blog.unix-security.net

For this example let us presume that the business has stipulated that users must use digital certificates to authenticate to their application. One of the main functions of a CA is to verify the identity of the entity requesting a new certificate. If how this verification occurs is not covered in a security policy and the CA issues certificates to whoever requests them there is a risk that a rogue employee will obtain a certificate. Also a PKI is based on a trust model.  How will the business have confidence in the identity of the entity presenting the certificate when it becomes wildly known that there is no proper validation process in place to verify the identity of the certificate owner? I know that the application has to be configured to accept the certificate but the rogue employee is already half way there by obtaining a client side certificate.
Another example of how a lack of a PKI policy can be a disservice to your organisation is where a service owner requires a user or an application to present a Client Side digital certificate to authenticate to their service. We will use the certificate example above. In most scenarios an application will make three basic checks before authenticating the end user or service. It will check that the certificate has not expired, it will check that the common name (CN) is allowed to authenticate, and it will check the identity of the CN by verifying it has an entry for the issuer CN in its trust store. You might have applications that can check more fields but the example I have given you is considered the bare minimum. For this example let us presume that the application that is being configured to use Client Side certificates for authentication is not controlled by security policy. Let us say for example the developer leaves out the check for the CN of the user presenting the certificate. It only checks that the certificate has not expired and that it is issued by a trusted CA.  The end result of this would be that any certificate (with the right key usages) that has been signed by My Root CA can authenticate to this service.  This would give the business a false sense of security in relation to who can access this service. You could argue that how an application is configured to authenticate certificates should be part of an application security checklist and if so this checklist should be at least referenced in the PKI security policy.
Other things that should be considered in your security policy would be minimum key length, key usages, enhanced key usages etc.  This is by no means complete as the main aim of this blog is to demonstrate the importance of having a PKI security policy so that you can provide assurance to the business that the services that the PKI is supposed to secure does just that.
I hope you found this blog interesting. As this is my very first time writing a blog for anything I would be grateful for any feedback that will help me make my next one better. Thank you for reading this far.

By W. Hord Tipton, CISSP-ISSEP, CAP, CISA, Executive Director, (ISC)²

Last September, we held our first annual (ISC)² Security Congress event in Orlando, and the feedback we received from our members is that it was a great learning and networking experience, and that they love having an event to call their own.  As we look forward to this year’s Security Congress, set to take place in Philadelphia, Pa., U.S.A. September 10 – 13, 2012, we can expect more of the top-notch information security education given to all levels of professionals, as well as exciting sessions addressing the intersection of traditional and information security.

Once again, Congress will be colocated with the ASIS International 58th Annual Seminar and Exhibits (ASIS 2012). The two events will bring together more than 20,000 information and physical security practitioners for what promises to be a great event.  And as it did last year, the colocated events allow both (ISC)² and ASIS to better serve the entire security community by strategically aligning our organizational resources and providing access to core knowledge and best practices across the full spectrum of traditional and information security disciplines to all of our members.

With that said, a conference can only be great as its participants, speakers, and attendees.  For that reason, I would like to encourage everyone to participate in the Call for Speakers announced last month.  Speaking at Congress is not only a great way to add value and present innovative ideas that will reverberate throughout the industry, but it’s also a great way to connect with your peers.  (ISC)² is currently accepting speaker submissions for all levels of experience – from fundamental, to intermediate, to advanced information security tracks focused on:

• Compliance, Regulation & Governance
• Threats - Inside and Out
• Cloud Security
• Swiss Army Knife
• Application Security
• Mobile Security/Social Networking
• Software Assurance
• Malware
• Government Security

To submit a proposal in one of the categories above, please visit https://www.isc2.org/Congress2012/call-for-speakers.aspx. (ISC)² will accept submissions until February 27, 2012.

Registered attendees can attend any of more than 150 conference sessions throughout 22 education tracks or mingle with more than 700 exhibitors, as well as sit in on keynote addresses, to be announced at a later date. Registration is now open, and (ISC)2 members can enjoy a significant discount off of the regular conference registration price at www.isc2.org/congress2012.

Bringing together IT professionals from a wide variety of disciplines for a conference of this magnitude no doubt has an invaluable and positive effect on the future of our field. As the world’s largest information security professional community, we are excited to bring our members together with other security pros from around the globe and aim to make Congress 2012 THE event of the year once again!

By Julie Peeler, (ISC)2 Foundation Director

Tomorrow marks Data Privacy Day and while it may not be a national holiday, it’s a great opportunity to take a step back and evaluate our personal data privacy and security measures.   Over the last year, we’ve heard about a lot of companies and organizations getting hacked and customer information being compromised.  And while it’s imperative that we do our best to ensure that we’re working with companies with sound security policies in place, it’s also incredibly important that we make sure we are doing everything we can at home to keep our information private.

In the last few years, I’ve heard an overwhelming number of stories about adults and kids, yes kids, having their identities stolen and their lives ruined because of simple, avoidable mistakes.   At Safe & Secure Online we’ve dedicated ourselves to keeping parents and children educated about how to stay safe on the Internet. Given the theme of day, I’d like to offer some tricks to be mindful of and some tips for keep you and your family safe year-round!

• If your information has been compromised, flag everyone’s social security number (SSN). Most of us are smart enough to flag our SSNs with credit bureaus if we know that a piece of our information has been compromised to avoid a potentially situation of identity theft.  But what many of us don’t realize is that hackers are smart and they go after the SSNs of children, which are often stored alongside their parents’.  They do this for two reasons:  First, parents don’t normally think to flag the SSNs of their children and second, when a child’s identity is stolen,  can go undetected for years until the child applies for a college loan, their first credit card, or attempts to buy their first home.  It’s a tough mess to untangle.
• Keep private information private.  Many times, we give away information about ourselves and our children completely unwittingly.  This is especially prevalent with the tendency to “overshare” on social networking sites.  Much like announcing your three-week vacation can attract burglars, providing seemingly innocent information related to private matters like health conditions, for example, can also come back to haunt you or your kids.  Remember, the Internet is forever and search engines are able to search social media sites better than ever. 
• Keep software up to date:  It may seem like a chore, but making sure you’re downloading security updates for your operating system and keeping your security software complete up to date make all the difference in keeping your family safe online.  Also, making sure your firewalls and other security precautions are at their highest level is incredibly important to keep the bad guys away from your private information.

In the coming week, Safe & Secure Online will be launching a robust how-to guide discussing how to configure your security settings on everyday devices like mobile phones, your web browser, your social media, and more.  Be sure to check back soon at https://cyberexchange.isc2.org/safe-secure.aspx , and in the meantime, start thinking about ways you can keep your family’s private information, private!

Talking of customers, CSO´s, engineers and other IT security people could give me some insights of what companies are looking for in 2012 in terms of overall IT security.

Far from a reality or a survey, this is more my personal view of how things will gonna be this year:

 

Top Challenges

• Mobile Devices - How to secure so many different devices? How to define borders in a borderless network?
• Identify Management - How to ensure the proper identity management process and tools when too many systems are moving to outside the organization?
• Cloud Computing - How to securely take full advantage of it?
• Incident Response - Some attacks cannot be prevented. How can I detect it earlier and act properly?
• Log Management - How to proper handle all these logs and how to extract useful information from it?

 

Top Projects

• Deployment of Advanced Anti Malware Technologies
• Deployment of Next Generation Security Devices (Firewall/IPS)
• Deployment of Endpoint/Network DLP
• Push for content Encryption
• Move applications securely to the Cloud

 

Top Technologies

• SIEM
• Intrusion Prevention
• Secure Communication
• Anti Malware
• Strong Authentication Systems

 

What do you think? Agree, Disagree?

Le me know your thoughts and comments.

 

Best Regards and whishes of a great 2012!

3.        Background

   In the years since I took my first IT security position in 1999, the cyber security landscape has changed vastly.   Fortunately, there has been an awakening within the entire information technology security community in the years since 9-11 and passage of the “Patriot Act".   We are all just now beginning to realize the true power of the internet and just how interconnected we are on a global scale (public, private, and infrastructure (SCADA) networks).  In today’s dynamic environment it is critical that we have full participation and information exchange between the USG and USBUS in order to quickly and accurately communicate with each other as securely as possible in response to Cyber attacks and threats. 

