Unpatched systems represent a very serious IT security threat with potentially severe consequences, as documented in a large number of high-profile breaches that exploited known, unpatched vulnerabilities. Since these vulnerabilities are known not just to attackers but also to system administrators, and since patches exist, it is at first glance surprising that unpatched systems exist at all. The reality, however, is that patching is not that simple. Because of interdependencies, it must be verified that the patch is compatible with everything else in the system; e.g., an operating system patch must be compatible with the applications and databases running on top of the operating system. Sometimes it is not, as happened with the Spectre and Meltdown vulnerabilities, where some application providers explicitly warned against applying the patches. Verification means testing by the other vendors involved, and this may not be a high priority for an application vendor, with an answer or a full solution sometimes arriving only with the next release. Today’s organizations typically run a large number of systems and applications, and making sure all of them are patched promptly is not automatic.
In light of this situation, organizations need to bolster the first line of defense, i.e., do everything possible to ensure prompt patching and, in addition, prepare a second line of defense to deal with systems that cannot or will not be patched in a reasonable time frame. Such a strategy could entail:
- Involve high-level management, who need to be aware of the risk, and attempt to obtain contractual guarantees that patch issues will be addressed promptly, whether in the vendor’s own system or application or in other systems it depends on. Evaluate vendors in this respect.
- Establish a clear line of ultimate responsibility for patching. This involves appointing someone to monitor and assess patching risk and empowering that person to carry out the task. It requires, among other things, an architectural map of the systems with their function, criticality, exposure (e.g., Internet-facing) and interconnections, as well as a monitoring tool that carries out regular scans of patch status.
- Contact the vendors regarding patch testing, compatibility and availability, and carry out tests internally if necessary.
- Propose blacklisting unresponsive vendors.
- Propose and implement (in cooperation with the relevant company units) alternative mitigating measures in case patching is not possible in a reasonable time frame. Such measures could involve agents on the unpatched systems that block exploit attempts (although this is unlikely to be accepted by the vendor), placing patched intermediate servers in the path to the Internet to inspect incoming traffic, and using web application firewalls (WAFs) or sandboxing-type solutions, always taking possible performance issues into account. These are compensating controls: they reduce exposure to the known exploit paths but do not remove the vulnerability, so they should be tracked as temporary exceptions with an owner and an expiry date.
- Especially if one must live with unpatched systems, monitoring for and responding to anomalous activity gains importance.
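The regular patch scan and the architectural map described above come together in a patch-lag report: every system’s installed versions are matched against vendor advisories, and each finding is ranked by exposure and criticality against a remediation deadline. The following is an added example of such a report, not code from the article or from any vendor tool; the inventory, the advisories (with placeholder IDs), the exposure classes and the SLA days are all constructed for illustration.

```python
"""Added example (not from the article): a patch-lag report of the kind a
regular patch scan would feed, ranking unpatched findings by exposure and
criticality.  Inventory, advisories, advisory IDs and SLA tiers below are
constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date

# Assumed remediation deadlines (days) by exposure class.
SLA_DAYS = {"internet": 7, "internal": 30, "isolated": 90}


def parse_version(v: str) -> tuple:
    """Split '2.4.41-1' or '1.1.1b' into comparable tokens.

    Digits compare numerically; letter suffixes compare after the digits
    (so 1.1.1 < 1.1.1a < 1.1.1b).  Distro epochs and backported fixes are
    not handled; use the distribution's own comparator for those.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


@dataclass
class System:
    name: str
    exposure: str       # "internet" | "internal" | "isolated"
    criticality: int    # 1 (low) .. 5 (crown jewels)
    software: dict      # product -> installed version


@dataclass
class Advisory:
    advisory_id: str
    product: str
    fixed_in: str       # first non-vulnerable version
    published: date


def patch_report(systems, advisories, today):
    """Match inventory against advisories; most urgent findings first."""
    findings = []
    for s in systems:
        for a in advisories:
            installed = s.software.get(a.product)
            if installed is None or not vulnerable(installed, a.fixed_in):
                continue
            age = (today - a.published).days
            sla = SLA_DAYS[s.exposure]
            findings.append({
                "system": s.name, "advisory": a.advisory_id,
                "product": a.product, "installed": installed,
                "fixed_in": a.fixed_in, "days_unpatched": age,
                "sla_days": sla, "overdue": age > sla,
                # Crude priority: criticality weighted by days past SLA.
                "priority": s.criticality * max(1, age - sla + 1),
            })
    # Overdue items first, then by priority; sort is stable for ties.
    findings.sort(key=lambda f: (not f["overdue"], -f["priority"]))
    return findings


def sample_report():
    """Constructed inventory and advisories; report as of 2019-05-20."""
    systems = [
        System("web-01", "internet", 4, {"httpd": "2.4.38", "openssl": "1.1.1b"}),
        System("hr-db", "internal", 5, {"postgresql": "11.2", "openssl": "1.1.1a"}),
        System("lab-ws", "isolated", 1, {"openssl": "1.1.1a"}),
    ]
    advisories = [  # IDs are placeholders, not real advisories
        Advisory("example-1", "openssl", "1.1.1c", date(2019, 5, 1)),
        Advisory("example-2", "httpd", "2.4.39", date(2019, 4, 1)),
        Advisory("example-3", "postgresql", "11.3", date(2019, 5, 9)),
    ]
    return patch_report(systems, advisories, date(2019, 5, 20))


if __name__ == "__main__":
    for f in sample_report():
        flag = "OVERDUE" if f["overdue"] else "within SLA"
        print(f"{f['system']:8} {f['product']:11} {f['installed']:>8} -> "
              f"{f['fixed_in']:<8} {f['days_unpatched']:3}d/{f['sla_days']}d  {flag}")
```

Two things a practitioner would change before relying on this: distributions often backport a fix without raising the upstream version number, so a pure version comparison produces false positives unless the scanner understands the distribution’s patched-version scheme, and the priority formula should also take interconnections into account (an isolated system that is reachable from an Internet-facing one inherits some of that exposure).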
Read Spiros Alexiou’s recent Journal article:
“Practical Patch Management and Mitigation,” ISACA Journal, volume 3, 2019.
The nature of risk management has changed over the past 2 decades. Previously isolated IT infrastructures are now more connected with the outside world, and organizations face an ever-expanding threat landscape. Most organizations operate in a reactive mode, typically driven by an outside-in, fear-and-avoidance approach in which priorities are based on the latest known threat or the newest regulation. The problem with this approach, besides being reactionary and driven by outside forces, is that it promotes a keep-the-lights-on mentality, results in inefficient use of resources and distracts from the priority of protecting an organization’s most critical data assets.
The motivation is primarily fear of fines and reputational damage. For a security program to succeed and reduce information technology risk, a focus on driving business value by effectively mitigating risk wherever it lives is preferable.
The Risk IT Framework developed by ISACA includes the following core principle: Make IT risk management a continuous process and a part of daily activities.
This tenet is prescient because today’s threat landscape never sleeps. Digital transformation, SensorNet, cloud and DevOps are dramatically expanding attack surfaces. Attackers are constantly looking for a way in, and employees keep finding new ways to accidentally expose sensitive information. Annual penetration tests or security reviews do not cut it, and regulatory-focused security programs cannot keep up. So how can organizations move from a reactionary approach to a proactive, risk-centric program?
- Know your business—Understand what information is most important to the organization. Understand what information assets drive the business and need more protection. One-size-fits-all security is not effective and can add substantial costs when it is not warranted. Talk to internal department leaders and get to know how security programs can add value to their lines of business.
- Conduct a comprehensive risk assessment—Doing so will uncover the gaps in your existing programs against the applicable regulations, standards and best practices. The assessment will also provide a risk model that identifies the most likely attackers, the assets they are most likely to go after and the overall impact on the organization in case of an incident.
- Do not stop at a checklist—While a thorough assessment will provide a list of items to be addressed, move beyond a simple checklist. Each identified gap should be wrapped in controls, a remediation plan and continuous risk monitoring.
Information security and risk management are not easy fields in which to succeed. These 3 basic steps can help you start transforming your organization’s approach to cybersecurity. The benefits of doing so include reducing security technology clutter, minimizing operational expenditures, and creating a program that is business aligned and more effective at reducing risk.
Read Brian Golumbeck’s recent Journal article:
“Moving Risk Management From Fear and Avoidance to Performance and Value,” ISACA Journal, volume 3, 2019.
Managing cyberrisk is critically important for organizations. Interconnectedness, digitization, the focus on utilizing data and providing enhanced client experiences expand the attack surface and expose an organization to increased cyberrisk. I cannot think of a worse experience for a board member than to be told (or to read in a newspaper) that the organization’s client database has been leaked online, that a significant amount of money was stolen or that the organization cannot operate because all the servers have been locked up with ransomware. No organization can be 100% secure, and bad events will happen. There are, however, practical steps that can be taken to reduce the risk of a cyberevent happening and, when it does happen, to recover the organization to the same state as before the event.
The difficult question is where to start managing cyberrisk, especially if the organization is not yet focused on cyber. I would advise against simply jumping in and starting to implement cyberactions. The most important task, in my view, is to create a cyberresilience program with executive support. This can be quite difficult, but without executive support, a vehicle for all the tasks that must be done and a report that keeps the board informed of the cyberjourney, cyberrisk management will be dead in the water, and the organization will just be waiting to become the victim of a cyberattack. This is especially difficult in organizations that have not yet experienced a cyberevent. I would not be surprised if there are many organizations where the full extent of cyberrisk management is a technical team buried in the IT department that focuses on hardware and security settings.
As I mention in my Journal article, I recommend doing a current-state cyberrisk assessment first. Procure the services of a reputable external consulting firm to do the assessment. Openness, transparency and honesty are the keywords for this step: the cyberpractitioner will know many of the things that are not in place in the organization and should provide that information to the assessment team. Once the attention and commitment of the board have been obtained with an external report, the next step is to create a cyberresilience program. In this step, focus on ranking the items discussed in my article over a period of 2 or 3 years. It will not be possible to do everything in year 1, as it would be too expensive and the resources will not be available to address everything in one go.
It is very important that the board understand cyberrisk; therefore, implementing board reporting and promoting executive awareness should be a high priority in the 3-year plan. It does not matter if the first report has lots of red items. The more informed the board is, especially board members from the business lines, and the better they understand the impact a cyberevent can have on their organization, the greater the chance of obtaining resources to implement the cyberplan. The board report is probably one of the most important tools a cyberpractitioner has and should be used effectively to manage cyberrisk and to describe the cyberjourney to the board. I am of the opinion that an organization should not attempt to describe an end goal for cyber, but rather describe the journey and show that the right actions are being taken along the way to reduce cyberrisk. The next step is to adopt a cybermaturity framework against which to measure the organization internally. Armed with these tools, the other steps in my article can be mapped out and implemented, e.g., identifying the crown jewels, threat modelling, determining whether controls are adequate to protect critical points along the kill chain, red team testing, etc., and each item implemented will improve the organization’s cybermaturity.
Read Jaco Cloete’s recent Journal article:
“Practical Cyberrisk Management,” ISACA Journal, volume 3, 2019.
Cybersecurity is an endless process of chasing and preventing known attacks; anticipating attacks; and monitoring, alerting, patching, remediating and implementing solutions. It is becoming a maintenance function that trails hackers and other bad actors.
Cyberresilience refers to the ability to constantly deliver intended outcomes despite negative cyberevents. It is keeping business intact through the ability to effectively restore normal operations in the areas of information systems, business functions and supply chain management. In simple terms, it is the return to a normal state.
Cyberresiliency is the ability to prevent, detect and correct any impact that incidents have on the information required to do business. Examples of the enterprise cyberresiliency goals are:
- Anticipate—Stay informed and ready to expect compromises from adversary attacks.
- Withstand—Continue the enterprise’s mission-critical business operations despite a successful attack by an adversary.
- Recover—Restore mission-critical business operations to pre-attack levels to the maximum extent possible.
- Evolve—Change missions/business functions and/or the supporting cybercapabilities, including those for mission-critical business operations, to minimize adverse impacts from actual or predicted adversary attacks.
Cyberresiliency has progressed to enable enterprises to withstand and rapidly recover from cyberattacks whose criminal intent is to harm, cripple and extort enterprises. Cyberresiliency is a board-level responsibility with high business content. It rests on initiatives under the auspices of corporate governance, enterprise cyberprograms and the supply chain network.
The trend and severity of serious cyberbreaches underscore the fact that enterprises will face a serious breach with intent to harm. The organization and its board of directors (BoD) ought to plan, in anticipation of such an attack, how to withstand it, how to recover from it rapidly and how to evolve by reengineering their business and cybersecurity processes.
It is the enterprise’s responsibility to evaluate and measure its current state of cyberresiliency and how to transform itself to strengthen its cyberenvironment to withstand serious cyberthreats.
A methodology was developed to build a cyberresiliency decision model (CRDM). It quantifies and compares the degree of impact of each proposed cyberresiliency initiative on any of the enterprise-stated goals and objectives and develops a road map to the containment of the threats.
Determining the portfolio of cyberresiliency investment and the realized value of such initiatives is highly correlated with an organization’s willingness to articulate the following:
- The potential cost of security incidents that the enterprise is willing to bear
- The level of risk that the enterprise is willing to accept when running its business
- The enterprise’s recognition that investment in cyberresiliency ought to be mapped and prioritized to the desired outcome and types of threats.
Read Robert Putrus’ recent Journal article:
“Enterprise Transformation to Cyberresiliency,” ISACA Journal, volume 3, 2019.
In the past 5 years, the cybersecurity agenda has been raised and discussed in many forums because cyberattacks are being developed for various purposes, and the number of cybersecurity incidents and data breaches has increased dramatically every year. After major incidents around the world in the past few years, cyberattacks have caused several kinds of impact on public services, businesses and people, and even accusations of cybercrime between parties. Therefore, many countries, such as the United Kingdom, Germany, Estonia, Australia, Canada and Singapore, have developed and issued laws to act on cybersecurity, covering national strategy, implementation guidelines and reporting. Generally, all cybersecurity acts focus on the industries identified as the nation’s critical infrastructure (CI) or critical information infrastructure (CII), such as the national security, financial, telecommunication, public transportation and logistics, healthcare and energy sectors. These sectors are the primary targets of cyberattacks, and attacks on them cause the biggest business disruption and impact nationwide.
The Thai government will soon issue its first cybersecurity bill, which aims to raise the level of cybersecurity safeguards, minimize or control cyberrisk and create cyberresilience in CII organizations. According to the bill, the law will focus on incidents or crises affecting CII that have an impact on public services or could even cause death or injury, rather than on individual computer crimes or monitoring behavior on the Internet. CII has been categorized into at least 7 groups: national security, public service, financial services, information technology and telecommunication, supply chain and logistics, public utilities and energy, and healthcare.
The new cybersecurity agency created by the bill will be responsible for enforcement, cooperation with other regulators and international organizations, support, response to cyberincidents and regulation of the CII organizations. The law contains obligations and several penalties for noncompliance. In addition, it details how CII organizations can comply, following a risk-based management concept and the 5 functions of the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) version 1.1 (i.e., identify, protect, detect, respond, recover). All CII enterprises therefore now face the challenge of complying with the law and with the forthcoming regulations that will provide more implementation detail, especially for operational technology (OT) and public services. OT has long been claimed to run on closed networks (no external or Internet connection), while public services sometimes focus on the service and neglect security issues because of the service volume. These areas must be improved as quickly as possible, using the NIST framework as the implementation guideline or other IT security standards such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 or European Union Agency for Network and Information Security (ENISA) guidelines. Cybersecurity development or improvement in the organization must cover all aspects of people, process and technology.
Last but not least, for implementers and compliance practitioners, ISACA has published Implementing the NIST Cybersecurity Framework to help practitioners and enterprises understand the CSF and its implementation.
Read Nipon Nachin, Chatpong Tangmanee and Krerk Piromsopa’s recent Journal article:
“How to Increase Cybersecurity Awareness,” ISACA Journal, volume 2, 2019.
Organizations have diverse understandings of what digital security is and is not. As a consequence, they wrestle with who is responsible and who is accountable for digital security. This further complicates the question of whether the chief information security officer (CISO) position ought to be considered and instituted. CISO positions and responsibilities are greatly unsettled because digital security crosses many aspects of enterprise transactions, which makes it questionable whether boundaries can even be placed on the responsibilities of the role.
Do organizations expect the CISO to be a technology wizard, business savvy or a hybrid of both? Do organizations expect the CISO to be the responsible and accountable person in securing the computing environment and informational assets in the enterprise? Should the CISO be part of the executive team, or should the role be confined within the IT group?
Digital security creates a dilemma within the executive team when it comes to defining the CISO role. Several key gaps can be identified between what senior management may want or expect from the cybersecurity function and how far-reaching the responsibility of the CISO role ought to be, and it is important to understand how to bridge and mitigate those gaps.
The CISO can be involved in a wide spectrum of responsibilities depending on the organization’s size and/or the lens the executive team looks through for digital security.
In my recent Journal article, I identified several gaps in how CISO professionals perceive their role and the experience expected of them. The following are a few critical gaps:
- Gap 1: Should the CISO transform from having technical focus to a business focus?
- Gap 2: To whom should the CISO report?
- Gap 3: How does the CISO justify a digital security portfolio?
- Gap 4: Do organizations fully understand digital security functions?
- Gap 5: Is the CISO an IT function?
- Gap 6: Do the cloud and mobility present challenges?
Since the CISO position is being promoted to report higher in the organization chart, greater emphasis is being placed on the CISO role and the expected skill level of those filling it. The CISO’s skill set has moved from technical implementer of technology to business focus and the ability to oversee digital security as a vital business unit, justify its relevance and demonstrate its return on investment to the enterprise’s bottom line.
Additionally, enterprises are evolving to become risk-based organizations. This requires transformation of the enterprise culture to a risk-based culture, where digital security is the responsibility of all the employees of the enterprise.
Such cultural transformation has, however, put greater pressure on the CISO to be a trusted advisor who operates as the integrator of the enterprise business units and a relationship builder. Digital security is becoming the bridge that integrates the enterprise’s products and services with its business functions.
Read Robert Putrus’ recent Journal article:
“The Role of the CISO and the Digital Security Landscape,” ISACA Journal, volume 2, 2019.
According to the Ponemon Institute/Accenture Ninth Annual Cost of Cybercrime Study, the number of cyberattacks each enterprise has seen has increased, and these incidents take more time to resolve while the cost of cybercrime continues to rise. In the last year, the report notes, there have been many stealthy, sophisticated and targeted cyberattacks against public and private sector organizations. Combined with the expanding threat landscape, organizations are seeing a steady rise in the number of security breaches—from 130 in 2017 to 145 in 2018. Indeed, there has been a 67% increase in the number of security breaches in the last 5 years.
At the same time, ISACA’s State of Cybersecurity 2019 Report—Current Trends in Workforce Development notes that technically proficient cybersecurity professionals continue to be in short supply and difficult to find. This fact is compounded when coupled with the realization that the greatest skill needed in the field is business acumen. Currently, the most-prized hire in a cybersecurity team is a technically proficient individual who also understands business operations and how cybersecurity fits into the greater needs of the enterprise.
So, what can be done? In my opinion, we in the audit profession need to step up. We have the required business skills, but we need to develop complementary cybersecurity auditing skills. I discuss how to perform a cybersecurity audit including the tools, training and resources that ISACA has made available in my recent ISACA® Journal column, “Auditing Cybersecurity.”
Read Ian Cooke’s recent Journal article:
“IS Audit Basics: Auditing Cybersecurity,” ISACA Journal, volume 2, 2019.
As a follow-up to our recent ISACA Journal article, “NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk,” we wanted to provide some additional thoughts on the password dictionary concept. As our article suggests, organizations should place appropriate controls around establishing and maintaining the password dictionary. Under the passphrase approach advocated by the latest US National Institute of Standards and Technology (NIST) guidelines, the dictionary (blocklist) replaces composition rules as the primary tool for rejecting weak, predictable or compromised authentication credentials. As such, it is integral to ensuring secure access to IT resources.
When initially establishing the password dictionary, it can be difficult to build a comprehensive and highly effective dictionary from scratch. Enterprises should remember:
- Open-source lists of bad and commonly used passwords are publicly available and may provide a sound starting point. Commercial services have spent considerable time and resources researching and compiling password dictionaries and may be worth the investment.
- Implementing a standard dictionary alone is not enough, because it would not include prohibitions specific to the organization and its context. Involve organization leaders and/or interested users in contributing names and terms associated with the organization, its brand image, close affiliations, products, lines of business and people. Be sure to block known (or suspected) compromised credentials, and consider using the dictionary to block employee-specific information (such as names and usernames) as well. Comparisons should be made against a normalized form of the candidate password (case-folded, trailing digits removed, common character substitutions undone); otherwise users will simply capitalize a letter or append a digit to get a blocked word past the list.
It is important to note that a password dictionary should not be considered a “one-shot and done” task. Organizations and the environment they operate in are dynamic, and the password dictionary will become obsolete over time. Organizations should consider the following:
- Regularly refresh the standard dictionary as lists of bad and commonly used passwords evolve. Customized dictionaries of prohibited words and phrases need to be reevaluated, augmented, and updated periodically.
- If a breach occurs (or is suspected), the password dictionary should be quickly updated to prevent the potential use of compromised phrases.
Maintenance of the dictionary should become a routine and continuous process for the organization. Establish an appropriate owner of the dictionary maintenance process (for example, a leader in the IT security or compliance functions), and put controls in place to ensure periodic and ad-hoc maintenance of the dictionary. In highly sensitive applications, consider a periodic independent audit of the dictionary and its use. The organization needs assurance that the effectiveness and robustness of the dictionary does not erode over time.
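The checks described above (a standard list, organization-specific terms, employee-specific information and known-compromised credentials) can be combined in one verifier-side routine. The following is an added example in that spirit, not code from the article or from NIST; the common-password list, the organization terms (a hypothetical “Acme”), the user attributes and the “compromised” samples are all constructed for illustration, and the compromised corpus is represented by SHA-1 digests, the form in which breach lists are commonly distributed.

```python
"""Added example (not from the article): a password-dictionary check in
the spirit of NIST SP 800-63B section 5.1.1.2.  Word lists, organization
terms and "compromised" samples below are constructed for illustration."""
import hashlib
import re

# Undo the substitutions users reach for when a word is blocked, so that
# "P@ssw0rd2019!" is still caught by the entry "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Casefold, drop trailing digits/symbols, then map leet characters."""
    return re.sub(r"[^a-z]+$", "", pw.casefold()).translate(LEET)


def sha1_hex(pw: str) -> str:
    """Breach corpora are commonly distributed as upper-case SHA-1 digests."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


class PasswordDictionary:
    def __init__(self, common, org_terms, compromised_sha1):
        # Keep both raw and normalized forms: "123456" normalizes to "".
        self.common = {p.casefold() for p in common}
        self.common |= {normalize(p) for p in common} - {""}
        self.org_terms = [normalize(t) for t in org_terms]
        self.compromised = {h.upper() for h in compromised_sha1}

    def check(self, password: str, user_attrs=()) -> list:
        """Return the reasons a password is rejected; an empty list means accepted."""
        reasons = []
        raw, norm = password.casefold(), normalize(password)
        if len(password) < 8:            # NIST minimum for memorized secrets
            reasons.append("shorter than 8 characters")
        if raw in self.common or (norm and norm in self.common):
            reasons.append("on common-password list")
        for t in self.org_terms:         # brand, products, affiliations
            if len(t) >= 4 and t in norm:
                reasons.append(f"contains organization term '{t}'")
        for a in user_attrs:             # names, username, employee ID
            an = normalize(a)
            if len(an) >= 3 and an in norm:
                reasons.append(f"contains user attribute '{a}'")
        if sha1_hex(password) in self.compromised:
            reasons.append("found in compromised-credential corpus")
        if len(set(raw)) < 3:            # "aaaaaaaa", "abababab"
            reasons.append("fewer than 3 distinct characters")
        return reasons


def build_sample_dictionary() -> PasswordDictionary:
    """Constructed lists standing in for a real blocklist and breach corpus."""
    common = ["password", "123456", "qwerty", "welcome", "letmein", "iloveyou"]
    org_terms = ["Acme", "Roadrunner"]   # hypothetical organization and product
    # In production only the digests are held; plaintext is shown for clarity.
    compromised = {sha1_hex(p) for p in ["correct horse battery staple", "Tr0ub4dor&3"]}
    return PasswordDictionary(common, org_terms, compromised)


if __name__ == "__main__":
    d = build_sample_dictionary()
    attrs = ("jsmith", "John", "Smith")  # constructed user attributes
    for pw in ["P@ssw0rd2019!", "JohnSmith2019!", "Acme-Roadrunner-42",
               "correct horse battery staple", "Ph0sphorus-Lantern-Quay"]:
        print(f"{pw!r}: {d.check(pw, user_attrs=attrs) or 'accepted'}")
```

Note that the passphrase “correct horse battery staple” is rejected not because it is weak in form but because it appears in the (constructed) compromised set; in a real deployment that check is made against a breach corpus, typically by querying on a hash prefix so the full digest never leaves the verifier. The lists themselves are data, and keeping them current is exactly the maintenance process the text assigns an owner to.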
Read Bachman Fulmer, Melissa Walters and Bill Arnold’s recent Journal article:
“NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk,” ISACA Journal, volume 1, 2019.
In the wake of the high-profile information security breaches that have made headlines over the past few years, leaders in the security field have been coaching organizations to make 2 fundamental changes in the way they have traditionally handled breaches. First, instead of focusing solely on impenetrability, organizations should accept that breaches are going to happen and place greater focus on detection and management. Second, organizations should be prompt and transparent when it comes to notifying impacted stakeholders about the impact of a breach instead of, well, doing the opposite.
These 2 pieces of organization-level advice can, and should, also be applied to individuals in the context of security awareness training, which was the topic of our recent Journal article.
In a 2017 blog post for NS Tech, Steven J. Murdoch and Angela Sasse write, “Companies often tell employees not to click on links or open attachments in suspicious emails. The problem with this advice is that…for many employees their job consists almost entirely of opening attachments from strangers, and clicking on links in emails. Even a moderately well targeted phishing email will almost certainly succeed in getting some employees to click on it.”
From a training perspective, of course organizations should educate their employees to help them avoid risky behaviors that could threaten security. But organizations should also reassure their employees that they understand that employees cannot do their jobs without encountering some type of security risk. Assuring employees that the organization expects them to encounter threats sooner or later empowers employees to take the appropriate action when that time comes.
Read Randy Pierson, Kevin Alvero, and Wade Cassels’ recent Journal article:
“A Heightened Sense of Awareness: What the Internal Auditor Should Know About Information Security Awareness Training,” ISACA Journal, volume 6, 2018.
The cyberworkforce gap is well documented. When we look at it from a macro level, it seems straightforward. Studies show between 1 million and 3 million job openings over the next few years that will go unfilled for lack of talent. As schools pump out new cyber grads and push them into the workforce, our prayers are answered, right?
When we look closer at the problem, we see how woefully inadequate the macro view really is. The uncomfortable truth is this: We cannot close that gap by throwing bodies at it. The speed of change in the cyberarena means that new skill gaps are created daily, even on established cyberteams. In other words, every day our teams are not learning and applying new skills, they are a little less prepared for what may come at them.
This perspective shifts the arms race from buying the most talented cyberstaff to creating programs and cultures that foster development, teamwork, and a focus on continuous and persistent learning.
Success in such an environment requires a level of discipline many organizations are not used to. But something must change if we, as an industry, want to overcome the challenges in front of us. Here are just a few of the key strategies to prepare a cyberteam to be mission-ready at all times:
- Today’s tech workers are looking for growth opportunities, but this does not always mean moving into management. Mapping the roles within the team and the skills and capabilities required for each position gives a clear picture of what individuals need to develop to get ahead, both technically and professionally.
- With knowledge, skills and abilities defined, arm your teams with consistent development opportunities so the staff have adequate training to achieve peak performance. The training must be highly relevant to both the organizational environment and to the threats facing the organization.
- Put the skills to the test with cyberchallenges that push the limits of what the team can do. It is better to challenge cyberteams to respond to threats simulated on your own terms than to expect them to fend off a real attack without firsthand experience.
- Recruit for those who have a lifetime love of learning, a passion for the industry and belief in what they are defending. The technical skills can be learned and honed, but passion cannot be taught.
Discipline around workforce development can be daunting, but those who embrace a culture of learning and growth will outperform in recruiting, retention and, ultimately, performance against the threats to come.
Read Philip Casesa’s recent Journal article:
“Growing a Cybersecurity Career: Five Questions for the Next Job Interview,” ISACA Journal, volume 6, 2018.