8/8/2019 Every Mans Guide to Combat Threats Within Your Organization
Illustration by Pete McArthur/Veer
Blame it on Apple. "The actor in the market that's changed the way C-level officers think about [mobile security] is the iPhone," says Al Potter, senior consulting analyst with ICSA Labs, an organization involved in research, intelligence and certification testing of products. The iPhone, with its ability to access the Internet and download applications, has raised users' expectations for wireless devices. It has also complicated the job of information security professionals and raised awareness of how vulnerable mobile computing devices can be.

As these devices get smaller, more powerful and more ubiquitous, information security strategies must adapt. In the long term, the mobility imperative may force a refocusing by security professionals in their orientation toward information security.
Begin at the Beginning

Mobile computing started with laptops; mobile security starts there, too. The techniques used to lock down PCs and workstations (authentication, strong password protection, corporate firewalls) should be applied to laptops. Implement state-of-the-art security software, including antispam, antivirus and antispyware applications. Enforce corporate security procedures, such as patch management and aggressive Web monitoring. And require a written security policy regarding laptops, along with regular awareness training to familiarize users with that policy.
Mobile computing is more than just a trend, and that makes mobile security more than just a strategy, according to John Soat.
Since laptops are portable, they can operate outside the corporate network. When not connected to the network, users should be required to interact with corporate resources over virtual private networks, and all data should be encrypted. Also, laptops must be secured when left unattended, an effort that should be highlighted in the corporate security policy.

Unfortunately, there are continued cases of laptops containing confidential corporate data being left by users in cars or at airports. That's why hard-drive encryption on corporate laptops is a growing trend, with hardware vendors often offering it as an added feature. Also, encryption is now incorporated into operating systems, such as FileVault on the Mac OS and BitLocker on Windows.

Security software vendors offer server-based management consoles that can automatically update antivirus applications on laptops, implement encryption, monitor email and Web traffic, back up and restore data, and lock out users who aren't authenticated and then remotely wipe data off those hard drives.
Balancing Risk and Reward

With the proliferation of wireless devices, mobile computing has become more than laptops. "We're trying to come to terms with how we can embrace the reduced cost and agility and flexibility of these platforms while balancing the risk," says Christopher Hoff, CISSP, chief security architect at IT services vendor Unisys.

Though viruses and trojans targeted at cell phones have been reported, so far there have been no widespread, widely publicized attacks against mobile phones. But that doesn't mean it can't or won't happen. In its 2009 Emerging Cyber Threats Report, the Georgia Tech Information Security Center predicts an increase this year in malware aimed at mobile phones, and an equivalent increase in the number of bots attached to them. Patrick Traynor, an assistant professor in the School of Computer Science at Georgia Tech, writes in the report, "Malware will be injected onto cell phones to turn them into bots. Large cellular botnets could then be used to perpetrate a [denial of service] attack against the core of the cellular network."

Cellular data concerns are different in different parts of the world. "The phone-that's-more-than-a-phone has more legs in Asia-Pacific and Europe than in the U.S.," says ICSA's Potter. "The threat is propagated more there than [in the United States]." In Japan, for example, cell-phone phishing is a growing problem. This is due to the country's widespread practice of banking over mobile phones.

The corporate applications most closely associated with PDAs and smartphones are e-mail and, increasingly, data access. Unfortunately, security measures implemented at the corporate level can be problematic for wireless devices.

"To be successful in the wireless space, it's all about balancing constrained resources," says Scott Totzke, vice president of global security at Research In Motion (RIM), maker of the BlackBerry. Mobile devices, while small, incorporate limited but increasingly powerful processing power, communications capability and storage. Specifically, Totzke points out that battery technology is not evolving at the pace of Moore's Law. That's why security measures like antivirus applications and personal firewalls may present problems: They use resources that can drain battery life. In the Emerging Cyber Threats Report, Traynor pointed to battery power as a primary security hurdle in the cell-phone environment.

