Cyber risk, information security, privacy and compliance services to business thought leaders.
17 May 2019

Managing Third-Party IoT Cybersecurity Risks

Adam Stone, CPO, VP Consulting Services
May 16th, 2019

Managing Third-Party IoT Cybersecurity Risks

Lessons-Learned from Shared Assessments/Ponemon Institute’s Survey Results

The Ponemon Institute recently published the results of its Third Annual Study on Third Party IoT Risks(sponsored by Shared Assessments) and the results will surprise few security leaders already grappling with the explosion of third-party Internet-connected devices on their networks. As the cost of deploying IoT (Internet-of-Things) drops and fresh ideas for monetizing these Internet-connected devices emerge in the marketplace, businesses of all sizes are reaching out to third-party specialists for solutions. Business executives are drawn to the promise of IoTas the answer to business problems ranging from manufacturing efficienciesand improved logistics, to attracting new audiences and providing more personalization for consumers.

Naturally, there are downsides to this apparent panacea. Most profoundly, cybersecurity experts are having a difficult time keeping up with the chaotic pace of change and the new risks IoT introduces to organizations. Exacerbating the challenge is a persistent culture – among IoT vendors – that prioritizes speed-to-market over reliability and sustainability. This is merely the latest iteration of a technology development attitude that treats security as too costly and a hinderance to innovation and convenience.

Customers of IoT (both businesses and individuals) also contribute to the insecurity of these internet-connected devices. Users expect these nascent technologies to have reliable cybersecurity built-in but are unwilling to pay the premium necessary to encourage semiconductor (and related) manufacturers to do so. Thus, with few market or regulatory incentives to adopt cybersecurity-by-design into IoT solutions, manufacturers appear to accept certain security risksassociated with IoT. This in turn puts the onus on customers to mitigate against the security risks of IoT devices in their networks.

The 2019 Ponemon study emphasizes the fact that organizations suffer from significant blind spots when addressing IoT-related risks. According to the survey data, firms struggle to understand:

  • the extent of IoT-related cyberattacks, data breaches and service disruptions;
  • whether their existing safeguards address IoT-specific threats and vulnerabilities;
  • who is accountable for IoT risks and security failures;
  • how to conduct an effective IoT-focused risk assessment;
  • how to improve third-party service provider risk management policies and processes;
  • how to train the workforce on IoT-related security risks; and
  • what sorts of in-house expertise is required to mitigate IoT-related risks.

The results of this latest research validate what many security leaders already know: IoT is the latest challenge in the never-ending race to manage the pace of change in the business environment. There are no easy solutions to the cybersecurity risks that emerge from increased reliance on third-party vendors to develop and maintain IoT technologies on behalf of corporate clients. As with any major disruptive event, security leaders need to forcefully communicate the strategic importance of managing third-party risks to obtain executive support and budget for new security initiatives focused on controlling the runaway expansion of IoT in the business environment.

 

About the Author

Adam Stone is Vice President of Consulting Services and Chief Privacy Officer for Minneapolis-based Secure Digital Solutions, Inc.(SDS). Our firm helps firms of all sizes efficiently navigate the complexities of today’s security and privacy challenges. Our seasoned professionals provide the leadership, support and guidance necessary to develop sustainable cybersecurity programs aligned to your business mission and objectives. For information about how your organization can develop a winning strategy for managing third-party security risks, contact us at (952) 544-0234 or info@trustsds.com.

18 Oct 2017

Creating a Health and Fitness Plan for Cyber Security

October 18th, 2017
Ed Snodgrass, CISO, Secure Digital Solutions
This article was originally posted on Forbes .

Virtually everyone wants to be healthier. Good health and fitness provide a multitude of benefits. Better quality of life, increased energy, sharper mental focus and lower risk of malady are but a few. But it takes work to enjoy the benefits. A four-hour marathoner won’t suddenly become a three-hour marathoner simply by acquiring the newest running shoe. It takes planning, discipline and execution, and there are countless obstacles lurking to derail you in your attainment of your goal — both known and unknown.

Ironically, this scenario also applies to an organization’s information security program. A mature and effective program empowers staff, allows for more effective enablement of the business, increases threat awareness and response, and lowers the risk of negative front-page exposure. However, like the marathoner example, simply purchasing the latest security technology won’t guarantee good security health and fitness. It takes the same planning, discipline and execution, as well as the same willingness and ability to overcome obstacles.

