Secure Digital Solutions, LLC
11 Apr 2017

Quest for Excellence in Cybersecurity Management

April 10th, 2017
Adam Stone, Principal, Secure Digital Solutions

Baldrige’s recently-published framework raises the bar for information security leaders by tying cybersecurity program management to performance excellence.

The Baldrige Performance Excellence Program, the venerable organization behind the national award for Performance Excellence® and quality for U.S. firms, released the final version of the Baldrige Cybersecurity Excellence Builder v1.0 (BCEB) self-assessment tool following their annual summit last week in Baltimore. Initiated in response to Executive Order 13636, the BCEB blends two NIST products (the Cybersecurity Framework and the Baldrige Excellence Framework) into a single assessment methodology. The goal of the BCEB is to help security leaders assess the effectiveness of their approach to cybersecurity, as determined by the unique needs, goals, and capabilities of their firm. Organized by seven categories (leadership, strategy, customers, measurement, workforce, operations, and results), the BCEB uses process maturity as the key metric for communicating the strengths and weaknesses of an organization’s cybersecurity program.

Process Maturity: The New Standard for Cybersecurity Performance Excellence

The maturity-focused approach to cybersecurity management is a paradigm shift that threatens the deeply entrenched risk- and compliance-focused assessments familiar to most in the industry. We have observed disagreement among security professionals about what the word maturity actually represents. Some use it to describe the effectiveness of security controls, while others use maturity to understand their firm’s ability to minimize cyber risk. Authoritative bodies, such as the Federal Financial Institutions Examination Council (FFIEC), appear to be adding to the confusion by blending the notion of process maturity with risk preparedness in their Cybersecurity Assessment Tool. In the end, however, the FFIEC approach, along with similar assessment tools, still focuses on traditional controls-based risk management instead of performance excellence and quality.

What is often missed in traditional risk and compliance assessments is a clear understanding of the value that cybersecurity provides to the business. When security leaders communicate in the language of compliance or risk (two inherently negative topics), they miss the opportunity to demonstrate to executives the ways in which mature cybersecurity processes can help enable business growth and sustainability. An emphasis on business enablement – expressed as a function of performance excellence and quality – is what sets the BCEB apart from the traditional cybersecurity assessment tools.

Cybersecurity risk traditionalists will be pleased to know that we do not suggest that process maturity metrics replace established risk formulations. Quite the opposite! Security leaders need to understand risk in order to set clear goals and respond effectively to the ever-changing threat landscape facing their firms. When communicating the value of cybersecurity to executives, however, security leaders will likely find that the BCEB tool kit provides a better picture of the organization’s capacity to identify opportunities and leverage the benefits of effective cybersecurity management.

For Secure Digital Solutions (SDS), the emergence of the Baldrige Cybersecurity Excellence Builder validates the power of the cybersecurity assessment methodology embedded in our TrustMAPP® platform. Both the BCEB and TrustMAPP use process maturity to express the degree to which an organization achieves consistent quality and performance excellence. With clear alignment to the firm’s mission, values and objectives, TrustMAPP helps security leaders bridge the gap between security operations (risk focused) and process maturity (business focused).

To learn more on how cloud-based TrustMAPP® can help you maximize the benefits of the Baldrige Cybersecurity Excellence Builder, ask for your free trial today.

TrustMAPP® is a registered trademark of Secure Digital Solutions, LLC. All rights reserved.

BALDRIGE EXCELLENCE FRAMEWORK™ is a trademark, and BALDRIGE PERFORMANCE EXCELLENCE PROGRAM and Design®, MALCOLM BALDRIGE NATIONAL QUALITY AWARD®, and PERFORMANCE EXCELLENCE® are federally registered trademarks, of the U.S. Department of Commerce, National Institute of Standards and Technology.

19 Oct 2016

Cyber Security Services Catalog Enables Strategy

October 19th, 2016
Mike Edlund, Solutions Manager

Creating a Security Services Catalog for a larger security team begins to drive value across the business. A security service catalog enables strategy by clearly articulating to the business customer the type of services the security team provides and the level of service and responsible parties for each area identified.

Customer Request

A customer asked Secure Digital Solutions (SDS) to develop security plans and procedures so that it could manage its information security program consistently. SDS collaborated with the security team to document and improve the current and desired security activities and plans. Our security consulting client had two challenges:

  • Procedures and plans to deliver the security program activities were not formally documented, leading to poorly-defined program actions and responsibilities.
  • Roles and responsibilities defined in newly minted procedures and plans were not aligned with the team set up to do these activities.

The customer engaged SDS to develop, in a collaborative setting, cyber security plans and procedures for the cyber security program and the team members who support it. Along the way, SDS discovered a gap in roles and responsibilities that led to a further, unexpected benefit for the security program.

SDS Solution

Over a period of months, SDS partnered with customer security leadership to define desired security program procedures and plans. The documents included a number of areas such as threat and vulnerability management, training and awareness, risk management as well as policy and standards management.

SDS began creating a number of documents that laid out areas within the security program. Plans defining how these areas would be strategically delivered were designed and offered to the security team and leadership for feedback, input and iteration until they reached final draft status. The SDS team developed the content by drawing on both industry best practice and the actual approach taken by the customer’s security team.

Plans and procedures included sections defining roles and responsibilities: who is responsible for delivering each security program process and the related service levels. SDS also noted that the absence of formal responsibilities for the security team was leading to more firefighting and less strategic, planned activity. This conversation and discovery identified the need to coalesce security team processes into a centralized service catalog.

Consulting with the customer’s security team led to the creation of a services catalog that defined the required activities and assigned team personnel to them. As a result, not only did the security team have a clear understanding of priorities and responsibilities, but business customers also understood the scope of the internal security services team. Business teams now understand how to engage and whom to speak with regarding various projects and customer engagements.

Impact on the Client’s Business

Along the way, leadership of the security team changed. The security catalog took on a whole new meaning with a surprising additional benefit. With the catalog’s estimates for FTEs required for duties to properly cover the entire security program, the new security leadership leveraged the security service catalog as the means to forecast and request additional resources to executive stakeholders.

With the change in security program leadership, the plans and procedures also offered insights and a standard approach from which the new leadership could understand how the program is managed.

18 Jul 2016

Steps to Take Following Approval of EU Privacy Shield

Adam Stone, Privacy Officer
July 17th, 2016

 


After political wrangling and delays, the US Department of Commerce announced the adoption of the EU-US Privacy Shield framework on July 12, 2016. For data privacy professionals serving organizations that conduct business in the European Economic Area (EEA), this announcement is an important one. The Safe Harbor inadequacy decision handed down by the European Court of Justice in late 2015 sent many US organizations – reliant on the venerable Safe Harbor self-certification program to attest adequate protections for cross-border data flows – into a mild panic. Privacy leaders were left with few attractive options to fill the vacuum left by the inadequacy decision.

Now that the Privacy Shield program is active, many are eager to assess their privacy programs in preparation for the August 1 registration opening. Though the process for Privacy Shield self-certification is similar to Safe Harbor, registrants will find a more robust set of requirements to meet based on a slightly revised set of guiding principles:

Privacy Shield (New Framework)            Safe Harbor (Old Framework)
Notice                                    Notice
Choice                                    Choice
Accountability for Onward Transfer        Onward Transfer
Security                                  Security
Data Integrity and Purpose Limitation     Data Integrity
Access                                    Access
Recourse, Enforcement and Liability       Enforcement

How can Secure Digital Solutions (SDS) help you?

Organizations planning to self-certify to the Privacy Shield framework (and take advantage of the grace period for early registrants) can benefit from an objective, third-party review of their data privacy programs. Secure Digital Solutions offers seasoned, IAPP-certified privacy professionals ready to provide effective and cost-efficient program assessments. SDS’ professionals guide privacy leaders with the data needed to make strategic decisions and operationalize privacy controls and processes.

Short on in-house data privacy experts? Contact SDS today to learn about our CPO-for-hire program. We provide executive-level data privacy resources at a fraction of the cost of retaining a large consulting or law firm.

09 Jun 2016

Breaking Down Barriers to Effective Information Security

June 9, 2016
By Mike Edlund, CISM

A recent survey* conducted by PricewaterhouseCoopers (PwC) asked 9600 C-level leaders about obstacles to effective cybersecurity. The barriers identified in PwC’s study include:

  • Insufficient funding for capital expenditures
  • Lack of or ineffective CEO leadership
  • Absence or shortage of in-house technical expertise
  • Insufficient funding for operating expenditures
  • Lack of an effective information security strategy
  • Lack of an actionable cybersecurity vision or understanding
  • Lack of or ineffective CIO leadership
  • Poorly integrated or overly complex information/IT systems
  • Lack of or ineffective Security Chief (CISO or others) leadership

PwC found that different C-level executives sometimes have diverging views on how strong a barrier is. For example, one item, Absence or shortage of in-house technical expertise, was viewed as a stronger obstacle by CEOs and CIOs than by CFOs.

Let’s look at breaking down these barriers – we’ll group some to address collectively.

  • Lack of an effective information security strategy
  • Lack of an actionable cybersecurity vision or understanding

We’ve found that having a common language to discuss and create strategy and vision for cybersecurity or information security at the company’s executive levels breaks down these barriers. For all C-level and senior leadership, conduct strategy sessions that revolve around the information security processes and use the process lens just like the rest of the business looks at its operations. Looking at how well processes are running (as-is) and how they can be improved (to-be) will let all parties assist with and provide input on good strategy and goal setting, just like the rest of the business. Looking at information security processes from this perspective lets information security become and be understood as a business enabler, not the classic department of “No!” from the past.

  • Lack of or ineffective CEO leadership
  • Lack of or ineffective CIO leadership
  • Lack of or ineffective Security Chief (CISO or others) leadership

Using the common language approach above (viewing cybersecurity through the process lens) should give all three leaders a shared language and understanding. When each has a common understanding of information security and its strategy, and a language through which to view it, leadership begins speaking the same language and addressing the most important decisions collectively.

  • Insufficient funding for capital expenditures
  • Insufficient funding for operating expenditures

Conducting a risk assessment, compliance assessment and capability assessment, performed by competent internal or external parties, provides the supporting information for investment decisions. Regardless of whether results and gaps are viewed through a risk, compliance or capability lens, prioritized gaps or findings should capture the funding needed for new technology, new staff efforts or ongoing efforts; this helps C-level leadership understand the need for information security investments. A strong review during an assessment, whether conducted internally or by a third party, should include findings that state the costs of addressing information security program gaps.

  • Absence or shortage of in-house technical expertise

A solid team capability assessment will review cybersecurity team member responsibilities and roles as part of any of the assessments mentioned previously (risk, compliance or process-based). Findings will help leadership understand where the cybersecurity program’s needs are not being met by its people. As mentioned above, solid assessment results should provide funding estimates for additional training or personnel to meet the developing or ongoing requirements of the security program, and a review of cybersecurity expertise, whether conducted internally or by a third party, should include findings that state the costs of addressing personnel gaps.

  • Poorly integrated or overly complex information/IT systems

This barrier may require review from several perspectives to reduce complexity or improve integration. Integration may be improved through the approach above, using process as a common language between cybersecurity and the C-level; understanding of what is needed between information security and the business should improve as a result. Further review through risk, compliance or process-based assessment should tease out issues around this barrier. A risk assessment may find that poorly integrated systems show frequent downtime or failures, increasing risk due to unavailability of systems. A compliance assessment may find that poor sharing of compliance-specific information between systems, or high costs of complying with a regulation due to system complexity, show where improvements are needed.

To break down these barriers for your information security program, look at what SDS’ Maturity Assessment, Profile, and Plan (MAPP) approach can provide for you.

*Survey: http://www.pwc.com/us/en/view/issue-15/cybersecurity-business-priority.html

16 May 2016

How much information security is enough?

By Chad Boeckmann & Adam Stone
May 16th, 2016

Let’s talk about benchmarking. It’s a question our team receives from clients both large and small. When discussing our information security-focused MAPP methodology and our TrustMAPP (formerly, Accliviti) platform, our clients (and their board members) want to know how they stack up, maturity-wise, to their peers. The common belief among this audience is that benchmarking data will help answer the question “how much information security is enough?”

This approach makes sense at a certain level; knowing how mature your organization’s security program is relative to your peers seems, on its face, to suggest that you are meeting (or not meeting) the standard defined by your industry. Like many statistics, however, context plays an important role in deciphering benchmarking data. And it probably wouldn’t surprise the reader that without the benefit of context, the value of benchmark data diminishes. This is especially true for a topic such as information security program maturity.

How much information security is enough? When do we find confidence that the organization has invested the right amount of time and resources to reasonably safeguard our information assets? Fair questions. Based on our experience over the last ten years, knowing your maturity benchmark provides an incomplete answer. The reason is simple: each organization is different. The diversity of organizational cultures and risk appetites within a given industry – even in highly-regulated sectors – virtually guarantees that the results of a maturity assessment will yield an interpretation unique to the organization under review.

Looking at this from a practical view, consider Bank A and Bank B (organization size doesn’t matter in this case). Let’s say that Bank A conducted an assessment that yielded an average information security program maturity score of 3 (out of a scale of 1 Low – 5 High). Bank B underwent a similar assessment that returned a score of 3.75. Benchmarking one against the other, it appears that Bank B is more mature than Bank A. Does this mean that Bank A needs to invest into security more to catch up to Bank B?

Not necessarily. Though these two scores provide some information about the effectiveness of each organization’s information security program, the scores provide little insight into the culture and capacity that drives process maturity. This leads us to the core question: does knowing the maturity of your peers provide meaningful, actionable information that a security leader can leverage? Our answer is a resounding “maybe.”

We recommend that companies look inward rather than outward. Instead of focusing on the comparison of your security maturity to your peers, consider a more introspective approach. What are your company’s security program maturity goals? What drives these goals? How does your organization’s culture affect your ability to achieve them? What does it mean to score a maturity level of 3 versus 4 or 2?

Since many organizations have yet to conduct an information security program maturity assessment, we suggest that you use the results of your first assessment to set a baseline for your organization. Communicate the baseline to your executives and board members. Ask this audience to draw a line in the sand based, of course, on an understanding of organizational culture and capacity. Work to improve information security program maturity based on the goals defined by these key stakeholders. In doing so, security leaders will find that, despite constantly shifting business priorities, focusing on your own maturity goals will produce far greater dividends than worrying about your peers’ security maturity.

To learn more about information security program maturity, you can request a copy of our popular white paper on MAPP (Maturity Assessment, Profile and Plan).

 

02 May 2016

Process Maturity Assessments for Information Security

Adam Stone, CISSP, CIPP, HCISPP, CHPS
May 2, 2016

Over the past few weeks, SDS received lots of positive feedback from a recent post, Elevate Cybersecurity Communication to Improve Executive Understanding. What we took away from responses to this and a related post is that there is great interest in unifying and elevating the security discussion by shifting the focus to business processes. It is important to note that process maturity assessments for information security are unique in outcome and value. Not surprisingly, there is still confusion about the differences between an information security process maturity assessment and the other types of security assessments traditionally employed (namely, risk-, controls- and compliance-focused assessments). We can empathize. Measuring and communicating process maturity is a relatively new approach that is picking up steam across business sectors. It will take time for the industry to understand, adopt and operationalize it. That said, business leaders should understand that each information security assessment type has its own unique objectives, goals and benefits. The simple table below highlights these differences:

 

Assessment Type: Audit
  Objectives: Comply with prevailing reporting requirements.
  Goals: Seek evidence that an organization implements and adheres to its internal policies and controls.
  Benefits: Provide assurances by aligning business practices with internal policies and controls requirements.

Assessment Type: Compliance Assessment
  Objectives: Comply with prevailing legal and regulatory obligations.
  Goals: Seek evidence that an organization implements and adheres to its legal and regulatory obligations.
  Benefits: Reduce exposure by aligning business practices with compliance requirements.

Assessment Type: Risk Assessment
  Objectives: Manage risk to an acceptable level.
  Goals: Identify and prioritize risks based on an analysis of threats, vulnerabilities and mitigating controls factored against the likelihood that a threat actor will exploit a given vulnerability.
  Benefits: Enable organizations to predict and prepare security defenses for future loss events.

Assessment Type: Maturity Assessment
  Objectives: Manage organizational culture to improve effectiveness.
  Goals: Measure the capacity to effectively and efficiently manage an information security program.
  Benefits: Enable organizations to improve security-related business processes by motivating a culture of security throughout.

 

Of these four assessment approaches, only the process maturity approach explicitly aims to elevate the language of information security by recognizing that organizational culture (enabled by people, processes and tools) plays a significant role in the lasting success of an information security program. Through the lens of culture, the maturity assessment identifies, quantifies and recommends strategies to raise the organization’s capacity to “get security done” in a manner that emphasizes process efficiency and effectiveness. Unlike the other assessment types (which sometimes view security in a vacuum), the maturity assessment emphasizes the fact that security is a critical business function that exists to help companies grow revenue and minimize costs.

Now before you risk and compliance assessment purists pick up your pitchforks, let’s be clear: we are not suggesting that maturity assessments replace commonly-employed information security assessments. In fact, we believe that the results of maturity assessments complement and inform audits, compliance and risk assessments…and vice versa. At the end of the day, the assessment approach you use depends on the folks who will consume the results and recommendations. If you anticipate that this audience will be senior executives and the board, using the language of process maturity will improve the force and clarity of your message.

Secure Digital Solutions’ TrustMAPP™ platform, powered by our MAPP™ methodology, uses a process maturity assessment approach for information security to give organizations a clear understanding of their security posture. This posture is expressed in maturity levels, including trending analysis, planning (resource hours) and budgeting (capital costs), with built-in support for multiple security frameworks and regulations. With Accliviti’s SaaS delivery model, scoring, tracking improvements and communicating performance of a cybersecurity program happens in weeks, instead of months, using built-in analytics. Accliviti helps security leaders create and communicate a strategic roadmap to guide the organization’s security activities.

By leveraging the best-practice MAPP model (Maturity Assessment, Profile, and Plan) using an automated tool like TrustMAPP, security leaders can now focus more time and interactions towards security strategy and advisor roles for the business.

11 Apr 2016

Elevate Cybersecurity Communication to Improve Executive Understanding

By Adam Stone, Secure Digital Solutions
April 11, 2016

A few weeks ago, my colleague, Tennelle Anderson, argued the need for a common language that explains cybersecurity issues in a clear, consistent manner. The thrust of Anderson’s post is that business leaders hear different narratives about the state of cybersecurity depending on who is delivering the message. Ask an auditor about security and the response often focuses on controls. A corporate lawyer may communicate security in terms of compliance. Invite a security professional’s view about the state of security and the answer is often couched in risk mitigation. It is time we begin to Elevate Cybersecurity Communication to Improve Executive Understanding.

Not surprisingly, top managers are confused. According to a recent CNBC report, “more than 90 percent of corporate executives said they cannot read a cybersecurity report” and as a result, “are not prepared to handle a major attack.” Ouch.

As we can see, the real problem facing today’s cybersecurity leaders is less about blocking and tackling security threats and more about successfully communicating program effectiveness (without overselling) to the folks that matter. Without a clear understanding of the value security brings to the business, the natural reaction of executives and board members is to gloss over the issue or worse, underinvest in the security function.

There are new methodologies and solutions rising to the cybersecurity communications challenge. Of these, measuring and communicating cybersecurity issues in terms of process maturity is gaining the most traction. Distinct from the outputs of audits, compliance reviews and risk assessments, focusing on process maturity provides a new narrative, describing in measurable terms an organization’s capacity to effectively and efficiently manage the myriad business processes that comprise a cybersecurity program. Process maturity enables organizations to think strategically about cybersecurity challenges by elevating the discussion beyond controls-based management.

Secure Digital Solutions’ Accliviti™ tool, powered by our MAPP™ methodology, empowers organizations with a clear picture of security posture based on maturity levels, including trending analysis, planning and budgeting, and built-in support for multiple security frameworks and regulations. With Accliviti’s SaaS delivery model, scoring, tracking improvements and communicating performance of a cybersecurity program happens in weeks, instead of months, using built-in analytics. Accliviti helps security leaders create and communicate a strategic roadmap to guide the organization’s security activities.

By leveraging the best-practice MAPP model (Maturity Assessment, Profile, and Plan) using an automated tool like Accliviti, security leaders can now focus more time and interactions towards security strategy and advisor roles for the business.

30 Mar 2016

Five Takeaways to save your Healthcare Organization $1.5M

By Chad Boeckmann, Secure Digital Solutions
March 29th, 2016

The recent outcome at North Memorial Healthcare in Minneapolis, MN should be a stark reminder to all companies of the importance of secure and practical end-point provisioning processes.

Let’s take a look at what just occurred with the North Memorial Healthcare case [1]. North Memorial Healthcare was recently fined $1.5M because a third-party consultant lost a laptop provisioned by North Memorial that contained Protected Health Information (PHI) on an unencrypted hard drive. So what went wrong?

Lessons Learned from North Memorial Healthcare

First, there are five best practices that we can use as key takeaways from this million-dollar lesson.

  1. Ensure all third parties accessing any electronic system have a Business Associate Agreement in place. In the case of North Memorial Healthcare, according to federal regulators this did not occur between North Memorial Healthcare and Accretive, the third party who lost the assigned laptop. A Business Associate Agreement is a requirement of the HIPAA Final Rule.
  2. Only redistribute end-point devices to others after first wiping the hard disk of any existing or residual data. In many instances, particularly in healthcare, IT teams are short-staffed, have not been trained and have not taken the time to assess all processes supporting asset distribution and asset management. To ensure HIPAA compliance and the security of PHI, it is an industry best practice to wipe all end-point devices before provisioning them to another person or entity.
  3. Encrypt the hard drive. With the numerous data breaches, it seems as though everyone understands the importance of encryption, yet there is still a disconnect between principle and practice.
  4. Restrict PHI from leaving the protected network. This includes any endpoint that has the ability to leave the building. Sound unreasonable? If you think so, then you may want to assess the current processes that allow PHI to be saved to hard drives, mobile devices and the like. By keeping PHI off devices that leave the protected environment, you reduce the opportunity for data theft and compromise, and thus substantially decrease the risk of a data loss event.
  5. Assess third-party risk today. Vendor risk assessments are an increasing trend and something few organizations even considered performing five years ago. The pressure to adopt online medical record systems introduces a higher-than-normal acceptance of risk during this season of change, as new processes are created and new users are trained. A major component of these changes is engaging with third parties at an exponential rate compared with historical levels of third-party vendors in healthcare. Introducing additional vendors to the mixture automatically requires a look at the risk landscape. How many U.S.-based data breaches in the past five years are the result of third-party relationships? Too many. Reduce risk and be vigilant with third-party risk assessments.

 

Combatting Data Loss

Over the last several years, and as a result of the Affordable Care Act, healthcare has been under immense change. These changes have primarily taken the form of reduced margins (competitive pricing models) and large investment in new technology (Electronic Medical Record systems). The pressure to change (or adapt) introduces a higher-than-normal acceptance of risk during this season of change. In addition, we now have PHI in electronic format and everyone wants to pursue the golden arrow of the perfect report, drafting new business intelligence through multiple database queries to harvest information about the patient community and create trending reports for the Chief Medical Officer. Wait: did anyone consider security or privacy (access control, encryption of data in transit and at rest, storage of PHI reports on endpoints, etc.) as an integral design requirement of this new business intelligence capability? I’m simply raising the challenges that those of you in the healthcare space know all too well and are constantly chasing as a result of the introduction of EMRs. I’ll revert back to my simple rule: prevent PHI from leaving the premises (your controlled environment) to truly manage the security and privacy of the data. Many solutions are available to implement this type of control and monitoring. Other healthcare organizations have taken exactly this approach and so far have been successful at keeping their name off the front page of the latest news post.

 

Summary

There are two key items to note about this example given to us by North Memorial Healthcare. Had the laptop employed full disk encryption, this incident would not have turned into a data loss event. And had the laptop not contained PHI, the stolen laptop would not have made a headline in the Business Journal or prompted this blog post.

Learn more about assessing current IT and business processes and the security of those processes by reading about the MAPP methodology here.

 

1 http://www.bizjournals.com/twincities/morning_roundup/2016/03/lost-laptop-costs-north-memorial-health-care-1-5.html?ana=RSS&s=article_search

 

14 Mar 2016

Incident Response – Minimize Damage from Ransomware

By: Corey Tower, Information Security Consultant, CISM, CPPM

Malware is like fashion – almost everything you are dealing with today or what seems popular was likely “popular” only a short time ago. Humans have very short memories regarding malware much as they have short memories of fashion.

Ransomware is what Vogue or GQ would call “currently in style” or “Winter 2016’s Hot New Look!” Both older and newer ransomware families such as CryptoWall and .Locky are very dangerous malware that you absolutely do not want to deal with. What is interesting about most of this malware is that it is nothing more than a phishing attempt carrying a document with an embedded macro. Talk about revolutionary stuff, no? Yet most companies still struggle against these attacks.

Less than 10% of malware is detected by signature-based defenses. Monitoring and awareness have become more and more critical to stopping criminals from succeeding. But there is a psychological aspect you just can’t plan for.

Jane from accounting is tired. It’s 7:45 am, her newborn was up all night, the coffee hasn’t kicked in, invoices are late and she really doesn’t want to be there in the first place. An email finally arrives with the invoice she has been expecting and – “wait – what’s going on? What’s encrypted??? Who did this email come from? Oh no….”

Prepare a response and recovery plan.

The Clock Starts

A client of mine recently experienced something similar to Jane, as did many more people around the globe, with the recent wave of the .Locky ransomware. Here is how we kept a bad day from turning catastrophic.

  1. Awareness. The individual who was hit with .Locky had the presence of mind to report it immediately. For anyone who isn’t familiar with .Locky, it has the capability to spread through any authorized shared network drive, even if the drive is not mapped to a drive letter. The key word is any. A shared drive does not need to be mapped on the host for .Locky to infect it. So if your defense is “ah, they don’t even know they have access!!”, think twice.
  2. Containment. Because the incident was reported quickly, tech-ops was able to contain the incident before it spread to five additional network drives. Five! Cleaning ransomware off a desktop is usually a small task, especially if the information is backed up. Losing five network drives that may not be backed up would be catastrophic.
  3. Communicate. It is critical to notify your workforce of a present, real attack on the company. It can be the difference between dealing with one case of .Locky or dealing with six or ten. Awareness is always your most affordable, practical, effective control for your weakest link: Humans.
  4. Ensure. .Locky’s encryption spreads fast and is very intelligent. Once the malware is discovered and contained, search the network for further damage or any other sign of the malware. Depending on the situation, you may want a forensics expert to take a look to ensure there was no data loss.
  5. Deescalate. Take yourself off Red Alert mode. Inform your team and outside audience that the situation is contained. Take a walk, enjoy a break, take lunch and most importantly tell those who deserve it “Good Job”.
  6. Lessons Learned. The next day, talk about how you got into the mess, how you got out, and how it could have been prevented in the first place. Establish policy and procedure to prevent it from happening again. People should be rewarded for preventing problems first, solving problems second. Again, malware is like fashion. Ensure the next time ransomware is popular that you made the proper adjustments to prevent another incident.

 

Questions to Ask Today

Are your shared network drives designed around least privilege?

Can anyone open a document with macros?

What non-signature based detections have you enabled?

Is your workforce aware that they should not open just any attachment?

Is your workforce aware that a spoofed email can pose as a legitimate source?

Would a workforce member know who to contact and feel safe reporting an incident?
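The “non-signature based detection” question above is worth making concrete. The following is an added example (not code from the original post or from Secure Digital Solutions) of one such heuristic: it reads constructed file-server audit lines and flags any account that renames many files to a single new extension within a short window, the mass-encryption pattern that let .Locky reach several network drives in the story above. The log format, account names, shares and thresholds are all assumptions of mine.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-server audit lines (not real data), one event per line:
# "<ISO time> <account> <share> <action> [<old path> -> <new path>]"
SAMPLE_EVENTS = """\
2016-03-14T07:46:01 jane finance RENAME q1/inv001.xlsx -> q1/inv001.xlsx.locky
2016-03-14T07:46:02 jane finance RENAME q1/inv002.xlsx -> q1/inv002.xlsx.locky
2016-03-14T07:46:02 bob hr READ policies/handbook.docx
2016-03-14T07:46:03 jane finance RENAME q1/inv003.xlsx -> q1/inv003.xlsx.locky
2016-03-14T07:46:05 jane hr RENAME reviews/2015.docx -> reviews/2015.docx.locky
2016-03-14T07:46:06 jane hr RENAME reviews/2016.docx -> reviews/2016.docx.locky
2016-03-14T09:10:00 bob hr RENAME drafts/old.docx -> drafts/old.bak
2016-03-14T09:30:00 bob hr RENAME drafts/old2.docx -> drafts/old2.bak
"""

WINDOW = timedelta(seconds=60)  # burst window; tune per environment (assumed value)
THRESHOLD = 5                   # renames to one new extension inside the window


def parse_events(text):
    """Return sorted (time, account, share, new_extension) tuples for RENAME events."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[3] != "RENAME":
            continue  # reads and writes are ignored by this heuristic
        new_path = parts[-1]
        ext = new_path.rsplit(".", 1)[-1].lower() if "." in new_path else ""
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], ext))
    return sorted(events)


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Map each account that mass-renames files to one extension to an alert record."""
    # A person renames a few files with assorted extensions; an encrypting process
    # renames many files to the same new extension within seconds, often across shares.
    per_account = defaultdict(list)
    for ts, account, share, ext in events:
        per_account[account].append((ts, share, ext))
    alerts = {}
    for account, items in per_account.items():
        for i, (ts, _share, ext) in enumerate(items):
            recent = [(t, s) for t, s, e in items[: i + 1] if e == ext and ts - t <= window]
            if len(recent) >= threshold:
                alerts[account] = {"extension": ext, "count": len(recent),
                                   "shares": sorted({s for _, s in recent}),
                                   "first_seen": recent[0][0].isoformat()}
                break  # one alert per account is enough to start containment
    return alerts
```

The alert names the shares already touched, which is the list the containment step in the story needs first; the two slow, unrelated `.bak` renames by the second account stay below the threshold.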

 

Conducting Tabletop Exercises

If your team has not yet conducted an incident response tabletop exercise, I highly suggest coordinating this activity. At Secure Digital Solutions we work with teams to kickstart these exercises, from endpoint compromise scenarios to full data breach response activities. The amount of knowledge team members take away can be astounding; new knowledge about how the business operates is often uncovered for individuals who are not always involved with various aspects of business processes. To learn more, visit our tabletop exercise page at Incident Response Tabletop Exercise Services.

 

15 Nov 2015

Processes Are for Managers

A Holistic Approach to Information Security

By Chad Boeckmann, CISA, CISSP (CEO, Secure Digital Solutions)

In my previous blog, “Controls are for Auditors,” I wrote about how we as security leaders need to move away from managing security controls in the weeds like an auditor. This article describes a better “processes are for managers” approach. It aims to align security management with the business in order to communicate and manage information security effectively.

CISOs are tasked with achieving challenging outcomes and also need to communicate the state of their progress, the state of the information security program, to other executives and the board of directors. We speak with CISOs from Fortune 500 companies and many mid-market companies. They are all challenged with the same dilemma: presenting effectively to an audience that does not necessarily understand the complexities of information security.

To address this challenge, consider looking at the information security program as a business process. Frameworks and legal or industry data protection requirements often overlap, and these requirements can be combined to establish a core process as a requirement of the security program. For example, ISO27002, the HIPAA Security Rule and GLBA all require Access Control. If we look at access control for a moment:

[Figure: Processes Are For Managers]

Let’s say we want to measure the process called Access Control. Access Control Management is a requirement of many data protection laws and is also highlighted in both ISO27001 and the NIST Cyber Security Framework. Instead of managing control verbiage from a regulation or framework, we can measure the effectiveness of Access Control Management generally from a process perspective, but do so specifically using maturity attributes from COBIT. So for Access Control Management we want to understand the level of performance of this process across the six major attributes described in COBIT 4.1, using a standard maturity scale of 1 through 5.

  1. What is our level of maturity of Awareness for Access Control Management across our environment?
  2. What is our level of maturity for Policy & Procedures for Access Control Management across our environment?
  3. What is our level of maturity of Expertise for Access Control Management across our environment?
  4. What is our level of maturity of Accountability for Access Control Management across our environment?
  5. What is our level of maturity of Automation for Access Control Management across our environment?
  6. What is our level of maturity of Measurability for Access Control Management across our environment?

If the business is performing well in Awareness, Policy and Procedures, and Accountability (relative to the process in question), then focus can be applied to improving the process towards Automation (tools) and Metrics for Access Control Management. This approach provides a much more holistic method for repeatedly understanding the attributes of a control process that applies to internal policies and external regulations.
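To show what the six-attribute scoring above looks like as data rather than as a diagram, here is an added example (my own illustration, not code from the post or from Accliviti). It records constructed 1-through-5 scores per process, derives an improvement plan ordered weakest-attribute-first, and reports which requirement sources depend on a process that falls below target. Two assumptions are mine: a process’s reported maturity is capped by its weakest attribute, and the framework-to-process mapping only extends the post’s Access Control example.

```python
# Added example, not from the post. Assumptions: reported process maturity equals its
# weakest attribute, and the REQUIREMENTS mapping is illustrative, not a complete map.
ATTRIBUTES = ("Awareness", "Policy & Procedures", "Expertise",
              "Accountability", "Automation", "Measurability")

# Constructed scores on the COBIT 4.1 attributes (1-5), not a real assessment.
ASSESSMENT = {
    "Access Control Management": {
        "Awareness": 4, "Policy & Procedures": 4, "Expertise": 3,
        "Accountability": 4, "Automation": 2, "Measurability": 2},
    "Incident Response": {
        "Awareness": 3, "Policy & Procedures": 2, "Expertise": 3,
        "Accountability": 2, "Automation": 2, "Measurability": 1},
}

# Requirement sources that demand each process (the post names the first three for
# Access Control; the Incident Response entries are my illustrative assumption).
REQUIREMENTS = {
    "ISO27002": ["Access Control Management", "Incident Response"],
    "HIPAA Security Rule": ["Access Control Management", "Incident Response"],
    "GLBA": ["Access Control Management"],
}


def validate(scores):
    """Reject a process record missing an attribute or using an out-of-range score."""
    missing = [a for a in ATTRIBUTES if a not in scores]
    bad = [a for a in ATTRIBUTES if a in scores and not 1 <= scores[a] <= 5]
    if missing or bad:
        raise ValueError(f"missing={missing} out_of_range={bad}")


def process_maturity(scores):
    """Reported maturity is capped by the weakest attribute (assumption, see above)."""
    validate(scores)
    return min(scores[a] for a in ATTRIBUTES)


def improvement_plan(assessment, target=3):
    """Per process, the attributes below target, weakest first, to focus resources."""
    plan = {}
    for process, scores in assessment.items():
        validate(scores)
        gaps = sorted((scores[a], a) for a in ATTRIBUTES if scores[a] < target)
        plan[process] = [a for _, a in gaps]
    return plan


def exposed_requirements(assessment, target=3):
    """Requirement sources relying on a process whose maturity is below target."""
    weak = {p for p, s in assessment.items() if process_maturity(s) < target}
    return sorted(src for src, procs in REQUIREMENTS.items() if weak & set(procs))
```

With these constructed scores the plan for Access Control Management is exactly the post’s conclusion (Automation, then Measurability), and raising the target from 2 to 3 shows GLBA joining the list of affected requirement sources.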

This is how to create alignment with the business while still meeting control objectives and focusing resources on the areas of greatest impact. Let your internal and external auditors measure the effectiveness of the controls in place; you will know the answer before the audit starts by measuring and improving upon the attributes of each process. Therefore we can leave controls to auditors and adopt a “processes for managers” approach to manage security programs. To see this methodology in action, take a look at a 2-minute video demonstrating Accliviti, a platform we developed to holistically manage information security.