Category: Uncategorized

If you think of assurance as a guarantee your cyber security is fit for purpose and working perfectly then there are a few other things you’re going to need: governance, risk management, policies, operational procedures, audit trails, personnel, effective training and awareness, security testing, oh and not forgetting the software and hardware underneath all that. In fact that’s a very concise and condensed list which doesn’t begin to cover everything but I’m trying to give the overall picture here not send you to sleep or bamboozle you.

First question: how do all these different items work together to give you that warm fuzzy feeling of assurance about your cyber security?

To have governance, just like government, you need someone or something in control to maintain oversight of the cohesive efforts being made. This person or persons will of necessity be senior personnel who have the understanding and viewpoint required to see what’s happening across the business, to make decisions and the authority to have those decisions acted upon.

We’re talking operational risk management specifically, a concept I’ve heard described as an emotional process – a statement I do understand and have some sympathy with as it’s a discipline requiring a lot of subjective thinking. Many people view operational risk management as a potential minefield inside a nightmare, but it’s not that hard to do and there are sources of information out there which can help you, although some are so badly written they can fry your brain if you’re not careful. For the moment I’ll just pare it down to bite-sized chunks of bare essentials for you by outlining an easy way I’ve used in the past to tackle it. … For the next stage you need to look at what makes these threats more or less likely to happen. Here’s an example: there’s a threat that some malcontent might break a window in your office, climb in and steal something, but if you have bars over the windows then this is less likely to happen. Ah, so they can’t come through a window but how strong are the doors? You need to consider all possible – or at the very least all you can think of – ways the vulnerabilities in the situation could turn the threats into reality. On to stage three where you’ll look at what the impact would be if something happened. Say you had strong doors and barred windows except for one which only allowed access to that old storeroom with nothing in it; that would have a lower impact than if it allowed access to the computer room. Along with the impact remember to think about the value of whatever could get lost or destroyed; that’s not just the capital cost by the way, it should also encompass the value of your brand, your reputation and anything else it’ll be expensive to get back, these are your company’s assets. … The next stage is to look at what you can do to reduce the likelihood and the cost of that incident. In many cases it can be something very simple such as putting in place a procedure to ensure the last person to leave shuts and locks all the windows; it doesn’t need to be a monstrously expensive piece of software that will automatically seal off the building at 6pm sharp. … Of course someone will need to define what the acceptable level is but we know whose job that is, governance. Last stage now, where the risk is not acceptable you’ll need to come up with a plan on how to deal with it. This might be further investment in equipment or staff, or it may be possible to devise a plan that removes the risk entirely, for example by moving valuable assets to another more secure location. These plans will be reported up to the governance level whose role is to agree to them, provide what you need to get them done and to monitor progress.

You’d be surprised how many organisations are completely missing the two items described above, although most have all the rest but they’re not much good on their own.

They don’t have to be long and wordy, in fact the shorter and punchier they are the better; they need to have impact.

Unlike policies these need to have more detail in there, they need to cater for when things go wrong as well as right and how to deal with that. They show the governance layer that procedures are being followed correctly and can be used in the risk management process to identify potential issues. If your organisation undergoes audits you’ll know auditors love nothing more than evidence; it’s the only thing that proves you’re doing what you say you do.

It’s a natural human attribute to be helpful and friendly, I’ll just see if that stranger over there needs help with carrying that suspiciously large box down to his van (that’s based on a true incident folks). It’s not easy to measure if all this investment in security is working; until someone tries to break it you’ll never know if it works or not. … The idea is you pay another company a load of money to test your security and they produce a nice big report for you in return. … Some tests need specialist skills and equipment so those you are stuck with coughing up for, but many tests can be conducted by you or your friends and colleagues. Go round the building and check doors are locked, no confidential paperwork is left out on a desk, PCs aren’t left logged in. Get a friend to see if they can get inside past reception without an appointment, tell them to carry a box and say they’ve got equipment to install in the computer room. … All these tests will go towards proving the governance is in place and working, the risks are being managed effectively and the policies are being adhered to. The only caveat to this advice is where you’ll be audited and the results of the tests are offered as evidence; I find auditors aren’t keen to accept a handwritten note from uncle Joe saying he tried but he couldn’t break in as sufficient for their needs.

They’re still important and getting the right tool will save you a lot of pain and sorrow further down the road but don’t think they’re the whole answer.

Security should be seen as a continuous circle where the outputs are constantly fed back as input and the circle revolves again, each time improving and refining the process; you need all the spokes of the wheel in place if your organisation is going to successfully move forward with a mature and effective security stance.

Link: http://www.daftblogger.com/assurance-does-not-come-in-a-box/

Identify areas of intensive data analysis and look for strategic alignments with context-aware devices that can increase reaction times without reducing effectiveness

Thinking back to the origin of the phrase contextual computing, it is important also that these actions be put into the most appropriate human context. It should be a specialist security team or officer running these processes and they need to be made in context – while thinking holistically about the overall needs of the business.

It may well be that more security technology, context-aware or not, is not the biggest requirement for some companies.

Sometimes it is the human context that needs to be improved, from a social-engineering perspective. After all, the supplemental information the software will be looking for is founded on human behavior patterns, from information user behavior and tasks to location, infrastructure and physical conditions.