Here are eight steps to create an effective information security protocol in the form of a health and fitness plan:

Take inventory. Regardless of where you want to be, a good fitness plan starts with where you are today and an honest assessment of current capabilities. Perhaps it’s a body fat measurement or a VO2 test. A mile time or a max bench press. An evaluation of eating and sleeping habits. Whatever the assessment type, diligence and candor are critical. The same goes for the state of a security program. What are the program’s current capabilities, its level of expertise, the usable technologies available today? Honesty is the key. If a security program’s third-party management capability may not be where it should be, then it’s a baseline of current capability.

Set goals. This could be anything from dropping a few pounds to completing a full Ironman. Goals should be multifaceted. Along with determining the desired outcome brings the analysis of what it will take to get there based on the results of the initial inventory. Shaving an hour off a marathon time, for instance, will require a training plan with a schedule and a certain level of effort. So too will reducing vulnerabilities in a company’s critical infrastructure, lowering the time to respond to a security incident and complying with the newest data privacy regulations. Determining what an organization needs to accomplish from a security perspective should be the focus.

Execute. The fitness plan may call for a 1,000-meter swim on Monday, but there’s an errand to run, a call to make or it’s simply been a long day. There are countless roadblocks that could derail a detailed plan, and some truly can’t be avoided. However, most can. It’s oftentimes an attractive proposition to get security “quick wins” by acquiring a new tool or by making a short-term change in direction. In some cases, these actions are mandatory. But not in most. Plan the work and, more importantly, work the plan. It’s consistency that produces results.

Monitor progress. This is straightforward. As the work on a plan progresses, health and fitness increase as demonstrated by the metrics. Mile times get better, pounds come off and performance improves. Similarly, success on the security front will bring progress, too. The clusters on the risk heat map transition from red to yellow to green, malware infections decrease, code quality gets better, significant compliance deficiencies are remediated, etc.

Adjust. At this point, there should be enough data to track alignment to goals. For a triathlete, it may be time to adjust the cycling schedule because that appears to be the weakest area — more hill training or longer distances. Some areas in the security plan may need adjustment as well. Perhaps risk management is improving and with it, security’s visibility of an enterprise. Because of this, more focus may be required on data loss prevention, for example, to reach security performance milestones.

Accomplish the first goal. Run the first 10k, shoot the first sub-90 round of golf, drop the first five pounds. For a security program, it may be achieving compliance, reduction of significant risk in an area or reducing online fraud by a certain percentage.  Whatever the first goal is — accomplish it.

Celebrate. Enjoy the fruits of labor and appreciate all who contributed.

Repeat.

11 Aug 2017

Ransomware Makes News But Is Not New

This article was originally posted on CSO Online

August 11th, 2017
By Ed Snodgrass, CISO

Photo Credit: Michael Kan

Chances are you’ve seen a similar image over the past several months.  Either on internal systems (hopefully not) or within the countless blogs, news stories and industry journals that bombard us every day with ominous warnings and dire consequences.  It is, of course, ransomware. And while it (and media coverage of it) has dominated the cybersecurity world for the last several years, it’s not new.  Also, not new are the fundamental security building-blocks necessary to mitigate its impact or the fact that it represents a cyber risk.

What does seem new is the incredible amount of singular focus on these incidents around the ‘cyber watercooler’ that drowned out the broader discussion of the underlying principles comprising a solid cyber security program.  In addition, the tenor of the cyber risk discussion has seemingly changed as well, from an enterprise-level conversation to a single-point conversation.  Neither of these trends are positive.

The first significant ransomware instance occurred in 1989.  It was coined the AIDS trojan and was released on 5.25” floppy disk.  Similar to today’s modus operandi, it attempted to extort currency from victims by encrypting their hard drive and demanding payment for decryption.  It was ultimately unsuccessful due to several factors, despite the lack of security in place at the time, but set a precedent with regard to criminal motivation and intent.  As most companies had yet to adopt personal computing and the internet was still in its infancy – used primarily by academia and scientists – the risk and potential of malware wasn’t well understood or communicated.

Throughout the 90’s the use of personal computing and the internet grew exponentially along with the creation of standardized operating systems and associated applications.  The adoption of personal computers and enterprise-level functionality increased within corporations as well, becoming the table stakes necessary to keep up with an increasingly connected marketplace.

