In the movie The Untouchables, a hit man pulls a knife to stab Sean Connery, then Connery pulls a shotgun on the hit man. The lesson from this scene is: do not bring a knife to a gunfight.
A lot of corporate IT security staff must not have seen this movie. They are bringing knives to the data security fight while hackers bring guns, cannons, tanks and jet fighters.
With increasingly clever malware and phishing tactics, hackers are snagging users' login credentials at a frightening pace and gaining access to networks. It can be as easy as exploiting a security hole in a web browser while the user is surfing the web to seize credentials and then use them to access privileged services.
While hackers poke, prod and probe networks every hour of the day looking for weaknesses, most corporate IT staff only review access privileges semiannually, quarterly or, if they are particularly diligent, monthly. The reviews are often perfunctory affairs that do not offer much in the way of detection or prevention.
That is not even bringing a knife to a gun fight; that is like remaining at the scene of the crime until the police arrive. Hackers have little fear of getting caught. The hacker who infiltrated Anthem’s customer database was not caught at all; Anthem did not detect the theft until 7 months later.
The blame for this does not necessarily fall on the corporate IT function. They are doing the best they can with what they have. If IT had to constantly examine and recertify user access with their current access management systems, they would not have time to do anything else. Those systems are typically a patchwork of manual or minimally automated security functions native to individual applications and databases. They do not exist within an integrated data security framework that lets IT monitor usage of all key resources from one place.
IT does not stand a chance of preventing more Anthem-level data losses until companies automate and analyze. Automating data extraction and cleansing provides a constant stream of user and account data. Analytical applications run over that stream spot orphan accounts and irregular usage as they occur, not 7 or more months later. Arming IT with this kind of access management system means it is no longer going into the gunfight with a knife. It means ending the fight because the other side knows it cannot win.
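The kind of analysis the paragraph above describes, as an added example that is not code from the post or from any product it mentions: one review cycle that runs whenever the HR feed, the application account export and the application log are refreshed, rather than once a quarter. The HR roster, account list, log lines, field names and the off-hours and dormancy thresholds are all constructed assumptions for illustration, not any vendor's export format or policy.

```python
"""
Added example (not from the ISACA Journal post): a minimal continuous
access review. All rosters, account exports and log lines below are
constructed sample data; field names and thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Constructed HR feed: who is employed, and when anyone left.
HR_ROSTER = {
    "e100": {"name": "Ada", "status": "active", "left": None},
    "e101": {"name": "Bob", "status": "terminated", "left": datetime(2015, 3, 1)},
    "e102": {"name": "Cy", "status": "active", "left": None},
    "e103": {"name": "Dan", "status": "active", "left": None},
}

# Constructed account export from one application (owner = HR employee id).
ACCOUNTS = [
    {"user": "ada", "owner": "e100", "enabled": True, "privileged": False},
    {"user": "bob", "owner": "e101", "enabled": True, "privileged": True},
    {"user": "svc_etl", "owner": "e999", "enabled": True, "privileged": True},
    {"user": "cy", "owner": "e102", "enabled": True, "privileged": False},
    {"user": "dan", "owner": "e103", "enabled": True, "privileged": False},
]

# Constructed application log lines: "<ISO timestamp> <user> <action>".
LOG_LINES = """\
2015-04-02T09:15:00 ada LOGIN
2015-04-02T22:40:00 bob LOGIN
2015-04-02T22:41:00 bob EXPORT customers
2015-04-03T03:10:00 svc_etl LOGIN
2015-04-03T10:05:00 cy LOGIN
""".splitlines()

DORMANT_AFTER = timedelta(days=90)   # assumed policy: unused for 90 days
BUSINESS_HOURS = range(7, 20)        # assumed policy: 07:00-19:59 local


def parse_log(lines):
    """Yield (timestamp, user, action) tuples; malformed lines are skipped."""
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_orphan_accounts(accounts, roster):
    """Enabled accounts whose owner is unknown to HR or no longer employed."""
    orphans = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        person = roster.get(acct["owner"])
        if person is None:
            orphans[acct["user"]] = "owner not in HR roster"
        elif person["status"] != "active":
            orphans[acct["user"]] = "owner terminated"
    return orphans


def find_irregular_usage(events, accounts, roster, as_of):
    """Flag use after the owner left, privileged use off-hours, dormant accounts."""
    by_user = {a["user"]: a for a in accounts}
    last_seen = {}
    findings = []
    for ts, user, action in events:
        acct = by_user.get(user)
        if acct is None:
            findings.append((user, ts, "activity from account not in export"))
            continue
        last_seen[user] = max(ts, last_seen.get(user, ts))
        person = roster.get(acct["owner"])
        if person and person["left"] and ts > person["left"]:
            findings.append((user, ts, f"used after owner left on {person['left'].date()}: {action}"))
        if acct["privileged"] and ts.hour not in BUSINESS_HOURS:
            findings.append((user, ts, f"privileged account used off-hours: {action}"))
    # Enabled accounts with no recent activity are recertification candidates.
    for acct in accounts:
        seen = last_seen.get(acct["user"])
        if acct["enabled"] and (seen is None or as_of - seen > DORMANT_AFTER):
            findings.append((acct["user"], seen, "dormant enabled account"))
    return findings


def run_review(as_of=datetime(2015, 4, 4)):
    """One review cycle; run it on every feed refresh, not once a quarter."""
    orphans = find_orphan_accounts(ACCOUNTS, HR_ROSTER)
    irregular = find_irregular_usage(parse_log(LOG_LINES), ACCOUNTS, HR_ROSTER, as_of)
    return orphans, irregular


if __name__ == "__main__":
    orphans, irregular = run_review()
    for user, why in orphans.items():
        print(f"ORPHAN    {user}: {why}")
    for user, ts, why in irregular:
        print(f"IRREGULAR {user} @ {ts}: {why}")
```

On the constructed data the review flags bob (owner terminated, yet still logging in and exporting data after hours), the service account with no HR owner, and a dormant enabled account, all on the day the events occur. The point is the join between the HR feed, the account export and the usage log; none of the three sources catches these cases on its own, which is why a patchwork of per-application controls misses them.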
Read Chris Sullivan’s recent ISACA Journal article:
“Accelerating Access Management to the Speed of Hacks,” ISACA Journal, volume 5, 2015.
Gary Lieberman, Ph.D., CISSP
I was recently invited to participate in a panel discussion at a cybersecurity conference. The overall focus of the panel was on best practices for network security, specifically preparing for a cyberattack. We were given 5 focus areas to consider, mostly the usual topics such as zero-day attacks and bring your own device (BYOD). The 5th focus area was deploying a successful disaster recovery (DR) plan with regard to cybersecurity.
In addition to myself, the panel was staffed by 2 chief information security officers (CISOs) and a chief executive officer (CEO), and it was moderated by a 3rd CISO. When the topic of DR came up for discussion on the preparation conference call, 1 of the participants summarily dismissed it as being old hat and played out. He said that the topic had been discussed to death and there had been nothing new in that area in years. One person after another agreed with him, and the moderator said, “OK. We will cut that topic out of the discussion.” I disagreed and chimed in with a brief overview of my recent Journal article. Afterwards, they all agreed to keep the topic, and someone even suggested that we move it up to be the 1st subject of discussion. They said that they had never looked at DR from the perspective of preparing the C-suite for a cyberbreach.
A few weeks ago, I had lunch with a chief information officer (CIO) friend of mine, and the subject of my article came up. I asked him if he and the CISO, who reported to him, would consider presenting the idea of the C-suite participating in a cyberbreach preparedness exercise to the company president and the board of directors (BoD). He laughed and said they wanted no involvement in the design and execution of cybersecurity. All they want is to be told the firm is safe and that the Sarbanes-Oxley (SOX) audit will pass. Apparently, appearing safe is just as good as being safe to some executives.
So why do some C-suite executives react this way? I think it is evolutionary in nature. Twenty years ago, only 3 out of 10 companies had DR plans. Now everyone has one. It took a few disasters and an act of the US Congress to garner the wide acceptance we see today. I think the same evolutionary set of baby steps will naturally happen before a wide acceptance of cyberbreach preparation in the C-suite will be seen. It would be interesting to gather some empirical data on how many companies are prepared and practiced now and then monitor the growth over the next few years. I suspect the high impact of cyberbreaches will move the evolution of cyberbreach preparedness along a lot faster than that of the DR plan.
Read Gary Lieberman’s recent ISACA Journal article:
“Preparing for a Cyberattack by Extending BCM Into the C-suite,” ISACA Journal, volume 5, 2015.
Omar Y. Sharkasi, CBCP, CFE, CRP
It seems like every day there is a new data breach or heist. Hackers break into corporate or government computers and swipe names, addresses, birth dates and those all-important US Social Security numbers. Consider these recent breaches:
My recent Journal article focuses on Windows computers, with an emphasis on all nonserver Windows computers. This includes Windows end-user devices such as workstations, desktops, laptops, hybrids and tablets. Workstations are just as important to the security of an organization as servers. Of course, an insecure workstation directly impacts only one user (in most cases), while a server can impact thousands. But all of the biggest breaches in recent times have started with a compromised workstation, not a server. Even though servers and workstations run essentially the same Windows operating system, securing workstations is very different from securing servers.
The key differences that impact security include:
Hardening servers is primarily about reducing the attack surface and keeping remote users from viewing more than the resources and services they are supposed to access. Hardening workstations, on the other hand, is very much about protecting end users from themselves. And there are usually many more applications installed on a workstation than on the typical server. Workstation security is actually more complex than server security.
As defenders, we must understand these hacking tools and techniques. Enforcing security policies at the workstation level, and using Active Directory permissions to safely delegate administrative authority in a large enterprise, offers the best strategy for coping with cybersecurity threats and other advanced attacks. Additionally, by providing corporate directors and government officials with meaningful intelligence on a regular basis, security professionals garner high-level support for building robust security systems and for adopting the processes and policies necessary to protect data.
Read Omar Y. Sharkasi’s ISACA Journal article: