DECEMBER 2016 | FUTUREOFBUSINESSANDTECH.COM
|
An Independent Supplement by Mediaplanet to San Francisco Chronicle
Business Security
The human element: How businesses big and small are learning to protect themselves from risks within.
IN THIS EDITION
A Hacker’s Advice Former hacker turned security consultant Kevin Mitnick explains how security professionals need to adapt. Page 6
MEDIAPLANET
Fighting Back Learn about the latest threats in cybercrime and what small businesses can do to proactively fight them. Page 8
Insider Threat Employees have long been championed as a company’s greatest asset. These days, they’re also its biggest risk. Page 10
The New, Nuanced Needs of Corporate Security
As the world gets increasingly complex, global and fast-paced, the field of corporate security is becoming more specialized.
Have you ever wondered how companies prevent or respond to issues that could result in injured or killed employees, damaged or lost assets, lawsuits, regulatory fines or loss of important corporate information? The majority of Fortune 500 companies have experienced incidents of these types, and many have established a corporate security department to minimize the impact and losses from them.

A changing landscape
Business activities that managers have overseen for years have recently become more complex and potentially damaging. Corporate travel to foreign countries, with its share of pitfalls, is becoming more common in the global economy. As technology develops, keeping others from stealing new innovations, secrets to operating success or even customer lists becomes more of a challenge. Government regulations and requirements have also become more widespread and severe.

Depending on the company size and industry, corporate security can mean different things to different organizations. Research by the Security Leadership Research Institute has identified 20 different responsibilities that fall under a corporate security department. Some companies have elevated the security manager position to the executive level by creating a chief security officer (CSO) position. While no single typical CSO position exists in corporate America, there are areas of security that different CSOs at different companies will be responsible for, depending on the industry or sector and its risks.

Moving forward
There are additional key elements of corporate security success that need to be considered and managed when implementing or upgrading a program. Corporate-level organizational readiness for security — the company’s view of what security means to it and its purpose in light of business goals — will be crucial. It will be increasingly important to develop security leadership that is a good fit for current expectations but also has a vision of what could be. Understanding your corporate culture will help tailor security strategies to a preexisting framework. A deep and nuanced understanding of regulatory requirements will keep your business safe from fines and penalties. Finally, the best security departments work with executive management to add more value to the business. They enable the business to operate where and how it needs to and provide employees a resource for their safety and security concerns.
SOURCE: SECURITY EXECUTIVE COUNCIL
Publisher Daniel Pinkston Business Developer Jourdan Snyder Managing Director Luciana Olson Content and Production Manager Chad Hensley Senior Designer Kathleen Edison Designer Gerda Mostonaite Copy Editor Dash Lunde Production Coordinator Tiffany Kim Contributors Jennifer Demeritt, Josh Salter All photos are credited to Getty Images unless otherwise credited. This section was created by Mediaplanet and did not involve San Francisco Chronicle.
INSIGHT
5 Tips to Enhancing Your Business’ Risk Management
Enterprise risk management is a hot topic these days, but knowing how to implement it can be daunting. Here are five things to look for.

From financial crisis to natural disasters, cyber threats to unpredictable emerging markets, board directors and senior business leaders throughout the world have come to rely on risk management capabilities to protect their organization’s assets and reputation. As such, enterprise risk management (ERM) has gained significant traction in boardrooms across the globe. ERM allows organizations to look at a range of risks across the organization and evaluate them more effectively. While research (Farrell and Gallagher, 2014) supports that organizations with highly developed ERM capabilities experienced a 25 percent increase in firm value, uncertainties about implementing such a program may cause some executives to pause. Here are five simple steps to cut your ERM anxiety:

1. Determine what ERM means to you. Each company is different. For some, value from ERM will be seen in increased market share, while others might be seeking a greater social impact.
2. Identify what you’re doing right. Organizations might be surprised to learn that practices they already have in place could be integral to developing an ERM program. Additionally, operation managers might already be conducting their own version of a risk assessment. Information already collected will give organizations an advantage when embarking on their ERM journey.
3. Find a champion. Without support from leadership, ERM is futile. A risk management champion should be an executive who has access to the most senior executives in the organization. This sponsorship will help facilitate the exchange of information up, down and across the organization.
4. Adapt it to your needs. The risk management process needs to be flexible, able to adapt to different operation managers. Risk practitioners have a responsibility to foster a risk-aware culture and tailor communications to each different business area. Speaking the language of each operation manager will lead to more clarity on how an ERM effort can benefit their work.
5. Strive for continuous improvement. A risk management program is never done. New scenarios, products and advancements in technology make it a priority for organizations to constantly review their ERM programs and identify areas for improvement.

Risk management — if done right — requires time commitments from operational leaders and resources that would be impossible to acquire without support from senior executives. With everyone on board and the risk management culture reinforced by leadership, this core business function has the power to unlock doors to understanding potential obstacles while paving the way for strategic initiatives to succeed.

