the entire storage encrypted (internal and external micro SD cards) any attacker can obtain access to emails, VPN access and other interesting data available there.

Tuesday, 19 December 2017

The Cybersecurity Skills Shortage Impacts Security Operations

The Cybersecurity Skills, Cybersecurity Guides, Cybersecurity Certifications

According to ESG research, 45% of organizations report having a problematic shortage of cybersecurity skills in 2017. Of course, this applies to all areas of cybersecurity but recent ESG research shows that the skills shortage has a direct impact on security analytics and operations. The research reveals that:

The Cybersecurity Skills, Cybersecurity Guides, Cybersecurity Certifications

◈ 54% of organizations say they don’t have the appropriate security operations skills for an organization of their size.
◈ 57% of organizations say they don’t have appropriate security operations staffing for an organization of their size.

Based upon this data, it is safe to assume that many organizations are understaffed and lack the right security operations skills – a double cybersecurity whammy!

The research also reveals some of the ramifications of these cybersecurity skills shortages. When asked to identify their top security operations weaknesses, cybersecurity professionals pointed to things like:

◈ Threat hunting. Many organizations simply lack the advanced skills necessary for threat hunting, while others are too busy responding to incidents to establish more proactive practices.
◈ Assessing and prioritizing alerts. CISOs have added lots of threat detection tools and services over the past few years, producing a tsunami of additional security alerts. These technology investments may be for naught, however, as the research indicates that SOC teams can’t keep up with all the noise generated by the growing volume of alerts.
◈ Computer forensics. When security operations teams respond to security events, they tend to put out obvious fires but often fail to proceed to the next step – seeking out the root cause of the blaze. Once again, they are either too busy or lack the advanced forensic skills necessary for this task.
◈ Security incident lifecycle management. In a perfect world, all security incidents are tracked from discovery, through investigations, and on to remediation. This tracking requires formal documented processes and a case management system that captures data and analysts’ notes, manages workflows, assigns tasks, and issues reports on what’s open and what’s closed. Alas, too many organizations rely on email, spreadsheets, and informal processes, making incident lifecycle management a chaotic affair at best.

Sadly, most organizations are in a position where there is too much work and not enough people to do it. Even when bodies are available, some of the chores at hand require advanced skills.

I’ve said it before and I’ll say it again, the cybersecurity skills shortage is an existential threat as it impacts everything we do to safeguard digital assets. In this case, the ESG data reveals that the cybersecurity skills shortage has a direct effect on security operations and our ability to prevent, detect, and respond to security incidents.

It is worth mentioning that ESG is about to publish a new research report in conjunction with the Information Systems Security Association (ISSA) that looks at the ramifications of the cybersecurity skills shortage in depth. Stay tuned!

Saturday, 16 December 2017

Cloud Security: Still a Work in Progress

Cloud Security, ISC2 Tutorials and Materials, ISC2 Certifications

A few years ago, ESG (and other) research indicated that security concerns posed the biggest impediment for more pervasive use of cloud computing. What happened next? Business executives and CIOs found that cloud agility, flexibility, and potential cost savings were too good to pass up, creating a “cloud or bust” mentality. Naturally, CISOs had to do their best and go along for the ride whether they were ready or not.

So, how’s cloud security going at this point? ESG research indicates it is still a work in progress. As part of a recent survey, cybersecurity professionals were presented with a series of statements about cloud security and asked whether they agreed or disagreed with each one. Here are some of the results:

◈ 69% of cybersecurity professionals strongly agree or agree with the statement: “My organization is still learning how to apply its security policies to public/private cloud infrastructure.”
◈ 62% of cybersecurity professionals strongly agree or agree with the statement: “It is difficult to get the same level of visibility into cloud-based workloads as we have on our physical network.”
◈ 56% of cybersecurity professionals strongly agree or agree with the statement: “My organization’s current network security operations and processes lacks the right level of automation and orchestration needed for the cloud.”
◈ 52% of cybersecurity professionals strongly agree or agree with the statement: “The security team does not have the appropriate staff level to manage network security operations for cloud infrastructure.”

Taken together, there are still wide cloud security gaps associated with people, processes, and technologies.

What can CISOs do to bridge these gaps? Based upon lots of qualitative and quantitative research, here are a few tips:

1. Get training. Many of the deficits described above are a consequence of on-the-job cloud security training. Yes, cybersecurity professionals will pick things up but by the time security pros figure things out, cloud security will lag way behind where it should be. Since cloud computing demands a new attitude and skill set, it’s worthwhile to invest in appropriate hands-on security education up front. Ambitious members of the cybersecurity staff will recognize the career opportunity and pursue cloud security training with gusto.

2. Use cloud security as an organizational change agent. CISOs have long lamented about their desire to drive information security closer to the business. Well, cloud computing provides a perfect opportunity to force this change. Cloud security policies, controls, and even application security can be far more effective if they are integrated into early stages of business planning and application development lifecycles. ESG has found this to be true in practice – cloud computing leaders tend to have security baked into disciplines like DevOps and data center operations rather than bolting on security controls once cloud-based workloads are already deployed.

3. Consider cloud security as a tabula rasa. ESG has noted that organizations tend to struggle when they try to force fit traditional security controls into cloud computing. Often, they end up wasting time, scrapping these efforts, replacing traditional controls with cloud-centric controls, and then struggle to catch up with cloud proliferation. Yes, it’s worthwhile to try to emulate existing best practices with cloud security but smart CISOs will approach this with an open mind and look for the best security controls that gracefully support the nuances of cloud security out-of-the-box.

4. Look for help. While the cloud is still new and scary to a lot of cybersecurity professionals, cloud popularity has produced a growing population of cloud security specialists. CISOs should do a lot of background checks on their vendors by grilling management, field engineering, and reference accounts. With the right level of due diligence, you’ll be able to separate the helpful and real cloud security specialists from a long line of posers. 

Thursday, 14 December 2017

The New McAfee

The New McAfee, ISC2 Tutorials and Materials, ISC2 Guides

I’ve worked with McAfee for a long time – from its independent days, during the Network Associates timeframe, through financial issues, back to McAfee and the go-go Dave DeWalt era, and finally as Intel Security.

