Monday, July 24, 2017

Cybersecurity Action Plan


Week 8

Information Security and Risk Mitigation Action Plan

The need for a regularly tested ISRM (information security and risk mitigation) action plan in an organization cannot be overstated. It ensures a periodic review of the company’s cybersecurity strategy plan. If an organization fails to conduct regular “checkups, odds are good that today’s fast-changing threat landscape has left (it) vulnerable” (Rackspace.com, 2017). A good cybersecurity action plan combines people, processes and technology to deliver a cost-effective, responsive and timely breach detection and risk/incident remediation program.

The action plan for cybersecurity and risk management of an organization helps to identify critical assets that are vulnerable to exploitation by threat actors or to risk exposure, to understand the likelihood of an impact on business operations, and to put in place appropriate security controls to mitigate, accept, avoid or transfer the identified “risks to a level acceptable to the organization” (Lebanidze, E., 2011). It is imperative, therefore, that the action plan be updated periodically to accommodate the risks, threats and vulnerabilities exposed through ongoing evaluation and risk/vulnerability assessment, so that appropriate, cost-effective and up-to-date controls, together with incident response, disaster recovery and business continuity plans, can be implemented to provide assurance of the CIA (Confidentiality, Integrity and Availability) of critical organizational resources. To achieve this, the organization needs an agile, responsive and experienced IT/IS team.

The cybersecurity action plan should, however, be aligned with the business objectives, mission, operations and culture of the company. It is also necessary to secure the commitment, involvement, interest, sponsorship and support of the board of directors and C-level managers, and the compliance of all members of staff, for an effective organization-wide information security program. The action plan should also address and meet federal, state and local regulations, industry standards and best practices. Best practice requires that “known and perceived risks be analyzed according to the degree and likelihood of the adverse results that are anticipated to take place” (Cantoria, S., C., 2011). The analysis, documentation and prioritization of such identified risks is embodied in the risk mitigation plan. Once developed and integrated into the risk mitigation strategy, it is cross-referenced with the risk management plan, which forms the framework for the risk mitigation plan. In essence, the risk mitigation action plan serves as a checklist of anticipated risks, each with a degree of probability categorized either as High, Medium or Low, or as Most Likely, Likely or Unlikely. Strategies to mitigate each identified threat, vulnerability or risk are included in the action plan.

References

Rackspace. (2017). Retrieved (2017-24-7) from

Lebanidze, E. Guide to Developing a Cyber Security and Risk Mitigation Plan. (2011).

Cantoria, S., C. Anticipated Risks. What Comprises a Risk Mitigation Plan? (2011-28-2).

Friday, July 21, 2017


Week 7

Building an Effective Cybersecurity and Technology Risk Presentation for Your Board of Directors

By 2020, 100% of large enterprises will be asked to report to their boards of directors on cybersecurity and technology risk at least annually, which is up from today’s 40% (Proctor, E., P., Wheatman, J., McMillan, R., 2016)

Risk data regularly influences the decisions of 71% of organizations’ boards of directors (Gartner survey data, 2015)

Why would “UK banks spend more on security and suffered more fraud” (Anderson, J., R., p.228, 2008)? Simple: UK bank employees became lazy and careless, a moral hazard that led to increased fraud. Why is the security budget lean in many organizations? Is security underfunded in organizations? If your answer is yes, you may want to know some of the reasons why this is so.

·         Risk and security leaders are unable to provide board-relevant, business-aligned content that abstracts out the direct technology references

·         SRM (security and risk management) leaders often use unnecessary fear, uncertainty and doubt, and sometimes exaggeration, in board presentations to drive home their points

·         SRM leaders use too many technology terms in board presentations, knowing that most board members are handicapped by a lack of understanding of security technology terms. This tends to limit questions from most board members

·         The result is a failure to create defensible connections between cybersecurity risks and business outcomes (Proctor, E., P., Wheatman, J., McMillan, R., 2016)

It is to be noted that SRM leaders are being asked more frequently to present to their boards on the state of cybersecurity controls in their enterprises. However, much of the reporting is low-quality, and has minimal benefit to the board, thereby not improving the relationship between the board and the security and risk management leaders. There are some best practices to improve on this:

✓  Communicate with your audience on their own terms

✓  Understand the board’s role and responsibilities

✓  Socialize the key messages before the presentation

✓  Road-test your presentation

✓  Use fear, uncertainty and doubt sparingly

✓  Focus on readiness

✓  Use process maturity as a proxy for risk posture

✓  Abstract out the technology

✓  Stress risk management and balancing protection with business outcomes

✓  Highlight the business value of security and risk investments

✓  Educate the board on how to influence effective security

✓  Always end with an “Ask” (Proctor, E., P., Wheatman, J., McMillan, R., 2016)

It is imperative to avoid the seven deadly presentation sins: too much technology; overly complex slides; too much FUD (avoid focusing too much on threats and theoretical risks); lack of business alignment; misleading data (avoid ROSI, return on security investment, projections that you can’t defend); too many people in the process; and failure to connect with board-relevant decision making. Also be prepared to address objections and personalities.

The good news is there are some tactics you may need to know:

·         Consider the perspectives you want to give the board

·         Gather intelligence

·         Be deliberate with your terminology

·         Be ready to address objections

·         Overcome apathy

·         Ask for an outcome and request the next date (Proctor, E., P., Wheatman, J., McMillan, R., 2016)

References

Proctor, E., P., Wheatman, J., McMillan, R. How to Build an Effective Cybersecurity and Technology Risk Presentation for Your Board of Directors. (2016-3-3). Retrieved (2017-21-7) from https://www.gartner.com/document/3238219?ref=solrAll&refval=187825080&qid=4afe393c3486f20d5158fb21d4dd4d85

Anderson, J., R. Security Engineering: A Guide to Building Dependable Distributed Systems. 2nd ed. (2008) Wiley Publishing, Inc. Indianapolis

Wednesday, July 12, 2017

Cybersecurity news and information sources


CYBR650 Week 6

Sources of news and information on current cybersecurity trends

1.    Sources of cybersecurity information

Sources of news and information on cybersecurity are listed below, with the website where one was given.

1.    Symantec
-       Symantec Internet Security Threat Report 2017
-       Website Security Report 2016
2.    Verizon’s Data Breach Investigations Report (DBIR) 2017: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
3.    Forbes
-       Top 2016 cybersecurity reports from AT&T, Cisco, Dell, Google, IBM, McAfee, Symantec and Verizon
4.    Federal Communications Commission
5.    Health IT Security
-       Healthcare data security incidents in 2016
6.    John Schneier Blogs
7.    Security Wizardry Radar
8.    Homeland Security Cybersecurity
9.    CVE Details
-       Security vulnerability data source
10. Microsoft Service and Update Center
11. Oracle Help Center
12. Homeland Security Newswire
13. Tech News World
-       Cybersecurity section: http://www.technewsworld.com/perl/section/cyber-security/

2.    Additional sources of information on cybersecurity


Microsoft Cyber Security. Secure and manage your digital transformation. https://www.microsoft.com/en-us/security/default.aspx?WT.srch=1&WT.mc_id=AID623240__SEM_C9HtVpRB


3.    Some sources of cybersecurity news that may not be used:

Sources of cybersecurity news and information that may not be used are those that publish unverified or untrue security news and information updates.

Saturday, July 8, 2017

Securing Mobile App Back End

 
CYBR 650 Week 5

Mobile App Back Ends and Security

Millions of sensitive records exposed by mobile apps leaking back-end credentials (Constantin, L., ComputerWorld, 2015)

The move of medical apps to mobile platforms introduces the challenge of malicious attackers exploiting vulnerabilities in an unsecured mobile app back end. Protecting the code of the mobile apps themselves, no doubt, poses no serious challenge to the information security profession, but providing the same security in back-end app code has not been as successful. This security failure has resulted in mobile app compromises through “easy-to-fix server security failures” (Zumerle, D., O’Neil, M., & Wong, J., 2016). In a study of apps using BaaS (Backend-as-a-Service), researchers from the Technical University and the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, observed that apps built on cloud service providers like CloudMine, Amazon Web Services or Facebook Parse included their primary BaaS access keys inside the app. This poses a security challenge, as mobile apps can be “reverse-engineered to extract such credentials and access their back-ends”, which house millions of records in the database server (Constantin, L., ComputerWorld, 2015). Another challenge for back-end security is the involvement of mobile apps in “API-based (Application Programming Interface-based) interactions and back end systems and third parties” (Zumerle, D., O’Neil, M., & Wong, J., 2016). This interrelationship makes it even harder to identify and eliminate vulnerabilities.

How can the challenges of back-end security for mobile apps be addressed?

·         Integrate security into the SDL threat model before, during, or even after the app has been developed.

·         Conduct penetration (app security) testing to expose weaknesses in the app.

·         Deploy threat detection tools and enable encryption, integrity protection and authentication.

·         For back-end APIs, use least privilege to lock down mobile apps.

·         Use security checklists and guidelines to ensure compliance with standards and best practices.

·         Implement effective controls for application-level and network anomalies. For internet-facing or consumer-facing web and some other applications, establish user-level and behavior anomaly detection control systems (Zumerle, D., O’Neil, M., & Wong, J., 2016).
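The embedded BaaS access key described above, and the least-privilege and authentication points in the list, are easier to see side by side in code. The following is an added example, not code from the original post or from any of the cited vendors: a toy back-end with a hypothetical record store, showing the vulnerable design (one master key compiled into every app, so an extracted key reads every record) next to a hardened design (the key stays on the server and only signs short-lived per-user tokens, and the API returns only the caller’s own records). The store contents, key and user names are constructed.

```python
import base64, hashlib, hmac, json, time
# Constructed sample back-end store (hypothetical): records belong to different users.
RECORDS = {
    "rec1": {"owner": "alice", "data": "alice's medical note"},
    "rec2": {"owner": "bob", "data": "bob's payment details"},
}
# Server secret: the vulnerable design compiles it into the app; the hardened one keeps it server-side.
MASTER_KEY = b"constructed-master-key-never-ship-in-app"
TOKEN_TTL = 300  # seconds a per-user token stays valid

def b64e(raw):
    return base64.urlsafe_b64encode(raw).decode()
def b64d(text):
    return base64.urlsafe_b64decode(text.encode())

def vulnerable_fetch(record_id, presented_key):
    """Embedded-key design: whoever extracts MASTER_KEY from the app can read every record."""
    if not hmac.compare_digest(presented_key, MASTER_KEY):
        raise PermissionError("bad key")
    return RECORDS[record_id]["data"]

def issue_token(user_id, now=None):
    """Server issues a short-lived HMAC token bound to one user after login (login itself omitted)."""
    exp = int(time.time() if now is None else now) + TOKEN_TTL
    payload = json.dumps({"sub": user_id, "exp": exp}, separators=(",", ":")).encode()
    sig = hmac.new(MASTER_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)

def verify_token(token, now=None):
    """Return the user id the token is bound to, or raise PermissionError."""
    try:
        p64, s64 = token.split(".")
        payload, sig = b64d(p64), b64d(s64)
    except ValueError as exc:  # wrong number of parts or invalid base64
        raise PermissionError("malformed token") from exc
    expected = hmac.new(MASTER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    if (time.time() if now is None else now) >= claims["exp"]:
        raise PermissionError("token expired")
    return claims["sub"]

def hardened_fetch(record_id, token, now=None):
    """Least privilege: the back-end API returns only records owned by the token's user."""
    user = verify_token(token, now)
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != user:
        raise PermissionError("record not found")  # same error either way, so no enumeration hint
    return rec["data"]
```

The hardened path still needs a real login step and TLS in front of it; the point is that nothing shipped inside the app grants access to anyone else’s data.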

Secure coding for back-end apps does not guarantee security if IT administrators, staff and the security team do not implement good security basics. In research conducted by Appthority, a mobile security company, it was discovered that more than a thousand apps exposed data because of a lack of security controls on the back-end servers, which housed 43 TB of user data together with the analytic tools used to mine and analyze the collected data. What was the security gap? The servers had no firewalls, required no authentication, and were at risk of public access via the internet. The critical resources in question included “PII (personally identifiable information), passwords, location, travel and payment details, corporate profile data (emails and phone numbers), and retail customer data” (Rashid, F. CSO, 2017). There had been multiple cases of unauthorized access, phishing, and ransomware.

References

Constantin, L. Millions of sensitive records exposed by mobile apps leaking back-end

Zumerle, D., O’Neil, M., & Wong, J. Securing Mobile App. Gartner. (2016-15-11).

Rashid, F. Mobile app developers: Make sure your back end is covered. CSO, (2017-