1. FIVE SECURITY INSIGHTS FROM BRIAN KREBS
1. If organizations are not pen testing their users on a regular basis,
it is a near certainty that the bad guys are.
2. If a device is plugged in and it has an IP address, eventually it’s
going to be hacked (this includes toasters!).
3. Organizations need to drill their breach response in advance—or
they will likely make a bad situation worse.
4. If people are not actively working toward securing and maintaining
their privacy on a continuing basis, they don’t have privacy.
5. IoT is a national security priority—or it should be. The amount of
firepower available to attackers is tremendous.
CYBERSECURITY BY THE NUMBERS
Brett Kelsey, vice president and CTO-Americas of Intel Security, took the stage at CSX North America to discuss achieving better efficiency in
security. Kelsey shared interesting insights into current security numbers. Below is a snapshot:
26 OCTOBER 2016
CSX NORTH AMERICA
CONFERENCE REPORT
• $10: cost to purchase a health record on the dark web
• 98 days: mean time to detect a breach in the finance industry
• 197 days: mean time to detect a breach in the retail industry
• $3.79 million: average cost per breach
• 345: known cybersecurity incidents from April-June 2016
• $618.16 billion: annual cost of cybercrime globally
Note: All costs are in US dollars.
2. GLOBAL CISOS SHARE PRIORITIES AT CSX
The CISO Forum at ISACA’s CSX 2016 North America Conference provided chief information security officers
the opportunity to share perspectives about many of the most pressing challenges and opportunities
shaping today’s security landscape.
The wide-ranging forum included several presentations but was largely centered on interaction among the
attendees. Among the day’s many discussion points were:
• Suggestions on how to engender support for security programs
from senior management. Leveraging audit reports, identifying
control gaps in security programs and providing timely examples
of how other organizations have been damaged by high-profile
security breaches are among the tactics that can help deliver buy-in.
• The value of industry certifications. David Foote, chief analyst
and research officer for Foote Partners LLC shared extensive data
portraying an uptick in the value of security certifications in recent
months. As a group, ISACA certifications have gained more than
15% in cash market value in the last six months, compared to
nearly 8% growth in pay across all security-related certifications.
• The need to embed security in functions throughout an organization.
• The public relations upside of having a robust security program.
When positioned properly, a well-executed security program can
help organizations differentiate themselves in an environment
when security is more commonly a source of anxiety than a point
of pride.
• How to handle various use cases regarding data management,
such as employees mishandling data, guarding against various
forms of malware and the pros and cons of relying upon
third-party services.
• Striking the appropriate balance between deep technical
expertise and “soft skills”—such as communications skills and
relationship-building—in evaluating prospective hires.
GAINING BOARD AND C-SUITE SUPPORT
FOR A SECURITY CULTURE
Changing organizational mindsets to understand and adapt priorities,
policies and programs, now that cyber risk is a pervasive business
risk, was Phillip Ferraro’s call to action during his CSX NA session,
“How to Gain Board and C-Suite Support for your Program.”
Ferraro, Senior Vice President and Global CISO for The Nielsen Co.,
noted that mindsets and organizational alignment to a “security
culture” must shift as technology and business professionals
conduct executive education efforts, and build business cases for
initial and sustained investment in the platforms and people to
thwart cyberattacks.
Effective communications that “leave the techno-babble behind”
and turning return-on-investment questions from board members
and senior executives into “cost-avoidance conversations” are
tactics to gain attention, influence and buy-in, Ferraro said.
Among the factors Ferraro listed to calculate the cost of breach
impact were: value of actual data and IP lost, reputation and brand
damages, shareholder and stock value impact, current and ongoing
revenue lost, and regulatory fines and sanctions.
3. GUIDE TO CONTAINERIZATION: WHAT YOU NEED TO KNOW NOW
Application containers can bring tremendous utility
and business value, albeit while posing substantial
security challenges, according to a presentation
delivered at ISACA’s CSX North America conference.