To be honest, Intel’s acquisition of McAfee was always a head scratcher for me. The 20-somethings on Wall Street crowed about Intel cramming McAfee security in its chip set but this made no sense to me – Intel had long added security (and other) functionality into its processors with lukewarm market reception. The two cultures were a mismatch as well. Ultimately it seems that Intel came to a similar conclusion and recently spun out McAfee in a private equity stew.

The New McAfee, ISC2 Tutorials and Materials, ISC2 GuidesSo, what are the prospects for McAfee this time around? Like comedy, timing is everything when it comes to financial markets, customer demand, and market opportunity. The new McAfee starts its comeback in a robust $100 billion+ cybersecurity market where customers want help, vision, and leadership from their cybersecurity vendors. McAfee has a few real strengths it can deliver to this hungry market including:

1. A strong integration story. While the whole concept of a cybersecurity technology architecture seems relatively new to most vendors, McAfee has invested in product integration for several years. Rather than glue its products together with some monolithic code, McAfee integration is anchored by cybersecurity middleware like its Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL). McAfee even offers an open source flavor called open DXL as security middleware for non-customers. Armed with its middleware, McAfee can pull its own or 3rd party products together to build an enterprise-class security operations and analytics platform architecture (SOAPA) and add value for customers as they integrate point tools into a common architecture over time.

2. An anchor product. McAfee ePolicy Orchestrator (ePO) has been a cybersecurity professional staple for a number of years with its ability to aggregate policy management, operations, and reporting for endpoint security. Sure, ePO has taken its lumps over the past few years but the installed base remains, creating an opportunity for McAfee to reach out to customers and upsell additional integrated products beyond the endpoint alone.

3. A comprehensive product portfolio. Yes, McAfee jettisoned its firewall business a few years ago, but its remaining products cover a wide spectrum of security needs including endpoint security, IDS/IPS, email security, web security, vulnerability scanning, SIEM, etc. Furthermore, McAfee still has its Security Innovation Alliance (SIA) partners who can plug into TIE and DXL and fill any remaining product gaps.

4. A marquis brand. Fortunately for the company, cybersecurity professionals have long relationships and generally positive feelings about the McAfee brand. Yup, McAfee is still equated with cybersecurity leadership rather than erratic and troublesome behavior in Belize by company founder John McAfee.   

McAfee is well positioned to become a cybersecurity architecture nexus at the right time. According to soon-to-be-published ESG research, 64% of enterprise organizations (i.e., more than 1,000 employees) are consolidating the number of vendors they do business with. This gives McAfee the opportunity to leverage its strengths, expand its footprint with existing customers, and pitch an architecture to prospects.

I do believe McAfee could capitalize on its market opportunity but there is still plenty of work ahead to achieve this position. McAfee lost a lot of good people (and market momentum) during the Intel years as it focused on internal operations rather than market-facing strategy. To rebound, McAfee must:

1. Regain its leadership moniker in endpoint security. While McAfee took its eye off the market, an army of aggressive next-generation endpoint security vendors swooped in, castigating McAfee as a legacy signature-based AV player. The company has updated its product suite but few customers know this. To protect and even grow its base, McAfee must push back with aggressive marketing communications, channel programs, and customer incentives.

2. Sell C-level solutions rather than the product Du Jour. The Intel years were especially unkind to the McAfee sales organization – there was massive attrition and channel partner churn which resulted in limited customer facetime. Furthermore, the old McAfee salesforce was coin operated, pitching whatever product the customer had budget for at the time. This won’t work when the salesforce is asked to sell a SOAPA story that involves longer-term project planning for increasing ROI and security efficacy through project phases. McAfee must invest in senior sales reps and engineers who can work with CISOs and technicians on step-by-step SOAPA rollouts, customized for business process and industry needs.

3. Own the small enterprise market. While McAfee has some remaining work before its SOAPA architecture appeals to Fortune 50 companies, its story could really resonate with smaller organizations with limited cybersecurity skills and staff. This massive market opportunity should be a priority for McAfee in the short-term.

4. Invest in cloud security initiatives. McAfee has some cloud security products but it is late to the party. It needs to be extremely aggressive here to establish a base before it’s too late. ESG sees cloud and software-defined security controls eating away at traditional security products and sales so McAfee’s existing base is in play.

5. Double-down of services. McAfee is one of the largest cybersecurity vendors, but others at the top of the pyramid (Cisco, IBM, Symantec, etc.) offer broader and deeper managed and professional security services. Why? Because customers need help. McAfee should look for an acquisition here soon.

Finally, McAfee must hit the road and visit its biggest customers who felt neglected at times during the Intel years. CISOs at these companies need some schmoozing and details about McAfee’s vision, innovation, and investments for the future. McAfee will also need to communicate clear 6, 12, and 18 month goals and then report to the market on progress. If McAfee can meet or exceed its goals, the sky is the limit.

Tuesday, 12 December 2017

New Research Confirms the Cybersecurity Skills Shortage Is an Existential Threat

CyberSecurity Skill, Cybersecurity Guides
I’ve been writing about the cybersecurity skills shortage for 7 years, clucking like a digital "chicken little" to anyone who would listen. If you’ve followed my blogs, you probably know that ESG research from early 2017 indicated that 45% of organizations said they have a problematic shortage of cybersecurity skills. This data represents large and small organizations across all geographic regions so the cybersecurity skills shortage can be considered a pervasive global issue.

I’ve noticed that most people interpret the ESG (and other) data about the cybersecurity skills shortage from a jobs perspective. In other words, they view the skills shortage as a situation where there are more cybersecurity jobs available than there are people to fill them.

CyberSecurity Skill, Cybersecurity Guides

While this is true, it minimizes the scope of the problem at hand. Rather than simply focus on the jobs deficit, we need to understand the wide-ranging ramifications the cybersecurity skills shortage is having on the cybersecurity community, the organizations they work for, and society at large.

ESG set out to look at these issues through a research project conducted in collaboration with the Information Systems Security Association (ISSA). For starters, we asked 343 cybersecurity professionals (and ISSA members) whether the cybersecurity skills shortage has had any impact on the organizations they work for. Twenty-seven percent of survey respondents say that the skills shortage has had a significant impact on their organization while another 43% say that the cybersecurity skills shortage has had somewhat of an impact.

