Monday, August 7, 2017

Current Trends on Cybersecurity (Cont'd)


Week 10                                Current Trends in Cybersecurity

            As the world moves steadily toward the IoT (Internet of Things), with driverless trucks and cars and connected homes, even the Roomba you just bought to vacuum your house raises a security question: it can map your house, and its maker has talked about sharing that map data with smart-home device manufacturers. Is this an infringement on your right to privacy? iRobot's end-user license agreement (EULA) and privacy notice would make this clearer. Planning to remodel your roof? Wait a second: Tesla is now taking orders for a solar roof that promises some 30 years of energy generation (Crosbie, 2017). Similarly, the IT world is evolving from the World Wide Web (Web 1.0), through the Social Web (Web 2.0), to the Semantic or Intelligent Web (Web 3.0). The cyber world is not left behind: from siloed cyber (Cyber 1.0), through integrated cyber (Cyber 2.0), to intelligent cyber (Cyber 3.0) and cloud services that offer “machine learning to extract intelligence and content and machine generated signatures, accurate detection and classification of threats by fusing distinct dimensions ensuring continuous visibility and better control” as the threat environment grows technologically more complex (Kellermann, 2012). Blockchain, the technology behind Bitcoin and other cryptocurrencies, is also catching on, in identity management, real estate, contracts and the energy industry. A blockchain is an append-only ledger, replicated across many nodes, in which records are batched into blocks and each block carries the cryptographic hash of the block before it; recomputing those hashes is how any node validates the ledger, and altering a past block breaks the link for every block that follows it.
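To make the hash linkage concrete, the following Python is an added example (not code from this post or from any blockchain project) of a minimal hash-chained ledger: records are batched into blocks, each block stores the SHA-256 hash of its predecessor, and a verifier recomputes every hash to validate the chain. The block fields, the `tamper` helper and the sample transactions are constructed for illustration.

```python
"""Minimal hash-chained ledger: each block commits to its predecessor's hash,
so editing any block invalidates every block after it.
Added illustration, not taken from any blockchain implementation."""
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # the first block has no predecessor


def block_hash(index: int, prev_hash: str, data) -> str:
    """Hash the block contents in canonical JSON so the digest is reproducible."""
    payload = json.dumps({"index": index, "prev_hash": prev_hash, "data": data},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches):
    """Turn a sequence of data batches (the 'transactions' of each block) into a chain."""
    chain = []
    prev = GENESIS_PREV
    for i, data in enumerate(batches):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev_hash": prev, "data": data, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return (True, None) if every block's hash is correct and links to its
    predecessor; otherwise (False, index of the first bad block)."""
    for i, blk in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if blk["index"] != i or blk["prev_hash"] != expected_prev:
            return False, i
        if block_hash(i, blk["prev_hash"], blk["data"]) != blk["hash"]:
            return False, i
    return True, None


def tamper(chain, index, new_data, rehash=False):
    """Copy the chain and alter one block's data; optionally recompute that
    block's own hash, as an attacker covering their tracks would."""
    altered = copy.deepcopy(chain)
    altered[index]["data"] = new_data
    if rehash:
        altered[index]["hash"] = block_hash(index, altered[index]["prev_hash"], new_data)
    return altered


if __name__ == "__main__":
    # Constructed sample transactions, one batch per block.
    ledger = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    print("intact:", verify_chain(ledger))
    print("edited block 1:", verify_chain(tamper(ledger, 1, ["bob->carol:200"])))
    print("edited and rehashed block 1:",
          verify_chain(tamper(ledger, 1, ["bob->carol:200"], rehash=True)))
```

Running it shows the property described above: editing block 1 fails verification at block 1, and if the attacker also recomputes block 1's hash the mismatch simply moves to block 2, whose `prev_hash` no longer matches. It also shows what hash linkage alone does not give you: the last block can be rewritten and rehashed without detection, which is why real systems add replication across many nodes and a consensus rule (Bitcoin's proof-of-work) or signatures on top of the chain.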

            What are the latest trends in ransomware and malware attacks as the world goes IoT? The rate at which they spread, the threat landscape and the choice of targets have all shifted. Worms now propagate through hub-connected networks and devices, infecting more devices, systems and networks in a single campaign. Financial institutions such as banks and credit card companies, medical facilities, government establishments and even churches are increasingly targeted for malware infection, and small organizations are not left out.

The question at the back of the mind of decision makers, IT staff and information system security professionals in private and public organizations and government agencies is: how can we effectively protect our critical resources? Technology can help against specific crimes. Microsoft's Digital Crimes Unit, in collaboration with Dartmouth College and NCMEC (the National Center for Missing and Exploited Children), developed PhotoDNA, a robust image-hashing technology that matches known child-exploitation images even after they have been resized or recompressed, to fight child abuse conducted over the internet.

With data breaches increasingly hitting organizations that were traditionally not attractive targets, such as churches, non-profit organizations and some industries, and with attacks ranging from DDoS to ransomware, the question for managers, IT and information security experts is: what can we do to better secure our critical assets? The essentials are:

§  encryption of stored data, files and messages;

§  a strong password policy and an acceptable-use policy for the internet;

§  compliance with industry standards and government regulations;

§  biometric or other strong authentication for access control;

§  regular patching and updating of software and applications;

§  firewall and IDS/IPS defenses;

§  SETA (security education, training and awareness); and

§  to recover from a ransomware attack, regular backups together with an agile, tested BC (Business Continuity) and DR (Disaster Recovery) plan, a named team to run it, and an experienced IT and information security team.

For small businesses, the steps include: multi-layered protection through endpoint and data, mobile and network device access protection; securing email servers and applications; backing up all critical information, with a copy stored offsite; education and security awareness training; patching and updating applications and software; and protecting cloud file sharing, hosted email and the like (Delany, 2017).

References

Crosbie, J. (2017). Here’s How Much One of Tesla’s Amazing Solar Roofs Actually Costs.

Kellermann, T. (2012). The Evolution of Targeted Attacks in a Web 3.0 World. Trend Micro.

Delany, R. (2017). Data Privacy Day 2017: Tips for Protecting Small Businesses. Trend Micro.


Friday, August 4, 2017

Current Trends in Cybersecurity


Week 9                       Reflections on Current Trends in Cybersecurity

The threat environment changes rapidly with evolving information technology and the IoT (Internet of Things). It is difficult even to keep up with the methods and techniques for assessing and mitigating information system threats, vulnerabilities and business operations risks. A structured approach to threat modeling, however, helps in designing an appropriate security architecture and control system for a distributed network, or indeed for any system. Implementing a resilient and responsive set of controls calls for both multilevel and multilateral security. Once the controls are in place they must be monitored and measured (through audit, system evaluation and assurance) to confirm that they remain effective, comply with industry standards and government regulations, and meet the needs of the business.

The threat modeling process and the tools used in the security analysis need to be tested, evaluated and refined so that they address the identified IT risks and vulnerabilities that would impact the organization's critical assets. An action plan and a client presentation that professionally presents the security findings, and the recommendations for closing the gaps, to the ERB (Executive Risk Board) is a sine qua non. One thing I would like to see in the college cybersecurity program is an information security business management class, so that graduates can put together a cost-benefit estimate in money terms. The question the members of the executive risk board will have at the end of a client presentation is: how much will it cost us to implement this recommendation, and what is the time frame?

In threat modeling, one challenge is balancing the trade-offs among the ways of handling a risk: avoiding, addressing (mitigating), accepting, transferring, or ignoring it. Another is modeling threats in specific technologies, cryptosystems, human factors and usability, and tricky areas such as web and cloud platforms.

In all, an information security professional should not only obtain the relevant certifications but also keep abreast of the latest developments, challenges, data compromises and mitigation or remediation responses, so as to remain relevant in the ever-changing world of information security and business operations.

Monday, July 24, 2017

Cybersecurity Action Plan


Week 8

Information Security and Risk Mitigation Action Plan

            The need for a regularly tested ISRM (information security and risk mitigation) action plan in an organization cannot be overstated: it forces a periodic review of the company’s cybersecurity strategy. If an organization fails to conduct regular “checkups, odds are good that today’s fast-changing threat landscape has left (it) vulnerable” (Rackspace, 2017). A good cybersecurity action plan combines people, processes and technology to deliver cost-effective, responsive and timely breach detection and risk and incident remediation.

The action plan for cybersecurity and risk management helps the organization identify the critical assets that are exposed to threat exploitation or other risk, understand the likelihood and impact on business operations, and put in place controls that mitigate, accept, avoid or transfer the identified “risks to a level acceptable to the organization” (Lebanidze, 2011). It is imperative, therefore, that the plan be updated periodically to take in the risks, threats and vulnerabilities that ongoing evaluation and risk and vulnerability assessment expose, so that the controls, the incident response plan and the disaster recovery and business continuity plans stay current and cost-effective and continue to assure the CIA (Confidentiality, Integrity and Availability) of critical organizational resources. Achieving this requires an agile, responsive and experienced IT/IS team.

The cybersecurity action plan must, however, be aligned with the business objectives, mission, operations and culture of the company. It is also necessary to secure the commitment, involvement, sponsorship and support of the board of directors and C-level managers, and the compliance of all members of staff, for an effective organization-wide information security program. The plan should also meet federal, state and local regulations, industry standards and best practices. Best practice requires that “known and perceived risks be analyzed according to the degree and likelihood of the adverse results that are anticipated to take place” (Cantoria, 2011). The analysis, documentation and prioritization of the identified risks make up the risk mitigation plan, which, once developed and integrated into the mitigation strategy, is cross-referenced with the risk management plan; the risk management plan provides the framework within which the mitigation plan sits. In essence, the risk mitigation action plan is a checklist of anticipated risks, each rated for probability (High, Medium or Low; or Most Likely, Likely or Unlikely) and paired with the strategy for mitigating that threat, vulnerability or risk.

References

Rackspace. (2017). Retrieved 2017-07-24 from

Lebanidze, E. (2011). Guide to Developing a Cyber Security and Risk Mitigation Plan.

Cantoria, S. C. (2011-02-28). Anticipated Risks. What Comprises a Risk Mitigation Plan?

Friday, July 21, 2017


Week 7

Building an Effective Cybersecurity and Technology Risk Presentation for Your Board of Directors

By 2020, 100% of large enterprises will be asked to report to their boards of directors on cybersecurity and technology risk at least annually, which is up from today’s 40% (Proctor, Wheatman & McMillan, 2016)

Risk data regularly influences the decisions of 71% of organizations’ boards of directors (Gartner survey data, 2015)

Why did “UK banks spend more on security and suffer more fraud” (Anderson, 2008, p. 228)? Because the liability for disputed transactions rested with the customer rather than the bank, UK banks became lazy and careless about getting security right: a moral hazard that led to more fraud, not less. Why is the security budget lean in many organizations? Is security underfunded? If your answer is yes, you may want to know some of the reasons why this is so.

§  Risk and security leaders fail to provide board-relevant, business-aligned content that abstracts out the direct technology references

§  SRM (security and risk management) leaders often lean on fear, uncertainty and doubt, and sometimes exaggeration, in board presentations to drive home their points

§  SRM leaders use too many technical terms in board presentations, even though most board members lack an understanding of security technology; this tends to suppress questions from the board

§  The result is a failure to create defensible connections between cybersecurity risks and business outcomes (Proctor, Wheatman & McMillan, 2016)

SRM leaders are being asked more and more often to present to their boards on the state of cybersecurity controls in the enterprise. Much of that reporting, however, is of low quality and of minimal benefit to the board, and it does nothing to improve the relationship between the board and the SRM leaders. Some best practices for doing better:

ü  Communicate with your audience on their own terms

ü  Understand the board’s role and responsibilities

ü  Socialize the key messages before the presentation

ü  Road-test your presentation

ü  Use fear, uncertainty and doubt sparingly

ü  Focus on readiness

ü  Use process maturity as a proxy for risk posture

ü  Abstract out the technology

ü  Stress risk management and balancing protection with business outcomes

ü  Highlight the business value of security and risk investments

ü  Educate the board on how to influence effective security

ü  Always end with an “ask” (Proctor, Wheatman & McMillan, 2016)

It is imperative to avoid the seven deadly presentation sins: too much technology; overly complex slides; too much FUD (do not dwell on threats and theoretical risks); lack of business alignment; misleading data (avoid ROSI, return on security investment, projections that you cannot defend); too many people in the process; and failure to connect with board-relevant decision making. Be prepared, too, to address objections and personalities.

The good news is there are some tactics you may need to know:

·         Consider the perspectives you want to give the board

·         Gather intelligence

·         Be deliberate with your terminology

·         Be ready to address objections

·         Overcome apathy

·         Ask for an outcome and request the next date (Proctor, Wheatman & McMillan, 2016)

References

Proctor, P. E., Wheatman, J., & McMillan, R. (2016-03-03). How to Build an Effective Cybersecurity and Technology Risk Presentation for Your Board of Directors. Gartner. Retrieved 2017-07-21 from https://www.gartner.com/document/3238219?ref=solrAll&refval=187825080&qid=4afe393c3486f20d5158fb21d4dd4d85

Anderson, R. J. (2008). Security Engineering: A Guide to Building Dependable Distributed Systems (2nd ed.). Wiley Publishing, Inc., Indianapolis.

Wednesday, July 12, 2017

Cybersecurity news and information sources


CYBR650 Week 6

Sources of news and information on current cybersecurity trends

1.    Sources of cybersecurity information

Sources of news and information on cybersecurity are listed below, with the website where one was given.

1.    Symantec
      -  Symantec Internet Security Threat Report 2017
      -  Website Security Report 2016
2.    Verizon Data Breach Investigations Report (DBIR) 2017: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
3.    Forbes
      -  Top 2016 cybersecurity reports from AT&T, Cisco, Dell, Google, IBM, McAfee, Symantec and Verizon
4.    Federal Communications Commission
5.    Health IT Security
      -  Healthcare data security incidents in 2016
6.    Schneier on Security (Bruce Schneier’s blog)
7.    Security Wizardry Radar
8.    Homeland Security: Cybersecurity
9.    CVE Details
      -  Security vulnerability data source
10.  Microsoft Service and Update Center
11.  Oracle Help Center
12.  Homeland Security NewsWire
13.  Tech News World: Cybersecurity: http://www.technewsworld.com/perl/section/cyber-security/

2.    Additional sources of information on cybersecurity


Microsoft Cyber Security. Secure and manage your digital transformation. https://www.microsoft.com/en-us/security/default.aspx?WT.srch=1&WT.mc_id=AID623240__SEM_C9HtVpRB


3.    Some sources of cybersecurity news that may not be used:

Sources that publish unverified or untrue security news and information updates should not be used.

Saturday, July 8, 2017

Securing Mobile App Back End

 
CYBR 650 Week 5

Mobile App Back Ends and Security

“Millions of sensitive records exposed by mobile apps leaking back-end credentials” (Constantin, ComputerWorld, 2015)

The migration of medical and other sensitive apps to mobile platforms brings with it the challenge of attackers exploiting an insecure back end. Protecting the code that runs on the device has had most of the attention; securing the back end that the app talks to has been far less successful, and mobile app compromises have resulted from “easy-to-fix server security failures” (Zumerle, O’Neil & Wong, 2016). In a study of apps built on BaaS (Backend-as-a-Service) platforms, researchers from Technische Universität Darmstadt and the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany found that app developers had embedded their primary access keys for providers such as CloudMine, Amazon Web Services or Facebook’s Parse inside the apps themselves. An app can be “reverse-engineered to extract such credentials and access their back-ends”, which between them held millions of records in the providers’ database servers (Constantin, 2015). A further challenge for back-end security is that mobile apps are involved in “API-based (Application Programming Interface-based) interactions and back end systems and third parties” (Zumerle, O’Neil & Wong, 2016); these interrelationships make vulnerabilities harder to identify and eliminate.
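A quick way to find the problem the Darmstadt researchers describe is to dump the strings from an APK or app bundle and scan them for credential patterns. The following Python is an added example, not code from the study or the cited articles: it flags AWS access key IDs (the documented shape, `AKIA` followed by 16 upper-case alphanumerics) and any secret, token, password or API-key assignment whose value is long and high-entropy, using Shannon entropy to skip placeholders. The input is a constructed strings dump; the key values in it are the publicly documented AWS example credentials, not real ones.

```python
"""Scan a strings dump for hard-coded back-end credentials.
Added example; not code from the cited studies or articles."""
import math
import re
from collections import Counter

# Constructed strings dump, as 'strings classes.dex' or a decompiler might print it.
# The AWS values are the publicly documented example credentials, not real keys.
SAMPLE_STRINGS = """\
package com.example.healthapp;
String BASE_URL = "https://api.example.invalid/v1";
String LOG_TAG = "MainActivity";
String AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
String AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
String SESSION_TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaa";
String VERSION = "1.2.3";
"""

# AWS access key IDs have a fixed, documented shape: 'AKIA' + 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# A secret-like name (any suffix), then '=' or ':', then a long base64/hex-looking value.
GENERIC_SECRET = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)[a-z0-9_]*\s*[=:]\s*['\"]?([A-Za-z0-9/+=_\-]{16,})"
)

ENTROPY_THRESHOLD = 3.5  # bits per character; random base64-style keys score well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_for_secrets(text: str):
    """Return a list of {'kind', 'line', 'value'} findings, one per suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append({"kind": "aws-access-key-id", "line": line_no, "value": m.group(0)})
        for m in GENERIC_SECRET.finditer(line):
            value = m.group(2)
            if AWS_KEY_ID.fullmatch(value):
                continue  # already reported by the pattern above
            # Placeholders such as 'aaaa...' or 'changeme' have low entropy; real keys do not.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"kind": "high-entropy-secret", "line": line_no, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_STRINGS):
        # Print only a prefix so the scanner itself does not leak the full secret into logs.
        print(f"line {f['line']}: {f['kind']}: {f['value'][:4]}... ({len(f['value'])} chars)")
```

On the sample dump the scanner reports the access key ID on line 4 and the secret key on line 5, and ignores the all-`a` session token, the URL and the version string. The remedy for anything it does find is not to obfuscate the key but to move it off the device entirely: the app should authenticate a user to the back end, and the back end should hold the provider credentials and enforce per-user permissions.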

How can the challenges of back-end security for mobile apps be addressed?

§  Integrate security into the SDL threat model, ideally before development but even during or after it.

§  Conduct penetration testing (application security testing) to expose weaknesses in the app and its back end.

§  Deploy threat detection tools and enable encryption, integrity protection and authentication.

§  For back-end APIs, apply least privilege: each app, and each user of it, gets access only to what it needs.

§  Use security checklists and guidelines to ensure compliance with standards and best practices.

§  Implement controls for application-level and network anomalies. For internet-facing or consumer-facing web and similar applications, establish user-level and behavioral anomaly detection (Zumerle, O’Neil & Wong, 2016).

Secure coding of the back end does not guarantee security if IT administrators, staff and the security team do not implement the basics. Appthority, a mobile security company, found that more than a thousand apps exposed data because the back-end servers that housed 43 TB of user data, and the analytics tools used to mine and analyze the collected data, lacked basic controls: there was no firewall, no authentication was required, and the servers were reachable from the public internet. The exposed resources included “PII (personally identifiable information), passwords, location, travel and payment details, corporate profile data (emails and phone numbers), and retail customer data” (Rashid, 2017). Multiple cases of unauthorized access, phishing and ransomware had followed.
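The Appthority findings come down to two missing controls: callers are never authenticated, and even an authenticated caller is not confined to its own records. The following Python is an added illustration (not code from any cited study or product) contrasting an open handler with one that authenticates a bearer token and then authorizes per object, the least-privilege rule from the list above. The tokens, users, record ids and record contents are constructed for the example; in production the token store would be a database and the handler would sit behind a web framework and TLS.

```python
"""Minimal back-end request handlers showing the gaps described in the text:
no authentication, no object-level authorization, raw credentials at rest.
Added illustration; not code from any of the cited studies."""
import hashlib
import hmac


def _digest(token: str) -> str:
    """Tokens are stored only as SHA-256 digests so a leaked table yields no usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed sample data: hypothetical issued tokens (hashed) -> user id.
TOKEN_DIGESTS = {
    _digest("tok_alice_7f3a"): "alice",
    _digest("tok_bob_91c2"): "bob",
}

# Constructed patient records keyed by id, each with an owner.
RECORDS = {
    "r1": {"owner": "alice", "diagnosis": "hypertension"},
    "r2": {"owner": "bob", "diagnosis": "asthma"},
}


def handle_open(path: str):
    """The leaky pattern: anyone who knows (or guesses) a record id gets the record."""
    rec_id = path.rsplit("/", 1)[-1]
    rec = RECORDS.get(rec_id)
    return (200, rec) if rec else (404, None)


def _authenticate(headers: dict):
    """Return the user for a valid 'Authorization: Bearer <token>' header, else None.
    Every stored digest is compared with hmac.compare_digest so a wrong token
    costs the same time however close it is to a real one."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    presented = _digest(token)
    user = None
    for digest, owner in TOKEN_DIGESTS.items():
        if hmac.compare_digest(digest, presented):
            user = owner
    return user


def handle_secured(headers: dict, path: str):
    """Authenticate, then authorize per object: a user sees only records they own."""
    user = _authenticate(headers)
    if user is None:
        return (401, None)
    if not path.startswith("/records/"):
        return (404, None)
    rec = RECORDS.get(path[len("/records/"):])
    # Answer 404 rather than 403 for another user's record so the endpoint
    # does not confirm which ids exist (limits enumeration).
    if rec is None or rec["owner"] != user:
        return (404, None)
    return (200, rec)


if __name__ == "__main__":
    print(handle_open("/records/r1"))                                                  # anyone gets it
    print(handle_secured({}, "/records/r1"))                                           # 401
    print(handle_secured({"Authorization": "Bearer tok_bob_91c2"}, "/records/r1"))     # 404
    print(handle_secured({"Authorization": "Bearer tok_alice_7f3a"}, "/records/r1"))   # 200
```

The open handler is what an unauthenticated, internet-reachable server amounts to: any client that can reach it can enumerate ids and read the data. The secured handler adds the two checks in the order they must run, identity first and then ownership of the specific object, and keeps credentials hashed at rest. A firewall restricting who can reach the server at all is the network-layer complement and is not replaced by either check.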

References

Constantin, L. (2015). Millions of sensitive records exposed by mobile apps leaking back-end credentials. ComputerWorld.

Zumerle, D., O’Neil, M., & Wong, J. (2016-11-15). Securing Mobile App. Gartner.

Rashid, F. (2017). Mobile app developers: Make sure your back end is covered. CSO.