Trial Before the Fire: How to Test Your Incident Response Plan to Ensure Consistency and Repeatability

While many organizations go to great lengths to set up effective security operations incident response plans, few proactively test their processes to ascertain how they will work when faced with a real threat.

Fifty-nine percent of incident response (IR) professionals admit that their organizations follow a reactive approach, according to a report from Carbon Black. Essentially, teams assume their processes work reasonably well to address the incident at hand … until they don’t. While organizations must have IR plans in place, it’s even more important that they a) work consistently and b) are updated and improved over time.

Testing incident response processes within the security operations center (SOC) should yield two important results: a clear understanding of whether your plan is likely to work and a list of gaps that should be addressed. There is no point testing them if the findings will play no role in optimizing your processes.

Lessons learned from your tests must be properly documented for them to have real, lasting value for your security operations team. Plus, you don’t want to find out your emergency plans don’t work when disaster strikes. What makes sense on paper or the whiteboard often doesn’t work as planned when put into practice.

Schools run fire drills, so everyone knows what to do when the bells go off. So, why aren’t we applying this logic more broadly in cybersecurity?

What is incident response?

IR refers to the systematic response to and management of events following a cyberattack or data breach. It involves a series of actions and activities aimed at reducing the impact of such an event.

A typical IR plan includes six phases which help the affected organization recover from an incident or simply contain it once it occurs: preparation, identification, containment, eradication, recovery and lessons learned.

When building an effective IR plan, security teams should determine the following:

  • The purpose of the plan.
  • Details on how to use the plan.
  • Your ability to respond to different incident types – including unauthorized access, malicious code, denial of service and inappropriate usage – and whether your information assets would be affected by such events.
  • Event handling protocols for each incident type and how to respond. This should include a checklist of which playbook needs to be triggered in the event of a cyberattack or breach. (A playbook, also known as a runbook, is common to the SOC and defines the flow of activities associated with a specific security issue and subsequent investigation and response. The goal is to build a consistent set of activities followed in every case, no matter the analyst assigned to it.)
  • Your ability to set up a “war room” for critical decision makers to receive and share information across the organization.
Testing the waters

Once you have a clear, documented plan in place, you should periodically test it through simulations to assess effectiveness and make continuous improvements. So, how can you put your processes to the test? Most security operations teams today use three methods:

1)     Paper tests

The most theoretical and likely the first step for security operations teams who don’t have well-documented processes. However, paper tests leave too much room for error and should only be used to look for small process changes.

2)     Tabletop exercises

These scenarios consist of company stakeholders sitting around a, you guessed it, table and running through a mock security event. While these exercises may appear informal, you should prepare well in advance, make sure the right individuals participate from across the organization and that the scenario is as real as possible. Allow for up to half a day to put key processes through their paces and troubleshoot as you go.

3)     Simulated attacks

The most effective way to pressure test your processes is to simulate a real-world attack to see how your organization will respond.[…] Read more »

 

 

 

 

What Indicators Can I Reference to Gauge My Organization’s Security Posture?

Understanding an organization’s security posture will help to create a clear and present representation of what the cybersecurity capabilities of your organization are. Any information security program is evaluated on the integrity, availability, and confidentiality of the data within a designated secured environment. Several indicators can help to gauge where your organization belongs within the risk management structure, which can help to identify your organization’s security posture and what security challenges the business must confront.

Many cybersecurity information risk management programs suggest businesses should adopt the InfoSec security standards and implement cybersecurity as a key driver of business decision making. The scope of InfoSec is wide-ranging, but the aim is to continuously improve your organization’s information security, year after year.

What exactly should you look for? What are the indicators that will help describe your organization’s security posture? The following information will help you determine what your new approach to cyber risk management should be.

Is there a set budget for infosec?

Understanding if there has been a budget allocated for information security helps to identify if an organization is serious about cybersecurity. In-house cybersecurity can work out to be incredibly expensive; hiring highly-skilled, ethical security personnel is not easy. SecOps engineers are highly sought-after personnel and salary expectations are usually very high. The purchasing of software licenses and security hardware appliances is another considerable cost to consider.

Many organizations realize that the OpEx costs can be high, and many choose to outsource to a reputable cybersecurity service provider who can call upon teams of SecOps architects, engineers, and consultants when needed to install, manage, and maintain any purchased security infrastructure service.

Companies need a pragmatic approach for monitoring and assessing their cybersecurity landscape, and a security program that delivers a return on the security investment (ROSI). Security expenditure needs to be justified by successfully completing external audits that validate security processes are in place, such as:

  • Conducting external vulnerability scans
  • Planning for disaster recovery & incident response tests
  • Conducting phishing and social engineering tests
  • Conducting external penetration testing

Without a realistic security budget, there is a significant risk that an organization may fall short on these scenarios. This can lead to significant gaps and weaknesses in your organization’s cybersecurity policy.

The frequency and sophistication of employee training

Cybersecurity training should be made available to all employees. This is a key area to look for, as training is absolutely essential. Cybersecurity is a highly technical industry where relevant, important security information needs to filter down to every single employee. Security training strengthens employee’s knowledge and understanding of cybersecurity risk management putting each employee in the best position to uphold your organization’s cybersecurity policy.

