Author: Arron Lucas




A Publication for the (ISC)2® Membership






InfoSecurity Professional • 1 • July/August 2016 isc2.org





Top Reasons to Attend the FOCUS 16 Intel® Security Conference, November 1-3 in Las Vegas, ARIA Resort and Casino:

• Hear special guest keynotes, including Ted Koppel
• Engage with our leaders
• Interact with an ecosystem of security companies
• Anticipate the next threat with McAfee® Labs
• Jam with the Goo Goo Dolls
• Build your arsenal with case study successes
• Quantify ROI of security-based outcomes
• The market dynamics of cybersecurity

Save $100. As an ISC2 member, you can save $100 off your registration by using promo code FOCUS16 when registering! To learn more visit us at www.focus.intelsecurity.com/Focus2016

Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. Copyright © 2016 Intel Corporation.





Why Reading is Still Fundamental

Let’s Move Forward By Stepping Up

Introducing the organization’s new IT executive; member discount for cyber risk analysis tool; preview of Security Congress; this year’s GISLA recipients; a successful U.K. road show; recommended read; spotlight on Singapore chapter; and more.

What to consider in a cloud cost analysis. PAGE 28

Seven Steps to Enhance Your Cyber Defense. How Lockheed Martin’s Cyber Kill Chain® can decimate the attacker. BY CRYSTAL BEDELL

Let’s Help Children Get Excited About Cybersecurity Careers

Ransomware Recovery. Holding data hostage is a trending trick cybercriminals are using against you and your business. It’s time to fight back. BY RAJ KAUSHIK

Cost-Cutting through Cloud Computing. Savings now drives both public and private sectors to embrace the technology, but due diligence is still essential. BY VINCENT MUTONGI

How Do You Size Up?

Jason Sachowski. A Q&A with an inspiring member who lives and works in Canada.

‘Bullseye Breach’. We excerpt a chapter from an (ISC)2 member’s high-tech thriller, whose storyline should ring familiar. BY GREG SCOTT

Cover image by JOHN KUCZALA



Image (above) by ENRICO VARRASSO

InfoSecurity Professional is produced by Twirling Tiger Media, 7 Jeffrey Road, Franklin, MA 02038. Contact by email: [email protected] The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2® on the issues discussed as of the date of publication. No part of this document print or digital may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual products and companies mentioned herein may be the trademarks of their respective owners. For subscription information, please visit www.isc2.org. To obtain permission to reprint materials, please email [email protected] To request advertising information, please email [email protected] ©2016 (ISC)2 Incorporated. All rights reserved.




Editor’s Note



SENIOR MANAGER, MEMBERSHIP MARKETING AND MEDIA SERVICES Jessica Hardy 727-785-0189 x4063 [email protected]


I’M GOING TO give away my age, or at least my generation, when I mention the Reading is Fundamental television PSAs popular back when children’s programming only aired Saturday and possibly Sunday mornings, unless your antenna picked up UHF channels. The nonprofit RIF, now in its 50th year, provides free books to libraries and to children in families where buying books is beyond their budgets. It stresses the importance of strong reading skills, built through reading regularly, to be successful in school and beyond.

I think most (ISC)2 members understand the importance of reading well beyond a formal education. It’s among the most common ways to consume information, both on- and offline. The issue we all now face is what to read, given the many options and the limited time today’s daily life provides. We at the magazine keep that competition in mind when we create each issue, making sure the news items, columns and features aid in your professional development, not just your technical know-how.

The longer days of summer typically make reading, especially for pleasure, easier. There’s more sunlight, energy and vacation time to tackle recommended reads, be they popular novels, classic nonfiction works, magazine articles or all those blogs you bookmarked. We hope that InfoSecurity Professional remains on your reading list, too.

This issue, we talk about a trend in cybersecurity analysis: Lockheed Martin’s Cyber Kill Chain®. Then, a member looks at the costs associated with cloud computing and another at ransomware recovery. A third member provides us an excerpt of his cybersecurity thriller, loosely based on one of the biggest data breaches in recent years. You won’t have trouble guessing the inspiration.

I hope your summer (or winter, depending on your location) is filled with good literature that inspires and empowers you in your work and in your relationships with those important to your well-being.

If you get a chance between now and August, shoot me an email at [email protected] with the best book you’ve ever read. —ANNE SAITA

Anne Saita, editor-in-chief, lives and works in Southern California.

©Rob Andrew Photography

ADVERTISER INDEX
For information about advertising in this publication, please contact Tim Garon at [email protected]

Intel Security ... 2
(ISC)2 ... 5
Capella University ... 7
Qualys ... 13
Walden University ... 14
Black Hat ... 17
(ISC)2 ... 21
(ISC)2 ... 22
Executive Women’s Forum ... 23
(ISC)2 ... 27
TechTarget ... 31
Twirling Tiger Media ... 37
(ISC)2 ... 38

EXECUTIVE PUBLISHER Timothy Garon 508-529-6103 [email protected]
MANAGER, GLOBAL COMMUNICATIONS Amanda D’Alessandro 727-785-0189 x4021 [email protected]
MEDIA SERVICES COORDINATOR Michelle Schweitz 727-785-0189 x4055 [email protected]

SALES TEAM
EVENTS SALES MANAGER Jennifer Hunt 781-685-4667 [email protected]
REGIONAL SALES MANAGER Lisa O’Connell 781-460-2105 [email protected]

EDITORIAL ADVISORY BOARD
Carlos Canoto, South America
Amanda D’Alessandro, (ISC)2
Tushar Gokhale, U.S.A.
Javvad Malik, EMEA
J.J. Thompson, U.S.A.
Elise Yacobellis, (ISC)2

TWIRLING TIGER MEDIA EDITORIAL TEAM
EDITOR-IN-CHIEF Anne Saita [email protected]
ART DIRECTOR & PRODUCTION Maureen Joyce [email protected]
MANAGING EDITOR Deborah Johnson
PROOFREADER Ken Krause

Twirling Tiger Media is certified as a women’s business enterprise by the Women’s Business Enterprise National Council (WBENC). This partnership reflects (ISC)2’s commitment to supplier diversity.






Register Today! Sept. 12 - 15, Orlando, FL • Orange County Conv. Center. Pricing ends July 31, 2016. (ISC)2 Members save $255.

Don’t miss out on the largest CPE opportunity of the year: Earn up to 46 CPEs.

Join us in Orlando, FL, September 12 - 15, for the 6th annual (ISC)2 Security Congress. Colocated with ASIS Seminar, this conference offers over 90 education sessions, designed to transcend all industry sectors and focus on current and emerging issues, best practices, and challenges. This event will advance you as a security leader by arming you with the knowledge, tools, and expertise to protect your organization.

Make sure you don’t miss these sessions!
• Session #3230 - Cloud Security: Securing Your Public Cloud Infrastructure
• Session #2232 - Professional Development: Hiring, Building, and Retaining Top Security Talent
• Session #4232 - Mobile: Malware Activity in Mobile Networks
• Session #4235 - People Centric Security: Your Next CISO Should be a Lawyer
View the full list of sessions at (ISC)2 Security Congress 2016.

Tracks include:
• Incident Response
• Cloud Security
• Swiss Army Knife
• Mobile Devices - Security and Management
• Governance, Regulation and Compliance
• Application Security/Software Assurance
• Malware Threats
• Professional Development
• Forensics
• Threat Intelligence
• People Centric Security

congress.isc2.org © Copyright 2016. (ISC)2, Inc. All rights reserved.





I OBTAINED MY CISSP certification in 2006, and I have always been a proud member of (ISC)2. This is primarily because I believe that, as professionals, we should always strive to improve ourselves. Is there a better opportunity to achieve this than being part of an elite community of more than 100,000 fellow professionals across the globe? I honestly cannot think of one. I am incredibly honored that the membership has shown confidence in me (and Dave Kennedy, Kevin Charest and Professor Hiroshi Yasuda) to serve as a board member again. While volunteering for this role is obviously a conscious choice, the time my fellow board members and I spend away from work and family has the sole purpose of improving (ISC)2 as an organization, both for the membership and the industry at large. As the elected chairperson for 2016, I can say confidently that the board serves the membership. Having representation from the security industry, government and academia on a global scale enables us to make good decisions for the future of (ISC)2, and the team we have is quite stellar and largely reflects the interests of our membership.

Over the past decades, information security has grown into a complex profession. We have evolved from mostly network-focused technologists to a broad spectrum of specialists, ranging from ethical hackers to risk managers, active on all levels across industries. We’re required to understand everything from evaluating risk, to understanding cutting-edge technology before it becomes common knowledge, to securing infrastructures our societies depend upon. It is, by all means, no small feat for those who try to keep up every day. This is where I believe (ISC)2 as an organization can make the difference, but it needs more engagement from the community it created and for which it exists.

We, the membership, have grown into experts in our respective fields, and we have learned both from our own successes and our own failures. We would be doing a disservice to our community if we, as the leading independent faction in our industry, didn’t allow our peers to learn from the path we have walked ourselves. There is always a call for information, and there is always a need for more knowledge. What we need today is for professionals to share information among each other, as freely and as widely as possible.

I see a bright future for our profession, for (ISC)2 and for our membership, but I can also see the challenges we are facing on a daily basis. I’m personally committed to enabling our members to learn, to educate and to lead. Making sure that we have a platform that allows for information sharing in a trusted and confidential manner is but the first step. I can only ask our members to leverage the tools at hand to teach, to share and to disseminate knowledge. James Madison, undoubtedly one of the greatest statesmen that ever lived, once said, “The advancement and diffusion of knowledge is the only true guardian of liberty.” To enable our fellow professionals, new and old, to move forward, it is incumbent upon all of us to step up to the plate and make it happen. I can only be grateful to be among all of you as a member of the greatest association in our industry. ●

Wim Remes is the current chairperson of the board of directors. He can be reached at [email protected] on isc2.org.







Get up-to-date security skills with Capella University’s Master’s in Information Assurance and Security (MS-IAS). Specializations include Digital Forensics, Network Defense, and Health Care Security. Along the way to your MS-IAS, earn up to 3 NSA focus area digital badges showcasing your mastery of skills in specific cybersecurity areas. Plus, the knowledge you gained for your CISSP®, CEH®, or CNDA® certifications can help you earn credit toward your MS-IAS, saving you time and money.

ANSWER THE CALL. START TODAY. CAPELLA.EDU/ISC2 OR 1.866.933.5836 See graduation rates, median student debt, and other information at www.capellaresults.com/outcomes.asp. ACCREDITATION: Capella University is accredited by the Higher Learning Commission. HIGHER LEARNING COMMISSION: https://www.hlcommission.org, 800.621.7440 CAPELLA UNIVERSITY: Capella Tower, 225 South Sixth Street, Ninth Floor, Minneapolis MN 55402, 1.888.CAPELLA (227.3552) ©Copyright 2016. Capella University. 16-8594






JEFF HIGHMAN, former vice president of software development at InfoZen, is the new director of IT services and solutions at (ISC)2. In his new role, Highman is responsible for achieving goals related to a global IT strategy. He intends to use Agile development techniques to address all aspects of (ISC)2’s technical infrastructure, assess new business requirements and integrate those requirements into the overall infrastructure. Highman has 20 years of experience spanning strategy, delivery and organizational change management for large-scale organizations. His experience spans a broad range of IT services from federal systems to commercial and cloud-based products. His work at the U.S. Patent and Trademark Office transformed the patent process from paper-based operations to a digital end-to-end process. Most recently, he pioneered the development and launch of a commercial SaaS product called Identrix. “(ISC)2 is planning to enable the next generation of security practitioners through modern channels of engagement,” he said. “Security professionals are the leaders that will pave the way for a more secure society at large. I look forward to serving this community.” ●

MEMBER DISCOUNT FOR CYBER RISK ANALYTICS TOOL (ISC)2 and PivotPoint Risk Analytics have joined together in a business partnership to help raise awareness of the need for cyber-risk analytics. The solution, called cyber value-at-risk analytics (CyVaR™), has the mission of empowering information security professionals to assess the financial impact of vulnerabilities and potential incidents to their organizations, to help them make more strategic business decisions and mitigate risks. (ISC)2 members receive a 35 percent discount off the first year of CyVaR services for their organization. Visit the member benefits page for more information (https://www.isc2.org/member-benefits.aspx#PivotPoint). For additional information on how CyVaR works, join us at 1 p.m. Eastern time on July 12 for a discussion and demo webcast: https://www.isc2.org/security-briefings/default.aspx?commid=210143. ●

BE PART OF THE INDUSTRY’S LARGEST WORKFORCE STUDY Your opinion counts! Our latest Global Information Security Workforce Study survey is out, and we need your voice to help tell the story of what the information security workforce is facing. The study will cover everything from salaries and hiring practices to training requirements and corporate attitudes. The study, sponsored by the Center for Cyber Safety and Education with research conducted by Frost & Sullivan, provides a detailed picture of the global cybersecurity workforce. We’ve streamlined this year’s survey to 20 minutes for optimal participation. The survey is open until Sept. 30, and we’ll release results in early 2017. Check your inbox for your personalized invitation to participate in the survey. For more information, please visit https://www.isc2cares.org/IndustryResearch/GISWS/. ●

CPEs Please note that (ISC)2 submits CPEs for (ISC)2’s InfoSecurity Professional magazine on your behalf within five business days. This will automatically assign you two Group A CPEs. https://live.blueskybroadcast.com/bsb/client/CL_DEFAULT.asp?Client=411114&PCAT=7777&CAT=10427&Review=true





Threat Modeling: Designing for Security
By Adam Shostack
Suggested by Larry Marks, CISSP

on threat modeling, this book is a good place to start. The author clearly frames the discussion about terminology and the corporate environment in which this methodology should be implemented, and identifies various effective approaches to implement threat modeling. There are explanations on how to examine software applications, or any system, by trying to find holes in them and ways they might be exploited. As a guide to help a developer or security practitioner identify potential security threats in the design, there are detailed instructions, including:

• Several limited frameworks, such as STRIDE or CAPEC, to identify the various threats. These can be used as checklists to understand the architecture of the software design. In fact, the author’s approach is the approach recommended by Microsoft.
• How to perform data flow diagrams to better identify the threat.
• Applicability to the Agile approach of using sprints in designing, testing and releasing code.
• Scaling the process for firms of different sizes: small, medium and large.
• How to identify, assess and remediate coding issues that may involve threats before they hurt you or your customers.

Threat Modeling: Designing for Security is not intended as a technical cookbook. This book offers very practical and timely experience and significant assistance. For the most part, it succeeds. ●
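The review's first two points, STRIDE used as a checklist and a data flow diagram (DFD) as the thing the checklist is applied to, combine into the "STRIDE-per-element" pass that the book describes. The following is an added example, not code from the book, from the reviewer or from (ISC)2: it encodes the standard STRIDE-per-element chart (which of the six categories apply to external entities, processes, data flows and data stores), walks a small constructed DFD (browser, web application, orders database, with assumed trust-zone labels) and lists every element/threat pair to be reviewed, putting data flows that cross a trust boundary first because that is where untrusted input enters the system.

```python
"""STRIDE-per-element enumeration over a small data flow diagram (DFD).

Added example for illustration; the DFD (browser -> web app -> orders DB)
and its trust-zone labels are constructed, not taken from the book.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Standard STRIDE-per-element chart: which threat categories apply to each
# DFD element type. Which categories apply is a property of the element
# type, so the same checklist is reused for every element of that type.
STRIDE_PER_ELEMENT: Dict[str, Set[str]] = {
    "external_entity": {"Spoofing", "Repudiation"},
    "process": {"Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"},
    "data_flow": {"Tampering", "Information disclosure", "Denial of service"},
    "data_store": {"Tampering", "Repudiation", "Information disclosure",
                   "Denial of service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # external_entity | process | data_store
    boundary: str   # trust zone the element lives in (assumed label)


@dataclass(frozen=True)
class Flow:
    source: str     # Element.name
    target: str     # Element.name
    label: str      # what travels on the flow


@dataclass(frozen=True)
class Threat:
    element: str
    kind: str
    category: str
    crosses_boundary: bool   # only meaningful for data flows


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply the STRIDE-per-element checklist to every element and flow."""
    by_name = {e.name: e for e in elements}
    threats: List[Threat] = []

    # Nodes: external entities, processes and data stores.
    for e in elements:
        if e.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind: {e.kind}")
        for cat in sorted(STRIDE_PER_ELEMENT[e.kind]):
            threats.append(Threat(e.name, e.kind, cat, False))

    # Edges: a flow crosses a trust boundary when its endpoints sit in
    # different zones; those flows are reviewed first.
    for f in flows:
        src, dst = by_name[f.source], by_name[f.target]
        crosses = src.boundary != dst.boundary
        name = f"{f.source} -> {f.target} ({f.label})"
        for cat in sorted(STRIDE_PER_ELEMENT["data_flow"]):
            threats.append(Threat(name, "data_flow", cat, crosses))

    threats.sort(key=lambda t: (not t.crosses_boundary, t.element, t.category))
    return threats


def example_dfd() -> Tuple[List[Element], List[Flow]]:
    """Constructed three-node DFD used to demonstrate the pass."""
    elements = [
        Element("Browser", "external_entity", "internet"),
        Element("Web app", "process", "dmz"),
        Element("Orders DB", "data_store", "internal"),
    ]
    flows = [
        Flow("Browser", "Web app", "HTTP request"),
        Flow("Web app", "Orders DB", "SQL query"),
    ]
    return elements, flows


if __name__ == "__main__":
    els, fls = example_dfd()
    for t in enumerate_threats(els, fls):
        flag = "[crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{t.element:42} {t.category:24} {flag}")
```

Each printed row is one question for the design review ("can the browser be spoofed to the web app?", "can the SQL query flow be tampered with?"), which is exactly the checklist use the review describes; the sort order puts the two boundary-crossing flows at the top so the review starts with the untrusted inputs.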

2015 (ISC)2 ANNUAL REPORT IS NOW AVAILABLE Read our year in review at https://www.isc2.org/management-annual-reports/default.aspx.


U.S. $325 million: Financial damages incurred by ransomware CryptoWall3 between January 2015 and April 2016.

of ransomware infections were caused by phishing. Source: The Cyber Threat Alliance http://cyberthreatalliance.org/cryptowall-report.pdf

272.3 million: Number of stolen email accounts, most of which involved users of Mail.ru, Russia’s most popular email service, followed by Google, Yahoo and Microsoft email users. Source: Reuters – May 5, 2016



Image by iStock







BEING RELEVANT IN a city where many security-related chapters, interest groups and events coexist is quite a challenge, but the (ISC)2 Singapore Chapter realized that it was important to create a niche where the chapter can benefit the local security community rather than just organizing (ISC)2 events for its own sake. Thus, the chapter now hosts relaxed evening events with networking over dinner at low/no cost and maintains a focus that is relatively high-level compared to local hacker events.

Now 170 members strong, the (ISC)2 Singapore Chapter was founded in 2012. The chapter’s mission is to provide information security education and networking opportunities for its members. (ISC)2 Singapore Chapter has held security seminars with Bit9+Carbon Black, Qualys, NEC, Splunk, F5 and Tenable, among others. Events have covered CCTV, breach detection, compliance, responsive security, security monitoring, bitcoin, vulnerability management, DDoS, privacy and more. Occasionally, the chapter keeps the topic light. Last November, members enjoyed an outing to watch the James Bond movie, Spectre. The (ISC)2 Singapore Chapter assisted at the Center for Cyber Safety and Education’s Safe and Secure Online booth during the RSA Conference APAC in 2015. The chapter’s plans include connecting volunteers with Safe and Secure Online and similar initiatives. Expect more monthly security events and chill-out sessions in the near future. ●

(ISC)2 SINGAPORE CHAPTER CONTACT INFORMATION
Secretary: Vijay Luiz
Email: [email protected]
Website: https://www.isc2chapter.sg/sgp/

New Executive Committee at (ISC)2 Singapore Chapter’s Annual General Meeting – October 10, 2015.

• The EMV Chip and PIN liability shift will not stop payment breaches.
• Big healthcare hacks will make the headlines, but small breaches will cause the most damage.
• Cyber conflicts between countries will leave consumers and businesses as collateral damage.
• U.S. presidential candidates and campaigns will be attractive hacking targets.
• Hacktivism will make a comeback.
Source: Experian – 2016 Data Breach Industry Forecast






Early registration rates are available until July 31. More details are available at congress.isc2.org.

MORE THAN 80 educational sessions designed to transcend all industry sectors will be available during (ISC)2’s sixth annual Security Congress, taking place Sept. 12–15 at the Orange County Convention Center in Orlando, Fla. Once again co-located with the ASIS International Annual Seminar and Exhibits, the combined events will bring together nearly 20,000 security professionals from around the world. A few notable sessions and speakers include:

• Application Security: Building a Secure Development Lifecycle on a Shoestring Budget – John Overbaugh, CISSP, chief information security officer, CyberVista.
• Cloud: Securing Your Public Cloud Infrastructure – Anthony Freed, director of corporate communications, Evident.io; Dave Lewis, CISSP, global security advocate, Akamai Technologies; Adrian Sanabria, senior security analyst, 451 Research; Tim Prendergast, CISSP, CEO, Evident.io.
• Incident Response: It’s Not if but When: Creating Your Incident Response Plan – Lucie Hayward, CISSP, PMP, managing consultant, Cyber Investigations, Kroll; Michael Quinn, associate managing director, cyber investigations, Kroll.
• Mobile: Malware Activity in Mobile Networks—an Insider View – Kevin McNamee, CISSP, director, Threat Intelligence Lab, Nokia.
• People-Centric Security: Your Next CISO Should be a Lawyer – Bruce deGrazia, CISSP, program chair, cybersecurity, The Graduate School, University of Maryland University College.
• Professional Development: Hiring, Building, and Retaining Top Security Talent – Kevin Flanagan, CISSP, CISSP-ISSMP, CISA, CISM, CEH; director, RSA; David Shearer, CISSP, CEO, (ISC)2; Deidre Diamond, founder and CEO, Cyber Security Network; Anne Saita, editor-in-chief of InfoSecurity Professional.
• Threats: Ripped from the Headlines: Demonstrations of the Year’s Top Breaches – Mike Landeck, CISSP, CyberSecology. ●





• of confirmed data breaches involved leveraging weak, default or stolen passwords.
• of breaches involving insider misuse took months or years to discover.
• of web app attacks where criminals stole data were financially motivated.
• of compromises happened within minutes.
• took weeks or more to discover.


Image by ThinkStock



PRESENTING THIS YEAR’S GISLA RECIPIENTS

Congratulations to the following recipients of this year’s Government Information Security Leadership Awards (GISLA®), which (ISC)2 announced at a Washington, D.C., gala in May.

Technology Improvement – Individual Category

Preston Werntz, chief of technology services for the National Cybersecurity and Communications Integration Center (NCCIC), is a member of the Department of Homeland Security (DHS) team known as the Automated Indicator Sharing initiative (AIS) that works to drive federal-civilian bidirectional threat information sharing. With a history of contributing to information sharing programs, mentorship and working to break down traditional internal boundaries, Werntz led the implementation of the AIS initiative at the NCCIC and successfully drove the AIS to operation. His efforts to improve threat information sharing have led to near real-time information sharing across 50-plus non-federal entities with 10 department and agency participants.

David Shearer, (ISC)2 CEO, David Rosinski, Khambrel Kennedy, Martin Gasca and Kenneth Adams.

Workforce Improvement – Individual Category

Robert Collins, CISSP, CAP, CISO of the Indian Health Service (IHS), Department of Health and Human Services (HHS), is the principal healthcare advocate and provider for American Indians and Alaska Natives. He directs the IHS Division of Information Security (DIS), charged with safeguarding the healthcare information of 566 federally recognized Native American Indian and Alaska Native Tribes. Collins’ efforts to modernize the IHS cybersecurity program included the transfer of the DIS from Albuquerque, N.M., to the D.C. Metro area, which gave the program greater visibility and exposure to broader collaboration. He then created seven interoperable security teams led by subject matter experts. The result was increased accuracy and overall reporting through FISMA quarterly and annual reports and award-winning cybersecurity awareness campaigns. As a result of his leadership, the agency has increasingly built trust and a partnership with tribes by showing transparency in processes and increased confidence in the security program.

Process/Policy Improvement – Individual Category

Gregory Touhill, U.S. Air Force brigadier general (retired) and deputy assistant secretary, DHS’s Office of Cybersecurity and Communications, leads DHS efforts to secure federal civilian networks, help the private sector manage cyber risk, coordinate interagency response to cyber incidents of national significance and engage with DHS’s international partners. In this role, he has helped to measurably advance the capability of the National Cybersecurity and Communications Integration Center (NCCIC) to provide excellent technical response, analysis and customer service. Most notably, Touhill led the team that managed the response to the Office of Personnel Management (OPM) breach. He created processes utilizing DHS technology and interagency partnerships that focused on the best outcome for both the victims and the responders. Overall, Touhill has helped to build, exercise and transform DHS processes for working with critical partners across the country and around the world and demonstrates consistent dedication to advancing growth of the 24x7 NCCIC.

Preston Werntz, Carole Eberle and Gregory Touhill.

Up-and-Coming Information Security Professional – Individual Category

Azzar Nadvi, just two years after graduating from college, now serves as assistant to the director of the Cyber Joint Program Management Office (JPMO) at the Department of Homeland Security (DHS). After President Barack Obama signed the Information Sharing and Analysis Organizations executive order, DHS had to move quickly to build a coalition of existing information sharing organizations and gain support for the effort. With limited resources, Nadvi was placed into a role typically reserved for a more senior member of the staff. He co-developed a multi-million-dollar grant, Notice of Funding Opportunity for the National Information Sharing Standards Organization, developed and managed the proposal, Objective Review Plan, and conducted proposal reviews, with technical analysis resulting in awardee selection. In all circumstances, he exemplified leadership and professionalism beyond his years. As a result of Nadvi’s and his peers’ contributions, the ISAO Standards Organization was established in record time—less than seven months.

Community Awareness – Team Category

Led by David Rosinski, information systems security manager (ISSM), the team at Naval Computer & Telecommunications Area Master Station Atlantic, Detachment Rota, Spain (NCTL Det Rota), provides a variety of IT services to more than 10,000 U.S. military and government personnel who are stationed or deployed within the Iberian Peninsula. Thanks to this team’s outstanding efforts to provide cybersecurity awareness for both the military professional and family communities—specifically during National Cyber Security Awareness Month (NCSAM) last October—they reached the majority of the 10,000 people associated with the U.S. military in Rota, Spain, changing awareness training from a one-way message to a two-way dialogue. As a result, there have not been any cyber incidents on the local network tied to user behavior since October 2015.





Most Valuable Industry Partner (MVIP) – Team Category

Cisco’s Advanced Malware Protection (AMP), developed by Al Huger, vice president of engineering, is an overarching inter-architecture project that ties together Cisco security products to create one holistic security ecosystem. The AMP technology allows end-users to connect security products and endpoints into one homogenous system that communicates within itself to find breaches. The system can then educate all components within the system to handle the breach. As a result, Cisco’s government customers are spending fewer human resources to monitor network health. In the long run, AMP is helping the government at all levels safely leverage network solutions to best serve its constituents.


F. Lynn McNulty Tribute Award Richard Hale is the deputy chief information officer for cybersecurity for the Department of Defense, where he acts as CISO for the government’s largest agency and, ostensibly, its most targeted. He is currently using new NIST security guidelines to update a Defense Federal Acquisition Regulation Supplement clause that would broaden the classes of information that industry must protect. He is also working across agencies to determine standards for cyber basics as they relate to unclassified information. Previously, Hale served as the chief information assurance executive at the Defense Information Systems Agency, overseeing all of the agency’s information assurance activities. ●

Ready to advance your career in cyber security, information technology, and other high-demand fields? Walden University offers the degree programs you need to stay competitive—and become a leader in your field:
• Doctor of Information Technology (DIT)
• Doctor of Business Administration (DBA)
• MS in Information Technology
• Master of Information Systems Management (MISM)
• MS in Health Informatics
• Graduate Certificate in Information Systems
• BS in Computer Information Systems
• BS in Information Technology

Recognized Quality

“There’s nothing more valuable than learning something in class and then being able to put it to practical use.” Willie F. Jones, BS in Business Administration and Master of Information Systems Management Graduate (MISM), Doctor of Business Administration (DBA) Student








By Lyndsay Turley

IN MARCH AND early April, I joined our managing director for (ISC)2 EMEA, Dr. Adrian Davis, CISSP, on an unprecedented United Kingdom roadshow that drew the highest attendance of any event hosted by the U.K. Council of Professors and Heads of Computing (CPHC). Supported by the U.K. Cabinet Office, British Computing Society (BCS) and CPHC, our goal was to help computing science academics incorporate the groundbreaking Principles and Learning Outcomes for undergraduate degrees so that cybersecurity becomes a prominent component of any computer science degree program. (ISC)2 and CPHC published the guidelines in 2015. Of the 100-plus institutional members, more than 60 universities sent representatives to the talks, providing (ISC)2 EMEA officials outstanding outreach to this important community and an opportunity to influence the academic community that teaches more than 20,000 undergraduates in computing and IT-related subjects every year.

These roadshows are the culmination of a member initiative that the (ISC)2 EMEA Advisory Council began in 2012. The initiative was aimed at boosting employer confidence in new graduates despite their lack of experience, increasing awareness of cybersecurity as a career within a broad group of students, and stemming the proliferation of vulnerabilities in IT. The (ISC)2 EMEA team supported the Advisory Council, which is made up of member volunteers who give their time to varied projects, in hosting several meetings that brought together members, academics, industry bodies and government departments. The output from these meetings led to the development of the new principles and educational outcomes for undergraduate computing science degrees. The BCS, one of the participating industry bodies in the project, immediately included the principles within its degree accreditation guidelines, making cybersecurity a mandatory component of most computing science degrees in the U.K. The principles have since been referenced by EQANIE, which accredits computing science/informatics degrees at an EU level. The work, including an upcoming white paper to complement new competence standards and curricula guidelines, aims to broaden knowledge and interest about cybersecurity, the profession and the careers that are available. The ultimate goal is to attract more students to cybersecurity careers and to help prevent a growing serious shortage of skilled security professionals worldwide. As our region’s largest professional body with nearly 20,000 EMEA-based (ISC)2 members, and with employment markets now demanding more certified professionals, we are actively promoting security to young adults through educational partnerships. In fact, (ISC)2 is one of three education partners that developed the U.K.’s first Extended Project Qualification (EPQ) in cybersecurity. The qualification earns secondary school credits, awarding entry points needed for U.K. universities, and can also be pursued by anyone (and at any age). It focuses on students’ planning, research and practical skills. Our efforts are creating defined entry routes and opportunities for people to join the profession, rather than discover it by chance. They also have an impact on many vocations beyond security. The ambition is to address a breadth of need and motivate the development of a cyber-competent society that will, in the end, produce the variety and numbers of skilled individuals needed to realize the advantages offered by our digital world. ●

Since September 2015, the (ISC)2 EMEA team has grown from an office of 10 to 15 people, expanding its outreach capability in education support, member services and other initiatives.

LYNDSAY TURLEY is director of communications and public affairs for the (ISC)2 EMEA Regional Office.





Let’s Help Children Get Excited About Cybersecurity Careers

EVERY DAY, WE read about a critical talent shortage in the technology sector, where a shortfall of qualified talent will cause 25 percent of open cybersecurity jobs to go unfilled. This need is expected to grow by 30 percent over the next five years, yet statistically, only 10 percent of cybersecurity jobs are held by women. It seems clear to me that these two problems are linked, and they share a common solution. We need to do more to make critical knowledge of technology available to our future workforce, both young men and women alike. We’re rapidly approaching a time where half the workforce will be 30 and under, and roughly half of these professionals will be women. By not doing more to encourage both young men and women to consider careers in technology, specifically cybersecurity, we’re not using our most valuable resource in combating this talent shortage: the next generation. The success of the game Minecraft has already shown us that technology can resonate with both genders. We need to do more to introduce technology to all young students in new and interesting ways. Both for-profit and traditional brick-and-mortar universities have done a lot to target the cybersecurity talent shortage. Odds are students will already have a good idea of what they want to do professionally by this time, so it may be too late to introduce these career paths during the college years. Addressing the talent shortage in the long run should start with exposure to critical technology skills during primary education. Sadly, computer science is only taught in one out of four high schools across the United States. With the talent shortage expected to continue unabated for another five or even 10 years, our focus needs to be on the talent that will be entering the workforce at those times. That means encouraging current high school and middle school children who are excited about technology and intrigued by cybersecurity, and giving them every opportunity to explore those fields of study. We should introduce technology and cybersecurity to all young students with the ultimate goal that many will find that technology resonates with them.

How can we help? As professionals in the trenches, we can do a lot to help address this issue, and it all starts by getting involved. In the near term, talk to your HR department about taking on interns, or consider becoming a mentor to a high school student. In the long term, programs such as Cyber Patriot, Day of Code, Girls Who Code, Safe and Secure Online, and Technology Education and Literacy in Schools (TEALS) provide great opportunities to help spark interest in younger students. Talk to your local school board, and volunteer to help close the gap. To read more about the anticipated labor shortage, read the most recent (ISC)2 Global Information Security Workforce Study and plan to participate in the study survey, which is now open. ●

Sean Johnson is senior manager of information security at CSAA Insurance Group, a AAA Insurer. He can be reached at [email protected]


Image by ThinkStock






THE EVOLUTION OF CYBER THREATS is driving the need for a new cyber defense strategy. The primary threat is no longer the massive virus outbreak that leaves a wake of destruction in its path. Instead, it’s the surreptitious attack on individual corporate networks that goes undetected for weeks, sometimes months, and results in data loss. To counter these advanced persistent threats (APTs), experts advocate an intelligence-based cyber defense strategy. One such model is Lockheed Martin’s seven-step Cyber Kill Chain®.

PHOTO ILLUSTRATION BY JOHN KUCZALA






In 2006, under the guidance of Rohan Amin, Eric Hutchins and Michael Cloppert developed the Cyber Kill Chain. “We started seeing efforts to gain access to protected infrastructure at Lockheed Martin by people on the internet using technologies that were different than what we as security professionals had come to know to be commonplace,” recounts Cloppert, chief analyst for the Lockheed Martin Computer Incident Response Team (LM-CIRT) based in Gaithersburg, Md. “As we started to dig in on these things, we felt we were marginally more successful than our industry peers at the time, and we wanted to capture what we were doing differently from everyone else so we could communicate it to them.” The Cyber Kill Chain refers to seven discrete phases of an attack:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and control (C2)
7. Actions on objectives

Enterprise IT organizations can gain an advantage over adversaries, according to Cloppert. “It is the objective, I think, for network defenders to be able to classify as much intelligence from an intrusion as possible so that the adversary has to change each and every thing that the defender has the ability to detect, respond or mitigate against,” he says, adding that each phase of the Cyber Kill Chain presents a different opportunity to gather intelligence about an attack and deploy the appropriate countermeasures to stop it. “The beauty of it is…the adversary isn’t always able to see where in the kill chain an attack fails,” he asserts. “To try again and be successful, the adversary must either change everything they leveraged in the attack up to that point, or pick and choose elements to change.” And each of those changes incurs some cost, be it the monetary cost to purchase a new zero-day attack, the operational overhead to manage the infrastructure, or the productivity cost to carry out a new workflow, for example.

In the paper “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Hutchins, Cloppert and Amin describe the kill chain in detail and provide a Course of Action Matrix with recommended defensive measures for each phase. “At each phase of an attack, the Cyber Kill Chain acts as a guide to instruct network defenders on what they may not know about an adversary,” Cloppert explains. “If I didn’t have any countermeasures across the kill chain and an adversary was successful, that means potentially there’s evidence in each phase of the intrusion. A robust forensic analysis of an intrusion should be able to find all of this data or find some evidence in most phases, and once I find it, I can find a way to utilize it for detection and mitigation in the future.” An attacker has to complete all seven phases to successfully execute an attack. He adds, however, “because the model has a degree of determinism, if you are able to implement a mitigation at any phase, that cuts off the chain and essentially causes the adversary to have to start over.” The goal isn’t simply to deploy a countermeasure at each phase of an attack and hope for the best, Cloppert advises, but to have visibility into the entire kill chain. “If an adversary makes it to phase five of the kill chain, that means the adversary was successful in the previous phases, and you can gather intelligence that enables you to implement a countermeasure to stop a future attack sooner.”

SUCCESS ON THE FRONT LINE OF AN ATTACK Robert Lee, CEO of Dragos Security, based in San Antonio, Texas, says he uses the Cyber Kill Chain to help his clients plan security investments. “The single biggest use is to identify patterns of intrusions—take individual attempts to break into the network, and identify that there is a campaign of efforts—and take proactive measures based on what we pull out of those intrusion analysis pieces.” “In principle, everyone should have visibility into each section of the network, and when appropriate, have mechanisms to block adversaries at those different levels,” he adds. Regarding Lockheed Martin, Cloppert says, “That’s how we use it here. That’s how we can classify all of our capabilities we have, identify gaps, and when we identify gaps that seem to be repeated over multiple intrusion attempts at a tactical level or across different capabilities at an operational level, those are the areas we want to invest money in either to procure a new solution or develop one ourselves.”
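As an added illustration of the intelligence-driven use Lee and Cloppert describe (example code written for this article, not Lockheed Martin’s or Dragos Security’s tooling; the attempt records, phase evidence and indicator strings are constructed placeholders), the following Python links separate intrusion attempts into campaigns by shared indicators, harvests indicators from the phases an adversary completed before being stopped, and reports the repeated gaps worth a new control:

```python
"""Kill-chain classification and campaign linking (illustrative, constructed data)."""
from collections import defaultdict

# The seven phases named in the article, in attack order.
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Constructed sample intrusion attempts. 'evidence' maps each phase in which
# forensic evidence was recovered to the indicators found there; 'stopped_at'
# names the phase whose countermeasure broke the chain (None = not stopped).
# All ids and indicator values are placeholders, not real IoCs.
ATTEMPTS = [
    {"id": "INT-1", "stopped_at": "exploitation",
     "evidence": {"reconnaissance": ["ua:recon-scanner/1.0"],
                  "weaponization": ["doc-hash:PLACEHOLDER-A"],
                  "delivery": ["sender:invoice@lookalike.example"],
                  "exploitation": ["exploit-tag:reader-bug-X"]}},
    {"id": "INT-2", "stopped_at": "command_and_control",
     "evidence": {"delivery": ["sender:invoice@lookalike.example"],
                  "exploitation": ["exploit-tag:reader-bug-X"],
                  "installation": ["path:%APPDATA%\\svc\\upd.exe"],
                  "command_and_control": ["c2:beacon.example.net"]}},
    {"id": "INT-3", "stopped_at": "delivery",
     "evidence": {"reconnaissance": ["ua:other-scanner/2.2"],
                  "weaponization": ["doc-hash:PLACEHOLDER-B"],
                  "delivery": ["sender:hr@unrelated.example"]}},
]


def furthest_phase(attempt):
    """Index (0-6) of the latest phase for which evidence exists."""
    return max(PHASES.index(p) for p in attempt["evidence"])


def harvest(attempt):
    """Indicators from every phase the adversary completed before being
    stopped. Reaching phase N means phases 1..N-1 succeeded, so their
    indicators can become countermeasures that stop the next attempt
    earlier in the chain (Cloppert's 'phase five' point)."""
    cut = PHASES.index(attempt["stopped_at"]) if attempt["stopped_at"] else len(PHASES)
    return {p: inds for p, inds in attempt["evidence"].items()
            if PHASES.index(p) < cut}


def find_campaigns(attempts):
    """Group attempts that share at least one indicator (transitively):
    Lee's step of turning individual attempts into 'a campaign of efforts'
    when they reuse lures, tooling or infrastructure. Uses union-find."""
    owners = defaultdict(list)
    for a in attempts:
        for inds in a["evidence"].values():
            for ind in inds:
                owners[ind].append(a["id"])
    parent = {a["id"]: a["id"] for a in attempts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for ids in owners.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(list)
    for a in attempts:
        groups[find(a["id"])].append(a["id"])
    return sorted(sorted(g) for g in groups.values())


def repeated_indicators(attempts):
    """Indicators seen in more than one attempt, keyed by phase: the gaps
    'repeated over multiple intrusion attempts' that justify investing in a
    control at that phase."""
    seen = defaultdict(lambda: defaultdict(set))
    for a in attempts:
        for p, inds in a["evidence"].items():
            for ind in inds:
                seen[p][ind].add(a["id"])
    return {p: sorted(i for i, ids in m.items() if len(ids) > 1)
            for p, m in seen.items() if any(len(ids) > 1 for ids in m.values())}


if __name__ == "__main__":
    for a in ATTEMPTS:
        print(a["id"], "reached", PHASES[furthest_phase(a)], "harvest:", harvest(a))
    print("campaigns:", find_campaigns(ATTEMPTS))
    print("repeated by phase:", repeated_indicators(ATTEMPTS))
```

Here INT-1 and INT-2 fall into one campaign because they reuse the same sender and exploit, and the repeated delivery-phase indicator is the one to push into mail filtering before the third attempt arrives.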

CHALLENGES WITH THE CYBER KILL CHAIN® Of course, any security strategy presents challenges, and Lockheed Martin’s Cyber Kill Chain is no different. The biggest challenge, however, appears to be the age-old misconception that technology is the be-all, end-all. “That will never be the case,” Dragos Security’s Lee says. “It’s naïve to think adversaries will be stopped by a box on the network.” The other problem Lee encounters is that organizations fail to make strategic investments. “Generally, people buy products or technologies to invest in one or two areas but not the whole kill chain. When you apply all the different security investments, that gets you defense-in-depth, but the problem is the technologies are only meant to rule out the noise. Without adding time and visibility, technology doesn’t stop an attack.” Lockheed Martin’s Cloppert concurs, adding, “A capability can be turned into a control with the right intelligence applied to it. A firewall is a way you can enforce principle of least privilege on the network, but if you don’t know what to enforce that on, then it won’t do a whole lot of good. So that’s the big caveat. You can have all these technologies, but if you don’t have the intelligence to codify in the technology, it won’t classify as a control at least for these adversaries.” It all comes down to the human element. “A lot of it is person power—actual eyes on the problem,” advises Lysa Myers, a security researcher at San Diego’s ESET. And therein lies another challenge. Most organizations are comfortable buying a product because it has a fixed cost, Lee says. “Training and people are more difficult to justify.” But that doesn’t negate the need for people. “Solutions are meant to put the network in the defensible situation, but you have to have the people to defend it,” he adds. Despite the need for additional manpower, Myers says this approach still offers a cost benefit. “The amount you spend on a cyber defense strategy is significantly less than if you let an attack become a problem. People are under the illusion that it won’t happen to them, but we’re seeing every company—large and small, in every vertical—become a target. There’s no discriminating. Criminals see opportunities, and they go for them.”

SEVEN STEPS TO CONTROLLING A THREAT

Lockheed Martin’s Cyber Kill Chain framework identifies the seven phases of an advanced persistent threat. To be successful, an adversary must complete all seven phases. However, a network defender can successfully stop a threat at any phase.

Step 1: Reconnaissance
The attacker collects information about potential targets to determine which one is most likely to result in a successful attack. This information is then used when carrying out the attack.

Step 2: Weaponization
The attacker prepares and stages the operation. Malware is generated (usually via an automated tool) then coupled with an exploit to create a deliverable payload.

Step 3: Delivery
The attacker launches the operation, either by controlled delivery directly against web servers or by released delivery, such as email, social media or USB.

Step 4: Exploitation
The attacker exploits a zero-day vulnerability to gain unauthorized access to the victim. The exploit can be triggered by the victim, for example, by opening an attachment in a malicious email, or by the attacker for server-based vulnerabilities.

Step 5: Installation
The attacker installs a persistent backdoor or implant in the victim’s environment to enable him/her to continue to have access for a period of time.

Step 6: Command and Control
The malware opens a two-way communications channel, usually over web, DNS or email protocols, to a command and control (C2) infrastructure. This enables the attacker to remotely control the victim’s environment.

Step 7: Actions on Objectives
At this point, the attacker can complete his/her mission, whether it’s exfiltrating or modifying data, destroying systems, or moving laterally through the environment. ●

COUNTERING KILL CHAIN CRITICISM This emphasis on intelligence is one of the criticisms of the Cyber Kill Chain. “What you don’t want is every company on earth trying to figure this out for themselves. They don’t have the experience or the time,” warns Tony Sager, senior vice president and chief evangelist at the Center for Internet Security in Arlington, Va. “There are not millions of unique attacks happening out there; there are millions of repeats of a very small number of ‘patterns.’ The general idea of the original Lockheed paper was to use ‘intelligence’ information about attacks to identify the key patterns, so that one could better understand and anticipate or stop attackers at various and multiple stages during the pattern,” Sager says. “I believe that the vast majority of what people need to know to defend themselves is already in the public. The absence of threat intelligence is not the problem. It’s the ability to translate that intelligence into action.” Lockheed Martin’s Cloppert cautions that the intelligence available is not all of equal value. Information like an adversary’s capabilities, intent and geographic location are what he refers to as “operational level intelligence,” and it tends to be ubiquitous, regardless of the size and nature of the target. “There are elements that if you share them, everyone can benefit, but as you get more and more detailed, the likelihood of indicators being useful to defenders goes down,” he says. This is simply due to the fact that every business configures its IT infrastructure differently. Ultimately, Cloppert advises, the Cyber Kill Chain “is one of many different models that all have an interplay with one another and enable people who are defending networks to think at tactical and operational levels as to how to prevent adversaries from being successful. To the extent that this model is useful, I think people should use it, but you have to apply some level of thought to this and for whatever reason, if it’s not useful, then OK. We’re not talking about the universal laws of physics that are indisputable. The Cyber Kill Chain is simply a way of looking at an intrusion from the perspective of an adversary.” ●

[Figure: Course of Action Matrix mapping kill chain phases (including Command and Control and Actions on Objectives) to example countermeasures: web analytics, firewall ACL, vigilant user, proxy filter, in-line AV, “chroot” jail, audit log, DNS redirect, quality of service. Source: U.S. Department of Defense]

Start tracking the vulnerabilities keeping you up at night. This exclusive, members-only resource aggregates, categorizes and prioritizes vulnerabilities affecting tens of thousands of products. Create a customized feed filtered by the vendors, technologies and keywords that are relevant to your interests. No new account is required to use Vulnerability Central and it’s free to members; just log in with your (ISC)2 member account.

CRYSTAL BEDELL is a writer based in Spokane, Wash., who is a regular contributor to InfoSecurity Professional.

Make the connection with chapters! Get involved with your local (ISC)2 Chapter to meet industry experts and network with (ISC)2 credential holders and other information security professionals. It’s a great way to:

• Meet like-minded individuals
• Share knowledge
• Exchange resources
• Earn CPEs

To locate the closest chapter to you, visit the chapter directory.





14th Annual: Invest in Yourself! ROI up to 19 CPE credits.

BUILD A NETWORK of the most dynamic women in our industry. TAKE HOME TOOLS, best practices & solutions to achieve success.

October 25-27, 2016, Hyatt Regency at Gainey Ranch, Scottsdale, AZ

BALANCING RISK and OPPORTUNITY: Join your peers and learn to transform cybersecurity, risk and privacy beyond the enterprise.

Keynotes:
• Susan C. Keating, President and Chief Executive Officer, National Foundation for Credit Counseling
• Meg McCarthy, EVP Operations and Technology, Aetna
• Zoe Strickland, Global Chief Privacy Officer, JPMorgan Chase
• Nina Burleigh, National Correspondent, Newsweek

OVER 25 SESSIONS THIS YEAR! BREAKOUTS, LIVE HACKS, TED TALKS AND EXPERT SPEAKERS. Panels include:
– Visualizing Security Analytics So Managers Can Understand & Act
– The Breaches We Know About; The Breaches We Don’t
– Behavior Analytics, Insider Threat & Employee Privacy Rights

Women of Influence Awards: Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy. Winners will be announced at a ceremony during the EWF event. For the nomination form go to www.ewf-usa.com. Nominations must be submitted by July 31, 2016.

For more information on the EWF or to register, please visit: www.ewf-usa.com







ON JUNE 27, 2014, within a matter of hours, Code Spaces, a SaaS provider offering source code management tools like Git and Apache Subversion on Amazon Web Services (AWS), turned from a rock-solid company into a dysfunctional one. A malicious hacker reportedly got unauthorized access to its Amazon EC2 control panel and tried to extort money from the management. When Code Spaces engineers tried to change the root passwords, the malicious hacker deleted data, backups, machine configurations and offsite backups, forcing Code Spaces to close its doors. There weren’t any bad business decisions—Code Spaces did not do anything wrong—but the fact is that the company lost everything. Going out of business without any inkling, within a matter of hours, is scary. It’s also a real possibility for millions of individuals and organizations. Ransomware has been around for several years, but the malware is becoming more prevalent and a problem—to the point where it now has its own lexicon, including RR for ransomware recovery.




The basic idea of cloud computing is that your applications and data are scattered out there on the internet “somewhere,” available for your employees to access them from any computer whenever they want. But the authentication mechanism mainly depends upon the credentials. For instance, if Bill the Bad Actor provides John the CTO’s credentials to the Single-Sign-On Authenticator, then Bill the Bad Actor gains access to the whole system.

RANSOMWARE EVERYWHERE

Ransomware is a type of malware that prevents or limits users from accessing their data. One kind of ransomware, CryptoBlocker, encrypts data. The other variant of ransomware, Curve-Tor-Bitcoin (CTB) Locker, uses TOR to hide command and control (C&C) communications. TOR is freeware for enabling anonymous communication with the mastermind server. The name is an acronym derived from the original software project name The Onion Router. Within two months after it was unleashed in September 2013, CryptoLocker raked in an estimated $27 million for its creators. In April 2014, cybercriminals came up with more dangerous versions of ransomware, including CryptoWall and CryptoDefense. The CoinVault attack, which Kaspersky Lab detected in May 2014, even offered the free decryption of one of the hostage files as a sign of proof. According to a recent NBC News report, ransomware has targeted at least 1 million victims nationwide, including individuals, small businesses, and even a Tennessee sheriff’s office. One California dentist reported that her practice came to a standstill because ransomware encrypted all electronic patient information, scheduling software and digital X-rays. The cybercriminals demanded $500 via an onscreen prompt to restore the files. On March 22, 2015, New Jersey school district Swedesboro-Woolwich was locked up due to ransomware CryptoWall 2.0, affecting the district’s entire operation, including Partnership for Assessment of Readiness for College and Careers (PARCC) exams, which are entirely computerized.

BIG RISKS DELIVER BIG PAYDAYS

According to a public service announcement from the FBI’s Internet Crime Complaint Center (IC3), CryptoWall cost U.S. businesses and consumers at least $18 million between April 2014 and June 2015. IC3 based its estimate on complaints from 992 CryptoWall victims and it includes related damages, such as the cost of network mitigation, loss of productivity, legal fees, IT services and credit monitoring services. The Cyber Threat Alliance (CTA) is an industry group formed to study emerging cyber threats by members including Intel Security, Palo Alto Networks, Fortinet and Symantec. In a report titled “Lucrative Ransomware Attacks: Analysis of the CryptoWall Version 3 Threat,” CTA found ransomware attacks very lucrative, resulting in an estimated $325 million in damages. This comprehensive report revealed the following interesting statistics:

• 4,046 malware samples
• 839 command and control URLs
• 5 second-tier IP addresses used for command and control
• 49 campaign code identifiers
• 406,887 attempted infections of CryptoWall 3
• Global impact, but the North American region was most affected

Cyber attacks are a blow to the capability and trustworthiness of any corporation. Understandably, it is very difficult to determine the exact number of ransomware victims, because some businesses caught in the trap would choose to protect their brand name over coming out publicly about the cyber-attack. Today, the ransomware threat has become a global epidemic.

[Image: An example of a ransom pop-up.]

PREVENTION IS BETTER THAN CURE

A widespread ransomware campaign detected in September 2014 placed fake advertisements on websites such as Yahoo, AOL and The Atlantic. The attackers pressed CryptoWall 2.0 into service, which used Adobe Flash to exploit browser vulnerabilities and installed itself on the host computers. The attackers stole assets from reputed websites to make the malicious ads appear real. Once a user clicked on the authentic-looking malicious ad, the user files available on the system were encrypted, and owners were denied access to the files until they paid ransom for a decryption key. Money is the main motivator for cybercriminals. If they get ransom from a majority of their targets, they will only get bolder, greedier and more ruthless. According to the U.S. Department of Homeland Security’s website, decrypting files does not mean the malware infection itself is removed. What if the malware activates and locks files multiple times in a year? The ransom campaigns are launched against random individual computers or against selected corporations that have data in public and private clouds. The consequences from campaigns aimed at individuals and small businesses may be disastrous but limited to just those entities, but attacks against government agencies could bring major business, law enforcement and social services to a standstill. Rather than acquiesce to ransom demands, it is time to figure out what we can do so that we don’t have to give in to the demands and terms of malicious actors. This can only be done if all the doors that lead to our data are closed, and, in the case of an unauthorized entry, the invader must not be able to take over the whole environment.

RANSOMWARE THREAT MITIGATION

In today’s ruthless and competitive environment, cybersecurity needs to be foolproof, as it only takes a single breach to inflict serious damage to your data and business. But in case of a security breach, we must be able to recover our systems without paying ransom, which ultimately translates into funding cybercriminals, thus making them bolder and highly sophisticated. Below are a number of useful measures that can help mitigate the risk of the ransomware threat:

• Keep up-to-date: Ransomware is a constantly evolving threat. It is important to keep up-to-date with new developments with awareness trainings.
• Impose and enforce strict employee practices:
  – Avoid visiting malicious or compromised websites.
  – Keep track of browser extensions and plug-ins.
  – Don’t click spontaneously on links embedded in emails.
  – Delete spam permanently from your mailbox.
  – Beware of phishing sites and traps. If you are not, you may instantly expose your client to security threats.
  – Don’t install any unauthorized software.
• Update software vulnerabilities and patches: Ensure that software and operating systems in your organization are up-to-date with security patches.
• Secure mobile devices: Equip all mobile devices with security solutions and a remote-wipe program. Back up their data routinely. If ransomware locks a mobile device, the remote-wipe program should reset it to an agreed recovery point.
• Employ multilayered defense: Use multilayered security solutions like end-point, messaging and network protection.
• Onsite and offsite backup: Store, maintain and back up data and configurations regularly.
• Control system encryption: Two senior managers working in tandem should encrypt the whole system. They should also copy the decryption key to a designated, safe, unobtrusive location.

Ransomware is a thriving menace. With growing revenue, ransomware groups can continue to advance their techniques. Security practitioners need to recover their systems without paying ransom. There is no bulletproof solution, but we can certainly cut the veins of ransomware groups and bleed them to death. ●

Trained as a physicist and with a Ph.D. in science museum studies, RAJ KAUSHIK entered the field of IT in 2000. For the past 15 years, he has been involved in design, development and post-delivery management of enterprise applications. He has written numerous research and technical papers and popular science articles.




Accepting candy from a stranger is no longer like accepting candy from a stranger. Learn what the world’s leading cybersecurity professionals do to protect their kids from the dangers of the Internet. SAFEANDSECUREONLINE.ORG

A Program of the Center for Cyber Safety and Education. CONTACT US AT: www.SafeAndSecureOnline.org






With the emergence of cloud technology in the last decade, we’ve seen a paradigm shift from traditional data center on-premise environments to data and applications being hosted in the cloud. Cloud providers like Google, Amazon, Microsoft, HP and Oracle have emerged as major players and taken control over the market. Enterprises tend to play safe by only embracing what is proven and tested, while not paying much attention to the possibilities and rewards of adopting new technologies. Now that cloud computing is maturing, public and private enterprises are bound to cut down on costs by migrating to the cloud. But before enterprises think of migrating their data to the cloud for cost saving purposes, it is essential that they perform due diligence by running cloud cost analysis tools. These tools provide a holistic picture that can guide CIOs when making decisions on whether to migrate to the cloud or stay with on-premise deployments.

WHAT IS CLOUD COMPUTING ANYWAY? Just in case you aren’t familiar with cloud computing, the National Institute of Standards and Technology (NIST) calls it “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management efforts or service provider interaction.” As cloud migration gains momentum, some CIOs have pushed back, expressing security concerns about storing their data and applications in the cloud. As much as these concerns are legitimate, we need to realize that a vast majority of data breaches affect data stored within on-premise, traditional data centers. Gartner has debunked this theory by saying that “cloud security is more of a trust issue than based on any reasonable analysis of actual security capabilities.” In March 2016, the Cloud Security Alliance published a list of cloud vulnerabilities called the “Treacherous 12.” These are the top 12 cloud computing threats enterprises face this year. By exercising due diligence, a majority of cloud providers have put measures in place to mitigate these threats. For instance, security updates are tested and applied immediately to applications in the cloud, while on-premise enterprises take about 30 to 60 days to apply the same critical patches. When all is said and done, cloud security will remain a shared responsibility between the tenants and their cloud providers. 
Gartner outlines three common cloud types most providers offer:

• A private cloud is “a form of cloud computing that is used by only one organization, or that ensures that an organization is completely isolated from others.”
• Public cloud computing is “a type of computing where scalable and elastic IT-enabled capabilities are provided as a service to external customers using internet technologies—i.e., public cloud computing uses cloud computing technologies to support customers that are external to the provider’s organization.”
• Hybrid cloud computing “refers to policy-based and coordinated service provisioning, used and managed across a mixture of internal and external cloud services.” Basically, it’s a mixture of private and public cloud services.

Before delving into the cost savings of cloud computing, let’s explore the service models most cloud providers offer:

Platform as a Service (PaaS) is a platform that allows tenants to develop, run and manage applications without the complexity of building and maintaining the infrastructure that is associated with large-scale application deployments. PaaS provides simplicity, scalability and reliability.

Infrastructure as a Service (IaaS) is a virtualized, standardized, highly automated offering where computer resources, complemented by storage and networking capabilities, are owned and hosted by a cloud provider and offered to tenants on demand.

Software as a Service (SaaS) is a software distribution model that enables applications to be hosted by a cloud provider and made available to tenants using a thin web client. The cloud provider uses a one-to-many model to service all tenants based on existing service level agreements.

Before deciding whether to migrate to the cloud, federal agencies and private sector CIOs need to ask themselves several questions:

• What is the return on investment (ROI) from such big migrations?
• How much will this migration reduce the IT expenditures for my organization?
• What benefit-to-cost ratios will my agency realize as a result of this migration?
• What is the cost-benefit analysis of migrating to the cloud?

With cloud adoption picking up speed, we are witnessing a large percentage of cloud applications running on the web or the internet. The majority of these apps are web front ends hosted in the cloud, with back-end scaling databases, data warehouses and middleware. These virtualized, shared configurations help agencies cut down on costs compared with relying on individualized on-premise configurations.
A 2013 IBM study, “Under Cloud Cover: How Leaders Are Accelerating Competitive Differentiation,” found that organizations that embraced the cloud reported nearly double revenue growth and nearly 2.5 times higher gross profits than those companies that were more cautious about cloud computing. Further, the study found that the cloud’s strategic importance to business was expected to double over the next three years.




In 2014, TechTarget conducted a survey asking respondents to choose the three most important factors driving their companies’ public cloud implementation. Cost savings (54 percent), the need for elasticity/scalability (43 percent) and faster provisioning of services (42 percent) were the top drivers. So, how does cloud migration help enterprises cut down on costs?

LEVERAGING ECONOMIES OF SCALE

Because hardware is provisioned on a large scale by the cloud provider, cloud computing allows organizations to enjoy large economies of scale. Since hardware in the cloud is shared among different tenants, organizations are expected to cut costs by utilizing hardware already made available by the cloud provider. With the cost of buying and maintaining hardware being the onus of the cloud provider, this approach takes away the intricacies involved in buying and disposing of old hardware. In addition to cutting down on hardware costs, cloud computing reduces the storage space an enterprise must maintain. An on-premise data center requires agencies to purchase, maintain and dispose of their old equipment. This delays business transactions and escalates operational costs. Harnessing the cloud’s economies of scale helps enterprises cut down on hardware costs.

LOW LABOR COSTS

Cloud providers host applications online via the cloud. In the cloud, labor assigned to manage infrastructure can be significantly reduced, if not eliminated altogether, as applications in the cloud run on automated and virtualized platforms. By migrating and leveraging the cloud provider’s human resources, agencies will eliminate the need for in-house IT staff. Cutting down on hiring and maintaining a large number of employees keeps the staff lean and efficient and reduces manpower and other human-related costs.

REDUCTION IN UPFRONT CAPITAL OUTLAYS

Most cloud providers are now offering pay-as-you-go models that reduce the need for upfront capital outlays. In other words, companies in the private domain—especially small start-ups—do not need large infusions of initial capital to launch new businesses. Such models help small businesses that are struggling with IT budgets to get off the ground, discover new ways to grow and bring additional lines of profit into their organizations.

REDUCTION IN POWER/ELECTRICITY COSTS

From a government perspective, operating hardware and software applications in an on-premise data center can cost agencies millions of dollars in power consumption and other related maintenance. Having your applications run and maintained by a cloud provider in their environment will definitely cut down on these expenses and save a lot of money.

PAY ONLY FOR WHAT YOU USE

Most cloud providers do offer a la carte menus to tenants. Tenants can pick and choose solutions that meet their requirements. Tenants stand to benefit by choosing and paying only for solutions that they need. This cuts down on waste and redundancies.

In the past, a number of cloud pundits have argued that greater productivity, innovation, a more agile environment, improved SLA and licensing negotiations—not cost savings—are the drivers for cloud adoption. This school of thought has dramatically shifted. According to a 2013 study conducted by Rackspace and Manchester Business School, of 1,300 companies surveyed in the U.K. and U.S., 88 percent of cloud users pointed to cost savings, and 56 percent of respondents agreed that cloud services have helped them boost profits. Additionally, 60 percent of respondents said cloud computing has reduced the need for their IT team to maintain infrastructure, giving them more time to focus on strategy and innovation. Further, 62 percent of the companies that have saved money are reinvesting those savings back into the business to increase headcount, boost wages and drive product innovation. The potential dangers of not embracing cloud technologies are enormous. Unless and until CIOs think of embracing the cloud, enterprises will keep wasting millions of dollars supporting applications hosted in legacy on-premise data centers. ●

VINCENT MUTONGI, CISSP, is a Washington, D.C.-based ISSO with over 18 years of cybersecurity experience supporting federal government agencies. He is currently supporting Department of Homeland Security Continuous Diagnostic Mitigation (CDM) and cloud migration initiatives.




Free Membership Offer

Join millions of security pros who turn to SearchSecurity every day to solve their toughest security challenges. (ISC)² member, get your FREE membership, including access to our monthly online Information Security magazine, covering issues such as:

• Malware analysis beyond the sandbox
• Defending against the digital invasion
• Regaining control of cloud compliance
• Emerging security threats from every which way
• Strategies for perimeter network security

Get your free membership and online magazine in less than 2 minutes at: www.SearchSecurity.com/ISC2



After Russian cybercriminals make off with 40 million credit card numbers, an ad hoc team launches ‘Operation Lemonade’ in this excerpt from (ISC)2 member GREG SCOTT’S high-tech thriller, in which the good guys fight back.

Editor’s note: Liz Isaacs is the CIO of fictitious retailer Bullseye, headquartered in Minneapolis’s Nicollet Mall. Jesse Jonsen is a fraud analyst with Uncle Sam Bank, also in Minneapolis. She worked in the Bullseye fraud department before taking the job at the bank. The Bullseye eleventh floor conference room that Liz Isaacs reserved for the report on the credit card investigation had large windows overlooking Nicollet Mall. It was nearly 10 a.m., and shoppers scurried through the light snow to buy Christmas gifts. Bullseye shoppers had no way of knowing that when they swiped their cards at the checkout counter, their card numbers would make their way to St. Petersburg, Russia. The soft leather chairs around the oblong mahogany table filled up one by one as the members of the investigative team entered the room and took their seats. At one end of the table was Ryan MacMillan, looking groggy. In front of him sat a quart of orange juice and a box of tissues. Liz Isaacs, in a Vera Wang turquoise business suit with a Louis Vuitton raw silk blouse, stood at the door to welcome her guests. The first in was Jesse Jonsen, still wearing her well-worn black blazer, red turtleneck, and blue jeans, followed by Harlan Phillips, wearing his usual white shirt with rolled up sleeves and dark tie. “Jesse! How have you been?” said Liz, as she bent down to give her old colleague a hug and faux kisses near both cheeks. “I can’t tell you how much we miss you!” “You know, I feel just the same way, Liz. I’d like you to meet my manager, Harlan Phillips.” Jesse and Harlan sat down on the opposite end of the table from Ryan. Jerry Barkley came in next, with Agent Duncan behind him. When Jerry introduced himself, Liz said, “What a remarkable holiday sweater, Mr. Barkley. Is it one of ours?” “No ma’am. I picked it up at Goodwill last year. It was quite a bargain.” Jerry smiled at his lie, but noticed that Liz bit her cheek and winced. 
“And Agent Duncan, I hope you’re well this morning.” “Yes, ma’am, Ms. Isaacs, ma’am. By the way, did you receive the email I forwarded from Jerry?” Liz’s smile descended into a frown. “Yes, thank you. I’m sure we’ll be discussing it.” Agent Duncan and Jerry sat near Jesse, while Liz went to the center of the table and fumbled with the speakerphone. As soon as she achieved a dial tone, she went over to Ryan and gave him a gentle shake on the shoulder, though she appeared to dig her fingernails into him for good measure. He looked hazily across the table at the visitors. Liz went back near the phone. “I’d like to welcome you here today. As you know, our CEO Mr. Berger is out of the country on important business but agreed to join us by speakerphone today as a gesture of good will and cooperation.” Liz looked at a slip of paper and punched in the phone number but couldn’t get through. “Ryan, could you look up the country code for Barbados?” Jesse, Jerry, and Agent Duncan shared a furtive glance, each with a raised eyebrow. Liz finally got Berger on the speakerphone and introduced everyone. “Welcome to Bullseye International Headquarters, everyone,” said Berger. “I understand the FBI is concerned about a possible security issue?” “I’m Agent Duncan of the FBI. Thank you, Mr. Berger, for taking the time to meet with us this morning. Banks across the country report that about thirty million people have had their credit card numbers stolen, and everything points to Bullseye as the source of the leak.” “That’s what Liz told me,” said Berger. “I find that impossible to believe, but we agreed to cooperate with your investigation.” “The FBI appreciates your cooperation,” said Agent Duncan. “First, let’s bring everyone up to speed, starting with a report from Jerry Barkley on our forensic investigation at the Lake Street Bullseye last night. Did everyone get Jerry’s email?” “I’ll forward it to you right now, Mr. Berger,” said Liz, typing on her laptop. “Mr. Berger, this is Jerry Barkley. I’m in the IT security business on special assignment for Uncle Sam Bank. I wrote down the key points of last night’s investigation in some detail in that email. So, I’ll just summarize briefly for you now.
Basically, we observed the data flow in a store by making a credit card purchase at a checkout counter, and we watched the interaction when one of your point-of-sale terminals booted up. We spent several hours analyzing this data, and that led us to look at some structural things in your operations.” “Did you verify that credit card information is being delivered to Russia?” asked Berger. “Not exactly,” said Jerry. “So all this discussion about a credit card leak is premature then,” said Liz. “I wouldn’t say that,” Jerry continued. “We found a nasty program in your point-of-sale system named GreenPOS. It appears to capture credit card data from each swipe, attach the store’s zip code to the file, and then store it in unencrypted form with all the other credit card numbers from that day of sales. My credit card number was appended to that file right after I swiped it.” “Agreed, that number should be encrypted,” said Liz, “but that still doesn’t imply we’re sending anything to Russia.” “We didn’t find anything going directly to Russia. As I said in the email, the exfiltration path goes from the store to one of three servers at corporate, and then to FTP sites in either Houston, Indianapolis, or New Mexico. We don’t know if the people operating those sites are in cahoots with the bad guys, or if they are simply being used.” “We have FBI teams visiting those locations as we speak,” chimed in Agent Duncan. “Our guess,” continued Jerry, “is those files are all traveling to Russia. The Russians group them in batches called ‘bases’ on an underground Russian website.” “Without a definite link to Russia yet,” said Liz, “why are you so suspicious of these files you found?” “For one thing,” said Jerry, “the file that contained my credit card number was given a name to look like a program, when it was actually a document. The obvious conclusion is someone’s trying to hide something.” “But I thought we had the best security design in the industry,” said Berger. 
“I understand we have an excellent firewall and antivirus software. How’s it even conceivable that somebody could do this?” “That’s right, Mr. Berger,” said Ryan. “I designed it myself.”



Greg Scott, CISSP, is based in Minneapolis and author of Bullseye Breach. Learn more about the book at www.bullseyebreach. com.

“Your design has a problem,” said Jerry, looking at Ryan. “Every store should have its POS systems behind a firewall. All the bad guys had to do was sneak past your main firewall somehow, and then it was easy to infiltrate the computers that run your checkout counters.” Ryan looked more ashen as the conversation continued. “I took the advice of some of the finest consultants in the tech industry when I—er, when we designed that system. Besides, I still haven’t heard any definite proof that correlates Bullseye—specifically—with the bogus cards that are showing up on the street.” “I should tell you then about the ten credit cards our bank issued last week,” said Jesse. Over the speakerphone, Berger blurted out, “What cards?” “We issued ten credit cards last week to certain bank employees across the country,” said Jesse. “They each went to their neighborhood Bullseye and bought one item. Then we canceled the cards and put alerts on them. Three phony cards showed up yesterday afternoon, all near the locations where they were first used. The only place they could have possibly come from was Bullseye. They weren’t used anywhere else.” Several seconds of silence followed. Jerry looked at Jesse and mouthed, “Wow!” He gave a quiet, respectful nod. Jesse smiled slightly at Jerry. “Wait a minute,” said Ryan. “We don’t know where this so-called leak is coming from.” “Yes,” said Liz. “How did it get on our internal servers?” “We don’t know yet,” said Jerry. “I’m surprised you haven’t gotten any alerts from your security team in Bangalore,” said Jesse. “When I worked here, I found they were pretty good at keeping track of any suspicious activity coming in or going out of your system.” “I assure you, our team in Bangalore is watching all those alerts,” said Liz. “We spent a lot of money putting all that in place.” “How do they communicate back to corporate?” asked Jerry. “Email,” said Ryan.
“They email a group email address, and then a member of the security team handles it.” “Okay. Who are the group members?” asked Jerry. Ryan and Liz looked at each other. “Ummm,” said Ryan. “The group name is SecurityOps, and we set up Danielle Weyerhauser as the only email group member… Oh, wow! I just remembered Danielle left the company two months ago. She was just an intern and left when we couldn’t hire her.” “Why didn’t you hire her?” demanded Berger. “Well, sir,” said Liz. “You instituted a hiring freeze for everyone except retail workers.” The room went silent again. Jerry looked at Ryan and then Liz in disbelief. Ryan looked down. Liz stared straight ahead. Jesse muttered under her breath, “You mean I was replaced by an intern?” “So nobody at Bullseye is looking at alerts,” said Agent Duncan after several tense seconds. “Which means, for the past two months, at least, any email to the SecurityOps group from the team in India disappeared into a black hole. You spent a lot of money to put a system in place and then you didn’t use it. I suggest you resurrect the last year’s worth of messages from Bangalore for analysis. We have a team coming in from Quantico eager to take a look.” Liz started to protest but Berger cut her off. “Why don’t we hold off on assigning blame for now and focus on minimizing the damage and protecting Bullseye customers?” “An excellent idea, sir,” said Ryan. “All I can say,” said Liz, “is that if somebody broke into our system, it must have been a highly sophisticated operation.” “No,” said Jerry. “They messed up, which made it easy for us to find their GreenPOS program. They put it in the same folder where they collected stolen card data. They’re not that sophisticated. We can beat ’em.” “So what’s our next step?” asked Berger. Harlan looked at Jesse. Jesse looked at Agent Duncan. “We have more.” ●




Pat Craven is the director of the Center for Cyber Safety and Education and can be reached at [email protected]


How Do You Size Up? Help us find out by participating in our next big global workforce study.


Everyone does. You can’t help but compare. It’s a normal thing to do. Heck, we’re all human, and it’s just natural to want to know: Is my salary bigger than the person’s in the cube next to me? Are you being paid what you’re worth? How does your company stack up against others when it comes to benefits? Or what about compensation and work environment in today’s fast-changing and competitive cybersecurity world? Well, it is time to find out, and we need your help! Every two years, (ISC)2 and the Center for Cyber Safety and Education team up with other security-focused organizations, companies and government agencies to conduct the premier Global Information Security Workforce Study (GISWS), and now is the time for you to share your insights. In just 20 minutes, you can shed some light on your corner of the security world and reveal the industry in a way that no one else does. The GISWS survey has been totally redesigned and refocused with the help of new strategic partners like the Executive Women’s Forum and the International Consortium of Minority Cybersecurity Professionals, along with guidance from top industry and research experts. The goal is to provide an even better and deeper look into the security workforce. And it all starts with you. By now, you should have received an invitation to participate in the

survey from (ISC)² and Frost & Sullivan. If you trashed the unique URL that was sent, dig it out (check your spam box as well). Using that link will keep you from getting reminders over the next several months asking you to complete the survey. If you can’t find the email, you can still take the survey by going to www.isc2.org and click on the link there. To gain a comprehensive picture, it is important that as many people as possible participate from as many regions as possible. When we release the study in February 2017, it will have an entirely new look and feel. Gone will be the big book full of endless words and flat bar charts. In its place will be webpages full of interactive infographics and searchable data files. And, as an (ISC)2 member, we will give you exclusive access to select online data! Also, the new GISWS report will take a more regional focus, providing you workforce information that pertains to you and your local company and not just a broad global report—information that will be of interest to you whether you’re an employee or employer. It all starts with you taking a few minutes now to fill out the survey. Do it now before your next crisis gets in the way! Come on, you know you want to know. ●






JASON SACHOWSKI

Jason Sachowski lives in Toronto, Ontario, Canada and is originally from Dryden in Ontario. He is the director of Security Forensics and Civil Investigations at Scotiabank and has been an (ISC)2 member for nine years. EDITED BY ANNE SAITA

When did you realize you wanted to pursue a career in information security?

Going through high school in the mid-1990s, there weren’t a great deal of technology-based courses being offered. As graduation approached, I applied for both journalism/communication and film studies at a variety of university and college programs. After several rejections, I decided to go back for one more year of high school to focus on law and policing. From there, I went on to study physical security management at Fleming College in Peterborough, Ontario, Canada.

In my graduating year, I was speaking with the program coordinator about career options, where I learned about a new program being offered by Fleming College called Computer Security and Investigation. After doing some research, I came to learn what information security and digital forensics were all about, so I decided to give the program a try. It was probably well into my second year of the Computer Security and Investigation program when I started to think that this could really turn into a career, but I was still hesitant because there really weren’t a lot of jobs in the market for digital forensics. It wasn’t until my last semester when I was placed on my “work term” when I came to realize that this is what I wanted to do as a career. And, well, the rest is history.

The financial industry is a prime target for cyber attacks and therefore a bellwether for both problems and solutions. What do you see happening within the banking industry in terms of preventing emerging and existing threats?

There are really a few sides of the spectrum when it comes to emerging and existing threats. The first is centered on the global changes happening in the way we conduct business. The digital transformation most organizations are experiencing is driving them to re-evaluate their business models and become more agile in finding new ways to meet customer demands that don’t tie them down to the traditional “brick-and-mortar” approach. The second is how we—as security professionals and everyday users—go about making sure we protect our personal and otherwise confidential information in an always connected and technology-driven society. With demand growing for organizations to provide their increasingly mobile customer bases with products that are accessible at any time and from anywhere, the lines once separating the different types of information (e.g., banking, social media) are getting blurred as devices become “smarter” and provide users with greater functionality. Lastly, at the CEIC 2015 conference, I attended a keynote by Brian Krebs, where he was discussing his perspectives and insights into cyber crime and cybercriminals. During the Q&A session, I was able to ask him, from everything he has seen to date, what he thought the future held for cyber crime. He responded by describing how today’s cybercriminals execute attacks independent of each other and with little knowledge of their victims. Soon, we’ll see cybercriminals become much more coordinated in their efforts and have heightened contextual awareness of their victims, which means that cyber attacks will be better planned, executed, and specific data targeted for exfiltration. ●

An expanded version of this interview will appear in the August issue of Insights, a companion e-newsletter for the (ISC)2 membership.





At Twirling Tiger Media, our dedicated editorial and graphics team can create relevant and valuable content that engages and nurtures your target audience and puts you center stage as a solution to their challenges. From concept to deliverables, we are your one-source content solution.

Top Functions of Content
✓ Acquire new customers/members
✓ Increase brand relevance/influence
✓ Increase brand engagement
✓ Improve brand perception
✓ Improve brand awareness
✓ Establish brand as thought leader
✓ Increase loyalty

Contact Bob Ostrow today at [email protected]

Our content creation capabilities include: Articles, Blogs, Case Studies, Content Marketing, Content Strategy, Custom Content, Digital Media, eBooks, Infographics, Inspirational Quotes, Leadership Guides, Marketing Collateral, Press Releases, Publications, RFPs and Proposals, SEO Copy, Success Stories, Web Content, White Papers and more! www.twirlingtigermedia.com

TWIRLING TIGER media creators of content you can sink your teeth into

Twirling Tiger Media is certified as a women’s business enterprise by the Women’s Business Enterprise National Council (WBENC) and federally designated as a Women-Owned Small Business (WOSB).

Cybersecurity Team Training for All Levels of IT Personnel

Through globally recognized IT security certifications and training programs, (ISC)² provides organizations with assurance that IT personnel have been tested on industry best practices and that they possess broad cybersecurity knowledge. From on-site training and online learning options to certification exam vouchers, our training approach is customizable and flexible so that training is delivered effectively and efficiently to your IT security employees at all levels. Optimize your training budget with our tailored corporate training solution.

Get your staff trained and certified Official Creator and Provider of: