
In Such Transformative Times, the CISO Is Key to Delivering Digital Trust

For organizations today, staying competitive means undergoing rapid digital transformation, yet few appear to have a solid approach for handling the security and privacy implications of such a change. However, ensuring organizations adapt while also retaining a high level of digital trust is exactly where the chief information security officer (CISO) can help. CISOs are adept at reviewing the security of digital crown jewels — sensitive, business-critical data — aligning security to business goals, and ensuring that disruptive technologies such as artificial intelligence (AI), internet of things (IoT) devices and augmented reality are adopted with adequate security and privacy controls.

Conveniently, there are resources to guide CISOs on how to engage on these issues. One such resource is PwC’s “Digital Trust Insights” report, which replaces their long-running Global State of Information Security Survey (GSISS) series with a broader view of cyber risks awaiting the cognitive enterprise. The report — based on a survey of 3,000 executives and running only about a dozen pages — provides advice for CISOs, boards and business executives to rally around key issues of digital trust as they work to build a reasonably secure digital world.

Get Security Involved Early On

It will come as no surprise to anyone in cybersecurity that the best way to avoid costly and awkward security fixes — or worse, an embarrassing and damaging breach — is to bring in the security function early on in a project. The stakes are even higher for digital transformation projects. While 91 percent of companies executing transformations bring in security and privacy as stakeholders, only 53 percent are proactively managing security and privacy risks “fully from the start.” This varies somewhat by sector, and as expected, the financial services sector is in the lead with 66 percent engaging security and privacy from the start, followed by the healthcare sector (65 percent). The consumer markets sector comes in last, at 49 percent.

Bringing in stakeholders from cybersecurity and privacy from the very beginning of transformation initiatives is key. As the report noted, “Most respondents say emerging technologies are critical for business, but fewer are very confident they have sufficient ‘digital trust’ controls in place.” This is reflected in the survey results: 4 out of 5 organizations report that the IoT is critical to at least some parts of their business, yet only 39 percent are “very comfortable” with the digital trust controls deployed alongside their IoT adoption.

Early involvement of the security function will also improve alignment of security efforts with the business, a concern that was raised in the report as few organizations regularly assess that their security controls, frameworks and strategies are still appropriate in light of the digitization of the enterprise and the changing privacy landscape.

Review Security Talent and Workforce Awareness

In most organizations, the security function is already stretched thin and thus not in a position to handle the many new challenges posed by an organization undergoing rapid digital transformation. When the CISO is spending most of his or her time fighting fires or pleading for budget and support, there is little time left to review high-level security strategy, ensure appropriate privacy controls around sensitive data, and adequately communicate enterprisewide security issues to top leadership and the board. Another concern is the low number of organizations that report having a security awareness program (34 percent), and even fewer require training on privacy policies and practices (31 percent).

The way forward is to perform a workforce gap assessment specifically for the cybersecurity and privacy functions, and to commit to filling key roles in security and privacy with the required level of talent. In addition, organizations should review and update — or implement if absent — policies about their IT assets and sensitive data. Security awareness campaigns should be conducted regularly, but avoid the one-size-fits-all web-based approach. Instead, look for or create engaging security awareness materials and evaluate the effectiveness of each campaign. As attackers are continuously refining their tactics, so should you with your security awareness activities.

Improve Communications and Engagement With the Board

As years go by, we get further validation that an increasing number of CISOs are providing the board with updates about cyber risks. Findings from the PwC report echo this progression, with 80 percent of organizations stating their board was provided a risk management strategy. However, only 27 percent of organizations report being “very comfortable” that the board is getting adequate metrics on cyber risk management. Instead, a greater number, 29 percent, report being “uncomfortable” with the adequacy of information reported.

Changing the nature of the engagement between the CISO and the C-suite will take time. But the change needs to get under way, starting with communicating how threats, regulations and third-party risks impact the organization’s cyber risks. CISOs should focus on producing metrics that track the risks to business objectives and how security activities are having a measurable impact to bring those risks down to an acceptable level. Greater emphasis should be placed on the nature and quality of interactions between the CISO and the decision-makers rather than having the CISO deliver a quarterly five-minute broadcast about the organization’s security posture.

Instead, CISOs should spend a little more time learning about their audience, what drives each line of business and their particular concerns, provide materials to prime questions ahead of time, and actively invest in their relationship with the rest of the C-suite and business directors.

Test Cyber Resilience and Improve Strategies

While awareness, engagement and being there from the start are important, the only way to know for sure that the organization is prepared to deal with a data disruption or full-blown cyberattack is to put its cyber defenses to the test. Testing the cyber resilience of the organization can take many forms, depending on the level of the staff or the executives involved. The PwC report found that fewer than half of mid-to-large organizations are “very comfortable” that they have adequately tested their cyber resilience.

Once again, the CISO can and should play a key role on this issue, but doesn’t have to start from an empty slate. Several key organizations have produced reports on cyber resilience, some written specifically for the C-suite and the board, while others were written with chief information officers (CIOs) and CISOs specifically in mind.

Among the many resilience reports available are those from IBM Security and Ponemon Institute, the World Economic Forum (WEF) and the U.S. Department of Homeland Security (DHS). The latter defines resilience in cyberspace as the “ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.” Organizations should evaluate their ability to adapt to changing conditions and threats, including adapting organizational strategies; prepare for (including anticipating and planning ahead of disruptions); withstand (an area that should be tested more regularly than during the yearly pen test); and recover from an adverse event.

The CISO Is Key to Successful Digital Transformation

“Companies that show the connected world how to lead in safety, security, reliability, privacy, and data ethics will be the titans of tomorrow.” — PwC “Digital Trust Insights” report

Becoming a cognitive enterprise will require major changes, changes that can shake the foundation of trust in the organization’s customers and partners. Organizations will need to balance digital innovation with cyber resilience by ensuring early engagement of the security function in major projects and seeking whole-enterprise visibility and awareness of digital risks. The CISO is key to the organization maintaining a high level of digital trust in such transformative times.

The post In Such Transformative Times, the CISO Is Key to Delivering Digital Trust appeared first on Security Intelligence.

Author: Christophe Veltsos


Cyber Resilience Study: Incident Response Plans and Security Automation Set High Performers Apart

Today, the Ponemon Institute released its fourth annual “The Cyber Resilient Organization” report. This global study was the first of its kind back in 2015 and has been proudly sponsored by IBM Security since the beginning.

Over time, the importance of cyber resilience within the organization has grown significantly. Security leaders are striving to benchmark the organization’s preparedness and level of security, and measuring cyber resilience is a good reflection of their ability to withstand cyberattacks.

This year’s study queried 3,655 IT and security professionals and covered 11 different global markets: the U.S., Canada, India, Germany, Japan, Brazil, the U.K., France, Australia, the Middle East and Southeast Asia.

Benchmarking Cyber Resilience to Identify Best Practices

When we look back on last year’s study, the biggest barrier to cyber resilience was a lack of investment in important tools, such as artificial intelligence (AI) and machine learning. We saw a significant change here with 23 percent of respondents now using security automation, which includes both AI and machine learning, extensively.

As part of this research, we created a benchmark for measuring cyber resilience by isolating the most cyber resilient organizations and uncovering their approaches and habits; we refer to these organizations as high performers. In this year’s study, 960 respondents — 26 percent of the total sample — identified as high performers. Let’s look at some of the key things these organizations are doing differently to achieve this enhanced level of cyber resilience.

First, high performers have response plans. Fifty-five percent of high-performing organizations have a cybersecurity incident response plan (CSIRP) deployed across the organization, as opposed to only 23 percent of the rest of the pool. Meanwhile, 77 percent of businesses do not have a consistently deployed plan. This figure hasn’t changed significantly in the four years since we started this research, and it remains a surprisingly large number of organizations that lack this fundamental building block of cyber resilience.

This year, for the first time, we followed up with these respondents to understand what obstacles they faced. Some said they lacked the necessary staffing or strong leadership required to drive this process, while others pointed to difficulties with organizational structure that didn’t support a centralized approach.

It is no surprise, then, that nearly half (46 percent) of respondents said their organization has yet to reach full General Data Protection Regulation (GDPR) compliance nearly a year after the data privacy regulation took effect in May 2018. In future research, we plan to explore the reasons why companies lack a consistent incident response plan.

What Sets High-Performing Organizations Apart?

It’s clear that being a high performer has a positive impact on an organization’s security posture. High performers suffer fewer data breaches (41 percent versus 55 percent) and less disruption caused by cyberattacks. When we look further at the characteristics of high-performing organizations, it comes down to a blend of people, processes and technology.

In terms of people, the skills gap remains a critical barrier for most organizations, with respondents highlighting headcount gaps and the difficulty in hiring and retaining skilled staff as key hurdles. High-performing organizations are better able to address this and, more importantly, have leadership that values these skills and the importance of cyber resilience.

When it comes to processes, more than 55 percent of high-performing organizations have a consistently applied CSIRP, and they are more likely to participate in threat intelligence and data breach sharing partnerships (69 percent versus the average of 56 percent).

Finally, high performers identified IT complexity as a challenge. As a result, these organizations are more likely to have fewer security solutions deployed (39 versus 45) and to believe they have the right technology footprint to achieve cyber resilience.

Reduce the Cost of a Data Breach With Security Automation

There is a clear need for organizations to establish a strategy to address these challenges and think about how they handle security incidents in the context of the GDPR and other regulations.

The volume and severity of cyberattacks continue to rise, but research has shown that technology adoption around security automation can save organizations up to $1.55 million on the total cost of a data breach, whereas organizations that do not leverage security automation end up realizing a much higher total cost of a data breach.



Author: Larry Ponemon


Rewrite the Rules to Reduce Complexity in Your Security Architecture

Complexity as it relates to security architecture is attracting a lot of attention. At RSA Conference (RSAC) earlier this year, I saw complexity discussed at multiple vendor booths and in several presentations. But what does it really mean? And is it really that bad?

To get to the root of why complexity is such a challenge, I think you have to take a step back and look at what it is that makes security architecture so complex. One look at the RSAC 2019 exhibit hall provided a clue.

Walking the exhibit floor, I was struck over and over by the sheer number of vendors exhibiting this year. Every inch of space was used to show new products, services, approaches, integrations — you name it. It was noisy and overwhelming for me, and I can only imagine what it must have been like for security directors who were walking around trying to make sense of what was new.

I think the crowded RSAC expo floor is an accurate representation of one of the biggest conundrums in cybersecurity: It is an industry in constant flux. Every day, there are new attacks, updated methods and changing compromise patterns in addition to changing regulatory standards and new business initiatives that need to be evaluated for risk. And since every business has its unique needs and requirements, it’s really no surprise that there are multiple ways to approach a problem, and thus a plethora of products and services available.

Without a doubt, variety is essential for empowering customers to opt for solutions that work best for their unique situations. However, this singular approach to problem solving has created an incredibly complex environment for security organizations to manage, and that has consequences.

“At any given time, the analysts in our security operations center are looking at 10–20 windows open per product,” said Devin Somppi, lead of security operations at BriteSky. “While each of my analysts is an expert in their role, sharing information across these fields is a challenge.”

Somppi referred to his team as the “human glue” binding all of their different security applications. What he means is that many of the individual security solutions produce data that must be analyzed and acted upon. On an individual level, this works great. However, when investigating a multilayered security incident, the data must be shared among the analysts, and that takes time.

“Take, for example, a very common incident: a targeted phishing attack,” said Somppi. “First surfaced through a SIEM, an analyst reviews the situation and kicks off an investigation. This involves multiple parts: checking with your threat intelligence team to run the file against the latest information, getting information from your email security appliance for headers to see if it’s been spoofed, notifying the user of the compromise. This process does work — we make it work — but it can be slow and arduous when that information is spread across multiple teams.”

That kind of delay can be disastrous for end users.

It’s Time to Think Differently About Security

In their RSA Conference session, Somppi and IBM Security Chief Technology Officer Sridhar Muppidi discussed how the biggest hurdle for the security industry — vendors — will be rethinking its approach to security.

“We really have to start looking at security as a team sport,” said Muppidi. An avid cyclist, Muppidi used the example of a peloton from his college cycling days.

“I’m not much of a sprinter, but I’m great at hills,” he said. “There are others in our group where sprinting was their strength. And once we started communicating and leveraging our individual strengths, we not only improved in our race, but as a whole we became much more efficient. The same can be true for security.”

Thinking of security as a team sport shouldn’t be too hard; after all, our adversaries do this very well. Most attackers buy, sell and trade secrets. They share data, swap methodologies and collaborate on processes, all in the name of compromising their targets. So why shouldn’t we defenders adopt the same approach?

The easy answer is that we should. As security vendors, when we communicate better — when we share information and leverage each other’s strengths — we enable organizations to actively defend their networks. More importantly, we empower them to grow their businesses.

The harder question is, how do we do it? In their joint session at RSAC 2019, Muppidi and Somppi laid out three ways the cybersecurity industry can rethink its approach and be more collaborative in its defense.

1. Break Down Silos Among Vendors

In the current environment, each security vendor has its own way of capturing information and it is very hard to integrate that data. While this works to address security issues at an individual level, this siloed approach to using and viewing security data is limiting the potential of not only our clients, but also what we as security vendors can do.

“In order for organizations to really see what cybersecurity can do for their business, we have to break down the silos we’ve built as vendors,” Muppidi said. “This means unifying not only technical capabilities like our APIs or our use of microservices, but also the overall experience. That requires addressing things like different views on data privacy or getting over our ‘competitive’ mindset.”

This is not easy to do, but it ultimately provides a better cybersecurity experience for organizations that are already struggling.

2. Rethink the Role of Security Analysts by Embracing Artificial Intelligence

Artificial intelligence (AI) will play a pivotal role in how we approach security in the coming years. AI will become the connective tissue between products, decreasing the need for the “human glue” Somppi described as the current approach to information sharing between technologies.

“We will always need analysts,” said Somppi. “But they’ll be augmented by AI, and we’ll need to rethink the way they work. Analysts need to be the experts, but AI needs to be the glue.”

Ultimately, using AI to reduce the time it takes to connect data insights will make security stronger and our analysts less stressed.

3. Redefine Success as It Relates to Securing the Business

Every organization has a different measure of success when it comes to security. For some, success means speeding up the time it takes to detect a threat. Others are more concerned about how long it takes to remedy the situation, or maybe it’s all about applying lessons learned to make sure it doesn’t happen again. Without a doubt, these are all important, but we need to think differently.

“What if success means getting your SOC analysts home in time for dinner with their families?” Muppidi asked. When considering the predicted security skills gap, reducing the stress among your security analysts is a critical measure of success.

“Finding resources tends to be a challenge for our industry,” said Somppi. “I can find technology for anything and everything, but to have someone who can utilize that technology is incredibly difficult. I don’t want to burn them out.”

In addition to keeping them engaged and interested in their area of defense, it’s also critical to reduce the rate of analyst burnout. By reducing workload and stress, you can empower your SOC analysts to focus on fewer, but higher-value projects that are more strategic to the organization and are focused on growth.

Less Is More When It Comes to Your Security Architecture

The main takeaway from Somppi and Muppidi’s RSAC session is that it’s time for cybersecurity professionals to collaborate more and compete less. By breaking down silos among security teams and vendors, augmenting human intelligence with AI and machine learning, and empowering analysts to do more impactful work under less pressure, chief information security officers (CISOs) and business leaders can improve security output while also reducing the number of security products needed to protect the enterprise. Put simply, it’s time to make less matter more.


Author: Jennifer Glenn


Cybercriminals Spoof Major Accounting and Payroll Firms in Tax Season Malware Campaigns

It’s tax season in the U.S., which means one thing for cybercriminals: opportunity. While the deadline for filing is April 15, tax season stretches on for months beforehand, starting from the time businesses prepare employee payroll information such as W-2 forms. This gives cybercriminals plenty of time to launch campaigns in the hopes of ensnaring individuals and businesses in their various tax fraud, financial fraud and identity theft schemes.

IBM X-Force researchers recently scoured our spam traps for tax-themed malware spam campaigns to see what criminal gangs are up to this year, and we were not surprised to find several ongoing tax-themed campaigns. Three spam campaigns caught our attention because they were likely directed at businesses, with the potential to impact consumers as well. These campaigns attempted to deceive recipients into believing they were emailed by large accounting, tax and payroll services firms and carried malicious Microsoft Excel attachments with a payload familiar to us as one of the most common and effective banking Trojans: TrickBot.

TrickBot is financial malware that silently infects devices for the primary purpose of stealing valuable data such as banking credentials, and then follows up with wire fraud from the device owner’s account. If your computer is infected with TrickBot, the cybercriminals operating it have complete control and can do just about anything they wish on your device, including spreading to other computers on your network and emptying your company’s bank accounts, potentially costing millions of dollars.

We will dive deeper into TrickBot’s tactics, techniques and procedures (TTPs) below. But first, let’s look more closely at three spam campaigns that delivered TrickBot, which were the top tax-themed malware campaigns we’ve seen this year by spam volume.

Examination of Tax-Themed Spam Campaigns

The first thing to note about the tax-themed spam we have been seeing in the wild is that the campaigns spoofed (i.e., deceptively imitated) three of the biggest accounting firms, human resources services and payroll companies operating in the U.S. The spoofed companies included Paychex, a well-known payroll payments provider, and the HR management and services firm ADP, which published its own security alert on March 5, 2019, warning customers of the same malicious spam campaign.

The size of the spoofed firms suggests the criminals are likely to have some success in snagging individual users and businesses that are customers of these well-known companies. Recipients are more likely to expect an email about taxes from their service provider, so attackers can be much more successful if they spoof the names and email addresses of trusted HR services and accounting companies to deliver malware right around tax season.

It can often be difficult to assess the intended targets of banking Trojan campaigns and whether they target business or personal email accounts. Having looked at recipient domain names in our spam traps, we can assess that the campaigns target both business and personal email addresses. In TrickBot’s case, it would be safe to assume that businesses are being targeted for their bank accounts, and personal accounts are more likely to be used as money mules to siphon and redirect stolen funds through compromised users.

The second thing to note is that the spam emails appear to be related to one another and were clearly created by professionals, most likely associated with the TrickBot gang. The spam samples, which we dissect below, were more sophisticated than we typically see in other high-volume campaigns. Usually, tax campaigns consist of plain, poorly crafted emails asking recipients to open a malicious attachment. The sending address is commonly a free webmail address, and the message gives away the game with obvious clues that it is likely malspam.

In the TrickBot-delivering campaigns, however, attackers took extra steps to improve their deception techniques, from the way they crafted the messages to the brands they chose to impersonate. If you receive an email saying it is from a person or company you know and trust, you’re naturally less suspicious and may not look for other clues that it could be a malicious message. This is the moment every attacker is looking for: when the recipient’s guard lowers enough to make them open the attachment and even click to enable macros.

Once TrickBot is installed on a potentially vulnerable device and can reach other devices on the network, it can further spread and pivot. Finding only one unaware person in an organization is usually enough for attackers to get their foot in the door.

Campaign Timeline

Looking at the campaign timeline, our team was able to see that it has been active for a while, allowing attackers to cover a longer period when tax season is a relevant theme.

The first sample was received on Jan. 27, 2019, spoofing a large accounting firm.

Chart showing timeline of tax spam sample on Jan. 27, 2019

Subsequent campaigns were spotted on March 3, 2019, spoofing ADP.

Chart showing timeline of ADP spam sent March 3, 2019

On March 7, 2019, a campaign emerged spoofing Paychex.

Chart showing timeline of Paychex spam sent March 7, 2019

The bulk of the emails were received between 11:45 a.m. and 3:45 p.m. Eastern Standard Time (EST). In other words, these spam messages were sent during working hours for U.S. companies. All three email samples are written in English, adding evidence that the intended targets were located in the U.S. and other English-speaking countries, where there is a high likelihood of reaching customers of the three spoofed companies.

The “from” field of each email was spoofed using typosquatting to bolster the appearance that the emails are from the firms they purport to come from. None of the fake domains exist, nor were they registered by the companies themselves.

The messages were quite simple, only claiming to contain an attachment of tax or billing records. Subject lines were similarly simple, all including the word “tax” and beginning with FW: or RE: to trick recipients into thinking the email was forwarded or in response to a previous message.

Examples from each campaign appear below.

Sample 1: Large Accounting Firm

Subject: FW: 2018 EF Tax Incentive Billing

Body: Please see the attached Tax incentive billing

Example tax-themed phishing message from large accounting firm

Sample 2: ADP

Subject: FW: CASE #90ADP28TEFT – tax billing records

Body: Hi there, I have attached tax billing records for current period.

Example tax-themed phishing message from ADP

Sample 3: Paychex

Subject: RE: Tax verification documents

Body: Hi there, As requested, I have attached the details for your consideration. Thanks!

Example tax-themed phishing message from Paychex

To reinforce the illusion of legitimacy, the signatures of each of the emails mimic typical business signatures, including a name, job title and contact details, as well as mock email footers that the cybercriminals may have copied from legitimate business emails. A simple email to the spoofed companies could result in a response containing the actual footers, which can be copied. For example:

  • “This message (including any attachments) contains confidential information…”

  • “Please consider the environment before printing.”

  • “How are we doing? Let my manager know!”

The goal, of course, is to make the emails look as genuine as possible to gain the victims’ trust. The odds of someone opening attachments or clicking links are higher if the message looks as official and trustworthy as possible.
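The three traits described above (a typosquatted “from” domain that only resembles a trusted payroll or accounting brand, a “tax” subject line dressed up with FW: or RE:, and a macro-capable Excel attachment) are all visible in the message headers, so a mail gateway or SOC triage script can score them before a user ever sees the attachment. The following is an added example, not X-Force’s own tooling: the brand allow-list, the `.test` domains and the sample messages are all constructed here, and the brand-name heuristic is deliberately coarse (it would need tuning against an organization’s real vetted sender list).

```python
"""Triage constructed tax-season malspam samples for the traits the post describes.

Added example (not X-Force tooling). It flags:
  1. a From: domain that imitates a trusted brand but is not its real domain,
  2. a subject that fakes a thread (FW:/RE:) and mentions tax,
  3. a macro-capable Office attachment.
"""
import re
from email.message import EmailMessage, Message

# Constructed allow-list: brand keyword -> the domain the brand really mails from.
# The spoofed firms' real domains are not given on the page, so these are
# placeholder values standing in for an organisation's own vetted list.
TRUSTED_BRANDS = {
    "adp": "example-adp.test",
    "paychex": "example-paychex.test",
}

# Office formats that can carry VBA macros (legacy binary and macro-enabled OOXML).
MACRO_EXTENSIONS = (".xls", ".xlsm", ".xlsb", ".xltm", ".doc", ".docm", ".dotm")

THREAD_PREFIX = re.compile(r"^\s*(fw|fwd|re)\s*:", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; one or two edits is the usual typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg: Message) -> str:
    """Return the lower-cased domain of the From: address (the part after '@')."""
    header = msg.get("From", "")
    angle = re.search(r"<([^>]+)>", header)
    addr = angle.group(1) if angle else header
    return addr.rsplit("@", 1)[-1].strip().lower()


def lookalike_brand(domain: str):
    """Name the brand a sender domain imitates, or None if exact or unrelated."""
    if domain in TRUSTED_BRANDS.values():
        return None  # genuinely the brand's own domain
    label = domain.split(".")[0]  # registrable label, e.g. 'adp-payroll-services'
    for brand, legit in TRUSTED_BRANDS.items():
        legit_label = legit.split(".")[0]
        # Heuristic: brand name embedded in the label, or a near-miss spelling
        # of the brand's real label. Coarse by design; tune for your own brands.
        if brand in label or levenshtein(label, legit_label) <= 2:
            return brand
    return None


def triage(msg: Message) -> list:
    """Collect the tax-malspam indicators present in one message."""
    reasons = []
    domain = sender_domain(msg)
    brand = lookalike_brand(domain)
    if brand:
        reasons.append(f"sender domain {domain!r} imitates {brand!r} but is not its real domain")
    subject = msg.get("Subject", "")
    if THREAD_PREFIX.match(subject) and "tax" in subject.lower():
        reasons.append("subject fakes an existing thread (FW:/RE:) and mentions tax")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            reasons.append(f"macro-capable attachment {name!r}")
    return reasons


def build_sample(from_header: str, subject: str, attachment: str = None) -> Message:
    """Construct a sample message in memory (no real mail is read or sent)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["Subject"] = subject
    msg.set_content("Hi there, I have attached tax billing records for current period.")
    if attachment:
        # Placeholder bytes only; no macro or real document content.
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


# Constructed samples modelled on the subject lines quoted in the post.
SPOOFED_ADP = build_sample("Payroll Team <billing@adp-payroll-services.test>",
                           "FW: CASE #90ADP28TEFT - tax billing records",
                           "tax_billing_records.xlsm")
SPOOFED_PAYCHEX = build_sample("Tax Dept <docs@paychexx.test>",
                               "RE: Tax verification documents",
                               "verification.xls")
LEGIT_ADP = build_sample("Payroll Team <statements@example-adp.test>",
                         "Your March statement is available")

if __name__ == "__main__":
    for label, sample in [("spoofed ADP", SPOOFED_ADP),
                          ("spoofed Paychex", SPOOFED_PAYCHEX),
                          ("legitimate", LEGIT_ADP)]:
        print(label, "->", triage(sample) or ["no indicators"])
```

Each indicator on its own is weak (plenty of genuine mail is forwarded with FW:, and plenty of finance teams exchange spreadsheets), which is why the function returns the full list of reasons rather than a verdict: a gateway can quarantine on two or more hits and merely tag on one, and the exact-domain short-circuit keeps the brand’s real mail out of the queue.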

TrickBot in Sheep’s Clothing

What would malspam be without the malicious attachment? Probably an ordinary spam or phishing email. To investigate these tax malspam messages, we first examined the attachment in the ADP sample. The file contained an Excel document with an embedded macro. The macro itself was highly obfuscated, which makes analysis a bit more difficult, but as far as we could deobfuscate the macro, five batch files were dropped and started once we ran it.

In the Paychex sample, we observed the same behavior, only swapping different filenames and URLs. The accounting firm sample, on the other hand, dropped only one file. In each case, the dropped files called to a similar range of IP addresses for the payload, which eventually fetched and executed the TrickBot Trojan.

Here it becomes clear that the overall process — the mail style, the behavior of the attachments, the construct of the malware URL, the way it hides the .exe file behind an unknown domain path — is the same for all samples. This is also a strong indicator that the same actors might be involved in all three campaigns.

The average user will probably not notice any infections by TrickBot directly. Network admins, however, may eventually see changes in traffic or attempts to connect to blacklisted IPs and domains when the malware tries to connect to its command-and-control (C&C) servers.

Meanwhile, TrickBot tries to steal as much data as possible, typically focusing on stealing banking credentials from known banking websites, with the list of targeted banks changing regularly. The Trojan uses two techniques for stealing banking credentials: dynamic injection and redirection attacks. Dynamic injections are fetched in real time from the attack server instead of being written directly into a configuration file. Redirection attacks hijack the user to a page controlled by the attacker, a replica of the bank’s home page, tricking them into divulging their credentials and other authentication elements.

TrickBot is a highly sophisticated malware that can do plenty of damage beyond financial fraud. As X-Force researcher Limor Kessem noted in a recent investigation of organized cybercrime gangs, TrickBot, which ranked as the top financial malware of 2018, added new functions to the malware last year. On top of its existing capabilities, TrickBot can now steal remote desktop protocol (RDP) credentials, virtual network computing (VNC) credentials and PuTTY open-source terminal emulator credentials. TrickBot also steals Windows system reliability and performance data and features a new mechanism for storing its configuration and elliptic curve cryptography (ECC) public keys.

TrickBot’s operators have ample resources to develop the malware and are sure to have more tricks up their sleeve.

IoCs and Security Tips for Tax Season Malware

For more information on the TrickBot campaign’s indicators of compromise (IoCs), please visit X-Force Exchange.

Tips for IT Security Teams

  • Disable macros by default in Office documents.
  • Block all URL and IP-based IoCs at firewalls, intrusion detection systems (IDSs), web gateways, routers or other perimeter-based devices.
  • Use updated antivirus tools and make sure your current vendor has coverage for banking Trojans such as TrickBot.
  • Search for existing signs of the indicated IoCs in your environment and email systems.
  • Keep all critical and noncritical systems up to date and patched.
  • Report suspected tax scams to the IRS at phishing@irs.gov. You can also file a complaint with the U.S. Federal Trade Commission (FTC).
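Two of the tips above, keeping macro-bearing documents out of inboxes and hunting for the published IoCs, can be scripted at a mail gateway or over proxy logs. The following is an added example written for this page, not X-Force tooling: it flags Office Open XML attachments that carry a VBA project (the kind of macro-laden Excel file described in the analysis above) and matches URL and IP indicators against log lines. Every indicator, log line and sample workbook here is a constructed placeholder in documentation address space; real indicators come from X-Force Exchange. Legacy binary .doc/.xls files are only recognized, not parsed; those need an OLE-aware scanner such as oletools.

```python
"""Mail-gateway triage for macro attachments and IoC matching.

Added example for this page, not X-Force tooling. Every indicator, log line
and sample document below is a constructed placeholder.
"""
import io
import re
import zipfile
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# OOXML files (.docm/.xlsm/.pptm) are ZIP containers; an embedded VBA project is
# stored as a part named vbaProject.bin under word/, xl/ or ppt/.
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
# Legacy binary Office files (.doc/.xls) are OLE compound documents; their macros
# live in OLE streams and need an OLE parser (oletools' olevba, for instance).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole' or 'other' for an attachment body."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # hand off to an OLE-aware scanner
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "other"
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return "other"  # a ZIP, but not an Office Open XML package
    return "macro" if any(VBA_PART.match(n) for n in names) else "no-macro"


def build_sample_workbook(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP so the check can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Placeholder bytes, not a real VBA project: only the part name matters here.
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


# Constructed indicators (documentation address space); take real ones from X-Force Exchange.
IOC_IPS = {"198.51.100.23"}
IOC_CIDRS = ["203.0.113.0/24"]
IOC_DOMAINS = {"payroll-update.example"}

# Constructed proxy log lines in a key=value layout.
LOG_LINES = [
    "2019-03-12T09:14:03Z src=10.0.0.8 dst=198.51.100.23 url=http://payroll-update.example/docs/w2.exe",
    "2019-03-12T09:14:05Z src=10.0.0.8 dst=93.184.216.34 url=https://www.example.com/",
    "2019-03-12T09:15:10Z src=10.0.0.11 dst=203.0.113.77 url=http://203.0.113.77/x/tax.exe",
    "2019-03-12T09:16:00Z src=10.0.0.12 dst=198.51.100.9 url=http://cdn.payroll-update.example/a.php",
]


def _as_ip(text):
    try:
        return ip_address(text)
    except ValueError:
        return None


def _candidates(line):
    """Pull destination IPs and URL hostnames out of one log line."""
    ips, hosts = set(), set()
    m = re.search(r"\bdst=(\S+)", line)
    if m and _as_ip(m.group(1)):
        ips.add(_as_ip(m.group(1)))
    m = re.search(r"\burl=(\S+)", line)
    if m:
        host = urlsplit(m.group(1)).hostname
        if host:
            ip = _as_ip(host)
            if ip:
                ips.add(ip)
            else:
                hosts.add(host.lower())
    return ips, hosts


def match_iocs(lines, ioc_ips, ioc_cidrs, ioc_domains):
    """Return (line_index, kind, indicator) for every indicator seen in the logs.
    Domain indicators also match their subdomains; CIDR indicators match any address inside."""
    ip_set = {ip_address(i) for i in ioc_ips}
    nets = [ip_network(c) for c in ioc_cidrs]
    hits = []
    for n, line in enumerate(lines):
        found = set()
        ips, hosts = _candidates(line)
        for ip in ips:
            if ip in ip_set:
                found.add(("ip", str(ip)))
            found.update(("cidr", str(net)) for net in nets if ip in net)
        for host in hosts:
            found.update(("domain", d) for d in ioc_domains
                         if host == d or host.endswith("." + d))
        hits.extend((n, kind, ind) for kind, ind in sorted(found))
    return hits


if __name__ == "__main__":
    for flag in (True, False):
        print("sample workbook:", classify_attachment(build_sample_workbook(flag)))
    for hit in match_iocs(LOG_LINES, IOC_IPS, IOC_CIDRS, IOC_DOMAINS):
        print("IoC hit:", hit)
```

The attachment check deliberately reports legacy OLE files as a separate class rather than guessing: a gateway policy that quarantines both "macro" and "legacy-ole" for manual review is the conservative reading of "disable macros by default". Subdomain matching on domain indicators matters because campaigns rotate hostnames under the same registered domain.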

Tips for Users

  • The U.S. Internal Revenue Service (IRS) communicates via snail mail only; it does not initiate contact with taxpayers by email, phone, text messages or social media channels to request personal or financial information. Do not respond to such requests.
  • Don’t open unsolicited emails, click on links within such emails or open attachments coming from unknown senders. Most malware-laden emails will ask users to enable macros. Avoid doing that.
  • Even in the case of known senders, be careful about opening email attachments, especially ZIP or RAR archives and Office documents. Ideally, verify with the sender before opening any attachments.
  • If you receive an email claiming to be from your payroll vendor and you’re not sure if you can trust it, try logging into the provider’s website directly or calling your representative to confirm its validity.

Tips for IBM Security Customers

  • The emails and malware described above are blocked by IBM Security filters. URLs and IPs in the emails are recognized by IBM Security as malicious.
  • IBM Security’s database of malicious activities is updated every five minutes.
  • Check X-Force Exchange regularly for information on new campaigns and learn more about the X-Force Exchange Commercial API.


The post Cybercriminals Spoof Major Accounting and Payroll Firms in Tax Season Malware Campaigns appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: John Zorabedian

CISO, Compliance, Cybersecurity Legislation, Data Privacy, Data Protection, Data Security, General Data Protection Regulation (GDPR), IBM Security, IBM Security Guardium, Privacy, Privacy by Design, privacy regulations, regulatory compliance, Security by Design,

Preparing for the CCPA: Leverage GDPR Investments to Accelerate Readiness

The European Union (EU)’s General Data Protection Regulation (GDPR) is about to celebrate its first birthday, and similar regulations scheduled to go into effect early in 2020 — such as Brazil’s Lei Geral de Proteção de Dados (LGPD) and the California Consumer Privacy Act (CCPA) — will press organizations to look more holistically at how they address privacy. Because I’m an optimist, I think it’s possible a U.S. federal privacy law could also be passed in the next 18 months. In my experience, modern data privacy readiness and controls are largely based on common privacy principles and practices from the GDPR, which began enforcement on May 25, 2018.

But what does that really mean?

Apply GDPR Best Practices to Your CCPA Readiness Plan

Let’s take a step back and look at several of the high-level overlaps between the GDPR and the CCPA as an example. Keep in mind that within each regulation there are fine points that clearly differentiate them. While those are beyond the scope of this article, we suggest seeking legal advice should you need further help on this topic. Here is a high-level review:

  • While definitions vary, the general definition of “personal data” or “personal information” is virtually anything that can be used to identify an individual. Both regulations define and enumerate rules to enforce an individual’s rights around his or her personal information.
  • Under the important right of disclosure or access, individuals are entitled to transparency about how their personal data is collected, and to receive a copy of that data or have it deleted altogether.
  • The CCPA does not directly impose specific data security requirements, but establishes a right of action for certain data breaches caused by business failure to maintain reasonable security practices and procedures appropriate to the risk. Somewhat similarly, the GDPR requires appropriate technical and organizational measures necessary to ensure security appropriate to the risk.

As these basic overlaps between the GDPR and the CCPA illustrate, there is a set of common principles about transparency, including an individual’s right to access or request deletion of personal data, the need for security, and the potential for substantial penalties for noncompliance. While there are implementation differences between the various regulations — such as which organizations and individuals qualify, personal data definitions and individual rights (access, correction, deletion) — the IT best practices required to help your compliance program are largely the same. Some of these include:

  1. Security and privacy by design and by default;
  2. Locating, identifying and classifying personal data;
  3. Tracking personal data use via audit trails to demonstrate compliance;
  4. Providing for response capabilities to individual requests for access, correction, deletion and transfer of personal data and audit trails to demonstrate compliance;
  5. Implementing security controls according to risk (vulnerability assessments, access controls, activity monitoring, encryption); and
  6. Effectively preparing for and responding to breaches.

A Repeatable Framework for Protecting Regulated Data

In my experience as a practitioner, I find that it’s often helpful to follow a framework that guides you as you bring these best practices to life in your data privacy program. That’s why IBM created a five-step program to help you establish a repeatable process for protecting personal and regulated data, known as the Critical Data Protection Program:

Figure 1: IBM’s Critical Data Protection Program (key features of an approach to protecting personal data)

When it comes to preparing for the CCPA (and other regulations down the road), consider what steps you can take as an IT organization and how you will be working with your privacy/legal/compliance organizations. Your privacy team will undertake many of these activities, including assessments, policy setting and creating business processes.

  1. Start by obtaining executive sponsorship and budgets to support your privacy program. The higher up the executive chain, the better. The changes you may need to make will cross organizational boundaries, so support from the top will be critical to your success.
  2. Next, assess and understand your obligations — in other words, do a gap analysis. This may mean seeking legal counsel. Review your existing privacy policies, notices and statements. Do you have them? Where are they presented, and when were they last updated? Are they clearly written and easy to understand?
  3. Create a cross-functional team. When it comes to implementation, be sure to have all the right stakeholders involved. Privacy is not just a security issue, or even just a privacy issue; your cross-functional team should include departments such as marketing and HR, for example, due to the potentially regulated data they may be dealing with.
  4. Regardless of regulation, you will need to know what personal data assets you store, where they are located and how they are used. You will hear this often referred to as a data map. Data discovery is an essential part of creating a data map; it’s the process of identifying, inventorying and mapping personal data and data flows across your organization. A data security solution can help automate the process to avoid approaching it manually — after all, who couldn’t use fewer spreadsheets and more time?
  5. Review data retention schedules. How long do you retain the personal data you collect? It should be either as long as required for a legitimate business need or as required by law.
  6. Document privacy compliance activities, including processing operations involving personal data.
  7. Develop audit capabilities and processes. You will be required to demonstrate what you are doing to address your compliance obligations. You will need a robust audit plan and process to monitor ongoing conformity and help mitigate risk, both internally and with your data processors and other vendors.
  8. Implement privacy by design and security by design. Although not spelled out in the CCPA, this is an important GDPR requirement and it can save you a lot of redundant work regardless of the regulation. Going forward, if you develop new services and systems, it is likely that you will be expected to embed — by default and by design — processes and features that will help ensure privacy of personal data.
  9. Create breach response and notification protocols. In the event of a breach with the GDPR, under certain scenarios, you have 72 hours to notify the regulatory authority. Other states and jurisdictions have varied timelines; sectoral regulations such as New York’s Department of Financial Services 23 NYCRR 500 also mandate 72 hours. Achieving these tight deadlines may depend on having defined processes and protocols in place for investigating, containing and responding to data breaches.
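Steps 4, 5 and 7 above (the data map, retention review and audit trail) are the parts of this list an IT team can start automating. The following is an added illustration written for this page, not IBM Guardium or any other product’s code: it runs a pattern-based discovery pass over constructed sample records, produces a first-cut data map, flags rows that have outlived a constructed retention schedule, and writes one audit-trail line per finding. The column hints and value patterns are assumptions kept deliberately small for the example; a production classifier is tuned per organization and checked for false positives.

```python
"""Data-discovery pass producing a data map, a retention check and audit lines.

Added illustration for this page, not IBM Guardium or any other product.
The records, column hints, patterns and retention policy are all constructed.
"""
import re
from datetime import date, timedelta

# Value shapes that usually indicate personal data (assumed, intentionally minimal).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
US_SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
PHONE_CHARS_RE = re.compile(r"^\+?[\d\s().-]+$")
# Column names that carry identifiers regardless of how the value looks (assumed).
NAME_HINTS = {"name", "first_name", "last_name", "full_name", "date_of_birth", "dob", "address"}


def classify_value(column, value):
    """Return the personal-data categories a single cell appears to fall into."""
    cats = set()
    if column.lower() in NAME_HINTS:
        cats.add("identifier")
    if not isinstance(value, str):
        return cats
    v = value.strip()
    if EMAIL_RE.match(v):
        cats.add("email")
    if US_SSN_RE.match(v):
        cats.add("us_ssn")
    # Phone numbers: only digits and separators, with 10 to 15 digits in total,
    # so that dates such as 2019-02-01 are not mistaken for phone numbers.
    if PHONE_CHARS_RE.match(v) and 10 <= len(re.sub(r"\D", "", v)) <= 15:
        cats.add("phone")
    return cats


def build_data_map(sources):
    """sources maps a system or table name to its rows. Returns
    {source: {column: [categories]}} for columns where any row looked personal."""
    data_map = {}
    for source, rows in sources.items():
        columns = {}
        for row in rows:
            for column, value in row.items():
                cats = classify_value(column, value)
                if cats:
                    columns.setdefault(column, set()).update(cats)
        if columns:
            data_map[source] = {c: sorted(v) for c, v in columns.items()}
    return data_map


def retention_violations(sources, policy_days, today):
    """(source, row id) pairs whose collected_at date is past the source's retention period."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    out = []
    for source, rows in sources.items():
        limit = policy_days.get(source)
        if limit is None:
            continue  # no schedule defined for this source: a gap to raise, not a pass
        for row in rows:
            collected = date.fromisoformat(row["collected_at"])
            if today - collected > timedelta(days=limit):
                out.append((source, row["id"]))
    return out


def audit_entries(data_map, actor, when):
    """One audit-trail line per discovered column, so the inventory itself is evidence."""
    return [
        f"{when} actor={actor} action=discover source={src} column={col} categories={','.join(cats)}"
        for src, cols in data_map.items()
        for col, cats in cols.items()
    ]


# Constructed sample records; none of these describe real people.
SAMPLE_SOURCES = {
    "crm.contacts": [
        {"id": 1, "full_name": "Ada Example", "email": "ada@example.com",
         "phone": "+1 555 010 0001", "collected_at": "2017-01-15"},
        {"id": 2, "full_name": "Ben Example", "email": "ben@example.com",
         "phone": "+1 555 010 0002", "collected_at": "2019-02-01"},
    ],
    "hr.payroll": [
        {"id": 7, "employee": "E-100", "ssn": "123-45-6789", "collected_at": "2018-06-30"},
    ],
    "ops.metrics": [
        {"id": 1, "cpu_pct": 41, "collected_at": "2019-03-01"},
    ],
}
RETENTION_DAYS = {"crm.contacts": 730, "hr.payroll": 3650}  # constructed policy, in days

if __name__ == "__main__":
    data_map = build_data_map(SAMPLE_SOURCES)
    for line in audit_entries(data_map, "privacy-bot", "2019-04-01T00:00:00Z"):
        print(line)
    print("past retention:", retention_violations(SAMPLE_SOURCES, RETENTION_DAYS, "2019-04-01"))
```

The output is a data map keyed by source and column rather than by row, which is the granularity a privacy team needs for processing records and access requests; the audit lines give the step 7 reviewer a dated record of what was found and by whom, and a source with no retention schedule is skipped loudly in a comment rather than silently treated as compliant.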

The bottom line is that approaching any privacy regulation requires a combination of people, process and technology. There is no one solution that can meet all needs. There are many technologies from IBM Security that can help — from data activity monitoring solutions to software-as-a-service (SaaS)-based risk analysis to encryption — and our privacy experts can help you get started in creating or augmenting your privacy program with services such as a CCPA readiness assessment.

Accelerate Your Readiness for New Data Privacy Regulations

Privacy regulations will continue to evolve, both in the U.S. and abroad. While there are many implementation differences, the IT controls and requirements for protecting personal data are largely the same. As you build out your program, don’t forget to leverage the existing investments you’ve made in preparing for other regulations — from both an organizational and technology perspective — to accelerate your readiness for new regulations.

With the right tools in place, you can implement a consolidated approach to help organize and automate your privacy controls program and, in the process, help build trust and accountability, whether with consumers, business partners or employees.


Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post Preparing for the CCPA: Leverage GDPR Investments to Accelerate Readiness appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Cindy Compert


Artificial Intelligence (AI), breach, C-Suite, CISO, Collaboration, Cybercrime, Cybersecurity Jobs, Cyberthreats, Internet of Things (IoT), Malware-as-a-Service (MaaS), Managed Security Services (MSS), New Collar, RSA Conference, Security Professionals, Security Services, Security Spending, Skills Gap, Threat Sharing,

Stressed to Impress: Evolving Threats Raise the Stakes on Shared Security Culture

Cybersecurity experts are working longer hours and tackling more complex challenges as threat landscapes continue to evolve. Survey data from Farsight Security found that more than half of security professionals work weekends and nearly 30 percent work 10 or more hours a day. But companies still face a jobs shortfall: As reported by TechCrunch, research from (ISC)2 suggests a jobs gap of more than 3 million positions worldwide.

The result is no surprise; cybersecurity professionals are tasked to do more with less and deliver better results. One solution to this problem involves a necessary shift to improve security culture across three key areas: intraorganizational, interorganizational and metaorganizational.

Big Spend, Bigger Breaches

Before committing resources to shift culture and solve security problems, enterprises need to know what they’re up against. When it comes to defending against advanced cyberthreats, organizations face multiple areas of concern.

Growing Costs

According to Forbes, companies must be ever-vigilant for the “Big One,” the cybersecurity incident that will have disastrous consequences for a major enterprise, key infrastructure or even society as a whole. Add in the ever-present threat of smaller breaches due to new exploits or existing vulnerabilities, combined with the need to remediate these issues ASAP, and it’s no surprise that the global cost of cybercrime could reach $6 trillion annually by 2021, according to Cybersecurity Ventures.

Increasing Scope

RSA Conference 2019 had a simple theme: “Better.” The notion was a catchall, a way to acknowledge that all areas of cybersecurity — from frontline defenses to detection systems to user access processes — require ongoing support and improvement. As noted by ZDNet, however, this growing emphasis on continual improvement speaks to the ongoing success and increasing scope of new threat vectors; despite the industry’s best efforts, threat actors are still coming out ahead.

Trending Threats

Speaking of IT threats, information security professionals are faced with an evolving marketplace, one in which cybercriminals are willing to collaborate on new projects and cultivate as-a-service alternatives to compromise corporate networks. For example, CSO Online reported that attackers are now targeting enterprise video conferencing systems with internet of things (IoT) botnets, while Futurism spoke to the rise of the industrial safety system-disabling malware Triton — unchecked, this kind of infection could cause both financial and physical harm.

Mind Over Matter?

While C-suites have embraced the notion of cybersecurity as a business driver, effective change demands expert support. As noted by the MIT Technology Review, security professionals are stressed. Cybersecurity conferences now regularly feature community health sessions and tracks dedicated to helping IT experts manage their stress and ensure job demands don’t lead to negative consequences in other areas.

What’s stressing IT right now? A quick rundown includes:

  • Malware-as-a-service (MaaS) — According to Bleeping Computer, MaaS markets are rapidly expanding as malicious code makers recognize the value in selling and supporting threat infrastructure rather than assuming the risk of a direct attack. These markets “provide a huge trove of malicious tools and services.”
  • Missing money — Spending isn’t keeping up with new cyberthreats. As Forbes pointed out, while some institutions such as banks are ramping up their infosec budgets, others — such as government agencies that regulate critical utilities like power and water — aren’t keeping pace. The bottom line is that paltry budgets continue to plague information security efforts.
  • Moving target — Organizations are struggling to close the cybersecurity skills gap. This leaves existing professionals on the hook to do more with less while also finding ways to stay ahead of new IT threats.

The takeaway here is that cybersecurity employees have the right mindset but are often missing the material components required to effectively manage security expectations.

The Organizational Imperative

Evolving threats, employee stress and emerging expectations demand a fundamental shift, one that prioritizes companywide security culture over the siloed approaches of traditional IT infrastructure. Embracing this organizational imperative requires adaptation across three key areas.

1. Intraorganizational

Corporate end users — from frontline staff to managers and stakeholders — are the primary consumers of IT services and solutions. As a result, without intraorganizational support in the form of security-first culture, cybersecurity professionals face a losing battle. According to IBM security experts, making the shift requires “muscle memory” — security processes must be “required, enforceable and, above all, easily incorporated into the daily life of your users.”

Perceptive shifts are also critical; creating a security-first culture that recognizes the role of security spending and solutions in revenue generation rather than cost mitigation.

2. Interorganizational

Historically, organizations have been loath to share security data, especially when it points to evidence of compromise or network vulnerability. The problem with this is that malicious actors aren’t shy about sharing attack data, putting cybersecurity in the untenable position of facing superior numbers armed with better intelligence. As the Federal News Network noted, this is starting to change — for example, the DoD-backed Security Coordination Center (SCC) focuses on threat sharing and mitigation to reduce attack impact.

Private companies must do the same. Interorganizational cooperation is no longer optional in the fight against opportunistic cybercriminals.

3. Metaorganizational

To reduce IT stress and improve overall defense, enterprises must think outside the box.

When it comes to bridging the skills gap, for example, companies are well-served with a new collar approach — leveraging new or existing staff who may not possess traditional college degrees but have the needed technical skills, aptitudes or passion for cybersecurity. This allows companies to fill critical positions without having to wait for the “perfect” candidate.

Another option? Managed security services designed to strengthen information security defenses and lower total costs. The right third-party partner can help deliver services, such as custom-built firewalls, intelligent log management and cloud-based intrusion detection, allowing cybersecurity specialists to focus on mission-critical initiatives.

Emerging solutions such as artificial intelligence and intelligent orchestration also offer key benefits. By automating essential, data-driven services, such as attack response, data breach notification and real-time productivity measurement, C-suites gain critical transparency while IT professionals get improved access to the information they need, when they need it.

Security Culture Must Adapt

Cybersecurity professionals are stressed, and with good reason: the stakes are higher than ever. They’re tasked with impressing C-suites, evading threats and improving infrastructure, but are hampered by time limitations, budget constraints and personnel gaps.

Bolstering IT and boosting the bottom line demands a critical shift. Security culture must adapt across intraorganizational, interorganizational and metaorganizational lines to empower shared responsibility, encourage honest collaboration and embrace new information security approaches.

The post Stressed to Impress: Evolving Threats Raise the Stakes on Shared Security Culture appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Douglas Bonderud

Artificial Intelligence (AI), breach, C-Suite, CISO, Collaboration, Cybercrime, Cybersecurity Jobs, Cyberthreats, Internet of Things (IoT), Malware-as-a-Service (MaaS), Managed Security Services (MSS), New Collar, RSA Conference, Security Professionals, Security Services, Security Spending, Skills Gap, Threat Sharing,

Stressed to Impress: Evolving Threats Raise the Stakes on Shared Security Culture

Cybersecurity experts are working longer hours and tackling more complex challenges as threat landscapes continue to evolve. Survey data from Farsight Security found that more than half of security professionals work weekends and nearly 30 percent work 10 or more hours a day. But companies still face a jobs shortfall: As reported by TechCrunch, research from (ISC)2 suggests a jobs gap of more than 3 million positions worldwide.

The result is no surprise; cybersecurity professionals are tasked to do more with less and deliver better results. One solution to this problem involves a necessary shift to improve security culture across three key areas: intraorganizational, interorganizational and metaorganizational.

Big Spend, Bigger Breaches

Before committing resources to shift culture and solve security problems, enterprises need to know what they’re up against. When it comes to defending against advanced cyberthreats, organizations face multiple areas of concern.

Growing Costs

According to Forbes, companies must be ever-vigilant for the “Big One,” the cybersecurity incident that will have disastrous consequences for a major enterprise, key infrastructure or even society as a whole. Add in the ever-present threat of smaller breaches due to new exploits or existing vulnerabilities, combined with the need to remediate these issues ASAP, and it’s no surprise that the global cost of cybercrime could reach $6 trillion annually by 2021, according to Cybersecurity Ventures.

Increasing Scope

RSA Conference 2019 had a simple theme: “Better.” The notion was a catchall, a way to acknowledge that all areas of cybersecurity — from frontline defenses to detection systems to user access processes — require ongoing support and improvement. As noted by ZDNet, however, this growing emphasis on continual improvement speaks to the ongoing success and increasing scope of new threat vectors; despite the industry’s best efforts, threat actors are still coming out ahead.

Trending Threats

Speaking of IT threats, information security professionals are faced with an evolving marketplace, one in which cybercriminals are willing to collaborate on new projects and cultivate as-a-service alternatives to compromise corporate networks. For example, CSO Online reported that attackers are now targeting enterprise video conferencing systems with internet of things (IoT) botnets, while Futurism spoke to the rise of the industrial safety system-disabling malware Triton — unchecked, this kind of infection could cause both financial and physical harm.

Mind Over Matter?

While C-suites have embraced the notion of cybersecurity as a business driver, effective change demands expert support. As noted by the MIT Technology Review, security professionals are stressed. Cybersecurity conferences now regularly feature community health sessions and tracks dedicated to helping IT experts manage their stress and ensure job demands don’t lead to negative consequences in other areas.

What’s stressing IT right now? A quick rundown includes:

  • Malware-as-a-service (MaaS) — According to Bleeping Computer, MaaS markets are rapidly expanding as malicious code makers recognize the value in selling and supporting threat infrastructure rather than assuming the risk of a direct attack. These markets “provide a huge trove of malicious tools and services.”
  • Missing money — Spending isn’t keeping up with new cyberthreats. As Forbes pointed out, while some institutions such as banks are ramping up their infosec budgets, others — such as government agencies that regulate critical utilities like power and water — aren’t keeping pace. The bottom line is that paltry budgets continue to plague information security efforts.
  • Moving target — Organizations are struggling to close the cybersecurity skills gap. This leaves existing professionals on the hook to do more with less while also finding ways to stay ahead of new IT threats.

The takeaway here is that cybersecurity employees have the right mindset but are often missing the material components required to effectively manage security expectations.

The Organizational Imperative

Evolving threats, employee stress and emerging expectations demand a fundamental shift, one that prioritizes companywide security culture over the siloed approaches of traditional IT infrastructure. Embracing this organizational imperative requires adaptation across three key areas.

1. Intraorganizational

Corporate end users — from frontline staff to managers and stakeholders — are the primary consumers of IT services and solutions. As a result, without intraorganizational support in the form of security-first culture, cybersecurity professionals face a losing battle. According to IBM security experts, making the shift requires “muscle memory” — security processes must be “required, enforceable and, above all, easily incorporated into the daily life of your users.”

Shifts in perception are also critical: a security-first culture recognizes the role of security spending and solutions in revenue generation rather than treating them purely as cost mitigation.

2. Interorganizational

Historically, organizations have been loath to share security data, especially when it points to evidence of compromise or network vulnerability. The problem with this is that malicious actors aren’t shy about sharing attack data, putting cybersecurity in the untenable position of facing superior numbers armed with better intelligence. As the Federal News Network noted, this is starting to change — for example, the DoD-backed Security Coordination Center (SCC) focuses on threat sharing and mitigation to reduce attack impact.

Private companies must do the same. Interorganizational cooperation is no longer optional in the fight against opportunistic cybercriminals.

3. Metaorganizational

To reduce IT stress and improve overall defense, enterprises must think outside the box.

When it comes to bridging the skills gap, for example, companies are well-served with a new collar approach — leveraging new or existing staff who may not possess traditional college degrees but have the needed technical skills, aptitudes or passion for cybersecurity. This allows companies to fill critical positions without having to wait for the “perfect” candidate.

Another option? Managed security services designed to strengthen information security defenses and lower total costs. The right third-party partner can help deliver services, such as custom-built firewalls, intelligent log management and cloud-based intrusion detection, allowing cybersecurity specialists to focus on mission-critical initiatives.

Emerging solutions such as artificial intelligence and intelligent orchestration also offer key benefits. By automating essential, data-driven services, such as attack response, data breach notification and real-time productivity measurement, C-suites gain critical transparency while IT professionals get improved access to the information they need, when they need it.

Security Culture Must Adapt

Cybersecurity professionals are stressed, and with good reason: the stakes are higher than ever. They’re tasked with impressing C-suites, evading threats and improving infrastructure, but are hampered by time limitations, budget constraints and personnel gaps.

Bolstering IT and boosting the bottom line demands a critical shift. Security culture must adapt across intraorganizational, interorganizational and metaorganizational lines to empower shared responsibility, encourage honest collaboration and embrace new information security approaches.

The post Stressed to Impress: Evolving Threats Raise the Stakes on Shared Security Culture appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Douglas Bonderud

CISO, IBM X-Force Command Center, Incident Response, Incident Response (IR), Professional Development, Security Professionals, Security Services, Security Training, X-Force,

Capture the Flag Competitions Can Help Close the Security Skills Gap

I first learned about gamification in college when I attended a talk about internship opportunities at IBM. Jason Flood and William Bailey, members of the security teams at IBM Collaboration Solutions (ICS) and Industry Solutions, made a great impression on me when they spoke about capture the flag (CTF) events they were building for students and the IT industry.

What really piqued my interest was how gamification and capture the flag events could teach people about security in a learning environment without a lot of pressure. I was what you would describe as a new collar candidate. I hadn’t gone straight into college after my primary education, instead going into the workforce as a laborer and truck driver. But I decided to go back to school to retrain and rewire my brain for new skills in the IT world.

I’ve always had an affinity for electrical things and learning how they worked. I was grounded once as a kid for taking apart the clothes iron and reassembling it in a nonconventional way. IT seemed to be the next logical progression in my career, where I could break stuff intentionally. After an internship at IBM, I was luckily accepted into the ethical hacking team in the Dublin, Ireland lab at the ripe old age of 33. The ethical hacking team at that time was very involved in providing cybersecurity education and CTF frameworks for universities and conferences throughout the U.K. and Ireland. Some members of that team have gone on to join IBM X-Force Red. It was during this time that I really caught the gamification bug.

Gamification and Capture the Flag: What Are They?

Most people interact with some form of gamification in their daily lives. What is it? Gamification — the application of game-design elements and game principles in nongame contexts — taps into that natural human need to play, improve and maybe win sometimes. For example, we use gamification when we collect coupons at the store, participate in loyalty programs and use fitness apps. Gamification is also used in the education system — think student rankings based on GPA, dean’s lists, honor rolls, scholarships, etc.

A capture the flag exercise is a gamified set of challenges designed to teach cybersecurity skills in a variety of categories. CTF events generally have a mixture of professionals and students participating. The types of CTF are Jeopardy-style, attack-defense and mixed.

Jeopardy-Style CTF

In a Jeopardy-style CTF, participants take on challenges in a range of categories, including application security, forensics, reverse engineering, cryptography and more. Teams discover “flags” and submit them for points. Challenges get progressively harder and teams earn more points based on the level of difficulty.

Attack-Defense CTF

In an attack-defense CTF, competitors attempt to compromise systems and services with known vulnerabilities. Once a team has compromised a system, it must then defend that system against opposing teams. Participants perform the actions of a red team (attackers) and switch to the blue team (defenders) seamlessly. This game can be continuous and run for many days.

A mixed CTF is a combination of both Jeopardy and attack-defense.

Many of the challenges in CTFs are built around the OWASP Top 10 Application Security Risks or the SANS Top 25 Most Dangerous Software Errors, which give participants a feel for real-world vulnerabilities that many industries have to contend with.

How CTF Events Can Help Recruit and Train Cybersecurity Experts

The value of CTFs in terms of cybersecurity awareness, training and education is evidenced by the number of CTF events out in the wild today and the caliber of participants. CTFs are valuable for sharpening the skills of technical operators. Just like athletes who constantly train to stay in top shape, cybersecurity experts need to keep on top of their game.

From attending and building CTFs myself, I have seen how they can be used to train new hires and employees and as a tool for recruitment. Given the impending global cybersecurity skills gap that’s expected to reach approximately 3.5 million unfilled jobs by 2021 and attacks rising year after year, as a community we need to engage people sooner in the career pipeline. This is why the new collar approach — considering job candidates who lack a college degree or cybersecurity background — is so vital.

I’ve also seen how CTFs can provide an opportunity for a company to interview large numbers of people in a safe and controlled environment. I’ve observed recruiters from many companies walk the CTF floor asking people questions during an event. The benefit for recruiters is that they can witness participants showcasing their technical, social and teamwork skills in person. Recruits can discuss vulnerabilities and demonstrate how they compromised systems, how the team broke down tasks and how they solved them.

The environment of a CTF is relaxed and fun, which enables people to show their social side. This environment removes the pressure of an interview, where you’re sitting in a chair in a small room, slumping awkwardly in an ill-fitting suit and hoping you don’t answer any of the questions wrong. The CTF is the place where you can make mistakes, hone your skills and become a better professional.

Engaging and Training the Next Wave of Cyber Professionals

I am lucky enough to have been part of many CTF events over the years, and I’ve seen the concept evolve into an amazing platform for engaging employees, raising awareness and training the future cyber workforce. I am also lucky to be part of IBM’s world-class X-Force Command special forces team as a gamification engineer.

IBM Security is at the forefront in the gamification space, as is evident from the unique facilities we have in the X-Force Command Cyber Range in Cambridge, Massachusetts and the X-Force Command Cyber Tactical Operations Center (C-TOC), a security operations center (SOC) and cyber range aboard an 18-wheeler tractor trailer, now touring Europe.

Our gamified breach simulations immerse participants in a scenario that brings them as close to the endgame as possible. In this high-pressure scenario, clients can test their processes, identify gaps in their security plan and train the muscle memory that is required for when the worst happens.

My small part in this well-oiled machine is to provide the technical aspects of the cyber range offerings, building out attack scenarios in the attack-defense challenge we call Cyber Wargame. I also work on developing CTF events within IBM’s own CTF framework, doing my part to help engage and train the next wave of cyber professionals here at IBM.

It’s exciting to do this work for IBM, but I also enjoy taking my experience creating CTFs outside of my job. Last month, I was honored to have the opportunity, along with the Irish branch of the nonprofit security organization Honeynet Project, to support the inaugural cybersecurity competition at the Ireland Skills Live event. WorldSkills competitions have been running since 1950, but this was the first event in Ireland, with teams from universities across the country competing for a chance to represent the nation at a future event in a global WorldSkills competition.

The upcoming graduates’ passion for cybersecurity and vast array of knowledge were clear. Participants told me they had played in many CTFs and that they feel it gives them a better chance at employment. The interest from spectators was very high too, which was one of my main goals for this event. I really wanted to raise awareness among the public and remove some of the mystique around cybersecurity, while correcting the Hollywood notion some people have of cybersecurity.

The event was a success from a recruitment perspective, with many colleges and schools requesting an on-site event for their students. Parents and their kids asked for resources and locations where they could get more information and participate.

The security community offers many opportunities for information sharing, learning and networking, and none more so than a CTF event. Events like this can only help in tackling the cybersecurity skills gap going forward.

Discover How IBM X-Force Command Helps Teams Prepare for a Breach

The post Capture the Flag Competitions Can Help Close the Security Skills Gap appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: John Clarke

Business Continuity, C-Suite, Chief Information Officer (CIO), Chief Information Security Officer (CISO), CISO, cyber risk, Governance, Incident Response (IR), Risk, Risk Management, Security Leadership, Security Spending,

The Language of Business: Where the Board of Directors and Security Leaders Can Meet

A few years back, a business association asked me to deliver a cybersecurity presentation. I knew some in attendance would report back to their respective boards of directors, and I expected it to be a challenging session because cybersecurity knowledge and literacy would be all over the map.

It’s a situation I’ve encountered regularly. I remember in one session with about 40 people, I asked what they thought “cybersecurity” meant. Somehow, I think I got 45 different answers. Even within an organization’s board of directors, people who absolutely need to be part of the cybersecurity conversation today, you’d likely get the same variance in responses.

But I welcomed the session because it gave me an opportunity to pilot a new presentation tactic. The presentation focused more on business in general and business development as opposed to cybersecurity, and the presentation style was so outside-the-box, I was actually nervous.

To Engage the Board, Talk Business, Not Cybersecurity

Going in, I knew some of the attendees expected to hear some cybersecurity techno-babble. I did none of that. Instead, I used the simplest possible language and cartoons to disarm these senior leaders for one reason: I wanted them to feel comfortable and able to talk freely about that bogeyman topic, cybersecurity.

By focusing on business and risk instead of cybersecurity, everybody in the room was fully tuned in. Cybersecurity was just color.

You see, by avoiding the technical nature of cybersecurity, the participants made the mental jump from “cybersecurity as an IT issue” to “cybersecurity as a business and risk issue.” They saw how cybersecurity issues could impact and influence their business development plans or pose growth problems. I remember one participant emphatically saying to the group, “You just made me understand this cybersecurity thing isn’t my IT department’s problem … it’s my problem!”

And just like that, you have a new teammate.

CSOs Are From Mars, CISOs Are From Venus and the Board of Directors Are From Andromeda

There has been a great deal of discussion on whether you should have a chief information officer (CIO), chief security officer (CSO) or chief information security officer (CISO), who should do what, what reporting chains should look like, and the need for this type of specialist. The good news is that there is increased interaction between these security leaders and CEOs and the board of directors. It’s a step in the right direction.

But interaction is not enough; it’s speaking the same language that matters. To do that, you actually need to know what you’re in the business of. No two organizations are alike.

As a general observation, I’ve found that security professionals sometimes have difficulty understanding what drives business in their organization. Reading financial statements and appreciating the importance of cash flow may not be a core competency of security teams, but in practice, they should be.

The same can be said for understanding supply chains, knowing who the key customers and vendors are, and determining which costs can really impact the organization’s ability to generate revenue or meet its business mission. These are all issues that senior leaders and the board of directors care about.

Now, these same issues do not necessarily fall within a security professional’s area of responsibility, but the ability to demonstrate business acumen gives the security professional incredible influence with these other players. Therefore, if security employees can demonstrate that they have more than a one-track mind, they may suddenly find more allies within the organization.

Your Job Is to Keep the Business Going

To keep the business going, you need to know how it works. That’s why asking the right business operations questions will make all the difference. You shouldn’t be asking your colleagues, “How long can you go without a computer?” (The answer almost certainly will be, “I can’t.”) Instead, you should be asking, “You don’t have a computer for 72 hours, how do we keep the business going?” Or, “If we lose network capability for 48 hours, how do we survive the downtime?” You get the idea. Note the emphasis on teamwork.

Ask the right questions the right way and you’ll be better prepared to:

To Improve Your Cybersecurity Posture, You Need to Understand the Business

Most successful business leaders understand that rocky times are part of the normal business cycle. The best even expect rocky times, especially during business development phases. That’s not what worries them.

What worries them is if the organization has the ability and resources to weather the storm. For this reason alone, IT and security professionals need to be able to talk business to the C-suite and the board of directors, especially if new security products need to be added into the organization’s portfolio.

Make Life Easy for Your Board of Directors

With increased pressure on the board of directors to play a more active role in cyber risk governance, it is incumbent on internal cybersecurity professionals to learn what makes the organization tick by talking return on investment, cost, growth metrics, cash flow, business development, resource management and so on. If you can speak the language of business, you are better positioned to demonstrate the value of cybersecurity investments to senior leaders. You’re making their life easier, which in turn makes your life easier.

So whether it’s a few online business basics and governance courses or talking with your nonsecurity colleagues about what drives the business, it’s a worthwhile investment in the grand scheme of things.

I understand these business spaces can sometimes make security employees uncomfortable. But if you can master the business language, you’ll suddenly find yourself not galaxies apart from your C-suite colleagues and board members, but rather in the same room, working together to meet the most pressing cybersecurity and business needs of the organization. That’s a good place to be.

The post The Language of Business: Where the Board of Directors and Security Leaders Can Meet appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: George Platsis