Cybersecurity Quarterly
Winter 2018
A publication from the Center for Internet Security

Experts Predict What Attacks We'll Be Talking About in 2019
Protecting Your Identity from the Consequences of Consumer Data Breaches
Getting Perspective on a Tumultuous Year in Cybersecurity
Defending Against the Vulnerabilities That Keep Causing Major Data Breaches

2018: A Retrospective
We saw major data breaches that affected millions, continued threats from infamous malware, and heightened fears around the nation's midterm elections. What can we learn from this year to better protect ourselves moving forward into 2019?
Kroll’s experienced leaders help clients make confident decisions about people, assets, and operations across the globe.
INVESTIGATIONS AND RISK MANAGEMENT SOLUTIONS
Cyber Security & Incident Response
Business Intelligence & Due Diligence
Fraud & Corruption Investigations
AML & ABC Compliance
Asset Search & Recovery
Third-Party Screening
Dispute Advisory & Litigation Support
Security Risk Management
kroll.com
Contents

Featured Articles
• Defending Against the Most Dangerous Attack Techniques of 2019: A look back at the threats of 2018 and making predictions for the coming year (p. 8)
• The Increasing Burden on Consumers to Protect Their Identity: As data breaches become more ubiquitous, how can consumers better safeguard themselves against identity theft? (p. 14)
• Breaking the Cycle of Cyber Breaches: The same vulnerabilities keep being responsible for major data breaches. How can organizations defend against them more effectively? (p. 16)

Quarterly Regulars
• Quarterly Update with John Gilligan (p. 4)
• News Bits & Bytes (p. 6)
• Threat of the Quarter (p. 10)
• Cyber Tips & Tricks (p. 18)
• Cyberside Chat (p. 20)
• MS-ISAC Update (p. 22)
• Calendar (p. 24)
Confidence in the Connected World
Winter 2018, Volume 2, Issue 4. Founded MMXVII.
Editor-in-Chief: Michael Mineconzo
Copy Editor: Shannon McClain
Staff Contributors: Sean Atkinson, Molly Gifford, Paul Hoffman, Shannon McClain, Joshua Palsgraf, Ryan Spelman
Cybersecurity Quarterly is published and distributed in March, June, September, and December. Published by Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061. For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518 266.3460.
Copyright © 2018 Center for Internet Security. All rights reserved.
Quarterly Update with John Gilligan
It is my pleasure to introduce the final issue of Cybersecurity Quarterly for 2018 and to share some perspectives as the new CEO of CIS. While new to the CEO position, I have been a member of the CIS Board of Directors for almost 13 years. During this time, I have had the opportunity to witness CIS take on a series of new challenges, as well as to observe the tremendous growth in size and breadth of CIS capabilities.

CIS is a very unique organization with a critical global mission. No other organization serves as both an operational component protecting a major element of the United States critical infrastructure and as a home to internationally-recognized cybersecurity best practices. Furthermore, much of the critical value that we provide is generated from you: our members and volunteers. You share your knowledge and skills in collaboration with the greater CIS community to collectively help us improve the cybersecurity posture of all organizations.

Cybersecurity Quarterly is a key vehicle for sharing information regarding security best practices, gaining insights from global thought leaders, as well as getting updates on CIS activities. One of the goals of this issue is to give you, the reader, the opportunity to take a quiet moment and reflect on the quarter, and 2018 as a whole, and contemplate how you can better position your organization in 2019. Among the articles found in this issue, you will find some great perspectives on the year from our own CISO, Sean Atkinson, as well as a prospective view on possible new cyber-attacks from our partners at SANS. In addition, ID Shield shares some good insights on credit freezing, something everyone should think about as a prudent response to the continuing pattern of data breaches, and Akamai has provided a great article on, among other items, the impact of “Agile” on DevOps and security. As more organizations focus in on “Agile” development (CIS included), it is important to add a security perspective to the role it plays in organizations.

As the new CEO for CIS, let me thank you again for being a reader of Cybersecurity Quarterly, and be the first to wish you a prosperous and secure 2019.
John M. Gilligan, Chief Executive Officer, Center for Internet Security
What’s your organization’s cybersecurity risk/control balance? CIS RAM helps organizations implement and assess their security posture against the cybersecurity best practices recommendations of CIS Controls.™
CIS RAM (Center for Internet Security Risk Assessment Method) is an information security risk assessment method that helps organizations design and evaluate their implementation of the CIS Controls. CIS RAM provides instructions, examples, templates, and exercises for conducting risk assessments so they meet the requirements of established information security risk assessment standards, legal authorities, and regulators. Because information risks vary from one organization to the next, CIS RAM helps model “reasonable” uses of the CIS Controls to address the mission, objectives, and obligations of each environment. Developed by HALOCK Security Labs in partnership with CIS, CIS RAM provides three separate security approaches to support different levels of organizational capability. New to risk analysis? You can use CIS RAM’s instructions for modeling foreseeable threats against the CIS Controls as your organization applies them. Experienced with cybersecurity? Follow instructions for modeling threats against information assets to determine how the CIS Controls should be configured to protect them. Cyber risk expert? Use CIS RAM’s instructions for analyzing risks based on “attack paths” using CIS’ Community Attack Model.
→ Download CIS RAM free at https://learn.cisecurity.org/cis-ram
→ Join the CIS RAM Workbench Collaborative Community to connect with other cybersecurity professionals working with CIS RAM: https://workbench.cisecurity.org/
News Bits & Bytes

The SANS Winter Buy Window is now open. From now until January 31st, 2019, all state, local, tribal, and territorial (SLTT) government organizations, as well as related nonprofits and public organizations, can take advantage of the group purchasing discounts available through our partnership with SANS and receive up to 70% off the regular price on popular SANS training programs and courses. To learn more about our partnership program, to get a quote, or to purchase, visit www.sans.org/partnership/cis.

The 2017 Nationwide Cybersecurity Review (NCSR) Summary Report is now available. Each year, the Multi-State Information Sharing & Analysis Center® (MS-ISAC) offers this free cybersecurity assessment resource for state, local, tribal, and territorial (SLTT) governments. The NCSR encapsulates the findings of an extensive national survey that measures the gaps and capabilities of SLTT governments’ cybersecurity programs. The results of the 2017 report are based on participation from 476 SLTT entities: 45 states, 129 locals (representing 39 states), 5 tribes, and 297 state agencies. To view the report, visit https://www.cisecurity.org/white-papers/2017-ncsr/.

CIS Hardened Images for Red Hat Enterprise Linux are now available in the Microsoft Azure Marketplace. CIS released CIS Hardened Images™ for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 6 into the Microsoft Azure Marketplace this past September. CIS Hardened Images are virtual machines preconfigured according to the security recommendations of the CIS Benchmarks™. In the past year, CIS has released a total of 18 CIS Hardened Images for various operating systems into the Azure Marketplace and the Azure Government Marketplace.

CIS has released CIS-CAT™ Pro Assessor v4, which now includes remote assessment capabilities. The updated assessment tool is available to all CIS SecureSuite Members and includes a number of new features, including remote assessment, single server installation, report integration with CIS-CAT Pro Dashboard, and secure content support. This robust update to CIS-CAT Pro is available to download via CIS WorkBench at https://workbench.cisecurity.org.

CIS CyberMarket vendor Skyhigh Networks has finalized its acquisition by McAfee, one of the world's largest and best-known cybersecurity companies. Closed earlier this year, the acquisition combines Skyhigh's leadership in cloud security with McAfee's existing security portfolio. As part of McAfee, Skyhigh's product line will be known as McAfee MVISION Cloud and complement the company's other cloud security management offerings. Learn more on the McAfee website.

CIS has launched its first Hardened Container Image, now available on the new Amazon Web Services Marketplace for Containers. CIS made the announcement in conjunction with AWS re:Invent 2018 in Las Vegas. The CIS Hardened Container Image reflects baseline requirements in accordance with applicable CIS Benchmarks to optimize systems running containers. AWS customers can now use the Amazon Elastic Container Service (Amazon ECS) console and AWS Marketplace for Containers website to discover, produce, and deploy container solutions, including the CIS Hardened Images. CIS is initially offering an Ubuntu® 16.04 LTS Server Container Image, which is available now on AWS.
The Most Trusted Source for Information Security Training, Certification, and Research

CIS & SANS Institute Information Security Training Partnership

SANS Institute partners with the Center for Internet Security to provide its top-rated information security training and awareness programs to State, Local, Tribal, and Territorial Government organizations at significantly reduced costs. Leverage this special partnership to ensure that your employees have the skills and experience necessary to protect your critical organization from cyber threats. Program participants may purchase:
• More than 35 of SANS' most popular hands-on courses, available OnDemand, or live online in the evenings via vLive.
• SANS Security Awareness, to train and test non-technical staff on email, file storage, digital access, and general data security.

Purchase training during the Winter Aggregate Buy window to receive the best pricing of the year. Discounts are available now through January 31, 2019.
Contact partnership@sans.org, or visit www.sans.org/partnership/cis for more information.
Defending Against the Most Dangerous New Attack Techniques of 2019
Experts from the SANS Institute look back at the prevalent threats of 2018 and forward to what will likely be the biggest threats for the coming year
By Tanya Van Kirk

Each year, at the RSA Conference in San Francisco, a team of experts from the SANS Institute, led and moderated by SANS Founder and Director of Research Alan Paller, presents a keynote to the event's attendees discussing their predictions of the most dangerous new attack techniques for the upcoming year. At the upcoming 2019 conference, Alan and the panelists from SANS will once again walk us through their forecasted threats for the year with new data and predictions.

Prior to the keynote at RSA, Alan and his team held a December 5th webcast on the topic to update information security professionals on the state of attacks from 2018 and prepare them for the possibilities ahead. In this webcast, SANS instructors Ed Skoudis, Heather Mahalik, and Johannes Ullrich joined Alan to preview the keynote material, detailing the status of five dangerous attack techniques predicted to make waves in 2019 and ways to defend against them now.

Some of the attack techniques discussed are perennial problems, including Ed’s warning about cloud storage vulnerabilities. Ed, one of the resident penetration testing and incident response experts at SANS, recommended specific monitoring and threat detection tools, and Google’s Data Loss Prevention API, to control the risk associated with cloud data storage. He also recommended that information security professionals deepen their skills in Open Source Intelligence (OSINT) and data analytics to mitigate the weaponization of personal and professional data. In the webcast, Ed referenced a number of additional tools that can catch more attacks and protect organizations' information.

Next, Johannes Ullrich, founder and director of the SANS Internet Storm Center, presented an update on the world of cryptomining and hardware vulnerabilities. This included details about the return of cryptomining on Internet of Things (IoT) devices, and patching issues that can contribute to substantial losses. Johannes advised that hardware maintenance and awareness of patch activities and security incidents can relieve some pressure on Security Information and Event Management (SIEM) solutions, but these are not always predictable as operating systems update. Keeping a watchful eye on alert programs, like the Internet Storm Center or the MS-ISAC, can help.

Mobile device forensics expert Heather Mahalik wrapped up the dangerous attack techniques update with a discussion about mobile device data leaks. A relatively easy target, smartphones and other mobile devices routinely collect and leverage user data, including location, cloud access, passwords, and more. That data can be snatched through a multitude of weak entry points, including vulnerable applications, unsecured Wi-Fi, disabled security features, out-of-date software, malicious USB connections, and even social media posts. Scrutinizing devices and the software and applications associated with them can help to control the risks they introduce.

To hear the group’s full, hour-long presentation on these attack topics for 2018/2019, visit www.sans.org/5 for a direct link to the archived webcast. Then, watch that same page in March for the new 2019 RSA keynote, to hear updated predictions about threats that may be more common, effective, or damaging in the coming year.

A second webcast about emerging security trends for 2019 occurred two days later, and is also available for viewing now on the SANS website. SANS Director of Emerging Security Trends John Pescatore, joined by SANS Senior Instructors John Strand and Jake Williams, presented “Gearing up for 2019 - Best Practices to Consider,” featuring a two-hour discussion about key trends driving security improvements in 2019, which attacks are occurring and will continue to occur, and best practices to employ to make attackers’ lives more difficult in the new year. In this webcast, the group reminded attendees that basic security hygiene, and use of the CIS Controls, is the first step to reducing an organization’s risk. While the quantity of data breaches may have been down in 2018, the cost per attack increased. Attackers are more targeted and efficient, so the need for organizations to employ smart people who use smart tools and processes to stay ahead of them is growing.

Other key topics covered in the webcast included the adoption of the European model of data privacy, security opportunities in organizations' DevOps activities, and the use of platforms and tools like MailSniper for penetration testing and O365 Cloud App Security for alerts of suspicious activity. Additionally, details about using a Collection Management Framework properly and how that relates to an organization's SIEM were discussed both during Jake’s presentation and during the Q&A session at the end of the webcast.

Listening in on webcasts like these now is an excellent way to prepare for a year of proactive defense in 2019. By arming yourself with the best predictions for what to expect in 2019, your organization can better protect itself in the coming year and stay one step ahead of cyber criminals.

Tanya Van Kirk is the Director of Brand Marketing for the SANS Institute, the most trusted provider of information security training, certification, and research in the world. She is an experienced marketing executive with over 20 years of branding and strategy experience. Before her position at SANS, Tanya managed marketing planning and development for AIMMS, a Dutch software platform provider. Prior to that, Tanya served as marketing and circulation lead at a number of regional lifestyle magazines and industry trade publications, as well as started, developed, managed, and sold a successful events and marketing consulting business.
Threat of the Quarter
This Quarter’s Threat: Emotet Malware
Emotet was one of the most costly and destructive variants of malware affecting state, local, tribal, and territorial (SLTT) governments in 2018 and will likely continue to be in 2019. Emotet is an advanced, modular banking trojan that primarily functions as a downloader or dropper of other banking trojans and types of malware. Once Emotet infects the initial system, it uses its worm-like abilities to infect the network and drop other types of malware across the network.
Emotet is highly infectious, due to its worm-like features, making it difficult to combat and costing SLTT governments up to $1 million per incident to remediate. This is because, generally, when the MS-ISAC sees an Emotet infection, most of the network has already been compromised with Emotet, sometimes infecting up to 90% of all systems. At that infection level, it is very difficult to remove the infection, and remediation often requires creating a separate, clean network to add the cleaned computers to – an expensive and time-consuming process. For the past year, Emotet appeared on the MS-ISAC’s monthly Top Ten Malware list every month and has helped other types of malware stay on or make it onto the list. Additionally, Emotet’s polymorphic nature allows it to evade typical signature-based detection, and it is virtual machine (VM) aware, allowing it to generate false indicators if run in a virtual environment. It has several methods for maintaining persistence, including auto-start registry keys and services. Furthermore, the trojan uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities.

How It Works

Emotet is disseminated through malspam (emails containing malicious attachments or links) and imitates third parties familiar to the recipient. The usual SLTT government-focused campaign imitates PayPal receipts, shipping notifications, or “past-due” invoices purportedly from the MS-ISAC. More recently, however, there was a Thanksgiving campaign. As shown above, it was an email that imitated the MS-ISAC with a Thanksgiving card attached. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam.

To gain and maintain persistence, Emotet injects code into various processes, collecting various types of sensitive information. As information is collected, the trojan communicates with a command and control server (C2) to send it to “Mealybug,” the malicious actors behind Emotet as identified by Symantec. Connecting to the C2 also allows the trojan to receive configuration data, as well as download and run files. Emotet also creates randomly named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.

Emotet’s persistence also relies on its ability to constantly evolve and be updated through communication with the C2 server. For instance, according to a report by Kryptos Logic, an Emotet infection could now mean a data breach, because it has added email exfiltration to its arsenal. The trojan is now able to exfiltrate the body and subject of emails going back 180 days in the mail history. Previously, Emotet had only been able to scrape the email account's contact list.

In addition, the trojan attempts to propagate across the local network through incorporated spreader modules. The five known spreader modules are:

NetPass.exe: a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user or in the credentials file of external drives.

Outlook scraper: a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.

WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.

Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.

Credential enumerator: a self-extracting RAR file containing two components – a bypass and a service component. The bypass component is used for enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk. Access to SMB can result in entire domains (servers and clients) becoming infected.

Emotet's ability to download or drop additional pieces of malware intensifies the consequences of infection: as the trojan propagates through the local network, it drops and downloads other malware. The ability to drop other types of malware can lead to other infections, most often other banking trojans, which increases the cost of recovery further. For instance, Emotet is capable of damaging the integrity of the overall network by dropping malware, such as Trickbot or AZORult, with a Remote Access Trojan (RAT). Emotet is so successful at dropping malware that it has helped Trickbot and AZORult, a banking trojan and an infostealer respectively, make it onto September’s Top Ten Malware list. In September, as shown in the chart, Emotet was number one on the MS-ISAC’s Top Ten Malware list, making up 29% of infections seen, while Trickbot and AZORult made up 2% and 3% respectively. Essentially, Emotet is responsible for 34% of all infections during the month of September. Emotet has consistently been at the top of the list, coming in at number one in October and number two in November on the MS-ISAC’s Top Ten Malware list.

To illustrate how destructive Emotet is, recently, an organization reached out to the MS-ISAC for assistance regarding an Emotet infection that affected their entire network. The organization found the presence of GandCrab ransomware on their machines. After further investigation by the MS-ISAC, it was determined that the ransomware was dropped by Trickbot and that Emotet was the origin. At that point, workstations and servers, as well as the domain controller server, had been infected. The organization took their network offline because of the rapid propagation of Emotet, as well as Trickbot. They had to reimage all systems and reset all passwords.
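Two of the propagation behaviours described above leave ordinary Windows event log evidence: the credential enumerator's SMB brute forcing produces failed network logons (Security event 4625, with logon auditing enabled) on the targeted host, and the randomly named file run as a service produces a service-installation record (System event 7045). The PowerShell below is an added example written for this article, not MS-ISAC or CIS tooling. It runs against constructed sample events so it can be tried offline; the failure threshold, the time window, the "system root" heuristic and every IP address, account and service name in the sample data are assumptions for illustration, not indicators published by the MS-ISAC.

```powershell
# Added example: hunting Emotet-style lateral movement in Windows event data.
# Not MS-ISAC tooling. Thresholds, the root-directory heuristic and all sample data are assumptions.

function Find-SmbBruteForce {
    <# Flags a source address that fails network (type 3) logons against many accounts in a
       short window, the pattern left by the credential-enumerator module. Input objects need
       TimeCreated, LogonType, TargetUser and SourceIp (see the note below for mapping from 4625). #>
    param(
        [Parameter(Mandatory)] [object[]] $LogonFailures,
        [int] $Threshold = 10,        # assumed: failures from one source before we alert
        [int] $WindowMinutes = 5      # assumed: time span those failures must fit in
    )
    $LogonFailures |
        Where-Object { $_.LogonType -eq 3 } |          # SMB authenticates as a network logon
        Group-Object -Property SourceIp |
        ForEach-Object {
            $sorted   = @($_.Group | Sort-Object TimeCreated)
            $span     = $sorted[-1].TimeCreated - $sorted[0].TimeCreated
            $accounts = @($sorted | ForEach-Object { $_.TargetUser } | Sort-Object -Unique)
            if ($sorted.Count -ge $Threshold -and $span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    SourceIp   = $_.Name
                    Failures   = $sorted.Count
                    Accounts   = $accounts.Count
                    TriedAdmin = [bool]($accounts -contains 'Administrator')
                    FirstSeen  = $sorted[0].TimeCreated
                    LastSeen   = $sorted[-1].TimeCreated
                }
            }
        }
}

function Find-RootServiceInstall {
    <# Flags service installs (7045 shape: TimeCreated, ServiceName, ImagePath) whose binary sits
       directly in a system root directory. Heuristic assumption: legitimate services live under
       System32 or Program Files, not in the bare root of C:\ or C:\Windows. #>
    param(
        [Parameter(Mandatory)] [object[]] $ServiceInstalls,
        [string[]] $RootDirs = @('C:\', 'C:\Windows')   # assumed system roots
    )
    $roots = $RootDirs | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
    foreach ($svc in $ServiceInstalls) {
        # ImagePath may be quoted and may carry arguments; keep only the executable path.
        if ($svc.ImagePath -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($svc.ImagePath -split '\s+')[0] }
        $dir = [System.IO.Path]::GetDirectoryName($exe)
        if ($dir -and ($roots -contains $dir.TrimEnd('\').ToLowerInvariant())) {
            [pscustomobject]@{ TimeCreated = $svc.TimeCreated; ServiceName = $svc.ServiceName; ImagePath = $exe }
        }
    }
}

# --- Constructed sample data (not real telemetry) ---
$t0 = Get-Date '2018-11-20T09:00:00'
$failures = @(1..12 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(3 * $_); LogonType = 3; TargetUser = "user$_"; SourceIp = '10.1.1.25' }
})
$failures += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(40); LogonType = 3; TargetUser = 'Administrator'; SourceIp = '10.1.1.25' }
$failures += [pscustomobject]@{ TimeCreated = $t0; LogonType = 2; TargetUser = 'jsmith'; SourceIp = '10.1.1.40' }  # one mistyped console password, benign

$services = @(
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); ServiceName = 'xkqvtnlr'; ImagePath = '"C:\Windows\xkqvtnlr.exe"' },
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); ServiceName = 'Spooler';  ImagePath = 'C:\Windows\System32\spoolsv.exe -k print' }
)

Find-SmbBruteForce -LogonFailures $failures | Format-Table -AutoSize        # one row: 10.1.1.25, 13 failures, 13 accounts, TriedAdmin True
Find-RootServiceInstall -ServiceInstalls $services | Format-Table -AutoSize # one row: xkqvtnlr in C:\Windows
```

On a live host the same objects can be built from Get-WinEvent: for Security event 4625 the target user is Properties[5].Value, the logon type Properties[10].Value and the source address Properties[19].Value; for System event 7045 the service name is Properties[0].Value and the image path Properties[1].Value. A single failed console logon does not trip the first function because it is not a network logon, and a well-known service under System32 does not trip the second; both checks are coarse and are meant as a starting point for a hunt across the whole network, not as a signature.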
Recommendations

SLTT governments should adhere to the following best practices to limit the effect and risk of an Emotet infection.

Use Group Policy to set a Windows Firewall rule to restrict inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. At a minimum, SLTT governments should create a Group Policy Object that restricts inbound SMB connections to clients originating from other clients. Furthermore, SLTT governments should routinely apply patches to all systems after the appropriate testing takes place, and maintain up-to-date antivirus programs on clients and servers with automatic updates of signatures and software.

To reduce organizational contact with malspam, Emotet’s infection vector, policies and procedures should be implemented. Implement filters at the email gateway to filter out emails with known malspam indicators, like known malicious subject lines, or file attachments associated with malware, such as .zip files. Have a policy regarding all suspicious emails that specifies employees report them to the security and/or IT departments. Additionally, organizations should mark external emails with a banner denoting that they come from an external source, which will assist employees in detecting spoofed emails. The implementation of Domain-based Message Authentication, Reporting, and Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures, can also assist in reducing malspam. Furthermore, organizations should prioritize training to help employees recognize malspam. Training should emphasize that employees should not open suspicious emails, click links contained in such emails, or post sensitive information online, and should never provide usernames, passwords, or personal information in response to any unsolicited request.

In the event that a malicious email is opened and/or an infection is believed to exist, we recommend running an antivirus scan and acting on the results to isolate the infected computer. If an infection has occurred, the compromised network may need to be taken offline to ensure no additional malware gains access. This will help with performing identification, preventing reinfections, and stopping the spread of malware. Do not log in to the systems using domain or shared local admin accounts, as doing so will further spread the infection. After reviewing systems for Emotet indicators, move clean systems to a containment VLAN, segregated from the infected network, and reimage the infected machines. Lastly, issue password resets for domain, local, and possibly other credentials, as Emotet can scrape credentials from additional applications. After credentials are reset, review log files and the Outlook mailbox rules associated with the user account to ensure further compromises have not occurred. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach.
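The first recommendation (restrict inbound SMB between clients) and the last (check mailbox rules for auto-forwarding after the password reset) are both a few lines of PowerShell. The block below is an added example written for this article, not CIS or MS-ISAC code. The subnet ranges, the GPO name, the internal mail domain and the sample mailbox rules are assumptions for illustration; replace them with your own before use, and test the firewall rules on a pilot group before pushing them through Group Policy.

```powershell
# Added example, not CIS or MS-ISAC code. Two of the recommendations above in PowerShell:
# the inbound-SMB firewall restriction and the post-reset inbox-rule audit.
# Subnet values, the GPO name and the sample mailbox rules are assumptions for illustration.

function Set-ClientSmbIsolation {
    <# Blocks inbound SMB (TCP 139/445) from the workstation ranges while leaving the server and
       management range able to reach clients. Windows evaluates Block rules before Allow rules,
       so the block wins over any broad File and Printer Sharing allow rule already present, and
       the explicit allow only matters if no such rule exists. Pass -PolicyStore 'domain\GPO name'
       to write the rules into a GPO instead of the local host's firewall. #>
    param(
        [string[]] $ClientSubnets  = @('10.10.0.0/16'),   # assumed workstation ranges
        [string[]] $TrustedSubnets = @('10.0.5.0/24'),    # assumed file/management servers
        [string]   $PolicyStore
    )
    $common = @{ Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = @(139, 445); Profile = @('Domain', 'Private') }
    if ($PolicyStore) { $common['PolicyStore'] = $PolicyStore }
    New-NetFirewallRule @common -DisplayName 'Emotet containment: block client-to-client SMB' `
        -RemoteAddress $ClientSubnets -Action Block
    New-NetFirewallRule @common -DisplayName 'Emotet containment: allow SMB from trusted servers' `
        -RemoteAddress $TrustedSubnets -Action Allow
}

function Get-ExternalForwardingRule {
    <# Returns inbox rules that forward or redirect mail to an address outside the given domains.
       Input is the output of Get-InboxRule (Exchange Online or on-premises), which exposes
       ForwardTo, ForwardAsAttachmentTo, RedirectTo and DeleteMessage on each rule. #>
    param(
        [Parameter(Mandatory)] [string[]] $InternalDomains,
        [Parameter(Mandatory)] [object[]] $InboxRules
    )
    foreach ($rule in $InboxRules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($target in $targets) {
            # Recipient entries render as '"Display Name" [SMTP:user@domain]' or as a bare address.
            if ("$target" -match '([^\s\[\]:"<>]+)@([^\s\]>"]+)') {
                if ($InternalDomains -notcontains $Matches[2]) {
                    [pscustomobject]@{
                        Mailbox = $rule.MailboxOwnerId
                        Rule    = $rule.Name
                        Target  = $Matches[0]
                        Enabled = $rule.Enabled
                        Deletes = $rule.DeleteMessage   # forward-and-delete hides the theft from the user
                    }
                }
            }
        }
    }
}

# --- Constructed sample rules (not real mailbox data); real input comes from Get-InboxRule ---
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'jsmith'; Name = '.'; Enabled = $true; DeleteMessage = $true
                       ForwardTo = @('"mail drop" [SMTP:drop@mail-archive.example]'); ForwardAsAttachmentTo = $null; RedirectTo = $null },
    [pscustomobject]@{ MailboxOwnerId = 'jsmith'; Name = 'Payroll'; Enabled = $true; DeleteMessage = $false
                       ForwardTo = @('"Payroll Team" [SMTP:payroll@example.gov]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
)
Get-ExternalForwardingRule -InternalDomains 'example.gov' -InboxRules $sampleRules | Format-Table -AutoSize
# -> one row: jsmith, rule '.', drop@mail-archive.example, Enabled True, Deletes True

# Set-ClientSmbIsolation -ClientSubnets '10.10.0.0/16' -TrustedSubnets '10.0.5.0/24'   # run on a pilot host or with -PolicyStore
```

To audit every mailbox rather than one, collect the rules first, for example `$rules = Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.Identity }`, and pass them as -InboxRules. Inbox rules are not the only forwarding path: the mailbox-level ForwardingSmtpAddress property returned by Get-Mailbox should be reviewed in the same pass. A rule named with a single character or punctuation mark, as in the sample, is a common sign that it was created to be overlooked.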
Affordable Legal and Identity Theft Protection

Have you ever had a dispute with a creditor, neighbor or landlord? Have you ever received a traffic ticket or signed a contract? Have you ever been a victim of a data breach? Used public Wi-Fi or ever lost your wallet? Get the legal and identity theft protection you and your family deserve with LegalShield and IDShield. Through a nationwide network of provider law firms, LegalShield provides every member direct access to a dedicated law firm. And IDShield is the only identity theft protection plan armed with a team of licensed private investigators, ensuring that if your identity is stolen it will be fully restored.

LegalShield Benefits:*
• Legal consultation and advice
• Dedicated law firm
• Legal document review (up to 15 pages each)
• Access to legal forms/contracts
• Letters and phone calls made on your behalf
• Speeding ticket assistance
• Will preparation
• 24/7 emergency legal access
• Mobile app
• And more!

IDShield Plan Benefits:*
• Identity consultation and advice
• Dedicated licensed private investigators
• Child monitoring (family plan only)*
• Identity and credit monitoring
• Identity threat and credit inquiry alerts
• Social media monitoring
• Complete identity restoration
• Monthly credit score tracker
• Password manager
• 24/7 emergency access
• Mobile app
• And more!

We have an app for that! With the LegalShield and IDShield mobile apps, you can easily begin your Will preparation, track your alerts and have on-the-go access, 24/7 for emergency situations!

AFFORDABLE PROTECTION
Starting at $8.95 a month
For more information visit: www.legalshield.com/info/centersecurity

*This is a general overview of the legal and identity theft protection plans available from LegalShield for illustration purposes only. See plan details or plan contract for specific state of residence for complete terms, coverage, amounts, conditions and exclusions. Google Play and the Google Play logo are trademarks of Google Inc. Apple, the Apple logo, and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc., registered in the U.S. and other countries.
The Increasing Burden on Consumers to Protect Their Identity
With major data breaches being reported regularly and more and more of our sensitive data being put at risk, how can consumers best safeguard their personal information?
By Joel Barnehama

The constant drumbeat of data breaches in the news is a stark reminder that more people than ever are vulnerable to being victimized by computer hackers as online transactions become the norm. Last year, the Equifax breach affected about 148 million Americans, or 40 percent of the U.S. population. Earlier this year, the personal data of millions of citizens were exposed at the marketing firm Exactis. Earlier this month, 500 million records were compromised from the data breach of Marriott's Starwood reservation system, which could potentially be the second biggest data breach of all time. Even LifeLock showed a vulnerability of its own when it exposed members’ email addresses through a third-party marketing site. These episodes, and many others, point to the growing dangers of the Dark Web, as well as the severe damage its purveyors can cause both individuals and families.
In today’s post-digital age, all sensitive information – which includes Social Security numbers, driver’s license numbers, financial and medical data, and more – is becoming increasingly vulnerable to the threat of exposure. Identity protection has become a personal responsibility, akin to purchasing automotive, life, or health insurance, and consumers must take preemptive action. But buyers beware. Following the Equifax breach, the news media delivered a flood of mostly confusing information about how consumers can protect themselves from identity theft. Chief among these recommendations was for people to immediately freeze their credit files. Earlier this year, President Donald Trump signed new legislation that allows consumers to “freeze” and “thaw” their credit files for free. While this new policy offers consumers an inexpensive option to safeguard their information, that does not necessarily make it the best option. It is also generally misunderstood among most consumers.

A credit freeze is a block against the opening of any new accounts in your name. That could be fine, unless you want to borrow money for a car or house, or take advantage of a purchase discount offered by a retailer if you apply for its credit card. There are benefits to freezing one’s credit, such as minimizing the risk of credit identity theft, but severe limitations as well. A freeze does not prevent fraud involving existing bank or credit accounts. For many people, the sheer inconvenience of remembering passwords and PINs is enough to turn them off. Additionally, it can be cumbersome and annoying to unfreeze your credit when needed. Credit freezes tend to give people an inflated sense of security, causing them to neglect other important precautions, such as reviewing bank statements. A credit freeze is also a moot point for those who have already had their personal information compromised and are currently undertaking steps to restore their identity. Most importantly, credit freezes do not prevent every form of identity theft; thieves can still use stolen Social Security numbers to secure employment and commit tax fraud.

What would better serve consumers is if companies educated them about credit and identity monitoring – important details that are ultimately the backbone of many identity theft protection products. The key for consumers is to understand that monitoring does not prevent identity theft, but rather notifies them when activity is detected. Identity monitoring is an alert system. It tells consumers when a crime is being committed or has recently been committed. There is a growing onus on consumers to take initiative and research how different monitoring services work. There are several excellent options on the market, but the best protection plans are those that not only monitor your identity, but also restore your identity for you through credit reports, criminal and court records, and other public databases, as well as offer support services after fraudulent activity has been detected, such as emergency assistance and consultations with licensed investigators and legal professionals. Even better if the service also monitors Dark Web sites, internet relay chat (IRC) channels, chat rooms, peer-to-peer sharing networks, and social feeds for its members’ personally identifiable information (PII). The ideal protection plan should hit as many of these items as possible and provide comprehensive monitoring and response. As hackers continue to stay a few steps ahead of algorithms designed to thwart attacks, identity protection products are essential for living in a post-digital age without fear of having one’s life upended.

Joel Barnehama is Executive Director and Independent Associate for LegalShield and IDShield, North America’s leading provider of legal safeguards and one of the leading providers of identity theft protection for individuals, families, and small businesses. Prior to LegalShield, Joel spent nine years in management consulting, working with small to mid-sized businesses. Prior to that, Joel spent 20 years as Vice President and Chief Executive Officer of ISC Transport, an international freight forwarding company specializing in logistics and transport of military and aerospace products. His areas of expertise include business planning, financial reporting, sales and marketing, and security issues.
15
Cybersecurity Quarterly
Breaking the Cycle of Cyber Breaches

Finding the right mix of security tools involves being flexible and focusing on outcomes

By Patrick Sullivan

When we look back at cybersecurity breach reports compiled by leading vendors over the past several years, we see many of the same trends repeating themselves, which highlights the need for new security strategies. At some point in a successful breach, there is easy lateral movement on the part of the attacker across an internal network.

One effective way to break that cycle is by shifting to a zero-trust model, which removes trust and security from the network level. Zero trust is an architectural change that involves basing security decisions on a user’s identity, strong authentication of that user, and a keen understanding of his or her role. Based on these criteria, security teams can limit access to applications to the minimum required to perform the duties associated with the role.

There are many other innovative tools and strategies available for agencies to implement in their security procedures to help stop a breach. Unfortunately, they often require a great deal of expertise and time to configure properly and then continue to fine-tune. That consumption gap can be a challenge for agencies, which is why it’s often best to give consideration to ease of use when choosing new tools. In other words, agencies should consider picking tools they have the resources to run or can quickly develop sustainable expertise in maintaining.
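The access decision the zero-trust model above describes, where identity, authentication strength and role decide what an application grants and the network location of the request is not an input at all, can be made concrete. The Python below is an added example written for this article; it is not code from the article or from Akamai, and the application names, roles and authentication levels in its policy table are constructed for illustration.

```python
"""Toy zero-trust access decision: identity + authentication strength + role.

Added example, not code from the article or from Akamai. Application names,
roles and authentication levels are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class AuthStrength(IntEnum):
    """Ordered so that a stronger authenticator compares greater than a weaker one."""
    NONE = 0
    PASSWORD = 1          # single factor
    PASSWORD_MFA = 2      # password plus a one-time code
    HARDWARE_KEY = 3      # phishing-resistant authenticator


@dataclass(frozen=True)
class Session:
    """What the identity provider asserts about the caller; no IP, no VLAN."""
    user: str
    roles: frozenset
    auth: AuthStrength


@dataclass
class AppPolicy:
    """Per-application requirements: who may use it, how strongly they must
    have authenticated, and which actions each role is allowed."""
    allowed_roles: frozenset
    min_auth: AuthStrength
    allowed_actions: dict = field(default_factory=dict)  # role -> set of actions


# Constructed policy table. Roles are granted the minimum their duties need:
# HR can read payroll but only finance can approve it.
POLICIES = {
    "payroll": AppPolicy(
        allowed_roles=frozenset({"hr", "finance"}),
        min_auth=AuthStrength.PASSWORD_MFA,
        allowed_actions={"hr": {"read"}, "finance": {"read", "approve"}},
    ),
    "wiki": AppPolicy(
        allowed_roles=frozenset({"staff", "hr", "finance"}),
        min_auth=AuthStrength.PASSWORD,
        allowed_actions={"staff": {"read"}, "hr": {"read", "edit"}, "finance": {"read", "edit"}},
    ),
}


def decide(session: Session, app: str, action: str) -> tuple:
    """Return (allowed, reason). Default deny: an unknown application, an
    authenticator weaker than the policy requires, a role with no grant, or an
    action outside the role's grant all produce False."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, f"no policy for application {app!r}"
    if session.auth < policy.min_auth:
        return False, f"authentication {session.auth.name} below required {policy.min_auth.name}"
    roles = session.roles & policy.allowed_roles
    if not roles:
        return False, "no role grants access to this application"
    permitted = set().union(*(policy.allowed_actions.get(r, set()) for r in roles))
    if action not in permitted:
        return False, f"action {action!r} not permitted for roles {sorted(roles)}"
    return True, f"allowed via roles {sorted(roles)}"


if __name__ == "__main__":
    alice = Session("alice", frozenset({"staff", "finance"}), AuthStrength.PASSWORD_MFA)
    bob = Session("bob", frozenset({"staff"}), AuthStrength.PASSWORD)
    for s, app, action in [(alice, "payroll", "approve"), (bob, "payroll", "read"), (bob, "wiki", "read")]:
        print(s.user, app, action, decide(s, app, action))
```

Note that nothing in the decision depends on where the request came from, which is what denies an attacker who has already reached the internal network the easy lateral movement described above: a session without a role grant or a strong enough authenticator is refused by the application policy itself, not by a perimeter.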
Agile, Automated Security

Conversely, some security analysts say the model of continually buying the latest security appliance from a vendor without ensuring that the customer has the expertise to keep it operating efficiently has probably reached its conclusion. Now we’ll see more agencies and private-sector entities buying products along with the expertise to run them as a managed service.

In terms of internal development, DevOps or a similar agile method is becoming mandatory if agencies want to stay ahead of adversaries. At Akamai, we see attackers scan on a massive scale for the existence of vulnerabilities — often within an hour of a vulnerability being revealed. Using DevOps could help agencies win the race to eliminate vulnerabilities before an adversary can exploit them. Under a waterfall development model, it could take agencies several months to issue a fix. That is simply too long. Agencies need to be extremely agile to stay ahead of vulnerabilities, and as they move to models that are heavily based on automation and DevOps, their security tool updates also need to be automated. If developers must exit their workflow to manually update a security solution, it undermines the agency’s ability to be fast, efficient, and innovative and could expose it to new vulnerabilities.
Going Beyond the AI Hype

There is a great deal of hype about artificial intelligence (AI) and machine learning, and in some ways that hype overshadows the value of those solutions. For agencies, narrowing machine learning down to focus on a very specific problem can be extremely beneficial. For example, the technology could support agencies’ security efforts by examining data that is often overlooked. The typical agency has reams of data making its way to a security information and event management system or a log graveyard. Better inspection of all that data by a machine learning algorithm could offer unexpected insights and free highly trained security experts for higher-level activities.

Ultimately, emerging cybersecurity approaches are about choosing tools that fit into an agency’s automation flow, buying an outcome rather than just an appliance, and using flexible approaches to help agencies respond more quickly to a continual flood of new vulnerabilities.

Patrick Sullivan is Akamai’s Senior Director of Global Security Strategy. In his 12 years at Akamai, Patrick has held a number of leadership positions, including leading the Enterprise Security Architect team. Patrick and his team work with customers when they come under attack and design security architectures to protect them from threats. In the course of helping to fend off so many attacks, he has gained unique visibility into attacks targeting many of the top enterprises. With his unique ability to see security issues as a critical component of a client’s business strategy, Patrick often speaks at security events and with clients around the world. Patrick holds a variety of security certifications including CISSP, GSLC, GCIH, and GWAPT. Patrick holds an Electrical Engineering degree from Virginia Tech, a graduate degree from George Mason University, and a Graduate Certificate from Stanford University. Prior to Akamai, Patrick held various leadership positions at DISA, AT&T, Savvis, and Cable and Wireless.
Cyber Tips & Tricks

This Quarter’s Tip: Making New Year's Resolutions

by Joshua Palsgraf, Cyber Intelligence Analyst, MS-ISAC

The end of the year is a great time to start laying out a plan for the new year and create your cybersecurity resolutions. This year, I have chosen three New Year’s resolutions: password management, privacy management, and staying relevant within the field.

Password management can easily fall by the wayside, but with the right preparation, it can be easy. It is incredibly important, as it can protect your accounts if one is compromised and will make it difficult for malicious actors to guess your password with a brute force attack. Ideally, you should follow the National Institute of Standards and Technology’s (NIST) password recommendations. If you're unable to follow NIST, the MS-ISAC recommends that you at least change all default passwords to better secure your accounts. You should create passwords that are long and complex, using upper and lower-case letters, numbers, and special characters. Also, every account should have a unique password. This can be difficult, especially when we all have so many accounts and passwords. One simple way to do this is to use a password manager, which can safely store and manage all your passwords. By doing this, you only have to remember one password – the one for the password manager. Password managers may store passwords either in the cloud or locally on your device, both of which have drawbacks. With cloud storage, you’re trusting the password manager to keep your data safe; with local storage, while you have complete control over your data, your device could be lost or damaged. Another good technique to assist in building strong, unique passwords is to choose a repeatable pattern for your password. Lots of websites can provide advice on easy methods to help you do this.

I’m also focusing on privacy management because it’s something we all would like to do well, but it sometimes is not at the forefront of our thoughts. This is especially true when you want to visit a certain webpage, access a popular application, or connect your latest gadget to your network. One simple strategy is to make sure your web browser privacy settings are adjusted to meet your personal security preferences. Certain privacy settings allow you to control who can track your browsing traffic or send notifications to your computer. When using an app or signing into one website via the login of another, make sure you know what information the application wants access to and only give it the minimum requirements. For this upcoming holiday, some of us might be hoping to receive the latest gadgets as gifts – I know I am! Unfortunately, these gadgets don’t always have security built in, or the security that is there is left at its default settings. Online guides can help you change the settings to be more secure and make sure only secure gadgets have access to your network. I found this fun website that shows you various gadgets and how creepy they can be when it comes to privacy.

The third thing I’m resolving to do is stay relevant in my field, which is not only easy to do, but enjoyable. This can easily become part of your routine by using a news aggregator and signing up for notifications or email lists. Every morning, while I sit down at my kitchen table, I have a cup of coffee and sign on to my news aggregator account, where I can stay relevant while reading articles that I enjoy. I actually came across the above linked article while going through my news aggregator account one morning.

Making New Year’s resolutions is easy; sticking to them, not so much. That’s why picking ones you can stick to is important. Password management, privacy management, and staying relevant are my cybersecurity resolutions. What will yours be?
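Two of the password points in the column above, long random passwords and a unique one for every account, are things a password manager does for you, and they can be checked in code. The Python below is an added example and is not code from the column or from MS-ISAC; the account names and the sample vault are constructed, and auditing for reuse through a keyed hash rather than by comparing plaintext is an assumed design choice, not something the column describes.

```python
"""Added example, not code from the column or from MS-ISAC: generate long
random passwords and audit a stored set for reuse across accounts.
Account names and the sample vault below are constructed data."""
import hashlib
import hmac
import math
import secrets
import string

# Upper and lower-case letters, digits and special characters, as the column asks.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG via `secrets`; the `random`
    module is predictable and must not be used for credentials."""
    if length < 8:
        raise ValueError("length must be at least 8")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing resistance of a uniformly random password: length * log2(alphabet).
    A 20-character password over 94 symbols is about 131 bits, far beyond
    what a brute-force attack can enumerate."""
    return length * math.log2(alphabet_size)


def fingerprint(password: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) so two stored passwords can be compared for
    equality without the audit ever handling or logging them in clear."""
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()


def find_reused(vault: dict, key: bytes) -> list:
    """Return groups of accounts (each a set of 2+ names) that share one password.
    `vault` maps account name -> password, as a manager would hold it after decryption."""
    groups = {}
    for account, password in vault.items():
        groups.setdefault(fingerprint(password, key), set()).add(account)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    # Constructed vault: two accounts reuse the same password.
    sample_vault = {
        "bank": "Winter2018!",
        "email": "Winter2018!",
        "shop": generate_password(),
    }
    audit_key = secrets.token_bytes(32)  # per-run key; fingerprints need not persist
    print("reused across:", find_reused(sample_vault, audit_key))
    print("entropy of a 20-char password:", round(entropy_bits(20), 1), "bits")
    print("replacement for the reused ones:", generate_password(), generate_password())
```

The audit is the check a password manager's "reused passwords" report performs: it groups accounts by password identity and flags any group with more than one member, so that each of those accounts gets its own freshly generated credential.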
SECURITY THREATS MAY CHANGE, BUT AKAMAI’S ABILITY TO STOP THEM DOES NOT.
Cyber security in a hyper-connected world requires enterprise protection at the Network, Application and Data Center. Come see why the majority of the cabinet-level departments and all branches of the US Military trust the Akamai Threat Intelligence platform at carahsoft.com/innovation/Akamai-cyber.
Cyberside Chat This Quarter's Topic: 2018: A Year in Review by Sean Atkinson, Chief Information Security Officer, CIS
As we draw close to the end of 2018, I would like to take this time to review some of the highlights in cybersecurity over the last twelve months. The list of data breaches and critical cybersecurity events continues to increase year over year. This points to a lack of technical controls and to the difficulty of managing the greater expectations now placed on cybersecurity. I often review new vulnerabilities as they are identified, and by the latest count as of the writing of this article, 2018 had the highest number of vulnerabilities discovered, 15,354 Common Vulnerabilities and Exposures (CVE), compared to 14,714 in 2017. This points to an increasing level of research and discovery aimed at finding exploitable weaknesses in the underlying systems and applications on which we are so very dependent.

If we correlate the increase in known vulnerabilities with the ever-expanding attack surface, the result is a larger threat landscape. As we introduce more devices and services to online access and management, attack methods are evolving to incorporate such technologies into the Tactics, Techniques, and Procedures (TTP) cyber adversaries use to undermine security and increase risk.

A review of 2018 wouldn’t be complete without mentioning the added utility of Artificial Intelligence (AI) and Machine Learning (ML). The insights and integrations of such technologies have become a marketing delight for those vendors able to introduce these capabilities into their offerings. Given the amount of data and the requirement for analysis to identify attack vectors and breach metrics, these technologies have found a home within the cybersecurity domain. Hopefully, 2019 will see the utilization of such technologies and provide metrics of thwarted attacks using predictive and adaptive technologies to counter the attacking adversary.

We have also seen the manifestation of data privacy as an enabler of legislation. The General Data Protection Regulation (GDPR) in the EU has set a regulation that holds those who process and control personal data implicitly responsible for the protection of that data. Even with such requirements for impact studies and protection plans, we continue to see data breaches across multiple industries. 2018 has also seen a desensitization towards such news. It seems commonplace that breaches are inevitable and personal data is posted, sold, and exchanged on the ‘Dark Web’. This perspective has been reinforced by the failure to hold organizations responsible for their data control and security management practices. It is important that we remain vigilant as digital citizens and understand the risks of providing personal information to access services and products.

CIS® Continues to Grow

In 2018, CIS introduced the following products: CIS Controls™ Version 7 were released, providing industry-leading cybersecurity guidance. CIS RAM (Center for Internet Security® Risk Assessment Method) was introduced as a methodology to apply the CIS Controls to cyber risk management. The ability to assess the controls and their impact on risk and burden assists organizations in making more effective risk treatment decisions. CIS-CAT Pro Assessor v4 was released with remote assessment for endpoints, a major new benefit for CIS SecureSuite® Members. This configuration assessment tool compares a target system’s configuration settings to consensus-developed CIS Benchmark recommendations. Expansion in the cloud arena has seen a boost in the utilization of CIS Hardened Images for controlled infrastructure and the use of CIS Benchmarks™ to confirm secure configurations are in place. More recently, we developed the Hardened Container Image, allowing other technologies to utilize CIS’ configuration best practices in a containerized environment. Another major initiative in 2018 was the establishment of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). The EI-ISAC welcomed over 1,400 new members in its first year. Using the Elections Security Infrastructure Handbook and the Elections Infrastructure Assessment Tool (EIAT), elections officials are able to understand the security control requirements regarding this critical infrastructure element.

What’s Ahead?

2019 may not be the year of flying cars, but it is certain to bring new advancements in technology. Likewise, this year will bring new cyber attacks and vulnerabilities. Preparing for cyber threats is a shared responsibility that takes planning and cooperation – but it is a task worth doing. From protecting the systems that help run elections to implementing secure configurations, there’s a lot to defend. By working together to implement security best practices, we can help make the internet a safer place for all.
MS-ISAC Update

The MS-ISAC & EI-ISAC Membership Continue Their Exponential Growth

The final quarter of 2018 has seen continued recruitment success for both the MS-ISAC and EI-ISAC, continuing our banner year of strong growth among both entities' memberships. Through thousands of miles of travel, countless phone calls, and untold speaking engagements and exhibit spaces, the team has continued to foster incredible growth and help strengthen the cybersecurity defenses of the state, local, tribal, and territorial (SLTT) community.

With the completion of the 2018 midterms, EI-ISAC membership has increased to 1,427 separate election entities across the country. The MS-ISAC has also seen significant growth in the K-12 sector, with over 100 local school districts becoming members this quarter alone. Since our inception in 2010, we have steadily grown ISAC membership, and our commitment to local governments is paying very big dividends. As we expand our reach into more diverse sectors, we are providing a truly valuable service to the nation. Thank you to all of our current members for your efforts on our behalf and for touting the benefits of membership to the greater community. Without your efforts on our behalf, we would not have achieved this goal.

2017 Nationwide Cybersecurity Review Summary Report Released

The MS-ISAC is excited to share the 2017 Nationwide Cybersecurity Review (NCSR) Summary Report. This 38-page NCSR Summary Report encapsulates the findings of an extensive national survey that measures the gaps and capabilities of SLTT governments’ cybersecurity programs.

The 2017 report is based on participation from 476 SLTT entities, broken down into 45 states, 129 locals (representing 39 states), five tribes, and 297 state agencies. To access the report, visit: https://www.cisecurity.org/white-papers/2017-ncsr/

Additionally, the 2018 NCSR self-assessment is available through December 31st, 2018. We encourage everyone to participate by registering at https://www.cisecurity.org/ms-isac/services/ncsr/. Benefits of participating in the NCSR include:

• Utilize the NCSR to fulfill your justification requirement for cybersecurity investments under the Homeland Security Grant Program
• Gain metrics specific to your organization that can be used to identify gaps in your security program
• Access informative references that can assist in managing cybersecurity risk
• Anonymously measure your results against your peers
• Translate your NCSR scores to HIPAA Security Rule scores for an automatic self-assessment tool
• Develop a benchmark to gauge annual progress

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) lists the NCSR as a risk management resource for SLTTs.
Gallagher at a Glance

Gallagher has been designing solutions to meet our clients’ unique needs for 90 years. Founded in 1927 by Arthur J. Gallagher, we pioneered many of the innovations in risk management used by businesses in all industries today. We believe that the best environment for learning and growing is one that remembers the past and invents the future. A global corporation with more than 710 offices in 33 countries, Gallagher is a company with 24,700+ family members driven by our strong heritage and culture.

Gallagher’s Cyber Liability Practice

Gallagher’s Cyber Liability Insurance professionals are dedicated to a holistic philosophy of approaching cyber risk. Our practice provides innovative insurance policy solutions and also offers comprehensive cyber risk management services. Our robust risk management services platform includes:

• Proprietary Cyber Insurance Limits Modeling / Third-Party Benchmarking / Cost of a Breach Calculator / Quantitative Cyber Analysis
• Insurance Coverage Gap Analysis / Broker Table Top Exercises / Insurance Policy On-Boarding
• Best Practices (policies, articles, white papers, and webinars)
• Incident Response Planning
• Complimentary Preventive Services
• Strategic Vendor Relationships
• Insurance Policy Design and Implementation
• Contract Analysis
• On-line Network Assessments

Gallagher’s CIS Value Added Cyber Enhancement Amendatory

Gallagher has taken the opportunity to negotiate an exclusive CIS enhancement amendatory endorsement that expands the insurance terms provided by Everest Insurance® for CIS SecureSuite® membership. This endorsement will be provided to CIS SecureSuite® Members exclusively through Gallagher. This industry leading cyber insurance amendatory provides broad enhancements to the existing Everest policy language. CIS SecureSuite® Members may be eligible for a 10% discount and the Gallagher CIS Amendatory upon submitting a completed application (Everest Cyber Elevation Application - CIS Version) to SecureSuiteSubmissions@everestre.com with a carbon copy to Aimee_McNulty@ajg.com.

Learn more at AJG.com/Cyber

Ethical disclaimer: Arthur J. Gallagher & Co. has been recognized as one of the “World’s Most Ethical Companies” in 2012, 2013, 2014, 2015, 2016, 2017 and 2018. “World’s Most Ethical Companies” and “Ethisphere” names and marks are registered trademarks of Ethisphere LLC.

Gallagher Disclaimer: The information contained herein is offered as insurance industry guidance and provided as an overview of current market risks and available coverages and is intended for discussion purposes only. This publication is not intended to offer legal advice or client-specific risk management advice. Any description of insurance coverages is not meant to interpret specific coverages that your company may already have in place or that may be generally available. General insurance descriptions contained herein do not include complete insurance policy definitions, terms, and/or conditions, and should not be relied on for coverage interpretation. Actual insurance policies must always be consulted for full coverage details and analysis. Insurance brokerage and related services to be provided by Arthur J. Gallagher Risk Management Services, Inc. (License No. 0D69293) and/or its affiliate Arthur J. Gallagher & Co. Insurance Brokers of California, Inc. (License No. 0726293).
Upcoming Events

January

January 2nd - 4th
The Maryland Association of Counties (MACo) will be holding the MACo Winter Conference at the Hyatt Regency Chesapeake Bay Hotel in Cambridge, Maryland. The event will bring together the state's government leaders and legislators to build new relationships and discuss what's in store for Maryland in the upcoming year, with a particular focus on how the new legislative session affects local governments.

January 24th
Cyber Security Summit: Silicon Valley will take place at The DoubleTree by Hilton Hotel San Jose, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest threats from industry thought leaders. CIS Senior Director of Business Development Ryan Spelman will be a featured panelist at the event, speaking on insider threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

January 24th
The Federal Business Council will be holding its CyberUSA 2019 Conference at the University of Maryland Samuel Riggs Alumni Hall in College Park, Maryland. This one-day event will bring the cyber community together to collaborate on the mission purpose of establishing innovation, education, workforce development, enhanced cyber readiness, and resilience.

January 29th - 31st
Cyber Defense & Network Security (CDANS) 2019 will take place at the Hilton London Canary Wharf in London, United Kingdom. The event will focus on defending the most vulnerable component of cyber operations, the human operator, as well as examining new weaknesses uncovered by the rapid growth of social media, the connected world, and new offensive capabilities. CIS Senior VP Tony Sager will be a featured speaker, discussing the CIS Controls and their role in building cybersecurity through collaboration in the defense industry.

February

February 6th – 9th
The South Carolina Association of Registration and Election Officials (SCARE) will hold the SCARE Annual Conference in Myrtle Beach, South Carolina. The event will bring together the state's election officials to network and learn about the latest trends, best practices, and threats facing our elections. MS-ISAC Senior Account Management Specialist Kateri Gill will lead a session on leveraging EI-ISAC services.

February 9th – 12th
The National Sheriff's Association (NSA) will be holding its 2019 NSA Winter Legislative and Technology Conference at the J.W. Marriott Washington, D.C. The event will bring together high-level leadership from federal agencies, members of Congress, and sheriffs and law enforcement leaders from around the country to explore current legislation and trending technologies and products. MS-ISAC Director of Cyber Intelligence Stacey Wright will be a featured speaker at the event.

February 13th
Cyber Security Summit: Atlanta will take place at The Grand Hyatt Atlanta in Buckhead, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cybersecurity threats from industry thought leaders. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

February 13th - 14th
The 3rd Next Generation Cyber Security for Utilities Conference will take place at the DoubleTree by Hilton Hotel Denver. The event will bring together utility company leaders to network with their peers and learn about the current cybersecurity threats facing the nation's utilities from leading experts in the field. CIS Senior Director Ryan Spelman will be a featured panelist at the event, speaking on measuring and maintaining an effective cybersecurity strategy.

March

March 2nd - 6th
The National Association of Counties (NACo) will hold the 2019 NACo Legislative Conference at the Washington Hilton in Washington, D.C. The event will bring together over 1,500 county officials to focus on federal policy issues that impact counties and their residents. Attendees have the opportunity to engage in second-to-none policy and educational sessions, interact with federal officials, and participate in congressional briefings and meetings.

March 4th - 8th
RSA Conference 2019 will take place at the Moscone Center in San Francisco. One of the premier events of the cybersecurity industry, the event is about bringing all cybersecurity professionals together and empowering the collective “we” in the industry. Attendees will learn about the latest developments in expert-led sessions, inspiring keynotes, and in-depth seminars. Attendees will also demo innovative products and solutions, network with infosec insiders and peers, and help move the industry forward as part of an engaged and empowered global community.

March 11th
The Techno Security & Digital Forensics Conference will take place at the Hilton La Jolla Torrey Pines in San Diego. Blending digital forensics and cybersecurity, the event will raise awareness of developments, teaching, training, responsibilities, and ethics in the fields. CIS Senior Director of Business Development Ryan Spelman will lead a breakout session at the event on making security a competitive advantage.

March 21st
The Association for Federal Information Resources Management (AFFIRM) and the US Cyber Challenge (USCC), a program of CIS, will hold their 6th Annual Cybersecurity Summit in Arlington, Virginia. The half-day summit will feature discussions about the challenges in cybersecurity from CIOs, CISOs, and other thought leaders from government and industry, exploring growing threats and innovative approaches to attract and retain the best cyber talent. The event is also a significant booster of both the AFFIRM scholarship program, which helps students focused on IT skills, and USCC's cybersecurity summer camp program.

April

April 1st – 3rd
The MIS Training Institute (MISTI) will be holding the 25th Annual InfoSecWorld Conference & Expo at Disney's Contemporary Resort in Lake Buena Vista, Florida. Information security professionals from every field of study, hailing from more than 100 nations around the world, will come together to learn from the industry's leading experts on being both a business partner and enabler in their organizations, and having the technical expertise to prevent, detect, and respond to security challenges. CIS Senior VP Tony Sager will be a featured speaker at the event, leading a session on cyber maturity for businesses.

April 4th
Cyber Security Summit: Denver will take place, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cybersecurity threats from industry thought leaders. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

April 9th - 12th
The Alliance for Innovation will hold its annual Transforming Local Government Conference at the Silver Legacy Resort Casino in Reno, Nevada. The event will bring together local government professionals to learn new and innovative ways to better serve their communities. The conference will allow local government professionals to participate in highly interactive conversations, to network directly with the presenters, and to establish new and long lasting peer-to-peer contacts.
Confidence in the Connected World
Copyright © 2018 Center for Internet Security, All rights reserved.
CIS CyberMarket Interested in being a contributor? Please contact us: info@cisalliance.org www.cisecurity.org 518.880.0699