Every Man’s Guide to Combat Threats Within Your Organization


8/8/2019 Every Man's Guide to Combat Threats Within Your Organization

Mobile computing is more than just a trend, and that makes mobile security more than just a strategy, according to John Soat.

Blame it on Apple. "The actor in the market that's changed the way C-level officers think about [mobile security] is the iPhone," says Al Potter, senior consulting analyst with ICSA Labs, an organization involved in research, intelligence and certification testing of products. The iPhone, with its ability to access the Internet and download applications, has raised users' expectations for wireless devices. It has also complicated the job of information security professionals and raised awareness of how vulnerable mobile computing devices can be.

As these devices get smaller, more powerful and more ubiquitous, information security strategies must adapt. In the long term, the mobility imperative may force a refocusing by security professionals in their orientation toward information security.

Begin at the Beginning

Mobile computing started with laptops; mobile security starts there, too. The techniques used to lock down PCs and workstations (authentication, strong password protection, corporate firewalls) should be applied to laptops. Implement state-of-the-art security software, including antispam, antivirus and antispyware applications. Enforce corporate security procedures, such as patch management and aggressive Web monitoring. And require a written security policy regarding laptops, along with regular awareness training to familiarize users with that policy.

Since laptops are portable, they can operate outside the corporate network. When not connected to the network, users should be required to interact with corporate resources over virtual private networks, and all data should be encrypted. Also, laptops must be secured when left unattended, an effort that should be highlighted in the corporate security policy.

Unfortunately, there are continued cases of laptops containing confidential corporate data being left by users in cars or at airports. That's why hard-drive encryption on corporate laptops is a growing trend, with hardware vendors often offering it as an added feature. Also, encryption is now incorporated into operating systems, such as FileVault on the Mac OS and BitLocker on Windows.

Security software vendors offer server-based management consoles that can automatically update antivirus applications on laptops, implement encryption, monitor email and Web traffic, back up and restore data, and lock out users who aren't authenticated and then remotely wipe data off those hard drives.

Balancing Risk and Reward

With the proliferation of wireless devices, mobile computing has become more than laptops. "We're trying to come to terms with how we can embrace the reduced cost and agility and flexibility of these platforms while balancing the risk," says Christopher Hoff, CISSP, chief security architect at IT services vendor Unisys.

Though viruses and trojans targeted at cell phones have been reported, so far there have been no widespread, widely publicized attacks against mobile phones. But that doesn't mean it can't or won't happen. In its 2009 Emerging Cyber Threats Report, the Georgia Tech Information Security Center predicts an increase this year in malware aimed at mobile phones, and an equivalent increase in the number of bots attached to them. Patrick Traynor, an assistant professor in the School of Computer Science at Georgia Tech, writes in the report, "Malware will be injected onto cell phones to turn them into bots. Large cellular botnets could then be used to perpetrate a [denial of service] attack against the core of the cellular network."

Cellular data concerns are different in different parts of the world. "The phone-that's-more-than-a-phone has more legs in Asia-Pacific and Europe than in the U.S.," says ICSA's Potter. "The threat is propagated more there than [in the United States]." In Japan, for example, cell-phone phishing is a growing problem. This is due to the country's widespread practice of banking over mobile phones.

The corporate applications most closely associated with PDAs and smartphones are e-mail and, increasingly, data access. Unfortunately, security measures implemented at the corporate level can be problematic for wireless devices. "To be successful in the wireless space, it's all about balancing constrained resources," says Scott Totzke, vice president of global security at Research In Motion (RIM), maker of the BlackBerry. Mobile devices, while small, incorporate limited but increasingly powerful processing power, communications capability and storage. Specifically, Totzke points out that battery technology is not evolving at the pace of Moore's Law. That's why security measures like antivirus applications and personal firewalls may present problems: They use resources that can drain battery life. In the Emerging Cyber Threats Report, Traynor pointed to battery power as a primary security hurdle in the cell-phone environment.

