[BreachExchange] They are gatekeepers of cyberworld

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 2 20:07:22 EDT 2017


https://dailygazette.com/index.php/article/2017/09/29/gatekeepers-of-the-cyberworld

After an onslaught of hacking, breaches and malware this year, and the
resultant waves of publicity, National Cybersecurity Awareness Month should
be a bit anticlimactic.

But for some people, the message never gets old.

One of the organizations most aware of cyberthreats and most active in
countering them is CIS, a non-profit steadily expanding its client base and
130-person workforce. Along with creating benchmarks and protocols by which
organizations large and small can secure their computer systems, CIS serves
public entities as a cybersecurity partner, including all 50 states and
1,400-plus municipalities containing more than 80 percent of the U.S.
population.

CIS — formerly the Center for Internet Security — is officially designated
by the U.S. Department of Homeland Security as the go-to source for free
cybersecurity services for state, local, territorial and tribal
governments. It is hired by private organizations and companies for similar
tasks.

CIS is keeping busy.

“Each year I think it can’t get any worse, and then it gets progressively
worse,” said Curtis Dukes, executive vice president and general manager of
the CIS Best Practices and Automation Group.

October is Cybersecurity Month, a Department of Homeland Security promotion
that gives prominence to issues CIS deals with every month.

Too many organizations, Dukes said, are not taking the critical steps of
setting up a secure system, then reducing what areas are vulnerable to
attack, then working to stay secure by following an industry-accepted
protocol of best practices.

CIS has developed CIS Controls and CIS Benchmarks as its defense against
cyberthreats. There are other protocols, each with their own supporters,
Dukes said, and while it would be nice for government and industry to all
agree on a single standard, “we’re not there yet.”

BUSINESS ADVICE

Steven Spano, president and chief operating officer of CIS, spoke Monday at
the annual meeting of the Business Council of New York State about the
importance of taking preventative steps before a cyberattack.

Having a chief information security officer in the company doesn’t
guarantee there won’t be a breach, he said, but not having a CISO will
likely make the breach worse.

“Now you have a PR nightmare on top of the breach,” Spano explained.

He advises companies to look at the cost of a breach, or of an
“extinction-level event.”

The $150,000 salary of a CISO seems small in comparison.

Not enough business leaders see this, he said.

“There’s a disconnect to how a lot of businesses approach cybersecurity. I
sense an intrinsic ignorance about the topic.”

Rather than admit ignorance, he said, they hand the problem off and hope it
gets fixed.

“Cyber is not static,” Spano said. “Trying to keep pace with the art and
the science is a big challenge.”

He also cautioned against outsourcing cybersecurity and forgetting about
it. Oversight is still needed. If there’s a breach, ultimately it’s the
business and its customers who will suffer, regardless of who was supposed
to be standing guard at the gate.

GOVERNMENT ALLY

In 2011, CIS took over the Multistate Information Sharing and Analysis
Center, which was created by New York state. The MS-ISAC remains a close
partner with New York state but also serves the other 49 states, the
District of Columbia and the five U.S. territories. There is no cost to
government users — Homeland Security picks up the tab for the states and
for more than 1,400 municipal entities.

The focus is on cyberthreats such as malware, but the MS-ISAC has also
warned its municipal partners about hacktivists — those who try to shut
down a government website in response to a local incident such as a police
shooting.

Such threats are more of a nuisance than a danger. Cyberterrorists and
cyberwarriors, by contrast, might want to damage critical infrastructure
such as the power grid.

The MS-ISAC can’t detect incoming attacks from unknown sources; its
function is to respond to known threats and weaknesses by recommending
security updates, and to help entities that have been attacked understand
how and why the attack was able to succeed.

If needed, its Computer Emergency Response Team can travel to the scene of
an attack to do forensics.

In their work, MS-ISAC personnel find varying levels of cyber vigilance
among municipal entities. This is a critical detail, because most attacks
target known weak spots.

The MS-ISAC’s Security Operations Center is staffed around the clock by
cybersecurity experts who respond to state and local government inquiries,
provide network monitoring for these governments, and watch for data dumps
that could compromise members’ websites. An intelligence team within the
SOC investigates attacks and looks for trending indications of threats,
though it does not work around the clock.

On Tuesday, the SOC was fairly quiet. The total number of tickets — any
request for action by a member — stood at one. Network monitoring and bug
tracking indicators were both zero. Advanced persistent threats —
state-sponsored attacks — also registered zero.

The scraper — an automated sweep of open-source websites for anything
potentially threatening to a municipal member — periodically bounced from
zero to one and back to zero.

The threat level was blue, or guarded — second-lowest on the five-step
scale from green (low) to red (severe). Multiple vulnerabilities in Google
Chrome and Joomla! were the latest threat warnings.

Blue indicates there are potentially significant vulnerabilities that
haven’t been exploited, or have been exploited without impact.

CIS has never gone to red threat. In 2014, the HeartBleed bug sent CIS to
the second-highest threat level, orange, which indicates high risk of
increased hacking, virus, or other malicious cyber activity that targets or
compromises core infrastructure, causes multiple service outages, causes
multiple system compromises, or compromises critical infrastructure.

The private client roster of CIS ranges from single-person companies to
Fortune 100 firms and stretches around the world. The fee-for-service
offerings include vulnerability assessments, consulting and training.

EQUIFAX

Also Tuesday, CIS issued a news release saying the breach at the credit
reporting agency Equifax — in which 143 million Americans’ personal
information was exposed — could have been prevented with implementation of
CIS Controls. The breach was an exploitation of a known vulnerability,
exactly the kind of situation CIS works to prevent.

Equifax’s CEO was ousted and its stock value plunged 35 percent in six
trading days in mid-September, erasing $6 billion in value — exactly the
kind of collateral damage Spano warned about.

Equifax is a particularly bad breach for consumers, Dukes said, because it
potentially provides all the information needed to validate a transaction
with a stolen identity.

“Once that information is lost, the criminal network can easily take that.”

Credit agencies’ relationship is with businesses selling or lending to
consumers, rather than with consumers themselves, Dukes said, so they are a
step removed from the people affected.

“Organizations that are holding this information need to be accountable to
us,” he said, suggesting that standards be set and federal regulations
implemented.

In the meantime, consumers should not wait for anyone to protect them,
Dukes recommended.

“I think it is now incumbent ... to do some amount of the due diligence
yourself,” he said.

For starters, people should take advantage of the right to a free credit
report every quarter, and make note of who is checking their credit and why.

Dukes expressed optimism that the business world will move away from
collecting such sensitive material as social security numbers.

And he urged people to stop giving out such personal identifying
information freely whenever asked.

“I think you have to be mindful each and every time you do an online
purchase,” he said.

________________________________

CONTROLS

CIS Benchmarks and CIS Controls are the centerpiece of the cybersecurity
program offered by CIS, formerly the Center For Internet Security.

The Benchmarks are 100-plus configuration guidelines for various technology
groups, meant to safeguard systems against evolving cyber threats.

The Controls are 20 specific actions that can be used to implement the
objectives of cybersecurity frameworks created by the National Institute of
Standards and Technology, International Organization for Standardization,
Institute of Electrical and Electronics Engineers and Payment Card Industry
Security Standards Council. The Controls are free, and to date have been
downloaded more than 85,000 times.