 “The tragic events of September 11, 2001, demonstrated that the United States needed greater integration across the Intelligence Community and improved information sharing to respond to evolving threats and to support new homeland security customers. The new threat environment we face is dynamic: The players and their motivations and methods emerge and evolve rapidly. Advances in technology are accelerating and are spreading through globalization. Commercial products featuring state-of-the-art technology are available globally at favorable prices. Our adversaries achieve technological advantage through the rapid assimilation and adaptation of commercial information and telecommunication products. They freely communicate, obtain training, share information on tactics, gather intelligence on potential targets, spread propaganda, and proselytize. In this post-9/11 world, intelligence must move faster and leverage all sources of intelligence information “. (Intelligence Community Information Sharing Strategy, February 22, 2008) http://www.dni.gov/reports/IC_Information_Sharing_Strategy.pdf

   The constantly changing Cyber Security landscape and the APT’s that US Information Systems are barraged with on an hourly basis has been “one of the driving factors that has brought about a change of thought within the IC”.  In addition to USIC failures leading up to 9-11 that plagued the Bush administration and led up to the events that hastened the 2003 Invasion of Iraq.  The lines between Strategic and Tactical, Intelligence and Operations have become blurred in this ever-changing Cyber environment.  This constantly evolving environment is the impetus for change within the IC and demonstrates the need to improve information sharing and integration within the IC. 

   We now need to dig deeper as a nation and expound upon the lessons learned by the USIC and CND communities and begin to integrate them in to the private sector BI and CND communities and incorporate key private sector entities into our overall National Security strategy.  In doing so we will have to carefully navigate many issues including privacy, and other legal issues.  Meeting these needs will require us to develop a culture that values sharing information with those who need it, and providing them with the training, policies, laws and processes necessary to distribute and share knowledge.  We are now at a critical juncture at which we must be absolutely resolute in keeping the US in control of the internet, despite international pressure to relinquish control.  The US must remain in control of the Internet in order to maintain both strategic, and tactical dominance; not only militarily but, economically as well. 

 4.        The Threat

  USBUS and academia’s Research and Development (R&D) efforts are the motors of industry that drive our economy and has historically kept the US in its position as an economic powerhouse and global leader.  The success or, failure of our economy are a large part of our national security - the two are intertwined.  Our adversaries (most notably China, followed closely by Russia and Iran) have been targeting and successfully compromising the Department of Defense (DoD) for years.  They have also been busy targeting the Defense Industrial Base (DIB).  The Unclassified corporate networks of Defense Contractors and US Private sector businesses, as well as the R&D programs of US Colleges and Universities.  This is by no means a coincidence.  Google the following “cover terms” that can be found conducting “Open Source” research:

• Moonlight Maze
• Titan Rain
• Byzantine Hades

“As noted in the Office of the National Counterintelligence Executive’s “Annual Report to Congress on Foreign Economic Collection and Industrial Espionage,” the threat to the United States from foreign economic intelligence collection and industrial espionage has continued unabated and foreign entities continue to try to illegally acquire U.S. technology, trade secrets, and proprietary information”. (DSS - Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry 2010)

  The Advanced persistent threat (APT):  is a term commonly used to refer to “State Sponsored” (foreign nation) cyber threats from states with well established and very capable Computer Network Attack (CNA) programs (most notably China, Iran,  and Russia).  APT actors are usually a group who has the resources, capability, intent, and ability to maintain persistence on a system and / or network that has been successfully exploited and compromised.  These APTs have enabled our economic and technologic adversaries to leap-frog technologically, especially in the military arena.  Just take a look at China’s new stealth fighter, Iran and China’s missile an UAV programs. 

Dr. Eric Cole (SANS notoriety) Once said in a class I attended long ago and I am Paraphrasing here: The only way to truly secure a computer system is to:

1. 1.        Dig a 12’ x 12’ hole
2. 2.        Unplug the CPU from its power source
3. 3.        Place the CPU in the hole
4. 4.        Fill the hole with concrete.
5. 5.        Computer Secured

  In my fourteen years of experience in the Information Technology (IT) world I have found this statement to be an un-deniable fact.  To the best of my knowledge there is no Operating System (OS) Network, or TCP/IP protocol that is invincible.  Those that made claims of invincibility in the past , and that their network, Operating System (OS), or program was “Secure” were quickly compromised as soon as the “Black Hat” community got wind of the “challenge”.  There is NOTHING that cannot be hacked!  Just ask Rivest, Shamir, and Adleman (RSA).  Despite all of the emphasis and attention placed on cyber-security, many people would be shocked to learn the breadth and scope of the threats that we are facing.  We currently have so many inter-connected devices that we ALL tend to forget that they are connected to a network and expose us to an attack.  Due to the rapid expansion and integration of networked devices into our lives, information assurance and cyber security are often an afterthought.  This is especially true of less tech-savvy users or, the small business owner who in many cases does have neither the time nor resources necessary to secure their Information Systems and network.  

5. The Problem

  In the past, on the USG side of the house each organization’s network defenders had to rely almost exclusively on their own computer / network centric cyber intelligence section, if they even had an established (CI) capability for attribution and assistance in the creation detection signatures (indicators) of malicious activities.  This lack of intelligence, in many ways, handicapped the CND community because they (network defenders) had very little, if any knowledge, of new, emerging, or Advanced Persistent Threats (APT) they were facing.  They did not have the “Big Picture” and we still don’t (to a lesser degree).  This lack of sharing and collaboration within the IC has also obviously had a tremendous impact the Computer Network Defense (CND) communities.  Today we are seeing much more information sharing and cooperation among USGA’s.   So much so we are now seeing redundant or overlapping reporting.  However, more often than not, we are seeing more inter-agency collaborations which are now becoming common place within the IC.  On example of this new collaborative effort within the IC is the National Cyber Investigative Joint Task Force (NCIJTF).

[Comment: Let me add a cautionary note here.  With these convergent and collaborative IC/CND efforts there have been and, will continue to be some growing pains within and between these two communities with very different missions.  We are now [I hope] in the infancy of a new Information Sharing era between the USG and USBUS.  In the future, I believe we will see much more participation from many other  Public sector organizations.  One example of this new detente are the USBUS members who are a participating members of the Defense Industrial Base Collaborative Information Sharing Environment (DCISE)].   (http://dc3.mil/dcise/dciseAbout.php)

  In the past few years DHS has made tremendous strides in areas of information sharing and dissemination.  However, they have thus far fallen short in getting the message out to a wider audience and “buy in” from the vast majority USBUS.  Noticed by the limited use, access, and reach of their main point of access used to serve the US public.  The US-CERT portal.  I would venture to say that on a comparative level only a handful of private sector companies have actual “Portal” access.  Even less actually visit this website.  Outside of the CND community few even know about the site and the resources that are available to them from the website.  I also believe that the USG should have in place a minimalistic monitoring capability (IP address, Port and Timestamp) in place at all ingress and egress Network Access Points (NAP) regardless, of ownership (if the backbone is owned by Verizon, ATT, or any other provider).  This should be a government mandate placed upon any ISP that is providing carrier backbone service within the US.  This implementation should be a mirror implementation of the US-CERT Einstein Program.  The good news is that a few public sector organizations have begun to reach out to the FBI, NSA, and others and requested technical assistance in identifying,  investigating, and eliminating network threats and compromises.  For example:

“Google Asks NSA to Help Secure Its Network - Google is teaming up with the National Security Agency to investigate the recent hack attack against its network in a bid to prevent another assault, according to The Washington Post.” ( http://www.wired.com/threatlevel/2010/02/google-seeks-nsa-help/)

  We are moving the right direction with the passage of H.R 2096, Cybersecurity Enhancement Act of 2011.  H.R. 2096 (http://www.gpo.gov/fdsys/pkg/BILLS-112hr2096ih/pdf/BILLS-112hr2096ih.pdf ).  However, in my opinion, we need to continue in this direction have stronger more clearly defined wording, and aggressively implement proactive measures that must be adopted by the USG.  US private sector companies should be required to adhere to and implement a uniform Certification and Accreditation (C&A) process that is compliant with National Information Assurance Certification and Accreditation Process (NIACAP).  These standards could be tailored to the specific area of industry.  However, this is a “grey area” in that it may be seen as yet another form of government meddling in the private sector.  It is essential the private sector realize that we are all connected and their protection is an essential element of our National Security.  The IC must continue to break down the barriers regarding information sharing within the IC and take things a step further by sharing the bare minimum outside of USG channels.  It is entirely possible to strip down a classified report to let’s say; strictly an IP address, filename, MD5 hash etc without any attribution that could compromise any ongoing investigation and share this information with the USBUS community.  Conversely, US Businesses (USBUS) must be willing to share their data with the USG without fear of being singled out or becoming the target of an investigation if their network is compromised or Personally Identifiable Information (PII) is stolen. 