Not true, says Daniel Hoffman, author of the book BlackJacking: Security Threats to BlackBerry Devices, PDAs, and Cell Phones in the Enterprise and chief technology officer at SMobile Systems, which develops mobile device security software. "The effect of anti-malware software on cell phones is almost negligible," Hoffman claims, "if you have the appropriate solution."

There are security systems developed specifically for wireless devices. They offer comprehensive applications, including antivirus, antispam and firewall protection, as well as ways to control those devices remotely, such as remote lockdown and data wipe.

This is where the BlackBerry has an advantage over other PDAs and smartphones. First, RIM designed and built the BlackBerry from the ground up. "We wrote our own radio code, we have our own operating system, we have our own Java," Totzke says. Second, security features such as encryption are hard-wired into the device. Third, RIM offers the BlackBerry Enterprise Server, which provides many of the security measures mentioned, as well as remote-control and management capabilities, tailored specifically for the BlackBerry.
Problem Areas

While security problems associated with smartphones and cell phones are similar to those for laptops, there are unique variations. For example, cell phones are easier to steal. Another thing for global travelers to keep in mind, says SMobile's Hoffman, is that if they pass their wireless devices over to uniformed officials and other strangers, they're opening themselves up to risk. "If I can get a hold of it for less than a minute, I can pull all the contact info and a lot of data," he
Illustration by Veer
Enabling Team Intelligence
By Scott Holbrook

How to enhance team awareness, stability and performance.

Team leadership is challenging, even on a good day with a great group. Leaders are constantly scanning the horizon for strategic input, working to increase customer satisfaction, dealing with operational constraints and handling day-to-day personnel issues. Add in an underperforming team and you have a recipe for frustration that, left unaddressed, becomes a ticking time bomb for everyone involved.

Teams often sabotage their own success by creating artificial boundaries to include their strengths and exclude their weaknesses. This hinders success and often results in a growing chasm between the organization's goals and the team's ability to execute.
The Team Scenario

Teams are a unique mix of players with various talents, including overachievers, underachievers, extroverts, introverts, thinkers and doers. Often leaders have a favorite team, one that overcame all odds to create excellence in spite of seemingly insurmountable obstacles. These groups likely exhibited team intelligence, and created team awareness as individual members learned each other's strengths and developed strategies for success.

In this era of globalization and geographically disparate teams, leaders are no longer afforded the luxury of creating the perfect team from a blank roster. How can they move their teams up the performance ladder? How can they inspire sustained excellence? By nurturing individuals, developing an environment of trust and communication, and enabling team intelligence.
Defining Team Intelligence

Team intelligence is an extension of the concept of emotional intelligence, largely accredited to Daniel Goleman (danielgoleman.info/blog), who has authored several books on the topic, including The Emotionally Intelligent Workplace. There are four major components of emotional intelligence:

Self-awareness: being conscious of, and understanding, your emotions
Self-management: controlling your emotions and impulses in a variety of situations
Social awareness: being conscious of, and understanding, how emotions affect others
Relationship management: creating and maintaining relationships across a spectrum of social levels; the ability to motivate others even in challenging situations.

Effective leaders begin at the individual level and foster team awareness. This process includes an honest internal assessment of the team's capabilities by the individuals themselves, as well as an external customer's assessment of the same capabilities. Combined with a team-specific focus inventory, a plan of action and built-in reviews, even underperforming teams can achieve growth and move toward sustained excellence.
Start State

First, assess the team's current strengths and weaknesses. Does the team need to develop its communication skills? Does it need to hone its visioning skills? Is the team effective at customer service? Does it have a high level of trust?
Next, discuss the overall strategy for improvement. A focus inventory should be introduced as one of several performance enhancement tools, part of a larger framework for continuous improvement. The focus inventory is a set of skills selected by the team leader indicating the key attributes of a highly performing team. While the inventory can change based on industry, there are certain core skills that should be included, such as communication, teamwork and accountability. It might contain from five to 15 skill areas; the team should select its primary areas of improvement based on the three or four lowest-scoring team skills.

