<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; tbowers</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/author/tbowers/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>Expanding the scope of security testing</title>
		<link>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/#comments</comments>
		<pubDate>Wed, 15 Feb 2012 18:37:33 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[cloud services]]></category>
		<category><![CDATA[continual testing]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=967</guid>
		<description><![CDATA[Continual testing is one of the main tenets of data breach prevention. Your network has to remain secure to ward off attacks. The typical security test, known as a penetration test, provides a point-in-time view of your security, limiting your scope of analysis.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/secure_network2.jpg"><img class="aligncenter size-full wp-image-976" title="Secure Network" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/secure_network2.jpg" alt="" width="432" height="324" /></a></p>
<p><em>Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of </em><a title="Security Constructs" href="http://www.securityconstructs.com/" rel="nofollow" target="_blank" class="broken_link"><em>Security Constructs LLC</em></a><em>, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.</em></p>
<p>Continual testing is one of the main tenets of data breach prevention. Your network has to remain secure to ward off attacks. The typical security test, known as a penetration test, provides a point-in-time view of your security, limiting your scope of analysis.</p>
<p>To broaden that scope, today security and risk professionals are taking a cue from software engineers and using a type of testing known as attack surface analysis. Rather than focusing on a specific point in time like the penetration test, this test views the network as a fluid system.</p>
<p>Attack surface analysis uses an entry and exit point framework to identify the full extent of a system’s attack surface.  This analysis is done on either computing or business process resources. In either instance, the entry/exit points of a system are the ways through which data (or hackers) enters or leaves a system and are the basis for attacks.</p>
<p>Some attacks may even use both computing process and business process entry/exit points. For example, a hacker goes to a department store and applies for a job. While there, he inserts a USB thumb drive loaded with malware or auto-execute code into an unprotected USB slot on a nearby computer.</p>
<p>The malicious code executes and gives him a foothold into the enterprise systems that he can then exploit remotely. In this scenario, the hacker has essentially completed an attack surface analysis on the store’s business process and located an unprotected USB slot. He has also done the same for the computing process though, in this scenario, he has created a new attack surface rather than using part of the existing one.</p>
<p>As a CISO, I identify the most important data sets and map the attack surfaces to those data sets. For example, the personally identifiable information (PII) of your employees may be of primary concern to your enterprise. To conduct an attack surface analysis, I would look at the systems that contain this data AND how and by whom that data is used. Is the data static or does it move between enterprise systems? If so, what are the business processes that require this data movement and what are the pipelines through which it moves? Viewed in this fashion I see a more fluid attack surface with connected entry and exit points – not just a single one at a time.</p>
<p>Fortunately there are tools to assist with the process. As more and more enterprises use cloud-based or Web-based services, we can take advantage of the Open Web Application Security Project (OWASP) framework for Web applications. <a title="Open Web Application Security Project" href="https://www.owasp.org/index.php/Main_Page" rel="nofollow" class="broken_link">OWASP</a> is highly respected in the information security space. Its open source tools identify all entry points into a program but do so in a well-structured manner that encourages analysis. It maps both roles and resources to each entry point. It is designed to be used throughout the lifecycle of the system under review. I use the concepts of OWASP to map roles and resources for the supporting business processes of these same applications.</p>
<p>For a more risk-based view of attack surface analysis, I use the Open Source Security Testing Methodologies Manual (OSSTMM) tool, run by Pete Herzog and his team in Spain. It is exactly what it states – an open source community providing an entire security testing framework. OSSTMM is the tool created and maintained by the Institute for Security and Open Methodologies (<a title="Institute for Security and Open Methodologies Manual" href="http://www.isecom.org/research/osstmm.html" rel="nofollow" class="broken_link">ISECOM</a>). I&#8217;ve personally used this framework for many years in a wide range of enterprises. Its beauty is the completeness of the OSSTMM, with its framework, templates, worksheets and Risk Assessment Value (RAV) spreadsheet.</p>
