Embed Size (px)
Citation preview
January 2017Volume 15 Issue 1
Machine Learning: A Primer for SecurityEnterprise Security Architecture: Key for Aligning
Security Goals with Business GoalsThe Role of the Adjunct in Educating the Security Practitioner
Fragmentation in Mobile DevicesGaining Confidence in the Cloud
Crypto Wars II
The Best Articles of 2016
Table of ContentsDEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY
Articles22 Enterprise Security Architecture: Key for
Aligning Security Goals with Business GoalsBy Seetharaman JeganathanIn this article, the author shares his insights about why security architecture is critical for organizations and how it can be developed using a practical framework-based approach.
30 The Role of the Adjunct in Educating the Security PractitionerBy Karen Quagliata – ISSA member, St. Louis ChapterThe cybersecurity industry faces a shortage of qualified professionals. Part of the solution is to better deliver cybersecurity education in colleges and universities. The purpose of this article is to equip cybersecurity professionals working as adjunct instructors with resources to deliver a more efficient and effective class.
Also in this Issue3 From the President4 [email protected] Sabett’s Brief
(Not) The Best of Cybersecurity, 2016 Version6 Herding Cats
Sweat the Small Stuff7 Open Forum
Executive Juris Doctor: Rewarding and Influential Career Path
8 Security in the News9 Security Awareness
Security in the News in 201610 Crypto Corner
A Feeble Attempt at Humor12 Association News
Feature 14 Machine Learning: A Primer for Security
By Stephan Jou – ISSA member, Toronto ChapterThe author examines how machine learning can be leveraged to address the practical challenges of delivering lower-cost security by resolving more threats faster, with fewer resources. It will focus on machine learning security techniques that work at typical levels of data volumes, from those operating with “small data” to those implementing data lakes.
©2017 Information Systems Security Association, Inc. (ISSA)
The ISSA Journal (1949-0550) is published monthly by Information Systems Security Association
11130 Sunrise Valley Drive, Suite 350, Reston, Virginia 20191 703.234.4095 (Direct) • +1 703.437.4377 (National/International)
35 Fragmentation in Mobile DevicesBy Ken SmithThe purpose of this article is to explore the threat to consumers posed by mobile device fragmentation. The author categorizes mobile device fragmentation by operating systems, manufacturer, and carrier, exploring the vulnerabilities at each level.
39 Gaining Confidence in the CloudBy Phillip Griffin – ISSA Fellow, Raleigh Chapter and Jeff Stapleton – ISSA member, Fort Worth ChapterCan cloud-based technologies, such as the blockchain, play a role in providing cloud subscribers assurance their data is being properly managed and that their cloud service provider is in compliance with established security policies and practices?
44 Crypto Wars IIBy Luther Martin – ISSA member, Silicon Valley Chapter and Amy VostersThe debate over whether or not to give US law enforcement officials the ability to decrypt encrypted messaging has recently been revisited after a twenty-year break. The results may be surprising.
Article of the Year
2 – ISSA Journal | January 2017
From the President
January 2017 | ISSA Journal – 3
International Board OfficersPresident
Andrea C. Hoy, CISM, CISSP, MBA, Distinguished Fellow
Vice PresidentJustin White
Secretary/Director of OperationsAnne M. Rogers
CISSP, FellowTreasurer/Chief Financial Officer
Pamela Fusco Distinguished Fellow
Board of DirectorsDebbie Christofferson, CISM, CISSP,
CIPP/IT, Distinguished FellowMary Ann Davidson Distinguished Fellow
Rhonda Farrell, FellowGeoff Harris, CISSP, ITPC, BSc, DipEE,
CEng, CLAS, FellowDJ McArthur, CISSP, HiTrust CCSFP,
EnCE, GCIH, CEH, CPT Shawn Murray, C|CISO, CISSP, CRISC,
FITSP-A, C|EI, Senior MemberAlex Wood, Senior Member
Keyaan Williams, FellowStefano Zanero, PhD, Fellow
The Information Systems Security Asso-ciation, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that en-hance the knowledge, skill and professional growth of its members.With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security pro-fessionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communica-tions, education, healthcare, manufactur-ing, financial, and government.The ISSA International Board consists of some of the most influential people in the security industry. With an internation-al communications network developed throughout the industry, the ISSA is fo-cused on maintaining its position as the preeminent trusted global information se-curity community.The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global informa-tion systems security and for the profes-sionals involved.
From a cybersecurity profession-al’s perspective, we probably can relate to the differentiation
of having a “good” year versus a “hap-py” one. Many of us remember notable events in 2016 that probably did not make anyone “happy.” Those in our Healthcare SIG might recall cancer-care service provider 21st Century Oncol-ogy’s announcement that 2.2 million patients may have had their personal information affected by a breach in Oc-tober 2015: hackers had access to patient names, Social Security numbers, doc-tors, diagnosis and treatment informa-tion, along with insurance information. Even the loss of one password-protected laptop led to 200,000 patients’ sensitive information being exposed in the Pre-miere Healthcare case. Maybe it was the Yahoo breach announcements of 500 million accounts being stolen by a state-sponsored actor, then later in De-cember one billion accounts!Meanwhile it was a “good year” from the perspective of heightened awareness of cybersecurity and privacy issues by the average person on the street. As well, leading companies—and more impor-tantly their boards—have been address-ing and providing better protection of sensitive personal and company infor-mation. In 2016, with consumers embracing the Internet of Things, hackers brought us Mirai, causing possibly the largest DDoS attack known to date, delivering 665 Gigabits per second and 143 million packets per second of unwanted traffic via hijacked IoT devices to the Krebs on Security blog.The increase in regulations, as well as privacy concerns, meant an increase in regulatory compliance, leading many companies to address information se-
curity budget in-creases. In the first six months of 2016, even the US federal government had hired 3,000+ new cybersecurity/IT professionals as part of its first Federal Cybersecurity Workforce Strategy. And the president’s 2017 budget contains a proposed $3.1 billion to overhaul diffi-cult-to-secure systems.So looking forward, ISSA aims to con-tinue providing timely and thought-pro-voking information and educational resources. And more importantly, we want to provide the peer/industry net-working necessary to give you a global helping hand. Our global Special Interest Groups (SIGS) are ready to ring in the new year with exciting webinars and meetings. We had two very successful joint events in December, one the IEEE Women in Engineering Internet of Things World Forum, the other with SANS Connect. ISSA members can look forward to more of these events throughout 2017.For CISOs, our excellent CISO Execu-tive Forum is set up by a committee of your peers and overseen by CISO Exec-utive Forum chair and International di-rector Debbie Christofferson. This year’s with be at RSA; in partnership with the IAPP conference in Washington, DC; at Black Hat in Las Vegas; and the ISSA International Conference in San Diego.And be sure to join us January 24 for this year’s first ISSA web conference where we discuss more of what to expect in 2017!To our ISSA members across the globe: have a Happy and Good New Year!Moving forward,
Happy New Year! Bonne annee’! Szczesliwego Nowego Roku! Feliz año nuevo! Manigong Bagong Taon! Felice
Anno Nuovo or Buon anno! Mutlu Yillar! Ein glückliches neues Jahr! Hauoli Makahiki hou! And Shanah tovah
u’metuka (הקותמו הבוט הנש) or hopes for a good and sweet year!
Andrea Hoy, International President
The information and articles in this mag-azine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implemen-tation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or imple-mentation, is the responsibility of the reader.
Articles and information will be present-ed as technically correct as possible, to
the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Techni-cal inaccuracies may arise from printing errors, new developments in the indus-try, and/or changes/enhancements to hardware or software components.
The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect
the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of in-formation systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members.
ISSA is a not-for-profit, independent cor-
poration and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information se-curity professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org.
All product names and visual represen-tations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.
4 – ISSA Journal | January 2017
The Best Articles of 2016Thom Barrie – Editor, the ISSA Journal Editor: Thom Barrie
Advertising: [email protected]
866 349 5818 +1 206 388 4584
Editorial Advisory BoardPhillip Griffin, Fellow
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Kris Tanaka
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Distinguished Fellow
Services DirectoryWebsite
866 349 5818 +1 206 388 4584
Chapter [email protected]
866 349 5818 +1 206 388 4584
Member [email protected]
866 349 5818 +1 206 388 4584
Executive [email protected]
866 349 5818 +1 206 388 4584
Advertising and [email protected]
866 349 5818 +1 206 388 4584
We’d like to ac-knowl-
edge the passing of 2016, not with reminiscing the breaches, malware, privacy invasions,
legislations—Andrea, Geordie, and Randy help us out with that—but by cel-ebrating the articles the Editorial Advi-sory Board deemed the best of the year.
The 2016 Article of the Year“Machine Learning: A Primer for Se-curity” by Stephan Jou [Toronto Chap-ter]. Stephan lays out the workings of machine learning and artificial intel-ligence, painting a clear picture of this growing technology that some argue is still not ready for prime time. But the promise of combining big data and ma-chine learning—whether for analyzing unimaginably huge amounts of data for business processes or picking up on the bad actors knocking, poking, and prod-ding our infrastructures—has me excit-ed to see how 2017 plays out in this field.
The Best of 2016“Enterprise Security Architecture: Key for Aligning Security Goals with Busi-ness Goals,” by Seetharaman Jegana-than—Seetharaman deserves an hon-orable mention as his article was a very close runner up.“The Role of the Adjunct in Educating the Security Practitioner,” by Karen Quagliata [St. Louis Chapter].
“Fragmentation in Mobile Devices,” by Ken Smith.“Gaining Confidence in the Cloud,” by Phillip Griffin [Raleigh Chapter] and Jeff Stapleton [Fort Worth Chapter].“Crypto Wars II,” by Luther Martin [Sil-icon Valley Chapter] and Amy Vosters.Congratulations to our best authors of the year! A number are already plan-ning to submit further works in the up-coming year.
Readers’ Choice for 2016So, these are the board’s choices. Do you concur? Please take a look through the year and let us know your top three or four selections. We’d love to have a Readers’ Choice. Some of my favorites not mentioned are “Impact of Social Media on Cybersecurity Employment and How to Use It to Improve Your Ca-reer,” Tim Howard [South Texas Chap-ter]; “Stop Delivery of Phishing Emails,” Gary Landau [Los Angeles Chapter]; “Beware the Blockchain,” Karen Mar-tin; “The Race against Cyber Crime Is Lost without Artificial Intelligence,” Keith Moore [Capitol of Texas Chapter]; and “Why Information Security Teams Fail,” Jason Lang. Let me know at [email protected]’s been a great year in the ISSA Journal. Here’s looking forward to an even bet-ter year. Do you have an article to share. Bring it on.—Thom
Sabett’s Brief
By Randy V. Sabett – ISSA Senior Member, Northern Virginia Chapter
(Not) The Best of Cybersecurity, 2016 Version
So how many cybersecurity “Best of 2016” lists have you seen over the past few weeks? Well, this won’t be
one of those lists, because as I’ve done in prior years, I’m going to cover events that I think were notable but that weren’t necessarily “best of.” And, as in past years, my wife thinks that this is a silly approach, but here goes anyway…First off, the Internet has survived an-other year. Despite all of the predictions of gloom and doom that have been pos-ited over the past decade or more, we’re still plugging away with the same basic infrastructure we’ve had for several de-cades. To some extent, this survival is a testament to its original design—adapt-able to changing conditions and attacks.Turning to a legislative event from very early in the year, the passage of the Con-solidated Appropriations Act of 2016 included the Cybersecurity Information Sharing Act (CISA). CISA created a vol-untary process for sharing cybersecu-rity information without legal barriers or threats of litigation. DHS and DOJ released additional guidance on infor-mation sharing under CISA in February and June. Based on personal experience in 2016, I find CISA has influenced a number of decisions to share informa-tion, including B2B, B2G, and G2B.Continuing for a moment on the gov-ernment side of things, in February the Administration released the Cyberse-curity National Action Plan (“CNAP”). The CNAP provides a combination of near-term tactical actions and lon-ger-term strategy components intended to “enhance cybersecurity awareness and protections, protect privacy, main-tain public safety as well as economic and national security, and empower Americans to take better control of their
digital security.”1 Good stuff, but proper implementation will be critical.On the commercial side, businesses continued to be subjected to a variety of ever-evolving threats, including the incredible rise in both frequency and insidiousness of ransomware. 2016 saw ransomware evolve from phish-ing-based attacks on individual ma-chines into an attack mechanism that threatened entire networks. In particu-lar, SamSam (which exploits unpatched servers, moves laterally to any machine it finds, and then encrypts the entire network) proved to be particularly over-whelming. Only robust patching and diligent backups offer resiliency.In 2016, we saw cybersecurity become an integral part of the due diligence process for most M&A transactions (and personal experience bore this out). In fact, according to a recent survey, 85 percent of public company directors and officers say that an M&A transaction in which they were involved would likely or very likely be affected by “major se-curity vulnerabilities.” In addition, 22 percent say that they wouldn’t acquire a company that had a high-profile data breach, while 52 percent said they would still go through with the transaction but only at a significantly reduced value.2 This interest in cybersecurity diligence is not just theoretical: in the midst of an October M&A transaction involv-ing Verizon and Yahoo!, news broke of a Yahoo! breach that had occurred ap-proximately two years earlier. This event raised speculation around what it might do to the deal. To me, the bigger question will be how the overall scope of the due
1 https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.
2 https://www.nyse.com/publicdocs/Cybersecurity_and_the_M_and_A_Due_Diligence_Process.pdf.
diligence process will be influenced by cybersecurity in future deals.To round out the year, I will end on a hopefully positive note. In December, the findings of the Commission on En-hancing National Cybersecurity were released.3 The Commission had been tasked with developing recommenda-tions for ways to strengthen cybersecu-rity across both the federal government and the private sector. In a statement, President Obama stated that “[t]he Commission’s recommendations...make clear that there is much more to do and the next administration, Congress, the private sector, and the general public need to build on this progress.” Amen to that—all stakeholders must meaningfully participate and address cybersecurity so that everyone benefits. Let’s hope that 2017 sees that partici-pation increase. With that, I hope that your holiday season has been enjoyable and that your new year is off to a great start. Now I’m headed off to the refrig-erator to come up with a top 10 list of leftovers for my wife. Looking forward to hearing from you in 2017!
About the AuthorRandy V. Sabett, J.D., CISSP, is Vice Chair of the Privacy & Data Protection practice group at Cooley LLP, and a member of the Boards of Directors of ISSA NOVA, MissionLink, and the Georgetown Cy-bersecurity Law Institute. He was named the ISSA Professional of the Year for 2013, and chosen as a Best Cybersecurity Lawyer by Washingtonian Magazine for 2015-2016. He can be reached at [email protected].
3 https://www.nist.gov/cybercommission.
January 2017 | ISSA Journal – 5
If you are going to be at RSA Conference this
year, or perhaps you picked up a print
copy and are reading this in the shad-ow of one of the expo halls, take a mo-ment to think about all the vendors on the floor who are selling amazing kit. If you have not walked the floor yet, be sure to allocate a few hours to do so. I like to start at the edges because that’s often where some of the best new stuff is. But remember, buyer beware. Snake oil salesmen work everywhere!As you speak to these vendors and un-derstand how their products work, you might get caught up in the excitement of new kit and new capabilities, so much that you lose rational thought for a mo-ment. I mean, how else do you end up with three timeshares at the end of a lav-ish Las Vegas weekend? Before you sign on the dotted line, think about the prob-lem that the kit is trying to solve and see if you have already solved it elsewhere (or should solve it elsewhere).Sometimes we forget our roots, but that’s understandable as our industry has grown from nothing to what you see around you in the expo halls over the last twenty years. Those of us who have been around that long certainly remem-ber security as something one of the IT guys did, that and building tools to help us manage our growing infrastructure on a small scale—often times in the same manner that the big vendors do to-day. Before you run to your finance guy for budget, let’s look at a couple basic things we all need to master first.
How’s your logging?PCI DSS may have been the first step in forcing companies to capture good and
usable logging information, but DevOps is the new darling on the block. Compa-nies I work with tend to check the box for PCI to close that nagging require-ment but have expanded their informa-tion generation capabilities dramatical-ly to gain extremely important insight into their infrastructure as it runs. Getting rich logging information to do both user behavior analysis and to gain valuable insights into your infrastruc-ture in real time will power your intel-ligence-gathering capabilities. Many of the products you will see on the fringe this year are going to make the case to shift from SIEM (security information event management) to UEBA (user and entity behavior analytics). If you don’t have solid—and I mean really solid—logging capabilities baked into every layer of your infrastructure, these tools won’t work as advertised. In fact, any tool you see that promises to look for trends, to do machine learning to alert you on anomalies, or to just make you more efficient will struggle to work if you are terrible at logging.
Show me machine learning!I was at an expo a few months ago and had a string of vendors tell me about their machine learning capabilities. They show a graph with fifty bars on it, all of which are under a value of, say, ten except for one that is at a thousand. Then they point to it and say MACHINE LEARNING! For the record, that is anomaly detection. My godson who is almost three can do the exact same thing and make you laugh when he does it. Machine learning would be pointing to one of the small bars and telling an analyst to look at that one. Challenge your vendors to go beyond the glitz and buzzwords. Vaporware is just as present today as it has ever been. Machine learn-
ing is a fantastic tool, but be sure you are covering your anomaly detection basics first.
How’s your debt?Technical debt exists everywhere. It’s that patch you decided to leave off the list, or that coding workaround you built to solve a latency issue, or a default password you left in an application to make support easier. Good companies know exactly how far in debt they are and work to pay this debt back. No com-pany will always be debt free, but man-aging this debt will help you understand how to deploy your limited resourc-es. Sometimes it’s a system that has a known flaw in it, but it takes an attacker twenty minutes to compromise. Sounds like that virtual resource will only exist for ten to fifteen minutes at a time until you can address the root cause!This year’s RSA Conference is geared up to be the biggest ever. Tweet me at @BrandenWilliams with a comment about the article before February 18, 2017, and you could be the lucky winner of a $25 Amazon gift card! Look for me around the expo, in a session, or decom-pressing in the airport lounge on Friday as I hurry home for the weekend!
About the AuthorBranden R. Williams, DBA, CISSP, CISM, is a seasoned infosec and pay-ments executive, ISSA Distinguished Fellow, and regularly assists top global firms with their information security and technology initiatives. Read his blog, buy his books, or reach him directly at http://www.brandenwilliams.com/.
Sweat the Small StuffBy Branden R. Williams – ISSA Distinguished Fellow, North Texas Chapter
Herding Cats
6 – ISSA Journal | January 2017
Open Forum
Executive Juris Doctor: Rewarding and Influential Career Path
I wanted to write in support of Randy V. Sabett’s column, “Who’s Ready for a JD?,” in the October issue of
the ISSA Journal. I agree we need more people with legal education in the secu-rity profession, although I will take the position that one does not need to be a full-blown, bar-certified Juris Doctor (JD). I was told while in law school that 70 percent of JDs don’t practice law. So, if you don’t have the desire to be bar-cer-tified and practice law, a JD may not be the best option for you.In late 2005, I looked at the future of the security industry and saw that every-thing we do in security would have an ever-increasing legal implication. Be-cause of that, I decided I needed a better legal education. I did not have any inter-est in practicing law, so I did not want to go the JD route. I was looking for a Master’s in legal studies, but at that time none existed (there are several Master’s of legal studies degrees today). I came across an Executive Juris Doctor (EJD) degree distance learning program.As I describe it, it’s a law degree for peo-ple who want the same legal education that lawyers get but who have no inter-est in practicing law. You take courses in the same substantive courses JD stu-dents take (e.g., torts, contracts, crimi-nal law, and civil procedure to name a few), but because it is not bar eligible, you don’t take the full course load a JD student would take like wills and trusts or corporations, and there is flexibly to specialize. In my case, I specialized in law and technology and took courses in cyberlaw and intellectual property.