Collaborating with a skilled cybersecurity vendor will ensure training compliance and improve team understanding of the latest risks and trends in cybersecurity, as well as knowing what the best practices are to reduce the risk.

Cybersecurity training in many industries, such as the financial sector, is mandatory and enforceable by the regulator. There are huge benefits of having teams who are aware of the latest cybersecurity trends and able to spot phishing, scam phone calls, malware and virus attachments.

Technical red flags

You may be surprised by the number of issues that are discovered with organizations that are missing even the most basic technical safeguards to protect the integrity, availability, and confidentiality of data. Reviewing the results of your malware scans is not enough, businesses need to be proactive in providing the basic security requirements:

  • Secure Networking – The network is the first line of defense in cybersecurity. Strong network authentication, encryption, restricting public internet traffic, and blocking common ports on the firewall are the first steps to improving security. Furthermore, network analysis and scanning using Intrusion prevention systems, content filters, email scanning tools, and isolating network assets should all be in place
  • Asset Management – It is important to identify all pieces of equipment owned by the business. An asset list will catalog servers, laptops, tablets and any other infrastructure device. Good asset management reduces waste, capital expenditure and above all else acts as a baseline for the support teams who will know what equipment is available and where it is located.
  • Patch Management – A regular patching schedule is the first step to securing software and operating systems. Vendors publish security patches that prevent exposure to the latest software vulnerabilities and exploits
  • Passwords – Securing a network using unique and complex passwords that are enforced company-wide will help to provide an immediate level of protection. Taking this further and testing user accounts and system accounts for weaknesses using penetration testing software such as Nessus or Backtrack will proactively scan for weakness and non-compliance. Processes can be drawn up to harden password policies or maybe offer training to the worse offenders

There are many further technical safeguards that can be implemented, but these basic first steps will help to prevent misconfiguration and backdoors into your environment. Credible cybersecurity providers recommend an annual internal audit and roadmap check-up is performed. This process will review existing technical safeguards, identify weaknesses, and then suggest recommendations based on industry best practice, as well as a roadmap on the best way to implement the changes […] Read more »

 

 

AR and VR: How Immersive Technology Is Bringing Cybersecurity Scenarios to Life

A PwC survey on corporate digital IQs found that there’s a disconnect between the skills and technologies that companies say matter most and what they’re investing in. With the rapid increase in emerging technologies disrupting every industry, enterprise leaders are feeling immense pressure to fill the resulting glaring void with employees who can pick up the skills necessary to implement this technology into everyday enterprise tasks. Aside from finding the right people, companies also need to ensure that proper training is in place. However, it’s no secret that a lack of engagement exists between employees and the less-than-awe-inspiring learning programs in use.

Just as I was finishing my tenure as the CSO of Dell, we introduced “Gamification” into our security and ethics training and noticed an uptick in the engagement it engendered amongst our millennials. Given what had been my 20-year “uphill” battle in the space of awareness training, this offered a welcomed glimmer of hope. Now add to that what augmented reality (AR) and virtual reality (VR) bring to the field and the prospects get even brighter.

When the phrases AR and VR started being tossed around, many of us could not even fathom how these technologies would impact our lives. Fast forward to today, and these technologies are right in the palms of our hands. AR and VR have opened new doors for innovation and created a more immersive user experience, especially for IT and security teams. While perhaps not the earliest adopters of these technologies, companies are beginning to use AR and VR to their advantage when it comes to providing cybersecurity training to their employees.

How exactly does AR training work? First, let’s break down what AR is in a broader sense. AR allows the user to see the real world with virtual objects superimposed or composited with their reality. Essentially, users can interact with on-screen digital objects within the scope of the physical world they see on a daily basis. Now imagine the use of AR in a corporate training environment. Not only does AR provide employees with a more interactive platform, but one that can be customized to accommodate unique learning needs.

For companies with a multigenerational workforce, this creates a profound opportunity to present their employees with training that is both more relevant and realistic. This is extremely valuable in high-touch industries like the cybersecurity sector, where the skills gap is already an area of concern. With AR, a new employee could be sitting at their desk and have a training system present various cyber threat scenarios through AR glasses, prompting them to identify the issue and solve the problem. It is interactive programs like this that will help employees remain more engaged in their training and generate better results overall.

And it doesn’t stop there. Companies like Inspired eLearning have made it their mission to provide training around security, cybersecurity and compliance with the help of VR. Called Security First Solutions, their product takes data from a multitude of tests and simulations to deliver an immersive training program on the latest and most popular cyber threats like phishing and SMiShing, all behind a VR headset. What’s more, immersive technology is also opening the eyes of young minds and showing them what a career in cybersecurity could entail […] Read more »….

.

Managed Services and Risk: Mitigation or Inherent Acceptance?

