in a crisis - SC Magazine

Transcription

FEBRUARY 2015 •  WWW.SCMAGAZINE.COM 
REVIEWED IN OUR GROUP TEST
Centripetal P40
Merges cyber threat
intelligence and stack
management
COOL
IN A CRISIS
FEATURES:
How you communicate during an attack
is as important as your response, says
Ron Green, CISO, MasterCard. P20
Canada’s internet
voting problem
Many Canadian municipal officials
are elected via the internet, even as
agencies prohibit the practice. PC1
Unifying principle
Is the time right for national data
breach legislation? There are signs
that this may be the year. P24
Norse P43
Cadillac of cyberthreat intelligence
does everything
Recorded Futures P45
Technically oriented,
open source intelligence
service
VOLUME 26 NO. 2 • February 2015 • WEBSITE WWW.SCMAGAZINE.COM • EMAIL [email protected]
We see the threats that others might miss.
You might have missed the predator lying in wait, but AT&T wouldn’t.
That’s because we built and manage a highly secure global network
that serves every one of the Fortune 1000. This unparalleled visibility
means we’re uniquely placed to help protect your entire enterprise,
leaving you free to mobilize your business with confidence.
AT&T Security Services. We see the full picture. att.com/security
REGULARS
PRODUCT REVIEWS
4 Editorial It’s going to take savvier
38
Product section
preparation.
We are increasing the number and
the space of emerging products.
8 Threat report Russia was the top
39
Emerging products:
producer of zombie IP addresses
Threat intelligence
Solid intelligence analysis can
go a long way toward protecting
against the ravages of a Sony-style
compromise.
10 Threat stats There were 8,311,693
attacks in the U.S.
12 Update In Canada, Bill C-51 widens
government surveillance powers.
13 Debate Mobile malware is mobile
security’s biggest threat.
14 Two minutes on…Tidal waves of
spoofed traffic: DDoS attacks.
T:10.5”
B:11.25”
S:10”
15 Me and my job Kristi Carrier,
quality auditor, Nuspire Networks.
16 From the CSO’s desk Breach
response, by ViJay Viswanathan, CISO,
HD Supply.
17 Opinion Are mobile apps risky
business?, by Rich Boyer, NTT Com
Security.
18 Letters From the online mailbag.
19 Analysis Usability as a protection
feature, by Ian Hamilton, CTO, Signiant.
49 Calendar A guide to upcoming IT
security shows, events and courses.
50 Last word The security model is
broken, by Craig Shumard, principal,
Shumard and Associates.
Ron Green, EVP and CISO, MasterCard P20
FEATURES
20 COOL IN A CRISIS:
Breach response
How you communicate during an attack
is as important as your response, says
Ron Green, CISO, MasterCard.
C1 Canada’s internet voting
problem
Many Canadian municipal officials
are elected via the internet, even as
agencies prohibit the practice.
24 Unifying principle:
Data breach legislation
Is the time right for national data
breach legislation?
28 Defense from the top: FISMA 2.0
The DHS will gain more control when a
FISMA update is passed.
30 On air: Case study
A radio network made certain its cloud
was defended.
33 Help wanted: Hiring crisis
Recruiters say that corporations need
to rethink their defenses to address
critical talent shortages.
36 Making the grade: Case study
Kristi Carrier P15
© 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks
contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.
Craig Shumard P50
Recorded Futures P45
A Chicago-area high school found a
solution to broaden its internet pipeline
and maintain compliance.
Cover photo by David Torrence Photography
SurfWatch Labs P47
SC Magazine™ (ISSN No. 1096-7974) is published monthly,
10 times a year, with combined December/January and July/
August issues, by Haymarket Media Inc., 114 West 26th Street,
4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax
646-638-6110. Periodicals postage paid at New York, NY 10001 and
additional mailing offices. POSTMASTER: Send address changes
to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2015
by Haymarket Media Inc. All rights reserved. Annual subscription
rates: United States: $98; Canada and Mexico: $110; other foreign
distribution: $208 (air service). Two-year subscription: United
States: $175; Canada and Mexico: $195; other foreign distribution:
$375 (air service). Single copy price: United States: $20; Canada,
Mexico, other foreign: $30. Website: www.scmagazine.com.
Haymarket Media uses only U.S. printing plants and U.S. paper
mills in the production of its magazines, journals and digests which
have earned Chain of Custody certification from FSC® (Forest
Stewardship Council®), SFI (Sustainable Forestry Initiative) and
from PEFC (Programme for the Endorsement of Forest Certification
Schemes), all of which are third party certified forest sustainability
standards.
www.facebook.com/SCMag
www.scmagazine.com/linkedin
www.twitter.com/scmagazine
Editorial
It’s going to take savvier preparation
P
utting aside the continuous debate on
attribution of the Sony breach and, now,
the discourse on possible regulatory and
legislative outcomes quickly glomming onto
the massive media attention this incident garnered, I think it’s important to look at a few
other practical takeaways from this headlinegrabbing attack.
I’m not at all minimizing the importance of
keeping a close watch on federal government
and congressional leaders’ use of the Sony hack
to push whatever specific agendas they may
have – such as resurrecting a range of measures
that could give government bodies the legal
means to access private data about individuals without search warrants; exempt them
from citizen-protecting oversight measures,
like Freedom of Information Act requests; arm
them with the ability to furnish any entity that
shares desirable data with them immunity from
prosecution; and more. Indeed, the political,
philosophical, privacy-right, U.S./nation staterelation and other potential ramifications of
this breach must be monitored closely.
Putting all these concerns aside, though,
a key realization for cybersecurity pros and
their executive leaders alike should be to
acknowledge the need for a well-practiced
crisis management plan and an examination
and investment in security analytics/threat
intelligence gathering solutions and procedures. As we highlight in this edition’s cover
story and our Emerging Products reviews,
these areas are vital to helping organizations
deal with the intensifying threat landscape
that hallmarked last year and will continue to
be the major characteristic of this one.
It’s because of this fact that analyst firms
like Gartner call out as a major technology
trend for 2015 more thorough, well-planned
data analytics and security initiatives that
give organizations’ CISOs and their
teams actionable security intelligence
to battle known and unknown threats.
This data, in turn, not only might help
prevent attacks, but also aid them in
mitigating the impacts of a breach
when it does happen. Reducing the
time it takes to detect a network
infiltration should help security teams
reduce the damage it may cause and
more handily implement and adhere
to that crisis/business continuity
management plan we discuss in our
feature pages.
The complexities of cyberattacks likely will grow,
impacting companies, private
citizens, government agencies and the U.S.’s relations with other nations in
ways we’ve yet to imagine.
The imaginable, meantime,
reveals that there are areas for
most companies to improve
upon, lessons to be had from
the many organizations victimized so far, and steps and supporting technologies to implement
that will enable all the preparations needed to best manage and
endure the calamity of the now
inescapable breach.
WILL hurt you
It’s time to better educate
yourself on all the latest in
cybersecurity.
Visit our Whitepaper Library
and learn more about what you
WILL need to know.
Illena Armstrong is VP, editorial of
SC Magazine.
...a major technology trend
for 2015: more thorough data
analytics...”
4 SC • February 2015 • www.scmagazine.com
What you don’t know
whitepapers.scmagazineus.com
SC CONGRESS 24/7
SC Magazine has created a free virtual
environment that is open year-round.
Each month we host online events
focused on subjects that you – as an
IT security professional – face on a
regular basis.
FEB. 12
SIEM
Deploying and managing security
information and event management
systems can tax the brain and
12 budget. However, if done right,
these solutions can be a huge
benefit to the overall security stance of
an organization, providing insight into
what’s happening on the entire network
and enabling security teams to focus on
the most pressing priorities. We explore
the many challenges organizations face
when deploying SIEM and offer remedies that can optimize their use.
UPCOMING
WEB APPLICATION SECURITY
We talk to experts about the trials of
safeguarding web apps, finding out
practical steps for protecting this entré
into business networks.
PCI COMPLIANCE
The implementation of chip-and-PIN
technologies should alleviate some
threats presented by magnetic-strip
technologies, but will it be enough to
prevent further data breaches?
FOR MORE INFO
For information on SCWC 24/7 events,
please contact Jourdan Davis:
[email protected].
For sponsorship opportunities,
email Mike Alessie at mike.alessie@
haymarketmedia.com or phone him at
(646) 638-6002. Or visit scmagazine.
com/sc-congress-247-whats-new/
section/1223/.
SC MAGAZINE EDITORIAL ADVISORY BOARD 2015
Rich Baich, chief information security officer,
Wells Fargo & Co.
Greg Bell, global information protection and
security lead partner, KPMG
Christopher Burgess, CEO/president, Prevendra
Jaime Chanaga, managing director,
CSO Board Consulting
Rufus Connell, research director,
information technology, Frost & Sullivan
Dave Cullinane, CEO, Security Starfish;
former chief information security officer, eBay
Mary Ann Davidson, chief security officer, Oracle
Dennis Devlin, chief information security officer,
chief privacy officer and senior vice president of privacy
practice, SAVANTURE
Gerhard Eschelbeck, chief technology officer and
senior vice president, Sophos
Gene Fredriksen, global information security officer,
PSCU
Maurice Hampton, director, field operations, Qualys
Paul Kurtz, partner and chief operating officer,
Good Harbor Consulting
Kris Lovejoy, general manager, IBM Security
Services
Tim Mather, chief security officer, Apigee
Stephen Northcutt, director, The SANS Institute
Randy Sanovic, owner RNS Consulting; former
general director, information security, General Motors
* Howard Schmidt, partner, Ridge-Schmidt Cyber
Ariel Silverstone, chief security officer adviser,
GNN; former chief information security officer, Expedia
Justin Somaini, chief trust officer, Box; former chief
information security officer, Yahoo
Craig Spiezle, executive director and president,
Online Trust Alliance; former director, online safety
technologies, Microsoft
Amit Yoran, senior vice president, RSA, the security
division of EMC
* emeritus
WHO’S WHO AT SC MAGAZINE
EDITORIAL
U.S. SALES
VP, EDITORIAL Illena Armstrong
[email protected]
VP, SALES David Steifman (646) 638-6008
[email protected]
ASSOCIATE EDITOR Teri Robinson
[email protected]
EAST COAST SALES DIRECTOR Mike Shemesh
(646) 638-6016 [email protected]
MANAGING EDITOR Greg Masters
[email protected]
WEST COAST SALES DIRECTOR Matthew Allington
ONLINE EDITOR Marcos Colón
[email protected]
EVENT SALES DIRECTOR Mike Alessie
SENIOR REPORTER Danielle Walker
[email protected]
ACCOUNT EXECUTIVE Ife Banner
REPORTER Adam Greenberg
[email protected]
ACCOUNT EXECUTIVE Gabby Brown
646-638-6101 [email protected]
ACCOUNT EXECUTIVE Jessica Andreozzi
SALES ASSISTANT Kelli Trapnell
MARKETING DIRECTOR Karen Koza
[email protected]
EDITORIAL ASSISTANT Ashley Carman
SC LAB
TECHNOLOGY EDITOR Peter Stephenson
[email protected]
SC LAB MANAGER John Aitken
[email protected]
LEAD REVIEWER Jim Hanlon
[email protected]
PROGRAM MANAGER Judy Traub
[email protected]
REGULAR CONTRIBUTORS
James Hale, Karen Epper Hoffman,
Stephen Lawton, Jim Romeo
MARKETING MANAGER Rochelle Turner
[email protected]
LEAD GENERATION CAMPAIGN MANAGER
Jennifer Brous [email protected]
SC MAGAZINE LIST RENTAL
REACH MARKETING
VP, MARKETING SOLUTIONS Wayne Nagrowski
DESIGN AND PRODUCTION
CIRCULATION
ART DIRECTOR Michael Strong
[email protected]
AUDIENCE DEVELOPMENT MANAGER
Richard Scalise (646) 638-6190
[email protected]
PRODUCTION MANAGER Krassi Varbanov
[email protected]
SC EVENTS
PROGRAM DIRECTOR, SC CONGRESS
Eric Green [email protected]
EVENTS DIRECTOR Adele Durham
[email protected]
EVENTS MANAGER Maggie Keller
[email protected]
ASSOCIATE MANAGER, VIRTUAL EVENTS
Jourdan Davis [email protected]
SENIOR MARKETING MANAGER
Edelyn Sellitto (646) 638-6107
[email protected]
SUBSCRIPTION INQUIRIES
CUSTOMER SERVICE: (800) 558-1703
EMAIL: [email protected]
WEB: www.scmagazine.com/subscribe
MANAGEMENT
CEO, HAYMARKET MEDIA Lee Maniscalco
COO John Crewe
You’
re
invited!
2015 SC Awards
Tuesday, April 21, 2015
InterContinental San Francisco
Visit awards.scmagazine.com
to view the finalists and book tickets.
DataBank
ThreatReport
Cybercriminal activity across the globe, plus a roundup of security-related news
ONTARIO, CANADA – It seemed
ST. LOUIS – St. Louis Parking
Company announced that customer credit and debit card information was compromised. Customers
who used its public parking lot at
Union Station between Oct. 6 and
Oct. 31 may have been impacted.
The affected server was identified
and isolated to avoid any additional
data from being compromised.
MEXICO – Government and academic
websites in Mexico were taken down
or defaced, or were redirecting visitors
to another webpage. The attacks were
reportedly carried out by members of
Anonymous protesting how the government handled the abduction of 43
students.
that Ontario government websites were
hacked, but in actuality the third-party
domain routing service that routes traffic
to the government’s site was compromised. No personal information or any
government data was compromised.
MASSACHUSETTS – TD Bank
agreed to pay a $625,000 settlement in the aftermath of a March
2012 data breach that occurred when
two unencrypted backup tapes went
missing during a courier run between
its offices in Haverhill and Springfield,
Mass. The breach impacted more
than a quarter of a million consumers
across the country, including more
than 90,000 in Massachusetts.
Colored dots on the map show levels of spam delivered via compromised computers
(spam zombies). Activity is based on the frequency with which spam messaging
corresponding with IP addresses is received by Symantec’s network of two million
probes with a statistical reach of more than 300 million mailboxes worldwide.
HIGH-LEVEL ACTIVITIES
MEDIUM-LEVEL ACTIVITIES
LOW-LEVEL ACTIVITIES
RUSSIA – Group-IB and Fox-IT jointly
released a report on Anunak, a group of
hackers targeting banks and ATMs, payment providers, retailers and news, media
and PR companies. The average theft in
Russia and Commonwealth of Independent States (CIS) for Anunak is $2 million
per incident.
IRAN – Security company Cylance
identified a hacker group out of Iran that
has been steadily amassing information
from infrastructure-related companies,
possibly in preparation for an attack. The
group is believed to have infiltrated more
than 50 organizations in 15 industries in
16 countries.
SOUTH KOREA – Researchers with
Trend Micro identified a wave of banking trojans targeting several banks in
South Korea that use Pinterest as their
command-and-control channel. Users
in South Korea were observed becoming infected by visiting compromised
websites leading to exploit kits.
AUSTRALIA – New ransomware with
China top producer of zombie IP addresses
For the period reported, the EMEA region (Europe,
Middle East, Africa) was the leading source of all
zombie IP addresses. Of the countries making up the
EMEA, Russia was the top-producing country. For the
other regions the top producers were Argentina in
South America, the U.S. in North America and China
in the Asia-Pacific region. Source: Symantec
the name ‘CryptoLocker’ – with a low
detection rate on VirusTotal – is being
delivered via emails that purport to come
from the State Debt and Recovery Office
in Australia. The email claims that the
recipient was caught driving in excess of
the speed limit and must pay a fine.
www.scmagazine.com • February 2015 • SC 9
DataBank
ThreatStats
Zombie IPs Global distribution
11/25/14
12/2/14
12/9/14
12/16/14
12/23/14
Source: Fortinet
Iran
Vietnam
Top countries By attack volume
Asia Pacific 4.2B
6.5
6.0
5.5
5.0
4.5
4.0
3.5
3.0
2.5
2.0
1.5
1.0
09/14
10/14
11/14
12/14
The index queries information security industry professionals monthly to gauge their perceived risk to the corporate, industrial and governmental information infrastructure from a spectrum of cyber security threats. A higher index value indicates a perception of increasing risk, while a lower index value indicates the opposite.
Source: ICS, www.cybersecurityindex.com
United States 74%
UK 9%
Africa & Middle East 1.4B
North America
08/14
5. Bugat/Cridex/Feodo trojan (goes by all three names)
SMS spam Volume by month for each region
South America
07/14
Argentina
There were 8,311,693 attacks in the United States last month, primarily
originating from New York; Atlanta; Ashburn, Va.; Dallas; Redmond, Wash.
There were 22,577,795 foreign attacks last month, primarily originating
from Amsterdam; Tokyo; Moscow; London; and Sao Paulo.
Source: Dell SecureWorks
Source: Privacy Rights Clearinghouse (data from a service provided by DataLossDB.org, hosted by the Open Security Foundation)
04/14 05/14 06/14
Taiwan
Europe 2.9B
Rate of change
(continuously compounded)
03/14
Russia
(as of Jan. 15)
Index value
01/14 02/14
China
Zombie IP addresses are recorded in CYREN’s database as having sent
spam in the past 24 hours. These are infected computers (zombies) that
are unknowingly sending spam. Based on the IP address, the company can
determine the country of the spam-zombie and then sums up the spamzombies per country.
Source: CYREN (formerly Commtouch Software Online Labs)
Index of cyber security Perceived risk
2,550
2,450
2,350
2,250
2,150
2,050
1,950
1,850
1,750
1,650
1,550
1,450
3. Rerdom trojan
4. Allaple.A worm
India
47
2. Butterfly bot
3.3%
11/18/14
Top 5 attacks used by foreign hackers
3.7%
11/11/14
5. Allaple.A worm
1. ZeroAccess trojan
TOTAL number of records containing sensitive personal information involved in breaches
in the U.S. since January 2005:
932,729,111
4. Asprox/Danmec trojan (trojan goes by both names)
3.8%
WellCare
Residents were notified by WellCare Health that some of their
Health Plans
personal information was exposed when their Medicare reMonroe County, N.Y. cords were “mishandled” by a sub-contractor for the insurer.
3. ZeroAccess trojan
3.9%
55,000
12.3%
Highlands-Cashier hospital in North Carolina informed
patients of a data breach to its servers that contained patient data. The disclosure of the data was due to an error
by one of their third-party vendors, TruBridge, a subsidiary
of Computer Programs and Systems, when they were contracted to complete some specialized computer services.
2. Rerdom trojan
12.6
HighlandsCashier
Hospital
Highlands, N.C.
10.6
Millions
1. Upatre Downloader trojan
7.5%
A group calling itself “LizardSquad” hacked both gaming
networks on Christmas Day. According to Krebs on Security,
the attack prevented millions of users from playing the past
holiday season.
8.1
Sony Play
Station,
Microsoft
xBox Networks
8.0%
949,528
936,675
924,629
916,577
906,268
896,589
Type of breach
7.2%
December
average of daily Android samples
971,416
November
average of daily
Android samples
1,335
Number
of records
Name
6.4%
mobile malware
10.7%
Top breaches in December Data loss
Monthly evolution of
1,328
10.1%
Upatre Downloader trojan was the leading attack used by U.S. hackers
Top 5 attacks used by U.S. hackers
Nov.
Dec.
The U.S accounted for nearly
75% of attack volume in
November 2014, followed by
the U.K., Canada and
South Africa.
Canada 4%
892.9M
South Africa 3%
852.2M
0
1B
2B
3B
4B
5B
6B
0%
20%
40%
60%
Source: Cloudmark
80%
Source: RSA Monthly Fraud Report
Internet dangers Top 10 threats
Name
Movement
First observed
Type
Last month
Months on list
p
12/03/10
virus
10
5
Same
09/17/14
downloader
2
2
1.
RAMNIT.I
2.
OGIMANT.GEN!C
3.
ELKERN.B
p
05/16/12
virus
6
12
4.
PICSYS.C
p
01/08/11
worm
1
14
5.
TUGSPAY.A
p
07/07/14
downloader
5
7
6.
LMIR.AAV
p
02/14/11
passwordstealer
0
0
7.
SOLTERN.L
01/08/11
worm
12
1
8.
RAMNIT.J
p
12/07/10
virus
0
0
9.
GUPBOOT.B
p
01/31/13
bot
1
17
10.
LORING
p
02.06/11
downloader
9
19
Source: Motive Security Labs (formerly Alcatel-Lucent Kindsight Security Labs)
Update
2 minutes on...
Tidal waves of
spoofed traffic
P14
Me and my job
Reviewing the
efforts of security
engineers P15
NEWS BRIEFS
Information security
analyst in healthcare
P15
Under attack
» The Canadian government
has introduced Bill C-51, an ‘antiterror’ bill that will broaden the
surveillance powers of government
agencies.
The law, which is the largest revision of Canada’s security laws since
it responded to the 9/11 attacks,
revises several other pieces of
legislation, including the CSIS Act
that governs the country’s national
intelligence service. Among the
measures introduced are the right