I have reaped huge rewards for having this legal education as a security profes-sional. I have published and presented on legal topics in security since 2009. I was twice published in the ISSA Journal, one on e-discovery, the other on social media policy. Being able to take a law and translate it into business processes or technical controls is very hard to do if you do not understand how to read law, how courts will interpret the law, or even understanding rulings coming down from the courts. And laws per-meate our entire profession—CFAA, ECPA, HIPAA (which are actually reg-ulations effectuated by legislation), etc.But, there are other advantages for hav-ing a legal education. Much like we in the security industry have our own vo-cabulary, so too do lawyers; being able to speak to lawyers in a language they understand is very important today. For example, I explain to people that the word “risk” means nothing to a lawyer, but when you use the term “liability,” you can get a lawyer’s attention. As a security professional, when I speak to lawyers using their lexicon, most law-yers light up and become very interested in what I have to say and become very willing to help me.Getting a lawyer’s attention and support has another advantage—that of stake-holder in security. Rather than trying to futilely drive security initiatives with finance, marketing, or technology de-partments or even executive manage-ment, I use the legal department as my driving stakeholder. Their job is to pro-tect the organization from liability and
lawsuits, and they usually have the ear of the CEO and the board. So, if they are aware of security issues that are creating liability for the organization, they can be your biggest advocate for advancing change.But, I would warn you not to jump into a legal education lightly. There is a tre-mendous amount of reading and a good bit of writing that goes with a legal edu-cation. Also, I pursued my legal educa-tion going to school full time and work-ing full time, so I slept about four hours a night for the first nine months I was in school. Be prepared for the amount of time that will be required from you. That being said, I can say having a legal education has been very advantageous in my career as a security professional, and it is something I am glad I pursued.
About the AuthorDr. Jon J. Banks, EJD, GPEN, CEH, OSWP, CISSP is a Sr. Security Architect at Link Technologies with 19 years of ex-perience building information security architectures and programs. Since 2009, Dr. Banks has used his legal education to give back to our profession by publishing, presenting, and teaching on various top-ics in law and information security. He can be reached at [email protected].
By Jon J. Banks – ISSA member, Denver Chapter
The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. The views expressed in this column are the author’s and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.
January 2017 | ISSA Journal – 7
Security in the NewsNews That You Can Use…Compiled by Joel Weise – ISSA Distinguished Fellow, Vancouver, BC, Chapter and Kris Tanaka – ISSA member, Portland Chapter
It’s Time to Pull Out Your Crystal BallWhat do you think is going to happen with security and technology in 2017? Will things be better, worse, or will they remain status quo? Here is an assortment of forecast articles for your consideration. To me, these predic-tions are less about the future and more about a replay of 2016. What do we have to look forward to according to security experts? More of the same: The Internet of Things, more viruses and APTs, cloud everything, DoS attacks, ransomware, etc. My personal favorite? Dronejacking. I previously mentioned this to friends at an unnamed online retailer, but in spite of demonstrated attack scenarios they thought it was not possible. As always, it might be fun to hold on to these links and revisit them in December to see how accurate they really were. Here’s to the future and keeping cybersafe in 2017! Cheers!
http://www.forbes.com/sites/gilpress/2016/12/12/2017-predictions-for-ai-big-data-iot-cybersecurity-and-jobs-from-se-nior-tech-executives/ - 5ff851ee62e9
http://www.usatoday.com/story/money/columnist/2016/12/17/think-cyberthreats-bad-now-theyll-get-worse-2017-spear-phishing-etc/95262574/
http://www.infosecisland.com/blogview/24860-Top-10-Cloud-and-Security-Predictions-for-2017.html
https://blog.radware.com/security/2016/12/cyber-security-predictions-2017/
http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2017.pdf
http://www.csoonline.com/article/3150997/security/what-2017-has-in-store-for-cybersecurity.html
https://www.scmagazine.com/gazing-ahead-security-predictions-part-2/article/578976/
Biggest Data Breaches and Hacks of 2016: Yahoo Data Breach, DNC Hacking, and Morehttp://www.techtimes.com/articles/190021/20161225/biggest-data-breaches-and-hacks-of-2016-yahoo-data-breach-dnc-hacking-and-more.htm
In addition to looking forward, the new year is also a time of reflection and taking stock of what transpired over the past year. Here’s a quick look at some of the biggest data breaches and hacks that took place in 2016.And just in case you haven’t seen it before, check out this frequently updated, interactive infographic from In-formation is Beautiful. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Major Cyberattacks on Health Care Grew 63 Percent in 2016http://www.darkreading.com/attacks-breaches/major-cyberattacks-on-healthcare-grew-63--in-2016/d/d-id/1327779
The Internet of Things continues to open up new attack vectors, particularly in the healthcare industry as secu-rity experts reported a surge in medical device hijacking in 2016. The industry will continue to face challenges in 2017, thanks to predictions of unprecedented levels of ransomware and the increasing ability of hackers to launch multiple attacks at once.
Cybersecurity Confidence Gets a C-. How to Improve Your Grade in 2017http://www.csoonline.com/article/3151078/security/cybersecurity-confidence-gets-a-c-how-to-improve-your-grade-in-2017.html
How do you feel about detecting and mitigating cyber threats in your organization? If your answer is “not very confident,” you are in good company. According to a new survey, global confidence in cybersecurity is dropping, while challenges, such as the expanding threat environment, are increasing. Although it is easy to get discour-aged, especially when we continue to see article after article revealing new breaches and cyberattacks, there are ways we can improve.
Five Ways Cybersecurity Is Nothing Like the Way Hollywood Portrays Ithttp://www.networkworld.com/article/3151064/security/five-ways-cybersecurity-is-nothing-like-the-way-hollywood-por-trays-it.html
Cybersecurity is cool. Just take a look at how many television shows and movies have woven it into their scripts and storylines. But just how accurate is their portrayal of the industry? Yes, Hollywood usually tends to glam-orize things. We all know our day-to-day work lives rarely involve fist-fights and elaborate stunts found in action movies. But the increasing popularity around cybersecurity, even in fictional form, is a good thing. Awareness is one of the best weapons in the fight against the “bad guys.”
Increasing the Cybersecurity Workforce Won’t Solve Everythinghttp://www.csoonline.com/article/3153079/security/increasing-the-cybersecurity-workforce-wont-solve-everything.html
The word is out—we all need to focus on cybersecurity, improving our security posture and infrastructure. Even the US government is receiving recommendations and guidelines on how to make this goal a reality. Unfortunate-ly, many of the proposed plans will take time and additional resources. What can you do while you are waiting for these “new” solutions to make an impact? Increase security awareness at all levels in your organization. As you have heard many times before, all it takes is just one click. Make sure the humans on your network are prepared to make the right choices.
8 – ISSA Journal | January 2017
It’s been a huge year for information security in the public eye. It seemed like security was constantly in the
news for massive corporate security breaches, election email leaks, or draco-nian new cyber laws.
We had Apple vs. the FBI. Tempers flared. People got hysterical. And that was just the FBI’s legal team. Not all the commentary was credible. The well-known encryption experts the National Sheriffs’ Association stated that Apple was “putting profit over safety” and this had “nothing to do with privacy.” Aww bless. Yahoo announced yet another huge breach. It’s sad to see the once mighty Internet giant slowly transitioning from respected Internet pioneer to a honey-pot experiment with live customer data. The official line was that Yahoo had been the victim of “state-sponsored” attacks. That sounds a lot better than being re-peatedly caught out with obsolete se-curity controls like MD5 encryption to protect customer passwords. To be fair, MD5 encryption can be considered very strong. But only if your threat model is focused on Russian cryptographers attacking through a star gate from the 1990s.
James Clapper announced his resigna-tion. The man who with a straight face denied to the US Congress that data was being collected on millions of Amer-icans is leaving the building. His exit interview would have been a hoot. Have
you held anything back? Is there any clas-sified information that you’ve failed to return? Um, “Not wittingly.” Under Clapper’s direc-tion, national security objectives have pros-pered. However, tech-nologies we all depend on have been weak-ened, exposing us to risk from cyber crim-inals and repressive regimes. The profits of
US companies have suffered as they’ve struggled to convince global customers that their data is safe with a US com-pany. If you’re a US citizen, you might think the national security trade off was worth it. However, if you live anywhere else in the world, or you’re a US com-pany who has lost customers, then you might have a different view. In November the most intrusive pow-ers ever proposed for the UK intelli-gence services were made law in the UK. Critics protested that the new law gave too many government agencies access to people’s browsing history without the need for a warrant. In fact, the list of agencies that can access browsing data without a warrant is so large that it might have been quicker just to list those that can’t. On the plus side we can all sleep safely knowing that the Welsh Ambulance Services National Health Service Trust knows what we’re doing online. Privacy activists took the UK government to the European Court of
Justice, which ruled in December that government agen-cies needed inde-pendent judicial oversight and that access had to be in response to serious crime. If you swap “web history” with “that special bedroom drawer,” then the judgment is entirely consistent with re-al-world privacy. There were persisting concerns about the security weaknesses of voting ma-chines in the US elections. We should be grateful that the winner of this part-ly automated vote count wasn’t Select *. The FBI learned that Hillary Clinton’s campaign chief John Podesta’s email had been compromised. Unfortunately all their agents were busy ogling An-thony Weiner’s laptop, so they just left a message with Podesta’s IT helpdesk. It’s a mystery why Weiner’s laptop deserved thousands of hours of agent time and the compromise of Podesta’s email by a foreign power didn’t merit an agency visit. 2016 was also the year that the burgeon-ing Internet of trash really started to stink. Brian Kreb’s website was hit with the largest distributed denial of service attack ever: a great amorphous pudding of hijacked IP-enabled household appli-ances. People started waking up to the risks. Some even asked, what’s the point of a rice cooker having an IP address?Here’s to 2017.
About the AuthorGeordie Stewart, MSc, CISSP, is the Principle Security Consultant at Risk Intelligence and is a regular speaker and writer on the topic of security awareness. His blog is available at www.risk-intelli-gence.co.uk/blog, and he may be reached at [email protected].
Security Awareness
Security in the News in 2016By Geordie Stewart – ISSA member, UK Chapter
Image used with permission
January 2017 | ISSA Journal – 9
Crypto Corner
A Feeble Attempt at HumorBy Luther Martin – ISSA member, Silicon Valley Chapter
some hiring manager thought that be-ing able to understand and laugh at this particular joke was a good criterion to use for selecting employees. Really.Here is the joke, reproduced as well as my memory allows. This one requires more thought than the first one. You should not feel bad if you do not under-stand it right away. But even if you do understand it, you might want to feel lucky that you did not end up working for this particular company.
Three cryptographers walk into a bar.The bartender says, “Are you all hav-ing beer tonight?”“Hmm,” says the first cryptographer, “I don’t know.”“Hmm,” says the second cryptogra-pher, “I don’t know.”“Yes,” says the third cryptographer.
I’m not sure where explaining this joke ranks compared to other pointless in-terview questions, like asking how many ping-pong balls it would take to fill a school bus or asking why manhole cov-ers are round, but it seems to me like it is roughly just as useful.This joke actually made me laugh. It also made me wonder exactly how the discus-sion went among the people doing inter-views that led to this particular element being added to their interview process. I assume that nobody starts with the goal of making a bad decision, but using this as part of an interview seemed as good an example of something resulting from a bad decision as anything I have ever seen.The third and final example of humor is another one that I had the dubious hon-or of creating. It is even harder to un-derstand than the previous joke—unless
I n f o r m a t i o n security pro-fessionals in
general, and cryp-tographers in partic-
ular, are not known for their senses of humor. This could be because the most common personality type in informa-tion security is MBTI type INTJ. People of type INTJ tend to be very competent but coldly rational. The characters Greg House from the TV show House and Sherlock Holmes from the TV show Sherlock are examples of how INTJs may come across to most people. But this does not mean that we do not appreciate humor when we see it. Every ten years or so, I come across examples of humor that seem to appeal to some security professionals and to almost all cryptographers. Here are three exam-ples.The word “rogue” is often misspelled as “rouge.” I first noticed this back in the dot-com era when a discussion started on a mailing list about how to handle “rouge CAs.” After other list members exchanged a few messages, I could not help asking what these “rouge CAs” were. I asked if they were described in some document that I had not “red,” but suggested that they were probably real, rather than something that someone would just “makeup.”Only one other list member seemed to understand my attempt at humor, while many others tried to provide serious answers to my obviously (at least to me) flippant questions. This might have been when I first suspected that humor might be quite rare in some parts of the securi-ty industry. It also might not have been as funny as I thought it was at the time.Several years later, I heard a joke in a rather unusual context. Apparently
you spent time in college studying the theory of computation, of course.Several years ago I had to give a talk in Pittsburgh one morning, and then drive to Cincinnati that afternoon for a meet-ing the next day. The roads through that part of the US are notoriously bumpy and busy, and when I finally made it to Cincinnati that evening, I was very tired. When I went to check in at my ho-tel, I was greeted by an enthusiastic and cheerful young woman.
“How are you today?” she asked.“I’m tired,” I replied, perhaps a bit too truthfully.Not realizing that I was a cryptogra-pher, she misattributed another pro-fession to me.“Being a traveling salesman can be tough,” she said.“Yes,” I said, “it can be. And the worst part is how NP-hard the car seats can get.”“What?”“Never mind.”
What have I learned from my many years of experience in the security in-dustry? Apparently not enough. I still have a bad habit of starting talks with a joke, no matter how many times it ends up failing miserably. But isn’t that what we should expect from an INTJ?
About the authorLuther Martin is a Distinguished Tech-nologist at Hewlett Packard Enterprise and the author of the first attempt at hu-mor published in the ISSA Journal (“The Information Security Life Cycle,” March 2008). You can reach him at [email protected].
10 – ISSA Journal | January 2017
SECURE ANY CLOUD WITH ARMOR ANYWHERE
Start Your Secure Cloud Journey Here
Armor Anywhere is a managed, scalable security solution
designed for data within public, private, hybrid or on-premise
cloud environments. Installed at the OS level and managed by a
team of experienced security experts, it prevents data breaches
so you can realize your multi-cloud strategy.
How it works: cut along the dotted line and apply to your hosting infrastructure responsible for sensitive and regulated data.
Managed Security for any cloud. Anywhere.
armor.com | (US) 1 877 262 3473 | (UK) 800 500 3167
Association News
Through January 13, 2017 – For information: www.issa.org/events/EventDetails.aspx?id=712365&group=
T he second research report from the groundbreaking global study of cybersecurity professionals by ISSA and independent industry analyst firm Enterprise
Strategy Group (ESG) has been released.In aggregate 54 percent of cybersecurity professionals sur-veyed admitted that their organizations experienced at least one type of security event over the past year. Yet, surprisingly, none of the top contributors to these cyber attacks and data breaches are related to cyber technology. Rather they point to human issues such as a lack of enough cybersecurity staff members as well as a lack of employee training and board-room prioritization. Further supporting this finding, 69 percent of cybersecurity professionals say the global cybersecurity skills shortage has had an impact on the organization they work for leading to excessive workloads, inappropriate skill levels, high turnover and an acute shortage especially in the areas of security ana-lytics, application security, and cloud security. In this time with fluid world events, such as the US presiden-tial transition, cybersecurity professionals surveyed also send a strong message to national government: the vast majority believe that their nation’s critical infrastructure is extreme-ly vulnerable or vulnerable to some type of significant cyber attack and want government more involved in cybersecurity strategies and defenses. Going further they recommend spe-cific actions government should take, leading with providing better ways to share security information with the private sector, incentives to organizations that improve cybersecu-rity, and funding for cybersecurity training and education. “There’s lots of research indicating a global cybersecurity skills shortage, but there was almost nothing that looked at the associated ramifications. Based upon the two ESG/ISSA reports, we now know that beyond the personnel shortage
alone, cybersecu-rity professionals aren’t receiving appropriate lev-els of training, face an increas-ing workload, and don’t always receive adequate support from the business,” said Jon Oltsik, ESG senior prin-cipal analyst. “Simply stated, these findings represent an exis-tential threat. How can we expect cybersecurity professionals to mitigate risk and stay ahead of cyber threats when they are understaffed, underskilled, and burned-out?” Based upon the data collected from the first global survey to capture the voice of cybersecurity professionals on the state of their profession, this final report of the two-part series, ti-tled “Through the Eyes of Cybersecurity Professionals: An-nual Research Report (Part II),” concludes: • The clear majority (92 percent) believe that an average or-
ganization is vulnerable to some type of cyber attack or data breach
• People and organizational issues contribute to the on-slaught of security incidents
• Most organizations are feeling the effect of the global cy-bersecurity skills shortage
• Cybersecurity professionals have several suggestions to help improve the current situation
• Sixty-two percent believe critical infrastructure is very vulnerable to cyber attacks
• Sixty-six percent believe government cybersecurity strate-gy tends to be incoherent and incomplete
• Eighty-nine percent of cybersecurity professionals want more help from their governments
“The results gleaned from this research are both alarming and enlightening. Alarming in the sense that if we don’t collectively pay attention to the cries for help, we will put businesses unnecessarily at risk. Enlightening in that orga-nizations need to be willing to invest in their cybersecurity professionals, with clearly defined career paths and skills de-velopment in order to hire and retain qualified employees,” said Candy Alexander, cybersecurity consultant and chair of ISSA’s Cybersecurity Career Lifecycle. “This research data will help ISSA and other professional groups to clearly define career paths for our profession.”
The Voice of Cybersecurity Professionals (Part II)
Research Reveals “Human” Issues as Top Cybersecurity and Business Risk
Figure 1 – Impact of cybersecurity skills shortage
Has the global cybersecurity skills shortage impacted your organization over the past few years?
12 – ISSA Journal | January 2017
CSCL Pre-Professional Virtual Meet-UpsISSA.org => Learn => Web Events => CSCL Meet-Ups
So, you think you want to work in cyberse-curity? Not sure which way to go? Not sure if you’re doing all you need to do to be suc-
cessful? Check out Pre-Professional Virtual Meet-Ups to help guide you through the maze of cybersecurity. January 19, 2017: 2:00 p.m. – 3:30 p.m. EDT. Future Chal-lenges: Are You Ready?This discussion will look at the history of security and tech-nology in order to identify what has changed and what hasn’t as well as lessons learned from our past to help prepare for our future. We will review methodologies, technologies, and business practices. Are the challenges really all that different?
2016 Security Review and Predictions for 2017
2-Hour live event Tuesday, January 24, 20179 a.m. US-Pacific/ 12 p.m. US-Eastern/ 5 p.m. London
2016 was a monumental year in cybersecurity: from email hacking impacting the US political world to the October DNS attacks and the ongoing rise of ransomware and IoT concerns. “Cyber” is huge right now. How will this growing spotlight on security translate in terms of media and regulatory attention? And what kinds of threats will dominate the 2017 landscape? Join us, make notes, and then check back in a year to see how we did!
Generously sponsored by
For more information on this or other webinars:ISSA.org => Web Events => International Web Conferences
ISSA.org => Learn => CISO Executive Forum
T he CISO Executive Forum is a peer-to-peer event. The unique strength of this event is that members can feel free to share concerns, successes, and feedback in a
peer-only environment. Membership is by invitation only and subject to approval. Membership criteria will act as a guideline for approval. The 2017 venues will be the following:San Francisco, CA
Innovation and Technology February 11-12, 2017
Washington DCInformation Security, Privacy, and Legal Collaboration April 20-21, 2017
Las Vegas, NVSecurity Awareness and Training—Enlisting Your Entire Workforce into Your Security Team July 23-24, 2017
San Diego, CAPayment Str ategies: The Game Has Changed October 11-12, 2017
For information on sponsorship opportunities, contact Joe Cavarretta, [email protected].
ISSA CISO Virtual Mentoring Series
L EARN FROM THE EXPERTS! If you’re seeking a career in cybersecurity and are on the path to becom-ing a CISO, check out the 19 webinars from April 2015
through December 2016!ISSA.org => Learn => Web Events => CISO Mentoring We-binar Series
ISSA.org => Career => Career Center
Looking to Begin or Advance Your Career?