With the evolution of cybersecurity over the last decade, it’s easy to forget what security is; the art of dealing with risk. The flood of funding into the space has created a host of marketing buzzwords that pollute the board room and pull the attention from the “why?” of security. What is the reason cybersecurity exists? What is the problem we’re trying to solve?

Control-based vs risk-based

The conversation around security has shifted, and not for the better. Historically, security teams built programs around assessing risk and deciding on how best to deal with it. However, today’s world of endless frameworks focus more on technologies, and less on the risks they’re implemented to address. This controls-oriented program development has led to the emergence of security leadership that show pause at the mention of a “risk register”. This isn’t to say that risk isn’t considered, but more that it isn’t properly enumerated at a level that gives the security team flexibility in addressing the risk.

Security frameworks like NIST, SANS, ISO, etc. are great lists of controls to consider for a security program but are built with a one-size-fits-all approach. By starting with a comprehensive audit, and developing controls that mitigate specific threats, many organizations can move to an acceptable risk posture without many of the “checkbox” controls contained in most frameworks.

Risky decisions

Common risks exist across different organizations, but how those risks are addressed is a business decision the security team develops their strategy around. When handling risk, there are three options:

  • Accept – The risk does not represent itself as a threat worth investing resources to lessen. Accepted risks should be entered into a risk register, naming the business owner that accepted the risk and note why they’ve accepted it; usually due to low probability or low impact.
  • Mitigate – These risks are not accepted and pose enough threat to a business that resource investment is warranted to prevent the risk from coming to fruition, or at least lessening the probability or impact to an acceptable amount.
  • Transfer – The risk is not accepted, but the business will not mitigate on its own. Leveraging third parties, the risks are contractually moved from the business to the provider. Common forms of cyber security risk transference include Cyber Security Insurance and Managed Security Services.
Risks worth transferring

There’s an existential problem in security right now. The problem isn’t new attacker tactics, techniques, and procedures (TTPs), new malware, or the speed of malware to get to market; rather, there are products to identify these threats, but not enough skilled headcount to properly implement the products, and investigate and respond to the alerts! This headcount shortage is an industry epidemic leaving security teams scrambling just to perform basic tasks, forcing most organizations to ignore alerts generated from the implemented security products, assuming the products were properly implemented and configured in the first place.

Alert triage and response

Looking at the tasks security teams perform to achieve risk equilibrium, many require deep knowledge of the organization and continuous communication and participation in meetings like change-control. However, the tasks of identifying a false-positive for a wrongly flagged graphics card driver requires little knowledge of the organization.

Transferring the risk of alert triage and response can free organization resources to focus on security responsibilities that are best kept in-house like GRC, vulnerability management, and policy creation. This transference also lessens the probability or impact of the departure of a single person being a significant detriment to the security team.

The most common cause of shelf-ware (technology that is being paid for, but is no longer, or was never used) is the sole-owner or user of that technology leaving the organization. Regarding incident detection, triage, and response, employee churn presents a much larger threat than underutilized budget. This risk is magnified by the litany of false-positives generated by security products making the required headcount necessary to triage every security alert unattainable.

Leveraging a service provider for certain functions will provide the level of expertise necessary to implement, maintain, and utilize the technology. The shift also transfers the burden of hiring and maintaining the staff necessary to perform these functions to the service provider; ideally removing the shelf-ware dilemma.

Transferring risk to a service provider

Ignoring alerts and foregoing security expertise is not a risk most organizations choose to accept and handling it in-house is often difficult or cost-prohibitive, so it makes sense security service providers (MSSPs), including managed detection and response (MDR), are gaining in popularity. The difficulty comes in choosing the right MDR, and ensuring they’re mitigating risk, rather than accepting it.

The false-positive dilemma

As mentioned earlier, the problem of false-positives and the impacts they have on security teams is significant, but why does this problem exist?

Defining the terms:

  • False-positive – An alert that was generated based on an event that was not malicious.
  • False-negative – An event that was malicious but did not generate an alert.

From a product-manufacturer perspective, a false-negative is brand damaging, but a false-positive is just assumed. Endpoint and network detection technologies are attempting to identify everything an attacker could do to perform malicious activity in an environment. With the skill of attackers improving, products have had to create looser detection rules that allow them to be effective at detecting potentially malicious activity, thus avoiding false-negatives. For an effective, detection-oriented, security product, false-positives are almost necessity. With this understanding, how do service providers, who are providing services for potentially millions of endpoints, profitably scale a service?

The Techniques
  • Build a Bigger Army – This is not scalable or profitable, but it is pursued by some service providers. This approach typically results in sub-par service that provides little value and leads to a frustrated customer that has essentially purchased a different source of alert fatigue.
  • Attack the Source of Alerts – Is a particular detection rule being too noisy? Shut it off! The alert fatigue problem is solved, but it also diminishes the effectiveness of the product.
  • Set an Arbitrary Investigation Threshold – Too many Critical, High, and Medium alerts to investigate? Just look at the Critical and High. Still too many? Critical-only should be fine (if we forget the retail breach was a medium alert).
  • Turn Alerts into Incidents –Rolling up multiple alerts into a single incident is a great way to make, what looks like, a high-fidelity alert, but could also be a group of false-positives. The danger here is creating incidents that take much longer to investigate.
Machine Learning!