Taken together, 70% of organizations were affected by the cybersecurity skills shortage, but what is the real impact here? Here’s how cybersecurity professionals answered this question:

63% say that the cybersecurity skills shortage has led to increasing workload on the existing staff. No surprise here but think about the consequences like an overwhelmed cybersecurity team, high burnout rates, human error, and the Peter principle at work.

41% say that they’ve had to hire and train junior employees rather than hire people with the appropriate level of skills needed. This is an admirable and creative effort but it also translates to a lengthy skills gap time frame while junior employees get up to speed. In the meantime, risk increases, attacks go undetected, and problems go unresolved.

41% say that the cybersecurity staff is forced to spend a disproportional amount of time on high-priority issues and incident response with limited time spent on planning, strategy, or training. Think of the cybersecurity team as firefighters with new blazes constantly starting across IT. It would be difficult for anyone to maintain this pace for long. Meanwhile, organizations have no time for proactive measures to improve cybersecurity efficacy, streamline operations, or mitigate risk. This means they aren’t prepared for emerging threats and continue to rely on a culture of emergency response.

 39% say that the cybersecurity staff has limited time to work with business units to align cybersecurity with business processes. You’ve heard the rhetoric that "cybersecurity is a boardroom issue"? The ESG/ISSA research says that this is far from universally true. To this day, too many business leaders opt for "good enough" security and don’t work collaboratively with the cybersecurity team. Oh, and this research suggests that the cybersecurity skills shortage only exacerbates the infosec/business gap.

 39% say that the cybersecurity skills shortage has led to a situation where cybersecurity professionals are unable to learn and/or fully utilize their security technologies to their full potential. This indicates that organizations are purchasing new security technology and then are too busy to use them correctly. Hmm, not much ROI here.

To summarize, the cybersecurity skills shortage is having an impact on people (i.e., overwhelming workload, limited time for training, etc.), processes (i.e., limited proactive planning, limited time to work with business units, etc.) and technology (i.e., limited time to customize or tune security controls, etc.). In aggregate, all of us are being protected by an understaffed and under-skilled workforce and the data suggests that things are only getting worse.

I’ve said it before but allow me to assume the role of "cyber chicken little" again: The cybersecurity skills shortage represents an existential threat to our national security. As an industry, society, and community, we must stop pussyfooting around this issue and work together toward some real solutions.

The ESG/ISSA report is available for free download here. We’ve made the report free for download because we truly believe that these issues need more attention and it is our goal to use this research to facilitate a broader discussion. I’ll also be blogging religiously about this data for a while.

Friday, 8 December 2017

Phased Process for Cloud Security

Cloud Security, CyberSecurity, ISC2 Certifications

What we’ve noticed is that many organizations tend to track through a pattern of actions as their organization embraces public cloud computing. The sequence goes through the following order:

1. The pushback phase. During this period, CISOs resist cloud computing, claiming that workloads won’t be adequately protected in the public cloud. This behavior may still occur for late-comers or very conservative firms but the cloud computing ship has definitely sailed at most large enterprises. In other words, CISOs aren’t given an out clause--rather, they must figure out how to secure cloud-based workloads whether they like it or not.

2. The traditional security phase. When organizations toe-dip with public cloud computing, security teams tend to try and secure cloud-based workloads using the same security monitoring and enforcement tools they use internally – firewalls, proxies, AV software, network analytics, etc. According to ESG research from 2016, 92% of enterprise organizations use their existing security tools for cloud security to some extent. The problem here is obvious – traditional security technologies were designed for physical devices, on-premises logs, system-centric software, and ingress/egress network traffic, rather than the ephemeral constructs of public cloud computing. This mismatch generally results in outright failure – 32% of enterprises have abandoned traditional security technologies because they couldn’t be used effectively for cloud security.

3. The cloud monitoring phase. Once organizations move beyond cloud security experiments with existing controls, they tend to retreat and embrace that old management maxim, ‘you can’t manage what you can’t measure.’ During this phase, security teams deploy monitoring tools to get a complete picture of cloud-based applications, data, and workloads, as well as the connections amongst all cloud-based assets. This can be quite enlightening, as few organizations have a clear, concise, and complete understanding on what’s running in the cloud at all.

4. The cloud affinity phase. Armed with a map of all cloud-based assets, smart security teams make sure that further security actions align with cloud computing “owners” – software developers, DevOps staff, and data center operations. The goal? Coordinate security technologies with development models, provisioning, and orchestration tools like Chef and Puppet so security can keep up with the pace and dynamic nature of cloud computing. Note that this phase is a bit of a detour from pure cloud security monitoring and policy enforcement but leading organizations claim it is a worthwhile diversion for establishing collaboration and security best practices.

5. The cloud security controls phase. Security groups then work with cloud developers and operations in order to include security controls into provisioning and operations. Security tends to start with workload segmentation and move on to more advanced controls (host-based security, threat detection, deception, etc.). It is worth noting that some innovative cloud security tools are bridging the controls phase and the monitoring phase. They monitor the cloud, profile all assets, and then suggest policies based upon application type, data sensitivity, or logical connections. This bridge can really help accelerate cloud security policy management.

6. The central policy phase. We’ve only seen this from leading edge organizations but it’s likely a sign of things to come. Once organizations get accustomed to the flexibility and dynamic nature of software-defined cloud security technologies, they move on to:

A. Aggregating cloud security tools. For example, they may choose one tool (rather than two specialty tools) for micro-segmentation and host-based controls. This reduces complexity and provides central policy and control.

B. Replace traditional tools with software-defined tools. For example, we’ve seen organizations abandon traditional firewalls within data centers in favor of software-defined micro-segmentation tools. This strategy can lead to millions of dollars in capital cost savings while centralizing all segmentation policies. I’ve seen a few enterprise network segmentation projects with the goal of using software-defined micro-segmentation to replace firewall rules, switch-based ACLs, etc. Ambitious? Yes, but successful projects could simplify security operations and save lots of dough.

A few final pointers based upon what we’ve learned: Enterprise organizations would be wise to avoid dead ends and skip directly to phase 3. This could save months of frustration and help security teams catch up to cloud owners quickly. For technology providers, the goal should be a consolidated cloud security technology portfolio with strong, enterprise-class central management capabilities. 

