Dell Security e book--_v.5-pg

Insight Partner Views on Cybersecurity A Compilation for Personal and Corporate Education


This eBook was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Contents

• Introduction
• The CISO role in cybersecurity: Solo or team sport?
• Security attacks and countermeasures
• Mobile device security: A new frontier for hackers
• U.S. Department of Defense sets its cloud security guidelines
• The emerging science of digital forensics
• Why fear the hackers? First invest in IT security change
• Take the next step


Introduction

Data security breaches and hacker attacks on private businesses, health organizations and government agencies in the U.S. have grabbed headlines with increasing frequency, it seems. There is zero doubt about the damage these events cause. Cybercriminals and hackers walk away with customers’ payment card information and employee data while companies and federal authorities investigate the source of the leaks and spend millions of dollars to repair the harm.

Some see these breaches as a threat to national security, and, in response, government has launched a “30-day Cybersecurity Sprint” as a tactic designed to beef up cybersecurity protocols.

Do your part in protecting information by educating yourself about cybersecurity. The “Insight Partner Views on Cybersecurity” e-book can help. By addressing security from multiple viewpoints, the e-book reinforces the need for society to build a culture that fully embraces information risk management.


The CISO role in cybersecurity: Solo or team sport?

Kevin L. Jackson, CEO, GovCloud Network

The average length of time in the commercial sector between a network security breach and the detection of that breach is more than 240 days, according to Gregory Touhill, deputy assistant secretary of Cybersecurity Operations and Programs for the Department of Homeland Security. What could happen to your company during that eight-month period? Could your company survive?

This alarming statistic is just one of the reasons why the National Cybersecurity Institute at Excelsior College (NCI) undertook the task of surveying the nation’s chief information security officers. With the support of social media campaigns from Dell cybersecurity and the International Information Systems Security Certification Consortium, also known as (ISC)², NCI was able to collect a statistically significant number of responses across eight industry verticals. Although a formal analysis of the data is still being conducted, some important early revelations have already been identified.

While the overall survey broadly covered the domain, one of the most interesting insights for me came from a high-level response from just three questions:


• What are the top three items/resources you need to accomplish your job?

• Which of the following are the top five sources of application security risk within your organization?

• Which of the following five skill sets best prepares someone to become a chief information security officer?

The survey designers worked hard not to focus just on the technical aspects of the CISO role. To that end, respondents had to choose from nine job resources, 10 security risk options and 11 specific skill sets. They also enjoyed the option of writing in a response. Although every option on each of these three questions had some takers, the most predominant answers were:

• The top resource needed to accomplish the CISO job is the support of other management leaders;

• The top source of application security risk is a lack of awareness of application security issues within the organization; and

• The best skill set for preparing someone to become a CISO is a statistical tie between business knowledge and knowledge of IT security best practices.

Some may find it surprising that neither technical knowledge, technical skills nor the technology itself is an overwhelming favorite for the surveyed professionals. So with that observation, what truths can we learn from this answer set?


To be sure, additional analysis and rigor are needed, but from a personal point of view this early data hints that technical knowledge is not the primary CISO skill requirement. It also tips a hat toward the need for robust internal education as well as a focus on reducing application security risks. For me, it also shows that a good CISO must also be a collaborative and communicative teacher across his or her organization. Is it me or do these traits describe a team leader or coach?

If you are a CISO, do these traits describe you? Are education and collaboration a core part of your company’s cybersecurity plan? Have you enabled management to give you the support needed for your own success? Can you describe yourself as the cyber team coach?


Security Attacks and Countermeasures

Sandra K. Johnson, CEO, SKJ Visioneering, LLC

Cybersecurity is rapidly becoming a significant issue in the C-suite as well as the population at large. The results of Dell’s Global Technology Adoption Index (GTAI)[1] show that security is a top concern for most of the 2000 global small and medium businesses surveyed. The outcomes further noted that such concerns create barriers to the adoption of critical technologies that drive value and growth: mobility, cloud and big data. In fact, many businesses are unprepared to address their potential security issues.

In addition, several large data breaches have raised the awareness of cybersecurity in the consciousness of the general population. For example, the Target security breach in December 2013 resulted in hackers accessing 40 million credit card records of customers from every store.[2] The Open Security Foundation’s (OSF) data loss database[3] contains information on data security breaches, including recent and large incidents. Recent breaches include 3.65 million records stolen from the United States Postal Service on November 10th and 2.7 million stolen from HSBC Bank A.S. on Nov. 12, both of this year.