Another technique that’s becoming increasingly popular is the use of machine learning to weed through false-positives. Moving past the animosity towards marketing teams for taking real technology and turning it into a glorified way to describe statistics; machine learning can be broken into two main concepts:

  • Supervised – Using a set of training data, an algorithm can be created to determine the relationship between a new piece of data matches and data used for training. This methodology is commonly leveraged in security to identify malware. While useful in scenarios where training data is properly labeled and available, those prerequisites somewhat limit the usefulness in identifying malicious behavior.
  • Unsupervised – Developing a baseline of “normal”, unsupervised machine learning identifies deviations from the baseline. Unsupervised machine learning technically doesn’t generate false-positives, because it is alerting on anomalies, but given all anomalies aren’t necessarily malicious, this technique is usually paired up with cumulative risk scoring to drive anomalous activity past a threshold, where it will generate an alert hopefully more relevant to security.
Inherent risk

Given the available approaches to dealing with false-positives, it’s clear that there is some necessary risk-acceptance that must happen to get the alert count to a level that allows security teams to efficiently deal with the “high-priority” alerts. This acceptance is not based on the organization’s risk tolerance, but instead on the limitation of resources to mitigate, which places an inflated cost on the risk […] Read more »..

Small and Medium-sized Financial Institutions: The Security Challenges They Face Each Day

It’s no secret that financial institutions are in criminals’ crosshairs. This has been the story ever since people and organizations started putting their cash in the care of others. But unlike the good ol’ days of dramatic ski-masks-over-face, gun-in-hand heists, the majority of today’s banking crimes are digital, and thus, involve far less bravado and derring-do.

While cybercrime and fraud affect all financial institutions, each sector has its own specific concerns. The concerns of large institutions generally take center stage due to their high profiles and the large stakes involved, but often, concerns specific to small and medium-sized institutions go overlooked. In this article, we will examine the issues that cause the most distress to IT and security teams at small and medium-sized financial institutions.

Why Cyber Criminals Love Small and Medium-sized Financial Institutions

Small and medium-sized financial institutions are often seen by cyber criminals as low-hanging fruit — sure, they could go after JPMorgan Chase or Goldman Sachs for a huge payoff — but a heist of that nature requires boatloads of planning and effort. For an attack of that scale, an assailant must have incredibly powerful tools as well as a flawless plan, which could take months and even years to orchestrate.

Add to that the immense challenge of evading the law once the attack has been executed. High profile attacks on banks make great news fodder and criminals can expect to be hotly pursued and tried for their misdeeds.

Unfortunately, this is not typically the case with smaller targets. It doesn’t take quite as much planning or effort to hit smaller players and since these crimes are not as high profile, it may be easier for the attacker to get away with them. All in all, small and medium-sized financial institutions are a wise choice for attackers looking for a relatively easy swindle.

The Security Challenges that Keep Small and Medium-sized Financial Institutions CISOs Up at Night

There are many cyber security issues that plague small and medium-sized financial firms, ranging from structural issues to out-and-out threats. While each organization is unique, security leaders at most, if not all, small and medium-sized financial services firms must overcome these structural challenges.

Lack of Buy-in/Understanding from C-Suite/Leadership

Each financial services firm has its own business drivers, those issues that are integral to the success and advancement of the business model. While issues like customer satisfaction and regulatory compliance generally top execs’ lists, the issue of cybersecurity doesn’t always show up on their radar.

There are a few reasons that cyber security may not be the first thing on many leaders’ minds. To start with, it can be very difficult to prove the return on investment for security-centered projects. In the words of security expert Bruce Schneier, “Security is about loss prevention, not about earnings.” Proving how much a company saves by preventing a breach does not produce the same tangible benchmarks as do other, more concrete investments.

Moreover, leaders may not have sufficient IT and/or security knowledge to grasp the full severity of weak or inadequate defenses. While some decision makers certainly are well versed in technology, it’s often not a part of their job requirements and they simply may not grasp the importance of investing in new solutions as they become available. Likewise, they may not understand the full legal and operational ramifications of falling prey to a breach.

Lastly, according to ChiefExecutive.net, leaders at smaller firms are often convinced that their firm is not worth the attacker’s time or effort. This leads to a dangerous stance of security complacency, an attitude that nothing further is required to protect the firm, based on their own erroneous assessment of limited risk.

Limited Budgets

As mentioned above, small and medium-sized financial institutions typically have much more limited cyber security budgets than larger institutions. A recent survey by Untangle found – shockingly! — that of 350 small and medium-sized businesses polled, 50 percent had annual security budgets of less than $5,000 US and of those, 50 percent had budgets of less than $1,000 US.

In light of these numbers, it comes as no surprise that at many smaller FinServs, there is no one specific person or team tasked with cybersecurity – it’s just another aspect of IT’s responsibilities. Moreover, their tools are nowhere near as comprehensive as those found at larger institutions. This increases the chances of breaches and extends time to detection (TTD) and time to respond (TTR) in the face of incidents.