<p>The RAV is what assists us in attack surface analysis. The RAV provides a mechanism where you can place risk values for all of the computing and business process attack entry/exit points. The RAV spreadsheet then provides an overall risk score that aids in prioritizing your attack surface resolution action plan. While the risk scores may not be perfect at times, the RAV is an excellent tool to guide your actions and give you a more holistic view of your system and its weaknesses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Resources for managing your enterprise security and privacy risk in the new year</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 08:00:57 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=901</guid>
		<description><![CDATA[Here’s a look at some of the resources I find useful in testing and training for a data breach.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/data_security.jpg"><img class="aligncenter size-full wp-image-902" title="Data locked" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/data_security.jpg" alt="" width="518" height="337" /></a></p>
<p><em>Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of <a title="Security Constructs" rel="”nofollow” nofollow" href="http://www.securityconstructs.com/about.htm" target="_blank" class="broken_link">Security Constructs LLC</a>, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.</em></p>
<p>I&#8217;ve been actively involved in InfraGard for many years. InfraGard is a public/FBI partnership with a primary mission of protecting critical infrastructure.  Because of this partnership, I began to wonder if the U.S. government had anything I could leverage in my own business operations. The answer is, “yes.”</p>
<p>I&#8217;ve used the guidelines from the National Institute of Standards and Technology (NIST) for many years as a basis for building information security programs around the world. While these are excellent building blocks, they don&#8217;t address my training needs in preparing for a cyber attack. So I also leverage resources from the Department of Homeland Security (DHS) and other agencies.</p>
<p>Here’s a look at some of the resources I find useful in testing and training for a data breach:</p>
<p><strong>NIST Computer Security Handling Guide </strong><br />
In the back of this document (special publication 800-61) are table-top exercises to help train your incident response team. While a bit limited in scope, they are an excellent starting point at no cost to you.</p>
<p><strong>DHS/FEMA Certified Cyber Security Training</strong><br />
The online Domestic Preparedness Campus is a portal for 10 courses that address three demographics of your enterprise: Non-technical, Technical and Business Professional. While they are perhaps a bit broad and general at times, they are an excellent starting point for your enterprise.</p>
<p>The different courses include:</p>
<ul>
<li>Information Security for Everyone</li>
<li>Cyber Ethics</li>
<li>Cyber Law and White Collar Crime</li>
<li>Information Security Basics</li>
<li>Secure Software</li>
<li>Network Assurance</li>
<li>Digital Forensics Basics</li>
<li>Business Information Continuity</li>
<li>Information Risk Management</li>
<li>Cyber Incident Analysis and Response</li>
</ul>
<p><strong>Homeland Security Exercise and Evaluation Program </strong></p>
<p>This program from the DHS provides a standardized method of creating cyber security exercises. You work with a member of the DHS team to create and ultimately execute a testing program. My organization is currently setting up a tabletop exercise with DHS for all 23 of our organizational Information Security Officers next spring. For your company, I expect that the Training Exercises portion will prove the most valuable.</p>
<p>In total, they offer seven exercise types broken down into training and operational exercises.</p>
<p><em>Training Exercises</em><br />
1. Seminar &#8211; A seminar is an informal discussion designed to orient participants to new or updated plans, policies or procedures.<br />
2. Workshop &#8211; A workshop resembles a seminar but is employed to build specific products, such as a draft plan or policy.<br />
3. Tabletop Exercise (TTX) &#8211; A tabletop exercise involves key personnel discussing simulated scenarios in an informal setting.<br />
4. Games &#8211; A game is a simulation of operations that often involves two or more teams, usually in a competitive environment using rules, data and procedure designed to depict an actual or assumed real-life situation.</p>
<p><em>Operations-based Exercises </em><br />
5. Drill &#8211; A drill is a coordinated, supervised activity usually employed to test a specific operation or function within a single entity.<br />
6. Functional Exercise (FE) &#8211; A functional exercise examines and/or validates the coordination, command, and control between various multi-agency coordination centers. A functional exercise does not involve any &#8220;boots on the ground.&#8221;<br />
