March 6, 2014
BY KEVIN BOCEK, VP, SECURITY STRATEGY & THREAT INTELLIGENCE, VENAFI
Breached Enterprises Will Be Owned by The Mask operation for Years to Come
For over a year, Venafi has been charting the course of attacks on the trust established by keys and certificates. The dramatic rise in attacks has led Microsoft to declare “PKI is under attack” and Intel Security-McAfee to “question the validity of digital certificates as a trust mechanism.” From key and certificate stealing trojans to stolen certificate marketplaces, the cybercriminal community has woken up to a whole slew of new vulnerabilities and powerful attacks.
It now appears that in fact a monster has woken up! Kaspersky Labs has identified and documented what it terms “one of the most advanced threats.” Known by its Spanish name “Careto,” The Mask operation is a sophisticated, organized attack using multiple attack methods to steal data. Its alarming set of targets includes a variety of SSL, VPN, and SSH cryptographic keys and digital certificates.
The impact of this revelation is simple: breached organizations are now owned by The Mask operation. Cleaning up malware, reimaging servers, and resetting passwords won’t help. The attackers now own keys and certificates that provide the fundamental trust used to decide whether a server, cloud, or administrator is to be trusted. The attackers can decrypt communications and data formerly thought secure and private. The likely inability to remediate all of the compromised keys and certificates will leave the attacked organizations breached for years, and in many cases decades.
Breached enterprises might as well bulldoze their data centers to regain ownership if they can’t replace all—not some—but all of their keys and certificates.
How can this be? Mask’s operations are known to steal SSH keys used to authenticate administrators, servers, virtual machines, and cloud services. SSH keys provide root-level access and don’t expire—ever. Steal an SSH key and you likely have perpetual backdoor access. That bleak outlook is why Forrester Consulting previously concluded, “Advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates that can provide an attacker trusted status that evades detection.”
Breached organizations must now identify all keys and certificates and immediately replace them. Based on industry research and Venafi’s experience in securing Global 2000 enterprises and governments, the breached will likely have no visibility into the scope of the problem facing them and no ability to respond to these attacks on keys and certificates by replacing all of them. They need to take quick action now, as the true intentions and impact of The Mask operation are yet to be seen. Otherwise, they might as well invest in bulldozers instead of malware cleanup or new firewalls.
The analysis is troubling. The details to follow are even more troubling. The impact and seriousness of The Mask on the breached cannot be understated or underestimated. For those not involved, it serves as another lesson that attacks on keys and certificates are very, very real and every enterprise must gain visibility, controls, and response mechanisms now.
Attacking Trust: Ownership for Life
Mask’s operations to steal keys and certificates are alarming. By stealing and leveraging trusted status, The Mask organization can now impersonate, surveil, collect, and decrypt its targets’ communications and data. Essentially, The Mask operators own the breached, and for a very long time to come.
In a masterful criminal effort, Mask’s team didn’t just create powerful weapons—they attacked where they know their targets have no visibility and no ability to respond. Yes, the breached can now clean up malware infections, reimage servers, and reset passwords. But, as research has shown, Mask’s targets will not be able to identify and replace the tens of thousands of SSL, SSH, and other keys and certificates stolen.
Mask’s targets are like fish just caught and hauled onto a fishing boat. The fish will struggle to get back in the water, but will slowly suffocate on the boat’s deck with no hope of escaping and returning to the water. With The Mask able to impersonate, surveil, collect, and decrypt its targets’ communications and data, and the targets unable to respond to and remediate attacks already committed with stolen keys and certificates, there may be little hope for the breached as they wait for the blind trust they relied upon to be turned against them.
Mask’s Attack on Trust
Mask’s methods of attacking trust make it a monster. Stuxnet used stolen certificates to enable its attack, as 27% of Android malware does today. SpyEye, Zeus, and over 800 other Trojans are known to steal keys and certificates. Mandiant and others have well documented the use of self-signed certificates and SSL in enabling the APT1 group to exfiltrate stolen intellectual property. What makes Mask so special is that it uses all of these methods, improves on them, and adds new innovations. It’s a perfected weapon.
Evading Detection With Trusted Status
As reported by Kaspersky, Mask’s Windows malware was digitally signed with a valid certificate. Just like the hundreds of certificates used in malware attacks tracked by the CCSS Forum, the valid certificates enabled the malicious code to run trusted.
Like some other attacks using certificates, Mask’s certificates are believed to have been purchased legally from VeriSign by representing a fictitious company, TecSystem Ltd of Bulgaria. Once again, Gartner’s prophetic statement on the state of IT security and certificates comes true: “Certificates can no longer be blindly trusted.”
What makes Mask so devastating now and for years to come is its hunger for stealing keys and certificates. SSL keys and certificates, SSH keys, disk encryption keys, and others have all been stolen. Even more troubling is that Mask’s malware not only ran on Windows but also on Linux, Mac OS, and likely mobile platforms. The theft of server, administrator, user, and device keys and certificates for everything from SSL for websites, to administrator access to servers with SSH, to VPN access from a remote site places the breached in jeopardy now and is a troubling sign for everyone else of what’s to come.
The theft of so many keys and certificates is what’s likely to make Mask remembered for many years to come. Just as Stuxnet signaled to the cybercriminal community the benefits of using stolen certificates, Mask will signal the power in stealing as many kinds of trust-establishing keys and certificates as possible. While an SSL key might be replaced and certificates will expire, SSH keys never expire. They will exist as a perpetual vulnerability until they are replaced and no longer trusted. SSH key rotation is something that few, if any, enterprises actually do. As more cybercriminals learn from Mask and accelerate the theft of keys and certificates, the less trust we’ll have in everything from servers, to clouds, to mobile devices.
Changing what’s trusted
If that were not troubling enough, Kaspersky’s research has identified even more powerful capabilities in Mask’s toolset. Mask’s command set indicates that the malware could add certificates to and delete certificates from a system. This allows the attackers to set which certificates or Certificate Authorities are trusted. These methods have been seen in the wild already, going back to 2010, just as the Mask operation was gearing up. Changing which websites and software are trusted is a powerful weapon. Not only does it allow users and security systems alike to be tricked into connecting to fake websites or running malicious software, it allows encrypted communications to be decrypted.
Surveillance and monitoring today and well into the future
Mask is also able to monitor and potentially capture network traffic. Kaspersky reports that multiple plugin modules are capable of intercepting network traffic. With stolen keys and certificates, Mask’s operators may have been able to easily monitor encrypted communications thought to be private and secure. Unfortunately, even with Mask’s known, active operations shut down, the attacker will still be able to decrypt any network communications that can be intercepted.
Escaping detection: flying under the radar with encryption
The Mask operators understood that exfiltrating data can be risky business and raise alarms. However, using encrypted traffic allowed Mask to keep its activities under the radar of detection. Kaspersky reports that Mask’s team used various methods, including encrypting communications directly with RC4, and could also use HTTPS. While the increased use of SSL/TLS to keep communications private is one of the reasons the BBC declared “2014: The Year of Encryption,” it also means attackers will be able to hide more easily. The use of SSL and other encrypted traffic is a sign of things to come. Gartner predicts that by 2017, over 50% of all network attacks will use encryption.
The targets for Mask’s operation are reported to include government agencies, foreign-service operations, energy, oil, and gas companies, and private equity. Targets have been identified in Brazil, UK, and United States with Kaspersky’s analysis finding Spain, France, and Morocco among the most commonly targeted in terms of IP addresses and victim IDs.
With such powerful weaponry either enabled by or designed to attack the trust established by keys and certificates, it appears at least one of the attackers’ intentions is to impersonate, surveil, collect, and decrypt its targets’ communications and data. And the attackers intended to keep it that way for a long time to come. Stealing keys and certificates provides permanent access to data or systems until the keys are replaced. Unfortunately, this will take years for most attacked organizations. Even worse, SSH keys never expire and will provide Mask’s attackers near-perpetual root-level access inside breached organizations.
Immediate Action: Fight Back or Be Owned
For organizations attacked by Mask, action must immediately be taken to respond to and remediate the attacks on trust established by keys and certificates. Breached organizations must identify all keys and certificates on networks, in servers, on endpoints, and on mobile devices. Remediation can then proceed: generate new SSL keys and certificates, generate new VPN keys and certificates, and generate new SSH keys while removing previously trusted keys from authorized key lists. However, only with complete intelligence on all keys and certificates can remediation be considered successful.
For all other organizations, Mask is another warning that demonstrates the devastating impact attacks on keys and certificates can have. Organizations must have the ability to identify all keys and certificates, enforce a known good state, detect anomalies, and respond and remediate incidents. Organizations will then be able to change keys and certificates frequently, eliminate human intervention that can open the door for malware to steal keys and certificates, and be able to respond immediately.
March 5, 2014
By Gavin Hill, Director of Product Marketing and Threat Research, Venafi
Before the Snowden breach, the average person rarely thought about encryption. Last year, however, encryption was at the forefront of everyone’s mind. People wanted to know what Edward Snowden disclosed about the National Security Agency (NSA) PRISM, how they could avoid being spied on, and how Snowden was able to compromise what’s believed to be one of the most secure networks in the world. Although not everyone has been paying attention, keys and certificates have actually been at the center of news for the last few years. Adversaries and insiders have long known how to abuse the trust established by keys and certificates and use them as the next attack vector.
One of the first projects I worked on this year with the Ponemon Institute was to understand how organizations are protecting themselves from a Snowden-like breach resulting from vulnerabilities related to Secure Shell (SSH) keys. The research spanned four regions and included responses from over 1800 large enterprises that ranged from 1000 to over 75,000 employees. What was very evident from the research is that most organizations are inadequately prepared for, or incapable of detecting, a security incident related to the compromise or misuse of SSH keys. Some chilling results:
- 51% of organizations have already been compromised via SSH
- 60% cannot detect new SSH keys on their networks or rely on administrators to report new keys
- 74% have no SSH policies or are manually enforcing their SSH policies
- 54% of organizations using scripted solutions to find new SSH keys were still compromised by rogue SSH keys on their networks in the last 24 months
- Global financial impact from one SSH-related security incident was between US $100,000 and $500,000 per organization
Operational versus vulnerability view
More than half (53%) of organizations surveyed lack the ability to define and enforce SSH policies from a central view. As a result, they typically rely on individual teams or application administrators to secure their own keys. Because these organizations do not have visibility into how SSH keys are used within the enterprise network, detecting any security incident related to the misuse of SSH keys is very difficult. Organizations that view SSH key security as an operational problem are clearly missing the point: keys and certificates are fast becoming one of cyber-criminals’ preferred attack vectors because of the trust status they provide.
74% have inadequate SSH security policies
74% of organizations either have no SSH policies or are manually enforcing SSH policies. Using the recent GitHub exposure of more than 600 SSH private keys as an example of application administrator behavior, you can see just how well manual processes are enforced—they’re not. If you are not familiar with this example, enhancements to the GitHub search functionality inadvertently exposed hundreds of application administrators’ private keys that had been stored in GitHub, many by simple mistake. You cannot rely on manual processes to secure and protect SSH keys; mistakes are inevitable.
51% are already compromised
Last year the Ponemon Institute published the 2013 Annual Cost of Failed Trust Report. In this report, the most alarming key and certificate management threat was SSH. In the SSH research conducted in 2014, Ponemon Institute found that 51% of organizations across four regions had a security incident related to the compromise or misuse of SSH keys. More alarming is that 50% of the compromised organizations used homegrown scripted solutions to manage SSH keys. This clearly shows that scripted solutions cannot detect the anomalous usage of SSH keys or rogue SSH keys used nefariously. Moreover, 60% of organizations surveyed rely on application administrators to manually detect rogue SSH keys.
A never-ending nightmare
As the research suggests, organizations have limited visibility into how SSH keys are used in the enterprise network and no ability to apply policies to SSH keys. However, you would think that even organizations using manual, disparate SSH key management would provide guidelines for rotating SSH keys. After all, SSH keys have no expiration date. According to Ponemon Institute research, 50% of organizations do not have an SSH key rotation plan in place. At Venafi we’ve encountered a number of organizations that have SSH keys assigned to ex-employees on critical servers, and these ex-employees left the organization more than five years ago. Considering that SSH bypasses host-based controls and provides elevated privileges, every organization should make rotating keys a priority!
Time to respond
When asked how quickly their organization could identify and respond to a security incident related to compromised or misused SSH keys, nearly half (45%) of the respondents said it would take one day or more to mitigate the threat. The length of time it takes to respond to a security incident directly increases the financial burden organizations need to bear from that incident. The financial impact for the United Kingdom, Germany, and Australia ranged from US $100,000 to $250,000. US-based organizations were more significantly impacted, ranging from US $500,000 to $1,000,000.
By using a stolen SSH private key, an adversary can gain rogue root access to enterprise networks and bypass all the security controls. Because organizations have no policies, visibility into SSH vulnerabilities, or ability to respond to an SSH-related attack, cyber-criminals are turning to SSH as an attack vector at an ever-increasing rate. Every organization needs to stop viewing SSH keys and the management thereof as an operational matter that can be resolved with a few simple discovery scripts or relying on individual application administrators to self-govern. You wouldn’t do that with domain credentials, so why treat SSH keys—which enable elevated root privilege—any differently?
Every organization needs to have central visibility into the entire SSH key inventory, understand how SSH keys are used on the enterprise network, and apply SSH policies. Only then will an organization be able to quickly detect security incidents related to SSH and immediately remediate them.
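The remediation steps listed in the post above (identify every key that grants access, replace it, and remove previously trusted keys from authorized key lists) and the rogue-key, ex-employee and rotation findings in this post come down to one control: compare what actually grants access with what was approved. The Python script below is an added example, not Venafi’s, Ponemon’s or either post’s own code; the approved inventory, the departed-user list and the key blobs in it are constructed sample data.

```python
"""Audit an OpenSSH authorized_keys file against a known-good key inventory.
Added example, not code from Venafi, Ponemon or the posts. It inventories every
key that grants access, flags keys that are rogue (not in the approved inventory),
owned by departed users, overdue for rotation or malformed, and emits the pruned
file. Inventory, departed-user list and key blobs below are constructed samples."""
import base64
import hashlib
import re
import struct
from collections import namedtuple
from datetime import date

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
# Line layout is "[options] key-type base64-blob [comment]"; options may hold
# quoted spaces, so anchor on the key-type token instead of splitting on spaces.
LINE_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES))
                     + r")\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$")
# key_type: algorithm declared on the line; wire_type: algorithm named inside the
# blob (they must agree); fingerprint: "SHA256:..." as ssh-keygen -l prints it.
AuthorizedKey = namedtuple("AuthorizedKey", "lineno options key_type wire_type fingerprint comment")
Finding = namedtuple("Finding", "lineno reason fingerprint detail")

def sha256_fingerprint(blob):
    """OpenSSH fingerprint: base64(SHA-256(blob)) with '=' padding removed."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def embedded_type(blob):
    """The blob's first length-prefixed string names the key algorithm."""
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
    return blob[4:4 + n].decode("ascii", "replace") if 0 <= n <= len(blob) - 4 else ""

def parse_authorized_keys(text):
    """Return (parsed keys, [(lineno, line)] for lines sshd could not use)."""
    keys, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LINE_RE.search(stripped)
        try:
            blob = base64.b64decode(m.group(2), validate=True) if m else None
        except ValueError:
            blob = None
        if blob is None:
            bad.append((lineno, stripped))
            continue
        keys.append(AuthorizedKey(lineno, stripped[:m.start()].strip(), m.group(1),
                                  embedded_type(blob), sha256_fingerprint(blob),
                                  m.group(3) or ""))
    return keys, bad

def audit(text, inventory, departed, today, max_age_days=365):
    """inventory: fingerprint -> {"owner", "issued" (date)}; departed: set of owners.
    Returns (findings, authorized_keys text with every flagged line removed)."""
    keys, bad = parse_authorized_keys(text)
    findings = []
    for k in keys:
        if k.wire_type != k.key_type:
            findings.append(Finding(k.lineno, "type-mismatch", k.fingerprint, k.wire_type))
        rec = inventory.get(k.fingerprint)
        if rec is None:  # key nobody approved: the "rogue key" case in the posts
            findings.append(Finding(k.lineno, "rogue", k.fingerprint, k.comment))
            continue
        if rec["owner"] in departed:  # ex-employee still holding server access
            findings.append(Finding(k.lineno, "departed-owner", k.fingerprint, rec["owner"]))
        if (today - rec["issued"]).days > max_age_days:  # SSH keys never expire on their own
            findings.append(Finding(k.lineno, "rotation-overdue", k.fingerprint, str(rec["issued"])))
    findings += [Finding(n, "unparseable", "", l) for n, l in bad]
    flagged = {f.lineno for f in findings}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in flagged]
    return findings, "\n".join(kept) + "\n"

# --- constructed sample data; none of these are real keys -------------------
def make_blob(key_type, *fields):
    """Encode an SSH public-key blob (RFC 4253 string list) as base64."""
    parts = (key_type.encode(),) + fields
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()

BLOB_ALICE = make_blob("ssh-ed25519", bytes(range(32)))
BLOB_BOB = make_blob("ssh-ed25519", bytes(range(32, 64)))
BLOB_STALE = make_blob("ssh-ed25519", bytes(range(64, 96)))
BLOB_UNKNOWN = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(1, 64)))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-ed25519 " + BLOB_ALICE + " alice@laptop",
    'from="10.0.0.0/8",no-pty ssh-ed25519 ' + BLOB_BOB + " bob@build",
    "ssh-rsa " + BLOB_UNKNOWN + " backup-job",
    "ssh-ed25519 " + BLOB_STALE + " svc-deploy",
    "ssh-ed25519 " + BLOB_UNKNOWN + " declared-type-lies",  # blob is really RSA
    "this is not a key line",
]) + "\n"
SAMPLE_INVENTORY = {  # in practice this comes from the central key inventory
    sha256_fingerprint(base64.b64decode(BLOB_ALICE)): {"owner": "alice", "issued": date(2013, 12, 1)},
    sha256_fingerprint(base64.b64decode(BLOB_BOB)): {"owner": "bob", "issued": date(2014, 1, 15)},
    sha256_fingerprint(base64.b64decode(BLOB_STALE)): {"owner": "svc-deploy", "issued": date(2009, 6, 1)},
}
SAMPLE_DEPARTED = {"bob"}

def sample_audit():
    """Run the audit over the constructed sample as of the posts' date."""
    return audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_INVENTORY, SAMPLE_DEPARTED, date(2014, 3, 5))
```

Run over every authorized_keys file on a host, the findings list is the incident queue the post asks for and the returned text is the pruned file to install once the owners of flagged keys have been issued fresh ones.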
Want to learn more about SSH vulnerabilities? Download the Ponemon 2014 SSH Security Vulnerability Report Infographic now.
March 4, 2014
By Gavin Hill
Global organizations are under attack, and the attackers are more dangerous and persistent than ever. While the motivations vary, the goal of today’s cybercriminal is to become and remain trusted on targeted networks in order to gain full access to sensitive, regulated and valuable data and intellectual property, and circumvent existing controls.
Among the fundamental security controls enterprises rely on to protect data and ensure trust is secure shell (SSH). Yet, according to new research by the Ponemon Institute, system and application administrators—not IT security—are responsible for securing and protecting SSH keys, which exposes critical security vulnerabilities.
The research also found nearly half of all enterprises never rotate or change SSH keys. This makes their networks, servers, and cloud systems owned by the malicious actors in perpetuity when SSH keys are stolen, and represents IT’s dirty little secret, which leaves known and open back doors for cyber-criminals to compromise networks.
Data loss prevention, advanced threat detection solutions, and next-generation firewalls cannot consume SSH-encrypted traffic, making it easy for adversaries to steal information—over extended periods—without detection. And unlike digital certificates, SSH keys never expire, leaving the vulnerabilities and figurative back doors open indefinitely.
This exclusive new infographic provides you with the analysis needed to understand the breach and how it could impact you and your organization.
February 27, 2014
The CSA announced today the re-appointment of Andreas Fuchsberger and Eric Hibbard as the Co-Chairs of the CSA’s International Standardization Council. As Co-Chairs, Fuchsberger and Hibbard will be responsible for the governance and oversight of the Council.
The CSA International Standardization Council plays the important role of working to coordinate all aspects of standardization efforts within the CSA. The Council’s efforts are executed by CSA Global through the CSA Standards Secretariat involving relevant CSA research working groups in collaboration with standard developing organizations (SDOs).
Andreas Fuchsberger currently serves as the Regional Standards Officer at Microsoft, where he is responsible for Microsoft’s internal and external representation at ISO/IEC JTC1 for Central and Eastern Europe. Eric Hibbard currently serves as the CTO Security and Privacy at Hitachi Data Systems, where he represents the interests of both Hitachi and key organizations (e.g., ABA, CSA, INCITS, IEEE, TCG, SNIA, etc.) in the development of domestic and international standards and other types of specifications.
For 2014, the group will continue in its strategic role as a gatekeeper managing the CSA research intellectual property (IP) and the contribution of this IP to global standardization efforts, as well as an expert body contributing to any SDOs’ and National Bodies’ (NBs) cloud computing and security related standards development work. Due to the highly strategic value of the ISC as well as the sensitivity of the work and the protection of IP, membership application is only available to active corporate members with a strong background working with international standardization communities and processes.
The CSA would like to invite corporate members that are interested in influencing standardization efforts worldwide to join the ISC. For more information or to be considered for council membership please contact the CSA Standards Secretariat, Aloysius Cheang at email@example.com.
February 26, 2014
Winner Now To Receive Full Pass to BlackHat, in Addition to DEF CON
San Francisco, CA – February 26, 2014 – The Cloud Security Alliance (CSA) today announced that it has upped the ante, as no one has yet been able to hack the Software Defined Perimeter (SDP) network since the contest began on Monday.
For the virtual hackathon, registered participants from all over the world have been given the IP addresses of the target file server as well as the SDP components protecting them. This in effect simulates an ‘insider attack’ – modeled after a real world environment – on both private cloud and public cloud infrastructure. Participants also have access to a reference SDP system to learn how the system works to plan their attack. The hackathon is built on a public cloud without any special protection except those provided by the Software Defined Perimeter. It helps validate the concept that software components can provide as much protection against network attacks as physical systems.
The first participant to successfully capture the target information on the protected server will receive an expenses paid trip to both BlackHat and DEF CON ® 22 conference, including air and hotel, held in Las Vegas August 6-10, 2014.
“We believe the SDP is a fundamental change in how we approach securing networks, and are encouraged that no one has been able to hack the prototype yet,” said Bob Flores, judge of the event, former CTO of the CIA, and President & CEO at Applicology Incorporated. “We want to challenge any interested party, anywhere in the world, to test the security of an SDP network.”
The Software Defined Perimeter (SDP) Initiative is a CSA project aimed at developing an architecture for securing consumer devices, cloud infrastructure as well as the “Internet of Things”, using the cloud to create highly secure and trusted end-to-end networks between any IP addressable entities. Full contest rules and registration are available at https://cloudsecurityalliance.org/research/sdp/.
Members of the media and analyst community interested in attending the event should contact firstname.lastname@example.org for more information, to receive press credentials and to schedule interviews with CSA leadership and conference speakers.
February 24, 2014
by Thomas Pedersen, co-founder and CEO of OneLogin
Looks like we were on to something when we open sourced OneLogin’s first SAML Toolkit three years ago — the OneLogin 2014 State of SaaS Identity Management survey that we just completed with CSA shows that SaaS vendors are adopting SAML in droves. Of the 100 participants that completed the survey, 97 percent are backing the SAML standard for single sign-on into cloud application environments, many in response to customers asking for an easier, faster and more secure path to identity management and app provisioning.
We all know the headaches that enterprise IT managers face trying to keep up with their businesses’ demand for cloud apps while also maintaining security and compliance. SAML is now the Gold Standard for signing into cloud applications. Why? It completely eliminates all passwords and instead uses digital signatures to establish trust between the identity provider and the application. SAML-enabled SaaS applications deliver faster and more secure user provisioning in complex enterprise environments, and help simplify identity management across large and diverse user communities. Other key insights from the survey:
- SAML in wide use for single sign-on: 67 percent of the SaaS vendors surveyed use SAML today for single sign-on identity management, while 19 percent said they planned to implement SAML within the next 12 months. Only 3 percent had no plans to implement the standard.
- Customer demand, security and speed drive adoption: 26 percent of survey respondents cited demand from existing customers as the primary driver behind their SAML adoption, 21 percent cited improved security and compliance, and nearly 22 percent cited quick integration into cloud application ecosystems.
- SAML adoption not limited to the web browser: 37 percent of the SaaS vendors surveyed leverage SAML on mobile versions of their apps, and 25 percent use SAML for desktop applications not including a web browser.
These findings speak volumes: SAML is stronger than ever and its momentum is fueled by the realization that the standard provides a massive security boost by enabling enterprises to more easily control access to their sensitive data. This is why OneLogin’s cloud solution for single sign-on and enterprise identity management is pre-integrated via SAML with more than 350 top enterprise applications, and why more than 150 SaaS vendors, including Dropbox, have used OneLogin’s free open source SAML Toolkits to SAML-enable their apps. Many thanks to CSA for collaborating with us on this survey, and we look forward to spreading the SAML gospel this week at RSA.
Thomas Pedersen is co-founder and CEO of OneLogin, the innovator in cloud-based enterprise identity management, ranked #1 in Network World Magazine’s review of SSO tools. Follow him on Twitter @thomasbpedersen
February 21, 2014
Bob Flores, Former CTO of the CIA and President & CEO at Applicology Incorporated to Serve as Judge
The Cloud Security Alliance (CSA) today announced additional details on its upcoming virtual hackathon, open to anyone globally, being held in conjunction with the RSA Conference, kicking off Monday, February 24th.
The hackathon will kick off with a workshop on CSA’s Software Defined Perimeter (SDP) on Monday, February 24th, from 2:00 p.m. to 3:00 p.m. at Moscone West, Room 2008. The workshop will provide participants a hands-on overview of the SDP protocol as well as a detailed view of the hackathon. To register for the free workshop, email email@example.com.
For the virtual hackathon, participants will be given the IP addresses of the target file server as well as the SDP components protecting them. This in effect will simulate an ‘insider attack’ – modeled after the real world environments and one of the most difficult to prevent – on both private cloud and public cloud infrastructure. Participants will also have access to a reference SDP system to learn how the system works to plan their attack.
The first participant to successfully capture the target information on the protected server will receive an expenses paid trip to DEFCON ® 22, held in Las Vegas August 7-10, 2014. Bob Flores, former CTO of the CIA and President & CEO at Applicology Incorporated, will serve as judge of the event, naming the official winner of any successful hack. Contest rules are available at https://cloudsecurityalliance.org/research/sdp/.
The Software Defined Perimeter (SDP) Initiative is a new CSA project aimed at protecting application infrastructure from network-based attacks by using the cloud to create highly secure and trusted end-to-end networks between any IP addressable entities, allowing for systems that are highly resilient to network attacks.
Members of the media and analyst community interested in attending the event should contact firstname.lastname@example.org for more information, to receive press credentials and to schedule interviews with CSA leadership and conference speakers.
February 19, 2014
KEVIN BOCEK, VP, SECURITY STRATEGY & THREAT INTELLIGENCE, VENAFI
Cybercriminals are moving faster than we think to weaponize the core element of trust on the Internet: digital certificates. The many fake certificates identified by Netcraft are just the tip of the iceberg. Cybercriminals are amping their attacks on trust because the results are so powerful.
Already over a quarter of Android malware is enabled by compromised certificates, and there are hundreds of trojans infecting millions of computers designed to steal keys and certificates for resale and criminal use. Today a stolen certificate is worth over 500 times more than a credit card or personal identity.
By attacking the trust established by digital certificates, cybercriminals aren’t making a quick hit. No, their intent is to own their target. Fake, compromised, stolen, misused, illicitly obtained certificates give cybercriminals the power to impersonate, surveil, and monitor—and to do so undetected.
Just recently The Mask group infiltrated hundreds of organizations. The group’s malware stole encryption keys, digital certificates, and SSH keys. While their collection efforts have just now been identified and stopped after 7 years, the real impact is yet to come.
The attackers now own thousands of keys and certificates and, as a result, own the networks, servers, and applications of the breached. They can impersonate websites with stolen keys and certificates and have root-level access with SSH keys. It is game over for these breached organizations if they don’t fight back and change all of their keys and certificates immediately.
If businesses and governments don’t get a handle on the ways they are using certificates and can’t respond to these attacks, we all might as well be investing in bulldozers. Our data centers are worthless when the basic, foundational element of trust on the Internet—digital certificates—is compromised.
We can’t tell the good from the bad and so just need to bulldoze and start new. But, we don’t have a replacement technology for digital certificates so we have to stand and fight. Otherwise, the reality Gartner painted of “living in a world without trust” will come true (Gartner ID: G00238476).
February 17, 2014
The workshop will provide a detailed demo and explanation of SDP, and will kick off the ‘virtual hackathon’ contest, which will last until 3pm PST on February 27, challenging participants to hack the SDP protocol, modeled after military-grade networks.
The SDP Hackathon gives participants the IP addresses of the target file server as well as the SDP components protecting them. This in effect will simulate an ‘insider attack’ – one of the most difficult to prevent – on both private cloud and public cloud infrastructure. Participants will also have access to a reference SDP system to learn how the system works to plan their attack.
The first participant to successfully capture the target information on the protected server will receive an expenses paid trip to DEF CON ® 22, held in Las Vegas August 7-10, 2014. Contest rules and registration are available at www.HackSDP.com. Space is limited; interested attendees should go to https://cloudsecurityalliance.org/events/csa-summit-2014/#_rsa to reserve a seat at the workshop.
February 13, 2014
by John DiMaria, BSI
I was one of those invited to attend the NIST Cybersecurity Framework launch yesterday at the White House. It was a very nice, well organized, and positive event.
“The Framework is a key deliverable from the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Obama announced in the 2013 State of the Union”. – White House Press Release.
Each of the Framework components (the Framework Core, Profiles, and Tiers) reinforces the connection between business drivers and cybersecurity activities. The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.
- The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions — Identify, Protect, Detect, Respond, Recover — that provide a high-level view of an organization’s management of cyber risks.
- The Profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. Companies can use the Profiles to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.
- The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices. – White House Press Release
First, congratulations to Adam Sedgewick and his team for a great job spearheading this unprecedented collaboration between government and private sector. DHS has also done a good job of launching this program along with the publication of the Framework.
I would also like to say thank you to all the great professionals that attended all 5 workshops. I had the honor to work with many of them. We forged some great new business relationships and had some laughs along the way. One personal take-away was that no matter how old we get or how experienced we think we are, if you have discussions with the intent of listening and not answering, you can learn something from everyone you meet.
I am sure there will still be the naysayers and “headline grabbers” out there that will formulate and dwell on negatives, but having been in the standards business for more than 20 years at all levels (and this is not a standard), I can tell you no initial framework, guidance or standard will ever be 100% right out of the box.
Even President Obama stated after the launch, “While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity”.
As was mentioned at the launch, this is a “living document”. A couple of comments that stood out in my mind from the 3 CEOs at Pepco, Lockheed and AT&T:
“We are only as good as our weakest link” (working with the supply chain and getting them to adopt the framework is critical) and “National Security and the economy depend on good cybersecurity and globally recognized standards”. Time to pull together.
As Benjamin Franklin said “If we do not hang together, we shall surely hang separately”.
There will be an industry expert panel discussing the framework on March 6th.
John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner, and Master HISP with over 28 years of experience in management systems and international standards. The views expressed in this blog are his own.