By Josh Salter, Communications Manager, RIMS
CONVERSATION
Know Your Enemy: Top Tips from a Hacker
World-famous hacker-turned-security expert Kevin Mitnick shares best practices for staying safe in an increasingly exploited digital universe.
Ask Kevin Mitnick and he’ll tell you that there is a silent war happening everywhere around us. You could even be a casualty right now, and more than likely not even know it — most don’t. As he writes, “One of my team told me recently: ‘It’s almost a Cyber World War now, but barely anyone knows it, and those that do don’t actually know, at any given time, who or why they are fighting.’” In this one-on-one with Mediaplanet, the renowned computer security consultant opens up the tool kit of today’s hackers so we can better understand it and stay protected against it.

What originally drew you into the world of hacking?
Challenge — pursuit of knowledge, seduction of adventure. In high school, I met this other kid who could perform magic with the telephone. It was called “phone phreaking,” and it facilitated my other great passion: pulling pranks. As the phone company started using computers to control devices, such as phone company switches, my interest in hacking began. When I started, it was completely legal and hacking was cool. Hackers were considered the whiz kids. My favorite hack of all time, still to this day, was when I was young, hacking the McDonald’s drive-through window. Truthfully, my passion for hacking has always remained the same. Businesses hire my company to try and break into their organizations to test their security. It’s like living in a heist movie. What’s not to love about that?

What are the biggest barriers a hacker faces when attempting to access private information?
Not much. Private information is freely available if you subscribe to the right databases, typically used by information brokers. These databases allow you to query a person’s social security number, birthdate, current and past addresses, current and past phone numbers. Once this information is obtained, it’s not too difficult to obtain the target’s credit report online. As far as gaining access to enterprise information, the biggest barrier is layered security controls, meaning I would have to compromise several layers of security to break in. I travel the world and demonstrate live hacking at many conferences and speak to people of all walks of life. Lately, I’ve been showing how easy it is to steal someone’s personal identity in about 60 seconds! By accessing some databases I’ll know an individual’s mother’s maiden name, social security numbers — a whole bunch of stuff.

What are some myths regarding what hackers can actually get access to?
Hackers can get access to anything if they have enough time, money and resources. The myths are more about how they hack anything. Despite Hollywood’s insistence, I have never needed a skateboard to hack, and my fingers don’t move at supersonic speeds. I think the most famous myth of how hacking can be done personally happened to me. The prosecutor in my case told a Federal Judge that I could dial up a modem at NORAD and whistle into the phone and possibly launch a nuclear weapon. I almost burst out laughing in court when I heard that. But there was, and still is, so much fear built up by media and governments that the judge ignored the fact that prison officials would place me in solitary confinement so I was unable to get access to a phone in prison, just for the safety of the nation. Remember: I hadn’t stolen for profit; I just loved the thrill of hacking because of the challenge. Most importantly, I had never threatened nor had any desire to hurt anyone, yet I was made out to be the poster boy for the new evil menace: hackers. I was just a kid looking for a challenge and adventure. It wasn’t a fun year. When I started hacking, there was no legislation in place to deal with hacking. It doesn’t seem that long ago, but what seemed impossible then is a reality now. This year I showed the world the first video recording of an undetectable tap of a fiber optic cable. Concerning security, this has serious implications for individuals, corporations and government organizations. Try to remember: If it’s important, use encryption. Possibly “air-gap” it too, meaning make sure your data is not connected to the internet.

How does security for mobile devices differ from that of corporate services and PCs?
Most people don’t even use security on their mobile phones, such as adding a passcode. The majority of people blindly use public Wi-Fi in public spaces. If there is one thing anyone can take away after reading this, it is to use a Virtual Private Network (VPN) service. One thing people should consider is purchasing a VPN subscription so that they can securely connect when using public Wi-Fi. Basically, if you aren’t using a VPN, your internet traffic may be monitored, or worse, you may be hacked when using open wireless networks.