Cyberattacks are on the increase, with six of the top 10 largest incidents occurring in 2013 (402 million) and 2014 (469 million to date).[1] A diverse set of industries is targeted. A mid-year breach report from Risk Based Security and the OSF[4] cited that 59 percent of reported attacks were in the business sector, followed by 16.1 percent from the government. Other reports show a data breach focus on the Finance & Insurance and Manufacturing industries (IBM),[5] and the Electronics Manufacturing and Agriculture and Mining industries (Cisco).[6]

The majority of these attacks are due to hacking, fraud and social engineering. For example, in the first half of 2014, 84.6 percent of cybersecurity incidents were due to external hacking, with an increased percentage of events exposing passwords, usernames and email.[4] The resulting breaches occur primarily through malware, including Trojan horses, adware, worms, viruses and downloaders.[6] Moreover, the overwhelming majority (95 percent) of security events evaluated by IBM include human error as a contributing factor.[5]

Data breach sources

Let’s examine these primary sources of data breaches and high-level methodologies for minimizing such events. Malware is malicious software created for egregious objectives. It is designed to disrupt IT and other computer operational environments and to gain access to sensitive data, such as personal records. Access is precipitated through various communication methodologies, such as email and instant message (IM) attachments, endpoints in an IT environment, applications and other vulnerabilities within such infrastructures as discovered by the attacker. Malware is intended to be quiet and hidden as it enters environments and is executed. There is a plethora of various types of existing malware; however, presented in Table 1 is a summary of the most active and effective malware[6] today.

Social engineering is a methodology that enables a perpetrator to persuade or induce an individual to provide sensitive information or access to the unauthorized perpetrator. The attacker is typically able to do this by exploiting the fact that most people want to be helpful and avoid confrontation. By leveraging social media, face-to-face contact, telecommunications and other communication mechanisms, attackers are able to obtain information and access, either piecemeal or holistically, that permits their access to data, networks and other infrastructure.

Minimizing or averting attacks

The best protection against malware includes anti-malware and Internet security software. Such software can find and remove the overwhelming majority of the known malware prevalent today. Lists of the best antivirus and Internet security software, according to PCMag.org[7][8], are included in Table 1 and Table 2, respectively, on the next page:

It is important that you keep your anti-malware and Internet security current, as new malware is introduced on a regular basis.

| MALWARE | DESCRIPTION |
| --- | --- |
| Trojan | Deceptive code hidden inside software that appears to be safe |
| Adware | Advertising-supported software that can collect user information when executed (also known as spyware) |
| Worm | Standalone software that replicates functional copies by exploiting vulnerabilities in targeted systems |
| Virus | Code that can corrupt or remove files, spread to other computers (e.g., via email) and attach itself to files and other programs |
| Downloader | Software that downloads executable malicious code without the user’s knowledge or consent |

Figure 1. Most active malware today

In addition, regular education is crucial for minimizing the impact of social engineering related attacks. The knowledge of how attackers can aggregate bits of information into a comprehensive collection of sensitive information is important in preventing individuals from sharing such information or providing access to ‘friendly’ people.

Finally, it is paramount that users remain diligent regarding their passwords. The data shows that the majority of information obtained by attacks relates to sensitive personal information, including passwords. Also, programs that crack passwords or obtain them from other sources are readily available. Various lists of what to do, and not do, regarding passwords are readily available and are not included here. However, while it is difficult to remember all passwords for all of the authentication and access entry points used by an individual, one rule of thumb can be helpful. Make your passwords long, include digits and symbols, and use the first letter of a phrase you are most likely to remember. For example, from a line in the poem “Phenomenal Woman” by Maya Angelou, who died this year, “I’m a woman Phenomenally, Phenomenal woman, That’s me”, one can create the password, “Iawp,pwtmMA14”. This includes the first letter of the words in this line, the poet’s initials and the year of death.

Moving forward, cyber attacks will be more prevalent, even as infrastructure, including network bandwidth, applications, mobile devices and other endpoints, becomes more prolific. It is important to always be mindful of your activities, and know that education, due diligence and the relevant anti-malware and Internet security software can address the majority of security threats.