Tuesday, 5 December 2017

The Problem with Collecting, Processing, and Analyzing More Security Data

Security teams collect a heck of a lot of data today. ESG research indicates that 38% of organizations collect, process, and analyze more than 10 terabytes of data as part of security operations each month. What types of data? The research indicates that the biggest data sources include firewall logs, log data from other types of security devices, log data from networking devices, data generated by AV tools, user activity logs, application logs, etc.

Securitu Data, Processing and Analyzing, ISC2 Tutorials and Materials, ISC2 Certifications

It’s also worth mentioning that the amount of security data collected continues to grow on an annual basis. In fact, 28% of organizations say they collect, process, and analyze substantially more data today than two years ago, while another 49% of organizations collect, process, and analyze somewhat more data today than two years ago.

Overall, this obsession with security data is a good thing. Somewhere within a growing haystack of data there exist needles of value. In theory then, more data equates to more needles.

Unfortunately, more data comes with a lot of baggage as well. Someone or something must sort through all the data, interpret it, make sense of it, and put it to use. There’s also a fundamental storage challenge here. Do I keep all this data or define some taxonomy of value, keep the valuable data, and throw everything else out? Do I centralize the data or distribute it? Do I store the data on my network or in the cloud? Oh, and how do I manage all this data: RDBMS? Elastic search? Hadoop? SIEM?

Let’s face it, security is a big data application so it’s time that the security industry and cybersecurity professionals come together, think through security data problems, and come up with some communal solutions.

Allow me to make some suggestions along these lines:

1. We need to double down on data normalization. Yes, we have some standard formats from organizations like MITRE (i.e., STIX, TAXII, the CVE list, etc.) but the common complaint is that these standards are complex and mostly used in the US Federal Government. We need to create simple standard data envelopes that can be used on most if not all security data. As an example, look no further than Splunk, one of the leading SIEM platforms. If you want to maximize your return on Splunk, the company recommends that you normalize all data using the Common Information Model (CIM) standard. This makes it easier to search, contextualize, and correlate data elements from disparate systems. What we need as an industry is for all security data to adhere to a model like CIM out of the box, making things easier for everyone.

2. All security data should be available through standard APIs. Aside from a common format, all analytics tools, SaaS offerings, and data repositories should provide functionality for data import/export through standard APIs. Here’s a use case of what I’m thinking of: I have SIEM and network analytics tools on my network but I outsource EDR and threat intelligence analytics to SaaS providers. When my SOC team detects a security incident, they should be able to analyze all data from all sources instantly through any tool (or multiple tools) they want to use. We need real-time data import/export through standard APIs to make it easy to ingest data as necessary in real time.

3. Enterprises need a distributed security data management service. In today’s security operations environment, the same data is collected and processed multiple times in different analytics tools.  This is extremely wasteful. To bolster the efficiency and effectiveness of security data, all security telemetry should be collected, processed, normalized, and made available through a distributed data management services. To be clear, the data isn’t analyzed here. Instead, it is presented to all types of analytics tools through standard interfaces in a common format. This security data management service should also take care of base level maintenance and security activities like backup/restore, archiving, data compression, encryption, etc. It’s likely that a distributed security data management service would store some data on-premises and then automatically age and archive other data to cheaper storage (tape, cloud, etc.). Note that a distributed security data management services is a one of the layers of ESG’s SOAPA

4. CISOs must embrace artificial intelligence and machine learning. Given the growth of security data volume, the number of humans who know what the data is, where to get it, what it means, and how to piece it all together is exceedingly small and getting smaller. You could postulate that we’ve actually crossed the line where no human can do this effectively anymore and it would be hard to argue otherwise. It’s time that we let machines do a lot of the multi-layer data analysis, summarize the data for human consumption, and then let people make the difficult choices on what to do next. The good news is that there is a lot of innovation around AI for security and many solutions have reached a point in their evolution where they can be quite useful. The bad news is that there is way too much hype in the market (thanks to the phat cats on Sand Hill Rd.). Recommendation for CISOs: Caveat Emptor for sure, but put ample resources into research, RFIs/RFPs, and proof-of-concept projects.

5. Automate whatever you are comfortable with--and more. Anything that can be automated should be automated. This includes data collection, data normalization, data distribution, data analysis, and automated remediation. Humans should be relegated to the very back-end of the security data cycle, focusing on problematic investigations and decision making.

Let’s face it, well-intentioned security teams are being buried by data today. They go through heroic efforts and do what they can but there is an obvious and logical outcome here: As security data volume grows, security professionals will only be able to derive an incremental amount of value. You could even theorize that additional operational overhead from more security data could actually decrease the value of more data – I see this happening in enterprises today.

To make this data more powerful, we need to make it easier to consume, analyze, and operationalize. It will take the security industry and cybersecurity professionals working collectively to make this happen.

Thursday, 30 November 2017

(ISC)² Endorsement Demystified

Following the jubilant moment of finding out you have achieved a passing score on your (ISC)² exam, you’re now ready for the endorsement process – but what does that actually mean? First, believe us when we say that the hard part is over! You’ve already passed the exam, and there’s no reason to be anxious or delay your endorsement. Especially if you’ve heard any of the endorsement myths below we are about to bust.

(ISC)² Endorsement Demystified

1. Endorsement isn’t important


It sure is! Becoming a certified member of (ISC)² is more than simply passing an exam, no matter how rigorous and challenging that exam may be. Earning your certification requires a certain amount of verifiable work experience – unless you’re an Associate of (ISC)² working toward full certification. Endorsement verifies the work experience you have listed is accurate and relevant. The endorser also confirms that you are a professional in good standing within the industry and will be able to uphold the (ISC)² Code of Ethics.

2. Endorsement requires a lot of paperwork


Nope! Beginning in August of 2016, the endorsement process is completely paperless! We took your feedback to heart and long gone are the days of faxing or mailing resumes and letters. Now you can do the entire process directly through isc2.org.

3. Endorsement takes forever


Not so fast! The process only takes six weeks! Once your endorsement application is received by (ISC)², the review process is completed in less than two months. You’ll be notified as soon as it’s complete and can shout your fully certified membership status from the rooftops.

