Category Archives: cybersecurity

What is the Open Data Exchange Layer?

I am at McAfee Focus 16 (#focus16). I decided to come despite missing out on the CxO track.

The opening video talked about the need to collaborate and work together. Standing alone won’t work. “Together is Power!”

Chris Young announced Open Data Exchange Layer. I have been waiting for this for the last 2 years. He has thrown down the gauntlet to their competitors. Are you listening, Cisco, Symantec, Microsoft and Palo Alto Networks?

Chris Young also mentioned automation, integration and orchestration. Nice. Another key element is using the cloud as part of our cybersecurity efforts; it expands and contracts with the individual’s and company’s needs. It is always available regardless of where the person is physically or virtually.

The Takeaways

  1. Take a closer look at ODXL. Is it real?
  2. Invite your current security product suppliers to add ODXL to their roadmaps.
  3. Keep McAfee accountable to this “Together is Power” vision. Ask them to prove and deliver it!
  4. Ask McAfee to add other open standards, like SACM, to their products.

What is the CISO’s role?

In 2015, KPMG released a glossy but informative 9-page pamphlet entitled “Positioning the Chief Information Security Officer (CISO) for Success.” KPMG starts off by answering two common questions on the first page:

  1. Where should a CISO start?
  2. What should a CISO do to assure that his/her security program is a success?

The answers are interrelated. In fact, #1 is the overarching answer. The answers (and The Takeaway) are:

  1. Understand the business strategy. The IT Sec program needs to align with business needs and strategy. This makes it easier (and possible) to obtain the necessary executive sponsorship and support.
  2. Transform IT Sec capabilities. A CISO needs to move the “organization’s capabilities [see #1] and effectively manage resources to successfully deliver programs and services that improve security posture.”
  3. Navigate change (i.e., help, facilitate and lead). IT Security needs to respond to the needs of the business strategically (see #1 above) during fundamental change (e.g. M&A, deregulation, changes in sourcing models).
  4. Deliver value with confidence. CISOs need to reduce risk by leveraging technology (along with education, procedures, standards, etc.). IT Security needs to enable key elements of the business strategy (ummm…see #1 above). IT Security’s services and capabilities need to be delivered with the right balance of cost and performance.

KPMG also raises two valid points about how to achieve these objectives:

  1. Prioritize efforts
  2. Move swiftly to execute your agenda

Why am I forced to change my password on a regular basis?

I get asked various questions throughout the day about safety, compliance, policies, technologies etc.  Below is my detailed response to the question: why do we need to change our passwords on a regular basis?

Why do we change passwords on a regular basis?

  1. It is required by regulations and standards
  2. It mitigates the problems that would occur if an attacker acquired the protected (i.e., “hashed”) passwords from a system. Ideally, the password would be set to expire before the attacker could actually “brute force” the password from its protection and use it. That is, the protection around the password is strong enough to hold off the brute force attack for 90 days (for example). This is becoming more challenging with powerful computers.
  3. Passwords are often stolen (e.g., via phishing) without the knowledge of the victim and not used immediately. These passwords are sold to organized crime. A password change will prevent a thief from using it.

What are healthcare companies doing?

Below are the results from an informal and non-scientific survey posted to the “National Health Infrastructure Information Sharing & Analysis Center” email distribution list in September 2016.

Question asked: How often are people resetting passwords?

Results (expiration period – number of responses):

  • 30 Day – 1
  • 60 Day – 2
  • 90 Day – 10
  • 120 Day – 2
  • 365 Day – 2

What is some recent research on mandatory password expiration?

  1. Both the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST) have published papers/blog postings on requiring individuals to change their passwords on a regular basis. The FTC blog posting references specific studies from various universities.

What are some key points from the NIST posting?

  1. Routine password expiration/changes are “out.” Expiration encourages the choice of less complex and/or multiple-use passwords (e.g., using the same password for your Gmail and work network login). Password changes should only occur if there is evidence of compromise.
  2. Longer passwords are “in” (e.g., an 8-character minimum, with support for passwords longer than 64 characters).
  3. Disallowing known weak/bad passwords is “in” (e.g., P@ssw0rd).

What are some key points from the FTC blog posting?

  1. Individuals who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily (e.g., “B@dpassword1” becomes “B@dpassword2”).
  2. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.
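To make the NIST and FTC points above concrete, here is a small policy checker written for this post (an added example, not code from NIST, the FTC or the original author). It enforces the 8-character minimum, rejects entries from a known-bad list, flags the predictable “B@dpassword1 → B@dpassword2” style of change, and only forces rotation on evidence of compromise unless a legacy expiration rule is explicitly configured. The `KNOWN_BAD` set is a constructed stand-in for a real breached-password list, and the function names are my own.

```python
import re
from typing import List, Optional

MIN_LEN = 8          # NIST-style minimum length from the post
MAX_SUPPORTED = 64   # systems should accept at least this many characters

# Constructed stand-in for a real "known weak / bad passwords" blocklist.
KNOWN_BAD = {"password", "p@ssw0rd", "123456", "qwerty", "letmein"}


def normalize(pw: str) -> str:
    """Lowercase and strip trailing digits/symbols so trivial variants
    ("B@dpassword1", "B@dpassword2", "B@dpassword!") collapse to one form."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def check_new_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append("too short")
    # Check both the raw lowercase form and the normalized form so that
    # "P@ssw0rd", "P@ssw0rd1" and "123456" are all caught.
    if candidate.lower() in KNOWN_BAD or normalize(candidate) in KNOWN_BAD:
        problems.append("known bad password")
    # The FTC's point: a "new" password that is the old one plus a bumped
    # digit is predictable and should be rejected.
    if previous is not None and normalize(candidate) == normalize(previous):
        problems.append("predictable change from previous password")
    return problems


def rotation_required(days_since_change: int, compromise_evidence: bool,
                      legacy_expiry_days: Optional[int] = None) -> bool:
    """Decide whether a user must change their password now.

    Under the NIST guidance summarized in the post, age alone never forces a
    change; only evidence of compromise does. A regulation that still mandates
    expiration (e.g. 90 days) can be expressed via legacy_expiry_days."""
    if compromise_evidence:
        return True
    if legacy_expiry_days is not None and days_since_change >= legacy_expiry_days:
        return True
    return False


if __name__ == "__main__":
    for cand, prev in [("B@dpassword2", "B@dpassword1"),
                       ("P@ssw0rd", None),
                       ("correct horse battery staple", "B@dpassword1")]:
        print(repr(cand), "->", check_new_password(cand, prev) or "OK")
    print("rotate (100 days, no compromise, NIST):",
          rotation_required(100, False))
    print("rotate (100 days, no compromise, PCI 90-day rule):",
          rotation_required(100, False, legacy_expiry_days=90))
```

Note that `MAX_SUPPORTED` is a floor on what the system must accept, not a ceiling on what users may enter; the checker never rejects a password for being long, which is the point of the “longer passwords are in” guidance.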

Where can I find more information?

I used the resources below to help with my response to your great question.

  1. http://www.slideshare.net/jim_fenton/toward-better-password-requirements
  2. https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
  3. http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2015-10/oct23_choong_password.pdf
  4. https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
  5. https://pages.nist.gov/800-63-3/

The Takeaways:

  1. Each organization needs to critically evaluate all of its current administrative policies related to password management. Each company needs to weigh the costs and benefits of password expiration and consider other changes. For example, a company may extend the password expiration time from 90 days to 180 days (or longer), but require longer passwords/passphrases. Based on the work of one researcher, the length would have to be at least 14 characters to withstand a brute force attack.
  2. Periodic password changes will continue to be used at several organizations for several reasons:
    • Several regulations and standards still require periodic changes of passwords. For example, the Payment Card Industry Data Security Standard (version 3.1) requires passwords to be changed every 90 days. HIPAA only states that passwords need periodic change cycles. The Health Information Trust Alliance’s Common Security Framework (version 8.0, a framework of security controls for healthcare companies) requires passwords to be changed every 90 days.
    • Several applications do not support long passwords, so forced password resets would still be needed.
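The “expire it before it can be cracked” argument earlier in this post, and the trade-off in Takeaway #1 between a longer expiration window and a longer minimum length, can be worked through numerically. The following is an added example written for this post, not the author’s or any researcher’s calculation: the guess rates in `GUESSES_PER_SECOND` are constructed assumptions (real figures depend on the hash algorithm and the attacker’s hardware), and the function names are my own. It does not attempt to reproduce the 14-character figure quoted above.

```python
SECONDS_PER_DAY = 86_400

# Constructed assumptions for offline guessing throughput against a stolen
# hash dump. Fast, unsalted hashes fall in the high range; deliberately slow
# password hashes (bcrypt/scrypt-style) in the low range.
GUESSES_PER_SECOND = {
    "fast hash, GPU rig (assumed)": 1e11,
    "slow password hash (assumed)": 1e5,
}

# Alphabet sizes for the character classes a password policy might mandate.
CHARSETS = {"digits": 10, "lowercase": 26, "alnum": 62, "printable": 95}


def days_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case days to try every password of exactly this length and alphabet."""
    return (charset_size ** length) / guesses_per_second / SECONDS_PER_DAY


def min_length_for_window(charset_size: int, guesses_per_second: float,
                          window_days: int) -> int:
    """Smallest length whose exhaustive search outlasts the expiration window.

    This is the length at which the post's argument (hash holds out for the
    whole 90- or 180-day period) actually holds for a pure brute-force attacker."""
    length = 1
    while days_to_exhaust(charset_size, length, guesses_per_second) <= window_days:
        length += 1
    return length


def report(window_days=(90, 180)):
    """Tabulate required minimum length for every rate/charset/window combination."""
    rows = []
    for rate_label, rate in GUESSES_PER_SECOND.items():
        for cs_name, cs in CHARSETS.items():
            for w in window_days:
                rows.append((rate_label, cs_name, w, min_length_for_window(cs, rate, w)))
    return rows


if __name__ == "__main__":
    for rate_label, cs_name, w, length in report():
        print(f"{rate_label:30} {cs_name:10} {w:4d}-day window -> min length {length}")
```

Two caveats a practitioner would add: the table is an upper bound on attacker effort, because real attackers start with dictionaries and leaked-password lists rather than exhaustive search, and the rows for the slow hash show that the hashing algorithm moves the required length far more than the choice between a 90- and 180-day window does.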

Is there a quote by President Obama on cybersecurity?

Traditionally, when we think about security and protecting ourselves, we think in terms of armor or walls. Increasingly, I find myself looking to medicine and thinking about viruses, antibodies. Part of the reason why cybersecurity continues to be so hard is because the threat is not a bunch of tanks rolling at you but a whole bunch of systems that may be vulnerable to a worm getting in there. It means that we’ve got to think differently about our security, make different investments that may not be as sexy but may actually end up being as important as anything.

What I spend a lot of time worrying about are things like pandemics. You can’t build walls in order to prevent the next airborne lethal flu from landing on our shores. Instead, what we need to be able to do is set up systems to create public health systems in all parts of the world, click triggers that tell us when we see something emerging, and make sure we’ve got quick protocols and systems that allow us to make vaccines a lot smarter. So if you take a public health model, and you think about how we can deal with, you know, the problems of cybersecurity, a lot may end up being really helpful in thinking about the AI threats (President Obama, Oct. 2016)


Is there a model for organizing an Information Security department?

Every CISO wonders about the following questions:

  • What key functions does my office cover?
  • How should I structurally organize these functions?
  • Whom should I seek advice, input and guidance from within the organization?
  • How can I identify gaps in my program and fill them?

On Feb 22, 2016, Nader Mehravari and Julie Allen, both from the Software Engineering Institute at Carnegie Mellon University, released a blog post and white paper to help provide answers to these questions.

Key Functions

4 Key Functions of CISO (Mehravari and Allen, 2016)

Organizational Chart

Four Organizational Units of the CISO Office (Mehravari and Allen, 2016)

Advisory Group for the CISO

  • chief operating officer
  • chief information officer
  • chief financial officer
  • legal/privacy
  • human resources
  • communications / marketing
  • business unit VPs
  • engineering VP
  • information technology VP

Identifying and Closing Gaps

  • Map your current CISO structure to our recommended structure, departments, sub-functions, and activities
  • Determine which organizational units can continue as is, which need to change (i.e., expand or contract), and whether new units need to be created
  • Develop an implementation roadmap

The Bottom Line

  • Read the blog posting and more detailed whitepaper
  • Adapt the recommendations and apply the process outlined in the “Identifying and Closing Gaps” section

How do I protect my family from cybersecurity threats and risks?

One of my passions is sharing my knowledge of cybersecurity risks with parents and their children. I am leading a discussion at church on this topic this Sunday. Hopefully it will be useful. Please find and use my material below as you deem appropriate and useful!

Protect the family handout

Safe and Secure Parents handout

Protect the family-presentation