At the same time, small and medium-sized financial firms still have conveniences like customer-facing apps and websites, which are necessary to compete with the big guys. But as with the rest of their technology stack, these applications may be less robust and secure than those developed by banks with more money to allocate to security. This makes these less secure applications prime pickings for attackers.

Dependence on Third Party Vendors

Small and medium-sized financial institutions are heavily reliant on integrations with third party suppliers. As with businesses of any size, these firms need to share information with partners and contractors to remain relevant and agile in an increasingly connected world.

But granting access to third parties can come with great risks — by making your network accessible to third parties, you allow their vulnerabilities to become your vulnerabilities, their liability to become your liability. This was clearly demonstrated in the infamous Target hack of 2013, when the behemoth saw their point of sale system breached due to an integration with an HVAC vendor whose credentials were stolen.

In the typical integration, external partners can access the company’s networks without adequate monitoring and limitations. This allows them access to far more resources than needed to do their jobs, making the organization a sitting duck. And as third-party vendors are often also small and medium-sized businesses, there is a very real chance that they may have less-than-adequate security, which compounds the risk. Further, the decision of which vendor to use is often made with little regard to vendor security practices and how those may affect the institution and its networks.

The Threats that Nightmares are Made Of

While budget limitations, support from top brass and third-party vendors are ongoing headaches for security officers, threats that commonly target financial service businesses are the night terrors that bolt them awake in a cold sweat.

The Many Flavors of Insider Threats

Insider threats take many forms and affect all businesses, from the largest enterprises to shoestring operations. And while all businesses suffer when an employee goes rogue or an ex-staffer decides to spill the company beans, small businesses experience damage from insiders more often than their larger counterparts. This is especially true in finance, where the stakes are inherently much higher than for most other businesses. In fact, according to the 2019 Verizon Data Breach Investigations Report, the threat actors in 36 percent of breaches of financial institutions were insiders.

One reason small and medium-sized financial firms fall prey to insiders is that they often lack proper protocols for revoking access after an employee has been terminated. Smaller financial firms tend to have less robust IT standard operating procedures and thus when an employee is asked to leave, it may take days or weeks before his or her access to critical resources is revoked. This leaves the ex-staffer with plenty of time to collect whatever data he or she wants, which can then be given to competing banks — or worse, such as nation state adversaries and cyber-criminal syndicates.

Similarly, smaller firms also tend to engender feelings of trust and familiarity among employees. While this is great for the general work ethic, there is risk in trusting your employees too much. Large institutions often have tiered Identity Access Management (IAM) solutions in place to prevent employees from seeing information which is beyond the scope of their requirements. Once again, due to less sophisticated IT infrastructure and because of that cozy, feel-good atmosphere, smaller institutions may not have the same precautionary measures in place, allowing employees access to data far beyond their actual data needs.

Then there is the insider who, although not necessarily malicious in intent, is simply impervious to training. This is the employee who routinely clicks suspicious links or fails to notice clues indicating that he or she is being phished or scammed. Scary but true: According to Verizon’s 2019 DBIR, three percent of people will click on any given phishing campaign. And these well-meaning employees can cause just as much damage as those with ill intentions: In a small and medium-sized bank, the means or understanding to track just which employee is “that guy” may simply not exist — thus, the risk goes unmitigated.

Business Email Compromise (BEC) Scams

According to a report by security firm IronScales, 95 percent of successful cyber-attacks include an element of social engineering. Humans are easily manipulated and attackers are adept at creating all kinds of compelling scams to help victims and their money or data part ways. According to the Verizon 2019 DBIR, financially motivated social engineering attacks target financial services institutions disproportionately vis a vis other industries.

In recent years, BEC, or Business Email Compromise, has become one of the most potent phishing methods, generating losses of $676 million US in 2017. According to HSBC, small and medium-sized businesses are harder hit than larger enterprises.

In the typical BEC scam, the scammer impersonates someone in a position of power within the organization, perhaps the CEO or a senior member of the IT team. The scammer sends an urgent email to a lower ranking employee, demanding funds to be transferred. This perfectly crafted email is almost indiscernible from an authentic one and implies that the recipient must see to it that the funds are transferred immediately – or face repercussions. If things go according to the attacker’s plan, the employee sends the request off to the organization’s bank, where an unwitting bank employee complies with the email’s instructions and transfers the funds.

BEC scams cause damage to all kinds of businesses, as well as banks.  But no matter the industry, they affect banks because they are the ones through which financial transfers take place. In smaller institutions, standard operating procedure for transfers may not be clearly outlined and thus there is a greater danger that someone within the bank may authorize such fraudulent transfers.

Browser-Based Threats

Like all businesses, small and medium-sized financial institutions need to use the Internet for tasks such as researching loan applicants and corresponding with customers. So, every employee needs web access. But the risk that comes with open connectivity, namely, the fact that browser-borne malware can easily spread laterally throughout networks, cannot be tolerated in such a sensitive arena.