Information security breaches have been a hot topic in the past couple of years, with Sony, Ashley Madison, the NSA, etc. What steps would you tell organizations to follow to improve their cyber security measures?
There are two important and easy steps that will provide much, much better cybersecurity for any organization. Get tested regularly. Smart organizations are using the progressive strategy known as “red teaming.” This is a rewarding practice of using external, independent teams to challenge organizations to find ways to improve their effectiveness. The red teaming strategy encompasses and parallels the military use of simulations and war games, invoking references to competition between the attackers (the red team) and the defenders (the blue team). For cybersecurity this is known as security penetration testing, the use of third-party penetration testers to simulate attacks by real intruders against systems, infrastructure and staff. The ultimate goal is to provide organizations with a thorough analysis of their current security. Secondly, train all your staff on what social engineering is and how to detect it. People are the weakest security link. They can be manipulated or influenced into unknowingly and innocently helping hackers break into their organization’s computers, and they can be manipulated into handing over the keys to the kingdom. Social engineering is a technique used by hackers and con artists that leverages your tendency to trust. Providing security awareness training for staff is absolutely crucial in light of social engineering. When our team is testing a company, we immediately target a sales individual who is willing to open any attachment, or go to any website. We booby-trap these events with malware that’s undetectable to anti-virus solutions. It’s not that hard to do. Consequently we then own the salesman’s machine, then work our way into the corporate network, and then it’s game over. Sometimes it only takes compromising one person to own an entire organization. Finally, I know that the “business” of cybersecurity is new and growing, and I don’t ignore the irony that I’ve been able to turn lemons into lemonade. But I do see a problem with the cybersecurity business, as it’s now becoming a modern-day gold rush with its own versions of fake claims. There is no silver bullet for security; there is no such thing as absolute security, nor is there any automated tool that even comes close to the skills of a motivated hacker probing for an organization’s vulnerabilities. The truth is simple. It takes one to know one.
BIG IDEAS
Q&A
Corporate security veteran Mark Marbury tells us a little about what it’s like protecting government secrets.

How did you end up working in security? What about your current role?
Roger Needham, the department chair at Cambridge University and a computer security pioneer, inspired my early interest in computer security. After 20 years at MITRE, I became Chief Scientist of the United States Air Force, and led a team to create Air Force Cyber Vision 2025, a blueprint for cybersecurity. I returned to MITRE in 2013 as the Chief Technology Officer, and then was named Chief Security Officer. My role is to protect our seven federally funded research and development centers (FFRDCs) and direct America’s first National Cybersecurity FFRDC, where we aspire to create a stronger nation and a better world by contributing to breakthroughs in safety and security.

What’s the most significant thing that has changed in the security industry since you started?
In a word: cybersecurity. Increased cyber dependency of our growing digital nation and vulnerability across all sectors means cyber actors threaten business sectors such as energy, finance, transportation, and health as well as new areas such as the Internet of Things (IoT) and even our election system. Commercial industry has become a key defender and innovator, fueled by growing criminal and nation-state threats to intellectual property, systems integrity and public safety. In addition, public-private partnerships have evolved to reduce risk by sharing threat and vulnerability information across sectors via information sharing and analysis organizations.

What’s the biggest short-term challenge for early-career security professionals? What about long-term?
Shortages of qualified cyber experts — especially when combined with growing threats, vulnerabilities and ever-increasing dependencies — remain a challenge both in the short and long term. For example, to accelerate solutions for embedded systems and IoT security, there is an incentive of $50,000 for the first company to solve an IoT identity challenge. Also, the knowledge gap between what is taught in college curriculums and what is needed in today’s market can be significant. By encouraging and rewarding the development of solutions to systems challenges, MITRE helps security professionals at all career stages to bring their expertise to the broader community.

What is your definition of a thorough security plan?
A robust cyber defense must be founded on established security principles such as attack surface reduction, least privilege, and imposing costs on adversaries to ensure deterrence. Any comprehensive implementation includes anticipatory threat intelligence, protecting crown jewels, attack prevention through deterrence, and resilient design and proactive response. Approaches must agilely take advantage of rapidly advancing global technology, respect privacy and continuously develop cyber professionals to stay ahead of the threat while protecting civil liberties.
The Role of Small Businesses in Modern Cyber Warfare
As major corporations lock down their data, hackers launch attacks against smaller companies. Here’s how your business can fight back.
By Jennifer Demeritt
You might think that a small company is a small target for hackers. Think again. Though corporate giants like Amazon and major banks have huge treasure troves of customer data on their networks, they also have massive, lavishly funded cybersecurity programs. As hackers shift their focus to easier prey, small and midsize companies need to get up to speed on cybersecurity.

The growing danger
“Nearly half of small and midsized businesses have been the victim of a cyber attack, and 71 percent of security breaches target small businesses,” says Michael Kaiser, the executive director of the National Cybersecurity Alliance. “As larger companies beef up their defenses, those who wish to steal sensitive data are taking advantage of businesses that lack the knowledge and the resources to keep their digital assets secure.” Despite this danger, only 20 percent of small and midsize companies have a cybersecurity strategy, according to a 2015 Nationwide survey. Cyber attacks aren’t only more frequent than they used to be — they’re also more devious. For example, phishing used to spam everyone in a company with an email that looks like it’s from a trusted source, then launch malware to hijack the company’s financial data. Today’s “spear-phishing” is sneakier. It targets just one or two employees who have access to essential data — like the HR director, the CFO or even their executive assistant — and then wreaks havoc.