ANTIVIRUS SOFTWARE

• Webroot SecureAnywhere Antivirus (2015)
• Norton AntiVirus (2014)
• Kaspersky AntiVirus (2015)
• Bitdefender Antivirus Plus (2015)
• F-Secure Anti-Virus 2014

Figure 2. Top Antivirus Software [7]

INTERNET SECURITY SOFTWARE

• Bitdefender Total Security (2014)
• Norton Internet Security (2014)
• Webroot SecureAnywhere Internet Security (2014)
• Kaspersky Internet Security (2014)
• McAfee Internet Security (2014)

Figure 3. Top Internet Security Software [8]


Mobile device security: A new frontier for hackers

Sandra K. Johnson, CEO, SKJ Visioneering, LLC

While mobile device security attacks are relatively small, they are the new frontier for hackers. Listed below are highlights from several mobile device surveys:

• The four top threats to mobile devices include: 1) lost and stolen phones; 2) insecure communications; 3) leveraging less-secure, third-party app stores; and 4) vulnerable development frameworks.

• One in 10 U.S. smartphone owners are victims of phone theft.

• Mobile malware attacks are increasing, with 2014 exhibiting a 75 percent increase in Android malware attacks on devices.

• The use of mobile devices to access enterprise resources introduces significant security risks.

Recent security breaches have heightened our awareness of cybersecurity issues. The Staples hack and other security breaches have resulted in unprecedented damages. However, the majority of mobile device users have yet to be sensitized to their personal and corporate security risks.

For example, a security study found that 69 percent of users store sensitive personal information on their mobile devices. Examples include banking information, confidential work-related items and provocative videos and photos. In addition, 51 percent of mobile device consumers share usernames and passwords with family, friends and colleagues. This is in spite of the fact that 80 percent of such devices are unprotected by security software.


Cyberattackers are typically attempting to obtain access to sensitive or personal data, and then use it to access financial accounts. Some methodologies used include social engineering, distributing and executing malware, and accessing data through public Wi-Fi networks.

A recent survey found that phishing and scams for winning free stuff were the most popular SMS attacks. Unsolicited SMS messages attempted to trick users into providing detailed, sensitive information about their financial accounts at major banks. The mobile malware StealthGenie secretly monitors calls, texts and videos on mobile phones. Bitdefender has been able to break the secure communications between a Samsung watch and an Android device with ease, using brute force sniffing tools. (See “5 New Threats to Your Mobile Device Security” for more information.)

These are a sampling of the numerous cybercriminal methodologies for accessing user finances and data. Listed below are some user actions for reducing or minimizing a successful attack:

• Always enable password or PIN protection on your device.

• Run scans using a respected security and malware program on a regular basis (see the best antivirus software for Android devices).

• Subscribe to managed mobile device services such as anti-malware and mobile device locator services; also lock the device and wipe all data in the event of device theft.

• Encrypt mobile device data.

• Install/run the latest versions of your device OS and all mobile apps.

• Upgrade to the most recent firmware for your mobile device.

• Do not access secure or highly sensitive information while using public Wi-Fi networks.

• Avoid clicking on ads on your mobile devices.

• Do not configure phones to allow the installation of apps from unknown sources, e.g., only download from well-known and trusted app stores (although they are not foolproof).

• Observe all corporate bring-your-own-device (BYOD) and related policies.

In addition, ISO lists some common sense advice regarding mobile devices, as included below:

• Do not openly display a device; keep it in a pocket or handbag.

• If possible, avoid using it in crowded areas.

• Properly mark your phone with your ZIP code.

• If the phone is lost or stolen, report it immediately to the police and to your service provider.

• Be aware of your surroundings and the people near to you.

• Do not leave it unattended; keep it with you at all times.

• Make a note of your phone’s IMEI number.

• Do not leave a device in view in an unattended vehicle.


US Department of Defense Sets Its Cloud Security Guidelines

Jodi Kohut, Government Cloud Computing Professional

Those watching federal cloud security in the defense space were pleased to learn the Defense Information Systems Agency (DISA) released the DOD Cloud Computing Security Requirements Guide (v1) (SRG) last month. This 152-page document outlines the security requirements that Department of Defense (DOD) mission owners must adhere to when procuring cloud-based services. While the document is very thorough and is required reading if you currently provide, or intend to provide, cloud-based services to the DOD, I wanted to cover some of the things that stood out to me.