  DHS has the lead for the federal government in ALL things security, including Cyber Security.  Their mission is to secure federal, civilian, and executive branch IS and to work with private sector in order to defend privately-owned and operated critical infrastructure.  They also work with state and local governments to secure their information systems.  We need to pass legislation that would require US utility companies (ie. Excelon and Constellation Energy) as well as  state and local utilities  (water & sewer, subway-metro, etc) to be more pro-active in protecting their Supervisory Control and Data Acquisition (SCADA) and Control Systems (CS) networks via a standardized C&A process and employing real-time IDS solutions.  Even today, many believe that SCADA and CS are not vulnerable.  At some point even these systems connect with a system that is connected to the internet.  Also, we cannot dismiss one of the biggest and most often overlooked threats to our networks the “insider”.  We are now at the beginning of a convergence in worlds of USG CND and the US Intelligence / Counterintelligence (Cyber) communities.  We are now entering a crucial stage in our nation’s history.  We are standing on the precipice of either continuing to be a global economic and technological powerhouse or falling into mediocrity.  So, we must do some serious self examination in regards to our Cyber Security policy and how it relates to our National Security.  We need to seriously consider joint public/private collaborations.  I believe that we in the cyber community are missing out on a whole lot of actionable Intel that is just sitting out in cyberspace on many USBUS’ networks. We need to begin including the USBUS Business Intelligence (BI) communities.  Traditionally, there has been an inherent lack of trust between the private sector and the USG.  The reasons for this distrust are many and would be a book unto itself to go into the reasons why.  Thus far, the lack of trust between public and private has been detrimental to our overall National Security.  However, a movement of collaboration and Information Sharing has been underway in the years since 9/11 that has been slowly gaining progress.  The Department of Homeland Security (DHS) and the other United States Government Agencies (USGA) have made huge strides in information sharing with each other and the private sector to a lesser degree.   However, there is much more work to be done. 

6.        Recent Compromises

  Both, public and private sector US networks have long been the target of Chinese hackers both “State Sponsored” and the so called “Patriotic Hackers”.  These Patriotic Hackers appear to operate with a fair amount of autonomy granted to them by the Chinese government.  That is as long as they do not attack other Chinese systems.  Below you will find a short list of some of the more recent or, notable exploits perpetrated by China.  

Comment: Notice the diversity of their targets, ranging in everything from Banking to the DIB, to mining companies.

• Morgan Stanley experienced a “very sensitive” break-in to its network by the same China-based hackers who attacked Google Inc.’s computers more than a year ago, according to e-mails stolen from a cyber-security company working for the bank.( http://www.bloomberg.com/news/2011-02-28/morgan-stanley-network-hacked-in-same-china-based-attacks-that-hit-google.html)

• A hack attack that targeted Google in December also hit 33 other companies, including financial institutions and defense contractors, and was aimed at stealing source code from the companies, say security researchers at iDefense. (http://www.banktech.com/blog/227101119)

• Chinese 'Spying' Rattles Australia - Australia has tightened its security control on communication with Beijing after Chinese spies reportedly hacked the phone and computer of Australian Prime Minister Kevin Rudd during his trip to China, and targeted Rio Tinto in the early stage of Chinalco’s bid. (http://www.forbes.com/2009/04/03/china-spies-scare-markets-equity-rio.html)

• Hacking watch: Google, Gmail and China; defense contractors; Sony update - A day after Google wrote in a blog post that hundreds of Gmail accounts belonging had been hacked in attacks that originated in China, the United States announced today that it is investigating the matter. The phishing attacks seemed aimed at spying on people including senior U.S. officials, Chinese political activists, journalists and others.  (http://blogs.siliconvalley.com/gmsv/2011/06/hacking-watch-google-gmail-and-china-defense-contractors-sony-update.html)

• China denies involvement in Renault EV spy case; over $841k found in secret bank accounts? The industrial espionage case involving three top Renault execs and electric vehicle secrets (and maybe China) continues, as the French carmaker has officially filed an accusation against a foreign private company. The company involved was not made public, but the filing does not cite a foreign power, according to Jean-Claude Marin, a Paris prosecutor, in Reuters. In fact, the French government began stepping away from rumors that China is involved with this industrial espionage case. Even still, a member of the conservative UMP party told France-Info radio that, "There are in effect several sources that are typically thought to be serious who consider that a Chinese buyer is in fact behind this operation." That buyer might be a Chinese power company, which French newspaper Le Figaro reported laundered at least 630,000 Euros (around $841,800 U.S.) into bank accounts in Switzerland and Liechtenstein opened by the executives. For its part, China has denied any involvement. (http://green.autoblog.com/2011/01/14/china-denies-involvement-in-renault-ev-spy-case-over-841k-foun/)

• Google Hack Attack Was Ultra Sophisticated, New Details Show - Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer, according to new details released by the anti-virus firm McAfee.  Google announced Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network. It said the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists. The attack originated from China, the company said.( http://www.wired.com/threatlevel/2010/01/operation-aurora/)

• NSA to Investigate Nasdaq Hack - The National Security Agency has been called in to help investigate recent hack attacks against the company that runs the Nasdaq stock market, according to a news report.  “By bringing in the NSA, that means they think they’re either dealing with a state-sponsored attack, or it’s an extraordinarily capable criminal organization,” Joel Brenner, former head of U.S. counterintelligence in the Bush and Obama administrations, told the publication. He added that the agency rarely gets involved in investigations of company breaches.  (http://www.wired.com/threatlevel/2011/03/nsa-investigates-nasdaq-hack/)

Additionally, we cannot forget about all of the other threats that we are faced with on a daily basis. Listed below are just a few:

• The Russian Business Network (RBN) - http://en.wikipedia.org/wiki/Russian_Business_Network
• Iranian Hackers Suspected in Recent Security Breach- http://bits.blogs.nytimes.com/2011/03/24/iranian-hackers-suspected-in-recent-security-breach/
• Pakistani hackers attack U.S. government site-http://www.usatoday.com/tech/news/2001/10/26/hack-attack.htm
• Cyber Jihadist - http://news.bbc.co.uk/2/hi/americas/7191248.stm
• Narco Hackers - http://insightcrime.org/insight-latest-news/item/1251-are-mexico-drug-gangs-drafting-hackers

7.        Conclusions and Recommendations:

In my opinion the USG does not realize that it is wasting a vast pool of talented Intel and CND personnel that currently working the private sector.  The USG needs to exploit (for lack of a better term) this vast talent pool.  We really need to start looking at the private and public sectors holistically (as the same).  We can no longer afford to stand back “individually” as organizations with a reactive approach to Information Security. 

1. Maintain U.S. control and ownership and control of the internet
2. The USG and USBUS need to take a “holistic” view to Cyber Security.  We need to take a less “individualized” view of Cyber Security and look at as a “whole”.
3. The United States needs to take a Machiavellian approach CND and Cyber Operations
4. We must consider every organization from the smallest USBUS that has an internet presence, to the largest USGA as integral part of our critical infrastructure and national security. 
5. Advertise and expand upon US-CERT’s role
6. Establish a “National Cyber Security Think Tank”.  I believe that we should create a National Cyber Security Think Tank (NCSTT) would act as a national clearing house to provide Cyber Security guidance, recommendations and solutions to every segment of the American population.  This body would merely take in information and make educated and feasible recommendations based on current intelligence, new and emerging threats, and best practices in order to guide lawmakers in constructing new legislation. 
7. The US needs to view ALL U.S. based information Systems that have been attacked or compromised as being a national IT asset.  Or, establish a criticality hierarchy
8. Draft and pass legislation that will allow for easier rules for the US public and “private Sectors “ to establish and maintain collaborative information sharing efforts in both CND, and Cyber Intelligence.
9. USIC should work with USBUS in order to establish a cyber “Most Wanted” list of IP addresses, file hashes etc.  Provide guidance to USBUS that reports suspicious activity on their networks.
10. Have “No Fear” in taking retaliatory actions when there is a preponderance of evidence.
11. Be more aggressive in “Red Team” and CNA operations in both public and private sectors and collaborate on targets of opportunity and Interest.
12. Allow for the formation of “Patriotic Hacking” teams that have guidance and direction (handlers)
13. Seek out youth while in High School or College who have demonstrated Cyber “ninja” skills and utilize those skills for doing good.
14. The USG must develop a required minimum system security baseline requirements program for all USBUS
15. USBUS should be required to adhere to and implement a nationally uniform Certification and Accreditation (C&A) process
16. USG needs to develop a cyber security educational assistance program implemented via DHS and the Small Business Administration (SBA) for less tech-savvy small business owner
17. Above all, the privacy of the citizen/customer must be protected at all times by all parties.  It is imperative for USG and USBUS to establish ‘trust relationships’ and information sharing agreements.  Our adversaries have been kicking down our doors for years now.  We all realize that almost all systems are somehow inter-connected today and need to be secured and defended. 

