CYBER SECURITY FOR THE C-SUITE
An eBook by Learning Tree
Training You Can Trust
1-800-843-8733 • LEARNINGTREE.COM
TABLE OF CONTENTS
ABOUT THE AUTHORS (page 3)
INTRODUCTION (page 4)
4 ROOT CAUSES OF CYBER SECURITY FAILURES (page 5)
HOW TO INSTILL CYBER SECURITY ACROSS THE ORGANIZATION (page 7)
THE MOST IMPORTANT CYBER SECURITY AWARENESS MESSAGE (page 8)
HOW CAN WE HELP USERS IMPROVE SECURITY? (page 9)
THE USE OF INDIVIDUAL DEVELOPMENT PLANS (IDPS) FOR YOUR IT STAFF (page 10)
CYBER SECURITY FOR MANAGEMENT AND THE BOARDROOM (page 11)
ENHANCE YOUR ORGANIZATION’S CYBER SECURITY WITH LEARNING TREE’S COURSES (page 12)
ABOUT THE AUTHORS

RICHARD A. SPIRES
Before becoming the CEO of Learning Tree, Mr. Spires was appointed and served as the U.S. Department of Homeland Security’s Chief Information Officer from 2009 to 2013. Mr. Spires also served as the Vice-Chairman of the Federal Government CIO Council and the Co-Chairman of the Committee for National Security Systems (CNSS), the committee that sets standards for the U.S. Government’s classified systems. He held a number of positions at the Internal Revenue Service (IRS) from 2004 through 2008, including Deputy Commissioner for Operations Support and CIO.
JOHN MCDERMOTT
Mr. McDermott has been a course author and instructor for more than 30 years, contributing to Learning Tree’s cyber security, UNIX/Linux, C/C++ programming, software development, and IP networking courses.
BOB CROMWELL
Bob has been a course author and instructor at Learning Tree for more than 20 years. His courses specialize in cloud security essentials, Linux/UNIX security, Linux servers and virtualization, and UNIX/Linux optimization and troubleshooting.
INTRODUCTION
Richard Spires

It seems we can’t go more than a week or two without hearing about, or reading on the front page of the newspaper, that another major company or government organization has been hacked. Significant losses and reputational harm occur for companies with major breaches and, all too often, senior executives are fired for not having taken the appropriate steps to properly protect the organization. Losses on a worldwide basis from hacks are estimated in the hundreds of billions of dollars. And if that is not bad enough, there is a lack of talent to begin to address the problem. Network World estimates that, by next year, there will be a worldwide shortage of 2 million cyber security professionals.

While there are no “magic bullets,” boards of directors should demand the implementation of a comprehensive cyber security risk management process, with CEOs personally involved in making key, risk-based decisions regarding the proper level and type of cyber security protection. There is no perfect security, but organizations can go a long way toward minimizing the likelihood of a breach and the extent of damage when a breach does occur.

THIS BRINGS US TO THREE KEY QUESTIONS:
• How do CEOs and board members ensure they are doing the right thing?
• What should be done, and how much is enough?
• What does it really mean to have an effective Cyber Security Risk Management Process in place?
We’ve collected the wisdom of some of Learning Tree’s most accomplished cyber security experts in this eBook to help you and your organization navigate the ever-increasing complexities of cyber security to help you answer these questions for yourself — and most importantly, for your organization.
4 ROOT CAUSES OF CYBER SECURITY FAILURES
Richard Spires