Link: http://www.computerweekly.com/opinion/Security-Think-Tank-Context-aware-security-saves-time?utm_medium=EM&asrc=EM_ERU_20999938&utm_campaign=20130318_ERU%20Transmission%20for%2003/18/2013%20(UserUniverse:%20635390)_myka-reports@techtarget.com&utm_source=ERU&src=5114873

Several weeks prior their client-facing website/application had been “hijacked” and was redirecting clients from certain geographic regions to an overseas site. … Best guess would be a drive-by malware site, although the geographic discrimination is an unusual twist that would have been interesting to understand. In order to ensure that any traces of the compromise were eradicated, the client rebuilt the site at a different hoisting provider on a fresh Content Management System (CMS) install with updated modules/templates. That being said, we had several good data points: an overseas IP address attempting to hit the admin page of the app and the fact that the hacker had signed his website defacement.

One thing many people don’t know about TOR is that it can also be used to connect to “hidden services” on the internet – sometimes referred to as the “darknet”. … It’s not for the faint of heart – and despite the “anonymity” that is provided by TOR, you still find yourself looking over your shoulder when you’re on it.

Part of our client’s continuous improvement process is adding TOR/darknet knowledge to their Computer Security Incident Response Team (CSIRT). Hopefully, they won’t have to exercise the plan anytime soon – but if they have a security incident to respond to their Incident Response Plan now includes a trip to the dark side.

Link: http://www.pivotpointsecurity.com/risky-business/does-your-incident-response-plan-include-the-dark-side-of-the-internet

In a paper (PDF) released late last year, “Proactive Defense for Evolving Cyber Threats,” Sandia researchers Richard Colbaugh and Kristin Glass outline a computer model that they claim can monitor the Internet to identify volatile situations weeks before they go south—with “perfect accuracy.” While that information may be enough for a retailer to bet that the “steampunk” look will be the next hipster fashion, it’s what spymasters call “non-actionable intel.”

They start by tracking how many times a specific phrase turns up, using a website that tracks memes daily—sort of an early early warning system. … Their approach works, Colbaugh says, because it’s a blend of social science (the power people have to influence others) and computer science (the power of Big Data).

Intelligence agencies, embarrassed by the unforeseen events that lead to the Arab Spring and historic changes in the region, have been working on open source tools (PDF) that will make them more prescient about world events.

The research, Colbaugh points out, is in the public domain and it wouldn’t be difficult for a large corporation concerned about cyber attacks, say in financial services, to modify the model for its use. Encouraging as the research appears, it is not designed to replace existing cyber security tools or traditional methods of intelligence gathering. It is best used to zero in on public chatter on the Web—not the modus operandi of your lone cyber criminal or a state-sponsored pro because, as John Pescatore, director of emerging security technologies for SANS Institute, points out: “They’re not going to yak about it on social media.”

Link: http://www.businessweek.com/articles/2013-03-04/this-research-paper-explains-how-to-predict-the-next-arab-spring-and-cyber-attacks#r=pol-s

By understanding the needs of the industry and keeping on top of new technologies and threats, good CSOs can identify the special skills and expertise (such as analytics expertise or a specialty in malware) needed in their new hires on both the information- and physical-security fronts, says Young.

Tom Verzuh, president of recruiting firm SCW Consulting, is seeing great demand for physical-security professionals who are fluent in technology, especially digital-video software management and analytics.

“The way to increase your value as a physical security professional is to invest in learning the world of IP networking and Microsoft server technologies and data analytics solutions,” says Charles Foley, chairman and CEO of Watchful Software. “Security pros that know these two areas will be able to spearhead their companies efforts to streamline costs, increase value delivered, and will literally sell information collected to the rest of the organization.”

Information-protection skills are in great demand, according to Foley –in particular, knowledge of data-centric technologies such as enterprise rights management, multilevel security models, data classification techniques and biometrics.

This understanding is also important for recognizing where potential vulnerabilities might lie within the organization, such as with outsourced services or data, or lines of business that are popular targets for cyberattacks.

CSOs that have an advanced business degree such as an MBA are always going to be that much more desirable than those who do not, according to Jerry Irvine, CIO of IT outsourcing company Prescient Solutions and a member of the National Cyber Security Task Force. Not only must CSOs make complex security issues understandable to the enterprise at large, they must also make it clear how important security risk, particularly digital risk management, is to the executive suite’s agenda. David Luzzi, executive director of Northeastern University’s Strategic Security Initiative, adds logical reasoning and the ability to inspect ideas as important skills to build on the foundation of excellent verbal and written communication skills.

Link: http://www.cso.com.au/article/455664/hot_security_skills_2013/

For example, the vast majority of these academic legal scholars would require the United States ensure that malicious software attack only combatant systems and legitimate military targets, and not affect any other systems.

While code can be targeted to a specific military system, that is no guarantee it will be limited because of the dual use of information technology.

The legal perception of cyber is based on an assumption that actors are either civilian or military, but there is no such clear distinction in the militarized and contested digital world.

In cyberspace, universities, municipal utilities, communication companies and other actors are a part of the war-fighting effort without clear boundaries to being civilian or military. If the U.S. became engaged in a cyber conflict with Hezbollah in southern Lebanon, an organization that is a mix of crude arms manufacturing, terrorism training and soup kitchens for the poor, there is no way to ensure that a counter cyber attack would not affect the soup kitchens. But there is no territorial or international cyberspace as long as attribution is unsolved — and even with attribution solved, the answer to where, when and by whom is troublesome to answer.

Applying laws of war that have origins in the 1800s, when massive armies fought on a field in broad daylight, in an abundance of object permanence, is not relevant to cyber when the contested space is changed, lost, created, reborn and redesigned in real time.

Link: http://www.defensenews.com/article/20130217/DEFFEAT05/302170016/Offensive-Cyber-Superiority-Stuck-Legal-Hurdles-