4. You need to know a member to endorse you


We can help you there! If you don’t know any (ISC)² members in good standing, getting endorsed may feel like a challenge, but it doesn’t have to be. (ISC)² – yes, the organization itself – can act as your endorser. You’ll be able to choose this selection in your online endorsement form. If you do know a member you’d like to endorse you, you’ll need to provide their last name and member number.

5. If you don’t pass the endorsement process, you have to retake the exam


Another myth busted! When you start the endorsement process, you’ll be able to choose if you’re pursuing Associate of (ISC)² status, or to be fully certified. If you select fully certified, but don’t have the required experience to pass the endorsement process, you will still be able to become an Associate. At that time, you’ll have several years – the number depends on the certification – to earn the required experience and submit your endorsement again. Don’t worry, your passed exam remains valid during this time.

The endorsement process is easy, especially in comparison to the challenge you’ve just overcome in passing an (ISC)² exam! Once you pass, you have nine months to complete the endorsement process to become either fully certified or an Associate of (ISC)². We will always communicate any updates during the process with you via the primary email address in your (ISC)² profile.

Thursday, 23 November 2017

SSCP Spotlight: Marco Fernandes

SSCP Spotlight: Marco Fernandes

How did you decide upon a career in cybersecurity?


I grew up with a love of technology and cybersecurity, along with a curiosity for business. So when I got to college, I wasn’t sure what I should major in. My brilliant brother, Roger Fernandes, encouraged me to pursue a degree in Business Computer Information Systems (BCIS). After seeing news of so many hacks and data breaches, I knew our country needed more security professionals, thus I decided to become one. I started out as an IT analyst in the defense industry, and now I design enterprise level security solutions for clients.

Why did you get your SSCP®?


Leadership had challenged my department to obtain this credential. It was one of our annual performance goals. I was the first and only person on the team to achieve the SSCP, and I did this six months ahead of our deadline, which not only proved my knowledge, but also that I was willing to go above and beyond in meeting any goals given to me.

What is a typical day like for you? 


As Lead Security Architect, I design security solutions for corporations and governments. Every day is different, but a typical day involves analyzing and responding to requests from clients and internal teams, meetings with clients and business partners, designing the right solutions based on requirements and compliances, and ultimately presenting and getting approval from C-Level executives and decision makers.

Can you tell us about a personal career highlight? 


A personal career highlight for me was when I traveled to New York and California for business trips. It was early in my career, and management had chosen me to go out to these sites to improve relations and close some business deals. It was a fantastic experience working and bonding with the team, and getting to use my knowledge and skills to truly make a difference with major corporations.

How has the SSCP certification helped you in your career?


The SSCP has helped me better understand how certain aspects of information security, processes, and different roles come together in an organization. It’s given me knowledge that is applicable in so many different ways career wise, and I’m able to leverage that, especially when dealing with clients.

What is the most useful advice you have for other information security professionals?


My advice is to be patient, as security is an extremely broad topic and it is constantly evolving with new technologies and threats. You won’t become an expert overnight. Such things will only come through many years of professional experience. Working in information security can be quite stressful at times, so I think it’s very important to relax and take some leisure time as it helps reduce stress and relax the mind, thus enabling you to focus and innovate better after recharging your batteries. In my free time, I enjoy watching WWE wrestling, watching Gotham, and playing card games.

As passionate as I am about information security, I also care deeply about what’s happening in our world and especially my community. I’ve done a lot of community service, mentored youth, etc., I plan on running for public office someday.

CISO vs. CIO: Turf War Casts Shadow Cybersecurity

While I certainly applaud any effort to create an inclusive cybersecurity culture – and Matt has some great suggestions on how to do so – I believe most organizations simply are not ready. To build on Matt’s seatbelt analogy, we’re buckling ourselves into a car seat that’s not yet bolted to the frame.

(ISC)², CISO vs CIO, Cybersecurity, Cybersecurity Career, IaaS, ICT, IT, IT Security, IT Security Career, IT/ICT, PaaS,

Let me explain. We still have a great deal of work to do at the operational levels of most organizations that stems from a fair of amount of US vs. THEM within IT/ICT and cybersecurity teams often fueled from top-level conflict between CIOs, CTOs and CISOs.

There I said it. I don’t draw attention to it easily or carelessly. I say this based on my own experience and the experience of those I have mentored over the years. In far too many organizations, cybersecurity remains a poorly defined discipline with unclear boundaries and areas of responsibility. Despite these organizational headwinds, IT/ICT and cybersecurity professionals are doing their best every day to keep businesses moving, minimize risk and secure their data. I like to call this unofficial collaboration at the operational levels Shadow Cybersecurity.

While the concept of Shadow IT is by and large interpreted negatively, I view Shadow Cybersecurity in a positive light. Throughout my career in IT leadership positions, I was no stranger to hunting down rouge IT efforts in the shadows of the organization that ran counter to our enterprise architecture, policies, standards and procedures. These Shadow IT challenges remain today, and frequently occur when IT is viewed as unresponsive or not fast enough in delivering on business and mission requirements. This is not unlike the perception that cybersecurity slows progress and too frequently says ‘no.’ IT/ICT and cybersecurity face the same challenge in that they are often viewed by others in the organization as inhibitors vs. enablers.

Admittedly, I'm a bit old school. I came up during a time when cybersecurity was under the umbrella of Information Assurance, along with information security versus the all-encompassing definition of cybersecurity that's evolving today. However, contrary to what my wife might say, I've learned to adapt to the perpetual naming convention changes. So at the risk of demonstrating unbounded hypocrisy, I'd like you to consider the concept of Shadow Cybersecurity.

Those of us who came up through the Information Resources Management (IRM), CIO and CTO ranks had some level of cyber, information, software and infrastructure security responsibilities that were inherent to our area of responsibility. Today, the IT/ICT workforce still retains what I'll refer to as collateral cybersecurity responsibilities. IT/ICT staff are still responsible in many organizations for hardening mobile devices, laptops, storage devices and servers that are on premise and in the cloud under Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) cloud deployments. IT/ICT workers may never be interested in or consider themselves cybersecurity professionals, but it's likely for the foreseeable future that IT/ICT workers will continue to be the unofficial force multiplier for the CISO function. They often turn the nuts and bolts of the organization’s cybersecurity policy, standards and procedures, whether they get credit for it or not.