to force ISPs to remove information
deemed to be promoting terrorism.
The bill also enacts two new laws:
the Security of Canada Information Sharing Act and the Secure Air
Travel Act.
The former empowers Canada’s
government institutions to share
information on Canadians. These
agencies range from the domestic
CSIS intelligence agency and the
Communications Security Establishment (CSE) foreign-focused spy
agency, through to the RCMP, the
Canadian Border Services Agency
and the Department of Foreign
Affairs.
Canada’s Privacy Commissioner
Daniel Therrien responded
negatively to the bill’s informationsharing provisions. “It is not clear
that this would be a proportional
measure that respects the privacy
rights of Canadians,” he said.
Therrien added that the privacy
problems created by the information sharing measures could be
exacerbated by gaps in the national
security oversight regime.
“Three national security agencies in Canada are subject to
Skills in demand
A third of security professionals polled believed that a loss of intellectual
property had caused a lack of competitive advantage.
dedicated independent oversight
of all of their activities,” he said in a
statement. “However, most of the
organizations that would receive
and use more personal information
THE QUOTE
...the breach
at Sony may
have been led
by former Sony
employee(s)...”
– Eric Chiu, president
and cofounder, HyTrust
under the legislation introduced
today are not.”
»One of Canada’s intelligence
agencies has been secretly monitoring file downloads across the
world for years, it was revealed last
month. The Communications
Security Establishment (CSE)
has been analyzing metadata on
10-15 million downloads from filesharing sites each day.
The top secret initiative, called
LEVITATION, targets 102 filesharing sites, in a bid to discover
people linking documents to terrorist activity. Of the downloads
discovered, it finds about 350
“interesting” downloads each
month from around 2,200 URLs,
said the report.
CSE analysts would gather infor-
Canada’s companies
are ill-prepared to
meet modern cybersecurity challenges,
according to a survey
by the Ponemon Institute. Only one in four
believe that they are
winning the cybersecurity war, said the
survey of 623 IT and
security practitioners
commissioned by IT
services firm Scalar
Decisions. Almost
half of all respondents
experienced an attack
in the last year that
exposed sensitive
information.
mation including the downloader’s
IP address and the browser and
operating system that they were
using. They would also correlate
other data with the IP address
to gain social media IDs. It would
result in an ordered list of suspects
that would then be delivered to a
third party.
Successes from the project
included determining an Al-Qaeda
group’s hostage strategy, said a
leaked Powerpoint presentation, in
addition to finding a hostage video
from a previously unknown target.
Details of the campaign came
from The Intercept, an online publication designed as a platform to
leak information from the Edward
Snowden documents, edited by
journalist Glenn Greenwald, one
of his original contacts.
Debate» Mobile malware is a real threat to mobile security.
FOR
Mobile devices are spreading at
phenomenal rates, with more
than 90 percent of people using
a mobile phone and 2.3 billion
accessing the web from mobile
devices. However, they are very
attractive targets for criminals
Aaron Cockerill – mobile malware grew 20 perVP of enterprise
product, Lookout
cent last year.
Mobile devices are the weakest point in the
enterprise IT ecosystem, providing a means
for app-, device- and network-based attacks.
In fact, mobile devices are the least secured
aspects of cloud-based APIs. Because the flood
of smartphones and tablets employees are
bringing to work are typically personal, IT does
not get to manage them. Employees use the
devices to access confidential documents one
minute and untrustworthy social apps the next.
Mobile devices are tied to the individual, making spear phishing and other targeted malware
attacks particularly frightening: If attackers
want to get data from a company’s Salesforce.
com account, their easiest avenue of attack is to
target the phone of the head of sales. Mobile is
becoming the dominant platform for access to
cloud-based computing and it requires specific
protection that traditional security solutions
simply don’t address.
AGAINST Enterprises continue to produce
more web applications in order
to drive their businesses. Yet
their inability to scale current
application security programs
means only business-critical
applications are audited for
Chris Wysopal security. This leaves a significant
co-founder, CTO and
CISO, Veracode
number of web applications
vulnerable, creating long-term security threats
as cybercriminals attack the path of least resistance into an IT infrastructure, without regard
to whether the application is business critical or
a little-used website. While mobile devices can
leak data, they don’t put bulk data and infrastructure at risk. Because of this, mobile isn’t
the biggest threat to enterprise security – web
applications are.
Research shows that in 2015 enterprises will
leave up to 70 percent of internally developed
web and mobile applications unaudited for
common vulnerabilities such as SQL injection.
While enterprises will produce both mobile
and web applications, it is unchecked or forgotten web applications that provide a breach
path to sensitive data like corporate IP or
customer information. Security testing of all
web applications should be the number one
security priority.
THE SC MAGAZINE POLL
No
62%
Yes
38%
To take our latest weekly poll, visit www.scmagazine.com
Compromise, Exfil,
Wipe, Repeat
What is it?
The recent Sony breach
has shown us a new
potential future for attacks
on computer networks
that results in an organization being compromised,
massive data exfiltration
and finally systems being
disabled.
How does it work?
What is different is what
attackers do once they get
a foothold in your environment. For example making
the goal to get Domain
Admin credentials in a
Windows environment for
complete compromise vs.
just hunting out the SQL
server that stores sensitive
data.
Dec. 14
Should I be worried?
You should be worried
in the context that most
existing compromises
related to cybercrime
result in a level of access
that such exfil and wipe
scenarios could also have
happened.
Dec. 22
How can I prevent it?
Once attackers break in
you must raise the bar to
detect them earlier on vs.
make their job easier by
storing password after
password in plaintext readable files.
THE STATS
Is it the media’s duty to inform the public of
the contents of documents leaked by hackers?
THREAT OF
THE MONTH
Sony litigator David Boies
demands media delete
stolen information provided
by hackers Guardians of
Peace.
Thousands of emails are
stolen from Sony Pictures
CEO Michael Lynton and
released by Guardians of
Peace.
— Marc Maiffret, chief technology
officer, Beyond Trust
Update
2 MINUTES ON...
Tidal waves of spoofed traffic
W
hile massive retail
breaches dominated
headlines in 2014,
with hacks involving statesponsored threats coming in
a strong second, distributed
denial-of-service (DDoS)
attacks continued to increase,
both in the volume of malicious traffic generated and
the size of the organizations
falling victim.
Recently, both the Sony
PlayStation and Xbox Live
gaming networks were taken
down by Lizard Squad, a
hacking group which is adding to the threat landscape by
offering for sale a DDoS tool
to launch attacks.
The Sony and Xbox takedowns proved that no matter how large the entity and
network, they can be knocked
Briefs
offline. Even organizations
with the proper resources in
place to combat these attacks
can fall victim. But looking
ahead, how large could these
attacks become?
According to the “Verisign
Distributed Denial of Service
Trends Report,” covering
the third quarter of 2014,
the media and entertainment
industries were the most targeted during the quarter, and
the average attack size was
40 percent larger than those
in Q2.
A majority of these insidious
attacks target the application
layer, something the industry
should be prepared to see
more of in 2015, says Matthew Prince, CEO of CloudFlare, a website performance
firm that battled a massive
DDoS attack on Spamhaus
early last year.
Of all the types of DDoS
attacks, there’s only one Price
describes as the “nastiest.”
And, according to the “DNS
Security Survey,” commissioned by security firm Cloudmark, more than 75 percent
of companies in the U.S. and
U.K. experienced at least one
DNS attack. Which specific
attack leads that category?
You guessed it. “What is by
50%
of all DDoS attacks
targeted media and
entertainment
Source: Verisign
far the most evil of the attacks
we’ve seen…[are] the rise of
massive-scale DNS reflection
attacks,” Prince said.
By using a DNS infrastructure to attack someone else,
these cyber assaults put pressure on DNS resolver networks, which many websites
depend on when it comes to
their upstream internet service providers (ISP).
Believing these attacks
are assaults on their own
network, many ISPs block
sites in order to protect themselves, thus achieving the
attacker’s goal, Prince said.
By doing so “we effectively
balkanize the internet.”
As a result, more and more
of the resolvers themselves
will be provided by large
organizations, like Google,
OpenDNS or others, says
Prince.
That in itself could lead to
an entirely different issue:
Consolidating the internet.
– Marcos Colón
JOBS MARKET
Me and my job
Kristi Carrier
quality auditor, Nuspire Networks
How do you describe your
job to average people?
I’m a quality auditor at Nuspire Networks, a managed
security service provider. In
my role, I’m responsible for
reviewing the performance
of our security engineers
to ensure network security
events are being diagnosed
and acted upon in a timely
manner that supports best
practice and adheres to established guidelines.
What was one of your
biggest challenges?
Overcoming the general lack
of education and concern
regarding the need for network security. The aftermath
of a security breach isn’t
pretty and it’s paramount
for organizations to not only
understand network and
security vulnerabilities, but
also implement the necessary
safeguards to mitigate such
risks.
What keeps you up at
night?
Knowing the threat landscape is radically progressing
and attacks are becoming
increasingly difficult to predict and anticipate.
Why did you get into IT
security?
It’s a space where you must
stay one step ahead of
offenders who are constantly
employing more sophisticated threats – meaning
there’s always a new problem
to solve. While challenging, I
immensely enjoy developing
solutions to address evolving
threats. Not to mention, it’s
very rewarding to be involved
in the creation of an effective
security solution.
What makes you most
proud?
I’m most proud to work in
a field that enables others
to securely utilize the many
advantages offered by technology.
How would you use a
magic IT security wand?
I’d use it to enlighten others
of the need for implementation of effective network
security safeguards. Specifically, pairing security
information and event management (SIEM) with an
effective security operations
center (SOC) can be the most
effective line of defense for
network security.
Skills in demand
An information security
analyst in a healthcare environment is responsible for
vulnerability assessments,
developing and managing
information systems security
– including disaster recovery,
network protection and identity access management.
What it takes
In-depth experience with
healthcare systems and a
strong knowledge of HIPAA
regulations and overall IT
system security, including
infrastructure, software, apps,
audit and compliance. It is also
critical to communicate well
with the highest levels.
Compensation
Base compensation will range
from $90K-$120K, often with
additional incentives.
– Domini Clark, principal, executive and
technical recruitment, Blackmere
Company news
»
Rick Wescott has joined
Redwood City, Calif.-based
ThreatStream, a SaaS-based
cybersecurity threat intelligence
platform, as vice president of
worldwide sales. W. Todd
Helfrich also has joined the
company as director of federal
sales. Wescott will be responsible for making sure the sales
organization meets its goals and
also for sales enablement, sales
forescasting and strengthening
the sales purchasing process.
Helfrich will build the federal
business and help identify and
Rick Wescott, vice president of
worldwide sales, ThreatStream
close new federal opportunities.
Both men have extensive experience in the security field, with
Wescott most recently working
at ArcSight and Helfrich most
recently working at HP on the
Department of Homeland Security account.
work on its core threat exposure
management portfolio.
»Rapid7, a Boston-based
based provider of website security and PCI compliance, has
partnered with GlobalSign,
the security division of GMO
Internet Group. GlobalSign,
a identity services provider,
will bundle SiteLock’s website
security products with solutions
for customers who purchase
specific SSL certificated in
certain markets, including Latin
America.
security analytics software and
services provider, has secured
$30 million in additional funding
from its investors, Bain Capital
and Technology Crossover
Ventures. The investment will
help Rapid7 maximize on growth
opportunities and build better
enterprise security programs.
The company will also continue to
12 patents, with 12 more pending, Curry comes to Arbor from
MicroStrategy and RSA. He
will lead Arbor’s product strategy
and innovation roadmap.
»SiteLock, a Scottsdale, Ariz-
»Brandon Hoffman has
Sam Curry, CTO and CSO,
Arbor Networks
»Arbor Networks has
appointed Sam Curry as its
new CTO and CSO. A well-regarded industry technologist holding
joined Somerset, N.J.- based
Lumeta, a network situational
awareness platform provider, as
CTO. Hoffman will focus on business development and strategic
relationships with technology integration partners, consulting/advisory firms, cloud service providers,
managed security providers and
federal systems integrators and
channel partners. He will report to
CEO Pat Donnellan, Previous to
joining Lumeta, Hoffman worked
as the federal CTO at RedSeal,
where he helped define solutions
and strategies to serve top government priorities.
»iSIGHT Partners, a Dallasbased provider of cyberthreat
intelligence for global enterprises, has closed a $30 million
Series C equity-financing round
with Bessemer Venture
Partners, which has helped
finance eight other cybersecurity firms. The investment
will allow iSIGHT to expand its
advanced threat intelligence to
fight against cyberattacks. The
funding also will aid in developing new integration partnerships
and buildup the company’s sales
and marketing engine.
Follow us on Facebook,
LinkedIn and Twitter
Opinion
From the CSO’s desk
Breach response: Are you prepared?
Jonathan Lewis
director, product marketing,
SSH Communications Security
B
ViJay Viswanathan
I
t’s not a question of if but
rather when a breach will
occur. The number of U.S.
data breaches tracked in 2014
reached a record high of 783,
according to a recent report
released by the Identity Theft
Resource Center. While the
larger incidents received a lot
of spotlight, the fact remains
that exposure of a single
record still constitutes a data
breach. With a 27.5 percent
increase in incidents since
the year previous, it’s imperative for organizations of any
size to develop a functional
breach response plan (BRP).
The best place to start:
Your existing incident
response plan. How do
you manage and address a
malware infection or how do
you address unauthorized
or elevated role privileges?
Streamline your incident plan
with clear IT security operational definitions, develop a
detailed inventory of every
asset within your network
and establish network entry
and exit points. All these
should ideally exist, but you
firm that not only has specific
experience but also the necessary scale and operational
dimension to support parameters of your organization.
Most importantly, establish
a retainer and leverage the
retainer for a possible annual
BRP exercise.
A strong crisis management team will be a crucial
differentiator during an
active incident. This team
would ideally include your
internal and external communications team along with
other stakeholders from the
breach response team. Timely, precise and appropriate
communication could alter
the perception of a breach
incident in any direction.
Finally, cyber insurance
coverage may be appropriate
for your organization and
will also provide additional
benefits, such as pen tests
and access to a breach coach
based on your vendor and
coverage. The only right
thing about a breach is the
fact that you are prepared for
it. Practicing these exercises
makes it perfect.
also want to look at it from a
different viewpoint: Indicators of compromise (IOC).
As a start, establish IOCs
for high value targets (HVT)
and build your inventory
and focus on keeping it up
to date.
Before you can actually
draft your plan, you need to
consider a breach response
team. Develop a discussion
platform to specifically talk
about breach management
with key constituents within
the organization – legal,
information security, IT,
risk management, privacy
and compliance and other
relevant stakeholders.
One of the key aspects
of the BRP is to identify an
external legal counsel who
will partner with you effectively during an active incident. Consider a legal counsel
with experience as breach
coach with strong exposure
to handling different types
of security incidents and who
can engage collaboratively
with state attorneys general
and federal regulators.
Next, engage a forensics
ig Data is arguably one of the killer apps to emerge over
the past decade. The technology originated from a technique developed by Google called MapReduce, which
uses parallel processing to generate analytics from massive
amounts of data. An open source version of MapReduce, called
Hadoop, has effectively “democratized” the availability of Big
Data. With this easy-to-use platform, enterprises are finding
new ways to solve problems and extract value from data.
However, Big Data analytics often involve access to data that
should be protected, such as medical records, tax information
and personally identifiable information (PII). Security and
compliance professionals need to ensure Big Data deployments do not violate access control policies with respect to this
information.
Within a Hadoop infrastructure there are several levels of
authorization, including access to the Hadoop cluster, intercluster communications and access to the data sources. Many of
these authorizations are based on Secure Shell (SSH) because
the authentication protocol is considered secure and has good
W
Rich Boyer
senior information security
architect, NTT Com Security
30seconds on...
»Breach plan
The first step in creating a
breach management strategy is to organize a breach
management team before
developing a plan, says ViJay
Viswanathan.
»Hire the right help
The next step is to identify an
external counsel and a breach
coach, says Viswanathan. Following that, retain a forensic
firm that can scale as needed,
he says.
»The CISO runs with it
Structure your crisis management team, he advises. And, he
says that the company’s CISO
should drive breach management exercises to optimize the
plan regularly.
»Get functioning
As well, establish a time-boxed
approach to create a functional
breach response plan that
can be exercised similar to a
disaster recovery or business
continuity plan, he says.
support for automated machine-to-machine (M2M) communication. The access control issues are straightforward:
First, who sets up the authorizations to run Big Data analytics? Next, we need to ask how are those authorizations and credentials managed and what happens when there are personnel
changes? As well, we must determine whether authorizations
are based on “need to know” security principles.
To protect sensitive information accessed by Big Data analytics, the following best practices are recommended:
• Discover: Take an inventory of the authorizations and identities within the Big Data environment.
• Monitor: Track the use of those identities. Find out which
identities are not needed and can be removed.
• Manage: Establish centralized control over identity management in the Big Data environment.
Big Data has opened up new access to business-critical
data. Organizations need to keep pace with resulting security
concerns and bring Big Data under a sound identity and access
management umbrella.
Are mobile apps risky business?
Photo by Chris Volpe/zuma
CISO, HD Supply
Information privacy & Big Data
...businesses
must stay one
step ahead of
hackers.”
hile the enterprise software market
is predicted to grow to $4.5 billion
by 2016, the increasing prevalence of
mobile applications is exposing new security
holes for businesses. Having an app for everything brings many benefits, but also entices
hackers to target apps as gateways to valuable
data. Businesses must meet the associated