  We are currently moving in the right direction however, there is much more work to be done.  Now, is the time for the US to be Unified and resolute in defending our National Security interest on the Cyber front.  We need a unified and cooperative approach from the US Government and US private sector organizations working together for the Common Defense.  Yes, these suggestions are daunting and perhaps extreme.  However, in considering how much we have already lost can we afford to lose much more? 

By:

Larry P. Bunch CISSP, CEH

http://mysite.verizon.net/vze18ez5m/id3.html 

Twitter: https://twitter.com/#!/bunchlarryp  

 

 

Preface

 

  This article was originally intended to be a light reading OP/ED piece.  However, it has slowly evolved into a hybrid OP/ED – Whitepaper dealing with Cyber Intelligence and Network Security.  The opinions in this article do not represent the United States government or my employer (VortechX LLC.).  This article is intended to generate discussion, collaboration, and interaction within the Intelligence and Network Defense communities of both the Public and Private sectors of the United States.  The ideas and recommendations presented here reflect only my own opinions and may NOT be entirely feasible legally or technologically.  Nonetheless, we really need to reevaluate the current state of how the United States views and handles Cyber-Security.  This is a condensed version of the paper. The paper can be viewed in its entirety at my website listed above.  Enjoy and please feel free to provide feedback.

 

“Recent attacks on U.S. corporations such as Google Inc, the NASDAQ stock exchange, Lockheed Martin Corp, and RSA, the security division of EMC Corp, Amazon.com and ITunes and U.S. government and military websites including the Department of Defense, Department of Justice, FBI and numerous law enforcement agencies has sparked a sense of urgency to address threats to U.S. computer networks.” (http://www.examiner.com/homeland-security-in-chicago/u-s-military-chief-we-re-under-constant-attack-every-day)  

 

   In today’s networked environments of both the United States Government and Private Business networks, the Intelligence/counterintelligence and network security communities are intertwined in a complex and (at times) convoluted relationship.  One of the main points that I touch on is expanding the Information Sharing paradigm that the Intelligence Community (IC) has implemented across the entire IC.  Another point that I expound on is a radical idea, which for numerous reasons may not be possible.  That point would be this: The Intelligence Community has a vast pool of untapped talent available to them working in the Private Sector.  These Business Intelligence and Network Defense analyst working in the Private sector could act as an additional “set of eyes” to the IC if leveraged properly (ethically and legally).  That is, if frank and open discussions take place between the two communities and a framework could be established.  We are now entering a crucial stage in our nation’s history.  We are standing on the precipice of either continuing to be a global economic and technological powerhouse, falling into mediocrity or, even second nation status.  Therefore, we must do some serious self-examination in regards to our Cyber Security policy and how it relates to our National Security.  

 

“Both military intelligence and national intelligence will be treated more holistically”  (http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=2805&zoneid=333)

 

  The USG needs to employ “Machiavellian intelligence” (also known as political intelligence or social intelligence) capacity of an entity to be in a successful political engagement with social groups”.  Or, in this case, the US Private Sector.  The USG needs to exercise a Machiavellian approach and implementation especially when it comes to Information Assurance (IA), Network Defense, and conducting Cyber Operations against our adversaries. 

 

  I realize that there would be tremendous obstacles to overcome.  In regards’ to constitutionality, individual / corporate rights, and privacy issues.  However, I believe that the time has come for us to seriously consider joint Public/Private collaborations.  I believe that we in the Cyber community are missing out on a whole lot of actionable Intelligence that is just sitting out there in Cyberspace on many USBUS’ networks.  Towards the end of writing this paper, I have discovered that I may not be alone in some of my radical thoughts and concepts that I am proposing.  See example below:

 

  While speaking at a security forum in London earlier this week, General Martin Dempsey, Chairman of the Joint Chiefs of Staff, warned that the constant barrage of cyber attacks against critical systems will require a unified effort by government and the private sector to improve security.  Dempsey reiterated what many experts have been saying for years - that cyber-based espionage operations are a major threat to proprietary information and ultimately the economy as a whole.  The report, titled Foreign spies Stealing U.S. Economic Secrets in Cyberspace, boldly suggests that state-sponsored entities in both China and Russia are systematically targeting US government and private sector networks in an effort to pilfer valuable information that has tremendous economic value”.

 

 

The Bottom Line Up-Front (BLUF) 

 

 

  The United States Intelligence Community (USIC) and Computer Network Defense Communities (CND) must figure out a SECURE way to integrate United States Business (USBUS) Business Intelligence (BI) and CND efforts into the Intelligence Community (IC) information sharing paradigm and the US Government CND communities at the lowest classification level.  Of course selected USBUS personnel can be read on or, (granted access to classified material if absolutely necessary) if possible.  This is entirely feasible and within the realm of possibility with proper vetting of USBUS personnel of course.   The United States Government (USG) must sit down draft legislation, policies, and implementation procedures to facilitate this goal  Although the IC has made tremendous strides in successful collection efforts in developing and presenting a clear, actionable Intel picture.  However, we still do not have enough eyes “in the wild” so to speak.  Compounding this problem, there is currently a severe shortage of properly trained federal agents, state, and local law enforcement officers who possess the knowledge or training in conducting cyber investigations.  The USG has a vast pool of untapped talent in the private sector that can leveraged and be utilized in Intel collection / operations, and US CND efforts.  The private sector BI and CND communities would probably be more than willing to be utilized for the common defense.  Given the right set of circumstances and proper direction and guidance (legally, ethically, and morally), mutually beneficial Information Sharing agreements can be implemented.   

 

[Comment: It is entirely possible (in my opinion) to implement an Information Sharing paradigm without compromising our National Security or, any ongoing investigations. 

 

  The United States (as a whole) must take a “Holistic” view and a “Machiavellian approach in the implementation of US Cyber Security / Network Defense strategy.  We must develop and implement stronger and more stringent goals, strategies, and policies concerning our offensive, defensive, and retaliatory responses.  Especially when it involves a “foreign” or, state sponsored entity..  We must vehemently defend “our” internet and national infrastructure from our adversaries.   

 

  The US has to be far more aggressive and act far more decisively in our response to foreign adversaries who threaten and continue to conduct Computer Network Attack (CNA) operations against us.  For far too long we have been idly standing by while our networks and electronic resources have been under attack.  Our adversaries (much like childhood bullies) will continue “raping and pillaging” our Defense, Business, Research and Development (R&D), and Supervisory Control and Data Acquisition (SCADA) (“aka” infrastructure networks).  For far too long we have been letting Advanced Persistent Threat (APT) actors especially those from China; wreak havoc on our networks.  In order to better defend the National Security Interest of the United States we (the US) need to take a serious look at how we are currently dealing with all of the APT’s and emerging threats that we are facing.  In addition, the United States as a whole; must do a better job in developing inter and intra  organizational relationships (working groups), information sharing, and collaborative projects (both classified and Un-classified) in order to better defend and secure ALL of our Information Systems.  We need to bring the Public and Private Sectors together and get on the same sheet of music so, to say.  Private Sector industries are the engines that drive our economy and must be defended just as fanatically DoD assets.

 

 “But just as we failed in the past to invest in our physical infrastructure – our roads, our bridges and rails – we've failed to invest in the security of our digital infrastructure… This status quo is no longer acceptable – not when there's so much at stake. We can and we must do better”. – President Obama, May 29, 2009 http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal 

 

  The world’s economies have become more globalized and each country’s governments and businesses attempt to gain a completive edge on the United States.  The United States Government Agencies (USGA) (aka “Public Sector”) and US Businesses (USBUS) (“Private Sector “) must establish, enhance, and maintain emerging collaborative efforts in both CND, information sharing , and to a limited degree Cyber Intelligence.   The onus is on the USG, namely the Department of Homeland Security (DHS), to establish and foster an atmosphere of trust between all of the entities in both private and public sectors.  DHS must be pro-active and aggressively pursue and build these relationships. 

 

  The USIC / CND and USBUS’s BI / CND analysts and collectors must establish relationships and national dialogue in order to defend all of our networks.  In many cases the analyst and collectors from both communities share the same duties and responsibilities and at times do work together.  Obviously they play on different playing fields.  However, our adversaries have the resources and capabilities to “spread the field” in each of these communities (public and private Sectors) and have the ability and resources to field two equally talented teams on these separate playing fields.  Conversely, the US currently does not have the necessary resources to stand up to the onslaught from the numerous APT’s we are facing.  We (the United States the USIC in particular) currently does not have the means in place to leverage (legally or otherwise) the vast pool of untapped talent and resources that we have available in the Private Sector to successfully defend all of our networked resources (we do but, we don’t. I will elaborate on this later).  APT actors are targeting and stealing data from both USBUS and the USG that is oftentimes related for example; defense contractors networks.  APT actors are targeting specific personnel and documentation from the defense contractors network concerning their targeted program.  They are simultaneous targeting the DoD networks involved with the targeted program.  On numerous occasions APT actors will utilize compromised USBUS hosts or networks as a CNA staging point or repository for malicious activity.  We are currently facing a diverse group of opponents each with varying degrees of skills, capabilities, and resources.