T he ISSA Career Center offers a listing of current job openings in the infosec, assurance, privacy, and risk fields. Visit the Career Center to look for
a new opportunity, post your resume, or post an open-ing.Questions? Email Monique dela Cruz at [email protected].
The report also lays out the “Top 5 Research Implications” as a guideline for cybersecurity professionals and the organiza-tions they work for. “Assume your organization will experi-ence one or several cyber attacks or data breaches and take the cybersecurity skills shortage into account as part of every initiative and decision. Push for more all inclusive cybersecu-rity training and, as importantly, get involved in educating and lobbying business executives and government legislators alike,” recommended Oltsik.Leslie Kesselring, ISSA Public Relations Consultant—“Through the Eyes of Cybersecurity Professionals: Annual
Research Report (Part I)”: http://www.issa.org/esgsurvey/.—“Through the Eyes of Cybersecurity Professionals: Annual
Research Report (Part II)”: https://www.issa.org/page/is-saesg_survey_P2.
January 2017 | ISSA Journal – 13
ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY
Machine Learning: A Primer for Security
By Stephan Jou – ISSA member, Toronto Chapter
“Machine learning is revolutionizing the security landscape.”
The author examines how machine learning can be leveraged to address the practical challenges of delivering lower-cost security by resolving more threats faster, with fewer resources. It will focus on machine learning security techniques that work at typical levels of data volumes, from those operating with “small data” to those implementing data lakes.
Popular responses to that statement are all over the map. Some say machine learning is vastly over hyped in our market, while others contend it is the combi-
nation of machine learning with access to more data that is the main reason to be optimistic about security in the future. In the day-to-day world of data security, analytics practi-tioners who have embraced machine learning are regularly catching bad actors, such as externally compromised ac-counts or malicious insiders. We do this by using machine learning and analytics to detect indicators of compromise and predict which employees or associates are likely to leave with stolen data. We succeed when we define what is normal, then determine anomalies using machine learning. Machines are simply faster at repetitive tasks like finding inconsisten-cies in the patterns of data usage, and machines do not tire from scouring through billions of data events per day. At present, the cybersecurity industry is still behind the curve in demonstrating the kind of success that machine learning has achieved in some other industries. But with rapidly grow-ing volumes of data and better behavioral monitoring aimed
at leveraging data, big data, and data lakes, machine learning and security clearly will achieve more breakthroughs together.There are two good reasons why machine learning is useful to security. First, it can reduce the cost of standing up and maintaining a security system. In this industry, we’ve spent billions, yet we clearly need better tools to protect our data. The bad guys still have better tools than the good guys, and it still costs too much to investigate and respond to security incidents. The nature of defense is that it simply takes time to build up resistance, only to have a new attack render that de-fense ineffective or obsolete. This leads to the second reason that machine learning is important: it can reduce the time required to detect and respond to a breach once the inevitable occurs. Proper use of machine learning can have a measur-able impact on deployment time and cost, as well as dwell time from incident to response. In this article, I will examine how we leverage machine learning to address the practical challenges of delivering low-er-cost security by resolving more threats faster, with fewer resources. I will focus on machine learning security tech-
2016 Article of the Year
14 – ISSA Journal | January 2017
niques that work at typical levels of data volumes, from those operating with “small data” to those of us implementing data lakes. My purpose is to empower security teams to make use of machine learning to automate what skilled experts can do: prioritize risks so that experts can focus attention on those high-threat anomalies that signify targeted attacks, compro-mised accounts, and insider threats.
Automate and learn: What machine learning does best The concept of machine learning is based on the idea that we can use software to automate the building of analytical models and have them iteratively learn, without requiring constant tuning and configuring. Machine learning, if im-plemented properly, learns by observing your company’s par-ticular data. It should not require rules, tool kits, or a team of data scientists and integrators to endlessly examine the datasets in order to become operational. Similarly, the soft-ware should not require a team with system administration or DevOps skills to architect a big data infrastructure. Many companies’ experiences with analytics date back to when sci-entists and integrators had to spend months, or even years, to understand the business and how every aspect of the dataset intersected with users and machines. This is no longer the case. Modern machine learning works with the data in your organization, observing it persistently through continuous user, file, and machine monitoring.Further, machine learning can react automatically to typical business changes by detecting and reacting appropriately to shifting behavior. This is often a surprise to companies ac-customed to bringing in teams of consultants and having to re-engage them when a new business unit is created or a merger occurs. It is expected that if there are new behaviors;
the old software must be configured; rules constantly rewrit-ten; new thresholds created. But if done correctly, machine learning can learn—then automatically continue to learn—based on updated data flowing through the system. Just as a teacher doesn’t have to tell an equa-tion how to compute the average grade score for the population of a class, the same equation for com-puting averages will work in class-rooms everywhere—or when class-es are added or removed. Math is magical, but not magic. The fact is, math cannot do any-thing that a human can’t do, given enough time and persistence. Math simply expresses what is happen-ing in an automated fashion using equations. In machine learning, such equations are imple-mented as software algorithms that can run continuously and tirelessly. There is plenty of mystique around the seemingly limitless capabilities of “magical” algorithms that are, in real-ity, far less responsible for what machine learning can do for security than the data itself. In fact, connecting the data to the math (a process known as feature engineering) and then implementing the math at scale (using appropriate big data technologies) is where the real magic of machine learning for security lies.
Cost and time essentialsOne way to understand how machine learning can have an impact on cost is to look at the steps required to install and use an analytical product. We all know there is fixed time associated with installation and configuration, but it is the
Automatic means no rules must be fine-tuned, no thresholds must be tweaked, no maintenance must be performed when your business shifts.
January 2017 | ISSA Journal – 15
Machine Learning: A Primer for Security | Stephan Jou
pendent on the capabilities of the analytics. The real cost dis-parity emerges when we ask questions such as:
• Do I need to set thresholds? • Will we have to write rules? • Am I paying service fees for these capabilities? • How easy is it?
To get value from the system, you obviously want to ask the essential question: How long before we can actually learn something about a breach? By asking and answering this, we can know time to value. To obtain the answer, we need to focus on how machine learning extracts value. It’s popular to focus attention on the algorithm, most likely because recently algorithms such as Deep Learning have been achieving exciting successes in the news. And it’s naturally easy to get lost in that excitement! However, more important than the algorithm is a focus on the right data and correspondent use case appropriate for your particular organization. Getting the right datasets for the job and applying the right principles will trump any giv-en algorithm, every time. With this approach, we can allow machine learning to do what it does best: find evidence, and connect the dots between pieces of evidence, to create a true picture of what is happening. This “connecting of dots” is important because it allows us to show corroboration across datasets. When security profes-sionals talk about alert fatigue, they are really referring to the need for better corroboration so they can reduce the number of results the system fires. Simply put, when we have alert fa-tigue, the math is not helping us compress the results that the system is finding. But math can help compress billions of events per day into dozens of incidents by effectively scor-ing all events, and then corroborating multiple-scored events together. A machine learning implementation further means that this approach to reduce false positives and alert fatigue can be done automatically, to give us the reduced cost and fast-er time to value we’re looking for. But how does that work?
The value of a score: Probabilistic methods vs. rules and thresholdsOne important machine-learning technique is using probabi-listic statistical methods1 to score events for risky indicators, rather than to rely on rules with thresholds that either fire or do not fire.When we talk about scoring an event, we are simply talking about computing a number, for example, between zero and 100. This contrasts with relying on rules that issue a Bool-ean alert. Boolean alerts either fire or do not fire, based on parameters and thresholds the operator has set. The problem with this approach is that since alerts either fire or do not fire, as the alerts accumulate (in your SIEM, for example), the best we can do is count them. Having 10 alerts, all with lim-
1 For a good overview of probabilistic and statistical methods as it applies to machine learning, see: Murphy, K. P. 2012. Machine Learning: A Probabilistic Approach, Cambridge, Massachusetts: MIT Press.
tuning and training of the analytics that has been historically costly. There are many steps involved in the process between decid-ing to start to build a security analytics-enabled process, to receiving valid analytics that can detect and respond to inci-dents. Choosing the right approach can significantly reduce the time and the cost between the project start and when val-ue can be provided. Specifically, choosing a proper machine learning-based approach that does not require manual tun-ing, customization, building of rules, etc., can greatly accel-erate the time to value (figure 1).Whether total deployment time is fast (a couple of hours or few days) or painfully slow (as long as a year!) is largely de-
Figure 1 – Time to value: Security analytics using rules, versus security analytics using machine learning
Don’t Miss This Web Conference2016 Security Review and
Predictions for 20172-Hour live event Tuesday, January 24, 2017
9 a.m. US-Pacific/ 12 p.m. US-Eastern/ 5 p.m. London
2016 was a monumental year in cybersecurity: from email hacking impacting the US political world to the October DNS attacks and the ongoing rise of ransomware and IoT concerns. “Cyber” is huge right now. How will this growing spotlight on security translate in terms of media and regulatory attention? And what kinds of threats will dominate the 2017 landscape? Join us, make notes, and then check back in a year to see how we did!
Generously sponsored by
For more information on this or other webinars:ISSA.org => Web Events => International Web Conferences
16 – ISSA Journal | January 2017
Machine Learning: A Primer for Security | Stephan Jou
are trained to look for—bad or at least “weird” things happening to their data. Finally, we can collect and score all of the events and compute their likelihood of causing us problems. In this way, we cre-ate a system that can learn automatically.This automatic learning is an important component of why the machine learning approach works. Automatic means no rules must be fine-tuned, no thresholds must be tweaked, no maintenance must
ited severity information and context, delivers little information that is helpful. When we score events for risk, we can as-sign them meaning—for example, 0% is no risk, while 100% is the most extreme risk—and then more smartly aggregate risk values to get a combined picture of the risks associated. Risk scores can give additional context by being associated with not only a particular activity, but also with the assets, people, and ma-chines involved. Mathematical weight-ing helps us tune and train our model for specific activities, people, assets, and end points on a per-behavior pattern basis. Aggregating scores, rather than simply counting alerts, is more effective because we can define a weighted representation of how risky behavior is. In contrast, if all you have is an alert, you can only say that “X” things happened. While it’s true that we can label events, labeling things either good or bad does not help. In fact, it can be risky. It quickly becomes easy to ignore low probability events or trick the system into ignoring them. You can see why it is possible to get 10,000 alerts when the threshold is set too low, for example. In a typical medium-size business environment, it is quite likely to have the data present us with billions of “events”—multiple bits of evidence of what is happening to the data. Machine learning can work quickly to distill these billions of events to tell the difference between low- and incredibly high-risk events, and then connect them together for a picture, or handful of pictures, that can tell us what is going on. Here, math helps us compress the results, so instead of having alert fatigue or a group of pat-terns with arbitrary values, we have a clear picture using statistics of what is anomalous.In addition to using scoring, effective machine learning in data security lets us use probabilistic math rather than thresholds. Probabilistic methods are better than thresholds because they tell us not just about badness, but the prob-ability or degree of badness. We can compute all of the events, not just those arbitrarily deemed likely to be interest-ing. We can much more accurately assess the overall risk posture of any entity and actually measure what security experts
be performed when your business shifts. But how does machine learning pull off this trick?
How machines learnMachines don’t learn in a vacuum; ma-chines learn by continually observing data. Given enough data, machines can turn data into patterns. Observation of patterns can lead to generalizations, a process accomplished by taking exam-
January 2017 | ISSA Journal – 17
Machine Learning: A Primer for Security | Stephan Jou
As a human, when given a set of observations that look like figure 2, you might eventually conclude (or learn) that cats generally have longer tails and whiskers than dogs.There are two broad classes of machine learning: supervised learning and unsupervised learning.In supervised learning, we are given the answers. In our cat and dog example, suppose that whenever we are given a whis-ker length and tail length, we are also told whether the animal is a cat or a dog; this is an example of supervised learning. Rather than simply asking us to “find me dogs and cats,” the data told us what these animals are. Since we, in turn, advised the algorithm about whisker and tail length, this class of al-gorithm is known as supervised learning. It requires accurate examples. The model, represented visually by the dotted line (figure 3), states that if the tail and whisker length is to the left of the dotted line, declare the animal to be a dog. If it’s on the right, call it a cat.Using the learned model shown in figure 3, we can start to make predictions. When we see animal X, and measure its tail and whisker length, we would predict that it’s a cat, since it is to the right of the dotted line (figure 4). X’s long whiskers and long tail give it away!In unsupervised learning, we hope that a grouping (or cluster-ing) pattern emerges based solely on the input data, without any output labels (figure 5). The data tells the story, self-or-ganizing into clusters. In general, unsupervised learning is a much harder problem than when output labels are available.
ples and creating general statements or truths. This learning process is true not just of machines, but of humans. Machine learning is nothing more than algorithms2 that automate this same learning process that we as humans do naturally.Consider that when we as humans see something, we know what we probably saw because it is most similar to what we’ve seen before. This is actually an example of a machine learning algorithm known as “nearest neighbor” (or k-nearest neigh-bors, for the picky). Here is an example of applying machine learning to deter-mine whether an animal is a cat or a dog. By fitting points to a line we can observe that when we see an animal and it has long whiskers (cats) and longer tails (also cats), it is more like-ly to be a cat than a dog. The more examples we see, the more generalizations prove the rule. While it’s true that sometimes a cat has a short tail and occasionally a dog has really long whiskers, it is mostly not the case. Clusters emerge showing cats and dogs. Children quickly recognize by this method what is a cat and what is a dog. Algorithms, when given ex-amples, can be created to do the same thing, using math to automate this process.Suppose we go around our neighborhood and measure the whisker lengths and tail lengths, in inches, for the first 14 pets we see. We may end up with a set of data points like the fol-lowing (table 1):
Whisker Length (input)
Tail Length (input)
Cat or Dog? (output)
5 6 Cat
5.7 11 Cat
4.3 9.5 Cat
4.2 7 Cat
6.4 8 Cat
5.9 10 Cat
5.2 9 Cat
2.3 5 Dog
2.5 3 Dog
4 9.5 Cat
2.1 7 Dog
1.3 9 Dog
3.4 7.5 Dog
Table 1 – Whisker and tail lengths of sample pets
2 There are many good books that introduce the concepts of machine learning. The following book is short and very readable, and does not require a deep math background: Adriaans, P. and Zantinge D., 1996. Data Mining, England: Addison-Wesley Longman. The following is a great reference for those more comfortable with mathematical notation. Tan, P.-N.; Kumar, V. and Steinbach, M. 2006. Introduction to Data Mining, Boston: Addison-Wesley Longman. For the coders, try: Conway, D. and White, J. M. 2012. Machine Learning for Hackers, O’Reilly.
Figure 2 – A plot of neighborhood dogs and cats, and their tail and whisker lengths, in inches.
Figure 3 – A simple model that distinguishes between dogs and cats,
based on tail and whisker length.
Figure 4 – Predicting with a model Figure 5 – Data points without labels
18 – ISSA Journal | January 2017
Machine Learning: A Primer for Security | Stephan Jou
But how do we determine the right features? Selecting fea-tures requires knowledge. For example, we might include our historical experience or studies from industry organizations such as CERT, academic research, or our own brainstorming. This type of knowledge is the reason we need experts who can take what is in their heads and ask machines to automate it. Creating good features is a far better use of people skills and money, anyone would agree, than hiring expensive hunters to sift through a sea of alerts. Machine learning simply allows us to automate typical patterns so that our highly qualified hunters can focus on the edge cases specific to the company and the business.
Online vs. offline learning There are two modes of machine learning: online and offline.Offline learning is when models learn based on a static data-set that does not change. Once the models have complet-ed their learning on the static dataset, we can then deploy those models to create scores on real-time data. Traditional credit-card fraud detection is an example of offline learning. Credit card companies can take a year of credit card trans-actions and have models learn what patterns of fraud look like. The learning can take many days or weeks to actually complete. Once completed, those models can be applied in real time as credit-card transactions occur, to flag potentially fraudulent transactions. But the learning part was done off–line from a static dataset. Online learning occurs when we take a live dataset and si-multaneously learn from it as the data comes in, while si-multaneously deploying models to score activity in real time. This process is quite a bit harder, since we are taking data as it comes in, using live data to get smarter and run models at the same time. This is the nature of modern, machine learn-ing-based, credit card fraud detection. It notices what you personally do or do not do. It involves individualized data, simultaneously scoring activity. We use machine learning online to learn and react at the same time.This distinction is important because, for security, many of our use cases require learning new patterns as quickly as pos-sible. We do not always have the luxury of using offline ma-chine learning to collect months and years of data. Instead, it is often more desirable to have models that learn as quickly as possible, as data comes in, and also react as quickly as possi-ble, as data changes.Historically, much of the machine learning we have done is offline because it has been hard to move and analyze data fast enough to run at scale. But now, with big data technologies such as Hadoop,3 HBase,4 Kafka,5 Spark,6 and others, we are able to learn and score as data streams into our system. The speed and volume of our data feeds are so much greater than ever before. Online learning (building the models) and scor-
3 Hadoop – http://hadoop.apache.org.4 HBase – https://hbase.apache.org.5 Kafka – http://kafka.apache.org.6 Spark – http://spark.apache.org.
Unsupervised learning means we do not have any “labels,” so we are not told the “answers.” In other words, we observe a set of whisker and tail lengths from 14 animals, but we do not know which are cats and which are dogs. Instead, all we might know (if we’re lucky!) is that there are exactly two types of animals. We might still arrive at a good model to distin-guish between dogs and cats (such as the one illustrated in Figure 4), but this is clearly a harder problem!In general, security use cases require a mix of supervised and unsupervised learning because datasets sometimes have la-bels, and sometimes have not. An example of datasets where we have a lot of labels is malware: we have many examples of malware in the wild, so for many malware use cases, we can use supervised learning to learn by example. An example of datasets where we have little to no labels is anything related to insider threat or APT; there is generally not enough data available to rely on supervised learning methods.
The importance of the inputThe input that you give your machine learning model matters significantly. In trying to distinguish cats from dogs, know-ing to focus on whisker and tail lengths allowed our machine learning to be successful. If we had chosen less meaningful inputs—such as trying to distinguish cats from dogs by the number of legs—we would have been less successful.The process of picking and designing the right inputs for a model is critically important to succeeding with analytics. For security use cases, research and experience must guide the feature engineering process so that the right model inputs are chosen. For example, we know from CERT, Mandiant, and others that good indicators of insider threat and lateral movement are related to unusually high volumes of traffic. Our own research has discovered that the ratio of an individ-ual’s writes to and reads from an intellectual property reposi-tory—something we affectionately call the “mooch ratio”—is a valuable, predictable input as well. By observing such indi-cators, an effective machine-learning system can predict who might be getting ready to steal data.As you can see, the most important part of data science is selecting the inputs to feed the algorithm. It’s an important enough process to have its own special name: feature engi-neering. Feature engineering, not algorithm selection, is where data scientists spend most of their time and energy. This process involves taking data—for example, raw firewall, source code, application logs, or app logs—understanding the semantics of the dataset, and picking the right columns or calculated columns that will help surface interesting stories related to our use case. A feature is little more than a column that feeds the algorithm. Picking the right column or features gets us 90 percent of the way to an effective model, while picking the algorithm only gets us the remaining 10 percent. Why? If we are trying to distinguish between cats and dogs, and all we have as inputs are the number of legs, the fanciest algorithm in the world is still going to fail.
