
Copyright 2014 by Netswitch, Inc. All rights reserved.


Breach!

Information Security

For Business Executives

By Steve King, COO and Chief Security Officer

Netswitch Technology Management, Inc.


Table of Contents

“Information technology and business are becoming inextricably interwoven. I don't think anybody can talk meaningfully about one without talking about the other.”

----Bill Gates

Introduction

Chapter One: The Current Threat Landscape

Chapter Two: Next Generation Security is Different

Chapter Three: What About The Data Itself?

Chapter Four: There’s Data and Then, There’s Data

Chapter Five: Mobile Devices and BYOD

Chapter Six: Compliance is along for the Ride

Chapter Seven: Breach Remediation & Incident Response

Chapter Eight: So, What Do I Do Now?


Introduction

“Information security is the immune system in the body of business.”

----Kevin Pietersma

The purpose of this book is

1) to explain in as simple and non-technical terms as possible, the current threat landscape related to information security that is faced by all businesses today and in the near term,

2) to try and separate fact from fiction and,

3) to identify some practical and useful things that all business executives can do to protect themselves from these threats.

If you expected something else, this is not the book you want to read. We will explain how information security works, how networks can be protected and how the relationships between data, applications, networks and operating systems work in the context of security. It won’t be very technical. Your technical guys will freak out. They will say, “He didn’t even talk about perimeter security or DHS Einstein or Secure DMZs!” They are right. He didn’t.

But, if you want to learn about the current state of information security in business, an explanation of the various security holes affecting everyone’s enterprise information systems and networks and the kinds of things you need to do to protect yourself from cyber-criminals, hackers and inadvertent employee blunders, you will find all of that here. We are not trying to sell you anything. What we WANT is for you to come away with an understanding of the current security landscape, enough knowledge to be able to protect your company from data breach and cyber-attacks and an understanding that this level of protection is within your reach. We WANT you to enjoy the same protection as big companies do for a fraction of the cost. We hope you enjoy the book.


Chapter One

The Current Threat Landscape

“Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them.”

----Morrie Gasser

Fact: The most common information security threat to your business today is a data breach.

A data breach is the intentional or unintentional release of secure information to an untrusted environment.

Technical definition: “A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.”

Other terms for this phenomenon include unintentional information disclosure, data leak and also data spill. Hopefully, you won’t hear these terms used in the same sentence as “bad news” from your own IT guys.

Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property.

The following bubble chart illustrates the growth in volume of information records that have either been hacked or stolen at major players who regularly deal in personally identifiable information during the past three years:


As you can see, security breaches are trending upward rapidly and badly. In case you haven’t been paying attention, here are just a few of the breaches that made headlines in 2013:

Social Media Giants Facebook, LinkedIn, Among Others, Get Hacked…Repeatedly.

In February 2013, Twitter, Pinterest and Tumblr were exposed through no fault of their own when their customer-support provider, Zendesk, was hacked. No passwords were compromised, but thousands of user email addresses were obtained and were likely used in phishing campaigns to harvest more personal information.

Let’s fast forward to late November 2013. Hackers stole usernames and passwords for nearly 2 million accounts at Facebook, Google, Yahoo, LinkedIn, Twitter and 93,000 other websites. That breach was a result of malware installed on user computers that swiped log-in credentials for thousands of sites for over a month. Facebook accounts were compromised the most, followed by Google, including Gmail and YouTube.


Nearly 40 Million Target Customers’ Credit and Debit Card Numbers Were Stolen In Midst of Holiday Shopping Rush.

Of course you have heard of this one. From right after Thanksgiving to just before Christmas 2013, cyber-thieves stole 40 million Target shoppers’ credit and debit card numbers along with debit card PINs (which Target said were encrypted), and compromised another 70 million accounts that included addresses and mobile numbers. Some think that this breach highlighted the United States’ use of outdated credit card security technology and the lack of protective legislative reform. I think it instead highlighted a poorly implemented security protection cycle and one company’s inability to address a breach immediately when it occurred. More about this later. Target will likely continue to deal with the massive fallout throughout 2014 and beyond, including civil lawsuits from affected customers, suppliers and partners. And, in the meantime, Beth Jacob, Target’s former CIO, is available for a new assignment.

Hacker Group ‘Anonymous’ Targets Twitter Accounts.

This breach compromised 250,000 user emails and passwords, following two similar attacks on The New York Times and Wall Street Journal computer networks late in January 2013.

Adobe Breach Snowballs Into Multi-Network Security Risk.

In this October 2013 breach, Adobe reported that over 3 million customers’ credit card records were stolen. A source code leak accompanied the exposure of almost 40 million user emails and passwords. We now know that the breach impact was felt well beyond Adobe’s Photoshop users. According to the Krebs on Security blog, more than 150 million Adobe username and password combinations were posted to AnonNews.org. But there’s more. The Adobe breach also shows how damage compounds through network effects. This condition is present when data in one location is linked or tied to data in another location containing additional information. Many of those users had written password hints that pointed back to their banks, home addresses and stored Social Security numbers. Those hints were now the property of the original thieves.


System Bug Exposes 6 Million Facebook Users’ Personal Data In Yearlong Breach.

Facebook said the leaks, which began in 2012, were the result of a technical glitch that was corrected in June of 2013. And, the social media site maintained that the information wasn’t abused. “We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” Facebook said in a blog post. Hmmm. Information surfaced in March of 2014 that much of that data was for sale on underground market sites.

Upwards Of 50 Million LivingSocial User Emails And Passwords Get Stolen.

In April of 2013, the Washington, D.C.-based daily deal site assured its affected customers that their passwords had been “hashed and salted.” Hashing is not encryption: it is a one-way transformation, so the site never stores the password itself, only a fingerprint of it mixed with a random value (the salt). A thief who steals the database cannot read the passwords directly and has to guess them one at a time, and how long that takes depends heavily on which hashing function was used. LivingSocial also announced that, as a result of the breach, it had updated its hashing security measures. It is not clear what happened to those passwords and user accounts.

Evernote Resets About 50 Million Account Passwords After Data Breach.

The mobile data storage company’s security team uncovered an attempt to access its restricted corporate network in March of 2013, but did not say whether any information was stolen or missing.

The U.S. Department Of Homeland Security Finally Corrected A Four-Year Error In The Software It Uses To Process Employees’ Background Checks.

Social Security numbers, birth dates and names were discovered to be unprotected due to a third-party software vulnerability. DHS had been aware of the problem since 2009 and fixed it only in May of 2013, four years later. The agency didn’t disclose how many of its almost 250,000 employees were affected during that period. But I can guess.

Federal Reserve Bank Website Hacked By Anonymous.

As a part of “Operation Last Resort,” the political hacktivist group Anonymous posted a link to a third-party site where users could download the stolen contact information, including customers’ phone numbers and email addresses. The Federal Reserve said the hackers exploited a “temporary vulnerability in their third-party website vendor product.”

But, there’s more. Those were just a few of the breaches that made headlines in 2013, and they represent only part of the increase from the 297 reported in all of last year to the 431 reported so far this year (through July, 2014). At the present rate, reported breaches by 2014 year-end will be close to 1,000, more than triple last year’s count.

Retailers are often reluctant to report breaches out of concern that it could hurt their businesses. Target only acknowledged its 2013 attack after security blogger Brian Krebs reported the breach, prompting inquiries from journalists and investors. Neiman Marcus said an outside forensics firm discovered evidence on Jan. 1 that indicated the retailer had been the victim of a cyber-attack. It disclosed the breach nine days later, after another inquiry from Krebs, who was following up on reports about a surge in fraudulent charges traced to the retailer. Target and J.C. Penney Co Inc. waited more than two years to admit that they were victims in 2007 of notorious hacker Albert Gonzalez, who was accused of masterminding the theft and resale of millions of credit card and ATM numbers. Together, these breaches exposed over 11 million individuals’ personal information, including debit card numbers, PINs, Social Security numbers, email addresses with passwords and credit card information.

And here are the big ones so far in 2014:

eBay acknowledged that intruders cracked the company's data network, enabling them to access customers' personal information. Not financial data, mind you. Only names, addresses, phone numbers and passwords.

P.F. Chang’s China Bistro said last week that it is investigating a potential security breach that may have led to the theft of information from thousands of customer credit cards. The theft was first reported by Brian Krebs, who noted that thousands of fresh credit cards had appeared on Rescator, a so-called underground carding site that was used to sell payment data after last year’s Target network breach. Data from the magnetic stripes of the latest stolen cards is selling for between $18 and $140 per card.

Michaels Stores point-of-sale systems (at 54 Michaels and Aaron Brothers stores) were attacked by criminals using highly sophisticated malware between May 2013 and January 2014. The company said up to 2.6 million payment card numbers and expiration dates at Michaels stores and 400,000 at Aaron Brothers could have been obtained in the attack.

Montana Department of Public Health and Human Services server attacks.

The servers held names, addresses, dates of birth and Social Security numbers on roughly 1.3 million people, although the department said it has no reason to believe that any information contained on the server has been used improperly or even accessed. Of course not.

Variable Annuity Life Insurance Co. A former financial adviser at the company was found in possession of a thumb drive that contained details on 774,723 of the company’s customers. The thumb drive included full or partial Social Security numbers, but the insurance company said it didn’t believe any of the data had been used to access customer accounts. It’s not the first time the company has lost data on a thumb drive. In 2006, it concluded a lawsuit against a former financial adviser for downloading confidential customer information onto a portable flash drive.

Spec’s. A 17-month-long criminal attack on the Texas wine retailer’s network resulted in the loss of information of as many as 550,000 customers. The intrusion began in October 2012 and affected 34 of the company’s stores across the state. It continued until as late as March 20 of this year, and the company fears hackers got away with customer names, debit or credit card details, card expiration dates, card security codes, bank account information from checks and possibly driver’s license numbers.

St. Joseph Health System servers were attacked between Dec. 16 and January 18. They contained approximately 405,000 former and current patients’, employees’ and some employees’ beneficiaries’ information. This included names, Social Security numbers, dates of birth, medical information and, in some cases, addresses and bank account information. As with many other hacks, an investigation wasn’t able to determine if the data was accessed or stolen.

I won’t describe the major breaches that have occurred at data-rich technology companies in the past couple of years like Epsilon, RSA Security, Sony's PlayStation Network, Google, VeriSign, Fidelity National Information Services, etc., but will point out that these companies hosted names and e-mails of millions of customers stored in hundreds of retail stores plus several huge financial firms like CitiGroup Inc. and the non-profit educational organization, College Board. You can do the math. And of course this week (August 5, 2014), the “Russian Breach” amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, by injecting malicious code into at least 420,000 websites to gather the data.

This event has caused worry among some in the security community who are beginning to believe that keeping personal information out of the hands of thieves is increasingly a losing battle. It is not, and I will explain why and how in the next chapter. It IS, however, going to be a losing battle to continue to try to prevent the hackers from going about their business. They will always be at least one and often several steps ahead of the good guys. The best we can ever do is to know exactly when a breach occurs and be positioned to remediate it immediately.

Some security analysts use the analogy of your local police force combined with a security service for your home. We will never have enough police to watch over every one of us and our families and homes, which of course we wouldn’t want anyway. We instead have enough police to respond to home burglaries, sometimes in progress and usually after they occur, and a legal system that can pursue the bad guys and prosecute them. What we really want is traditional “high-wall” security (police and security alarm systems) combined with a non-obtrusive surveillance system that can detect anomalous behavior and investigate it.

In business, “high-wall” security translates to intrusion detection and prevention systems for known attack schemes and viral infections. We are also beginning to see “smart” protection schemes that rely on probabilistic statistics and Bayesian methods to analyze your network traffic, establish baselines for normal behavior and detect anomalous behavior at the earliest signs of entry.

Our company has been consulting for the better part of 15 years with start-ups, mid-market and Fortune 2000 companies as they struggled with the perceived opportunities and threats created by the arrival of Internet technologies.
We have consulted on application security as expert legal witnesses for the likes of SAP and Oracle as well as on Infrastructure security for Cisco and Intel. We have designed and built a lot of security systems for companies ranging from large hotel chains to major telecommunications companies to small insurance brokerages. In the past 24 months, we have evaluated over 250 separate security packages from over 60 different vendors. These have ranged from data breach protection to mobile device management. We have studied the current threat landscape thoroughly and we have developed a services-based approach to complete information security protection that addresses every point of defense and is one that every company regardless of size can implement.


In the next chapter, I will explain the principle of Defense in Depth and describe the security exposures at every layer of your IT environment in a way that will hopefully neither confuse nor bore you, but will leave you with a better understanding of what you are up against and the things you can and should do to protect your company. Again, the illustrations and explanations are deliberately simplified. There are many more layers and components and much more technology involved in threat prevention and data security than discussed here, but my objective is to provide a 10,000 foot view and understanding of the problem space, and to encourage you to adopt a Defense in Depth security strategy and implement it.


Chapter Two

Next Generation Threats Are Different

“You cannot solve the problem with the same kind of thinking that has created the problem.”

----Albert Einstein

We have seen the trends in cyber-crime and malware attacks. With these attacks evolving at such an astounding pace, your organization needs security solutions today that address head-on every attack vector from the surface to the core, aka Defense in Depth. We believe that the principle of Defense in Depth should be the foundation strategy for any and all business security policies and approaches.

Defense in Depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier. In terms of computer network defense, Defense in Depth measures should not only prevent security breaches, but will also buy an organization time to detect and respond to an attack, thereby reducing and mitigating the consequences of a breach. A well-designed strategy of this kind can also help system administrators and security personnel identify people who attempt to compromise a computer, server, proprietary network or ISP (Internet service provider). If a hacker gains access to a system, Defense in Depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence.

Components of Defense in Depth include antivirus software, smart firewalls, anti-spyware programs, hierarchical passwords, intrusion detection and prevention, behavioral analytics, remote and mobile device access control and biometric verification. In addition to electronic countermeasures, physical protection of business sites along with clear policies and comprehensive and ongoing personnel training enhances the security of vital data against compromise, theft or destruction.


Imagine, if you will, a sphere in which there are several layers surrounding a core. That core is your Data, the heart of your business, your critical information assets. The outermost layer is the Network or Perimeter Layer, the gateway to all your applications, data and files. Most attacks start here. This is the layer from which you can control all normal access to your digital world. The key defenses you will hear about are Next Generation Firewalls, Messaging Security (anti-virus and anti-malware) and Perimeter Intrusion Detection Systems and Intrusion Prevention Systems. We think about these things as components of an Enterprise Immune System, and you should too. Whether you are trying to keep potentially dangerous people off an airplane or potentially dangerous code out of your network, you can take one of several approaches to deciding who or what gets in and who or what does not. Intrusion detection and prevention systems (IDPS) are focused on monitoring network or system activities, looking for malicious code or policy violations, blocking known attackers, identifying possible incidents, logging information about them and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.


IDPSes have become a necessary addition to the security infrastructure of nearly every organization, large or small, especially in light of the non-linear trends in cyber-attacks and data breaches. Firewalls are usually bundled into an IDPS today. On their own, firewalls and other simple boundary devices lack the intelligence to observe, recognize and identify attack signatures that may be present in the traffic they monitor and the log files they collect. Such devices may collect all the information necessary to detect (and often to foil) attacks that are getting started or already underway, but they haven’t been built to inspect for the kinds of traffic or network behavior patterns that match known attack signatures or that suggest unrecognized attacks that may be incipient or in progress. And many of them require constant tuning for specific environments based on web and network traffic patterns.

Here is where your eyes glaze over, right? Stay with me for a minute longer. I mention firewalls here because you may have heard of attempts to fix an insecure network by installing a firewall. If it is a traditional firewall, it won’t help much. What you will need is a “next generation firewall,” and since those functions are now built into most intrusion detection and prevention systems, we can pretty much skip them in our discussion. But as long as we’ve come this far, I should explain that next generation firewalls differ from traditional firewalls because they perform a far deeper inspection than the “stateful inspection” of the earlier generation.

Think of a packet’s headers as the ID a program presents at the door: who it is from, where it is going, and which port and protocol it claims to be using. A traditional firewall decides on that ID alone. “Stateful inspection” adds memory: the firewall remembers which connections were legitimately started from inside your network and lets back in only the replies to those connections. That did a good job of blocking unwanted programs in an era when every program met certain “port-protocol” expectations (state), before anyone thought to disguise one program’s traffic as another’s. Programs back then were simple-minded and showed up exactly as they were expected to show up. Collared shirt, rep tie, blue blazer, khaki slacks and loafers. Now they show up looking like Justin Bieber, Jay-Z or Young Thug. It’s a different world. Next Generation Firewalls go way deeper. They inspect the payload of packets to identify the actual application regardless of which port it arrives on, and they match signatures for harmful activities such as known vulnerabilities, known exploit attacks, known viruses and malware. In other words, they anticipate certain attacks known by their “signatures” and can block them before they get in. The caveat is in the word “known”: a signature exists only for an attack that someone has already seen and described.
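To make the distinction concrete, here is an added example (written for this edition, not code from the book or from any firewall vendor): a toy stateful filter that decides on addresses, ports and connection state, next to a next-generation filter that additionally identifies the application from the packet payload. The internal address range, the policy, the packet records and the application signatures are all constructed assumptions.

```python
"""Stateful port-based filtering versus payload (application) inspection.

Added example, not from the book. Packets are constructed in-line and the
application 'signatures' are simplified assumptions, not a vendor's rule set.
"""
import re
from dataclasses import dataclass

INSIDE = "10.0.0."                   # assumed internal address range
ALLOWED_INBOUND_PORTS = {80, 443}    # assumed policy: only the web server is reachable from outside
EXPECTED_APP = {80: "http", 443: "tls"}   # assumed policy: what each open port must carry


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool          # True on the first packet of a connection
    payload: bytes


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE)


def stateful_filter(packets):
    """Generation-one logic: decide on addresses, ports and connection state only."""
    established = set()      # 4-tuples of connections the firewall has already admitted
    verdicts = []
    for p in packets:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if is_inside(p.src):
            established.add(flow)            # outbound: remember it so the replies get back in
            verdicts.append("allow")
        elif flow in established or reverse in established:
            verdicts.append("allow")         # part of a connection we already admitted
        elif p.syn and p.dport in ALLOWED_INBOUND_PORTS:
            established.add(flow)            # new inbound connection to a permitted port
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts


# Application identification from the first payload bytes (simplified assumptions).
APP_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),        # TLS record: handshake, version 3.x
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
]


def identify_app(payload: bytes) -> str:
    for name, pattern in APP_SIGNATURES:
        if pattern.search(payload):
            return name
    return "unknown" if payload else "none"


def ngfw_filter(packets):
    """Next-generation logic: the stateful decision first, then check that the
    payload really is the application the destination port is supposed to carry."""
    verdicts = []
    for p, base in zip(packets, stateful_filter(packets)):
        if base == "deny":
            verdicts.append("deny")
            continue
        expected = EXPECTED_APP.get(p.dport)
        app = identify_app(p.payload)
        if expected and app not in (expected, "none"):   # 'none' = no payload yet (e.g. the SYN)
            verdicts.append(f"deny ({app} on port {p.dport})")
        else:
            verdicts.append("allow")
    return verdicts


# Constructed traffic: an inside host browsing, a legitimate web request from outside,
# an SSH server hiding on port 80, and a plain SSH attempt.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.9", 40001, 443, True, b""),
    Packet("203.0.113.9", "10.0.0.5", 443, 40001, False, b"\x16\x03\x03\x00\x2a"),
    Packet("198.51.100.7", "10.0.0.8", 51515, 80, True, b""),
    Packet("198.51.100.7", "10.0.0.8", 51515, 80, False, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet("198.51.100.7", "10.0.0.8", 51516, 80, True, b""),
    Packet("198.51.100.7", "10.0.0.8", 51516, 80, False, b"SSH-2.0-OpenSSH_6.6\r\n"),
    Packet("198.51.100.7", "10.0.0.8", 51517, 22, True, b""),
]

if __name__ == "__main__":
    for p, old, new in zip(SAMPLE, stateful_filter(SAMPLE), ngfw_filter(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateful={old:<6} ngfw={new}")
```

The sixth packet is the point: a stateful firewall sees an established connection to an open port and lets it through, while the payload check recognises an SSH banner where HTTP was expected and drops it. Both filters still deny the seventh packet, which is what port-based rules have always been good at.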


This is also referred to as “Intrusion Prevention” (yes, we’re back to that), and this approach relies on libraries of attack “signatures” that must be kept up to date. How am I doing on the simple, non-technical explanations? I was afraid you were going to say that. Back to IDPSes. By analogy, an IDPS does for a network what an antivirus software package does for files that enter a system (and more): it inspects the contents of network traffic to look for and deflect possible attacks, just as an antivirus package inspects the contents of incoming files, e-mail attachments, active Web content and so forth to look for virus signatures (patterns that match known malware) or for possible malicious actions (patterns of behavior that are at least suspicious, if not downright unacceptable). IDPSes typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack's content. In a passive system (detection only), the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert to whoever has been designated as the network administrator. In a reactive system, also known as an intrusion prevention system (IPS), the IPS auto-responds to the suspicious activity by resetting the connection or by reconfiguring the firewall to block network traffic from the suspected malicious source. The trade-off is that an automated response to a false positive blocks legitimate traffic, which is why prevention is usually switched on only for high-confidence signatures. The term IDPS is commonly used where this can happen automatically or at the command of an operator; systems that both “detect (alert)” and “prevent”.
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within your network which is a huge source of malware intrusions emanating from mobile devices like iPhones or “thumb” drives attached to USB ports on laptops. Typically, intrusion prevention systems utilize one of three detection methods: signature-based, statistical anomaly-based and stateful protocol analysis.


Signature-Based Detection: Signature based IDS systems monitor packets in the network and compare them with pre-determined attack patterns known as signatures. Signatures are like Blacklists for airline security. If you compiled a list of known terrorists and criminals, and checked IDs at the gate, looking for names that match your list and not allowing them to board, it would be an example of blacklist-based security and it is what is used by the airlines and Transportation Security Administration (TSA) and other law enforcement officials at most airports to prevent known terrorists from getting on planes.

Generally speaking, in network security, signature-based threat detection works like this:

o A new virus or malware variant is discovered.
o A new signature is created to protect against that specific piece of malware.
o The signature is tested, and then included in the IDPS software in the form of a signature update.

Until that update is installed, the sensor is blind to the new variant, which is why signature-based detection is always playing catch-up.

Statistical anomaly-based detection: A statistical anomaly-based IDS determines a baseline for normal network activity like bandwidth, protocols, ports and devices and their relationships to each other, and what network traffic patterns constitute normal activity. Then, they alert the administrator when traffic is detected which is anomalous (not normal).

Stateful Protocol Analysis Detection: This method identifies deviations of protocol states by comparing observed events with predetermined profiles of generally accepted definitions of benign activity. When monitoring requests and analyzing the corresponding responses, the test is that every request should have a predictable response, and responses that fall outside the expected results should be flagged and analyzed further. As you might have guessed, this approach is prone to large volumes of false positives.
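Here is how the first and third of those methods look in code. This is an added example, not code from the book or from any IDPS product; the three attack signatures, the one-request-one-response HTTP model and the captured messages are all constructed for illustration. Note that the strict protocol model flags a legitimate pipelined request as a deviation, which is exactly the false-positive problem just mentioned.

```python
"""Signature-based detection and stateful protocol analysis over an HTTP-like exchange.

Added example, not from the book. The signatures are a tiny constructed set,
the protocol model is a simplified one-request-one-response HTTP/1.1, and the
captured messages are constructed.
"""
import re

# Signature-based: known bad patterns in client requests (constructed examples only).
SIGNATURES = [
    ("directory-traversal", re.compile(r"(\.\./){2,}")),
    ("sql-injection-probe", re.compile(r"'\s*(or|OR)\s*'?1'?\s*=\s*'?1")),
    ("shell-metachar-in-header", re.compile(r"^\S+:.*\(\)\s*\{", re.M)),
]

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3}) ")


def signature_scan(message: str):
    """Return the names of every signature that matches this message."""
    return [name for name, pat in SIGNATURES if pat.search(message)]


class HttpStateTracker:
    """Stateful protocol analysis: each connection must alternate request, response.

    Anything that breaks that sequence is reported. The model is deliberately strict,
    so legitimate but unusual behaviour (a pipelined request) is flagged as well.
    """

    def __init__(self):
        self.state = {}    # connection id -> "expect_request" | "expect_response"

    def observe(self, conn: str, direction: str, message: str):
        state = self.state.get(conn, "expect_request")
        first_line = message.split("\n", 1)[0].rstrip("\r")
        if direction == "client":
            if not REQUEST_LINE.match(first_line):
                return f"{conn}: malformed request line {first_line!r}"
            self.state[conn] = "expect_response"
            if state == "expect_response":
                return f"{conn}: request sent before previous response (pipelining or abuse)"
            return None
        if direction == "server":
            if not STATUS_LINE.match(first_line):
                return f"{conn}: malformed status line {first_line!r}"
            if state == "expect_request":
                return f"{conn}: response with no outstanding request"
            self.state[conn] = "expect_request"
            return None
        return f"{conn}: unknown direction {direction!r}"


def analyze(capture):
    """Run both methods over (connection, direction, message) records; return the alerts."""
    tracker = HttpStateTracker()
    alerts = []
    for conn, direction, message in capture:
        if direction == "client":
            alerts.extend(f"{conn}: signature {name}" for name in signature_scan(message))
        deviation = tracker.observe(conn, direction, message)
        if deviation:
            alerts.append(deviation)
    return alerts


# Constructed capture: one clean exchange, one traversal attempt, a response nobody
# asked for, an injection probe followed by a pipelined request, and a hostile header.
CAPTURE = [
    ("c1", "client", "GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("c1", "server", "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    ("c1", "client", "GET /../../../../etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("c1", "server", "HTTP/1.1 404 Not Found\r\n\r\n"),
    ("c2", "server", "HTTP/1.1 200 OK\r\n\r\n"),
    ("c3", "client", "POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 26\r\n\r\n"
                     "user=admin' OR '1'='1&pw=x"),
    ("c3", "client", "GET /a HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("c4", "client", "GET /cgi-bin/status HTTP/1.1\r\nHost: shop.example\r\n"
                     "User-Agent: () { :; }; echo pwned\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in analyze(CAPTURE):
        print(alert)
```

The signature hits are only as good as the list; the stateful tracker needs no list at all but, as the c3 connection shows, it cannot tell an impatient client from an abusive one without more context.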

So, when you are considering an IDPS, you will need a system that uses a combination of these approaches, AND you will have to supplement it with a really good behavioral analytics system. What on earth is that? Behavioral analysis in networks is similar to stationing law enforcement personnel at various points around the airport who are trained in behavioral profiling, and can then question and observe persons who have tickets to board a flight, detaining those who act suspiciously and then deny their boarding altogether.


Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or its users by analyzing traffic. The model of normal or valid behavior is extracted from reference information collected by various means prior to installing detection software. The intrusion detection system later compares this model with the current activity. When a deviation is observed, an alarm is generated. In other words, anything that does not correspond to a previously learned behavior is considered intrusive.

The principal advantages of behavior-based approaches are that they can detect attempted attacks from new and unforeseen vulnerabilities. They can even contribute to the (partially) automatic discovery of these new attacks because they are capable of learning. They are less dependent on operating system-specific mechanisms. They also help detect 'abuse of privileges' types of attacks that do not actually involve exploiting any security vulnerability. In short, this is the paranoid approach: everything which has not been seen previously is dangerous.

As I mentioned, a high rate of false positives is generally cited as the main drawback of behavior-based techniques, because the entire scope of the behavior of an information system may not be covered during the learning phase. Also, network traffic behavior may change over time, introducing the need for periodic online retraining of the behavior profile, which results either in unavailability of the intrusion detection system or in additional false positives. The network may undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile contains intrusive behavior, which may not be detected as anomalous. See? Tricky.
It turns out that there are now behavioral detection systems that overcome these drawbacks by using advanced mathematics and by drilling into greater granular depths to resolve apparent false positives and dynamically adapt to changed environmental influences through continual “learning”. Really good advanced behavioral detection systems are principally designed to counter the most damaging forms of attack, such as Advanced Persistent Threats (APT), and previously undetectable threats from inside a network. An APT is a set of stealthy and continuous computer hacking processes, orchestrated to target a specific entity, like your POS system. An APT differs from a virus or from general malware in that its design and objectives are very specific. They are usually described in terms of a “Cyber Kill Chain,” the model most famously applied to the attack on Target Stores.
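The statistical anomaly-based method described earlier and the behavior-based learning described here come down to the same mechanism, so one added example covers both (it is not code from the book or from any product). It learns a per-host, per-hour baseline of outbound bytes, flags deviations from it, and then reproduces the two drawbacks above: a baseline learned while the intrusion was already under way absorbs the intrusion, and a legitimate change of behaviour raises false positives until the profile is retrained. The host name, the alert threshold and all traffic figures are constructed.

```python
"""Behaviour-based (statistical anomaly) detection and its two failure modes.

Added example, not from the book. Traffic figures and thresholds are constructed.
"""
from statistics import mean, pstdev

Z_THRESHOLD = 4.0   # assumed: alert when an hour is more than 4 standard deviations from its baseline
INTERVALS = 24      # one sample of outbound bytes per hour of the day


class HostBaseline:
    """'Pattern of life' for one host: mean and standard deviation of outbound bytes
    for each hour of the day, learned from several days of history (24-entry lists)."""

    def __init__(self, days):
        if len(days) < 2:
            raise ValueError("need at least two days of history to learn a baseline")
        self.mu, self.sigma = [], []
        for hour in range(INTERVALS):
            samples = [day[hour] for day in days]
            self.mu.append(mean(samples))
            self.sigma.append(pstdev(samples) or 1.0)   # flat history: avoid dividing by zero

    def score(self, hour, value):
        return (value - self.mu[hour]) / self.sigma[hour]


def learn(history):
    """history: {host: [day, day, ...]} -> {host: HostBaseline}"""
    return {host: HostBaseline(days) for host, days in history.items()}


def detect(baselines, observed):
    """observed: {host: one day of 24 samples} -> [(host, hour, z)] for anomalous hours."""
    alerts = []
    for host, day in observed.items():
        if host not in baselines:
            alerts.append((host, None, None))   # never seen before: the paranoid rule, unknown is suspect
            continue
        for hour, value in enumerate(day):
            z = baselines[host].score(hour, value)
            if abs(z) > Z_THRESHOLD:
                alerts.append((host, hour, round(z, 1)))
    return alerts


# Constructed traffic: a repeating hourly pattern plus a small day-to-day drift.
def quiet_day(level, day):
    return [level + (h % 5) * (level // 20) + day * (level // 100) for h in range(INTERVALS)]


def with_spike(day, hour, value):
    return day[:hour] + [value] + day[hour + 1:]


POS = "pos-17"   # assumed host name: a point-of-sale terminal
CLEAN_HISTORY = {POS: [quiet_day(2000, d) for d in range(7)]}


def scenario_exfiltration_detected():
    """Clean baseline, then a night where the POS host pushes 40 KB out at 03:00."""
    attack_day = with_spike(quiet_day(2000, 3), 3, 40000)
    return detect(learn(CLEAN_HISTORY), {POS: attack_day})


def scenario_poisoned_baseline():
    """The same exfiltration was already running every night while the baseline was
    learned, so the profile contains it and the alert never fires."""
    poisoned = {POS: [with_spike(quiet_day(2000, d), 3, 40000 + d * 20) for d in range(7)]}
    attack_day = with_spike(quiet_day(2000, 3), 3, 40000)
    return detect(learn(poisoned), {POS: attack_day})


def scenario_retraining():
    """A legitimate new nightly backup at 02:00 is a false positive against the old
    baseline and stops alerting once the profile is retrained on the new behaviour."""
    backup_day = with_spike(quiet_day(2000, 3), 2, 30000)
    before = detect(learn(CLEAN_HISTORY), {POS: backup_day})
    retrained = {POS: [with_spike(quiet_day(2000, d), 2, 30000 + d * 20) for d in range(7)]}
    after = detect(learn(retrained), {POS: backup_day})
    return before, after


if __name__ == "__main__":
    print("exfiltration vs clean baseline:", scenario_exfiltration_detected())
    print("exfiltration vs poisoned baseline:", scenario_poisoned_baseline())
    print("backup before/after retraining:", scenario_retraining())
```

The first scenario is the selling point: nothing in the alert depends on knowing what BlackPOS or any other tool looks like. The second is the trap the text warns about, and it is silent, which is the worst kind of failure. The third shows why the learned profile has to be refreshed, and why an analyst has to confirm that the “new normal” really is legitimate before it is accepted into the baseline.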

The stages of an advanced persistent threat like a Cyber Kill Chain are:

1. Reconnaissance
2. Weaponization
3. Delivery (Infiltration)
4. Exploit
5. Installation
6. Command & Control
7. Actions (Exfiltration)

You can see that cyber kill chains are deterministic and serial in nature. That is to say that one step must be completed before another has begun. Reconnaissance can take place over weeks, months or years while specific targets are tested and identified. Then, based upon the reconnaissance, the exact weapons of infiltration are specified and staged for infiltration. This, of course, is all happening programmatically and for the most part through automated, deterministic parsing. Once in place, the weapons install the exfiltration bots, begin to collect the data specified in the breach, establish a command and control center to direct the bots now infested into your software systems and begin the exfiltration process. This is usually done rapidly as it represents the tactical component of the kill chain: get the stuff and get out.

In the case of Target, by the way, the software system that was in use at the time (known as FireEye) did a great job of identifying the anomalistic behavior at step 4 (Exploitation) days before the malware known as BlackPOS began the actual killing at step 7 (Exfiltration). The problem was that when the alert was sent, no one acted, and the rest is history (sadly).

So, advanced behavioral detection systems must become an integral component of an effective immune system. They can create a unique inside view of an organization's entire network activity at the deepest level and they are able to automatically learn from all of the information that flows through the network.
Modelling patterns of life for each user and machine, they are able to detect normal and abnormal behaviors as they emerge, without already knowing what they are looking for, and then can calculate the probability of threat based on the detection of behavioral anomalies. You can think of them as a sort of intelligence-driven filter that captures the noise of an organization's internal networks and systems, amplifying the sounds that need to be heard.

The key to their success is their ability to spot and correlate small indicators of change and compromise which allow them to detect even extremely subtle and persistent threat actors, wherever they come from and whatever their intent. They can stop Cyber Kill Chains long before they get past their initial stages (as we saw in the opportunity with Target Stores). Preventing attackers from stealthily entering your network requires behavioral intelligence and visibility into what's happening in real time, along with conventional intrusion detection and prevention and most importantly human intervention and judgment to interpret the notifications and alerts, and determine an appropriate response. The closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be. If you don't stop the attack until it's already in your network, you'll have to fix those machines and do a whole lot of forensics work to find out what information the attackers have already made off with. You want the power and intelligence to observe and interrupt the cyber kill chain in real time. Make sure that the behavioral analytics system you choose is one of the advanced ones. A great Immune System is essential to enterprise security, but it is not a panacea. It, not unlike all the other protective mechanisms involved in Defense in Depth solutions, requires extensive human interaction, judgment and engineering. For example:

Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate, generating lots of false-positives.

It is not uncommon for the number of real attacks to be far below the false-positive rate. Real attacks are often so far below the false-positive rate that they are missed or ignored.

Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to newer attack strategies.

For signature-based IDSes there will be a lag between a new threat discovery and its signature being applied to the IDS. During this lag time the IDS will be unable to identify the threat.

For behavioral-based systems, behavior can change over time, and the system can undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile may contain intrusive behavior, which is not detected as anomalous.
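To make the learning-phase problem described above concrete, here is a toy behavior-based detector. It is an added example for this chapter, not code from the book or from any product the book mentions; the log format, the host name pos-07, the destination ports and the traffic counts are all constructed for illustration. It learns a per-host baseline (which destination ports a host talks to and how many connections it makes per hour) from reference traffic, flags deviations with a simple mean-plus-three-standard-deviations rule, and then shows that when the same unusual traffic was already present during the learning window, the identical hour of activity raises no alert at all: the baseline has absorbed the intrusion as "normal".

```python
"""Toy behavior-based intrusion detector (added example, not from the book).

Log format (constructed): "<hour> <host> <dst_ip>:<dst_port>", one line per
connection. The detector learns, per internal host, the set of destination
ports seen and the number of connections made per hour, then flags hours
that deviate from that baseline.
"""
from collections import defaultdict
from statistics import mean, pstdev


def make_lines(hour, host, port, n):
    """Construct n sample connection-log lines for one host/port pair."""
    return [f"{hour} {host} 10.0.5.20:{port}" for _ in range(n)]


def parse(line):
    hour, host, dst = line.split()
    return hour, host, int(dst.rsplit(":", 1)[1])


class BehaviorBaseline:
    """Model of 'normal' learned from reference traffic."""

    def __init__(self):
        self.ports = defaultdict(set)           # host -> destination ports seen in training
        self.hourly_counts = defaultdict(list)  # host -> connections per training hour

    def learn(self, lines):
        per_hour = defaultdict(int)
        for line in lines:
            hour, host, port = parse(line)
            self.ports[host].add(port)
            per_hour[(host, hour)] += 1
        for (host, _hour), n in per_hour.items():
            self.hourly_counts[host].append(n)
        return self

    def score(self, lines):
        """Return alerts for anything that does not match the learned baseline."""
        alerts = []
        per_hour = defaultdict(int)
        new_ports = defaultdict(set)
        for line in lines:
            hour, host, port = parse(line)
            per_hour[(host, hour)] += 1
            if port not in self.ports[host]:
                new_ports[host].add(port)
        for host, ports in sorted(new_ports.items()):
            alerts.append(("new-port", host, sorted(ports)))
        for (host, hour), n in sorted(per_hour.items()):
            history = self.hourly_counts[host]
            if not history:
                continue
            # volume rule: more than three standard deviations above the training mean
            mu, sigma = mean(history), max(pstdev(history), 1.0)
            if n > mu + 3 * sigma:
                alerts.append(("volume", host, hour, n))
        return alerts


HOST = "pos-07"
NORMAL_WEB_COUNTS = [20, 22, 18, 21, 19, 20, 23, 17]  # varied so the baseline has spread


def hour_traffic(hour, web=20, ftp=0):
    """Constructed traffic for one hour: web (443), a little database (1433),
    and optionally outbound FTP (21), which this host never normally uses."""
    return (make_lines(hour, HOST, 443, web)
            + make_lines(hour, HOST, 1433, 5)
            + make_lines(hour, HOST, 21, ftp))


CLEAN_TRAINING = [line for i, web in enumerate(NORMAL_WEB_COUNTS)
                  for line in hour_traffic(f"h{i + 1:02d}", web=web)]
# Two hours in which the unusual FTP transfers were already under way
ATTACK_WHILE_LEARNING = hour_traffic("h09", ftp=30) + hour_traffic("h10", ftp=32)
# The hour we would like the detector to flag
TEST_HOUR = hour_traffic("h11", ftp=30)


def clean_alerts():
    """Baseline learned from clean traffic: the new port and the volume both fire."""
    return BehaviorBaseline().learn(CLEAN_TRAINING).score(TEST_HOUR)


def poisoned_alerts():
    """Baseline learned while the attack was running: the same hour looks normal."""
    return BehaviorBaseline().learn(CLEAN_TRAINING + ATTACK_WHILE_LEARNING).score(TEST_HOUR)


if __name__ == "__main__":
    print("clean baseline:   ", clean_alerts())
    print("poisoned baseline:", poisoned_alerts())
```

The clean run produces two alerts for hour h11 (a never-before-seen destination port and a connection count far above the learned mean); the poisoned run produces none, because port 21 is now in the learned port set and the two contaminated training hours have widened the volume threshold past the test hour. This is exactly why the text insists on validating what the system learns and on periodic, supervised retraining.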

As I have said, there is a substantial amount of human engineering that goes into any ongoing IDS/IPS solution. Data isn’t meant to just be collected—analysis is the key to guiding security priorities. You will need managed intrusion detection and vulnerability scanning services to provide ongoing insights into your threats and vulnerabilities. You can provide those yourself or you can hire an outside firm to do it for you. But without the analysis, you will have collected a lot of data that will be of no use to you. You will want to monitor network traffic and analyze billions of security events using intelligent multifactor correlation and vulnerability analysis. You will want to identify incidents based on multiple inputs, including intelligence available to you from within the security industry.

In addition to IDS and IPS and analytics, you will want a smart log management system that collects and normalizes log data from your entire network infrastructure. Log management data are like snapshots of your network traffic that enable you to see what is happening throughout the day. There are literally millions of data points that require parsing, detection and examination. A smart log management system organizes and parses these countless pieces of log data and provides a quick, accurate notification of suspicious behavior.

You will want a system and a firewall that provides three levels of protection:

1) signature-based protection against known attacks,
2) positive protection against unknown attacks by only allowing certain permitted actions, and
3) advanced behavioral analytics which operate like a watchman constantly examining your network traffic for anomalistic behavior.

You will want to either staff or hire a 24×7 Security Operations Center (SOC) to monitor and validate the data, analyze and eliminate the false positives, and translate the data into actionable insight for incident response and containment.
The incident response and containment is obviously the most important part of the equation. You must have a trained and equipped remediation team that is prepared to act on the alerts it receives; after sorting the wheat from the chaff, it needs to be ready to execute. You don’t want to be in the situation Target Stores found themselves in, with a great intrusion detection system watching over your network and sending alerts that no one acted upon.

Conclusion: Begin constructing your Defense in Depth strategy by choosing and implementing an IDS/IPS system with a smart firewall and log management system and supplement it with an advanced behavioral analytics system. Create your own security operations center or find vendors that provide 24x7 monitoring and alerting. Be prepared to invest in your own IT team’s training and commitment to continual tuning of the software, analysis of the collected data, and remediation of a breach. Or, find a third party who does it all.

Chapter Three

What About The Data Itself?

“A computer lets you make more mistakes faster than any invention in human history – with the possible exceptions of handguns and tequila.”

— Mitch Ratliff

If you protect your network layer in the ways that I have described, you will have gone a long way toward beginning to establish that Defense in Depth strategy that will assure your organization that the bad guys won’t get in. Or, if they do, you will know about it in time to prevent them from robbing your information assets. But, there are other ways for thieves to get their hands on your data, and you have to prevent these as well. These relate to the File, Platform and Application layers.

I was consulting for a major US bank for several years on a project to help them reengineer a business process that would change the way their data was transferred between servers and databases. Their data (aka, your checking and savings account information) was encrypted when transferred from and to other banks, but was unencrypted when transferred internally between their own servers.

Anyone, including yours truly, who had passed the bank’s background checks could have easily siphoned off huge chunks of that data as it made its daily run among internal servers and had their way with it. These internal servers were connected with their production network via sub-networks but in ways that left them vulnerable to any program that had been able to obtain authorization to operate on that sub-network. Which was not hard to do.

And, speaking of “anyone”, your worst overall security exposure is your own employees, operating either maliciously or innocently and inadvertently by forgetting or ignoring whatever training and reminders you have provided about best practices. Most passwords are available on sticky notes found on your employees’ desktop monitors.

So, we need to talk about data and database security also. Data and database security is usually concerned with the use of a broad range of information security controls to protect databases (potentially including the data, the database applications or stored functions, the database systems, the database servers and the associated network links) against compromises of their confidentiality, integrity and availability. Sometimes these compromises involve what are commonly referred to as data loss and data leaks. The terms "data loss" and "data leak" are closely related and are often used interchangeably, though they are actually different. Data loss incidents turn into data leak incidents in cases where media containing sensitive information is lost and subsequently acquired by an unauthorized party. However, a data leak is possible without the data being lost on the originating side. In data leakage incidents, sensitive data is disclosed to unauthorized personnel either by malicious intent or inadvertent mistake.
Such sensitive data can come in the form of private or company information, intellectual property (IP), financial or patient information, credit-card data, and other confidential information classes depending on the business and the industry. Generally speaking, what we have talked about so far will guard computers against outsider as well as insider attacks, but as you will see, you will also need a combination of remote assessment scans, agent-based monitoring and network activity monitoring that address data and databases specifically related to leaks and loss as well as advanced security measures that employ machine learning and temporal reasoning algorithms.

These are designed to detect abnormal access to data or abnormal email exchange, provide “honeypots” for attracting and detecting authorized personnel with malicious intentions, and employ activity-based verification methods for insuring against unauthorized (or spoofed) access. A honeypot is a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers, but is actually a trap. Spoofing is the act of masquerading as an authorized user by falsifying originating credentials like email address and passwords. Some of the causes of data loss and data leaks, and other security risks to database systems include:

Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers, or by unauthorized users or hackers (e.g. inappropriate access to sensitive data, metadata or functions within databases, or inappropriate changes to the database programs, structures or security configurations);

Malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems and the unanticipated failure of database services;

Overloads, performance constraints and capacity issues resulting in the inability of authorized users to use databases as intended;

Physical damage to database servers caused by computer room fires or floods, overheating, lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures and obsolescence;

Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities (e.g. unauthorized privilege escalation), data loss/corruption, performance degradation etc.;

Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in database or system administration processes, sabotage/criminal damage etc.

In addition, data and database security is rife with mistaken beliefs which cause people to design ineffective security solutions. Here are some of the most prevalent security myths:

1. Myth: Hackers cause most security breaches. In fact, 80% of data loss is caused by insiders.

2. Myth: Encryption makes your data secure. In fact, encryption is only one approach to securing data. Security also requires access control, data integrity, system availability, and auditing.

3. Myth: Firewalls make your data secure. In fact, 40% of Internet break-ins occur in spite of a firewall being in place.

To design a security solution that truly protects data and databases, the people involved in the project must understand the specific security requirements relevant to a given site, and the scope of current threats to the data residing on that site’s servers and network. Traditionally, databases have been largely secured against hackers through network security measures such as firewalls and network-based intrusion detection systems like those described in chapter two. While network security controls remain critical in this regard, securing the database systems themselves, and the programs/functions and data within them, is becoming equally critical as networks become more complex, are opened to wider access, and are exposed especially to malicious or inadvertent internal threats (e.g., your employees).

Increasingly, system, program function and data access controls, along with the associated user identification, authentication and rights management functions, are critically important to limit and in some cases log the activities of authorized users and administrators. In other words, these are complementary approaches to database security, working from both the outside in and the inside out of the networks, as it were, to guard against both threats from insiders and those from outside the firewalls.

Many organizations develop their own "baseline" security standards and designs detailing basic security control measures for their database systems. This is a good idea. What you want to do is make sure that they reflect general information security requirements or obligations imposed by corporate information security policies and applicable laws and regulations (e.g. concerning privacy, financial management and reporting systems), along with generally accepted good database security practices (such as appropriate hardening of the underlying systems) and perhaps security recommendations from the relevant database system and software vendors.

Not only will this increase your odds against loss, leakage and theft, but it will provide you with appropriate due diligence when under audit review. The security designs for specific database systems typically specify further security administration and management functions (such as administration and reporting of user access rights, log management and analysis, database replication, synchronization and backups) along with various business-driven information security controls within the database programs and functions (e.g. data entry validation and audit trails). Furthermore, various security-related activities (manual controls) are normally incorporated into the procedures, guidelines etc. relating to the design, development, configuration, use, management and maintenance of databases.

Just as hiring a good hacker will tell you a lot about your current network defense status, a good way to determine your current security condition related to databases is to perform vulnerability assessments or penetration tests against your databases. This is where testers attempt to find security vulnerabilities that could be used to defeat or bypass security controls, break into the database, compromise the system, etc. Your database administrator or security guys may, for example, use automated vulnerability scans to search out misconfiguration of controls along with known vulnerabilities within the database software itself.

A program of continual monitoring for compliance with database security standards is another important task for mission critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Compliance monitoring is similar to vulnerability assessment, with the key difference being that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of on-going risk assessment.

Ultimately, what you want to be able to do is get visibility into data usage, vulnerabilities, and access rights. You will need a combination of remote assessment scans, research, agent-based monitoring and network activity monitoring.

This includes:

Audit. Auditing access to sensitive data by privileged and application users.

Database Firewall with Alerts and Blocking. Software that will provide real-time alerts and/or block database attacks and abnormal access requests managed against pre-built security policies.

Knowledge of Known Software Vulnerabilities. Detection and virtual patching of database software vulnerabilities based on public research on known vulnerabilities in all leading commercial database platforms.

Excessive User Privileges. You will need to be able to identify excessive and dormant user-rights to sensitive data. Excessive user rights are just what the name implies, users who have an unusual number of privileges, and this is important to look for because hackers use access rights to impersonate users and go after sensitive data.

Trained Remediation Team. Accelerated incident response and forensic investigation by a team with prior training and a remediation plan.

All DB Platform Support. You will need a system that supports all the major database platforms including Oracle, Microsoft SQL Server, SAP Sybase, etc.
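The "Excessive User Privileges" item above, together with the earlier remark about reviewing permissions granted to PUBLIC, is the kind of check that can be written down as a repeatable review. The following is an added example, not code from the book or from any database security product: it compares each account's actual grants against the grants its role is supposed to need, flags accounts with access to sensitive objects that have not logged in for more than 90 days, and flags PUBLIC grants on sensitive objects. The roles, accounts, objects, dates and the "PRIVILEGE:object" grant notation are all constructed for illustration; a real review would read the same facts from the database's own catalog views.

```python
"""Access-rights review for a database (added example, not from the book or any product).

Compares each account's grants against what its role is supposed to need,
flags accounts that have not logged in for a long time, and flags PUBLIC
grants on sensitive objects. All users, roles, objects and dates are
constructed for illustration; a real review would pull them from the
database catalog.
"""
from datetime import date

# Constructed role baseline: the grants each role legitimately needs.
# Grants are written "PRIVILEGE:object"; "ALL:*" means the role is unrestricted.
ROLE_BASELINE = {
    "billing_clerk": {"SELECT:invoices", "INSERT:invoices", "UPDATE:invoices"},
    "report_reader": {"SELECT:invoices"},
    "dba": {"ALL:*"},
}
SENSITIVE_OBJECTS = {"invoices", "card_data"}
DORMANT_AFTER_DAYS = 90

# Constructed account inventory: assigned role, actual grants, last successful login.
ACCOUNTS = {
    "alice":   {"role": "billing_clerk", "last_login": date(2014, 11, 28),
                "grants": {"SELECT:invoices", "INSERT:invoices",
                           "UPDATE:invoices", "SELECT:card_data"}},
    "bob":     {"role": "report_reader", "last_login": date(2014, 6, 1),
                "grants": {"SELECT:invoices"}},
    "svc_etl": {"role": "report_reader", "last_login": date(2014, 11, 30),
                "grants": {"SELECT:invoices", "DELETE:invoices"}},
    "dana":    {"role": "dba", "last_login": date(2014, 11, 29),
                "grants": {"ALL:*"}},
}
# Constructed grants made to PUBLIC, i.e. to every account on the server.
PUBLIC_GRANTS = {"SELECT:lookup_codes", "SELECT:card_data"}


def obj_of(grant):
    """The object part of a 'PRIVILEGE:object' grant."""
    return grant.split(":", 1)[1]


def review(accounts, public_grants, today, dormant_after=DORMANT_AFTER_DAYS):
    """Return a sorted list of (finding, account, detail) tuples."""
    findings = []
    for name, acct in accounts.items():
        allowed = ROLE_BASELINE.get(acct["role"], set())
        # Excessive: anything granted beyond what the role's baseline permits.
        if "ALL:*" not in allowed:
            for grant in sorted(acct["grants"] - allowed):
                findings.append(("excessive", name, grant))
        # Dormant: no login for a long time while still holding rights to sensitive data.
        idle_days = (today - acct["last_login"]).days
        touches_sensitive = any(g == "ALL:*" or obj_of(g) in SENSITIVE_OBJECTS
                                for g in acct["grants"])
        if idle_days > dormant_after and touches_sensitive:
            findings.append(("dormant", name, f"{idle_days} days since last login"))
    # Public: sensitive objects readable by every account are a leak waiting to happen.
    for grant in sorted(public_grants):
        if obj_of(grant) in SENSITIVE_OBJECTS:
            findings.append(("public", "PUBLIC", grant))
    return sorted(findings)


def run_sample():
    """Review the constructed inventory as of a constructed review date."""
    return review(ACCOUNTS, PUBLIC_GRANTS, date(2014, 12, 1))


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

Against the constructed inventory the review reports four findings: alice holds a grant on card_data her role does not need, svc_etl can delete invoices although its role is read-only, bob has held sensitive access without logging in for about six months, and card_data is readable by PUBLIC. Each of those is a candidate for the "eliminate excessive user privileges" step in the conclusion below, and re-running the same review on a schedule is the continual compliance monitoring the chapter describes.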

Conclusion: Pick and implement a Database Security system with a smart firewall that can send alerts in real-time and block access based on pre-defined rules, implement penetration testing to reveal your vulnerabilities, audit your database systems against known weaknesses and make sure they are all patched to currency, eliminate excessive user privileges and train and equip a 24x7 remediation team to be on standby for attacks with a pre-determined plan for action and resolution.

Chapter Four

There’s Data and Then, There’s Data (Redaction, masking and encryption)

“Any science or technology which is sufficiently advanced is indistinguishable from magic.”

---- Arthur C. Clarke

Protecting data in databases is one thing, but protecting data that is wandering around outside of applications and in transit is another. Until you drill into it, you will be surprised at how many ways your data can end up in places where you would least expect. For example, have you engaged in external or off-shore application development? When it comes time to test against real, live data, what does your team do? Do they sit down and create a large batch of dummy data that looks just like your real stuff? My money would be on probably not. Instead, they likely pull a file of test data from a batch of real data and send that to the developers. This is known as a positive unconscious data leak. And it is only one example. Do you have a call center operation of any kind? Do you have live billing data streaming across those displays, un-redacted and in plain sight? Have you done a background security check on the operators? These are two simple and common exposures that no software security solution in the world can protect against.

And, that is just for structured data. There is 10 times more unstructured data residing in corporate databases than there is structured data, and it presents a unique challenge for companies concerned with protecting the contents from loss and theft. Unstructured data refers to information that either does not have a pre-defined data model (like rows and columns) or is not organized in a pre-defined manner. Examples of unstructured data would be x-rays, hotel room bills, MRI images, PDFs, etc. Structured data is information that is ready for seamless integration into a database or a well-structured file format such as Excel or Word. It is usually found in all the standard file formats used in business, and it generally represents transactional information about sales forecasts, general ledger accounting, human resources, etc.

Unstructured data, by contrast, is raw and unorganized. Digging through unstructured data can be cumbersome and costly. Email is a good example of unstructured data. It's indexed by date, time, sender, recipient, and subject, but the body of an email remains unstructured. Other examples of unstructured data include books, documents, 10-Ks, medical records, and social media posts. Unstructured information is typically text-heavy, but may contain formatted data such as dates, numbers, and facts as well. This results in irregularities and ambiguities that make it difficult to understand using traditional computer programs as compared to data stored in fielded form in databases or annotated (semantically tagged) in documents.

The fundamental difference between structured data and unstructured data is that structured data is organized in a highly mechanized and manageable way. When you are protecting structured data, it is relatively easy for software to “know” where all of the data elements reside because they only occur in places where they are defined in a manner that is strictly anticipated – in other words, a “date” field may only contain numerals and must be represented in the format “mm/dd/yyyy” where mm is month, dd is day, etc. Computer software “knows” exactly what to do with this. Computer software isn’t so good at knowing what to do with images and unformatted thoughts, ideas, pictures and formulas. So, how do we go about securing the 90% of corporate data that shows up as unstructured data? We redact it.

Data redaction is different from data masking, and I will get to that in a minute. But what follows are a couple of examples of the many ways that data can be exposed unwittingly during the course of a normal business day. Data masking was originally used for, and usually refers to, the process of hiding original structured data with random characters or data. The main reason for applying masking to a structured data field is to protect data that is classified as personally identifiable data, personal sensitive data or commercially sensitive data from being viewed by unauthorized employees. Masking is also used in programming where sample data is needed for the purposes of application development (as mentioned previously), building program extensions and conducting various test cycles. As I’ve said, it is common practice in enterprise computing to take data from the production systems to satisfy the test data needs required for development projects and used in these non-production environments. However, the practice is not always restricted to non-production environments. In a few organizations, data that appears on terminal screens to call center operators may have masking dynamically applied based on user security permissions (e.g., preventing call center operators from viewing credit card numbers in billing systems), but not in most.

The primary concern from a corporate governance perspective is that personnel conducting work in these non-production environments are not always security cleared to operate with the information contained in the production data. This practice represents a security hole where data can be copied by unauthorized personnel and security measures associated with standard production level controls can be easily bypassed. This represents yet another access point for a data security breach. And you should think about that.

So, back to “Data Redaction”. The term refers to the permanent removal of personal or sensitive information from documents and is usually applied to unstructured data; data that needs to be shared with various parties who are not allowed to see some or all of the sensitive information on a given document. A third-party audit review of hotel bills, for example, does not need to see the names and addresses of the guests. Automated redaction usually works by processing electronic images through specialized software to convert them into a digital format. The result is usually observed as strips of black ink “marked” across the face of sensitive data like those we see in CIA movies, or names and numbers that have been replaced with fictitious names and numbers and presented in a digital format. The reason we replace the actual names and numbers with fictitious values is to allow these digital formats to be “searchable” using rules-based logic driven by clues, pattern recognition, spatial location and algorithms designed to locate sensitive information in a variety of documents without exposing the real values along the way. Data redaction and masking ensure that sensitive documents are rendered unusable to thieves even in the event that the content somehow escapes the confines of a secured environment.
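The distinction drawn above, masking applied to a known structured field versus redaction that must first find the sensitive values inside a document, is easier to see in code. The following is an added example, not code from the book or from any masking or redaction product. It masks a card number in a billing record while preserving the field's format, pseudonymizes a customer name, and then redacts a constructed hotel bill two ways: with consistent fictitious tokens (so the redacted copy remains searchable, as the text describes) or with "black ink" characters. The record, the bill, the patterns, the "Guest:" clue and MASK_SECRET are all constructed for this illustration.

```python
"""Masking vs redaction (added example, not from the book or any product).

Masking operates on a known structured field; redaction has to find the
sensitive values inside free text first. Both can either blank the value
or replace it with a consistent fictitious token so the output stays
searchable. MASK_SECRET is a constructed placeholder for this example.
"""
import hashlib
import hmac
import re

MASK_SECRET = b"constructed-demo-secret"  # placeholder; a real deployment keeps this in a key store


def pseudonym(value, label):
    """Consistent fictitious replacement: the same input always yields the same token,
    so redacted documents can still be searched and cross-referenced."""
    tag = hmac.new(MASK_SECRET, value.encode(), hashlib.sha256).hexdigest()[:8]
    return f"[{label}-{tag}]"


def mask_card_number(pan):
    """Structured masking: keep the field's format, reveal only the last four digits."""
    digits = [c for c in pan if c.isdigit()]
    hidden = ["*"] * max(len(digits) - 4, 0) + digits[-4:]
    out, i = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(hidden[i])
            i += 1
        else:
            out.append(ch)  # separators are not sensitive; keep the layout intact
    return "".join(out)


def mask_record(record):
    """Mask a structured billing record: the software already knows which fields are sensitive."""
    masked = dict(record)
    masked["card"] = mask_card_number(record["card"])
    masked["customer"] = pseudonym(record["customer"], "NAME")
    return masked


# Redaction must locate sensitive values by pattern and by document clues
# (here a 'Guest:' label), because unstructured text carries no field definitions.
PATTERNS = {
    "CARD": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),          # 13-16 digits, spaces or dashes allowed
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "GUEST": re.compile(r"(?<=Guest: )[A-Z][a-z]+ [A-Z][a-z]+"),
}


def redact(text, searchable=True):
    """Redact unstructured text. searchable=True swaps in consistent fictitious
    tokens; searchable=False blacks the value out like a marker pen."""
    for label, pattern in PATTERNS.items():
        def replace(match, label=label):
            if searchable:
                return pseudonym(match.group(0), label)
            return "\u2588" * len(match.group(0))
        text = pattern.sub(replace, text)
    return text


# Constructed sample documents
RECORD = {"customer": "Jane Doe", "card": "4111 1111 1111 1111", "amount": "318.00"}
BILL = """Hotel Bill #4471 (constructed sample)
Guest: Jane Doe
Email: jane.doe@example.com
Card: 4111 1111 1111 1111
Room 214, 2 nights, total 318.00
"""

if __name__ == "__main__":
    print(mask_record(RECORD))
    print(redact(BILL))
    print(redact(BILL, searchable=False))
```

Note what the structured path gets for free: mask_record never has to search, because the schema tells it which field is the card number. The redaction path depends entirely on how good its patterns and clues are, which is why the text calls unstructured data the harder problem. The searchable variant also shows the trade-off the text hints at: a keyed, consistent token lets an auditor match the same guest across many bills, so the secret behind those tokens must itself be protected.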
In addition to testing and call-center data presentation, the two main security factors contributing to the necessity of a corporate data masking or redaction program are 1) the increase in the instances of cyber-security and internal security attacks and 2) the increase in lawsuits related to data leaks and loss. If you’re not worried about cyber-attacks, you might want to re-think your position related to internal screw-ups and the resulting lawsuits. A recent ComputerWorld study reported that more than 80% of the 500 businesses surveyed admitted they had lost various portable devices containing sensitive data over a 12-month period. Perhaps more staggering is the news that 64% of the companies revealed that the lost data was neither backed up nor physically secured.

Copyright 2014 by Netswitch, Inc. All rights reserved.

Page 32

According to the survey, this information contained both client data and employee info. Encrypting your data is one way to prevent this sort of loss from hurting you, but as we will see, it is both tricky and expensive.

Encryption is the conversion of structured data into a form that cannot be read by a human being. Decryption is the process of converting encrypted data back into its original form, so it can be read as originally written. In order to restore the contents of encrypted data, the correct decryption key is required. The key is what the decryption algorithm uses to undo the work of the encryption algorithm. The more complex the encryption algorithm, the more difficult it becomes to crack without access to the keys. The encryption of data is necessary for preventing access to data in case of loss, leak or theft. Encryption plays other important security roles besides this obvious one. It strengthens full-fledged application access control and management and it helps separate personal and corporate data on mobile devices.

Encryption/decryption is especially important in wireless communications. This is because wireless circuits are easier to tap than their wired network counterparts. Nevertheless, encryption/decryption is a good idea when carrying out any kind of sensitive transaction, such as a credit-card purchase online, or the discussion of a company secret between different departments in the organization. The stronger the cipher -- that is, the harder it is for unauthorized people to break it -- the better secured you should feel. So, gosh … why not just encrypt all of my data and be done with it? Great question. Here are the pros and cons:

Data Encryption Pros

Data and Device Separation: Data encryption allows the data to remain separate from the device security where it is stored. Security is included with the encryption which permits administrators to store and transmit data via unsecured means.

Data Breaches Rendered Harmless: Data encryption circumvents the potential complications that accompany data breaches, providing assured protection of intellectual property and other sensitive data.

Security Is Right On the Data: Because the encryption is on the data itself, the data is secure regardless of how it is transmitted. An exception to the rule can be transmission tools such as email because sometimes an email account does not provide the necessary security.

Encryption Equals Confidentiality: A lot of organizations are required by law or policy to meet specific confidentiality requirements and other associated regulations. Encrypting data means that since it can only be read by the recipient who has the key, the sender is in automatic compliance.

Hardware Solutions: Many companies provide hardware solutions to protect your portable devices. One example is data encryption with hardware-based USB flash drives. These don’t require software installations, drivers or the assignment of administrator privileges, making it easy to move the device from computer to computer. If the drive is lost or stolen, the protection of your data is virtually guaranteed.

Data Encryption Cons

A Ton of Work: Without a doubt, data encryption is a monumental task for any IT staff. The more data encryption keys there are, the more difficult the IT administrative tasks for maintaining all of the keys become. And, if you lose the key to the encryption, you have lost the data associated with it. Look around. Do you trust your staff to keep those keys safe?

Software Solutions are Vulnerable: While software encryption solutions are very useful, they can be vulnerable to certain attacks. Equipped with the right tools, a determined hacker could break the encryption scheme and access your data. Software makes a reliable security mechanism, but hardware tends to be a more efficient form of data encryption.

Hardware Solutions Can’t Cover Everything: While hardware solutions work well and prevent hackers from cracking a software-encrypted portable drive, you would have to equip all your datacenter storage devices with encryption hardware, and this is both expensive and complex.

Expense: Data encryption can prove to be quite costly because the systems that maintain data encryption must have a lot of capacity and frequent upgrades to perform such tasks. Encryption imposes severe system overhead. Without sufficient capacity, system operations will be significantly compromised. And, it is tricky to implement. If you attempt to encrypt a lot of data, the expense could be staggering.

Unrealistic Requirements: If an organization does not understand some of the constraints imposed by data encryption technology, it is easy to set unrealistic standards and requirements which could jeopardize the entire project and further impact overall security.

Complexity and Compatibility: Data encryption technology can be tricky when you are layering it with existing programs and applications. This can negatively impact routine operations within your system.

Conclusion: Evaluate your data obfuscation needs based on how much program development you are doing, how much sensitive unstructured data you are handling and whether you have operational issues unique to sensitive data being observed by personnel without security clearance. Then, if you determine you should address the issue, you should select a software solution that dynamically masks data on demand in any environment, including databases, data warehouses and large structured datasets. You should also explore solutions that “redact on the fly” for unstructured data in documents, forms and complex file images that are requested for online delivery from one organization to another (an x-ray lab image delivered to accounting, to the patient or to a provider, for example). You should also implement a solution that encrypts specified data in a form that is impervious to reverse engineering, so that you can ensure absolute remediation for database files being copied, stolen or lost, by rendering that content unreadable to unauthorized users. And, you should determine whether you need to go to the extra expense of encrypting your data. If you do, you may as well go direct to hardware solutions for your portable devices and software solutions for your fixed storage and in-transit streams.

And now a few words about Document Management (aka Enterprise Content Management) Systems and in particular, Microsoft’s SharePoint security challenges. It is not really surprising that interest in SharePoint as an enterprise content management system is as high as it is, given that foundation adoption rates are so high across all verticals and in all business sizes from SMBs to Fortune 100 companies. Over the past fourteen years, since the earliest releases, it has moved from being an intranet and basic collaboration platform application to something that is now used for portals, collaboration, forms processing, business intelligence, workflow, document management, business process management and content management. Its adoption rate is in the region of 60-70%, and with the improved functionality in SharePoint 2013 delivering more effective content management, records management and business process management capabilities, this adoption rate is only going to increase.

While it has become hugely popular, it has also arrived with remarkable security considerations and challenges. Native SharePoint activity monitoring lacks an intuitive, easy-to-use interface for reporting and analytics. Without a third-party solution, businesses must first decode SharePoint’s internal representation of log data before they can access meaningful information, and no one really does that. In addition, because SharePoint lacks an aggregated, centralized system to view rights information, the SharePoint permissions for each site collection must first be extracted to an Excel spreadsheet and then combined by hand within Excel or exported to a third-party analytics platform for analysis. And since there is no web application firewall protection or automatic analysis of access activity, there is no easy way to respond with an alert or a block where appropriate.

SharePoint is a Web-based system, subject to online attacks such as SQL injection and cross-site scripting. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious code is inserted into an entry field for execution (for example: transfer the contents of this database to the attacker). In a recent study, a major security software company found that the average web application received 4 attack campaigns per month, and that retailers received twice as many attacks as other industries. Cross-site scripting enables attackers to inject code into Web pages viewed by other users. This type of vulnerability may be used by attackers to bypass access controls such as the same-origin policy, which restricts how a document loaded from one origin can interact with a resource from another origin.

This is why, if you are a heavy SharePoint user, you will need a Web Application Firewall to protect against Web-based attacks, user rights management and activity monitoring to safeguard content such as files, folders and lists, and a Database Firewall to prevent unauthorized access to the Microsoft SQL database at the core of SharePoint. You will need a software solution that aggregates and consolidates user rights across SharePoint sites to provide visibility into effective SharePoint permissions, so that you can efficiently conduct rights reviews, eliminate excess rights, and identify dormant users, all of which help ensure access is based on business need-to-know. You will also need continuous monitoring and detailed auditing of all data access activity so you will have a complete audit trail showing the “Who, What, When, Where, and How” of each data access. This will enable auditors, compliance officers and the SharePoint administrative staff to understand exactly who accessed, moved, changed or deleted data.


Chapter Five

Mobile Devices and BYOD

A computer will do what you tell it to do, but that may be much different from what you had in mind.

----Joseph Weizenbaum

While smartphones and tablets could be platforms for a whole new generation of malicious functionality, the ecosystems surrounding the most popular devices generally work well to limit their exposure to malware. This layer deals with the platform, and device access management is included in it.

Lost and stolen devices, insecure communications, and insecure application development affect many more users than does malware. BYOD (Bring Your Own Device) has created a storm of personal computing devices suddenly attaching themselves to corporate networks and has given rise to a ton of new security concerns and business processes and policies designed to address these new exposures. The big issues with BYOD are securing the transfer of data to and from the enterprise, establishing efficient policies for dealing with lost or stolen devices, ensuring that native operating system security patches are current, and making sure that appropriate employee training is in place so that everyone is sufficiently conscious of phishing schemes and spoofing for control of their devices and access privileges. Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to trick the user into surrendering private information that will be used for identity theft.

Mobile phones and tablets are being lost or stolen on an increasing basis, and the opportunity for thieves is that there are relatively easy techniques for evading some of the on-device security controls, such as bypassing a lock screen password. So, one of the key capabilities of a mobile device management system is to be able to remotely locate, lock, and then wipe the corporate data off any mobile device wherever it may be. In addition, the employee needs to understand that part of his or her device belongs to their employer and that they must report lost or stolen phones immediately. In 2013, Symantec researchers left 50 phones behind in different cities and found that 83 percent of the devices had corporate applications that could be accessed by the person finding the phone.

While there is a lot less data on how often mobile users connect to open networks (like the ones found at Starbucks stores), we consider insecure connections to wireless networks a top threat. The problem is that wireless devices are often set to connect automatically to an open network that matches one to which they had previously connected. So, a lot of people will look for a WiFi hotspot, and they won't look to see if it is secure or insecure. Once they are on an open network, it is quite easy for a bad guy to execute a man-in-the-middle attack. A man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, while the attacker actually controls the whole conversation. The solution to this open network stuff is to make the mobile device management system force the user’s device to route traffic through a mobile virtual private network before connecting to any network. There are many systems that will do this and more by way of managing your mobile devices.

Additionally, users who “jailbreak” their smartphones or use a third-party app store that does not have a strong policy of checking applications for malicious behavior put themselves at greater risk of compromise.


Jailbreaking is a device hack that provides users with unrestricted access to the entire file system of their mobile devices, enabling them to download additional applications, extensions, and themes that are unavailable through the official (Apple or other) app store. Some of your more enterprising (read younger) employees may do this in order to get more stuff for free. A well-secured app store, which vets each submitted application, is part of the overall ecosystem that secures a mobile device. Users who buy from a marketplace with little security put their phones at risk, and an effective mobile device management system will examine every mobile app to ensure that it is fully vetted and has all of the appropriate protections, and that the operating system has its security patches up to date as well.

Another security exposure for smart mobile devices is proximity attacks. These attacks can result from the use of NFC technology (Near Field Communication), which is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into proximity, usually no more than a few centimeters. These transactions create an opening for proximity theft through the use of the same signals that enable the NFC transaction. All of this can be mitigated by bringing the mobile platform for all devices up to date with current security precautions through a good mobile device management system.

Malware, adware, and other questionable software are additional threats, especially in the US, and particularly with privacy-invasive apps like Facebook and other social media platforms. While security researchers continue to analyze mobile devices for vulnerabilities, cybercriminals are also continuously getting better at monetizing mobile-device compromises. Sophisticated malware and monetization methods are being developed, and toolkits are available on the web right now specifically targeting Windows applications on mobile platforms. The solution is a mobile device management system that automatically scans all newly installed apps for malware, quarantines infected devices, and filters and protects users from accessing malicious websites.

What you will need to continue implementing your Defense in Depth strategy is to securely manage all of your mobile devices through a system that pinpoints individual profiles and devices and specifies access rights at the endpoint, blocking unauthorized or infected devices at both the device and port level to assure that only those people and devices that have been pre-authenticated can access the network.


You will also want a system that automatically scans installed apps for malware, quarantines infected devices, and filters and protects users from accessing malicious websites. It should also provide policy management and system monitoring and reporting specifically targeted to mobile devices. Once your mobile devices have accessed your infrastructure and appear on your network, the system should assure that those devices only access those files to which they have pre-authorization. You should also make sure you have real-time monitoring providing alerts and notifications at the device and system/file/record level.

For mobile devices, you will want “contextual security”. The system should be able to check for contextual validity by verifying the location, role, time-of-day and specific access requests against registered user profiles. The system should be context-aware and should be able to “know” not just the details about the device as it enters the network but, more importantly, the details about the user. How does it do that? There are several systems on the market that look for various identification factors and then compare those with what they expect from that particular user, so that, for instance, someone who normally logs in from San Francisco and is not a traveler would create an alert if their device was suddenly trying to log in from Spain. Or from an abnormal time zone. Or trying to access the Sales History file when the user is in Human Resources. Factors like these create contextual information about the “owner” of the device. You want a system that can send immediate notification to system administrators when unauthorized access is detected, and can limit further access with warnings or deny it altogether. You ought to be able to automatically lock and/or wipe lost, stolen or even suspicious devices remotely, depending upon your predefined rules.
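One way such a context check can be built, as an added illustration that is not code from the book or from any particular mobile access control product: the role-to-file map, the user profile, the two requests and the "allow / alert / deny" outcomes are all constructed sample data, and fixed UTC offsets stand in for the time zone database a real system would consult.

```python
"""Contextual access check: each request is compared with the registered user
profile (home location, normal hours, role-to-resource need-to-know) and the
result is a decision plus the reasons an administrator would see.  Added
example with constructed data; not code from the book or any product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Which files each role has a business need to access (constructed sample).
ROLE_RESOURCES = {
    "sales": {"Sales History", "Price List"},
    "hr": {"Employee Records", "Payroll"},
}


@dataclass
class UserProfile:
    user: str
    role: str
    home_country: str
    home_utc_offset: int            # hours from UTC where the user normally works
    work_hours: tuple = (7, 20)     # local hours in which logins are expected
    traveler: bool = False          # travelers are not flagged on country alone


@dataclass
class AccessRequest:
    user: str
    country: str                    # country of origin, e.g. from geolocation
    device_utc_offset: int          # time zone the device reports, hours from UTC
    when_utc: datetime
    resource: str


@dataclass
class Decision:
    action: str                     # "allow", "alert" or "deny"
    reasons: list = field(default_factory=list)


def evaluate(profile: UserProfile, req: AccessRequest) -> Decision:
    """Apply the contextual rules.  A request outside the role's need-to-know is
    denied; location and time anomalies raise an alert for follow-up."""
    reasons = []
    action = "allow"
    order = ["allow", "alert", "deny"]

    def escalate(to: str) -> None:
        nonlocal action            # never downgrade a decision already reached
        if order.index(to) > order.index(action):
            action = to

    # 1. Resource must be within the user's role (Sales History vs. Human Resources).
    if req.resource not in ROLE_RESOURCES.get(profile.role, set()):
        reasons.append(f"role {profile.role!r} has no need for {req.resource!r}")
        escalate("deny")

    # 2. Unexpected country for a user who does not normally travel (SF vs. Spain).
    if req.country != profile.home_country and not profile.traveler:
        reasons.append(f"login from {req.country}, expected {profile.home_country}")
        escalate("alert")

    # 3. Device reports a time zone other than the one the user works in.
    if req.device_utc_offset != profile.home_utc_offset:
        reasons.append(f"device zone UTC{req.device_utc_offset:+d}, "
                       f"expected UTC{profile.home_utc_offset:+d}")
        escalate("alert")

    # 4. Request falls outside the user's normal working hours in the home zone.
    local_hour = (req.when_utc + timedelta(hours=profile.home_utc_offset)).hour
    start, end = profile.work_hours
    if not start <= local_hour < end:
        reasons.append(f"request at {local_hour:02d}:00 local, outside {start}-{end}")
        escalate("alert")

    return Decision(action, reasons)


def sample_decisions() -> list:
    """Run two constructed requests for an HR user based in San Francisco."""
    alice = UserProfile("alice", "hr", "US", home_utc_offset=-7)
    normal = AccessRequest("alice", "US", -7,
                           datetime(2014, 6, 2, 17, 0, tzinfo=timezone.utc), "Payroll")
    # Same account, suddenly in Spain at 2 a.m. Pacific, asking for a sales file.
    suspicious = AccessRequest("alice", "ES", 2,
                               datetime(2014, 6, 2, 9, 0, tzinfo=timezone.utc),
                               "Sales History")
    return [evaluate(alice, r) for r in (normal, suspicious)]


if __name__ == "__main__":
    for d in sample_decisions():
        print(d.action, d.reasons)
```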
A really good mobile access control system will support all of the dominant authentication methods, will be able to interface with your organization’s existing authentication services (such as LDAP, Kerberos, etc.) and should be able to handle authentication through its own built-in user database.

You will want USB port security on every endpoint on your network, so that you can stop access to any USB device that hasn’t been approved by your administrators. You’ll want a web portal that allows your administrators to remotely grant or reject user access to new and existing USB devices. You should be able to record every device plugged into your system and then have that data sent back to the administrator portal, so that your administrators are able to review which users attempted to plug in unauthorized devices.


But, of course, like everything else, your next best defense for mobile security will be for your mobile users to 1) be aware that threats exist, 2) think before they download, 3) check their sources (even Android users can and should deselect the "Unknown sources" option in their “Applications Settings”), and 4) watch their permissions (does that Sudoku app really need access to your contacts, camera function, and location information?). Training and education go a long way to help protect your enterprise from user-originated malware intrusion and security breaches.

Conclusion: If you have employees who want to bring their smartphones or tablets into the workplace and use them as mobile devices to access your network, you will need to create a BYOD policy and make sure everyone understands the rules. The policy should be reasonable and should respect your employees’ privacy in equal measure to that of your corporate assets. It should provide for securing your employees’ data in the event of a remote wipe, and it should insist on clean and updated operating system environments on their devices. Set up an employee training and information program that helps them understand the security threats and best practices for using their smart devices on your network. Invest in a mobile access control system that can monitor, authenticate and manage all of your mobile devices as described here. Be prepared for a lot of work in administering all of this, because you will have just expanded your problem space by the number of individuals you employ multiplied by the number of smart device makers you invite onto your network.


Chapter Six

Compliance is along for the Ride

“In the old days, people robbed stagecoaches and knocked off armored trucks. Now they're knocking off servers.”

----Richard Power

Within the last several years numerous federal, state and international regulations have been passed that require the protection of information. Many organizations are now enhancing their information security policies in response to legal and regulatory requirements. You may or may not be legally bound to comply with these regulations, but either way, it is instructive to understand what the Fed has in mind for you eventually. Make sure that you have covered all of these requirements in any system you ultimately choose to implement.

In some cases, these regulations are very specific about the requirements for written security and privacy policies. In other cases, a regulation simply requires safeguards that are "appropriate" for the size and type of organization. In these cases, enforcement agencies and auditors must defer to accepted best practices or frameworks for guidance, all of which require written policies. Examples of these are the Generally Accepted Information Security Principles (GAISP), Control Objectives for Information Technology (COBIT™) and ISO/IEC 17799.

The following is a partial list of security or privacy-related regulations and their specific information security policy requirements affecting US companies doing business in the US and internationally. Where appropriate, the list includes the security policy requirements of several key frameworks used to manage compliance with various regulations.

HIPAA (Health Insurance Portability and Accountability Act of 1996) - Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart.

Sarbanes-Oxley Act, Section 404 - based on COBIT (Control Objectives for Information Technology) - Management should assume full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives.

New Basel Capital Accord (Basel II) - Quantitative Standards, Section 606 - Banking (International) - The bank's risk management system must be well documented. The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of non-compliance issues.

Gramm-Leach-Bliley Act (GLBA) Title V - Section 501 - Interagency Guidelines Establishing Standards For Safeguarding Customer Information - Each Bank shall implement a comprehensive written information security program with policies that include administrative, technical and physical safeguards.

FERC Cyber Security Standard - The Responsible Entity shall create and maintain a cyber-security policy that addresses the requirements of this standard and the governance of the cyber security controls.

Federal Information Security Management Act (FISMA) - The head of each (Federal) agency shall delegate to the agency Chief Information Officer the task of ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques.

ISO/IEC 17799 - Section 1.1 Information Security Policy Document - A written policy document should be available to all employees responsible for information security.

GAISP - Generally Accepted Information Security Principles, Version 3.0 - Section 3.1 Information Security Policy - Security Framework - Management shall ensure that policy and supporting standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security.

PIPEDA (Bill C6) - Personal Information Protection and Electronic Documents Act - Organizations shall be open about their policies and practices with respect to the management of personal information.

PCI DSS (Payment Card Industry - Data Security Standards) - Build and maintain a secure network - Install and maintain a firewall configuration to protect cardholder data - Protect stored cardholder data - Encrypt transmission of cardholder data across open, public networks - Maintain a vulnerability management program - Develop and maintain secure systems and applications - Restrict access to cardholder data by business need-to-know - Restrict physical access to cardholder data - Maintain an information security policy.

As you can see, most of these compliance requirements refer to policies and process as differentiated from automated information security controls. This is where the policy layer and the training and audit components become a part of your Defense in Depth strategy.

The purpose of this book is not to outline specific data security policies or business processes, but rather to focus on the elements of a Defense in Depth strategy and to simply identify the policy and process issues as necessary components of that strategy. Data security policies in general are based on the premise that all business owners, executives and leaders have legal and fiduciary obligations to secure data and protect the privacy of their customers' information. To safeguard your online customers you will need policies that comply with the laws on privacy, spam and electronic transfers. These policies will address the 1) privacy of customer data, 2) an operational code of conduct, and 3) your operational business procedures.


A privacy policy should outline how your business collects and stores data, how the information can and cannot be used, and restrictions on sharing data with a third party. Ultimately, you are going to need a system whose compliance focus concerns itself with the protection and control of the flow of information, data integrity, document and personal information security and identity security.

Sensitive data access auditing presents a complex and costly barrier to regulatory compliance with government regulations, industry regulations and privacy acts. The specific audit requirements vary between the different regulations, but all consider data access auditing a key control that must be implemented to protect regulated data. An audit solution must provide visibility into all data access events and it has to:

Audit all types of access: Audit data access events whether the access is read-only, a data modification transaction or privileged operations.

Audit all users: Audit privileged access to data, including local system access, and non-privileged network access (i.e. application users).

Audit all data systems containing regulated data: ensure all systems hosting regulated data are in the audit scope.

Privileged user activity needs to be monitored directly on the data systems, because it is not visible outside of the system itself. Compliance regulations including PCI DSS and SOX require that privileged users be closely monitored and their activities authorized. Identifying user behavior that deviates from normal access patterns, and alerting on and blocking suspicious activities that may indicate privilege abuse, is an over-arching requirement. Users performing unauthorized activities should be quarantined and their privileges should be reviewed. Audit reports and analytical tools are also needed to support forensic investigations. Changes to data objects and data system users must be properly authorized, unauthorized activities must be thoroughly investigated, and controls should be implemented to prevent future incidents. Following the principle of "separation of duties" (SOD), the monitoring capability should not be managed or operated by privileged users, as they may alter the controls to conceal irregular activities.

Hardening systems by granting access on a business need-to-know basis is an essential step in policy-based data breach prevention. You should review user privileges and identify highly privileged users. Verify that the privileges are necessary for the user's role and duties. Revoke excessive user rights and remove dormant users while you are at it. To effectively reconstruct data access events, the audit trail must provide details about the 'Who?', 'What?', 'When?', 'Where?' and 'How?' Capturing the raw access query and system response attributes is essential for effective forensic investigation and incident response.

You will need a system that includes sensitive data and privileged user monitoring as part of its automatic compliance controls and reporting. In addition, predefined compliance reports provide a starting point and help address the specific audit requirements of each regulation, while customizability supports unique technical and business needs. Your system will need real-time alerts and audit analytics tools that enable efficient and comprehensive forensic investigations and incident response.

Compliance regulations also require application controls as a means to protect data confidentiality and integrity. Enterprise applications like SAP, Oracle EBS, and PeopleSoft are subject to regulatory compliance requirements focused on insider threats. In order to be in compliance, your system must protect data in all commercial database products, and provide comprehensive visibility into data usage, vulnerabilities, and access rights, developing key tracking information for auditability and compliance reporting.
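The rights review described here (dormant users, excess rights, privileged operations that were never authorized) and the "Who, What, When, Where and How" audit trail the SharePoint discussion also calls for can be carried out with a short script. This is an added example, not code from the book or any product; the role need-to-know table, the permission grants, the audit records and their key=value log format are all constructed sample data.

```python
"""Rights review over effective permission grants, plus an audit-trail check
carrying the Who, What, When, Where and How of each access.  Added example with
constructed data; not code from the book or any product."""
import shlex
from datetime import datetime, timedelta

# Business need-to-know by role (constructed).
ROLE_NEED = {
    "sales": {"Sales History"},
    "hr": {"Employee Records", "Payroll"},
    "dba": {"Employee Records", "Payroll", "Sales History"},
}
# Operations that only privileged users may perform (constructed).
PRIVILEGED_ACTIONS = {"delete", "grant", "schema_change"}

# Effective grants as extracted from the data system:
# user -> (role, is_privileged, objects the user can reach)   (constructed)
GRANTS = {
    "alice": ("hr", False, {"Employee Records", "Payroll"}),
    "bob": ("sales", False, {"Sales History", "Payroll"}),   # Payroll exceeds role
    "carol": ("dba", True, {"Employee Records", "Payroll", "Sales History"}),
    "dave": ("sales", False, {"Sales History"}),             # never appears in the log
}

# Constructed audit records in a made-up key=value format:
# when / who / what (action on object) / where (source host) / how (channel).
AUDIT_LOG = """\
2014-06-02T10:15:00Z who=alice what=read object="Payroll" where=10.0.5.7 how=app
2014-06-02T10:17:00Z who=bob what=read object="Sales History" where=10.0.5.9 how=app
2014-06-03T23:40:00Z who=bob what=delete object="Payroll" where=10.0.5.9 how=app
2014-06-04T08:00:00Z who=carol what=schema_change object="Payroll" where=localhost how=local
"""
REVIEW_DATE = datetime(2014, 6, 30)     # date the review is run (constructed)


def parse_audit(text: str) -> list:
    """Turn each log line into a dict with a datetime 'when' plus the key=value fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = shlex.split(line)      # shlex keeps quoted object names intact
        rec = {"when": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def describe(rec: dict) -> str:
    """The Who, What, When, Where and How of one access, for a forensic timeline."""
    return (f"{rec['who']} {rec['what']} {rec['object']!r} at {rec['when'].isoformat()} "
            f"from {rec['where']} via {rec['how']}")


def rights_review(grants: dict, records: list, as_of: datetime,
                  dormant_days: int = 30) -> dict:
    """Find dormant users, rights beyond the role's need-to-know, and privileged
    operations performed by users who were never granted that privilege."""
    last_seen = {}
    for rec in records:
        prev = last_seen.get(rec["who"])
        if prev is None or rec["when"] > prev:
            last_seen[rec["who"]] = rec["when"]

    findings = {"dormant": [], "excess": {}, "unauthorized": []}
    for user, (role, _privileged, objects) in grants.items():
        seen = last_seen.get(user)
        if seen is None or as_of - seen > timedelta(days=dormant_days):
            findings["dormant"].append(user)
        excess = objects - ROLE_NEED.get(role, set())
        if excess:
            findings["excess"][user] = sorted(excess)

    for rec in records:
        _role, privileged, objects = grants.get(rec["who"], ("", False, set()))
        if rec["what"] in PRIVILEGED_ACTIONS and not privileged:
            findings["unauthorized"].append(describe(rec))
        elif rec["object"] not in objects:     # access with no matching grant at all
            findings["unauthorized"].append(describe(rec))
    return findings


def run_review() -> dict:
    return rights_review(GRANTS, parse_audit(AUDIT_LOG), REVIEW_DATE)


if __name__ == "__main__":
    for kind, items in run_review().items():
        print(kind, items)
```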
The following application controls are imperative to satisfy all current regulatory compliance requirements, and must be part of the capabilities of any security system you implement:

Protect Web Applications against Known Attacks. Compliance regulations are now specifying a smart Web Application Firewall (WAF) that automatically detects and blocks attacks before any damage can occur. One that provides continuous protection (not just after a scan, fix and test cycle) and fully satisfies PCI DSS requirement 6.6. It must also prevent the OWASP Top Ten list of Web security risks, block both known and custom application attacks, and virtually patch application-specific vulnerabilities.

Secure and Audit Key Enterprise Applications and Data. This compliance requirement deals with sensitive financial, personal and operational data stored in enterprise application databases. Your system will need to provide secure access control, complete activity monitoring, auditing and continual vulnerability assessment in order to satisfy all of the regulatory requirements.

Follow Secure Web Application Development Best Practices. Secure Web development is an important way to fortify applications and satisfy multiple federal and industry compliance regulations. Implemented in conjunction with a Web Application Firewall, a Database Firewall, vulnerability scanning, and code review, secure Web development offers a comprehensive defense-in-depth strategy to protect the enterprise ecosystem while complying with Federal security regulations at the same time. The ability to demonstrate that your applications are being developed in a secure environment characterized by these protections will assure that your compliance requirements are satisfied.

Apply Latest Vendor Supplied Security Patches. Your system’s ability to automatically apply security patches, along with continuing Database and Web vulnerability assessment to help discover unpatched systems and manage and prioritize patch updates, will bring your organization’s enterprise into compliance with all security regulations related to patches.

Provide Regular Compliance Reports. You will need security and auditing reports documenting regulatory compliance, demonstrating how application controls have been implemented, and the capability to tailor views to emerging compliance requirements. Flexible graphical reports, as well as real-time alerts and audit analytics tools, will enable your IT organization to easily understand and present security and compliance status on a continuing basis.

Conclusion: If you are not now required to comply with Federal regulations, you will probably be soon. These continuing breaches will prompt Congress to start legislating security on behalf of consumers (your customers) through the CFPB (Consumer Financial Protection Bureau) and imposing regulatory compliance on every business regardless of size, public or private. In order to get out in front, and because these are all good business practices anyway, you might use the regulatory guidelines above as sort of an outline for developing your own protection strategy (along with the guidance we’ve provided in this little book, of course). Look for security systems that provide audit-ready compliance reporting and metrics, so you won’t have to do any additional work when the time comes. Also, look for professional services providers who can help you develop the policies and processes that will satisfy your legal and fiduciary obligations to secure data and protect the privacy of your customers' information.


Chapter Seven

Breach Remediation & Incident Response

“It's not what happens to you, but how you react to it that matters.”

----Epictetus

We know now that cyber-attacks, hacks and data breaches are becoming increasingly sophisticated, more frequent, and their consequences more dire. We have seen global companies suffering large breaches that have caused them to spend hundreds of millions on investigation and forensic and recovery activities. But those costs were pocket-change compared with the subsequent multibillion-dollar losses in market capitalization, which were largely attributed to investors’ loss of confidence in the company’s ability to respond quickly, recover immediately and execute a plan to remediate losses while assuring protections were in place to prevent recurrence. As a result, we cannot just focus on defending the digital perimeter with intrusion detection and prevention and on the layers surrounding the applications and databases. The hackers and cyber criminals will soon be able to figure out how to bypass, work around or otherwise foil our best efforts at prevention. As a consequence, we need to do the additional work of preparing precise battle plans that prescribe the exact ways in which we will respond when the inevitable breach does occur. That is why a key component of MADROC’s Defense in Depth architecture is the Response layer and a security system that fails to develop a response layer is one that is likely to fail.


An Incident Response and Remediation Plan (IRR) will guide the response to breaches with the primary objective of managing a cybersecurity event or incident in a way that limits damage, increases the confidence of all stakeholders, and reduces recovery time and costs.

You will need, at the least, a team of technicians who have been trained specifically in the remediation and response protocols your particular breach prevention scheme brings into play. This may fall to your IT staff, which needs to be prepared and available on a 24x7 basis to respond to events as they occur and to begin the execution of the plan. You may have decided to outsource this to a services company with whom you have worked to develop a remediation plan.

This team should be working off a larger document that reflects the planning you have done to prepare your response based on specific information assets at risk and the protocols involved. For example, if the network is attacked and various ports have been breached and specific assets have been compromised, your plan should have direct actions and roles and responsibilities assigned for immediate response based on the value of those assets, like shutting down specific port access and killing certain websites.

Some companies have spent so much time and money on defending the digital perimeter and assuming the walls will hold that they haven’t even thought about remediation plans. Some have thought about them but have put together only general and minimal guidelines as to what to do in the event of a breach. This may have happened at Target Stores.

Our experience has been that most companies haven’t thought through what they should do in the event of a breach or have given short shrift to the process. They don’t truly operationalize their plans, which are ineffective due to an incomplete original design or a half-hearted implementation, or both. We’ve observed several critical problems with plans that we have reviewed.

Usually the specifics about what to do and how to act are no longer relevant and often out of date. The guidance is often too generic and not useful for executing specific activities following an attack.

Another common problem is that plans are not integrated across business units. Oftentimes, the most influential or perceived most valuable individual units create locally optimized response plans, which may be useful for dealing with a targeted attack, say, on the financial records, but are not effective for managing an incident in medical image history. Developing plans in individual silos is a bad idea and creates all sorts of political issues while preventing the sharing of knowledge, lessons learned and best practices.

And probably the most critical problem we have observed is that operational and response decisions are almost always based on tribal knowledge and existing “power” relationships. We have found that most organizations can identify one or two key people who possess the institutional knowledge to influence and guide the organization in a time of crisis. This always leads to a bad outcome because those “experts” may not be available at the moment a breach occurs and/or will likely look out exclusively for their own departmental interests to the detriment of the rest of the company.

These are some of the pitfalls that you should address when you start to build out your IRR plan.

Remember, the whole purpose of an IRR plan is to quickly mitigate the effects of a breach and to regroup the company both technically and organizationally to protect what remains, to begin planning another defense level and to develop the messaging necessary to rapidly mitigate the outward effects of the breach.

Eisenhower famously said once that it wasn’t the plan but the planning that mattered, and that meaning couldn’t be more appropriate when it comes to IRR plans. By establishing who will have decision rights in the event of a breach, your company can quickly respond at the appropriate scale or escalation level based on the value of the assets at stake. If you discover that malicious code has infected your core applications, you will need someone designated who can immediately decide to shut down network access altogether.

In an example like that one, the risk of continued data loss from your core applications will outweigh the associated loss of revenue resulting from downtime. In addition, your IRR will have specified standard procedures for isolating strategic segments of your network, thereby immediately quarantining the affected application(s).

You will need to remove the responsibility for developing an IRR plan from your IT guys. Since a breach will affect your entire organization, you will have to incorporate coordination across all business functions, including corporate communications, regulatory affairs, legal, compliance and audit, and business operations. And, you must assume the leadership role, as an effective IRR plan must begin at the top.

You will want to establish clear roles and responsibilities across the organization. When an event occurs, you will want an immediate media communication explaining exactly what happened, who was affected and what you are doing to remediate the breach. You should also include recommendations for your customers to protect their personal information and to change their passwords, etc. The average number of days between the occurrence of a breach and its public acknowledgement was 210 in 2013. That won’t be good enough in the future.

This is why you need a war room and a playbook that is well understood and rehearsed in advance, so that you and your team can respond immediately. You won’t be able to afford delays due to unclear responsibilities, endless meetings and debates about who should do what and to whom.

Strong and immediate response plans also help ensure that minor events do not escalate into major incidents. Target Stores is painfully aware of the potential damage that can be caused by even minor delays in responsiveness.


As you will recall, there are seven stages in a cyber-kill chain, and if you are alerted in the delivery stage that malware or an anomalous traffic pattern has been detected, you still have time to respond before the threat turns entirely red. Target Stores got the alert during “Delivery” and for whatever reason was unable to act on it, and the result is history.

Specific incident responses need to be identified and cataloged by threat class so your IT support team knows exactly what to do in each type of attack.

For example, let’s say a web-based attack is detected that was introduced via an external source with SQL Injection tools (described in chapter four), looking for “backdoors” in your applications. As we have said, these tools are readily available on the black market and they are intended to easily identify specific applications of yours that are vulnerable to leaking Personally Identifiable Information (PII). This “bad” code is especially looking for those applications that are accessed via the internet and/or mobile devices.

Your intrusion detection system should be able to alert your incident response team, who should be able to identify the affected host and subnet, determine the target payload, temporarily reconfigure your firewall to block/drop the intruder and modify your Web Application Firewall rules to mitigate the issues.

Then, after informing your application developer of the affected web pages and payload so that the underlying code can be repaired, your remediation team can begin to assess the damage and execute the pre-defined IRR that will identify the next steps toward recovery. I know that is way more technical than you probably want, but it needs to be spelled out as an example of the first alert response steps your technical team will take before moving ahead with the IRR plan.
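To make those first-alert steps concrete, here is an added example (not code from the book or from Netswitch) that triages constructed web-server log lines for SQL injection probes and assembles the worksheet the response team would hand to the firewall, WAF and application owners; it also applies the chapter’s rule that the class of data behind the affected page sets the escalation level. The host address, source IPs, paths, log lines and the asset classification table are all assumptions.

```python
"""Added example (not from the book): first-alert triage of a web-based SQL
injection probe, producing the worksheet the chapter lists for the response team.
All hosts, IPs, paths, log lines and the asset classification are constructed."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines (common log format); source IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Dec/2013:03:14:07 +0000] "GET /account?id=17 HTTP/1.1" 200 512
203.0.113.45 - - [12/Dec/2013:03:14:09 +0000] "GET /account?id=17%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 88
203.0.113.45 - - [12/Dec/2013:03:14:11 +0000] "GET /account?id=17%20UNION%20SELECT%20ssn%2Cname%20FROM%20customers-- HTTP/1.1" 200 9120
198.51.100.7 - - [12/Dec/2013:03:15:00 +0000] "GET /products?q=shoes HTTP/1.1" 200 2048
198.51.100.7 - - [12/Dec/2013:03:15:02 +0000] "GET /products?q=shoes%27%20AND%20sleep(5)-- HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \d+$')

# Signatures checked against the URL-decoded request; the names feed the threat-class catalog.
SQLI_SIGNATURES = [
    (re.compile(r"['\"]\s*or\s+\S*\s*=", re.I), "tautology"),
    (re.compile(r"\bunion\b.+\bselect\b", re.I), "union-select"),
    (re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I), "time-based"),
    (re.compile(r"--|/\*"), "comment-terminator"),
]

# Hypothetical asset classification: which pages touch which class of data.
ASSET_CLASS = {"/account": "confidential customer data (PII)", "/products": "public catalog"}

def parse_line(line):
    """Parse one access-log line into a dict with the URL-decoded path, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote(rec["path"])
    rec["page"] = rec["decoded"].split("?")[0]   # key into ASSET_CLASS
    rec["status"] = int(rec["status"])
    return rec

def classify(decoded_path):
    """Names of the SQLi signatures matched by a decoded request path (empty if clean)."""
    return [name for rx, name in SQLI_SIGNATURES if rx.search(decoded_path)]

def triage(log_text, host_ip):
    """Group suspicious requests by source and build the first-response worksheet."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec["decoded"]):
            events[rec["ip"]].append(rec)
    if not events:
        return None
    hits = [r for rs in events.values() for r in rs]
    pages = sorted({r["page"] for r in hits})
    # Chapter's rule: a probe answered with HTTP 200 on a PII page goes to the executives.
    pii_hit = any(r["status"] == 200 and "PII" in ASSET_CLASS.get(r["page"], "") for r in hits)
    return {
        "threat_class": "unauthorized access / SQL injection",
        "affected_host": host_ip,
        "affected_subnet": str(ipaddress.ip_network(f"{host_ip}/24", strict=False)),
        "affected_pages": pages,          # hand to the application developer
        "block_sources": sorted(events),  # temporary firewall drop list
        "payloads": {ip: [r["decoded"] for r in rs] for ip, rs in events.items()},
        "waf_rules": [{"path": p, "deny_if": [n for _, n in SQLI_SIGNATURES]} for p in pages],
        "escalation": "executive: isolate segment" if pii_hit else "IT team: block and monitor",
    }
```

Running `triage(SAMPLE_LOG, "10.20.30.15")` on the constructed lines yields two source addresses to drop, two affected pages, and an executive-level escalation because the UNION probe against the PII page was answered with HTTP 200.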

So, in terms of a general outline for an effective IRR plan, here is a reasonable table of contents:


The key elements to address are:

Event and Incident Topography

You might follow the incident topology defined by the National Institute of Standards and Technology, which defines incident categories broadly as unauthorized access, malicious code, denial of service, and inappropriate usage. Drilling down one level, you should identify specific classes of attacks like Brute Force, Phishing, etc. Adopting a common taxonomy enables organizations to more easily share security intelligence with one another as well as standardize their own internal communications.

Asset Classification Structure

The best response categories are based on the value of the various types of data. In other words, the type of data being compromised will determine response efforts and activities. For example, a company might have one set of response processes for confidential customer data and an entirely different set of processes for a loss of critical intellectual property.

The stakeholders are different in each case, and the resources a company chooses to allocate to mitigation will vary. Often overlooked, this is the most critical element of a good plan. The compromise of different types of information results in a wide array of business impacts. Clearly defining the actions to be taken for each type of data that has been compromised will largely determine the success of the overall response.

Roles and Operating Models

IRR plans should specify team structures, individual roles and responsibilities, escalation processes, and war-room protocols. The operating models tie back to the data-classification structures. For example, it is important to specify exactly when to involve executive leadership in the decision processes, when to activate a war room, and at what threshold executives should take decisive measures, such as isolating sections of the network or shutting down core applications.

Planned Response Outcomes and Post-event Processes

IRR plans should lay out response objectives for each data type and each incident or event type. For example, the planned outcome for responding to a loss of customer data could be to identify the number of customers affected and the extent of data loss within a certain number of hours. Usually, within a few hours, a competent security team should have a good idea of who might be responsible for the theft and an estimate of the business impact.

Following an event, you should be able to catalog a set of lessons learned and use it to update and refine your IRR for future preparedness.


Continuous improvement of a good plan is driven by the ongoing identification of potential failure modes—that is, the ways in which the response could break down—and then making the necessary enhancements.

Effective IRR plans should include procedural guides, such as playbook charters and checklists for containment, eradication, and recovery, as well as guidelines for documenting the response in governance, risk, and compliance applications. For each data type and incident type, the playbook charter should outline the objectives and team operating models. Checklists provide step-by-step instructions and assign roles and responsibilities to specific individuals.

You are going to need to analyze your existing business-continuity and disaster-recovery plans to understand current response protocols. You can build a baseline understanding by interviewing key individuals across the whole organization, including, for example, sales, marketing, operations, IT, security, regulatory affairs, and communications. The resulting information is critical to be able to identify, document, and categorize information assets, vulnerabilities, and potential threats.

As part of the IRR plan, you will need to develop an impact assessment matrix that will spell out the various categories of impact by area and the response protocols that you want your team to follow:


You will have to identify the information assets most critical to your business operations as a basis for developing the data-specific actions to be taken. These information assets range from customer data to critical intellectual property, and identifying them will require input from business owners across the enterprise. For each asset, there should be a clear analysis of the cyber risks involved, the business impact if the asset is compromised, and the response required.

To successfully roll out the IRR program, you should put in place a comprehensive change-management, communications, and training program to increase awareness of the new remediation and response processes. Then you should rehearse execution through regular training and exercises. This will help your organization develop the muscle memory necessary to execute smoothly when the actual time comes to do so.

An effective remediation and incident-response plan ultimately relies on executive sponsorship. Given the impact of recent cyber breaches, we expect the issue to move higher on the executive agenda. When a successful cyberattack occurs and the scale and impact of the breach comes to light, the first question customers, shareholders, and regulators will ask is, “What did this company do to prepare?” You will need to have a really good answer.


Chapter Eight

So, What Do I Do Now?

“We live in a society exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology.”

----Carl Sagan

Yes, well now you know about intrusion detection and prevention. You know about next generation firewalls. You know about enterprise immune systems and advanced behavioral analytics. You understand encryption, masking and redaction, and you have built your incident response and remediation plan in your mind. You’re an expert on mobile device security and you can probably recite regulatory compliance provisions chapter and verse. Assuming you agree that your company is exposed to a data breach and that it would be a bad thing, and that you want to do something about it, where do you go from here?

There are essentially two ways for you to get all this done for your company. Option one: You can set about evaluating over 200 software packages from over 75 vendors, all of whom contend that they have a solution for the enterprise security space. And, if you were to conduct that evaluation based on what their websites proclaim, you would want to get one of each. But in order to do an actual evaluation like that, it would take you and your team many months of heads-down intensive labor researching, studying, testing, benchmarking, talking with customers, etc., to narrow that list down to a handful that might represent each of the various security categories. The problem with that is that the categories are all over the place. There are

Firewalls
Intrusion Detection and Prevention
Data Security
Network Security
Operating Systems
Wireless Security


And,

Spam, Viruses, Netbots and Worms
Identity Theft, Spyware and Adware
Phishing, Malware and Spoofing
Data Encryption
Portable Storage Risks
Data Monitoring
Security Policies
Mobile Device Management

And on and on. Data security as a market space is a nightmare, and since it has evolved through the process of market-driven defenses in response to Internet-bred attacks, and not through market-driven product design or in response to the principles of Defense in Depth, it has not developed in any logical or organized way. So, we are left with lots of partial products that are each really good at one thing. But we have no products that are really good at all things. We have no products that address every security hole in your enterprise and deliver integrated security solutions across the entire landscape, from the Web to mobile devices to remote laptops or storage facilities, or the cloud.

So, as I have tried to explain through the earlier chapters, you could set out to define where your particular holes are and then identify the products that best solve for those holes. You could purchase that software and install it at your site, or rent it from those vendors who allow you to do that, and then figure out on your own how to configure and implement these systems. You will also want to make sure that these products, operating in tandem, do not cancel each other out or create new and interesting false positives for you to investigate. Your IT team will have to learn how all this works and become certified in each product. You will have to develop a remediation plan for your response when a security breach occurs, then train your IT staff to provide the remediation support in the event of a breach, and then figure out how to staff for those events on a 24x7 basis, which means somehow covering for those staffers who are on vacation, sick leave, maternity leave or PTO, while you are praying that there is no turnover. And then you will have to find the CapEx budget for those software licenses and the annual maintenance fees. And you will also need more OpEx for the unplanned training that your staff will require.


Or … option two would be to find a services company that has expertise in data security and in a set of software products that solve for each of the security holes in most enterprise environments, and hire them to do all this for you. And by all this, I don’t mean doing the product evaluations. I mean instead that you should find a company that has already done the evaluations, has already selected the best of breed products and has already become expert in how they all work. A company whose primary expertise is delivering security-as-a-service and does it on a subscription basis, so that you don’t have to tap that CapEx budget and don’t have to train your team, or take them off their current projects and hope that they don’t leave for other opportunities.

You should try to find a security-as-a-service provider who has a 24x7 Security Operations Center where they can watch over your network all day and all night, every day of the year, and alert you when a security event occurs. Find one who can execute a remediation plan so that when something goes wrong, you aren’t dependent upon your own team in the middle of the night, but rather on a group of dedicated security experts whose job it is to monitor and respond to threats and to remediate incursions and intrusions. Also, and maybe most importantly, find one who understands and is committed to helping companies develop a Defense in Depth security strategy and can help you design security policies and processes and put together a road map for implementation.

Option two is fast and pretty easy, and because it is all done on a subscription basis, you would not be bound to a solution that, for whatever reason, you decide you don’t like. One major benefit is that your solution provider is incented to always be on the forefront of the best of breed technology solutions in the space, so their product suite should be continually updated to reflect industry advances. The other major benefit is that your staff can continue to go about their current business without having to learn an entire new universe of things. Finally, you will be able to rest assured knowing that you are receiving the best possible protection available against cyber-crime and new-wave hackers and that you have executed your duty as a business leader to put your company in maximum breach-defense mode and complete compliance with both regulatory requirements and best security industry business practices, with optimum fiscal responsibility.

To contact the author, email [email protected]. For information about Netswitch please go to http://www.netswitch.net.


About the author: Steve King has been in the IT business for over 30 years, most of which has been focused on information security. As a co-founder of the Cambridge Systems Group, Steve led the launch of ACF2, which would become the most successful Enterprise Data Security product for IBM mainframe computers in history. As a direct result, Steve became known as the Godfather of Information Security. Steve has also managed product development on UNIX, Windows and Java platforms, founded three software and services startups and raised $32m in venture capital. Steve has held a variety of executive management positions in software development, sales, and marketing for ConnectandSell, Whittman-Hart, marchFIRST, the Cambridge Systems Group, Memorex, Health Application Systems, Endymion Systems, Blackhawk Systems Group and IBM.