Tuesday, September 12, 2017

Equifax Data Breach: Laws - Frameworks - Solutions


Equifax discovered the unauthorized access on July 29th. Roughly six weeks later (the public announcement came on September 7), the public was notified, and the victims of the breach, who are now potential victims of identity theft, are being offered monitoring services.
Nearly every state has enacted a breach notification statute. California's, for example, requires notification in the most expedient time possible and without unreasonable delay; notice may be delayed if law enforcement determines that it would impede a criminal investigation (Cal. Civ. Code § 1798.82). But was a criminal investigation actually being impeded, and what factors were used to deem that determination reasonable?
An amendment to that statute (AB 1710) requires an organization whose breach exposed Social Security, driver's license or state ID numbers to offer appropriate identity theft prevention and mitigation services at no cost to the affected person for at least 12 months.
It seems controversial that Equifax is offering its own monitoring service. If our home were burglarized while protected by a company's alarm system, should we accept a 12-month membership in that same company's alarm service as the remedy?
Anyone familiar with incident response will agree that it can be challenging to pin down where an exploit should be attributed, even after identifying how it occurred. Equifax CEO Richard Smith believes that the Equifax exploit occurred via SQLI (structured query language injection). SQL injection places attacker-controlled input into a query sent to the back-end database, so that the database returns or alters data the application never intended to expose. SQL injection can be prevented, and its impact contained should prevention fail.
A WAF (web application firewall) can prevent it, but WAF signatures also produce false positives that block legitimate requests, and tuning them down to avoid that can impede attractive functions of a company's flagship product or service. Government generally does not insert itself into requiring this type of protective measure.
Data-centric, end-to-end database encryption protects by making the data retrieved through SQL injection valueless to the attacker: even if a database administrator's account is compromised, what is viewable remains ciphertext. However, it can break data analytics and can be cost-prohibitive to implement. Here the federal and state governments have inserted themselves, at least for regulated sectors, by making encryption a legal expectation. FISMA (the Federal Information Security Management Act) makes NIST (National Institute of Standards and Technology) standards and guidelines binding on federal agencies, and NIST SP 800-53 Rev. 4 calls for cryptographic protection of data at rest and in transit (AC-3, AC-4, MP-5(4), SC-8, SC-28). HIPAA's technical safeguards, 45 C.F.R. § 164.312(e)(1) on transmission security, likewise address encryption for covered entities (encryption itself is listed there as an addressable implementation specification).
What level of encryption was Equifax using, and which companies offer solutions that can credibly claim compliance with the federal requirements cited above, or the ability to eliminate for your organization the threat that Equifax faced?
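As an added example (not code from the original post or from Equifax), here is the vulnerable pattern beside its parameterized fix, run against a constructed in-memory SQLite table, with a crude quote-blocking filter standing in for an over-broad WAF rule to show the false positive described above. The table contents, the payload and the filter are all constructed for this demonstration.

```python
# Added example, not code from the original post or from Equifax:
# SQL injection against an in-memory SQLite table, the parameterized fix,
# and a crude quote-blocking filter of the kind an over-broad WAF rule
# applies, showing the false positive the post warns about.
# Table rows, payload and filter below are constructed for this demonstration.
import re
import sqlite3

SAMPLE_ROWS = [  # constructed data, not real identifiers
    (1, "Ada Lovelace", "000-00-0001"),
    (2, "Miles O'Brien", "000-00-0002"),
    (3, "Grace Hopper", "000-00-0003"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE consumers (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO consumers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the caller's input becomes part of the SQL text."""
    sql = f"SELECT id, name, ssn FROM consumers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is bound as a parameter and cannot change the query's structure."""
    return conn.execute(
        "SELECT id, name, ssn FROM consumers WHERE name = ?", (name,)
    ).fetchall()


# Crude signature: reject any request carrying a quote, a comment marker or
# a statement separator. It catches the textbook payload but also blocks
# legitimate data that happens to contain an apostrophe.
NAIVE_SIGNATURE = re.compile(r"'|--|;")


def naive_waf_blocks(value: str) -> bool:
    return NAIVE_SIGNATURE.search(value) is not None


def demo() -> dict:
    conn = make_db()
    payload = "' OR '1'='1"   # classic tautology payload
    legit = "Miles O'Brien"   # legitimate name containing an apostrophe
    try:
        vulnerable_legit = lookup_vulnerable(conn, legit)
    except sqlite3.OperationalError:
        # String concatenation breaks on honest data too: the apostrophe
        # terminates the literal and the rest is a syntax error.
        vulnerable_legit = "syntax error"
    return {
        "vulnerable_rows_for_payload": len(lookup_vulnerable(conn, payload)),  # 3: every row dumped
        "safe_rows_for_payload": len(lookup_safe(conn, payload)),              # 0: no such name
        "safe_rows_for_legit": len(lookup_safe(conn, legit)),                  # 1
        "vulnerable_result_for_legit": vulnerable_legit,                       # "syntax error"
        "waf_blocks_payload": naive_waf_blocks(payload),                       # True
        "waf_blocks_legit": naive_waf_blocks(legit),                           # True: false positive
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology payload turns `WHERE name = ''` into `WHERE name = '' OR '1'='1'` and returns the whole table through the concatenated query, while the parameterized query treats the same string as a name that matches nothing. The quote filter stops the payload, but it also rejects a customer named O'Brien, and a filter that blocks on quotes alone says nothing about numeric contexts where no quote is needed; parameterization is the fix, the WAF is the compensating control.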
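As an added example (not from the original post or from any vendor's product), here is what data-centric encryption of a single column looks like at the application layer, with a keyed blind index so exact-match lookups still work after the plaintext is gone from the database. The cipher is HMAC-SHA256 run in counter mode, a stand-in chosen only so the block runs on the Python standard library; a real deployment would use AES-GCM with keys kept outside the database. The table, keys and rows are constructed.

```python
# Added example, not code from the original post or from any vendor:
# application-layer encryption of the SSN column so that a table dump or a
# DBA's SELECT returns ciphertext, plus a keyed blind index that preserves
# exact-match lookups. The cipher is HMAC-SHA256 in counter mode used as a
# keystream generator, a stand-in so the example runs on the standard
# library alone; production code should use AES-GCM (e.g. from the
# `cryptography` package) with keys held outside the database.
# Rows and keys are constructed for this demonstration.
import hashlib
import hmac
import os
import sqlite3

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per value, so equal plaintexts give different ciphertexts."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def blind_index(index_key: bytes, value: str) -> str:
    """Deterministic keyed digest so WHERE ssn_idx = ? works; it reveals equality and nothing more."""
    return hmac.new(index_key, value.encode(), hashlib.sha256).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE consumers (id INTEGER, name TEXT, ssn_ct BLOB, ssn_idx TEXT)")
    return conn


def insert_consumer(conn, enc_key: bytes, idx_key: bytes, cid: int, name: str, ssn: str) -> None:
    conn.execute(
        "INSERT INTO consumers VALUES (?, ?, ?, ?)",
        (cid, name, encrypt(enc_key, ssn.encode()), blind_index(idx_key, ssn)),
    )


def find_by_ssn(conn, enc_key: bytes, idx_key: bytes, ssn: str) -> list:
    """Equality lookup through the blind index, then decrypt only the matching rows."""
    rows = conn.execute(
        "SELECT id, name, ssn_ct FROM consumers WHERE ssn_idx = ?",
        (blind_index(idx_key, ssn),),
    ).fetchall()
    return [(cid, name, decrypt(enc_key, ct).decode()) for cid, name, ct in rows]


def dump_as_dba(conn) -> list:
    """What a DBA, or an injected SELECT *, sees: no key, so only ciphertext and index digests."""
    return conn.execute("SELECT id, name, ssn_ct, ssn_idx FROM consumers").fetchall()


def demo() -> dict:
    enc_key, idx_key = os.urandom(32), os.urandom(32)  # constructed; never stored in the DB
    conn = make_db()
    for cid, name, ssn in [(1, "Ada Lovelace", "000-00-0001"), (2, "Grace Hopper", "000-00-0003")]:
        insert_consumer(conn, enc_key, idx_key, cid, name, ssn)
    dump = dump_as_dba(conn)
    return {
        "dump_has_plaintext_ssn": any(b"000-00-" in row[2] for row in dump),           # False
        "lookup_by_ssn": find_by_ssn(conn, enc_key, idx_key, "000-00-0003"),           # [(2, 'Grace Hopper', '000-00-0003')]
        "wrong_key_recovers": decrypt(os.urandom(32), dump[0][2]) == b"000-00-0001",   # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The dump contains nothing but ciphertext and index digests, and a wrong key yields garbage rather than an SSN. The cost the post mentions is visible too: only equality through the blind index survives, so prefix, range or LIKE queries on the SSN column are no longer expressible in SQL and must be done after decryption in the application, and the blind index itself reveals which rows share a value. The stand-in cipher also has no integrity check, another reason to use an AEAD such as AES-GCM in practice.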

Wednesday, August 9, 2017

Tools to use to approach CISO strategy and how

A 10-step approach to identifying critical pieces used to build a CISO's strategic plan, and where to look for answers:

(Steps 1 through 9 prepare us for step 10.)

1. Know your role

(What to ask, or what resources can help you find answers:)

Job description, charter, org chart, who you report to, who reports to you, objectives, how your performance will be rated, what this organization believes the CISO role must achieve
2. Know your Audience

Who are the stakeholders, what are their backgrounds, what do they think is important, what do they think your role is, what do they think your role is not, do their perspectives require reshaping
3. Know your Organization

What sector(s), what flagship product or service, are they for profit, nonprofit, publicly traded, member owned, or government; what regulations govern their practices, who are their customers, where do their customers exist, CEO or board member’s vision

4. What’s your budget

Size of org, IT budget, IT Security budget, budget for HW, SW, outsourcing, training, cyber insurance policy, incident response reserves, cybersecurity premium and coverage
5. How many are on your team

The resources on your team and those who report to you are not necessarily the same answer. Projectized, functional or matrix-based organization?
6. Timelines/deadlines imposed upon you

Internal goals, litigation prep, DoD directive 8570.01 IAT proficiency levels of staff, PCI-DSS, new product delivery support, SDLC, EOL, fiscal year-end, new budget approval window, audits, ISO certifying deadlines
7. What do you have, how is it configured and where are the concerns

CMDB, Inventory, survey, assessment, policy, federated services, penetration testing

8. How are those concerns remediated and continuously monitored

Periodic reinvestigation, patch management plan, CMDB manager, change management logs, SIEM, SOC

9. What Protections/Defenses are in Place:

9a. How is your team of admins and security professionals securely managed

Privileged account management, Identity and Access Management, Multi-Factor Authentication, Change management, role overlap, checks and balances, mandatory vacations, monitoring and analysis of audit logs

9b. Tools, software, solutions, protective measures for:

Email; Web Browser; Malware; Network Ports; Data Recovery Capability; Network Device settings; Boundary; Data Encryption; Multi-factor Authentication; Wireless Access Points; Account Monitoring & Control; Application, Platform, OS-level software; Mobile Device Management, Policy, Threat Awareness & Training

9c. Penetration tests and red team exercises

9d. Incident Response Management Plan, and/or Cybersecurity Insurance
10. Where to harness efforts in the future

This is the first place you begin to affirmatively plan after addressing steps 1-9, putting the pieces together to build a strategy that meets the scope, budget, and time constraints unique to the organization. Once step 9 is reached, one feels more self-assured and confident that, "you know what you're doing and where you're going with this." The fact is, "how do I build a strategy" is a question that cannot be answered without first ascertaining these details. Failing to do so falls into the trap of offering solutions to problems that the organization either does not need solved, or is ill-equipped to solve without reshaping the answers to steps 1-9.

Bonus Step 11.

Do you really even want this job anymore? Are you going to be compensated appropriately to execute on the strategy formulated in step 10?

These ten steps assume that Risk is a function of vulnerability, threat, and consequences, divided by the controls in place.

They help posture toward adherence to CIS CSC, NIST, PCI, ISO or other frameworks, and help prepare for compliance with the regulations that govern your organization. Steps 7-9 map directly to the foundational CIS Critical Security Controls and to the NIST SP 800-53 control catalog applied through the SP 800-37 Risk Management Framework, which FISMA makes binding on federal agencies. The article conveys views and opinions but does not constitute legal advice.

You’ve likely followed these steps before, and many more. What’s your opinion on an approach to preparing CISO strategy?

Tuesday, July 25, 2017

CISA is actually a law now!

The Cybersecurity Information Sharing Act (CISA) was passed by the Senate and the House and signed by the President, becoming law in December 2015 as part of the Consolidated Appropriations Act, 2016. CISA is a law now. What is CISA? CISA incentivizes companies to share cyber threat indicators and defensive measures with the federal government. The incentives include legal protections such as limited liability and an exemption from Freedom of Information Act (FOIA) disclosure requirements. The Department of Justice (DOJ) and the Department of Homeland Security (DHS) can then share that information with each other, with state and local governments, and with private entities. Previously, such sharing could put the sharer at risk of violating antitrust and privacy laws, or of waiving privilege through FOIA disclosure (applicable to government agencies such as a DMV), all very costly violations of longstanding laws.

This is very controversial and has received heated backlash from some privacy advocacy groups and some corporations, while other corporations laud the idea of limiting their legal liability in exchange for sharing data.

There's more. Private organizations can now share with other non-federal entities as long as they justify that the information is directly related to and necessary to identify or describe a cybersecurity threat.

Is your organization taking advantage of this data sharing law? Why or why not? Some organizations are adamant that this enabled more of a Cyber Information Surveillance Act (CISA) than a CISA. Thoughts?

 ( https://www.congress.gov/bill/114th-congress/senate-bill/754)