“Containerization Security: What Security Pros Need to Know,”
presented by Ed Moyle, ISACA director of Thought Leadership and
Research, and Diana Kelley, executive security advisor with IBM
Security, highlighted both the risks and rewards of containers—
mechanisms used to isolate applications from each other within
the context of a running operating system instance.
Kelley and Moyle contended that containers are redefining the
tech landscape in the data center and among development teams.
Containers are easy to update, can move from machine to machine
and can decrease development time due to migration of containers
between environments.
Several of the security challenges presented by containerization
are reminiscent of challenges that have been overcome in the world
of virtualization. Security professionals can mitigate some of the
potential risks associated with containerization on the front end by
reading guidance on the topic, including a new pair of white papers
released by ISACA.
“There are some things that security pros really should know about,
and that message really hasn’t gotten out there in terms of the
mainstream security community,” Moyle said.
FIRMWARE: THE FORGOTTEN SECURITY CONTROL
Firmware, or embedded software in
connected devices, is “low-hanging fruit”
for attackers, according to keynote speaker Justine
Bone, CEO of MedSec. ISACA conducted a
study on firmware security, and the results
are presented in the infographic here. A key
finding: organizations are not sufficiently
prepared, and firmware is highly vulnerable.
INSIGHTS FROM JUSTINE BONE
“We are seeing more and more that firmware
security is no longer a theoretical problem. The
evidence is showing us that attackers are targeting
firmware—many breaches and vulnerability
discoveries these days can be attributed to
firmware problems. Solutions are emerging, but
most enterprise environments remain unprepared.
While it’s clear that knowledge is power in this
instance, it’s also evident from this research that
company culture and overall attitude to security is
a major contribution to vulnerability.”
4. SECURING THE INTERNET OF THINGS
That was among the thought-provoking questions posed by
presenters Mike Krajecki, Director, Emerging Technology and Risk
Services, KPMG LLP, and Milan Patel, Program Director, IoT Security,
IBM, during the “Connecting the Risks: Securing the Internet of
Things” presentation at CSX North America.
Patel noted that as challenging as it has been to secure data and
applications in the traditional IT environment, the anticipated
proliferation of tens of billions of IoT devices will call for even greater
resourcefulness from security professionals.
Among the many security risks associated with IoT are the large
number of new network endpoints, the mobility and vulnerability of
devices, the privacy and security of data generated by the devices
and compromised network access points.
The complexity of IoT security results in what Patel described as a
“protocol zoo” that poses challenges for security professionals.
The session emphasized that security and privacy must be
embedded into the strategy and design of a connected device
program and that full life-cycle protection must be emphasized.
Security specific to each category of device—including strong
authentication and access control, data privacy protection and
robust application security—also is recommended.
WHAT IS YOUR TOP TIP FOR WOMEN ENTERING
THE CYBERSECURITY FIELD?
“Find a mentor who supports you and gives you guidance,
and be a source of information—whether it is networking
with other people or referring to various standards that
you might need for some of the work that you are doing.”
Christina Cruz, CISA
New York, NY
“Do not get discouraged when you feel like you are in the
minority. We need women in this field. We look at things in
a different viewpoint, sometimes, than our male counterparts.
So with that, stay focused and get to your goal.”
Amanda Prince, CISM, CRISC
Tampa, FL
“Women need to own their space and not be afraid to be
fierce and have a voice. So, if you are considering going
into cybersecurity, learn what is out there that you
can teach yourself—and be bold about it because that
is what it takes to run with a demographic where it is
10% women.”
Michelle Covert, CISA
East Lansing, MI
Connecting Women Leaders in Technology: ENGAGE. EMPOWER. ELEVATE.
WISDOM FROM HACKER AND INVENTOR PABLOS HOLMAN
“You will never get anything new by reading the directions.”
“Vision without action is a daydream. Action without vision is a nightmare.”
“There is a really important job to do that is not being done: figuring out
how to take care of humans.”
5. MITIGATING MALWARE’S THREAT TO
CRITICAL INFRASTRUCTURE
The shift from isolated systems to open
protocols, the evolution of modern equipment
and ever-expanding business pressures are
creating a major cybersecurity challenge
impacting major infrastructure across the
globe.
