Cyber risk, information security, privacy and compliance services to business thought leaders.
14 Mar 2016

Incident Response – Minimize Damage from Ransomware

By: Corey Tower, Information Security Consultant, CISM, CPPM

Malware is like fashion – almost everything you are dealing with today or what seems popular was likely “popular” only a short time ago. Humans have very short memories regarding malware much as they have short memories of fashion.

Ransomware is what Vogue or GQ would call “currently in style” or “Winter 2016’s Hot New Look!” Both old and new ransomware such as CryptoWall and .Locky are very dangerous malware that you absolutely do not want to deal with. What is interesting about most of these families is that they are nothing more than a phishing attempt carrying a macro-embedded payload. Talk about revolutionary stuff here, no? Yet most companies still struggle against these attacks.

Less than 10% of malware is detected by signature-based defenses. Monitoring and awareness have become more and more critical to stopping criminals from being successful. But there is a psychological aspect you just can’t plan for.

Jane from accounting is tired. It’s 7:45 am, her newborn was up all night, the coffee hasn’t kicked in, invoices are late and she really doesn’t want to be there in the first place. An email finally arrives with the invoice she has been expecting and – “wait – what’s going on? What’s encrypted??? Who’d this email come from? Oh no….”

Prepare a response and recovery plan.

The Clock Starts

A client of mine recently experienced something similar to Jane, as did many other people around the globe when the .Locky ransomware hit. Here is how we kept a bad day from turning catastrophic.

  1. Awareness. The individual who was hit with .Locky had the presence of mind to report it immediately. For anyone who isn’t familiar with .Locky, it has the capability to spread through any shared network drive the infected account is authorized to access, even if the drive is not mapped to a drive letter. The key word is any. A shared drive does not need to be mapped to the host for .Locky to infect it. So if your defense is “ah, they don’t even know they have access!!” think twice.
  2. Containment. Because the incident was reported quickly, tech-ops was able to contain the incident before it spread to five additional network drives. Five! Cleaning ransomware off a single desktop is usually a small task, especially if the information is backed up. Losing five network drives that may not be backed up would be catastrophic.
  3. Communicate. It is critical to notify your workforce of a present, real attack on the company. It can be the difference between dealing with one case of .Locky or dealing with six or ten. Awareness is always your most affordable, practical, effective control for your weakest link: Humans.
  4. Ensure. .Locky’s encryption spreads fast and is very intelligent. Once the malware is discovered and contained, search the network for further damage or any other sign of the malware. Depending on the situation, you may want a forensics expert to take a look to ensure there has been no data loss.
  5. Deescalate. Take yourself off Red Alert mode. Inform your team and outside audience that the situation is contained. Take a walk, enjoy a break, take lunch and most importantly tell those who deserve it “Good Job”.
  6. Lessons Learned. The next day, talk about how you got into the mess, how you got out, and how it could have been prevented in the first place. Establish policy and procedure to prevent it from happening again. People should be rewarded for preventing problems first, solving problems second. Again, malware is like fashion. Ensure the next time ransomware is popular that you made the proper adjustments to prevent another incident.
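The containment and ensure steps above depend on spotting the encryption burst on a share quickly, and the post notes that signature-based defenses catch only a fraction of samples. The following added example (not code from the original post or from Secure Digital Solutions) shows one non-signature detection: a sliding window over file-server audit records that alerts when one account touches many distinct files on one share within a few seconds. The log format, the account and share names, the threshold and the window size are all constructed assumptions for the example.

```python
"""Rate-based detection of mass file modification on a network share.

A ransomware run leaves a behavioural trace that needs no signature: one
account writes, renames or deletes an unusual number of distinct files on a
share in a very short time. The alert names the account and the share so
tech-ops can decide on containment (e.g. revoking that account's share
access) before the encryption reaches further drives.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records for this example (not from any real incident).
# Format assumed: "<ISO timestamp> <user> <share> <path> <operation>".
SAMPLE_LOG = """\
2016-03-14T07:45:01 jane finance invoices/jan-001.xlsx WRITE
2016-03-14T07:45:02 jane finance invoices/jan-001.xlsx RENAME
2016-03-14T07:45:02 jane finance invoices/jan-002.xlsx RENAME
2016-03-14T07:45:03 jane finance invoices/jan-003.xlsx RENAME
2016-03-14T07:45:03 jane finance invoices/jan-004.xlsx RENAME
2016-03-14T07:45:04 jane finance invoices/jan-005.xlsx RENAME
2016-03-14T07:45:04 jane finance invoices/jan-006.xlsx RENAME
2016-03-14T07:45:05 jane finance invoices/jan-007.xlsx RENAME
2016-03-14T07:45:05 bob engineering specs/widget.docx WRITE
2016-03-14T07:50:00 bob engineering specs/widget.docx WRITE
2016-03-14T08:10:00 jane finance invoices/feb-001.xlsx WRITE
"""

# Assumed tuning values: a normal user rarely modifies this many distinct
# files on one share within ten seconds; tune per share from baseline data.
THRESHOLD = 6
WINDOW = timedelta(seconds=10)
MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}


def parse(line):
    """Split one audit record into (timestamp, user, share, path, op)."""
    ts, user, share, path, op = line.split()
    return datetime.fromisoformat(ts), user, share, path, op


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert dict per (user, share) whose modification rate
    exceeds `threshold` distinct files inside any `window` of time."""
    recent = defaultdict(deque)  # (user, share) -> deque of (ts, path)
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, share, path, op = parse(line)
        if op not in MODIFYING_OPS:  # reads never count towards the burst
            continue
        key = (user, share)
        q = recent[key]
        q.append((ts, path))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)  # one alert per account/share, not per file
            alerts.append({
                "user": user,
                "share": share,
                "first_seen": q[0][0],
                "triggered_at": ts,
                "files": len(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print("ALERT: {user} modified {files} files on share {share} "
              "between {first_seen} and {triggered_at}".format(**alert))
```

On the constructed sample this raises a single alert for jane on the finance share, triggered at 07:45:04; bob's two edits to one file and jane's later single write stay below the threshold.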


Questions to Ask Today

Are your shared network drives designed around least privileged?

Can anyone open a document with macros?

What non-signature based detections have you enabled?

Is your workforce aware to not open just any attachment?

Is your workforce aware that spoofing can occur posing as a legitimate source?

Would a workforce member know who to contact and feel safe reporting an incident?


Conducting Tabletop Exercises

If your team has not yet conducted an incident response tabletop exercise, I highly suggest coordinating this activity. At Secure Digital Solutions we work with teams to kickstart these exercises, from end-point compromise scenarios to full data breach response activities. The amount of knowledge that team members take away can be astounding; even new knowledge about how the business operates is often uncovered for individuals who are not always involved with various aspects of business processes. To learn more visit our table top exercise page at Incident Response Tabletop Exercise Services


27 Oct 2015

Controls Are for Auditors

An Information Management Approach

By: Chad Boeckmann, CISSP, CISA (CEO, Secure Digital Solutions)

Consider this approach to information security: Controls are for auditors; processes are for managers. As someone who has for nearly two decades provided guidance to help companies improve their information security, I’ve concluded the typical industry approach to information security (focusing on controls) is too narrow.

Often, tools are purchased as a reaction to the latest threat or, worse, a socially cool trend. To truly operationalize security, information security practitioners, particularly leaders (CISOs), must focus on how to manage the security program, both data security and cyber security, based on the performance of processes. Let’s take the following excerpt described by the IIA:

The Institute of Internal Auditors (IIA) defines control, the control environment, and control processes as follows:

A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control processes are the policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level an organization is willing to accept. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance that the organization will achieve its objectives.

So how can you actually begin to measure your security program and operationalize performance based on process? First there are many controls that can be harmonized into processes. You might be thinking, “There are too many processes to manage effectively. Controls are easier.” I would challenge any security program, in most use cases, to identify more than 40 processes that need to be managed to align with regulatory and internal or external policy objectives for information security. Yes, this includes regulations such as GDPR, HIPAA, PCI DSS, FFIEC and frameworks like ISO27001/2 and NIST CSF.

Many of the regulatory controls and framework controls overlap considerably. To use a golf analogy, if we raise our eyes from the rough outlining the fairway, we can see the ball and pin clearly. Taking an industry recognized IT Management and Governance framework like COBIT and marrying it with a set of consolidated processes, your life as a CISO or information security practitioner becomes easier. Easier because you have the ability to align the organization’s objectives (the pin) with metrics related to the process (the fairway) to get the ball to the pin.

This is why we’ve automated this process with TrustMAPP. This is part 1 of a 2-part blog post. In the next entry I’ll discuss how to go about measuring process level performance to align with frameworks and regulations in a simplified but meaningful way.

09 Oct 2015

Playbook for the CISO

What the COBIT Maturity Model Provides

By: Chris Cathers, Secure Digital Solutions

In this new world of cyber threats, weekly data breach news and executive stakeholder concerns we enter a phase that requires a discussion of what Information Security 2.0 should look like. With this in mind it is time to consider revising (or creating) A CISO Playbook.

In my discussions with clients across multiple industries there is one common theme: Regulatory pressures are increasing as a result of recent fraud and data breach.

It is no surprise that regulators and auditors are increasing scrutiny of information security controls. Using a control framework (e.g. NIST, ISO) as the base of recommended controls is not enough to manage information security effectively. Effective management includes understanding the maturity of the process and expertise of the people in the organization responsible for supporting the specified controls.

As an example, if DLP (a Data Loss Prevention system) is implemented to prevent extraction of confidential information, it is not enough just to have a DLP solution. You need the expertise to run the solution, the appropriate reporting and decision support in place when an alert happens, the appropriate metrics delivered to the appropriate people, and policies to support all of this. This is how a CISO can define an effective process supporting the controls.

In order to elevate information security, we suggest adding a level of measurement above just the existence of controls and risk associated with deficiencies, and measuring your program through the lens of Awareness, Policy/Procedure, Accountability, Measurability, Expertise, and Automation. As COBIT 4.1 suggests, these maturity attributes are critical to understanding the full breadth of capability within the information security processes that actually support the chosen control framework(s) and regulation(s). This approach truly provides an advantage to a CISO Playbook and allows the CISO to look at all of the parts that make up the whole instead of simply a classical audit perspective of “on” or “off” relative to whether a control is in place or not.

To learn more about how to achieve this process with significant performance and planning metrics, read more about our cloud-based platform, Accliviti.

23 Sep 2015

Seven Tips to Improve Security Audits

Achieving an Efficient, Measurable Process

By Tennelle Anderson, CISSP, CISA, CPA (Principal Security Consultant, SDS)

When I transitioned from “Internal Audit” to “Information Security” more than 10 years ago, I was immediately met with “you were an auditor, you deal with the auditors”. Once I realized no one else was going to take this disjointed and muddled (yet essential) function off my hands, I set out to turn my company’s audit scavenger hunt into an efficient and measurable process.


The most important thing I’ve learned during this experience is that all it takes is some consistency, organization, and proactive planning to eliminate your company’s audit scavenger hunt and make more effective use of your company’s resources. The following are some tips to improve security audit response.

“Where do I send this?”
The first phase of the scavenger hunt is identifying who will respond to the request for information (RFI) once it is received in-house. A lot of time is wasted as an RFI is forwarded through a series of email inboxes. And RFI completion can be further delayed if any individual is out of the office or unable to check their individual email for an extended period of time.

1. Assign responsibility for completing these requests to a designated group of individuals. Believe it or not, there is an art to completing security questionnaires, and efficiencies can be gained by having a consistent group of individuals responding to them.

2. “Funnel” all requests to these designated individuals. Using a workflow management tool or ticketing system that end users are already familiar with provides a repeatable process that users are more likely to follow. If your organization needs a simpler solution, set up a group emailbox (e.g. SecurityInformationRequests at companyname dot com) accessible from the company’s intranet that end users can use to submit RFIs.

3. Provide education to frequently impacted groups. In my experience, security information requests often come via Sales or the Customer Relationship Managers (identify your company’s equivalent groups). Knowing this, my team of “responders” gave a short presentation at each monthly Sales new hire training meeting so that when the new Sales Reps inevitably received a questionnaire or other security request from a customer or client they would be able to forward the request quickly.

“Where do I get the answers to these questions?”
Once the request is received by the person(s) who will be responding, the next phase of the scavenger hunt will begin: where to find the information requested. I’ve found it valuable to apply the 80/20 rule to this exercise.

4. Organize and store the information you gather. The majority (80%) of security RFIs are looking for the same core information. Once you’ve gathered this information you can likely re-use it for subsequent requests. Organize and store this information in a place that can be accessed by the entire group of designated responders for future use.

5. Identify “Good Names to Know”. For the other 20% of information requested (e.g. information that is extremely technical or system-specific, or changes frequently) identify “Good Names to Know” (GNTK) – these are folks you can always count on to work with you to get information quickly or can tell you where to go to find it. Early in my career I was told “these people are treasures and should be treated as such” – I wholeheartedly agree and I encourage you to establish very good working relationships with these resources once you find them.

“Where do I find the documentation I need?”
The final (and often most difficult and time-consuming) phase of the audit scavenger hunt is obtaining the necessary documentation. Oftentimes this documentation already exists and is readily available – if you know where to find it.

6. Become intimately familiar with your company’s web site. Many of the documents that are repeatedly requested can be found on your company’s intranet, such as HR policies, employee code of conduct, acceptable use policy, security policies, etc.

7. Gain access to IT’s departmental procedures. After HR and Security Policies, the most commonly requested documentation includes process documentation that is typically owned by the IT organization, such as access control processes and forms, change control processes and forms, system development lifecycle processes and forms, data destruction processes and certificates of destruction, etc. Utilize your GNTK’s to obtain detailed information such as user lists, system configurations, and other report- or screen print-based evidence on a request-by-request basis.

One caveat to consider when it comes to providing documentation: some of the information may be classified as confidential and should not be shared via insecure and uncontrollable means such as email. Discuss with your Security team or Legal Counsel if you are unsure whether certain information should be shared, especially without a non-disclosure agreement.

Conclusion
It really is this simple – implementing and consistently applying the seven recommendations I’ve outlined here is the first step to turning your company’s security audit scavenger hunt into an efficient and measurable process. If you are looking for a repeatable client security audit response, try using the SIG-Lite from Shared Assessments. We will address this approach in an upcoming blog. Stay tuned.

How Secure Digital Solutions Can Help
Information Security Audit Liaison Services (Audit Liaison) can add essential clarity and help improve security audits. From audit preparation to in-audit support to post-audit assistance with management’s response – we understand information security information requests and audits because we also perform them. We can be your coach, your buffer, and your advocate — and your staff can get back to their day jobs.

09 Jun 2015

Demonstrating Value: The ISO’s Dilemma

Security Takes People and Processes, as Much as Technology

By Chris Cathers, Director of Business Development, SDS

Value. This is the quintessential problem for information security leaders. How does one effectively measure and communicate value for a business function filled with known unknowns?

In corporate culture, functions such as accounting, sales, finance, and manufacturing have the benefit of practical, structured and deeply ingrained value propositions. Business executives are fluent in the language of these organizational functions, and understand their view and objectives. In short, these corporate divisions have little problem making their current and future contributions clear to the organization as a whole, in terms of money earned and saved.

Information security leaders get few such luxuries. Historically, business leaders do not understand what is done by IT or the controls they put in place. Demonstrating real, substantive value to executive management is often difficult, if not impossible. Part of this difficulty is our own doing as information security professionals: so many of us are just throwing point solutions at problems.

Point solutions are not enough. People, process, and technology: We need all three to achieve anything more than mediocrity.

Threats, breaches, and board involvement require organizations to take a broader look at information security beyond point solutions. For example, a recent client I was serving was asked to put in an Intrusion Detection System as part of their vendor management requirements. Putting an IDS in place without understanding the bigger picture is a recipe for failure. I understand you can “check a box” with that installation, but does it also lull you into a false sense of security? If you haven’t considered what you aim to protect, what you are going to monitor, who is going to monitor, what the reporting structure looks like, and what comprises the best escalation process, you are missing the important pieces of “people and process.”

Speaking to business decision-makers in terms they understand requires first establishing metrics and measuring your processes and solutions against the following:

  • Automation – Does the tool do what we need it to do and speed up the process?
  • Accountability – Are process owners enabled and is a clear path of escalation defined?
  • Awareness – Are the requirements fully understood and is communication defined?
  • Policy/Procedure – Does the tool integrate with other standard tool sets and enable detection?
  • Expertise – Do we have the right skillset in place?
  • Measurability – Are we tracking the appropriate metrics?

Documenting metrics around these six critical dimensions of information security maturity—and speaking in terms of impact to the business—will not only help communicate and show value; it will help protect the assets of the company more effectively through alignment. It has been said for years, “If it can’t be measured, it can’t be managed”.

Secure Digital Solutions, along with our robust assessment platform, TrustMAPP, assists you in taking this holistic view of information security. Our blueprint shows gaps not just in point solutions, but in the people, processes, and technology that make those solutions effective. In fact, you might call our approach “front-end solutions” versus “endpoint solutions.” Tied to business values like return on investment and business impact, this is the language decision-makers need to hear if our security profession is to ever achieve the credibility we need to do our jobs.

24 Jan 2015

Privacy as Process Improvement

What, Why, and Who: The Essential Questions

By Patrick Midden, CIPP, CHPC, J.D.

Some companies see complying with privacy requirements as a roadblock; a hindrance; a problem to avoid. They think privacy regulations are too onerous, or too complex, or do not apply to them. These companies sometimes take a “stick your head in the sand” approach to privacy and hope everything just works out. But successful companies are learning that a privacy program doesn’t have to be a burden; implemented effectively, a privacy program not only reduces company risk, but it can help drive process improvements.

Most privacy regulations and frameworks provide ample room for interpretation as to how to implement an effective program. Most of them, though, require at least asking some basic questions, including:

  • Why are you collecting and using personal information?
  • Do you need all of it?
  • Who should have access to it?

An effective privacy program will answer these questions and more. Answering these questions can help uncover inefficient processes. An effective program might uncover inefficiencies, such as:

  • Employees accessing sensitive information that is not needed to do their jobs.
  • Employees redundantly storing information in multiple systems without appropriate controls.
  • Employees manually updating information across multiple systems.

But how can a privacy program help improve these processes? Collecting less data means your employees will spend less time processing it. Giving employees access to the right data at the right time means they will spend less time looking for it. Storing less data requires less disk space, less archive space, and less processing time.

In addition, many employees do not take the time to understand what they are doing; instead, they just do what they were told to do by the last person to do their job. New requirements are layered on top of the old process without analysis, making the process more complicated and difficult to follow. Reviewing your procedures for privacy risks will help these employees understand what information is important, and what information is not. This review can lead to streamlining processes, cutting out steps that are no longer relevant, and optimizing the remaining steps.

Some examples of how a privacy program review could help include:

  1. An employee at Company A makes a daily back-up copy of sensitive data outside of the official back-up processes. No employee at Company A ever looks at these old files, nor needs them. This process is inefficient because Company A is paying the employee to spend time performing a function that is already controlled through a central process. The process is also inefficient because the employee is wasting company resources by redundantly storing data.
  2. Company B always includes a social security number on each customer record, even ancillary systems in which social security numbers are not relevant. Company B encrypts records containing a social security number. By removing social security numbers—and other sensitive data—from ancillary systems, such as customer satisfaction tracking systems, Company B can stop encrypting these databases, saving Company B time and money.
  3. Company C uses an inventory system that lists every patient who is waiting for medical supplies. Employees responsible for ordering these supplies can only determine what to order by logging into the primary care system and retrieving the appropriate patient records. By creating a daily report that lists all devices that need to be ordered, but not listing any patient information, the inventory staff can do their jobs more quickly, without accessing any patient information.

These are just some examples illustrating how integrating privacy program objectives into daily procedures can reduce the amount you need to spend on (1) data storage, (2) data processing, and (3) security. A thorough privacy review can even reduce the amount of time your employees spend performing their everyday tasks by helping streamline processes.

If you are interested in learning more please reach out to us at SDS.