security challenges head-on with structured
approaches.
Both mobile and enterprise technology are
exciting, well-funded IT sectors. But it’s where
mobile and enterprise meet that we find the
most profitable sector of all: mobile apps.
The rise of mobile has fuelled the trend
towards BYOD (bring-your-own-device) as
well as in-house developed applications. Apps
help enterprises build identity and engage customers, as well as increase efficiency. But just
as the web brought new IT security challenges,
applications present fresh risks to business.
Collaborative app development poses
threats to unencrypted code which could
unlock login details of cloud services – and
ultimately corporate networks. Development
risks must be managed in the context of commercial objectives, but businesses must stay
one step ahead of hackers.
Over a defined lifecycle, businesses must:
review corporate architecture to address
all vulnerabilities; understand compliance
requirements and ensure security is built-in
from the very start; use best practices and
tested secure modules wherever possible; test
and test again in-line with emerging threats;
and perform configuration management to
maintain consistent application performance.
It’s inevitable that hackers will target intellectual property stored during app development. By addressing these complex risks,
businesses will create secure applications with
confidence. As a result, they’ll benefit from
innovative ways to interact, without worries
over unlocked back doors.
Analysis
Letters
Got something to say?
Send your comments, praise or criticisms
to [email protected].
We reserve the right to edit letters.
From the online mailbag
In response to a Nov. 24
Opinion: PCI 3.0: The good,
the changes and why it’s not
ugly, by Greg Rosenberg,
security engineer, Trustwave
The part I don’t understand:
Do they [third-party service
providers, online retailers
and merchants] keep the
credit cards numbers in clear
text to start with? Even some
simple encryption would help
limiting the exposure. Even
better, when the card system
does the authorization for
the repeated use (such as an
automatic bill pay), it should
be fairly easy to generate a
hash that includes both the
number of the credit card and
the merchant ID and use it for
any future transaction. It’s
like issuing a one-time credit
card that can be used only by
this particular merchant.
Sergey Babkin
In response to a Nov. 14 news
story, U.S. spy program
targeting Americans’ mobile
phones, report says:
Professor Hayes is naïve in
his comment: “Ultimately,
the FBI and similar agencies
have no inclination or even
the resources to analyze the
general public’s communications and are only interested
in finding criminal suspects.”
He has left specific groups
and people who are not
criminals that members of
the U.S. government want to
target, such as the abuses by
the IRS reported over the last
couple of years, as well as the
more recent revelations that
the White House was illegally
receiving confidential tax
return information from the
IRS.
Dirk Bell
Ok...Tell me something I didn’t
know. You would have to be
naïve to think that the government is not tracking your
cellular data, location and
anything else they can glean
from the electronic leash
that most of us carry. And
don’t get me started on the
new driver’s license/ID card
systems in place since 9/11.
Everything about you has
been declared “open season,”
and your only choices are: a)
get rid of everything and fall
off the grid; or b) get used
to it.
Philip Scott
In response to a Nov. 20
news story, USPS draws ire
of Congress over data breach
response:
If Congressman Stephen
Lynch [D.-Mass.] is so concerned about the U.S. Postal
Service employees, then why
doesn’t he get the “postal
reform” bill passed? # just
saying
Chuck Roche
In response to the November
Debate: Should you pay a
cyber ransom?:
Paying $500 is often less
costly than losing business
and serves as a reminder that
security practices need to be
kept up to date. Investing in
prevention is different than
paying for resolving the issue.
Sergio Galindo
Completely disregarding
the option of paying ransom
does not take into account
that many organizations with
ransomware infections are
confronted with backup that
turn out not to work, and lose
weeks, months (or more) of
work. Paying $500 to get your
files back is a business decision that’s not hard to make
in a situation like that. It also
serves as a shot across the
bow to get your best practices
truly applied, which means
step your users through
effective security awareness
training so that future ransomware infections are much
less likely.
Stu Sjouwerman
story, Mobile fraud report
notes reliance on OTPs as
top concern:
OTPs are generally run on
tokens or phones, which are
easily lost, stolen and abused.
Then the password would be
the last resort. It should be
strongly emphasized that a
truly reliable two-factor solution requires the use of the
most reliable password.
At the root of the password
headache is the cognitive
phenomena called “interfer-
ence of memory,” by which
we cannot, on average, firmly
remember more than five text
passwords. What worries us
is not the password, but the
textual password. The textual
memory is only a small part
of what we remember. We
could think of making use
of the larger part of our
memory that is less subject
to interference of memory.
More attention could be paid
to the efforts of expanding the
password system to include
images, particularly known
images, as well as conventional texts.
Hitoshi Anatomi
story, ‘DoubleDirect’ MitM
attack affects iOS, Android
and OS X users:
“...traffic from Google, Facebook, Twitter, Hotmail, Live.
com, and Naver (a Korean
internet company) was
detected as being redirected
using the technique.”
All those domains implement HTTPS, rendering the
attack useless.
Antoun Beyrouthy
story, Slew of black marketplaces, including Silk Road
2.0, go dark in Fed sweep:
I love that [Homeland
Security Investigations, an
investigative arm of the U.S.
Department of Homeland
Security] used social engineering to gain access.
Robert Emmons
The opinions expressed in
these letters are not necessarily those of SC Magazine.
Usability as a protection feature
Usability as well
as security must
be factored into
the equation, says
Signiant CTO Ian
Hamilton.
P
sychological acceptability may not sound
like a term that’ll hold
much significance for the
future of secure file sharing.
But don’t sell it short. The
term refers to the concept
that a system should be as
easy to use in a secure state
as in an insecure state – or
users will default to the
insecure state.
In this era of cloud
services, where users have a
plethora of ready-to-use SaaS
options, the psychological
acceptability principle can be
extended to say that secure
services must be as easy to
use as insecure services or
users will gravitate to the
insecure alternative.
What should IT do about
this problem? It can resort
to the “big stick” approach
of enforcing which tools can
and can’t be used. But this is
becoming less and less effective as teams are increasingly
distributed and empowered
by SaaS options. Information
security leaders are finding
that they have more success
substituting “carrots” for
sticks to guide users to the
right solutions by choosing
those that are easy for their
constituents to use.
Another corollary of the
psychological acceptability principle is that human
interfaces for security
features must be easy to use
so users don’t make mistakes
in applying security features.
If the user has to map their
mental image of their protection goals into a convoluted
technical model, they likely
will either forgo protection
or make mistakes applying it.
File system access control
(ACLs) are a classic example
of exposing a flexible
technical model without any
abstraction. As a result, users
simply don’t use file system
ACLs – and if they do, they
often don’t apply them correctly. Privacy controls in
social media have attempted
to address this by translating
technical ACLs into plain
English options that capture
the resource being protected
and the access right being
given to a trustee. For example, choosing an
option like “my contacts can
see my contacts” makes your
“list of contacts” (resource)
“readable” (access right) to
everyone in “your contact
list” (trustee), rather than presenting it in some underlying
highly flexible but also highly
technical-based ACL model.
Role-based access control approaches attempt to
simplify underlying fine
grain access controls through
abstraction, but they often
don’t address the fundamental problem of mapping the
user’s mental image of the
protection goals onto available options.
Another related secure
design principle is “secure
by default.” One approach to
making systems more usable
is to disable security features
in the default configuration.
...secure
services
must be as
easy to use
as insecure
services...”
To make the system secure,
users must then enable specific security features. Often
this allows a vendor to claim
that the system is both secure
and usable without investing
in making security functions
intuitive and easy to use. As the name implies, the
“secure by default” design
principle states that a system
should default to the most
secure state possible. That
said, the definition is complex and needs to take into
account user behavior when
interacting with features.
When users are forced to
create complex passwords
on a regular basis for every
system they use, they often
resort to reusing passwords
and writing passwords down.
Offering web-based single
sign-on using an external
identity provider as the
default authentication option
can be a more effective method of addressing password
fatigue issues in infrequently
accessed systems.
Carrots work better than
sticks. The time has come to
fully embrace usability as an
important aspect of security.
By doing so, we can advance
the security agenda and also
make users happier and more
productive at the same time.
Ian Hamilton is chief technology officer of Signiant, a
provider of technology solutions with U.S. headquarters
in Burlington, Mass.
COOL
Breach response
IN A CRISIS
Ron Green, CISO,
MasterCard
How you communicate during an attack is as important
as your response, says Ron Green, CISO, MasterCard.
Larry Jaffee reports.
D
ata on 70 million customers stolen, 76 million accounts affected, 44 lawsuits filed, 1.1 million customers exposed, 7
million business accounts compromised. That’s just some of
the alarming damage done by data breaches at Target, Home Depot,
Nieman-Marcus and JPMorgan Chase in 2014.
derailed the company’s operations for a full week
that eclipsed other major hacks, and served as a
lesson to Corporate America on how not to handle
crisis communications by bungling relations with
key stakeholders (e.g., employees, former employees,
creative talent, theater owners) and damaging
reputation nearly every step of the way (see sidebar,
page 23).
“How to communicate publicly is as important
or more important in crisis situations,” says
Jim Haggerty, CEO of Crisis Response Pro,
a web-based entity for crisis and litigation
Photo by David Torrence Photography
And the fallout didn’t stop at those numbers.
The year that can be viewed as the one where IT
security finally got taken much more seriously
by upper management was also characterized by
C-suite shake-ups, security department reorganizations, lawsuits, high-level pink slips, disappointing
financials and plummeting customer confidence. In
other words, data breaches caught the attention of,
well, the world – as did the way they were (and were
not) handled.
But it was the revelation before Thanksgiving
when Sony Pictures was crippled by a breach that
OUR EXPERTS:
Handling the situation
Daniel Fetterman, partner,
Kasowitz Benson Torres & Friedman
Ron Green, executive vice president and
CISO, MasterCard
Steven Grimes, partner, Winston & Strawn
Jim Haggerty, CEO, Crisis Response Pro
Tom Kellerman, chief cybersecurity officer,
Trend Micro
John Otero, security consultant; former
lead, New York City Police Department’s
computer crime squad
Eric Warbasse, senior director, financial
services, LifeLock
Breach response
...we know we had a breach.”
communications whose clients include
several financial firms that have had
breaches in the past year. “There’s
– Davia Temin, CEO, Temin and Company
a sense in crisis situations that
communications is the icing on the cake,
it’s what you do after everything else.
My view is communication is the cake.”
when something happens.”
Warbasse, senior director, financial
Ron Green, MasterCard’s executive
Davia Temin, a marketing, media and
services for LifeLock, a Tempe,
vice president and CISO, agrees.
reputation strategist, crisis manager
Ariz.-based provider of identity theft
“Communications is usually the
and CEO of Temin and Company, a
protection.
last thing that you’ve
boutique management consultancy
Further, public
thought of,” he says. “But
focused on reputation and crisis
statements should not
it’s the first thing the
management, says technology experts
speculate as to the
public – your customers,
often urge delaying the initial announceresponsible party. Hacked
your clients and your
ment until the security folks have had
companies with potential
investors – are going to
time to learn more and maybe try to
regulatory enforcement
see. You have to prepare
trace the culprit. “But that’s at odds with
exposure especially “need
and engage not just
the public wanting to know the minute
to be extremely careful
what you’re going to do
that their information may have been
about what they say and
from the security side;
compromised,” she says, adding that
ensure what they issue
you have to know what
the public has an expectation to know
publicly is accurate,”
you’re going to do from
as soon as possible so they can change
points
out
attorney
the communications
Davia Temin, CEO,
Temin and Company
passwords, etc. Temin advises clients
Daniel Fetterman, a New
side, and have prepared
to communicate that: “We don’t know
York-based partner with
messaging.”
the total parameters yet, but we know
Kasowitz Benson Torres & Friedman,
Typically, an organization’s IT
we had a breach. We’re
a national law firm
security staff will handle incident
doing everything humanly
primarily focusing on
response, but the responsibility and
possible to close it and
complex commercial
effort can’t just lie with that team,
understand the magnitude
litigation, and a former
Green points out. “Security for a
of it. And we’ll be in
federal prosecutor and
company is not just the security team,
continual contact with
trial lawyer.
it’s the whole company,” he says. When
you.” In this day of social
“In the rush to publicly
it comes to executing that crisis plan,
media and immediacy,
get out a positive,
people must be sure what their role and
if you wait, it looks like
reassuring story to make
their position is, and what they should
you’re stonewalling the
stakeholders feel better,
be doing, he adds. “You should always
truth, she says.
companies should proceed
prepare like [a breach is] inevitable.”
MasterCard’s Green
cautiously and be careful
Security consultant John Otero,
agrees. “If you’re not
not to get it wrong,” says
who formerly led the New York City
Steven Grimes, partner,
confident about the
Fetterman.
Police Department’s computer crime
Winston & Strawn
information you’re going
The consensus of our
squad, cites the reverberations felt by
to present, you shouldn’t present it. Let
experts it that it behooves organizatop management everywhere following
tions to have top management, legal,
the Target CEO losing his job after
everyone know you’re aware of it and are
IT security and PR work together on a
mismanaging the retail chain’s breach
working diligently on it,” he says.
message that strikes the proper balance.
and the “black eye” the retailer
As far as the legal ramifications,
“You need to reassure the public that
suffered.
there’s quite a difference of opinion
you have control of the situation,” says
In the wake of siphoned employee
about whether a breached company
Haggerty at Crisis Response Pro. “Data
personally identifiable information
must follow law enforcement’s lead on
breaches are becoming so common that
(PII) and customer credit card numbers
when information can be released to the
they resemble product recalls in the auto public.
or passwords, companies need to be
industry, whereby a system or structure
prepared with credit monitoring or
Tom Kellerman, chief cybersecurity
comes into play for proper notification
identity protection services, notes Eric
officer of Trend Micro, a developer
of security solutions, advises breach
victims to ask the FBI and Secret
Service, based on the stage of their
investigation, when to notify the public.
Not all experts agree with that strategy.
Jonathan L. Bernstein, president of
Bernstein Crisis Management, says
waiting for the FBI or Secret Service
before saying anything publicly doesn’t
make sense. “I’ve worked on a lot of
these,” he explains. “The FBI will always
make that request, but the FBI is not
responsible for protecting the reputation
of the organization. The FBI doesn’t
particularly care about the reputation of
the organization. So the FBI’s request is
the same as a lawyer who says, ‘don’t say
anything because you’re risking liability.’
You have to look where is the biggest
liability: court of law or court of public
opinion.”
Attorney Steven Grimes, a partner
with the Chicago law firm Winston &
Strawn, says it’s a case by case determina-
...you have to think about what
you’re going to provide.”
– Ron Green, EVP and CISO, MasterCard
tion whether a hacked company will
wait to hear from the authorities before
telling the public anything. Litigation, he
adds, is a very likely outcome.
Hacked companies need to keep in
mind various legal ramifications, such
as the Federal Trade Commission (FTC)
and states’ attorneys general bringing
lawsuits, respectively, for their failure
to provide adequate security measures
and failure to report in a timely fashion
in violation of data breach notification
laws, Grimes points out.
Ideally, attacked companies are
working with a proper crisis response
plan. “That doesn’t always happen,” he
admits, noting that many companies
TROUBLE FOR SONY:
New poster child for breach crisis
I
n a Nov. 25 statement, Sony Pictures Entertainment announced
it was investigating “an IT matter.” Since then, the hack has
proven that fact can be stranger than fiction – even in Hollywood.
That Sony Pictures did not anticipate vulnerabilities after
producing a movie – The Interview – antagonistic to a volatile
government should cause all organizations to pause and reassess
whether they’re prepared for such a worst-case scenario.
Obviously, Sony’s biggest failure was not protecting its intellectual property (including unreleased movies) and personal data
(including employee PII and health records), especially in face of
don’t reach out for outside legal help
experienced in this area until later in
the game, while in-house counsel didn’t
have the required level of coordination.
MasterCard’s Green adds that
listening to the authorities makes sense
so as not to say anything that’s going
to upset or derail their investigation.
“When you make your notification, you
have to think about what you’re going to
provide,” he says.
Temin knows a CEO of a retailer
who, after a hack, considered his biggest
mistake was not that he didn’t get better
systems or pay attention to vulnerabilities more closely early on. It was that he
didn’t come out quickly enough. n
a 2011 hack of its PlayStation Network affecting consumer data of
77 million users. As class-action lawsuits pile up, a source familiar
with Sony says its insurance would cover losses associated with
“incidents like this.”
Only time will tell whether the company will be able to defend
itself given the assertion by Mandiant CEO Kevin Mandia, “This
was an unparalleled and well-planned crime, carried out by an organized group, for which neither Sony Pictures Entertainment nor
other companies could have been fully prepared.”
That Sony was so unprepared is curious considering that Sony
Corp. general counsel Nicole Seligman – in charge of the company’s information security – has sat on the advisory board of the
Council on CyberSecurity since 2013.
It wasn’t until Dec. 15 that Sony Pictures posted a message on
its website for current and former employees and dependents that
the company had learned on Dec. 1 that their health PII may have
been compromised.
“[Sony] was slow in communicating, and it didn’t reflect an
adequate level of compassion for the people who were the victims,”
says crisis manager Jonathan Bernstein. “This is Crisis Management 101.”
Bernstein considers Sony to be the biggest example of corporate
incompetence in terms of reputation management. “If they were
being graded, I’d give them an F in the crisis prevention category.
And crisis response was mediocre at best.” – Larry Jaffee
Electronic elections
CANADA’S
INTERNET
VOTING PROBLEM
Many municipal officials are elected using the internet,
even as some agencies prohibit the practice as insecure,
reports Danny Bradbury.
I