For the purposes of this discussion, I'm referring to this type of workforce multiplier effect that IT/ICT can have on enterprise cybersecurity as Shadow Cybersecurity. In this case, these IT/ICT workers have not gone rogue working in the shadows without oversight. They represent a hardworking community that cannot be overlooked by CISOs. The may never work for the CISO; they may never consider a pure play cybersecurity position, but they can and often are contributing in positive ways to the overall enterprise security posture.

Providing serious education and certification opportunities for these individuals can help establish a lexicon of understanding and best practices that build bridges and can lead the operational areas of an organization toward the cybersecurity culture Matt describes. In my view, IT/ICT has and will continue to cast a long shadow. With the right leadership and unified perspective, these resources can have a very positive effect and compounding impact on securing the enterprise.

Whether you're an IT/ICT professional or pure cybersecurity professional, I believe we all hope for the cybersecurity culture that Matt describes. However, I think we tend to focus too much on getting upper management, the C-suite and the board of directors onboard. We still need to continue to actively improve the relationship between CIO and CISO functions. Granted, sometimes the CISO works for the CIO, and I have heard of arrangements that are working. More often than not, I hear there's still relationship management and turf challenges. Do we really find that surprising? Was it surprising when the CIO positions started to emerge in organizations in the 1990s and the challenges of getting the right line authority surfaced? Are we surprised that the CISO role is still often too far down the organizational chart to have the authority needed? Will the CISO ever have the type of carte blanche authority they feel they need? Arguably not; so like the evolution of the CIO, the CISO needs to build rapport and find ways to advance the organization’s cybersecurity program. It may happen in some organizations, but it's unlikely in my view that the CISO will ever have line authority over all IT/ICT resources. Consequently, the concept of Shadow Cybersecurity is one a CISO should consider embracing and leveraging. Doing so can provide for the force multiplier effect that I've described. Granted, some organizations are already on their way, but others are just scratching the surface.

That's my attempt to shine some light on the concept of Shadow Cybersecurity as an organizational dynamic that, if treated properly, can have a positive impact on an organization’s cybersecurity operational readiness and culture. Establishing a common lexicon and best practices between CISO and CIO resources is paramount. For practitioners, working in the shadows isn't always a bad thing. Sometimes it means you're providing complementary, but sometimes unrecognized contributions to something inherently bigger than self like cybersecurity. To all the IT/ICT professionals providing Shadow Cybersecurity in accordance with best practices, thanks for your contributions to a safe and secure cyber world.

Tuesday, 21 November 2017

Leadership Problem: Cybersecurity Poorly Understood by Top Management

Organizational culture typically takes shape as a result of decisions and actions by top management, who are responsible for setting vision, values and practices. When leadership doesn’t understand something, it shows in how the organization handles that particular area.

ISC2 Tutorials and Materials, ISC2 Cybersecurity, ISC2 Guides

When it comes to IT security, research by (ISC)2 reveals a tepid commitment to investing in a strong security stance, both in the areas of technology and human resources. Too often, cybersecurity teams are short-staffed, lack the resources they need to handle a cyberattack, or aren’t given the responsibility to fill a more proactive role in protecting company data and networks.

About half of participants in (ISC)2’s 2017 Global Information Security Workforce Study, consisting of IT professionals in charge of security at enterprises and government agencies, say their organization’s leadership is responsible for this situation. The study participants are the people in the front lines of their organization’s cybersecurity defenses.

Based on the results, it’s fair to say there is a leadership problem – at least in some organizations – in matters related to security. Considering the intensity and frequency of recent cyberattacks, this is a troubling state of affairs. The less leaders understand about the current threat landscape, the more likely they are to expose their organization to attack.

Hiring Practices


Leadership currently lacks a good understanding of cybersecurity requirements, according to 49% of participants in the (ISC)2 study. As a result, leaders too often ignore advice from their IT staff regarding security and don’t invest enough in training and certifications, with only 34% of employers paying in full for cybersecurity training.

Leadership’s attitude also seems to affect hiring practices. The study revealed a disconnect regarding what skills are sought vs. which are actually needed. While communications and analytical skills ranked as top skills and competencies by hiring managers, cloud security and risk assessment are what front-line professionals say their organizations need.

Asked about candidates’ qualifications, survey participants emphasized recruiting candidates with relevant security experience (93%) and knowledge of cybersecurity concepts (92%). While understandable, these hiring requirements may be somewhat unrealistic. Even experienced security professionals require constant refresh as the threat landscape rapidly evolves, with 400,000 new malware samples released daily.

No Change in Sight


Unfortunately, it doesn’t appear the attitude toward cybersecurity is about to improve in the immediate future. For instance, 40% of survey participants said they expect their amount of security training and education to remain the same over the next year. About half (42%) expect it to increase.

While only 5% said they expect it to decrease, what we need to see overall is an upward trend. If survey participants are correct that leadership needs a better understanding of cybersecurity, these numbers aren’t encouraging.

Robust cybersecurity is going to require a great investment in people and technology going forward, especially as the attack surface grows thanks to IoT. Achieving that robust stance will take stronger leadership in regards to cybersecurity.

Thursday, 16 November 2017

ISO 27001 – Between the Reality and the Myth

ISO 27001, ISC2 Tutorials and Materials, ISC2 Certifications, ISC2 Learning

It seems like yesterday, but actually it has been over 13 years, since I obtained my ISO 27001 Lead Auditor certification and started travelling from country to country around the Middle East, preaching the benefits of ISO 27001 certification and its importance to companies that are looking to secure their information assets.

I admit it was (and still is) very tough to convince organizations and their management to walk the difficult path towards ISO certification by adopting ISO 27001 security standards as company policy.

Unfortunately, people tend to be skeptical and raise the same questions over and over:

◈ How much would ISO enhance our security level?
◈ Will our company become immune against hackers and other forms of fraudsters?
◈ Is it a reality or just a myth?

People are right to be skeptical. Achieving ISO-level security standards does involve hard work and some expense; however, we cannot forget the pain suffered by organizations being hit by cyberattacks. Not a single day goes by without a new story about a cyberattack: Yahoo, Equifax - even the professionals are getting breached. Is there any cure?

Of course, there is no formula or cure all to stop the hacking activities in the world, but we cannot stand still and do nothing.