7. Full-Scale Exercises (FSE) &#8211; A full-scale exercise is a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional and &#8220;boots on the ground&#8221; response.</p>
<p><em>Cyber Storm</em><br />
<a title="Cyber Storm" rel="”nofollow” nofollow" href="http://www.dhs.gov/files/training/gc_1204738275985.shtm" target="_blank" class="broken_link">Cyber Storm</a> is a biennial exercise that provides the framework for a government-sponsored cybersecurity exercise. It is a combination of international government agencies, national and state government agencies and private industry. Its stated aims are to:</p>
<ul>
<li> “Examine organizations’ capability to prepare for, protect from, and respond to cyber attacks’ potential effects</li>
<li>Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures</li>
<li>Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information</li>
<li>Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.”</li>
</ul>
<p>Cyber Storm III was used to hone and tune the latest U.S. National Cyber Incident Response Plan released early in 2011. The 2010 exercise had 60 companies participating across many industry sectors. It also tested the newly formed National Cybersecurity and Communications Integration Center, which is the &#8220;boots on the ground&#8221; hub for national <a title="Cyber Security Facts" href="http://www.experian.com/data-breach/cyber-security.html" target="_blank">cybersecurity</a> coordination.</p>
<p>Managing your enterprise security and <a title="Data Breach Resources" href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">privacy</a> risk posture can be a daunting task at times. Hackers are more sophisticated and coordinated in their attacks. It’s pretty tough out there right now but new tools, processes and procedures will ultimately gain the upper hand. You are not alone. There are a wide range of resources freely available to help build the skill sets of our teams. I remain encouraged and look forward to the battle with new hope and fortitude.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Counter competitive intelligence: Combating hackers in 7 steps</title>
		<link>http://www.experian.com/blogs/data-breach/2011/09/12/counter-competitive-intelligence-combating-hackers-in-7-steps/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/09/12/counter-competitive-intelligence-combating-hackers-in-7-steps/#comments</comments>
		<pubDate>Mon, 12 Sep 2011 20:51:12 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[hackers]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=767</guid>
		<description><![CDATA[After an in-depth analysis on how hackers find their targets, security and risk professionals can learn 7 key ways to strengthen their infrastructure and reduce risk profiles.]]></description>
			<content:encoded><![CDATA[
<p><em><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/09/Cyber-Security.jpg"><img class="aligncenter size-full wp-image-769" title="Cyber Security" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/09/Cyber-Security.jpg" alt="" width="425" height="282" /></a></em></p>
<p><em>Our guest blogger this week is</em><em> Tom Bowers, Managing Director, <a href="http://www.securityconstructs.com/about.htm" rel="”nofollow” nofollow" target="_blank" class="broken_link">Security Constructs LLC</a> –</em> <em>a security architecture, data leakage prevention and global enterprise information consulting firm.</em></p>
<p>In my last <a href="http://www.experian.com/blogs/data-breach/2011/09/06/how-hackers-find-their-targets/" target="_blank">post</a>, I discussed how hackers choose their targets and the steps that companies can take to reduce that risk.  I&#8217;d like to continue this thought stream by offering a slightly different view on how we as security and risk professionals should be responding.  I call it Counter Competitive Intelligence (CCI), though CI professionals may disagree with that name.</p>
<p>CCI has two major advantages:</p>
<p>First, it forces you to understand your own business.  We&#8217;re not simply looking for how your company generates revenues but what the supporting business operation looks like as well.  This analysis forces us to build security as a business risk and not merely as a technology driven risk.</p>
<p>Second, this process assists us in offering business enabling security/risk structures instead of gate-keeping structures. You know the structures I mean, where we security and risk professionals are seen as the team that always says “no” to various lines of business (gatekeepers).</p>
<p>Combined, these two advantages of CCI enable unit heads within an enterprise to view us as business partners.</p>
<p>So how do we accomplish this miracle of security/risk management?  Through seven key steps:</p>