The next step begins with individual, closed-door interviews with each team member. To gather accurate data, create an atmosphere of trust and convey to each person that the focus inventory data is being considered from a team roll-up context. Ask them to rate each focus area on a scale of one to five based on how the team performs in that area. This changes the framework from self-assessment to team assessment. And keeping the rating scale small forces members to carefully consider their choices.
Transition Phase

Once the data has been collected, review it for patterns of strength and weakness. Consider some supporting tools to prepare for a team discussion of the focus inventory results.

Perhaps the best tool to enhance team communications and awareness is the Myers-Briggs Type Indicator (MBTI) assessment. It reveals personal preferences in four quadrants: introversion/extraversion; sensing/intuition; thinking/feeling; and judgment/perception. The assessment is taken individually, and indicates each team member's predilection for interacting with others and the world around them. There are several MBTI assessment questionnaires available online.

The MBTI results can be displayed on a 4x4 grid with the type descriptor. In each block, place the names of the team members whose assessment matches the MBTI type. This provides a unique view of the team, and can be used to help members understand and better communicate with each other.
Growth Phase

During the growth phase, the team evolves from individuals to a cohesive unit. This phase includes the ongoing reinforcement of team awareness, and the creation and validation of the team's vision and goals.

Allow time to create a team vision; getting the group to agree is usually a lengthy and sometimes painful process. Team buy-in to the vision is an essential part of enabling team intelligence. Once the team has developed its vision, make it a stated part of daily life. For example, begin each meeting with the vision statement: Make it rote, and make sure the team is aligned around its meaning.
Review and Feedback Cycle

Periodic reviews are a key component to keep the team moving in the same direction. Determine early in the development cycle how often and what types of feedback will be provided. One way to gather feedback is to use Post-it assessments. Here, each team member is given a Post-it pad and asked to write answers to specific questions, such as "Where are we succeeding?" and "Where can we improve?" Separate the answers into related groups on a whiteboard; brainstorm ways to celebrate success and cultivate ideas to stimulate progress in areas where the team has stalled. This approach creates team alignment and generates momentum.

Now it's time to turn the team's intelligence toward solving the customer's biggest problems, those that the team could never have surmounted before the intelligence cycle. The team is now prepared to assess customer needs and apply its newly developed communication and visioning skills to effectively partner with the customer.
Reflection

Team intelligence is a cyclical process and should begin and end with reflection on the team's performance. Once the team has completed its first evolution of the intelligence cycle, reassess the team goals, revise the focus inventory, determine next steps and restart the cycle with new growth targets. The focus inventory is a useful tool for defining core skills, and when combined with a plan of action and a team commitment to improve, it can serve as a baseline of common understanding.

Identifying strengths and weaknesses alone does not constitute team intelligence but represents the first step on the path toward maximizing team performance. Developing team intelligence takes work, commitment and time on the part of the leader as well as the team. It's important to set realistic goals and allow enough time for changes to yield results.

Scott C. Holbrook, PMP, CISSP, is the manager of Information Security and Disaster Recovery for CaridianBCT, a global medical device manufacturing company. He is based in Colorado.
Info War

John Soat investigates whether information warfare is a serious threat or over-hyped hysteria. Cybersecurity experts offer two words of advice: Be prepared.
The headlines last August sounded chillingly familiar, an arctic blast of Cold War anxiety: Russia Invades Georgia. But while its politics seemed like déjà vu, the conflict offered an extensive look at an emerging, and unsettling, form of combat in an increasingly online and interconnected world: information warfare.

Georgia's cyber infrastructure was under attack even before Russian tanks began rolling in. For several days, extensive denial-of-service (DoS) attacks rendered government Websites useless. Some observers downplayed the significance of the online attacks, ascribing them to hacktivists, savvy amateurs bent on inserting themselves into the fight. Russian officials have denied direct participation in the DoS attacks against Georgia, and no one is certain exactly where they originated or who was responsible.

