Build Social Compliance Bridges, Not Blockades — For Your Own Sake

Nick Hayes

Compliance pros, try to recall your last interaction with your marketing peers about social media: How did it go? Was it productive? Who initiated the conversation?

If you’re like many organizations today, your answers go something like this: “Not well,” “no,” and “not me.”

Do you see a pattern? Now to be fair, marketers’ responses end up looking pretty similar. Just check out the questions my colleague Erna Alfred Liousas asked her marketing peers: Even hearing the word “compliance,” marketers shiver, sigh, or break into hives (or all three). This is the problem. Compliance turns into a roadblock, and you become the pariah vetoing valuable, brand-boosting marketing initiatives. Worse yet, the projects don’t go away; they come back and create more work, more reviews, and more wasted time and resources.

You can turn this around, and the benefits go far beyond work reduction. How? By building strong marketing partnerships and compliant initiatives early on. This allows you to:

  • Eliminate burdensome future compliance work. Social marketing initiatives that avoid compliance either result in live scenarios that put the organization at risk of costly fines or they end up on your desk at the last minute. Either way, you end up with more work. Or, you can partner with marketing at the beginning, identify compliance issues and propose suitable alternate strategies that reduce future friction.

Victim Blaming Won't Stop Global Ransomware Attacks

Jeff Pollard

The security industry has an accountability crisis. It's time to talk about it, then fix it. Whenever a massive cyber attack occurs, inevitably a chorus of voices rises to blame the victims. WannaCry on 5/12 and Petya on 6/27 yet again kicked off the familiar refrains of:

“If users didn’t click on stuff they shouldn’t….”

“If they patched they wouldn’t be down….”

“This is what happens when security isn’t a priority….”

“Now maybe someone will care about security…”

I have yet to meet a single user that clicked a malicious link intentionally – beyond security researchers and malware analysts that is. I have yet to meet anyone that delights in not patching as a badge of honor. There are great reasons not to patch, and terrible reasons not to patch. As always context and situation matter.

Except when we discover that Petya contained EternalBlue and EternalRomance, and can spread laterally via WMI and PSExec. Now our familiar refrain of blaming IT, the business, the user, is foiled. The malware author created the tool to use multiple attack vectors. Yes, patching helps, but this malware also captures credentials. So, if an organization has a single system they can’t patch for legitimate business reasons the malware can land, capture credentials, and then move laterally through the environment.

Here’s what S&R pros should take away from this:

  • Productive conversations usually don’t begin with accusations. Source: My significant other.
  • Geopolitics & cyberproliferation are emerging topics for CISOs.
  • Despite all the technical advances in the world, basic security hygiene will lead to wins.

Simplicity is a strategy that works.

Chase Cunningham

This last week I was fortunate enough to be invited out to Hollywood to participate in a large exercise for the entertainment industry focusing on cyber security planning and threat management. There were folks in attendance from a variety of organizations, all of which were very interested in just how exposed they might be to data theft. The resounding call from nearly every executive that I talked to during this event was that they were aware of how exposed they likely were, and that they were extremely worried about who would be next to have their movie or TV show leaked to the public.


Cloud Security Spending Will Grow To $3.5 Billion By 2021

Jennifer Adams

Cloud is big business today. Forrester estimates that global cloud services revenues totaled $114 billion in 2016, up from $68 billion just two years ago — that’s annual growth of 30%. And we see the public cloud services market reaching $236 billion by 2020. What does this mean for cloud security?

  • This rapid shift to the cloud raises new issues and challenges for security and risk professionals. Traditional perimeter-based security tools do little to protect cloud workloads. Securing data and applications that reside in the cloud is increasingly critical as more mission-critical apps and high-value data and intellectual property move to the cloud.
  • Cloud security solutions are quickly evolving to meet these challenges. Our recently published Forrester Data: Cloud Security Solutions Forecast, 2016 To 2021 (Global) shows that we expect spending on global cloud security solutions to reach $3.5 billion by 2021 — an annual growth rate of 28% over the next five years. In the forecast, we examine four types of cloud security solutions: cloud security gateways; centralized cloud security management; hypervisor security; and native infrastructure-as-a-service/platform-as-a-service security.