n Canada, over two million voters had
the option of voting for their mayors
and local councilors via the internet
last October. Next October, none of
them will be allowed to vote for their
MPs that way.
Elections Canada, the organization
that oversees the electoral process there,
had originally planned for an internet
voting trial in a by-election sometime
between 2008-13. In 2012, it changed
track, citing budget cuts and security
issues.
“Current internet voting systems
carry with them serious, valid concerns
about system security, user authentication, adequate procedural transparency
and preserving the secrecy of the vote,”
the group said in an April 2013 report
exploring new voting models.
There have been no moves toward
internet voting at the provincial level,
either. “The provincial governments
would have to decide to move forward,”
says Nicole Goodman, assistant
professor of political science in the
University of Toronto’s Munk School of
Global Affairs.
Goodman predicts that if any
provinces move forward with such an
initiative, Ontario
might be first.
Currently,
though,
Ontario has
misgivings.
“In short,
this is
because we
have not yet
identified a
viable method
of network voting
that meets our criteria
and protects the integrity and
security of the electoral process,”
says Elections Ontario spokesperson
Andrew Willis.
Willis lists several issues that would
prevent the province from adopting
internet voting. Security breaches could
jeopardize vote integrity, he says, as
could the lack of secure digital authentication mechanisms. The absence of a
paper trail is another issue with internet
voting, he says, because it means that
the vote isn’t transparent.
Barbara Simons is a strong critic of
internet voting. A former president
of the Association of Computing
C1 SC • February 2015 • www.scmagazine.com
Machinery, she
has spent over
a decade
exploring the
validity of
electronic
and online
voting
systems.
Co-author
of the book
Broken Ballots,
she also participated in President
Clinton’s National Workshop on
Internet Voting in 2001, and conducted
a security peer review that shut down
the U.S. Department of Defense’s own
voting system, called SERVE.
Simons agrees with Willis on the
paper trail issue. “There’s no way to do
a recount,” she said, because there are
no paper ballots to reference. “There’s
no way to verify that the winners won
and the losers lost. There’s no way to
check that if I voted for candidate A on
my computer, that this is what was sent
out over the internet.”
Other provinces are equally
concerned about the security of
internet voting. “At this time, and
with the current state of technological
development, there are simply too many
vulnerabilities and threats that have
been identified to such systems that
could compromise the integrity of the
electoral system as we know it,” says
Tim Kidd, senior director of outreach,
policy and communications, Elections
Saskatchewan.
The province of BC, too, recently
issued a report on internet voting,
in which it recommended that the
technology not be used, arguing that
the risk to the accuracy of the voting
process remain substantial.
This hasn’t stopped municipalities from giving internet voting a try,
though. Ontario and Nova Scotia have
both experimented with the technology,
with Ontario being the larger adopter.
In the most recent municipal elections
in October, 97 of the province’s 414
municipalities used the technology.
Goodman created the governmentfunded Internet Voting Project, which
has produced a report exploring
attitudes to internet voting among voters
using these services, election officials,
and candidates in Ontario. It explores
attitudes to voting and experiences from
users, rather than the technical aspects
of voting security.
Municipal authorities – who will
likely express a high level of satisfaction with Goodman’s report – stand
by the security of the internet voting
process. “Extensive testing of [city of]
Markham’s processes and technology
is completed prior to every election,”
said Kimberley Kitteringham, city clerk
for that municipality in Ontario, via a
spokesperson.
She cited security and integrity
measures – including a mock election
designed to test the system, a third-party
security audit, and a city invitation to
all candidates to review the technology.
The municipality also includes
anti-malware protection on its own
computers, she added.
ACM’s Simons protests that
...there is a level of tradeoff
against convenience.”
—Dean Smith president, Intelivote
protecting election officials’ computers
is only part of the challenge. “There’s
something that none of those systems
can deal with, and that’s the computer
of the voter,” she says. “There’s no way
to protect that computer from malware
that can change that person’s vote.”
The security of voter clients was one
of several issued raised by experts at
Concordia and Western University, who
reviewed the online voting system used
by Markham along with several others
in a separate evaluation for the city of
Toronto. The reviewers recommended
that Toronto not proceed with internet
voting in municipal elections because
none of the solutions provided adequate
protection against the inherent risks.
Dean Smith is president and founder
of Nova Scotia-based Intelivote. “I’d be
lying to everybody if I said that it was
as secure, but there is a level of tradeoff
against convenience,” he said.
He admits that there are risks
OUR EXPERTS:
Internet voting
Nicole Goodman, assistant professor of political science in the University
of Toronto’s Munk School of Global
Affairs
Tim Kidd, senior director of outreach,
policy and communications, Elections
Saskatchewan
Kimberley Kitteringham, city clerk,
Markham, Ontario
Barbara Simons, former president of
the Association of Computing Machinery
Dean Smith, president and founder,
Intelivote
Andrew Willis, spokesperson,
Elections Ontario
associated with internet voting, but
urges voters to compare them with
other methods, specifically the vote-bymail systems that many internet voting
systems are designed to complement.
“When vote-by-mail comes back, you
never know whether your vote has come
through,” he says, arguing that ballots
returned by mail will often arrive late
and won’t be counted.
Regardless, Smith remains convinced
that in spite of the risks associated
with internet voting, it’s worthwhile
as it increases the level of convenience
for voters. “Electoral authorities are
prepared to assume that level of risk,”
he says.
Who gets to supervise that decision?
Municipal election guidelines are
laid out in each province’s Municipal
Elections Act, which must be worded to
allow for alternative election procedures
at the local level, says Goodman.
Perhaps one of the most worrying
aspects of the move to internet voting
in Canada is the lack of standards
governing how this technology is
implemented. Canada has the highest
number of internet voting-enabled
municipal elections in the world, but
there are no regulations explaining how
to choose the systems that run them, or
how they should be implemented.
“One of the things that is important
moving forward is to develop some
standards, with respect to legal,
operational and technical. And when I
say technical, that would relate to the
security component,” Goodman says.
In the meantime, the stable door is
open. With no regulations in play, and
with some municipalities having run
three sets of elections on the internet
already, the horse may already have
bolted. n
www.scmagazine.com • February 2015 • SC C2
Breach law
I would welcome comprehensive
federal legislation...”
UNIFYING
PRINCIPLE
Is the time right for
national data breach
legislation? There
are signs that this
may be the year,
reports
Steve Zurier.
C
ould a national data breach law be just around the
corner? President Obama’s call for a Personal Data
Notification and Protection Act during his State
of the Union (SOTU) may be just the kick the 114th
Congress needs to hammer out legislation by midyear.
Addressing the Federal Trade
Commission (FTC), the agency that has
aggressively pursued companies that
it feels have not properly safeguarded
customer data, a week before delivering
the SOTU, the President envisioned
a national law that would clarify and
strengthen “the obligations companies
have to notify customers when their
personal information has been
exposed.” A key part of that law would
be “a 30-day notification requirement
from the discovery of a breach.”
National data breach legislation
would set a federal standard for defining
the parameters of a breach and the
timeframe in which companies must
report a breach to law enforcement
– George Jepsen, attorney general, state of Connecticut
authorities and consumers. The hope
among many business groups is that
Nyswander Thomas, vice president
or financial account number, such as a
a national law would also preempt an
of government affairs for the Direct
bank card or credit card.
unmanageable patchwork of 47 state
Marketing Association, one of the trade
Unfortunately, that’s where the
laws and instead replace them with a
groups leading the charge for national
agreement stops. While the Direct
uniform set of statutes that companies
legislation for the past decade. “With
Marketing Association (DMA), National
would have to follow.
all the cases of new breaches in the
Retail Federation (NRF) and various
If the national law is enacted,
news, it has become clear that both
business groups are pushing hard for
companies will benefit from “the
consumers and businesses have become
a clause that would preempt the 47
certainty of a single, national standard,”
victims. Plus, companies are global let
state statues on the books, attorneys
the White House said.
alone national.” She adds that the need
general have expressed concern that a
“We support a national data breach
for a national standard
national law could inhibit state efforts to
bill so companies can
would reduce some of the
effectively respond to breaches.
respond to breaches in
complexity.
“I’ve found that the state attorneys
a consistent manner,”
Dave Frymier, chief
general are not crazy about a national
says Tiffany Jones, senior
information security officer
law,” says Jonathan Spruill, managing
vice president and chief
at Unisys Corp., a global
consultant, incident response - U.S., at
revenue officer at iSIGHT
information technology
Trustwave, who adds that states can’t
Partners, a Dallas-based
company based in Blue
just wait around for a national law to
security firm.
Bell, Penn., says the Sony
pass, plus they are concerned that any
Jones, who has testified
hack may be a taste of
national law would be watered down
before Congress on the
what’s ahead. Lost in the
and ineffective.
growing malware threat
uproar over the release of
George Jepsen, the state of Connectilandscape and the need
Tiffany Jones, iSIGHT Partners
the movie The Interview
cut’s attorney general, for example,
for national data breach
were the hacks into Sony’s
favors national legislation, but remains
legislation, says companies
corporate offices and intellectual
concerned about preemption. “I would
can spend millions of dollars complying
property.
welcome strong and comprehenwith all the state laws. Tack on the cost
“In the past we’ve had to worry
sive federal legislation in this area,
of a breach, the cost for cleanup, lost
about nation-states stealing intellectual
particularly given the national scope
revenue and lost market share, and
property or organized crime groups that
of some of the data breaches we have
Jones says there’s very strong sentiment
were in it for the money, but the Sony
seen and, unfortunately, are likely to see
in the business community to finally get
hack was different,” he says. “This was
again,” Jepsen says. “However, it would
something done this year.
a case of disruption of operations for
be a critical mistake for federal law to
Lobbyists from groups such as the
political or ideological purposes.”
supplant state enforcement authority.
Direct Marketing Association and
It would be counterproductive to
National Retail Federation would love
reduce the number and effectiveness
to get a bill done this year, but they
Some consensus
of regulators who can combat data
are realistic. Officials from these trade
On the optimistic side, those who
breaches.”
groups readily acknowledge that they’ve
argue for a national law point to general
States are vital, experienced and
been building coalitions to support
agreement at both the state and national
active participants in responding
national breach legislation for nearly 10
level as to what constitutes a breach.
to these breaches and other privacy
years now, but some say following the
Just about every state law and the many
violations, he adds. “There is enough
high-profile Target, Home Depot and
competing national bills define a breach
enforcement work to go around, and
Sony hacks of the past year, this time
as when a person’s name is compromised
we can be most effective by working as
could be different.
electronically along with one or more
partners among the states and between
“It’s become very complicated for
of the following pieces of personally
the states and the federal government.”
companies to comply with all the
identifiable information: a Social
One bill that many believe has
different state laws,” says Rachel
Security number, driver’s license number
Breach law
What Sony really needed was
better security.”
some legs is the bipartisan legislation
developed by Sen. Tom Carper (D-Del.)
and Senator Roy Blunt (R-Mo.). Known
as the Data Security Act, if enacted
into law it would require companies to
– Dave Frymier, CISO, Unisys Corp.
notify federal agencies and consumers
of a breach that affects more than 5,000
Which leads to another unresolved
we wait to act, the greater the risk of
consumers.
issue: which branch of government
damage to Americans and American
Senator Carper says that while
businesses. I hope that a new year brings should be notified? For example, should
Congress waits, the frequency and
companies first notify the FBI or the
a new focus on this issue that will allow
severity of the attacks grows. In a
Department of Homeland Security? On
us to move forward on
statement prepared for
the other hand, the Secret Service has
smart legislation that will
SC Magazine, Carper says
been given a great deal of responsibility
offer greater protection for
that he and Sen. Blunt
to investigate hacking attacks and it’s
companies and consumers
have proposed legislation
still unclear what their role would be.
alike.”
during several consecutive
The Carper-Blunt bill just says that the
While many agree with
Congresses that would
regulating agency will determine which
the general parameters
update and streamline
law enforcement agency needs to be
of the bill, the proposed
the nation’s standards for
informed. Clearly, some of these issues
Carper-Blunt law would
protecting Americans from
need to be sorted out.
give the FTC rule-making
fraud and identity theft.
Obama’s proposal advocates a 30-day
authority while the trade
“As hackers and their
reporting deadline but is otherwise
and business groups want
operations become
short on details. Ken Westin, senior
all specifications written
more sophisticated, our
Sen. Tom Carper (D-Del.)
security analyst with Tripwire, hailed
into the law. In some ways,
security measures must
the president’s efforts in comments
that may make sense.
evolve as well,” points out Sen. Carper.
sent to SC Magazine, but cited trust and
Some issues yet to be worked out
“The approach Sen. Blunt and I take,
privacy challenges of private industry
include the timeframe companies
which has bipartisan support, would
collaborating with law enforcement.
are required to report a breach. The
ensure that businesses and government
“When a breach has occurred
Carper-Blunt bill does not specify
agencies manage personal and financial
companies may think twice before
a timeframe and leaves it up to the
information more securely and that
contacting law enforcement when there
specific regulator overseeing the
they respond quickly and effectively if
is a compromise, at least delaying their
institution where the breach occurs.
and when a breach occurs. The longer
STATE BREACH LAWS:
Are there too many?
Law firm Baker and Hostetler, which has 14 offices nationally,
keeps a running chart of all the state data breach statutes. While
state laws vary on the need for a risk of harm analysis and requirements to notify the state attorney general, here’s a quick look at
how a sampling of state laws are all over the map when it comes to
notification.
California: Under the state’s Medical Information Specific Breach
Notification Statute, for the vast majority of licensed clinics, health
facilities, home health agencies and hospices, the law requires
licensees to notify both affected patients and the California Department of Health Services no later than 15 business days after the
unauthorized access, use or disclosure has been detected by the
licensed medical facility.
Connecticut: All entities licensed and registered with the Connecticut Insurance Department are required to notify the agency
of any information security incident which affects any Connecticut
residents as soon as the incident is identified, but no later than five
calendar days after the incident is identified.
Maine: If after the completion of an investigation notification is
required, the notification may be delayed for no longer than seven
business days after a law enforcement agency determines that the
notification will not compromise a criminal investigation.
Vermont: Notice of the security breach to a consumer shall be
made in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery.
Wisconsin: Notice shall be provided within a reasonable time, not to
exceed 45 days after the entity learns of the acquisition of personal
information. A determination as to reasonableness shall include
consideration of the number of notices that an entitymust provide
and the methods of communication available to the entity.
response to law enforcement due to the
new notification requirements,” he says.
“If they reach out to law enforcement
for assistance in investigating a breach,
would the ‘30 day shot clock’ for breach
notification kick in at that point? Would
there be a line of communication with
law enforcement where information can
be exchanged in confidence?”
Noting that companies may have
good reason not to notify within 30
days, Westin says, “These are all items I
believe that will need to be hashed out
before this is rolled out.”
Besides the point?
Still, there are those who say that a
national data breach law is besides
the point. “The problem I have with
a national data breach law is that the
horse is out of the barn by the time a
company does a breach notification,”
says Frymier of Unisys.
“The Sony hack is a good example
of why breach legislation primarily
oriented toward notification alone can’t
be the answer,” Frymier says. “The goal
of the Sony hack wasn’t monetary; it
was to embarrass. No notification was
needed because it was already out there.
What Sony really needed was better
security.”
That’s why Mike Brown, VP and GM
of the global public sector at security
company RSA, says national data
breach legislation is merely one piece
of the puzzle. First, both the House
and Senate passed – and President
Obama signed into law – the Cybersecurity Enhancement Act of 2014, which
authorizes the National Institute for
Standards and Technology to develop
voluntary guidelines for cybersecurity.
The new law promotes cybersecurity research, private/public sector
collaboration on cybersecurity, and
education and awareness of technical
standards. T
Along with the Cybersecurity Enhancement Act, Congress also
passed – and President Obama signed
into law – an update to the Federal
Information Security Management Act,
better known as FISMA. The update
gives the Department of Homeland
Security a clear oversight role in federal
cyber efforts, as well as authorizes
federal agencies to deploy
automated security tools to
fight cyber attacks.
“I know it’s easy to be
cynical – and Congress
certainly doesn’t have a
strong recent track record
– but our progress at the
end of the year gave me
some cause for optimism,”
says Brown.
He says he’s hopeful
Mike Brown, RSA
that the end-of-the-year
success could lead to what
he views as four important pieces of
IT security legislation. The first two,
the Cybersecurity Enhancement Act and
FISMA are in place. Next up for 2015
is data breach and information-sharing
legislation. Diane Feinstein (D-Cal.) was
quoted in the press at the end of the year
saying that she plans to re-introduce the
Cybersecurity Information Sharing Act
when the new session convenes, and
Senators Lindsey Graham (R-S.C.) and
John McCain (R-Ariz.) have expressed
support for another law that would
encourage companies and federal
always possible that cybersecurity could
become the political football that net
neutrality deteriorated into last year.
First things first. On national data
breach legislation, the Direct Marketing
Association’s Thomas
says much has changed.
Number one, people have
the benefit and experience
of having worked on this
issue for 10 years. Number