Browser-based malware is always morphing to ensure that it evades traditional security methods, but some attack elements remain the same; Cross-site scripting (XSS) and SQL injection (SQLi) attacks are some of the most common web-based attack methods and can potentially come from any website that has been infected — even those that have been deemed secure. These complex attacks can easily exfiltrate data off employee’s browsers. Moreover, browser-based threats are difficult to detect, which puts critical assets directly in harm’s way.

Many IT admins turn to whitelisting pre-approved web applications and websites to help keep out browser-based threats. But whitelisting has significant drawbacks — it leads to reduced productivity and agility as employees cannot always access the resources they need when they need them. It’s also not completely effective, as once-good sites can become infected with malware and in turn, pass that infection on to your network.

Small and Medium-sized Banks Have to Level Up to Survive

Beyond the threats themselves, small and medium-sized FinServs have to consider the costly fallout that comes along with successful cyber security attacks. Understandably, in the wake of an attack, customers may lose confidence and jump ship. And while larger financial institutions can absorb the costs of many, if not most, attacks, smaller ones cannot, which may lead to closures […] Read more »..

A New Framework for Preventing Cyber Attacks

The scale of data theft is staggering. In 2018, data breaches compromised 450 million records, while 2019 has already uncovered the biggest data breach in history, with nearly 773 million passwords and email addresses stolen from thousands of sources and uploaded to one database.

Current cyber defense tactics simply aren’t enough, a new model of defense is needed. In research published recently in Future Generations Computer Systems, my co-researchers and I propose a framework harnessing the power of machine learning to accurately predict attacks and identify perpetrators.

Outdated Tactics

The current manual security models are quickly becoming obsolete for a number of reasons. For one, there is simply too much data for human analysts to manually sift through. Hail-a-TAXII, a repository of Open Source Cyber Threat Intelligence feeds, provides more than one million threat indicators. IBM X-Force reports thousands of malware weekly. Verizon’s Data Breach Investigations Report details millions of incidents. These are just a few of the many data sources analysts have at their fingertips.

Another problem is that current cyber threat intelligence (CTI) tactics look only at low-level indicators, small attack signatures such as IP addresses, domain names and file hashes. Low-level indicators are easy for companies to block by plugging them into firewalls and security devices. Unfortunately, they’re also easy for hackers to change. Using only low-level indicators to stop a cyberattack is a little like trying to prevent thieves from robbing your home by enforcing only one window. The thief will just find another window.

The glut of data and preoccupation with low-level indicators contribute to a serious lag in identifying threats. The median time for an organization to determine it is under attack is 46 days. Attacks can go undetected for much longer, the massive data breach at Equifax in 2017, involving nearly 150 million pieces of personal data, went undetected for 76 days.

Relying on low-level indicators simply doesn’t make sense given what we now know about hackers: They use common patterns of attack that can be identified by looking at high-level indicators, otherwise known as Tactics, Techniques and Procedures (TTPs).

Examples of tactics common to certain threat groups involving the compromise of victims’ credentials include:

  • the exploitation of the victim’s remote access tools and the network’s endpoint management platforms by threat group TG-1314.
  • employing key loggers and publicly available credential dumper toolkits by TG-3390.
  • spear phishing using URL shortened links pointing to malicious websites by TG-4127, which targets government and military networks for espionage and cyber warfare.

Typically, hackers will specialize in one attack tactic and gradually evolve the tactic over time. Consider what’s happened with RAM scrapers: malware that enters servers and combs through the memory to find a distinctive code pattern, such as a credit card’s 16 digits. A RAM scraper was behind the 2013 Target data breach that compromised 40 million credit cards, as well as the 2018 Marriott and Hyatt breaches and many others in between.

While the tactic has remained the same, what has changed is how the malware transfers data to the attacker, advancing from FTP to the web protocol and finally to encrypting the information and moving on its own, no longer reliant on a human to copy and transfer the data. Fifty different families of RAM scrapers for stealing personal data currently exist.

The cyber intelligence community already maintains databases detailing high-level indicators. More than 130 adversary technique documents exist. As of late 2018, there were 45 known threat actors and 123 known software tools included in the ATT&CK taxonomy, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK taxonomy shows that the number of TTPs used in threat incidents range from one to 34, with an average of six.

If so much is known about TTPs, why aren’t analysts relying on them for cyber defense? Again, the problem is the massive amounts of data. Manually searching for correlated TTPs is tedious, error-prone and a nearly impossible task. That there is no commonly used vocabulary to describe attacks and attack tactics compounds the problem. TTPs are mostly reported as unstructured textural descriptions, which makes it difficult to correlate attack incidents of the same threat group based on similar TTPs due to synonyms and polysemous words. The same style of attack can be labeled one thing in one database and something completely different in another.

Building a New Framework

The framework we propose in Future Generations Computer Systems is based on our knowledge of TTPs and the problems plaguing the cyber intelligence community, too much data and no automated way to rely on more effective high-level indicators.

The framework creates a network of Threats, TTPs and Detection (TTD) mechanisms. To accomplish this, data was collected from related cyber breach incidents and reliable source threats in the public domain.