Ed Cabrera, chief cybersecurity officer with
Trend Micro, highlighted those dynamics
during his “Malware’s Threat to Critical
Infrastructure” presentation at CSX North
America.
Citing examples of attacks aimed at the
Ukrainian electric grid and mining and rail
companies, Cabrera outlined the far-reaching
scope of threats to infrastructure.
Improved alignment between IT and
operational technology functions and a
layered defense program can help stave
off these potentially devastating attacks.
Cabrera also noted that tapping into behavior
analytics can be highly beneficial.
“Behavior analytics has to become an
accepted strategy to go from being the
hunted to the hunter, to go after and try to
find this activity on the business side and
the operational side,” Cabrera said.
He said that all components of an organization—including Human
Resources—have a part to play in attaining increased vigilance,
and that includes keeping closer tabs on the security risks
of employees.
“There has to be much more of a
process-oriented approach to insider
threats,” Cabrera said.
WHAT DO YOU THINK SHOULD BE THE BIGGEST CYBER SECURITY
PRIORITY FOR ORGANIZATIONS IN 2017?
“Right now, perennially at the top of the list is APT.”
William Westwater, CISA, CGEIT, CRISC
Redmond, WA
“I think organizations should focus on cyber resilience
more so than just the security aspect. A lot of
organizations are only focusing on the protection/
cyber security piece, and not necessarily the sustaining
piece because attacks are increasing at a significant
rate. They should focus on a resilient strategy that
looks at both protection and sustaining.”
Andrew Hoover, CISA, CRISC
Arlington, VA
“All organizations are working on preventive security.
The reality is the weakest link within organizations is
people. So, if your security awareness programs are
not up to snuff, if they’re not robust, if they’re not
focused on people, you’re going to lose in the end.”
Scott Newman, CISA
Tacoma, WA
“Securing the company’s data while using mobile apps
has been a challenge, and it’s going to be a bigger
challenge going forward.”
Denise Calvert, CISA, CISM
Oklahoma City, OK
CONGRATULATIONS TO THE CYBER CHALLENGE WINNERS!
CSX attendees had the opportunity to participate in a network assessment
and network defense competition, where they competed for control of
common resources and services.
ESSENTIAL LEVEL
Annie Cheng, Bank of San Francisco
ADVANCED LEVEL
1ST PLACE: Marcelle Lee, CSXP, Fractal Security Group LLC
2ND PLACE: Jed Santiago, CISA, CISSP, Visa Inc.
3RD PLACE: Eduard Delgado Yparraguirre, CISA, CISM, CRISC, CISSP, CEH, PMP, TD Bank
6. SOCIAL MEDIA ROUNDUP
SECURITY FOR THE MILLENNIAL AGE
Creating a positive security culture, devising security solutions that
are as straightforward as possible and strategic prioritization of risk
appetite are key pillars of an effective security program, according to
the “Security for the Millennial Age” session at CSX North America.
Session presenter Dominic Vogel, chief security strategist at Cyber SC,
contended that relationship-building is critical on several levels – not
only between security professionals and their CIO or CISO, but also
with other employees, auditors and top business leaders.
Vogel said it is important to treat security mistakes made by
employees as a learning opportunity rather than being too
heavy-handed, or employees might not feel comfortable bringing
issues to light in the future.
Security teams sometimes make the mistake of taking a knee-jerk
approach to the “threat du jour,” rather than sticking to a holistic
approach to problem-solving and focusing on building resilience
within their people, processes and technology.
Vogel also warned against overly ambitious security programs,
saying that the attempt to protect everything often is
counterproductive. Effective risk prioritization is critical.
Conquering complexity is another practical consideration in today’s
security landscape. If security processes are deemed too complex by
the stakeholders, chances are they will be ignored.
Vogel said the benefits to an upbeat and strategic security culture
that is embraced by all ages and levels include better collaboration,
improved business efficiency and greater value for security dollars.