two, especially with all the
news around the Sony hack,
there’s finally a chance
that business interests
can align with privacy
advocates on identity
theft and get something
done for the country. And
finally, as RSA’s Brown points out,
national data breach legislation is part
of a comprehensive effort by lawmakers
to pass a series of common sense laws
around cybersecurity.
Add to that Obama throwing in
support to kickstart the legislative
process and this Congress may be
able to do what the 113th Congress
and others before it could not: pass a
reasonable, bipartisan national data
breach law.
While the consensus for action
builds, many in the security industry,
... our progress...gave me some
cause for optimism.”
– Mike Brown, VP & GM of the global public sector, RSA
agencies to share information about
cyber attacks.
So what’s going on here? Can it be that
Republicans and Democrats will actually
put their partisan differences aside and
do what’s best for the country when it
comes to cybersecurity? It’s possible
that there’s enough consensus that the
problem is severe enough that something
has to be done. On the other hand, it’s
government and private sector are
hoping that leaders will stay proactive
and cybersecurity remain bipartisan and
not another opportunity to score talking
points in the daily news cycle. If that
happens, the Sony hack really will be the
beginning of a dangerous new escalation
of cyber attacks – and business and
government still won’t have a uniform
way to respond. n
Federal law
E
S
N
E
F
E THE TOP
DFROM
The DHS will gain more
control – and federal
cybersecurity likely will be
improved – when a FISMA
update is passed, reports
Lee Sustar.
A
fter years of proposed changes,
FISMA is finally morphing.
What entered the legislative
record in 2002 as the Federal
Information Systems Management Act
is almost certain to become the Federal
Information Systems Modernization Act
under the new Congress, following
passage by its predecessor in December.
The name change highlights a major
shift, says Maria Horton, who was
CIO for the National Naval Medical
Center as FISMA made its way into law.
“By modernization, Congress and the
president are looking how to modernize
in order to protect our security,” says
Horton, currently founder and CEO of
EmeSec, a Reston, Va.-based consultancy
with federal government clients. Under
FISMA 2.0, as it is commonly known,
“agencies themselves must be prepared
to report on a breach, how large it is,
how many people are effected, and the
circumstances surrounding it,” she says.
FISMA 2.0 would replace what has
typically been federal agencies’ triennial
cybersecurity compliance assessment.
More frequent reports, with a strict
deadline to report data breaches, would
supplant the older system. It further
calls for “automated security tools to
continuously diagnose and improve
security.” The Department of Homeland
Security, which played a coordinating
role for compliance with little authority
under the original legislation, would
play a more formal and central role
under the proposed legislation, with the
department’s $6 billion “Continuous
Diagnostics and Mitigation” contract
providing federal departments and
agencies with a range of choices for
cybersecurity products and services.
To appreciate the impact of the changes,
it’s useful to step back and look at the
history, says Juanita Koilpillai, CEO and
president of Waverley Labs, a Waterford,
Va.-based consultancy that often works
with clients in the federal government.
“With the current FISMA evaluation, it is
hard for implementations to be consistent
across the board,” she says. “Systems
that are in compliance are not secure and
vice versa. Even checking for four of the
20 critical controls proposed by SANS
Institute is an expensive exercise.”
FISMA: The next generation
Critics of the original FISMA implementation acknowledge that its complexity
and shortcomings are the result of its
rapid rollout amid a major political
and bureaucratic transformation. At its
outset, FISMA was essentially a post-9/11
mobilization of the feds’ IT teams to
systematize and generalize cybersecurity practices and performance across
disparate federal agencies. The armed
forces and national intelligences agencies
were carved out of the new law and given
their presumed IT security proficiency
and requirements for ultra-secrecy.
But every other federal entity – from
the sprawling array of agencies and
bureaus to the massive Department of
Veteran Affairs (VA) – had to get on
board. Inspectors general were charged
with issuing letter-grade reports to be
filed with the Office of Management
and Budget (OMB). The then-new
Department of Homeland Security
(DHS) was subsequently designated to
oversee the process, but the department
lacked administrative authority – and,
initially, at least – the technical expertise
to do so.
In the decade-plus of FISMA’s
existence, critics have complained that
agencies had an interest in dumbing
down their compliance reports, says
Larry Ponemon chairman and founder of
the Ponemon Institute, a North Traverse
City, Mich.-based firm that conducts
research on privacy, data protection and
information security policy. “Historically,
a lot of organizations would do poorly
on this, with a letter grade of C- or D,”
Ponemon says. “The lower the grade,
the more money you would get from
Congress. If you get an A, Congress
would say, ‘we don’t have to fund you.’”
But FISMA’s critics often lose sight of
the fact that the act was originally under
the umbrella of the General Services
Administration before DHS was created,
says information security veteran Karen
Evans, who oversaw its initial implementation as administrator of the Office of
Electronic Government and Information
Technology at the Office of Management
and Budget. Another problem: the
requirement that compliance grades had
to be completed at least every three years.
The three-year reporting timeline
may appear to some as evidence of
bureaucratic inefficiencies. But, in
fact, most agencies had a difficult time
securing the IT and IT security talent
and resources to perform a complex
and time-consuming task, says Richard
Schaeffer, who heads Riverbank
Associates, a Severna Park, Md.-based
cybersecurity consultancy and was
a former senior executive with the
National Security Agency (NSA).
“I think actually the grading was
incredibly uneven, not because of FISMA,
but because of people implementing it,”
he said. “Very few federal agencies had
a good idea of what their infrastructure
looked like, how it was configured and
how access control and so forth was really
done,” he says.
DHS takes charge
The need for a FISMA overhaul was
voiced more frequently with every
documented vulnerability and data
breach involving federal agencies. But
as the Bush era gave way to the Obama
years, the effort was stalled. Some of the
delay was due to general Washington
gridlock, but there was an intense debate
specific to FISMA over how to both
boost DHS’s authority over implementation while preserving OMB’s ultimate
authority, says Evans.
FISMA 2.0 resolves the long-running
dispute by giving DHS meaningful
operational oversight while tasking OMB
with charting progress in compliance,
governance, risk and compliance at
MetricStream, a Palo Alto, Calif.-based
service provider. That, she adds, points
toward the increasing use of analytics to
help agencies move from basic FISMA
compliance to risk assessment and
reduced incident response times.
Federal agencies should beware of
FISMA 2.0 solutions that may constrict
their ability to defend against evolving
threats, says Suni Munshani, CEO at
Protegrity, a Stamford, Conn.-based
provider of data security solutions. “The
first question is about transparency,” he
says. “Is this something I can change
without being beholden to some black
box technology?”
One of the biggest obstacles to data
security improvements in civilian federal
agencies is the reluctance to collaborate
across bureaucratic lines, says David
Monahan, research director, risk and
security management at Enterprise
Management Associates, a Boulder,
Colo.-based industry analyst and
consulting firm. “Security people are
notoriously bad at sharing information,
mainly out of fear or arrogance,”
FISMA 2.0 wants to get to
insights and agility.”
—Yo Delmar, VP for GRC, MetricStream
Evans says. “It allows [OMB], with
variants, to measure incremental
improvements from year to year. That is
the key change.”
To meet those more stringent FISMA
2.0 requirements – including reports
to Congressional committees – federal
agencies are expected to go shoppingfor technical hardware and software
information security solutions.”
Leading information security
providers say they’re ready. “FISMA
2.0 wants to get to insights and agility,”
says Yo Delmar, vice president for
he says. “The government agencies
have traditionally been well into the
arrogance and fear part of the equation.”
FISMA 2.0, with its rigorous
monitoring and reporting requirements,
just might change that. “With their
collective resources and the right
tools, they have the capability to share
information to vastly improve their overall
defense posture,” Monahan says. “Even if
one falls victim to a particular attack, the
others can use the shared information to
prevent – or at least limit – the scope of
their own compromises.” n
Case study
W
ith the assortment of today’s communication
technologies, even major radio stations supplement their broadcasts over the air with tweets,
posts to Facebook and other social media venues to help
promote their programming and, thus, grab the attention
of their audience – however they’re staying connected.
ON AIR
To avoid brand damage,
a radio network made certain its cloud was
defended against unauthorized access.
Greg Masters reports.
While these new avenues are efficient
in shooting out up-to-the-minute
messages to increase awareness and
help the audience become engaged,
for security personnel the use of social
media opens up a whole new can of
worms.
Rocklin, Calif.-based EMF Broadcasting owns and operates the K-LOVE and
Air1 radio networks, which combined
have more than 700 radio and broadcasting stations spread throughout 45 states
across the United States.
With the phenomenal growth of
social media, EMF needed visibility
and control over social networking
applications used by its personnel.
The challenge for Juan Walker,
principal security strategist at EMF
Broadcasting, and his 40-member
IT team, was to manage the radio
network’s approximately 500 employees
by protecting cloud applications from
unauthorized access and account takeover
attacks. “For example, if a radio personality had their social media account
compromised this could create a public
PROTECTION:
Covering the bases
The goal when implementing a solution
from Skyfence, says Juan Walker, principal
security strategist at EMF Broadcasting,
was to protect:
High-profile employees, such as
CEOs and official spokespeople, who will
attract more attention than most. Their
role requires extra guidance.
Officially recognized channels,
such as the company’s Twitter feed and
“Skyfence is a proxy-based solution
that provides cloud app discovery/risk
scoring, analytics and protection,” says
Frank Cabri, vice president of marketing
for Skyfence. “It does not require any
endpoint software.”
The solution uncovers cloud apps by
inspecting and aggregating data in user
access logs from enterprise web-proxies
and firewalls, Cabri explains. An app
discovery report is generated using
relations crisis for EMF,” Walker says.
a locally executable tool that scans
The prospect of a hacker hijacking a
existing logs files (from firewalls or web
staff member’s social media account and
proxy systems) either manually or on an
posting inappropriate content attributed
automatic schedule. The process does
to the organization could have disastrous
not require any installation of agents or
effects on the network’s reputation and
changes to applications.
relationship with its donors, he says.
Skyfence automates the process of
“Social media challenges EMF
determining which cloud
in many exciting and
apps users are accessing
unexpected ways,” Walker
and details the number of
says. “A small percentage
users, activity level, traffic
of companies have a
volume and usage hours
documented social media
for each app.
policy and EMF is one
Further, it performs
of them. We want added
a risk assessment and
protection when engaging
categorizes each cloud app
with listeners and donors
as high, medium or low
through social media
risk. Risk metrics, such
platforms.”
as the status of service
A search began for a
Frank Cabri, VP of marketing,
provider audits (e.g.,
technology solution to
Skyfence
SSAE-16), compliance
assist. When he and his IT
requirements (e.g., PCI attestation of
team were introduced to SkyFence, they
compliance) and many other critical
thought its cloud-protection capabilities
criteria are consolidated and measured
would fit into their social media protection
so organizations can use the risk
strategy. “The cost per user really made
score of each app to prioritize their
the solution attractive,” he says.
risk migration efforts. In addition,
the advanced risk metrics feature lets
Facebook page. These channels require
organizations customize risk weightings
more guidance, and should be used only by
so app metrics can be adjusted to
designated people.
reflect the risk to their specific business
Privileged information of any sort, inoperations, Cabri says.
cluding customer or patient identification.
Enterprise financials.
High-profile topics, such as safety,
product recalls, mergers and acquisitions,
and compliance. Natural disasters or political events that can affect the company.
Dramatic events that affect the organization’s brand, competitors or the industry
as a whole.
Seamless integration
Skyfence, he adds, delivers a complete
picture of cloud app risks and operational
intelligence through detailed analytics of
cloud app usage. “It aggregates the output
of multiple app scans and app risk metrics
with detailed monitoring and analytics
of user, app and endpoint usage,”
Case study
Hiring crisis
The solution generates consistent
user activity logs for IT staff...”
Cabri says. The solution also generates
consistent user activity logs for IT staff
across the entire cloud environment –
critical for effective risk management
and for correlation with existing SIEM
environments. Additionally, Skyfence
– Frank Cabri, VP of marketing, Skyfence
has built-in enterprise integrations that
blind spot for us, Walker admits. “We
cate users performing higher risk activity
make it simple to integrate with enterprise
lacked both the visibility into what cloud
while automatically enforcing security
directories and market leading SIEM
applications our employees were using
policies across all their cloud services.”
solutions from Arcsight, Splunk and Q1
and the ability to monitor activity and
Additionally, Skyfence provides a
Labs, adds Cabri.
unauthorized access.” But, the implemenvariety of deployment options – whether
The implementation at EMF went
tation of Skyfence provided the ability
cloud, on-premise virtual or physical
smoothly, says Walker. “We used the
to automatically identify managed and
appliance inline and non-inline). No
Skyfence cloud deployment option so
unmanaged mobile devices
agents are required on endpoints and
there was no on-premises
accessing cloud apps and
there is comprehensive support for any
equipment required and
to enforce specific access
application. Further, it provides contextusupport was seamless.”
policies based on whether a
al user information from AD, and not just
And, it’s very easy to
device is managed by IT or
IP addresses. Too, it fingerprints each
manage, he says, since
not, he explains.
users’ unique identity and behavior to
it does not have any
profile how they access cloud applications
API dependencies and
in order to automatically look for atypical
does not use any agents.
A detailed profile
behavior indicative of compromised
“It provides seamless
The solution includes
credentials or a malicious employee.
interoperability with
dynamic user and device
Skyfence Cloud Gateway is available
single sign-on vendors
fingerprinting technology
as a cloud service, on-premise appliance
for easy integration. Also,
to quickly establish a
Juan Walker, principal security
or virtual appliance, and as a managed
because it is application
complete and detailed
strategist, EMF Broadcasting
service. When using the gateway
agnostic, Skyfence can
profile of behavior based
on-premise, inline and offline configurasupport any current and future cloud
on the normal patterns of use for each
tions are supported. Updates (including
applications that EMF implements.”
user, department and device, says Cabri.
new features and new risk information)
An added value is that the offering
“Any access that fails the fingerprint
are made automatically via the internet.
does not store payment card information
test can be configured to immediately
The cloud is no longer a future
in the cloud, so there are no compliance
alert, block or require two-factor identity
technology, says Cabri. “For many
requirements at this time.
verification in real-time, giving IT staff
organizations, the move from on-premise
The Skyfence tool currently reaches
at EMF the ability to strongly authentito software-as-a-service (SaaS) applications
across EMF’s entire network supporting
– such as Office365, Salesforce.com,
all cloud applications and users at EMF.
HANDS-ON:
Google Apps, Dropbox, NetSuite and
The radio network plans to enforce
Insight
others – can result in significant cost
the same levels of security monitoring
savings and increased flexibility.” But, he
and protection across all cloud
According to Frank Cabri, vice president
points out, it also introduces business and
applications so it will expand its use
of marketing for Skyfence, the tool’s
security risks as SaaS applications create
of Skyfence to new users, apps and
analytics provide critical insight and
“blind spots” that cannot be addressed
endpoint devices as they are introduced
intelligence into:
by traditional on-premise monitoring and
into its environment.
Data usage: Who performed actions,
security solutions.
“Our policies have changed to focus
viewed or modified what, when, and
“While cloud apps and services are
on extending the same security measures
how often;
changing
the computing environment,
we use in the datacenter to cloud apps,”
Privileged user monitoring:
IT
requirements
for safe and productive
says Walker. “Skyfence helps us ensure
Including data access, configuration
use
of
resources
have
not changed. With
that the same security best practices
and user permission modifications;
Skyfence,
users
get
the
apps they want
used in our on-premise datacenter are
API activity: Cloud app and services
and
IT
gets
the
visibility
and control
being applied to our cloud environment.
data accessed via APIs.
they need. n
Cloud app usage had created a security
Recruiters say that corporations and
government need to rethink their
defenses to address critical
talent shortages, reports
Larry Jaffee.
HELP
WANTED
T
he continuing jobs crisis regarding the
availability of quality IT security professionals can be summed up with an old adage:
Penny wise, pound foolish. That’s because workers
in the field are in greater demand than ever before,
but companies often don’t invest in
them until after a crisis strikes.
Hiring crisis
Companies don’t understand the
value of talent and the resource.”
According to specialized recruiters,
the talent dearth lies with a general
failure to make security an utmost
priority to develop and retain skilled
experts charged to protect the family
– Jeff Snyder, president, SecurityRecruiter.com
jewels. Unfortunately, corporations
information security.
Besides revamping upper-and-lower
usually wait until they’re hacked and
In order to satiate the more immediate
education, Adam Malanaphy, managing
then overpay for outside consultants,
need, Malanaphy advises making
director of Montclair, N.J.-based IT
rather than prepare proactively in-house
available more certifications at U.S.
recruitment firm Glenmont Group,
for the real possibility – or more
colleges and universities, with special
believes solving the
accurately, inevitability –
emphasis on guidance departments
shortage will take
they might be a target for
to understand the viability of the job
a change in public
a major breach. Experts
market. “Internal recruiters should focus
perception of the
by and large concur
their time on key universities offering
information security job
that better recruitment
advanced degrees,” Malanaphy says. He
market. “One way to
at the university level
admits that at his firm the focus is not
bring this issue into the
may improve the future
on recent grads, but on candidates who
limelight is to pressure
situation, which these
are currently working in these positions.
politicians to highlight
days increasingly includes
Education and experience are not equal
the demand for skills in
going overseas for
in the real world.
information security,”
qualified candidates.
“When a society becomes too