It was during this time that a need emerged for organizations to create processes to manage and maintain their technology stack along with the need to hire internal [or external] experts to manage and refine those processes.  Building blocks emerged that formed the basis for how IT and cybersecurity is run today.  Identity and access management, anti-virus, firewalls, enterprise email, instant messaging, VPN, cryptography – all were developed rapidly during the technology boom of the 1990s.  While security was becoming more relevant and the notion of IT security risk was beginning to emerge, the major focus from an IT risk perspective centered primarily on availability and emerging IT processes reflected the focus on that aspect.

The late 1990s (and early 2000s) brought with them a new development in cybercrime.  The first significant uses of malware for financial gain began to manifest themselves within online banking applications. As waves of consumers adopted the convenience of managing their money without having to leave home or work, the criminal acquisition of credentials became both highly sought-after and increasingly more profitable.  The ability to transfer funds internationally had also advanced significantly, allowing cybercriminals to exploit this threat vector quickly and without a high likelihood of being apprehended.  As a result, the concept of cyber risk truly began to take shape.  Losses could now be measured in hard numbers that directly affected an organization’s bottom line and the realization emerged that steps had to be taken to address these new threats.

Financial institutions and regulators responded to this realization by producing several significant requirements designed to directly address IT security and cyber risk.  GLBA, SOX, NIST and BASEL, to name a few, all intended to provide some semblance of best practice requirements while allowing institutions flexibility to implement the requirements in alignment with business goals.  While this didn’t specifically address the malware threat, it did begin to form the basic building blocks of a sound security program, complete with increasing consequences for not adopting some form of security process.

The mid-2000s and early 2010s brought the first ‘modern’ ransomware and the precursors to today’s crypto-ransomware.  Gpcoder, Winlock and so-called Police ransomware utilized a ‘locker’ approach, requiring victims to pay a fee to unlock files or perform some money-generating action to remove malicious functionality.  Police ransomware (locking the peripherals and displaying a warning screen from a supposed law enforcement agency) began to show the emerging effectiveness of social engineering.  In many cases, the user’s IP address was displayed, the screens were generated in a victim’s native language and a local or regional law enforcement logo was used, adding perceived legitimacy to the attack.  While these early variants were impactful, they were easily mitigated (compared to today’s efforts) due to their weak encryption and relatively basic infection methods.

Standards continued to emerge and evolve simultaneously to address these threats.   In 2004, for example, the 5 largest payment card brands combined their individual security requirements into the PCI DSS, establishing 12 standards sections for accomplishing 6 objectives.  While opinions vary on the effectiveness and necessity of the PCI DSS, many of the key requirements and processes in the standard outlined ways to address the threats.  Encryption standards, network segmentation, vulnerability management, file integrity monitoring, training and awareness, perimeter security, etc., all could be applied in varying degrees of strength and effectiveness throughout the corporate infrastructure (not only within the cardholder data environment) to make organizations more secure.

Today’s modern ransomware emerged in 2013 and has been dominant since.  Crypto-ransomware and its progressively more automated infection methods are straightforward and effective, encrypting the victim’s files using strong encryption and demanding payment using various means – most frequently today, cyber currency.  Recovery from these outbreaks is much more difficult and some organizations have had to resort to reformatting their entire hard drive population to remove the infection.

This standard and threat progression has produced two additional trends.  First, it made security more challenging to design and implement.  Transforming enterprise architecture, for example, from a flat network to a segmented network and creating processes to deploy, manage and maintain encryption keys, were not small efforts.  They required focus on people, process and technology to be effective.

Secondly, as security became more complex, effective enterprise implementation required knowledge, awareness and support from the business units within the organization.   Security leaders who recognized this, and could demonstrate and communicate the necessity of security being a critical part of doing business, typically received the funding and support required to build world-class programs.

The moral of the story is that, while there’s no such thing as 100 percent secure, the processes, tools and expertise to combat the threat has been around almost as long as the threat itself.  The two most recent outbreaks – WannaCry and Petya, for instance, likely could have been greatly minimized or potentially avoided altogether by focusing on the fundamentals.  The fixes were there well in advance of the outbreaks.  It simply took awareness and execution to address them before something bad happened.