This is a summary of my testimony for the Senate Appropriations Subcommittee on Financial Services and General Government on the 2017 Office of Personnel Management (OPM) data breaches. Four primary root causes have led to the massive data breaches and compromises of core mission IT systems in multiple government agencies and many private sector firms as well:
1. LACK OF IT MANAGEMENT BEST PRACTICES
During the decades of the 1970s and 1980s, organizations could build and deploy IT systems with little regard to security issues. This was not necessarily a management failure, since there were very few security concerns prior to the broad use of the internet and the rise of ubiquitous data networks. However, beginning in the 1990s and up to the present, many organizations — government and private sector alike — have failed to effectively adapt to the changes in IT and the evolving cyber security threat. When I served at IRS and then at DHS, we would all too routinely discover IT systems outside of the IT organization’s purview that had been developed and deployed without the proper IT security testing and accreditation. This highly distributed approach to IT management has led to a situation in which many organizations struggle with managing and maintaining a dispersed infrastructure and disparate systems. In far too many instances, hardware and software assets are not systematically tracked, software is not routinely updated and patched, and critical hardware and software has reached end-of-life and, in some cases, is no longer even supported by the vendors.
2. MISGUIDED IT SECURITY PRACTICES
While well intentioned and appropriate for its time, the Federal Information Security Management Act (FISMA) skewed the approach to government IT information security. Originally passed in 2002, it set a course for how IT security effectiveness has been measured in government. While there are some good components of the law, the unintended consequence is that it forced CISOs to look at the controls for individual systems, when in reality IT systems across the government were already becoming more interconnected, and viewing systems in isolation hid the impact on the larger enterprise security posture. Additionally, based on OMB guidance, FISMA was implemented during a period when the cyber threat was still emerging and the industry had not yet recognized the necessity of a security development life cycle. In fact, until very recently, systems would be certified and accredited on a three-year cycle, which, while perhaps manageable, is comical when looking at the rapid evolution of technology and the cyber threat environment. The law required the generation of paper-based reports, which diverted time, resources, and personnel from effective security efforts. At both the IRS and then DHS, I was consistently reluctant to put my confidence in the yearly FISMA report, since it did not reflect the true security posture of our overall IT environment. That can only be assessed by proper use of tools that continuously monitor the IT environment and are able to react to and mitigate threats in near-real time.

3. SLOW AND CUMBERSOME ACQUISITION PROCESS
Government and even some large private sector organizations can be ponderously slow, making it difficult to buy commercial solutions that help address vulnerabilities. When I was at DHS, I was a proponent of the Continuous Diagnostics and Mitigation (CDM) program, but it was dismaying to see how long it took — two plus years — to implement Phase 1, and for agencies to go through an additional competitive process within the CDM program itself to obtain capabilities. I am all for fair competition, but with sophisticated adversaries that will exploit any and all vulnerabilities, the government is even more vulnerable when it takes many months, if not years, to deploy new IT security capabilities.
4. SHORTAGE OF TALENTED CYBER SECURITY PROFESSIONALS
Even the best cyber security tools in the world require talented people who know how to use them. The shortage of cyber security professionals across the country continues to be a significant problem, making it difficult for IT organizations to have the skills in place to implement a robust and effective cyber security program.
HOW TO INSTILL CYBER SECURITY ACROSS THE ORGANIZATION
Bob Cromwell

“A chain is only as strong as its weakest link.” “What a cliché!” you say. Well, it became a cliché for a reason. People keep saying it because it does describe many situations. It’s a useful way of thinking about the world. In cyber security, we have a crucial security chain with links forged from technical systems — firewalls, intrusion detection systems, complex access control rules on file servers, Kerberos, and many more. But all of the people in your organization form another crucial security chain.
1. THE CHAIN OF PEOPLE
Every employee, from CEO to entry-level, plays an essential role in protecting your organization’s data and systems. Imagine that your sensitive data is all printed on paper and stored at the center of a large building. We use traditional brass keys to lock and unlock doors. The executives park in reserved spaces and enter through the formal lobby. Most of the engineers come in through the side doors so they can stop by the break room and get coffee. The workers who unload and load supplies and products come in through the shipping doors in the back of the building. Yes, the executives control the company and we think of the valuable data as their responsibility. But you don’t have to march in through the fancy lobby to get into the building and access the data. Any door will get the intruder into the building. Slip in through the loading dock, walk through the building, and now you can read (or modify, or remove) the sensitive papers.

2. HORIZONTAL MOVEMENT
In cyber security, we talk about horizontal movement: breaking into a weak platform as a first step and then moving from there to access sensitive data on nearby systems. Internal systems will generally be more trusting of each other. In the physical world you might say “Oh, that person just walked out of the storage room, they must work in this building.” In cyberspace, it’s “Oh, that connection is from another host on our internal trusted network, it must be legitimate.” Any form of access can be a risk, so they must all be protected. You will often hear people say something about “reducing the attack surface.” This is what they’re referencing.

3. EVERY PERSON MUST CONTRIBUTE
Networked information systems are complex, and what you think is a minor risk in an unimportant system might lead through some horizontal steps to valuable information. Every staff member must do what’s needed to protect their personal accounts and data. Learning Tree’s System and Network Security Introduction course introduces these concepts of securing various cyber avenues of access. The course also provides some ideas on how to communicate cyber security best practices to co-workers, suggesting ways they can also do their part.
THE MOST IMPORTANT CYBER SECURITY AWARENESS MESSAGE
John McDermott

The core message for cyber security awareness is the WIIFM – What’s In It For Me. A big part of the reason employees are slack when it comes to cyber security is that they haven’t internalized how day-to-day safe practices impact the organization and its mission. Whether it’s writing down passwords (instead of using a password manager) or clicking on a link in an email that just might be a phishing attack, people often overlook the potential danger. That’s where awareness training comes into play. You can list good practices and bad ones until you are blue in the face, but unless folks really grasp the impact of their actions, they are less likely to comply with cyber security initiatives and policies.