For More Cyber Operations Wins, Cheat…

Chase Cunningham

Before my last deployment (quite a while ago, thankfully) my unit was training on a variety of tactics to make us all more effective in an operational setting. That’s the long way of saying we were all getting PT'd repeatedly and learning how terrible we were at stopping the bad guys; luckily we all got better as time went on. Anyway...

One of the most valuable lessons we learned from working with the guys in some of the more “special” operational roles was that things shouldn’t be fair.

In other words, the bad guys didn’t play fair... Why should we?

How could we expect to win if we played nice and everyone else was moving with no holds barred?

I literally had a very crusty, very angry Master Chief say to me “if you ain’t cheating, you ain’t trying.”

Then we got PT'd again anyway, thanks to his acute observation of the squad’s failure to move on the threat fast enough. Hurray, push-ups. But nevertheless, his message came through (many, many push-ups later).

We got very good at cheating. We would do everything from placing sugar packets under rolling obstacles on the obstacle course so they didn't move and we could move faster, to shoving extra ammunition magazines in every conceivable spot on our persons we could find. One guy sounded like he had been eating ammo for his morning cereal, he jingled so much when he walked, but he always had rounds long after the bad guys had run out. Once we had the concept down that in an operational setting the bad guys weren’t playing fair, and neither should we, our unit started winning more and taking the heat to the bad guys. By the time we left for deployment we were very good at stacking the odds in our favor, and we continued this for the whole of our operational time.


IBM & Cisco Join Security Forces To Fight Cybercrime And The Competition

Stephanie Balaouras

I was lucky enough to be invited to IBM's 3rd annual Security Summit in NYC for about 300 of its customers. IBM used the event to showcase a new IBM and Cisco joint security initiative whereby the two will work to integrate their security solutions to better combat advanced threats. The philosophy of the partnership represents the idea that cyber defenders need to collaborate as well as cybercriminals seem to when it comes to sharing techniques and intelligence. The announcement is notable for a few reasons:

  • Two of the security industry’s largest portfolio players are teaming up. IBM and Cisco have become two of the largest portfolio players in the security industry, so most would expect the two to see each other as primary rivals rather than collaborators, particularly in the race to become the CIO's and CISO's trusted advisor in cybersecurity, a position that, in my opinion, is currently occupied by the security groups of the major management consultancies.
  • There are some areas of overlap, but the two portfolios are very complementary. The complementary nature of the portfolios makes this both a smart and safe partnership:
    • Cisco leads in network-based security solutions and advanced malware protection. This includes NGFWs, NAC, and network analysis, and they've done a great job extending their Advanced Malware Protection (AMP) capability beyond the network to endpoints, email, web security gateways, etc. Cisco has made a lot of great investments in cloud security, especially with its acquisitions of OpenDNS and CloudLock.

Prepare for Increasing Frequency of “Nation-State” Cyberattacks with Strategy, not Technology

Chase Cunningham

Let me pose a question: “Is it a bad thing to give the average person a hand grenade with the pin pulled?” I think most of us would respond to that question with an emphatic “YES!” No one in their right mind would think it's a good idea in any possible reality to allow anyone without extensive military or professional training to access an explosive, especially not one that is live and has no safety device in use. Bad things would happen, and people would probably lose their lives; at the very least, there would be damage to property. No matter what, this scenario would be a very bad thing and should NEVER happen.

OK, now let me change that question a bit: “Is it a bad thing for every person with a network connection to have access to extremely powerful nation-state-level cyber weapons?” Hopefully you would respond similarly and say “YES!”

Just as the hand grenade juggling is a problem, so is the proliferation of nation-state-level exploits. These malicious tools and frameworks have spread across the world and are presenting a very complicated problem that must be solved. Unfortunately, the solution that we've currently been offered amounts to a variety of vendors slinging solutions and tools that, without good strategy, cannot effectively combat the myriad cyber artillery shells now being weaponized against every system that touches the World Wide Web. The bad guys have now officially proven that they can “outdev” the defensive technologies in place in many instances and have shown that it's highly likely that many installed legacy technologies are wide open to these weaponized attacks (anti-virus be darned) across the planet.