Not true, says Daniel Hoffman, author of the book BlackJacking: Security Threats to BlackBerry Devices, PDAs, and Cell Phones in the Enterprise and chief technology officer at Smobile Systems, which develops mobile device security software. The effect of anti-malware software on cell phones is "almost negligible," Hoffman claims, "if you have the appropriate solution."

There are security systems developed specifically for wireless devices. They offer comprehensive applications, including antivirus, antispam and firewall protection, as well as ways to control those devices remotely, such as remote lockdown and data wipe.

This is where the BlackBerry has an advantage over other PDAs and smartphones. First, RIM designed and built the BlackBerry from the ground up. "We wrote our own radio code, we have our own operating system, we have our own Java," Totzke says. Second, security features such as encryption are hard-wired into the device. Third, RIM offers the BlackBerry Enterprise Server, which provides many of the security measures mentioned, as well as remote-control and management capabilities, tailored specifically for the BlackBerry.

Problem Areas

While security problems associated with smartphones and cell phones are similar to those for laptops, there are unique variations. For example, cell phones are easier to steal. Another thing for global travelers to keep in mind, says Smobile's Hoffman, is that if they pass their wireless devices over to uniformed officials and other strangers, they're opening themselves up to risk. "If I can get a hold of it for less than a minute, I can pull all the contact info and a lot of data," he


Enabling Team Intelligence

By Scott Holbrook

How to enhance team awareness, stability and performance.

Team leadership is challenging, even on a good day with a great group. Leaders are constantly scanning the horizon for strategic input, working to increase customer satisfaction, dealing with operational constraints and handling day-to-day personnel issues. Add in an underperforming team and you have a recipe for frustration that, left unaddressed, becomes a ticking time bomb for everyone involved.

Teams often sabotage their own success by creating artificial boundaries to include their strengths and exclude their weaknesses. This hinders success and often results in a growing chasm between the organization's goals and the team's ability to execute.

The Team Scenario

Teams are a unique mix of players with various talents, including overachievers, underachievers, extroverts, introverts, thinkers and doers. Often leaders have a favorite team, one that overcame all odds to create excellence in spite of seemingly insurmountable obstacles. These groups likely exhibited team intelligence, and created team awareness as individual members learned each other's strengths and developed strategies for success.

In this era of globalization and geographically disparate teams, leaders are no longer afforded the luxury of creating the perfect team from a blank roster. How can they move their teams up the performance ladder? How can they inspire sustained excellence? By nurturing individuals, developing an environment of trust and communication, and enabling team intelligence.

Defining Team Intelligence

Team intelligence is an extension of the concept of emotional intelligence, largely accredited to Daniel Goleman (danielgoleman.info/blog), who has authored several books on the topic, including The Emotionally Intelligent Workplace. There are four major components of emotional intelligence:

• Self-awareness: being conscious of, and understanding, your emotions
• Self-management: controlling your emotions and impulses in a variety of situations
• Social awareness: being conscious of, and understanding, how emotions affect others
• Relationship management: creating and maintaining relationships across a spectrum of social levels; the ability to motivate others even in challenging situations.

Effective leaders begin at the individual level and foster team awareness. This process includes an honest internal assessment of the team's capabilities by the individuals themselves, as well as an external customer's assessment of the same capabilities. Combined with a team-specific focus inventory, a plan of action and built-in reviews, even underperforming teams can achieve growth and move toward sustained excellence.

stt stt

First, assess the team's current strengths and weaknesses. Does the team need to develop its communication skills? Does it need to hone its visioning skills? Is the team effective at customer service? Does it have a high level of trust?

Next, discuss the overall strategy for improvement. A focus inventory should be introduced as one of several performance enhancement tools, part of a larger framework for continuous improvement. The focus inventory is a set of skills selected by the team leader indicating the key attributes of a highly performing team. While the inventory can change based on industry, there are certain core skills that should be included, such as communication, teamwork and accountability. It might contain from five to 15 skill areas; the team should select its primary areas of improvement based on the three or four lowest-scoring team skills.