<p>1. Conduct competitive intelligence (CI) on your own company.  CI is a well-known and well-respected part of doing business, enabling you to understand your market, customer demographics, competitors, and political climate.  Start with your competitors, and then look at your own company, building a competitive profile that includes your firm’s strengths, weaknesses and growth areas.  Who are the movers and shakers in the enterprise and what various lines of business does your company pursue?  Read the past couple of annual reports to study your company’s financial health, top management changes, and strategic direction.</p>
<p>2. Now that you have taken a fresh look at your business, focus on the amount and location of information that is publicly available about the company.  Was the information found with a simple search query or did you find it on an employee&#8217;s blog posting?  What information is getting out in places such as Yahoo&#8217;s financial chat rooms? Conducting operational analysis here can lead to some breathtaking insight on unintended information loss.</p>
<p>3. Next, understand whether active disinformation is being used.  Some companies seed chat rooms and blogs with misleading information to throw off CI professionals from their competitors. The best advice here is to verify your sources and look for other evidence to support your conclusions.</p>
<p>4. Now for the response process.  Start by asking if a new policy might help in guiding employees while preventing critical data leakage.  While many companies have created policies concerning social media sites for just this reason, a great number of them fail to realize that “old school” chat rooms and discussion boards are still being used to damaging effect.</p>
<p>5. Ask yourself, can we modify our business processes to mitigate these leakage points?  Should we implement <a href="http://www.webopedia.com/TERM/S/SSL.html" rel="”nofollow” nofollow" target="_blank" class="broken_link">SSL</a> between our business partners?  Do we update our contracts to include explicit language about third party information disclosure?  Should we have a formal review process for all conference sessions given by our employees?</p>
<p>6. Other questions to explore: can you leverage existing business/security/risk technology to help mitigate information leakage?  Have you considered using your anti-virus policy server to conduct application audits or assist in investigations?  Anti-virus servers touch nearly every endpoint on your system and contain a wide range of workstation information.  How about using your security operation center event data stream to give feedback on business application usage (type and location) and perhaps create an improved business process?</p>
<p>7. Finally, review new technologies both near and mid-term that may assist you in mitigating information loss.  Data leakage protection or content protection, enterprise digital rights management or encryption products are some examples.</p>
<p>I will not pretend that this is an easy process.  In fact, the first time I really tackled CCI it took me four years to build the business relationships required in-house to accomplish this process.  The payoff, however, was that we became the “go-to” security organization for business enabling architecture.</p>
<p>The process does work, and security and risk professionals find themselves hailed as heroes when it does.</p>
<p>Lastly, click <a href="http://www.experian.com/data-breach/wp-security-as-business-risk.html?wT.srch=ecd_dbcsdanl_securitywp" target="_blank">here</a> to download my white paper, <strong><em>Security as Business Risk: How Data Breaches Impact Bottom Lines.</em></strong> Security is a business risk which must be accounted for in every organization’s enterprise risk management plan. This white paper illustrates how to view data breaches from a business risk perspective by using real world examples and the major consequences of these breaches.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/09/12/counter-competitive-intelligence-combating-hackers-in-7-steps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How hackers find their targets</title>
		<link>http://www.experian.com/blogs/data-breach/2011/09/06/how-hackers-find-their-targets/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/09/06/how-hackers-find-their-targets/#comments</comments>
		<pubDate>Tue, 06 Sep 2011 17:51:33 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[competitive intelligence]]></category>
		<category><![CDATA[Google alert]]></category>
		<category><![CDATA[hackers]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=760</guid>
		<description><![CDATA[The rash of large-scale data breaches in the news this year begs many questions, one of which is this: how do hackers select their victims? ]]></description>
			<content:encoded><![CDATA[
<p><em><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/09/pic-privacy.jpg"><img class="aligncenter size-full wp-image-761" title="pic-privacy" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/09/pic-privacy.jpg" alt="" width="448" height="330" /></a></em></p>