Data is the perimeter, defend it that way

Chase Cunningham


Unless you have been living under a rock or possibly hiding in the mountains of Montana with a giant beard and eating way too many government-issued MREs, you probably heard about the nuclear bomb of a ransomware attack that kicked off last week. Welcome to the post-apocalypse, folks. For years, many of us in the cybersecurity industry have been jumping up and down on desks and trying to get the world (writ large) to pay attention to managing and patching outdated systems and operating systems that have been running legacy software, to no avail. Now that Pandora’s box has been opened and the bad guys have used the NSA-leaked tools as weapons platforms, all of a sudden everyone gives a dang. I caught no less than 17 talking heads on the news this morning stating that “this is the new reality” and “cybercrime is a serious threat to our way of life.” Duh; also, water is wet and fire is hot. Thank you, news.

Regardless of all the bad that is bouncing around the news and everywhere else today (and as I type this I can literally see a pew pew map on CNN that looks like a Zika virus map showing the spread of WannaCry dominating the screen behind the anchor team), the reality around this “massive hack” and “global attack” is that if folks didn’t suck at patching their systems and followed basic best practices, instead of crossing their fingers and hoping that they didn’t get hit, the “end of days malware” would be basically ineffective. The “hack” targets Windows XP systems, an old, outdated, unsupported OS that should have been pulled from use eons ago. And if the legacy system running that OS couldn’t be pulled, IT SHOULD HAVE AT LEAST BEEN PATCHED. Problem solved, or at least made manageable.


Massive Ransomware Outbreak Highlights Need For A Digital Extortion Decision Tree

Jeff Pollard

5/12/2017 might be another day of cyber-infamy based on malware, as hospitals and critical infrastructure providers are locked out of their machines due to what appears to be a new variant of ransomware dubbed WannaCry spreading through corporate networks. Like the ransomware outbreaks in mid-2016 here in the US, NHS hospitals are experiencing patient care issues as a result of the malware, with some shut down completely as of 11:37 AM Eastern time.

Early analysis indicates the malware spreads via SMB protocol, possibly using a vulnerability published by Microsoft on March 14th, per CCN CERT National Cryptologic Center. This same exploit mechanism appeared to be in use by ETERNAL BLUE, included as part of the Shadow Brokers dump. Patching and update information from Microsoft is located here. For the specific list of affected systems, along with CVE Number, specific MS patch details, and alternative mitigation techniques check here.


NIST Is Jealous That PCI (Still) Matters More Than It Does

Jeff Pollard

The summary of the new Executive Order is a bit of a letdown:

Government agencies must complete a risk management report within 90 days. The risk report should align with NIST.

Outside of those with a risk fetish, this new EO probably isn’t that exciting from the perspective of any near-term cybersecurity transformation. That said, there are some aspects worth mentioning:

  • Cybersecurity is now a multi-agency public policy issue driven by the Executive Branch. The Department of Homeland Security, Office of Management and Budget, Department of Commerce, Department of Education, Department of Labor, and Office of Personnel Management are all mentioned in the order.
  • The government wants to go shared services – including email, cloud, and cybersecurity services. The President requires a specific report on the costs related to modernizing government IT and cybersecurity by utilizing shared services.
  • Cybersecurity, services, and innovation are tied together with the order placing the Director of the American Technology Council as one primary stakeholder for the report modernizing IT and cybersecurity.
  • The order emphasizes workforce development as a key component of the United States cybersecurity advantage. Within 120 days the order requires that the President receive a report on how to support the growth and sustainment of cybersecurity education.

Does the order change much? Not really.

Is it worth getting excited over? Absolutely, for those that felt the government had too few reports and committees.

For security practitioners? Probably not, but we are a cynical bunch by trade. It isn't transformative, but it does show incremental improvement by existing.

Then again, cybersecurity requirements for accepting credit cards are still tougher (and more enforceable) than ones for providing electricity....