January 2017 | ISSA Journal – 19
Machine Learning: A Primer for Security | Stephan Jou
to search, for example, on terabytes of data per day. And for this, we have widely available big data-suitable technologies like Solr7 and Elasticsearch.8 Such technology lets us scalably index across all analyses from all detected threats, from all datasets in the data lake. Technologies like Kibana are now readily available to give us a friendly UI and API to search and visualize our results. However, visualizing big data is hard. You can imagine how a pie chart of a thousand users, in which each bar corresponds to one person, leads to a sea of color (figure 6). Visualization in the data lake is obviously an enormous field for research involving the challenge of how to take huge amounts of data and convey meaning. It requires under-standing, aggregating, summarizing, and the ability to drill down into different levels of detail. Techniques from visual-ization research—like focus-and-context visualization or an understanding of visual cognition and biological precepts—all come into play here. In other words, visualization is more than just the drawing of the picture; the analytics underneath the picture is equally important.In figure 7, we can see the result of processing more than 45 billion events. We can see that the most important events happened in February and March. Visualization on a large amount of data must tell us a story. By using machine learn-ing and visualization tools, we see the end of a pipeline of analytics using computed risk scores to generate this picture from the raw data. As we learned, math using machine learn-ing is behind the tail end of a picture that shows risk over time. The “matrix” visualization at the top represents 45 billion events. However, the underlying machine learning analysis has processed the events to 7,535 “stories,” each with varying levels of risk, which appears in the visualization as areas oc-cupied by squares. Notice how quickly you see that two of the highest risk time periods occurred in mid-to-late February. Additional interactivity allows the user to zoom in and focus on that specific time region for more detail.
7 Solr – http://lucene.apache.org/solr/.8 Elasticsearch – https://www.elastic.co/products/elasticsearch.
ing (running the models) on terabytes of data a day is now technically possible, whereas it would have been impossible a decade ago.
Leveraging the data lake A final reason that machine learning is more important to se-curity now than ever becomes clear when we consider its use with data lakes. Data lakes matter because they can be input sources for the storage of data logs, as well a repository of an organization’s intellectual property around which we build protection. Clearly, we need big data analytics and automated methods in order to see what threats are happening in this realm. Increasingly, big data lakes are giving us the oppor-tunity to analyze, detect, and predict threats—beyond seeing what has happened—for compliance and forensics purposes.This trend has occurred, in part, because data has gotten too big to store in a SIEM. As we know, most SIEMs can practical-ly store only a few months of data; anything older is dropped or stored where it is not available for analysis. Increasingly, organizations have focused on Hadoop and related technolo-gies as a more cost-effective way to act as the system of record for log files. But how can we better detect threats once we are storing data (e.g., log files) in our Hadoop data lake?
Search, visualize, detect, predict—and repeat As with any data, we want to be able to search, visualize, detect, and predict threats. With ma-chine learning, we want to combine human ex-pertise with automated analyses for faster, more accurate results. All of these tasks are harder on big data, which requires newer technologies to be capable of handling them at scale. Data lakes let us search across and join all our datasets into a single query. We want to be able
Figure 6 – A pie chart showing the top 100 most active tweeters. Source: http://chandoo.org/wp/2009/08/28/nightmarish-pie-charts/
Figure 7 – A big data interactive visualization from Interset
20 – ISSA Journal | January 2017
Machine Learning: A Primer for Security | Stephan Jou
moves. It turns out that the combination of humans and com-puters together produces stronger chess play than either hu-mans alone or computers alone. Why is the combination of humans with computers so pow-erful for playing chess? It turns out that computers are gener-ally better at calculating lots of moves, of being consistently tactical, and not making mistakes. Humans, however, tend to have a better holistic feel for the game. They see broad themes and are better able to identify an edge, excelling in strategic play.What is perhaps best, of course, is humans and computers working together. Why spend time looking at log files and billions of events when computers are so good at these tasks? Why look to an algorithm for a strategy on use cases? A skilled cyber hunter fed with amazing data sources and machine learning will save time, because the math never gets tired and rarely, if ever, makes a mistake. This leaves our experts far more free to focus on edge cases and provide feedback and guidance back to the system on new models and features.Better together, the human expert with proper machine learn-ing tools is the winning combination that makes the future of security analytics so optimistic, compelling, and powerful.
References—Adriaans, P. and Zantinge D., 1996. Data Mining, En-
gland: Addison-Wesley Longman—Conway, D. and White, J. M. 2012. Machine Learning for
Hackers, Cambridge: O’Reilly Press.—Guyon, I.; Gunn, S.; Nikravesh, M. and Zadeh, L. A. 2006.
Feature Extraction: Foundations and Applications, Nether-lands: Springer.
—Marz, N. and Warren, J. 2015. Big Data: Principles and Best Practices of scalable Real-Time Data Systems, NY: Manning Publications.
—Murphy, K. P. 2012. Machine Learning: A Probabilistic Approach, Cambridge, Massachusetts: MIT Press.
—O’Neil, C. and Schutt, R. 2013. Doing Data Science: Straight Talk from the Frontline, Cambridge: O’Reilly Press.
—Tan, P.-N.; Kumar, V. and Steinbach, M. 2006. Introduc-tion to Data Mining, Boston: Addison-Wesley Longman.
—Tufte, E. R. 1983. The Visual Display of Quantitative Infor-mation, Connecticut: Graphics Press.
—Zumel, N. and Mount, J. 2014. Practical Data Science with R, NY: Manning Publications.
About the AuthorStephan Jou is CTO at Interset. He was pre-viously with IBM and Cognos and holds an M.Sc. in Computational Neuroscience and Biomedical Engineering and a dual B.Sc. in Computer Science and Human Physiology from the University of Toronto. He may be reached at [email protected].
Here, every visualization supports large amounts of data, with machine learning and the analytics working behind the scenes to surface and compresses billions of events into dozens of stories we can understand. Further, these visual-izations can be interactive, provided you have the right tech-nology to support that interactivity with filtering done using, for example, fast search.
Taming big dataJust as we need big data tools to search and visualize, we need tools to detect and predict that are suited to the data lake realm. It’s still important to allow humans to inject business context and priorities, as well as human intuition, into the process. But clearly, standard rules engines may struggle to keep up with the volumes and velocities of the data lake. They are simply not going to scale to the size volume and velocity of a big data engine. Fortunately, just as with search and vi-sualization, there are technologies to support rules engines at scale. Kafka, Spark, and Storm are good examples of technol-ogies which understand how to move data at scale, process patterns at scale, and trigger rules. We also use different math because small-data math does not apply to big datasets. To illustrate, remember how in high school statistics we would always have to make sure our sam-ple size was large enough to be statistically significant? A typ-ical rule was to make sure you had at least a sample size of 20! Back then, it was hard to get data, but that is no longer true. Standard frequentist methods are sometimes not appropriate for large datasets, where a Bayesian approach may be better at dealing with large, messy, data. We also had to invent ways of compressing large amounts of data into small, actionable results that we could visualize, investigate, and plug into workflow. This is best done using math and statistics, and not counting, because as covered earlier, simply adding up scores tells us little that is meaningful. We must use statistical ways of computing and comparing use-principled math and statis-tics. These are essential technology tools for the data lake. But what about our human experts? Where do we fit in?
Humans and machines: Better together With big data and data lakes, machine learning can be far more automated than ever before and as unsupervised as we allow, while still accepting feedback such as in a semi-super-vised system. Because data is simply becoming bigger, it is safe to argue that the data lake is inevitable. With machine learning to help us automate and learn—and with the right technologies to help us search, visualize, and detect threats—our human experts take on a new, more expert and guiding role.Here is how I think the security professional is evolving. Ad-vanced chess,9 sometimes called Centaur chess, is a form of chess where the players are actually teams of humans with computer programs. The human players are fully in con-trol but use chess programs to analyze and explore possible
9 Centaur Chess – https://en.wikipedia.org/wiki/Advanced_Chess.
January 2017 | ISSA Journal – 21
Machine Learning: A Primer for Security | Stephan Jou
In this article, the author shares his insights about why security architecture is critical for organizations and how it can be developed using a practical framework-based approach.
By Seetharaman Jeganathan
Enterprise Security Architecture: Key for Aligning Security Goals with Business Goals
22 – ISSA Journal | January 2017
ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY
AbstractEnterprise security architecture is an essential process that aims to integrate security as a part of business and technolo-gy initiatives handled by any organization. When the security goals and objectives are aligned with organizational business goals and objectives, any organization can make informed decisions about business ventures and protect organizational assets from ever-emerging security threats and risks. In this article, the author shares his insights about why security ar-chitecture is critical for organizations and how it can be de-veloped using a practical framework-based approach.
Introduction
Enterprise security architecture (ESA) is a design pro-cess where the current state of enterprise security is analyzed, gaps are identified based on effective risk
management processes, and the identified gaps are fulfilled by applying cost-effective security controls. It is a life-cycle process that enables any organization to protect itself from advanced security threats. Until recently, ESA was a major technology effort wherein the IT technical team owned the definition, implementation, and operation of security pro-cesses and controls. However, this model has created a vac-uum with respect to business involvement and has failed to
align the IT security functions with the organizational goals and objectives [11].
Security goals and objectivesTraditionally, information security functions have been pro-viding confidentiality, integrity, availability, and accountabil-ity services to information systems and infrastructure. These services are often referred to as primary goals for informa-tion security functions. The primary objective is to secure the overall IT system and business functions as well as support growth of the underlying business. ESA is a key enabling factor to ensure that the security goals and objectives are achieved as per the expectations of the senior management [11].
Why security architecture?• Security architecture is a key in aligning security func-
tions with the organization’s business functions• Without a clearly defined architecture, security solutions
cannot be balanced between over protection and under protection
• Security architecture functions enable accountability and help obtain support and commitment from senior man-agement
Even though the proposed security architecture framework is a part of the enterprise architecture, it can also be rolled out separately as a new initiative for organizations that are not matured yet with respect to enterprise architecture. In the sections below, the author shares his practical experienc-es in implementing the proposed framework with several of his industry customers. The primary goal of the framework is to provide an organization-wide security architecture review process to ensure that security is an integral part of all busi-ness critical systems and processes [2][7].Note: Since this article focuses on security architecture in general rather than information security architecture specifically, it will be appropriate to include corporate security, personnel security, and physical security aspects in this exercise.
People factorThis area focuses on several actors (people) who must operate together to effectively roll out the proposed framework. The enterprise security architecture group (ESAG) or enterprise security review board (ESRB) is a governance body that must be formed if not available already, as an initial step. The effec-tiveness of the framework will be dependent vis-a-vis the in-volvement and participation of the identified team members. They must fulfill their required roles and responsibilities as effectively as possible. Human resources being expensive as-sets for organizations, it is indispensable to get adequate sup-port and commitment from the senior management to effec-tively utilize human resources to protect the interests of the stakeholders. Senior management support can be obtained by developing a charter of this proposed ESA group by identi-fying key roles and responsibilities of the group members. It is important to map the goals and objectives of this group to the overall organizational business goals and objectives and portray how this group will enable or support the growth of the underlying business functions [1].Figure 2 depicts the proposed people factor top-down ap-proach model to form the ESA group.
• Security architecture functions support IT functions during changes in the business processes
• Security architecture provides a snapshot of an organiza-tion’s security posture at any point of time [9]
Enterprise security architecture frameworkFigure 1 shows the proposed enterprise security architecture framework discussed throughout this paper. The framework begins with defining the security strategy, based on risk profile of the organization. An organization’s security requirements are derived mainly from security threats and risks faced by the organization [4]. These require-ments are analyzed in the framework to clearly define a se-curity strategy for the organization. The framework leverag-es three major factors; people, processes, and technology to implement the defined strategy across the organization. It is supported by other essential elements such as organizational governance, risk management, and IT governance bodies to effectively achieve total security of the organization. The au-thor has referenced “The Business Model for Information Se-curity” (BMIS) model and designed this article with exclusive focus on the security architecture function. The BMIS model was originally created by Dr. Laree Kiely and Terry Benzel at the USC Marshall School of Business Institute for Critical Information Infrastructure Protection. Later in 2008, ISA-CA adopted this model and has been promoting its concepts globally.
Figure 1 – Enterprise security architecture framework
TOTAL SECURITY
Organizational GovernanceExecutives, Board of Directors, Stakeholders
Enterprise Risk ManagementChief Risk O�cer, Risk management Group
Enterprise IT / Security GovernanceCIO, CISO, CSO, etc.
Enterprise ArchitectureEnterprise Architects
Enterprise Security ArchitectureFramework
Security Strategy
Company Assets
Information Security
Corporate Security
Physical Security
Organizational Entities
ITFunctions
BusinessUnits
BusinessPartners Customers
EnterpriseSecurity
ArchitectureGroup
EnterpriseSecurity
GovernanceBoard
SeniorManagement
• Board Members• Stakeholders
• Chief Risk O�cer• Chief Security O�cer• Corporate Security Head• Chief Information Security O�cer
• BU Heads• Security Architec ts• Information Risk Manager(s)• Information Security Manager(s)• Corporate Security Group Members
Figure 2 – People factor (top-down approach) model
January 2017 | ISSA Journal – 23
Enterprise Security Architecture: Key for Aligning Security Goals with Business Goals | Seetharaman Jeganathan
The ESA group must consist of people representing all busi-ness units of the organization such as HR, finance, R&D, IT, products, manufacturing, etc. It is important to note that the focus of this group is not only securing the information sys-tems but also securing the organization with a holistic ap-proach. Business insights and guidance are essential to derive a holistic “organization wide” security approach. A top-down approach will provide necessary commitment and oversight from senior management; also, when there is a disagreement between business groups, senior management can liaise and resolve critical issues. It is extremely important for this group to cascade the architectural functions and decisions to the entire organization below and/or above them. The head of this group or its representatives must conduct regular “con-nect meetings” with the business units to provide security architecture oversights and guidance for all their technology and business initiatives [1]One of the primary expectations and outcomes of this work-ing group should be developing security policies and stan-dards for all organizational functions wherein security is a key requirement. Security policies are directions by the se-nior management to the organization on what is allowed and what is not allowed from the security standpoint. Security standards are guidelines developed to substantiate/support each policy and set directions for business units on how to adhere to the required policies [8]. Note: The author is highly inspired by the series of books, In-formation Security Policies Made Simple, by Charles Cresson Wood and recommends them as reference material(s) to create relevant security policies by any organization. However, the samples provided in the book should be used as an inspira-tion and must not be adopted directly without careful review. The teams working on defining the policies must also take into consideration industry regulations, country-specific laws, and compliance requirements before defining the policies.
Process factorThis area focuses on how the security architecture review process should work in real time at any given organization. The need for an organization-wide risk management pro-cess is now more than ever because information systems and technology are widely used for business functions across the world. Information systems are subject to serious security threats. Threat agents exploit known and unknown vulner-abilities and cause damages to information systems. This will impact the confidentiality, integrity, availability, and accountability goals of security functions. Security breach-es even cause permanent damage to organizations and can make them go out of business. Recent laws and compliance requirements make senior management personally account-able for any negligence in securing their customer’s personal-ly identifiable information (PII), financial data, and personal health information (PHI) in the healthcare industry. There-fore, it is critical and of utmost importance that the senior management, mid-level, and lower-level employees of an organization understand their roles and responsibilities in
protecting organization’s resources effectively from security risks [1].Enterprise risk management is focused on managing risks faced by the organization. Security risks are one among sev-eral others risks faced, but security risks are more severe than the others. Organizations generally follow widely known risk management frameworks (NIST, ISACA, etc.) or cus-tom-made frameworks specific to the organization based on its culture, laws, and compliance requirements. The author discusses and illustrates this article based on the NIST (SP 800-39) risk management process, which suggests that risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tac-tical level. This enables organizations to make informed deci-sions about their security activities based on the outcome of the risk management process already in place [10].Figure 3 depicts the NIST risk management process and multi-tiered organization-wide risk management approach.Note: As the scope of this paper is not to detail the NIST risk management process, readers are encouraged to read the NIST SP 800-39 document to understand the risk management framework.An important discussion in SP 800-39 is that information security architecture is an integral part of an organization’s enterprise architecture. However, the author from his experi-ence suggests that organizations that do not have a matured enterprise architecture yet must also roll out the security ar-chitecture processes in their IT program initiatives. The pri-mary purpose of the security architecture review process is to ensure that specific security requirements are reviewed and cost-effective security solutions (management, operational, and technical) are suggested/designed for qualified risks that must be mitigated as per the risk management strategy. Or-ganizational security requirements could also arise from oth-er factors such as policies, standards, laws, and compliance regulations among others. These requirements must also flow
Figure 3 – NIST risk management process
Strategic Risk
Tactical RiskMultitiered Organization-Wide Risk Management
Risk Management Process
Tier 1Organization
Tier 2Mission / Business
Processes
Tier 3Information
Systems
Assess
Frame
Monitor Respond
24 – ISSA Journal | January 2017
Enterprise Security Architecture: Key for Aligning Security Goals with Business Goals | Seetharaman Jeganathan
More than 60% of companies recently surveyed had a data breach involving printers.1 Has yours? Only HP printers can stop an attack before it starts, with real-time threat detection, automated monitoring and built-in software validation that no one else offers.2
Reduce your risk with HP printers. See how at hp.com/go/ReinventSecurity
1 Ponemon Institute, “Insecurity of Network-Connected Printers,” October 2015.2 Based on HP review of 2016 published security features of competitive in-class printers. Only HP offers a combination of security features that can monitor to detect and automatically stop an attack, then self-validate software integrity in a reboot. For a list of printers, visit: www.hp.com/go/PrintersThatProtect. For more information: www.hp.com/go/printersecurityclaims.© Copyright 2017 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Reinvent security
After security design recommendations are submitted to the implementation team, it is vital for security architects to pro-vide required support throughout the implementation pro-cess and ensure that the proposed design recommendations are implemented as per the suggestions made in the design review. This process is referred to as the security implementa-tion review. Post implementation of a security control, quality assurance testing must be done thoroughly to ensure whether the security control is mitigating the underlying risk(s) as per the requirements. If there is still any gap in risk mitigation, then the whole process must be repeated until the underlying risk is mitigated to the acceptable level. This way, the enter-prise security review process could also be aligned with the organization’s SDLC process being followed in the informa-tion systems project implementation [8]. Figure 5 describes the proposed review process flow from the beginning to end.
Technology factorThis area focuses on the technology aspects of the informa-tion systems layer supporting the business functions. The
into the security architecture review process as depicted in figure 4 and be addressed properly [10].
Enterprise security architecture review processAn enterprise security architecture review process is primar-ily conducted to derive the most appropriate security solu-tion(s) for the qualified requirements. Enterprise security ar-chitecture review board members should meet and review the security requirements and brainstorm possible cost-effective solutions that could be management, operational, technical, or combination of these controls to mitigate risks to an ac-ceptable level. These steps are referred to as a security require-ments review and security controls review. Once a cost-effec-tive security control is identified, a security design review is conducted for functional and non-functional requirements, depending on the type of the security control(s) identified [8].A high-level summary of the security design review process for each control type is briefed in table 1; this is not an exten-sive list of design review steps but suggestions to kick start the process [8].
Security Control Types Design Review
Management
•Conductcurrent-stateassessmentandidentifygaps•Reviewtheassociatedsecuritypoliciesandstandards• Ifrequired,createnewsecuritypolicies/stan-dardsormodifytheexistingpoliciestomeetthesecurityrequirements
•Documentandsubmittherecommendations
Operational
•Conductcurrent-stateassessmentandidentifygaps•Suggestneworamendmentstotheoperationalmodel/processtomeetthesecurityrequirements•Documentandsubmittherecommendations
Technical
•Conductcurrent-stateassessmentandidentifygaps•Suggestnewcontrolsorchangestotheexistingtechnicalcontroltomeetthesecurityrequirements•Conductcost-benefitanalysis,securityreturnofinvestment(SROI)analysistoprovethecosteffectivenessofthesolutions•Providefunctionaldesigninputs•Providenon-functionaldesigninputs•Documentandsubmittherecommendations
Table 1 – Security controls design review (high-level summary)
Figure 4 –Enterprise security architecture process drivers
Figure 5 – Enterprise security architecture process flow
No
Start
Security Requirements Review
Security Controls Review
Decision
Management Operational Technical
Security Design Review
Security Implementation Support
Security Post-Implementation Review
Risk Mitigation ?