Best practices to trust
The good news is that small and midsize companies can take steps to protect themselves against hackers and data thieves. Kaiser suggests following these best practices created by the National Institute of Standards and Technology:
• Identify: List the “crown jewels” that would be most valuable to hackers. These could be obvious things like employee social security numbers or customer financial data. Or they could be subtler, like the email address of the CFO at a much larger company you partner with — a perfect target for that spear-phishing attack.
• Protect: Determine what protective measures are needed to provide the best possible defense from a cyber incident.
• Detect: Establish systems to alert you if a security breach happens.
• Respond: Plan how to contain an attack and keep your business running.
• Recover: Plan how to return your business to normal after a security breach; this includes assessing your company’s legal obligations.

Getting outside help
Not every small or midsize business can implement these best practices on its own. The IT director at your company might do a great job of keeping the computer network humming along. But if he’s not an expert in cybersecurity, you might need to hire a security consultant to ward off threats from hackers. Robert Herjavec, “Shark Tank” star and cybersecurity expert, advises that companies should keep a few things in mind when looking for a security provider.
True partnership. “It’s important that the enterprise and service provider truly view the relationship that way — as a partnership,” says Herjavec. “This has to be a high-touch, collaborative effort, in order to ensure that a proactive model is built that best suits the enterprise’s security needs.”
Agreement on the scope of work. “It’s important that the organization and provider understand the scope of the ask and the timing requirements,” Herjavec advises. This means defining the list of assets to be monitored (in other words, the “crown jewels” mentioned above); the types of cyber threats that will be tracked and reported; and all processes and procedures.
24/7 support. “Security isn’t a 9 to 5 job,” Herjavec says. Monitoring of cybersecurity should be happening around the clock, year-round.
CHALLENGES
POP QUIZ
How Vulnerable Is Your Company to Malicious Insiders?
1. Do you know who is responsible for pre-employment screening in your enterprise?
2. Do you get regular reports on pre-employment screening results?
3. Do you know the screening criteria and whether they contain the elements that would most likely indicate an insider risk?
4. Do you have a program that identifies potential violence at its earliest stages?
5. Does your company have a behavior analytics reporting system on your key computer assets?
6. Do you track and investigate unusual access attempts to facilities, information and systems by employees and contractors?
7. Have you recently reviewed your separation of duties and responsibilities?
8. Have you asked all of your key managers what insider threat events they’re monitoring for?
9. Did they all answer appropriately, or are you confident they would if asked?
10. Have you asked all your direct reports what steps they’ve taken to reduce brand, people, property and product risk from insiders?
11. Is an assessment made of the access rights of every employee leaving the company, and appropriate action taken to revoke those access rights?

If you answered yes to 5 or fewer: High Risk. You need to become more involved in your risk oversight process and learn what controls the organization has in place.
If you answered yes to 6-8: Moderate Risk. You are probably concerned and involved with risk management but should broaden your horizon to other areas of risk.
If you answered yes to 9 or more: Low Risk. You clearly have a good understanding of insider risk and the controls; or you’ve recently had insider security breaches.

Is Your Business at Risk for Insider Threat?
Are you aware of the risks within your own company? Here’s a breakdown of the internal factors that may be a danger to your security.
In May of 2016, the Department of Defense published a new regulation requiring government contractors to establish and maintain an insider threat program to detect, deter and mitigate security risks from within. The fact that the U.S. government is mandating an insider threat program has gotten the attention of private business leaders and boards of directors. Many companies are now building or enhancing their insider threat program beyond classified information security.

Knowing the risk
Insider threat is any risk posed by current or formerly trusted individuals with access or privileged knowledge used to damage, deprive or injure stakeholders, assets, critical processes, information, systems or brand reputation. Insider threats include any illegal, prohibited or unauthorized conduct (both acts and omissions). Is insider threat becoming a bigger issue for companies? When asked about top risks to organizations, a practitioner poll showed that insider threat came in second place after cybercrime. However, in the same poll, only 46 percent of respondents had a formal insider threat program in place. The measure organizations most often cited to address this risk was monitoring access to systems and physical assets.

Preempting the threat
Leaders are looking for new tools and resources to proactively address insider threats. Newer sources of early warning indicators can include information from social media, “dark web” criminal activity monitoring, real-time reporting of arrests and associated information, and civil court final proceedings. This should be combined with internal corporate data, including performance data and corrective actions taken. All this information has the potential to identify and communicate behaviors that could signal a troubled person or a troubling situation that could escalate to an insider threat action. The biggest organizational hurdle in combating insider threat is made apparent by the diversity of functions that manage and oversee these varied sources of information. There will never be a 100-percent perfect process to identify all risks to people and organizations proactively — there are just too many variables. However, when a unified risk oversight model that promotes the inclusion of all corporate stakeholders and possible information sources is used, the likelihood of significant losses or incidents is greatly reduced.

SOURCE: SECURITY EXECUTIVE COUNCIL