<p><em>Our guest blogger this week is</em><em> Tom Bowers, Managing Director, <a href="http://www.securityconstructs.com/about.htm" rel="”nofollow” nofollow" target="_blank" class="broken_link">Security Constructs LLC</a> –</em> <em>a security architecture, data leakage prevention and global enterprise information consulting firm.</em></p>
<p>The rash of large-scale data breaches in the news this year begs many questions, one of which is this: how do hackers select their victims?</p>
<p>The answer: research.</p>
<p>Hackers do their homework; in fact, an actual hack typically takes place only after many hours of first studying the target.</p>
<p>Here’s an inside look at a hacker in action:</p>
<ol>
<li>Using search queries through such resources as Google and job sites, the hacker creates an initial map of the target’s vulnerabilities.  For example, job sites can offer a wealth of information such as hardware and software platform usage, including specific versions and their use within the enterprise.</li>
<li>The hacker fills out the map with a complete intelligence database on your company, perhaps using public sources such as government databases, financial filings and court records. Attackers want to understand such details as how much you spend on security each year, other breaches you&#8217;ve suffered, and whether you’re using <a href="http://www.webopedia.com/TERM/L/LDAP.html" rel="”nofollow” nofollow" target="_blank" class="broken_link">LDAP</a> or <a href="http://www.openaselect.org/trac/openaselect/wiki/FederatedAuthentication" rel="”nofollow” nofollow" target="_blank" class="broken_link">federated authentication systems</a>.</li>
<li>The hacker tries to identify the person in charge of your security efforts.  As they research your Chief Security Officer or Chief Information Security Officer (who they report to, conferences attended, talks given, media interviews, etc.) hackers can get a sense of whether this person is a political player or a security architect, and can infer the target&#8217;s philosophical stance on security and where they&#8217;re spending time and attention within the enterprise.</li>
<li>Next, hackers look for business partners, strategic customers and suppliers used by the target.  Sometimes it may be easier to attack a smaller business partner than the target itself.  Once again, this information comes from basic search engine queries; attackers use job sites and corporate career sites to build a basic map of the target&#8217;s network.</li>
<li>Once assembled, all of this information offers a list of potential and likely egress points within the target.</li>
</ol>
<p>While there is little you can do to prevent hackers from researching your company, you can reduce the threat this poses by conducting the same research yourself.  Though the process is a bit tedious to learn, it is free to use; you are simply conducting competitive intelligence upon your own enterprise.  By reviewing your own information, you can draw similar conclusions to the attackers, allowing you to strengthen those areas of your business that may be at risk.</p>
<p>For example, if you want to understand which of your web portals may be exposed to hackers, use the following search term in Google: “site:yourcompanyname.com -www.yourcompanyname.com”</p>
<p>This query specifies that you want to see everything on your site except WWW sites.  Web portals do not typically start with WWW and this query will show “eportal.yourcompanyname, ecomm.yourcompanyname.”</p>
<p>Portals are a great place to start as they usually contain associated user names and passwords;   this means that a database is storing these credentials, which is a potential goldmine for attackers.  You can set up a <a href="http://www.google.com/alerts" rel="”nofollow” nofollow" target="_blank" class="broken_link">Google Alert</a> to constantly watch for new portals; simply type in your query, select how often you want updates, and Google will send you an alert every time a new portal shows up in its results.</p>
<p><a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">Knowledge</a> is power.  The more you know about your own business, the better you can protect it from becoming prey to hacker-hawks circling in cyberspace.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/09/06/how-hackers-find-their-targets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>As organized crime goes virtual, the law cyber-saddles up</title>
		<link>http://www.experian.com/blogs/data-breach/2011/07/26/as-organized-crime-goes-virtual-the-law-cyber-saddles-up/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/07/26/as-organized-crime-goes-virtual-the-law-cyber-saddles-up/#comments</comments>
		<pubDate>Tue, 26 Jul 2011 15:52:11 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Fraud Resolution]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[data breach prevention]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[NATO]]></category>
		<category><![CDATA[organized crime]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=688</guid>
		<description><![CDATA[Cyber criminals have been so successful in recent years that they have seemed unstoppable, leaving federal law enforcement struggling with the fast pace of attacks and ever-changing tactics.]]></description>