No one can predict the future.  There will be bona fide threats that emerge without warning that the industry will have to collaborate on to address.  In the meantime, let’s cut through the ‘noise’, recognize today’s (ransomware) threats for what they are and how they compromise the organizations we’re responsible for protecting.  Let’s focus on ensuring the foundational building blocks are in place (patching, backups, vulnerability management, etc.) and be as ready as we can be to respond to future security news that’s new.

13 May 2017

Hiring a Security Rockstar

May 13th, 2017

Secure Digital Solutions CISO, Ed Snodgrass,recently had the privilege of writing for Forbes Technology Council. The title of the piece is “Looking To Sign A Security Rock Star? Money Isn’t Everything“. A summary of the article is given here with the full article located on Forbes.

What follows is a high-level summary of original article posted on Forbes.com May 3rd, 2017:

There’s a cybersecurity talent war going on. Skilled resources are in high demand, and the competition for them is fierce. Big companies pay big money to attract and retain talent, potentially leaving small to mid-size organizations in a tough spot to compete on those grounds alone. In summary

Give them a path forward:. You brought them in for what you need today. Work with them to build a plan for what you’ll need tomorrow. Discuss career aspirations, help them build an individual roadmap based on goals and milestones, and support it. Your people will know they have a challenging and rewarding future ahead. It’s mutually beneficial.

Share the company’s mission and strategy: Knowing how security and their specific role supports the company’s overall mission provides context and creates ownership in the organization’s success. The role they’re currently in may not be glamorous, but it’s critical and they know that.

Support continuing education and networking: Give them time to get that new security certification. The knowledge they’re gaining will make them smarter, and your company will be better off for it. Security conferences are important, too. Security pros need to stay up to date with the latest threats and the latest countermeasures showcased at these events. Yes, they go to network, too, but that’s not necessarily a terrible thing. After all, if they’re happy working for your company and others see that, perhaps a respected and talented colleague will want to be happy working for your company as well.

Respect and acknowledge their expertise: Security professionals are paranoid — and that’s a good thing. When they come in with a discovery or a suggestion (read: “We absolutely have to do this”), make sure you listen. Discuss it.  Weigh pros and cons, and ultimately, if your decision isn’t the course of action recommended, they’ll know why. They’ll know their council was valid and they’ll respect it.

Be real: Engaging in candid discussions about professional development is critical. The pros will take your constructive feedback as a personal challenge to better themselves rather than petty criticism — but only if you’re open to their constructive feedback as well. At the end of the day, they know you call the plays and they respect that.

Recognize their achievements: Security can be a thankless job because “no news is good news.” Much of the demanding work it takes to protect a company goes on behind the scenes and in windowless rooms. Appreciate what they do, and they’ll appreciate it, too.

If they want to leave, help them leave: That doesn’t mean push them out the door; it means set them up for success in their next role. Know what their new opportunity is offering them and why. Talk about the things they’ve learned and their professional growth as a member of your organization and thank them for being a part of the team. Despite the substantial number of security practitioners out there, it’s a small community. With so many open positions available, security pros can pick and choose where they go, and security culture is just as important as compensation. Build a great culture, and you’ll be amazed by the results.

11 Apr 2017

Quest for Excellence in Cybersecurity Management

April 10th, 2017
Adam Stone, Principal, Secure Digital Solutions

Baldrige’s recently-published framework raises the bar for information security leaders by tying cybersecurity program management to performance excellence.

The Baldrige Performance Excellence Program, the venerable organization behind the national award for Performance Excellence® and quality for U.S. firms, released the final version of the Baldrige Cybersecurity Excellence Builder v1.0 (BCEB) self-assessment tool following their annual summit last week in Baltimore. Initiated in response to Executive Order 13636, the BCEB blends two NIST products (the Cybersecurity Framework and the Baldrige Excellence Framework) into a single assessment methodology. The goal of the BCEB is to help security leaders assess the effectiveness of their approach to cybersecurity, as determined by the unique needs, goals, and capabilities of their firm. Organized by seven categories (leadership, strategy, customers, measurement, operations, customers, and results), the BCEB uses process maturity as the key metric for communicating the strengths and weaknesses of an organization’s cybersecurity program.