 

  However, at the end of the day the levels of sophistication and/or complexity of these programs does not matter.  If an attack is successful and data is lost we still bleed just the same.  The USG needs to establish a framework and model for cooperation and participation.   Both private and public sector Intel and CND communities must have the means available and a system available to them to better coordinate information sharing and possibly conduct joint operations with each other.  In doing so, we will be better able to put all of the pieces together (share information) from numerous intelligence sources to develop the big picture.  Information that is deemed as having an intelligence value must be shared without compromising any ongoing investigations or any spillage of classified information.  We must always keep the privacy of U.S. citizens foremost in approaching this new paradigm.  Let us face the facts.  Most of the folks in the public sector do not have a need for (or, in many cases want) a security clearance.  Nevertheless, these private sector employees are a valuable, yet untapped resource.   These individuals could be utilized by the IC to provide relevant and actionable intelligence when there are any indicators of malicious activity on the network(s) of the USBUS in question.  The USIC then has the responsibility to share the intelligence with the CND community as soon as possible.  In addition, this must be a two way street.  That is any intelligence derived from data provided to the USIC by a USBUS must be shared with the USBUS providing the data as soon as possible.  The goal is to effectively stop the attacks, eliminate the threat, and implement new security measures to protect the public and private sectors. 

 

  The public and private sectors MUST sit down together to conduct an in depth examination and reevaluation our current laws, regulations, and each other’s organizational policies, procedures, and guidelines, in order to develop and implement a common and “legally” operational framework and working environment.  We must ensure the preservation of the privacy and civil liberties of US citizens in addition to the protection and integrity of Personally Identifiable Information (PII).  We need to establish a “holistic” Cyber Defense/Security framework that will better serve and defend both US public and private sector computing assets and network infrastructure as a whole.  We must continue to, effectively ensure and protect the privacy of every US citizen, business, and organization.  I believe that it is possible to establish an atmosphere of trust between the USG and private sector organizations working together towards the common defense. 

 

Part 2 is coming next week.

By W. Hord Tipton, CISSP-ISSEP, CAP, CISA, Executive Director, (ISC)²

A few weeks ago, I was at my doctor’s office, and the topic of the cloud came up.  You may think this is a strange topic of conversation between a man and his doctor, but given my background in security and recent pressures from the Federal Government for doctors to switch from paper to electronic records (a requirement he and his colleagues are less than thrilled about), it turned out to be a very timely and interesting discussion.

The reason I found it timely is that last month, I had several in-depth conversations with people about information security trends for 2011, and I kept finding myself coming back to the topic of cloud computing. Almost every industry is upgrading to the cloud for their data management needs, with the exception of one industry - healthcare, which is purposefully lagging behind because of their many uncertainties with the security and privacy of the cloud. Healthcare providers have control over massive amounts of data in patient records, which some may say is the most sensitive data of any industry. Hospitals and medical offices need to feel assured that there is adequate security coverage for their records. Currently, they are skeptical – hence, both their reluctance and displeasure in complying with digital regulations.  Fortunately, cyber security education can help.

To begin, I’ll elaborate on the main concern healthcare providers have about upgrading to the cloud.  Not surprisingly, their main hesitation stems from the age-old debate between electronic and paper records. Most think that with all the recent security breaches, paper records are the safer alternative to electronic records. This is not the case. In fact, patient records are far safer in a secure cloud than lying around in paper format.   But again, understanding this relies on having adequate cyber security education.

Let’s look at this controversy from a patient’s point of view. Patients see news stories about massive security breaches in Fortune 500 networks every day. But how often do we hear that a patient’s records are left out on a table, printer or fax machine in a doctor’s office and stolen or copied? The fact is that we don’t hear those stories nearly as often. This phenomenon demonstrates how public opinion is formed. Numerous patients are against the transformation to electronic records because the risks of paper records are not as apparent. The risk is equally high, but patients just don’t hear about that. However, we must acknowledge it is much easier to steal 100,000 digital records on a flash drive than to steal the same 100,000 paper records in 1,000 different locations and off-load in a semi-tractor trailer.

There are some valid concerns surrounding medical devices, however, and healthcare providers should be educated about them.  Small devices, like insulin pumps, for example, are miniaturized and do not have room for robust security measures like encryption.  The security risk, however, is far less than the benefits, and as an industry, we’re already getting better at developing technologies that can better handle these limitations.

Over the next few years, between incentives for Electronic Health Record (EHR) implementations, HIPAA security and privacy guidelines and the computerization of most medical devices, health care providers will have to find a way to digitalize their information and ensure the security of their patients records, many of them through the cloud. Making the transition as smooth as possible by pushing cyber education is the job of the security professionals around the country and the responsibility of healthcare providers, be they doctors or staff, to understand.

Here are a few tips on what every healthcare provider should know and do before moving to the cloud:

• Educate yourself on your cloud provider and its security measures.
• Ensure that all members of the healthcare team, from doctors to nurses to office managers and receptionists, are educated on security measures surrounding patient data in the cloud. 
• When engaging a cloud provider, involve the appropriate legal, procurement, and contracts teams within your organization. The standard terms of service may not address compliance needs, and would need to be negotiated.1
• Obtain professional assistance to help select the appropriate provider. It is too much to expect doctors and healthcare workers to understand the complexity and danger of cyberspace.
• Make sure you have adequate and complete provisions in the contract(s). This will be a very comprehensive document.
• Be careful in your hiring practices. In the rush to fill positions in your office, perform adequate background checks and check references to try and prevent hiring a malicious insider.
• New security controls are needed in your new “digitized” office as well as your cloud provider. Do you have an IT security plan and policies to govern and monitor your digital environment?
• When using electronic devices, ensure they are equipped with the most up-to-date software and security updates. 

 

The fact of the matter is that some healthcare providers are simply not looking forward to scanning their paper documents into the cloud, and that is understandable.  But with an initial time investment, healthcare providers can soon learn that secure electronic records via the cloud can in fact improve their businesses and allow them to help more patients in a single day.  Believe it or not, healthcare and the cloud are beginning to form a great partnership. But you have to “get it right”.

 

1 ©2011 Cloud Security Alliance. Securing Guidance for Critical Areas of Focus in Cloud Computing V3.0. https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

By Mano Paul, CSSLP, CISSP, ECSA, AMBCI, MCSD, MCAD, CompTIA Network +

On our flight to Austin, back from Orlando, on the 22nd September 2011, our five year old son, Reuben, asked me “Are you famous, dada?” Before I tell you how I answered him, let me first tell you the reason for his question.

The previous evening, we were gathered at the Peabody Hotel in Orlando, Florida for the inaugural (ISC)2 Americas Information Security Leadership Awards (ISLA) ceremony. As a finalist in the ISLA practitioner category, my emotions were a roller coaster, as I eagerly awaited the announcement of the winner with both excitement and anxiety. I was excited by the prospect of being the first ever recipient of the honorable Americas ISLA as a practitioner and anxious at the possibility of being there amongst family and peers, having made it to the final lap, and not winning. The evening was made even more special to me because Sangeetha, my beloved wife, and Reuben, our cherished son, were present with me to share in this experience. After the welcome address and the keynote speech, Hord Tipton, the Executive Director of (ISC)2, called to attention the people who had gathered in the room, stating that it was time to recognize the winners of the first Americas ISLAs.

The ISLAs are given to leaders in their profession for their outstanding achievements and leadership in the information security industry/workforce. As the sound of my name as the winner and the applause from all who had gathered resounded in my ears, I was euphoric. The look of happiness and joy in the faces of my family superseded every other emotion that I had thus far experienced. Getting up and buttoning my suit, I walked up to receive this honor and then gave my note of thanks.

I was nominated for my advocacy and efforts to raise awareness for the problems resulting from insecure software. In the 2011 (ISC)² Global Information Security Workforce Study, 72% of over 10,000 information security professionals identified application vulnerabilities as the number one threat they’re facing. With a background in software development and strong experience in information security program management and leadership, I am extremely passionate about this area. Earlier this year, the first edition of my book entitled The Official (ISC)2 Guide to the CSSLP, the only guide of its kind, was published. Readers have informed me that it serves as an excellent resource to build security in to the software development lifecycle (SLDC), while serving as a guide to the CSSLP certification as one aims to advance their career.