Yes
Stop
OtherDrivers
Risk Management
Framework
Enterprise Security Architecture Review Process
SecurityRequirements
SecurityRequirements
26 – ISSA Journal | January 2017
Enterprise Security Architecture: Key for Aligning Security Goals with Business Goals | Seetharaman Jeganathan
ate a detailed inventory of the current state of information security controls in place at the physical, network, infrastruc-ture, and application levels [3].There are several possible approaches in assessing the cur-rent-state security controls of physical, network, infrastruc-ture, and application layer components; one such approach is creating a 3X3 matrix of current security controls classified into types such as preventive, detective, and corrective con-trols (table 2) [8].After completing the above exercise at all the levels, the cur-rent security posture (“as-is”) of the organization would be created successfully. The next critical steps are:a) Conduct a gap analysis of current-state security b) Conduct a risk analysis of critical information systemsAn effective risk management process is a key here to find out the gaps in the current state and the residual risk on the business critical information systems. The architecture team must review the gap analysis and risk analysis reports to derive the requirements for the desired (“to-be”) state ar-chitecture to adequately protect the identified assets. The requirements must be presented to the senior management, governance board, etc., for approval, funding, and adequate support for implementation. It is extremely important to map the goals of the security architecture with business goals and
process begins with creating a blueprint(s) of the current state (“as-is”) of the information systems layer (logical and technical) in the primary and secondary data center(s) of the organization. Figure 6 provides a high-level logical view of the primary data center. After a high-level blueprint is created, the team has to move on to creating more focused blueprints about the following areas but not limited to: 1. Detailed blueprints about the network segments such as
the DMZ layer, internal network layers (intranet), and external networks such as partner networks, Internet, VPN networks, etc.
2. Detailed blueprints about the infrastructure layer such as servers, databases, mail servers, file servers, etc.
3. Request the individual application teams (mission criti-cal and all others) to derive their application-specific ar-chitecture diagrams if not already available [4]
Figure 7 depicts a high-level logical and physical deployment sample architecture blueprint of an e-commerce application in a financial services company.After completion of above mentioned exercise, the architec-ture team would have relevant information to review and cre-
Preventive Detective Corrective
Administrative •Acceptableusagepolicy•Changemanagementpolicy• Effectivechangemanagementprocess
Technical
•Dataencryption•SSL/TLStransportencryption•Secureconfiguration•Accesscontrol
•Vulnerabilityscanning•Securecoding/review
•Effectiveincidentresponse
Physical •Application-specificcontrol(s)ifany •Application-specificcontrol(s)ifany •Application-specificcontrol(s)ifany
Table 2 –Sample controls review matrix (e-commerce application)
Figure 6 – Organization data center – logical view
Figure 7 – Sample e-commerce application – logical/deployment architecture
January 2017 | ISSA Journal – 27
Enterprise Security Architecture: Key for Aligning Security Goals with Business Goals | Seetharaman Jeganathan
• US Department of Defense architectural framework, and much more
Organizations can leverage these frameworks and custom-ize them to meet security architecture requirements. As the scope of this paper is not to review these frameworks in detail, the author notes that organizations must choose an architec-ture framework that is flexible enough to support business growth and adapt for changes in the business environment and processes [5].
ConclusionThe enterprise security architecture process streamlines se-curity functions of an organization to achieve effective total security. In this article, the author proposed an enterprise se-curity architecture framework and detailed the pillars (peo-ple, process, and technology) of the framework. Whether adopting this framework or an industry-recognized frame-work is a decision to be made by the organization, depending on the culture, business environment, and industry com-pliance requirements. Any framework will be effective only when adequate support is given. In order to obtain desired outcomes of an architecture framework, it must be under-stood and supported by the senior management. In today’s economy-centric business environments, a security architec-ture framework must be increasingly business oriented rather than a technology-centric framework to obtain expected re-turns on security investments.
References1. Architecture Compliance. (n.d.), The Open Group. Re-
trieved November 09, 2016, from http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap48.html.
2. Breithaupt, J., & Merkow, M. S. Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility, Information Security Prin-ciples of Success, Pearson IT Certification (2014, July 4). Retrieved from http://www.pearsonitcertification.com/articles/article.aspx?p=2218577&seqNum=12.
3. Building an e-commerce Solution Architecture, Dami-con. Retrieved November 9, 2016, from http://www.dam-icon.com/resources/Architecture_Practices.pdf.
objectives to garner the support from management and board of directors [5].As the technology environment is ever changing due to sev-eral factors such as changes in the business processes, en-vironment, technology adoption, automation, etc., security architecture must always be a live and vigilant group in any organization in order to adopt the changes and support the business to function without disruptions. It is essential to remember that IT and security functions must be business enablers rather than creating road blocks for business func-tions.Note: Organizations that are matured in information securi-ty processes have adopted one or more industry frameworks listed below to implement the minimum required security controls and desired security architecture for effective infor-mation security: • ISO 27001:2013 Information Security Standard • NIST Cybersecurity Framework• ISACA COBIT 5 Information Security • SANS Critical Security Controls, etc. [5]
Incorporating security architecture in enterprise architectureMIT Sloan School’s Center for Information Systems Research (CISR) defines enterprise architecture as “the organizing log-ic for business process and IT infrastructure reflecting the integration and standardization requirements of the firm’s operating model. The enterprise architecture provides a long-term view of a company’s processes, systems, and technol-ogies so that individual projects can build capabilities—not just fulfill the immediate needs” [12]. In simple terms, enterprise architecture provides a logical view of the enterprise business layer (functions and process-es), the IT infrastructure layer, the data layer, and the applica-tions layer. As enterprise architecture is not the focus of this article, the author would emphasize that security architecture could be part of the enterprise architecture and provide ad-equate security for all the architecture functions. Figure 8 depicts a security-enabled enterprise architecture view of an organization [13].
Security architecture frameworksThere are several industry frameworks that provide architec-tural approaches for meeting security requirements. Some of them to be noted are: • SABSA comprehensive framework for enterprise security
architecture and management• Zachman framework of IBM• The Open Group architecture framework• The Open Security architecture group framework• UK Ministry of Defense architecture framework
Enterprise Architecture
Business Architecture
InformationArchitecture
Technology Architecture
SECURITY
SECURITY
Figure 8 – Security enabled enterprise architecture view
28 – ISSA Journal | January 2017
Enterprise Security Architecture: Key for Aligning Security Goals with Business Goals | Seetharaman Jeganathan
4. Gunnar Peterson, Security Architecture Blueprint, Arctec Group LLC, 2007.
5. ISACA. CISM Review Manual 2015, ISACA (November 1, 2014).
6. ISACA. An Introduction to the Business Model for In-formation Security. Rolling Meadows IL: ISACA, 2006 – http://www.isaca.org/knowledge-center/research/re-searchdeliverables/pages/an-introduction-to-the-busi-ness-model-for-information-security.aspx.
7. Kreizman, G. (2011, October 4). An Introduction to In-formation Security Architecture. Retrieved from http://gartnerinfo.com/futureofit2011/MEX38L_D2 mex38l_d2.pdf.
8. Landoll, D. J. (2016). Information Security Policies, Pro-cedures, and Standards: A Practitioner’s Reference. Boca Raton: CRC Press, Taylor & Francis Group.
9. Olzak, T. (2010, September). Build an Enterprise Securi-ty Architcture-based Framework. Retrieved January 16, 2011, from CBS Interactive/TechRepublic: http://www.techrepublic.com/downloads/build-an-enterprise-archi-tecture-base-framework/2212421.
10. Publication: SP 800-39. Managing Information Security Risk: Organization, Mission, and Information System View, National Institute of Standards & Technology –http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecial-publication800-39.pdf.
11. Ritchot, B. 2013. An Enterprise Security Program and Architecture to Support Business Drivers. Technology Innovation Management Review, 3(8): 25-33. http://tim-review.ca/article/713.
12. Ross, J. W., Weill, P., & Robertson, D. Enterprise Archi-tecture as Strategy: Creating a Foundation for Business Execution. Boston, MA: Harvard Business School Press (2006).
13. Security Architecture: A New Hype for Specialists, or a Useful Means of Communication? Retrieved November 9, 2016, from https://www.pvib.nl/down-load/?id=11542823.
About the AuthorSeetharaman Jeganathan, CISSP, has more than 14 years of experience in IT technolo-gy security consulting and program man-agement. He mainly focuses on information systems risk assessments, identity and access management (IAM) solution strategy defini-tion, architecture definition, and design and implementation of IAM security solutions. He also specializes in cloud-based applications security consulting and implementation of IAM solutions in cloud. He may be reached at [email protected].
[email protected] • WWW.ISSA.ORG
ISSA Journal 2017 CalendarJANUARY
Best of 2016
FEBRUARYLegal, Privacy, Regulation, Ethics
Editorial Deadline 1/6/17
MARCHInternet of Things
Editorial Deadline 1/22/17
APRILNew Technologies in Security
Editorial Deadline 2/22/17
MAYThe Cloud
Editorial Deadline 3/22/17
JUNEBig Data/Machine Learning/Adaptive Systems
Editorial Deadline 4/22/17
JULYCybersecurity in World Politics
Editorial Deadline 5/22/17
AUGUSTDisruptive Technologies
Editorial Deadline 6/22/17
SEPTEMBERHealth Care
Editorial Deadline 7/22/17
OCTOBERAddressing MalwareEditorial Deadline 8/22/17
NOVEMBERCryptography and Quantum Computing
Editorial Deadline 9/22/17
DECEMBERSocial Media, Gaming, and Security
Editorial Deadline 10/22/17
March 2016Volume 14 Issue 3
Crypto Wars IIFragmentation in Mobile Devices
Mobile Application SecurityMobile App Testing for the Enterprise
Crypto Wars II
MOBILE APPS
May 2016Volume 14 Issue 5
Do Data Breaches Matter? A Review of Breach Data and What to Do NextFedRAMP’s Database Scanning Requirement:
The Letter and SpiritSmart Practices in Managing an Identity Auditing Project
On the Costs of Bitcoin Connectivity
★ ★ ★ ISSA ★ ★ ELECTION ★ ★ 2016 ★ ★ ★
Do Data Breaches Matter?A Review of Breach Data and What to Do Next
BREACH REPORTS:COMPARE/CONTRAST
You are invited to share your expertise with the association and submit an article. Published authors are eligible
for CPE credits. For theme descriptions, visit www.issa.org/?CallforArticles.
January 2017 | ISSA Journal – 29
Enterprise Security Architecture: Key for Aligning Security Goals with Business Goals | Seetharaman Jeganathan
AbstractThe cybersecurity industry faces a shortage of qualified professionals. Part of the solution is to better deliver cyber-security education in colleges and universities. While other professionals have addressed the issue by proposing a for-mal university curriculum, this article approaches the sub-ject from the perspective of professional security personnel teaching as adjunct instructors. The purpose of this article is to equip cybersecurity professionals working as adjunct instructors with resources to deliver a more efficient and ef-fective class.
A key battle in the cybersecurity war today is not being fought with firewalls and encryption. It is not be-ing fought between cybersecurity professionals and
cybercriminals. And it is not being fought in corporate net-works and the Internet. No, this struggle is between academia and the information security profession. It is being fought in the classroom.
ChallengesThe cybersecurity industry continues to fall short of qualified professionals. Prominent information security organizations have stated that the shortage is real. For example, (ISC)2 pre-dicts that the cyber world will be short 1.5 million cybersecu-rity professionals by 2020.1 Furthermore, Enterprise Strategy Group (ESG)2 research shows that 28 percent of organizations
1 Jon Oltsik, “Creating a Cybersecurity Center of Excellence,” Network World (2015) – http://www.networkworld.com/article/3016593/security/creating-a-cybersecurity-center-of-excellence.html.
2 Enterprise Strategy Group - http://www.esg-global.com/.
have a “problematic shortage” of IT security skills.3 Mean-while, as a society we are living in the world of the Internet of Things and ransomware. The threats are numerous, the crim-inals are resilient, and the rewards are rich. The US Bureau of Labor Statistics projects great growth in the computer and mathematical occupations, which include cybersecurity.4 In fact, they project that this group of indus-tries will produce more than 1.3 million job openings with-in the next six years. This equates to an 18 percent increase, which they label as faster than average. For information se-curity analysts, the outlook is even better. It is expected that this occupation will grow at a rate of 36.5 percent. The bureau attributes this fast growth to the increased use of electronic medical records and mobile technology. However, some of the greatest growth areas come with high-er educational requirements as illustrated in table 1. The bu-reau reports that the fastest growing occupations within the business and financial operations sectors will require at least a Bachelor’s degree. For the computer and mathematical oc-cupations the educational requirements are even higher. As seen in table 2, the bureau projects that most of the new jobs occurring in this group will require a master’s degree.
SolutionsThe shortage of qualified cybersecurity professionals is a complex problem, which means there is no easy answer. One of the issues that must be addressed is properly educating a cybersecurity workforce. In their 2014 article, “Application of Pedagogical Fundamentals for the Holistic Development of
3 Jon Oltsik, “Creating a Cybersecurity Center of Excellence,” Network World (2015) – http://www.networkworld.com/article/3016593/security/creating-a-cybersecurity-center-of-excellence.html.
4 Bureau of Labor Statistics – http://www.bls.gov/opub/mlr/2013/article/occupational-employment-projections-to-2022.htm.
The Role of the Adjunct in Educating the Security PractitionerBy Karen Quagliata – ISSA member, St. Louis Chapter
The cybersecurity industry faces a shortage of qualified professionals. Part of the solution is to better deliver cybersecurity education in colleges and universities. The purpose of this article is to equip cybersecurity professionals working as adjunct instructors with resources to deliver a more efficient and effective class.
30 – ISSA Journal | January 2017
ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY
As seen in figure 2, the KBP model is a multi-dis-cipline approach to information assurance. Mul-tiple schools within the university play a role in educating the security professional. They include the business school, the IT school, and the law school.7
Education transformationSuch formal approaches to education delivery as the KBP model are vital to the cybersecu-rity workforce. However, they rely on a more traditional education delivery model. What is becoming more evident, though, is that higher education is undergoing a transformation. That transformation is a move from a staff of tenured professors with degrees in education to the use of adjunct instructors who are often profession-als working in the industry. For a multitude of reasons, colleges and universities are now rely-ing more heavily on adjunct instructors. In fact, in 2014 adjuncts made up more than 70 percent of all college and university faculty.8 Adjunct in-structors teach classes on a contract basis. Often a master’s degree in the subject that they will teach and professional experience are the main
requirements. They can be trained teachers, but many are in-dividuals who work in a given profession full-time and teach part-time. It is the latter category where the cybersecurity world must focus. It is the responsibility of cybersecurity professionals to teach cybersecurity courses in an effective and efficient manner. Part of the problem, though, is that often a cybersecurity ad-junct is handed only a course name, brief course description, and textbook name along with his/her contract. In some cas-es another teacher who previously taught the class will share
7 Ibid.8 J. Fruscione, “When a College Contracts ‘Adjunctivitis,’ It’s the Students Who Lose,”
PBS Newshour - http://www.pbs.org/newshour/making-sense/when-a-college-contracts-adjunctivitis-its-the-students-who-lose/.
Cybersecurity Professionals,” authors Barbara Endicott-Pop-ovsky and Viatcheslav Popovsky provide a wealth of informa-tion for universities looking to develop a formal curriculum for information assurance education.5 Figure 1 illustrates the Kuzmina-Bespalko-Popovsky (KBP) Pedagogical Model de-veloped at the Center for Information Assurance and Cyber-security (CIAC) at the University of Washington.6 The model takes into consideration such influences on education as the current job market as well as technical, economic, cultural and political trends.
5 Barbara Endicott-Popovsky and Viatcheslav Popovsky, “Application of Pedagogical Fundamentals for the Holistic Development of Cybersecurity Professionals,” ACM Inroads (2014 March) – https://niccs.us-cert.gov/sites/default/files/documents/files/p57-endicott-popovsky.pdf?trackDocs=p57-endicott-popovsky.pdf.
6 Ibid.
Education levelEmployment Projected change, 2012-2022
2012 2022 Number Percent
Bachelor’sdegree 2,893.1 3,415.2 522.1 18.0
Somecollege,nodegree 547.7 658.5 110.8 20.2
Associate’sdegree 316.1 356.6 40.6 12.8
Master’sdegree 31.1 39.2 8.2 26.3
Doctoralorprofessionaldegree 26.7 30.8 4.1 15.3Source:USBureauofLaborStatistics
Table 2 – Computer and mathematical occupations employment by educational requirement, 2012 and projected 2022 (employment in thousands)
Education levelEmployment Projected change, 2012-2022
2012 2022 Number Percent
Bachelor’sdegree 5,344.3 6,131.4 787.1 14.7
Highschooldiplomaorequivalent 1,809.7 1,921.4 111.7 6.2
Postsecondarynondegreeaward 13.5 12.8 –0.7 –5.3Source:USBureauofLaborStatistics
Table 1 – Business and financial operations occupations employment by educational requirement, 2012 and projected 2022 (employment in thousands)
Figure 1 - The KBP Pedagogical Model: CIAC as a pedagogical system
KBP Pedagogical Model for Information Assurance Curriculum Development
IA ProfessionalsNew Students
Dynamic Social / Professional Context
Teachers
Students
Goals
ContentDidatic
Processes
Trends: Technological, Economic, Cultural, Political
Job Market
Figure 2 – Multi-disciplinary approach to information assurance
Business School–ITiSchoolEvans SchoolLaw SchoolTech Comm-Eng
Business School–ITiSchoolEvans School–Internet CenterLaw School—Shidler Center
Business School–ITiSchoolTech Comm-Eng
Goal of System
Policy
Procedures & Practices
Mechanisms
Security AwarenessTraining
Secure System
iSchoolComputer ScienceElect Engr
IA Audit Feedback
January 2017 | ISSA Journal – 31
The Role of the Adjunct in Educating the Security Practitioner | Karen Quagliata
his or her syllabus and notes with the cybersecurity adjunct. Predictably, the results can be varying degrees of class quality.
RecommendationsCybersecurity professionals teaching as adjuncts need a strong support system of resources in the form of profession-al organizations, industry research and publications, and assistance from experienced cybersecurity adjuncts. Figure 3 shows the suggested model needed to produce an effective adjunct-led cybersecurity classroom.
Figure 3 – Adjunct-led cybersecurity classroom model
The following are some recommendations for cybersecurity professionals who are entering the world of adjunct teaching.
Topics Be sure to cover the key topics and pain points of the security industry today. Sure, the (ISC)2 Common Body of Knowledge (CBK)9 is a great foundation to build the class, but do not stop there. Go beyond the CBK basics—address the reality of im-plementing security in a corporate setting, address the strug-gle of trying to implement a security culture when senior leadership is lukewarm (at best) to the idea, address funding and threat landscapes specific to industries. • Be sure to address the sometimes forgotten risk areas such
as third-party vendor management. Data breaches that can be attributed to third-party vendors are still occurring. For example, a 2015 study by the Ponemon Institute shows that 39 percent of respondents attributed their healthcare organization’s data breach to a third-party issue.10
• Adjunct instructors should certainly discuss any recent data breaches in their classes, but they should do so in an analytical manner. For example, compare three major data breaches and identify any similar aspects (compro-mised credentials, third-party backdoors, unpatched sys-tems, etc.)
• Adjunct instructors should use industry resources to ad-dress key aspects of cybersecurity, such as the Verizon
9 (ISC)2 Common Body of Knowledge –https://www.isc2.org/cbk/default.aspx.10 Ponemon Institute, Fifth Annual Benchmark Study on Privacy & Security of
Healthcare Data Report – https://iapp.org/media/pdf/resource_center/Ponemon_Privacy_Security_Healthcare_Data.pdf.
Data Breach Investigations Report11 and Ponemon Insti-tute’s Cost of a Data Breach Report.12 These two free re-sources will not only help the adjunct address causes of breaches, but also how much they will cost an organiza-tion.
• Adjunct instructors owe it to their students to address certifications. Students of higher education are painfully aware of the cost of a degree. Some may question whether it is better to forgo the degree and just pursue the certifi-cation route. Share a list of some of the more in-demand security certifications and what is required to obtain them. Go the extra mile and study the want ads to see what certi-fications employers want their candidates to have.
