Tuesday, June 24, 2014

Why senior leaders are the front line against cyberattacks

All companies are aware of the growing risk of cyberattacks, yet few are taking the steps necessary to protect critical information. The key? Senior managers need to lead.

June 2014 | by Tucker Bailey, James Kaplan, and Chris Rezek
Why isn’t more being done to protect critical information assets? Senior executives understand that the global economy is still not sufficiently protected against cyberattacks, despite years of effort and annual spending of tens of billions of dollars. They understand that risk alone undermines trust and confidence in the digital economy, reducing its potential value by as much as $3 trillion by 2020.[1] They understand most institutions have technology- and compliance-centric cybersecurity models that don’t scale, limit innovation, and provide insufficient protection. And they understand that institutions need to develop much more insight into the risks they face, implement differential protection for their most important assets, build security into broader IT environments, leverage analytics to assess emerging threats, improve incident response, and enlist frontline users as stewards of important information.

McKinsey’s James Kaplan explains what executives can do to protect their companies against cyberattacks.

The importance of cybersecurity is no secret to anyone who’s opened a newspaper or attended a board meeting. So, senior executives may ask, what’s the holdup? The answer is simple: understanding the issue is quite different from effectively addressing it. A number of structural and organizational issues complicate the process of implementing business-driven, risk-management-oriented cybersecurity operating models, and only sustained support from senior management can ensure progress and ultimately mitigate the risk of cyberattacks.

Structural hurdles to addressing cybersecurity

There are a number of factors that make getting the right cybersecurity capabilities in place difficult for large institutions. First, competitive imperatives mean executives must accept a certain level of cyberattack risk. As a chief information-security officer (CISO) at an investment bank said, “If I did as thorough a security assessment as I would like before we nailed up a direct connection to a hedge fund, our prime-brokerage business would cease to exist.” What this means is that in order to protect themselves without limiting their ability to innovate, companies have to make sophisticated trade-offs between risks and customer expectations.
Second, the implications of cybersecurity are pervasive—and that alone impedes the adoption of risk-mitigation strategies. Cybersecurity touches every business process and function, not only in operations but also in customer care, marketing, product development, procurement, human resources, and public affairs. Just two examples: product-development decisions often increase the volume of sensitive customer data that is collected, while procurement decisions can create the risk that vendors will treat sensitive intellectual property with less care than required.
Third, cybersecurity risk is difficult to quantify. There’s no single quantitative metric such as value at risk for cybersecurity, making it much harder to communicate the urgency to senior managers and engage them in required decisions. As one chief financial officer told us, “It feels like we’re constantly spending more on security, but I have no idea whether that’s enough or even what it does.”
Finally, it’s hard to change user behavior. For many institutions, the biggest vulnerability lies not with the company but with its customers. How do you prevent users from clicking on the wrong link, allowing their machines to be infected with malware? How do you stop them from transferring incredibly sensitive information to consumer services that may not be secure? Breaking through the noise at most institutions to communicate with frontline managers about cybersecurity risks is tough enough, let alone mitigating risks that are ostensibly beyond your control.

Senior managers must lead

Cybersecurity is a CEO-level issue. The risks of cyberattacks span functions and business units, companies and customers. And given the stakes and the challenging decisions posed by becoming cyberresilient, making the decisions necessary can only be achieved with active engagement from the CEO and other members of the senior-management team.
As part of research we undertook with the World Economic Forum on cybersecurity,[2] we had the opportunity to interview executives from more than 200 institutions and perform deep dives on cybersecurity risk-management practices with more than 60 of the world’s 500 largest companies. Senior-management time and attention was identified as the single biggest driver of maturity in managing cybersecurity risks—more important than company size, sector, and resources provided. Our research also found that senior-management engagement varies dramatically. In some companies, the CISO meets the CEO every few weeks. Yet in others, the CISO has never met the CEO. In fact, the CISO may report to the chief technology officer, who reports to the chief information officer, who then reports to the CFO.
So what does senior management need to do? Among those companies that are making the most progress toward developing cyberresiliency, we identified four actions common among senior managers:
  • Actively engaging in strategic decision making. Just as with other types of enterprise risk, CEOs and the rest of the senior-management team must provide input on the organization’s overall level of risk appetite for loss of intellectual property, disclosure of customer information, and disruption of business operations. Subsequent to that, business-unit heads—and their management teams—must engage with cybersecurity managers to help prioritize information assets and make specific trade-offs between risk reduction and operational impact.
  • Driving consideration of cybersecurity implications across business functions. Senior managers at leading companies ensure business managers incorporate cybersecurity considerations into product, customer, and location decisions, while functional leaders are responsible for addressing cybersecurity considerations in human-resources and procurement decisions. In addition, they make sure that the disclosure of cybersecurity priorities is incorporated into the company’s public-affairs agenda.
  • Pushing changes in user behavior. Given how much sensitive data senior managers interact with, they have the chance to change and model their own behavior for the next level of managers. This can begin with simple steps, such as becoming more judicious about forwarding documents from corporate to personal e-mail accounts. In addition, senior management can and should provide the communications “airtime” and reinforcement required to help frontline employees understand what they need to do to protect critical information assets.
  • Ensuring effective governance and reporting is in place. No matter how thoughtful a set of cybersecurity policies and controls may be, some managers will seek to circumvent them. Senior management obviously needs to make sure that policies and controls make sense from a business standpoint. If they do, senior managers then need to backstop the cybersecurity team to help with enforcement. In addition, senior management should put in place effective, granular reporting on how the company is progressing against specific milestones in its cybersecurity program.
Pervasive digitization, open and interconnected technology environments, and sophisticated attackers make cybersecurity a critical social and business issue. If inadequately addressed, it could materially slow the pace of technology and business innovation in the years to come. That’s why companies must make rapid progress toward cyberresiliency, and only sustained focus and support from top management can overcome myriad structural and organizational hurdles. We know it’s possible—at some companies, this process is already under way. But it must take place on a broader scale if companies are to protect their critical information assets while retaining the ability to innovate and grow.
About the authors
Tucker Bailey is a principal in McKinsey’s Washington, DC, office; James Kaplan is a principal in the New York office; and Chris Rezek is a consultant in the Boston office.

Monday, June 2, 2014

Study: 97% of companies using network defenses get hacked anyway

Current network defenses are like the Maginot Line, analysts find.

A security study drawing data from more than 1,600 networks over a six-month period found that 97 percent of the networks experienced some form of breach—despite the use of multiple layers of network and computer security software. The study, performed by analysts from security appliance vendor FireEye and its security consulting wing Mandiant, compared current network defenses to the Maginot Line, the infamous French fortress chain that the Germans bypassed during their May 1940 invasion.
The data collected from network and e-mail monitoring appliances from October 2013 to March 2014 also showed that three-quarters of the networks had command-and-control traffic indicating the presence of active security breaches connected to over 35,000 unique command-and-control servers. Higher-education networks were the biggest source of botnet traffic.
FireEye and Mandiant analyzed real-time data from 1,614 FireEye appliances that had been placed on networks as part of “proof of value” trials; the devices provided monitoring. Each of the networks already had a “defense in depth” architecture, combining firewalls, intrusion detection and prevention systems, and antivirus software. Despite that, the appliances detected over 208,000 malware downloads across the monitored networks, of which 124,000 were unique malware variants.
On average, each network was subjected to 1.6 exploits and 122 malware droppers during the six-month period. FireEye and Mandiant analysts also reported that 27 percent of the monitored organizations in the study “experienced events known to be consistent with tools and tactics used by advanced persistent threat (APT) actors”—inferring that they were being attacked by either state-sponsored organizations or sophisticated criminal networks.

Sunday, June 1, 2014

OpenSSL is now getting serious attention


The aftermath of the Heartbleed debacle has resulted in OpenSSL being thoroughly overhauled.
The organization has also been given room to devote substantial attention to other important open source initiatives, such as OpenSSH (the protocol for remote command-line login) and the Network Time Protocol (for synchronizing computer clocks).
The Linux Foundation got this opportunity because the Heartbleed bug made many large companies and organizations realize how important the work on open source protocols is. Together they have contributed 5.4 million dollars for projects over the next three years.

Locked In: Keeping Your Enterprise Encryption Keys in Order

Posted by on in Data Security


Every year, spring cleaning results in a few re-discoveries around my house (“I own a weed whacker?”). This year, it also led to a new, nerve-racking game, “What Could These Keys Possibly Belong To?”
[Image: close-up of keys. Caption: What does this key go to? Key management is the tricky part of encryption, though vital to keeping control over security.]

On a shelf in the basement, I found a ring with two keys of unknown origin. I shuffled around the house, garage and shed trying to match them up to every lock and door. Nothing. Keys without a lock … or a lock somewhere else without a key, put another way. Given my background in encryption and enterprise key management, my mind went to paranoid circumstances where I’d soon be locked out by a new lock in my own front door, or a situation where I’d go mad looking for buried treasure in my yard.
Key management is the really hard part of enterprise encryption. Encryption, in its own right, remains the most impenetrable data security option in your wider “defense in depth” approach. The best encryption also comes with sensible, easy key management. If you lock down data, you need to make sure you (and only you) can unlock it, too. In that same sense, you don’t want to start handing out crypto keys to the point where encryption is more rampant than useful. Too many keys can be just as damaging for you, your customers and your sensitive business documents.
We often share the story of one customer who came to us initially asking to “unlock” encryption from another vendor. Unfortunately for this German manufacturer, the other vendor’s encryption did not come with a “contingency” key (something like a master decrypt key for security administrators). So, when a rogue employee sent off docs he had encrypted, the manufacturer was without a matching decryption key to find out just what had left its company firewalls. The contingency key goes by a few terms – we’ve heard “private key escrow” from one big financial services client as well as “controlled encryption”; we’re all ears to what term makes sense for you. The important aspect of the contingency key, however, is that your CISO, department head or info sec team has an emergency decrypt capability for the host of issues that can come up from unchecked encryption.
There are enough potential leaks and breaches coming at your business information every day. Make sure that the protection you employ doesn’t lock you out of the very data you’re securing.
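As an added example, not code from the post or from any vendor's product, here is the contingency-key idea above written with Go's standard library: each document is encrypted under a one-time data key, and that key is wrapped separately for the author and for the contingency holder, so the security team can decrypt without anything from the author, while an unlisted party or a wrong private key is refused. The names Seal, Open, Envelope and the party labels "owner" and "contingency" are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope: the ciphertext plus the data key wrapped for each party allowed to open it.
type Envelope struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // party name -> RSA-OAEP-wrapped AES key
}
func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts doc under a fresh AES-256-GCM data key and wraps that key to
// every recipient's RSA public key, with the party name as the OAEP label.
func Seal(doc []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	rnd := make([]byte, 32+12) // 32-byte data key followed by a 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	gcm, err := newGCM(rnd[:32])
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: rnd[32:], Ciphertext: gcm.Seal(nil, rnd[32:], doc, nil), WrappedKeys: map[string][]byte{}}
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, rnd[:32], []byte(name))
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = w
	}
	return env, nil
}
// Open recovers the document with the named party's private key alone (the label must match the party).
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.WrappedKeys[name]
	if !ok {
		return nil, fmt.Errorf("no data key wrapped for party %q", name)
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, []byte(name))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Which parties receive a wrapped copy is the policy decision the post calls controlled encryption; every wrapped copy is a place the document can be opened, so the contingency private key needs the strictest custody of all.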


5 ways computer security has truly advanced

May 27, 2014

Security isn't all gloom and doom. Amid the progress today, these four developments in particular have made us safer


As you may know, I like to rant about the poor state of computer security. I have reason to, because each year it appears we're losing the battle as more and more systems get exploited. We can't seem to take care of the simple stuff, like requiring better passwords or fixing DNS (who among you has enabled DNSSec?), much less the hard work it will take to make substantial improvements in the state of security.
Yet we've had some real wins -- and I don't talk about them enough. Here are some of the security advancements that have made a real difference.
1. Security defaults
Users will almost always choose the default option when presented with a computer security decision. When I first joined the computer world, almost every computer security prompt defaulted to an answer that made the system more vulnerable. Vendors were more concerned with making their software easy to use rather than secure, even when the default significantly raised security risk.
For example, when macro viruses first appeared, almost all office applications either autoran them or prompted the user to decide whether or not to run the macro. Hit Enter and you're infected. Eventually, software vendors learned that simply changing the default to No, although it required one extra click, would prevent all sorts of security ills.
Today, almost all software comes not only with more secure defaults, but if the software prompts the user to make a decision, the default is the secure answer. One of the best examples of this is Microsoft's User Account Control (UAC) prompts. When a UAC prompt shows up, if the user ignores it or hits Enter, the program requesting elevated access will be denied.
2. Drive encryption
Certainly one of the best improvements is how most vendors offer or enforce encryption on hard drives by default. Many times it is enabled without the user even noticing. For example, if you buy a Windows 8 computer, it has BitLocker Disk Encryption enabled by default. This includes Surface devices. When a user logs on as admin the first time, their encryption key is even backed up to the cloud (OneDrive) transparently in the background, in case they need it for a future recovery.
Most other OSes either turn on disk encryption by default or have it available and recommend that it be enabled by default. This includes mobile phones and devices. Today, it is a lot harder for a bootup floppy, CD-ROM, or USB key to bypass the victim's installed OS access control mechanisms to get at the wanted data.
Many stolen laptops that would otherwise have to be reported under various regulations are exempted if the laptop has an encrypted hard drive. Of course, these same protections are frustrating law enforcement, legitimate recovery processes, and customers alike. Depending on whether you use self-encrypting hard drives, OS protection, or third-party encryption software, key management has become more important than ever.

3. SSL by default
Led by Google, most Web services now enable SSL encryption by default. Previously, for most popular cloud, email, and calendars services, SSL was either not available or had to be specifically enabled by the user. This led to widespread theft of service passwords and cookies, especially across shared wireless networks, such as those in cafes. Today all major providers have followed Google's lead.
You may wonder why it took decades after the invention of SSL for vendors to enable it by default. The reason: SSL creates a significant performance penalty, but the increasing power of hardware has made that less of an issue.
Of course, even SSL has bugs, as the OpenSSL exploit recently showed. You really should be using TLS and not SSL, as most versions of SSL are no longer considered secure. Rest assured that when you connect to the most popular websites, you're probably using TLS, although you may want to check the HTTPS connection to verify.
4. Two-factor authentication for Web logons
One of the best developments on top of the SSL by default is out-of-band, two-factor authentication (2FA). Out-of-band means that the second factor is not communicated using the same network transmissions channel as the first factor.
In most cases, this means users can choose to have a secondary PIN code sent to them via SMS to their previously defined cellphone or sent to a second previously defined email account. It's pretty great. Some sites even allow you to use 2FA only when needed, such as on an untrusted public computer.
Note, however, that bad guys and malware have been getting around out-of-band 2FA authentication for more than a decade, starting with the original bancos Trojans. I discussed out-of-band, 2FA-evading Trojans back in 2006. Yes, 2FA is great, but it's not a cure-all.
5. UEFI (Unified Extensible Firmware Interface)
Prior to UEFI, which is a replacement for the system BIOS, it was trivial for bad guys and malware to fatally injure your computing device. Intel invented the original EFI standard in 2005, and while it had almost no real security mechanisms, it was a good start.
The truly secure UEFI 2.3.1 standard was released in 2013. Systems enabled with UEFI require that all code intending to modify a computer's firmware be signed by a previously approved vendor. Otherwise the modification gets blocked.
Still, it has yet to be proven if the UEFI standard will actually result in fewer compromises. UEFI is a standardized way of configuring firmware. The old BIOS method meant that almost every different model of computer ended up with a different BIOS. Each BIOS version requires a different modification routine, which meant it was harder for malware to silently infect. UEFI's standardization could end up being its Achilles' heel.
Nonetheless, these four advances give me hope that one day we will significantly reduce computer security risks. It's taking longer to do what we know we needed to do, but step by step, we're getting there.
This story, "5 ways computer security has truly advanced," by Roger Grimes was originally published at InfoWorld.com in the Security Adviser blog.