The next step begins with individual, closed-door interviews with each team member. To gather accurate data, create an atmosphere of trust and convey to each person that the focus inventory data is being considered from a team roll-up context. Ask them to rate each focus area on a scale of one to five based on how the team performs in that area. This changes the framework from self-assessment to team assessment. And keeping the rating scale small forces members to carefully consider their choices.

Transition Phase

Once the data has been collected, review it for patterns of strength and weakness. Consider some supporting tools to prepare for a team discussion of the focus inventory results.

Perhaps the best tool to enhance team communications and awareness is the Myers-Briggs Type Indicator (MBTI) assessment. It reveals personal preferences in four quadrants: introversion/extraversion; sensing/intuition; thinking/feeling; and judgment/perception. The assessment is taken individually, and indicates each team member's predilection for interacting with others and the world around them. There are several MBTI assessment questionnaires available online.

The MBTI results can be displayed on a 4x4 grid with the type descriptor. In each block, place the names of the team members whose assessment matches the MBTI type. This provides a unique view of the team, and can be used to help members understand and better communicate with each other.

Growth Phase

During the growth phase, the team evolves from individuals to a cohesive unit. This phase includes the ongoing reinforcement of team awareness, and the creation and validation of the team's vision and goals.

Allow time to create a team vision; getting the group to agree is usually a lengthy and sometimes painful process. Team buy-in to the vision is an essential part of enabling team intelligence. Once the team has developed its vision, make it a stated part of daily life. For example, begin each meeting with the vision statement: Make it rote, and make sure the team is aligned around its meaning.

Review and Feedback Cycle

Periodic reviews are a key component to keep the team moving in the same direction. Determine early in the development cycle how often and what types of feedback will be provided. One way to gather feedback is to use Post-it assessments. Here, each team member is given a Post-it pad and asked to write answers to specific questions, such as "Where are we succeeding?" and "Where can we improve?" Separate the answers into related groups on a whiteboard; brainstorm ways to celebrate success and cultivate ideas to stimulate progress in areas where the team has stalled. This approach creates team alignment and generates momentum.

Now it's time to turn the team's intelligence toward solving the customer's biggest problems, those that the team could never have surmounted before the intelligence cycle. The team is now prepared to assess customer needs and apply its newly developed communication and visioning skills to effectively partner with the customer.

Reflection

Team intelligence is a cyclical process and should begin and end with reflection on the team's performance. Once the team has completed its first evolution of the intelligence cycle, reassess the team goals, revise the focus inventory, determine next steps and restart the cycle with new growth targets. The focus inventory is a useful tool for defining core skills, and when combined with a plan of action and a team commitment to improve, it can serve as a baseline of common understanding.

Identifying strengths and weaknesses alone does not constitute team intelligence but represents the first step on the path toward maximizing team performance. Developing team intelligence takes work, commitment and time on the part of the leader as well as the team. It's important to set realistic goals and allow enough time for changes to yield results.

Scott C. Holbrook, PMP, CISSP, is the manager of Information Security and Disaster Recovery for CaridianBCT, a global medical device manufacturing company. He is based in Colorado.


Info War

John Soat investigates whether information warfare is a serious threat or over-hyped hysteria. Cybersecurity experts offer two words of advice: Be prepared.

The headlines last August sounded chillingly familiar, an arctic blast of Cold War anxiety: Russia Invades Georgia. But while its politics seemed like déjà vu, the conflict offered an extensive look at an emerging (and unsettling) form of combat in an increasingly online and interconnected world: information warfare.

Georgia's cyber infrastructure was under attack even before Russian tanks began rolling in. For several days, extensive denial-of-service (DoS) attacks rendered government Websites useless. Some observers downplayed the significance of the online attacks, ascribing them to hacktivists, savvy amateurs bent on inserting themselves into the fight. Russian officials have denied direct participation in the DoS attacks against Georgia, and no one is certain exactly where they originated or who was responsible.

