Download - Info Sec Pro Issue 17
-
7/31/2019 Info Sec Pro Issue 17
1/29
ISSUE NUMBER 17
An (ISC)2 Digital Publication
www.isc2.org
The HUMAN FACTOR of Social Engineering
Mobile device malware takes social engineering to a new level with human vulnerability.
[features]
10 The Human Factor of Social Engineering. Mobile device malware takes social engineering to a new level with human vulnerability. BY CRYSTAL BEDELL
14 Are You Ready for Next-Gen Security Audits? New technologies, various social networking architectures and compliance regulations are a recipe for next-generation security auditing. BY PETER FRETTY
18 How to Self Promote the Right Way. Advance in your career with strategic self-promotion. BY SANDRA GITTLEN
ISSUE NUMBER 17 INFOSECURITY PROFESSIONAL 1
issue 17
[also inside]
3 (ISC)2 Makes a Strong Push. Executive Letter: From the desk of (ISC)2's Executive Director Hord Tipton.
4 Moderator's Corner: Views and Reviews. Highlights from (ISC)2's event moderator, Brandon Dunlap.
6 FYI: Member News. Read up on what (ISC)2 members worldwide and the organization are doing.
20 Shelter from the Economic Storm. (ISC)2 Foundation: Results from The Foundation's 2012 Career Impact Survey.
21 Chapter Passport. Join a local (ISC)2 Chapter and make a (secure) difference in your community.
22 Confronting Mobility and the Cloud. Q&A: (ISC)2 board member Dan Houser discusses mobility and cloud security.
24 A New Authentication Paradigm. Global Insight: Bringing an old technology back to life. BY LARS MAGNUSSEN
2012 VOLUME 1
InfoSecurity Professional is published by IDG Enterprise Custom Solutions Group, 492 Old Connecticut Path, Framingham, MA 01701 (phone: 508 935-4796). The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2 on the issues discussed as of the date of publication. No part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other (ISC)2 product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. For subscription information or to change your address, please visit www.isc2.org. To order additional copies or obtain permission to reprint materials, please email [email protected]. To request advertising information, please email [email protected]. © 2012 (ISC)2 Incorporated. All rights reserved.
executive letter: FROM THE DESK OF THE (ISC)2 EXECUTIVE DIRECTOR

Safe and Secure for all Generations
THE (ISC)2 MISSION: SERVE NOT ONLY INFOSEC PROFESSIONALS, BUT ALSO REACH OUT TO THE NEXT GENERATION.

IT SEEMS A NEW YEAR has just begun, and suddenly, we're nearly three months into it. We've hit the ground running, with new Board members, a new career survey (see page 20) and new plans for the 2012 Security Congress conference in September. And we're not slowing down anytime soon. We have much to look forward to this year, thanks to our ever-energetic, dedicated staff and members.

As I look at how far we've come in our 20+ years, I can't help but remark on how our organization and our membership have evolved. We originally focused on CISSP as the credential for someone who mastered security and required five years for that certification. We have since broadened our mission to serve other communities, developed other robust credentials, and we continue to add to our list of certifications and resources.

Our approach today is to reach out to all generations, to develop an awareness of and an interest in information security as a stable yet vibrant career choice. Our member volunteers now have more than 1,000 hours in teaching our Safe and Secure Online program, and we're working with other non-profits in educational segments around the world to help spread the knowledge throughout secondary schools to make cyber security awareness a lifelong pursuit.

We know that security threats are at the top of your radar. It's our job to arm you with the most useful and informative resources in order to prepare for and combat the most difficult security issues. The top challenges of note fall into three areas:

Social media: This communication channel is becoming a way of life, blurring the boundaries between our personal and professional realms. From businesses, to educational institutions to young children, social media is a vehicle that facilitates not only global communication but also social engineering and identity theft.

Mobile technology: Mobile technology is much more sophisticated than ever. As Jayson E. Street, CIO at Stratagem 1 Solutions, notes in our "Human Factor of Social Engineering" article in this issue (see page 10), mobile phones are not phones. They are computers that make phone calls. Mobility alone changes the security landscape.

Application security: Social media, mobile technology and applications create the perfect security storm. The more applications on the network, the more vulnerabilities in databases and elsewhere. We are continually monitoring these areas so we can provide you the professional development tools you need to stay ahead of them.

If you have expertise in any of these areas, we'd love to have your input and your presentations. As we prepare for the second annual Security Congress, which takes place in September in Philadelphia, Penn., U.S.A., we are seeking your knowledge to share with other members and conference attendees. You can submit your papers online at https://www.isc2.org/conferences.aspx.

In the meantime, be sure to check out this issue's articles on social engineering, audits, and, of course, the Foundation column, which features results of the (ISC)2 2012 Career Impact Survey.

Sincerely,
W. Hord Tipton
CISSP-ISSEP, CAP, CISA, CNSS
Executive Director, (ISC)2
Management Team
Elise Yacobellis, Executive Publisher, 727-683-0782, [email protected]
Timothy Garon, Publisher, 508-529-6103, [email protected]
Marc G. Thompson, Associate Publisher, 703-637-4408, [email protected]
Amanda D'Alessandro, Corporate Communications Specialist, 727-785-0189, [email protected]
Sarah Bohne, Senior Communications Manager, 616-719-9113, [email protected]
Judy Livers, Senior Manager of Marketing Development, 727-785-0189 x239, [email protected]

Sales Team
Christa Collins, Regional Sales Manager, U.S. Southeast and Midwest, 352-563-5264, [email protected]
Jennifer Hunt, Events Sales Manager, 781-685-4667, [email protected]
Lisa O'Connell, Regional Sales Manager, 781-460-2105, [email protected]

IDG Media Team
Charles Lee, Vice President, Custom Solutions Group
Alison Lutes, Project Manager
Joyce Chutchian, Senior Managing Editor, 508-628-4823, [email protected]
Kim Han, Art Director
Lisa Stevenson, Production Manager

ADVERTISER INDEX
IEEE p 13; ISACA p 25; (ISC)2 p 5, p 9, Inside Back Cover, Back Cover; Microsoft p 2; Novell Inside Front Cover; University of London p 17

For information about advertising in this publication, please contact Tim Garon at tgaron@isc2.org
moderator's corner: VIEWS AND REVIEWS FROM (ISC)2'S EVENT MODERATOR

2012: The End of the Beginning?

ACCORDING TO SOME ANCIENT CALENDARS, 2012 marks the end of days for life on Earth. As the so-called fateful year begins, I can't help but think they had it all wrong. This year is like every other; a new year with a new beginning. Perhaps it's my optimism as I emerge from the long dark winter. Maybe I haven't lost my youthful idealism (naiveté?) after all. Either way, I think that this is our time, as security professionals, to push through our historical baggage and seek a new way forward.

This year should be the year that we break out of our IT silos and run through the organization with our banners held high above our heads. We should be seeking to co-opt or coerce our peers across the org chart to come to our side. This is the year of convergence, but not in the way that we have been led to believe.

2012 is the year we push our business sense in the right direction. Metrics, as we will discuss in this issue of InfoSecurity Professional, are a big part of our business mindset. While we have spent a lot of time in the past couple of years discussing the metrics of security, I pose the following question: Is there really such a thing as a metric for how secure we are? Instead, I suggest we track our operations like they were a business unto themselves. I would go so far as to posit that there is no such thing as a security metric, only performance metrics about how well our security program is functioning.

To that end, we can develop our metrics programs with an eye toward other areas of the enterprise in which we can become much more ingrained. For example, as (ISC)2 has continued to deliver their Security Leadership Series on the software development lifecycle, we have begun to introduce more topics in our Web series. In the waning days of 2011, we discussed the risks associated with open-source software (link to the archive, which qualifies for CPEs, can be found here: http://bit.ly/OpenSourceRisks). This represents some phenomenal opportunities to introduce quality-oriented security metrics into our development processes. This is but one example of how we can wave our banner across the enterprise, showing ways in which the security function can help fix areas of inefficiency and quality, with a keen eye on the business benefits of oversight.

Continuing in the same vein, and while it may seem like a long way off, (ISC)2 and ASIS will be joining forces again in September for Security Congress, this time in Philadelphia, Pa., U.S.A. Based on last year's success, this program promises to truly bridge the gap across the great divide between traditional and logical security.

I'm feeling pretty good about 2012. What about you?

As always, I look forward to continuing the conversation,
Brandon Dunlap
Managing Director of Research, Brightfly
www.brightfly.com
(ISC)2 MEMBER NEWS: fyi

Introducing: (ISC)2 Security Central
(ISC)2 SECURITY CENTRAL is the new online resource for security professionals and the public at large. It focuses on providing valuable resources for those interested in the security field and increasing security awareness. (ISC)2 Security Central brings together information from (ISC)2, industry organizations, security practitioners and more. In addition to searching the site for useful resources, (ISC)2 members and other security professionals are encouraged to contribute their security events, publications, white papers, podcasts and more to share with other site users. Stay tuned for more details soon on how you can contribute your resources to the site and begin using (ISC)2 Security Central.

New Year, New Board
(ISC)2 IS PROUD TO ANNOUNCE the following new members of its Board of Directors, who will serve three-year terms, effective January 1, 2012. The (ISC)2 Board provides governance and oversight for the organization, grants certifications to qualifying candidates and enforces adherence to the (ISC)2 Code of Ethics. Please welcome the following new board members:
Daniel D. Houser, CISSP-ISSAP, CSSLP, Senior Security and Identity Architect for a Global 100 healthcare organization (U.S.)
Wim Remes, CISSP, Manager of Information Security at Ernst & Young ITRA FSO (Belgium)
Prof. Jill Slay (AM), Ph.D., Fellow of (ISC)2, CISSP, Dean: Research in the Division of IT, Engineering and the Environment at the University of South Australia and Professor of Forensic Computing (Australia)
Greg Thompson, CISSP, Vice President and Deputy CISO at Scotiabank (Canada)
The elected board officers for 2012, serving a one-year term, include:
(ISC)2 Board Chair, Freddy Tan, CISSP (Singapore)
(ISC)2 Vice Chair, Benjamin Gaddy, CISSP, CSSLP, SSCP (U.S.A.)
(ISC)2 Board Treasurer, Flemming Faber, CISSP (Denmark)
(ISC)2 Board Secretary, Richard Nealon, CISSP, SSCP (Ireland)
(ISC)2 and ASIS International Team Up Again
2012 (ISC)2 Security Congress Registration Now Open
(ISC)2 AND ASIS INTERNATIONAL have teamed up once again for the largest security event of its kind in the world. The second annual (ISC)2 Security Congress (www.isc2.org/conferences.aspx), colocated with the ASIS International 2012 58th Annual Seminar and Exhibits, will take place September 10-13, 2012 in Philadelphia, Pennsylvania, at the Philadelphia Convention Center. These events will bring together more than 20,000 security professionals from all disciplines, providing attendees with professional development opportunities that span both the traditional and information security landscapes.
(ISC)2 members have exclusive access to members-only events such as a networking reception and Town Hall Meeting, not to mention a significant discount on regular conference registration pricing. To register, visit www.isc2.org/congress2012

ISLA Asia-Pacific Call for Nominations (Opening in March)
THE CALL FOR NOMINATIONS for the sixth annual (ISC)2 Asia-Pacific Information Security Leadership Achievements will open in March 2012. Now is the time to recognize an information security professional in the region who deserves to be nominated for their leadership and innovation in the information security workforce. For more information, visit www.isc2.org/isla.

Don't forget to take the quiz and earn CPEs: http://bit.ly/A7vA9A
For a list of events (ISC)2 is either hosting or sponsoring, visit www.isc2.org

SAFETY FIRST: Safer Internet Day
SAFER INTERNET DAY, organized by Insafe, which is co-founded by the European Union, is celebrated annually in over 65 countries throughout Europe in early February. The Day recognizes the importance of the Internet in the lives of children. Now in its ninth year, the theme for 2012's Safer Internet Day, "connecting generations and educating each other," emphasized the complexity of challenges currently faced by children in their digitally connected lives. On February 7, 2012, (ISC)2's UK-based Safe and Secure Online volunteers visited 19 schools, educating more than 4,000 students across the UK. For more on Safer Internet Day, visit www.saferinternet.org/web/guest/safer-internet-day.
Survey Says: Positive InfoSec Career Outlook for 2012
A SPECIAL THANK YOU to the 2,250+ (ISC)2 members around the world who participated in the 2012 (ISC)2 Career Impact Survey. The results are in, and the infosec industry remains steadfast with a bright future ahead. Read the Foundation column on page 18 for more information. Full results are available at https://www.isc2.org/industry-resources.aspx.

NEW! Introducing The (ISC)2 Knowledge Vault
THE (ISC)2 KNOWLEDGE VAULT interactive video series offers quick advice and features from (ISC)2 and InfoSecurity Professional magazine. It's a one-stop shop for security resources that can also be shared via Twitter, Facebook, LinkedIn, etc. Take a look at this online video and content series, and check back often for new videos, valuable security resources and exclusive online issues of InfoSecurity Professional magazine! Visit http://bit.ly/xoR6n

Tout It Out!
See the latest blog posts by fellow (ISC)2 members on the (ISC)2 blog at http://blog.isc2.org. Share your innermost thoughts, advice and expertise with other industry pros today.

As Seen in SC Magazine
THE SC MAGAZINE COVER STORY, "The New Wave; Modern Security Education," examines hands-on programs for students pursuing Infosec careers. The (ISC)2 Foundation's scholarship program is highlighted in this article.

(ISC)2 Helps Aspiring Pros Prepare for Careers in Cyber Security
(ISC)2 HAS ADDED the Certified Secure Software Lifecycle Professional (CSSLP) and Certified Authorization Professional (CAP) credentials to its Associate of (ISC)2 program to help fill the pipeline of qualified information security professionals. Candidates who pass the CISSP, CSSLP, CAP or SSCP certification exam but lack the professional experience required to become certified will be granted Associate of (ISC)2 status until they meet the necessary experience requirements (within the allotted timeframe for their preferred certification). The Associate of (ISC)2 program is also a great resource for universities around the world looking to assist graduates as they transition into the professional world.
The HUMAN FACTOR of Social Engineering
Mobile device malware takes social engineering to a new level with human vulnerability.
by CRYSTAL BEDELL

There are plenty of reports on mobile malware and its pending explosion. It seems as if the media and antivirus vendors would have IT professionals holding their breath as they wait for a wave of malware to hit smart phones and tablet PCs. While the threat of mobile malware is real and likely to become more serious, another critical threat to mobile devices is already well underway. It doesn't rely on vulnerabilities in the operating system, so it can't be patched. It relies on human vulnerability. We're talking about social engineering.

Attackers are conducting social engineering attacks via smartphones and tablet PCs to gather personal data from unsuspecting users. When those same devices are used to access the corporate network and its resources, the corporation is at risk. "There's a significant chance that whatever credentials are stored on the phone will be collected, and a large chance that those credentials are shared by other apps within the corporation," says Ryan O'Horo, senior security consultant at IOActive.

With these credentials, attackers can log into the VPN and get access to the corporate network, read users' sent emails, write and send email, access employee portals and collect contact information to conduct further social engineering attacks.

"The majority of corporations are not doing their due diligence for social engineering preparedness. Now that they have laptops and phones with information on them, it means that the threat to security for the corporation is increasing instead of decreasing, even if they are attempting to keep pace with it," says O'Horo.

Social Engineering on Mobile Devices
Social engineering attacks can be carried out in a number of ways on a mobile device. Similar to spam and phishing attacks via desktop IM and email clients, attackers are using SMS messages and mobile email to social engineer users of mobile devices. SMS message spam can become a nuisance and rack up exorbitant service fees for the user. Forged emails and email spam can appear more legitimate on a mobile device, given the screen real estate and users' propensity for brevity when sending email from a mobile device.

Attackers also use social engineering to sell illegitimate applications to users. Social engineering techniques are used to convince the user to download applications. The app may be promoted as solving a particular problem or be associated with a popular movie or other cultural trend to make it look appealing. Simply offering the application free of charge motivates unsuspecting users to click the download button. Oftentimes, the actual application may serve a legitimate purpose, but collect personal data in the background when the user accepts the terms and conditions for use.

Research firm Loudhouse conducted a mobile device security survey for vendor AdaptiveMobile and found that an average of 84 percent of all apps downloaded were free, compared to just 16 percent paid. Furthermore, users are willing to risk their personal information to avoid paying for applications. Twenty-five percent of survey respondents said they would be willing to download a free app that might contain personal information over a paid app that definitely did not.

Loudhouse evaluated the data usage of 40 applications drawn from the top 20 free applications and top 20 free games available for download across the iPhone and Android stores and marketplaces. Case in point: from those 40 applications, Loudhouse found that collected data was passed on to more than 146 domains.

Psychological Principles at Work
Social engineering attacks via mobile devices work on the same principles as those delivered via desktops. "The topic is new: the considerations for social engineering related to mobile platforms. But they're not much different from our classic social engineering threats that are still persistent, and we're not dealing with it very well," says O'Horo.

Jason Rhykerd, consultant, SystemExperts Corp., agrees. "It's the same concept and the same philosophy, just a new attack vector," he says.

Regardless of the attack vector, social engineering exploits a user's propensity to trust others. The attacker takes advantage of this trust to manipulate the user into performing an action: say, clicking on a link in an email, or sharing confidential information. The difference between a social engineering attack delivered via a desktop vs. a mobile device, from a psychological perspective, is the threshold of acceptability, says Jayson E. Street, CIO of Stratagem 1 Solutions. "The threshold of caution is lower. People are less cautious on their mobile device than on a computer. They are more likely to click on a link," Street says.

Street explains that the same email sent to a recipient on a mobile device and a recipient on a desktop is more likely to be opened by the mobile device user. Users have been educated on social engineering threats for computers, but they don't yet understand that those threats also exist on their mobile devices. "We've schooled ourselves that there are threats for computers; be careful about email on your computer. Information security has not figured out a proper way to explain to people that it's not a phone; it's a computer that makes phone calls," says Street.
The trust that users have in their landlines has carried over to smartphones. In the eyes of the user, the device is a phone, not a computer. This is evidenced by the buying cycle, explains Street. People don't buy a new computer every year. And yet, this is becoming the norm for smartphones. Meanwhile, smartphones are becoming increasingly accessible to users who are less tech-savvy. As the price goes down, the number of users goes up. Attackers can easily exploit the inherent trust people have in their phones and use it against them.

The form factor and way that mobile devices are used also lend themselves to a lower threshold of acceptability. For example, it is easier to forge an email to be read on a mobile device because users are likely to write sparingly. A user writing an email on a mobile device is likely to be on the move, perhaps in a rush. The email gets right to the point. Because of the small keyboard, recipients are more forgiving of grammatical and spelling errors.

Users are also more likely to click on a link delivered to them on a mobile device than they are to click on that same link via their desktop. "People want to do as little as possible to get what they want," says O'Horo. That means clicking on the link without taking any precautionary measures, especially when those precautionary measures are difficult to execute.

"We've trained people to hover over a link to see where it's going or to type directly into a browser instead of clicking. But these things are harder if not impossible on a cell phone. Users would rather click on a link than type it, and hovering over the link is not easy to do on a phone," says Rhykerd.

Defense Measures
Defense measures are in order to protect end-users and corporate assets. "It goes back to the basics. One of the most important factors with social engineering, phishing and spam is education and understanding. We don't click on links unless we know what they are. It's a simple answer. But it's an honest and true answer as well," says Rhykerd.

"Corporations can have policies about what can be on mobile devices, but it doesn't mean they have the tech controls as well. That's where the human element enters the picture. With social engineering, the weakest link is the human, and it's always different. The most bang for your buck is that end-user education. With different attack vectors creeping up on us, it's time for some updated education," Rhykerd says.

User education starts with teaching people that their smartphones and tablet PCs are mini-computers that require cautionary measures similar to their desktops and laptops. However, users do not patch their mobile devices and for some vulnerabilities, no patches exist. For example, Street says Apple does not release patches for iOS, so every single user still using older iPhones remains vulnerable. There are apps to help secure Android smartphones, but those are less vetted and may cause more harm than good. For this reason, users need to be more careful with their mobile devices than they currently are with their desktops.

"When we're talking about social engineering, the patch is called awareness. It's called education. People are smart and intelligent. They just need to be made aware. They aren't going to do something to expose themselves, they just need to understand what the threat is and that it's real," Street says.

Crystal Bedell is a Washington-based, award-winning writer specializing in information security and computer networking.
ARE YOU READY FOR NEXT-GEN SECURITY AUDITS?
NEW TECHNOLOGIES, VARIOUS SOCIAL NETWORKING ARCHITECTURES AND COMPLIANCE REGULATIONS ARE A RECIPE FOR NEXT-GENERATION SECURITY AUDITING.
by Peter Fretty
And as change occurs at superast speeds, enterprises rely heavily upon new tech-
nologies and processes to provide true competitive advantages. For security proes-
sionals, this means its time to prepare or the next-generation security audit.
Te next-generation security concept encompasses everything rom multi-
barrier network protection to context-aware computing to articial intelligence,
explains Damon Petraglia, CRISC, director o orensic and inormation security
services with New York City-based Chartstone Consulting.
When you combine new and advanced technologies with social networking,
dierent architecture approaches, cloud computing and conusing compliance
regulations, you have the recipe or a thousand dierent approaches to inorma-
tion security and security auditing, he says. Each o thesesocial networking,
architectures, cloud, and regulationsmust be considered on many levels includ-ing business need, return on investment as well as a risk management ramework.
Te question is simply: I we implement a given business solution, can the risk to the
organization be reduced to an acceptable level while retaining maximum benet o
the solution?
According to Petraglia, the difficulty in addressing this question is that far too often the audit mentality drives security professionals. "This may be effective for compliance purposes, but compliance does not always equal security," he says. "Security professionals need to understand that compliance is yes or no, on or off, black or white, and security is a million shades of grey. No system is ever 100 percent secure, and the security professional must understand that any given business needs to function within an acceptable level of risk. It is this balance that the organization must strive for and the security professional must assist or guide in implementing."
Michael A. Davis, CEO of Tinley Park, Ill., U.S.A.-based Savid Technologies, Inc., agrees, adding that these new technologies and business models change the auditing paradigm because they require auditing of third parties at deeper levels.
"The problem with these factors is that most of the other disruptive technologies auditors had to deal with were simply new technologies: new, faster and better ways to do something everyone understood," Davis says. "However, social media and cloud computing are new business models and methods of collaboration, meaning many audits need to start by simply understanding the factors before trying to audit them. Also, most IT audits deal exclusively with IT, whereas cloud and social media incorporate non-IT folks, meaning the auditor's communication skills must improve as well."
NEED-TO-KNOW BASIS
As security professionals develop audit strategies, the need to keep up with technology, regulations, and new threats is not only a difficult task, it's also essential.
"Organizations can prepare themselves for success by revising and improving their security risk management process to have the ability to address special topics outside the normal annual assessment," explains Doug Landoll, Denver, Colo., U.S.A.-based author of The Security Risk Assessment Handbook. "They can also ensure assessment professionals are aware of the risk associated with new technologies, threats, and regulations," he says. Davis suggests hiring outside help to assist if your assessors are not familiar with these new technologies.
There is also a need for security professionals to focus on improving their understanding of the business processes, security and technical perspectives, as well as risk management. "Security professionals need to be much more diverse and dynamic now than ever before. They need to understand the business industry, standards, and applicable requirements, and the core and advanced security concepts called upon," says Petraglia.
Petraglia adds that the real key is being able to integrate all of these aspects so the security professional can holistically view the posture of a given network rather than by individual security compliance requirements. "The security professional must be able to understand the interdependencies and interactions between platforms and technologies, and identify inherent weaknesses and vulnerabilities that result from the interdependencies, all while providing technical and procedural solutions to ensure maximum business process with a minimum level of risk," he says.
It's a given: Life in IT security is life in the fast lane.
FIELDING FRESH PERSPECTIVE
Organizations need to understand and employ the basics first, then the advances in technology for the next generation, explains Petraglia. "Anything can be transitioned into the business processes with little or no difficulty. Both the business and security professional need to realize that technologies such as cloud or social media are increasingly necessary for the viability of the organization; it is simply a matter of how to minimize the risk when implementing the solution," he says. "Any business or technical process has a lifecycle. It's crucial to incorporate core security concepts and controls into the lifecycle of any given process."
According to Petraglia, taking a basics-first approach will ensure better security as well as better control of the investment, since security is not retrofitted. Security must be considered from conception through disposal of technical and business processes by both the organization and the security professional.
"Next-generation technologies and concepts are easier to deal with from either a business or security perspective if one understands the basic concept of risk management," he says. "Integration and advanced technology are here to stay and will continue to evolve at speeds faster than we've ever seen. Unfortunately, the same can be said for the threats that face our businesses, systems, and data. Managing and balancing the risks through the thorough understanding of the technologies, security, and business processes by both the business owners as well as the security professionals is the key."
A REFINED APPROACH TO SECURITY
For many, the concept of working increasingly with third-party data sources (such as social media and the cloud providers) means the perimeter of the organization starts to melt away, and organizations need to embrace a refined approach to security. This is a significant transition, according to Davis.
"Most security professionals use security policies that follow the castle and moat paradigm, where the company has a bunch of data on a bunch of servers at its internal data center. In this scenario, the company controls what goes in and out by putting guardians at the front gates and forcing people to come in over a moat," he says. "Firewalls, intrusion detection and prevention systems, and Web application firewalls all work following this paradigm, but every major breach analysis has shown that data is much less likely to be stolen because of a vulnerability in the transport mechanism."
However, it's important to realize that the biggest risk is not on the outside. It often involves the people who live and work within the castle: authorized and authenticated users with legitimate access to data, whose network access can be taken over by malware and attackers, explains Davis.
"Cloud services, globalization, and collaboration have turned the security paradigm on its head as legitimate users are using these services to get work done, but don't realize the security implications," Davis says. "The most effective way a security professional can adapt to the new environment is to implement data-centric security. To do that, we need to articulate what makes data-centric security different from what most security professionals are doing now."
The data-centric approach works whether dealing with social media, cloud, or the next big technology advancement, Davis says. He suggests referring to the Four Ws of the data-centric security model: Where is the data? What is the data? Who has access to it? And why do they need access? After all, Davis says, no matter what the technology does in the future, your data is still data, and it needs protection.
Peter Fretty is a freelance business and technology journalist based in Michigan.
WHY NEXT-GEN SECURITY AUDITS?
Here are a few of the key components fueling the need for next-generation security audit procedures:
• SOCIAL NETWORKING: "Whether through company-sponsored blogs, employee access to Facebook, or outsiders posting negative Yelp reviews, an organization needs to first understand its exposure through a social media risk assessment," explains Doug Landoll, author of The Security Risk Assessment Handbook. "These risks can be remediated through improved security awareness training, updated policies and procedures, and the implementation of new technology or services," he says.
• CLOUD COMPUTING: In this scenario, services and business unit systems are handled by an external service instead of an internal IT department. "To be prepared for the next-gen audit, security professionals need to understand how the cloud provider plans to meet organization security requirements, and demonstrate that they will continue to meet them as they evolve," Landoll says. "A cloud service risk assessment can document the security requirements, point out the areas of risk, and provide recommendations for required contractual elements necessary to maintain adequate security."
• COMPLIANCE REGULATIONS: Compliance regulations change often, and their interpretations and accepted application even more so. As such, keeping up with PCI v2.0, HIPAA/HITECH/Meaningful Use, and the constantly changing privacy regulations can be an insurmountable task. "Organizations need to change their approach from chasing regulations to proactively creating a security program based on addressing risks," says Landoll. "Such a program typically already contains the essential elements called for in regulations."
How to Self Promote
the Right Way
Self-promotion doesn't have to be a dirty word. A good strategy can help you advance your career.
BY SANDRA GITTLEN
Start at the Start
Communicate Your Intent to Your Manager
Develop a Fan Base Beyond Your Cubicle
Prove You Have Skin in the Game
Do Your Job Well
Gittlen is a freelance business and technology writer in the greater Boston area.
Dos and don'ts for self-promotion
DO Scope out realistic advancement opportunities within your organization.
DON'T Threaten that you'll quit if you don't get promoted.
DO Share the positive impact you've had by highlighting initiatives you've led or participated in across the company and their results.
DON'T Blanketly state that you've single-handedly effected change.
DO Seek out educational or training opportunities.
DON'T Attend so many events in a row that your daily duties can't be covered and the budget is drained for co-workers.
DO Work with your manager to achieve your goals.
DON'T Seek help from his or her supervisor without his or her knowledge.
giving corner: FOSTERING GOODWILL, EDUCATION, AND RESEARCH INITIATIVES
Infosec Careers: Shelter from the Storm
DESPITE A WAVERING ECONOMY, INFORMATION SECURITY CAREERS OFFER STABILITY AND UPWARD MOBILITY.
ALTHOUGH THE ECONOMIC STORM continues to cast a dark cloud around the globe, the information security profession offers professionals shelter from the storm. That's just one of the telling highlights for infosec professionals uncovered in a new career management research study of (ISC)2 members conducted by the (ISC)2 Foundation.
The Foundation's 2012 (ISC)2 Career Impact Survey shows that nearly all of the 2,258 professionals who responded were employed in 2011. Of the few unemployed, half were without a job for some portion of 2011 of their own volition, either to pursue professional development, to relocate geographically, or to retire. Other findings include:
• 96% of respondents are currently employed.
• Of those unemployed during 2011, 2% were laid off, and 2% were unemployed of their own volition.
• Of those who sought employment last year, most relied on job websites, social media and networking for job seeking.
Advancement and salary opportunities drove 35% of professionals surveyed to seek new cybersecurity positions in 2011. And those who stayed in their position also saw increases in compensation. Of the 35% who changed jobs last year, 53% did so because they had advancement opportunities. And, nearly 70% received salary increases last year, while 55% expect to receive increases in 2012.
New jobs are being created daily in the information security industry, and there is a bright outlook for job creation and greater budget flexibility in 2012 as well.
• Roughly 34% of respondents experienced a new-hire increase last year, although 27% saw an increase in layoffs.
• Around 30% of survey respondents expect information security budgets, equipment purchases and new hires to increase in 2012.
• 51% of respondents plan to hire information security staff over the next year.
The information security industry remains focused on the security risks presented by mobile devices (personal or business) and cloud computing. Of those surveyed, 56% reported increased security risk in 2011, with 38% attributing most of that activity to mobile devices. Focus on specific skills when hiring:
• 81% of respondents said an understanding of information security concepts is an important factor in their hiring decisions. Other top factors are directly related experience (72%) and technical skills (76%).
• Top skills hiring managers seek are: operations security (55%); security management practices (52%); access control systems/methodology (51%); security architecture/models (50%); risk management (49%); telecom/network security (45%); applications/system development security (44%); and cloud/virtualization (35%).
Ensuring there is a steady stream of qualified, certified information security professionals to protect society from digital threats remains an issue. About 80% of respondents indicate that they are having a difficult time finding people with the right skills and aptitude to fill vacancies. To ameliorate this problem, (ISC)2 members can post their resumes for free on Career Tools, which employers can search for free. (ISC)2 also periodically hosts career assistance programs, such as the career fair that will be held at the 2012 (ISC)2 Security Congress.
At the (ISC)2 Foundation, we're using the Safe and Secure Online youth education program to introduce youngsters to the profession. What can you do? Consider donating to the Foundation in support of youth education and scholarship programs. Volunteer to go to local high schools to discuss your career with students, and encourage them to enter this exciting, interesting, and secure field.
To see the full survey results, visit https://www.isc2.org/industry-resources.aspx.
Julie Peeler, Director, (ISC)2 Foundation
(ISC)2 Chapter Membership: The Value Proposition
SINCE THE LAUNCH of the (ISC)2 Chapter Program in September 2011, we have received more than 70 petitions to form chapters around the world. (ISC)2 members are eager to network with other local professionals to share knowledge, discuss current industry trends, exchange resources and help educate the community about information security.
Through (ISC)2 chapters, members can spread awareness of the profession and educate the public on the dangers of cyber security threats, especially among school-aged children, as well as teachers and parents, through the (ISC)2 Safe and Secure Online program. It provides a valuable opportunity for chapter members to use their skills to help secure their local communities.
Why are members interested in joining an (ISC)2 Chapter, especially when there are many other chapter organizations from which to choose? Here are some of the responses we received from (ISC)2 chartering chapter members:
• Belong to a local forum for networking with local professionals;
• Stay up-to-date on new technologies and current trends;
• Promote the value of (ISC)2 certifications among employers and professionals;
• Create awareness and growth of the information security profession;
• Contribute knowledge and resources to fellow colleagues;
• Educate non-security professionals about protecting their information assets;
• Develop leadership and presentation skills;
• Reinforce the status of (ISC)2 credential holders in remote locations of the world.
The main purpose of the (ISC)2 Chapter Program is to serve the needs of our members. By joining a chapter, (ISC)2 members belong to a local network of like-minded professionals who are working toward a common goal. For those members who are not satisfied with the security organization in which they are currently involved, being a member of an (ISC)2 Chapter provides them the opportunity to contribute or make a difference elsewhere.
This is the time for you to make a difference for your community and for yourself. Don't wait. Get involved today.
(ISC)2 Chapter Directory
Check out the new, interactive map on the (ISC)2 Chapter Directory. It now distinguishes chartering chapters from those that are already established. Find an (ISC)2 Chapter near you by visiting: www.isc2.org/ch-directory.
If a chapter doesn't exist in your area, consider starting one. Visit www.isc2.org/ch-start for details (member log-in required).
Jayda Shriver, Chapter Program Manager
chapter passport: MEMBERS CONNECT AND COLLABORATE
Q&A: EXPERTS ADDRESS TRENDING SECURITY TOPICS
Embracing the Cloud Evolution
DAN HOUSER, AN (ISC)2 BOARD MEMBER FOR THE PAST THREE YEARS, IS A SENIOR SECURITY AND IDENTITY ARCHITECT FOR A GLOBAL HEALTHCARE ORGANIZATION. HE LEADS A TEAM OF SECURITY ARCHITECTS WHO PROVIDE SECURITY AND IDENTITY STRATEGIES, ROADMAPS, SECURE MODELS, AND REFERENCE ARCHITECTURES.
Q: You've worked as an information security professional for various industries, such as banking, healthcare, and education. What stands out as the common security aspect of all three industries?
While the risk tolerance between industries differs, the fundamental issues are all the same: how do we enable the business to meet its objectives with limited capital, and at the right risk model, while protecting vital intellectual property? All businesses struggle with managing a burgeoning identity architecture, and their architecture teams are always adapting to a stunning rate of change. Those patterns are largely the same across industries. As security professionals, we are trying to figure out what cloud means to our business, and many of us are both cloud service providers and consumers of cloud services. All of us are dealing with consumerization and what it means when 80% of your users are bringing their own smartphones and tablets to work.
Process change is another common issue. IT security vendors are usually selling tools, not processes. As my CTO at a bank said, "A fool with a tool is still a fool"; that is, adding a tool to a problem where you have ignorance doesn't resolve the ignorance. I think that's universally true. You have to address personnel, process, and technology, and process change is always harder than tool change.
Q: On which new healthcare security initiatives are you currently working?
Cloud and mobile. My company is working aggressively on exploring the business case for cloud-based models for our service. We already offer several as innovative cloud solutions, and those bring unique security challenges because it's changing
our business model in some cases. We are in our second year of a successful bring-your-own-device program that has struck the right balance between risk and usability. We are also deploying mobile solutions to our customers to provide immediate information access and to improve overall patient care. It's a very exciting time to be leading security initiatives in healthcare! Security in the cloud, regardless of industry, is still uncertain.
Q: What are the biggest security issues, and how do you see them changing?
I think that most cloud models are the ones that we've been using for a decade. The exception is Infrastructure as a Service (IaaS), which is a more recent innovation within most organizations, but one that has been effectively used in the past with grid and distributed models.
I see cloud services as really just an evolution in virtualization and service-oriented architecture, not a complete revolution. Security issues aren't necessarily different from secure design patterns we have seen before. It's merely the velocity of cloud implementations that has changed dramatically.
Identity will remain a pivotal issue in extending a secure cloud presence, as will data security, application security, and establishing and governing a third-party trusted relationship.
Q: Where do you see the biggest security challenges in the next few years?
I think the most significant issue we're going to face is data being pushed to the edge, with consumerization of IT driving tremendous innovation and change. We've now seen the tipping point, where consumers are buying more computers than companies. That is not only a huge change for IT, but also for a security model that has traditionally been based on perimeter security.
Identity is the new perimeter, and both identity and content are the most important parameters to understand when trying to transition to a data security model that works in today's IT world. We will need to change our models for how we think about security in that context. Hard-core crypto is where we usually turn for data security. However, cryptography may not be viable when those platforms are lightweight with mobile chipsets and no USB ports or other ability to extend hardware or firmware (or, sometimes, even software) because they're consumer appliances.
Q: Are these challenges global?
As a global issue, consumerization and mobile data security challenges will differ based on economics and consumer infrastructure. However, I think a substantial number of workers are bringing a smartphone to work in most developed nations, or will do so in the next few years. Globally, we are responding to the same market forces and will have the same issues, but with a different integration model and response. All industries, globally, are seeing substantial changes in how we need to think about mobile data security.
A New Authentication Paradigm?
WITH THE PROLIFERATION OF THE CLOUD, an old issue has resurfaced: seamless authentication and authorization to remote services. This concern has been around for many decades, with the development of protocols like Kerberos and tools such as IKE and AD. However, none of these protocols truly solved the overall problem.
User-ID/password is without a doubt the single most used and trusted method to achieve authentication and authorization. However, this method has proven to fail more than we would like to admit. Services offered by Microsoft, Google, Amazon and Facebook are increasingly revered by other Web services as trusted, using them as a sort of public key infrastructure (PKI), though all are based on user-ID/password. Why is this?
The answer is administrative simplicity. All other methods require more resources or a higher level of user complexity. The user-ID/password method, despite its unreliability and possibility of user negligence, is cheap (often zero cost) compared to other methods.
Central allocations and revocation are too complex, and the responsible security staffers simply hope the user will not misuse any access privileges. Still, statistics say 80 percent of all IT crimes are internal, reminding us that opportunity often creates the criminal.
In the age of the integrated cloud, perhaps it's time for a paradigm shift: a new multiplatform authentication technology that would support system owners and allow administrators to maintain access control while utilizing the proper tools (without using external services).
How can this be done? Let's face it: the technology has been around for years, such as private/public keys and PKCS#12 certificates. We just have to tweak some protocols and tools to make this shift. For starters, we can use trusted certificate data to validate organizations. From there, individual keys can link individuals to the organization.
Can it be done? Yes, it can be done. In fact, it already has been done, though most of us don't realize it. The model design for this type of tool is called Factorum. Factorum was the authentication and authorization process for the AT&T Plan9 Operating System (OS) from the early 1990s. Factorum works a lot like SSH and IPSec public/private key processes, but it's not a part of the operating system. Rather, it sits on top of the OS, and controls a single user's access to the complete system. Designed for a distributed, multiserver environment, it supports all protocols we can encounter, not just Web ones.
Plan9 and Factorum are no longer available, but by adding Factorum-like functionality to the current PKI/AD and allowing local and remote systems, as well as protocols like SAML2, to work with public/private keys instead of current identity parameters, we get a simplified functionality. This allows local system owners to control access by distributing public keys and revoking access by deleting the private ones.
By mimicking Factorum's role-based authorization, we could give the user the right access in the same way a local AD installation would be accessed. We could then have a trustworthy, boundless single sign-on authentication/authorization without multiple passwords or costly two-factor authentication tools.
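The scheme sketched above (an organization validated by its trusted certificate data, individuals linked to it by their own keys, and a local system owner granting or revoking access by installing or deleting public keys, with no external identity service) can be exercised with Go's standard crypto/x509 and ECDSA packages. This is an added example written for this page, not code from Plan9, Factorum or the columnist; the Identity, Service, Grant, Revoke and Authenticate names are hypothetical, and it models revocation as the system owner deleting the organization's public key from the service's trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Identity is a key pair plus its certificate (organization CA or enrolled individual).
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Service is a local system whose owner controls access solely through the
// organization public keys installed on it (no external identity service).
type Service struct {
	trusted map[string]*x509.Certificate // organization name -> CA certificate
}

func newIdentity(org, cn string, signer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; a real CA uses random serials
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true, // defaults describe an organization CA
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	parent, signKey := tmpl, key // self-signed organization CA
	if signer != nil { // an individual, signed with the organization's CA key
		parent, signKey = signer.Cert, signer.Key
		tmpl.IsCA, tmpl.KeyUsage = false, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// NewOrg creates an organization; its CA certificate is the "trusted certificate
// data" a service installs to validate the organization.
func NewOrg(name string) (*Identity, error) { return newIdentity(name, name+" CA", nil) }

// Enroll links an individual's fresh key pair to the organization by having the
// organization sign the individual's certificate.
func Enroll(org *Identity, user string) (*Identity, error) {
	return newIdentity(org.Cert.Subject.Organization[0], user, org)
}

// Respond proves possession of the private key by signing the service's nonce.
func (i *Identity) Respond(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, i.Key, digest[:])
}

func NewService() *Service { return &Service{trusted: map[string]*x509.Certificate{}} }

// Grant distributes an organization's public key to the service; Revoke deletes it
// again, which cuts off every individual that organization enrolled.
func (s *Service) Grant(org *Identity)   { s.trusted[org.Cert.Subject.Organization[0]] = org.Cert }
func (s *Service) Revoke(orgName string) { delete(s.trusted, orgName) }

// Authenticate admits an individual only if their certificate chains to an installed
// organization key and their signature over the nonce verifies. The nonce must be
// service-generated, random and single-use; that bookkeeping is omitted here.
func (s *Service) Authenticate(cert *x509.Certificate, nonce, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	for _, ca := range s.trusted {
		roots.AddCert(ca)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", errors.New("certificate not linked to a trusted organization")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("challenge signature does not verify")
	}
	return cert.Subject.CommonName, nil
}
```

Enrolling an individual of an organization the service never installed yields a valid signature but a failed chain check, which is the property the column relies on: the local owner, not a remote provider, decides which organizations' keys count.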
Lars Magnusson, CISSP, is an information security
manager in the Swedish automotive industry. He is
based in Trollhattan, Sweden and can be reached at
global insight: INTERNATIONAL INFORMATION SECURITY PERSPECTIVES