CIO vs CSO: Allies or Enemies

Whenever a breach occurs it reveals weaknesses in how an organization approached security.  Compromises are a great way to reveal the hidden sins organizations are committing.  In the case of the Target breach, it is a gift that keeps on giving.  While the initial breach report came out in December, it seems every week there are new “interesting” details that are revealed.  One of the more recent items is the fact that Target did not have a CSO and all security responsibilities were buried under the CIO.

The first question that people ask is whether the CIO should have been held responsible for the breach.  The bottom line is that when a major event like this occurs, someone needs to be held responsible for the negligence.  Therefore it is not surprising that someone was blamed for the breach.  What was surprising is that security was a responsibility of the CIO.  The fact that a large organization did not have a separate CSO who is a peer of the CIO is what is most concerning about the story.  Clearly many things went wrong during the breach, and whoever had responsibility for security needs to be held accountable.  However, it was not fair that the executives structured the company in this manner.  Running the IT infrastructure (typically a role of the CIO) and protecting the information (typically a role of the CSO) are two different roles, and it is unfair to expect one person to do both effectively.  While these roles can at times be complementary, they are often at odds.  Having security buried under the CIO puts that person in a conflict of interest.

First and foremost, organizations of any size, and especially one the size of Target, need to have an executive who is responsible for security.  With how heavily organizations now depend on digital infrastructure, security needs to have a seat at the table in the boardroom.  If security gets buried under IT, whose primary responsibility is running a reliable infrastructure, bad decisions will be made and breaches will happen.

Not having a CSO today is like a football team not having a quarterback.  You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games.  In order for organizations to be successful, they must have a reliable infrastructure and proper protection of information.  If an organization only has a CIO and no CSO, no one is focusing on security and the results are pretty obvious.  If there is no one focusing on security, bad things will happen.  Lack of a CSO means lack of security.  It is almost a guarantee that Target had an amazing security team who were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting their cause with the executives.  From the engineers, there needs to be a communication path to the CEO, and the CSO is that channel.  Without a CSO, the proper security communication does not make it to the executives.  If the executives had received the proper information about security, my guess is they would have made different decisions and this story would potentially have had a happy ending.

The CIO and CSO need to be peers.  IT and security need to have equal representation in the board room, making sure the executives have accurate information.  Typically the CIO will report to the COO and the CSO will report to CFO.  The COO and CFO directly report to the executive.  However an organization decides to structure it, the CIO and CSO must have a different reporting structure.

In order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility.  Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly.  The security that is defined by the CSO should be based on metrics that are reported up to the executives, so they can understand the proper level of risk to accept for the organization.  Metrics-based security is key to success.  With metrics there are clear guidelines of what must be done and an easy way to measure compliance.

Organizations in this day and age must have a CSO.  Every day that passes, with more breaches becoming public, it becomes easier to convince the executives that they need a CSO.  The problem is many CIOs do not want to have a CSO, because it is easier for them to accomplish their jobs if they control all aspects of the IT infrastructure.  Therefore the CIO will not usually lobby for a CSO.  There needs to be another advocate convincing the CEO.  The simple question to sell the CEO is "are you comfortable with the level of security at your organization, and are you receiving the proper security metrics to make the decisions?"  The problem today is many CEOs want to create a CSO position, but the CIO convinces them they do not need one.  While they have good intentions, it is often the CIO that lobbies against a CSO, since a CSO will cause them to give up control and potentially make their job more difficult.  For example, when a CSO comes in they often disclose all of the security problems, which shows that security was not being properly addressed within the organization.

Defending Against the APT

Advanced Persistent Threat (APT)

APT, formerly known as the Advanced Persistent Threat, is the buzzword that everyone is using.  Companies are concerned about it, the government is being compromised by it, and consultants are using it in every presentation they give.  One of the main reasons organizations are broken into today is because they are fixing the wrong vulnerabilities.  If you fix the threats of 3 years ago, you will lose.  APT allows organizations to focus on the real threats that exist today.

While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you.  Instead of just using it as a buzz word, if we understand the core components of APT, we can use it to improve our security.  In APT, threat drives the risk calculation.  Only by understanding the offensive threat will an organization be able to fix the appropriate vulnerabilities. 

What is APT?
APT is the new way attackers are breaking into systems.  APT is a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will.  The following are the important things to remember:

1) APT focuses on any organization, both government and non-government organizations.  Some people make the mistake of thinking that the APT is only focused on Department of Defense (DoD) sites.  When it comes to the Internet the lines between government and commercial are blurring, and anything that could cause harm to a country will be targeted.

2) While the threat is advanced once it gets into a network, the entry point with many attacks is convincing a user to click on a link.  However, once the APT breaks into a system, it is very sophisticated in what it does and how it works.  Signature analysis will be ineffective in protecting against it.  Advanced attacks are always changing, recompiling on the fly and utilizing encryption to avoid detection.

3) Many organizations make the mistake of thinking of attacks like the weather.  There will be some stormy days and there will be some sunny days.  However, on the Internet you are always in a storm.  In the past, attackers would periodically attack an organization.  Today attacks are nonstop.  The attackers are persistent, and if an organization lets its guard down for any period of time, the chance of a compromise is very high.

4) Attackers want to take advantage of economies of scale and break into as many sites as possible as quickly as possible.  Therefore the tool of choice of an attacker is automation.  Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break into sites very quickly.

5) Old school attacks were about giving the victim some visible indication of a compromise.  Today it is all about not getting caught.  Stealth and being covert are the main goals of today's attacks.  APT's goal is to look as close as possible (if not identical) to legitimate traffic.  The difference is so minor that many security devices cannot differentiate between them.

6) The driver of APT is to provide some significant benefit to the attacker, the benefit being either economic or financial gain.  Therefore the focus will be all about the data.  Anything that has value to an organization will have value to an attacker.  Since data has become so portable, and with cloud computing increasing in popularity, data is now available from the Internet via many sources.

7) Attackers do not just want to get in and leave; they want long-term access.  If someone is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time.  Stealing data once has value, but stealing data for 9 months gives the attacker even more payoff.

Putting all of this together means that you will be constantly attacked and compromised, making it necessary for an organization to always be in battle mode.  This is a never ending battle.  Since the APT is meant to be extremely stealthy, there is a good chance that an organization might be compromised and not know about it for several months.  Before you discount this, if you were compromised and the attacker was not doing any visible damage, how would you know? 

How to Defend Against the APT?
Prevention is ideal, but detection is a must.  Most organizations focus solely on preventive measures but the problem with the APT is that it enters a network and looks just like legitimate traffic and users.  Therefore, there is little to prevent.  Only after the packets are in the network do they start doing harm and breaking in.

Based on the new threat vectors of the APT, the following are key things organizations can do to defend against the threat:

1) Control the user and raise awareness – the general rule is you cannot stop stupid, but you can control stupid.  Many threats enter a network by tricking the user into clicking a link that they shouldn't.  Limiting the actions a user is allowed to take, combined with proper awareness sessions, can go a long way to reduce the overall exposure.

2) Perform reputation ranking on behavior – traditional security tries to go in and classify something as either good or bad, allow or block.  However, with advanced attacks this classification does not scale.  Many attackers start off looking like legitimate traffic, which means they would be allowed into the network, and then once they are in they turn bad.  Therefore, since the goal of attackers is to blend in, you need to track what the behavior is and rank the confidence level of whether it is looking more like a legitimate user or more like evil.

3) Focus on outbound traffic – inbound traffic is often what is used to prevent and stop attackers from entering a network.  While it will catch some attacks and is still important to do, with the APT it is the outbound traffic that is more damaging.  If the intent is to stop exfiltration of data and information, looking at the outbound traffic is how you detect anomalous behavior, which is tied to damage to an organization.

4) Understand the changing threat – it is hard to defend against something you do not know about.  Therefore, the only way to be good at defense is to understand and know how the offense operates.  If organizations do not continue to understand the new techniques and tactics of the attackers, they will not be able to effectively tune their defensive measures to work correctly.

5) Manage the endpoint – while attackers might break into a network as the entry point, they ultimately want to steal information that exists on endpoints.  If you want to limit the damage, controlling and locking down the endpoint will go a long way to protect an organization.

While the current threat is advanced, persistent, stealthy, and data focused, organizations can implement effective measures to protect their sites.

APT is only going to increase in intensity over the next year, not go away.  Ignoring this problem just means there will be harm caused to your organization.  The key theme of dealing with APT is "Know thy system/network."  The more an organization understands about its network traffic and services, the better it can spot and identify anomalies through clipping levels, which is the better way to defend against the APT.  The ultimate way to make sure an organization is properly protected is to run simulated attacks (i.e. penetration testing, red teaming, ethical hacking), see how vulnerable the organization is, and most importantly how quickly it was detected.  The key to making this successful is to 1) always get explicit approval, 2) run benign attacks, 3) make sure the people running the test are of equal expertise to the true attacker, and 4) fix any vulnerabilities in a timely manner.  The good news is, by focusing on understanding the threats and an organization's vulnerabilities, you can properly defend against the APT.
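As an added example (not code from the original article), the following Python script shows what the "reputation ranking on behavior", "focus on outbound traffic" and "clipping levels" points above look like in practice: a per-host clipping level is derived from a baseline of normal outbound volume, and each host's current outbound traffic is then given a confidence score that accumulates evidence rather than a single allow/block verdict. Host names, destinations, byte counts and the weights are constructed sample values, not data from the article.

```python
"""Outbound-traffic anomaly scoring with per-host clipping levels.

All data below is constructed for illustration. Each flow record is
(source host, destination, bytes sent, hour of day).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: seven days of normal outbound volume per host (bytes/day).
BASELINE_BYTES = {
    "ws-01": [2.1e6, 1.9e6, 2.4e6, 2.0e6, 2.2e6, 1.8e6, 2.3e6],
    "ws-02": [5.0e5, 6.1e5, 4.8e5, 5.5e5, 5.2e5, 5.9e5, 5.1e5],
    "db-01": [9.0e4, 8.5e4, 9.6e4, 8.8e4, 9.1e4, 8.7e4, 9.3e4],
}

# Constructed flows for "today".
TODAY_FLOWS = [
    ("ws-01", "cdn.example-partner.com", 2.0e6, 10),
    ("ws-02", "mail.example.com", 5.3e5, 11),
    ("db-01", "backup.example.com", 9.0e4, 2),   # scheduled backup, known destination
    ("db-01", "203.0.113.45", 4.2e7, 3),         # huge transfer, new destination, off hours
]

KNOWN_DESTINATIONS = {"cdn.example-partner.com", "mail.example.com", "backup.example.com"}
BUSINESS_HOURS = range(8, 19)


def clipping_level(samples, k=3.0):
    """Clipping level = baseline mean plus k population standard deviations."""
    return mean(samples) + k * pstdev(samples)


def score_host(host, flows, baseline, known_dests=KNOWN_DESTINATIONS):
    """Return (confidence in [0, 1] that the host's outbound traffic looks malicious, reasons).

    Evidence is accumulated: volume above the clipping level, never-seen destinations,
    and a spike outside business hours each add to the score instead of deciding alone.
    """
    total = sum(f[2] for f in flows)
    level = clipping_level(baseline[host])
    score, reasons = 0.0, []
    if total > level:
        score += 0.5
        reasons.append(f"outbound {total:.0f} B exceeds clipping level {level:.0f} B")
    new_dests = {f[1] for f in flows} - known_dests
    if new_dests:
        score += 0.3
        reasons.append(f"new destination(s): {sorted(new_dests)}")
    if total > level and any(f[3] not in BUSINESS_HOURS for f in flows):
        score += 0.2
        reasons.append("volume spike outside business hours")
    return min(score, 1.0), reasons


def rank_hosts(flows=TODAY_FLOWS, baseline=BASELINE_BYTES, alert_at=0.5):
    """Group flows by source host, score each host and return those at or above alert_at."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f[0]].append(f)
    ranked = [(host, *score_host(host, hf, baseline)) for host, hf in by_host.items()]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return [r for r in ranked if r[1] >= alert_at]


if __name__ == "__main__":
    for host, score, reasons in rank_hosts():
        print(f"{host}: confidence {score:.1f} -> {'; '.join(reasons)}")
```

In the constructed data only db-01 crosses its clipping level; the two workstations stay below theirs and produce no alert, which is the point of a per-host baseline rather than one global threshold.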

Companies are Really Using Intrusion Prevention Systems

With cloud sharing gaining great popularity, the need for an intrusion prevention system is increasing.  Many companies, especially those involved in e-commerce, are working hard to ensure their customers' privacy.  Because technology is changing so much and so quickly, companies large and small are taking cautionary measures.  Intrusion prevention systems are very helpful in preventing or curbing hacker access to important information.  They are an extra barrier alongside your firewall protection.

What does it do?
Intrusion prevention systems monitor networks and systems for malicious activity. The main job of intrusion prevention systems is to identify malicious activity, make note of it and then try to block or discontinue the action. Once that is done the activity is then reported. Being able to identify the intrusion also helps the company to figure where there are leaks and how their system can be improved. Without this system you can leave your company susceptible to all kinds of risks.

What types are available?
Intrusion prevention systems come in different types, such as network-based, wireless, network behavior analysis and host-based intrusion prevention.  They all serve the same purpose, but may go about it a little differently or just work on different systems.  Network-based oversees the whole network for malicious activity.  Wireless monitors a wireless network for malicious traffic.  Network behavior analysis observes network traffic to find red flags in changing traffic activity.  Host-based is a software package that you can install.  It monitors one host for malicious or unusual traffic activity.

Tips for Small Businesses from a Cyber Security Expert

The Internet offers small businesses a competitive advantage in a tough market thanks to the exposure they receive online. However, while they can compete with larger businesses online in terms of marketing and visibility, their IT budgets and security efforts simply can't keep up. Cybercriminals realize that small businesses are easy targets because they are less likely to have a security plan in place. Here are tips for small businesses from a cyber security expert whose personal mission is to secure organizations by creating solutions to unique and complex computer problems.

Create an Internet Policy
One of the best ways to keep critical data protected is by establishing guidelines and boundaries for employees, no matter how small the organization may be. An Internet use policy lets employees know what software and files are okay to download, how to create strong passwords, and which websites cannot be viewed while surfing the Web. Any security expert would agree that letting employees know their responsibilities when it comes to using the Internet is the first step towards a comprehensive security plan.

Install the Latest Anti-Virus Software
Most new computers come with anti-virus and anti-malware programs installed. However, an experienced cyber security expert recommends going above and beyond these basic software packages by purchasing a comprehensive security suite. Not only do they detect threats, but they automatically repair the system every time viruses or malware is detected. According to a computer security specialist, increasing the protection of critical data by paying for additional safety features is worth the investment because it brings small business owners the peace of mind they need.

Secure Wireless Connections
Some business owners do not secure their wireless connections because they don't realize how important this step is when it comes to protecting the company's information. If they had the same knowledge and experience as a trained cyber security expert, they would realize just how serious this threat is. Here are a few simple steps business owners can take to secure these connections:
• Change passwords regularly
• Add a VPN service
• Limit access to the network

Security Expert Advice: Choosing Strong Passwords

So far, 2011 has been a big year for cyber-attacks. American businesses and the United States government were the targets of hackers who stole credit card information, took down websites, and deleted military files. These attacks sent companies and government agencies scrambling to explain how their data was stolen, compromised, or lost. It also forced them to examine their computer security practices. As they attempt to pick up the pieces, security experts are using these events to emphasize the importance of good risk management – namely preventing targeted attacks against companies before it's too late. One way of increasing cyber security is by creating strong passwords. Here are tips for protecting your personal or professional digital identity, straight from a computer security specialist.

• Use a combination of letters and numbers – never use only one or the other.
• Stay away from using names of spouses, children, or pets.
• Use a bizarre combination of words that only you would remember.
• Don't use your phone number or birthday – these are considered "weak" passwords.

Just about everyone has at least one password; some people have upwards of ten. According to technology writer Clive Thompson, "the truth is we humans are pretty bad at remembering characters that make for a really strong password." For people who need multiple passwords, remembering just one would be easier but such a shortcut is also dangerous. As difficult as it may be, the importance of choosing a unique and complex combination of letters and numbers cannot be emphasized enough. Any experienced security expert will tell you that weak and non-existent passwords are partly to blame for online security breaches, so your safety depends on generating a strong password for each different account.

Tips for Using an Expert Witness Effectively

In our culture we are urged to "trust the expert" – even in a court of law. The simple fact that the testimony of an expert witness is admissible in a trial shows how much we value the opinions of people who are considered authorities in their fields. This can have a very persuasive effect on a case, as long as the experts are carefully chosen and thoroughly prepared. Here are some tips for using an expert witness successfully.

• Examine the case and determine what kind of expert you need.
• Search trade organizations, referrals, and the Internet for expert witness options.
• Analyze potential experts based on the following: reputation, experience, qualifications, scholarly work
• Choose as many as necessary, and make sure to fully understand their opinions.
• Help the expert witness become familiar with the case.
• Work with the expert on his or her report through guidance, but it should reflect his or her own opinions.
• Prepare the witness for examination.

From selection to a successful testimony at trial, there is a lot of research and preparation that goes into finding the best expert witness.  Just because a person has a lot of experience in his or her field doesn't necessarily mean he or she has what it takes to deliver a successful expert witness testimony.  Interview every option and spend time talking with them to find experts who have pleasing yet firm personalities and perform well under the highest degree of pressure.

Travel Tips from a Security Expert

Most businesses recognize the critical need to implement security measures in the office. Now that people can connect to wireless networks through their mobile devices, new technologies are breaking down office walls. And according to any security expert, this raises serious concerns. Businesses whose employees travel, work from home, or simply view important documents on their laptops or smartphones anywhere they go are exposing critical data to hackers, cybercriminals, and other security breaches. Here we will focus on tips for staying protected while traveling, straight from a computer security specialist.

Back up your mobile devices – including laptops and cell phones – before taking that important business trip.  If you have any important information stored on them that you won't need during the trip, don't bring it with you.  When you return you will be able to put any and all of this data back onto your devices if necessary.

Any security expert will tell you to make sure your anti-virus software is current. This will prevent your devices from being infected by dangerous viruses and malware that can damage your system and affect important data files. It is important to have this software enabled during the entire trip. Taking a vacation from your anti-virus security software is a mistake that can cost you critical information, or worse – your job.

Use a hard-wired connection whenever you can. Sure wireless networks are convenient, but they carry a higher risk of security breaches. Many hotels come equipped with a cable you can use, but if you don't see one in the room, ask the front desk. If you must use a wireless connection, either at the hotel or in the airport, only use encrypted hotspots for maximum protection.