			<content:encoded><![CDATA[
<p><em><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/07/cyber-criminal.jpg"><img class="aligncenter size-full wp-image-691" title="cyber criminal" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/07/cyber-criminal.jpg" alt="" width="448" height="282" /></a></em></p>
<p><em>Our guest blogger this week is</em><em> Tom Bowers, Managing Director, <a rel="”nofollow” nofollow" href="http://www.securityconstructs.com/about.htm" target="_blank" class="broken_link">Security Constructs LLC</a> –</em> <em>a security architecture, data leakage prevention and global enterprise information consulting firm.</em></p>
<p>Back in the days of Prohibition, organized crime burst into the national consciousness with the “ka-pow” of a Tommy gun, capturing a sometimes romantic fascination that continues to this day.  The public face of organized crime may have morphed somewhat over the years, from Al Capone and Bugsy Siegel to Vito Corleone and Tony Soprano, but the mugshots have been generally similar and the contours of “the life” familiar.</p>
<p>With the advent of technology, however, organized crime has flocked to new outlaw opportunities that depart wildly from the old stomping grounds.  Today, cyber crime is the hot modern racket, with <a rel="”nofollow” nofollow" href="http://scamfraudalert.wordpress.com/2011/02/27/fbi-2010-cybercrime-statistics/" target="_blank" class="broken_link">offenses</a> ranging from the seemingly mundane (non-delivery of payment or merchandise tops the list at 14.4% of all online crime), to the daring (scams impersonating the FBI, which come in second place at 13.2%), to the now well-known standbys (identity theft, rounding out third place at 9.8%).  At the center of the cyber crime explosion is organized crime, often formed into <a rel="”nofollow” nofollow" href="http://www.washingtonpost.com/wp-dyn/content/article/2009/04/15/AR2009041501196.html" target="_blank" class="broken_link">global gangs</a> (frequently based in Eastern Europe), ever more sophisticated, and comprising a new kind of operation that doesn’t look anything like the movies.</p>
<p>Indeed, cyber criminals have been so successful in recent years that they have seemed unstoppable, leaving federal law enforcement struggling with the fast pace of attacks and ever-changing tactics.  The FBI gained headway &#8211; and large-scale arrests in the U.S. &#8211; with the hiring of more agents with computer science, business and operational analysis backgrounds, but cyber criminals responded by <a rel="”nofollow” nofollow" href="http://www.reuters.com/article/2010/03/24/us-technology-scareware-idUSTRE62N29T20100324" target="_blank" class="broken_link">outsourcing</a> their operations to countries with weak computer crime laws and law enforcement capabilities.  Investigations across borders were bogged down by legal proceedings, arrests and convictions were slow to materialize, and negative public outcry placed pressure on governments around the world.</p>
<p>But now the tide has changed.  The three-year-old <a rel="”nofollow” nofollow" href="http://www.impact-alliance.org/home/index.html" target="_blank" class="broken_link">International Multilateral Partnership Against Cyber Threats (IMPACT)</a> is the world’s first not-for-profit comprehensive global public-private partnership against cyber threats, bringing together academia, industry experts and governments from more than 120 partner countries.  The <a rel="”nofollow” nofollow" href="http://www.theregister.co.uk/2011/05/25/uk_ratifies_cybercrime_convention/" target="_blank" class="broken_link">Budapest Convention on Cybercrime</a>, an effort to synchronize national cyber security laws, has been joined by more than 30 different countries.  The European Union, U.S. and NATO are working together to tackle cyber crime and have announced the formation of a <a rel="”nofollow” nofollow" href="http://www.pcworld.com/businesscenter/article/211297/eu_us_and_nato_to_work_together_on_cyber_defense.html" target="_blank" class="broken_link">new cybercrime center</a>, to be operational by 2013.</p>
<p>As international agreements begin to take shape, global law enforcement benefits from common frameworks for cooperation.  Accordingly, countries are beginning to share enforcement officers, time and talent…and <a rel="”nofollow” nofollow" href="http://www.pcworld.com/businesscenter/article/235390/uk_claims_cybercrime_victory_after_phishing_gang_sentencing.html" target="_blank" class="broken_link">cyber crime arrests</a> are on the rise.  Clearly, a mobilized, globalized and flexible law enforcement response to cyber criminal activity – combined with <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">best practices</a> for data breach prevention – is the best way to keep today’s mob offline and on the run.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/07/26/as-organized-crime-goes-virtual-the-law-cyber-saddles-up/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>