With this in mind, companies must adopt a security program based on international standards. Today I still propose ISO 27001 for the following reasons:

◈ ISO 27001 is the only auditing specification for information security management systems
◈ ISO 27001 is a process to develop and implement an information security management system (ISMS)
◈ ISO 27001 is a management tool
◈ ISO 27001 is comprehensive with 114 controls – represented as form of Annex A –spread over 12 security domains
◈ The ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization

ISO 27001, ISC2 Tutorials and Materials, ISC2 Certifications, ISC2 Learning
Organizations must adhere to the ISO’s standard to gain certification, which consists of complying with all clauses (requirements) enumerated 4 to 10 and the Annex A.

Certification is not an insignificant task. It’s worth understanding the breadth of requirement from the outset. An organization will be required to: 

◈ Devise information security policy for the organization
◈ Identify the assets
◈ Classify the assets
◈ Apply controls
◈ Operationalize process
◈ Audit process
◈ Corrective action
◈ Management review

In addition to complying with the standards clauses, there are other specific activities that need to be completed:

◈ Phase I: Initial review & gap analysis
◈ Phase II: Awareness training
◈ Phase III: Identification of assets & risk assessment
◈ Phase IV: Planning & building ISMS
◈ Phase V: Internal Audit
◈ Phase VI: Pre-certification & certification

Once you complete the rigorous review, you will then earn a certificate which is valid for a period of three years. It is worth noting that an ISO 27001 certification will be separate from any other management systems certificate. It can also be subject to suspension, cancellation or withdrawal within the three years.

After exploring the ISO 27001 security standards, do you consider the benefits they offer a reality or myth?

Tuesday, 14 November 2017

Mobile Payment Systems: Disruptive Development and Cuber Risks

Two fundamental shifts in traditional payment methods are changing the landscape of spending. Emerging blockchain-based currencies and alternative payment channels are disrupting time honored cash and credit card-based transaction service providers. Enabling cheap transactions when traditional banking services are expensive is critical for supporting business growth, especially in the developing world, where banking services are not always cheap or available. At the same time, ensuring appropriate privacy, security and confidentiality, as well as the (lack of) disclosure level that customers are demanding, mandates innovation in a very conservative industry.

ISC2 Guides, ISC2 Tutorials and Materials

The race is on! At stake is the 300 USD (present value) global financial market.  The winner will reap significant market share, and rewards, and will need to successfully balance disclosure with security, integrity with flexibility and keep up with both customer needs and a dynamic technical environment.

The existing payment structures (such as credit card, SWIFT and local EFT/Check) are showing their pale underbelly in developing markets, like Kenya, where their inability to penetrate the marketplace and develop a customer base has given alternative payment service providers a huge opportunity. Safaricom’s M-PESA (mobile payment system) has become the countrywide economic backbone. When I last visited there, I asked a colleague to pay for my airport car with M-PESA, because the driver preferred it to banknotes. As the traditional banking system did not penetrate the market, Vodafone was able to create a structure that can charge up to 3% per transaction (risk free money!) to happy customers. Traditional credit card-based payment systems also carry significant infrastructure costs that end up adding up to a 7% cost for each transaction. While presently extremely convenient and easy to use, existing payment structures are open to disruption, due to their high fees.

A completely automated accounting structure, that was both self-contained and distributed to anyone who wished it, could enable significant cost savings over any existing structure that had overhead – like our present credit card-based spending system. Does such a distributed structure exist? Of course! It’s called a peer2peer network. Within this peer2peer network, we would need to keep track of every measure of value that was in our system, as well as let the other value holders know whenever it was spent, as well as who now owned it. How might we build this distributed, internally consistent and updating database? Blockchain technologies could be the foundation. A distributed ledger node that every stakeholder could keep a copy of would be the starting point. This node could start with a finite number of a single set of value, let’s call it a Kaya. The system would start by selling a finite number of Kayas, and this initial sale would be called an Initial Kaya Offering. Each sale would need to be verified, and this is where things start getting tricky. How can we ensure that each sale is genuine? The only way is for all of the ledger holders to agree to a specific set of circumstances that they will always accept as a valid transaction. Designing a mathematically challenging proof (such as creating a hash of the existing ledger, present transaction and owner with SHA-256 and only accepting a hash that starts with a specific number of zeros) that a Kaya miner would need to complete, in order to both book the transaction, as well as gain a Kaya for itself could be an adequate Proof of Work (PoW). A completed transaction could then be sent as an update of the PoW to all distributed ledger nodes. This updated blockchain might contain both the previous transaction, as well as the new Kayas’ owner I.D. As time went by and Moore’s Law progressed and enabled faster PoW, we could make the PoW more complex (such as a SHA-256 that started with a greater number of zeros). As the complexity of the PoW increased, faster CPUs optimized for graphical calculations could enable higher profitability for the enterprises that mined Kaya. More CPUs running concurrently in close proximity might create economies of calculating scale. Size would fuel growth. Production limits and profitability could go as far as the existing physical electrical grid could fuel it. Remote areas that offered both subsidized electricity and a cool operating environment (like Mongolia and Western China) could become competitive globally at mining Kaya. As the size of the distributed ledger and number of concurrent Kaya transactions grew, the updated blockchain could start to bottleneck the system. Ledger node rich regions might have faster update times and drive demand. As more Kaya transactions were completed, they could press for a longer update blockchain that would place remote Kaya miners at a network latency/competitive disadvantage. Conversely, a longer blockchain could enable faster transactions and growth.

The challenge of predicting further growth in blockchain-based monetary systems is limited by their present limited capacity. Existing architectures are not scaled to securely carry our world’s financial markets. A good part of the world’s electrical production would be needed to support present blockchain-based structures in processing today’s global transaction load.

Emerging payment methods can enable low cost financial services and will also present new governance, security and availability challenges as they grow.

Creating the next generation blockchain that can both scale and disrupt existing monetary systems will mandate unprecedented governance, that is both integrated into its architecture and completely transparent. Counterparties will be able to make each transaction as public or as private as they wish it to be. Is there a need for financial auditors when an organization’s every transaction is completely visible? How can a government tax transactions that they don’t know about and can’t detect? Who decides whether to grow the updated blockchain size? 

Which of the stakeholders (such as the node rich regions, remote miners, coders, investors, researchers, government entities) might inspire the consensus needed to move forward?

