As a follow-up to our recent ISACA Journal article, “NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk,” we wanted to provide some additional thoughts on the password dictionary concept. As our article suggests, organizations should place appropriate controls around the establishment and maintenance of the password dictionary. Under the passphrase approach advocated by the latest US National Institute of Standards and Technology (NIST) guidelines (Special Publication 800-63B), the dictionary (or blocklist) becomes the primary tool for enforcing complexity and uniqueness in user authentication credentials. As such, it is integral to ensuring secure access to IT resources.
With respect to initially establishing the password dictionary, it can be difficult to build a comprehensive and highly secure dictionary from scratch. Enterprises should remember:
- Open-source lists of bad and commonly used passwords are publicly available and may provide a sound starting place. Commercial services have spent considerable time and resources researching and compiling password dictionaries and may be worth the investment.
- Implementing a standard dictionary alone is not really enough. It would not include prohibitions specific to the organization and its context. Involve organization leaders and/or interested users in contributing names and terms associated with the organization, its brand image, close affiliations, products, lines of business and people. Be sure to block known (or suspected) compromised credentials, and consider using the dictionary to also block the use of employee-specific information (such as names and usernames).
It is important to note that a password dictionary should not be considered a “one-shot and done” task. Organizations and the environment they operate in are dynamic, and the password dictionary will become obsolete over time. Organizations should consider the following:
- Regularly refresh the standard dictionary as lists of bad and commonly used passwords evolve. Customized dictionaries of prohibited words and phrases need to be reevaluated, augmented, and updated periodically.
- If a breach occurs (or is suspected), the password dictionary should be quickly updated to prevent the potential use of compromised phrases.
Maintenance of the dictionary should become a routine and continuous process for the organization. Establish an appropriate owner of the dictionary maintenance process (for example, a leader in the IT security or compliance functions), and put controls in place to ensure periodic and ad-hoc maintenance of the dictionary. In highly sensitive applications, consider a periodic independent audit of the dictionary and its use. The organization needs assurance that the effectiveness and robustness of the dictionary does not erode over time.
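To make the three layers above concrete (a public bad-password list, organization-specific terms, and known-compromised credentials, plus employee-specific information and a refresh path), here is an added example of a dictionary check. It is illustrative code written for this page, not code from the Journal article or from any NIST reference implementation; the list contents, the leet-speak substitution table and the minimum length are assumptions, and a real deployment would load the common and compromised lists from a maintained source rather than inline literals.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Leet-speak substitutions undone before matching (assumed table for this example):
# @->a  $->s  !->i  0->o  1->l  3->e  4->a  5->s
LEET = str.maketrans("@$!01345", "asioleas")
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets


def normalize(secret):
    """Return the variants of a candidate that are compared against the dictionary:
    case-folded, de-leeted, and letters-only (so 'P@ssw0rd!!' still hits 'password')."""
    folded = unicodedata.normalize("NFKC", secret).casefold()
    deleeted = folded.translate(LEET)
    letters = re.sub(r"[^a-z]", "", deleeted)
    return (folded, deleeted, letters)


@dataclass
class PasswordDictionary:
    """The three layers described above: a public bad-password list, organization-specific
    terms, and exact known-compromised credentials. Entries are normalized on insertion,
    so a routine or post-breach refresh is a simple update of the relevant set."""
    common: set = field(default_factory=set)
    org_terms: set = field(default_factory=set)
    compromised: set = field(default_factory=set)

    def add_common(self, words):
        for w in words:
            self.common.update(normalize(w))

    def add_org_terms(self, terms):
        self.org_terms.update(normalize(t)[1] for t in terms)

    def add_compromised(self, secrets):
        # Exact strings: a leaked credential is blocked as-is; its variants are caught by
        # the other layers. In production this would be a hashed set fed by a breach feed.
        self.compromised.update(secrets)


def check_password(candidate, username, display_name, dictionary):
    """Return None if the candidate is acceptable, otherwise a short rejection reason."""
    if len(candidate) < MIN_LENGTH:
        return "too-short"
    if candidate in dictionary.compromised:
        return "compromised"
    variants = normalize(candidate)
    if any(v in dictionary.common for v in variants):
        return "common"
    if any(term in v for term in dictionary.org_terms for v in variants):
        return "org-term"
    # Employee-specific information: the username and each part of the display name.
    tokens = {username.casefold()} | {part.casefold() for part in display_name.split()}
    if any(tok in v for tok in tokens if len(tok) >= 3 for v in variants):
        return "user-specific"
    return None


def build_dictionary():
    """Constructed sample content standing in for real open-source and commercial lists."""
    d = PasswordDictionary()
    d.add_common(["password", "123456", "qwerty", "letmein", "welcome1"])
    d.add_org_terms(["acme", "widgetco", "roadrunner"])  # brand, product, affiliate (made up)
    d.add_compromised(["Summer2018!"])                    # from a constructed breach report
    return d


if __name__ == "__main__":
    d = build_dictionary()
    for pw in ["P@ssw0rd", "Acme2019!", "JaneDoe88", "Summer2018!", "correct horse battery staple"]:
        print(pw, "->", check_password(pw, "jdoe", "Jane Doe", d))
```

The check is deliberately ordered: exact compromised match, then the public list on every normalized variant, then organization terms and employee data as substrings. Because the lists live in one object, the post-breach update described above is a single `add_compromised` call followed by a forced reset of any account whose current secret now fails the check.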
Read Bachman Fulmer, Melissa Walters and Bill Arnold’s recent Journal article:
“NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk,” ISACA Journal, volume 1, 2019.
In the wake of the high-profile information security breaches that have made headlines over the past few years, leaders in the security field have been coaching organizations to make 2 fundamental changes in the way they have traditionally handled breaches. First, instead of focusing solely on impenetrability, organizations should accept that breaches are going to happen and place greater focus on detection and management. Second, organizations should be prompt and transparent when it comes to notifying impacted stakeholders about the impact of a breach instead of, well, doing the opposite.
These 2 pieces of organization-level advice can, and should, also be applied to individuals in the context of security awareness training, which was the topic of our recent Journal article.
In a 2017 blog post for NS Tech, Steven J. Murdoch and Angela Sasse write, “Companies often tell employees not to click on links or open attachments in suspicious emails. The problem with this advice is that…for many employees their job consists almost entirely of opening attachments from strangers, and clicking on links in emails. Even a moderately well targeted phishing email will almost certainly succeed in getting some employees to click on it.”
From a training perspective, of course organizations should educate their employees to help them avoid risky behaviors that could threaten security. But organizations should also reassure their employees that they understand that employees cannot do their jobs without encountering some type of security risk. Assuring employees that the organization expects them to encounter threats sooner or later empowers employees to take the appropriate action when that time comes.
Read Randy Pierson, Kevin Alvero, and Wade Cassels’ recent Journal article:
“A Heightened Sense of Awareness: What the Internal Auditor Should Know About Information Security Awareness Training,” ISACA Journal, volume 6, 2018.
The cyberworkforce gap is well documented. When we look at it from a macro level, it seems straightforward. Studies show between 1 and 3 million job openings over the next few years, unfilled due to a lack of talent. As schools pump out new cyber grads and push them into the workforce, our prayers are answered, right?
When we look closer at the problem, we see how woefully inadequate the macro view really is. The uncomfortable truth is this: We cannot close that gap by throwing bodies at it. The speed of change in the cyberarena means that new skill gaps are created daily, even on established cyberteams. In other words, every day our teams are not learning and applying new skills, they are a little less prepared for what may come at them.
This perspective shifts the arms race from buying the most talented cyberstaff to creating programs and cultures that foster development, teamwork, and a focus on continuous and persistent learning.
Success in such an environment requires a level of discipline many organizations are not used to. But something must change if we, as an industry, want to overcome the challenges in front of us. Here are just a few of the key strategies to prepare a cyberteam to be mission-ready at all times:
- Today’s tech workers are looking for growth opportunities, but this does not always mean moving into management. Mapping the roles within the team and the skills and capabilities required for each position gives a clear picture of what individuals need to develop to get ahead, both technically and professionally.
- With knowledge, skills and abilities defined, arm your teams with consistent development opportunities so the staff have adequate training to achieve peak performance. The training must be highly relevant to both the organizational environment and to the threats facing the organization.
- Put the skills to the test with cyberchallenges that push the limits of what the team can do. It is better to challenge cyberteams to respond to threats simulated on your own terms than to expect them to fend off a real attack without firsthand experience.
- Recruit for those who have a lifetime love of learning, a passion for the industry and belief in what they are defending. The technical skills can be learned and honed, but passion cannot be taught.
Discipline around workforce development can be daunting, but those that embrace the culture of learning and growth will outperform in recruiting, retention, and ultimately performance against the threats to come.
Read Philip Casesa’s recent Journal article:
“Growing a Cybersecurity Career: Five Questions for the Next Job Interview,” ISACA Journal, volume 6, 2018.
Healthcare has many parallels with information security since both are based on prevention, monitoring, diagnosis and correction to avoid negative results. If medical success, however, were measured only by prevention of death, doctors would be the worst professionals in the world. After all, we are all going to die one day.
Moreover, if we take that same rationale for information security and measure its success or failure only through incident prevention, we will see some successes, but, eventually, there may be failures, perhaps catastrophic. Does this sound familiar?
Instead of waiting for these extreme results, we must track indicators (or risk factors) that can positively affect our situation. As in healthcare, there are risk factors beyond our control, such as gender, age and family history, and behavioral factors that can have a significant impact on our health, including diet, physical activity level and use of tobacco products.
Some decisions about which risk factors to address have already been made in your organization—if not scientifically, at least through common sense. The decisions to implement any defensive technology such as firewalls, antivirus software or web filtering were made based on the risk factors inherent to your business—in most cases, to act on something that you cannot control (threats).
So, what should you measure to improve the health of your information security? Although the evidence may not be as conclusive as in the case of healthcare, there are many good sources of good practice provided by ISACA® and groups such as SANS, the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). The most important thing is to pay special attention to the factors you can control: the processes in place and, in particular, the management of the technologies you have already implemented.
To continue the analogy with healthcare, this can be compared to physical exercise and heart disease: It may not be easy to get off the couch, but the risk of not doing so is high and the benefits are proven. However, measuring these indicators alone will not protect you. We need to cultivate good behaviors—in other words, choosing to "get off the couch" and apply good security management practices (factors that you can control) will have a dramatic effect on your organization and your health as well.
Read Julio Pontes’ recent Journal article:
“Automation, Governance and Security in a Software-Defined World,” ISACA® Journal, volume 6, 2019.
The amount of data accumulated worldwide by 2020 is predicted to exceed 44 zettabytes (or 44 trillion gigabytes), and the data growth rate is about 1.7 megabytes per second for every human being. To manage and understand it, artificial intelligence (AI) was developed, and its use has been increasing at a rapid rate. We see this in the products that are coming to market.
This new technology is affecting us in many ways:
- How we live (e.g., digital home assistants such as Apple’s Siri and Amazon’s Alexa)
- How information is obtained (e.g., sensors, chatbots, automated data searching)
- How we communicate (e.g., language translation)
- How we react to security and privacy attacks (e.g., network anomaly detection, fraud detection)
- How we get around (e.g., driverless vehicles)
- How we detect and prevent crimes
In my recent Journal article, we look at where the data come from (e.g., sensors, data files, audio and video information), how AI is used, the software technology behind it (e.g., machine learning, virtual agents), the areas of knowledge needed to apply it (e.g., mathematics, computer science principles and techniques, software programming, analytical skills) and where we can get the training (e.g., online, college, universities). Once we have this understanding, we review the current job market, the AI position descriptions (e.g., business intelligence developer, software engineer, data scientist, solution architect) and associated salaries.
The intent of this article is to enlighten the reader about personal AI skills and requirements and additionally to provide guidance on how to go forward with this knowledge if you are interested in becoming someone who molds our future. From the information I have gathered, it has become clear that AI technology can be a benefit to auditors (e.g., when finding internal instances of fraud), aid information security in detecting and responding to cyberattacks, and help privacy professionals look for data breaches.
I encourage you to read the article and share any insights and knowledge you may have on AI as a career path.
Read Larry Wlosinski’s recent Journal article:
“Is Artificial Intelligence a Career Path for You?,” ISACA Journal, volume 6, 2018.
At a time when IT-driven “business transformation” is the order of the day, ensuring that IT security is not in conflict with the business is a very critical concern. Instead, IT should enable the business to realize value without compromising the expected level of security. This is of paramount importance. Any compromise in IT security in the name of operational efficiency could have legal implications for the business, including damage to the enterprise’s reputation, revenues and profits, and even imprisonment.
One area to look at very closely is special access (also called privileged access), which a few identified IT operations stakeholders hold so that the required IT systems run seamlessly and the business realizes its intended value. It is critical for management to have confidence that whoever has special access carries out those activities in line with the expected intent and in a transparent manner.
Management can have trust in privileged access policies if:
- Only intended people have privileged access
- Special access is used in accordance with the expectations of the enterprise
But again, in the name of providing assurance, IT should not impede business efficiency; rather, applying common sense and avoiding rigid approaches to privileged access benefits IT and, thereby, the organization as a whole.
My recent Journal article touches upon a few best practices I have explored and successfully implemented in my work, helping my organization realize greater value.
Read Sundaresan Ramaseshan’s recent Journal article:
“Effective Interactive Privileged Access Review,” ISACA Journal, volume 5, 2018.
Cyberincidents involving ransomware are a common occurrence lately. Hardly a week goes by without hearing about an incident in the news. Some involve an organization paying a ransom to get access to files, and others involve enterprises deciding not to pay and dealing with sometimes costly and protracted recovery processes. Paying a ransom, as tempting as it might be to regain access to files, creates a societal negative externality.
Negative externality is a term used by economists to describe a condition in which a third party suffers a cost as a result of a transaction. One common example is a factory dumping toxic waste into a river: A third party, the people who live downstream, is harmed by the economic exchange between the factory owners and those who buy the goods the factory produces. A technology example, and the primary focus of my ISACA Journal article, titled “The Downstream Effects of Cyberextortion,” is paying a ransomware demand. There are 2 parties in the transaction—the cybercriminal and the victim—and every time a victim pays a ransomware demand, cybercriminals are emboldened, enriched and encouraged. Paying the ransom creates more future victims, therefore creating a negative externality.
Common advice is often “Never pay!” This might be good guidance if one wishes to improve the overall computer security ecosystem, but is this good advice for the small community hospital that does not have good backups and where lives may be at stake? This is the question—and decision—that I analyze in the article. Thinking about this problem as a series of decisions helps frame the problem, identify risk and identify opportunities in which cybersecurity professionals can disrupt or influence the decision. If one is faced with this kind of problem, the decision flow can be broken down into these 3 high-level steps:
- Restore from system backups; if backups do not exist, follow step 2.
- Obtain assistance to decrypt the files without paying the ransom (e.g., a security consulting firm, the No More Ransom project); if unsuccessful, follow step 3.
- Decide whether to pay the ransom or deal with data loss.
I also briefly touch on the nudge theory. Nudge theory has been explored in the field of behavioral economics and describes ways that actors can be nudged into good decisions without government interference, coercion, etc. I believe the nudge theory can be very effective in helping solve the ransomware problem. Some possibilities are:
- Helping smaller firms with preventative measures, such as patching and other security basics
- Pro bono or low-cost response assistance: negotiating with cybercriminals, forensics, data restoration
- Encouraging projects that develop decrypter kits, such as the No More Ransom project. It might be worthwhile to set up a bug bounty pool, funded by corporate donations, that pays independent security researchers to develop countermeasures to ransomware strains.
Let us continue the discussion in the comments section. Do you find this type of decision analysis useful? Can it help solve common cybersecurity problems? How would you nudge people to make better decisions?
Read Tony Martin-Vegue’s recent Journal article:
“The Downstream Effects of Cyberextortion,” ISACA Journal, volume 4, 2018
With so many compromises leading to data breaches, one common concern is even after so much investment going into technology, people and processes, why are breaches occurring? Are we “barking up the wrong tree”?
Perhaps, yes. Today there is a different challenge that security professionals are faced with: where to focus and what to protect. The traditional approach of protecting everything is failing; focus and effort should be on critical assets.
Knowing what to protect is extremely relevant for deciding the level of security protection required. The asset could be either raw data or processed information, along with its ecosystem (e.g., operating system, application, web, data or application programming interface [API]). Lack of visibility into this key and critical piece of information leads to:
- Excess security focus on irrelevant assets
- Deficient security focus on critical assets
- No security focus on critical assets
Is there a well-designed and sustainable approach to identify and protect assets based on their criticality and risk exposure?
The solution is to analyze the end-to-end data flow (creation, storage, transmission, access and archival/destruction) once the activity is completed and create a detailed blueprint of the data life cycle, including information on:
- Gateways (entry and exit)
- User roles and access rights
- Upstream and downstream information flow
- Upstream and downstream interface protocols
- Internal and external connectivity
- System and platform
- Implemented security controls
- Storage location and type (transient or permanent)
The previously mentioned information will help in aligning the required focus and effort for designing, implementing and monitoring security measures. This approach can easily be adopted for blueprinting all existing data/information assets. Having a data life cycle blueprint will be beneficial for:
- Providing clear visibility into data assets for faster design decisions and a clear overview of all impacted components
- Providing a quick overview of controls to be added due to a changing threat environment, regulation or incident
- Enabling investigators with required information at a glance during an incident
- Providing field-level information alongside the building blocks
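The blueprint elements listed above (gateways, roles and access rights, upstream and downstream flows, protocols, zones, platforms, implemented controls and storage type) are easy to capture as a small directed graph, and two of the promised benefits, the overview of impacted components and the at-a-glance view for an investigator, then become graph queries. The following is an added example written for this page, not code from the Journal article; the order-processing system, the approved-protocol set and the required at-rest controls are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

SECURE_PROTOCOLS = {"https", "tls", "sftp"}                  # assumed approved set
REQUIRED_AT_REST = {"encryption-at-rest", "access-logging"}  # assumed baseline for stores


@dataclass
class Component:
    name: str
    platform: str
    zone: str                    # "internal" or "external"
    storage: str                 # "permanent", "transient" or "none"
    controls: set = field(default_factory=set)   # implemented security controls
    roles: set = field(default_factory=set)      # user roles with access rights


class Blueprint:
    """Data life cycle blueprint: components plus directed flows tagged with a protocol."""
    def __init__(self):
        self.components, self.flows = {}, []   # flows: (src, dst, protocol)

    def add(self, *components):
        for c in components:
            self.components[c.name] = c

    def connect(self, src, dst, protocol):
        self.flows.append((src, dst, protocol))

    def _walk(self, start, forward):
        seen, queue = set(), deque([start])
        while queue:
            cur = queue.popleft()
            for src, dst, _ in self.flows:
                a, b = (src, dst) if forward else (dst, src)
                if a == cur and b not in seen and b != start:
                    seen.add(b)
                    queue.append(b)
        return sorted(seen)

    def downstream(self, name):
        return self._walk(name, forward=True)

    def upstream(self, name):
        return self._walk(name, forward=False)

    def gateways(self):
        """Flows that cross the internal/external boundary: the entry and exit points."""
        return [(s, d, p) for s, d, p in self.flows
                if self.components[s].zone != self.components[d].zone]

    def control_gaps(self):
        """Internal permanent stores missing a baseline control, and boundary flows
        that run over a protocol outside the approved set."""
        gaps = {}
        for c in self.components.values():
            if c.zone == "internal" and c.storage == "permanent":
                missing = sorted(REQUIRED_AT_REST - c.controls)
                if missing:
                    gaps[c.name] = missing
        for s, d, p in self.gateways():
            if p not in SECURE_PROTOCOLS:
                gaps[f"{s}->{d}"] = [f"insecure protocol: {p}"]
        return gaps

    def incident_scope(self, compromised):
        """What an investigator needs at a glance: every component the data could have
        reached from the compromised one, the roles that can touch it there, and the
        exit points through which it could have left the organization."""
        reached = [compromised] + self.downstream(compromised)
        roles = set().union(*(self.components[n].roles for n in reached))
        return {"components": reached, "roles": sorted(roles),
                "exits": [f for f in self.gateways() if f[0] in reached]}


def build_sample():
    """Constructed order-processing flow used only to exercise the blueprint."""
    bp = Blueprint()
    bp.add(
        Component("customer-browser", "any", "external", "none", roles={"customer"}),
        Component("web-app", "linux/nginx", "internal", "transient", {"waf"}, {"customer"}),
        Component("orders-api", "linux/java", "internal", "transient", {"access-logging"}, {"ops"}),
        Component("orders-db", "postgres", "internal", "permanent",
                  {"encryption-at-rest", "access-logging"}, {"dba", "ops"}),
        Component("analytics-dw", "spark", "internal", "permanent", {"access-logging"}, {"analyst"}),
        Component("partner-drop", "partner-hosted", "external", "permanent", roles={"partner"}),
    )
    bp.connect("customer-browser", "web-app", "https")
    bp.connect("web-app", "orders-api", "http")
    bp.connect("orders-api", "orders-db", "tls")
    bp.connect("orders-db", "analytics-dw", "jdbc")
    bp.connect("analytics-dw", "partner-drop", "ftp")
    return bp
```

In the constructed sample, `control_gaps()` flags the warehouse for lacking encryption at rest and the partner feed for leaving the organization over FTP, while `incident_scope("orders-db")` lists the warehouse and the partner drop as places the data could have gone, the four roles that could have touched it, and the FTP link as the exit to check first. The same queries answer the "new regulation" and "new threat" questions in the list above by changing `REQUIRED_AT_REST` or `SECURE_PROTOCOLS` and rerunning.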
Read Sridhar Govardhan’s recent Journal article:
“Data Spill Lessons From the Oil Industry,” ISACA Journal, volume 4, 2018.
In the last few years, SWIFT has become a favorite target for attackers across the globe, as the frequency of SWIFT-targeted cyberattacks shows. In most of these attacks, the network perimeter was compromised before the core SWIFT platform was touched. It is therefore important first to ensure that a hardened network perimeter is built around the SWIFT infrastructure, with appropriate security solutions layered in a defense-in-depth manner.
Data confidentiality in SWIFT can be achieved through the encryption of all payment-related data and having all links controlled by SWIFT using strong encryption algorithms. Access to SWIFT payment data should be protected by means of one-time passwords (OTP). Controls such as unique sequencing of all messages, dual storage, real-time acknowledgement to the user, and message authentication procedure between the sender and receiver also help ensure SWIFT data integrity by protecting from fraudulent modification of SWIFT data, which was the technique used by hackers in many recent SWIFT-targeted attacks. Availability of SWIFT infrastructure can be achieved using several measures, many of which are built into organizations in the form of continuity planning, duplication, and, in some cases, triplication of equipment, extensive recovery schemes and automatic rerouting of payments in the event of failure of some network nodes.
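Two of the integrity controls named above, unique sequencing of all messages and a message authentication procedure between sender and receiver, are worth seeing together, because each defends against a failure the other does not: the MAC catches a modified message, the sequence catches a replayed or suppressed one. The following is an added, simplified example written for this page; it is not SWIFT's actual message format or authentication mechanism, and the shared key, the sender identifier and the payment payloads are constructed.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-not-for-production"  # assumption: pre-shared per link


def canonical(body):
    """Stable byte encoding so sender and receiver authenticate exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def tag(key, body):
    """HMAC-SHA256 over the canonical body (sender id, sequence number and payload)."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class Sender:
    """Attaches a strictly increasing sequence number and a MAC to every message."""
    def __init__(self, key, sender_id):
        self.key, self.sender_id, self.seq = key, sender_id, 0

    def send(self, payload):
        self.seq += 1
        body = {"sender": self.sender_id, "seq": self.seq, "payload": payload}
        return {**body, "mac": tag(self.key, body)}


class Receiver:
    """Verifies the MAC before trusting any field, then enforces the sequence."""
    def __init__(self, key):
        self.key, self.expected_seq, self.accepted = key, 1, []

    def receive(self, msg):
        body = {k: v for k, v in msg.items() if k != "mac"}
        # Constant-time comparison, and the MAC is checked first so an attacker learns
        # nothing about sequence state from unauthenticated messages.
        if not hmac.compare_digest(tag(self.key, body), str(msg.get("mac", ""))):
            return "rejected: bad-mac"
        if body["seq"] < self.expected_seq:
            return "rejected: replay"
        if body["seq"] > self.expected_seq:
            return "rejected: gap"  # hold and query the sender; never silently skip
        self.expected_seq += 1
        self.accepted.append(body["payload"])
        return "accepted"


def run_scenario():
    """Constructed exchange: genuine transfers, a tampered copy, a replay and a gap."""
    sender, receiver = Sender(SHARED_KEY, "DEMO-BANK-A"), Receiver(SHARED_KEY)
    results = []
    m1 = sender.send({"amount": "1000.00", "ccy": "USD", "beneficiary": "ACC-111"})
    results.append(receiver.receive(m1))                      # accepted
    tampered = {**m1, "payload": {**m1["payload"], "beneficiary": "ACC-999"}}
    results.append(receiver.receive(tampered))                # bad-mac: beneficiary changed
    results.append(receiver.receive(m1))                      # replay of an accepted message
    m2 = sender.send({"amount": "250.00", "ccy": "EUR", "beneficiary": "ACC-222"})
    m3 = sender.send({"amount": "75.00", "ccy": "GBP", "beneficiary": "ACC-333"})
    results.append(receiver.receive(m3))                      # gap: seq 3 arrives before 2
    results.append(receiver.receive(m2))                      # accepted
    results.append(receiver.receive(m3))                      # accepted once in order
    return results, receiver.accepted


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

The tampered message fails even though every field except the beneficiary is genuine, which is the modification pattern the passage describes; the replayed message carries a valid MAC and is only caught by the sequence check; and the out-of-order message is held rather than processed, so a suppressed message cannot be silently dropped from the stream. Real deployments also bind the sequence to a session and rotate or derive keys per link rather than using one static secret.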
In addition to the confidentiality, integrity and availability-related controls mentioned previously, having controls, such as well-defined segregation of duties, logical access controls, control of paper output and timely validation of error reports, helps protect the SWIFT infrastructure across the Cyber Kill Chain.
An assurance that an optimum level of SWIFT security has been achieved needs to be provided by execution of well-defined internal and external audit programs on a periodic basis.
Read Vimal Mani’s recent Journal article:
“Securing the SWIFT Infrastructure Across the Cyber Kill Chain,” ISACA Journal, volume 4, 2018.
When faced with an obstacle, how do you take the first step? I have found it helps to follow the steps outlined in Lisa Avellan’s article “Five Simple Steps When You Don’t Know Where to Start”:
- Breathe and relax
- Prioritize
- Make the best decision
- Act immediately
- Evaluate
Today’s obstacles in business are typically around managing information security and the growing cyberthreats. As you are faced with security obstacles, these 5 steps can help:
- Breathe and relax—The scope and complexity of an assessment can seem stressful and overwhelming at first. Take a breath, relax and begin to tackle it step by step. You will find the actual process to be less agonizing than at first assumed.
- Prioritize—I recommend that you start by conducting an assessment. Assessing the risk and gaps in your information security structure will help you identify what type of information is stored, how it is transmitted and accessed, and what risk the threats to that information pose. The risk assessment enables you to identify hazards and risk factors that could cause harm, analyze and evaluate these hazards, and determine the best course of action to mitigate the harm and risk.
- Make the best decision for your organization—As I outline in my recent Journal article, every organization has different needs—some may need a complete overhaul, while others just need a tune-up. There are a number of different approaches to assessing the security needs of your organization. A risk assessment helps you to determine your security needs to mitigate risk. A gap analysis helps you to find the holes. A security audit is an extensive overview of an organization’s security systems and processes and helps you determine specific security needs.
- Act immediately—No need to panic! Since the assessment precedes your proactive security efforts, it is important that you first take inventory. An effective risk assessment is the foundation of an effective risk management program. Regular assessments are important to the success of any business and form the foundation of an effective IT risk management program. If you are looking to improve your security posture and boost your compliance, risk assessments and gap assessments are the key to continuous improvement and well-informed leadership decisions.
- Evaluate—Think of an assessment as a way to evaluate where you are. For example, a risk assessment is about gathering data, determining threats, analyzing risk factors and prioritizing to determine mitigation.
When it comes to managing information security, I would add a sixth step to Avellan’s list: breathe and repeat. Repeated assessments and tests allow for continuous, targeted improvements that allow for optimal risk mitigation over the long term.
Read Tyler Hardison’s recent Journal article:
“Building a Strong Security Posture Begins With Assessment,” ISACA Journal, volume 3, 2018.