CSPs are not compliant, but their offerings can be. The requirements guide makes it clear that there is a distinction between a Cloud Service Offering (CSO) and the Cloud Service Provider (CSP). A CSP can have multiple CSOs, all with different security postures.

This has always been the case. However, by making this distinction, DISA has reduced some areas of common confusion. This distinction should also make it clear that utilizing a compliant infrastructure as a service (IaaS) or platform as a service (PaaS) at a CSP does not make the resulting offering compliant. The CSO itself has to be fully evaluated for the Federal Risk and Authorization Management Program (FedRAMP) compliance.

Compliance responsibility is on the prime CSP. Expanding on the last point I made: Everything you put in a CSP environment is not automatically compliant. The SRG states that, “While the CSP’s overall service offering may be inheriting controls and compliance from a third party, the prime CSP is ultimately responsible for complete compliance” (p. 3). This language gives me the sense that if mission owners want to work with a federal integrator (prime contractor) to move an application to a FedRAMP-compliant or soon-to-be-FedRAMP-compliant platform or infrastructure — and that integrator will be performing Operations and Maintenance (O&M) — they will also be responsible for the compliance of the solution and the underpinning platform or infrastructure services from a commercial cloud service provider.

In essence, the solution enabler becomes the prime CSP. This is perhaps an important nuance that may have important ramifications for the integrator and those who provide what DISA dubs commercial cloud service providers. Keep in mind that the SRG also recognizes the existence of DOD-owned and operated CSPs.

FedRAMP + controls. Because DOD systems are categorized differently from other federal government systems, the SRG lists additional security controls and enhancements that are necessary to implement for DOD systems. These controls are over and above the FedRAMP moderate baseline, and as such are called “plus” controls. The SRG has dealt with privacy and security requirements as “overlays” to all of the FedRAMP and FedRAMP plus baseline controls.

Expanded CSP roles and responsibilities. (Appendix C-1). The SRG denotes that it is the CSP’s responsibility to provide Computer Network Defense (CND) services (all tiers) for its infrastructure and service offerings. CSPs must be willing to provide their own CND services and to be able and willing to contract for more advanced security services as required by a mission owner. Here again, a prime CSP must be willing and able to provide complete compliance, including Computer Network Defense Service Provider (CNDSP) services.

A few takeaways

While this is not an adequate summary of the SRG, this long-awaited guide has provided some clarification around DOD’s expectations from Integrators, CSPs, and DOD mission owners. The DOD has clearly laid out for Integrators and CSPs the expectations for inclusion into the DISA Cloud Service Catalog. It will be interesting to see how and if the definition of a prime CSP evolves and how the industry and government alike adapt to that distinction.

My initial reaction to the SRG is that it limits the playing field of prime CSPs that are able to comply with these requirements today. For small integrators trying to migrate applications to the cloud on behalf of the federal government, it makes the proposition riskier. For example, if small integrators move something to an Amazon Web Services or Microsoft IaaS solution, they are now responsible for the security of the application and that underlying environment. The way this is currently written, I believe that integrators will have to decide whether or not they will take the risk to take responsibility for the application and the underlying environment.


The Emerging Science of Digital Forensics

Melvin Greer, Managing Director, Greer Institute

Without question, the rise in cyberleaks, nation-state cyber terrorism and the breach of consumer data across multiple industry domains has led to a heightened awareness of the enterprise and personal responsibilities associated with cybersecurity. The consumerization of IT and the adoption of cloud, mobile and social media by enterprise organizations is opening a new threat landscape and new threat vectors. Everyone is affected and everyone is talking about it, from senior executives to teenagers.

In its SecureWorks “The Next Generation of Cybercrime” executive brief, Dell cites a study conducted by the Ponemon Institute, which found that “the average cost of a data breach was $7.2 million in 2010.” The rate of cybercrime and the impact of cyberbreaches have exponentially accelerated since then. This has resulted in the emerging science of digital forensics.


