Tech Trends: Systems Integrators Breach Cyber Security

March 23, 2015
Understanding the cyber threat enables physical security professionals

I recently attended the Professional Security Alliance’s first Cyber Security Congress. PSA is aggressively taking a lead role in initiating an industry conversation and awareness of cyber security issues. Why PSA? The answer lies in its commitment to its owners, members, and partners to educate and position them to deliver the highest level of security to their customers. Today, that must include cyber security. Although it’s impossible to distill two days of content into a column, I thought it would be worth touching on the highlights.

That the threat is pervasive is not in doubt. David Brent of Bosch cited statistics indicating 40,000 advanced attacks in 2013, with 60,000 malware variations introduced every day. He discussed the Stuxnet virus, created to cripple Iranian nuclear centrifuges through Siemens PLCs, but which subsequently escaped into the World Wide Web. It has now apparently made its way onto the International Space Station. He also mentioned REGIN, an advanced piece of malware, described by Symantec as “a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.” Among the several pieces of advice offered were:

  • Create a Cyber Incident Response Team (CIRT) to respond to cyber events. CIRT is an internal multi-disciplinary team involving all potential stakeholders, including executive management, IT, security, legal, H.R., finance, and public relations.
  • Understand prevailing privacy laws which address people’s rights and expectations of personal privacy in the workplace
  • Proactively and reactively address potential, suspected, or proven insider threats with policies, audits, and personnel assessments
  • Conduct regular penetration and vulnerability testing
  • Invest in employee education and training, particularly with respect to social engineering

Symantec’s whitepaper on the subject may be found at http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf.

Attorney David Wilson, CISSP, discussed the very real responsibilities organizations have in terms of policies, procedures, risk and vulnerability assessment and management, data access, and incident response plans. Failure to address these issues can create not only technical vulnerability but legal exposure as well. Increasingly, organizations will have to show that they have taken all reasonable precautions and actions against cyber attacks to bolster a potential legal defense.

Insider threats constitute a significant, continuing exposure for all organizations, whether the insiders are disgruntled or terminated employees, contractors, or someone on the take. Daniel Velez of Raytheon detailed nine steps to manage insider threats. Significant among these were establishing an insider threat program and the underlying business case, including audit requirements; proper staffing; and, arguably more important than the technical controls, getting input and buy-in for the program from stakeholders in IT, security, HR, unions, legal, and others.

An excellent resource, “Common Sense Guide to Mitigating Insider Threats”, can be downloaded from Carnegie Mellon University at http://resources.sei.cmu.edu/asset_files/TechnicalReport/2012_005_001_34033.pdf.

Charles Tendell, a certified ethical hacker and cyber security consultant, led a session on Hardware Hacking, demonstrating Shodan (www.shodanhq.com), a search engine that discovers just about anything connected to the Internet. In the session “Anatomy of a Cyber Breach”, Frank Hare of Red Team offered some tremendous insights into the world of a cyber breach. Check out the site map.ipviking.com, published by security company Norse, which shows in real time where cyber attacks are coming from around the world. He noted Verizon studies that show that 89 percent of all attacks would be ineffective if users were properly schooled on what to look for in e-mails and messages.

For a significant number of readers of this column, the question comes down to what value and opportunities result from an IT security-based relationship with a customer. Where do customers turn for IT security solutions? Is it IT resellers or security integrators?

Kirk Nesbit of Synnex Corporation discussed the managed services opportunities that exist in this new world of cyber threats in terms of the components of IT security in which a security integrator can potentially play, starting with vulnerability assessments and penetration testing, then addressing discovered gaps, and moving into ongoing managed services.

Integrators who want to take advantage of this opportunity need mindset, strategy, training, and staff. Dean Drako of Eagle Eye suggested that initial opportunities for security integrators with their customers may have to be pursued on a limited-scope basis, earning credibility step by step. Integrators are well positioned because of the diverse systems and technologies they feature and install.

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers.com and RepsForSecurity.com. Ray can be reached through LinkedIn at www.linkedin.com/in/raycoulombe or followed on Twitter @RayCoulombe.