Still, the U.S. government and its defense agencies are taking information warfare seriously. Several cyber warfare programs have been established, including the Air Force's Cyber Command unit. In January 2008, President George W. Bush approved a new interagency cybersecurity effort to be run by the Department of Homeland Security, and a Silicon Valley-based entrepreneur was tapped to head it.

How seriously should information security professionals take the threat of information warfare? More seriously than they do now, according to many cybersecurity experts.
When, Not If

In their efforts to address the forest of security problems, information security professionals may be ignoring a few significant trees. In the (ISC)² 2008 Global Information Security Workforce Study, almost half (48 percent) of (ISC)² members say they are mildly or not at all concerned about the security threat posed by terrorists, and 38 percent say the same thing about organized crime.

"It really is a matter of semantics," says Andre DiMino, co-founder and director of the Shadowserver Foundation, a self-funded, non-profit organization composed of security professionals who track and report on the progress of malware, botnet activity and electronic fraud. DiMino points out that one of the most important elements of information warfare is the botnet. Botnets are worldwide networks of compromised computers; those computers currently number in the millions, and that figure is growing (see "Battling Botnets," InfoSecurity Professional, Autumn 2008). "The use of a computer in a targeted attack, that's my definition of cyber warfare," says DiMino.

Your organization may have already been the victim of information warfare, or at least an intended victim. Phishing attacks are often used to obtain funds for terrorist organizations, according to watchdog groups. At the same time, certain nation states are interested in obtaining the intellectual property of companies to exploit the technical advances and competitive advantages represented by patented processes and copyrighted algorithms. Internet addresses in China, for example, have been linked to network intrusions in the U.S., including a well-publicized break-in last year into non-military networks at the Pentagon.

So, while most companies aren't likely to suffer coordinated, intense electronic bombardment, information security professionals can expect to see a steady increase in the number and sophistication of those attacks with which they are already familiar: worms; Trojans; spam; phishing; network intrusions; and data theft.
Growing Capabilities

Ultimately, when it comes to security concerns, the who is less important than the how.

"The information security professional can't be concerned with who it is attacking his or her network," says security consultant Winn Schwartau. "It's all about capabilities, and capabilities keep going up." With the publication of Information Warfare: Cyberterrorism: Protecting Your Personal Security in the Electronic Age, he literally wrote the book on information warfare. According to Schwartau, it can be divided into three areas:

Class 1: Personal Information Warfare, where the individual is the target. "We didn't call it identity theft back in the day," Schwartau says.

Class 2: Corporate Information Warfare, or "the rough equivalent of what we used to call industrial espionage," he says.

Class 3: Government Information Warfare. The Russia-Georgia conflict is an example of this. Another example is the similar situation that developed in Estonia last year, when the former Soviet satellite's cyber infrastructure was compromised by DoS attacks over several days after Estonian officials removed a Russian war memorial from the center of the capital.

Businesses must be aware of all three areas of potential attack. "The information security professional has to understand the complete environment," Schwartau says. That's because, for example, Class 1 information warfare (identity theft) may be coming from a Class 2 or Class 3 source, he says, making it more dangerous. Guarding against sophisticated phishing or malware attacks places greater emphasis on Web controls and PC security.

Class 2 information warfare involves patents, copyrights, business deals, that is, "the real value of companies," Schwartau says. It can be perpetrated by outsiders through network intrusions, but also by insiders. That's why it's important for information security professionals to work closely with human resource departments to screen applicants for critical IT positions, including H-1B workers.