Saturday, 11 November 2017

Introducing (ISC)² EMEA ISLA 2017 Finalist: Melanie Oldham

ISC2 Tutorials and Materials, ISC2 EMEA

This year marks the first ever (ISC)² EMEA Information Security Leadership Awards (ISLA), a chance for our community to recognise fellow information security and management professionals going the extra mile to enhance security across Europe, the Middle East and Africa.

Overall, we received a staggering number of impressive submissions, over 200, and these were shortlisted down to our finalists by our judges, members of the Europe, Middle East and Africa Advisory Council (EAC). Winners will be announced at our Secure Summit UK on 12 December 2017. In the meantime, we will be sharing their stories on the blog. Here is the third installment:

ISC2 Tutorials and Materials, ISC2 EMEAMelanie Oldham, Managing Director of Bob's Business (United Kingdom)
As founder of Bob’s Business Ltd, Melanie Oldham has gained over 10 years’ experience in the cybersecurity sector and has become a reputable and well-respected force within the industry. She also has a degree from Leeds Beckett University and previously worked in operations, event and project management at number of organisations including Mid Yorkshire Chamber of Commerce and learndirect.

Bob’s Business provides cybersecurity awareness training and phishing simulation campaigns to a broad selection of clients across multiple sectors. The organisation’s Think Before You Click campaign reduced its clients’ click rate of phishing emails by 40% in many cases; while their cybersecurity awareness training helped a number of clients to gain ISO 27001 certification. Through her work, Melanie has developed the concepts to demystify the subject of cybersecurity through the use of animation and humour - the key approach adopted in Bob’s Business’ content.

Melanie is also committed to hiring women from the local talent pool, with 40% of her employees being female. In addition, Melanie encourages collaboration with like-minded women in the cybersecurity industry through the Yorkshire Cyber Security Cluster, which Melanie founded back in 2015.

Through her passion for the local community and the wider area of Yorkshire, Melanie devotes time and resources to chair the Yorkshire Cyber Security Cluster. The Cluster is an initiative in place to encourage collaboration with like-minded information security evangelists. The aims of the Yorkshire Cyber Security Cluster are to support the members of the cluster by communicating National and International initiatives and trade opportunities, providing a networking platform to share ideas and best practice, encouraging collaboration and identifying partnership opportunities, so that small cyber security specialist businesses in Yorkshire can find new ways to grow. Additionally, it strives to support the British Government’s commitment to Cyber Security (and UK Government’s Cyber Security Strategy) by building cyber security knowledge, skills and capabilities in the region, to make businesses more resilient to cyber-attacks and for the Yorkshire region to be one of the most secure places in the world to do business.

By overseeing the growth of the Yorkshire Cyber Security Cluster, Melanie has positioned herself as the face of the human factor in Yorkshire. Monthly meetings and annual events have allowed her to connect with the local business region and communicate vital information security knowledge and campaign guidance to small businesses that may struggle for resources when it comes to security.

Thursday, 9 November 2017

Why Non-EU based Businesses may be affected by the EU General Data Protection Reguiation (GDPR)?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

ISC2 Guides, ISC2 Tutorials and Materials, ISC2 Live

The regulation was adopted in April last year. It becomes enforceable from 25th May 2018 and, unlike a directive, it does not require national governments to pass any enabling legislation; and is thus directly binding and applicable.

Interestingly, in a recent study, PwC stated that over half of US multinationals say that GDPR is their top data protection priority, with 24% of respondents planning to spend under $1 million for GDPR preparations, while 68% also said that they will invest between $1 million and $10 million. Additionally, 9% expected to spend over $10 million to address GDPR obligations.

ISC2 Guides, ISC2 Tutorials and Materials, ISC2 Live
In fact, the main reason for this is because of the extension of the territorial scope of GDPR. In order to know if as a non-EU based business you need to be GDPR compliant, according to the Article 3 of this regulation, you have three main questions to answer:


1. Is your company established in EU?


An organisation may be established where it exercises “any real and effective activity – even a minimal one” – through “stable arrangements” in the EU. Some examples of establishment:

◉ If a company has a legal representative in the EU for the purposes of providing the company’s services or sales offices in the EU promoting their products, the data processing of these entities (inside or outside the EU) is subject to GDPR.

◉ The use of a local agent (who is responsible for local debt collection and acting as a representative in administrative and judicial proceedings), and the use of a postal address and bank account for business purposes, is considered as an establishment.

2. Is your non-EU established organisation offering goods or services to data subjects who are in the Union?


Factors such as the use of a language or a currency, generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union. Some examples of offering goods or services:

◉ A non-EU company creates a global portal, with a large catalogue of a broad range of products and services that are sourced from third parties. The catalogue is accessible worldwide, and might include European languages — and possibly a currency conversion tool to see prices in Euros — thereby presumably constituting an offering to people in the EU. If personal data is exchanged through this portal, it will be subject to GDPR.

◉ If a Turkish electronic commerce company targets Turkish-speaking data subjects residing in the EU (e.g. Germany) by giving the possibility of sending goods to the EU and its website is only written in the Turkish language, then that company will fall under the scope of the GDPR, even if the Turkish language is not one of the official languages of any of the Member States of the EU.

3. Is your non-EU established organisation monitoring the behaviour of data subjects who are in the Union?


Monitoring specifically includes the tracking of individuals online to create profiles, including when they are used to make decisions to analyse/predict personal preferences, behaviours and attitudes. Some examples of monitoring:

If for security reasons, a system analyses user behaviour on a website - not only across a website's total population, but on an individual user basis. If his or her behaviour takes place within the Union, the system must be GDPR compliant.

If an e-mail service mines the content and metadata of each email message sent and received to target advertising for data subject who are in the Union, the system falls in the GDPR scope.

Every non-EU business will have to evaluate the specific details of their data processing activities in the light of these three questions and decide on the necessary steps to take. In order to help its constituents better understand these issues, the (ISC)² EMEA Advisory Council has created a GDPR Task force and developed a number of resources, including the aforementioned workshop and a downloadable overview of the 12 Areas of Activity and their key supporting tasks. You can also join us at Secure Summit Mena in Dubai to discuss your and other members’ experiences in implementing these requirements.