This award means a lot to me. The very thought of having been recognized as the winner of the first ever Americas ISLA in the practitioner category, gives me a great sense of accomplishment and humbles me to realize that there are many like myself who are working extremely hard and diligently to protect their organizations. I commend (ISC)2 for having taken the time to recognize practitioners in the field - practitioners who get their hands dirty and their feet wet in the trenches but who often get overlooked.

With that said, awareness of the threats around us and the role cyber security plays in our lives is the first critical step toward increasing the security posture of communities, governments and businesses worldwide. It’s for that reason that during my acceptance speech at the Americas ISLA ceremony, I dedicated my award to the (ISC)2 Safe and Secure Online Program. Safe and Secure Online aims to educate and arm our children with information security knowledge so that they can become responsible digital citizens and have a secure and bright future. My personal take on leadership is that “effective leaders do not create followers but instead they create other leaders”. Our children today are the leaders of tomorrow. By dedicating my award to this program, I was expressing that the practitioners in the future would also have a forum to be recognized in like manner and strive to create more leaders so we can all have a more secure future.

And so, as I attempted to answer my son’s inquisitive question, “Are you famous, dada?” my wife wisely answered him for me. She said, “What you get, like awards and recognition, are momentary, forgotten over time, but what you give to someone is what really matters.” So am I famous? Who cares? It is what I can give to the discipline of software security, the information security community and my local community that really matters.

By Julie Peeler, (ISC)2 Foundation Director

When I was a kid, all I wanted was a 10-speed bike for Christmas. Back then, my bike came with a lock so I could keep it safe forever.  Nowadays, kids don’t always want a bike.  Instead, they’ve put tablets, smart phones, online gaming systems, and every other electronic gadget around on their long Christmas lists so they can be constantly connected.  Their electronic requests come with locks too – in the form of passwords – but like anything else, our cyber-connected world comes with positives and negatives.  With that said, as the holiday season approaches and your kids continue clamoring for the latest Web-connected techno-gizmo, take some time to educate yourself on the security features of your new gadget before handing it over to your kids on Christmas morning.

Studies show four out of five children cannot tell when they are talking to an adult posing as a child on the Internet.  Another study out of the London School of Economics revealed that 50 percent of 10-12 year olds spent time online after 10pm, some even as late as 1am (no wonder they’re falling asleep in class!).  These are scary statistics, but they’re also crucial to helping us understand how to keep your children safe online.

Some basic safety tips will help you and your child gain control over your Internet safety:

• Use strong passwords and never share them. Make sure your child chooses a safe password that does not include their name, initials, age or hometown, and does combine capital and lower case letters with numbers and symbols. Make sure your child knows never share to their password with anyone, including their closest friends.  You’re the only one who should know it besides them.
• Protect the family’s laptops, tablets, PCs and other mobile devices. Be sure you have installed some basic computer protection software to help keep your systems safe from viruses, spam, spyware and other threats.  Ensure that you have downloaded the proper security updates and patches to keep your system current. Additionally, you can download security apps for your mobile device from trusted app stores.
• Monitor what your child is doing and what “cool apps” they are downloading. There are many Internet predators lurking on the web that your child may come in contact with while surfing the web or playing on Facebook. Be vigilant and watch what sites your child is visiting and what activities are occurring.  Monitor who their Facebook “friends” are as well. Also, there are plenty of apps on Androids, iPhones and other devices that are ridden with malware that can steal sensitive data. Be sure your child is only downloading apps from trusted sites and that you aware of their downloads.
• Educate, Educate, Educate. Teaching your children early on about the serious risks associated with their favorite gadgets will help them keep their eyes open and ultimately protect them from any threat that comes their way.

Continuing on the topic of education, an interesting fact that may surprise you is that it takes 104 clicks to fully secure your Facebook page to ensure strangers can’t see photos of your children. Download our step-by-step guide and be sure your child makes you their “friend,” so you can see who they’re talking to.

With that said, another major security danger is geotagging. Geotagging is the process of adding geographical information to a photo posted on the Internet. Many users do not realize how geotagging can compromise their personal security, leading criminals right to their home. Turning off this feature is different on every device, so make sure you read the instructions before handing the gadget over.

These are just a couple of the risks associated with cyber security and children.  To learn even more, please visit our Website and request a (ISC)2 Safe and Secure Online cyber security presentation at your child’s school delivered by a certified cyber security expert, free of charge.  While you’re there, ask for our new presentation tailored to parents and teachers to be sure your cyber security skills are up to date.

Here’s wishing you a Cyber Safe Holiday Season and New Year!

By W. Hord Tipton, CISSP-ISSEP, CAP, CISA, Executive Director, (ISC)²

The first annual ASIS and (ISC)² Security Congress event was held in Orlando in September, and for those who attended, it was a major success. Our members made the most of the time with their traditional security counterparts at ASIS, and formally recognized that the physical and logical sides of the enterprise have much in common.

In practice, however, the integration of physical and logical security still has a long way to go. That’s one of the things you told us in a survey conducted before the Congress: “Perceptions of the Intersection of Traditional and Information Security.” As you recall, this survey focused on assessing where traditional and information security intersect, the issues our global members are facing in this context, which skills are in demand as a result and where you see the future of the security industry headed.

More than 1,000 professionals answered the survey, and your participation is greatly appreciated. We thought you might be interested to see the results, as well as some of the conclusions we drew from the data as we look ahead to next year’s Congress – and beyond.

• Integration of physical and logical security is still a work in progress. In most cases, only about a third of you said that traditional security and IT security organizations are sharing responsibility for protecting key elements of the enterprise such as property (31.9%), supply chains (34.5%), executives (32.2%), or brands (36.0%).  But there is some progress being made: the majority of you said that the protection of people (52.4%) and information (55.9%) is shared between the two organizations. A majority (51.2%) said that physical and logical organizations work together to some degree, and nearly a third (31.6%) report that the two groups are working together to a great degree.
• Risk management efforts are still highly fragmented.  While members listed data breaches (83.9%) and compliance (60.1%) as their most critical security-related concerns, only about half of respondents (51.1%) said that their organizations have an enterprise-wide view of risk that addresses these concerns. Almost half (47.5%) said risks are identified, assessed, and addressed independently within individual reporting structures, while only 42.5% said they have cross-functional teams that work to address critical risks. In most cases, however, the IT organization is the key driver behind the risk management function: 91.1% of respondents said the IT department plays a key role in assessing and mitigating risk, and nearly 87% said their enterprise-wide assessments of risk are led by the CISO or CSO.
• The CISSP is one of the top three credentials employers seek for traditional and logical security practitioners.  55.9% of you said that the credential most recommended for those working at the intersection of these fields was the CSC, followed by the Certified Facility Manager (CFM) – 55.8%, with 54.6 of you suggesting the CISSP.

In all three cases, the message is clear: security organizations, practices and people are all under construction.  While great progress has been made in integrating traditional and logical security functions, building an enterprise-wide risk management process, and broadening the skills of the security professional, there remains much work to be done.

At (ISC)2, we look forward to the opportunity to help our members in all three of these endeavors, and will always consider your feedback on how we can improve our efforts.  As we begin our planning for the coming year and for the 2012 Security Congress, we look forward to your continued input, community, and participation in all of our endeavors. Thanks for making (ISC)2 the best it can be!

To see the full (ISC)² results of the study, please visit the (ISC)2 member home page.  

 

Mr. Tipton is the Executive Director for (ISC)², the largest not-for-profit membership body of certified information security professionals worldwide, with over 80,000 members in more than 135 countries.  In his current role, he is responsible for overseeing the management team and guiding the organization’s strategic direction in accordance with the (ISC)2 Board of Directors. Before joining (ISC)², he served for five years as the Chief Information Officer (CIO) for the U.S. Department of the Interior, and received the Distinguished Rank Award from the President of the United States, the highest lifetime award attainable by a federal civil servant.

I recently found an article that outlined a study about cyber security and small businesses.  In the study, by Newtek Business Services’ Small Business Authority, it was discovered that “just 27 percent of small business owners have had an outside party test their computer systems to ensure that they are hacker-proof…”  I found this to be a relatively shocking number, but one that is believable in today’s tough economy.  It would seem that most small organizations would be watching every penny and often during that type of number crunching, Information Technology and I.T. Security budgets are often the first to get cut.  Security has always been one of those items that, to most organizations, has been a hard sell to upper management, particularly if that organization has never experienced any sort of security or data breach.  Security budgets are often looked upon as, “Why are we spending so much money on something that may happen.”  Until an organization is hit, it is often a tough sell for many to pass a decent security budget.