Schwartau says it has become increasingly important that the areas of security (HR, cyber security and physical security) are integrated as closely as possible. An example is a disgruntled ex-employee, "the insider that becomes an outsider," as he puts
it. To address that scenario, part of the HR process should be "irrecoverable revocation of all assets," Schwartau says, including, perhaps especially, electronic assets.
In the U.S., Class 3 info warfare will increasingly involve private companies because they own and operate most of the critical infrastructure used by government and military operations, such as the telecom network or the electric grid. Experts are divided on just how vulnerable that infrastructure is, and how aggressively it's being probed. There is still speculation that the 2002 power outage on the East Coast resulted from probing of the SCADA systems. While that speculation flirts with hysteria, the lesson is: Be prepared. "If you have a critical system on the Internet, chances are it's going to be knocked," says Shadowserver's DiMino.

An important element to consider is the global supply chain. Andrew Colarik, an information security consultant and cybersecurity expert, says information security professionals must factor the possibility of regional information warfare conflicts, like those in Estonia and Georgia, into their business continuity plans. That means having alternatives ready, in terms of logistics and resources, if Internet access to supply chain partners is interrupted.

O. Sami Saydjari, president of the security consulting and research firm Cyber Defense Agency and a former cybersecurity expert with the National Security Agency, says most organizations aren't taking the cyber warfare threat seriously enough, and one area he points to is outsourcing. Because software coding and maintenance is often sent to other countries, information security professionals have to be aware of "the possibility of contamination in our corporate infrastructure, or applications that come back with Trojan horses and back doors that can be exploited later on," he says.

It's a sensitive issue politically, but a risk that shouldn't be ignored. "In a global environment, they're going to have to put software quality assurance controls in place to deal with that risk," Saydjari says.

Cyber Consequences

Cybersecurity experts say DoS attacks, or the threat of them, are used to try to blackmail organizations. They're also used by criminal organizations to demonstrate prowess. Shadowserver's DiMino recommends analyzing network infrastructure for the load balancing and redundancy needed to withstand a sustained DoS attack. "We see many sites that don't have that design built in," he says.

On a professional level, those involved in information security, particularly those who work at critical infrastructure organizations, need more training in the aspect of how to deal with a crisis, says John Bumgarner, CTO and research director for security technology for the U.S. Cyber Consequences Unit, a non-profit research organization funded by the Department of Homeland Security and other government agencies. This unit advises the highest levels of government on cybersecurity issues, Bumgarner says.

Information security professionals usually respond to events that have already occurred, he says. The Georgian and Estonian incidents demonstrate that security professionals might benefit from training in how to respond while an attack is taking place. "A lot of agencies do not train that way, do not train for aggressive response," Bumgarner says.

Various types of info warfare resources are available. The Estonian Ministry of Defence recently posted a document titled Cyber Security Strategy on its Website (mod.gov.ee) that calls for, among other things, the development and implementation of international cyber security policies.

The U.S. Cyber Consequences Unit offers a cybersecurity checklist intended to provide a comprehensive survey of the steps that corporations and other organizations should take to reduce their vulnerability to cyber attacks. The checklist contains 478 questions grouped into six categories: hardware, software, networks, automation, humans and suppliers. "It is a baseline where we think organizations should be," Bumgarner says. He urges information security professionals to examine the checklist and offer their input. "It's not something created in a vacuum," he says. "We welcome any comments on it."

Schwartau says information security professionals must convince upper management that the threat of information warfare is real. That's because it's not just the security person's problem. "Too often the info sec guys get laden with things they shouldn't," he says. For instance, are the costs involved in implementing better power backup systems worth more than a potential data loss? "That's a business decision, not a technical decision," Schwartau says.

On the other hand, the threat of information warfare indicates how critical cybersecurity issues are in the Internet age. "There should be an info sec signoff on any major corporate decision," says Schwartau.

Finally, the most important lesson of the Georgian attacks may lie in how they compare to the Estonian attacks: While the Estonian attacks were simplistic and scattershot, the Georgian attacks were targeted. "The level of sophistication jumped from ground zero to three," says Bumgarner. An information security professional should worry about this.

Schwartau is more blunt. "Is it going to get nastier?" he asks. "Yes, it's going to get nastier."

John Soat is a freelance business and technology journalist based in Cleveland, Ohio, USA.