Still, the U.S. government and its defense agencies are taking information warfare seriously. Several cyber warfare programs have been established, including the Air Force's Cyber Command unit. In January 2008, President George W. Bush approved a new interagency cybersecurity effort to be run by the Department of Homeland Security, and a Silicon Valley-based entrepreneur was tapped to head it.

How seriously should information security professionals take the threat of information warfare? More seriously than they do now, according to many cybersecurity experts.

When, Not If

In their efforts to address the forest of security problems, information security professionals may be ignoring a few significant trees. In the (ISC)² 2008 Global Information Security Workforce Study, almost half (48 percent) of (ISC)² members say they are mildly or not at all concerned about the security threat posed by terrorists, and 38 percent say the same thing about organized crime.

"It really is a matter of semantics," says Andre DiMino, co-founder and director of the Shadowserver Foundation, a self-funded, non-profit organization composed of security professionals who track and report on the progress of malware, botnet activity and electronic fraud. DiMino points out that one of the most important elements of information warfare is the botnet. Botnets are worldwide networks of compromised computers; those computers currently number in the millions, and that figure is growing (see "Battling Botnets," InfoSecurity Professional, Autumn 2008). "The use of a computer in a targeted attack, that's my definition of cyber warfare," says DiMino.

Your organization may have already been the victim of information warfare, or at least an intended victim. Phishing attacks are often used to obtain funds for terrorist organizations, according to watchdog groups. At the same time, certain nation states are interested in obtaining the intellectual property of companies to exploit the technical advances and competitive advantages represented by patented processes and copyrighted algorithms. Internet addresses in China, for example, have been linked to network intrusions in the U.S., including a well-publicized break-in last year into non-military networks at the Pentagon.

So, while most companies aren't likely to suffer coordinated, intense electronic bombardment, information security professionals can expect to see a steady increase in the number and sophistication of those attacks with which they are already familiar: worms; Trojans; spam; phishing; network intrusions; and data theft.

Growing Capabilities

Ultimately, when it comes to security concerns, the who is less important than the how.

"The information security professional can't be concerned with who it is attacking his or her network," says security consultant Winn Schwartau. "It's all about capabilities, and capabilities keep going […]." With the publication of Information Warfare: Cyberterrorism: Protecting Your Personal Security in the Electronic Age, he literally wrote the book on information warfare. According to Schwartau, it can be divided into three areas:

Class 1: Personal Information Warfare, where the individual is the target. "We didn't call it identity theft back in the day," Schwartau says.

Class 2: Corporate Information Warfare, or the rough equivalent of "what we used to call industrial espionage," he says.

Class 3: Government Information Warfare. The Russia-Georgia conflict is an example of this. Another example is the similar situation that developed in Estonia last year, when the former Soviet satellite's cyber infrastructure was compromised by DoS attacks over several days after Estonian officials removed a Russian war memorial from the center of the capital.

Businesses must be aware of all three areas of potential attack. "The information security professional has to understand the complete environment," Schwartau says. That's because, for example, Class 1 information warfare (identity theft) may be coming from a Class 2 or Class 3 source, he says, making it more dangerous. Guarding against sophisticated phishing or malware attacks places greater emphasis on Web controls and PC security.

Class 2 information warfare involves patents, copyrights and business deals, that is, "the real value of companies," Schwartau says. It can be perpetrated by outsiders through network intrusions, but also by insiders. That's why it's important for information security professionals to work closely with human resource departments to screen applicants for c[…] IT positions, including H-1B workers.

Schwartau says it has become increasingly important that the areas of security (HR, cyber security and physical security) are integrated as closely as possible. An example is a disgruntled ex-employee, "the insider that becomes an outsider," as he puts it. To address that scenario, part of the HR process should be "irrecoverable revocation of all assets," Schwartau says, including, perhaps especially, electronic assets.

