Info Sec Pro Issue 17


  • 7/31/2019 Info Sec Pro Issue 17


ISSUE NUMBER 17

An (ISC)2 Digital Publication

www.isc2.org

The HUMAN FACTOR of Social Engineering

Mobile device malware takes social engineering to a new level with human vulnerability.


What if you could:

Have your SIEM up and running in less than 15 minutes?

Easily configure your Security Management Solution yourself without the help of hired consultants?

View the overall strength of security and state of compliance in a single pane view?

Discover and mitigate security threats before they impact your core business?

Demonstrate compliance easily with just a few simple mouse clicks?

You can! NetIQ security management solutions will get you there.

Join NetIQ for a FREE WEBCAST SERIES focused on the anatomy of modern security threats and how to build a strong defense in your organization. You will learn simple but valuable techniques on how to get your security solution up and running in minutes instead of days. You will gain invaluable knowledge on how to detect and mitigate security threats and learn about the best tools on the market that help you accomplish these goals while demonstrating compliance to current regulations.

Over 70% of Security Breaches Last Year Had Evidence in Log Files. How Secure Are You?

Enhance security and simplify compliance across your entire enterprise with NetIQ security management solutions.

LEARN HOW

REGISTER for the FREE WEBCAST TODAY!

NetIQ and the NetIQ logo are registered trademarks of NetIQ Corporation in the USA. All other company and product names are trademarks or registered trademarks of their respective companies. 2012 NetIQ Corporation. All rights reserved.


COVER PHOTO BY JASPER JAMES; ABOVE PHOTO BY LAWRENCE MANNING

issue 17

[features]

10 The Human Factor of Social Engineering
Mobile device malware takes social engineering to a new level with human vulnerability.
BY CRYSTAL BEDELL

14 Are You Ready for Next-Gen Security Audits?
New technologies, various social networking architectures and compliance regulations are a recipe for next-generation security auditing.
BY PETER FRETTY

18 How to Self Promote the Right Way
Advance in your career with strategic self-promotion.
BY SANDRA GITTLEN

[also inside]

3 Executive Letter: (ISC)2 Makes a Strong Push
From the desk of (ISC)2's Executive Director Hord Tipton.

4 Moderator's Corner: Views and Reviews
Highlights from (ISC)2's event moderator, Brandon Dunlap.

6 FYI: Member News
Read up on what (ISC)2 members worldwide and the organization are doing.

20 (ISC)2 Foundation: Shelter from the Economic Storm
Results from The Foundation's 2012 Career Impact Survey.

21 Chapter Passport
Join a local (ISC)2 Chapter and make a (secure) difference in your community.

22 Q&A: Confronting Mobility and the Cloud
(ISC)2 board member Dan Houser discusses mobility and cloud security.

24 Global Insight: A New Authentication Paradigm
Bringing an old technology back to life. BY LARS MAGNUSSEN

2012 VOLUME 1

ISSUE NUMBER 17 INFOSECURITY PROFESSIONAL 1

InfoSecurity Professional is published by IDG Enterprise Custom Solutions Group, 492 Old Connecticut Path, Framingham, MA 01701 (phone: 508 935-4796). The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2 on the issues discussed as of the date of publication. No part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other (ISC)2 product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. For subscription information or to change your address, please visit www.isc2.org. To order additional copies or obtain permission to reprint materials, please email [email protected]. To request advertising information, please email [email protected]. 2012 (ISC)2 Incorporated. All rights reserved.


ONE SECURITY REPORT | Security Intelligence Report

Malware Data From Over 600 Million Systems Worldwide

The Security Intelligence Report (SIR) is an analysis of the current threat landscape based on data from internet services and over 600 million systems worldwide to help you protect your organization, software, and people.

View the Security Intelligence Report at www.microsoft.com/SIR


EXECUTIVE LETTER: FROM THE DESK OF THE (ISC)2 EXECUTIVE DIRECTOR

Safe and Secure for all Generations

THE (ISC)2 MISSION: SERVE NOT ONLY INFOSEC PROFESSIONALS, BUT ALSO REACH OUT TO THE NEXT-GENERATION.

IT SEEMS A NEW YEAR has just begun, and suddenly, we're nearly three months into it. We've hit the ground running, with new Board members, a new career survey (see page 20) and new plans for the 2012 Security Congress conference in September. And we're not slowing down anytime soon. We have much to look forward to this year, thanks to our ever-energetic, dedicated staff and members.

As I look at how far we've come in our 20+ years, I can't help but remark on how our organization and our membership have evolved. We originally focused on CISSP as the credential for someone who mastered security and required five years for that certification. We have since broadened our mission to serve other communities, developed other robust credentials, and we continue to add to our list of certifications and resources.

Our approach today is to reach out to all generations, to develop an awareness of and an interest in information security as a stable yet vibrant career choice. Our member volunteers now have more than 1,000 hours in teaching our Safe and Secure Online program, and we're working with other non-profits in educational segments around the world to help spread the knowledge throughout secondary schools to make cyber security awareness a lifelong pursuit.

We know that security threats are at the top of your radar. It's our job to arm you with the most useful and informative resources in order to prepare for and combat the most difficult security issues. The top challenges of note fall into three areas:

Social media: This communication channel is becoming a way of life, blurring the boundaries between our personal and professional realms. From businesses, to educational institutions to young children, social media is a vehicle that facilitates not only global communication but also social engineering and identity theft.

Mobile technology: Mobile technology is much more sophisticated than ever. As Jayson E. Street, CIO at Stratagem 1 Solutions, notes in our "Human Factor of Social Engineering" article in this issue (see page 10), mobile phones are not phones. They are computers that make phone calls. Mobility alone changes the security landscape.

Application security: Social media, mobile technology and applications create the perfect security storm. The more applications on the network, the more vulnerabilities in databases and elsewhere. We are continually monitoring these areas so we can provide you the professional development tools you need to stay ahead of them.

If you have expertise in any of these areas, we'd love to have your input and your presentations. As we prepare for the second annual Security Congress, which takes place in September in Philadelphia, Penn., U.S.A., we are seeking your knowledge to share with other members and conference attendees. You can submit your papers online at https://www.isc2.org/conferences.aspx.

In the meantime, be sure to check out this issue's articles on social engineering, audits, and, of course, the Foundation column, which features results of the (ISC)2 2012 Career Impact Survey.

Sincerely,
W. Hord Tipton
CISSP-ISSEP, CAP, CISA, CNSS
Executive Director, (ISC)2

ISSUE NUMBER 17 INFOSECURITY PROFESSIONAL 3


4 INFOSECURITY PROFESSIONAL ISSUE NUMBER 17

Management Team

Elise Yacobellis, Executive Publisher
727-683-0782, [email protected]

Timothy Garon, Publisher
508-529-6103, [email protected]

Marc G. Thompson, Associate Publisher
703-637-4408, [email protected]

Amanda D'Alessandro, Corporate Communications Specialist
727-785-0189, [email protected]

Sarah Bohne, Senior Communications Manager
616-719-9113, [email protected]

Judy Livers, Senior Manager of Marketing Development
727-785-0189 x239, [email protected]

Sales Team

Christa Collins, Regional Sales Manager, U.S. Southeast and Midwest
352-563-5264, [email protected]

Jennifer Hunt, Events Sales Manager
781-685-4667, [email protected]

Lisa O'Connell, Regional Sales Manager
781-460-2105, [email protected]

IDG Media Team

Charles Lee, Vice President, Custom Solutions Group

Alison Lutes, Project Manager

Joyce Chutchian, Senior Managing Editor
508-628-4823, [email protected]

Kim Han, Art Director

Lisa Stevenson, Production Manager

ADVERTISER INDEX

IEEE p 13
ISACA p 25
(ISC)2 p 5; p 9; Inside Back Cover; Back Cover
Microsoft p 2
Novell Inside Front Cover
University of London p 17

For information about advertising in this publication, please contact Tim Garon at tgaron@isc2.org

MODERATOR'S CORNER: VIEWS AND REVIEWS FROM (ISC)2'S EVENT MODERATOR

2012: The End of the Beginning?

ACCORDING TO SOME ANCIENT CALENDARS, 2012 marks the end of days for life on Earth. As the so-called fateful year begins, I can't help but think they had it all wrong. This year is like every other; a new year with a new beginning. Perhaps it's my optimism as I emerge from the long dark winter. Maybe I haven't lost my youthful idealism (naiveté?) after all. Either way, I think that this is our time, as security professionals, to push through our historical baggage and seek a new way forward.

This year should be the year that we break out of our IT silos and run through the organization with our banners held high above our heads. We should be seeking to co-opt or coerce our peers across the org chart to come to our side. This is the year of convergence, but not in the way that we have been led to believe.

2012 is the year we push our business sense in the right direction. Metrics, as we will discuss in this issue of InfoSecurity Professional, are a big part of our business mindset. While we have spent a lot of time in the past couple of years discussing the metrics of security, I pose the following question: Is there really such a thing as a metric for how secure we are? Instead, I suggest we track our operations like they were a business unto themselves. I would go so far as to posit that there is no such thing as a security metric, only performance metrics about how well our security program is functioning.

To that end, we can develop our metrics programs with an eye toward other areas of the enterprise in which we can become much more ingrained. For example, as (ISC)2 has continued to deliver their Security Leadership Series on the software development lifecycle, we have begun to introduce more topics in our Web series. In the waning days of 2011, we discussed the risks associated with open-source software (link to the archive, which qualifies for CPEs, can be found here: http://bit.ly/OpenSourceRisks). This represents some phenomenal opportunities to introduce quality-oriented security metrics into our development processes. This is but one example of how we can wave our banner across the enterprise, showing ways in which the security function can help fix areas of inefficiency and quality, with a keen eye on the business benefits of oversight.

Continuing in the same vein, and while it may seem like a long way off, (ISC)2 and ASIS will be joining forces again in September for Security Congress, this time in Philadelphia, Pa., U.S.A. Based on last year's success, this program promises to truly bridge the gap across the great divide between traditional and logical security.

I'm feeling pretty good about 2012. What about you?

As always, I look forward to continuing the conversation,

Brandon Dunlap
Managing Director of Research, Brightfly
[email protected]
www.brightfly.com


Connect with us!
www.isc2intersec.com
http://twitter.com/isc2
www.facebook.com/isc2fb

Want to be the best at what you do? Just Concentrate.

Are you considering the next steps to further develop your information security knowledge and progress your career? Take it to the next level with a CISSP Concentration. CISSPs with two years of professional experience in one of the functional areas of architecture, engineering or management may seek a CISSP Concentration.

Watch the FREE webcasts on each domain and the value of holding the CISSP-ISSAP, CISSP-ISSEP or CISSP-ISSMP to learn more. Concentrating may open up new opportunities, including more demanding roles in larger enterprises, more education opportunities and a specialized certification to recognize your talents.

Watch the Free Domain Webcasts for the CISSP-ISSAP, CISSP-ISSEP or CISSP-ISSMP
www.isc2.org/previews


6 INFOSECURITY PROFESSIONAL ISSUE NUMBER 17

FYI: (ISC)2 MEMBER NEWS

Introducing: (ISC)2 Security Central

(ISC)2 SECURITY CENTRAL is the new online resource for security professionals and the public at large. It focuses on providing valuable resources for those interested in the security field and increasing security awareness. (ISC)2 Security Central brings together information from (ISC)2, industry organizations, security practitioners and more. In addition to searching the site for useful resources, (ISC)2 members and other security professionals are encouraged to contribute their security events, publications, white papers, podcasts and more to share with other site users. Stay tuned for more details soon on how you can contribute your resources to the site and begin using (ISC)2 Security Central.

New Year, New Board

(ISC)2 IS PROUD TO ANNOUNCE the following new members of its Board of Directors, who will serve three-year terms, effective January 1, 2012. The (ISC)2 Board provides governance and oversight for the organization, grants certifications to qualifying candidates and enforces adherence to the (ISC)2 Code of Ethics. Please welcome the following new board members:

Daniel D. Houser, CISSP-ISSAP, CSSLP, Senior Security and Identity Architect for a Global 100 healthcare organization (U.S.)

Wim Remes, CISSP, Manager of Information Security at Ernst & Young IRA FSO (Belgium)

Prof. Jill Slay (AM), Ph.D., Fellow of (ISC)2, CISSP, Dean: Research in the Division of IT, Engineering and the Environment at the University of South Australia and Professor of Forensic Computing (Australia)

Greg Thompson, CISSP, Vice President and Deputy CISO at Scotiabank (Canada)

The elected board officers for 2012, serving a one-year term, include:

(ISC)2 Board Chair, Freddy Tan, CISSP (Singapore)

(ISC)2 Vice Chair, Benjamin Gaddy, CISSP, CSSLP, SSCP (U.S.A.)

(ISC)2 Board Treasurer, Flemming Faber, CISSP (Denmark)

(ISC)2 Board Secretary, Richard Nealon, CISSP, SSCP (Ireland)


ISSUE NUMBER 17 INFOSECURITY PROFESSIONAL 7

(ISC)2 and ASIS International Team Up Again: 2012 (ISC)2 Security Congress Registration Now Open

(ISC)2 AND ASIS INTERNATIONAL have teamed up once again for the largest security event of its kind in the world. The second annual (ISC)2 Security Congress (www.isc2.org/conferences.aspx), colocated with the ASIS International 2012 58th Annual Seminar and Exhibits, will take place September 10-13, 2012 in Philadelphia, Pennsylvania, at the Philadelphia Convention Center. These events will bring together more than 20,000 security professionals from all disciplines, providing attendees with professional development opportunities that span both the traditional and information security landscapes.

(ISC)2 members have exclusive access to members-only events such as a networking reception and Town Hall Meeting, not to mention a significant discount on regular conference registration pricing. To register, visit www.isc2.org/congress2012

ISLA Asia-Pacific Call for Nominations (Opening in March)

THE CALL FOR NOMINATIONS for the sixth annual (ISC)2 Asia-Pacific Information Security Leadership Achievements will open in March 2012. Now is the time to recognize an information security professional in the region who deserves to be nominated for their leadership and innovation in the information security workforce. For more information, visit www.isc2.org/isla.

Don't forget to take the quiz and earn CPEs: http://bit.ly/A7vA9A

For a list of events (ISC)2 is either hosting or sponsoring, visit www.isc2.org

SAFETY FIRST: Safer Internet Day

SAFER INTERNET DAY, organized by Insafe, which is co-founded by the European Union, is celebrated annually in over 65 countries throughout Europe in early February. The Day recognizes the importance of the Internet in the lives of children. Now in its ninth year, the theme for 2012's Safer Internet Day, "connecting generations and educating each other," emphasized the complexity of challenges currently faced by children in their digitally connected lives. On February 7, 2012, (ISC)2's UK-based Safe and Secure Online volunteers visited 19 schools, educating more than 4,000 students across the UK. For more on Safer Internet Day, visit www.saferinternet.org/web/guest/safer-internet-day.

    8 INFOSECURITY PROFESSIONAL ISSUE NUMBER 17

Survey Says: Positive InfoSec Career Outlook for 2012

A SPECIAL THANK YOU to the 2,250+ (ISC)2 members around the world who participated in the 2012 (ISC)2 Career Impact Survey. The results are in, and the infosec industry remains steadfast with a bright future ahead. Read the Foundation column on page 18 for more information. Full results are available at https://www.isc2.org/industry-resources.aspx.

NEW! Introducing The (ISC)2 Knowledge Vault

THE (ISC)2 KNOWLEDGE VAULT interactive video series offers quick advice and features from (ISC)2 and InfoSecurity Professional magazine. It's a one-stop shop for security resources that can also be shared via Twitter, Facebook, LinkedIn, etc.

Take a look at this online video and content series, and check back often for new videos, valuable security resources and exclusive online issues of InfoSecurity Professional magazine! Visit http://bit.ly/xoR6n

Tout It Out!

See the latest blog posts by fellow (ISC)2 members on the (ISC)2 blog at http://blog.isc2.org. Share your innermost thoughts, advice and expertise with other industry pros today.

As Seen in SC Magazine

THE SC MAGAZINE COVER STORY, "The New Wave; Modern Security Education," examines hands-on programs for students pursuing Infosec careers. The (ISC)2 Foundation's scholarship program is highlighted in this article.

(ISC)2 Helps Aspiring Pros Prepare for Careers in Cyber Security

(ISC)2 HAS ADDED the Certified Secure Software Lifecycle Professional (CSSLP) and Certified Authorization Professional (CAP) credentials to its Associate of (ISC)2 program to help fill the pipeline of qualified information security professionals. Candidates who pass the CISSP, CSSLP, CAP or SSCP certification exam but lack the professional experience required to become certified will be granted Associate of (ISC)2 status until they meet the necessary experience requirements (within the allotted timeframe for their preferred certification). The Associate of (ISC)2 program is also a great resource for universities around the world looking to assist graduates as they transition into the professional world.


(ISC)2 Global Awards Program

People, processes and policies are all necessary to protect and secure information assets. (ISC)2 recognizes the professionals who are leading the way and making a difference in this ever evolving industry, honoring their tireless efforts and standards of excellence in the field of information security.

For more information on the awards program, gala dinner ceremony or to nominate an outstanding information security professional, visit www.isc2awards.org

Nominate in March / Nominate in May / Nominate in May


10 INFOSECURITY PROFESSIONAL ISSUE NUMBER 17

The HUMAN FACTOR of Social Engineering

Mobile device malware takes social engineering to a new level with human vulnerability.

by CRYSTAL BEDELL

There are plenty of reports on mobile malware and its pending explosion. It seems as if the media and antivirus vendors would have IT professionals holding their breath as they wait for a wave of malware to hit smart phones and tablet PCs. While the threat of mobile malware is real and likely to become more serious, another critical threat to mobile devices is already well underway. It doesn't rely on vulnerabilities in the operating system, so it can't be patched. It relies on human vulnerability. We're talking about social engineering.

Attackers are conducting social engineering attacks via smartphones and tablet PCs to gather personal data from unsuspecting users. When those same devices are used to access the corporate network and its resources, the corporation is at risk. "There's a significant chance that whatever credentials are stored on the phone will be collected, and a large chance that those credentials are shared by other apps within the corporation," says Ryan O'Horo, senior security consultant at IOActive.

With these credentials, attackers can log into the VPN and get access to the corporate network, read users' sent emails, write and send email, access employee portals and collect contact information to conduct further social engineering attacks.

"The majority of corporations are not doing their due diligence for social engineering preparedness. Now that they have laptops and phones with information on them, it means that the threat to security for the corporation is increasing instead of decreasing, even if they are attempting to keep pace with it," says O'Horo.

Social Engineering on Mobile Devices

Social engineering attacks can be carried out in a number of ways on a mobile device. Similar to spam and phishing attacks via desktop IM and email clients, attackers are using SMS messages and mobile email to social engineer users of mobile devices. SMS message spam can become a nuisance


and rack up exorbitant service fees for the user. Forged emails and email spam can appear more legitimate on a mobile device, given the screen real estate and users' propensity for brevity when sending email from a mobile device.

Attackers also use social engineering to sell illegitimate applications to users. Social engineering techniques are used to convince the user to download applications. The app may be promoted as solving a particular problem or be associated with a popular movie or other cultural trend to make it look appealing. Simply offering the application free of charge motivates unsuspecting users to click the download button. Oftentimes, the actual application may serve a legitimate purpose, but collect personal data in the background when the user accepts the terms and conditions for use.

Research firm Loudhouse conducted a mobile device security survey for vendor AdaptiveMobile and found that an average of 84 percent of all apps downloaded were free, compared to just 16 percent paid. Furthermore, users are willing to risk their personal information to avoid paying for applications. Twenty-five percent of survey respondents said they would be willing to download a free app that might contain personal information over a paid app that definitely did not.

Loudhouse evaluated the data usage of 40 applications drawn from the top 20 free applications and top 20 free games available for download across the iPhone and Android stores and marketplaces. Case in point: from those 40 applications, Loudhouse found that collected data was passed on to more than 146 domains.

Psychological Principles at Work

Social engineering attacks via mobile devices work on the same principles as those delivered via desktops. "The topic is new: the considerations for social engineering related to mobile platforms. But they're not much different from our classic social engineering threats that are still persistent, and we're not dealing with it very well," says O'Horo.

Jason Rhykerd, consultant, SystemExperts Corp., agrees. "It's the same concept and the same philosophy, just a new attack vector," he says.

Regardless of the attack vector, social engineering exploits a user's propensity to trust others. The attacker takes advantage of this trust to manipulate the user into performing an action, say, clicking on a link in an email, or sharing confidential information. "The difference between a social engineering attack delivered via a desktop vs. a mobile device, from a psychological perspective, is the threshold of acceptability," says Jayson E. Street, CIO of Stratagem 1 Solutions. "The threshold of caution is lower. People are less cautious on their mobile device than on a computer. They are more likely to click on a link," Street says.

Street explains that the same email sent to a recipient on a mobile device and a recipient on a desktop is more likely to be opened by the mobile device user. Users have been educated on social engineering threats for computers, but they don't yet understand that those threats also exist on their mobile devices. "We've schooled ourselves that there are threats for computers; be careful about email on your computer. Information security has not figured out a proper way to explain to people that it's not a phone; it's a computer that makes phone calls," says Street.

"Information security has not figured out a proper way to explain to people that it's not a phone. It's a computer that makes phone calls." JAYSON E. STREET, CIO, Stratagem 1 Solutions

ILLUSTRATION BY CHRISTOS GEORGHIOU

12 INFOSECURITY PROFESSIONAL ISSUE NUMBER 17


ISSUE NUMBER 17 INFOSECURITY PROFESSIONAL 13

The trust that users have in their landlines has carried over to smartphones. In the eyes of the user, the device is a phone, not a computer. This is evidenced by the buying cycle, explains Street. People don't buy a new computer every year. And yet, this is becoming the norm for smartphones. Meanwhile, smartphones are becoming increasingly accessible to users who are less tech-savvy. As the price goes down, the number of users goes up. Attackers can easily exploit the inherent trust people have in their phones and use it against them.

The form factor and way that mobile devices are used also lend themselves to a lower threshold of acceptability. For example, it is easier to forge an email to be read on a mobile device because users are likely to write sparingly. A user writing an email on a mobile device is likely to be on the move, perhaps in a rush. The email gets right to the point. Because of the small keyboard, recipients are more forgiving of grammatical and spelling errors.

Users are also more likely to click on a link delivered to them on a mobile device than they are to click on that same link via their desktop. "People want to do as little as possible to get what they want," says O'Horo. That means clicking on the link without taking any precautionary measures, especially when those precautionary measures are difficult to execute.

"We've trained people to hover over a link to see where it's going or to type directly into a browser instead of clicking. But these things are harder if not impossible on a cell phone. Users would rather click on a link than type it, and hovering over the link is not easy to do on a phone," says Rhykerd.

Defense Measures

Defense measures are in order to protect end-users and corporate assets. "It goes back to the basics. One of the most important factors with social engineering, phishing and spam is education and understanding. We don't click on links unless we know what they are. It's a simple answer. But it's an honest and true answer as well," says Rhykerd.

Corporations can have policies about what can be on mobile devices, but it doesn't mean they have the tech controls as well. That's where the human element enters the picture. "With social engineering, the weakest link is the human, and it's always different. The most bang for your buck is that end-user education. With different attack vectors creeping up on us, it's time for some updated education," Rhykerd says.

User education starts with teaching people that their smartphones and tablet PCs are mini-computers that require cautionary measures similar to their desktops and laptops. However, users do not patch their mobile devices and for some vulnerabilities, no patches exist. For example, Street says Apple does not release patches for iOS, so every single user still using older iPhones remains vulnerable. There are apps to help secure Android smartphones, but those are less vetted and may cause more harm than good. For this reason, users need to be more careful with their mobile devices than they currently are with their desktops.

"When we're talking about social engineering, the patch is called awareness. It's called education. People are smart and intelligent. They just need to be made aware. They aren't going to do something to expose themselves, they just need to understand what the threat is and that it's real," Street says.

Crystal Bedell is a Washington-based, award-winning writer specializing in information security and computer networking.

Become an IEEE Certified Biometrics Professional

Learn more and register today! www.IEEEBiometricsCertification.org

Why CBP?

The IEEE Certified Biometrics Professional (CBP) program has two major components: Certification and Training. Professionals and organizations can both benefit from the IEEE CBP program. Key advantages are:

• Prove your knowledge
• Increase your credibility
• Learn a baseline of industry knowledge
• Train employees
• Gain a competitive advantage

    ARE YOU READY FOR NEXT-GEN SECURITY AUDITS?

    NEW TECHNOLOGIES, VARIOUS SOCIAL NETWORKING ARCHITECTURES AND COMPLIANCE REGULATIONS ARE A RECIPE FOR NEXT-GENERATION SECURITY AUDITING. by Peter Fretty

    Photo by Lawrence Manning

    It's a given: Life in IT security is life in the fast lane. And as change occurs at superfast speeds, enterprises rely heavily upon new technologies and processes to provide true competitive advantages. For security professionals, this means it's time to prepare for the next-generation security audit.

    "The next-generation security concept encompasses everything from multi-barrier network protection to context-aware computing to artificial intelligence," explains Damon Petraglia, CRISC, director of forensic and information security services with New York City-based Chartstone Consulting.

    "When you combine new and advanced technologies with social networking, different architecture approaches, cloud computing and confusing compliance regulations, you have the recipe for a thousand different approaches to information security and security auditing," he says. "Each of these (social networking, architectures, cloud, and regulations) must be considered on many levels, including business need and return on investment, as well as a risk management framework. The question is simply: If we implement a given business solution, can the risk to the organization be reduced to an acceptable level while retaining maximum benefit of the solution?"

    According to Petraglia, the difficulty addressing this question is that far too often the audit mentality drives security professionals. "This may be effective for compliance purposes, but compliance does not always equal security," he says. "Security professionals need to understand that compliance is yes or no, on or off, black or white, and security is a million shades of grey. No system is ever 100 percent secure, and the security professional must understand that any given business needs to function within an acceptable level of risk. It is this balance that the organization must strive for and the security professional to assist or guide in implementing."

    Michael A. Davis, CEO of Tinley Park, Ill., U.S.A.-based Savid Technologies, Inc., agrees, adding that these new technologies and business models change the auditing paradigm because they require auditing on third parties at deeper levels.

    "The problem with these factors is that most of the other disruptive technologies auditors had to deal with were simply new technologies: new, faster and better ways to do something everyone understood," Davis says. "However, social media and cloud computing are new business models and methods of collaboration, meaning many audits need to start by simply understanding the factors before trying to audit them. Also, most IT audits deal exclusively with IT, whereas cloud and social media incorporate non-IT folks, meaning the auditor's communication skills must improve as well."

    NEED-TO-KNOW BASIS

    As security professionals develop audit strategies, the need to keep up with technology, regulations, and new threats is not only a difficult task, it's also essential.


    "Organizations can prepare themselves for success by revising and improving their security risk management process to have the ability to address special topics outside the normal annual assessment," explains Doug Landoll, Denver, Colo., U.S.A.-based author of The Security Risk Assessment Handbook. "They can also ensure assessment professionals are aware of the risk associated with new technologies, threats, and regulations," he says. Davis suggests hiring outside help to assist if your assessors are not familiar with these new technologies.

    There is also a need for security professionals to focus on improving their understanding of the business processes, security and technical perspectives, as well as risk management. "Security professionals need to be much more diverse and dynamic now than ever before. They need to understand the business industry, standards, and applicable requirements, and the core and advanced security concepts called upon," says Petraglia.

    Petraglia adds that the real key is being able to integrate all of these aspects so the security professional can holistically view the posture of a given network rather than by individual security compliance requirements. "The security professional must be able to understand the interdependencies and interactions between platforms and technologies, and identify inherent weaknesses and vulnerabilities as a result of the interdependencies, all while providing technical and procedural solutions to ensure maximum business process with minimum level of risk," he says.



    FIELDING FRESH PERSPECTIVE

    Organizations need to understand and employ the basics first, then the advances in technology for next generation, explains Petraglia. "Anything can be transitioned into the business processes with little or no difficulty. Both the business and security professional need to realize that technologies such as cloud or social media are increasingly necessary for the viability of the organization; it is simply how to minimize the risk when implementing the solution," he says. "Any business or technical process has a lifecycle. It's crucial to incorporate core security concepts and controls into the lifecycle of any given process."

    According to Petraglia, taking a basics-first approach will ensure better security as well as better control of the investment, as security is not retrofitted. "Security must be considered from conception through disposal of technical and business process by both the organization and the security professional. Next-generation technologies and concepts are easier to deal with from either a business or security perspective if one understands the basic concept of risk management," he says. "Integration and advanced technology is here to stay and will continue to evolve at speeds faster than we've ever seen. Unfortunately, the same can be said for the threats that face our businesses, systems, and data. Managing and balancing the risks through the thorough understanding of the technologies, security, and business processes by both the business owners as well as the security professionals is the key."

    A REFINED APPROACH TO SECURITY

    For many, the concept of working with increasingly third-party data sources, such as social media and the cloud providers, means the perimeter of the organization starts to melt away, and organizations need to embrace a refined approach to security. This is a significant transition, according to Davis.

    "Most security professionals use security policies that follow the castle and moat paradigm, where the company has a bunch of data on a bunch of servers at its internal data center. In this scenario, the company controls what goes in and out by putting guardians at the front gates and forcing people to come in over a moat," he says. "Firewalls, intrusion detection and prevention systems, and Web application firewalls all work following this paradigm, but every major breach analysis has shown that data is much less likely to be stolen because of a vulnerability in the transport mechanism."

    However, it's important to realize that the biggest risk is not on the outside. It often involves the people who live and work within the castle: authorized and authenticated users with legitimate access to data, whose network access can be taken over by malware and attackers, explains Davis.

    "Cloud services, globalization, and collaboration have turned the security paradigm on its head as legitimate users are using these services to get work done, but don't realize the security implications," Davis says. "The most effective way a security professional can adapt to the new environment is to implement data-centric security. To do that, we need to articulate what makes data-centric security different from what most security professionals are doing now."

    The data-centric approach works whether dealing with social media, cloud, or the next big technology advancement, Davis says. He suggests referring to the Four Ws for the data-centric security model: Where is the data? What is the data? Who has access to it? And why do they need access? After all, Davis says, no matter what the technology does in the future, your data is still data, and it needs protection.

    Peter Fretty is a freelance business and technology journalist based in Michigan.

    WHY NEXT-GEN SECURITY AUDITS?

    Here are a few of the key components fueling the need for next-generation security audit procedures:

    • SOCIAL NETWORKING: "Whether through company-sponsored blogs, employee access to Facebook, or outsiders posting negative Yelp reviews, an organization needs to first understand its exposure through a social media risk assessment," explains Doug Landoll, author of The Security Risk Assessment Handbook. "These risks can be remediated through improved security awareness training, updated policies and procedures, and the implementation of new technology or services," he says.

    • CLOUD COMPUTING: In this scenario, services and business unit systems are handled by an external service instead of an internal IT department. "To be prepared for the next-gen audit, security professionals need to understand how the cloud provider plans to meet organization security requirements, and demonstrate that they will continue to meet them as they evolve," Landoll says. "A cloud service risk assessment can document the security requirements, point out the areas of risk, and provide recommendations for required contractual elements necessary to maintain adequate security."

    • COMPLIANCE REGULATIONS: Compliance regulations change often, and their interpretations and accepted application even more so. As such, keeping up with PCI v2.0, HIPAA/HITECH/Meaningful Use, and the constantly changing privacy regulations can be an insurmountable task. "Organizations need to change their approach from chasing regulations to proactively creating a security program based on addressing risks," says Landoll. "Such a program typically already contains the essential elements called for in regulations."


    Gain crucial cyber security skills for your senior level career

    With our prestigious MSc in Information Security by distance learning you will:

    - Gain expertise in the technical, legal, commercial and people aspects of Cyber Security.
    - Tap into the commercially relevant knowledge of Royal Holloway's leading academics, which is based on their research and practical consultancy experience.
    - Earn CPE credits on standalone modules.

    You will become part of a network of over 2,000 industry professionals who have participated in Royal Holloway's cyber security programmes.

    Join Royal Holloway on facebook and contribute to the debates on information security: www.facebook.com/ISGofficial

    "This course has the best reputation. I would thoroughly recommend it." Andy Smith has over 20 years' experience in information security. He chose Royal Holloway as he was looking for a Masters programme that would provide the theoretical underpinnings to support his practical experience.

    Join our professional network. Find out more: www.londoninternational.ac.uk/infosec

    Photo by Andy Roberts

    How to Self Promote the Right Way

    Like most careers, up h n n uy,yu hv b l-p; hng yu wn

    wh yu upv nd h pny whl.

    Y yplly, llng nn nl un un-

    h p lw pl d dpd by

    uy pnl.

    T n nhn y n uy h p ppl

    ng h wn hn, y Sh Lvnn, n xuv

    h h hnlgy, n nd nnl ndu n

    Bln, M., U.S.A. Ty l nd hn h -

    plhn huld p hlv.

    Ununly, h hdng bl p ny n I

    uy u n u. nnd ldhp pn, uy pn-

    l u undnlly hng. hy huldn g und

    by h l-pn, whh h pjv n-

    ng. Ind, hy huld nd hng plhn n

    nl p dvnn, h y.

    A gnn bl ny uy pnl -

    phng n nvd xp n udyng l nd vn lg

    n xv wh nbu h bun whl. T

    hgh up yu g n h gnzn, h l yu pnd

    ully dng h jb, nd pn unng

    h hw h jb dn, dng Lvnn.

    Expng n hng vngh p d,dng Jnn Kuh, CIO h Fnln W. Oln Cllg

    Engnng n Ndh, M., U.S.A. Kuh, wh v

    uy p h xuv l, y uy p-

    nl nd b hd n bun l l ly n h h

    nn h.

    F nn, lw-lvl uy pn nd v-

    whl h upv wh ny hnl dl. A hy

    lb h p ldd, hy ln p wh lvn

    h udn. Runnng n y nd yng h P X

    puhng uh Y dn u . I nd nw why p-

    n nd hw yu gng lv , Kuh y

    H p n hw pg bng h pnllwng uy gy h n ng .

    Self-promotion doesn't have to be a dirty word. A good strategy can help you advance your career. by SANDRA GITTLEN


    Start at the Start

    Suy pnl wh dy dvn h huld l lly

    n gnznl h nd gu

    u nbl ph.

    F nn, d yu wn y n

    h hnl d hng

    u n bun whl? A

    yu wllng ng ppl?

    T nw h qun wll

    llun gp n yu hd nd f

    l l. F nn, yu wn v

    n h bun d, hn yu gh

    wn llg nnung du-n u n nn, ng

    nd h y . I yu l ng-

    n xpn, hn yu n nd

    whp gn b ll. And

    yu wn bdn yu nwldg

    h gnzn vlu, hn

    yu n gn up bwn-bg lunh

    bu h dvn bun un

    ld hlp yu g up pd.

    Communicate Your Intent to Your Manager

    Whl gh dunng, h-

    ng yu gl l p

    n hvng h. Gng bhnd yu

    upv b fn p -

    gy h n b. M upv

    wn hlp nd hv n-

    y u, Kuh y.

    Mng n gn budg ppvl

    nd yu pnl dvlpn

    n nd h dunl pp-

    un. Ty l hv ngh n hun bun nd h gn-

    zn whl h uld p yu

    ph.B yu h bg ng

    wh yu b, u yu hv

    nbl pln, y Bh R, n xu-

    v nn h n Nw

    Y, U.S.A. F nn, vlng

    ul-dy nn n yu l,gu u hw yu jb wl l b vd

    dung h .

    Mng u undnd why

    yu pnl gwh wuld b

    dvngu h pny, h dd.

    Sh nd ng l vbull pn h py h nbu-

    n yull h pny n-

    lly wh nng nd n

    nd, ully, hgh pn.

    Develop a Fan Base Beyond Your Cubicle

    Wh uh hd-dwn pn, u-

    y pnl fn nd hlv l whn ghng

    hng .Dng pl hng, uh -

    ng h lng wy h lunh, n

    quly l h ly. Yull hv h

    ppuny y hll -w

    nd vnully up lng nv-

    n h hlp yu b undnd

    h jb unn, Lvnn y.

    Yu l n jn p-wd

    nun ply n

    h bun un. Hwv, yu u

    vly pp n h ng b

    n ply, R wn.Suy pnl n g nd

    whu ppng u h

    zn n , dng

    Kuh. Sh nd vlun-

    ng dvlp nd ld nng n

    n ug pl nd pdu. O

    yu n d wly l bl

    h gnzn n ly p uh vu nd ud. h l

    blh yu nwldg ld wh

    n ully un nd

    lun hghly gdd ll

    ng h upp n.

    Prove You Have Skin in the Game

    b ndd pn, yuhv b n nvd n h vll

    wll-bng h pny.On pph wuld b nl

    vyhng yu ln n, w-

    hp nd h l n n ppuny

    h pny. F nn, yu

    lnd bu p pdu h

    wuld w n

    dd h b ln, xpln why n

    b . Sh hndu b-

    hu wh p, ng nd xu-

    v, R y.

    Sh nug uy p-

    nl, hy g xpu h bun un, dny wy

    pv p v ny.

    Suy pnl huld

    ln nd dv p wh-

    u xpng d pnl gn.

    B ul n b n n pp-

    un hl l-p.

    Do Your Job Well

    A u wy g hd n -

    pny ply d yu jb wll. Iyu buy yng g h nx lvl

    nd unwngly pn up h pny

    , yu wn g vy .

    W wh yu ng

    nbl hdul h nu yu

    w wll g dn whl yu ll u

    yu pl.

    Gng hd huld nv n

    llng bhnd n yu dy--dy

    pnbl.

    Gittlen is a freelance business and technology writer in the greater Boston area.

    Dos and don'ts for self-promotion

    DO: Scope out realistic advancement opportunities within your organization.
    DON'T: Threaten that you'll quit if you don't get promoted.
    DO: Share the positive impact you've had by highlighting initiatives you've led or participated in across the company and their results.
    DON'T: Blanketly state that you've single-handedly effected change.
    DO: Seek out educational or training opportunities.
    DON'T: Attend so many events in a row that your daily duties can't be covered and the budget is drained for co-workers.
    DO: Work with your manager to achieve your goals.
    DON'T: Seek help from his or her supervisor without his or her knowledge.


    giving corner: FOSTERING GOODWILL, EDUCATION, AND RESEARCH INITIATIVES

    Infosec Careers: Shelter from the Storm

    DESPITE A WAVERING ECONOMY, INFORMATION SECURITY CAREERS OFFER STABILITY AND UPWARD MOBILITY.

    ALTHOUGH THE ECONOMIC STORM continues to cast a dark cloud around the globe, the information security profession offers professionals shelter from the storm. That's just one of the telling highlights for infosec professionals uncovered in a new career management research study of (ISC)2 members conducted by the (ISC)2 Foundation.

    The Foundation's 2012 (ISC)2 Career Impact Survey shows that nearly all of the 2,258 professionals who responded were employed in 2011. Of the few unemployed, half were without a job for some portion of 2011 of their own volition, either to pursue professional development, to relocate geographically, or to retire. Other findings include:

    • 96% of respondents are currently employed.
    • Of those unemployed during 2011, 2% were laid off, and 2% were unemployed of their own volition.
    • Of those who sought employment last year, most relied on job websites, social media and networking for job seeking.

    Advancement and salary opportunities drove 35% of professionals surveyed to seek new cybersecurity positions in 2011. And those who stayed in their position also saw increases in compensation. Of the 35% who changed jobs last year, 53% did so because they had advancement opportunities. And, nearly 70% received salary increases last year, while 55% expect to receive increases in 2012.

    New jobs are being created daily in the information security industry, and there is a bright outlook for job creation and greater budget flexibility in 2012 as well.

    • Roughly 34% of respondents experienced a new-hire increase last year, although 27% saw an increase in layoffs.
    • Around 30% of survey respondents expect information security budgets, equipment purchases and new hires to increase in 2012.
    • 51% of respondents plan to hire information security staff over the next year.

    The information security industry remains focused on the security risks presented by mobile devices (personal or business) and cloud computing. Of those surveyed, 56% reported increased security risk in 2011, with 38% attributing most of that activity to mobile devices. Focus on specific skills when hiring:

    • 81% of respondents said an understanding of information security concepts is an important factor in their hiring decisions. Other top factors are directly related experience (72%) and technical skills (76%).
    • Top skills hiring managers seek are: operations security (55%); security management practices (52%); access control systems/methodology (51%); security architecture/models (50%); risk management (49%); telecom/network security (45%); applications/system development security (44%); and cloud/virtualization (35%).

    Ensuring there is a steady stream of qualified, certified information security professionals to protect society from digital threats remains an issue. About 80% of respondents indicate that they are having a difficult time finding people with the right skills and aptitude to fill vacancies. To ameliorate this problem, (ISC)2 members can post their resumes for free on Career Tools, which employers can search for free. (ISC)2 also periodically hosts career assistance programs, such as the career fair that will be held at the 2012 (ISC)2 Security Congress.

    At the (ISC)2 Foundation, we're using the Safe and Secure Online youth education program to introduce youngsters to the profession. What can you do? Consider donating to the Foundation in support of youth education and scholarship programs. Volunteer to go to local high schools to discuss your career with students, and encourage them to enter this exciting, interesting, and secure field.

    To see the full survey results, visit https://www.isc2.org/industry-resources.aspx.

    Julie Peeler, Director, (ISC)2 Foundation


    chapter passport: MEMBERS CONNECT AND COLLABORATE

    (ISC)2 Chapter Membership: The Value Proposition

    SINCE THE LAUNCH of the (ISC)2 Chapter Program in September 2011, we have received more than 70 petitions to form chapters around the world. (ISC)2 members are eager to network with other local professionals to share knowledge, discuss current industry trends, exchange resources and help educate the community about information security.

    Through (ISC)2 chapters, members can spread awareness of the profession and educate the public on the dangers of cyber security threats, especially among school-aged children, as well as teachers and parents, through the (ISC)2 Safe and Secure Online program. It provides a valuable opportunity for chapter members to use their skills to help secure their local communities.

    Why are members interested in joining an (ISC)2 Chapter, especially when there are many other chapter organizations from which to choose? Here are some of the responses we received from (ISC)2 chartering chapter members:

    • Belong to a local forum for networking with local professionals;
    • Stay up-to-date on new technologies and current trends;
    • Promote the value of (ISC)2 certifications among employers and professionals;
    • Create awareness and growth of the information security profession;
    • Contribute knowledge and resources to fellow colleagues;
    • Educate non-security professionals about protecting their information assets;
    • Develop leadership and presentation skills;
    • Reinforce the status of (ISC)2 credential holders in remote locations of the world.

    The main purpose of the (ISC)2 Chapter Program is to serve the needs of our members. By joining a chapter, (ISC)2 members belong to a local network of like-minded professionals who are working toward a common goal. For those members who are not satisfied with the security organization in which they are currently involved, being a member of an (ISC)2 Chapter provides them the opportunity to contribute or make a difference elsewhere.

    This is the time for you to make a difference for your community and for yourself. Don't wait. Get involved today.

    (ISC)2 Chapter Directory

    Check out the new, interactive map on the (ISC)2 Chapter Directory. It now distinguishes chartering chapters from those that are already established. Find an (ISC)2 Chapter near you by visiting: www.isc2.org/ch-directory.

    If a chapter doesn't exist in your area, consider starting one. Visit www.isc2.org/ch-start for details (member log-in required).

    Jayda Shriver, Chapter Program Manager


    Q&A: EXPERTS ADDRESS TRENDING SECURITY TOPICS

    Embracing the Cloud Evolution

    DAN HOUSER, AN (ISC)2 BOARD MEMBER FOR THE PAST THREE YEARS, IS A SENIOR SECURITY AND IDENTITY ARCHITECT FOR A GLOBAL HEALTHCARE ORGANIZATION. HE LEADS A TEAM OF SECURITY ARCHITECTS WHO PROVIDE SECURITY AND IDENTITY STRATEGIES, ROADMAPS, SECURE MODELS, AND REFERENCE ARCHITECTURES.

    Q: You've worked as an information security professional for various industries, such as banking, healthcare, and education. What stands out as the common security aspect of all three industries?

    While the risk tolerance between industries differs, the fundamental issues are all the same: how do we enable the business to meet its objectives with limited capital, and at the right risk model, while protecting vital intellectual property? All businesses struggle with managing a burgeoning identity architecture, and their architecture teams are always adapting to a stunning rate of change. Those patterns are largely the same across industries. As security professionals, we are trying to figure out what cloud means to our business, and many of us are both cloud service providers and consumers of cloud services. All of us are dealing with consumerization and what it means when 80% of your users are bringing their own smartphones and tablets to work.

    Process change is another common issue. IT security vendors are usually selling tools, not processes. As my CTO at a bank said, "A fool with a tool is still a fool"; that is, adding a tool to a problem where you have ignorance doesn't resolve the ignorance. I think that's universally true. You have to address personnel, process, and technology, and process change is always harder than tool change.

    Q: On which new healthcare security initiatives are you currently working?

    Cloud and mobile. My company is working aggressively on exploring the business case for cloud-based models for our service. We already offer several as innovative cloud solutions, and those bring unique security challenges because it's changing our business model in some cases. We are in our second year of a successful bring-your-own-device program that has struck the right balance between risk and usability. We are also deploying mobile solutions to our customers to provide immediate information access and to improve overall patient care. It's a very exciting time to be leading security initiatives in healthcare! Security in the cloud, regardless of industry, is still uncertain.

    Q: What are the biggest security issues, and how do you see them changing?

    I think that most cloud models are the ones that we've been using for a decade. The exception is Infrastructure as a Service (IaaS), which is a more recent innovation within most organizations, but one that has been effectively used in the past with grid and distributed models. I see cloud services as really just an evolution in virtualization and service-oriented architecture, not a complete revolution. Security issues aren't necessarily different from secure design patterns we have seen before. It's merely the velocity of cloud implementations that has changed dramatically. Identity will remain a pivotal issue in extending a secure cloud presence, as will data security, application security, and establishing and governing a third-party trusted relationship.

    Q: Where do you see the biggest security challenges in the next few years?

    I think the most significant issue we're going to face is data being pushed to the edge, with consumerization of IT driving tremendous innovation and change. We've now seen the tipping point, where consumers are buying more computers than companies. That is not only a huge change for IT, but also for a security model that has traditionally been based on perimeter security.

    Identity is the new perimeter, and both identity and content are the most important parameters to understand when trying to transition to a data security model that works in today's IT world. We will need to change our models for how we think about security in that context. Hard-core crypto is where we usually turn for data security. However, cryptography may not be viable when those platforms are lightweight with mobile chipsets and no USB ports or other ability to extend hardware or firmware (or, sometimes, even software) because they're consumer appliances.

    Q: Are these challenges global?

    As a global issue, consumerization and mobile data security challenges will differ based on economics and consumer infrastructure. However, I think a substantial number of workers are bringing a smartphone to work in most developed nations, or will do so in the next few years. Globally, we are responding to the same market forces and will have the same issues, but with a different integration model and response. All industries, globally, are seeing substantial changes in how we need to think about mobile data security.


    A New Authentication Paradigm?

    WITH THE PROLIFERATION OF THE CLOUD, an old issue has resurfaced: seamless authentication and authorization to remote services. This concern has been around for many decades, with the development of protocols like Kerberos and tools such as IKE and AD. However, none of these protocols truly solved the overall problem.

    User-ID/password is without a doubt the single most used and trusted method to achieve authentication and authorization. However, this method has proven to fail more than we would like to admit. Services offered by Microsoft, Google, Amazon and Facebook are increasingly revered by other Web services as trusted, using them as a sort of public key infrastructure (PKI), though all are based on user-ID/password. Why is this?

    The answer is administrative simplicity. All other methods require more resources or a higher level of user complexity. The user-ID/password method, despite its unreliability and possibility of user negligence, is cheap, often zero cost, compared to other methods.

    Central allocations and revocation are too complex, and the responsible security staffers simply hope the user will not misuse any access privileges. Still, statistics say 80 percent of all IT crimes are internal, reminding us that opportunity often creates the criminal.

    In the age of the integrated cloud, perhaps it's time for a paradigm shift: a new multiplatform authentication technology that would support system owners and allow administrators to maintain access control while utilizing the proper tools (without using external services).

    How can this be done? Let's face it: the technology has been around for years, such as private/public keys and PKCS#12 certificates. We just have to tweak some protocols and tools to make this shift. For starters, we can use trusted certificate data to validate organizations. From there, individual keys can link individuals to the organization.

    Can it be done? Yes, it can be done. In act, it already

    has been done, though most o us dont realize it. Te

    model design or this type o tool is called Factorum.

    Factorum was the authentication and authorizationprocess or the A& Plan9 Operating System (OS)

    rom the early 1990s. Factorum works a lot like

    SSH and IPSec public/private key processes, but its

    not a part o the operating system. Rather, it sits on

    top o the OS, and controls a single users access tothe complete system. Designed or a distributed,

    multiserver environment, it supports all protocols

    we can encounter, not just Web ones.

    Plan9 and Factorum are no longer available, but

    by adding Factorum-like unctionality to the current

    PKI/AD and allowing local and remote systems, as

    well as protocols like SAML2 to work with public/

    private keys instead o current identity parameters, we

    get a simplifed unctionality. Tis allows local system

    owners to control access by distributing public keys

    and revoking access by deleting the private ones.

    By mimicking Factorums role-based authoriza-tion, we could give the user the right access in the

    same way local AD installation would be accessed.

    We could then have a trustworthy, boundless

    single sign-on authentication/authorization with-

    out multiple passwords or costly two-actor

    authentication tools.
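The scheme the column sketches (a trusted organization key that validates the organization, individual keys that link a person to that organization, and a local system owner who keeps control of access without any external service) can be walked through end to end in a small Go program. This is an added example, not the column's or Plan9's code: it assumes Ed25519 keys from Go's standard library, a constructed organization named "acme" with constructed users "alice" and "mallory", and models revocation as the system owner removing the user's public key from the local access list, since the relying system only ever holds public keys. Each login signs a fresh random challenge, so a captured proof is not reusable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential binds a user's public key to an organization: the organization's
// signing key endorses the (user, public key) pair, so a relying system that
// trusts the organization can validate the individual through it.
type Credential struct {
	User    string
	UserPub ed25519.PublicKey
	OrgSig  []byte // organization's signature over credentialPayload
}

func credentialPayload(user string, pub ed25519.PublicKey) []byte {
	return []byte("user:" + user + ":key:" + hex.EncodeToString(pub))
}

// IssueCredential is run by the organization; the user never holds orgPriv.
func IssueCredential(orgPriv ed25519.PrivateKey, user string, userPub ed25519.PublicKey) Credential {
	return Credential{User: user, UserPub: userPub,
		OrgSig: ed25519.Sign(orgPriv, credentialPayload(user, userPub))}
}

// LocalSystem is what a system owner controls: which organization keys it
// trusts, and which individual public keys are granted which role.
type LocalSystem struct {
	TrustedOrgs map[string]ed25519.PublicKey // org name -> org verification key
	Access      map[string]string            // hex(user public key) -> role
}

func (s *LocalSystem) Grant(pub ed25519.PublicKey, role string) { s.Access[hex.EncodeToString(pub)] = role }

// Revoke drops the public key from the access list; no central service is involved.
func (s *LocalSystem) Revoke(pub ed25519.PublicKey) { delete(s.Access, hex.EncodeToString(pub)) }

// NewChallenge returns a fresh random nonce for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Authenticate applies three checks in order: the credential is endorsed by a
// trusted organization, the key is on the local access list, and the presenter
// proves possession of the private key by signing this login's challenge.
func (s *LocalSystem) Authenticate(org string, cred Credential, challenge, proof []byte) (string, error) {
	orgPub, ok := s.TrustedOrgs[org]
	if !ok {
		return "", errors.New("unknown organization")
	}
	if !ed25519.Verify(orgPub, credentialPayload(cred.User, cred.UserPub), cred.OrgSig) {
		return "", errors.New("credential not endorsed by the organization")
	}
	role, ok := s.Access[hex.EncodeToString(cred.UserPub)]
	if !ok {
		return "", errors.New("key not on the local access list (never granted or revoked)")
	}
	if !ed25519.Verify(cred.UserPub, challenge, proof) {
		return "", errors.New("challenge signature invalid")
	}
	return role, nil
}

// login simulates one round: the system issues a challenge and the user
// answers with a signature made by the private key only they hold.
func login(sys *LocalSystem, org string, cred Credential, userPriv ed25519.PrivateKey) (string, error) {
	chal, err := NewChallenge()
	if err != nil {
		return "", err
	}
	return sys.Authenticate(org, cred, chal, ed25519.Sign(userPriv, chal))
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // constructed demo: key generation failure is fatal
	}
	return pub, priv
}

// ScenarioResult summarizes the constructed walk-through in RunScenario.
type ScenarioResult struct {
	RoleGranted   string // role seen while alice's key is on the list
	RevokedDenied bool   // login fails after the owner revokes alice's key
	ForgedDenied  bool   // a credential signed by a non-trusted key is rejected
}

// RunScenario walks through issue, login, revoke and a forged credential with
// constructed keys for organization "acme" and users "alice" and "mallory".
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	orgPub, orgPriv := genKey()
	alicePub, alicePriv := genKey()
	sys := &LocalSystem{TrustedOrgs: map[string]ed25519.PublicKey{"acme": orgPub}, Access: map[string]string{}}

	cred := IssueCredential(orgPriv, "alice", alicePub) // organization endorses alice's key
	sys.Grant(alicePub, "developer")                    // local owner assigns the role
	role, err := login(sys, "acme", cred, alicePriv)
	if err != nil {
		return res, err
	}
	res.RoleGranted = role

	sys.Revoke(alicePub) // owner removes the key; the same credential no longer works
	_, err = login(sys, "acme", cred, alicePriv)
	res.RevokedDenied = err != nil

	// mallory's key is endorsed by a key acme never trusted; even with a role
	// granted locally, the missing organization endorsement rejects the login.
	_, roguePriv := genKey()
	malloryPub, malloryPriv := genKey()
	sys.Grant(malloryPub, "developer")
	_, err = login(sys, "acme", IssueCredential(roguePriv, "mallory", malloryPub), malloryPriv)
	res.ForgedDenied = err != nil
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The order of checks in Authenticate is deliberate: the organization endorsement and the local access list are consulted before any signature from the user is verified, so the system owner's revocation takes effect immediately and a credential from an unendorsed key never reaches the possession check.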

Lars Magnusson, CISSP, is an information security manager in the Swedish automotive industry. He is based in Trollhattan, Sweden and can be reached at [email protected]