This same article also highlights a recent study by PwC that “found 43 percent of global companies think they have an effective information security strategy in place and are proactively executing their plans.”  Another interesting finding in this report was the number of respondents that have “confidence” in their plans.  “Seventy-two percent of the more than 9,600 security executives…report confidence in the effectiveness of their organization’s information security activities… (a number that) has declined markedly since 2006.”  This figure, in my opinion, shows that even the large organizations, as much as they may feel prepared, really are not too confident in their security preparations.

Maybe their lack of confidence comes from the large number of data and security breaches that are reported every day.  In addition to these breaches are numbers that are behind them.  Another study from the Ponemon Institute, sponsored by Symantec, found “that the average cost of a data breach increased by seven percent to $7.2million in 2010-with the most expensive data breach jumping 15 percent over the previous high to a whopping $35.3 million.”  In addition, the study calculated that “the average data breach cost per individual compromised record is $214.”  This is a staggering figure when you look at many of the breaches that have been reported, in most there are hundreds of thousand s of records lost each time.  Multiply these numbers by $214 and the fines and associated fees per breach will climb quickly. 

With these numbers in mind, this goes back to my original point, that only 27 percent of small business owners value security enough to have an outside company come in a test their security.  Taking into account that many small organizations may not have the capital available for such security or “penetration” tests, it also begs the question, “Will they have enough capital to cover the fines and other fees associated with a data breach ($7.2million in 2010)?”   

The latest annual security survey of 649 Canadian organizations by Telus and the Rotman School of Management indicates that organizations which ban social media at work suffer more - not less -  infosec incidents than those which permit it.

According to an article about the survey (cited in the RISKS newsletter): "It might seem counterintuitive, but the survey results confirm what we have been tracking over the last two years," said Rafael Etges, director of security and risk consulting with Telus.  "No social networking policies are actually forcing users to access non-trusted sites and use tech devices that are not monitored or controlled by the company security program."

What's the betting that restricting personal email use at work would stimulate a similar adverse and counterproductive reaction from (some) employees?  Yet this is the knee-jerk reaction by some naive information security pros and managers.

Sir Isaac Newton's third law of motion is the one about action and reaction - equal and opposing forces, the reason that rocket engines make rockets fly.  Autocratic managers blankly telling members of staff they cannot do something that, to them, seems entirely innocuous is the action: a common reaction, it seems, is to find ways around the ban.  Being successful in this venture may even prompt employees to become more reactionary or subversive, a bit like naughty children pushing the boundaries of parental control (a classic illustration of social engineering).

Being a security awareness wonk, and I suppose a liberal by nature, I would argue that raising employees' awareness of the security issues associated with social media, email, personal IT devices etc., along with their options for dealing with the risks, is a more effective way of improving security than simply banning them outright.  I'm certainly not claiming that awareness will prevent all incidents but an effective awareness program (meaning one that motivates and so achieves more secure - and less insecure - behaviours) can certainly help, for example by helping employees understand, recognize and respond appropriately to the associated threats. If they can be led to appreciate that information security is in their own as well as the company's best interests, that's a more persuasive argument than "Don't do that, or else!".  Self-interest is a powerful driver for most people, especially in todays cut-throat me-me-me world. 

On the other hand, who knows: maybe combining effective security awareness with a ban on social media, personal webmail or whatever would be even more effective than either part alone?  Personally I doubt it but your mileage may vary.  Either way, this situation is worth bearing in mind when you are developing security policies and practices on almost any topic.  It's relatively easy to write a policy banning bad stuff but takes a bit more thought, effort and creativity to achieve the desired aim with the cooperation of employees rather than strong-arming them into submission.  Isn't it better to get employees to think up better ways to acheive a common aim than to spend their lunchtimes plotting revenge against an overbearing management wielding the big stick?

Regards,
Gary Hinson  NoticeBored

It’s hard to believe we’re almost through November and that National Cyber Security Awareness Month (NCSAM) (October) has come and gone. As we enter the busiest online shopping season of the year, however, I challenge you to reflect on the message of NCSAM – STOP.THINK.CONNECT. – and to help us treat EVERY month as cyber security awareness month.

Did you know it takes 105 clicks to secure a Facebook account? As the largest body of information security experts in the world, our members are working to reverse statistics on attacks on kids related to social networking, cyber bullying, identity theft, online reputation damage and other threats kids and other vulnerable groups face every day. Our member volunteers have educated nearly 70,000 children to date – 7,000 during NCSAM 2011 alone - on how to protect themselves online through our Safe and Secure Online program, which places certified cyber security experts into schools free of charge to help kids become educated, conscientious, responsible digital citizens.

Safe and Secure Online volunteer and (ISC)² member Gary Alu, CISSP, won the Executive Women’s Forum Cyber Security Schools Challenge award for his efforts in helping students learn how to protect themselves online. Gary volunteered his personal time over an eight month period, reaching more than 5,300 students in his hometown of Las Vegas, NV, more than any other individual Challenge participant. Educating children on issues like social networking, cyber bullying, viral e-mails, “sexting,” malware, spam, and identity theft is crucial to the future of cyber security. Gary and our other Safe and Secure Online volunteers are making a real impact in kids’ lives year-round by empowering them with critical knowledge.

Volunteers like Gary are quick to share how rewarding it is to participate in the program. You can volunteer anytime as often as you like. To learn more or to sign up, please visit https://cyberexchange.isc2.org/safe-secure.aspx .

We also recognized the recipients of this year’s U.S. Government Information Security Leadership Awards (GISLA) during the Month in the categories of Community Awareness, Federal Contractor, Process/Policy Improvement, Technology Improvement and Workforce Improvement. Our global awards program is another way in which we aim to keep cyber security awareness on our minds throughout the year.

Cyber security awareness should be an ongoing campaign. Cyber predators and other criminals never rest – why should we?

While most of the people likely to read this blog will have some familiarity with that avalanche of acronyms, here's a quick explanation for anyone who doesn't:

• DNSSEC (Domain Name System Security Extension) is an initiative intended to enhance the security of DNS, the hierarchical naming system primarily intended to ensure that internet services translate human-friendly domain names to the numeric identifiers that computers understand. DNS was created in a more innocent age where the current scale and divergence of internet usage, and its inevitable misuse by criminals and worse, were not generally anticipated. Part of the rationale behind DNSSEC is to retrofit security to the system so as to mitigate (perhaps eliminate is too much to hope for) the problems caused by redirection of user traffic to malicious and fraudulent web sites.
• SOPA, known to its friends as HR 3261 or the Stop Online Piracy Act, and PIPA, otherwise known as S.968 or the PROTECT IP Act (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property), are obviously aimed at preventing piracy and breaches of intellectual property. And, given the number of times my own work has been plundered, I've no issues with that aim.

However, a great many people and organizations have expressed serious concerns about the current forms of SOPA and PIPA, suggesting that not only will they be ineffective in their own right, but they will also reduce or obviate the effectiveness of other attempts to make the internet safer.

 "Father of the Internet" Vint Cerf told Politico Pro that:

The bill themselves won’t solve the problem, but they visit upon a lot of third parties what appear to be a variety of liabilities that are very hard to cope with.

Back in May 2011, security heavyweights like David Dagon, Dan Kaminsky, and Paul Vixie pointed out in a paper called Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill that:

The site redirection envisioned in Section 3(d)(II)(A)(ii) is inconsistent with security extensions to the DNS that are known as DNSSEC. The U.S. Government and private industry have identified DNSSEC as a key part of a wider cyber security strategy, and many private, military, and governmental networks have invested in DNSSEC technologies.

(Of course, there's a lot more to the paper than that, and I recommend that you read the whole thing.)

My colleague at ESET, Stephen Cobb, compared the proposed DNS filtering to the actions of the DNSchanger malware and asserted that:

These bills would require DNS server operators in the US to replace the correct IP address for a website with an alternate address provided by the Attorney General's office, if the website was "infringing"...While the FBI and other law enforcement are working hard to stop the bad guys making millions by infecting our computers and subverting DNS it seems unwise to give private companies the ability to go ahead and change DNS armed only with court orders.

ESET CEO Andrew Lee went further and published an open letter to Congress in which he stated that:

...these bills will be devastating to the Internet and America's leadership in the global digital economy. They will undermine plans to make the Internet more secure and needlessly complicate the fight against cybercrime.

Google Chairman Eric Schmidt has described the measures as draconian and recommended an alternative strategy based on "tracing payments spent at websites offering illegal materials." However, the concerns go far beyond Google. 