In total, more than 327 unstructured documents from about two dozen sources were used. Although machines will likely one day be able to deal with all the nuances of human language, we’re not there yet. This means the data had to be curated and semantically correlated before it could be analyzed by machines: we used ATT&CK […] Read more »..

Talent Acquisition, Retention Leading Diversity Initiatives in Cybersecurity Jobs

Talent acquisition and retention is the leading operational reason that companies have been ramping up their diversity initiatives, according to (32 percent) of respondents in the (ISC)²study.

Nearly one in three (29 percent) added that diversity is important to their organization because the workforce should represent the demographics in society:

  • Nearly three quarters of organizations surveyed (74 percent) instituted a stated diversity value or program in the last 2-5 years. On top of this, a further 16 percent have followed suit in the last 12 months.
  • Overall, 40 percent of survey respondents stated that the HR department is the primary driver of diversity and inclusivity efforts, including measuring employee diversity goals. This compares to just under one quarter (23 percent) who said it was the senior management team and just 10 percent that said it was the C-suite driving diversity initiatives.
  • 60 percent said that up to 20 percent of the current vacancies in their organizations are IT and/or cybersecurity-based. A further quarter (26 percent) said these roles constituted between 21-50 percent of their workforce.

Hiring Cyber Roles:

  • 77 percent of respondents said that cybersecurity roles were recruited for in their organizations in the last 12 months. The number of roles filled ranged from 1 to 31 across the responses, although nearly 55 percent of the respondents said that up to 10 cybersecurity personnel were hired by their organization over the last 12 months. 18 percent said that between 11 and 30 roles were hired in the last year.
  • 37 percent say just 6-20 percent of their IT department employees are aged 18-21, while 35 percent say none of their IT department employees are aged 18-21. This indicates a struggle to bring enough new talent into the department that can learn from their experienced peers[…] Read more »..

The role and the focus of a CISO with Tim Swope

Apex sat down with Tim Swope, Chief Information Security Officer at Catholic Health Services of Long Island to discuss his role and experience as a CISO. With extensive experience in the industry, Tim shares his advice and the value of an IT Risk Management Program being the cornerstone for all cyber security work.

Q: What is IT security doing to support innovation in the enterprise?

A: In addition to training the IT Security Staff, we all attend many seminars outlining new and innovative technologies and with our Proactive Risk Management model we are able to determine what GAPS those technologies will close in our organizations.

Q: What is the single most important thing CISOs should be focusing on today?

A: While many security leaders focus on the technical side of cybersecurity, a key focus of mine is risk management. Risk management is the overriding element for successful cybersecurity programs.  We need to know what cyber risks and 3rd party vendor risk that my affect our organizations, assign a risk level and then focus our remediation and management on the top tier risks first.

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

A: The CIO and I work very closely together on the overall information strategy for the organizations.  That being said, while the CIO might push for technology solutions that will make access to information easier…..I ensure that we can effectively manage and monitor that technology.  In the Healthcare space, innovation has moved faster than our ability to secure it. I remind the CIO we are FIRST in the patient privacy and safety business..not the convenience business!!

Q: How have you searched for and found the best vendors for your organization?

A: We have a very strict due diligence process for our vendors, especially those that will be working with PHI. However, we are constantly looking and evaluating vendors that may be able to save us cost, have greater automation and solve our needs better.

Q: What is the biggest challenge for a CISO today?

A: In the Healthcare industry, changing regulations, the need to expose patient data to outside entities and ensuring that the same IT security posture remains in place in the face of this change.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: When coming into a new organization as a CISO leader, I strongly believe in conducting an internal assessment to get an understanding of what controls and technologies are in place. While some CISOs may rely on an outside firm to conduct these, I choose to do an initial assessment myself, putting myself in an outside auditor’s shoes. Rather than looking at somebody else to do it for me, I’ll do it myself and I think that’s the key thing a CISO should do, is understand his or her landscape and do their own personal assessment and only then can you see what you really have.

Q: What is the importance of an IT risk Management Program in today’s cyber security landscape?

A: In order to deliver value to our customers, patients, employees, communities and shareholders, we at Catholic Health Services and other Healthcare organizations must understand and manage the risks faced across our entire organization. Risks are inherent in our business activities and can relate to strategic threats, operational issues, compliance with laws, and reporting obligations.  As part of the overall IT risk management process Information Security, Governance and Risk (ISGR) departments are responsible for various activities that are important to regulatory compliance, information security, data protection and risk management. This group has the authority and responsibility to investigate and assess compliance in all activities relevant to the Security Governance Program and to report on compliance status to IS Management.

The “Framework” that encompasses their Risk Management Program has the primary functions to:

  • Determine categorization of IT risks
  • Define the common framework used to identify and manage potential events that may affect information within the IT infrastructure
  • Define accountability for IT risk management
  • Determine the governance and oversight of IT  risk management activities

Internal and external events affecting our ability to achieve our security and operational objectives are identified at various points in the business cycle. During strategic and business planning and review processes, business unit management assesses the market and competitive environment to identify risks and opportunities facing their business. The various risk management functions within or assigned to that business unit provide expertise, support and input into the process. Each of the risk management functions is represented on applicable management committees to enable effective risk identification and business partnership.