he says. Introducing
Moreover, it behooves
Adam Malanaphy, managing
focused on passing a test, as opposed
specialized courses at
the industry to promote
director, Glenmont Group
to actually doing stuff, then you have
STEM high schools is
IT security as a hot,
a real problem,” says Lee Kushner,
an initial step that will pay off in the
well-paying career to young computer/
president of LJ Kushner & Associates,
future, says Malanaphy, whose firm is
mobile enthusiasts before they even
a Freehold, N.J.-based executive search
actively working on around 125 open
graduate high school and, ideally,
firm specializing in the information
positions, of which about
instill that philosophy within education
security industry. “Information
20 percent are in
curricula as early as possible.
security is more of a learned
skill. Certified is not qualified.
That is really the wrong way of
VIEWPOINTS:
looking at this problem.” Kushner
Value of certs
squarely places the blame on HR
departments that historically have
We talked to two security experts at Veriwhich is why I’m going
not
given information security the
zon Enterprise Solutions and while each
for a master’s in busi2
respect
it deserves – and absolutely
earned a CISSP certification from (ISC) ,
ness information technology at
requires
at this juncture. He’s seeing
they both had a slightly different take on
DePaul University in Chicago.”
HR
departments
combining roles –
the value of certifications.
Maureen Kaplan, managing director and
choosing
from
applications,
security,
“People in my area are working on very
chief operating officer, global security at
engineering,
development
and
architecVerizon Enterprise Solutions, agrees for
practical day-to-day security skills,” says
ture
–
into
one
position.
the most part with her colleage, but has
Fawaz Rasheed, managing director, global
“The people capable of doing all those
a slightly different perspective. “What I
security solutions engineering at Verizon
things
generally outstrip compensahave found is that taking a different course
Enterprise Solutions. “So I would say if
tion,”
he
says. “They’re in high demand.
that may not be directly related to the job
they are looking at adding on a certification
Talented
people have a lot of choices.”
may give you an opportunity to uncover
they pick just a couple of very targeted
Instead,
corporations should be
emerging technologies and look at your
certifications such as the hands-on trainpatient
when
recruiting talent in
company’s security in a different light and
ing from GIAC or the CISM or CISA from
the
same
way
corporate leadership
then be able to relate to our customers in a
ISACCA. Of course, as you get into the
programs
recruit
MBAs from grad
different way.”
second level and move into management,
schools,
Kushner
advises. Corporations
– Steve Zurier
the security certifications tend to level off,
recruiting for information security need
salaries will never rise above the level of
to put grads into a path that earn X, then
that focus on a job candidate’s aptitude
a security professional’s peers in IT.”
18 months later 20 percent more, and
and talent rather than focusing on a
Jeff Combs, principal of J. Combs
in 36 months plus, another 20 percent.
job candidate’s particular skills at the
Search Advisors, which recruits
“And they should be
moment,” Snyder says.
information security and IT risk
telling the new hires ‘we’re
“Education supports
management pros, believes that higher
going to train you in a
experience. Education
salaries may not be the overriding factor
whole bunch of different
without experience is not
in finding and keeping talented security
disciplines with security
of great value.” Too, upper
people. “Money is only part of the
compliance and regulation
management must be
equation,” he says. “Companies need to
and stuff like that, and
alerted to – and address
provide a security-supportive culture, an
you’re going to become a
the need – of compensatopportunity to do meaningful work and
fabric of our company,’”
ing security talent, which
career growth opportunities.”
he says.
will ultimately help the
The ramifications of such skills
Such a pitch would
organization’s bottom line.
shortage
can impact the nation’s critical
be enticing to somebody
“What
needs
to
Jeff Snyder, president,
infrastructure, Combs believes. “It
seeing that kind of runway, SecurityRecruiter.com
happen first is that
means that U.S. companies will always
says Kushner. But, he
critical infrastructure
be playing catch up when it comes to
cautions, treating IT security professioncompanies need to step into the current
the global technology arms race. Lack
als the same way they do lawyers or
century and recognize that they need
of a supported, well-staffed security
accountants could upset the internal HR
to devote budget to information
applecart. “Companies don’t understand
the value of talent and the resource,”
he says. “They put IT security into
general HR buckets. That’s the problem.
Companies don’t have the mechanism to
– Lee Kushner, president, LJ Kushner & Associates
get out of that kind of thinking.”
Jeff Snyder, president of SecurityRecruiter.com, of Woodland Park, Colo.,
program, which includes recruiting
security,” Snyder says. “Only after senior
agrees with Kushner that companies
efforts, will lead to more companies
executives recognize the need to support
are going to have to build talent from
and their customers being affected by
information security strategy, can talent
within. “This means that they need more
significant security breaches, brand risk
be addressed. As long as information
strategic talent acquisition programs
and loss of intellectual property. n
security is thought of as a piece of IT,
Certified is not qualified.”
GET THEM YOUNG:
Filling IT positions
Nearly all IT security recruiters agree that one way to
tackle the lack of qualified professionals is to find and
nurture talent at a young age. So we asked a recently
retired high school teacher what he thought about the
prospects of getting whiz kids to think about computer
careers other than programming video games. Chuck
Goodman, who taught computer science at the Manhattan Center for Science and Mathematics, believes it’s a
great idea to offer a computer course focusing on security. His
former East Harlem school, once beset by drugs and dropouts,
within four years of its creation was considered one of the public
school system’s best turnaround examples. Goodman would open
the school’s four computer laboratories at 7 a.m. and it would
remain packed into the evening.
“We don’t allow games on the computers, games don’t get you into
college,” Goodman told The New
York Times in 1986. Today, the
need for skilled computer technicians is even greater, he believes,
because of the sophistication of
hackers, who clearly have an understanding of the inner workings
of computers. “That’s how these
bad guys get in. They know where the
holes are,” says Goodman, who wrote
the NYC Board of Education’s first treatise on
computer viruses 20 years ago. Recent high-profile hacks, such as
those hitting Target and Home Depot, should be enough incentive
for today’s bright high school students to realize that there are wellpaying IT security jobs ahead, he adds.
Case study
MAKING THE GRADE
A Chicago-area high school found a solution
to broaden its internet pipeline and maintain
compliance, reports Greg Masters.
Y
oung students are more sophisticated in their use of computers
than we may be willing to admit.
They have, after all, been plugged in
since birth, perhaps more comfortable
with remote controls and game consoles
than their parents. So, it’s no surprise
that they can easily find ways to circumvent restrictions put in place to prevent
their accessing inappropriate material on
their school computers.
One high school in the Chicago area
put a technology solution in place to
both broaden its network capacity and
restrict the dissemination of inapproprite
material to savvy computer users.
Minooka Community High School
(MCHS), comprised of about 2,500
students, is situated southwest of Chicago.
Its central campus is located in Minooka,
a south campus is in Channahon and its
administrative offices are in Shorewood.
Les Kern, director of technology at
OUR EXPERTS:
Safe port
Les Kern, director of technology,
Minooka Community High School
Bob Walters, president and CEO,
Untangle
solution and it recommended a network
appliance called Internet Content (IC)
Control from Untangle.
“Sentinel recommended Untangle’s
IC Control specifically because of its
ability to do a full SSL decrypt and
re-crypt,” says Kern. They informed him
MCHS, had become frustrated with
that the tool has a patented technology,
the school’s legacy web filter because it
called Anonymous Proxy Guard, that
couldn’t stop web filter avoidance by his
ensures all ports and protocols would
students using SSL connections.
be examined and handled
Although with this
appropriately based on the
system in place he
school’s filtering policies.
hadn’t encountered any
“IC Control helps
serious issues, he began
network administrators
a search for a solution
diagnose and resolve
– as students were able
internet traffic problems
to access inappropriate
– such as bottlenecks,
content jeopardizing the
over-saturation of
school’s compliance to
recreational traffic,
The Children’s Internet
application performance,
Protection Act (CIPA) and
optimization of hosted
putting subsidy funding at
and cloud services, and
risk. Of course, the school Bob Walters, president and CEO,
Untangle
prioritization of critical
had to be in compliance
traffic – ensuring network
with CIPA, which
performance, reliability and stability,”
addresses concerns about children’s
says Bob Walters, president and CEO of
access to inappropriate material over
Sunnyvale, Calif.-based Untangle.
the internet. The act levies a number of
The tool, he says, is available to
requirements on schools and libraries
customers on network appliances and
which, through an E-rate program,
offers a single-interface, turnkey internet
receive discounts for internet access or
management solution that includes
internal connections.
network monitoring, internet traffic
Kern was responsible for reviewing
analytics, bandwidth management and
and choosing a solution. He, along
traffic shaping, application prioritization,
with his five-person IT team – an IT
cloud optimization and web filtering. “It
specialist, two technology assistants and
a technology aid – asked their IT services is a highly scalable solution appropriate
for large organizations with bandwidth
partner, Sentinel Technologies, for a
up to 10 Gbps,” he says.
The solution is intended for medium
to large organizations in all vertical
markets that need a purpose-built,
highly scalable appliance which can be
run as a transparent bridge to provide
granular, dynamic reporting, he says. “It
gives immediate insight into where and
how network problems occur – resulting
in improved internet performance and
lower bandwidth costs.”
Deployment of the Untangle tool
went smoothly, says Kern, and his
team is pleased with the deployment.
“It’s very easy and quick to diagnose
and solve internet-related issues,” he
says. “The appliance saves me time in
managing the internet connection to
handle the school’s bandwidth, and
it definitely gives me peace of mind.
Since filter avoidance is no longer a
problem, the school’s network remains
The appliance saves me time...”
—Les Kern, Minooka Community High School
CIPA compliant. Because of IC Control,
our students can’t use SSL or other
techniques to access restricted content.”
Untangle IC Control reaches across
the district’s network of 1,100 devices –
including desktops, laptops and iPads
– in its three locations.
“IC Control’s real-time, rich data
reporting gives network administrators
an unprecedented view of layer 7 traffic,”
says Untangle’s Walters. “This gives
them insight into what data is flowing
over their network at any given moment
so they can set policies that make sense.”
Customers of the offering can opt
into software updates as they become
available, he adds. All of the security
databases (like virus definitions and URL
categorization) are updated in real-time.
One other reason Kern and his team
chose the tool is that it can handle the
school’s anticipated future growth, and
the evolution of both the internet and
the students’ technological sophistication, he says. “IC Control provides
historical data for long-term diagnostics
of traffic and bandwidth use for the
district.” n
Product Section
iSIGHT Partners
Silobreaker
Adds a lot of
value to your
stack P42
Solid open
source intelligence
gathering P46
Threat intelligence emerges
W
ith this issue we are starting a bit of a
makeover for the emerging products.
We listen to what you tell us and you
tell us that for these products you want more
depth. Done. We are reducing the number of
emerging products groups to two per year and
increasing the number of products. Most important, though, we are increasing the space we are
giving the products. So now you get a full page.
Our group this month is threat intelligence.
This is a truly emerging market space. It’s looking for its wings and
customers across all verticals are starting to realize the value of actionable intelligence and cybersituational awareness. There are lots of ways
to skin this cat and we had the opportunity to see and play with most of
them.
A word about ratings. As a general rule we don’t give star ratings, Best
Buy or Recommended designations for emerging products. That won’t
change as we move forward. However, sometimes we run into a special
product or service and we want it in our lab. For that we give the SC Lab
Approved rating. We will move that into the emerging products issues
because some products we see are pretty spectacular.
It’s a new year and with the new year we have new projects. So here
are some things to keep your eyes open for. There will be more content
on our website, scmagazine.com, perhaps including my blog, Threat
Hunter.Also, we’ll be leveraging the site to nimbly add small emerging
product reviews throughout the year when we think a particular sector
is appropriate to cover. This will allow us to stay current with the rapidly
evolving marketspace and keep you better informed. Even though some
emerging product types have, as yet, just a few players, if they are worth
your time they’re worth our space.
As well, I invite you to follow me on Twitter – @nuciso – where I am
keeping followers up to date on current technical issues in the worlds of
digital forensics, cyber threats and other rather geeky stuff – pointers to
good, solid, useful technical articles, often in SC Magazine.
So, welcome to a new year here in the products section of SC Magazine
and to SC Labs. After well over 20 years writing for SC, I really am looking forward to some of the things we have on tap for you in 2015.
– Peter Stephenson, technology editor
SurfWatch Labs
Provides a view
of cyber threat
intelligence P47
Emerging products: Threat intelligence
Having the right products to provide solid intelligence analysis can go a long way toward
protecting you against the ravages of a Sony-style compromise, says Peter Stephenson.
How we test and score the products
SOMETHING NEW
Our testing team includes SC Labs staff, as well as external experts
who are respected industry-wide. In our Group Tests, we look at
several products around a common theme based on a predetermined set of SC Labs standards (Performance, Ease of use,
Features, Documentation, Support, and Value for money). There
are roughly 50 individual criteria in the general test process. These
criteria were developed by the lab in cooperation with the Center
for Regional and National Security at Eastern Michigan University.
We developed the second set of standards specifically for the
group under test and use the Common Criteria (ISO 1548) as a
basis for the test plan. Group Test reviews focus on operational
characteristics and are considered at evaluation assurance level
(EAL) 1 (functionally tested) or, in some cases, EAL 2 (structurally
tested) in Common Criteria-speak.
Our final conclusions and ratings are subject to the judgment
and interpretation of the tester and are validated by the technology editor.
All reviews are vetted for consistency, correctness and completeness by the technology editor prior to being submitted for
publication. Prices quoted are in American dollars.
Twice a year,
Technology Editor
Peter Stephenson
and his team
EMERGING at the SC Lab
PRODUCTS address emerging
technologies and markets. The purpose is to look at segments in the
information assurance space that
represent new technologies, needs
and capabilities. In those emerging
areas there always are new entries
and old pros that want to expand
into the space. We will be looking at
both – and bringing you the companies, products and services that we
believe will shape the future.
What the stars mean
Our star ratings, which may include fractions, indicate how well
the product has performed against our test criteria.
★★★★★ Outstanding. An “A” on the product’s report card.
★★★★ Carries out all basic functions very well. A “B” on the
product’s report card.
★★★ Carries out all basic functions to a satisfactory level.
A “C” on the product’s report card.
★★ Fails to complete certain basic functions. A “D” on the
product’s report card.
★ Seriously deficient. An “F” on the product’s report card.
LAB APPROVED
What the recognition means
Best Buy goes to products the SC Lab rates as outstanding.
Recommended means the product has shone in a specific area.
Lab Approved is awarded to extraordinary standouts that fit into
the SC Labs environment, and which will be used subsequently in
our test bench for the coming year.
R
egardless of who or
what you believe
hacked Sony, it was a
massive cybercrime. Was it
an act of cyberwar? That’s
not for us to determine, but
regardless, laws were broken
and the attacks came via
cyberspace. So we have, at
the least, a very serious and
rather complex cybercrime.
Why does this lack of
distinction matter? First, it
matters because there is an
emerging pattern of attack:
whether nation-state, substate, criminal enterprise or
individual, criminal hackers are the executors. That
pattern is characterized by
Lockheed Martin as the
cyber kill chain. The term
gives us a clear way to visualize what really goes on in a
cybercampaign.
One of the things that we
especially like about the kill
chain is that it gives a concise,
no-nonsense definition of
advanced persistent threats,
particularly “threat.” We
tend to confuse threats with
malware. So if we are hunting
threats we are hunting malware. While it certainly is true
that malware may be involved,
Lockheed says – and we agree
– that a threat is a person or
persons with intent, opportunity and capability.
That sounds a lot like the
motive, method and oppor-
tunity that defines the likely
perpetrator of a crime. And
that is exactly what it is. At
the end of the day we must
start to think of cyberattack
campaigns as crimes carried
out by people – not machines
– with motive, method and
opportunity. Understanding who these people are
through their attacks is a
sort of Holy Grail for cyberanalysts and investigators.
Without that there is no
attribution. And, as a challenge, attribution is about as
difficult as it gets.
Understanding the kill
chain for a particular type
of campaign is a huge step
toward protecting and
responding. And that is where
cyberthreat intelligence comes
in. Cyberthreat intelligence
is the meat and potatoes of
this month’s emerging products group. This likely is the
newest product classification
in our field and it certainly
has become one of the most
important in its short lifetime.
Strangely, several of the
companies we are looking at
this month have been around
a while doing something
that relates to what they are
doing now. The leadership
in most of these companies
comes from some sort of intelligence background. And,
importantly, these intel folks
have teamed up with – or
are themselves – some pretty
impressive software development talent.
There is a concept called
crime assessment that says
look at the crime, understand
it and from that understand
the criminal who committed it. We look at the crime
scene and we ask: Why would
someone do this? Do we have
a starting point for attribution? And so on.
A lot of these questions
can be addressed – if not
always answered completely
– through solid intelligence
analysis. And if all goes well
and you have the right products, knowing these answers
in advance can go a long
way toward protecting you
against the ravages of a Sonystyle compromise.
What is even more interesting is that organizations
are finally coming around
to the fact that without
cybersituational awareness
they are in very treacherous
waters. Still, this is not a
journey for the faint-hearted.
Having data is not even
close to having enough of
the tools needed to break
the kill chain. You have to
understand the data in the
context of the overall threatscape. That is a lot easier to
say than it is to do, but this
month’s offerings are a solid
step in that direction.
EMERGING PRODUCTS Threat intelligence