Process Maturity: The New Standard for Cybersecurity Performance Excellence

The maturity-focused cybersecurity management approach is a paradigm shift that threatens the deeply-entrenched risk- and compliance-focused assessments familiar to most in the industry. We have observed disagreement among security professionals about the what the word maturity actually represents. Some use the word to describe the effectiveness of security controls, while others use maturity to understand their firms’ ability to minimize cyber risk. Authoritative bodies, such as the Federal Financial Institutions Examination Council (FFIEC), appear to be adding to the confusion by blending the notion of process maturity with risk preparedness in the Cybersecurity Assessment Tool. In the end however, the FFIEC approach, along with similar assessment tools, still focus on more traditional controls-based risk management instead of performance excellence and quality.

What is often missed in traditional risk and compliance assessments is a clear understanding of the value that cybersecurity provides to the business. When security leaders communicate in the language of compliance or risk (two inherently negative topics), they miss the opportunity to demonstrate to executives the ways in which mature cybersecurity processes can help enable business growth and sustainability. An emphasis on business enablement – expressed as a function of performance excellence and quality – is what sets the BCEB apart from the traditional cybersecurity assessment tools.

Cybersecurity risk traditionalists will be pleased to know that we do not suggest that process maturity metrics replace established risk formulations. Quite the opposite! We need to understand risk in order to set clear goals and effectively respond to the ever-changing threat landscape for their firms. When communicating the value of cybersecurity to executives however, security leaders will likely find that the BCEB tool kit provides a better picture of the organization’s capacity to identify opportunities and leverage the benefits of effective cybersecurity management.

For Secure Digital Solutions (SDS), the emergence of the Baldrige Cybersecurity Excellence Builder validates the power of the cybersecurity assessment methodology embedded in our TrustMAPP® platform. Both the BCEB and TrustMAPP use process maturity to express the degree to which an organization achieves consistent quality and performance excellence. With clear alignment to the firm’s mission, values and objectives, TrustMAPP helps security leaders bridge the gap between security operations (risk focused) and process maturity (business focused).

To learn more on how cloud-based TrustMAPP® can help you maximize the benefits of the Baldrige Cybersecurity Excellence Builder, ask for your free trial today.

TrustMAPP® is a registered trademark of Secure Digital Solutions, LLC. All rights reserved.

BALDRIGE EXCELLENCE FRAMEWORK™ is a trademark, and BALDRIGE PERFORMANCE EXCELLENCE PROGRAM and Design®, MALCOLM BALDRIGE NATIONAL QUALITY AWARD®, and PERFORMANCE EXCELLENCE® are federally registered trademarks, of the U.S. Department of Commerce, National Institute of Standards and Technology.

27 Oct 2015

Controls Are for Auditors

An Information Management Approach

By: Chad Boeckmann, CISSP, CISA (CEO, Secure Digital Solutions)

Consider this approach to information security: Controls are for auditors; processes are for managers. As someone who has for nearly two decades provided guidance to help companies improve their information security, I’ve concluded the typical industry approach to information security (focusing on controls) is too narrow.

Often, tools are purchased as a reaction to the latest threat or worse, a socially cool trend. To truly operationalize security, information security practitioners, particularly leaders (CISO’s), must focus on how to manage the security program, both data security and cyber security, based on performance of processes. Let’s take the following excerpt described by IIA:

The Institute of Internal Auditors (IIA) defines control, the control environment, and control processes as follows:

A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control processes are the policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level an organization is willing to accept. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance that the organization will achieve its objectives.

So how can you actually begin to measure your security program and operationalize performance based on process? First there are many controls that can be harmonized into processes. You might be thinking, “There are too many processes to manage effectively. Controls are easier.” I would challenge any security program, in most use cases, to identify more than 40 processes that need to be managed to align with regulatory and internal or external policy objectives for information security. Yes, this includes regulations such as GDPR, HIPAA, PCI DSS, FFIEC and frameworks like ISO27001/2 and NIST CSF.

Many of the regulatory controls and framework controls overlap considerably. To use a golf analogy, if we raise our eyes from the rough outlining the fairway, we can see the ball and pin clearly. Taking an industry recognized IT Management and Governance framework like COBIT and marrying it with a set of consolidated processes, your life as a CISO or information security practitioner becomes easier. Easier because you have the ability to align the organization’s objectives (the pin) with metrics related to the process (the fairway) to get the ball to the pin.

This is why we’ve automated this process with TrustMAPP. This is part 1 of a 2-part blog post. In the next entry I’ll discuss how to go about measuring process level performance to align with frameworks and regulations in a simplified but meaningful way.