I’m not a fan of most generic posters that purport to promote good cyber security practices, because they fail to emphasize the impact. We need more reminders along the lines of “Loose Lips Sink Ships,” although even that lacks specificity. (To be fair, at the time almost everyone knew that there might be spies hiding in every bush, and the poster was just a reminder.) If you need specifics, Cloudmark reported that “300 firms in the US and UK reported that 38% of cyber attacks in the past 12 months came from spear phishing.” You can easily find more using your favorite search engine.

Training, posters, articles, and other awareness efforts are doomed to failure if people don’t see the WIIFM. Managers, executives, board members, and the C-Suite need to take it upon themselves to help every member of the organization understand the tactical importance of cyber security best practices.
HOW CAN WE HELP USERS IMPROVE SECURITY?
Bob Cromwell

1. WE MUST STOP BLAMING USERS
One huge problem with cyber security is the trend of blaming users for being in unwinnable situations. Many systems frustrate users with horrible interfaces and unsatisfiable requirements.
The policy requires long and complex passwords everywhere. “You must use at least two special characters”, the system says. “Oh, except not that special character!” Other systems have different fussy rules about which special characters are allowed. Some systems complain about where they appear within the password. “Use one, but don’t start with one!” Having finally satisfied one system’s requirements, it’s on to the next. Every online identity must have a unique password. Why? Because so many sites inappropriately store passwords as plaintext. We users don’t know which sites, or when they will be hacked, so we must limit risk exposure through unique passwords. And, of course, every password must be changed frequently. Oh, and you only get three chances to type it. If you forget or mistype, you will be locked out. There is no way that users can deal with this. Maybe the users discover KeePassX, but they are immediately told, “That is free and open-source software, and so you must not use it!”
So, the users start writing down all those complex passwords. Then a physical inspection finds the notes and puts a stop to that. Now the cyber security system has carried out a complete denial-of-service attack against the users. Project managers complain that their programmers can’t work because they’re always locked out. The cyber security staff puts on their most serious face to talk about the CIA Triad being the crucial protection against the Russian mob and the Chinese military. If those users quit complaining and applied their fear of nation-state attacks to their memorization work, we might have a chance. There must be a better way!
2. WE HAVE TRAINED USERS TO BE INSECURE
For many people, e-mail is little more than a mechanism for forwarding attachments and web page links. No one wants to type literal content. That’s a lot of work! Besides, Microsoft Office can make really pretty documents. Beautiful fonts, colors, background patterns, clip art, etc. Users have been trained to always open the attachments and click on the links because that’s where the information resides. And when they click on hostile content and links? “Those sloppy users shouldn’t do that!”
3. HOW CAN WE HELP THE USERS TO BE MORE SECURE?
We must do exactly that. Help the users. In terms of actions, this means:
• Insisting on better user interfaces. I’m seeing a lot of discussion of UI/UX, the User Interface and the User Experience. System design must support cyber security through improved UI/UX.
• Helping users in a way that they recognize as help. Quit creating policies that punish users for being human.
• Communicating in non-threatening ways. “We want to help you protect your data,” instead of “You have to be careful or else our system will be attacked.”
• Describing the importance of cyber security in terms everyone can understand. Most people won’t intuitively understand how their actions can affect the security of the organization, especially those who are not in the IT department but in customer-facing roles.

Everyone in the organization plays a part in keeping the organization secure. Taking time to help everyone understand their role in cyber security is integral to an effective cyber security strategy — so everyone understands what to do and why.
THE USE OF INDIVIDUAL DEVELOPMENT PLANS FOR YOUR IT STAFF
Richard Spires

Making non-technical employees more aware of their role in cyber security is only part of the battle, of course. Many IT staff are woefully undertrained in cyber security, in part because it is an ever-evolving field. Continuing education and development for IT staff is a critical part of an organization’s cyber security.

If your organization already does formal skills assessments (or is thinking about doing them), it can provide management with significant insight into the overall state of your IT workforce. But it also creates an expectation in your workforce that the information will be properly leveraged, both for the individual’s and the organization’s benefit. My experience has shown that the creation of Individual Development Plans (IDPs) is an effective means to capture the current state of an individual’s Knowledge, Skills, and Abilities (KSAs), and to document appropriate actions over multiple years for an individual to reach a set of professional career objectives. To protect your organization from attacks, cyber security knowledge and skills benchmarks should be included in these IDPs.