Throughout the year, risk assessments, scans and surveys are performed by the ISGR team to identify internal and external events that might affect the achievement of the Company’s objectives. Additionally, the various risk management functions scan the external environment for risk indicators through analysis of applicable business intelligence, including trends in external health authority and other government inspections and enforcement, legislative changes, and shifts in market, payer and consumer models, as well as relationships with external subject matter experts.

Finally, risk management functions review the output from internal monitoring and assurance activities to identify gaps and emerging risk areas. Risks are analyzed, considering likelihood and impact of a given outcome, to determine how they should be managed.

If we can take a way one lesson from the need for a risk management program it is the following:

Risk Management is the number one process for Identifying potential risks and creating a plan to eradicate or manage them!!

We don’t accept Risk, we continually Manage it!

 

Tim Swope

CISO

Catholic Health Services of LI

Mr. Timothy Swope is currently the CISO of Catholic Health Services, an 18,000 employee hospital group in Long Island, NY. He is an Information Security and IT Risk Management professional who partners with Chief Information Security Officers and IT Governance, Risk and Compliance executives to assess and deliver IT Security and Risk Management programs to Health Care and Insurance, Pharmaceutical and government agencies. After spending over 2 decades assisting clients implement secure enterprise BI, EHR, Meaningful Use and other data science systems, Tim knows and understands the requirements and components that create a secure information security posture. A key area of his expertise centers around interpreting and applying Federal, State and Industry regulations such as: DSRIP, HITRUST, HIPAA, NIST SP 800-53, 21 CFR Part 11, Health Insurance Reform: Security Standards, FISMA (Federal Information Security Management Act) and locally the Zadroga Act to name a few.

He also supported cyber security requirements for Medicaid’s Delivery System Reform Incentive Payment (DSRIP) Program at 2 of New York’s largest PPS’s (Performing Provider Systems) Northwell Health and NYC Health and Hospitals.

He has supported the IT Risk Management and IS Security initiatives of organizations that include Excellus BCBS, Medimmune/ Astra Zeneca, MERCK, ENDO Pharmaceuticals, Novo Nordisk, Daiichi-Sankyo Solutions, Johnson and Johnson, District of Columbia Government office of the Chief Financial Officer, District of Columbia Water and Sewer Authority, City of Richmond, Virginia Department of Public Utilities.

Ohio Implements Data Protection Act

The state of Ohio has implemented its Data Protection Act to encourage businesses to voluntarily adopt strong cybersecurity controls to protect consumer data.

Senate Bill 220, the Data Protection Act, was sponsored by State Senators Bob Hackett (R-London) and Kevin Bacon (R-Westerville) and was signed into law in late 2018.

Senate Bill 220 provides different industry-recognized cybersecurity frameworks which a business can follow when creating its own cybersecurity program. In order to receive the benefit of the safe harbor, a business must create its own cybersecurity program.

The legislation provides an affirmative defense to a lawsuit which alleges a data breach that was caused by a business’ failure to implement reasonable information security controls.

Businesses are only required to incorporate one of the frameworks into the business’ cybersecurity program[…] Read more ».

Philadelphia University’s Cybersecurity Program Receives “Top Curriculum” in the US

OnlineMasters.com, an industry-leading educational research organization, has named La Salle University’s Master of Science in Cybersecurity a top 25 internet security program for 2019, and also awarded the program “best curriculum.”

OnlineMasters.com analyzed every online master’s program in internet security in the nation with a team of 43 industry experts, hiring managers, current students and alumni.

According to OnlineMasters.com, the study leveraged “an exclusive data set comprised of interviews and surveys from current students and alumni in addition to insights gained from human resources professionals.” Their methodology weighted academic quality (academic metrics, online programming, and faculty training and credentials) at 40 percent, student success (graduate reputation, student engagement, and student services and technology) at 40 percent, and affordability (average net cost, percent of students with loans, and default rate) at 20 percent. The study incorporated current data from the Integrated Postsecondary Education Data System (IPEDS) and statistical data from the National Center for Education Statistics. Only programs from accredited nonprofit institutions were eligible.

“We are honored to be recognized as a top 25 internet security master’s program, with a special nod to our curriculum,” says Peggy McCoey, assistant professor and graduate director for La Salle’s M.S. in Cybersecurity. “We have developed a flexible, rigorous, and highly relevant program to ensure today’s students develop competencies in cybersecurity management as well as breach detection, mitigation and prevention. The Program balances both theoretical and practical aspects and draws key learnings from industry practitioners to ensure attention to ethical principles and changes related to cybersecurity.”

La Salle’s M.S. in Cybersecurity is a 100 percent online asynchronous program with three start dates and eight-week courses so students can complete two courses per semester. OnlineMasters.com noted its “engaging courses in cyberwarfare, cybercrime and digital forensics” in support of its “best curriculum” designation[…] Read more ».