EMERGING
PRODUCTS
DETAILS
Product Network Protection System
v2.1
Company Centripetal Networks
http: www.centripetalnetworks.com/
Price Starts at $60,000.
What it does Active network defense
merging cyber threat intelligence and
security stack management.
OUR BOTTOM LINE
This is an industrial-strength integration of cyber threat intelligence with
system management. It plays well
with other network security tools
because it was designed from the
ground up to do exactly that. As well,
it consumes threat intelligence and
converts that into actionable intelligence that can be applied to a SIEM
or other tool. It is easy to configure
and has a rich feature set at the
executive, system operator and
analyst levels.
There is a lot to do and see here,
and the complexity of the threatspace is reflected somewhat in the
system and its tools.
So, our bottom line here is this is a
notable tool and certainly one of the
best integrations of intelligence and
security stack management we’ve
seen. However, it is not for the fainthearted. But then, playing in today’s
threatscape isn’t either.
EMERGING
PRODUCTS
Centripetal Networks
FireEye
Network Protection System v2.1
Threat Intelligence
T
F
his is an interesting product. It collects threat intelligence data from
a variety of sources, including its
own organization, and applies that intelligence to manage network protection at the
enterprise. By partnering with a number
of threat intelligence providers and several
technology vendors, Centripetal’s Network
Protection System (NPS) provides what
the company refers to as Active Network
Defense.
NPS operates in such a way as to provide
support for analysts, systems operators,
CxOs and executive management. That
means that it produces the sorts of outputs
that are uniquely useful to each of these
groups. Because the difference between
actionable intelligence and the flow of
threat data from internet sensors is noise,
the object is to get rid of the noise so that
the actionable data is exposed. That is an
important layer of NPS functionality.
In each of the cases above, NPS not only
provides the unique kind of data needed
by the particular audience, it focuses that
data in the ways most useful at that level.
So, for example, for the analyst, NPS
focuses on the data, matching the analysis
to the expected analyst workflow. For the
system operator, the focus is on managing
the security stack. And for the executive,
NPS provides situational awareness and
presents data in the form of effective use
of resources and budget. These varying
perspectives result in a completely unique
approach to actionable cyberthreat intelligence.
The heart of the NPS is the RuleGate
threat intelligence security layer. This is
an appliance that manages five million
threat indicators at wire speeds up to
10Gbps. It is policy driven and enforces its
policies across the enterprise correlating
internal hosts and external threats. It is
not intended to be a standalone solution to
the security challenges of the enterprise.
Rather, NPS works with other network
security components to improve its overall
security posture.
There are some intelligence feeds from
external sources, including open source
and Centripetal’s own, but you can purchase commercial feeds through the platform itself. Those feeds integrate into the
system, which consumes, integrates and
correlates the data as part of QuickThreat.
Rule sets are easy to use and the user
interface is comprehensive. The system
looks at both inbound and outbound data
flows and tracks TOR exit nodes. The UI
is web technology, but it is a custom implementation that uses a wrapper for browser
compatibility. This is a serious system built
from the ground up – no customized offthe-shelf appliances here – by Centripetal
in the United States
ireEye Threat Intelligence is part of
the overall FireEye suite of security
products. It is, in fact, the primary
intelligence component and is used to help
drive other FireEye products providing
active blocking at networks, endpoints
and mobile devices. The service – available as a subscription – has three available
levels: Dynamic Threat Intelligence (DTI),
Advanced Threat Intelligence (ATI) and
Advanced Threat Intelligence Plus (ATI+).
The differences among these three services
are largely based on the level of detail in
the reports you receive and the number of
included services. In addition to proactive
notifications and alerts, there is a portal
from which users can access significant
threat intelligence and conduct their own
research.
The resources are prodigious. The
system conducts more than 50 billion
virtual machine analyses per day, including 400,000 unique malware samples and
more than one billion non-malware events.
This all is possible due to FireEye’s deep
insertion into the global threatscape. We
liked that it updates every hour. With the
speed at which cybercrime is moving, that
level of update frequency is not, by any
means, overkill.
The relationships of the three levels of
service to each other is part of the strength
of the threat intelligence suite. DTI largely
DETAILS
Product Threat Intelligence
is a machine-to-machine connection that
enables detection and response when connected to the FireEye products. By adding
ATI, you add context.
Users access the Threat Intelligence system through the FireEye Intel Center. This
is a way to get direct intelligence from FireEye and gives users the ability to document,
manage and share their own intelligence
with other users. In the Intel Center users
can look at current threats and drill down
for more information.
The primary focus of the FireEye system
is malware and that is, in today’s threatscape, appropriate. However, the company
does collect considerable data on non-malware-based attacks and exploits. By combining these two attack types users can get
a comprehensive view of the threatscape
as it applies to them. Tying the threatscape
to the user’s enterprise infrastructure is a
powerful step in proactively protecting the
enterprise data.
As users interact with the portal a lot
of things go on under the covers. For
example, as new threats, malwares and
hostile addresses, URLs and domains
are researched, the FireEye system creates encyclopedia entries. This adds to
the knowledge base and gives the analyst
more to work with. Malware that the user
discovers can be submitted to the FireEye
sandbox for analysis.
Company FireEye
https://www.fireeye.com/
Price Depends on services ordered.
What it does Cyber threat intelligence and proactive threat-based
management of FireEye network
security tools.
OUR BOTTOM LINE
FireEye is a venerable player in the
threat analysis and response space.
With its acquisition of Mandiant they
have added materially to their knowledge base, and users of the Threat
Intelligence system benefit by that.
We had the impression that the
availability of ATI and ATI+ depended
on having the rest of the FireEye
network protection system in place
since those modules include DTI.
This is an extremely powerful system for gathering, analyzing and acting on cyberthreat intelligence. The
wealth of available data is impressive
and FireEye is an experienced player
with a heavy recorded history of data
going back 10 years or more. We do
wish, however, that this wealth of
analytical power was readily available
as a standalone service for threat
analysts who are not necessarily part
of a network defense team.
EMERGING
PRODUCTS
DETAILS
Product ThreatScape
Company iSIGHT Partners
http://www.isightpartners.com
Price Varies depending on deployment.
What it does Adds a lot of value to
your security stack by applying threat
intelligence. Provides a prodigious
amount of extremely useful research,
much of it from analysts around the
globe.
OUR BOTTOM LINE
This is a really competent add-in for
your existing security stack, as well
as a very good analyst’s tool in itself.
The reporting is rich and its ability
to add value to the elements of your
security stack are impressive. We
liked the extensive reporting.
We would like to have some sort of
indexing or way that we could teach
it to go for the explicit issues that
interest us. Perhaps there is a way to
do this but we did not see it.
This is a tool that you absolutely
need to look at. In the fast-moving
world of cyberintelligence you never
can have too many – or, perhaps,
enough – good tools. This one adds
real value to your analysis and to
your security stack.
EMERGING
PRODUCTS
iSIGHT Partners
Norse
ThreatScape
DarkWatch
T
his is a company that, starting in
2007, decided that it could make
the security stack better and more
responsive to risks by integrating intelligence into the security management process. This is not to say that iSight has not
addressed the cyber threat intelligence
analyst. Simply, it has done that and more.
There are two aspects to the iSight product: the portal and the API.
The entire process – through the portal
or via the API – originates in the ThreatScape Intelligence Platform (TIP). This
platform feeds the cloud and provides the
data that users access one way or another.
iSight employs a large global research
team so that intelligence comes from,
among other places, boots on the ground
in the various locales where cyberthreats
are originating. To do that, the company
has more than 200 experts in 16 countries
working in 24 languages. These operatives follow cyber crime, cyber espionage,
hacktivism, threats to the enterprise and
critical infrastructure, and vulnerabilities
and exploits.
ThreatScape deliverables include
reports, direct access to the cloud
through the MySight Portal, and dedicated client support. If you deploy the
API, you also get a good number of outof-the-box integrations with such tools as
CheckPoint, ArcSight, Palantir and RSA
Archer eGRC.
The MySight portal provides categorized information on the classifications
above and allows drill-down for greater
details. There are about 100 available
reports per day so finding that which
could impact your organization likely is a
given. These more detailed classifications
are viewed in the context of three basic
types of intelligence: threats, malware
and vulnerabilities. These classifications
are what the company calls ThreatScapes.
One ThreatScape particularly addresses
such things as fraud and underground
marketplaces – think Silk Road. For an
organization such as a financial services
company, the Cyber Crime ThreatScape is
very important. The other ThreatScapes
are equally detailed and focused.
The API provides threat intelligence
input into other threat analysis tools, as
well as tools that in one way or another
manage the security stack. For example,
connecting to Splunk provides additional information about addresses and
domains that are recognized by Splunk
as it collects security information on the
enterprise. That additional information
appears directly on the Splunk desktop.
For other tools, the API provides the
ability to block or alert, help prioritize
patch management and support incident
analysis.
T
hese guys are really interesting. We
first came across them some time
ago when we needed an impressive
way to open a talk on cybersecurity. We
found their attack map and started digging
into what they had. If you think the map is
cool, consider data centers in 140 countries
and tens of terabytes per day of data that
they are analyzing. All of this is focused in
the Norse DarkMatter Platform. DarkMatter collects data from sensors, geolocation, open source and a wide variety of
other sources. It then uses advanced Big
Data analytics to make sense of the massive amounts of data and then makes the
analyses available to Norse customers in a
variety of ways.
The deeper we dug into the Norse DarkWatch product the more impressed we
were. Of course we expected honeypots.
And Norse does use low interaction honeypots, but they account for only about 20
percent of the total data gathered. Additionally, using a tool it calls Anon-Proxy,
Norse is watching somewhere around
200,000 TOR exit nodes on a daily basis.
If you need a lot of cyber threat intelligence, this is a good way to get it.
Access to Norse data is through the
firm’s API or through its portal. The Norse
DarkWatch appliance is a pretty impressive tool itself. It updates from the same
DarkMatter fire hose every five seconds
DETAILS
Product DarkWatch
and can alert or block. The dashboard for
DarkWatch is straightforward and typical
of dashboards we all are used to seeing.
It is pretty plain but clearly laid out, and
drill-down can get you just about anything
you need.
Of course the key to ease of use is the
drill-down capability. Drilling down
from the main interface you can get to a
lot of data, smartly arranged and nicely
categorized. Finding malicious sites,
crawling for new malware and developing
analyses is an ongoing task and with the
frequent updates to the device all of that
is available to the user. An interesting
example of this is capture of domains created using domain-generation algorithms
sometimes thought of as polymorphic
URL algorithms.
DarkWatch is a policy-driven device.
That means that users can develop or
modify policies that are created and delivered by the policy engine. DarkWatch’s
policy engine is easy to use and very flexible. Setting up a policy is a matter of a
few mouse clicks to define what you want
to do, to what you want to do it and when
you want the policy to kick in. A single
web page on the web interface has everything you need. Actions can be blocked,
alerts can be sent or simple notification is
available if that is all you want for a particular event.
Company Norse
http://norse-corp.com
Price $50,000.
What it does Threat intelligence appliance that ties the Norse DarkMatter
infrastructure to your network.
OUR BOTTOM LINE
This is the Cadillac of cyberthreat
assessment tools. It is big, complete
and it does just about everything
you could want. Its user interface is
well-organized and its data sources
are extensive. DarkWatch comes as
an appliance or as a virtual appliance
but beware: the virtual appliance is
power-hungry.
This is one you should take very
seriously. Typically we look for warts.
In this case, though, we found none.
The Norse product suite is, as a
whole, a sort of benchmark if there is
such a thing in this product space –
and it is well worth your attention.
DarkWatch, DarkViking and
DarkList all add to the benefits that
Norse customers can take advantage
of but they all have in common the
DarkMatter Platform. That is the
secret sauce and pretty tasty it is,
at that. The IPViking attack map is
pretty cool, too.
EMERGING
PRODUCTS
DETAILS
Product Investigate
Company OpenDNS
http://www.opendns.com
Price Starts at $150K per year based
on use and volume.
What it does Threat intelligence
derived from more than one billion
DNS requests per day through the
OpenDNS system.
OUR BOTTOM LINE
Investigate is a must-have for your
threat analysis toolkit. Our technique
of pivoting off of the suspect domain
to uncover a potentially malicious
architecture is greatly enhanced by
Investigate. It provides the context
for a solid analysis of a potential
threat.
However, unless you really like
playing with it, and we do, you are far
better off to deploy the API.
You need this tool but it really belongs in your data protection
workflow where it can automate the
process of hunting and can dig deeply
through large suspicious networks of
just about any ilk. So we recommend
the API. Of course, it wouldn’t hurt
to get a license or two of the manual
version for the geeks who really like
to dig into threat analysis.
EMERGING
PRODUCTS
OpenDNS
Recorded Future
Investigate
Cyber
O
penDNS is an interesting concept.
It offers two choices for users: nocost for personal use and a paid version for commercial use. The idea behind
OpenDNS is that the company provides an
assured, independent, secure set of domain
name servers. When top-level domain servers are compromised by attacks such as
cache poisoning, OpenDNS servers can
be relied on to provide safe
domain name service.
As a result, engineers at
OpenDNS have developed
LAB APPROVED
tools they use to manage, monitor and investigate potential cyberthreats,
especially those that impact name servers
directly. One of those tools is Investigate.
The purpose for Investigate is simple,
although its use can become complicated
and tedious depending on what you want
to know and whether you are running the
tool manually or from the API. But, we
are getting a bit ahead of ourselves and
giving, perhaps, the impression that this is
an incomplete or poorly thought-out tool.
In fact, nothing could be further from the
truth.
To apply Investigate in its manual mode,
we start with a known address. Let’s be specific. Recently we received four IP addresses that had appeared at the gateway of one
of our industry partners. Associated with
those addresses was a persistent vulnerabil-
ity scanning effort. Rather than simply the
expected knob-twisting we all experience
daily, this appeared to be a concerted effort
to find a weakness and it appeared to be
automated. What to do?
We took the first of the four addresses
and fed it to Investigate. No threats reported. OK…on to the next. We went through
three before we hit pay dirt. This showed
that it was a fast flux network. Scrolling
down a bit we found hundreds of IPs that
were part of the network. DNS checks on
several of these IPs gave back nothing. Traceroute gave back nothing. It looked like a
fast flux botnet. Its URL suggested use of a
domain-generating algorithm.
Next we looked at the domains hosted
under this IP. There were six. Each one
was also a fast flux with huge numbers of
unidentifiable addresses attached. Our
conclusion was that this posed a potential
problem and we told our partner not to
bother blocking the IPs. Rather, block the
domains. We gave them a domain list and
that ended the problem.
All of this took about two hours using
Investigate only – and only in its manual
mode. We manually mapped out a suspected botnet architecture. Deployed as an
API we would have had the task finished in
seconds. This is a threat analyst’s tool par
excellence. We designate OpenDNS Investigate with an SC Lab Approved rating.
T
his is one of the open source intelligence services that really fits well
into the cyberpicture. Open source
intelligence takes several forms, from websites to blogs, research papers and other
publically available sources. Recorded
Future’s strength decidedly is its deep
reach into the cyberworld.
Recorded Future accesses more than
600,000 sources and the firm
adds new ones regularly. One
of the unique aspects of this
company is that rather than
LAB APPROVED
depending on users to access
and pull down data, they push it so that
users are receiving what is needed when
needed. The company has several mechanisms for this. One that we have been using
here in the labs is its Cyber Daily report.
Cyber Daily recognizes the 80/20 rule:
80 percent of what you need is in the
top 20 percent of what you read. It gives
me just three things: Top suspicious IP
addresses, top exploited vulnerabilities (in
CVE and other formats), and top vulnerabilities in CVE format. The top vulnerabilities, as reported across the internet,
may not be the same as the top exploited
vulnerabilities. Having both lets us prepare for the near future and respond to
something that may hit us now.
Tying these two categories back to suspicious IPs lets you apply intelligence where
DETAILS
Product Cyber
you need it, only where you need it and
right now. We collect the IPs, for example,
and follow them for trending. As we see
relationships between IPs and vulnerabilities in the form of specific exploits that we
get elsewhere we can begin to build up a
threat architecture. We start to know what
we need to block.
The Recorded Future threat dashboard
is reminiscent of vulnerability and risk
dashboards that we all are used to seeing.
It contains excellent filters, good visualization and multiple ways of representing,
parsing and displaying the threatscape.
Drill-downs let you develop your own
reports on such things as the technical
indicators for a particular malware or
attack campaign. You can develop graphical representations of the evolution of an
exploit kit across the internet over time,
watching the periodic spikes of activity.
Recorded Future follows more than
100 specific event types and is available
in seven languages, including Arabic and
Chinese. This means that exploit discussions in these languages now are accessible
to speakers of other languages.
Recorded Future is a SaaS offering with
more than 300 virtual machines in its
cloud. The classification system is based on
a sophisticated ontology and the emphasis
on the technical aspects of cybercampaigns is clear and put to excellent use.
Company Recorded Future
https://www.recordedfuture.com/
Price Varies by configuration and
number of seats.
What it does Open source cyber
intelligence focusing on the technical
aspects of the cyberthreatscape over
the web.
OUR BOTTOM LINE
This is a solid, technically oriented
open source intelligence service. It
has the advantage of pushing critical
data to you and is easily configurable
to get to where you need to be on a