Digital forensics can be described as the science of preserving and analyzing digital evidence useful in the development of legal cases against cyber criminals. This new and growing field includes high-tech crime investigation and computational defense across traditional IT like hardware, servers, operating systems and networks, as well as the new digital environments of social, mobile and cloud. The emerging science of digital forensics and cybercrime investigation has become very important for national security, law enforcement, and information assurance. This convergent science combines law, computer science, finance, telecommunications, data analytics, and policing disciplines.

There are a number of companies that are responding with new digital forensic processes, methods, tools and solutions. In its digital forensics solution, Dell cites the use of a six-step digital forensic life cycle designed to leverage cloud computing and data center operations in the processing of digital evidence. Chief information security officers are using these new frameworks to:

• Improve incident response

• Develop new digital forensic techniques

• Drive new investigatory standards


The cybersecurity landscape is constantly evolving, and it’s up to business and technical leaders to evolve their cyberdefenses in response. Here are key recommendations leaders should consider:

• Update and complete an enterprise-wide security risk assessment. Identify security gaps and emerging threats

• Link strategic technology investments in security with robust and flexible processes for incident response

• Develop real-time monitoring and automated response techniques that provide real-time threat analysis

• Move from cyberdefense to cyberthreat intelligence. Develop a cyber toolkit which is more proactive than reactive

Given the continued growth of cyber activity, the emerging science of digital forensics is sure to grow along with the sophisticated frameworks required to gather, analyze and investigate evidence that leads to an increased level of cybersecurity.


Why Fear the Hackers? First invest in IT security culture change

Kevin L. Jackson, CEO, GovCloud Network

With all the news these days about cyberterrorism and hacking, the cloud may seem like the last place you would want to put your precious information. Pew Research has even suggested that cyber attacks are likely to increase. Some 61% of over 1,600 security expert respondents to a recent Pew Research survey said that a major attack causing widespread harm would occur by 2025.

The cold hard fact, however, is that fear of the cyberterrorist and hackers, while definitely valid, is mostly misplaced. I hold this contrarian view because when you pull back the curtain on many of the recent breaches, you’ll likely see a mirror.

In a recent case, sensitive data — including passwords — seem to have been stored in the clear, which is against all recommended best practices. There also may have been significant involvement from a company insider. Focusing on application hacks, some of the most devastating have been due to a failure of the application developers to follow some basic best practices for application development. Most of these breaches were not on cloud service providers. These successful attacks were on enterprise-built and managed IT infrastructures.


Our failure to protect our information and data is mostly due to our less than focused attitude toward cybersecurity. Policies, procedures and processes play an important part in preventing security incidents, but more is needed. Organizational employees must realize that they could be an entry point for hackers and be aware of their individual actions. IT professionals must follow industry standard best practices for application development, network configuration, system configuration, etc., many of which have gone through multiple iterations over the years. Everyone must also be proactive in his or her identification and response to cyber threats. What I am describing is the need for a cultural change.

Creating a risk-conscious and security-aware culture is key to protecting an organization’s information infrastructure and data assets, risk management expert John P. Pironti wrote in a 2012 ISACA Journal article. Business leaders must begin viewing information security as a benefit, rather than as an obstacle, and employ threat and vulnerability analysis – rather than fear and doubt – to drive adoption of points of view and controls.


Now, take the next step in enhancing your own cybersecurity posture!


Computer Tips

• Stay up-to-date. Use a firewall as well as cybersecurity software, such as antivirus and antispyware, that will scan for computer security threats and uninstall them.

• Shop with care. Before submitting credit card information online, look at the URL to ensure you're on an HTTPS (Hypertext Transfer Protocol Secure) site.

• Laptop security. With the proper software installed, stolen laptops can be tracked to a physical location if they are connected to the Internet. Other software gives you remote access for computer security with the ability to erase your files or send them to a secure data center for recovery via the Web.

Email & Social Networking Tips

• Avoid spam and scams. Always question the legitimacy of emails and social networking messages that ask for money or personal information. Spear phishing attacks mimic communications from a business to persuade you to divulge personal information.

• Network below the radar. Public profiles on social networking sites put you at risk by exposing information, such as your full birth date, hometown, employment history, etc., that a criminal could use to pose as you. Use privacy settings to ensure your personal information isn't public knowledge.

• Just don't. Don't open unknown attachments, don't click on unknown links, and don't share too much information online. That's a lot of don'ts, but when your identity and computer could be at risk, it's better to play safe. The rewards aren't always worth the risks.