In the U.S., Class 3 info warfare will increasingly involve private companies because they own and operate most of the critical infrastructure used by government and military operations, such as the telecom network or the electric grid. Experts are divided on just how vulnerable that infrastructure is, and how aggressively it's being probed. There is still speculation that the 2002 power outage on the East Coast resulted from probing of the SCADA systems. While that speculation flirts with hysteria, the lesson is: Be prepared. "If you have a critical system on the Internet, chances are it's going to be knocked," says Shadowserver's DiMino.

An important element to consider is the global supply chain. Andrew Colarik, an information security consultant and cybersecurity expert, says information security professionals must factor the possibility of regional information warfare conflicts, like those in Estonia and Georgia, into their business continuity plans. That means having alternatives ready, in terms of logistics and resources, if Internet access to supply chain partners is interrupted.

O. Sami Saydjari, president of the security consulting and research firm Cyber Defense Agency and a former cybersecurity expert with the National Security Agency, says most organizations aren't taking the cyber warfare threat seriously enough, and one area he points to is outsourcing. Because software coding and maintenance is often sent to other countries, information security professionals have to be aware of "the possibility of contamination in our corporate infrastructure, or applications that come back with Trojan horses and back doors that can be exploited later on," he says.

It's a sensitive issue politically, but a risk that shouldn't be ignored. "In a global environment, they're going to have to put software quality assurance controls in place to deal with that risk," Saydjari says.

Cyber Consequences

Cybersecurity experts say DoS attacks (or the threat of them) are used to try to blackmail organizations. They're also used by criminal organizations to demonstrate prowess. Shadowserver's DiMino recommends analyzing network infrastructure for the load balancing and redundancy needed to withstand a sustained DoS attack. "We see many sites that don't have that design built in," he says.

On a professional level, those involved in information security, particularly those who work at critical infrastructure organizations, need more training in the aspect of how to deal with a crisis, says John Bumgarner, CTO and research director for security technology for the U.S. Cyber Consequences Unit, a non-profit research organization funded by the Department of Homeland Security and other government agencies. This unit advises the highest levels of government on cybersecurity issues, Bumgarner says.

Information security professionals usually respond to events that have already occurred, he says. The Georgian and Estonian incidents demonstrate that security professionals might benefit from training in how to respond while an attack is taking place. "A lot of agencies do not train that way, do not train for aggressive response," Bumgarner says.

Various types of info warfare resources are available. The Estonian Ministry of Defence recently posted a document titled Cyber Security Strategy on its Website (mod.gov.ee) that calls for, among other things, the development and implementation of international cyber security policies.

The U.S. Cyber Consequences Unit offers a cybersecurity checklist intended to provide a comprehensive survey of the steps that corporations and other organizations should take to reduce their vulnerability to cyber attacks. The checklist contains 478 questions grouped into six categories: hardware, software, networks, automation, humans and suppliers. "It is a baseline where we think organizations should be," Bumgarner says. He urges information security professionals to examine the checklist and offer their input. "It's not something created in a vacuum," he says. "We welcome any comments on it."

Schwartau says information security professionals must convince upper management that the threat of information warfare is real. That's because it's not just the security person's problem. "Too often the info sec guys get laden with things they shouldn't," he says. For instance, are the costs involved in implementing better power backup systems worth more than a potential data loss? "That's a business decision, not a technical decision," Schwartau says.

On the other hand, the threat of information warfare indicates how critical cybersecurity issues are in the Internet age. "There should be an info sec signoff on any major corporate decision," says Schwartau.

Finally, the most important lesson of the Georgian attacks may lie in how they compare to the Estonian attacks: While the Estonian attacks were simplistic and scattershot, the Georgian attacks were targeted. "The level of sophistication jumped from ground zero to three," says Bumgarner. "An information security professional should worry about this."

Schwartau is more blunt. "Is it going to get nastier?" he asks. "Yes, it's going to get nastier."

John Soat is a freelance business and technology journalist based in Cleveland, Ohio, USA.