The employee should take charge of creating an IDP, with the first question being, “Where do I want to be in terms of my KSAs and my position in five years’ time?” By having an employee answer this question by developing and documenting a set of actions to advance year by year, the manager and employee can have an in-depth discussion about the employee, their role in the organization moving forward, and the support the organization can provide for the employee in obtaining their five-year objectives. This can be a powerful motivator for the employee and, to the degree the organization is supportive, can be a retention tool for the organization.
IDPs need not be long (I recommend under one page), with the focus first on the employee describing their five-year objectives, along with a year-by-year set of tasks for meeting those objectives. These sets of tasks will generally fall into the following categories:

1. FORMAL EDUCATION – Certainly obtaining an undergraduate or advanced degree in one’s chosen field is a prerequisite for success in some areas of IT and IT management. If part of an IDP, the employee should be specific not only regarding what degree, but what classes will be taken to directly support increased knowledge that can be used on the job.

2. FORMAL TRAINING AND CERTIFICATIONS – In many IT disciplines (including management disciplines), one can leverage specific training that can support professional objectives. This can be particularly valuable for someone learning a new technology, or taking on a new role in which they need to develop new skills. While certifications themselves do not demonstrate mastery, they are an important component of a level of capability in many different areas of IT today.

3. MENTORING – I have become a big proponent of mentoring, as it has helped me immensely in my career. Having a couple of individuals who can help a younger professional with difficult situations can be invaluable, not just in dealing with the current situation, but in providing the framework by which a younger employee can learn to deal with complex interpersonal situations going forward.

4. ON-THE-JOB ASSIGNMENTS – While sometimes difficult to define precisely over five years, it can be invaluable for an employee and manager to discuss the possibilities of job assignments over a number of years that can support an employee’s objectives, yet still fit in with what an organization needs from the employee. A key point, however, is to make it clear to the employee that they need to progress appropriately in obtaining KSAs to earn the right to on-the-job assignments, particularly ones that they are not currently qualified to do.
Once an employee develops an IDP, it can then become a living tool that can be reviewed and updated by the employee each year. It also becomes a key part of the performance review discussion with one’s manager, both in terms of reviewing performance against the past year’s tasks, and also fostering the review of future development over the next five years.
CYBER SECURITY FOR MANAGEMENT & THE BOARDROOM - COURSE 2050
Richard Spires

As former CIO of the U.S. Department of Homeland Security, experienced board member, and now CEO of Learning Tree, I leveraged my experiences and collaborated with Greg Adams, a cyber security expert and Chief Strategy Officer of Learning Tree, to create a course that helps C-Suites and Boards of Directors champion effective cyber security strategies in their organizations. While dealing with a highly technical subject, this course is oriented toward non-technical executives who need to make key decisions regarding the largest threat most organizations face today — a massive cyber security breach. As an instructor of this course myself, I hope to see you in one of our upcoming events soon!
This ½-Day Course, Designed With The C-Suite In Mind, Will Help You:
• Gain an understanding of the responsibilities of executives in cyber security strategy
• Implement an effective cyber security risk management process
• Evaluate the maturity of an organization’s existing security processes
ENHANCE YOUR ORGANIZATION’S CYBER SECURITY WITH LEARNING TREE’S COURSES

Established in 1974, Learning Tree International is a leading provider of individual, team and organization-wide IT training and management training to business and government organizations worldwide.
We also go beyond training with Workforce Optimization Solutions – a modern approach that improves the adoption of skills, and accelerates the implementation of technical and business processes required to improve IT service delivery.
Over 2.4 million professionals have enhanced their skills through Learning Tree’s extensive courses.
To support both business and government organizations in their workforce optimization efforts, we develop structured learning paths prior to training, and provide implementation services that extend the value of training long after a training event has concluded.
Learning Tree’s comprehensive cyber security training curriculum includes specialized IT security training and general cyber security courses for all levels of your organization including the C-suite. Learn security best practices, support IT security programs and policy with the NIST framework, or earn CISSP, CompTIA Security+, CASP, CEH certifications and more! Learning Tree offers training online as well as in-person and on-site.
THESE CUSTOM SERVICES INCLUDE:
• Needs assessments
• Skill gaps analyses
• Blended learning solutions
• Project acceleration and process implementation workshops
LEARN MORE AT: LEARNINGTREE.COM/CYBER OR CALL 1-800-843-8733