Tests Strongly consider using standardized tests for introductory security classes only. It can be assumed that at higher course levels the students already have a firm grasp of basic secu-rity topics, such as bios, authentication methods, basics of encryption, etc. At the higher level courses adjunct instruc-tors should be looking for analytical skills in their students. Writing in a clear, concise, analytical manner is vital to any industry, including information security.
Assignments Adjuncts should make their assignments as realistic as possi-ble. The goal of education is to expand the mind, but it should also prepare students for the real world. A good way to make realistic assignments is to draw upon actual work experienc-es, or use prewritten case studies. One approach is to pro-pose a business problem that must be solved by IT. Ask the students to research and propose a solution, complete with a cost summary and risk assessment. Adjuncts can expand upon that assignment by instructing the students to present the solution both to a technical audience and a business au-dience. Another possible assignment is to have students on a weekly basis choose a topic in security news and write a summary. While not an overly complex assignment, it forc-es students to get into the habit of staying abreast of current issues and topics in the industry. It also helps students hone their writing skills.
Textbooks If the university does not already have a textbook in mind for the class, then the adjunct should consider using certifica-tion study guides. These resources lend themselves to a good foundation because of the breadth and depth of the material they cover.
Professional organizationsThe classroom is also a good platform for encouraging stu-dents to consider how professional organizations, such as ISSA, can help them at any stage of their careers. The adjunct
11 Verizon Data Breach Report – http://news.verizonenterprise.com/2016/04/2016-data-breach-report-info/.
12 Ponemon Institute’s Cost of a Data Breach Report – http://www-03.ibm.com/security/data-breach/.
ExperienceCase StudiesAssignments
SpeakersProfessional
Organizations
O�site LearingField Trips
Formal TestsBooks, Professional
Organizations
Adjunct-LedCybersecurity Classroom
32 – ISSA Journal | January 2017
The Role of the Adjunct in Educating the Security Practitioner | Karen Quagliata
SecureWorld conferences provide more resources and facilitate more connections than any other cybersecurity event in North America. Our regional events are designed to equip and inspire those defending the digital frontier.
Join like-minded security professionals in your local community for high-quality, affordable training and education. Attend featured keynotes, panel discussions and breakout sessions, and learn from nationally-recognized experts. Network with fellow practitioners, thought leaders, associations and solution vendors.
Don’t go it alone. Register for a SecureWorld conference near you.
See Globally. Defend Locally.
Announcing our 2017 conference schedule. In addition to our lineup of 14 regional events, we’re excited to introduce two new markets:
Chicago and Twin Cities. Mark your calendars and make plans to attend!
*Dates subject to change
Fall:Cincinnati, OH - September 7Detroit, MI - September 13-14
St. Louis, MO - September 20-21 Denver, CO - October 4-5
Twin Cities, MN - October 12*Dallas, TX - October 18-19*Bay Area, CA - October 26*Seattle, WA - November 8-9
Spring:Charlotte, NC – March 2
Boston, MA – March 22-23Philadelphia, PA – April 5-6
Portland, OR – April 20Kansas City, KS – May 3Houston, TX – May 18
Atlanta, GA – May 31-June 1Chicago, IL – June 7
www.secureworldexpo.com
should provide a list of website links to pertinent organiza-tions. The adjunct can also invite presidents of local chap-ters to speak during a class, or ask permission for students to come to a future event on a trial basis.
InnovationAdjuncts should try to go beyond the typical lecture. Infor-mation security is a vibrant, constantly changing industry. Traditional lectures do not do it justice. While it is not always possible to avoid a lecture while speaking about the vulner-abilities of a kernel, there are other opportunities to educate without producing glazed stares. • Field trips – Adjuncts should take the education outside
of the classroom. Even professionals working in the indus-try welcome a field trip. Reach out to local law enforce-ment to see if the class can visit a forensics lab, or if a local company will allow students to view its network monitor-ing system.
• Guest speakers – Guest speakers can also provide an in-novative way to impart knowledge. No matter how excit-ing an adjunct may be as a speaker, students always seem to pay more attention to a guest speaker. Adjuncts can use a guest speaker to reinforce the topic of the day. For exam-ple, if the class discussion is authentication, the adjunct can bring in an expert on biometrics. Sources for speak-ers are abundant. Adjuncts can use professional organi-zations and/or colleagues as a source for speakers. Local law enforcement can be another source. Finally, with web conferencing there is no geographical boundary.
• Video – Adjuncts should not be afraid to incorporate vid-eo into their lectures. YouTube provides a plethora of se-curity-related videos and instructions that will go beyond the typical lecture. There are also plenty of free webinars available from vendors and professional organizations. Along those lines, the adjunct can have students play free interactive phishing games available online.
Implications for professional security organizationsThe changing dynamics of the information security indus-try and the higher education system are providing a perfect storm for professional security organizations to play a greater role in promoting and supporting the profession. Profession-al security organizations, such as ISSA, can play a vital role in helping to ensure the level of quality delivered by security professionals teaching in an adjunct capacity. Professional se-curity organizations can be a repository of resources to help the new—or established—adjunct instructor. Some of the possible ways that organizations can help include:• Classroom material – Professional security organiza-
tions can solicit their members to submit case studies, test questions, and project ideas to their local chapters to help establish a repository of classroom material. Participation can be counted toward CPEs.
• Speaker’s bureau – Professional security organizations contain a wealth of experience. Organizations can estab-lish a speaker’s bureau to help bring some of that expe-rience to the classroom. The local chapter can establish a repository of speakers based on their area of expertise and availability. Participation can be counted toward CPEs.
• Mentoring program – Almost certainly there will be members of a professional security organization who are already working as adjunct instructors. Organizations can establish a mentoring program where experienced ad-juncts can help new adjuncts with lesson plans, tips, and effective teaching strategies. Participation can be counted toward CPEs.
• Textbook recommendations – Professional security orga-nization members can also provide support to the adjunct community by recommending potential textbooks or sup-plemental reading material for cybersecurity classes.
ConclusionThe growing cybersecurity field is expecting its personnel to have terminal degrees. At the same time colleges and univer-sities are relying upon adjunct instructors to help supplement their staff of tenured professors. The result is that cyberse-curity programs at colleges and universities are turning to cybersecurity professional to fill adjunct instructor roles. Often cybersecurity adjunct instructors are thrown into the classroom with little support. To help ensure a consistent lev-el of quality of cybersecurity classes, cybersecurity adjunct instructors should follow guidelines outlined in this article. Furthermore, professional security organizations should act as a support system by providing classroom material and ex-perienced professionals.
About the AuthorKaren Quagliata, PhD, PMP, CISA, CISSP, is an information security analyst working in risk management and governance. She is also an adjunct instructor for multiple uni-versities and colleges. Karen can be reached at [email protected].
ISSA Journal Back Issues – 2016Past Issues – digital versions: click the download link:
ISSA.org => Learn => Journal
Securing the Cloud Mobile Apps Big Data / Data Mining & Analytics
Malware Threat Evolution Breach Reports – Compare/Contrast
Legal, Privacy, Regulation Social Media Impact Internet of Things Payment Security
Cybersecurity Careers & Guidance Practical Application and Use of Cryptography
34 – ISSA Journal | January 2017
The Role of the Adjunct in Educating the Security Practitioner | Karen Quagliata
Fragmentation by OSApple’s success in this area is primarily due to the company’s control over both the hardware and software components of the iOS line of devices. With all mobile hardware, there are three primary stake-holders, aside from the end user. The de-velopers create the operating system. Device manufacturers, of course, are responsible for actually building or assembling phones, tablets, and additional hardware. And carriers sup-ply the means through which the devices communicate with the world. Apple comprises two of these three stakeholders, a position the tech giant has been able to leverage to limit carri-er incursions into its operating system and hardware. Device fragmentation among Android and Windows mobile devices, on the other hand, is significantly more complicated (figure 1).Due in large part to the open nature of the Android oper-ating system, there are hundreds of Android-compatible de-vice manufacturers from the well-known Samsung to smaller companies like Blu Dash2 (figure 2). Each manufacturer is able to make alterations to the operating system itself, which can include useful features such as Samsung or HTC’s fin-gerprint scanners (which were not natively supported by An-droid until recently) or proprietary front ends like Samsung’s
2 OpenSignal. “Android Fragmentation Visualization.” Aug. 2015. Web. 19 Jan. 2016 - http://opensignal.com/reports/2015/08/android-fragmentation/.
T hirty seconds and a USB cable are all it takes to compromise an iPhone 4.
Through the execution of an “SSH Ram Disk” attack, a malicious at-tacker can achieve root access on a victim device without jailbreak-ing or causing permanent changes to the hardware or operating sys-tem. The vulnerability responsible for this exposure can be found at the hardware level, and as a result of device fragmentation, it is unlikely that Apple will ever be able to directly address the problem for affected con-sumers.Mobile device fragmentation is a phenomenon that occurs at a point in time when groups of mobile users are running various versions of an operating system across a variety of hardware platforms. As mobile devices age, software develop-ers and hardware manufacturers cease to provide updates for older devices, leaving users, often times unknowingly, with a wide range of potential problems ranging from minor bugs to compromise-level security flaws.Device fragmentation happens naturally over time as new hardware is released that includes additional features or sys-tem requirements that cannot be supported by older models. Of the three major kings of the mobile market, Apple iOS de-vices fare far better than their Android and Windows phone counterparts when it comes to device fragmentation. As of August 2015, iOS 8 had been adopted by 85 percent of Apple device users; Android Lollipop, Google’s latest release at the time, had only an 18 percent adoption rate despite there only being a two-month difference in their release times.1
1 Whitney, Lance. “iOS 8 Hits 85% Adoption Rate; Android Lollipop Only at 18%.” 5 Aug. 2015. Web. 24 Feb. 2016 – http://www.cnet.com/news/ios-8-hits-85-adoption-rate-android-lollipop-only-at-18/.
The purpose of this article is to explore the threat to consumers posed by mobile device fragmentation. The author categorizes mobile device fragmentation by operating systems, manufacturer, and carrier, exploring the vulnerabilities at each level.
By Ken Smith
Fragmentation in Mobile Devices
Figure 1 – OS and Android Versions on the Market in 2015 (OpenSignal, 2015)
January 2017 | ISSA Journal – 35
ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY
TouchWiz. Additionally, carriers such as Verizon, AT&T, and T-Mobile are able to leverage their control of the airwaves to drop proprietary third-party software onto many Android devices before they hit the market. The NFL Mobile applica-tion and Verizon’s line of in-house applications are examples of such installations. These applications cannot normally be removed by the user without gaining root access to the phone or tablet, which, of course, creates additional security prob-lems and exposures.Microsoft controls a much smaller portion of the mobile mar-ket; according to the International Data Corporation (IDC), in Q2 2015, a mere 2.6 percent of the world’s mobile users were on Windows-powered phones.3 Nevertheless, Windows mobile devices, specifically Windows phones, have historical-ly been subjected to significant device fragmentation (though it is not as big as a problem as it is with Android) due in large part to a lack of support from carrier brands. When Micro-soft’s Denim update for Windows Phones was first released in September 2014, it took months for T-Mobile and AT&T to push the update to compatible phones. Verizon was quicker to respond, but only after it had continuously refused to push the previously available update, Cyan, to compatible devices.4 In response to these kinds of problems, in the spring of 2015 Microsoft announced that it would be taking over updates for all Windows 8 devices, assuring customers with compatible devices that they would receive an upgrade to Windows 10 in a timely manner.5 Unfortunately, at the time of the an-nouncement there were still many users on Windows 7 devic-es, many of which would not be able to make the upgrade. In November 2014, nearly 17 percent of Windows phones on the market were running Windows 7, and a large portion of those
3 IDC. “Smartphone OS Market Share.” International Data Corporation. 2015. Web. 10 Feb. 2016 – http://www.idc.com/prodserv/smartphone-os-market-share.jsp.
4 Murphy, David. “Microsoft Going after Smartphone Fragmentation in Windows 10 Mobile.” PC Magazine. 16 May 2015. Web. 10 Feb. 2016 – http://www.pcmag.com/article2/0,2817,2484312,00.asp.
5 Bott, Ed. “Microsoft Says It’s Taking Over Updates for Windows 10 Mobile Devices.” ZDNet, 25 May 2015. Web. 10 Feb 2016 – http://www.zdnet.com/article/microsoft-says-its-taking-over-updates-for-windows-10-mobile-devices/.
devices had already been unable to make the jump to Windows 8/8.16 (figure 3). This has subsequently left a significant portion of the Windows Phone customer base unsupported, necessitating an upgrade to newer hardware.
Consumer vulnerabilitiesIt goes without saying that device fragmentation presents a number of serious problems for consumers. First-party ap-plications and changes to the underlying operating system introduced by device manufacturers can put users at serious risk. Ryan Welton, a security researcher with NowSecure, re-vealed at BlackHat 2015 that Samsung’s update process for its customized version of the Swift keyboard application could be exploited to create a man-in-the-middle scenario through which remote code execution could be achieved. According to a 2015 report by Dan Goodin for Ars Technica:7
Attackers in a man-in-the-middle position can imperson-ate the [update] server and send a response that includes a malicious payload that’s injected into a language pack update. Because Samsung phones grant extraordinarily elevated privileges to the updates, the malicious payload is able to bypass protections built into Google’s Android op-erating system that normally limit the access third-party apps have over the device.
Welton successfully demonstrated the attack at the confer-ence, compromising a variety of Samsung phones attached to Verizon, Sprint, and AT&T carrier networks.8 The vulnera-bility was quickly patched by Samsung, but carrier networks were slow to push the update to affected devices.Often times, very serious vulnerabilities are discovered and problems arise when patches must be written, tested, mod-ified, and verified across a variety of devices, operating sys-tem versions, and carrier or manufacturer builds. On July 27, 2015, Joshua Drake of Zimperium announced that he had
6 Kumar, Ramesh. “Microsoft Hopes 0% Windows Phone 8.x OS fragmentation; Windows 10 Is the Future.” Inferse, 15 Nov 2014. Web. 10 Feb 2016 – http://www.inferse.com/19397/microsoft-hopes-0-windows-phone-8-x-os-fragmentation-windows-10-future/.
7 Goodin, Dan. “New Exploit Turns Samsung Galaxy Phones into Remote Bugging Devices.” Ars Technica. 16 Jun 2015. Web. 10 Feb. 2016 – http://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy-phones-into-remote-bugging-devices/.
8 Welton, Ryan. “Remote Code Execution as System User on Samsung Phones.” NowSecure Blogs. NowSecure, 15 June 2015. Web. 19 Jan. 2016 – https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/.
Figure 2 – Android Market Shares by Manufacturer (OpenSignal, 2015)
Figure 3 – Q4 2014, Windows Phone OS Distribution (Kumar, 2014)
36 – ISSA Journal | January 2017
Fragmentation in Mobile Devices | Ken Smith
discovered a variety of Android vulnerabilities that are now collectively known as “Stagefright.” The Stagefright bug af-fected Android version 2.2 (“Froyo”) and newer. When ex-ploited successfully, the vulnerability allowed for an attacker to perform remote code execution and privilege-escalation attacks against affected devices. Zimperium estimated that, at the time of the initial announcement, a successful exploit could be triggered on roughly fifty percent of affected devic-es without any user interaction.9 Aside from the seriousness of the vulnerability itself, most concerns about Stagefright stemmed from the hurdles to patching presented by device fragmentation. In spite of the fact that Google fixed the prob-lem in its code base days after being notified in April 2015, it took months for major manufacturers and carrier networks to push the patches out to affected devices. Even worse, cer-tain older devices may never be patched for Stagefright.10 To cap off the crisis, the slow release of patches and updates was complicated when a second round of Stage-fright vulnerabilities was discovered and publicly released in early October of that same year.11
Logo for the Stagefright vulnerability (Rundle, 2015)
Often times, vulnerabilities are discovered in specific mod-els of hardware, but manufacturers opt not to issue a fix in favor of promoting new versions of the devices. In 2010, an independent researcher discovered a technique for gaining root access to iOS devices (iPhone 4 and older) without the need for a jailbreak (the “SSH Ram Disk” attack described at the beginning of the article).12 At the time of this writing, the iPhone 4 is still vulnerable to this particular attack, and as these devices are no longer officially supported by Apple (and the fact that the exposure is hardware-based), there will likely never be a security update that resolves the issue. Similarly, in 2013, independent security researchers discovered two lock-screen bypasses for the Samsung Galaxy S3. Both require lit-tle technical knowledge or time to execute successfully. At the time of the discovery, Samsung neglected to patch the vul-nerabilities in favor of releasing the Galaxy S4. According to a study by OpenSignal, the Samsung Galaxy S III was still the most widely owned Android phone in the United States as of Q4 2014.13
Future of mobile technologiesGiven the current state of the mobile landscape, device frag-mentation is likely to remain a big part of the future of mo-bile technologies. Fortunately, there are steps consumers can take to protect themselves and their devices. For those users
9 Z Team. “How to Protect from Stagefright Vulnerability.” Zimperium. 30 Jul. 2015. Web. 10 Feb. 2016 – http://blog.zimperium.com/how-to-protect-from-stagefright-vulnerability/.
10 Rundle, Michael. “‘Stagefright’ Android Bug Is the ‘Worst Ever Discovered.’” Wired Magazine. 27 Jul. 2015. Web. 10 Feb. 2016 – http://www.wired.co.uk/news/archive/2015-07/27/stagefight-android-bug.
11 Mimoso, Michael. “Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices.” ThreatPost. 01 Oct. 2015. Web. 10 Feb. 2016 – https://threatpost.com/stagefright-2-0-vulnerabilities-affect-1-billion-android-devices/114863/.
12 “Working iPhone Recovery Ramdisk with SSH;-).”16 May 2010. 19 Jan. 2016 – http://msftguy.blogspot.com/2010/05/working-ramdisk-with-ssh.html.
13 OpenSignal (2015).
January 2017 | ISSA Journal – 37
Fragmentation in Mobile Devices | Ken Smith
IT’S GOOD FOR BUSINESS
Why Advertise in theISSA Journal?
Contact Joe Cavarretta [email protected]
Learn More Today
Access nearly 11,000 ISSA members, of which 74 percent are CISO/Security Leaders, Senior
Executives, and Mid-Career Professionals either making decisions or highly influencing decisions on
products and services to evaluate or purchase.
Place your advertising strategically to surround our monthly themes with your organization’s products and services...
JANUARY 2017Best of 2016FEBRUARY
Legal, Privacy, Regulation, EthicsMARCH
Internet of ThingsAPRIL
New Technologies in SecurityMAY
The CloudJUNE
Big Data/Machine Learning/Adaptive Systems
JULYCybersecurity in World Politics
AUGUSTDisruptive Technologies
SEPTEMBERHealth CareOCTOBER
Addressing MalwareNOVEMBER
Cryptography and Quantum ComputingDECEMBER
Social Media, Gaming, and Security
of mobile device manufacturers. Earlier this year, a Dutch consumer group issued a lawsuit against Samsung over what they perceived to be the manufacturer’s slow security update policy. According to a January 2016 Neowin report by Andy Weir:
The [consumer group] cites a survey that it carried out, which it says shows that “82% of the Samsung phones ex-amined had not been provided with the latest Android version in the two years after being introduced.” Indeed, it’s worth noting that Samsung isn’t exactly known for delivering updates with any great sense of urgency, as its record with the newest major version of Android shows.15
The group ultimately wants Samsung to provide a full two years of updates for its devices starting on the day that the de-vice is sold (as opposed to the date of its initial release or even manufacturing). While these demands may be overzealous, and keeping in mind that the case has yet to be decided, it is the first time such action has taken place: consumers break-ing new security ground in the mobile device market.