custom level.
Given the types of technical information it collects, it is not too far a
stretch to take that information and
apply it directly to the infrastructure
to assist in blocking rogue domains.
This is a first-rate, technically
focused open source intelligence tool
that plucks the wheat from the chaff.
However, we believe there is a huge
opportunity here to take the first
steps toward proactive automation of
the security configuration as an intelligence management system (think
patch management in the vulnerability space and translate that into the
threatscape). We like this one enough
to grant it SC Lab Approved.
EMERGING
PRODUCTS
DETAILS
Product Silobreaker
Company Silobreaker
http://www.silobreaker.com
Price Company subscriptions start at
$25,000 per year.
What it does Solid open source
intelligence gathering and analysis
tool that brings non-cyber context to
cyber threat intelligence analysis.
OUR BOTTOM LINE
This is a general open source intelligence tool with a solid, though
not extensive, focus on cyberintelligence. It is, however, extremely
strong in providing context between
cyber and non-cyber issues.
It ties cyber intelligence to
non-cyber intelligence. It has a lot
of internet resources, the ability to
build custom dashboards quickly and
relatively easily, and it is a fine tool if
you are a bit creative.
We believe that increasing focus
on cyberissues is an important next
step, especially in this marketplace
where the focus on cyberintelligence
is important. Just as important in our
view, though, is the ability to glean
context from non-cyber issues that
impact cyberattacks. These issues,
such as politics and economics, play
significantly but not always obviously
in the cyberworld.
EMERGING
PRODUCTS
Silobreaker
SurfWatch Labs
Silobreaker
C-Suite
T
his is another open source intelligence tool with its own twist.
We like the twist enough for us to
designate them SC Labs Approved. The
twist? Silobreaker started life looking at
an open source intelligence landscape
that had little or nothing to do with
cyberthreats. A UK company, it built its
focus on general open source intelligence
gathering over the internet and became
a solid service with significant reach and
analytical capability. It is a real
workhorse in our intelligence
analysis tasks.
LAB APPROVED
The biggest benefit that Silobreaker gives us is that it is not cyberspecific. The biggest issue in applying open
source intelligence is context. Silobreaker
helps provide context. It is a cloud-based
service and is accessed via a web interface.
The interface is straightforward and configuration, while not exactly intuitive, isn’t
all that difficult.
The tool has a lot of resources that it uses
to gather information. Its 400,000-plus
sources include blogs, web pages, social
media, research reports and quite a few
other types. One unique feature of the tool
is its ability to create custom dashboards
extremely quickly. You can create dashboards that are the basis for ongoing monitoring or you can create dashboards on the
fly to answer a particular question.
For example, we needed to get a quick
understanding of a particular botnet from
which we were beginning to see activity. Within less than 10 minutes we had a
dashboard that gave both an historical and
a current trending view of the important
factors in the problem. Because Silobreaker explicitly follows well over 200
specific hacker groups, context is fairly
simple to develop for any given problem
that revolves around hacking, ops or other
types of cyberattack campaigns.
There are several widgets that you can
use to create dashboards and you can
develop your own core data sets as well.
For example, you can create a list – for the
project mentioned, we created a list of all
of the prevalent exploit kits. We can play
that against a list of malware that Silobreaker maintains.
So if we are looking at exploit kits and
malware, and a particular exploit kit uses
a particular malware that connection will
show up on the network. You can then
drill down all the way to the indexed
source documents.
A big benefit of the tool is its ability to
track trends. We can look at a list and see
what elements of the list are trending hot
or cold (increase or decrease in hits over
the internet) in a sliding one-day or sevenday window. We also can see the specific
number of hits in those two windows.
T
his is, perhaps, the most unusual
of the products we looked at this
month. While we certainly do characterize this tool as a threat intelligence
tool – and a very good one at that – it has
a special capability, as one might guess
from the name: SurfWatch C-Suite. This
tool was born and bred to provide the
types of cyber threat intelligence that
executives need in a format they can use.
The C-Suite portal is the front-end for
an impressive intelligence gathering and
analysis framework.
This orientation is obvious. Fom the
moment you fire up the SurfWatch portal you are shown the types of questions
that executive leadership needs to have
answered: What is the cyber risk to my
industry sector? What cyber risks are
trending? Who’s being affected? How
does my cyber defense strategy align with
the leading risks to my industry? What is
the full picture of cyber risk to my industry? And are there breaking events for my
sector that I should pay attention to right
now? This approach is not surprising since
the founders came from the intelligence
community and are focused on actionable
intelligence at various levels within the
organization.
The upshot of the tool’s simplicity is
that executive users need to consume all
of the critical information and none of
DETAILS
Product C-Suite
the chaff in a brief scan of resources. In
short, they need to be equipped to ask the
right questions of the right people in their
organizations. C-Suite admirably provides
that level of knowledge. One of the important keys in executive boardrooms is that
one size does not fit all. Some leadership
may be sufficiently technical and interested enough to dig a bit deeper than the
surface. Some may prefer the 40,000-foot
level. C-Suite offers both extremes and a
lot in the middle.
Drill-downs are the key element of a
system that is sort of self-customizable.
By that we mean that the user can set the
level of detail deciding how deep a dive
they want to take. It is not necessary to call
the IT department just to slightly alter a
dashboard.
The process starts with the development
of your profile. That means information
about your business, what industry you are
in, who your customers and end-users are,
and the role of brand recognition. Once
that is done the tool starts to gather information that is useful to you. One of those
is the Cyberfact Timeline. This shows
what is happening – relative to your profile
– as events on a timeline. Besides showing
clearly when activity is happening, this
timeline allows you to drill down and see
details, such as the top 10 related actors,
targets or effects.
Company SurfWatch Labs
https://www.surfwatchlabs.com/
Price Starts at $10,000 for a single license based on annual subscriptions.
What it does Provides a distilled view
of cyber threat intelligence in a format
useful to executive management.
OUR BOTTOM LINE
This is a very good threat intelligence
tool where almost all of the threat
sources and analytics are under the
covers. It is particularly designed for
executive management and contains
only the types of information and
risks that these folks need to make
important decisions. Addressing
such things as budgets relative to
cyber risk is the core of what top
executives need to be able to do. I
If you need to communicate key
indicators of cyber risk to management in a way that not only makes
sense at the executive level but allows managers to tune what they get
to suit their own needs, take a long
look at C-Suite. We were tempted to
look for a bit more technical depth
until we realized that SurfWatch has
done a good job of keeping all of that
hidden – which, of course, does not
mean it’s not there.
Events Seminars
FEBRUARY
DFIRCON West 2015
Feb. 23-28
This Digital Forensics and Incident Response (DFIR) themed
training event brings SANS’s
forensic courses, instructors and
bonus seminars together.
Venue: Monterey, Calif.
Contact: sans.org/info/167347
»
MARCH
APRIL
Feb. 16-21
SANS is bringing its top IT security courses back to Arizona.
Venue: Scottsdale, Ariz.
EMERGING
PRODUCTS
DETAILS
Product Optic Platform
Company ThreatStream
http://threatstream.com/platform
Price Starts at $50,000.
What it does Acts as the middle of
the overall threat-managed security in
an enterprise. It collects threat intelligence and uses it to manage security
devices on the enterprise.
OUR BOTTOM LINE
This is a solid integration of lots of
threat sources and enterprise security tools. It takes threat intelligence
and uses it to configure, manage and
alert. The founder of ThreatStream
came from ArcSight so there is a
solid history behind this two year-old
company.
This is a worthwhile system to
explore. While it runs pretty much on
its own steam, so to speak, keeping
new threat streams feeding into
it requires some dedication from
analysts and security engineers.
When the threatscape changes
as rapidly as what we are used to
seeing today, having ThreatStream
is a first-rate proactive defense.
However, in such a changing environment it would be a mistake to “set
and forget.”
ThreatStream
Optic Platform
T
hreatStream’s Optic is a cyberthreat intelligence platform that
manages the lifecycle of threat
intelligence via integration across an
enterprise’s security infrastructure. It’s a
SaaS-based platform that users access via a
web-based portal. Adding OpticLink,
a software package that can be optionally
installed on customers’ premises, automates the process to operationalize riskscored and actionable threat intelligence
into the existing security infrastructure.
ThreatStream has a lot of neat functionality beyond the obvious benefits of a
direct intelligence-to-infrastructure connection. For example, partners can create
connectors that are provided through
ThreatStream’s Alliance Preferred Partner
(APP) store. The organization pioneered
the use of the modern honeynet network.
OpticLink goes on devices on which
users want to take advantage of intelligence feeds from ThreatStream. The architecture is interesting in that it constitutes
a set of connectors that can consume intelligence data from a number of suppliers.
Also, it can apply its analytics to devices,
also from a number of suppliers. The intelligence platform tracks about four million
indicators and it uses 50 factors to determine the applicability of an indicator to
the user’s infrastructure.
ThreatStream does not stop with IPs
or malware, either. There is a significant
threat analysis capability that reaches past
malware to such things as ops from organizations such as Anonymous.
Sometimes, threats are of a sort that
is particularly applicable to an organization because of who they are, what they
do or the business or government sector
in which they operate. In that case, it is
convenient to track certain types of threat
intelligence on an ongoing basis and, perhaps, share that with others in the organization. ThreatStream has a tool called TIP
– Threat Intelligence Package – for that.
You can create your own TIP and share it
with trusted circles.
For example, you might be part of an
Information Sharing and Analysis Center
(ISAC) and want to share your TIP with
other members since it might apply to
all of them. You can classify your TIP as
public, private or trusted circles. Further,
as in many similar products, ThreatStream has a powerful sandbox. We
were impressed by the level of detail its
sandbox produces. Finally, there are more
than 100 threat streams available out of
the box, but you can add your own feeds.
ThreatStream will do the connection so
you can be sure that everything matches
your platform. Reporting is comprehensive and you have sole control over what
is in the reports.
»
Boston SecureWorld
March 4-5
This gathering offers two days
of cybersecurity education.
Earn 12-16 CPE credits, network
with industry peers and partake
in 60+ educational elements.
There will be four keynote
speakers – including William
Evans, police commissioner of
the Boston Police Department
– industry expert panels, plus a
variety of security vendors and
solutions.
Venue: Boston
Contact: secureworldexpo.com/
boston/home
»SANS Scottsdale 2015
»Cyber Guardian 2015
March 2-7
The fifth annual SANS Cyber
Guardian event features two
Cyber Guardian Baseline courses
and a Blue Team course.
Venue: Baltimore
»
SC Congress London
March 3
SC Congress returns to London for
another exciting one-day program.
We’re bringing together leaders in
the information security industry
in both the public and private
domains, particularly based in the
U.K. and EU. You will have a chance
to walk our expo floor exploring
the latest trends and products
best suited for your company,
as well as sit in on keynote and
breakout sessions. Don’t miss this
opportunity to network with other
information security professionals, and better equip yourself to
stay ahead of the pack.
Venue: London
Contact: congress.scmagazine.com/page.cfm/link=94
»
INTERPOL World 2015
April 14-16
INTERPOL World is a new international security event that will
showcase innovation, potential
and joint achievements among
the public and private sectors in
the security arena. It will address
the rising demand for technology
and capacity building to meet real
global security challenges. It will
focus on cybersecurity, border
management, safe cities and supply chain security.
Venue: Singapore
Contact: cloudsecurityalliance.
org/events/#_industry
»
RSA Conference
April 20-24
This year’s gathering is dedicated
to leading-edge information
security topics, including data
breaches, threats, compliance,
social engineering, cloud, risk
management, applications,
mobile, governance, data, legislation, policy, law, cryptography
and identity management.
Venue: San Francisco
Contact: rsaconference.com
Start here for a calendar of events.
To have your event included, contact
[email protected]
MAY
»SANS Security West 2015
May 4-12, 2015
SANS Security West 2015 will
focus on emerging trends and
will feature related evening talks
and a star-studded, interactive
panel discussion on the future of
cybersecurity. Attendees will have
the opportunity to take courses
from top SANS instructors and
real-world practitioners who can
ensure you not only learn the
material, but that you can apply it
immediately when you return to
the office.
Venue: San Diego
JUNE
»
Infosecurity Europe
2015
June 2-4
Infosecurity Europe addresses
the latest challenges in information security to provide attendees with business critical insight,
best practice and practical case
studies. Speakers include information security thought-leaders
from public and private sector
end-users, policy-makers and
government, analysts, industry
experts, service providers and
vendors. More than 345 exhibitors will be on the expo floor and
more than 100 hours of free
education offered.
Venue: London
Contact: infosec.co.uk
»
SC Congress Toronto
June 10-11
SC Congress Toronto returns
for another exciting two-day
program. We’re bringing
together leaders in the information security industry in both
the public and private domains,
particularly based in Canada.
You will have a chance to walk
our expo floor exploring the
latest trends and products
best suited for your company,
as well as sit in on keynote
and breakout sessions. Don’t
miss this opportunity to earn
nine CPE credits, network with
other information security
professionals, and better equip
yourself to stay ahead of the
pack.
Venue: Toronto
Contact: congress.scmagazine.com/page.cfm/link=10
»
Portland SecureWorld
June 17
This gathering offers a full day of
cybersecurity education. Attendees can earn six-to-eight CPE
credits, network with industry
peers, partake in any of 30+ educational elements. Also on offer,
keynote speakers, industry expert
panels, plus a variety of security
vendors and solutions.
Venue: Portland, Ore.
Contact: secureworldexpo.com/
portland/home
ADVERTISER INDEX
Company
AT&T
Page
URL
Inside Front Cover
att.com
SC Awards
7
awards.scmagazine.com
SC Congress
51
congress.scmagazine.com
SC Magazine White Paper Library
5 whitepapers.scmagazineus.com
SC Magazine
Inside Back Cover
scmagazine.com
LastWord
The security model is broken
Every enterprise
is susceptible to
a breach, unless...,
by Craig Shumard.
O
ur security model is
broken and needs
to be revamped. If
JP Morgan – with a budget
of $250 million and 1,000
security professionals – cannot stop or detect a major
security breach, there is little
hope for the rest of us. Unless
something changes.
We need granular encryption of personal information at rest and in transit
everywhere; second-factor
authentication, including
system administrators; better
privilege-access controls;
continuous vulnerability
monitoring; and prescriptive
security regulations. Now!
There have been a slew of
high-profile security breaches
recently, including the
JPMorgan Chase security
breach. The financial institution has more than 1,000
security pros on staff. If JP
Morgan can be breached,
then what does that mean for
the rest of the enterprises in
the U.S.? It means that everyone is susceptible to major
breaches, no one is safe.
Why! Because our security
model is broken. Too often,
critical baseline security safeguards are not implemented.
And, of course, risk-based
regulations are not helping.
We must change our business security model. Specifically, all known security
breaches either exploit some
vulnerability to install malware and/or obtain escalated
user access privileges to
gain access to sensitive data.
A breach occurs and goes
undetected because critical
security safeguards are not
in place to mitigate these
breaches.
Preventive security
safeguards that should have
been implemented yesterday
need to be deployed today
– without debate about risk
since we know the results of
that approach.
Specifically, second-factor
authentication, something
you know and have or are,
needs to be utilized both
over external and internal
networks for all staff, vendors and customers. We all
know that password-based
authentication was obsolete
10 years ago.
Sensitive data encryption
at rest needs to be pervasively
implement at a granular
level so that all data access is
limited, even for privileged
users. Too often, encryption
is implemented at the disc or
database level, not at the field
level.
As well, privileged access
monitoring and controls need
to be in place to effectively
limit usage to minimum and
monitored or review usage of
privilege accounts.
And, continuous vulnerability monitoring should
be occurring over the whole
network, not at arbitrary
intervals on some network
segment.
These critical controls
should be in place wherever sensitive information is
stored and processed.
Safeguards
that should
have been
implemented
yesterday need
to be deployed
today.”
We need better and
prescriptive security regulations. Current regulations
are interpretative, based on
judgmental risk assessments
by the enterprise, and many
rely on self-compliance.
Security risk assessments
are often performed by
unqualified individuals and
often used to justify not
doing anything because “it
never happened before,” or
“I will assume the risk,” etc.
Too many enterprises do
the minimum necessary to
comply with regulations.
We need security regulations that specifically
prescribe necessary technical
controls and remove ambiguities.
Finally, compliance to
security regulations should
be enforced and have monetory consequences if not
complied with, similar to
consumer product protection
safeguards regulated by state
and federal agencies.
If the dimensions and
the frequency of security
breaches, whether driven by
cybercriminals or government-sponsored, is to subside, we need a new security
model. We need to deploy
technical security safeguards
that address today’s threats
and we need more prescriptive security regulations.
Unprecedented Networking Opportunities * Innovative Content * Best in Class Exhibition Hall * CPE Credits
Craig Shumard is principal
of Shumard and Associates, a
security consulting firm.
Visit Congress.SCMagazine.com for more information
Cyber security thought leaders
will be there...
Will you?
March 3, 2015
June 17-18, 2015
Mark your calendars!
BROADBRAND
SC Magazine, the source for IT security pros, delivers the content you need
in a myriad of ways. Receive the latest industry news, analysis, whitepapers,
ebooks and product reviews on your phone, computer, tablet or via the print
magazine. You get the picture…
scmagazine.com

in a crisis - SC Magazine

Transcription

Similar documents

ENCORE: Studio: When State Actors and Cybercriminals Join Hands

2014 Health Industry Threat Landscape Briefing

eq power point - desmarais - ATD SF East Bay

customer intelligence through new eyes through

Through a Scanner Darkly Adventures in the land of the spooks

a risk based approach to cyber security

EQ Power Intro Powerful8 e v1_05052013

Organization is half the battle.

PDF Brochure

mania dc2