Some time back I published an article “What it Really Takes to Stand up a SOC”. This included a MindMap showing everything you need to consider while making a decision about establishing an internal Security Operations Center. Take a look at the PDF Download link for this MindMap. Since then, many people have asked questions about estimating the budget for standing up an internal SOC.
Although traditional methods of communication like RESTful APIs can be used for IoT communications, MQTT and CoAP are the two major IoT protocols for exchanging messages in IoT networks. This is a quick overview of both of these protocols.
Budget estimates are a major part of a SOC business case. A typical budget will consist of capital cost, payroll expenses, and annual recurring costs. The budget estimates also help in deciding whether to build an internal SOC or to use SOC as a Service. Following is a summary of the three major cost components. Capital Cost – […]
Information Security is a rapidly changing field, as advancements due to disruptive technologies like SDN, IoT, NFV and others have a direct impact on security management programs. Information Security professionals, in general, are perceived to be slow in adapting to new technologies and are often considered a roadblock. This perception must change, and this post […]
This is my latest Blog on CISOcast
Initiatives for Digital Transformation are front and center at every major corporation to keep their business competitive and relevant. Many technology research organizations are publishing papers about different aspects of digital transformation, which is categorized as a new industrial revolution.
Please note that this is an older post
It took some time to update the CISO MindMap but finally it is here. Thanks to all who provided suggestions for this update.
A very rapid change is happening across industries. Whether it is digital transformation, Internet of Things (IoT), Software Defined Networking (SDN), cryptocurrencies, virtual reality, 3D printing or others, change is visible everywhere. These changes are happening across all industries. CISOs not only need to adapt quickly to these changes but need to be on the leading edge of them. Business enablement is becoming a key role of modern CISOs. Good luck with all of this!
UPDATE: If you want to hang a printed copy of this mind map in your office, I would suggest using the CISO MindMap_a0 PDF and getting a 24×36 inch print from OfficeMax or some other place.
A related post to this mind map is about building a security operations center or SOC. Please refer to “What it Takes to Build a SOC”.
PDF versions of the CISO mind map are available for download using the following links.
Embedding security into the architecture and design of major IoT projects is the best way to catch problems earlier, avoid costly patchwork, lower the risk of data breaches, and meet compliance needs. However, research shows that most of the time security is either completely forgotten or is just an afterthought. The same is true for IoT, where the race to be first in the market is on, and taking care of the security and privacy of critical assets is not given due importance in design and implementation.
IoT is not only about connecting machines; the technology can do countless other amazing things. Recently I had the privilege of working with a few non-profit organizations promoting education. The solution involved Raspberry Pi, which is used in many IoT applications, to make a big difference in education.
Millions of families across the globe are forced into perpetual poverty due to lack of access to quality education.
Either schools are not available in many parts of the world, or, if schools exist, qualified teachers are hard to find. While many non-profit organizations are creating video lessons, in rural areas of many countries the Internet is not available to enable access to these video lessons. A major question is how to make this content available to students in these schools, and this is where Raspberry Pi comes into the picture.
Our solution involves partnering with non-profit organizations creating video lessons and using Raspberry Pi to make these lessons available to schools. Raspberry Pi has proved to be a promising platform because of a few key features:
- With a microSD card, it is possible to load video lessons locally on the device, eliminating the need for Internet web servers.
- An HDMI port is available to connect the Raspberry Pi to a TV set in the classroom.
- Raspberry Pi has a complete operating system, which enables adding features like running a local web server and web browser.
- Cost is one of the major factors. Raspberry Pi is available at very low cost.
- There are no moving parts in Raspberry Pi, so the system can work for a long time with little to no support.
- While the main use case is to connect the Raspberry Pi to a TV monitor in the classroom, WiFi is enabled so that other computers or handheld devices can also be used to view these lectures.
The hope is that this solution will bring a much-needed remedy to schools in villages and other remote areas to solve the issue of lack of teachers and quality lessons. This is especially important for science subjects, where teachers are hard to find and retain. The overall cost of the solution is low, as it needs only a small TV and a Raspberry Pi device. The next frontier is to add an option of solar panels to reach places where continuous electricity is not available. Raspberry Pi is a small device, but it is expected to make a big difference in the lives of students in these neglected schools.
Phishing is becoming a major threat vector and the preferred method for attackers to break into victim networks. The Verizon Data Breach Investigations Report shows that more than two-thirds of attacks in the espionage category used phishing as an attack vector.
Typical phishing attacks start well before people start receiving phishing emails.
Attackers use social media web sites to do research on potential targets and to craft “real-looking” emails. Once phishing emails are launched, it is almost certain someone will click on a link or download a file and open it. However, the good news is that a phishing attack is not successful just because someone clicked on a link. There are a number of additional steps before data exfiltration where information security teams can interrupt the attack and break the chain of events to avoid the data breach.
Following are the typical steps that are part of a phishing attack and that happen in sequence (which I call the “phishing attack chain”):
- Attackers do research on public sources of information, craft phishing emails, and send them to potential victims.
- When someone clicks on a link or downloads a file, attackers exploit an existing vulnerability to install malware or create a backdoor.
- Attackers use the malware or backdoor to download additional malware components.
- The malware is used to scan the victim’s network, gather interesting information, and collect data.
- Data is exfiltrated as the last step of the attack.
Information security professionals can use the following security controls to break the phishing attack chain and avoid data loss:
- Create a social media policy and educate employees about phishing attacks. This will not stop phishing attacks but can make the attackers’ task more difficult.
- Use spam filters. However, spam filters are limited in the face of sophisticated and targeted phishing attacks.
- Sandboxing technologies, when used effectively for email, can be very helpful in identifying and blocking phishing emails by testing links and attachments for malware.
- If the email software provides an option for rewriting the subject line or adding a footer to each email, use this feature for all email incoming from the Internet. Add specific words to the subject line or a footer at the bottom of emails to warn recipients that the email is coming from outside the company. This will help them be a little more cautious when clicking on links.
- Apply patches on end-user devices so that a click does not result in exploiting old and known vulnerabilities.
- Restrict outbound traffic on firewalls, which will help deny malware unrestricted outbound access. Monitor for dropped outbound packets on firewalls to detect potential malware infections and as an early warning mechanism.
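The last control above, watching denied outbound connections for early signs of an infected host, can be turned into a simple detection. The example below is added here and is not code from the original post; the key=value log format, the internal address ranges and the alert thresholds are assumptions, and the log lines are constructed samples.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (assumed key=value format, not from a real device).
SAMPLE_LOGS = """\
2016-03-01T10:00:01 fw1 action=deny proto=tcp src=10.0.5.21 dst=198.51.100.7 dport=6667
2016-03-01T10:00:02 fw1 action=allow proto=tcp src=10.0.5.21 dst=198.51.100.7 dport=443
2016-03-01T10:00:03 fw1 action=deny proto=tcp src=10.0.5.21 dst=198.51.100.8 dport=6667
2016-03-01T10:00:04 fw1 action=deny proto=tcp src=10.0.5.21 dst=198.51.100.9 dport=4444
2016-03-01T10:00:05 fw1 action=deny proto=udp src=10.0.5.21 dst=203.0.113.2 dport=53
2016-03-01T10:00:06 fw1 action=deny proto=tcp src=10.0.7.4 dst=203.0.113.9 dport=25
2016-03-01T10:00:07 fw1 action=deny proto=tcp src=203.0.113.50 dst=10.0.5.21 dport=22
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

# Assumed internal address space (RFC 1918); adjust to the real network plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def denied_outbound(lines):
    """Yield (src, dst, dport) for each denied connection from an internal host to an external one."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["action"] != "deny":
            continue
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            yield m["src"], m["dst"], int(m["dport"])


def flag_hosts(lines, min_denies=3, min_dests=2):
    """Return {src: summary} for hosts whose repeated denied outbound attempts to several
    destinations look like malware trying to reach out (thresholds are assumed values)."""
    denies = defaultdict(list)
    for src, dst, dport in denied_outbound(lines):
        denies[src].append((dst, dport))
    flagged = {}
    for src, events in denies.items():
        dests = {d for d, _ in events}
        if len(events) >= min_denies and len(dests) >= min_dests:
            flagged[src] = {"denies": len(events), "destinations": len(dests),
                            "ports": sorted({p for _, p in events})}
    return flagged


if __name__ == "__main__":
    for host, summary in flag_hosts(SAMPLE_LOGS.splitlines()).items():
        print(f"ALERT {host}: {summary}")
```

On the sample data only 10.0.5.21 is flagged: the inbound deny from 203.0.113.50 and the single deny from 10.0.7.4 fall below the thresholds, which is the point of counting distinct destinations rather than alerting on every drop.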
These are just a few quick and simple controls, but a comprehensive strategy is required to guard against phishing email attacks. A comprehensive approach will include many additional steps. For example, network segmentation, restricting email access on laptops/desktops that are used for controlled parts of the network, denying email and web access from servers, and other measures can be very helpful. Some businesses also use products and services for education and awareness, which can be an effective tool. A cost-benefit analysis of all controls will help in picking the ones that have the best potential of mitigating the risk associated with phishing attacks.
Data Breach Digest is the latest report from the Verizon RISK team. This is the same Verizon team that publishes the Verizon Data Breach Investigations Report, more commonly known as the DBIR. The main idea behind the Data Breach Digest is to share knowledge about specific data breaches with the security community. This is a report that tells the story behind selected data breaches: what happened, who did it, how it was discovered, the response, and recommendations so that you can avoid being in the same situation. It is a must read for every information security professional.
How is the Data Breach Digest different from the Verizon Data Breach Investigations Report (DBIR)? The DBIR is more about finding trends in the large amount of data that Verizon collects from many partners across the globe. The Data Breach Digest, on the other hand, takes readers closer to individual breaches. There are only 18 data breaches in the Data Breach Digest. However, each of these 18 data breaches is discussed in detail.
Data Breach Patterns are Very Common
As noted in the report, contrary to what people think, breaches are not usually unique and follow very common patterns. Twelve out of the eighteen data breaches included in the digest cover about 60% of all data breach cases recorded in the DBIR.
The six other data breaches cover the most “lethal” data breaches, those that were either difficult to detect/stop or had a huge impact on the business.
Just to give you an idea about what you will find in the report, the first data breach in the list involves a targeted social engineering attack. It describes how an employment offer to a chief design engineer through a social media site resulted in the loss of intellectual property, including the design of innovative construction equipment. While reading the story behind the data breach, you will realize how attackers trap people through social engineering, and how incident response is more than just tools and technologies: investigators need to have general investigative skills as well.
If you have incident response responsibility or you want to manage information security program effectively, this report is for you. You will learn techniques attackers are using and how to defend against similar attacks.
If there is one thing that a reader can take away from the Data Breach Digest, it would be the Attack-Defend Cards included in the report. Each of the eighteen data breaches included in this report comes with a one-page summary named the Attack-Defend Card. This page summarizes the breach scenario (including frequency and sophistication level), who the attackers are and what their techniques are, useful data about the incident, and how to defend against it.
A Tool for Security Awareness
The Data Breach Digest is a great tool for security awareness programs. Readers can use the Attack-Defend Cards very effectively in raising awareness across IT and non-IT communities.
Want to know about the dangers of USB devices? There is a card for that! Partner misuse? There is a card for that! SQL Injection? There is a card for that. You get the idea!
Relevance to Industry Sectors
Just like the DBIR, this report also sheds light on particular scenarios that a specific industry must pay attention to. Manufacturing, Transportation, Utilities and Professional Services folks: pay special attention to Cyber Espionage. Accommodation, entertainment, retailers and hotels? POS intrusion is your biggest area of worry. Mining? Keep an eye on insiders. In short, you will find the relevance of specific data breaches covered in this report to your industry.
This report is a good read for the weekend or if you are on a long flight to a regional office on the other side of the continent. Enjoy and share with others!
The Data Breach Digest can be downloaded from the Verizon web site: http://www.verizonenterprise.com/verizon-insights/data-breach-digest/2016/