ConclusionThis means that users are likely, at least a small extent, to have more positive control over the security of their devices of choice from the very beginning. And that’s a crucial step in the growth and maturity of the mobile device market. And as that market continues to expand, all stakeholders, includ-ing consumers, have a responsibility to ensure that issues like device fragmentation do not seriously impact the security posture of the market at large, thus ensuring that all mobile devices are as secure as possible from initial release to end-of-life.
About the AuthorKen Smith works for SecureState, a global management consulting firm specializing in information security. Ken works primarily on wireless and physical assessments as well as in mobile device and application security. He enjoys presenting and regularly speaks at industry conferences. Reach Ken via email at [email protected] or call 216.927.8200.
15 Weir, Andy. “Samsung Sued by Dutch Consumer Group over ‘Poor Software Update Policy for Android Phones.’” Neowin. 20 Jan. 2016. Web. 10 Feb. 2016 – http://www.neowin.net/news/samsung-sued-by-dutch-consumer-group-over-poor-software-update-policy-for-android-phones.
whose primary concern is device fragmentation, iOS is the best option of the “big three.” Consumers with a preference for Android or Windows devices should purchase the newest technologies whenever possible and stick to the more well-known manufacturers. These companies are the most likely to maintain the resources that will allow them to continue to support future versions of Android or Windows on legacy hardware. Additionally, the devices of those manufacturers with larger portions of the market (Google, Samsung, HTC, and LG) typically receive security updates faster and more frequently than the lesser-known manufacturers. Application developers can also help alleviate the sting of de-vice fragmentation. While the latest hardware can be allur-ing, responsible developers should continue to support lega-cy hardware for as long as possible. A significant portion of the smartphone market is comprised of outdated hardware.14 Dropping support for those devices that still see regular use can place large portions of the market at risk. Whenever pos-sible, developers should seek to support at least two gener-ations of hardware. Businesses and organizations, including those with bring-your-own-device (BYOD) policies, should consider the implementation of a mobile-device-manage-ment (MDM) solution. Though not perfect, MDM solutions like AirWatch and MobileIron offer a variety of benefits in the mobile security space:
• Automatically update corporate-relevant applications and services
• Flag jailbroken or rooted devices and disconnect them from corporate resources
• Group devices together logically for ease of control and monitoring
• Prevent vulnerable or unsupported devices from be-ing connected to corporate networks and resources
• Push corporate mobile policies to all employee devic-es
Finally, consumers also have a responsibility to protect them-selves. Users should avoid jailbreaking or rooting their phones and tablets. Doing so can significantly amplify the fallout of a successful exploit, giving attackers complete control over the contents of compromised devices. There may also be emerg-ing methods through which customers can force the hands
14 Ibid.
38 – ISSA Journal | January 2017
Fragmentation in Mobile Devices | Ken Smith
ISSA Special Interest Groups
Special Interest Groups — Join Today! — It’s Free!ISSA.org => Learn => Special Interest Groups
Security AwarenessSharing knowledge, experience, and methodologies regarding IT security education, awareness and training programs.
Women in SecurityConnecting the world, one cybersecurity practitioner at a time; developing women leaders globally; building a stronger cybersecurity community fabric.
Health CareDriving collaborative thought and knowledge-sharing for information security leaders within healthcare organizations.
FinancialPromoting knowledge sharing and collaboration between information security professionals and leaders within financial industry organizations.
has physical control over the data—whether within a virtual environment or the cloud—the organization remains respon-sible for ensuring it can meet legal and regulatory control requirements. For the financial services industry, the X9.125 standard for cloud compliance is being developed to address requirements and compliance between a cloud subscriber and its CSP. Some background might help clarify how X9.125 fits into fi-nancial and cloud services. As shown in figure 1, the Ameri-can National Standards Institute3 (ANSI) is the United States’ representative to the International Standards Organization4 (ISO) among others. However, ANSI does not develop stan-dards; rather, they accredit other organizations as indus-try-specific standards developers and technical advisory groups (TAG) to ISO technical committees. The Accredited Standards Committee X95 (ASC X9 or just X9) is one such organization designated by ANSI to perform the following roles:
• Develop ANSI standards for the financial services in-dustry
3 www.ansi.org. 4 www.iso.org. 5 www.x9.org.
AbstractThe Cloud offers organizations faster, cheaper, richer, and some-times more secure application deployments than they them-selves can orchestrate. However, organizations remain re-sponsible for ensuring the security of their data, even when they transfer its physical control to a cloud service provider (CSP). What information does an organization require from a CSP to gain confidence they are meeting their data gover-nance obligations? Can cloud-based technologies, such as the blockchain, play a role in providing cloud subscribers assur-ance their data is being properly managed and that their CSP is in compliance with established security policies and prac-tices? For the financial service industry the X9.125 standard is under development to define requirements and provide a compliance model using blockchain technology.
Introduction
As organizations embrace the Cloud and migration or deploy applications and invariably data, they trans-fer control from internal processes to a cloud service
provider (CSP). However, organizations (subscribers) remain responsible for industry information security compliance despite the delegation to the CSP. Healthcare1 data and pay-ment2 data notwithstanding, organizations must ensure they exert adequate governance over how their data is protected. Regardless of where their data is located and who actually
1 http://www.hhs.gov/ocr/privacy/index.html. 2 https://www.pcisecuritystandards.org/.
Gaining Confidence in the CloudBy Phillip Griffin – ISSA Fellow, Raleigh Chapter and Jeff Stapleton – ISSA member, Fort Worth Chapter
In cloud deployments organizations remain responsible for ensuring the security of their data. Can cloud-based technologies, such as the blockchain, play a role in providing cloud subscribers assurance their data is being properly managed and that their cloud service provider is in compliance with established security policies and practices?
Figure 1 – Standards overview
January 2017 | ISSA Journal – 39
ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY
Figure 2 – Controls overview
• Represent the United States as the TAG to ISO technical committee 68 Financial Services (TC68)
• Manage TC68 and as the official secretariat
Consequently, many X9 standards are sub-mitted to ISO for international standardization. Further, X9 often initiates ISO work items, adopts ISO financial stan-dards, and retires ANSI standards in favor of its ISO version. Sometimes the US markets are uniquely distinct that a do-mestic X9 standard is needed in absence or parallel with an ISO standard. The cloud security work item is assigned to the X9F4 cryptographic protocols and application security work group; Jeff Stapleton is the X9F4 chair, and Phil Griffin is the X9.125 editor. One of the first X9F4 actions was to review the existing body of work including special publications from the National Institute of Standards and Technology (NIST),6 Federal Fi-nancial Institutions Examination Council (FFIEC)7 cloud computing recommendations, Central Intelligence Agency (CIA) views on cloud computing, and the Cloud Security Al-liance (CSA) research on comparable audit programs. These materials were digested to formulate a core set of security requirements for managing and securing information in the cloud, whether this information is located in a private cloud completely under control of the organization, or managed in a hybrid or public cloud environment. Regardless of the cloud service type or environment, these basic questions were iden-tified: 1. What security controls does the cloud subscriber (the
consumer of the cloud services) need to protect the confi-dentiality and integrity of its data?
2. What security controls does the cloud service provider offer to protect the confidentiality and integrity of its sub-scriber’s data?
3. What security controls provided by the cloud service pro-vider can be monitored by the cloud subscriber to verify compliance?
While the development of X9.125 is still work in progress and has undergone several redesigns, cloud services and its adoption in the financial industry have continued to evolve. Thus the X9.125 standard is attempting to hit a moving tar-get. X9 standards provide requirements (“shall”) and recom-mendations (“should”) that are practical and verifiable. Thus, as shown in figure 2, the standard needs to address security controls and interoperability between the cloud service pro-vider and the cloud subscriber, in addition transparency of any service sub-providers. Cloud service providers, like any organization relying on in-formation technology (IT), need to have their security con-trols documented in policy (why), practices (what), and pro-
6 http://csrc.nist.gov/publications/PubsSPs.html. 7 http://ithandbook.ffiec.gov/media/153119/06-28-12_-_external_cloud_
computing_-_public_statement.pdf
cedures (who). They also need to securely manage resources, including people, places, and processes. IT controls include network, systems, and applications addressing authentica-tion, authorization, and accountability (AAA). Data must also be managed across its life cycle including creation, dis-tribution, storage, and termination. When cryptography is used, the keys must be managed in a secure manner. How the controls are deployed and managed depends on the re-lationship between the CSP and the subscriber is depicted in figure 2: • The topmost solid arrow shows the case when controls are
provided solely by the CSP to the subscriber. For example, the CSP might encrypt the subscriber’s data in storage us-ing cryptographic keys managed solely by the CSP.
• The middle arrows show cases when controls are mutually managed by both the CSP and the subscriber. For exam-ple, data in transit is encrypted using a session key that is dynamically established, based on an exchange of public key certificates between the CSP and the subscriber.
• The bottommost dotted arrow shows the case when con-trols are provided solely by the subscriber. For example, the subscriber might encrypt or tokenize data before it is sent to the CSP for storage or processing.
• The dotted arrow between the CSP and its service sub-pro-vider shows the case when controls are provided indirect-ly to the subscriber by the sub-provider. For example, the sub-provider might be a tokenization service used by the CSP to protect the subscriber’s data in storage.
While the X9.125 is still work in progress, another major as-pect is to develop a reporting model such that a cloud sub-scriber can verify a CSP’s compliance. Compliance might be to the CSP policy and practices aligned with the subscriber, or preferably the security requirements being defined in the X9.125 standard adopted by both parties. Regardless, this im-plies that the CSP provides compliance information that is reliable and verifiable. One method for a digital ledger might be blockchain technology, more contemporarily known be-cause of Bitcoin.
BlockchainsBlockchains have been around for decades. Notably Merkle trees were addressed in a US Patent [2] issued in 1982; so the technology is well vetted. While the Bitcoin blockchain is used as a general ledger for Bitcoin transactions, any in-formation can be encapsulated within a blockchain that can provide data integrity. Incorporating timestamps within the blockchain (as does Bitcoin) also provides a historical record
40 – ISSA Journal | January 2017
Gaining Confidence in the Cloud | Phillip Griffin and Jeff Stapleton
of what happened when and by whom. Consider figure 3 as an example. The blocks are number sequentially: Block 0, 1…to N. There is always an initial block conventionally numbered “0” to indi-cate its special nature. There is always a last block (N) which is the most current addition to the blockchain. Each block con-tains data, in this example a cloud service provider’s policy numbered accordingly to its block number: P0, P1…PN and so on. In this example, each block contains a hash (H) of its own policy data, essentially a link to itself, so Block 0 contains H(P0), Block 1 contains H(P1), and Block N contains H(PN). Additionally, each block contains a hash of its processor, so Block 1 contains H(P0) as a link to Block 0, and Block N con-tains H(PN-1) as a link to Block N-1. Note that Block 0 does not contain a previous link since Block 0 is the blockchain origin. At this point one might think that the blockchain is completely reliable, but it turns out that simple links based on a hash of just the data in the previous block is unreliable. Consider an attacker that takes some intermediary Block K which links to Block K-1 and has Block K+1 linked to it. The attacker makes a replica of Block K, which we will call Block J, modifies the data so it contains PJ and no longer PK, and pub-lishes it as the real Block K. The attacker then updates Block K+1 to link to Block J instead of Block K. Thus, the blockchain has been compromised but yet still appears to be valid since all of the links are valid. Without some method of either ver-ifying the publisher or the whole blockchain, a simple substi-tution attack is possible. Replacing the previous link as a sim-ple hash of the previous data with a digital signature would prevent the substitution attack; however, this would require the support of a public key infrastructure (PKI) with certif-icates, private key storage, certificate authorities, revocation lists, and the like. Alternatively, replacing the previous link with a hash chain achieves the same anti-substitution control without the PKI overhead. Referring back to figure 3, we have provided another chain field where each block contains a chain numbered by its block number: C0, C1…CN. Each chain is a link to all of the pre-vious blocks, which is a hash of two elements: the previous chain and a hash of its own data. Thus, Block N contains a hash of CN-1 and a hash of its own data H(PN), that is H(CN-1, H(PN)). Likewise, Block 1 contains a hash of C0 and a hash of its own data H(P1), namely H(C0, H(P1)). Block 0 only con-tains a hash of a hash of its own data H(H(P0)) because there
Figure 3 – Simple blockchain
is no previous chain. In this manner an attacker cannot re-place any of the published blocks without updating the whole chain, which is the basis of the Bitcoin blockchain security. The presumption is that it is cheaper to be honest than dis-honest.
If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added. [3]
Much of the media discussion around Bitcoin has focused on its role as a crypto currency. Bitcoin provides a means for achieving efficient, anonymous financial transactions. In this context, Bitcoin is sometimes described as a disruptive technology, one that facilitates the activities of drug deal-ers and terrorists, one that threatens to disintermediate and undermine the existing financial services industry, or one that presents banks who serve Bitcoin industry players with heightened “Bank Secrecy Act (BSA)/Anti-Money Launder-ing (AML) Act compliance risks” [1]. On the other hand, Bitcoin has seen adoption by e-commerce stalwarts such as PayPal, Overstock, Dish Network, and Dell Computers, as well as “many community-driven organiza-tions” that “allow anonymous donations using Bitcoin” [6]. Despite any negative aspects associated with Bitcoin, “there remain many legitimate uses for Bitcoin and businesses that facilitate these legitimate transactions” [7]. There is also growing interest in leveraging the blockchain technology that underpins Bitcoin to both reduce transaction costs and strengthen financial services security. To this end, more gen-eral purpose applications of the blockchain that are far re-moved from the use of Bitcoin to facilitate financial services transactions are being considered. For example, blockchains might be used to evaluate, monitor, assess, or even audit a cloud services provider: • The CSP might publish its information security policy and
practices in a blockchain providing an historical record of versions and changes. In this manner, new subscribers can evaluate the CSP, existing subscribers can monitor chang-es, internal audit can assess the CSP, and professionals can perform independent audits of the CSP.
January 2017 | ISSA Journal – 41
Gaining Confidence in the Cloud | Phillip Griffin and Jeff Stapleton
• The CSP might distribute information security news in a blockchain providing notifications or alerts to its subscrib-ers about incidents or events about new vulnerabilities in a reliable manner. Today, this information is typically pro-vided via emails or blogs.
• The CSP might issue information security details in a blockchain providing real-time data about its controls. In this manner, existing subscribers can monitor the CSP for its dependability, consistency, and overall trustworthi-ness. Another name for this would be compliance.
Hence, the concept of using blockchains to record and ver-ify CSP compliance data is not as farfetched as might have been initially considered. For cloud subscribers to gain such assurance, and to exercise due diligence in the conduct of their governance and risk management responsibilities, they need some insight into what goes on under the covers at their CSP. Cloud subscribers need the same types of operational evidence of compliance from their CSP that they would ex-pect their internal IT departments to provide. Whether an organization’s data is inside its firewall or floating around in the cloud, informed information security management prac-tices still depend on access to the basics: vulnerability scan results, penetration test results, system logs, application logs, analytical results, security alerts, and summarized informa-tion. Compliance evidence must have origin authenticity, data integrity, and often confidentiality safeguards that pro-hibit access by attackers and other unauthorized individuals. The attractiveness of the Bitcoin blockchain includes its de-centralization. Bitcoin spenders submit their transactions (signature, inputs, outputs) to multiple Bitcoin nodes such that the transaction gets published in the next block that is originated by the next miner to solve the hash solution. The idea is that the amount of work to perpetrate fraud far ex-ceeds the work factor for mining. Sometimes a race condition creates a bifurcated blockchain generated by two different Bitcoin nodes; however, consensus processing will eventually prune the blockchain to only one authentic version. There is no central authority that provides a processing choke point, a single point of failure, or a single point of attack. However, blockchain management is not without its prob-lems. There are orphaned blocks, which are valid but did not make it into the main Bitcoin chain. There are always uncon-firmed transactions waiting for the next block, which might get lost during the bifurcation and pruning process. There are double spends, transactions where the same Bitcoin fractions get spent by the same entity to two different receivers. There are strange transactions, where the syntax or semantics are invalid. And there are outright rejected transactions dropped by Bitcoin nodes that never get included in the chain. Some of these might be processing errors due to software bugs, Bit-coin versions, or rules issues. Alternatively, some transactions might be fraudulent in nature. Bitcoin fraud management is relatively nascent, and without a central authority there are no arbitration or adjudication programs available.
Bitcoin information is publicly accessible by definition. Hash algorithms provide the links between blocks and transac-tions, and digital signatures provide transaction integrity and authentication. Non-repudiation is not feasible as Bitcoin identifiers support anonymity, and the lack of arbitration does not meet legal needs discussed in the Digital Signature Guide-lines [4] and the PKI Assessment Guideline [5]. Further, the Bitcoin blockchain does not offer data confidentiality. Some of the cloud server provider’s information security manage-ment data is sensitive such that it might need to be encrypted, but only accessible by authorized clients or regulatory bodies. Thus, key management schemes need to be considered. There is also growing interest in cloud data confidentiali-ty and user anonymity. In a paper presented at the Security Standardization Research (SSR) 20158 conference held re-cently in Tokyo, Japan, researchers McCorry, Shahandashti, Clarke, and Hao proposed a new category of Authenticated Key Exchange (AKE) protocols. These new protocols, which “bootstrap trust entirely from the blockchain,” are identi-fied by the authors as “Bitcoin-based AKE” [6]. The SSR 2015 paper describes two new protocols, one with a guarantee of forward secrecy and offers proof-of-concept prototypes with experimental results to demonstrate their practical feasibil-ity. Both protocols provide greater anonymity than can be achieved using digital certificate- or password-based AKE. Following the guidance of international security standards can help ensure that the same information security policies used to manage risk when information systems reside in traditional non-cloud environments are also applied in the cloud. Recently, the big three international security standard-ization bodies published Recommendation ITU-T X.1631 | ISO/IEC 27017 Code of practice for information security con-trols based on ISO/IEC 27002 for cloud services.9 This standard builds on selected parts of the familiar ISO/IEC 27002 Code of practice for information security management10 but adds additional cloud-specific recommendations and guidance. Although ITU-T X.1631 | ISO/IEC 27017 provides import-ant recommendations and guidance, it contains no actual requirements. Conversely, the draft X9.125 standard hardens the ISO, IEC, and ITU-T recommendations and guidance into a set of specific information security management re-quirements. Where ITU-T X.1631 | ISO/IEC 27017 relies on clauses 5 through 18 of the ISO/IEC 27002 Code of Practice, X9.125 defines requirements based on comparable clauses in the ISO/IEC 27001 Information security management systems – Requirements.11
ConclusionsBlockchains, a decades old cryptographic technology, has become a creature of the Cloud. Its adoption and use carry many of the same security concerns as other cloud-based ap-
8 http://www.ssr2015.com/. 9 http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.
htm?csnumber=43757. 10 http://www.iso.org/iso/catalogue_detail?csnumber=54533. 11 https://en.wikipedia.org/wiki/ISO/IEC_27001:2013.
42 – ISSA Journal | January 2017
Gaining Confidence in the Cloud | Phillip Griffin and Jeff Stapleton
plications and services. But for blockchains to be trusted in the current financial services regulatory environment, and for it to be widely adopted, blockchain-based systems must comply with an organization’s existing security policy and practices. Many of the policies needed to manage blockchains and other cloud-based deployments are the same as those used to manage security risk within an organization. Organi-zations must continue to manage risk and fully exercise their information security governance responsibilities regardless of where their data and applications roam. Cloud subscribers need the ability to verify that their cloud service providers are securing information in a compliant manner with established requirements. ASC X9 is currently developing the X9.125 standard with the option of the United States submitting the work to ISO for in-ternational standardization. Once the cloud security require-ments have been completed, the corresponding compliance data might be encapsulated in a publicly available or privately provided blockchain. Cloud subscribers, internal or external auditors, regulators, or any independent third-party assessor should be able to validate the CSP by verifying its informa-tion security blockchain. This article is also a call for participation. Cloud service pro-viders, cloud subscribers, or organizations that are interested in the development of the X9.125 standard are encouraged to contact the ASC X9 or the X9F4 work group chair. Par-ticipation by any X9 member is welcomed. Once the X9.125 standard is approved as a new ANSI standard, the possibility of its being submitted to ISO as a USA offering is something that will be seriously considered with the appropriate organi-zations’ support.
References1. King, Douglas. (2015). Banking Bitcoin-Related Businesses:
A Primer for Managing BSA/AML Risks. Federal Reserve Bank of Atlanta. Retrieved November 19, 2015, from https://www.frbatlanta.org/-/media/Documents/rprf/rprf_pubs/2015/banking-Bitcoin-related-businesses.pdf.
2. Merkle, R. C. (1988). “A Digital Signature Based on a Conventional Encryption Function.” Advances in Cryptol-ogy — CRYPTO ‘87. Lecture Notes in Computer Science 293. p. 369. doi:10.1007/3-540-48184-2_32 ISBN 978-3-540-18796-7. US Patent 4309569, Method of Providing Digital Signatures, Ralph C. Merkle, January 5, 1982.
3. Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, Bitcoin.org, retrieved 31 October 2008, https://bit-coin.org/bitcoin.pdf.
4. ISC, Digital Signature Guidelines, Legal Infrastructure for Certification Authorities and Secure Electronic Commerce, Information Security Committee (ISC), Electronic Com-merce and Information Technology Division, Section of Science and Technology, American Bar Association (ABA), ISBN 1-57073-250-7, August 1996.
5. ISC, PKI Assessment Guideline (PAG), Information Security Committee (ISC), Electronic Commerce Division, Section of Science & Technology Law, American Bar Association (ABA), ISBN 1-57073-943-9, June 2001.
6. Patrick McCorry, Siamak F. Shahandashti, Dylan Clarke, Affiliated with School of Computing Science, Newcastle
UniversityFeng Hao, Authenticated Key Exchange over Bitcoin, Security Standardisation Research, Volume 9497, Lecture Notes in Computer Science, pp 3-20, December 9, 2015 – retrieved November 8, 2015, from http://eprint.iacr.org/2015/308.pdf.
7. Douglas King, Retail Payments Risk Forum Working Paper, Federal Reserve Bank of Atlanta, October 2015.
About the AuthorsPhillip H. Griffin, CISM, has over 20 years experience in the development of commer-cial, national, and international security standards and cryptographic messaging pro-tocols. Phil has a Master’s of Information Technology, Information Assurance and Se-curity degree, and he has been awarded nine US patents at the intersection of biometrics, radio frequency identification (RFID), and information security management. He may be reached at [email protected]. Jeff Stapleton has been an ISSA member and participated in X9 for over twenty years; he has contributed to the development of over three dozen X9 and ISO security standards, and has been the chair of the X9F4 work group for over 15 years. The X9F4 work group’s pro-gram of work includes the five-year review of two published standards (X9.73, X9.84) and development of three new standards (X9.112, X9.122, X9.125) in addition to supporting ISO standard efforts. He may be reached at [email protected].
Easy and Convenient!
Place Your Order Today: ISSA Store!
www.issa.org/store/default.asp
Computer Bags • Short-Sleeve Shirt Long-Sleeve Shirt • Padfolio
Travel Mug • Baseball Cap • Fleece BlanketProud Member Ribbon
January 2017 | ISSA Journal – 43
Gaining Confidence in the Cloud | Phillip Griffin and Jeff Stapleton
T here is now a political battle going on in Washington, DC, the outcome of which could have a significant impact on the future of how encryption is used. In
the US, law enforcement agencies currently have the ability to easily intercept phone calls, and they would like to extend this ability to give them easy access to forms of secure com-munication like encrypted email and text messaging. Privacy advocates seem to think that this is a very bad idea. Law enforcement agencies argue that the world is “going dark” for them because the use of encryption is reducing their ability to investigate and prosecute criminals. Privacy advocates argue that adding a backdoor to products that use encryption is inherently dangerous because it also creates a way for hackers to bypass the encryption. They also argue that enough information is contained in messaging metadata for law enforcement agencies to use to investigate and prosecute criminals, and because of this, law enforce-ment agencies do not need the content of encrypted messages to do their job.Here we look at the facts that might or might not support each of these claims, but before doing that, it is probably helpful to put the current debate into some context. A debate that was very similar to the current one took place in the years just be-fore the dot-com boom, right before the Internet transformed the way that we both conduct business and live our daily lives.
Who is driving the debate?It seems clear that the goal of law enforcement officials in gaining the ability to decrypt encrypted messages is to in-vestigate and prosecute criminals. The goals of the average citizen are probably more varied. Their opinions probably range from complete support for the goals of law enforcement officials to complete opposition to them, as well as to more
moderate positions in between. This is what Alan Westin’s 1967 book Privacy and Freedom1 tells us to expect, because people tend to fall into three general categories when it comes to valuing their privacy: privacy fundamentalists, the privacy unconcerned, and privacy pragmatists.About 25 percent of people can be classified as privacy funda-mentalists. They place a very high value on their privacy and tend to favor strict government regulations supporting priva-cy. About 16 percent of people can be classified as the privacy unconcerned. They are generally not concerned much about privacy at all and tend to not support strict government regu-lations supporting privacy. The remaining 59 percent of peo-ple have only moderate concerns about privacy and believe that trade-offs between privacy and something else of value are acceptable, and they tend to favor using the existing set of laws and regulations to ensure that fair practices are enforced when this happens. Because each of these groups has a very different approach to privacy, it seems unlikely that any single way to address pri-vacy concerns will appeal to them all. In particular, it might be the case that the point of view that the use of encryption should be a fundamental right that governments should not interfere with might be the belief held only by a small fraction of the population, while a significant majority might find the trade-off between personal privacy and law enforcement of-ficials getting the ability to decrypt encrypted messages to be an acceptable one. But because this majority also tends not to get overly involved in the political processes, their opinions are typically not heard in debates like the current one. Yet in a democracy, where governing by consensus is usually a good idea, learn-
1 Westin, Alan F. Privacy and Freedom. New York: Athenum. 1967.
The debate over whether or not to give US law enforcement officials the ability to decrypt encrypted messaging has recently been revisited after a twenty-year break. This is an emotionally charged issue, but an important one, so it might be useful to attempt an unbiased and impartial look at the facts and see how well they correspond to the main talking points of the supporters of each side of the debate. The results may be surprising. To learn more, read on.
By Luther Martin – ISSA member, Silicon Valley Chapter and Amy Vosters
Crypto Wars II
44 – ISSA Journal | January 2017
ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY
ing exactly what the consensus is, is probably a good first step towards finding a good solution.
The Clinton years: Crypto Wars ITo give some historical perspective to the current debate, it is probably useful to recall what happened during the Clinton administration. During the early 1990s, the US government enacted legislation that gave law enforcement officials un-precedented access to telecommunications traffic in the US—this was accomplished by the Communications Assistance to Law Enforcement Act (CALEA) of 1994.2 CALEA required manufacturers of telecommunication equipment to include features in their products that made it very easy for law enforcement officials to intercept telecom-munications traffic and required telecommunications carri-ers to use equipment with these features. Although CALEA carefully distinguished between telecommunications ser-vices (which it applied to) and information services (which it did not apply to), this distinction has become somewhat blurred recently, particularly after recent FCC rule making3 extended CALEA to facilities-based broadband Internet ac-cess providers and providers of interconnected voice-over-in-ternet-protocol (VoIP) services.But while the government was successful in implementing laws that made it easy for them to intercept telecommunica-tions traffic, they were much less successful in implementing laws that would give them access to encrypted traffic. They attempted to do this by restricting the export from the US any strong encryption (providing greater than 40 bits of
2 Public Law No. 103-414, 108 Stat. 4279 (1994), 47 USC 1001-1010. Available at ftp://ftp.fcc.gov/pub/Bureaus/OSEC/library/legislative_histories/1743.pdf.
3 “Communications Assistance for Law Enforcement Act and Broadband Access and Services,” 47 CFR Part 1, ET Docket No. 04-295; FCC 06-56 (2006). Available at https://apps.fcc.gov/edocs_public/attachmatch/FCC-06-56A1.pdf.
cryptographic strength) that did not implement a form of key escrow, in which two different government agencies would independently hold information that could be combined to recover any encryption key that the escrowed encryption scheme used. In April 1993, the Clinton White House announced the “Clipper Chip,” 4 technology that would be used to implement the government’s plan for key escrow. In February 1994, the Department of Commerce published the Escrowed Encryp-tion Standard5 (FIPS 185) to support this initiative. Attorney General Janet Reno then announced that NIST and the De-partment of the Treasury would be the escrow agents for the government’s escrowed encryption program and published the procedures for releasing escrowed keys to law enforce-ment officials for use under approved wiretap orders. Every-thing seemed ready to go. But a significant number of Americans were firmly against the government’s plan for escrowed encryption and believed that their need for privacy was more important than the gov-ernment’s need to be able to read some encrypted messag-es. In the face of strong public pressure, the US government eventually abandoned their plans for escrowed encryption, leaving FIPS 185 looking much like the Eighteenth Amend-ment to the US Constitution that banned the production, transport, and sale of alcoholic beverages starting in 1920—something that might have made sense at the time but that looks like a very poorly considered idea from a safe distance into the future. (And if FIPS 185 is analogous to Prohibition, its eventual withdrawal in 2015 is almost certainly analogous to the passage of the Twenty-first Amendment in 1933.)
4 http://www.cryptomuseum.com/crypto/usa/clipper.htm.5 http://csrc.nist.gov/publications/fips/fips185/fips185.pdf.
A Wealth of Resources for the Information Security Professional – www.ISSA.org
When TLS Reads “Totally Lost Security”2-Hour Event Recorded Live: November 15, 2016How to Recruit and Retain Cybersecurity Professionals2-Hour Event Recorded Live: October 25, 2016Security Architecture & Network Situational Awareness2-Hour Event Recorded Live: September 27, 2016IoT: The Information Ecosystem of the Future--And Its Issues2-Hour Event Recorded Live:August 23, 2016Hacking the Social Grid: Gullible People at 670 Million Miles per Hour2-Hour Event Recorded Live: July 26, 2016Legislative Impact: When Privacy Hides the Guilty Party2-Hour Event Recorded Live: June 28, 2016
Breach Report Analysis – SWOT or SWAT?2-Hour Event Recorded Live: May 24, 2016The Sky Is Falling... CVE-2016-9999(nth)?2-Hour Event Recorded Live: April 26, 2016Security Software Supply Chain: Is What You See What You Get?2-Hour Event Recorded Live: March 22, 2016 Mobile App Security (Angry Birds Hacked My Phone) 2-Hour Event Recorded Live: February 23, 20162015 Security Review & Predictions for 2016 2-Hour Event Recorded Live: January 26, 2016Forensics: Tracking the Hacker2-Hour Event Recorded Live: November 17, 2015
Click here for On-Demand Conferenceswww.issa.org/?OnDemandWebConf
January 2017 | ISSA Journal – 45
Crypto Wars II | Luther Martin and Amy Vosters
ment agencies, so they may be more likely to use encryption than the average person is. But is this really happening?Fortunately, there is lots of data available on the use of wire-taps by US state and federal law enforcement agencies, and it is collected and summarized in the US federal court’s annu-al Wiretap Report. Since 2000, these reports have listed how many court-authorized intercepts were unable to be read by law enforcement officials because of the use of encryption. This data does not include wiretaps authorized for some na-tional security reasons, but it is the best data that is available on the subject. The data from the 2000 through 2014 Wiretap Reports is summarized in table 1.Note that in the year 2013, in which the largest number of wiretaps were thwarted by the use of encryption, the num-ber of wiretaps that law enforcement were unable to read was only about 0.4 percent of the total number of intercepts that were installed that year. In fact, in 2013, the worst year for law enforcement ever in this particular area, they were still able to read over 99.5 per-cent of intercepts. That is indeed less than the 100 percent that they were able to read in most other years, but it is still a significant fraction and it certainly looks like law enforce-ment officials are having very little trouble in reading what they get from their wiretaps. So using the best available data, the claim that the world is “going dark” for law enforcement because of the growing use of encryption seems to be false.
Backdoors mean weak securityPrivacy advocates claim that if law enforcement had the abil-ity to decrypt any encrypted messages, then hackers could also take advantage of the same capability, and this would cause the security provided by the encryption to be reduced by an unacceptable level. This certainly sounds reasonable, but is it true?The use of encryption in some form is very common in the business world. This can cause lots of regulatory and com-pliance issues if it is done carelessly because if you lose the key that was used to encrypt important business information, then you also lose the information that was encrypted with it. This is an unacceptable situation to almost all businesses. To avoid this situation, most enterprise software that uses encryption also has the capability to recover lost keys. It is very common to control access and use of an encryption key through some form of authentication, most commonly a password. And when users forget their password, they will need to get another copy of this key. This is a necessary capability of enterprise software that uses encryption, but it is also the very sort of backdoor that privacy advocates claim will introduce serious vulnerabilities into the software that hackers can exploit. But this seems to have not occurred—enterprise software that implements key recover does not seem to have serious vulnerabilities that hackers are able to exploit. So it seems that this particular claim may not be as accurate as we may first think it is.
So at the end of the Clinton administration it might have looked like law enforcement officials had a significant victory in CALEA, and privacy advocates had a significant victory in the defeat of the government’s plans for escrowed encryption. Over two decades later, law enforcement officials decided to revisit the idea of extending the scope of CALEA to include things that might be considered information services. This was successful in 2006, when the scope of CALEA was ex-panded to include some broadband Internet and VoIP ser-vices. Today, from the point of view of law enforcement officials, extending the scope of existing laws to give them the ability to read encrypted messaging probably seems like a reason-able thing to do. From their point of view, this is probably just an incremental change, particularly when compared to the significant capabilities that they already have to intercept communications.
Going darkLaw enforcement agencies now claim that they need the abili-ty to decrypt encrypted communications because the world is “going dark” for them. There is no precise definition for “go-ing dark,” but the FBI has described this phenomenon as “a growing gap between the existing statutory authority of law enforcement to intercept communications pursuant to court order and the practical ability to do so.” 6
This certainly sounds plausible. After all, criminals probably want to hide their intentions and actions from law enforce-
6 Congressman Peter T. King, “Remembering the Lessons of 9/11: Preserving Tools and Authorities in the Fight Against Terrorism,” Journal of Legislation, Vol. 41, No. 2 (2015). Available at http://scholarship.law.nd.edu/jleg/vol41/iss2/1.
Year Intercepts installed Intercepts unread due to encryption
2000 1,139 0
2001 1,405 0
2002 1,273 0
2003 1,367 0
2004 1,633 0
2005 1,694 0
2006 1,714 0
2007 2,119 0
2008 1,809 0
2009 1,764 0
2010 2,311 0
2011 2,189 0
2012 2,501 4
2013 2,331 10
2014 2,433 4
Table 1 – Number of intercepts installed per year and how many of these were unreadable because of the use of encryption (Source: US courts Wiretap Reports, 2000-2014) www.uscourts.gov/statistics-reports/analysis-reports/wiretap-reports
46 – ISSA Journal | January 2017
Crypto Wars II | Luther Martin and Amy Vosters
It might also be useful to note that because of CALEA, all telecommunications equipment used within the US contain a backdoor, but the existence of these backdoors does not seem to have compromised the security of the US telecommunica-tions networks. Carelessly implemented key recovery can almost certainly in-troduce weaknesses that hackers can exploit, but there seems to be little evidence that deployed enterprise software prod-ucts that include the ability to implement key recovery are actually vulnerable in this way. In light of this, the general claim that backdoors are inherently a dangerous security vul-nerability seems to be false.
Metadata is enoughMetadata, or data about data, is typically transmitted in an unencrypted form, even for encrypted messages. Metadata about an email message includes information like the “to” and “from” addresses, and this information needs to be avail-able to the applications that get an encrypted message from sender to recipient, even though the encrypted message body does not. And because metadata is not encrypted, it is readily available to law enforcement officials. Some privacy advocates claim that the information in meta-data is just as valuable to law enforcement officials as the encrypted message is, so that by collecting and analyzing metadata they should be able to investigate and prosecute criminals without access to any encrypted messages at all. The information in metadata can easily characterize you and how you live your life. It can tell where you live and work, and it can tell who you communicate with and about what. So the claim that law enforcement officials can do their jobs just as well with just messaging metadata instead of the content of the corresponding messages sounds like it might be plausible. There have been two recent careful studies of this issue, both of which focused on the US government’s use of metadata to identify terrorist activity. One was created in the recent case of Klayman v. Obama7 (Klayman). In Judge Leon’s 2013 ruling in Klayman, he summarized how effective the government’s metadata collection programs had been, and noted that there was no evidence at all that any government agency had been able to identify and investigate imminent threats faster with access to metadata that they were able to without metadata, despite the claims by both the FBI8 and the NSA9 that meta-data is an important tool in their investigations.In the second study, The President’s Review Group on Intel-ligence and Communications Technologies made a similar finding.10 In particular, when discussing the effectiveness of the NSA’s metadata collection program, it noted that there
7 Klayman v. Obama, 957 F. Supp. 2d 1, 29 (D.D.C. 2013).8 http://www.clearinghouse.net/chDocs/public/NS-DC-0007-0014.pdf.9 http://www.clearinghouse.net/chDocs/public/NS-DC-0007-0016.pdf.10 The President’s Review Group on Intelligence and Communications Technologies,
“Liberty and Security in a Changing World: Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies,” December 2013. Available at https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf
had been no instance in which the NSA could say with confi-dence that the outcome of any investigation would have been different without the program. So from the point of view of learning about and preventing terrorist attacks, metadata appears to be of limited value. And while it is possible that a different pattern might be present in metadata when it is used in other types of investigations, it seems reasonable to expect that the same pattern would also be present, and that metadata would also essentially be of limited value to other investigations. Because of this, the claim that metadata is an adequate replacement for the con-tents of messages in criminal investigations seems to be false.
SummaryIt should not be too surprising that both sides in political de-bates may make claims that are not strictly based on facts. The current debate over giving US law enforcement officials the ability to decrypt encrypted messages seems to be no ex-ception to this rule, and all of the main arguments on both sides of the issue seem to essentially be false. The claim that the use of encryption is making the world “go dark” for law enforcement seems to be false. The claim that backdoors are inherently bad because they create a weakness that hackers can exploit seems to be false. And the claim that messaging metadata is an adequate replacement for the text of encrypted messages seems to be false. The debate over whether or not to give US law enforcement officials the ability to decrypt encrypted communications is very important because it will dramatically affect the privacy of hundreds of millions of people. The decision on whether or not to do this should be based on the best available facts, not on arguments that are excellent examples of why English has the word “specious,” indicating something that is superficial-ly plausible but actually wrong. On the other hand, psychologists tell us that we tend to not base most decisions on facts; instead we tend to have emo-tional reactions that we then try to rationalize. So a more im-portant aspect of this debate may really be whether or not we feel that the government can be trusted to not abuse their ability to decrypt encrypted messages if they had it. But that is something that is beyond the scope of what we can easily discuss here.
About the authorsLuther Martin is a Dis-tinguished Technologist at Hewlett Packard Enterprise. You can reach him at [email protected]. Amy Vosters is a marketing manager at SOASTA. You can reach her at [email protected].
January 2017 | ISSA Journal – 47
Crypto Wars II | Luther Martin and Amy Vosters
#ISSAConf
ISSA 2017 INTERNATIONAL CONFERENCE
DIGITAL DANGER ZONE
October 10-11, 2017 San Diego, California
Sponsorship information: Joe Cavarretta – [email protected]
![ISSA CYBERSECURITY LEADERS GLOBALLY DEVELOPING AND ... · beginning to use artificial intelligence and machine learning (AI/ML), and cyber defenses will have to keep up [8]. Ma-chine](https://img.dokumen.tips/doc/110x75/603ce69a646f8a13c37ac30b/issa-cybersecurity-leaders-globally-developing-and-beginning-to-use-artificial.jpg)