A letter to prominent members of the Committee on the Judiciary expresses concern that they pose a risk to innovation, job creation, and cyber-security, and notes that they would undermine the "safe harbour" provisions of the Digital Millennium Copyright Act. The signatories are AOL, eBay, Facebook, Google, LinkedIn, Mozilla, Twitter, Yahoo! and Zynga. Most of these have a very clear interest in sharing where many of the lobbyists behind SOPA and PIPA have an equally clear interest in controlling the distribution of intellectual property. But don't look on this as a simple battle of conflicting interests. The signatories to the letter also have a strong interest in preserving their own IP and that of their customers: it seems to me that this is not an "either/or" conflict, but a clear case of needing to find a mutual accommodation of interests. And where so many security and internet infrastructure heavyweights have stepped up to point out the problems, it behoves the legislators to think long and hard about why they've done so.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

As we approach the opening of the elections for the 2012 (ISC)² Board of Directors, I want to encourage all (ISC)² members to vote! Log in to the member Website between 8 a.m. ET 16 Nov. and 5 p.m. ET 30 Nov. 2011 to cast your vote. All members in good standing as of 16 July 2011 AND as of the date the election starts are eligible to vote. The election process is a great way to ensure your voice is heard and that we are delivering the kinds of programs and services that are important to you.
 
We are a membership organization, which means we exist by you and for you, and the Board is here to listen to and represent you. If you’re not able to attend a member reception or Town Hall session but want to share your ideas or feedback, you can bring your thoughts, feedback and concerns to the Board’s attention at any time by sending a message to any of us:  www.isc2.org/board-of-directors.aspx#Contact

Over the last year, the Board has worked hard to support your career development needs and to move the information security profession forward. We’ve been focused on:

• Introducing a Chapter program to give our members worldwide the chance to form and interact with local communities of like-minded professionals;
• Migrating our exams to computer-based testing, a platform that offers enhanced convenience and security;
• Launching the (ISC)² Foundation to dedicate resources to our goodwill programs that make the cyber world a safer place for all;
• Expanding our scholarship program to offer US$140,000 in grants and creating new grant opportunities for women and undergraduate students;
• Expanding our global awards program to broaden the recognition of professionals through the Americas Information Security Leadership Awards (ISLA);
• Launching an advisory board for Latin America to ensure we understand and are meeting the needs of professionals in that region; and
• Kicking off the first (ISC)² Security Congress – an event dedicated to meeting the continuing education, networking and professional growth needs of our members. I particularly enjoyed the Town Hall session at Congress this year, because it gave Board members like me a chance to hear what’s important to you and how we can work together to make good things happen for the (ISC)² membership and the profession.

Through these and our existing programs, we’re hoping to reach more information security professionals than ever before.

I am proud to say that we have strong diverse regional representation on the Board. In fact, for the first time, this year’s Board officers are all from outside the U.S. Be sure to vote to ensure that the folks you want representing you are at the table in 2012. There are seven candidates on the ballot and four seats available. Please take the time to learn about each of the candidates by logging in to the member Website and reviewing the official ballot. The candidates are as follows:

Daniel D. Houser, CISSP-ISSAP, CISM
Eamonn McCoy, CISSP
William Murray, CISSP
Wim Remes, CISSP
Randolph Sanovic, CISSP-ISSMP, ISSAP
Jill Slay, CISSP
Greg Thompson, CISSP

In addition to casting your annual vote for the Board members, I encourage you to get involved with (ISC)²! There are so many ways to participate and influence the direction of the programs and of the organization (with the exception of voting, all of these activities are CPE-eligible activities):

1. Petition to get on the ballot. The petition process is detailed several months preceding the election, and several members over the years have had successful petitions.
2. Participate in the Job Task Analysis (JTA) survey for your credential. We conduct these annually in most cases, and this process is an important step in the credential examination development process and in ensuring your credential remains the relevant, gold standard it is today.  Participation by our members representing various geographic regions, ethnicities, practice settings and years of experience is critical to ensuring that the content of the exam adequately represents the field. The final outcome of each JTA is an updated Detailed Content Outline (DCO) for the examination. By participating in the JTA, you will influence the outcome of the DCO that will be used to define the content of the examination for the next three years. You can also earn five CPE credits for participating in the JTA survey and completing it. We conduct JTAs nearly annually for all our credentials and completed them for the CISSP, SSCP and CAP earlier this year. Our upcoming JTAs are scheduled as follows.
- 1 – 29 February 2012: ISSAP
- 1 – 31 March 2012: CSSLP
Watch your inbox for details on how to participate! 
3. Be an item writer for an (ISC)² credential examination. To participate, you must hold the credential for which you plan to write exam items. Multiple credential holders may participate and write items for any credential exam they hold. Do not worry if you feel you don’t have enough experience. Professional psychometricians will guide you through the item writing process. You may earn up to 22 CPEs for participating in an (ISC)² exam writing workshop.
4. Help shape our education program by writing content for our education exam forms, such as our studISCope certification exam simulator. A note of caution: those who are involved in examination item writing or development cannot contribute content to education materials, and vice versa. We offer free training for item writing, and you can both obtain the training and write items remotely by using our item writing tool.  You can earn 0.5 CPE credits for every question that is approved for use in one of our education exam forms.
5. Volunteer with (ISC)² to proctor examinations locally. We still offer paper and pencil examinations throughout the world. If you can spare your weekends, you can begin volunteering by being a proctor and facilitating an exam. You can later move on to becoming a supervisor of a test center.
6. Start an (ISC)² Chapter. (ISC)² Chapters provide members with the opportunity to build a local community of peers to network, share knowledge, exchange resources, collaborate on projects, and create new ways to earn CPE credits!
7. Become a blogger or speaker for (ISC)². If you are an accomplished writer or speaker, we need you! We offer the (ISC)² blog and speaking opportunities through our Security Leadership Series (live and virtual events held around the world) and are always looking for subject matter experts to write and speak on a wide variety of topics.
8. Become a Safe and Secure Online volunteer. (ISC)² members in Canada, Hong Kong, the UK and US have taught more than 66,000 children in those countries to protect themselves online. This program, which is free to schools, is a wonderful way for you to share your expertise and knowledge with a very vulnerable group of Internet users. Read more about the program and sign up here: https://cyberexchange.isc2.org/safe-secure.aspx.
9. Serve in a focus or Web usability group. We regularly need feedback on new credentials, programs or services we’re exploring and to improve our current processes/systems for our members. If you sign up for these activities, we’ll reach out to you during the project evaluation phase, and you can participate as often as you like.

Regular input from you through channels like these helps us stay connected with you and ensures that we are supporting your work, your professional growth and the information security profession at large in the ways that you want us to. The bottom line is that we always want to hear from you – what’s important to you and whether we’re doing things that matter to you. All you have to do is let your voice be heard!

To participate in any of these activities, please send an email to volunteer@isc2.org and indicate in the subject line which activity you’d like to participate in. You won’t regret it! You’ll receive a response within three business days.

As always, thank you for all you do for (ISC)², the information security community and society every day.

I had the opportunity to visit several companies over the years and in many cases I could verify that their network and security teams suffered of a lack of network visibility, which let them unable to answer some important questions, per example:

 

What's the average traffic in the network?

What's the most used applications?

Who are the top talkers?

There are unknown applications running in the network?

Why there are non HTTP traffic on TCP port 80 going out of the network?

 

Many teams don't know the answers from the questions above and certainly, this make them blind to what's going on in their networks.

The landscape has changed. We can't simply rely on our traditional security tools to track it for us. Because they focus on the known. And many threats are far from it.

They're small. Targeted. Hard to detect. Well developed.

 

I'll ask you a simple question:

 

How many viruses were sent to your users today? By any means. 1, 10, 100?

Can you measure that?

Probably yes, you'll say. I can generate a report from my anti virus solutions and show it to you.

And what about the viruses that your solutions aren't aware of?

 

Tough question...

Hard answer...

 

The first step to answer it is to admit one thing.

Our security solutions are pretty good. They really are. But they can't protect us from every single exploit/malware/virus and other kind of attacks.

 

So, we must assume that we are under attack, we were attacked or will be.

And if we can't prevent every attack to reach our network, we shall respond to it. Quickly.

 

How to do that?

 

Focusing on everything.

 

Understanding how our network works, and them look for the strange behaviors.

Why there are so many network activity after work hours?

Why do we have outgoing traffic going out to uncommon countries or sites?

Why people is downloading pdf with flash content embebbed?

 

Those questions are just the beginning, and if you know the answers for them, congratulations. You're doing great!

 

If not, it's time to look for them.

 

Best Regards