Cybersecurity Quarterly
Winter 2017
A Publication from
The Exploit Giving Hackers the Keys to Every Unpatched Wi-Fi Network
The Strongest Defense Against a Cyber Attack? The Right People with the Right Skills
East-West Traffic Logging: Monitoring Your Globetrotting Data
The Best Prevention Against a Breach: Knowing Your Biggest Weaknesses
The Global Campaign to Stop Cyber Attacks: How a Nonprofit is Uniting a Global Community and Leading the International Effort to Eradicate Systemic Cyber Risks for Good
Kroll’s experienced leaders help clients make confident decisions about people, assets, and operations across the globe.
INVESTIGATIONS AND RISK MANAGEMENT SOLUTIONS Cyber Security & Incident Response
Business Intelligence & Due Diligence
Fraud & Corruption Investigations
AML & ABC Compliance
Asset Search & Recovery
Third-Party Screening
Dispute Advisory & Litigation Support
Security Risk Management
kroll.com/CIS
Cybersecurity Quarterly
Contents

Featured Articles
The Global Cyber Alliance's Cross-Sector Campaign to Prevent Cyber Attacks: How GCA is confronting systemic cyber risk and helping others to do the same (p. 8)
Staffing & Maintaining a High-Performing Security Organization: Why hiring and keeping the right people with the right skills should be a priority (p. 14)
State Government Cyber Resiliency: A Call to Action: The best way to prevent a cyber attack is knowing your network's vulnerabilities (p. 16)
Go with the Flow: Shared Benefits of East-West Traffic Logging: Keeping your data secure means knowing which information is flowing where (p. 18)

Quarterly Regulars
Quarterly Update with Steve Spano (p. 4)
News Bits & Bytes (p. 6)
Threat of the Quarter (p. 10)
Cyber Tips & Tricks (p. 20)
MS-ISAC Update (p. 22)
Calendar (p. 23)

Confidence in the Connected World
Winter 2017, Volume 1, Issue 3. Founded MMXVII.
Editor-in-Chief: Michael Mineconzo. Copy Editor: Shannon McClain.
Staff Contributors: Freisi Alfonseca, Paul Hoffman, Ryan Spelman, Jessica Williams, Stacey Wright
Cybersecurity Quarterly is published and distributed in March, June, September, and December. Published by Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061. For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518 266.3460. Copyright © 2017 Center for Internet Security. All rights reserved.
Quarterly Update
with Steve Spano
“Start secure, stay secure”

How often have you purchased a laptop or other device and the minute you unwrapped the cellophane and turned it on the first time, you had to download patches and install antivirus software? It almost took the excitement out of having a new device. Security out-of-the-box has long been desired by users, but has been far too elusive for industry to meet.

At CIS, our tag line is “Start secure, stay secure.” Security configurations are one of the foundational parts of good cybersecurity hygiene and are an integral part of CIS – be it on prem or in the cloud. Secure configurations are unfortunately a stumbling block for many organizations. Even if an organization’s network is set up securely at the start, patch updates, network changes, and business demands all require changes to the configuration. Unfortunately, and unintentionally, these changes create holes in the network that hackers love to exploit. Much like how good physical health requires regular exercise, secure configurations require a good change management process. This is not always an easy practice to undertake, as many organizations are loath to add the additional costs that new requirements often bring.

At CIS, we have a change review board that oversees our change management process. Made up of our Director of IT, CISO, and our VP of Operations, they review all requests to initiate changes to our network. Even in a security-focused organization like ours, there are occasional grumblings with this process, especially when we mandate the person requesting the change to present it in detail to the board. However, we know this process is crucial to helping identify and mitigate potential risks to our network. Speed and agility matter in almost every business. While taking prudent steps to ensure proper configuration may add some friction to a business cadence, the alternative is far worse. It’s a tough, but necessary, line to walk.

I invite anyone who wants to learn more about how CIS handles the process to reach out to us to discuss. If your organization has also walked this line and found unique ways to balance mission and security, we would love to hear about them. We may even feature them in a new section we’re launching next quarter called “SQL: Security Quotes and Letters from Our Readers”. You can send your submission via email to us at info@cisalliance.org

Throughout this issue, we talk about secure configurations, why they matter, and how they can be implemented, as well as our usual roundup of quality content. Thanks as always for reading, and I hope you consider sharing your thoughts for inclusion in our “SQL” section in our next issue.
Steve J. Spano, Brig. Gen., USAF (Ret.) President & Chief Operating Officer Center for Internet Security
Where cloud images meet proven security.
Start Secure. Stay Secure. Combine the cost- and time-savings of virtual machines with the power of CIS Benchmarks, our best-practice cybersecurity guidelines. CIS Hardened Images reduce system vulnerabilities to protect against common cyber threats such as denial of service, unauthorized data access, insufficient authorization, and others. CIS Hardened Images are one of the easiest and most affordable ways to stay secure when working in the cloud. Available 24x7 on the Amazon Web Services’® AWS Marketplace®, AWS Marketplace for the IC, Google Cloud Platform™ (GCP) Service, and Microsoft Azure.
CIS is a nonprofit committed to securing the connected world against cyber threats.
Confidence in the Connected World
→ Protect yourself with CIS Hardened Images www.cisecurity.org/services/hardened-virtual-images/
News Bits & Bytes

In October, CIS announced the development of a best practices handbook for elections infrastructure to complement the U.S. Department of Homeland Security’s (DHS), National Institute of Standards and Technology's (NIST), and the Elections Assistance Commission’s (EAC) initiatives to improve the nation’s elections systems. This initiative is meant to bring interested groups together to collaborate in identifying best practices for the nation's election infrastructure, meeting an urgent need in securing elections systems from the threat of cyber attack.

In October, CIS and the University of Maryland (UMD) School of Public Policy announced a multidisciplinary partnership for cybersecurity research. Through the partnership, CIS and UMD will pursue joint research initiatives and projects that leverage each other's strengths and infrastructure; increase inter-institutional engagement of research centers, faculty, staff and students; share research facilities and equipment; enhance the availability of technical training and continuing education; develop curriculum for joint activities; and create opportunities for student engagement through internships, graduate assistantships, and experiential learning.

On December 1st, the Global Cyber Alliance (GCA) began its 90 Days to DMARC: A Global Cyber Alliance Challenge. Following the directive announced by the U.S. Department of Homeland Security requiring all federal agencies to implement the DMARC protocol within 90 days, GCA is challenging other industries to do the same. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a simple, trusted solution that brings together email authentication protocols, and adds reporting and compliance to protect organizations against email fraud. Until February 28th, GCA and its partners will offer resources and guidance to help organizations implement DMARC. More information on the challenge can be found at https://dmarc.globalcyberalliance.org/.

CIS Hardened Images are now available in the Microsoft Azure Marketplace. The CIS Hardened Images in the Azure Marketplace support multiple Microsoft Windows and Linux operating systems. They are a flexible, on-demand computing solution that can be quickly deployed to cost-effectively perform routine computing operations. They are configured based on the CIS Benchmarks, a set of internationally-recognized secure configuration recommendations collaboratively developed by our volunteer consensus community and used by thousands of organizations worldwide.

In September, CIS released an Implementation Guide for Small and Medium-Sized Enterprises (SMEs) for the CIS Controls, providing guidance for SMEs to implement the CIS Controls, a prioritized list of actions organizations can take to protect their networks and a leading cybersecurity approach referenced in the NIST Cybersecurity Framework. Developed by security experts who understand the unique issues facing SMEs, the guide outlines a variety of free or low-cost tools, and steps that can be implemented to improve cybersecurity and empower owners of SMEs to protect their businesses. The full guide can be downloaded at https://www.cisecurity.org/whitepapers/cis-controls-sme-guide.

As of December 1st, the SANS Winter Buy Window is officially open. Until January 31st, state, local, tribal, and territorial (SLTT) governments, nonprofit organizations, and public education and healthcare institutions can purchase industry-leading cybersecurity training programs from SANS for up to 70% off the regular price. Visit www.sans.org/partnership/cis for more information.
The Global Cyber Alliance's Cross-Sector Campaign to Prevent Cyber Attacks
How the nonprofit's efforts are confronting, addressing, and preventing malicious cyber activities and its new resources available for other organizations looking to do the same
By Aimée Larsen Kirkpatrick

Disclaimer: CIS is one of the founding organizations of the Global Cyber Alliance (GCA) and maintains a strategic partnership with the organization.

As the end of the year approaches, it's a good time to take stock of what has happened in the world of cybersecurity over the course of 2017. It was a busy year for cyber crime. WannaCry and Petya led the charge for ransomware attacks affecting organizations around the globe – governments, healthcare companies, shipping companies, and financial institutions, just to name a few. It was also a banner year for data breaches. According to Gemalto, more than two billion records were lost or stolen worldwide in the first half of 2017, an increase of 164% from the previous six months.1

While cyber crime may be on the rise, the Global Cyber Alliance (GCA) has been busy working on solutions to help reduce the risk of breach. GCA’s solutions are free for you to use – there is no cost or requirement, and we do not collect any information about you. We currently have two solutions that offer protection against phishing and malicious web domains, some of the most prominent and prevalent types of cyber attacks of recent years. Again and again, research has shown that more than 90% of attacks begin with a phishing email. To us, it made sense to work on solutions to mitigate this systemic risk. Our solutions to help protect against and reduce the prevalence of these types of attacks:

1. Promote global implementation of Domain-based Message Authentication, Reporting, and Conformance (DMARC), an email authentication protocol that allows senders and receivers to streamline the analysis process by coordinating their verification efforts, thereby improving their protection against fraudulent email.
2. Build a platform that leverages the power of DNS to block known malicious domains and protect against the most common cyber threats, resulting in the creation of Quad9.
DMARC

Starting in 2011 as an idea from a group of like-minded organizations, DMARC was created as an effort to combat fraudulent email. Organization leaders wanted to enable email senders to create and publish policies on unauthenticated email while providing reporting on authentication infrastructure. The tool started as a result of experience during “loose collaborations between some of the founding senders and receivers” who landed on an agreement in regards to how to interpret emails from domains supporting DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF).

Last year, we launched our DMARC Setup Guide to guide organizations through the process of creating a DMARC policy, as well as policies for SPF and DKIM, and have seen a tremendous response. We’ve been working with organizations like the FS-ISAC, NH-ISAC, and MS-ISAC to encourage adoption of DMARC across the financial, health, and government sectors respectively.

On October 16th, 2017, the Assistant Secretary for Cybersecurity and Communication for the U.S. Department of Homeland Security (DHS) announced Binding Operational Directive (BOD) 18-01, which requires all federal agencies to implement DMARC across all federal email domains within 90 days. Federal agencies have until January 16th, 2018 to adopt DMARC and be at a minimum of policy level “none.” GCA applauds the federal government for their initiative, and we are challenging industry and state and local governments to follow suit.

Taking a cue from the federal government’s timeline, GCA launched the “90 Days to DMARC” campaign on December 1st. We encourage any and all organizations to take the challenge and make a commitment that 2018 will be the year your organization implements DMARC. If you’ve already implemented DMARC, we ask you to encourage your vendors, members, colleagues, and others in your industry to make the change. Every step of the way, GCA will assist with resources (webinars, instructional videos, fact sheets, and articles), a media kit (videos, graphics, and info sheets), and guidance. Visit dmarc.globalcyberalliance.org to learn more about DMARC and the campaign.

1 http://money.cnn.com/2017/09/29/technology/business/equifax-hack-2017-cyberattacks/index.html
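What a DMARC policy actually buys you is decided on the receiving side: a message passes only if SPF or DKIM passed with a domain that is aligned with the visible From: domain, and otherwise the published policy (none, quarantine or reject) applies. The following is an added example, not code from this page or from the Global Cyber Alliance, that models that receiver-side logic from RFC 7489 on constructed records and constructed authentication results; the organizational-domain lookup is a deliberate simplification (last two labels) where a real receiver would consult the Public Suffix List, and the example.gov records, mailbox and domains are assumed.

```python
"""DMARC evaluation on the receiving side: record parsing, identifier
alignment and disposition.

Added example, not code from the page or from the Global Cyber Alliance.
It models what RFC 7489 asks a receiver to do once SPF and DKIM have run:
fetch _dmarc.<domain> TXT, require that at least one of SPF/DKIM passed
*and* is aligned with the RFC5322.From domain, and otherwise apply the
published policy.  No DNS is queried; records and authentication results
are constructed.  Organizational-domain lookup is a simplification (last
two labels) that a real receiver replaces with the Public Suffix List.
"""

# Constructed records, the kind of TXT you would publish at _dmarc.example.gov.
# The first is the BOD 18-01 "p=none" starting point (monitor only, reports to
# rua); the second is a finished deployment with strict SPF alignment.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
ENFORCE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; aspf=s; adkim=r; "
                  "rua=mailto:dmarc-reports@example.gov")


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into a tag dict and apply RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must come first and p= is mandatory.
    if not txt.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs leading v=DMARC1 and a p= tag")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("unknown policy: " + tags["p"])
    tags.setdefault("adkim", "r")       # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")        # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])    # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain.  SIMPLIFICATION: last two labels; wrong for
    suffixes such as .co.uk, where the Public Suffix List is required."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ("s") requires an exact match,
    relaxed ("r") accepts any domain sharing the organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record: str, from_domain: str, spf=None, dkim=None) -> tuple:
    """spf = (MAIL FROM domain, result), dkim = (d= domain, result), with
    result strings as the authentication layer reports them ("pass", ...).
    Returns (dmarc_result, disposition).  pct sampling is omitted, and the
    record is taken to be the organizational domain's, so sp= governs
    subdomain senders."""
    tags = parse_dmarc(record)
    spf_ok = (spf is not None and spf[1] == "pass"
              and aligned(from_domain, spf[0], tags["aspf"]))
    dkim_ok = (dkim is not None and dkim[1] == "pass"
               and aligned(from_domain, dkim[0], tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return "fail", tags["sp"] if is_subdomain else tags["p"]


if __name__ == "__main__":
    # Spoofed From: example.gov relayed by a host whose SPF passes for its own domain.
    print(evaluate(MONITOR_RECORD, "example.gov", spf=("attacker.example", "pass")))
    print(evaluate(ENFORCE_RECORD, "example.gov", spf=("attacker.example", "pass")))
    # Legitimate mail: SPF domain is a subdomain (fails strict aspf), DKIM saves it.
    print(evaluate(ENFORCE_RECORD, "example.gov",
                   spf=("bounce.example.gov", "pass"), dkim=("example.gov", "pass")))
```

The first two calls show why "p=none" is only a monitoring stage: the spoof is reported but still delivered until the policy moves to quarantine or reject. The third shows why GCA's guide has you set up SPF and DKIM together, since either one passing with an aligned domain is enough.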
Quad9

On November 16th, 2017, GCA, in collaboration with IBM and Packet Clearing House (PCH), announced the release of Quad9. Quad9 is the global anycast DNS infrastructure that GCA has been piloting for the past year. It provides a real-time security threat feed that blocks access to millions of bad and malicious domains, preserves privacy, and for many, improves performance. It is simple to set up and free to use. Consumers, businesses, and governments – any organization – can use Quad9 as an effective measure of protection with minimal configuration changes. Quad9 makes using security threat intelligence a hands-off effort and gives users “automated immunity” from known internet threats by automatically blocking access to known malicious websites. Threat intelligence is provided from 19 different public and private sources, including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, IBM X-Force, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP. We encourage anyone who is interested in learning more on how to use Quad9 at home or for their business to visit quad9.net.

To stay informed about all things GCA, join our mailing list to get the latest updates on our efforts on combating systemic cyber risk.

Aimée Larsen Kirkpatrick is the Global Communications Officer for the Global Cyber Alliance (GCA). Prior to GCA, she was President of ALK Strategies, a communication and public affairs consulting practice focused on start-ups and nonprofits. Aimée was formerly with the National Cyber Security Alliance (NCSA). As the Partnership Engagement & Strategic Initiatives Director for the NCSA, Aimée established strategies and programs to engage and broaden NCSA’s stakeholder base and expand its audiences. Aimée was a 2012 Executive Women’s Forum Women of Influence Award recipient. She also currently sits on the Board of Trustees for the EU chapter of Anti-Phishing Working Group (APWG).
Threat of the Quarter This Quarter’s Threats: KRACK and ROCA
KRACK (CVE-2017-13077 through CVE-2017-13088)

The Key Reinstallation Attacks (KRACK) exist due to a series of weaknesses in the Wi-Fi Protected Access 2 (WPA2) protocol handshakes, which allow a man-in-the-middle (MITM) attacker to perform one of a series of related attacks. The attacks focus on reinstalling an already-in-use key by exploiting a weakness in step 3 of the 4-way handshake. This weakness is in the WPA2 standard, not in particular implementations, and extends to messages in other components such as the Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), and Wireless Network Management (WNM) Sleep Mode handshakes. The attacker can manipulate these handshakes to compromise the cryptographic protection of the session, and such attacks are successful against any implementation of WPA2, including those used by Windows, Linux, Apple, Android, and OpenBSD. Details on exactly how the attacks work are available on the KRACK Attacks website, in this University of Leuven (Belgium) research paper, and in the MS-ISAC CyberSecurity Advisory 2017-098.

WPA2 is the current standard protocol used to secure communications between wireless access points (WAPs) and client devices.
Why does this matter to me?

Successful exploitation of this weakness, depending on the network environment, could allow an attacker to decrypt Wi-Fi traffic, perform content injection, or hijack TCP connections to obtain sensitive information, such as financial data, employee records, passwords, and emails. This information can allow an attacker to perform additional attacks on a network, as well as compromise the confidentiality, integrity, or availability of sensitive information. To summarize, data transmitted or received via unpatched WPA2 secured networks should not be trusted. This includes any implementation of WPA2, including connections used by phones, tablets, handhelds, laptops, desktops, point-of-sale devices, and Industrial Control System (ICS) sensors.
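The reason a reinstalled key lets an attacker decrypt traffic is that WPA2-CCMP encrypts each frame with AES in counter mode under the session key and a per-frame nonce derived from the packet number; reinstalling the key rewinds that number, so two frames are encrypted with the same keystream and their XOR equals the XOR of the plaintexts. The following is an added example, not code from this page, the KRACK paper or any Wi-Fi stack, that shows that consequence with a minimal client model. To stay within the Python standard library it uses a SHA-256 counter-mode keystream as an assumed stand-in for AES-CTR; the session key and the two frame payloads are constructed.

```python
"""Keystream reuse: the consequence a key reinstallation forces on a WPA2 client.

Added example; not code from the page, the KRACK paper or any Wi-Fi stack.
WPA2-CCMP encrypts each frame with AES in counter mode under the session key
(PTK) and a nonce built from the packet number, which restarts when a
replayed message 3 of the 4-way handshake makes the client reinstall the same
key.  The AES-CTR keystream is replaced here by a SHA-256 counter-mode
keystream (an assumed stand-in, not the real cipher); the XOR algebra that
makes nonce reuse fatal is identical.  PTK and plaintexts are constructed.
"""
import hashlib

# Constructed frame payloads of equal length.  The first is the kind of
# predictable content (an HTTP request line) an attacker can guess.
KNOWN_PLAINTEXT = b"GET /index.html HTTP/1.1"
SECRET_PLAINTEXT = b"password=correct-horse01"
DEMO_PTK = bytes(range(32))  # constructed session key, not from a real handshake


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in for the AES-CTR keystream: SHA-256(key || nonce || block counter)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + packet_number.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal Wi-Fi client: installs a PTK and numbers frames from 1."""

    def __init__(self) -> None:
        self.ptk = None
        self.packet_number = 0

    def on_handshake_message3(self, ptk: bytes) -> None:
        """Install the key.  Resetting the packet number on installation is
        the behaviour KRACK abuses: a replayed message 3 reinstalls the same
        key and rewinds the nonce."""
        self.ptk = ptk
        self.packet_number = 0

    def encrypt_frame(self, plaintext: bytes) -> tuple:
        self.packet_number += 1
        ks = keystream(self.ptk, self.packet_number, len(plaintext))
        return self.packet_number, xor_bytes(plaintext, ks)


def attacker_recover(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With two frames under the same (key, nonce), c1 ^ c2 == p1 ^ p2, so a
    known p1 yields p2 without the attacker ever learning the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def run_with_reinstallation(ptk: bytes = DEMO_PTK) -> bytes:
    """Victim sends a frame, attacker replays message 3, victim sends again."""
    victim = Supplicant()
    victim.on_handshake_message3(ptk)
    pn1, c1 = victim.encrypt_frame(KNOWN_PLAINTEXT)
    victim.on_handshake_message3(ptk)            # replayed message 3: key reinstalled
    pn2, c2 = victim.encrypt_frame(SECRET_PLAINTEXT)
    assert pn1 == pn2 == 1                       # same nonce for both frames
    return attacker_recover(c1, c2, KNOWN_PLAINTEXT)


def run_without_reinstallation(ptk: bytes = DEMO_PTK) -> bytes:
    """Same traffic with the key installed once: nonces differ, XOR yields garbage."""
    victim = Supplicant()
    victim.on_handshake_message3(ptk)
    _, c1 = victim.encrypt_frame(KNOWN_PLAINTEXT)
    _, c2 = victim.encrypt_frame(SECRET_PLAINTEXT)
    return attacker_recover(c1, c2, KNOWN_PLAINTEXT)


if __name__ == "__main__":
    print("reinstalled key:", run_with_reinstallation())
    print("fresh nonces   :", run_without_reinstallation())
```

The vendor patches that close KRACK do not change the cipher; they make the client refuse to reset the packet number (or refuse to reinstall an already-installed key) when message 3 is retransmitted, which is exactly the line in on_handshake_message3 above. The Android and Linux case is worse still: wpa_supplicant reinstalled an all-zero key, so the attacker does not even need a known plaintext.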
Are there mitigating factors?

All of the KRACK Attacks require the attacker to assume a man-in-the-middle position during a WPA2 session. This requires the attacker to be within sniffing range of the Wi-Fi connection. A proof of concept demonstration at DEF CON in 2015 showed that under ideal conditions it was possible to sniff Wi-Fi traffic from 20 miles away.1 While not yet demonstrated, it might be possible to compromise another Wi-Fi enabled device within range of the target Wi-Fi connection and use that device to sniff the WPA2 traffic and mount the KRACK Attacks. But again, this remains a more sophisticated attack scenario that is an unlikely threat to the majority of Wi-Fi users. Falling back to an older protocol is not a mitigation. Wired Equivalent Privacy (WEP) does not use the 4-way handshake and so is not subject to KRACK, but it was completely broken in 2001. WPA (a.k.a. WPA1) uses the same 4-way handshake and is affected by KRACK as well, and practical attacks on its TKIP cipher were published in 2008 and 2009. Neither should be considered an effective or safe wireless security protocol.

1 https://www.networkworld.com/article/2968233/hackersshow-off-longdistance-wifi-radio-proxy-at-def-con.html

The WPA2 4-Way Handshake: How KRACK Infiltrates the WPA2 Protocol
• Targets the 4-way handshake of the WPA2 protocol
• Man-in-the-middle attack
• Forces nonce and session key reuse in WPA2
• Weaknesses are in the Wi-Fi standard, not individual implementations
• Android and Linux can be tricked into using an all-zero encryption key

What now?

There are several steps you can take to further mitigate these concerns within your network.

If you have not done so already, apply the appropriate patches offered by vendors immediately after testing. Most vendors have issued patches at this time, which will prevent the successful use of these attacks. The key to implementing this recommendation is knowing all the authorized and unauthorized devices that are on your network (CIS Control 1), and ensuring that every device on the network is patched (CIS Control 4). Along these lines, employ procedures to detect and remove rogue access points or evil twin devices to mitigate against the potential for man-in-the-middle attacks. Ideally, your environment will also segment guest wireless networks from business networks, as well as limit the range of wireless networks, to prevent unpatched guest devices from affecting business assets.

Secondly, use this as an opportunity to conduct risk analysis and data classification exercises. Make sure that sensitive data, regardless of what it is and what device it is transmitted from or to, is encrypted through a known-good encryption algorithm and does not simply rely on the WPA2 protocol for security.

ROCA (CVE-2017-15361)

On the same day the KRACK Attacks were released, a vulnerability was identified in an implementation of RSA key generation due to a fault in a code library developed by Infineon Technologies. This vulnerability is referred to as the Return of Coppersmith’s Attack, or ROCA. Coppersmith’s method targets RSA where partial knowledge of the secret key is available. The ROCA vulnerability is present because the Infineon library generated the primes for its RSA keys with a fast method that gives them a fixed algebraic structure rather than choosing them uniformly at random, and that structure leaks partial information about the primes through the public modulus. This allows the private keys corresponding to freely available public keys to be determined via prime factorization within a practical amount of time. More information is available in the Centre for Research on Cryptography and Security (CRoCS) research paper and the MS-ISAC CyberSecurity Advisory 2017-100.

Infineon Technologies is an industry leader in the production of smartcards, security tokens, and secure hardware chips, which are used to secure many forms of technology, including hardware chips, authentication tokens, software packages, electronic documents, TLS/HTTPS keys, and PGP.
Why does this matter to me?

Successful exploitation of this vulnerability results in an attacker being able to derive the private key from the public key, via prime factorization, within a practical time frame. This puts confidentiality and non-repudiation at risk for anything that relies on keys generated with the Infineon Technologies library. If the private key can be recovered, an attacker can decrypt material encrypted to the public key and impersonate the key’s owner. As asymmetric cryptography is also relied on to provide non-repudiation in uses such as digital signatures, recovering the private key would allow an attacker to sign documents while impersonating the legitimate owner of the key.
Are there mitigating factors?

This vulnerability does not affect the RSA algorithm itself; it affects only the key generation in the Infineon Technologies library. This means that, while a large number of smartcards, security tokens, and secure hardware chips are vulnerable, not all of them are. Additionally, the “practical amount of time” caveat is very important for ROCA. Although ROCA affects keys generated by the Infineon library since 2012, it is particularly damaging for keys of 2048 bits and under, as longer keys cannot currently be factored in a practical amount of time. According to CRoCS, a practical amount of time to factor a key is less than 1000 CPU years, and the work can be distributed across many cores to decrease the wall-clock time needed. In the worst case, factoring a 2048-bit key vulnerable to ROCA takes about 141 CPU years, divided by the number of cores available for processing. With the availability of cloud resources, an attacker can bring the time to break a 2048-bit key down to a matter of months. A shorter key, such as a 512-bit key, requires only about 2 CPU hours to factor.

Finally, the public key must be available to the attacker for this attack to work. If the public key has not been widely disseminated or is kept secure, it is less likely that an attacker will be able to obtain it. However, as many public keys are widely disseminated and/or not secured, this mitigation may not apply.
What now?

There are several steps you can take to further mitigate these concerns within your network. Awareness of all of the authorized and unauthorized devices (CIS Control 1) and software (CIS Control 2) and data classification efforts within your organization are key to implementing this protection. A thorough inventory should allow a network administrator to quickly identify devices or software that may use the Infineon Technologies libraries, while data classification should aid in identifying data that should be encrypted. The CRoCS website also contains a series of tools that can aid network administrators in testing public keys, PGP encrypted emails, and Python/Java/C++ applications.

If you determine that a vulnerable key pair is in use, apply the appropriate patches from the affected vendors immediately after testing. It is also possible to use a different encryption algorithm, replace the device with one that does not use the vulnerable library, or generate a secure RSA key pair via another source and import it to the device. Increasing key lengths above 2048 bits may be an effective mitigation, as the CPU years required to factor such keys are not practical in most instances. When implementing this mitigation, it is important to note that the time to factor the longer keys may become practical if the attack evolves or processor speed increases. In addition, if implementing this recommendation, it is important to determine the data secrecy level, as this will determine key length, and some advanced attackers may have the ability to factor keys over 2048 bits in length.
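Testing whether a public key came from the vulnerable library needs only the modulus, because the structure of the Infineon primes is visible in it. The following is an added example, not the CRoCS team's roca-detect tool and not code from this page, that applies the fingerprint test their paper describes: the library's primes have the form p = k·M + (65537^a mod M), with M a primorial, so N = p·q is congruent to a power of 65537 modulo every small prime dividing M. The two moduli it checks are constructed for the demonstration (one built to have the Infineon structure, one without it); neither is a real key.

```python
"""ROCA fingerprint test for an RSA public modulus.

Added example; it is not the CRoCS team's roca-detect tool, though it applies
the test their paper describes.  Infineon's library produced primes of the
form p = k*M + (65537^a mod M), with M a primorial (the product of the first
n primes, n fixed by the key size).  For N = p*q this forces N mod r to be a
power of 65537 modulo r for every small prime r dividing M.  Checking the 38
odd primes up to 167 (the primes of the smallest M, which also divide the
larger ones) is enough for a negligible false-positive rate.  The moduli
below are constructed, not real keys.
"""
from functools import reduce

GENERATOR = 65537
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
                73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149,
                151, 157, 163, 167]


def _powers_mod(r: int) -> frozenset:
    """The subgroup {65537^j mod r}: the only residues a ROCA modulus can have mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % r
    return frozenset(seen)


ALLOWED_RESIDUES = {r: _powers_mod(r) for r in SMALL_PRIMES}


def roca_failing_primes(n: int) -> list:
    """Primes r for which n mod r is not a power of 65537; empty means fingerprinted."""
    return [r for r in SMALL_PRIMES if n % r not in ALLOWED_RESIDUES[r]]


def is_roca_fingerprinted(n: int) -> bool:
    """True if n has the Infineon structure and should be treated as factorable."""
    return not roca_failing_primes(n)


def modulus_from_openssl(line: str) -> int:
    """Parse the 'Modulus=HEX' line printed by: openssl rsa -pubin -in pub.pem -noout -modulus"""
    return int(line.split("=", 1)[-1].strip(), 16)


def constructed_vulnerable_modulus() -> int:
    """A number with the Infineon structure N == 65537^c (mod M).  It is not a
    product of two primes and not a real key; it only exercises the test."""
    m = reduce(lambda a, b: a * b, SMALL_PRIMES)
    return pow(GENERATOR, 0x1337, m) + 12345 * m


# A constructed modulus-sized odd number with no such structure.  It already
# fails at r = 11, where 65537 == -1 (mod 11) so only residues 1 and 10 occur.
CONSTRUCTED_SAFE_MODULUS = 2 ** 2047 + 21

if __name__ == "__main__":
    for label, n in [("structured", constructed_vulnerable_modulus()),
                     ("unstructured", CONSTRUCTED_SAFE_MODULUS)]:
        verdict = ("FINGERPRINTED: replace this key" if is_roca_fingerprinted(n)
                   else "clean, first failing primes %s" % roca_failing_primes(n)[:3])
        print(label, "->", verdict)
```

To check a real certificate or key, extract the modulus with `openssl rsa -pubin -in pub.pem -noout -modulus` (or `openssl x509 -in cert.pem -noout -modulus`) and pass the printed line to modulus_from_openssl. A fingerprinted key of any length should be replaced, since the test says nothing about how long factoring would take; it only says the key was generated by the vulnerable code.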
Staffing & Maintaining a High-Performing Security Organization The best defense against a security incident isn't cutting-edge hardware or complex algorithms; it's hiring the right people and ensuring they have the right skills By Dennis Scandrett A slow or incomplete response to a security incident can leave your organization exposed, or worse, crippled. There is work involved, but a substantial payoff can be found in one solution to this threat. A high-performing security team that properly plans, trains, and prepares for incidents can protect you and your organization from a loss of operation or revenue. What is meant by “high-performing security team” is a team of diversely-skilled professionals who follow standards and practices with oversight by a competent Security Operations Center (SOC) manager. Using such guides as the CIS Controls, a SOC will proactively engage in defensive operations that support both security and business goals.
Step 1: Hire with Intention People are the strongest wall of defense in your organization, as long as they possess the right skills. If they do not possess the right skills, they can become your point of failure. Alan Paller, Director of Research for SANS Institute, says, “the key in the business of providing security services is to find the bad guys either on their way in or when they’ve already entered. Without people that have competent skill in threat intrusion detection, incident handling, and SIEM operations, organizations are blind.”
So, before you can begin to execute towards a security plan, you need to determine the number and type of professionals required to perform the hands-on work involved in securing your particular organization and its network. The unique set of requirements that you use should be based on the size of your organization and the value of the assets that are at risk. The requirements should also always include a set of professionals with the baseline skills necessary to act on administrative defense tasks, a set of monitoring and detection professionals to watch for an intrusion anomaly, and managers to oversee the standards, implementation, and response. Most operations should also include vulnerability testing and forensics professionals to ensure that
quick and responsive action can be taken when a threat is detected, or to correct a vulnerability before it even poses a threat. Consider your organization's size, distribution, structure, and true risk carefully as you design your security team.
Step 2: Implement the Right Processes

SANS Instructor Justin Henderson says that “there are multiple ways to store and process large amounts of operational data without any real emphasis on gaining insight into the information collected. Add to that an infinite list of systems from which one could collect logs, and it is easy to get lost in the perils of data saturation. Most security teams need to shift from the typical churn and burn log systems, to a process that achieves actionable intelligence and develops a tactical security operations center.”

Once you have the required skilled and ready professionals on your team, they can root out correlations using free community tools, such as the SOF-ELK VM appliance (https://github.com/philhagen/sof-elk), which helps professionals to ingest, manipulate, and report on log data. After improving their monitoring and discovery capabilities, skilled staff can then automate and analyze their processes for capturing more credible data. With proper support from leadership, these people, tools, and techniques become a powerful defense that is custom-designed for your organization’s particular needs. Building a set plan for continuous analysis and improvement of the tools and processes that your SOC is utilizing, and communicating that plan within your security team and beyond will ensure the successful adoption of your organization's security program.
Step 3: Connect Security Management to Business Needs To ensure that there is executive support for the needs of a SOC, organizations must embrace an alignment between cybersecurity and business operations. To do this, security leaders need to be equipped with both technical acumen and business savvy. By demonstrating an awareness of the relationship between information security operations and business needs, security managers gain the trust of organization leadership and can direct implementation of effective, non-disruptive security measures. Design requirements, deployment considerations, staff roles, and operational scenarios become necessary and interdependent with business operations when communicated with proper organizational intention and scope. Even existing and complex security operations programs can benefit from practical organizing principles like these. Dennis Scandrett is the Curriculum Director for the SANS Institute’s Cyber Defense, Security Management, and Secure Development courses. He oversees the development and delivery of instructors and content in these topic areas, which train thousands of information security professionals each year.
State Government Cyber Resiliency: A Call to Action Knowing your organization's cyber risk is the first and most crucial step to recognizing your network's weaknesses and creating a plan to prevent their exploitation By Jennifer Rothstein & Keith Wojcieszek State government activities affect millions of lives every day, and central to all that activity is the collection, use, and storage of vast amounts and types of data. Protecting this data takes a herculean effort, but rather than planning strategically for cyber resilience, too often governments find themselves playing defense after a breach, data loss, or discovery of a critical vulnerability.
Certainly, this reactive stance is not unique or limited to state governments; many organizations in the private sector primarily focus their time and resources on responding to attacks already in progress. However, consumer demands – as well as escalating remediation expenses and reputational damage – are driving both private and public sector organizations to proactively manage their cyber risk.
Some state governments have started to heighten cybersecurity awareness throughout their constituent agencies and among stakeholders in a number of ways, including through policy changes and the establishment and adoption of regulatory guidelines and frameworks. These organizations are also collaborating with other government bodies, as well as with the private sector, to incorporate and implement effective data security best practices and cutting-edge technology solutions.
Cyber Risk Assessments Create A Foundation for Building Cyber Resiliency
Conducting a comprehensive cyber risk assessment is a proven best practice that is designed to prevent or mitigate attacks before they happen. However, many organizations, including state governments, struggle with knowing where to start and what to encompass in the assessment. In these cases, leveraging cyber-specific controls based on global standards and industry-recognized best practices can create an assessment framework that is robust, agile, and sustainable. For example, the CIS Controls are a proven set of recommended actions that are continuously refined and informed by a global community of experienced IT and security professionals. The 20 CIS Controls are designed to systematically lead organizations through key activities that will help them prioritize their assessment strategy and resource allocation. The first five controls work to help the organization inventory their cyber assets, assess current network health, and concurrently address the most common cyber vulnerabilities. The remaining controls focus on further building resiliency by concentrating on policies, procedures, and technology-based solutions that work to remedy vulnerabilities, establish security best practices, and continuously protect systems and data. These range from email and web browser protections, to limitation and control of network ports, to malware defenses and data recovery capabilities, to controlled access based on need to know.
Conducting a cyber risk assessment can be a great place to start. How a state government implements the cyber risk assessment can take many forms, from the completion of detailed questionnaires to working through real-life scenarios via tabletop exercises facilitated by cyber experts. Tabletop exercises can be particularly helpful in that they often reveal areas of vulnerability, including points of failure, gaps in security, or confusion about individual responsibilities.
Among the many benefits of conducting a cyber risk assessment is the opportunity to build a tactical team comprising managers, support personnel, and other internal and external experts. For example, the team can draw members from internal departments such as IT, general counsel, risk management, human resources, and public affairs. Additionally, bringing in outside counsel and independent consultants who are experienced in cyber matters can also provide valuable guidance and insight.
Organization-wide input, collaboration, and buy-in are especially critical to help ensure the state understands exactly what data it currently has and collects, where data is stored on its networks, and how the data is used. The more state governments are armed with this knowledge, the more likely they will be able to apply, expand, or customize effective cybersecurity solutions.
Regardless of the format used, the cyber risk assessment must be a dynamic process that goes beyond yes/no questions. Ideally, the assessment should provide a road map for conducting more in-depth inquiries into the state’s cybersecurity posture. By implementing a framework such as the CIS Controls or an internally driven risk-based scoring system, the state can use the results of its inquiries to prioritize and direct investments where they will have the most positive effect.
With millions of citizens counting on state governments every day for critical infrastructure and services, protecting the data driving these activities is imperative. However, cybersecurity that is mainly defensive in nature is not only ineffective, it is ultimately unsustainable. Taking a proactive approach to cybersecurity – starting with a cyber risk assessment – will help state governments safeguard lives and resources with long-term resiliency and strength.
Jennifer Rothstein is a Senior Director for Kroll's Cyber Security practice. She joined Kroll after a distinguished career in professional liability program management, e-discovery product development, and intellectual property ownership rights management. Jennifer co-created the insurance market's first e-Discovery services endorsement and co-developed an exclusive patent liability defense program. She is a board member for the New York Metro InfraGard chapter and previously was an instructor at Columbia University's CLM Litigation Management Institute.
Keith Wojcieszek is Associate Managing Director for Kroll's Cyber Security and Investigations practice. Previously, Keith led the U.S. Secret Service Cyber Intelligence Section, Criminal Investigation Division and the USSS Cyber Incident Operations Center, leading investigations that apprehended cyber criminals responsible for over $1 billion in financial losses, and led several domestic and global investigations for the U.S. Department of Justice Computer Crime and Intellectual Property Section (CCIPS) and Office of International Affairs (OIA).
Go with the Flow: Shared Benefits from East-West Traffic Logging
Monitoring the flow of data on your network is crucial to quickly identifying significant threats to your organization
By Bryan E. Hurd
Today’s leaders for IT and security need to collaborate very closely on their strategies for management, visibility, performance, security, and logging of east-west traffic, also called data flow. Companies achieving significant business efficiencies through vendor, supply chain, and IoT integration are also facing increased risks of threats getting past traditional perimeter security strategies. Even inside some of today’s most established companies, which have vast security budgets and robust security tools in place, significant threats still exist from malware, external adversaries, or insiders. One effective analogy I have used is to compare flow data with the motion sensors of a home security system. If an adversary or insider does not trigger a perimeter sensor (door, window, etc.), then they can walk about the house, stealing valuables for far too long (called “dwell time”).
Some of today’s leading organizations in the financial, retail, manufacturing, and entertainment industries are implementing prioritized strategies to increase east/west visibility and security as soon as possible. Many of these projects will take months or even years to implement; here are some ideas to shorten the timeline and reduce friction.
CISOs and CIOs need to talk to each other
The evolution in data center and cloud architectures is increasing the importance of closer alignment for the CISO with network architecture discussions. Ensuring the business agility, performance, and security of your organization in the coming years will require continuing and closer support of security executives to the network strategy. Engage directly with the next few strategic architecture changes of your organization and have specific requirements for excess capacity, network segmentation, secure architecture, and logging factored in during the planning and budget stages.
Focus on the business
Increased vigilance is required for behavioral and adversary detection around virtualization, cloud services, storage replication, and critical data backups because these often offer condensed sets of core business data to an adversary or insider. Identify multiple uses among the CISO, CIO, and business executives for the same logging data and align on enterprise analytics and machine learning capabilities that bring “capture once, secure it correctly, and use it many times” benefits across the boardroom stakeholders.
Retention – “You can’t seriously want to keep all of that, do you?”
After collaboratively deciding on collection of flow data, retention and processing are core additions. When considering retention, start with a graduated strategy focused on whether the entire packet content is needed, or just the traffic flow metadata. Consider a tiered approach to retention to support your business, network, and security needs. Possibly look at full-packet capture (with the ability for security-controlled decryption) for an immediate period of approximately two weeks to 30 days, a few months to a year for longer-term metadata, and, finally, the longest period for summarized or aggregated data.
Talk to your regulatory and audit stakeholders about the best retention policies for your organization – balancing data security, data privacy, resource constraints, and costs.
Selecting solutions that are right for you
When choosing the solutions needed to implement your data collection and retention strategies, pick storage, processing capabilities, and analytic tools that serve many parts of the business. Avoid technologies that:
Lock your data into a proprietary format. Someday, you will want to change technologies. Do not let anyone hold you hostage for your own data.
Charge you by how much you store or analyze your own data on your own systems (cloud storage or virtual machine processing is a different story).
Require you to deploy little drone armies of their proprietary sensors into your network.
Are so-called “black box” solutions that claim to use AI or machine learning, but can’t tell you exactly what or why it is better.
Force unneeded duplication of data, or only support analytics for one stakeholder group (i.e., Security gets support, but CIO personnel can’t re-use data or tables for capacity planning, etc.).
To detect adversaries today, and tomorrow, the focus must morph from trying to always know the tactics of the adversary to understanding the appropriate flow of data and activities of the business and alerting on activities and behaviors that are nefarious (without drowning in false positives). There are some great solutions on the market, and some whose promise and flashy front-end user interfaces draw in unsuspecting buyers. Ask very direct questions to fellow professionals you trust who have actually used the technology for a significant period to differentiate between game-changing innovation and hype.
Bryan E. Hurd is the Senior Executive for Security Strategy at a Seattle-based artificial intelligence company. Previously, he was the first Director of Intelligence of the Digital Crimes Unit at Microsoft’s Global Cybercrime Center, founded the U.S. Navy’s first cyber counterintelligence program, led innovation for the U.S. watch listing system as the Chief of Operations, Director of Terrorist Identities at the National Counterterrorism Center (NCTC), and established the global computer forensics program for EDS (now HP). He speaks globally and serves on a number of corporate and nonprofit advisory boards.
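As an added illustration of two ideas from this article (baselining the expected east-west flows of the business and alerting on deviations, and keeping packets, flow metadata and summaries on different retention tiers), here is a small Python example. It is not from the article or any vendor product; the internal address ranges, hosts, flow records and retention periods are all constructed or assumed.

```python
"""Added example (not from the article): baseline east-west flow metadata
and apply a tiered retention policy. All hosts, flows and periods are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space (RFC 1918 ranges used as a stand-in).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def is_east_west(flow):
    """East-west traffic: both endpoints are inside the enterprise network."""
    return is_internal(flow["src"]) and is_internal(flow["dst"])

def build_baseline(flows):
    """Learn the (src, dst, dport) triples that are normal business traffic.
    In production this is learned over weeks of metadata; here the training
    window is the constructed BASELINE_FLOWS."""
    return {(f["src"], f["dst"], f["dport"]) for f in flows if is_east_west(f)}

def detect_anomalies(baseline, flows, min_bytes=0):
    """Alert on east-west flows never seen in the baseline. The min_bytes
    threshold is one crude way to hold down false positives."""
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if is_east_west(f) and key not in baseline and f["bytes"] >= min_bytes:
            alerts.append(key)
    return alerts

def summarize(flows, day):
    """Aggregate one day's flows into per-(src, dst, dport) byte totals: the
    small, long-lived summary tier."""
    totals = defaultdict(int)
    for f in flows:
        if f["ts"].date() == day:
            totals[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    return dict(totals)

# Tiers in the spirit of the article: full packets ~30 days, flow metadata up
# to a year, summaries kept indefinitely (-1). The periods are assumptions.
RETENTION_DAYS = {"pcap": 30, "flow": 365, "summary": -1}

def retained_tiers(record_age_days):
    """Which artifact tiers still hold data of the given age, sorted by name."""
    return sorted(t for t, d in RETENTION_DAYS.items()
                  if d < 0 or record_age_days <= d)

def _flow(src, dst, dport, nbytes, ts):
    return {"src": src, "dst": dst, "dport": dport, "bytes": nbytes, "ts": ts}

T0 = datetime(2017, 12, 1, 9, 0)
# Constructed training window: a web tier talking to its database tier.
BASELINE_FLOWS = [
    _flow("10.1.1.10", "10.2.2.20", 3306, 50_000, T0),
    _flow("10.1.1.11", "10.2.2.20", 3306, 42_000, T0 + timedelta(minutes=5)),
    _flow("10.1.1.10", "8.8.8.8", 53, 120, T0),  # north-south: not baselined
]
# Constructed observation window one day later: a workstation reaching the
# database and the database pushing a large volume to an unknown host.
OBSERVED_FLOWS = [
    _flow("10.1.1.10", "10.2.2.20", 3306, 48_000, T0 + timedelta(days=1)),
    _flow("192.168.5.7", "10.2.2.20", 3306, 900_000, T0 + timedelta(days=1)),
    _flow("10.2.2.20", "10.9.9.9", 445, 5_000_000, T0 + timedelta(days=1)),
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for alert in detect_anomalies(base, OBSERVED_FLOWS):
        print("unexpected east-west flow:", alert)
    print(summarize(OBSERVED_FLOWS, OBSERVED_FLOWS[0]["ts"].date()))
    print(retained_tiers(45))  # ['flow', 'summary']
```

Raising min_bytes suppresses the smaller workstation-to-database alert while keeping the large transfer, which is the false-positive trade-off the article warns about.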
Cyber Tips & Tricks
This Quarter’s Tip: Stay Informed, Stay Relevant
by Freisi M. Alfonseca, Cyber Intelligence Analyst, MS-ISAC
All throughout my academic education, my teachers and professors routinely walked into the classroom with haphazardly folded newspapers, which were thoroughly underlined, highlighted, and clipped. One of my favorite professors often began his lessons with a clipping in hand that would launch a thousand thoughts across the room. This more than anything taught me the value of being “in the know.” Professionally, I’ve recreated this exercise by sharing newfound bits of knowledge with my fellow coworkers. I’ll take the time to mention something I’ve read while waiting for a meeting to begin or casually during lunch. These often spur in-depth discussions that make their way into our daily work.
Signing up for professional journals, newsletters, or mailing lists that are disseminated on a routine basis is another excellent way to stay well informed of what is happening in your industry. Receiving them via email and designating a folder for them within your inbox will save you the trouble of having more piles of papers around your desk. Explore an even more hands-off approach by requesting flash news briefs on your smart home device, if you own one, and tailoring them to your personal preferences.
Here are a few guiding lights that can help you in your efforts of developing an awareness regimen.
Make staying up-to-date convenient – My RSS feeds, podcast subscriptions, and alerts make it convenient to consume information. We’re lucky enough to have many options for receiving information, so if written articles aren’t your thing, try listening to podcasts during your drive to work. You don’t necessarily need to find new time to stay current, just include it into some of your other daily activities.
Instead of searching for news, have it come to you. Push notification apps allow users to receive messages or alerts to their mobile devices, alerting them of breaking news or news based on preset preferences. RSS feed management websites are also highly convenient, as they greatly reduce the number of websites you need to visit for news.
Live by the rule of three – If I can find three separate sources that support the same piece of information, I am more likely to accept it as truth. This can be tricky, as one can fall into the circular reporting loop, where multiple sources reference the same one piece of news. It is essential to verify the trustworthiness of your sources.
Embrace the power of bookmarking – Have you ever read an article and failed to recall it fully? Do yourself a favor and bookmark the articles you want to keep on your browser. You can sort them into folders for organization. Most mobile news apps also allow you to bookmark articles. It’s also convenient to email yourself articles to save to a searchable folder.
Become a messenger – Share a summary of informative articles with your colleagues, by giving them the bottom line up front (BLUF). Who knows? They might start sharing articles with you.
Reading one article won’t make you an expert, but similar to the way in which steady drops eventually fill a bucket, taking a daily 15 minutes to stay informed will add up and it’ll feel like no trouble at all.
Staying informed helps you stay relevant, which translates into the ability to provide additional value to your organization. It also has the added benefit of making you a decent dinner companion!
MS-ISAC Update
MS-ISAC Membership Growth
2017 has been a banner year for the MS-ISAC Stakeholder Engagement team! Through hard work, thousands of miles of travel, countless phone calls and untold speaking engagements, the team has fostered incredible growth and helped strengthen the state, local, tribal, and territorial (SLTT) community’s cybersecurity defenses. The Stakeholder Engagement team is happy to have brought nearly 500 new state and local government members on board to the MS-ISAC this year. Every day, the MS-ISAC community continues to grow larger and stronger, and we are completely confident that 2018 will bring even more success! Stakeholder Engagement is the recruitment arm of the MS-ISAC, but the team also functions as the concierge for our members. Whatever issue our members face, the Stakeholder Engagement team of Andrew Dolan, Kateri Gill, Dawn Hoffman, Paul Hoffman, and Eugene Kipness are happy to help. We are truly the face of the MS-ISAC and we are proud to be at your service! Membership growth + great customer service = stronger cybersecurity for the SLTT community. Let your peers know, we are here for you!
2018 MS-ISAC Annual Meeting
The 2018 MS-ISAC Annual Meeting will be taking place next year from Sunday, April 8th to Wednesday, April 11th at the InterContinental Hotel in New Orleans, Louisiana. We are very excited to again hold this annual event for our members and hope to have it be our largest MS-ISAC Annual Meeting yet. We are welcoming MS-ISAC members from all 56 states and territories, as well as many local government, tribal, and fusion center representatives from across the country to join us in New Orleans for the opportunity to learn from and network with their peers in state, local, tribal, and territorial (SLTT) government. The theme for the 2018 MS-ISAC Annual Meeting is “Embracing Change and Staying Secure.” We look forward to providing a number of educational keynote and breakout sessions geared toward our MS-ISAC members and the challenges that they face on a daily basis, as well as valuable networking opportunities for all of the attendees on site. If anyone has any questions regarding the 2018 MS-ISAC Annual Meeting, please feel free to contact the MS-ISAC team at info@msisac.org.
Upcoming Events
January
January 1st - 31st Continuing on from December, until the end of the month, the SANS Winter Buy Window is open. During the window, state, local, tribal, and territorial (SLTT) governments, nonprofits, and public education and healthcare institutions can purchase leading cybersecurity training programs from SANS at up to 70% off the regular price. For more information on the programs available and how to purchase, visit www.sans.org/partnership/cis.
January 15th - 17th The University of Michigan's Archimedes Medical Device Security Research Center will host its 2nd Annual Medical Device Security 101 Conference at Disney's Contemporary Resort in Lake Buena Vista, Florida. At the conference, healthcare providers, medical device manufacturers, and industry regulators will learn and discuss the latest medical device security threats and solutions. CIS Senior VP Tony Sager will address attendees from the main stage on using the CIS Controls to secure medical devices.
January 17th The Lincoln Network will be hosting Campaign Cybersecurity: Protecting Your Data from Bad Actors, a webinar discussing data security best practices for nonprofits and advocacy groups. Sponsored by Crowdpac, a nonpartisan political campaign crowdfunding platform, the webinar will feature CIS Executive VP Curtis Dukes and CEO of PKC Security Becker Polverini. More information can be found on the Lincoln Network's website.
February
February 13th The inaugural Cyber Security Summit: Silicon Valley will take place at the DoubleTree by Hilton Hotel San Jose, bringing together senior executives, business leaders, and senior cybersecurity professionals to network and learn about the latest cyber threats from industry leaders. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.
February 18th The Greater Washington, D.C. Chapter of ISACA will be holding its IT Audit in Civilian & DoD Environment Conference, which will bring together IT audit and security professionals from around the nation's capital to discuss some of the biggest challenges facing their field. CIS Senior VP Tony Sager will be speaking on auditing through the lens of a vulnerability management professional.
February 28th Cyber Security Summit: Atlanta will take place at the Ritz-Carlton Buckhead, bringing together senior executives, business leaders, and senior cybersecurity professionals to network and learn about the latest cyber threats from industry leaders. Through our partnership, SLTT organizations can receive free admission to the event. Contact the CIS CyberMarket team for more details.
March
March 19th - 21st The MIS Training Institute (MISTI) is holding its annual InfoSec World Conference & Expo at Disney's Contemporary Resort in Lake Buena Vista, Florida. For more than 20 years, InfoSec World has been MISTI's premier event for information security professionals to come together and discuss the "business of security." CIS Senior VP Tony Sager will be leading a breakout session on the value of a community approach to developing cybersecurity best practices.
March 22nd Cyber Security Summit: Denver will take place at the Hyatt Regency Denver, bringing together senior executives, business leaders, and senior cybersecurity professionals to network and learn about the latest threats from industry leaders. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.
Confidence in the Connected World
Copyright © 2017 Center for Internet Security, All rights reserved.
CIS CyberMarket
Interested in being a contributor? Please contact us: info@cisalliance.org www.cisecurity.org 518.880.0699